Cracking

WPA/WPA2 Personal + Enterprise for Fun and Prot

Vivek Ramachandran Founder, SecurityTube.net vivek@securitytube.net

SecurityTube.net

Shameless Self PromoHon

B.Tech, ECE IIT GuwahaH

802.1x, Cat65k Cisco Systems

WEP Cloaking Defcon 19

Cae LaNe ANack Toorcon 9

Media Coverage CBS5, BBC

MicrosoP Security Shootout

Trainer, 2011

Wi-Fi Malware, 2011

SecurityTube.net

SecurityTube.net

Students in 65+ Countries

SecurityTube.net

Backtrack 5 Wireless PenetraHon TesHng

hNp://www.amazon.com/BackTrack-Wireless-PenetraHon-TesHng-Beginners/dp/1849515581/

SecurityTube.net

Agenda
WPA/WPA2 PSK Cracking Speeding up the cracking process AP-less WPA/WPA2 PSK Cracking Hole 196 WPS ANack Windows 7+ Wi-Fi Backdoors WPA/WPA2 Enterprise PEAP, EAP-TTLS
SecurityTube.net

Understanding WPA/WPA2

SecurityTube.net

Why WPA - WEP Broken Beyond Repair

IEEE WG admi6ed that WEP cannot hold any water. Recommended users to upgrade to WPA, WPA2

2001 - The insecurity of 802.11, Mobicom, July 2001 N. Borisov, I. Goldberg and D. Wagner. 2001 - Weaknesses in the key scheduling algorithm of RC4. S. Fluhrer, I. ManHn, A. Shamir. Aug 2001. 2002 - Using the Fluhrer, ManHn, and Shamir ANack to Break WEP A. Stubbleeld, J. Ioannidis, A. Rubin. 2004 KoreK, improves on the above technique and reduces the complexity of WEP cracking. We now require only around 500,000 packets to break the WEP key.

2005 Adreas Klein introduces more correlaHons between the RC4 key stream and the key. 2007 PTW extend Andreas technique to further simplify WEP Cracking. Now with just around 60,000 90,000 packets it is possible to break the WEP key.

AirTight 2007

SecurityTube.net

We need WEPs Replacement

WPA Intermediate soluHon by Wi-Fi Alliance Uses TKIP Based on WEP Hardware changes not required Firmware update WPA2 Long Term soluHon (802.11i) Uses CCMP Based on AES Hardware changes required

Personal PSK

Enterprise 802.1x + Radius

Personal PSK

Enterprise 802.1x + Radius

SecurityTube.net

WEP
StaCc WEP Key Probe Request-Response AuthenHcaHon RR, AssociaHon RR Data Encrypted with Key StaCc WEP Key

SecurityTube.net

WPA: No StaHc Keys

StaCc WEP Key Probe Request-Response AuthenHcaHon RR, AssociaHon RR Dynamic Key Generated First StaCc WEP Key

Data Encrypted with Dynamically Key

How are Dynamic Keys Created?

SecurityTube.net

WPA/WPA2 PSK (Personal) Cracking

SecurityTube.net

WPA Pre-Shared Key

Pre-Shared Key 256 bit

PBKDF2

Passphrase (8-63)

SecurityTube.net

PBKDF2
Password Based Key DerivaHon FuncHon RFC 2898 PBKDF2(Passphrase, SSID, ssidLen, 4096, 256) 4096 Number of Hmes the passphrase is hashed 256 Intended Key Length of PSK

SecurityTube.net

Lets Shake Hands: 4-Way Handshake

Supplicant Probe Request-Response AuthenHcaHon RR, AssociaHon RR Pre-Shared Key 256 bit
Message 1 ANounce

AuthenHcator

Pre-Shared Key 256 bit ANounce

SecurityTube.net

4 Way Handshake: Message 1

Supplicant Probe Request-Response AuthenHcaHon RR, AssociaHon RR Pre-Shared Key 256 bit
Message 1 ANounce

AuthenHcator

Pre-Shared Key 256 bit

Snounce PTK

SecurityTube.net

4 Way Handshake: Message 2

Supplicant Probe Request-Response AuthenHcaHon RR, AssociaHon RR Pre-Shared Key 256 bit
Message 1 ANounce

AuthenHcator

Pre-Shared Key 256 bit

Snounce PTK Message 2 SNounce

SecurityTube.net

4 Way Handshake: Message 3

Supplicant Probe Request-Response AuthenHcaHon RR, AssociaHon RR Pre-Shared Key 256 bit
Message 1 ANounce

AuthenHcator

Pre-Shared Key 256 bit

Snounce PTK
Message 3 aHon Key Install

Message 2 Snounce + MIC

PTK

Key Installed

SecurityTube.net

4 Way Handshake: Message 4

Supplicant Probe Request-Response AuthenHcaHon RR, AssociaHon RR Pre-Shared Key 256 bit
Message 1 ANounce

AuthenHcator

Pre-Shared Key 256 bit

Snounce PTK
Message 3 aHon Key Install

Message 2 Snounce + MIC

PTK

Key Installed

Message 4 Key Install Acknowledgement

SecurityTube.net

Key Installed

Demo

How does the Handshake look like?

