All labs and demos presented in this blog were created in a CLOSED loop lab environment with no internet access to ensure safe labs.
SPECIAL NOTE: Linux is CASE/case/Case sensitive so the three examples of the word "case" I just presented would be interpreted differently.
Lab 1: WPA and WPA Cracking with Cowpatty
Now in Backtrack 5r2 all interfaces default to being off. In this tutorial I am showing you a short cut to bringing an interface up and creating what is referred to as a "mon" reference interface. Now the "mon" interface is not a physical interface but rather represents a physical one or one can think of it as a shortcut/virtual interface which is running off of a promiscuous driver. So unlike a normal network interface which listens for packets or frames that are addressed only to it's MAC (hardware address) a promiscuous network interface will listen for and is able to show and capture/copy all network traffic regardless of its destination.The creation of a :"mon" interface is fairly common activity when doing Pen Testing or other security activities in BackTrack 5r2.
The program used to create a "mon" interface is called: airmon-ng and the command required is as follows:
airmon-ng strart <interface name>
Now in this case I always, not sure why yet, get this warning. This however is a good opportunity to show you what to do and how easy it is to deal with. You will notice the two "kill: commands I issued just bellow.
The "kill" command with the "-9" switch is a very simple way to tell Linux to stop a process ID or PID.
To use the command one simply needs to do the following:
kill - 9 <process ID or PID Number>
ifconfig -a
or
ifconfig mon0
The "-a" switch will show ALL interfaces for the sake of this demo I have edited the other interfaces out and am showing just "mon0" but in a real lab environment you would see many more each one representing a network interface. One can also just type the second command to show just one interface.
IMPORTANT: only bring up the interfaces you intend to use. This lab laptop has two wireless interfaces a internal and a PCMCIA dual antenna wireless interface. I usually choose this one because it has a stronger power output although for the sake of this lab it is really not necessary. More about cards, antennas and such in future labs.
Now remember the key to doing Pen Testing and in this case cracking WPA is to be able to capture but not be seen data. First off we need to do some simple reconnaissance so we will issue the following command.
airodump-ng is a scanning utility that shows all wireless networks in a area and provides data such as channels, encryption etc. In this case I added the "mon0" interface as the point from where to look for wireless access points and associated clients.
Now for the sake of this lab I have edited the results to just show our AP (Access Point) in this case it is called "Linux Lab". The BSSID is the MAC (Media Access Control or Hardware Address) address of the AP. The MAC address is hard coded into the AP. For now assume that it can not be changed (it can be spoofed or faked, but this is for another lab).
For now we are interested in three pieces of data which can be surmised from this one simple command. It should be noted that we do not have a IP (Internet Protocol) address and we are not connected to the Linux Lab network. In essence we are just listening and looking. As a matter of fact everything up to this point has been LEGAL.
Why, because this is all broadcast data which is publicly available if one knows how to find it.
Now back to the lab the three pieces of data we are interested in are:
1) The MAC address of the AP.
2) The MAC address of a associated computer.
3) The Channel the AP is broadcasting on.
1) The MAC address of the AP is: 00:1F:33:41:89:B4
2) The MAC address of a associated computer is: 00:0E:35:4F:5A:BE
3) The Channel the AP is broadcasting on is 9
Do you see where all this information was attained? The lower part shows the BSSID and then the STATION. The station is a computer associated with the access point. The channel is found above under the "CH". We will skip over the remaining data for now but will come back to it in future labs.
With this data we are ready to move forward.
Now in order to crack WPA or WPA2 we need to get a copy of the encrypted key used in authentication.
Before I explain how to do this lets look at what is really happening here.
The following explanation comes from Wikipedia.
The Four-Way Handshake
The authentication process leaves two considerations: the access point (AP) still needs to authenticate itself to the client station (STA), and keys to encrypt the traffic need to be derived. The earlier EAP exchange or WPA2-PSK has provided the shared secret key PMK (Pairwise Master Key). This key is, however, designed to last the entire session and should be exposed as little as possible. Therefore the four-way handshake is used to establish another key called the PTK (Pairwise Transient Key). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The product is then put through acryptographic hash function.
