
By: siva
November 22, 2016
State of the Art Wifi Security - Attack on WPA / WPA2 Encryption - Part 2

Introduction:
The security weaknesses of WEP led researchers to design a new standard under the name 802.11i. The main security protocols of the 802.11i standard are Wireless Protected Access (WPA) and Wireless Protected Access II (WPA2). Although these protocols provide a significantly higher security level than WEP, they also present serious issues that can allow an attacker to recover the passphrase, break into the wireless network and gain unauthorized access. Below we show some methods and techniques for breaking into wireless networks and recovering the WPA/WPA2 passphrase.
Quick Note to Readers:
Before diving into the next part, I would like to ask readers to have a look at the first part of this post, titled State of the Art - Wifi Security. Also, there are hundreds of quick posts/tutorial videos on this topic, but this is my way of presentation, and as always feel free to comment on the writing as well as on the technical demo, which will help me to correct my future work. Also, some screenshots may not reveal actual attack results, but the command does; I did it on purpose and I encourage readers to obtain fluency in using the aircrack-ng suite tools.
Methodology:
The methodology for recovering the WPA/WPA2 passphrase that is used to secure the communications of a wireless network can be divided into two categories depending on the network topology:
Topology includes an Access Point and a Client
Topology includes the Client only
Scenarios:
In order to better understand each WPA/WPA2 passphrase recovery attack, various real-life scenarios will be presented. Each scenario examines in detail the techniques, the tools and the benefits of each WPA/WPA2 passphrase recovery attack.
Scenario #1: Crack the WPA/WPA2 Passphrase using the Access Point and a connected Wireless Client
Scenario #2: Crack the WPA/WPA2 Passphrase using only the Wireless Client
Scenario #1: Crack the WPA/WPA2 Passphrase using the Access Point and a connected Client
The first scenario that will be presented in this part describes how you can recover the passphrase from a WPA/WPA2 secured wireless network where the topology includes an Access Point and at least one connected client. The Access Point with MAC address ‘00-1C-F0-AE-83-F8’ is our target network. The administrator of this network has enabled WPA (TKIP) encryption in order to secure the communications. The WPA passphrase is 14 characters long. A legitimate client with MAC address ‘00:27:19:FF:F3:14’ is connected to this wireless network and is browsing the Internet.
STEP 1:
The first step of this lab scenario concerns the creation of a monitoring interface so that we can later use it to locate the wireless network of interest and gather the required information. The procedure for creating a monitoring interface is the same as in the previous lab scenarios of this book. Open a Terminal Window and at the command prompt type the following command:
sudo airmon-ng start wlan0
The airmon-ng tool replies with a success message.
STEP 2:
The next step is to use the airodump-ng tool to locate the wireless network of interest and obtain useful information that will be used to recover the WPA passphrase. At the Terminal Window issue the following command:
sudo airodump-ng mon0
The airodump-ng window opens and starts presenting all the nearby wireless networks together with their connected clients.
Let’s focus only on the target network. At the terminal window type the following command in order to instruct airodump-ng to present information only for the wireless network of interest (the monitoring interface must be given as the last argument):
airodump-ng --bssid 00:1C:F0:AE:83:F8 --channel 1 mon0
In the above airodump-ng output we can see that the Access Point of the current lab scenario advertises a wireless network with SSID ‘Target_Network’. This wireless network is secured under the WPA protocol, uses the TKIP encryption algorithm and the configured authentication method is Pre-Shared Key (PSK) authentication. The information that we need to write down in order to launch the WPA key recovery attack is the following:
Network SSID: Target_Network
BSSID: 00:1C:F0:AE:83:F8
Connected client: 00:27:19:FF:F3:14
Operating channel: 7
Having the above information you can proceed to the next steps of this lab attack scenario.
STEP 3:
In ‘Step 2’ of the scenario we identified at least one client connected to the target wireless network (MAC address 00:27:19:FF:F3:14). The goal of this step is to capture the 4-way authentication handshake between the client and the Access Point and extract the information that will be used during the passphrase recovery attack (SSID, ANonce, SNonce, AP MAC address, client MAC address).
Since the client is already connected, we have two options: either wait for another client to connect and capture the 4-way handshake, or de-authenticate the client and capture the handshake when it automatically reconnects. The second option is faster, so open a new Terminal Window and type the following command to launch a de-authentication attack against the connected client. Note: don’t press enter yet!
aireplay-ng -0 15 -a 00:1C:F0:AE:83:F8 -c 00:27:19:FF:F3:14 mon0
Before executing the de-authentication attack command we have to configure airodump-ng to capture the 4-way handshake messages and store them in a file on the local disk. This file will be used as input in the next step of this lab scenario in order to recover the passphrase. So open a new Terminal Window and type the command:
airodump-ng --bssid 00:1C:F0:AE:83:F8 --channel 1 --write WPAattack mon0
Now, at the Terminal window where the de-authentication attack command is typed, press the enter key to launch the attack. The aireplay-ng tool spoofs the MAC address of the Access Point and sends 15 de-authentication frames to the connected wireless client. The client is deceived into believing that the de-authentication frames come from the Access Point and immediately disconnects from the network.
The wireless connection manager of the client’s operating system automatically initiates the re-authentication process. The 4-way handshake takes place and the airodump-ng tool captures it and stores it in the defined file on the local disk (in our case the WPAattack capture file). The successful 4-way authentication handshake capture is reported by airodump-ng at the top right of the output screen.
STEP 4:
So far we have identified a wireless network with a connected client and we have captured the 4-way handshake. We can now launch the dictionary attack against the passphrase. As we described at the beginning of this chapter, during this attack passphrases are selected one by one from a dictionary file in order to generate a candidate PSK. The PSK is combined with the captured values of the 4-way handshake to produce the PTK, which in turn is used to generate the MIC. If the MIC matches the MIC captured in the 4-way handshake messages, then the selected passphrase is the one we are searching for. If not, the whole process repeats until the values in the dictionary file are exhausted.
The dictionary attack will be launched using the aircrack-ng tool. In order to launch the attack we need to provide aircrack-ng with a dictionary file from which it will select the passphrases. You can use larger files, but as you are going to see, the larger the file the longer it takes to complete the attack.
Open a new Terminal window and issue the following command to instruct aircrack-ng to launch the dictionary attack against the WPA passphrase (airodump-ng appends a sequence number and extension to the name given with --write, so the capture file is WPAattack-01.cap):
aircrack-ng WPAattack-01.cap -w /home/attacker/passlist.txt
The aircrack-ng tool selects the passphrases one after another from the dictionary file and launches the attack described at the beginning of this lab step. At the top of the window you can see the passphrase values that are tested each time, the number of tested values and the total time.
It is very important to mention that if the passphrase was not included in the dictionary file we used, then aircrack-ng wouldn’t be able to recover it. Always remember that a dictionary attack is only as good as the dictionary used for the attack.
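As an added illustration (not part of the original post), the following Python derives the PSK exactly as 802.11i specifies it: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt and 4096 iterations. It shows the two things a network owner should take from this step: the SSID salts the PSK, so a non-default SSID defeats precomputed tables, and the fixed 4096 iterations bound how many dictionary entries can be tried per second. The "password"/"IEEE" value is the standard's own test vector; the throughput and exhaustion-time helpers are assumptions added for this example.

```python
import hashlib
import time

ITERATIONS = 4096  # fixed by IEEE 802.11i for passphrase-to-PSK mapping
PSK_LEN = 32       # 256-bit PSK (used directly as the PMK)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).

    This is the 'candidate PSK' the text describes for each dictionary entry;
    the SSID acts as salt, so the same passphrase gives a different PSK per network.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, PSK_LEN)


def psk_hex(passphrase: str, ssid: str) -> str:
    return wpa_psk(passphrase, ssid).hex()


def ssid_acts_as_salt(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when one passphrase yields different PSKs under two SSIDs,
    i.e. a table precomputed for ssid_a is useless against ssid_b."""
    return wpa_psk(passphrase, ssid_a) != wpa_psk(passphrase, ssid_b)


def derivations_per_second(ssid: str, samples: int = 50) -> float:
    """Rough single-core candidate-PSK throughput (assumed helper, not from the page)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk(f"candidate{i:08d}", ssid)   # constructed candidate passphrases
    return samples / (time.perf_counter() - start)


def hours_to_exhaust(dictionary_size: int, rate: float) -> float:
    """Time to try every entry of a dictionary at `rate` PSKs per second."""
    return dictionary_size / rate / 3600


if __name__ == "__main__":
    print(psk_hex("password", "IEEE"))  # 802.11i test vector
    rate = derivations_per_second("Target_Network")
    # A 14-character passphrase drawn from a wordlist falls quickly; one drawn at
    # random from 62 symbols is out of reach at this rate, which is the point of Step 4.
    print(f"~{rate:.0f} PSKs/s; 62^14 random passphrases: "
          f"{hours_to_exhaust(62 ** 14, rate):.3g} h")
```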
Scenario #2: Crack the WPA/WPA2 Passphrase using only the Wireless Client
The second scenario that will be presented in this part describes how you can recover the passphrase from a WPA/WPA2 secured wireless network where the topology includes a wireless client that is not connected to the network. The wireless client with MAC address ‘00-1C-F0-AE-83-F8’ is configured to connect automatically to the configured wireless network with SSID “Target Network”. The administrator of this network has enabled WPA (TKIP) encryption in order to secure the communications. The WPA passphrase is 14 characters long. The wireless client is not in range of the office wireless network and has left its WNIC activated.
In this scenario we will demonstrate how we can recover the WPA/WPA2 passphrase using only the wireless client. In most cases a wireless client is not in range of its preferred Access Point, but its WNIC is activated and the wireless network manager is looking for an Access Point to connect to.
Every operating system stores the configuration of a wireless connection (SSID, username, key) in order to connect automatically to the preferred wireless network when it comes into range.
We are going to exploit this feature to attack the client and recover the WPA/WPA2 passphrase.
STEP 1:
The first step of this lab scenario concerns the creation of a monitoring interface so that we can later use it to locate the wireless network of interest and gather the required information. The procedure for creating a monitoring interface is the same as in the previous lab scenarios of this book. Open a Terminal Window and at the command prompt type the following command:
sudo airmon-ng start wlan0
The airmon-ng tool replies with a success message.
STEP 2:
The next step is to use the airodump-ng tool to locate the wireless network of interest and obtain useful information that will be used to recover the WPA passphrase. At the Terminal Window issue the following command:
sudo airodump-ng mon0
The airodump-ng window opens and starts presenting all the nearby wireless networks together with their connected clients.
From the above screenshot we can see that the wireless client with MAC address 80:00:0B:6E:E3:E3:EE is trying to associate with its preferred Access Point. The indication “Not associated” under the BSSID column means that the wireless client is automatically looking to connect to a preferred Access Point (in most cases an office or home network) that it was connected to in the past and that is not available now.
STEP 3:
Since the Access Point is not in range we can create a fake one with the same name and characteristics and trick the client into connecting to it. To do this we use the airbase-ng tool, part of the aircrack-ng suite, which allows the creation of fake Access Points and can launch attacks to recover WEP/WPA/WPA2 keys.
airbase-ng -c 1 -a 00:CA:E5:C3:83:FB -e Target-network -W 1 -Z 4 mon0
-c 1: The channel on which the fake Access Point will operate
-a: The MAC address of the Access Point
-e: The SSID of the wireless network that the fake Access Point will advertise
-W 1: Sets the WEP flag in the beacon broadcasts
-Z 4: Advertise a WPA2 secured network with AES-CCMP encryption
mon0: The wireless interface that will be used
The following screenshot shows the successful creation of a fake Access Point.
STEP 4:
After creating a fake Access Point, the next step is to use the airodump-ng tool to capture traffic between the fake Access Point and the wireless client (when it connects) and store it in files on the local disk. The following command does this:
airodump-ng --bssid 00:CA:E5:C3:83:FB --channel 1 --write WPAattack mon0
After issuing the above command we need to wait until the legitimate client connects to the fake Access Point. Once it connects we will see the message “client <bssid> associated”, as shown in the following screenshot.
At this instant the airodump-ng tool, which monitors the exchange of packets between the Access Point and the wireless client, will capture the 4-way handshake. In reality the 4-way handshake packets are not fully exchanged, because the fake Access Point does not know the real passphrase and so cannot complete the handshake; only the messages the client itself sends are captured.
The following screenshot (output from airodump-ng) shows the capture of the 4-way handshake.
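As an added example (not from the original post), the following Python shows what a defender's monitor-mode sensor could flag for the two scenarios above: the burst of 15 de-authentication frames that aireplay-ng sends in Scenario 1, and the airbase-ng Access Point in Scenario 2 advertising the target SSID from an unknown BSSID with a cipher the real AP does not use. The Frame class, the frame records and the known-AP table are constructed for this example; the MAC addresses and SSID are the ones used in the two scenarios.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Frame:
    """Constructed summary of one 802.11 management frame (not a real capture)."""
    ts: float          # capture time in seconds
    kind: str          # "beacon" or "deauth"
    src: str           # transmitter MAC
    dst: str           # receiver MAC
    bssid: str
    ssid: str = ""     # beacons only
    cipher: str = ""   # beacons only: "TKIP" or "CCMP"


def deauth_bursts(frames, threshold=10, window=2.0):
    """Return (sender, target) pairs that see >= threshold deauth frames within `window` seconds.
    A legitimate AP rarely sends a burst like this; Scenario 1 sends 15 in a row."""
    times_by_pair = defaultdict(list)
    for f in frames:
        if f.kind == "deauth":
            times_by_pair[(f.src, f.dst)].append(f.ts)
    flagged = []
    for pair, times in times_by_pair.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append(pair)
                break
    return flagged


def rogue_beacons(frames, known_aps):
    """known_aps maps SSID -> {bssid: cipher}. Flag beacons that carry a known SSID from an
    unknown BSSID (Scenario 2's airbase-ng) or with a cipher the legitimate AP does not use."""
    alerts = []
    for f in frames:
        if f.kind != "beacon" or f.ssid not in known_aps:
            continue
        legit = known_aps[f.ssid]
        if f.bssid not in legit:
            alerts.append(("unknown-bssid", f.bssid, f.ssid))
        elif legit[f.bssid] != f.cipher:
            alerts.append(("cipher-mismatch", f.bssid, f.ssid))
    return alerts


AP, CLIENT, ROGUE = "00:1C:F0:AE:83:F8", "00:27:19:FF:F3:14", "00:CA:E5:C3:83:FB"
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE = ([Frame(0.1 * i, "deauth", AP, CLIENT, AP) for i in range(15)]       # constructed burst
          + [Frame(5.0, "beacon", AP, BCAST, AP, "Target_Network", "TKIP"),       # real AP
             Frame(5.2, "beacon", ROGUE, BCAST, ROGUE, "Target_Network", "CCMP")])  # fake AP
KNOWN = {"Target_Network": {AP: "TKIP"}}
```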
STEP 5:
After capturing the 4-way handshake, we are now ready to crack the passphrase, and the steps to do it are the same as in the previous scenario.
Open a new Terminal window and issue the following command to instruct aircrack-ng to launch the dictionary attack against the WPA passphrase (the capture written by airodump-ng is WPAattack-01.cap):
aircrack-ng WPAattack-01.cap -w /home/attacker/passlist.txt
Conclusion:
With this I would end this writing, and please remember that this is just the beginning, or a pathway to encourage readers to dive deep into WiFi security and practice some advanced attack scenarios (in a controlled environment) to learn more. In the next part I would like to write up Wireless Security Best Practices (Part 3 of the series). So see you soon and stay safe.