SecurityTube.net

A Quick Block Diagram

4 Way Handshake SNonce ANonce AP MAC Client MAC Pre-Shared Key 256 bit

PBKDF2 (SSID)

PTK Passphrase (8-63)

SecurityTube.net

WPA-PSK DicHonary ANack

4 Way Handshake SNonce ANonce AP MAC Client MAC Pre-Shared Key 256 bit

PBKDF2 (SSID) PTK Passphrase (8-63)

DicHonary
SecurityTube.net

Verify by Checking the MIC

Demo

WPA/WPA2 Personal Cracking

SecurityTube.net

BoNleneck in the WPA-PSK DicHonary ANack

4 Way Handshake SNonce ANonce AP MAC Client MAC Pre-Shared Key 256 bit (PMK)

PBKDF2 (SSID) PTK Passphrase (8-63)

DicHonary
SecurityTube.net

Verify by Checking the MIC

PBKDF2
Requires SSID
List of commonly used SSIDs

Requires Passphrase
Can be provided from a DicHonary

PMK can be pre-computed using the above

SecurityTube.net

Other Parameters in Key Cracking

Snonce, Anonce, Supplicant MAC, AuthenHcator MAC varies and hence cannot be pre-calculated PTK will be dierent based on the above MIC will be dierent as well Thus these cannot be pre-calculated in any way

SecurityTube.net

Speeding up Cracking
4 Way Handshake SNonce ANonce AP MAC Client MAC Pre-Shared Key 256 bit (PMK)

Pre-Calculated List of PMK for a 1. Given SSID 2. DicHonary of Passphrases

PTK

Verify by Checking the MIC

SecurityTube.net

Plaqorms
MulH-Cores ATI-Stream Nvidia CUDA . In the Cloud
Amazon EC2

SecurityTube.net

Fast Cracking Demo

Pyrit
hNp://code.google.com/p/pyrit/

SecurityTube.net

Demo

Speeding up WPA/WPA2 Personal Cracking

SecurityTube.net

In the Cloud EC2 Cluster Compute

SecurityTube.net

AP-less WPA/WPA2 PSK Cracking

SecurityTube.net

Understanding Clients
Client

SSID: default

SSID Default SecurityTube ProtectedAP .

CredenCals ********

SecurityTube.net

An Isolated Client

SecurityTube.net

Demo

Isolated Client Behavior

SecurityTube.net

Demo

CreaHng a Catch All Honeypot

SecurityTube.net

Cracking WPA with Only Client?

Supplicant Probe Request-Response AuthenHcaHon RR, AssociaHon RR Pre-Shared Key 256 bit
Message 1 ANounce

Hacker Honeypot

Pre-Shared Key 256 bit

Snounce PTK Message 2 Snounce + MIC

n DeAuthenHcaHo

SecurityTube.net

WPA-PSK DicHonary ANack

4 Way Handshake SNonce ANonce AP MAC Client MAC Pre-Shared Key 256 bit

PBKDF2 (SSID) PTK Passphrase (8-63)

DicHonary
SecurityTube.net

Verify by Checking the MIC

Demo

WPA/WPA2 AP-less Cracking

SecurityTube.net

WPA/WPA2 Personal Safe for use in SMB Long + Random Passphrase?

SecurityTube.net

WPA/WPA2 GTK Misuse Vulnerability (Hole 196)

SecurityTube.net

PTK and GTK

Access Point

Client 1

Client 2

Client 3

PTK1 GTK-Common

PTK1 GTK-Common

PTK1 GTK-Common

Pairwise Transient Key (PTK) Unique for All Clients Group Temporal Key (GTK) Same for All Clients
SecurityTube.net

Abusing the GTK

Insider ANack
Malicious Insider can gain access to the common GTK Use GTK to send trac to Clients on behalf of the AP MulHple ANacks possible
MITM RedirecHon DoS
SecurityTube.net

ARP Spoong ANack

Wired LAN Access Point

1. Gateway ARP Update Malicious Insider User Laptop

SecurityTube.net

DoS using Replay ANack ProtecHon

PN = 1000 PN = 1000

PN = 1001

PN = 1001 Malicious Insider

PN = 1500

PN = 1500

PN = 1002

SecurityTube.net

WPS ANack

SecurityTube.net

Whats Wrong with WPS?