The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are depicted in the figure and explained below:
- The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK.
- The STA sends its own nonce-value (SNonce) to the AP together with a MIC, including authentication, which is really a Message Authentication and Integrity Code: (MAIC).
- The AP sends the GTK and a sequence number together with another MIC. This sequence number will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection.
- The STA sends a confirmation to the AP.
All the above messages are sent as EAPOL-Key frames.
As soon as the PTK is obtained it is divided into five separate keys:
PTK (Pairwise Transient Key – 64 bytes)
- 16 bytes of EAPOL-Key Confirmation Key (KCK)– Used to compute MIC on WPA EAPOL Key message
- 16 bytes of EAPOL-Key Encryption Key (KEK) - AP uses this key to encrypt additional data sent (in the 'Key Data' field) to the client (for example, the RSN IE or the GTK)
- 16 bytes of Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets
- 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on unicast data packets transmitted by the AP
- 8 bytes of Michael MIC Authenticator Rx Key – Used to compute MIC on unicast data packets transmitted by the station
The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data.
[edit]The Group Key Handshake
The GTK used in the network may need to be updated due to the expiry of a preset timer. When a device leaves the network, the GTK also needs to be updated. This is to prevent the device from receiving any more multicast or broadcast messages from the AP.
To handle the updating, 802.11i defines a Group Key Handshake that consists of a two-way handshake:
- The AP sends the new GTK to each STA in the network. The GTK is encrypted using the KEK assigned to that STA, and protects the data from tampering, by use of a MIC.
- The STA acknowledges the new GTK and replies to the AP.
GTK ( Groupwise Transient Key – 32 bytes)
- 16 bytes of Group Temporal Encryption Key – Used to encrypt Multicast data packets
- 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on Multicast packet transmitted by AP
- 8 bytes of Michael MIC Authenticator Rx Key – This is currently not used as stations do not send multicast traffic
The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data.
Now presented this if you are interested in what is really going on. We will see the actual packets soon.
WARNING the remaining part of this lab should be done ONLY in a closed lab environment due to that it is considered to be ILLEGAL!!!!
As you may remember in the previous screen capture we have the following:
1) The MAC address of the AP is: 00:1F:33:41:89:B4
2) The MAC address of a associated computer is: 00:0E:35:4F:5A:BE
3) The Channel the AP is broadcasting on is 9
But they are already talking to each other. This is not really good for us. We have two options now.
1) We can start a capture on the AP and wait for a new client to join. Remember we want the 4-way handshake.
2) We want to force a client associated to have to re-associate to the AP. AGAIN NOT LEGAL MOVING FORWARD! USE IN LAB ENVIRONMENT ONLY!
We want to use a utility called aireplay-ng. The command goes like this:
aireplay-ng <option> <replay interface>
Detailed look:In this case: lets break down what I am showing.
-0 means de-authentication attack
1 means the number of times I want to launch it. (usually once is enough, remember you do not want to raise suspicion, when doing Pen Testing less is always best).
-a means this is the BSSID of the AP (remember BSSID is the same are MAC address of the AP)
-c
means this is the BSSID of the STATION (remember BSSID is the same are MAC address of the STATION)
mon0 is the interface
Now let me also show some other switches you can use (these will be covered in more detail in future labs)
Attackes
Attack 0: Deauthentication
Attack 1: Fake authentication
Attack 2: Interactive packet replay
Attack 3: ARP request replay attack
Attack 4: KoreK chopchop attack
Attack 5: Fragmentation attack
Attack 6: Cafe-latte attack
Attack 7: Client-oriented fragmentation attack
Attack 8: WPA Migration Mode – will be available in the next release-
Attack 1: Fake authentication
Attack 2: Interactive packet replay
Attack 3: ARP request replay attack
Attack 4: KoreK chopchop attack
Attack 5: Fragmentation attack
Attack 6: Cafe-latte attack
Attack 7: Client-oriented fragmentation attack
Attack 8: WPA Migration Mode – will be available in the next release-
Attack 9: Injection test
Filter options:
-b bssid : MAC address, Access Point-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length
-n len : maximum packet length
-u type : frame control, type field
-v subt : frame control, subtype field
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-w iswep : frame control, WEP bit
Replay options:
-x nbpps : number of packets per second-p fctrl : set frame control word (hex)
-a bssid : set Access Point MAC address
-c dmac : set Destination MAC address
-h smac : set Source MAC address
-e essid : For fakeauth attack or injection test, it sets target AP SSID. This is optional when the SSID is not hidden.
