Wireless Security Tools Tutorial

10.1 Intro to Security Tools

We're about to have a large discussion on security tools, pen testing tools and so forth. So let's discuss this for just a moment before we jump into the deep into the pool and go through a lot of these different tools that we're going to discuss. There's a large variety of tools available to penetration testers Especially wireless penetration testers. There are several different classes of tools out there and what you use depends upon what you need it for and how well you know it. These tools are commercial in nature, some of them are, some of them are intended for enterprise level networks. Some of them are intended for small networks or even wardriving and so forth. Some are open source obviously so you can download them and change their source code and feel free to pass them on. Some are freeware. Actually and some are for priority obviously developed by companies and may keep their code a secret or their operation a secret and you have to purchase those in order to use them and then only specific situations. Tools that come to come to on that category or things like core impact for example. That's a one very good Good commercial tools, also proprietary, there's also home grown tools that an organization may develop on their own, these are simply scripts for example, but they also could be very good commercial class software that's developed in house for in house use. There's also government produce software that's out there, there's penetration testing tools that I've seen before. That are only to be used within government circles. So you have a wide variety of tools out there that come from a wide variety of sources. Some of these tools are very specific in what they do. They may only do one or two things. Maybe they only scan the network. Maybe they only detect vulnerabilities. Some are very general purpose in use and can do a wide variety of Things. The point is, you probably want all of these in your toolbox, because you're probably going to encounter different situations in penetration testing where you will want to use different tools. Now, wireless tools are basically a A subset of the penetration tools that you'll see out there and in fact they are probably often included in the penetration testing tools set. Now, there are some wireless tools out there that you can get individually, separately from A larger penetration testing tools set as well. Now keep in mind that wireless penetration testing. Remember that wireless is a network and it takes place at the bottom two layers of model. You're not really hacking Applications or web servers or anything like that when you're using And wireless penetration testing. You're only getting access to the network. So the tools that we talk about to do wireless hacking will only get you in the network, that's all. It gets you authenticated in most cases and it gets you access. After that, there's a whole lot of other penetration testing that has to be done. To actually get things like data or access to services and resources. And there are obviously more tools that you could use after that to get into the network and get to those resources. So, most of the tools that we talk about during this course are just to get you into the network. Some tools we see are reused more for network management that are typically there for administrators. We may see tools that are used for network management, but they can be turned into penetration testing tools as well. Things like Solar Winds, for example, is a tool set that's primarily. A network management tool set, but it can be used during penetration testing also, or security testing. Now, when we say tools, we automatically assume we're talking software obviously, hacker tools, penetration testing tools and so forth. But there's also hardware that we'll discuss because hardware Is very important, definitely important in penetration testing but probably even moreso important in wireless security testing because you have to have specific types of hardware in order to be able to conduct a test. Now most of the tools that we use in this course are obviously software. We will discuss some hardware tools as well. Things like network hards, but most of them are software, and in fact, most of them that we'll talk about are open source tools and also most of them come from the Backtrack 5 Linux penetration testing distribution. And if you're unfamiliar with Backtrack, it's basically the defacto penetration testing tool set that most penetration testers use. From the open source world. And we'll cover Backtrack a little bit more in depth in a later session but understand that that's probably what you're going to see during most of the rest of the course. So let's go ahead and take a look and dive into most of the rest of these security tools.

10.2 Hardware

Before we delve into the world of wireless security software, let's take a few moments to talk about hardware, because it's very important when considering wireless security testing. Now the hardware you would use to connect to a typical network, a wired network, for example, is fine for most penetration tests. If you're going to just test wired networks. But for wireless, it's a little bit different. In addition to having a card that can also connect to the wireless network, there are other things that a wireless security test has to have that a card must be able to do. So a card used in wireless security testing. Is more specialized and typically must meet certain functionality requirements. There's certain things it has to be able to do. Now strictly from the platform perspective, most mobile devices that you use in wireless penetration testing will do just fine. And I'm talking about consumer grade laptops, tablets, and PCs. They'll pretty much do the job for a wireless penetration test, wireless card aside. Now as far as specs goes, these devices ought to have a lot of memory, and a fast CPU. And the reason you want that is because you maybe doing some intensive operations sometimes such as password cracking for example or scanning. And this can be CPU and memory intensive, in addition to that you also want plenty of hard drive space, plenty of storage. And you need this for traffic capture files. When you capture traffic, the file size can grow to be enormous. So you need a lot of storage for that. In addition to that, the boxes probably should be relatively new, have a new operating system put on it and so forth. You really don't want to grab an old dusty laptop from the corner and use it, simply because it may not be able to handle the load. Now getting back to wireless cards, they are the key to successful wireless penetration testing. In addition to being able to connect to the wireless network themselves as you would expect, there's some other things they should have to be able to do in order to do wireless pin testing. First of all, you need to be able to put them into monitor mode. A lot of cards can't be put into monitor mode. And, monitor mode basically is the same thing as promiscuous mode for a wired card. So you need to be able to put it into monitor mode so it can scan and capture packets. The other thing the wireless card needs to be able to do is inject packets. And most cards can't do that. And you'll discover why we need it to inject packets later on in the course. Now there are some older cards out there that are great for wireless penetration testing. In fact they're probably pretty much famous throughout the wireless security community and that's the older Prism and Orinoco chipset cards. They're still out there, they're still great cards to use. The Orinoco Gold is a fantastic card. But a lot of these cards can only capture 802.11b traffic. They're not really appropriate for some of the faster networks that you'll have out there, the G and the N networks. And some of them many not support newer security measures such as WPA 2 and so forth. Now these newer cards that are out, there's a few of them that are really suitable for wireless hacking. And you'll find that the ones that are typically use Atheros or Realtek chipsets. And there are other ones out there, don't get me wrong. But those are the most popular ones. So the couple of cards that I'll show you during the course Will use one of those two chipsets. Some of these are built in obviously to the computer itself. If you're using a laptop that has one of these cards built in, that's fantastic. And one of the things I'll show you in a moment shows one that's built into a laptop, an Atheros card. You'll find, however, that USB cards are probably more flexible and portable because you can unplug them from any device that has USB port and plug them into a different one. So you can use them in a Windows box. You can use them in a Linux box. The other thing that's possible with a USB wireless card is you can use it in VMs. It's a very difficult to get virtual machines to detect wireless cards because typically they bridge to the network card on the host. And they pretty much see everything as a wired card. So running a wireless commands within a VM is problematic. Even if the device your using, the laptop for example has a wireless card. So what you'd want to do is use a USB card and have the VM take exclusive control of the USB device. Then it can detect it as a wireless card and use wireless commands. Now there's a couple cards that I recommend. Obviously the Atheros cards and the Realtek chipset cards. And on the left side of the screen we have an Alfa card. And it's a USB, actually a USB adapter. Not really a card. And it's pretty famous within the wireless security world. Being able to do wireless security testing. It's a fantastic card and you can get them from a wide variety of sources. Amazon.com has them, obviously. The bigger and better computer supply stores and network supply stores have them. They're not very expensive. And they do monitoring packet injection and they work in Linux like a champ. They work in Windows like a champ. They also work in virtual machines pretty good too. The screenshot on the right shows an output from Airmon and it shows you that there's an Atheros card loaded on. The laptop that I took a screenshot on for this course, it's using the Atheros card, and it's in monitor mode, so it's able to use this Atheros chip set to do wireless penetration testing. To do traffic capturing and so forth. So. Anything that you use probably oughtta have one of those chipsets. The Alfa has a Realtek chipset to it, and the Atheros card obviously has an Atheros chipset. So these are fantastic cards to use. You may get lucky enough to have one built into your laptop, but if not, you can always fall back to getting the USB card. So those are the recommendations from most wireless penetration testers.

