BackTrack 5 Wireless Penetration Testing Beginner's Guide. Packt


Vivek Ramachandran

Master bleeding edge wireless testing techniques with BackTrack 5

Learn by Doing : Less Theory, More Result


About the Author
Vivek Ramachandran has been working on Wi-Fi security since 2003. He discovered the Caffe Latte attack and also broke WEP Cloaking, a WEP protection schema, publicly in 2007 at Defcon. In 2011, Vivek was the first to demonstrate how malware could use Wi-Fi to create backdoors, worms, and even botnets.
Earlier, he was one of the programmers of the 802.1x protocol and Port Security in Cisco's 6500 Catalyst series of switches, and was also one of the winners of the Microsoft Security Shootout contest held in India among a reported 65,000 participants. He is best known in the hacker community as the founder of http://www.SecurityTube.net/ where he routinely posts videos on Wi-Fi security, assembly language, exploitation techniques, and so on. SecurityTube.net receives over 100,000 unique visitors a month.
Vivek's work on wireless security has been quoted in BBC online, InfoWorld, MacWorld, The Register, IT World Canada, and so on. This year he is speaking or training at a number of security conferences, including BlackHat, Defcon, Hacktivity, 44con, HITB-ML, Brucon, Derbycon, HashDays, SecurityZone, SecurityByte, and so on.
I would like to thank my lovely wife for all the help and support during the book's writing process; my parents, grandparents, and sister for believing in me and encouraging me for all these years; and last but not least, I would like to thank all the users of SecurityTube.net who have always been behind me and supporting all my work. You guys rock!

About the Reviewer
Daniel W Dieterle has over 20 years' experience in the IT field. He has provided various levels of support to clients ranging from small businesses to Fortune 500 companies. Daniel enjoys computer security, runs the security blog CyberArms (http://cyberarms.wordpress.com/), and is a guest security author on https://Infosecisland.com/.
I would like to thank my beautiful wife and children for graciously giving me the time needed to assist with this book. Without their sacrifice, I would not have been able to be a part of this exciting project.

Wireless networks have become ubiquitous in today's world. Millions of people use them worldwide every day at their homes, offices, and public hotspots to log on to the Internet and do both personal and professional work. Even though wireless makes life incredibly easy and gives us great mobility, it comes with its risks. In recent times, insecure wireless networks have been exploited to break into companies, banks, and government organizations. The frequency of these attacks has only intensified, as network administrators are still unsure how to secure wireless in a robust and foolproof way.

BackTrack 5 Wireless Penetration Testing: Beginner's Guide is aimed at helping the reader understand the insecurities associated with wireless networks, and how to conduct penetration tests to find and plug them. This is an essential read for those who would like to conduct security audits on wireless networks and have always wanted a step-by-step practical guide for doing so. As every wireless attack explained in this book is immediately followed by a practical demo, the learning is very complete.

We have chosen BackTrack 5 as the platform to test all the wireless attacks in this book. BackTrack, as most of you may already be aware, is the world's most popular penetration testing distribution. It contains hundreds of security and hacking tools, some of which we will use in the course of this book.

