Table of Contents
WiFi Warzone
WiFi warzone | |
---|---|
founder: | ruza |
depends on: | |
interested: | |
software license: | - |
hardware license: | - |
~~META: status = active ~~
Why?
“WiFi warzone” is an test and training environment built in brmlab hackerspace aimed on pentesting wireless networks, because, You know, attacking other people's computer is not always legal.
This lab should not be about “I know the shared key, therefore I'm done” only, but also about understanding and knowing wireless pentesting principles through your own personal experience. Crack that key by yourself, even if somebody told you what the shared key is.
What you should learn is not to know the “exact string” which will enable you to connect. You should learn how to setup a proper tools to crack it by yourself, which WiFi card and driver works well for you, which wifi card is able to do things like packet injection, how hard/easy it is, where to get appropriate wordlist, how to create it, etc.
What?
Task: using various techniques, tools and skills try to get an Shared key used to associate to each AP/ESSID. Once You are able to associate to this ESSID and got an working connectivity you're done. Make sure you understand what you've just done :)
Each ESSID has its own shared secret set up.
Hardware and software setup
TP-link WR1043NDv1 with DD-WRT v24SP2 firmware installed. Whole HW&SW setup is somewhat extended via Optware (opkg) and few ugly instalation hacks onto an 8GB USB stick. All wireless networks set up are available on 802.11 b/g/n. Upstream connectivity it routed through Tor_(anonymity_network).
HACKME-WPS runs at TP-link WR703N.
Client side
client NOT associated to AP/ESSID
That's you :)
client associated to AP/ESSID
an device you can log on and connect in “WiFi client” mode to the ESSID you are attacking and also generate traffic through the AP connected. (TODO, not available yet)
Wireless networks
Since all the upstream connectivity on this HW device is routed through Tor_(anonymity_network) this additional ESSID was configured for You to be able to connect to AP that has all connectivity routed through Tor_(anonymity_network) network.
ESSID: "HACKME-WEP"
Wireless security: WEP 64 bit encryption with Shared keys
It's actually not an complicated task to hack into a wireless network with such a wireless security. That's the main reason why WEP encryption is mostly not used and not recommended already these days, yet you can still encounter such networks in the wild. On this AP/ESSID you should start to understand how the lab is built and what can you do with.
ESSID: "HACKME-WPA"
Wireless security: WPA-PSK (aka Personal)
Hacking this ESSID you should get more practical usable experience for hacking today's wireless networks.
ESSID: "HACKME-WPA2"
Wireless security: WPA2-PSK (aka Personal)
ESSID: "HACKME-WPS"
Wireless security: WPA/WPA2-PSK (aka Personal)
This AP has “Wi-Fi Protected Setup” (WPS) enabled. Hint: be careful. AP will lock you out after few failed attempts.
ESSID: "brmlabTor"
Wireless security: WPA2-PSK
Preshared key: same as for brmlab.cz ESSID
ToDo
- setup an WiFi client side (client that is connected to the AP and is generating traffic). Attacker is (maybe) able to choose an AP to which an client is connected and also (maybe) generate traffic by himself.
- setup an Wi-Fi_Protected_Setup hackable AP