WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.1 - Attack against WEP encryption

3.1 - Attack against WEP encryption

3.1.1 - WEP encryption

- Wired Equivalent Privacy (WEP) is a security algorithm introduced by the University of California Berkeley, accepted as part of the IEEE 802.11 standards for wireless networks. Because of the great number of flaws inherent to WEP, it is nowadays considered obsolote. However, due to the fact that almost all Wi-Fi routers offer WEP as an option, and because there are a lot of available wireless networks using WEP, it is neccesary and interesting to study this standard. From the criptographic point of view, WEP uses the stream cipher RC4 for confidentiality, and CRC-32 checksum for integrity. There are two main versions of WEP, although working in a similar manner. All of them use a so called initialization vector (IV), what is a fixed size input generated randomly, that is eventually XOR operated with the keystream.

- WEP-40 uses a 40 bits key which is concatenated with a 24 bits IV to form the 64 bits RC4 key. The 40 bits key is formed by a string of 10 hexadecimal characters (4 bits for 1 char).

- WEP-104 uses a 104 bit key which is concatenated with a 24 bits IV to form the 128 bits RC4 key. The 104 bits key is formed by a string of 26 hexadecimal characters (4 bits for 1 char).

There are also two main authentication systems for WEP: Open and Shared Key.

- Open System authentication: the client does not need to provide any credentials to authenticate with the AP; actually, no authentication occurs, and WEP keys are used just for encrypting data frames.

- Shared Key authentication: a four step challenge-response handshake is used:

a) the client sends a request message to the AP.

b) the AP replies with a clear text challenge.

c) the client encrypts the text challenge with the WEP key, sending back to the AP.

d) the AP decrypts the response, if matches the AP sends back a positive reply.

- After the authentication, the WEP key is used to encrypt the data with RC4. Although it may seem that Shared Key method is safer than Open System, because the last one lacks of authentication, the truth is just the contrary. Due to the fact that challenge frames can be captured during the handshake in Shared Key, the keystream could be obtained.

- RC4 is a stream cipher, so same key must not be used twice. The initialization vector, transmitted unencrypted, tries to prevent any repetition. But a lenght of 24 bits is not enough to ensure this, so it could happen that two identical IVs were generated if busy traffic. A passive attack would consist on simulating replay packets and sniffing the responses for subsequent analysis. For the WEP-104 just 40.000 packets would be enough to obtain the WEP key with a 50% of probability, and around 85.000 data packets would ensure the 95% of probability of success. Using ARP packets reinjection, around 40.000 packets can be captured in less than 1 minute. So, cracking WEP is just a matter or time, just using software tools like aircrack-ng.

3.1.2 - Attack against WEP encryption

- First of all, the AP is set to use WEP encryption of 128 bits whith Shared Key Authentication.

- Introducing the passphrase AbCdEf12345$ a Network Key is generated: 1792424e9b00a0d2a4a8bc180a

- From the client "roch"s side, properties of the network are arranged:

- Then, "roch" is connected to the network:

- This process of connection for the client "roch" has been captured by the attacker "kali" with airodump-ng. The option - - write means that captures are stored at the .cap file called "archivoWEP":

- At previous screenshot it can be noticed that the number of data packets is very small, #Data = 61. For WEP cracking a larger number of packets is needed, so the network is forced to create more data packets.

- The tool aireplay-ng captures packets from the wireless network and reinjects them back simulating ARP responses. In this way a lot of traffic is generated for the network. Aireplay-ng identifies ARP packets by looking at their size. ARP protocol uses a fixed header that can be easily identified. It is essential that the victim client is already authenticated and associated to the AP.

