AdSense

Monday, October 17, 2016

WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.3 - Caffe-Latte attack against WEP


3.3 - Caffe-Latte attack against WEP

- The Caffe-Latte attack takes advantage of the WEP's Message Modification's flaw. The most interesting characteristic of Caffe-Latte attack is that no AP is needed to perform it. Actually, the attacker takes the information used to crack the WEP key from packets sent by the victim trying to authenticate with the AP, although it is not present. The attacker "kali" will monitor the air finding clients sending probing messages. Then, a fake AP is set using Airbase-ng. When the client connects to the fake AP authentication messages are sent, and after association the DHCP request phase starts. Just at this point, the Caffe-Latte attack is launched by the attacker.

- To perform this attack, let's set the legitimate AP with SSID=prueba, and WEP with Shared Key Authentication:




The WEP key generated by the AP is A8925DC44A5432DE814CE109F9:



The victim "roch" is connected to the wireless network, so that it can have cached and stored the WEP key:



This attack is based on the fact that clients, just after being started, are usually configured to send probe messages for SSIDs that they have previoulsy connected. For instance, Windows clients cache and store WEP keys of previous connected networks. This option is known as Preferred Network List (PNL), consisting of a list of pre used networks. A very similar configuration is enabled for Linux. For instance, Debian pre used networks are stored under Network Connections option.

- Every time a client connects to the same AP, the Windows wireless manager automatically uses that stored key. This is done with the purpose of helping users, not being necessary to introduce the key every time the computer is turned on.

- However, from the security perspective, it can be considered a flaw. It can be checked at next screenshot, option "Connect automatically when this network is in range" is ticked:




- As said before, the WEP key is cached and stored by Windows clients:



- Because this attack does not require the client to be close to the legitimate AP, it means that the WEP key can be cracked just using the client isolated. To verify it the AP is going to be unplug during the whole practice, simulating that the AP is far away to the client.

- Now, given this scenario, let's start the attack form "kali". Using airbase-ng tool, a fake AP is created with the same SSID=prueba and an arbitrary MAC address like AA:AA:AA:AA:AA:AA. Of course, in a real attack, a less suspicious MAC address would be used:



It is important to notice the options used with the command airbase-ng:

                      - L = Caffe-Latte attack
                      - W 1 = WEP encryption


- Then, the client "roch" is started within an scenario where there is no legitimate AP turned on (remember that it has been unpluged). Wireshark detects the victim "roch" (Netgear wireless card interface with MAC 28:C6:8E:63:15:6B) desperately sending Broadcast messages looking for the legitimate "prueba" AP, which is actually unplug:



- The victim "roch" will not find the legitimate "prueba" AP, but the fake "prueba" AP created by the attacker "kali'.

Because there is no mutual authentication between client and AP, just the client authenticating with the AP, it won't be any problem for the assocciation process to success. In other words, the fake AP (the attacker) has got the role to decide or approve that the assocciation of the client cand be achieved. It is quite interesting that WEP allows any fake AP to perform an assocciation process without knowing the used key.




Once the client is connected to the fake AP, it will send out DHCP requests which will eventually timeout because the fake AP is not a DHCP server. Then, not receiving any dynamic IP, the client will start the so called Automatic Private IP Addressing (APIPA), which assigns to itself an IP like 169.254.x.x. After this auto configuration process, the client will send Gratuitous ARP broadcast packets with the purpose of announcing itself to the rest of the network.

- The attacker "kali"captures these Gratuitous ARP packets and modifies them using the Message Modification WEP flaw, converting them into ARP request packets for the client. The Message Modification WEP flaw allows to flip bits in a WEP encrypted packet, adjusting the ICV to make the packet valid.

- Then, the fake AP resends a few thousand of these spurious ARP request packets back into the wireless network. The client receives them and believes that someone is asking for its MAC address using ARP, replying back.

- When the victim "roch" replies, the packets include the WEP key, and they are captured by the attacker "kali". Once the attacker collects enough packets, aircrack-ng will be able to crack the WEP key.

- It is important to note that the attacker is able to run the attack without any knowledge of the WEP key.

- After 2 minutes since the attacker "kali" has created the fake AP, the victim "roch" is associated, and just immediately the Caffe-Latte attack is launched (see the last line) at 10:52:51:



With the purpose of collecting packets sent between the victim "roch" and the fake AP, airodump-ng writes to the file CaffeLatteWEP:



- The CaffeLatteWEP-01 file and its derivatives are created:



- After some minutes of gathering a large number of exchanged packets, aircrack-ng is used to obtain the WEP key A8925DC44A5432DE814CE109F9:



- Again, it is important to remember the most remarkable feature ot this attack, which differences it from other WEP attacks, and which gives its new great value: no legitimate AP has been used to perform the whole attack, no legitimate AP has been present in the viccinity. Just the isolated client, maybe roaming thousands of miles away from the attacked network, looking for a wireless connection sending to the air in clear text a copy of the cached and stored WEP key. So, unlike to other attacks against WEP encryption, the attacker does not need to be in the viccinity of any AP, which converts Caffe-Latte attack into a very powerful attack.

