vivek hacktivity 2012

Upload: manish-landeri

Post on 30-Oct-2015


DESCRIPTION

wifi hacking

TRANSCRIPT

  • SecurityTube.net

    Cracking WPA/WPA2 Personal + Enterprise for Fun and Profit

    Vivek Ramachandran, Founder, SecurityTube.net, [email protected]

  • SecurityTube.net

    Shameless Self Promotion

    WEP Cloaking, Defcon 19

    Caffe Latte Attack, Toorcon 9

    Microsoft Security Shootout

    Wi-Fi Malware, 2011

    802.1x, Cat65k, Cisco Systems

    B.Tech, ECE, IIT Guwahati

    Media Coverage: CBS5, BBC; Trainer, 2011

  • SecurityTube.net

    SecurityTube.net

    Students in 65+ Countries

  • SecurityTube.net

    Backtrack 5 Wireless Penetration Testing

    http://www.amazon.com/BackTrack-Wireless-Penetration-Testing-Beginners/dp/1849515581/

  • SecurityTube.net

    Agenda

    WPA/WPA2 PSK Cracking

    Speeding up the cracking process

    AP-less WPA/WPA2 PSK Cracking

    Hole 196

    WPS Attack

    Windows 7+ Wi-Fi Backdoors

    WPA/WPA2 Enterprise: PEAP, EAP-TTLS

  • SecurityTube.net

    Understanding WPA/WPA2

  • SecurityTube.net

    Why WPA - WEP Broken Beyond Repair

    AirTight 2007

    2001 - The insecurity of 802.11, Mobicom, July 2001. N. Borisov, I. Goldberg and D. Wagner.

    2001 - Weaknesses in the key scheduling algorithm of RC4. S. Fluhrer, I. Mantin, A. Shamir. Aug 2001.

    2002 - Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. A. Stubblefield, J. Ioannidis, A. Rubin.

    2004 - KoreK improves on the above technique and reduces the complexity of WEP cracking. We now require only around 500,000 packets to break the WEP key.

    2005 - Andreas Klein introduces more correlations between the RC4 key stream and the key.

    2007 - PTW extend Andreas' technique to further simplify WEP cracking. Now with just around 60,000 to 90,000 packets it is possible to break the WEP key.

    IEEE WG admitted that WEP cannot hold any water. Recommended users to upgrade to WPA, WPA2.

  • SecurityTube.net

    We need WEP's Replacement

    WPA:  Intermediate solution by the Wi-Fi Alliance. Uses TKIP. Based on WEP; hardware changes not required, firmware update suffices.
          Personal: PSK. Enterprise: 802.1x + RADIUS.

    WPA2: Long term solution (802.11i). Uses CCMP. Based on AES; hardware changes required.
          Personal: PSK. Enterprise: 802.1x + RADIUS.

  • SecurityTube.net

    WEP

    Probe Request-Response, Authentication RR, Association RR

    Static WEP Key    Static WEP Key

    Data Encrypted with Key

  • SecurityTube.net

    WPA: No Static Keys

    Probe Request-Response, Authentication RR, Association RR

    Static WEP Key    Static WEP Key

    Data Encrypted with Dynamically Generated Key

    Dynamic Key Generated First

    How are Dynamic Keys Created?

  • SecurityTube.net

    WPA/WPA2 PSK (Personal) Cracking

  • SecurityTube.net

    WPA Pre-Shared Key

    Passphrase (8-63)

    PBKDF2

    Pre-Shared Key 256 bit

  • SecurityTube.net

    PBKDF2

    Password Based Key Derivation Function, RFC 2898

    PBKDF2(Passphrase, SSID, ssidLen, 4096, 256)

    4096: Number of times the passphrase is hashed

    256: Intended Key Length of PSK
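The passphrase-to-PSK mapping on this slide, worked through as an added Python example (my code, not code from the talk or from SecurityTube). It uses the parameters the slide names (PBKDF2, salt = SSID, 4096 iterations, 256-bit output) with the HMAC-SHA1 underlying function that 802.11i specifies, checks the result against the known-answer vector from the IEEE 802.11i annex (passphrase "password", SSID "IEEE"), and shows why the SSID matters: the same passphrase under a different SSID gives an unrelated PMK. The "linksys" SSID and the `candidateNNNN` guesses are constructed values.

```python
import hashlib
import time

# Parameters of the WPA/WPA2-Personal passphrase-to-PSK mapping (IEEE 802.11i):
# PBKDF2 with HMAC-SHA1, salt = SSID, 4096 iterations, 256-bit (32-byte) output.
ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Map an 8-63 character ASCII passphrase and an SSID to the 256-bit PSK (= PMK)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)


def pmk_hex(passphrase: str, ssid: str) -> str:
    return derive_pmk(passphrase, ssid).hex()


# Known-answer vector published in IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
IEEE_VECTOR = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def ssid_acts_as_salt(passphrase: str = "password") -> bool:
    """The same passphrase under two SSIDs yields unrelated PMKs, so a PMK table built
    for one SSID says nothing about another.  "linksys" is a constructed SSID."""
    return pmk_hex(passphrase, "IEEE") != pmk_hex(passphrase, "linksys")


def guesses_per_second(samples: int = 25) -> float:
    """Rough single-core cost of one passphrase guess.  Each candidate costs a full
    PBKDF2 run (4096 iterations for each of the two SHA-1 output blocks), which is
    the bottleneck discussed in the later slides."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"candidate{i:04d}", "IEEE")   # constructed guesses
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    print("PMK(password, IEEE) =", pmk_hex("password", "IEEE"))
    print("matches 802.11i vector:", pmk_hex("password", "IEEE") == IEEE_VECTOR)
    print(f"~{guesses_per_second():.0f} PBKDF2 guesses/s on this core")
```

The throughput number is what the "bottleneck" and "speeding up" slides are about: a defender sizing a passphrase should assume an attacker with GPU or cloud hardware does orders of magnitude more than this single-core figure, and a unique SSID at least forces the PBKDF2 work to be redone per network.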

  • SecurityTube.net

    Let's Shake Hands: 4-Way Handshake

    Authenticator    Supplicant    Probe Request-Response, Authentication RR, Association RR

    Pre-Shared Key 256 bit    Pre-Shared Key 256 bit

    Message 1

    ANonce    ANonce

  • SecurityTube.net

    4 Way Handshake: Message 1

    Authenticator    Supplicant    Probe Request-Response, Authentication RR, Association RR

    Pre-Shared Key 256 bit    Pre-Shared Key 256 bit

    Message 1

    ANonce

    SNonce

    PTK

  • SecurityTube.net

    4 Way Handshake: Message 2

    Authenticator    Supplicant    Probe Request-Response, Authentication RR, Association RR

    Pre-Shared Key 256 bit    Pre-Shared Key 256 bit

    Message 1

    ANonce

    SNonce

    PTK    Message 2    SNonce

  • SecurityTube.net

    4 Way Handshake: Message 3

    Authenticator    Supplicant    Probe Request-Response, Authentication RR, Association RR

    Pre-Shared Key 256 bit    Pre-Shared Key 256 bit

    Message 1

    ANonce

    SNonce

    PTK    Message 2    SNonce + MIC

    Message 3

    Key Installation

    PTK

    Key Installed

  • SecurityTube.net

    4 Way Handshake: Message 4

    Authenticator    Supplicant    Probe Request-Response, Authentication RR, Association RR

    Pre-Shared Key 256 bit    Pre-Shared Key 256 bit

    Message 1

    ANonce

    SNonce

    PTK    Message 2    SNonce + MIC

    Message 3

    Key Installation

    PTK

    Message 4    Key Install Acknowledgement

    Key Installed

    Key Installed

  • SecurityTube.net

    Demo

    What does the Handshake look like?

  • SecurityTube.net

    A Quick Block Diagram

    Passphrase (8-63)

    PBKDF2 (SSID)

    Pre-Shared Key 256 bit

    SNonce ANonce AP MAC

    Client MAC

    4 Way Handshake

    PTK

  • SecurityTube.net

    WPA-PSK Dictionary Attack

    Passphrase (8-63)

    PBKDF2 (SSID)

    Pre-Shared Key 256 bit

    SNonce ANonce AP MAC

    Client MAC

    4 Way Handshake

    PTK

    Dictionary: Verify by Checking the MIC

  • SecurityTube.net

    Demo

    WPA/WPA2 Personal Cracking

  • SecurityTube.net

    Bottleneck in the WPA-PSK Dictionary Attack

    Passphrase (8-63)

    PBKDF2 (SSID)

    Pre-Shared Key 256 bit (PMK)

    SNonce ANonce AP MAC

    Client MAC

    4 Way Handshake

    PTK

    Dictionary: Verify by Checking the MIC

  • SecurityTube.net

    PBKDF2

    Requires SSID: List of commonly used SSIDs

    Requires Passphrase: Can be provided from a Dictionary

    PMK can be pre-computed using the above

  • SecurityTube.net

    Other Parameters in Key Cracking

    SNonce, ANonce, Supplicant MAC, Authenticator MAC vary per handshake and hence cannot be pre-calculated

    PTK will be different based on the above; MIC will be different as well

    Thus these cannot be pre-calculated in any way

  • SecurityTube.net

    Speeding up Cracking

    SNonce ANonce AP MAC

    Client MAC

    4 Way Handshake

    PTK

    Verify by Checking the MIC

    Pre-Shared Key 256 bit (PMK)

    Pre-Calculated List of PMKs for a: 1. Given SSID, 2. Dictionary of Passphrases
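The split these slides describe between what can be tabulated (the PMK, from SSID and passphrase) and what cannot (the PTK, which also depends on both MACs and both nonces), as an added Python example. This is my code, not the talk's or Pyrit's: it implements the 802.11i PRF-n and the PTK derivation from the standard, keeps a per-SSID PMK table, and runs two handshakes with different ANonces over the same PMK to show that the PMK is reusable while the KCK (the PTK part that authenticates the handshake MIC) is fresh each time. The MAC addresses and nonces are constructed, not taken from a capture.

```python
import hashlib
import hmac

PTK_LABEL = b"Pairwise key expansion"


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...,
    concatenated and truncated to nbits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, nbits=512):
    """PTK = PRF-n(PMK, "Pairwise key expansion",
                   min(AA, SPA) || max(AA, SPA) || min(ANonce, SNonce) || max(ANonce, SNonce)).
    nbits is 512 for TKIP and 384 for CCMP.  AA = authenticator (AP) MAC, SPA = supplicant MAC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, PTK_LABEL, data, nbits)


def split_ptk(ptk):
    """KCK protects the handshake MICs, KEK wraps the GTK in message 3, TK encrypts data."""
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


class PmkTable:
    """PMK precomputation for one SSID: the only stage whose inputs are known in advance."""

    def __init__(self, ssid, passphrases):
        self.ssid = ssid
        self.table = {p: hashlib.pbkdf2_hmac("sha1", p.encode(), ssid.encode(), 4096, 32)
                      for p in passphrases}

    def pmk(self, passphrase):
        return self.table[passphrase]


# Constructed handshake parameters, not values from a capture.
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE_1, SNONCE_1 = bytes(range(32)), bytes(range(32, 64))
ANONCE_2 = bytes(range(64, 96))   # a second handshake: fresh AP nonce, same PMK


def two_handshakes(ssid="IEEE", passphrase="password"):
    """Same SSID and passphrase, two handshakes: the PMK is reusable, the KCK is not."""
    table = PmkTable(ssid, [passphrase])
    pmk = table.pmk(passphrase)
    kck_1 = split_ptk(derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE_1, SNONCE_1))["KCK"]
    kck_2 = split_ptk(derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE_2, SNONCE_1))["KCK"]
    return {"pmk": pmk.hex(), "kck_1": kck_1.hex(), "kck_2": kck_2.hex()}


if __name__ == "__main__":
    for name, value in two_handshakes().items():
        print(f"{name}: {value}")
```

Because `min`/`max` order the MACs and nonces before hashing, the derivation is symmetric: it does not matter which side you call the authenticator, only that both values are present, which is why the rest of the pipeline has to be re-run per captured handshake rather than looked up.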

  • SecurityTube.net

    Platforms

    Multi-Cores, ATI-Stream, Nvidia CUDA. In the Cloud: Amazon EC2

  • SecurityTube.net

    Fast Cracking Demo

    Pyrit http://code.google.com/p/pyrit/

  • SecurityTube.net

    Demo

    Speeding up WPA/WPA2 Personal Cracking

  • SecurityTube.net

    In the Cloud EC2 Cluster Compute

  • SecurityTube.net

    AP-less WPA/WPA2 PSK Cracking

  • SecurityTube.net

    Understanding Clients

    SSID: default

    Client

    SSID            Credentials

    Default

    SecurityTube

    ProtectedAP     ********

  • SecurityTube.net

    An Isolated Client

  • SecurityTube.net

    Demo

    Isolated Client Behavior

  • SecurityTube.net

    Demo

    Creating a Catch All Honeypot

  • SecurityTube.net

    Cracking WPA with Only Client?

    Hacker Honeypot

    Supplicant    Probe Request-Response, Authentication RR, Association RR

    Pre-Shared Key 256 bit    Pre-Shared Key 256 bit

    Message 1

    ANonce

    SNonce

    PTK    Message 2    SNonce + MIC

    DeAuthentication

  • SecurityTube.net

    WPA-PSK Dictionary Attack

    Passphrase (8-63)

    PBKDF2 (SSID)

    Pre-Shared Key 256 bit

    SNonce ANonce AP MAC

    Client MAC

    4 Way Handshake

    PTK

    Dictionary: Verify by Checking the MIC

  • SecurityTube.net

    Demo

    WPA/WPA2 AP-less Cracking

  • SecurityTube.net

    WPA/WPA2 Personal: Safe for use in SMB with a Long + Random Passphrase?

  • SecurityTube.net

    WPA/WPA2 GTK Misuse Vulnerability (Hole 196)

  • SecurityTube.net

    PTK and GTK

    PTK1 GTK-Common

    PTK1 GTK-Common

    PTK1 GTK-Common

    Pairwise Transient Key (PTK): Unique per Client. Group Temporal Key (GTK): Same for All Clients

    Access Point

    Client 1    Client 2    Client 3

  • SecurityTube.net

    Abusing the GTK

    Insider Attack: Malicious Insider can gain access to the common GTK

    Use GTK to send traffic to Clients on behalf of the AP

    Multiple Attacks possible: MITM, Redirection, DoS

  • SecurityTube.net

    ARP Spoofing Attack

    Wired LAN

    Access Point

    User Laptop Malicious Insider

    1. Gateway ARP Update

  • SecurityTube.net

    DoS using Replay Attack Protection    PN = 1000    PN = 1000

    PN = 1001

    PN = 1500

    PN = 1001

    PN = 1500

    PN = 1002

    Malicious Insider
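The replay-protection DoS sketched in the PN sequence above, as an added simulation (my code, not the talk's). A client keeps one replay counter per transmitter for group traffic and drops any frame whose packet number (PN) is not larger than the last one accepted. An insider who holds the shared GTK can encrypt a valid group frame with the AP's address and a far-ahead PN; every later frame from the real AP then looks like a replay and is silently discarded. The addresses and PN values are constructed to mirror the slide, and the PN-jump detector at the end is my own monitoring heuristic, not something the talk proposes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    transmitter: str   # address the frame claims to come from (the AP for group traffic)
    pn: int            # CCMP packet number (replay counter) carried in the frame header
    payload: str


class GroupReceiver:
    """Client-side replay protection for GTK-encrypted group traffic: a frame is
    accepted only if its PN is greater than the last PN accepted from that transmitter."""

    def __init__(self):
        self.last_pn = {}
        self.accepted = []
        self.dropped = []

    def receive(self, frame):
        if frame.pn <= self.last_pn.get(frame.transmitter, -1):
            self.dropped.append(frame)   # treated as a replay and discarded without any error
            return False
        self.last_pn[frame.transmitter] = frame.pn
        self.accepted.append(frame)
        return True


AP = "00:11:22:33:44:55"   # constructed AP address

# Constructed frame sequence mirroring the slide: the AP sends PN 1000 and 1001, an
# insider holding the GTK injects a frame with the AP's address and PN 1500, then the
# AP's own PN 1002 and 1003 follow and are dropped by every client that saw the forgery.
SEQUENCE = [
    Frame(AP, 1000, "legit broadcast"),
    Frame(AP, 1001, "legit broadcast"),
    Frame(AP, 1500, "forged by insider using the shared GTK"),
    Frame(AP, 1002, "legit broadcast"),
    Frame(AP, 1003, "legit broadcast"),
]


def run_scenario(frames=SEQUENCE):
    """Return (accepted PNs, dropped PNs) as seen by one client."""
    rx = GroupReceiver()
    for f in frames:
        rx.receive(f)
    return [f.pn for f in rx.accepted], [f.pn for f in rx.dropped]


def pn_jump_alerts(frames, max_gap=100):
    """Monitoring heuristic (my assumption, not from the talk): group-traffic PNs from a
    genuine AP advance in small steps, so a jump larger than max_gap between consecutive
    frames from the same transmitter is worth an alert as possible GTK misuse."""
    last = {}
    alerts = []
    for f in frames:
        prev = last.get(f.transmitter)
        if prev is not None and f.pn - prev > max_gap:
            alerts.append((f.transmitter, prev, f.pn))
        last[f.transmitter] = f.pn
    return alerts


if __name__ == "__main__":
    print("accepted/dropped:", run_scenario())
    print("alerts:", pn_jump_alerts(SEQUENCE))
```

The forged frame carries a correct MIC under the GTK, so the client itself has no way to tell it from the AP's traffic; that is why the usual mitigation is at the AP (client isolation, so stations never receive each other's frames) and in wireless monitoring rather than on the client.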

  • SecurityTube.net

    WPS Attack

  • SecurityTube.net

    What's Wrong with WPS?

    images from Google Image Search

  • SecurityTube.net

    WPS Bruteforce Demo

    Demonstration

  • SecurityTube.net

    Windows 7 Wi-Fi Backdoors

  • SecurityTube.net

    Available Windows 7 and Server 2008 R2 onwards. Virtual adapters on the same physical adapter. SoftAP can be created using virtual adapters.

    DHCP server included. With this feature, a Windows computer can use a single physical wireless adapter to connect as a client to a hardware access point (AP), while at the same time acting as a so

  • SecurityTube.net

    Creating a Hosted Network

  • SecurityTube.net

    Client still remains connected to hard AP!

  • SecurityTube.net

    Demo of Hosted Network

    Demonstration

  • SecurityTube.net

    Wi-Fi Backdoor

    Easy for malware to create a backdoor. The key could be: Fixed, or Derived based on MAC address of host, time of day etc.

    As host remains connected to authorized network, user does not notice a break in connection

    No Message or Prompt displayed

  • SecurityTube.net

    Makes a Rogue AP on every Client!

    Rogue AP Rogue AP

    Rogue AP

  • SecurityTube.net

    Why is this cool?

    Victim will never notice anything unusual unless he visits his network settings; has to be decently technical to understand

    Attacker connects to victim over a private network: no wired side network logs (firewalls, IDS, IPS). Difficult, if not impossible, to trace back. Difficult to detect even while attack is ongoing :)

    Abusing legitimate feature, not picked up by AVs, Anti-Malware

    More Stealth? Monitor air for other networks; when a specific network comes up, then start the Backdoor
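The slides above explain why a hosted network is a quiet backdoor: nothing on the wired side sees it. The place it does leave a trace is the host's own hosted-network state, which `netsh wlan show hostednetwork` reports. The following is an added Python check (my code, not the talk's) that parses that output and grades the result; the two outputs embedded below are constructed samples in the format `netsh` prints, not captures from a real machine. The remediation commands quoted in the findings (`netsh wlan set hostednetwork mode=disallow`, `netsh wlan stop hostednetwork`) are the standard Windows ones.

```python
import re

# Constructed sample of `netsh wlan show hostednetwork` output on a host where a hosted
# network has been created and started (SSID, BSSID and counts are made up).
SAMPLE_OUTPUT = """\
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "Free_WiFi"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : 02:11:22:33:44:55
    Radio type             : 802.11n
    Channel                : 6
    Number of clients      : 1
"""

# Constructed baseline from a host where the feature has been disallowed.
CLEAN_OUTPUT = """\
Hosted network settings
-----------------------
    Mode                   : Disallowed
    Settings               : <Not configured>

Hosted network status
---------------------
    Status                 : Not available
"""

# "    Key   : value" lines; section headers and dashed rules carry no colon and are skipped.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_hostednetwork(text):
    """Turn the netsh key/value listing into a dict (later duplicates overwrite earlier)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def assess(text):
    """Return (severity, findings): 'high' if a hosted network is running, 'medium' if
    the feature is merely allowed, 'ok' otherwise."""
    f = parse_hostednetwork(text)
    findings = []
    if f.get("Status", "").lower() == "started":
        findings.append(
            f"hosted network running: SSID {f.get('SSID name', '?')} on BSSID "
            f"{f.get('BSSID', '?')}, {f.get('Number of clients', '?')} client(s); "
            "stop with: netsh wlan stop hostednetwork")
    if f.get("Mode", "").lower() == "allowed":
        findings.append("hosted network mode is Allowed; disable with: "
                        "netsh wlan set hostednetwork mode=disallow")
    if any(x.startswith("hosted network running") for x in findings):
        return "high", findings
    return ("medium", findings) if findings else ("ok", findings)


if __name__ == "__main__":
    # On a real host: subprocess.run(["netsh", "wlan", "show", "hostednetwork"], capture_output=True, text=True).stdout
    for label, out in (("infected sample", SAMPLE_OUTPUT), ("clean sample", CLEAN_OUTPUT)):
        print(label, assess(out))
```

Run from an endpoint-management job, the `Mode` line alone is a useful inventory signal: a fleet where every client reports `Disallowed` has removed the feature the backdoor relies on, and any host that later flips back to `Allowed` is worth a closer look.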

  • SecurityTube.net

    Demo of Metasploit + Hosted Network

    Demonstration

  • SecurityTube.net

    WPA-Enterprise

  • SecurityTube.net

    WPA-Enterprise

    Association

    Authenticator    Supplicant

    Authentication Server

    EAPoL Start

    EAP Request Identity    EAP Response Identity

    EAP Request Identity

    EAP Packets

    EAP Packets    EAP Success

    EAP Success    PMK to AP

    4 Way Handshake

    Data Transfers

  • SecurityTube.net

    WPA/WPA2 Enterprise

    EAP Type    Real World Usage

    PEAP        Highest

    EAP-TTLS    High

    EAP-TLS     Medium

    LEAP        Low

    EAP-FAST    Low

  • SecurityTube.net

    PEAP

    Protected Extensible Authentication Protocol. Typical usage: PEAPv0 with EAP-MSCHAPv2 (most popular)

    Native support on Windows. PEAPv1 with EAP-GTC

    Other uncommon ones: PEAPv0/v1 with EAP-SIM (Cisco)

    Uses Server Side Certificates for validation. PEAP-EAP-TLS additionally uses Client side Certificates or Smartcards; supported only by Microsoft

  • SecurityTube.net Source: Layer3.wordpress.com

  • SecurityTube.net

    Understanding the Insecurity

    Server side certificates: Fake ones can be created. Clients may not prompt, or user may accept invalid certificates

    Setup a Honeypot with FreeRadius-WPE. Client connects, accepts fake certificate, sends authentication details over MSCHAPv2 in the TLS tunnel. Attacker's radius server logs these details. Apply dictionary / reduced possibility bruteforce attack using Asleap by Joshua Wright

  • SecurityTube.net

    Network Architecture

    BT5 VM

    FreeRadius-WPE + Wireshark 1

    eth1

    mon0    Wireshark 2

    Honeypot AP setup by Attacker

  • SecurityTube.net

    PEAP Cracking with Honeypot

    Demonstration

  • SecurityTube.net

    Windows PEAP Hacking Summed Up in 1 Slide :)

  • SecurityTube.net

    EAP-TTLS

    EAP-Tunneled Transport Layer Security. Server authenticates with Certificate. Client can optionally use Certificate as well. No native support on Windows; 3rd party utilities to be used

    Versions: EAP-TTLSv0, EAP-TTLSv1

  • SecurityTube.net

    Inner Authentication in EAP-TTLS

    MSCHAPv2, MSCHAP, CHAP, PAP
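The "Understanding the Insecurity" slide and the EAP-TTLS inner-method list above both reduce to the same supplicant-side defect: the client tunnels an MSCHAPv2 (or PAP/CHAP) credential to whichever server it accepted a certificate from. The following is an added Python lint (my code, not the talk's) over two constructed `wpa_supplicant` network blocks: a weak one with no CA or server-name check beside a hardened one that pins `ca_cert` and `domain_suffix_match`. The option names are real `wpa_supplicant.conf` keys; the SSID, identity, password, CA path and RADIUS hostname are made up.

```python
# Constructed wpa_supplicant network block: trusts whatever certificate the RADIUS server
# presents, so a FreeRADIUS-WPE style honeypot receives the MSCHAPv2 exchange.
WEAK_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed hardened block: CA pinned, server name checked, real username kept inside the tunnel.
HARDENED_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

TUNNELED = {"PEAP", "TTLS"}                       # outer methods that rely on server-certificate trust
WEAK_INNER = {"PAP", "CHAP", "MSCHAP", "MSCHAPV2", "GTC"}   # inner methods a rogue server can capture
SERVER_NAME_KEYS = ("domain_suffix_match", "subject_match", "altsubject_match")


def parse_networks(conf):
    """Minimal parser: one dict per network={...} block, quotes stripped from values."""
    blocks, cur = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("network={"):
            cur = {}
        elif line == "}" and cur is not None:
            blocks.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip().strip('"')
    return blocks


def lint_network(net):
    """Return the list of findings for one network block (empty list = acceptable)."""
    findings = []
    if net.get("key_mgmt") != "WPA-EAP" or net.get("eap") not in TUNNELED:
        return findings
    if "ca_cert" not in net:
        findings.append("no ca_cert: any server certificate is accepted")
    if not any(k in net for k in SERVER_NAME_KEYS):
        findings.append("no domain_suffix_match/subject_match: any certificate from a trusted CA passes")
    inner = net.get("phase2", "").replace("auth=", "").replace("autheap=", "").upper()
    if inner in WEAK_INNER and findings:
        findings.append(f"inner {inner} credential reaches whichever server the tunnel was opened to")
    if "anonymous_identity" not in net:
        findings.append("no anonymous_identity: real username is sent in the clear in EAP-Response/Identity")
    return findings


def lint_conf(conf):
    return [lint_network(n) for n in parse_networks(conf)]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_conf(conf))
```

The same two checks (a pinned CA and a server-name match) are what the Windows PEAP profile exposes as "Validate server certificate" and "Connect to these servers"; a profile with either box unticked is the weak block above in a different syntax.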

  • SecurityTube.net

    EAP-TTLS Cracking with Honeypot

    Demonstration

  • SecurityTube.net

    Leverage the Cloud

  • SecurityTube.net

    EAP-TLS Peace of Mind!

    Strongest security of all the EAPs out there. Mandates use of both Server and Client side certificates

    Required to be supported to get a WPA/WPA2 logo on product

    Unfortunately, this is not very popular due to deployment challenges

  • SecurityTube.net

    SecurityTube Wi-Fi Security DVD

    http://www.securitytube.net/