Posted on 12-Apr-2017


Hewlett Packard Enterprise
Written by: Alex Kim, C|EH, CPT, PMP

[ASCII-art title banner]

Wi-Fi Rogue Access Point Scanning

Alex Kim, C|EH, CPT, PMP
alexander dot kim (shift 2) hpe dot com


Introduction

If you're reading this write-up, it's probably because you've taken an interest in learning more about Wi-Fi hacking. This introduction will let you take your first steps into the world of penetration testing. Penetration testing involves multiple stages, but the most important stage of all is reconnaissance. Without knowing the ins and outs of your target, how can you own them? You can't. You need to perform recon on your target to plan out your attack vectors.

Purpose

The goal of this procedure is to go through what it takes to perform recon on Wi-Fi networks. This write-up will not go into performing any attacks of any nature. Hewlett Packard Enterprise Software has a need to perform this scanning procedure as part of PCI compliance. By scanning for rogue access points we are actively reducing the risk of open networks being attached to the HPE network.

Threat Analysis

Rogue access points are any Wi-Fi networks attached to the HPE network without the permission of the network administrators and Cyber Security. They are typically set up for convenience (someone wants Wi-Fi in a rack row or a lab), but each one extends the internal network past the building's physical access controls, so a malicious attacker sitting outside the HPE building, or in the parking lot, may be able to reach it.

Evil Twin Attack:

This is a type of man-in-the-middle attack where a malicious attacker sets up an access point that broadcasts the same SSID as an existing open network, usually with a stronger signal so that clients prefer it. The hope is that users in a common area connect to this malicious AP, at which point all of their network traffic can be sniffed or tampered with by the attacker (who could be sitting right next to you while you drink your delicious two pump hazelnut double shot soy mocha frapp).


Risk Level: Medium/Low

While this attack is quite easy to set up in a common area such as a coffee shop or airport, carrying out this attack within or near an HPE facility would be much more difficult.

WEP Attacks:

Wired Equivalent Privacy (WEP) is the encryption scheme from the original 802.11 standard, ratified in 1997. It uses RC4 with a 24-bit initialization vector (IV) that repeats quickly on a busy network, which is why the free tools count IVs: collect enough of them and anyone with a bit of knowledge can recover the WEP key and therefore have full access to your network. OEM manufacturers and telcos have done a good job of steering users toward the more secure WPA2 by shipping their products with WPA2 enabled.

Risk Level: High

It takes a matter of minutes to crack WEP with free tools available online. If a rogue access point were to be attached to the HPE network and only protected by WEP, the damage and potential loss would be high.


This page has been reserved for cat meme.


KALI and Aircrack: How to Scan the Wi-Fizzzz

Note: This tutorial does not go into how to set up KALI. If you haven't done so already, you will need to establish your own KALI VM or workstation.

Items you will need to scan networks:

1. KALI Linux VM
2. Linux Kung-Fu
3. Wireless adapter with monitor mode capabilities.
   a. For the purpose of this tutorial, we will be using the ALFA Networks adapter because it's the shizznizz. Any adapter whose Linux driver supports monitor mode will do; run 'iw list' and look for "monitor" under "Supported interface modes" before you buy.

[Figures: photos of items 1 to 3]


Setting up your ALFA or other Wi-Fi adapter

1. Plug your Wi-Fi adapter into your workstation. (Duh)
2. Make sure your VM recognizes the USB adapter.
   a. If you're using KALI directly on the metal, you can skip this step. In a VM the adapter has to be passed through to the guest in your hypervisor's USB settings; as long as the host holds on to it, KALI will never see it.
3. Make sure KALI sees the USB device by typing 'lsusb' in a terminal.

Figure 1 – USB settings kali

You should see your USB device active and recognized by the OS. If 'lsusb' shows the adapter but no wlanX interface appears in the next step, the kernel has no driver for that chipset; 'dmesg | tail' will usually say so.

4. Another check to see that the WLAN interface is working properly:
   a. In the terminal type 'ifconfig' (or 'ip link' and 'iw dev' on newer KALI releases, where ifconfig may not be installed). Note the wlanX name; you will need it in every command below.

Figure 2 – ifconfig output


Now that KALI recognizes your adapter, we move on to using aircrack-ng.

Putting your Wi-Fi adapter into Monitor Mode

1. Run the following command in the terminal:
   a. 'airmon-ng check kill'
   b. This kills interfering processes (NetworkManager, wpa_supplicant, dhclient) so that you can start fresh. It also drops the machine's own Wi-Fi connection; 'systemctl start NetworkManager' brings it back when you are done scanning.
2. To put the adapter into monitor mode enter the following:
   a. 'airmon-ng start wlanX'
      i. X denotes the adapter in your setup, which you obtained from Figure 2.

Figure 3 – Output from airmon-ng command

Figure 4 – Note the device id is now 'wlan2mon', which denotes the device is now in monitor mode. 'iw dev' should list it with "type monitor".


Your device is now in monitor mode.


Time to Collect the Data

Now that your adapter is set up, we're ready to start collecting data. Here is where we get into the interesting stuff. If you're having issues, my recommendation is to do a bit more research and see if you can figure it out. Pen testing is all about figuring out different ways to make things work. If you're really stuck, you can always reach out to the author of this document (make sure you bring food or beer, and none of that water hidden in a Coors Light can).

Aircrack-ng is a powerful suite with a lot of different tools; for the sake of brevity, this document only covers airodump-ng: scanning for APs and clients and saving the captured frames (including the WEP IVs it counts) to packet capture files. Feel free to read the man pages. Hint: type 'man airodump-ng' (and 'man airmon-ng') in your terminal and see what you get.

1. To initialize the scan enter the following command:
   a. airodump-ng wlanXmon (remember, 'X' denotes your own setup from the steps above)
   b. This just gets the scan going: it hops the 2.4 GHz channels and prints what it sees without saving anything. Go ahead and try it out just to see what you get.

Figure 5 – Your scan should output something like this in the terminal. See anything funny?


In order for this activity to be useful, we need to save the collected data so we can analyze it later. So we add a few options to the command used above.

2. Cancel the current scan (Ctrl-C) if you started one, then enter one of the following:
   a. Scanning the 2.4 GHz band:
      i. airodump-ng --band bg wlanXmon -w <name of file>
         1. X denotes your wlan interface from above.
         2. --band bg (short form -b bg) restricts channel hopping to the 2.4 GHz b/g channels. This is also what airodump-ng does by default if you leave the option out.
         3. -w tells airodump-ng to write the capture to files starting with this prefix; type the name without quotes. Putting the name of the area you are scanning in the prefix makes it much easier to sift through multiple pcap files later.
      ii. Your command could look like the following when typed into the terminal: airodump-ng --band bg wlan2mon -w give_me_the_wifiz24
   b. Scanning the 5 GHz band:
      i. airodump-ng --band a wlanXmon -w <name of file>
         1. --band a hops only the 5 GHz (802.11a) channels. Your adapter has to support 5 GHz or you will simply see nothing.
         2. X and -w work exactly as above.
      ii. Your command could look like the following when typed into the terminal: airodump-ng --band a wlan2mon -w give_me_the_wifiz50


The capture files are stored in whichever directory you ran the command from (your home directory if you did not cd anywhere). airodump-ng appends a run number and an extension to the prefix, so give_me_the_wifiz24 becomes give_me_the_wifiz24-01.cap alongside -01.csv, -01.kismet.csv and -01.kismet.netxml; a simple 'ls' in the terminal will show them. The .cap file is what you open in Wireshark; the .csv is the AP and client table you will compare against the authorized list.

Note: If you need to scan both the 2.4 GHz and 5 GHz bands, label your pcap files accordingly so you know which one is which.

Tip: If you're running scans for both bands, you can run two terminals and capture both at the same time, but only with two adapters: two airodump-ng instances on the same monitor interface fight over which channel the radio is tuned to and you end up with holes in both captures. With a single adapter, one instance started with --band abg hops both bands into one capture instead.
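The whole procedure above, from the adapter check through the capture, as one added shell script. This is example code written for this write-up, not the author's script. It assumes KALI with aircrack-ng and iw installed; the names wlan2 and wlan2mon, the area labels and the DRY_RUN switch are placeholders and assumptions, and with DRY_RUN set the script only prints the airodump-ng command so it can be checked without root or a radio.

```shell
#!/usr/bin/env bash
# Rogue-AP capture helper (added example): confirm the adapter, stop
# interfering services, enable monitor mode, capture on the chosen band with
# a file prefix that names the area and the band.
# Assumes KALI with aircrack-ng and iw. wlan2 / wlan2mon below are placeholders
# for whatever `iw dev` shows on your machine.
set -u

# Map the band names used in the write-up onto airodump-ng's --band values.
band_arg() {
  case "$1" in
    2.4|bg)   echo bg  ;;   # 2.4 GHz only (airodump-ng's default)
    5|a)      echo a   ;;   # 5 GHz only
    both|abg) echo abg ;;   # hop both bands from a single adapter
    *) echo "unknown band: $1 (use 2.4, 5 or both)" >&2; return 1 ;;
  esac
}

# Capture prefix: lower-cased area name with the band appended, so a directory
# full of *-01.cap / *-01.csv files sorts by room and band.
capture_prefix() {
  local area band
  area=$(printf '%s' "$1" | tr 'A-Z ' 'a-z_' | tr -cd 'a-z0-9_-')
  band=$(band_arg "$2") || return 1
  printf '%s-%s\n' "$area" "$band"
}

# The exact airodump-ng command line for an interface already in monitor mode.
# --output-format keeps only the pcap (for Wireshark) and csv (for triage).
airodump_cmd() {
  local band prefix
  band=$(band_arg "$2") || return 1
  prefix=$(capture_prefix "$3" "$2") || return 1
  printf 'airodump-ng --band %s --output-format pcap,csv -w %s %s\n' "$band" "$prefix" "$1"
}

# First interface iw reports in monitor mode (airmon-ng normally names it wlanXmon).
monitor_iface() {
  iw dev | awk '$1 == "Interface" { i = $2 } $1 == "type" && $2 == "monitor" { print i; exit }'
}

# scan_site IFACE BAND AREA   e.g.  scan_site wlan2 2.4 "DC West Row 3"
scan_site() {
  local iface="$1" band="$2" area="$3" mon cmd
  if [ -n "${DRY_RUN:-}" ]; then
    cmd=$(airodump_cmd "${iface}mon" "$band" "$area") || return 1
    echo "[dry-run] $cmd"
    return 0
  fi
  iw dev "$iface" info >/dev/null 2>&1 || { echo "$iface not present; check lsusb and iw dev" >&2; return 1; }
  airmon-ng check kill          # stops NetworkManager/wpa_supplicant; restart them afterwards
  airmon-ng start "$iface"
  mon=$(monitor_iface)
  [ -n "$mon" ] || { echo "no monitor-mode interface after airmon-ng start" >&2; return 1; }
  cmd=$(airodump_cmd "$mon" "$band" "$area") || return 1
  echo "+ $cmd"
  $cmd                          # Ctrl-C to stop; files land in the current directory
}
```

Run it as root from the directory where you want the captures, for example 'scan_site wlan2 both "DC West Row 3"', which produces dc_west_row_3-abg-01.cap and dc_west_row_3-abg-01.csv. The DRY_RUN path exists so the generated command can be reviewed before anything touches the radio.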


While On-site, What Should You Do?

Now that you've set up your rig to collect and scan for data, you can't just set it and forget it Ron Popeil style. You need to start investigating. Here are a couple of things to keep in mind.

1. Talk to the data center manager; this person knows the facility inside and out.
2. Ask this person for a list of known authorized Wi-Fi APs inside the data center.
   a. If possible, ask for the SSIDs and their respective MAC addresses (BSSIDs). A name alone can be copied by anyone; the BSSID is what you actually match against.
3. As soon as you've started your scans and made sure everything is running smoothly, start walking the areas you are interested in.
4. Wi-Fi is a crazy phenomenon. Signals reflect off racks and walls and bleed through floors, which is what makes this exercise so difficult.
5. While looking at your screen output, be mindful of what your scan is seeing. The top portion of the terminal lists the APs that are sending out beacons, one line per BSSID. The bottom portion lists client stations and the ESSIDs they are probing for, which is how you spot a laptop or phone talking to an AP you did not expect.


A few things you want to keep in mind while analyzing the scan:

1. Do you see any ESSIDs in the far right column that do not appear on your list from the data center manager? Compare the BSSID column too, not just the names: the evil twin described earlier copies the SSID, so an authorized name on an unknown BSSID is exactly what you are looking for.
2. What is the signal strength in the column under "PWR"?
   a. Values are in dBm on a logarithmic scale, so the closer to zero the stronger the signal: -40 is much stronger than -80.
   b. A PWR of -1 means the driver is not reporting signal level for that AP, not that it is next to you.
3. How many beacons has airodump-ng counted for that BSSID?
   a. Beacons are the frames an AP sends (by default about ten per second) to let Wi-Fi receivers know that it is here and operating.
   b. The count only grows while airodump-ng is dwelling on that AP's channel, so treat it as a rough hint: a quickly rising count together with a strong PWR means the AP is close by.
   c. Depending on how sensitive your Wi-Fi adapter is, you may see beacons from APs that are hundreds of feet away.
4. Do you see any ESSIDs shown as "<length: 0>"?
   a. This means the SSID is hidden in the AP's settings. Treat it as a red flag until it is explained.
   b. airodump-ng fills in the real name as soon as a client associates, because probe and association frames carry the SSID in clear text, so leave the scan running.
   c. Your task is now to triangulate the signal and locate it. By simply walking in the direction where PWR climbs toward zero, you can roughly pinpoint where it is.
   d. If its beacon count is much lower than the known SSIDs you are seeing on-site, chances are it is coming from outside the area you are in.
5. Do you see any "OPN" networks listed under the "ENC" column?
   a. These are APs with no encryption or authentication of any kind.
   b. If the AP you are seeing has an OPN encryption type, confirm with the facility that it is approved. Chances are it is a guest Wi-Fi AP.
6. Do you see any "WEP" networks listed?
   a. This is a red flag as well, especially if it is an authorized AP connected to HPE networks.
   b. Take note of the SSID and BSSID; when you prepare your report you will need to submit them to the appropriate personnel for remediation. WEP should be avoided at all costs. The remediation plan is simple: use WPA2.
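The checks above, applied to the <prefix>-01.csv that airodump-ng writes, as an added example (not the author's tooling). The BSSIDs, the CSV rows and the authorized list are constructed to match airodump-ng's CSV layout (the 02:ca:fe:... addresses are locally administered, not any vendor's), a hidden SSID is assumed to arrive as an empty ESSID field, and -75 dBm as the "probably not in this room" cut-off is an assumption rather than an aircrack-ng value.

```shell
#!/usr/bin/env bash
# Triage the AP table of an airodump-ng CSV (the <prefix>-01.csv written by -w)
# against the data center manager's list of authorized APs. Added example for
# this write-up; the list, the CSV rows and the -75 dBm cut-off are constructed.

# Constructed: what the facility says is authorized, one "BSSID SSID" per line.
AUTHORIZED='
# bssid             ssid
02:ca:fe:00:00:01   HPE-Corp
02:ca:fe:00:00:02   HPE-Guest
'

# Constructed sample in the shape of airodump-ng's CSV: AP table, blank line,
# then the station table, which the parser deliberately stops at.
SAMPLE_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, # clients, ESSID, Key
02:CA:FE:00:00:01, 2017-04-12 09:00:01, 2017-04-12 09:40:12,  6,  54, WPA2, CCMP, PSK, -38,  812,  0,   0.  0.  0.  0,  3, HPE-Corp,
02:CA:FE:00:00:02, 2017-04-12 09:00:01, 2017-04-12 09:40:11, 11,  54, OPN ,     ,    , -41,  790,  0,   0.  0.  0.  0,  1, HPE-Guest,
02:CA:FE:00:00:03, 2017-04-12 09:03:44, 2017-04-12 09:40:10,  1,  54, WEP , WEP ,    , -47,  655, 12,   0.  0.  0.  0,  1, NETGEAR-Guest,
02:CA:FE:00:00:04, 2017-04-12 09:10:02, 2017-04-12 09:40:09, 36, 300, WPA2, CCMP, PSK, -52,  410,  0,   0.  0.  0.  0,  0, ,
02:CA:FE:00:00:05, 2017-04-12 09:00:03, 2017-04-12 09:12:00,  6,  54, WPA2, CCMP, PSK, -88,   17,  0,   0.  0.  0.  0,  0, xfinitywifi,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:CA:FE:00:01:01, 2017-04-12 09:00:05, 2017-04-12 09:40:12, -50,  120, 02:CA:FE:00:00:03, NETGEAR-Guest
'

# triage_csv CSV_TEXT AUTHORIZED_TEXT
# Prints one line per AP that needs a follow-up, strongest signal first:
#   <flags> <bssid> <pwr dBm> <beacons> <enc> <essid>
# Flags: UNKNOWN (BSSID not on the list), WEP, HIDDEN (empty ESSID), DISTANT.
triage_csv() {
  printf '%s\n' "$1" | awk -F', *' -v auth="$2" '
    BEGIN {
      n = split(auth, lines, "\n")
      for (i = 1; i <= n; i++) {
        if (lines[i] == "" || lines[i] ~ /^#/) continue
        split(lines[i], f, " ")
        ok[tolower(f[1])] = 1          # index authorized BSSIDs, lowercase
      }
    }
    /^BSSID,/       { in_aps = 1; next }   # header of the AP table
    /^Station MAC,/ { in_aps = 0 }         # client table begins: stop parsing
    in_aps && NF >= 14 {
      bssid = tolower($1); enc = $6; pwr = $9 + 0; beacons = $10 + 0; essid = $14
      gsub(/^ +| +$/, "", enc); gsub(/^ +| +$/, "", essid)
      flags = ""
      if (!(bssid in ok)) flags = flags "UNKNOWN,"
      if (enc ~ /^WEP/)   flags = flags "WEP,"      # red flag even when authorized
      if (essid == "")    flags = flags "HIDDEN,"   # shows as <length: 0> on screen
      if (flags == "") next                         # known, encrypted, named: fine
      if (pwr < -75)      flags = flags "DISTANT,"  # assumption: likely outside the room
      sub(/,$/, "", flags)
      printf "%s %s %d %d %s %s\n", flags, bssid, pwr, beacons, enc, (essid == "" ? "<hidden>" : essid)
    }' | sort -k3,3nr
}

triage_csv "$SAMPLE_CSV" "$AUTHORIZED"
```

On the constructed sample the two authorized APs drop out (the OPN guest network is on the list, so it is not reported), and the WEP AP, the hidden AP and a weak unknown AP are printed in that order because sorting by PWR puts the most likely on-site candidates first. For a real capture, replace SAMPLE_CSV with the contents of your <prefix>-01.csv ("$(cat give_me_the_wifiz24-01.csv)") and AUTHORIZED with the list from the data center manager.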


This document should give you enough tools and knowledge to effectively scan a facility for rogue APs. This is only the beginning; I would encourage you to continue your research and always hack responsibly. Never do anything illegal, like hacking into your neighbor's network or setting up evil twins at the local Starbucks. Leave those poor people alone.

For further resources and references to KALI and Aircrack:

https://www.aircrack-ng.org/

https://www.offensive-security.com/