ITP 470

WIRELESS SECURITY
Independent Study
Ronnie Flathers 5/8/2011

Flathers - 2

Table of Contents
EXECUTIVE SUMMARY .................................................................................................................................. 4 DISCOVERY OF WIRELESS NETWORKS .......................................................................................................... 5 Active Scans .......................................................................................................................................... 5 Passive Scans ......................................................................................................................................... 5 Scanning Software ................................................................................................................................ 6 Avoiding Detection................................................................................................................................ 9 GAINING ACCESS ......................................................................................................................................... 10 CRACKING WEP ....................................................................................................................................... 11 Cracking Software ............................................................................................................................... 12 Capturing the IVs................................................................................................................................. 12 Packet Injection................................................................................................................................... 13 Cracking the key .................................................................................................................................. 15 Protecting the network ....................................................................................................................... 17 CRACKING WPA ....................................................................................................................................... 17 Capturing the handshake .................................................................................................................... 18 Forcing the handshake ........................................................................................................................ 19 Cracking the passphrase ..................................................................................................................... 20 Protecting the network ....................................................................................................................... 23 INFORMATION GATHERING ........................................................................................................................ 23 Passive scans ....................................................................................................................................... 23 Aggressive scans.................................................................................................................................. 24 Monitoring traffic ................................................................................................................................ 26 MAN IN THE MIDDLE ATTACKS ................................................................................................................... 26 ARP SPOOFING ........................................................................................................................................ 26 Spoofing Software ............................................................................................................................... 27 Advanced Software ............................................................................................................................. 28 ENCRYPTED TRAFFIC ............................................................................................................................... 29 SSL Encryption ..................................................................................................................................... 29 Fake Certificates .................................................................................................................................. 29 SSL Strip............................................................................................................................................... 31 Using SSLStrip...................................................................................................................................... 32

Page 2

Flathers - 3
PROTECTING FROM MITM ATTACKS ...................................................................................................... 34 THE NEXT STEPS .......................................................................................................................................... 35 Metasploit ........................................................................................................................................... 35 Rogue APs ........................................................................................................................................... 36 CONCLUSION............................................................................................................................................... 36 SOURCES ..................................................................................................................................................... 38

Figure 1. Running Kismet ............................................................................................................... 8 Figure 2. Running airodump-ng ...................................................................................................... 9 Figure 3. Capturing Packets .......................................................................................................... 13 Figure 4. Injecting Packets ............................................................................................................ 15 Figure 5. Cracking the WEP Key ................................................................................................. 16 Figure 6. Waiting for WPA Handshake ........................................................................................ 18 Figure 7. Capturing Handshake After a DeAuth .......................................................................... 20 Figure 8. Dictionary Attack on WPA ........................................................................................... 21 Figure 9. Cracking WPA Key ....................................................................................................... 22 Figure 10. Passive Network Map .................................................................................................. 24 Figure 11. Active Network Map ................................................................................................... 25 Figure 12. ARP Spoofing .............................................................................................................. 27 Figure 13. Browser Warning......................................................................................................... 30 Figure 14. SSL Stripping .............................................................................................................. 33 Figure 15. Captured Passwords..................................................................................................... 34

Page 3

Flathers - 4

EXECUTIVE SUMMARY
Over the past several months, I have been researching wireless networks and their security. I started with a very basic understanding of Linux and wireless networks and a rough idea of what I wanted to accomplish. I created a scenario of a malicious hacker being within range of a private wireless network. My goals were to: Discover the network and its relevant information Gain unauthorized access to the network Passively scan and sniff for valuable information

I envisioned a small business or a household using consumer level wireless products with limited IT security knowledge. I wanted to see what kind of information an attacker would be able to glean from the network while trying to remain hidden. Through the course of my research and practice, I also kept in mind ways to defend against what I was doing. In that sense, anyone who reads this paper should have a better understanding of how to properly configure security on their wireless networks. My Set Up. I modified my familys existing wireless network to suit my needs. We have AT&T DSL internet which is connected to a Netgear Wireless N Router. This router broadcasts in wireless N and b/g throughout our entire house. The signal is even capable of being picked up several hundred feet outside of our house. The model router is the RangeMax NEXT WNR854T. This is consumer level router designed for households, but can also commonly be used in small businesses. For example, the Vagabond Inn on Figueroa uses a similar Netgear Wireless-N router to provide free internet to all of its guests. The routers IP address is 10.0.0.1 and the subnet is 10.0.0.1-255. I set up a few victim machines which were connected to the network. These machines served as the machines I directed my attacks towards. There were 2 virtual machines and one physical laptop. The virtual machines were connected to the internet through a bridged connection with the host. The operating system on each was Windows 7 Ultimate (host) Windows XP with Service Pack 3 (virtual) Windows 2000 (virtual)

For the attackers PC, I used another laptop that was running Backtrack 4 R2. Backtrack is a Debian based Linux distribution that contains numerous security tools for all sorts of penetration testing and analysis. All of the tools I used were included in Backtrack by default. It was Page 4

Flathers - 5 installed on an 8GB thumb drive that allowed persistent changes. The laptop was booted from the thumb drive. The last piece of hardware needed was an adequate wireless card. After attempting a few techniques it became obvious that the wireless adapter built into the attack PC could not perform some attacks. A card that supported packet injection was needed. This is explained later. After some research on cards that had supported chipsets and worked well with Linux, I purchased an ALFA AWUSO36H wireless card. This came with a 3 foot USB cord and a 5 dB antenna. This card used the Realtek chipset, which has great open source support and also allows for packet injection. The card costs around $30 and was an excellent purchase. Paper Organization. Below is the culmination of all that I learned about wireless security. It is broken up into sequential steps, starting with the initial discovery of the wireless networks. Screenshots and commands used accompany the descriptions.

