4. WLAN Encryption Flaws | Kali Linux: Wireless Penetration Testing Beginner's Guide, Second Edition

Sign In Start Free Trial

Book Overview & Buying
Table Of Contents
Feedback & Rating

Kali Linux: Wireless Penetration Testing Beginner's Guide, Second Edition

By : Cameron Buchanan, Vivek Ramachandran

4.5 (44)

Kali Linux: Wireless Penetration Testing Beginner's Guide, Second Edition

4.5 (44)

By: Cameron Buchanan, Vivek Ramachandran

Overview of this book

If you are a security professional, pentester, or anyone interested in getting to grips with wireless penetration testing, this is the book for you. Some familiarity with Kali Linux and wireless concepts is beneficial.

Preface

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Free Chapter

1. Wireless Lab Setup

1. Wireless Lab Setup

Hardware requirements

Software requirements

Installing Kali

Time for action – installing Kali

Setting up the access point

Time for action – configuring the access point

Setting up the wireless card

Time for action – configuring your wireless card

Connecting to the access point

Time for action – configuring your wireless card

Summary

2. WLAN and its Inherent Insecurities

2. WLAN and its Inherent Insecurities

Revisiting WLAN frames

Time for action – creating a monitor mode interface

Time for action – sniffing wireless packets

Time for action – viewing management, control, and data frames

Time for action – sniffing data packets for our network

Time for action – packet injection

Important note on WLAN sniffing and injection

Time for action – experimenting with your adapter

The role of regulatory domains in wireless

Time for action – experimenting with your adapter

Summary

3. Bypassing WLAN Authentication

3. Bypassing WLAN Authentication

Hidden SSIDs

Time for action – uncovering hidden SSIDs

MAC filters

Time for action – beating MAC filters

Open Authentication

Time for action – bypassing Open Authentication

Shared Key Authentication

Time for action – bypassing Shared Authentication

Summary

4. WLAN Encryption Flaws

4. WLAN Encryption Flaws

WLAN encryption

WEP encryption

Time for action – cracking WEP

WPA/WPA2

Time for action – cracking WPA-PSK weak passphrases

Speeding up WPA/WPA2 PSK cracking

Time for action – speeding up the cracking process

Decrypting WEP and WPA packets

Time for action – decrypting WEP and WPA packets

Connecting to WEP and WPA networks

Time for action – connecting to a WEP network

Time for action – connecting to a WPA network

Summary

5. Attacks on the WLAN Infrastructure

5. Attacks on the WLAN Infrastructure

Default accounts and credentials on the access point

Time for action – cracking default accounts on the access points

Denial of service attacks

Time for action – deauthentication DoS attacks

Evil twin and access point MAC spoofing

Time for action – evil twins and MAC spoofing

A rogue access point

Time for action – cracking WEP

Summary

6. Attacking the Client

6. Attacking the Client

Honeypot and Mis-Association attacks

Time for action – orchestrating a Mis-Association attack

The Caffe Latte attack

Time for action – conducting a Caffe Latte attack

Deauthentication and disassociation attacks

Time for action – deauthenticating the client

The Hirte attack

Time for action – cracking WEP with the Hirte attack

AP-less WPA-Personal cracking

Time for action – AP-less WPA cracking

Summary

7. Advanced WLAN Attacks

7. Advanced WLAN Attacks

A man-in-the-middle attack

Time for action – man-in-the-middle attack

Wireless Eavesdropping using MITM

Time for action – Wireless Eavesdropping

Session hijacking over wireless

Time for action – session hijacking over wireless

Finding security configurations on the client

Time for action – deauthentication attacks on the client

Summary

8. Attacking WPA-Enterprise and RADIUS

8. Attacking WPA-Enterprise and RADIUS

Setting up FreeRADIUS-WPE

Time for action – setting up the AP with FreeRADIUS-WPE

Attacking PEAP

Time for action – cracking PEAP

EAP-TTLS

Security best practices for Enterprises

Summary

9. WLAN Penetration Testing Methodology

9. WLAN Penetration Testing Methodology

Wireless penetration testing

Planning

Discovery

Attack

Reporting

Summary

10. WPS and Probes

10. WPS and Probes

WPS attacks

Time for action – WPS attack

Probe sniffing

Time for action – collecting data

Summary

A. Pop Quiz Answers

Chapter 1, Wireless Lab Setup

Chapter 2, WLAN and its Inherent Insecurities

Chapter 3, Bypassing WLAN Authentication

Chapter 4, WLAN Encryption Flaws

Chapter 5, Attacks on the WLAN Infrastructure

Chapter 6, Attacking the Client

Chapter 7, Advanced WLAN Attacks

Chapter 8, Attacking WPA-Enterprise and RADIUS

Index

Index

Customer Reviews

4.5 (44)

5 star

75%

4 star

15.9%

3 star

2.3%

2 star

2.3%

1 star

4.5%

Time for action – speeding up the cracking process

We can proceed with the following steps:

We can precalculate the PMK for a given SSID and wordlist using the genpmk tool with the following command:
```
genpmk –f <chosen wordlist>–d PMK-Wireless-Lab –s "Wireless Lab
```
This creates the PMK-Wireless-Lab file containing the pregenerated PMK:
We now create a WPA-PSK network with the passphrase abcdefgh (present in the dictionary we used) and capture a WPA-handshake for that network. We now use Cowpatty to crack the WPA passphrase, as shown in the following screenshot:
It takes approximately 7.18 seconds for Cowpatty to crack the key, using the precalculated PMKs.
We now use aircrack-ng with the same dictionary file, and the cracking process takes over 22 minutes. This shows how much we are gaining because of the precalculation.
In order to use these PMKs with aircrack-ng, we need to use a tool called airolib-ng. We will give it the options airolib-ng, PMK-Aircrack --import,and cowpatty PMK-Wireless...

Search

Your notes and bookmarks