Wireless Security
June 16, 2010
Thomas d’Otreppe de Bouvette, author of Aircrack-ng
SHARKFEST ‘10 | Stanford University | June 14–17, 2010

Agenda
• WEP
• WPA
• Choose hardware
• Wireless reconnaissance
  – Airgraph-ng
  – GISKismet

WEP
• Still broken but still used
• Sometimes you can’t crack the key
• « What can I do? »

WEP
• Check if you have enough data packets.
  – ~30K are needed for 64 bit with PTW
  – ~80K for 128 bit with PTW
• Switch to KoreK starting from 150-200K packets
  – ~200K for 64 bit with KoreK
  – ~500K for 128 bit with KoreK
• Usually, if you can’t crack, as a rule of thumb, just get more (data) packets
• If you have more than enough and still can’t crack the key, split the capture file and crack the parts individually

WEP – Split files
• Pcap-util: http://www.badpenguin.co.uk/files/pcap-util
• Perl script
• Works on Linux/Windows

WEP – Split files (2)
(screenshot: pcap-util)

WEP – Split files (3)
• Has several options:
  – Split into files of X MB
  – Extract packets that fall within a period of time
  – Extract packets that match a libpcap filter
• Here we just need to split into smaller files, so:
  – perl pcap-util split large.pcap small 3

WEP – PTW limitations
• Works with 64 and 128 bit keys
• Works in 2 phases:
  – Phase 1: ARP
  – Phase 2: then use all other data packets (some packets are ignored because they are known to be unusable for PTW)
• The list of usable packets can be found at
  – http://aircrack-ng.org/doku.php?id=supported_packets

WEP – WEP Cloaking™
• « Motorola AirDefense WEP Cloaking™ provides protection for wireless infrastructure secured by legacy encryption protocols.
This is an add-on module to Motorola AirDefense Enterprise, the market leading Wireless Intrusion Prevention System. »
• Solution: airdecloak-ng, but sometimes aircrack-ng can crack it directly

WEP – WEP Cloaking™ (2)
aircrack-ng wep_cloaking_full_speed_dl.pcap -b 00:12:BF:12:32:29 -K -n 64 -d 1F:1F:1F

WEP – WEP Cloaking™ (3)
(screenshot: aircrack-ng output)

WEP – WEP Cloaking™ (4)
• Not all packets were filtered out, but enough to crack the key

WEP – Broken capture file
• Aircrack-ng reports:
  – Invalid packet capture length 0 - corrupted file?
• Fix it with Wireshark

WEP – Broken capture file (2)
(screenshot: Wireshark)

WEP – Broken capture file (3)
• Mark the first packet
• Mark the last good packet
• File – Save as …
• Select « first to last marked packet »
• Select an output filename, then save it
• DONE

WPA
WPA is at the same time easy and hard to crack
  – Easy to get the handshake
  – But the passphrase can be really complex

WPA
• The 802.11i group was launched when flaws were found in WEP
• 2 link-layer protocols:
  – TKIP (WPA1): Draft 3 of the 802.11i group (backward compatible with legacy hardware).
  – CCMP (WPA2): final 802.11i standard
• 2 authentication methods:
  – Personal: PSK (shared key, 8-63 characters)
  – Enterprise: MGT (RADIUS server)

WPA-PSK – 4-way handshake
(diagram: the 4-way handshake)

WPA – Location
• You need to be located not too far from the client and the AP to hear the whole 4-way handshake.
• Aircrack-ng can work with fewer than the 4 EAPOL packets

WPA – Good location
(diagram: AP, Client, Attacker)

WPA – Bad location
• Only hear the AP:
• Only hear the client:
(diagram: Attacker, AP, Client)

WPA – Airbase-ng
• Act as an AP with airbase-ng and get the handshake => you just need to be in range of the client:
  airbase-ng -z 2 -W 1 -y -c 6 -F dump -e "Philips WiFi" rausb0
• Location problem solved ;), you just need the client:
(diagram: Client, Attacker, Fake AP)

WPA – Airbase-ng (2)
DEMO

WPA – Debug
• Aircrack-ng/cowpatty/pyrit/OTHER TOOL doesn’t see the handshake, why?
• So, how does it look in capture files and how do we debug it?

WPA – Debug
DEMO

WPA – Cracking
• Once you have the handshake, it’s time to crack it
• Two methods come to mind:
  – Using a wordlist
  – Bruteforcing
• Bruteforce is not doable since the minimum key length is 8 characters, so we need a good dictionary

WPA – Dictionary
• Having the right dictionary is important!
• Here are a few tips to build yours:
  – Use generic dictionaries, and add things like:
    • The language used
    • Phone numbers (e.g., use JTR to generate all possible phone numbers)
    • The city and different things around it
    • Other things that come to your mind, …
  – Use programs to « add » words:
    • John The Ripper (and Markov)
    • Wyd
    • …
• Combine all of these …
• … and you may end up with huge dictionaries.

WPA – Cracking hardware
• Processing big dictionaries takes time
• CPU too slow => use GPU and FPGA

WPA – GPU performance
• Pyrit performance
(chart: Pyrit benchmark)

WPA – GPU crackers
• Quite easy to set up …
  – apt-get install backtrack-cuda
• … but
  – Don’t forget the power bill ;)
  – Creating dictionaries takes time
• Online services available:
  – Cloud computing: http://www.wpacracker.com
  – GPU: http://tools.question-defense.com

Choose hardware – Antennas
• Often asked: « What is the best antenna? »
• Depends on your needs:
  – Long or short links? Low or high power antenna
  – Point to point or point to multipoint? Directional antenna or omni
  – Frequency? 2.4 GHz/5 GHz (4.9/5.2/5.8/…)
  – ...
Choose hardware – Antennas
Antenna pattern:
• Vertical pattern: look at the horizon
• Horizontal pattern: look at the ground from the sky

Choose hardware – Antennas
Omni
• Great for point to multipoint connections (i.e., AP)
• Theory: radiates in all directions
• Highest power is not the best one

Choose hardware – Antennas
• Omni 5 dBi
(antenna pattern plot)

Choose hardware – Antennas
• Omni 9 dBi
(antenna pattern plot)

Choose hardware – Antennas
• Sector 120°
(antenna pattern plot)

Choose hardware – Antennas
• Grid
(antenna pattern plot)

Choose hardware – Antennas
• Home made – Biquad
(photo)

Choose hardware – Antennas
• So, don’t just get the most powerful
• Check the law
• Look at the specs of the cards
  – RX sensitivity: ability to hear
  – TX power: needed for long distance links
  – Important: both take the rate, the frequency and the modulation into account
• Example: Ubiquiti SRC datasheet

Choose hardware – Cables
• Cables have losses
  – Thin: high loss, usually for short links (bend easily)
  – Thick: low loss, for long links (can’t be bent easily)
  – Loss depends on the frequency
• Connectors also have losses: around 0.5 dB
• A few cables (loss for 100 feet at 2.4 GHz)
  – RG174: ~60 dB
  – RG58: ~25 dB
  – LMR 200: ~16.5 dB
  – LMR 400: ~6.7 dB

Airgraph-ng
• Airgraph-ng creates a picture of the networks.
• Usage examples:
  – Display a network map
  – Network monitor
• Uses the CSV output of airodump-ng.
• Part of the suite (can be found in scripts/)

Airgraph-ng – Graph types
• Client to Access Point Relationship graph (CAPR):
  – Client to Access Point Relationship
  – Focuses more on clients than APs
  – APs without clients aren’t graphed
  – Colors for each type of encryption:
    • Green: WPA
    • Yellow: WEP
    • Red: Open
    • Black: Unknown
• Client Probe Graph (CPG):
  – Links between clients and APs

Airgraph-ng – Examples
• Parameters:
  – Input file: Airodump-ng CSV file (.csv)
  – Graph type:
    • CAPR (Client – AP Relationship): connected clients
    • CPG (Common Probe Graph): probed SSIDs
  – Output file: picture file name
• Examples:
  – CAPR: airgraph-ng.py -i sharkfest-01.csv -g CAPR -o sharkfest-capr.png
  – CPG: airgraph-ng.py -i sharkfest-01.csv -g CPG -o sharkfest-cpg.png

Airgraph-ng – Examples (2)
• CAPR
(graph)

Airgraph-ng – Examples (3)
• CPG
(graph)

GISKismet
• « GISKismet is a wireless recon visualization tool to represent data gathered using Kismet in a flexible manner »
• Displays access points on Google Earth => requires GPS.
• Also works with airodump-ng

GISKismet (2)
• Stores information in a database (SQLite)
• Input: Kismet newcore XML (netxml)
• Outputs a KML file
• Filters data:
  – Input: limited to things like channel, ESSID, …
  – Output: flexible, SQL query

GISKismet (3)
• Importing data:
  – giskismet -x dump-01.kismet.netxml
• Will create a file called wireless.dbl (SQLite3 database with 2 tables):
  – Clients: all clients
  – Wireless: all APs
• Exporting: giskismet -q SQL_ORDER -o OUTPUT_FILE.kml

GISKismet (4)
SQL queries:
• All: select * from wireless
• SSIDs starting with ‘SpeedTouch’: select * from wireless where ESSID like 'SpeedTouch%'
• APs from Aruba Networks: select * from wireless where Manuf = 'Aruba Networks'
• Hotspots: select * from wireless where ESSID like '%hotspot%'
• Channel 6: select * from wireless where channel = 6

?

Links
• Pcap-util: http://www.badpenguin.co.uk/files/pcap-util
• List of supported packets for PTW: http://aircrack-ng.org/doku.php?id=supported_packets
• John The Ripper: http://www.openwall.com/john/
• Markov: http://openwall.info/wiki/john/markov
• Wyd: http://www.remote-exploit.org/?page_id=418
• « Next generation wireless recon … » (Shmoocon 2009): http://spl0it.org/files/talks/Abraham-SmithNextGenerationWirelessRecon-VisualizingTheAirwavesShmooCon2009.pdf (short: http://preview.tinyurl.com/nbsssp)
• Cable loss calculator: http://www.ocarc.ca/coax.htm
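The "Broken capture file" and "Split files" slides above fix a corrupt pcap in Wireshark and cut a large one into pieces with pcap-util. The following is an added Python example, not code from the talk, from aircrack-ng or from pcap-util, that does both directly on the classic pcap format: it walks the record headers, stops at the first record whose capture length is 0 (the condition behind aircrack-ng's "Invalid packet capture length 0" message) or otherwise impossible, and writes out the good prefix or size-limited parts. The file it operates on is constructed inline.

```python
import struct

PCAP_GLOBAL_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_LEN = 16   # ts_sec, ts_usec, incl_len, orig_len
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic pcap, either byte order

def iter_records(data):
    """Yield each well-formed record (header + payload); stop at the first bad one, i.e.
    what makes aircrack-ng print "Invalid packet capture length 0": a capture length of
    0, larger than the snaplen or the original length, or one running past end of file."""
    order = MAGIC[data[:4]]          # KeyError on pcapng/nanosecond pcap (not handled here)
    snaplen = struct.unpack(order + "I", data[16:20])[0]
    off = PCAP_GLOBAL_LEN
    while off + PCAP_RECORD_LEN <= len(data):
        incl_len, orig_len = struct.unpack(order + "II", data[off + 8:off + 16])
        end = off + PCAP_RECORD_LEN + incl_len
        if incl_len == 0 or incl_len > snaplen or incl_len > orig_len or end > len(data):
            return
        yield data[off:end]
        off = end

def count_packets(data):
    return sum(1 for _ in iter_records(data))

def repair(data):
    # Global header + every record before the first corrupt one: the same result as the
    # "mark first packet / mark last good packet / Save As" steps done in Wireshark.
    return data[:PCAP_GLOBAL_LEN] + b"".join(iter_records(data))

def split(data, max_bytes):
    # Several smaller pcaps of at most max_bytes each, like 'pcap-util split' with a size.
    header, parts, cur = data[:PCAP_GLOBAL_LEN], [], data[:PCAP_GLOBAL_LEN]
    for rec in iter_records(data):
        if len(cur) + len(rec) > max_bytes and len(cur) > PCAP_GLOBAL_LEN:
            parts.append(cur)
            cur = header
        cur += rec
    if len(cur) > PCAP_GLOBAL_LEN:
        parts.append(cur)
    return parts

def _build_sample():
    # Constructed sample: little-endian pcap, linktype 105 (IEEE 802.11), five 4-byte
    # frames, then a record claiming capture length 0 followed by junk.
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    good = b"".join(struct.pack("<IIII", 1276675200 + i, 0, 4, 4) + b"\x08\x02\x00\x00"
                    for i in range(5))
    bad = struct.pack("<IIII", 1276675205, 0, 0, 60) + b"\xff" * 20
    return header + good + bad
SAMPLE = _build_sample()
```

Write `repair(open(path, "rb").read())` back to a new file before handing it to aircrack-ng; pieces from `split` each carry their own global header, so they are valid captures on their own.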
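For the "WPA – Debug" slides (a tool does not see the handshake, so how does it look in the capture?), here is an added Python example, not code from the talk or from any of the tools named on it, that classifies EAPOL-Key frames into the four handshake messages from their Key Information flags and checks, via the replay counter, that message 2 has a matching message 1 or 3 from the same exchange; message 2 (SNonce and MIC) plus an ANonce is what aircrack-ng works from when it has fewer than four EAPOL packets. The frames are constructed inline; on a real capture it would be given the EAPOL bytes that follow the 802.11 and LLC/SNAP headers.

```python
import struct

# EAPOL-Key "Key Information" flag bits (IEEE 802.11-2007, 8.5.2).
PAIRWISE, INSTALL, ACK, MIC, SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200

def parse_eapol_key(frame):
    """EAPOL bytes (after 802.11 header + LLC/SNAP) -> (key_info, replay, nonce) or None."""
    if len(frame) < 99 or frame[1] != 3:          # EAPOL packet type 3 = Key
        return None
    key_info, _key_len, replay = struct.unpack(">HHQ", frame[5:17])
    return key_info, replay, frame[17:49]

def handshake_message(key_info, nonce):
    """Which 4-way handshake message this is (1-4), or None for group-key frames."""
    if not key_info & PAIRWISE:
        return None
    ack, mic, install, secure = (bool(key_info & f) for f in (ACK, MIC, INSTALL, SECURE))
    if ack and not mic:
        return 1                                   # AP -> STA, carries ANonce
    if ack and mic and install:
        return 3                                   # AP -> STA, ANonce again, MIC'd
    if mic and not ack and not install:            # 2 and 4 differ only by Secure (802.11i)
        return 4 if secure or nonce == bytes(32) else 2   # ... and by 4 carrying no nonce
    return None

def handshake_status(frames):
    """Messages present, and whether they form a usable set: message 2 (SNonce + MIC) plus
    the ANonce from 1 or 3 of the *same* exchange, checked via the replay counter."""
    seen = {}
    for frame in frames:
        parsed = parse_eapol_key(frame)
        if parsed:
            key_info, replay, nonce = parsed
            n = handshake_message(key_info, nonce)
            if n:
                seen[n] = replay
    usable = 2 in seen and (seen.get(1) == seen[2] or seen.get(3) == seen[2] + 1)
    return sorted(seen), usable

def _eapol_key(key_info, replay, nonce, key_data=b""):
    # Constructed EAPOL-Key frame: descriptor type 2 (RSN), zeroed IV/RSC/ID, dummy MIC.
    mic = b"\x11" * 16 if key_info & MIC else bytes(16)
    body = (struct.pack(">BHHQ", 2, key_info, 16, replay) + nonce + bytes(32) + mic
            + struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 2, 3, len(body)) + body
ANONCE, SNONCE, RSN_IE = bytes(range(32)), bytes(range(32, 64)), b"\x30\x02\x01\x00"  # constructed
M1 = _eapol_key(PAIRWISE | ACK, 1, ANONCE)
M2 = _eapol_key(PAIRWISE | MIC, 1, SNONCE, RSN_IE)
M3 = _eapol_key(PAIRWISE | ACK | MIC | INSTALL | SECURE, 2, ANONCE, RSN_IE)
M4 = _eapol_key(PAIRWISE | MIC | SECURE, 2, bytes(32))
GROUP = _eapol_key(ACK | MIC | SECURE, 3, bytes(32), b"\xdd\x00")   # group-key handshake, ignored
```

A capture that only has message 1 and 3, or a message 2 whose replay counter belongs to a different exchange than the surrounding 1/3, is the usual reason the "bad location" slides describe: the tool saw EAPOL traffic but not a consistent pair.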
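The CAPR and CPG graphs on the Airgraph-ng slides are built from the airodump-ng CSV file. As an added Python example (not airgraph-ng's own code), the following parses that two-table CSV layout and produces the CAPR edges (associated client to AP, coloured by encryption as listed on the slides, so APs without clients drop out) and the CPG edges (client to probed ESSID) from a constructed sample dump; the column order is the one airodump-ng writes.

```python
import csv
import io

# CAPR colours per encryption type, as listed on the airgraph-ng slides.
COLOURS = {"WPA": "green", "WEP": "yellow", "OPN": "red"}

def parse_airodump_csv(text):
    """Split an airodump-ng .csv into {bssid: {essid, privacy}} and a list of stations.
    The file is two tables separated by a blank line, each with its own header row, and
    every cell is space-padded; probed ESSIDs are comma-separated inside the last column."""
    aps, stations, table = {}, [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [cell.strip() for cell in row]
        if not row or row == [""]:
            continue
        if row[0] in ("BSSID", "Station MAC"):     # header row starts a table
            table = row[0]
        elif table == "BSSID":
            aps[row[0]] = {"essid": row[13], "privacy": row[5]}
        elif table == "Station MAC":
            stations.append({"mac": row[0], "bssid": row[5], "probes": [p for p in row[6:] if p]})
    return aps, stations

def colour(privacy):
    # "WPA2 WPA", "WPA2", "WPA" all count as WPA; anything unknown is drawn black.
    return next((c for k, c in COLOURS.items() if privacy.startswith(k)), "black")

def capr_edges(aps, stations):
    """Client -> AP edges (CAPR): associated clients only, so APs without clients vanish."""
    return [(s["mac"], s["bssid"], aps[s["bssid"]]["essid"], colour(aps[s["bssid"]]["privacy"]))
            for s in stations if s["bssid"] in aps]

def cpg_edges(stations):
    """Client -> probed ESSID edges (CPG), including clients that are not associated."""
    return [(s["mac"], essid) for s in stations for essid in s["probes"]]

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-06-16 10:00:00, 2010-06-16 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  100,    0,   0.  0.  0.  0,   9, Corp-WiFi, 
AA:AA:AA:AA:AA:01, 2010-06-16 10:00:00, 2010-06-16 10:05:00,  1,  54, WEP , WEP , , -60,   50,  300,   0.  0.  0.  0,   5, Guest, 
AA:AA:AA:AA:AA:02, 2010-06-16 10:00:00, 2010-06-16 10:05:00, 11,  54, OPN , , , -70,   10,    0,   0.  0.  0.  0,   7, Hotspot, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2010-06-16 10:00:00, 2010-06-16 10:05:00, -50,  20, 00:11:22:33:44:55, Corp-WiFi
DE:AD:BE:EF:00:02, 2010-06-16 10:00:00, 2010-06-16 10:05:00, -55,   5, (not associated), Corp-WiFi,HomeNet
DE:AD:BE:EF:00:03, 2010-06-16 10:00:00, 2010-06-16 10:05:00, -65,  12, AA:AA:AA:AA:AA:01, 
"""   # constructed sample (MACs and ESSIDs invented), airodump-ng column order
```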