Hacking WEP Networks: A Step-by-Step Guide, Lab Reports of Electrical and Electronics Engineering

A detailed guide on how to break into WEP networks by obtaining MAC addresses, bypassing MAC filters, cracking WEP keys, and setting up a fake access point. It includes instructions for using tools such as NmapFE, Ethereal, Kismet and Aircrack.

Typology: Lab Reports

Pre 2010

Uploaded on 08/05/2009

ECE 4112: Internetwork Security
Wireless 802.11 Security
Group Number: _________
Member Names: ___________________ _______________________
Date Assigned:
Date Due:
Last Revised: April 25, 2005
Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions and be sure you turn in ALL materials listed in the Turn-in Checklist ON or BEFORE the Date Due.
Goal: The goal of this lab is to use wireless tools on the Auditor security collection live-cd such as Kismet and Aircrack to detect and penetrate wireless networks. We will sniff packets to obtain MAC addresses to get around filters and crack a WEP key.
Summary: The four sections of this lab will show you how to monitor unencrypted traffic, spoof a MAC address, crack WEP and decrypt encrypted packets.
Attention: Please unplug the power from the wireless access point when you have completed the lab. The access point may cause interference with the GT wireless network, so please unplug the power adapter from the back of the access point when the access point is not being used.
Background and Theory:
Introduction
IEEE 802.11 or Wi-Fi denotes a set of Wireless LAN standards developed by working group 11 of the IEEE LAN/MAN Standards Committee (IEEE 802). The term is also used to refer to the original 802.11, which is now sometimes called "802.11legacy".
The 802.11 family currently includes six over-the-air modulation techniques that all use the same protocol; the most popular (and prolific) techniques are those defined by the a, b, and g amendments to the original standard. Security was originally included, and was later enhanced via the 802.11i amendment. Other standards in the family (c–f, h–j, n) are service enhancements and extensions, or corrections to previous specifications. 802.11b was the first widely accepted wireless networking standard, followed (somewhat counterintuitively) by 802.11a and 802.11g.
The 802.11b and 802.11g standards use the unlicensed 2.4 gigahertz (GHz) band. The 802.11a standard uses the 5 GHz band. Operating in an unregulated frequency band, 802.11b and 802.11g equipment can incur interference from microwave ovens, cordless phones, and other
appliances using the same 2.4 GHz band. The equipment in the lab is capable of using either the 802.11a or 802.11b protocol. We will be using 802.11a in an attempt to limit interference from GTwireless on 802.11g.
Wireless Network Security
The broadcast properties of wireless technology make it vulnerable to a series of attacks. Snooping on a wireless network consists of using a laptop, a wireless card, and some software while being in transmission range of a wireless network. The service set identifier, or SSID, is the name of the wireless network, and it can be used to gain access. Turning off SSID broadcasting means that no one can see the network by using an automatic scan for networks. However, if you leave the default SSID unchanged, a hacker could try the common SSIDs and connect to your network (assuming WEP is off).
MAC address filtering can be used to increase the security of your network. It works by allowing only a set list of network cards to connect, based upon their known MAC address, which should be unique for every device. However, MAC addresses can be captured by snooping and then spoofed, which will allow an attacker to gain access. Most wireless cards now allow MAC addresses to be changed.
The second type of attack utilizes vulnerabilities in the Wired Equivalent Privacy, or WEP, key. WEP utilizes the RC4 encryption algorithm, a stream cipher. The sender takes a key and expands it to a lengthy pseudo-random key stream, then XORs that with the information being sent. The receiver has the same key, generates the same key stream, and XORs it with the cipher-text, which gives back the original information. This presents a problem: when an attacker has obtained two cipher-texts encrypted with the same key stream, he can XOR the two together and obtain the XOR of the two plaintexts, from which the original information can often be recovered, without needing the WEP key at all. To guard against this, WEP varies the key stream per packet using an Initialization Vector, or IV.
This vector is meant to prevent the same key stream from encrypting two different packets. Unfortunately, it is only 24 bits long, which means that a busy access point will have to reuse the same key stream eventually, usually within a few hours. An attacker will still be able to sniff this information off the network and use XOR to obtain the original information.
WEP uses the stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity. For RC4, WEP uses two key sizes: 40-bit and 104-bit; to each is added a 24-bit initialization vector (IV), which is transmitted in the clear. Cam-Winget et al. (2003) surveyed a variety of shortcomings in WEP. Two generic weaknesses were that:
§ the use of WEP was optional, resulting in many installations never even activating it, and
§ WEP did not include a key management protocol, relying instead on a single shared key amongst users.
More specific attacks have also become evident: in August 2001, Fluhrer et al. published a cryptanalysis of WEP that exploits the way the RC4 cipher is used, resulting in a passive attack that can recover the RC4 key after eavesdropping on the network for a few hours; the attack was soon implemented, and automated tools have since been released. It is possible to perform the attack with a personal computer, off-the-shelf hardware and freely-available software. Cam-Winget et al. write, "Experiments in the field indicate that, with proper equipment, it is practical to eavesdrop on WEP-protected networks from distances of a mile or more from the target." In 2005, a group from the U.S. Federal Bureau of Investigation gave a demonstration where they broke a WEP-protected network in 3 minutes using publicly available tools. We will

swap(S[i],S[j])
RC4 falls short of the standards set by cryptographers for a secure cipher in several ways, and thus is not recommended for use in new applications. The keystream generated by RC4 is slightly biased in favour of certain sequences of bytes. The best attack based on this bias is due to Fluhrer and McGrew, which will distinguish the keystream from a random stream given a gigabyte of output.
RC4 does not take a separate nonce alongside the key. As with any cipher, but particularly with Vernam ciphers, such a nonce is a requirement for security, so that encrypting the same message twice produces a different ciphertext each time. A secure solution to this that works for any secure cipher is to generate each RC4 key by hashing a long-term key with a unique nonce using a construction such as HMAC. However, many applications that use RC4 simply concatenate key and nonce; RC4's weak key schedule then gives rise to a variety of serious problems.
In 2001 a new and surprising discovery was made by Fluhrer, Mantin and Shamir: over all possible RC4 keys, the statistics for the first few bytes of output keystream are strongly non-random, leaking information about the key. If the long-term key and nonce are simply concatenated to generate the RC4 key, this long-term key can be discovered by analysing a large number of messages encrypted with this key. This and related effects were then used to break the WEP ("wired equivalent privacy") encryption used with 802.11 wireless networks. This caused a scramble for a standards-based replacement for WEP in the 802.11 market, and led to the IEEE 802.11i effort and WPA. Cryptosystems can defend against this attack by discarding the initial portion of the keystream (say the first 1024 bytes) before using it.
While WEP may sound like a great idea, it is inherently flawed on many levels. For the scope of this lab, the major flaws lie in the use of the initialization vector and the RC4 algorithm itself.
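To make the WEP construction described above concrete, here is an added Python example (written for this page, not code from the lab handout or from any tool) that implements RC4 exactly as WEP keys it, with IV||key and a CRC-32 ICV, and shows the keystream-reuse property: two frames sent under the same IV XOR to the XOR of their plaintexts with no knowledge of the key. The `drop` parameter illustrates the keystream-discard mitigation the text mentions; the 40-bit key is the lab's, the IV and payloads are constructed, and the key-ID octet that follows the IV on the air is omitted.

```python
import struct
import zlib


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: derive the 256-entry permutation S."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """RC4 PRGA: return n keystream bytes. `drop` discards that many leading
    bytes first (the RC4-drop[n] hardening the text mentions; WEP uses 0)."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for k in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        if k >= drop:
            out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV (3 bytes, in the clear) || RC4(IV||key) applied to
    plaintext || CRC-32 ICV. The key-ID octet present on the air is omitted."""
    assert len(iv) == 3 and len(wep_key) in (5, 13)  # 40-bit or 104-bit key
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    body = plaintext + icv
    return iv + xor_bytes(body, rc4_keystream(iv + wep_key, len(body)))


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Strip the IV, decrypt, and return the plaintext only if the ICV checks."""
    iv, ct = frame[:3], frame[3:]
    body = xor_bytes(ct, rc4_keystream(iv + wep_key, len(ct)))
    pt, icv = body[:-4], body[-4:]
    if struct.unpack("<I", icv)[0] != (zlib.crc32(pt) & 0xFFFFFFFF):
        return None  # integrity check failed
    return pt


def ciphertext_xor(frame1: bytes, frame2: bytes) -> bytes:
    """XOR of two WEP payloads that share an IV. Both were encrypted with the
    same RC4 keystream, so the result is plaintext1 XOR plaintext2 (followed
    by ICV1 XOR ICV2); no key is needed."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("keystream reuse needs identical IVs")
    return xor_bytes(frame1[3:], frame2[3:])


def iv_exhaustion_hours(frames_per_second: float) -> float:
    """Hours until a sender has used every 24-bit IV once at the given rate."""
    return (1 << 24) / frames_per_second / 3600


if __name__ == "__main__":
    key = bytes.fromhex("08905EF49F")        # the 40-bit key used in the lab
    iv = b"\x01\x02\x03"                     # constructed sample IV
    p1 = b"GET /index.html HTTP/1.0"         # constructed sample plaintexts
    p2 = b"POST /login.cgi HTTP/1.0"
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    assert wep_decrypt(key, f1) == p1
    leak = ciphertext_xor(f1, f2)[:len(p1)]
    print("c1 XOR c2 == p1 XOR p2:", leak == xor_bytes(p1, p2))
    print("hours to exhaust the IV space at 1000 frames/s:",
          round(iv_exhaustion_hours(1000), 1))
```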
In a paper entitled "Weaknesses in the Key Scheduling Algorithm of RC4" by Fluhrer, Mantin, and Shamir, the authors propose a method based on the observation that, under certain conditions, the key setup algorithm of RC4 leaks information about the secret key. To attack RC4, they propose to search for specific IVs that place the keystream in this vulnerable state. In the parlance of this attack, these vectors are called "interesting". By collecting enough of these "interesting packets" the entire secret key can be reconstructed.
Since the summer of 2001, WEP cracking has been a trivial but time-consuming process. A few tools, AirSnort perhaps the most famous, that implement the Fluhrer-Mantin-Shamir (FMS) attack were released to the security community, who until then were aware of the problems with WEP but did not have practical penetration testing tools. Although simple to use, these tools require a very large number of packets to be gathered before being able to crack a WEP key. The AirSnort web site estimates the total number of packets at five to ten million, but the number actually required may be higher than you think.
The first caveat to this old approach is that only encrypted packets count. As wireless access points transmit unencrypted beacons several times per second, it is easy to be fooled into believing that you have a larger number of useful packets than you really do. If you use Kismet for network discovery and sniffing, it breaks down the packet count for you, displaying the number of "Crypted" packets separately from the total number.

The second thing working against your packet collection efforts is that only certain "interesting" or "weak" IVs are vulnerable to attack. Kismet also tells you how many of these have been gathered, although it may not use the same counting method as the various cracking tools. To make matters more difficult, wireless manufacturers responded to the FMS attack by filtering out the majority of weak IVs that their access points and wireless cards transmit. Unless your target network is using old equipment, chances are you'll have to collect no less than ten million encrypted packets to crack a WEP key using these older tools.
On August 8th, 2004, a hacker named KoreK posted new WEP statistical cryptanalysis attack code (soon to become a tool called chopper) to the NetStumbler forums. While chopper is functional, it is not currently maintained, and the attacks have since seen better implementations in aircrack and WepLab. However, the KoreK attacks change everything. No longer are millions of packets required to crack a WEP key; no longer does the number of obviously "weak" or "interesting" IVs matter. With the new attacks, the critical ingredient is the total number of unique IVs captured, and a key can often be cracked with hundreds of thousands of packets, rather than millions. Aircrack's speed comes from the fact that it combines these attacks. From the Aircrack webpage:
aircrack is an 802.11 WEP key cracker. It implements the so-called Fluhrer-Mantin-Shamir (FMS) attack, along with some new attacks by a talented hacker named KoreK. When enough encrypted packets have been gathered, aircrack can almost instantly recover the WEP key. Every WEP encrypted packet has an associated 3-byte initialization vector (IV). Some IVs leak information about a certain byte of the key, thus statistically the correct key emerges when a sufficient number of IVs have been collected. How many packets are needed depends on your luck and the key size. For 40-bit WEP keys, ~150,000 unique IVs are usually enough. For 104-bit WEP keys, around 500k - 1M unique IVs will be required.
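The counting the text describes (total versus "Crypted" packets, weak IVs, unique IVs, and the IV reuse discussed earlier) can be reproduced from raw 802.11 frames, which is a useful way to measure how much a WEP network is exposing. Added Python example for this page, not code from Kismet, airodump or aircrack: it parses the 802.11 header to find the BSSID and the WEP IV, separates WEP from TKIP/CCMP frames via the ExtIV bit, and reports per-BSSID totals. The AP MAC is the lab's; the station MAC, the second AP and all frames are constructed, and the weak-IV test is the classic FMS form (A+3, 255, X), a narrower class than the lists real tools use.

```python
"""Capture statistics of the kind Kismet and airodump report for a WEP
network, computed from raw 802.11 frames. Added example for this page,
not code from any of those tools; the sample frames are constructed."""
import struct


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


AP_BSSID = mac("00:05:5d:99:60:db")   # the lab AP's MAC address (from the handout)
STA = mac("00:0c:41:aa:bb:cc")        # constructed client MAC
OTHER_AP = mac("00:11:22:33:44:55")   # constructed: a neighbouring network
BCAST = b"\xff" * 6


def build_frame(fc0: int, fc1: int, a1: bytes, a2: bytes, a3: bytes,
                body: bytes, seq: int = 0) -> bytes:
    """Minimal 802.11 frame: Frame Control, Duration, Addr1-3, SeqCtl, body."""
    return bytes([fc0, fc1, 0, 0]) + a1 + a2 + a3 + struct.pack("<H", seq << 4) + body


def parse_frame(frame: bytes) -> dict:
    """Extract frame type, BSSID and, for protected data frames, the IV."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds, protected = fc1 & 0x01, fc1 & 0x02, fc1 & 0x40
    hdr = 24
    if to_ds and from_ds:
        hdr += 6                       # Addr4 present (WDS)
    if ftype == 2 and subtype & 0x08:
        hdr += 2                       # QoS Control field
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and from_ds:
        bssid = None                   # WDS: no single BSSID in the header
    elif to_ds:
        bssid = a1
    elif from_ds:
        bssid = a2
    else:
        bssid = a3
    info = {"type": ftype, "bssid": bssid, "iv": None, "wep": False}
    body = frame[hdr:]
    if ftype == 2 and protected and len(body) >= 4:
        info["iv"] = body[:3]
        # Key-ID octet: bit 5 (ExtIV) set means TKIP/CCMP, clear means WEP.
        info["wep"] = not (body[3] & 0x20)
    return info


def is_fms_weak_iv(iv: bytes, key_bytes: int) -> bool:
    """Classic FMS "interesting" IV of the form (A+3, 255, X), A a key byte index."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_bytes


def iv_stats(frames, bssid: bytes, key_bytes: int = 5) -> dict:
    """Per-BSSID totals: all frames, WEP ("Crypted") frames, unique IVs,
    reused IVs, weak IVs, and protected frames that are not WEP."""
    stats = {"total": 0, "crypted": 0, "non_wep": 0, "reused": 0, "weak": 0}
    seen = set()
    for frame in frames:
        p = parse_frame(frame)
        if p["bssid"] != bssid:
            continue
        stats["total"] += 1
        if p["iv"] is None:
            continue                   # beacon, control or open data frame
        if not p["wep"]:
            stats["non_wep"] += 1      # TKIP/CCMP: of no use against WEP
            continue
        stats["crypted"] += 1
        if p["iv"] in seen:
            stats["reused"] += 1       # same IV, same keystream (see above)
            continue
        seen.add(p["iv"])
        if is_fms_weak_iv(p["iv"], key_bytes):
            stats["weak"] += 1
    stats["unique_ivs"] = len(seen)
    return stats


def wep_data(iv: bytes) -> bytes:
    """Station -> AP (ToDS, Protected) data frame: IV, key-ID 0, dummy body."""
    return build_frame(0x08, 0x41, AP_BSSID, STA, BCAST, iv + b"\x00" + b"\xde\xad" * 8)


BEACON_BODY = b"\x00" * 12 + b"\x00\x10wireless_ece4112"   # fixed fields + SSID IE
SAMPLE_FRAMES = [                      # constructed capture
    build_frame(0x80, 0x00, BCAST, AP_BSSID, AP_BSSID, BEACON_BODY),
    build_frame(0x80, 0x00, BCAST, AP_BSSID, AP_BSSID, BEACON_BODY),
    wep_data(b"\x03\xff\x01"),         # weak for a 40-bit key (A = 0)
    wep_data(b"\x0a\xff\x02"),         # weak only for a 104-bit key (A = 7)
    wep_data(b"\x01\x02\x03"),
    wep_data(b"\x01\x02\x03"),         # IV reused
    wep_data(b"\x04\x05\x06"),
    build_frame(0x08, 0x41, AP_BSSID, STA, BCAST, b"\x01\x02\x03\x20" + b"\x00" * 16),
    build_frame(0x08, 0x41, OTHER_AP, STA, BCAST, b"\x09\xff\x09\x00" + b"\x00" * 16),
]

if __name__ == "__main__":
    print(iv_stats(SAMPLE_FRAMES, AP_BSSID, key_bytes=5))
```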

Prelab Questions: None.

Lab Scenario: This lab will use two Pentium 4, 2.4 GHz machines. Both machines will be running the Auditor Security Collection live-cd; one will be the attacker and the other will be a client on the network. The wireless access point (AP) will be the D-Link tri-mode dualband wireless access point (DWL-7000AP), which means it can run 802.11a, 802.11b, and 802.11g, though we will only be using 802.11a. Both machines will use Linksys Wireless A+G PCI adapter cards (WMP55AG). You will not need your hard drive or any CD from the TAs.
Software:
Ethereal - http://www.ethereal.com/
Kismet - http://www.kismetwireless.net/

Before you begin, make sure the AP has been reset back to no MAC filtering and no encryption (WEP). Do the following:
§ Using a web browser on the Auditor client, connect to http://192.168.1.
§ Username is “admin”. Password is “password”.
§ To turn off the MAC control list filtering on the access point, connect to the AP.
§ Click the Advanced tab.
§ Choose “enable MAC control filtering” and select “disable”.
§ Click APPLY.
§ Wait for one minute as instructed and click OK.
To turn off WEP on the Access Point:
§ Connect to the AP again.
§ Click the “Advanced” tab on top, then the “Encryption” tab on the left.
§ Make sure the “Disable” radio button next to WEP is selected.
§ Click Apply; after your changes have been saved, click Continue.
Make sure that both computers can communicate with the AP. In our case, this is accomplished by running on each of the two machines:
#ping 192.168.1.
In the event that either machine cannot ping, type the lines below in a terminal:
#ifconfig ath0 down
#ifconfig ath0 192.168.1.x (for x use either 50 or 100)
#iwconfig ath0 essid wireless_ece4112 channel 44 mode Managed
#ifconfig ath0 up
#iwconfig (you should see essid and mode set correctly)
#ifconfig (you should see ath0 up with correct IP)
Now try to ping the Access Point:
#ping 192.168.1.
Now run NmapFE to scan the network: Right click->Auditor->Scanning->Network Scanner->NmapFE. In NmapFE you want to scan the router; the OS fingerprinting of Nmap will allow you to determine what type of router this network is using. In the targets field type 192.168.1. Take a screenshot of the router's scan.
NOTE: Throughout the lab you will need to take screenshots of various windows. To do this, right click on the desktop, then go to apps->graphics->kSnapshot. This program is very easy to use and can take a screenshot of the entire screen or a single window you select (it can also make an image from a region the user selects).

SCREENSHOT 1 - nmapfe scan.png
Now, knowing this is a D-Link router, find out the default configuration on the internet.
Q1.1 What is the default login and password for our D-Link router?
As an attacker it is worth trying to log in to the router; this way we can change things to our advantage, including setting a new login password.

Section 2: Use Ethereal to capture HTTP packets

It is very easy to believe that wireless networks are more secure than wireline networks. In this lab, we will illustrate that wireless traffic is just as easy to sniff as wired traffic. We will also show the importance of using encryption when sending packets over a wireless network. Many programs don't encrypt the packets they send over a network. Thus, someone with a program such as Ethereal can simply sniff for different packets on a network. For instance, plain FTP, telnet and other data transfer services don't encrypt their traffic before it is sent on a network.
First, we begin by setting up the wireless network with two machines and a router. Let's look at the router. Before you begin, set the router back to the default settings (no MAC filtering and no encryption (WEP)), which it should be after Section 1. The commands to reset the router are given in Section 1.
For the attacker:
#ifconfig ath0 down
#ifconfig ath0 192.168.1.
#iwconfig ath0 essid “” channel 44 mode Monitor
#ifconfig ath0 up
§ Now using the attacker machine, open Ethereal.
§ Open Ethereal from the console or GUI.
§ Hit Capture
§ Start
§ Interface needs to be “ath0”
§ Update in real time
§ Automatic scrolling
§ Start capturing packets.
Now on the client machine connect to the router's webpage. Open a web browser and go to http://192.168.1.144. Log in, then generate some more traffic by clicking on some of the tabs. On the attacker, take a screenshot of the HTTP packet containing the password captured in Ethereal.
SCREENSHOT 2: ethereal unencrypted traffic

Q2.2: What are some ways to prevent this kind of packet sniffing?
Q2.3: What are the major disadvantages of leaving the traffic unencrypted?

Section 3: MAC Control List Subversion

One way to restrict access to a wireless network is to allow only certain MAC addresses to connect. Almost all access points have such a feature, and in theory it should provide a decent level of security. However, these MAC addresses can easily be spoofed. Enable MAC address filtering on the access point and show that the attacker can gain access to the network by spoofing his address. Show screen captures and the like to show how you determined a valid MAC and how you gained access; include these with the questions section you turn in. Use the following instructions to help you accomplish this.
To enable MAC control list filtering on the access point, connect to the AP:
§ Using a web browser on the client, connect to http://192.168.1.
§ Click the Advanced tab
§ Click on the “Filters” tab on the left
§ Change the “Access Control” drop-down box to “accept” for BOTH A & G (left and right columns)
§ Place the MAC address of the client machine in the first entry of the table.
ASIDE: To determine the MAC address, open up a command window and type:
# ifconfig
*Make sure you get the MAC of the wireless device.
§ Click “apply”, and after the “your changes have been saved” message, click “continue”.
§ On the client type:
#ifconfig ath0 down
#ifconfig ath0 up
The attacker machine should not be able to connect to the wireless network now; to see this, try to ping the router (the client machine, however, should still be able to ping 192.168.1.144). The attacker machine can still sniff the wireless network and see what MAC addresses are allowed on the network. Let's use Kismet on our attacker machine to see the active MAC addresses on the network. Set up the attacker's wireless card by:
#iwconfig ath0 essid “” channel 44 mode Monitor
Now you need to change the kismet.conf file in order for Kismet to know which interface to use. Copy the kismet.conf file from the /usr/local/etc folder to the /home/knoppix folder. Open the kismet.conf file in your favorite editor (Emacs is not an option. Use KWrite, which can be found by right clicking on the desktop and going to Applications->Editors->KWrite). Go down to the line which starts with source. Change this line to source=wlanng,ath0, (you can leave the addme if you want). Save the changes and type the following command:
#kismet -f kismet.conf -X -I kismet:

Now Kismet should be running.
Figure 2: Kismet running
This launches the Kismet application itself and begins to display data. (Aside: Kismet logs all packets it sees in a file which it stores in /ramdisk/var/log/kismet.) The interface is entirely keyboard driven, and if you get lost you can display the help screen at any time by pressing H. Type H and take a look at the commands. Use + to scroll down so you may read all the help info. Use Q to quit the help menu. Several useful options are given, but to begin with, simply hit S then S again in order to sort the wireless networks displayed by their SSID. We want to look at data coming from the network identified as wireless_ece4112, so move down to it using the arrow keys and "tag" it by hitting T. Now use the C option for the tagged wireless network. Do a ping from the client machine to generate some traffic from each wireless card and note how the client list in Kismet shows you the client MAC address. If you are not able to see the MAC address or IP address with traffic generated by ping, connect to the webpage on the router to create traffic. (Some have reported that ping does not cause the MAC to show up.) Now that you're finished running Kismet, it is important to shut it down properly or the wireless

#ifconfig ath0 hw ether (or just make up one)
#ifconfig ath0 192.168.1.
#ifconfig ath0 up
#ifconfig (make sure original IP and MAC are back)
#iwconfig ath0 essid “” channel 44
#iwconfig (you should see essid and mode set correctly)
You should turn off the MAC access list in the AP now by:
§ Using a web browser on the client, connect to http://192.168.1.
§ Username is “admin”. Password is “password”.
To turn off the MAC control list filtering on the access point, connect to the AP.
§ Click the Advanced tab
§ Click on the “Filters” tab on the left
§ Change the “Access Control” drop-down to “disabled” on BOTH A & G (the left and right columns)
§ Click “apply”, wait 1 minute, click “continue”
Q3.1: In this section you changed the MAC address and the IP address of the attacker. In order to bypass MAC filtering, however, one only needs to change the MAC address. Why might one want to change the IP address as was done in this section?

Section 4: Using Aircrack to Break WEP

In order to break WEP we need to sniff a great deal of traffic from the victim network. Since we are not patient, we will generate traffic on the network. There are two main methods for traffic generation. Section 4.1 covers using a host on the victim network to generate traffic. Section 4.2 explains how to generate traffic on a network on which the attacker does not control a host.
Turning on WEP (if you did not turn it on in Section 3):
§ Using a browser on the client, connect to http://192.168.1.
§ Username is “admin”. Leave the password field blank.
§ After the AP (Access Point) setting screen, turn on WEP on the AP by clicking the “advanced” tab, then the “encryption” tab on the left. Click the enable radio button.
§ Change the key length to 64 bits.
§ Enter the WEP key. (We used the passphrase ece4883, and the AP generated the key we are using from it.)
§ Use the key 08905EF49F in key 1.
§ Click apply; you will then no longer be able to communicate with the Access Point from this PC until you turn on WEP on this PC's wireless card.
Setup WEP on the client machine (if you did not turn it on in Section 3):

#ifconfig ath0 down
#ifconfig ath0 192.168.1.
#iwconfig ath0 essid “wireless_ece4112” channel 44 mode Managed enc 08905EF49F
#ifconfig ath0 up
The client machine should now be able to connect to the network (ping 192.168.1.144) using WEP. The attacker machine will not have WEP turned on, so in theory it cannot see the wireless network. (Need the section)
Running the attack to break 64-bit WEP
On the attacker, open a terminal and cd into the /home/knoppix directory. There, run the following commands:
#ifconfig ath0 down
#iwconfig ath0 mode Monitor channel 44
#ifconfig ath0 up
Now we will be using airodump to capture packets in order to crack the WEP key. Run the command:
# airodump ath0 capture.pcap 00:05:5d:99:60:db
You should see airodump capturing approximately 10 packets per second. If airodump does not show any packets being captured, try rerunning the above commands. If this fails, restart the computer.
In this exercise we will run Aircrack on our attacker machine in order to crack the WEP key. Open a new terminal and cd into /home/knoppix again. Leave this terminal open; you'll be using it in a second. Go to the client machine and open a terminal. Now type in the following command:
# ping -q -f 192.168.1.
This will flood the router with pings, generating massive amounts of traffic for the attacker to collect. Go back to the attacker machine and in the open terminal use the following command:
# aircrack -n 64 -f 4 -q 3 capture.pcap.cap
This will open capture.pcap.cap and run through it trying to crack the key. If there are not enough packets, this could take a while or will stop with a statement saying that the program failed. To avoid waiting for no reason, every time the time value shown by the aircrack command reaches 30 seconds press Ctrl+C and run the command again (press up once then hit enter). Once the key is cracked it will show the key found.

wlan.bssid == 00:05:5d:99:60:db (MAC address of your AP)
Screenshot 6: Take a screenshot of the decrypted packets.
To finish up the lab exercises and to be a good citizen, please turn off WEP. Make sure the AP has been reset back to no MAC filtering and no encryption (WEP). Do the following:
§ Using a web browser on the client, connect to
§ Username is “admin”. Password is “password”.
§ To turn off the MAC control list filtering on the access point, connect to the AP.
§ Click the Advanced tab
§ Click on the “Filters” tab on the left
§ Change the “Access Control” drop-down box to “disable”
§ Click “apply”, wait one minute and click “continue”
To turn off WEP on the Access Point:
§ Connect to the AP again
§ Click the “Advanced” tab on top, then the “Encryption” tab on the left
§ Make sure the “Disable” radio button next to WEP is selected
§ Click Apply; after your changes have been saved, click Continue
Make sure that both computers can communicate with the AP. In our case, this is accomplished by running on each of the three machines:
#ping 192.168.1.
In the event that either machine cannot ping:
#ifconfig ath0 down
#ifconfig ath0 192.168.1.x
#iwconfig ath0 essid wireless_ece4112 channel 44 mode Managed
#ifconfig ath0 up
#iwconfig (you should see essid and mode set correctly)
#ifconfig (you should see ath0 up with correct IP)

Section 6: Using a fake access point to steal information.

Section 6.1 Setting up the Fake AP:

A more complicated attack involves setting up your own access point. The wireless cards we have allow us to operate in Master mode, which makes the wireless network card all you need to build a wireless network. By setting up our own access point, and making it seem like a legitimate one, we can steal valuable information. In this exercise you will deauthenticate a client from a real access point, set up our attacker as an access point, and spoof GTwireless. We will then re-establish the client's connection, but it will connect to the fake access point.
Before you begin, make sure the AP has been reset back to no MAC filtering and no encryption (WEP). Do the following:
§ Using a web browser on the Auditor client, connect to http://192.168.1.
§ Username is “admin”. Password is “password”.
To turn off the MAC control list filtering on the access point, connect to the AP.
§ Click the Advanced tab
§ Choose “enable MAC control filtering” and select “disable”
§ Click APPLY
§ Wait for one minute as instructed and click OK
To turn off WEP on the Access Point:
§ Connect to the AP again
§ Click the “Advanced” tab on top, then the “Encryption” tab on the left
§ Make sure the “Disable” radio button next to WEP is selected
§ Click Apply; after your changes have been saved, click Continue
Make sure that the client computer can communicate with the AP:
#ping 192.168.1.
In the event that the client machine cannot ping, type the lines below in a terminal:
#ifconfig ath0 down
#ifconfig ath0 192.168.1.
#iwconfig ath0 essid wireless_ece4112 channel 44 mode Managed
#ifconfig ath0 up
#iwconfig (you should see essid and mode set correctly)
#ifconfig (you should see ath0 up with correct IP)
Now try to ping the Access Point:
#ping 192.168.1.
Now set up the attacker computer:
#ifconfig ath0 down
#ifconfig ath0 192.168.1.
#iwconfig ath0 channel 44 mode Managed
#ifconfig ath0 up
#iwconfig (you should see essid and mode set correctly)
Deauthenticate the client

§ Do you want to use DHCP to gather the IP configuration? NO
§ Enter the IP address you want to use: use 192.168.1.200; click Ok
§ Enter the desired netmask for the IP address 192.168.1.: use the default; click Ok
§ Enter the default gateway: 192.168.1.200; click Ok
§ Enter the IP of the DNS server you want to use: use the default; click Ok
A summary window will pop up; click Exit.
§ What ESSID / Network name should the access point provide? Enter GTwireless; click Ok
§ Enter desired channel number: enter 44; click Ok
You should now get another summary popup. You should see your card with Mode:Master, Frequency:5.22GHz, ESSID:"GTwireless".
Now on the client we will attempt to reconnect to “GTwireless”:
#ifconfig ath0 down
#ifconfig ath0 192.168.1.
#iwconfig ath0 essid GTwireless channel 44 mode Managed
#ifconfig ath0 up
#iwconfig (you should see essid and mode set correctly)
#ifconfig (you should see ath0 up with correct IP)
Now you should be connected to the fake access point. We will now set up the fake GTwireless login page on the Apache server on the attacker.

Section 6.2: Setting up Apache Web Server and the Fake Login Page

The Apache Web Server can be started very easily on the Auditor Security Collection. Simply right click anywhere on the Desktop, then click on Utils --> “Apache start with current IP”. The Apache web server should now be running with the default home page. On the user computer you can open up a browser and access the web server by typing http://192.168.1.200 in the address bar. The default page should show up.
Next we need to set up a fake login page. A complete attack would also set up dnsspoof on the network, which could be configured to reroute all HTTP traffic from the user's computer to the web server of the attacker, and hence to the fake login page you are about to set up. This lab does not cover the HTML and CGI scripting required to create a fake login page and to process the forms therein. The login page has already been created and is stored on the attacker's hard drive. We will need to transfer it into Apache's default document root directory (/var/www). First, though, we need to mount the hard drive:
# mount /mnt/hda
# cd home/wireless_lab
# cp fakeloginpage.tar.gz /var/www/
# cd /var/www
# rm -f index.html
Hit 'y' to overwrite the default index.html file.
# tar -zxvf fakeloginpage.tar.gz
Now move the form.cgi file, which is the CGI script used to handle the form, to the cgi-bin directory:
# mv form.cgi cgi-bin/
The permissions on the CGI file need to be set such that the client can execute the script:
# cd cgi-bin
# chmod . 755
This completes the setup of the web server with the fake login page. Now back on the client computer, open a web browser and in the URL field enter "http://192.168.1.200" to connect to the web server. On the page that opens up, enter any username and password. (DO NOT enter your actual Prism login information.) The CGI script handling the form will display the information you just entered once the Submit button has been clicked. Although GTwireless will not let us forward the user on to the actual network, the username and password can be collected discreetly.
SCREENSHOT 7: Screenshot of the fake login page after submitting the password
SCREENSHOT 8: The Ethereal capture of the text.
Q6.2.1 How can a user discover that he/she is being tricked into going to a fake site?
