░█░█░█▀█░█▀█░▀▀▄░█▀█░▀█▀░▀█▀░█▀█░█▀▀░█░█░█▀▀
░█▄█░█▀▀░█▀█░▄▀░░█▀█░░█░░░█░░█▀█░█░░░█▀▄░▀▀█
░▀░▀░▀░░░▀░▀░▀▀▀░▀░▀░░▀░░░▀░░▀░▀░▀▀▀░▀░▀░▀▀▀

WPA2Attacks

Types of WiFi Authentication

WiFi authentication types are crucial for securing wireless networks and protecting data from unauthorized access. The main types include WEP, WPA, WPA2, and WPA3, each progressively enhancing security standards.

1. WEP (Wired Equivalent Privacy)

The original WiFi security protocol, WEP provides basic encryption but is now considered outdated and insecure due to vulnerabilities that make it easy to breach.

2. WPA (WiFi Protected Access)

Introduced as an interim improvement over WEP, WPA offers better encryption through TKIP (Temporal Key Integrity Protocol), but it is still less secure than newer standards.

3. WPA2 (WiFi Protected Access II)

A significant advancement over WPA, WPA2 uses AES (Advanced Encryption Standard) for robust security. It has been the standard for many years, providing strong protection for most networks.

4. WPA3 (WiFi Protected Access III)

The latest standard, WPA3 enhances security with features like individualized data encryption and more robust password-based authentication, making it the most secure option currently available.

WPA Modes

WPA has two primary operating modes:

• WPA-Personal: Uses pre-shared keys (PSK) and is designed for personal use (home environments)
• WPA-Enterprise: Specially designed for organizational environments with enhanced security features

WPA/WPA2 Personal (PSK)

Wi-Fi Protected Access (WPA) Personal was created to replace Wired Equivalent Privacy (WEP). WPA originally implemented the Temporal Key Integrity Protocol (TKIP), which used a dynamic per-packet key to address WEP's vulnerabilities, particularly those involving initialization vector attacks. Additionally, WPA introduced Message Integrity Checks (MICs), improving security over the Cyclic Redundancy Checks (CRCs) used by WEP. WPA2 introduced support for CCMP and AES encryption modes to provide more secure communications.

Although WPA/WPA2 Personal does not support some of the more robust security features seen in WPA/WPA2 Enterprise, it is still widely used for residential routers and in some business settings. Due to the nature of a reused pre-shared key (Wi-Fi Password), it omits certain protections that are standard in more secure wireless environments.

Common methods for capturing the pre-shared key include: - Handshake Capture - PMKID Capture
- Wi-Fi Protected Setup attacks - Evil-Twin/Social Engineering attacks

With these techniques, an adversary will likely be able to retrieve the clear text version of the pre-shared key and subsequently compromise the wireless network.

WPA/WPA2 Enterprise (MGT)

Wi-Fi Protected Access Enterprise was developed to meet the need for stronger wireless encryption standards. By utilizing 802.1X security, WPA Enterprise offers more secure communication through the Extensible Authentication Protocol (EAP). Unlike its personal counterpart, WPA/WPA2 Enterprise relies heavily on authentication methods, with one of the key differences being its use of a RADIUS server for authentication.

The standard employs Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) to provide better encryption for client devices. WPA Enterprise offers various configuration options to accommodate different use cases, providing flexibility for network administrators. It also addresses vulnerabilities associated with pre-shared key attacks, such as dictionary and brute-force attacks, by supporting diverse authentication methods.

However, misconfigurations and inherent design flaws have exposed vulnerabilities in the enterprise standard, making it susceptible to attacks such as: - Evil-twin attacks (used to capture authentication hashes) - Security downgrading of clients to retrieve plaintext credentials

WPA Personal Technical Overview

Wi-Fi Protected Access (WPA) was introduced in 2003 as a replacement for the broken WEP encryption system and was designed to work on the same hardware. WEP used a 40-bit or 104-bit key, which, when combined with a 24-bit initialization vector (IV), resulted in an overall 64-bit or 128-bit seed. This static key system was one of WEP's major vulnerabilities as it never changed.

