NetworkSecurityAssignment

WiFisecurityonWPAPSK/WPA2PSK

Summitedto:

Prof. Francesco Gringoli

Preparedby: WasyhunAsefa

Introduction Wirelesssecurityhasmanychallenges.Amongmanyofthemthefollowingissuesaremoredominant Itsevenimpossibletothinktoprotectradiosignals WiFicoveragecanextendbeyondourboundaryorwalls.Somebodycanstillusethesameradiosignal. Thereismobileclientsthatmakesecuritymuchmorechallenging Itsmoredifficulttolocateattackerandpassivepacketsniffer.Theycanbemilesaway.

Wirelesspacketsniffingcanbedonebyusingaircrackngwhichissimilartopacketsniffing.Inordertoachievethisweput ourWiFicardinmonitormode(promiscuousmode).Thiswaywecanaccepteverypacketintheair. Steps Step1:Gotorootmodeandchecktheinterfacesavailable

Step2:Sincewehavetoworkwithourwirelesscardfirstwehavetobringupthewirelessinterfaceandthenwe havetoputitinthemonitormodeforpurposeofpacketsniffing.Whiledoingthatwealsolaunchwireshark

Aswecanseefromabovecapturewehaveenabledthemonitormodeandalsoopenwiresharkto
capturethetrafficontheair.Themonitorinterfacemon0 canbeseeninwiresharkwindow WiFisniffingismorecomplicatedduetothreedifferentoperatingfrequenciesassignedbythestandard: 1. 2. 3. 2.4GHz(assignedto802.11b/g/n) 3.6GHz(alreadyoccupiedby802.11y) 4.9/5.0GHz(for802.11a/h/j/n)

Since most of UniBs Access points configured to use channel one which is around 2.412GHz we set monitor interface to channel1 Thenthestatusinformationwillbeasfollows
Thefirstchannelisaround 2.412GHz

LetscaptureWiFisignalonchannel1

This how traffic sniffing done in the wireless world because the radio transmission is vulnerable to any active or passive attacker.

RevisitingWirelessFrames
Wirelesscommunicationusesframestocommunicate.Theframeheaderandtrailercontentgivenbelow:

AboveallFramecontrolhasmorecomplexstructure:

Protocol:settozero(setto0)unlessitsbecomebackwardincompatible. Type:Defineifframeismanagement(setto00),control(setto01)orData(setto10)witheachsubtype.
ToDS FromDS Interpretation 0 0 STAtoSTAinsameIBSS,noAPisinvolved 0 1 ExitDS(generatedbyAP) 1 0 EnterDS(sentfromAPportaccessentity 1 1 UsedinWiFiDS(WDS)itsAPreplay MoreFrag:indicatemoreframefragmenttocomeincaseoflargeframes Retry:indicateifcurrentframeisoriginal(setto0)orretransmitted(setto1)

PowerMgmt:showifSTAisinpowersavemode(setto1)orActivemode(setto0) MoreData:showAPhasmoredatatodeliverbecausetheSTAgoestoinpowersavemode ProtectedFrame:indicatewhethercurrentframeisencryptedornot.

Duration/ID: used to set NAV (Network Allocation Vector). Its a minimum amount of time STA need to wait before transmitting. Address1/2/3/4:representsthefollowingaddress 1. 2. SourceandDestinationAddress BSSIDaddress

Sequencecontrol: Sequencenumberofthepacket Fragmentnumberofthepacket

QoSControl:relatedtoQosofthenetworkandservices; FrameBody:itcontainstheactualtransmitteddataandmanagementframedetail. FCS:itsCRCcheckoverframebodyandheaderinformation.Itcanbebeatenbyhackersandcanbemodified.

WLANAuthentication
Authenticationinwirelesssystemtakestwoforms: Openauthentication: Noactualauthenticationtakesplacebetweenthem. Onlytwopacketsexchangebetweenthemandauthenticationends.

Sharedkeyauthentication

ThechallengeisencryptedusingWEPkey.WEPusesRC4streamcipher.

