7 – Shared Key Authentication (SKA) Alternative Method

As you have seen in the previous lesson we could not obtain the XOR with the easiest method so instead we have to work a little bit harder and either forge some packets of our own in order authenticate to the access point or maybe even do this with another method…

First of all snippets from the aireplay-ng man page for the fragmentation and chopchop attacks:

Fragmentation:

Pros
– Can obtain the full packet length of 1500 bytes XOR. This
means you can subsequently pretty well create any size of
packet.

– May work where chopchop does not

– Is extremely fast. It yields the XOR stream extremely quickly
when successful.

Cons
– Setup to execute the attack is more subject to the device
drivers. For example, Atheros does not generate the correct
packets unless the wireless card is set to the mac address you
are spoofing.

– You need to be physically closer to the access point since if
any packets are lost then the attack fails.

Chopchop

Pro
– May work where frag does not work.

Cons
– Cannot be used against every access point.

– The maximum XOR bits is limited to the length of the packet
you chopchop against.

– Much slower then the fragmentation attack.

First before we begin we can try a fakeauth with aireplay-ng and see if we have any success:

aireplay-ng –fakeauth 0 -o 1 -e test -a 00:18:E7:XX.XX.XX -h 00:C0:CA:XX:XX:XX mon0 –ignore-negative-one

Look in “man airodump-ng” to see the meaning of the switches used.1 - Try fake authFailure to authenticate looks like the following2 - Fake auth failureNow let’s try a fragmentation attack on the access point so get your card listening with airodump-ng and let’s get to it!3 - airodump startOutput4 - airodump outputFragment attack:

aireplay-ng –fragment -b 00:18:E7:XX:XX:XX -h F4:09:D8:XX:XX:XX mon0

“aireplay-ng” – start aireplay-ng
“–fragment” – running a fragmentation attack
“-b 00:18:E7:XX:XX:XX” – the access point MAC
“-h F4:09:D8:XX:XX:XX” – your MAC address
“mon0” – the monitor interface5 - aireplay fragmentation attackWhen a packet appears accept with either a “y” or “n” and let it run for a bit, you will know fairly quickly if it works or not, an example of this failing is below as you will have a stream of failure and then it will eventually ask you to select yes or no for a new packet.6 - fragmentation failureChop Chop attack:

aireplay-ng –chopchop -b 00:18:E7:XX:XX:XX -h F4:09:D8:XX:XX:XX mon0

“aireplay-ng” – start aireplay-ng
“–chopchop” – running a fragmentation attack
“-b 00:18:E7:XX:XX:XX” – the access point MAC
“-h F4:09:D8:XX:XX:XX” – your MAC address
“mon0” – the monitor interface7 - chopchop failureOutput failure8 - chopchop failureThis AP is quite tricky and I can see why it is recommended for the OWSP training, rather than pulling my hair out though and repeating the same thing again and again expecting different results I had to use an interactive packet replay attack, I could use some other options here also but we will have a look at these at a different time or you could even try them yourself as an extra exercise! The process looks like the following to crack the SKA key on this tricky access point

Leave airodump-ng running on your channel and writing the output to a file with -w:
airodump-ng -c 6 mon0 -w SKA
9 - airodump-ng start
Next run aireplay-ng with an interactive packet replay attack:
aireplay-ng -2 -b 00:18:E7:C5:49:DA -d FF:FF:FF:FF:FF:FF -t 1 mon0
“-2” sets the interactive replay
“-b 00:14:6C:7E:40:80” selects packets with the MAC of the access point you are testing
“-d FF:FF:FF:FF:FF:FF” selects packets with a broadcast destination
“-t 1” selects packets with the “To Distribution System” flag set on
“mon0” your wirless interface
Leave this running for a few minutes, you will see the packets increasing here which is a good thing.
10 - interactive packet replay
Then run aircrack against the pcap to crack the key, select the BSSID you wish to run it against. You should also take note that in the image below I have obtained 31848 IV’s which will definitely help in the cracking process.
Running aircrack is simple with:
aircrack-ng SKA-01.cap
11 - Running Aircrack-ng WEP SKA
 Success looks like this:
12 - WEP SKA Key Cracked with no authentication
This ends the WEP SKA tutorial, let’s move onto the more common “Open System Authentication” as this is the default, most people would not bother changing the default on a router. This is more or a history lesson than anything else, although I still see a lot of WEP around the place and people seem to think hiding it is ok too!
Lesson learned:
Shared Key Authentication even though it sounds like an added security feature adds no security to your access point. It is very easy to obtain the keystream used in the handshake by capturing the challenge frames in the shared key authentication. Data can be easily intercepted and decrypted with share key authentication than with open system authentication. Using open authentication though means any wireless client can connect to the access point but you should use neither as they are clearly very broken for some time now.
 

