WEP WPA WPS :: INDEX : Introduction :

Similar documents
WEP WPA WPS :: INDEX : Introduction :

MITM Man in the Middle

Wireless LAN Pen-Testing. Part I

ALEXANDRE BORGES BLOG

WiFi Security Assessments

WEP Overview 1/2. and encryption mechanisms Now deprecated. Shared key Open key (the client will authenticate always) Shared key authentication

Methodology: Security plan for wireless networks. By: Stephen Blair Mandeville A. Summary

Kali Linux Cookbook. Willie L. Pritchett David De Smet. Chapter No. 9 "Wireless Attacks"

0) What is the wpa handhake?

Wireless Encryption Protection

S /3133 Networking Technology, laboratory course A/B

Vulnerabilities of Wireless Security protocols (WEP and WPA2)

Building secure wireless access point based on certificate authentication and firewall captive portal

Offensive Security. Wireless Attacks - WiFu

Wifi Penetration. Wireless Communication and Computer/Network Forensics

WIRELESS SECURITY TOOLS

Authentication in WLAN

Capture and analysis of wireless traffic

Configuring Wireless Security on ProSafe wireless routers (WEP/WPA/Access list)

Wireless LAN Security Mechanisms

Wireless Network Security. Pat Wilbur Wireless Networks March 30, 2007

SSI. Commons Wireless Protocols WEP and WPA2. Bertil Maria Pires Marques. Dez Dez

An Experimental Study Analysis of Security Attacks at IEEE Wireless Local Area Network

WPA Migration Mode: WEP is back to haunt you...

Project 3: Network Security

Introduction to WiFi Security. Frank Sweetser WPI Network Operations and Security


Wireless Security: Secure and Public Networks Kory Kirk

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

PENETRATION TESTING ON A WIRELESS NETWORK.

A6210 WiFi USB Adapter ac USB 3.0 Dual Band User Manual

Analysis of Security and Penetration Tests for Wireless Networks with Backtrack Linux

Wireless Hacking Haifux. Wireless Hacking. Edri Guy. Mar 04,2013. See-Security. Mar Wireless Hacking - Haifux

Topics in Network Security

Introduction on Low level Network tools

The next generation of knowledge and expertise Wireless Security Basics

Virtual Access Points

CONNECTING THE RASPBERRY PI TO A NETWORK

Network Attacks. Common Network Attacks and Exploits

Wireless Networks. Welcome to Wireless

How To Secure A Wireless Network With A Wireless Device (Mb8000)

White paper. Testing for Wi-Fi Protected Access (WPA) in WLAN Access Points.

Configuring Security Solutions

Wireless Pre-Shared Key Cracking (WPA, WPA2)

NBG2105. User s Guide. Quick Start Guide. Wireless Mini Travel Router. Default Login Details. Version 1.00 Edition 1, 11/2012

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Practical Approach in Teaching Wireless LAN Security using Open Source Software

LEARNING COMPUTER SYSTEMS VULNERABILITIES EXPLOITATION THROUGH PENETRATION TEST EXPERIMENTS

FinIntrusion Kit / Release Notes FINUSB SUITE SPECIFICATIONS. FINFISHER: FinIntrusion Kit 2.2 Release Notes

ECE 4893: Internetwork Security Lab 10: Wireless Security

9 Simple steps to secure your Wi-Fi Network.

N600 WiFi USB Adapter

Kvaser BlackBird Getting Started Guide

Configure WorkGroup Bridge on the WAP131 Access Point

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

BASIC INSTRUCTIONS TO CONFIGURE ZYXEL 660HW-D1 CPE USING THE WEB INTERFACE

CSC574: Computer and Network Security

CYBERTRON NETWORK SOLUTIONS

MN-700 Base Station Configuration Guide

Wireless LAN g USB Adapter

DefCon 22. Wireless Penetration Testing and How to WCTF

Chapter 3 Safeguarding Your Network

Setting up a WiFi Network (WLAN)

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

WLAN Security Networking with Confidence

WLAN Authentication and Data Privacy

Developing Network Security Strategies

NXC5500/2500. Application Note w Management Frame Protection. ZyXEL NXC Application Notes. Version 4.20 Edition 2, 02/2015

WHITE PAPER. WEP Cloaking TM Maximizing ROI from Legacy Wireless LAN

DV230 Web Based Configuration Troubleshooting Guide

WIRELESS NETWORK SECURITY

Wireless Tools. Training materials for wireless trainers

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security

Digicom Remote Control for the SRT

United States Trustee Program s Wireless LAN Security Checklist

Chapter 2 Configuring Your Wireless Network and Security Settings

Using Microsoft Vista and Windows XP to Manage Wireless Network Connections

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Hacking. Aims. Naming, Acronyms, etc. Sources

Nokia E90 Communicator Using WLAN

Penetration Testing Report. Client: xxxxxx Date: 19 th April 2014

Chapter 6 CDMA/802.11i

Table of Contents. Cisco Wi Fi Protected Access 2 (WPA 2) Configuration Example

Go Wireless. Open up new possibilities for work and play

VIVA 4G LTE Mini Router. Quick Start Guide

WUA Mbps Wireless USB Network Adapter

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.

