
BackTrack 5 Wireless Penetration Testing Beginner's Guide
Ebook, 399 pages, 2 hours


About this ebook

In Detail

Wireless has become ubiquitous in today's world. The mobility and flexibility it provides make our lives more comfortable and productive. But this comes at a cost: wireless technologies are inherently insecure and can be easily broken. BackTrack is a penetration testing and security auditing distribution that comes with a myriad of wireless networking tools used to simulate network attacks and detect security loopholes.

BackTrack 5 Wireless Penetration Testing Beginner's Guide will take you through the journey of becoming a wireless hacker. You will learn various wireless testing methodologies, taught using live examples that you will implement throughout this book. The engaging practical sessions grow in complexity very gradually, giving you enough time to ramp up before you get to advanced wireless attacks.

This book starts with the basic concepts in wireless and with creating a lab environment for your experiments, moves on to lab sessions covering wireless security basics, slowly turns up the heat with more complicated scenarios, and finally ends your journey by conducting bleeding-edge wireless attacks in your lab.

There are many interesting and new things that you will learn in this book: War Driving, WLAN packet sniffing, Network Scanning, Circumventing hidden SSIDs and MAC filters, bypassing Shared Authentication, Cracking WEP and WPA/WPA2 encryption, Access Point MAC spoofing, Rogue Devices, Evil Twins, Denial of Service attacks, Viral SSIDs, Honeypot and Hotspot attacks, the Caffe Latte WEP Attack, Man-in-the-Middle attacks, Evading Wireless Intrusion Prevention systems, and a bunch of other cutting-edge wireless attacks.

If you were ever curious about what wireless security and hacking was all about, then this book will get you started by providing you with the knowledge and practical know-how to become a wireless hacker.

Hands-on practical guide with a step-by-step approach to help you get started immediately with Wireless Penetration Testing

Approach

Written in Packt's Beginner's Guide format, this book lets you easily grasp the concepts and understand the techniques needed to perform wireless attacks in your lab. Every new attack is described in the form of a lab exercise with rich illustrations of all the steps involved. You will practically implement various attacks as you go along.

Who this book is for

If you are an IT security professional or a security consultant who wants to get started with wireless testing using BackTrack, or are just plain inquisitive about wireless security and hacking, then this book is for you. The book assumes that you have familiarity with BackTrack and basic wireless concepts.

Language: English
Release date: Sep 9, 2011
ISBN: 9781849515597
Author

Vivek Ramachandran

Vivek Ramachandran is a world-renowned security researcher and evangelist. He is the discoverer of the wireless "Caffe Latte Attack" and has delivered presentations at world-renowned information security conferences such as Defcon and Toorcon in the US. His discoveries and talks have been widely quoted by the international media, including BBC Online, Network World, The Register, Mac World, Computer Online, and others. In 2006, Microsoft declared Vivek one of the winners of the Microsoft Security Shootout Contest held in India among an estimated 65,000 participants. In 2005, he was awarded a team achievement award by Cisco Systems for his work on the 802.1x and Port Security modules. He is well known in the hacking and security community as the founder of SecurityTube.net, a free video-based computer security education portal which gets an estimated 100,000 monthly visitors. Vivek is also an accomplished trainer and travels around the world conducting workshops and training sessions for corporates and students. He holds a B.Tech degree from IIT Guwahati and acts as an advisor to the computer science department's Security Lab.


    BackTrack 5 Wireless Penetration Testing Beginner's Guide - Vivek Ramachandran

    Table of Contents

    BackTrack 5 Wireless Penetration Testing

    Credits

    About the Author

    About the Reviewer

    www.PacktPub.com

    Support files, eBooks, discount offers, and more

    Why Subscribe?

    Free Access for Packt account holders

    Preface

    What this book covers

    What you need for this book

    Who this book is for

    Conventions

    Time for action – heading

    What just happened?

    Pop quiz – heading

    Have a go hero – heading

    Reader feedback

    Customer support

    Errata

    Piracy

    Questions

    1. Wireless Lab Setup

    Hardware requirements

    Software requirements

    Installing BackTrack

    Time for action – installing BackTrack

    What just happened?

    Have a go hero – installing BackTrack on Virtual Box

    Setting up the access point

    Time for action – configuring the access point

    What just happened?

    Have a go hero – configuring the access point to use WEP and WPA

    Setting up the wireless card

    Time for action – configuring your wireless card

    What just happened?

    Connecting to the access point

    Time for action – configuring your wireless card

    What just happened?

