WEP/WPA2 WiFi Password Security & Exploiting IP Based Surveillance Cameras

By Basiru Mohammed, Rajkumar Ramadhin, Alexander Martin

WEP/WPA2 WiFi Password Security & Exploiting IP Based ...cysecure.org/560/online/project/wpa2Encrypt_rajRamadhim_bashMo… · •Substituted WPA-TKIP with WPA2-AES •Backward compatibility



Introduction

• With growing advancement in the "Internet of Things" we must take a look at the security of networks and their associated devices and determine the threats associated with this rapidly growing field of technology.

• Surveillance cameras, baby monitors, household appliances, and other network devices are all connected through wireless networks. As these devices grow in popularity, so too does the threat they pose to privacy and security.

• Hardening the security of networks and IoT devices is vital in ensuring the safe use of these convenient and helpful appliances.


Basic Password Definitions

• Encryption - Scrambling information so that only someone with a corresponding key (cipher) can decrypt that information. The intent of encryption is to protect data so that it can later be decrypted.

• Hashing - Uses an algorithm to map data of any size to a fixed-length value known as a hash value. Different from encryption in that it is not meant to be decrypted and there is no cipher. Each hash value is unique.

• Salting - Typically unique to password hashing. Salting adds extra data to the known data before it is hashed. This adds an extra layer of complexity against brute force decryption.


Salting


Increasing total Password Size and Character Types used makes a more secure password

Total characters in alphabet = 26 characters

• Every character makes it 26x stronger

• EX: a-z _ _ _ _ = 26^4 = 456,976 password possibilities

• EX2: a-z _ _ _ _ _ = 26^5 = 11,881,376 password possibilities

Capital and Lower Cases = 52 characters

• Combination of Upper and Lower case letters

• EX: _ _ _ _ of upper and lowers = 52^4 combinations = 7,311,616

Add Special Characters and Numbers (!@#$ etc.) = 75 characters

• EX: _ _ _ _ of Numbers, Upper and Lower Letters, and Special Characters = 75^4 = 31,640,625


Different Ways to Attack Passwords

• Password Guessing - Default passwords, common passwords, sports teams, cars. Sometimes requires research on the user's background.

• Shoulder Surfing - Watching password input from behind the user.

• Social Engineering - Asking or demanding that an employee reveal a password. Often the attacker will pose as a technician or authority to pressure the user into giving up the password.

• Dictionary Attack - Attacker uses every word in a dictionary in sequence to crack the password.

• Brute Force Attack - Attacker uses every letter/character in sequence to eventually crack the password.

• Reverse Engineer Password Hashes - Intercepting password hashes between system and server using a sniffer. The hash is reverse engineered to reveal the password using precomputation.

• Precomputation (rainbow table) - A rainbow table is a table of common passwords with their hash equivalents. It is very time consuming to generate. The attacker simply compares the target hash to the table of hashes to figure out the password. Defeated by salting, which adds additional information to the hash and defeats the ability to match that information together.
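
The salting definition and the precomputation bullet above, as an added example that is not part of the original slides: a precomputed hash table recovers an unsalted password hash but misses the same password once it is stored with a per-user salt. The function names, the wordlist and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]  # constructed sample wordlist


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: same input, same hash, everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precomputation: hash every candidate once, keep hash -> password."""
    return {unsalted_hash(w): w for w in words}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user salt (iteration count is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_password(password: str):
    """What a server should keep: a fresh random salt plus the salted hash."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_password(password: str, salt: bytes, stored: str) -> bool:
    """Legitimate login: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked_unsalted = unsalted_hash("letmein")
    salt_a, stored_a = store_password("letmein")
    salt_b, stored_b = store_password("letmein")
    return {
        "unsalted_lookup": table.get(leaked_unsalted),    # table hit
        "salted_lookup": table.get(stored_a),             # table miss
        "same_password_same_hash": stored_a == stored_b,  # salts differ
        "login_ok": verify_password("letmein", salt_a, stored_a),
        "wrong_login": verify_password("qwerty", salt_a, stored_a),
    }


if __name__ == "__main__":
    print(demo())
```

Salting removes the benefit of a table computed in advance; it does not make a weak password strong, which is why the length and character-set advice on the earlier slide still applies.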


What we want to accomplish

• Research the encryption methods used in WEP and WPA2

• Distinguish what makes WPA2 more secure than WEP

• Attempt to crack the password of WEP
    • Possible tool: Kali Linux Airmon-NG and AirCrack to crack the password

• Attempt to crack the password of WPA2
    • Possible tool: Kali Linux Airmon-NG and AirCrack to crack the password

• Implement these attacks in a real world situation
    • Set up a test environment with WEP then WPA2

• Tools: IP camera and ALFA card(?)


What is WEP?

• Wired Equivalent Privacy – meant to provide the security of wired LAN

• Introduced in 1997, implemented in 1999

• Uses RC4 algorithm

• Started with a 40-bit long key with 24-bit initialization vector

• Other failed attempts to fix WEP include WEP2 and WEP+


What is WPA2?

• Introduced in 2004
    • Full implementation of 802.11i

• Substituted WPA-TKIP with WPA2-AES
    • Backward compatibility with WPA

• Utilizes AES-CCMP
    • Advanced Encryption Standard – Counter Mode with Cipher Block Chaining Message Authentication Code Protocol


Pros and Cons of WPA2

• Not susceptible to the attacks of WEP

• Becomes vulnerable due to backward compatibility

• Vulnerable to man-in-the-middle attacks

• Vulnerable to the KRACK attack, which affects the 802.11i standard


Goals of project

• Our group will attempt to demonstrate four different exploits

• 1. The cracking of WEP WiFi password protection.

• 2. The cracking of WPA2 WiFi password protection.

• 3. Performing a de-authentication attack to "kick" a device off of a desired network, thus disabling it.

• 4. Demonstrating the importance of updating an IP-based surveillance camera's default username and password.


What we plan to do?

• 1. Set up a test environment with WEP and WPA2 password protected wireless routers.

• 2. Crack WEP security using Wifite, or Kali Linux tool suite AirCrack.

• 3. Crack WPA2 security using Kali Linux tool suite AirCrack and perhaps using Hashcat for dictionary list attack.

• 4. Attempt a de-authentication attack taking a device offline using a bash script.


Dropkick.sh


Cracking WPA using Aircrack suite of tools


1. Putting network adapter into "Monitor" mode.


Verify monitor mode using the iwconfig command


2. Use airodump to begin monitoring for WiFi networks and clients in the vicinity.


3. Copy the target network's BSSID and begin capturing packets using airodump.


4. Begin deauthentication attack to force a new 4-way handshake


5. Cracking password using aircrack


Password cracked!


Cracking WPA using the Wifite automated attack tool


Links to videos of attacks w/ narration

• Link to Aircrack WPA attack

• Aircrack Attack

• Link to Wifite WPA attack

• Wifite Attack
