Ethical Hacking
Defeating Wireless Security

Contact
Sam Bowne
Computer Networking and Information Technology
City College San Francisco
Email: [email protected]
Web: samsclass.info

Two Hacking Classes
CNIT 123: Ethical Hacking and Network Defense
  Has been taught since Spring 2007 (four times)
  Face-to-face and Online sections available Fall 2008
CNIT 124: Advanced Ethical Hacking
  Taught for the first time in Spring 2008

Certified Ethical Hacker
Those two classes prepare students for CEH Certification

Certificate in Network Security

Associate of Science Degree

Equipment
Wireless Network Interface Cards (NICs) and Drivers

The Goal
All wireless NICs can connect to an Access Point
But hacking requires more than that, because we need to do
  Sniffing – collecting traffic addressed to other devices
  Injection – transmitting forged packets which will appear to be from other devices

Windows v. Linux
The best wireless hacking software is written in Linux
  The Windows tools are inferior, and don't support packet injection
But all the wireless NICs are designed for Windows
  And the drivers are written for Windows
  Linux drivers are hard to find and confusing to install

Wireless Security

Three Security Settings
No security
WEP (Wired Equivalent Privacy)
  Old and broken
  Easily hacked
WPA and WPA2 (Wi-Fi Protected Access)
  Very secure
  The only significant vulnerability is to a dictionary attack, if the key is a common word

Wireless Security in San Francisco
Measured by CCSF students on Nov 18, 2008
WEP is the most popular security technique!

Cracking WEP
Tools and Principles

A Simple WEP Crack
The Access Point and Client are using WEP encryption
The hacker device just listens
[Diagram: hacker listening to a WEP-protected WLAN]

Listening is Slow
You need to capture 50,000 to 200,000 "interesting" packets to crack a 64-bit WEP key
  The "interesting" packets are the ones containing Initialization Vectors (IVs)
  Only about ¼ of the packets contain IVs
  So you need 200,000 to 800,000 packets
It can take hours or days to capture that many packets

Packet Injection
A second hacker machine injects packets to create more "interesting packets"
[Diagram: hacker listening and injecting on a WEP-protected WLAN]

Injection is MUCH Faster
With packet injection, the listener can collect 200 IVs per second
5 – 10 minutes is usually enough to crack a 64-bit key
Cracking a 128-bit key takes an hour or so
  Link l_14r

Cracking WEP
The Attack

Airodump
Sniffs packets to find networks

Aireplay
Finds an ARP packet and replays it to make cracking faster

Data
This makes the #Data value go up much faster
We need at least 50,000 Data (IVs) to crack WEP

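A monitoring sensor can spot the ARP replay described on the Aireplay and Data slides, because a replayed frame arrives unchanged (same transmitter, same IV, same length) many times per second, while normal WEP traffic uses a fresh IV per frame. The sketch below is an added example, not part of the original slides; the record layout, thresholds, MAC addresses and sample frames are constructed assumptions.

```python
from collections import defaultdict

def make_sample():
    """Constructed sensor records: (timestamp_s, transmitter_mac, iv_hex, frame_len)."""
    frames = []
    # Normal client: a fresh IV on every frame, varying sizes, about 4 frames/s.
    for i in range(40):
        frames.append((i * 0.25, "00:11:22:33:44:55",
                       f"{0x1000 + i:06x}", 90 + (i * 37) % 900))
    # Replaying station: one captured frame resent unchanged 200 times in a
    # second (the slides quote about 200 IVs per second under injection).
    for i in range(200):
        frames.append((5.0 + i * 0.005, "66:77:88:99:aa:bb", "a1b2c3", 68))
    return sorted(frames)

def detect_replay(frames, window_s=1.0, min_repeats=50):
    """Return {transmitter: peak count of one identical (IV, length) frame
    seen inside any sliding window of window_s seconds}, for transmitters
    whose peak reaches min_repeats."""
    seen = defaultdict(list)
    for ts, mac, iv, length in frames:
        seen[(mac, iv, length)].append(ts)

    alerts = {}
    for (mac, _iv, _length), times in seen.items():
        times.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(times):
            # Shrink the window until it spans at most window_s seconds.
            while ts - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_repeats:
            alerts[mac] = max(alerts.get(mac, 0), peak)
    return alerts

if __name__ == "__main__":
    for mac, count in detect_replay(make_sample()).items():
        print(f"possible ARP replay from {mac}: {count} identical frames/s")
```
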
Aircrack
The captured IVs make the keyspace much smaller
Aircrack performs a brute-force attack on all remaining keys