Ethical Hacking Defeating Wireless Security. 2 Contact Sam Bowne Sam Bowne Computer Networking and...

Ethical Hacking
Defeating Wireless Security

Contact

Sam Bowne
Computer Networking and Information Technology
City College San Francisco
Email: [email protected]
Web: samsclass.info

Two Hacking Classes

- CNIT 123: Ethical Hacking and Network Defense
  - Has been taught since Spring 2007 (four times)
  - Face-to-face and Online sections available Fall 2008
- CNIT 124: Advanced Ethical Hacking
  - Taught for the first time in Spring 2008

Certified Ethical Hacker

- Those two classes prepare students for CEH Certification

Certificate in Network Security

Associate of Science Degree

Equipment

Wireless Network Interface Cards (NICs) and Drivers

The Goal

- All wireless NICs can connect to an Access Point
- But hacking requires more than that, because we need to do
  - Sniffing – collecting traffic addressed to other devices
  - Injection – transmitting forged packets which will appear to be from other devices

Windows v. Linux

- The best wireless hacking software is written in Linux
  - The Windows tools are inferior, and don't support packet injection
- But all the wireless NICs are designed for Windows
  - And the drivers are written for Windows
  - Linux drivers are hard to find and confusing to install

Wireless Security

Three Security Settings

- No security
- WEP (Wired Equivalent Privacy)
  - Old and broken
  - Easily hacked
- WPA and WPA2 (Wi-Fi Protected Access)
  - Very secure
  - The only significant vulnerability is to a dictionary attack, if the key is a common word

Wireless Security in San Francisco

- Measured by CCSF students on Nov 18, 2008
- WEP is the most popular security technique!

Cracking WEP

Tools and Principles

A Simple WEP Crack

- The Access Point and Client are using WEP encryption
- The hacker device just listens

[Diagram: hacker listening to a WEP-protected WLAN]

Listening is Slow

- You need to capture 50,000 to 200,000 "interesting" packets to crack a 64-bit WEP key
  - The "interesting" packets are the ones containing Initialization Vectors (IVs)
  - Only about ¼ of the packets contain IVs
  - So you need 200,000 to 800,000 packets
- It can take hours or days to capture that many packets

Packet Injection

- A second hacker machine injects packets to create more "interesting packets"

[Diagram: hacker listening and injecting on a WEP-protected WLAN]

Injection is MUCH Faster

- With packet injection, the listener can collect 200 IVs per second
- 5 – 10 minutes is usually enough to crack a 64-bit key
- Cracking a 128-bit key takes an hour or so
  - Link l_14r

Cracking WEP

The Attack

Airodump

- Sniffs packets to find networks

Aireplay

- Finds an ARP packet and replays it to make cracking faster

Data

- This makes the #Data value go up much faster
- We need at least 50,000 Data (IVs) to crack WEP
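The replay described on the Aireplay slide leaves a pattern a wireless sensor can alert on: one encrypted frame arriving over and over at a rate no normal client produces. The sketch below is an added example, not part of the original slides; the log tuple format, MAC addresses, IV values, frame sizes and thresholds are all constructed, and it assumes the replayed frame is retransmitted unchanged so its IV and length repeat.

```python
from collections import defaultdict

def make_sample():
    """Constructed sensor log: (time_ms, transmitter_mac, wep_iv_hex, frame_len)
    for WEP data frames sent toward the access point."""
    frames = []
    # Ordinary client: every frame carries a fresh IV, sizes vary.
    for i in range(40):
        frames.append((i * 250, "00:11:22:33:44:55",
                       f"{0x1000 + i:06x}", 90 + (i * 37) % 900))
    # Replay: one captured frame re-sent unchanged at 200 frames per second,
    # the rate quoted on the "Injection is MUCH Faster" slide.
    for i in range(400):
        frames.append((3000 + i * 5, "66:77:88:99:aa:bb", "a1b2c3", 68))
    return sorted(frames)

def detect_replay(frames, window_ms=1000, min_repeats=50):
    """Return {(mac, iv, length): peak repeats in any window} for frames that
    recur with the same IV and length at least min_repeats times in window_ms."""
    seen = defaultdict(list)
    for ts, mac, iv, length in frames:
        seen[(mac, iv, length)].append(ts)
    alerts = {}
    for key, stamps in seen.items():
        stamps.sort()
        peak, start = 0, 0
        # Sliding window over the timestamps of this exact frame.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_ms:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_repeats:
            alerts[key] = peak
    return alerts

if __name__ == "__main__":
    for (mac, iv, length), peak in detect_replay(make_sample()).items():
        print(f"possible replay from {mac}: IV {iv}, len {length}, {peak} copies/s")
```

A legitimate WEP sender changes the IV from frame to frame, so a single IV repeating dozens of times a second from one transmitter is the signal; the durable mitigation is moving the network to WPA2, which the deck rates as very secure.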

Aircrack

- The captured IVs make the keyspace much smaller
- Aircrack performs a brute-force attack on all remaining keys