Konrad Jędrzejczyk in Bucharest, Romania on November 8-9th 2018 at DefCamp #9. The videos and other presentations can be found on https://def.camp/archive

1. WiFi practical hacking
"Show me the passwords!"
BY KONRAD JĘDRZEJCZYK

2. Whoami
• VP Threat Detection Analysis, Financial Institution
• Senior Threat Hunter, Pepsico Consulting Polska Sp. z o.o.
• Senior Incident Response Analyst, Royal Bank of Scotland S.A.
• IT Infrastructure Risk Analyst, Royal Bank of Scotland S.A.
• IT Security Incident Manager, ING Services Polska Sp. z o.o.
• IT Forensic Expert, ProCertiv Sp. z o.o.
• IT Security Expert (Co-Founder), Collective Systems
The opinions expressed here are my own and do not necessarily represent those of my employer.
WHOAMI 2

3. WHOAMI 3
http://podstawczynski.com/retro/pics_small/IMG_2443.jpg

4. Hz
PREPARATION 4
https://www.wifiki.eu
2.4 GHz (802.11b/g/n)
3.65 GHz (802.11y)
4.9 GHz (802.11j) public safety WLAN
5 GHz (802.11a/h/j/n/ac/ax)
5.9 GHz (802.11p)
60 GHz (802.11ad/ay)
900 MHz (802.11ah)

5. Theory...
THEORY 5
https://www.wigle.net/stats

6. THEORY 6
http://www.aliexpress.com
Theory...

7. Antenna - theory
PREPARATION 7
https://www.wifiki.eu

8. Antenna - theory
PREPARATION 8
https://www.wifiki.eu

9. Antenna - theory
PREPARATION 9
https://www.wifiki.eu

10. Antenna - reality
PREPARATION 10

11. PREPARATION 11
Hardware & Software

12. HARDWARE 12
Hardware & Software

13. OPENWRT = WORMHOLE ATTACK + MITM +3G 13
Hardware & Software

14. HARDWARE 14
Hardware & Software

15. HARDWARE 15
Hardware & Software

16. HARDWARE 16
Hardware & Budget

17. PREPARATION 17
Software & Aircrack-ng

18. PREPARATION 18
Checking hardware/driver capabilities
Iw list |
less

19. PREPARATION 19
Checking hardware/driver capabilities
Iw list |
less

20. PREPARATION 20
Checking hardware/driver capabilities
Iw list |
less

21. PREPARATION 21
Checking hardware/driver capabilities
Iw list |
less

22. PREPARATION 22
KISMET = WiFi+GPS
Iw list |
less

23. PREPARATION 23
KISMET = WiFi+GPS
Iw list |
less

24. Kismet-[date+hour].nettxt
PREPARATION 24
Network 4253: BSSID DC:53:7C:B7:AF:A2
Manuf : CompalBr
First : Wed Mar 21 16:05:29 2018
Last : Wed Mar 21 16:05:50 2018
Type : infrastructure
BSSID : DC:53:7C:B7:AF:A2
SSID 1
Type : Beacon
SSID : "House of Cards"
First : Wed Mar 21 16:05:29 2018
Last : Wed Mar 21 16:05:50 2018
Max Rate : 144.4
Beacon : 10
Packets : 3
WPS : Configured
Encryption : WPA+PSK
Encryption : WPA+TKIP
Encryption : WPA+AES-CCM
WPA Version: WPA+WPA2
Channel : 8
Frequency : 2447 - 3 packets, 100.00%
Max Seen : 1000
LLC : 3
Data : 0
Crypt : 0
Fragments : 0
Retries : 0
Total : 3
Datasize : 0
Min Pos : Lat 52.238670 Lon 20.988529 Alt 148.658997 Spd 0.000000
Max Pos : Lat 52.238674 Lon 20.988548 Alt 149.800995 Spd 0.000000
Peak Pos : Lat 52.238674 Lon 20.988548 Alt 148.658997
Avg Pos : AvgLat 52.238673 AvgLon 20.988536 AvgAlt 149.156900
Last BSSTS : Feb 26 09:02:14
Seen By : wlan0mon (wlan0mon) bc17995e-2d40-11e8-925d-5905352b2c03 3 packets
Wed Mar 21 16:05:50 2018
Client 1: MAC DC:53:7C:B7:AF:A2
Manuf : CompalBr
First : Wed Mar 21 16:05:29 2018
Last : Wed Mar 21 16:05:50 2018
Type : From Distribution
MAC : DC:53:7C:B7:AF:A2
Channel : 8
Frequency : 2447 - 3 packets, 100.00%
Max Seen : 1000
LLC : 3
Data : 0
Crypt : 0
Fragments : 0
Retries : 0
Total : 3
Datasize : 0
Min Pos : Lat 52.238670 Lon 20.988529 Alt 148.658997 Spd 0.000000
Max Pos : Lat 52.238674 Lon 20.988548 Alt 149.800995 Spd 0.000000
Peak Pos : Lat 52.238674 Lon 20.988548 Alt 148.658997
Avg Pos : AvgLat 52.238673 AvgLon 20.988536 AvgAlt 149.156900
Seen By : wlan0mon (wlan0mon) bc17995e-2d40-11e8-925d-5905352b2c03 3 packets
Wed Mar 21 16:05:50 2018

