LAB 9: WiFi security
PA 197
Michal Snajdr snajdr@ics.muni.cz
Michal Snajdr snajdr@ics.muni.cz
LAB 9: WiFi security
1/31
Warning
All of the advice/information that I'll give is purely for educational purposes. MU will not be responsible for any illegal use of this tutorial. Don't hack any wireless network, unless you are the owner of that network.
Michal Snajdr snajdr@ics.muni.cz
LAB 9: WiFi security
2/31
We will try.
Wifi security - vulnerabilities
► Hidden SSID
► MAC filtering
► Weaknesses in WEP encryption
► Security vs. Comfort (Is WPS secure?)
► WPA/WPA2 capture handshake
► Homework: WPA2 attacks
Michal Snajdr snajdr@ics.muni.cz
LAB 9: WiFi security
3/31
Lab prerequisities
1. Hardware
► laptop with a WiFi module (must support monitor mode)
2. Software
► airmon-ng - a bash script designed to turn wireless cards into monitor mode
► airodump-ng - a packet capture tool for aircrack-ng
► aireplay-ng - inject ARP-request packets into a wireless network to generate traffic
► aircrack-ng - a 802.11 WEP / WPA-PSK key cracker
□       gi        - =
Michal Snajdr snajdr@ics.muni.cz
LAB 9: WiFi security
4/31
Why is WiFi security so important?
► WiFi connection is very popular (flexible, comfortable, cheap)
► number of devices is rapidly increasing due to Internet of Things (loT)
► we transfer sensitive data Vulnerabilities
► connect to devices in network (capture webcam, access to shared network storage, control intelligent things - heating, light ...)
► capture and analyze sensitive data —>► identity theft
► set up fake AP with stronger signal —>► MITM attack
□       gi        - =
Michal Snajdr snajdr@ics.muni.cz
LAB 9: WiFi security
5/31
Initial scheme
hidden SSID
ATTACKER
VICTIM
Topology:
► SSID: (hidden) - in all labs we will only use the PA197* SSIDs!
► Encryption: None
► MAC filtering: enabled
< □ ►   4 31 ►   <       >■   < ►
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security
6/31
LAB 1: Get started
1. Start wireless card in monitor mode
1.1 airmon-ng - can see available device
1.2 airmon-ng check kill - to kill blocking application (in some cases it is not needed)
1.3 airmon-ng start wlanO - start monitor mode on specific device (in my case wlanO)     create a new virtual interface
1.4 in next steps we will only use this one (e.g. wlanOmon, monO. ..)
2. Start scanning networks airodump-ng wlanOmon
► lists all of the wireless networks in your area
► useful information about them like channel, SSID, encryption...
► display hidden SSID of network (when capture new client association)
Michal Snajdr snajdr@ics.muni.cz
LAB 9: WiFi security
7/31
LAB 2: MAC filtering
MAC addresses are broadcast unencrypted in header of frame, so it can be captured with a tool such as Wireshark. For this purpose we will use airodump-ng with additional options.
airodump-ng —bssid AA:AA:AA:AA:AA:AA -c B wlanOmon
► --bssid AA:AA:AA:AA:AA:AA (equivalent for -d) is the BSSID of the AP
► -c B (equivalent for --channel) is the channel the AP is operating on
► wlanOmon is the monitoring wireless adapter
To read SSI D from of network we need to capture client associanting to AP:
► wait for client connecting (if no client currently connected on target network
► disconnect client, most of implementation will reconnect without user notice
aireplay-ng -0 1 -c CLIENT-BSSID -a AP-BSSID wlanOmon -0 1 stands for deauth attack repeat 1 time
Michal Š naj d r snajdr@ics.muni.cz LAB 9: WiFi security
8/31
Connecting to wireless network from command line
Above mentioned method we can capture (or use a script to save to file) allowed MAC addresses. If we want to connect to a 'secured' AP we can change the MAC address in OS (Linux ip link set <DEV> address <MAC> or tool macchanger, interface need to be in down state; in Windows it is in the settings of the adapter)
iwconfig <DEV> essid <WIFINAME> key <PASSWORD>
► password is for WEP secured network, skip now, will be next step ► input is secret key for network or key s:<ASCIIPASSWORD>
Request address on from DHCP server dhclient <DEV>
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security 9/31
WEP - Wired Equivalent Privacy
► the oldest encryption of WiFi (1997)
► at the time was suppose to provide confidentiality comparable to a traditional wired network.
