Ryan Curtin
LUG@GT

Outline:
Goals
Setting Up
Checking Injection
WEP
WPA
Questions and Comments?

Goals

By the end of this presentation (if you stay awake), you will:
- Understand the different types of wireless keys as well as their advantages and disadvantages
- Understand the legal ramifications of cracking wireless keys
- Have a basic idea of the theory behind the cracking of each key type
- Know how to use software to crack wireless keys
Setting Up

Most of the work can be done with the aircrack-ng package.

None of these attacks can be performed if you are using ndiswrapper for your network drivers, or other drivers that do not support promiscuous (or monitor) mode.

Starting / stopping promiscuous mode:
    airmon-ng stop wlan0
    airmon-ng check wlan0
    airmon-ng start wlan0 <channel>
Checking Injection

Before starting, make sure your card can inject packets into an AP!
    aireplay-ng -9 -e <ESSID> -a <MAC> wlan0

Make sure the percentage of ping replies is not incredibly small, otherwise it may be difficult to collect data.
WEP Encryption

The slide title is not redundant! WEP stands for Wired Equivalent Privacy, not wireless encryption protocol.
- 64-bit or 128-bit keys
- Uses RC4 stream cipher with CRC-32 checksum
Cracking WEP

Different methods have been developed:
- 2001: Fluhrer, Mantin, and Shamir publish WEP flaws and a passive attack
- 2005: FBI demonstrates WEP cracking in three minutes
Using aircrack-ng

1. Gather important data: access point MAC, ESSID, channel
    airodump-ng wlan0

2. Start capture of IVs
    airodump-ng -c <channel> --bssid <MAC> -w <outputfile> wlan0

Leave this running! You want to capture around 50k IVs to ensure success (maybe more).
Using aircrack-ng (2)

4. Reinject ARP packets to get more IVs
    aireplay-ng -3 -b <MAC> wlan0

Run until you have a substantial number of IVs (in your airodump-ng process).
WPA Encryption

WPA with TKIP appeared as an interim solution to the WEP problem while 802.11i was prepared; 802.11i is WPA2.
- WPA: Wi-Fi Protected Access
- TKIP: Temporal Key Integrity Protocol
- TKIP also uses the RC4 cipher (for legacy WEP hardware)
- Use AES instead if possible!
- IV length increased to 48 bits
- WPA-PSK (pre-shared key): common consumer environment setup
Cracking WPA-PSK

The WPA PSK initialization process is reproducible!

Therefore, we must capture a WPA handshake and then try to replicate it.
Using aircrack-ng

1. Gather important data: access point MAC, ESSID, channel; optional: ESSID of connected client
    airodump-ng wlan0

2. Start capture of handshakes
    airodump-ng -c <channel> --bssid <MAC> -w <outputfile> wlan0

Leave this running! Watch for "WPA handshake: xx:xx:xx:xx:xx:xx" in the airodump-ng output.
Rainbow Tables

Rainbow Tables: a giant collection of potential common passphrases

Available from:
- Church of Wifi Rainbow Tables: http://www.renderlab.net/projects/WPA-tables/
- The Schmoo Group: http://rainbowtables.shmoo.com/
- Google Search: http://www.google.com/#q=wpa+rainbow+tables
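The derivation behind the "reproducible initialization" on the Cracking WPA-PSK slide, and the reason the rainbow tables above are only useful for the SSIDs they were built for, as an added example that is not part of the slides: WPA-PSK stretches the passphrase into the Pairwise Master Key with PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID (IEEE 802.11i). The "password"/"IEEE" vector is the published 802.11i test vector; the SSID "linksys", the sample passphrase and the helper names are constructed for this example.

```python
import hashlib
import time

# IEEE 802.11i parameters for WPA/WPA2-Personal (WPA-PSK)
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32  # 256-bit Pairwise Master Key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK for a WPA-PSK network.

    A 64-hex-digit passphrase is the raw 256-bit PSK and is used as-is;
    an 8..63 character passphrase is stretched with PBKDF2-HMAC-SHA1,
    4096 iterations, salted with the SSID. Same inputs always give the
    same PMK, which is the "reproducible initialization" the slides mean.
    """
    ssid_bytes = ssid.encode()
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    if len(passphrase) == 64:
        return bytes.fromhex(passphrase)  # raw PSK, no derivation at all
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid_bytes,
                               PBKDF2_ITERATIONS, PMK_LEN)


def table_transfers(passphrase: str, built_for_ssid: str, target_ssid: str) -> bool:
    """True only if a PMK precomputed for built_for_ssid is also the PMK for
    target_ssid. Because the SSID is the PBKDF2 salt this holds only for an
    identical SSID: a table built for "linksys" says nothing about "IEEE"."""
    return derive_pmk(passphrase, built_for_ssid) == derive_pmk(passphrase, target_ssid)


def derivations_per_second(seconds: float = 0.5) -> float:
    """Measure how many PMK derivations this machine manages per second;
    the 4096 HMAC-SHA1 rounds per guess are what bound a dictionary attack."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        derive_pmk("constructed-sample-passphrase", "ConstructedSSID")  # constructed
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID -> different PMK
    print(table_transfers("password", "linksys", "IEEE"))  # False
    print(f"{derivations_per_second():.0f} PMK derivations/s on this machine")
```

Two defensive consequences follow directly: a non-default SSID invalidates every precomputed table, and a long random passphrase makes the per-guess PBKDF2 cost decisive for anyone replaying a captured handshake.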