802.11PenTestingNotesv2.0.2017

1

Changing several characteristics of the wireless card Basic tools Toretrievealistofinterfaces(eventheinactiveones)ifconfig–a

Typically,wirelessinterfacesarerepresentedaswlanXXIfthewirelessinterfaceisontheDOWNstate(disabled),thenweshouldenableitbeforedoinganythingmeaningfulwithitifconfig<interface>upToseethecharacteristicsofthewirelessextensionsoftheinterfacesonoursystemiwconfig

802.11PenTestingNotesv2.0.2017

2

Inthecaseofourexampletheonlywirelessinterfaceisthewlan1Changing the channel Tochangethechannelofthecardiwconfig<interface>channel<channelnumber>Afterdoingso,ifyouruntheiwconfigcommandagainyouwillnoticethatthecardissetto2.412GHzwhichcorrespondstothefrequencyofthefirstchannel.

802.11PenTestingNotesv2.0.2017

3

Changing the transmission power Theregionofthedeviceisanimportantsettingwhichindirectlydictatesthestrengthofthesignalinwhichthecardtransmits.Differentcountrieshavedifferentlegislationsregardingthemaximumstrengthofthesignalofawirelesscard.Forpentestingpurposesitistothebestbenefittohaveacardsettothemaximumsupportingpower.Togetthecurrentregioniwregget

802.11PenTestingNotesv2.0.2017

4

Tochangetheregionthus,thetransmissionpowerofthecardifconfig<interface>downiwregset<regioncode>ifconfig<interface>upiwregget

802.11PenTestingNotesv2.0.2017

5

Acomprehensivelistofregioncodescanberetrievedhere:https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2 Changing the operation mode Typically,wirelesscardsaresettomanagedmode,sotheycanfunctionasclientstoinfrastructurebasednetworks.Monitormodeallowscardstoreadalltrafficincludingpacketsthatoriginatefromnon-associatednetworks.Tosetthecardinmonitormodeonecanrelyonthetoolairmon-ngoftheaircracksuiteairmon-ngstart<interface>Changing the mac address ItispossibletochangetheMACaddressoftheNICcardIfconfig<interface>downmacchanger–m<newmacaddress><interface>Ifconfig<interface>up

Analyzing Traffic

802.11PenTestingNotesv2.0.2017

6

Whenawirelesscardissetinmonitormodeitcapturesallpacketsfromtheairinterface.Itispossiblewiththerighttoolstoview,analyzeandstorethesepackets.The airodump-ng tool ToviewalistofalltheAPsintheareaandtheSTAsconnectedtoeachoneairodump-ng<interfaceinmonitormode>

Note:bydefault,airodump-ngforcesthecardtohopamongchannels.Keepinmindthattoachievethis,thecardspendsonlyaportionoftimeoneachchannel.However,whenlisteningtoachannelallpacketstransmittedtotherestofthechannelswillevadethemonitoring.Torestrainthemonitoringtoaspecificchannelairodump-ng<interfaceinmonitormode>-c<numberofdesiredchannel>ThisisusuallydonewhentheattackerhaslocatedthevictimAPorSTAandwishestocaptureasmanypacketsaspossibleforfurtheranalysis.Airodumphasthecapabilityofsavingallpacketsonthedisk.airodump-ng<interfaceinmonitormode>-c<numberofdesiredchannel>-w<nameoffile>

802.11PenTestingNotesv2.0.2017

7

Notethatairodump-ngsavespacketsonlyrelevanttoWEPkeycrackingorpentesting.Therefore,thecreatedfilewillnotcontainallthepacketsinthechannel.Formoreinformationonthecapabilitiesofairodump-ngtoolvisit:http://www.aircrack-ng.org/doku.php?id=airodump-ngThe Wireshark tool ItispossibletoassociateWireshark’soutputwithawirelessnetworkinterfacethus,gaininginsighttothepacketsofthelivecapture.Moreover,onecanapplydifferentkindsoffiltersregardingvariousfieldsofthepackets(e.g.theirtypeandsubtype).Thiscanbedonebyinsertingthemnemonicandthedesiredvalueinthefilterinputfield.Alternatively,filteringcanbeachievedbylocatingapacketwithadesiredattributeandsettingitasanexamplefilter.Moreover,itispossibletocombinemultiplefiltersbyapplyingthestandardCoperators(e.g.,==,!=,>,<=,!,&&,||etc.).Someofthemostimportantfiltersforwirelesscapturecanberetrievedfromhere:https://www.wireshark.org/docs/dfref/w/wlan.htmlhttps://www.wireshark.org/docs/dfref/w/wlan_mgt.htmlThesubtypecodesof802.11framescanberetrievedhere:https://supportforums.cisco.com/document/52391/80211-frames-starter-guide-learn-wireless-sniffer-tracesThetrafficcapturedwithWiresharkcanbesavedasabinaryfile(pcap)oranotherfiletypeincludingtextualformats(e.g.,CSV).Thisisusefulforprocessingwithconventionaltoolsandmethods.TodothatinWiresharkonesimplycanchooseFile->ExportPacketDissections->as“CSV”.

