Saturday, February 8, 2014

brief summary of week 2 (first successful attack trial)

Unfortunately, we did not meet all the requirements that our supervisor gave, especially regarding the concept of the 802.11 MAC frame. Thus, next week, before anything else, we should research it and get at least a basic understanding of it. The attachment gives an explanation of the frame (How 802.11 wireless works).

This week, what we have done is check the configuration of the WEP and WPA encryption that is commonly used to protect wireless network passwords. In addition, we have successfully completed the deauth attack and the injection attack against WEP encryption, while cracking WPA needs more effort. We have already recovered the password of the WEP-encrypted wireless network. The demonstration and the screenshots are shown below:



The first step is to turn on monitor mode with "airmon-ng" and watch a specific channel, filtering by BSSID with "airodump-ng", to focus on the target AP. The captured packets are written to a file whose name is chosen by the attacker.
It can be very slow to capture enough packets in a short time, so we used the command shown in the figure above, "aireplay-ng", to send packets to the AP.
Once we have enough packets, i.e. enough information, we simply run "aircrack-ng" on the capture file mentioned above, and we got the password: 12345, just as we had set it.

In WPA, compared with WEP, the IV (initialization vector) has been lengthened, and TKIP (Temporal Key Integrity Protocol) makes it possible to dynamically generate a new 128-bit key for each packet. Thus, the old method used for WEP does not work.
There are two solutions. One is to use reaver to implement an exhaustive method; whether it finds the right password depends on luck, or it could take an incredibly long time.
The other is to deauth one user device and capture a handshake packet when it reconnects to the AP. The handshake packet can help with the decryption.
However, cracking WPA can take days even after the handshake packet has been captured.

Therefore, our team will keep working on WPA and learn how to set up a fake AP. If we have extra time, we will start trying kismet, which is used for intrusion detection.
PS: we will familiarize ourselves with the concept of the 802.11 frame.
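As an added example (not part of the original post or of the tools it names), the Python below decodes the 802.11 MAC header fields mentioned in the PS and flags a transmitter that sends an unusual number of deauthentication frames, which is the kind of check an intrusion detector such as kismet performs. The frames, MAC addresses and threshold are constructed here for illustration; a radiotap header is assumed to have been stripped already.

```python
import struct
from collections import Counter

# Frame Control (first 2 bytes, little-endian): bits 0-1 protocol version,
# bits 2-3 type (0 = management), bits 4-7 subtype (12 = deauthentication,
# 8 = beacon), bits 8-9 To DS / From DS flags.
TYPE_MGMT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DEAUTH = 12

def build_frame(fc_type, fc_subtype, addr1, addr2, addr3, body=b""):
    """Build a minimal 802.11 MAC header (FC, duration, addr1-3, sequence control) plus body."""
    fc = (fc_type << 2) | (fc_subtype << 4)
    header = struct.pack("<HH", fc, 0) + addr1 + addr2 + addr3 + struct.pack("<H", 0)
    return header + body

def parse_header(frame):
    """Decode the 24-byte 802.11 MAC header into its fields."""
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    return {
        "version": fc & 0x3,
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        "addr1": frame[4:10].hex(":"),   # receiver / destination
        "addr2": frame[10:16].hex(":"),  # transmitter / source
        "addr3": frame[16:22].hex(":"),  # BSSID for management frames
    }

def deauth_flood_sources(frames, threshold=5):
    """Count deauth frames per (transmitter, BSSID) and return pairs at or over threshold."""
    counts = Counter()
    for frame in frames:
        h = parse_header(frame)
        if h["type"] == TYPE_MGMT and h["subtype"] == SUBTYPE_DEAUTH:
            counts[(h["addr2"], h["addr3"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}

# Constructed sample capture: 2 beacons from the AP, 8 broadcast deauths carrying
# the AP's address as transmitter (the deauth-flood pattern), 1 ordinary deauth from a client.
AP = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("aabbccddee01")
BROADCAST = b"\xff" * 6
SAMPLE_FRAMES = (
    [build_frame(TYPE_MGMT, SUBTYPE_BEACON, BROADCAST, AP, AP)] * 2
    + [build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, BROADCAST, AP, AP, struct.pack("<H", 7))] * 8
    + [build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, AP, CLIENT, AP, struct.pack("<H", 3))]
)

if __name__ == "__main__":
    print(deauth_flood_sources(SAMPLE_FRAMES))
```

On the constructed capture, only the pair (AP address, AP BSSID) crosses the threshold, with 8 deauth frames; the single client deauth is below it and not reported.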
