INSTRUCTIONS TO CANDIDATES
ANSWER ALL QUESTIONS
- In this question the attacker/pen-tester machine attempts to capture the WPA/WPA2 4-way handshake packets between an AP and a victim/target machine by first de-authenticating the victim from the AP, then running a brute-force dictionary attack against the packet capture file to crack the pre-shared key of the WLAN. The main tools used are part of the aircrack-ng suite (preinstalled in Kali Linux). Follow the steps below and describe your work/results (including screenshots) in your own words for each step. Note: To balance documenting your work with protecting your privacy, do not include model/serial numbers in your answers or screenshots; for MAC addresses (6 bytes), report only the first 2 bytes and blank out (redact) the last 4 bytes; for SSIDs, blank out (redact) all leading characters except for the last character of the SSID.
- Describe briefly the equipment you use for this question, including the pen-tester and target machines (e.g., a Dell laptop running a Kali Linux VM in VirtualBox, and a Dell desktop PC, respectively) and the AP (e.g., an IEEE 802.11n wireless router/DSL modem made by Zyxel). Additionally, include a statement of whether you have administrative privileges, or have been given consent, to conduct penetration testing using the equipment described.
- In Kali Linux, open a terminal and use the command “ifconfig -a” to confirm that your pen-tester/attacker machine sees the wireless interface wlan0 and that it is up. Produce a screenshot showing the wlan0 interface and the current time when you did this work (use the “date” command to show the current date/time).
- Log on to your wireless router/access point and change its current password/phrase to something different but equally strong (with adequate length and a mix of character types). Report what you did (but do not report your AP’s old password/phrase), when you made the change (e.g., 05:10 pm on 11/18/2018), and the new password/phrase. After completing Question 1, be sure to restore the AP’s password/phrase to its
- After you changed the AP’s password/phrase, reconnect your target/victim machine to the AP using the new password/phrase. Do not reconnect your pen-tester/attacker machine to the AP using the new password/phrase. In Kali Linux, open a terminal and run the commands below to, respectively, put the pen-tester machine’s wireless interface in monitor mode and identify the AP and the connected target/victim device. Report what you did, when you did it, and relevant screenshots (be sure to blank out/redact portions of the MAC addresses, SSIDs, etc., as noted above, in your screenshots):
airmon-ng start wlan0 (to put the pen-tester’s wireless adapter in monitor mode)
airodump-ng wlan0mon (to identify your AP's MAC address, the channel number used, and the target device’s MAC address)
- Once you have identified your AP’s channel (e.g., 11), run the command below to capture wireless packets on that channel and write/save them to a file. Report your work, the time, and relevant screenshot(s):
airodump-ng -c 11 --bssid xx:xx:xx:xx:xx:xx -w out wlan0mon
(This starts capturing wireless packets on channel 11 (replace 11 with your AP’s channel) for the AP whose 6-byte MAC address is given with the colon “:” separator (replace the xx’s with your AP’s MAC address), and saves the packets to files whose names start with “out” in the current directory (e.g., under /root); several such files will be created.)
- Open a new terminal in Kali (while keeping the terminal of the previous part intact), run the aireplay-ng command below to de-authenticate the target/victim machine, and wait until the airodump-ng command of the previous part captures the WPA/WPA2 4-way handshake packets between the AP and the target/victim machine:
aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c yy:yy:yy:yy:yy:yy wlan0mon
-0 means de-authentication
1 is the number of de-authentication packets to send (you can send more if you wish)
-a xx:xx:xx:xx:xx:xx specifies the AP’s MAC address
-c yy:yy:yy:yy:yy:yy specifies the client (target/victim)’s MAC address
Describe your work (procedure and steps), results, and relevant screenshot(s).
Wait for the airodump-ng terminal of Part (e) to show that the WPA handshake has been captured (a message displayed in its upper right corner). Take a screenshot, then type CTRL-C to terminate the airodump-ng started in Step (e). Use the command “ls -l” to list the capture file(s) in the current directory. Describe your work, results, and relevant screenshot(s).
- Create a “dictionary” (wordlist) consisting of the current password/phrase for the AP; for example, the command “echo zzzzz > dictionary”, with zzzzz replaced by your AP’s password/phrase, creates a file named “dictionary” in the current directory consisting of the single word “zzzzz”. Use the command “cat dictionary” to print the file’s contents. Describe your work, results, and relevant screenshot(s). Please note that in practice the dictionary/wordlist would consist of many words that are presumably popular choices for a password/phrase, and that APs using such common passwords/phrases will be potential hacking
- Use the aircrack-ng command shown below to crack the AP’s password/phrase:
aircrack-ng -w dictionary out*.cap
Describe your work, results, and relevant screenshot(s).
- After successfully completing the above work, log on to your AP and restore the AP’s password/phrase to its
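From the defender's side, the burst of de-authentication frames sent in the aireplay-ng step is the most visible trace of this attack in a wireless capture. The following is an added example (not part of the assignment or the aircrack-ng suite) that reads a radiotap pcap such as airodump-ng writes, counts deauth frames per sender/receiver pair, flags pairs above an assumed threshold, and reports MACs in the assignment's redacted form; the capture it runs on is constructed inside the script.

```python
import struct
from collections import Counter

DLT_IEEE802_11_RADIO = 127   # pcap link type: radiotap header + 802.11 frame (what airodump-ng writes)
MGMT_DEAUTH = (0, 12)        # 802.11 frame type 0 (management), subtype 12 (deauthentication)

def mac_str(raw):
    return ':'.join(f'{b:02x}' for b in raw)
def redact_mac(mac):
    # Reporting rule from the assignment: keep the first 2 bytes, blank out the last 4
    return ':'.join(mac.split(':')[:2] + ['xx'] * 4)

def deauth_counts(pcap_bytes):
    """Count deauthentication frames per (sender, receiver) pair in a radiotap pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack('<IHHiIII', pcap_bytes[:24])
    if magic != 0xA1B2C3D4 or linktype != DLT_IEEE802_11_RADIO:
        raise ValueError('expected a little-endian pcap with link type 127 (radiotap)')
    counts, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack('<IIII', pcap_bytes[off:off + 16])
        pkt = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        dot11 = pkt[struct.unpack_from('<H', pkt, 2)[0]:]   # skip radiotap (its length is at offset 2)
        if len(dot11) < 24:                                 # shorter than a management header
            continue
        ftype, subtype = (dot11[0] >> 2) & 0x3, dot11[0] >> 4
        if (ftype, subtype) == MGMT_DEAUTH:
            counts[(mac_str(dot11[10:16]), mac_str(dot11[4:10]))] += 1   # addr2 (sender) -> addr1
    return counts

def flag_deauth_floods(pcap_bytes, threshold=5):
    # threshold is an assumed tuning value: a legitimate AP rarely sends repeated deauths to one client
    return sorted((redact_mac(s), redact_mac(d), n)
                  for (s, d), n in deauth_counts(pcap_bytes).items() if n >= threshold)
# Constructed sample capture (not a real capture): one beacon, then 8 deauths claiming to come from the AP
def _mgmt_frame(subtype, addr1, addr2, addr3, body=b''):
    fc = bytes([(subtype << 4) | (0 << 2), 0])   # frame control: type 0 = management, no flags
    macs = b''.join(bytes.fromhex(m.replace(':', '')) for m in (addr1, addr2, addr3))
    return fc + b'\x00\x00' + macs + b'\x00\x00' + body   # duration, addr1-3, sequence control, body

def _pcap(frames):
    radiotap = struct.pack('<BBHI', 0, 0, 8, 0)   # minimal 8-byte radiotap header, no fields present
    out = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11_RADIO)
    for ts, frame in enumerate(frames):
        out += struct.pack('<IIII', ts, 0, 8 + len(frame), 8 + len(frame)) + radiotap + frame
    return out
AP, CLIENT = '02:11:22:33:44:55', '02:aa:bb:cc:dd:ee'   # constructed, locally administered addresses
SAMPLE_PCAP = _pcap([_mgmt_frame(8, 'ff:ff:ff:ff:ff:ff', AP, AP)]
                    + [_mgmt_frame(12, CLIENT, AP, AP, b'\x07\x00')] * 8)   # reason code 7
```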
- (16 pts., Part 2 incomplete) This question continues from Question 1, assuming the pen-tester machine (Kali Linux) is connected to the AP, and there is a target/victim Windows machine also connected to the same wireless network (the network runs WPA/WPA2-PSK security, and the pen-tester has successfully obtained the PSK). Answer the questions below and describe your work, results, and relevant screenshot(s) for each of the steps.
Note: To balance documenting your work with protecting your privacy, do not include model/serial numbers in your answers or screenshots; for MAC addresses (6 bytes), report only the first 2 bytes and blank out the last 4 bytes; for SSIDs, blank out all leading characters except for the last character of the SSID. Regarding IP addresses, you need to include/show all local IP addresses (e.g., 10.x.x.x or 192.168.x.x) in your answers, including screenshots, but please blank out all IPv6 addresses and, for global IPv4 addresses, blank out the first 3 decimal numbers but keep the last one (e.g., the DNS servers on the target Windows system include 192.168.0.1 (a local address, shown in full) and x.x.x.226 (a global IP address, showing only the last decimal number)).
Part 1. ARP Spoofing:
- Same as in Question 1(a), describe your equipment and include a statement authorizing your use of the equipment for pen-testing.
- Open a command window on the target Windows system and type the command “ipconfig /all” (without the quotes) to report the wireless LAN network connection, including the wireless adapter’s MAC address, (local) IPv4 address, and default gateway. Also, type the command “arp -a” and report the current content of the system’s ARP table.
- Open a terminal in Kali Linux, type the command “iwconfig” to report its wireless connection, and type the command “arp -a” to report the current content of the system’s ARP table. In particular, the ARP table should show the AP’s MAC
In Parts (d) – (h) below you will demonstrate how to use ARP poisoning/spoofing “to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.” Also, “ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic.” Specifically, you will demonstrate how the attacker captures the web pages opened by the victim after its ARP table is poisoned.
- Zenmap, a graphical front-end to nmap and a tool for network exploration and security auditing (port scanning), is preinstalled in Kali Linux. To start Zenmap, select it under the main menu Applications > Information Gathering. Alternatively, open a new terminal and type zenmap followed by <Enter> to start it. In Zenmap, enter the appropriate local subnet (for example, 192.168.0.1/24, based on interface wlan0’s IP address and network mask in the output of ifconfig) as the target, select “Quick scan plus” in the Profile list, then click the “Scan” button. Report the actual nmap command syntax used for this scan and the purpose of each of the flags/switches used in the command (consult nmap’s manual page by typing the command “man nmap” in a terminal; use the space bar to advance a page, <Enter> to advance a single line, and “q” to quit the man page). Additionally, report the scan’s output when done. In particular, identify a target that is a Windows system from the output (which will be used as the target/victim for this question). After completing this part, close/terminate
- On the same Kali Linux terminal of Part (c), first type the command
"echo 1 > /proc/sys/net/ipv4/ip_forward" (without the quotes) to enable IP forwarding. Then, type the command below to “spoof/poison” the target Windows system’s ARP table:
arpspoof -i wlan0 -t x.x.x.x y.y.y.y
(where x.x.x.x is the target/victim’s IP address and y.y.y.y is the AP’s IP address)
The above command will cause the Kali terminal to continuously output ARP redirect messages. Leave this terminal intact.
Similarly, open another (new) terminal in Kali and type the command below:
arpspoof -i wlan0 -t x.x.x.x -r y.y.y.y
(where x.x.x.x is the target/victim’s IP address and y.y.y.y is the AP’s IP address) Also, leave this terminal intact.
Go to the target Windows system, type the command “arp -a” to report the current content of its ARP table, and note any differences in the AP’s MAC address compared to the earlier results reported in Part (b).
- Open another (new) terminal in Kali Linux while keeping both terminals of the previous part intact. Type the tcpdump command below (all on one line) to capture any HTTP traffic to/from the target Windows system and save it to a file named “tcpdump.pcap” in the current directory:
tcpdump -i wlan0 -s 1500 -w tcpdump.pcap "host x.x.x.x and tcp port http"
(where x.x.x.x is the target/victim’s IP address)
Keep this terminal intact.
- While the tcpdump of Part (f) is running, go to the target Windows system, open a web browser (Chrome, Firefox, etc.) and log on to the site below to generate some HTTP traffic.
After the page is loaded, close the browser.
- Return to the Kali terminal running the tcpdump command of Part (f) and type CTRL-C to terminate tcpdump. Use the command “ls -l” to confirm that a file named “tcpdump.pcap” has been created. Use Wireshark (in Kali or on a Windows system) to open the captured pcap file and identify the HTML page of the website accessed in Part (g).
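The difference you are asked to note after the arpspoof step (the AP's entry in the target's ARP table suddenly carrying another adapter's MAC) is exactly what a host-side check looks for. The following is an added example (not part of the assignment or of the dsniff/arpspoof tools) that parses two Windows “arp -a” snapshots from the target, taken before and after poisoning, and reports a changed gateway MAC and a single MAC answering for both the gateway and another host; the snapshots and the IP addresses in them are constructed.

```python
import re
from collections import defaultdict

# One row of Windows `arp -a` output: "  192.168.0.1   aa-bb-cc-dd-ee-01   dynamic"
ARP_ROW = re.compile(r'^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)', re.I)

def parse_arp_a(text):
    """Return {ip: mac} from `arp -a` output, MACs normalised to lower-case colon form."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace('-', ':')
    return table

def arp_spoof_indicators(before_text, after_text, gateway_ip):
    """Compare two ARP snapshots from the target and list the traces ARP poisoning leaves."""
    before, after = parse_arp_a(before_text), parse_arp_a(after_text)
    findings = []
    old, new = before.get(gateway_ip), after.get(gateway_ip)
    if old and new and old != new:      # the gateway entry now points at a different adapter
        findings.append(f'gateway {gateway_ip} MAC changed {old} -> {new}')
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        if mac != 'ff:ff:ff:ff:ff:ff' and not mac.startswith('01:00:5e'):   # skip broadcast/multicast
            by_mac[mac].append(ip)
    for mac, ips in by_mac.items():     # one MAC answering for the gateway and another host
        if len(ips) > 1 and gateway_ip in ips:
            findings.append(f'gateway {gateway_ip} shares MAC {mac} with {sorted(ips)}')
    return findings

# Constructed sample snapshots (not real output): .1 is the AP/gateway, .50 is the Kali machine
ARP_BEFORE = """Interface: 192.168.0.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.0.50          aa-bb-cc-dd-ee-50     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# After arpspoof: the gateway's entry carries the Kali adapter's MAC
ARP_AFTER = ARP_BEFORE.replace('aa-bb-cc-dd-ee-01', 'aa-bb-cc-dd-ee-50')
```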
Part 2. Client-Side Attack: Exploit of a Windows System using Metasploit:
The Metasploit Project is a security project that delivers information about security vulnerabilities and helps with penetration testing and intrusion detection. “The open source project, known as the Metasploit Framework, is used by security professionals to execute exploit code against a remote target machine for penetration testing.”
- A vulnerability is a security hole in a piece of software, hardware or operating system that provides a potential angle to attack the system. A vulnerability can be as simple as weak passwords or as complex as buffer overflows or SQL injection vulnerabilities.
- An exploit is a small and highly specialized computer program whose sole purpose is to take advantage of a specific vulnerability and to provide access to a computer
- A payload is the piece of software that lets you control a computer system after it’s been exploited. The payload is typically attached to and delivered by the