Distributed WPA Cracking. CSCI5673 - Distributed Systems, Spring 2011, University of Colorado. Rodney Beede, Ryan Kroiss, Arpit Sud. 2011-05-02.

Presentation transcript:


Topics
- The Team
- Introduction
- WPA 1/2
- Architecture
- Master Node
- Worker Node
- Test Methodology
- Results & Conclusions
- Future Work
- Questions

Introduction
- Cracking WiFi
  o WEP - easy
  o WPA - hard
- Brute Force
  o Not practical
  o 8 character minimum
- Dictionary
  o Common passwords
- coWPAtty by Joshua Wright
  o Generate rainbow table
  o Search rainbow table

Introduction - Our Idea
- Distributed key generation
  o Already done
- Distributed table lookup
  o Not done
- Web service
- Fast lookup
- Modify existing code

WPA a.k.a. WPA1
- WPA stands for WiFi Protected Access
- Meant to replace WEP
  o WEP failed to meet its security goals
- Comes in two flavours
  o WPA-PSK* (Pre-Shared Key), which uses TKIP
  o WPA-Enterprise, more secure but requires RADIUS authentication server
* also known as WPA-Personal

WPA2
- Successor to WPA
- Makes PSK more secure as it uses CCMP instead of TKIP
- Both WPA-PSK and WPA2-PSK are susceptible to password cracking attacks
- No known attacks against Enterprise flavors
  o The Lesson is....

Attacking WPA-PSK
- Authentication handshake required for cracking WPA-PSK
- Authentication handshake happens when a client connects to AP (and also when the client "thinks" it is no longer authenticated)
- Packet capture is 3-step process
  o Place wireless card in monitor mode ("listen all")
  o Start packet capture
  o Send a deauthentication packet to wireless client to induce authentication handshake
- A script is provided that performs the above 3 steps

Architecture

Master Node
- Java web application
- Accepts jobs
  o Upload .cap file
  o SSID name
- Queues job
  o Runs 1 at a time
- Tracks worker status
  o NOT LOADED
  o LOADED
  o RUNNING
  o FINISHED
  o ERROR

Master Node (cont)
- Start / Kill worker clients
  o Remote ssh
  o Hand out table offsets
- Records web app log
- Job Run
  1. User submits job
  2. Master saves to NFS share
  3. Master tells workers
     1. When ready
     2. TCP packet
     3. Location of files and output destination
  4. Master checks SOLUTION file

Worker Node
- Started by master
- Loads rainbow table into memory
  o 1000 files x 40MB = 40GB (5GB per worker)
- Giant byte array with pointers per SSID
- Creates socket to listen for messages from master
- Possible message types
  o START
  o STATUS
  o KILL

Worker Node (cont)
- STATUS - returns worker status
- KILL - kills current job (if applicable)
- START command creates new thread
  o Looks up SSID
  o Finds corresponding portion of rainbow table
  o Leverages coWPAtty for password look up
  o If password is found
    * Worker outputs solution to file
    * Master tells other workers to stop
  o Otherwise, workers report FINISHED after reading through table

Original coWPAtty
- Read records in rainbow table
- Records contain length, passphrase, and PMK
- PMK -> PTK (requires capture data)
- PTK -> MAC
- Grab key MIC
- Compare with MIC found in capture data

Serial versus Distributed
- Serial
  o Run once and done
  o Reads data from disk
  o Runs on one machine
  o Quick start-up time
  o Less opportunity for optimizations
- Distributed
  o Runs as a service
  o Loads data into memory
  o Runs on N machines
  o Slow start-up time
  o More opportunity for optimizations

Test Methodology
- 996,358 word rainbow table
  o 1,000 SSIDs
  o 40MB / SSID
  o 40GB total size
- 8 worker nodes
- 1 master node
- Cisco C210 M1 (on loan from Cisco)
  o Two Intel Xeon E5540 (2.5GHz)
    * 8 logical CPUs
  o 72GB RAM
  o Sixteen 10K RPM SAS 6.0 gbps 146GB drives
    * RAID5

Test Methodology (cont)
- Packet capture data with SSID linksys available in SVN
- Test data created with the following keys:
  o First in Dictionary: !8zj39le
  o Middle in Dictionary: }ttringe
  o Last in Dictionary: korrelie
- Gathered data for time taken to find solution from Master and worker logs
- Compared to original coWPAtty running on a single node
- Results shown on next slide are average of times recorded by the 3 of us

Results & Conclusions
- First in dictionary
  o Serial = 8 milliseconds
  o Distributed = 5 milliseconds
- Middle in dictionary
  o Serial = 3056 milliseconds
  o Distributed = 742 milliseconds
- Last in dictionary
  o Serial = 6014 milliseconds
  o Distributed = 767 milliseconds
- Seemingly small
  o Scalable
  o Ideal for web service

Future Work
- GUI client for data capture
- Distribute table generation
- Hybrid disk/memory approach
- Thousands of heterogeneous clients
  o Like
- Rewrite in Java or C++
  o Simpler code
- Improved data structures

Questions?
cracking/

Tips for a secure PSK wireless network:
- Use a unique SSID (not linksys or home)
- Have a long* & unique key; use special characters
* max. 63 characters
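
The advice about a unique SSID follows from how the PMK stored in each table record is derived: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, so a precomputed table is valid only for the SSID it was built for. The following is an added example, not code from the project; the helper names, the SSID `cu-lab-7f3a` and the 20-character policy threshold are assumptions, and the sample dictionary is the three test keys from the methodology slide.

```python
from __future__ import annotations

import hashlib

# Constructed sample data: the two SSIDs the tips slide names as non-unique
# and the three dictionary test keys from the test methodology slide.
COMMON_SSIDS = {"linksys", "home"}
DICTIONARY = ["!8zj39le", "}ttringe", "korrelie"]


def pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def build_table(ssid: str, words: list[str]) -> dict[bytes, str]:
    """Precompute PMK -> passphrase for ONE SSID, as a per-SSID table does."""
    return {pmk(word, ssid): word for word in words}


def table_hits(table: dict[bytes, str], ssid: str, passphrase: str) -> bool:
    """True if this network's PMK is present in the precomputed table."""
    return pmk(passphrase, ssid) in table


def audit_psk(ssid: str, passphrase: str, min_len: int = 20) -> list[str]:
    """Findings for one PSK configuration; min_len is an assumed local policy."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("passphrase length outside the 8..63 range")
    if ssid.lower() in COMMON_SSIDS:
        findings.append("common SSID: precomputed tables for it apply")
    if passphrase in DICTIONARY:
        findings.append("passphrase is a dictionary word")
    elif len(passphrase) < min_len:
        findings.append(f"passphrase shorter than {min_len} characters")
    return findings


if __name__ == "__main__":
    table = build_table("linksys", DICTIONARY)
    # Same weak passphrase, two SSIDs: only the common SSID is covered.
    for ssid in ("linksys", "cu-lab-7f3a"):
        print(ssid, table_hits(table, ssid, "korrelie"), audit_psk(ssid, "korrelie"))
```

A unique SSID only removes the precomputation advantage; a dictionary passphrase still falls to a fresh dictionary run, which is why the audit reports both findings separately.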