Basic processes in IEEE networks

WHITE PAPER. WEP Cloaking for Legacy Encryption Protection

Self Help Guide IMPORTANT! Securing Your Wireless Network. This Guide refers to the following Products: Please read the following carefully; Synopsis:

A COMPARITIVE ANALYSIS OF WIRELESS SECURITY PROTOCOLS (WEP and WPA2)

Configuring Your Network s Security

Transcription:

WEP WPA WPS With clients Without clients :: INDEX : Introduction > Overview > Terms & Definitions [ Step 1 ] : Configuring the network interface [ Step 2 ] : Collecting the network info [ Step 3 ] : Capturing data [ Step 4 ] : Initializing the ARP request / relay [ Step 5 ] : Deauthenticating the client [ Step 6 ] : Decrypting the IVs Introduction : This guide was created to demonstrate the encryption vulnerabilities of WEP (Wired Equivalent Privacy). Breaking into a protected wireless network is illegal! The content and instructions contained herein are for educational purposes, only. I did not break the law when creating this example. All information in the screenshots is that of my own networks that I compromised for this demonstration. You may attempt the steps outlined at your own risk - on your own network. If you wish to hack an other wireless network you must get permission from the network owner. Breaking a WEP key involves using network monitoring software to capture weak IVs (initialization vectors) and a cracking software to decrypt them. The software we will be using in this guide is the aircrack-ng suite that is included with Backtrack linux. There are several flavors of linux that come with this software including Auditor, Backtrack, and Kali linux. In this guide we will be using Backtrack 5 R3. Generally, the idea is to use your wireless adapter to capture any weak IVs being sent to/from the Access Point. We capture these IVs by intercepting and relaying ARP requests to the Access Point causing it to reply with more IVs. Once enough data (IVs) has been collected it can be decrypted using the Aircrack-ng software to display the wep key in plain text. This guide will explain how all of this takes place and outline the steps involved in a successful hack.

[Intro] - Overview : In this scenario we are targetting a WEP encrypted network with open authentication that has at least 1 client connected. This is probably the easiest possible scenario in terms of hacking wifi networks. It works almost every time. Even if there isn't much network traffic - a deauth packet can still be issued to any idle clients to stimulate an ARP request. In this scenario we are making 3 assumptions : (1) You've got Backtrack running properly. (2) The target network is using WEP (open). (3) There is at least 1 client connected to the Access point. The lesson to be learned from this demonstration is that WEP should be avoided whenever possible. Instead you should use WPA-PSK with a strong password consisting of both letters AND numbers. [Intro] - Terms & Definitions : There are a few terms used throughout this guide that are important to know when beginning the processes. Aircrack-ng MAC Address Access Point BSSID ESSID Channel Network Interface Client / Station Capture ARP Request IV A set of tools included with Backtrack. Includes aircrack, airodump, aireplay, airdecap, airolib. A unique combination of letters/numbers assigned as a "permanent" identifier to network hardware. The technical term for the "Router" or "Gateway". Also referred to as a "WAP". The MAC Address of the Access Point. The Broadcast name of the Access Point. The frequency at which data is being broadcast. The device used to send/receive data. Example : wlan0 or mon0. A computer/device connected/associated to an Access point. The process/data that is collected when monitoring an Access point with Airodump. Is a packet sent to/from the router/client in an to establish or maintain a connection. "Initialization Vectors" are packets that contain a small encrypted portion of the wep key. - Throughout this guide the terms Client and Station will be used interchangeably as they refer to the same thing. - The terms Password and Key will also be used interchangeably as they too mean the same thing.

[Step 1] - Configuring the network interface : - When executing commands in the terminal it is necessary to declare which network interface you would like to use. - You can retrieve a list of available interfaces by entering the iwconfig command with no parameters. The Interface names will be listed in the left column. - Your wireless interface will be identified as an "IEEE 802.11" device. possible examples : wlan0, wlan1 or rausb0. - In this example, all we have to do to configure our interface is set it to "monitor mode". This can be done with a single command : iwconfig mode monitor mode monitor Sets the network interface to monitor mode. iwconfig wlan0 mode monitor - If you receive an error stating that the device is busy then you will have to turn it off first using the ifconfig command. If so, you will also have to turn the device back on again after setting it to monitor mode. ifconfig down ifconfig up - If you are unable to put your device into monitor mode using the iwconfig command - you can also try using the airmon-ng command. - Using airmon-ng will usually create a new device / interface to monitor traffic with. It's often named mon0. - In most cases iwconfig works just fine and it doesn't create any additional interfaces but airmon-ng will usually work when iwconfig does not. airmon-ng start airmon-ng start wlan0

