Hands-On Ethical Hacking and Network Defense
Lecture 14: Cracking WEP
Last modified 5-11-09

Legal Concerns
Defeating security to enter a network without permission is clearly illegal, even if the security is weak.
Sniffing unencrypted wireless traffic may also be illegal: it could be regarded as an illegal wiretap.
The situation is unclear, and varies from state to state.
In California, privacy concerns tend to outweigh other considerations.
See links l14v, l14w.

Equipment: Wireless Network Interface Cards (NICs) and Drivers

The Goal
All wireless NICs can connect to an Access Point.
But hacking requires more than that, because we need to do:
  Sniffing: collecting traffic addressed to other devices
  Injection: transmitting forged packets which will appear to be from other devices

Windows v. Linux
The best wireless hacking software is written for Linux.
The Windows tools are inferior, and (as of this lecture) don't support packet injection.
But all the wireless NICs are designed for Windows, and the drivers are written for Windows.
Linux drivers are hard to find and confusing to install.

Wireless NIC Modes
There are four modes a NIC can use:
  Master mode
  Managed mode
  Ad-hoc mode
  Monitor mode
See link l_14j.

Master Mode
Also called AP or Infrastructure mode.
Looks like an access point.
Creates a network with a name (SSID) and a channel.

Managed Mode
Also called Client mode; the usual mode for a Wi-Fi laptop.
Joins a network created by a master.
Automatically changes channel to match the master.
Presents credentials and, if accepted, becomes associated with the master.

Typical Wireless LAN (diagram): Access Point in Master Mode, Clients in Managed Mode

Ad-hoc Mode (diagram: nodes in Ad-hoc Mode)
Peer-to-peer network.
No master or Access Point.
Nodes must agree on a channel and SSID.

Monitor Mode
Does not associate with an Access Point.
Listens to traffic: like a wired NIC in Promiscuous Mode.
The analogy is loose, though. A monitor-mode NIC delivers raw 802.11 frames (management, control and data, with their 802.11 headers intact) for every network on the channel, whereas a managed-mode NIC in promiscuous mode only sees frames of the network it is associated with, and the driver usually hands them up as Ethernet frames with the 802.11 header stripped. Monitor mode is the one that sniffing and WEP cracking need.
(Diagram: Monitor Mode, Master Mode, Managed Mode)

Wi-Fi NICs
To connect to a Wi-Fi network, you need a Network Interface Card (NIC).
At the time of this lecture the most common add-on type is the PCMCIA card, designed for laptop computers.

USB and PCI Wi-Fi NICs
USB: can be used on a laptop or desktop PC.
PCI: installs inside a desktop PC.

Choosing a NIC
For penetration testing (hacking), consider these factors:
  Chipset
  Output power
  Receiving sensitivity
  External antenna connectors
  Support for 802.11i and improved WEP versions

Wi-Fi NIC Manufacturers
Each wireless card has two manufacturers.
The card itself is made by a company like Netgear, Ubiquiti, Linksys, D-Link, and many, many others.
But the chipset (control circuitry) is made by a different company.

Chipsets
To find out what chipset your card uses, you usually have to search on the Web; card manufacturers don't advertise it, and the same model name can ship with a different chipset in a later hardware revision.
(On Linux, lspci -nn or lsusb shows the vendor and device IDs, which identify the chipset more reliably than the brand name on the box.)
Major chipsets:
  Prism
  Cisco Aironet
  Hermes/Orinoco
  Atheros
There are others.

Prism Chipset
Prism chipset is a favorite among hackers.
Completely open: specifications available.
Has more Linux drivers than any other chipset.
See link l_14d.

Prism Chipset (continued)
Prism chipset is the best choice for penetration testing.
HostAP Linux drivers are highly recommended, supporting:
  The NIC acting as an Access Point
  Use of the iwconfig command to configure the NIC
See link l_14h.

Cisco Aironet Chipset
Cisco proprietary: not open.
Based on Prism, with more features:
  Regulated power output
  Hardware-based channel-hopping
Very sensitive: good for wardriving.
Cannot use HostAP drivers.
Not useful for man-in-the-middle or other complex attacks.

Hermes Chipset
Lucent proprietary: not open.
Lucent published some source code for WaveLAN/ORiNOCO cards.
Useful for all penetration testing, but requires the Shmoo driver patches (link l_14l) to use monitor mode.

Atheros Chipset
The most common chipset in 802.11a devices.
Best Atheros drivers are MadWIFI (link l_14m).
Some cards work better than others.
Monitor mode is available, at least for some cards.

Other Cards
If all else fails, you could use Windows drivers with a wrapper to make them work in Linux:
  DriverLoader (link l_14n)
  NdisWrapper (link l_14o)
But all you'll get is basic functions, not monitor mode or packet injection.
Not much use for hacking.

Cracking WEP: Tools and Principles

A Simple WEP Crack
The Access Point and Client are using WEP encryption.
The hacker device just listens.
(Diagram: Hacker Listening; WEP-Protected WLAN)

Listening is Slow
You need to capture 50,000 to 200,000 "interesting" packets to crack a 64-bit WEP key with the classic FMS/KoreK statistical attacks.
The "interesting" packets are the ones containing Initialization Vectors (IVs). Every WEP-encrypted data frame carries a 24-bit IV in the clear in front of its ciphertext; beacons, probes, ACKs and the other management and control frames carry none, and a retransmission repeats an IV you already have.
So only a fraction of the captured frames (about 1/4 on a typical network) yield a new IV, and you need 200,000 to 800,000 packets in total.
It can take hours or days to capture that many packets on a lightly used network.
(Caveat: aircrack-ng 0.9 and later also implement the PTW attack, which recovers a 104-bit key from roughly 40,000 to 85,000 captured data frames with 50 to 95 percent success, so the counts above are the worst case for the older attacks, not a lower bound.)

Packet Injection
A second hacker machine injects packets to create more "interesting" packets.
WEP has no replay protection, so the injector does not need the key: it captures an encrypted frame that the network will answer (typically an ARP request, recognizable by its fixed size) and re-transmits it over and over. The AP relays each copy under a fresh IV, and the listener collects them.
(Diagram: Hacker Listening; WEP-Protected WLAN; Hacker Injecting)

Injection is MUCH Faster
With packet injection, the listener can collect around 200 IVs per second.
5 to 10 minutes is usually enough to crack a 64-bit key.
Cracking a 128-bit key takes an hour or so.
These figures are for the statistical attacks in the 2009-era tools; with the PTW attack the 128-bit (104-bit) case usually finishes after a few minutes of injection as well.
Link l_14r.

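The two slides above (IV harvesting and packet injection) describe what airodump and aireplay do without showing the frames involved. The following is an added example for this lecture, not code from the slides or from the aircrack suite: it builds WEP-encrypted 802.11 data frames in pure Python, counts distinct IVs the way airodump's IV column does, shows the keystream reuse that makes IVs valuable, and replays one captured frame against a hypothetical access point (the ToyAccessPoint class, a counter IV and no replay protection are assumptions for the simulation) to show where the fresh IVs come from. The key, addresses and capture are constructed; no real traffic is used.

```python
# Added example for this lecture (not from the slides or aircrack-ng): WEP framing,
# the "interesting packet" (IV) count, keystream reuse when an IV repeats, and why
# replaying one captured frame makes an AP emit fresh IVs.  Pure Python 3.
import struct
import zlib

# Constructed sample values, not taken from any real capture.
KEY = bytes.fromhex("0123456789")          # 40-bit ("64-bit") WEP key
BSSID = bytes.fromhex("00112233aabb")
CLIENT = bytes.fromhex("00aabbccddee")
BROADCAST = b"\xff" * 6

FC_DATA = 0x0008        # frame control (little-endian): type 2 = data, subtype 0
FC_BEACON = 0x0080      # type 0 = management, subtype 8 = beacon
FC_PROTECTED = 0x4000   # "Protected Frame" flag in the second frame-control byte


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR.  WEP seeds RC4 with IV || shared key and no mixing."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """WEP body: IV(3) | key id(1) | RC4(IV||key, plaintext || CRC-32 ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + bytes([key_id << 6]) + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, body: bytes) -> bytes:
    """Inverse of wep_encrypt; raises ValueError when the ICV does not match."""
    data = rc4(body[:3] + key, body[4:])
    plaintext, icv = data[:-4], data[-4:]
    if struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) != icv:
        raise ValueError("bad ICV")
    return plaintext


def frame(fc: int, dst: bytes, src: bytes, bssid: bytes, body: bytes) -> bytes:
    """Minimal 24-byte 3-address, non-QoS 802.11 header followed by the body."""
    return struct.pack("<HH6s6s6sH", fc, 0, dst, src, bssid, 0) + body


def extract_iv(fr: bytes):
    """(iv, key_id) for a protected data frame, else None: only those frames
    carry an IV; beacons, ACKs and unencrypted data frames do not."""
    fc = struct.unpack_from("<H", fr)[0]
    if (fc & 0x000C) != 0x0008 or not (fc & FC_PROTECTED):
        return None
    return fr[24:27], fr[27] >> 6


def count_ivs(frames) -> int:
    """What airodump's IV column counts: distinct IVs seen so far."""
    return len({r[0] for r in map(extract_iv, frames) if r})


def keystream_reuse(body_a: bytes, body_b: bytes) -> bytes:
    """Same IV means the same RC4 keystream, so XOR of the two ciphertexts equals
    XOR of the two plaintexts (and ICVs).  No key needed: this is why IVs matter."""
    assert body_a[:3] == body_b[:3], "different IVs give different keystreams"
    return bytes(x ^ y for x, y in zip(body_a[4:], body_b[4:]))


class ToyAccessPoint:
    """Hypothetical AP (assumption for the simulation): no replay protection, the
    IV is a 24-bit counter, and every frame that decrypts is relayed back onto
    the air under a new IV.  That relay is what ARP-replay injection provokes."""

    def __init__(self, key: bytes):
        self.key, self.iv_counter = key, 0

    def relay(self, fr: bytes):
        try:
            plaintext = wep_decrypt(self.key, fr[24:])
        except ValueError:
            return None                        # frames with a bad ICV are dropped
        self.iv_counter = (self.iv_counter + 1) & 0xFFFFFF
        body = wep_encrypt(self.key, self.iv_counter.to_bytes(3, "big"), plaintext)
        return frame(FC_DATA | FC_PROTECTED, BROADCAST, BSSID, BSSID, body)


def replay_harvest(ap: ToyAccessPoint, captured: bytes, times: int) -> int:
    """Re-send the same captured ciphertext `times` times; count the new IVs."""
    replies = (ap.relay(captured) for _ in range(times))
    return count_ivs(r for r in replies if r is not None)


def sample_capture():
    """Constructed five-frame capture: beacon, open data, two protected data
    frames with distinct IVs, and a retransmission that repeats the first IV."""
    arp_req = bytes.fromhex("aaaa030000000806" "0001080006040001")  # SNAP + ARP header
    p1 = frame(FC_DATA | FC_PROTECTED, BSSID, CLIENT, BSSID, wep_encrypt(KEY, b"\x01\x02\x03", arp_req))
    p2 = frame(FC_DATA | FC_PROTECTED, BSSID, CLIENT, BSSID, wep_encrypt(KEY, b"\x01\x02\x04", b"GET / HTTP/1.0\r\n"))
    return [frame(FC_BEACON, BROADCAST, BSSID, BSSID, b"\x00" * 12),
            frame(FC_DATA, BSSID, CLIENT, BSSID, b"open data"),
            p1, p2, p1]


if __name__ == "__main__":
    cap = sample_capture()
    print("frames:", len(cap), "distinct IVs:", count_ivs(cap))
    print("IVs after 1000 replays of one ARP frame:", replay_harvest(ToyAccessPoint(KEY), cap[2], 1000))
```

Running it shows five captured frames yielding only two IVs (the beacon and the open data frame carry none, and the retransmission repeats one), then a thousand replays of a single captured ciphertext yielding a thousand fresh IVs from the access point, which is the whole reason the injector in the slide does not need to know the key. The 24-bit IV also means the counter wraps after 16,777,216 frames, so a busy network repeats IVs on its own, and keystream_reuse shows what an attacker can do with any two frames that share one.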
AP & Client Requirements
Access Point: any AP that supports WEP should be fine (in 2009 they all did; newer APs may no longer offer WEP at all, so check before building the lab).
Client: any computer with any wireless card will do; could use Windows or Linux.
(Diagram: WEP-Protected WLAN)

Listener Requirements
NIC must support Monitor Mode.
Could use Windows or Linux, but you can't use NDISwrapper.
Software:
  Airodump (part of the Aircrack Suite) for Windows or Linux (see link l_14q)
  BackTrack is a live Linux CD with Aircrack on it (and many other hacking tools); link l_14n
(Diagram: Hacker Listening)

Injector Requirements
NIC must support injection.
Must use Linux.
Software: void11 and aireplay (link l_14q).
(Diagram: Hacker Injecting)

Sources
Aircrack-ng.org (link l_14a)
Wi-Foo (link l_14c)
Vias.org (link l_14j)
smallnetbuilder.com (link l_14p)