wifi security

Posted by fierce at 2020-02-27

0 × 00 Preface

In many smart home environments, WiFi is the first and most important threshold for security. Generally, smart home devices are in the NAT network, and the way of operation through the external network is very limited. Even routers have firewalls in the external network, and most functions are only open to the internal network devices. When the threshold of WiFi is broken, the consequences will be unimaginable.

0 × 01 breakthrough point

Router WPS function vulnerability

Router users are often too cumbersome to do any encryption security settings, which leads to many security problems. WPS is used to simplify the security settings and network management of Wi Fi wireless. It supports two modes: pin mode and PBC mode. By default, the router turns on WPS in production, but is it really safe! On December 28, 2011, Stefan viehbock, a security expert, announced that he had discovered the WPS (Wi Fi protected setup) vulnerability in the wireless router, which could easily break the pin code used by WPS in a few hours to connect to the WiFi network of the wireless router.

Personal identification number (PIN)

Someone may ask what is pin code? WPS technology will randomly generate an eight digit string as a personal identification number (PIN), which is a set of eight digit numbers at the bottom of your route except for the background address account password, through which you can quickly log in without entering the router name and password.

Pin codes are divided into the first half of four and the second half of four. If the first four codes are wrong, the router will send the error message directly instead of looking at the last four codes, which means that only 10000 groups of numbers need to be tried to get the correct first four codes. Once there is no error message, the first four codes are correct, and we can start to try the last four codes. The last four codes are simpler than the first four codes, because the last one of the eight codes is the check code, which is generated by the first seven numbers, so there are only three numbers to be tested, a total of 1000 combinations. This makes the original password combination (seven digits + check code) which should be up to 10 million groups, instantly reduced to only 11000 groups, greatly reducing the time required for cracking

Calculate the default pin code according to the route MAC address

In addition, a faster way to crack WiFi is to calculate the default production pin code according to the routing MAC address (MAC is the physical address of the router, which is the only identification mark). For example, the following software can also find the pin code shared by others!

Grab the handshake packet and crack it

The advance condition is that there is a client to connect to WiFi. In addition, the author won't say how to crack WEP. The little friends who use them are willing to do what they want. Just briefly introduce the principle. A TCP packet goes into a bar and says to the waiter, "give me a beer.". The waiter said, "would you like a beer?". The TCP packet said, "yes, a beer." the waiter said, "OK."

When a wireless client connects with a wireless AP, it first issues a connection authentication request (handshake application: Hello!)

After receiving the request, the wireless AP sends a random message to the wireless client (are you?)

The wireless client encrypts the received random information and then sends it to the wireless AP (this is my business card)

The wireless AP checks whether the encryption result is correct. If it is correct, it agrees to connect (oh, it's my own person

Generally speaking, the "handshake packet" refers to capturing the "original information" and the encrypted "ciphertext" when the wireless AP and one of its legal clients are authenticating. Use deauth to verify the attack. In other words, force the legitimate wireless client to be disconnected from the AP. When it is disconnected from the WLAN, the wireless client will automatically try to reconnect to the AP. In the process of reconnection, packet communication is generated, and then use airdump to capture a four handshake process between the wireless client and the wireless client, and generate a cap packet containing four handshakes. Then use the dictionary to crack violently

In addition, it also mentions the black industry in this industry. When we catch the handshake bag with data, the black industry will often help us a lot. GPU speed is hundreds of times faster than our ordinary device running password. So I don't recommend running password by myself! Send it to the teams, Only 10-30rmb is charged for running out the password (according to the pricing of running passwords, there are common packages and diamond bags, and the dictionary of common packages only uses 10 g dictionaries. Diamond bags will use more than 50g dictionaries, which will also be more expensive). However, some teams will charge for electricity (even for running out the password, there will be a certain fee)... In addition, such devices are very power consuming It's easy for ordinary people to consume. They usually use such machines to mine when they are idle

Distributed cracking

The protagonists in "hacker's quest" all use distributed cracking. Take Mitnick in the movie. In the plot, he gets the encrypted ciphertext of xiacunmian, Generally speaking, it takes decades to hundreds of years for a computer to run out of the password. At this time, Mitnick used disguise to cheat a university security guard. He sneaked in to use the University's supercomputer, and only used a few hours to get the desired result! The protagonist of blood Monday, Miura Chunma, used a puppet network (chicken) to get his password in half an hour. )On the evening of September 26, 2009, zerone wireless security team and anywlan wireless portal successfully completed the first distributed cracking project in China. In addition, distributed cracking is just a thought. It's not a solution. It doesn't matter if you can't break it.

WiFi share

The core function of this kind of software is to integrate WiFi account passwords from all over the country. This must include some malicious sharing and some unintentional sharing When you use this kind of software, you can easily find the correct password in the database according to the nearby ssid.mac address. This is convenient for users and also convenient for the ill intentioned children's shoes ~ ~ evening news on September 5, 2013, the new MIUI function released at Xiaomi technology's annual conference today - self sharing of WiFi password caused controversy, and many netizens accused Xiaomi of this behavior will lead to WiFi Serious security risks, some coffee shop owners even accused millet of this act as theft. From August 2, 2013 to the end of the conference, 320000 public Wi Fi passwords were shared in one month, and he was very angry about the new function. He said: "we only have two options: 1. Refuse to provide the WiFi password of home / company to friends who use Xiaomi mobile phone. 2. Change the WiFi password of your home / company as soon as friends who use Xiaomi's mobile phone leave. " I would like to advise you that you must not rely on such software

Weak password

The password space of wpa-psk can't be too vast to describe, so it's a fool's behavior to directly attack a dictionary. But as a password, there is a difference between a strong password and a weak password. A strong password is a password with very little hope of cracking. A weak password is a password with great hope of cracking. Of course, the strength is also a relative concept, He also relies on the plus security system. The bank's password is generally 6 bits. A password with such a small password space is generally weak. But the bank's ATM only allows you to try three times a day. Three times the password does not lock the card. With such a mechanism, a 6-bit password is no longer a weak password. A dictionary composed of weak passwords is called a weak password dictionary

There is a certain connection and regular password

Example: someone once broke such a wpa-psk password, ix1v7051242. If you don't know the background of this password, you can think it's amazing. Such a strong password can also be broken. Such a password is available on an AP such as tele2 in Spain, and there are fields of tele2 in the AP? ESSID. The last 8 digits of such a password are the same. There are only four real passwords. The four digit password is easy to be attacked by dictionary because of its small password space. This is also the default password for AP. So this password is cracked because the random password generated by AP itself is a weak password. It's AP's manufacturers who have reduced their own security practices. For example, some restaurants, hotels, public institutions, etc. SSID will always be changed to Pinyin. The password is of course related to SSID. The most common is the phone number of this unit!

social engineering

More or less, purposeful social workers master the personal information of WiFi users. Otherwise, how can they be called purposeful social workers? Ha ha~~

For example, let's talk about a goal. We can combine the birthdays of people related to the goal, initials (i.e., initials), Pinyin, mobile phone numbers, lovers of general goals, secret lovers, important people, without excluding friends. We have the highest success rate. We also have the goal's name, birthday, mobile phone number, email number, internet name (i.e., ID.) which works well for heikuo. The characters we are used to, Of course, there are also common passwords!!!. there are some special numbers. Special days (wedding anniversary. Start love) and other information to generate a dictionary.]

For example, a little black broad who lives in the security circle has a high sense of security, Know that AP needs to use a very powerful password, such as hack! @ (1024). But he is lazy enough to use this password there. Then heikuo registered his account on a website of a forum and habitually entered the strong password that he was proud of. Then these websites were generated a dictionary (combined according to the leaked password) by the black (drag Library) social engineer according to the password, and then he did not I'll tell you more. There are many examples like this! How did the hacker in operation swordfish enter the national security information network in one minute. It's a program that works on the Internet to collect passwords for him. And that's how he quickly cracked it. And the real hackers of such dictionaries are not willing to publish them.

0 × 02 actual combat

Grab the handshake packet and crack it

The choice of network card is also very important. Generally, if you use the built-in network card of notebook to crack, you must see if there is any driver for Kali. I use 8187 card, and I won't say if Kali has its own driver. This example is based on the grasp handshake packet cracking

It means to start the monitoring mode of the network card. After typing this command, the device name is WLAN = mon0. Generally, the device name should be followed after the command

Select the target before capturing the packet. This command means to detect the wireless network. Select the target, the first choice is to connect more clients. Copy the BSSID (MAC address). Remember the channel (CH)

-Parameter C is to select the target channel. If the channel is used for the target AP, do not add -- BSSID. This parameter is to save the name of the handshake package with the precise target ~ ~ - W. after obtaining it, a mobi-01.cap handshake package will be generated in the current directory. Instead of closing the shell, open another shell

Airplay-ng-0 10-A (MAC of AP) - C (MAC of client)

-W. select the dictionary mobi-01.cap, i.e. the grab handshake package

PS: I don't recommend running the password myself. I directly mount the USB stick handshake package copy to the USB stick. Send the package to the running bag team through QQ. Then the correct password is added to my dictionary. The figure above will appear (after the successful crack)! In addition, the use of passwords has certain regularity

Solution 2: exploit the function vulnerability of router WPS

Airdump ng mon0 check the wireless situation nearby. The dot "." in MB indicates that pin code can be run. Use wash - I mon0 - C to see if WPS is enabled

Adjust the parameter (- C after which, the target channel is 1 as an example) the target signal is very good:

0 × 03 when entering the wireless network

Look at my Mac block!

Client screenshot simulation host use MAC filtering function! .

Use MAC filtering on routers. Is there no way for hackers? .no!

Because the router only accepts packets from the white list, Kali cannot get the domain name IP from the DNS server

Camouflage MAC address Internet because there are two wireless clients. All data packets will be sent to two clients. It is inevitable that data packets will be lost!

Is it really useful to turn off DHCP?

First of all, I simulate the administrator of WiFi. DHCP is off, and I set a gateway IP that only I know

It can be clearly seen that. Kali is not in the network segment used by the administrator. However, in the OSI layer 2 environment. Kali grabs ARP messages from routers and clients


-----Wechat ID: ikanxue-----

See snow Institute, committed to safety research for 16 years!

Look at the snow crowd test: the second phase of project has been released, and 100000 bonus is waiting for you!

Reading through snow: new mode of paid reading