WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.10 - Attack against WPA/WPA2 Enterprise and RADIUS authenticacion

3.10 - Attack against WPA/WPA2 Enterprise and RADIUS authenticacion

- WPA/WPA2 Enterprise, also known as 802.1x mode or WPA (as opposed to WPA-PSK), has the purpose of providing authentication services for enterprise enviroment networks. WPA/WPA2 Enterprise works hand to hand with a RADIUS server. The protocol used for authentication is usually the Extensible Authentication Protocol (EAP), which is available in a lot of different versions. The most important EAP versions are:

• EAP - PEAP: supported by Microsoft and Cisco, it uses only a server side certificate. The EAP - PEAP - MSCHAPv2, natively integrated with Windows, is the most popular of all EAP versions as Wi-Fi security mechanism.
• EAP - TLS: it is considered the most secure, because a certificate is necessary both at the server and the client sides.
• EAP - TTLS: the server uses a certificate, but the client can optionally authenticate with a Certification Authority to the server, which simplifies a lot the whole process. It is faster, but less secure than TLS.
• EAP - FAST: Cisco propietary, used to replace the obsolete LEAP.

- At this practice, an attack against WPA-Entreprise with RADIUS using EAP-PEAP wil be exposed, but exactly the same method could be use to crack EAP-TTLS. In both cases, the trick consists of capturing the MSCHAP

challenge/response pair, and applying a dictionary attack with the tool Asleap.

- The most used protocol for EAP-PEAP with Windows devices is MSCHAP, which is the Microsoft version of the Challenge Handshake Authentication Protocol (CHAP). There are two different versions: MS-CHAPv1 and MS-CHAPv2. MSCHAPv2 is often used as an authentication option for RADIUS servers, providing security for Wi-Fi under the WPA Enterprise scenario.The Challenge Handshake Authentication Protocol (CHAP) is used to authenticate a user or a host to an authenticating entity, for instance a RADIUS server. The verification is based on a key secret shared by the client and the server or authenticator. The whole process consists of a 3 way handshake. After the intial establishment phase, the authenticator sends a "challenge" message to the client. The client responds with a one-way hash, calculated with the challenge and the secret combined. The authenticator compares the received hash with its own calculation of the hash value. If both hashes match, the authenticator acknowledges as valid the authentication. At random intervals the authenticator sends a new challenge to the peer.

- The topology used for this practice will be a little bit different than other practices, because in this case it is necessary to introduce RADIUS server authenticators. On the one hand, the victim "roch" should authenticate with the legitimate AP using the services of a legitimate RADIUS server. However, let's suppose that for any reason an attacker has achieved the goal of forcing the victim to connect to a rogue AP, which is using the services of a Free Radius server running on a "kali" Linux machine. For instance:

- In this practice, to setup an AP honeypot will be used a D-Link Access Point, broadcasting an ESSID called "withRadius". The honeypot will try to fake a supposedly real network, which could work for instance with Windows Server 2003, 2008 or 2012 Radius server, integrated with Active Directory.

- Because an external RADIUS server is going to be used, WPA/WPA2 Enterprise is needed:

- The AP is pointing as a client to the FreeRadius server, which is running on the "kali" attacker with IP 192.168.0.198, listening on port 1812. Also, a Shared Secret is needed ("test"), shared between the AP and the FreeRadius server:

- Verifiying that "kali"s IP (FreeRadius server) is 192.168.0.198:

- On the server side, FreeRadius is configured to use EAP-PEAP by default, at eap.conf file:

- Also, FreeRadius needs to be aware of its client D-Link AP, whose IP is 192.168.0.2:

- As said before, both AP client (192.168.0.12) and FreeRadius server (192.168.0.198) have to share a secret key ("test"):

- The shared key is introduced at the clients.conf file for the client 192.168.0.2:

- Then, FreeRadius server is started at "kali", listening on port 1812 to authentication requests:

- A victim user "daniel" from "roch", tries to join the "withRadius" wireless network, and he is prompted for authentication:

- Previously, the certification validation option for EAP has been turned off at the client "roch", with the purpose of showing the potential weakness of this type of authentication. Of course, if a certificate (fake, created by FreeRadius at the attacker "kali") is offered and accepted by the user, the result would be the same. Because the "validate server certificate" is off, the victim is not able to verify if a certificate is either fake of truthful. Not only that, if the "Connect to these servers" option is also turned off, an attacker could get a real certificate from any list of authorized authorities. In case of been accepted by the client, the result would be again the same:

- The connection is succesful:

- FreeRadius debugs the success of the authentication process:

- In the meanwhile, the process of the mschap username / challenge / response is being tailing from radius.log:

- Finally, the tool Asleap, after a brute force attack with the help of the wordlist "diccionario.txt", is able to crack the password for user "daniel": abcdefghi

- It is important to notice that in this practice, and for the purpose of a more clear demonstration, valid credentials have been introduced. However, if non valid credentials had been used, the log would have captured them in the same way, and eventually Asleap also would have been able to crack them.

WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.9 - AP-less attack against WPA/WPA2

3.9 - AP-less attack against WPA/WPA2

- In previous practices WPA/WPA2 was cracked after capturing the 4 way handshake between AP and client.

- Now, it will be shown how to crack WPA/WPA2 just using the client, with no access point. In this case the 4 way handshake packets won't be necessary, because 2 of them (either the pair 1 and 2, or the pair 3 and 4) will be enough to be known. To achieve that goal, the first step is to create a honeypot where the client will try to connect, sending the message 1 and receiving the answer 2.

- Let's remember a previous picture:

- The attacker "kali" creates a honeypot imititating the legitimate AP, with same ESSID "spaniard" and MAC address 00:25:F2:9B:91:23 (both learnt easily with airodump-ng):

- Also, airodump-ng creates a file called sinAP.cap, where all the interesting packets will be stored:

- The victim "roch" connects to the honeypot and associates to it, in the false believe that it has connected to the legitimate AP:

- airodump-ng detects the association of the victim "roch":

- Also, the file sinAP.cap is created:

- Next, brute-force attack is launched with aircrack-ng:

- A few instants later, the key is found:

- This practice is even lighter than previous practices trying to find the WPA/WPA2 key, because there are less steps involved. The legitimate AP has not been used at all, because no deauthentication packets have been sent to the AP.

WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.8 - Automating attacks against WPA/WPA2

3.8 - Automating attacks against WPA/WPA2

- Previously introduced Gerix Wifi Cracker software helps to automate attacks against Wi-Fi encryption, both for WEP and WPA/WPA2 versions.

- For starting Gerix from the "kali" command shell:

- Gerix is launched:

- In this practice the AP will be set to WPA2 with AES-CMMP encryption, being the key A54321z$:

- Clicking the Configuration tab:

- The option Enable/Disable Monitor Mode creates the virtual mon0 attached to the physical interface wlan0:

- Gerix includes a small real-time log that informs the user about the performed actions:

- One good practice from the attacker's point of view is to change the MAC address, with the purpose of covering tracks of the attack. The option Set random MAC address does the trick:

- Next, Gerix is forced to scan available networks in the sorroundings:

- As usual, the "spaniard" network is choosen for being attacked:

- Clicking the WPA tab, the WPA attack is started. The functionality Start Sniffing and Logging is enabled:

- Gerix detects the "spaniard" network, with MAC address 00:25:F2:9B:91:23 , using WPA2-CCMP encryption. Also, the client "roch" whith MAC addresss 28:C6:8E:63:15:6B is detected:

- Because it is necessary to capture some packets from the WPA handshake process, a deauthentication set of messages needs to be sent to the victim, which MAC address is introduced:

- The deauthentication process starts:

- aireplay-ng sends 4 packets directed to the victim, "roch":

- For starting the bruteforce cracking attack, a dictionary is added: diccionario.txt

- The attack is launched clicking the tab Aircrack-ng - Crack WPA password:

- After 2 minutes and 13 seconds, the key is found: A54321z$

WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.7 - Speeding attacks against WPA/WPA2 encryption

3.7 - Speeding attacks against WPA/WPA2 encryption

- So far so good, but trouble could arise if the dictionary contains hundred of thousands of entries, because in that case the resources taken by CPU in terms of time and processing could be huge.

- The function PBKDF2 hashes the passphrase and the SSID over 4096 times, before outputting the 256 Pre Shared Key. Then, this obtained key is verified against the MIC used in the four-way WPA handshake. To speed up the whole process, it is possible to precalculate the Pre Shared Key for the passphrase.

- For that purpose, the tool genpmk (generator of PMK, Pairwise Master Key) can be used:

- The option -f takes the used dictionary, -s is about the SSID, and the -d option indicates the name of the output file, for instance "archivoPMK":

- It is important to notice that both the passphrase and the SSID are used to calculate the PMK. The process can take a lot of time, depending on the size of the dictionary. A message is periodically output every 1000 passphrases:

- So on ... until more than 789000 entries of diccionario.txt, the generation of PMK file is ended up:

- The command ls shows the new created file "archivoPMK":

- Now, there are a number of tools designed to take profit of "archivoPMK", for instance airolib-ng and Pyrit:

a) airolib-ng

- The command "airolib_ng" creates the database "archivoAircrackPMK" based on former database "archivoPMK":

- The command ls shows the new created file "archivoAircrackPMK":

- Feeding aircrack-ng with database "archivoAircrackPMK" and "archivoWPA-01.cap", the key is found in just 8 seconds !!

- So, the difference in time is huge, from 18 minutes to 8 seconds. Although the creation of "archivoPMK" takes a lot of time, depending of the dictionary size, it could be calculated just once for each specific dictionary and SSID. So, whenever the passphrase is changed by the network administrator, the precalculated database could be apply to speed up the cracking of the key.

b) Pyrit

- Even faster, just in 3 seconds, the tool Pyrit offers the same results: