Attacking Wi-Fi Networks

Attacking Wi-Fi Networks

Now we are going to see how you can exploit vulnerabilities of Wi-Fi security protocols and gain access to protected wireless networks.

WEP

Given the low security level provided by the WEP encryption scheme, less and less networks are configured to use it.

Still, it's useful to know how to deal with them as corporations or individuals could still be using this configuration for various compatibility reasons.

The main flaws of WEP encryption are:

  • Weak authentication scheme

  • Short Initialization Vector (IV) and subsequent frequent reuse

  • vulnerable to replay attacks

  • Weak frame integrity protection

  • Low resistance to related key attacks enabling efficient statistical attacks

The key of all attacks directed against WEP key recovery is getting a sufficient amount of encrypted packets to be able to successfully execute the statistical attacks.

In a medium-sized network, the actual traffic between legitimate clients could be enough to gather the required encrypted data very quickly but this will not always be the case.

Setup your environment with the following guidelines:

  • Access Point SSID: LabNetwork

  • Use WEP Encryption

  • Set WEP key size to 40bit and choso your key (10 hexadecimal characters)

  • 1 vicitim STA (associated to Lab Network), this shouldn't be the same device you will use for the attack!

  • The attacker machine

Have a note of your AP channel as you'll need it later.

1. Start airmon-ng and airodump-ng

# Attacker machine
> airmon-ng start <interface>
# -w save all caputred data into a collection 
# of files all sharing the same filename prefix
> airodump-ng -c <channel> -w wep_attack <interface>

airodump-ng will start scanning. As you can see LabNetwork is listed in the command output with the encryption correctly identified as WEP.

We can also see our victim client associated stations section.

#Data column indicates the number of data frames collected thus far on a particular network while #/s displays the data frames capture rate as frames per second.

You do want high values for these columns in order to succeed.

2. Deauthentication attack: Increment packet rate

If LabNetwork does not produce a lot of traffic, we might need to have a way to increment the packet rate.

When deauthenticated from a wireless network, normally a client will try to re-authenticate shortly later (just as the IEEE 802.11 standard specifies a management frame for this purpose, this is sent completely unencrypted and requires no authentication from the sender).

deauth frames aren't encrypted. They are not useful per se to increase the number of collected IVs.

On the other hand, after re-associating a client, the client will most certainly send some gratuitous ARP or DHCP messages and this traffic is clearly valuable as it's sent encrypted.

To deauthenticate a client:

> aireplay-ng -0 10 -c <client_mac> -a <bssid> <interface>

This will increase the number of data frames.

Deauthentication attacks force the victim to actually disconnect from the network. If you abuse this techniques, chances are that your attack will be noticed! So keep this is in mind when pentesting a real-world wireless network.

2.1 ARP Replay Attack

ARP replay is the most effective way to generate new IVs. Once you sniff an ARP request generated by a STA, you can re-inject that packet due to WEP's lack of message replay countermeasures.

As it's a broadcast message, the AP will forward the request to the associated STAs and each of these request will contain a new IV for you to collect.

The ARP replay attack is a bit more complicated than simple deauthentication. As such, it will be useful to get an overview of the attack before diving into it.

Steps of an ARP Replay attack:

  1. Stations normally communicate with the AP while the attacker machine is not yet operating. aireplay-ng -1 15 -a <bssid> -e <ssid> <interface>. This will associate your adapter to the specified network. You have to provide both the BSSID and SSID. The -1 stands for fake authentication, while the number on the right is the delay between authentication attempts. When successful, you should see something like Association successful

  2. The attacking machine associates itself with the AP, with Open Authentication system, this is only a matter of exchanging 4 frames without providing any credentials. In the aircrack-ng terminology, this is called fake authentication.

    1. During the real attack, you can find that your adapter constantly receives deauthentication messages from the victim AP. You can try this variation for "picky APs": aireplay-ng -1 6000 -1 10 -o 1 -a <bssid> -e <ssid> <interface>

      1. -q 10 enables keep-alive packets. This command causes this packets to be sent every 10 seconds to maintain the authentication status. The long re-authentication time permits these packets to be sent.

