04 Encryption and Authentication Mechanisms.v7


  • 8/8/2019 04 Encryption and Authentication Mechanisms.v7

    1/28

    WLSAT Section 3

    04 - Cracking 802.11 Encryption & Authentication.v7, 2007 Institute for Network Professionals, 1/12/11, www.inpnet.org www.HOTLabs.org

    Section 4: Cracking 802.11 Encryption and Authentication

    In the previous section we showed the vulnerabilities of open wireless LANs. In this section we'll show some of the techniques and tools used to break wireless encryption. Once you have cracked the encryption, you can use all the tools from the previous section to see what everyone is doing.

    Some of these techniques are vendor- and protocol-specific attacks. We'll use both Windows and Linux tools to crack encryption and authentication!


    LAB 4.1: LEAP Cracking - Asleap/Pre-Hashed Dictionary File

    The purpose of this lab is to learn how to break the encryption and authentication methods used in securing wireless networks.

    WEP encryption, used for confidentiality and integrity on a wireless LAN, relies on a weak implementation of RC4. The initialization vectors (IVs) that a WEP connection generates for its RC4 keys are weak, which is why the key can be cracked. In order to successfully crack WEP, 800,000 to 1,000,000 WEP-encrypted frames must be captured. In this lab you will capture and crack a WEP key.

    WPA-PSK uses a passphrase for authenticating wireless clients to the network. The WPA passphrase is an 8-63 ASCII character text string that is used to authenticate wireless users. The WPA passphrase is susceptible to a dictionary attack, and this lab will show you how to capture and crack a WPA key.

    LEAP authentication is a Cisco proprietary mechanism that allows users to connect to a wireless network using a username and a password. The username is sent in cleartext and the password is hashed to protect it in transit on the wireless network. The hashing of the password can be broken with a tool called Asleap.

    Product Information / Source

    Omnipeek Personal - Free - http://wildpackets.com

    Asleap - http://asleap.sourceforge.net/

    Where, When, Why

    You have already learned how to capture passwords, web traffic and email content, and how to sniff open wireless networks. But most enterprise-class wireless LANs implement some form of encryption and authentication. Some of those security mechanisms are weak and therefore susceptible to attack. A wireless pen tester must know how to identify those threats and judge how susceptible the network is to attack. It is also necessary to be able to perform the cracks to illustrate to a customer the weaknesses of the wireless network's security.

    Requirements / Dependencies

    Omnipeek Personal, Wireshark, Airpcap USB adapter,


    Aircrack, TamoSoft CommView, Aireplay, Nokia N800 wireless client, CoWPAtty, Asleap, large dictionary file

    Running an ASLEAP Crack against a LEAP Authentication

    Step 1. Prepare to capture the LEAP authentication with Omnipeek.
    Step 2. The instructor will tell you when to start the capture and on what channel.
    Step 3. Start your capture to catch the LEAP conversation.
    Step 4. Save the capture file as a TCP Dump file.
    Step 5. Open a command prompt.
    Step 6. Change to the Asleap directory.
    Step 7. Run Asleap against the capture file using the pre-hashed dictionary.


    Lab 4.2: WEP Cracking and Acceleration

    Aircrack-ng is used to statistically attack traffic gathered from WEP-encrypted wireless routers in order to crack the WEP key used. It can also be used to brute-force WPA keys. Once these keys are cracked, one can associate with the access point as a legitimate user.

    Product Information / Source

    Aircrack-ng - Free / Open Source (GPL, MPL) - http://www.aircrack-ng.org

    Where, When, Why

    Attack

    This tool is designed to recover/crack WEP keys and/or WPA keys

    Usage and Features

    Recover/crack WEP or WPA keys

    Requirements / Dependencies: Linux or Windows operating system; captured traffic of the target access point; time.


    Lab Part 1 - Using Airodump-ng, Aircrack-ng and Aireplay-ng to quickly crack a WEP key

    What you will do in this lab:

    1. Use Airodump-ng to find a target
    2. Capture encrypted traffic
    3. Use aireplay-ng to accelerate IV collection time
    4. Recover the WEP key using a statistical attack with aircrack-ng

    Step 1. Configure your access point for a 64-bit WEP key of 009E4DD7E8 and have your N800 act as a client and connect to your access point. In this tutorial the access point SSID is LinksysL, but yours will be as assigned earlier. Start hitcast on your N800s to generate traffic. Launch Airodump-ng to view your access point and N800 as potential targets.

    Step 2. From a command prompt type the following commands:

    ./ath_monitor (to set your card in monitor mode)
    airodump-ng ath0


    We see plenty of potential targets that are encrypted, a few of which have authenticated wireless clients with traffic.

    Step 3. Once you have located the N800's traffic on your network, we need to switch channels to monitor only that channel. My 'linksysL' access point is on channel 6, as yours should be by default.

    Step 4. From a command prompt type the following command:

    airodump-ng -w /tmp/linksysL_traffic --channel 6 ath0

    Now we can see that we are just on channel 6 and that we have one wireless station (00:13:46:9F:AC:36) that is connected to the access point linksysL. Since we are dumping into a capture file, everything that our card can see will be logged. The Data packets are what are of interest to us when cracking WEP keys; the more you collect, the less time it takes to statistically attack and recover the key. With only 1 client authenticated and little traffic, it will take a long time to collect these packets (we will see how using a replay attack this can be dramatically decreased).

    Step 5. Now you wait! As each unique initialization vector (IV) is collected (indicated by the increase in #Data packets) you get closer to having enough IVs to send to aircrack-ng to be attacked. But you have probably noticed that it can take a very long time to collect enough IVs to crack the key, right? For a 64-bit key you want anywhere from 300,000 to 700,000 unique IVs, and for 128-bit and higher you want 1 million or more.

    So we need to find a way to generate a lot more traffic so that we can collect IVs faster; we can do so with aireplay-ng. From a command prompt type:

    aireplay-ng -3 -b 00:18:39:C8:F3:0F -h 00:13:46:9F:AC:36 ath0

    where -b is YOUR ACCESS POINT MAC and -h is YOUR N800's MAC. This tells aireplay-ng that you want to launch a type 3 attack, which is an ARP replay attack in which an ARP packet is picked out of the air and


    'replayed', or constantly thrown back at the router, causing the router to respond with traffic in the form of an ARP reply.

    312,631 unique IVs should be enough for us to start an attack against a 64-bit key, so let's start. (You have no idea how strong the key will be, so a good rule is to always start with the least and move up. We can specify the guessed key strength with the -n switch.)

    Step 6. From a command prompt type the following command:

    aircrack-ng /tmp/linksysL_traffic*.cap -n 64

    This will give you a list of all the networks where data has been collected. Since we didn't supply the --ivs switch to airodump-ng, it collected all traffic instead of just the IVs. We see that we have 357,169 IVs for the linksysL network. Just type 5 to select that network and the script will do the rest.


    Since we had enough IVs, it only took 18 seconds to recover the 64-bit key used: 00:9E:4D:D7:E8

    Step 7. Now you can connect to the target access point as a legitimate user.

    What you learned in this Lab:

    In this Lab you learned to use the aircrack-ng suite to:

    1. Pick a WEP-enabled wireless access point as a target
    2. Collect unique IVs
    3. Statistically attack the IVs in order to recover the WEP key


    Lab 4.3: WPA Cracking

    Aircrack-ng can also be used to brute-force WPA Pre-Shared Keys (PSK). Once these keys are cracked, one can associate with the access point as a legitimate user.

    Product Information / Source

    Aircrack-ng - Free / Open Source (GPL, MPL) - http://www.aircrack-ng.org

    Where, When, Why

    Attack

    This tool is designed to recover/crack WEP keys and/or WPA keys

    Usage and Features

    Recover/crack WEP or WPA keys

    Requirements / Dependencies: Linux or Windows operating system; captured traffic of the target access point; time.


    What you will do in this lab:

    1. Use Airodump-ng to find a target
    2. Capture encrypted traffic
    3. Use aireplay-ng to deauth a client
    4. Recover the WPA key using aircrack-ng

    Lab Part 1 - Using Airodump-ng, Aireplay-ng, and Aircrack-ng to crack a WPA key

    Step 0. Configure your access point with a WPA-PSK key of applesauce and have your N800 act as a client and connect to your access point. In this tutorial the access point SSID is LinksysL, but yours will be as assigned earlier. Start hitcast on your N800s to generate traffic.

    Step 8. Launch Airodump-ng to find your access point and N800 as potential targets (making sure we log to a capture file so that we can capture the 4-Way handshake).

    Step 9. From a command prompt type the following command:

    airodump-ng -w /tmp/wpa_linksysL --channel 6 ath0


    Step 10. Noticing that our linksysL network has now switched to WPA with the TKIP cipher, our previous WEP-type attack where we collect unique IVs is no longer useful to us. In order to crack a WPA key, we need to see the EAPOL 4-Way handshake that takes place at the very beginning of the association with the access point; obviously we have missed that, as a client is already associated with the access point. We have 2 options:

    1. Wait for someone else (or the same client) to associate and authenticate with the access point.

    2. Force the already-associated client to disconnect and re-connect using a forged deauth packet.

    Step 11. For the sake of time we will use the 2nd option: forging a deauthentication packet using the aireplay-ng tool.

    From a command prompt type the following command:

    aireplay-ng -0 30 -a 00:18:39:C8:F3:0F -c 00:13:46:9F:AC:36 ath0

    where -a is your ACCESS POINT MAC and -c is YOUR N800 MAC. This will launch a deauth attack against the wireless client, forcing it to reauthenticate and therefore allowing us to sniff for the 4-Way handshake.

    Step 12. Use aircrack-ng to verify that we have actually collected the 4-Way handshake.

    Step 13. From a command prompt type the following command:

    aircrack-ng -w /root/wordlist.txt /tmp/*.cap


    (This time we give it a large dictionary file to brute-force with).

    Step 14. Seeing that we have collected the handshake, we choose the target network (3) and let the cracking phase take place.

    Step 15. Now you wait! The time it takes will depend on the key length and complexity, the speed of your computer(s), and the size of your dictionary file.


    Lab 4.4: Aircrack-ng

    Aircrack-ng is used to statistically attack traffic gathered from WEP-encrypted wireless routers in order to crack the WEP key used. It can also be used to brute-force WPA keys. Once these keys are cracked, one can associate with the access point as a legitimate user.

    Product Information / Source

    Aircrack-ng - Free / Open Source (GPL, MPL) - http://www.aircrack-ng.org

    Where, When, Why

    Attack

    This tool is designed to recover/crack WEP keys and/or WPA keys

    Usage and Features

    Recover/crack WEP or WPA keys

    Requirements / Dependencies: Linux or Windows operating system; captured traffic of the target access point; time.


    What you will do in this lab:

    1. Use Airodump-ng to find a target
    2. Capture encrypted traffic
    3. Recover the WEP key

    Lab Part 1 - Using Aircrack-ng to crack a WEP key

    Step 1. Launch Airodump-ng to view potential targets. (It is not necessary to log to a file at this point or to choose a channel, because we don't know anything about our target yet.)

    Step 2. From a command prompt type the following command (run the ath_monitor script first if you need to set your card in monitor mode):

    airodump-ng ath0

    We see plenty of potential targets that are encrypted, a few of which have authenticated wireless clients with traffic.


    Step 3. Pick your target and switch channels to monitor only that channel. For this tutorial I will use the 'linksysL' access point, which is encrypted with WEP and on channel 6.

    Step 4. From a command prompt type the following command:

    airodump-ng -w /tmp/linksysL_traffic --channel 6 ath0

    Now we can see that we are just on channel 6 and that we have one wireless station (00:13:46:9F:AC:36) that is connected to the access point linksysL. Since we are dumping into a capture file, everything that our card can see will be logged. The Data packets are what are of interest to us when cracking WEP keys; the more you collect, the less time it takes to statistically attack and recover the key. With only 1 client authenticated and little traffic, it will take a long time to collect these packets (we will see how using a replay attack this can be dramatically decreased).

    Step 5. Now you wait! As each unique initialization vector (IV) is collected (indicated by the increase in #Data packets) you get closer to having enough IVs to send to aircrack-ng to be attacked.

    Step 6. Once you have enough, you can point aircrack at the capture file for cracking. For a 64-bit key you want anywhere from 300,000 to 700,000 unique IVs, and for 128-bit and higher you want 1 million or more.

    312,631 unique IVs should be enough for us to start an attack against a 64-bit key, so let's start. (You have no idea how strong the key will be, so a good rule is to always start with the least and move up. We can specify the guessed key strength with the -n switch.)

    Step 7. From a command prompt type the following command:


    aircrack-ng /tmp/linksysL_traffic*.cap -n 64

    This will give you a list of all the networks where data has been collected. Since we didn't supply the --ivs switch to airodump-ng, it collected all traffic instead of just the IVs. We see that we have 357,169 IVs for the linksysL network. Just type 5 to select that network and the script will do the rest.

    Since we had enough IVs, it only took 18 seconds to recover the 64-bit key used: 00:9E:4D:D7:E8

    Step 8. Now you can connect to the target access point as a legitimate user.

    What you learned in this Lab:

    In this Lab you learned to use Aircrack-ng to:

    1. Pick a WEP-enabled wireless access point as a target
    2. Collect unique IVs
    3. Statistically attack the IVs in order to recover the WEP key


    Lab Part 2 - Using Aircrack-ng to crack a WPA key

    What you will do in this lab:

    1. Use airodump-ng to find a target
    2. Capture encrypted traffic
    3. Recover the WPA key

    Step 1. Launch Airodump-ng to find potential targets (making sure we log to a capture file so that we can capture the 4-Way handshake).

    Step 2. From a command prompt type the following command:

    airodump-ng -w /tmp/wpa_linksysL --channel 6 ath0

    Step 3. Noticing that our linksysL network has now switched to WPA with the TKIP cipher, our previous WEP-type attack where we collect unique IVs is no longer useful to us. In order to crack a WPA key, we need to see the EAPOL 4-Way handshake that takes place at the very beginning of the association with the access point; obviously we have missed that, as a client is already associated with the access point. We have 2 options:

    1. Wait for someone else (or the same client) to associate and authenticate with the access point.


    2. Force the already-associated client to disconnect and re-connect using a forged deauth packet.

    Step 4. For the sake of time we will use the 2nd option: forging a deauthentication packet using the aireplay-ng tool, which is part of the aircrack-ng suite.

    From a command prompt type the following command:

    aireplay-ng -0 30 -a 00:18:39:C8:F3:0F -c 00:13:46:9F:AC:36 ath0

    This will launch a deauth attack against the wireless client, forcing it to reauthenticate and therefore allowing us to sniff for the 4-Way handshake.

    Step 5. Use aircrack-ng to verify that we have actually collected the 4-Way handshake.

    Step 6. From a command prompt type the following command:

    aircrack-ng -w /tmp/Wordlists/large_dictionary_file.txt /tmp/wpa_linksysL*.cap

    (This time we give it a large dictionary file to brute-force with).

    Step 7. Seeing that we have collected the handshake, we choose the target network (3) and let the cracking phase take place.

    Step 8. Now you wait! The time it takes will depend on the key length and complexity, the speed of your computer(s), and the size of your dictionary file. The supplied dictionary file is very large.


    Step 9. We have the WPA key! 'security' was the word used as the key. Now we can authenticate with the access point as a regular user.
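The key derivation behind the dictionary attack in Steps 6 through 9 above (and in Lab 4.3), as an added example that is not part of the lab text or the aircrack-ng suite: it computes the WPA-PSK Pairwise Master Key from passphrase and SSID with Python's standard library, checks it against the IEEE 802.11i test vector, and audits a configured passphrase against a small constructed wordlist. The wordlist, the SSID case variants and the function names are this example's assumptions; the passphrases 'applesauce' and 'security' and the SSID linksysL are the lab's.

```python
"""Added example (not code from the lab or the aircrack-ng project).

A WPA/WPA2-PSK network turns the passphrase the lab configured
('applesauce', later 'security') into the 256-bit Pairwise Master Key:

    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dkLen=32)

Everything the 4-Way handshake exposes is derived from the PMK, so an
offline dictionary attack pays exactly one PBKDF2 run per candidate word
per SSID. That is why the lab's crack time depends on passphrase
complexity and dictionary size, and why a dictionary word is recovered
no matter how strong the AP's cipher (TKIP or CCMP) is.
"""
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i
PMK_LEN = 32               # 256-bit key


def is_valid_passphrase(passphrase: str) -> bool:
    """WPA passphrases are 8 to 63 printable ASCII characters
    (64 characters means a raw hex PMK was entered instead)."""
    return (8 <= len(passphrase) <= 63
            and passphrase.isascii() and passphrase.isprintable())


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK for a WPA-PSK network; raises on a malformed passphrase."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN,
    )


def pmk_hex(passphrase: str, ssid: str) -> str:
    return derive_pmk(passphrase, ssid).hex()


def wordlist_hit(wordlist, ssid: str, configured_pmk: bytes):
    """Defender-side audit: would the passphrase behind `configured_pmk`
    fall to the lab's dictionary attack with this wordlist?

    Returns the matching word or None. Each candidate costs the same
    PBKDF2 run an offline attack pays, so timing this over a real wordlist
    shows how long a weak passphrase survives.
    """
    for word in wordlist:
        word = word.strip()
        if not is_valid_passphrase(word):
            continue   # cannot be a WPA passphrase at all
        if hmac.compare_digest(derive_pmk(word, ssid), configured_pmk):
            return word
    return None


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print("PMK(password, IEEE) =", pmk_hex("password", "IEEE"))
    # The lab's key, bound to the lab SSID. Changing the SSID's case changes
    # the PMK entirely, which is why precomputed tables are per-SSID.
    for ssid in ("linksysL", "LinksysL"):
        print(f"PMK(security, {ssid}) =", pmk_hex("security", ssid))
    # Constructed mini wordlist: the audit finds the lab's passphrase.
    words = ["password", "letmein", "applesauce", "security", "short"]
    pmk = derive_pmk("security", "linksysL")
    print("wordlist hit:", wordlist_hit(words, "linksysL", pmk))
```

Swapping in an organisation's real wordlist and its configured passphrase turns `wordlist_hit` into a pre-deployment policy check; a hit means the network would have fallen exactly as the lab's did.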


    Lab 4.5: Aireplay-ng

    Aireplay-ng is a utility used to dramatically decrease the time it takes to collect enough data to crack a WEP key, or to forge deauthentication frames to cause a DoS attack.

    Product Information / Source

    Aireplay-ng - GPL - http://www.aircrack-ng.org/

    Where, When, Why

    Attack

    It can take a lot of valuable time to collect enough data on a WEP-enabled wireless network in order to crack a WEP key; time that Joe IT might not have in order to conduct his penetration test. Aireplay-ng will allow Joe to dramatically reduce the time it takes to break into a WEP-enabled access point, so that he can spend more time focusing on other weaknesses of the client's network.

    Usage and Features

    Different attack modes; can use live captured packets, forged packets, or archived packets.

    Requirements / Dependencies: Linux operating system; patched drivers for the supported wireless card; supported wireless card.

    What you will do in this lab:

    1. Find a WEP-enabled access point
    2. Launch a replay attack


    Lab Part 1 - Using Aireplay-ng to speed up IV collection time

    Step 1. Become root by typing su at a command prompt and typing in the root password.

    Step 2. Launch airodump-ng in order to view target access points.

    Step 3. Find the target access point and switch airodump-ng to monitor only that channel. We will use linksysL on channel 6.

    Step 4. From a command prompt type the following command:

    airodump-ng -w /tmp/linksysL_capture --channel 6 ath0

    Step 5. There is not a lot of traffic, so we will be here for a long time collecting enough IVs to launch an attack against the WEP key. Launching a replay attack will help fix that.

    Step 6. From a command prompt type the following command:

    aireplay-ng -3 -b 00:18:39:C8:F3:0F -h 00:13:46:9F:AC:36 ath0

    This tells aireplay-ng that you want to launch a type 3 attack, which is an ARP replay attack in which an ARP packet is picked out of the air and


    'replayed', or constantly thrown back at the router, causing the router to respond with traffic in the form of an ARP reply. The -b switch is the MAC address of the router, -h is the MAC address of an authenticated client, and then we supply the interface from which the replay attack will be launched.

    Step 7. At this rate the amount of time it will take is dramatically less, and we can soon send our packets off to aircrack-ng to be cracked. Overall it took us about 10 minutes to collect the amount of traffic (128,332 packets, as seen in the picture above) that otherwise would have had us sitting around for weeks.

    NOTE: See the attached video created by muts of BackTrack entitled 'Clientless WEP Cracking' for a demonstration of how to crack a WEP key of an access point with no connected clients, as well as 'Cracking WEP in 10 minutes' to see aireplay in action.

    What you learned in this Lab:

    In this Lab you learned to use Aireplay-ng to:

    1. Speed up an attack against a WEP enabled access point


    Lab Part 2 - Using Aireplay-ng to deauthenticate a client

    What you will do in this lab:

    1. Locate a wireless client and forge a deauthentication packet to force a disconnection/reconnection

    Step 1. Become root by typing su at a command prompt and typing in the root password.

    Step 2. Launch airodump-ng in order to view possible targets by typing:

    airodump-ng ath0

    Step 3. Choose the client that you would like to deauthenticate and forge a deauth packet using the aireplay-ng -0 attack. -a supplies the BSSID of the access point, and it is always more effective if you supply the -c station switch; otherwise it will send to broadcast, and that is not very reliable.


    Step 4. From a command prompt type the following command:

    aireplay-ng -0 10 -a 00:18:39:C8:F3:0F -c 00:13:46:9F:AC:36 ath0

    If successful, this attack will force the station 00:13:46:9F:AC:36 to disconnect. This is useful in a denial of service attack, for sniffing for the EAPOL 4-Way handshake, or for other credentials that might be passed at the beginning of a session.
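Detection of the forged deauthentication burst described above (and used in Lab 4.3, Step 11), as an added example that is not part of the lab text or the aircrack-ng suite: a sliding-window detector run over constructed 802.11 frame records. The Frame layout, the threshold and window values, the sample timestamps and the reason codes are this example's assumptions; the AP and station MAC addresses are the ones the lab uses.

```python
"""Added example (not code from the lab or the aircrack-ng project):
detection logic a wireless IDS runs to catch the forged deauthentication
burst that the lab's 'aireplay-ng -0' step produces.

A real AP deauthenticates a given client rarely. The lab's attack sends
10 or 30 deauth frames (management type 0, subtype 12) spoofed from the
AP's BSSID to one station within a few seconds, so a sliding-window count
per (BSSID, station) pair separates the two cleanly. 802.11w management
frame protection stops spoofed deauths from being honoured at all; this
detector is the compensating control where 802.11w is not deployed.

The frame records are constructed for this example; the field layout is
a simplified view of the 802.11 header, not any tool's output format.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

MGMT = 0              # 802.11 frame type: management
BEACON = 8            # management subtypes
DISASSOC = 10
DEAUTH = 12
DATA = 2              # 802.11 frame type: data
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ts: float      # capture timestamp, seconds
    ftype: int     # frame type
    subtype: int   # frame subtype
    addr1: str     # receiver (the station being kicked, or broadcast)
    addr2: str     # transmitter as claimed in the header
    bssid: str
    reason: int    # reason code carried by deauth/disassoc frames


def detect_deauth_floods(frames, threshold=5, window=2.0):
    """Return {(bssid, station): alert} for every pair that receives
    `threshold` or more deauth/disassoc frames within `window` seconds.

    Only the first crossing per pair is reported, with the count at that
    moment and the timestamps bounding the burst.
    """
    recent = defaultdict(deque)
    alerts = {}
    for f in sorted(frames, key=lambda x: x.ts):
        if f.ftype != MGMT or f.subtype not in (DEAUTH, DISASSOC):
            continue
        key = (f.bssid, f.addr1)
        q = recent[key]
        q.append(f.ts)
        while q and f.ts - q[0] > window:   # drop frames outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {"count": len(q), "first": q[0], "last": f.ts,
                           "reason": f.reason}
    return alerts


def build_sample_frames():
    """Constructed capture: 13 s of beacons and data from the lab's AP,
    one legitimate deauth early on, then a 10-frame burst at t=10 s like
    the one 'aireplay-ng -0 10' sends. MACs are the ones used in the lab."""
    ap, sta = "00:18:39:C8:F3:0F", "00:13:46:9F:AC:36"
    frames = [Frame(0.0, MGMT, DEAUTH, sta, ap, ap, 3)]   # reason 3: STA leaving, normal
    frames += [Frame(float(t), MGMT, BEACON, BROADCAST, ap, ap, 0) for t in range(1, 14)]
    frames += [Frame(t + 0.5, DATA, 0, sta, ap, ap, 0) for t in range(1, 14)]
    burst = [10.0, 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9]
    frames += [Frame(t, MGMT, DEAUTH, sta, ap, ap, 7) for t in burst]  # constructed reason code
    return frames


def run_detection():
    return detect_deauth_floods(build_sample_frames())


if __name__ == "__main__":
    for (bssid, station), a in run_detection().items():
        print(f"ALERT deauth flood: {a['count']} frames to {station} from BSSID {bssid} "
              f"between t={a['first']:.1f}s and t={a['last']:.1f}s (reason {a['reason']})")
```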


    Lab 4.6: Airodump-ng

    Airodump-ng is a wireless discovery utility that will display all access points within range of your wireless card, as well as signal strength, encryption status and wireless clients in the area, and log all information gathered to a packet capture file for analysis.

    Product Information / Source

    Airodump-ng - Free / Open Source (GPL, MPL) - http://www.aircrack-ng.org

    Where, When, Why

    Network Analysis

    Joe IT would use this tool when he needs an idea of what access points are in the area and who is connecting to these access points, how much traffic is moving on the network, what access points clients are probing for, and what type of encryption is used on the networks. He can also very easily use this tool to log captured network traffic to a file.

    Usage and Features

    Displays access points / wireless networks in range; displays the encryption types used by the wireless networks; shows which wireless clients are probing for or associated with which AP; logs captured traffic to a capture file.

    Requirements / Dependencies: Linux or Windows operating system; wireless card with a supported chipset (the Ubiquiti card has the supported Atheros-based chipset).

    Where to Go for More Information

    http://www.aircrack-ng.org


    What you will do in this lab:

    1. View wireless traffic in range
    2. Log traffic to a capture file

    Step 5. Put the card into monitor mode by running the script ath_monitor at the command prompt.

    Step 6. Launch airodump-ng with the appropriate parameters.

    Step 7. Notice that we need to run this as root, so type su followed by the root password. The parameters that need to be supplied can be seen in the picture above. A simple way to launch the application with logging to a file and hopping all channels would be typed as follows:

    airodump-ng -w /tmp/capture_file ath0

    Step 8. Once that command is executed, the screen will display all information that can be gathered in the area.


    From the screenshot we can see in the top left-hand corner we have the BSSID, which is the MAC address of each access point that is in range. We then see the power or signal strength (usually a good indicator of how close it is), followed by the beacons that are being sent from the access point, the data that is airborne, channel, encryption type, and ESSID (SSID). If it is not broadcast, then you will see a placeholder. On the bottom we see wireless stations (wireless clients that are either associated to a certain access point or just in the area and probing).

    Step 9. Since we didn't specify a channel as a parameter, we are hopping all channels. (Notice the CH variable in the top left changing?) You can specify a certain channel by stopping the script with CTRL-C and adding the --channel parameter:

    airodump-ng -w /tmp/capture_file --channel n ath0

    Then you will only listen on channel n.

    Step 10. To view the traffic that we have captured, open the capture file in your favorite protocol analyzer. For this purpose we will use Wireshark. At the command prompt type:

    wireshark /tmp/capture_file

    and look for interesting traffic. (More details about this will be given in another lesson, but as a quick example we can see that in our capture file we were able to watch someone log in to their web-based email account.)


    What you learned in this Lab:

    In this Lab you learned to use Airodump-ng to:

    1. Find MAC addresses of access points within range
    2. Find broadcast SSIDs in range
    3. Capture and view traffic of wireless networks
    4. Find MAC addresses of wireless clients within range
    5. Get an overall picture of the type of traffic happening on your target network