Hacking Wi-Fi Beyond Script Kiddie and WEP

Hacking Wi-Fi Beyond Script Kiddie and WEP
Jakob Nelson, March 8, 2018

First Things FIRST! - Ethics
Wi-Fi hacking has a very low probability of being detected. People have networks all around us, and they can be tempting. IF IT'S NOT YOURS, DON'T PLAY WITH IT!
It isn't hard or expensive to build up some lab systems to try out these techniques. I will be providing documentation on how I created it.

What We Will Cover
Some theory of wireless communications
Some theory of cryptography
The basic standards: 802.11a, b, g, n, ac
Pre-shared key networks
What features a wireless card should have
If we have time: getting 802.11ac to work in Linux

What We Will NOT Cover
802.1X and enterprise Wi-Fi implementations
Isolated client attacks
In-depth WEP cracking
Post-penetration exploitation

Documentation: www.jakobnelson.com/

Theory of Wireless
Station: a client that can connect to an access point.
Access Point: a central device that can accommodate multiple stations connecting at the same time.
What is the difference between a router and an access point?

Theory of Wireless
Time Division Multiple Access (TDMA)
Non-overlapping 2.4 GHz channels at 20 MHz bandwidth (802.11b/g/n): 2, 6, 11
Non-overlapping 2.4 GHz channels at 40 MHz bandwidth (802.11n): 3
Number of overlapping 2.4 GHz channels (in the US): 1-11
Number of 5 GHz channels: LOTS of them! See: https://en.wikipedia.org/wiki/List_of_WLAN_channels

Cryptography Theory
What is a stream cipher? An algorithm that generates pseudorandom bits (a keystream).
How is the ciphertext created? XOR the pseudorandom bits with the plaintext to produce the ciphertext.
Algorithm: RC4

Cryptography Theory
The per-packet key is made up of the IV and the pre-shared key.
What is broken: the IV is short. 3 bytes = 2**24 = ~16.8M possible IVs, so IVs (and with them the per-packet keystream) repeat.
Many different attacks lead to key recovery.
WEP IS BROKEN... DO NOT USE IT!

Cryptography Theory
WEP encryption diagram: https://en.wikipedia.org/wiki/File:Wep-crypt-alt.svg

What are we going to target?
WEP packets... lots of data packets. Really we want the IVs, but the packets themselves can be decrypted later!
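The stream-cipher and short-IV slides above, made concrete as an added example that is not part of the original deck: how soon a 24-bit IV repeats (birthday bound) and why two packets encrypted under the same keystream leak each other. The keystream and packets are constructed toy values, not RC4 output or real 802.11 frames.

```python
"""Added example (not from the slides): why WEP's 3-byte IV breaks an otherwise
ordinary stream cipher. The birthday bound shows how few packets it takes for an
IV (and hence an RC4 per-packet keystream) to repeat in a 2**24 space, and XOR-ing
two ciphertexts that share a keystream cancels the keystream and leaks p1 XOR p2.
All keys and packets below are constructed toy values."""
import hashlib
import math

def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Probability that at least two of `packets` random IVs collide.
    Standard birthday approximation: 1 - exp(-n(n-1)/(2N)), N = 2**iv_bits."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))

def packets_for_collision(probability: float = 0.5, iv_bits: int = 24) -> int:
    """Smallest packet count at which the collision probability reaches
    `probability`; starts from the inverted approximation and adjusts upward."""
    space = 2 ** iv_bits
    n = int(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - probability))))
    while iv_collision_probability(n, iv_bits) < probability:
        n += 1
    return n

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream_encrypt(keystream: bytes, plaintext: bytes) -> bytes:
    """Stream cipher core as WEP uses it: ciphertext = plaintext XOR keystream."""
    if len(keystream) < len(plaintext):
        raise ValueError("keystream too short")
    return xor_bytes(plaintext, keystream)

def keystream_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """ct1 XOR ct2 = (p1 XOR ks) XOR (p2 XOR ks) = p1 XOR p2; the keystream drops out."""
    return xor_bytes(ct1, ct2)

def demo_two_time_pad() -> bool:
    """Two constructed packets under one reused keystream: anyone who knows p1
    (say, a predictable header) recovers p2 without ever learning the key."""
    keystream = hashlib.sha256(b"constructed toy keystream").digest()  # 32 bytes
    p1 = b"constructed packet one payload!!"  # 32 bytes, stands in for a known frame
    p2 = b"constructed packet two payload!!"  # 32 bytes, the frame being recovered
    c1, c2 = stream_encrypt(keystream, p1), stream_encrypt(keystream, p2)
    recovered_p2 = xor_bytes(keystream_reuse_leak(c1, c2), p1)
    return recovered_p2 == p2
```

With the default 24-bit IV, `packets_for_collision()` comes out just under 5,000 packets for a 50% chance of a repeat, which is why "lots of data packets" is enough.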

Let’s get hands on!

Activate Monitor Mode! (airmon-ng)
1. Run the following:
# airmon-ng
2. Select a device.
3. Put the device into monitor mode:
# airmon-ng start wlan0
4. Kill off all the processes that will interfere with your adapter:
# airmon-ng check kill
5. Run it again to verify that all the interfering processes have been killed.

Start the Scan! (airodump-ng)
Run the following:
# airodump-ng <your monitor interface>
This will scan the 2.4 GHz channels. Did you get packets?
If you have a 5 GHz capable card, try this:
# airodump-ng -b a <your monitor interface>

Networks you should see:
2.4 GHz (B, G, N):
Target1 - c4:6e:1f:16:72:0c
Target3 - 30:91:8f:f3:22:35
Target4 - 04:95:e6:59:4c:f1
5 GHz (N):
Target2 - 30:91:8f:f3:22:3b
Target4 - 04:95:e6:59:4c:f5
Target5 - c8:3a:35:5e:8a:81

Saving your sniffed traffic:
Please target specific networks or SSIDs. Remember that they are on a variety of channels.
Save packets using -w (output file prefix). Filter for the correct BSSID with -d.

Target1
Strategy: collect a bunch of WEP packets (about 60k) and use aircrack-ng.
Start sniffing on the appropriate channel and BSSID!
Open up another window and navigate to the directory where you are writing the captured packets.
Run aircrack-ng against it:
# aircrack-ng <file name>

What if all my stuff is broken?
Look at the packet capture files for this target.

Try these different files and options:
File: Target1-Original.cap. Pay attention to the number of IVs.
File: Target1-56315iv.cap. Options: none (the default fudge factor is -f 2), -f 13, -f 14.

Cryptography Theory
What is a block cipher? An algorithm that operates on a fixed-size block of data.
What is a nonce? A number used once.
AP Nonce: 256 bits
Station Nonce: 256 bits
* Technically these are the authenticator (ANonce) and supplicant (SNonce) nonce values.

Cryptography Theory
What is a MIC? Message Integrity Check.
Keys:
PMK - Pairwise Master Key (this is the pre-shared key)
PTK - Pairwise Transient Key (computed from the two nonce values)
GTK - Group Transient Key (for multicast and broadcast data)

Four-way Handshake (WPA2)
Diagram: https://en.wikipedia.org/wiki/File:4-way-handshake.svg

Cryptography Theory
AES-CCMP: AES in CTR mode with a CBC-MAC for integrity.
More info: https://en.wikipedia.org/wiki/IEEE_802.11i-2004

What are we going to target?
The 4-way handshake.

Breaking WPA
Breaking WPA relies on guessing the password. I selected the password from early in the rockyou.txt list (time to crack: 39 s in a VM with 2 cores and 4 GB RAM).
Pay attention to the k/s (keys per second) rate near the top of the screen and write it down.

Target2 and Target3
Strategy: get a handshake (the client should be disassociating itself every 60 seconds).
Start sniffing on the appropriate channel and BSSID!
Run aircrack-ng against it:
# aircrack-ng -w <dictionary> <file name>

What if all my stuff is broken?
A handshake is provided in the following files: Target2-handshake.cap and Target3-handshake.cap

Target4
Strategy: collect a handshake, but this time use coWPAtty to crack it.
Start sniffing on the appropriate channel and BSSID!
Open up another window and navigate to the directory where you are writing the captured packets.
Run coWPAtty against it:
# cowpatty -d <pmk file> -s <essid> -r <capture file>

What if all my stuff is broken?
A handshake is provided in the following file: Target4-handshake.cap

What was the advantage of this?
Precompute PMKs for a given SSID (ESSID). It's faster to test them against a handshake once one is found.
~1800 keys/second with aircrack-ng
250,000 keys/second with coWPAtty
Advantages in pentesting?

How do I make my own PMK file?
Use the genpmk tool:
# genpmk -f <wordlist> -d <output file> -s <essid>
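The key-hierarchy slide (PMK from the pre-shared key) and the two slides above on per-ESSID precomputation, as an added example that is not part of the deck and is not genpmk or coWPAtty code: the IEEE 802.11i PMK derivation, why it is slow per guess, and why a table built for one ESSID is worthless against another. The word list and SSIDs are constructed; the one real value is the 802.11i test vector checked in the test.

```python
"""Added example (not from the slides, not genpmk/coWPAtty code): the WPA/WPA2-PSK
PMK derivation from IEEE 802.11i, PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).
The 4096 iterations are the per-guess cost (the k/s figure on the slides), and the
SSID is the salt, so a precomputed table is bound to exactly one ESSID. The defensive
reading: a non-default SSID defeats shared tables; only passphrase length defeats
guessing. Inputs below are constructed."""
import hashlib
import time

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (identical to the 256-bit PSK) for WPA-PSK; passphrase is 8-63 characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)

def precompute_pmks(wordlist, ssid: str) -> dict:
    """A genpmk-style table: passphrase -> PMK, valid for exactly one ESSID."""
    return {word: derive_pmk(word, ssid) for word in wordlist}

def table_transfers(table: dict, other_ssid: str) -> bool:
    """Does a table built for one ESSID match any PMK of another ESSID?
    Practically never, which is why a unique SSID invalidates shared tables."""
    return any(derive_pmk(w, other_ssid) == pmk for w, pmk in table.items())

def seconds_per_pmk(samples: int = 20) -> float:
    """Per-guess PBKDF2 cost on this machine; its inverse is the keys/second rate
    the slides ask you to note, and it is the work precomputation moves off-line."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"constructed-{i:06d}", "constructed-ssid")
    return (time.perf_counter() - start) / samples
```
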

Are there better tools for this?
Yes, a better tool exists: Pyrit.
Uses a database of passwords and ESSIDs, and precomputes PMKs for all the passwords against all the ESSIDs. Uses the GPU.
Lots faster, but it doesn't really work for this training session.

So you got:

Target5
Strategy:
1. Deauth a client using aireplay-ng
2. Crack with aircrack-ng
Start sniffing on the appropriate channel and BSSID!
Open up another window and navigate to the directory where you are writing the captured packets.
Run aircrack-ng against it:
# aircrack-ng <file name>

What if all my stuff is broken?
Look at Target5-handshake.cap (sorry, this is going to be exactly the same exercise as Target2 and Target3).

Target ALL THE THINGS!!!!
Strategy: use wifite... Let it scan, then press Ctrl+C. DON'T use "all"! You can attack any of the Target access points previously used. Have fun!

What if all my stuff is broken?
Check out my website in a few days for updates and suggestions on making things work.

I'm Out!