
Cracking WPA/WPA2 Personal + Enterprise for Fun and Profit

Vivek Ramachandran, Founder, SecurityTube.net, vivek@securitytube.net

©SecurityTube.net  

Shameless Self Promotion

• B.Tech, ECE – IIT Guwahati
• 802.1x, Cat65k – Cisco Systems
• WEP Cloaking – Defcon 19
• Caffe Latte Attack – Toorcon 9
• Media Coverage – CBS5, BBC
• Microsoft Security Shootout
• Trainer, 2011
• Wi-Fi Malware, 2011


SecurityTube.net

Students in 65+ Countries

BackTrack 5 Wireless Penetration Testing
http://www.amazon.com/BackTrack-Wireless-Penetration-Testing-Beginners/dp/1849515581/

Agenda
• WPA/WPA2 PSK Cracking
• Speeding up the cracking process
• AP-less WPA/WPA2 PSK Cracking
• Hole 196
• WPS Attack
• Windows 7+ Wi-Fi Backdoors
• WPA/WPA2 Enterprise – PEAP, EAP-TTLS

Understanding WPA/WPA2

Why WPA – WEP Broken Beyond Repair
IEEE WG admitted that WEP cannot hold any water. Recommended users to upgrade to WPA, WPA2.
• 2001 – The insecurity of 802.11. N. Borisov, I. Goldberg and D. Wagner. Mobicom, July 2001.
• 2001 – Weaknesses in the key scheduling algorithm of RC4. S. Fluhrer, I. Mantin, A. Shamir. Aug 2001.
• 2002 – Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. A. Stubblefield, J. Ioannidis, A. Rubin. It is possible to break the WEP key.
• 2004 – KoreK improves on the above technique and reduces the complexity of WEP cracking. We now require only around 500.000 – 90.000 packets to break the WEP key.
• 2005 – Andreas Klein introduces more correlations between the RC4 key stream and the key.
• 2007 – PTW extend Andreas' technique to further simplify WEP cracking. Now with just around 60.000 packets to break the WEP key.
© AirTight 2007

We need WEP's Replacement

WPA
• Intermediate solution by Wi-Fi Alliance
• Uses TKIP
• Based on WEP
• Hardware changes not required
• Firmware update
• Personal – PSK
• Enterprise – 802.1x + Radius

WPA2
• Long Term solution (802.11i)
• Uses CCMP
• Based on AES
• Hardware changes required
• Personal – PSK
• Enterprise – 802.1x + Radius

WEP
(diagram) Client and AP share a Static WEP Key. Probe Request-Response, Authentication RR, Association RR, then Data Encrypted with the static Key.

WPA: No Static Keys
(diagram) Probe Request-Response, Authentication RR, Association RR, then a Dynamic Key is Generated First and Data is Encrypted with the Dynamic Key.
How are Dynamic Keys Created?

WPA/WPA2 PSK (Personal) Cracking

WPA Pre-Shared Key
Passphrase (8-63) → PBKDF2 → Pre-Shared Key, 256 bit

PBKDF2
• Password Based Key Derivation Function
• RFC 2898
• PBKDF2(Passphrase, SSID, ssidLen, 4096, 256)
• 4096 – Number of times the passphrase is hashed
• 256 – Intended Key Length of PSK

Let's "Shake Hands": 4-Way Handshake
(diagram) Supplicant and Authenticator each hold the 256-bit Pre-Shared Key. After Probe Request-Response, Authentication RR and Association RR, the Authenticator sends Message 1 (ANonce).

4 Way Handshake: Message 1
(diagram) The Authenticator sends its ANonce in Message 1. The Supplicant, which has generated its own SNonce, can now compute the PTK.

4 Way Handshake: Message 2
(diagram) The Supplicant sends Message 2 (SNonce + MIC). The Authenticator now has both nonces and computes the PTK as well.

4 Way Handshake: Message 3
(diagram) The Authenticator sends Message 3 (Key Installation); the Supplicant installs the key.

4 Way Handshake: Message 4
(diagram) The Supplicant sends Message 4 (Key Install Acknowledgement); the Authenticator installs the key.

Demo
How does the Handshake look like?

A Quick Block Diagram
Passphrase (8-63) → PBKDF2 (SSID) → Pre-Shared Key 256 bit
Pre-Shared Key + SNonce + ANonce + AP MAC + Client MAC (taken from the 4 Way Handshake) → PTK

WPA-PSK Dictionary Attack
Dictionary → Passphrase (8-63) → PBKDF2 (SSID) → Pre-Shared Key 256 bit
Pre-Shared Key + SNonce + ANonce + AP MAC + Client MAC (from the 4 Way Handshake) → PTK → Verify by Checking the MIC

Demo
WPA/WPA2 Personal Cracking

Bottleneck in the WPA-PSK Dictionary Attack
(diagram) Same flow as the dictionary attack, with the Pre-Shared Key 256 bit labelled as the PMK: PBKDF2 (SSID) has to be run for every dictionary passphrase before the PTK can be derived and the MIC checked.

PBKDF2
• Requires SSID
  – List of commonly used SSIDs
• Requires Passphrase
  – Can be provided from a Dictionary
• PMK can be pre-computed using the above

Other Parameters in Key Cracking
• SNonce, ANonce, Supplicant MAC, Authenticator MAC vary and hence cannot be "pre-calculated"
• PTK will be different based on the above
• MIC will be different as well
Thus these cannot be pre-calculated in any way

Speeding up Cracking
(diagram) Pre-Calculated List of PMK for a
1. Given SSID
2. Dictionary of Passphrases
PMK + SNonce + ANonce + AP MAC + Client MAC (from the 4 Way Handshake) → PTK → Verify by Checking the MIC

Platforms
• Multi-Cores
• ATI-Stream
• Nvidia CUDA
• ...
• In the Cloud
  – Amazon EC2

Fast Cracking Demo
• Pyrit – http://code.google.com/p/pyrit/

Demo
Speeding up WPA/WPA2 Personal Cracking

In the Cloud – EC2 Cluster Compute

AP-less WPA/WPA2 PSK Cracking

Understanding Clients
(diagram) Client currently on SSID: default, with its stored network list:
SSID | Credentials
Default | ...
SecurityTube | ...
ProtectedAP | ********
... | ...

An Isolated Client

Demo
Isolated Client Behavior

Demo
Creating a Catch All Honeypot

Cracking WPA with Only Client?
(diagram) Supplicant and Hacker Honeypot: Probe Request-Response, Authentication RR, Association RR; the honeypot sends Message 1 (ANonce); the Supplicant derives the PTK from its Pre-Shared Key and replies with Message 2 (SNonce + MIC); a Deauthentication follows.

WPA-PSK Dictionary Attack
(same block diagram as before) Dictionary → Passphrase (8-63) → PBKDF2 (SSID) → Pre-Shared Key 256 bit; + SNonce, ANonce, AP MAC, Client MAC from the 4 Way Handshake → PTK → Verify by Checking the MIC

Demo
WPA/WPA2 AP-less Cracking

WPA/WPA2 Personal – Safe for use in SMB
Long + Random Passphrase?

WPA/WPA2 GTK Misuse Vulnerability (Hole 196)

PTK and GTK
(diagram) Access Point with Client 1, Client 2 and Client 3: each client holds its own PTK plus the common GTK (GTK-Common).
• Pairwise Transient Key (PTK) – Unique for All Clients
• Group Temporal Key (GTK) – Same for All Clients

Abusing the GTK
• Insider Attack
  – Malicious Insider can gain access to the common GTK
  – Use GTK to send traffic to Clients on behalf of the AP
  – Multiple Attacks possible
    • MITM
    • Redirection
    • DoS

ARP Spoofing Attack
(diagram) Wired LAN – Access Point – User Laptop; 1. Gateway ARP Update, sent by the Malicious Insider over the air as if from the AP.

DoS using Replay Attack Protection
(diagram) Frames from the AP carry PN = 1000, PN = 1001; the Malicious Insider injects a frame with PN = 1500; the next legitimate frame from the AP carries PN = 1002. Once the client has accepted PN = 1500, replay protection makes it discard the legitimate PN = 1002, which is the DoS of the slide title.

WPS Attack

What's Wrong with WPS?
(images from Google Image Search)

Demonstration
WPS Bruteforce Demo

Windows 7 Wi-Fi Backdoors

Generation 2.0 of Client Software – Hosted Network
• Available Windows 7 and Server 2008 R2 onwards
• Virtual adapters on the same physical adapter
• SoftAP can be created using virtual adapters
  – DHCP server included

"With this feature, a Windows computer can use a single physical wireless adapter to connect as a client to a hardware access point (AP), while at the same time acting as a software AP allowing other wireless-capable devices to connect to it."
http://msdn.microsoft.com/en-us/library/dd815243%28v=vs.85%29.aspx

Creating a Hosted Network

Client still remains connected to hard AP!

Demonstration
Demo of Hosted Network

Wi-Fi Backdoor
• Easy for malware to create a backdoor
• The key could be:
  – Fixed
  – Derived based on MAC address of host, time of day etc.
• As host remains connected to authorized network, user does not notice a break in connection
• No Message or Prompt displayed

Makes a Rogue AP on every Client!
(diagram) Rogue AP, Rogue AP, Rogue AP

Why is this cool?
• Victim will never notice anything unusual unless he visits his network settings
  – has to be decently technical to understand
• Attacker connects to victim over a private network
  – no wired side network logs: firewalls, IDS, IPS
  – Difficult, if not impossible to trace back
  – Difficult to detect even while attack is ongoing :)
• Abusing legitimate feature, not picked up by AVs, Anti-Malware
• More Stealth? Monitor air for other networks, when a specific network comes up, then start the Backdoor

Demonstration
Demo of Metasploit + Hosted Network

WPA-Enterprise

WPA-Enterprise
(diagram) Supplicant – Authenticator – Authentication Server:
Association; EAPoL Start; EAP Request Identity; EAP Response Identity; EAP Packets (relayed between Supplicant and Authentication Server); EAP Success; PMK to AP; 4 Way Handshake; Data Transfers

WPA/WPA2 Enterprise
EAP Type | Real World Usage
PEAP | Highest
EAP-TTLS | High
EAP-TLS | Medium
LEAP | Low
EAP-FAST | Low
... | ...

PEAP
• Protected Extensible Authentication Protocol
• Typical usage:
  – PEAPv0 with EAP-MSCHAPv2 (most popular)
  – PEAPv1 with EAP-GTC
• Native support on Windows
• Uses Server Side Certificates for validation
• Other uncommon ones
  – PEAP-EAP-TLS
    • Additionally uses Client side Certificates or Smartcards
    • Supported only by Microsoft
  – PEAPv0/v1 with EAP-SIM (Cisco)

Source: Layer3.wordpress.com

Understanding the Insecurity
• Server side certificates
  – Fake ones can be created
  – Clients may not prompt or user may accept invalid certificates
• Setup a Honeypot with FreeRadius-WPE
  – Client connects
  – Accepts fake certificate
  – Sends authentication details over MSCHAPv2 in the TLS tunnel
  – Attacker's radius server logs these details
  – Apply dictionary / reduced possibility bruteforce attack using Asleap by Joshua Wright
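Added example (not from the talk): the client-side fix for the first bullet, as two wpa_supplicant network blocks for a Linux PEAP client, one that accepts any server certificate and one that pins the organisation's CA and the expected RADIUS server name. The SSID, identity, password and file path are constructed placeholders.

```conf
# Weak: no CA configured. wpa_supplicant completes the TLS tunnel to whatever
# RADIUS server answers, so a honeypot running FreeRadius-WPE receives the
# MSCHAPv2 exchange inside the tunnel.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-only"
    phase2="auth=MSCHAPV2"
}

# Hardened: trust only the organisation's CA for this profile and require the
# server certificate to match the real RADIUS host name. If either check fails
# the TLS handshake is aborted before any inner-method credential is sent.
# anonymous_identity keeps the real username out of the cleartext outer identity.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous"
    identity="alice"
    password="example-only"
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
```

The Windows equivalent of the hardened block is the PEAP profile's "Validate server certificate" option with the trusted root CA selected and the expected server names entered.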

Network Architecture
(diagram) BT5 VM running FreeRadius-WPE + Wireshark 1 on eth1; Honeypot AP setup by Attacker; Wireshark 2 on mon0

Demonstration
PEAP Cracking with Honeypot

Windows PEAP Hacking Summed Up in 1 Slide :)

EAP-TTLS
• EAP-Tunneled Transport Layer Security
• Server authenticates with Certificate
• Client can optionally use Certificate as well
• No native support on Windows
  – 3rd party utilities to be used
• Versions
  – EAP-TTLSv0
  – EAP-TTLSv1

Inner Authentication in EAP-TTLS
• MSCHAPv2
• MSCHAP
• CHAP
• PAP
• ...

Demonstration
EAP-TTLS Cracking with Honeypot

Leverage the Cloud

EAP-TLS – Peace of Mind!
• Strongest security of all the EAPs out there
• Mandates use of both Server and Client side certificates
• Required to be supported to get a WPA/WPA2 logo on product
• Unfortunately, this is not very popular due to deployment challenges

SecurityTube Wi-Fi Security DVD
http://www.securitytube.net/