25. Gathering Intel - wrong
PREPARATION 25
https://raw.githubusercontent.com/adamziaja/wardriving/master/wardriving_4.png

26. Gathering Intel - wrong
PREPARATION 26
https://raw.githubusercontent.com/adamziaja/wardriving/master/wardriving_4.png

27. Gathering Intel – Correct
PREPARATION 27

28. Gathering Intel
PREPARATION 28
https://sklep.batis.pl https://allegro.pl

29. PREPARATION 29
Hardware & Software

30. PREPARATION 30
Hardware & Software

31. OPENWRT = WORMHOLE ATTACK + MITM +3G 31
Hardware & Software

32. OpenWrt as tool for Attacker
http://wiki.openwrt.org/toh/start
OPENWRT WILL TURN CHEAP HARDWARE TO YOUR BEST WIFI CARD 32

33. Gathering Intel – Overkill
PREPARATION - OVERKILL 33

34. 34

35. 35

36. 36
#!/bin/bash
MAC="$(echo $1 | sed 's/ //g' | sed 's/-//g' | sed 's/://g' | cut -c1-6)";
result="$(grep -i -A 4 ^$MAC ./oui.txt)";
if [ "$result" ]; then
echo "For the MAC $1 the following information is found:"
echo "$result"
else
echo "MAC $1 is not found in the database."
fi

37. 37
Airgraph-ng

38. 38
Airgraph-ng

39. 39

40. 40

41. 41

42. 42

43. 43

44. PREPARATION 44
Gathering Intel & Mobile

45. PREPARATION 45
Gathering Intel & Mobile

46. MAC
MAC 46

47. First described by Stefan Viehbock.
“When poor design meets poor implementation.”
Still, there is only 11,000 possible combinations.
reaver -i mon0 -b 0A:0B:0C:0D:0E:0F
44443338 checksum
PIN part 2 – 1000 possibilities
PIN part 1 – 10000 possibilities
802.11 Auth
802.11 Assoc
EAP initiation
Receive
Send M4
Increment 1st
half of PIN
802.11
Deauth
Send M6
Increment 2nd
half of PIN/fix
checksum
Dump AP
Configuration (M7)
M5
NACK
NACKReceive
M7
WPS – WiFi Protected Setup
WPS 47

48. WPS?
PREPARATION 48

49. WPS?
PREPARATION 49

50. WPS - Currently Implemented
Safeguards:
• Limiting the number of attempts that can be made in a given timeframe
• Using a different PIN for every pairing attempt
• Limiting the pairing time
• Disabling WPS …however, there is a good chance that it will be disabled only in web api…
WPS 50

51. Don’t Underestimate the “Luck Factor”
http://zaufanatrzeciastrona.pl/wp-content/uploads/2014/02/superbowl.jpg
TALK TO ME:D 51

52. Practical?
52

53. Theory...
THEORY 53
https://www.wigle.net/stats

54. Global corporate solutions & WiFi
CORPORATE 54

55. Global corporate solutions & WiFi
CORPORATE 55

56. Global corporate solutions & WiFi
CORPORATE 56

57. WPA/WPA2 Connection
Supplicant (Client) Authenticator
Supplicant Random number
(Snonce nonce generated by supplicant),
Message Integrity Code (MIC)
Security parameters (RSN)
Authenticator Random Number
(Anonce nonce generated by authenticator),
Authenticator MAC
Resend Random number,
Encrypted by PTK
Confirm both PTK and GTK are installed
Pairwise Master Key
(PMK)
Pairwise Transient
Key (PTK)
WPA/WPA2 – IS THE HASHING ALGORITHM SO INSECURE AS WE ARE LED TO BELIEVE? 57

58. WPA/WPA2 Connection
Unauthenticated
Unassociated
Authenticated
Unassociated
Authenticated
Associated
Deauthentication
Authentication
(Re)association
Deauthentication
Disassociation
WPA/WPA2 – IS THE HASHING ALGORITHM SO INSECURE AS WE ARE LED TO BELIEVE? 58

