SHARKFEST ‘10 | Stanford University | June 14–17, 2010 | Wireless Security | June 16, 2010 | Thomas d’Otreppe de Bouvette, Author of Aircrack-ng

Presentation transcript:

Wireless Security, June 16, 2010. Thomas d’Otreppe de Bouvette, Author of Aircrack-ng.

Agenda
WEP
WPA
Choose hardware
Wireless reconnaissance
– Airgraph-ng
– GISKismet

WEP
Still broken but still used
Sometimes you can’t crack the key: « What can I do? »

WEP
Check if you have enough data packets:
– ~30K are needed for 64 bit with PTW
– ~80K for 128 bit with PTW
Switch to KoreK starting from K packets:
– ~200K for 64 bit with KoreK
– ~500K for 128 bit with KoreK
Usually, if you can’t crack, as a rule of thumb, just get more (data) packets.
More than enough and still can’t crack the key? Split the capture file and crack the parts individually.

WEP – Split files
Pcap-util: Perl script
Works on Linux/Windows

WEP – Split files (2)

WEP – Split files (3)
Has several options:
– Split in files of X Mb
– Extract packets that fall within a period of time
– Extract packets that match a libpcap filter
Just need to split in smaller files, so:
– perl pcap-util split large.pcap small 3

WEP – PTW limitations
Works with 64 and 128 bit keys
Works in 2 phases:
– Phase 1: ARP
– Phase 2: Then use all other data packets (some packets are ignored because they are known to be unusable for PTW)
List of usable packets can be found at –

WEP – WEP Cloaking ™
« Motorola AirDefense WEP Cloaking™ provides protection for wireless infrastructure secured by legacy encryption protocols. This is an add-on module to Motorola AirDefense Enterprise, the market leading Wireless Intrusion Prevention System. »
Solution: airdecloak-ng, but sometimes aircrack-ng can crack it directly

WEP – WEP Cloaking ™ (2)
aircrack-ng wep_cloaking_full_speed_dl.pcap -b 00:12:BF:12:32:29 -K -n 64 -d 1F:1F:1F

WEP – WEP Cloaking ™ (3)

WEP – WEP Cloaking ™ (4)
Not all packets were filtered out, but enough to crack the key

WEP – Broken capture file
Aircrack-ng:
– Invalid packet capture length 0 - corrupted file?
Wireshark:

WEP – Broken capture file (2)

WEP – Broken capture file (3)
Mark first packet
Mark the last good packet
File – Save as …
Select « first to last marked packet »
Select an output filename, then save it
DONE
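The two capture-file repairs described in the split-files and broken-capture-file slides can be scripted once you walk the libpcap record structure yourself. The block below is an added example, not code from the talk, from pcap-util or from aircrack-ng: split_pcap() does what "pcap-util split" does (size-bounded chunks that are each a valid pcap), and truncate_at_corruption() does what the Wireshark mark-first / mark-last-good / Save As procedure does, cutting the file at the last well-formed record when a record with capture length 0 (the "Invalid packet capture length 0 - corrupted file?" case) or a truncated record is found. The sample capture is constructed inline with dummy payloads; the magic numbers and header layouts are the standard libpcap ones.

```python
"""Minimal libpcap file walker: split a capture into size-bounded chunks and
cut a capture off at the last good record before a corruption. Added example,
not from the presentation or the aircrack-ng project; sample data constructed."""
import struct

PCAP_MAGIC_US = 0xA1B2C3D4      # microsecond-resolution timestamps
PCAP_MAGIC_NS = 0xA1B23C4D      # nanosecond-resolution timestamps
GLOBAL_HDR_LEN = 24             # magic, version, tz, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16             # ts_sec, ts_frac, caplen, origlen


def parse_global_header(data):
    """Return (struct byte-order prefix, snaplen); raise ValueError if not pcap."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than a pcap global header")
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            return order, struct.unpack(order + "I", data[16:20])[0]
    raise ValueError("not a libpcap file (bad magic)")


def iter_records(data):
    """Yield (offset, total_length) for each well-formed record, in file order.
    Stop at the first corrupt record: capture length 0, capture length above
    snaplen or above the on-wire length, or a record cut off by end of file."""
    order, snaplen = parse_global_header(data)
    off = GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(data):
        _ts_sec, _ts_frac, caplen, origlen = struct.unpack(
            order + "IIII", data[off:off + RECORD_HDR_LEN])
        if caplen == 0 or caplen > snaplen or caplen > origlen:
            return  # the "Invalid packet capture length" situation
        end = off + RECORD_HDR_LEN + caplen
        if end > len(data):
            return  # record truncated by EOF
        yield off, end - off
        off = end


def truncate_at_corruption(data):
    """Return (pcap bytes up to and including the last good record, records kept)."""
    kept, count = GLOBAL_HDR_LEN, 0
    for off, length in iter_records(data):
        kept = off + length
        count += 1
    return data[:kept], count


def split_pcap(data, max_bytes):
    """Split into chunks no larger than max_bytes where possible; every chunk
    repeats the global header and no record straddles two chunks. A single
    record larger than max_bytes still gets its own chunk rather than being cut."""
    header = data[:GLOBAL_HDR_LEN]
    chunks, current = [], header
    for off, length in iter_records(data):
        if len(current) > GLOBAL_HDR_LEN and len(current) + length > max_bytes:
            chunks.append(current)
            current = header
        current += data[off:off + length]
    if len(current) > GLOBAL_HDR_LEN:
        chunks.append(current)
    return chunks


def build_sample_pcap(payload_sizes, corrupt_tail=False):
    """Constructed sample: little-endian pcap, snaplen 65535, linktype 105
    (IEEE 802.11), dummy payloads of the given sizes (each >= 2 bytes), and
    optionally a trailing record with capture length 0 followed by junk."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, 105)
    for i, size in enumerate(payload_sizes):
        out += struct.pack("<IIII", 1_000_000 + i, 0, size, size)
        out += bytes([0x08, 0x42]) + b"\x00" * (size - 2)  # looks like a data frame header
    if corrupt_tail:
        out += struct.pack("<IIII", 2_000_000, 0, 0, 0) + b"\xff" * 40
    return out


if __name__ == "__main__":
    broken = build_sample_pcap([60, 100, 80], corrupt_tail=True)
    good, n = truncate_at_corruption(broken)
    print(f"kept {n} records, {len(good)} of {len(broken)} bytes")
    for i, chunk in enumerate(split_pcap(good, 200)):
        print(f"chunk {i}: {len(chunk)} bytes, {len(list(iter_records(chunk)))} records")
```

For a real file, read it with open(path, "rb").read(), pass it through truncate_at_corruption(), and write the result back under a new name; the chunks from split_pcap() are written the same way. Because each chunk starts with the original global header, the snaplen and link type are preserved and any pcap consumer accepts them.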

Agenda
WEP
WPA
Choose hardware
Wireless reconnaissance
– Airgraph-ng
– GISKismet

WPA
WPA is at the same time easy and hard to crack:
– Easy to get the handshake
– But the passphrase can be really complex

WPA
802.11i group launched when flaws were found in WEP
2 link-layer protocols:
– TKIP (WPA1): Draft 3 of 802.11i (backward compatible with legacy hardware)
– CCMP (WPA2): final 802.11i standard
2 authentication methods:
– Personal: PSK (Shared key, 8-63 characters)
– Enterprise: MGT (Radius server)

WPA-PSK – 4 way handshake

WPA - Location
You need to be located not too far from the client and the AP to hear the whole 4-way handshake.
Aircrack-ng can work with less than the 4 EAPOL packets.

WPA – Good location

WPA – Bad location
Only hear the AP:
Only hear the client:

WPA – Airbase-ng
Act as an AP with airbase-ng and get the handshake => Just need to be in range of the client:
airbase-ng -z 2 -W 1 -y -c 6 -F dump -e "Philips WiFi" rausb0
Location problem solved ;), you just need the client:

WPA – Airbase-ng (2)
DEMO

WPA - Debug
Aircrack-ng/cowpatty/pyrit/OTHER TOOL doesn’t see the handshake, why?
So, how does it look in capture files and how do we debug it?

WPA - Debug
DEMO

WPA – Cracking
Once you have the handshake, it’s time to crack it
Two methods come to mind:
– Using a wordlist
– Bruteforcing
Bruteforce not doable since minimum key length is 8 characters, so we need a good dictionary

WPA - Dictionary
Having the right dictionary is important!
Here are a few tips to build yours:
– Use generic dictionaries, add things like:
  Language used
  Phone numbers (IE, use JTR to generate all possible phone numbers)
  City and different things around
  Other things that come to your mind, …
– Use programs to « add » words:
  John The Ripper (and Markov)
  Wyd
  …
Combine all of these … and you may end up with huge dictionaries.

WPA – Cracking hardware
Processing big dictionaries takes time
CPU too slow => Use GPU and FPGA

WPA – GPU performance
Pyrit performance

WPA – GPU Crackers
Quite easy to set up …
– apt-get install backtrack-cuda
… but
– Don’t forget the power bill ;)
– Creating dictionaries takes time
Online services available:
– Cloud computing:
– GPU:

WEP
WPA
Choose hardware
Wireless reconnaissance
– Airgraph-ng
– GISKismet

Choose hardware - Antennas
Often asked: « What is the best antenna? »
Depends on your needs:
– Long or short links? Low or high power antenna
– Point to Point or Point to Multipoint? Directional antenna or omni
– Frequency? 2.4 GHz/5 GHz (4.9/5.2/5.8/…)
– ...

Choose hardware - Antennas
Antenna pattern:
– Vertical pattern: Look at the horizon
– Horizontal pattern: Look at the ground from the sky

Choose hardware - Antennas
Omni
– Great for Point to Multipoint connections (ie, AP)
– Theory: radiate in all directions
– Highest power is not the best one

Choose hardware - Antennas
Omni 5 dBi

Choose hardware - Antennas
Omni 9 dBi

Choose hardware - Antennas
Sector 120°

Choose hardware - Antennas
Grid

Choose hardware - Antennas
Home made - Biquad

Choose hardware - Antennas
So, don’t just get the most powerful
Check the law
Look at the specs of the cards:
– RX sensitivity: ability to hear
– TX power: needed for long distance links
– Important: both take the rate, the frequency and the modulation into account
Example: Ubiquiti SRC datasheet

Choose hardware - Cables
Cables have losses:
– Thin: high loss, usually for short links (bend easily)
– Thick: low loss, for long links (can’t be bent easily)
– Loss depends on the frequency
Connectors also have losses: around 0.5 dB
A few cables (loss for 100 feet at 2.4 GHz):
– RG174: ~60 dB
– RG58: ~25 dB
– LMR 200: ~16.5 dB
– LMR 400: ~6.7 dB
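The cable and connector figures on this slide are what a link budget is built from, and putting them in a few functions makes the "don’t just get the most powerful" point of the antenna slides concrete: a 9 dBi antenna at the end of 100 feet of RG174 radiates less than a bare card. The block below is an added example, not from the talk; it uses only the per-100-foot losses listed above and the ~0.5 dB per-connector figure, and assumes loss scales linearly with cable length (the usual first-order approximation) and that the table is valid only at 2.4 GHz, since loss depends on frequency.

```python
"""Link-budget helper built on the slide's cable loss table (dB per 100 feet
at 2.4 GHz) and its ~0.5 dB per-connector figure. Added example, not from the
presentation; linear scaling with length and 2.4 GHz only are assumptions."""

# dB of loss per 100 feet at 2.4 GHz, exactly as listed on the slide
CABLE_LOSS_DB_PER_100FT_AT_2G4 = {
    "RG174": 60.0,
    "RG58": 25.0,
    "LMR200": 16.5,
    "LMR400": 6.7,
}
CONNECTOR_LOSS_DB = 0.5  # slide: "around 0.5dB" per connector


def cable_loss_db(cable, length_ft):
    """Attenuation of a run of the given cable type at 2.4 GHz.
    Cable names are matched case-insensitively and ignoring spaces ("LMR 400")."""
    key = cable.upper().replace(" ", "")
    if key not in CABLE_LOSS_DB_PER_100FT_AT_2G4:
        raise ValueError(f"no 2.4 GHz loss figure for cable {cable!r}")
    if length_ft < 0:
        raise ValueError("length must be non-negative")
    return CABLE_LOSS_DB_PER_100FT_AT_2G4[key] * length_ft / 100.0


def feed_loss_db(cable, length_ft, connectors=2):
    """Cable loss plus the connectors on the run (one at each end by default)."""
    return cable_loss_db(cable, length_ft) + connectors * CONNECTOR_LOSS_DB


def eirp_dbm(tx_power_dbm, antenna_gain_dbi, cable, length_ft, connectors=2):
    """Effective isotropic radiated power: card output minus feed loss plus
    antenna gain. This is the number regulations limit ("check the law")."""
    return tx_power_dbm - feed_loss_db(cable, length_ft, connectors) + antenna_gain_dbi


def dbm_to_mw(dbm):
    """Convert a dBm figure to milliwatts (30 dBm = 1000 mW)."""
    return 10 ** (dbm / 10.0)


def compare_cables(length_ft, connectors=2):
    """Feed loss of every listed cable for the same run, lowest loss first."""
    rows = [(cable, feed_loss_db(cable, length_ft, connectors))
            for cable in CABLE_LOSS_DB_PER_100FT_AT_2G4]
    return sorted(rows, key=lambda row: row[1])


def antenna_pays_off(antenna_gain_dbi, cable, length_ft, connectors=2):
    """True when the antenna's gain exceeds the loss of the feed line needed to
    reach it; otherwise a bigger antenna on a long, thin cable is a net loss."""
    return antenna_gain_dbi > feed_loss_db(cable, length_ft, connectors)


if __name__ == "__main__":
    for cable, loss in compare_cables(100):
        print(f"{cable:7s} 100 ft + 2 connectors: {loss:5.1f} dB")
    for cable in ("LMR400", "RG174"):
        e = eirp_dbm(20, 9, cable, 100)
        print(f"20 dBm card, 9 dBi antenna, 100 ft {cable}: EIRP {e:6.1f} dBm "
              f"({dbm_to_mw(e):.3f} mW)")
```

The same functions answer the "thin for short links, thick for long links" rule of thumb numerically: call compare_cables() with the run length you actually have and pick the cable whose loss you can afford, then check eirp_dbm() against the limit that applies where you operate.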

Agenda
WEP
WPA
Choose hardware
Wireless reconnaissance
– Airgraph-ng
– GISKismet

Airgraph-ng
Airgraph-ng creates a picture of the networks.
Usage examples:
– Display a network map
– Network monitor
Uses the CSV output of airodump-ng.
Part of the suite (can be found in scripts/)

Airgraph-ng – Graph types
Client to Access Point Relationship graph (CAPR):
– Client to Access Point Relationship
– Focus more on clients than AP
– AP without clients aren’t graphed
– Colors for each type of encryption:
  Green: WPA
  Yellow: WEP
  Red: Open
  Black: Unknown
Client Probe Graph (CPG):
– Links between clients and AP

Airgraph-ng – Examples
Parameters:
– Input file: Airodump-ng CSV file (.csv)
– Graph type:
  CAPR (Client – AP Relationship): Connected clients
  CPG (Common Probe Graph): Probed SSID
– Output file: Picture file name
Examples:
– CAPR: airgraph-ng.py -i sharkfest-01.csv -g CAPR -o sharkfest-capr.png
– CPG: airgraph-ng.py -i sharkfest-01.csv -g CPG -o sharkfest-cpg.png
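To show what airgraph-ng actually does with the airodump-ng CSV, here is an added example (not airgraph-ng’s own code) that reads such a file and emits Graphviz DOT for both graph types described above: CAPR links each associated client to its AP and colours the AP by encryption (green WPA, yellow WEP, red open, black unknown; APs without clients are not drawn), and CPG links clients to the ESSIDs they probed. SAMPLE_CSV is a constructed dump with made-up MAC addresses laid out the way airodump-ng writes its CSV (AP table, blank line, station table); the one format detail worth knowing is that probed ESSIDs are comma-separated inside the last column, so a CSV reader spreads them over extra columns and the parser gathers them back.

```python
"""airodump-ng CSV -> Graphviz DOT for CAPR and CPG graphs. Added example,
not airgraph-ng's code; the CSV below is constructed sample data."""
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-06-16 10:00:00, 2010-06-16 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,    0,   0.  0.  0.  0,  12, Philips WiFi,
00:11:22:33:44:66, 2010-06-16 10:00:01, 2010-06-16 10:05:00, 11,  54, WEP, WEP, , -55,   90, 4021,   0.  0.  0.  0,   7, oldlink,
00:11:22:33:44:77, 2010-06-16 10:00:02, 2010-06-16 10:05:00,  1,  54, OPN, , , -70,   30,    0,   0.  0.  0.  0,   7, hotspot,
00:11:22:33:44:88, 2010-06-16 10:00:03, 2010-06-16 10:05:00,  1,  54, OPN, , , -90,    2,    0,   0.  0.  0.  0,   0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2010-06-16 10:00:10, 2010-06-16 10:04:00, -50,  300, 00:11:22:33:44:55, Philips WiFi
AA:BB:CC:DD:EE:02, 2010-06-16 10:00:12, 2010-06-16 10:04:30, -60,   40, 00:11:22:33:44:66, oldlink,home
AA:BB:CC:DD:EE:03, 2010-06-16 10:01:00, 2010-06-16 10:04:50, -65,    5, (not associated), linksys,home
"""


def parse_airodump_csv(text):
    """Return ({bssid: ap}, {station_mac: client}) from airodump-ng CSV text."""
    ap_text, _, station_text = text.partition("\n\n")
    aps, clients = {}, {}
    for row in csv.reader(io.StringIO(ap_text), skipinitialspace=True):
        if len(row) < 14 or row[0] == "BSSID":
            continue  # header or blank line
        aps[row[0]] = {"channel": row[3].strip(), "privacy": row[5].strip(),
                       "essid": row[13].strip()}
    for row in csv.reader(io.StringIO(station_text), skipinitialspace=True):
        if len(row) < 6 or row[0] == "Station MAC":
            continue
        # probed ESSIDs are comma-joined in the last column, so they land in
        # columns 6..n of the parsed row; gather them all back
        probes = [p.strip() for p in row[6:] if p.strip()]
        clients[row[0]] = {"bssid": row[5].strip(), "probes": probes}
    return aps, clients


def ap_color(privacy):
    """Map airodump-ng's Privacy column to the CAPR colour scheme on the slide."""
    if "WPA" in privacy:
        return "green"
    if "WEP" in privacy:
        return "yellow"
    if "OPN" in privacy:
        return "red"
    return "black"


def capr_edges(aps, clients):
    """(bssid, station) pairs for clients associated to an AP we have seen."""
    return sorted((c["bssid"], mac) for mac, c in clients.items() if c["bssid"] in aps)


def cpg_edges(clients):
    """(station, probed ESSID) pairs, whether the station is associated or not."""
    return sorted((mac, e) for mac, c in clients.items() for e in c["probes"])


def _q(s):
    """Quote a DOT identifier/label."""
    return '"' + s.replace('"', '\\"') + '"'


def capr_dot(aps, clients):
    """Client to Access Point Relationship graph; APs without clients are omitted."""
    lines, drawn = ["graph CAPR {", "  node [fontsize=10];"], set()
    for bssid, mac in capr_edges(aps, clients):
        if bssid not in drawn:
            ap = aps[bssid]
            label = f"{ap['essid'] or '<hidden>'}\\n{bssid} ch{ap['channel']}"
            lines.append(f"  {_q(bssid)} [shape=box, style=filled, "
                         f"fillcolor={ap_color(ap['privacy'])}, label={_q(label)}];")
            drawn.add(bssid)
        lines.append(f"  {_q(bssid)} -- {_q(mac)};")
    lines.append("}")
    return "\n".join(lines)


def cpg_dot(clients):
    """Common Probe Graph: station -- probed ESSID."""
    lines = ["graph CPG {", "  node [fontsize=10];"]
    for mac, essid in cpg_edges(clients):
        lines.append(f"  {_q(mac)} -- {_q('probe: ' + essid)};")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    aps, clients = parse_airodump_csv(SAMPLE_CSV)
    print(capr_dot(aps, clients))
    print(cpg_dot(clients))
```

Pipe the output through "dot -Tpng" to get the picture. For the network-monitor use the slide mentions, the same parser is enough to diff two dumps: a BSSID that appears with your ESSID but an unknown MAC, or an AP whose Privacy column changed colour, is exactly what a rogue-AP check looks for.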

Airgraph-ng – Examples (2)
CAPR

Airgraph-ng – Examples (3)
CPG

Agenda
WEP
WPA
Choose hardware
Wireless reconnaissance
– Airgraph-ng
– GISKismet

GISKismet
« GISKismet is a wireless recon visualization tool to represent data gathered using Kismet in a flexible manner »
Displays Access Points on Google Earth => requires GPS
Also works with airodump-ng

GISKismet (2)
Stores information in a database (SQLite)
Input: Kismet newcore XML (netxml)
Outputs a KML file
Filter data:
– Input: limited to things like channel, ESSID, …
– Output: Flexible, SQL order

GISKismet (3)
Importing data:
– giskismet -x dump-01.kismet.netxml
Will create a file called wireless.dbl (SQLite3 database with 2 tables):
– Clients: all clients
– Wireless: all AP
Exporting:
– giskismet -q SQL_ORDER -o OUTPUT_FILE.kml

GISKismet (4)
SQL Queries:
– All: select * from wireless
– SSID starting with ‘SpeedTouch’: select * from wireless where ESSID like 'SpeedTouch%'
– AP from Aruba Networks: select * from wireless where Manuf = 'Aruba Networks'
– Hotspots: select * from wireless where ESSID like '%hotspot%'
– Channel 6: select * from wireless where channel = 6

?

Links
Pcap-util:
List of supported packets for PTW:
John The Ripper:
Markov:
Wyd:
« Next generation wireless recon … » (Shmoocon 2009): http://spl0it.org/files/talks/Abraham-Smith-NextGenerationWirelessRecon-VisualizingTheAirwaves-ShmooCon2009.pdf (short:
Cable loss calculator: