7/28/2019 MB-6 Introduction to WiFi Security and Aircrack-Ng
Introduction to WiFi security and Aircrack-ng
Thomas d'Otreppe, Author of Aircrack-ng
~# whoami
Author of Aircrack-ng and OpenWIPS-ng
Work at NEK Advanced Securities Group
Agenda
IEEE 802.11
Wifi Networks
Wireless Frames
Network interaction
Choose hardware
Aircrack-ng suite
IEEE 802.11
Institute of Electrical and Electronics Engineers
Leading authority
Split in committees and working groups
802 committee: Network related norms
.11 working group: Wireless LAN
Texts available for download
802.11 Protocols
Lots of them
Main protocols:
802.11
802.11a/b/g/n/ac
802.11i
802.11
Standard released in 1997
Rates: 1-2 Mbit
Infrared/Radio (DSSS/FHSS)
CSMA/CA
802.11b
Amendment
CCK coding
New rates: 5.5 and 11 Mbit
2.4 GHz ISM band
14 overlapping channels
22 MHz channels
802.11b (2)
802.11a
5 GHz band
More expensive => less crowded
More than 14 channels (no overlap)
OFDM
Max rate: 54 Mbit
802.11g
~= 802.11a on 2.4 GHz
Backward compatible with 802.11b
802.11n
Work started in 2004
Final: September 2009
Single user MIMO
2.4 GHz and 5 GHz
40/80 MHz channels
MCS rates - http://mcsindex.com
Greenfield mode
802.11n (2)
802.11ac
Ran out of single letters, hence the 2 letters
First draft: January 2011
5 GHz only
Multi user MIMO
Different MCS rates
Up to 1 Gbit/s+ per user
80/160 MHz channels
802.11ac MCS rates 1x1
802.11 Networks
3 main modes of wireless operation:
Infrastructure
WDS
Ad Hoc
Monitor Mode
802.11 Networks - Infrastructure
802.11 Networks - WDS
802.11 Networks - Ad Hoc
802.11 Frames
Frame format
3 Types of frames:
Management
Control
Data
802.11 Frame
802.11 Frame - ToDS/FromDS fields
ToDS  FromDS  Address 1  Address 2  Address 3  Address 4
0     0       DA         SA         BSSID      -
0     1       DA         BSSID      SA         -
1     0       BSSID      SA         DA         -
1     1       RA         TA         DA         SA
DA: Destination Address
RA: Recipient Address
SA: Source Address
TA: Transmitter Address
BSSID: Basic Service Set Identifier (MAC of the Access Point)
802.11 Frames - Management Frames
Type  Subtype  Meaning
0     0        Association Request
0     1        Association Response
0     2        Reassociation Request
0     3        Reassociation Response
0     4        Probe Request
0     5        Probe Response
0     6        Measurement Pilot
0     7        Reserved
0     8        Beacon
0     9        ATIM
0     10       Disassociation
0     11       Authentication
0     12       Deauthentication
0     13       Action
0     14       Action No ACK
0     15       Reserved
802.11 Frames - Control Frames
Type  Subtype  Meaning
1     0-6      Reserved
1     7        Control Wrapper
1     8        Block ACK request
1     9        Block ACK
1     10       PS Poll
1     11       RTS
1     12       CTS
1     13       ACK
1     14       CF End
1     15       CF End + CF ACK
802.11 Frames - Data Frames
Type  Subtype  Meaning
2     0        Data
2     1        Data + CF ACK
2     2        Data + CF Poll
2     3        Data + CF ACK + CF Poll
2     4        Null Function (no data)
2     5        CF ACK (no data)
2     6        CF Poll (no data)
2     7        CF ACK + CF Poll (no data)
2     8        QoS data
2     9        QoS data + CF ACK
2     10       QoS data + CF Poll
2     11       QoS data + CF ACK + CF Poll
2     12       QoS Null (no data)
2     13       Reserved
2     14       QoS CF Poll (no data)
2     15       QoS CF ACK (no data)
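As an added example (not part of the deck), a small Python parser that applies the Frame Control bit layout and the ToDS/FromDS address table above to raw 802.11 headers, and counts Deauthentication frames per BSSID, the kind of burst a WIPS such as OpenWIPS-ng alerts on. The sample frames and MAC addresses are constructed for illustration.

```python
MGMT_SUBTYPES = {  # management-frame subtypes (type 0) from the deck's table
    0: "Association Request", 1: "Association Response",
    2: "Reassociation Request", 3: "Reassociation Response",
    4: "Probe Request", 5: "Probe Response", 6: "Measurement Pilot",
    8: "Beacon", 9: "ATIM", 10: "Disassociation", 11: "Authentication",
    12: "Deauthentication", 13: "Action", 14: "Action No ACK",
}

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_header(frame: bytes) -> dict:
    """Decode Frame Control and give Address 1-4 their roles per the ToDS/FromDS table."""
    fc, flags = frame[0], frame[1]
    info = {
        "type": (fc >> 2) & 0x3,        # Frame Control byte 0, bits 2-3
        "subtype": (fc >> 4) & 0xF,     # bits 4-7
        "to_ds": flags & 0x1,           # Frame Control byte 1, bit 0
        "from_ds": (flags >> 1) & 0x1,  # bit 1
    }
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    ds = (info["to_ds"], info["from_ds"])
    if ds == (0, 0):    # management frames and STA<->STA data: DA, SA, BSSID
        info.update(DA=mac(a1), SA=mac(a2), BSSID=mac(a3))
    elif ds == (0, 1):  # AP -> STA
        info.update(DA=mac(a1), BSSID=mac(a2), SA=mac(a3))
    elif ds == (1, 0):  # STA -> AP
        info.update(BSSID=mac(a1), SA=mac(a2), DA=mac(a3))
    else:               # WDS: Address 4 sits after the 2-byte Sequence Control
        info.update(RA=mac(a1), TA=mac(a2), DA=mac(a3), SA=mac(frame[24:30]))
    if info["type"] == 0:
        info["name"] = MGMT_SUBTYPES.get(info["subtype"], "Reserved")
    return info

def deauth_counts(frames) -> dict:
    """Count Deauthentication frames per BSSID: a burst is a classic WIPS alert."""
    counts = {}
    for f in frames:
        h = parse_header(f)
        if h["type"] == 0 and h["subtype"] == 12:
            counts[h["BSSID"]] = counts.get(h["BSSID"], 0) + 1
    return counts

# Constructed sample frames with made-up MAC addresses (header + 2-byte seq ctl).
AP, STA, GW = (bytes.fromhex(h) for h in ("001122334455", "aabbccddeeff", "0a0b0c0d0e0f"))
# Deauth AP -> STA: FC 0xC0 (type 0, subtype 12), ToDS=FromDS=0, reason code 7 as body.
DEAUTH = bytes([0xC0, 0x00, 0, 0]) + STA + AP + AP + bytes([0, 0]) + bytes([7, 0])
# Data STA -> AP: FC 0x08 (type 2, subtype 0), ToDS=1, so Address 1 is the BSSID.
DATA_TO_AP = bytes([0x08, 0x01, 0, 0]) + AP + STA + GW + bytes([0x10, 0])
```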
Network interaction
Connection to a network
Open networks
WEP networks
WPA networks
Network interaction
Network interaction - Open Networks
Network_Interaction.pcap
Network Interaction - WEP - Encrypt
Network Interaction - WEP - Decrypt
Network Interaction - WEP
Network Interaction - WPA
IEEE created the 802.11i working group when the WEP flaws were discovered
2 link layer protocols:
TKIP -> WPA1
CCMP -> WPA2
2 flavors:
Personal: PSK
Enterprise
Network Interaction - WPA
WPA 1
Based on 3rd draft of 802.11i
Uses TKIP
Backward compatible with old hardware
WPA 2
802.11i
Uses CCMP (AES)
Not compatible with old hardware
Network Interaction - WPA PSK
Network Interaction - WPA Authentication
Network Interaction - WPA GTK
Network Interaction - WPA PTK Construction
Network Interaction - WPA Encryption and data integrity
TKIP: MIC + ICV
CCMP: MIC
Choosing hardware
Wireless adapter
Antenna
Omni vs directional
Antenna pattern
Some math
Choose a card
Recommended chipsets:
Atheros (Internal/PCI/Cardbus/Expresscard)
Realtek 8187
Ralink (802.11n)
Better if with an antenna connector
How to find the chipset?
Sometimes advertised
Run Linux and use airmon-ng/dmesg/lspci/lsusb
Through Windows driver
Choose an antenna - Omni/directional
Bigger != Better
Different gain = different RF propagation
Omnidirectional: radiates in all directions, like a light bulb
Directional: radiates in a single direction, like a camera zoom
Choose an antenna - Omnidirectional
Choose an antenna - Omnidirectional (2)
Choose an antenna - Omnidirectional (3)
Choose an antenna - Directional
Choose an antenna - Directional (2)
Choose an antenna - Math
dB measures a signal against a normalized reference value: 1 mW
dB power = 10 * log (signal / reference)
How many dB is 100 mW?
10 * log(100 mW / 1 mW) = 20 dBm
Choose an antenna - dBm to mW
A 3 dB increase = 2 times the power
dBm   mW
0     1
10    10
15    32
17    50
20    100
23    200
27    512
30    1000
Choose an antenna Cables/connectors
Cables & connectors add loss If broken, even moreAdapters: ~0.5db Cables: depends on thickness
51
7/28/2019 MB-6 Introduction to WiFi Security and Aircrack-Ng
52/76
Choose an antenna - Exercise
Example with an antenna and then add a cable (realvalues)
Alfa AWUS036H: 500mWAntenna: 5dB
Cable: RG58, 2 meters (~1dB/meter)
52
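As an added worked example (not from the deck), the dBm/mW formula from the Math slide carried through this exercise in Python: gains and losses are summed in dB and the result converted back to mW. The ~0.5 dB adapter loss comes from the cables/connectors slide; counting zero adapters for the exercise is an assumption, since the slide lists none.

```python
import math

def mw_to_dbm(mw: float) -> float:
    """dBm = 10 * log10(signal / 1 mW), the formula from the Math slide."""
    return 10 * math.log10(mw / 1.0)

def dbm_to_mw(dbm: float) -> float:
    """Inverse of mw_to_dbm; the '3 dB = x2' rule of thumb is 10**0.3 ~ 1.995."""
    return 10 ** (dbm / 10)

def link_budget(tx_mw: float, antenna_gain_db: float, cable_db_per_m: float,
                cable_m: float, adapters: int = 0, adapter_loss_db: float = 0.5) -> dict:
    """Add antenna gain and subtract cable/adapter losses in dB, then convert back to mW.
    Working in dB turns the multiplications of the linear (mW) domain into sums."""
    tx_dbm = mw_to_dbm(tx_mw)
    loss_db = cable_db_per_m * cable_m + adapters * adapter_loss_db
    out_dbm = tx_dbm + antenna_gain_db - loss_db
    return {
        "tx_dbm": round(tx_dbm, 2),
        "loss_db": round(loss_db, 2),
        "out_dbm": round(out_dbm, 2),
        "out_mw": round(dbm_to_mw(out_dbm), 1),
    }

def exercise_awus036h() -> dict:
    """The deck's exercise: 500 mW card, 5 dB antenna, 2 m of RG58 at ~1 dB/m.
    No adapters are counted (assumption: the slide lists none)."""
    return link_budget(tx_mw=500, antenna_gain_db=5, cable_db_per_m=1.0, cable_m=2)

if __name__ == "__main__":
    # 500 mW is ~27 dBm; +5 dB antenna and -2 dB cable leave ~30 dBm, i.e. about 1 W.
    print(exercise_awus036h())
```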
Aircrack-ng suite
What is it?
Different tools
Installation
Drivers installation
Aircrack-ng suite
What is it?
Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools.
In fact, Aircrack-ng is a set of tools for auditing wireless networks.
Lots of scripts use it
Important to know the tools to correctly use the scripts
Airmon-ng
Airodump-ng
Aireplay-ng
Packetforge-ng
Generates WEP encrypted frames (ping/ARP/...)
Requires keystream (XOR file)
Aircrack-ng
Airbase-ng
Airdecap-ng
Decrypts captures (WEP/WPA)
Confirms key/passphrase
Other tools
Airolib-ng
Airtun-ng
Ivstools
Etc
Scripts:
Airgraph-ng
Airoscript-ng
Etc
Aircrack-ng - Installation
Compilation of stable or latest devel is the same
Requirements:
Gcc/make: build-essential
OpenSSL development: libssl-dev or openssl-dev
Optional: SQLite development package
Aircrack-ng - Installation (2)
make && make install
Options:
unstable: easside-ng, tkiptun-ng, etc.
sqlite: Airolib-ng
Can be combined:
make sqlite=true unstable=true
make sqlite=true unstable=true install
Aircrack-ng - Compat-wireless
Up to date wireless drivers for stable kernels
No need to patch it anymore
Most cases: latest version
I've heard funny names for it ;)
Compact wireless
Combat wireless
Aircrack-ng - Compat-wireless (2)
Requires:
Kernel headers/sources
Gcc/make
Download latest stable
Two step installation process:
1. make
2. make install
Sometimes install firmware
Break
15 minutes break
Exercises
WEP
With client
Without client
WPA
With client
Without AP
Exercises - Important notes
Kill network managers/other software using the card to avoid issues
Target ESSID: aircrackng
Exercise - WEP Cracking With client
1. Put the card in monitor mode
2. Identify network
3. Record traffic on fixed channel
4. Deauth client
Will generate ARP
ARP will be replayed
5. Crack capture file
Exercise - WEP Cracking Without client
1. Put the card in monitor mode
2. Identify network
3. Record traffic on fixed channel
4. Fake client
Fake authentication
Several options:
ARP Replay
Interactive frame replay
Chopchop
Fragmentation
5. Crack capture file
Exercise - WPA Cracking
Hard and easy to crack
Easy: just get the handshake
Hard:
Need to be close to target(s)
Passphrase length: 8-63 chars
No real client => No handshake => No cracking
Exercise - WPA Cracking With AP
1. Put the card in monitor mode
2. Identify network
3. Deauth client or wait for connection
4. Crack the capture
Exercise - WPA Cracking Without AP
1. Put the card in monitor mode
2. Identify client through probes
3. Start airbase-ng in WPA mode
4. Crack capture file
Links - Contact
Learn more:
http://aircrack-ng.org
http://www.nekasg.com
2 day training @ DerbyCon: http://www.derbycon.com
802.11 Wireless Networks, Matthew Gast
Contact: [email protected] [email protected]
Business cards are on the desk