Advanced Penetration testing

Slides:



Advertisements
Similar presentations
Overview How to crack WEP and WPA
Advertisements

By Wild King. Generally speaking, a rainbow table is a lookup table which is used to recover the plain-text password that derives from a hashing or cryptographic.
1 Practical stuff Crack the WPA key of this laptop. SSID: « Philips WiFi » Password list and cowpatty table available on CD (only useful today).
Crack WEP Lab Last Update Copyright 2014 Kenneth M. Chipps Ph.D.
Password Cracking Lesson 10. Why crack passwords?
Analysis of the i 4-Way Handshake Changhua He, John C Mitchell 2004 ACM International Workshop on Wireless Security (WiSe'04) Sang-Rok Kim Dependable.
IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
Crack WPA Lab Last Update Copyright 2014 Kenneth M. Chipps Ph.D.
MIS Week 12 Site:
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
MIS Week 13 Site:
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.
MIS Week 11 Site:
Wireless Attacks. Set up the APs Computer IP: Subnet Mask: Router IP address: –
Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.
Ethical Hacking Defeating Wireless Security. 2 Contact Sam Bowne Sam Bowne Computer Networking and Information Technology Computer Networking and Information.
1 WPA, what else? UNAM, Mexico City November 27-28, 2008 Thomas d’Otreppe de Bouvette Aircrack-ng.
Password Cracking By Allison Ramondetta & Christine Giordano.
Doc.: IEEE /551r0 Submission September 2002 Moore, Roshan, Cam-WingetSlide 1 TGi Frame Exchanges Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget.
CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks.
Distributed WPA Cracking CSCI Distributed Systems Spring 2011 University of Colorado Rodney Beede Ryan Kroiss Arpit Sud
Csci388 Wireless and Mobile Security – Key Hierarchies for WPA and RSN
Password cracking Patrick Sparrow, Matt Prestifillipo, Bill Kazmierski.
Cracking WPA/WPA2 in the Cloud
CIS 450 – Network Security Chapter 10 – UNIX Password Crackers.
WPA Cracking with Rainbow Tables For Educational Purposes Only Kurt Wondra November 18 th, 2010  1) Scanning for Vulnerable Networks  2) Capturing Usable.
Doc.: IEEE /0899r2 Submission July2010 Dan Harkins, Aruba NetworksSlide 1 Secure PSK Authentication Date: Authors:
Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.
Module 48 (Wireless Hacking)
[blank page for bug work-around]
WiFi Troubleshooting & Performance Monitoring
Re-evaluating the WPA2 Security Protocol
Development Environment
OSA vs WEP WPA and WPA II Tools for hacking
Advanced Penetration testing
Taken from Hazim Almuhimedi presentation modified by Graciela Perera
Penetration Testing Offline Password Cracking
I have edited and added material.
Wireless Attacks: WEP Module Type: Basic Method Module Number: 0x00
Presented By: Rohit Maurya
Practical stuff Crack the WPA key of this laptop (SSID: « Philips WiFi »). Rules: Do not attack anything else on this laptop. You can use aircrack-ng but.
Password Cracking Lesson 10.
Advanced Penetration testing
Week 1 – Taster Session dmuhackers DMU Hackers.
Wireless Hacking.
Advanced Penetration testing
Intro to Ethical Hacking
WEEK 1.
Motions to Address Some Letter Ballot 52 Comments
Hacking Wi-Fi Beyond Script Kiddie and WEP
Advanced Penetration testing
Advanced Penetration testing
Wireless Network Security
Advanced Penetration testing
Kiran Subramanyam Password Cracking 1.
Getting Started: Amazon AWS Account Creation
July 2002 Threat Model Tim Moore Tim Moore, Microsoft.
LAB 9 – INTRUSION DETECTION AND PREVENTION SYSTEMS
Cyber Operation and Penetration Testing Online Password Cracking Cliff Zou University of Central Florida.
Breaking into Wi-Fi Networks
11i PSK use in 11s: Consider Dangerous
Roaming timings and PMK lifetime
Exercise: Hashing, Password security, And File Integrity
There are two different types of computer network:
Roaming timings and PMK lifetime
Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget Cisco Systems, Inc
11i PSK use in 11s: Consider Dangerous
Advanced Penetration testing
Presentation transcript:

Advanced Penetration testing MIS 5212.001 Week 13 Site: http://community.mis.temple.edu/mis5212sec001s16/

Tonight's Plan Introduction Attacking WPA2-PSK Rainbow Tables John the Ripper Next Week MIS 5212.001

In The News http://www.ehackingnews.com/2015/11/malware-detected-in-martels-cameras.html http://komonews.com/news/nation-world/ransomware-hospital-hacking-present-growing-cybersecurity-threats http://windowsitpro.com/security/dod-about-be-under-siege-hackers-and-it-plans-pay-them http://thehackernews.com/2016/03/fbi-ublock-iphone.html http://www.internet2.edu/blogs/detail/10079 (Splunk Certification) http://www.reuters.com/article/us-usa-cyber-reddit-idUSKCN0WY52O MIS 5212.001

In The News http://www.itworld.com/article/3051014/flaw-in-popular-door-controllers-allow-hackers-to-easily-unlock-secure-doors.html http://www.csoonline.com/article/3051123/leadership-management/cybersecurity-spending-more-does-not-necessarily-mean-better.html http://www.securityweek.com/thousands-printers-hacked-spew-anti-semitic-fliers http://www.bbc.com/news/technology-35916425?intlink_from_url=http://www.bbc.com/news/topics/62d838bb-2471-432c-b4db-f134f98157c2/cybersecurity&link_location=live-reporting-story http://securityaffairs.co/wordpress/45678/malware/petya-ransomware.html MIS 5212.001