- Option -3 means ARP replay, -b is for the BSSID, and -h for the victim's,"roch", whose MAC address is being spoofed:

- Due to the replay attack, the number of captured packets by airdump-ng is dramatically increased, from #Data = 61 to now #Data = 44376:

- In the meanwhile, "archivoWEP-01.cap" and some other derived files are storing the created packets by aireplay-ng:

- At this point of the attack, aircrack-ng is ready to be launched, using packets stored at "archivoWEP-01.cap":

- Due to the great amount of stored packets, it takes just an instant to find the key:

- Using the airdacp-ng command, captured packets at "archivoWEP-01.cap" can be decrypted:

3.1.3 - Connecting to the AP

- Once the attacker "kali" has been able to crack the WEP key, it is time for it to connect to the network. At the present moment of the practice "kali" is in "Not-Associated" mode:

- Using the iwconfig command, the SSID and the key, the attacker "kali" can connect to the network:

- The success of the connection is verified:

- Also, airodump-ng captures the fact that now there are 2 clients connected to the AP: the legitimate one ("roch"), and the attacker one ("kali"):

- In the same way, the AP detects both connected clients:

- Because DHCP is enabled by default, the AP assigns a dynamic IP to "kali":

- Now, the attack is a complete success because "kali" is authenticated and associated to the network, pinging any of the internal hosts, for instance the default gateway:

- Also, "kali" has got connection to the Internet, being able to ping Google's public DNS server:

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.10 - WiFishing: creation of multiple honeypots

2.10 - WiFishing: creation of multiple honeypots

- The creation of just 1 fake Access Point or honeypot is not always enough, because the victim would connect automatically to only one AP matching the stored network configuration. How the attacker would force the client to connect to its own fake AP, and not other one available, without knowing a priori the preferred type of encryption of the victim?

- For that reason, and for the purpose of penetration testing, it is very handy to create several fake APs with the same SSID, but each of one matching diferent types of encryption methods: for instance Open, WEP, WPA-PSK and WPA2-PSK, with TKIP or AES-CCMP.

- So, taking 4 different encryption options, it would be necessary to create 4 virtual interfaces: mon0, mon1, mon2 and mon3, using airmon-ng start wlan0 repeatedly at the attacker "kali" machine.

- mon0:

- mon1:

- mon2:

- mon3:

- Now, there are 4 virtual interfaces working in monitor mode:

- The command airbase-ng holds interesting options to fake APs:

- For creating WEP, option -W 1 is available:

- For creating WPA option -z is used, being 2 for TKIP and 4 for AES-CCMP. Same for WPA2 using -Z:

- The first honeypot called "puntodeacceso" doesn't have any encryption, it is Open, so no option is used. MAC address will be AA:AA:AA:AA:AA:AA, working in mon0 monitor interface:

- The second honeypot is also called "puntodeacceso" and uses WEP encryption (-W 1). MAC address will be BB:BB:BB:BB:BB:BB, working in mon1 monitor interface:

- The third honeypot is also called "puntodeacceso" and uses WPA-PSK TKIP encryption (-z 2). MAC address will be CC:CC:CC:CC:CC:CC, working in mon2 monitor interface:

- The fourth honeypot is also called "puntodeacceso" and uses WPA2-PSK TKIP encryption (-Z 2). MAC address will be DD:DD:DD:DD:DD:DD, working in mon3 monitor interface:

- It can be verified the existence of the 4 honeypots, all sharing the same ESSID, each one with different type of encryptions and different number of MAC addresses:

 - The question that arises now is: Which one would the victim "roch" pick up to connect to?

- Based on the Preferred Network List, in this case the client "roch" has got a stored network called "puntodeacceso":

- Also, the configuration forces to connect automattically to the network "punto de acceso"when it is in range:

- The stored security configuration uses WPA with TKIP encryption:

- So, no doubt that the picked up honeypot to be connected by the victim "roch" (whose MAC adress is 28:C6:8E:63:15:6B) will be the third honeypot, which uses WPA-TKIP and has got CC:CC:CC:CC:CC:CC as MAC address, because it is the only one that matches the stored configuration:

- This practice has shown how to create the appropiate bait for a victim, offering fake APS or honeypots with different encryptions modes, assuming that one of them would match the stored security configuration mode by the victim.

