8:["$","$L22",null,{"documentTextVersion":{"pageTexts":["802.11 Attacks\nVersion 1.0\n\nAuthor:\nBrad Antoniewicz\nSenior Security Consultant\nFoundstone Professional Services\n\n1\n\nwww.foundstone.com | 1.877.91.FOUND","$23","$24","$25","$26","$27","$28","$29","$2a","Figure 1: Reformating the MBR on your USB Stick\n\nWith your BackTrack USB stick inserted, start your computer. BackTrack should automatically load all of the\nnecessary drivers for your system and provide you with a full Linux distribution with all of the tools you need\npreloaded.\n\n10\n\nwww.foundstone.com | 1.877.91.FOUND","$2b","Figure 3: The EAP messaging process performed during 802.1x authentication with WPA-Enterprise\n\nEAP Response Identity: Once a client finishes its basic association, the authenticator (access point) sends\nan “EAP Request Identity” to the client. The client then responds with an “EAP Response Identity” containing\nits username to be passed onto the authentication (RADIUS) server. Some configurations may set this field\nto “anonymous” for security reasons which tell the authentication server to rely purely on the credentials\nprovided within the inner authentication protocol. However, some configurations will put the actual\n\n12\n\nwww.foundstone.com | 1.877.91.FOUND","username of the client in this field, providing the attacker with enough information to manually test\npasswords. Due to active directory authentication, this field may also contain the Windows domain to which\nthe client is authenticating against.\n\nPerforming the attack:\nThese messages are transmitted in the clear when a client is establishing connectivity to the wireless\nnetwork. Using a wireless sniffer, simply observe a client connecting (or force the client to\ndisconnect/reconnect using the de-authentication attack) and inspect the â€œEAP Response Identityâ€?.\n\nFigure 4: Username contained in the EAP Response Identity frame (Wireshark)\n\n13\n\nwww.foundstone.com | 1.877.91.FOUND","$2c","$2d","$2e","Figure 6: WPA-Enterprise configuration on OpenWRT\n\nAnother important thing to mention is that although I am using an off the shelf access point for this setup,\nyou may just as easily use hostapd (http://hostap.epitest.fi/hostapd/) to combine all elements of the attack\ninto a single machine.\n\nSetting up the RADIUS server\nThe FreeRADIUS-WPE patch has been developed with ease in mind. All configuration files have been set up\nto accept any authentication and return successful for most authentication attempts. That being said,\nFreeRADIUS-WPE should never be used in a production environment or considered a secure RADIUS server.\nTable 6: FreeRADIUS-WPE installation\n\nDescription\nExtract the FreeRADIUS\n2.0.1 source (Fig. 7)\n\n17\n\nCommands\ntar â€“zxf freeradius-server-2.0.1.tar.gz\n\nwww.foundstone.com | 1.877.91.FOUND","Copy the FreeRADIUSWPE patch into the\nextracted directory\n(Fig. 7)\n\ncp freeradius-wpe-2.1.patch freeradius-server-2.0.1/\n\nChange directories into the\nextracted directory\n(Fig. 7)\n\ncd freeradius-server-2.0.1/\n\nPatch the FreeRADIUS\nsource using the\nFreeRADIUS-WPE patch\n(Fig. 7)\n\npatch -p1 < freeradius-wpe-2.1.patch\n\nConfigure, compile and\ninstall (Fig. 7)\nChange into the certificates\ndirectory (Fig. 8)\n\n./configure && make && make install && ldconfig\n\nGenerate certificates using\nthe bootstrap script\n(Fig. 8)\n\n./bootstrap\n\n18\n\ncd /usr/local/etc/raddb/certs\n\nwww.foundstone.com | 1.877.91.FOUND","Figure 7: The FreeRADIUS-WPE installation procedure\n\n19\n\nwww.foundstone.com | 1.877.91.FOUND","$2f","MSCHAPv2 and the other using EAP/TTLS and PAP. Because PAP is clear text, youâ€™ll notice the password\nitself is directly outputted. PEAP MSCHAPv2 requires another step once captured.