13 – Return of the WEP SKA

Lucky, or unlucky number 13 as it may be if you are superstitious, it’s time to return to the good old WEP SKA which had been tried in two previous lessons here and here but I am now using my Netgear router instead of the D-Link I had been using previously, both of which are recommended for the OSWP certification and gave it a shot again and what do you know I obtained the XOR, this means I am going to cover this now properly and get this working rather than working around it like I had previously, we will look at the packets in wireshark and see if there is anything different compared to the D-Link, even though there are many different attacks they will not work on every access point so it’s always worth trying a different method and trying harder!

Configure your router as follows:1 - Router Configuration SKAEnable monitor mode on your card, I am using the number ‘1’ at the end in order to specify channel 1 while enabling monitor mode2 - Enable montior modeStart airodump-ng in order to obtain the XOR

airodump-ng mon0 -c 1 –bssid 2C:B0:5D:XX:XX:XX -w SKA_OUT

“airodump-ng” runs airodump-ng
“mon0” is the interface of the card
“-c 1” is to run on channel 1
“–bssid” is for the MAC address of the access point
“-w” is the name of the file to write to which is SKA_OUT in this case
3 - Run airodump-ng to obtain the XOR Output of airodump-ng looks like the following
4 - airodump-ng outputNow we can see there is a client associated so let’s de-authenticate it with aireplay-ng

aireplay-ng -0 1 -a “2C:B0:5D:XX:XX:XX -c F4:09:D8:XX:XX:XX mon0

“-0″ – means deauthentication
“1” – is the number of deauths to send (feel free to increase this!)
“-a 2C:B0:5D:XX:XX:XX” – is the MAC address of the access point
“-c F4:09:D8:XX:XX:XX” – is the MAC address of the client you are deauthing
“mon0″ – is the interface name

5 aireplay-ng deauth
 Now if we look at airodump-ng again we will see the following output up the top right as we have successfully obtained the XOR and this can be seen up the top where it says 151 bytes keystream followed by the access point MAC address
6 - airodump-ng output XOR obtained
 Running an ‘ls’ in our current working directory you will see there is a file that now ends with a .xor extension
7 - ls to check for the XOR
Looking through the capture file here though even with a full keystream now it seems there are some issues with injecting the XOR in order to authenticate with the access point, I mainly put this down to the de-authentication that is being used below so I switched to a different method of de-authentication seen in the next image
8 - XOR failed authentication with the access pointRestarting and running airodump-ng from the start again in order to obtain the capture file then running aireplay-ng in order to de-authenticate with the following

aireplay-ng -1 6000 -o 1 -q 10 -e test -a 2C:B0:5D:XX:XX:XX -h F4:09:D8:XX:XX:XX mon0

“aireplay-ng” starts aireplay-ng
“-1” is for fake-authentication
“6000” means reauthenticate every 6000 seconds, the long period also causes keep alive packets to be sent
“-o 1” means send only one packet at a time, the default is to send multiple and can confuse some access points
“-q 10” means send a keep alive packet every 10 seconds
“-e” is for specifying the SSID of the access point eg test
“-a” is for specifying the client MAC address or your card MAC address, you may need to spoof it to be that of the client
“-h” is for specifying the MAC address of the access point
“mon0” is the interface of the wireless card

It should look like the following

9 - aireplay-ng alternative method
Looking at airodump-ng we have obtained 151 bytes of a keystream and checking the working directory there is also a XOR file located here also
10 - airodump-ng output XOR obtained again
In order to properly test this out though I stopped the previous instance of airodump-ng that was running and started a fresh one while removing my connected client from the access point
11 - fresh airodump-ng instanceNow for the fake authentication with the access point

aireplay-ng -1 0 -e test -y SKA_OUT2-01-2C-B0-5D-XX-XX-XX.xor -a 2C:B0:5D:XX:XX:XX -h F4:09:D8:XX:XX:XX mon0

“aireplay-ng” is to start aireplay-ng
“-1” is for fake authentication
“0” is for setting the re-association timing in seconds
“SKA_OUT2-01-2C-B0-5D-XX-XX-XX.xor” is the XOR file obtained from the previous steps
“-a” is the MAC address of the client you want to spoof or a random MAC of your choice
“-h” is the MAC address of the access point
“mon0” is the interface of your wireless card

12 - Shared Key Fake Authentication working
airodump-ng then looks like the following, as you can see the client MAC address is now associated with the access point
13 - airodump-ng output successNow to analyse the captured keystream with wireshark to see what went on using the following filters

(wlan_mgt.fixed.auth.alg == 1) || (wlan_mgt.fixed.listen_ival == 0x000a) || (wlan_mgt.fixed.aid == 0x0001) || (wlan.fc == 0xb040)

“||” stands for OR
“wlan_mgt.fixed.auth.alg == 1” will filter all the Authentication packets
“wlan_mgt.fixed.listen_ival == 0x000a” will filter all the Association request packets
“wlan_mgt.fixed.aid == 0x0001” will filter all the Association response packets
“wlan.fc == 0xb040” will filter all the data packets

Starting up wireshark against the capture file from airodump-ng

14 - starting wireshark with the capture file
Using the filter above in wireshark to get rid of the noise and focus on the packets we want to look at easier
15 - wireshark packets to check
Packet 1:Authentication request sent by the client to the access point

16 - packet 1 authentication request
Packet 2:Challenge text is sent from the access point

16 - packet 2 challenge text sent
Packet 3:Client sends the encrypted challenge response to the access point

17 - packet 3 encrypted challenge sent
Packet 4:Authentication is successful in the fourth packet

18 - packet 4 success message
Now if you look closely you will also see an association request and association response follow close behind these packets as seen belowPacket 5:

Association Request

19 - association request follows
Packet 6:Association Response

20 - association response follows
Now I also captured a XOR keystream injection when using it to do a fake authentication, analysed the packet capture and noticed one difference compared to the first packet seen above.
21 - XOR injection packet 1

The vendor specific information is removed but everything else looks and works as you would expect.

Lesson learned:

As per the previous Shared Key Authentication attempts in which failure was witnessed with some perseverance an attacker can obtain a keystream by either de-authenticating a client on your network or being passive and waiting for a client to connect manually in order to obtain a keystream without any active attack being carried out and then authenticate to the access point when the client is not on the network anymore or spoof another MAC address and authenticate with the network that way, the problem here though is that this may set of an alarm somewhere that something is wrong and a new MAC has authenticated with the network that is not authorised. As with every other lesson learned on WEP though, just don’t use it and leave well alone.



Leave a Reply