Hacking. Aims. Naming, Acronyms, etc. Sources



Similar documents
ENHWI-N n Wireless Router

TECHNICAL NOTE. GoFree WIFI-1 web interface settings. Revision Comment Author Date 0.0a First release James Zhang 10/09/2012

Linksys WAP300N. User Guide

Access Point Configuration

YO-301AP POE AP Datasheet

Cisco WAP4410N Wireless-N Access Point: PoE/Advanced Security. Cisco Small Business Access Points

WRE2205. User s Guide. Quick Start Guide. Wireless N300 Range Extender. Default Login Details. Version 1.00 Edition 1, 06/2012

DSL-2600U. User Manual V 1.0

running operation mode painless TECHNICAL SPECIFICATION WAN/LAN: One 10/100 Fast Ethernet RJ-45 WPS (WiFi Protected Setup) WAN (Internet connection)

User Guide. E-Series Routers

2.4GHz / 5GHz Dual CPU 600Mbps 11N AP/Router

Chapter 2 Configuring Your Wireless Network and Security Settings

Cisco WAP4410N Wireless-N Access Point: PoE/Advanced Security Cisco Small Business Access Points

Link Link sys E3000 sys RE1000

ESR7550 KEY FEATURES PRODUCT DESCRIPTION

ECB GHz Super G 108Mbps Access Point/Client Bridge/Repeater/WDS AP/

OpenWRT - embedded Linux for wireless routers

ESR b/g/n SOHO Router

WHA-5500CPE. 108 Mbps. 5GHz a Super Range Outdoor CPE. PoE. Long Distance Champion. All-In-One Solution. 25 Kilometers Distance or More

Chapter 2 Wireless Settings and Security

WBS210/WBS510 Datasheet

ESR b/g/n SOHO Router

USER GUIDE AC2400. DUAL BAND GIGABIT Wi Fi ROUTER. Model# E8350

USER GUIDE Cisco Small Business

802.11b/g/n SOHO Router 2.4GHz 150Mbps 11N AP/Router

OSBRiDGE 5XLi. Configuration Manual. Firmware 3.10R

ECB1220R. Wireless SOHO Router/Client Bridge

ESR b/g/n SOHO Router PRODUCT OVERVIEW. 2.4 GHz 150Mbps 11N Router/AP

EAP300. Long Range Ceiling Mount Access Point PRODUCT OVERVIEW

EAP N Wall Mount Access Point / WDS AP / Universal Repeater

AP60. 9 Wireless. Wireless-b/g/n Long Range PoE Access Point. Wireless-b/g/n Long Range Radio. Passive PoE and 4-LAN Ports. IP Finder Management 4 LAN

DOCUMENT REFERENCE: SQ EN FIXED BROADBAND WHITEBOX SAMKNOWS BRIEFING. August 2015

BASIC INSTRUCTIONS TO CONFIGURE ZYXEL P8701T CPE USING THE WEB INTERFACE

Output Power (without antenna) 5GHz 2.4GHz

Network Security Best Practices

9 Simple steps to secure your Wi-Fi Network.

Network Security. Network Packet Analysis

5GHz 300Mbps a/n Wireless Outdoor Access Point

DT01 WiFi/3G VoIP PBX / ATA User Manual

EAP350. Long Range Ceiling Mount Access Point PRODUCT OVERVIEW

Chapter 6 Using Network Monitoring Tools

LW310V2 Sweex Wireless 300N Router

Wireless Encryption Protection

Wireless LAN Access Point. IEEE g 54Mbps. User s Manual

EPI-3601S Wireless LAN PCI adapter Version 1.2 EPI-3601S. Wireless LAN PCI Adapter. (802.11g & b up to 108 Mbps) User Manual. Version: 1.

Topics in Network Security

EW-7438RPn V2 User Manual

Conceptronic 150N Wireless LAN Access Point User s Manual Version: 1.0

WIRELESS ROUTERS. 450Mbps Wireless Dual-Band iq Router. 300Mbps Wireless Broadband iq Router. Wireless Networking Solutions

ESR (Go Green Series) Wireless-N Broadband Router / AP / Repeater. 2.4 GHz b/g/n 300 Mbps

WiFi Security Assessments

How To Check If Your Router Is Working Properly

Installation Guide Wireless 4-Port USB Sharing Station. GUWIP204 Part No. M1172-a

WAP3205 v2. User s Guide. Quick Start Guide. Wireless N300 Access Point. Default Login Details. Version 1.00 Edition 2, 10/2015

Chapter 6 Using Network Monitoring Tools

HIGH PERFORMANCE WIRELESS ADAPTER

Wharf T&T Limited Report of Wireless LAN Technology Trial Version: 1.0 Date: 26 Jan Wharf T&T Limited. Version: 1.0 Date: 26 January 2004