[Step 2] - Collecting the network info : - To perform the attack we must first gather a bit of information about the network. Everything we need can be collected using the airodump-ng command. - The required information includes: The BSSID (MAC Address of the target Access Point). The ESSID (Name of the Access Point). The MAC Address of any associated clients / stations. The Channel that the Access Point is broadcasting on. - After collecting the necessary information - you can terminate the airodump command by pressing Ctrl+C on the keyboard. - As you'll see in the see in the image below - Our selected target is using WEP which is vulnerable to our attack. airodump-ng airodump-ng wlan0

[Step 3] - Capturing data : - Now that we have the required information - we can lock in on the Access Point and start capturing data. - This step also uses the airodump-ng command however we will add some parameters so that it saves traffic to a file. - The first parameter to specify is the channel. This is done with the -c [Channel] parameter. - The next parameter to specify is the output filename. This is done with the -w [Filename] parameter. - Another parameter we will use is the --ivs parameter. This tells airodump only to save the IVs in our capture. - This will display the same output as it did before but will be focused on a specified channel and will also save any traffic to our capture file. - The capture file automatically appends a number to the filename as well as a.ivs extension. mycapture-01.ivs - This command should be kept running in the background while you complete the next steps. Do not terminate it. airodump-ng -c [Channel] -w [Filename] --ivs -c The channel the Access Point is broadcasting on. -w The output filename to write to. --ivs Save IVs to file. airodump-ng -c 11 -w mycapture --ivs wlan0

[Step 4] - Initializing the ARP request / relay : - Once you have started capturing data it is time to capture an ARP request and relay it back to the Access Point to increase the flow of IVs. - Since we have a client connected to the Access Point we can attempt to intercept one of their ARP requests. - We will use a standard ARP Request Replay (-3) attack with the aireplay-ng command. - This command requires 3 parameters : -b [BSSID], -h [Client MAC], and the network interface. - It may take a while to capture an ARP request - particularly on networks with little traffic. - Once an ARP Request has been captured - your aireplay-ng command will begin relaying it back to the Access Point at a rapid rate. This will be displayed in the aireplay-ng window and you will also see it in the airodump-ng window under the data column. - After you've collected about 50,000 IVs (displayed in the data column of airodump-ng) then you can proceed to attempt cracking the key. You should leave airodump and aireplay running while you crack it. - If you are unable to capture an ARP request by passively monitoring the network you can stimulate an ARP request by deauthenticating an associated client (see next step). aireplay-ng -3 -b [BSSID] -h [STATION MAC] -3 "ARP Relay" attack mode. -b BSSID (MAC Address) of target network. -h MAC Address of client. aireplay-ng -3 -b 6A:1C:A2:00:A1:3E -h 00:22:43:84:E4:D1 wlan0

[Step 5] - Deauthenticating the client : * If you were successful in capturing an ARP request in the previous step then you can skip this step. You do not need to deauthenticate any clients. - If you are unable to passively capture an ARP request then you can stimulate one by deauthenticating (kicking off) an associated client. This will cause the targetted client to re-authenticate / re-associate automatically and issue an ARP request. - If deauthenticating a particular client does not yield an ARP request then you can try deauthenticating another client. - You can also send a deauth packet to all clients by excluding the client parameter (-c) however it's best to specify one. - You shouldn't have to send any more than 3-5 deauth packets at a time. Too many could prevent the client from reconnecting. aireplay-ng -0 [Number of Packets] -a [BSSID] -c [STATION MAC] -0 "Deauthentication" attack mode. [Number of Packets] The number of deauth packets to send. -a BSSID (MAC Address) of target network. -c MAC Address of client. aireplay-ng -0 4 -a 6A:1C:A2:00:A1:3E -c 00:22:43:84:E4:D1 wlan0

[Step 6] - Decrypting the IVs : - After we have collected enough IVs we can begin decrypting the collected data. Usually about 100-200k is good for a 128 Bit wep key. 64 bit will work with much less. - We will crack the key using the aircrack-ng command. - Instead of specifying an exact number in the filename we will use a wildcard * (asterisk) to read all of our captured data. This is useful if you've ran airodump more than once resulting in multiple.ivs files. aircrack-ng -e [ESSID] [Filename] -e ESSID (name) of target network. [Filename] The output file name created with the airodump-ng command. aircrack-ng -e homenetwork mycapture*.ivs - In this example - my computer decrypted the 128-bit WEP key with just 50,000 IVs. - The recovered password / key is : E69F30EB2AC7528EACC71943B8. Copyright 2014 QuickFix PEI

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information