3
Bypassing WLAN Authentication
"A false sense of security is worse than being unsure."
Anonymous
A false sense of security is worse than being insecure, as you may
not be prepared to face the eventuality of being hacked.
WLANs have weak authentication schemas, which can be easily broken and bypassed. In this
chapter, we will look at the various authentication schemas used in WLANs and learn how to
beat them.
In this chapter, we will look at the following:
- Uncovering hidden SSIDs
- Beating MAC filters
- Bypassing Open Authentication
- Bypassing Shared Key Authentication
Hidden SSIDs
In the default configuration mode, all access points send out their SSIDs in the Beacon
frames. This allows clients in the vicinity to discover them easily. Hidden SSIDs is a
configuration where the access point does not broadcast its SSID in the Beacon frames. Thus,
only clients which know the SSID of the access point can connect to it.
Unfortunately, this measure does not provide robust security, but most network
administrators think it does. We will now look at how to uncover hidden SSIDs.
Time for action – uncovering hidden SSIDs
Follow these instructions to get started:
1. Using Wireshark, if we monitor the Beacon frames of the Wireless Lab network,
we are able to see the SSID in plain text. You should see Beacon frames as shown in
the following screenshot:
2. Configure your access point to set the Wireless Lab network as a hidden SSID. The
actual configuration option to do this may differ across access points. In my case, I
need to check the Invisible option in the Visibility Status option as shown next:
3. Now if you look at the Wireshark trace, you will find that the SSID Wireless Lab has
disappeared from the Beacon frames. This is what hidden SSIDs are all about:
4. In order to bypass them, first we will use the passive technique of waiting for a
legitimate client to connect to the access point. This will generate Probe Request and
Probe Response packets which will contain the SSID of the network, thus revealing
its presence:
5. Alternatively, you can use aireplay-ng to send Deauthentication packets to
all stations on behalf of the Wireless Lab access point by typing
aireplay-ng -0 5 -a 00:21:91:D2:8E:25 mon0. The -0 option is for choosing a
Deauthentication attack, and 5 is the number of Deauthentication packets to send.
Finally, -a specifies the MAC address of the access point you are targeting:
6. The preceding Deauthentication packets will force all legitimate clients to disconnect
and reconnect. It would be a good idea to add a filter for Deauthentication packets
to view them in isolation:
7. The Probe Responses from the access point will end up revealing its hidden SSID.
These packets will show up on Wireshark as shown next. Once the legitimate clients
connect back, we can see the hidden SSID using the Probe Request and Probe
Response frames. You could use the filter (wlan.bssid == 00:21:91:d2:8e:25) &&
!(wlan.fc.type_subtype == 0x08) to monitor all non-Beacon packets to and from
the access point. The && sign stands for the logical AND operator and the ! sign
stands for the logical NOT operator:
What just happened?
Even though the SSID is hidden and not broadcast, whenever a legitimate client tries to
connect to the access point, they exchange Probe Request and Probe Response packets.
These packets contain the SSID of the access point. As these packets are not encrypted, they
can be very easily sniffed from the air and the SSID can be found.
In many cases, all clients may be already connected to the access point and there may be
no Probe Request/Response packets available in the Wireshark trace. Here, we can forcibly
disconnect the clients from the access point by sending forged Deauthentication packets
on the air. These packets will force the clients to reconnect back to the access point, thus
revealing the SSID.
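Why hiding the SSID protects nothing, as an added example (not code from the book): the SSID travels as information element 0 in the unencrypted body of Beacon and Probe Response frames, and a hidden network only blanks it in the Beacon. The frame bodies below are constructed sample data and the function names are hypothetical.

```python
import struct

BEACON, PROBE_RESPONSE = 0x08, 0x05   # 802.11 management frame subtypes
FIXED_FIELDS = 12                      # timestamp (8) + beacon interval (2) + capability (2)
SSID_ELEMENT_ID = 0


def parse_elements(body: bytes):
    """Yield (element_id, value) for each tagged parameter after the fixed fields."""
    pos = FIXED_FIELDS
    while pos + 2 <= len(body):
        element_id, length = body[pos], body[pos + 1]
        value = body[pos + 2 : pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        yield element_id, value
        pos += 2 + length


def ssid_of(body: bytes):
    """Return the SSID as text, or None when it is absent or hidden."""
    for element_id, value in parse_elements(body):
        if element_id == SSID_ELEMENT_ID:
            # Hidden networks send a zero-length SSID or one padded with NUL bytes.
            if not any(value):
                return None
            return value.decode("utf-8", errors="replace")
    return None


def audit(frames):
    """Per BSSID: does the Beacon hide the SSID, and did a Probe Response disclose it?"""
    report = {}
    for subtype, bssid, body in frames:
        entry = report.setdefault(
            bssid, {"hidden_in_beacon": False, "disclosed_ssid": None}
        )
        ssid = ssid_of(body)
        if subtype == BEACON and ssid is None:
            entry["hidden_in_beacon"] = True
        elif subtype == PROBE_RESPONSE and ssid is not None:
            entry["disclosed_ssid"] = ssid
    return report


def build_body(ssid: bytes, channel: int = 11) -> bytes:
    """Construct a minimal Beacon/Probe Response body (sample data, not a capture)."""
    fixed = struct.pack("<QHH", 0, 100, 0x0401)
    elements = bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid
    elements += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported rates
    elements += bytes([3, 1, channel])                  # DS parameter set (channel)
    return fixed + elements


AP = "00:21:91:d2:8e:25"  # lab access point BSSID used throughout the chapter
SAMPLE_FRAMES = [
    (BEACON, AP, build_body(b"")),                       # hidden: zero-length SSID
    (BEACON, AP, build_body(b"\x00" * 12)),              # hidden: NUL-padded SSID
    (PROBE_RESPONSE, AP, build_body(b"Wireless Lab")),   # sent when a client connects
]

if __name__ == "__main__":
    print(audit(SAMPLE_FRAMES))
```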
Have a go hero – selecting Deauthentication
In the previous exercise, we sent broadcast Deauthentication packets to force reconnection
of all wireless clients. Try and check how you can selectively target individual clients using
aireplay-ng.
It is important to note that even though we are illustrating many of these concepts using
Wireshark, it is possible to orchestrate these attacks with other tools, such as the
aircrack-ng suite, as well. We encourage you to explore the entire aircrack-ng suite of
tools and other documentation located on their website: http://www.aircrack-ng.org.
MAC filters
MAC filters are an age-old technique used for authentication and authorization and have
their roots in the wired world. Unfortunately, they fail miserably in the wireless world.
The basic idea is to authenticate based on the MAC address of the client. This list of allowed
MAC addresses will be maintained by the network administrator and will be fed into the
access point. We will now look at how easy it is to bypass MAC filters.
Time for action – beating MAC filters
Let the games begin:
1. Let us first configure our access point to use MAC filtering and then add the client
MAC address of the victim laptop. The settings pages on my router look as follows:
2. Once MAC filtering is enabled, only the allowed MAC address will be able to
successfully authenticate with the access point. If we try to connect to the access
point from a machine with a non-whitelisted MAC address, the connection will fail
as shown next:
3. Behind the scenes, the access point is sending Authentication failure messages to
the client. The packet trace would resemble the following:
4. In order to beat MAC filters, we can use airodump-ng to find the MAC addresses
of clients connected to the access point. We can do this by issuing the command
airodump-ng -c 11 -a --bssid 00:21:91:D2:8E:25 mon0. By specifying
the bssid, we will only monitor the access point which is of interest to us. The -c
11 sets the channel to 11 where the access point is. The -a ensures that in the client
section of the airodump-ng output, only clients associated and connected to an
access point are shown. This will show us all the client MAC addresses associated
with the access point:
5. Once we find a whitelisted client's MAC address, we can spoof the MAC address of
the client using the macchanger utility which ships with BackTrack. You can use the
command macchanger -m 60:FB:42:D5:E4:01 wlan0 to get this done. The
MAC address you specify with the -m option is the new spoofed MAC address for
the wlan0 interface:
6. As you can clearly see, we are now able to connect to the access point after spoofing
the MAC address of a whitelisted client.
What just happened?
We monitored the air using airodump-ng and found the MAC address of legitimate clients
connected to the wireless network. We then used the macchanger utility to change our
wireless card's MAC address to match the client's. This fooled the access point into believing
that we are the legitimate client, and it allowed us access to its wireless network.
You are encouraged to explore the different options of the airodump-ng utility by going
through the documentation on their website:
http://www.aircrack-ng.org/doku.php?id=airodump-ng.
Open Authentication
The term Open Authentication is almost a misnomer, as it actually provides no
authentication at all. When an access point is configured to use Open Authentication, it will
successfully authenticate all clients which connect to it.
We will now do an exercise to authenticate and connect to an access point using Open
Authentication.
Time for action – bypassing Open Authentication
Let us now look at how to bypass Open Authentication:
1. We will first set our lab access point Wireless Lab to use Open Authentication. On
my access point this is simply done by setting Security Mode to None:
2. We then connect to this access point using the command iwconfig wlan0 essid
"Wireless Lab" and verify that the connection has succeeded and that we are
connected to the access point:
3. Note that we did not have to supply any username / password / passphrase to get
through Open Authentication.
What just happened?
This is probably the simplest hack so far. As you saw, it was trivial to break Open
Authentication and connect to the access point.
Shared Key Authentication
Shared Key Authentication uses a shared secret such as the WEP key to authenticate the
client. The exact exchange of information is illustrated next (taken from
http://www.netgear.com):
The wireless client sends an authentication request to the access point, which responds
with a challenge. The client now needs to encrypt this challenge with the shared
key and send it back to the access point, which decrypts this to check if it can recover the
original challenge text. If it succeeds, the client successfully authenticates; otherwise the
access point sends an authentication failed message.
The security problem here is that an attacker passively listening to this entire communication
by sniffing the air has access to both the plain text challenge and the encrypted challenge. He
can apply the XOR operation to retrieve the keystream. This keystream can be used to encrypt
any future challenge sent by the access point without needing to know the actual key.
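Why one observed exchange is enough, as an added simulation (not code from the book or from aireplay-ng): WEP encrypts by XORing the plaintext with an RC4 keystream selected by the IV and the key, so XORing the plain text challenge with the encrypted response returns that keystream. The frame layout is simplified to the challenge plus its CRC-32 ICV, the function names are hypothetical, and the key is the lab WEP key value set later in this text.

```python
import os
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: an unkeyed CRC-32, computable by anyone."""
    return zlib.crc32(data).to_bytes(4, "little")


def client_response(iv: bytes, wep_key: bytes, challenge: bytes) -> bytes:
    """Legitimate client: encrypt challenge || ICV under RC4(IV || key)."""
    plaintext = challenge + icv(challenge)
    return xor(plaintext, rc4_keystream(iv + wep_key, len(plaintext)))


def ap_accepts(iv: bytes, wep_key: bytes, ciphertext: bytes, challenge: bytes) -> bool:
    """Access point: decrypt with its key, then compare challenge and ICV."""
    plaintext = xor(ciphertext, rc4_keystream(iv + wep_key, len(ciphertext)))
    body, check = plaintext[:-4], plaintext[-4:]
    return body == challenge and check == icv(body)


def recover_keystream(challenge: bytes, ciphertext: bytes) -> bytes:
    """Eavesdropper: known plaintext XOR ciphertext = keystream for that IV."""
    return xor(challenge + icv(challenge), ciphertext)


def answer_without_key(keystream: bytes, new_challenge: bytes) -> bytes:
    """Reuse the recovered keystream (and its IV) on a fresh challenge."""
    return xor(new_challenge + icv(new_challenge), keystream)


def simulate() -> dict:
    wep_key = bytes.fromhex("abcdefabcdefabcdefabcdef12")  # known only to AP and client
    iv = b"\x01\x02\x03"                                    # constructed; sent in clear

    # Challenge and encrypted response of a legitimate exchange, both on the air.
    challenge_1 = os.urandom(128)
    response_1 = client_response(iv, wep_key, challenge_1)
    keystream = recover_keystream(challenge_1, response_1)

    # A later exchange: the access point issues a different challenge.
    challenge_2 = os.urandom(128)
    forged = answer_without_key(keystream, challenge_2)
    return {
        "keystream_len": len(keystream),
        "legit_accepted": ap_accepts(iv, wep_key, response_1, challenge_1),
        "forged_accepted": ap_accepts(iv, wep_key, forged, challenge_2),
        # The keystream is only valid together with the IV it was captured under.
        "wrong_iv_accepted": ap_accepts(b"\x09\x09\x09", wep_key, forged, challenge_2),
    }


if __name__ == "__main__":
    print(simulate())
```

Because the sender chooses the IV in WEP, the access point has no basis for rejecting a response that reuses an old one, which is why the forged response verifies.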
In this exercise, we will learn how to sniff the air to retrieve the challenge and the encrypted
challenge, retrieve the keystream, and use it to authenticate to the access point without
needing the shared key.
Time for action – bypassing Shared Authentication
Bypassing Shared Authentication is a bit more challenging than previous exercises, so follow
the steps carefully.
1. Let us first set up Shared Authentication for our Wireless Lab network. I have done
this on my access point by setting the Security Mode as WEP and Authentication as
Shared Key:
2. Let us now connect a legitimate client to this network using the shared key we have
set in step 1.
3. In order to bypass Shared Key Authentication, we will first start sniffing packets
between the access point and its clients. However, we would also like to log the
entire shared authentication exchange. To do this we use airodump-ng with the
command airodump-ng mon0 -c 11 --bssid 00:21:91:D2:8E:25 -w
keystream. The -w option, which is new here, tells airodump-ng to store the
packets in a file whose name is prefixed with the word "keystream". On a side note,
it might be a good idea to store different sessions of packet captures in different
files. This allows you to analyze them long after the trace has been collected:
4. We can either wait for a legitimate client to connect to the access point or force
a reconnect using the Deauthentication technique used previously. Once a client
connects and the shared key authentication succeeds, airodump-ng will capture
this exchange automatically by sniffing the air. An indication that the capture has
succeeded is when the AUTH column reads SKA, that is, Shared Key Authentication, as
shown next:
5. The captured keystream is stored in a file prefixed with the word keystream in
the current directory. In my case the name of the file is
keystream-01-00-21-91-D2-8E-25.xor as shown next:
6. In order to fake a shared key authentication, we will use the aireplay-ng
tool. We run the command aireplay-ng -1 0 -e "Wireless Lab" -y
keystream-01-00-21-91-D2-8E-25.xor -a 00:21:91:D2:8E:25 -h
aa:aa:aa:aa:aa:aa mon0. aireplay-ng uses the keystream we retrieved in
step 5 and tries to authenticate with the access point with SSID Wireless Lab
and MAC address 00:21:91:D2:8E:25, using an arbitrary client MAC address
aa:aa:aa:aa:aa:aa. Fire up Wireshark and sniff all packets of interest by applying
the filter wlan.addr == aa:aa:aa:aa:aa:aa:
7. aireplay-ng lets us know if the authentication succeeded or not in the output:
8. We can verify the same using Wireshark. You should see a trace as shown next on
the Wireshark screen:
9. The first packet is the authentication request sent by the aireplay-ng tool to the
access point:
10. The second packet consists of the access point sending the client a challenge text
as shown:
11. In the third packet, the tool sends the encrypted challenge to the access point:
12. As aireplay-ng used the derived keystream for encryption, the authentication
succeeds and the access point sends a success message in the fourth packet:
13. After authentication succeeds, the tool fakes an association with the access point,
which succeeds as well:
14. If you check the wireless logs in your access point's administrative interface, you
should now see a wireless client with MAC address AA:AA:AA:AA:AA:AA connected:
What just happened?
We were successful in deriving the keystream from a shared authentication exchange, and
we used it to fake an authentication to the access point.
Have a go hero – filling up the access point's tables
Access points have a maximum client count after which they start refusing connections. By
writing a simple wrapper over aireplay-ng, it is possible to automate and send hundreds
of connection requests from random MAC addresses to the access point. This would end up
filling the internal tables and once the maximum client count is reached, the access point
would stop accepting new connections. This is typically what is called a Denial of Service
(DoS) attack and can force the router to reboot or make it dysfunctional. This could lead to
all the wireless clients being disconnected and being unable to use the authorized network.
Check if you can verify this in your lab!
Pop quiz – WLAN authentication
1. You can force a wireless client to re-connect to the access point by?
a. Sending a Deauthentication packet
b. Rebooting the client
c. Rebooting the access point
d. All of the above
2. Open Authentication:
a. Provides decent security
b. No security
c. Requires use of encryption
d. None of the above
3. Breaking Shared Key Authentication works by?
a. Deriving the keystream from the packets
b. Deriving the encryption key
c. Sending Deauthentication packets to the access point
d. Rebooting the access point
Summary
In this chapter, we have learnt the following about WLAN authentication:
- Hidden SSIDs is a security through obscurity feature, which is relatively simple
  to beat.
- MAC address filters do not provide any security as MAC addresses can be sniffed
  from the air from the wireless packets. This is possible because the MAC addresses
  are unencrypted in the packet.
- Open Authentication provides no real authentication at all.
- Shared Key Authentication is a bit tricky to beat but with the help of the right tools we
  can derive and store the keystream, using which it is possible to answer all future
  challenges sent by the access point. The result is that we can authenticate without
  needing to know the actual key.
In the next chapter, we will look at different WLAN encryption mechanisms—WEP,
WPA, and WPA2, and look at the insecurities which plague them.
4
WLAN Encryption Flaws
"640 K is more memory than anyone will ever need."
Bill Gates, Founder, Microsoft
Even with the best of intentions, the future is always unpredictable. The
WLAN committee designed WEP and then WPA to be foolproof encryption
mechanisms but, over time, both of these mechanisms turned out to have flaws,
which have been widely publicized and exploited in the real world.
WLAN encryption mechanisms have had a long history of being vulnerable to cryptographic
attacks. It started with WEP in early 2000, which eventually was broken entirely. In recent
times, attacks are slowly targeting WPA. Even though there is no public attack available
currently to break WPA in all general conditions, there are attacks which are feasible under
special circumstances.
In this chapter, we shall look at the following:
- Different encryption schemas in WLANs
- Cracking WEP encryption
- Cracking WPA encryption
WLAN encryption
WLANs transmit data over the air and thus there is an inherent need to protect data
confidentiality. This is best done using encryption. The WLAN committee (IEEE 802.11)
formulated the following protocols for data encryption:
- Wired Equivalent Privacy (WEP)
- WiFi Protected Access (WPA)
- WiFi Protected Access v2 (WPAv2)
Here, we will look at each of these encryption protocols and demonstrate various attacks
against them.
WEP encryption
The WEP protocol was known to be flawed as early as 2000, but surprisingly it is still
continuing to be used and the access points still ship with WEP-enabled capabilities.
There are many cryptographic weaknesses in WEP and they were discovered by Walker,
Arbaugh, Fluhrer, Martin, Shamir, KoreK, and many others. Evaluation of WEP from a
cryptographic standpoint is beyond the scope of this book, as it involves understanding
complex math. Here, we will look at how to break WEP encryption using readily available
tools on the BackTrack platform. This includes the entire Aircrack-Ng suite of tools—
airmon-ng, aireplay-ng, airodump-ng, aircrack-ng, and others.
Let us now first set up WEP in our test lab and see how we can break it.
Time for action – cracking WEP
Follow the given instructions to get started:
1. Let us first connect to our access point Wireless Lab and go to the settings area that
deals with Wireless Encryption mechanisms:
2. On my access point, this can be done by setting the Security Mode to WEP. We will
also need to set the WEP key length. As shown in the following screenshot, I have
set WEP to use 128 bit keys. I have set the Default WEP Key to WEP Key 1 and have
set the value in hex to abcdefabcdefabcdefabcdef12 as the 128 bit WEP key. You can
set this to whatever you choose:
3. Once the settings are applied, the access point should now be offering WEP as the
encryption mechanism of choice. Let us now set up the attacker machine.
4. Let us bring up wlan0 by issuing the command ifconfig wlan0 up. Then we
will run airmon-ng start wlan0 to create mon0, the monitor mode interface, as
shown in the following screenshot. Verify the mon0 interface has been created using
the iwconfig command:
5. Let's run airodump-ng to locate our lab access point using the command
airodump-ng mon0. As you can see in the following screenshot, we are able to see
the Wireless Lab access point running WEP:
6. For this exercise, we are only interested in the Wireless Lab, so let us enter
airodump-ng --bssid 00:21:91:D2:8E:25 --channel 11 --write
WEPCrackingDemo mon0 to only see packets for this network. Additionally,
we will request airodump-ng to save the packets into a pcap file using the
--write directive:
7. Now let us connect our wireless client to the access point and use the WEP key as
abcdefabcdefabcdefabcdef12. Once the client has successfully connected,
airodump-ng should report it on the screen:
8. If you do an ls in the same directory, you will be able to see files prefixed with
WEPCrackingDemo-* as shown in the following screenshot. These are traffic-dump
files created by airodump-ng:
9. If you look at the airodump-ng screen, the number of data packets listed under the
#Data column is very small (only 68). In WEP cracking, we need a large
number of data packets, encrypted with the same key, to exploit weaknesses in the
protocol. So, we will have to force the network to produce more data packets. To do
this, we will use the aireplay-ng tool:
10. We will capture ARP packets on the wireless network using aireplay-ng and
inject them back into the network, to simulate ARP responses. We will be starting
aireplay-ng in a separate window, as shown in the next screenshot. Replaying
these packets a few thousand times, we will generate a lot of data traffic on the
network. Even though aireplay-ng does not know the WEP key, it is able to
identify the ARP packets by looking at the size of the packets. ARP is a fixed header
protocol and thus the size of the ARP packet can be easily determined and can be
used for identifying them even within encrypted traffic. We will run aireplay-ng
with the options that are discussed next. The -3 option is for ARP replay, -b
specifies the BSSID of our network, and -h specifies the client MAC address that we
are spoofing. We need to do this, as the replay attack will only work for authenticated
and associated client MAC addresses.
11. Very soon you should see that aireplay-ng was able to sniff ARP packets and has
started replaying them into the network:
12. At this point, airodump-ng will also start registering a lot of data packets. All
these sniffed packets are being stored in the WEPCrackingDemo-* files that we
saw previously:
13. Now, let us start with the actual cracking part! We fire up aircrack-ng with
the option WEPCrackingDemo-01.cap in a new window. This will start the
aircrack-ng software and it will begin working on cracking the WEP key using the
data packets in the file. Note that it is a good idea to have airodump-ng collecting
the WEP packets, aireplay-ng doing the replay attack, and aircrack-ng
attempting to crack the WEP key based on the captured packets, all running at the same
time. In this experiment, all of them are open in separate windows:
14. Your screen should look like the following screenshot, when aircrack-ng is
working on the packets to crack the WEP key:
15. The number of data packets required to crack the key is non-deterministic, but
generally in the order of a hundred thousand or more. On a fast network (or using
aireplay-ng), this should take 5-10 minutes at most. If the number of data
packets currently in the file is not sufficient, then aircrack-ng will pause as
shown in the following screenshot and wait for more packets to be captured, and
will then restart the cracking process:
16. Once enough data packets have been captured and processed, Aircrack-ng
should be able to break the key. Once it does, it proudly displays it in the terminal
and exits as shown in the following screenshot:
17. It is important to note that WEP is totally flawed and any WEP key (no matter how
complex) will be cracked by Aircrack-ng. The only requirement is that a great
enough number of data packets, encrypted with this key, need to be made available
to Aircrack-ng.
What just happened?
We set up WEP in our lab and successfully cracked the WEP key. In order to do this, we
first waited for a legitimate client of the network to connect to the access point. After this,
we used the aireplay-ng tool to replay ARP packets into the network. This caused the
network to send ARP replay packets, thus greatly increasing the number of data packets sent
over the air. We then used aircrack-ng to crack the WEP key by analyzing cryptographic
weaknesses in these data packets.
Note that we can also fake an authentication to the access point using the Shared Key
Authentication bypass technique we learnt in the last chapter. This can come in handy if
the legitimate client leaves the network. This will ensure we can spoof an authentication and
association and continue to send our replayed packets into the network.
Have a go hero – fake authentication with WEP cracking
In the previous exercise, if the legitimate client had suddenly logged off the network, we
would not be able to replay the packets as the access point will not accept packets from unassociated clients.
Your challenge would be to fake an authentication and association using the Shared Key
Authentication bypass we learnt in the last chapter, while WEP cracking is going on. Log off
the legitimate client from the network and verify if you are still able to inject packets into the
network and if the access point accepts and responds to them.
WPA/WPA2
WPA (or WPA v1 as it is referred to sometimes) primarily uses the TKIP encryption algorithm.
TKIP was aimed at improving WEP, without requiring completely new hardware to run it.
WPA2 in contrast mandatorily uses the AES-CCMP algorithm for encryption, which is much
more powerful and robust than TKIP.
Both WPA and WPA2 allow for either EAP-based authentication, using Radius servers
(Enterprise) or a Pre-Shared Key (PSK) (Personal)-based authentication schema.
WPA/WPA2 PSK is vulnerable to a dictionary attack. The inputs required for this attack are
the four-way WPA handshake between client and access point, and a wordlist containing
common passphrases. Then, using tools like Aircrack-ng, we can try to crack the
WPA/WPA2 PSK passphrase.
An illustration of the four-way handshake is shown in the following screenshot:
The way WPA/WPA2 PSK works is that it derives the per-session key, called the Pairwise
Transient Key (PTK), using the Pre-Shared Key and five other parameters: SSID of Network,
Authenticator Nonce (ANonce), Supplicant Nonce (SNonce), Authenticator MAC
address (Access Point MAC), and Supplicant MAC address (Wi-Fi Client MAC). This key is
then used to encrypt all data between the access point and client.
An attacker who is eavesdropping on this entire conversation by sniffing the air can get all
the five parameters mentioned in the previous paragraph. The only thing he does not have
is the Pre-Shared Key. So how is the Pre-Shared Key created? It is derived by using the
WPA-PSK passphrase supplied by the user, along with the SSID. The combination of both of
these is sent through the Password Based Key Derivation Function (PBKDF2), which outputs the
256-bit shared key.
In a typical WPA/WPA2 PSK dictionary attack, the attacker would use a large dictionary of
possible passphrases with the attack tool. The tool would derive the 256-bit Pre-Shared Key
from each of the passphrases and use it with the other parameters described previously to
create the PTK. The PTK will be used to verify the Message Integrity Check (MIC) in one of
the handshake packets. If it matches, then the guessed passphrase from the dictionary was
correct; otherwise it was incorrect. Eventually, if the authorized network passphrase exists in
the dictionary, it will be identified. This is exactly how WPA/WPA2 PSK cracking works! The
following figure illustrates the steps involved:
In the next exercise, we will look at how to crack a WPA PSK wireless network. The exact
same steps will be involved in cracking a WPA2-PSK network using CCMP(AES) as well.
Time for action – cracking WPA-PSK weak passphrase
Follow the given instructions to get started:
1. Let us first connect to our access point Wireless Lab and set the access point to use
WPA-PSK. We will set the WPA-PSK passphrase to abcdefgh, so that it is vulnerable
to a dictionary attack:
2. We start airodump-ng with the command airodump-ng --bssid
00:21:91:D2:8E:25 --channel 11 --write WPACrackingDemo mon0, so that it
starts capturing and storing all packets for our network:
3. Now we can wait for a new client to connect to the access point, so that we can
capture the four-way WPA handshake or we can send a broadcast de-authentication
packet to force clients to reconnect. We do the latter to speed things up:
4. As soon as we capture a WPA handshake, airodump-ng will indicate it on the
top-right corner of the screen with a WPA Handshake: followed by the access
point's BSSID:
5. We can stop airodump-ng now. Let's open up the cap file in Wireshark and view
the four-way handshake. Your Wireshark terminal should look like the following
screenshot. I have selected the first packet of the four-way handshake in the
trace file, in the following screenshot. The handshake packets are the ones whose
protocol is EAPOL Key:
6. Now we will start the actual key cracking exercise! For this, we need a dictionary
of common words. BackTrack ships with a dictionary file darkc0de.lst located as
shown in the following screenshot. It is important to note that in WPA cracking,
you are just as good as your dictionary. BackTrack ships with some dictionaries, but
these may be insufficient. Passwords that people choose depend on a lot of things,
including which country the users belong to, common names and
phrases in that region, security awareness of the users, and a host of other things. It
may be a good idea to aggregate country- and region-specific word lists when going
out for a penetration test:
7. We will now invoke aircrack-ng with the pcap file as input and a link to the
dictionary file as shown in the screenshot:
8. Aircrack-ng uses the dictionary file to try various combinations of passphrases
and tries to crack the key. If the passphrase is present in the dictionary file, it will
eventually crack it and your screen will look similar to the one in the screenshot:
9. Please note that, as this is a dictionary attack, the prerequisite is that the passphrase
must be present in the dictionary file you are supplying to aircrack-ng. If the
passphrase is not present in the dictionary, the attack will fail!
What just happened?
We set up WPA-PSK on our access point with a common passphrase abcdefgh. We then
used a de-authentication attack to force legitimate clients to reconnect to the access point.
When they reconnect, we capture the four-way WPA handshake between the access point
and the client.
As WPA-PSK is vulnerable to a dictionary attack, we feed the capture file containing the
WPA four-way handshake and a list of common passphrases (in the form of a wordlist) to
Aircrack-ng. As the passphrase abcdefgh is present in the wordlist, Aircrack-ng is
able to crack the WPA-PSK shared passphrase. It is very important to note again that in
WPA dictionary-based cracking, you are just as good as the dictionary you have. Thus, it is
important to compile together a large and elaborate dictionary before you begin. Though
BackTrack ships with its own dictionary, it may be insufficient at times, and would need more
words, especially based on the localization factor.
Have a go hero – trying WPA-PSK cracking with Cowpatty
Cowpatty is a tool, which can also crack a WPA-PSK passphrase using a dictionary attack.
This tool is included with BackTrack. I leave it as an exercise for you to use Cowpatty to
crack the WPA-PSK passphrase.
Also, try setting an uncommon passphrase, not present in the dictionary, and try the attack
again. You will now be unsuccessful in cracking the passphrase, with both Aircrack-ng
and Cowpatty.
It is important to note that, the same attack applies even to a WPA2 PSK network. I would
encourage you to verify this independently.
Speeding up WPA/WPA2 PSK cracking
We have already seen in the previous section that if we have the correct passphrase in
our dictionary, cracking WPA-Personal will work every time like a charm. So why don't we
just create a large elaborate dictionary of millions of common passwords and phrases
people use? This would help us a lot and most of the time, we would end up cracking the
passphrase. It all sounds great, but we are missing one key component here: the time taken.
One of the more CPU-intensive and time-consuming calculations is that of the Pre-Shared Key
using the PSK passphrase and the SSID through PBKDF2. This function hashes the combination
of both over 4,096 times before outputting the 256-bit Pre-Shared Key. The next step of
cracking involves using this key along with parameters in the four-way handshake and
verifying against the MIC in the handshake. This step is computationally inexpensive. Also,
the parameters will vary in the handshake every time and hence, this step cannot be
precomputed. Thus, to speed up the cracking process we need to make the calculation of the
Pre-Shared Key from the passphrase as fast as possible.
We can speed this up by pre-calculating the Pre-Shared Key, also called the Pairwise Master
Key (PMK) in the 802.11 standard parlance. It is important to note that, as the SSID is also
used to calculate the PMK, with the same passphrase but a different SSID, we would end up
with a different PMK. Thus, the PMK depends on both the passphrase and the SSID.
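The derivation described above, written out as an added example (it is not code from the book or from any of the tools it uses). It checks that a PMK computed for one SSID does not carry over to another and measures what one derivation costs on the local machine. "Wireless Lab" and abcdefgh are the lab values from this chapter; "Wireless Lab 2", the timing inputs and the one-million-entry wordlist size are constructed.

```python
import hashlib
import time


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("a WPA passphrase uses printable ASCII only")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("an SSID is 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def table_is_reusable(passphrase: str, table_ssid: str, network_ssid: str) -> bool:
    """True if a PMK precomputed for table_ssid would also match network_ssid."""
    return derive_pmk(passphrase, table_ssid) == derive_pmk(passphrase, network_ssid)


def seconds_per_pmk(samples: int = 5) -> float:
    """Average wall-clock cost of one PMK derivation on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        # Constructed inputs, used only to time the function.
        derive_pmk(f"constructed-{i:04d}", "Constructed SSID")
    return (time.perf_counter() - start) / samples


def hours_for_wordlist(entries: int, per_pmk: float) -> float:
    """Single-core time to derive a PMK for every wordlist entry, in hours."""
    return entries * per_pmk / 3600


if __name__ == "__main__":
    # "Wireless Lab" and "abcdefgh" are the lab values used in this chapter;
    # "Wireless Lab 2" and the one-million-entry wordlist are constructed.
    print("PMK:", derive_pmk("abcdefgh", "Wireless Lab").hex())
    print("reusable on another SSID:",
          table_is_reusable("abcdefgh", "Wireless Lab", "Wireless Lab 2"))
    cost = seconds_per_pmk()
    print(f"{cost * 1000:.2f} ms per PMK, "
          f"{hours_for_wordlist(1_000_000, cost):.2f} h per million entries")
```

Because the SSID is the salt, a pre-calculated PMK file only helps against the SSID it was built for, and only if the passphrase is in the wordlist. A network with a non-default SSID and a long passphrase that appears in no dictionary gains nothing for an attacker from pre-calculation.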
In the next exercise, we will look at how to pre-calculate the PMK and use it for WPA/WPA2
PSK cracking.
Time for action – speeding up the cracking process
1. We can pre-calculate the PMK for a given SSID and wordlist using the genpmk tool
with the command genpmk -f /pentest/passwords/wordlists/darkc0de.lst
-d PMK-Wireless-Lab -s "Wireless Lab" as shown in the following
screenshot. This creates the file PMK-Wireless-Lab that contains the pre-generated PMK:
2. We now create a WPA-PSK network with the passphrase sky sign (present in the
dictionary we used) and capture a WPA-handshake for that network. We now use
Cowpatty to crack the WPA passphrase as shown in the following screenshot:
3. It takes approximately 7.18 seconds for Cowpatty to crack the key, using the
pre-calculated PMKs as shown in the screenshot:
4. We now use aircrack-ng with the same dictionary file and the cracking
process takes over 22 minutes. This shows how much we are gaining because
of the pre-calculation:
5. In order to use these PMKs with aircrack-ng, we need to use a tool called
airolib-ng. We will give it the options airolib-ng PMK-Aircrack --import
cowpatty PMK-Wireless-Lab, where PMK-Aircrack is the aircrack-ng
compatible database to be created and PMK-Wireless-Lab is the genpmk-compliant
PMK database, which we had created previously:
6. We now feed this database to aircrack-ng and the cracking process speeds
up remarkably. The command we use is aircrack-ng -r PMK-Aircrack
WPACrackingDemo2-01.cap:
7. There are other tools available on BackTrack, such as Pyrit, that can leverage
multi-CPU systems to speed up cracking. We give the pcap filename with the
-r option and the genpmk-compliant PMK file with the -i option. Even on the
same system used with the previous tools, Pyrit takes around three seconds
to crack the key, using the same PMK file created using genpmk as shown in the
following screenshot:
What just happened?
We looked at various tools and techniques to speed up WPA/WPA2-PSK cracking.
The whole idea is to pre-calculate the PMK for a given SSID and a list of passphrases in
our dictionary.
Decrypting WEP and WPA packets
In all the exercises we have done till now, we have cracked WEP and WPA keys using various
techniques. But what do we do with this information? The first step would be to decrypt
the data packets we have captured, using these keys.
In the next exercise, we will decrypt the WEP and WPA packets in the same trace file that we
captured over the air, using the keys we cracked.
Time for action – decrypting WEP and WPA packets
1. We will decrypt packets from the same WEP capture file we created earlier,
WEPCrackingDemo-01.cap. For this, we will use another tool in the Aircrack-ng
suite called Airdecap-ng. We run the following command as shown in the
following screenshot: airdecap-ng -w abcdefabcdefabcdefabcdef12
WEPCrackingDemo-01.cap, using the WEP key we cracked previously:
2. The decrypted packets are stored in a file named WEPCrackingDemo-01-dec.cap. We
use the tshark utility to view the first ten packets in the file. Please note that you
may see something different based on what you captured:
3. WPA/WPA2 PSK would work in exactly the same way as with WEP using the
airdecap-ng utility, as shown in the following figure, with the airdecap-ng -p
abcdefgh WPACrackingDemo-01.cap -e "Wireless Lab" command:
What just happened?
We just saw how we can decrypt WEP and WPA/WPA2-PSK encrypted packets using
Airdecap-ng. It is interesting to note that we can do the same using Wireshark. We would
encourage you to explore how this can be done by consulting the Wireshark documentation.
Connecting to WEP and WPA networks
We can also connect to the authorized network after we have cracked the network key. This
can come in handy during penetration testing. Logging onto the authorized network with
the cracked key is the ultimate proof you can provide your client that his network is insecure.
Time for action – connecting to a WEP network
1. Use the iwconfig utility to connect to a WEP network, once you have the key. In a
past exercise, we broke the WEP key, abcdefabcdefabcdefabcdef12:
What just happened?
We saw how to connect to a WEP network.
Time for action – connecting to a WPA network
1. In the case of WPA, the matter is a bit more complicated. The iwconfig utility cannot
be used with WPA/WPA2 Personal and Enterprise, as it does not support them. We will
use a new tool called WPA_supplicant for this lab. To use WPA_supplicant for a
network, we will need to create a configuration file as shown in the screenshot. We
will name this file wpa-supp.conf:
2. We will then invoke the WPA_supplicant utility with the options -Dwext
-iwlan0 -c wpa-supp.conf to connect to the WPA network we just cracked,
as shown. Once the connection is successful, WPA_supplicant will give you the
message Connection to XXXX completed:
3. For both the WEP and WPA networks, once you are connected, you will want to use
dhclient3 to grab a DHCP address from the network as shown next:
What just happened?
The default Wi-Fi utility iwconfig cannot be used to connect to WPA/WPA2 networks. The
de facto tool for this is WPA_supplicant. In this lab, we saw how we can use it to connect
to a WPA network.
Pop quiz – WLAN encryption flaws
1. What packets are used for Packet Replay?
a. De-authentication packet
b. Associated packet
c. Encrypted ARP packet
d. None of the above
2. WEP can be cracked:
a. Always
b. Only when a weak key/passphrase is chosen
c. Under special circumstances only
d. Only if the access point runs old software
3. WPA can be cracked:
a. Always
b. Only if a weak key/passphrase is chosen
c. If the client contains old firmware
d. Even with no client connected to the wireless network
Summary
In this chapter, we have learnt the following about WLAN encryption:
‹‹ WEP is flawed and no matter what the WEP key is, with enough data packet samples
it is always possible to crack WEP.
‹‹ WPA/WPA2 is currently cryptographically un-crackable; however, under special
circumstances, such as when a weak passphrase is chosen in WPA/WPA2-PSK, it is
possible to retrieve the passphrase using dictionary attacks.
‹‹ In the next chapter, we will look at different attacks on the WLAN Infrastructure,
such as rogue access points, evil twins, bit flipping attacks, and so on.