6 – Shared Key Authentication (SKA)

Things are starting to get a bit more interesting now and I hope you are enjoying this series so far as much as I am writing about it.

Shared Key Authentication (SKA) uses a shared secret which you can think of as a password that allows you to connect to and authenticate with the access point from the client.

The exchange of information can be seen in the diagram below:Shared Key Authentication (SKA) DiagramWhat you see above is the client send an authentication request to the access point which responds back with a challenge. The client then has to encrypt the challenge with the shared key and send it back to the access point which will then decrypt it to check if it can recover the original challenge text. If it is successful the client will then authenticate or else it will send an authentication failed message.

The downfall here is that an attacker can be passively listening to the entire communication while sniffing in the air as both encrypted and plain text unencrypted challenges can be viewed. We can however apply a XOR operation here in order to retrieve the key-stream, this key-stream can then be used to encrypt any future challenge sent by the access point without needing to know the key.

Doing what we have been doing in the previous lessons we are going to put the card into monitor mode and start airodump-ng in order to sniff the air around us and retrieve the challenge, encrypted challenge and the key-stream so that we can then use it to authenticate with the access point without knowing the shared key.

On the router keeping the previous settings but removing the MAC filtering and this time enable WEP with Shared Key Authentication like in the image below:1 - Router ConfigurationFirst things first you already have the card in monitor mode don’t you so let’s start up airodump-ng sniffing packets between the access point and the target client but this time we are also going to save them using the “-w” filter to write to a file for later use.

airodump-ng mon0 -c 6 –bssid AP_MAC -w SKA_out

This will start airodump-ng on interface “mon0” set on channel 6 with the access point mac after the “–bssid” and write to a file with the “-w” option, the file is called SKA_out but you can name it whatever you want and you can then use these packets again and analyze them further, you could have done this in the previous lessons too but I didn’t want to hit you with too much at the start.2 - airodump-ng writeOnce you have run airodump-ng you will see the following similar output3 - airodump-ng outputNotice under “AUTH” there is currently nothing specified, only two things can exist her “SKA” or “PSK”. We can see however that a client is attached to this access point currently and we can either de-authenticate the client in order to force them to reconnect or wait for a client to connect manually and do the same passively.

Let’s de-authenticate the client in order to speed up this process, it’s always handy to have wireshark open also and be looking to see what may have gone wrong if things aren’t going as expected, it’s a good habit to get into.

aireplay-ng -0 1 -a 00:18:E7:XX:XX:XX -c F4:09:D8:XX:XX:XX mon0

“-0” – means deauthentication
“1” – is the number of deauths to send (feel free to increase this!)
“-a 00:18:E7:XX:XX:XX” – is the MAC address of the access point
“-c F4:09:D8:XX:XX:XX” – is the MAC address of the client you are deauthing
“mon0” – is the interface name4 - deauthenticate clientNow if you return to airodump-ng that you left running you should see some changes to your output: 5 - SKA foundLooking above now you see “Broken SKA:” followed by the access point MAC address and “AUTH” has also changed to “SKA” for Shared Key Authentication. You can stop airodump now and look at the packets with wireshark to see what you have obtained.

Running “ls” in your directory you will see the files airodump has created for you:6 - File output SKAHaving a closer look things are unfortunately not as they should be at this stage as a stream should have appeared up where it says “Broken SKA:”. Looking in wireshark though it appears there is an issue here for me anyway which I am not going to dwell on for very long as well there are other ways to get around WEP and I have tried a few cards and different AP’s with the same result, I have also found some tickets for this and it may be a bug in airodump-ng.

