AdSense

Monday, October 17, 2016

WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.8 - Automating attacks against WPA/WPA2


3.8 - Automating attacks against WPA/WPA2

- Previously introduced Gerix Wifi Cracker software helps to automate attacks against Wi-Fi encryption, both for WEP and WPA/WPA2 versions.

- For starting Gerix from the "kali" command shell:



- Gerix is launched:



In this practice the AP will be set to WPA2 with AES-CMMP encryption, being the key A54321z$:



- Clicking the Configuration tab:



- The option Enable/Disable Monitor Mode creates the virtual mon0 attached to the physical interface wlan0:



Gerix includes a small real-time log that informs the user about the performed actions:



- One good practice from the attacker's point of view is to change the MAC address, with the purpose of covering tracks of the attack. The option Set random MAC address does the trick:



- Next, Gerix is forced to scan available networks in the sorroundings:



- As usual, the "spaniard" network is choosen for being attacked:



Clicking the WPA tab, the WPA attack is started. The functionality Start Sniffing and Logging is enabled:



- Gerix detects the "spaniard" network, with MAC address 00:25:F2:9B:91:23 , using WPA2-CCMP encryption. Also, the client "roch" whith MAC addresss 28:C6:8E:63:15:6B is detected:



Because it is necessary to capture some packets from the WPA handshake process, a deauthentication set of messages needs to be sent to the victim, which MAC address is introduced:



- The deauthentication process starts:



aireplay-ng sends 4 packets directed to the victim, "roch":




For starting the bruteforce cracking attack, a dictionary is added: diccionario.txt



- The attack is launched clicking the tab Aircrack-ng - Crack WPA password:



After 2 minutes and 13 seconds, the key is found: A54321z$







WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.7 - Speeding attacks against WPA/WPA2 encryption


3.7 - Speeding attacks against WPA/WPA2 encryption

- So far so good, but trouble could arise if the dictionary contains hundred of thousands of entries, because in that case the resources taken by CPU in terms of time and processing could be huge.

- The function PBKDF2 hashes the passphrase and the SSID over 4096 times, before outputting the 256 Pre Shared Key. Then, this obtained key is verified against the MIC used in the four-way WPA handshake. To speed up the whole process, it is possible to precalculate the Pre Shared Key for the passphrase.

- For that purpose, the tool genpmk (generator of PMK, Pairwise Master Key) can be used:



- The option -f takes the used dictionary, -s is about the SSID, and the -d option indicates the name of the output file, for instance "archivoPMK":



- It is important to notice that both the passphrase and the SSID are used to calculate the PMK. The process can take a lot of time, depending on the size of the dictionary. A message is periodically output every 1000 passphrases:



- So on ... until more than 789000 entries of diccionario.txt, the generation of PMK file is ended up:



- The command ls shows the new created file "archivoPMK":



- Now, there are a number of tools designed to take profit of "archivoPMK", for instance airolib-ng and Pyrit:

a) airolib-ng

- The command "airolib_ng" creates the database "archivoAircrackPMK" based on former database "archivoPMK":



- The command ls shows the new created file "archivoAircrackPMK":



- Feeding aircrack-ng with database "archivoAircrackPMK" and "archivoWPA-01.cap", the key is found in just 8 seconds !!



So, the difference in time is huge, from 18 minutes to 8 seconds. Although the creation of "archivoPMK" takes a lot of time, depending of the dictionary size, it could be calculated just once for each specific dictionary and SSID. So, whenever the passphrase is changed by the network administrator, the precalculated database could be apply to speed up the cracking of the key.

b) Pyrit

- Even faster, just in 3 seconds, the tool Pyrit offers the same results:





WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.6 - Attack against WPA/WPA2 Personal encryption


3.6 - Attack against WPA/WPA2 Personal encryption

3.6.1 - WPA/WPA2 encryption

- Wi-Fi Protected Access (WPA) is a security protocol promoted by the Wi-Fi Alliance, and usually referred as IEEE 802.11i. WPA2 is the strongest version of WPA, and from 2006 it is mandatory to be included for all devices under Wi-Fi trademark. However. WPA2 may not work with some outdated wireless interface cards. WPA uses a message integrity check called Michael to verify the integrity of the packets, replacing the cyclic redundancy check (CRC) used by WEP, designed to prevent an attacker from capturing, altering or resending data packets. The newest version WPA2 includes an even stronger integrity check than Michael.

