1 / 45

WLAN Security: Cracking WEP/WPA

Wireless LANs 2011. WLAN Security: Cracking WEP/WPA. รศ. ดร . อนันต์ ผลเพิ่ม Assoc. Prof. Anan Phonphoem, Ph.D. anan.p@ku.ac.th http://www.cpe.ku.ac.th/~anan Computer Engineering Department Kasetsart University, Bangkok, Thailand. Secret Key (40-bit or 128-bit). IV. Initialization

verne
Download Presentation

WLAN Security: Cracking WEP/WPA

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Wireless LANs2011 WLAN Security:Cracking WEP/WPA รศ. ดร. อนันต์ผลเพิ่ม Assoc. Prof. Anan Phonphoem, Ph.D. anan.p@ku.ac.th http://www.cpe.ku.ac.th/~anan Computer Engineering Department Kasetsart University, Bangkok, Thailand

  2. Secret Key (40-bit or 128-bit) IV Initialization Vector (IV) Pseudo-Random Number Generator RC-4 Key Sequence Cipher Text Bitwise XOR Plain Text + Integrity Algorithm (CRC-32) Integrity Check Value (ICV) WEP Block Diagram Secret Key (40-bit or 128-bit) IV WEPFrame Pseudo-Random Number Generator Key Sequence Plain Text Bitwise XOR Cipher Text Encryption Block Decryption Block Integrity Check Value (ICV) Integrity Algorithm Sender Site Receiver Site

  3. Secret Key (40-bit or 128-bit) IV Initialization Vector (IV) Pseudo-Random Number Generator RC-4 Key Sequence Cipher Text Bitwise XOR Plain Text + Integrity Algorithm (CRC-32) Integrity Check Value (ICV) WEP – Encoding

  4. Clear Text Clear Text Encrypted 4 bytes 4 bytes WEP Frame Frame Header IV Header Frame Body ICV Trailer FCS

  5. WEP – Decryption Secret Key (40-bit or 128-bit) IV Pseudo-Random Number Generator Key Sequence Plain Text Bitwise XOR Cipher Text Integrity Check Value (ICV) Integrity Algorithm

  6. Cracking WEP

  7. Cracking Steps • Reconnaissance (Collect target info.) [kismet] • Run promiscuous mode [iwconfig, airmon] • Collect data [airodump] • Crack key [aircrack]

  8. Default SSIDs

  9. 1) Reconnaissance (Collect target info.)

  10. Kismet (Reconnaissance)

  11. Kismet (AP Info.)

  12. Kismet (Client Info.)

  13. 2) Run promiscuous mode

  14. 3 4 1 2 Regular Behavior Station 1 transmits to all (broadcast)

  15. 3 4 1 2 Intention to Eavesdrop Promiscuous mode Station 1 transmits to station 4

  16. iwconfig

  17. iwlist

  18. Promiscuous Mode Setup • By using iwconfig

  19. Promiscuous Mode Setup • By using airmon-ng

  20. Promiscuous Mode Setup

  21. 3) Collect data

  22. airodump From Kismet

  23. Airodump problem root@APMoose:~/toulouse# airodump-ng mon0 ioctl(SIOCSIFFLAGS) failed: Operation not possible due to RF-kill /dev/rfkill is “Linux ‘s Subsystem kernel for controlling radio transmisster (activated/deactivated)” anan@APMoose:~$ rfkill list 0: phy0: Wireless LAN Soft blocked: no  software can reactivate Hard blocked: no  software cannot reactivate 1: acer-wireless: Wireless LAN Soft blocked: no Hard blocked: no 2: acer-bluetooth: Bluetooth Soft blocked: no Hard blocked: no 4: hci0: Bluetooth Soft blocked: no Hard blocked: no Solve by: root@APMoose:~/toulouse# rfkill unblock all

  24. airodump

  25. airodump data files

  26. 4) Crack Key

  27. aircrack • For non-encryption

  28. aircrack

  29. WEP Cracking Demo

  30. Cracking WPA

  31. Cracking Steps • Start the wireless interface in monitor mode on the specific AP channel • Start airodump-ng on AP channel with filter for bssid to collect authentication handshake • Use aireplay-ng to deauthenticate the wireless client • Run aircrack-ng to crack the pre-shared key using the authentication handshake http://www.aircrack-ng.org/doku.php?id=cracking_wpa

  32. 1) Start Monitoring Mode

  33. Check interface

  34. iwconfig

  35. Start monitoring mode

  36. 2) Start airodump-ngcollect authentication handshake

  37. Start airodump-ng Moose# airodump-ng-c 6 --bssid 00:1E:F7:xx:xx:xx -w pskmon0

  38. Start airodump-ng less parameter Moose# airodump-ng-w pskmon0

  39. 3) Deauthenticate client

  40. aireplay Moose# aireplay-ng-01-a 00:12:01:xx:xx:xx-c 00:23:11:xx:xx:xx mon0

  41. 4) Crack

  42. Need a dictionary Moose# aircrack-ng –b 00:12:01:xx:xx:xx -psk*.cap

  43. With dictionary Moose# aircrack-ng-w password.lst -psk*.cap

  44. Handshake found http://www.aircrack-ng.org/doku.php?id=cracking_wpa

  45. Successfully Crack http://www.aircrack-ng.org/doku.php?id=cracking_wpa

More Related