What this book covers
Chapter 1, Wireless Lab Setup, introduces dozens of exercises that we will be doing in this book. In order to be able to try them out, the reader will need to set up a wireless lab. This chapter focuses on how to create a wireless testing lab using off the shelf hardware and open source software. We will first look at the hardware requirements which include wireless cards, antennas, access points, and other Wi-Fi-enabled devices, then we will shift our focus to the software requirements which include the operating system, Wi-Fi drivers, and security tools. Finally, we will create a test bed for our experiments and verify different wireless configurations on it.
Chapter 2, WLAN and its Inherent Insecurities, focuses on the inherent design flaws in wireless networks which make them insecure out of the box. We will begin with a quick recap of the 802.11 WLAN protocols using a network analyzer called Wireshark. This will give us a practical understanding of how these protocols work. Most importantly, we will see how client and access point communication works at the packet level by analyzing Management, Control, and Data frames. We will then learn about packet injection and packet sniffing in wireless networks, and look at some tools which enable us to do the same.
Chapter 3, Bypassing WLAN Authentication, talks about how to break a WLAN authentication mechanism! We will go step by step and explore how to subvert Open and Shared Key authentication. In the course of this, you will learn how to analyze wireless packets and figure out the authentication mechanism of the network. We will also look at how to break into networks with Hidden SSID and MAC Filtering enabled. These are two common mechanisms employed by network administrators to make wireless networks more stealthy and difficult to penetrate; however, they are extremely simple to bypass.
Chapter 4, WLAN Encryption Flaws, discusses one of the most vulnerable parts of the WLAN protocol: the encryption schemas WEP, WPA, and WPA2. Over the past decade, hackers have found multiple flaws in these schemas and have written publicly available software to break them and decrypt the data. Even though WPA/WPA2 is secure by design, misconfiguring it opens up security vulnerabilities which can be easily exploited. In this chapter, we will understand the insecurities in each of these encryption schemas and do practical demos on how to break them.
Chapter 5, Attacks on the WLAN Infrastructure, shifts our focus to WLAN infrastructure vulnerabilities. We will look at the vulnerabilities created by both configuration and design problems. We will do practical demos of attacks such as access point MAC spoofing, bit flipping and replay attacks, rogue access points, fuzzing, and denial of service. This chapter will give the reader a solid understanding of how to do a penetration test of the WLAN infrastructure.
Chapter 6, Attacking the Client, opens your eyes if you have always believed that wireless client security was something you did not have to worry about! Most people exclude the client from their list when they think about WLAN security. This chapter will prove beyond doubt why the client is just as important as the access point when penetration testing a WLAN network. We will look at how to compromise security using client-side attacks such as mis-association, Caffe Latte, disassociation, ad-hoc connections, fuzzing, honeypots, and a host of others.
Chapter 7, Advanced WLAN Attacks, looks at more advanced attacks, as we have already covered most of the basic attacks on both the infrastructure and the client. These attacks typically involve using multiple basic attacks in conjunction to break security in more challenging scenarios. Some of the attacks which we will learn include wireless device fingerprinting, man-in-the-middle over wireless, evading wireless intrusion detection and prevention systems, rogue access points operating using a custom protocol, and a couple of others. This chapter presents the absolute bleeding edge in wireless attacks out in the real world.
Chapter 8, Attacking WPA Enterprise and RADIUS, graduates the user to the next level by introducing advanced attacks on WPA-Enterprise and the RADIUS server setup. These attacks will come in handy when the reader has to perform a penetration test on large enterprise networks which rely on WPA-Enterprise and RADIUS authentication to provide them with security. This is probably as advanced as Wi-Fi attacks can get in the real world.
Chapter 9, Wireless Penetration Testing Methodology, is where all the learning from the previous chapters comes together, and we will look at how to do a wireless penetration test in a systematic and methodical way. We will learn about the various phases of penetration testing (planning, discovery, attack, and reporting) and apply them to wireless penetration testing. We will also understand how to propose recommendations and best practices after a wireless penetration test.
Appendix A, Conclusion and Road Ahead, concludes the book and leaves the user with some pointers for further reading and research.

What you need for this book
To follow and recreate the practical exercises in this book, you will need two laptops with built-in Wi-Fi cards, an Alfa AWUS036H USB wireless Wi-Fi adapter, BackTrack 5, and some other hardware and software. We have detailed this in Chapter 1, Wireless Lab Setup.
As an alternative to the two-laptop setup, you could also create a virtual machine housing BackTrack 5 and connect the card to it over the USB interface. This will help you get started with using this book much faster, but we would recommend a dedicated machine running BackTrack 5 for actual assessments in the field.

As a prerequisite, readers should be aware of the basics of wireless networks. This includes having prior knowledge of the basics of the 802.11 protocol and client-access point communication. Though we will briefly touch upon some of this when we set up the lab, it is expected that the user is already aware of these concepts.

Who this book is for
Though this book belongs to the Beginner's series, it is meant for all levels of users, from amateurs right through to wireless security experts. There is something for everyone. The book starts with simple attacks but then moves on to explain the more complicated ones, and finally discusses bleeding edge attacks and research. As all attacks are explained using practical demonstrations, it is very easy for readers at all levels to quickly try the attacks out for themselves. Please note that even though the book highlights the different attacks which can be launched against a wireless network, the real purpose is to educate the user to become a wireless penetration tester. An adept penetration tester would understand all the attacks out there and would be able to demonstrate them with ease, if requested by his client.

