Penetration Testing
mailing list archives
creating fake APs
From: bLiTz <blitztrade () yahoo com>
Date: Wed, 16 Apr 2008 21:08:46 -0700 (PDT)
Hi, thanks for the earlier help. We are now in phase II of the project and need to build a more secure network. I had the following questions:
1. For this I was planning to use fakeap to create a large number of fake APs. But I am not able to configure fakeap after spending hours and hours on it. From what I understand, we need to have hostap in order to run fakeap. I wasn't able to configure and install it (I am trying to get this working on Ubuntu and then later, if possible, on OpenWRT on a Linksys WRT54GL). It would be great if anybody out there could guide me or point me to some place where it is clearly explained how to get hostap and fakeap working.
2. If there are any other similar tools out there, please let me know.
3. Advice on how to monitor our wireless network. Using a WIDS? Which WIDS would you guys suggest we use?
-----Original Message-----
From: bLiTz [mailto:blitztrade () yahoo com]
Sent: Wednesday, April 02, 2008 1:47 PM
To: Nico Darrow
Subject: Re: Help for wireless penetration testing game/competition
They want us to break into the network in general and we get points depending on what we do. Yes, ours is not that advanced a course. So we could just cause DoS at all the APs. Getting the file from the server will get us the maximum points. Any idea how we could get to their server? It's running on VMware.
----- Original Message ----
From: Nico Darrow <ndarrow () airdefense net>
To: <blitztrade () yahoo com>; Nico Darrow <ndarrow () airdefense net>
Sent: Wednesday, April 2, 2008 11:58:29 AM
Subject: RE: Help for wireless penetration testing game/competition
EAP-TLS will require you to pen the client to get the certificates and login credentials. If there is no server-side certificate verification then you can MiTM the client and try sniffing the handshake inside the TLS tunnel. Remember with newer EAP, the first handshake is always fake but the real one happens inside the tunnel.
Are you sure they want you to break the EAP-TLS AP? That's a little advanced for a classroom project.
-----Original Message-----
From: <blitztrade () yahoo com>
To: "Nico Darrow" <ndarrow () airdefense net>
Sent: 4/2/2008 11:01 AM
Subject: Re: Help for wireless penetration testing game/competition
I am sorry, I had to write that in a hurry and didn't really think of explaining it in a better way. Thanks for the quick reply.
1. For this phase we are supposed to leave the DHCP on (the competition is in two phases and this network configuration is supposed to emulate an insecure network. In the next phase we are allowed to make changes).
4. No, the EAP method being used is not LEAP. I think they are using EAP-TLS.
----- Original Message ----
From: Nico Darrow <ndarrow () airdefense net>
To: <blitztrade () yahoo com>; "pen-test () securityfocus com" <pen-test () securityfocus com>; wifisec <wifisec () securityfocus com>
Sent: Wednesday, April 2, 2008 9:17:10 AM
Subject: RE: Help for wireless penetration testing game/competition
First of all, that was very hard to read and painful.
Things I'd recommend:
1. Your open AP: enable MAC filtering, disable DHCP (set your clients static) and change your subnet. This will prevent them from connecting wirelessly; if they still can plug into your AP via a hardline then ignore this.
2. WEP, easy. If your AP has something called "IP isolation"/"PSPF"/"MU-to-MU disallow", enable this feature; it'll slow them down depending on their level.
3. WPA-PSK: cracking this doesn't require traffic, you need the WPA 4-way handshake that happens when a client associates to the AP. Usually the best way is to DoS a client off the AP (hard and fast). Make sure you target the client specifically and not just do a broadcast deauth; some clients will ignore the broadcast deauth, or it won't be sufficient enough to force a handshake.
4. EAP, you can bet it's going to be LEAP. Take a look at the asleap tool available (Google is your friend). If they've set up anything else (RADIUS backend) then you'll have to do a MiTM or client penetration to get certificates and credentials.
5. Client penetration: nmap, nessus, metasploit, scapy. 'nuff said.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
Sent: Tuesday, April 01, 2008 3:35 PM
To: pen-test () securityfocus com; wifisec
Subject: Help for wireless penetration testing game/competition
Hi,
I am a student and am taking this course called Wireless Security. As a part of the course the class is divided into two teams and we have to hack each other's wireless networks. It works in two phases. I need help in the first phase.
We have 4 APs:
1. Open access point: the opposite team's access point is in our team's physical location (and ours is in their location). It has DHCP enabled and, if needed, we can disconnect it and plug in our client and get on their physical network.
2. WEP AP: We have already cracked their WEP key.
3. WPA-PSK: the problem with getting into this is that for the 1st phase there is no traffic being generated by the other team, so we can't deauth it and get the PSK.
4. WPA EAP: Not sure what EAP method they are running.
The network is managed by a Windows Server 2003 running on VMware and there is a PIX firewall and a switch. The server has two files: one hidden and one open.
So the task is now to somehow get:
1. Access to the AP which is not open, or launch a DoS
2. Get to the server files or corrupt them
We can do the task either wirelessly or through the wired network. We were also able to take one AP out of the network by ARP poisoning using scapy. So I wanted suggestions from you guys out there. I know there are loads of materials out there but we don't have time. So any help will be appreciated.
Thx
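The thread asks which WIDS to use (question 3 above), describes fakeap spraying large numbers of fake APs, and describes forcing a WPA handshake by deauthenticating a specific client. The following is an added example, not code from this thread nor from fakeap, hostap or any WIDS product: a small Python model of the three heuristics a wireless IDS applies to a monitor-mode capture to spot exactly those events. It works over constructed 802.11 management-frame summaries; the MAC addresses, the SSID "LabNet", the AP inventory and the window/threshold values are all assumptions made for the example.

```python
# Toy WIDS heuristics over constructed 802.11 management-frame summaries.
# Added example; MACs, SSID "LabNet" and thresholds are hypothetical.
from collections import defaultdict, deque
from dataclasses import dataclass

BCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ts: float        # capture time in seconds
    subtype: str     # "beacon", "deauth", "disassoc", ...
    src: str         # transmitter MAC (the BSSID for beacons)
    dst: str         # receiver MAC
    ssid: str = ""   # only meaningful for beacons
    channel: int = 0


# Constructed inventory of the APs we operate: BSSID -> (SSID, channel).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("LabNet", 1),
    "00:11:22:33:44:02": ("LabNet", 6),
}


def detect_rogue_aps(frames, authorized=AUTHORIZED_APS):
    """Compare every distinct beacon against the AP inventory.
    evil_twin: unknown BSSID advertising one of our SSIDs;
    unknown_ap: unknown BSSID with some other SSID;
    bssid_mismatch: our BSSID seen with the wrong SSID/channel."""
    protected = {ssid for ssid, _ in authorized.values()}
    alerts, seen = [], set()
    for f in frames:
        if f.subtype != "beacon" or (f.src, f.ssid, f.channel) in seen:
            continue
        seen.add((f.src, f.ssid, f.channel))
        if f.src in authorized:
            if (f.ssid, f.channel) != authorized[f.src]:
                alerts.append(("bssid_mismatch", f.src, f.ssid, f.channel))
        elif f.ssid in protected:
            alerts.append(("evil_twin", f.src, f.ssid, f.channel))
        else:
            alerts.append(("unknown_ap", f.src, f.ssid, f.channel))
    return alerts


def detect_beacon_flood(frames, window=1.0, threshold=20):
    """Alert when `threshold` never-seen BSSIDs appear within `window` s.
    Returns one detection timestamp per contiguous flood episode."""
    first_seen, recent, hits, alerting = set(), deque(), [], False
    for f in frames:
        if f.subtype != "beacon" or f.src in first_seen:
            continue
        first_seen.add(f.src)
        recent.append(f.ts)
        while recent and f.ts - recent[0] > window:   # drop stale entries
            recent.popleft()
        if len(recent) >= threshold and not alerting:
            alerting = True
            hits.append(f.ts)
        elif len(recent) < threshold:
            alerting = False
    return hits


def detect_deauth_flood(frames, window=1.0, threshold=5):
    """Per transmitter, sliding-window count of deauth/disassoc frames.
    Returns {transmitter: (kind, sorted targets)}; kind is "broadcast"
    if any frame of the burst went to ff:ff:ff:ff:ff:ff, else "targeted"."""
    per_src, alerted = defaultdict(deque), {}
    for f in frames:
        if f.subtype not in ("deauth", "disassoc"):
            continue
        q = per_src[f.src]
        q.append(f)
        while q and f.ts - q[0].ts > window:
            q.popleft()
        if len(q) >= threshold and f.src not in alerted:
            targets = {x.dst for x in q}
            kind = "broadcast" if BCAST in targets else "targeted"
            alerted[f.src] = (kind, sorted(targets))
    return alerted


def sample_capture():
    """Constructed capture: normal beacons, one evil twin, a beacon flood
    and a targeted deauth burst whose source spoofs our AP's BSSID."""
    frames = []
    for i in range(20):                       # our two APs, 100 ms beacons
        frames.append(Frame(i * 0.1, "beacon", "00:11:22:33:44:01", BCAST, "LabNet", 1))
        frames.append(Frame(i * 0.1 + 0.05, "beacon", "00:11:22:33:44:02", BCAST, "LabNet", 6))
    frames.append(Frame(0.5, "beacon", "de:ad:be:ef:00:01", BCAST, "LabNet", 11))
    for i in range(30):                       # 30 fresh BSSIDs in 0.3 s
        frames.append(Frame(1.0 + i * 0.01, "beacon", f"02:00:00:00:00:{i:02x}",
                            BCAST, f"fake{i}", 1 + i % 11))
    for i in range(8):                        # 8 deauths to one client in 0.2 s
        frames.append(Frame(1.5 + i * 0.025, "deauth", "00:11:22:33:44:01",
                            "aa:bb:cc:dd:ee:ff"))
    return sorted(frames, key=lambda f: f.ts)


if __name__ == "__main__":
    cap = sample_capture()
    for alert in detect_rogue_aps(cap):
        print("rogue AP:", alert)
    print("beacon flood detected at:", detect_beacon_flood(cap))
    print("deauth floods:", detect_deauth_flood(cap))
```

On the constructed capture this reports one evil twin, thirty unknown APs, a beacon flood starting about 1.18 s in, and a targeted deauth burst from our own BSSID against a single client. A real sensor would feed these functions from a monitor-mode capture, tune the thresholds to the site's normal beacon and roaming rates, and, for deauths that carry an authorized BSSID as source, check the AP's own counters to confirm the AP never sent them.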