
WPA, what else?
Thomas d’Otreppe de Bouvette
Aircrack-ng
UNAM, Mexico City
November 27-28, 2008
1
Agenda
• WEP
• WPA – How does it work?
• WPA – Practice
– Location, location, location
– Cracking the key
– Bruteforce
• WPA - Tools
– Airbase-ng
– Tkiptun-ng
– Airolib-ng
• Practical stuff
2
WEP
• It was fun
• A few new attacks were created
– Caffe Latte
– Cfrag
• PTW2: now needs fewer packets than PTW
to crack a key
• WEP Cloaking™ is now dead too
3
4
WPA
• More and more networks use WPA
• WPA is a hot topic these days:
– CUDA
– New attack and tool: tkiptun-ng
5
WPA
• 802.11i group launched when flaws were found
in WEP
• 2 link-layer protocols:
– TKIP (WPA1): Draft 3 of 802.11i group
(backward compatible with legacy hardware).
– CCMP (WPA2): final 802.11i standard
• 2 authentication methods:
– Personal: PSK
– Enterprise: MGT
6
WPA-PSK – How does it work?
7
8
WPA-PSK – 4 way handshake
9
WPA-PSK – PTK Construction
(Diagram) Pairwise Transient Key = HASH(Pairwise Master Key (256 bit), ANonce, SNonce, STA MAC address, AP MAC address)
10
WPA-PSK – PMK Construction
(Diagram) PMK = PBKDF2(Passphrase, SSID, SSID length)
Number of iterations: 4096
Length of the result key: 256 bits
11
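The two derivations on slides 10 and 11 carried through in code. This is an added example, not code from the talk or from aircrack-ng: it computes the PMK with PBKDF2-HMAC-SHA1 (4096 iterations, 256-bit output) and then the PTK with the IEEE 802.11i PRF-512, which is what the slide's "HASH" box stands for. The passphrase/SSID pair "password"/"IEEE" is the published 802.11i test vector; the MAC addresses and nonces in `demo()` are constructed sample values.

```python
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Slide 11: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    The 4096 iterations are the whole cost of testing one candidate passphrase,
    which is why cracking speed is measured in a few thousand keys/sec."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || counter),
    counter = 0..3, concatenated and truncated to 512 bits."""
    out = b""
    for counter in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
    return out[:64]


def wpa_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
            anonce: bytes, snonce: bytes) -> bytes:
    """Slide 10: PTK = HASH(PMK, ANonce, SNonce, STA MAC, AP MAC).

    Addresses and nonces are ordered min||max so that AP and client derive the
    same PTK whichever side is the authenticator."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def split_ptk(ptk: bytes) -> dict:
    """TKIP layout of the 512-bit PTK: KCK (EAPOL MIC key), KEK (key wrap),
    TK (encryption) and the two 64-bit Michael MIC keys, one per direction."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48],
            "MIC_1": ptk[48:56], "MIC_2": ptk[56:64]}


# Published 802.11i test vector for passphrase "password", SSID "IEEE".
TEST_VECTOR_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def demo():
    """Constructed sample handshake inputs (not captured traffic)."""
    pmk = wpa_pmk("password", "IEEE")
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("66778899aabb")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    ptk = wpa_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    return pmk, ptk


if __name__ == "__main__":
    pmk, ptk = demo()
    print("PMK:", pmk.hex())
    for name, part in split_ptk(ptk).items():
        print(f"{name:6s} {part.hex()}")
```

Two properties worth noticing when you run it: the PMK changes with the SSID even for the same passphrase (so a precomputed table is only valid for one SSID), and the PTK changes with every nonce pair, which is why a fresh 4-way handshake is needed to test candidates at all.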
12
13
14
15
16
WPA – Location
• Need all packets from the 4-way
handshake => must hear both the AP and the client
• In fact, aircrack-ng can work with fewer than
4 packets
• If too far from either side, you won’t get everything
17
WPA – Location (2)
(Diagram: relative positions of Attacker, AP and Client; the attacker in range of both)
18
WPA – Location (3)
(Diagram: relative positions of AP, Client and Attacker; the attacker too far from one side)
19
WPA – Cracking the key
• Processing Unit
– CPU
– GPU (CUDA and AMD Stream)
• Method:
– Wordlist
– Bruteforce
• « Rainbow » tables
20
WPA - CUDA
• Cracking with your nVidia
• Much faster than with a CPU (10-100x):
– Intel P4 3.2Ghz: ~150 keys/sec
– AMD Turion 64 X2 TL-60 (2Ghz): ~230 keys/sec
– Nvidia 280GTX: ~11000 keys/sec
• A few tools exist
– Commercial
– Open source: pyrit
• Planned in aircrack-ng (AMD Stream too)
21
WPA - Pyrit cracking speed
22
WPA - Bruteforce
• Let’s calculate how much time it will take to
crack a simple passphrase made of
alphanumeric characters (upper and lower
case).
• Smallest WPA passphrase: 8 characters
(max 63).
23
WPA - Bruteforce (2)
• 8 characters passphrase
• 62 possibilities per character: [A-Z][a-z][0-9]
• Using a 280GTX (11000keys/sec)
• 62^8 = 218 340 105 584 896 possible keys
• 218 340 105 584 896 / 11 000 keys/s = 19 849 100 508
sec
• 19 849 100 508 sec = 5 513 639 hours
• 5 513 639 hours = 229 735 days
• 229 735 days = 630 years
24
630 years for an 8-char WPA key
• A bit too long for a simple passphrase.
• For a 12-character passphrase,
bruteforce will take 9 309 091 680 years.
• A dictionary attack and John the Ripper are
still the best solution.
25
26
Airbase-ng
“Airbase-ng is a multi-purpose tool aimed at attacking
clients as opposed to the Access Point (AP) itself.”
Features:
• Soft AP/Ad hoc
• Karma
• Encrypt/Decrypt packets
• Capture WPA handshake from a client.
• Filtering to avoid disturbing nearby networks
27
Airbase-ng (2)
• Turn any monitor-mode capable card into
an AP
• Default mode: Karma
• Karmetasploit = airbase-ng + metasploit
28
Fun with airbase-ng
• Karma
– airbase-ng rausb0
• Soft AP:
– airbase-ng -y -e myAP -c 6 rausb0
– ifconfig at0 up 192.168.0.254
– ping/ssh/… it from the client
• Script to manipulate packets:
– airbase-ng -Y both rausb0
– ./test/replay.py at1
29
Fun with airbase-ng (2)
• WPA Handshake capture:
airbase-ng -z 2 -W 1 -y -c 6 -e home rausb0
• Location problem solved ;), you just need the
client:
(Diagram: Client <-> Attacker running the fake AP)
30
Tkiptun-ng
• Exaggerated in the news, only a few
frames can be sent
• Work in Progress:
– Basic documentation written
– Not fully working yet
31
Tkiptun-ng (2)
• WPA TKIP + QoS (802.11e)
• Decrypt packets from the AP
• Modified chopchop
• Breaks the MIC key
• Save plaintext + keystream
32
Airolib-ng
• Create pre-computed WPA hash tables to be used with
aircrack-ng
• Uses a sqlite database
• Import/Export:
– Import passphrase/ESSID lists
– Cowpatty tables (genpmk)
– Pyrit can export its hash tables to airolib-ng format
• Speed (once precomputed):
– Eee 701 (900 MHz, SD card): ~9700 keys/sec
– AMD Turion 64 X2 TL-60 (2 GHz, HDD 7200 rpm): ~55 500
keys/sec (~30 000 keys/sec virtualized).
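A minimal version of what the slide describes: precompute the PMK for every (ESSID, passphrase) pair once, store it in sqlite, and answer later lookups without rerunning PBKDF2. This is an added illustration, not airolib-ng's code or its schema; the table layout, function names and the tiny wordlist are constructed for the example, and the "password"/"IEEE" PMK is the published 802.11i test vector.

```python
import hashlib
import sqlite3
from typing import Iterable, Optional


def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """PBKDF2-HMAC-SHA1, 4096 iterations: the step the table lets us skip."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               essid.encode("utf-8"), 4096, 32)


def open_pmk_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) a sqlite database holding precomputed PMKs.

    The primary key is (essid, passphrase) because the PMK depends on both;
    a table built for one ESSID is useless for any other."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS pmk ("
        "  essid TEXT NOT NULL,"
        "  passphrase TEXT NOT NULL,"
        "  pmk BLOB NOT NULL,"
        "  PRIMARY KEY (essid, passphrase))")
    return conn


def precompute(conn: sqlite3.Connection, essid: str,
               passphrases: Iterable[str]) -> int:
    """Run PBKDF2 once per candidate and store the result.

    Returns the number of rows now stored for this ESSID (duplicates in the
    wordlist are ignored by the primary key)."""
    rows = ((essid, p, wpa_pmk(p, essid)) for p in passphrases)
    conn.executemany("INSERT OR IGNORE INTO pmk VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM pmk WHERE essid = ?",
                        (essid,)).fetchone()[0]


def lookup_pmk(conn: sqlite3.Connection, essid: str,
               passphrase: str) -> Optional[bytes]:
    """O(1) table lookup instead of 4096 HMAC-SHA1 rounds; None on a miss."""
    row = conn.execute(
        "SELECT pmk FROM pmk WHERE essid = ? AND passphrase = ?",
        (essid, passphrase)).fetchone()
    return None if row is None else bytes(row[0])


# Constructed sample wordlist (not from the talk).
SAMPLE_WORDLIST = ["password", "letmein", "12345678", "password"]
TEST_VECTOR_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


if __name__ == "__main__":
    db = open_pmk_db()
    print("rows for IEEE:", precompute(db, "IEEE", SAMPLE_WORDLIST))
    hit = lookup_pmk(db, "IEEE", "password")
    print("IEEE/password ->", hit.hex() if hit else None)
    print("MyHomeNet/password ->", lookup_pmk(db, "MyHomeNet", "password"))
```

The miss on the second lookup is the point a network owner should take away: the slide's 9 700 to 55 500 keys/sec only apply to an ESSID that is already in the table, so a default ESSID such as "linksys" benefits from shared precomputed tables while a unique ESSID forces the full 4096-iteration cost per candidate again.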
33
Conclusion
• Questions?
• Practical stuff
– WPA Cracking
– Fun: Airgraph-ng
34