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

WISP 101. The DO s and DON T s of becoming a Wireless ISP

EAP300. Long Range Ceiling Mount Access Point PRODUCT OVERVIEW

Quick Start Guide. WRV210 Wireless-G VPN Router with RangeBooster. Cisco Small Business

Security Awareness. Wireless Network Security

EAP350 EAP350. Long Range Ceiling Mount Access Point PRODUCT OVERVIEW

PePWave Surf Series PePWave Surf Indoor Series: Surf 200, AP 200, AP 400

AC1750 Dual Band Wireless Router with StreamBoost Technology. TEW-824DRU (v1.0r) TEW-824DRU

Nokia Siemens Networks. CPEi-lte User Manual

AC : MOBILE AND WIRELESS NETWORKS COURSE DEVELOPMENT WITH HANDS-ON LABS

estadium Project Lab 8: Wireless Mesh Network Setup with DD WRT

FI8910W Quick Installation Guide. Indoor MJPEG Pan/Tilt Wireless IP Camera

WLAN Outdoor CPE For 2.4G. Quick Installation Guide

IEEE a/ac/n/b/g Enterprise Access Points ECW5320 ECWO5320. Management Guide. Software Release v

NetComm Wireless NP920 Dual Band WiFi USB Adapter. User Guide

Cisco WAP4410N Wireless-N Access Point, PoE/Advanced Security

INFORMATION TECHNOLOGY MANAGEMENT COMMITTEE LIVINGSTON, NJ ITMC TECH TIP ROB COONCE, MARCH 2008

JOB READY ASSESSMENT BLUEPRINT COMPUTER NETWORKING FUNDAMENTALS - PILOT. Test Code: 4514 Version: 01

MIMOTEC GigaLink AC. User Manual. Version 1.5 (8 January 2014) MIMOTEC, Norway & Sweden

LOHU 4951L Outdoor Wireless Access Point / Bridge

A Division of Cisco Systems, Inc. GHz g. Wireless-G. Access Point with SRX. User Guide WIRELESS WAP54GX. Model No.

Wireless N ADSL2/2+ Router

Figure 1. The Motorola SB4200 cable modem

Preparing the Computers for TCP/IP Networking

Wireless Ethernet LAN (WLAN) General a/802.11b/802.11g FAQ

How To Check If Your Router Is Working Properly On A Nr854T Router (Wnr854) On A Pc Or Mac) On Your Computer Or Ipad (Netbook) On An Ipad Or Ipa (Networking

WRE6505. User s Guide. Quick Start Guide. Wireless AC750 Range Extender. Default Login Details. Version 1.00 Edition 1,

WL-5460AP. User s Manual. 54Mbps Multi-Function Wireless AP. AirLive WL-5460AP v2 User Manual

Lab Organizing CCENT Objectives by OSI Layer

The next generation of knowledge and expertise Wireless Security Basics

User Manual. PePWave Surf / Surf AP Indoor Series: Surf 200, E200, AP 200, AP 400. PePWave Mesh Connector Indoor Series: MC 200, E200, 400

Quick Installation Guide

54M/150M/300Mbps USB WIRELESS ADAPTER. User s Manual Version 2.0

GW-300NAS. Giga WAN Port. Giga LAN Port. Wireless 2T2R 300Mbps Giga NAS Router 2T2R. Mbps Green Router. IPTV Pass- Through

Yun Shield User Manual VERSION: 1.0. Yun Shield User Manual 1 / 22.

Wireless Network Standard and Guidelines

University of Hawaii at Manoa Professor: Kazuo Sugihara

United States Trustee Program s Wireless LAN Security Checklist

OV704WVG Product Specifications

Wireless-N Access Point with Power Over Ethernet

Wireless LAN Device Series

DV230 Web Based Configuration Troubleshooting Guide

Movie Cube. User s Guide to Wireless Function

Transcription:

Free Technology Workshop Hacking Hands on with wireless LAN routers, packet capture and wireless security Organised by Steven Gordon Bangkadi 3 rd floor IT Lab 10:30-13:30 Friday 18 July 2014 http://ict.siit.tu.ac.th/moodle/.-----.-----.-----..----. _ - _ - _ _ W I R E L E S S F R E E D O M Aims Understand what is a wireless router See the internals (hardware) Know about (open source) firmware Understand what is a wireless LAN Setup a wireless LAN Aware of security features in wireless LANs Capture wireless packets ( sniffing ) Bypass security features in wireless LANs openwrt.org wikipedia.org and others Sources AP - access point Naming, Acronyms, etc. BSSID - basic SSID identifies AP CTS - clear to send ESSID - extended SSID identifies network (also SSID) LAN - local area network MAC - medium access control (layer) defines how to share channel with others NAT - network address translation allows private addressing in internal network PHY - physical (layer) defines data rate, channels, power, signals,... RTS - request to send SSID - service set identifier WAN - wide area network WEP - wired equivalent privacy insecure encryption WLAN - wireless LAN also WiFi, IEEE 802.11 WMM - wireless multimedia mode priority for voice, video packets WPA - WiFi protected access secure encryption WRT - wireless router

