Welcome to the Mini WiFi village (inspired by https://wctf.us). This exercise writeup was made with a classroom setting in mind. That is, it can be set up at an academic institution to give students hands-on experience with attacking/cracking WEP and WPA2 access points.
Please set up the lab environment as directed in the Setup Directions sections.
Type the commands yourself.
Copy and paste will not work properly.
If you run into trouble or have questions, feel free to e-mail Ahmed Ibrahim at (aibrahim@pitt.edu) for assistance.
- Required Equipment
- Networks Setup Directions
- Raspberry Pis (RPis) Setup Directions
- Gathering BSSID information
- Cracking these networks
To build the lab environment, you need the following equipment:
- One Belkin N450 F9K1105V4 (The V4 is guaranteed to work but is currently out of stock; find it on eBay)
- One TP-Link AC1750 (Archer A7)
- Three CanaKit Raspberry Pi 3
- Three Samsung 32GB MicroSD Memory Card
At the time of creating this document, the cost for the above-mentioned equipment is as follows:
| Device | Unit Price | Quantity | Total Price |
|---|---|---|---|
| Belkin N450 F9K1105v4 | ~$20 | 1 | $20 |
| TP-Link AC1750 (Archer A7) | $59.99 | 1 | $59.99 |
| CanaKit Raspberry Pi 3 | $54.99 | 3 | $164.97 |
| Samsung 32GB MicroSD Memory Card | $7.99 | 3 | $23.97 |
| TOTAL | | | $268.93 |
To perform the attack, you need the following external wireless adapter:
The Belkin N450 router will broadcast the following networks:
| AP Name | Band | Channel | Security | Key | Notes |
|---|---|---|---|---|---|
| Munich | 2.4GHz | 9 | WEP 64-bit | 1111222233 | -- |
| LONDON | 5GHz | 149 | WEP 64-bit | 1223344556 | -- |
| Toronto | 2.4GHz | 9 | WPA2 | Rotterdam | Guest Network |
Note that the 2.4GHz 'Toronto' guest network configuration will not have a field for the 'Channel'. My guess is that it automatically uses the same channel you set for the regular 2.4GHz 'Munich' network.
The TP-Link AC1750 router will broadcast the following networks:
| AP Name | Band | Channel | Security | Key | Notes |
|---|---|---|---|---|---|
| Paris | 2.4GHz | 8 | WEP 64-bit | 0123456789 | -- |
| LUXOR | 5GHz | 157 | WEP 128-bit | 11223344556677889900AABBCC | -- |
| -- | 2.4GHz | - | - | - | Guest Network |
Here's a figure demonstrating the APs and the network they are broadcasting:
The 2.4GHz 'Munich' and 'Paris' networks should not have any connected clients. This allows students to experience packet injection and cracking WEP with no connected wireless clients.
Each of the 5GHz 'LONDON' and 'LUXOR' networks will have a connected client. This allows students to experience sniffing wireless packets and cracking WEP with both 64-bit and 128-bit key sizes.
The 2.4GHz 'Toronto' network (WPA2) should have a wireless client that keeps connecting and disconnecting at a set interval. This allows students to experience capturing a WPA2 handshake and using it with a given wordlist to find the key/password.
Now, let us set up and configure the three Raspberry Pis such that:
- One RPi will connect to the 5GHz LONDON network and keep generating traffic on the network
- One RPi will connect to the 5GHz LUXOR network and keep generating traffic on the network
- One RPi will keep connecting to and disconnecting from the 2.4GHz Toronto network to generate WPA2 handshakes
Step 2.1: Follow the directions here to set up each of the RPis.
Step 2.2: On the RPi that you want to use for generating traffic on the 5GHz LONDON network, perform the following directions.
Step 2.3: On the RPi that you want to use for generating traffic on the 5GHz LUXOR network, perform the following directions.
Step 2.4: On the RPi that you want to use for connecting to and disconnecting from the 2.4GHz Toronto network, perform the following directions.
You can certainly gather the BSSID information for each WiFi network from the router/device itself. However, I prefer that you gather the BSSID for each network the same way the students will gather such information to make sure nothing went wrong during setup.
If you are new to wireless monitoring, here is a step-by-step guide on how to start that process.
Once you have a Panda N600 Dual Band WiFi network card in monitor mode, you can perform the following operations:
- To find the BSSID for your Munich network, run `airodump-ng -c 9 --essid Munich wlan0mon`
- To find the BSSID for your Paris network, run `airodump-ng -c 8 --essid Paris wlan0mon`
- To find the BSSID for your LONDON network, run `airodump-ng -c 149 --essid LONDON wlan0mon`
- To find the BSSID for your LUXOR network, run `airodump-ng -c 157 --essid LUXOR wlan0mon`
- To find the BSSID for your Toronto network, run `airodump-ng -c 9 --essid Toronto wlan0mon`
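Beyond reading the BSSID off the screen, the instructor can use the same airodump-ng run to confirm that each lab network is broadcasting with the channel and security listed in the tables above. The script below is an added example and is not part of the original lab page: it parses an airodump-ng CSV capture (adding `-w <prefix> --output-format csv` to the commands above makes airodump-ng write one) and compares each network's observed channel and privacy field with the expected values. The capture embedded in the script is constructed sample data in airodump-ng's CSV layout with placeholder BSSIDs, and the function names `ap_field` and `check_ap` are my own.

```shell
#!/bin/sh
# Added example, not part of the original lab page: check an airodump-ng CSV
# capture against the lab's expected AP table (ESSID, channel, privacy).
# On the real lab, produce the CSV with the page's command plus an output file,
# e.g.  airodump-ng -c 9 --essid Munich -w munich --output-format csv wlan0mon
# and pass munich-01.csv to check_ap instead of the sample file.

# CONSTRUCTED sample data in airodump-ng's CSV layout (placeholder BSSIDs).
# The Paris row is deliberately wrong (WPA2 instead of WEP) so that a
# misconfigured AP is visible in the sample run.
SAMPLE_CSV="${TMPDIR:-/tmp}/wifi-village-sample.csv"
cat > "$SAMPLE_CSV" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2019-06-01 10:00:00, 2019-06-01 10:00:30,  9,  54, WEP , WEP, , -41,       55,        0,   0.  0.  0.  0,   6, Munich,
AA:BB:CC:00:00:02, 2019-06-01 10:00:00, 2019-06-01 10:00:30,  9,  54, WPA2, CCMP, PSK, -43,       52,        0,   0.  0.  0.  0,   7, Toronto,
AA:BB:CC:00:00:03, 2019-06-01 10:00:00, 2019-06-01 10:00:30,  8,  54, WPA2, CCMP, PSK, -60,       48,        0,   0.  0.  0.  0,   5, Paris,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
EOF

# Print one field of the AP row whose ESSID is $2, from CSV $1.
# Field numbers follow airodump-ng's header: 1=BSSID, 4=channel, 6=Privacy, 14=ESSID.
# Prints nothing if the ESSID was not seen in the capture.
ap_field() {
    csv=$1; essid=$2; field=$3
    awk -F',' -v essid="$essid" -v field="$field" '
        /^Station MAC/ { exit }                 # stop at the client section
        NF >= 14 {
            e = $14; gsub(/^[[:space:]]+|[[:space:]]+$/, "", e)
            if (e == essid) {
                v = $field; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$csv"
}

# Compare an AP's observed channel and privacy with the lab table.
# Returns 0 on match, 1 if the AP is missing or misconfigured.
check_ap() {
    csv=$1; essid=$2; want_chan=$3; want_priv=$4
    bssid=$(ap_field "$csv" "$essid" 1)
    if [ -z "$bssid" ]; then
        echo "MISSING  $essid: not seen in this capture"
        return 1
    fi
    chan=$(ap_field "$csv" "$essid" 4)
    priv=$(ap_field "$csv" "$essid" 6)
    if [ "$chan" = "$want_chan" ] && [ "$priv" = "$want_priv" ]; then
        echo "OK       $essid bssid=$bssid channel=$chan privacy=$priv"
        return 0
    fi
    echo "MISMATCH $essid bssid=$bssid channel=$chan (want $want_chan) privacy=$priv (want $want_priv)"
    return 1
}

# Sample run over the 2.4GHz networks from the lab tables.
failures=0
while read -r essid chan priv; do
    check_ap "$SAMPLE_CSV" "$essid" "$chan" "$priv" || failures=$((failures + 1))
done <<'EOF'
Munich 9 WEP
Paris 8 WEP
Toronto 9 WPA2
EOF
echo "$failures mismatch(es) against the lab table"
```

A channel-9 capture will not contain the 5GHz networks, so LONDON and LUXOR are reported as MISSING there rather than as misconfigurations; check them against the captures taken on channels 149 and 157. The sample run reports Munich and Toronto as OK and flags the constructed Paris row as a MISMATCH, which is the kind of error (a WEP network accidentally left on WPA2) that would otherwise only surface once students start the exercise.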
Here is an example of a project you can assign to students: Example Project.
To obtain the solution manual on how to crack these networks, please send an e-mail to Ahmed Ibrahim at (aibrahim@pitt.edu) with the subject "WiFi Project Solution Manual". Please include a link to your instructor web page in the e-mail. Once you are validated as an instructor, we will send you the solution manual. Please don't share the solution manual with any students.
© Ahmed Ibrahim, 2019
This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0). To view a copy of this license, visit https://creativecommons.org/licenses/by-nc-sa/4.0/.
The information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY) DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.