Wireless Network Penetration Testing
• WEP Cracking Live Demonstration
   • Automated WEP Cracking With CLI (ECSA)
   • Automated WEP Cracking with Gerix (CEHV8)
• WPA Cracking Live Demonstration
   • Automated WPA Cracking With CLI (ECSA)
   • Automated WPA Cracking with Gerix (CEHV8)
• Bypass MAC Filtering Live Demonstration (ECSA)
• WPA2 Cracking using Reaver (WPS Brute force) (ECSA)
• Wi-Fi Security Assessment Live Demonstration (ECSA)
© HaCkHiPp0-TeaM ! 2013
R0oTx:Sahil_Rai
List of WLAN channels
Amendments | Freq (GHz) | Speed (Mbps) | Range (Ft)
802.11a | 5 | 54 | 24-75
802.11b | 2.4 | 11 | 150-150
802.11g | 2.4 | 54 | 150-150
802.11i | Define WPA Enterprise /WPA Personal for Wi-Fi
802.11n | 2.4,5 | 54 | 100
802.11( Wimax) | 10-66 | 70-100 | 30 miles
Bluetooth | 2.4 | 1-3 | 25

• Each range is divided into multiple channels.
• Every country has its own allowed channels, users and maximum frequency levels.
IEEE 802.11b/g/n Channel

Encryption & Authentication used in IEEE 802.11 Environment:
• Wired Equivalent Privacy (WEP) – WEP uses the RC4 encryption algorithm, which has several weaknesses. WEP relies on a secret key "shared" between a wireless device and the AP.
• Wi-Fi Protected Access (WPA) – The WPA protocol implements the majority of the IEEE 802.11i standard requirements. To offer greater security, WPA makes use of Temporal Key Integrity Protocol (TKIP) instead of RC4 used in its predecessor WEP.
• WPA Personal – Commonly referred to as WPA Pre-Shared Key (PSK). The clients authenticate with the APs using 256-bit keys.
• WPA Enterprise – Mainly designed for enterprise networks; requires authentication using a RADIUS server. Extensible Authentication Protocol (EAP) is used for authentication, and comes in different flavors (EAP-TLS, EAP-TTLS).
• The RADIUS protocol inherently only allows for password-based authentication, i.e. the password is sent as an MD5 hash or as a response to a challenge. EAP is an authentication framework included in Windows Client and Windows Server operating systems.
Wi-Fi authentication mode: open system authentication (SSID beaconing)
1. Probe Request
2. Probe Response (Security Parameters)
3. Open System Authentication Request
4. Open System Authentication Response
5. Association Request (Security Parameters)
6. Association Response
7. Handshake Completed
Wi-Fi authentication mode: shared key authentication process
1. Authentication Request sent to AP
2. AP sends challenge text
3. Client encrypts challenge text and sends it back to AP
4. AP decrypts challenge text and, if correct, authenticates client
5. Handshake Completed
1. Authentication Request ( Encrypted Challenge )
2. Authentication Response ( Challenge )
Sniffing packets (packet capture)
Wi-Fi vulnerability assessment checklist
• Vulnerability assessments can help you find and fix WLAN weaknesses before attackers take advantage of them.

• Wireless Sniffing
   • A wireless card can be on only one channel at a time
   • It cannot sniff on all channels and bands at the same time
   • Wireless card needs to be capable of operating on a/b/g/n/h?

• For each discovered 802.11 access point, document:
   • Media Access Control (MAC) address (BSSID)
   • Extended service set identifier (ESSID)
   • Channel Number
   • Average/Peak signal-to-noise ratio (SNR)
   • Beaconed security parameters (i.e., WEP, WPA, WPA2 security)
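As an added example (not part of the original slides), the Python sketch below shows how the checklist's ESSID, channel and beaconed security parameters are read out of a beacon frame body, and how they map onto WEP, WPA/WPA2 Personal and WPA/WPA2 Enterprise. The function names, the lab ESSIDs and the BSSIDs are assumptions, and the beacons are constructed in the script rather than captured; SNR is not carried in the beacon itself and has to come from the capture's radio metadata.

```python
import struct

RSN_OUI = b"\x00\x0f\xac"   # OUI in the RSN element (tag 48), advertised by WPA2
WFA_OUI = b"\x00\x50\xf2"   # OUI in the vendor-specific (tag 221) WPA and WPS elements
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def _suite_name(suite, oui, table):
    if suite[:3] != oui:
        return "vendor-specific"
    return table.get(suite[3], "unknown-%d" % suite[3])

def _suite_list(buf, off, oui, table):
    """Read a 2-byte little-endian count followed by 4-byte suite selectors."""
    if off + 2 > len(buf):
        return [], len(buf)
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    names = []
    for _ in range(count):
        if off + 4 > len(buf):      # truncated element: keep what was read
            break
        names.append(_suite_name(buf[off:off + 4], oui, table))
        off += 4
    return names, off

def parse_security_element(body, oui):
    """Layout: version(2) | group cipher(4) | pairwise list | AKM list."""
    info = {"group": None, "pairwise": [], "akm": []}
    if len(body) >= 6:
        info["group"] = _suite_name(body[2:6], oui, CIPHERS)
        info["pairwise"], off = _suite_list(body, 6, oui, CIPHERS)
        info["akm"], _ = _suite_list(body, off, oui, AKMS)
    return info

def classify(rec):
    """Map the parsed elements onto WEP / WPA / WPA2, Personal / Enterprise."""
    info = rec["rsn"] or rec["wpa"]
    if info is None:
        # Privacy bit set but no RSN/WPA element: the AP is advertising WEP.
        return "WEP" if rec["privacy"] else "Open"
    generation = "WPA2" if rec["rsn"] else "WPA"
    if "802.1X" in info["akm"]:
        return generation + " Enterprise"
    return generation + (" Personal" if "PSK" in info["akm"] else " (AKM unknown)")

def parse_beacon_body(bssid, body):
    """body is the beacon frame body: 12 fixed bytes, then tagged elements."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its fixed fields")
    _timestamp, _interval, capability = struct.unpack_from("<QHH", body, 0)
    rec = {"bssid": bssid, "essid": None, "channel": None, "rsn": None,
           "wpa": None, "wps": False, "privacy": bool(capability & 0x0010)}
    off = 12
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        value = body[off + 2:off + 2 + length]
        if len(value) < length:     # element runs past the end of the frame
            break
        off += 2 + length
        if tag == 0:                                    # SSID
            rec["essid"] = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:                  # DS parameter set
            rec["channel"] = value[0]
        elif tag == 48:                                 # RSN (WPA2)
            rec["rsn"] = parse_security_element(value, RSN_OUI)
        elif tag == 221 and length >= 4 and value[:3] == WFA_OUI:
            if value[3] == 1:                           # WPA
                rec["wpa"] = parse_security_element(value[4:], WFA_OUI)
            elif value[3] == 4:                         # WPS advertised
                rec["wps"] = True
    rec["security"] = classify(rec)
    return rec

# ---- constructed sample beacons (built here, not captured traffic) ----
def _ie(tag, data):
    return bytes([tag, len(data)]) + data

def _sec(oui, cipher, akm):
    one = b"\x01\x00"               # version 1, and a list count of 1
    suite = oui + bytes([cipher])
    return one + suite + one + suite + one + oui + bytes([akm])

def sample_beacon(essid, channel, capability, extra=b""):
    fixed = struct.pack("<QHH", 0, 100, capability)
    return fixed + _ie(0, essid.encode()) + _ie(3, bytes([channel])) + extra

WPA_PSK_TKIP = _ie(221, WFA_OUI + b"\x01" + _sec(WFA_OUI, 2, 2))
WPS_ELEMENT = _ie(221, WFA_OUI + b"\x04\x10\x4a\x00\x01\x10")
SAMPLES = [
    ("02:00:00:00:00:01", sample_beacon("lab-open", 1, 0x0001)),
    ("02:00:00:00:00:02", sample_beacon("lab-wep", 5, 0x0011)),
    ("02:00:00:00:00:03", sample_beacon("lab-wpa", 6, 0x0011, WPA_PSK_TKIP + WPS_ELEMENT)),
    ("02:00:00:00:00:04", sample_beacon("lab-wpa2", 11, 0x0011, _ie(48, _sec(RSN_OUI, 4, 2)))),
    ("02:00:00:00:00:05", sample_beacon("lab-ent", 11, 0x0011, _ie(48, _sec(RSN_OUI, 4, 1)))),
]

def inventory(samples=SAMPLES):
    return [parse_beacon_body(bssid, body) for bssid, body in samples]

if __name__ == "__main__":
    for r in inventory():
        print(r["bssid"], r["essid"], r["channel"], r["security"], "WPS" if r["wps"] else "-")
```

An access point that reports WEP, TKIP as its only pairwise cipher, or an advertised WPS element is the kind of finding the assessment should record against that BSSID.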
WEP Cracking: Lab Test Requirement
• Airmon-ng
• Airodump-ng
• Aireplay-ng
• Aircrack-ng
• TP-Link WLAN card, compatible with 802.11b/g only.

WPA Cracking: Lab Test Requirement
• Airmon-ng
• Airodump-ng
• Aireplay-ng
• Aircrack-ng
• Dictionary File
• TP-Link WLAN card, compatible with 802.11b/g only.

WPA2 Cracking Using Reaver (WPS Brute force)
Penetration-Testing Tool (Reaver)
Reaver cracks WPA/WPA2 by running a brute-force attack against the access point's WPS (Wi-Fi Protected Setup). It may be able to recover the WPA/WPA2 passphrase in 4-10 hours, but this also depends on the AP. There is no need to capture a handshake.

Bypass Mac address binding
Wi-Fi Security Assessment
• Wi-Fi authentication process using a centralized authentication server
1. Client requests connection.
2. AP sends the EAP request to determine identity.
3. Client sends the EAP response with identity.
4. AP forwards the identity to the RADIUS server.
5. RADIUS server sends a request to the wireless client via the AP, specifying the authentication mechanism to be used.
6. The wireless client responds to the RADIUS server with its credentials via the AP.
7. RADIUS server sends an encrypted authentication key to the AP if the credentials are acceptable.
8. Global authentication key encrypted with per-station unicast session key.
Wi-Fi cracking commands details
Where: WEP/WPA Cracking
• -c 5 is the channel for the wireless network
• --bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminates extraneous traffic.
• -w capture is the file name prefix for the file which will contain the IVs.
• wlan0 is the interface name.
• -1 means fake authentication
• 0 is the reassociation timing in seconds
• -e teddy is the wireless network name
• -a 00:14:6C:7E:40:80 is the access point MAC address
• -h 00:09:5B:EC:EE:F2 is our card MAC address
• wlan0 is the wireless interface name

Where: WEP/WPA Cracking
• -1 means fake authentication
• 0 is the reassociation timing in seconds
• -e hhippo is the wireless network name
• -a 00:14:6C:7E:40:80 is the access point MAC address
• -h 00:0F:B5:88:AC:82 is our card MAC address
• wlan0 is the wireless interface name
Where:
• -5 means the fragmentation attack
• -b 00:14:6C:7E:40:80 is the access point MAC address
• -h 00:09:5B:EC:EE:F2 is the MAC address of our card and must match the MAC used in the fake authentication
• wlan0 is the wireless interface name
Where:
• -2 means use interactive frame selection
• -r arp-request defines the file name from which to read the ARP packet
• wlan0 defines the interface to use

Where:
• -0 means generate an ARP packet
• -a 00:14:6C:7E:40:80 is the access point MAC address
• -h 00:09:5B:EC:EE:F2 is the MAC address of our card
• -k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255)
• -l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255)
• -y fragment-0203-180343.xor is the file to read the PRGA from (NOTE: Change the file name to the actual file name output in step 4 above)
• -w arp-request is the name of the file to write the ARP packet to
Thank You

http://hackhippo.blogspot.com

Hacking wireless networks

  • 1. Wireless Network Penetration Testing • Wep Cracking Live Demonstration  Automated WEP Cracking With CLI (ECSA)  Automated WEP Cracking with Gerix (CEHV8) • Wpa Cracking Live Demonstration  Automated Wpa Cracking With CLI (ECSA)  Automated Wpa Cracking with Gerix (CEHV8) • Bypass Mac Filtering Live Demonstration (ECSA) • WPA 2 Cracking using Reaver (WPS Brute force) (ECSA) • Wi-Fi Security Assessment Live Demonstration (ECSA) © HaCkHiPp0-TeaM ! 2013 R0oTx:Sahil_Rai
  • 2. List of WLAN channels Amendments Freq-(GHz) Speed (Mbps) Range (Ft) 802.11a 5 54 24-75 802.11b 2.4 11 150-150 802.11g 2.4 54 150-150 802.11i Define WPA Enterprise /WPA Personal for Wi-Fi 802.11n 2.4,5 54 100 802.11( Wimax) 10-66 70-100 30 miles Bluetooth 2.4 1-3 25  Each ranges divided into multiple channels  Every Country has allowed channels, users and maximum Frequency levels. © HaCkHiPp0-TeaM ! 2013 R0oTx:Sahil_Rai
  • 3. IEEE 802.11b/g/n Channel © HaCkHiPp0-TeaM ! 2013 R0oTx:Sahil_Rai
  • 4. Encryption & Authentication used in IEEE 802.11 Environment:  Wired Equivalent Privacy (WEP) – WEP uses RC4 encryption algorithm which has several weaknesses. WEP relies on secret key “shared” between a wireless device and the AP  Wi-Fi Protected Access (WPA) – WPA protocol implements majority of IEE 802.11i standard requirements. WPA makes use of Temporal Key Integrity Protocol (TKIP) instead of RC4 used in its predecessor WEP. To offer greater security  WPA Personal – Commonly referred as WPA – Pre shared key (PSK). The clients authenticate with the AP’s using the 256 bit keys.  WPA Enterprise – Mainly designed for Enterprise networks and requires authentication using RADIUS server. Extensible Authentication Protocol (EAP) is used for authentication, which comes in different flavors (EAP-TLS, EAP-TTLS).  RADIUS protocol inherently only allows for password based authentication i.e. the password is sent as MD5 Hash or response to a challenge, (EAP) is an authentication framework included in Windows Client and Windows Server operating systems
  • 5. Wi-Fi authentication mode Probe Request Probe Response ( Security Parameters ) Open System Authentication Request Open System Authentication Response Association Request ( Security Parameters ) Association Response Handshake Completed open system authentication (ssid beaconing)
  • 6. Wi-Fi authentication mode Authentication Request sent to AP AP Sends Challenge txt Client encrypt challenge txt and sends it back to AP AP decrypts challenge text , and if correct authenticates client Handshake Completed Shared key authentication process
  • 7. 1. Authentication Request ( Encrypted Challenge ) 2. Authentication Response ( Challenge ) 0 0 0 Sniffing packets (packet capture) Sniffing packets (packet capture) © HaCkHiPp0-TeaM R0oTx:Sahil_Rai
  • 8. Wi-Fi vulnerability assessment checklist
      - Vulnerability assessments can help you find and fix WLAN weaknesses before attackers take advantage of them.
      - Wireless sniffing:
          - A wireless card can be on only one channel at a time.
          - It cannot sniff on all channels and bands at the same time.
          - Is the wireless card capable of operating in 802.11a/b/g/n/h?
      - For each discovered 802.11 access point, document:
          - Media Access Control (MAC) address (BSSID)
          - Extended service set identifier (ESSID)
          - Channel number
          - Average/peak signal-to-noise ratio (SNR)
          - Beaconed security parameters (i.e., WEP, WPA, WPA2 security)
  • 9. WEP Cracking: Lab Test Requirement
      - Airmon-ng
      - Airodump-ng
      - Aireplay-ng
      - Aircrack-ng
      - TP-Link WLAN card supporting only 802.11b/g
  • 10. WPA Cracking: Lab Test Requirement
      - Airmon-ng
      - Airodump-ng
      - Aireplay-ng
      - Aircrack-ng
      - Dictionary file
      - TP-Link WLAN card supporting only 802.11b/g
  • 11. WPA2 Cracking Using Reaver (WPS Brute Force)
      Penetration-testing tool (Reaver): Reaver cracks WPA/WPA2 by running a brute-force attack against the access point's WPS (Wi-Fi Protected Setup). It may be able to recover the WPA/WPA2 passphrase in 4-10 hours, although this also depends on the AP. There is no need to capture a handshake.
  • 13. Wi-Fi Security Assessment: Wi-Fi authentication process using a centralized authentication server
      1. Client requests connection.
      2. AP sends the EAP request to determine identity.
      3. EAP response with identity.
      4. AP forwards the identity to the RADIUS server.
      5. RADIUS server sends a request to the wireless client via the AP, specifying the authentication mechanism to be used.
      6. The wireless client responds to the RADIUS server with its credentials via the AP.
      7. RADIUS server sends an encrypted authentication key to the AP if the credentials are acceptable.
      8. Global authentication key encrypted with per-station unicast session key.
  • 14. Wi-Fi cracking commands details (WEP/WPA cracking)

      Where:
        -c 5 is the channel for the wireless network
        --bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminates extraneous traffic.
        -w capture is the file name prefix for the file which will contain the IVs
        wlan0 is the interface name

      Where:
        -1 means fake authentication
        0 is the reassociation timing in seconds
        -e teddy is the wireless network name
        -a 00:14:6C:7E:40:80 is the access point MAC address
        -h 00:09:5B:EC:EE:F2 is our card MAC address
        wlan0 is the wireless interface name

      Where:
        -1 means fake authentication
        0 is the reassociation timing in seconds
        -e hhippo is the wireless network name
        -a 00:14:6C:7E:40:80 is the access point MAC address
        -h 00:0F:B5:88:AC:82 is our card MAC address
        wlan0 is the wireless interface name
  • 15. Wi-Fi cracking commands details (continued)

      Where:
        -5 means the fragmentation attack
        -b 00:14:6C:7E:40:80 is the access point MAC address
        -h 00:09:5B:EC:EE:F2 is the MAC address of our card and must match the MAC used in the fake authentication
        wlan0 is the wireless interface name

      Where:
        -2 means use interactive frame selection
        -r arp-request defines the file name from which to read the ARP packet
        wlan0 defines the interface to use

      Where:
        -0 means generate an ARP packet
        -a 00:14:6C:7E:40:80 is the access point MAC address
        -h 00:09:5B:EC:EE:F2 is the MAC address of our card
        -k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255)
        -l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255)
        -y fragment-0203-180343.xor is the file to read the PRGA from (NOTE: change the file name to the actual file name out in step 4 above)
        -w arp-request is the name of the file to write the ARP packet to
  • 16. Thank You © HaCkHiPp0-TeaM ! 2013 R0oTx:Sahil_Rai http://hackhippo.blogspot.com
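
Added example (not part of the original slides): one way to turn the slide 8 checklist into an automated audit of a survey inventory, flagging the weak beaconed security parameters the deck discusses (open, WEP, pre-shared keys, WPS). The record layout, field names and sample access points are constructed assumptions for this example.

```python
import re
# Constructed sample survey records (not from the slides); field names are assumptions.
SURVEY = [
    {"bssid": "02:00:00:00:00:01", "essid": "lab-wep", "channel": 5,
     "snr_avg": 31, "snr_peak": 38, "security": "WEP", "wps": False},
    {"bssid": "02:00:00:00:00:02", "essid": "lab-wpa2", "channel": 11,
     "snr_avg": 24, "snr_peak": 29, "security": "WPA2-PSK", "wps": True},
    {"bssid": "02:00:00:00:00:03", "essid": "corp", "channel": 36,
     "snr_avg": 18, "snr_peak": 22, "security": "WPA2-Enterprise", "wps": False},
    {"bssid": "02:00:00:00:00:04", "essid": "guest", "channel": 1,
     "security": "OPEN", "wps": False},  # SNR was not recorded for this AP
]

REQUIRED = ("bssid", "essid", "channel", "snr_avg", "snr_peak", "security")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def channel_to_mhz(channel):
    """Centre frequency in MHz for a 2.4 GHz (1-14) or 5 GHz channel number."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    if 32 <= channel <= 177:
        return 5000 + 5 * channel
    raise ValueError(f"unknown channel {channel}")

def findings(ap):
    """Return the remediation findings for one access point record."""
    out = [f"checklist field missing: {f}" for f in REQUIRED if f not in ap]
    if not MAC_RE.match(ap.get("bssid", "")):
        out.append("BSSID is not a valid MAC address")
    sec = ap.get("security", "").upper()
    if sec == "OPEN":
        out.append("no encryption: traffic is readable by any sniffer")
    elif sec == "WEP":
        out.append("WEP in use: migrate to WPA2")
    elif sec.endswith("-PSK"):
        out.append("pre-shared key: use a long passphrase absent from dictionaries")
    if ap.get("wps"):
        out.append("WPS enabled: disable it, the PIN can be brute-forced")
    return out

def audit(survey):
    """Return (BSSID, frequency in MHz, findings) rows, most findings first."""
    rows = [(ap["bssid"], channel_to_mhz(ap["channel"]), findings(ap)) for ap in survey]
    return sorted(rows, key=lambda r: len(r[2]), reverse=True)

if __name__ == "__main__":
    print(*audit(SURVEY), sep="\n")
```
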

Editor's Notes

  1. RC4 was designed by Ron Rivest of RSA Security in 1987  Transport Layer Security (TLS)