Hacking WiFi

    Hacking WiFi


    Wireless Networks (WiFi) are the most used type of network nowadays and most people don't really know how vulnerable they are, even WPA/WPA2 Enterprise.

    In this workshop we will cover most WiFi encryptions being used today, how they work behind the scenes and the theory of the cracking process. Also, you will be able to apply this knowledge on the spot with some real-life-scenario WiFi networks.

    Some encryption schemes are mathematically difficult to crack, where the cracking process could take lifetimes. But not to worry, there still are ways to get around this with an attack called Man-in-the-middle (MITM). Be wary! You never know whose Internet Access Point you're connecting to and who's eavesdropping on you.

    Ever wondered how to get somebody's passwords for a website? After this workshop you will be able to supplant a website without the victim ever knowing it with Wifiphishing or DNS Spoofing the client's router.

    What to know before
    Linux commands (sed, awk, grep and the basic ones)
    Basic shell scripting
    Basic knowledge about WEP/WPA/WPA2/WPS

    What you will learn
    How WiFi security works
    How to audit a wireless network
    How to perform and automate WiFi attacks (WEP/WPA/WPA2 (personal & enterprise)/WPS)
    How to use the cloud to crack passwords (, AWS EC2)
    How to use your own GPU to crack passwords (in case you have one).

    How technical is the class
    40% theory and concepts
    60% writing and testing commands/scripts and attacking wifis.

    What tools are we going to use
    aircrack-ng (ifconfig, iwconfig, airmon-ng, airodump-ng, aireplay-ng, aircrack-ng, airbase-ng, airdecap-ng)
    Reaver (reaver, wash)
    Radius Servers (radiusd)

    What to read in advance
    Vivek Ramachandran & Cameron Buchanan, 2015, Kali Linux Wireless Penetration Testing Beginner’s Guide, Birmingham B3 2PB, United Kingdom.

    Philippe Delteil is a Computer Science Engineer from the University of Chile. He gave his first talk at DEF CON 26 Skytalks, called "Macabre stories of a hacker in the public health sector"; his country's government sent 3 officials to record the talk, and over 3 Ministries shut down all their information systems, afraid that Philippe would reveal some serious bugs and that DEF CON attendees would hack the government, but the systems were only down from Friday to Monday, the only days hackers work. While living in Brazil he hacked over 3,000 WiFi routers of the biggest ISP. Most of the time, he gives classes for free on various topics: CTF, pentesting, programming, basic computer knowledge. He's been working with WiFi hacking during the last 3 months. He has a company with a very clever name: Info-sec.

    Guillermo Pilleux has a B.CS. in Computer Science from the University of Chile. Former student of the "Introduction to CTF and Pentesting" workshop. Trainee at the Info-Sec company doing WiFi hacking research. Founder and CEO of OneClick, an automation solution for real estate bill paying. Worked in Guatemala for Opticality doing HTR (Handwritten-text-recognition) research. DEF CON 27 will be his first time at DEF CON; he hopes to survive.

    Detailed Outline:

    Map road for a successful workshop:

    VM configs, checking, last minute difficulties, defeating Murphy's Law.
    History of WiFi
    How does it work?
    WLAN Infrastructure Attacks: WEP
        Theory, vulnerabilities
        Practice attacks
        Attack Automation
    WLAN Infrastructure Attacks: WPA/WPA2
        Theory, vulnerabilities
        Practice attacks
        Attack Automation
        Cracking passwords using the cloud.
        Attack Automation
    Client Attacks
        Caffe Latte attack, Hirte Attack (WEP)
        DoS (deauth, disassociation)
        MITM (eavesdropping, evil twin)
    Pwned WiFi attacks:
        AP Login Attack (break into the AP if default passwords were modified)
        Session/DNS hijacking.

    The workshop will begin by giving an introduction to WiFi networks, focusing on the main points of their usage, their vulnerabilities and the lack of knowledge of their "unsafety".

    Afterwards, the main subject will be presented by giving more technical definitions of WiFi, to get to know how it works and start digging into the "Attacks on WLAN Infrastructure". We will start with the oldest encryption protocol, WEP, still found in the wild (we'll provide evidence).

    For every encryption algorithm, there will be a little history lesson, an explanation of the fundamental cores, how to crack it or bypass it and finally get practical with it by trying to hack the networks we will provide. The algorithms covered later on will be WPA/WPA2/WPA_Enterprise.

    Thereon, WPS will be exposed, with the same modality explained beforehand.

    Once the "Attacks on WLAN Infrastructure" section is done, the new subject presented will be "Client Attacks".
    This section will cover the oldie but goodie Caffe Latte and Hirte Attacks for WEP clients, eavesdropping on a wireless network with a MITM attack by setting up a soft AP and using tshark/wireshark to sniff packets. Also, how we can create a DoS attack with deauth and disassociation packets.

    Let's go WIFIshing!
    When scanning WiFi networks with airodump-ng, we will be able to see the stations or clients as well. Sometimes clients are authenticated but disassociated from a specific network. We will leverage this situation in our favor by deploying 4 evil twins with the same ESSID but with different encryption protocols. This way, we will know which kind of encryption that specific network is using when the client connects to one of our fake APs.

    Once inside the pwned network, the next objective is to get inside the router. To do so, we will try the naive way first which is to try the router default passwords. If the credentials were changed then we will proceed to use a dictionary attack.

    A simple DNS spoof attack will be presented with its theory behind it and there will be time for the attendees to try out their own spoof for their favorite website.

    Our previous work:
    WEP Cracking
    WPA/WPA2 Cracking
    Malicious DNS

    Vivek Ramachandran & Cameron Buchanan, 2015, Kali Linux Wireless Penetration Testing Beginner’s Guide, Birmingham B3 2PB, United Kingdom.
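    A defender-side counterpart to the Client Attacks part of the outline above (the deauth/disassociation DoS and the evil twins that reuse one ESSID under different encryption types), added here as an example and not part of the workshop material: it runs two detection checks over a constructed list of 802.11 management-frame records. The record layout, the thresholds and the MAC addresses are assumptions made for the example; in practice the records would be filled from a capture such as tshark output.

```python
"""Flag two client-side WiFi attack patterns from management-frame records:
a deauth/disassociation flood and an ESSID advertised with several different
security settings. The record format and thresholds are assumptions for this
example, not output of any tool named in the workshop."""
from collections import defaultdict

# Constructed sample: (timestamp_s, frame_subtype, bssid, essid, privacy)
# privacy is the security the beacon advertises ("OPN", "WEP", "WPA", "WPA2").
SAMPLE_FRAMES = [
    # a legitimate two-AP network: same ESSID, same encryption (normal roaming setup)
    (0.0, "beacon", "00:11:22:33:44:01", "Office", "WPA2"),
    (0.1, "beacon", "00:11:22:33:44:02", "Office", "WPA2"),
    # the legitimate coffee-shop AP
    (0.2, "beacon", "AA:BB:CC:00:00:01", "CoffeeShop", "WPA2"),
    # three rogue APs reusing the ESSID with other security settings
    (0.3, "beacon", "DE:AD:BE:EF:00:01", "CoffeeShop", "OPN"),
    (0.4, "beacon", "DE:AD:BE:EF:00:02", "CoffeeShop", "WEP"),
    (0.5, "beacon", "DE:AD:BE:EF:00:03", "CoffeeShop", "WPA"),
]
# a burst of 30 deauthentication frames in ~1.5 s carrying the coffee-shop BSSID
SAMPLE_FRAMES += [
    (1.0 + i * 0.05, "deauth", "AA:BB:CC:00:00:01", None, None) for i in range(30)
]
# a few scattered deauths from the office AP: routine, well under the threshold
SAMPLE_FRAMES += [(t, "deauth", "00:11:22:33:44:01", None, None) for t in (5.0, 40.0, 95.0)]


def detect_deauth_flood(frames, window_s=10.0, threshold=20):
    """Return {bssid: peak_count} for every BSSID that sourced at least
    `threshold` deauth/disassoc frames inside some window of `window_s` seconds."""
    per_bssid = defaultdict(list)
    for ts, subtype, bssid, _, _ in frames:
        if subtype in ("deauth", "disassoc"):
            per_bssid[bssid].append(ts)
    flagged = {}
    for bssid, times in per_bssid.items():
        times.sort()
        start, peak = 0, 0
        # sliding window over the sorted timestamps
        for end, ts in enumerate(times):
            while ts - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[bssid] = peak
    return flagged


def detect_evil_twin(frames):
    """Return {essid: {privacy: [bssid, ...]}} for ESSIDs seen with more than
    one security setting. Several BSSIDs sharing an ESSID is normal for a
    multi-AP network; the same ESSID advertised as OPN, WEP and WPA2 is not."""
    seen = defaultdict(lambda: defaultdict(set))
    for _, subtype, bssid, essid, privacy in frames:
        if subtype == "beacon" and essid:
            seen[essid][privacy].add(bssid)
    return {
        essid: {p: sorted(b) for p, b in by_priv.items()}
        for essid, by_priv in seen.items()
        if len(by_priv) > 1
    }


if __name__ == "__main__":
    for bssid, n in detect_deauth_flood(SAMPLE_FRAMES).items():
        print(f"deauth flood: {n} frames from {bssid} within 10 s")
    for essid, by_priv in detect_evil_twin(SAMPLE_FRAMES).items():
        print(f"evil twin suspected for ESSID {essid!r}: {by_priv}")
```

    The deauth check keys on the source BSSID because a flood spoofs the real AP's address; on a monitored network the alert should therefore name the AP being impersonated rather than blame it. The evil-twin check deliberately ignores ESSIDs served by many BSSIDs with one consistent security setting, which is what a normal enterprise deployment looks like.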

  • #2
    Students will need:
    • Adapter model Alfa AWUS036NHA, it costs US $40 in the US but around US $20 in China.

    The ideal is that the students have the same adapter, because during our tests some Alfa adapters (some even more expensive) didn't work as expected.

    The reason that some of the Alfa adapters did not work as expected is because Alfa changed chipsets without changing the model. So older versions were great and some newer ones not so much so. The one he specified is a good adapter.


    • #3
      Wireless networks (WiFi) are the most commonly used type of network today, and people don't really know how attackable they are, even when WPA/WPA2 Enterprise encryption is used.

      In this workshop we will introduce the WiFi encryption methods in wide use today, how they work, and the theory of cracking them. In addition, you will be able to apply this knowledge on some real-scenario wireless networks.
      Some encryption methods are mathematically hard to crack, because cracking them could take a lifetime. But don't worry, we still have a way around this through a Man-in-the-Middle (MITM) attack. Be careful! You never know which network access point the hotspot you are connecting to really is, or who is listening in on you. Ever wondered how to get someone's password? After this workshop, you will be able to obtain passwords through WiFi phishing or client-side DNS spoofing without the victim knowing anything.
      You need to know in advance:
      • Linux command line (sed, awk, grep and the basic commands);
      • basic shell scripting;
      • basic knowledge of WEP/WPA/WPA2/WPS.
      Here you will learn:
      • how WiFi security works;
      • how to monitor a WiFi network;
      • how to carry out and automate WiFi attacks (WEP/WPA/WPA2 (personal and enterprise)/WPS);
      • how to use cloud computing to crack passwords (, Amazon EC2);
      • how to use your own GPU to crack passwords (if you have a GPU).
      Class time plan:
      • 40% theory and concepts;
      • 60% writing and testing commands/scripts and attacking WiFi.
      Tools we will use:
      • aircrack-ng (ifconfig, iwconfig, airmon-ng, airodump-ng, aireplay-ng, aircrack-ng, airbase-ng, airdecap-ng);
      • Reaver (reaver, wash);
      • Radius Servers (radiusd);
      • Pyrit;
      • tshark/Wireshark/tcpdump;
      • Ettercap.
      What you need to read in advance:
      • Vivek Ramachandran & Cameron Buchanan, 2015, Kali Linux Wireless Penetration Testing Beginner’s Guide, Birmingham B3 2PB, United Kingdom. Translator's note: the Chinese edition is titled 《Kali Linux无线渗透测试指南》, ISBN 9787115483683, available from all major online retailers.

      Philippe Delteil is a Computer Science Engineer from the University of Chile. He gave his first talk at Defcon 26 Skytalks, titled "Macabre stories of a hacker in the public health sector"; his country's government sent 3 officials to record the talk, and more than 3 Ministries shut down all their information systems for fear that Philippe would reveal some serious bugs and that Def con attendees would break into the government, but the systems were only down from Friday to Monday, which is exactly when hackers get to work.
      Most of the time, he offers free courses on various sites on a range of topics: CTF, pentesting, programming, basic computer knowledge. For the past 3 months he has been researching WiFi hacking.

      Guillermo Pilleux earned a bachelor's degree in Computer Science at the University of Chile. Former student of the "Introduction to CTF and Pentesting" workshop. Intern at the Info-Sec company, doing WiFi hacking research.
      Founder and CEO of OneClick, an automation solution for real estate bill paying. Did HTR (handwritten text recognition) research in the field of optics in Guatemala.
      Defcon 27 will be his first time at Defcon, and he hopes to give a good talk.



      • #4
        Slides of the workshop here