Breaking into Wi-Fi Networks
Disclaimer: Unauthorized access to a network is unlawful and can lead to criminal charges. Whether or not this applies to open networks is widely disputed and varies between states.
Useful Tools
Aircrack-ng – an 802.11 WEP and WPA key cracking program
Pyrit – a WPA/WPA2 key cracker which utilizes your GPU
Cowpatty – another useful tool for WPA/WPA2 key cracking
Crunch – a wordlist generator
Reaver – a tool to break WPS
Wi-Fi Basics
Operates over 2.4 GHz and 5 GHz.
Infrastructure mode: wireless devices connect to a single access point and communicate through it.
Ad hoc mode: all wireless nodes communicate with each other directly.
In both cases all devices must agree on an SSID.
We will be focusing on infrastructure mode.
The SSID and BSSID
The BSSID (basic service set identifier) is the MAC address of the access point.
The SSID is the human-readable name of the network. This is what you see when you look at a list of nearby wireless networks.
Making the SSID 'hidden'
When a network is hidden, the access point no longer includes its SSID in beacon frames and no longer responds to broadcast probe requests.
Many people think that hiding their network will keep unauthorized users from finding and connecting to it.
Security through obscurity is not secure!
Circumventing a hidden SSID
Association requests to the access point require the SSID.
Every authorized client must transmit the SSID to the access point in order to connect to the network.
All an unauthorized user needs to do is wait for someone to connect to the access point.
...or we could force their hand
We can boot a user off the network with a deauthentication attack.
Using aireplay-ng we can send a deauthentication frame to the client, claiming to be the access point.
After being deauthenticated, the client will automatically reconnect, transmitting the SSID in the process.
MAC Address Filtering
Essentially a whitelisting policy: the only devices allowed to connect to the access point are those with approved MAC addresses.
At one time MAC addresses were static values burned into the hardware of wireless cards, making MAC filtering somewhat effective.
Those days are long gone
Changing your MAC address is trivial.
Most modern cards/drivers support MAC address spoofing.
All an unauthorized user needs to do is find the MAC address of an authorized client and use that address.
WEP – Wired Equivalent Privacy
WEP was introduced as a means of making wireless data confidential.
It uses the stream cipher RC4 to encrypt data.
64-bit WEP uses a 40-bit key (ten hexadecimal characters) concatenated with a 24-bit initialization vector.
128-bit WEP works in the same way but with a 104-bit key (26 hexadecimal characters).
Most devices also allow the user to enter the 104-bit key as 13 ASCII characters.
Officially retired in 2004.
Attacking WEP with a Dictionary
Feed cracking software a dictionary and a .cap file in the hope that it will brute-force the password.
Dictionary attacks on WEP are uncommon because there is no real standard for how to translate a password into a WEP key.
It is much easier to attack the weak cipher WEP uses to encrypt its data.
Attacking WEP with Aircrack-ng
WEP can be easily broken because of vulnerabilities in how it uses the RC4 stream cipher to encrypt data.
The IVs (initialization vectors) are prepended to the secret key, which means that if an attacker captures enough data packets, a couple of seconds of analysis can recover the key.
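To make the weakness on this slide concrete, here is an added example that is not from the slides or from the Aircrack-ng project: a minimal RC4 and a WEP-style per-frame encryption that prepends the 24-bit IV to the shared key, exactly as the slide describes. The frame layout is simplified (no CRC-32 integrity value and no 802.11 headers; the key and IV values are constructed for the demonstration). It shows the two facts a defender should take away: the 24-bit IV space is small enough that IVs repeat after a few thousand frames, and any two frames encrypted under the same IV share a keystream, so XORing their ciphertexts cancels the key and leaves the XOR of the two plaintexts.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                     # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt_frame(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP frame: the IV is sent in the clear, followed by
    RC4(IV || secret_key) XOR plaintext. Real WEP also appends a CRC-32
    integrity value before encrypting; that is omitted here."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    per_frame_key = iv + secret_key             # the IV is prepended to the secret key
    return iv + xor_bytes(plaintext, rc4_keystream(per_frame_key, len(plaintext)))


def wep_decrypt_frame(secret_key: bytes, frame: bytes) -> bytes:
    iv, ciphertext = frame[:3], frame[3:]
    return xor_bytes(ciphertext, rc4_keystream(iv + secret_key, len(ciphertext)))


IV_SPACE = 2 ** 24   # 24-bit IV: 16,777,216 possible values per key


def expected_frames_until_iv_repeat(iv_space: int = IV_SPACE) -> float:
    """Birthday-bound estimate of frames until some IV repeats when IVs are drawn at random."""
    return math.sqrt(math.pi * iv_space / 2)


def leaked_plaintext_xor(secret_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under the same IV share a keystream: XOR of the ciphertexts
    equals XOR of the plaintexts, with no knowledge of the key."""
    c1 = wep_encrypt_frame(secret_key, iv, p1)[3:]
    c2 = wep_encrypt_frame(secret_key, iv, p2)[3:]
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")    # constructed 40-bit (64-bit WEP) key
    iv = bytes.fromhex("aabbcc")         # constructed IV
    p1, p2 = b"GET /index.html", b"GET /login.html"
    print("keystream reuse leaks p1 XOR p2:", leaked_plaintext_xor(key, iv, p1, p2) == xor_bytes(p1, p2))
    print("frames until an IV repeats (random IVs):", round(expected_frames_until_iv_repeat()))
```

The RC4 routine is checked against the standard published test vector (key "Key", plaintext "Plaintext"), so the keystream-reuse result is a property of the construction rather than of a toy cipher. Many WEP implementations counted IVs sequentially rather than drawing them at random, which only makes repeats more predictable.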
WPS – Wi-Fi Protected Setup
WPS adds a simple way to let people connect to the network without having to remember difficult passwords.
This can be implemented in different ways:
A button on the access point
A PIN shared between the access point and station
USB
NFC
The Online Brute Force Attack
The WPS PIN is eight digits long, but the last digit is a checksum, so there are only 10,000,000 combinations to guess!
When trying to gain access with the PIN, the registrar reports the validity of the first and second halves of the PIN separately, meaning we need to guess at most 11,000 different PINs.
Reaver was developed to take advantage of this.
In many cases Reaver can break WPS within four hours.
The only mitigation for this attack is to disable WPS.
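An added example, not from the slides or from Reaver, that makes the arithmetic on this slide concrete: the checksum digit of a WPS PIN as defined in the Wi-Fi Simple Configuration specification (digit weights 3 and 1 alternating from the right), a validity check for an 8-digit PIN, and the worst-case guess counts with and without the split first/second-half validation. The per-attempt cost passed to `hours_at_rate` is a constructed figure; at a little over a second per attempt the 11,000 guesses take about four hours, which is the slide's estimate. Lockouts and rate limits only stretch that number, which is why the slide's mitigation is to disable WPS altogether.

```python
def wps_pin_checksum(first_seven: int) -> int:
    """Checksum digit for the 7-digit body of a WPS PIN.
    Digits are weighted 3, 1, 3, 1, ... starting from the least significant digit."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def wps_pin_is_valid(pin: str) -> bool:
    """True if `pin` is exactly 8 decimal digits whose last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_pin_checksum(int(pin[:7]))


def wps_guess_counts() -> dict:
    """Worst-case number of online guesses against the 8-digit PIN under three views."""
    return {
        "all_8_digits": 10 ** 8,          # naive: every 8-digit string
        "checksum_fixed": 10 ** 7,        # last digit is a checksum, so 7 secret digits
        "split_halves": 10 ** 4 + 10 ** 3,  # first half confirmed on its own (10^4),
                                          # then 3 free digits + checksum (10^3)
    }


def hours_at_rate(guesses: int, seconds_per_guess: float) -> float:
    """Time to exhaust `guesses` at a fixed per-attempt cost (round trip, lockout, etc.)."""
    return guesses * seconds_per_guess / 3600


if __name__ == "__main__":
    counts = wps_guess_counts()
    print("worst-case guesses:", counts)
    print("12345670 valid:", wps_pin_is_valid("12345670"))  # reference example PIN
    # constructed per-attempt cost of 1.3 s: roughly the slide's "within four hours"
    print("hours for split-half search at 1.3 s/guess:", round(hours_at_rate(counts["split_halves"], 1.3), 2))
```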
WPA – Wi-Fi Protected Access
WPA is the response to the vulnerabilities in WEP.
WPA uses 256-bit keys (an improvement over the 64- and 128-bit WEP keys).
WPA also introduced message integrity checks to detect packets that were altered in transit.
It originally used the Temporal Key Integrity Protocol (TKIP), which employs a per-packet key, much more secure than the fixed key used in WEP.
TKIP was eventually replaced with the Advanced Encryption Standard (AES).
WPA vs WPA2
WPA2 was designed to replace WPA in 2006.
The primary change was mandatory use of AES and the introduction of CCMP as a replacement for TKIP.
WPA has been shown to be vulnerable due to its use of TKIP, but current attacks do not give away the key.
The most common way a WPA network is broken into is through WPS.
WPA2 has some very obscure vulnerabilities, but they usually require the attacker to already have access to the network.
The Four Way Handshake
Step 0: Monitor Mode
iwconfig → find the wireless interface
sudo ifconfig [wireless interface] down
sudo iwconfig [wireless interface] mode monitor
sudo ifconfig [wireless interface] up
Step 1: Capture Handshake
airodump-ng [interface name]
Find the network, its BSSID, and its channel
airodump-ng -w [output file] -c [channel] --bssid [bssid] [interface name]
Step 2: Deauthenticate
In a new terminal:
aireplay-ng --deauth 2 -a [access point] -c [target client] [interface]
What next?
We need a list of passwords which we can test against the handshake.
For very good passwords this can take a very, very long time.
Imagine an 8-character password containing upper- and lowercase letters and numbers: (26+26+10)^8 = 2.18*10^14 possible passwords.
Luckily most people suck at making passwords.
Crunch
Crunch is a tool which lets us create large lists of possible passwords.
Note that these password lists can get very large very fast: a lowercase-only 8-character password list is about 1.75 TB.
Some examples:
crunch 4 4 → generates a list of words aaaa – zzzz
crunch 1 4 → generates a list of words a – zzzz
More Crunchy Goodness
Using the -t flag followed by a pattern built from '@', ',', '%', or '^' we can get more specific words:
@ = lowercase, , = uppercase, % = numbers, ^ = symbols
crunch 4 4 -t @@@@ → aaaa – zzzz
crunch 4 4 -t ,,,, → AAAA – ZZZZ
crunch 4 4 -t %%@, → 00aA – 99zZ
crunch 5 5 -t A2@@@ → A2aaa – A2zzz
Step 3: Break the Key
aircrack-ng -w [wordlist] [capfile]
How can we make this faster?
Pyrit is an alternative to aircrack-ng for breaking WPA keys. It uses your GPU rather than the CPU to test candidate passwords much faster.
Very large GPU clusters can test millions of passwords per second.
Cowpatty is another alternative to Pyrit and aircrack-ng.
There are very large precomputed hash tables online which can be used to crack passwords for common SSIDs.
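As an added example (not from the slides, nor from Aircrack-ng, Pyrit or Cowpatty), here is the computation behind this slide and the earlier "What next?" keyspace slide. WPA/WPA2-Personal derives the 256-bit pairwise master key (PMK) from the passphrase with PBKDF2-HMAC-SHA1 at 4096 iterations, using the SSID as the salt (IEEE 802.11i). Every candidate password therefore costs 4096 HMAC rounds, which is the work the GPU tools parallelise, and the salt is why precomputed tables are only useful for the SSID they were built for. The helpers also size the brute-force keyspace from the "What next?" slide and estimate the time to exhaust it at an assumed guess rate (the rate is a constructed figure). The test vector used is the one published in the IEEE 802.11i annex.

```python
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11i standard
PMK_LENGTH = 32            # 256-bit pairwise master key
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes),
    the passphrase-to-key mapping used by WPA/WPA2-Personal."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS, PMK_LENGTH)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters over an alphabet."""
    return alphabet_size ** length


def wordlist_size_bytes(alphabet_size: int, length: int) -> int:
    """Bytes needed to store every candidate as one line (`length` chars plus a newline)."""
    return keyspace(alphabet_size, length) * (length + 1)


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given PMK-derivation rate."""
    return candidates / guesses_per_second


def tables_are_ssid_specific(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Same passphrase, different SSID gives a different PMK, so a table of
    precomputed PMKs for one SSID says nothing about another."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # IEEE 802.11i reference vector: passphrase "password", SSID "IEEE"
    print("PMK:", derive_pmk("password", "IEEE").hex())
    mixed_8 = keyspace(26 + 26 + 10, 8)
    print("8-char upper/lower/digit keyspace:", mixed_8)
    # constructed rate of one million PMKs per second
    print("years to exhaust at 1e6 guesses/s:",
          round(seconds_to_exhaust(mixed_8, 1e6) / SECONDS_PER_YEAR, 2))
    print("lowercase 8-char wordlist, bytes:", wordlist_size_bytes(26, 8))
    print("precomputed tables tied to SSID:", tables_are_ssid_specific("password", "IEEE", "IEEE2"))
```

Two defender-side observations fall out of the numbers: a unique SSID makes the published precomputed tables useless against your network, and the PBKDF2 cost only protects a passphrase whose keyspace is large enough that a million guesses per second still takes years.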