DISCOVERY OF WIRELESS NETWORKS

The first step of any wireless attack is to identify the network you are attempting to access. Sometimes, an attacker will know exactly what wireless network he wants to work on, other times it is necessary to discover a wireless network. There are two different types of wireless scans: active and passive scanning. Active Scans. Active scanning occurs when either an Access Point (AP) or a client are actively trying to discover one another. It can be directed to a specific network or client, or be general. Wireless APs broadcast a packet called a beacon every tenth of a second. The purpose of these beacons is specifically for clients to discover the AP. The beacon includes information about the network, such as the SSID, MAC address of the AP, whether or not encryption is used, etc. A client can also send out a directed probe looking for an AP, and wait for a response. When a normal user conducts a scan for wireless networks in range using Windows or Mac, the operating system is capturing these beacons and displaying the results. This is the most basic way of discovering wireless networks. An attacker could simply use Windows to discover networks in range while he slowly moves around a neighborhood. While reading beacons is generally good enough for the average consumer to connect to their own home network or a public hot spot, they are only useful if the network is set up to even be discovered. There are more efficient and stealthier ways of detecting wireless networks. Passive Scans. As opposed to active discovery, passive discovery involves reading packets and deriving information from the packets. Passive scanners do not send out any beacons or probes, but instead gather information from traffic that is already going on wirelessly. Passive scanning

Page 5

Flathers - 6 will yield much greater results than active scanning. To passive scan, a wireless card must be put into monitor mode. Monitor mode for a wireless card is similar to promiscuous mode for a NIC. A card in monitor mode will read every wireless packet it can reach and try to extrapolate data. Because all wireless networks operate on the same frequency, the air is usually flooded with packets from several different networks. The card picks up these packets and deduces what network they belong to. This is different than just only trying beacon or probe packets because there is always much more traffic than just those two types of packets. Not all wireless cards support monitor mode. The chipset of the card must support the mode as well as the driver being used. There are several programs that utilize these passive scanning techniques. These programs use a card in monitor mode to constantly read wireless packets. When a new network is discovered (either through a beacon packet, or reading a normal data packet) the program displays all the information it can about the network in range. These programs are extremely useful for not only discovering the location of wireless networks, but also passively collecting important information about the network. Without even connecting to the network, an attacker can use these sniffing programs to discover pertinent information about the targets before making an attack. Scanning Software. Before scanning software can be used to its full potential, the wireless card must be put into monitor mode. If monitor mode is available with the chipset and the driver, the command to put the wireless interface (in this case wlan1) into monitor mode is:
# iwconfig wlan1 mode monitor

Another option is to use a built in program with Backtrack, airmon-ng.

# airmon-ng start wlan1

This will put wlan1 into monitor mode and create a new monitor interface, usually mon0. This interface will start reading all packets that it picks up. Once the wireless card is in monitor mode, we are able to begin running a passive scan using the software of our choice. Although passive scanning applications exist for both Windows and Mac, the best are available on Linux. The gold standard of scanning software for Linux is a program called Kismet. Kismet interfaces with all of the wireless cards on a system and logs lots of information in various formats. It also does a nice job of graphically representing the networks it has discovered. Backtrack includes the latest version of Kismet by default. Kismet is used within the console in Backtrack Linux. It runs as a client/server application, so the first time it is started it will prompt the user to start the Kismet server. The interface is then Page 6

Flathers - 7 used as the client. Most of the time, the client will be local, but it is possible to run the client remotely. Kismet will create several files in the directory that it is run, so it is best practice to create a new directory each time Kismet is run. Name the directory something useful by including the date or location that the scan was run. When Kismet is running, it displays information about all the wireless networks that it finds in range and saves the data to files that can be read later or used by other programs. To create a dump directory and run Kismet:
# mkdir kismetscan0224 # cd kismetscan0224 # kismet

Select to start the Kismet server. The Kismet program runs entirely in the console. The ~ is used to pull up menus, and Tab and Enter are used to move and select. If no interfaces are automatically added, add the interface that was previously put into monitor mode, in this case, wlan1 or mon0. After a few seconds, Kismet should begin to populate with wireless networks that it discovers. It will list the name of the network (if it can determine it), the channel the network is on, and the number of packets that it has read from that network. The sample output in my scenario is:

Page 7

Flathers - 8

Target Network

Figure 1. Running Kismet

An attacker now has information about which wireless networks are in range and could be capable of being attacked. In this example, we have identified our target flathers-n. It has a strong signal strength and high traffic. Another option besides Kismet for discovering wireless networks is to use a program included with the aircrack-ng suite called airodump-ng. This program is used to capture packets and will be used later on to crack security. However, it can also be used to list wireless networks in range without capturing and saving any packets. Once again make sure the wireless card is in monitor mode.
# airodump-ng wlan1

This will start reading packets and listing networks. It shows a little more text information on the main screen than Kismet, although both are capable of extrapolating the same information. The bottom portion of the screen also identifies clients that are sending and receiving packets, important information for later in the attack.

Page 8

Flathers - 9

Target Network

Figure 2. Running airodump-ng

Avoiding Detection. As evidenced by above, if an attacker is in range of a wireless network, it is not a real challenge to discover it and find out information about it. Several programs make this almost automatic. Avoiding active scanning is relatively simple, and usually good enough for most consumers who are not concerned with high security. Since active scanners rely solely on beacon packets sent from the AP, setting the access point to not include its SSID in its beacons (beacons cannot be disabled entirely) is the simplest way to avoid detection. All consumer wireless routers have this ability (it is usually called Dont broadcast). With this enabled, the average consumer using the default networking programs on Windows or Mac will not discover the wireless network. All network traffic will include a null value in place of the SSID. Clients can still connect to the network if they know the actual SSID. Their active scanners can send probes directed at the SSID which the AP will by default respond too. This can also be deactivated. Unfortunately, this is not secure, and any smart attacker will be able to bypass this easily, and actually use it to his or her advantage. Using passive scanning, an attacker will still be able to tell that there is a wireless network in range, regardless if it is transmitting its SSID. In addition, for legitimate clients to connect, they need to send a directed probe with the correct SSID. This is Page 9

Flathers - 10 easily intercepted and read by a passive scanning program. An attacker can even remotely disconnect a legitimate user and then sniff the packet he sends to reconnect to get the SSID. Disabling the broadcasting of the SSID on a router might make it a little more difficult for an average user to discover or connect, but it really has no effect on a determined attacker. There are no completely effective ways to avoid detection by a passive scanner. All it takes to be discovered is to send one packet within range of a listening device. Some recommended ways to lessen the probability of discovery is to use only Wireless-N, since most attackers will be looking for B or G networks, or purchase foreign networking equipment that operates on a different frequency than the standard. A determined attacker with the right equipment, however, will always eventually be able to discover a wireless network.

