
Attacks on wireless networks. Part 1

In the last article on wireless networks, we looked at the first stage — information gathering, or wardriving. Now, we will demonstrate several ways to obtain unauthorized access to wireless networks, as well as recommendations for protection against them.



First, we will list the protection options that can be enabled on the access point to keep other users out of the network:
  1. SSID Cloaking - hiding the network name. Access is allowed only to clients who know this name.
  2. MAC Filtering - filtering by MAC address. Access is allowed only to clients whose network adapter addresses are entered on the access point.
  3. Shared Key Authentication - authentication with a shared key. Access is allowed only to clients who have passed the challenge based on the shared key.

It is important to note that these methods do not ensure the confidentiality of data transmitted over the network; they simply restrict access to the network. That is, even if all of these tools are enabled on the access point, an attacker can switch his wireless adapter into "monitor mode", listen to the air and capture everything that is transmitted. The following methods protect the data cryptographically:
  1. WEP is the most commonly used wireless security method. It encrypts all data transmitted over the network. There is no authentication as such: if you do not know the key, you cannot decrypt the data. The disadvantage of this method is a very weak algorithm; an attacker cracks the key in less than 5 minutes.
  2. WPA and WPA2 Pre-Shared Key - a strong authentication and data encryption system. Access is granted through a shared key. The security level is equal to the complexity of the shared key, since the system is subject to brute-force attacks.
  3. WPA and WPA2 Enterprise is a variant of the previous system, but an external 802.1X EAP authenticator is used to verify identity, which allows the use of certificates, smart cards, etc.

Today we will look at bypassing the first four protection systems. The main tool for such manipulations is the Aircrack-ng suite. We recommend using Linux, since this package is more developed in its Linux version and, more importantly, suitable drivers that allow attacking wireless networks are much more widely available under Linux (on Windows only the CACE adapters, Airpcap, are supported). Detailed instructions for installing the correct drivers and Aircrack-ng itself can be found here. Now we proceed to the process itself.
For convenience, we will use the following notation:

00:aa:aa:aa:aa:aa - MAC address of the access point

00:cc:cc:cc:cc:cc - MAC address of the client connected to this point

00:ff:ff:ff:ff:ff - MAC address of our adapter

wlan0 - the name of our wireless interface

1. Bypass SSID Cloaking


When connecting to an access point on which name hiding is enabled, the client always sends this name in its request. Therefore, we only have to wait for one client. To do this, run

airodump-ng wlan0 -c <channel on which the access point is located>


and if in the last (ESSID) column you see <length: X>, where X is some number, then this network hides its name. Next you need to wait a bit until someone connects, and the value in the column will change to the network name automatically. Or, if you have not managed to catch anything for a long time, you can start a deauthentication with the command

aireplay-ng wlan0 -0 100 -b 00:aa:aa:aa:aa:aa , where 100 is the number of deauthentication packets to send


This operation sends packets that instruct clients connected to the access point to disconnect from it. They disconnect and, after a few seconds, start connecting again, sending the network name in the connection request. Accordingly, airodump-ng will immediately show it. For a more effective deauthentication, it is better to target a specific connected client:

aireplay-ng wlan0 -0 100 -b 00:aa:aa:aa:aa:aa -c 00:cc:cc:cc:cc:cc

Kismet can also be used to disclose the network name. This program displays the network name automatically as soon as a client connects to the network.

2. MAC Filtering bypass


To connect to an access point that filters users by the MAC address of their adapter, you only need to know the MAC address of an already connected client. Knowing the address, in Linux run

ifconfig wlan0 down

ifconfig wlan0 hw ether 00:cc:cc:cc:cc:cc

ifconfig wlan0 up

or under Windows use the MAC changer utility. Next you need to wait until the legitimate client disconnects and then connect yourself, or use the deauthentication attack on the legitimate client.

3. Bypass Shared Key Authentication


If you are trying to perform a fake authentication with the command

aireplay-ng wlan0 -1 4000 -a 00:aa:aa:aa:aa:aa

and instead of a success message you get

Sending Authentication Request
AP rejects open-system authentication
Please specify a PRGA-file (-y),

it is necessary to obtain a copy of a shared key authentication. airodump-ng can do this. Run it and wait until the AUTH field for the selected network shows SKA. This means that the program has caught the authentication and saved it to a file named sharedkey-*.xor. Next, run

aireplay-ng -1 4000 -e <network name> -y sharedkey-<your file>.xor -a 00:aa:aa:aa:aa:aa -h 00:ff:ff:ff:ff:ff wlan0

and you are authenticated. If SKA does not appear in airodump-ng for a long time, it is possible, as in the case of name disclosure, to deauthenticate an existing client.
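The deauthentication used in sections 1-3 (aireplay-ng -0) is loud on the air: dozens of deauth/disassoc management frames carrying one BSSID arrive within a second, which normal roaming never produces. As an added example that is not part of the original article, the Python below decodes the 802.11 management header of captured frames and flags such bursts per BSSID; the frames, timestamps, window and threshold are constructed sample data, and the MAC addresses follow the article's notation.

```python
import struct
from collections import defaultdict

DEAUTH, DISASSOC = 0x0C, 0x0A          # 802.11 management subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"

def parse_mgmt(frame: bytes):
    """Decode the 24-byte 802.11 header; returns (subtype, da, sa, bssid) or None."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]                      # first byte of the Frame Control field
    if (fc0 >> 2) & 0x3 != 0:           # bits 2-3 = type; 0 means management
        return None
    subtype = (fc0 >> 4) & 0xF          # bits 4-7 = subtype
    return subtype, frame[4:10].hex(":"), frame[10:16].hex(":"), frame[16:22].hex(":")

def detect_deauth_flood(capture, window=1.0, threshold=10):
    """capture: iterable of (timestamp_s, raw_frame). Flags each BSSID with at least
    `threshold` deauth/disassoc frames in any `window`-second span (aireplay-ng -0 pattern)."""
    events = defaultdict(list)          # bssid -> [(ts, destination)]
    for ts, frame in capture:
        parsed = parse_mgmt(frame)
        if parsed and parsed[0] in (DEAUTH, DISASSOC):
            events[parsed[3]].append((ts, parsed[1]))
    alerts = {}
    for bssid, evs in events.items():
        times = sorted(ts for ts, _ in evs)
        peak = start = 0
        for end in range(len(times)):   # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = {"peak_per_window": peak, "total": len(evs),
                             "broadcast": sum(da == BROADCAST for _, da in evs)}
    return alerts

def _frame(subtype, da, sa, bssid, seq):
    """Constructed sample management frame: header plus a 2-byte reason code."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    return (bytes([subtype << 4, 0]) + b"\x00\x00" + h(da) + h(sa) + h(bssid)
            + struct.pack("<H", seq << 4) + struct.pack("<H", 7))

AP, CLIENT, OTHER_AP = "00:aa:aa:aa:aa:aa", "00:cc:cc:cc:cc:cc", "00:bb:bb:bb:bb:bb"
# Constructed capture: 15 broadcast deauths "from" the AP within 0.42 s (the shape of
# aireplay-ng -0 with only -b), one beacon, and one ordinary deauth from another AP.
SAMPLE_CAPTURE = [(i * 0.03, _frame(DEAUTH, BROADCAST, AP, AP, i)) for i in range(15)]
SAMPLE_CAPTURE += [(0.10, _frame(8, BROADCAST, AP, AP, 100)),            # beacon
                   (5.00, _frame(DEAUTH, CLIENT, OTHER_AP, OTHER_AP, 1))]
```

Running detect_deauth_flood(SAMPLE_CAPTURE) reports only the article's AP, with 15 frames in the window and all of them addressed to broadcast; the single deauth from the other AP stays below the threshold.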

4. Breaking the WEP Key


The encryption algorithm used by WEP was broken at the beginning of this century, and since then even more serious vulnerabilities have been found in it several times, allowing the encryption key to be recovered ever faster. The first program that broke a WEP key was called airsnort, and it needed to capture 8-10 million packets. Later, aircrack-ng allowed this to be done 10 times faster. And in 2005, with the arrival of aircrack-ptw, the required number of packets dropped to 20-80 thousand, depending on the key length.

In order not to wait until the adapter collects 80,000 packets, we will generate these packets ourselves. The best packet for this purpose is ARP. It can be obtained in several ways, but we will start with fake authentication, without which the access point will simply ignore the packets we send.

aireplay-ng wlan0 -1 4000 -a 00:aa:aa:aa:aa:aa


And run airodump-ng to save the packets.

airodump-ng wlan0 -c 6 -w save , where 6 is the network channel and save is the prefix of the capture file

Next, the easiest way:

aireplay-ng wlan0 -3 -a 00:aa:aa:aa:aa:aa

In this mode the adapter captures packets and waits for an ARP packet. When one appears, the program automatically begins to replay it, generating the new packets we need to break the key. After that run the program:

aircrack-ng save-*.cap


and wait until it gives you the network key.

You can also create this ARP packet yourself. For this we need a keystream. It can be obtained in two ways. The first is the chop-chop attack, which is slower but works more often.

aireplay-ng wlan0 -4 -b 00:aa:aa:aa:aa:aa

Soon the program will catch a packet and, if its size is more than 56 bytes, you can press 'y'. After some time the keystream will be extracted and saved in replay_dec-*.xor. If the program reports an error, try running it like this:

aireplay-ng wlan0 -4 -b 00:aa:aa:aa:aa:aa -h 00:ff:ff:ff:ff:ff

And be sure to run fake authentication before this.

Another option is a fragmentation attack. It is much faster, but it does not work on all access points.

aireplay-ng wlan0 -5 -b 00:aa:aa:aa:aa:aa

After successful execution, you will likewise receive a file fragment-*.xor

Next, having the file with the keystream, we create the packet:

packetforge-ng -0 -a 00:aa:aa:aa:aa:aa -h 00:ff:ff:ff:ff:ff -k 255.255.255.255 -l 255.255.255.255 -y <file with keystream> -w arp , where arp is the file in which the packet is saved.

Now we will send this packet continuously:

aireplay-ng wlan0 -2 -r arp

And then, as in the first variant, we launch aircrack-ng and wait for the network key to be displayed.

5. Protection


As you can see, all these 4 methods have vulnerabilities and are easily bypassed, so even the combination SSID cloaking + MAC filtering + SKA + WEP will only cost the attacker more time; in the end he will achieve his goal. Therefore, we recommend using only WPA2, with long keys in the case of PSK and a reliable external authentication system in the case of WPA2-Enterprise. The remaining methods do not provide an adequate level of security.

In the next article we will look at more exotic attacks on WEP (caffe-latte, client fragmentation and connecting to the network without knowing the WEP key), as well as attacks on WPA and ways to protect against them.

Source: https://habr.com/ru/post/50174/