1 MD5 Cracking One way hash. Used in online passwords and file verification.

MD5 Cracking

One way hash. Used in online passwords and file verification.

Let's destroy an MD5 hash

Let's use “steiner”: MD5('steiner') = 7bfd4d773bec1249bb691bbad9d968a8

Input into rcrack: ./rcrack *.rt -h 7bfd4d773bec1249bb691bbad9d968a8

Wait

MD5 hashing

Tables vary greatly in size.

Each added character adds exponential growth.

md5_loweralpha-numeric_1-8: 36.4 GB

General Wireless Vulnerabilities

Invasion and resource stealing

Traffic redirection

Denial of service

Rogue access points

The Wired Equivalent Privacy Protocol

Goals

Confidentiality: prevent casual eavesdropping

Access control: protect access to network infrastructure

Data integrity: prevent tampering with transmitted messages

Logistics

A key is shared between the client and access point

Key length is 40 bits or 104 bits

Keys are static and whenever a key changes, all clients must update

RC4 Stream Cipher

[Diagram: Key -> RC4 Key Setup -> Pseudo Random Number Generator -> Key Stream; Plain Text XOR Key Stream -> Cipher Text]

WEP Implementation of RC4

Checksum of the plain text is computed to provide data integrity

A 24-bit initialization vector (IV) is used to increase the size of the secret key

IV also makes it harder to crack by changing the key stream every time

IV is prepended to the cipher text so that the client can decrypt the message

Encryption Process

[Diagram: IV + Key -> RC4 -> Key Stream; Plain Text -> Integrity Check Algorithm -> ICV; (Plain Text + ICV) XOR Key Stream -> Cipher Text; output is IV + Cipher Text]

Decryption Process

[Diagram: IV (from the received frame) + Key -> RC4 -> Key Stream; Cipher Text XOR Key Stream -> Plain Text + ICV; Plain Text -> Integrity Check Algorithm -> ICV for comparison]
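The encryption and decryption processes from the slides above, as an added Python example that is not part of the original presentation. The key, IV and messages are constructed sample values, and the 802.11 header and key-number byte of a real frame are left out; the last line shows that two frames sent with the same IV and key share one key stream.

```python
import zlib


def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 key stream for the given key."""
    s = list(range(256))
    j = 0
    for i in range(256):  # RC4 key setup
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):  # pseudo-random number generator
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || ((plaintext || ICV) XOR RC4(IV || key)); ICV is CRC-32."""
    data = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + xor(data, rc4(iv + key, len(data)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Take the IV from the frame, rebuild the key stream, verify the ICV."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4(iv + key, len(body)))
    plaintext, received_icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != received_icv:
        raise ValueError("ICV mismatch")
    return plaintext


# Constructed sample values (not from the original slides).
KEY = bytes.fromhex("0102030405")  # 40-bit shared key
IV = bytes.fromhex("a1b2c3")  # 24-bit IV
P1, P2 = b"first message...", b"second message.."
F1, F2 = wep_encrypt(KEY, IV, P1), wep_encrypt(KEY, IV, P2)

print(wep_decrypt(KEY, F1))
# Same IV and key: the key stream cancels, leaving P1 XOR P2.
print(xor(F1[3:19], F2[3:19]) == xor(P1, P2))
```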

WEP Authentication

Client sends message to access point (AP) requesting authentication

AP sends plain text stream to client

Client chooses IV and encrypts plain text stream

Client sends IV and cipher text to AP for verification

WEP Frame

[Diagram: 802.11 Header | IV | Key Number | Payload | ICV]

WEP Flaws and Exploits

Database Attack

Some access points allow traffic to be encrypted or unencrypted

Hacker sends packets to the access point broadcast messages, AP responds with encrypted version

Hacker records key stream and puts it in database for later use

When client gets sent message with IV that is in the database, hacker XORs the two to get the plain text

Key Scheduling Attack

Some IVs are weak and through statistical analysis can reveal information about the key

Active attack involves de-authenticating client repeatedly until enough packets have been received to analyze

Utilizes the fact that several bytes of IP traffic can be easily predicted

Message Injection

Hacker can listen to authentication process and determine a key stream for a particular IV

Using this key stream, hacker can create packets and inject them into the network

WEP allows for IVs to be reused without triggering an alarm

WEP Cracking Tools

Linux Security Distributions

Several live CDs are available that contain all tools necessary to hack WEP

Common applications include:

Aircrack Suite

- wesside-ng
- aireplay-ng
- aircrack-ng

Airsnort

Kismet

How to Protect Against an Attack

Newer Security Protocols

Stop using WEP and use a newer protocol like WPA

Make your password harder to crack by using the maximum number of characters and using random ASCII characters ***(deprecated)***

Authentication

Evil Twin Attack

Hacker can force user off the AP, then use the same SSID to pose as the AP

How do you know who has control of an access point?

Enterprise systems can use a server to authenticate users

Other Suggestions

Wireless IDS

Can monitor network to prevent rogue access points

If attacker attempts to break into wireless LAN, the IDS can triangulate his location

Use end-to-end encryption

VPNs

Demo

Locate target

Do research

Get AP MAC and client MAC

Input into wesside-ng

If necessary, spoof a client's MAC

LAN Manager (LM) Hashes

Used by Microsoft

Windows passwords are stored using this algorithm

Only hashes 7 characters at a time. Makes cracking considerably easier

Let's break my Windows

Get hash

Input into ophcrack

Wait