SHARKFEST ‘10 | Stanford University | June 14–17, 2010

Wireless Security
June 16, 2010

Thomas d’Otreppe de Bouvette
Author of Aircrack-ng

Agenda

• WEP
• WPA
• Choose hardware
• Wireless reconnaissance
  – Airgraph-ng
  – GISKismet

WEP

• Still broken but still used
• Sometimes you can’t crack the key
• « What can I do? »

WEP

• Check if you have enough data packets.
  – ~30K are needed for 64 bit with PTW
  – ~80K for 128 bit with PTW
• Switch to KoreK starting from 150-200K packets
  – ~200K for 64 bit with KoreK
  – ~500K for 128 bit with KoreK
• Usually, if you can’t crack, as a rule of thumb, just get more (data) packets
• More than enough and still can’t crack the key? Split the capture file and crack the parts individually

WEP – Split files

• Pcap-util:
  – http://www.badpenguin.co.uk/files/pcap-util
  – Perl script
  – Works on Linux/Windows


WEP – Split files (2)

WEP – Split files (3)

• Has several options:
  – Split in files of X Mb
  – Extract packets that fall within a period of time
  – Extract packets that match a libpcap filter
• Just need to split in smaller files, so:
  – perl pcap-util split large.pcap small 3

WEP – PTW limitations

• Works with 64 and 128 bit keys
• Works in 2 phases:
  – Phase 1: ARP
  – Phase 2: Then use all other data packets (some packets are ignored because they are known to be unusable for PTW)
• List of usable packets can be found at
  – http://aircrack-ng.org/doku.php?id=supported_packets

WEP – WEP Cloaking™

• « Motorola AirDefense WEP Cloaking™ provides protection for wireless infrastructure secured by legacy encryption protocols. This is an add-on module to Motorola AirDefense Enterprise, the market leading Wireless Intrusion Prevention System. »
• Solution: airdecloak-ng, but sometimes aircrack-ng can crack it directly

WEP – WEP Cloaking™ (2)

  aircrack-ng wep_cloaking_full_speed_dl.pcap -b 00:12:BF:12:32:29 -K -n 64 -d 1F:1F:1F


WEP – WEP Cloaking ™ (3)

WEP – WEP Cloaking™ (4)

• Not all packets were filtered out, but enough were to crack the key

WEP – Broken capture file

• Aircrack-ng:
  – Invalid packet capture length 0 - corrupted file?
• Wireshark


WEP – Broken capture file (2)

WEP – Broken capture file (3)

• Mark first packet
• Mark the last good packet
• File – Save as …
• Select « first to last marked packet »
• Select an output filename then save it
• DONE
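The two capture-file chores from the WEP slides above, splitting a large capture into smaller files and cutting a corrupted capture back to its last good packet, can be done with a few lines of code instead of pcap-util or the Wireshark mark-and-save procedure. The script below is an added example, not code from the talk, from pcap-util or from Aircrack-ng: it walks the classic libpcap format record by record, stops at the first record whose capture length is 0 or larger than the snaplen (the condition behind the "Invalid packet capture length 0" error above), keeps everything before that point, and writes the result out as complete pcap files of at most a given size. The sample packets are constructed, the output file naming is an assumption, and the pcapng format is not handled.

```python
"""Minimal libpcap reader that stops at the first corrupt record (the case
behind aircrack-ng's "Invalid packet capture length 0 - corrupted file?")
and splits the surviving packets into smaller capture files, as pcap-util
does. Added example; not code from the talk, pcap-util or Aircrack-ng."""
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4                 # little-endian, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, caplen, origlen
Record = Tuple[bytes, bytes]            # (record header, packet bytes)

def read_records(data: bytes) -> Tuple[bytes, List[Record], str]:
    """Parse a pcap image. Returns (global header, records, status); status is
    'ok' or a description of the first defect. Records before the defect are
    kept, which is what the 'mark first packet / mark last good packet /
    save first to last marked' Wireshark procedure achieves by hand."""
    if len(data) < GLOBAL_HDR.size:
        return b"", [], "file shorter than the 24-byte global header"
    magic, _, _, _, _, snaplen, _ = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        return b"", [], "unsupported magic 0x%08x" % magic
    gh, records, off = data[:GLOBAL_HDR.size], [], GLOBAL_HDR.size
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            return gh, records, "truncated record header at offset %d" % off
        _, _, caplen, _ = RECORD_HDR.unpack_from(data, off)
        if caplen == 0:
            return gh, records, "invalid packet capture length 0 at offset %d" % off
        if caplen > snaplen:
            return gh, records, "capture length %d exceeds snaplen %d at offset %d" % (caplen, snaplen, off)
        start = off + RECORD_HDR.size
        if start + caplen > len(data):
            return gh, records, "truncated packet body at offset %d" % off
        records.append((data[off:start], data[start:start + caplen]))
        off = start + caplen
    return gh, records, "ok"

def split_records(gh: bytes, records: List[Record], max_bytes: int) -> List[bytes]:
    """Group records into complete pcap images of at most max_bytes each
    (a single record larger than the limit gets a file of its own)."""
    chunks, current, size = [], [], len(gh)
    for hdr, body in records:
        rec_size = len(hdr) + len(body)
        if current and size + rec_size > max_bytes:
            chunks.append(gh + b"".join(h + b for h, b in current))
            current, size = [], len(gh)
        current.append((hdr, body))
        size += rec_size
    if current:
        chunks.append(gh + b"".join(h + b for h, b in current))
    return chunks

def repair_and_split(path: str, out_prefix: str, max_mb: int = 3) -> str:
    """Write <out_prefix>-NN.pcap files (naming is an assumption) and return
    the parse status so the caller knows whether the input was truncated."""
    with open(path, "rb") as fh:
        gh, records, status = read_records(fh.read())
    for i, chunk in enumerate(split_records(gh, records, max_mb * 1024 * 1024)):
        with open("%s-%02d.pcap" % (out_prefix, i), "wb") as out:
            out.write(chunk)
    return status

def build_sample_pcap(corrupt: bool = False) -> bytes:
    """Constructed input: three 40-byte 802.11 data frames (link type 105),
    optionally followed by a zero-length record to reproduce the error."""
    gh = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 105)
    frames = [bytes([0x08, 0x02, 0, 0]) + bytes([i]) * 36 for i in range(1, 4)]
    body = b"".join(RECORD_HDR.pack(1276688000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    if corrupt:
        body += RECORD_HDR.pack(1276688010, 0, 0, 0) + b"\xff" * 8
    return gh + body

if __name__ == "__main__":
    gh, recs, status = read_records(build_sample_pcap(corrupt=True))
    print("%s; %d good records kept, %d output files" %
          (status, len(recs), len(split_records(gh, recs, 24 + 2 * 56))))
```

Because the parser validates each record header before trusting its length, a capture that was cut mid-packet or had garbage appended is reduced to the valid prefix that aircrack-ng can read; the same walk is what lets the split step produce files that are each a well-formed pcap.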


WPA

• WPA is at the same time easy and hard to crack
  – Easy to get the handshake
  – But the passphrase can be really complex

WPA

• 802.11i group launched when flaws were found in WEP
• 2 link-layer protocols:
  – TKIP (WPA1): Draft 3 of 802.11i group (backward compatible with legacy hardware)
  – CCMP (WPA2): final 802.11i standard
• 2 authentication methods:
  – Personal: PSK (Shared key, 8-63 characters)
  – Enterprise: MGT (Radius server)


WPA-PSK – 4 way handshake

WPA - Location

• You need to be located not too far from the client and the AP to hear the whole 4-way handshake.
• Aircrack-ng can work with less than the 4 EAPOL packets

WPA – Good Location

[Diagram: AP, Attacker, Client, with the attacker in range of both the AP and the client]

WPA – Bad location

• Only hear the AP:
  [Diagram: AP, Client, Attacker, with the attacker in range of the AP only]
• Only hear the client:
  [Diagram: AP, Client, Attacker, with the attacker in range of the client only]

WPA – Airbase-ng

• Act as an AP with airbase-ng and get the handshake => Just need to be in the range of the client:

  airbase-ng -z 2 -W 1 -y -c 6 -F dump -e "Philips WiFi" rausb0

• Location problem solved ;), you just need the client:
  [Diagram: Client, Attacker running the fake AP]


WPA – Airbase-ng (2)

DEMO

WPA - Debug

• Aircrack-ng/cowpatty/pyrit/OTHER TOOL doesn’t see the handshake, why?
• So, how does it look in capture files and how do we debug it?


WPA - Debug

DEMO
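Answering "why doesn't the tool see the handshake" from the capture itself means recognising the four EAPOL-Key messages and checking which of them are present. The code below is an added example, not part of the talk and not Aircrack-ng's own parser: it classifies an EAPOL-Key frame as message 1 to 4 from its Key Information bits, the same way Wireshark's dissector labels them, and then maps what was seen back to the location problem from the earlier slides (only the AP heard, only the client heard). The input frames are the 802.1X payloads that follow the LLC/SNAP header (EtherType 0x888e) inside an 802.11 data frame; pulling them out of a capture is left to a capture library. The sample handshake is constructed, with zeroed nonce and MIC fields, and the statement that message 2 together with message 1 or 3 is what the tools generally need is the usual rule of thumb; other combinations depend on the tool.

```python
"""Classify the EAPOL-Key frames of a WPA/WPA2 4-way handshake by their Key
Information bits and report whether a capture holds the messages the
cracking tools need. Added example for debugging captures; not the talk's
code nor Aircrack-ng's own parser. Input is the 802.1X payload that follows
the LLC/SNAP header (EtherType 0x888e) in an 802.11 data frame."""
import struct
from typing import List

EAPOL_TYPE_KEY = 3            # 802.1X packet type 3 = EAPOL-Key
DESC_RSN, DESC_WPA = 2, 254   # Key descriptor types: RSN (WPA2) and WPA
KI_PAIRWISE = 0x0008          # Key Information bits (IEEE 802.11i)
KI_INSTALL = 0x0040
KI_ACK = 0x0080
KI_MIC = 0x0100
KI_SECURE = 0x0200
KEY_DATA_LEN_OFFSET = 97      # 4-byte 802.1X header + 93 bytes of fixed EAPOL-Key fields
MIN_KEY_FRAME = KEY_DATA_LEN_OFFSET + 2

def eapol_key_message(frame: bytes) -> int:
    """Return 1..4 for a 4-way handshake message, 0 for anything else."""
    if len(frame) < MIN_KEY_FRAME:
        return 0
    _version, ptype, _length = struct.unpack_from(">BBH", frame, 0)
    if ptype != EAPOL_TYPE_KEY or frame[4] not in (DESC_RSN, DESC_WPA):
        return 0
    key_info = struct.unpack_from(">H", frame, 5)[0]
    if not key_info & KI_PAIRWISE:
        return 0                          # group key handshake, not the 4-way one
    ack, mic, install = (bool(key_info & b) for b in (KI_ACK, KI_MIC, KI_INSTALL))
    key_data_len = struct.unpack_from(">H", frame, KEY_DATA_LEN_OFFSET)[0]
    if ack and not mic:
        return 1                          # AP -> STA: ANonce
    if ack and mic and install:
        return 3                          # AP -> STA: ANonce again, GTK, MIC
    if mic and not ack and not install:
        return 2 if key_data_len else 4   # STA -> AP: 2 carries the RSN/WPA IE, 4 carries no key data
    return 0

def diagnose(frames: List[bytes]) -> str:
    """Map what a capture holds back to the location problem from the talk.
    'usable' = message 2 (SNonce and MIC) plus message 1 or 3 (ANonce), the
    combination the tools generally need; the other strings say which side
    of the exchange the sniffer was too far away from."""
    seen = {eapol_key_message(f) for f in frames} - {0}
    if 2 in seen and seen & {1, 3}:
        return "usable"
    if not seen:
        return "none"                     # no pairwise EAPOL-Key frames at all
    if seen <= {1, 3}:
        return "ap-side-only"             # AP heard, client not heard
    if seen <= {2, 4}:
        return "client-side-only"         # client heard, AP not heard
    return "incomplete"                   # e.g. only messages 1 and 4

def build_eapol_key(key_info: int, key_data: bytes = b"", descriptor: int = DESC_RSN) -> bytes:
    """Constructed EAPOL-Key frame with zeroed replay counter, nonce, IV, RSC,
    ID and MIC fields (8 + 32 + 16 + 8 + 8 + 16 bytes); not a real capture."""
    body = bytes([descriptor]) + struct.pack(">HH", key_info, 16) + b"\x00" * 88
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, EAPOL_TYPE_KEY, len(body)) + body

# Constructed RSN IE (CCMP group and pairwise cipher, PSK AKM) carried by messages 2 and 3
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
SAMPLE_HANDSHAKE = [
    build_eapol_key(KI_PAIRWISE | KI_ACK),                                          # message 1
    build_eapol_key(KI_PAIRWISE | KI_MIC, RSN_IE),                                  # message 2
    build_eapol_key(KI_PAIRWISE | KI_ACK | KI_MIC | KI_INSTALL | KI_SECURE, RSN_IE),  # message 3
    build_eapol_key(KI_PAIRWISE | KI_MIC | KI_SECURE),                              # message 4
]

if __name__ == "__main__":
    print([eapol_key_message(f) for f in SAMPLE_HANDSHAKE], diagnose(SAMPLE_HANDSHAKE))
    print("AP only:", diagnose([SAMPLE_HANDSHAKE[0], SAMPLE_HANDSHAKE[2]]))
```

Run against the EAPOL frames of a real capture (Wireshark filter `eapol`), the same classification tells you at a glance whether the "bad location" case from the slides is what happened: a list of only 1s and 3s means the client side was never heard.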

WPA – Cracking

• Once you have the handshake, it’s time to crack it
• Two methods come to mind:
  – Using a wordlist
  – Bruteforcing
• Bruteforce is not doable since the minimum key length is 8 characters, so we need a good dictionary

WPA - Dictionary

• Having the right dictionary is important!
• Here are a few tips to build yours:
  – Use generic dictionaries, add things like:
    • Language used
    • Phone numbers (i.e., use JTR to generate all possible phone numbers)
    • City and different things around
    • Other things that come to your mind, …
  – Use programs to « add » words:
    • John The Ripper (and Markov)
    • Wyd
    • …
• Combine all of these …
• … and you may end up with huge dictionaries.

WPA – Cracking hardware

• Processing big dictionaries takes time
• CPU too slow => Use GPU and FPGA

WPA – GPU performance

• Pyrit performance

WPA – GPU Crackers

• Quite easy to set up …
  – apt-get install backtrack-cuda
• … but
  – Don’t forget the power bill ;)
  – Creating dictionaries takes time
• Online services available:
  – Cloud computing: http://www.wpacracker.com
  – GPU: http://tools.question-defense.com


Choose hardware - Antennas

• Often asked: « What is the best antenna? »
• Depends on your needs:
  – Long or short links? Low or high power antenna
  – Point to Point or Point to Multipoint? Directional antenna or omni
  – Frequency? 2.4GHz/5GHz (4.9/5.2/5.8/…)
  – ...

Choose hardware - Antennas

• Antenna pattern:
  – Vertical pattern: Look at the horizon
  – Horizontal pattern: Look at the ground from the sky

Choose hardware - Antennas

• Omni
  – Great for Point to Multipoint connections (ie, AP)
  – Theory: radiate in all directions
  – Highest power is not the best one

Choose hardware - Antennas

• Omni 5dBi

Choose hardware - Antennas

• Omni 9dBi

Choose hardware - Antennas

• Sector 120°

Choose hardware - Antennas

• Grid

Choose hardware - Antennas

• Home made - Biquad

Choose hardware - Antennas

• So, don’t just get the most powerful
• Check the law
• Look at the specs of the cards
  – RX sensitivity: ability to hear
  – TX power: needed for long distance links
  – Important: both take the rate, the frequency and the modulation into account
• Example: Ubiquiti SRC datasheet

Choose hardware - Cables

• Cables have losses
  – Thin: high loss, usually for short links (bend easily)
  – Thick: low loss, for long links (can’t be bent easily)
  – Loss depends on the frequency
• Connectors also have losses: around 0.5dB
• A few cables (loss for 100 feet at 2.4GHz)
  – RG174: ~60dB
  – RG58: ~25dB
  – LMR 200: ~16.5dB
  – LMR 400: ~6.7dB
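The card specs from the previous slide (TX power, RX sensitivity) and the cable and connector losses above only mean something once they are combined into a link budget. The Python below is an added example, not from the talk: it uses the talk's cable table and the 0.5 dB per connector rule, the textbook free-space path loss formula for an ideal line-of-sight path, and constructed radio figures (18 dBm TX power, -90 dBm sensitivity, not taken from any datasheet) to compute the fade margin of a 1 km link with two 9 dBi omnis, then shows what replacing 50 feet of LMR400 with RG174 on the transmit side does to that margin.

```python
"""Link budget calculator tying together the hardware figures from the talk:
TX power and RX sensitivity from the card datasheet, antenna gain, the cable
loss table and the 0.5 dB per connector rule. Added example, not from the
talk; free-space path loss is the textbook formula and the radio figures in
example_link() are constructed, not a real datasheet."""
import math

# Loss per 100 feet at 2.4 GHz, the values given in the talk
CABLE_LOSS_DB_PER_100FT = {"RG174": 60.0, "RG58": 25.0, "LMR200": 16.5, "LMR400": 6.7}
CONNECTOR_LOSS_DB = 0.5   # rule of thumb from the talk

def cable_loss_db(cable: str, feet: float, connectors: int = 2) -> float:
    """Loss of one cable run including its connectors (one at each end by default)."""
    return CABLE_LOSS_DB_PER_100FT[cable] * feet / 100.0 + CONNECTOR_LOSS_DB * connectors

def free_space_path_loss_db(distance_km: float, freq_mhz: float) -> float:
    """FSPL = 20 log10(d[km]) + 20 log10(f[MHz]) + 32.44 (ideal line of sight,
    so a real link needs a comfortable margin on top of this)."""
    return 20.0 * math.log10(distance_km) + 20.0 * math.log10(freq_mhz) + 32.44

def link_margin_db(tx_dbm: float, tx_ant_dbi: float, tx_cable_db: float,
                   rx_ant_dbi: float, rx_cable_db: float,
                   distance_km: float, freq_mhz: float, rx_sensitivity_dbm: float) -> float:
    """Received power minus the receiver's sensitivity; negative means no link.
    Sensitivity must be the datasheet value for the rate and modulation you
    want, which is the point of the 'both take the rate into account' remark."""
    eirp_dbm = tx_dbm + tx_ant_dbi - tx_cable_db
    rx_dbm = eirp_dbm - free_space_path_loss_db(distance_km, freq_mhz) + rx_ant_dbi - rx_cable_db
    return rx_dbm - rx_sensitivity_dbm

def example_link(tx_cable: str = "LMR400") -> float:
    """1 km link at 2400 MHz, 9 dBi omnis on both ends, 50 ft of cable on the
    TX side and 10 ft of RG58 on the RX side. 18 dBm TX power and -90 dBm
    sensitivity are constructed figures, not a real card's datasheet."""
    return link_margin_db(18.0, 9.0, cable_loss_db(tx_cable, 50),
                          9.0, cable_loss_db("RG58", 10),
                          1.0, 2400.0, -90.0)

if __name__ == "__main__":
    for cable in ("LMR400", "LMR200", "RG58", "RG174"):
        print("%-7s on the TX side: margin %+6.1f dB" % (cable, example_link(cable)))
```

With LMR400 the example link keeps about 18 dB of margin; with the same 50 feet of RG174 the transmit cable alone eats 31 dB and the margin goes negative, which is the "thin cable, short links only" rule in numbers.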


Airgraph-ng

• Airgraph-ng creates a picture of the networks.
• Usage examples:
  – Display a network map
  – Network monitor
• Uses the CSV output of airodump-ng.
• Part of the suite (can be found in scripts/)

Airgraph-ng – Graph types

• Client to Access Point Relationship graph (CAPR):
  – Client to Access Point Relationship
  – Focus more on clients than AP
  – APs without clients aren’t graphed
  – Colors for each type of encryption
    • Green: WPA
    • Yellow: WEP
    • Red: Open
    • Black: Unknown
• Client Probe Graph (CPG):
  – Links between clients and AP

Airgraph-ng – Examples

• Parameters:
  – Input file: Airodump-ng CSV file (.csv)
  – Graph type:
    • CAPR (Client – AP Relationship): Connected clients
    • CPG (Common Probe Graph): Probed SSID
  – Output file: Picture file name
• Examples:
  – CAPR: airgraph-ng.py -i sharkfest-01.csv -g CAPR -o sharkfest-capr.png
  – CPG: airgraph-ng.py -i sharkfest-01.csv -g CPG -o sharkfest-cpg.png
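Airgraph-ng's input, the airodump-ng CSV file, has an AP table and a station table separated by a blank line, and a station's probed ESSIDs are written as unquoted, comma-separated values at the end of its row, which is why a generic CSV reader gets the column count wrong. The script below is an added example, not airgraph-ng's own code: it parses that layout, builds the CAPR (client to associated AP) and CPG (client to probed SSID) relationships with the colour legend from the graph-types slide, and emits Graphviz DOT text that `dot -Tpng` can render into the same kind of picture. The CSV sample is constructed, and the column layout it assumes is the one shown in that sample.

```python
"""Parse airodump-ng CSV output into the two relationships airgraph-ng draws,
CAPR (client to the AP it is associated with) and CPG (client to the SSIDs it
probed for), and emit a Graphviz DOT graph. Added example, not airgraph-ng's
own code; the column layout assumed is the one in SAMPLE_CSV below."""
from collections import defaultdict
from typing import Dict, List, Tuple

def privacy_color(privacy: str) -> str:
    """Colour legend from the talk: green WPA, yellow WEP, red open, black unknown."""
    p = privacy.upper()
    if "WPA" in p:
        return "green"
    if "WEP" in p:
        return "yellow"
    if "OPN" in p:
        return "red"
    return "black"

def parse_airodump_csv(text: str) -> Tuple[Dict[str, dict], List[dict]]:
    """Return (aps, stations). The file has an AP table and a station table
    separated by a blank line. Probed ESSIDs are the unquoted, comma separated
    tail of a station row, so everything after the sixth field is a probe;
    an ESSID containing commas is re-joined from the fields before 'Key'."""
    aps, stations, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BSSID,"):
            section = "ap"
            continue
        if line.startswith("Station MAC,"):
            section = "station"
            continue
        f = [x.strip() for x in line.split(",")]
        if section == "ap" and len(f) >= 15:
            aps[f[0]] = {"essid": ",".join(f[13:-1]), "channel": f[3], "privacy": f[5]}
        elif section == "station" and len(f) >= 6:
            stations.append({"station": f[0], "bssid": f[5], "probes": [p for p in f[6:] if p]})
    return aps, stations

def capr(aps: Dict[str, dict], stations: List[dict]) -> Dict[str, dict]:
    """Client to Access Point Relationship: only APs with at least one
    associated station appear, as the talk describes."""
    linked = defaultdict(list)
    for s in stations:
        if s["bssid"] in aps:
            linked[s["bssid"]].append(s["station"])
    return {b: {"essid": aps[b]["essid"], "color": privacy_color(aps[b]["privacy"]),
                "clients": sorted(c)} for b, c in linked.items()}

def cpg(stations: List[dict]) -> Dict[str, List[str]]:
    """Client Probe Graph: each station with the SSIDs it probed for."""
    return {s["station"]: s["probes"] for s in stations if s["probes"]}

def to_dot(capr_graph: Dict[str, dict], cpg_graph: Dict[str, List[str]]) -> str:
    """Graphviz source; render with: dot -Tpng graph.dot -o graph.png"""
    lines = ["graph wifi {"]
    for bssid, ap in capr_graph.items():
        lines.append('  "%s" [label="%s\\n%s" color=%s];' % (bssid, ap["essid"], bssid, ap["color"]))
        lines.extend('  "%s" -- "%s";' % (st, bssid) for st in ap["clients"])
    for st, probes in cpg_graph.items():
        lines.extend('  "%s" -- "probe:%s" [style=dashed];' % (st, p) for p in probes)
    lines.append("}")
    return "\n".join(lines)

# Constructed sample in airodump-ng's CSV layout (not a real capture)
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-06-16 10:00:00, 2010-06-16 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,    0,   0.  0.  0.  0,   9, SharkFest,
00:11:22:33:44:66, 2010-06-16 10:00:03, 2010-06-16 10:05:00, 11,  54, OPN ,     ,    , -70,   80,    0,   0.  0.  0.  0,   7, FreeNet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2010-06-16 10:00:10, 2010-06-16 10:04:00, -50,  30, 00:11:22:33:44:55, SharkFest,HomeNet
AA:BB:CC:DD:EE:02, 2010-06-16 10:00:12, 2010-06-16 10:04:30, -55,  12, 00:11:22:33:44:55,
AA:BB:CC:DD:EE:03, 2010-06-16 10:01:00, 2010-06-16 10:03:00, -60,   5, (not associated), linksys
"""

if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    print(to_dot(capr(aps, stations), cpg(stations)))
```

For the "network monitor" use mentioned on the Airgraph-ng slide, the same parsed tables are what you would diff between runs: a new BSSID advertising one of your ESSIDs, or a station that probes for your corporate SSID while associated to an open AP, shows up as a new node or edge.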

Airgraph-ng – Examples (2)

• CAPR

Airgraph-ng – Examples (3)

• CPG


GISKismet

• « GISKismet is a wireless recon visualization tool to represent data gathered using Kismet in a flexible manner »
• Display Access Points on Google Earth => requires GPS.
• Also works with airodump-ng

GISKismet (2)

• Store information in a database (SQLite)
• Input: Kismet newcore XML (netxml)
• Outputs a KML file
• Filter data:
  – Input: limited to things like channel, ESSID, …
  – Output: Flexible, SQL query

GISKismet (3)

• Importing data:
  – giskismet -x dump-01.kismet.netxml
• Will create a file called wireless.dbl (SQLite3 database with 2 tables):
  – Clients: all clients
  – Wireless: all AP
• Exporting: giskismet -q SQL_ORDER -o OUTPUT_FILE.kml

GISKismet (4)

SQL Queries:
• All: select * from wireless
• SSID starting with ‘SpeedTouch’: select * from wireless where ESSID like 'SpeedTouch%'
• AP from Aruba Networks: select * from wireless where Manuf = 'Aruba Networks'
• Hotspots: select * from wireless where ESSID like '%hotspot%'
• Channel 6: select * from wireless where channel = 6

Questions?

Links

• Pcap-util: http://www.badpenguin.co.uk/files/pcap-util
• List of supported packets for PTW: http://aircrack-ng.org/doku.php?id=supported_packets
• John The Ripper: http://www.openwall.com/john/
• Markov: http://openwall.info/wiki/john/markov
• Wyd: http://www.remote-exploit.org/?page_id=418
• « Next generation wireless recon … » (Shmoocon 2009): http://spl0it.org/files/talks/Abraham-Smith-NextGenerationWirelessRecon-VisualizingTheAirwaves-ShmooCon2009.pdf (short: http://preview.tinyurl.com/nbsssp)
• Cable loss calculator: http://www.ocarc.ca/coax.htm