
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Wireless Security, June 16, 2010
Thomas d’Otreppe de Bouvette, Author of Aircrack-ng


Slide 1: Wireless Security (title slide)

Slide 2: Agenda
– WEP
– WPA
– Choose hardware
– Wireless reconnaissance
  – Airgraph-ng
  – GISKismet

Slide 3: WEP
– Still broken but still used
– Sometimes you can’t crack the key: « What can I do? »

Slide 4: WEP
– Check if you have enough data packets.
  – ~30K are needed for 64 bit with PTW
  – ~80K for 128 bit with PTW
– Switch to KoreK starting from K packets
  – ~200K for 64 bit with KoreK
  – ~500K for 128 bit with KoreK
– Usually, if you can’t crack, as a rule of thumb, just get more (data) packets
– More than enough and still can’t crack the key: split the capture file and crack the pieces individually

Slide 5: WEP – Split files
– Pcap-util: Perl script
– Works on Linux/Windows

Slide 6: WEP – Split files (2)

Slide 7: WEP – Split files (3)
– Has several options:
  – Split in files of X MB
  – Extract packets that fall within a period of time
  – Extract packets that match a libpcap filter
– Just need to split in smaller files, so:
  – perl pcap-util split large.pcap small 3

Slide 8: WEP – PTW limitations
– Works with 64 and 128 bit keys
– Works in 2 phases:
  – Phase 1: ARP
  – Phase 2: then use all other data packets (some packets are ignored because they are known to be unusable for PTW)
– List of usable packets can be found at: (see the Links slide)

Slide 9: WEP – WEP Cloaking™
« Motorola AirDefense WEP Cloaking™ provides protection for wireless infrastructure secured by legacy encryption protocols. This is an add-on module to Motorola AirDefense Enterprise, the market leading Wireless Intrusion Prevention System. »
– Solution: airdecloak-ng, but sometimes aircrack-ng can crack it directly

Slide 10: WEP – WEP Cloaking™ (2)
  aircrack-ng wep_cloaking_full_speed_dl.pcap -b 00:12:BF:12:32:29 -K -n 64 -d 1F:1F:1F

Slide 11: WEP – WEP Cloaking™ (3)

Slide 12: WEP – WEP Cloaking™ (4)
– Not all packets were filtered out, but enough to crack the key

Slide 13: WEP – Broken capture file
– Aircrack-ng:
  – Invalid packet capture length 0 - corrupted file?
– Wireshark

Slide 14: WEP – Broken capture file (2)

Slide 15: WEP – Broken capture file (3)
– Mark first packet
– Mark the last good packet
– File – Save as …
– Select « first to last marked packet »
– Select an output filename, then save it
– DONE
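The Wireshark procedure above cuts the file at the last good packet. As an added example (not from the slides and not Aircrack-ng project code), this Python script does the same cut programmatically: it walks the libpcap records and stops at the first one whose capture length is 0, the condition behind aircrack-ng's "Invalid packet capture length 0 - corrupted file?" message. The sample capture is constructed in memory; nothing in it is a real frame.

```python
import struct

PCAP_GLOBAL_HDR = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_HDR = 16   # ts_sec, ts_usec, incl_len (captured bytes), orig_len (bytes on the air)
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond timestamps
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond timestamps

def salvage_pcap(data: bytes) -> tuple:
    """Return (bytes up to and including the last intact record, number of records kept).

    Walks the file the way a reader does and stops at the first record whose capture
    length is 0, exceeds the snaplen, exceeds its own original length or runs past the
    end of the file. Everything from that record on is dropped, which is what
    'first to last marked packet' achieves in Wireshark.
    """
    if len(data) < PCAP_GLOBAL_HDR or data[:4] not in MAGICS:
        raise ValueError("not a libpcap file")
    endian = MAGICS[data[:4]]
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    offset, kept = PCAP_GLOBAL_HDR, 0
    while offset + PCAP_RECORD_HDR <= len(data):
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + PCAP_RECORD_HDR])
        end = offset + PCAP_RECORD_HDR + incl_len
        if incl_len == 0 or (snaplen and incl_len > snaplen) or incl_len > orig_len or end > len(data):
            break                       # corrupted record: cut here
        offset, kept = end, kept + 1
    return data[:offset], kept

def build_sample() -> bytes:
    """Constructed capture: three intact records, then a record with capture length 0 and junk."""
    # linktype 105 = IEEE 802.11 without radiotap; the 10-byte 'frame' is filler, not a real frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    frame = bytes.fromhex("08020000ffffffffffff")
    good = b"".join(struct.pack("<IIII", 1276700000 + i, 0, len(frame), len(frame)) + frame
                    for i in range(3))
    broken = struct.pack("<IIII", 1276700003, 0, 0, 40) + b"\x00" * 7
    return header + good + broken

def salvage_file(src: str, dst: str) -> int:
    """Write the intact prefix of src to dst; returns how many packets survived."""
    with open(src, "rb") as f:
        good, kept = salvage_pcap(f.read())
    with open(dst, "wb") as f:
        f.write(good)
    return kept
```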

Slide 16: Agenda – WEP, WPA, Choose hardware, Wireless reconnaissance (Airgraph-ng, GISKismet)

Slide 17: WPA
– WPA is at the same time easy and hard to crack
  – Easy to get the handshake
  – But the passphrase can be really complex

Slide 18: WPA
– 802.11i group launched when flaws were found in WEP
– 2 link-layer protocols:
  – TKIP (WPA1): Draft 3 of the 802.11i group (backward compatible with legacy hardware)
  – CCMP (WPA2): final 802.11i standard
– 2 authentication methods:
  – Personal: PSK (shared key, 8-63 characters)
  – Enterprise: MGT (RADIUS server)

Slide 19: WPA-PSK – 4 way handshake

Slide 20: WPA – Location
– You need to be located not too far from the client and the AP to hear the whole 4-way handshake.
– Aircrack-ng can work with less than the 4 EAPOL packets

Slide 21: WPA – Good location

Slide 22: WPA – Bad location
– Only hear the AP:
– Only hear the client:

Slide 23: WPA – Airbase-ng
– Act as an AP with airbase-ng and get the handshake => just need to be in the range of the client:
  airbase-ng -z 2 -W 1 -y -c 6 -F dump -e "Philips WiFi" rausb0
– Location problem solved ;), you just need the client:

Slide 24: WPA – Airbase-ng (2)
DEMO

Slide 25: WPA – Debug
– Aircrack-ng/cowpatty/pyrit/OTHER TOOL doesn’t see the handshake, why?
– So, how does it look in capture files and how do we debug it?

Slide 26: WPA – Debug
DEMO

Slide 27: WPA – Cracking
– Once you have the handshake, it’s time to crack it
– Two methods come to mind:
  – Using a wordlist
  – Bruteforcing
– Bruteforce not doable since minimum key length is 8 characters, so we need a good dictionary

Slide 28: WPA – Dictionary
– Having the right dictionary is important!
– Here are a few tips to build yours:
  – Use generic dictionaries, add things like:
    – Language used
    – Phone numbers (i.e., use JTR to generate all possible phone numbers)
    – City and different things around
    – Other things that come to your mind, …
  – Use programs to « add » words:
    – John The Ripper (and Markov)
    – Wyd
    – …
– Combine all of these … and you may end up with huge dictionaries.

Slide 29: WPA – Cracking hardware
– Processing big dictionaries takes time
– CPU too slow => use GPU and FPGA

Slide 30: WPA – GPU performance
– Pyrit performance

Slide 31: WPA – GPU Crackers
– Quite easy to set up …
  – apt-get install backtrack-cuda
– … but
  – Don’t forget the power bill ;)
  – Creating dictionaries takes time
– Online services available:
  – Cloud computing:
  – GPU:

Slide 32: Agenda – WEP, WPA, Choose hardware, Wireless reconnaissance (Airgraph-ng, GISKismet)

Slide 33: Choose hardware – Antennas
– Often asked: « What is the best antenna? »
– Depends on your needs:
  – Long or short links? Low or high power antenna
  – Point to point or point to multipoint? Directional antenna or omni
  – Frequency? 2.4 GHz / 5 GHz (4.9/5.2/5.8/…)
  – …

Slide 34: Choose hardware – Antennas
– Antenna pattern:
  – Vertical pattern: look at the horizon
  – Horizontal pattern: look at the ground from the sky

Slide 35: Choose hardware – Antennas: Omni
– Great for point to multipoint connections (i.e., AP)
– Theory: radiate in all directions
– Highest power is not the best one

Slide 36: Choose hardware – Antennas: Omni 5 dBi

Slide 37: Choose hardware – Antennas: Omni 9 dBi

Slide 38: Choose hardware – Antennas: Sector 120°

Slide 39: Choose hardware – Antennas: Grid

Slide 40: Choose hardware – Antennas: Home made – Biquad

Slide 41: Choose hardware – Antennas
– So, don’t just get the most powerful
– Check the law
– Look at the specs of the cards
  – RX sensitivity: ability to hear
  – TX power: needed for long distance links
  – Important: both take the rate, the frequency and the modulation into account
– Example: Ubiquiti SRC datasheet

Slide 42: Choose hardware – Cables
– Cables have losses
  – Thin: high loss, usually for short links (bend easily)
  – Thick: low loss, for long links (can’t be bent easily)
  – Loss depends on the frequency
– Connectors also have losses: around 0.5 dB
– A few cables (loss for 100 feet at 2.4 GHz)
  – RG174: ~60 dB
  – RG58: ~25 dB
  – LMR 200: ~16.5 dB
  – LMR 400: ~6.7 dB
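A link budget worked through with the slide's cable table, as an added example (not from the talk): feedline loss from the table plus 0.5 dB per connector, the resulting EIRP that has to stay under the local legal limit, and the margin left at a given distance against the card's RX sensitivity. The free-space path loss formula and the 20 dBm / 9 dBi / -80 dBm / 1 km figures are textbook values and my assumptions, not from the slides.

```python
import math

# Loss per 100 feet at 2.4 GHz, as given on the slide; connectors cost about 0.5 dB each.
CABLE_LOSS_DB_PER_100FT = {"RG174": 60.0, "RG58": 25.0, "LMR200": 16.5, "LMR400": 6.7}
CONNECTOR_LOSS_DB = 0.5

def feedline_loss_db(cable: str, feet: float, connectors: int = 2) -> float:
    """Everything lost between the radio and the antenna: the cable run plus each connector."""
    return CABLE_LOSS_DB_PER_100FT[cable] * feet / 100.0 + CONNECTOR_LOSS_DB * connectors

def eirp_dbm(tx_power_dbm: float, cable: str, feet: float, antenna_gain_dbi: float,
             connectors: int = 2) -> float:
    """Effective isotropic radiated power: the figure regulators limit ("check the law")."""
    return tx_power_dbm - feedline_loss_db(cable, feet, connectors) + antenna_gain_dbi

def free_space_path_loss_db(distance_km: float, freq_mhz: float) -> float:
    """Textbook free-space path loss (assumes clear line of sight, no obstacles)."""
    return 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz) + 32.44

def link_margin_db(tx_eirp_dbm: float, distance_km: float, freq_mhz: float,
                   rx_antenna_gain_dbi: float, rx_feedline_loss_db: float,
                   rx_sensitivity_dbm: float) -> float:
    """Signal at the receiving card minus its RX sensitivity at the chosen rate.
    Negative means the card cannot hear the link at that rate, whatever the TX power."""
    received = (tx_eirp_dbm - free_space_path_loss_db(distance_km, freq_mhz)
                + rx_antenna_gain_dbi - rx_feedline_loss_db)
    return received - rx_sensitivity_dbm

def compare_cables(feet: float = 50.0) -> dict:
    """Same run length in every cable of the table: shows why the thin cable kills a long link."""
    return {c: round(feedline_loss_db(c, feet), 2) for c in CABLE_LOSS_DB_PER_100FT}

def example_link(cable: str = "LMR400") -> dict:
    """Assumed figures: 20 dBm radio, 9 dBi omni at both ends, 50 ft of cable with 2 connectors
    at each end, 1 km link on channel 6 (2437 MHz), -80 dBm RX sensitivity."""
    loss = feedline_loss_db(cable, 50.0)
    eirp = eirp_dbm(20.0, cable, 50.0, 9.0)
    margin = link_margin_db(eirp, 1.0, 2437.0, 9.0, loss, -80.0)
    return {"feedline_loss_db": round(loss, 2), "eirp_dbm": round(eirp, 2),
            "margin_db": round(margin, 2)}
```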

Slide 43: Agenda – WEP, WPA, Choose hardware, Wireless reconnaissance (Airgraph-ng, GISKismet)

Slide 44: Airgraph-ng
– Airgraph-ng creates a picture of the networks.
– Usage examples:
  – Display a network map
  – Network monitor
– Uses the CSV output of airodump-ng.
– Part of the suite (can be found in scripts/)

Slide 45: Airgraph-ng – Graph types
– Client to Access Point Relationship graph (CAPR):
  – Client to Access Point Relationship
  – Focus more on clients than APs
  – APs without clients aren’t graphed
  – Colors for each type of encryption:
    – Green: WPA
    – Yellow: WEP
    – Red: Open
    – Black: Unknown
– Client Probe Graph (CPG):
  – Links between clients and APs

Slide 46: Airgraph-ng – Examples
– Parameters:
  – Input file: airodump-ng CSV file (.csv)
  – Graph type:
    – CAPR (Client – AP Relationship): connected clients
    – CPG (Common Probe Graph): probed SSIDs
  – Output file: picture file name
– Examples:
  – CAPR: airgraph-ng.py -i sharkfest-01.csv -g CAPR -o sharkfest-capr.png
  – CPG: airgraph-ng.py -i sharkfest-01.csv -g CPG -o sharkfest-cpg.png
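To show what airgraph-ng builds a CAPR graph from, here is an added example (my code, not airgraph-ng's) that parses the two-section airodump-ng CSV and emits a Graphviz DOT graph with the slide's colour scheme, drawing only APs that have an associated client. The CSV layout (AP section, then a "Station MAC" section, probed ESSIDs unquoted and comma separated) is as I recall it, and the sample file is constructed.

```python
# Slide colours: green WPA, yellow WEP, red open, black unknown. airodump-ng writes the
# Privacy column as "WPA2", "WPA", "WEP" or "OPN" (CSV details here are from memory).
def privacy_colour(privacy: str) -> str:
    if privacy.startswith("WPA"):
        return "green"
    if privacy.startswith("WEP"):
        return "yellow"
    return "red" if privacy == "OPN" else "black"

def parse_airodump_csv(text: str):
    """Return (aps, stations): BSSID -> {channel, privacy, essid} and [{mac, bssid, probes}]."""
    aps, stations, section = {}, [], None
    for line in text.splitlines():
        row = [f.strip() for f in line.split(",")]
        if not row[0]:
            continue
        if row[0] in ("BSSID", "Station MAC"):      # the two section headers
            section = row[0]
        elif section == "BSSID" and len(row) >= 14:
            aps[row[0]] = {"channel": row[3], "privacy": row[5], "essid": row[13]}
        elif section == "Station MAC" and len(row) >= 6:
            # probed ESSIDs are unquoted and comma separated, so they spill into extra fields
            stations.append({"mac": row[0], "bssid": row[5], "probes": [p for p in row[6:] if p]})
    return aps, stations

def capr_dot(text: str) -> str:
    """Graphviz DOT like airgraph-ng's CAPR: only APs with a client are drawn, coloured by encryption."""
    aps, stations = parse_airodump_csv(text)
    clients = {}
    for st in stations:
        if st["bssid"] in aps:                      # skips "(not associated)" stations
            clients.setdefault(st["bssid"], []).append(st["mac"])
    lines = ["graph capr {"]
    for bssid, macs in clients.items():
        ap = aps[bssid]
        lines.append(f'  "{bssid}" [label="{ap["essid"]} ch{ap["channel"]} {ap["privacy"]}", style=filled, fillcolor={privacy_colour(ap["privacy"])}];')
        lines.extend(f'  "{bssid}" -- "{mac}";' for mac in macs)
    return "\n".join(lines + ["}"])

# Constructed sample in the airodump-ng CSV layout (not a real capture).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-06-16 10:00:00, 2010-06-16 10:05:00, 6, 54, WPA2, CCMP, PSK, -40, 120, 0, 0.  0.  0.  0, 9, Sharkfest,
00:11:22:33:44:66, 2010-06-16 10:00:00, 2010-06-16 10:05:00, 11, 54, WEP, WEP, , -60, 80, 5000, 0.  0.  0.  0, 6, Legacy,
00:11:22:33:44:77, 2010-06-16 10:00:00, 2010-06-16 10:05:00, 1, 54, OPN, , , -70, 30, 0, 0.  0.  0.  0, 5, Guest,
Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
aa:bb:cc:00:00:01, 2010-06-16 10:01:00, 2010-06-16 10:04:00, -50, 200, 00:11:22:33:44:55, Sharkfest
aa:bb:cc:00:00:02, 2010-06-16 10:01:00, 2010-06-16 10:04:00, -55, 300, 00:11:22:33:44:66, Legacy,Home
aa:bb:cc:00:00:03, 2010-06-16 10:02:00, 2010-06-16 10:03:00, -65, 10, (not associated), Hotel,Cafe
"""
```

Pipe `capr_dot(SAMPLE_CSV)` into `dot -Tpng -o sharkfest-capr.png` to render it; an ESSID containing a comma breaks this kind of parsing, which is a known limitation of the unquoted CSV.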

Slide 47: Airgraph-ng – Examples (2): CAPR

Slide 48: Airgraph-ng – Examples (3): CPG

Slide 49: Agenda – WEP, WPA, Choose hardware, Wireless reconnaissance (Airgraph-ng, GISKismet)

Slide 50: GISKismet
« GISKismet is a wireless recon visualization tool to represent data gathered using Kismet in a flexible manner »
– Display Access Points on Google Earth => requires GPS.
– Also works with airodump-ng

Slide 51: GISKismet (2)
– Store information in a database (SQLite)
– Input: Kismet newcore XML (netxml)
– Outputs a KML file
– Filter data:
  – Input: limited to things like channel, ESSID, …
  – Output: flexible, SQL order

Slide 52: GISKismet (3)
– Importing data:
  – giskismet -x dump-01.kismet.netxml
– Will create a file called wireless.dbl (SQLite3 database with 2 tables):
  – Clients: all clients
  – Wireless: all APs
– Exporting:
  – giskismet -q SQL_ORDER -o OUTPUT_FILE.kml

Slide 53: GISKismet (4)
– SQL queries:
  – All: select * from wireless
  – SSID starting with ‘SpeedTouch’: select * from wireless where ESSID like 'SpeedTouch%'
  – APs from Aruba Networks: select * from wireless where Manuf = 'Aruba Networks'
  – Hotspots: select * from wireless where ESSID like '%hotspot%'
  – Channel 6: select * from wireless where channel = 6
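The query-to-KML step of slides 52 and 53, as an added example (my code, not GISKismet's): the five queries above run against a constructed SQLite wireless table and each result is rendered as KML placemarks for Google Earth. ESSID, Manuf and channel are the column names the slide queries; BSSID, Latitude and Longitude are assumed names, and the rows are made up, not survey data.

```python
import sqlite3
import xml.etree.ElementTree as ET

def build_sample_db() -> sqlite3.Connection:
    """Constructed wireless table. ESSID, Manuf and channel are the columns the slide queries;
    BSSID, Latitude and Longitude are assumed names, and the rows are made up, not survey data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wireless (BSSID TEXT, ESSID TEXT, Manuf TEXT, "
                 "channel INTEGER, Latitude REAL, Longitude REAL)")
    conn.executemany("INSERT INTO wireless VALUES (?, ?, ?, ?, ?, ?)", [
        ("00:11:22:00:00:01", "SpeedTouch4F2A", "Thomson", 6, 37.4275, -122.1697),
        ("00:11:22:00:00:02", "CampusHotspot", "Aruba Networks", 11, 37.428, -122.17),
        ("00:11:22:00:00:03", "SpeedTouch90C1", "Thomson", 1, 37.4290, -122.1710),
        ("00:11:22:00:00:04", "corp-wlan", "Aruba Networks", 6, 37.4300, -122.1720),
        ("00:11:22:00:00:05", "hotspot-nogps", "Unknown", 6, None, None),  # seen without a GPS fix
    ])
    return conn

def export_kml(conn: sqlite3.Connection, sql: str) -> str:
    """Run the SELECT and emit one KML Placemark per row, as 'giskismet -q SQL_ORDER -o file.kml'
    does; rows without coordinates cannot be placed on the map and are left out."""
    cur = conn.execute(sql)
    names = [d[0].lower() for d in cur.description]
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    for row in cur.fetchall():
        rec = dict(zip(names, row))
        if rec.get("latitude") is None or rec.get("longitude") is None:
            continue
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = f'{rec["essid"]} ({rec["bssid"]})'
        ET.SubElement(pm, "description").text = f'channel {rec["channel"]}, {rec["manuf"]}'
        point = ET.SubElement(pm, "Point")
        ET.SubElement(point, "coordinates").text = f'{rec["longitude"]},{rec["latitude"]}'  # KML order is lon,lat
    return ET.tostring(kml, encoding="unicode")

def row_count(conn: sqlite3.Connection, sql: str) -> int:
    """Rows the query returns, including those that will not make it into the KML."""
    return len(conn.execute(sql).fetchall())

def placemark_count(conn: sqlite3.Connection, sql: str) -> int:
    return export_kml(conn, sql).count("<Placemark>")
```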

Slide 54: ?

Slide 55: Links
– Pcap-util:
– List of supported packets for PTW:
– John The Ripper:
– Markov:
– Wyd:
– « Next generation wireless recon … » (Shmoocon 2009): http://spl0it.org/files/talks/Abraham-Smith-NextGenerationWirelessRecon-VisualizingTheAirwaves-ShmooCon2009.pdf (short: )
– Cable loss calculator:

