Book Image

BackTrack 5 Wireless Penetration Testing Beginner's Guide

By : Vivek Ramachandran
Book Image

BackTrack 5 Wireless Penetration Testing Beginner's Guide

By: Vivek Ramachandran

Overview of this book

Wireless has become ubiquitous in today’s world. The mobility and flexibility provided by it makes our lives more comfortable and productive. But this comes at a cost – Wireless technologies are inherently insecure and can be easily broken. BackTrack is a penetration testing and security auditing distribution that comes with a myriad of wireless networking tools used to simulate network attacks and detect security loopholes. Backtrack 5 Wireless Penetration Testing Beginner’s Guide will take you through the journey of becoming a Wireless hacker. You will learn various wireless testing methodologies taught using live examples, which you will implement throughout this book. The engaging practical sessions very gradually grow in complexity giving you enough time to ramp up before you get to advanced wireless attacks.This book will take you through the basic concepts in Wireless and creating a lab environment for your experiments to the business of different lab sessions in wireless security basics, slowly turn on the heat and move to more complicated scenarios, and finally end your journey by conducting bleeding edge wireless attacks in your lab.There are many interesting and new things that you will learn in this book – War Driving, WLAN packet sniffing, Network Scanning, Circumventing hidden SSIDs and MAC filters, bypassing Shared Authentication, Cracking WEP and WPA/WPA2 encryption, Access Point MAC spoofing, Rogue Devices, Evil Twins, Denial of Service attacks, Viral SSIDs, Honeypot and Hotspot attacks, Caffe Latte WEP Attack, Man-in-the-Middle attacks, Evading Wireless Intrusion Prevention systems and a bunch of other cutting edge wireless attacks.If you were ever curious about what wireless security and hacking was all about, then this book will get you started by providing you with the knowledge and practical know-how to become a wireless hacker.

Related Content you might be interested in

Current Title:

Small book image
BackTrack 5 Wireless Penetration Testing Beginner's Guide
Vivek Ramachandran
Sep, 2011 | 220 pages
No titles found
Table of Contents (18 chapters)
BackTrack 5 Wireless Penetration Testing
BackTrack 5 Wireless Penetration Testing
Credits
Credits
About the Author
About the Author
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Wireless Lab Setup
Wireless Lab Setup
Hardware requirements
Software requirements
Installing BackTrack
Time for action – installing BackTrack
Setting up the access point
Time for action – configuring the access point
Setting up the wireless card
Time for action – configuring your wireless card
Connecting to the access point
Time for action – configuring your wireless card
Summary
2
WLAN and Its Inherent Insecurities
WLAN and Its Inherent Insecurities
Revisiting WLAN frames
Time for action – creating a monitor mode interface
Time for action – sniffing wireless packets
Time for action – viewing Management, Control, and Data frames
Time for action – sniffing data packets for our network
Time for action – packet injection
Important note on WLAN sniffing and injection
Time for action – expermenting with your Alfa card
Role of regulatory domains in wireless
Time for acton – experimenting with your Alfa card
Summary
3
Bypassing WLAN Authentication
Bypassing WLAN Authentication
Hidden SSIDs
Time for action – uncovering hidden SSIDs
MAC filters
Time for action – beating MAC filters
Open Authentication
Time for action – bypassing Open Authentication
Shared Key Authentication
Time for action – bypassing Shared Authentication
Summary
4
WLAN Encryption Flaws
WLAN Encryption Flaws
WLAN encryption
WEP encryption
Time for action – cracking WEP
WPA/WPA2
Time for action – cracking WPA-PSK weak passphrase
Speeding up WPA/WPA2 PSK cracking
Time for action – speeding up the cracking process
Decrypting WEP and WPA packets
Time for action – decrypting WEP and WPA packets
Connecting to WEP and WPA networks
Time for action – connecting to a WEP network
Time for action – connecting to a WPA network
Summary
5
Attacks on the WLANInfrastructure
Attacks on the WLANInfrastructure
Default accounts and credentials on the access point
Time for action – cracking default accounts on the access points
Denial of service attacks
Time for action – De-Authentication DoS attack
Evil twin and access point MAC spoofing
Time for action – evil twin with MAC spoofing
Rogue access point
Time for action – Rogue access point
Summary
6
Attacking the Client
Attacking the Client
Honeypot and Mis-Association attacks
Time for action – orchestrating a Mis-Association attack
Caffe Latte attack
Time for action – conducting the Caffe Latte attack
De-Authentication and Dis-Association attacks
Time for action – De-Authenticating the client
Hirte attack
Time for action – cracking WEP with the Hirte attack
AP-less WPA-Personal cracking
Time for action – AP-less WPA cracking
Summary
7
Advanced WLAN Attacks
Advanced WLAN Attacks
Man-in-the-Middle attack
Time for action – Man-in-the-Middle attack
Wireless Eavesdropping using MITM
Time for action – wireless eavesdropping
Session Hijacking over wireless
Time for action – session hijacking over wireless
Finding security configurations on the client
Time for action – enumerating wireless security profiles
Summary
8
Attacking WPA-Enterprise and RADIUS
Attacking WPA-Enterprise and RADIUS
Setting up FreeRadius-WPE
Time for action – setting up the AP with FreeRadius-WPE
Attacking PEAP
Time for action – cracking PEAP
Attacking EAP-TTLS
Time for action – cracking EAP-TTLS
Security best practices for Enterprises
Summary
9
WLAN Penetration Testing Methodology
WLAN Penetration Testing Methodology
Wireless penetration testing
Time for action – discovering wireless devices
Summary
Conclusion and Road Ahead
Conclusion and Road Ahead
Wrapping up
Building an advanced Wi-Fi lab
Staying up-to-date
Conclusion
Pop Quiz Answers
Pop Quiz Answers
Chapter 1, Wireless Lab Setup
Chapter 2, WLAN and its Inherent Insecurities
Chapter 3, Bypassing WLAN Authentication
Chapter 4, WLAN Encryption Flaws
Chapter 5, Attacks on the WLAN Infrastructure
Chapter 6, Attacking the Client
Chapter 7, Advanced WLAN Attacks
Chapter 8, Attacking WPA Enterprise and RADIUS
Chapter 9, Wireless Penetrating Testing Methodology
Index
Index

