OLD DOMINION UNIVERSITY
CYSE 301 CYBERSECURITY TECHNIQUES AND OPERATIONS
Assignment #5
Jesse Vallejos: 01053345
Spring 2019
1 SUMMARY
At the beginning of this module, we discussed wireless networks, authentication, and
encryption for wireless, to gain a better understanding of how the attacks in the later sections
would be executed. For this module, we focused on the WEP and WPA authentication methods
and their weaknesses. WEP is as secure as a wired connection, and its encryption scheme can be
cracked through the use of initialization vectors (IVs). As for WPA, this method is more secure, but an
attacker can still decrypt the network traffic if the passphrase for the scheme is obtained. One
major difference between these two encryption protocols is that WEP does not have mutual
authentication, whereas WPA does. WPA uses a four-way handshake to authenticate both the client
and the access point, whereas in WEP only the access point authenticates a station.
After learning about these protocols, the module shifted to practice that gave experience
with cracking WEP and WPA traffic. Both of these practices began with running Wireshark on
the corresponding .cap files to give an understanding of what the encrypted traffic looked like.
From there we ran the aircrack-ng command on the wep.cap file and selected the
corresponding index number to crack the WEP key. After that, the airdecap-ng command was
used to decrypt the traffic, and the -dec.cap file that was created in response was opened in
Wireshark as the decrypted file. As for the WPA protocol, the process was relatively similar,
except we needed to run a dictionary attack with the aircrack-ng -w wordlist command to obtain
a passphrase. Once this command was entered and the index number was selected, the
passphrase was revealed, allowing the airdecap-ng -p Passphrase -e Essid command to be
entered to decrypt the file. Once completed, the -dec.cap could be run in Wireshark to reveal the
decrypted traffic information.
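The summary above describes the WPA four-way handshake and why the passphrase recovered by the aircrack-ng dictionary run is enough to decrypt the capture. The following is an added example (not part of the original report or of aircrack-ng) that carries out the key derivation the handshake relies on: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds), PTK via PRF-512 over the two MAC addresses and nonces, and the HMAC-SHA1 key MIC that the access point checks in message 2. The passphrase "manchester" and ESSID "CyberPHY" come from the exercise; the MAC addresses, nonces and EAPOL-Key bytes are constructed stand-ins, not values from the capture.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, ESSID as salt, 4096 rounds, 32 bytes.
    The ESSID salt is why the same passphrase yields a different PMK on every network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, keep 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Key confirmation key = first 16 bytes of the PTK (pairwise key expansion over MACs and nonces)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """WPA2 (CCMP) key MIC: HMAC-SHA1 over the EAPOL-Key frame with its MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def handshake_mic_matches(passphrase, essid, ap_mac, sta_mac, anonce, snonce, eapol_zeroed, mic) -> bool:
    """The access point's check on message 2: does this passphrase reproduce the client's MIC?"""
    kck = derive_kck(pmk_from_passphrase(passphrase, essid), ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(eapol_mic(kck, eapol_zeroed), mic)


def demo():
    """Constructed handshake material (hypothetical MACs, nonces and frame bytes) for ESSID CyberPHY."""
    ap_mac, sta_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = bytes([0x11]) * 32, bytes([0x22]) * 32
    eapol_zeroed = b"\x01\x03\x00\x75\x02\x01\x0a" + bytes(110)  # constructed EAPOL-Key body, MIC zeroed
    kck = derive_kck(pmk_from_passphrase("manchester", "CyberPHY"), ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(kck, eapol_zeroed)  # what a client holding the real passphrase would send
    good = handshake_mic_matches("manchester", "CyberPHY", ap_mac, sta_mac, anonce, snonce, eapol_zeroed, mic)
    bad = handshake_mic_matches("liverpool", "CyberPHY", ap_mac, sta_mac, anonce, snonce, eapol_zeroed, mic)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

Because the MIC can be recomputed from the captured handshake alone, the same check run once per wordlist entry is exactly what the dictionary attack in the exercise does, which is why a passphrase found in rockyou.txt offers no protection.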
3 Exercise
1. Implement a dictionary attack and find the password used for encryption.
For this particular exercise, I downloaded my .cap file to the same location as the rockyou.txt, so
I first needed to change the directory to CYSE301, then to CYSE/Module V-Wireless Security. I
then used the ls command to confirm the files were in the current directory.
Once I confirmed that all of the necessary files were in this directory, I used the command
aircrack-ng -w rockyou.txt WPA2-P3-01.cap to run a dictionary attack with rockyou.txt as the
wordlist. When the command finished, the password manchester was revealed.
2. Decrypt the encrypted traffic and write half page summary to describe what you have
explored from this encrypted traffic file (e.g., packet distribution, the majority, protocol
type).
Before attempting to decrypt the WPA file’s traffic, I used the command aircrack-ng WPA2-P3-01.cap
to ensure that there was a WPA handshake in the file and to find the ESSID.
After obtaining the ESSID, I used the previously discovered password from the last exercise in
the command airdecap-ng WPA2-P3-01.cap -p manchester -e CyberPHY, to decrypt the
traffic.
Lastly, the command wireshark WPA2-P3-01-dec.cap was used to run the newly created file in
Wireshark, revealing the decrypted traffic in the file.
Summary of Exercise 2
The first thing that I explored in the encrypted file was the protocols that were used for
the various packets. While scrolling through the Wireshark results, I noticed that there was a
large number of QUIC packets in the file, so I decided to filter for this protocol to see how many
there were. In the filter, I saw that 948 of the 1169 packets were QUIC, which made up 81.1% of
the entries. They were sent to and from various sources, and they all contained information
related to payloads.
In addition to exploring the QUIC protocol, I also took time to examine the packets that
were centered around client key exchange. My first takeaway was that the key exchange used the
TLSv1.2 protocol and that this protocol shows up in the TCP filter. In addition to this
information, I also noticed that the TLSv1.2 protocol was used for application data and client
information, which makes sense considering that the protocol showed up in the TCP filter and
seemed to work within the handshakes of the WPA traffic.
The last thing that I explored in this encrypted file was the ARP protocol packets, which
showed the source and destinations by name, rather than their IP addresses. While these packets
did not reveal the IP addresses for the sources and non-broadcast destinations, they did provide
the MAC addresses next to their names. As for the information gathered from these packets, they
were all centered around the source and destination requests. There were a lot of Who has and
tell processes in the info section of Wireshark, and even a couple of entries that explained which
MAC addresses corresponded with particular IP addresses.