\n\nFigure 9: FreeRADIUS-WPE in action\n\nThe first entry in Figure 9 displays a user connecting with PEAP using MSCHAPv2 as its inner authentication\nprotocol. With access to the challenge and response, we can launch a brute force attack against them. One\nnotable item here is that it is extremely common for Windows clients to use domain authentication during this\nprocess, meaning that if the MSCHAPv2 credentials are brute forced, the attacker now has access to the\nWindows Domain!\nCracking MSCHAPv2\nNow that we have the MSCHAPv2 challenge and response, we can use ASLeap to crack these directly from\nthe command line.\nDescription\nASLeap\n\n21\n\nLink\nhttp://www.willhackforsushi.com/code/asleap/2.1/asleap-2.1.tgz\n\nwww.foundstone.com | 1.877.91.FOUND","Figure 10: Using asleap to crack MSCHAPv2\n\nasleap -C 4c:ad:9d:d8:e4:58:23:42 -R e1:65:e0:ee:f3:f6:60:13:71:21:ca:\nf9:26: b8:ad:46:72:97:c3:7c:18:fd:23:34 -W password.txt\n\nAttribute\n-C \n\nDescription\nSpecifies the Challenge\n\n-R \n\nSpecifies the Response\n\n-W \n\nSpecifies the dictionary\n\nDefault Configurations\nWireless device manufacturers have made it possible for the average home user to take advantage of\nwireless technologies by making them easy to set up and configure. One downside to this easy, plug-n-play\nconfiguration is that technically incompetent users do not understand the security measures that are available\nto protect wireless networks, nor do they understand the risks associated with having an unsecured wireless\nnetwork. Because of these reasons, it is very common for Small Office / Home Office (SOHO) users to set up\na completely unsecured wireless network, not changing any of the manufacturer default settings. This\n\n22\n\nwww.foundstone.com | 1.877.91.FOUND","$30","$31","echo -Destroying VAPs:\nfor i in $( ls /proc/net/madwifi ); do\nwlanconfig $i destroy 2>&1 /dev/null\necho -e \"\\t$i - destroyed\"\ndone\necho -Downing wifi0\nifconfig wifi0 down\necho -Using macchanger to change MAC of wifi0\nmacchanger -m $1 wifi0\necho -Bringing wifi0 back up\nifconfig wifi0 up\necho -Bringing up one VAP in station mode\nwlanconfig ath create wlandev wifi0 wlanmode monitor -bssid > /dev/null\necho -All done!\necho -Confirm your settings:\necho -----------------------------------------------------ifconfig wifi0\necho ------------------------------------------------------\n\nFigure 11: athmacchange.sh - To change an adapters MAC address when using an Atheros adapter\n\nWindows: There are a number of commercial utilities out there such as SMAC that will allow you to change\nyour MAC address on a Windows system. If you’re lucky however, your driver may already permit this, so it’s\nworth a check into the advanced section of your adapters’ driver properties.\n\n25\n\nwww.foundstone.com | 1.877.91.FOUND","$32","$33","$34","$35","$36","$37","Replay your newly created unicast\nARP. Be sure airodump-ng is\ncapturing the traffic.\n\naireplay-ng --interactive -r arprequest.skey ath0\n\nStart aircrack-ng again to crack the\nkey. Although this is not always the\ncase, it might be required for you to\nrun the injection for about 3 minutes\nor so. Then, filter all the unicast traffic\nso it doesn’t mess up aircrack. With\nthat data filtered, you can then be sure\nyou’re only cracking the unicast\nframes.