S-38.2131/3133 Networking Technology,
laboratory course A/B
37 – Wireless Networks
Student edition
Anni Matinlauri, 3.1.2007
Tuomas Järekallio, 15.8.2008
Contents
1 Preliminary exercises (22 points)
2 Laboratory exercises (19 points)
2.1 Background info
2.2 Basic monitoring and performance measurement
2.3 Posing as an access point
2.4 Fake Access Points
2.5 Cracking WEP
2.6 Cracking WPA
2.7 Ad hoc Network
2.8 Ad hoc Routing
3 Final report (12 points)
4 Points and Grade
This laboratory work includes 24 questions. The total number of points is 53. Answer the following questions briefly but clearly. You can answer in Finnish, Swedish or English. It is also a good idea to examine the laboratory assignment beforehand. There are only 3 hours of work time on your lab turn.
1 Preliminary exercises (22 points)
P1 (2 points)
Is it legal to listen to unencrypted WLAN traffic?
P2 (2 points)
Is it legal to collect encrypted WLAN data and crack it?
P3 (6 points)
What are the ways to make a WLAN safer?
P4 (2 points)
Describe shortly what an ad hoc network is.
P5 (2 points)
What kinds of wireless standards does IEEE have?
P6 (2 points)
What security improvements have taken place as the IEEE 802.11 standards have developed?
P7 (2 points)
Why was WEP used and how does it work? Why shouldn't it be used anymore?
P8 (2 points)
Create an example configuration file for the application hostapd for posing as an open access point (min 4 parameters). This file will be modified and used during the lab work.
P9 (2 points)
2 Laboratory exercises (19 points)
2.1 Background info
As wireless networks are gaining popularity, it is important to get to know them. In this assignment the main focus is on security aspects. Some hacking techniques are tried so that you understand in which ways wireless networks are vulnerable. These assignments, however, by no means cover every way to exploit wireless networks, so it is important to always follow the latest developments.
The hardware used in this laboratory work consists of three desktop computers, heppa, kani and sybil, and two wireless routers, matti and teppo. All of them are IEEE 802.11g capable. The wireless interface on the desktops is wlan0, and eth1 on the APs. The APs are also connected to the lab's wired network. The desktops Heppa and Kani have only wireless access. The desktop Sybil is located outside the lab hall, and it can be managed from the lab by connecting to 10.38.0.101 with SSH.
The most important commands in this assignment are ifconfig, iwconfig, some commands from the Aircrack-ng suite [1] and kismet [2]. If you are not familiar with some of the commands, check their man pages. Many of the commands must be run as root (administrator), so you must prefix them with the sudo command, e.g., sudo ifconfig. The password for sudo is lab. The APs (Access Points) run DD-WRT [3], a lightweight Linux-based operating system designed for wireless routers. Most configuration changes on the APs are done with shell scripts. The scripts (none.sh, wep.sh and wpa.sh) are located in /home/lab/labra on Heppa and have to be uploaded to the APs (the APs have only temporary memory, so the scripts are lost at reboot). Run ./upload_scripts.sh in the labra directory to copy the scripts to the APs. To change the AP settings, run the scripts via ssh, e.g., ssh root@10.38.40.1 ./none.sh.
NetworkManager [4] is helpful in joining wireless networks. On Sybil, NetworkManager is used from the command line with nmcli and nm-connection-editor. All wireless networks used during the assignment, except the ad hoc network, are preconfigured in Network Connections and should not be modified! The list of available networks in NetworkManager may take a while to update, so be patient. The ifconfig and iwconfig commands can also be used, and they are especially useful in troubleshooting. Don't worry if everything doesn't work on the first try. Making the machines connect to the APs may take some effort; you might need to try again and re-enter commands several times. Changing the authentication method from Open System to Shared Key may help in cases where clients are able to join the network but not able to transmit any data.
The APs are named Matti and Teppo and their IP addresses are 10.38.40.2 and 10.38.40.1. The user is root and the password is eeeeee. There is an ssh key already on the clients to help with logging in to the APs, and the password to unlock the key is eeeeee. The username and password for the client machines are lab, and their wireless IP addresses are shown in Table 1.
Note that Heppa and Kani are connected to the network only over wireless, so any change to your wireless network (e.g., changing the encryption or mode) will cause a loss of connection for a while. Your assistant will show you a computer from which you can manage Matti, Teppo and Sybil without losing the connection to them.
The IP addresses used in this lab are shown in Table 1.

Table 1: IP addresses

Name    IP address     IP addr in ad hoc mode   IP addr for management
Sybil   10.38.40.101   10.38.50.101             10.38.0.101
Kani    10.38.40.102   10.38.50.102             -
Heppa   10.38.40.103   -                        -
Matti   10.38.40.2     10.38.50.105             -
Teppo   10.38.40.1     10.38.50.104             -
You should save all the files you create during the assignment into a same folder. This way it is much easier to clean up the workstations after the assignment is finished.
2.2 Basic monitoring and performance measurement
Log in to Heppa as lab and run ./upload_scripts.sh in /home/lab/labra. After this, run ./none.sh on both APs as described in the Background info. Connect Sybil and Kani to the wireless network netlabtest_none. The IP addresses of the WLAN interfaces are found in Table 1. Start pinging Sybil from Kani to make sure that the network is working.
Q1 (1 point)
Use airmon-ng on Heppa to create a WLAN monitoring interface. Use Kismet to scan for wireless networks using this interface (mon0).
(a) Write down the following information about networks other than aalto: ESSID, BSSID, channel, signal power and IP range (probably 0.0.0.0 on most networks, but you should see at least some IP addresses of individual clients).
(b) Use airodump-ng on Heppa to scan wireless networks.
Q2 (2 points)
What information do the programs give? Briefly compare Kismet and airodump-ng.
F1a: Write down the average bandwidth of the wireless network.
End the ping between Kani and Sybil. Start an iperf server (TCP) on Kani and measure the connection speed from Sybil. Run the test a few times to get more accurate results. (Questions F1a–F1f are for the final report.)
2.3 Posing as an access point
Use the information you just collected to pose as an AP. Disable wireless networking in Heppa’s NetworkManager and write down Heppa’s old MAC address. Then change it to the MAC address of a netlabtest_none AP using ifconfig. Then edit the hostapd configuration file you created in the preliminary exercises to match the network information. Launch hostapd with the edited config file.
Hint: The wireless interface in Heppa uses driver nl80211.
To avoid confusion, log on to both APs as root and take their WLAN interfaces (eth1) down using the wlconf command. Change Heppa’s wireless IP address to 10.38.40.103/24 and ping this address from Sybil and Kani to make sure they are connected to Heppa. Use Wireshark on Heppa to monitor traffic on the network. After successfully posing as an access point, stop ping, return Heppa’s MAC address back to the original and bring the APs’ WLAN interfaces up again.
Q3 (2 points)
What harm could you do in real life if you managed to pose as an AP?
2.4 Fake Access Points
To fool possible attackers it is possible to generate false AP signals. In Kani there is a program fakeap.py in the /home/lab/labra directory. First use this program to generate fake access points with the default settings. Then change the used ESSID to netlabtest_none. Use Kismet on Heppa’s mon0 interface to monitor the situation.
TIP: You will probably have to restart Kismet between steps to clear the AP list.
Q4 (2 points)
What does Kismet show?
(a) When running FakeAP with default settings
(b) With static ESSID (netlabtest_none) and no wireless security
(c) With ESSID, BSSID, security and channel set to the netlabtest_none values
Q5 (1 point)
How could you identify the real netlabtest_none AP in each of the cases a, b and c?
Stop fakeap.py and have the clients connect to the real access points again, in case they have disconnected.
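The following script is an added example, not part of the lab handout or of any of the tools named in it: it shows the defender's side of this section, flagging an ESSID that is advertised by more than one BSSID, on more than one channel, or with inconsistent security settings, and checking observed BSSIDs against an operator's inventory. The scan records, MAC addresses and the inventory are constructed sample data; the real netlabtest_none BSSID is whatever you recorded in Q1.

```python
# Added example (not part of the lab handout): flag ESSIDs whose advertising
# APs disagree with each other, the pattern that a fake AP such as the one
# generated in this section produces in a Kismet or airodump-ng scan.
# The scan records below are constructed sample data, not a real capture.
from collections import defaultdict

# Constructed airodump-ng style records: (BSSID, channel, privacy, ESSID)
SAMPLE_SCAN = [
    ("00:11:22:33:44:55", 6, "OPN", "netlabtest_none"),    # the "real" AP (made-up MAC)
    ("00:11:22:33:44:56", 6, "OPN", "netlabtest_none"),    # same ESSID, different BSSID
    ("02:AA:BB:CC:DD:EE", 11, "WPA", "netlabtest_none"),   # same ESSID, other channel/security
    ("00:DE:AD:BE:EF:01", 1, "WPA2", "aalto"),             # unrelated network, consistent
]


def index_by_essid(scan):
    """Group scan records by ESSID -> list of (bssid, channel, privacy)."""
    by_essid = defaultdict(list)
    for bssid, channel, privacy, essid in scan:
        by_essid[essid].append((bssid.upper(), channel, privacy))
    return by_essid


def find_suspicious_essids(scan):
    """Return {essid: [reasons]} for ESSIDs whose advertising APs disagree."""
    findings = {}
    for essid, aps in index_by_essid(scan).items():
        reasons = []
        bssids = {b for b, _, _ in aps}
        channels = {c for _, c, _ in aps}
        privacy = {p for _, _, p in aps}
        if len(bssids) > 1:
            reasons.append("multiple BSSIDs: " + ", ".join(sorted(bssids)))
        if len(channels) > 1:
            reasons.append("multiple channels: " + ", ".join(str(c) for c in sorted(channels)))
        if len(privacy) > 1:
            reasons.append("mixed security: " + ", ".join(sorted(privacy)))
        if reasons:
            findings[essid] = reasons
    return findings


def verify_against_allowlist(scan, allowlist):
    """allowlist maps ESSID -> the BSSID the operator registered for it.
    Returns (essid, bssid) pairs that use a known ESSID from an unknown BSSID."""
    rogue = []
    for bssid, _channel, _privacy, essid in scan:
        expected = allowlist.get(essid)
        if expected is not None and bssid.upper() != expected.upper():
            rogue.append((essid, bssid.upper()))
    return rogue


if __name__ == "__main__":
    for essid, reasons in find_suspicious_essids(SAMPLE_SCAN).items():
        print(f"{essid}: " + "; ".join(reasons))
    # Constructed inventory: the operator knows the real AP's BSSID.
    print(verify_against_allowlist(SAMPLE_SCAN, {"netlabtest_none": "00:11:22:33:44:55"}))
```

The ESSID-consistency check catches cases (a) and (b) of Q4; the allowlist check catches any fake whose BSSID differs from the registered one. In case (c), where BSSID, channel and security all copy the real AP, neither field-based check can separate the two, and the remaining signals are the ones Q1 asks you to record anyway: signal power over time and the physical location it implies.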
2.5 Cracking WEP
Change the AP Matti (10.38.40.2) to use WEP with 64-bit encryption. Set the key to ABCDEFABCD. This can be done easily all at once with the wep.sh script, as mentioned in the Background info section. Also connect to Teppo (10.38.40.1) with ssh and use wlconf again to take the wireless interface down, so that Teppo's signal won't disturb this exercise. Now the clients should see a network named netlabtest_wep. NetworkManager takes a while to update the list of available networks, so be patient. Connect Sybil and Kani to the network. If the clients have problems connecting to the network, a reboot should help.
Keep wireless networking disabled in Heppa's NetworkManager and use the machine to collect traffic with airodump-ng. This time you also have to save the traffic. Start generating traffic with ping in flood mode or with a file transfer. There is a file named biggerfile in the /home/lab directory. You can transfer this file between Sybil and Kani until you have generated enough traffic. For 64-bit WEP encryption, 300 000 IVs (= packets) should be enough. Then use the program aircrack-ng to crack the WEP key. If you're out of luck, you need to capture more packets. Newly captured files can be given to aircrack-ng as additional input. If it seems that the collecting is taking far too long, make an estimate of the time you think it would take.
Q6 (1 point)
How long did the data collection take, or seem to take?
Q7 (1 point)
How long did the actual cracking take?
A similar process can be used when cracking WEP with longer keys; only the number of IVs needed is higher. For 128-bit WEP, over 1 500 000 IVs are typically needed. Use the previously captured file wep128.ivs to crack 128-bit WEP.
Q8 (1 point)
How long does it take for aircrack-ng to crack 128-bit WEP?
Q9 (2 points)
What can you say about the security of WEP?
Q10 (2 points)
Open the capture of the 64-bit WEP traffic with Wireshark. What can you see? Then decrypt the file with airdecap-ng and use Wireshark again. What can you see now?
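As background for Q9, here is an added worked calculation (not from the lab handout or the Aircrack-ng project) on one structural reason WEP is weak, independent of the key-recovery attack aircrack-ng runs on the IVs you captured: WEP builds each frame's RC4 key by prepending a 24-bit IV to the shared key, so the keystream repeats as soon as an IV repeats, and 2^24 IVs is a small space at WLAN frame rates. The frame rate of 500 frames/s used in the demonstration is an assumed figure, not a lab measurement.

```python
# Added example (not part of the lab handout): quantifying why WEP's 24-bit IV
# is too small. WEP forms the RC4 key by prepending a 24-bit IV to the shared
# key, so two frames with the same IV are encrypted with the same keystream.
# The numbers below follow from the IV size alone.
import math

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS  # 16 777 216 distinct IVs per WEP key


def iv_exhaustion_seconds(packets_per_second):
    """Seconds until a sender that uses IVs sequentially must repeat one."""
    return IV_SPACE / packets_per_second


def expected_iv_reuse_pairs(n_packets, iv_space=IV_SPACE):
    """Expected number of frame pairs sharing an IV when IVs are drawn at random."""
    return n_packets * (n_packets - 1) / (2 * iv_space)


def collision_probability(n_packets, iv_space=IV_SPACE):
    """Birthday bound: probability that n random IVs contain at least one repeat."""
    return 1.0 - math.exp(-n_packets * (n_packets - 1) / (2 * iv_space))


def packets_for_collision_probability(p, iv_space=IV_SPACE):
    """Smallest n with collision_probability(n) >= p (inverse of the bound above)."""
    # Solve n(n-1) = -2N ln(1-p) for n and round up to the next whole frame.
    return math.ceil(0.5 + math.sqrt(0.25 - 2 * iv_space * math.log(1.0 - p)))


if __name__ == "__main__":
    # 500 frames/s is an assumed rate for illustration, not a lab measurement.
    print(f"IV space exhausted in {iv_exhaustion_seconds(500) / 3600:.1f} h at 500 frames/s")
    print(f"50% chance of an IV repeat after {packets_for_collision_probability(0.5)} random IVs")
    print(f"expected IV collisions in a 300 000-IV capture: {expected_iv_reuse_pairs(300_000):.0f}")
```

Sequential IV use exhausts the space in a little over nine hours at 500 frames/s; random IV choice is worse, with a 50% chance of a repeat after fewer than five thousand frames and thousands of repeated-keystream pairs in a capture the size of the one this exercise asks for. WPA's per-packet keying and WPA2's CCMP were designed to remove exactly this keystream-reuse problem, which is the context for the next section.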
F1b: With 64 bit WEP on, measure the transfer bandwidth with iperf again and write down the results.
2.6 Cracking WPA
Now try cracking WPA encryption. Set AP Matti (10.38.40.2) to WPA encryption mode by running the wpa.sh script. Sybil and Kani should now see a network named netlabtest_wpa, which they should also join. To make sure that the clients are connected successfully to the AP, ping between Sybil and Kani. If the clients have problems connecting to the network, a reboot should help.
F1c: With WPA encryption on, measure the transfer bandwidth with iperf again and write down the results.
Start a packet capture on Heppa with airodump-ng while running a deauth attack with aireplay-ng (interface: mon0). Let the attack run until you have captured at least one handshake. After that, stop the capture and run aircrack-ng in dictionary mode using /home/lab/labra/password.ls as the wordlist.
Q11 (2 points)
How did that attack work? What can you say about the importance of strong keys regardless of the encryption strength?
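The deauthentication flood used above has a clear signature on the defender's side. The script below is an added example, not part of the lab handout or of the Aircrack-ng suite: it runs a simple rate-based detector over a log of management frames, alerting on a burst of deauth/disassoc frames from one source address inside a short time window. The frame records, the MAC addresses and the window/threshold values are constructed sample data and assumed tuning parameters; a real deployment would feed it frames parsed from a monitor-mode capture.

```python
# Added example (not part of the lab handout): detecting the deauthentication
# flood used in this section from a log of management frames. Without 802.11w,
# deauth and disassoc frames are not authenticated, so a forged burst of them
# carrying an AP's address is the attack's observable signature; a legitimate
# AP sends such frames rarely. The frames below are constructed sample data.
from collections import defaultdict

AP_MAC = "00:11:22:33:44:55"      # constructed BSSID of the lab AP
CLIENT_MAC = "aa:bb:cc:00:00:01"  # constructed client address
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Records: (timestamp_s, frame_subtype, source_addr, dest_addr)
SAMPLE_FRAMES = [
    (0.00, "beacon", AP_MAC, BROADCAST),
    (0.10, "data", AP_MAC, CLIENT_MAC),
    (1.00, "deauth", AP_MAC, CLIENT_MAC),                # single deauth: normal operation
    (2.50, "deauth", "02:de:ad:be:ef:00", CLIENT_MAC),   # two stray deauths, below threshold
    (2.70, "deauth", "02:de:ad:be:ef:00", CLIENT_MAC),
]
# A forged flood: 40 broadcast deauths "from" the AP, 10 ms apart.
SAMPLE_FRAMES += [(round(5.0 + i * 0.01, 2), "deauth", AP_MAC, BROADCAST) for i in range(40)]
SAMPLE_FRAMES.append((6.00, "assoc_req", CLIENT_MAC, AP_MAC))  # client re-joins afterwards


def detect_deauth_floods(frames, window_s=1.0, threshold=10):
    """Return one alert per burst of >= threshold deauth/disassoc frames from the
    same source address within window_s seconds, as (source, start, end, count)."""
    by_src = defaultdict(list)
    for ts, subtype, src, _dst in frames:
        if subtype in ("deauth", "disassoc"):
            by_src[src].append(ts)
    alerts = []
    for src, times in by_src.items():
        times.sort()
        n, i = len(times), 0
        while i < n:
            j = i
            while j + 1 < n and times[j + 1] - times[i] <= window_s:
                j += 1  # frames inside the window that starts at frame i
            if j - i + 1 >= threshold:
                end = j
                while end + 1 < n and times[end + 1] - times[end] <= window_s:
                    end += 1  # absorb the rest of the burst into one alert
                alerts.append((src, times[i], times[end], end - i + 1))
                i = end + 1
            else:
                i += 1
    return alerts


def deauth_count_per_source(frames):
    """Total deauth/disassoc frames per source address, a quick triage view."""
    counts = defaultdict(int)
    for _ts, subtype, src, _dst in frames:
        if subtype in ("deauth", "disassoc"):
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, start, end, count in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"ALERT deauth flood from {src}: {count} frames in {end - start:.2f} s starting at t={start}")
    print(deauth_count_per_source(SAMPLE_FRAMES))
```

The window and threshold are tuning knobs: a production WIDS would set them per BSSID from observed baselines so that a single legitimate deauth, like the one at t=1.0 s in the sample, never alerts. Detection does not stop the handshake capture, though; the mitigations are a passphrase that is not in any wordlist (the point of Q11) and, on networks that support it, 802.11w protected management frames, which authenticate deauth frames so that forged ones are discarded.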
2.7 Ad hoc Network
You can also configure the DD-WRT APs from the web (HTTP) interface. Use Firefox to configure both APs to work as unbridged wireless ad hoc nodes with no encryption. You can choose the ESSID and channel freely, but they have to be identical on every device. On Sybil and Kani, switch the wireless interface to ad hoc mode using iwconfig. You have to bring the wireless interface down with ifconfig before you can change the mode. The channel and ESSID can also be configured with iwconfig, or with NetworkManager on Kani and nm-connection-editor on Sybil. After all the required settings are done, use ifconfig again to bring the wireless interface up.
The IP addresses in the ad hoc network should be:
• Matti: 10.38.50.105/24
• Teppo: 10.38.50.104/24
• Sybil: 10.38.50.101/24
• Kani: 10.38.50.102/24
Use ping to check that the ad hoc network is working correctly. You may need to configure the settings a few times to get each client working properly. Changing the ESSID and channel may also help.
F1d: Measure the bandwidth between Sybil and Kani using iperf a few times and write down the results.
2.8 Ad hoc Routing
Next you will test an ad hoc routing protocol, OLSR [5]. The code for this protocol is experimental and hence not very user friendly. Problems may occur, but try to be patient and methodical. Ask the assistants for help if necessary. The most important thing here is to try the protocol with direct links between computers. Getting the transfer through hops can be trickier, so it's okay if you do not succeed in it. However, extra points are available for one-hop and two-hop transfer results. If you succeed in the one-hop and two-hop transfers, try a three-hop transfer by enabling NetworkManager and running OLSR routing on Heppa. You can check the status of OLSR on the APs by connecting to port 80 with your browser.
Use airodump-ng on Heppa to capture packets on your ad hoc channel. Start OLSR routing on Sybil and Kani using the olsrd command. OLSR can be enabled on the APs from the web interface by selecting Setup -> Advanced Routing -> Operating mode: OLSR Router. If there is already an interface entry for eth1 with all-zero values, delete it. Then select New Interface: eth1, click Add and then Apply. Use ping and tracepath to check that the routing is working. Stop capturing packets on Heppa.
IMPORTANT NOTE: Ensure that NetworkManager is not disabled, since OLSR routing doesn't work if you configure the ad hoc network with iwconfig while NetworkManager is disabled. Also ensure that wireless encryption is disabled before you configure OLSR.
Hint for succeeding in the one-hop and two-hop transfers:
Keep OLSR running. First run tracepath to the AP from both machines (Sybil and Kani). If that works, try tracepath from Sybil to Kani and vice versa.
Q12 (2 points)
Analyze your OLSR capture with Wireshark. List the different OLSR message types that you see and briefly explain their purpose.
Next, use iptables to configure the Linux firewall [6] on Kani and on one of the APs to force the transfer through more hops. The forcing can be done by blocking MAC addresses:
iptables -L
iptables -A INPUT -m mac --mac-source <mac address> -j DROP
iptables -F    # flushes the table
F1e: Measure iperf performance a few times with one AP between Sybil and Kani.
F1f: Have the transfer go through two APs (from Sybil to Kani) and measure the average bandwidth using iperf a few times.
Before leaving the lab do the following: stop OLSR routing, flush iptables, enable wireless in NetworkManager on all the workstations and copy all the files you are going to need for your final report to a remote server, e.g., kosh.aalto.fi, or to a memory stick. You also have to enable the eth1 interface on the APs and disable the mon0 interface on Heppa. Then delete all the files you have created from the workstations. Also put both wireless routers back to default mode by running none.sh on both of them. The commands are the following:
iptables -F
ifconfig eth1 up
airmon-ng stop mon0
ssh root@10.38.40.1 ./none.sh
ssh root@10.38.40.2 ./none.sh
3 Final report (12 points)
In your final report, answer the questions presented during the lab work (marked with Q) and the following final report questions.
F1 (4 points)
(a) Make a chart depicting all the bandwidth rates you have collected in exercises F1a–F1f (2 pts)
(b) What can you say about the results? How quickly does the connection deteriorate if there is more than one hop? (2 pts)
F2 (4 points)
During the lab you saw how WEP can be cracked, as well as WPA. Discuss briefly WPA/WPA2's security.
F3 (4 points)
Ad hoc routing protocols can be divided into reactive and proactive protocols. Explain the difference, and specifically explain how AODV (not tested in this lab work) and OLSR work.
4 Points and Grade
The grade is given according to the following table. Preliminary report: 20 pts. Final report: 19 + 12 = 31 pts. Total: 51 pts.

Grades

Points      Grade
0...26      0
27...31     1
32...36     2
37...41     3
42...46     4
47...51     5
However, the grade must be zero (0) if any of the following conditions is true:
• Less than 50% of the preliminary exercises are right.
• Less than 50% of the final exercises are right.
• The student has failed to pass tasks in the laboratory.
References
[1] Aircrack-ng main documentation. http://www.aircrack-ng.org/documentation.html
[2] Kismet homepage. http://www.kismetwireless.net/
[3] NewMedia-NET GmbH. DD-WRT homepage. http://dd-wrt.com/
[4] NetworkManager homepage. http://projects.gnome.org/NetworkManager/
[5] Tønnesen, Lopatic, Gredler et al. olsrd homepage. http://www.olsr.org/
[6] Pablo Neira Ayuso. Netfilter homepage. http://www.netfilter.org/