      2. -o 1 forces aireplay-ng to send one set of packets at a time, these can be necessary as some APs can get confused by aireplay-ng's default behavior.

      3. Do not close opened terminal windows as aireplay-ng will need to continue running while performing the attack.

  3. Once the attacker is associated, the attacker starts to passively scan for ARP request, listen for broadcasted ARP request frames.

    1. Now we need to listen for ARP requests sent by clients on the network. Obviously this will not work if your STA is the only associated one. aireplay-ng -3 -b <bssid> <interface>

  4. After a while, STA1 sends an ARP request to all of the nodes in the network, and the AP forwards it and the attacker is thus able to capture the frame.

    1. After a few minutes you should capture at least an ARP request.

  5. At this point, the attacker can flood the network by re-injecting the same ARP frame over and over. Simply put: the attacker floods the AP with ARP requests.

    1. Almost instantly aireplay-ng will start to re-inject the captured ARP request.

  6. Following the protocol, the AP simply forwards each received ARP using a new IV every time.

    1. airodump-ng will show the increase in received frames as you are flooding the AP.

  7. By collecting all of these frames, the attacker can then mount one of the statistical attacks.

Question: Given that the traffic is encrypted, how can the attacker actually identify an ARP request?

Luckily, ARP request have a fixed payload size (36 bytes) so they can be easily identified. They always have a broadcast destination address(FF:FF:FF:FF:FF:FF) that is transmitted in plain text in the frame header.

3. Cracking the key with aircrack-ng

aircrack-ng is a software that encapsulates a series of cracking techniques for both WEP and WPA network keys.

This command needs packets in order to crack the WEP key. The minimum amount of packets depend on the key length.

40 bit keys will require about 5000 IVs to be cracked while 104 bits keys could require a number ten times higher or more.

The number should be taken with care as they could vary if the AP implements some sort of protection.

As you do not know they key length of the attack, a good strategy is first trying with 64 bits.

If that fails for more than 10000 IVs, just try again with a key of 128 bits.

> aircrack-ng -n <key_length> <.cap file(s)>
# -n speficiy the WEP key length (default: 128bits/WEP-104)

> aircrack-ng -e LabNetwork wep_attack*.cap

Now aircrack-ng will start reading all of the IVs from the specified files then the cracking process will begin. If the number of IVs isn't sufficient, aircrack-ng will just wait for airodump-ng to get more so you do not need to restart the command.

PTW attack with aircrack-ng

WEP cracking technique developed in 2007 that exploits correlations discovered between RC4 keystream and the key itself.

Statistical analysis votes for each byte of the key are collected and shown in the output window.

The more votes a byte receives, the more likely the byte will be found in the real network key.

The key that gets the most votes is the most probable key but is not guaranteed to be the real one. aircrack-ng uses brute force to determine the WEP key from the statistical guesses.

This technique only requires ARP requests/responses in order to work as they are used to improve the speed of the cracking process.

So the usual network traffic will not be useful and you will need to launch an active attack with some of the ARP generation techniques.

KoreK attack

PWT is the fastest and default technique used by aircrack-ng but it requires ARP. As a fallback, you can still use the old pre-PTW technique that uses a combination of KoreK statistical methods.

Cracking speed can be much slower, moreover the required number of IVs is at least an order of magnitude higher. You can switch to KoreK attacks by using the -K flag when you launch aircrack-ng.

WPA and WPA2

The Four-Way Handshake

Attacks against WPA/WPA2 keys are much less diversified than those targeting WEP. Until now, WPA has proved to be robust security measure to provide effective privacy for wireless networks. WPA and its successor WPA2 fixed the various flaws that plagued WEP, making it impossible to just look at the traffic to get information about the key.

When a new client wants to join a WPA/WPA2 protected network, it must first authenticate itself, proving it owns the shared key. After association, the two parties start what is called the four-way handshake, which is a process that permits the mutual authentication between the AP (called Authenticator) and the STA (called Supplicant).