Start wireshark on the capture with the following command to load it directly into wireshark for you, handy isn’t it!

wireshark name_of_cap.cap &7 - Wireshark checkIn wireshark use the following filter to see the exchange take place:

(wlan.addr == 00:18:E7:XX.XX.XX) && (wlan.fc.type_subtype == 0x0b)7.1 - Wireshark checkingLet’s break down each packet a bit further to see what is going on here.

Packet 1:7.2 - Wireshark checking packet 1

Authentication request and 11 bytes of Vendor Specific information is attached.

Packet 2:7.3 - Wireshark checking packet 2Challenge text is sent

Packet 3:7.4 - Wireshark checking packet 3Packet 3 here is interesting as under the WEP parameters the WEP ICV shows as not verified which is due the the ICV not being encrypted and is just a CRC-32 check that is appended to the end of the frame, based on the encrypted payload, now I have tried spoofing the MAC etc and the only way I seem to be able to get around this is to use a different attack method which you will see soon, the data is the encrypted text.

Packet 4:7.5 - Wireshark checking packet 4Rather than focus and obsess on this for too long I am going to move on to further tutorials but if you were to obtain a XOR here you can then replay it with the following command and authenticate without knowing the PSK which was the reason behind this lesson and obtain a fake authentication with the access point.

aireplay-ng -1 0 -e test -y sharedkey.xor -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 mon0

“-1” means fake authentication
“0” means only authenticate once
“-e test” is your access point SSID
“-y sharedkey.xor” is the name of file containing the PRGA XOR bits captured by airodump
“-a 00:18:E7:XX:XX:XX” is your access point MAC address
“-h F4:09:D8:XX:XX:XX” is your MAC address on your card
“mon0” is the interface name

Let me know if you have difficulty here also as I have searched myself and can find very little on this subject that leads to an answer anyway, this is quite possibly a bug in airodump but I could be wrong. If you have a similar issue please leave a comment. I may come back to this again in the future but don’t really see the point unless I stumble across this on one of my other routers, for now let’s just move on to the next lesson and crack the WEP key of this access point by trying some alternative methods.

To look at a successful pcap refer to the following download link from the aircrack site, you will see it does not include an additional 11 bytes like mine does above.

 

 

5 – Bypassing MAC Filters

MAC filtering is very much like hiding your SSID as it just does not work and instead lulls you into a false sense of security, often thought of as security through obscurity. It is an old security access control used for authentication and authorization in the wired world but fails miserably in the wireless world as you will soon see in the following lesson.

The MAC address is stored in a table on the router and referred to for authentication, if the MAC trying to connect exists you are granted access and if not you are refused.

First configure MAC filtering on the access point in order to continue, we will keep the previous open configuration settings used in the previous lesson.

1 - router configure MAC address filteringNow only the two MAC addresses that have been added can connect to the access point, if we try to connect to the access point as we did previously it will show as not associated:

2 - iwconfig not associatedLet’s put the card into monitor mode to see what is going on here and have a look with airodump-ng as we did previously but this time be a little bit more exact about our filters in order to remove as much noise as possible from our airodump-ng output.

airodump-ng -c 6 -a –bssid AP_MAC mon0

“-c 6” sets the channel

“-a” ensures that the clients only associated with the access point are displayed

“–bssid” is used for setting the access point MAC address

3 - airodump-ng connected devicesOutput then looks a lot cleaner as you can see:

4 - airodump outputLooking at the above output we can see the MAC of the access point and an associated client MAC address which we can now use to connect to the access point and spoof it.

Spoofing the MAC can be done a few different ways and there are tools out there that will do this for you very easily, lets look at one option by using built in system tools and connect to the access point to verify it is working.

Lets check our current card MAC address first with ifconfig and grep

“ifconfig” runs ifconfig

“| grep wlan0” Using a pipe to continue and search for “wlan0” to display that line which also has the “HWaddr” associated with it.

