6. Kismet, Aircrack-ng, Aireplay
Kismet is a network detector, a packet sniffer, an intrusion detection system for 8211 wireless Lans. Kismet will work with any wireless card which supports Raw monitoring mode. It can sniff 811 A, 8211 B and G as well as N and even AC. The program runs under Linux freebsd netbsd, open Bsd, SD and Mac operating system. The client can also run the wireless card we typically use is under Linux because they’re cheap and very readily available, and I’ll show you several examples of that in the next couple of slides. Aircrack Ng is a software suite consisting of a network detector, a packet sniffer wep and Wpawpa, two pre shared key cracker and an analysis tool for 800 and 211 Wireless LAN.
It works with any wireless network interface controller who driver supports Raw monitoring mode and can sniff 800 and 211 A, Bgn and AC. The program runs under Linux and Windows port has been made to iPhone. Aircrack Ng is a fork of the original aircraft project and the Ng stands for Next Generation or New Generation. In order to generate the information that we need, a disassociate packet will repeatedly transmit spoofed disassociate packets with a target access point’s Mac address. A deauth packet is essentially the same, but with a deauthenticated packet it’s more effective than a disassociate.
Typically what we try and do is send a deauth packet message to an access point tied to a client IP address, thereby knocking the user offline and requiring reauthenticate give the attacker valuable insight into the reauthentication and handshaking that occurs. To mitigate such an attack, the access point can be set up to delay effects of deauthentication or disassociation, thereby giving the access point an opportunity to observe the subsequent packet from a client.
If a data packet arrives after the deauthentication or disassociation packet is queued, that request is discarded since the legitimate client would never generate packets in that particular order. Then we have another tool in the suite of Air in G and it’s used to inject frames. The primary function is to generate traffic for the latter use in cracking air in G for the cracking of web and possibly WPA preshared keys. There are different attacks that can cause deauthentication for the purpose of capturing WPA handshake data fake authentications or interactive packet replay handcrafting arp request injection and Arp request reinjection.
7. EAP Types, EAP Advantages/DisAdvantages, Typical Wired/Wireless Network
Last in our process. We’re going to talk about the Extensible authentication protocol. Now, the Extensible Authentication Protocol, or Eap, is actually an authentication framework frequently used in wireless networks and point to point connection. It’s defined by RFC 37 48. Eap is an authentication framework providing for the transport and usage of keying material and parameters generated by the Eap measure methods. There are many methods defined by the RFCs and a number of vendors. Specific methods and even new proposals exist. Eap is not a wire protocol.
Instead, it only defines message formats. Each protocol that uses Eap defines a way to encapsulate Eap messages within that protocol’s message. Eap is actually in very wide use. For example, in the 8211, WiFi, WPA and WPA two standards have all adopted this with five Eap types as the official authentication mechanisms. Let’s just take a look at some of the popular ones. We have what’s called eap TLS. We need a public key certificate. We have a Supplicant, which is the network card, and it delivers dynamic key delivery very similar to how SSL does it.
The only problem is our identity could be exposed. Now, I want you to also notice that we have a public key certificate right here on Eap TTLs. We have the chat and dynamic key delivery. A man in the middle attack could happen here because we don’t have a certificate on both sides. If we have a certificate on both sides, a man in the middle attack cannot happen. Eap TTLs only has a certificate on the server side as well as peak, which would cause perhaps a man in the middle attack on the plus side. 802 One X detects entry to the network before the endpoint, has an IP address and can cause havoc on the network.
The drawbacks are typically tied to manageability to be effective. Eight two One X approach requires both management of every endpoint device and integration with a third party. All network devices must be configured for 802 One X and they must also integrate with the authentication server. Additionally, this approach often requires an upgrade of legacy networking equipment and operating systems. This is typical wired wireless network where we have a Wan, the wide area network, a DMZ and another firewall which consists of the land and our Supplicants inside of it.
8. Exercise/Assignment; Cracking WPA/WPA2 Password Preparation
Okay, folks, this is the cracking WPA WPA two Wireless Lab. I had a guy that used to live with me in college and after I showed him how you could do this, he said, you know what, if somebody lives in an apartment they’re an idiot for paying for wireless, for paying for Internet. Well, that’s not really ethical, but I guess he’s kind of more or less correct. There’s a lot of other things that could go wrong with that as well, but in some cases people just simply don’t use very strong passwords. So be that as it may, let’s go ahead and dive right into this. Now I’m going to show you right here the document that you’re going to be able to download. Now there’s a couple of prerequisites that you’re going to need to get.
First off, you’re going to need to have a cheap wireless access point. Now what I’m going to recommend that you use is I really like this one and, and what I really like about that is this W Wrt 55 AG gives you the capability of replacing the firmware and you can use a lot of different kinds on it. And look, it’s only $15 so I really like this particular one. You don’t want anything real elaborate, you want something pretty simple because we’re going to be doing something pretty simple, all right. And you don’t really want to use the one that is in your home because you’re going to be knocking people off and you’re going to make people mad.
You don’t want to use your neighbors because you’re going to make people mad. So these things aren’t very expensive guys. So just go ahead and invest in something. It’s not very expensive. It’s all I’ve got to say. All right. All right. The next thing we’re going to take a look at is this is absolutely no substitutions on this and I want you to take a look at this one and you’re going to want to make sure that you get this. What it is is this particular card right here. Okay? Now this card right here is the Alpha network card. All right? And it works fantastic. Now some people will say, well, I can use this card and I can go ahead and install a new driver inside of Collie. Don’t try it, learn from my pain.
It just simply doesn’t work. Especially if you’re using an ISO because every time you reboot you’re going to have to restart that driver. And if you know too much about Linux, it’s kind of like conducting a symphony and you add a tuba and the trumpet stops playing. And I’m using a little bit of an over analogy that the Linux guys may get a little angry at me, but sometimes it works that way. One driver steps on another driver or a library steps on another library, but please use one that already works inside of college. Linux, that’s my best set of advice to you. Look at the price 1899, you won’t have any problem, okay? So I will not help you unless you’re using this particular card.
Now I don’t really care what access points you’re using. I don’t want you to use one that you’d be using at work with extensible authentication protocol a Cisco, a real high end device because that more or less defeats what we’re trying to do. Okay? So what we’re going to do right here is we’re going to assign the card itself to Kali Linux. Now you may have even seen it come up on my machine where my machine has already grabbed that particular card. So what we’re going to do is make sure that we disconnect it from the host and assign it to Kali Linux. All right? So let’s go ahead and do that first.
Like I said, I’m going to go ahead and just get you started and then I’m going to pause the video and let you kind of work through it and then I’m going to come back and I’m going to work through the rest of it with you, see if you guys can figure it out. I’m going to give you a couple of tips and tricks, all right? So the first thing we’re going to do is we’re going to come up here under Kali Linux, we’re going to click on VM under Removable Devices and we’re going to look at the VM RTL thing and it says Connect disconnect from host. We’re going to connect it to our machine. All right? So we’re going to click on OK and with any luck right here it should connect to our machine.
Now the way that you’re able to detect that is there’s a couple of commands in collie, all right? You use iwconfig and you use if config So let’s start off and see if it detects iwconfig and lo and behold it sure tech has seen it. Now I want you to notice right here it’s assigned W land zero to it and I want you to also notice it’s in managed mode. Now managed mode means that it’s going to directly connect to an access point and to the card back and forth. We want to be like a gossiping neighbor where the neighbor over the fence says, what did you say? And where the neighbor might say and did you know she walked in the other day and that is not her wife.
We want to be very nosy and that type of nosy type neighbor is known as monitor mode. And so we need to take this and put that into monitor mode. Let’s first off see if Config is showing it. Now first off it is showing Wlan zero. So I’m going to need to take wlan zero and bring it down. So I’m going to type in ifconfig wlan zero down. Okay, let’s see what happens here. Jim, come on. All right, now with it down I can then type W mode monitor. All right, great. And then I’m going to type if config Wlan zero up. For some reason or another, it seems to take a little while for it to come back up. I don’t know why it ever does that, but it does.