► uses a shared key for encrypting packets
► most common is 64-bit or 128-bit WEP
► 64-bit = 40-bit key + 24-bit Initialization Vector(IV) RC4 keystream (40 bit key = 5 character password)
► 128-bit = 104-bit key + 24-bit Initialization Vector(IV) RC4 keystream (104 bit key = 13 character password)
► WEP encryption is based on RC4 keystream XORed with plain-text
► exist (very rarely) 152-bit and a 256-bit WEP encryption (vendor specific implementations)
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security 10/31
Topology
ATTACKER VICTIM
► administrator realized that MAC filtering is very bad protection and he needs some encryption -> enable WEP
► SSID: PA197-WEP
► MAC filtering: none
► encryption: WEP
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security
11/31
WEP attack
► known as PTW attack
► created by Andrei Pychkine, Erik Tews, and Ralf-Philipp Weinmann (in 2007)
► cryptanalytic method to discover a 104-bit WEP key
► needs only 40 000 captured packets to reach 50% probability of success (60 000 is 80% chance and 85 000 packet is about 95% chance to discover the WEP key)
► use deauth and ARP re-injection —>► 40 000 packets can be captured in less than minute under ideal conditions
► Let's it try ^
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security 12/31
LAB 3: How simple is it to hack WEP
Start capturing data
airmon-ng start wlanO (only if monitor mode is not enabled) airodump-ng wlanOmon
► start scanning WiFi networks
► needs to find target of attack (BSSID, channel)
airodump-ng —bssid {BSSID} -c B —write {PATH} wlanOmon
► --bssid the BSSID of the AP
► -c the channel of AP
► --write (equivalent for -w) name of the file you want to save the captured data to (e.x. /root/Desktop/WEPattack )
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security 13/31
LAB 3: How simple is it to hack WEP
Fake Authentication
► we need to capture a lot of IV's to recover the password
► at least 20 000, ideally 100 000 IV's
► AP ignores the packet from not associated MAC (send out "DeAuthentication" packet)
► open new terminal (first one captures data)
aireplay-ng -1 0 -e HackMe -a 08:86:30:74:22:76
-h BB:BB:BB:BB:BB:BB wlanOmon_
► attack mode: -1 0, ( —fakeauth={delay} can be used too) Fake authentication with AP. (0 is delay)
► -e HackMe Set target SSID for Fake Authentication attack
► -a 08:86:30:74:22:76 Set Access Point MAC address
► -h BB:BB:BB:BB:BB:BB MAC address client we are forging
► Next options
► -o {n-packets} Set the number (in our case only 1) of packets for every authentication and association attempt. Default is multiple and this confuses some APs
► -q 10 - Send keep alive packets every 10 secqpds
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security
14/31
LAB 3: How simple is it to hack WEP
Generate traffic to get new IVs
► now as we are authenticated so AP will accept ARP request packets
► each response include unique IV
► Aireplay-ng listen to the AP for ARP request, and inject them as soon as they find one
► it causes that data and the beacons should began to grow quickly
aireplay-ng -3 -b AA:AA:AA:AA:AA:AA -h BB:BB:BB:BB:BB:BB -e HackMe wlanOmon
► same tool but different attack mode (In previos command we use -1 fake authentication; now we use -3 arpreplay mode)
► -3 (or -arpreplay) Standard ARP-request replay
► -b AA:AA:AA:AA:AA:AA MAC address of access point
► -h BB:BB:BB:BB:BB:BB MAC address client we are forging
► -e HackMe Set target SSID
► wlanOmon is the monitoring wireless adapter
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security
15/31
LAB 3: How simply is to hack WEP
Cracking the password
► in the first terminal we can see a lot of sent packets
► we can try to crack the password from captured data
► open new (third) terminal
aircrack-ng -z /root/Desktop/WEPattack-Ol.cap
► -z Uses PTW (Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann) attack. (In case we don't specify type, airodump-ng analyze data and choose type based on captured data)
► /root/Desktop/WEPattack-Ol.cap path to file with captured IV's (*.cap/*.ivs file)
► if there is not enough captured IVs to crack key, aircrack-ng will wait for next capturing and try it crack again
► we must wait about 1-5 minutes to successful recovering WEP password (based on captured data)
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security
16/31
WPS - Is it secure?