5 - MAC address check

Using the client MAC found with airodump-ng we can now spoof the MAC address and connect

Put the interface down:
ifconfig wlan0 down

Change the MAC address of the card:
ifconfig wlan0 hw ether F4:09:D8:XX:XX:XX

Put the interface back up:
ifconfig wlan0 up

Check the MAC has been changed:
ifconfig | grep wlan0

6 - MAC changedLet’s try and connect to the access point again:

7 - Connected with MACExcellent, we have now fully authenticated with the open access point that has MAC filtering enabled and bypassed this feature which doesn’t really add any security to stop an attacker.

Lesson Learned:

Don’t rely on MAC filtering to protect your network from attackers, as you can see it does not provide any security to protect you on a wireless network as an attacker can find a client connected in the air and spoof them in order to authenticate and connect.

 

4 – Bypassing Open Authentication

As from the previous lesson we uncovered a hidden SSID for an open network called “test” which had no encryption enabled and was well just invisible, for this lesson we will make the network visible and keep no authentication set in order to connect to the network via the terminal and thus bypass the open authentication of the access point.

Configure your router as follows:

1 - Router ConfigurationFirst make sure your interface is up before proceeding

ifconfig wlan0 up

then check it is up with

iwconfig wlan0

Connect to the access point with

iwconfig wlan0 essid “test”

Check you are connected with

iwconfig wlan0

2 - Connect to open access pointCongratulations you have connected to an open access point with no authentication, you can now browse to the access point management interface for example because you are connected or alternatively capture all the packets flowing through the network or even run a MITM attack.

Lesson Learned:

Don’t trust or use open wi-fi it’s just not safe and you don’t know what is actually going on when connected, it would be extremely easy for an attacker to steal your credit card details or social networking user name and password. This is like receiving a postcard from someone, anyone can read your message.

 

3 – Uncovering Hidden SSID’s

Wireless networks are known for some time now to have weak authentication schemes which can be easily broken or bypassed even when stronger encryption is in use.

Before we go any further though we need to know what frames are as they are required for communication to take place.

1 – Management Frames

Used for maintaining access between the Access Point and the wireless clients. They contain the following sub-types:

– Authentication
– De-Authentication
– Association Request
– Reassociation Request
– Reassociation Request
– Disassociation
– Beacon
– Probe Request

2 – Control Frames

These are responsible for ensuring a proper exchange of data between the Access Point and wireless clients. They contain the following sub-types:

– Request to Send (RTS)
– Clear to Send (CTS)
– Acknowledgement (ACK)

3 – Data Frames

You might be able to guess but this is where the carrying is done as such and the actual data is sent via the wireless networks and it has no sub-types.

Let’s get to it!

We are going to have a look at uncovering hidden SSID’s now as people think hiding their network instead of configuring encryption is going to make them invisible and safe but this is not the case as you will see shortly as the default configuration of most access points is to send out their SSID in the beacon frames but a hidden SSID does not broadcast it’s SSID in the beacon frames so only clients that know the correct SSID can connect.

Configure the router for this scenario with no encryption and make it invisible:

1 - Configure routerBefore we begin make sure you have wireless injection working and monitor mode enabled as outlined here.

Now to start airodump-ng and see what we can see in the air:

2 - start airodump-ngAs you can see there is now an access point with a BSSID (MAC Address) of 00:18:E7:XX:XX:XX, “OPN” encryption on channel 6 with an ESSID of “<length:   0>”, let’s uncover this and find out the hidden name!

3 - airodump-ng captureStart up wireshark as per this previous step and select “mon0” as your interface and use the following filter to view these packets only and get rid of the excess noise:

wlan.addr == AP_MAC_ADDRESS

4 - wireshark capture mon0 MACYou have two options here to uncover the hidden SSID.

Option 1:

Wait for a device to connect to the network which will generate probe request and probe response packets which will contain the SSID of the access point. Simple and passive but may take ages if nothing is going to connect in the next few hours.

Manual connection looks like this in airodump-ng listening when you manually connect:

5 - Manual connectAs you can see above the SSID is now known as test and you will also see the Probe Response in Wireshark:

5 - Manual connect wiresharkLooking inside the packets you will find the SSID under the management frame also:

5.1 - Manual connect wiresharkOption 2:

Send a few de-authentication packets with aireplay-ng

aireplay-ng -0 5 -a AP_MAC mon0

“-0” is for choosing the type of wireless de-authentication attack.

