
Monday, October 17, 2016

WI-FI PT / 4 - ATTACKS MAN-IN-THE-MIDDLE / 4.2 - Eavesdropping with MITM attacks


4.2 - Wireless Eavesdropping with MITM attack

- The first step in this attack, as usual, is for the attacker to create a virtual monitoring interface mon0 attached to the physical interface wlan0.

- Then, a fake AP called "mitm" is created using airbase-ng, broadcasting its beacon frames on channel 6:



- After running airbase-ng there is a new interface called at0 (a tap interface), which can be considered the wired-side interface of the virtual fake AP, whereas mon0 is its wireless-side interface:



The next step consists of establishing a bridge called "puente" between at0 and the physical Ethernet interface eth0:



- Interfaces eth0 and at0 are added to the bridge "puente":



Both interfaces are turned on:



Verifying that the bridge "puente" has been correctly created:



- The bridge "puente" is assigned a static IP 192.168.0.50 (it could also be obtained dynamically with DHCP):



A very important step is to prepare the attacker "kali" to route and forward packets by turning IP forwarding on:



At this point of the attack, let's suppose that the victim "roch" connects to the fake AP "mitm":




airbase-ng immediately detects that "roch" (28:C6:8E:63:15:6B) has connected to "mitm":



- One interesting aspect of the connection is that the victim "roch" automatically gets a dynamic IP, because on the wired side the legitimate AP is running the DHCP service. So, as the victim connects to the network (through the fake AP), it is treated as a regular host of the network, entitled to an IP address and DNS service:



- Now, the victim "roch" can ping the default gateway of the network 192.168.0.1:



- The victim "roch" also has Internet access, as shown by pinging Google's public DNS 8.8.8.8:



- Because the attacker "kali" sits between the victim and the legitimate AP, he is able to sniff, inspect and analyze all the traffic sent and received by "roch". Let's see what happens when the victim "roch" decides to connect to www.ual.es:



- "kali" runs Wireshark, which allows the "Follow TCP stream" option to see all packets from a single TCP stream displaying them in order:



- Applying that option, the filter "tcp.stream eq 18" is generated automatically. Then, the whole conversation between the victim "roch" and "www.ual.es" is available for the attacker "kali" to analyze and eavesdrop on.

- In the next screenshot, "roch" (192.168.0.15) and "www.ual.es" (193.147.117.18) establish a TCP and HTTP session, which is captured by the attacker "kali":


- It can be verified that 193.147.117.18 corresponds to www.ual.es:



- Also with whois:

WI-FI PT / 4 - ATTACKS MAN-IN-THE-MIDDLE / 4.1 - MITM wireless setup


4.1 - Man-In-The-Middle (MITM) wireless setup

The basic idea of a MITM attack is that an attacker takes a position between the legitimate users of a network, so that he can eavesdrop on the communication, gaining access to the victims' connections, and relay messages between them. The victims believe that their communications are legitimate, while in reality the attacker controls the whole process.

There are many different architectures or layouts for a MITM attack, depending on the topology, characteristics and technologies available in the network. In this chapter, the setup used will consist of the victim "roch" trying to communicate with the legitimate AP, and the attacker "kali" intercepting and relaying packets between them.



In this setup, the attacker "kali" is connected to the Internet through a wired LAN with its Ethernet interface eth0. At the same time, "kali" creates a fake AP, broadcasting the same ESSID as the legitimate AP. The victim "roch" connects to this fake AP, believing that it is the legitimate one.

For that purpose "kali" creates a bridge between its wired interface and its virtual wireless interface, forwarding all packets through the bridge to and from the Internet.

The attacker "kali" can analyze all the packets sent and received by the victim "roch": not only eavesdropping on all the wireless traffic, but also modifying it with malicious intent, as will be seen later. For instance: hijacking web sessions, causing denial of service, redirecting to sites created specifically for the attack, stealing cookies or passwords, redirecting ports, spoofing DNS requests and responses, etc.



WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.10 - Attack against WPA/WPA2 Enterprise and RADIUS authentication


3.10 - Attack against WPA/WPA2 Enterprise and RADIUS authentication

- WPA/WPA2 Enterprise, also known as 802.1X mode or simply WPA (as opposed to WPA-PSK), is intended to provide authentication services for enterprise networks. WPA/WPA2 Enterprise works hand in hand with a RADIUS server. The protocol used for authentication is usually the Extensible Authentication Protocol (EAP), which comes in many different versions. The most important EAP versions are:

  • EAP-PEAP: supported by Microsoft and Cisco, it uses only a server-side certificate. EAP-PEAP-MSCHAPv2, natively integrated with Windows, is the most popular of all EAP versions as a Wi-Fi security mechanism.
  • EAP-TLS: considered the most secure, because a certificate is required on both the server and the client side.
  • EAP-TTLS: the server uses a certificate, but the client can optionally authenticate to the server through a Certification Authority, which greatly simplifies the whole process. It is faster, but less secure than TLS.
  • EAP-FAST: Cisco proprietary, intended to replace the obsolete LEAP.

- In this practice, an attack against WPA-Enterprise with RADIUS using EAP-PEAP will be shown, but exactly the same method can be used to crack EAP-TTLS. In both cases, the trick consists of capturing the MSCHAP challenge/response pair and applying a dictionary attack with the tool Asleap.

- The most widely used protocol for EAP-PEAP with Windows devices is MSCHAP, the Microsoft version of the Challenge Handshake Authentication Protocol (CHAP). There are two different versions: MS-CHAPv1 and MS-CHAPv2. MSCHAPv2 is often used as an authentication option for RADIUS servers, providing security for Wi-Fi in the WPA Enterprise scenario. The Challenge Handshake Authentication Protocol (CHAP) is used to authenticate a user or a host to an authenticating entity, for instance a RADIUS server. The verification is based on a secret key shared by the client and the server (the authenticator). The whole process is a 3-way handshake. After the initial establishment phase, the authenticator sends a "challenge" message to the client. The client responds with a one-way hash calculated over the challenge and the secret combined. The authenticator compares the received hash with its own calculation of the hash value. If both hashes match, the authenticator acknowledges the authentication as valid. At random intervals the authenticator sends a new challenge to the peer.
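The CHAP handshake just described, with both the client and the authenticator in one process, as an added example (not code from the original post). It implements plain CHAP from RFC 1994; MS-CHAPv2, the variant attacked in this practice, replaces the MD5 step with an NT-hash/DES construction, but the structure, and the reason a captured challenge/response pair can be tested offline, are the same. The user name "daniel" comes from the post; the secret is a constructed demo value.

```python
"""CHAP (RFC 1994) challenge/response exchange, both sides in one process.
Added example, not from the original post. The shared secret is a demo value."""
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """RFC 1994 section 4: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Server side: knows each user's secret and issues one-time challenges."""

    def __init__(self, users):
        self.users = users          # name -> shared secret (bytes)
        self.ident = 0
        self.outstanding = {}       # ident -> challenge still awaiting a response

    def challenge(self):
        self.ident = (self.ident + 1) & 0xFF
        chal = os.urandom(16)       # must be unpredictable and unique per exchange
        self.outstanding[self.ident] = chal
        return self.ident, chal

    def verify(self, ident, name, response):
        chal = self.outstanding.pop(ident, None)   # each challenge is usable once
        secret = self.users.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, chal), response)


def client_answer(ident, challenge, secret):
    """Peer side: only the hash crosses the wire, never the secret itself."""
    return chap_response(ident, secret, challenge)


def run_exchange(auth, name, client_secret):
    ident, chal = auth.challenge()                     # 1. challenge to the peer
    resp = client_answer(ident, chal, client_secret)   # 2. response from the peer
    return auth.verify(ident, name, resp)              # 3. success or failure

# An eavesdropper sees (ident, challenge, response). Since the response is a
# deterministic function of the secret, the captured triple lets anyone test
# candidate secrets offline: the secret's strength is the only defence left.
```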

- The topology used for this practice will be a little different from the other practices, because in this case RADIUS authentication servers need to be introduced. Normally, the victim "roch" would authenticate with the legitimate AP using the services of a legitimate RADIUS server. However, let's suppose that for some reason an attacker has managed to force the victim to connect to a rogue AP, which uses the services of a FreeRADIUS server running on a "kali" Linux machine. For instance:



- In this practice, a D-Link Access Point broadcasting an ESSID called "withRadius" will be used to set up the AP honeypot. The honeypot imitates a supposedly real network, which could be using, for instance, a Windows Server 2003, 2008 or 2012 RADIUS server integrated with Active Directory.



- Because an external RADIUS server is going to be used, WPA/WPA2 Enterprise is needed:



- The AP is configured as a client of the FreeRADIUS server, which runs on the "kali" attacker with IP 192.168.0.198 and listens on port 1812. A shared secret ("test") is also needed between the AP and the FreeRADIUS server:



- Verifying that the IP of "kali" (the FreeRADIUS server) is 192.168.0.198:



- On the server side, FreeRADIUS is configured to use EAP-PEAP by default, in the eap.conf file:




- Also, FreeRADIUS needs to know its client, the D-Link AP, whose IP is 192.168.0.2:



- As said before, both the AP client (192.168.0.12) and the FreeRADIUS server (192.168.0.198) have to share a secret key ("test"):


- The shared key is entered in the clients.conf file for the client 192.168.0.2:


- Then, the FreeRADIUS server is started on "kali", listening for authentication requests on port 1812:



- The victim user "daniel", from "roch", tries to join the "withRadius" wireless network and is prompted for authentication:



Previously, the certificate validation option for EAP was turned off on the client "roch", in order to show the potential weakness of this type of authentication. Of course, if a certificate (a fake one, created by FreeRADIUS on the attacker "kali") is offered and accepted by the user, the result is the same. Because "validate server certificate" is off, the victim is unable to tell whether a certificate is fake or genuine. Moreover, if the "Connect to these servers" option is also turned off, an attacker could obtain a real certificate from any of the authorized certification authorities. If it is accepted by the client, the result is again the same:



- The connection is successful:



- The FreeRADIUS debug output shows the success of the authentication process:



Meanwhile, the MSCHAP username / challenge / response exchange is followed by tailing radius.log:



- Finally, the tool Asleap, after a brute-force attack with the help of the wordlist "diccionario.txt", is able to crack the password of user "daniel": abcdefghi

- It is important to note that in this practice, for the sake of a clearer demonstration, valid credentials were entered. However, if invalid credentials had been used, the log would have captured them in the same way, and Asleap would eventually have been able to crack them too.



WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.9 - AP-less attack against WPA/WPA2


3.9 - AP-less attack against WPA/WPA2

- In previous practices WPA/WPA2 was cracked after capturing the 4-way handshake between the AP and the client.

- Now, it will be shown how to crack WPA/WPA2 using only the client, with no access point. In this case not all four handshake packets are necessary: knowing two of them (either the pair 1 and 2, or the pair 3 and 4) is enough. To achieve that, the first step is to create a honeypot to which the client will try to connect; the honeypot sends message 1 and receives answer 2.

- Let's remember a previous picture:



- The attacker "kali" creates a honeypot imitating the legitimate AP, with the same ESSID "spaniard" and MAC address 00:25:F2:9B:91:23 (both easily learnt with airodump-ng):



- Also, airodump-ng creates a file called sinAP.cap, where all the interesting packets will be stored:



- The victim "roch" connects to the honeypot and associates with it, in the false belief that it has connected to the legitimate AP:



- airodump-ng detects the association of the victim "roch":



- Also, the file sinAP.cap is created:



- Next, a brute-force attack is launched with aircrack-ng:



- A few instants later, the key is found:



- This practice is even lighter than the previous practices for finding the WPA/WPA2 key, because fewer steps are involved. The legitimate AP has not been involved at all, since no deauthentication packets have been sent to it.
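From the defender's side, both the fake AP of the MITM setup (sections 4.1 and 4.2 above) and the honeypot of this practice show up as beacons that contradict the inventory of authorised access points. The following added example (not code from the original posts) runs that check over scan records: it assumes a wireless scanner already produced one record per observed beacon (ESSID, BSSID, channel, security). The ESSID "spaniard" and BSSID 00:25:F2:9B:91:23 come from the posts; the other values and the scan records are constructed for the demo.

```python
"""Rogue AP (evil twin) detection over beacon scan records.
Added example, not from the original posts; scan records are constructed."""
from collections import namedtuple

Beacon = namedtuple("Beacon", "essid bssid channel security")

# Authorised inventory kept by the defender (assumption). ESSID "spaniard" and
# BSSID 00:25:F2:9B:91:23 are from the posts; channel 11 is a demo placeholder.
INVENTORY = {
    "spaniard": {"bssid": "00:25:F2:9B:91:23", "channel": 11, "security": "WPA2-CCMP"},
}


def analyse(beacons, inventory=INVENTORY):
    """Return (bssid, reason) alerts for beacons that contradict the inventory."""
    alerts = []
    for b in beacons:
        known = inventory.get(b.essid)
        if known is None:
            continue  # not one of our ESSIDs: cannot be a twin of a managed network
        if b.bssid.upper() != known["bssid"].upper():
            # airbase-ng style fake AP: our ESSID advertised from a foreign BSSID
            alerts.append((b.bssid, "unknown BSSID advertising managed ESSID %r" % b.essid))
            continue
        if b.channel != known["channel"]:
            # cloned BSSID: same MAC as the real AP, but beaconing on another channel
            alerts.append((b.bssid, "authorised BSSID on channel %d, expected %d"
                           % (b.channel, known["channel"])))
        if b.security != known["security"]:
            # open or downgraded twin of a protected network
            alerts.append((b.bssid, "security %s, expected %s"
                           % (b.security, known["security"])))
    return alerts


# Constructed scan: one legitimate beacon, then the three rogue patterns.
SCAN = [
    Beacon("spaniard", "00:25:F2:9B:91:23", 11, "WPA2-CCMP"),  # legitimate AP
    Beacon("spaniard", "00:11:22:33:44:55", 6, "OPEN"),        # fake AP, foreign BSSID
    Beacon("spaniard", "00:25:F2:9B:91:23", 6, "WPA2-CCMP"),   # cloned BSSID, wrong channel
    Beacon("spaniard", "00:25:F2:9B:91:23", 11, "OPEN"),       # right BSSID, no encryption
    Beacon("guest", "AA:BB:CC:DD:EE:FF", 1, "OPEN"),           # unmanaged network, ignored
]

if __name__ == "__main__":
    for bssid, reason in analyse(SCAN):
        print("ALERT", bssid, reason)
```

A honeypot that copies ESSID, BSSID, channel and security settings exactly is not caught by these inventory rules alone; signal strength and timing anomalies are the usual next signal for a wireless IDS.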

WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.8 - Automating attacks against WPA/WPA2


3.8 - Automating attacks against WPA/WPA2

- The previously introduced Gerix Wifi Cracker software helps to automate attacks against Wi-Fi encryption, both WEP and WPA/WPA2.

- For starting Gerix from the "kali" command shell:



- Gerix is launched:



In this practice the AP is set to WPA2 with AES-CCMP encryption, the key being A54321z$:



- Clicking the Configuration tab:



- The option Enable/Disable Monitor Mode creates the virtual interface mon0 attached to the physical interface wlan0:



Gerix includes a small real-time log that informs the user about the performed actions:



- One good practice from the attacker's point of view is to change the MAC address, in order to cover the tracks of the attack. The option Set random MAC address does the trick:



- Next, Gerix is made to scan the available networks in the surroundings:



- As usual, the "spaniard" network is chosen as the target:



Clicking the WPA tab, the WPA attack is started. The functionality Start Sniffing and Logging is enabled:



- Gerix detects the "spaniard" network, with MAC address 00:25:F2:9B:91:23, using WPA2-CCMP encryption. The client "roch", with MAC address 28:C6:8E:63:15:6B, is also detected:



Because some packets of the WPA handshake need to be captured, a set of deauthentication messages has to be sent to the victim, whose MAC address is entered:



- The deauthentication process starts:



aireplay-ng sends 4 packets directed to the victim, "roch":




To start the brute-force cracking attack, a dictionary is added: diccionario.txt



- The attack is launched by clicking the tab Aircrack-ng - Crack WPA password:



After 2 minutes and 13 seconds, the key is found: A54321z$