    Have a go hero – establishing connection in WEP configuration

    Pop quiz – understanding the basics

    Summary

    2. WLAN and Its Inherent Insecurities

    Revisiting WLAN frames

    Time for action – creating a monitor mode interface

    What just happened?

    Have a go hero – creating multiple monitor mode interfaces

    Time for action – sniffing wireless packets

    What just happened?

    Have a go hero – finding different devices

    Time for action – viewing Management, Control, and Data frames

    What just happened?

    Have a go hero – playing with filters

    Time for action – sniffing data packets for our network

    What just happened?

    Have a go hero – analyzing data packets

    Time for action – packet injection

    What just happened?

    Have a go hero – installing BackTrack on Virtual Box

    Important note on WLAN sniffing and injection

    Time for action – experimenting with your Alfa card

    What just happened?

    Have a go hero – sniffing multiple channels

    Role of regulatory domains in wireless

    Time for action – experimenting with your Alfa card

    What just happened?

    Have a go hero – exploring regulatory domains

    Pop quiz – WLAN packet sniffing and injection

    Summary

    3. Bypassing WLAN Authentication

    Hidden SSIDs

    Time for action – uncovering hidden SSIDs

    What just happened?

    Have a go hero – selecting Deauthentication

    MAC filters

    Time for action – beating MAC filters

    What just happened?

    Open Authentication

    Time for action – bypassing Open Authentication

    What just happened?

    Shared Key Authentication

    Time for action – bypassing Shared Authentication

    What just happened?

    Have a go hero – filling up the access point's tables

    Pop quiz – WLAN authentication

    Summary

    4. WLAN Encryption Flaws

    WLAN encryption

    WEP encryption

    Time for action – cracking WEP

    What just happened?

    Have a go hero – fake authentication with WEP cracking

    WPA/WPA2

    Time for action – cracking WPA-PSK weak passphrase

    What just happened?

    Have a go hero – trying WPA-PSK cracking with Cowpatty

    Speeding up WPA/WPA2 PSK cracking

    Time for action – speeding up the cracking process

    What just happened?

    Decrypting WEP and WPA packets

    Time for action – decrypting WEP and WPA packets

    What just happened?

    Connecting to WEP and WPA networks

    Time for action – connecting to a WEP network

    What just happened?

    Time for action – connecting to a WPA network

    What just happened?

    Pop quiz – WLAN encryption flaws

    Summary

    5. Attacks on the WLAN Infrastructure

    Default accounts and credentials on the access point

    Time for action – cracking default accounts on the access points

    What just happened?

    Have a go hero – cracking accounts using bruteforce attacks

    Denial of service attacks

    Time for action – De-Authentication DoS attack

    What just happened?

    Have a go hero – Dis-Association attacks

    Evil twin and access point MAC spoofing

    Time for action – evil twin with MAC spoofing

    What just happened?

    Have a go hero – evil twin and channel hopping

    Rogue access point

    Time for action – Rogue access point

    What just happened?

    Have a go hero – Rogue access point challenge

    Pop quiz – attacks on the WLAN infrastructure

    Summary

    6. Attacking the Client

    Honeypot and Mis-Association attacks

    Time for action – orchestrating a Mis-Association attack

    What just happened?

    Have a go hero – forcing a client to connect to the Honeypot

    Caffe Latte attack

    Time for action – conducting the Caffe Latte attack

    What just happened?

    Have a go hero – practice makes you perfect!

    De-Authentication and Dis-Association attacks

    Time for action – De-Authenticating the client

    What just happened?

    Have a go hero – Dis-Association attack on the client

    Hirte attack

    Time for action – cracking WEP with the Hirte attack

    What just happened?

    Have a go hero – practice, practice, practice

    AP-less WPA-Personal cracking

    Time for action – AP-less WPA cracking

    What just happened?

    Have a go hero – AP-less WPA cracking

    Pop quiz – attacking the client

    Summary

    7. Advanced WLAN Attacks

    Man-in-the-Middle attack

    Time for action – Man-in-the-Middle attack

    What just happened?

    Have a go hero – Man-in-the-Middle over pure wireless

    Wireless Eavesdropping using MITM

    Time for action – wireless eavesdropping

    What just happened?

    Have a go hero – finding Google searches

    Session Hijacking over wireless

    Time for action – session hijacking over wireless

    What just happened?

    Have a go hero – application hijacking challenge

    Finding security configurations on the client

    Time for action – enumerating wireless security profiles

    What just happened?

    Have a go hero – baiting clients

    Pop quiz – Advanced WLAN Attacks

    Summary

    8. Attacking WPA-Enterprise and RADIUS

    Setting up FreeRadius-WPE

    Time for action – setting up the AP with FreeRadius-WPE

    What just happened?