Router IP: 192.168.1.1 Quick Reference Router username: root Router password: s11tnetw0rk Router name and SSID: ICTRxx (xx=10, 11,...) Wireless Routers imac username: student imac password: student Software: http://ict.siit.tu.ac.th/software/ Workshop: http://ict.siit.tu.ac.th/moodle/ Removable antennas Wireless Router at Home 192.168.1.2 Modem 120.6.46.15 192.168.1.1 192.168.1.3 telephone line to ISP Reset Internet (WAN) port LAN ports Power Internet connection with public IP 192.168.1.4 internal LAN with private IPs 192.168.1.5

Wireless All-in-one Router at Home Link to ISP Wireless LAN AP at SIIT SIIT internal network with private IPs 192.168.1.1 192.168.1.2 120.6.46.15 192.168.1.3 telephone line to ISP 203.131.209.66 192.168.1.4 192.168.1.5 Internet connection with public IP internal LAN with private IPs Wireless Router Wireless Router with ADSL Modem Ethernet WAN port Router with firewall, NAT, web server, SSH server, DHCP server,... Ethernet switch WLAN access point ADSL Modem Router with firewall, NAT, web server, SSH server, DHCP server,... Ethernet switch WLAN access point external network internal network external network internal network

Wireless AP Router Ethernet port Bridge All-in-one WLAN interface internal network AP Removable antennas Linksys WRT54G(L) Since 2003, popular wireless router with Linux firmware supports 3 rd party firmware CPU: Broadcom 200MHz 32-bit MIPS Flash: 4MB Non-volatile storage RAM: 16MB Volatile storage Wireless chip: Broadcom (integrated) CPU + WiFi + Switch Wireless PHY: 11b, 11g Up to 54 Mb/s Wireless Tx Power: 63 mw Adjustable Antenna: 2 x 2.2dBi dipole Removable RP-SMA Reset Internet (WAN) port LAN ports Power Wired ports: 5 x 10/100Mb/s 4 x LAN + 1 x WAN

RAM Broadcom CPU Flash Memory Wireless LANs Wireless LANs IEEE 802.11 (standards), WiFi (marketing) Aim: Provide equivalent functionality to wired Ethernet Advantages of wireless: No wires Mobility Disadvantages of wireless: More errors, varying delay: hard to achieve same performance as wires Spectrum/frequencies available is limited: cannot just add more wires Radio transmissions are broadcast: No physical security

Wireless LANs: Broadcast Radio Wireless LANs: Broadcast Radio transmission range C A - Transmit signal at center frequency f, with bandwidth BW - Devices with receives tuned to frequency f will receive the signal (if it has strong enough power) - Strong enough power : depends on transmit power, receiver characteristics, antennas, frequency, obstructions - Assume maximum distance some signal can be transmitted is range D B Everyone within range of transmitter receives the signal If two (or more) signals received at same time, then neither can be understood Interference, a collision occurs IEEE 802.11 MAC protocol aims to ensure only one device transmits at a time Good: No (or few) collisions Bad: Each device must wait for other devices before it can send Shared medium: divide the data rate by number of devices wanting to share IEEE 802.11 Wireless LANs IEEE 802.11 Wireless LANs Access Point (AP): acts as a bridge between wireless segment (WiFi) and wired segment (Ethernet) Client: wireless communications to AP Wired network AP C1 Physical (PHY) Layer: Defines how to send wireless signals between devices Data rate, frequency, bandwidth, power, modulation,... Different standards: 802.11a, 802.11b, 802.11g,... Medium Access Control (MAC) Layer: Defines how to efficiently send data between devices while sharing the medium Common across different PHY standards C2 C3

Wireless LAN PHY Characteristics Channels in 2.4 GHz Band 2.4 GHz ISM Band: 2.400-2.485 GHz Channel Bandwidth: ~20 MHz 11n, 11ac use larger bandwidth for higher data rate www.microwavejournal.com Wireless LANs: Key Points Data Rate Speed at which data sent between 2 devices Varies according to PHY and distance Throughput: MAC Overheads, e.g. headers, ACKs: 20-40% 54 Mb/s - 25% overhead = 4 Mb/s Waiting for others: divide by number of users 10 users associated with AP: 4 Mb/s per user 5 GHz band allows for more non-overlapping channels and has less interference