Table of Contents
Preface 1
Chapter 1: Wireless Lab Setup 7
Hardware requirements 8
Software requirements 8
Installing BackTrack 8
Time for action – installing BackTrack 9
Setting up the access point 12
Time for action – configuring the access point 12
Setting up the wireless card 15
Time for action – configuring your wireless card 16
Connecting to the access point 17
Time for action – configuring your wireless card 18
Summary 22
Chapter 2: WLAN and Its Inherent Insecurities 23
Revisiting WLAN frames 24
Time for action – creating a monitor mode interface 26
Time for action – sniffing wireless packets 29
Time for action – viewing Management, Control, and Data frames 32
Time for action – sniffing data packets for our network 36
Time for action – packet injection 40
Important note on WLAN sniffing and injection 42
Time for action – experimenting with your Alfa card 42
Role of regulatory domains in wireless 45
Time for action – experimenting with your Alfa card 45
Summary 49
Chapter 3: Bypassing WLAN Authentication 51
Hidden SSIDs 51
Time for action – uncovering hidden SSIDs 52
MAC filters 57
Time for action – beating MAC filters 57
Open Authentication 60
Time for action – bypassing Open Authentication 60
Shared Key Authentication 62
Time for action – bypassing Shared Authentication 63
Summary 71
Chapter 4: WLAN Encryption Flaws 73
WLAN encryption 73
WEP encryption 74
Time for action – cracking WEP 74
Time for action – cracking WPA-PSK weak passphrase 85
Speeding up WPA/WPA2 PSK cracking 89
Time for action – speeding up the cracking process 90
Decrypting WEP and WPA packets 94
Time for action – decrypting WEP and WPA packets 94
Connecting to WEP and WPA networks 96
Time for action – connecting to a WEP network 96
Time for action – connecting to a WPA network 97
Summary 99
Chapter 5: Attacks on the WLAN Infrastructure 101
Default accounts and credentials on the access point 101
Time for action – cracking default accounts on the access points 102
Denial of service attacks 104
Time for action – De-Authentication DoS attack 104
Evil twin and access point MAC spoofing 107
Time for action – evil twin with MAC spoofing 108
Rogue access point 112
Time for action – Rogue access point 112
Summary 116
Chapter 6: Attacking the Client 117
Honeypot and Mis-Association attacks 118
Time for action – orchestrating a Mis-Association attack 118
Caffe Latte attack 124
Time for action – conducting the Caffe Latte attack 124
De-Authentication and Dis-Association attacks 129
Time for action – De-Authenticating the client 129
Hirte attack 133
Time for action – cracking WEP with the Hirte attack 133
AP-less WPA-Personal cracking 135
Time for action – AP-less WPA cracking 137
Summary 140
Chapter 7: Advanced WLAN Attacks 141
Man-in-the-Middle attack 141
Time for action – Man-in-the-Middle attack 142
Wireless Eavesdropping using MITM 147
Time for action – wireless eavesdropping 147
Session Hijacking over wireless 152
Time for action – session hijacking over wireless 153
Finding security configurations on the client 156
Time for action – enumerating wireless security profiles 157
Summary 161
Chapter 8: Attacking WPA-Enterprise and RADIUS 163
Setting up FreeRadius-WPE 163
Time for action – setting up the AP with FreeRadius-WPE 164
Attacking PEAP 168
Time for action – cracking PEAP 168
Attacking EAP-TTLS 173
Time for action – cracking EAP-TTLS 174
Security best practices for Enterprises 176
Summary 177
Chapter 9: WLAN Penetration Testing Methodology 179
Wireless penetration testing 179
Planning 180
Discovery 180
Time for action – discovering wireless devices 181
Attack 183
Finding rogue access points 183
Finding unauthorized clients 185
Cracking the encryption 186
Compromising clients 189
Reporting 191
Summary 192
Appendix A: Conclusion and Road Ahead 193
Wrapping up 193
Building an advanced Wi-Fi lab 194
Staying up-to-date 196
Conclusion 197
Appendix B: Pop Quiz Answers 199
Chapter 1, Wireless Lab Setup 199
Chapter 2, WLAN and its Inherent Insecurities 199
Chapter 3, Bypassing WLAN Authentication 200
Chapter 4, WLAN Encryption Flaws 200
Chapter 5, Attacks on the WLAN Infrastructure 200
Chapter 6, Attacking the Client 201
Chapter 7, Advanced WLAN Attacks 201
Chapter 8, Attacking WPA Enterprise and RADIUS 201
Chapter 9, Wireless Penetration Testing Methodology 202
Index 203


Product details
Pages: 220
File size: 16,991 KB
File type: PDF
Publisher: Packt Publishing, 2011