802.11 Pen Testing Notes v2.0 2017
Changing several characteristics of the wireless card

Basic tools

To retrieve a list of interfaces (even the inactive ones):

    ifconfig -a

Typically, wireless interfaces are represented as wlanXX. If the wireless interface is in the DOWN state (disabled), then we should enable it before doing anything meaningful with it:

    ifconfig <interface> up

To see the characteristics of the wireless extensions of the interfaces on our system:

    iwconfig
In the case of our example the only wireless interface is wlan1.

Changing the channel

To change the channel of the card:

    iwconfig <interface> channel <channel number>

After doing so, if you run the iwconfig command again you will notice that the card is set to 2.412 GHz, which corresponds to the frequency of the first channel.
Changing the transmission power

The region of the device is an important setting which indirectly dictates the strength of the signal at which the card transmits. Different countries have different legislation regarding the maximum signal strength of a wireless card. For pentesting purposes it is to the best benefit to have a card set to the maximum supported power. To get the current region:

    iw reg get
To change the region, and thus the transmission power of the card:

    ifconfig <interface> down
    iw reg set <region code>
    ifconfig <interface> up
    iw reg get
A comprehensive list of region codes can be retrieved here: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

Changing the operation mode

Typically, wireless cards are set to managed mode, so they can function as clients to infrastructure-based networks. Monitor mode allows cards to read all traffic, including packets that originate from networks the card is not associated with. To set the card in monitor mode one can rely on the tool airmon-ng of the aircrack suite:

    airmon-ng start <interface>

Changing the MAC address

It is possible to change the MAC address of the NIC:

    ifconfig <interface> down
    macchanger -m <new mac address> <interface>
    ifconfig <interface> up
Analyzing Traffic
When a wireless card is set in monitor mode it captures all packets from the air interface. It is possible with the right tools to view, analyze and store these packets.

The airodump-ng tool

To view a list of all the APs in the area and the STAs connected to each one:

    airodump-ng <interface in monitor mode>
Note: by default, airodump-ng forces the card to hop among channels. Keep in mind that to achieve this, the card spends only a portion of its time on each channel; while it listens on one channel, all packets transmitted on the rest of the channels evade the monitoring. To restrict the monitoring to a specific channel:

    airodump-ng <interface in monitor mode> -c <number of desired channel>

This is usually done when the attacker has located the victim AP or STA and wishes to capture as many packets as possible for further analysis. airodump-ng can also save all packets to disk:

    airodump-ng <interface in monitor mode> -c <number of desired channel> -w <name of file>
Note that airodump-ng saves only the packets relevant to WEP key cracking or pentesting. Therefore, the created file will not contain all the packets in the channel. For more information on the capabilities of the airodump-ng tool visit: http://www.aircrack-ng.org/doku.php?id=airodump-ng

The Wireshark tool

It is possible to associate Wireshark with a wireless network interface, thus gaining insight into the packets of the live capture. Moreover, one can apply different kinds of filters on various fields of the packets (e.g. their type and subtype). This can be done by inserting the mnemonic and the desired value in the filter input field. Alternatively, filtering can be achieved by locating a packet with a desired attribute and setting it as an example filter. Moreover, it is possible to combine multiple filters by applying the standard C operators (e.g., ==, !=, >, <=, !, &&, || etc.). Some of the most important filters for wireless capture can be retrieved from here:

    https://www.wireshark.org/docs/dfref/w/wlan.html
    https://www.wireshark.org/docs/dfref/w/wlan_mgt.html

The subtype codes of 802.11 frames can be retrieved here: https://supportforums.cisco.com/document/52391/80211-frames-starter-guide-learn-wireless-sniffer-traces

The traffic captured with Wireshark can be saved as a binary file (pcap) or another file type, including textual formats (e.g., CSV). This is useful for processing with conventional tools and methods. To do that in Wireshark one simply chooses File -> Export Packet Dissections -> as "CSV".
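The type and subtype that the Wireshark filters above match on live in the two-byte Frame Control field at the start of every 802.11 MAC header. The following decoder is an added example for these notes (not code from the notes or from Wireshark): it splits the field into version, type, subtype and flags, and builds the wlan.fc.type_subtype filter value Wireshark uses for a frame of that kind. The sample headers are constructed; the subtype table lists only the common management subtypes.

```python
"""Decode the 802.11 Frame Control field into the type/subtype values
that Wireshark's wlan.fc.type and wlan.fc.type_subtype filters match on.

Added example for these notes; not from the notes' author or from
Wireshark. The frame bytes at the bottom are constructed.
"""
import struct

# Type codes (bits 2-3 of the first Frame Control byte).
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}

# Management subtypes (bits 4-7 when type == 0). Only the common ones
# are listed; the Cisco starter guide linked above has the full table.
MGMT_SUBTYPES = {
    0x0: "association request",
    0x1: "association response",
    0x4: "probe request",
    0x5: "probe response",
    0x8: "beacon",
    0xA: "disassociation",
    0xB: "authentication",
    0xC: "deauthentication",
}


def parse_frame_control(frame: bytes) -> dict:
    """Return the fields of the first two bytes of an 802.11 MAC header.

    The field is transmitted least-significant byte first, so '<H'
    reads it in wire order.
    """
    if len(frame) < 2:
        raise ValueError("need at least the 2-byte Frame Control field")
    fc = struct.unpack_from("<H", frame, 0)[0]
    version = fc & 0x3          # bits 0-1, always 0 for 802.11
    ftype = (fc >> 2) & 0x3     # bits 2-3
    subtype = (fc >> 4) & 0xF   # bits 4-7
    flags = (fc >> 8) & 0xFF    # second byte
    return {
        "version": version,
        "type": ftype,
        "type_name": FRAME_TYPES[ftype],
        "subtype": subtype,
        # Wireshark packs type and subtype into one value, so the filter
        # "wlan.fc.type_subtype == 0x0c" selects deauthentication frames.
        "type_subtype": (ftype << 4) | subtype,
        "subtype_name": MGMT_SUBTYPES.get(subtype, "other") if ftype == 0 else "n/a",
        "to_ds": bool(flags & 0x01),
        "from_ds": bool(flags & 0x02),
        "retry": bool(flags & 0x08),
        # The Protected Frame bit marks an encrypted body; on the
        # management frames discussed in these notes it is clear.
        "protected": bool(flags & 0x40),
    }


def wireshark_filter(frame: bytes) -> str:
    """Build the display filter that selects frames of this type/subtype."""
    f = parse_frame_control(frame)
    return f"wlan.fc.type_subtype == 0x{f['type_subtype']:02x}"


# Constructed sample headers: Frame Control + Duration only, no addresses.
SAMPLE_FRAMES = {
    "beacon": bytes.fromhex("8000" "0000"),
    "deauth": bytes.fromhex("c000" "3a01"),
    "data_from_ap": bytes.fromhex("0842" "2c00"),  # data, From DS, Protected
}

if __name__ == "__main__":
    for name, raw in SAMPLE_FRAMES.items():
        info = parse_frame_control(raw)
        print(f"{name:13s} {info['type_name']:10s} {info['subtype_name']:17s} "
              f"protected={info['protected']}  filter: {wireshark_filter(raw)}")
```

Running it prints one line per sample; the deauthentication header decodes to type 0, subtype 12, which is the 0x0c value to put in the filter field when narrowing a capture to deauthentication frames.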
Availability Attacks

It is possible to reduce the availability of a wireless network or cause denial-of-service (DoS) against specific clients by forging and transmitting specific (in most cases management) frames. This stems from the fact that in 802.11 networks management frames are transmitted unencrypted.

Deauthentication attack

This attack is based on the transmission of deauthentication frames. It is considered the easiest and most effective way of creating a DoS attack against all or specific clients of the network. The aircrack suite has tools that automate this process. To unleash a deauthentication attack against all clients connected to a specific AP, first one has to know the MAC address of the victim AP. This can be easily done via airodump-ng or Wireshark. Then, by using the -0 (or --deauth) option of the aireplay-ng tool one can cause a flood of deauthentication frames to be transmitted:

    aireplay-ng --ignore-negative-one -0 <packets to be sent> -a <AP MAC Address> <interface in monitor mode>
Notice that you can insert 0 instead of a predefined number of packets and the process will carry on indefinitely. Another tool that can unleash a deauthentication attack is mdk3. Actually, this tool follows a deadlier methodology for this attack (but at the same time a more obvious one to intrusion detection systems). To execute a deauthentication attack with mdk3:

    mdk3 <interface> d
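What makes a deauthentication flood obvious to an intrusion detection system is its rate: a legitimate AP sends the occasional deauthentication frame, a flood sends dozens per second, usually to the broadcast address and with the AP's own address as source. The following detector is an added example for these notes (not the notes' own code). It reads a CSV of the kind Wireshark produces via File -> Export Packet Dissections -> as CSV and raises one alert per source that exceeds a threshold inside a sliding time window. It assumes the export keeps Wireshark's default columns (No., Time, Source, Destination, Protocol, Length, Info) and that the Info column of a deauthentication frame begins with "Deauthentication"; the rows are constructed.

```python
"""Flag deauthentication floods in a CSV exported from Wireshark
(File -> Export Packet Dissections -> as CSV).

Added example for these notes, not the notes' own code. It assumes the
export keeps Wireshark's default columns (No., Time, Source,
Destination, Protocol, Length, Info) and that the Info column of a
deauthentication frame begins with "Deauthentication", as Wireshark's
802.11 dissector labels it. All rows below are constructed.
"""
import csv
import io
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed export: one beacon, a burst of eight broadcast deauths that
# carry the AP's own address as source (a flood looks exactly like this,
# since the sender spoofs the AP), then a lone deauth from another AP.
SAMPLE_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","02:00:00:00:aa:01","ff:ff:ff:ff:ff:ff","802.11","250","Beacon frame, SN=1, FN=0, Flags=........, BI=100, SSID=corp-wifi"
"2","0.103000","02:00:00:00:aa:01","ff:ff:ff:ff:ff:ff","802.11","26","Deauthentication, SN=2, FN=0, Flags=........"
"3","0.104500","02:00:00:00:aa:01","ff:ff:ff:ff:ff:ff","802.11","26","Deauthentication, SN=3, FN=0, Flags=........"
"4","0.106000","02:00:00:00:aa:01","ff:ff:ff:ff:ff:ff","802.11","26","Deauthentication, SN=4, FN=0, Flags=........"
"5","0.107500","02:00:00:00:aa:01","ff:ff:ff:ff:ff:ff","802.11","26","Deauthentication, SN=5, FN=0, Flags=........"
"6","0.109000","02:00:00:00:aa:01","ff:ff:ff:ff:ff:ff","802.11","26","Deauthentication, SN=6, FN=0, Flags=........"
"7","0.110500","02:00:00:00:aa:01","ff:ff:ff:ff:ff:ff","802.11","26","Deauthentication, SN=7, FN=0, Flags=........"
"8","0.112000","02:00:00:00:aa:01","ff:ff:ff:ff:ff:ff","802.11","26","Deauthentication, SN=8, FN=0, Flags=........"
"9","0.113500","02:00:00:00:aa:01","ff:ff:ff:ff:ff:ff","802.11","26","Deauthentication, SN=9, FN=0, Flags=........"
"10","5.000000","02:00:00:00:bb:02","02:00:00:00:cc:03","802.11","26","Deauthentication, SN=40, FN=0, Flags=........"
"""


def deauth_events(csv_text):
    """Yield (time, source, destination) for each deauthentication row."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Info"].startswith("Deauthentication"):
            yield float(row["Time"]), row["Source"].lower(), row["Destination"].lower()


def detect_deauth_flood(csv_text, threshold=5, window=1.0):
    """Return {source: alert} for every source that sends more than
    `threshold` deauthentication frames inside any `window` seconds.

    One deque per source keeps only the timestamps still inside the
    window, so the check stays O(1) per frame on a long capture.
    """
    recent = defaultdict(deque)
    broadcast_hits = defaultdict(int)
    alerts = {}
    for t, src, dst in deauth_events(csv_text):
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        broadcast_hits[src] += dst == BROADCAST
        if len(q) > threshold and src not in alerts:
            alerts[src] = {
                "first_seen": q[0],
                "count_in_window": len(q),
                # Broadcast deauths hit every client at once, which is
                # what a flood aimed at all clients of an AP looks like.
                "broadcast_frames": broadcast_hits[src],
            }
    return alerts


if __name__ == "__main__":
    for src, a in detect_deauth_flood(SAMPLE_CSV).items():
        print(f"ALERT deauth flood from {src}: {a['count_in_window']} frames "
              f"within 1s starting at t={a['first_seen']:.3f}s, "
              f"{a['broadcast_frames']} to broadcast")
```

The source address cannot be trusted to identify the sender, since a flood spoofs the AP's address; the alert therefore names the address being abused, and an operator would correlate it with the AP's own logs or with signal-strength data from a sensor to locate the real transmitter.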
Impersonation Attacks

802.11 permits multiple APs advertising the same ESSID to exist in the same location. This is done so that multiple BSSs can be formed under the same ESS, thus effectively increasing the range of a network. However, this fact can be abused by an attacker to introduce their own AP in the neighborhood of a valid AP. Typically, the attacker will mimic the characteristics of the valid AP (BSSID, advertised ESSID, security capabilities) to confuse the client. This practice is known as the Evil Twin attack. As a first step the attacker will typically set their card into a higher power mode so that their fake AP is preferred by the clients. First, disable the card:

    ifconfig <interface> down

Change the region of the wireless interface:

    iw reg set <region code>

Re-enable the wireless interface:

    ifconfig <interface> up

Make sure that the changes were successfully applied:

    iw reg get
    iwconfig <interface>

A comprehensive list of region codes can be retrieved here: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

Note: the database of <region, permitted power levels> pairs resides in the kernel and is taken from the file with the name wireless-regdb. A list of such files can be found at: https://www.kernel.org/pub/software/network/wireless-regdb/
The next step should be to infer the characteristics of the valid AP and then attempt to clone each one of them. The former can easily be done with the airodump-ng tool, while for the latter an attacker can choose to go through a manual change of settings or use the airbase-ng tool. For example, to manually change the channel of the wireless interface one can rely on the airmon-ng tool:

    airmon-ng start <interface> <channel number>

Alternatively, the same can be achieved through the iwconfig tool:

    iwconfig <interface> channel <channel number>

After doing so, if the iwconfig command is executed again, a different frequency in GHz is presented, which corresponds to the chosen channel.
Other settings of the wireless card can be changed manually; however, the preferable way of setting up a fake "soft" AP is by using airbase-ng:

    airbase-ng -a <AP MAC> --essid <name of network> -c <channel number> <wireless interface>

Normally, clients that wish to connect to the valid AP will now prefer the fake AP due to its higher signal strength. To speed up the process of redirecting the already connected clients to the fake AP the attacker may first wish to disconnect all users from the valid AP.

Note: This process is not possible with the more sophisticated WPA/WPA2 security schemes, as they require mutual authentication, i.e., they require the AP to prove to the client that it is in possession of the key.

Note: If the security settings of the fake AP are set to WEP, then even though the clients will be lured to connect to the fake AP, the attacker will not be able to decrypt the traffic encrypted with the WEP key unless they have cracked it first.

Note: Creating an Evil Twin which has no protection will allow an attacker to monitor all traffic but will increase the chances of the client's OS issuing a warning upon connection.
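The same airodump-ng AP list that reveals a valid AP's BSSID, channel, privacy and ESSID also gives a network owner what is needed to spot a twin: an authorized BSSID that suddenly appears on another channel or without encryption, an unknown BSSID advertising the corporate ESSID, or one BSSID seen on two channels at once. The following check is an added example for these notes (not the notes' own code): it compares a survey against an inventory of authorized APs. The inventory and the survey records are constructed, and the privacy labels follow airodump-ng's ENC column (WPA2, WEP, OPN).

```python
"""Check a wireless survey for Evil Twin / rogue APs against an
inventory of authorized access points.

Added example for these notes, not the notes' own code. It works on the
per-AP fields airodump-ng displays (BSSID, channel, privacy, ESSID);
the survey records and the inventory below are constructed, and the
privacy labels follow airodump-ng's ENC column ("WPA2", "WEP", "OPN").
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApSighting:
    bssid: str
    essid: str
    channel: int
    privacy: str


# Authorized APs: bssid -> (essid, channel, privacy). Constructed inventory.
INVENTORY = {
    "02:00:00:00:aa:01": ("corp-wifi", 1, "WPA2"),
    "02:00:00:00:aa:02": ("corp-wifi", 6, "WPA2"),
}
MANAGED_ESSIDS = {essid for essid, _, _ in INVENTORY.values()}

# Constructed survey, as an airodump-ng AP list would report it.
SURVEY = [
    ApSighting("02:00:00:00:aa:01", "corp-wifi", 1, "WPA2"),   # legitimate
    ApSighting("02:00:00:00:aa:02", "corp-wifi", 6, "WPA2"),   # legitimate
    ApSighting("02:00:00:00:aa:01", "corp-wifi", 11, "OPN"),   # cloned BSSID, open, other channel
    ApSighting("06:11:22:33:44:55", "corp-wifi", 6, "WPA2"),   # unknown BSSID with our ESSID
    ApSighting("0a:99:88:77:66:55", "guest-cafe", 3, "OPN"),   # someone else's network
]


def find_rogue_aps(survey, inventory, managed_essids):
    """Return one finding per sighting that either uses an authorized
    BSSID with attributes differing from the inventory (a twin that
    copied the BSSID) or advertises a managed ESSID from an unknown BSSID.
    """
    findings = []
    for s in survey:
        if s.bssid in inventory:
            essid, channel, privacy = inventory[s.bssid]
            reasons = []
            if s.essid != essid:
                reasons.append(f"essid {s.essid}, expected {essid}")
            if s.channel != channel:
                reasons.append(f"channel {s.channel}, expected {channel}")
            if s.privacy != privacy:
                reasons.append(f"privacy {s.privacy}, expected {privacy}")
            if reasons:
                findings.append({"bssid": s.bssid, "essid": s.essid, "reasons": reasons})
        elif s.essid in managed_essids:
            findings.append({"bssid": s.bssid, "essid": s.essid,
                             "reasons": ["unknown BSSID advertising a managed ESSID"]})
    return findings


def duplicate_bssids(survey):
    """BSSIDs seen on more than one channel in the same survey. A given
    BSSID normally comes from one radio on one channel, so this alone
    points at a clone, with no inventory needed.
    """
    channels = defaultdict(set)
    for s in survey:
        channels[s.bssid].add(s.channel)
    return {b: c for b, c in channels.items() if len(c) > 1}


if __name__ == "__main__":
    for f in find_rogue_aps(SURVEY, INVENTORY, MANAGED_ESSIDS):
        print(f"ROGUE {f['bssid']} ({f['essid']}): " + "; ".join(f["reasons"]))
    for b, chans in duplicate_bssids(SURVEY).items():
        print(f"DUPLICATE {b} seen on channels {sorted(chans)}")
```

The privacy comparison is the one that matters most against the notes' last two remarks: a twin that drops to OPN or WEP while the real AP runs WPA2 shows up as a mismatch on an authorized BSSID even when channel and ESSID match exactly.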