Wireless LANs: Key Points Wireless LANs: Key Points Frequency Bands: 2.4 GHz: supported by all devices; crowded 5 GHz: not all APs, clients support; shorter range; less interference Channels: Important when many nearby APs Security: None: no authentication or encryption WEP: shared secret key, flawed WPA: shared secret key (client and AP) 2 APs, 20 clients split amongst the APs APs use same channel: 2 Mb/s per user APs use non-overlapping channels: 4 Mb/s per user WPA Enterprise: authentication performed between client and separate server, encryption between client and AP 2.4 GHz band: channels 1, 6 and 11 (and 14) 5 GHz band: 8 non-overlapping channels WRT54GL Flash Memory 4096KB = 4MB 256K 501K 1739K 64K 1536K Wireless Router Firmware Bootloader Kernel Root file system Root data NVRAM Bootloader: loads firmware image into RAM, reads parameters from NVRAM Firmware image: Linux Kernel Root file system, e.g. permanent applications and libraries Root data, e.g. config files, installed applications NVRAM: configurable parameters only used by bootloader How to see this info? cat /proc/mtd and/or dmesg

Wireless Router Firmware - Normal Operation Wireless Router Firmware - Flashing New Firmware When router boots, bootloader loads firmware (kernel + root + data) into RAM and executes kernel Bootloader can be used to write a new firmware image Permanent changes can be written to root data on Flash Edit configuration files Install new applications Non-permanent changes can be written to temporary file system in RAM Log files Replace kernel + root file system Two common options: Existing firmware image has option to replace itself Bootloader includes simple application (TFTP) to allow transfer of firmware image to device upon boot Next time the device boots, bootloader loads the new kernel + root file system Wireless Router Firmware OpenWRT All wireless routers come with manufacturer provided firmware Based on Linux and other embedded OS 3 rd party firmware projects, usually Linux-based OpenWRT: configurable with latest developments, free, open source software DD-WRT: based on OpenWRT, ready-to-use, includes proprietary components Tomato: ready-to-use, includes proprietary components and others Open source Linux distribution for embedded network devices Base packages provided as downloadable firmware image for many different devices Package manager (opkg) allows additional packages to be installed Different versions: 14.07 Barrier Breaker 12.09 Attitude Adjustment 10.03 Backfire 8.09 Kamikaze

Challenges with OpenWRT (and other 3 rd party firmware) Only work for selected wireless routers, primarily those that use Linux-based manufacturer firmware Delay between release of new router and firmware image release Mac OSX Command Line Without open source drivers (or binary drivers provided by chip manufacturers) router features may not work E.g. 802.11ac drivers are not yet common Performance with open source drivers may be worse (or better!) then manufacturer drivers Mac OSX File Sharing Mac OSX Commands File Sharing Time a command on Terminal: System Preferences Sharing $ cd /Volumes/students' Public Folder File Sharing: On Connect to another imac: Finder Shared imac_xx Public Shared Directory: Yours: /Users/student/Public Theirs: /Volumes/student's Public Folder Create 20 MB random file in Terminal: $ time cp rand.bin ~/ real 0m8.804s... View interfaces (en0 Ethernet, en1 WiFi): $ ifconfig en1 Change MAC address: $ sudo ifconfig en1 ether aa:bb:cc:11:22:33 $ dd if=/dev/urandom of=rand.bin bs=20m count=1

Mac OSX Software Installs Mac OSX Packet Capture http://ict.siit.tu.ac.th/software/osx/ XQuartz (needed by Wireshark) Wireshark Link to airport: (only needed once) sudo ln -s /System/Library/PrivateFrameworks/Apple80211.fr amework/versions/current/resources/airport /usr/local/bin/airport Search for active channels: $ sudo airport en1 -s Start capture on channel 6: $ sudo airport en1 sniff 6 (Ctrl-C to quit) View the.cap file with tcpdump or Wireshark Setup the Wireless Router Example Wireless Networks Explore OpenWRT web interface View Stats: Status Realtime Graphs... Config Wifi: Network Wifi Edit... Install software: System Software... Edit firewall: Network Firewall...

Measure Performance Intercept Other Peoples Data imac1 imac2 wsiit AP imac2 Compare delay across Ethernet vs WiFi imac1: ping 192.168.1.1 imac1 imac2: ping 192.168.1.1 Measure throughput across WiFi Setup File Sharing on imacs imac1: Create 20MB random file in Public directory $ dd if=/dev/urandom of=rand.bin bs=20m count=1 imac2: Copy file from imac1 shared directory to home $ time cp /Volumes/students' Public Folder/rand.bin ~/ imac1: Start packet capture imac2: Access website (via SIIT internet) imac1: Stop packet capture and view.cap file in Wireshark Filter by 'http' and/or 'ip==10.10.x.y' Use Wireless Router as Client wsiit AP Setup a Rogue AP and Redirect HTTPS Login Web Pages to Unencrypted HTTP Logins In OpenWRT web interface: Network Wifi Scan Join Network Default parameters (wwan, ) Save and Apply Now use imac to access SIIT internet via router?

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information