GAINING ACCESS
Once a wireless network is discovered, the next step for an attacker is to connect to the network. Connecting to the network allows the attacker to communicate with the AP and the connected clients and also to sniff or see what information is being transferred. Although passive scanners are able to detect packets and ascertain some basic information from intercepted packets, the actual data in the packets is still encrypted. This is true even for wireless networks that do not have any encryption methods in place. The data in a packet is designed only to be read by a client that knows the SSID and has the encryption key (if any). To gain anything really valuable, an attacker must connect to the network and associate his client with the AP. The idea behind wireless encryption is that the initial authentication requires a passcode, and then every single packet being transmitted between the WAP and the client carries a partial passcode from then on. When the packet reaches its destination, the code is decrypted and verified, which allows the packet to be read. The purpose of this is to not only bar unauthorized users from connecting to the WAP, but also to make sure the packets are not read. Packets can be intercepted as they travel across radio waves by clients that are not connected to the network. Because of this, every packet needs to be encrypted while it is travelling. If the network is unprotected, that is to say, has no encryption in place, any client is able to connect to the network. Most public hot spots will allow any client within range that requests a connection to connect. By default, this is how most consumer wireless routers are configured. The priority of most consumer wireless router manufacturers is sadly ease of setup and use - not security. Because of this, by default all security and encryption methods are turned off. This enables a consumer to plug in the router to their existing internet connection and have an instant wireless network. These routers also come with default SSIDs, usually the name of the company, such as Linksys and NETGEAR. Although they include instructions, and sometimes warnings, to enable security, many consumers do not follow them. Many, many, networks are Page 10

Flathers - 11 left completely open and accessible to anyone in range simply because consumers do not know the risk they are taking. The two most popular types of encryption for consumer wireless networks are Wireless Equivalency Protocol (WEP) and WiFi Protected Access (WPA). The latter is much more secure and recommended; however both are vulnerable to different types of attacks.

CRACKING WEP
With WEP there are two forms of authentication: open system and shared key. In open system authentication any client can associate with the WAP. The client is authenticated regardless of the key it possesses and begins to receive packets. The client would need the correct key at this point to read the packets. In shared key, the client requests authentication and the WAP sends a challenge text. The client encrypts the challenge text using the WEP key and sends the response back. If it matches, then the WAP authenticates and associates with the client. A WEP key is usually 128bit comprised of 26 hexadecimal values, and a 24bit Initialization Vector (IV). Each packet is encrypted using the RC4 algorithm with the 26 hexadecimal value and a random IV. The packet is sent, along with the IV in plain text. The client then decrypts the packet using the hex key and the included IV. The weakness to WEP lies in the IV. It is sent as plaintext with the packet, which basically means that anyone who grabs the packet can see the first 24bits of the code that was encrypted. The RC4 encryption algorithm can only generate about 16million different codes based on the IV, meaning if you gather enough of these IVs, you can crack the code. Also contributing to WEPs weakness is the discovery that some of the IVs are weaker than others. Software can recognize the weak IVs and use them to crack the key even quicker. After the theory of how to crack WEP was proved possible, computer programs were written that streamlined the process. There are two steps involved that the programs take. Once an encrypted wireless network is found and the client is in range, it begins intercepting packets and logging the IVs. The packets contain encrypted data and are worthless individually, but if enough IVs are logged the code can be cracked. Usually about 50,000 IVs are needed to crack WEP. The number of IVs traveling is related to network traffic, so if no ones on the network, it will take days to get that many. If someone is downloading large files, it could just take hours or minutes. Once enough IVs have been logged, the next step is to decrypt them and find the key. With enough IVs, this process only takes seconds. One method of speeding up the collection of IVs is through a certain type of packet injection. Not every wireless card can support this, however. They type of packet injection used is called ARP injection. With this technique, the wireless card sends out an ARP request to the access Page 11

Flathers - 12 point, which then responds with an ARP response. This response contains an IV, which is then captured. This process is repeated rapidly to generate numerous IVs. To perform this injection, the origin of the ARP request must be associated with the AP, or else the AP will not respond. Software is able to spoof the origin to make the request look like it came from an associated client, not from the attackers computer. Cracking Software. The most useful tool for cracking wireless security is a suite of programs called aircrack-ng. This suite is included in Backtrack and contains all the tools necessary for discovering and cracking wireless networks. Once a network has been identified through any technique, the basic steps to crack a WEP encrypted network, and the programs used to accomplish them are: 1) Begin capturing packets that contain unique IVs and save them to the disk (airodump-ng) 2) Inject ARP requests from an associated client to generate new packets (aireplay-ng) 3) Once enough IVs have been captured, run a cryptographic attack to decipher the WEP key (aircrack-ng) Capturing the IVs. In this case, the attacker has already identified the WEP encrypted network he wants to crack using either Kismet or some other scanning technique. The information he will need to start collecting IVs is the BSSID of the access point and the channel it is operating on. When this information is known, the program airodump-ng is used to capture the IVs and save them to a file. In this case, the BSSID of the network we are trying to crack is 00:1B:2F:D5:2D:E6, the channel is 1, the output file is flathers, and the interface is wlan1:
# airodump-ng -channel 1 bssid 00:1B:2F:D5:2D:E6 --write flathers wlan1

The output will look like this as it is capturing:

Page 12

Flathers - 13

Unique IVs

Figure 3. Capturing Packets

Notice the column #Data. This is the number of unique IVs we have captured. To have a good chance of cracking the passcode, we will need at least 35,000. The #/s column shows roughly how many we are capturing each second. In a network with high traffic, this number will be higher. The stations listed are the associated clients currently sending and receiving packets, which will be needed to start packet injection. The program needs to continue to run until it has captured a sufficient amount of IVs. At the rate shown in the screenshot, this would take an extremely long time. To speed this up, we will use a packet injection technique. Packet Injection. While airmon-ng is running in the background, we can launch a new program to start a packet injection technique called ARP replay. The goal of this is to dramatically increase the #/s of data captured and decrease the amount of time needed to get all of the necessary IVs. A program called aireplay-ng is capable of doing several injection attacks and will be used to start the ARP replay.

Page 13

Flathers - 14 Because an ARP request will only be responded to if the origin is from an associated client, we need to use the address of one of the clients in our attack. Airmon-ng shows a list of connected clients and their IDs. In this case, there is one client connected and its address is 00:0F:66:7F:23:D9. To perform an ARP replay attack, the wireless card must be capable of packet injection and it must be within range of the AP. If the attacker is too far away, the ARP request packets he sends will not be responded to. Aireplay-ng contains a simple test to see if injection is capable to the BSSID of the AP:
# aireplay-ng --test -a 00:1B:2F:D5:2D:E6 wlan1

If the test is successful, then the card is able to inject packets and is within range of the AP. The next step is to start the ARP replay attack. Aireplay-ng needs both the BSSIDs of the AP and an associated client, which can be obtained from the client list in airmon-ng:
# aireplay-ng --arpreplay -h 00:0F:66:7F:23:D9 -b 00:1B:2F:D5:2D:E6 wlan1

Once the ARP replay starts working, aireplay-ng will flood the airwaves with ARP requests that look like they are coming from the associated host. Each of these requests will provoke a response from the AP which is then captured by airodump-ng running in the background. A successful attack will look like this:

Page 14

Flathers - 15

ARP Packet Injection

Figure 4. Injecting Packets

The bottom screen shows aireplay-ng running. Airmon-ng is capturing the packets in the background. Notice the #/s has increased dramatically. It is now only a matter of minutes before enough IVs are captured. Once 50,000 IVs are captured, there is a fifty percent chance that the WEP key will be able to be cracked. Cracking the key. All of the captured data packets containing IVs are stored in a file outputted by airmon-ng. The program will write multiple files to the active directory in different formats. The ones we are interested in are the *.cap files. The program used to read the IVs and crack the key is called aircrack-ng. This program utilizes two different cryptographic techniques to extract the key: FMS and PTW. The PTW method is more efficient but only works with captured ARP responses. It is the default cryptographic attack for aircrack-ng. Because each packet is also partially encrypted with the SSID, the BSSID of the network is also needed to decrypt the key. To start the attack:
# aircrack-ng -b 00:1B:2F:D5:2D:E6 flathers*.cap

Page 15

Flathers - 16 With over 70,000 IVs, it took less than 2 seconds to crack the passcode:

Figure 5. Cracking the WEP Key

This is the correct key and can now be used to connect to the network. The entire process takes only a few minutes and the attacker now has the WEP passcode needed to connect to the network and decrypt intercepted packets. However, this technique relies on there being at least one associated client sending and receiving packets that airmon-ng can capture. Sometimes, there may be no traffic on the network. For example, if an attacker is trying this technique in the middle of the night when no machines are on, he will not be able to intercept any packets. This makes it more challenging, but not impossible. The attacker needs to artificially create traffic. To accomplish this, the attacker would launch a fake authorization attack on the AP with his own address. This tricks the AP into thinking that his address is associated with the AP. The next step is to acquire and isolate an encrypted keystream from a packet sent from the AP. Aireplay-ng has two methods for doing so, a fragmentation attack and a chop-chop attack. Once the keystream

Page 16

Flathers - 17 is isolated it can be used to encrypt a fake ARP request. Once that fake packet is created, the same ARP replay technique can be used as above. This technique basically tricks the AP into sending an encrypted beacon packet to the attacker. He then is able to extrapolate the encrypted part and use it to encrypt his own ARP packet. This way, when he sends an ARP request back to the AP, it looks like it came from an associated client that already has the passcode, since its encrypted properly. Then the same steps are used to crack the WEP key. Protecting the network. Breaking WEP encryption is incredibly easy for even an inexperienced attacker. Although it was the standard for several years, the techniques mentioned above have proven it to be nearly useless. It is still the default encryption method for many wireless routers, however. It does an adequate job of keeping out average people who see it has a password and move on, but it really does nothing against a determined attacker. Really, the only secure advice is to not use WEP at all. If any business or home is using WEP and is concerned about security they should upgrade immediately to a more secure form of encryption, like WPA.

CRACKING WPA
After WEP was proven to be completely breakable, WPA became its successor. WPA uses a much more advanced algorithm and does not have IVs. No amount of packets collected will allow a computer to crack it. Most consumers use what is called WPA Personal, which utilizes a pre-shared key (PSK), which is a common key shared across all devices used for authentication. When a client wants to associate with a WPA encrypted network, a four-way handshake takes place. Briefly what occurs is the client first seeks association with the AP. The AP sends the client a bit of data which the client encrypts using the passphrase, SSID, and some other data. The client sends this back to the AP with another small piece of data which then encrypts that. If all of these keys match up, the AP installs the main key on the client and the client is successfully associated and able to decrypt the packets. The packets are encrypted with this key, not the passcode. This is known as the four-way handshake between a client and the AP. Unlike WEP, there is not enough information contained in the packets to find the key. No matter how long an attacker sniffs the network and intercepts packets, he will never be able to crack the passphrase. However, within the four-way handshake, there is enough information to brute-force the passphrase. The basic steps for cracking a WPA Personal encrypted network are: 1) Discover the network and be within range to intercept and inject packets 2) Start sniffing the network for the four way handshake and capture it when it arises 3) Wait for a new client to authenticate -OR- deauthenticate a current client Page 17

Flathers - 18 4) Brute force the captured handshake file with a dictionary file Capturing the handshake. The four-way handshake occurs between the AP and a new client every time a new client attempts to connect to the network. To capture the handshake, airodumpng must be configured to be monitoring the correct channel or SSID and capturing packets. Assume the attacker has already found a WPA encrypted network named flathers-n at BSSID 00:1B:2F:D5:2D:E6. To start airodump-ng capturing:
# airodump-ng --bssid 00:1B:2F:D5:2D:E6 -w flathers wlan1

This will start airodump-ng capturing every packet coming from that BSSID. Additionally we could tell airodump-ng to listen to all traffic on a specific channel for a four way handshake, regardless of the network. If a four-way handshake is discovered, the program will give a notification and the handshake will be saved in a separate file. Note that this saves all the packets transmitted, but all that is really needed is the handshake.

Target BSSID

Figure 6. Waiting for WPA Handshake

Page 18

Flathers - 19 Airodump-ng is capturing packets from the flathers-n network and waiting for a four-way handshake. When a handshake is captured, a notification will appear in the upper right hand corner. Forcing the handshake. Since a handshake is conducted every time a client tries to authenticate with the AP, all that it is needed is for somebody to connect to the network. In large networks this occurs frequently. The attacker would only need to wait patiently until a new computer is connected to the network. Alternatively, if there are already clients connected to the network, an attacker can deauthenticate them and force them to reconnect. This uses a simple deauth attack which disrupts the connection between the client and the AP. The client is disconnected momentarily and will automatically attempt to reconnect. Since it already has the correct credentials, it will be authenticated by the AP, and a brand new four way handshake is generated. This happens almost invisibly to the user, who might notice a quick period of disconnection. To perform the deauth attack, we must know the ID of one of the connected clients, which airmon-ng lists (in this case 00:1C:26:40:B1:8A),. We must also be able to inject packets (see injection test above). The program used is aireplay-ng:
# aireplay-ng --deauth 25 -a 00:1B:2F:D5:2D:E6 -c 00:1C:26:40:B1:8A wlan1

The number after --deauth is the number of times aireplay-ng will try the attack. A higher number will increase the probability of it working, but is less stealthy. If the client was successfully deauthenticated and then reconnected, airmon-ng will update saying that it has captured a four way handshake:

Page 19

Flathers - 20

Acquired Handshake

DeAuth Attack

Figure 7. Capturing Handshake After a DeAuth

In the above picture, the bottom screen shows the deauthentication attacks being conducted. Airmon-ng has updated and shows in the upper right hand corner that the handshake has been captured. Once the handshake has been captured, the attacker can stop capturing all packets. The information contained in the handshake is all that is needed to crack to WPA passphrase. Cracking the passphrase. Once the attacker has the handshake it is possible to crack the passphrase through brute force or dictionary techniques. This technique uses a word list and goes through each word one at a time, encrypting it with the other data gathered (the SSID) to see if it matches. When a match occurs, the word from the list is the passphrase used. This can be extremely time consuming depending on the complexity of the passphrase and the size of the dictionary file. An attacker is limited by his processor speed to how many passwords he can try per second. With dictionary files containing billions and billions of different combinations of letters and words, the process could take a very long time. Fortunately, most