In contrast, the WPA protocol implemented the Temporal Key Integrity Protocol (TKIP), which dynamically generates a new 128-bit key for each packet and includes Message Integrity Checks (MIC). This prevents the types of attacks that compromised WEP by adding per-packet key mixing and other security improvements.

Additionally, WPA2 employs the Advanced Encryption Standard (AES), enhancing security through the Counter-Mode/CBC-Mac Protocol (CCMP). AES keys used in WPA2 can be 128, 192, or 256 bits long, offering stronger encryption.

The PSK in WPA2-PSK stands for Pre-Shared Key, which is a secret key shared between the access point and the clients. However, this key is derived from the passphrase set by the network user or administrator. If a weak passphrase is chosen, the network becomes vulnerable to dictionary attacks.

WPA2 Connection Cycle

Let's examine the typical connection process between clients and access points, known as the connection cycle. We will focus on a basic WPA2 (PSK) authentication whose general connection cycle follows this sequence:

1. Beacon Frames
2. Probe Request and Response
3. Authentication Request and Response
4. Association Request and Response
5. 4-Way Handshake
6. Disassociation/Deauthentication

1. Beacon Frames

Beacon frames are primarily used by the access point to communicate its presence to the client or station. They include information such as supported ciphers, authentication types, SSID, and supported data rates.

2. Probe Requests and Responses

The probe request and response process allows the client to discover nearby access points (APs). The client sends a probe request, which can include the specific SSID (Service Set Identifier) of the desired network or be a general broadcast to find any available networks. If the SSID is hidden, the client still sends a request with the SSID in its probe. The AP responds with information about itself for the client.

3. Authentication Request and Response

Authentication requests are sent by the client to the access point to begin the connection process. These frames are primarily used to identify the client to the access point.

4. Association/Reassociation Requests

After sending an authentication request and undergoing the authentication process, the client sends an association request to the access point. The access point then responds with an association response to indicate whether the client is able to associate with it.

5. 4-Way Handshake

After the association/reassociation request, a 4-way handshake is formed between the AP and client. This process securely establishes a shared encryption key (Pairwise Transient Key) between the client and access point by exchanging nonce values and confirming mutual authentication.

6. Disassociation/Deauthentication Frames

Disassociation and Deauthentication frames are sent by the access point to a client, and they serve to terminate the connection between them. Each frame contains a reason code, explaining why the client is being disconnected from the network. In Wi-Fi penetration testing, these frames are often crafted for capturing handshakes or launching denial-of-service attacks.

Examining the raw network traffic will help us better understand this process. After successfully capturing a valid handshake, the capture file can then be opened in Wireshark for detailed analysis.

4-Way Handshake Process

When connecting to the wireless network, both the client and the wireless access point (AP) must ensure that they both have/know the correct wireless network key, while never transmitting the key across the network. Instead, a series of encrypted messages, including nonces (random numbers) and MAC addresses, is exchanged to verify the key without revealing it.

Once the key has been verified, it is used to generate several encryption keys, including the Message Integrity Check (MIC) key. The MIC ensures that each packet has not been tampered with during transmission, confirming the data's integrity and authenticity.

WPA/WPA2 Attack Methods

There are three primary methods to attack WPA/WPA2-Personal networks:

1. Check if WPS is enabled and brute-force the PIN
2. Capture the 4-way handshake and perform a dictionary attack to recover the PSK
3. Execute a PMKID attack on vulnerable access points

WPS Brute-force Attack

Detect WPS-enabled networks:

airodump-ng wlan0mon -c 1 --wps

Alternative WPS detection:

wash -i wlan0mon

Enhanced WPS scan with JSON output:

wash -i -j wlan0mon

Using Reaver to brute-force the WPS PIN:

airmon-ng stop wlan0mon
reaver -i mon0 -c 1 -b 28:B2:BD:F4:FF:F1

4-Way Handshake Capture and Cracking

This section covers the process of capturing the 4-Way Handshake, which is essential for cracking WPA/WPA2-PSK networks. We'll analyze the captured handshake to ensure it is complete and valid, then demonstrate how to crack the handshake to reveal the Pre-Shared Key (PSK).

