WPA Cracking with Rainbow Tables (For Educational Purposes Only), Kurt Wondra, November 18th, 2010. 1) Scanning for Vulnerable Networks 2) Capturing Usable.


WPA Cracking with Rainbow Tables
For Educational Purposes Only
Kurt Wondra, November 18th, 2010

1) Scanning for Vulnerable Networks
2) Capturing Usable Packets
3) Injection (Deauthentication of Connected Client)
4) Hash Comparison with Rainbow Tables (with Aircrack-ng suite and coWPAtty)

Requirements For A Successful Attack

Personal Router: Any personal, business, or enterprise router operating on WPA (TKIP/AES) or WPA2 (CCMP) with a weak password is vulnerable to this attack. This is illegal without complete ownership of the target router.

Aircrack-ng Suite: The Aircrack-ng suite is an open source Linux package with tools for cracking WEP and WPA/WPA2. For ease of use, the entire suite is included with the Backtrack 4 live CD.

Wireless Card: A wireless network card capable of monitor mode and packet injection. You can test your card for packet injection ability by running the command:
[SAMPLE CODE] aireplay-ng --test <interface>

Introduction
Although WiFi Protected Access (WPA) and WiFi Protected Access Revision 2 (WPA2) are not vulnerable to the same exploits that WEP is, a plain text WPA PSK (Pre-shared Key) can actually be recovered more quickly than WEP if the proper counter-measures are not in place on your Access Point. The primary reason an attack on RC4 (the stream cipher that governs WEP) is possible is that only 24 bits of pseudo-random data are sent with the cleartext password as a payload. WPA, however, uses a much stronger encryption scheme.

The Vulnerability (Cont)
In addition to simply stronger encryption (by means of TKIP/AES), WPA uses a salted hash equivalent of the pre-shared key. A salt is pseudo-random data added to the process of creating a password or passphrase. This effectively makes the derived keys far stronger against precomputation. A salt can be anything that the designer of the algorithm or key generation process decides to use, as long as it is seemingly random. In the case of WPA, the SSID is mixed in as the salt of each and every derived key.

The Vulnerability (Cont)
Once we (the security community) were able to determine that the salt for WPA PSKs is the SSID of the router, we were able to start developing tools that work alongside the salt and develop patterns for successful key retrieval. It is important to note here the importance of a salt: if the process that derives the key remained hidden, the result could very nearly never be reversed. In the case of WPA, tools have been developed to use the known salt and compare the (still encrypted) hash we retrieve from the router with the hashes of over a million words, phrases, common passwords, etc. Unlike WEP, there is simply no practical way to retrieve the password if it does not exist within our dictionary.
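As an added illustration (not part of the original slides), here is the derivation the slides call a salted hash: WPA-Personal computes the 256-bit Pairwise Master Key as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt and 4096 iterations (IEEE 802.11i), which is why a table precomputed for one SSID says nothing about a router with a different SSID. The word list and the second SSID are constructed; the "password"/"IEEE" vector is the public test case from the standard.

```python
import hashlib

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).

    This is the IEEE 802.11i passphrase-to-PSK mapping. The SSID is the salt
    the slides refer to, so one passphrase yields a different PMK per SSID.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-Personal passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

# Public test vector from IEEE 802.11i Annex H: (passphrase, SSID, expected PMK hex).
IEEE_TEST_VECTOR = ("password", "IEEE",
                    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

def self_check() -> bool:
    """Confirm the derivation above reproduces the standard's test vector."""
    passphrase, ssid, expected = IEEE_TEST_VECTOR
    return wpa_pmk(passphrase, ssid).hex() == expected

def precompute_table(words, ssid: str) -> dict:
    """Per-SSID lookup table (PMK -> word): the work a precomputed table amortises."""
    return {wpa_pmk(w, ssid): w for w in words}

def demo_ssid_dependence():
    """Why a table built for a default SSID is useless against a unique SSID.

    Returns (hit, miss): the word the 'Belkin' table recovers when the router
    still uses the default SSID, and None for the same passphrase once the
    SSID is changed, even though the passphrase itself is unchanged.
    """
    words = ["cobblestone", "letmein1", "qwerty123"]        # constructed word list
    belkin_table = precompute_table(words, "Belkin")         # SSID used on the slides
    pmk_default_ssid = wpa_pmk("cobblestone", "Belkin")
    pmk_unique_ssid = wpa_pmk("cobblestone", "Wondra-7f3k")  # constructed SSID
    return belkin_table.get(pmk_default_ssid), belkin_table.get(pmk_unique_ssid)

if __name__ == "__main__":
    print("self-check passes:", self_check())
    print("(hit, miss):", demo_ssid_dependence())
```

The miss is the whole point of the mitigation: a non-default SSID forces the 4096-iteration derivation to be redone per candidate word, and a long random passphrase keeps the candidate out of any word list.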

(Prep, 1A) Determining Interface Name
Let's get started. As mentioned previously, your wireless network card must support several different functions to perform this attack. Because of this, Backtrack may assign it one of several interface names. To determine the unique device name that Backtrack has assigned to your wireless device, type:
[SAMPLE CODE] iwconfig
[IMPLEMENTATION CODE] iwconfig

(2) Forcing Device into Monitor Mode
In order to gather the two required elements for a successful attack (the MAC address and channel of the target router) we need to force our wireless card into monitor mode. We will simply be gathering readable information at this point. To change from managed (standard) mode to monitor mode we simply use the built-in tool airmon-ng from the Aircrack-ng suite:
[SAMPLE CODE] airmon-ng start
[IMPLEMENTATION CODE] airmon-ng start mon0

(3A) Scanning for Vulnerable Networks
In order to capture the plain text WPA key of the router, you must first identify the target network. The Aircrack-ng suite makes this process a one-liner. To show all networks within wireless range, regardless of the security mechanisms that govern them (WEP/WPA/WPA2), type the following:
[SAMPLE CODE] airodump-ng
[IMPLEMENTATION CODE] airodump-ng mon0

(3B) Identifying Network Requirements
On the screen to follow, you will be presented with advanced information regarding the wireless networks in range of your supported wireless network card. To successfully attack a WPA-protected AP, you must gather two elements, using the screenshot below as a guide: the MAC address and channel of the target router.

Guide to gathering the required information from the target AP:
- MAC Address: yellow underline
- Current Channel: green underline

At this time I recommend copying or physically writing down the two required elements. In this case, the AP's MAC address is 00:17:3F:F3:A1:FC and the channel it currently operates on is 1. Remember that a router can hop channels from time to time.

(3C) Airodump Command Requirements
Before we can narrow down our results and target a specific AP, we must learn how to properly formulate an airodump-ng command. Airodump-ng requires several aspects to be defined from the required elements we collected in Step 3B and previous steps. They are listed below and color-coordinated to match up with the next step for your convenience. Refer back to this table if you need help completing the command in step 3D with your configuration.

Switch   Replacement                        Setting in Example Attack
-c       channel of the target AP           1
-b       MAC address of the target AP       00:17:3F:F3:A1:FC
-w       name of the capture (dump) file    WPASample
[N/A]    monitor-mode interface             mon0

(3D) Targeting a Vulnerable Network
Now that we've identified the WPA-protected network we wish to attack, we must run another scan using airodump-ng to narrow down our packet capture results to a single AP. We can then run coWPAtty to compare the hash found in our dump file with the pre-computed hashes for over 1,000,000 words, phrases, and common passwords in our (salted) rainbow table. To get started, type the following:
[SAMPLE CODE] airodump-ng -c -b -w
[IMPLEMENTATION CODE] airodump-ng -c 1 -b 00:17:3F:F3:A1:FC -w WPASample mon0

(4) Deauthentication with Aireplay
Now that we are capturing all the information obtained from our scan (in step 4B) into a single dump file, we will communicate with the target router and tell it to send us an encrypted and hashed version of the clear text password. Technically speaking, we are looking for the TKIP "four-way handshake" with the Access Point. When a wireless client initially connects to the router, a handshake is exchanged. We will force the client to disconnect and reconnect, obtaining the four-way handshake. This is done with the following command:
[SAMPLE CODE] aireplay-ng -a -c
[IMPLEMENTATION CODE] aireplay-ng -a 00:17:3F:F3:A1:FC -c 00:23:6C:92:C8:20 mon0

(5A) Confirming Requirements
Let's confirm that we received a handshake. Switch back to the console where we ran airodump-ng and confirm that [ WPA handshake: 01:23:45:67:89:10 ] appears in the upper right-hand corner of your display. We're almost done! Sit tight for just a few more steps.
Note: Press Control + C on your keyboard to quit airodump-ng once you get a handshake.

(5B) Confirming Requirements, Cont
In theory, everything that needs to be done with a persistent connection to the target router has been accomplished. If we wanted to, we could completely power off our target router and unplug our wireless network card. The rest of the work can be accomplished offline. As mentioned previously, a FOUR-WAY handshake is required to successfully recover the WPA pre-shared key. You can optionally test for this with the -c switch as seen below. If you are confident you have captured a valid four-way handshake, please proceed to Step 6.
[SAMPLE CODE] cowpatty -c -r
[IMPLEMENTATION CODE] cowpatty -c -r /root/WPASample.cap

(6) Recovering the WPA PSK
Let's do what we came for! coWPAtty (included as part of Backtrack 4) is a tool that can be used to check the hash found in our dump file against the hash of a dictionary file. If they are identical, the key is then converted from hash to clear text and displayed in human-readable format. Assuming that the WPA PSK is in the dictionary, it will be displayed within about 7 minutes of running coWPAtty. This assumes that you are using the official 33GB rainbow tables from the Church of Wifi. Enter this final command to start the crack:
[SAMPLE CODE] cowpatty -d -r -s
[IMPLEMENTATION CODE] cowpatty -d /root/RTBelkin -r /root/WPASample.cap -s Belkin

(7) Identifying the WPA PSK
That's it! There's the human-readable WPA Pre-shared Key (password).
[SAMPLE CODE] cowpatty -d -r -s
[IMPLEMENTATION CODE] cowpatty -d /root/RTBelkin -r /root/WPASample.cap -s Belkin

(8) The Old Way
Prior to rainbow tables (which pre-compute hashes for 1,000,000 words with the salt for each and every SSID already embedded), you could still perform this type of attack, but it was much slower. In fact, using rainbow tables is estimated to be 10,000 times faster than a traditional dictionary attack. That's right: 10 to the 4th times faster! coWPAtty supports a traditional dictionary file when you replace the -d switch with the -f switch. Let's see how long it takes to recover the passphrase "cobblestone" this time...
[SAMPLE CODE] cowpatty -f -r -s
[IMPLEMENTATION CODE] cowpatty -f /root/MillionWords -r /root/WPASample.cap -s Belkin

(9) Questions
Are there any questions?