Wifi Protected Setup designed to quickly & easily authenticate a client to an AP mainly aimed for home users
1. AP & the Client exchange a series of EAP messages
2. At the end of this transaction, the Client will have the encryption key & the AP's signature and is ready to connect
3. Client re-associates with the new credentials & signatures
4. The actual passphrase is not exchanged during WPS initiation (an eight digit PIN is used for authentication)
5. The client is first authenticated using the PIN and then the actual passphrase is exchanged
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security 17/31
WPS PIN
► WPS PIN consists of 8 digits
► last digit is a checksum —>► 7 digits to guess
► the PIN is validated by dividing it into 2 halves
► first half leaves 104 = 10 000 guesses
► second half leaves 103 = 1000 guesses
► all together we need only 11 000 guesses instead of 108=100 000 000
► can use brute-force
► on-line attack reaver tool
► off-line attack - PixieDust attack reaver with PixieWPS (This attack is only applicable to vulnerable devices)
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security 18/31
Topology
WPA2 encryption WPS enabled
ATTACKER VICTIM
► administrator improve WiFi security —> change WEP to WPA2
► SSID: PA197 (visible)
► encryption: WPA2
► WPS: enabled
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security
19/31
WPS offline attack
► lack of randomization in the components of the 2 halves of the PIN
► capture hashes and can start offline attack
Access Point
BEACON
WPS
E-S1 I PSK1 I PKe I PKr     E-S2 | PSK2 | PKe | PKr (1 st Half of PIN) (2n Half of PIN)
Online Attack
Paraphrase
Attacker
xxxxxx
Pin generated by reaver
Offline Attack
E-S1 I PSK1 I PKe I PKr  E-S2 | PSK2 | PKe | PKr (1st Half of PIN) (2n Half of PIN)
I
xxxxxxxx
(Actual PIN)
Received & Re-associates with Pass phrase
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security 20/31
WPS online attack
► Simply try PIN and wait for response
► Speed of founding passphrase is individual
► Some firmware may be protected against brute-force by Lock down time
► This protection prolongs needed time hence decrease chance of successful attack
reaver -i monO -b AA:AA:AA:AA:AA:AA -vv
Attempts before Lock	Lock down time	Attempts per minute	Maximum attack time	Maximum attack time	Comment
11000	0 minutes	46.15	3.97 hours	0.17 days	no lock down
?7		4.20	43,65 hours	1,82 days	NetgearWGR614v10
3	1 minutes	2.82	65.08 hours	2.71 days	Requirement for WSC 2.0
15	60 minutes	0.25	737.31 hours	30.72 days	Lock down configurations making brute Force less practical
10	60 minutes	0.17	1103.97	46.00 days	
5	60 minutes	0.08	2203.97	91.83 days	
Assumed time per attempt: 1.3 seconds
Michal Š naj d r snajdr@ics.muni.cz LAB 9: Wi Fi security 21/31
WPA/WPA2
► currently the safest way to secure a WiFi connection
► all modern devices support WPA2 with AES (Advanced Encryption Standard)
► TKIP (Temporal Key Integrity Protocol) vs. AES (in mixed mode TKIP is there as a fallback method)
► TKIP is no longer considered secure
► hackable with dictionary attack or brute-force (expect short password)
► WPA/WPA2 with strong pass-phrase is not possible to hack in short time (with current technology) -
► brute-force lower+upper case characters, password length 8, AMD hd7970 + oclHashcat « 12 years 60 days
® http://calc.opensecurityresearch.com/
► in next lab we will try to capture data (handshake) required for an offline dictionary and brute-force attack
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security
22/31
WP2 PSK authentication
► when client associating with AP there is establisted new temporary key (PTK) for each session calculated from:
► PMK - Pair Master key (gennerated from SSID and password)
► ANonce - random 32 bit number generated by AP
► SNonce - random 32 bit number generated by client
► MAC of AP
► MAC of client
Wirless Client
Access Point
Key (PMK) is Known Generate SNonce
Key (PMK) is Known Generate ANonce
Message 1: EAPOL-Key(ANonce. Unicast)
Derive PTK
Message 2: EAPOL-KcyfSNoriüc, Unicast. MIC)
Derive PTK If needed
Generate GTK
jssage 3: EAPOL-Kevťlnstall PTK, Unicast. MIC. Encrypted GTK)
Message 4: EAPOL-KevfUnicast, MIC)
Install PTK and GTK
Install PTK
Michal Šnajdr snajdr@ics.muni.cz LAB 9: WiFi security
23/31
LAB 3: WPA/WPA2 attack
airodump-ng —bssid {BSSID} -c B —write {PATH} wlanOmon
► --bssid (equivalent for -d)is the BSSID of the AP
► -c N (equivalent for —channel) is the channel the AP is operating on
► —write /root/Desktop/WPAcrack (equivalent for -w)name of file you want to save captured data
We need to capture 4-way handshake from the connected client (in new terminal:)
aireplay-ng —deauth 2 -a {AP bssid} -c {client bssid} wlanOmon
► —deauth (equivalent for —0 ) is a short cut for the deauth mode and the 2 is the number of deauth packets to send.