    Have a go hero – playing with RADIUS

    Attacking PEAP

    Time for action – cracking PEAP

    What just happened?

    Have a go hero – variations of attack on PEAP

    Attacking EAP-TTLS

    Time for action – cracking EAP-TTLS

    What just happened?

    Have a go hero – EAP-TTLS

    Security best practices for Enterprises

    Pop quiz – attacking WPA-Enterprise and RADIUS

    Summary

    9. WLAN Penetration Testing Methodology

    Wireless penetration testing

    Planning

    Discovery

    Time for action – discovering wireless devices

    What just happened?

    Attack

    Finding rogue access points

    Time for action – finding rogue access points

    What just happened?

    Finding unauthorized clients

    Time for action – unauthorized clients

    What just happened?

    Cracking the encryption

    Time for action – cracking WPA

    What just happened?

    Compromising clients

    Time for action – compromising the clients

    What just happened?

    Reporting

    Pop quiz – Wireless Penetration Testing

    Summary

    A. Conclusion and Road Ahead

    Wrapping up

    Building an advanced Wi-Fi lab

    Staying up-to-date

    Conclusion

    B. Pop Quiz Answers

    Chapter 1, Wireless Lab Setup

    Chapter 2, WLAN and its Inherent Insecurities

    Chapter 3, Bypassing WLAN Authentication

    Chapter 4, WLAN Encryption Flaws

    Chapter 5, Attacks on the WLAN Infrastructure

    Chapter 6, Attacking the Client

    Chapter 7, Advanced WLAN Attacks

    Chapter 8, Attacking WPA Enterprise and RADIUS

    Chapter 9, Wireless Penetration Testing Methodology

    Index

    BackTrack 5 Wireless Penetration Testing

    Copyright © 2011 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    First published: September 2011

    Production Reference: 1300811

    Published by Packt Publishing Ltd.
    Livery Place
    35 Livery Street
    Birmingham B3 2PB, UK.

    ISBN 978-1-849515-58-0

    www.packtpub.com

    Cover Image by Asher Wishkerman (<a.wishkerman@mpic.de>)

    Credits

    Author

    Vivek Ramachandran

    Reviewers

    Daniel W. Dieterle

    Teofilo Couto

    Acquisition Editor

    Tarun Singh

    Development Editor

    Neha Mallik

    Technical Editor

    Sakina Kaydawala

    Project Coordinator

    Michelle Quadros

    Proofreader

    Mario Cecere

    Indexers

    Tejal Daruwale

    Hemangini Bari

    Production Coordinator

    Arvindkumar Gupta

    Cover Work

    Arvindkumar Gupta

    About the Author

    Vivek Ramachandran has been working on Wi-Fi security since 2003. He discovered the Caffe Latte attack and also publicly broke WEP Cloaking, a WEP protection scheme, at Defcon in 2007. In 2011, Vivek was the first to demonstrate how malware could use Wi-Fi to create backdoors, worms, and even botnets.

    Earlier, he was one of the programmers of the 802.1x protocol and Port Security in Cisco's 6500 Catalyst series of switches and was also one of the winners of the Microsoft Security Shootout contest held in India among a reported 65,000 participants. He is best known in the hacker community as the founder of http://www.SecurityTube.net/ where he routinely posts videos on Wi-Fi Security, Assembly Language, Exploitation Techniques, and so on. SecurityTube.net receives over 100,000 unique visitors a month.

    Vivek's work on wireless security has been quoted in BBC online, InfoWorld, MacWorld, The Register, IT World Canada, and so on. This year he is speaking or training at a number of security conferences, including BlackHat, Defcon, Hacktivity, 44con, HITB-ML, Brucon, Derbycon, HashDays, SecurityZone, SecurityByte, and so on.

    I would like to thank my lovely wife for all the help and support during the book's writing process; my parents, grandparents, and sister for believing in me and encouraging me for all these years; and last but not least, I would like to thank all the users of SecurityTube.net who have always been behind me and supporting all my work. You guys rock!

    About the Reviewer

    Daniel W. Dieterle has over 20 years' experience in the IT field. He has provided various levels of support to clients ranging from small businesses to Fortune 500 companies. Daniel enjoys computer security, runs the security blog CyberArms (http://cyberarms.wordpress.com/), and is a guest security author on https://Infosecisland.com/.

    I would like to thank my beautiful wife and children for graciously giving me the time needed to assist with this book. Without their sacrifice, I would not have been able to be a part of this exciting project.

    www.PacktPub.com

    Support files, eBooks, discount offers, and more

    You might want to visit www.PacktPub.com for support
