
Monday, October 17, 2016

WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.5 - Korek Chopchop attack against WEP


3.5 - Korek Chopchop attack against WEP

- Unlike the previous attacks against WEP encryption, the goal of the Korek chopchop attack is not to find the WEP key, but only to decrypt one specific packet sent within the attacked network: chopchop decrypts a WEP data packet without knowing the WEP key. As said before, its purpose is not to find the key but to reveal the plaintext. Once the replay_dec-X.cap file is obtained, Wireshark can be used to decrypt the chosen packet. The Korek chopchop attack is based on the polynomial arithmetic behind the Cyclic Redundancy Check (CRC).

- The initial setup for the lab is the same as in the previous practices. To launch the attack, aireplay-ng is used with the -4 option (chopchop attack):



- After reading some packets (55 in this case), aireplay-ng asks whether the selected packet should be decrypted. If the answer is yes, the attack starts immediately, decrypting the packet and saving the result in the file replay_src-0918-224820.cap:



The attack is finished:



- aireplay-ng indicates where the captured packets are saved:




- The file replay_src--0918-224820.cap and its derivatives have been created:



- Using Wireshark, the file replay_src--0918-224820.cap can be decrypted:



It can be verified that the packet is the same one selected by aireplay-ng (8842 2C00 28C6 etc.): its frame control bytes identify a frame sent by the AP Motorola 00:25:F2:9B:91:23 to the client "roch", whose wireless card is a Netgear with MAC 28:C6:8E:63:15:6B:



- Also, the file replay_dec-0918-224925.cap can be decrypted, again with Wireshark's help:



- In this case, the packet is sent by 173.194.46.69 (Google) to the client "roch" (192.168.0.15), as part of an HTTPS connection:




WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.4 - Hirte attack against WEP encryption


3.4 - Hirte attack against WEP encryption

- The Hirte attack extends the Caffe-Latte attack with fragmentation techniques. As with Caffe-Latte, there is no need for an AP in the vicinity for the Hirte attack to be launched; a WEP client isolated from its legitimate AP is enough.

- Fragmentation attacks use the fact that the first 8 bytes of the encrypted packet consist of the Logical Link Control (LLC) header. Because this header is known plaintext, the attacker can XOR it with the encrypted packet, recovering the first 8 bytes of the RC4 keystream, and use this keystream together with the matching IV to create encrypted packets. However, only 4 bytes of data fit in those 8 bytes, because the last 4 bytes are taken by the WEP ICV. Fragmentation allows up to 16 fragments per packet, so a packet with a reassembled size of 64 bytes can be sent. This is used to inject packets such as ARP requests and replies.

- The Hirte attack sniffs an ARP packet and relocates the IP address in the ARP header to convert the reassembled packet into an ARP request for the wireless client. The client responds with an ARP reply, allowing the attacker to gather new data packets encrypted with the WEP key. Once enough packets are gathered, aircrack-ng can crack the WEP key rapidly.

- For this practice, the lab setup is exactly the same as in the previous Caffe-Latte attack. Now, airbase-ng uses the option -N to specify the Hirte attack, instead of the option -L used for Caffe-Latte.

- After the legitimate AP is unplugged, the client "roch" connects to the fake AP created by the attacker "kali". Only one minute after the association, at 21:55:13, the Hirte attack is started:



- Airodump-ng detects the association between the victim "roch" and the fake AP, writing the captured packets to the file Hirte-WEP:



The file hirteWEP-01.cap and its derivatives are created:



- As usual, aircrack-ng finds the WEP key A8925DC44A5432DE814CE109F9 in a short time:






WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.3 - Caffe-Latte attack against WEP


3.3 - Caffe-Latte attack against WEP

- The Caffe-Latte attack takes advantage of WEP's Message Modification flaw. Its most interesting characteristic is that no AP is needed to perform it. The attacker takes the information used to crack the WEP key from packets sent by the victim while trying to authenticate with an AP that is not present. The attacker "kali" monitors the air looking for clients sending probe messages. Then a fake AP is set up using airbase-ng. When the client connects to the fake AP, authentication messages are exchanged, and after association the DHCP request phase starts. At this point, the Caffe-Latte attack is launched by the attacker.

- To perform this attack, the legitimate AP is set with SSID=prueba and WEP with Shared Key Authentication:




The WEP key generated by the AP is A8925DC44A5432DE814CE109F9:



The victim "roch" is connected to the wireless network, so that it has cached and stored the WEP key:



This attack is based on the fact that clients, just after being started, are usually configured to send probe messages for SSIDs they have previously connected to. For instance, Windows clients cache and store the WEP keys of previously connected networks. This feature is known as the Preferred Network List (PNL), a list of previously used networks. A very similar configuration is enabled in Linux; for instance, Debian stores previously used networks under the Network Connections option.

- Every time a client connects to the same AP, the Windows wireless manager automatically uses the stored key. This is done to help users, so that the key does not have to be entered every time the computer is turned on.

- However, from the security perspective, this can be considered a flaw. In the next screenshot, the option "Connect automatically when this network is in range" is ticked:




- As said before, the WEP key is cached and stored by Windows clients:



- Because this attack does not require the client to be close to the legitimate AP, the WEP key can be cracked using just the isolated client. To verify it, the AP is unplugged during the whole practice, simulating that the AP is far away from the client.

- Now, given this scenario, the attack is started from "kali". Using the airbase-ng tool, a fake AP is created with the same SSID=prueba and an arbitrary MAC address such as AA:AA:AA:AA:AA:AA. Of course, in a real attack a less suspicious MAC address would be used:



It is important to notice the options used with the airbase-ng command:

- -L: Caffe-Latte attack
- -W 1: WEP encryption


- Then the client "roch" is started in a scenario where no legitimate AP is turned on (remember that it has been unplugged). Wireshark detects the victim "roch" (Netgear wireless card with MAC 28:C6:8E:63:15:6B) desperately sending broadcast messages looking for the legitimate "prueba" AP, which is actually unplugged:



- The victim "roch" will not find the legitimate "prueba" AP, but the fake "prueba" AP created by the attacker "kali".

Because there is no mutual authentication between client and AP (only the client authenticates with the AP), the association process succeeds without any problem. In other words, the fake AP (the attacker) decides whether the association of the client is approved. It is quite interesting that WEP allows any fake AP to complete an association process without knowing the key in use.




Once the client is connected to the fake AP, it sends out DHCP requests, which eventually time out because the fake AP is not a DHCP server. Not receiving any dynamic IP, the client then falls back to Automatic Private IP Addressing (APIPA), assigning itself an address of the form 169.254.x.x. After this auto-configuration process, the client sends gratuitous ARP broadcast packets to announce itself to the rest of the network.

- The attacker "kali" captures these gratuitous ARP packets and modifies them using the Message Modification WEP flaw, converting them into ARP request packets for the client. The Message Modification flaw allows bits to be flipped in a WEP-encrypted packet while adjusting the ICV so that the packet remains valid.
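The reason this works, and the reason the chopchop attack in 3.5 can reason about the ICV with polynomial arithmetic, is that CRC-32 is linear: a change to the plaintext changes the checksum in a predictable way. The toy below is an added example (not code from the original post or from aircrack-ng) that checks that property and shows why a CRC cannot serve as an integrity check for a stream cipher; random bytes stand in for one IV's RC4 keystream and the payloads are constructed samples.

```python
import os
import zlib


def crc32_le(data: bytes) -> bytes:
    """WEP ICV: CRC-32 of the data, appended little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_is_affine(a: bytes, b: bytes) -> bool:
    """crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0) for equal-length inputs:
    CRC-32 is linear over GF(2) up to a length-dependent constant."""
    zeros = bytes(len(a))
    lhs = crc32_le(xor(a, b))
    rhs = xor(xor(crc32_le(a), crc32_le(b)), crc32_le(zeros))
    return lhs == rhs


def modify_encrypted_frame(ct_body: bytes, delta: bytes) -> bytes:
    """Given the ciphertext of (data || ICV) and a plaintext change 'delta'
    (same length as data, zero where nothing changes), return the ciphertext
    of (data ^ delta || correct ICV). The keystream is never needed: the ICV
    correction crc(delta) ^ crc(zeros) is simply XORed in under the encryption."""
    icv_fix = xor(crc32_le(delta), crc32_le(bytes(len(delta))))
    return xor(ct_body, delta + icv_fix)


def message_modification_demo() -> bool:
    """Constructed sample: an encrypted 'ARP reply' becomes an 'ARP request'
    with a valid ICV, which is what Caffe-Latte relies on, and no key is used.
    Random bytes stand in for the RC4 keystream of a single IV."""
    original = b"ARP reply   "          # 12 bytes, constructed sample payload
    wanted = b"ARP request "            # same length, chosen modification
    keystream = os.urandom(len(original) + 4)
    ct = xor(original + crc32_le(original), keystream)
    ct2 = modify_encrypted_frame(ct, xor(original, wanted))
    body = xor(ct2, keystream)          # what the receiver computes
    data, tag = body[:-4], body[-4:]
    return data == wanted and tag == crc32_le(data)   # ICV check passes
```

A keyed integrity tag, such as the MIC that WPA/WPA2 add to every frame, breaks this because the tag is no longer a linear function of the plaintext alone.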

- Then the fake AP sends a few thousand of these spurious ARP request packets back into the wireless network. The client receives them, believes that someone is asking for its MAC address via ARP, and replies.

- When the victim "roch" replies, the reply packets are encrypted with the WEP key, and they are captured by the attacker "kali". Once the attacker collects enough packets, aircrack-ng is able to crack the WEP key.

- It is important to note that the attacker is able to run the attack without any knowledge of the WEP key.

- Two minutes after the attacker "kali" created the fake AP, the victim "roch" is associated, and immediately afterwards the Caffe-Latte attack is launched (see the last line) at 10:52:51:



To collect the packets exchanged between the victim "roch" and the fake AP, airodump-ng writes to the file CaffeLatteWEP:



- The CaffeLatteWEP-01 file and its derivatives are created:



- After some minutes gathering a large number of exchanged packets, aircrack-ng is used to obtain the WEP key A8925DC44A5432DE814CE109F9:



- Again, it is important to remember the most remarkable feature of this attack, which distinguishes it from other WEP attacks and gives it its value: no legitimate AP has been used to perform the attack, and none has been present in the vicinity. Just the isolated client, possibly roaming thousands of miles away from the attacked network, looking for a wireless connection and transmitting packets encrypted with the cached and stored WEP key. So, unlike other attacks against WEP encryption, the attacker does not need to be near any AP, which makes Caffe-Latte a very powerful attack.

- Needless to say, the way to prevent this attack is to remove all networks from the Preferred Network List (PNL) whenever the client is roaming. However, almost nobody does it, because of the inconvenience every time the user wants to join a network: the WEP key would have to be entered manually, and it is usually a very long hexadecimal key that is hard to remember.






WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.2 - Bypassing WEP Shared Key Authentication


3.2 - Bypassing WEP Shared Key Authentication

- Unlike the attack of the previous practice, the goal of this attack is to bypass WEP authentication directly, without obtaining the Shared Key, so that the attacker can connect directly to the AP, even with a fake MAC address.

- This is a more efficient attack against WEP encryption because it involves fewer steps and less processing than the previous practice.

- In this case, the AP is set with WEP (64 bits) encryption:



- From the attacker "kali"'s command shell, the legitimate client "roch"'s connection is detected:



- Either from a deauthentication or a reconnection of the legitimate client "roch", packets between the AP and "roch" are captured and stored in the sharedkeyWEP file:



The file sharedkeyWEP and its derivatives are created, but the one of interest for the practice is sharedkeyWEP-01-00-25-F2-9B-91-23.xor:



- Now, the aireplay-ng command is used in a quite different way than before:

a) first, the injected packet contains the keystream used by WEP to authenticate "roch" with the AP.

b) second, "kali" uses a fake MAC address such as AA:AA:AA:AA:AA:AA to cover any track of the attack.



Now it can be verified that "kali" has successfully joined the network "spaniard":



It even receives an IP address through DHCP:



"kali" is now part of the network "spaniard" and is able to ping the default gateway 102.168.0.1:


Also, "kali" has access to the Internet through the AP's external interface, pinging Google's public DNS:



Airodump-ng detects both clients, the legitimate "roch" and the attacker "kali", connected to the "spaniard" network:



- Also, the AP detects both clients connected, which is amusing because "kali" shows the obviously fake MAC address AA:AA:AA:AA:AA:AA.

Of course, in a real attack "kali" would have chosen a less suspicious MAC than AA:AA:AA:AA:AA:AA.



As a conclusion of this practice, the attacker "kali" has been able to connect to the network directly, bypassing WEP Shared Key authentication without needing to obtain the encryption key, and faking its own MAC address to cover the attack.



Sunday, October 16, 2016

WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.1 - Attack against WEP encryption



3.1 - Attack against WEP encryption

3.1.1 - WEP encryption

- Wired Equivalent Privacy (WEP) is a security algorithm introduced by the University of California Berkeley, accepted as part of the IEEE 802.11 standards for wireless networks. Because of the great number of flaws inherent to WEP, it is nowadays considered obsolete. However, since almost all Wi-Fi routers still offer WEP as an option, and many wireless networks still use it, it is necessary and interesting to study this standard. From the cryptographic point of view, WEP uses the RC4 stream cipher for confidentiality and a CRC-32 checksum for integrity. There are two main versions of WEP, both working in a similar manner. Both use a so-called initialization vector (IV), a fixed-size input generated randomly, which is combined with the key to seed RC4; the resulting keystream is then XORed with the data.






- WEP-40 uses a 40-bit key, which is concatenated with a 24-bit IV to form the 64-bit RC4 key. The 40-bit key is a string of 10 hexadecimal characters (4 bits per character).

- WEP-104 uses a 104-bit key, which is concatenated with a 24-bit IV to form the 128-bit RC4 key. The 104-bit key is a string of 26 hexadecimal characters (4 bits per character).

There are also two main authentication systems for WEP: Open and Shared Key.

- Open System authentication: the client does not need to provide any credentials to authenticate with the AP; actually, no authentication occurs, and WEP keys are used just for encrypting data frames.

- Shared Key authentication: a four-step challenge-response handshake is used:

a) the client sends an authentication request to the AP.
b) the AP replies with a clear-text challenge.
c) the client encrypts the challenge with the WEP key and sends it back to the AP.
d) the AP decrypts the response; if it matches, the AP sends back a positive reply.

- After authentication, the WEP key is used to encrypt the data with RC4. Although it may seem that the Shared Key method is safer than Open System, because the latter lacks authentication, the truth is just the contrary: since the challenge frames can be captured during the Shared Key handshake, the keystream can be obtained.

- RC4 is a stream cipher, so the same key must never be used twice. The initialization vector, transmitted unencrypted, tries to prevent any repetition. But a length of 24 bits is not enough to ensure this, so two identical IVs can occur under busy traffic. A passive attack consists of replaying packets and sniffing the responses for subsequent analysis. For WEP-104, just 40,000 packets are enough to obtain the WEP key with a 50% probability, and around 85,000 data packets give a 95% probability of success. Using ARP packet reinjection, around 40,000 packets can be captured in less than 1 minute. So cracking WEP is just a matter of time, using software tools like aircrack-ng.
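A toy model of the WEP encapsulation just described, added here as an example (not code from the original post or from the aircrack-ng suite): RC4 seeded with IV || secret key, a CRC-32 ICV, and a check of the weakness shared by the Shared Key handshake above and the known LLC header used in 3.4: any plaintext known to an observer, sent under some IV, reveals the keystream for that IV, which then reads or forges other frames under the same IV. Sample IV, challenge and payloads are constructed.

```python
import os
import zlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP seeds it with IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")   # CRC-32 ICV, little-endian

def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (clear) || RC4_{IV||secret}(plaintext || ICV)."""
    assert len(iv) == 3 and len(secret) in (5, 13), "WEP-40 / WEP-104 keys only"
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + secret, len(body)))

def wep_decrypt(secret: bytes, frame: bytes):
    """Returns the plaintext, or None if the ICV does not match."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + secret, len(ct)))
    data, tag = body[:-4], body[-4:]
    return data if icv(data) == tag else None

def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext XOR ciphertext = keystream prefix for that frame's IV."""
    return xor(frame[3:], known_plaintext)

def shared_key_leak_demo(secret: bytes) -> bool:
    """Shared Key auth: the 128-byte challenge goes out in clear and comes back
    encrypted under an IV, handing an observer 128 bytes of that IV's keystream."""
    iv = b"\x01\x02\x03"                        # constructed sample IV
    challenge = os.urandom(128)                 # constructed sample challenge
    response = wep_encrypt(secret, iv, challenge)
    ks = recover_keystream(response, challenge)
    later = wep_encrypt(secret, iv, b"data under the same IV")   # IV reuse
    read_without_key = xor(later[3:], ks)[:-4]  # decrypts with no key at all
    forged = iv + xor(b"hi" + icv(b"hi"), ks)   # valid frame, no key used
    return read_without_key == b"data under the same IV" and wep_decrypt(secret, forged) == b"hi"
```

With only 24 bits of IV the "same IV" condition is not an accident but a certainty on a busy network, which is the reason the packet counts quoted above are enough.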


3.1.2 - Attack against WEP encryption

- First of all, the AP is set to use 128-bit WEP encryption with Shared Key Authentication.

- Entering the passphrase AbCdEf12345$, a Network Key is generated: 1792424e9b00a0d2a4a8bc180a





- From the client "roch"'s side, the network properties are configured:



- Then, "roch" is connected to the network:



- This connection process of the client "roch" has been captured by the attacker "kali" with airodump-ng. The option --write means that the captures are stored in the .cap file called "archivoWEP":



- In the previous screenshot it can be noticed that the number of data packets is very small, #Data = 61. For WEP cracking a larger number of packets is needed, so the network is forced to generate more data packets.

- The tool aireplay-ng captures packets from the wireless network and reinjects them, simulating ARP responses. In this way a lot of traffic is generated on the network. Aireplay-ng identifies ARP packets by looking at their size, since the ARP protocol uses a fixed-size header that can be easily identified. It is essential that the victim client is already authenticated and associated to the AP.

- Option -3 means ARP replay, -b is for the BSSID, and -h for the MAC address of the victim "roch", which is being spoofed:











Due to the replay attack, the number of packets captured by airodump-ng increases dramatically, from #Data = 61 to #Data = 44376:



- Meanwhile, "archivoWEP-01.cap" and some other derived files are storing the packets created by aireplay-ng:



- At this point of the attack, aircrack-ng is ready to be launched, using the packets stored in "archivoWEP-01.cap":



- Due to the great number of stored packets, it takes just an instant to find the key:



- Using the airdecap-ng command, the packets captured in "archivoWEP-01.cap" can be decrypted:




3.1.3 - Connecting to the AP

- Once the attacker "kali" has cracked the WEP key, it is time to connect to the network. At this moment of the practice "kali" is in "Not-Associated" mode:



- Using the iwconfig command with the SSID and the key, the attacker "kali" can connect to the network:



- The success of the connection is verified:



- Also, airodump-ng captures the fact that there are now 2 clients connected to the AP: the legitimate one ("roch") and the attacker ("kali"):



- In the same way, the AP detects both connected clients:



- Because DHCP is enabled by default, the AP assigns a dynamic IP to "kali":



- Now the attack is a complete success, because "kali" is authenticated and associated to the network and can ping any of the internal hosts, for instance the default gateway:



- Also, "kali" has a connection to the Internet, being able to ping Google's public DNS server: