

All Labs

WEP Cracking via Passive Listening

The purpose of this lab is to understand and exploit the security vulnerabilities of an 802.11 WEP-secured network. You will passively collect enough WEP IVs (Initialization Vectors) to determine the WEP encryption key. After obtaining the key, you will need to masquerade as a legitimate WEP client on the network, access a server, and download a file.

Fundamental

mobile

WEP Cracking via Active Injection

The purpose of this lab is to continue exploring the vulnerabilities of the 802.11 WEP security protocol. It is well known that the WEP protocol is crippled by numerous security flaws. In the WEP Cracking via Passive Listening lab in the Eureka series, we explored methods of exploiting these flaws when a large amount of data was present. However, it is unlikely that a sufficiently large data stream is present on a network in regular use. This makes the relatively easy WEP crack from the basic lab considerably more difficult. In this lab, we will use more efficient techniques to continue exploiting the WEP protocol.

Fundamental

mobile

WPA-PSK Key Cracking via Handshake Capture

The first generation of the IEEE 802.11 Wired Equivalent Privacy (WEP) security standard was found to be vulnerable to various statistical weaknesses in the encryption algorithm. While attempts were made to correct the problem, it is still relatively simple to crack WEP and essentially obtain the password right out of thin air. As a result, the Wi-Fi Alliance created an interim standard called Wi-Fi Protected Access (WPA). However, the WPA Pre-Shared Key (PSK) mode is crackable due to a flaw that exists in the authentication procedure. There is a human-friendly password and a user involved. Combined with the reality that most users select poor passwords, there is an opportunity that can be exploited. The TKIP cipher is not crackable, as it is a per-packet key. However, the initialization of the TKIP, which happens during client authentication, provides an opportunity to obtain the password. An effective way to crack WPA-PSK is to force a re-authentication of a legitimate client. By forcing an actively connected client to disconnect and reconnect, we can capture the WPA-PSK four-way handshake that protects the key exchange. A robust dictionary attack may take care of a lot of simple passwords. Consequently, it is potentially easier to crack WPA-PSK than it is to crack WEP, as we will discover in this lab.

Fundamental

mobile

"Unlock" Wi-Fi Protected Setup (WPS)

Wi-Fi Protected Setup, or WPS, is a push-button authentication method for WPA2 Personal-secured networks. Have you ever been connecting to a network and seen an option underneath the "Password" field that said "Or push the button on the router to connect"? That is WPS at work. WPS relies mainly on physical security, or the idea that a potential attacker needs to be physically present to compromise the system. However, this lab will demonstrate how a remote WPS attack is still possible.

Advanced

mobile

Secure your WiFi with WPA2-Enterprise

The purpose of this lab is to set up a WPA/WPA2 Enterprise (TKIP/AES + EAP-TTLS/PEAP) wireless network using FreeRADIUS and OpenWrt on a router. In addition, you will configure Linux, Windows and Android clients to connect to the network.

Advanced

mobile

Mobile Lab Platform for Users (Updated)

In this document, we will first introduce how to create a user lab platform on which to perform the activities of our Eureka labs. Next, we will practise a few important wireless-related commands. Lastly, we will perform a rudimentary wireless network survey with these tools and commands.

Fundamental

mobile

"Hide-and-Seek" in Wireless

In this basic lab, we will set up a simple wireless network with SSID hiding enabled. Students will be tasked with performing wireless network "hide-and-seek" (a simple wireless penetration test).

Fundamental

mobile

Mischievous MAC?

Carrier Sense Multiple Access (CSMA) is a probabilistic media access control (MAC) protocol in which a node verifies the absence of other traffic before transmitting on a shared transmission medium. CSMA/CA (Collision Avoidance) is the variant used for carrier transmission in 802.11 networks. In this lab, we will observe how traffic is regulated by CSMA/CA. With this knowledge, we can detect abuses and misbehavior targeted at CSMA/CA at the MAC layer.

Challenging

mobile

Evil Twin AP Attacks and Prevention

An evil twin is a malicious access point set up to copy the identity of a real access point, hence the name "twin", in order to eavesdrop on and steal sensitive information. The attack tricks unsuspecting users into connecting to it, and from there the attacker can perform many other attacks, such as man-in-the-middle or phishing websites.

Advanced

mobile network

Passing on Passwords

When passwords are compromised, they can lead to unintentional data access, putting users at risk.

Fundamental

network system

XSS Attack and Defense

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites.

Fundamental

network

Take My Coin!

A blockchain is a growing list of records, called blocks, that are linked using cryptography. Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data. In this lab, we will practise coin mining and block creation.

Fundamental

network

Identity Demystified

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject.

Advanced

network

Crypto Flickered!

Length extension attacks can cause serious vulnerabilities when people mistakenly try to construct something like an HMAC by using hash(secret || message). Many hash functions are subject to length extension. Such hash functions are built around a compression function and maintain an internal state, which is initialized to a fixed constant. Messages are processed in fixed-size blocks by applying the compression function to the current state and the current block to compute an updated internal state. The result of the final application of the compression function becomes the output of the hash function. A consequence of this design is that if we know the hash of an n-block message, we can find the hash of longer messages by applying the compression function for each block that we want to add. This process is called length extension, and it can be used to attack many applications of hash functions.

Advanced

system