Slide 1: Wireless Security
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
June 16, 2010
Thomas d’Otreppe de Bouvette, author of Aircrack-ng
Slide 2: Agenda
– WEP
– WPA
– Choose hardware
– Wireless reconnaissance
  – Airgraph-ng
  – GISKismet

Slide 3: WEP
– Still broken but still used
– Sometimes you can’t crack the key: "What can I do?"

Slide 4: WEP
– Check if you have enough data packets:
  – ~30K are needed for 64-bit with PTW
  – ~80K for 128-bit with PTW
– Switch to KoreK starting from 150-200K packets:
  – ~200K for 64-bit with KoreK
  – ~500K for 128-bit with KoreK
– Usually, if you can’t crack, as a rule of thumb, just get more (data) packets
– More than enough and still can’t crack the key? Split the capture file and crack the parts individually
Slide 5: WEP – Split files
– Pcap-util: http://www.badpenguin.co.uk/files/pcap-util
– Perl script
– Works on Linux/Windows

Slide 6: WEP – Split files (2)

Slide 7: WEP – Split files (3)
– Has several options:
  – Split in files of X MB
  – Extract packets that fall within a period of time
  – Extract packets that match a libpcap filter
– Just need to split in smaller files, so:
  – perl pcap-util split large.pcap small 3
Slide 8: WEP – PTW limitations
– Works with 64- and 128-bit keys
– Works in 2 phases:
  – Phase 1: ARP
  – Phase 2: then use all other data packets (some packets are ignored because they are known to be unusable for PTW)
– List of usable packets can be found at http://aircrack-ng.org/doku.php?id=supported_packets
Slide 9: WEP – WEP Cloaking™
"Motorola AirDefense WEP Cloaking™ provides protection for wireless infrastructure secured by legacy encryption protocols. This is an add-on module to Motorola AirDefense Enterprise, the market leading Wireless Intrusion Prevention System."
– Solution: airdecloak-ng, but sometimes aircrack-ng can crack it directly

Slide 10: WEP – WEP Cloaking™ (2)
aircrack-ng wep_cloaking_full_speed_dl.pcap -b 00:12:BF:12:32:29 -K -n 64 -d 1F:1F:1F

Slide 11: WEP – WEP Cloaking™ (3)

Slide 12: WEP – WEP Cloaking™ (4)
– Not all packets were filtered out, but enough to crack the key
Slide 13: WEP – Broken capture file
– Aircrack-ng: "Invalid packet capture length 0 - corrupted file?"
– Wireshark

Slide 14: WEP – Broken capture file (2)

Slide 15: WEP – Broken capture file (3)
– Mark the first packet
– Mark the last good packet
– File – Save as …
– Select "first to last marked packet"
– Select an output filename, then save it
– DONE
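The two capture-file fixes above (splitting a large file as on slide 7, and keeping only the packets before the corruption as on slides 13 to 15) done directly on the pcap format. This is an added example, not pcap-util or aircrack-ng code; the sample capture is constructed inline and the chunk size is given in bytes.

```python
"""Split a WEP capture into smaller valid pcap files, stopping at the first corrupt record.
Added example, not pcap-util or aircrack-ng code: does what 'pcap-util split' and the
'save first to last good packet' step do. Classic microsecond pcap only, not pcapng."""
import struct

GLOBAL_HDR_LEN, REC_HDR_LEN = 24, 16   # pcap file header and per-packet record header sizes

def parse_pcap(data):
    """Return (global header bytes, whole good records, error message or None)."""
    magic = struct.unpack_from("<I", data, 0)[0] if len(data) >= GLOBAL_HDR_LEN else None
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        return None, [], "no usable pcap global header (magic %r)" % magic
    snaplen, = struct.unpack_from(endian + "I", data, 16)
    records, off, error = [], GLOBAL_HDR_LEN, None
    while off < len(data):
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0] if off + REC_HDR_LEN <= len(data) else None
        # zero, oversized or truncated capture length: what aircrack-ng reports as a corrupted file
        if not incl_len or incl_len > snaplen or off + REC_HDR_LEN + incl_len > len(data):
            error = "invalid packet capture length %s at offset %d - corrupted file?" % (incl_len, off)
            break
        records.append(data[off:off + REC_HDR_LEN + incl_len])
        off += REC_HDR_LEN + incl_len
    return data[:GLOBAL_HDR_LEN], records, error

def split_pcap(data, max_bytes):
    """Chunk the good records into files of at most max_bytes, each with its own global
    header (byte-splitting a capture with a generic tool would leave that out)."""
    header, records, error = parse_pcap(data)
    if header is None:
        return [], error
    chunks, current = [], header
    for rec in records:
        if len(current) + len(rec) > max_bytes and len(current) > GLOBAL_HDR_LEN:
            chunks.append(current)
            current = header
        current += rec
    if len(current) > GLOBAL_HDR_LEN:
        chunks.append(current)
    return chunks, error

def sample_pcap(n_packets, corrupt_tail=False):
    """Constructed input: little-endian pcap, link type 105 (802.11), 40-byte dummy frames."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    for i in range(n_packets):
        frame = bytes([i & 0xFF]) * 40
        data += struct.pack("<IIII", 1276660000 + i, 0, len(frame), len(frame)) + frame
    if corrupt_tail:  # a record header claiming a zero-length packet
        data += struct.pack("<IIII", 1276660999, 0, 0, 0) + bytes(40)
    return data
```

Every chunk written this way opens in Wireshark and aircrack-ng on its own; the error string tells you the offset at which a real file went bad.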
Slide 16: Agenda
– WEP
– WPA
– Choose hardware
– Wireless reconnaissance
  – Airgraph-ng
  – GISKismet

Slide 17: WPA
– WPA is at the same time easy and hard to crack:
  – Easy to get the handshake
  – But the passphrase can be really complex

Slide 18: WPA
– The 802.11i group was launched when flaws were found in WEP
– 2 link-layer protocols:
  – TKIP (WPA1): Draft 3 of the 802.11i group (backward compatible with legacy hardware)
  – CCMP (WPA2): final 802.11i standard
– 2 authentication methods:
  – Personal: PSK (shared key, 8-63 characters)
  – Enterprise: MGT (RADIUS server)
Slide 19: WPA-PSK – 4-way handshake

Slide 20: WPA – Location
– You need to be located not too far from the client and the AP to hear the whole 4-way handshake
– Aircrack-ng can work with fewer than the 4 EAPOL packets

Slide 21: WPA – Good location

Slide 22: WPA – Bad location
– Only hear the AP:
– Only hear the client:
Slide 23: WPA – Airbase-ng
– Act as an AP with airbase-ng and get the handshake => you just need to be in range of the client:
  airbase-ng -z 2 -W 1 -y -c 6 -F dump -e "Philips WiFi" rausb0
– Location problem solved ;), you just need the client

Slide 24: WPA – Airbase-ng (2)
DEMO

Slide 25: WPA – Debug
– Aircrack-ng/cowpatty/pyrit/OTHER TOOL doesn’t see the handshake, why?
– So, how does it look in capture files and how do we debug it?
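One way to answer the debugging question above, and to see what the "bad location" cases of slide 22 and the "fewer than 4 EAPOL packets" remark of slide 20 look like in a capture: classify each EAPOL-Key frame by its Key Information flags and check which handshake messages are present. Added example, not aircrack-ng's own code; the sample frames are constructed inline.

```python
"""Which EAPOL-Key messages of a WPA/WPA2 4-way handshake does a capture hold?
Added example, not aircrack-ng code. Each input is one EAPOL frame (the bytes that
follow the LLC/SNAP header of an 802.11 data frame); pulling those out of a
capture file is assumed to be done by the caller."""
import struct

KEY_INSTALL, KEY_ACK, KEY_MIC = 0x0040, 0x0080, 0x0100   # Key Information flag bits

def classify_eapol_key(frame):
    """Return (message number 1-4, replay counter), or None for anything that is not EAPOL-Key."""
    if len(frame) < 99 or frame[1] != 3:           # EAPOL packet type 3 = Key; 99 = fixed field size
        return None
    key_info, = struct.unpack_from(">H", frame, 5)
    replay, = struct.unpack_from(">Q", frame, 9)
    key_data_len, = struct.unpack_from(">H", frame, 97)
    ack, mic, install = key_info & KEY_ACK, key_info & KEY_MIC, key_info & KEY_INSTALL
    if ack and not mic:
        return 1, replay                        # AP -> client: ANonce
    if ack and mic and install:
        return 3, replay                        # AP -> client: ANonce again, MIC
    if mic and not ack:
        # M2 carries the client's RSN/WPA IE in Key Data; M4's Key Data is empty
        return (2 if key_data_len else 4), replay
    return None

def handshake_status(frames):
    """A cracker needs M2 (SNonce + MIC) plus M1 or M3 (ANonce) from the same exchange:
    M1 and M2 share a replay counter, M3 uses that counter plus one."""
    seen = {}
    for frame in frames:
        result = classify_eapol_key(frame)
        if result and result[0] not in seen:
            seen[result[0]] = result[1]
    usable = 2 in seen and (seen.get(1) == seen[2] or seen.get(3) == seen[2] + 1)
    return {"messages": sorted(seen), "complete": len(seen) == 4, "usable": usable}

def sample_key_frame(key_info, replay, nonce_byte, key_data=b""):
    """Constructed EAPOL-Key frame (RSN descriptor type 2) with a fixed-value nonce."""
    body = struct.pack(">BHHQ", 2, key_info, 16, replay) + bytes([nonce_byte]) * 32
    body += bytes(48) + struct.pack(">H", len(key_data)) + key_data   # IV, RSC, ID, MIC, then Key Data
    return struct.pack(">BBH", 2, 3, len(body)) + body

RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")   # constructed: CCMP/PSK
M1 = sample_key_frame(0x008a, 1, 0xAA)                  # pairwise | ACK
M2 = sample_key_frame(0x010a, 1, 0xBB, RSN_IE)          # pairwise | MIC, Key Data = RSN IE
M3 = sample_key_frame(0x13ca, 2, 0xAA, bytes(56))       # pairwise | install | ACK | MIC | secure | encrypted
M4 = sample_key_frame(0x030a, 2, 0x00)                  # pairwise | MIC | secure, empty Key Data
```

Hearing only the AP gives M1 and M3 (no SNonce, no MIC), hearing only the client gives M2 and M4 (no ANonce); neither is usable, which is exactly the slide 22 situation.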
Slide 26: WPA – Debug
DEMO

Slide 27: WPA – Cracking
– Once you have the handshake, it’s time to crack it
– Two methods come to mind:
  – Using a wordlist
  – Bruteforcing
– Bruteforce is not doable since the minimum key length is 8 characters, so we need a good dictionary

Slide 28: WPA – Dictionary
– Having the right dictionary is important!
– Here are a few tips to build yours:
  – Use generic dictionaries, add things like:
    – Language used
    – Phone numbers (i.e., use JTR to generate all possible phone numbers)
    – City and different things around
    – Other things that come to your mind, …
  – Use programs to "add" words:
    – John The Ripper (and Markov)
    – Wyd
    – …
– Combine all of these … and you may end up with huge dictionaries.
Slide 29: WPA – Cracking hardware
– Processing big dictionaries takes time
– CPU too slow => use GPU and FPGA

Slide 30: WPA – GPU performance
Pyrit performance

Slide 31: WPA – GPU crackers
– Quite easy to set up …
  – apt-get install backtrack-cuda
– … but:
  – Don’t forget the power bill ;)
  – Creating dictionaries takes time
– Online services available:
  – Cloud computing: http://www.wpacracker.com
  – GPU: http://tools.question-defense.com
Slide 32: Agenda
– WEP
– WPA
– Choose hardware
– Wireless reconnaissance
  – Airgraph-ng
  – GISKismet

Slide 33: Choose hardware – Antennas
– Often asked: "What is the best antenna?"
– Depends on your needs:
  – Long or short links? Low or high power antenna
  – Point to point or point to multipoint? Directional antenna or omni
  – Frequency? 2.4 GHz / 5 GHz (4.9/5.2/5.8/…)
  – …

Slide 34: Choose hardware – Antennas
– Antenna pattern:
  – Vertical pattern: look at the horizon
  – Horizontal pattern: look at the ground from the sky

Slide 35: Choose hardware – Antennas: Omni
– Great for point to multipoint connections (i.e., AP)
– Theory: radiate in all directions
– Highest power is not the best one

Slide 36: Choose hardware – Antennas: Omni 5 dBi

Slide 37: Choose hardware – Antennas: Omni 9 dBi

Slide 38: Choose hardware – Antennas: Sector 120°
Slide 39: Choose hardware – Antennas: Grid

Slide 40: Choose hardware – Antennas: Home made – Biquad

Slide 41: Choose hardware – Antennas
– So, don’t just get the most powerful
– Check the law
– Look at the specs of the cards:
  – RX sensitivity: ability to hear
  – TX power: needed for long distance links
  – Important: both take the rate, the frequency and the modulation into account
– Example: Ubiquiti SRC datasheet

Slide 42: Choose hardware – Cables
– Cables have losses:
  – Thin: high loss, usually for short links (bend easily)
  – Thick: low loss, for long links (can’t be bent easily)
  – Loss depends on the frequency
– Connectors also have losses: around 0.5 dB
– A few cables (loss for 100 feet at 2.4 GHz):
  – RG174: ~60 dB
  – RG58: ~25 dB
  – LMR 200: ~16.5 dB
  – LMR 400: ~6.7 dB
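Putting the figures of slides 41 and 42 together into a link budget: cable and connector losses, antenna gain, the card's TX power and RX sensitivity, and a check against an EIRP limit. Added example, not from the talk; the EIRP limit, card values and distances are inputs you supply, and the free-space path loss formula is the standard Friis one.

```python
"""Link budget from the numbers on slides 41 and 42: cable loss per 100 ft at 2.4 GHz,
about 0.5 dB per connector, antenna gain, card TX power and RX sensitivity.
Added example, not from the talk; the EIRP limit is an input, set it from your local regulations."""
import math

CABLE_LOSS_DB_PER_100FT = {"RG174": 60.0, "RG58": 25.0, "LMR200": 16.5, "LMR400": 6.7}
CONNECTOR_LOSS_DB = 0.5

def cable_loss_db(cable, length_ft, connectors=2):
    """Run loss scaled from the 100 ft figure, plus one loss per connector."""
    return CABLE_LOSS_DB_PER_100FT[cable] * length_ft / 100.0 + connectors * CONNECTOR_LOSS_DB

def free_space_path_loss_db(freq_mhz, distance_km):
    """Friis free-space loss, distance in km and frequency in MHz."""
    return 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz) + 32.44

def link_budget(tx, rx, freq_mhz, distance_km, rx_sensitivity_dbm, eirp_limit_dbm):
    """tx/rx: dicts with cable, length_ft, gain_dbi (tx also power_dbm). Use the datasheet
    sensitivity for the rate and modulation you need, since it changes with both."""
    eirp = tx["power_dbm"] - cable_loss_db(tx["cable"], tx["length_ft"]) + tx["gain_dbi"]
    rx_signal = (eirp - free_space_path_loss_db(freq_mhz, distance_km)
                 + rx["gain_dbi"] - cable_loss_db(rx["cable"], rx["length_ft"]))
    return {"eirp_dbm": round(eirp, 2), "rx_signal_dbm": round(rx_signal, 2),
            "margin_db": round(rx_signal - rx_sensitivity_dbm, 2),
            "within_eirp_limit": eirp <= eirp_limit_dbm}

def compare_cables(length_ft, connectors=2):
    """The same run in each cable type from the slide: thin coax is for short links only."""
    return {c: round(cable_loss_db(c, length_ft, connectors), 2) for c in CABLE_LOSS_DB_PER_100FT}
```

With 30 ft of LMR400 on both ends, 9 dBi antennas, 20 dBm TX and a -90 dBm sensitivity, a 1 km link at 2437 MHz keeps about 22 dB of margin; the same link on RG174 ends up below the sensitivity floor.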
Slide 43: Agenda
– WEP
– WPA
– Choose hardware
– Wireless reconnaissance
  – Airgraph-ng
  – GISKismet

Slide 44: Airgraph-ng
– Airgraph-ng creates a picture of the networks
– Usage examples:
  – Display a network map
  – Network monitor
– Uses the CSV output of airodump-ng
– Part of the suite (can be found in scripts/)

Slide 45: Airgraph-ng – Graph types
– Client to Access Point Relationship graph (CAPR):
  – Client to Access Point Relationship
  – Focuses more on clients than on APs
  – APs without clients aren’t graphed
  – Colors for each type of encryption:
    – Green: WPA
    – Yellow: WEP
    – Red: Open
    – Black: Unknown
– Client Probe Graph (CPG):
  – Links between clients and APs

Slide 46: Airgraph-ng – Examples
– Parameters:
  – Input file: airodump-ng CSV file (.csv)
  – Graph type:
    – CAPR (Client – AP Relationship): connected clients
    – CPG (Common Probe Graph): probed SSIDs
  – Output file: picture file name
– Examples:
  – CAPR: airgraph-ng.py -i sharkfest-01.csv -g CAPR -o sharkfest-capr.png
  – CPG: airgraph-ng.py -i sharkfest-01.csv -g CPG -o sharkfest-cpg.png
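The two relationships described on slides 45 and 46, built from an airodump-ng CSV: the CAPR graph (clients per AP, coloured by encryption, APs without clients dropped) and the CPG graph (probed ESSID to the clients asking for it). Added example, not airgraph-ng's own code; it returns the graph data rather than drawing it, and the CSV is a constructed sample in airodump-ng's layout.

```python
"""The CAPR and CPG relationships airgraph-ng draws, built from an airodump-ng CSV.
Added example, not airgraph-ng's own code; it returns graph data instead of a picture."""
import csv, io
COLOURS = {"WPA": "green", "WEP": "yellow", "OPN": "red"}   # slide 45; anything else is black

def encryption_colour(privacy):
    return next((c for p, c in COLOURS.items() if privacy.startswith(p)), "black")

def parse_airodump_csv(text):
    """Return ({bssid: ap info}, [station dicts]) from the AP section, blank line, station section."""
    ap_part, _, sta_part = text.replace("\r\n", "\n").strip().partition("\n\n")
    aps, stations = {}, []
    for row in csv.reader(io.StringIO(ap_part), skipinitialspace=True):
        if len(row) >= 14 and row[0] != "BSSID":
            aps[row[0]] = {"essid": row[13].strip(), "privacy": row[5].strip(), "channel": row[3].strip()}
    for row in csv.reader(io.StringIO(sta_part), skipinitialspace=True):
        if len(row) >= 6 and row[0] != "Station MAC":
            # probed ESSIDs are themselves comma separated, so they spill over several CSV fields
            probes = [p.strip() for p in row[6:] if p.strip()]
            stations.append({"mac": row[0], "bssid": row[5].strip(), "probes": probes})
    return aps, stations

def capr(aps, stations):
    """Client to AP Relationship: APs without clients are left out, as on slide 45."""
    graph = {}
    for sta in stations:
        ap = aps.get(sta["bssid"])
        if ap is None:                # '(not associated)' or an AP that never appeared
            continue
        node = graph.setdefault(sta["bssid"], dict(ap, colour=encryption_colour(ap["privacy"]), clients=[]))
        node["clients"].append(sta["mac"])
    return graph

def cpg(stations):
    """Client Probe Graph: probed ESSID -> clients that asked for it."""
    graph = {}
    for sta in stations:
        for essid in sta["probes"]:
            graph.setdefault(essid, []).append(sta["mac"])
    return graph

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-06-16 10:00:00, 2010-06-16 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,    0,   0.  0.  0.  0,   6, LabNet,
66:77:88:99:AA:BB, 2010-06-16 10:00:00, 2010-06-16 10:05:00, 11,  54, WEP , WEP , , -60,   80,  500,   0.  0.  0.  0,   6, OldNet,
CC:CC:CC:CC:CC:CC, 2010-06-16 10:00:00, 2010-06-16 10:05:00,  1,  54, OPN , , , -75,   40,    0,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:AA:AA:AA:AA:01, 2010-06-16 10:01:00, 2010-06-16 10:04:00, -50,  30, 00:11:22:33:44:55, LabNet,HomeWiFi
AA:AA:AA:AA:AA:02, 2010-06-16 10:02:00, 2010-06-16 10:03:00, -70,   5, (not associated), Coffee
AA:AA:AA:AA:AA:03, 2010-06-16 10:01:00, 2010-06-16 10:05:00, -65,  12, 66:77:88:99:AA:BB,
"""   # constructed sample in airodump-ng CSV layout
```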
Slide 47: Airgraph-ng – Examples (2)
CAPR

Slide 48: Airgraph-ng – Examples (3)
CPG

Slide 49: Agenda
– WEP
– WPA
– Choose hardware
– Wireless reconnaissance
  – Airgraph-ng
  – GISKismet

Slide 50: GISKismet
– "GISKismet is a wireless recon visualization tool to represent data gathered using Kismet in a flexible manner"
– Displays access points on Google Earth => requires GPS
– Also works with airodump-ng

Slide 51: GISKismet (2)
– Stores information in a database (SQLite)
– Input: Kismet newcore XML (netxml)
– Outputs a KML file
– Filter data:
  – Input: limited to things like channel, ESSID, …
  – Output: flexible, SQL query

Slide 52: GISKismet (3)
– Importing data:
  – giskismet -x dump-01.kismet.netxml
  – Will create a file called wireless.dbl (SQLite3 database with 2 tables):
    – Clients: all clients
    – Wireless: all APs
– Exporting:
  – giskismet -q SQL_QUERY -o OUTPUT_FILE.kml

Slide 53: GISKismet (4)
SQL queries:
– All: select * from wireless
– SSID starting with ‘SpeedTouch’: select * from wireless where ESSID like 'SpeedTouch%'
– APs from Aruba Networks: select * from wireless where Manuf = 'Aruba Networks'
– Hotspots: select * from wireless where ESSID like '%hotspot%'
– Channel 6: select * from wireless where channel = 6

Slide 54: ?

Slide 55: Links
– Pcap-util: http://www.badpenguin.co.uk/files/pcap-util
– List of supported packets for PTW: http://aircrack-ng.org/doku.php?id=supported_packets
– John The Ripper: http://www.openwall.com/john/
– Markov: http://openwall.info/wiki/john/markov
– Wyd: http://www.remote-exploit.org/?page_id=418
– "Next generation wireless recon …" (ShmooCon 2009): http://spl0it.org/files/talks/Abraham-Smith-NextGenerationWirelessRecon-VisualizingTheAirwaves-ShmooCon2009.pdf (short: http://preview.tinyurl.com/nbsssp)
– Cable loss calculator: http://www.ocarc.ca/coax.htm