Transcript (d’Otreppe) Wireless Security - SharkFest
Wireless Security
June 16, 2010
Thomas d’Otreppe de Bouvette
Author of Aircrack-ng
SHARKFEST ‘10 | Stanford University | June 14-17, 2010
Agenda
• WEP
• WPA
• Choose hardware
• Wireless reconnaissance
  – Airgraph-ng
  – GISKismet
WEP
• Still broken but still used
• Sometimes you can’t crack the key
• « What can I do? »
WEP
• Check if you have enough data packets.
  – ~30K are needed for 64 bit with PTW
  – ~80K for 128 bit with PTW
• Switch to KoreK starting from 150-200K packets
  – ~200K for 64 bit with KoreK
  – ~500K for 128 bit with KoreK
• Usually, if you can’t crack, as a rule of thumb, just get more (data) packets
• More than enough packets and still can’t crack the key? Split the capture file and crack the pieces individually
WEP – Split files
• Pcap-util: http://www.badpenguin.co.uk/files/pcap-util
• Perl script
• Works on Linux/Windows
WEP – Split files (2)
WEP – Split files (3)
• Has several options:
  – Split in files of X Mb
  – Extract packets that fall within a period of time
  – Extract packets that match a libpcap filter
• Just need to split in smaller files, so:
  – perl pcap-util split large.pcap small 3
WEP – PTW limitations
• Works with 64 and 128 bit keys
• Works in 2 phases:
  – Phase 1: ARP
  – Phase 2: then use all other data packets (some packets are ignored because they are known to be unusable for PTW)
• List of usable packets can be found at
  – http://aircrack-ng.org/doku.php?id=supported_packets
WEP – WEP Cloaking ™
• « Motorola AirDefense WEP Cloaking™ provides protection for wireless infrastructure secured by legacy encryption protocols. This is an add-on module to Motorola AirDefense Enterprise, the market leading Wireless Intrusion Prevention System. »
• Solution: airdecloak-ng, but sometimes aircrack-ng can crack it directly
WEP – WEP Cloaking ™ (2)
aircrack-ng wep_cloaking_full_speed_dl.pcap -b 00:12:BF:12:32:29 -K -n 64 -d 1F:1F:1F
WEP – WEP Cloaking ™ (3)
WEP – WEP Cloaking ™ (4)
• Not all packets were filtered out but enough to crack the key
WEP – Broken capture file
• Aircrack-ng:
  – Invalid packet capture length 0 - corrupted file?
• Wireshark
WEP – Broken capture file (2)
WEP – Broken capture file (3)
• Mark first packet
• Mark the last good packet
• File – Save as …
• Select « first to last marked packet »
• Select an output filename then save it
• DONE
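The same recovery can be scripted. This added example (not from the talk or the aircrack-ng project) walks the classic pcap record chain and cuts the file at the first record whose capture length is zero, exceeds the snaplen or runs past the end of the file, which is the condition behind the "Invalid packet capture length 0" message; build_sample() constructs a small capture with that defect so the script runs offline.

```python
import struct

# pcap magic as read little-endian; the value tells us the byte order of the whole file
_MAGICS = {0xa1b2c3d4: "<", 0xa1b23c4d: "<",   # little-endian file, usec / nsec timestamps
           0xd4c3b2a1: ">", 0x4d3cb2a1: ">"}   # big-endian file, usec / nsec timestamps

def salvage_pcap(data: bytes):
    """Keep the global header plus every record up to the last sane one.

    Returns (good_bytes, kept_records, stop_reason); stop_reason is None when the whole
    file parsed. This reproduces the Wireshark 'first to last good packet' save."""
    if len(data) < 24:
        raise ValueError("file shorter than a pcap global header")
    magic, = struct.unpack("<I", data[:4])
    if magic not in _MAGICS:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    end = _MAGICS[magic]
    snaplen, = struct.unpack(end + "I", data[16:20])
    off, kept = 24, 0
    while off < len(data):
        if off + 16 > len(data):
            return data[:off], kept, "truncated record header at offset %d" % off
        _sec, _frac, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        if incl_len == 0 or incl_len > orig_len or (snaplen and incl_len > snaplen):
            return data[:off], kept, "invalid packet capture length %d at offset %d" % (incl_len, off)
        if off + 16 + incl_len > len(data):
            return data[:off], kept, "truncated packet data at offset %d" % off
        off += 16 + incl_len
        kept += 1
    return data, kept, None

def build_sample() -> bytes:
    """Constructed capture: three valid records, then one with capture length 0 followed by junk."""
    hdr = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 105)   # 105 = LINKTYPE_IEEE802_11
    recs = b""
    for i in range(3):
        frame = b"\x08\x02" + b"\x00" * 22 + bytes([i])                # placeholder data-frame bytes
        recs += struct.pack("<IIII", 1276700000 + i, 0, len(frame), len(frame)) + frame
    bad = struct.pack("<IIII", 1276700003, 0, 0, 60) + b"\xff" * 40
    return hdr + recs + bad

if __name__ == "__main__":
    import sys
    good, kept, reason = salvage_pcap(open(sys.argv[1], "rb").read())
    open(sys.argv[2], "wb").write(good)
    print("kept %d packet(s)%s" % (kept, "; stopped: " + reason if reason else ""))
```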
Agenda
• WEP
• WPA
• Choose hardware
• Wireless reconnaissance
  – Airgraph-ng
  – GISKismet
WPA
• WPA is at the same time easy and hard to crack
  – Easy to get the handshake
  – But the passphrase can be really complex
WPA
• 802.11i group launched when flaws were found in WEP
• 2 link-layer protocols:
  – TKIP (WPA1): Draft 3 of 802.11i group (backward compatible with legacy hardware)
  – CCMP (WPA2): final 802.11i standard
• 2 authentication methods:
  – Personal: PSK (shared key, 8-63 characters)
  – Enterprise: MGT (Radius server)
WPA-PSK – 4 way handshake
WPA - Location
• You need to be located not too far from the client and the AP to hear the whole 4-way handshake.
• Aircrack-ng can work with less than the 4 EAPOL packets
WPA – Good Location
(figure: two layouts, AP – Client – Attacker and AP – Attacker – Client)
WPA – Bad location
• Only hear the AP: (figure: Attacker – AP – Client)
• Only hear the client: (figure: AP – Client – Attacker)
WPA – Airbase-ng
• Act as an AP with airbase-ng and get the handshake => Just need to be in the range of the client:
airbase-ng -z 2 -W 1 -y -c 6 -F dump -e "Philips WiFi" rausb0
• Location problem solved ;), you just need the client: (figure: Client – Attacker acting as fake AP)
WPA – Airbase-ng (2)
DEMO
WPA - Debug
• Aircrack-ng/cowpatty/pyrit/OTHER TOOL doesn’t see the handshake, why?
• So, how does it look in capture files and how do we debug it?
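One way to answer that question without a tool in the loop, as an added example that is not part of the talk: classify each EAPOL-Key frame by its Key Information bits and report which of the four messages were actually heard for the exchange (only M1/M3 from the AP side, for instance, is the "bad location" case above). The frames are assumed to start at the EAPOL header, with 802.11 and LLC/SNAP headers already stripped as Wireshark displays them; the sample frames, nonces and RSN IE are constructed here. A wireless IDS tracks key exchanges with the same field logic.

```python
import struct

PAIRWISE, INSTALL, ACK, MIC, SECURE, VER_AES = 1 << 3, 1 << 6, 1 << 7, 1 << 8, 1 << 9, 2   # 802.11i Key Info bits; version 2 = AES

def parse_eapol_key(frame: bytes) -> dict:
    """Extract the fields that matter for debugging; frame starts at the EAPOL header."""
    _ver, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != 3:
        raise ValueError("not an EAPOL-Key packet (type %d)" % ptype)
    body = frame[4:4 + body_len]                            # body[0] is the descriptor type
    key_info, = struct.unpack("!H", body[1:3])
    replay, = struct.unpack("!Q", body[5:13])
    key_data_len, = struct.unpack("!H", body[93:95])        # after nonce, IV, RSC, ID and MIC
    return {"key_info": key_info, "replay": replay, "nonce": body[13:45], "key_data_len": key_data_len}

def classify(k: dict) -> int:
    """Return 1..4 for the 4-way handshake message this frame is, 0 for anything else."""
    info = k["key_info"]
    if not info & PAIRWISE:
        return 0                                   # group-key handshake, not the 4-way
    if info & ACK and not info & MIC:
        return 1                                   # M1: AP sends ANonce, no MIC yet
    if info & ACK and info & MIC and info & INSTALL:
        return 3                                   # M3: AP repeats ANonce, adds MIC and key data
    if info & MIC and not info & ACK:
        return 2 if k["key_data_len"] else 4       # M2 carries SNonce + RSN IE; M4 has empty key data
    return 0

def handshake_status(frames) -> dict:
    """Which messages were heard, and whether both nonces (ANonce from M1/M3, SNonce from M2) are in."""
    seen = {classify(k): k for k in map(parse_eapol_key, frames)}
    seen.pop(0, None)                                          # frames that are not 4-way messages
    anonce, snonce = any(m in seen for m in (1, 3)), 2 in seen
    paired = all(seen[a]["replay"] == seen[b]["replay"]        # M1/M2 and M3/M4 share a replay counter
                 for a, b in ((1, 2), (3, 4)) if a in seen and b in seen)
    return {"messages": sorted(seen), "anonce": anonce, "snonce": snonce,
            "complete": anonce and snonce and paired}

def build_eapol_key(key_info: int, replay: int, nonce: bytes, key_data: bytes = b"") -> bytes:
    """Constructed EAPOL-Key frame (descriptor type 2 = RSN); IV, RSC, ID and MIC fields are zeroed."""
    body = struct.pack("!BHHQ", 2, key_info, 16, replay) + nonce + b"\x00" * 48
    body += struct.pack("!H", len(key_data)) + key_data
    return struct.pack("!BBH", 2, 3, len(body)) + body

ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))      # constructed nonces, not from a capture
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")   # constructed RSN IE (CCMP/PSK)
SAMPLE = [build_eapol_key(VER_AES | PAIRWISE | ACK, 1, ANONCE),                                   # M1
          build_eapol_key(VER_AES | PAIRWISE | MIC, 1, SNONCE, RSN_IE),                           # M2
          build_eapol_key(VER_AES | PAIRWISE | ACK | MIC | INSTALL | SECURE, 2, ANONCE, RSN_IE),  # M3
          build_eapol_key(VER_AES | PAIRWISE | MIC | SECURE, 2, b"\x00" * 32)]                    # M4
```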
WPA - Debug
DEMO
WPA – Cracking
• Once you have the handshake, it’s time to crack it
• Two methods come to mind:
  – Using a wordlist
  – Bruteforcing
• Bruteforce not doable since minimum key length is 8 characters, so we need a good dictionary
WPA - Dictionary
• Having the right dictionary is important !
• Here are a few tips to build yours:
  – Use generic dictionaries, and add things like:
    • Language used
    • Phone numbers (IE, use JTR to generate all possible phone numbers)
    • City and different things around
    • Other things that come to your mind, …
  – Use programs to « add » words:
    • John The Ripper (and Markov)
    • Wyd
    • …
• Combine all of these …
• … and you may end up with huge dictionaries.
WPA – Cracking hardware
• Processing big dictionaries takes time
• CPU too slow => Use GPU and FPGA
WPA – GPU performance
• Pyrit performance
WPA – GPU Crackers
• Quite easy to set up …
  – apt-get install backtrack-cuda
• … but
  – Don’t forget the power bill ;)
  – Creating dictionaries takes time
• Online services available:
  – Cloud computing: http://www.wpacracker.com
  – GPU: http://tools.question-defense.com
Agenda
• WEP
• WPA
• Choose hardware
• Wireless reconnaissance
  – Airgraph-ng
  – GISKismet
Choose hardware - Antennas
• Often asked: « What is the best antenna? »
• Depends on your needs:
  – Long or short links? Low or high power antenna
  – Point to Point or Point to Multipoint? Directional antenna or omni
  – Frequency? 2.4GHz/5GHz (4.9/5.2/5.8/…)
  – ...
Choose hardware - Antennas
• Antenna pattern:
  – Vertical pattern: look at the horizon
  – Horizontal pattern: look at the ground from the sky
Choose hardware - Antennas
• Omni
  – Great for Point to Multipoint connections (ie, AP)
  – Theory: radiate in all directions
  – Highest power is not the best one
Choose hardware - Antennas
• Omni 5dbi
Choose hardware - Antennas
• Omni 9dbi
Choose hardware - Antennas
• Sector 120°
Choose hardware - Antennas
• Grid
Choose hardware - Antennas
• Home made - Biquad
Choose hardware - Antennas
• So, don’t just get the most powerful
• Check the law
• Look at the specs of the cards
  – RX sensitivity: ability to hear
  – TX power: needed for long distance links
  – Important: both take the rate, the frequency and the modulation into account
• Example: Ubiquiti SRC datasheet
Choose hardware - Cables
• Cables have losses
  – Thin: high loss, usually for short links (bend easily)
  – Thick: low loss, for long links (can’t be bent easily)
  – Loss depends on the frequency
• Connectors also have losses: around 0.5dB
• A few cables (loss for 100 feet at 2.4GHz)
  – RG174: ~60dB
  – RG58: ~25dB
  – LMR 200: ~16.5dB
  – LMR 400: ~6.7dB
Agenda
• WEP
• WPA
• Choose hardware
• Wireless reconnaissance
  – Airgraph-ng
  – GISKismet
Airgraph-ng
• Airgraph-ng creates a picture of the networks.
• Usage examples:
  – Display a network map
  – Network monitor
• Uses the CSV output of airodump-ng.
• Part of the suite (can be found in scripts/)
Airgraph-ng – Graph types
• Client to Access Point Relationship graph (CAPR):
  – Client to Access Point Relationship
  – Focus more on clients than AP
  – AP without clients aren’t graphed
  – Colors for each type of encryption
    • Green: WPA
    • Yellow: WEP
    • Red: Open
    • Black: Unknown
• Client Probe Graph (CPG):
  – Links between clients and AP
Airgraph-ng – Examples
• Parameters:
  – Input file: Airodump-ng CSV file (.csv)
  – Graph type:
    • CAPR (Client – AP Relationship): connected clients
    • CPG (Common Probe Graph): probed SSID
  – Output file: picture file name
• Examples:
  – CAPR: airgraph-ng.py -i sharkfest-01.csv -g CAPR -o sharkfest-capr.png
  – CPG: airgraph-ng.py -i sharkfest-01.csv -g CPG -o sharkfest-cpg.png
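The grouping behind the two graph types, as an added example that is not airgraph-ng's own code: it parses the airodump-ng CSV, keeps only APs that have clients for the CAPR view and tags each with the slide's colour for its encryption, and builds the probed-ESSID links for the CPG view. The CSV layout assumed here (AP table, blank line, station table whose last column may itself contain commas) and all sample MACs, names and times are constructed; the same pass is what a monitoring script would use to flag open or WEP networks and the clients probing for them.

```python
import csv, io
COLOURS = (("WPA", "green"), ("WEP", "yellow"), ("OPN", "red"))   # slide colours; anything else is black

def colour_for(privacy: str) -> str:
    """'WPA2 WPA', 'WPA2', 'WEP' and 'OPN' are the usual airodump-ng Privacy values."""
    return next((c for key, c in COLOURS if key in privacy), "black")

def parse_airodump_csv(text: str):
    """Split the CSV into (aps, stations). Assumes the usual layout: an AP table, a blank
    line, then a station table whose last column (probed ESSIDs) may itself hold commas."""
    ap_part, _, sta_part = text.strip().partition("\n\n")
    aps = {}
    for r in csv.reader(io.StringIO(ap_part), skipinitialspace=True):
        if len(r) >= 14 and r[0] != "BSSID":
            aps[r[0]] = {"channel": r[3], "privacy": r[5].strip(), "essid": r[13].strip()}
    stations = {}
    for line in sta_part.splitlines()[1:]:                       # [0] is the header row
        f = [x.strip() for x in line.split(",")]
        if len(f) >= 6:
            stations[f[0]] = {"bssid": f[5], "probes": [p for p in f[6:] if p]}
    return aps, stations

def capr(aps, stations):
    """Client to AP Relationship: associated clients per AP; APs without clients are not graphed."""
    graph = {b: dict(a, clients=[], colour=colour_for(a["privacy"])) for b, a in aps.items()}
    for mac, st in stations.items():
        if st["bssid"] in graph:
            graph[st["bssid"]]["clients"].append(mac)
    return {b: a for b, a in graph.items() if a["clients"]}

def cpg(stations):
    """Client Probe Graph: every probed ESSID with the clients that looked for it."""
    out = {}
    for mac, st in stations.items():
        for essid in st["probes"]:
            out.setdefault(essid, []).append(mac)
    return out

# Constructed airodump-ng CSV (MACs, names and times are made up)
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-06-16 10:00:00, 2010-06-16 10:05:00,  6,  54, WPA2, CCMP, PSK, -40, 120,    0,   0.  0.  0.  0,  9, SharkFest,
66:77:88:99:AA:BB, 2010-06-16 10:00:00, 2010-06-16 10:05:00, 11,  54, WEP , WEP ,    , -70,  30, 2500,   0.  0.  0.  0,  5, guest,
CC:DD:EE:FF:00:11, 2010-06-16 10:00:00, 2010-06-16 10:05:00,  1,  54, OPN ,     ,    , -60,  50,    0,   0.  0.  0.  0,  7, hotspot,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:AA:AA:AA:AA:01, 2010-06-16 10:01:00, 2010-06-16 10:05:00, -50, 200, 00:11:22:33:44:55, SharkFest,home
AA:AA:AA:AA:AA:02, 2010-06-16 10:01:00, 2010-06-16 10:05:00, -55,  80, (not associated), home,hotspot
AA:AA:AA:AA:AA:03, 2010-06-16 10:02:00, 2010-06-16 10:05:00, -60,  10, 66:77:88:99:AA:BB,
"""
```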
Airgraph-ng – Examples (2)
• CAPR
Airgraph-ng – Examples (3)
• CPG
Agenda
• WEP
• WPA
• Choose hardware
• Wireless reconnaissance
  – Airgraph-ng
  – GISKismet
GISKismet
• « GISKismet is a wireless recon visualization tool to represent data gathered using Kismet in a flexible manner »
• Display Access Points on Google Earth => requires GPS.
• Also works with airodump-ng
GISKismet (2)
• Store information in a database (SQLite)
• Input: Kismet newcore XML (netxml)
• Outputs a KML file
• Filter data:
  – Input: limited to things like channel, ESSID, …
  – Output: flexible, SQL order
GISKismet (3)
• Importing data:
  – giskismet -x dump-01.kismet.netxml
• Will create a file called wireless.dbl (SQLite3 database with 2 tables):
  – Clients: all clients
  – Wireless: all AP
• Exporting:
  – giskismet -q SQL_ORDER -o OUTPUT_FILE.kml
GISKismet (4)
• SQL Queries:
• All:
  select * from wireless
• SSID starting with ‘SpeedTouch’:
  select * from wireless where ESSID like 'SpeedTouch%'
• AP from Aruba Networks:
  select * from wireless where Manuf = 'Aruba Networks'
• Hotspots:
  select * from wireless where ESSID like '%hotspot%'
• Channel 6:
  select * from wireless where channel = 6
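How the query-to-KML step works, as an added example that is not GISKismet's code: an in-memory SQLite stand-in for wireless.dbl is filled with constructed rows, the slide's queries are run against it, and each matching AP becomes a KML Placemark. ESSID, Manuf and channel are the columns the slide uses; the other column names and every row are assumptions made for this example. Because -q takes raw SQL, the function accepts SELECT statements only.

```python
import sqlite3
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"
# Constructed stand-in rows for wireless.dbl: BSSID, ESSID, Manuf, channel, Encryption, lat, lon
ROWS = [("00:11:22:33:44:55", "SpeedTouch1A2B", "Thomson", 6, "WEP", 37.4275, -122.1697),
        ("66:77:88:99:AA:BB", "Corp-WiFi", "Aruba Networks", 36, "WPA2", 37.4281, -122.1702),
        ("CC:DD:EE:FF:00:11", "Free Hotspot", "Cisco", 6, "None", 37.4266, -122.1688),
        ("22:33:44:55:66:77", "Guest", "Aruba Networks", 1, "WPA2", 37.4290, -122.1710)]

def make_db() -> sqlite3.Connection:
    """In-memory SQLite with the two tables the slide names; column names other than ESSID,
    Manuf and channel are assumptions for this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wireless (BSSID TEXT, ESSID TEXT, Manuf TEXT, channel INTEGER,"
               " Encryption TEXT, GPSBestLat REAL, GPSBestLon REAL)")
    db.execute("CREATE TABLE clients (MAC TEXT, BSSID TEXT)")
    db.executemany("INSERT INTO wireless VALUES (?,?,?,?,?,?,?)", ROWS)
    return db

def query_to_kml(db: sqlite3.Connection, sql: str) -> str:
    """Run the SQL filter and emit one KML Placemark per AP, like giskismet -q ... -o does."""
    if not sql.lstrip().lower().startswith("select"):
        raise ValueError("only SELECT statements are accepted here")
    root = ET.Element("kml", xmlns=KML_NS)
    doc = ET.SubElement(root, "Document")
    cur = db.execute(sql)                      # sqlite3 runs exactly one statement per execute()
    cols = [d[0] for d in cur.description]
    for row in cur:
        r = dict(zip(cols, row))
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = "%s (%s)" % (r["ESSID"], r["BSSID"])
        ET.SubElement(pm, "description").text = "channel %s, %s, %s" % (r["channel"], r["Encryption"], r["Manuf"])
        point = ET.SubElement(pm, "Point")
        ET.SubElement(point, "coordinates").text = "%.6f,%.6f" % (r["GPSBestLon"], r["GPSBestLat"])  # KML: lon,lat
    return ET.tostring(root, encoding="unicode")

def placemark_names(kml: str) -> list:
    """Placemark names from a KML string, to check that a filter selected what you meant."""
    return [n.text for n in ET.fromstring(kml).iter("{%s}name" % KML_NS)]
```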
?
Links
• Pcap-util: http://www.badpenguin.co.uk/files/pcap-util
• List of supported packets for PTW: http://aircrack-ng.org/doku.php?id=supported_packets
• John The Ripper: http://www.openwall.com/john/
• Markov: http://openwall.info/wiki/john/markov
• Wyd: http://www.remote-exploit.org/?page_id=418
• « Next generation wireless recon … » (Shmoocon 2009): http://spl0it.org/files/talks/Abraham-Smith NextGenerationWirelessRecon-VisualizingTheAirwaves ShmooCon2009.pdf (short: http://preview.tinyurl.com/nbsssp)
• Cable loss calculator: http://www.ocarc.ca/coax.htm