To perform this type of offline cracking attack, we need to capture a valid 4-way handshake by sending deauthentication frames to force a client to disconnect from an AP. When the client reauthenticates (usually automatically), the attacker can capture the WPA 4-way handshake. This handshake is a collection of keys exchanged during the authentication process between the client and the associated AP.

Capture handshake:

airodump-ng wlan0mon -c 1 -w WPA2

Force deauthentication:

aireplay-ng -0 5 -a 80:2D:BF:FE:13:83 -c 8A:00:A9:9B:ED:1A wlan0mon

Crack the captured handshake:

aircrack-ng -w /opt/wordlist.txt WPA-01.cap

PMK Caching and PMKID Attack

Access Point (AP) roaming occurs when a client moves outside the range of an AP and connects to another AP. Similar to handoffs in cellular networks, this roaming can impact connectivity, as each time a client transitions between APs, a new 4-way handshake must be performed. Many routers store the PMKID from the initial exchange in a PMK Security Association (PMKSA) cache. This way, when a client disconnects and reconnects, the 4-way handshake doesn't need to be repeated. Instead, the router directly requests the PMKSA from the client, verifies it, and then quickly re-associates the client with the access point.

Unlike cracking a four-way handshake, generating the PMKID is less complex. As attackers, we can intercept the Access Point and Station MAC addresses, along with the ESSID, giving us three of the four primary inputs required to generate the PMKID. As a result, it requires less computational power to generate the PMKID versus cracking a traditional handshake. However, this may vary on a case-by-case basis.

PMKID Attack Process: 1. Retrieve PMKID 2. Guess Wi-Fi passphrase using dictionary 3. Create PMK hash 4. Create PMKID hash and compare with retrieved PMKID hash

The main advantage of this attack is that no regular users (clients) are required – because the attacker directly communicates with the AP (a "client-less" attack).

Once the interface is in monitor mode, the next step is to scan for the target network and determine if it is vulnerable to the PMKID attack. This can be done using hcxdumptool, specifying the interface with the -i flag. To include relevant statuses in the command output, the --enable_status option is used, with three statuses being sufficient for most cases. Additionally, the -o flag allows saving the scan results to a .pcap file for further analysis.

Status Codes: - EAPOL - ASSOCIATION and REASSOCIATION
- EAPOL and ASSOCIATION and REASSOCIATION

PMKID capture command:

hcxdumptool -i wlan0mon --enable_status=3

Penetration Testing Methodology

Evaluating Passphrases

This involves assessing the strength and security of WiFi network passwords or passphrases. Penetration testers employ various techniques, such as dictionary attacks, brute force attacks, and password cracking tools, to evaluate the resilience of passphrases against unauthorized access.

Evaluating Configuration

Penetration testers analyze the configuration settings of WiFi routers and access points to identify potential security vulnerabilities. This includes scrutinizing encryption protocols, authentication methods, network segmentation, and other configuration parameters to ensure they adhere to best security practices.

Testing the Infrastructure

This phase focuses on probing the robustness of the WiFi network infrastructure. Penetration testers conduct comprehensive assessments to uncover weaknesses in network architecture, device configurations, firmware versions, and implementation flaws that could be exploited by attackers to compromise the network.

Testing the Clients

Penetration testers evaluate the security posture of WiFi clients, such as laptops, smartphones, and IoT devices, that connect to the network. This involves testing for vulnerabilities in client software, operating systems, wireless drivers, and network stack implementations to identify potential entry points for attackers.

IEEE 802.11 MAC Frame Structure

All 802.11 frames utilize the MAC frame. This frame is the foundation for all other fields and actions that are performed between the client and access point, and even in ad-hoc networks. The MAC data frame consists of 9 fields:

IEEE 802.11 Frame Types

• Management (00): These frames are used for management and control, allowing the access point and client to control the active connection.
• Control (01): Control frames are used for managing the transmission and reception of data frames within WiFi networks. They provide quality control functionality.
• Data (10): Data frames are used to contain data for transmission.

