Wireless hacking septafiansyah



Published in: Technology, Business
  • 802.11
    - Most wireless LAN products operate in unlicensed radio bands. 2.4 GHz is the most popular: available in most parts of the world, no need for user licensing.
    - Most wireless LANs use spread-spectrum radio: resistant to interference, secure. Two popular methods: Frequency Hopping (FH) and Direct Sequence (DS).
  • 802.11a
    - Ultra-high spectrum efficiency: the 5 GHz band is 300 MHz (vs. 83.5 MHz @ 2.4 GHz), so more data can travel over a smaller amount of bandwidth.
    - High speed: up to 54 Mbps.
    - Less interference: fewer products using the frequency; the 2.4 GHz band is shared by cordless phones, microwave ovens, Bluetooth, and WLANs.
    - Disadvantages: standards and interoperability (standard not accepted worldwide; no interoperability certification available for 802.11a products; not compatible or interoperable with 802.11b); legal issues (license-free spectrum in the 5 GHz band not available worldwide); market (beyond LAN-LAN bridging, there is limited interest in 5 GHz adoption).
  • 802.11g is a high-speed extension to 802.11b
    - Compatible with 802.11b; high speed up to 54 Mbps; 2.4 GHz (vs. 802.11a at 5 GHz); Adaptive Rate Shifting.
    - Provides the higher speeds and higher capacity that applications require; wireless public access.
    - Compatible with the existing 802.11b standard; leverages worldwide spectrum availability in 2.4 GHz; likely to be less costly than 5 GHz alternatives.
    - Provides easy migration for current users of 802.11b WLANs; delivers backward support for existing 802.11b products; provides a path to even higher speeds in the future.
  • EAP methods
    - EAP-SIM: In a GSM-based network, the mobile connection performs SIM authentication over the RADIUS protocol, known as EAP-SIM. The client passes through the same provisioning authorization, authentication and services that already exist in the GSM service, with no changes to the cellular network elements.
    - EAP-AKA: In a UMTS-based network, EAP-AKA authentication is implemented with functions derived from the access-network key, usually taken from the Universal Subscriber Identity Module (USIM). The AKA method is based on a challenge-response mechanism for mutual authentication, which of course makes it more secure.
    - EAP-TLS: defined in RFC 5216. Strong Transport Layer Security (TLS), using PKI (public key infrastructure) to secure mutual authentication from client to server and vice versa. Both client and server must be issued digital certificates signed by a Certificate Authority (CA), which establishes that the link is secure.
    - EAP-TTLS: The Tunneled TLS EAP method (EAP-TTLS) is very similar to EAP-PEAP in how it works. It does not require the client to be authenticated to the server with a digital certificate signed by a CA. The server uses the secure TLS tunnel to authenticate the client with a password and a key-exchange mechanism. EAP-TTLS additionally uses a username and password, whereas EAP-TLS has no username and password.
  • Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, WEP (Wired Equivalent Privacy). [1]
    - WPA2: WPA2 has replaced WPA. WPA2, which requires testing and certification by the Wi-Fi Alliance, implements the mandatory elements of IEEE 802.11i. In particular, it introduces CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), a new AES-based encryption mode with strong security. [6] Certification began in September 2004; from March 13, 2006, WPA2 certification is mandatory for all new devices to bear the Wi-Fi trademark. [7]
    - Encryption protocols:
      - TKIP (Temporal Key Integrity Protocol): the RC4 stream cipher is used with a 128-bit per-packet key, meaning that it dynamically generates a new key for each packet. Used by WPA.
      - CCMP: an AES-based encryption mechanism that is stronger than TKIP. Used by WPA2. Among informal names are "AES" and "AES-CCMP". According to the 802.11n specification, this encryption protocol must be used to achieve the fast 802.11n high-bitrate schemes, though not all implementations enforce this. [24] Otherwise, the data rate will not exceed 54 Mbit/s.
    - EAP extensions under WPA and WPA2 Enterprise: In April 2010, the Wi-Fi Alliance announced the inclusion of additional Extensible Authentication Protocol (EAP) [25] types to its certification programs for WPA- and WPA2-Enterprise. [26] This was to ensure that WPA-Enterprise certified products can interoperate with one another. Previously, only EAP-TLS (Transport Layer Security) was certified by the Wi-Fi Alliance.
    - As of 2010 the certification program includes the following EAP types: EAP-TLS (previously tested); EAP-TTLS/MSCHAPv2 (April 2005 [27]); PEAPv0/EAP-MSCHAPv2 (April 2005); PEAPv1/EAP-GTC (April 2005); PEAP-TLS; EAP-SIM (April 2005); EAP-AKA (April 2009 [28]); EAP-FAST (April 2009).

    1. By: Septafiansyah Dwi Putra, ITB
    2. Radio Frequency Basics
       - Mobile telephony
       - Cellular Digital Packet Data (CDPD)
       - Private data networks
       - Bluetooth
       - 3G
       - Etc.
    3. Immediate communication, mobile user
       - Two-way, interactive
       - Broadcast
       - Convenience
       - Bandwidth limitations
       - Roaming (no fixed location)
    4. A wireless LAN or WLAN is a wireless local area network that uses radio waves as its carrier.
       - The last link with the users is wireless, to give a network connection to all users in a building or campus.
       - The backbone network usually uses cables. Wireless LANs operate in almost the same way as wired LANs, using the same networking protocols and supporting most of the same applications.
    5. The wireless LAN connects to a wired LAN
       - There is a need for an access point that bridges wireless LAN traffic into the wired LAN.
       - The access point (AP) can also act as a repeater for wireless nodes, effectively doubling the maximum possible di
    6. 802.11a offers speeds with a theoretical maximum rate of 54 Mbps in the 5 GHz band
       - 802.11b offers speeds with a theoretical maximum rate of 11 Mbps in the 2.4 GHz spectrum band
       - 802.11g is a new standard for data rates of up to a theoretical maximum of 54 Mbps at 2.4 GHz.
    7. Wired Equivalent Privacy (WEP) – A protocol to protect link-level data during wireless transmission between clients and access points.
       - Services:
         - Authentication: provides access control to the network by denying access to client stations that fail to authenticate properly.
         - Confidentiality: intends to prevent information compromise from casual eavesdropping.
         - Integrity: prevents messages from being modified while in transit between the wireless client and the access point.
    8. Means:
       - Based on cryptography
       - Non-cryptographic
       - Both are identity-based verification mechanisms (devices request access based on the SSID – Service Set Identifier – of the wireless network).
    9. Authentication techniques
    10. Cryptographic techniques
       - WEP uses the RC4 symmetric-key stream cipher algorithm to generate a pseudo-random data sequence. The stream is XORed with the data to be transmitted.
       - Key sizes: 40 bits to 128 bits
       - Unfortunately, recent attacks have shown that the WEP approach to privacy is vulnerable to certain attacks regardless of key size.
    11. Data integrity is ensured by a simple encrypted version of a CRC (Cyclic Redundancy Check)
       - Also vulnerable to some attacks
    12. Security features in wireless products are frequently not enabled.
       - Use of static WEP keys (keys are in use for a very long time). WEP does not provide key management.
       - Cryptographic keys are short.
       - No user authentication occurs – only devices are authenticated. A stolen device can access the network.
       - Identity-based systems are vulnerable.
       - Packet integrity is poor.
    13. 3Com Dynamic Security Link
       - Cisco LEAP - Lightweight Extensible Authentication Protocol
       - IEEE 802.1X - Port-Based Network Access Control
       - RADIUS Authentication Support
       - EAP-MD5
       - EAP-TLS
       - EAP-TTLS
       - PEAP - Protected EAP
       - TKIP - Temporal Key Integrity Protocol
       - IEEE 802.11i
    14. Windows
       - Wireless NIC drivers are easy to get
       - Wireless hacking tools are few and weak, unless you pay for AirPcap devices or OmniPeek
       Linux
       - Wireless NIC drivers are hard to get and install
       - Wireless hacking tools are much better
    15. For Linux, the best chipsets to use are Orinoco, Prism2.x/3, Atheros, and Cisco
       - A good resource is at Madwifi
       - Go to http://madwifi-project.org/wiki/Compatibility
    16. Service Set Identifier (SSID)
       - An identifier to distinguish one access point from another
       Initialization Vector (IV)
       - Part of a Wired Equivalent Privacy (WEP) packet
       - Used in combination with the shared secret key to cipher the packet's data
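Slides 10, 11 and 16 describe WEP as RC4 keyed with IV || shared key, a CRC integrity value, and a 24-bit IV sent in the clear. The following is an added example (not from the original deck) in Python that builds and checks a WEP frame body that way and then shows why the deck says the design is weak regardless of key size: two frames under a repeated IV share one keystream, so their ciphertexts XOR to the XOR of the plaintexts without the key. The key, IV and messages are constructed sample values.

```python
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP keys it with IV || shared key for every frame."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                             # keystream byte XORed into each data byte
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: a plain CRC-32 of the payload, encrypted along with it."""
    return zlib.crc32(payload).to_bytes(4, "little")


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = 3-byte IV in the clear || RC4(IV || key) over (payload || ICV)."""
    assert len(iv) == 3 and len(shared_key) in (5, 13)   # 40- or 104-bit shared key
    return iv + rc4(iv + shared_key, payload + icv(payload))


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Return the payload if the ICV verifies, else None (wrong key or tampering)."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + shared_key, body)
    payload, got = plain[:-4], plain[-4:]
    return payload if icv(payload) == got else None


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(shared_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Only 2^24 IVs exist and the key is static, so a busy AP repeats IVs. Two frames
    under the same IV share one keystream: c1 ^ c2 == p1 ^ p2, no key required."""
    c1 = wep_encrypt(shared_key, iv, p1)[3:]
    c2 = wep_encrypt(shared_key, iv, p2)[3:]
    n = min(len(p1), len(p2))
    return xor(c1, c2)[:n] == xor(p1, p2)[:n]
```

Because the ICV is only a CRC under a stream cipher, the check detects noise but is not a cryptographic MAC, which is the "packet integrity is poor" point on slide 12.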
    17. The SSID can be found in any of these frames
       - Beacons: sent continually by the access point (unless disabled)
       - Probe Requests: sent by client systems wishing to connect
       - Probe Responses: response to a Probe Request
       - Association and Reassociation Requests: made by the client when joining or rejoining the network
       - If SSID broadcasting is off, just send a deauthentication frame to force a reassociation
    18. Each MAC must be entered into the list of approved addresses
       - High administrative effort, low security
       - Attacker can just sniff MACs from clients and spoof them
    19. In Windows, just select it from the available wireless networks
       - Click on "Set up a wireless network for a home or small office"
       - And then input the SSID
    20. In Windows Vista, run regedt32
       - Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
       - Find the REG_SZ value named NetworkAddress and change it
       - SMAC is easier
    21. Many Wi-Fi cards allow you to change the MAC in Windows' Device Manager
    22. Brute-force keyspace – takes weeks even for 40-bit keys (use Cain & Abel)
       - Collect Initialization Vectors, which are sent in the clear, and correlate them with the first encrypted byte
       - This makes the brute-force process much faster
    23. Aircrack-ng or AirSnort (old)
       - Kismet
       - Cain & Abel
       - WLAN-Tools
       - DWEPCrack
       - WEPAttack
       - Cracks using the weak IV flaw
       - Best countermeasure – use WPA/WPA2
    24. This demo is conducted in my home
       - Network configuration: Linksys access point, WEP 64-bit key, Passcode ???, SSID DIJIANG
    25. WPA/WPA2 is strong
       - No major weaknesses
       - However, if you use a weak Pre-Shared Key, it can be found with a dictionary attack
       - Tool: Aircrack-ng
    26. Change the default setting
       - Filter MAC addresses
       - 100% safe = impossible
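Slide 25's point that a weak Pre-Shared Key falls to a dictionary attack follows from how WPA/WPA2-Personal derives the key. As an added example (not from the original deck), the Python below derives the 256-bit PSK with the parameters IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, the SSID as salt). The only secret input is the passphrase, and the SSID is the only salt, so a default SSID makes a precomputed table of common passphrases reusable across networks; changing the defaults (slide 26) and using a long random passphrase are the mitigations. The helper names and the sample SSIDs are my own.

```python
import hashlib
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PSK per IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32-byte output).
    Every input except the passphrase is broadcast in beacons, so guessing is offline work."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def psk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Same passphrase on two SSIDs gives two different PSKs: the SSID is the salt,
    which is why a table built for a default SSID is useless against a renamed network."""
    return wpa_psk(passphrase, ssid_a) != wpa_psk(passphrase, ssid_b)


def strong_passphrase(length: int = 24) -> str:
    """Mitigation for slide 25: a random printable-ASCII passphrase that no wordlist holds."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8..63 characters")
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))
```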