
Cracking WPA/WPA2 Personal + Enterprise for Fun and Profit

Vivek Ramachandran, Founder, SecurityTube.net
vivek@securitytube.net

©SecurityTube.net

Shameless Self Promotion

B.Tech, ECE IIT Guwahati
Media Coverage: CBS5, BBC
802.1x, Cat65k, Cisco Systems
WEP Cloaking, Defcon 19
Microsoft Security Shootout
Trainer, 2011
Caffe Latte Attack, Toorcon 9
Wi-Fi Malware, 2011

SecurityTube.net

Students in 65+ Countries

Backtrack 5 Wireless Penetration Testing

http://www.amazon.com/BackTrack-Wireless-Penetration-Testing-Beginners/dp/1849515581/

Agenda

WPA/WPA2 PSK Cracking
Speeding up the cracking process
AP-less WPA/WPA2 PSK Cracking
Hole 196
WPS Attack
Windows 7+ Wi-Fi Backdoors
WPA/WPA2 Enterprise – PEAP, EAP-TTLS

Understanding WPA/WPA2

Why WPA - WEP Broken Beyond Repair

IEEE WG admitted that WEP cannot hold any water. Recommended users to upgrade to WPA, WPA2.
© AirTight 2007

2001 - The insecurity of 802.11, Mobicom, July 2001. N. Borisov, I. Goldberg and D. Wagner.
2001 - Weaknesses in the key scheduling algorithm of RC4. S. Fluhrer, I. Mantin, A. Shamir. Aug 2001.
2002 - Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. A. Stubblefield, J. Ioannidis, A. Rubin.
2004 – KoreK improves on the above technique and reduces the complexity of WEP cracking. We now require only around 500,000 packets to break the WEP key.
2005 – Andreas Klein introduces more correlations between the RC4 key stream and the key.
2007 – PTW extend Andreas Klein's technique to further simplify WEP cracking. Now with just around 60,000 – 90,000 packets it is possible to break the WEP key.

We need WEP’s Replacement

WPA
Intermediate solution by Wi-Fi Alliance
Uses TKIP, based on WEP
Hardware changes not required, firmware update only
Personal: PSK
Enterprise: 802.1x + Radius

WPA2
Long Term solution (802.11i)
Uses CCMP, based on AES
Hardware changes required
Personal: PSK
Enterprise: 802.1x + Radius

WEP

Probe Request-Response
Authentication RR, Association RR
Data Encrypted with Key
Static WEP Key

WPA: No Static Keys

Probe Request-Response
Authentication RR, Association RR
Dynamic Key Generated First
Data Encrypted with Dynamic Key
How are Dynamic Keys Created?

WPA/WPA2 PSK (Personal) Cracking

WPA Pre-Shared Key

Passphrase (8-63)
PBKDF2
Pre-Shared Key 256 bit

PBKDF2

Password Based Key Derivation Function, RFC 2898
PBKDF2(Passphrase, SSID, ssidLen, 4096, 256)
4096 – Number of times the passphrase is hashed (iteration count)
256 – Intended key length of the PSK (bits)

Lets “Shake Hands”: 4-Way Handshake

Both Supplicant and Authenticator already hold the 256 bit Pre-Shared Key
Probe Request-Response
Authentication RR, Association RR

4 Way Handshake: Message 1
Authenticator to Supplicant: ANonce
Supplicant now generates SNonce and computes the PTK

4 Way Handshake: Message 2
Supplicant to Authenticator: SNonce + MIC
Authenticator now computes the PTK

4 Way Handshake: Message 3
Authenticator to Supplicant: Key Installation
Key Installed on Supplicant

4 Way Handshake: Message 4
Supplicant to Authenticator: Key Install Acknowledgement
Key Installed on Authenticator

Demo
What does the Handshake look like?

A Quick Block Diagram

Passphrase (8-63)
PBKDF2 (SSID)
Pre-Shared Key 256 bit
4 Way Handshake: SNonce, ANonce, AP MAC, Client MAC
PTK

WPA-PSK Dictionary Attack

Dictionary
Passphrase (8-63)
PBKDF2 (SSID)
Pre-Shared Key 256 bit
4 Way Handshake: SNonce, ANonce, AP MAC, Client MAC
PTK
Verify by Checking the MIC

Demo
WPA/WPA2 Personal Cracking

Bottleneck in the WPA-PSK Dictionary Attack

Dictionary
Passphrase (8-63)
PBKDF2 (SSID)
Pre-Shared Key 256 bit (PMK)
4 Way Handshake: SNonce, ANonce, AP MAC, Client MAC
PTK
Verify by Checking the MIC

PBKDF2
Requires SSID: list of commonly used SSIDs
Requires Passphrase: can be provided from a dictionary
PMK can be pre-computed using the above

Other Parameters in Key Cracking

SNonce, ANonce, Supplicant MAC and Authenticator MAC vary per session and hence cannot be “pre-calculated”
PTK will be different based on the above
MIC will be different as well
Thus these cannot be pre-calculated in any way
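The PMK and PTK derivations from the PBKDF2, block-diagram and pre-computation slides above, as an added Python example (not code from the talk). The passphrase/SSID pair is the IEEE 802.11i Annex H test vector; the MAC addresses and nonces are constructed values. It shows the split that matters to a defender: the PMK depends only on passphrase and SSID (so a table can be built per SSID, and a non-default SSID plus a high-entropy passphrase is what defeats it), while the PTK mixes in the per-session nonces and cannot be tabulated.

```python
"""WPA/WPA2-PSK key derivation as described on the slides (added example).

PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)  (RFC 2898)
PTK = PRF-512(PMK, "Pairwise key expansion", MACs and nonces)         (IEEE 802.11i)

Shows why a PMK table can be pre-computed per SSID, while the PTK (and
therefore the MIC) cannot: it depends on the per-session nonces.
"""
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PBKDF2(Passphrase, SSID, ssidLen, 4096, 256): the 256-bit PMK/PSK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from PMK, AP MAC (aa), client MAC (spa), ANonce and SNonce.
    The MACs and nonces are sorted so both sides derive the same key."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def pmk_table(ssid: str, dictionary: list) -> dict:
    """The pre-computation from the 'Speeding up Cracking' slide: one PMK per
    passphrase, valid only for this SSID (a renamed SSID invalidates the table)."""
    return {p: wpa_pmk(p, ssid) for p in dictionary}


if __name__ == "__main__":
    # Constructed demo values: MAC addresses and nonces are arbitrary bytes.
    pmk = wpa_pmk("password", "IEEE")  # IEEE 802.11i Annex H test vector
    print("PMK:", pmk.hex())
    ap, client = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    ptk_a = wpa_ptk(pmk, ap, client, b"\x01" * 32, b"\x02" * 32)
    ptk_b = wpa_ptk(pmk, ap, client, b"\x03" * 32, b"\x04" * 32)
    print("same PMK, different nonces, different PTK:", ptk_a != ptk_b)
```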


Speeding up Cracking

Pre-Calculated List of PMK for a
1. Given SSID
2. Dictionary of Passphrases
Pre-Shared Key 256 bit (PMK)
4 Way Handshake: SNonce, ANonce, AP MAC, Client MAC
PTK
Verify by Checking the MIC

Platforms
Multi-Cores
ATI-Stream
Nvidia CUDA
….
In the Cloud: Amazon EC2

Fast Cracking Demo

Pyrit
http://code.google.com/p/pyrit/

Demo
Speeding up WPA/WPA2 Personal Cracking

In the Cloud – EC2 Cluster Compute

AP-less WPA/WPA2 PSK Cracking

Understanding Clients

Client connected to SSID: default
SSID / Credentials list on the client:
Default / …
SecurityTube / …
ProtectedAP / ********
…. / …

An Isolated Client

Demo
Isolated Client Behavior

Demo
Creating a Catch All Honeypot

Cracking WPA with Only Client?

Supplicant (holds the 256 bit Pre-Shared Key) and Hacker Honeypot
Probe Request-Response
Authentication RR, Association RR
Message 1, Honeypot to Supplicant: ANonce
Supplicant generates SNonce and computes the PTK
Message 2, Supplicant to Honeypot: SNonce + MIC
DeAuthentication

WPA-PSK Dictionary Attack

Dictionary
Passphrase (8-63)
PBKDF2 (SSID)
Pre-Shared Key 256 bit
4 Way Handshake: SNonce, ANonce, AP MAC, Client MAC
PTK
Verify by Checking the MIC

Demo
WPA/WPA2 AP-less Cracking

WPA/WPA2 Personal – Safe for use in SMB? Long + Random Passphrase?

WPA/WPA2 GTK Misuse Vulnerability (Hole 196)

PTK and GTK

Access Point with Client 1, Client 2, Client 3
Each client holds its own PTK and the common GTK (GTK-Common)
Pairwise Transient Key (PTK) – Unique for each client
Group Temporal Key (GTK) – Same for all clients

Abusing the GTK

Insider Attack
Malicious Insider can gain access to the common GTK
Use GTK to send traffic to Clients on behalf of the AP
Multiple Attacks possible: MITM, Redirection, DoS

ARP Spoofing Attack

Wired LAN, Access Point, Malicious Insider, User Laptop
1. Gateway ARP Update

DoS using Replay Attack Protection

AP sends group frames with PN = 1000, PN = 1001, PN = 1002, …
Malicious Insider injects a frame with PN = 1500
The client's replay counter jumps to 1500, so the AP's later frames (PN = 1001, PN = 1002) are discarded as replays
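The replay-counter behaviour behind the DoS slide above, simulated in Python (added example, not from the talk). The frame sequence is constructed to match the PN values on the slide, and the PN-jump heuristic is an assumption about what a WIDS could alarm on, not something the slides state.

```python
"""CCMP replay-counter behaviour behind the Hole 196 DoS slide (added example).

A receiver accepts a frame under a given key only if its packet number (PN)
is higher than the last one accepted. An insider who knows the shared GTK can
send one group-addressed frame with a large PN, after which the AP's genuine
broadcast frames (with smaller PNs) are silently discarded.
"""


def replay_filter(frames):
    """Apply the per-key monotonic PN check to a list of (sender, pn) frames.
    Returns (accepted, dropped) lists in arrival order."""
    last_pn = -1
    accepted, dropped = [], []
    for sender, pn in frames:
        if pn <= last_pn:
            dropped.append((sender, pn))
        else:
            last_pn = pn
            accepted.append((sender, pn))
    return accepted, dropped


def pn_jumps(frames, threshold):
    """Defender-side heuristic (assumption, not from the slides): report PN
    increments larger than `threshold`, the signature a WIDS could alarm on."""
    jumps, prev = [], None
    for sender, pn in frames:
        if prev is not None and pn - prev > threshold:
            jumps.append((sender, pn, pn - prev))
        prev = pn
    return jumps


# Constructed sequence matching the slide: AP at 1000, 1001; insider at 1500; AP at 1002.
SLIDE_FRAMES = [("AP", 1000), ("AP", 1001), ("insider", 1500), ("AP", 1002)]

if __name__ == "__main__":
    ok, bad = replay_filter(SLIDE_FRAMES)
    print("accepted:", ok)   # AP 1000, AP 1001, insider 1500
    print("dropped: ", bad)  # AP 1002, and every later AP frame below 1500
    print("suspicious jumps:", pn_jumps(SLIDE_FRAMES, threshold=100))
```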


WPS Attack

What’s Wrong with WPS?
(images from Google Image Search)

Demonstration
WPS Bruteforce Demo

Windows 7 Wi-Fi Backdoors

Generation 2.0 of Client Software – Hosted Network

Available Windows 7 and Server 2008 R2 onwards
Virtual adapters on the same physical adapter
SoftAP can be created using virtual adapters
DHCP server included

“With this feature, a Windows computer can use a single physical wireless adapter to connect as a client to a hardware access point (AP), while at the same time acting as a software AP allowing other wireless-capable devices to connect to it.”
http://msdn.microsoft.com/en-us/library/dd815243%28v=vs.85%29.aspx

Creating a Hosted Network

Client still remains connected to hard AP!

Demonstration
Demo of Hosted Network

Wi-Fi Backdoor

Easy for malware to create a backdoor
The key could be:
Fixed
Derived based on MAC address of host, time of day etc.
As host remains connected to the authorized network, user does not notice a break in connection
No Message or Prompt displayed

Makes a Rogue AP on every Client!

Why is this cool?

Victim will never notice anything unusual unless he visits his network settings
(has to be decently technical to understand)
Attacker connects to victim over a private network
no wired side network logs: firewalls, IDS, IPS
Difficult, if not impossible, to trace back
Difficult to detect even while attack is ongoing :)
Abusing legitimate feature, not picked up by AVs, Anti-Malware
More Stealth? Monitor air for other networks; when a specific network comes up, then start the Backdoor

Demonstration
Demo of Metasploit + Hosted Network
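A host-side check that the “no wired side logs” point above does not cover, as an added Python example (not from the talk): it parses the text printed by `netsh wlan show hostednetwork` and flags a started hosted network. The sample output is constructed and its field layout is assumed from Windows 7.

```python
"""Host-side check for a Windows 7 Hosted Network used as a Wi-Fi backdoor
(added example, not from the slides). Parses `netsh wlan show hostednetwork`
output and reports a running SoftAP; the slide's "no wired side logs" point
does not mean "no host-side evidence".
"""
import re
import subprocess

# Constructed sample of the netsh output; field layout assumed from Windows 7.
SAMPLE_OUTPUT = """\
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "Free_WiFi"
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : 02:1a:2b:3c:4d:5e
    Channel                : 6
    Number of clients      : 1
        00:11:22:33:44:55        Authenticated
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$", re.M)


def parse_hosted_network(text: str) -> dict:
    """Return the 'Key : Value' fields of netsh output as a dict (keys lower-cased)."""
    return {k.strip().lower(): v.strip('"') for k, v in FIELD.findall(text)}


def hosted_network_alert(text: str):
    """None when no hosted network is active; otherwise a short finding."""
    info = parse_hosted_network(text)
    if info.get("status", "").lower() != "started":
        return None
    return {
        "ssid": info.get("ssid name", "?"),
        "clients": int(info.get("number of clients", "0") or 0),
        "mode": info.get("mode", "?"),
    }


def check_local_host():
    """Run netsh on a Windows host; returns the finding or None."""
    out = subprocess.run(["netsh", "wlan", "show", "hostednetwork"],
                         capture_output=True, text=True).stdout
    return hosted_network_alert(out)


if __name__ == "__main__":
    print(hosted_network_alert(SAMPLE_OUTPUT))
```

On a Windows host `check_local_host()` runs netsh itself; where the feature is not needed, `netsh wlan set hostednetwork mode=disallow` turns it off.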

WPA-Enterprise

Supplicant, Authenticator, Authentication Server
Association
EAPoL Start
EAP Request Identity
EAP Response Identity
EAP Packets (relayed by the Authenticator between Supplicant and Authentication Server)
EAP Success
PMK to AP
4 Way Handshake
Data Transfers

WPA/WPA2 Enterprise

EAP Type – Real World Usage
PEAP – Highest
EAP-TTLS – High
EAP-TLS – Medium
LEAP – Low
EAP-FAST – Low
…. – ….

PEAP

Protected Extensible Authentication Protocol
Typical usage:
PEAPv0 with EAP-MSCHAPv2 (most popular), native support on Windows
PEAPv1 with EAP-GTC
Other uncommon ones:
PEAPv0/v1 with EAP-SIM (Cisco)
Uses Server Side Certificates for validation
PEAP-EAP-TLS: additionally uses Client side Certificates or Smartcards; supported only by Microsoft

Source: Layer3.wordpress.com

Understanding the Insecurity

Server side certificates: fake ones can be created
Clients may not prompt, or user may accept invalid certificates
Setup a Honeypot with FreeRadius-WPE
Client connects
Accepts fake certificate
Sends authentication details over MSCHAPv2 in the TLS tunnel
Attacker’s radius server logs these details
Apply dictionary / reduced possibility bruteforce attack using Asleap by Joshua Wright

Network Architecture

BT5 VM
Honeypot AP setup by Attacker
eth1: FreeRadius-WPE + Wireshark 1
mon0: Wireshark 2

Demonstration
PEAP Cracking with Honeypot

Windows PEAP Hacking Summed Up in 1 Slide :)

EAP-TTLS

EAP-Tunneled Transport Layer Security
Server authenticates with Certificate
Client can optionally use Certificate as well
No native support on Windows; 3rd party utilities to be used
Versions: EAP-TTLSv0, EAP-TTLSv1

Inner Authentication in EAP-TTLS
MSCHAPv2, MSCHAP, CHAP, PAP

Demonstration
EAP-TTLS Cracking with Honeypot

Leverage the Cloud

EAP-TLS – Peace of Mind!

Strongest security of all the EAPs out there
Mandates use of both Server and Client side certificates
Required to be supported to get a WPA/WPA2 logo on a product
Unfortunately, this is not very popular due to deployment challenges

SecurityTube Wi-Fi Security DVD
http://www.securitytube.net/