WPA, what else? - PowerPoint PPT Presentation

About This Presentation
Title:

WPA, what else?

Description:

In fact, aircrack-ng can work with less than 4 packets. If too far, won't get everything ... Exaggerated in the news, only a few frames can be sent. Work in Progress: ... – PowerPoint PPT presentation

Slides: 35
Provided by: Thom399

Transcript and Presenter's Notes

Title: WPA, what else?


1
WPA, what else?
Thomas d'Otreppe de Bouvette, Aircrack-ng
  • UNAM, Mexico City
  • November 27-28, 2008

2
Agenda
  • WEP
  • WPA How does it work?
  • WPA Practice
  • Location, location, location
  • Cracking the key
  • Bruteforce
  • WPA - Tools
  • Airbase-ng
  • Tkiptun-ng
  • Airolib-ng
  • Practical stuff

3
WEP
  • It was fun
  • A few new attacks were created
  • Caffe Latte
  • Cfrag
  • PTW2: needs fewer packets than PTW to crack a key
  • WEP Cloaking is now dead too

4
  • WEP
  • WPA How does it work?
  • WPA Practice
  • Location, location, location
  • Cracking the key
  • Bruteforce
  • WPA - Tools
  • Airbase-ng
  • Tkiptun-ng
  • Airolib-ng
  • Practical stuff

5
WPA
  • More and more networks use WPA
  • WPA is a hot topic these days
  • CUDA
  • New attack and tool tkiptun-ng

6
WPA
  • 802.11i group launched when flaws were found in
    WEP
  • 2 link-layer protocols
  • TKIP (WPA1): draft 3 of the 802.11i group (backward
    compatible with legacy hardware)
  • CCMP (WPA2): final 802.11i standard
  • 2 authentication methods
  • Personal: PSK
  • Enterprise: MGT

7
WPA-PSK How does it work?
8
(No Transcript)
9
WPA-PSK 4 way handshake
10
WPA-PSK PTK Construction
11
WPA-PSK PMK Construction
12
(No Transcript)
13
(No Transcript)
14
(No Transcript)
15
(No Transcript)
16
  • WEP
  • WPA How does it work?
  • WPA Practice
  • Location, location, location
  • Cracking the key
  • Bruteforce
  • WPA - Tools
  • Airbase-ng
  • Tkiptun-ng
  • Airolib-ng
  • Practical stuff

17
WPA Location
  • Need all packets from the 4-way handshake => must
    hear both the AP and the client
  • In fact, aircrack-ng can work with less than 4
    packets
  • If too far, won't get everything

18
WPA Location (2)
19
WPA Location (3)
20
WPA Cracking the key
  • Processing Unit
  • CPU
  • GPU (CUDA and AMD Stream)
  • Method
  • Wordlist
  • Bruteforce
  • "Rainbow" tables

21
WPA - CUDA
  • Cracking with your nVidia
  • Much faster than with a CPU (10-100x)
  • Intel P4 3.2GHz: 150 keys/sec
  • AMD Turion 64 X2 TL-60 (2GHz): 230 keys/sec
  • Nvidia 280GTX: 11000 keys/sec
  • A few tools exist
  • Commercial
  • Open source: pyrit
  • Planned in aircrack-ng (AMD Stream too)

22
WPA - Pyrit cracking speed
23
WPA - Bruteforce
  • Let's calculate how much time it will take to
    crack a simple passphrase with alphanumeric
    values (upper and lower case).
  • Smallest WPA passphrase: 8 characters (max 63).

24
WPA - Bruteforce (2)
  • 8-character passphrase
  • 62 possibilities per character: A-Z a-z 0-9
  • Using a 280GTX (11000 keys/sec)
  • 62^8 = 218 340 105 584 896 possible keys
  • 218 340 105 584 896 / 11000 keys/sec = 19 849 100 508 sec
  • 19 849 100 508 sec = 5 513 639 hours
  • 5 513 639 hours = 229 735 days
  • 229 735 days = 630 years

25
630 years for an 8-char WPA key
  • A bit too long for a simple passphrase.
  • For a 12-character passphrase, bruteforce will
    take 9 309 091 680 years.
  • Dictionary attack and John the Ripper are still
    the best solution.
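The keyspace arithmetic from the two bruteforce slides, generalised to any passphrase length and cracking rate, plus the defender's version of the question (how long a random passphrase must be to push the search past a given number of years). This is an added example, not code from the deck or from aircrack-ng; the per-hardware rates are the figures quoted on the CUDA slide.

```python
# Benchmarks quoted on the CUDA slide (keys/sec); 280GTX drives the worked example.
CRACK_RATES = {
    "Intel P4 3.2GHz": 150,
    "AMD Turion 64 X2 TL-60": 230,
    "Nvidia 280GTX": 11000,
}

ALNUM = 62  # A-Z a-z 0-9, the charset used on the slide


def div_round(n, d):
    """Integer division rounded to nearest, so huge keyspaces stay exact."""
    return (n + d // 2) // d


def bruteforce_time(length, keys_per_sec, charset_size=ALNUM):
    """Exhaustive-search time for a passphrase of exactly `length` characters,
    rounded step by step the way the slide does (years rounded up)."""
    keys = charset_size ** length
    seconds = div_round(keys, keys_per_sec)
    hours = div_round(seconds, 3600)
    days = div_round(hours, 24)
    years = -(-days // 365)  # ceiling division
    return {"keys": keys, "seconds": seconds, "hours": hours,
            "days": days, "years": years}


def min_length_for(target_years, keys_per_sec, charset_size=ALNUM):
    """Shortest random passphrase from this charset whose worst-case search
    takes at least `target_years` at the given rate (WPA minimum is 8)."""
    length = 8
    while bruteforce_time(length, keys_per_sec, charset_size)["years"] < target_years:
        length += 1
    return length


if __name__ == "__main__":
    for name, rate in CRACK_RATES.items():
        years = bruteforce_time(8, rate)["years"]
        print(f"{name:24s} 8 chars: {years:>12,} years")
    print("chars needed for 1e9 years at 11000 keys/sec:",
          min_length_for(10**9, 11000))
```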

26
  • WEP
  • WPA How does it work?
  • WPA Practice
  • Location, location, location
  • Cracking the key
  • Bruteforce
  • WPA - Tools
  • Airbase-ng
  • Tkiptun-ng
  • Airolib-ng
  • Practical stuff

27
Airbase-ng
  • Airbase-ng is a multi-purpose tool aimed at
    attacking clients as opposed to the Access Point
    (AP) itself.
  • Features
  • Soft AP/Ad hoc
  • Karma
  • Encrypt/Decrypt packets
  • Capture WPA handshake from a client.
  • Filtering to avoid disturbing nearby networks

28
Airbase-ng (2)
  • Turn any monitor-mode capable card into an AP
  • Default mode: Karma
  • Karmetasploit = airbase-ng + metasploit

29
Fun with airbase-ng
  • Karma
  • airbase-ng rausb0
  • Soft AP
  • airbase-ng -y -e myAP -c 6 rausb0
  • ifconfig at0 up 192.168.0.254
  • ping/ssh/... it from the client
  • Script to manipulate packets
  • airbase-ng -Y both rausb0
  • ./test/replay.py at1

30
Fun with airbase-ng (2)
  • WPA Handshake capture
  • airbase-ng -z 2 -W 1 -y -c 6 -e home rausb0
  • Location problem solved :), you just need the
    client

31
Tkiptun-ng
  • Exaggerated in the news, only a few frames can be
    sent
  • Work in Progress
  • Basic documentation written
  • Not fully working yet

32
Tkiptun-ng (2)
  • WPA TKIP + QoS (802.11e)
  • Decrypt packets from the AP
  • Modified chopchop
  • Breaks the MIC key
  • Save plaintext keystream

33
Airolib-ng
  • Create pre-computed WPA hash tables to be used
    with aircrack-ng
  • Uses a sqlite database
  • Import/Export
  • Import passphrases/essid lists
  • Cowpatty tables (genpmk)
  • Pyrit can export its hash tables to airolib-ng
    format
  • Speed (once precomputed)
  • Eee 701 (900MHz, SD card): 9700 keys/sec
  • AMD Turion 64 X2 TL-60 (2GHz, HDD 7200rpm):
    55500 keys/sec (30000 keys/sec virtualized).
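Why precomputing per ESSID pays off, and what it does not buy: the WPA-PSK PMK is PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt (4096 iterations, 256-bit output), so a table like airolib-ng's is only valid for the ESSIDs it was built for, and a non-default ESSID plus a long random passphrase forces the full per-candidate cost again. This is an added example, not the airolib-ng implementation; the ESSID "home" and the three-word list are constructed inputs, and the known-answer vector is the standard's "password"/"IEEE" test case.

```python
import hashlib

# Constructed sample inputs for this example (not from the deck).
SAMPLE_ESSID = "home"
SAMPLE_WORDLIST = ["password", "letmein123", "correcthorse"]


def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes).
    The 4096 HMAC rounds are the cost every candidate passphrase pays, which
    is exactly what airolib-ng / genpmk / pyrit precompute per ESSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               essid.encode("utf-8"), 4096, 32)


def precompute_table(essid: str, passphrases) -> dict:
    """Table in the spirit of airolib-ng: (essid, passphrase) -> PMK."""
    return {(essid, p): wpa_pmk(p, essid) for p in passphrases}


def pmk_from_table(table: dict, essid: str, passphrase: str):
    """Cheap lookup that replaces PBKDF2 in the cracking phase; None on a miss."""
    return table.get((essid, passphrase))


def table_reusable_for(table: dict, essid: str) -> bool:
    """A precomputed table only helps against networks whose ESSID it covers;
    any other ESSID sends the attacker back to full PBKDF2 per candidate."""
    return any(k[0] == essid for k in table)


def ieee_known_answer() -> bool:
    """IEEE 802.11i Annex H vector: passphrase "password", SSID "IEEE"."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return wpa_pmk("password", "IEEE").hex() == expected


if __name__ == "__main__":
    table = precompute_table(SAMPLE_ESSID, SAMPLE_WORDLIST)
    print("known-answer ok:", ieee_known_answer())
    print("table usable for 'home':", table_reusable_for(table, "home"))
    print("table usable for 'home2':", table_reusable_for(table, "home2"))
    print("PMK(home, letmein123) =", pmk_from_table(table, "home", "letmein123").hex())
```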

34
Conclusion
  • Questions?
  • Practical stuff
  • WPA Cracking
  • Fun: Airgraph-ng