- 1 When/Where/What
- 2 Requirements
- 3 Creating Bootable USB Memory Stick
- 4 Running Ubuntu Linux on existing Windows computer without changing anything
- 5 Hacking Wireless WPS Access Point using Reaver
- 6 Censorship Circumvention
- 7 Dealing With A Dead Computer
- 8 What Film Should We Watch
- Saturday 17th May 2014
- From 17:00 (5pm) onwards (soft start) - come earlier or later as you wish.
Suggest we plan to start watching the chosen film at around 19:00 (7pm) so that we can be finished around 9pm (21:00).
People are free to come/go when they like.
The Oliver's house
We will be providing Pizza and Icecream!
The tasks for the evening:
- Obtain WiFi Access
- Install Webserver
- Censorship Circumvention
If you have the following that you are permitted to bring, then please do:
- Laptop (preferably MS Windows) - we will NOT be changing the existing installation
- USB Memory Stick (suitable to be wiped)
If you do not have a laptop or USB Memory stick, not to worry - let us know.
Creating Bootable USB Memory Stick
Ubuntu Only USB
Running Ubuntu Linux on existing Windows computer without changing anything
Basic Linux/Unix commands
Hacking Wireless WPS Access Point using Reaver
What is WPS?
Wi-Fi Protected Setup, or WPS is a computing standard that attempts to allow easy establishment of a secure wireless home network.
The idea is to quickly allow a WiFi device such as a laptop or smartphone to connect to a WiFi Access Point without having to remember the lengthy WiFi WPA encryption key.
For more information, see Wikipedia page on WPS.
What is wrong with WPS?
In December 2011 researcher Stefan Viehböck reported a design and implementation flaw that makes brute-force attacks against PIN-based WPS feasible to perform on WPS-enabled Wi-Fi networks. A successful attack on WPS allows unauthorized parties to gain access to the network. The only effective workaround is to disable WPS.
For more details, see WPS Security Problem.
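The following is an added illustration, not part of the original page, of why the PIN design is weak and why disabling WPS is the only real fix: the eighth digit is a checksum and the two halves of the PIN are confirmed separately, so at most 11,000 guesses are ever needed. The 2 seconds per guess and the lockout policy (60 seconds after every 3 failures) are assumptions chosen for the estimate.

```python
def wps_checksum(first7: int) -> int:
    """Eighth PIN digit, computed from the first seven."""
    accum, weight = 0, 3
    for digit in reversed(f"{first7:07d}"):
        accum += weight * int(digit)
        weight = 4 - weight              # weights alternate 3, 1, 3, 1, ...
    return (10 - accum % 10) % 10

def pin_is_well_formed(pin: str) -> bool:
    """True if an 8-digit PIN carries the correct checksum digit."""
    return (len(pin) == 8 and pin.isdigit()
            and wps_checksum(int(pin[:7])) == int(pin[7]))

def guesses_needed() -> dict:
    """Worst-case guess counts under three models of the PIN check."""
    return {
        "eight free digits": 10 ** 8,
        "seven digits + checksum": 10 ** 7,
        # The first 4 digits are confirmed on their own, then the remaining
        # 3 free digits (the last digit of that half is the checksum).
        "two halves checked separately": 10 ** 4 + 10 ** 3,
    }

def worst_case_hours(guesses, secs_per_guess, lock_after=0, lock_secs=0):
    """Time to exhaust `guesses`, with an optional lockout every N failures."""
    total = guesses * secs_per_guess
    if lock_after:
        total += (guesses - 1) // lock_after * lock_secs
    return total / 3600

if __name__ == "__main__":
    n = guesses_needed()["two halves checked separately"]
    print(pin_is_well_formed("12345670"))            # constructed sample PIN
    print(round(worst_case_hours(n, 2.0), 1), "hours with no lockout")
    print(round(worst_case_hours(n, 2.0, 3, 60) / 24, 1), "days with lockout")
```

Even with the assumed lockout the whole space is exhausted in under three days, so a lockout only delays the outcome.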
How can I defend myself from this WPS vulnerability?
All you need to do is disable the WPS feature.
By default all WiFi routers have to have WPS enabled - this is a requirement for their WiFi license.
Apple's Airport Extreme/Express has WPS disabled by default.
At the time of writing, pretty much ALL Cisco/Linksys WiFi routers/access points could not have their WPS feature disabled - a bug in all their firmwares. Even when the WPS option is disabled, the WPS functionality is still enabled.
Some Cisco/Linksys WiFi routers cannot have their WiFi turned off properly either!
If you have a Cisco/Linksys or similarly affected device, you have the following options:
- buy a new WiFi router
- turn off WiFi functionality - optionally buy a new WiFi access point to provide that functionality (Apple Airport Express/Extremes are good)
- configure the Cisco/Linksys's WiFi to use an out-of-band frequency channel (13/14), turn off SSID broadcasting, enable MAC address filtering, set a very strong WPA password, etc etc... and then buy yourself a new WiFi access point to provide WiFi functionality
How easy is it to Brute-Force attack WPS?
It typically takes 4-10 hours to obtain the WPA password.
- Download Kali Linux
- Create bootable DVD or USB (YUMI USB Creator)
- Boot Kali
- apt-get install aircrack-ng (already installed in Kali)
- apt-get install reaver (already installed in Kali)
- airmon-ng start wlan0
- airodump-ng mon0
- reaver -i mon0 -b C8:3A:35:30:E5:B8 -vv --pin=32045369
Note that, to save time, the above 'reaver' command pre-starts the scan from the actual PIN - otherwise it would take some 6 hours to complete...
Is it legal to attempt to Brute-Force attack somebody else's WPS enabled WiFi?
No - VERY ILLEGAL!
However you might like to tell them about the vulnerability. If they are willing, you could demonstrate how easily it can be done by running the above Reaver Attack Tool.
Censorship Circumvention
ISPs/countries attempt to stop access to a particular website by poisoning their DNS. For example, Turkey.
For example, if a web browser wishes to access 'http://youtube.com', instead of returning the correct IP address (126.96.36.199), it returns a fake or government IP address.
DNS Poisoning Circumvention
The solution is to use alternative 'good' DNS servers - for example, OpenDNS.
Recommend using DNSCrypt.
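One way to check whether a resolver is returning tampered answers, as an added example that is not part of the original page: parse the A records from the ISP resolver's raw reply and from a trusted resolver's reply, then compare them. The replies here are constructed samples using documentation addresses, and the function names and verdict labels are hypothetical.

```python
import ipaddress
import struct

# Ranges that can never be a public website's address (RFC 1918 + loopback).
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def make_reply(qname, addrs):
    """Build a minimal DNS reply with A records (constructed sample input)."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    question = labels + b"\x00" + struct.pack(">HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4)
        + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + question + answers

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += msg[off] + 1
    return off + 1

def a_records(msg):
    """Extract the set of IPv4 addresses from a raw DNS reply."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    found = set()
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            found.add(ipaddress.IPv4Address(msg[off:off + 4]))
        off += rdlen
    return found

def compare(isp_reply, trusted_reply):
    """Classify the ISP resolver's answer against a trusted resolver's."""
    isp, trusted = a_records(isp_reply), a_records(trusted_reply)
    if not isp:
        return "no-answer"
    if isp & trusted:
        return "consistent"
    if any(ip in net for ip in isp for net in NON_PUBLIC):
        return "likely-poisoned"
    return "differs"   # CDNs vary by resolver; confirm via the TLS certificate
```

A "differs" verdict is not proof of poisoning on its own, because large sites legitimately hand out different addresses to different resolvers.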
IP Address Blocking
DNS Poisoning is very easy to circumvent.
The next level is to block access to specific IP addresses. For example, Great Firewall of China, or corporate/company/school firewalls.
Part of the function of the firewall is to perform:
- URL monitoring (where users are visiting)
- Content monitoring (what text/images users are seeing/sending)
- Deep Packet Analysis (detect what circumvention mechanism users are trying/using)
Note that the same technology used to stop inappropriate web access within schools is used by governments to stop human rights and similar groups and to control media access.
VPN - Virtual Private Network
'It enables a computer to send and receive data across shared or public networks as if it is directly connected to the private network, while benefiting from the functionality, security and management policies of the private network.'
ISPs/governments can see that the user (i.e. you) is connected to some remote VPN service. They can determine the amount of data being sent/received, but cannot directly know the data contents. However, researchers have been able to determine message content by analysing the encrypted data length.
Note that depending on the user's computer configuration or VPN setup, it is very possible for the computer to leak information about what websites the user is accessing. That might be sufficient for authorities to issue arrest warrants.
TOR - The Onion Router
Dealing With A Dead Computer
- GRC's SpinRite
- Boot Linux from USB
What Film Should We Watch
By popular demand (50% in class vote), we will be watching:
'War Games' (1983) - 1'53
Other Films We Considered
'Tron' (1982) - 1'30
'Tron: Legacy' (2010) - 2'05
'Short Circuit' (1986) - 1'38
Doctor Who: 'The Bells of Saint John' (2013 - S07E06) - 0'45