You're reading from BackTrack 5 Wireless Penetration Testing Beginner's Guide

Product type: Book
Published in: Sep 2011
Publisher: Packt
ISBN-13: 9781849515580
Edition: 1st Edition

Author: Vivek Ramachandran

Vivek Ramachandran has been working on Wi-Fi security since 2003. He discovered the Caffe Latte attack and also broke WEP Cloaking, a WEP protection schema, publicly in 2007 at DEF CON. In 2011, he was the first to demonstrate how malware could use Wi-Fi to create backdoors, worms, and even botnets. Earlier, Vivek was one of the programmers of the 802.1x protocol and Port Security in Cisco's 6500 Catalyst series of switches, and he was also one of the winners of the Microsoft Security Shootout contest held in India among a reported 65,000 participants. He is best known in the hacker community as the founder of SecurityTube.net, where he routinely posts videos on Wi-Fi security, assembly language, exploitation techniques, and so on. SecurityTube.net receives over 100,000 unique visitors a month. Vivek's work on wireless security has been quoted in BBC Online, InfoWorld, MacWorld, The Register, IT World Canada, and so on. This year, he will speak or train at a number of security conferences, including Blackhat, DEF CON, Hacktivity, 44con, HITB-ML, BruCON Derbycon, Hashdays, SecurityZone, and SecurityByte.

Chapter 7. Advanced WLAN Attacks

Note

"To know your enemy, you must become your enemy."

Sun Tzu, Art of War

As a penetration tester, it is important to know the advanced attacks a hacker could do, even if you might not check or demonstrate them during a penetration test. This chapter is dedicated to how a hacker could conduct advanced attacks using wireless access as the starting point.

In this chapter, we will look at how we can conduct advanced attacks using what we have learned till now. We will primarily focus on Man-in-the-Middle (MITM) attack, which requires a certain amount of skill and practice to conduct successfully. Once we have done this, we will use this MITM attack as a base to conduct more sophisticated attacks such as Eavesdropping and Session Hijacking.

We will cover the following:

  • Man-in-the-Middle attack

  • Wireless Eavesdropping using MITM

  • Session Hijacking using MITM

Man-in-the-Middle attack


MITM attacks are probably one of the most potent attacks on a WLAN system. There are different configurations that can be used to conduct the attack. We will use the most common one: the attacker is connected to the Internet using a wired LAN and creates a fake access point on his client card. This access point broadcasts an SSID similar to that of a local hotspot in the vicinity. A user may accidentally connect to this fake access point (or can be forced to, using the higher-signal-strength principle we discussed in the previous chapters) and may continue to believe that he is connected to the legitimate access point.

The attacker can now transparently forward all the user's traffic to the Internet using the bridge he has created between the wired and wireless interfaces.

In the following lab exercise, we will simulate this attack.

Time for action – Man-in-the-Middle attack


Follow these instructions to get started:

  1. To create the Man-in-the-Middle attack setup, we will first create a soft access point called mitm on the hacker laptop using airbase-ng. We run the command airbase-ng --essid mitm -c 11 mon0:

  2. It is important to note that airbase-ng, when run, creates an interface at0 (a tap interface). Think of this as the wired-side interface of our software-based access point mitm.

  3. Let us now create a bridge on the hacker laptop consisting of the wired interface (eth0) and the wireless interface (at0). The commands used for this, in order, are brctl addbr mitm-bridge, brctl addif mitm-bridge eth0, brctl addif mitm-bridge at0, ifconfig eth0 0.0.0.0 up, and ifconfig at0 0.0.0.0 up:

  4. We can assign an IP address to this bridge and check connectivity with the gateway. Please note that we could do the same using DHCP as well. We assign an IP address to the bridge interface with the command ifconfig mitm-bridge 192.168.0.199 up. We can...

Wireless Eavesdropping using MITM


In the previous lab, we learned how to create a setup for MITM. Now we will look at how to do wireless eavesdropping with this setup.

The whole lab revolves around the principle that all the victim's traffic is now routed through the attacker's computer. Thus, the attacker can eavesdrop on all the traffic sent to and from the victim's machine over wireless.

Time for action – wireless eavesdropping


Follow these instructions to get started:

  1. Replicate the entire setup as in the previous lab and fire up Wireshark. It is interesting to note that even the mitm-bridge interface shows up; sniffing on it would let us peer into the bridge traffic, if we wanted to:

  2. Start sniffing on the at0 interface, so that we can monitor all traffic sent and received by the wireless client:

  3. On the wireless client, open any web page. In my case, the wireless access point is also connected to the LAN, and I will open its management page using the address http://192.168.0.1:

  4. Sign in with the password and enter the management interface.

  5. In Wireshark, we should be seeing a lot of activity:

  6. Set a filter for HTTP to see only the web traffic:

  7. We can easily locate the HTTP POST request that was used to send the password to the wireless access point:

  8. Next is a magnified look at the preceding packet:

  9. Expanding the HTTP header lets us see that the password we entered is actually in plaintext...

Session Hijacking over wireless


One of the other interesting attacks we can build on top of MITM is application session hijacking. During an MITM attack, the victim's packets are sent to the attacker. It is now the attacker's responsibility to relay them to the legitimate destination and to relay the responses from the destination back to the victim. An interesting thing to note is that during this process the attacker can modify the data in the packets (if it is unencrypted and unprotected from tampering). This means he could modify, mangle, and even silently drop packets.

In this next example, we will look at DNS hijacking over wireless using the MITM setup. Then, using DNS hijacking, we will hijack the browser session to Google.com.

Time for action – session hijacking over wireless


  1. Set up the test exactly as in the Man-in-the-Middle attack lab. On the victim, let's fire up the browser and type in "google.com". Let us use Wireshark to monitor this traffic. Your screen should resemble the following:

  2. Apply a Wireshark filter for DNS; as we can see, the victim is making DNS requests for "google.com":

  3. In order to hijack the browser session, we will need to send fake DNS responses that resolve "google.com" to the hacker machine's IP address, 192.168.0.199. The tool we will use for this is called dnsspoof, and the syntax is dnsspoof -i mitm-bridge:

  4. Refresh the browser window. Now, as we can see through Wireshark, as soon as the victim makes a DNS request for any host (including google.com), dnsspoof replies:

  5. On the victim machine, we see an error that says "Connection Refused". This is because we have made the IP address for google.com 192.168.0.199, which is the hacker machine's IP, but there...
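The dnsspoof behaviour shown in steps 3 to 5 leaves a recognisable trace on the victim's side of the link: the forged reply races the resolver's real one for the same transaction id, and every name ends up resolving to the same bridge address. The following script is an added example, not code from the book, that looks for those signs in a constructed list of DNS responses; the 192.168.0.0/24 subnet and the bridge address 192.168.0.199 come from the chapter, while the transaction ids, the TEST-NET answer addresses and the .lab.local internal zone are assumptions.

```python
import ipaddress
from collections import defaultdict

# The MITM lab assigns 192.168.0.199 to the attacker's bridge on the 192.168.0.0/24
# wireless subnet; only names under these suffixes may legitimately resolve into it.
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")
INTERNAL_SUFFIXES = (".lab.local",)  # assumed internal DNS zone, not from the book

# Constructed DNS response records (time, transaction id, queried name, answer IP), the
# fields a capture export would give. Each external name first receives a forged reply
# pointing at the bridge, then the resolver's real answer (TEST-NET addresses stand in).
SAMPLE_RESPONSES = [
    (1.000, 0x1A2B, "google.com", "192.168.0.199"),
    (1.030, 0x1A2B, "google.com", "203.0.113.10"),
    (1.500, 0x1A2C, "www.google.com", "192.168.0.199"),
    (1.520, 0x1A2C, "www.google.com", "203.0.113.11"),
    (2.000, 0x1A2D, "mail.example.com", "192.168.0.199"),
    (2.030, 0x1A2D, "mail.example.com", "203.0.113.12"),
    (3.000, 0x1A2E, "intranet.lab.local", "192.168.0.10"),  # legitimate local answer
]


def detect_dns_spoofing(responses, local_net=LOCAL_NET, internal=INTERNAL_SUFFIXES, min_names=3):
    """Return three indicators of a dnsspoof-style attack seen in DNS responses:
    two different answers for one transaction id (forged reply racing the real one),
    one address answering for many unrelated names, and external names resolving
    into the local wireless subnet."""
    answers_by_query = defaultdict(set)
    names_by_answer = defaultdict(set)
    local_for_external = []
    for _ts, txid, qname, answer in responses:
        answers_by_query[(txid, qname)].add(answer)
        names_by_answer[answer].add(qname)
        if ipaddress.ip_address(answer) in local_net and not qname.endswith(internal):
            local_for_external.append((qname, answer))
    conflicting = sorted(q for (_t, q), a in answers_by_query.items() if len(a) > 1)
    wildcard = sorted(((ip, sorted(n)) for ip, n in names_by_answer.items() if len(n) >= min_names),
                      key=lambda pair: pair[0])
    return {"conflicting_answers": conflicting, "wildcard_answers": wildcard,
            "local_for_external": local_for_external}
```

On a real network the same checks can be run over a tshark export of the DNS responses seen on the wireless side; a single hit in any of the three lists is worth investigating.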

Finding security configurations on the client


In previous chapters, we have seen how to create honeypots for open, WEP-protected, and WPA access points, but when we are in the field and see Probe Requests from the client, how do we know which kind of network the probed SSID belongs to?

Though this seems tricky at first, the solution to this problem is simple. We need to create access points advertising the same SSID but different security configurations simultaneously. When a roaming client searches for a network, it will automatically connect to the one of these access points that matches the network configuration stored on it.

So let the games begin!

Time for action – enumerating wireless security profiles


  1. We will assume that the wireless client has a network Wireless Lab configured on it and that it actively sends Probe Requests for this network when it is not connected to any access point. In order to find the security configuration of this network, we will need to create multiple access points. For our discussion, we will assume that the client profile is one of: an open network, WEP protected, WPA-PSK, or WPA2-PSK. This means we will have to create four access points. To do this, we will first create four virtual interfaces, mon0 to mon3, by running the airmon-ng start wlan0 command multiple times:

  2. You can view all these newly created interfaces using the ifconfig -a command:

  3. Now we will create the Open AP on mon0:

  4. Let's create the WEP-protected AP on mon1:

  5. The WPA-PSK AP will be on mon2:

  6. WPA2-PSK AP will be on mon3:

  7. We can run airodump-ng on the same channel to ensure that all four access points are up and running, as shown:

  8. Now let's switch the...
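Seen from the defending side, both the mitm soft access point of the first lab and the four same-SSID honeypots above show up in a wireless survey as one ESSID beaconed by several BSSIDs with differing security settings. The following script is an added example, not part of the book, that parses airodump-ng's CSV output for that pattern; the CSV sample, the BSSIDs and the known-AP inventory are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in airodump-ng's CSV layout (not a real capture): four BSSIDs beacon
# "Wireless Lab" with four security settings, as the honeypot lab above produces.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:00:00:00:00:01, 2011-09-01 10:00:00, 2011-09-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -40, 120, 0, 0. 0. 0. 0, 12, Wireless Lab, 
02:00:00:00:00:02, 2011-09-01 10:01:00, 2011-09-01 10:05:00, 11, 54, OPN, , , -35, 98, 0, 0. 0. 0. 0, 12, Wireless Lab, 
02:00:00:00:00:03, 2011-09-01 10:01:00, 2011-09-01 10:05:00, 11, 54, WEP, WEP, , -36, 97, 0, 0. 0. 0. 0, 12, Wireless Lab, 
02:00:00:00:00:04, 2011-09-01 10:01:00, 2011-09-01 10:05:00, 11, 54, WPA, TKIP, PSK, -37, 95, 0, 0. 0. 0. 0, 12, Wireless Lab, 
02:00:00:00:00:05, 2011-09-01 10:00:00, 2011-09-01 10:05:00, 6, 54, WPA2, CCMP, PSK, -60, 80, 0, 0. 0. 0. 0, 11, Coffee Shop, 
"""

# Assumed inventory of the organisation's own access-point BSSIDs.
KNOWN_APS = {"02:00:00:00:00:01"}


def parse_airodump_csv(text):
    """Return the access-point rows of an airodump-ng CSV as dicts keyed by header name."""
    rows, header = [], None
    for raw in csv.reader(io.StringIO(text)):
        cells = [c.strip() for c in raw]
        if not any(cells):
            continue
        if cells[0] == "BSSID":          # header of the access-point section
            header = cells
        elif cells[0] == "Station MAC":  # start of the client section: stop here
            break
        elif header and len(cells) >= len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def find_evil_twins(rows, known_aps):
    """Flag ESSIDs beaconed with more than one security setting, or by unknown BSSIDs
    alongside a known one. A lone unknown network is just a neighbour, not a twin."""
    by_essid = defaultdict(list)
    for row in rows:
        by_essid[row["ESSID"]].append(row)
    alerts = {}
    for essid, aps in by_essid.items():
        privacy = sorted({ap["Privacy"] for ap in aps})
        unknown = sorted(ap["BSSID"] for ap in aps if ap["BSSID"] not in known_aps)
        if len(privacy) > 1 or (unknown and len(unknown) < len(aps)):
            alerts[essid] = {"privacy": privacy, "unknown_bssids": unknown}
    return alerts
```

Feeding the script the CSV that airodump-ng writes with its -w option turns the survey in step 7 into a periodic check for rogue access points impersonating your own SSIDs.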

Summary


In this chapter, we learned how to conduct advanced attacks using wireless as the base. We created a setup for MITM over wireless and then used it to eavesdrop on the victim's traffic. We then used the same setup to hijack the victim's application layer (web traffic, to be specific) using a DNS poisoning attack.

In the next chapter, we will learn how to conduct a wireless penetration test right from the planning, discovery, and attack stages through to the reporting stage. We will also touch upon best practices to secure WLANs.
