Wireless Security
Help for wireless penetration testing game/competition Apr 01 2008 08:35PM
Deepak Nuli (blitztrade yahoo com) (1 replies)
RE: Help for wireless penetration testing game/competition Apr 02 2008 01:17PM
Nico Darrow (ndarrow airdefense net)
First of all, that was very hard to read and painful.

Things I'd recommend.
1. Your open AP: enable MAC filtering, disable DHCP (set your clients static) and change your subnet. This will prevent them from connecting wirelessly; if they can still plug into your AP via a hardline, then ignore this.
2. WEP, easy. If your AP has something called "IP isolation"/"PSPF"/"MU-to-MU disallow", enable this feature; it'll slow them down depending on their level.
3. WPA-PSK: cracking this doesn't require traffic, you need the WPA 4-way handshake that happens when a client associates to the AP. Usually the best way is to DoS a client off the AP (hard and fast). Make sure you target the client specifically and don't just do a broadcast deauth; some clients will ignore the broadcast deauth, or it won't be sufficient to force a handshake.
4. EAP: you can bet it's going to be LEAP. Take a look at the asleap tool available (google is your friend). If they've set up anything else (RADIUS backend) then you'll have to do a MiTM or client penetration to get certificates and credentials.
5. Client penetration, nmap, nessus, metasploit, scapy. 'nuff said.

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Deepak Nuli
Sent: Tuesday, April 01, 2008 3:35 PM
To: pen-test (at) securityfocus (dot) com [email concealed]; wifisec
Subject: Help for wireless penetration testing game/competition

Hi
I am a student and am taking this course called Wireless Security. As a part of the course the class is divided into two teams and we have to hack each other's wireless networks. It works in two phases. I need help in the first phase.
We have 4 APs:
1. Open access point: the opposite team's access point is in our team's physical location (and ours is in their location). It has DHCP enabled and if needed we can dc it and plug in our client and get on their physical network.
2. WEP AP: We have already cracked their WEP key.
3. WPA-PSK: the problem with getting into this is that for the 1st phase there is no traffic being generated by the other team, so we can't deauth it and get the PSK.
4. WPA EAP: Not sure what EAP method they are running.
The network is managed by a Windows Server 2003 running on VMware and there is a PIX firewall and a switch. The server has two files: one hidden and one is the open.

So the task is now to somehow get:
1. Access to the AP which is not open, or launch a DoS
2. Get to the server files or corrupt them
We can do the task either wirelessly or through the wired network. We were also able to take one AP out of the network by ARP poisoning using scapy. So I wanted suggestions from you guys out there. I know there are loads of materials out there but we don't have time. So any help will be appreciated.
Thx

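Item 3 of the reply above describes forcing a WPA 4-way handshake by deauthenticating a specific client, and notes that a targeted deauth is what works rather than a broadcast one. From the defending side, that is exactly the pattern a wireless IDS looks for: a burst of deauthentication or disassociation frames from one BSSID to one station in a short window, which no normal AP produces. The example below is added here and is not code from either poster; it runs a sliding-window detector over a constructed list of frame records (timestamp, source, destination, management subtype) rather than live captures, so the frame list, MAC addresses, window and threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# 802.11 management frame subtypes (from the standard's type/subtype field)
DEAUTH = 0x0C     # Deauthentication
DISASSOC = 0x0A   # Disassociation
BEACON = 0x08     # Beacon (ordinary AP housekeeping traffic)
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample MACs (assumptions, not addresses from the thread)
AP = "00:aa:bb:cc:dd:ee"
CLIENT_A = "00:11:22:33:44:55"
CLIENT_B = "00:66:77:88:99:aa"


def detect_deauth_bursts(frames, window=1.0, threshold=5):
    """Flag (src, dst) pairs that send >= `threshold` deauth/disassoc frames
    within any `window`-second span.

    frames: iterable of (timestamp_seconds, src_mac, dst_mac, subtype).
    Returns one alert dict per offending pair, raised when the threshold is
    first crossed, so a long flood produces a single alert rather than one
    per frame.
    """
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    alerted = set()
    alerts = []
    for ts, src, dst, subtype in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC):
            continue                # beacons, probes etc. are irrelevant here
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # drop frames that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "bssid": src,
                "client": dst,
                # broadcast deauths hit every station; targeted ones hit one
                "kind": "broadcast" if dst == BROADCAST else "targeted",
                "count": len(q),
                "start": q[0],
                "end": ts,
            })
    return alerts


# Constructed sample capture: two beacons, one isolated deauth (e.g. an idle
# timeout, which is benign), then eight deauths aimed at CLIENT_B in 0.35 s.
SAMPLE_FRAMES = [
    (0.00, AP, BROADCAST, BEACON),
    (0.10, AP, BROADCAST, BEACON),
    (0.50, AP, CLIENT_A, DEAUTH),
] + [(2.00 + 0.05 * i, AP, CLIENT_B, DEAUTH) for i in range(8)]


def sample_alerts():
    """Run the detector over the constructed capture."""
    return detect_deauth_bursts(SAMPLE_FRAMES, window=1.0, threshold=5)


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"{a['kind']} deauth burst: {a['bssid']} -> {a['client']} "
              f"({a['count']} frames between t={a['start']:.2f}s and t={a['end']:.2f}s)")
```

The single legitimate deauth to CLIENT_A never reaches the threshold, while the burst against CLIENT_B fires one alert the moment the fifth frame lands in the one-second window. In practice the frame tuples would come from a monitor-mode capture, and the threshold should be tuned against the site's own baseline, since some enterprise controllers do emit short deauth sequences during roaming.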