- No need to say, to prevent this attack, the solution would consist of removing all networks from the Preferred Network List (PNL) whenever the client is roaming. However, almost nobody does it, due to the fact of the inconvenience created every time the user wants to join a network, because he would need to introduce the WEP key manually, usually a very long hexadecimal key difficult to remember.






WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.2 - Bypassing WEP Shared Key Authentication


3.2 - Bypassing WEP Shared Key Authentication

- Unlike previous practice's attack, the goal of this attack is to bypass WEP authentication directly, without obtaining the Shared Key, but being able for the attacker to connect directly to the AP even with a fake MAC address.

- This is a more efficient attack against WEP encryption because the steps and processing involved are less that at the previous practice.

- In this case, let's set the AP with WEP (64 bits) encryption:



- From the attacker "kali"s command shell, the legitimate client "roch"s connection is detected:



- Either from a deauthentication or a reconnection of the legitimate client "roch", packets between the AP and "roch "are captured and stored at sharedkeyWEP file:



The file sharedkeyWEP and its derivatives are created, but the one that has got interest for the practice is sharedkeyWEP-01-00-25-F2-9B-91-23.xor:



- Now, the aireplay-ng command is used in a quite different way than before:

a) first, the injected packet contains the keystream used for WEP to authenticate "roch" with the AP.

b) second, "kali" uses a fake MAC address like AA:AA:AA:AA:AA:AA to cover any track of the attack.



Now, it can be verified that "kali" has joined sucessfully the network "spaniard":



Even receiving an IP through DHCP:



"kali" is now part of the network "spaniard", being able to ping the default gateway 102.168.0.1:


Also, "kali" has got access to the Internet using the AP external interface, pinging Google's public DNS:



Airodump-ng detects both clients, the legitimate "roch" and the attacker "kali", connected to the "spaniard" network:



- Also, the AP detects both clients connected, what is funny because "kali" shows the obviously fake MAC address AA:AA:AA:AA:AA:AA.

Of course, in a real attack, "kali" would have choosen a less suspicious MAC than AA:AA:AA:AA:AA:AA



As a conclusion of this practice, the attacker "kali" has been able to connect a network directly, bypassing WEP Shared Key authentication, without needing to perform the steps of obtaining the encryption key, and faking its own MAC address for covering the attack.



Sunday, October 16, 2016

WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.1 - Attack against WEP encryption



3.1 - Attack against WEP encryption

3.1.1 - WEP encryption

- Wired Equivalent Privacy (WEP) is a security algorithm introduced by the University of California Berkeley, accepted as part of the IEEE 802.11 standards for wireless networks. Because of the great number of flaws inherent to WEP, it is nowadays considered obsolote. However, due to the fact that almost all Wi-Fi routers offer WEP as an option, and because there are a lot of available wireless networks using WEP, it is neccesary and interesting to study this standard. From the criptographic point of view, WEP uses the stream cipher RC4 for confidentiality, and CRC-32 checksum for integrity. There are two main versions of WEP, although working in a similar manner. All of them use a so called initialization vector (IV), what is a fixed size input generated randomly, that is eventually XOR operated with the keystream.






- WEP-40 uses a 40 bits key which is concatenated with a 24 bits IV to form the 64 bits RC4 key. The 40 bits key is formed by a string of 10 hexadecimal characters (4 bits for 1 char).

- WEP-104 uses a 104 bit key which is concatenated with a 24 bits IV to form the 128 bits RC4 key. The 104 bits key is formed by a string of 26 hexadecimal characters (4 bits for 1 char).

There are also two main authentication systems for WEP: Open and Shared Key.

- Open System authentication: the client does not need to provide any credentials to authenticate with the AP; actually, no authentication occurs, and WEP keys are used just for encrypting data frames.

- Shared Key authentication: a four step challenge-response handshake is used:

a) the client sends a request message to the AP.
b) the AP replies with a clear text challenge.
c) the client encrypts the text challenge with the WEP key, sending back to the AP.
d) the AP decrypts the response, if matches the AP sends back a positive reply.

- After the authentication, the WEP key is used to encrypt the data with RC4. Although it may seem that Shared Key method is safer than Open System, because the last one lacks of authentication, the truth is just the contrary. Due to the fact that challenge frames can be captured during the handshake in Shared Key, the keystream could be obtained.

- RC4 is a stream cipher, so same key must not be used twice. The initialization vector, transmitted unencrypted, tries to prevent any repetition. But a lenght of 24 bits is not enough to ensure this, so it could happen that two identical IVs were generated if busy traffic. A passive attack would consist on simulating replay packets and sniffing the responses for subsequent analysis. For the WEP-104 just 40.000 packets would be enough to obtain the WEP key with a 50% of probability, and around 85.000 data packets would ensure the 95% of probability of success. Using ARP packets reinjection, around 40.000 packets can be captured in less than 1 minute. So, cracking WEP is just a matter or time, just using software tools like aircrack-ng.


3.1.2 - Attack against WEP encryption

- First of all, the AP is set to use WEP encryption of 128 bits whith Shared Key Authentication.

