More Related Content Similar to Breaking wifi-faster (20) Breaking wifi-faster2. RECON 2006 - June 16th, 2006 © The OpenCiphers
Cracking WiFi… Faster!
FPGAs
Quick Intro (I swear!)
coWPAtty
WPA Overview
Precomputing tables
Performance
Airbase
jc-aircrack
jc-wepcrack
pico-wepcrack
Performance
Conclusion
3. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGAs
Quick Intro
Chip with a ton of general purpose logic
ANDs, ORs, XORs
FlipFlops (Registers)
BlockRAM (Cache)
DSP48’s (ALUs)
DCMs (Clock Multipliers)
4. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGAs
Virtex-4 LX25
5. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGAs
Virtex-4 LX25
IOBs (448)
6. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGAs
Virtex-4 LX25
IOBs
Slices (10,752)
7. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGAs
Virtex-4 LX25
IOBs
Slices
DCMs (8)
8. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGAs
Virtex-4 LX25
IOBs
Slices
DCMs
BlockRAMs (72)
9. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGAs
Virtex-4 LX25
IOBs
Slices
DCMs
BlockRAMs
DSP48s (48)
10. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGAs
Virtex-4 LX25
IOBs
Slices
DCMs
BlockRAMs
DSP48s
Programmable Routing Matrix
(~18 layers)
11. RECON 2006 - June 16th, 2006 © The OpenCiphers
Introduction to WPA
WiFi Protected Access
12. RECON 2006 - June 16th, 2006 © The OpenCiphers
Introduction to WPA
PSK
MK is your passphrase
It’s run through PBKDF2
to generate the PMK
13. RECON 2006 - June 16th, 2006 © The OpenCiphers
Introduction to WPA
PSK
MK is your passphrase
It’s run through PBKDF2
to generate the PMK
14. RECON 2006 - June 16th, 2006 © The OpenCiphers
Introduction to WPA
PSK
MK is your passphrase
It’s run through PBKDF2
to generate the PMK
15. RECON 2006 - June 16th, 2006 © The OpenCiphers
Introduction to WPA
PBKDF2
unsigned char hash[32];
t = sha1_hmac(MK, SSID, 1);
for(i = 1; i < 4096; i++)
t = sha1_hmac(MK, t);
memcpy(hash, &t, 20);
t = sha1_hmac(MK, SSID, 1);
for(i = 1; i < 4096; i++)
t = sha1_hmac(MK, t);
memcpy(hash + 20, &t, 12);
16. RECON 2006 - June 16th, 2006 © The OpenCiphers
Introduction to WPA
sha1_hmac
sha1(MK ^ 0x5c, sha1(MK ^ 0x36, t));
sha1init(ctx);
ctx = sha1update(ctx, MK ^ 0x36);
ctx = sha1update(ctx, t);
innersha1_ctx = sha1final(ctx);
sha1init(ctx);
ctx = sha1update(ctx, MK ^ 0x5c);
ctx = sha1update(ctx, innersha1_ctx);
outersha1_ctx = sha1final(ctx);
17. RECON 2006 - June 16th, 2006 © The OpenCiphers
Introduction to WPA
sha1_hmac
sha1(MK ^ 0x5c, sha1(MK ^ 0x36, t));
sha1init(ctx);
ctx = sha1update(ctx, MK ^ 0x36); You can cache
ctx = sha1update(ctx, t); some of the state
innersha1_ctx = sha1final(ctx); to reduce the number
of required SHA1’s
sha1init(ctx);
ctx = sha1update(ctx, MK ^ 0x5c);
ctx = sha1update(ctx, innersha1_ctx);
outersha1_ctx = sha1final(ctx);
18. RECON 2006 - June 16th, 2006 © The OpenCiphers
Introduction to WPA
For every possible PMK compute PTK and see if it
matches the handshake captured on the network
19. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGA coWPAtty
Uses 8 SHA-1 Cores
Uses BlockRAM to buffer the words fed to the
cores
As long as the machine is able to supply words
fast enough, the SHA-1 cores will be utilized fully
20. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGA coWPAtty
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
0
1
2
3
4
5
7
6
8
9
…
247
248
249
250
251
252
253
254
255
Computer
21. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGA coWPAtty
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
0
1
2
3
4
5
7
6
8
9
…
247
248
249
250
251
252
253
254
255
Computer
22. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGA coWPAtty
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
0
1
2
3
4
5
7
6
8
9
…
247
248
249
250
251
252
253
254
255
Computer
23. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGA coWPAtty
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
0
1
2
3
4
5
7
6
8
9
…
247
248
249
250
251
252
253
254
255
Computer
24. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGA coWPAtty
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
0
1
2
3
4
5
7
6
8
9
…
247
248
249
250
251
252
253
254
255
Computer
25. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGA coWPAtty
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
0
1
2
3
4
5
7
6
8
9
10
11
12
13
14
15
16
…
254
255
Computer
26. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGA coWPAtty
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
0
1
2
3
4
5
7
6
8
9
10
11
12
13
14
15
16
…
254
255
Computer
27. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGA coWPAtty
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
0
1
2
3
4
5
7
6
8
9
10
11
12
13
14
15
16
…
254
255
Computer
28. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGA coWPAtty
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
0
1
2
3
4
5
7
6
8
9
10
11
12
13
14
15
16
…
254
255
Computer
29. RECON 2006 - June 16th, 2006 © The OpenCiphers
Performance Comparison
PC
Cowpatty
800MHz P3 ~25/sec
3.6GHz P4 ~60/sec
AMD Opteron ~70/sec
2.16GHz IntelDuo ~70/sec
Aircrack
3.6GHz P4 ~100/sec
FPGA
Cowpatty
LX25 ~430/sec
15 Cluster ~6,500/sec
FX60 ~1,000/sec
30. RECON 2006 - June 16th, 2006 © The OpenCiphers
Results
Decided to compute hash tables for a 1,000,000
passphrase wordlist for the top 1,000 SSIDs
“That million word list that I fed you incorporated a
430,000 word list from Mark Burnett and Kevin Mitnick
(of all people) and was made up of actual harvested
passwords acquired through some google hacking.
They are passwords that people have actually used. I
padded it out to 1 million by adding things like
websters dictionary, and other such lists, and then
stripped the short word (<8 chars.) out of it.”
31. RECON 2006 - June 16th, 2006 © The OpenCiphers
Results
Took RenderMan 1 month to compute on his
cluster
Found out that his wordlist had return characters
at the end of every line
(after computing for a month)
He sent me an email asking for help
A 15 card cluster did it in 2 days ;-)
32. RECON 2006 - June 16th, 2006 © The OpenCiphers
FPGA coWPAtty
+ + = ?
34. RECON 2006 - June 16th, 2006 © The OpenCiphers
Mac OS-X coWPAtty???
/
System/Library/PrivateFrameworks/Apple80211.
framework/Versions/Current/Resources/airport
airport AirPort v.427.2 (427.2.0)
Supported arguments:
<snip a whole bunch of semi-normal iwconfig-like features>
-P<arg> --psk=<arg> Create PSK from specified passphrase
and SSID.
The following additional arguments must be specified with this
command:
--ssid=<arg> Specify SSID when
35. RECON 2006 - June 16th, 2006 © The OpenCiphers
ghetto_pmk.pl
#!/usr/bin/perl
open(INFILE,"dictionary.txt");
my $start = time;
my $count = 0;
foreach (<INFILE>) {
chop($_);
$cmd = "airport --psk=$_ --ssid=linksys >> pmks.txt";
system $cmd;
$count++;
}
$elapsed = time - $start;
$perform = $count / $elapsed;
print "$count passphrases tested in $elapsed seconds: ";
print "$perform passphrases/secondn";
beetles-computer:~/Downloads beetle$ ./ghetto_pmk.pl
2253 passphrases tested in 217 seconds: 10.3824884792627 passphrases/second
39. RECON 2006 - June 16th, 2006 © The OpenCiphers
jc-aircrack
40. RECON 2006 - June 16th, 2006 © The OpenCiphers
jc-aircrack
41. RECON 2006 - June 16th, 2006 © The OpenCiphers
jc-wepcrack
42. RECON 2006 - June 16th, 2006 © The OpenCiphers
jc-wepcrack
43. RECON 2006 - June 16th, 2006 © The OpenCiphers
jc-wepcrack, no pico
44. RECON 2006 - June 16th, 2006 © The OpenCiphers
Accelerating brute forcing
45. RECON 2006 - June 16th, 2006 © The OpenCiphers
Current arch
46. RECON 2006 - June 16th, 2006 © The OpenCiphers
Future arch
47. RECON 2006 - June 16th, 2006 © The OpenCiphers
Pico client details
49. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
FPGA Core
Uses 32/48 custom RC4 cores
Uses BlockRAM for S-Boxes
Will try every key between a start and end
50. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
RC4:
for(i = 0; i < 256; i++) // Initialization
S[i] = i;
for(i = j = 0; i < 256; i++) { // KSA
j += S[i] + K[i];
Swap(S[i], S[j]);
}
for(i = 1, j = 0; ; i++) { // PRGA
j += S[i];
Swap(S[i], S[j]);
PRGA[i – 1] = S[S[i] + S[j]];
}
51. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
RC4:
for(i = 0; i < 256; i++) // Initialization
S[i] = i;
for(i = j = 0; i < 256; i++) { // KSA
j += S[i] + K[i]; // K is input
Swap(S[i], S[j]);
}
for(i = 1, j = 0; ; i++) { // PRGA
j += S[i];
Swap(S[i], S[j]);
PRGA[i – 1] = S[S[i] + S[j]]; // PRGA is output
}
52. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
RC4
RC4
RC4
Computer
RC4
Keygen
Key: 0
Key: 1
Key: 2
Start: 0
End: 16
PRGA: bling
53. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
RC4
RC4
RC4
Computer
RC4
Keygen
Start: 0
End: 16
PRGA: bling
PRGA: w00t!
PRGA: arg?
PRGA: samy is my hero
54. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
RC4
RC4
RC4
Computer
RC4
Keygen
3
4
5
Start: 0
End: 16
PRGA: bling
55. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
RC4
RC4
RC4
Computer
RC4
Keygen
Start: 0
End: 16
PRGA: bling
PRGA: meow
PRGA: bling
PRGA: yo
56. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
RC4:
for(i = 0; i < 256; i++) // Initialization
S[i] = i; // S-Box must be reset
for(i = j = 0; i < 256; i++) { // KSA
j += S[i] + K[i];
Swap(S[i], S[j]);
}
for(i = 1, j = 0; ; i++) { // PRGA
j += S[i];
Swap(S[i], S[j]);
PRGA[i – 1] = S[S[i] + S[j]];
}
57. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
RC4
RC4
RC4
Computer
A
A
A
B
B
B
S
58. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
RC4
RC4
RC4
Computer
A
A
A
B
B
B
S
59. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
RC4
RC4
RC4
Computer
A
A
A
B
B
B
S
60. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
RC4
RC4
RC4
Computer
A
A
A
B
B
B
S
61. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
RC4
RC4
RC4
Computer
A
A
A
B
B
B
S
62. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
RC4
RC4
RC4
Computer
A
A
A
B
B
B
S
63. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
RC4
RC4
RC4
Computer
S
S
S
Read: 2 -> XX13
Read: 57 -> XX7A
Read: 3C -> XX25
64. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
RC4
RC4
RC4
Computer
S
S
S
Write: 02 -> 0213
Write: 57 -> 577A
Write: 3C -> 3C25
65. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
00: 0073
01: 019B
02: 0296
03: 03c2
04: 0431
05: 05df
06: 0609
07: 078c
…..
RC4:
for(i = 0; i < 256; i++) // Init
S[i] = i; // S-Box must
be reset
for(i = j = 0; i < 256; i++) { // KSA
j += S[i] + K[i];
Swap(S[i], S[j]);
}
for(i = 1, j = 0; ; i++) { // PRGA
j += S[i];
Swap(S[i], S[j]);
PRGA[i – 1] = S[S[i] + S[j]];
}
66. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
RC4
RC4
RC4
Computer
S
S
S
Read: 2 -> 13XX
Read: 57 -> 7AXX
Read: 3C -> 25XX
67. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
RC4
RC4
RC4
Computer
S
S
S
Write: 02 -> 1302
Write: 57 -> 7A57
Write: 3C -> 253C
68. RECON 2006 - June 16th, 2006 © The OpenCiphers
pico-wepcrack
+ +
= ?
70. RECON 2006 - June 16th, 2006 © The OpenCiphers
Performance Comparison
PC
jc-wepcrack
1.25GHz G4 ~150,000/sec
3.6GHz P4 ~300,000/sec
FPGA
pico-wepcrack
LX25 ~9,000,000/sec
15 Cluster ~135,000,000/sec
FX60 ~18,000,000/sec
71. RECON 2006 - June 16th, 2006 © The OpenCiphers
Conclusion
Get an FPGA and start cracking!
Make use if your hardware to break crypto
Add cool ascii matrix fx when you can :-)
Choose bad passwords (please!)
72. RECON 2006 - June 16th, 2006 © The OpenCiphers
Hardware Used
Pico E-12
Compact Flash
64 MB Flash
128 MB SDRAM
Gigabit Ethernet
Optional 450MHz PowerPC 405
73. RECON 2006 - June 16th, 2006 © The OpenCiphers
Hardware Used
Pico E-12 Super Cluster
15 - E-12’s
2 - 2.8GHz Pentium 4’s
2 - 120GB HDD
2 - DVD-RW
550 Watt Power Supply
74. RECON 2006 - June 16th, 2006 © The OpenCiphers
Greetz
Johny Cache (airbase/jc-wepcrack/jc-aircrack)
Josh Wright (cowpatty)
RenderMan (pmk hashtable monkey)
Beetle (ghettopmk!)
