The document provides an overview of cracking WiFi networks using aircrack-ng and related tools. It discusses network basics like MAC addresses and wireless modes like managed and monitor. It then covers specific attacks like deauth attacks to disconnect clients, capturing handshakes using airodump-ng and packet injection with aireplay-ng. Finally it discusses cracking encrypted networks starting with older WEP encryption through WPA and WPA2 using captured handshakes and wordlist attacks with aircrack-ng. The document serves as a guide to common WiFi cracking techniques.
5. Network Basics
A network is nothing but a number of devices connected together, sharing data and resources!
All devices (wired or wireless) achieve this using the same principle:
One device acts as a server, and the server holds the data which is shared between the connected devices.
In most Wi-Fi networks, the server is a router and the shared data is the INTERNET!
All devices have a MAC address.
Each packet carries the source MAC address and the destination MAC address.
7. Wireless Modes
There are eight modes that 802.11 wireless cards can operate in: Master (acting as an access point), Managed (client, also known as station), Ad hoc, Repeater, Mesh, Wi-Fi Direct, TDLS and Monitor mode.
However, we are only going to talk about 2 modes:
Managed Mode: Here our Wi-Fi card acts like a client, i.e. only packets addressed to our card are received by it.
Monitor Mode: Here our Wi-Fi card (NIC) will sniff all the packets around it (whether addressed to it or not).
8. Sniffing using airodump-ng
Airodump-ng is a program that is part of the aircrack-ng package; it's a packet sniffer that allows us to capture all the packets within our Wi-Fi card's range. We can also scan all the Wi-Fi networks around us and gather info about them.
Using airodump-ng:
> airmon-ng start [interface]
> airodump-ng [mon_interface]
10. Let's see how we can narrow our view down to only our target.
For instance, I only want to view BMSCE_Hostel:
> airodump-ng --channel [CH] --bssid [BSSID] --write [filename] [interface]
12. De-auth Attack
This attack is used to disconnect any device from any network within our range, even if the network is protected with a key.
The hacker sends deauthentication packets to the router pretending to be the target machine (by spoofing its MAC address).
At the same time, the hacker sends packets to the target machine (pretending to be the router) telling it that it needs to re-authenticate itself.
We'll be using a tool called aireplay-ng.
> aireplay-ng --deauth [number of packets] -a [AP's BSSID] [INTERFACE]
-- To de-authenticate all clients in a specific network
> aireplay-ng --deauth [number of packets] -a [AP's BSSID] -c [target's MAC] [INTERFACE]
-- To de-authenticate a specific client in a specific network
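As an added, defender-side example (not part of the original slides): a small 802.11 MAC header parser plus a sliding-window counter that flags the bursts of deauthentication frames the attack above produces, run over a constructed capture. Frame layout follows the 802.11 management-frame format; the threshold, window, MAC addresses and function names are my own choices. The real mitigation is 802.11w (Protected Management Frames), which authenticates deauth/disassoc frames so spoofed ones are dropped.

```python
import struct
from collections import defaultdict

# 802.11 frame type 0 = management; the two subtypes that kick clients off
MGMT_DISASSOC = 10
MGMT_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(dst: str, src: str, bssid: str, reason: int = 7) -> bytes:
    """Construct a minimal 802.11 deauthentication frame (constructed sample input
    for the detector below; no radiotap header, no FCS)."""
    frame_control = (0 << 2) | (MGMT_DEAUTH << 4)      # type 0, subtype 12
    hdr = struct.pack("<HH", frame_control, 0)         # frame control, duration
    hdr += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    hdr += struct.pack("<H", 0)                        # sequence control
    return hdr + struct.pack("<H", reason)             # reason code (fixed field)


def parse_header(frame: bytes) -> dict:
    """Decode frame control and the three address fields of an 802.11 MAC header."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc = struct.unpack_from("<H", frame, 0)[0]
    info = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "addr1": mac_str(frame[4:10]),    # receiver address
        "addr2": mac_str(frame[10:16]),   # transmitter address
        "addr3": mac_str(frame[16:22]),   # BSSID for management frames
    }
    if info["type"] == 0 and info["subtype"] in (MGMT_DEAUTH, MGMT_DISASSOC):
        info["reason"] = struct.unpack_from("<H", frame, 24)[0] if len(frame) >= 26 else None
    return info


def deauth_alerts(capture, window_s: float = 10.0, threshold: int = 5) -> dict:
    """capture: iterable of (timestamp_seconds, raw_frame).
    Returns {bssid: peak count} for BSSIDs whose deauth/disassoc count inside any
    sliding window of window_s seconds reaches threshold. A real AP sends a
    handful of these per day; aireplay-ng --deauth sends them in bursts of 64."""
    per_bssid = defaultdict(list)
    for ts, raw in capture:
        h = parse_header(raw)
        if h["type"] == 0 and h["subtype"] in (MGMT_DEAUTH, MGMT_DISASSOC):
            per_bssid[h["addr3"]].append(ts)
    alerts = {}
    for bssid, times in per_bssid.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts


def sample_capture():
    """Constructed capture: one legitimate deauth from AP1 (inactivity timeout), then
    a burst of 64 broadcast deauths spoofed with AP2's address within two seconds."""
    ap1, ap2, client = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"
    cap = [(0.0, build_deauth(client, ap1, ap1, reason=4))]   # reason 4: inactivity
    cap += [(100.0 + i * 0.03, build_deauth(BROADCAST, ap2, ap2, reason=7))
            for i in range(64)]
    return cap


if __name__ == "__main__":
    print(deauth_alerts(sample_capture()))
```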
14. Creating a Fake AP (honeypot)
Fake access points are usually left open to attract more people, so that the packets passing through can be sniffed.
To accomplish this, we will need two network cards:
1. NIC1 – one connected to the internet (can be wired as well)
2. NIC2 – the other to broadcast the AP.
17. WEP is an old encryption, but it is still used in some networks.
It uses an algorithm called RC4.
Each packet is encrypted at the AP and then decrypted at the client.
WEP ensures that each packet has a unique key stream by using a 24-bit random Initialization Vector (IV); this IV is sent along with the packet in plain text.
Now what do you think is the flaw in this encryption?
24 bits is a very short number, and in a busy network we can get 2 packets with the same IV.
Then we can use aircrack-ng to determine the key stream and the WEP key using statistical attacks.
Now, there are two cases which can occur:
Basic Case: Traffic on the network is high, i.e. a large number of packets are transferred between sender and receiver.
Idle AP: The network is quiet, there is no exchange of packets whatsoever, or no clients are connected to it.
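An added example (mine, not from the slides) of why the 24-bit IV is the flaw: WEP prepends the IV to the shared key and feeds it to RC4, so two packets with the same IV use the same keystream, and XORing their ciphertexts cancels the keystream without knowing the key. The birthday bound shows how few packets a repeat takes. The key, IV and plaintexts are constructed; the ICV is omitted.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 key scheduling plus PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-packet RC4 key is IV || shared key (40- or 104-bit); the 3-byte IV
    travels in the clear in front of the ciphertext. CRC-32 ICV left out."""
    assert len(iv) == 3 and len(wep_key) in (5, 13)
    keystream = rc4_keystream(iv + wep_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def reused_iv_leak(packet_a: bytes, packet_b: bytes) -> bytes:
    """Two packets with the same IV share a keystream, so XORing their ciphertexts
    cancels it and yields plaintext_a XOR plaintext_b, with no key involved."""
    if packet_a[:3] != packet_b[:3]:
        raise ValueError("IVs differ; the keystreams are independent")
    return xor_bytes(packet_a[3:], packet_b[3:])


def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that some IV repeats among `packets` random IVs."""
    n = 2 ** iv_bits
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * n))


def expected_packets_to_first_repeat(iv_bits: int = 24) -> float:
    """About sqrt(pi * 2^bits / 2): roughly 5,100 packets for 24-bit IVs,
    i.e. seconds of traffic on a busy network."""
    return math.sqrt(math.pi * 2 ** iv_bits / 2.0)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"                       # same IV reused for both packets
    p1, p2 = b"GET /index.html ", b"POST /login.php "
    leak = reused_iv_leak(wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2))
    print(leak == xor_bytes(p1, p2), expected_packets_to_first_repeat())
```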
18. Tackling the Basic Case:
This is an easy one to handle; we can just run airodump-ng to log all the traffic from the target network:
> airodump-ng --channel [CH] --bssid [BSSID] --write [filename] [interface]
Ex: airodump-ng --channel 6 --bssid 11:22:33:44:55:66 --write out wlan0mon
At the same time, we shall use aircrack-ng to try and crack the key using the capture file (airodump-ng names it [filename]-01.cap):
> aircrack-ng [filename]
Ex: aircrack-ng out-01.cap
20. The Idle AP case
In this case, we have to inject packets into the traffic in order to force the router to create new packets with new IVs.
But before we can inject any packet into the traffic, we have to authenticate our Wi-Fi card with the AP, as APs ignore any request from a station that is not associated with them.
This can be done easily with aireplay-ng:
> aireplay-ng --fakeauth 0 -a [target MAC] -h [our MAC] [interface]
If the fake authentication is successful, the value under the AUTH column will change to "OPN".
21. Now that we have authenticated with the AP, we can use a method called
• ARP Request Replay
22. ARP Request Replay
In this method, after authenticating with the target AP, we wait for an ARP packet.
We capture this packet and inject it into the traffic again.
This forces the AP to generate a new packet with a new IV.
This process is repeated until the number of IVs captured is sufficient to crack the key.
> aireplay-ng --arpreplay -b [target MAC] -h [our MAC] [interface]
27. WPS (Wi-Fi Protected Setup)
WPS is a feature that allows users to connect to WPS enabled networks using a WPS push button or by clicking on the WPS functionality.
Authentication is done using an 8-digit long PIN.
This is a relatively very small number and can be brute forced, i.e. it can be guessed.
A tool called reaver can then recover the WPA/WPA2 key from the PIN.
28. Steps:
We are going to use a tool called wash to scan for all the WPS enabled networks nearby:
> wash -i [interface]
29. As mentioned before, the reaver tool is used to get the WPS PIN and can also find the WPA PSK (will explain in coming slides):
> reaver -b [target BSSID] -c [channel] -i [interface]
31. In WPA, each packet is encrypted with a unique temporary key; this means the number of data packets we collect is irrelevant.
THIS IS A PROBLEM!
Before trying to access a WPA/WPA2 network, we essentially need to know how they work.
When a client (Supplicant) establishes a successful connection with an AP (Authenticator), a 4-way handshake takes place to derive and share the encryption keys!
32. Key Terminologies:
MSK (Master Session Key): The master session key is the first key, which is generated from 802.1X/EAP.
GTK (Group Temporal Key): The group temporal key is used to encrypt all broadcast and multicast traffic between an access point and multiple client devices. The GTK is the key which is shared between all client devices associated with one access point. Every access point has a different GTK, which is shared between its associated devices.
GMK (Group Master Key): The group master key is used in a 4-way handshake to create the GTK discussed above. The GTK is generated on every access point and shared with the devices connected to this AP.
33. PTK (Pairwise Transient Key): The pairwise transient key is used to encrypt all unicast traffic between a client station and the access point. The PTK is unique between a client station and the access point. To generate the PTK, the client device and the access point need the following information:
PTK = PRF(PMK + ANonce + SNonce + MAC(AA) + MAC(SA))
PMK (Pairwise Master Key): The pairwise master key is generated from the master session key (MSK). It is used to generate the PTK.
38. WPA data packets are not useful, as they do not contain any info that can be used to crack the key.
The only packets that contain information that can help us crack the password are the handshake packets.
• Every time a client connects to the AP, a 4-way handshake occurs, as explained.
• By capturing the handshake, we can use aircrack-ng to launch a wordlist attack against the handshake.
39. Capturing a Handshake
Handshake packets are sent every time a client associates with the target AP.
1. Start airodump-ng on the target AP:
> airodump-ng --channel [CH] --bssid [BSSID] --write [filename] [interface]
2. Wait for a client to connect to the AP. But do we have that much time? I mean, think of a network where no new clients are likely to connect for days, or years in some cases.
Do we know something which can help???
De-auth attack!!
We can de-authenticate a connected client for a short amount of time so that it will automatically connect back to the AP:
> aireplay-ng --deauth [number of packets] -a [AP MAC] -c [target MAC] [interface]
42. Creating a wordlist
You can either download a wordlist from the internet (I'll be sharing links 🧐)
OR you can create your own wordlist by using a tool called crunch.
> ./crunch [min] [max] [characters = lower|upper|numbers|symbols] -t [pattern] -o [file]
Ex: ./crunch 6 6 '123456!"$*' -t 'a@@@@b' -o wordlist
(With -t, min and max must both equal the pattern length; the charset and pattern are quoted so the shell does not interpret ! " $ *.)
43. Now that we have created the wordlist, the only thing left is to use aircrack-ng to crack the key.
Aircrack-ng combines each password in the wordlist with the AP name (ESSID) to compute the Pairwise Master Key (PMK) and compares it against the handshake.
> aircrack-ng [handshake file] -w [wordlist]
Ex: aircrack-ng handshake-01.cap -w listpass
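An added example (mine, not from the slides) working through the PMK and PTK derivations behind slide 33's formula and slide 43's description of what aircrack-ng computes: for WPA/WPA2-Personal the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt, and the PTK comes from the 802.11i PRF over the PMK, both MAC addresses and both nonces. The MAC addresses and nonces below are constructed; the passphrase/ESSID pair "password"/"IEEE" is the standard's published test vector. Note that WPA3-SAE derives the PMK differently, so a captured handshake gives no such offline check there, and the ESSID salt is why a long, non-dictionary passphrase is the defence the slides recommend.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes).
    Each candidate passphrase costs 4096 HMAC rounds and is tied to one ESSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    and truncate to nbytes."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Slide 33's PTK = PRF(PMK, ANonce, SNonce, AA, SA), as 802.11i specifies it:
    PRF-384(PMK, "Pairwise key expansion",
            min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    for CCMP, split into KCK (handshake MIC key), KEK and TK (data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def demo() -> dict:
    """Derive keys for a constructed handshake: AP address, station address and
    the two nonces the 4-way handshake exchanges in the clear."""
    pmk = pmk_from_passphrase("password", "IEEE")
    aa = bytes.fromhex("001122334455")      # constructed AP MAC
    spa = bytes.fromhex("66778899aabb")     # constructed station MAC
    anonce = bytes(range(32))               # constructed nonces
    snonce = bytes(range(32, 64))
    return derive_ptk(pmk, aa, spa, anonce, snonce)


if __name__ == "__main__":
    print(pmk_from_passphrase("password", "IEEE").hex())
    print({k: v.hex() for k, v in demo().items()})
```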