Assignment #5 - Old Dominion University WordPress


OLD DOMINION UNIVERSITY

CYSE 301 CYBERSECURITY TECHNIQUES AND OPERATIONS

Assignment #5

Jesse Vallejos: 01053345

Spring 2019

1 SUMMARY

At the beginning of this module, we discussed wireless networks, authentication, and encryption for wireless, to gain a better understanding of how the attacks in the later sections would be executed. For this module, we focused on the WEP and WPA authentication methods and their weaknesses. WEP is as secure as a wired connection, and the encryption scheme can be cracked through the use of Initialization Vectors (IVs). As for WPA, this method is more secure, but the hacker can still decrypt the network traffic if the passphrase for the scheme is obtained. One major difference between these two encryption protocols is that WEP does not have mutual authentication, whereas WPA does. WPA uses a four-way handshake to authenticate the client and access points, and WEP uses only the access points to authenticate a station.

After learning about these protocols, the module shifted to practice that gave experience with cracking WEP and WPA traffic. Both of these practices began with running Wireshark on the corresponding .cap files to give an understanding of what the encrypted traffic looked like. From there we began to run the aircrack-ng command on the wep.cap file and selected the corresponding index number to crack the WEP key. After that, the airdecap-ng command was used to decrypt the traffic, and the -dec.cap file that was created in response was opened in Wireshark as the decrypted file. As for the WPA protocol, the process was relatively similar, except we needed to run a dictionary attack with the aircrack-ng -w wordlist command to obtain a passphrase. Once this command was entered and the index number was selected, the passphrase was revealed, allowing the airdecap-ng -p Passphrase -e Essid command to be entered to decrypt the file. Once completed, the -dec.cap could be opened in Wireshark to reveal the decrypted traffic information.

2 SCREENSHOTS

airdecap-ng to decrypt the network traffic

#wireshark lab4wep-dec.cap

#aircrack-ng -w wordlist.txt WPA2.cap

#airdecap-ng lab4wpa2.cap -p password -e CCNI

#wireshark WPA2-dec.cap

3 Exercise

1. Implement a dictionary attack and find the password used for encryption.

For this particular exercise, I downloaded my .cap file to the same location as the rockyou.txt, so I first needed to change the directory to CYSE301, then to CYSE/Module V-Wireless Security. I then used the ls command to confirm the files were in the current directory.

Once I confirmed that all of the necessary files were in this directory, I used the command aircrack-ng -w rockyou.txt WPA2-P3-01.cap to run a dictionary attack with rockyou.txt as the wordlist. When the command finished, the password manchester was revealed.
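The aircrack-ng -w dictionary run described in the summary and in this exercise, and the -p/-e pair that airdecap-ng requires, both rest on the IEEE 802.11i passphrase-to-key mapping. The following is an added example (not the assignment's code, nor aircrack-ng's) that derives the PMK as the standard specifies and shows why the ESSID must accompany the passphrase; the wpa_supplicant block helper assumes the psk= format that wpa_passphrase emits.

```python
import hashlib
import re

# Added example, not part of the assignment: the IEEE 802.11i passphrase-to-PMK
# mapping used by WPA/WPA2-Personal. The ESSID is the PBKDF2 salt, which is why
# airdecap-ng needs both -p <passphrase> and -e <essid>, and why every wordlist
# candidate costs a full 4096-iteration PBKDF2 run for that one network name.
PBKDF2_ROUNDS = 4096
PMK_LEN = 32          # 256-bit Pairwise Master Key


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """Map a WPA-Personal passphrase and ESSID to the 32-byte PMK.

    A 64-hex-digit value is already a raw PSK and is used as-is; otherwise the
    passphrase must be 8 to 63 printable ASCII characters, as 802.11i requires.
    """
    if re.fullmatch(r"[0-9A-Fa-f]{64}", passphrase):
        return bytes.fromhex(passphrase)
    if not (8 <= len(passphrase) <= 63 and passphrase.isascii() and passphrase.isprintable()):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    salt = essid.encode()
    if not 1 <= len(salt) <= 32:
        raise ValueError("ESSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt, PBKDF2_ROUNDS, PMK_LEN)


def wpa_supplicant_network_block(essid: str, passphrase: str) -> str:
    """Render a wpa_supplicant network block carrying the derived psk= hex, not the passphrase.

    This is the transformation wpa_passphrase(8) performs (assumed format, not taken
    from the assignment); the hex key still grants access, but only to this ESSID.
    """
    pmk = derive_pmk(passphrase, essid)
    return 'network={\n\tssid="%s"\n\tpsk=%s\n}\n' % (essid, pmk.hex())
```

The same passphrase on a network with a different ESSID yields a different PMK, which is what the test vector from the standard (passphrase "password", SSID "IEEE") and the CyberPHY/CCNI comparison illustrate.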

2. Decrypt the encrypted traffic and write a half-page summary to describe what you have explored from this encrypted traffic file (e.g., packet distribution, the majority, protocol type).

Before attempting to decrypt the WPA file’s traffic, I used the command aircrack-ng WPA2-P3-01.cap to ensure that there was a WPA handshake in the file and to find the ESSID.

After obtaining the ESSID, I used the previously discovered password from the last exercise in the command airdecap-ng WPA2-P3-01.cap -p manchester -e CyberPHY to decrypt the traffic.

Lastly, the command wireshark WPA2-P3-01-dec.cap was used to open the newly created file in Wireshark, revealing the decrypted traffic in the file.

Summary of Exercise 2

The first thing that I explored in the encrypted file was the protocols that were used for the various packets. While scrolling through the Wireshark results, I noticed that there was a large number of QUIC packets in the file, so I decided to filter for this protocol to see how many there were. With the filter applied, I saw that 948 of the 1169 packets were QUIC, which made up 81.1% of the entries. They were sent to and from various sources, and they all contained information related to payloads.

In addition to exploring the QUIC protocol, I also took time to examine the packets that were centered around the client key exchange. My first takeaway was that the key exchange used the TLSv1.2 protocol and that this protocol shows up in the TCP filter. In addition to this information, I also noticed that the TLSv1.2 protocol was used for application data and client information, which makes sense considering that the protocol showed up in the TCP filter and seemed to work within the handshakes of the WPA traffic.

The last thing that I explored in this encrypted file was the ARP protocol packets, which showed the sources and destinations by name rather than by their IP addresses. While these packets did not reveal the IP addresses for the sources and non-broadcast destinations, they did provide the MAC addresses next to their names. As for the information gathered from these packets, they were all centered around the source and destination requests. There were a lot of "Who has ...? Tell ..." entries in the Info column of Wireshark, and even a couple of entries that explained which MAC addresses corresponded with particular IP addresses.
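To reproduce the packet-distribution figures above (948 of 1169 packets, 81.1%) without Wireshark, here is an added example, not part of the assignment, that parses a classic pcap file and labels each frame as ARP, QUIC on UDP/443 or TLS on TCP/443. The capture it reads is constructed inline, and the port-based labels are a simplification of what Wireshark's dissectors do.

```python
import struct
from collections import Counter
# Added example (not the assignment's code): a minimal libpcap reader plus the coarse
# labelling behind the Exercise 2 packet-distribution figures; the capture is constructed inline.
ETH_ARP, ETH_IP, TCP, UDP = 0x0806, 0x0800, 6, 17

def classify(frame: bytes) -> str:
    """Label an Ethernet frame as ARP, QUIC (UDP/443), TLS (TCP/443) or other."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP:
        return "ARP"
    if ethertype != ETH_IP:
        return "other"
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    proto = frame[23]
    ports = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    if proto == UDP and 443 in ports:
        return "QUIC"
    return "TLS" if proto == TCP and 443 in ports else "other"

def read_pcap(data: bytes):
    """Yield packet bytes from a little-endian classic pcap (magic 0xa1b2c3d4)."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    off = 24                                # 24-byte global header
    while off + 16 <= len(data):            # 16-byte per-record header
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def distribution(pcap: bytes) -> dict:
    """Return {label: (count, percent)}, the figure behind '948 of 1169 = 81.1%'."""
    counts = Counter(classify(f) for f in read_pcap(pcap))
    total = sum(counts.values())
    return {p: (n, round(100.0 * n / total, 1)) for p, n in counts.items()}

def ip_frame(proto: int, sport: int, dport: int) -> bytes:
    """Constructed Ethernet/IPv4 frame, 10.0.0.1 -> 10.0.0.2, L4 header holding only ports."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + struct.pack("!HHI", sport, dport, 0)

def build_pcap(frames) -> bytes:
    """Wrap frames in a pcap file (record header: ts_sec, ts_usec, incl_len, orig_len)."""
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

ARP_FRAME = b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ETH_ARP) + b"\0" * 28
SAMPLE_PCAP = build_pcap([ip_frame(UDP, 51000, 443)] * 8 + [ip_frame(TCP, 51001, 443), ARP_FRAME])
```

Running distribution() on a real -dec.cap gives the same kind of table the Wireshark filter produced, with QUIC, TLS and ARP counted from the raw frames.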