images from Google Image Search

SecurityTube.net

DemonstraHon
WPS Bruteforce Demo

SecurityTube.net

Windows 7 Wi-Fi Backdoors

SecurityTube.net

GeneraHon 2.0 of Client SoPware Hosted Network

Available Windows 7 and Server 2008 R2 onwards Virtual adapters on the same physical adapter SoPAP can be created using virtual adapters With this feature, a Windows computer can use a single physical wireless adapter to connect as a client to a hardware access point (AP), while at the same ;me ac;ng as a so<ware AP allowing other wireless-capable devices to connect to it.
hNp://msdn.microsoP.com/en-us/library/dd815243%28v=vs.85%29.aspx

DHCP server included

SecurityTube.net

CreaHng a Hosted Network

SecurityTube.net

Client sHll remains connected to hard AP!

SecurityTube.net

DemonstraHon
Demo of Hosted Network

SecurityTube.net

Wi-Fi Backdoor
Easy for malware to create a backdoor They key could be:
Fixed Derived based on MAC address of host, Hme of day etc.

As host remains connected to authorized network, user does not noHce a break in connecHon No Message or Prompt displayed
SecurityTube.net

Makes a Rogue AP on every Client!

Rogue AP

Rogue AP

Rogue AP

SecurityTube.net

Why is this cool?

VicHm will never noHce anything unusual unless he visits his network sexngs
has to be decently technical to understand

ANacker connects to vicHm over a private network

no wired side network logs: rewalls, IDS, IPS Dicult, if not impossible to trace back Dicult to detect even while aNack is ongoing J

Abusing legiHmate feature, not picked up by AVs, AnH-Malware More Stealth? Monitor air for other networks, when a specic network comes up, then start the Backdoor

SecurityTube.net

DemonstraHon
Demo of Metasploit + Hosted Network

SecurityTube.net

WPA-Enterprise

SecurityTube.net

WPA-Enterprise
Supplicant AuthenHcator AssociaHon EAPoL Start EAP Request IdenHty EAP Response IdenHty EAP Packets EAP Success 4 Way Handshake Data Transfers
SecurityTube.net

AuthenHcaHon Server

EAP Request IdenHty EAP Packets EAP Success PMK to AP

WPA/WPA2 Enterprise
EAP Type PEAP EAP-TTLS EAP-TLS LEAP EAP-FAST . Real World Usage Highest High Medium Low Low .

SecurityTube.net

PEAP
Protected Extensible AuthenHcaHon Protocol Typical usage:
PEAPv0 with EAP-MSCHAPv2 (most popular) PEAPv1 with EAP-GTC
NaHve support on Windows

Other uncommon ones

Uses Server Side CerHcates for validaHon PEAP-EAP-TLS

PEAPv0/v1 with EAP-SIM (Cisco)

AddiHonally uses Client side CerHcates or Smartcards Supported only by MicrosoP

SecurityTube.net

Source: Layer3.wordpress.com

SecurityTube.net

Understanding the Insecurity

Server side cerHcates
Fake ones can be created Clients may not prompt or user may accept invalid cerHcates

Setup a Honeypot with FreeRadius-WPE

Client connects Accepts fake cerHcate Sends authenHcaHon details over MSCHAPv2 in the TLS tunnel ANackers radius server logs these details Apply dicHonary / reduced possibility bruteforce aNack using Asleap by Joshua Wright

SecurityTube.net

Network Architecture
BT5 VM

Honeypot AP setup by ANacker FreeRadius-WPE + Wireshark 1 eth1

Wireshark 2

mon0

SecurityTube.net

DemonstraHon
PEAP Cracking with Honeypot

SecurityTube.net

Windows PEAP Hacking Summed Up in 1 Slide J

SecurityTube.net

EAP-TTLS
EAP-Tunneled Transport Layer Security Server authenHcates with CerHcate Client can opHonally use CerHcate as well No naHve support on Windows
3rd party uHliHes to be used

Versions
EAP-TTLSv0 EAP-TTLSv1
SecurityTube.net

Inner AuthenHcaHon in EAP-TTLS

MSCHAPv2 MSCHAP CHAP PAP

SecurityTube.net

DemonstraHon
EAP-TTLS Cracking with Honeypot

SecurityTube.net

Leverage the Cloud

SecurityTube.net

EAP-TLS Peace of Mind!

Strongest security of all the EAPs out there Mandates use of both Server and Client side cerHcates Required to be supported to get a WPA/WPA2 logo on product Unfortunately, this is not very popular due to deployment challenges

SecurityTube.net

SecurityTube Wi-Fi Security DVD

hNp://www.securitytube.net/
SecurityTube.net