\n\naircrack-ng DynamicWEP.skey-01.cap\n\nFigure 15: ChopChop Frame selection and Attack (Session Key)\n\nTroubleshooting: The main issue I see when performing this attack is that Aircrack-ng doesn’t work well\nwith 802.11e (QoS) data frames. You’ll know if this is your problem if you open your capture in wireshark\n\n32\n\nwww.foundstone.com | 1.877.91.FOUND","$38","consisting of approximately 172,000 passwords. It should be noted that the hash captured during the 4-way\nhandshake is generated using the SSID of the network, meaning that these rainbow tables are SSID\ndependant. That being said, it might be a good idea to have this on a portable hard disk if you perform a lot\nof wireless penetration tests. Youâ€™ll see below the drastic difference in speed when using rainbow tables.\nDescription\nRainbow Table SSIDs\nRainbow Table Torrent\nDownload Link\nWigleâ€™s Top 1000 SSIDs\n\n34\n\nLink\nhttp://www.churchofwifi.org/FileLib/9-ssid.txt\nhttp://umbra.shmoo.com:6969/torrents/wpa_psk-h1kari_renderman.torrent\nhttp://wigle.net/gps/gps/main/ssidstats\n\nwww.foundstone.com | 1.877.91.FOUND","Figure 16: Using coWPAtty with Church of Wifi's rainbow tables\n\ncowpatty -r wpapsk-linksys.dump -s linksys -d /wpapsk-tables/xai-0/linksys\n\nAttribute\n\n35\n\n-r \n\nDescription\nSpecify de-authentication attack with number of\ndeauth frames to send\n\n-s \n\nSpecify the SSID of target network\n\n-d \n\nAP MAC Address\n\nwww.foundstone.com | 1.877.91.FOUND","Aircrack-ng Suite: To launch a brute force attack against WPA-PSK using the Aircrack-ng Suite, type:\n\nFigure 17: Using aircrack-ng to brute force WPA-PSK\n\naircrack-ng -w dict wpapsk-linksys.dump\n\nAttribute\n-w \n\nDescription\nSpecifies the dictionary file to use\n\n\n\nThe last attribute is the capture of the 4-way\nhandshake\n\ncoWPAtty: coWPAtty is another WPA-PSK cracking tool which can accept input from standard in as a\nwordlist for its dictionary attack. This means that we can take the output from a password generator and\nsimply redirect it into coWPAtty.\n\n36\n\nwww.foundstone.com | 1.877.91.FOUND","Figure 18: Using coWPAtty to launch a dictionary attack against WPA-PSK\n\ncowpatty -f dict -r wpapsk-linksys.dump -s \"linksys\"\n\nAttribute\n\nDescription\nSpecifies the dictionary to be used\n\n-f \n\nSpecifies the PCAP file containing the 4-way\nhandshake\nSpecifies the SSID of the target network\n\n-r \n-s \n\nWe can use “john the ripper” to create a nicely mangled wordlist and output to standard out so that we can\nredirect the output to coWPAtty (see the “Wordlist Tips” section for more information). By combining\nwordlist permutation techniques with coWPAtty, we really start using the functionality of these two powerful\ntools:\n\njohn –-wordlist=all.lst –-rules –-stdout | cowpatty -r wpapsk-linksys.dump -s\n\"linksys\" -\n\nAttribute\n-\n\n37\n\nDescription\nThe single dash attribute to coWPAtty tells it to accept\ninput from standard in.\n\nwww.foundstone.com | 1.877.91.FOUND","$39","$3a","Raw Wireless Tools: Laurent Butti’s “Wi-Fi Advanced Fuzzing” presentation at BlackHat Europe 2007\nintroduced us to this set of proof of concept wireless fuzzing tools. This presentation is a required read if you\nare getting into the realm of 802.11 fuzzing.\nDescription\nRaw Wireless Tools\n“Wi-Fi Advanced Fuzzing”\nPresentation\n\nLink\nhttp://rfakeap.tuxfamily.org/\nhttp://www.blackhat.com/presentations/bh-europe-07/Butti/Presentation/bh-eu07-Butti.pdf\n\nFuzz-e: Fuzz-e was specifically developed with 802.11 fuzzing in mind. It is included as part of Johnny\nCache’s airbase utilities.