
Attacks on wireless networks. Part 3. WPA

This article continues the previous two articles in the series.
In this third part of the series on attacks on wireless networks, we look at attacks on a protocol that until recently was considered fairly secure: WPA.


1. WPA-TKIP

For more than a week, the attention of the computer press and some of the mainstream media has been riveted to a new vulnerability in the WPA-TKIP protocol, discovered by the researchers and aircrack-ng team members Martin Beck and Erik Tews. We will try to answer the question: does this really mean the collapse of yet another wireless security system?

Actually, things are not so bad, because exploiting the vulnerability does not recover the primary key. You can only recover the key used for integrity checking (the MIC key) and a keystream. With these, and without knowing the primary key, it becomes possible to inject packets into the network. Packets are received back using a scheme similar to easside-ng.

This vulnerability can already be tested using the tkiptun-ng test program, added to the unstable aircrack-ng branch a few days ago. Full usage instructions are promised soon. So far, only this much is known: to launch the attack, you need to change your adapter's MAC to the MAC of the client being attacked. Also, the attacked access point must support QoS or WMM, use WPA + TKIP (not AES), and its temporal key rekey interval must be more than 3600 seconds. If all of this is present, you can run:

tkiptun-ng -h <MAC adapter> -a <MAC access point> -m 80 -n 100 <interface>

After successful execution, you will receive a keystream with which you can build packets and inject them into the network.

Currently, the functionality of tkiptun-ng is limited to this. It is not enough to declare WPA-TKIP broken, but there is reason to think about a complete transition to WPA2, which is not affected by this vulnerability.

2. Classic WPA Hacking

The second method is much older; the first attempts to implement it appeared in 2004 with the release of the cowpatty program. The essence of the attack is enumerating all possible key combinations until the key is found. The method is guaranteed to succeed eventually, but if the key is long enough and not in any dictionary, you can consider yourself protected from this attack. In this way, both WPA-TKIP and WPA2-CCMP networks are cracked, but only in PSK mode. This attack is built into the aircrack-ng package.

First you need to capture a client authentication (the handshake) in order to recover the primary key from it. The easiest way is to run airodump-ng and wait for a client to authenticate, or to launch a deauthentication attack ( aireplay-ng -0 <number of deauthentications> ).

After a while, airodump-ng will show that the handshake has been captured and written to a file. After that, you just need to run aircrack-ng <handshake capture file> and wait. You can speed up the process with a large dictionary of frequently used words. Specialized microcontrollers or, as we described earlier, video cards will speed it up further. Without this, going through all possible keys would take far too long.

So, as before, we recommend using only WPA2 with a fairly long and unusual key.
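The two conditions above (TKIP with a long rekey interval, and a short or dictionary PSK) can be checked on the access point side. The following audit script is an added example, not part of the original article: it parses a hostapd.conf and flags those settings. The hostapd option names are real; the two sample configs, the word list and the 20-character minimum are constructed assumptions.

```python
# Audit a hostapd.conf for the weaknesses discussed above. Key names are real
# hostapd options; both sample configs and the word list are constructed.
REKEY_LIMIT = 3600      # the article: TKIP attack needs a rekey interval > 3600 s
MIN_PASSPHRASE = 20     # assumption: our own threshold for "long enough"
COMMON_WORDS = {"password", "qwerty", "letmein", "12345678"}  # constructed
WEAK_CONF = """\
ssid=office
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_group_rekey=86400
wpa_passphrase=password
"""
HARDENED_CONF = """\
ssid=office
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_group_rekey=600
wpa_passphrase=correct-horse-battery-staple-7Qz
"""

def parse_hostapd(text):
    """Return key=value pairs, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    c = parse_hostapd(text)
    findings = []
    ciphers = (c.get("wpa_pairwise", "") + " " + c.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher enabled; use CCMP (WPA2) only")
    # hostapd defaults: wpa_group_rekey=600 s, wpa_ptk_rekey=0 (never rekey)
    for key in ("wpa_group_rekey", "wpa_ptk_rekey"):
        seconds = int(c.get(key, "600" if key == "wpa_group_rekey" else "0"))
        if "TKIP" in ciphers and (seconds == 0 or seconds > REKEY_LIMIT):
            findings.append(f"{key}={seconds}: TKIP keys live longer than {REKEY_LIMIT} s")
    psk = c.get("wpa_passphrase", "")
    if "WPA-PSK" in c.get("wpa_key_mgmt", "") and (
            len(psk) < MIN_PASSPHRASE or psk.lower() in COMMON_WORDS):
        findings.append("PSK passphrase is short or a dictionary word")
    return findings
```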

Author: Kozhara Yaroslav, Glaive Security Group

UPD. Publication date: November 23, 2008

Source: https://habr.com/ru/post/50454/