During the communication, the PSK is never sent through the wireless medium. The PSK is only used to generate a PTK (Pairwise Transient Key) that is used as session-only encryption key.

Since the PSK is never transmitted, both AP and STA need a secure way to generate the PTK. This is what the 4-way handshake does.

Steps of the 4-way handshake

Step 0

At first the shared passphrase is used to generate the so-called PMK (Pairwise Master Key), which is 256bits long.

Both the STA and AP independently calculate this value combining the PSK and SSID name.

Step 1/4

When the handshake starts, the AP sends the STA a message containing a nonce , a security cryptographic random number. In the WPA specification, this number is called Anonce (as Authenticator Nonce).

Step 2/4

STA generates another nonce, called SNonce (Supplicant Nonce), and builds the PTK containing the PMK, both nonces, the MAC addresses of AP and STA and processing this product through a cryptographic hash function called PBKDF2-SAH1.

Step 3/4

STA then sends its SNonce to the AP that can now build the PTK. As it uses the same information, both PTKs will be the same without the original PSK ever being transmitted over the air. This third message also contains a MIC (Message Integrity Code) which is used to authenticate the sending STA.

Step 4/4

Finally, the AP replies back with a message containing the GTK (Group Temporal Key) used to decrypt multicast and broadcast traffic. This message is also authenticated by means of MIC. An acknowledgment concludes the process.

Perform an attack

Capturing the Handshake

Setup LAB

  • AP SSID: LabNetwork, channel 11, WPA enabled.

  • 1 vicitim STA associated to the AP

  • The attacker PC

Capturing the handshake is actually quite simple. Launch airodump-ng and start sniffing on the correct channel:

airodump-ng -w <outfile> -c <channel> <interface>

If we wanted to perform a totally passive attack, we could have waited for a new client to join the network but this could require more time.

Write down the client MAC address and launch the deauth attack against it:

aireplay-ng -0 1 -a <BSSID> -c <client_mac> <iface>

If the victim STA is inside the reachable area of your wireless card, it will be forced to rejoin the network and you should be able to get a new 4-way handshake (airodump-ng notifies when the handshake reception happens).

Now that we have captured the handshake and it is stored into a file, it's time to crack it!

Use aircrack-ng against the handshake

aircrack-ng has two cracking options when it comes to WPA/WPA2 keys:

  1. Dictionary Attack (also available for WEP)

  2. Pure brute force attack

Before using brute force, it is always recommended to at least try a dictionary attack, this is because it may be possible to recover the password (even if long or complex) with a fraction of the time if compared with a brute force attempt.

aircrack-ng -w <wordlist(s)> <.cap file>

# Example:
aircrack-ng -w /usr/share/wordlists/nmap.st wpa-file.cap

The syntax is very simple, you only have to provide a wordlist file (or comma-separated list) and the path to your .cap file containing the captured handshake. This is the file saved by airodump-ng at the previous step.

Build a wordlist with crunch

crunch will generate all of the possible combination of words between the two length values.

crunch <min_length> <max_length>

# Hint: start with a minimum length of 8 as routers and APs require 
#  a passphrase at least that long. 
# crunch will output the words to the console by default. 

# consult "man crunch" for a complete reference

crunch 8 8 -o my_words.lst # to generate 1.8 TB of data

# without dumping words into a file and save disk space:
crunch 8 8 | aircrack-ng -e LabNetwork file.cap -w -

Notes on Speed

  • If you want to compare your computing power, you can run a simple test with aircrack-ng itself: aircrack-ng -S

  • Exploiting GPU power tools

    • oclHascat: supports many hashing functions and cryptographic algorithms but if you want to be able to discover the key from a WPA/WPA2 handshake, you'll need to transform the .cap file to a format understandable by the program (.hccap). There's an online tool for this purpose. You can also use aircrack-ng with the -J option.

    • Pyrit

    • John the Ripper

oclHashCat -m 2500 <.hccap file> <wordlist_file>
# -m 2500 crack a WPA/WPA2 handshake

"Cracking as a Service" can be an option for those without a powerful GPU. These services only require you to upload the .cap file containing the 4-way handshake and specify the target SSID. Once you have uploaded the file, you often choose between a series of different dictionaries so if you have a clue of the key, you can better restrict the search. Please note that most powerful services need you to pay a small fee.