802.11PenTestingNotesv2.0.2017

8

Availability Attacks Itispossibletoreducetheavailabilityofawirelessnetworkorcausedenial-of-service(DoS)againstspecificclientsbyforgingandtransmittingspecificmanagement(inmostcases)frames.Thissteamsfromthefactthatin802.11networksmanagementframesaretransmittedunencrypted.Deauthentication attack Thisattackisbasedonthetransmissionofdeauthenticationframes.ItisconsideredtheeasiestandmosteffectivewayofcreatingaDoSattackagainstallorspecificclientsofthenetwork.Theaircracksuitehastoolsthatautomatethisprocess.TounleashadeauthenticationattackagainstallclientsconnectedtoaspecificAP,firstonehastoknowtheMACaddressofthevictimAP.Thiscanbeeasilydoneviaairodump-ngorwireshark.Then,byusingthe-0(or--deauth)optionoftheaireplay-ngtoolonecancauseafloodofdeauthenticationframestobetransmitted.aireplay-ng--ignore-negative-one-0<packetstobesent>-a<APMACAddress><interfaceinmonitormode>

802.11PenTestingNotesv2.0.2017

9

Noticethatyoucaninsert0insteadofapredefinednumberofpacketsandtheprocesswillcarryonindefinitely.Anothertoolthatcanunleashadeautheticationattackismdk3.Actually,thespecifictoolfollowsadeadliermethodology(butatthesametimemoreobvioustointrusiondetectionsystems)forthisattack.Toexecuteadeauthenticationattackwithmdk3mdk3<interface>d

802.11PenTestingNotesv2.0.2017

10

Impersonation Attacks 802.11permitsmultipleAPs,advertisingthesameESSIDtoexistinthesamelocation.ThisisdonesothatmultipleBSScanbeformedunderthesameESS,thuseffectivelyincreasingtherangeofanetwork.However,thisfactcanbeabusedbyanattackertointroducetheirownAP,intheneighborhoodofavalidAP.Typically,theattackerwillmimicthecharacteristicsofthevalidAP(BSSID,advertisedESSID,securitycapabilities)toconfusetheclient.ThispracticeisknownasEvilTwinattack.Asafirststeptheattackerwilltypicallysettheircardintohigherpowermodesothathis/herfakeAPbepreferredbytheclients:First,disablethecardifconfig<interface>downChange,theregionofthewirelessinterfaceiwregset<regioncode>Re-enablethewirelessinterfaceifconfig<interface>upMakesurethatthechangesweresuccessfullyapplied.iwreggetiwconfig<interface>Acomprehensivelistofregioncodescanberetrievedhere:https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2Note:thedatabaseof<region,permittedpowerlevels>residesinthekernelandistakenfromthefilewiththenamewireless-regdb.Alistofsuchfilescanbefoundin:https://www.kernel.org/pub/software/network/wireless-regdb/

802.11PenTestingNotesv2.0.2017

11

ThenextstepshouldbetoinferthecharacteristicsofthevalidAPandthenattempttocloneeachoneoftheAPcharacteristics.Theformer,caneasilybedonewiththeairodump-ngtoolwhileforthelatteranattackercanchoosetogothroughamanualchangeofsettingsorusetheairbase-ngtool.Forexample,iftheywouldwishtomanuallychangethechannelofthewirelessinterfaceonecanrelyonairmon-ngtool:airmon-ngstart<interface><channelnumber>alternatively,thesamecanbeachievedthroughtheiwconfigtool:iwconfig<interface>channel<channelnumber>Afterdoingso,iftheiwconfigcommandisexecutedagain,analternativefrequencyinGHzispresentedwhichcorrespondstothechosenchannel.

802.11PenTestingNotesv2.0.2017

12

Othersettingsofthewirelesscardcanchangemanual,howeverthemostpreferablewayofsettingupafake“soft”APisbyusingtheairbase-ngairbase-ng-a<APMAC>--essid<nameofnetwork>-c<channelnumber><wirelessinterface>Normally,clientsthatwishtoconnecttothevalidAPwillnowpreferthefakeAPduetoitshighersignalstrength.Tospeeduptheprocessofre-directingthealreadyconnectedclientstothefakeAPtheattackermayfirstwishtodisconnectallusersfromthevalidAP.Note:ThisprocessisnotpossiblewiththemoresophisticatedWPA/WPA2securityschemesastheyrequiremutualauthenticationi.e.,theyrequirefromtheAPtoprovethatisinpossessionofakeytotheclient.Note:IfthesecuritysettingsofthefakeAParesettoWEPtheneventhoughtheclientswillbeluredtoconnecttothefakeAP,theattackerwillnotbeabletodecryptthetrafficencryptedwiththeWEPkeyunlesstheyhavecrackeditfirst.Note:CreatinganEvilTwinwhichhasnoprotectionwillallowanattackertomonitoralltrafficbutwillincreasethechancesofreceivingawarningfromtheOSoftheclientuponconnection.