3.6 - Attack against WPA/WPA2 Personal encryption
3.6.1 - WPA/WPA2 encryption
- Wi-Fi Protected Access (WPA) is a security protocol promoted by the Wi-Fi Alliance, and usually referred to as IEEE 802.11i. WPA2 is the strongest version of WPA, and since 2006 it has been mandatory for all devices carrying the Wi-Fi trademark. However, WPA2 may not work with some outdated wireless interface cards. WPA uses a message integrity check called Michael to verify the integrity of packets; it replaces the cyclic redundancy check (CRC) used by WEP and is designed to prevent an attacker from capturing, altering or resending data packets. The newest version, WPA2, includes an even stronger integrity check than Michael.
There are 2 main modes for WPA/WPA2, each used depending on the scenario:
- WPA/WPA2 Personal: also known as WPA-PSK (Pre-Shared Key), it is intended for home and small office environments and does not need an authentication server. Clients authenticate with the AP using a pre-shared 256-bit key generated from a password or passphrase. The password is entered as a string of 8 to 63 ASCII characters, and the 256-bit key is generated by applying the PBKDF function, with the SSID as the salt and 4096 iterations of HMAC-SHA1. This shared-key mode is vulnerable to password cracking such as brute-force dictionary attacks. Precalculated rainbow tables can be used to speed up the cracking of passwords, so it is also recommended not to use common SSIDs. WPA Personal works with TKIP, and WPA2 Personal works with CCMP.
- WPA/WPA2 Enterprise: also known as WPA-802.1x mode, it is intended for enterprise scenarios and needs a RADIUS authentication server. Although the setup is harder, it includes more complex security for protection against dictionary attacks on short passwords. The protocol used for authentication is the Extensible Authentication Protocol (EAP). It will be studied later in 6.9.
The three main encryption algorithms used with WPA/WPA2 are:
- Temporal Key Integrity Protocol (TKIP): used with WPA. An RC4 stream cipher is used with a 128-bit per-packet key, meaning that it dynamically generates a new key instead of reusing it. This helps to prevent attacks like those suffered by WEP.
- Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (CCMP): only available for WPA2. Based on AES, it is considered stronger than TKIP.
- Extensible Authentication Protocol (EAP): used with both WPA and WPA2, available for Enterprise mode; requires a RADIUS server for authentication.
Because WPA-PSK is so widely used in wireless scenarios, it deserves a more detailed look. Authentication consists of a four-way handshake. The per-session key, or Pairwise Transient Key (PTK), is made from 6 parameters: the PSK key, the SSID, 2 MACs (one from the Supplicant or client, and the other from the Authenticator or AP), and 2 nonces (one from the client and the other from the AP). The resulting key is used to encrypt all data between the AP and the client.
- An attacker sniffing the handshake can get 5 of the 6 parameters, the exception being the PSK. The PSK and the SSID are combined by the Password Based Key Derivation Function (PBKDF). During a brute-force dictionary attack, for each word contained in the dictionary a 256-bit shared PTK is created by combining the PBKDF output with the other 4 parameters. Each candidate PTK is verified against the Message Integrity Check (MIC) in the handshake packets. If it matches, the passphrase is correct. So the security of WPA/WPA2 depends on how hard it is for a dictionary to contain the passphrase; conversely, a successful attack relies on the strength of the dictionary used.
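The key derivation described above for WPA-PSK, as an added example that is not part of the original page: it derives the 256-bit key with PBKDF2-HMAC-SHA1 (SSID as salt, 4096 iterations), shows that the same passphrase under a different SSID gives an unrelated key, and audits a configuration for the two weaknesses the text names. The SSID list, the wordlist and the function names are constructed for illustration.

```python
import hashlib

# Constructed sample data for the audit (assumptions, not from the original page).
COMMON_SSIDS = {"linksys", "default", "NETGEAR", "dlink"}
SAMPLE_WORDLIST = {"password", "12345678", "qwertyuiop"}


def validate_passphrase(passphrase: str) -> None:
    """Enforce the WPA-PSK passphrase format: 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit key: PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def audit_network(ssid: str, passphrase: str) -> list:
    """Return findings that make an offline dictionary attack cheaper."""
    validate_passphrase(passphrase)
    findings = []
    if ssid in COMMON_SSIDS:
        # Same salt as many other networks: precomputed tables apply.
        findings.append("common-ssid")
    if passphrase in SAMPLE_WORDLIST:
        findings.append("passphrase-in-wordlist")
    return findings


if __name__ == "__main__":
    # Same passphrase, different SSID: the salt changes the whole key.
    for ssid in ("IEEE", "linksys"):
        print(ssid, derive_pmk("password", ssid).hex())
    print(audit_network("linksys", "password"))
```

The passphrase "password" with SSID "IEEE" is the published IEEE 802.11i test vector, so the first printed key can be compared against the output of `wpa_passphrase IEEE password`.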
3.6.2 - Attack against WPA-PSK with aircrack-ng
- In this case we will take WPA-PSK TKIP encryption as the example, bearing in mind that attacks against WPA2-PSK CCMP are performed in exactly the same way.
- The AP is set to WPA-PSK TKIP encryption with the Pre-Shared key "A54321z$", as we can see in the next screen capture:
- Because the interesting packets are captured when a legitimate client connects to the AP, the attacker "kali" can either force a client to reconnect through a deauthentication process, or wait for a client to connect by itself.
- In either case, airodump-ng is started with the option --write so that the captured results are stored in the file "archivoWPA":
- A new file .cap and its derivatives are created:
- For cracking the WPA-PSK key a dictionary is needed, so that all the passphrases contained in that dictionary are compared with the real passphrase.
- The program aircrack-ng is used:
- 18 minutes and 7 seconds later, the key is found: A54321$
- Using airdecap-ng, there is the option to decrypt the packets contained in archivoWPA-01.cap:
- Decrypted packets are stored at the file archivoWPA-01-dec.cap:
3.6.3 - Connecting to the AP
- Once the key is found, the attacker "kali" can use the following configuration, stored in the file wpa-supp.conf, to connect to the AP:
- Then, the wpa_supplicant command is invoked with the newly created file wpa-supp.conf:
- After a few moments the attacker "kali" achieves its goal of joining the AP:
- It can be verified with airodump-ng that the attacker "kali", whose MAC address is 00:C0:CA:72:1A:36, is associated with the AP 00:25:F2:9B:91:23:
- Because DHCP is enabled by default, "kali" receives an IP:
- Also, "kali" has got access to the internal LAN, pinging the default gateway:
- "kali" is even able to access the Internet, pinging Google's public DNS server: