Attacking Wi-Fi Networks
Attacking Wi-Fi Networks
Now we are going to see how you can exploit vulnerabilities of Wi-Fi security protocols and gain access to protected wireless networks.
WEP
Given the low security level provided by the WEP encryption scheme, less and less networks are configured to use it.
Still, it's useful to know how to deal with them as corporations or individuals could still be using this configuration for various compatibility reasons.
The main flaws of WEP encryption are:
Weak authentication scheme
Short Initialization Vector (IV) and subsequent frequent reuse
vulnerable to replay attacks
Weak frame integrity protection
Low resistance to related key attacks enabling efficient statistical attacks
The key of all attacks directed against WEP key recovery is getting a sufficient amount of encrypted packets to be able to successfully execute the statistical attacks.
In a medium-sized network, the actual traffic between legitimate clients could be enough to gather the required encrypted data very quickly but this will not always be the case.
Setup your environment with the following guidelines:
Access Point SSID: LabNetwork
Use WEP Encryption
Set WEP key size to 40bit and choso your key (10 hexadecimal characters)
1 vicitim STA (associated to Lab Network), this shouldn't be the same device you will use for the attack!
The attacker machine
Have a note of your AP channel as you'll need it later.
1. Start airmon-ng
and airodump-ng
airmon-ng
and airodump-ng
airodump-ng
will start scanning. As you can see LabNetwork
is listed in the command output with the encryption correctly identified as WEP.
We can also see our victim client associated stations section.
#Data
column indicates the number of data frames collected thus far on a particular network while#/s
displays the data frames capture rate as frames per second.You do want high values for these columns in order to succeed.
2. Deauthentication attack: Increment packet rate
If LabNetwork
does not produce a lot of traffic, we might need to have a way to increment the packet rate.
When deauthenticated from a wireless network, normally a client will try to re-authenticate shortly later (just as the IEEE 802.11 standard specifies a management frame for this purpose, this is sent completely unencrypted and requires no authentication from the sender).
deauth frames aren't encrypted. They are not useful per se to increase the number of collected IVs.
On the other hand, after re-associating a client, the client will most certainly send some gratuitous ARP or DHCP messages and this traffic is clearly valuable as it's sent encrypted.
To deauthenticate a client:
This will increase the number of data frames.
Deauthentication attacks force the victim to actually disconnect from the network. If you abuse this techniques, chances are that your attack will be noticed! So keep this is in mind when pentesting a real-world wireless network.
2.1 ARP Replay Attack
ARP replay is the most effective way to generate new IVs. Once you sniff an ARP request generated by a STA, you can re-inject that packet due to WEP's lack of message replay countermeasures.
As it's a broadcast message, the AP will forward the request to the associated STAs and each of these request will contain a new IV for you to collect.
The ARP replay attack is a bit more complicated than simple deauthentication. As such, it will be useful to get an overview of the attack before diving into it.
Steps of an ARP Replay attack:
Stations normally communicate with the AP while the attacker machine is not yet operating.
aireplay-ng -1 15 -a <bssid> -e <ssid> <interface>
. This will associate your adapter to the specified network. You have to provide both the BSSID and SSID. The-1
stands for fake authentication, while the number on the right is the delay between authentication attempts. When successful, you should see something likeAssociation successful
The attacking machine associates itself with the AP, with Open Authentication system, this is only a matter of exchanging 4 frames without providing any credentials. In the
aircrack-ng
terminology, this is called fake authentication.During the real attack, you can find that your adapter constantly receives deauthentication messages from the victim AP. You can try this variation for "picky APs":
aireplay-ng -1 6000 -1 10 -o 1 -a <bssid> -e <ssid> <interface>
-q 10
enables keep-alive packets. This command causes this packets to be sent every 10 seconds to maintain the authentication status. The long re-authentication time permits these packets to be sent.-o 1
forcesaireplay-ng
to send one set of packets at a time, these can be necessary as some APs can get confused by aireplay-ng's default behavior.Do not close opened terminal windows as
aireplay-ng
will need to continue running while performing the attack.
Once the attacker is associated, the attacker starts to passively scan for ARP request, listen for broadcasted ARP request frames.
Now we need to listen for ARP requests sent by clients on the network. Obviously this will not work if your STA is the only associated one.
aireplay-ng -3 -b <bssid> <interface>
After a while, STA1 sends an ARP request to all of the nodes in the network, and the AP forwards it and the attacker is thus able to capture the frame.
After a few minutes you should capture at least an ARP request.
At this point, the attacker can flood the network by re-injecting the same ARP frame over and over. Simply put: the attacker floods the AP with ARP requests.
Almost instantly
aireplay-ng
will start to re-inject the captured ARP request.
Following the protocol, the AP simply forwards each received ARP using a new IV every time.
airodump-ng will show the increase in received frames as you are flooding the AP.
By collecting all of these frames, the attacker can then mount one of the statistical attacks.
Question: Given that the traffic is encrypted, how can the attacker actually identify an ARP request?
Luckily, ARP request have a fixed payload size (36 bytes) so they can be easily identified. They always have a broadcast destination address(FF:FF:FF:FF:FF:FF
) that is transmitted in plain text in the frame header.
3. Cracking the key with aircrack-ng
aircrack-ng
is a software that encapsulates a series of cracking techniques for both WEP and WPA network keys.
This command needs packets in order to crack the WEP key. The minimum amount of packets depend on the key length.
40 bit keys will require about 5000 IVs to be cracked while 104 bits keys could require a number ten times higher or more.
The number should be taken with care as they could vary if the AP implements some sort of protection.
As you do not know they key length of the attack, a good strategy is first trying with 64 bits.
If that fails for more than 10000 IVs, just try again with a key of 128 bits.
Now aircrack-ng
will start reading all of the IVs from the specified files then the cracking process will begin. If the number of IVs isn't sufficient, aircrack-ng
will just wait for airodump-ng
to get more so you do not need to restart the command.
PTW attack with aircrack-ng
WEP cracking technique developed in 2007 that exploits correlations discovered between RC4 keystream and the key itself.
Statistical analysis votes for each byte of the key are collected and shown in the output window.
The more votes a byte receives, the more likely the byte will be found in the real network key.
The key that gets the most votes is the most probable key but is not guaranteed to be the real one. aircrack-ng
uses brute force to determine the WEP key from the statistical guesses.
This technique only requires ARP requests/responses in order to work as they are used to improve the speed of the cracking process.
So the usual network traffic will not be useful and you will need to launch an active attack with some of the ARP generation techniques.
KoreK attack
PWT is the fastest and default technique used by aircrack-ng but it requires ARP. As a fallback, you can still use the old pre-PTW technique that uses a combination of KoreK statistical methods.
Cracking speed can be much slower, moreover the required number of IVs is at least an order of magnitude higher. You can switch to KoreK attacks by using the -K
flag when you launch aircrack-ng
.
WPA and WPA2
The Four-Way Handshake
Attacks against WPA/WPA2 keys are much less diversified than those targeting WEP. Until now, WPA has proved to be robust security measure to provide effective privacy for wireless networks. WPA and its successor WPA2 fixed the various flaws that plagued WEP, making it impossible to just look at the traffic to get information about the key.
When a new client wants to join a WPA/WPA2 protected network, it must first authenticate itself, proving it owns the shared key. After association, the two parties start what is called the four-way handshake, which is a process that permits the mutual authentication between the AP (called Authenticator) and the STA (called Supplicant).
During the communication, the PSK is never sent through the wireless medium. The PSK is only used to generate a PTK (Pairwise Transient Key) that is used as session-only encryption key.
Since the PSK is never transmitted, both AP and STA need a secure way to generate the PTK. This is what the 4-way handshake does.
Steps of the 4-way handshake
Step 0
At first the shared passphrase is used to generate the so-called PMK (Pairwise Master Key), which is 256bits long.
Both the STA and AP independently calculate this value combining the PSK and SSID name.
Step 1/4
When the handshake starts, the AP sends the STA a message containing a nonce
, a security cryptographic random number. In the WPA specification, this number is called Anonce
(as Authenticator Nonce).
Step 2/4
STA generates another nonce, called SNonce
(Supplicant Nonce), and builds the PTK containing the PMK, both nonces, the MAC addresses of AP and STA and processing this product through a cryptographic hash function called PBKDF2-SAH1
.
Step 3/4
STA then sends its SNonce
to the AP that can now build the PTK. As it uses the same information, both PTKs will be the same without the original PSK ever being transmitted over the air. This third message also contains a MIC (Message Integrity Code) which is used to authenticate the sending STA.
Step 4/4
Finally, the AP replies back with a message containing the GTK (Group Temporal Key) used to decrypt multicast and broadcast traffic. This message is also authenticated by means of MIC. An acknowledgment concludes the process.
Perform an attack
Capturing the Handshake
Setup LAB
AP SSID: LabNetwork, channel 11, WPA enabled.
1 vicitim STA associated to the AP
The attacker PC
Capturing the handshake is actually quite simple. Launch airodump-ng
and start sniffing on the correct channel:
If we wanted to perform a totally passive attack, we could have waited for a new client to join the network but this could require more time.
