2. CodeStock is proudly partnered with: RecruitWise and Staff with Excellence - www.recruitwise.jobs
Send instant feedback on this session via Twitter: send a direct message with the room number to @CodeStock, e.g. "d codestock 406 This session is great!"
For more information on sending feedback using Twitter while at CodeStock, please see the “CodeStock README” in your CodeStock guide.
3. what we do: consulting, training, design, debugging
who we are: Founded by top experts on Microsoft – Jeffrey Richter, Jeff Prosise, and John Robbins – our mission is to help our customers achieve their goals through advanced software-based consulting and training solutions.
how we do it
Consulting & Debugging
• Architecture, analysis, and design services
• Full lifecycle custom software development
• Project management
• Debugging & performance tuning
Training
• On-site instructor-led training
• Virtual instructor-led training
• Devscovery conferences
• Content creation
Design
• User Experience Design
• Visual & Content Design
• Video & Animation Production
wintellect.com
4. Don’t Be Stupid
The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on systems that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Please remember this basic guideline: With knowledge comes responsibility.
5. Disclaimer
The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of, my employer, nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
7. Required Gear
• Network Adapter that supports “Monitor” mode
– Equivalent to promiscuous mode on a normal NIC
• Windows, Mac, or Linux
– Linux tools tend to be more readily available
8. Wireless Packet Frames
• Management Frames
– Authentication
– De-authentication
– Association Request
– Association Response
– Re-association Request
– Re-association Response
– Disassociation
– Beacon
– Probe Request
– Probe Response
• Control Frames
– Request to Send (RTS)
– Clear to Send (CTS)
– Acknowledgment (ACK)
• Data Frames
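To make the management/control/data split on this slide concrete, here is an added example (not from the talk) that decodes the 802.11 frame-control field, the flag bits, the addresses and, for de-authentication and disassociation frames, the reason code. It uses only the standard library; the BSSID, client MAC and sample frames are constructed.

```python
# Added example (not from the slides): decode the 802.11 frame-control field and
# the addresses of a raw frame, so the management/control/data split on the
# slide can be seen on real bytes. Sample frames are constructed below.
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}

MGMT_SUBTYPES = {
    0: "Association Request", 1: "Association Response",
    2: "Re-association Request", 3: "Re-association Response",
    4: "Probe Request", 5: "Probe Response", 8: "Beacon",
    10: "Disassociation", 11: "Authentication", 12: "De-authentication",
    13: "Action",
}
CTRL_SUBTYPES = {
    8: "Block Ack Request", 9: "Block Ack", 10: "PS-Poll",
    11: "Request to Send (RTS)", 12: "Clear to Send (CTS)",
    13: "Acknowledgment (ACK)", 14: "CF-End",
}
DATA_SUBTYPES = {0: "Data", 4: "Null", 8: "QoS Data", 12: "QoS Null"}

FLAG_NAMES = ["to_ds", "from_ds", "more_frag", "retry",
              "pwr_mgmt", "more_data", "protected", "order"]


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211(frame):
    """Return a dict describing the frame type, subtype, flags and addresses."""
    if len(frame) < 10:
        raise ValueError("frame too short for a frame-control field and RA")
    fc0, fc1 = frame[0], frame[1]          # frame control is little-endian
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    flags = {name: bool(fc1 & (1 << i)) for i, name in enumerate(FLAG_NAMES)}
    names = {0: MGMT_SUBTYPES, 1: CTRL_SUBTYPES, 2: DATA_SUBTYPES}.get(ftype, {})
    info = {
        "version": fc0 & 0x3,
        "type": TYPE_NAMES[ftype],
        "subtype": names.get(subtype, f"reserved ({subtype})"),
        "flags": flags,
        "addr1": mac_str(frame[4:10]),     # RA / DA
    }
    if ftype == 1:
        # Control frames carry one address (CTS, ACK) or two (RTS, PS-Poll, BAR, BA).
        if subtype in (8, 9, 10, 11) and len(frame) >= 16:
            info["addr2"] = mac_str(frame[10:16])
        return info
    if len(frame) < 24:
        raise ValueError("management/data frame needs a 24-byte header")
    info["addr2"] = mac_str(frame[10:16])  # SA / TA
    info["addr3"] = mac_str(frame[16:22])  # BSSID when neither DS bit is set
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    info["seq"] = seq_ctl >> 4
    info["frag"] = seq_ctl & 0xF
    if ftype == 0 and subtype in (10, 12) and len(frame) >= 26:
        info["reason_code"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def build_mgmt_frame(subtype, dst, src, bssid, body=b"", seq=0):
    """Constructed management frame: FC, duration, three addresses, seq ctl, body."""
    fc = bytes([subtype << 4, 0x00])
    return fc + b"\x3a\x01" + dst + src + bssid + struct.pack("<H", seq << 4) + body


BROADCAST = b"\xff" * 6
AP = bytes.fromhex("001122334455")        # constructed BSSID
STA = bytes.fromhex("66778899aabb")       # constructed client MAC

# Broadcast de-authentication with reason code 7 (class 3 frame from a non-associated STA)
DEAUTH = build_mgmt_frame(12, BROADCAST, AP, AP, struct.pack("<H", 7), seq=1)
# ACK addressed to the client: FC 0xd4 0x00, duration, RA only
ACK = bytes([0xD4, 0x00]) + b"\x00\x00" + STA

if __name__ == "__main__":
    for f in (DEAUTH, ACK):
        print(parse_80211(f))
```

Feeding captured frames from a monitor-mode interface (radiotap header stripped) into `parse_80211` gives the same classification that the wireshark filters used later in the talk rely on.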
10. Packet Sniffing
• Determine the channel of the network we are interested in
– required for sniffing data packets
– airodump-ng
• iwconfig mon0 channel 11 (demo pre/post)
11. Packet Injection
• aireplay-ng
– Inject packets onto a specific wireless network without specific association to that network
– Can target specific channels, mask MAC addresses, etc.
– Does not require association
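Because management frames on pre-802.11w networks are neither authenticated nor encrypted, the AP cannot tell injected de-authentication frames from its own, and the only defensive signal is rate. As an added example (not from the talk), this detector flags a BSSID whose de-authentication/disassociation rate exceeds a threshold inside a sliding window; it consumes already-decoded frame records, and the traffic, thresholds and MAC addresses are all constructed.

```python
# Added example (not from the talk): a rate-based detector for de-authentication
# floods, the defender-side counterpart of unauthenticated management-frame
# injection. It works on already-decoded frame records; the sample records and
# the thresholds are constructed.
from collections import deque, defaultdict

DEAUTH_SUBTYPES = {"De-authentication", "Disassociation"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def detect_deauth_floods(records, window_s=1.0, threshold=10):
    """records: iterable of (timestamp, subtype, bssid, dst, reason_code).

    Returns one alert per BSSID, raised the first time its deauth/disassoc
    count inside any `window_s` window exceeds `threshold`. A real AP sends a
    handful of these per minute; dozens per second, usually to the broadcast
    address with one fixed reason code, is the signature of injection.
    """
    windows = defaultdict(deque)      # bssid -> timestamps inside the window
    broadcast = defaultdict(int)      # bssid -> how many were sent to ff:ff:...
    alerted = set()
    alerts = []
    for ts, subtype, bssid, dst, reason in sorted(records, key=lambda r: r[0]):
        if subtype not in DEAUTH_SUBTYPES:
            continue
        q = windows[bssid]
        q.append(ts)
        if dst == BROADCAST:
            broadcast[bssid] += 1
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({
                "bssid": bssid,
                "first_seen": q[0],
                "frames_in_window": len(q),
                "broadcast_frames": broadcast[bssid],
                "reason_code": reason,
            })
    return alerts


# Constructed traffic: a benign AP that drops two idle clients over a minute,
# and a second BSSID that sees 40 broadcast deauths inside 0.4 s.
BENIGN = [
    (0.0, "Beacon", "00:11:22:33:44:55", BROADCAST, None),
    (12.5, "De-authentication", "00:11:22:33:44:55", "66:77:88:99:aa:bb", 4),
    (48.0, "Disassociation", "00:11:22:33:44:55", "66:77:88:99:aa:cc", 8),
]
FLOOD = [
    (20.0 + i * 0.01, "De-authentication", "aa:bb:cc:dd:ee:ff", BROADCAST, 7)
    for i in range(40)
]

if __name__ == "__main__":
    for alert in detect_deauth_floods(BENIGN + FLOOD):
        print(alert)
```

The structural fix is 802.11w (Protected Management Frames), which lets clients discard de-authentication frames that do not carry a valid MIC; where that is not deployable, a WIDS running logic like the above on a monitor-mode sensor is the fallback.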
14. DEMO: Hidden SSID
• Show packet capture with the SSID
• Hide SSID
• Prove it is now hidden
• Solve for X
– Passive (wait for valid client) – wireshark filter
– Use aireplay-ng to send deauth packet to force the discovery
• Probe Request/Probe Response packets
16. DEMO: MAC Filters
• Enable MAC Filtering on the WAP
• Prove that a client cannot connect
• Use airodump-ng to show associated clients
• Use macchanger to spoof the whitelisted address and connect.
18. DEMO: Shared Key Authentication
• Illustration (steal picture from Wikipedia/netgear?)
• Configured AP for Shared Key/Update Client
• Use airodump-ng to capture/log the authentication scheme + keystream
– Wait for valid client or send deauth pkt
• Use aireplay-ng to pass back the captured auth pkt
• TIP: DOS by filling up AP tables (wrapper around aireplay-ng)
20. DEMO: WEP Encryption
• Capture data packets (ARP) from a known/trusted client (airodump-ng)
• Replay them/re-inject between 10-100,000 times (aireplay-ng)
• Crack them (aircrack-ng)
• “Guaranteed” crack
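The reason a few tens of thousands of captured packets are enough is structural: WEP re-keys RC4 for every packet with a 24-bit IV prepended to the shared key, so the IV space is tiny and a repeated IV means a repeated keystream. This added example (not from the talk) implements a plain RC4 and WEP-style per-packet encryption to show the two-time-pad leak on an IV repeat, and computes the birthday bound for IV reuse at the packet counts on the slide. The key, IV and payloads are constructed.

```python
# Added example (not from the talk): why a fixed 24-bit IV makes WEP fall to
# packet collection. RC4 is re-keyed per packet with IV || key; when an IV
# repeats, so does the keystream, and XORing the two ciphertexts cancels it.
# The key, IV and payloads below are constructed.
import math


def rc4_keystream(key, length):
    """Plain RC4 (KSA + PRGA); WEP used it with a 24-bit IV prepended to the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv, key, plaintext):
    """WEP-style per-packet encryption (ICV omitted): IV in clear, RC4(IV || key)."""
    ks = rc4_keystream(iv + key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def iv_collision_probability(n_packets, iv_bits=24):
    """Birthday bound: P(at least one repeated IV) after n packets with random IVs."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-n_packets * (n_packets - 1) / (2.0 * space))


def packets_for_probability(p, iv_bits=24):
    """Smallest n with iv_collision_probability(n) >= p (closed form of the bound)."""
    space = 2 ** iv_bits
    return math.ceil(0.5 + math.sqrt(0.25 - 2 * space * math.log(1 - p)))


KEY = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
IV = bytes.fromhex("a1b2c3")               # constructed IV that the sender reuses
P1 = b"GET /index.html HTTP/1.0\r\n"       # constructed payloads
P2 = b"ARP who-has 10.0.0.1 tell"

if __name__ == "__main__":
    c1, c2 = wep_encrypt(IV, KEY, P1), wep_encrypt(IV, KEY, P2)
    # Same IV -> same keystream: the ciphertext XOR equals the plaintext XOR,
    # with no knowledge of the key at all.
    print(xor_bytes(c1[3:], c2[3:]) == xor_bytes(P1, P2))
    print("packets for a 50% IV repeat:", packets_for_probability(0.5))
    for n in (5_000, 10_000, 100_000):
        print(n, "packets ->", round(iv_collision_probability(n), 4))
```

Many real cards also reset the IV to zero on power-up and count sequentially, which is worse than the random-IV bound computed here; either way the defence is not a longer WEP key but replacing WEP with WPA2/WPA3, which derive a fresh per-session key and use a nonce space that cannot be exhausted.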
22. DEMO: WPA/2 Encryption
• Vulnerable to dictionary attacks
• Collect authentication handshake
• Select dictionary file and run the cracker
• Works for WPA, WPA2, AES, TKIP
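The dictionary attack works regardless of cipher because the pre-shared key is a deterministic function of the passphrase and the SSID, and a captured 4-way handshake lets a guess be verified offline. This added example (not from the talk) implements that derivation as specified in IEEE 802.11i (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt), checks it against the spec's published test vector, and adds a constructed entropy heuristic to show that passphrase strength, not AES versus TKIP, is what the attack is measured against.

```python
# Added example (not from the talk): how a WPA/WPA2-PSK passphrase becomes the
# 256-bit key. derive_psk() is the IEEE 802.11i derivation; charset_bits() is a
# constructed heuristic used only to compare candidate passphrases.
import hashlib
import math
import string


def derive_psk(passphrase, ssid):
    """PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def charset_bits(passphrase):
    """Upper bound on passphrase entropy: length * log2(alphabet actually used).
    A dictionary word scores far below even this bound, which is the slide's point."""
    size = 0
    for chars in (string.ascii_lowercase, string.ascii_uppercase,
                  string.digits, string.punctuation):
        if any(c in chars for c in passphrase):
            size += len(chars)
    return len(passphrase) * math.log2(size) if size else 0.0


# IEEE 802.11i Annex H test vector, so the derivation can be checked offline.
TEST_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

if __name__ == "__main__":
    pw, ssid, expected = TEST_VECTOR
    print("test vector ok:", derive_psk(pw, ssid).hex() == expected)
    # The SSID is the salt: the same passphrase on a differently named network
    # gives a different PSK, so precomputed tables only cover common SSIDs.
    print("SSID changes PSK:", derive_psk(pw, "IEEE") != derive_psk(pw, "linksys"))
    for candidate in ("password", "Tr0ub4dor&3", "lengthy-random-words-go-here"):
        print(f"{candidate!r}: at most {charset_bits(candidate):.1f} bits")
```

Two defensive consequences follow directly: a non-default SSID defeats precomputed PSK tables, and only passphrase length and randomness raise the cost of each guess, since every candidate costs the attacker exactly one 4096-round PBKDF2. WPA3's SAE handshake removes the offline verification step entirely, which is why it resists dictionary attacks that WPA/WPA2-PSK do not.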