
Monday, October 17, 2016

WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.7 - Speeding attacks against WPA/WPA2 encryption


3.7 - Speeding attacks against WPA/WPA2 encryption

- So far so good, but trouble arises if the dictionary contains hundreds of thousands of entries, because in that case the CPU time and processing required could be huge.

- The function PBKDF2 hashes the passphrase and the SSID over 4096 times before outputting the 256-bit Pre-Shared Key. Then, the obtained key is verified against the MIC used in the four-way WPA handshake. To speed up the whole process, it is possible to precalculate the Pre-Shared Key for each passphrase.

- For that purpose, the tool genpmk (generator of PMK, Pairwise Master Key) can be used:



- The option -f takes the used dictionary, -s is about the SSID, and the -d option indicates the name of the output file, for instance "archivoPMK":



- It is important to notice that both the passphrase and the SSID are used to calculate the PMK. The process can take a lot of time, depending on the size of the dictionary. A message is periodically output every 1000 passphrases:



- And so on, until, after more than 789000 entries of diccionario.txt, the generation of the PMK file finishes:



- The command ls shows the newly created file "archivoPMK":



- Now, there are a number of tools designed to take advantage of "archivoPMK", for instance airolib-ng and Pyrit:

a) airolib-ng

- The command "airolib-ng" creates the database "archivoAircrackPMK" from the previously generated file "archivoPMK":



- The command ls shows the newly created file "archivoAircrackPMK":



- Feeding aircrack-ng with the database "archivoAircrackPMK" and "archivoWPA-01.cap", the key is found in just 8 seconds!



So, the difference in time is huge, from 18 minutes to 8 seconds. Although the creation of "archivoPMK" takes a lot of time, depending on the dictionary size, it needs to be calculated just once for each specific dictionary and SSID. So, whenever the passphrase is changed by the network administrator, the precalculated database can be applied to speed up the cracking of the key.

b) Pyrit

- Even faster, in just 3 seconds, the tool Pyrit offers the same results:





WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.6 - Attack against WPA/WPA2 Personal encryption


3.6 - Attack against WPA/WPA2 Personal encryption

3.6.1 - WPA/WPA2 encryption

- Wi-Fi Protected Access (WPA) is a security protocol promoted by the Wi-Fi Alliance, and usually referred to as IEEE 802.11i. WPA2 is the strongest version of WPA, and since 2006 it has been mandatory for all devices carrying the Wi-Fi trademark. However, WPA2 may not work with some outdated wireless interface cards. WPA uses a message integrity check called Michael to verify the integrity of the packets, replacing the cyclic redundancy check (CRC) used by WEP; it is designed to prevent an attacker from capturing, altering or resending data packets. The newest version, WPA2, includes an even stronger integrity check than Michael.

There are 2 main modes for WPA/WPA2, each one used depending on the scenario applied:

- WPA/WPA2 Personal: also known as WPA-PSK (Pre-shared key), it is intended for home and small office use, with no need for an authentication server. Clients authenticate with the AP using a pre-shared 256-bit key generated from a password or passphrase. The password is entered as a string of 8 to 63 ASCII characters, and the 256 bits are generated by applying the PBKDF function, with the SSID as the salt and 4096 iterations of HMAC-SHA1. This Shared Key mode is vulnerable to password cracking such as brute-force dictionary attacks. Precalculated rainbow tables can be used to speed up the cracking of passwords, so it is also recommended not to use common SSIDs. WPA Personal works with TKIP, and WPA2 Personal works with CCMP.

- WPA/WPA2 Enterprise: also known as WPA-802.1x mode, its purpose is to be used for enterprise scenarios, needing a RADIUS authentication server. Although the setup is harder, it includes more complex security for protection against dictionary attacks on short passwords. The protocol used for authentication is the Extensible Authentication Protocol (EAP). It will be studied later at 6.9.
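The PSK derivation described for WPA/WPA2 Personal above (the same calculation that section 3.7 precomputes per SSID) can be reproduced with the Python standard library. This is an added example, not code from the original post; the two SSIDs are constructed sample values, and the passphrase is the one configured on the lab AP in 3.6.2. It shows the per-guess cost (8192 HMAC-SHA1 calls) and why a table built for one SSID is useless against another.

```python
import hashlib
import hmac

ITERATIONS = 4096   # iteration count stated in the text
PMK_LEN = 32        # 256-bit key

def check_passphrase(passphrase: str) -> None:
    """Enforce the 8 to 63 printable ASCII character rule for WPA passphrases."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit key = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations)."""
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)

def derive_pmk_counted(passphrase: str, ssid: str):
    """Same derivation spelled out; also returns the number of HMAC-SHA1 calls."""
    check_passphrase(passphrase)
    key, salt = passphrase.encode("ascii"), ssid.encode("utf-8")
    out, calls, block = b"", 0, 1
    while len(out) < PMK_LEN:   # SHA-1 yields 20 bytes, so two blocks are needed
        u = hmac.new(key, salt + block.to_bytes(4, "big"), hashlib.sha1).digest()
        acc, calls = int.from_bytes(u, "big"), calls + 1
        for _ in range(ITERATIONS - 1):
            u = hmac.new(key, u, hashlib.sha1).digest()
            acc ^= int.from_bytes(u, "big")
            calls += 1
        out += acc.to_bytes(20, "big")
        block += 1
    return out[:PMK_LEN], calls

if __name__ == "__main__":
    passphrase = "A54321z$"                    # lab passphrase from section 3.6.2
    for ssid in ("HomeNet-7f3a", "linksys"):   # constructed SSIDs
        print(ssid, derive_pmk(passphrase, ssid).hex())
    print("HMAC-SHA1 calls per guess:",
          derive_pmk_counted(passphrase, "linksys")[1])
```

The same passphrase yields unrelated keys under different SSIDs, so a unique SSID forces the whole table to be rebuilt, while a long random passphrase keeps it out of any dictionary in the first place.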

The three main encryption algorithms used with WPA/WPA2 are:

- Temporal Key Integrity Protocol (TKIP): used with WPA, an RC4 stream cipher is used with a 128-bit per-packet key, meaning that it dynamically generates a new key instead of reusing it. This helps to prevent attacks like those suffered by WEP.

- Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (CCMP): only available for WPA2 and based on AES, it is considered stronger than TKIP.

- Extensible Authentication Protocol (EAP): used with both WPA and WPA2, available for Enterprise mode, it requires a RADIUS server for authentication.

Because of its wide usage in wireless scenarios, WPA-PSK deserves a more detailed look. Its authentication consists of a four-way handshake. The per-session key, or Pairwise Transient Key (PTK), is made with 6 parameters: the PSK key, the SSID, 2 MACs (one from the Supplicant or client, and the other from the Authenticator or AP), and 2 nonces (one from the client and the other from the AP). The resultant key is used to encrypt all data between the AP and the client.




- An attacker sniffing the handshake can get 5 of the 6 parameters, with the exception of the PSK. The combination of the PSK and the SSID is called the Password Based Key Derivation Function (PBKDF). During a brute-force dictionary attack, a 256-bit shared PTK key, derived by combining the PBKDF with the other 4 parameters, is created for each word contained in the dictionary. Each created PTK is verified by checking the Message Integrity Check (MIC) in the handshake packets. If it matches, the passphrase is correct. So, the security of WPA/WPA2 depends on how difficult it is for a dictionary to contain the passphrase. Conversely, a good attack relies on the strength of the dictionary used.


3.6.2 - Attack against WPA-PSK with aircrack-ng

- In this case we will take WPA-PSK TKIP encryption as the example, bearing in mind that attacks against WPA2-PSK CCMP are performed in exactly the same way.

- The AP is set to the WPA-PSK TKIP encryption with the Pre-Shared key "A54321z$", as we can see at next screen capture:



Because the capture of the interesting packets happens when a legitimate client connects to the AP, the attacker "kali" can either force a client to reconnect through a deauthentication process, or wait for a client to connect by itself.

- Either way, starting airodump-ng with the option --write, the results of the captures are stored in the file "archivoWPA":



- A new file .cap and its derivatives are created:




For cracking the WPA-PSK key a dictionary is needed, so that all the passphrases contained in that dictionary are compared with the real passphrase.

- The program aircrack-ng is used:



- 18 minutes and 7 seconds later, the key is found: A54321$



- Using airdecap-ng, there is the option to decrypt the packets contained in archivoWPA-01.cap:



- Decrypted packets are stored at the file archivoWPA-01-dec.cap:




3.6.3 - Connecting to the AP

- Once the key is found, the attacker "kali" can use the next script to connect to the AP, inside the file wpa-supp.conf:



- Then, the wpa_supplicant command invokes the just created file wpa-supp.conf:



- After a few moments the attacker "kali" achieves its goal of joining the AP:



- It can be verified with airodump-ng that the attacker "kali", whose MAC address is 00:C0:CA:72:1A:36, is associated to the AP 00:25:F2:9B:91:23:



Because DHCP is enabled by default, "kali" receives an IP:



- Also, "kali" has got access to the internal LAN, pinging the default gateway:



- "kali" is even able to access the Internet, pinging Google's public DNS server:







WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.5 - Korek Chopchop attack against WEP


3.5 - Korek Chopchop attack against WEP

- Unlike the previous attack against WEP encryption, the goal of the Korek chopchop attack is not to find the WEP key, but just to decrypt a specific packet sent within the attacked network. Actually, the Korek chopchop attack decrypts a WEP data packet without knowing the WEP key. As said before, its purpose is not to find the WEP key, but to reveal the plaintext. Once replay_dec-X.cap is obtained, Wireshark can be helpful to decrypt the chosen packet. The Korek chopchop attack is based on the polynomial math of the Cyclic Redundancy Check (CRC).

- The initial setup for the lab is the same as previous practices. To launch the attack, aireplay-ng is used with -4 option (meaning chopchop attack):



- After reading some packets (55 in this case), aireplay-ng asks whether the selected packet is OK to be decrypted. If the answer is Yes, the attack starts immediately, decrypting the packet and saving the result in the replay_src-0918-224820.cap file:



The attack is finished:



- aireplay-ng indicates where captured packets are saved:




- The replay_src--0918-224820.cap file and its derivatives have been created:



- Using Wireshark, the file replay_src--0918-224820.cap can be decrypted:



It can be verified that the packet is the same selected by aireplay-ng (8842 2C00 28C6 etc... ), being a frame control sent by the AP Motorola 00:25:F2:9B:91:23 with destination to the client "roch", whose wireless interface card is Netgear 28:C6:8E:63:15:6B:



- Also, the file replay_dec-0918-224925.cap can be decrypted, again with Wireshark's help:



- In this case, the packet is sent by 173.194.46.69 (Google) to the client "roch" (192.168.0.15), because of an https connection:




WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.4 - Hirte attack against WEP encryption


3.4 - Hirte attack against WEP encryption

- The Hirte attack extends the Caffe-Latte attack using fragmentation techniques. As with the Caffe-Latte attack, there is no need for an AP in the vicinity for the Hirte attack to be launched; a WEP client isolated from the legitimate AP is enough.

- Fragmentation attacks use the fact that the first 8 bytes of the encrypted packet consist of the Link Layer Control (LLC) header. Because this is sent in plaintext, the attacker can XOR it with the encrypted packet, obtaining the first 8 bytes of the RC4 keystream, and use this keystream along with the matching IV to create encrypted packets. However, the amount of data that fits into 8 bytes is only 4 bytes, because the last 4 bytes are devoted to the WEP ICV. Fragmentation allows sending a maximum of 16 fragments per packet, which makes it possible to send a packet with a reassembled size of 64 bytes. This fact is used to inject packets such as ARP requests and replies.

- The Hirte attack sniffs an ARP packet and relocates the IP address in the ARP header to convert the reassembled packet into an ARP request for the wireless client. The client responds with an ARP reply, allowing the attacker to gather new data packets encrypted with the WEP key. Once enough packets are gathered, aircrack-ng can crack the WEP key rapidly.

- For this practice, the lab setup is exactly the same as in the previous Caffe-Latte attack. Now, the command airbase-ng uses the option -N to specify the Hirte attack, instead of the option -L for Caffe-Latte.

- After the legitimate AP is unplugged, the client "roch" connects to the fake AP created by the attacker "kali". Only 1 minute after the association, at 21:55:13, the Hirte attack is started:



- Airodump-ng detects the association between the victim "roch" and the fake AP, writing the captured packets to the file Hirte-WEP:



The file hirteWEP-01.cap and its derivatives are created:



- As usual, aircrack-ng finds the WEP key A8925DC44A5432DE814CE109F9 before long:






WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.3 - Caffe-Latte attack against WEP


3.3 - Caffe-Latte attack against WEP

- The Caffe-Latte attack takes advantage of WEP's Message Modification flaw. The most interesting characteristic of the Caffe-Latte attack is that no AP is needed to perform it. Actually, the attacker takes the information used to crack the WEP key from packets sent by the victim trying to authenticate with the AP, although it is not present. The attacker "kali" monitors the air to find clients sending probe messages. Then, a fake AP is set up using Airbase-ng. When the client connects to the fake AP, authentication messages are sent, and after association the DHCP request phase starts. Just at this point, the Caffe-Latte attack is launched by the attacker.

- To perform this attack, let's set the legitimate AP with SSID=prueba, and WEP with Shared Key Authentication:




The WEP key generated by the AP is A8925DC44A5432DE814CE109F9:



The victim "roch" is connected to the wireless network, so that it can have cached and stored the WEP key:



This attack is based on the fact that clients, just after being started, are usually configured to send probe messages for SSIDs that they have previously connected to. For instance, Windows clients cache and store the WEP keys of previously connected networks. This option is known as the Preferred Network List (PNL), consisting of a list of previously used networks. A very similar configuration is enabled for Linux. For instance, in Debian previously used networks are stored under the Network Connections option.

- Every time a client connects to the same AP, the Windows wireless manager automatically uses that stored key. This is done with the purpose of helping users, not being necessary to introduce the key every time the computer is turned on.

- However, from the security perspective, it can be considered a flaw. It can be checked at next screenshot, option "Connect automatically when this network is in range" is ticked:




- As said before, the WEP key is cached and stored by Windows clients:



- Because this attack does not require the client to be close to the legitimate AP, the WEP key can be cracked using just the isolated client. To verify it, the AP is going to be unplugged during the whole practice, simulating that the AP is far away from the client.

- Now, given this scenario, let's start the attack from "kali". Using the airbase-ng tool, a fake AP is created with the same SSID=prueba and an arbitrary MAC address like AA:AA:AA:AA:AA:AA. Of course, in a real attack, a less suspicious MAC address would be used:



It is important to notice the options used with the command airbase-ng:

- -L = Caffe-Latte attack
- -W 1 = WEP encryption


- Then, the client "roch" is started within a scenario where there is no legitimate AP turned on (remember that it has been unplugged). Wireshark detects the victim "roch" (Netgear wireless card interface with MAC 28:C6:8E:63:15:6B) desperately sending Broadcast messages looking for the legitimate "prueba" AP, which is actually unplugged:



- The victim "roch" will not find the legitimate "prueba" AP, but the fake "prueba" AP created by the attacker "kali".

Because there is no mutual authentication between client and AP, just the client authenticating with the AP, there is no problem for the association process to succeed. In other words, the fake AP (the attacker) has the role of deciding or approving that the association of the client can be achieved. It is quite interesting that WEP allows any fake AP to perform an association process without knowing the key used.




Once the client is connected to the fake AP, it will send out DHCP requests which will eventually timeout because the fake AP is not a DHCP server. Then, not receiving any dynamic IP, the client will start the so called Automatic Private IP Addressing (APIPA), which assigns to itself an IP like 169.254.x.x. After this auto configuration process, the client will send Gratuitous ARP broadcast packets with the purpose of announcing itself to the rest of the network.

- The attacker "kali" captures these Gratuitous ARP packets and modifies them using the Message Modification WEP flaw, converting them into ARP request packets for the client. The Message Modification WEP flaw allows flipping bits in a WEP encrypted packet and adjusting the ICV to make the packet valid.

- Then, the fake AP resends a few thousand of these spurious ARP request packets back into the wireless network. The client receives them and believes that someone is asking for its MAC address using ARP, replying back.

- When the victim "roch" replies, the packets include the WEP key, and they are captured by the attacker "kali". Once the attacker collects enough packets, aircrack-ng will be able to crack the WEP key.

- It is important to note that the attacker is able to run the attack without any knowledge of the WEP key.
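Why the Message Modification flaw exists, as an added example that is not part of the original post: CRC-32 is linear over XOR and RC4 is a stream cipher, so the ICV of a changed payload can be fixed up without the key, whereas a keyed integrity check rejects the same change. The IV, key, payload and MIC key are constructed sample values, and the truncated HMAC is only a stand-in for a keyed check, not Michael or CCMP.

```python
import hashlib
import hmac
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream (the cipher WEP uses)."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc_icv(data: bytes) -> bytes:
    """WEP ICV: plain CRC-32 of the payload, no key involved."""
    return zlib.crc32(data).to_bytes(4, "little")

def keyed_mic(data: bytes) -> bytes:
    """Stand-in keyed check: HMAC-SHA256 truncated to 8 bytes."""
    return hmac.new(MIC_KEY, data, hashlib.sha256).digest()[:8]

def seal(iv: bytes, key: bytes, payload: bytes, tag) -> bytes:
    """Encrypt payload || tag(payload) under the per-packet key IV || key."""
    body = payload + tag(payload)
    return xor(body, rc4(iv + key, len(body)))

def unseal(iv: bytes, key: bytes, sealed: bytes, tag):
    """Decrypt and return (payload, integrity_ok)."""
    body = xor(sealed, rc4(iv + key, len(sealed)))
    n = len(tag(b""))
    payload, got = body[:-n], body[-n:]
    return payload, hmac.compare_digest(got, tag(payload))

def flip_bits(sealed: bytes, delta: bytes) -> bytes:
    """Key-less change: XOR delta into the payload and the CRC difference
    crc(delta) ^ crc(zeros) into the first 4 tag bytes."""
    patch = xor(crc_icv(delta), crc_icv(bytes(len(delta))))
    mask = delta + patch
    return xor(sealed, mask + bytes(len(sealed) - len(mask)))

# Constructed sample values, not taken from the page's captures.
IV, KEY = bytes.fromhex("a1b2c3"), bytes.fromhex("00112233445566778899aabbcc")
MIC_KEY = b"constructed-mic-key"
PAYLOAD = bytes.fromhex("aaaa030000000806") + bytes(range(28))
DELTA = bytes(9) + b"\x01" + bytes(26)        # flip one bit in byte 9

def demo() -> dict:
    """Map each check to (integrity_ok, payload_was_changed) after the flip."""
    results = {}
    for name, tag in (("crc32", crc_icv), ("keyed", keyed_mic)):
        tampered = flip_bits(seal(IV, KEY, PAYLOAD, tag), DELTA)
        payload, ok = unseal(IV, KEY, tampered, tag)
        results[name] = (ok, payload == xor(PAYLOAD, DELTA))
    return results

if __name__ == "__main__":
    print(demo())
```

In both cases the payload bit is flipped, because the stream cipher is malleable; only the keyed check notices, which is why the receiver can drop the frame.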

- After 2 minutes since the attacker "kali" has created the fake AP, the victim "roch" is associated, and just immediately the Caffe-Latte attack is launched (see the last line) at 10:52:51:



With the purpose of collecting packets sent between the victim "roch" and the fake AP, airodump-ng writes to the file CaffeLatteWEP:



- The CaffeLatteWEP-01 file and its derivatives are created:



- After some minutes of gathering a large number of exchanged packets, aircrack-ng is used to obtain the WEP key A8925DC44A5432DE814CE109F9:



- Again, it is important to remember the most remarkable feature of this attack, which differentiates it from other WEP attacks, and which gives it its great value: no legitimate AP has been used to perform the whole attack, and no legitimate AP has been present in the vicinity. Just the isolated client, maybe roaming thousands of miles away from the attacked network, looking for a wireless connection and sending to the air in clear text a copy of the cached and stored WEP key. So, unlike other attacks against WEP encryption, the attacker does not need to be in the vicinity of any AP, which makes Caffe-Latte a very powerful attack.

- Needless to say, to prevent this attack, the solution would consist of removing all networks from the Preferred Network List (PNL) whenever the client is roaming. However, almost nobody does it, because of the inconvenience created every time the user wants to join a network: he would need to enter the WEP key manually, usually a very long hexadecimal key that is difficult to remember.






WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.2 - Bypassing WEP Shared Key Authentication


3.2 - Bypassing WEP Shared Key Authentication

- Unlike the previous practice's attack, the goal of this attack is to bypass WEP authentication directly, without obtaining the Shared Key, so that the attacker can connect directly to the AP even with a fake MAC address.

- This is a more efficient attack against WEP encryption because the steps and processing involved are fewer than in the previous practice.

- In this case, let's set the AP with WEP (64 bits) encryption:



- From the attacker "kali"'s command shell, the legitimate client "roch"'s connection is detected:



- Either from a deauthentication or a reconnection of the legitimate client "roch", packets between the AP and "roch" are captured and stored in the sharedkeyWEP file:



The file sharedkeyWEP and its derivatives are created, but the one of interest for this practice is sharedkeyWEP-01-00-25-F2-9B-91-23.xor:



- Now, the aireplay-ng command is used in a quite different way than before:

a) first, the injected packet contains the keystream used for WEP to authenticate "roch" with the AP.

b) second, "kali" uses a fake MAC address like AA:AA:AA:AA:AA:AA to cover any track of the attack.



Now, it can be verified that "kali" has successfully joined the network "spaniard":



Even receiving an IP through DHCP:



"kali" is now part of the network "spaniard", being able to ping the default gateway 102.168.0.1:


Also, "kali" has got access to the Internet using the AP external interface, pinging Google's public DNS:



Airodump-ng detects both clients, the legitimate "roch" and the attacker "kali", connected to the "spaniard" network:



- Also, the AP detects both clients connected, which is funny because "kali" shows the obviously fake MAC address AA:AA:AA:AA:AA:AA.

Of course, in a real attack, "kali" would have chosen a less suspicious MAC than AA:AA:AA:AA:AA:AA.



As a conclusion of this practice, the attacker "kali" has been able to connect to a network directly, bypassing WEP Shared Key authentication, without needing to perform the steps of obtaining the encryption key, and faking its own MAC address to cover the attack.