SecurityTube.net Trainer, 2011

Book: BackTrack 5 Wireless Penetration Testing Beginner's Guide
http://www.amazon.com/BackTrack-Wireless-Penetration-Testing-Beginners/dp/1849515581/
Agenda

- WPA/WPA2 PSK cracking
- Speeding up the cracking process
- AP-less WPA/WPA2 PSK cracking
- Hole 196
- WPS attack
- Windows 7+ Wi-Fi backdoors
- WPA/WPA2 Enterprise: PEAP, EAP-TTLS
Understanding WPA/WPA2

A short history of WEP breaks:

- 2001: The insecurity of 802.11. N. Borisov, I. Goldberg and D. Wagner. Mobicom, July 2001.
- 2001: Weaknesses in the key scheduling algorithm of RC4. S. Fluhrer, I. Mantin, A. Shamir. Aug 2001.
- 2002: Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. A. Stubblefield, J. Ioannidis, A. Rubin.
- 2004: KoreK improves on the above technique and reduces the complexity of WEP cracking. Only around 500,000 packets are now required to break the WEP key.
- 2005: Andreas Klein introduces more correlations between the RC4 key stream and the key.
- 2007: PTW extend Andreas Klein's technique to further simplify WEP cracking. With just around 60,000 to 90,000 packets it is possible to break the WEP key.

Source: AirTight, 2007
WPA/WPA2 Personal (PSK)

WEP, for comparison: the same static WEP key is configured on the client and on the AP.

- Probe Request / Response
- Authentication Request / Response, Association Request / Response
- Data encrypted with the static WEP key
WPA/WPA2 PSK: PBKDF2

Passphrase (8 to 63 characters) -> PBKDF2 -> 256-bit PSK

PBKDF2: Password Based Key Derivation Function, RFC 2898

    PSK = PBKDF2(Passphrase, SSID, ssidLen, 4096, 256)

- 4096: number of times the passphrase is hashed (the iteration count)
- 256: intended key length of the PSK, in bits
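The derivation written on the slide, as an added Python example (not code from the SecurityTube course): PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 256-bit output, checked against the published IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE"). The function and constant names are this example's own. It also shows the two consequences a defender cares about: the PMK is bound to the SSID, so a table precomputed for a common SSID does not transfer to a network with a unique name, and every guess costs a full 4096-round derivation, which is the per-guess work the later slides push onto GPUs and EC2.

```python
import hashlib
import time

# Added example, not from the SecurityTube slides: the WPA/WPA2-Personal
# PMK derivation that the slide writes as
#   PSK = PBKDF2(Passphrase, SSID, ssidLen, 4096, 256)
# PBKDF2 here is PBKDF2-HMAC-SHA1 (RFC 2898) with the SSID as the salt,
# 4096 iterations and a 256-bit (32-byte) output.

ITERATIONS = 4096   # "4096: number of times the passphrase is hashed"
PMK_BITS = 256      # "256: intended key length of the PSK"


def passphrase_is_valid(passphrase: str) -> bool:
    """WPA-Personal passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK for `passphrase` on the network named `ssid`."""
    if not passphrase_is_valid(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),   # the salt; ssidLen in the slide's formula is implicit
        ITERATIONS,
        dklen=PMK_BITS // 8,
    )


def self_check() -> bool:
    """Compare against the IEEE 802.11i Annex H test vector
    (passphrase "password", SSID "IEEE")."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return wpa_pmk("password", "IEEE").hex() == expected


def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase gives different PMKs on two SSIDs.

    Because the SSID is the salt, a PMK table precomputed for one SSID is
    useless against a network with another name; a non-default SSID defeats
    tables built for common names such as "default"."""
    return wpa_pmk(passphrase, ssid_a) != wpa_pmk(passphrase, ssid_b)


def derivations_per_second(seconds: float = 0.5) -> float:
    """Rough single-core rate of PBKDF2 evaluations. Each dictionary guess
    costs one full derivation; this is the work that GPU and cloud cracking
    parallelise, and the cost that makes a long passphrase expensive."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        wpa_pmk("correct horse battery", "IEEE")   # constructed sample passphrase
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    print("IEEE test vector matches:", self_check())
    print("PMK('password', 'IEEE') =", wpa_pmk("password", "IEEE").hex())
    print("PMK is SSID-bound:", pmk_depends_on_ssid("password", "IEEE", "default"))
    print(f"~{derivations_per_second():.0f} derivations/s on one core")
```

The rate printed by the last line is the practical measure of how much work a given passphrase imposes per guess on the attacker's hardware; the slides on multi-core, CUDA and EC2 are about multiplying exactly that number.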
The 4-way handshake

Supplicant <-> Authenticator

- The authenticator sends its nonce (ANonce).
- The supplicant replies with its nonce (SNonce) and derives the PTK.
- Message 3: key installation; the authenticator has derived the PTK and instructs the supplicant to install it.
- Key installed on both sides.

Demo
Dictionary attack: PBKDF2 and the SSID

PBKDF2 requires two inputs:

- SSID: a list of commonly used SSIDs
- Passphrase: can be provided from a dictionary

Because both inputs can be enumerated, the PMKs for a dictionary can be precomputed for a list of common SSIDs, and the per-guess PBKDF2 cost is paid only once.

Demo
Speeding up cracking

Inputs to the PTK derivation, taken from the 4-way handshake and the PMK:

- SNonce, ANonce
- AP MAC, client MAC
- Pre-Shared Key, 256 bit (PMK)

-> PTK

Platforms:

- Multi-core CPUs
- ATI Stream
- Nvidia CUDA
- ...
- In the cloud: Amazon EC2

Demo
AP-less WPA/WPA2 PSK cracking: understanding clients

Client profile: SSID "default", credentials ********

An isolated client: the client keeps the network's credentials in its profile and keeps looking for that network even when the AP is not present.

Demo

Hacker honeypot: the handshake the isolated client completes with the honeypot is run through a dictionary, so no access to the real AP is needed.

Demo
Hole 196

Client 1: PTK1, GTK-Common
Client 2: PTK2, GTK-Common
Client 3: PTK3, GTK-Common

- Pairwise Transient Key (PTK): unique for each client
- Group Temporal Key (GTK): the same for all clients

GTK packet numbers (PN) seen by the clients: PN = 1001, PN = 1500, PN = 1002
WPS attack

Demonstration: WPS bruteforce demo
Windows 7+ Wi-Fi backdoors

Demonstration: demo of Hosted Network

Wi-Fi backdoor

- Easy for malware to create a backdoor.
- The key could be:
  - fixed, or
  - derived from the MAC address of the host, the time of day, etc.
- As the host remains connected to the authorized network, the user does not notice a break in connection.
- No message or prompt is displayed.

Rogue AP

- Abuses a legitimate feature, so it is not picked up by AVs or anti-malware.
- More stealth? Monitor the air for other networks; when a specific network comes up, then start the backdoor.

Demonstration: demo of Metasploit + Hosted Network
WPA-Enterprise

Supplicant <-> Authenticator <-> Authentication Server

- Association
- EAPoL Start
- EAP Request Identity
- EAP Response Identity
- EAP packets (the method-specific exchange, relayed to the authentication server)
- EAP Success
- 4-way handshake
- Data transfers
WPA/WPA2 Enterprise: EAP types and real-world usage

EAP type    Real-world usage
PEAP        Highest
EAP-TTLS    High
EAP-TLS     Medium
LEAP        Low
EAP-FAST    Low
...
PEAP: Protected Extensible Authentication Protocol

Typical usage:

- PEAPv0 with EAP-MSCHAPv2 (most popular)
- PEAPv1 with EAP-GTC

Native support on Windows.

Source: Layer3.wordpress.com

PEAP attack flow:

1. Client connects.
2. Client accepts the fake certificate.
3. Client sends authentication details over MSCHAPv2 in the TLS tunnel.
4. The attacker's RADIUS server logs these details.
5. Apply a dictionary / reduced-possibility bruteforce attack using Asleap by Joshua Wright.
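The whole flow above hinges on step 2, the client accepting a certificate it should have rejected. As an added example (not configuration from the SecurityTube course), this wpa_supplicant network block for PEAPv0/EAP-MSCHAPv2 pins the CA that issued the RADIUS server's certificate and requires the server name to match, so a honeypot presenting its own certificate never gets to see the MSCHAPv2 exchange. The SSID, identities, password, CA path and domain are placeholders.

```conf
# Added example, not from the slides. All values below are placeholders.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    # PEAPv0 with EAP-MSCHAPv2, the most popular combination from the slide
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
    # The outer identity travels in the clear; keep the real username inside the tunnel
    anonymous_identity="anonymous@example.com"
    identity="user@example.com"
    password="PLACEHOLDER"
    # Pin the CA of the RADIUS server. Without ca_cert the supplicant accepts
    # any server certificate, which is exactly what step 2 of the attack relies on.
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # Also require the server certificate's name to match the organisation's
    # RADIUS host, so a valid certificate issued for another name is rejected.
    domain_suffix_match="radius.example.com"
}
```

The same two checks exist in the Windows PEAP profile as "Validate server certificate" with a list of trusted root CAs and "Connect to these servers"; a profile that leaves them off, or lets the user click through the certificate prompt, is in the state the demo exploits.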
Network architecture for the demo: BT5 VM running Wireshark on the monitor-mode interface mon0.

Demonstration: PEAP cracking with honeypot
EAP-TTLS: EAP-Tunneled Transport Layer Security

- The server authenticates with a certificate.
- The client can optionally use a certificate as well.
- No native support on Windows; 3rd-party utilities have to be used.
- Versions: EAP-TTLSv0, EAP-TTLSv1

Demonstration: EAP-TTLS cracking with honeypot
http://www.securitytube.net/