10.3 Pen Testing Platforms

Now let's talk about penetration testing platforms for a moment. And this would have to do with the different platforms, such as operating system and so forth, that you might use to perform penetration testing tasks. And there's a lot of platforms out there obviously available. Different operating systems, different hardware and so forth. And in some cases, you can use anything with a wireless card and software but that's not typically true for For hardcore penetration testing such as packet injection, monitoring and so forth. But if you just going to scan to find wireless networks, then most things will do. You can use older PDAs like an old iPack that I used to use. You can use cell phones, laptops, like PCs even tablets. They all in themselves becoming a platform for scanning for wireless networks. Depending upon which operating system you use and what's it's capabilities are and which hardware you use, such as wireless card, there many more things you can do. And this advantage is to all three of those, we'll discuss that now. The platform that you use, depends upon on what you need it to do. If you're going to just war drive then PDAs, and laptops obviously would be fine, cell phones would be great. Because all you're doing with war driving, typically, is detecting unsecured wireless networks and using them. Least that's what most hackers do. If you're going to do WEP and WPA key cracking on the other hand, you might want to use a stronger something. A laptop will probably do if it has the right card. In it, and if it has the right software. But if you're just war driving, pretty much most things will do. If you're going to do enterprise or company-wide testing, you definitely want to use PCs or laptops. Laptops probably are preferable, because with wireless security testing, you're going to be moving from place to place, possibly, to get a stronger signal. Or to access a different access point and so forth. The bottom line is, use the platforms that meet your needs. Use the software and tools that meet your requirements. If you're just scanning for rogue wireless access points, for example, you may not need anything complex. You may just need a Windows box. That can scan for wireless networks. If you're going to be using WAP or WPA cracking tools, then you may have to use something a little bit better. Let's talk about Windows for a moment. Windows platforms are obviously the most widely available out there. Most laptops come with them. Some newer tablets are coming with things like Windows 8 on them. They're standard general purpose machines and they can be used for some wireless penetration testing tasks, but not everything. There's a lot of software out there available for Windows, but not In terms of penetration testing, serious penetration testing tools. Obviously you have things like Canvas and Core Impact. Those are commercial tools. And you also have other tools out there. Things like Commview WiFi and some of these are meant to be enterprise management tools. Not necessarily penetration testing tools. In the case of CommView WiFi, for example, by TamoSoft, it's used as a wireless tool to manage the wireless networks across the enterprise. It can be used to scan wireless networks also. In the case of Canvas and CoreImpact, their penetration testing suites, commercial suites, And have a wide variety of tools out there. And all of these are on Windows platforms, by the way. There's typically a low training curve with most of these tools because Windows is point and click, click next and so forth. So you can do a lot of pen testing tasks with Windows if you have the right software. One thing about Windows is it's difficult to get your cards in the promiscuous or monitor mode. It really depends on the card and the driver. If you're using a wired card obviously you can use something like WinPeak app to put the card into promiscuous mode. But if you're using a wireless card, you may have to use something like AirPcap from Case Technologies to do it. It's very difficult to find drivers for wireless cards in Windows, that will put them in monitor mode and inject packets. Some of the hardware that we want to use for wireless penetration testing, some of the cards don't perform the full functions under Windows. Some of the cool cards that we might use for penetration testing may not do packet injection under Windows for example because the software and the drivers stack doesn't work that way. And again some of the software that you might want to use with Windows can't perform some of the more advanced test functions, again packet injection I mentioned. Now Linux platforms are. Not as widely used by the typical user. But they are very widely used by serious penetration testers because you can do almost anything with a penetration testing tool set that's in Linux. Backtrack obviously is the most popular out there that a lot of penetration testers use. And you'll find that it is more flexible, much easier to get into the core of Linux and change drivers and driver stacks to meet your needs to do certain things like packing injections and so forth. Some of that is built in to Linux already as a matter of fact. So, probably Linux, if you're going to be a serious pen tester, is the way to go. Now Macs can also be use for war driving and some penetration testing. But there's not a lot of software designed and built specifically for Macs to do that. The Macs that you might see in wireless penetration testing. Maybe using some sort of virtual machine to do it, or they may use open source software because under the hood, a Mac is essentially a BSD type of operating system. So there is some stuff out there build for BSD that a Mac can use. It really just depends upon How the drivers are set up, and so forth. So there is some software out there, but not a lot. You may have to investigate that if MAC is your preferred platform. [BLANK_AUDIO]

