Add hacking WEP Wi-Fi workshop

Worksheets/Hacking Wep Wifi workshop/Instructor Cheat Sheet.md

@@ -0,0 +1,64 @@
+# Instructor's cheat sheet, Hacking WEP Wi-Fi with Pi 3's
+
+ Workshop created by @JamesMatchett
+
+## Before the workshop starts:
+
+* Check all pi’s have been flashed with the correct adapter firmware and have aircrack installed on them by running through the first few steps of the worksheet, make sure to reboot the pi afterwards.
+* Setup a Wi-Fi router with WEP security and make a note of the password.
+* Connect one or more devices to the network using the password (this can your phone, laptop, anything, it just has to be connected and in close proximity to the pi’s and routers)
+* IMPORTANT NOTE: Ensure that if your Wi-Fi network is 5GHz, force it to use 2.4GHz by either using a 2.4GHz only device or by repeatedly connecting and disconnecting.
+The Pi's can only intercept 2.4GHz traffic and the workshop won't work if the connected device is using 5GHz.
+
+## During the workshop:
+
+* Give a *quick* breakdown of the workshop's content, how Wi-Fi works and why WEP is vulnerable.
+* Get the attendees started by following the worksheet from the *very* beginning,     
+***commands to be typed in are in red*** and must be entered in the order they appear in the worksheet E.g.
+- `sudo airmon-ng check kill`
+- `nexutil -m2`
+- `sudo airmon-ng start wlan0`  
+
+
+* Once all attendees get into monitor mode and are watching the live dump of what networks are in range of the Wi-Fi chip, ask them to call out the MAC Address, Channel and SSID of the target router. Write this information on the whiteboard for the next commands. This means they are far less likely to target a router that isn't yours!
+
+* As soon as the attendees get to the "aireplay" command, you can begin to speed up the rate the attack captures traffic by standing beside the Pi's with the phone or laptop you connected previously and trying to load a webpage repeatedly, although nothing will load this will still generate traffic and reduce the time taken to capture enough packets.
+
+<div class="page-break"></div>
+
+* The final command "sudo aircrack-ng WEPcrack-01.cap" can either fail or succeed depending on how many packets have been captured. If it fails simply re-enter the command and run again or wait for the program to auto restart when enough new packets have been captured.
+
+## Once the key has been cracked:
+
+* Get parents/kids attending the workshop and try to connect their devices (either their mobile phones or if they don't have one their Pi after a reboot to reset to default configuration) using the Wi-Fi password they've captured, show them that if this was a "real Wi-Fi network" they'd be able to x attacks.
+
+## Shortcuts:
+
+* Ctrl + C stops any captures/processes underway so you don't have to force close a terminal window.
+* Using the up-arrow to re-enter/edit commands saves so much time.
+
+## Things that typically go wrong:
+
+* Last command doesn't work/number of keys doesn't increase for file entered a the last operand:
+
+  * This means that the capture has either stopped or is under a different filename, check the attendee's terminal windows to see if another capture has to be started or if one is underway under a different filename than "WEPcrack-01.cap" *by default it usually changes to 02 or 03 instead of 01.*
+
+* Packet capture going really slowly:
+
+  * make sure your connected device is still connected and try to generate some traffic by standing beside the Pi's and trying to browse the internet, nothing will load however the requests sent will generate traffic for the attendee's Pi to capture, I find that putting the Pi between your device and the router works best. *Using this method you can actually control the speed the workshop runs at so if it's running behind you can really get it moving!*
+
+* "Network is open/WPA2" error on final command:
+
+  * This means the attendee has probably started the capture on the wrong network, restart the capture and make sure the right MAC address is entered.
+
+* Aircrack module won't start/monitor mode can't be started:
+
+  * This means either the commands have been mistyped/in the wrong order or something has gone wrong configuration wise, reboot the pi and take care entering the initial instructions in the right order.
+
+* Pi won't boot or Aircrack & monitor mode will not work:
+
+  * This probably means there's a problem with the image on the SD card, I cover this in more detail in the flashing guide but just make sure the image isn't "shrunk" and the SD card is seated properly.
+
+
+
+#### Best of luck on this introduction to InfoSec!