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.9 - Automating the creation of a honeypot

2.9 - Automating the creation of a honeypot

- Gerix Wifi Cracker is a software tool designed to automate attacks against Wi-Fi networks. Due to the fact that a Graphical User Guide (GUI) is available, the easiness of use is improved in comparison with command shell:

- For starting Gerix from the "kali" command shell:

- Gerix is launched:

- On the Configuration tab, and selecting wlan0 interface, clicking Enable/Disable Monitor Mode puts wlan0 in promiscuous/monitoring mode:

- The virtual interface mon0 is created. To change the MAC address, so that it cannot be recognized, Set random MAC address tab is clicked:

- Now, both mon0 and wlan0 have changed their MAC address numbers. It is important to write down the MAC address 58:6D:BC:54:58:C9, because it will be the MAC associated to the fake AP "honeypot":

- Clicking the tab Fake AP, the honeypot is created without any authentication. Of course, in a real environmente, an attacker would use a less suspicious network name like "honeypot":

- Gerix announces the creation of the honeypot. Actually, it can be checked that the real command shell is airbase-ng, working behind the Gerix GUI:

- Now, "kali" detects its owned created fake AP, wich ESSID is "honeypot", and MAC address 58:6D:BC:54:58:C9. So far, no client is associated to "honeypot":

- From "roch", Vistumbler detects "honeypot" with all its features:

- Now, it is time to connect the victim "roch" to the network:

- The association is succesful:

- Gerix announces that a client with MAC 28:C6:86:63:15:6B ("roch"s MAC address) has associated to the network whose ESSID is "honeypot":

- Also, airodump-ng detects "roch" connected to "honeypot":

- So, the deception to the victim has been a success. The same attack could have been done using another AP's legitimate name.

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.8 - Working at disallowed channels and exceeding power output limits

2.8 - Working at disallowed channels and exceeding power output limits

- Because every country in the world has got its own legislation regarding to the radio spectrum, it is important to know which are the channels and output power allowed in every place. Moreover, each wireless network interface has got its own default regulatory settings.  

- First of all, assuming we are in the United States (US), let's take for instance the US regulatory domain:

- This new setting is immediately detected by the log file of the system:

- In the US regulatory domain is perfectly possible to use channel 11:

- But it is not allowed channel 12:

- About the power output, maximum allowed is 27 dBm (500 mW):

- For that reason, 30 dBm ( 1 Watt) is rejected:

- Now, although being physically in the US, the regulatory domain can be changed, for instance to Bolivia (BO):

- Again, the log file records the news:

- Now, the system allows to use both channel 12 (2.467 GHz) and power 30 dBm (1 Watt), because Bolivian regulatory domains are different from the US:

- What to do for using the all over the world forbidden channel 14? the answer is to change to Japanese regulatory domain, because Japan is the only country in the world allowing channel 14:

- The log informs about the changes:

- Verifying that the wireless interface card is now working at the forbidden channel 14 (2.484 GHz):

- From this practice, we conclude that although in each country there are unlicensed wireless bands and strict power limits specified, all those regulations can be overwritten changing the regulatory domain to other country. In this way, the wireless interface card is forced to work at:

• disallowed channels
• more than allowed power transmission

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.7 - Discovering unauthorized clients

2.7 - Discovering unauthorized clients

- The method of discovering if there is any unauthorized client connected to an specific AP consists just on comparing the list of authorized clients with the list of the actually connected clients. There are two ways to detect what clients are connected to an specific AP:

a) checking the AP itself:

- The Access Control option allows to obtain the list of connected clients at a given instant:

- For example, in this case there are 5 clients connected to the lab's AP:

- Obviously, client "kali" shouldn't be on the authorized client list, so it could be easily considered an intruder.

b) using the airodump-ng command to explore the AP:

- It can be checked that boths ways of discovering clients yield identical output.