10.4 Backtrack Toolset

Now let's talk about the real meat of the penetration testing tools we're going to be using for the course. We're going to be using Backtrack. And Backtrack is probably the most ubiquitous penetration testing tool set there is out there. If you're a penetration tester that actually claims to be one Then you're probably going to be very familiar with backtrack, and you need to have some good experience with it, both in normal penetration testing, and wireless, as well. Now, it's a Linux distribution that's been around actually quite a while, it's carton version is based on Ubuntu 10.04/ Now, a few years ago, it was based in a different Linux distribution, It actually came from several other security distros. A combination of things like old Whax and Auditor. Now the current release is Backtrack five release three, which came out probably several months ago, at the time of this recording. Let's go ahead and take a tour of Backtrack five release three, and we'll look at a lot of the different wireless tools available to you. We won't go into depth on any one of them. I just kind of want to give you a tour of where to find them. And a lot of them we'll be covering in depth as we go through the penetration testing demonstrations in the course. Okay, we're go to Backtrack 5, release 3 distribution. And I just wanted to give you a quick tour of some of the tools you'll see as we go through the remainder of the course. Conducting some wireless penetration testing demonstrations and so forth. And these are tools you probably need to be familiar with if you've going to do this kind of work. If you're a GUI junkie, let's take a quick look at where everything is typically in the GUI. And unfortunately it can be in different places, so you may have to look and see What kind of tool you want based upon what you want to do. You have several different menus here in back track, we're just going to go through a few that contain the wireless tools. We have information gathering and you can look at certain wireless tools there. We have bluetooth tools, obviously as well, they are considered under that category but we also have WLAN tools and for information gathering, They list a wide variety of tools that are typically sniffers, kismet, airodump, pcapdump and so forth. Again, we're going to cover some of these tools a little bit later. Now they don't list, obviously, the entire aircrack.ng suite under that particular category. You have to go back to, say, vulnerability assessment. And exploitation tools and other categories to find some of these tools. So let's go down to exploitation tools for wireless and you'll see that we have Bluetooth, GSM and WLAN. Let's look at WLAN. You have things like aircrack.ng, airmon, airodump. So pretty much most of the tools you're going to use are here in this category. And obviously if you wanted to run a tool you just click on it. Now I can tell you that the GUI is a little bit deceiving. If your a GUI junkie versus Command Line junkie, you might be in for a little bit of a disappointment. Because if you click on any of these tools you're pretty much going to get thrown back into the Command LIne. And they're probably not going to run. They may give you the simple help listing as to how to run the tool and that'll be about it. Then you'll want to pass the command line running these tools from there anyway. So it'll actually be useful to go and look at the command line At the terminal and kind of look and see where these tools are and how you can access them. Most of the tools in back track are under pin test directory so you want to go. [BLANK_AUDIO] Pin test. [BLANK_AUDIO] And then you can kind of list all of the tools that are in there. Obviously, you have things like Bluetooth, fuzzers, forensics, exploits, password scanners, and crackers, and so forth. But what we're looking for is under wireless. [BLANK_AUDIO] In the wireless tools, we have a wide variety obviously here. Aircrack, the entire suite, giskismet, killerbee, wifi-honey which is a honey pot for wireless networks. So you have a wide variety of tools that are there for you. Let's take a look in some of these directories. [BLANK_AUDIO] And you'll see a wide variety of things here. The source code the man pages for them. The different scripts that basically make up aircrack and so forth. Now, you don't have to burrow into these directories at all really. To use the tool. For example, if you were outside of the directory, [BLANK_AUDIO] And you wanted to just run say airmon for example, you might go, [BLANK_AUDIO] And you'd run the tool. Obviously, we don't have our wireless card hooked up just yet. But you don't have to be in those directories to run the tool. So, these are some of the tools you'll be using and you'll be looking at throughout the course. We won't use all of them. This is basically a surface treatment of some of the main tools you'll use. And it's basically just to get you on the road to knowing where they're at and knowing how they work. But we will be using some of them in depth. So this is a quick introduction to backtracking where the wireless tools are. [BLANK_AUDIO]

10.5 Kismet

Kismet is an older tool used for wireless penetration testing. However, it's still very relevant as it's updated periodically. The last time in 2011, in fact. It's a great tool, you run it from command line and there are several options. So it has a wide variety of things you can do. Now it scans for WAP, Wireless Access Point, and collect traffic for all variations of 802.11. The cool thing about Kismet and its variations is that it can output to a capture file that tcpdump or wireshark or your favorite network protocol analyzer can read Let's go ahead and take a look at Kismet in Backtrack Five now. Kismet is very easy to use, although it does have a lot of different options. Let's just go ahead and run a basic installation of Kismet. Now you're going to get some prompts here before it starts. You'll answer yes, basically to whether you see the screen or not. It gives you a warning if you are running this root, not something you should do all the time but might be something you need to do from time to time. Going to go ahead and say OK. It's going to ask us if we want to go ahead and start the Kismet server. So we're going to say yes to this. And it's going to ask us for some options, I'm just going to go ahead and leave the default options there and click start. And it's going to do a little bit and it's going to probably come back and tell me that it does not have a source, so it's going to ask us if we want to add a source. I'm going to say yes, and I'm going to specify Wlan0. And add that. [BLANK_AUDIO] And we get a source, a warning about processes that are running that could interfere with it. So we're going ahead and running this now. And it's doing some scanning here. It's picking up some wireless access points. I'm going to close the console window here, so we can get the pretty colors. And as you can see, it's picking up a lot of wireless access points, and it's showing on the right hand side the networks it's detected. And how many packets it's picked up. And you can see the cute little graph there going across the bottom that shows signal strengths and so forth, and how they vary. So we're seeing a lot of different wireless networks here on the Kismet screen. And as it progresses, we can actually Save the data. If you go up here to the top line menu, there's a lot of different options. You have the options to start the server console again, to disconnect from the console, to add another source, because Kismet can be used in multiple wireless interfaces. You also have the option to look at different plugins here. Let's go up to sort and we can actually sort on these particular filters, in order to see our wireless networks. We click on View, [BLANK_AUDIO] We see the Network List, the Client List. GPS Data, the Battery. Those are things that show up here in the screen that we're looking at. [BLANK_AUDIO] And if we look at Windows finally, those are the windows that will display that we can look at the The data that Kismet is getting here on the screen. I'm just going to leave everything at the defaults. Now, one of the things you definitely can do is pipe data into a capture file, and we didn't use that option, so what we're seeing on the screen is what we're getting. But there's a lot of different options with Kismet you can use. It's a fantastic tool, and it has a lot of options that we haven't even mentioned, so While air crack NG, the sweet of tools that come with that are becoming to the fact of standard Kismet is still out there, it's still included with backtrack and it's a fantastic tool and a lot of people still use it because that's What they learned on. And it does a really good job of what it does. So I would definitely recommend that you take some time to learn Kismet if you're going to be a serious wireless penetration tester. [BLANK_AUDIO]

10.6 Aircrack-ng

Now let's discuss a tool you're going to see a lot of during the rest of this course, and that's the Aircrack-ng suite. Now, Aircrack has become pretty much the most widely used suite of tools for wireless penetration testing. It's been around for quite a while, and it's been in backtrack Pretty much almost as long as BackTrack has been around. Now, it's capable of a wide range of wireless attacks. There's so many things you can do with Aircrack and we're only going to scratch the surface during this course. There's also a lot of tools we probably won't even look at because there's so many of them in the suite. But we will look at the major ones and we'll use Aircrack And it's related tools quite a bit. Aircrack can do many things including capturing traffic, traffic injection, and WEP, and WPA cracking. Now let's command tool with a wide variety of options available to it. And we're going to learn some of those options. We obviously won't have time during this course to cover every single thing that Aircrack can do, but we'll cover a huge majority of it. Now, Aircrack is a suite of several tools, and some of the more popular ones are here on the screen, airmon, airodump, aircrack, and aireplay. Airmon is concerned primarily with turning your card on into monitor mode. Airodump helps you to capture traffic. Aircrack helps you to crack WPA and obviously And aireplay is good for packet injection attacks. So let's go ahead and take a quick tour of the aircrack ng suite we're just going to look at some of the options available to the commands. You'll get a lot of practice with the commands as we go through the penetration testing portion of the course. We're in backtrack 5 and I've actually navigated to the directory where air crack ng and its tools are stored and that is in /pentest/wireless/aircrack-ng. Now as I said there are many different tools available with aircrack we're only going to cover a few of them during the course. But I would highly recommend that you go to the aircrack-ng site. And it's a fantastic site that really has a lot of good documentation on the suite of tools. As well as lot of information on how to use them for wireless penetration testing. There's also some good information on what wireless cards are compatible. With aircrack-ng, which ones you can put into monitor mode, which ones will do pack injection and so forth. Let's go ahead and take a look at a couple of aircrack-ng tools, as I said, you'll get plenty of practice with it throughout the course. Let's look at airmon first. [BLANK_AUDIO] And what airmon's going to do for us is put our Wireless card into monitor mode right now I already have it set in monitor mode and I'll show you how we do this a little bit later we'll take a card in and out of monitor mode. This one is actually put in the monitor mode by Kismet during an earlier demonstration. Some tools can go ahead and quit. The wireless card into monitor mode by themselves. You may not necessarily need airmon to do that but it can do it. So let's go ahead and take out monitor mode right now. [BLANK_AUDIO] Let's go ahead and stop our monitoring interface. [BLANK_AUDIO] And that destroyed the monitor mode interface. And really there's not much to airmon except putting the card in and out of monitor mode obviously. So there's not much to that. There's some other options we'll talk about later. Now if we look at airodump [BLANK_AUDIO] There's a lot of different options available for you here as well. And let's scroll up just a little bit here and see some of them. We have obviously a lot of different Options. We include the interface in there and we can basically use Airodump to capture packets and dump them to a file or visually see them on the screen. And as you can see, there's a whole lot of Options here. We can filter based upon different things. We can also configure the packet capture. We can change the time between channel hopping. We can read packets from a file there's all kinds of things you can do with airodump. Basically your limits are only what you can do with these switches. And your own imagination. So there's a lot of different things here. You can filter, you can do all kinds of things. So definitely get to know airodump. And we'll be using it in a little while so you'll be able to see some of the things it can do. [BLANK_AUDIO] Now let's look at aireplay. [BLANK_AUDIO] Now, aireplay is used for actual attacks, and you have several different attacks that you can use. And it's not very difficult, it's kind of a intimidating come in handy use it first but you'll see there's so many things you can do with it. You can filter based upon different things like the SSID, the MAC address, destination of source, packet information and so forth. There's different replay options, and what Aireplay does is inject packets. That's what it's good at. That's what it was designed to do. So you can control how many packets per second, and particular characteristics of each packet as you go. You can do fake authentication attacks Fragmentation attacks, deauthentication attacks, and so forth. And there's a lot of different attack options you need to be familiar with, the attack modes, if you are going to use this, and we'll go through some of those. We have the fake authentication attacks, interactive attacks chopchop attacks and so forth. And all you really need to know is the number, so it's good to know where the help is so you can find that number depending upon what kind of attack you want to run. The other Aircrack-ng tools we'll go through a little bit more as we go through the course This was just a basic introduction to them to show you how they work and talk about their different options, and just kind of give you an introduction to them. So that was the brief tour but we'll be using them a lot later. [BLANK_AUDIO]

