
Wireless Hacking and Penetration Testing

Presented By
Harshad Shah
Global Cyber Security Response Team
GCSRT Line of Business (LOB)

Education

Cyber Security

IT-Enabled Services

Research and Development


Company Profile -
Global Cyber Security Response Team
Brief Introduction About me -

 I am currently working with GCSRT (Global Cyber Security Response Team)
 Wireless Penetration Tester
 Red Hat Certified System Administrator (RHCSA)
 Red Hat Certified Engineer (RHCE)
 Certified Ethical Hacker (CEH)
 Computer Hacking Forensics Investigator (CFI)
 Certified Security Analyst (CSA)
 Member of International Council of Hacker Association (United States of America)
 Red Hat Certified Security Specialist (RHCSS)
Introduction continued-

 Certificate of Expertise in Hybrid Cloud Storage (COE - India's First)
 Certificate of Expertise in Directory Services and Authentication
 Cloud Computing Expertise
 Red Hat Certified Virtualization Administrator (RHCVA)
 Licensed Penetration Tester (LPT)
 Several times in media for security breaches (system hacking, data protection and securing computers from hackers)
 Received Best Performance Award on a working model, handed over by the Disaster Management and Relief Minister of Rajasthan
Wireless Hacking and Penetration Testing Course Outline-

 Following is the course outline we cover in this conference

Module1-Brief Introduction to Wireless World and Technology
Module2-Brief Introduction to IEEE 802.11 standard for Wireless Technology
Module3-Brief Introduction to Wireless Access Point
Module4-Brief Introduction to Wireless Network
Module5-Brief Introduction to Signal and Electromagnetic wave and RF(Radio Frequency Wave)
Module6-How to Setup Wireless Network?
Module7-Brief Introduction to AD-HOC Network and WLAN(Wireless Local Area Network)
Module8-Brief Introduction to Wireless Hacking and Penetration Testing
Module9-Configuring Wireless Hacking Lab Setup
Module10-Brief Introduction to WLAN Packet Injection
Module11-WLAN Sniffing and Injection Technique
Module12-Brief Introduction to Wireshark and Tshark
Module13-Bypass MAC Security, Bypass Open Authentication, Bypass Shared Authentication
Module14-Pwning SSID
Module15-What is WEP based Authentication and how to crack WEP based Authentication
Module16-What is WPA/WPA2 based Authentication and how to crack WPA/WPA2 and WPA2-PSK based Authentication
Module17-Hacking and Securing WLAN Infrastructure
Module18-Man-in-the-Middle Attack in Wireless Network
Module19-Cracking Wireless Router Password
Module20-Creating Fake Access Point
Module21-Wireless De-Authentication and Dis-Association Attack
Module22-Session Hijacking Technique Over Wireless Network
Module23-Introduction to Radius Server
Module1-Brief Introduction to Wireless World and Technology

Key Point:

(i)What is Wireless Technology?
(ii)How Do Wireless Systems Communicate?
Module1-(i)What is Wireless Technology?

 Today, the term "wireless" refers to a variety of technologies and devices, from smartphones to computers and printers to headphones and speakers, connecting with one or more methods.

 Current wireless phones, for example, may include 3G and 4G cellular radios, Wi-Fi and Bluetooth technologies. As these technologies advance, investing in the latest wireless equipment, such as a 4G phone or 802.11ac router, could offer you serious speed improvements.
Module1-(i)What is Wireless Technology?

(i)WIFI-
Primarily associated with computer networking, Wi-Fi uses the IEEE 802.11
specification to create a wireless local-area network that may be secure, such as
an office network, or public, such as a coffee shop

(ii)Cellular-
Most often associated with wireless phones, a cellular network uses connected
transmitters, or cells, that enable the user to move about while remaining in
contact with the network
Module1-(i)What is Wireless Technology?

(iii)Bluetooth-
While both Wi-Fi and cellular networks enable connections to anywhere in
the world, Bluetooth is much more local, with the stated purpose of
"replacing the cables connecting devices," according to the official
Bluetooth website

(iv)WiMAX-
While over-the-air data is fast becoming the realm of cellular providers,
dedicated wireless broadband systems also exist, offering fast Web surfing
without connecting to cable or DSL. One well-known example of wireless
broadband is WiMAX, offered by providers such as Clear or Skyriver.
Although WiMAX can potentially deliver data rates of more than 30
megabits per second, providers offer average data rates of 6 Mbps and
often deliver less, making the service significantly slower than hard-wired broadband.
Module1-(ii)How Do Wireless Systems Communicate?
Module2-Brief Introduction to IEEE 802.11 Standard for Wireless Technology

Key Point:

(i)Learn 802.11 IEEE standard
(ii)Learn 802.11a, 802.11b, 802.11n
(iii)Learn Bandwidth Concept
Module2-(i)Learn 802.11 IEEE Standard

 802.11 and 802.11x refer to a family of specifications developed by the IEEE for wireless LAN (WLAN) technology. 802.11 specifies an over-the-air interface between a wireless client and a base station or between two wireless clients. The IEEE accepted the specification in 1997.

 802.11 — applies to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS).
Module2-(ii)Learn 802.11a/b/g/n/ac IEEE Standard
Module2-(iii)Learn Bandwidth Concept

(i)Bandwidth-
If you've ever wondered why it takes so long to download certain Web pages or other files to your computer, it's all determined by the bandwidth of the connection between your computer and your Internet Service Provider.
Demo-Wireless Geographical Fraud Demo

 Demo Time

 Now I am showing you a Wireless Geographical Fraud

 Hackers like me generally use this kind of method to bounce their location
Module3-Brief Introduction to Wireless Access Point

Key Point :

(i)What is Access Point ?
(ii)Learn about MAC Address and Finding MAC address of an Access point?
(iii)Learn SSID and BSSID concept in Wireless Terminology
(iv)Learn Beacon Frame Concept
Module3-(i)What is Access Point ?

 A wireless Access Point (AP) is a device that allows wireless devices to connect to a wired network using Wi-Fi, or related standards. The AP usually connects to a router (via a wired network) as a standalone device, but it can also be an integral component of the router itself.
Module3-(i)What is Access Point ?

Interfaces-
 lo - Loopback: a loopback interface is a virtual interface that resides on a router. It is not connected to any other device. Loopback interfaces are very useful because they will never go down, unless the entire router goes down
 eth0 - Ethernet cable (wired connection)
 wlan0 - Wireless Local Area Network (wireless)

 Windows 7 - use command #ipconfig
 Linux - use command #ifconfig
Module3-(ii)Learn About MAC Address and Finding MAC Address of Access Point

MAC Address-
 Finding MAC Address of Access Point

 #iwlist wlan0 scanning

 Output - the MAC address and SSID of each access point in range


Module3-(iii)SSID and Beacon Frame

SSID-
 #iwlist wlan0 scanning (run this command in Backtrack)
 SSID stands for Service Set Identifier
 BSSID stands for Basic Service Set Identifier

 SSID/ESSID - generally the name of the Access Point

 BSSID – generally the MAC address of the Access Point

 Beacon Frame - Beacon frames, or simply beacons, are transmitted periodically by base stations or access points to announce the presence of wireless networks
Demo Time-SSID/BSSID/Beacon Frame/AccessPoint

Demo Time-
 #iwlist wlan0 scanning (run this command in Backtrack)
 Showing SSID/BSSID/Beacon Frame/Access Point
Module4-Brief Introduction to Wireless Network

 Key Point:

 Wireless Device Working Process

Module4-Demo Time

Configuring Wireless Card

 command#iwconfig
 command#ifconfig wlan0 up <to bring the interface up>
 command#iwconfig wlan0 <see the current status of the interface>
 command#iwlist wlan0 scanning <lists the networks in your infrastructure>
Module5-Brief Introduction to Signal and Electromagnetic Wave and RF(Radio Frequency Wave)

(i)Signal
In electronics, a signal is an electric current or electromagnetic field used to convey data from one place to another.
Module5-Brief Introduction to Signal and Electromagnetic Wave and RF(Radio Frequency Wave)

(ii)Electromagnetic Wave:
Electromagnetic radiation (EM radiation or EMR) is a fundamental phenomenon of electromagnetism, behaving as waves and also as particles called photons which travel through space carrying radiant energy. In a vacuum, it propagates at the speed of light, normally in straight lines.
Module5-Brief Introduction to Signal and Electromagnetic Wave and RF(Radio Frequency Wave)

(iii)Radio Frequency Wave:
Radio waves are a type of electromagnetic radiation with wavelengths in the electromagnetic spectrum longer than infrared light. Like all other electromagnetic waves, they travel at the speed of light. Naturally occurring radio waves are made by lightning, or by astronomical objects.
Module6-How to Setup Wireless Network

Key Point:

(i)Configuring and Setup Wireless Device and Network for WLAN(Wireless Local Area Network)
(ii)Introduction to Router
(iii)Quick look to Wireless Router and Configuring Wireless Router for WLAN(Wireless Local Area Network)
Module6-(ii)Introduction to Router

(i)Router-

 A router is a device that forwards data packets between computer networks.

 When a data packet comes in one of the lines, the router reads the address information in the packet to determine its ultimate destination. Then, using information in its routing table or routing policy
Module6-Configuring Wireless Router

(i)Configuring Wireless Router-

 Command#route -n <showing Router Gateway IP>

 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
 192.168.1.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0

 Browse# http://192.168.1.1 <the Gateway address from the route table; hit Enter>
 Then you get the web portal for the router
 Give Login-admin
 Give Password-admin
Module7-Brief Introduction to AD-HOC Network

AD-HOC Network

 On wireless computer networks, ad-hoc mode is a method for wireless devices to directly communicate with each other.
 Operating in ad-hoc mode allows all wireless devices within range of each other to discover and communicate in peer-to-peer fashion without involving central access points (including those built in to broadband wireless routers).
Module8-Brief Introduction to Wireless Hacking and Penetration Testing

 Key Point:

 (i)What is Wireless Hacking?
 (ii)What is Penetration Testing
 (iii)What is Wireless Penetration Testing
Module8-Brief Introduction to Wireless Hacking and Penetration Testing

 (i)What is Wireless Hacking?

Module8-Brief Introduction to Wireless Hacking and Penetration Testing

 (ii)What is Wireless Hacking and Penetration Testing?

Module9-Configuring Wireless Hacking Lab Setup

 Key Point:

 (i)Introduction to Wireless Hacking Lab Setup
 (ii)Configuring System for Wireless Hacking and Penetration Testing
Module9-Configuring Wireless Hacking Lab Setup

 Configuring System for Wireless Hacking and Penetration Testing

 Installation Process of Backtrack OS for Wireless Penetration Testing.
Module9-Configuring Wireless Hacking Lab Setup
 [Installation screenshots 1-5: Installation Process of Backtrack OS for Wireless Penetration Testing.]
Module10-Brief Introduction to WLAN Packet Injection

 Key Point:

 (i)Creating a monitor mode Interface
 (ii)Packet Injection Technique
Module10-Brief Introduction to WLAN Packet Injection

Creating a monitor mode Interface

 command#iwconfig <showing wlan0 interface>
 command#ifconfig wlan0 up <bring interface up>
 command#airmon-ng <list wireless interfaces that can be put into monitor mode>
 Interface   Chipset          Driver
 wlan0       Intel 3945ABG    iwl3945 - [phy0]
 Command#airmon-ng start wlan0 <create monitor mode interface>
 Command#airmon-ng <check whether mon0 has started or not>
 Interface   Chipset          Driver
 mon0        Intel 3945ABG    iwl3945 - [phy0]
 wlan0       Intel 3945ABG    iwl3945 - [phy0]
Module11-WLAN sniffing and Injection Technique

 Key Point:

 (i)What is Sniffing and Injection Technique
 (ii)What is WLAN sniffing?
Module11-WLAN sniffing and Injection Technique

What is Sniffing?

 A wireless sniffer is a type of packet analyzer. A packet analyzer (also known as a packet sniffer) is a piece of software or hardware designed to intercept data as it is transmitted over a network and decode the data into a format that is readable for humans. Typical uses:
 Diagnosing and investigating network problems
 Monitoring network usage, activity, and security
 Discovering network misuse, vulnerabilities, malware, and attack attempts
 Filtering network traffic
 Identifying configuration issues and network bottlenecks
Module12-Brief Introduction to Wireshark and Tshark

What is Wireshark?

 Wireshark is a packet analyzer: software designed to intercept data as it is transmitted over a network and decode the data into a format that is readable for humans. Typical uses:
 Diagnosing and investigating network problems
 Monitoring network usage, activity, and security
Module12-Brief Introduction to Wireshark and Tshark

Wireshark <Demo Time>
 Capturing Packets with Wireshark
Module13-Bypass MAC Security

Key Point:

(i)What is MAC Security and how do we bypass MAC Security?

 A media access control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used as a network address for most IEEE 802 network technologies, including Ethernet. Logically, MAC addresses are used in the media access control protocol sublayer of the OSI reference model.
Module13-Bypass MAC Security

Bypass MAC Security in Wireless Network

 Demo Time <Video Time>
 How to bypass MAC based Security in Wireless System
Module14-Pwning Hidden SSID

 Pwning Hidden SSID

 command#iwlist wlan0 scanning <showing SSID>
 Sometimes we are not able to find out the hidden SSID <the name of the access point>
 So what do we do?

 By using Wireshark to monitor the beacon frames of the Wireless Lab network, we are able to see the SSID in plain text.

 Start Sniffing on Wireless Network.
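As an added example (not from this deck or the tools it demonstrates), a Python parser for the beacon frames introduced in Module 3, applied here to the hidden-SSID case: given a raw 802.11 beacon without a radiotap header it returns the BSSID, SSID, channel and privacy/RSN flags, and marks the SSID as hidden when the SSID element is empty or all NUL bytes. The two beacons it parses are constructed in the code rather than captured, and their MAC addresses are made up.

```python
import struct

BEACON_SUBTYPE = 8                          # 802.11 management frame, subtype 8 = Beacon
IE_SSID, IE_DS_PARAM, IE_RSN = 0, 3, 48     # tagged parameter (information element) IDs


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame):
    """Parse a raw 802.11 beacon (no radiotap header).

    Returns a dict with BSSID, SSID, channel, privacy/RSN flags and a
    'hidden' flag, or None if the frame is not a beacon.
    """
    if len(frame) < 36:                     # 24-byte MAC header + 12 bytes of fixed params
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype != BEACON_SUBTYPE:
        return None
    # MAC header: FC(2) Duration(2) Addr1=DA(6) Addr2=SA(6) Addr3=BSSID(6) SeqCtl(2)
    bssid = frame[16:22]
    # Fixed parameters: Timestamp(8) Beacon Interval(2) Capability(2), little-endian
    _timestamp, interval, cap = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": mac_str(bssid), "interval_tu": interval,
            "privacy": bool(cap & 0x0010),   # capability bit 4: WEP/WPA/WPA2 in use
            "ssid": None, "hidden": False, "channel": None, "rsn": False}
    # Tagged parameters: ID(1) Length(1) Value(Length), repeated until the frame ends
    off = 36
    while off + 2 <= len(frame):
        eid, elen = frame[off], frame[off + 1]
        val = frame[off + 2:off + 2 + elen]
        if len(val) < elen:                  # truncated element: stop, keep what we have
            break
        if eid == IE_SSID:
            # A "hidden" network still beacons, but with an empty or all-NUL SSID element
            if elen == 0 or val.count(0) == elen:
                info["ssid"], info["hidden"] = "", True
            else:
                info["ssid"] = val.decode("utf-8", errors="replace")
        elif eid == IE_DS_PARAM and elen == 1:
            info["channel"] = val[0]
        elif eid == IE_RSN:
            info["rsn"] = True               # WPA2 (RSN) information element present
        off += 2 + elen
    return info


def sample_beacon(bssid, ssid, channel, privacy=True, rsn=True):
    """Constructed test beacon (not a real capture) with the layout parse_beacon expects."""
    header = bytes([0x80, 0x00, 0x00, 0x00]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = 0x0001 | (0x0010 if privacy else 0)          # ESS bit, optional Privacy bit
    fixed = struct.pack("<QHH", 0, 100, cap)           # beacon interval 100 TU (~102 ms)
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])       # Supported Rates: 1, 2, 5.5, 11 Mbps
    ies += bytes([IE_DS_PARAM, 1, channel])
    if rsn:
        ies += bytes([IE_RSN, 2, 0x01, 0x00])          # minimal RSN element (version 1 only)
    return header + fixed + ies


if __name__ == "__main__":
    for f in (sample_beacon(bytes.fromhex("0211223344aa"), b"Lab-AP", 6),
              sample_beacon(bytes.fromhex("0211223344bb"), b"", 11, privacy=False, rsn=False)):
        print(parse_beacon(f))
```

The same parser, fed frames from a monitor-mode capture, gives a defender an inventory of which access points beacon with privacy off, which hide their SSID, and which lack an RSN element.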


Module15-What is WEP based Authentication and how to crack WEP based Authentication

 Key Point:

 (i)Learn WEP based Authentication
 (ii)Learn How to Crack WEP keys?

Module15-What is WEP based Authentication and how to crack WEP based Authentication

WEP based Authentication

 What is WEP Wireless Encryption?

 Wired Equivalent Privacy (WEP), and its weaker security level, is discussed here.

 Wired Equivalent Privacy (WEP) is a security protocol for wireless networks that encrypts transmitted data. It's easy to configure. Without any security your data can be intercepted without difficulty.

 However, WEP was an early attempt to secure wireless networks, and better security is now available, such as DES, VPN, and WPA.
Module15-What is WEP based Authentication and how to crack WEP based Authentication

WEP based Authentication

 WEP has three settings: Off (no security), 64-bit (weak security), 128-bit (a bit better security). WEP is not difficult to crack, and using it reduces performance slightly.

 If you run a network with only the default security, where WEP is turned off, any of your neighbors can immediately log on to your network and use your Internet connection.

 For wireless devices to communicate, all of them must use the same WEP setting. (40-bit and 64-bit WEP encryption are the same thing — 40-bit devices can communicate with 64-bit devices.)

Module15-What is WEP based Authentication and how to crack WEP based Authentication

Cracking WEP based Authentication

 Demo time <cracking WEP based authentication>
 Fern WIFI-Cracker


Module16-What is WPA/WPA2-PSK based authentication and how to crack WPA/WPA2-PSK based Authentication

 Key Point:

 (i)Learn WPA/WPA2-PSK based Authentication
 (ii)Learn Handshaking Process
 (iii)Learn How to Crack WPA/WPA2-PSK keys?

Module16-What is WPA/WPA2-PSK based authentication and how to crack WPA/WPA2-PSK based Authentication

 WPA/WPA2-PSK based Authentication

 Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks

 WPA-
 The WPA protocol implements much of the IEEE 802.11i standard.
 Specifically, the Temporal Key Integrity Protocol (TKIP) was adopted for WPA. WEP used a 40-bit or 104-bit encryption key that must be manually entered on wireless access points and devices and does not change. TKIP employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each packet and thus prevents the types of attacks that compromised WEP.

Module17-What is WPA/WPA2-PSK based authentication and how to crack WPA/WPA2-PSK based Authentication

 WPA2

 WPA2 has replaced WPA. WPA2, which requires testing and certification by the Wi-Fi Alliance, implements the mandatory elements of IEEE 802.11i. In particular, it introduces CCMP, a new AES-based encryption mode with strong security.

 WPA2 certification is mandatory for all new devices to bear the Wi-Fi trademark.

 Encryption protocol

 TKIP (Temporal Key Integrity Protocol)
 The RC4 stream cipher is used with a 128-bit per-packet key, meaning that it dynamically generates a new key for each packet. Used by WPA.

 CCMP (Counter Cipher Mode with block chaining message authentication code Protocol)
 An AES-based encryption mechanism that is stronger than TKIP. Used by WPA2. Among informal names are "AES" and "AES-CCMP". According to the 802.11n specification,
Module17-What is WPA/WPA2-PSK based authentication and how to
crack WPA/WPA2-PSK based Authentication

 WPA2-Four Way -Handshaking Process


Module17-What is WPA/WPA2-PSK based authentication and how to
crack WPA/WPA2-PSK based Authentication

 WPA2-PSK

 WiFi Protected Access, Pre-Shared Key

 WPA is a more powerful security technology for Wi-Fi networks than WEP. It provides strong data protection by using encryption as well as strong access controls and user authentication. WPA utilizes 128-bit encryption keys and dynamic session keys to ensure your wireless network's privacy and enterprise security.

 There are two basic forms of WPA:

 • WPA Enterprise (requires a Radius server)
 • WPA Personal (also known as WPA-PSK)
Module17-What is WPA/WPA2-PSK based authentication and how to crack WPA/WPA2-PSK based Authentication

 Cracking WPA/WPA2-PSK
Module18-Man-in-the-middle Attack over Wireless Network

Configuring system for Man-in-the-middle Attack

Demo Time
Module19-Cracking Wireless Router Password

Brute Force and Dictionary Attack on Wireless Router

Demo Time
Module20-Creating Fake Access Point

Fake Access Point

 Demo Time <Showing video>
 Creating Fake Access Point
Module21-Wireless De-authentication and Dis-Association Attack

Wireless De-authentication and Dis-Association Attack

 Demo Time <Showing video>
 Creating Wireless De-authentication and Dis-Association Attack

 Kicks clients off any wireless network, inside or outside; it doesn't matter.

 Video is only for Educational Purpose
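As an added example (not part of the deck or its demo video), Python detection logic for the de-authentication and dis-association frames this module describes, written from the wireless IDS side: it classifies raw 802.11 management frames by subtype and flags a BSSID when more than a threshold of deauth/disassoc frames arrive within a one-second window, noting whether they were addressed to the broadcast address. The frames it runs over are constructed in the code as a test fixture with made-up MAC addresses; a real deployment would feed it frames from a monitor-mode capture.

```python
import struct
from collections import defaultdict, deque

DEAUTH_SUBTYPE, DISASSOC_SUBTYPE = 12, 10    # 802.11 management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def classify(frame):
    """Return (kind, dst, src, bssid, reason) for a deauth/disassoc frame, else None."""
    if len(frame) < 26:                       # 24-byte MAC header + 2-byte reason code
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:                 # only management frames (type 0)
        return None
    subtype = fc0 >> 4
    if subtype not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
        return None
    kind = "deauth" if subtype == DEAUTH_SUBTYPE else "disassoc"
    reason = struct.unpack_from("<H", frame, 24)[0]
    return kind, mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22]), reason


def detect_floods(events, window=1.0, threshold=10):
    """Scan (timestamp_seconds, raw_frame) pairs in time order.

    Raises one alert per burst when more than `threshold` deauth/disassoc
    frames for the same BSSID arrive within `window` seconds: a client
    leaving normally produces one or two such frames, a flood produces dozens.
    """
    recent = defaultdict(deque)               # bssid -> deque of (t, sent_to_broadcast)
    alerts = []
    for t, frame in events:
        parsed = classify(frame)
        if parsed is None:
            continue
        kind, dst, _src, bssid, reason = parsed
        q = recent[bssid]
        q.append((t, dst == BROADCAST))
        while q and t - q[0][0] > window:     # drop frames that fell out of the window
            q.popleft()
        if len(q) > threshold:
            alerts.append({"t": t, "bssid": bssid, "count": len(q), "kind": kind,
                           "reason": reason,
                           # a deauth to the broadcast address hits every client at once
                           "broadcast": any(bc for _, bc in q)})
            q.clear()                         # start a fresh burst so we alert once per flood
    return alerts


def sample_frame(dst, src, bssid, reason=7, subtype=DEAUTH_SUBTYPE):
    """Constructed test frame (not a capture); reason 7 = class 3 frame from non-associated STA."""
    return (bytes([subtype << 4, 0x00]) + b"\x00\x00" + dst + src + bssid
            + b"\x00\x00" + struct.pack("<H", reason))


if __name__ == "__main__":
    ap = bytes.fromhex("0211223344aa")        # made-up BSSID
    bcast = b"\xff" * 6
    flood = [(i * 0.05, sample_frame(bcast, ap, ap)) for i in range(12)]   # 12 frames in 0.55 s
    print(detect_floods(flood))
```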


Module22-Session Hijacking Technique Over Wireless Network

 Session Hijacking -

 In computer science, session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system.
Module22-Session Hijacking Technique Over Wireless Network

 Session Hijacking
 Demo time <Implement Session Hijacking on wireless Network>
Module23-Introduction to Radius Server

RADIUS Server

 Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users that connect to and use a network service.

 Because of the broad support and the ubiquitous nature of the RADIUS protocol, it is often used by ISPs and enterprises to manage access to the Internet or internal networks, wireless networks, and integrated e-mail services.
Thank You

Presented By
Harshad Shah
Global Cyber Security Response Team
Few of the achievements listed below
Successfully cracked many complex cyber crime cases and practically demonstrated the loopholes in cyber space on most of the top media channels, like TV9, Suvarna News 24X7, Public TV, News 9, etc.

Successfully completed free cyber crime and security awareness programs in most of the engineering colleges in Karnataka

Successfully completed free cyber crime and security awareness programs in media for the Karnataka public in the regional language, including other states with their regional languages

Working with Karnataka Film Chambers of Commerce against piracy and online movie sharing projects

Successfully received an appreciation letter from Karnataka Film Chambers of Commerce for working on antipiracy and computerizing the KFCC ledger works

Successfully restored the BBMP & BJP websites, which were hacked
Why GCSRT?

Well trained and experienced team that is always put through continuous training practices to effectively handle today's IT demand

Well experienced team at GCSRT follows unique methodologies to help users at all levels

Very clear and effective communication at any given point of time

Well qualified legal, techno-legal and product based trainers train/work at GCSRT

GCSRT team has been recognized globally for its dedicated work