There are 2 main modes for WPA/WPA2, each one used depending on the scenario applied:

- WPA/WPA2 Personal: also known as WPA-PSK (Pre-shared key), its purpose is to be used for home and small office areas, not needing an authentication server. Clients authenticate with the AP using a pre shared 256 bits key generated with a password or passphrase. The password is entered as a string of 8 to 63 ASCII characters, and the 256 bits is generated once the PBKDF function is applied, adding SSID as the salt and 4096 iterations of HMAC-SHA1. This Shared Kye mode is vulnerable to password cracking like brute force dictionary attacks. Precalculated rainbow tables can be used to speed up the cracking of passwords, so it is also recommended not to use common SSIDs. WPA Personal works with TKIP, and WPA2 Personal works with CCMP.

- WPA/WPA2 Enterprise: also known as WPA-802.1x mode, its purpose is to be used for enterprise scenarios, needing a RADIUS authentication server. Although the setup is harder, it includes more complex security for protection against dictionary attacks on short passwords. The protocol used for authentication is the Extensible Authentication Protocol (EAP). It will be studied later at 6.9.

The three main encryption algorithms used with WPA/WPA2 are:

- Temporal Key Integrity Protocol (TKIP): used with WPA, a RC4 stream cipher is used with a 128-bit per-packet key, meaning that it dynamically generates a new key, instead or reusing it. This helps to prevent attacks like those suffered by WEP.

- Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (CCMP): only available for WPA2, based in AES is considerer stronger than TKIP.

- Extensible Authentication Protocol (EAP): used both with WPA and WPA2, available for Entreprise mode, requires a RADIUS server for authentication.

About WPA-PSK, because its wide usage in wireless scenarios, a deeper detail consideration will be done. The way it works about authentication consists of a four-way handshake. The per-session key, or Pairwise Transient
Key (PTK), is made with 6 parameters: the PSK key, the SSID, 2 MACs (one from the Supplicant or client, and the other from the Authenticator or AP), and 2 other Nounces (one from the client and other from the AP). The resultant key is used to encrypt all data between the AP and the client.




- An attacker sniffing the handshake can get 5 of the 6 parameters, with the exception of the PSK. The combination of the PSK and the SSID is called the Password Based Key Derivation Function (PBKDF). During a brute-force dictionary attack a 256 bits shared PTK key derived of combining PBKDF with the other 4 parameters is created for each word contained in the dictionary. Each created PTK is verified checking the Message Integrity Check (MIC) in handshaked packets. If matched, the passphrase would be correct. So, security for WPA/WPA2 is related with the difficulty for a dictionary to identify the passphrase. On the other hand, a good attack would rely on the strength of the used dictionary.


3.6.2 - Attack against WPA-PSK with aircrack-ng

- In this case we will take as example the WPA-PSK TKIP encryption, always in the knowledge that attacks against WPA2-PSK CMP ara performed in the exactly same way.

- The AP is set to the WPA-PSK TKIP encryption with the Pre-Shared key "A54321z$", as we can see at next screen capture:



Because the capture of the interesting packets happens when a legitimate client connects to the AP, the attacker "kali" can either force a client to reconnect it through a deauthentication process, or waiting for a client to connect by itself.

- Anyway, starting airodump-ng with the option --write the results of the captures are stored at the file "archivoWPA":



- A new file .cap and its derivatives are created:




For cracking the WPA-PSK key a dictionary is needed, so that all the passphrases contained in that dictionary are compared with the real passphrase.