10.7 Gerix

For all of you folks out there who fear the command line and love GUIs, there is a tool for you that's actually included in Backtrack that can help run the aircrack-ng suite [INAUDIBLE] Of Tools, and it's called Gerix. Now gerix-wifi-cracker-ng is the actual name of the tool. It's not part of the original aircrack-ng suite of tools. You won't find it in there. It was developed separately by an enterprising developer who really wanted to have a GUI for these tools to make it simpler. And it makes it very simple. This GUI will run Aircrack-ng tools right from the desktop and backtrack. And what it can help you do is if you have long, complex. Commands with switches, Gerix can run them for you. However, they're pretty much pre-built options, so you don't get a lot of flexibility. I would not say you should replace your command line use of aircrack with Gerix, however it can do some really quick stuff for you if you want. And if you're a little bit intimidated by. The command line then Gerix is a good place to start. Let's go ahead and take a look at Gerix and what it can do for us. Okay we're in BackTrack again and what we want to do is here at our desktop we want to go to BackTrack, Exploitation Tools and we're going to take a look at Wireless Exploitation Tools. And then WLAN Exploitation and down here bury the menu is gerix-wifi-cracker-ng, let's go and click on that now. And we get the cool little screen there and basically you can run through here and see some of the things this can do, let's go to configuration. And we have different interfaces here. One thing you might want to do is clean old session files from previous uses of Gerix. And you have your interfaces right here. Let's reload the wireless interfaces up a little bit. And if you want we can enable or disable monitor mode for here as well. [BLANK_AUDIO] We can also set a random MAC address. And this would keep us from being detected, in terms of someone seeing which MAC address we're using or if we needed to spoof another MAC address. So, we've obviously got a interface now in monitor mode. Now let's go ahead and do some scanning. Let's just see what we come up with. Rescan networks. Let's see what we come up with. [BLANK_AUDIO] There we go. Now we have a great many of these targets lined up. And we can look at some of these and see what we get. I'm going to click one, the VTC one. That's obviously the one we want. And you can see the SSID, the MAC address, the channel it's on, the signal you're getting, as well as the encryption level so that we see that some of these are open and some of these are using WEP. So what you might want to do then is once you've selected one You can click over here to WEP, and you can start sniffing and logging. And it will start sniffing your connection for you, that may be a little bit hard to see, that's just how Gerix puts it out. By looking at this, you can see that this is pretty much the same thing as the error dump screen you've seen earlier. Now, basically, Airdump is connecting to this wireless access point. It's sniffing it, rather, and it's trying to pick up traffic, and it has a station connected to it. So, the goal here is to crack WEP, and we'll talk more about cracking WEP a little bit later. We won't actually do it right now, because it requires a good bit of traffic. And we'll look at ways to generate traffic artificially and inject that into the network so we can get more traffic to speed that process up. So right now, we're seeing the client connect to this web-enabled wireless access point called VTC. So that is how. Gerix works. We can also do test injections here and what we'll do is it we'll tell us if our card supports injection and if we can inject probe request and so forth into the access point and so forth. So, we'll get that and looks like injection has worked. We can do in lot of other things with Gerix also. We can correct WPA. We can run a fake AP if we want. Now if we use this fake AP, we can determine what cryptography version, we can determine what channel, what the ESSID name is, and we can go ahead and start this fake access point here. And it's going to if we were going to sniff now, we would see this access point. Sending out traffic, and this might be used to create a rogue access point that people might try to connect to, or basically just fool them into trying to connect to so we can intercept traffic. We could use this for all kinds of things, but Gerix is a pretty cool tool. And I'm not saying don't use it, definitely use it. In my opinion, computers were invented to make our lives easier, not harder, for sure. But you really need to get familiar with the command line versions of the tools we've talked about. And that's obviously AirMon NG, AirCrack NG, AirRaDump, and AirReplay, and the other tools as well in the AirCrack suite. Other things we can do include, decrypting the web passwords, when we have enough packets, and some other things that Gerix can do for you. So, that's just a quick demonstration of Gerix and how it works. We may use it later on in the course. First is the commands so you can see how a little bit more of it works. But it's there for you to use and learn but definitely don't ignore the command line tools at all.