Management Frame Sub-Types

Primarily, for WiFi penetration testing, we focus on management frames. These frames are used to control the connection between the access point and client. To filter them in Wireshark, specify type 00 and subtypes as follows:

Beacon Frames (1000)

Beacon frames are primarily used by the access point to communicate its presence to the client or station. They include information such as supported ciphers, authentication types, SSID, and supported data rates.

Probe Request (0100) and Probe Response (0101)

The probe request and response process allows the client to discover nearby access points. A client sends a probe request with the SSID of the access point, and the access point responds with information about itself.

Authentication Request and Response (1011)

Authentication requests are sent by the client to the access point to begin the connection process. These frames are primarily used to identify the client to the access point.

Association/Reassociation Request and Responses (0000, 0001, 0010, 0011)

After sending an authentication request and undergoing the authentication process, the client sends an association request to the access point. The access point then responds with an association response to indicate whether the client is able to associate with it or not.

Disassociation/Deauthentication (1010, 1100)

Disassociation and Deauthentication frames are sent from the access point to the client. They are designed to terminate the connection between the access point and the client. These frames contain a reason code that indicates why the client is being disconnected from the access point. These frames are utilized for handshake captures and denial of service attacks during WiFi penetration testing efforts.

The Connection Cycle

1. Beacon Frames
2. Probe Request and Response
3. Authentication Request and Response
4. Association Request and Response
5. Some form of handshake or other security mechanism
6. Disassociation/Deauthentication

Authentication Methods

Open System Authentication

Open System Authentication is straightforward and does not require any shared secret or credentials for initial access. This type of authentication is typically used in open networks where no password is needed, allowing any device to connect to the network without prior verification.

Process: 1. The client (station) sends an authentication request to the access point to begin the authentication process 2. The access point sends the client back an authentication response, which indicates whether the authentication was accepted 3. The client then sends the access point an association request 4. The access point responds with an association response to indicate whether the client can stay connected

Shared Key Authentication

Shared Key Authentication involves the use of a shared key. In this system, both the client and the access point verify each other's identities by computing a challenge-response mechanism based on the shared key.

Authentication with WEP

1. Authentication request: The client sends the access point an authentication request
2. Challenge: The access point responds with a custom authentication response which includes challenge text for the client
3. Challenge Response: The client responds with the encrypted challenge, which is encrypted with the WEP key
4. Verification: The AP decrypts this challenge and sends back either an indication of success or failure

Authentication with WPA

WPA utilizes a form of authentication that includes a four-way handshake. This replaces the association process with more verbose verification:

1. Authentication Request: The client sends an authentication request to the AP to initiate the authentication process
2. Authentication Response: The AP responds with an authentication response, indicating readiness to proceed with authentication
3. Pairwise Key Generation: The client and the AP calculate the PMK from the PSK (password)
4. Four-Way Handshake: The client and access point undergo each step of the four-way handshake, which involves nonce exchange, derivation, and other actions to verify that both the client and AP know the PSK

Working with WiFi Cards

Basic Configuration Commands

Check current wireless card:

sudo iw reg get

Change region:

sudo iw reg set US

Set transmission power:

sudo iwconfig wlan0 txpower 30

List all capabilities of card:

iw list

Interface Modes

Managed Mode

Managed mode allows the interface to act as a client or station. In this mode, the card actively searches for nearby networks (APs) to establish a connection.

sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode managed
sudo iwconfig wlan0 essid HTB-Wifi

Ad-hoc Mode

Ad-hoc mode operates in a decentralized, peer-to-peer approach, allowing wireless interfaces to communicate directly with one another. This mode is commonly found in residential mesh systems for their backhaul bands.

sudo iwconfig wlan0 mode ad-hoc
sudo iwconfig wlan0 essid HTB-Mesh

Master Mode

Master mode (access point/router mode) requires a management daemon to respond to stations or clients connecting to the network. Commonly, hostapd is used for this task.

Create configuration file:

nano open.conf

Configuration content:

interface=wlan0
driver=nl80211
ssid=HTB-Hello-World
channel=2
hw_mode=g

Start hostapd:

sudo hostapd open.conf

Mesh Mode

Mesh mode allows the interface to join a self-configuring and routing network. This mode is commonly used for business applications requiring large coverage across a physical space.