- Introducing the passphrase AbCdEf12345$ a Network Key is generated: 1792424e9b00a0d2a4a8bc180a





- From the client "roch"s side, properties of the network are arranged:



- Then, "roch" is connected to the network:



- This process of connection for the client "roch" has been captured by the attacker "kali" with airodump-ng. The option - - write means that captures are stored at the .cap file called "archivoWEP":



- At previous screenshot it can be noticed that the number of data packets is very small, #Data = 61. For WEP cracking a larger number of packets is needed, so the network is forced to create more data packets.

- The tool aireplay-ng captures packets from the wireless network and reinjects them back simulating ARP responses. In this way a lot of traffic is generated for the network. Aireplay-ng identifies ARP packets by looking at their size. ARP protocol uses a fixed header that can be easily identified. It is essential that the victim client is already authenticated and associated to the AP.

- Option -3 means ARP replay, -b is for the BSSID, and -h for the victim's,"roch", whose MAC address is being spoofed:











Due to the replay attack, the number of captured packets by airdump-ng is dramatically increased, from #Data = 61 to now #Data = 44376:



- In the meanwhile, "archivoWEP-01.cap" and some other derived files are storing the created packets by aireplay-ng:



- At this point of the attack, aircrack-ng is ready to be launched, using packets stored at "archivoWEP-01.cap":



- Due to the great amount of stored packets, it takes just an instant to find the key:



- Using the airdacp-ng command, captured packets at "archivoWEP-01.cap" can be decrypted:




3.1.3 - Connecting to the AP

- Once the attacker "kali" has been able to crack the WEP key, it is time for it to connect to the network. At the present moment of the practice "kali" is in "Not-Associated" mode:



- Using the iwconfig command, the SSID and the key, the attacker "kali" can connect to the network:



- The success of the connection is verified:



- Also, airodump-ng captures the fact that now there are 2 clients connected to the AP: the legitimate one ("roch"), and the attacker one ("kali"):



- In the same way, the AP detects both connected clients:



- Because DHCP is enabled by default, the AP assigns a dynamic IP to "kali":



- Now, the attack is a complete success because "kali" is authenticated and associated to the network, pinging any of the internal hosts, for instance the default gateway:



- Also, "kali" has got connection to the Internet, being able to ping Google's public DNS server:





WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.10 - WiFishing: creation of multiple honeypots


2.10 - WiFishing: creation of multiple honeypots

- The creation of just 1 fake Access Point or honeypot is not always enough, because the victim would connect automatically to only one AP matching the stored network configuration. How the attacker would force the client to connect to its own fake AP, and not other one available, without knowing a priori the preferred type of encryption of the victim?

- For that reason, and for the purpose of penetration testing, it is very handy to create several fake APs with the same SSID, but each of one matching diferent types of encryption methods: for instance Open, WEP, WPA-PSK and WPA2-PSK, with TKIP or AES-CCMP.

- So, taking 4 different encryption options, it would be necessary to create 4 virtual interfaces: mon0, mon1, mon2 and mon3, using airmon-ng start wlan0 repeatedly at the attacker "kali" machine.

- mon0:



- mon1:



- mon2:



- mon3:



- Now, there are 4 virtual interfaces working in monitor mode:































- The command airbase-ng holds interesting options to fake APs:



- For creating WEP, option -W 1 is available:



- For creating WPA option -z is used, being 2 for TKIP and 4 for AES-CCMP. Same for WPA2 using -Z:



- The first honeypot called "puntodeacceso" doesn't have any encryption, it is Open, so no option is used. MAC address will be AA:AA:AA:AA:AA:AA, working in mon0 monitor interface:




- The second honeypot is also called "puntodeacceso" and uses WEP encryption (-W 1). MAC address will be BB:BB:BB:BB:BB:BB, working in mon1 monitor interface:



- The third honeypot is also called "puntodeacceso" and uses WPA-PSK TKIP encryption (-z 2). MAC address will be CC:CC:CC:CC:CC:CC, working in mon2 monitor interface:



- The fourth honeypot is also called "puntodeacceso" and uses WPA2-PSK TKIP encryption (-Z 2). MAC address will be DD:DD:DD:DD:DD:DD, working in mon3 monitor interface:



- It can be verified the existence of the 4 honeypots, all sharing the same ESSID, each one with different type of encryptions and different number of MAC addresses:



 - The question that arises now is: Which one would the victim "roch" pick up to connect to?

Based on the Preferred Network List, in this case the client "roch" has got a stored network called "puntodeacceso":




Also, the configuration forces to connect automattically to the network "punto de acceso"when it is in range:



- The stored security configuration uses WPA with TKIP encryption:



- So, no doubt that the picked up honeypot to be connected by the victim "roch" (whose MAC adress is 28:C6:8E:63:15:6B) will be the third honeypot, which uses WPA-TKIP and has got CC:CC:CC:CC:CC:CC as MAC address, because it is the only one that matches the stored configuration:



This practice has shown how to create the appropiate bait for a victim, offering fake APS or honeypots with different encryptions modes, assuming that one of them would match the stored security configuration mode by the victim.