10.8 Wireshark

Let's take a few minutes to talk about Wireshark. Now Wireshark is probably the best and most popular network and protocol analyzer out there. If you're an old network administrator you've probably used Wireshark. Now it's open source which means really it's free it does come with Backtrack and you can download it freely for Windows as well. It used to be called Ethereal and then Wireshark and Ethereal went their separate ways. That's a different story. We've seen it a lot in wired networks, as I said, but it can also be used in wireless penetration testing for sniffing and traffic capturing. What we're going to do is just take a quick look at Wireshark. I'm not really going go through the different options and things you can do with it. I just want to show you how it can help capture traffic from a wireless network after your card has been put into monitor mode. So let's go ahead and take a look at this really quick and you can see kind of how it works Okay, we're in our backtrack five and we're in a terminal, and I've already placed the card in monitor mode, as you can see here on the screen, and what I'm going to do now is start wireshark And get it going. And what we can do is go ahead and click on an interface. And in this case we want mon0 because that's our monitor mode interface. And we're going to click Start. Now as I said, we're not going to really do a lot here in Wireshark during this session. We're just going to kind of look at capturing traffic. And I'll show you a couple of quick things. Later on in the course we have a couple of questions specifically on capturing traffic. And then later analyzing traffic And we'll being using Wireshark for some of that, so you'll get to know it a little bit better. It's one of those tools that regardless of whether you're testing a wireless network or administering a wireless network, you really need to be familiar with Wireshark. It's probably one of those things that all network administrators should be able to use. So we see some traffic coming across here and you can see some of this is probably Apple traffic. That looks like the NIC for an iPad or an iPhone or something of that nature. We've got some Belkin traffic, some wireless access point probably, some broadcast traffic. And one thing you'll notice is this is all 802.11 traffic. Unlike other Wireshark captures you've probably seen, where you see things like TCP connections and HTTP connections and so forth. We're capturing 802.11 traffic, which happens at layer two of the OSI model. So keep in mind that a lot of this upper layer traffic is probably encrypted. We may not see any of that. occasionally we might see something, but it won't be much. So, and primarily we're looking for this 802.11 traffic because we want to look at things like management frames, beacon frames. We want to try to collect enough traffic to get initialization vectors for WEP. Things of that nature, so we can crack WEP and WPA passwords. And that's really what we do the traffic captures for. Let's take a couple of looks at a couple of packets here. Just going to click randomly on one here. Let's see if we can find one. Let's click on that one. And we see that it's a 802.11 frame. And let's go look at the data a bit. We don't get much here, and unfortunately some of this stuff you're not going to get. So we can drill down within each little subsection here. And I'm not going to go over what some of these things are right now. We will talk about this a little bit later. When we look at capturing traffic and analyzing that traffic. There's all kinds of things we can look at. We can take the packet, or in this case the frame apart and get a lot of information from it. And some of this stuff we'll want to look at later and I'll show you some particular things we're looking at when we go through the traffic capture sessions. There's a lot of traffic here and basically you're seeing what a wide variety of access points and clients are putting out, what they're broadcasting. So this is Wireshark in a nutshell. Again, we'll go through a lot of it's options and things you can do with it later. But this is basically just to give you the 50 cent tour, if you will, to familiarize yourself with some of the tools that are available out there to help you do your wireless pen testing with. And Wireshark is obviously one of those tools. Now you might be asking yourself, Well if Wireshark is that easy to use and it gives us this nice orderly interface, why would we want to use airodump? Well, the answer's actually pretty simple. Airodump gives you a wide variety of options you can use. And yes, they're command line options that you have to know and understand in order to use them, but there are so many things you can get with airodump that you can narrow down and get specific kinds of packets Were specific kinds of traffic from specific access points or clients. So you would want to use that really use airodump to collect the traffic and capture it and send it to a file. And then maybe look at it in Wireshark later. While airodump is great for catching the traffic, you really want to look at the traffic capture file in something else. So that's really why you'd want to use Wire Shark. Not saying you couldn't use it for just simple traffic captures from time to time, or even massive traffic captures. If you just want to collect a lot of traffic over time and walk away and save it to a file, you could do that But it really depends on what your purpose is, what your goal is. And obviously a lot of people have learned Wireshark and know well. So that's what they're comfortable with. But again like all the tools I've talked to you about, they have graphical versions you really want to learn the command line version as much as you possibly can. So this is Wireshark. Capturing wireless traffic. We're going to go ahead and stop the capture here and you have the option when you in Wireshark here to go ahead and save it to a file. Which we're not going to do right now. Or not save it, it's up to you. But we're not going to save it for right now. And that's Wireshark and we'll get a lot more practice with it later.

