3.6
- Attack against WPA/WPA2 Personal encryption
3.6.1
- WPA/WPA2 encryption
- Wi-Fi
Protected Access (WPA) is a security protocol promoted by the Wi-Fi
Alliance, and usually referred as IEEE 802.11i. WPA2 is the
strongest version of WPA, and from 2006 it is mandatory to be
included for all devices under Wi-Fi trademark. However. WPA2 may not
work with some outdated wireless interface cards. WPA uses a message
integrity check called Michael to verify the integrity of the
packets, replacing the cyclic redundancy check (CRC) used by WEP,
designed to prevent an attacker from capturing, altering or resending
data packets. The newest version WPA2 includes an even stronger
integrity check than Michael.
There
are 2 main modes for WPA/WPA2, each one used depending on the
scenario applied:
-
WPA/WPA2 Personal: also known as WPA-PSK (Pre-shared key), its
purpose is to be used for home and small office areas, not needing an
authentication server. Clients authenticate with the AP using a pre
shared 256 bits key generated with a password or passphrase. The
password is entered as a string of 8 to 63 ASCII characters, and the
256 bits is generated once the PBKDF function is applied, adding SSID
as the salt and 4096 iterations of HMAC-SHA1. This Shared Kye mode is
vulnerable to password cracking like brute force dictionary attacks.
Precalculated rainbow tables can be used to speed up the cracking of
passwords, so it is also recommended not to use common SSIDs. WPA
Personal works with TKIP, and WPA2 Personal works with CCMP.
-
WPA/WPA2 Enterprise: also known as WPA-802.1x mode, its purpose is to
be used for enterprise scenarios, needing a RADIUS authentication
server. Although the setup is harder, it includes more complex
security for protection against dictionary attacks on short
passwords. The protocol used for authentication is the Extensible
Authentication Protocol (EAP). It will be studied later at 6.9.
The
three main encryption algorithms used with WPA/WPA2 are:
-
Temporal Key Integrity Protocol (TKIP): used with WPA, a RC4 stream
cipher is used with a 128-bit per-packet key, meaning that it
dynamically generates a new key, instead or reusing it. This helps to
prevent attacks like those suffered by WEP.
-
Counter Cipher Mode with Block Chaining Message Authentication Code
Protocol (CCMP): only available for WPA2, based in AES is considerer
stronger than TKIP.
-
Extensible Authentication Protocol (EAP): used both with WPA and
WPA2, available for Entreprise mode, requires a RADIUS server for
authentication.
About
WPA-PSK, because its wide usage in wireless scenarios, a deeper
detail consideration will be done. The way it works about
authentication consists of a four-way handshake. The per-session key,
or Pairwise Transient
Key
(PTK), is made with 6 parameters: the PSK key, the SSID, 2 MACs (one
from the Supplicant or client, and the other from the Authenticator
or AP), and 2 other Nounces (one from the client and other from the
AP). The resultant key is used to encrypt all data between the AP and
the client.
- An
attacker sniffing the handshake can get 5 of the 6 parameters, with
the exception of the PSK. The combination of the PSK and the SSID is
called the Password Based Key Derivation Function (PBKDF). During a
brute-force dictionary attack a 256 bits shared PTK key derived of
combining PBKDF with the other 4 parameters is created for each word
contained in the dictionary. Each created PTK is verified checking
the Message Integrity Check (MIC) in handshaked packets. If matched,
the passphrase would be correct. So, security for WPA/WPA2 is related
with the difficulty for a dictionary to identify the passphrase. On
the other hand, a good attack would rely on the strength of the used
dictionary.
3.6.2
- Attack against WPA-PSK with aircrack-ng
- In
this case we will take as example the WPA-PSK TKIP encryption, always
in the knowledge that attacks against WPA2-PSK CMP ara performed in
the exactly same way.
- The
AP is set to the WPA-PSK TKIP encryption with the Pre-Shared key
"A54321z$", as we can see at next screen capture:
- Because
the capture of the interesting packets happens when a legitimate
client connects to the AP, the attacker "kali" can either
force a client to reconnect it through a deauthentication process, or
waiting for a client to connect by itself.
- Anyway,
starting airodump-ng with the option --write the
results of the captures are stored at the file "archivoWPA":
- A
new file .cap and its derivatives are created:
- For
cracking the WPA-PSK key a dictionary is needed, so that all the
passphrases contained in that dictionary are compared with the real
passphrase.
- The
program aircrack-ng is used:
- 18
minutes and 7 seconds later, the key is found: A54321$
- Using
airdecap-ng, there is the option to decrypt the packets
contained in archivoWPA-01.cap:
- Decrypted
packets are stored at the file archivoWPA-01-dec.cap:
3.6.3
- Connecting to the AP
- Once
the key is found, the attacker "kali" can use the next
script to connect to the AP, inside the file wpa-supp.conf:
- Then,
the wpa_supplicant command invokes the just created file
wpa-supp.conf:
- After
some instants the attacker "kali" achieves its goal of
joining the AP:
- It
can verified with airodump-ng that the attacker "kali",
whose MAC address is 00:C0:CA:72:1A:36, is associated to the AP
00:25:F2:9B:91:23:
- Because
DHCP is enabled by default, "kali" recieves an IP:
- Also,
"kali" has got access to the internal LAN, pinging the
default gateway:
- "kali"
is even able to access the Internet, pinging Google's public DNS
server:
