1

Wireless Hacking

Joffrey Czarny, SRC TELiNDUS

jczarny@src.telindus.com

State of the Art Wireless Hacking Workshop

2

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

Agenda

> Wireless tools> LIVE Demos > Questions & Answers

3

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

Wireless tools

> Wardriving tools

> Traffic analyzer

> WEP keys cracker

> WPA Pre-shared keys cracker

4

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

Wireless tools

> Wardriving tools:

> Active Detection : Netstumbler

> Passive Detection : Kismet; Dstumbler; Airsnort…

> Traffic analyzer: Airtraf

> WEP keys cracker: Airsnort; Aircrack; wepcrack Dwepcrack…

> WPA Pre-shared keys cracker : cowpatty, Aircrack

5

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

Wardriving tools

6

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

Wardriving tools

> Passive detection: Listening to all wireless traffic and extract

information from packets obtained.

> Active detection: Sending wireless probe requests and

analyze the network answers.

7

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

Network Stumbler

ACTIVE DETECTION

8

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

Kismet

PASSIVE DETECTION

9

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

Dstumbler BSD_airtools

PASSIVE DETECTION

10

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

Traffic analyzer

11

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

Traffic analyzer

> Airtraf is a Wireless traffic analyzer

> It is possible to:

> Detect Wireless networks

> Identify Access Points and clients

> Analyze TCP connections

> Generate statistics from protocol and users

> Bandwidth use

12

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

Airtraf

13

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

WEP keys cracker

14

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

WEP keys cracker> Statistic attacks on weak initialization vector value (IV )

> Airsnort

> Aircrack

> Wepcrack ( perl script )

> Dwepdump & Dwepcrack bsd_airtools

15

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

WEP keys cracker> Bruteforce or dictionary attacks:

> weplab

> wepdecrypt

16

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

WPA Pre-shared keys cracker

17

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

WPA Pre-shared keys cracker

> Dictionary attacks

> Aircrack (release 2.2)

> Cowpatty

18

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

LIVE Demos

Wardriving

WEP keys cracker

WPA Pre-shared keys cracker

FakeAP & Bluetooth attack (if enough time)

>

<<

>>

19

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

Questions & Answers

20

Sta

te o

f th

e A

rt

Wir

ele

ss

Ha

ck

ing

14

/15

.10

.20

05

Additional Resources> NetStumbler > www.netstumbler.com

> Kismet > www.kismetwireless.net

> Bsd_airtools > www.dachb0den.com/projects/bsd-airtools.html

> Airtraf > airtraf.sourceforge.net

> Airsnort > airsnort.shmoo.com

> Aircrack > www.cr0.net:8040/code/network/aircrack/

> Weplab > weplab.sourceforge.net

> Wepdecrypt > wepdecrypt.sourceforge.net

> Cowpatty > new.remote-exploit.org/index.php/Codes_main

> Void11 > www.wlsec.net/void11

21

Thank you for your attention

Joffrey Czarnyjczarny@src.telindus.com