Modern Approaches to Wi-Fi Attacks: Attacker View, by Konrad Jędrzejczyk (presentation transcript)


3 Whoami
Certified Offensive Security Wireless Professional (OSWP); Information Security Incident Response Analyst.
Previously: Infrastructure Risk Analyst, Security Incident Manager, Information Security Forensic Expert.

4 Agenda
- WPA/WPA2 – is the hashing algorithm so insecure as we are led to believe?
- WPS – Weakest Possible Security approach
- OpenWRT = Wormhole attack + MitM + 3G
- We're in! What next?

5 WPA/WPA2 Connection (section: WPA/WPA2 – is the hashing algorithm so insecure as we are led to believe?)

6 WPA/WPA2 Connection

7 Basic Package

8 Airodump-ng (OpenWrt will turn cheap hardware into your best WiFi card)

9 Airgraph-ng


11 WPA/WPA2 Password Entropy
X = C^n
Where:
X - number of combinations
C - number of characters in the charset
n - password length (>= 8)
Example: 8-character lowercase alpha [a-z or (not and) A-Z] = 26^8 = 208827064576
Example for Radeon HD6850 OC (49 kH/s)

n  Charset                              Time
Single R290 (~140 kH/s)
8  [0-9] = 10                           12 minutes
8  [a-z] or [A-Z] = 26                  17 days
8  [a-z + 0-9] or [A-Z + 0-9] = 36      233 days
9  [a-z] or [A-Z] = 26                  1 year and 83 days
9  [a-z + 0-9] or [A-Z + 0-9] = 36      23 years
8  a-z + A-Z + 0-9 = 62                 50 years
12 x R270 (12 x ~100 kH/s)
8  [a-z] or [A-Z] = 26                  2 days
8  [a-z + 0-9] or [A-Z + 0-9] = 36      27 days
9  [a-z] or [A-Z] = 26                  52 days
Single i5 CPU (~3.3 kH/s, depending on version)
8  [a-z] or [A-Z] = 26                  2 years and 1 month
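A worked calculation of the slide's X = C^n estimate, added here as an example (it is not part of the presentation): it computes the keyspace for each charset and the worst-case time to exhaust it at the hash rates the slide quotes, and rounds the result the way the slide's table does.

```python
# Added example (not from the presentation): the slide's X = C**n keyspace
# and the worst-case time to exhaust it at a given WPA/WPA2 hash rate.

# Charset sizes C exactly as named in the slide's table.
CHARSETS = {
    "[0-9]": 10,
    "[a-z] or [A-Z]": 26,                  # one case only, not both
    "[a-z + 0-9] or [A-Z + 0-9]": 36,
    "a-z + A-Z + 0-9": 62,
}
TABLE_ROWS = (                             # (n, charset) rows, slide order
    (8, "[0-9]"), (8, "[a-z] or [A-Z]"), (8, "[a-z + 0-9] or [A-Z + 0-9]"),
    (9, "[a-z] or [A-Z]"), (9, "[a-z + 0-9] or [A-Z + 0-9]"), (8, "a-z + A-Z + 0-9"),
)

def keyspace(charset_size: int, length: int) -> int:
    """X = C**n: candidates of exactly `length` characters (n >= 8 for WPA/WPA2)."""
    if length < 8:
        raise ValueError("WPA/WPA2 passphrases are at least 8 characters")
    return charset_size ** length

def exhaust_seconds(charset_size: int, length: int, rate_hps: float) -> float:
    """Worst case: every candidate tried once at rate_hps hashes per second."""
    return keyspace(charset_size, length) / rate_hps

def humanize(seconds: float) -> str:
    """Round the way the slide's table does: minutes, days, or years and days."""
    if seconds < 86400:
        minutes = round(seconds / 60)
        return f"{minutes} minute{'s' if minutes != 1 else ''}"
    days = seconds / 86400
    if days < 365:
        return f"{round(days)} days"
    years = days / 365
    if years >= 10:                        # decades: whole years are enough
        return f"{round(years)} years"
    whole = int(years)
    rest = int(days - 365 * whole)
    return f"{whole} year{'s' if whole != 1 else ''} and {rest} days"

def crack_table(rate_hps: float) -> dict:
    """Map each (n, charset) row of the slide's table to its worst-case time."""
    return {(n, cs): humanize(exhaust_seconds(CHARSETS[cs], n, rate_hps))
            for n, cs in TABLE_ROWS}

if __name__ == "__main__":
    for label, rate in (("Single R290", 140_000), ("12 x R270", 1_200_000), ("Single i5 CPU", 3_300)):
        print(label)
        for (n, cs), when in crack_table(rate).items():
            print(f"  {n}  {cs:<28} {when}")
```

The slide rounds two rows more loosely than this helper: 62^8 at 140 kH/s comes out at about 49.5 years (shown as 50) and 26^8 at 3.3 kH/s at a little over 2 years (shown as 2 years and 1 month).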

12 WPA/WPA2 Entropy in Practice

13 WPA/WPA2 Entropy in Practice
Real passwords from stolen and publicly available sql file: www.pobieramy24.pl.sql

14 Any Help?

15 Don’t Underestimate the “Luck Factor” http://zaufanatrzeciastrona.pl/wp-content/uploads/2014/02/superbowl.jpg

16 Possible Safeguards
- Use non-standard passwords that are not present in password lists – force the attacker into a brute-force search.
- Think before creating a password.

17 WPS – WiFi Protected Setup
First described by Stefan Viehböck. “When poor design meets poor implementation.” Still, there are only 11,000 possible combinations.
reaver -i mon0 -b 0A:0B:0C:0D:0E:0F

18 Currently Implemented Safeguards
- Limiting the number of attempts that can be made in a given timeframe
- Using a different PIN for every pairing attempt
- Limiting the pairing time
- Disabling WPS …however, there is a good chance that it will be disabled only in the web API…

19 OpenWrt – Tool for Attacker (section: OpenWRT = Wormhole attack + MitM + 3G)

20 OpenWrt – Tool for Attacker http://wiki.openwrt.org/toh/start

21 Call to Arms

22 Post-Analysis

23 Post-Analysis

24 OpenWrt – Everything You Need
airodump-ng, airbase-ng, airdecap-ng, airmon-ng, aireplay-ng, airserv-ng, tkiptun-ng, sslstrip, tcpdump, ettercap, … screen

25 Classic MitM Attack

26 Social Engineering Toolkit (section: We're in! What next?)

27 When We Want More: Hydra

28 …or… http://3.bp.blogspot.com/

29 ...and then:

30 What Can We Do about This?

31 What Can We Do about This? http://www.aliexpress.com/item-img/Wi-Fi-Rm-Pro-Smart-home-Automation-Intelligent-Controller-Wireless-Smart-Remote-Controller-For-iPhone-6/32270548754.html


33 Thank You – Q&A