In The News What I Noted http://www.theregister.co.uk/2016/03/31/free_x86_mainframes_for_all_virtual_mainframes_that_is/ http://www.theregister.co.uk/2016/03/31/legion_of_demons_found_in_ancient_auto_drug_dispensing_cabinets/ http://www.theregister.co.uk/2016/03/31/cisco_snort_scramble_to_plug_malware_hole/ http://www.theregister.co.uk/2016/03/30/bash_shell_comes_to_windows_10/ http://www.theregister.co.uk/2016/03/30/router_infecting_malware_gets_remastered/ MIS 5212.001

WPA2-PSK Recall from last week: The PMK is generated using the following relatively processor intensive function, pseudo code: PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256) This means that the concatenated string of the passphrase, SSID, and the SSID length is hashed 4096 times to generate a value of 256 bits MIS 5212.001

WPA2-PSK Also, Recall from last week: PTK = PRF-512(PMK, "Pairwise key expansion", Min(AP_Mac, Client_Mac) || Max(AP_Mac, Client_Mac) || Min(ANonce, SNonce) || Max(ANonce, SNonce)) The PTK is a keyed-HMAC function using the PMK on the two MAC addresses and the two nonces from the first two packets of the 4-Way Handshake. MIS 5212.001

WPA2-PSK Finally, recall: MIC = HMAC_MD5(MIC Key, 16, 802.1x data) A MIC value is calculated, using the MIC Key from the PTK and the EAPoL message. MIS 5212.001

WPA2-PSK So, we captured the Mac Addresses and the ANonce and SNonce from the four way handshake Source: http://mrncciew.com/2014/08/16/decrypt-wpa2-psk-using-wireshark/ MIS 5212.001

WPA2-PSK Now, if we had the right passphrase, SSID, and SSID length; we have everything we need to generate our own key. But we don’t have this information! At least not directly MIS 5212.001

Process Collect data from four handshake Mac Addresses ANonce and SNonce MIC and EAP Read in value from a dictionary list Calculate PMK using dictionary word and SSID Calculate PTK using above information Calculate MIC of frame using PTK Compare calculated MIC to observed MIC If equal, done! If not equal read in next PMK and start over MIS 5212.001

Automation Several tools exist to automate this process Cowpatty Pre-installed in Kali http://www.willhackforsushi.com/?page_id=50 Aircrack-ng http://aircrack-ng.org/downloads.html MIS 5212.001

Limitations Slow (Very slow) Each time you want to check a passphrase you have to go through the 4,096 hashes Each time you go after another SSID, you start over again Calculations are limited by the capabilities of the CPU installed MIS 5212.001

A Better Way Pre-Computed Hash Tables (Rainbow) PMK is derived from the PSK and SSID Possible to precompute PMK’s for a given SSID Top 1000 most common SSIDs published https://wigle.net/ Or http://www.renderlab.net/projects/WPA-tables/ Cowpatty will accept precomputed hash tables See genpmk in a couple of pages MIS 5212.001

WIGLE MIS 5212.001

From Wigle.net MIS 5212.001

More Tools (genpmk) Basic tool to precompute hashes Can speed up attacks by a factor of 1300 “genpmk” written by Josh Wright Pre-installed in Kali Packaged with Cowpatty MIS 5212.001

But I Want To Do This Myself CUDA Acceleration Parallel computing architecture developed by nVIDIA http://www.nvidia.com/object/cuda_home_new.html Pyrite – CUDA acceleration of Cowpatty PMK tables Included in Kali Pyrite also supports AMD/ATI 43XX cards (they typically cost less) Could also go to the cloud MIS 5212.001

End of Material for Test MIS 5212.001

Rainbow Tables In this instance, Pre-Computed hashes of likely combinations of passphrases, SSIDs, and SSID lengths stored in tables These tables use two functions, the hashing function and a reduction function creating a chain and storing only the first and last passphrase (In this case the PMK) The table is then sorted for faster lookups See: http://en.wikipedia.org/wiki/Rainbow_table MIS 5212.001

John The Ripper (JtR) John the Ripper password cracker http://www.openwall.com/john/ There is also a “Commercial” version available at: http://www.openwall.com/john/pro/ Includes support for CUDA and OpenCL along with a wide variety of hash types (Not just WPA2-PSK) Pre-installed in Kali MIS 5212.001

JtR For JtR to work, you need to provide it with file(s) containing hashes of user passwords - and those hashes have to be of a supported type. JtR will successfully crack those hashes that correspond to weak passwords, but it will fail to crack those that are strong. MIS 5212.001

JtR and Kali As several other tools have done, will not launch from drop down Open terminal and type: “john --test” this will launch a diagnostic and give you benchmarking numbers for how your system performs Note: this is one instance where running in a VM is a bad idea. Performance will be poor Consider installing directly on a test machine MIS 5212.001

JtR Usage At it’s core, very simple Find a file with hashes in it Run: john passwordlist ~/file MIS 5212.001

First Lets Add a User Run command adduser happy Use password chess when prompted MIS 5212.001

Now Extract Password File Run command unshadow as follows This extracts the passwd and shadow file and combines them together to create a file you can go after If you were an attacker, this is what is meant by extracting or harvesting password files In Windows you would go after the SAM file MIS 5212.001

Now we Crack Run the john command as follows This tells john to use a wordlist that is preinstalled in Kali (and has chess as an entry) And tells john to apply it against the file: file_to_crack MIS 5212.001

Checking Work Using the show command Note: If you have not recently updated Kali 2.0 you may get errors. MIS 5212.001

Final Thoughts MIS 5212.001

Next Week In The News Presentation MIS 5212.001

Questions ? MIS 5212.001

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.