\nDescription\nAirbase\n\nLink\nhttp://www.802.11mercenary.net/code/airbase-stable.tar.gz\n\nScapy – Scapy is a packet manipulation/forging application written in Python. I haven’t had very good luck\nwith it however it is seen to be very powerful because of its Python base.\nDescription\nScapy\n\n40\n\nLink\nhttp://www.secdev.org/projects/scapy/\n\nwww.foundstone.com | 1.877.91.FOUND","$3b","$3c","$3d","To obtain the Prism Test Utility, try Googling for “PrismTestUtil322”. The checksum for the version I have is\nbelow:\nFile\nPrismTestUtil322.zip\nPrismTestUtil322.exe\n\nMD5\na7c04ff2783f94e1f60dc45425b926d0\n0088fd7f41dc972935bb7bb6d546b8de\n\nFigure 20: Prism Test Utility\n\n44\n\nwww.foundstone.com | 1.877.91.FOUND","$3e","$3f"]},"initialDocumentData":{"document":{"access":"PUBLIC","contentRating":{"isAdsafe":true,"isExplicit":false,"isReviewed":true},"description":"Version 1.0 1 www.foundstone.com | 1.877.91.FOUND Brad Antoniewicz Senior Security Consultant Foundstone Professional Services Author:","path":{"type":"user","username":"spydrbyte","documentName":"802.11-attacks"},"fullPageImageDimensions":[{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496},{"width":1156,"height":1496}],"originalPublishDateInISOString":"2010-03-17T00:00:00.000Z","pageCount":46,"publicationId":"ac3c3cf3417045339342b0be1be0f3bb","revisionId":"100317023506","title":"802.11-Attacks","isDocumentGated":true,"username":"spydrbyte","documentName":"802.11-attacks"},"publisher":{"owner":{"type":"user","username":"spydrbyte","userId":1662685},"displayName":"Matt Moore","userPlan":"UNKNOWN_PLAN","moreDocuments":[{"type":"user","coverRatio":0.7727272727272727,"docUrl":"spydrbyte/docs/16957805-secrets-of-a-super-hacker","documentId":"100317024221-b9d64f7669524ddb9d90be8966658eba","ownerDisplayName":"Matt Moore","ownerUsername":"spydrbyte","publicationId":"b9d64f7669524ddb9d90be8966658eba","publicationName":"16957805-secrets-of-a-super-hacker","publishDate":{"year":2010,"month":3,"day":17},"title":"16957805-Secrets-of-a-Super-Hacker"},{"type":"user","coverRatio":0.7066508313539193,"docUrl":"spydrbyte/docs/7258976-wireless-networking","documentId":"100317023822-eeaa722bb8544284a89652b566c99a9f","ownerDisplayName":"Matt Moore","ownerUsername":"spydrbyte","publicationId":"eeaa722bb8544284a89652b566c99a9f","publicationName":"7258976-wireless-networking","publishDate":{"year":2010,"month":3,"day":17},"title":"7258976-Wireless-Networking"},{"type":"user","coverRatio":0.7727272727272727,"docUrl":"spydrbyte/docs/21716878-hacker-s-desk-reference","documentId":"100317024314-096eb68534324adcb8a35990fff84f7f","ownerDisplayName":"Matt Moore","ownerUsername":"spydrbyte","publicationId":"096eb68534324adcb8a35990fff84f7f","publicationName":"21716878-hacker-s-desk-reference","publishDate":{"year":2010,"month":3,"day":17},"title":"21716878-Hacker-s-Desk-Reference"},{"type":"user","coverRatio":0.7066508313539193,"docUrl":"spydrbyte/docs/open-hack-day-2009","documentId":"100317025920-ad9389add1a04c658eb2e2ec51094be6","ownerDisplayName":"Matt Moore","ownerUsername":"spydrbyte","publicationId":"ad9389add1a04c658eb2e2ec51094be6","publicationName":"open-hack-day-2009","publishDate":{"year":2010,"month":3,"day":17},"title":"Open-Hack-Day-2009"},{"type":"user","coverRatio":0.6680584551148225,"docUrl":"spydrbyte/docs/23438268-fm-72-20-jungle-warfare-27-october-1944","documentId":"100317024830-9583ea22ebfa4202a575c338d3b790d8","ownerDisplayName":"Matt