“5” is the number of de-authentication packets to send

“-a” specifies the access point MAC address you are targeting

The de-authentication packets will force any legitimate clients to disconnect and reconnect. By adding the following expression to wireshark you will be able to capture these de-authentication packets.

wlan.fc.type_subtype == 0x0c

OR add to the previous filter and use

(wlan.addr == AP_MAC_ADDRESS) && (wlan.fc.type_subtype == 0x0c)

One device is connected to the access point currently from the previous example so it will be disconnected and reconnect getting the same result but with an active rather than a passive approach.

Sending the de-authentication packets to the access point gives a warning about how it is better to target a client but we are being lazy in this scenario and just targeting the access point, we will target the client in future lessons though.

6 - De-authentication aireplay-ngThe wireshark filter we had running will also show us these de-authentication packets only as we were using a filter for that specific purpose:

7 - De-authentication wiresharkOnce again airodump-ng will show you the SSID also and uncover the hidden name of the access point:

8 - De-authentication airodump-ngLesson Learned:

Don’t think you can hide you access point and use no encryption as someone will uncover it and connect to your network! This is not secure in the slightest and you are just asking to be compromised.
 

2 – Wireless Regulatory Domains

It is very important to understand the laws of your country, if you go outside of the legal power levels you can get into trouble so don’t do it!

In a terminal window type the following

tail -f -n 0 /var/log/messages

Now to check your card type quickly and simply just unplug the card and plug it back in and you should see some output like below:

1 - Unplug and checkYou can see plenty of information about your card here.

To set a regulatory domain on the card for example let’s say Ireland run:

iw reg set IE

2 - Setting regulatory domain

In the previous window where we left tail running on /var/log/messages you will see the following output showing you the card regulatory configuration has changed:

3 - Country code changed IEIf you try to set certain channels they may fail as they are used by different country’s, this is also the same for the power levels on the card itself and what you are aloud to operate at. An example of this is that I can set my card to a txpower of 20 Decibel-milliwatts (dBm) here in Ireland but if you were in the US you can set to 27 dBM and in Bolivia you can set 30 dBm. These power levels may be illegal and you cannot operate at these levels without a license.

Converting your dBm to milliwatts can be done with the following calculations

The power conversion of dBm to mW is given by the formula:
P(mW) = 1mW · 10(P(dBm)/ 10)

Which means:
1dBm = 1.258925mW

Now to calculate 20 dBm

P(mW) = 1mW · 10(20dBm/ 10) = 100mW

27 dBm

P(mW) = 1mW · 10(27dBm/ 10) = 501.18mW

30 dBm

P(mW) = 1mW · 10(30dBm/ 10) = 1000mW

You can see the difference in the above conversions is quite significant.

 

1 – Wireless Assessment’s a warning in advance

The following tutorial series is aimed at security researchers who have either gone through some wireless auditing themselves before and want a quick refresher or people with an interest in auditing wireless networks for security purposes, I would love to hear stories regarding tricky access point’s also and how obstacles were overcome, I am not interested in people trying to break into their neighbours wireless for example and will not provide any assistance for these questions.

For best results as you are researching you should buy or borrow some routers to play with so your not kicking people off your own Wi-Fi as this get’s annoying for you and anyone else in your house if you keep de-authenticating your clients after a while! That’s how I started years ago though so I can’t lecture you on this but it will make it much easier when changing configurations etc on your router.

The purpose of this is to go over all of this again and obtain 10 CPE’s from the OSWP certification offered by offensive security as I see it as a challenge and a fun way to also gain a new cert to show I know my stuff in this area, anyone can do this, you just need to practice and you will eventually get it. I have not yet signed up but will do so on completion of this course tutorial, these are effectively pre-study notes without any prior knowledge of the course material as I will have to abide by an NDA once I start using the study material which I am excited to start using!
TL;DR
Don’t perform any of this against anyone you are not authorised to perform a wireless assessment on.