Time for action – configuring your wireless card

Here we go! Follow these steps to connect your wireless card to the access point:

  1. Let us first see what wireless networks our Alfa card is currently detecting. Issue the command iwlist wlan0 scanning and you will find a list of networks in your vicinity:

  2. Keep scrolling down and you should find the Wireless Lab network in this list. In my setup, it is detected as Cell 05, it may be different in yours. The ESSID field contains the network name:

  3. As multiple access points can have the same SSID, verify that the MAC address mentioned in the Address field above matches your access point's MAC. A fast and easy way to get the MAC address is underneath the access point or using the web-based GUI settings.

  4. Now, issue the command iwconfig wlan0 essid "Wireless Lab" and then iwconfig wlan0 to check the status. If you have successfully connected to the access point, you should see the MAC address of the access point in the Access Point: field in the output of iwconfig, as shown in the following screenshot:

  5. We know the access point has a management interface IP address "192.168.0.1" from its manual. Alternatively, this is the same as the default router IP address when we run the route –n command. Let's set our IP address in the same subnet by issuing the command ifconfig wlan0 192.168.0.2 netmask 255.255.255.0 up. Verify the command succeeded by typing ifconfig wlan0 and checking the output:

  6. Now let's ping the access point by issuing the command ping 192.168.0.1. If the network connection has been set up properly, then you should see the responses from the access point. You can additionally issue an arp –a to verify that the response is coming from the access point. You should see that the MAC address of the IP 192.168.0.1 is the access point's MAC address we have noted earlier. It is important to note that some of the more recent access points might have response to ICMP Echo Request packets disabled. This is typically done to make the access point secure out-of-the-box with only the bare minimum configuration settings available. In such a case, you could try to launch a browser and access the web interface to verify that the connection is up and running.

  7. On the access point, we can verify the connectivity by looking at the connection logs. As you can see in the following log, the MAC address of the wireless card 00:c0:ca:3a:bd:93 has been logged:

What just happened?

We just connected to our access point successfully from BackTrack using our Alfa wireless card as the wireless device. We also learnt how to verify that a connection has been established at both the wireless client and the access point side.

Have a go hero – establishing connection in WEP configuration

Here is a challenging exercise for you—set up the access point in WEP configuration. For each of these, try establishing a connection with the access point using the wireless adapter. Hint: Check the manual for the iwconfig command by typing man iwconfig for how to configure the card to connect to WEP.

Pop quiz – understanding the basics

  1. After issuing the command ifconfig wlan0 up, how do you verify the wireless card is up and functional?

  2. Can we run all our experiments using the BackTrack live CD alone? And not install it to the hard drive?

  3. What does the command arp –a show?

  4. Which tool should we use in BackTrack to connect to WPA/WPA2 networks?

Previous Section
End of Section 11
Next Section