Monitor Mode

Monitor mode (also known as promiscuous mode) is a specialized operating mode for wireless network interfaces. In this mode, the network interface can capture all wireless traffic within its range, regardless of the intended recipient.

sudo iw wlan0 set monitor control
sudo ifconfig wlan0 up

Aircrack-ng Suite

The Aircrack-ng suite provides comprehensive tools for wireless network auditing:

• Monitoring: Packet capture and export of data to text files for further processing by third-party tools
• Attacking: Replay attacks, deauthentication, fake access points and others via packet injection
• Testing: Checking WiFi cards and driver capabilities (capture and injection)
• Cracking: WEP and WPA PSK (WPA 1 and 2)

Airmon-ng

Airmon-ng can enable and disable monitor mode on wireless interfaces.

Start airmon-ng:

sudo airmon-ng start wlan0

Stop airmon-ng:

airmon-ng stop wlan0mon

Check for interference:

sudo airmon-ng check

Kill interfering processes (only if needed):

sudo airmon-ng check kill

Start Airmon on specific channel:

airmon-ng start wlan0 11

Airodump-ng

Airodump-ng can capture raw 802.11 frames and provides detailed network information:

Basic usage:

sudo airodump-ng wlan0mon

Dump on specific channel:

sudo airodump-ng -c 11 wlan0mon

Supported bands: - a uses 5 GHz - b uses 2.4 GHz
- g uses 2.4 GHz

airodump-ng --band abg wlan0mon

Write to file:

sudo airodump-ng wlan0mon -w filedump

Airgraph-ng

Airgraph-ng creates graphs of wireless networks using CSV files generated by Airodump-ng. It produces two distinct types of graphs:

1. Clients to AP Relationship Graph: Illustrates connections between wireless clients and Access Points
2. Clients Probe Graph: Shows probed networks by wireless clients

Aireplay-ng

Aireplay-ng generates wireless traffic for use in aircrack-ng for cracking WEP and WPA-PSK keys. It supports various attacks including: - Deauthentication attacks for capturing WPA handshake data - Fake authentications - Interactive packet replay - Hand-crafted ARP request injection - ARP-request reinjection

Airdecap-ng

Airdecap-ng decrypts wireless capture files once the network key has been obtained. It can: - Remove wireless headers from an open network capture (unencrypted capture) - Decrypt WEP-encrypted capture files using a hexadecimal WEP key - Decrypt WPA/WPA2-encrypted capture files using the passphrase

Aircrack-ng

Aircrack-ng can crack WEP and WPA/WPA2 networks that use pre-shared keys or PMKID, providing the final step in the wireless security assessment process.

WPS (Wi-Fi Protected Setup) Security Analysis

WPS was originally developed by Cisco in 2006 as a method to enable convenience and ease of use for users with little knowledge. Either through the push of a button or entering of a PIN, users are able to easily connect their devices to their wireless network. Since then, multiple different exploitation tools have been developed with the intent to abuse the PIN. WPS PINs are eight digits in length, making them significantly easier to crack compared to traditional WPA methods.

Although convenient, WPS is susceptible to online PIN cracking and offline PIN cracking methods. WPS utilizes a series of EAP messages exchanged between a station (enrollee) and an access point (registrar). During this process, valuable information is disclosed—information that can be exploited for these attack methods. While traditional online PIN cracking takes hours to complete, offline PIN cracking can be as quick as a few minutes when the access point is vulnerable.

WPS utilizes HMAC-SHA-256, which is considered a fairly secure hashing function. However, due to the lack of possible PIN combinations, randomness in nonce values, and information disclosed in the communications between the access point and the client, we are able to crack these PINs relatively quickly and retrieve the PSK for normal WPA communications.

When assessing wireless access points, it is always important to check for WPS vulnerabilities. As such, possessing the skills to test for WPS-related vectors is crucial for all wireless penetration testers.

WPS Connection Methods

There are four methods to connect to a WPS-enabled access point. Each of them is detailed below: