BackTrack 5 Wireless Penetration Testing Beginner's Guide

Product type: Book
Published in: Sep 2011
Publisher: Packt
ISBN-13: 9781849515580
Pages: 220
Edition: 1st Edition
Author: Vivek Ramachandran
Table of Contents (18 Chapters)

BackTrack 5 Wireless Penetration Testing
Credits
About the Author
About the Reviewer
www.PacktPub.com
Preface
1. Wireless Lab Setup
2. WLAN and Its Inherent Insecurities
3. Bypassing WLAN Authentication
4. WLAN Encryption Flaws
5. Attacks on the WLAN Infrastructure
6. Attacking the Client
7. Advanced WLAN Attacks
8. Attacking WPA-Enterprise and RADIUS
9. WLAN Penetration Testing Methodology
Conclusion and Road Ahead
Pop Quiz Answers
Index

Chapter 3. Bypassing WLAN Authentication

Note

"A false sense of security is worse than being unsure."

Anonymous

A false sense of security is worse than being insecure, as you may not be prepared to face the eventuality of being hacked.

WLANs have weak authentication schemas, which can be easily broken and bypassed. In this chapter, we will look at the various authentication schemas used in WLANs and learn how to beat them.

In this chapter, we will look at the following:

  • Uncovering hidden SSIDs

  • Beating MAC filters

  • Bypassing Open Authentication

  • Bypassing Shared Key Authentication

Hidden SSIDs


In the default configuration, all access points send out their SSIDs in the Beacon frames. This allows clients in the vicinity to discover them easily. A hidden SSID is a configuration in which the access point does not broadcast its SSID in the Beacon frames. Thus, only clients which already know the SSID of the access point can connect to it.

Unfortunately, this measure does not provide robust security, but most network administrators think it does. We will now look at how to uncover hidden SSIDs.

Time for action – uncovering hidden SSIDs


Follow these instructions to get started:

  1. Using Wireshark, if we monitor the Beacon frames of the Wireless Lab network, we are able to see the SSID in plain text. You should see Beacon frames as shown in the following screenshot:

  2. Configure your access point to set the Wireless Lab network as a hidden SSID. The actual configuration option to do this may differ across access points. In my case, I need to check the Invisible option in the Visibility Status option as shown next:

  3. Now if you look at the Wireshark trace, you will find that the SSID Wireless Lab has disappeared from the Beacon frames. This is what hidden SSIDs are all about:

  4. In order to bypass them, first we will use the passive technique of waiting for a legitimate client to connect to the access point. This will generate Probe Request and Probe Response packets which contain the SSID of the network, thus revealing its presence:

  5. Alternatively, you can use aireplay-ng to send Deauthentication...

MAC filters


MAC filters are an age-old technique used for authentication and authorization and have their roots in the wired world. Unfortunately, they fail miserably in the wireless world.

The basic idea is to authenticate based on the MAC address of the client. This list of allowed MAC addresses is maintained by the network administrator and fed into the access point. We will now look at how easy it is to bypass MAC filters.

Time for action – beating MAC filters


Let the games begin:

  1. Let us first configure our access point to use MAC filtering and then add the client MAC address of the victim laptop. The settings pages on my router look as follows:

  2. Once MAC filtering is enabled, only the allowed MAC addresses will be able to successfully authenticate with the access point. If we try to connect to the access point from a machine with a non-whitelisted MAC address, the connection will fail as shown next:

  3. Behind the scenes, the access point is sending Authentication failure messages to the client. The packet trace would resemble the following:

  4. In order to beat MAC filters, we can use airodump-ng to find the MAC addresses of clients connected to the access point. We can do this by issuing the command airodump-ng -c 11 -a --bssid 00:21:91:D2:8E:25 mon0. By specifying the bssid, we will only monitor the access point which is of interest to us. The -c 11 sets the channel to 11, where the access point is. The -a ensures that...

Open Authentication


The term Open Authentication is almost a misnomer, as it actually provides no authentication at all. When an access point is configured to use Open Authentication, it will successfully authenticate all clients which connect to it.

We will now do an exercise to authenticate and connect to an access point using Open Authentication.

Time for action – bypassing Open Authentication


Let us now look at how to bypass Open Authentication:

  1. We will first set our lab access point Wireless Lab to use Open Authentication. On my access point this is simply done by setting Security Mode to None:

  2. We then connect to this access point using the command iwconfig wlan0 essid "Wireless Lab" and verify that the connection has succeeded and that we are connected to the access point:

  3. Note that we did not have to supply any username / password / passphrase to get through Open Authentication.

What just happened?

This is probably the simplest hack so far. As you saw, it was trivial to get through Open Authentication and connect to the access point.

Shared Key Authentication


Shared Key Authentication uses a shared secret such as the WEP key to authenticate the client. The exact exchange of information is illustrated next (taken from http://www.netgear.com):

The wireless client sends an authentication request to the access point, which responds with a challenge. The client now needs to encrypt this challenge with the shared key and send it back to the access point, which decrypts it to check whether it can recover the original challenge text. If it succeeds, the client is successfully authenticated; otherwise the access point sends an authentication failed message.

The security problem here is that an attacker passively listening to this entire communication by sniffing the air has access to both the plain text challenge and the encrypted challenge. XORing the two together retrieves the keystream. This keystream can then be used to encrypt any future challenge sent by the access point, without needing to know the actual key.
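The four-frame exchange and the keystream recovery described above, simulated end to end with a real RC4 implementation. This is an added example, not code from the book: the key and IVs are constructed sample values, the 128-byte challenge follows the 802.11 standard, and the CRC-32 ICV is omitted. The final check shows a caveat the text does not spell out: the recovered keystream only works when the captured IV is replayed with it.

```python
import os

# Added example: WEP Shared Key Authentication with a real RC4 keystream.
# The 40-bit key and 24-bit IVs are constructed sample values, not from the book.
KEY = bytes.fromhex("0123456789")
IV = bytes.fromhex("a1b2c3")

def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, data: bytes) -> bytes:
    """WEP seeds RC4 with IV || key; the CRC-32 ICV is left out for brevity."""
    return xor(data, rc4(iv + key, len(data)))

def ap_verify(challenge: bytes, iv: bytes, response: bytes) -> bool:
    """Frame 4: the AP decrypts the response and compares it to its challenge."""
    return wep_encrypt(iv, KEY, response) == challenge

def run_exchange() -> dict:
    # Frames 1-2: the client asks to authenticate; the AP sends a 128-byte challenge.
    challenge = os.urandom(128)
    # Frame 3: the legitimate client returns the challenge encrypted under the
    # shared key, choosing the IV itself (WEP lets the sender pick the IV).
    response = wep_encrypt(IV, KEY, challenge)
    legit_ok = ap_verify(challenge, IV, response)
    # A passive listener saw frames 2 and 3: plaintext XOR ciphertext yields
    # 128 bytes of keystream for this IV, with no knowledge of the key.
    keystream = xor(challenge, response)
    # Replaying the captured IV, that keystream answers any fresh challenge.
    new_challenge = os.urandom(128)
    forged_ok = ap_verify(new_challenge, IV, xor(new_challenge, keystream))
    # Caveat: the keystream is tied to the IV, so it fails under another IV.
    other_iv = bytes.fromhex("d4e5f6")
    other_iv_ok = ap_verify(new_challenge, other_iv, xor(new_challenge, keystream))
    return {"legit": legit_ok, "forged": forged_ok, "other_iv": other_iv_ok}
```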

In this exercise, we will learn...

Time for action – bypassing Shared Authentication


Bypassing Shared Authentication is a bit more challenging than previous exercises, so follow the steps carefully.

  1. Let us first set up Shared Authentication for our Wireless Lab network. I have done this on my access point by setting the Security Mode as WEP and Authentication as Shared Key:

  2. Let us now connect a legitimate client to this network using the shared key we have set in step 1.

  3. In order to bypass Shared Key Authentication, we will first start sniffing packets between the access point and its clients. However, we would also like to log the entire shared authentication exchange. To do this we use airodump-ng with the command airodump-ng mon0 -c 11 --bssid 00:21:91:D2:8E:25 -w keystream. The -w option, which is new here, requests airodump-ng to store the packets in a file whose name is prefixed with the word "keystream". On a side note, it might be a good idea to store different sessions of packet captures in different files. This allows...

Summary


In this chapter, we have learnt the following about WLAN authentication:

  • Hidden SSIDs are a security-through-obscurity feature, which is relatively simple to beat.

  • MAC address filters do not provide any security as MAC addresses can be sniffed from the air from the wireless packets. This is possible because the MAC addresses are unencrypted in the packet.

  • Open Authentication provides no real authentication at all.

  • Shared Key Authentication is a bit tricky to beat, but with the help of the right tools we can derive and store the keystream, using which it is possible to answer all future challenges sent by the access point. The result is that we can authenticate without needing to know the actual key.

In the next chapter, we will look at different WLAN encryption mechanisms—WEP, WPA, and WPA2—and look at the insecurities which plague them.