- The program aircrack-ng is used:



- 18 minutes and 7 seconds later, the key is found: A54321$



- Using airdecap-ng, there is the option to decrypt the packets contained in archivoWPA-01.cap:



- Decrypted packets are stored at the file archivoWPA-01-dec.cap:




3.6.3 - Connecting to the AP

- Once the key is found, the attacker "kali" can use the next script to connect to the AP, inside the file wpa-supp.conf:



- Then, the wpa_supplicant command invokes the just created file wpa-supp.conf:



- After some instants the attacker "kali" achieves its goal of joining the AP:



- It can verified with airodump-ng that the attacker "kali", whose MAC address is 00:C0:CA:72:1A:36, is associated to the AP 00:25:F2:9B:91:23:



Because DHCP is enabled by default, "kali" recieves an IP:



- Also, "kali" has got access to the internal LAN, pinging the default gateway:



- "kali" is even able to access the Internet, pinging Google's public DNS server:







WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.5 - Korek Chopchop attack against WEP


3.5 - Korek Chopchop attack against WEP

- Unlike previous attack against WEP encryption, the goal of Korek chopchop attack is not to find the WEP key, but just decrypt an specific packet sent within the attacked network. Actually, Korek chopchop attack decrypts a WEP data packet without knowing the WEP key. As said before, its purpose is not intended to find the WEP key, but to reveal the plaintext. Once replay_dec-X.cap is achieved, Whireshark can be helpful to decrypt the choosen packet. Korek attack chopchop is based on polynomial math about Cyclic Redundancy Check (CRC).

- The initial setup for the lab is the same as previous practices. To launch the attack, aireplay-ng is used with -4 option (meaning chopchop attack):



- After reading some packets (55 in this case), aireplay-ng asks about the selected packet is ok to be decrypted. If answer is Yes, the attack starts immediately decrypting the packet and saving the result in replay_src-0918-224820.cap file:



The attack is finished:



- aireplay-ng indicates where captured packets are saved:




- replay_src--0918-224820.cap file and its derivatives has been created:



- Using Wireshark, the file replay_src--0918-224820.cap can be decrypted:



It can be verified that the packet is the same selected by aireplay-ng (8842 2C00 28C6 etc... ), being a frame control sent by the AP Motorola 00:25:F2:9B:91:23 with destination to the client "roch", whose wireless interface card is Netgear 28:C6:8E:63:15:6B:



- Also, the file replay_dec-0918-224925.cap can be decrypted, again with Wireshark's help:



- In this case, the packet is sent by 173.194.46.69 (Google) to the client "roch" (192.168.0.15), because of an https connection:




WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.4 - Hirte attack against WEP encryption


3.4 - Hirte attack against WEP encryption

- The Hirte attack extends the Caffe-Latte attack using fragmentation techniques. As the same way that with Caffe-Latte attack, there is no need of AP in the viccinity for the Hirte attack to be launched, being enough a WEP client isolated from the legitimate AP.

- Fragmentation attacks use the fact that the first 8 bytes of the encrypted packet consist of the Link Layer Control (LLC) header. Because this is sent into plaintext, the attacker can XOR it with the encrypted packet, achieving the first 8 bytes of the RC4 keystream, and using this keystream along with the matching IV to create encrypted packets. However, the amount of data it can fit into 8 bytes is only 4 bytes because the last 4 bytes are devoted to the WEP ICV. Fragmentation helps to send a maximum of 16 fragments per packet, allowing to send a packet of reassembled size 64 bytes. This fact will be used to inject packets like ARP request and replies.

- The Hirte attack sniffs an ARP packet and relocates the IP address in the ARP header to convert the reassembled packet into an ARP request for the wireless client. The client responds with an ARP reply, allowing the attacker to gather new data packets encrypted with the WEP key. Once enough number of packets are gathered, aircrack-ng can crack the WEP key rapidly.

- For this practice, the lab set is exactly the same that at previous Caffe-Latte attack. Now, the command airbase-ng uses the option -N to specify the Hirte attack, instead of the option -L for Caffe-Latte.

- After the legitimate AP is unplug, the client "roch" connects to the created fake aP by the attacker "kali". Only 1 minute later than the association,at 21:55:13, the Hirte attack is started up:



- Airodump-ng detects the association between the victim "roch" and the fake AP, writing the captured packets to the file Hirte-WEP:



The file hirteWEP-01.cap and its derivatives are created:



- As usual, aircrack-ng finds the WEP key A8925DC44A5432DE814CE109F9 after no much time: