Wireless Security
creating fake APs Apr 17 2008 04:08AM
bLiTz (blitztrade yahoo com) (3 replies)
Hi, thanks for the earlier help. We are now in phase II of the project and need to build a more secure network. I had the following questions:
1. For this I was planning to use fakeap to create a large number of fake APs. But I am not able to configure fakeap after spending hours and hours on it. From what I understand, we need to have hostap in order to run fakeap. I wasn't able to configure and install it (I am trying to get this working on Ubuntu and then later, if possible, on OpenWRT on a Linksys WRT54GL). It would be great if anybody out there could guide me or point me to some place where it is clearly explained how to get hostap and fakeap working.
2. If there are any other similar tools out there, please let me know.
3. Advice on how to monitor our wireless network. Using a WIDS? Which WIDS would you guys suggest we use?

-----Original Message-----
From: bLiTz [mailto:blitztrade (at) yahoo (dot) com [email concealed]]
Sent: Wednesday, April 02, 2008 1:47 PM
To: Nico Darrow
Subject: Re: Help for wireless penetration testing game/competition

They want us to break into the network in general and we get points depending on what we do. Yes, ours is not that advanced a course. So we could just cause DoS at all the APs. Getting the file from the server will get us the maximum points. Any idea how we could get to their server? It's running on VMware.

----- Original Message ----
From: Nico Darrow <ndarrow (at) airdefense (dot) net [email concealed]>
To: <blitztrade (at) yahoo (dot) com [email concealed]>; Nico Darrow <ndarrow (at) airdefense (dot) net [email concealed]>
Sent: Wednesday, April 2, 2008 11:58:29 AM
Subject: RE: Help for wireless penetration testing game/competition

EAP-TLS will require you to pen the client to get the certificates and login credentials. If there is no server-side certificate verification then you can MiTM the client and try sniffing the handshake inside the TLS tunnel. Remember with newer EAP, the first handshake is always fake but the real one happens inside the tunnel.

Are you sure they want you to break the EAP-TLS AP? That's a little advanced for a classroom project.

-----Original Message-----
From: <blitztrade (at) yahoo (dot) com [email concealed]>
To: "Nico Darrow" <ndarrow (at) airdefense (dot) net [email concealed]>
Sent: 4/2/2008 11:01 AM
Subject: Re: Help for wireless penetration testing game/competition

I am sorry I had to write that in a hurry and didn't really think of explaining in a better way. Thanks for the quick reply.
1. For this phase we are supposed to leave the DHCP on (the competition is in two phases and this network configuration is supposed to emulate an insecure network. In the next phase we are allowed to make changes).
4. No, the EAP method being used is not LEAP. I think they are using EAP-TLS.

----- Original Message ----
From: Nico Darrow <ndarrow (at) airdefense (dot) net [email concealed]>
To:<blitztrade (at) yahoo (dot) com [email concealed]>; "pen-test (at) securityfocus (dot) com [email concealed]" <pen-test (at) securityfocus (dot) com [email concealed]>; wifisec <wifisec (at) securityfocus (dot) com [email concealed]>
Sent: Wednesday, April 2, 2008 9:17:10 AM
Subject: RE: Help for wireless penetration testing game/competition

First of all, that was very hard to read and painful.

Things I'd recommend.
1. Your open AP: enable MAC filtering, disable DHCP (set your clients static) and change your subnet. This will prevent them from connecting wirelessly; if they can still plug into your AP via a hardline then ignore this.
2. WEP, easy. If your AP has something called "IP isolation"/"PSPF"/"MU-to-MU disallow", enable this feature; it'll slow them down depending on their level.
3. WPA-PSK, cracking this doesn't require traffic, you need the WPA 4-way handshake that happens when a client associates to the AP. Usually the best way is to DoS a client off the AP (hard and fast). Make sure you target the client specifically and not just do a broadcast deauth; some clients will ignore the broadcast deauth or it won't be sufficient to force a handshake.
4. EAP, you can bet it's going to be LEAP. Take a look at the asleap tool available (Google is your friend). If they've set up anything else (RADIUS backend) then you'll have to do a MiTM or client penetration to get certificates and credentials.
5. Client penetration, nmap, nessus, metasploit, scapy. 'nuff said.

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
Sent: Tuesday, April 01, 2008 3:35 PM
To: pen-test (at) securityfocus (dot) com [email concealed]; wifisec
Subject: Help for wireless penetration testing game/competition

Hi
I am a student and am taking this course called Wireless Security. As a part of the course the class is divided into two teams and we have to hack each other's wireless networks. It works in two phases. I need help in the first phase.
We have 4 APs:
1. Open access point: the opposite team's access point is in our team's physical location (and ours is in their location). It has DHCP enabled and if needed we can disconnect it and plug in our client and get on their physical network.
2. WEP AP: We have already cracked their WEP key.
3. WPA-PSK: the problem with getting into this is that for the 1st phase there is no traffic being generated by the other team, so we can't deauth it and get the PSK.
4. WPA EAP - Not sure what EAP method they are running.
The network is managed by a Windows Server 2003 running on VMware and there is a PIX firewall and a switch. The server has two files: one hidden and one open.

So the task is now to somehow get:
1. Access to the AP which is not open or launch a DoS
2. Get to the server files or corrupt them
We can do the task either wirelessly or through the wired network. We were also able to take one AP out of the network by ARP poisoning using scapy. So I wanted suggestions from you guys out there. I know there are loads of materials out there but we don't have time. So any help will be appreciated.
Thx


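The post above asks three things that reduce to the same handful of 802.11 management frames: what a fakeap-style tool actually transmits (beacons for non-existent APs), what the quoted advice to "target the client specifically and not just do a broadcast deauth" looks like on the wire, and what a WIDS has to spot to catch either. The following is an added example written for this page by the editor; it is not code from the thread, from fakeap or from hostap. It builds the raw frames with struct, parses them back, and runs a small detector over a constructed capture. All MAC addresses, SSIDs and alert thresholds are made up for the example; the frames live in memory only (no monitor-mode interface, no injection driver, no radiotap header), so it runs offline.

```python
import random
import struct
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mgmt_header(subtype, dst, src, bssid, seq=0):
    """24-byte management header: frame control, duration, addr1-3, sequence control.
    Frame-control byte 0 = version (2 bits) | type (2 bits, 0 = management) | subtype (4 bits)."""
    frame_control = struct.pack("<BB", subtype << 4, 0x00)
    duration = struct.pack("<H", 0)
    seq_ctrl = struct.pack("<H", (seq & 0x0FFF) << 4)  # fragment 0, sequence number in the high 12 bits
    return frame_control + duration + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + seq_ctrl


def beacon_frame(ssid, bssid, channel, seq=0):
    """Beacon (subtype 8) for an open ESS: fixed fields, then SSID, rates and DS-parameter IEs."""
    fixed = struct.pack("<QHH", 0, 100, 0x0001)  # timestamp, interval 100 TU, capability = ESS only
    ssid_b = ssid.encode()
    ies = bytes([0, len(ssid_b)]) + ssid_b       # IE 0: SSID
    ies += bytes([1, 1, 0x82])                   # IE 1: supported rates, 1 Mbps basic
    ies += bytes([3, 1, channel])                # IE 3: DS parameter set (channel)
    return mgmt_header(8, BROADCAST, bssid, bssid, seq) + fixed + ies


def deauth_frame(target, bssid, reason=7):
    """Deauthentication (subtype 12) spoofed from the AP to one station.
    Reason 7 = class 3 frame received from a non-associated station."""
    return mgmt_header(12, target, bssid, bssid) + struct.pack("<H", reason)


def fake_ap_beacons(count, seed=1):
    """What a fakeap-style tool emits: beacons with random SSIDs on random,
    locally administered BSSIDs. Seeded so the output is reproducible."""
    rng = random.Random(seed)
    frames = []
    for i in range(count):
        bssid = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        ssid = "ap-" + "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(6))
        frames.append(beacon_frame(ssid, bssid, rng.choice([1, 6, 11]), seq=i))
    return frames


def parse_mgmt(frame):
    """Decode the header plus the beacon IEs or the deauth reason code."""
    fc0 = frame[0]
    info = {"type": (fc0 >> 2) & 0x3, "subtype": fc0 >> 4,
            "dst": mac_str(frame[4:10]), "src": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22])}
    body = frame[24:]
    if info["type"] == 0 and info["subtype"] == 8:
        ies, i = body[12:], 0
        while i + 2 <= len(ies):
            eid, elen = ies[i], ies[i + 1]
            value = ies[i + 2:i + 2 + elen]
            if eid == 0:
                info["ssid"] = value.decode(errors="replace")
            elif eid == 3 and elen == 1:
                info["channel"] = value[0]
            i += 2 + elen
    elif info["type"] == 0 and info["subtype"] == 12:
        info["reason"] = struct.unpack("<H", body[:2])[0]
    return info


def detect(frames, beacon_threshold=20, deauth_threshold=5):
    """Two WIDS alerts (thresholds are assumed values, tune per site): a beacon flood
    (too many distinct BSSIDs) and repeated deauths aimed at one client, which is the
    targeted handshake-forcing attack as opposed to a broadcast deauth."""
    bssids, deauths = set(), Counter()
    for frame in frames:
        p = parse_mgmt(frame)
        if p["type"] != 0:
            continue
        if p["subtype"] == 8:
            bssids.add(p["bssid"])
        elif p["subtype"] == 12:
            deauths[(p["dst"], p["bssid"])] += 1
    alerts = []
    if len(bssids) >= beacon_threshold:
        alerts.append(f"beacon flood: {len(bssids)} distinct BSSIDs")
    for (dst, bssid), n in deauths.items():
        if dst != BROADCAST and n >= deauth_threshold:
            alerts.append(f"targeted deauth: {n} frames to {dst} from {bssid}")
    return alerts


if __name__ == "__main__":
    # Constructed capture: a 30-AP beacon flood plus six deauths at one station.
    traffic = fake_ap_beacons(30) + [deauth_frame("00:11:22:33:44:55", "02:aa:bb:cc:dd:ee")] * 6
    for alert in detect(traffic):
        print(alert)
```

Putting any of these frames on the air needs a card in monitor mode with a driver that supports injection, which is exactly the hostap dependency the post is stuck on; that part is deliberately left out. The detector side is the point for the WIDS question: a beacon flood shows up as an implausible number of BSSIDs appearing at once, and the "hard and fast" deauth against a single client shows up as a burst of deauthentication frames with a unicast destination, while a single broadcast deauth from a legitimate AP does not trip it.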
Re: creating fake APs Apr 18 2008 03:55PM
Saeed Abu Nimeh (sabunime gmail com)
Re: creating fake APs Apr 17 2008 01:28PM
pinowudi (pinowudi gmail com)
Re: creating fake APs Apr 17 2008 01:06PM
Mike Kershaw (dragorn kismetwireless net) (1 replies)
RE: creating fake APs Apr 17 2008 01:45PM
Nico Darrow (ndarrow airdefense net) (1 replies)
RE: creating fake APs Apr 17 2008 02:28PM
Cedric Blancher (blancher cartel-securite fr)
Copyright 2007, SecurityFocus