Presentation is loading. Please wait.

Presentation is loading. Please wait.

Breaking into Wi-Fi Networks

Published byEce Yavaş Modified over 5 years ago

Similar presentations

Presentation on theme: "Breaking into Wi-Fi Networks"— Presentation transcript:

1 Breaking into Wi-Fi Networks

2 Disclaimer... Unauthorized access to a network is unlawful and can lead to criminal charges. Whether or not this applies to open networks is widely disputed and varies between states

3 Useful Tools Aircrack-ng: A 802.11 WEP and WPA key cracking program.
Pyrit – A WPA/WPA2 key cracker which utilizes your GPU Cowpatty -Another useful tool for WPA/WPA2 key cracking Crunch – A wordlist generator Reaver – A tool to break WPS

4 Wi-Fi Basics Operates over 2.4 GHz and 5 GHz Infrastructure mode
Wireless devices connect to a single access point and communicate through it Ad hoc mode All wireless nodes communicate with each other directly In both cases all devices must agree on a SSID We will be focusing on infrastructure mode

5 The SSID and BSSID The BSSID (basic service set identification) is the MAC address of the access point. The SSID is the human readable name of the access point. This is what you see when you look at a list of nearby wireless networks.

6 Making the SSID 'hidden' By making the network hidden, access points no longer send their SSID in beacon packets and will no longer respond to broadcast probe requests Many people think that by hiding their network that will keep unauthorized users from finding and connecting to their network Security through obscurity is not secure!

7 Circumventing a hidden SSID
Association requests to the access point require the SSID Every authorized client needs to transmit the SSID to the access point in order to connect to the network All an unauthorized user needs to do is wait for someone to connect to the access point

8 ...or we could force their hand
We can boot a user off the network using a deauthentication attack. Using aireplay-ng we can send a deauthentication packet to the client, claiming to be the access point. After deauthenticating, the user will automatically reconnect.

9 MAC Address Filtering Essentially a white listing policy where the only devices allowed to connect to the access point are those with approved MAC addresses At one time MAC addresses were static things burned right into the hardware of wireless cards – making MAC filtering somewhat effective.

10 Those days are long gone
Changing your MAC address is very trivial Most modern cards/drivers support MAC address spoofing All you need to do is find the MAC address of an authorized client and match their MAC address.

11 WEP – Wired Equivalent Policy
WEP was introduced as a means of making wireless data confidential Uses the stream cipher RC4 to encrypt data 64 bit WEP uses a 40 bit key (ten hexadecimal characters) concatenated with a 24 bit initialization vector 128 bit WEP works in the same way but with 26 hexadecimal characters. Most devices also allow the user to enter the key 13 ASCII characters Officially retired in 2004

12 Attacking WEP with a Dictionary
Feed some cracking software a dictionary and a .cap file with the hopes that it will brute force the password. Dictionary attacks are uncommon because there is no real standard on how to translate a password into a WEP key It is much easier to attack the weak cipher which WEP uses to encrypt it's data

13 Attacking WEP With Aircrack-ng
WEP can be easily broken because vulnerabilities in the RC4 shift cipher it uses to encrypt data The IVs (initialization vectors) are perpended to the secret key which means that if an attacker captures enough data packets, a couple of seconds of analysis can break the key.

14 WPS- Wi-Fi Protected Setup
WPS adds a simple way to allow people to connect to the network without worrying about having to remember difficult passwords This can be implemented in different ways: A button the access point A shared PIN between the access point and station A USB NFC

15 The Online Brute Force Attack
The pin WPS uses is eight digits long but the last digit is used as a checksum so you only need to guess combinations! When trying to gain access with the PIN the registrar reports the validity of the first and second half of the PINS separately meaning that we need to guess at most 11,000 different pins Reaver was developed to take advantage of this attack. In many cases reaver can break WPS within four hours The only mitigation for this attack is to disable WPS

16 WPA -Wi-Fi Protected Access
WPA is the response to the vulnerabilities in WEP WPA uses 256-bit keys (an improvement over 64 and 128 bit WEP keys) WPA also introduced message integrity checks to determine if packets were captured It originally used the temporal key integrity protocol (TKIP) which employed a per-packet key system which is much more secure than the fixed key used in WEP TKIP was eventually replaced with Advanced Encryption Standard (AES)