Write down the client MAC address and launch the deauth attack against it:
If the victim STA is inside the reachable area of your wireless card, it will be forced to rejoin the network and you should be able to get a new 4-way handshake (airodump-ng
notifies when the handshake reception happens).
Now that we have captured the handshake and it is stored into a file, it's time to crack it!
Use aircrack-ng against the handshake
aircrack-ng
has two cracking options when it comes to WPA/WPA2 keys:
Dictionary Attack (also available for WEP)
Pure brute force attack
Before using brute force, it is always recommended to at least try a dictionary attack, this is because it may be possible to recover the password (even if long or complex) with a fraction of the time if compared with a brute force attempt.
The syntax is very simple, you only have to provide a wordlist file (or comma-separated list) and the path to your .cap
file containing the captured handshake. This is the file saved by airodump-ng
at the previous step.
Build a wordlist with crunch
crunch
will generate all of the possible combination of words between the two length values.
Notes on Speed
If you want to compare your computing power, you can run a simple test with
aircrack-ng
itself:aircrack-ng -S
Exploiting GPU power tools
oclHascat
: supports many hashing functions and cryptographic algorithms but if you want to be able to discover the key from a WPA/WPA2 handshake, you'll need to transform the.cap
file to a format understandable by the program (.hccap
). There's an online tool for this purpose. You can also useaircrack-ng
with the-J
option.Pyrit
John the Ripper
"Cracking as a Service" can be an option for those without a powerful GPU. These services only require you to upload the .cap
file containing the 4-way handshake and specify the target SSID. Once you have uploaded the file, you often choose between a series of different dictionaries so if you have a clue of the key, you can better restrict the search. Please note that most powerful services need you to pay a small fee.
CloudCracker
Space-time tradeoff
As the last option available in your toolbox, we will present you an alternative bruteforce method that can be particularly useful in some occasions.
A recent trend in the password cracking field make use of the time-space tradeoff to pre-calculate large amount of hashes and store them in so-called rainbow-tables.
Rainbow tables
Brute forcing a WPA or WPA2 key is only possible when you get a 4-way handshake from a client and the AP. Both parties generates a PTK that is uses to encrypt subsequent communications.
MICS are computed using the generate PTK and thus provide guarantee that both parties originally had the same PSK.
Every PSK you want to try against the handshake, you first need to calculate the PMK. Then using the values obtained from the handshake, generate the PTK. Finally you calculate the MIC and compare it with the one in the handshake. If they are equal, you have foudn the correct PSK.
Beware this process is slow!
In fact, the algorithm used to calculate the PMK, called PBKDF2
requires running 4096 iterations of the HMAC algorithm that is actually designed to be computationally expensive.
One way to speed up this process is to pre-calculate the PMK for all of the various passphrases in your wordlist.
In theory, this would be a huge speed improvement as now every time you want to crack WPA handshake, you only have to generate the PTK and compare MICs; both of these operations are much faster than the PBKDF2
function.
However, WPA authors thought about this possibility when they were designing the protocol and they came up with a pretty clever but simple solution.
The calculation of the PMK does not only depend on the used PSK but it also depends on the network's SSID value!
Given that you cannot have universally acceptable PMKs but you must calculate them for each SSID name you are interested in cracking.
Even with the mentioned limitation, a rainbow table approach is still applicable to WPA cracking. It is also the case that a lot of APs are configured with standard factory values like "default", "linksys", "dlink" or similar vendor-related SSIDs.
With these theoretic bases, let's figure out how to create a PMKs database.
Pyrit
Python-based application compatible with Linux, Mac OS X and BSD. pyrit
uses a file-based storage to persist its database:
pyrit
will "connect" to the local file and get some statistics about currently stored passwords. At first, obviously you will have 0 passwords.
Let's import some passwords from our wordlist:
pyrit
will process the input file and automatically discard all duplicates and all the words that are not suitable for a PSK (also short). Will also remove all the unusable passwords.
Note you will need large wordlists to have any success while cracking WPA.
Now to generate the PMKs, we must provide pyrit
with at least one SSID. In order to do this, we use create_essid
command:
This last command will not actually start the building process. In fact, try to re-eval the database:
Still, our newly added SSID does not have calculated PMKs. The number of calculated PMKs for our LabNetwork
SSID is still zero. The last step of the process is launching the batch
command which has a very simple syntax:
At this point, pyrit
will start building your database for the included SSIDs and password combinations. Database generation could be a very long process, depending on the power of your CPU and the number of passwords you imported. pyrit
can make use of the computational power of modern GPUs, like oclHashCat
, so you are encouraged to run it on a desktop PC with a recent video card installed.