Page 20

Flathers - 21 consumers choose simple, easy to remember passphrases that can be decrypted using smaller dictionary files containing common names and passwords. The program aircrack-ng can be used to crack the handshake. The attacker must have a word list on his system. Backtrack includes several wordlists of different sizes, and larger ones can be downloaded from the internet. The largest word list included with Backtrack is:
/pentest/passwords/wordlists/wpa.txt

This is a wordlist designed specifically for cracking WPA passphrases. It is 420 MB and contains over 35 million different passwords - and this is a relatively small dictionary file! To use this word list with aircrack-ng and our captured handshake:
# aircrack-ng -w /pentest/passwords/wordlists/wpa.txt flathers*.cap

The output will look like this while aircrack is trying the various passwords:

Current Location in Dictionary

Figure 8. Dictionary Attack on WPA

Page 21

Flathers - 22 This gigantic dictionary file would take several days to be processed by my system. Normally an attacker would be willing to leave his computer on for a few nights to crack the password. Since I know that the passphrase for this network is in a smaller dictionary file, however, I used that to quickly crack the password:

Successful Key

Figure 9. Cracking WPA Key

It only took 20 guesses into the dictionary file to discover a match. The correct passphrase was deciphered: baseball. The attacker now has the ability to connect to the network. Speeding up the cracking process. Bruteforcing and dictionary attacks are processor intensive and inefficient. For each word in the dictionary file, the computer must encrypt it with the relevant data and then test to see if it matches. The encryption process for each file is the slowest one. One way attackers quickly break passwords is through precomputed hash tables, also known as Rainbow Tables. A rainbow table takes a word list and precomputes all of the encrypted hashes. Once they are precomputed it is extremely quick for software to locate a match. Rainbow tables are extremely effective when the encryption method is known and static, such as Windows Page 22

Flathers - 23 passwords. However, because the WPA key is encrypted with both the passphrase and the SSID, the tables are only effective if they were precomputed with the correct SSID. There are large rainbow tables available for free online that were computed with the 1000 most common SSIDs. This includes all the default SSIDs that most people dont bother to change. The file size is very large, but if an attacker possesses it and the victims SSID is within the 1000, it will only take him a matter of minutes, if not seconds, to crack the password. For example, in the above test, a standard dictionary attack on the passphrase processed about 115 passwords/second. When a rainbow table was computed with the SSID flathers-n and the crack was run again, the computer processed 44,117 passwords/second! Protecting the network. WPA is far more secure than WEP and should be standard practice. However, it is still vulnerable to dictionary attacks. The best way to prevent attacks is to use a complex passphrase and avoid dictionary words. Also, because the key is also encrypted with the SSID, using a unique or random SSID will make it harder for an attacker to use a rainbow table. Noticing unexpected and repetitive deauthentications could also be an indication that an attacker is attempting to acquire the handshake. The above technique only works for WPA when it is using a Pre-shared key (PSK). There are other forms of WPA that are much harder to crack. For example, WPA-AES uses a separate encryption server to generate the passcodes. This makes it much more difficult (though not impossible) for an attacker to gain access. However, this type of encryption is expensive and difficult to set up and maintain and is only really seen at the enterprise level

INFORMATION GATHERING
Once an attacker has access to a wireless network, there are many different attacks and exploits he can perform. To begin with, however, the attacker must have a clear understanding of the network layout and what clients could be his potential victims. There are many different programs that detect live hosts and map a network, and they range from extremely stealthy to aggressive. Depending on how paranoid the attacker is or how well monitored the network is, some scans may be better than others. Passive scans. Network mapping software that is completely passive will only read incoming packets and attempt to extrapolate any and all information about the network from them. They do not send out any probes or requests. This takes longer to gather information, and may not give a complete overview of the network, but the scans are virtually undetectable. Included with Backtrack is a tool called lanmap. This is a completely passive scanner that just sits and listens to network traffic. It then generates an image of what it guesses to be the network Page 23

Flathers - 24 map. This is a useful first step in determining the network layout, especially if the attacker is being cautious about getting detected. The usage is
# lanmap -i wlan1 -r 10 -T png

Wlan1 is the interface we want to use, the 10 is the refresh rate (in seconds) and png is the output we want the network map to be. The longer lanmap runs, the more accurate it will be. Since it only passively sniffs data there must be network activity for it to discover anything. Accordingly, running this application late at night or when nobody is using the network will yield limited results. After running this program for only a few minutes, lanmap was able to discover 2 live hosts other than itself and printed a network map:

Gateway Active Clients

Figure 10. Passive Network Map

Aggressive scans. While passive scanning may be the stealthiest, it is the slowest and provides the least amount of information. Several programs make use of active scans to discover hosts and find out further information about them, such as open ports and running services. Nmap is one of the most popular host and port scanning applications. It is included in Backtrack, along with a GUI interface called Zenmap. Nmap has many different scan options ranging from quick to slow and intensive. This differs from a passive scanner because Nmap will actively send out request packets trying to contact other hosts. It will also probe ports to see if they are open. This activity on a network is easy to spot if one is looking for it and larger, managed networks are set up to notice these scans. However, for most small home or business wireless networks, they will probably go undetected. Nmap can perform a port search on a single IP or a range of IPs. When the attacker connects to the network he will be able to see what subnet the network is operating on. A quick command to identify the gateway and subnet is:
# netstat -ar

Page 24

Flathers - 25 In the case of the flathers-n network the subnet is 10.0.0.* This means that the IP address of every connected device has to be within the range 10.0.0.1-255. For large networks, doing a port scan of every available host is time consuming, so the first step is usually just to determine which hosts are live by a quick scan
# nmap -T4 -F 10.0.0.1-255

This will yield a quick search of hosts that are live, and any information nmap was able to gather about them. For this search, 7 live hosts were found and nmap created a rudimentary network topology:

Our Machine

Gateway

Figure 11. Active Network Map

Page 25

Flathers - 26 Notice that compared to the passive scan, nmap picked up a lot more live hosts. This is because some of the hosts nmap discovered were not transmitting data when lanmap was run. Nmap actively probed and searched and found these hosts. Nmap is capable of much more intensive scans, such as finding open ports and running services. This is extremely useful in locating potential vulnerabilities on certain clients to exploit. Monitoring traffic. Another passive way to collect information from a network is by monitoring traffic. Once the attacker is associated with the network, he can begin intercepting data packets and reading them. This only works with WEP encrypted networks, however. Because the same WEP key is shared between all clients, the attacker can decrypt packets sent from any client using the one key. If the wireless card is set to monitor mode, the program Wireshark can be used to read all wireless packets on a certain channel. If you know the WEP key, Wireshark can decrypt the packets it reads in this mode. This can be useful if the attacker does not want to actually join the network and just wants to passively look at the traffic. If the attacker joins the network, however, he can set up additional attacks that are much more effective in intercepting valuable data.