17 WPA vs WPA2 WPA2 was designed to replace WPA in 2006
The primary change was a mandatory use of AES and the introduction of CCMP as a replacement for TKIP WPA has been shown to be vulnerable due to the use of TKIP but current attacks do not give away the key. The most common way a WPA network is broken into is through WPS WPA2 has some very obscure vulnerabilities but they usually require the attacker to already have access to the network

18 The Four Way Handshake

19 Step 0: Monitor Mode Iwconfig → find wireless interface
Sudo ifconfig [wireless interface] down Sudo iwconfig [wireless interface] mode monitor Sudo ifconfig [wireless interface] up

20 Step 1: Capture Handshake
Airodump-ng [interface name] Find network, BSSID, and channel Airodump-ng -w [output file] -c [channel] –bssid [bssid] [interfacename]

21 Step 2: Deauthenticate New terminal
Aireplay-ng –deauth 2 -a [access point] -c [target client] [interface]

22 What next? We need a list of passwords which we can test against the handshake For very good passwords this can take a very, very long time Imagine an 8 character long password which contains upper and lowercase letters with numbers… ( )^8= 2.18*10^14 possible passwords Luckily most people suck at making passwords

23 Crunch Crunch is a tool which lets us create large lists of possible passwords Note that these password lists can get very large very fast A lowercase only 8 character password list is about TB Some examples: Crunch 4 4 → generates a list of words aaaa – zzzz Crunch 1 4 → generates a list of words a - zzzz

24 More Crunchy Goodness Using the -t flag followed by ',' '%', or '^'] we can get more specific words @=lowercase ,=uppercase %=numbers ^=symbols Crunch 4 4 -t → aaaa – zzzz Crunch 4 4 -t ,,,, → AAAA-ZZZZ Crunch 4 4 -t → 00aA – 99zZ Crunch 5 5 -t → A2aaa - A2zzz

25 Step 3: Break the Key Aircrack-ng -w [wordlist] [capfile]

26 How can we make this faster?
Pyrit is an alternative to aircrack-ng for breaking WPA keys. It uses your GPU over the CPU to crack password hashes much faster Very large GPU clusters can guess millions of passwords per second Cowpatty is another alternative to pyrit and aircrack-ng There are very large precomputed hash tables online which can be used to crack passwords to common SSIDs

Download ppt "Breaking into Wi-Fi Networks"

Similar presentations

Overview How to crack WEP and WPA

Overview How to crack WEP and WPA
1 Practical stuff Crack the WPA key of this laptop. SSID: « Philips WiFi » Password list and cowpatty table available on CD (only useful today).

1 Practical stuff Crack the WPA key of this laptop. SSID: « Philips WiFi » Password list and cowpatty table available on CD (only useful today).
Crack WEP Lab Last Update 2014.08.12 1.1.0 1Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com.

Crack WEP Lab Last Update Copyright 2014 Kenneth M. Chipps Ph.D.
ACM Wi-Fi Workshop Presented By: Chris Rawlings Brad Emge.

ACM Wi-Fi Workshop Presented By: Chris Rawlings Brad Emge.
Wireless Cracking By: Christopher Zacky.

Wireless Cracking By: Christopher Zacky.
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Crack WPA Lab Last Update 2014.06.11 1.0.0 1Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com.

Crack WPA Lab Last Update Copyright 2014 Kenneth M. Chipps Ph.D.
CSE 6590 1.  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in 802.11  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Hacking WLAN // BRUTE FORCE CRACKER // TCP/IP. WLAN HACK Wired Equivalent Privacy (WEP) encryption was designed to protect against casual snooping, but.

Hacking WLAN // BRUTE FORCE CRACKER // TCP/IP. WLAN HACK Wired Equivalent Privacy (WEP) encryption was designed to protect against casual snooping, but.
Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.

Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Security in IEEE 802.11 wireless networks Piotr Polak University Politehnica of Bucharest, December 2008.

Security in IEEE wireless networks Piotr Polak University Politehnica of Bucharest, December 2008.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.

Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
802.11 Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.

Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.
WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.

WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.
 Any unauthorized device that provides wireless access  Implemented using software, hardware, or a combination of both  It can be intentional or unintentionally.

 Any unauthorized device that provides wireless access  Implemented using software, hardware, or a combination of both  It can be intentional or unintentionally.

Similar presentations

Ads by Google