Learn how to crack WPA/WPA2 in the cloud with a tailored architecture, wordlist generator, and distributed password list creator. Get insights on automation tools and PMK generation for effective wireless penetration testing.
Cracking WPA/WPA2 in the Cloud
Vivek Ramachandran, Founder, SecurityTube.net

Shameless Self Promotion
• B.Tech, ECE, IIT Guwahati
• Caffe Latte Attack, Toorcon 9
• WEP Cloaking, Defcon 19
• 802.1x, Cat65k, Cisco Systems
• Media Coverage: CBS5, BBC
• Trainer, 2011
• Wi-Fi Malware, 2011
• Microsoft Security Shootout
Backtrack 5 Wireless Penetration Testing http://www.amazon.com/BackTrack-Wireless-Penetration-Testing-Beginners/dp/1849515581/
SecurityTube.net Training Students in 75+ Countries
Agenda
• WPA/WPA2 Cracking
• Using Cloud Services
• Architecture
• Infrastructure vs Platform as a Service
• Automation Tool
WPA-Personal – Passphrase Based
• Passphrase (8-63 characters) -> PBKDF2 -> 256-bit Pre-Shared Key

Eavesdropping the 4 Way Handshake
• Supplicant and Authenticator both hold the 256-bit Pre-Shared Key
• Probe Request/Response, Authentication Request/Response, Association Request/Response
• Message 1: Authenticator sends ANonce; Supplicant generates SNonce and derives the PTK
• Message 2: Supplicant sends SNonce + MIC; Authenticator derives the PTK
• Message 3: Key Installation
• Message 4: Key Install Acknowledgement; key installed on both sides

WPA-PSK Dictionary Attack
• Dictionary supplies candidate Passphrase (8-63 characters)
• PBKDF2(Passphrase, SSID) -> candidate 256-bit Pre-Shared Key
• PSK + ANonce + SNonce + AP MAC + Client MAC -> PTK
• Verify each candidate by checking the MIC from the captured 4 Way Handshake
PBKDF2
• Password Based Key Derivation Function
• RFC 2898
• PBKDF2(Passphrase, SSID, ssidLen, 4096, 256)
• 4096 – Number of times the passphrase is hashed
• 256 – Intended Key Length of PSK (bits)
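The derivation above, as an added illustration that is not part of the original deck or the Chigu tool: it computes the PMK with the parameters stated on the slide, checks it against the published IEEE 802.11i test vector, and shows that the SSID acts as the salt, which is why a precomputed PMK table is bound to one SSID.

```python
import hashlib

# WPA/WPA2-Personal: PMK (the 256-bit PSK) = PBKDF2-HMAC-SHA1(passphrase,
# salt=SSID, 4096 iterations, 32 bytes), per IEEE 802.11i and RFC 2898.
PBKDF2_ITERATIONS = 4096
PMK_LEN_BYTES = 32  # 256 bits

# Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
IEEE_VECTOR_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK for a passphrase/SSID pair.

    The passphrase must be 8-63 ASCII characters; the SSID bytes are the
    PBKDF2 salt, so the same passphrase yields a different PMK per SSID.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=PMK_LEN_BYTES,
    )


def pmk_table_reusable(ssid_a: str, ssid_b: str, passphrase: str) -> bool:
    """True only if a PMK precomputed for ssid_a would also match ssid_b.

    Illustrates the deck's point that stored PMKs apply to a given SSID and
    wordlist combination only: a network using an uncommon SSID gets no
    benefit for the attacker from a table built for a common SSID.
    """
    return derive_pmk(passphrase, ssid_a) == derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")
    print("matches IEEE test vector:", pmk.hex() == IEEE_VECTOR_PMK)
    # Same passphrase, different SSID: a different PMK, so no table reuse.
    print("table reusable across SSIDs:", pmk_table_reusable("IEEE", "IEEE2", "password"))
```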
PMK Generator Architecture
• Wordlist Generator + SSID List -> PMK Generator -> SQL Database (Amazon RDS)

Worker Architecture
• Master -> Amazon SQS (Message Queue) -> Worker-1 … Worker-6

Workflow
• Distributed password list creator
• Password and SSID inserted into Message Queue
• Worker machines create PMK from (Password, SSID) and store in Amazon RDS

Handshake Verification
• Master distributes (PMK, Handshake) pairs via Amazon SQS (Message Queue) to Worker-1 … Worker-6
Benchmark
• 1000 PMKs created / Second / Instance
• 130,000 PMK Verifications / Second / Instance
• 100 Worker Instances were run

Costs Involved – PMK Creation
• Total cost of 100 instances / hour - $6
• Total PMK Creation - 360 million / hour
• Cost of startup amortized
• PMKs stored for future use for a given SSID – Wordlist combination

Costs Involved – PMK Verification
• Total cost of 100 instances / hour - $6
• Total PMK Verifications - 45 Billion / hour
• Cost of startup amortized
• Permutation based WordList only to be generated once
Architecture
• (PMK, Handshake) -> Resident Instance -> Task-1 … Task-6, with POST based Data Passing

Chigu - Amazon EC2
• Automatically setup multiple machines on EC2 with pre-created AMI
• Bring up master, upload “job”
• Job consists of the following:
  • Wordlist Creation
  • PMK generation
  • Handshake verification

Chigu Public Release
• Beta release available now
• Testers please email vivek@securitytube.net
• Version 1 to be released March 15th 2014
• Custom AMI for Amazon and Controller
• Google Appengine Application and Controller
• http://Chigu.SecurityTube.net

WPA-Enterprise
• Parties: Supplicant, Authenticator, Authentication Server
• Association
• EAPoL Start (Supplicant -> Authenticator)
• EAP Request Identity (Authenticator -> Supplicant)
• EAP Response Identity (Supplicant -> Authenticator -> Authentication Server)
• EAP Packets exchanged between Supplicant and Authentication Server via the Authenticator
• EAP Success (Authentication Server -> Authenticator -> Supplicant)
• PMK delivered to AP
• 4 Way Handshake
• Data Transfers