An Introduction to Wireless Hacking

Transcript

1. An Introduction to Wireless Hacking PRESENTED BY GRANT BOUDREAU, OSCP,

   OSWP CONSULTANT, CYBER SECURITY MNP LLP

2. Few things about me…

3. Overview • Hardware requirements • Software - Aircrack-ng Suite •

   WEP Cracking • WPA/WPA2 Cracking • WPA/WPA2 Cracking with John the Ripper • Questions

4. Hardware Requirements Source: https://www.raymond.cc/blog/best-compatible-usb-wireless-adapter-for-backtrack-5-and-aircrack-ng/

5. Hardware Requirements • Need to support injection • Model revisions

   can have different chipsets • Ex: Rev1 may have Atheros chipset, Rev2 may have a TI chipset • Best to do research before just buying any wireless NIC Wireless NICs

6. Hardware Requirements • Omnidirectional – Spherical pattern Antennas Source: https://rcexplorer.se/projects/2009/06/understanding-antenna-gain/

   Source: https://www.geckoandfly.com/10213/wireless-router-antenna-distance-coverage-comparison/

7. Hardware Requirements • Directional – Directional pattern Antennas Source: https://rcexplorer.se/projects/2009/06/understanding-antenna-gain/

   Source: https://www.geckoandfly.com/10213/wireless-router-antenna-distance-coverage-comparison/

8. Hardware Requirements • Yagi – Even more directional Antennas Source:

   https://www.caworldwifi.com/900Mhz-14-db-gain-Yagi-Antenna.html Source: https://www.ubersignal.com/wilson-yagi-antenna-700-800-900-mhz-with-n-female-connector-301111.html

9. Software – Aircrack-ng Suite Source: https://www.aircrack-ng.org/

10. Software - Aircrack-ng Suite • Airmon-ng • Airodump-ng • Aireplay-ng

    • Aircrack-ng Aircrack-ng Essentials

11. Software - Aircrack-ng Suite • Used to enable and disable

    monitor mode on the wireless NIC • Example usage: • airmon-ng <start|stop> <interface name> [channel] • airmon-ng <check|check kill> Airmon-ng

12. Software - Aircrack-ng Suite • Used for packet capturing of

    raw 802.11 frames • Collects WEP weak IVs (Initialization Vector) • With a GPS receiver, can log coordinates of found APs • Example usage: • airodump-ng <options><interface name> Airodump-ng

13. Software - Aircrack-ng Suite • Primary function: generate traffic for

    later use in aircrack-ng • Different attacks: • Deauthentication • Fake authentication • Interactive packet replay • Hand-crafted ARP request injection • ARP request reinjection • Example usage: • aireplay-ng <options> <replay interface> Aireplay-ng

14. Software - Aircrack-ng Suite • An 802.11 WEP and WPA/WPA2-PSK

    key cracking program. • Example usage: • aircrack-ng [options] <capture file(s)> Aircrack-ng

15. WEP Cracking ONE OF MANY WAYS… Source: https://play.google.com/store/apps/details?id=handy.wep.password

16. WEP Cracking • Write down wireless NIC MAC address and

    put the wireless NIC in monitor mode. Step 1

17. WEP Cracking • Use airodump-ng to collect info on SSIDs

    Step 2

18. WEP Cracking • Use aireplay-ng to fake authenticate to the

    AP and replay ARP requests. Step 3

19. WEP Cracking • Use aircrack-ng to crack the password Step

    4

20. WEP Cracking

21. WPA/WPA2 Cracking Source: https://dilanwarnakulasooriya.wordpress.com/2012/08/14/crack-wireless-wap-key-using-reaver/

22. WPA/WPA2 Cracking • Write down wireless NIC MAC address and

    put the wireless NIC in monitor mode. Step 1

23. WPA/WPA2 Cracking • Use airodump-ng to collect info on SSIDs

    Step 2

24. WPA/WPA2 Cracking • Use aireplay-ng to deauthenticate a client from

    the AP to capture the 4-way handshake Step 3

25. WPA/WPA2 Cracking • Use aircrack-ng to crack the password Step

    4
26. None

27. WPA/WPA2 Cracking with JTR Source: https://www.kitploit.com/2014/12/john-ripper-180-jumbo-1-fast-password.html/

28. WPA/WPA2 Cracking with JTR • Write down wireless NIC MAC

    address and put the wireless NIC in monitor mode. Step 1

29. WPA/WPA2 Cracking with JTR • Use airodump-ng to collect info

    on SSIDs Step 2

30. WPA/WPA2 Cracking with JTR • Use aireplay-ng to deauthenticate a

    client from the AP to capture the 4-way handshake Step 3

31. WPA/WPA2 Cracking with JTR • Password was changed from mastersword

    to mastersword123. mastersword123 is not in the shortlist.txt password list. Step 4

32. WPA/WPA2 Cracking with JTR • Need to edit JTR’s word

    mangling rules to reflect the additional digits at the end of the password. Edit /etc/john/john.conf and add $[0-9]$[0-9]$[0-9] in the [List.Rules:WordList] section. Step 4 – continued

33. WPA/WPA2 Cracking with JTR • Test the new changes to

    see if they worked. Step 4 – continued

34. WPA/WPA2 Cracking with JTR • Use aircrack-ng with JTR to

    get the WPA2 password. Step 5

35. WPA/WPA2 Cracking with JTR • Use aircrack-ng with JTR to

    get the WPA2 password. Step 5 – continued

36. In walks in the KRACKen • The weaknesses are in

    the Wi-Fi standard itself. • The adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. • Patch all the things! KRACK - Key Reinstallation Attack Source: https://dribbble.com/shots/2594100-Kraken

37. In Conclusion… Source: http://theandroidpoint.com/hack-wifi-using-wps-wpa-tester-premium-wps-connect/

38. In Conclusion • 1) Only do this within your private

    lab. Once packet injection is done, the whole process becomes illegal. • 2) It can be very fun! But can also be frustrating when trying to get everything to work. • 3) If things aren’t working right, try separating the wireless devices. The closer they are, the more issues can happen. All my devices were just over a metre of each other.

39. Questions?

40. Thank you! Twitter: @gzboudreau Podcast: https://eastcoastinfosec.ca/