
Chapter 7: Attacking WPA-Protected 802.11 Networks

WPA/802.11i vastly improves the security of wireless networks. While the previous chapter outlined a variety of unique attacks against WEP, none of those attacks are nearly as effective against even the weakest WPA-protected network. This extra protection comes at the price of added complexity to the protocol. This chapter gives a brief primer on the cryptographic options available in WPA, as well as enough details about the protocol that the attacks against WPA can be properly explained. After that, it moves on to all of the practical attacks that can be launched against WPA-protected networks.

BREAKING WPA/802.11i

Both WPA and 802.11i raise the bar substantially when it comes to hacking wireless networks. Of course, nothing is bulletproof, and WPA/802.11i both have their flaws. Some readers may be surprised to see them covered in the same section; however, the biggest difference between 802.11i (commonly referred to as WPA2) and WPA is the type of encryption used (RC4 vs. AES) and the protocol used for confidentiality and integrity (TKIP vs. CCMP).

Despite the rhetoric flying around the Internet, RC4 is not, in fact, broke. RC4 is a very elegant algorithm with a lot of history. The next time someone starts talking about how broken RC4 is (or how doomed WPA is since it uses RC4), ask them if they know that it's possibly securing their SSL traffic. The trick (as with all cryptographic tools) is in its use. RC4 is used carefully in WPA. While AES is certainly more robust in the long term, don't just assume WPA is insecure because RC4 is allegedly "broke."

There are a few attacks against TKIP (and hence WPA) that don't affect CCMP and, therefore, don't affect WPA2/802.11i in most configurations. The most well-known weakness is Michael, the algorithm used in WPA to protect the integrity of packets. This weakness can, in theory, be exploited to create a DoS attack against networks using WPA. Of course, a microwave can be exploited to DoS wireless networks as well, so this isn't much of a head turner.

A much more interesting (cryptographically) attack has also been found against TKIP, however. This attack, discovered by three researchers in Norway (Moen, Raddum, and Hole), is the first unexpected chink in TKIP's armor. It describes an attack that can recover a temporal key in 2^105 operations (as opposed to brute-force, which would be 2^128). Though hardly a practical concern yet, it might be one of those things that people keep optimizing away until it turns into a real problem.

WPA/802.11i Background

Before covering the details of WPA cracking, it helps to review some background. WPA and 802.11i are much more complicated than WEP. You have to spend a lot of time studying the standards and various other resources to understand them in detail. For the sake of brevity, they will not be covered in excruciating detail here. The goal of this section is to cover the basics.

WPA/802.11i can be run in either home or enterprise mode. Home mode means that the AP and all the clients are using a pre-shared key (PSK). Enterprise mode means that the organization is using a RADIUS server for authentication. Despite the name, many businesses use PSK (home) mode because it's much easier to deploy. Figure 7-1 shows the authentication details when using a pre-shared key with WPA.

Figure 7-1: A successful four-way handshake, using a PMK derived from a passphrase

Notice that the pairwise master key (PMK) is computed from the PSK and SSID without any dynamic information. That means when you type your passphrase into the OS, it will probably not store your plaintext PSK. It will compute the PMK once and store that instead. On Windows, the PMK is stored in the registry; on Linux, it is usually stored in the wpa_supplicant.conf file. The PMK is created by hashing the passphrase 4096 times. When the IEEE created WEP, they didn't specify a technique for converting passphrases to keys, which leads to the 21-bit Newsham attack (described in the previous chapter). WPA has no such deficiency.

Once the client has the PMK, it engages the AP in a protocol to create a new, temporary key called the pairwise transient key (PTK). These temporary keys are created dynamically every time the client connects (and then possibly changed periodically). The temporarily created keys are a function of the PMK, a random number (supplied by the AP, A-nonce), another random number (supplied by the client, S-nonce), and the MAC addresses of the client and AP. The reason the keys are created from so many variables is to ensure they are unique and nonrepeating.

The AP verifies the client actually has the PMK by checking the Message Integrity Code (MIC) field during the authentication exchange. The Message Integrity Check is a cryptographic hash of the packet. The MIC is used simultaneously to prevent tampering of packets and to verify that the client has the key. If the client does not have the PMK, it can't successfully derive the PTK. If the client can't derive the PTK, it can't compute the correct hash of the packet. The client verifies that the AP has the PMK in the same way.
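The key hierarchy described above, written out as an added example (not code from the book or from any tool it covers): the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, the PTK comes from the 802.11i PRF, and the AP checks the handshake MIC. The MAC addresses and passphrase are the chapter's; the nonces and frame bytes are constructed stand-ins, and the function names are illustrative.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # PBKDF2-HMAC-SHA1 with the SSID as salt: 4096 iterations, 256-bit result.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated.
    out = b""
    for counter in range((nbytes + 19) // 20):
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    # Addresses and nonces are ordered (lower value first) so both sides agree.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)  # 512-bit PTK (TKIP)

def handshake_mic(ptk: bytes, eapol_frame: bytes, wpa2: bool = False) -> bytes:
    # The first 16 bytes of the PTK are the key confirmation key (KCK).
    # WPA keys the MIC with HMAC-MD5; WPA2 uses HMAC-SHA1 truncated to 16 bytes.
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(ptk[:16], eapol_frame, digest).digest()[:16]

def ap_accepts(pmk, ap_mac, sta_mac, anonce, snonce, frame, mic, wpa2=False) -> bool:
    # AP-side check: recompute the MIC from its own PMK, compare in constant time.
    ptk = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(handshake_mic(ptk, frame, wpa2), mic)

# Addresses from the chapter's example; nonces and frame bytes are constructed.
AP_MAC = bytes.fromhex("0014bf3a6cef")
STA_MAC = bytes.fromhex("000a95f32fab")
ANONCE = hashlib.sha256(b"constructed A-nonce").digest()
SNONCE = hashlib.sha256(b"constructed S-nonce").digest()
FRAME = b"constructed EAPOL-Key message 2 with its MIC field zeroed"

if __name__ == "__main__":
    pmk = derive_pmk("exclusive", "Beleriand")
    ptk = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    mic = handshake_mic(ptk, FRAME)
    args = (AP_MAC, STA_MAC, ANONCE, SNONCE, FRAME, mic)
    print("right passphrase accepted:", ap_accepts(pmk, *args))
    print("wrong passphrase accepted:",
          ap_accepts(derive_pmk("exclusion", "Beleriand"), *args))
    print("same PMK under another SSID:", derive_pmk("exclusive", "linksys") == pmk)
    fresh = derive_ptk(pmk, AP_MAC, STA_MAC,
                       hashlib.sha256(b"next A-nonce").digest(), SNONCE)
    print("PTK reused in the next session:", fresh == ptk)
```

Only the PMK is static; the PTK changes with every pair of nonces, which is why a capture without the handshake cannot be tied back to a key.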

When attacking WPA, you are most interested in recovering the PMK. If the network is set up in pre-shared key mode, the PMK allows you to read all the other clients' traffic (with some finagling) and to authenticate yourself successfully.

WPA/WPA2 in Enterprise Mode

When authenticating to a WPA-based network in enterprise mode, the PMK is created dynamically, every time a user connects. This means that even if you recovered a PMK magically, you would only be able to impersonate a single user for a specific connection.

When the PMKs are created dynamically, the client must somehow talk to an authentication server. The authentication server and the client exchange messages, and the server ultimately decides whether to accept or reject the user. For the client to talk to the authentication server, the AP must forward it packets. The AP is careful to forward only packets from the client that are for authentication purposes. The AP will not forward normal data packets until the client is properly authenticated.

Assuming the RADIUS server accepts, the user and the authentication server both derive the same PMK. The details of how the PMK is created vary depending on the authentication type, but the important thing is that it is a cryptographically strong random number both sides can compute. The authentication server then tells the AP to let the user connect and also sends the PMK to the AP. Because the PMKs are created dynamically, the AP must remember which PMK corresponds to which user.

When the AP and client both have the PMK, they engage in the same four-way handshake illustrated in Figure 7-1. This process ensures both the AP and the client have the (dynamically generated) PMK. Figure 7-2 shows the enterprise-based authentication process.

Figure 7-2: A generic WPA enterprise authentication exchange. The AP must proxy authentication packets between the client and RADIUS server.

EAP, 802.1X Introduction

In Figure 7-2, you probably noticed that many packets have EAP in them. EAP stands for Extensible Authentication Protocol. Basically, EAP is a protocol designed to carry arbitrary authentication protocols, sort of an authentication meta-protocol. EAP allows devices, such as access points, to be ignorant of specific authentication protocol details.

802.1X is a protocol designed to authenticate users on wired LANs. 802.1X uses EAP for authentication, and WPA/WPA2 uses 802.1X. When the client sends authentication packets to the AP, it uses EAPOL (EAP over LAN), a standard specified in the 802.1X documentation. When the AP talks to the authentication server, it encapsulates the body of the EAP authentication packet in a RADIUS packet.

When an AP is using WPA in enterprise mode, it does not know how you authenticate to the network. All the AP does is pass messages back and forth between you and the authentication (aka RADIUS) server. Eventually, the AP expects the RADIUS server to let it know whether or not to let you in. If the RADIUS server does allow the client, it will also have to send the user's PMK to the AP.

As you might have guessed, there are quite a few different authentication techniques implemented on top of EAP. Some of the most popular are EAP-TLS (certificate-based authentication) and PEAP. The details of these and how to attack them are coming up later in the chapter.

Generally speaking, it's not important to understand where 802.1X ends, EAP/EAPOL begins, and RADIUS comes into play. It is important to realize that when using enterprise authentication, the client and the authentication server send each other specially formatted authentication packets. To do this, the AP must proxy messages back and forth until the authentication server tells the AP to stop or to allow the client access.

Breaking WPA-PSK

Popularity: 7
Simplicity: 4
Impact: 9
Risk Rating: 7

The most straightforward attack against WPA-PSK is a dictionary attack. This attack exploits our human propensity for choosing easy to remember passwords. Basically, you just grab a dictionary file, start hashing the words, and hope you get the right PMK. Because this attack is pretty obvious, the IEEE put a lot of work into making it as difficult as possible.

Figure 7-1 shows that the PMK is derived by hashing the user's pre-shared key 4096 times. While hashing the PSK 4096 times is no problem for legitimate users, it definitely slows down an attacker trying to guess the PSK.

Figure 7-1 also shows that the PMK is not just a hash of the PSK, but also of the SSID of the network, which makes precomputing hashes ineffective. The result is that if two networks use the same passphrase but have different SSIDs, the PMK will be different. If WPA didn't do this, you could generate a big dictionary file of common passwords, hash them all once, and look up passphrases for every network without recomputing the hashes. Making the PMK depend on the SSID means that you need to hash dictionary words for every SSID you are interested in.

Finally, it is important to note that cracking WPA2-PSK is no harder than cracking WPA-PSK. In both cases, the same hashing function is used to generate the PMK. The only difference is that in WPA2 a different function is used to create the MIC during a four-way handshake. This means that hash tables created for WPA also work for WPA2 when using cowpatty.

Cracking WPA-PSK Using cowpatty

cowpatty is the tool of choice for cracking WPA-PSK. cowpatty was created by Joshua Wright and is designed to run on Linux, though compiling it on other flavors of UNIX shouldn't be too difficult. To use cowpatty, you need a capture file containing the four-way handshake detailed previously in Figure 7-1. You will also need to know the SSID of the network you are interested in cracking.

You need the four-way handshake because in order to verify that you successfully guessed the passphrase, cowpatty has to run through the entire PTK derivation process. To do this, cowpatty needs the A-nonce and S-nonce values exchanged in the handshake. Once it has those, it checks to see if you compute the same MIC for a packet in the handshake that the user did. If not, you guessed the wrong passphrase.

Assume your scanner identified a network named Beleriand operating on channel 3 with a BSSID of 00:14:bf:3a:6c:ef and that the client you have targeted to deauth has an address of 00:0a:95:f3:2f:ab. You would issue the following commands to capture packets, deauth the user, and attempt the dictionary attack with cowpatty:

[root@phoenix:/home/johnycsh/cowpatty-3.1beta1]$ iwconfig ath0 channel 3
[root@phoenix:/home/johnycsh/cowpatty-3.1beta1]$ tcpdump -i ath0 -s 0 -w de-auth-beleriand.pcap &

<switch terminals>
[root@phoenix:/home/johnycsh/airbase/tools/pcap2air]$ ./pcap2air -i ath0 -r madwifi -c 3 -f ../../dist-pcaps/std-pcaps/disassoc.pcap -d 00:0a:95:F3:2F:AB -s 00:14:bf:3a:6c:ef -b 00:14:bf:3a:6c:ef -n 4
<switch terminals>
[root@phoenix:/home/johnycsh/cowpatty-3.1beta1]$ killall tcpdump
[root@phoenix:/home/johnycsh/cowpatty-3.1beta1]$ ./cowpatty -r ./de-auth-beleriand.pcap -s Beleriand -f ./dict
cowpatty 3.1beta1 - WPA-PSK dictionary attack. <jwright@hasborg.com>

Collected all necessary data to mount crack against WPA/PSK passphrase.
Starting dictionary attack.  Please be patient.
key no. 1000: apportion
key no. 2000: cantabile
key no. 3000: contract
key no. 4000: divisive

The PSK is "exclusive".

4092 passphrases tested in 100.48 seconds:  40.73 passphrases/second

Creating Hash Tables with cowpatty

cowpatty has integrated support for creating hash tables. This means that if there is a popular SSID (say, linksys) that you would like to crack fairly often, you can hash the dictionary file once and save it, instead of rehashing all the time.

If you wanted to be able to attack networks named Beleriand quickly, you could use the genpmk tool, which is bundled with cowpatty, as follows:

[root@phoenix:/home/johnycsh/cowpatty-3.1beta1]$ ./genpmk -f ./dict -d ./Beleriand-hashed-dict -s Beleriand
genpmk 1.0 - WPA-PSK precomputation attack. <jwright@hasborg.com>
File ./hashed-dict does not exist, creating.
key no. 1000: apportion
key no. 2000: cantabile
key no. 3000: contract
key no. 4000: divisive

4093 passphrases tested in 97.83 seconds:  41.84 passphrases/second

The file Beleriand-hashed-dict now contains all the hashes of the words in the dict file for the SSID Beleriand. Rerunning the attack using the precomputed hash tables goes much faster:

[root@phoenix:/home/johnycsh/cowpatty-3.1beta1]$ ./cowpatty -r ./de-auth-beleriand.pcap -s Beleriand -d ./Beleriand-hashed-dict
The PSK is "exclusive".

4092 passphrases tested in 0.07 seconds:  62363.79 passphrases/second

Notice the massive increase in speed since cowpatty is no longer computing any hashes.

Hardware-accelerated WPA Cracking

Finally, if you are really interested in cracking a WPA-PSK network, you can use a hardware-accelerated version of cowpatty. Like the accelerated version of jc-wepcrack, this version uses an FPGA-based board from Pico Computing.

Fortunately, the SHA-1 algorithm lends itself to hardware implementation. A low-end LX25 card from Pico can try approximately 430 words a second. A 3.6-GHz P4 can do about 100. If you are interested in the hardware-accelerated version of cowpatty, be sure to visit http://www.openciphers.org for the latest details.

Decrypting WPA-PSK Packet Captures

Popularity: 6
Simplicity: 4
Impact: 6
Risk Rating: 5

Okay, so either you successfully used cowpatty to get into a WPA-PSK network or you already knew the key. At any rate, you want to be able to read other users' packets. You would think this would be an easy thing to do.

The problem is that every user has a unique pairwise transient key (PTK) that was generated when they associated with the network. Even though you have the passphrase or the PMK, you don't know what PTK they generated.

This makes it very difficult to read packets that were captured in the past, even if you know the PMK. However, it doesn't stop users who know the PMK from snooping on each other once they decide they are interested. The solution is to simply deauth the user, forcing them to re-authenticate to the network. Once the user does that, you will see them negotiate the PTK with the AP. Because you know the PMK, you can derive the PTK as well and start decrypting the user's packets.

Decrypting Packet Captures with airdecap

airdecap is one of the tools included with aircrack. It actually runs on Linux, OS X, and Windows. airdecap lets you decrypt WPA- and WEP-encrypted packets. When decrypting packets protected by WPA, you need to provide airdecap with either the PMK or passphrase. Assuming that you want to decrypt the same pcap file created in the earlier cowpatty example, you would issue the following command:

[johnycsh@phoenix:~/cowpatty-3.1beta1]$ airdecap -e Beleriand -p exclusive ./de-auth-beleriand.pcap
Total number of packets read            598
Total number of WEP data packets          0
Total number of WPA data packets        230
Number of plaintext data packets          0
Number of decrypted WEP  packets          0
Number of decrypted WPA  packets         41

If you get zero decrypted WPA packets, either the passphrase is wrong, the SSID is wrong, or you don't have a four-way handshake in the pcap file. Lacking the four-way handshake is the most common reason for failure. Once airdecap has finished, a file named de-auth-beleriand-dec.pcap is created in the current directory. If you have somehow recovered the PMK but not the passphrase, you can pass the PMK directly into airdecap with -k.

Preventing WPA-PSK Dictionary Attacks

The most effective way to prevent WPA-PSK attacks is to choose a good passphrase. Needless to say, dictionary words are out. Also, most operating systems don't make you actually type the password every time, so don't feel too bad about making users remember long random strings. They only have to remember it for as long as it takes to type it once. As always, it never hurts to change your passphrase regularly either.

Another good deterrent is to choose a unique SSID. If your SSID is linksys, someone has most likely already computed a hash table for your SSID. The easiest thing to do is append some random number to your SSID (which is why many default APs now look like linksys_SES_random_number).

Remember, the only way someone can successfully decrypt your WPA-PSK session is if they recover the PMK. When using WPA-PSK, the most likely technique the attacker will use is a dictionary attack, so choose a strong passphrase. It's possible that your AP will actually support using different passphrases for different users. This would minimize the amount of damage an attacker could do if he successfully obtained the PMK or passphrase; however, this feature is pretty rare.

Finally, even if an attacker obtains the PMK, he needs to capture the four-way handshake so he can derive your PTK. Most attackers accomplish this by transmitting a deauthentication packet to the victim. Though it's still not a very feasible defense (because OS/driver writers don't include the feature), the ability to ignore deauthentication packets would be one more hurdle for an attacker to overcome.
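A configuration check built from the advice in this section, as an added example (not from the book or from cowpatty): it flags a dictionary passphrase and an SSID likely to have a precomputed table, and turns the chapter's measured guess rates into exposure times. The SSID list and word list are small constructed samples, and the keyspace figure assumes uniformly random characters.

```python
import math
import string

# Guess rates (passphrases/second) and dictionary size quoted in this chapter.
RATE_COMPUTED = 40.73         # cowpatty hashing every word
RATE_PRECOMPUTED = 62363.79   # cowpatty reading a genpmk hash table
RATE_FPGA = 430.0             # Pico LX25 card
DICT_SIZE = 4092

COMMON_SSIDS = {"linksys", "default", "netgear"}   # constructed sample list
# Constructed stand-in for a dictionary file (words from the cowpatty output).
WORDLIST = {"apportion", "cantabile", "contract", "divisive", "exclusive"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

def keyspace_bits(passphrase: str) -> float:
    # Upper bound: every character drawn uniformly from the classes present.
    # Human-chosen phrases are far weaker than this number suggests.
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0

def audit(ssid: str, passphrase: str) -> dict:
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("WPA passphrases must be 8 to 63 characters")
    in_dictionary = passphrase.lower() in WORDLIST
    if in_dictionary:
        findings.append("passphrase is a dictionary word")
    table_likely = ssid.lower() in COMMON_SSIDS
    if table_likely:
        findings.append("common SSID: precomputed hash tables probably exist")
    # A precomputed table only speeds up the dictionary pass, not brute force.
    dict_rate = RATE_PRECOMPUTED if table_likely else RATE_COMPUTED
    seconds_per_year = 365 * 24 * 3600
    return {
        "findings": findings,
        "in_dictionary": in_dictionary,
        "table_likely": table_likely,
        "dictionary_seconds": DICT_SIZE / dict_rate,
        # Average case: half the keyspace, at the chapter's FPGA rate.
        "brute_force_years": 2 ** (keyspace_bits(passphrase) - 1)
                             / RATE_FPGA / seconds_per_year,
    }

if __name__ == "__main__":
    for ssid, phrase in [("linksys", "exclusive"), ("Beleriand", "exclusive"),
                         ("Beleriand-48213", "q7#Vd2mK!x9RtL4wZp0c")]:
        r = audit(ssid, phrase)
        print(f"{ssid!r}: dictionary pass {r['dictionary_seconds']:.2f} s, "
              f"brute force ~{r['brute_force_years']:.1e} years, {r['findings']}")
```

For "exclusive" the keyspace estimate runs to centuries while the dictionary pass takes seconds, which is why the dictionary finding, not the length, decides the result.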

