CEH v6 - Module 20: Hacking Wireless Networks



... by passive scanners like Kismet or AirSnort.

EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

WarDriving Tool: Shtumble
Shtumble detects nearby access points, lets the user select one, starts DHCP where appropriate (usually), and applies the WEP, WPA or other custom configuration stored for known networks.

Shtumble: Screenshot
(Two screenshots: radio off with no networks in view; associated, with a few networks available.)

Temporal Key Integrity Protocol (TKIP)
• The session (pairwise) key is established during the 4-way handshake that follows authentication
• TKIP changes the encryption key dynamically: a key-mixing function derives fresh per-packet keys from the key established during authentication
• The initialization vector grows from WEP's 24 bits to 48 bits
• The first 4 bits indicate the QoS traffic class; the remaining 44 bits are used as a sequence counter
• A 48-bit IV space gives 2^48 (about 281 trillion) possible IVs, against 2^24 (about 16.7 million) for WEP
• The IV is hashed (mixed) into the per-packet key rather than simply prepended to the secret key
• It is therefore much harder to find packets encrypted with the same key stream, which is what WEP IV-collision attacks rely on

LEAP: The Lightweight Extensible Authentication Protocol
Proprietary, closed solution:
• LEAP was introduced (with few public details) by Cisco as being unaffected by the WEP vulnerabilities (Cisco 2002)
LEAP conducts mutual authentication:
• The client is assured that the access point is an authorized one
Uses per-session keys that can be renewed regularly:
• Makes the collection of a key stream ("pad") or of weak IVs more difficult
• The secret key can be changed before the collection is complete
The user is authenticated, instead of the hardware:
• MAC address access control lists are not needed
LEAP requires an authentication server (RADIUS) to support the access points

LEAP Attacks
Dictionary attacks:
• LEAP is a password-based scheme
• Passwords are frequently guessable (Joshua Wright 2003)
LEAP access points do not use weak IVs:
• LEAP uses MS-CHAP v2 and shows the same weaknesses as MS-CHAP (Wright 2003)
• There are many variants of the Extensible Authentication Protocol, such as EAP-TLS and PEAP

LEAP Attack Tool: ASLEAP
ASLEAP is a hacking tool released as a proof of concept to demonstrate the weakness in LEAP; it uses an offline dictionary attack to break LEAP passwords.
Features:
• Recovers weak LEAP passwords
• Can read live from any wireless interface in RFMON mode
• Can monitor a single channel, or perform channel hopping to look for targets
• Handles dictionary and genkeys files up to 4 TB in size

Working of ASLEAP
This tool works as follows:
• Scans 802.11 packets by putting the wireless interface in RFMON (monitor) mode
• Hops channels to look for targets (WLANs that use LEAP)
• De-authenticates users on LEAP networks, forcing them to re-authenticate by supplying their user name and password
• Records the LEAP exchange information to a libpcap file
• The captured exchange is then analyzed offline and compared against values computed from a dictionary to guess the password