Wireless Network Security Lab: Exploiting Wireless Networks and Servers, Lab Reports of Computer Science

A lab exercise aimed at helping students learn about wireless network security. The lab involves discovering the security features of a wireless access point, connecting to it, identifying and exploiting vulnerabilities in a server on the network, and creating a user account on a tinyPEAP router. Students are expected to use tools such as Netstumbler, Kismet, AirSnort, Ethereal, and libpcap on Windows and Linux systems.

Typology: Lab Reports

Pre 2010

Uploaded on 08/05/2009

koofers-user-a7k

Wireless Security Lab (Due on 12/6/04)

Introduction:

The purpose of this lab is to experiment with a wireless network and learn how to exploit its properties. In doing so, you will learn how to use a variety of new tools for surveying and sniffing wireless networks (and networks in general). The overall goal, however, is to exploit a Red Hat 7.1 server on the wired network by going through the wireless network. This can be done by any means necessary, although we do provide you with a local root exploit that has been tested to work on this server.

Part I

To begin this lab, you will have to find a way to associate with the access point with the SSID CS4803. This will require you to figure out what kind of security features the access point is implementing. It's not a bad start to simply set your client to associate with the access point, but it's not going to work. For Windows users, survey the site using Netstumbler. For Linux users, use either Kismet or AirSnort. After surveying the site, it should be fairly clear why you cannot associate properly.

The next step will be to sniff the traffic on the WLAN, and hopefully this can provide you with enough information to associate with and use the WLAN. I suggest the use of libpcap or WinPcap and Ethereal, but you may use whatever you like.

Note: On Windows machines, it may be difficult to sniff a WLAN you are not yet fully connected to, since as soon as Windows figures out you aren't welcome, it stops listening to the traffic. You can still sniff by having your sniffer open while trying to connect to the AP a few times. This behavior may vary from card to card and from Windows version to Windows version. You only need a few packets at this point.

Another note for Windows: in order for me to be able to use the network properly, I had to reboot a few different times for no actual apparent reason. Results may vary.

Part II

Now that you are connected to the network, you will need to find out what's going on. There is 1 server on this network, and 1 wireless client. Through sniffing the network traffic, figure out who the server is. Also determine which services it provides, because you must find a way to gain access to it. You may portscan this server if you wish, but there is a very stealthy attack that does not require this. Instead, look for insecure protocols that the clients might be using to access the server. This can provide you with all sorts of information, including valid user level logins to the server. Definitely be patient with the sniffing. Sniff for at least 20-30 minutes, or until you are confident you have a lead.

Part III

After doing your reconnaissance, you should have acquired enough information to begin exploiting the server. If you have never done this before, do not fear: the server is horribly insecure. An exploit is provided under /tmp as "exploit.c", but once again, exploit what you want (just please no DoS). Once you gain root, read the secret message in the file /root/Mr-Lee (not Dr-Lee, that is someone else). Be sure to clean up after yourself! There should be no traces of you left on the machine once you are done with this (clear your bash history, etc.).

Extra Credit

There is another wireless connection whose SSID is "tinyPEAP". Its IP address is 10.1.2.50. Please log in to it using a web browser of your choice and create your user account (gt number), then log into it using your personal laptop (this part of the assignment does not contribute to your grade). Please do NOT try to reconfigure the two laptops on the table. The instructions are provided at http://www.tinypeap.com. The site also contains a white paper for tinyPEAP. Please use it to explain any possible exploits on tinyPEAP.

What to Turn In

Part I: (30 pts)
1. Describe the security features implemented at the wireless access point; (10 pts)
2. Describe how you can connect to the wireless access point as a legitimate user. (20 pts)

Part II: (40 pts)
1. Analyze the sniffed packets and find out the IP address of the server; (10 pts)
2. Find out the vulnerable services running at the server; (20 pts)
3. Describe how you gain the access to the server. (10 pts)

Part III: (30 pts)
1. Find and run an exploit to gain the root access; (10 pts)
2. Describe how the exploit that you used works; (10 pts)
3. Read the file /root/Mr-Lee. (10 pts)

The extra credit: (20 pts)
1. Create a user account on tinyPEAP router; (3 pts)
2. Which category does tinyPEAP fall into: 802.1x, WPA, or 802.11i? (7 pts)
3. Briefly explain the possible exploits on tinyPEAP. (10 pts)

Please make the homework into a tarball and email this to joshz@cc.gatech.edu.

Windows Wireless Security Tools

Ethereal – a free network protocol analyzer (sniffer)
http://www.ethereal.com/

WinPcap – for capturing packets
http://winpcap.polito.it/default.htm

SMAC – a utility for changing your MAC address even when your driver doesn't have that option. It requires a reboot after changing.
http://www.klcconsulting.net/smac/

Netstumbler – site surveying utility
http://www.netstumbler.com/

tinyPEAP – official tinyPEAP site
http://www.tinypeap.com

Linux Wireless Security Tools
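
Added example, not part of the original handout: the insecure protocols that Part II points to are also what a network owner audits for. This Python script reads a classic libpcap file and reports which client/server pairs use well-known cleartext services; the port list, the function names and the sample capture (documentation addresses in 192.0.2.0/24) are assumptions constructed for illustration.

```python
import struct
from collections import Counter

# Well-known TCP ports whose logins cross the network unencrypted.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}

def cleartext_flows(pcap: bytes) -> Counter:
    """Count packets per (client, server, service) sent to a cleartext port."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap capture")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    flows, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated, or not IPv4
        tcp = 14 + (frame[14] & 0x0F) * 4  # offset of the TCP header
        if frame[23] != 6 or len(frame) < tcp + 4:
            continue  # not TCP
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        dport = struct.unpack("!H", frame[tcp + 2:tcp + 4])[0]
        if dport in CLEARTEXT_PORTS:
            flows[(src, dst, CLEARTEXT_PORTS[dport])] += 1
    return flows

def _frame(src, dst, sport, dport):
    """Constructed sample data: a minimal Ethernet/IPv4/TCP frame, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 1024, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_capture() -> bytes:
    """Constructed capture using documentation addresses (192.0.2.0/24)."""
    client, server = (192, 0, 2, 20), (192, 0, 2, 10)
    pkts = [_frame(client, server, 40000, 23), _frame(server, client, 23, 40000),
            _frame(client, server, 40000, 23), _frame(client, server, 40001, 22)]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in pkts)

if __name__ == "__main__":
    for (src, dst, svc), n in cleartext_flows(sample_capture()).items():
        print(f"{src} -> {dst} uses {svc} ({n} packets)")
```

Any pair this reports is a candidate for migration to an encrypted equivalent such as SSH, which the script deliberately does not flag.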