Now launch this command to initiate the attack against the handshake:
pyrit
will try all of the different PMKs in its database very quickly and will eventually output the found key if it was initially in your wordlist. The focal point here is the speed.
Having a pre-built database for a given SSID can tremendously speed up your attack.
Pre-built hash files
On the internet you can find pre-built PMKs databases for the most common SSID names.
Church of WiFi WPA-PSK Lookup Tables
2 databases
172000 words X 1000 SSIDs: 7GB
1 Million words X 1000 SSIDs: 33GB
Google
SSID rainbow table
SSID PMK database
WPS: Wireless Protected Setup
In 2011, Stefan Viehbock published a paper describing a new attack against WPS (Wireless Protected Setup).
WPS was designed a simple and secure way to setup a protected wireless network.
Stefan also found that design and implementation flaws in various devices may lead to a very effective attack method that can disclose the wireless encryption key.
WPS provides 3 different setup alternative methods:
Push-Button-Connect
Internal-Registrar
External-Registrar
While the former two methods require stronger authentication procedures (physical access or web interface access) the External-Registrar method only requires the client to provide a PIN (8 digits).
Normally, bruteforcing a 8 digits number will require testing for 10^8 (=1000000000) combinations but the actual form of authentication used by WPS highly reduces this number.
This is the representation of the WPS PIN number:
It's divided into two halves of 4 digits each. The last digit of the 2nd half is a checksum meaning it is always calculated from the other digits.
The authentication process works like this:
Both AP and client initialize encryption keys and internal state
Client proves possession of 1st half of the PIN
Client proves possession of 2nd half of the PIN
AP sends network security configuration
At every step, if the client is sending wrong data the AP terminates the process and sends a NACK
packet.
This behavior, combined with the split PIN allows us to build a quite optimized brute force attack.
How many combinations do we need to try?
Splitting the PIN get us from 10^8 to 10^4 + 10^4 (=20000) while having a checksum digit reduces the number of guesses for the 2nd half and we get the final result of only 10^4 + 10^3 (=11000) combinations.
There are two tools that can help to exploit this vulnerability:
Reaver
Bully
Reaver (& wash)
Developed by Tactical Network Solutions. It has both an open-source and a paid version that features a friendlier GUI and other goodies.
reaver
also comes with aa secondary tool called wash
that can be used to find vulnerable APs.
To be able to attack WPS, you must first be sure the target AP has WPS enabled. Inside reaver
package you can find wash
that servers this purpose.
With your monitor interface up and running, launch:
wash
will start hopping through the wireless channels and will list discovered APs that support WPS.
wash
output offers other useful information apart from signal level (RSSI
column) you can find WPS Locked
column. If the value is YES
you will find the corresponding AP disabled WPS due to internal anti-bruteforce protection mechanisms, being a major hurdle for the WPS attacks.
Bully
bully
is opensourced on GitHub. It has some advantages over reaver
such as fewer dependencies and a build process optimized for embedded devices. It also has features to handle anomalous scenarios.
Once you are sure your target AP is vulnerable to the attack (with bash
) you can launch bully
with the following command:
Where BSSID is the target AP's MAC address.
bully
will start trying every possible PIN in randomized order. On average, you will need to try 50% of the possible PIN numbers which is roughly 5500 WPS requests. The time it could take varies depending from the AP as well as the quality of the signal.
In the best scenario, you will probably need a few hours to complete the attack and get the WPA/WPA2 key back.
WPS attacks have been around since 2011. Since then, many vendors have upgraded their devices and AP firmware now contains a protection against PIN bruteforce. This protection is called WPS Lockdown and it's simply a self-defense procedure that temporarily disables WPS registration if a repeated number of attempts to register is detected.
When your attack is detected, an AP can lockdown the WPS registration procedure for a time that varies between a few seconds to one hour or more. Some devices could even require a complete reboot.
If bully
detects a lockout, it will normally display the following output and then wait for 43 seconds before next attempt. On the other hand, you can also disable lockout detection in bully
and force it to continue the attack but this is not recommended.
The -L
switch is used to disable lockdown detection.
A better option to avoid being locked out is to add a certain delay after every PIN attempt. By adding a pause between each try, you could bypass the attack detection system and get a smoother bruteforce attack.
This will increase the needed time to test each PIN; most of the time, this will be the only viable solution given that newer firmware disables WPS registration for hours after multiple authentication attempts are detected in a few seconds.
The syntax to use to enable delay for the bully command goes as follows:
Where the -1
option controls the delay in the first phase of the attack (first half of the PIN) and -2
options sets the delay value for the second phase. Values of 60 seconds or more are recommended for most APs.
Last updated