Worksheets/Hacking Wep Wifi workshop/worksheet.md

@@ -0,0 +1,103 @@
+# Cracking WEP secured WiFi using Raspberry pis
+
+<img src="images/front-page.png" width="950px" align="centre"/>
+
+In this workshop we’ll discuss and practise acquiring the PSK (pre-shared key) (Also known as the Wi-Fi password!) on a WEP secured network using nothing except a raspberry pi and a software suite known as Aircrack-NG.
+
+### In this worksheet:
+
+- What is WEP
+- How our attack will work
+- How to set up & carry out the attack
+- Additional tasks
+
+<div class="page-break"></div>
+
+### What is WEP?
+WEP (Wired Equivalent Privacy) is a security protocol for old WiFi networks. It basically meant that you had to have the wifi password so that you could join the network, but also that you couldn’t see what was being sent on the network without the password.
+
+<img src="images/wep-explain.png" align="left"/>
+
+It works by combining a random number (The IV) and the key (your wifi password) to generate an RC4 keystream which encrypts whatever data you send. However if the same IV (random number) is used twice then it allows for the key to be recovered! This repetition is very likely as the IV is typically only 24 bits long and we can tell when it repeats because it isn’t encrypted when it’s sent!
+
+If we capture enough IV’s, then the key can be recovered!
+
+<img src="images/console-screen.png" align="centre"/>
+
+The tools we’ll need are:
+- A software suite known as aircrack
+- A Raspberry Pi
+- A USB wifi antenna (or a flashed chip which will be on the Pi for this workshop)
+
+### Let’s have a look
+
+We’re going to have a look at what Wi-Fi networks are around us and what the Wi-Fi card can see by putting it into something called monitor mode. This mode just allows us to capture packets being sent by Wi-Fi networks without having to join them ourselves.
+
+Firstly open a terminal on your Raspberry Pi.
+
+<img src="images/desktop.jpg" align="centre"/>
+
+And type in the following commands
+
+- `sudo airmon-ng check kill`
+- `nexutil -m2`
+- `sudo airmon-ng wlan0`
+
+These commands check if there are any running programs that would cause interference, kill them and allow the Pi Wi-Fi chip “wlan0” to enter monitor mode
+
+If the last commands worked okay, close that terminal window, open a new one and type the following command.
+
+- `sudo airodump-ng start wlan0mon`
+
+<img src="images/info-airmon-screen.png" align="centre"/>
+
+You should hopefully see a screen similar to the one above.
+
+The person taking the course will tell you the name or “ESSID” of the router we’re trying to get the password of, try and fill in the table below using the information on your terminal screen.
+
+| What you're finding                                    |what you found: |
+| -------------------------------------------------------|:--------------:|
+|ESSID (another name for the WiFi name)                  |                |
+| BSSID (another name for MAC address)                   |                |
+| ENC (encryption type)                                  |                |
+|CH (Channel, the WiFi channel being used by that router)|                |
+
+<div class="page-break"></div>
+
+Check with the person taking the course once you’re done to make sure the information is correct or if you’re having any difficulty.
+
+- Press Ctrl + C in the terminal window outputting information
+- Open a new terminal window
+- Here we’re going to use the information we acquired on the last page
+- `sudo airodump-ng --bssid *BSSID* -c *Channel* -w WEPcrack wlan0mon`
+
+<img src="images/second-info-airmon.png" align="left" width="600px"/>
+
+Hopefully you should see a screen similar to the one left, only one router should be appearing at the top row.
+Look at the “#Data” column, these are the IV’s we have to capture, More Iv’s means we have a better chance of cracking the password. To get more IV’s quicker we’re going to simulate traffic.
+
+Open a new terminal window (don’t close any other terminal windows)
+
+- `sudo aireplay-ng -3 -b *bssid* -h *mac address in station* wlan0mon`
+
+<img src="images/arp-replay-diagram.png" width= "350" align="left"/>
+Our attack captures genuine traffic and replays it to the router, the router replies and we capture it’s response to get another IV
+
+
+
+**Once we have enough IV’s we can try to crack the password**
+
+`sudo aircrack-ng WEPcrack-01.cap`
+
+<img src="images/aircrack-screen.png" width="700px" align="centre"/>
+
+This program crawls through the captured data and finds IVs, once it has all the IVs it will try and compute the key through cryptographic analysis.
+
+If there is enough information to extract the key the it will be output! If not it will automatically try again when more IV’s have been captured.
+
+### What next?
+- Can you connect to the wifi network with the key you’ve cracked?
+- Can you see how many other devices are connected to the network
+- Can you find out how WPA and WPA2 are immune from this style of attack
+- How would a longer PSK affect the cracking time?
+- What physical conditions would you change to affect the intercept rates, test them! Do your changes affect how quickly IV’s are captured?