wireless security null seminar
DESCRIPTION
Wireless Security 1) Introduction to WLAN Security 2) Wardriving 3) WPA / WPA2 PSK (Personal) Cracking TRANSCRIPT
Wireless Security
Nilesh Sapariya CEH v8 , CCNA
Security Engineer
About me :
Agenda
1) Introduction to WLAN Security
2) WLAN Architectures
3) WPA / WPA2 PSK (Personal) Cracking
WLAN
1 ) In computing, Wireless LAN or Wireless Local Area Network is a term to refer to a Local Area Network that does not need cables to connect the different devices.
2) Instead, radio wave are used to communicate
From Fixed Device to Mobile Device
These Device’s don’t have LAN Port
Only and Best Mode of Connectivity
V VVV V V
V VVV V V
D D D D
D D D OO
O O
Wireless is a more efficient, many-to-one access method
AP
O
“Right-sized” Edge (One port supports multiple users and devices simultaneously)
With Wi-Fi Ports Can Be Easily Cut In Half
7
L
12 VOIP phones7 Desktop PC’s5 Laptop PCs
1 Wireless AP (mobile devices, guests, etc.)
6 Conference room & public area ports5 Other devices (printer, copier, fax, etc.)12 Ports (reserved for future use)
D
V
F
O
C
AP
V VVV V V
V VVV V V
D D D D
D D D
AP
OO
O O F F FFFF
F F FFFF
L L L LL
C C C C C CO
Existing Wired Network Edge (1:1 ratio of ports to devices)
Representative 12-person Workgroup
Wi-Fi Comes Problem
Challenging Wi-Fi
Environment
Client DensityAnd
Diversity Challenges
Security againstUncontrolled Wireless
Devices and Infrastructure attacks
RF Noise Metal Objects with Wheels
Building Materials
Security Risk
Uncontrolled Wireless Devices• Rogue APs• Laptops acting as bridges• Misconfigured WLAN Settings on laptops• Ad-Hoc networks
Attacks against WLAN infrastructure• Denial of Service/flooding• Man-in-the-Middle• WEP (Wired Equivalent Privacy ) cracking (aircrack-ng –
famous tool)• WPA/WPA2 ( Wireless protected access ) cracking
(aircrack-ng – famous tool)
Security Risk
Ad HocAccess Point MAC
Spoofing
?
Server
Rogue User
Mis-configured Access Point
Office
And More such kind of Attacks
Wireless Standards - 802.11a, 802.11b/g/n, and 802.11ac
• 1997 IEEE ( Institute of Electrical and Electronics Engineering ) created First WLAN
• Called as 802.11 • 802.11 only supports max network BW = 2
Mbps (to slow for most of application )
WLAN Operation
• Wireless LAN (WLAN) Can operate in 2 different frequency ranges
• 2.4GHz (802.11 b/g/n ) • 4.9 or 5GHz (802.11 a/h/j/n)• Note : your wireless card can only be on one
channel ( it has single radio ) • Every country has allowed channel ,users and
maximum power levels
• Fair distribution of clients across channels
• eg. Channel 1, 6, 11
• Fair distribution of clients across bands
• eg. 2.4-GHz and 5-GHz
Channel 11
Channel 6
Channel 1
WLAN Setup
802.11a/b/g/n
Antennas
Policy
Mobility
Forwarding
Encryption
Authentication
Management
“Fat” Access Point”
Centralized Management Centralized Security
“Thin” Access Points
Policy
Mobility
Forwarding
Encryption
Authentication
Management
802.11a/b/g/n
Antennas
Many devices to manage Many entry points to secure
Centralized Mobility Controller
Wardriving
• How to find SSID in your area • How to find hidden SSID • Tools used :-i. inSSIDerii. Common view for wifi
Understanding WPA / WPA2 (Wi-Fi Protected Access )
Wireless Encryption
• The main source of vulnerability associated with wireless networks are the methods of encryption. There are a few different type of wireless encryption including:
• WEP• WPA• WPA2
WEP
• Stands for Wired Equivalent Privacy.• WEP is recognizable by the key of 10 or
26 hexadecimal digits.
WPA or WPA2
• Stands for Wi-Fi Protected Access• Created to provide stronger security• Still able to be cracked if a short password is
used. • If a long passphrase or password is used, these
protocol are virtually not crackable.• WPA-PSK and TKIP or AES use a Pre-Shared
Key (PSK) that is more than 7 and less than 64 characters in length.
Why WPA ?
WEP (Wired Equivalent Privacy )broken beyond repair
if you are using 64 bit or 128 bit key WEP will be broken
Weaknesses of WEP
1. Poor key management
• WEP uses same key for authentication/encryption• Provides no mechanism for session key refreshing• Static Key encryption used
2. One-way authentication
WEP Replacement
Long Term Solution Use CCMP ( Counter Mode Cipher
Block Chaining Message Authentication Code Protocol )
Based on AES Hardware Change Require
Personal Enterprise Personal Enterprise
Intermediate solution by Wifi-Alliance
Use TKIP (Temporal Key Integrity Protocol )
Based on WEP Hardware change not required Firmware update
PSK PSK802.1x + Radius 802.1x + Radius
WPA WPA2
Difference between WPA-Personal & WPA-Enterprise
Wireless Architecture How to create profile for WPA-
Personal and WPA-Enterprise
WEP :Static Key Encryption
Static WEP Key
Static WEP Key
Probe Request-Response
Authentication RR , Association RR
Data Encrypted with Key
WPA :Non Static Key
Static WEP Key
Static WEP Key
Probe request response
Authentication , Association
Dynamic Key Generated First
Data Encrypted with Dynamic Key
How are dynamic keys Created ?
