Hacking WiFi
Abstract:
Summarize what your training will cover, attendees will read this to get an idea of what they should know before your training, and what they will learn after. Use this to inform about how technical your class is, what tools will be used, what materials to read in advance to get the most out of your training. This abstract is the primary way people will be drawn to your session.
Wireless networks (WiFi) are the most used type of network nowadays, and most people don't really know how vulnerable they are, even WPA/WPA2 Enterprise.
In this workshop we will cover most WiFi encryption schemes in use today, how they work behind the scenes and the theory of the cracking process. You will also be able to apply this knowledge on the spot against some real-life-scenario WiFi networks.
Some encryption schemes are mathematically difficult to crack, to the point that the cracking process could take lifetimes. But not to worry, there are still ways to get around this with an attack called Man-in-the-Middle (MITM). Be wary! You never know whose Internet access point you're connecting to and who's eavesdropping on you.
Ever wondered how somebody's passwords for a website get stolen? After this workshop you will be able to impersonate a website without the victim ever knowing it, using WiFiphishing or DNS spoofing on the client's router.
What to know before
Linux commands (sed, awk, grep and the basic ones)
Basic shell scripting
Basic knowledge about WEP/WPA/WPA2/WPS
What you will learn
How WiFi security works
How to audit a wireless network
How to perform and automate WiFi attacks (WEP/WPA/WPA2 (personal & enterprise)/WPS)
How to use the cloud to crack passwords (GpuHash.me, AWS EC2)
How to use your own GPU to crack passwords (in case you have one).
How technical is the class
40% theory and concepts
60% writing and testing commands/scripts and attacking WiFi networks.
What tools are we going to use
aircrack-ng (ifconfig, iwconfig, airmon-ng, airodump-ng, aireplay-ng, aircrack-ng, airbase-ng, airdecap-ng)
Reaver (reaver, wash)
Radius Servers (radiusd)
Pyrit
tshark/Wireshark/tcpdump
Ettercap
What to read in advance
Vivek Ramachandran & Cameron Buchanan, 2015, Kali Linux Wireless Penetration Testing Beginner’s Guide, Birmingham B3 2PB, United Kingdom.
Philippe Delteil is a Computer Science Engineer from the University of Chile. He gave his first talk at DEF CON 26 Skytalks, called "Macabre stories of a hacker in the public health sector"; his country's government sent 3 officials to record the talk, and over 3 Ministries shut down all their information systems, afraid that Philippe would reveal some serious bugs and that DEF CON attendees would hack the government. The systems were only down from Friday to Monday, the only days hackers work. While living in Brazil he hacked over 3,000 WiFi routers of the biggest ISP. Most of the time, he gives classes for free on various topics: CTF, pentesting, programming, basic computer knowledge. He's been working on WiFi hacking for the last 3 months. He has a company with a very clever name: Info-sec.
Guillermo Pilleux has a B.CS. in Computer Science from the University of Chile. Former student of the "Introduction to CTF and Pentesting" workshop. Trainee at the Info-Sec company doing WiFi hacking research. Founder and CEO of OneClick, an automation solution for real estate bill paying. Worked in Guatemala for Opticality doing HTR (Handwritten Text Recognition) research. DEF CON 27 will be his first time at DEF CON; he hopes to survive.
Detailed Outline:
Note: This is the most important section on the application. You must provide a detailed outline containing the main points and navigation through your workshop - show how you intend to begin, where you intend to lead the class and how you plan to get there. Your outline should be in simple text. Please do not submit slides, Docs, or PDFs as an outline. The review board likes submissions that include references to prior works and research you used in developing your workshop. The more detailed your outline then the better we are able to review your class against other submissions (and the higher chance you have of being accepted).
Road map for a successful workshop:
VM configs, checking, last minute difficulties, defeating Murphy's Law.
Introduction
History of Wifi
How does it work?
WLAN Infrastructure Attacks: WEP
Theory, vulnerabilities
Practice attacks
Attack Automation
WLAN Infrastructure Attacks: WPA/WPA2
Theory, vulnerabilities
Practice attacks
Attack Automation
Cracking passwords using the cloud.
WPS
Attacks
Attack Automation
Client Attacks
Caffe Latte attack, Hirte Attack (WEP)
DoS (deauthentication, disassociation)
MITM (eavesdropping, evil twin)
WiFishing
Pwned WiFi attacks:
AP Login Attack (break into the AP if default passwords were modified)
Session/DNS hijacking.
The workshop will begin with an introduction to WiFi networks, focusing on the main points of their usage, their vulnerabilities and the general lack of awareness of how unsafe they are.
Afterwards, the main subject will be presented by giving a more technical definition of WiFi, to learn how it works, and then start digging into the "Attacks on WLAN Infrastructure". We will start with the oldest encryption protocol, WEP, still found in the wild (we'll provide evidence).
For every encryption algorithm there will be a little history lesson, an explanation of its fundamentals, how to crack or bypass it, and finally some hands-on practice by trying to hack the networks we will provide. The algorithms covered later on will be WPA/WPA2/WPA Enterprise.
After that, WPS will be covered in the same format.
Once the "Attacks on WLAN Infrastructure" section is done, the next subject presented will be "Client Attacks".
This section will cover the oldie-but-goodie Caffe Latte and Hirte attacks against WEP clients, eavesdropping on a wireless network with a MITM attack by setting up a soft AP and using tshark/Wireshark to sniff packets, and how to perform a DoS attack with deauthentication and disassociation frames.
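A deauthentication/disassociation flood is also easy to spot from the defender's side. The following script is an added example, not part of the workshop materials: it assumes the tab-separated layout that `tshark -T fields -e frame.time_epoch -e wlan.fc.type_subtype -e wlan.sa -e wlan.da` prints (the sample lines below are constructed, not a real capture) and flags any sender whose deauth/disassoc frames exceed a threshold inside a sliding time window.

```python
from collections import defaultdict, deque

DEAUTH = 0x0C    # 802.11 management subtype: deauthentication
DISASSOC = 0x0A  # 802.11 management subtype: disassociation

# Constructed sample (assumed tshark field layout, not a real capture):
# 25 deauths within one second from one source, plus one beacon (0x0008)
# and one isolated disassociation from a legitimate-looking AP.
SAMPLE_LINES = (
    ["1559383200.%03d\t0x000c\taa:bb:cc:00:00:01\tff:ff:ff:ff:ff:ff" % (i * 40)
     for i in range(25)]
    + ["1559383200.500\t0x0008\tdd:ee:ff:00:00:01\tff:ff:ff:ff:ff:ff",
       "1559383260.000\t0x000a\tdd:ee:ff:00:00:01\t11:22:33:44:55:66"]
)


def parse_line(line):
    """Split one tshark fields line into (timestamp, subtype, src, dst)."""
    ts, subtype, src, dst = line.rstrip("\n").split("\t")
    value = int(subtype, 16) if subtype.startswith("0x") else int(subtype)
    return float(ts), value, src, dst


def detect_deauth_floods(lines, window=5.0, threshold=10):
    """Return {source MAC: peak count} for senders whose deauth/disassoc
    frames reach `threshold` inside any `window`-second span."""
    frames = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)  # per-source timestamps inside the window
    peaks = {}
    for ts, subtype, src, _dst in frames:
        if subtype not in (DEAUTH, DISASSOC):
            continue
        queue = recent[src]
        queue.append(ts)
        while queue and ts - queue[0] > window:
            queue.popleft()  # drop frames that fell out of the window
        if len(queue) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(queue))
    return peaks


if __name__ == "__main__":
    for mac, count in detect_deauth_floods(SAMPLE_LINES).items():
        print("possible deauth flood from %s: %d frames in window" % (mac, count))
```

The threshold and window are tuning knobs; a single AP kicking a misbehaving client will send a handful of these frames, a flood sends hundreds.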
Let's go WIFIshing!
When scanning WiFi networks with airodump-ng, we will be able to see the stations (clients) as well. Sometimes clients are authenticated but disassociated from a specific network. We will leverage this situation to our advantage by deploying 4 evil twins with the same ESSID but with different encryption protocols. This way, we will know which kind of encryption that specific network is using when the client connects to one of our fake APs.
Once inside the pwned network, the next objective is to get inside the router. To do so, we will try the naive way first, which is to try the router's default passwords. If the credentials were changed, then we will proceed with a dictionary attack.
A simple DNS spoof attack will be presented together with the theory behind it, and there will be time for the attendees to try out their own spoof for their favorite website.
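The evil-twin setup above leaves a visible footprint in an airodump-ng scan: one ESSID advertised by several BSSIDs with different Privacy settings. As an added defender-side example (not part of the workshop materials), this script parses the CSV that airodump-ng writes with `-w` and reports such ESSIDs; the sample CSV is constructed in that layout, not a real scan.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in airodump-ng's CSV layout: AP section, blank line,
# station section. "HomeNet" is advertised by four BSSIDs with four
# different Privacy values; "CorpWLAN" has two BSSIDs with the same one.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2019-06-01 10:00:00, 2019-06-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,  7, HomeNet,
AA:BB:CC:00:00:02, 2019-06-01 10:01:00, 2019-06-01 10:05:00,  6,  54, OPN,  ,  , -30,   90,  0,   0.  0.  0.  0,  7, HomeNet,
AA:BB:CC:00:00:03, 2019-06-01 10:01:00, 2019-06-01 10:05:00,  6,  54, WEP, WEP,  , -31,   88,  0,   0.  0.  0.  0,  7, HomeNet,
AA:BB:CC:00:00:04, 2019-06-01 10:01:00, 2019-06-01 10:05:00,  6,  54, WPA, TKIP, PSK, -32,   85,  0,   0.  0.  0.  0,  7, HomeNet,
DD:EE:FF:00:00:01, 2019-06-01 10:00:00, 2019-06-01 10:05:00,  1,  54, WPA2, CCMP, MGT, -55,  110,  0,   0.  0.  0.  0,  8, CorpWLAN,
DD:EE:FF:00:00:02, 2019-06-01 10:00:00, 2019-06-01 10:05:00, 11,  54, WPA2, CCMP, MGT, -60,  105,  0,   0.  0.  0.  0,  8, CorpWLAN,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2019-06-01 10:02:00, 2019-06-01 10:05:00, -50, 30, (not associated), HomeNet
"""


def parse_access_points(text):
    """Return [(bssid, privacy, essid)] from the AP section of the CSV."""
    aps = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            if aps:
                break      # blank line after the data ends the AP section
            continue       # airodump-ng writes a blank line before the header
        head = row[0].strip()
        if head == "BSSID":
            continue       # column header
        if head == "Station MAC" or len(row) < 14:
            break          # station section reached (or malformed row)
        aps.append((head, row[5].strip(), row[13].strip()))
    return aps


def find_privacy_mismatches(aps):
    """Map ESSID -> [(bssid, privacy)] for ESSIDs seen with more than one
    Privacy value. Several BSSIDs per ESSID is normal in multi-AP sites;
    several *encryption types* per ESSID is the evil-twin pattern."""
    by_essid = defaultdict(list)
    for bssid, privacy, essid in aps:
        if essid:
            by_essid[essid].append((bssid, privacy))
    return {e: v for e, v in by_essid.items() if len({p for _, p in v}) > 1}
```

Feeding a real `<prefix>-01.csv` from airodump-ng into `parse_access_points` instead of the sample is the only change needed to run it on a live scan.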
Our previous work:
WEP Cracking https://medium.com/hacking-info-sec/...s-aec9e1d0d0b1
WPA/WPA2 Cracking https://medium.com/hacking-info-sec/...2-cd1c496d195c
Malicious DNS https://medium.com/hacking-info-sec/...o-29fc939bc741
References:
https://www.slideshare.net/dgsweiger...acks-explained
Vivek Ramachandran & Cameron Buchanan, 2015, Kali Linux Wireless Penetration Testing Beginner’s Guide, Birmingham B3 2PB, United Kingdom.