59. Airodump-ng
WPA/WPA2 IN PRACTICE 59

60. WPA/WPA2 Deauth
HANDSHAKE 60

61. WPA/WPA2 Deauth
HANDSHAKE 61

62. Airodump-ng
HANDSHAKE 62

63. Airodump-ng
HANDSHAKE 63

64. hashcat?
HANDSHAKE 64
In order to make use of this new attack you need the following tools:
1: hcxdumptool v4.2.0 or higher: https://github.com/ZerBea/hcxdumptool
2: hcxtools v4.2.0 or higher: https://github.com/ZerBea/hcxtools
3: hashcat v4.2.0 or higher: https://github.com/hashcat/hashcat
hcxdumptool -o hashfile -i wlan0mon --filterlist=macfilter.txt --filtermode=2 --enable_status=3
./hashcat-m 16800 /root/hashtocrack -a 3 -w 3 '?u?u?u?u?u?u?u?u'

65. hashcat?
HANDSHAKE 65

66. WPA/WPA2
PASSWORD 66
https://cdn.vox-cdn.com/thumbor/F0F4q7C1MLIo_aWsnc-xManUDa4=/0x0:740x601/920x0/filters:focal(0x0:740x601):format(webp)/cdn.vox-cdn.com/uploads/chorus_asset/file/9007635/password_strength.png

67. Aircrack-ng
WPA/WPA2 IN PRACTICE 67

68. HASHCAT
HASHCAT 68

69. Hash file: hccap -> hccapx
HASHCAT 69
cap2hccapx to convert

70. Older = faster... same for HashCat?
HASHCAT 70

71. HASHCAT
CPU 71

72. X = Cn
Where:
X - Number of combinations
C - Number of characters in a charset
n - Password range (>=8)
Example:
8 char lowercase alpha
[a-z or (not and) A-Z] = 268
= 208827064576
Example for Radeon R9 270 OC (~98 kH/sek)
WPA/WPA2 Password Entropy
GPU 72
n Charset Time
Single R290 (~140 kH/s)
8 [0-9] = 10 12 minutes
8 [a-z] or [A-Z] = 26 17 days
8 [a-z + 0-9] or [A-Z + 0-9] = 36 233 days
9 [a-z] or [A-Z] = 26 1 year and 83 days
9 [a-z + 0-9] or [A-Z + 0-9] = 36 23 years
8 a-z + A-Z + 0-9 = 62 50 years
12 x R270 (12 x ~100 kH/s)
8 [a-z] or [A-Z] = 26 2 days
8 [a-z + 0-9] or [A-Z + 0-9] = 36 27 days
9 [a-z] or [A-Z] = 26 52 days
Single i5 CPU (~3,3 kH/s) depending on version
8 [a-z] or [A-Z] = 26 2 years and 1 month

73. HASHCAT
GO! GO! GO! 73

74. HASHCAT
 74

75. HASHCAT
 75

76. nothing
 76

77. 8 char lowercase alpha
[a-z or (not and) A-Z] = 268
= 208827064576
WPA/WPA2 Password Entropy
PASSWORD 77

78. 8 char lowercase alpha
[a-z or (not and) A-Z] = 268
= 208827064576
WPA/WPA2 Password Entropy
PASSWORD 78

79. 8 char lowercase alpha
[a-z or (not and) A-Z] = 268
= 208827064576
WPA/WPA2 Password Entropy
PASSWORD 79

80. WPA/WPA2 Password Entropy
PASSWORD 80
... and crunch
and CeWL
and... and... and

81. WPA/WPA2 Entropy in Practice
WPA/WPA2 – IS THE HASHING ALGORITHM SO INSECURE AS WE ARE LED TO BELIEVE? 81
paulina Paulina paulina! Paulina! Paulina!@# ,(15011, 'andziulka19994',
PaulinA!@# ,(15024, 'mariusz22',
paulina0 Paulina0 paulina0! Paulina0! PaUliNa0! ,(15003, 'demiano7'
paulina1 Paulina1 paulina1! Paulina1! P@ulin@1! ,(15004, 'Lampka',
(...) (...) (...) (...) Paulina2o15! ,(15005, 'paradyne',
paulina9 Paulina9 paulina9! Paulina9! paulinA1989! ,(15006, 'darek1054',
paulina!-! ,(15007, 'bandzior2911'
paulina10 Paulina10 paulina10! Paulina10! paulina19890101 ,(15008, 'Ruthless blade',
paulina11 Paulina11 paulina11! Paulina11! 89Paulina! ,(15009, 'SzYbKi',
(...) (...) (...) (...) 1paulina1 ,(15023, 'aramil23',
paulina99 Paulina99 paulina99! Paulina99! PaUlInA ,(15012, 'kasiq10',
.paulina ,(15013, 'diabelskapam'
paulina1970 Paulina1970 paulina1970! Paulina1970! paulinapaulina ,(15014, 'Janosik_13',
paulina1971 Paulina1971 paulina1971! Paulina1971! KonradPaulina ,(15015, 'Sztukens',
(...) (...) (...) (...) !!!PAULINA!!! ,(15016, 'superrolnik',
paulina2016 Paulina2016 paulina2016! Paulina2016! PaulinaDefCamp ,(15017, 'Henry102',
Real passwords from stolen and
publicly available sql file:
www.pobieramy24.pl.sql