WPA / WPA2 PSK(Personal) Cracking
WPA Pre-shared Key
Passphrase (8-63 )
PBKDF2
Pre-Shared Key 256 bit
Passphrase (8-63 )
PBKDF2
Pre-Shared Key 256 bit
PBKDF2
• Password Based Key Derivation Function • RFC 2898 • PBKDF2 (Passphrase, SSID,ssidLen,4096,256 )• 4096 - Number of times the passphrase is
hashed • 256 - Intended Key Length of PSK
How does the Client know ?
• Beacon Frames ?• Probe Response Packets from the AP ? • Can be used to create a WPA/WPA2 Honeypot
as well!
How WEP Works
1) We try to collect large number of data packets
2) Bunch of large data packet contains weak IV 3) We Run it with the algorithm or aircrak-ng
and get the key
Then how to crack WPA-PSK ?
Lets “ Shake the hand” #4-way Handshake Probe Request Response
Authentication RR, Association RR Supplicant Authenticator
Pre-Shared Key 256 bit Pre-Shared Key 256 bit
Message 1
ANounce ANounce
PTK
SNounce
Message 2Snounce
PTK
Message 3
Key Installation Key Installed
Message 4Key Install Acknowledgement
+ MIC
Key Installed
Pairwise Transient Key
• PTK = Function (PTK ,ANounce, SNounce, Authenticator MAC ,Supplicant MAC )
PMK= Pre-Shared Key (Pairwise master Key) ANounce = Random by AP SNounce = Random by Client Authentication MAC = AP MAC Supplicant MAC = Client MAC MIC – Message Integrity Check ( Signature Algorithm )
WPA Working: Block Diagram
Passphrase (8-63 )
PBKDF2
Pre-Shared Key 256 bit
4 Way Handshake
SNonceAnonceAP MAC
Client MAC
PTK
WPA-PSK Susceptible to Dictionary Attack
WPA / WPA2 PSK(Personal) Cracking
DEMO
External Wireless Card
• Alfa Networks AWUS036H USB based card
• Already integrated with Backtrack and Kali
• Allows for packet sniffing • Allows for packet injection• We will use this in our
Demo session
Software Setup
• Run Kali Linux on VM machine • Connecting Alfa Adapter
Understanding Wireless Sniffing
• Wireless : Monitor mode • When you put card in monitor mode then it will
accept all the packet it is seeing in the current channel
• Inbuilt tool in Kali which helps in quickly put card into monitoring mode and sniff the packets
• Will use Tool name : airmon-ng to put card in to monitor mode ( part of aircrack sweet of tools )
Some Basic Terms
• MAC address or physical address is a unique identifier assigned to network interfaces for communications
• Access point >> Wireless router
• SSID (service set identifier) >> Network Name
• BSSID (basic service set identification ) >> MAC address of the access point
Using KaliLinux or BT
• Some Basic Backtrack Terms >>• Wlan0 – wireless interface• Mon0 – monitor mode• Handshake :-refers to the negotiation process between
the computer and a WiFi server using WPA encryption. Needed to crack WPA/WPA2.
• Dictionary - consisting the list of common passowords.• .cap file – used to store packets.
Tools Used
• Airmon-ng >> Placing different cards in monitor mode
Airodump-ng (Packet snniffer ) >> Tool used to listen to wireless routers in the area.
Aireplay-ng ( Packet injector ) >> Aireplay-ng is used to inject frames. – The primary function is to generate traffic for the
later use in aircrack-ng for cracking the WEP and WPA-PSK keys.
• Aircrack-ng >> Cracks WEP and WPA (Dictionary attack) keys.
Lets Hack
Lets Start
This will list all of the wireless cards that support monitor (not injection) mode.
The “(monitor mode enabled)” message means that the card has successfully been put into monitor mode. Note the name of the new monitor interface, mine is mon0.
• Airodump will now list all of the wireless networks in your area.
• airodump-ng –c [channel] –bssid [bssid] –w /root/Desktop/ [monitor interface]Replace [channel] with the channel of your target network. Paste the network BSSID where [bssid] is, and replace [monitor interface] with the name of your monitor-enabled interface, (mon0).
• Airodump with now monitor only the target network, allowing us to capture more specific information about it.
NOTE : • What we’re really doing now is
waiting for a device to connect or reconnect to the network, forcing the router to send out the four-way handshake that we need to capture in order to crack the password.
aireplay-ng –0 2 –a [router bssid] –c [client bssid] mon0
Upon hitting Enter, you’ll see aireplay-ng send the packets, and within moments, you should see this message appear on the airodump-ng screen!
Final Step
• aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap
• -a is the method aircrack will use to crack the handshake, 2=WPA method.-b stands for bssid, replace [router bssid] with the BSSID of the target router, mine is 00:14:BF:E0:E8:D5.-w stands for wordlist, replace [path to wordlist] with the path to a wordlist that you have downloaded. I have a wordlist called “wpa.txt” in the root folder./root/Desktop/*.cap is the path to the .cap file containing the password
If the phrase is in the wordlist, then aircrack-ng will show it too you like this
Thank you
Email: [email protected] : @nilesh_loganxContact : 8898813662