  • CloudCracker

Space-time tradeoff

As the last option available in your toolbox, we will present you an alternative bruteforce method that can be particularly useful in some occasions.

A recent trend in the password cracking field make use of the time-space tradeoff to pre-calculate large amount of hashes and store them in so-called rainbow-tables.

Rainbow tables

Brute forcing a WPA or WPA2 key is only possible when you get a 4-way handshake from a client and the AP. Both parties generates a PTK that is uses to encrypt subsequent communications.

MICS are computed using the generate PTK and thus provide guarantee that both parties originally had the same PSK.

Every PSK you want to try against the handshake, you first need to calculate the PMK. Then using the values obtained from the handshake, generate the PTK. Finally you calculate the MIC and compare it with the one in the handshake. If they are equal, you have foudn the correct PSK.

Beware this process is slow!

In fact, the algorithm used to calculate the PMK, called PBKDF2 requires running 4096 iterations of the HMAC algorithm that is actually designed to be computationally expensive.

One way to speed up this process is to pre-calculate the PMK for all of the various passphrases in your wordlist.

In theory, this would be a huge speed improvement as now every time you want to crack WPA handshake, you only have to generate the PTK and compare MICs; both of these operations are much faster than the PBKDF2 function.

However, WPA authors thought about this possibility when they were designing the protocol and they came up with a pretty clever but simple solution.

The calculation of the PMK does not only depend on the used PSK but it also depends on the network's SSID value!

Given that you cannot have universally acceptable PMKs but you must calculate them for each SSID name you are interested in cracking.

Even with the mentioned limitation, a rainbow table approach is still applicable to WPA cracking. It is also the case that a lot of APs are configured with standard factory values like "default", "linksys", "dlink" or similar vendor-related SSIDs.

With these theoretic bases, let's figure out how to create a PMKs database.

Pyrit

Python-based application compatible with Linux, Mac OS X and BSD. pyrit uses a file-based storage to persist its database:

> pyrit eval

pyrit will "connect" to the local file and get some statistics about currently stored passwords. At first, obviously you will have 0 passwords.

Let's import some passwords from our wordlist:

> pyrit -i <wordlist_file> import_passwords

pyrit will process the input file and automatically discard all duplicates and all the words that are not suitable for a PSK (also short). Will also remove all the unusable passwords.

Note you will need large wordlists to have any success while cracking WPA.

Now to generate the PMKs, we must provide pyrit with at least one SSID. In order to do this, we use create_essid command:

> pyrit -e <ssid> create_essid

This last command will not actually start the building process. In fact, try to re-eval the database:

> pyrit eval

Still, our newly added SSID does not have calculated PMKs. The number of calculated PMKs for our LabNetwork SSID is still zero. The last step of the process is launching the batch command which has a very simple syntax:

> pyrit batch

At this point, pyrit will start building your database for the included SSIDs and password combinations. Database generation could be a very long process, depending on the power of your CPU and the number of passwords you imported. pyrit can make use of the computational power of modern GPUs, like oclHashCat, so you are encouraged to run it on a desktop PC with a recent video card installed.

Now launch this command to initiate the attack against the handshake:

> pyrit -r <.cap file> attack_db

pyrit will try all of the different PMKs in its database very quickly and will eventually output the found key if it was initially in your wordlist. The focal point here is the speed.

Having a pre-built database for a given SSID can tremendously speed up your attack.

Pre-built hash files

On the internet you can find pre-built PMKs databases for the most common SSID names.

WPS: Wireless Protected Setup

In 2011, Stefan Viehbock published a paper describing a new attack against WPS (Wireless Protected Setup).

WPS was designed a simple and secure way to setup a protected wireless network.

Stefan also found that design and implementation flaws in various devices may lead to a very effective attack method that can disclose the wireless encryption key.