82. WiFi & close ”air” support
WPA/WPA2 – IS THE HASHING ALGORITHM SO INSECURE AS WE ARE LED TO BELIEVE? 82
https://en.wikipedia.org/wiki/Joint_terminal_attack_controllerhttps://github.com/wifiphisher/wifiphisher

83. Frameworks: WiFi-Pumpkin
83

84. Frameworks: WiFi-Pumpkin
84

85. Frameworks: WiFi-Pumpkin
85

86. Frameworks: WiFi-Pumpkin
86

87. Frameworks: WiFi-Pumpkin
87

88. Frameworks: WiFi-Pumpkin
88

89. Frameworks: WiFi-Pumpkin
89

90. Frameworks: WiFi-Pumpkin
90

91. • airodump-ng
• airbase-ng
• airdecap-ng
• airmon-ng
• aireplay-ng
• airserv-ng
• tkiptun-ng
• sslstrip
• tcpdump
• ettercap
• … screen
AP
OpenWRT
You
FTP server
Comm-link
Wireless access point
Database server
Mail server
Switch
Laptop
Smart phone
Symbol Description
Legend Subtitle
Legend
OpenWrt – Everything You Need
OPENWRT = WORMHOLE ATTACK + MITM +3G 91

92. OpenWrt as tool for Attacker
OPENWRT WILL TURN CHEAP HARDWARE TO YOUR BEST WIFI CARD 92
Video...

93. WiFiPhisher (Captive Portal Attack)
93

94. WiFiPhisher
94

95. WiFiPhisher
WPA/WPA2 – IS THE HASHING ALGORITHM SO INSECURE AS WE ARE LED TO BELIEVE? 95

96. WiFiPhisher
96WPA/WPA2 – IS THE HASHING ALGORITHM SO INSECURE AS WE ARE LED TO BELIEVE?

97. WiFiPhisher
97WPA/WPA2 – IS THE HASHING ALGORITHM SO INSECURE AS WE ARE LED TO BELIEVE?

98. WiFiPhisher
98WPA/WPA2 – IS THE HASHING ALGORITHM SO INSECURE AS WE ARE LED TO BELIEVE?

99. WiFiPhisher
99WPA/WPA2 – IS THE HASHING ALGORITHM SO INSECURE AS WE ARE LED TO BELIEVE?

100. WiFiPhisher
100WPA/WPA2 – IS THE HASHING ALGORITHM SO INSECURE AS WE ARE LED TO BELIEVE?

101. WiFiPhisher
WPA/WPA2 – IS THE HASHING ALGORITHM SO INSECURE AS WE ARE LED TO BELIEVE? 101

102. WiFiPhisher
WPA/WPA2 – IS THE HASHING ALGORITHM SO INSECURE AS WE ARE LED TO BELIEVE? 102

103. STANDARD H FAILURE – NEXT TIME 103

104. C64 – YES:D 104
Most commonly used for WiFi operations:
Kali & OpenWRT
Alfa AWUS036NHA (does have problems, old only b/g/n)
TP-LINK:
3020 (small & old standards)
3220 (stable & old standards)
3040 (battery included & old standards)
WR1043ND v4 (modern standards & 16 MB flash will allow direct install of aircrack-ng)

105. TILL NEXT TIME 105
ROK liczba postępowań wszczętych liczba przestępstw stwierdzonych
2016 3401 2718
2015 3515 2452
Art. 267
§ 1. Kto bez uprawnienia uzyskuje dostęp do informacji dla niego nieprzeznaczonej, otwierając zamknięte pismo,
podłączając się do sieci telekomunikacyjnej lub przełamując albo omijając elektroniczne, magnetyczne,
informatyczne lub inne szczególne jej zabezpieczenie, podlega grzywnie, karze ograniczenia wolności albo
pozbawienia wolności do lat 2.
§ 2. Tej samej karze podlega, kto bez uprawnienia uzyskuje dostęp do całości lub części systemu
informatycznego.
§ 3.Tej samej karze podlega, kto w celu uzyskania informacji, do której nie jest uprawniony, zakłada lub posługuje
się urządzeniem podsłuchowym, wizualnym albo innym urządzeniem lub oprogramowaniem.
§ 4. Tej samej karze podlega, kto informację uzyskaną w sposób określony w § 1-3 ujawnia innej osobie.
§ 5. Ściganie przestępstwa określonego w § 1-4 następuje na wniosek pokrzywdzonego.
Przedawnienie – 5 lat