Audience (feel free to throw rotten fruit now!!)
75. RECON 2006 - June 16th, 2006 © The OpenCiphers
Questions?
I’ll give you a free set of hash tables!
David Hulton
dhulton@openciphers.org
http://www.openciphers.org
http://www.picocomputing.com
http://www.802.11mercenary.net
http://www.churchofwifi.org
Editor's Notes Introduction, welcome, blah blah
Overview of what we’re going to cover (in case anyone stumbled into the wrong talk, oh wait only one track, mwahahahaha, no escape!)
Explaining the different components in an fpga
This is the beast
Iobs are the links to the outside world
Slices allow you to create cool shiz
DCMs get you your nice clean timing
Blockrams are tiny ram blocks that are real fast and kind of like cache (and also the current bain of my existence)
Dsp48’s let you do 18x18 multiply and accumulates with 48-bit values…. Nifty for doing fast math and DSP stuff
Somehow the card gets a pmk, then it does the 4 way auth handshake and then life is happy (or sad if you’re a bad guy)
Pbkdf2 is the beast of the transformation
Master key is your passphrase
Pbkdf2 hashes it up to create a fairly secure pmk hash
Pbkdf2 basically just runs sha1 hmac about 8 thousand times
Inside sha1_hmac it will normally end up running ~ 4 sha1’s per hmac
Cool optimizations let you reduce it down to only 2 because you can cache some of the values
Once you generate a PMK you can verify it with the network traffic to see if it’s the right one
W3rd to fpgas
Uses a ring buffer to keep the SHA-1 cores fed
W00t! Performance rox
Supa fast when clustered together
Supa fast when clustered together
Ready for a demo????
Ok, with this I basically need to:
Make sure the WPA AP is setup and configured for WPA
Connect up with the presentation laptop
Switch display to auditor laptop
Setup card for monitor mode: ifconfig ath0 up; iwconfig ath0 mode Monitor channel 6
Find network and client in ethereal. might need to filter with: wlan.fc.type_subtype == 5 (probe response) or wlan.da/wlan.sa == mac
Use mac addresses to fire off airforge &lt;bssid&gt; &lt;dst mac&gt; deauth.pcap
Switch to eapol filter in ethereal
Run aireplay –m 26 –u 0 –v 12 –w 0 –x 10 –r deauth.pcap ath0
Ctrl+c once we see Start and Key in ethereal
Stop ethereal capture and save dump (only viewed packets) to file on flash drive and unmount flash drive
Switch display to cracker laptop
Plug flash drive into cracker laptop and mount drive
Swap to cowpatty image: swap2cowpatty.sh
Fire up cowpatty –f dict –r dump.pcap –s dachb0den –F 0
Watch the magic happen
Demo genpmk –f dict -s dachb0den –F 0 –d hashfile; cowpatty –d hashfile -r dump.pcap –s dachb0den
Beetle found some cool trix with Mac OS X
Tools, jc-aircrack, jc-wepcrack
Talk about lorcon a bit
Talk about file compatability, airodump works on OSX in real time.
Give live demo on how it works, what acceleration would do
(show the real time effects of the -x [bytes to brute force] flag)
Explain why accelerating statistics silly.
If this was written in corporate speak
“scale your key-cracking infrastructure to the next level while maintaining compatability with currently existing investments”
GetNewData()
48 gets a little iffy unless you’ve got really good cooling, 32 runs a lot more stable under normal conditions
W00t rc4, I hope this doesn’t leave people in the dust at all
When thinking about it as a module, you only need to worry about K as input and PRGA as output
High level view of how the cracker works
Initialization usually takes forever to do.
Method A of speeding it up
Even better method B
So, what do we have when we combine these wonderful things together?
Demo… With this we’ll want to do the following:
Reconfigure AP to WEP
Connect up to AP with presentation laptop
Switch display over to auditor laptop
Remount flash drive
Fire up ethereal again and find AP (might want to use wlan.fc.type_subtype == 5 for probe resp or 32 for data)
Filter on data and mac address of access point and/or client
Start ping on presentation laptop
Stop capture and save file to flash drive and unmount
Switch display to cracker laptop
Mount drive and fire up startwepcrack.sh capture.pcap 40
Have fun!
Preformance !!!
I really hope I’m drunk by now
Thanks everyone, you’ve been wonderful
Hopefully I’ll actually have more than just one set of hashtables by now…..