MAN IN THE MIDDLE ATTACKS

Once an attacker is connected to a wireless network, he can begin actively disrupting traffic and gathering important information. One of the most common and most effective techniques is known as a man-in-the-middle attack (MiTm). This refers to the fact that the attacker is placing his or her computer in between where traffic is intended to go, without either party realizing it. Once his is in the middle of the traffic, he can execute a number of different attacks to gain valuable information and wreak havoc on the network.

ARP SPOOFING
Address Resolution Protocol (ARP) is used to direct traffic on a network. It resolves IP addresses with MAC addresses, so clients know where to send their data. For example, when a client wants to send an HTTP request to the gateway, it uses ARP to see what MAC address is associated with the gateway IP (in this case, 10.0.0.1). When an attacker is connected to a wireless network, he can use ARP spoofing to redirect, or even terminate all network traffic. To become a man in the middle, he redirects all traffic between two clients or a client and the gateway to go through him. The traffic essentially passes through his computer transparently to the end user.

Page 26

Flathers - 27 ARP spoofing is the most essential man in the middle attack. Once traffic is redirected through the attackers computer, he can sniff the traffic for passwords or other information. It also sets him up for more vicious attacks. Spoofing Software. Backtrack comes with a program called arpspoof that makes it easy to set up ARP spoofing and become a man in the middle. The first step is to make sure the default firewall will allow traffic to pass through computer by turning on IP forwarding. The following command turns on IP forwarding;
# echo 1 > /proc/sys/net/ipv4/ip_forward

The next step is to put the attacking computer in between the traffic of a client and the gateway. The gateway in this case is located at 10.0.0.1. We can set up an ARP spoof on the entire network, which would route all network traffic from any source through our computer. However, this can really bog the network down. It is more effective to target individual IP addresses. From one of our earlier scans of the network, we also have the IP address of an active client on the network (other than our own, obviously): 10.0.0.4. To begin ARP spoofing:
# arpspoof -i wlan0 -t 10.0.0.1 10.0.0.4 && arpspoof -i wlan0 -t 10.0.0.4 10.0.0.1

This executes two commands simultaneously. The first tells the gateway to send all traffic destined for 10.0.0.4 to the attackers computer instead. The second tells the client to send all traffic destined for the gateway to us. The ARP tables on the victims computer will change:

Before Spoofing

After Spoofing

Figure 12. ARP Spoofing

Page 27

Flathers - 28 The physical address of the default gateway was changed to the address of the attackers system. The victims machine now directs all traffic to the attackers system, thinking that it is the gateway. The ARP tables on the gateway have changed as well. Once the traffic being redirected to our computer, we can begin to monitor it. Programs like Wireshark can now be used to read packets. A lot of valuable information is sent in plaintext over packets, including unencrypted usernames and passwords. Wireshark can also be set up to read emails, chat logs, etc. In this set up, any information sent over an unencrypted medium is readable by the attacker. This includes HTTP, FTP, SMTP and many more. While useful information is often sent over these unsecure protocols, the real valuable information to an attacker, like important passwords and login information will be encrypted and sent over secure channels like SSL. It is still possible, though, to exploit a man-in-the-middle attack to obtain this encrypted data. Advanced Software. Ettercap is a multi purpose tool that is included with Backtrack that automates many man in the middle techniques. It is a very flexible program that allows customizable scripts and plugins to perform a multitude of attacks. In addition to being able to perform ARP spoofing man in the middle attacks, Ettercap is also capable of other MiTm style attacks, such as DHCP and DNS spoofs. When ettercap is launched as a man in the middle ARP attack on a target, it automatically redirects and forwards traffic, eliminating the need to manually do it. It also poisons the targets ARP cache - meaning it changes the ARP data on the target for the duration of the attack. When ettercap closes, it returns the packet forwarding to normal and un-poisions the victims ARP cache. To perform a simple ARP poison MiTm attack on host 10.0.0.4 with the gateway 10.0.0.1, issue the following command:
# ettercap -i wlan1 -T -M ARP:REMOTE /10.0.0.1/ /10.0.0.4/

The -T parameter sets ettercap in text mode. Although it does have a GUI, like most applications in Backtrack, it is most flexible from the command line. The -M option is for a man in the middle attack, and ARP is the type of attack we want to perform. Adding REMOTE allows ettercap to sniff remote connections beyond the gateway. Once the attack is running, we can perform any number of information gathering techniques. Ettercap also comes with plugins that can perform specific functions. A particularly useful one is the ability to spoof DNS. The file /usr/share/ettercap/etter.dns can be configured to redirect DNS host names to new IP addresses. When ettercap is running a MiTm attack and this plugin is launched, ettercap will redirect all traffic according to the rules in the etter.dns file. This is especially useful in getting the victim to visit malicious websites.

Page 28

Flathers - 29 Perhaps the most useful feature of ettercap is its ability to fake authentication certificates. This allows ettercap to intercept and read encrypted internet traffic, such as sensitive passwords and banking information. This type of traffic is generally encrypted with SSL.

ENCRYPTED TRAFFIC
SSL Encryption. Secure Socket Layer (SSL) was developed by Netscape in the nineties as a way to privately communicate and share data. It has been replaced by a newer version called Transport Layer Security (TSL), although it is still commonly referred to as SSL. It is a method used to privately share data between any two communicating applications, though its most notable use is sending encrypted data over the web. The standard protocols for submitting data over the internet are not secure and can be read by anyone sniffing the packets. Secure websites encrypt the sensitive data using SSL, and use what is referred to as HTTPS, or a secure form of HTTP, generally through port 443. When the client tries to connect via HTTPS it sends an initial handshake to the server, which then responds. They exchange keys and can then start transmitting encrypted data back and forth to each other. The most important part, however, is not the handshake, or the encryption, but authenticating the server. A user needs to make sure he is actually creating a secure connection with his real online bank, and not a look-a-like that will steal his data. To authenticate the server, browsers use digital certificates. When a customer tries to access a secure website, like their bank for example, before they establish a secure connection they need assurance that the bank is who they say they are. So the bank presents them with a digital certificate from a third party verifying that they are legitimate. But to verify that the third partys certificate is legitimate as well, the third party also presents a form of authentication. This process of trust keeps leading upwards until it reaches a high level, well trusted authority, referred to as a trust anchor. In a sense, every secure website is entangled in a large web of trust that leads back up to the top to a few very trusted, high level authorities. If a websites certificate falls on this chain of trust, the user can trust that the website is legitimate. Fake Certificates. Since the encryption is nearly unbreakable with SSL, the vulnerability lies in the authentication process. When an attacker gets in the middle of a client trying to securely connect to a server, he can break the authentication up into 2 parts. Take the example of accessing a bank. The man-in-the-middle can pretend to be the customer when communicating with the bank. And when communicating with the user, he pretends to be the bank. If all worked well, neither party would suspect a thing. This is the purpose of the digital certificate. The attacker does not have the verified certificate that the bank has, so he cannot authenticate himself to the user to initialize the secure connection.

