Module 48 (Wireless Hacking)

Presentation on theme: "Module 48 (Wireless Hacking)"— Presentation transcript:

1 Module 48 (Wireless Hacking)
At the end of this Module, you'll understand the fundamental ideas behind Wireless Hacking. You'll know about IEEE 802.11, wireless channels, and SSIDs. You'll know how the handshake works. You'll also know about the differences between WEP, WPA, and WPA2 wireless encryption. Module 48

2 Wireless
The IEEE 802.11 family of standards defines how wireless LANs are implemented.
802.11b/g work in the GHz range.
This bandwidth range is broken up into 14 overlapping channels (1-14).
US: channels 1-11 are supported (the most commonly used are the non-overlapping channels 1, 6, and 11).
Use of channels above 11 is prohibited in the U.S.
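To show why 1, 6 and 11 are the non-overlapping channels, here is an added example (not part of the slides) that computes channel overlap from centre frequencies. It assumes the standard 2.4 GHz plan (channels 1-13 centred at 2407 + 5*ch MHz, channel 14 at 2484 MHz) and a 22 MHz 802.11b channel width; the US-allowed set comes from the slide, and `check_ap_config` is a hypothetical helper for reviewing an access point's configuration.

```python
"""2.4 GHz channel-overlap check (added example; assumed 802.11 channel plan)."""

CHANNEL_WIDTH_MHZ = 22          # assumed: 802.11b DSSS occupied bandwidth
US_ALLOWED = range(1, 12)       # from the slide: channels 1-11 supported in the US


def center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel (assumed standard plan)."""
    if not 1 <= channel <= 14:
        raise ValueError(f"no 2.4 GHz channel {channel}")
    return 2484 if channel == 14 else 2407 + 5 * channel


def overlaps(a: int, b: int) -> bool:
    """Two channels overlap when their centres are less than one channel width apart."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def nonoverlapping_plan(candidates) -> list[int]:
    """Greedy lowest-first selection of mutually non-overlapping channels."""
    chosen: list[int] = []
    for ch in sorted(candidates):
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def check_ap_config(channel: int, country: str = "US") -> list[str]:
    """Hypothetical config-review helper: flag a channel outside the US-supported
    set, or one that collides with the usual 1/6/11 plan (e.g. a misconfigured
    or unexpected AP seen in a site survey)."""
    findings = []
    if country == "US" and channel not in US_ALLOWED:
        findings.append(f"channel {channel} is not permitted for use in the US")
    if channel not in (1, 6, 11):
        clashes = [c for c in (1, 6, 11) if overlaps(channel, c)]
        findings.append(f"channel {channel} overlaps standard channels {clashes}")
    return findings


if __name__ == "__main__":
    print("non-overlapping among US channels:", nonoverlapping_plan(range(1, 12)))
    for ch in (6, 3, 12):
        print(ch, check_ap_config(ch) or "ok")
```

Running it prints `[1, 6, 11]` for the US channel set, which is exactly the slide's recommendation; channel 3 is flagged as overlapping 1 and 6, and channel 12 as both unlicensed in the US and overlapping 11.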

3 SSID
SSID: Service Set IDentifier (network name)
BSSID (Basic SSID): MAC address of the Access Point (AP)
ESSID (Extended SSID): name for one or more APs providing the same service to get to a wired LAN.

4 802.11 Handshake
Probe Request
Probe Response
Auth Request
Auth Challenge
Auth Response
Auth Success
Associate Request
Associate Response
Data

5 Wireless Encryption
Open
WEP (Wired Equivalent Privacy*) uses the RC4 stream cipher and CRC32 for the integrity check
WPA (Wi-Fi Protected Access) uses the Temporal Key Integrity Protocol (TKIP); its Message Integrity Check (Michael) is subject to reinjection and spoofing
WPA2 uses Advanced Encryption Standard (AES) encryption
*for small values of private

6 WEP Authentication
Can use Open System Authentication (common), in which no authentication occurs: the Station just encrypts packets using the Key. Or shared key authentication can be used:
Station -> Access Point: Auth Request
Access Point -> Station: Auth Challenge (cleartext)
Station -> Access Point: Auth Response (RC4[Key, cleartext])
Access Point -> Station: Auth Success

7 ARP and FMS Attack
ARP (Address Resolution Protocol): a control packet that translates layer 3 network (IP) addresses to layer 2 datalink (MAC) addresses (e.g. 00:04:4A:E6:2D:7D).
Fluhrer, Mantin, and Shamir (FMS) devised an attack against WEP encryption based on the use of ARP requests.

8 WEP Cracking Details
The WEP Key is a string of 10 hex digits (4 bits each). WEP uses this 40-bit key and a dynamically generated 24-bit initialization vector (IV) to encrypt traffic. The IVs are transmitted in clear text.
RC4 is a stream cipher, so if a known message is sent many times with many different IVs, the stream cipher can be decrypted.
ARP packets are small and have both a known structure and reply. In particular, they all have a common length.
WEP is cracked by sniffing an ARP packet, then replaying it over and over again to generate many encrypted replies with different IVs.
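Slides 5, 6 and 8 together explain the structural weakness: RC4 is a stream cipher, the 24-bit IV is sent in the clear, and shared-key authentication hands an observer a cleartext challenge next to its encryption. The following added example (not from the slides or any tool) models a WEP frame as IV || RC4_{IV||Key}(payload || CRC32(payload)) and shows that one known plaintext under an IV yields the keystream for that IV, which decrypts any later frame that reuses it, with no key recovery involved; it also gives the birthday bound for IV reuse. The key, IV, challenge and payload are constructed values, and the challenge is shortened from the real 128 bytes. It does not implement the FMS key-recovery attack the slides name.

```python
"""Why RC4 + a 24-bit cleartext IV leaks keystream in WEP (added toy demo)."""
import math
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling, then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key40: bytes, iv: bytes, payload: bytes) -> bytes:
    """Encrypted WEP body; the 3-byte IV travels alongside it in the clear."""
    assert len(key40) == 5 and len(iv) == 3, "40-bit key, 24-bit IV"
    icv = zlib.crc32(payload).to_bytes(4, "little")      # CRC32 integrity check value
    return xor(payload + icv, rc4_keystream(iv + key40, len(payload) + 4))


def keystream_from_known_plaintext(known: bytes, ciphertext: bytes) -> bytes:
    """Stream cipher: ciphertext XOR (known plaintext || its CRC) = keystream for that IV."""
    icv = zlib.crc32(known).to_bytes(4, "little")
    return xor(known + icv, ciphertext)


def shared_key_auth_leak(key40: bytes) -> bytes:
    """Slide 6 scenario: the cleartext challenge and RC4[Key, cleartext] response are
    both on the air. Recover that IV's keystream and read a later data frame
    that reuses the same IV, without ever learning the key."""
    iv = b"\x01\x02\x03"                                 # constructed IV
    challenge = bytes(range(64))                         # constructed; real WEP uses 128 bytes
    response = wep_encrypt(key40, iv, challenge)         # Auth Response
    keystream = keystream_from_known_plaintext(challenge, response)
    # The 24-bit IV space is tiny, so this IV comes around again on a data frame:
    secret = b"ARP who-has 10.0.0.1"                     # constructed payload
    data_frame = wep_encrypt(key40, iv, secret)
    return xor(data_frame, keystream)[: len(secret)]


def iv_reuse_probability(frames: int) -> float:
    """Birthday bound: chance at least one 24-bit IV repeats among `frames` random
    IVs (counter-based IVs simply wrap after 2**24 frames)."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * 2 ** 24))


if __name__ == "__main__":
    key = b"\x0b\xad\xc0\xff\xee"                        # constructed 40-bit key
    print(shared_key_auth_leak(key))                     # b'ARP who-has 10.0.0.1'
    print(f"P(IV reuse after 5000 frames) = {iv_reuse_probability(5000):.2f}")
```

The point for a defender is that neither the key length nor the CRC matters here: a stream cipher whose keystream depends only on a 24-bit public value will repeat keystream within a few thousand frames, and any known plaintext (an authentication challenge, a fixed-format ARP packet) converts that repeat into plaintext recovery. This is why WEP is treated as equivalent to an open network.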

9 How Does WPA Encryption Work?
The Access Point and client Station share a secret Pairwise Master Key (PMK).
The AP and Station use a four-way handshake to establish a Pairwise Transient Key (PTK).
If the four-way handshake can be captured, then a dictionary attack can be mounted to verify the PMK.
If a connection is dropped it can be re-established by repeating the handshake.

11 How is WPA Cracked?
Dictionary attack on the Pairwise Master Key.
Resources for dictionary attacks: wireless AP-specific wordlists (often include regionally meaningful sports team names and phrases)
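Slides 9 and 11 hinge on the PMK being derived from the passphrase, so the cost of a dictionary attack is the cost of re-deriving PMKs. The added example below (not from the slides) shows that derivation and what it implies for choosing a passphrase. It assumes the IEEE 802.11i definition for pre-shared-key networks, PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), and the standard's published test vector for passphrase "password" on SSID "IEEE"; the throughput and wordlist sizes are constructed placeholders, and no handshake verification is implemented.

```python
"""WPA/WPA2-Personal PMK derivation and passphrase work factor (added example)."""
import hashlib


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for a pre-shared-key network (assumed 802.11i definition)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def matches_test_vector() -> bool:
    """Check against the 802.11i test vector (assumed value, quoted from memory of the standard)."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return wpa_pmk("password", "IEEE").hex() == expected


def ssid_changes_pmk(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """The SSID is the PBKDF2 salt: the same passphrase on a different SSID gives a
    different PMK, so precomputed PMK tables only help against common SSIDs."""
    return wpa_pmk(passphrase, ssid_a) != wpa_pmk(passphrase, ssid_b)


def seconds_to_exhaust(candidates: float, pmk_per_second: float) -> float:
    """Time to derive and test `candidates` guesses against a captured handshake,
    given how many PMKs (4096 HMAC-SHA1 rounds each) the attacker derives per second."""
    return candidates / pmk_per_second


def passphrase_exposure(wordlist_size: int, random_bits: float,
                        pmk_per_second: float) -> dict:
    """Compare a wordlist search (slide 11) with brute force against a passphrase
    carrying `random_bits` of entropy, at the same derivation rate."""
    return {
        "wordlist_hours": seconds_to_exhaust(wordlist_size, pmk_per_second) / 3600,
        "random_years": seconds_to_exhaust(2 ** random_bits, pmk_per_second) / (3600 * 24 * 365),
    }


if __name__ == "__main__":
    print("test vector ok:", matches_test_vector())
    # Constructed figures: a 100-million-entry regional wordlist versus a random
    # 60-bit passphrase, at a placeholder rate of 1e5 PMK derivations per second.
    print(passphrase_exposure(10 ** 8, 60, 1e5))
```

The example makes the defensive conclusions concrete: PBKDF2 with 4096 iterations bounds the attacker's rate, so a PSK that is not in any wordlist and carries real entropy stays out of reach, while the SSID salt means a non-default network name defeats precomputed tables. The handshake capture itself cannot be prevented, so passphrase quality is the control.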

12 How do I get Kali to use my host's wireless connection?
You don't usually use the host's wireless connection. It is better to use a USB wireless adapter. Recommended adapter: ALFA AWUS036NHR
Practical applications next Thursday