► -a indicates the access point/router's BSSID, replace {AP bssid} with the BSSID of the target network
► -c indicates the client's BSSID, the device we're trying to deauth, noted in the previous picture. Replace the {client bssid} with the BSSID of the connected client, this will be listed under "STATION."
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security
24/31
LAB 5: WPA/WPA2 attack
► after succesful deauth we can see in top left corner "WPA handshake: [BSSID]". That is what we want. The 4-way handshake is captured so we can try to crack it now.
► the handshake is saved in *.cap file from airodump-ng
► based on this handshake we can try to discover the pass-phrase either by brute-force or dictionary attacks (Your Homework)
► brute-force = systematically checking all possible keys or passwords until the correct one is found (very fast for short passwords)
► dictionary attack = based on trying the strings only in a pre-arranged list of possible pass-phrases (tries only those possibilities which are deemed most likely to succeed)
► if we try brute-force we need a lot of luck and time
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security 25/31
WPA2 Brute-force attack
► need *.cap file with handshake (using airodump-ng, wifite .. .)
► wpaclean cleans captured files to get only the 4-way handshake and a beacon
► take care of the right order of output and input file option! wpaclean <out.cap> <in.cap>
Using hashcat utility for attack. It requires input file in its own format
► converting the .cap file to a format cudaHashcat, oclHashcat or Hashcat
/root/hashcat-utils-master/src/cap2hccapx.bin input.pcap output.hccapx
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security 26/31
Brute-Force Attack with Hashcat
► Hashcat running on CPU, cudaHashcat or oclHashcat can use power of GPU
hashcat -m 2500 -a 3 capture.hccap <MASK>
► -m 2500 means we are attacking a WPA/WPA2 handshake file
► -a 3 Brute Force Attack mode
► capture.hccap source file (generated using wpaclean and cap2hccapx)
► <MASK> type of characters to try (all combinations) MASK
► Built-in charsets
► ?l = abcdefghijklmnopqrstuvwxyz
► ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
► ?d = 0123456789
► ?s = special characters
► ?a = ?l?u?d?s
► own charset using .hcmask file (for specific charset, variable length.. .)
► ex. ?u?u?u?u?u?u?u?u try all 8 Letter passwords in^CAPS (exactlyt
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security
27/31
Brute-Force Attack
► How long it will take?
► Example:
► minimum password length (8 characters)
► only lowercase letters
► 268 combinations = 208 827 064 576
► Thinkpad T400 with Intel P8600 @ 2.40 Ghz   1300 hashes/s => 5 years
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security 28/31
Key Reinstallation Attacks Breaking WPA2 by forcing nonce reuse
► published in late 2017
► known as KRACK
► by replaing message 3 of 4-way handshake allows attacker to weaken encryption and packets can be replayed, decrypted, and/or forged
► most implementation was vulnerable https://www.krackattacks.com/
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security 29/31
How to protect your Wifi?
1. Never use WEP encryption!
2. Use WPA2 whenever it is possible
3. Disable WPS: Analyze whether your WiFi AP needs to be using WPS at all.
4. Increase timeout period: For advanced routers, we can increase the Receive timeout to slow down the attack
5. WPS Lock: Set the WPS Lock time to a large value
6. MAC Filtering: Of course really old-school, but sometimes can protect against script kiddies.
7. Physically Secure the Router
8. Update or replace old HW to secure against Krack attacks
9. use also application level encryption
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security 30/31
References
► Reaver + PixieWPS, http://kalilinuxtutorials.com/reaver-pixewps/
► Brute forcing Wi-Fi Protected Setup,
https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
► Linux man page, http://linux.die.net/man/
► List of WPS Pixie Dust vulnerable device, https://docs.google.com/ spreadsheets/d/ItSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y
► Kismet tool,
https://www.kismetwireless.net/presentations/5hope-kismet.pdf
► Generic brute-force time calculation,
http://calc.opensecurityresearch.com/
► How to install hashcat-utils
https://www.incredigeek.com/home/install-hashcat-utils/
Michal Snajdr snajdr@ics.muni.cz LAB 9: WiFi security 31/31