It may take you well, I guess it’s pretty fast on this one. Okay. So that’s kind of the tricky part. All right, so I’m going to kind of pause right here and let you follow the lab from here on. All right? But I do want to give you a couple of clues. All right. I’m going to bring this back over and I want you to notice as we go down through here that we’re going to be using a dictionary to do this. Now, if you recall from the lecture, we have a couple of things that we’re going to use, all right? WPA and WPA two have utilized a nonce as well as a hash of the Mac address of the access point and a hash of the Mac address of the card. Okay.
They use all of those things and everything right there is transmitted over the air in clear text with the exception of the password. All right? So what we’re going to want to do is we’re going to want to either get someone to log on to the network or knock somebody off of this existing access point because if we knock them off, they’re automatically going to try and reauthenticate and we’re going to grab all those things back out of the air. And that’s called the handshake. And when we grab that handshake, we can then go ahead and try all of these different words in the word list, one after the other until one of them matches and we guessed that passphrase or that password.
All right. The thing that I wanted you to be aware of is that we’re going to need to utilize this word list, and that word list may be already zipped up. So the word list is called Rock U. All right, so let’s go ahead and take a look real quick. Now you’ll notice that it’s located right here under this Usrsharerocku txt. So let’s go ahead and just look underneath there and see if we can find it and see if it is indeed that way. So I’m going to type in LS right here. Rocku txt maybe. Yeah. All right. And so it should end up with a file called Rocku. Txt. And if I type it LS now, it sure tech did. All right.
And that file right there, if I were to cat out that file and cat in Linux is the same as type, you’re going to see, boy, it’s going to go on. That thing is big. Okay. You’re going to need to make sure that that word that you use to set the password in is in that file. So if not, it’s never going to crack. It so I’m going to assume mine is. So we’re going to go ahead and let you go ahead and try this. And I’m going to pause the thing right here, and then we’re going to pick back up where we left off here. Okay?
9. Exercise/Assignment; Cracking WPA/WPA2 Password – Solution
Okay, let’s see if we can pick up where we left off here. Now, where we left off, we went ahead and put the card into Monitor Mode. So let’s go ahead and check that iwconfig and you can see it is indeed in Monitor Mode. And I’m going to add actually type in Airmang, and you can see that I have the Wlan Zero, and I have all of that information. Great, perfect. I also want to due start W land Zero. All right, now what’s going to happen here is PID stands for Process ID. And what I want to do is I want to kill any processes that are associated with the Airman or the Wlan Zero in reality. So I’m going to kill those off.
So what I’m going to do is I’m just going to simply type in Kill, and I’m going to list any processes that I want to kill. So I’m going to kill 450. All right? Then I’m going to kill 634. All right? And then I’m going to kill 62, 75. All right, now sometimes let’s see, try that one more time. 62, 75. Okay.Sometimes it’ll come back and say no such process. What ends up happening is one process kills the second process so we don’t have to end up killing them all. This ends up giving us a lot better results when we do this. So the next thing I’m going to do is I’m going to type Arrowdump in G and I’m going to type in Wlan Zero, all right? And what’s going to happen right here is it’s going to list for me all of the access points.
Now, the access point that I’m going to try and get access to is this one called Ecsa, and that’s the one that I’m going to utilize, all right? So I’m going to need to get a couple of things here. The first thing I need to find out on it is what channel it’s on. It looks like it’s going to be on channel Six, all right? And so I’m going to actually just open up Notepad and I’m just going to jot down a couple of things, all right? So I’m going to basically say that all of this kind of stuff right here and I’m going to say Arrow Dump, it was on channel six, and I’m going to start it with a W. And I’m going to use the word capture. All right? BSSID happens to be the Mac address, and the BSSID right here happens to be this one right here. There we go.