Hacking Wireless Networks by Mandeep Singh Jadon


Transcript of Hacking Wireless Networks by Mandeep Singh Jadon

Page 1: Hacking Wireless Networks by Mandeep Singh Jadon

HACKING WIRELESS NETWORKS

THE IN-DEPTH STORY OF WHAT WE ARE HACKING

BY : MANDEEP SINGH JADON

(InfoSec enthusiast)

Page 2: Hacking Wireless Networks by Mandeep Singh Jadon

WHO AM I ?

Mandeep Singh Jadon

Unfortunate things about me:

Doing a unique thing called “BTECH”

From UPTU

Fortunate things about me

I troll

Founder at Ultimate 1337 trolls (https://www.facebook.com/1337trolls/)

Am into the Infosec field

Part time bug bounty hunter

Eager to learn new stuff

I am passionate about singing

I am a Facebook Addict

Page 3: Hacking Wireless Networks by Mandeep Singh Jadon

What this session will cover

What is WLAN.

Basic terminologies.

Wireless sniffing

Details of WLAN from a networking perspective

Security measures like SSID hiding and MAC filters

Bypassing them

WLAN authentication

WEP and WPA in detail

Cracking them

Introduction to the WPS attack

New trends in wireless attacks (Takeaways)

Security tips

And Trolls …. Lot of Trolls ……

Page 4: Hacking Wireless Networks by Mandeep Singh Jadon

What is WLAN ??

A wireless local area network (WLAN) links two or more devices using some wireless distribution method and usually provides a connection through an access point to the wider Internet.

Most modern WLANs are based on IEEE 802.11 standards, marketed under the Wi-Fi brand name.

Page 5: Hacking Wireless Networks by Mandeep Singh Jadon

Terminologies in WLAN

Access Point (AP) - A network device that serves as a communications "hub" for wireless clients (commonly just called the router).

Basic Service Set (BSS) - The set of all stations that can communicate with each other. Every BSS has an identifier called the BSSID, which is the MAC address of the access point serving the BSS.

SSID (Service Set Identifier) - Also known as the "wireless network name", the SSID is a case-sensitive name of up to 32 characters given to a Basic Service Set established by an access point.

Page 6: Hacking Wireless Networks by Mandeep Singh Jadon

Continued …

WEP (Wireless Encryption Protocol) - WEP is a mechanism for authenticating WLAN clients and for encrypting data in 802.11 wireless LANs.

WPA (Wi-Fi Protected Access) – Introduced in 2006 by the Wi-Fi Alliance, WPA employs techniques developed by Cisco and others, namely TKIP and MIC, to generate unique and dynamic keys for WEP's RC4-based encryption.

Beacon frame - One of the management frames in IEEE 802.11 based WLANs. It contains all the information about the network. Beacon frames are transmitted periodically to announce the presence of a wireless LAN; in an infrastructure BSS they are transmitted by the Access Point (AP).

Page 7: Hacking Wireless Networks by Mandeep Singh Jadon

Continued ..

IEEE 802.11 – A set of media access control (MAC) and physical layer (PHY) specifications for implementing wireless local area networks (WLANs).

4-Way Handshake – A cryptographic message exchange between the AP and the client which authenticates the client to connect to the AP.

Page 8: Hacking Wireless Networks by Mandeep Singh Jadon

SO WHY WIRELESS SECURITY????

• Every day we use Wi-Fi for our day-to-day work such as social media, banking, development, research, education and endless other things.

• Sensitive information is literally flowing through the air, inviting hackers to intrude on it.

Page 9: Hacking Wireless Networks by Mandeep Singh Jadon

The awful challenges in wireless !!

You can't see it, so how will you protect it :p

With the arrival of wireless cards, the malicious guy can break into the network from miles away !!! (Passive)

Very difficult to locate the attacker. (Directional antennae)

Page 10: Hacking Wireless Networks by Mandeep Singh Jadon

Wireless Sniffing

Exactly the same as wired sniffing.

"The promiscuous mode"

Listens to all the traffic, whether it is destined for that interface or not.

HOW DO WE DO ???

AIRMON-NG

DEMO !!

Page 11: Hacking Wireless Networks by Mandeep Singh Jadon

The Band and Channel theory

WLANs operate in the following bands:

2.4 GHz (802.11b/g/n)

3.6 GHz (802.11y)

4.9 GHz (802.11y) Public Safety WLAN

5 GHz (802.11a/h/j/n/ac)

Each band is divided into various channels.

AT ANY TIME YOUR WIRELESS INTERFACE CAN BE ON ONLY ONE CHANNEL

Problem ??? Let's hop with airodump-ng

Page 12: Hacking Wireless Networks by Mandeep Singh Jadon

Channel Ranges for the Bands

Page 13: Hacking Wireless Networks by Mandeep Singh Jadon

DEMO TIME

Page 14: Hacking Wireless Networks by Mandeep Singh Jadon

WLAN PACKET TYPES

3 Types

i. Management

ii. Control

iii. Data

Read more:

http://www.wildpackets.com/resources/compendium/wireless_lan/wlan_packet_types

In case you're thirsty: http://standards.ieee.org/about/get/802/802.11.html

Page 15: Hacking Wireless Networks by Mandeep Singh Jadon

Beacon frame

Beacon frame is one of the management frames in IEEE 802.11 based WLANs. It contains all the information about the network. Beacon frames are transmitted periodically to announce the presence of a wireless LAN. Beacon frames are transmitted by the Access Point (AP) in an infrastructure Basic Service Set (BSS). (Wikipedia)

YES . . . . EVERYTHING IS IN PLAINTEXT

Page 16: Hacking Wireless Networks by Mandeep Singh Jadon

Demo time !!

Analysis of Beacon Frames

Injecting arbitrary beacon frames into the network (MDK)

Page 17: Hacking Wireless Networks by Mandeep Singh Jadon

AP AND CLIENT COMMUNICATION

The behind-the-scenes of what's happening.

Courtesy : IEEE docs

Page 18: Hacking Wireless Networks by Mandeep Singh Jadon

Don’t believe until you see ….

Page 19: Hacking Wireless Networks by Mandeep Singh Jadon

Now we HACK !!!!!!!!!

Security measure: Hidden SSID

Blocking SSID broadcast in the beacon frames

But is it a security measure ? ? ?

Really ??

I mean really ?? :p

Let's see a DEMO

Page 20: Hacking Wireless Networks by Mandeep Singh Jadon

Where is the actual problem ?

The "probe request" and "probe response" contain the SSID.

Whenever a legitimate client connects to an AP it has previously connected to, it sends these probe request packets.

Airodump would see these packets and figure out the SSID for us.
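To make the beacon-frame and hidden-SSID pages concrete, here is a small added example (written for this transcript, not code from the slides or from airodump-ng) that parses the plaintext fields of 802.11 management frames: the SSID element and the channel from a beacon, and the same SSID from a client's probe request. The frames are constructed inline from made-up MAC addresses and a made-up network name, so there is no capture to load; what it shows is that "hiding" the SSID only empties the SSID element in the beacon, while the probe request still carries the name in the clear.

```python
import struct

# Management-frame subtypes of interest (frame type 0 = management)
SUBTYPE_NAMES = {4: "probe-request", 5: "probe-response", 8: "beacon"}
IE_SSID = 0        # element ID of the SSID information element
IE_DS_PARAMS = 3   # DS Parameter Set element: carries the channel number


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, addr1, addr2, bssid, ssid, channel=None):
    """Construct a minimal 802.11 management frame (constructed sample data, not a capture)."""
    fc = bytes([subtype << 4, 0x00])                  # type 0 = management, protocol version 0
    header = fc + b"\x00\x00" + addr1 + addr2 + bssid + b"\x00\x00"   # duration, addr1-3, seq ctrl
    body = b""
    if subtype in (5, 8):                             # beacon / probe response fixed fields
        body += struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, beacon interval, capability
    body += bytes([IE_SSID, len(ssid)]) + ssid        # SSID element, always sent in the clear
    body += bytes([1, 1, 0x82])                       # supported rates: 1 Mbit/s (basic)
    if channel is not None:
        body += bytes([IE_DS_PARAMS, 1, channel])
    return header + body


def parse_mgmt_frame(frame):
    """Return the plaintext fields a sniffer sees: subtype, source, BSSID, SSID, channel."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a management header")
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:                         # bits 2-3 of frame control = frame type
        raise ValueError("not a management frame")
    subtype = fc0 >> 4
    info = {
        "subtype": SUBTYPE_NAMES.get(subtype, subtype),
        "sa": mac_str(frame[10:16]),                  # address 2 = transmitter
        "bssid": mac_str(frame[16:22]),               # address 3 = BSSID
        "ssid": None,
        "hidden": False,
        "channel": None,
    }
    body = frame[24:]
    offset = 12 if subtype in (5, 8) else 0           # skip the fixed fields where present
    while offset + 2 <= len(body):                    # walk the tagged (ID, length, data) elements
        ie_id, ie_len = body[offset], body[offset + 1]
        data = body[offset + 2: offset + 2 + ie_len]
        if len(data) < ie_len:                        # truncated element: stop parsing
            break
        if ie_id == IE_SSID:
            # A "hidden" network sends an empty (or all-zero) SSID element in its beacons
            if ie_len == 0 or data == b"\x00" * ie_len:
                info["hidden"] = True
                info["ssid"] = ""
            else:
                info["ssid"] = data.decode("utf-8", "replace")
        elif ie_id == IE_DS_PARAMS and ie_len == 1:
            info["channel"] = data[0]
        offset += 2 + ie_len
    return info


if __name__ == "__main__":
    ap = bytes.fromhex("021122334455")       # constructed AP MAC
    client = bytes.fromhex("02aabbccddee")   # constructed client MAC
    bcast = b"\xff" * 6
    frames = [
        build_mgmt_frame(8, bcast, ap, ap, b"demo-lab", channel=6),      # normal beacon
        build_mgmt_frame(8, bcast, ap, ap, b"", channel=6),              # beacon with hidden SSID
        build_mgmt_frame(4, bcast, client, bcast, b"demo-lab"),          # client probing for it
        build_mgmt_frame(5, client, ap, ap, b"demo-lab", channel=6),     # AP's probe response
    ]
    for f in frames:
        print(parse_mgmt_frame(f))
```

A monitor-mode capture fed through the same parser shows the same thing, which is exactly how airodump-ng fills in the name of a "hidden" network once a client probes for it. The defensive takeaway: SSID hiding changes what the AP advertises, not what the clients say, so it is not an access control.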

ATTACK SCENARIO

a. Non-violence type

b. Violence type

AGAIN DEMO

Page 21: Hacking Wireless Networks by Mandeep Singh Jadon

Security Measure : Mac Filters

In computer networking, MAC filtering (or EUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network. (wiki)

How does it work in wireless ?

Whitelisting the allowed MACs in the AP.

but ……………

Are they really secure ….. Really ?? :p

Page 22: Hacking Wireless Networks by Mandeep Singh Jadon

The problem: a MAC address cannot be changed, but it can be spoofed very easily.

Since the MAC will be the only auth mechanism in the current case, once it is spoofed we can enter the network.

MAC addresses are visible in the WLAN header, so the attacker can easily get a legitimate MAC.

In the wireless world it simply does not make sense :p

TWO ATTACK scenarios

a) Gandhi Attack

b) Bhagat Singh Attack

Page 23: Hacking Wireless Networks by Mandeep Singh Jadon

WLAN AUTHENTICATION

Two types:

i. Open Auth

ii. Shared Auth

OPEN AUTH

No auth at all

A simple 2-packet exchange between the client and the AP

Page 24: Hacking Wireless Networks by Mandeep Singh Jadon

Shared Authentication

Page 25: Hacking Wireless Networks by Mandeep Singh Jadon

WEP ? Why care for it ?

Page 26: Hacking Wireless Networks by Mandeep Singh Jadon

WEP Algorithm !!

1. WEP ENCRYPTION

Two processes are applied to the plaintext data. One encrypts the plaintext; the other protects the data from being modified by unauthorized personnel. The 40-bit secret key is concatenated with a 24-bit Initialization Vector (IV), resulting in a 64-bit total key size.

The PRNG (RC4) outputs a pseudo-random key sequence based on the input key. The resulting sequence is used to encrypt the data by doing a bitwise XOR.

To prevent unauthorized data modification, an integrity algorithm, CRC-32, operates on the plaintext to produce the ICV.

Page 27: Hacking Wireless Networks by Mandeep Singh Jadon

The IV, plaintext, and ICV triplet forms the actual data sent in the data frame.

Page 28: Hacking Wireless Networks by Mandeep Singh Jadon

2. WEP Decryption

The IV of the incoming message is used to generate the key sequence necessary to decrypt the incoming message.

Combining the ciphertext with the proper key sequence gives the original plaintext and ICV.

The decryption is verified by performing the integrity check algorithm on the recovered plaintext and comparing the resulting ICV' to the ICV submitted with the message.

If ICV' is not equal to the ICV, the received message is in error, and an error indication is sent to MAC management and back to the sending station.
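The encryption and decryption steps above, carried out in code. This is an added example written for this transcript, not code from the slides; RC4 and the CRC-32 ICV are implemented by hand and run on a constructed 40-bit key and a constructed IV. The decryption routine applies the page's rule literally: if ICV' differs from the ICV carried in the frame it raises an error instead of returning the plaintext.

```python
import struct
import zlib


def rc4(key, data):
    """RC4 stream cipher (own implementation for illustration): KSA, then PRGA XORed over data."""
    s = list(range(256))
    j = 0
    for i in range(256):                                  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                     # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext, key_id=0):
    """Encrypted frame body: IV | key-id byte | RC4(IV || key, plaintext || ICV)."""
    if len(key) != 5 or len(iv) != 3:
        raise ValueError("WEP-40 needs a 5-byte key and a 3-byte IV")
    seed = iv + key                                       # 24-bit IV + 40-bit key = 64-bit seed
    ciphertext = rc4(seed, plaintext + icv(plaintext))    # plaintext and ICV are encrypted together
    return iv + bytes([(key_id & 0x3) << 6]) + ciphertext


def wep_decrypt(key, body):
    """Recover the plaintext and verify ICV' == ICV; raise if the integrity check fails."""
    iv, ciphertext = body[:3], body[4:]                   # byte 3 is the key-id byte
    recovered = rc4(iv + key, ciphertext)                 # same seed, same key sequence
    plaintext, icv_received = recovered[:-4], recovered[-4:]
    if icv(plaintext) != icv_received:                    # ICV' != ICV: message is in error
        raise ValueError("ICV mismatch: frame corrupted or wrong key")
    return plaintext


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"                         # constructed 40-bit key
    iv = b"\x00\x00\x01"                                  # constructed 24-bit IV
    body = wep_encrypt(key, iv, b"hello wlan")
    print(body.hex())
    print(wep_decrypt(key, body))
```

Two things worth noticing while stepping through it: the key sequence depends only on the 3-byte IV and the static key, so a repeated IV means a repeated key sequence, and CRC-32 is a checksum rather than a keyed MAC, so the ICV detects accidental corruption but is not a cryptographic integrity check. Both are the background to the weak-IV cracking the next page introduces and the reason the safety page says to use WPA2 instead.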

Page 29: Hacking Wireless Networks by Mandeep Singh Jadon

WEP CRACKING

The IVs are not all strong. Some are "weak IVs" (cryptographically). So to crack WEP, collect a large number of these weak IVs (they are not uniformly distributed).

DEMO TIME !!

Page 30: Hacking Wireless Networks by Mandeep Singh Jadon

WPA/WPA2 (The Current Trend)

Page 31: Hacking Wireless Networks by Mandeep Singh Jadon

Prerequisite ….

PBKDF2 (used to generate the PSK each time the supplicant connects to the authenticator)

key = PBKDF2(passphrase, SSID, 4096, 256)

It uses the HMAC algorithm to create a digest of the input.

http://www.ietf.org/rfc/rfc2898.txt :)

Page 32: Hacking Wireless Networks by Mandeep Singh Jadon

Yeah !!!! The 4 way handshake

Page 33: Hacking Wireless Networks by Mandeep Singh Jadon

Don’t believe until you see !!!

Let's see the 4-way handshake through the eyes of Wireshark !!

Page 34: Hacking Wireless Networks by Mandeep Singh Jadon

WPA PSK Cracking

Things we know:

SNONCE

ANONCE

AP MAC

CLIENT MAC

Things we don't know: the damn passphrase

We'll capture the handshake, generate our own PTK and match it with the PTK of the current session. That's it.
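The PBKDF2 prerequisite (page 31) and the "generate our own PTK and match" idea (page 34), written out as one added example. It is not code from the slides or from aircrack-ng: it derives the PSK with hashlib.pbkdf2_hmac exactly as key = PBKDF2(passphrase, SSID, 4096, 256) says, expands it to the PTK with the 802.11i PRF from the four known values (AP MAC, client MAC, ANonce, SNonce), and performs the MIC check an authenticator runs on message 2 of the handshake. The MACs and nonces are constructed; the passphrase/SSID pair "password"/"IEEE" is the published test vector from the 802.11i standard; the EAPOL-Key field offsets follow the standard, but the message-2 frame itself is a constructed minimal one.

```python
import hashlib
import hmac
import struct


def wpa_psk(passphrase, ssid):
    """PSK (= PMK) exactly as on the slide: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label | 0x00 | data | i) blocks, truncated."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """Pairwise Transient Key from the PMK and the four public handshake values.

    The min()/max() ordering means both sides derive the same key whoever sent which nonce.
    Returns the CCMP split: KCK (MIC key), KEK (key-wrap key), TK (data key)."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


# Offset of the 16-byte Key MIC field inside an EAPOL-Key frame:
# 4-byte 802.1X header + descriptor type(1) + key info(2) + key length(2)
# + replay counter(8) + nonce(32) + key IV(16) + RSC(8) + key ID(8)
MIC_OFFSET = 81


def eapol_mic(kck, frame):
    """WPA2 Key MIC: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce, replay_counter=1):
    """Constructed EAPOL-Key message 2 (client -> AP) with an all-zero MIC placeholder."""
    body = (b"\x02"                                      # descriptor type: RSN
            + struct.pack(">H", 0x010a)                  # key info: pairwise, MIC present, v2
            + struct.pack(">H", 16)                      # key length (CCMP)
            + struct.pack(">Q", replay_counter)
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, key IV, RSC, key ID
            + b"\x00" * 16                               # MIC placeholder
            + struct.pack(">H", 0))                      # key data length
    return b"\x01\x03" + struct.pack(">H", len(body)) + body   # 802.1X: version 1, EAPOL-Key


def handshake_mic_matches(passphrase, ssid, ap_mac, client_mac, anonce, snonce, msg2):
    """The check the AP performs on message 2: does its MIC match the key we derive?"""
    ptk = derive_ptk(wpa_psk(passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    expected = eapol_mic(ptk["KCK"], msg2)
    return hmac.compare_digest(expected, msg2[MIC_OFFSET:MIC_OFFSET + 16])


if __name__ == "__main__":
    # Constructed values: MACs and nonces are arbitrary; "password"/"IEEE" is the 802.11i vector
    ap_mac, client_mac = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    ptk = derive_ptk(wpa_psk("password", "IEEE"), ap_mac, client_mac, anonce, snonce)
    msg2 = build_msg2(snonce)
    msg2 = msg2[:MIC_OFFSET] + eapol_mic(ptk["KCK"], msg2) + msg2[MIC_OFFSET + 16:]
    print("PSK   :", wpa_psk("password", "IEEE").hex())
    print("MIC ok:", handshake_mic_matches("password", "IEEE", ap_mac, client_mac, anonce, snonce, msg2))
```

Everything after PBKDF2 is a handful of HMAC calls, which is why the 4096 HMAC-SHA1 rounds are the only cost standing between a captured handshake and a confirmed passphrase guess. The nonces and MACs are public by design; the passphrase length is the one input the network owner controls, which is what makes "WPA2 PSK" on the safety page only as strong as the passphrase behind it.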

Page 35: Hacking Wireless Networks by Mandeep Singh Jadon

DEMO TIME (Cracking WPA/WPA2 PSK)

STEPS:

1. Start up monitor mode.

2. Capture the air.

3. Get the handshake.

4. Use aircrack to run the dictionary attack against the handshake.

Page 36: Hacking Wireless Networks by Mandeep Singh Jadon

IF you are lucky: WPS-enabled AP

WPS stands for Wi-Fi Protected Setup and it is a wireless networking standard that tries to make connections between a router and wireless devices faster and easier. It works only for wireless networks that have WPA Personal or WPA2 Personal security.

How WPS Works

o Every router that supports WPS has an eight-digit device PIN printed on the back. When you try to connect a wireless laptop or wireless printer to your wireless network, it will ask you for that 8-digit PIN.

o The 8 digits are split into 2 sets of 4, so only the first 4 have to be found first. 4 digits have only 10,000 possible combinations. Once the first 4 digits are found, the router proclaims "You've found the first four".

o Short Demo ……

Page 37: Hacking Wireless Networks by Mandeep Singh Jadon

Advanced Attacks … (Takeaways)

The most recent one: PIXIEWPS (https://github.com/wiire/pixiewps).

Evil Twin attack.

Rogue AP attack.

Jamming

Cloud cracking (e.g. using Amazon EC2)

Page 38: Hacking Wireless Networks by Mandeep Singh Jadon

Safety Techniques.

Keep in mind you can be hacked anytime …… :p

Always use WPA2 PSK encryption, accompanied by MAC filtering.

Turn off WPS.

Keep an eye on the network you are currently connected to.

Keep a check on the connected clients.

Periodically change the SSID as well as the key.

Change the default router password.

Laptop physical security should be maintained.

Use a VPN on public Wi-Fi. Disable DHCP if you can. (My personal tip)
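For "keep a check on the connected clients", an added example (not from the slides) that audits a dnsmasq-style DHCP lease file against an inventory of known devices. The inventory, the lease lines and all MAC addresses are constructed for the example; the line format is dnsmasq's (expiry epoch, MAC, IP, hostname, client-id), which is what many home routers expose as their client table.

```python
import re
from collections import defaultdict

# Constructed inventory of the devices allowed on the network: MAC -> expected hostname
KNOWN_DEVICES = {
    "02:11:22:33:44:aa": "laptop-mandeep",
    "02:11:22:33:44:bb": "android-phone",
    "02:11:22:33:44:cc": "printer",
}

# Constructed sample in dnsmasq.leases format:
# "<expiry-epoch> <mac> <ip> <hostname> <client-id>"
SAMPLE_LEASES = """\
1700000000 02:11:22:33:44:aa 192.168.1.10 laptop-mandeep 01:02:11:22:33:44:aa
1700000100 02:11:22:33:44:bb 192.168.1.11 android-phone *
1700000200 02:11:22:33:44:cc 192.168.1.12 kali *
1700000300 02:de:ad:be:ef:01 192.168.1.13 unknown-box *
1700000400 02:de:ad:be:ef:01 192.168.1.14 unknown-box *
"""

LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)\s+(\S+)$", re.IGNORECASE)


def parse_leases(text):
    """Parse dnsmasq lease lines; malformed lines are skipped rather than trusted."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            leases.append({"expires": int(m.group(1)), "mac": m.group(2).lower(),
                           "ip": m.group(3), "hostname": m.group(4)})
    return leases


def audit_clients(leases, known=KNOWN_DEVICES):
    """Return (kind, mac, detail) findings: unknown MACs, renamed known MACs, one MAC on many IPs."""
    findings = []
    for lease in leases:
        expected = known.get(lease["mac"])
        if expected is None:
            findings.append(("unknown-mac", lease["mac"], f"{lease['ip']} ({lease['hostname']})"))
        elif lease["hostname"] != expected:
            findings.append(("hostname-changed", lease["mac"], f"{expected} -> {lease['hostname']}"))
    # One MAC holding several leases at once is also worth a look
    ips_by_mac = defaultdict(set)
    for lease in leases:
        ips_by_mac[lease["mac"]].add(lease["ip"])
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(("multiple-ips", mac, ", ".join(sorted(ips))))
    return findings


if __name__ == "__main__":
    for kind, mac, detail in audit_clients(parse_leases(SAMPLE_LEASES)):
        print(f"{kind:17} {mac}  {detail}")
```

This flags strangers and a known MAC that suddenly shows up under a new hostname, which is the kind of sign the MAC-filter pages say to expect. It is a check, not a control: a spoofed MAC that also copies the hostname passes silently, so the list is worth reviewing alongside the router's own client table rather than trusted on its own.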

Page 39: Hacking Wireless Networks by Mandeep Singh Jadon

Acknowledgements .

standards.ieee.org

www.securitytube.net

Wikipedia.org

Page 40: Hacking Wireless Networks by Mandeep Singh Jadon

Ways to reach me

https://www.facebook.com/mandeep.jadon.5

https://twitter.com/1337tr0lls

https://www.linkedin.com/in/mandeepjadon

https://github.com/mandeepjadon (I do a bit coding too )

Feedback is always a motivational force

Page 41: Hacking Wireless Networks by Mandeep Singh Jadon

THANKS