Wi-Fi is developed on IEEE 802.11 standards and is widely used in wireless communication. It provides wireless access to applications and data across a radio network.

Lab Scenario
Wireless network technology is becoming increasingly popular but, at the same time, it has many security issues. A wireless local area network (WLAN) allows workers to access digital resources without being tethered to their desks. However, the convenience of WLANs also introduces security concerns that do not exist in a wired world. Connecting to a network no longer requires an Ethernet cable. Instead, data packets are airborne and available to anyone with the ability to intercept and decode them. Several reports have explained weaknesses in the Wired Equivalent Privacy (WEP) algorithm used by the 802.11x standard to encrypt wireless data. To be an expert ethical hacker and penetration tester, you must have sound knowledge of wireless concepts, wireless encryption, and their related threats. As a security administrator of your company, you must protect the wireless network from hacking.

Lab Objectives
The objective of this lab is to protect the wireless network from attackers.

In this lab, you will learn how to crack WEP using various tools, capture network traffic, and analyze and detect wireless traffic.

Lab Environment
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 15 Hacking Wireless Networks

In the lab you will need a web browser with an Internet connection.

This lab requires an AirPcap adapter installed on your machine for all labs.

Lab Duration
Time: 30 Minutes

Overview of Wireless Network

A wireless network refers to any type of computer network that is wireless and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves such as radio waves for the carrier. The implementation usually takes place at the physical level or layer of the network.

Lab Tasks

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in Wireless Networks:
WiFi Packet Sniffing Using AirPcap with Wireshark
Cracking a WEP Network with Aircrack-ng for Windows
Sniffing the Network Using the OmniPeek Network Analyzer

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.







WiFi Packet Sniffing Using AirPcap with Wireshark

The AirPcap adapter is a USB device that, when used in tandem with the AirPcap drivers and WinPcap libraries, allows a pentester to monitor 802.11b/g traffic in monitor mode.

Lab Scenario

Wireless networks can be open to active and also passive attacks. These types of attacks include DoS, MITM, spoofing, jamming, war driving, network hijacking, packet sniffing, and many more. Passive attacks that take place on wireless networks are common and are difficult to detect since the attacker usually just collects information. Active attacks happen when a hacker has gathered information about the network after a successful passive attack. Sniffing is the act of monitoring the network traffic using legitimate network analysis tools. Hackers can use monitoring tools, including AiroPeek, Ethereal, TCPDump, or Wireshark, to monitor the wireless networks. These tools allow hackers to find an unprotected network that they can hack. Your wireless network can be protected against this type of attack by using strong encryption and authentication methods.
In this lab we discuss the Wireshark tool, which can sniff the network using a wireless adapter. Since you are the ethical hacker and penetration tester of an organization, you need to check the wireless security, exploit the flaws in WEP, and evaluate weaknesses present in WEP for your organization.

Lab Objectives

The objective of this lab is to help students learn and understand how to discover WEP packets.

Lab Environment
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 15 Hacking Wireless Networks

To execute the lab, you need:

Install AirPcap adapter drivers; to install, navigate to D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools, and double-click setup_airpcap_4_1_1.exe to install

When you are installing the AirPcap adapter drivers, if any installation error occurs, install the AirPcap adapter drivers in compatibility mode (right-click the AirPcap adapter driver exe file, select Properties -> Compatibility, in compatibility mode, and select Windows7)

Wireshark located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\wireshark-win64-1.4.4.exe

Run this lab in Windows Server 2012 (host machine)

An access point configured with WEP on the host machine

This lab requires the AirPcap adapter installed on your machine. If you don't have this adapter, please do not proceed with this lab

A standard AirPcap adapter with its drivers installed on your host machine

WinPcap libraries, Wireshark, and Cain & Abel installed on your host machine

Administrative privileges to run AirPcap and other tools

Lab Duration

Time: 15 Minutes

Overview of WEP (Wired Equivalent Privacy)

Several serious weaknesses in the protocol have been identified by cryptanalysts with the result that, today, a WEP connection can be easily cracked. Once entered onto a network, a skilled hacker can modify software, network settings, and other security settings.

Wired Equivalent Privacy (WEP) is a deprecated security algorithm for IEEE 802.11 wireless networks.

CEH Lab Manual Page 822 Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Module 15 - Hacking Wireless Networks

Lab Tasks

Configure AirPcap

Download AirPcap drivers from the site and follow the wizard-driven installation steps to install AirPcap drivers.

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

You can download AirPcap drivers from http://www.a rdemon.net/ riverbed.html


FIGURE 1.1: Windows Server 2012 Desktop view

2. Click the AirPcap Control Panel app to open the AirPcap Control Panel window.

The AirPcap adapters can work in monitor mode. In this mode, the AirPcap adapter captures all of the frames that are transferred on a channel, not just frames that are addressed to it.

FIGURE 1.2: Windows Server 2012 Apps

3. The AirPcap Control Panel window appears.

The Multi-Channel Aggregator can be configured like any real AirPcap device, and therefore can have its own decryption, FCS checking and packet filtering settings.

FIGURE 1.3: AirPcap Control Panel window

4. On the Settings tab, click the Interface drop-down list and select AirPcap USB wireless capture adapter.

5. In the Basic Configuration section, select suitable Channel, Capture Type, and FCS Filter and check the Include 802.11 FCS in Frames check box.

In Basic Configuration box settings: Channel: The channels available in the Channel list box depend upon the selected adapter. Since channel numbers 14 in the 2.4GHz and 5GHz bands overlap and there are center frequencies (channels) that do not have channel numbers, each available channel is given by its center frequency.

FIGURE 1.4: AirPcap Control Panel window

6. Now, click the Keys tab. Check the Enable WEP Decryption check box. This enables the WEP decryption algorithm. You can Add New Key, Remove Key, Edit Key, and Move Key Up and Down.

7. After configuring settings and keys, click OK.

In Basic Configuration Settings: Extension Channel: For 802.11n adapters, one can use the Extension Channel list to create a wide channel. The choices are -1 (the preceding 20MHz frequency band), 0 (no extension channel), or +1 (the succeeding 20MHz frequency band). The channel of the additional frequency band is called the extension channel.

FIGURE 1.5: AirPcap Control Panel window

Capturing the packets

8. Launch Wireshark Network Analyzer. The Wireshark main window appears.

You can download Wireshark from http://www.wireshark.org.

FIGURE 1.6: Wireshark Network Analyzer main window

9. Configure AirPcap as an interface to Wireshark. Select Capture -> Interface... (Ctrl+I). You can also click the icon on the toolbar.

The following are some of the many features Wireshark provides, available for UNIX and Windows:
Capture live packet data from a network interface.
Display packets with very detailed protocol information.
Open and Save packet data captured.
Import and Export packet data from and to a lot of other capture programs.
Filter packets on many criteria.
Search for packets on many criteria.
Colorize packet display based on filters.
Create various statistics

FIGURE 1.7: Wireshark Network Analyzer with interface option

10. The Wireshark: Capture Interfaces window appears. By default, the AirPcap adapter is not in running mode. Select the Airpcap USB wireless capture adapter nr. 00 check box. Click Start.

Note: Wireshark isn't an intrusion detection system. It does not warn you when someone does things on your network that he/she isn't allowed to do. However, if strange things happen, Wireshark might help you figure out what is really going on.

FIGURE 1.8: Wireshark Capture Interface

11. Automatically, the Capturing from AirPcap USB wireless capture adapter nr. 00 - Wireshark window appears, and it starts capturing packets from AirPcap Adapter.

Wireshark can capture traffic from many different network media types - and despite its name - including wireless LAN as well. Which media types are supported depends on many things, such as the operating system you are using.

FIGURE 1.9: Wireshark Network Analyzer window with packets captured

12. Wait while Wireshark captures packets from AirPcap. If the Filter Toolbar option is not visible on the toolbar, select View -> Filter Toolbar. The Filter Toolbar appears.

Note: Wireshark doesn't benefit much from Multiprocessor/Hyperthread systems as time-consuming tasks, like filtering packets, are single threaded. No rule is without exception: During an update list of packets in real time capture, capturing traffic runs in one process and dissecting and displaying packets runs in another process, which should benefit from two processors.

Wireshark can open packets captured from a large number of other capture programs.

FIGURE 1.10: Wireshark Network Analyzer window with interface option

13. Now select View -> Wireless Toolbar. The wireless toolbar appears in the window.

Wireshark is a network packet analyzer that captures network packets and tries to display that packet data as detailed as possible.

FIGURE 1.11: Wireshark Network Analyzer window with wireless toolbar option

14. You will see the source and destination of the packet captured by Wireshark.

One possible alternative is to run tcpdump, or the dumpcap utility that comes with Wireshark, with superuser privileges to capture packets into a file, and later analyze these packets by running Wireshark with restricted privileges on the packet capture dump file.

FIGURE 1.12: Wireshark Network Analyzer window with 802.11 channel captured packets

15. After enough packet captures, stop Wireshark.

FIGURE 1.13: Stop Wireshark packet capture

16. Go to File from menu bar, and select Save.

The latest version is faster and contains a lot of new features, like APR (Arp Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks.

FIGURE 1.14: Save the captured packets

17. Enter the File name, and click Save.

FIGURE 1.15: Save the Captured packet file
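
For the lab objective of discovering WEP packets, the saved capture can also be audited offline to find which networks still rely on WEP. The following is an added example, not part of the original lab manual: it classifies raw 802.11 frames as WEP, WPA/WPA2 or open from the beacon Privacy bit and from the Extended IV bit of protected data frames. It assumes the radiotap/PPI capture header has already been stripped from each frame; the function names and the sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict

PRIVACY_CAP = 0x0010   # Capability Information field: Privacy bit
PROTECTED = 0x40       # Frame Control flags octet: Protected Frame bit
EXT_IV = 0x20          # 4th octet of the IV header: set by TKIP/CCMP, clear for WEP
WPA_PREFIX = bytes.fromhex("0050f201")   # vendor-specific element announcing WPA


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def elements(body):
    """Yield (element_id, data) pairs; stop quietly if the frame is truncated."""
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            return
        yield eid, body[i + 2:i + 2 + length]
        i += 2 + length


def classify(frame, has_fcs=False):
    """Return (bssid, label) for one raw 802.11 frame, or None when the frame
    carries no encryption evidence (control, null data, WDS, truncated)."""
    if has_fcs:            # capture taken with "Include 802.11 FCS in Frames"
        frame = frame[:-4]
    if len(frame) < 24:
        return None
    ftype, subtype, flags = (frame[0] >> 2) & 3, frame[0] >> 4, frame[1]

    if ftype == 0 and subtype == 8:               # management frame: beacon
        body = frame[24:]
        if len(body) < 12:
            return None
        (cap,) = struct.unpack_from("<H", body, 10)   # after timestamp + interval
        modern = any(eid == 48 or (eid == 221 and data.startswith(WPA_PREFIX))
                     for eid, data in elements(body[12:]))
        if not cap & PRIVACY_CAP:
            label = "open"
        else:
            label = "WPA/WPA2" if modern else "WEP"
        return mac(frame[16:22]), "beacon:" + label

    if ftype == 2 and not subtype & 0x4:          # data frame with a payload
        to_ds, from_ds = flags & 0x01, flags & 0x02
        if to_ds and from_ds:                     # 4-address frame: no single BSSID
            return None
        bssid = frame[4:10] if to_ds else frame[10:16] if from_ds else frame[16:22]
        if not flags & PROTECTED:
            return mac(bssid), "data:cleartext"
        hdr = 24
        if subtype & 0x8:                         # QoS Control, plus HT Control if Order set
            hdr += 2 + (4 if flags & 0x80 else 0)
        if len(frame) < hdr + 4:
            return None
        label = "TKIP/CCMP" if frame[hdr + 3] & EXT_IV else "WEP"
        return mac(bssid), "data:" + label
    return None


def wep_bssids(frames, has_fcs=False):
    """Map every BSSID with WEP evidence to the sorted labels seen for it."""
    seen = defaultdict(set)
    for frame in frames:
        result = classify(frame, has_fcs)
        if result:
            seen[result[0]].add(result[1])
    return {bssid: sorted(labels) for bssid, labels in seen.items()
            if any(label.endswith(":WEP") for label in labels)}


# --- constructed sample frames (illustrative, not from the lab capture) ---
def make_beacon(bssid, cap, extra=b""):
    b = bytes.fromhex(bssid)
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + b + b + b"\x00\x00"
    return header + bytes(8) + struct.pack("<HH", 100, cap) + b"\x00\x03lab" + extra


def make_data(bssid, station, flags, key_octet):
    b, s = bytes.fromhex(bssid), bytes.fromhex(station)
    header = bytes([0x08, flags, 0, 0]) + b + s + b + b"\x00\x00"
    return header + bytes([1, 2, 3, key_octet]) + b"\xaa" * 16


RSN = bytes([48, 2, 1, 0])    # minimal RSN element (version field only)
SAMPLE = [
    make_beacon("020000000001", 0x0411),              # Privacy, no RSN/WPA: WEP
    make_beacon("020000000002", 0x0411, RSN),         # Privacy + RSN: WPA2
    make_beacon("020000000003", 0x0401),              # Privacy clear: open
    make_data("020000000001", "0200000000aa", 0x41, 0x00),  # protected, ExtIV clear
    make_data("020000000002", "0200000000bb", 0x41, 0x20),  # protected, ExtIV set
    b"\xd4\x00\x00\x00" + bytes(6),                   # ACK control frame: ignored
]

if __name__ == "__main__":
    for bssid, labels in wep_bssids(SAMPLE).items():
        print(bssid, labels)
```

Pass has_fcs=True when the capture was taken with the Include 802.11 FCS in Frames option checked, as in step 5, so the trailing four octets are not parsed as frame content.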

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

Information Collected/Objectives Achieved
Used Adapter: AirPcap USB wireless capture adapter nr. 00
Result: Number of sniffed packets captured by Wireshark in network, which include: Packet Number, Time, Source, Destination, Protocol, and Info

Questions

1. Evaluate and determine the number of wireless cards supported by the wireless scanner.
2. Analyze and evaluate how AirPcap adapters operate.

Internet Connection Required: Yes / No
Platform Supported: Classroom


Cracking a WEP Network with Aircrack-ng for Windows

Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that recovers keys once enough data packets have been captured. It implements the standard FMS attack along with some optimisations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools.

Lab Scenario

Network administrators can take steps to help protect their wireless network from outside threats and attacks. Most hackers will post details of any loops or exploits online, and if they find a security hole, they will come in droves to test your wireless network with it. WEP is used for wireless networks. Always change your SSID from the default, before you actually connect the wireless router for the access point. If SSID broadcast is not disabled on an access point, a DHCP server should not be used to automatically assign IP addresses to wireless clients, because war driving tools can easily detect your internal IP addressing if the SSID broadcasts are enabled and DHCP is being used. As an ethical hacker and penetration tester of an organization, your IT director will assign you the task of testing wireless security, exploiting the flaws in WEP, and cracking the keys present in WEP of an organization. In this lab we discuss how WPA keys are cracked using standard attacks such as KoreK attacks and PTW attacks.


Tools demonstrated in this lab are available on D:\CEHTools\CEHv8 Module 15 Hacking Wireless Networks

Lab Objectives

The objective of this lab is to protect wireless network from attackers.

In this lab, you will learn how to crack WEP using various tools, capture network traffic, and analyze and detect wireless traffic.

Lab Environment

To execute the lab, you need:

Aircrack-ng located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\WEP-WPA Cracking Tools\Aircrack-ng\bin
This tool requires Administrative privileges to run
A client connected to a wireless access point
This lab requires AirPcap adapter installed on your machine. If you don't have this adapter please do not proceed with the lab

Note: Visit Backtrack home site http://www.backtrack-linux.org for a complete list of compatible Wi-Fi adapters.

Lab Duration

Time: 20 Minutes

Overview of Aircrack-ng

Note: Aireplay filter options: -b bssid: MAC address, access point.

A wireless network refers to any type of computer network that is wireless, and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves, such as radio waves, for the carrier, and this implementation usually takes place at the physical level or layer of the network.
Lab Task

Cracking a WEP Network

1. Launch Aircrack-ng GUI from D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap-Enabled Open Source tools\aircrack-ng-0.9-airpcap\bin by double-clicking Aircrack-ng GUI.exe.

2. Click the Airodump-ng tab.

Note: To start wlan0 in monitor mode type: airmon-ng start wlan0. To stop wlan0 type: airmon-ng stop wlan0.

FIGURE 2.1: Airodump-ng window

3. Click Launch. This will show the airodump window.

    airodump-ng 0.9 - (C) 2006 Thomas d'Otreppe
    Original work: Christophe Devine

    usage: airodump-ng <nic index> <nic type> <channel(s)> <output prefix> [ivs only flag]

    Known network adapters:
    1 AirPcap USB wireless capture adapter nr. 00

    Network interface index number ->

Note: To confirm that the card is in monitor mode, run the command iwconfig. You can then confirm the mode is monitor and the interface name.

FIGURE 2.2: Airodump-ng selecting adapter window

4. Type the Airpcap adapter index number as 0 and select all channels by typing 11. Press Enter.

    Network interface index number -> 0
    Channel(s): 1 to 14, 0 = all -> 11
    (note: if you specify the same output prefix, airodump will resume the capture session by appending data to the existing capture file)
    Output filename prefix ->

Note: Aircrack-ng option: -b bssid. Long version --bssid. Select the target network based on the access point's MAC address.

Note: For cracking WPA/WPA2 pre-shared keys, only a dictionary method is used. SSE2 support is included to dramatically speed up WPA/WPA2 key processing.

FIGURE 2.3: Airodump-ng selecting adapter window

5. It will prompt you for a file name. Enter Capture and press Enter.

    Output filename prefix -> capture
    (note: to save space and only store the captured WEP IVs, press y. The resulting capture file will only be useful for WEP cracking)
    Only write WEP IVs (y/n) ->

Note: When Aircrack-ng completes determining the key, it is presented to you in hexadecimal format such as KEY FOUND! [BF:53:9E:DB:37].

FIGURE 2.4: Airodump-ng selecting adapter window

Note: Airodump option: -f <msecs>: Time in ms between hopping channels.

6. Type y in Only write WEP IVs and press Enter.

Note: Aireplay filter option: -d dmac: MAC address, Destination.

FIGURE 2.5: Airodump-ng dumping the captured packets window

7. After pressing y it will display Wi-Fi traffic; leave it running for a few minutes.

Allow airodump-ng to capture a large number of packets (above 2,000,000).


Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Module 15 - Hacking Wireless Networks

[Screenshot: airodump-ng 0.9.3 on channel 11. The upper table lists access points (BSSID, PWR, Beacons, # Data, CH, MB, ENC, ESSID), including the WEP network NETGEAR on channel 11 with 224385 data packets; the lower table lists associated stations (BSSID, STATION, PWR, Packets, ESSID).]

FIGURE 2.6: Airodump-ng Channel listing window

Note: airmon-ng is a bash script designed to turn wireless cards into monitor mode. It auto-detects which card you have and runs the right commands. Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP IVs (Initialization Vectors) for the intent of using them with aircrack-ng.

9. Now close the window.

10. Go to Aircrack-ng and click Advanced Options.

FIGURE 2.7: Aircrack-ng options window

11. Click Choose and select the filename capture.ivs.

Note: This is a different file from the one you recorded; this file contains precaptured IVS keys. The path is D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap-Enabled Open Source tools\aircrack-ng-0.9-airpcap

Note: To save time capturing the packets, for your reference, the capture.ivs file (this capture.ivs file contains more than 200000 packets) is at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap-Enabled Open Source tools\aircrack-ng-0.9-airpcap.

12. After selecting the file, click Launch.


Note: To put your wireless card into monitor mode: airmon-ng start rausb0.

FIGURE 2.8: Aircrack-ng launch window

You may use this key without the in your wireless client connection prompt and specify that the key is in hexadecimal format to connect to the wireless network.

13. If you get enough captured packets, you will be able to crack the packets.

14. Select your target network from and press Enter.

    Opening D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap-Enabled Open Source tools\aircrack-ng-0.9-airpcap\capture.ivs
    Read 231344 packets.

    00:09:5B:AE:24:CC  WEP (231233 IVs)
    94:44:52:F2:45:0C  WEP (111 IVs)

    Index number of target network ? 1

FIGURE 2.9: Select target network

    Aircrack-ng 0.9.3
    [00:00:06] Tested 1 keys (got 164492 IVs)
    [table of key byte (KB), depth and byte(vote) columns]
    KEY FOUND! [ BF:53:9E:DB:37 ]
    Decrypted correctly: 100%

Note: Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng.

FIGURE 2.10: aircrack-ng with WEP crack key

Lab Analysis

Document the BSSID of the target wireless network, connected clients, and recovered WEP key. Analyze various Aircrack-ng attacks and their respective data packet generation rate.

Tool/Utility
Information Collected/Objectives Achieved
Number of packets captured: 224385
Cracked wireless adaptor name: NETGEAR
Output: Decrypted key BF:53:9E:DB:37

Questions

1. Analyze and evaluate how aircrack-ng operates.
2. Does the aircrack-ng suite support Airpcap Adapter?

Internet Connection Required: Yes / No
Platform Supported: iLabs

Sniffing the Network Using the OmniPeek Network Analyzer

OmniPeek is a standalone network analysis tool used to solve network problems.

Lab Scenario

Packet sniffing is a form of wire-tapping applied to computer networks. It came into vogue with Ethernet; this means that traffic on a segment passes by all hosts attached to that segment. Ethernet cards have a filter that prevents the host machine from seeing traffic addressed to other stations. Sniffing programs turn off the filter, and thus see everyone's traffic. Most of the hubs/switches allow the intruder to sniff remotely using SNMP, which has weak authentication. Using POP, IMAP, HTTP Basic, and telnet authentication, an intruder reads the password off the wire in cleartext. To be an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning. OmniPeek network analysis performs deep packet inspection, network forensics, troubleshooting, and packet and protocol analysis of wired and wireless networks. In this lab we discuss wireless packet analysis of captured packets.

Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 15 Hacking Wireless Networks

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.
Lab Environment

In this lab, you need:

Advanced OmniPeek Network Analyzer located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\Wi-Fi Packet Sniffer\OmniPeek Network Analyzer
You can also download the latest version of OmniPeek Network Analyzer from the link http://www.wildpackets.com
If you decide to download the latest version, then screenshots shown in the lab might differ
Run this tool in Windows Server 2008
A web browser and Microsoft .NET Framework 2.0 or later
Double-click OmniPeek682demo.exe and follow the wizard-driven installation steps to install OmniPeek
Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of OmniPeek Network Analyzer

Note: You can download OmniPeek Network Analyzer from http://www.wildpackets.com

OmniPeek Network Analyzer gives network engineers real-time visibility and expert analysis of each and every part of the network from a single interface, which includes Ethernet, Gigabit, 10 Gigabit, VoIP, Video to remote offices, and 802.11 a/b/g/n.
Lab Tasks

Analyzing WEP Packets

1. Launch OmniPeek by selecting Start > All Programs > Wildpackets OmniPeek Demo.

2. Click View sample files.

FIGURE 3.1: Omnipeek main window

3. Select WEP.pkt.

Note: OmniPeek gives network engineers real-time visibility and Expert Analysis into every part of the network from a single interface, including Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless, VoIP, and Video to remote offices.

FIGURE 3.2: Omnipeek Sample Files Window

4. It will open WEP.pkt in the window. Select Packets from the left pane.

FIGURE 3.3: TELNET-UnWEP packets Window

5. Double-click any of the packets in the right pane.

Note: Comprehensive network performance management and monitoring of entire enterprise networks, including network segments at remote offices.

FIGURE 3.4: TELNET-UnWEP packets analyzer

6. Click the right arrow to view the next packet.

Note: OmniPeek Connect manages an organization's Omnipliance and TimeLine network recorders, and provides all the console capabilities of OmniPeek Enterprise with the exception of local capture and VoIP call playback.

[OmniPeek decode of a WEP.pkt packet: packet information (Packet Number, Flags, Status, Packet Length, Timestamp, Data Rate, Channel, Signal Level, Signal dBm, Noise Level, Noise dBm) and the 802.11 MAC Header (Version, Type: %00 Management, Subtype: %1000 Beacon, Frame Control Flags), followed by the hex dump of the frame.]

FIGURE 3.5: TELNET-UnWEP packets frame window

7. Close the tab from the top and select different options from the right pane; click Graphs.

Note: OmniPeek Enterprise also provides advanced Voice and Video over IP functionality including signaling and Media analyses of voice and video, VoIP playback, voice and video Expert Analysis, Visual Expert, and more.

FIGURE 3.6: WEP Graphs window

8. Now traverse through all the options in the left pane of the window.
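The packet view opened in step 5 decodes each frame's 802.11 MAC header (version, type, subtype, frame control flags). The Python sketch below is an added example, not part of the lab manual or of OmniPeek: it performs the same decode on raw 802.11 frames and, for auditing a capture, flags data frames that still carry a WEP header. It assumes frames without a radiotap or HT Control header; all sample frames and MAC addresses are constructed.

```python
"""Decode the 802.11 Frame Control field and flag WEP-protected data frames.
Assumes raw 802.11 frames (no radiotap header, no HT Control field).
All sample frames and MAC addresses below are constructed."""
import struct
from collections import Counter

TYPES = {0: "Management", 1: "Control", 2: "Data"}
SUBTYPES = {(0, 8): "Beacon", (1, 13): "Acknowledgement", (2, 0): "Data",
            (2, 4): "Null function (no data)", (2, 8): "QoS Data"}
# Bit positions in the second Frame Control octet.
FLAG_BITS = [(0x01, "ToDS"), (0x02, "FromDS"), (0x04, "MoreFrag"),
             (0x08, "Retry"), (0x10, "PwrMgt"), (0x20, "MoreData"),
             (0x40, "Protected"), (0x80, "Order")]


def decode_frame_control(frame: bytes) -> dict:
    """Split the first two bytes of a frame into version/type/subtype/flags."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the Frame Control field")
    (fc,) = struct.unpack_from("<H", frame, 0)  # transmitted little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    return {
        "frame_control": fc,
        "version": fc & 0x3,
        "type": ftype,
        "subtype": subtype,
        "type_subtype": (ftype << 4) | subtype,  # Wireshark's combined value
        "name": SUBTYPES.get((ftype, subtype), TYPES.get(ftype, "Reserved")),
        "flags": [name for bit, name in FLAG_BITS if (fc >> 8) & bit],
    }


def data_header_length(info: dict) -> int:
    """MAC header length of a data frame before any encryption header."""
    length = 24
    if "ToDS" in info["flags"] and "FromDS" in info["flags"]:
        length += 6  # Address 4 is present in WDS frames
    if info["subtype"] & 0x8:
        length += 2  # QoS Control field
    return length


def classify_protection(frame: bytes) -> str:
    """Return not-data, cleartext, wep, tkip-or-ccmp or truncated."""
    info = decode_frame_control(frame)
    if info["type"] != 2:
        return "not-data"
    if "Protected" not in info["flags"]:
        return "cleartext"
    offset = data_header_length(info)
    if len(frame) < offset + 4:
        return "truncated"
    # Octet 4 of the security header: bit 5 is ExtIV. WEP (3-byte IV plus
    # key ID octet) leaves it clear; TKIP and CCMP set it.
    return "tkip-or-ccmp" if frame[offset + 3] & 0x20 else "wep"


def audit(frames) -> Counter:
    """Count frames per protection class, e.g. to spot legacy WEP traffic."""
    return Counter(classify_protection(f) for f in frames)


# --- constructed sample frames -------------------------------------------
AP = bytes.fromhex("020000000001")
STA = bytes.fromhex("020000000002")
BCAST = b"\xff" * 6


def data_frame(fc: bytes, sec_header: bytes, qos: bytes = b"") -> bytes:
    header = fc + b"\x00\x00" + AP + STA + BCAST + b"\x10\x00" + qos
    return header + sec_header + b"\xde\xad\xbe\xef" * 4  # dummy payload


ACK = bytes.fromhex("d4000000") + STA
BEACON = bytes.fromhex("80000000") + BCAST + AP + AP + b"\x00\x00"
OPEN_DATA = data_frame(bytes.fromhex("0801"), b"")
WEP_DATA = data_frame(bytes.fromhex("0841"), bytes.fromhex("a1b2c300"))
CCMP_DATA = data_frame(bytes.fromhex("0841"), bytes.fromhex("0100002000000000"))
QOS_CCMP = data_frame(bytes.fromhex("8841"), bytes.fromhex("0200002000000000"),
                      qos=b"\x00\x00")
SAMPLES = [ACK, BEACON, OPEN_DATA, WEP_DATA, CCMP_DATA, QOS_CCMP]

if __name__ == "__main__":
    for frame in SAMPLES:
        info = decode_frame_control(frame)
        print(f"0x{info['frame_control']:04X} {info['name']:<16} "
              f"{','.join(info['flags']) or '-':<16} {classify_protection(frame)}")
    print(dict(audit(SAMPLES)))
```

A non-zero "wep" count in the audit result means some client or access point in the capture is still using WEP and should be moved to WPA2 or later.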

Lab Analysis

Document the BSSID of the target wireless network, connected clients, and recovered WEP key. Analyze various Aircrack-ng attacks and their respective data packet generation rate.

Tool/Utility: OmniPeek Network Analyzer
Information Collected/Objectives Achieved
Packet Information: Packet Number, Flags, Status, Packet Length, Timestamp, Data Rate, Channel, Signal level, Signal dBm, Noise Level, Noise dBm, 802.11 MAC Header Details

Questions

1. Analyze and evaluate the list of captured packets.

Internet Connection Required: Yes / No
Platform Supported: Classroom, iLabs

