Post on 15-Dec-2015
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Wireless Security
June 16, 2010
Thomas d’Otreppe de Bouvette, author of Aircrack-ng
Agenda
• WEP
• WPA
• Choose hardware
• Wireless reconnaissance
  – Airgraph-ng
  – GISKismet
WEP
• Still broken but still used
• Sometimes you can’t crack the key
• « What can I do? »
WEP
• Check if you have enough data packets.
  – ~30K are needed for 64 bit with PTW
  – ~80K for 128 bit with PTW
• Switch to KoreK starting from 150-200K packets
  – ~200K for 64 bit with KoreK
  – ~500K for 128 bit with KoreK
• Usually, if you can’t crack, as a rule of thumb, just get more (data) packets
• If you have more than enough and still can’t crack the key, split the capture file and crack the pieces individually
WEP – Split files
• Pcap-util: http://www.badpenguin.co.uk/files/pcap-util
  – Perl script
  – Works on Linux/Windows
WEP – Split files (3)
• Has several options:
  – Split into files of X MB
  – Extract packets that fall within a period of time
  – Extract packets that match a libpcap filter
• Here we just need to split into smaller files:
  – perl pcap-util split large.pcap small 3
WEP – PTW limitations
• Works with 64 and 128 bit keys
• Works in 2 phases:
  – Phase 1: ARP
  – Phase 2: then use all other data packets (some packets are ignored because they are known to be unusable for PTW)
• The list of usable packets can be found at
  – http://aircrack-ng.org/doku.php?id=supported_packets
WEP – WEP Cloaking ™
• « Motorola AirDefense WEP Cloaking™ provides protection for wireless infrastructure secured by legacy encryption protocols. This is an add-on module to Motorola AirDefense Enterprise, the market leading Wireless Intrusion Prevention System. »
• Solution: airdecloak-ng, but sometimes aircrack-ng can crack it directly
WEP – WEP Cloaking ™ (2)
aircrack-ng wep_cloaking_full_speed_dl.pcap -b 00:12:BF:12:32:29 -K -n 64 -d 1F:1F:1F
(-b selects the target BSSID, -K uses the KoreK attacks, -n 64 sets the key length and -d gives the already-known leading key bytes)
WEP – WEP Cloaking ™ (4)
• Not all packets were filtered out but enough to crack the key
WEP – Broken capture file
• Aircrack-ng:
  – Invalid packet capture length 0 - corrupted file?
• Wireshark
WEP – Broken capture file (3)
• Mark the first packet
• Mark the last good packet
• File – Save as …
• Select « first to last marked packet »
• Select an output filename, then save it
• DONE
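Both operations on this and the "Split files" slides (cutting a capture into smaller pcaps, and keeping only the records up to the last good one when aircrack-ng reports "Invalid packet capture length") come down to walking the classic pcap record list. The walker below is an added example, not code from the talk, pcap-util or aircrack-ng; the frames it holds are constructed dummies.

```python
import struct

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1   # magic as read with "<I"

def build_pcap(frames, linktype=105):
    """Serialise frames into a little-endian pcap; 105 = raw IEEE 802.11 frames."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1276600000 + i, 0, len(f), len(f)) + f
    return out

def read_records(data):
    """Yield (record_header, payload) for each well-formed record and stop at the
    first record whose captured length is 0, exceeds the snaplen or runs past the
    end of the file (the condition behind 'Invalid packet capture length')."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (PCAP_MAGIC_LE, PCAP_MAGIC_BE):
        raise ValueError("not a classic pcap file")
    e = "<" if magic == PCAP_MAGIC_LE else ">"
    snaplen = struct.unpack(e + "I", data[16:20])[0]
    pos = 24
    while pos + 16 <= len(data):
        hdr = data[pos:pos + 16]
        caplen = struct.unpack(e + "I", hdr[8:12])[0]
        if caplen == 0 or caplen > snaplen or pos + 16 + caplen > len(data):
            break                   # corrupted record: keep only the good prefix
        yield hdr, data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen

def repair(data):
    """(pcap holding only the leading run of good records, record count): the same
    result as marking first..last good packet in Wireshark and saving that range."""
    good = list(read_records(data))
    return data[:24] + b"".join(h + p for h, p in good), len(good)

def split(data, per_file):
    """Split into stand-alone pcaps of per_file records each (like pcap-util's
    split, but by record count rather than file size)."""
    recs = list(read_records(data))
    return [data[:24] + b"".join(h + p for h, p in recs[i:i + per_file])
            for i in range(0, len(recs), per_file)]

# Constructed sample: three dummy 802.11 frames, then a zero-length record with
# more data behind it, which is how a truncated or corrupted capture looks.
SAMPLE_FRAMES = [bytes([0x80, 0x00]) + bytes(34), bytes([0x08, 0x41]) + bytes(30),
                 bytes([0x88, 0x02]) + bytes(40)]
SAMPLE_GOOD = build_pcap(SAMPLE_FRAMES)
SAMPLE_BROKEN = SAMPLE_GOOD + bytes(16) + SAMPLE_GOOD[24:]
```

`repair(SAMPLE_BROKEN)` keeps the three good records and drops everything from the zero-length record on; `split(SAMPLE_GOOD, 2)` yields two files that each start with a copy of the global header.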
Agenda
• WEP
• WPA
• Choose hardware
• Wireless reconnaissance
  – Airgraph-ng
  – GISKismet
WPA
• WPA is at the same time easy and hard to crack
  – Easy to get the handshake
  – But the passphrase can be really complex
WPA
• The 802.11i group was launched when flaws were found in WEP
• 2 link-layer protocols:
  – TKIP (WPA1): draft 3 of the 802.11i group (backward compatible with legacy hardware)
  – CCMP (WPA2): final 802.11i standard
• 2 authentication methods:
  – Personal: PSK (shared key, 8-63 characters)
  – Enterprise: MGT (RADIUS server)
WPA - Location
• You need to be located not too far from the client and the AP to hear the whole 4-way handshake.
• Aircrack-ng can work with less than the 4 EAPOL packets
WPA – Good Location
[Diagram: the attacker is within range of both the AP and the client]
WPA – Bad location
• Only hear the AP [diagram: attacker in range of the AP but not of the client]
• Only hear the client [diagram: attacker in range of the client but not of the AP]
WPA – Airbase-ng
• Act as an AP with airbase-ng and get the handshake => you just need to be in range of the client:
  airbase-ng -z 2 -W 1 -y -c 6 -F dump -e "Philips WiFi" rausb0
• Location problem solved ;), you just need the client:
  [diagram: client, attacker running the fake AP]
WPA - Debug
• Aircrack-ng/cowpatty/pyrit/OTHER TOOL doesn’t see the handshake, why?
• So, how does it look in capture files and how do we debug it?
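In the capture the handshake is four EAPOL-Key frames, told apart by the Key Information bits (Key Ack, Key MIC, Install, Secure). The classifier below is an added example, not code from the talk or from aircrack-ng/cowpatty/pyrit: it applies those bits to constructed frames so you can list which messages a capture actually holds before blaming the tool. The "usable" rule in handshake_summary is a simplification and is labelled as one in the code.

```python
import struct

# Key Information bits of the EAPOL-Key descriptor (IEEE 802.11i)
KEY_TYPE_PAIRWISE, KEY_INSTALL, KEY_ACK, KEY_MIC, KEY_SECURE = 0x8, 0x40, 0x80, 0x100, 0x200
EAPOL_KEY, DESC_RSN, DESC_WPA = 3, 2, 254      # 802.1X packet type, descriptor types

def eapol_key_message(frame):
    """Classify an EAPOL-Key frame (bytes from the 802.1X header, i.e. right after
    the 0x888E SNAP type) as 4-way handshake message 1..4, else None."""
    if len(frame) < 99:                         # fixed part of the key descriptor
        return None
    _version, ptype, _length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_KEY or frame[4] not in (DESC_RSN, DESC_WPA):
        return None
    key_info = struct.unpack("!H", frame[5:7])[0]
    key_data_len = struct.unpack("!H", frame[97:99])[0]
    if not key_info & KEY_TYPE_PAIRWISE:
        return None                             # group key handshake, not the 4-way
    ack, mic, install, secure = (bool(key_info & b)
                                 for b in (KEY_ACK, KEY_MIC, KEY_INSTALL, KEY_SECURE))
    if ack and not mic:
        return 1                                # AP -> client: ANonce
    if ack and mic and install:
        return 3                                # AP -> client: ANonce, GTK, MIC
    if mic and not ack and not install:
        # WPA1 sets identical bits in 2 and 4; message 4 is the one without key data
        return 4 if (secure or key_data_len == 0) else 2
    return None

def handshake_summary(frames):
    """Which messages a capture holds, and (simplified rule) whether it has the AP
    nonce (1 or 3) plus the client's MIC'd reply carrying the SNonce (2)."""
    msgs = {m for m in map(eapol_key_message, frames) if m}
    return msgs, bool(msgs & {1, 3}) and 2 in msgs

def make_eapol_key(key_info, nonce=bytes(32), key_data=b""):
    """Constructed RSN EAPOL-Key frame: replay counter, IV, RSC, Key ID and MIC zeroed."""
    body = (struct.pack("!BHH", DESC_RSN, key_info, 16) + bytes(8) + nonce + bytes(16)
            + bytes(8) + bytes(8) + bytes(16) + struct.pack("!H", len(key_data)) + key_data)
    return struct.pack("!BBH", 2, EAPOL_KEY, len(body)) + body

SAMPLE_HANDSHAKE = [   # constructed; descriptor version 2 = HMAC-SHA1 MIC, AES key wrap
    make_eapol_key(2 | KEY_TYPE_PAIRWISE | KEY_ACK, nonce=bytes([0xA1]) * 32),
    make_eapol_key(2 | KEY_TYPE_PAIRWISE | KEY_MIC, nonce=bytes([0x51]) * 32,
                   key_data=bytes([0x30, 0x14]) + bytes(20)),      # RSN IE stub
    make_eapol_key(2 | KEY_TYPE_PAIRWISE | KEY_ACK | KEY_MIC | KEY_INSTALL | KEY_SECURE | 0x1000,
                   nonce=bytes([0xA1]) * 32, key_data=bytes(56)),  # wrapped GTK stub
    make_eapol_key(2 | KEY_TYPE_PAIRWISE | KEY_MIC | KEY_SECURE),
]
```

When a tool "doesn't see the handshake", the summary usually shows only message 1 (or 1 and 3) because the attacker only heard the AP, which is exactly the bad-location case from the earlier slides.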
WPA – Cracking
• Once you have the handshake, it’s time to crack it
• Two methods come to mind:
  – Using a wordlist
  – Bruteforcing
• Bruteforce is not doable since the minimum key length is 8 characters, so we need a good dictionary
WPA - Dictionary
• Having the right dictionary is important!
• Here are a few tips to build yours:
  – Use generic dictionaries, and add things like:
    • The language used
    • Phone numbers (i.e., use JTR to generate all possible phone numbers)
    • The city and things around it
    • Other things that come to your mind, …
  – Use programs to « add » words:
    • John The Ripper (and Markov)
    • Wyd
    • …
• Combine all of these …
• … and you may end up with huge dictionaries.
WPA – Cracking hardware
• Processing big dictionaries takes time
• CPU too slow => use GPU and FPGA
WPA – GPU Crackers
• Quite easy to set up …
  – apt-get install backtrack-cuda
• … but
  – Don’t forget the power bill ;)
  – Creating dictionaries takes time
• Online services available:
  – Cloud computing: http://www.wpacracker.com
  – GPU: http://tools.question-defense.com
Agenda
• WEP
• WPA
• Choose hardware
• Wireless reconnaissance
  – Airgraph-ng
  – GISKismet
Choose hardware - Antennas
• Often asked: « What is the best antenna? »
• It depends on your needs:
  – Long or short links? Low or high power antenna
  – Point to point or point to multipoint? Directional antenna or omni
  – Frequency? 2.4 GHz/5 GHz (4.9/5.2/5.8/…)
  – ...
Choose hardware - Antennas
Antenna pattern:
• Vertical pattern: look at the horizon
• Horizontal pattern: look at the ground from the sky
Choose hardware - Antennas
Omni
• Great for point-to-multipoint connections (i.e., AP)
• Theory: radiates in all directions
• The highest power is not the best one
Choose hardware - Antennas
• Home made - Biquad
Choose hardware - Antennas
• So, don’t just get the most powerful
• Check the law
• Look at the specs of the cards
  – RX sensitivity: ability to hear
  – TX power: needed for long distance links
  – Important: both take the rate, the frequency and the modulation into account
• Example: Ubiquiti SRC datasheet
Choose hardware - Cables
• Cables have losses
  – Thin: high loss, usually for short links (bend easily)
  – Thick: low loss, for long links (can’t be bent easily)
  – Loss depends on the frequency
• Connectors also have losses: around 0.5 dB
• A few cables (loss for 100 feet at 2.4 GHz)
  – RG174: ~60 dB
  – RG58: ~25 dB
  – LMR 200: ~16.5 dB
  – LMR 400: ~6.7 dB
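The figures above put into a small link-budget calculator, as an added example rather than anything from the talk: cable loss scales with the run length, each connector adds the page's ~0.5 dB, and the result is compared with an EIRP limit that is passed in as a parameter because it depends on the jurisdiction (the 36 dBm used in the demo is an assumption, not a value from the slides). It shows why "the most powerful antenna" can deliver less than no antenna at all behind the wrong cable.

```python
# Loss per 100 feet at 2.4 GHz for the cables listed on the page; the connector
# loss is the page's ~0.5 dB figure. Other frequencies need other tables.
LOSS_PER_100FT_2G4 = {"RG174": 60.0, "RG58": 25.0, "LMR200": 16.5, "LMR400": 6.7}
CONNECTOR_LOSS_DB = 0.5

def cable_loss_db(cable, feet, connectors=2):
    """Total feed-line loss: cable loss scales linearly with length, plus one
    fixed loss per connector (two for a plain card-to-antenna run)."""
    return LOSS_PER_100FT_2G4[cable] * feet / 100.0 + connectors * CONNECTOR_LOSS_DB

def eirp_dbm(tx_power_dbm, antenna_gain_dbi, loss_db):
    """Effective isotropic radiated power, which is what the law limits."""
    return tx_power_dbm + antenna_gain_dbi - loss_db

def dbm_to_mw(dbm):
    return 10 ** (dbm / 10.0)

def link_plan(tx_power_dbm, antenna_gain_dbi, cable, feet, eirp_limit_dbm, connectors=2):
    """Per-cable summary: loss, net gain the antenna really delivers, EIRP, and
    whether it stays under the caller-supplied regulatory EIRP limit (assumption:
    the limit is an input, since it differs per country and band)."""
    loss = cable_loss_db(cable, feet, connectors)
    eirp = eirp_dbm(tx_power_dbm, antenna_gain_dbi, loss)
    return {"cable": cable, "loss_db": round(loss, 2),
            "net_gain_dbi": round(antenna_gain_dbi - loss, 2),
            "eirp_dbm": round(eirp, 2), "eirp_mw": round(dbm_to_mw(eirp), 1),
            "legal": eirp <= eirp_limit_dbm}

if __name__ == "__main__":
    # Constructed scenario: 20 dBm card, 9 dBi omni, 20 ft run, 36 dBm limit (assumed)
    for cable in LOSS_PER_100FT_2G4:
        print(link_plan(20, 9, cable, 20, 36))
```

With 20 feet of RG174 the 9 dBi omni ends up with a net gain of -4 dBi, while the same antenna on LMR400 keeps 6.66 dBi.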
Agenda
• WEP
• WPA
• Choose hardware
• Wireless reconnaissance
  – Airgraph-ng
  – GISKismet
Airgraph-ng
• Airgraph-ng creates a picture of the networks.
• Usage examples:
  – Display a network map
  – Network monitor
• Uses the CSV output of airodump-ng.
• Part of the suite (can be found in scripts/)
Airgraph-ng – Graph types
• Client to Access Point Relationship graph (CAPR):
  – Client to Access Point Relationship
  – Focuses more on clients than on APs
  – APs without clients aren’t graphed
  – Colors for each type of encryption:
    • Green: WPA
    • Yellow: WEP
    • Red: Open
    • Black: Unknown
• Client Probe Graph (CPG):
  – Links between clients and APs
Airgraph-ng – Examples
• Parameters:
  – Input file: airodump-ng CSV file (.csv)
  – Graph type:
    • CAPR (Client – AP Relationship): connected clients
    • CPG (Common Probe Graph): probed SSIDs
  – Output file: picture file name
• Examples:
  – CAPR: airgraph-ng.py -i sharkfest-01.csv -g CAPR -o sharkfest-capr.png
  – CPG: airgraph-ng.py -i sharkfest-01.csv -g CPG -o sharkfest-cpg.png
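What airgraph-ng does with that CSV, as an added Python example rather than the project's own code: parse the AP and station sections of an airodump-ng CSV (a constructed sample in airodump-ng's column layout is embedded) and emit the CAPR and CPG graphs as Graphviz DOT, using the colour legend from the previous slide. Feeding the DOT text to `dot -Tpng` gives the picture.

```python
import csv, io

COLOURS = {"WPA": "green", "WEP": "yellow", "OPN": "red"}   # page's CAPR legend; else black

# Constructed CSV in the column layout airodump-ng writes (AP section, blank
# line, station section); ESSIDs and MACs are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2010-06-16 10:00:00, 2010-06-16 10:05:00, 6, 54, WPA2, CCMP, PSK, -60, 120, 0, 0.0.0.0, 9, Corp-WiFi,
00:11:22:33:44:02, 2010-06-16 10:00:00, 2010-06-16 10:05:00, 11, 54, WEP, WEP, , -70, 80, 3000, 0.0.0.0, 7, OldLink,
00:11:22:33:44:03, 2010-06-16 10:00:00, 2010-06-16 10:05:00, 1, 54, OPN, , , -75, 50, 0, 0.0.0.0, 7, Hotspot,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2010-06-16 10:01:00, 2010-06-16 10:04:00, -65, 35, 00:11:22:33:44:01, Corp-WiFi
AA:BB:CC:DD:EE:02, 2010-06-16 10:02:00, 2010-06-16 10:04:00, -80, 4, (not associated), HomeNet,Corp-WiFi
AA:BB:CC:DD:EE:03, 2010-06-16 10:02:00, 2010-06-16 10:04:00, -70, 12, 00:11:22:33:44:02,
"""

def parse_airodump_csv(text):
    """aps: BSSID -> (ESSID, Privacy); stations: [(MAC, BSSID or None, [probed ESSIDs])]."""
    ap_part, sta_part = text.split("\n\n", 1)
    aps, stations = {}, []
    for row in csv.reader(io.StringIO(ap_part)):
        row = [c.strip() for c in row]
        if len(row) >= 14 and row[0] != "BSSID":
            aps[row[0]] = (row[13], row[5])
    for row in csv.reader(io.StringIO(sta_part)):
        row = [c.strip() for c in row]
        if len(row) >= 6 and row[0] != "Station MAC":
            bssid = None if row[5] == "(not associated)" else row[5]
            stations.append((row[0], bssid, [p for p in row[6:] if p]))
    return aps, stations

def capr_dot(aps, stations):
    """CAPR graph in Graphviz DOT: only APs with associated clients, AP nodes
    coloured by encryption ("WPA2" contains "WPA", so it maps to green)."""
    lines = ["digraph CAPR {"]
    for mac, bssid, _ in stations:
        if bssid in aps:
            essid, privacy = aps[bssid]
            colour = next((c for k, c in COLOURS.items() if k in privacy), "black")
            lines.append(f'  "{bssid}" [label="{essid}" color={colour}];')
            lines.append(f'  "{mac}" -> "{bssid}";')
    return "\n".join(lines + ["}"])

def cpg_dot(stations):
    """CPG graph: every client linked to each ESSID it probes for."""
    edges = [f'  "{mac}" -> "{essid}";' for mac, _, probes in stations for essid in probes]
    return "\n".join(["digraph CPG {"] + edges + ["}"])

if __name__ == "__main__":
    print(capr_dot(*parse_airodump_csv(SAMPLE_CSV)))
```

In the sample the open "Hotspot" AP has no client and so, as the slide says, does not appear in the CAPR graph, while the unassociated station only shows up in the CPG graph through its probes.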
Agenda
• WEP
• WPA
• Choose hardware
• Wireless reconnaissance
  – Airgraph-ng
  – GISKismet
GISKismet
• « GISKismet is a wireless recon visualization tool to represent data gathered using Kismet in a flexible manner »
• Displays access points on Google Earth => requires GPS.
• Also works with airodump-ng
GISKismet (2)
• Stores information in a database (SQLite)
• Input: Kismet newcore XML (netxml)
• Outputs a KML file
• Filter data:
  – Input: limited to things like channel, ESSID, …
  – Output: flexible, SQL query
GISKismet (3)
• Importing data:
  – giskismet -x dump-01.kismet.netxml
• This will create a file called wireless.dbl (an SQLite3 database with 2 tables):
  – Clients: all clients
  – Wireless: all APs
• Exporting: giskismet -q SQL_ORDER -o OUTPUT_FILE.kml
GISKismet (4)
SQL queries:
• All: select * from wireless
• SSID starting with ‘SpeedTouch’: select * from wireless where ESSID like 'SpeedTouch%'
• APs from Aruba Networks: select * from wireless where Manuf = 'Aruba Networks'
• Hotspots: select * from wireless where ESSID like '%hotspot%'
• Channel 6: select * from wireless where channel = 6
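The queries above run against a constructed SQLite stand-in for wireless.dbl, with the selected rows turned into KML placemarks the way GISKismet's export does; this is an added example, not GISKismet's code. The column names follow the page's queries (ESSID, Manuf, Channel), and the GPS column names and every row are assumptions.

```python
import sqlite3
from xml.sax.saxutils import escape

# Constructed APs: the column names match the page's queries (ESSID, Manuf,
# Channel); the rest of GISKismet's real schema is not reproduced here.
SAMPLE_APS = [
    ("00:11:22:33:44:01", "SpeedTouch1A2B3C", "Thomson", 6, 37.4275, -122.1697),
    ("00:11:22:33:44:02", "Corp-WiFi", "Aruba Networks", 11, 37.4280, -122.1700),
    ("00:11:22:33:44:03", "Free Hotspot", "Cisco", 6, 37.4290, -122.1710),
    ("00:11:22:33:44:04", "SpeedTouch9F8E7D", "Thomson", 1, 37.4300, -122.1720),
]

def load_db(rows=SAMPLE_APS):
    """In-memory stand-in for wireless.dbl with a single 'wireless' table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wireless (BSSID TEXT PRIMARY KEY, ESSID TEXT, Manuf TEXT,"
               " Channel INTEGER, GPSBestLat REAL, GPSBestLon REAL)")
    db.executemany("INSERT INTO wireless VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db

def query_bssids(db, sql):
    """Run one of the page's filter queries; SQLite's LIKE is case-insensitive for
    ASCII, so '%hotspot%' also matches 'Free Hotspot'."""
    return sorted(row[0] for row in db.execute(sql))

def to_kml(db, sql):
    """Turn the rows a 'select *' query returns into KML placemarks for Google Earth."""
    marks = []
    for bssid, essid, manuf, channel, lat, lon in db.execute(sql):
        marks.append(f"<Placemark><name>{escape(essid)}</name>"
                     f"<description>{bssid} {escape(manuf)} ch{channel}</description>"
                     f"<Point><coordinates>{lon},{lat},0</coordinates></Point></Placemark>")
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>'
            + "".join(marks) + "</Document></kml>")

if __name__ == "__main__":
    db = load_db()
    print(query_bssids(db, "select * from wireless where ESSID like 'SpeedTouch%'"))
    print(to_kml(db, "select * from wireless where channel = 6"))
```

KML coordinates are longitude first, then latitude, which is the usual source of placemarks landing in the wrong hemisphere.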
Links
• Pcap-util: http://www.badpenguin.co.uk/files/pcap-util
• List of supported packets for PTW: http://aircrack-ng.org/doku.php?id=supported_packets
• John The Ripper: http://www.openwall.com/john/
• Markov: http://openwall.info/wiki/john/markov
• Wyd: http://www.remote-exploit.org/?page_id=418
• « Next generation wireless recon … » (Shmoocon 2009): http://spl0it.org/files/talks/Abraham-Smith-NextGenerationWirelessRecon-VisualizingTheAirwaves-ShmooCon2009.pdf (short: http://preview.tinyurl.com/nbsssp)
• Cable loss calculator: http://www.ocarc.ca/coax.htm