WiredEquivalentPrivacy(WEP)
ItsthefirstencryptionstandardmadeavailableforWiFi. UseRC4(i.esymmetrickeyencryption:bothAPandSTAshassamepresharedkey)

TheactualIVvalues

 WEPSTEP1:generatecryptokeyusingcryptosalt Itsrandomperpacket Usedinencryption

WEPSTEP3:Ciphertextgenerator

KSA:keyschedulingalgorithm PRGA:pseudo RandomGeneratorAlgorithm WEPSTEP2:Generation Integritycheckvalue

ConcatenateddataandICV

WEPDecryption

IfICVcomputedinAPissameastheonesentbySTAthenintegrityofthemessageiskeptandits neverbeenaltered

WEPcracking Step1:Bringupthewirelessinterfaceandseeifinterfaceiscreatedbyissueiwconfig Step2:Useairodumpngtolocateouraccesspointandsnifffortraffic Step3:wecanseefromthecapturethesecuritymethodimplemented

 Step4:toselecttheAPthatwearereallyinterestedinbyissuethefollowingcommand root@ubuntu:~#airodumpngbssid00:21:91:D2:8E:25channel1writeWEPCrackingDemomon0 Step5:letsanalyzetheframe root@ubuntu:~#wireshark& InWEPcrackingtherearetwomethods

PassiveWay:wesniffforweakIVsthatrevealinformationaboutWEPkey :wehavetocollectenoughIVstocrackWEPbecausetheydependonweakkey Activeway:whentimeisnotinoursideweusereplayattacktosimulatethenetwork :ARPreplaybysendingandreceivingARPrequestandresponserespectively ARPreplayStep1:CaptureARPreplay

CapturedARPpacketrepeatedblindlyuntillnetworkreplythenwehaveawinner

ARPpacketarefixedsizeandhasMACaddressofdestination

Step1:letscapturestrafficonmonitormode root@ubuntu:~#airodumpngchannel1mon0 Step2:letsnowselectourbssidandsave root@ubuntu:~#airodumpngchannel1mon0writeonlinecrackingbssidMAC_AddofAP Step3:nowletsblindlysendARPreplayattack root@ubuntu:~#aireplayngarpreplayessid_namemon0 Step4:letsbreakconnectionbetweennodeandAP root@ubuntu:~#aireplayngdeauth0essid_namemon0 Step5:letssendARPrequestandsimulateARPresponse root@ubuntu:~#aireplayngarpreplayessid_namehclient_MACmon0 Step6:at this point airodumpng register the packet sniffed in onlinecracking pcap file. Now lets go to real crackingpart.Wepasstheonlinecracking01.capfiletoaircrackng root@ubuntu:~#aircrackngonlinecracking01.cap

UnderstandingWPA/WPA2
WPA:isintermediatesolutionforWiFisecurityusesTKIP(TemporalKeyIntegrityprotocol)thatbasedonWEP.

WPAPSK: is vulnerable to dictionary attack. Input required for this attack is the WPA 4way handshake between AP and
clientandwordlistcontainingcommonpassphrase.

PMK(pairwisemasterkey):allkeyderivedfrom it.ItsgeneratedbothinAPandclient

Itslongrandomvaluesentasachallengeforclient

PTKaredynamickeyforeachsession.Thatwhat WPAisbetterthanWEP.MICvalueareintegrity valuethatidentifieslegaluser.MICcheckpass thetesttheAPorderthesupplicanttoinstallthe key

ThehackingofWPAPSKisdonebyimplementingDictionaryattack:

Stepsforthehackingasfollows Step1:snifftheairforpackets

Step2:CaptureandsavethedesiredAPsniffedtraffic

step3: lets connect new client and capture the 4way WPA handshake packets or send deauth packet to force clienttoreconnect Step4:airodumpngwillshowthehandshakeandwelaunchtocapturethepacketinwireshark.Concentrateon EAPOLpackets.Itcapturesauthentication,4wayhandshakepacketthatenableustocrackit.

Step5:Wepreparethedictionarywithcommonpassphrasepasstoaircrackng

AndfinallywearedonewithcrackingWPAPSKwirelessnetwork. Reference: 1. IEEE802.11i 2. IEEEstd802.112007 3. LectureSlide 4. Webmaterials