Moore","ownerUsername":"spydrbyte","publicationId":"9583ea22ebfa4202a575c338d3b790d8","publicationName":"23438268-fm-72-20-jungle-warfare-27-october-1944","publishDate":{"year":2010,"month":3,"day":17},"title":"23438268-Fm-72-20-Jungle-Warfare-27-October-1944"},{"type":"user","coverRatio":0.7727272727272727,"docUrl":"spydrbyte/docs/100317024023-ac3291f49f4d4cbfbf9c7f9e419d14f2","documentId":"100317024023-ac3291f49f4d4cbfbf9c7f9e419d14f2","ownerDisplayName":"Matt Moore","ownerUsername":"spydrbyte","publicationId":"ac3291f49f4d4cbfbf9c7f9e419d14f2","publicationName":"100317024023-ac3291f49f4d4cbfbf9c7f9e419d14f2","publishDate":{"year":2010,"month":3,"day":17},"title":"[Title will be auto-generated]"},{"type":"user","coverRatio":0.7727272727272727,"docUrl":"spydrbyte/docs/17933180-hack-faq","documentId":"100317024245-3093b2d977634f82b79b8efe0abf874c","ownerDisplayName":"Matt Moore","ownerUsername":"spydrbyte","publicationId":"3093b2d977634f82b79b8efe0abf874c","publicationName":"17933180-hack-faq","publishDate":{"year":2010,"month":3,"day":17},"title":"17933180-Hack-Faq"},{"type":"user","coverRatio":0.7727272727272727,"docUrl":"spydrbyte/docs/7315rpt_threat_1009v2","documentId":"100317023550-43ee3fe9899a4e609445cea0fa361028","ownerDisplayName":"Matt Moore","ownerUsername":"spydrbyte","publicationId":"43ee3fe9899a4e609445cea0fa361028","publicationName":"7315rpt_threat_1009v2","publishDate":{"year":2010,"month":3,"day":17},"title":"7315rpt_threat_1009v2"},{"type":"user","coverRatio":0.7727272727272727,"docUrl":"spydrbyte/docs/paradox-of-web-leeching","documentId":"100317025956-9a646fa47266470d94ff5689d956cfb1","ownerDisplayName":"Matt Moore","ownerUsername":"spydrbyte","publicationId":"9a646fa47266470d94ff5689d956cfb1","publicationName":"paradox-of-web-leeching","publishDate":{"year":2010,"month":3,"day":17},"title":"Paradox-Of-Web-Leeching"},{"type":"user","coverRatio":0.7074910820451843,"docUrl":"spydrbyte/docs/penetration-from-application-down-to-os--getting-o","documentId":"100317030047-e29d41e7cb2442b9b024a6d6d5c0e936","ownerDisplayName":"Matt Moore","ownerUsername":"spydrbyte","publicationId":"e29d41e7cb2442b9b024a6d6d5c0e936","publicationName":"penetration-from-application-down-to-os--getting-o","publishDate":{"year":2010,"month":3,"day":17},"title":"Penetration-From-Application-Down-To-OS--Getting-OSAccessUsingOracleDatabaseUnprivilegedUser"},{"type":"user","coverRatio":0.7727272727272727,"docUrl":"spydrbyte/docs/protectingyournetworkfromhome-wireless-hackers-aug","documentId":"100317030127-0c06886dc96141aca9b2f56b358434f9","ownerDisplayName":"Matt Moore","ownerUsername":"spydrbyte","publicationId":"0c06886dc96141aca9b2f56b358434f9","publicationName":"protectingyournetworkfromhome-wireless-hackers-aug","publishDate":{"year":2010,"month":3,"day":17},"title":"ProtectingYourNetworkFromHome-Wireless-Hackers-August-2008"}],"licenses":{"removeSignupButton":false,"hideAdsInReader":false,"hideReadMoreSection":false},"username":"spydrbyte","userId":1662685},"visitor":{"isLoggedIn":false},"articleSummaries":[],"articleStorySummaries":"$8:props:initialDocumentData:articleSummaries","iabCategories":[],"categories":[{"path":"/categories/technology-and-computing/computers","label":"Computers","id":1702},{"path":"/categories/technology-and-computing/programming","label":"Programming","id":1707}]},"initialPageNumber":1,"initialViewportWidth":1024,"referrer":"","isCrawler":true,"experiments":[],"userId":"$undefined"}]