
Sunday, October 16, 2016

WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.1 - Attack against WEP encryption



3.1 - Attack against WEP encryption

3.1.1 - WEP encryption

- Wired Equivalent Privacy (WEP) is the security algorithm included in the original IEEE 802.11 standard for wireless networks (1997). Because of the many flaws inherent to its design, exposed among others by researchers at the University of California, Berkeley, in 2001, it is nowadays considered obsolete. However, since almost all Wi-Fi routers still offer WEP as an option and many deployed wireless networks still use it, it is necessary and interesting to study this standard. From the cryptographic point of view, WEP uses the stream cipher RC4 for confidentiality and a CRC-32 checksum (the ICV) for integrity. There are two main versions of WEP, both working in the same manner. Both use a so-called initialization vector (IV): a fixed-size 24-bit value chosen by the sender for each frame, transmitted in clear at the front of the frame and concatenated with the secret key to seed RC4; the resulting keystream is then XORed with the plaintext and its CRC-32.


- WEP-40 uses a 40-bit key which is concatenated with the 24-bit IV to form the 64-bit RC4 seed. The 40-bit key is written as a string of 10 hexadecimal characters (4 bits per character).

- WEP-104 uses a 104-bit key which is concatenated with the 24-bit IV to form the 128-bit RC4 seed. The 104-bit key is written as a string of 26 hexadecimal characters (4 bits per character).

There are also two main authentication systems for WEP: Open and Shared Key.

- Open System authentication: the client does not need to provide any credentials to authenticate with the AP; actually, no authentication occurs, and WEP keys are used just for encrypting data frames.

- Shared Key authentication: a four-step challenge-response handshake is used:

a) the client sends an authentication request to the AP.
b) the AP replies with a clear-text challenge (128 bytes).
c) the client encrypts the challenge with the WEP key and sends it back to the AP.
d) the AP decrypts the response; if it matches the challenge, the AP sends back a positive reply.

- After authentication, the WEP key is used to encrypt the data with RC4. Although it may seem that the Shared Key method is safer than Open System, because the latter performs no authentication at all, the truth is the contrary: in Shared Key both the clear-text challenge and its encrypted reply can be captured during the handshake, and XORing them yields the RC4 keystream for that IV, which is enough to authenticate against the AP without knowing the key, or to decrypt any frame sent under the same IV.

- RC4 is a stream cipher, so the same keystream must never be used twice. The initialization vector, transmitted in clear, is meant to prevent repetition, but a length of 24 bits is not enough to ensure it: the IV space is exhausted after at most 2^24 (about 16.7 million) frames, and by the birthday bound a repeated IV is already likely after a few thousand frames on a busy network. A passive attack consists simply of sniffing enough traffic and analysing it offline; an active attacker does not wait for the traffic and instead replays captured packets so that the AP answers with new encrypted frames under fresh IVs. With the PTW attack implemented by aircrack-ng, about 40,000 captured data packets are enough to obtain a WEP-104 key with 50% probability, and around 85,000 data packets raise the probability of success to 95%. Using ARP packet reinjection, around 40,000 packets can be captured in less than 1 minute. So, cracking WEP is just a matter of time using software tools like aircrack-ng.
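The following is an added example, not code from the original post: a minimal Python model of the WEP encapsulation just described (RC4 seeded with IV || key, CRC-32 ICV), used to show concretely the two weaknesses above, keystream recovery from a Shared Key handshake and keystream reuse when an IV repeats. The decrypt routine is also what airdecap-ng does per frame in section 3.1.2. The key is the one shown in the practice below; the IV, the challenge and the plaintexts are constructed for the example, and the 802.11 header is omitted.

```python
import zlib
from typing import Optional

# Constructed values for the example: the 26-hex-digit (104-bit) key used in
# the practice, and an arbitrary 24-bit IV.
KEY = bytes.fromhex("1792424e9b00a0d2a4a8bc180a")
IV = bytes.fromhex("a1b2c3")


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA).  WEP seeds it with IV || key, so the first three
    bytes of every seed travel in clear in the frame."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(payload).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body as sent on the air: IV (3) || key index (1) || RC4(payload || ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)   # WEP-40 or WEP-104
    body = payload + icv(payload)
    return iv + b"\x00" + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Per-frame job of airdecap-ng: read the IV, rebuild the keystream from
    IV || key, decrypt, and accept the frame only if the ICV matches."""
    iv, body = frame[:3], frame[4:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    payload = plain[:-4]
    return payload if icv(payload) == plain[-4:] else None


def recover_keystream(challenge: bytes, response_frame: bytes):
    """Shared Key weakness: the AP sends the challenge in clear and the client
    returns it WEP-encrypted.  Ciphertext XOR (challenge || ICV) is the whole
    keystream for that IV, obtained without knowing the key."""
    iv, body = response_frame[:3], response_frame[4:]
    return iv, xor(body, challenge + icv(challenge))


def forge_response(iv: bytes, keystream: bytes, challenge: bytes) -> bytes:
    """Answer a later challenge with the recovered keystream, which is what a
    fake authentication from a saved keystream file amounts to."""
    body = challenge + icv(challenge)
    assert len(body) <= len(keystream)
    return iv + b"\x00" + xor(body, keystream)


def iv_reuse_leak(frame_a: bytes, frame_b: bytes) -> Optional[bytes]:
    """Two frames under the same IV share a keystream, so XORing their bodies
    cancels it and leaves plaintext_a XOR plaintext_b: one known plaintext
    then reveals the other."""
    if frame_a[:3] != frame_b[:3]:
        return None
    n = min(len(frame_a), len(frame_b)) - 4
    return xor(frame_a[4:4 + n], frame_b[4:4 + n])


if __name__ == "__main__":
    challenge = bytes(range(128))                 # AP's 128-byte challenge, in clear
    response = wep_encrypt(KEY, IV, challenge)    # legitimate client's reply
    iv, ks = recover_keystream(challenge, response)
    forged = forge_response(iv, ks, bytes(reversed(challenge)))
    print("forged authentication accepted:", wep_decrypt(KEY, forged) is not None)
    a = wep_encrypt(KEY, IV, b"ATTACK AT DAWN")
    b = wep_encrypt(KEY, IV, b"DEFEND AT DUSK")
    print("second plaintext recovered:", xor(iv_reuse_leak(a, b), b"ATTACK AT DAWN"))
```

Note that the forged response is accepted even though the attacker never learns the key: the AP only checks that challenge || ICV decrypts correctly under the IV the attacker chose, and the leaked keystream is valid for exactly that IV. This is why Open System, which leaks nothing, is the lesser evil.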


3.1.2 - Attack against WEP encryption

- First of all, the AP is set to use 128-bit WEP encryption with Shared Key authentication.

- Entering the passphrase AbCdEf12345$, the router derives the 26-hex-digit Network Key 1792424e9b00a0d2a4a8bc180a (the passphrase-to-key derivation is vendor-specific; only the hex key matters for the attack):





- On the client "roch"'s side, the properties of the network are configured:



- Then, "roch" is connected to the network:



- This connection process of the client "roch" has been captured by the attacker "kali" with airodump-ng. The option --write means that captures are stored in .cap files with the prefix "archivoWEP":



- In the previous screenshot it can be noticed that the number of data packets is very small, #Data = 61. For WEP cracking a much larger number of packets (tens of thousands of unique IVs) is needed, so the network is forced to generate more data packets.

- The tool aireplay-ng captures packets from the wireless network and reinjects them, simulating ARP requests; the AP answers every replayed request with a newly encrypted frame, so a lot of traffic with fresh IVs is generated. Aireplay-ng identifies ARP packets by looking at their size: an ARP request has a fixed length, which makes it easy to recognise even though the payload is encrypted. It is essential that the victim client is already authenticated and associated to the AP, because its MAC address is used as the source of the replayed packets.

- Option -3 means ARP replay, -b is the BSSID of the AP, and -h is the MAC address of the victim "roch", which is spoofed as the source of the replayed packets:



- Due to the replay attack, the number of packets captured by airodump-ng increases dramatically, from #Data = 61 to #Data = 44376:



- In the meantime, "archivoWEP-01.cap" and some other derived files are storing the packets generated by the aireplay-ng attack:



- At this point of the attack, aircrack-ng is ready to be launched on the packets stored in "archivoWEP-01.cap":



- Due to the large number of stored packets, it takes just an instant to find the key:



- Using the airdecap-ng command with the recovered key, the packets captured in "archivoWEP-01.cap" can be decrypted (frames whose ICV does not verify are discarded):




3.1.3 - Connecting to the AP

- Once the attacker "kali" has cracked the WEP key, it is time to connect to the network. At this point of the practice "kali" is in "Not-Associated" mode:



- Using the iwconfig command with the SSID and the cracked key, the attacker "kali" can connect to the network:



- The success of the connection is verified:



- Also, airodump-ng shows that there are now 2 clients connected to the AP: the legitimate one ("roch") and the attacker ("kali"):



- In the same way, the AP detects both connected clients:



- Because DHCP is enabled by default on the AP, it assigns a dynamic IP address to "kali":



- Now the attack is a complete success, because "kali" is authenticated and associated to the network and can ping any of the internal hosts, for instance the default gateway:



- Also, "kali" has Internet connectivity, being able to ping Google's public DNS server:





WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.10 - WiFishing: creation of multiple honeypots


2.10 - WiFishing: creation of multiple honeypots

- Creating just 1 fake Access Point or honeypot is not always enough, because the victim connects automatically only to an AP matching its stored network configuration. How would the attacker force the client to connect to its own fake AP, and not to another one available, without knowing a priori the type of encryption stored in the victim's profile?

- For that reason, and for the purpose of penetration testing, it is very handy to create several fake APs with the same SSID, each one advertising a different encryption method: for instance Open, WEP, WPA-PSK and WPA2-PSK, with TKIP or AES-CCMP.

- So, taking 4 different encryption options, it is necessary to create 4 virtual interfaces: mon0, mon1, mon2 and mon3, by running airmon-ng start wlan0 repeatedly on the attacker "kali" machine (the airmon-ng version used here creates a new monN interface on each run):

- mon0:



- mon1:



- mon2:



- mon3:



- Now, there are 4 virtual interfaces working in monitor mode:



- The command airbase-ng offers several options for faking APs:



- To advertise WEP, option -W 1 is available (it sets the Privacy bit in the beacons):



- To advertise WPA, option -z is used, with 2 for TKIP and 4 for AES-CCMP. The same values apply to WPA2 using -Z:



- The first honeypot, called "puntodeacceso", doesn't use any encryption (Open), so no option is needed. Its MAC address will be AA:AA:AA:AA:AA:AA, working on the mon0 monitor interface:




- The second honeypot is also called "puntodeacceso" and advertises WEP encryption (-W 1). Its MAC address will be BB:BB:BB:BB:BB:BB, working on the mon1 monitor interface:



- The third honeypot is also called "puntodeacceso" and advertises WPA-PSK TKIP encryption (-z 2). Its MAC address will be CC:CC:CC:CC:CC:CC, working on the mon2 monitor interface:



- The fourth honeypot is also called "puntodeacceso" and advertises WPA2-PSK TKIP encryption (-Z 2). Its MAC address will be DD:DD:DD:DD:DD:DD, working on the mon3 monitor interface:



- The existence of the 4 honeypots can be verified: all share the same ESSID, each one with a different type of encryption and a different MAC address:



- The question that arises now is: which one would the victim "roch" pick to connect to?

Based on its Preferred Network List, in this case the client "roch" has a stored network called "puntodeacceso":




Also, the configuration forces an automatic connection to the network "puntodeacceso" whenever it is in range:



- The stored security configuration uses WPA with TKIP encryption:



- So, there is no doubt that the honeypot picked by the victim "roch" (whose MAC address is 28:C6:8E:63:15:6B) will be the third one, which advertises WPA-TKIP and has CC:CC:CC:CC:CC:CC as its MAC address, because it is the only one that matches the stored configuration:
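As an added example (not code from the original post), the following Python model shows why the client can tell the four "puntodeacceso" honeypots apart although they share one ESSID: the choice is driven by the security advertised in the beacon, namely the Privacy capability bit, the WPA vendor information element (OUI 00:50:F2, type 1) and the RSN information element (tag 48), whose cipher-suite selectors (2 = TKIP, 4 = CCMP) are the same numbers airbase-ng takes for -z and -Z. The beacons are constructed here and reduced to those fields; the Preferred Network List entry is modelled as an (ESSID, security) pair, which is a simplification of what a real supplicant stores.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PRIVACY = 0x0010                     # capability bit set by WEP, WPA and WPA2 APs
OUI_MSFT = bytes.fromhex("0050f2")   # WPA (pre-802.11i) vendor-specific IE
OUI_IEEE = bytes.fromhex("000fac")   # RSN (WPA2) IE
TKIP, CCMP = 2, 4                    # cipher-suite selectors (== airbase-ng -z/-Z values)
PSK = 2                              # AKM selector for pre-shared key


@dataclass(frozen=True)
class Beacon:
    essid: str
    bssid: str
    capability: int
    ies: bytes            # concatenated information elements: tag, length, body


def _suite_ie(tag: int, oui: bytes, cipher: int, prefix: bytes = b"") -> bytes:
    """Build a WPA (tag 0xDD) or RSN (tag 0x30) IE advertising one pairwise
    cipher and PSK key management (RSN capabilities field omitted)."""
    body = (prefix + struct.pack("<H", 1)                       # version 1
            + oui + bytes([cipher])                               # group cipher
            + struct.pack("<H", 1) + oui + bytes([cipher])        # 1 pairwise cipher
            + struct.pack("<H", 1) + oui + bytes([PSK]))          # 1 AKM: PSK
    return bytes([tag, len(body)]) + body


def beacon_for(essid: str, bssid: str, mode) -> Beacon:
    """mode mirrors the airbase-ng invocation: None (open), "WEP" (-W 1),
    ("WPA", cipher) (-z cipher) or ("WPA2", cipher) (-Z cipher)."""
    ies = bytes([0, len(essid)]) + essid.encode()                 # SSID IE
    if mode is None:
        return Beacon(essid, bssid, 0, ies)
    if mode == "WEP":
        return Beacon(essid, bssid, PRIVACY, ies)
    proto, cipher = mode
    if proto == "WPA":
        ies += _suite_ie(0xDD, OUI_MSFT, cipher, prefix=OUI_MSFT + b"\x01")
    else:
        ies += _suite_ie(0x30, OUI_IEEE, cipher)
    return Beacon(essid, bssid, PRIVACY, ies)


def parse_ies(ies: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i + 2 <= len(ies):
        tag, length = ies[i], ies[i + 1]
        out.append((tag, ies[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def security_of(b: Beacon) -> str:
    """Classify a beacon the way a client's scan list does."""
    names = {TKIP: "TKIP", CCMP: "CCMP"}
    for tag, body in parse_ies(b.ies):
        if tag == 0x30:                          # RSN: version, group, count, pairwise suite
            return "WPA2-" + names.get(body[2 + 4 + 2 + 3], "?")
        if tag == 0xDD and body[:4] == OUI_MSFT + b"\x01":
            return "WPA-" + names.get(body[4 + 2 + 4 + 2 + 3], "?")
    return "WEP" if b.capability & PRIVACY else "OPEN"


def pick_ap(profile: Tuple[str, str], scan: List[Beacon]) -> Optional[Beacon]:
    """Auto-connect picks the first AP whose ESSID *and* security match the
    stored profile; a matching ESSID alone is not enough."""
    essid, security = profile
    for b in scan:
        if b.essid == essid and security_of(b) == security:
            return b
    return None


def honeypots() -> List[Beacon]:
    """The four fake APs of this practice, as airbase-ng advertises them."""
    name = "puntodeacceso"
    return [beacon_for(name, "AA:AA:AA:AA:AA:AA", None),
            beacon_for(name, "BB:BB:BB:BB:BB:BB", "WEP"),
            beacon_for(name, "CC:CC:CC:CC:CC:CC", ("WPA", TKIP)),
            beacon_for(name, "DD:DD:DD:DD:DD:DD", ("WPA2", TKIP))]


if __name__ == "__main__":
    chosen = pick_ap(("puntodeacceso", "WPA-TKIP"), honeypots())
    print("roch connects to:", chosen.bssid if chosen else None)
```

The same model also shows the limit of the bait: a profile stored as WPA2 with AES-CCMP matches none of the four honeypots above, so a fifth one with -Z 4 would be needed for that victim.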



This practice has shown how to create the appropriate bait for a victim, offering fake APs or honeypots with different encryption modes, assuming that one of them matches the security configuration stored by the victim.




WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.9 - Automating the creation of a honeypot



2.9 - Automating the creation of a honeypot

- Gerix Wifi Cracker is a software tool designed to automate attacks against Wi-Fi networks. Because it provides a Graphical User Interface (GUI), it is easier to use than the command line:

- For starting Gerix from the "kali" command shell:



- Gerix is launched:



- On the Configuration tab, selecting the wlan0 interface and clicking Enable/Disable Monitor Mode puts wlan0 in monitor mode:



- The virtual interface mon0 is created. To change the MAC address, so that the attacker's real hardware address cannot be recognized, Set random MAC address is clicked:



- Now both mon0 and wlan0 have a new MAC address. It is important to write down the MAC address 58:6D:BC:54:58:C9, because it will be the BSSID of the fake AP "honeypot":



- Clicking the Fake AP tab, the honeypot is created without any authentication. Of course, in a real environment an attacker would use a less suspicious network name than "honeypot":



- Gerix announces the creation of the honeypot. Actually, it can be checked that the command really running behind the Gerix GUI is airbase-ng:



- Now "kali" detects its own fake AP, whose ESSID is "honeypot" and whose MAC address is 58:6D:BC:54:58:C9. So far, no client is associated to "honeypot":



- From "roch", Vistumbler detects "honeypot" with all its features:



- Now, it is time to connect the victim "roch" to the network:



- The association is successful:



- Gerix announces that a client with MAC 28:C6:86:63:15:6B ("roch"'s MAC address) has associated to the network whose ESSID is "honeypot":



- Also, airodump-ng detects "roch" connected to "honeypot":



- So, the deception of the victim has been a success. The same attack could have been carried out using the name of a legitimate AP instead.