Chapter 8 Wireless Hacking Last modified 4-21-14.

Session Establishment

Infrastructure v. Ad Hoc
Infrastructure
– Uses an access point
– Most common mode
Ad Hoc
– Devices connect peer-to-peer
– Like an Ethernet crossover cable

Probes
The client sends a probe request for the SSID (Service Set Identifier) it is looking for
It repeats this request on every channel, looking for a probe response
After the response, the client sends an authentication request

Authentication
If the system uses open authentication, the AP accepts any connection
The alternate system, shared-key authentication, is almost never used
– Used only with WEP
WPA security mechanisms have no effect on authentication; they take effect later

Association
The client sends an association request
The AP sends an association response

Security Mechanisms

Basic Security Mechanisms
MAC filtering
"Hidden" networks
– Omit SSID from beacons
– Microsoft recommends announcing your SSID
– Because Vista and later versions of Windows look for beacons before connecting
– This makes Vista more secure, because it is not continuously sending out probe requests, inviting AP impersonation attacks

Responding to Broadcast Probe Requests
Clients can send broadcast probe requests
– These do not specify an SSID
APs can be configured to ignore them

WPA v. WPA2
802.11i specifies encryption standards
WPA implements only part of 802.11i
– TKIP (Temporal Key Integrity Protocol)
WPA2 implements both
– TKIP
– AES (Advanced Encryption Standard)

PSK v. 802.1x
WPA-PSK (Wi-Fi Protected Access Pre-Shared Key)
– Uses a Pre-Shared Key
WPA-Enterprise
– Uses 802.1x and a RADIUS server
– EAP (Extensible Authentication Protocol), which may be one of EAP-TTLS, PEAP, or EAP-FAST

Four-Way Handshake
Both WPA-PSK and WPA Enterprise use the four-way handshake
– Pairwise transient key: used for unicast communication
– Group temporal key: used for multicast and broadcast communication

Three Encryption Options
WEP (Wired Equivalent Privacy)
– Uses RC4
– Flawed & easily exploited
TKIP
– A quick replacement for WEP
– Runs on old hardware
– Still uses RC4
– No major vulnerabilities are known
AES-CCMP (Advanced Encryption Standard with Cipher Block Chaining Message Authentication Code Protocol)
– Most secure, recommended

Equipment

Chipset
The manufacturer's chipset driver limits your control of the wireless NIC
– Most NICs can't be used for wireless hacking
Recommended Network Cards
– Ubiquiti SRC, Atheros chipset, USB
– Alfa AWUS050NH, Ralink RT2770F chipset, USB
– Both support 802.11a/b/g/n and external antennas

Link Ch 8a

Windows v. Linux
Windows
– Wireless NIC drivers are easy to get
– Wireless hacking tools are few and weak, unless you pay for AirPcap devices (link Ch 819) or OmniPeek
Linux
– Wireless NIC drivers are hard to get and install
– Wireless hacking tools are much better

Kali
Includes many drivers already
Can be used from a virtual machine with a USB NIC
For other NIC types, you can't use VMware for wireless hacking
– Install Kali on the bare metal
– Boot from a USB with Kali on it
– Boot from a LiveCD of Kali

OmniPeek
WildPackets now packages AiroPeek & EtherPeek together into OmniPeek
A Windows-based sniffer for wireless and wired LANs
Only supports a few wireless NICs
– See links Ch 801, Ch 802

Antennas
An omnidirectional antenna sends and receives in all directions
Directional antennas focus the waves in one direction
– The Cantenna shown is a directional antenna

Yagi

Panel (or Panel) Antenna
From digdice.com

Link Ch 8b

Global Positioning System (GPS)
Locates you using signals from a set of satellites
Works with war-driving software to create a map of access points

Discovery and Monitoring
Discovery tools use 802.11 management frames
– Probe requests/responses
– Beacons
The source and destination addresses of an 802.11 frame are always unencrypted
– Tools can map associations between clients and APs

Finding Wireless Networks
Active Discovery
– Send out broadcast probe requests
– Record responses
– Misses APs that are configured to ignore them
– NetStumbler does this
Passive Discovery
– Listen on every channel
– Record every AP seen
– Much better technique

NetStumbler Screen

Wardriving

Wardriving
Finding wireless networks with a portable device
– Image from overdrawn.net
CCSF Wardriving

Vistumbler
Link Ch 8j
Google Sniffing
Link Ch 8k

iPhone
The iPhone combines GPS, Wi-Fi, and cell tower location technology to locate you
You can wardrive with an Android phone and Wifiscan

WiGLE
Collects wardriving data from users
Has over 16 million records
– Link Ch 825

Kismet Screenshot
For Kismet, see link Ch 811

Kismet Demo
– Use the Linksys WUSB54G ver 4 NICs
– Boot from the Kali 2 CD
– Start, Kali, Radio Network Analysis, 80211, All, Kismet

WEP Crack with Cain
You need an AirPcap Wi-Fi card

Cain from www.oxid.it/cain.html

Sniffing Wireless Traffic
Easy if traffic is unencrypted
Man-in-the-middle (MITM) attacks are common and easy
May violate wiretap laws
If you can't get your card into "Monitor mode", you'll see higher-level traffic but not 802.11 management frames

Demo: Wireless Sniffing on Mac

De-authentication DoS Attack
Unauthenticated Management Frames
– An attacker can spoof a de-authentication frame that looks like it came from the access point
– aireplay-ng can do this
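
From the defender's side, the attack above is loud: a legitimate AP deauthenticates a few stations per hour, a flood sends dozens of frames per second, often to the broadcast address. The following detection check is an added example, not code from the slides or from any tool they name; the frame records, the AP and client addresses, and the window/threshold values are constructed for the example.

```python
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Reason codes used in the constructed sample below
REASON_STA_LEAVING = 3         # "sending STA is leaving"
REASON_CLASS3_NONASSOC = 7     # "class 3 frame received from nonassociated STA"


def detect_deauth_floods(frames, window_s=10.0, threshold=20):
    """Flag each BSSID that appears as the source of `threshold` or more
    deauthentication/disassociation frames within any `window_s`-second window.

    `frames` is an iterable of dicts with keys t (seconds), subtype, sa, da,
    bssid and reason, as any monitor-mode capture tool can export them.
    """
    alerts = {}
    recent = {}                               # bssid -> deque of (t, da, reason)
    for f in sorted(frames, key=lambda f: f["t"]):
        if f["subtype"] not in ("deauth", "disassoc"):
            continue
        q = recent.setdefault(f["bssid"], deque())
        q.append((f["t"], f["da"], f["reason"]))
        while f["t"] - q[0][0] > window_s:    # slide the window forward
            q.popleft()
        if len(q) < threshold:
            continue
        a = alerts.setdefault(f["bssid"], {
            "first_seen": q[0][0], "peak": 0, "broadcast": False,
            "targets": set(), "reasons": set()})
        a["peak"] = max(a["peak"], len(q))
        a["last_seen"] = f["t"]
        for _, da, reason in q:
            a["broadcast"] = a["broadcast"] or da == BROADCAST
            a["targets"].add(da)
            a["reasons"].add(reason)
    return alerts


# --- Constructed sample (not a real capture) ---------------------------------
AP = "02:11:22:33:44:55"
STA = ["06:77:88:99:aa:%02x" % i for i in range(5)]


def _frame(t, da, reason, sa=AP, subtype="deauth"):
    return {"t": t, "subtype": subtype, "sa": sa, "da": da, "bssid": AP, "reason": reason}


# Normal operation: five clients leaving over a few minutes, a beacon in between
BENIGN = [_frame(60.0 * k, AP, REASON_STA_LEAVING, sa=STA[k]) for k in range(5)]
BENIGN.append({"t": 100.0, "subtype": "beacon", "sa": AP, "da": BROADCAST,
               "bssid": AP, "reason": None})
# Flood: 60 deauths in three seconds, "from" the AP to everyone, reason code 7
FLOOD = [_frame(500.0 + 0.05 * k, BROADCAST, REASON_CLASS3_NONASSOC) for k in range(60)]

if __name__ == "__main__":
    print(detect_deauth_floods(BENIGN))            # {}
    print(detect_deauth_floods(BENIGN + FLOOD))    # one alert for AP, peak 60
```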

Rogue AP Suppression

Identifying Wireless Network Defenses

SSID
The SSID can be found from any of these frames
– Beacons: sent continually by the access point (unless disabled)
– Probe Requests: sent by client systems wishing to connect
– Probe Responses: response to a Probe Request
– Association and Reassociation Requests: made by the client when joining or rejoining the network
If SSID broadcasting is off, just send a deauthentication frame to force a reassociation
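
To see why "hidden" networks are not hidden, here is a small 802.11 management-frame parser, added as an example and not part of the slides. It reads the SSID element from the four frame types listed above, treats a zero-length or NUL-padded SSID in a beacon as hidden, and shows that a client's probe or association request discloses the name the beacon withheld. The frames, addresses and the SSID "CCSF-Lab" are hand-built for the example.

```python
import struct

# 802.11 management frame header: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
MGMT_HDR_LEN = 24
SUBTYPE = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req", 5: "probe-resp",
           8: "beacon", 11: "auth", 12: "deauth"}
# Bytes of fixed fields that sit between the header and the tagged parameters
FIXED_BODY_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}
TAG_SSID = 0
BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def iter_ies(body: bytes):
    """Yield (tag, value) pairs; stop at a truncated element instead of reading past the end."""
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break
        yield tag, value
        i += 2 + length


def parse_mgmt_frame(frame: bytes) -> dict:
    """Decode the addresses and, for subtypes that carry one, the SSID element."""
    if len(frame) < MGMT_HDR_LEN:
        raise ValueError("frame shorter than a management header")
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        raise ValueError("not a management frame (type != 0)")
    subtype = fc0 >> 4
    info = {
        "subtype": SUBTYPE.get(subtype, f"subtype-{subtype}"),
        "da": mac_str(frame[4:10]),
        "sa": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "ssid": None,
        "hidden": False,     # beacon/probe response with the SSID element blanked out
        "wildcard": False,   # broadcast probe request that names no SSID
    }
    if subtype not in FIXED_BODY_LEN:
        return info
    body = frame[MGMT_HDR_LEN + FIXED_BODY_LEN[subtype]:]
    for tag, value in iter_ies(body):
        if tag != TAG_SSID:
            continue
        if len(value) == 0 or not any(value):    # empty, or padded with NUL bytes
            if subtype == 4:
                info["wildcard"] = True
            else:
                info["hidden"] = True
        else:
            info["ssid"] = value.decode("utf-8", errors="replace")
        break
    return info


def disclosed_ssids(frames) -> dict:
    """Map each BSSID to every SSID that any frame in the capture disclosed for it."""
    found = {}
    for frame in frames:
        info = parse_mgmt_frame(frame)
        if info["ssid"] is not None:
            found.setdefault(info["bssid"], set()).add(info["ssid"])
    return found


# --- Constructed sample frames (hand-built for this example, not a real capture) ---
def build_mgmt_frame(subtype, da, sa, bssid, fixed, ies) -> bytes:
    fc = bytes([subtype << 4, 0])                 # protocol version 0, type 0 (management)
    header = fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00"
    body = fixed + b"".join(bytes([tag, len(val)]) + val for tag, val in ies)
    return header + body


AP = bytes.fromhex("021122334455")                # constructed AP address
CLIENT = bytes.fromhex("06778899aabb")            # constructed client address
BEACON_FIXED = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)   # timestamp, interval, capability

# Beacon from a "hidden" network: the SSID element is present but zero-length ...
HIDDEN_BEACON = build_mgmt_frame(8, BROADCAST, AP, AP, BEACON_FIXED, [(TAG_SSID, b"")])
# ... or padded with NUL bytes to the real length, as some APs do
HIDDEN_BEACON_NULS = build_mgmt_frame(8, BROADCAST, AP, AP, BEACON_FIXED, [(TAG_SSID, b"\x00" * 8)])
# Directed probe request from a client that already knows the name
PROBE_REQ = build_mgmt_frame(4, AP, CLIENT, AP, b"", [(TAG_SSID, b"CCSF-Lab")])
# Association request sent when (re)joining: the SSID element is mandatory here
ASSOC_REQ = build_mgmt_frame(0, AP, CLIENT, AP, struct.pack("<HH", 0x0411, 10), [(TAG_SSID, b"CCSF-Lab")])

if __name__ == "__main__":
    for f in (HIDDEN_BEACON, HIDDEN_BEACON_NULS, PROBE_REQ, ASSOC_REQ):
        print(parse_mgmt_frame(f))
    print(disclosed_ssids([HIDDEN_BEACON, HIDDEN_BEACON_NULS, PROBE_REQ, ASSOC_REQ]))
```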

MAC Access Control
CCSF used this technique for years
Each MAC must be entered into the list of approved addresses
High administrative effort, low security
Attacker can just sniff MACs from clients and spoof them

Gaining Access (Hacking 802.11)

Specifying the SSID
In Windows, just select it from the available wireless networks
– In Vista, right-click the network icon in the taskbar tray and click "Connect to a Network"
– If the SSID is hidden, click "Set up a connection or network" and then click "Manually connect to a wireless network"

Changing your MAC
Bwmachak changes a NIC under Windows for Orinoco cards
SMAC is easy
– link Ch 812

Device Manager
Many Wi-Fi cards allow you to change the MAC in Windows' Device Manager

HotSpotter
Hotspotter: like SSLstrip, it silently replaces a secure WiFi connection with an insecure one
Less effective since Windows XP SP2, because Windows machines no longer probe for known networks as much
– Link Ch 8e

Attacks Against the WEP Algorithm
Brute-force keyspace: takes weeks even for 40-bit keys
Collect Initialization Vectors, which are sent in the clear, and correlate them with the first encrypted byte
– This makes the brute-force process much faster

Tools that Exploit WEP Weaknesses
AirSnort
WLAN-Tools
DWEPCrack
WEPAttack
– Cracks using the weak IV flaw
Best countermeasure: use WPA

WPA
WPA is strong
No major weaknesses
However, if you use a weak Pre-Shared Key, it can be found with a dictionary attack
But
– The PSK is hashed 4096 times, can be up to 63 characters long, and includes the SSID
Tools: Airodump-ng, coWPAtty, rainbow tables
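
The "hashed 4096 times and includes the SSID" point is PBKDF2-HMAC-SHA1 with the SSID as salt. The derivation below is an added example, not code from the slides; it builds the two SHA-1 blocks by hand so the iteration count and the salt are visible, and checks against the IEEE 802.11 published test vector (passphrase "password", SSID "IEEE"). The function and helper names are this example's own.

```python
import hashlib
import hmac


def _pbkdf2_sha1_block(passphrase: bytes, ssid: bytes, iterations: int, index: int) -> bytes:
    """One output block of PBKDF2-HMAC-SHA1 (RFC 2898 function F).

    U1 = HMAC(passphrase, ssid || INT(index)), Uj = HMAC(passphrase, U(j-1)),
    block = U1 xor U2 xor ... xor U(iterations).  The chain is what makes each
    guess cost `iterations` HMACs; the SSID in the salt is what makes the
    result, and therefore any precomputed table, specific to one network.
    """
    u = hmac.new(passphrase, ssid + index.to_bytes(4, "big"), hashlib.sha1).digest()
    acc = bytearray(u)
    for _ in range(iterations - 1):
        u = hmac.new(passphrase, u, hashlib.sha1).digest()
        for i, byte in enumerate(u):
            acc[i] ^= byte
    return bytes(acc)


def wpa_psk(passphrase: str, ssid: str, iterations: int = 4096) -> bytes:
    """Derive the 256-bit WPA/WPA2 PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 ASCII characters")
    p, s = passphrase.encode("ascii"), ssid.encode("utf-8")
    # SHA-1 gives 20 bytes per block, so 32 bytes needs two blocks, then truncation
    return (_pbkdf2_sha1_block(p, s, iterations, 1)
            + _pbkdf2_sha1_block(p, s, iterations, 2))[:32]


def same_passphrase_differs_by_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the SSID salt gives two networks different PSKs for one passphrase,
    i.e. a rainbow table built for ssid_a is useless against ssid_b."""
    return wpa_psk(passphrase, ssid_a) != wpa_psk(passphrase, ssid_b)


if __name__ == "__main__":
    # IEEE 802.11 test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk("password", "IEEE").hex())
    print(same_passphrase_differs_by_ssid("password", "linksys", "NETGEAR"))
```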

WPS (Wi-Fi Protected Setup)
Intended to make WPA easier to use
Included in almost all modern Wi-Fi routers
Uses a key with only 10,500 possible values
Subject to a trivial brute-force attack

Cracking WPS
Link Ch 8d

Attacking WPA Enterprise
This means attacking EAP
Techniques depend on the specific EAP type used
– LEAP
– EAP-TTLS and PEAP

Detecting EAP type with Wireshark

Lightweight Extensible Authentication Protocol (LEAP)

What is LEAP?
A proprietary protocol from Cisco Systems developed in 2000 to address the security weaknesses common in WEP
LEAP is an 802.1X schema using a RADIUS server
As of 2004, 46% of IT executives in the enterprise said that they used LEAP in their organizations

The Weakness of LEAP
LEAP is fundamentally weak because it provides zero resistance to offline dictionary attacks
It solely relies on MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) to protect the user credentials used for Wireless LAN authentication

MS-CHAPv2
MS-CHAPv2 is notoriously weak because
– It does not use a SALT in its NT hashes
– Uses a weak 2 byte DES key
– Sends usernames in clear text
Because of this, offline dictionary and brute force attacks can be made much more efficient by a very large (4 gigabytes) database of likely passwords with pre-calculated hashes
– Rainbow tables

Cisco's Defense
LEAP is secure if the passwords are long and complex
– 10 characters long with random upper case, lower case, numeric, and special characters
The vast majority of passwords in most organizations do not meet these stringent requirements
– Can be cracked in a few days or even a few minutes

Asleap
Grabs and decrypts weak LEAP passwords from Cisco wireless access points and corresponding wireless cards
Integrated with Air-Jack to knock authenticated wireless users off targeted wireless networks
– When the user reauthenticates, their password will be sniffed and cracked with Asleap

CloudCracker
Kills PPTP and, apparently, LEAP dead
Link Ch 8f

Microsoft: Don't Use PPTP and MS-CHAP
Microsoft recommends PEAP, L2TP/IPsec, IPSec with IKEv2, or SSTP instead
Link Ch 8g

EAP-TTLS and PEAP

TLS Tunnel
EAP-TTLS and PEAP both use a TLS tunnel to protect a less secure inner authentication protocol
Inner authentication protocols
– MS-CHAPv2
– EAP-GTC (one-time passwords)
– Cleartext

Attacking TLS
No known way to defeat the encryption
But AP impersonation can work
– Trick the target into connecting to the MITM instead of the server
– Misconfigured clients won't validate the identity of the RADIUS server, so it can be spoofed
– FreeRADIUS-WPE does this (link Ch 8h)

Protecting EAP-TTLS and PEAP
Check "Validate the Server Certificate" on all wireless clients
Link Ch 8i
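
The same setting on a Linux/wpa_supplicant client, as an added example that is not from the slides: the first network block has no ca_cert, so the supplicant accepts whatever certificate a RADIUS server presents and the inner MS-CHAPv2 exchange runs against an impostor; the second pins the CA and the expected server name, so the TLS tunnel is never built to a spoofed server. The SSID, identity, password, CA path and domain are placeholders.

```conf
# WEAK: server certificate is not validated (equivalent to leaving the
# "Validate the Server Certificate" box unchecked on Windows)
network={
    ssid="Example-Enterprise"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
}

# HARDENED: the RADIUS server must present a certificate chaining to the
# pinned CA and carrying the expected name; anything else aborts the TLS
# handshake before MS-CHAPv2 credentials are ever sent inside the tunnel
network={
    ssid="Example-Enterprise"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"
    anonymous_identity="anonymous@example.com"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
```

Pinning a dedicated CA for the RADIUS server (rather than the whole public CA bundle) is what actually stops impersonation, since a public CA will happily issue a certificate for a name the attacker controls.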