802.11 Security: WPA/WPA2 Cracking
Wireless Communications
• Transmission of data without the use of wires
• Few cm to several km
• Modulation of radio waves
  • modulation is the process of varying one or more properties of a periodic waveform
  • with a modulating signal that typically contains information
• Federal Communications Commission (FCC) regulates the use of the radio spectrum
  • 9 kHz to 300 GHz
  • https://en.wikipedia.org/wiki/Radio_spectrum
• Parts of the radio spectrum are allocated for different applications
  • Some parts are sold or licensed to operators
  • Some parts are free
Advantages & Disadvantages
Advantages:
• Makes communication possible where cables don't reach
• Convenience
Disadvantages:
• The air medium is open to everyone
• The boundaries of a transmission cannot be confined
WiFi
• Commercial name of the protocol IEEE 802.11
• It is one of the most ubiquitous wireless networks
  • Home networks
  • Enterprise networks
• Communication is based on frames
  • Essentially a sequence of bits
  • 802.11 defines the meaning
  • Vendors implement the protocol
• 2.4 GHz Industrial Scientific Medical (ISM) and 5 GHz
• Range depends on transmission power, antenna type, the country, and the environment
  • Typical 100 ft
Channels
• The equipment can be set in only one channel at a time
• Each country has its own rules
  • Allowed bandwidth
  • Allowed power levels
• Stronger signal is preferred
Modes of Operation
• Master
  • Acts as an AP
• Managed
  • Acts as a client, the default mode
• Ad Hoc
  • No AP, direct communication, no multi-hop
• Mesh
  • No AP, direct communication, multi-hop
• Repeater
  • Repeats incoming signals
• Promiscuous
  • Monitor all traffic of a network, requires association
• Monitor
  • Monitor all traffic, no association required
Deployment Architectures
• Infrastructure
• P2P/Ad-hoc
Frame Types
• Management
  • Initialization, maintenance and finalization
• Control
  • Management of the data exchange
• Data
  • Encapsulation of information
• http://www.willhackforsushi.com/papers/80211_Pocket_Reference_Guide.pdf
Introduction
Beaconing
• The APs advertise their presence
  • Once every 100 ms
  • They transmit a message of type Beacon
• It contains the name of the network (SSID)
• Capabilities
802.11 Security Modes: Open Access
• Open Access
  • No protection (whitelists)
802.11 Security Modes: WEP
• Based on RC4 encryption
• Broken
802.11 Security Modes: WPA/WPA2
• Based on AES
• Much more secure
• Current standard
States of a Client
WPA2
Key Hierarchy
WPA/WPA2 Four Way Handshake

Client                                   AP
Passphrase                               Passphrase
Compute PSK                              Compute PSK
Compute PMK (= PSK)                      Compute PMK (= PSK)
Computation of PSK
• Passphrase is a secret "phrase" you choose during the AP configuration
  • 8-63 characters long
• It is also the secret you insert in your device when you connect to a network
• SSID is the name of the network
• PBKDF2 hashes the 3 components 4096 times
  • Heavy computation

PBKDF2(Passphrase, SSID, SSID length) -> PSK
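The PSK derivation the slide above describes, as an added example that is not part of the original deck: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output. It checks against the IEEE 802.11 standard's published test vector ("password" / "IEEE") and shows why the SSID salt and the iteration count matter to a defender choosing a passphrase.

```python
import hashlib

# Added example (not from the slides): WPA/WPA2-Personal PSK derivation as the
# "Computation of PSK" slide describes it: PBKDF2 over the passphrase, salted
# with the SSID (the SSID length is the length of that salt), 4096 iterations
# of HMAC-SHA1, yielding a 256-bit PSK that is used directly as the PMK.
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32  # bytes (256 bits)

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PSK (= PMK) for a passphrase/SSID pair."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters long")
    if not 0 < len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1-32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PSK_LEN)

def hmac_sha1_ops_per_guess() -> int:
    """HMAC-SHA1 invocations needed to test one candidate passphrase: a 256-bit
    output needs two 160-bit PBKDF2 blocks, each a chain of 4096 HMACs."""
    blocks = -(-PSK_LEN // 20)  # ceil(32 / 20) == 2
    return blocks * PBKDF2_ITERATIONS

if __name__ == "__main__":
    # The IEEE 802.11 standard's published PSK test vector: "password" / "IEEE"
    print("PSK:", derive_psk("password", "IEEE").hex())
    # The SSID acts as a salt: the same passphrase on another SSID gives an
    # unrelated PSK, so a precomputed table only ever covers one network name.
    print("Same passphrase, SSID 'IEEE2':", derive_psk("password", "IEEE2").hex())
    print("HMAC-SHA1 operations per guess:", hmac_sha1_ops_per_guess())
```

The 4096-round PBKDF2 step is the only part of the handshake that depends on the passphrase, so its cost per guess, multiplied by the size of the passphrase space, is what actually protects a WPA2-Personal network.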
WPA/WPA2 Four Way Handshake (continued)

Client                                   AP
Passphrase                               Passphrase
Compute PSK                              Compute PSK
Compute PMK (= PSK)                      Compute PMK (= PSK)
              <----------- Nonce_A -----------
Compute PTK
Computation of PTK
• PMK is derived from the passphrase
• Nonce_A is a random number chosen by the AP and received through the first message
• Nonce_C is a random number chosen by the client
• MAC_A is the hardware address of the AP
• MAC_C is the hardware address of the client

PTK = f(PMK, Nonce_A, Nonce_C, MAC_A, MAC_C)
WPA/WPA2 Four Way Handshake (complete)

Client                                   AP
Passphrase                               Passphrase
Compute PSK                              Compute PSK
Compute PMK (= PSK)                      Compute PMK (= PSK)
              <----------- Nonce_A -----------
Compute PTK
              -------- Nonce_C + MIC -------->
                                         Verify MIC, authenticate client
              <---- Key installation + MIC ----
Verify MIC, authenticate AP
              ------ Key installed + MIC ----->
Cracking WPA/WPA2
• If a hacker is present at a 4-way handshake, he observes
  • Nonce_A
  • Nonce_C
  • MAC_A
  • MAC_C
  • BUT NOT the PMK
• He must compute the PMK
• To compute the PMK (= PSK) he knows
  • SSID
  • SSID length
  • BUT NOT the passphrase
• What can he do???
Cracking WPA/WPA2
• Create a dictionary of possible passphrases
  • http://www.aircrack-ng.org/doku.php?id=faq#where_can_i_find_good_wordlists
• Choose a passphrase
• Create the PMK
• Use the PMK to produce the PTK
• Use this key to generate the MIC of message 3
• If the MICs match, the correct passphrase was used
• If not… repeat
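The PTK derivation from the "Computation of PTK" slide and the MIC check that both the handshake's "Verify MIC" steps and the "if the MICs match" test above depend on, as an added example that is not part of the original deck. It assumes WPA2/CCMP (MIC = HMAC-SHA1 truncated to 16 bytes), uses the 802.11i PRF-512 with the "Pairwise key expansion" label, and builds a stripped-down message 3 from constructed sample bytes, not a real capture.

```python
import hashlib
import hmac

# Added example (not from the slides): PTK derivation from the inputs listed on
# the "Computation of PTK" slide (PMK, Nonce_A, Nonce_C, MAC_A, MAC_C) via the
# 802.11i PRF-512, plus the MIC check behind the handshake's "Verify MIC" steps
# and the "if the MICs match" test of the cracking procedure (WPA2/CCMP:
# HMAC-SHA1 truncated to 16 bytes). All bytes below are constructed sample data.
MIC_OFFSET, MIC_LEN = 81, 16  # position of the MIC field in an EAPOL-Key frame

def derive_ptk(pmk, mac_a, mac_c, nonce_a, nonce_c):
    """PRF-512(PMK, "Pairwise key expansion", min(MAC)||max(MAC)||min(Nonce)||
    max(Nonce)); the min/max ordering makes the result independent of roles."""
    data = (min(mac_a, mac_c) + max(mac_a, mac_c)
            + min(nonce_a, nonce_c) + max(nonce_a, nonce_c))
    out = b""
    for i in range(4):  # four 160-bit HMAC-SHA1 outputs cover the 512 bits
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]

def split_ptk(ptk):
    """KCK signs the handshake, KEK wraps the group key, TK encrypts data."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def eapol_mic(kck, frame):
    """MIC = HMAC-SHA1(KCK, frame with its MIC field zeroed)[:16]."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]

def verify_mic(kck, frame):
    """Receiver's check: recompute the MIC and compare it in constant time."""
    return hmac.compare_digest(eapol_mic(kck, frame),
                               frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])

def sample_handshake():
    """Constructed message 3 (AP -> client, carries Nonce_A, key data omitted)
    with its MIC filled in from the KCK of the derived PTK."""
    pmk = hashlib.sha256(b"constructed sample PMK").digest()
    mac_a, mac_c = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    nonce_a, nonce_c = bytes([0xA1]) * 32, bytes([0xC2]) * 32
    ptk = derive_ptk(pmk, mac_a, mac_c, nonce_a, nonce_c)
    # EAPOL header | descriptor type | key info 0x13ca | key length | replay
    # counter | nonce | IV + RSC + ID (zero) | MIC placeholder | key data length
    frame = bytearray(b"\x02\x03\x00\x5f\x02\x13\xca\x00\x10" + bytes(7) + b"\x02"
                      + nonce_a + bytes(32) + bytes(MIC_LEN) + b"\x00\x00")
    kck = split_ptk(ptk)["KCK"]
    frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN] = eapol_mic(kck, bytes(frame))
    return pmk, mac_a, mac_c, nonce_a, nonce_c, ptk, bytes(frame)
```

Because the PTK binds both nonces and both MAC addresses, a captured handshake only confirms a candidate PMK for that one exchange; a fresh Nonce_A on the next association yields a different PTK and MIC, and a MIC that fails to verify is exactly what the AP or client sees when the passphrase (and hence the PMK) is wrong.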
Lab Setup
• External card
  • Alfa AWUS036H
  • Provides stronger signal
• AP
  • WNDR3700
  • WNR1000
  • Linksys WRT54GL
• OS
  • Kali Linux on VM
  • Software pen-testing tools
Other Attacks
• Deauthentication Flooding
  • Make everyone lose their connection
• Beacon Flooding
  • Flood a client with fake network names
• Authentication Request Flooding
  • Burden the AP with invalid authentication requests
• Evil Twin
  • Create a network with the same name in which the attacker can see everything
• Crack the key (WEP)