10.9 Net Stumbler

Since we're talking about other tools, let's talk about an old Windows tool that's still a favorite of mine. And probably a favorite of a lot of other old wardrivers. And that's Netstumbler. Netstumbler is an older tool that we used to use to scan for and detect wireless networks. You'll actually still see people using it, even though it is a legacy tool. It's primarily used in Windows, and as far as tools go it's still a great tool for Windows. It also has been ported to other devices. In fact, I used to used NetStumbler on an old iPAQ. And I would use it to drive around looking for wireless Networks obviously. Now it cannot detect some of more recent features of wireless networks, things like more advanced security measures and so forth and it can't do any hacking into these networks. It can't do things like web cracking and so forth, but it's still actually a very useful tool in war driving. Because you can scan for and detect wireless networks, and know where they're at. It also has the capability to use GPS to pinpoint these wireless networks for you. Let's take a look at good old fashioned NetStumbler. Okay, we're back in our Windows XP box. And we're going to take a look at NetStumbler. I have that loaded already, and again, NetStumbler is a really cool tool for Windows. We don't have to be connected to a wireless network in order to use it. Because if we double click on it, it will go ahead and stop the wireless zero configuration service, and then it will go ahead and start scanning,. Now you may hear funny tones when it comes simple because it's using those to alert that it's found a lot of good wireless network connections. Now let's expand this a little bit and take a look at what some of the things net stumbler can do for us. It's detected several wireless networks obviously within range of our wireless device and it's listing them all out here and there's several here. Green typically means a very strong signal. Orange and gray not so much. So let's go ahead and just take a tour of Network's tumbler, the screen here, it'll periodically scan and see if it can detect wireless networks so it does this on a periodic basis So you'll hear the evil little sounds that it makes wants us to detects one. It tells you what channel it detects it on and also gives you the relative speed. Now, obviously it was designed to work before wireless and So the fastest speed it can detect and report is 54 megabits per seconds. So it will pretty much report everything as wireless G at, at the top. It also is not very good at discerning vendor MAC addresses. So it can't really tell you what vendor the AP is. But it can tell you it's an AP, it tells you if its encryption is activated or not, and unfortunately it thinks that everything that's encrypted is WEP, and there's a lot of other things it tells you. The signal and noise, settings and so forth. You can get different information if it can connect to the network, if you're already connected, it can tell you the IP address, range and so forth. If you have a GPS connected, it can also tell you the latitude and longitude. It will also tell you when it was first seen and last seen .So there's a lot of different information it actually can give you to start an analysis. If we click through here we can see that it lists things and sorts them by different methods, channels. And it lists everything's on Channel One, for example, everything that's on Channel Two, Six, and Eleven. It'll also list them by SSIDs. So you can connect to one of these and get a little bit more information about it. And there's a lot of things you can filter on as well. Whether encryption is on or off, You can look at the different things, like the IBSS, which is a peer-to-peer ad hoc type of network. And it will tell you about basically a lot of good information upfront that you can use to start looking for viable targets. You might use NetStumbler to determine basically what has encryption turned on and what doesn't. and then work from there and try and go after the things. That don't have encryption enabled. As I said once it runs continually in the background and it will detect and refresh itself depending upon what new wire is access point is show up. That's actually a great little tool again it's a legacy tool and served us purpose well for all of us all word drivers out there. So it's worth mentioning In any discussion about wireless security. An older tool but still useful. [BLANK_AUDIO]

10.10 Modern Windows Tools

We looked at NetStumbler earlier, and it's an older tool that works very well for what it does, but it really only works with older versions of Windows such as Windows 2000 and Windows XP. And back when NetStumbler came out there wasn't a lot of free tools for Windows that you could use. Well, fast forward to now and there's a lot better tools that you can use that will do many more things. For Windows. Now some of these are free but a lot of them are commercial and cost a little bit. So they may not be practical for the average one person show or one person war driver. They're probably more appropriate for an enterprise level type of network effort. Let's talk about a few of these and I'll give you a demonstration of some of them as well. AirPcap is a very popular tool. In fact it's probably the most popular tool for wireless security with Windows simply because it has the right drivers and the right kind of card to go ahead and do wireless monitoring, password cracking and packet injection. It's a little expensive and it's made by Cace Technologies, but it's probably the defacto tool you would use for Windows. CommView for WiFi and other tool and they also are commercial and they sell a set of software that can do wireless scanning and they sell a set of software that can do wireless scanning and so forth and you can get a card that goes with it that can perform packet injection and so forth. And drivers are very important part of their package as well, and we'll look at CommView for WiFi in a moment. We also have two free tools. HeatMapper, and inSSIDer, and I'm going to show you both of those. HeatMapper is a cool free tool that will let you map out where wireless access points are on a grid or a map. And inSSIDer is basically a scanning tool, that will help you look at where wireless access points are, their strengths, signals, encryption, and so forth. Let's take a look at both those tools. All right, we're in our Windows 7 desktop, and the first tool I want to bring up is Heat Mapper. And Heat Mapper basically is a tool where you can overlay a map, such as one you might get from Google Maps or Bing, and you can basically walk around, and it's a very simple tool, and you can outlay where wireless access points are. Now if you walk around with these, and you basically click where you want the wireless access point to be. You can do this by signal strength and so forth. You can also use GPS if you want to put coordinates on the grid. And there's probably much more effective with a map and you'll have to get a map for your local area to test this out. There's actually a pretty cool tool, it doesn't do a lot. But it can give you a graphical representation of where wireless access points are. This could help you to take rogue access points, if you walk around and you find some that are unfamiliar and you map them out, and you can see where exactly they're at. They could be adjoining or adjacent wireless access points, or they could be wireless access points that someone has that they shouldn't. So let's go ahead and take a look And come before wi-fi as well. Comview, as I mentioned, is a commercial tool, and basically it allows to do pocket capturing, monitoring, and so forth. You can even do cracking with some versions of it. And you can do packet injection list. Go ahead and click play here. And we can scan the network at first and we'll get a lot of different access points by channel. And it'll tell us what kind of access point it is. It'll give us relative signal strength and so forth. It could also give us different information such as type of encryption and so forth. If we actually click on capture, we can get some traffic from each of those wireless access points. Now we're using the evaluation version so it's only going to let us capture for about five minutes. But we don't even need that much to show you how it works. So we can go ahead and click continue here. When you buy the full version, you don't get this. So, we're going to capture packet here. Capture traffic. from the various access points on that channel. And you can pipe this into Wireshark later or even something like TCP dump and take a look at it, but you can look at it here as well. [BLANK_AUDIO] Let's go ahead and stop the capture. And if you click through here, you can show the different traffic down here. [BLANK_AUDIO] And then the details about are there as well. If you click through here, you can see different information about the notes that were detected. The channels, any IP connections that occur will show up, logging, and so forth. You can manage. It's a really cool tool. It is commercial. It is a little bit expensive but it's well worth it in an enterprise environment. Now let's go ahead and take a look at inSSIDer. And notice the spelling of inSSIDer with the SSID in In there, that kind of tells you what it's looking for. We'll give it a second to open up here. And here we are with a very pretty interface that Insider provides us. Once it's does it's initial scan anyway, it'll detect the different wireless access points around us. It will show us what their strengths are, their signal strengths, channels and SSIDs and various other information about them. It can take a second to scan and show us it's information. There we go. Again it can take a little bit to scan your network. So it's going to show us the different networks that it finds and it's going to come back and give us a time graph after a little bit of time it'll do this. It'll show you how long the node's been up and so forth. So it's a really cool tool, it can give you some information, take some time to play with it. It's got some pretty colors and so forth as well. But it's a really good scanning tool, and it's free. So that's always good. Those are some tools for Windows that you can use, commercial and free. [BLANK_AUDIO]

10.11 Other Tools

We've looked at various tools already throughout the last few sessions. For Windows, for example, such as CommView for WiFi, Netstumbler, HeatMapper and so on and we've looked at a lot of Linux tools that you would use under, say, Backtrack 5 for example. Things like the Aircrack-ng suite. Kismet and so forth. There are some other tools out there that you can use. In fact, there's probably hundreds of other tools out there that you can use for wireless security and penetration testing. Some of these tools are a little bit older and they're really of no more value than a historical reference significance. But it's helpful to understand them and know them, in case they every come up in conversation or you hear about them. I'm not going to give demonstrations or anything on these particular tools. I'm just going to really, just kind of tell you a little bit about them.FakeAP is one such tool, it was a really cool tool back in it's day and what it did was broadcast SSIDs all over the place. And what it would look like if you were scanning the network, you'd see hundreds sometimes of these FakeAPs, a little like there were all kinds of wireless access points out there. And the idea was to hide your true access points somewhere in that big mix. So it couldn't really be discerned. So it was kind of a security through obscurity type of thing. Another thing it might be used for is to confuse people who might want to connect to an access point and they might keep trying to connect to one. To one of these fake APs and they never could. So you could actually cause interference attacks and denial of service attacks using this tool because regular users cannot connect to the access point they needed to. Since it's an older tool, it really doesn't have much effect on today's wireless technologies and scanners. Since it is an older tool, what it really puts out is 802.11b frames, and most modern scanners can kind of pick that up. So if you ever see some traffic with a lot of these default SSIDs like Linksys, D-Links, Tsunami and so forth. And their all enter to the level 11 B frames. You might take a guess that someone is using fakeAP out there. You can also put your own SS ids in there if you wish that takes a little bit of more of an ever than some people are willing to put into it. So most people we will use a Defalse. On its' Website produced by Black Alchemy. Which is still out there. It's a little bit old and it hasn't been updated. But the website is still out there. It basically talks about the whole reason for its existence. And that's to fool scanners like NetStumbler. And it actually calls this out on the website. So both FakeAP and its nemesis, NetStumbler, have kind of gone the way of extinction. But they're out there, and, you know, it's helpful to be aware of them, in case you hear about them from the old timers. Another older tool out there is Airsnort, and it's been deprecated, and is no longer updated, obviously. It was out there, probably early 2000's to about 2004, so, and in fact, it's website is out there, but it Hasnt been updated in a long time. In it actually refers you to a newer tools like AirCrack-NG. And it basically performs some of the same functions on older wireless networks like 802.11b and so forth. It was an okay tool when its time. But didnt have the same functions as something like AirCrack-NG had. Has. Another older tool out there was Airopeek, and it was designed for Windows. And it basically would do monitoring and scanning and so forth. Now, it's still out there but it's changed its name and it's been updated over the years. It's called OmniPeek, and it's by Wild Packets. And it comes in the form of a USB wireless device that has the ability to scan for traffic, to capture traffic, and to inject traffic. Now it requires special drivers, of course, since it is Windows based, and you have to get those drivers by buying one of their applications. So if you buy the application. And you buy the wireless USB card and then, your in business. But safety wireless USB card can be used but typically not the environment it was intended by Windows, unless you have one of the apps to go with it. And the peak is in enterprise only tools and something you might not see unless you're in a big wireless environment and you're using their products to manage the environment And to secure it, so it's a great tool but it's a little expensive and when you compare it to what you might use as an individual Back Track 5 for example and a typical alpha or arthos card it may or may not be worth it to you. Well these are some of the tools that are out there again there's hundreds more that we haven't discussed. And probably wouldn't have time to anyway. We'll just take a look at some of the one time and just familiarize yourself with them and maybe download them and play with them a little bit. [BLANK_AUDIO]

  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.

We use cookies on this site for functional and analytical purposes. By using the site, you agree to be cookied and to our Terms of Use. Find out more

Request more information

For individuals
For business
Name*
Email*
Phone Number*
Your Message (Optional)

By proceeding, you agree to our Terms of Use and Privacy Policy

We are looking into your query.
Our consultants will get in touch with you soon.

A Simplilearn representative will get back to you in one business day.

First Name*
Last Name*
Email*
Phone Number*
Company*
Job Title*

By proceeding, you agree to our Terms of Use and Privacy Policy