WPS provides 3 different setup alternative methods:

  • Push-Button-Connect

  • Internal-Registrar

  • External-Registrar

While the former two methods require stronger authentication procedures (physical access or web interface access) the External-Registrar method only requires the client to provide a PIN (8 digits).

Normally, bruteforcing a 8 digits number will require testing for 10^8 (=1000000000) combinations but the actual form of authentication used by WPS highly reduces this number.

This is the representation of the WPS PIN number:

1st half of PIN (4 bits)

2nd half of PIN (4 bits)

0, 1, 2, 3

4, 5, 6, 7 (7 = checksum digit)

It's divided into two halves of 4 digits each. The last digit of the 2nd half is a checksum meaning it is always calculated from the other digits.

The authentication process works like this:

  1. Both AP and client initialize encryption keys and internal state

  2. Client proves possession of 1st half of the PIN

  3. Client proves possession of 2nd half of the PIN

  4. AP sends network security configuration

At every step, if the client is sending wrong data the AP terminates the process and sends a NACK packet.

This behavior, combined with the split PIN allows us to build a quite optimized brute force attack.

How many combinations do we need to try?

Splitting the PIN get us from 10^8 to 10^4 + 10^4 (=20000) while having a checksum digit reduces the number of guesses for the 2nd half and we get the final result of only 10^4 + 10^3 (=11000) combinations.

There are two tools that can help to exploit this vulnerability:

  • Reaver

  • Bully

Reaver (& wash)

Developed by Tactical Network Solutions. It has both an open-source and a paid version that features a friendlier GUI and other goodies.

reaver also comes with aa secondary tool called washthat can be used to find vulnerable APs.

To be able to attack WPS, you must first be sure the target AP has WPS enabled. Inside reaver package you can find wash that servers this purpose.

With your monitor interface up and running, launch:

> wash -i <interface>

wash will start hopping through the wireless channels and will list discovered APs that support WPS.

wash output offers other useful information apart from signal level (RSSI column) you can find WPS Locked column. If the value is YES you will find the corresponding AP disabled WPS due to internal anti-bruteforce protection mechanisms, being a major hurdle for the WPS attacks.

Bully

bully is opensourced on GitHub. It has some advantages over reaver such as fewer dependencies and a build process optimized for embedded devices. It also has features to handle anomalous scenarios.

Once you are sure your target AP is vulnerable to the attack (with bash) you can launch bully with the following command:

> bully -b <BSSID> <interface>

Where BSSID is the target AP's MAC address.

bully will start trying every possible PIN in randomized order. On average, you will need to try 50% of the possible PIN numbers which is roughly 5500 WPS requests. The time it could take varies depending from the AP as well as the quality of the signal.

In the best scenario, you will probably need a few hours to complete the attack and get the WPA/WPA2 key back.

WPS attacks have been around since 2011. Since then, many vendors have upgraded their devices and AP firmware now contains a protection against PIN bruteforce. This protection is called WPS Lockdown and it's simply a self-defense procedure that temporarily disables WPS registration if a repeated number of attempts to register is detected.

When your attack is detected, an AP can lockdown the WPS registration procedure for a time that varies between a few seconds to one hour or more. Some devices could even require a complete reboot.

If bully detects a lockout, it will normally display the following output and then wait for 43 seconds before next attempt. On the other hand, you can also disable lockout detection in bully and force it to continue the attack but this is not recommended.

> bully -b <BSSID> -L <interface>

The -L switch is used to disable lockdown detection.

A better option to avoid being locked out is to add a certain delay after every PIN attempt. By adding a pause between each try, you could bypass the attack detection system and get a smoother bruteforce attack.

This will increase the needed time to test each PIN; most of the time, this will be the only viable solution given that newer firmware disables WPS registration for hours after multiple authentication attempts are detected in a few seconds.

The syntax to use to enable delay for the bully command goes as follows:

> bully -b <BSSID> -1 <seconds> -2 <seconds> <interface>

Where the -1 option controls the delay in the first phase of the attack (first half of the PIN) and -2 options sets the delay value for the second phase. Values of 60 seconds or more are recommended for most APs.

▶️ WEP Cracking

▶️ WPA Capture Attacks

Last updated