Page 29

Flathers - 30 However, programs like ettercap are capable of faking a certificate. The certificate imitates the real one, but will not be fully verified. Whatever browser the customer is using will recognize that the certificate is not official. It will warn the user that the certificate is not verified and ask if they want to proceed. If the user accepts the certificate anyway, then a secure connection is established with the attackers machine. The victim believes they are directly connected to the bank but in reality they are sending all of their encrypted data directly to the attacker. Ettercap has a certificate template built in and will automatically attempt to have the target accept the certificate whenever it intercepts encrypted traffic. As an example, first start ettercap in an ARP poisoning MiTm attack between the victim and the gateway:
# ettercap -i wlan1 -T -M ARP:REMOTE /10.0.0.1/ /10.0.0.4/

The program is now in the middle of all traffic between the victim and the outside internet. When the victim goes to a secure website like https://www.bankofamerica.com, the real bank will send over its certificate for verification. Ettercap will intercept this certificate and instead send its own fake one to the victim. Depending on the browser the victim is using, a warning will pop up similar to this:

Unverified Certificate

Figure 13. Browser Warning

Page 30

Flathers - 31 The browser does not trust the connection (because its really a connection from the attackers machine) and tries to warn the user. Many users, however, do not fully comprehend the meaning or danger of an unverified certificate, and may attribute this warning to just a bug. If the user clicks Add Exception, the browser will temporarily allow this certificate and establish a secure (SSL) connection between the victim and the attackers machine. Now, when the victim submits his username and password from the banking website, they are still being encrypted with SSL. Unfortunately, they are being encrypted using the attackers key which means he, not the bank, can unencrypt it. Once the attacker in the middle unencrypts the info he can see the username and password in plain text. Ettercap handles all of this automatically. It sniffs out encrypted usernames and passwords and will display them in plain text on the attackers computer. If it is left running for a period of time, ettercap will even create a log file with all of the captured username and passwords for each site the victim visited. After intercepting the username and password, the attacker pretends to be the customer and establishes a secure connection with the actual bank, then sends along the username and password encrypted for the bank. The bank sees that it received the right username and password and grants access, which is relayed back to the original victim. From both the victim and the banks perspective, everything worked and was secure. SSL Strip. Man in the middle attacks with fake certificates are fairly noticeable to the victim. When he attempts to access a secure site, whatever browser he is using will display a large warning that the certificate has not been verified. Many users, however, will click through the warnings, especially if they have visited the site before. Some, though, will notice that something is not right and immediately exit. There is another MiTm attack that is even less noticeable to the user. When the victim is accessing a secure website, like their bank, no warning will appear. This attack uses a tool developed in 2009 called SSL Strip. The principle behind SSL strip is that the attacker gets in the middle of communication between a secure site (a bank) and the end user. The attacker creates the secure connection to the bank instead of the user. As opposed to a fake certificate being sent to the user, in which a warning would pop up, the attacker essentially strips the SSL from the website the victim is accessing. For example, the main login page for an online bank may be something like https://www.bankofamerica.com. Notice the protocol is HTTPS, so the connection is secured by SSL. The program SSL strip intercepts this secure login page before it reaches the user and replaces it with an identical looking page, minus the security. The user will see an identical login page, but the address will be http://www.bankofamerica.com, lacking any form of encryption. Page 31

Flathers - 32 When the victim inputs his username and password on this unsecure page, the information is sent over standard HTTP in plaintext to the man in the middle machine. The attacker reads the username and password in plaintext, and then encrypts it using the public SSL key it got from the bank and forwards it on. The login goes through and the victim has access to the website, but all subsequent traffic is unencrypted and readable by the attacker. The main difference between an SSL strip and a fake certificate attack is the way data is transferred between the victim and the attacker. In a fake certificate MiTm attack, the victim is still encrypting his username and data, but instead of using the verified public key provided by the bank, he is using a key created by the attacker. In an SSL strip attack, the victim is not encrypting any data and is sending information in plaintext to the attacker. The connection between the attacker and the secure website is the same in both attacks. As opposed to the large warning about an unverified certificate, the only warning a victim will have in an SSL strip attack is that he is using HTTP instead of HTTPS. A very observant user may notice that the s is missing from the URL, but it is not likely, especially if they have used the site many times before. Browsers also feature a small icon that looks like a padlock to indicate that encryption is being used. This is also missing in the attack, but the program SSL strip can actually inject a fake secure icon to fool the user. Using SSLStrip. SSL Strip is a free program that is included in Backtrack. To start the attack, the first step is to allow packet forwarding, just as in a MiTm attack:
# echo 1 > /proc/sys/net/ipv4/ip_forward

Once packet forwarding is enabled, the IP tables must be configured to redirect HTTP traffic through the SSL strip program:
# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT -to-port 10000

What this step does is tell the attacker machine to listen for any HTTP traffic on port 80 it intercepts between the victim and the gateway and redirect it an arbitrary port, in this case 10000. When SSL strip is running, it will listen on port 10000 for traffic and remove the SSL from any secure webpages. Start the SSL strip program and tell it to listen on port 10000:
# sslstrip -p -l 10000

This starts the SSLStrip program and tells it to listen on port 10000 for traffic. The -p option tells it to only capture username and passwords (as opposed to all SSL traffic). The final step is to start the man in the middle attack so the attackers computer can intercept the data. This can be done using any of the techniques mentioned above, such as using ARP spoof,

Page 32

Flathers - 33 or ettercap. A fake certificate is not necessary when using SSLStrip, so ARPSpoof is a simpler program:
# arpspoof -i wlan0 -t 10.0.0.1 10.0.0.3 && arpspoof -i wlan0 -t 10.0.0.3 10.0.0.1

SSL Strip will then automatically begin removing the security from webpages and forwarding them to the victim. This is what the victim will see when directing their browser to a (supposedly) secure site:

http:// instead of https://

Figure 14. SSL Stripping

Notice that the URL starts with http instead of https which it normally does. This is the only evidence that something is different. Its extremely easy for a user to overlook. When SSLStrip discovers a username and password, it will display them in plaintext for the attacker to see. By default, SSLStrip saves all of the found usernames and passwords in a log file in the root directory. After running the program for a few minutes directed at the victims machine, the output looks like this:

Page 33

Flathers - 34

Figure 15. Captured Passwords

The program captured the username and password for 2 secure sites that the victim visited: Gmail and Facebook. His Google login is victim1@usc.edu with password gmailpassword. His Facebook login is victim2@usc.edu with password fbpassword.

PROTECTING FROM MITM ATTACKS

The first step in preventing man in the middle attacks is to stop the attacker from gaining access to the network. For a MiTm attack to be successful, the attackers computer must be able to communicate with both the victims machine and the gateway. Strong wireless encryption passwords that are hard to break are recommended. Also, monitoring the network for unauthorized devices can stop an attack before it begins. If an attacker has network access, there are a few measures that can be taken to prevent ARP spoofing. The best defense is to manually set static ARP tables. With this set up, the clients will not send out ARP requests and they cannot be spoofed. This is tedious to set up however, as it must be configured on every client and updated continuously. Page 34

Flathers - 35 There is also monitoring software available that can detect changes in MAC addresses in ARP tables. This can alert the user that somebody could be attempting an ARP spoof attack. When a MiTm attack is successfully launched, precautions can be taken to avoid divulging sensitive information. The attacker can read anything stored in plain text, so its important to avoid protocols that do not have encryption. Also, users should heed the warnings of their browsers when a certificate is not verified. This is a large indicator of a possible attack. Do not use websites that have unverified certificates. Lastly, when accessing secure websites, make sure that SSL is indeed being used. This can be done by ensuring the protocol is HTTPS. Software is also available that can provide warnings to users when a website is not using SSL.

THE NEXT STEPS

The previous attacks are only the beginning of what is possible with wireless networks. They are somewhat passive attacks, as they most rely on monitoring network data to collect information. These attacks can still be quite devastating though to a small business or home network. After an attacker has performed these steps, he can attempt more active attacks against the victim. Active attacks can occur when the attacker is able to directly communicate with the victims machine. The first step in an active attack is to run a scan to discover hosts and information about them. Nmap is particularly good at this. Backtrack also includes a vulnerability scanner called OpenVAS. This is an open source fork of the popular Nessus software. These vulnerability scanners provide much more details about the hosts on the network and give the attacker possible angles of attack. Metasploit. Backtrack includes the very powerful and easy to use Metasploit framework. Metasploit is a collection of various known exploits and payloads. Instead of having to write specific code to exploit machines, Metasploit allows an attacker to mix and match different exploits and payloads for his needs. A payload is what the attacker receives when the attack is successful. For most attacks, getting a command shell with administrator privileges is the ultimate goal. From there, almost anything is possible. As the hacking community popularly refers to it, getting a root shell is game over. Metasploit works well with the scanning software also included in Backtrack. It can accept results from Nmap and OpenVAS and then automatically tailor custom attacks based on the information. With these tools, an attacker barely needs any programming or vulnerability knowledge as Metasploit mostly automates the whole process.

Page 35

Flathers - 36 Possible things to do when a machine is popped (a term referring to gaining a root shell) is browsing and accessing the files, installing keyloggers, and setting up Trojans, backdoors and viruses on the network. I plan on researching these direct attacks much more in detail this summer and learning how to perform and defend from them. Rogue APs. The wireless attack techniques above all rely on being able to gain access to an existing wireless network. Another form of attack lures victims to connect to the attackers own network, where he can then perform further attacks. This is referred to as setting up a Rogue Access Point. This can be as simple as creating a wireless network with an innocuous name like Free WiFi and hoping a user connects to it. There are more active ways to accomplish this however. Windows machines save preferred networks so it can automatically connect to them when they are in range. The machine will periodically send out beacons looking for these preferred networks to see if they are in range. An attacker can intercept these beacons, and then create a network with the exact same information. Windows thinks that this is the preferred network it has saved and will automatically connect to it. From there, the attacker is free to do what he wants. I also plan to familiarize myself with setting up Rogue APs. Used in combination with Metasploit, they can lead to extremely devastating attacks.

CONCLUSION
This independent study project was a challenging, yet very rewarding experience. I started with a rough idea of what I wanted to research, having heard terms and ideas but not understanding them. I really enjoyed researching and practicing what I wanted as I had no solid direction I needed to go in. I used the Hacking Exposed Wireless book as a rough guide, but did a lot more research on my own through various forums and webistes. I followed a variety of tutorials and through the practice my knowledge of the theory and application of these security principles increased greatly. I started with only a basic knowledge of Linux and almost no command line experience. I also lacked a solid understanding of exactly how networking protocols worked. By the end of the semester, I was not only much more proficient in Linux and command line tools, I understood the intricacies of networking much better. Things I had learned in the past in previous classes made a lot more sense to me now as I understood why things were working and not just how to do them. Page 36

Flathers - 37 Everything I learned this semester was self taught from books and online resources. I spent countless hours trying things until I got them to work, and this trial and error process taught me more than I could ever learn just from reading something. The tutorials I followed were only the foundation for my knowledge. Once I learned how to use a specific tool, I thought of various ways to use it and combine it with others. The exercises I created for myself were fun and practical. I have yet to cover everything I want to. As I learn new things I discover more I want to learn. I plan on continuing using my current set up to learn more about all aspects of penetration testing and network security. Specifically, I plan on becoming proficient in other forms of active attacks and using exploits. It will be a fun summer.

Page 37

Flathers - 38

SOURCES
Cache, Johnny. Wright, Joshua. Liu, Vincent. Hacking Exposed Wireless: Wireless Security Secrets and Solutions. 2010 http://www.backtrack-linux.org/ http://www.backtrack-linux.org/tutorials/ http://www.backtrack-linux.org/forums/ http://www.irongeek.com/i.php?page=security/security http://www.irongeek.com/i.php?page=security/hackingillustrated http://www.cacetech.com/documents/ARP%20Overview%201.1.pdf http://nmap.org/book/man.html http://forum.intern0t.net/offensive-guides-information/ http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-beale-2.pdf http://www.oxid.it/downloads/apr-intro.swf http://www3.rad.com/networks/applications/secure/tls.htm http://computing.ece.vt.edu/~jkh/Understanding_SSL_TLS.pdf http://www.thoughtcrime.org/software/sslstrip/ https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-MarlinspikeDefeating-SSL.pdf A lot of information came from trial and error and reading the --help pages for applications. Many forum posts were read that contained bits of pieces of information. The main forums visited are listed above.

Page 38