-j : arpreplay attack : inject FromDS pkts
-g value : change ring buffer size (default: 8)
-k IP : set destination IP in fragments
-l IP : set source IP in fragments
-o npckts : number of packets per burst (-1)
-q sec : seconds between keep-alives (-1)
-y prga : keystream for shared key auth
”-B” or ”–bittest” : bit rate test (Applies only to test mode)
”-D” :disables AP detection. Some modes will not proceed if the AP beacon is not heard. This disables this functionality.
”-F” or ”–fast” : chooses first matching packet. For test mode, it just checks basic injection and skips all other tests.
”-R” disables /dev/rtc usage. Some systems experience lockups or other problems with RTC. This disables the usage.
Now you may have noticed that I received an error message. This is due to me going to fast and not regarding the fact that my AP is set to channel 9. Opps!
At this point my aireplay attack FAILED.
To solve the problem I need to set my wi-fi card to the same channel as the AP.
I use the iwconfig command with the channel I need:
iwocnfig <interface> channel <number>
The command is fairly straight forward. It sets the card to lock into a certain channel. For this particualr lab we need to lock the card into the same channel as the AP.
Now when we try the aireplay-ng we see that the attack was successful.
The first part the airodump-ng is straight forward the bssid you will recognize is for our AP the new part is the --write switch this is simply saying take the captured packets and write them to a file called <any_name_you want>.
You will know that you captured the correct packets when you see "WPA Handshake <BSSID>" on top.
You can also open the file in wireshark if you want.
In a new console window type: wireshark and it will launch. You will need to keep the console window open where you typed "wireshark" for as long as you are using wireshark if you launch it this way. In my opinion this is the fastest and easiest way to launch wire shark.
Next you need to open the CAP relating to you capture.
Here more files are present from other labs in the works. The one we need is demo3, you will have the name you gave it.
Once open you would want to find the frames called EAPOL this is the 4 way handshake.
This is just for informational purposes we do not need to run wireshark for this attack. However by doing so you can see what is contained in the 4 way handshake.
Now cowpatty is a dictionary attack utility and it can take a REALLY long time as can airocrack-ng. But we can speed up the process considerably by calculating the PMK (Pairwise Master Key) to do this we use genpmk utility.
For this lab we will use the default dictionary found in Backtrack.
genpmk is used to precompute the hash files in a similar way to Rainbow tables is used to pre-hash passwords in Windows LANMan attacks. There is a slight difference however in WPA in that the SSID of the network is used as well as the WPA-PSK to "salt" the hash. This means that we need a different set of hashes for each and every unique SSID i.e. a set for "linksys" a set for "tsunami" etc..
So to generate some hash files for a network using the SSID cuckoo we use:
genpmk -f <dictionary location > -d <output hash file> -s <AP Name>
Now we are ready for the last step. for this you now can run cowpatty.
We are using all the data and files we created earlier.
PMK-Linux-Lab was created above.
"Linux Lab" is the SSID of the AP.
"WPAFast..." was the captured 4 way handshake.
We need these 3 pieces of data to run cowpatty.
Above you can see cowpatty starting up.
And finally we see the password for the AP. In this case I choose a rather simple password. A more complex one may not have been cracked.
Well this concludes this demo. Please feel free to comment ideas, suggestions, questions etc.
And remember to use BackTrack 5r2 responsibly it is just a tool. You are the one who determines how to use it.
Until next demo Good Hacking Everyone
More than thanks.Very good explanation.
ReplyDelete