Cracking WiFi Networks - PowerPoint PPT Presentation

Transcript and Presenter's Notes
1
Cracking Wi-Fi Networks
  • Peter MacLellan
  • Northeastern University
  • Candidate BSCS 2008

2
Overview
  • Quick Legal Issues
  • Available Security Features
  • Cracking WEP
  • Algorithm Weakness
  • Software/Techniques
  • Cracking WPA
  • Conclusions / Best Practices
  • Questions

3
Legal Issues
  • Laws on WiFi access are generally made on a
    state-by-state basis, are vague and largely
    untested
  • Title 18 of the U.S. Code
  • Illegal to connect to federal government
    agencies, financial and interstate commerce
    institutions
  • Be smart: only connect to a network that is
    yours (you own it) or that you have legitimate
    permission to use

4
Available Security Features
  • MAC (Media Access Control) Filtering
  • MAC addresses can be spoofed
  • WEP (Wired Equivalent Privacy)
  • Known to be practically insecure since 2001
  • WPA (Wi-Fi Protected Access)
  • Practically secure interim fix for WEP
  • WPA2
  • Practically secure; implements the full IEEE
    802.11i-2004 standard

5
Access Point Admin Application
  • Security features are set in the Access Point's
    administration application (available via a web
    browser)
  • It's important to change the admin user's
    password from the get-go
  • A compromised network is much more appealing to a
    hacker if the hacker has full control over its
    settings

6
Overview
  • Quick Legal Issues
  • Available Security Features
  • Cracking WEP
  • Algorithm Weakness
  • Software/Techniques
  • Cracking WPA
  • Conclusions / Best Practices
  • Questions

7
RC4
  • WEP security uses the RC4 stream cipher invented
    by Ron Rivest of RSA Security in 1987
  • RC4 is a stream cipher
  • A stream cipher takes a key and a message
  • The key is used to generate a pseudo-random bit
    string which is then XORed with the message to
    produce ciphertext
  • Decryption happens in the same manner (the
    ciphertext is XORed with the same keystream)

8
WEP's Use of RC4
  • For WEP, the key used is a concatenation of an
    Initialization Vector (IV, pseudo-random bits)
    and the key you set on the AP
  • The use of the IV adds security to WEP by
    eliminating a 1-to-1 mapping between message and
    ciphertext
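The stream-cipher and WEP-seeding points on slides 7 and 8, as an added example that is not part of the original presentation: a minimal RC4 (key scheduling plus keystream generation), the WEP per-frame key built as IV followed by the shared key, and a birthday-bound estimate of how many frames a 24-bit IV survives before it repeats. Function names are my own; the RC4 test vector (key `Key`, plaintext `Plaintext`) is the public one, and the WEP key and frame contents are constructed sample values.

```python
# Added example, not code from the original slides: RC4 as used by WEP.
import math
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):                        # key-scheduling algorithm
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    ks = rc4_keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def wep_seed(iv: bytes, root_key: bytes) -> bytes:
    """WEP's per-frame RC4 key: the 3-byte IV concatenated with the shared key.

    The shared key is 40 bits (5 bytes) or 104 bits (13 bytes); the IV is
    transmitted in the clear in front of every frame.
    """
    assert len(iv) == 3 and len(root_key) in (5, 13)
    return iv + root_key


def wep_encrypt_frame(iv: bytes, root_key: bytes, payload: bytes):
    """Return (iv, ciphertext) as they would appear on the air."""
    return iv, rc4_crypt(wep_seed(iv, root_key), payload)


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two frames under the same IV and key share a keystream, so
    C1 XOR C2 == P1 XOR P2: this is the 1-to-1 mapping the IV was meant
    to remove, and it returns the moment an IV repeats."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def frames_until_iv_collision(p: float = 0.5, iv_bits: int = 24) -> float:
    """Birthday bound: frames with random IVs before a repeat with probability p."""
    return math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - p)))


if __name__ == "__main__":
    # Public RC4 test vector: key "Key", plaintext "Plaintext".
    print(rc4_crypt(b"Key", b"Plaintext").hex())       # bbf316e8d940af0ad3
    root = bytes.fromhex("0102030405")                 # constructed 40-bit WEP key
    iv = os.urandom(3)
    _, c1 = wep_encrypt_frame(iv, root, b"GET /index.html")
    _, c2 = wep_encrypt_frame(iv, root, b"GET /login.html")
    print("C1 xor C2 =", keystream_reuse_leak(c1, c2).hex())
    print(f"~{frames_until_iv_collision():.0f} frames for a 50% chance of an IV repeat")
```

The birthday estimate (about 4,800 frames for a coin-flip chance of a repeated IV) is the defender's takeaway: even with an ideal IV generator, a busy network reuses RC4 keystreams within seconds, independently of the weak-IV and statistical attacks described on the following slides.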

9
Attacks on WEP (1 of 3)
  • In 2001, Fluhrer, Mantin and Shamir discovered
    that the first few bytes of RC4 data are
    non-random
  • In order for this attack to work, the IVs need to
    fulfill a so-called "resolved condition", i.e.
    they must be weak IVs
  • In response, manufacturers made Access Points
    which avoided using weak IVs
  • 4 million frames needed for this attack

10
Attacks on WEP (2 of 3)
  • In 2004, a person using the pseudonym KoreK
    posted a family of statistical attacks against
    WEP that do not need weak IVs
  • The number of frames needed for key recovery was
    reduced to about 500,000 packets (down from 4
    million)
  • aircrack-ng is based on this attack

11
Attacks on WEP (3 of 3)
  • In 2007, Erik Tews, Ralf-Philipp Weinmann, and
    Andrei Pyshkin optimized the previous attacks
  • Working at 802.11g data rates, they showed they
    could crack 128-bit WEP with just 85,000 packets,
    with a 95% success rate, in less than 60 seconds
  • This is the basis for aircrack-ptw

12
WEP Packets
  • Frames contain a plaintext header followed by
    encrypted data
  • Packet lengths aren't hidden
  • BSSIDs are easily spoofed for retransmission of
    packets
  • For key recovery, both plaintext and ciphertext
    must be known

13
ARP Requests
  • Address Resolution Protocol
  • Standard method for finding a host's hardware
    address when only its network layer address is
    known.
  • Example: your computer asking for its IP address
  • We don't know the secret key, so we cannot
    generate our own ARP request.
  • The solution is to capture an ARP request and
    replay it

14
Aircrack-ng
  • Found at www.aircrack-ng.org/
  • Steps for installing software (for active
    attacks)
  • Must be running Linux and have a compatible card
  • Patch drivers for card to enable injection
  • Install aircrack-ng
  • Install aircrack-ptw

15
Why Crack WEP?
  • Though WEP was cracked in 2001, empirical
    evidence shows that 70% of networks still use it
  • http://eprint.iacr.org/2007/120

16
Example Site Survey
17
Overview
  • Quick Legal Issues
  • Available Security Features
  • Cracking WEP
  • Algorithm Weakness
  • Software/Techniques
  • Cracking WPA
  • Conclusions / Best Practices
  • Questions

18
WPA Encryption
  • WPA still uses RC4 for encryption with the added
    security of TKIP
  • TKIP: Temporal Key Integrity Protocol
  • Rekeying protocol ensures that every packet is
    encoded with a different key
  • Message integrity check disallows forged packets
  • Known WEP attacks not possible

19
WPA Attack
  • Two types of WPA authentication
  • WPA Business
  • WPA Personal
  • WPA Business uses a RADIUS server for
    authentication
  • WPA Personal uses four-way handshake for
    authentication
  • Only WPA Personal can be cracked using
    information from the four-way handshake

20
WPA Dictionary Attack
  • Four-way handshake uses the network name as a
    step in masking the contents of the key
  • Impossible to keep a full dictionary of
    password-ciphertext pairs for all networks (this
    can be done for common names)
  • Instead, generate a list of probable passwords,
    compute the handshake for each one and compare it
    to the captured handshake offline, on the fly

21
Password Generation
  • Research has shown that most passwords include
    English words
  • Hackers/University Researchers have compiled
    lists that contain the most probable words and
    numbers
  • I wrote a program that combines all the possible
    words with all the possible numbers which is then
    piped to aircrack-ng
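Slides 20 and 21 describe the WPA-Personal dictionary attack in terms of "masking the key with the network name" and "words combined with numbers". As an added example that is not from the original presentation, the Python below shows the concrete step behind both: IEEE 802.11i derives the Pairwise Master Key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), so the SSID acts as a salt (which is why a precomputed table only serves one network name), and the cost of that derivation times the size of the candidate space is what decides whether a passphrase survives an offline search. The guess rate is an assumed figure, not a measurement; the function names are mine; the passphrase/SSID pair `password`/`IEEE` is the published 802.11i test vector.

```python
# Added example, not code from the original slides: WPA-PSK key derivation
# and a passphrase-strength estimate from the defender's side.
import hashlib
import math

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-Personal
PMK_BYTES = 32


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32).

    The SSID is the salt, so the same passphrase on two networks gives two
    unrelated PMKs; rainbow tables therefore have to be built per SSID.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_BYTES)


def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs on two SSIDs."""
    return wpa_psk_pmk(passphrase, ssid_a) != wpa_psk_pmk(passphrase, ssid_b)


def word_number_space(num_words: int, max_number: int) -> int:
    """Candidate count for the 'English word followed by a number' pattern."""
    return num_words * (max_number + 1)


def random_space(alphabet_size: int, length: int) -> int:
    """Candidate count for a uniformly random passphrase."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to derive a PMK for every candidate at a given rate."""
    return space / guesses_per_second


def bits_of_entropy(space: int) -> float:
    """Entropy of a uniformly chosen passphrase from a space of this size."""
    return math.log2(space)


if __name__ == "__main__":
    print("PMK(password, IEEE) =", wpa_psk_pmk("password", "IEEE").hex())
    print("SSID changes the PMK:", pmk_depends_on_ssid("password", "IEEE", "ieee"))

    RATE = 1_000.0  # ASSUMED PBKDF2 guesses/second for one core; measure your own
    weak = word_number_space(100_000, 9_999)   # 100k-word list x numbers 0..9999
    strong = random_space(62, 12)              # 12 random characters from [A-Za-z0-9]
    for label, space in (("word+number", weak), ("random 12-char", strong)):
        years = seconds_to_exhaust(space, RATE) / 86400 / 365.25
        print(f"{label:15s} {bits_of_entropy(space):5.1f} bits  "
              f"{years:.3g} years to exhaust at {RATE:.0f} guesses/s")
```

The word-plus-number space on the slide is about 2^30 candidates, which a single core exhausts in days at the assumed rate; a 12-character random passphrase is about 2^71, which the same rate does not exhaust in the lifetime of the network. That gap, not the SSID salt, is what the "password not based on an English word" advice on the Best Practices slide buys.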

22
Overview
  • Quick Legal Issues
  • Available Security Features
  • Cracking WEP
  • Algorithm Weakness
  • Software/Techniques
  • Cracking WPA
  • Conclusions / Best Practices
  • Questions

23
Best Practices
  • Always change the password of the AP's
    administrator application
  • Select WPA as the encryption protocol and use a
    password not based on an English word
  • Use MAC Address filtering
  • Don't piggyback off another person's network
  • Check your ISP's license agreement to see if you
    can share your connection

24
Overview
  • Quick Legal Issues
  • Available Security Features
  • Cracking WEP
  • Algorithm Weakness
  • Software/Techniques
  • Cracking WPA
  • Conclusions / Best Practices
  • Questions

25
Cracking Wi-Fi Networks
  • Peter MacLellan
  • Northeastern University
  • Candidate BSCS 2008

For more information: http://www.ccs.neu.edu/home/peter/wifi