😈Wireless Security Protocols😈

########################
##[WEP, WPA, WPA2 and WPA3]##
########################

A very short overview of Wireless Security Protocols including WEP, WPA, WPA2 and
WPA3. For each of them we’ll try to point out both their strengths and weaknesses
and describe some of the possible attacks.

Jump on specific Wireless Security Protocol:

1●WEP – Wired Equivalent Privacy

2●WPA – Wi-Fi Protected Access

3●WPA2 – Wi-Fi Protected Access II

4●WPA3 – Wi-Fi Protected Access

=====================================

1. WEP [Wired Equivalent Privacy]

Wired Equivalent Privacy:

Wired Equivalent Privacy (WEP), introduced as part of the original 802.11 standard
ratified in 1997, it’s probably the most used WiFi Security protocol out there.
It’s pretty recognizable by its key of 10 or 26 hexadecimal digits (40 or 104
bits). In 2004, both WEP-40 and WEP-104 were declared deprecated. There were 128-
bit (most common) and 256-bit WEP variants, but with ever increasing computing
power enable attackers to exploit numerous security flaws. All in all, this
protocol is “dead”.

It uses the RC4 cipher to ensure privacy and a CRC-32 Checksum to ensure integrity
of the data transmitted. First, a secret key k is shared between the users of the
network (not specified how by the protocol)

To send a message M, one has to compute the integrity checksum c(M) of the message
and concatenate it: one has now M.c(M). Then, one encrypts <M.c(M)> by XORing it
with a RC4 stream generated by k and a public initialisation vector (IV) of 24
bits, named v. We note it RC4 (v, k).

The result C =<M.c(M)> ⊕ RC4(v, k) is sent to the network, and the user who knows k
can get the message by XORing C with RC4(v, k).

●The RC4 stream cipher used by WEP is based upon two algorithms:

○The first one being RC4-Key Scheduled Algorithm (KSA), which transforms a key of
length 1 to 256 bits into a initial permutation S of the numbers 0 to N. The
internal state of RC4 consists of two numbers i and j used as pointers to elements
of S.

○The second algorithm is RC4-Pseudo Random Generation Algorithm (PRGA). It

generates a single byte of keystream from the current internal state of RC4 and
then updates the internal state. Originally, N=255, but the algorithm can work with
different values of N.

○With CRC32 original message is XORed with a constant of 32 bits followed by as

many 0 as necessary to reach the length of the message. The result becomes the new
“message” and the operation is repeated until the length of the result is under the
length of the constant. It is important to note that this hash function is linear
and unkeyed.

●WEP Attacks:

○Packet Injections

○Fake Authentication

○FMS Attack, statistical, 2001

○KoreK Attack, statistical, 2004

○ChopChop Attack, fake ARP, 2004

○Fragmentation Attack, fragmentation, 2005

○PTW Attack (Pychkine, Tews, Weinmann) , statistical, 2007

Packet Injection=>

This allows an outsider to generate a large amount of traffic on a network without

being associated to it in any way. First, he must capture a packet of specific
type. Although hidden behind encryption, packet type can be easily guessed based on
packet size.

An ARP request packet is always 28 bytes. By re-injecting it into the network, AP

will respond to this forged request sending out packets to legitimate clients.
Additional traffic is used to gather encrypted packets faster, and with more
packets more the chance he’ll break the WEP faster.

Fake Authentication=>

Fake Authentication attack allows an attacker to join a WEP protected network even
if he doesn’t know the root key. There are two ways a client can authenticate
itself in an WEP protected network:

○Fake Authentication attack allows an attacker to join a WEP protected network even
if he doesn’t know the root key. There are two ways a client can authenticate
itself in an WEP protected network:

○The first method is Open System authentication, basically unprotected.

The second method is called Shared Key authentication. This one uses the secret
root key and a challenge-response authentication. Client asks AP to connect, AP
sends a frame containing a challenge (random byte string, cleartext) and the client
answers with a WEP encrypted frame. If ok, AP answers back with success.

Attacker who sniffs out that handshake can join the network itself. Besides AP
challenge, all bytes in 3rd frame are constant. Challenge is transmitted in
cleartext in 2nd frame, so attacker can recover key stream (and IV) which is used
to encrypt 3rd frame. With that he can now initiate authentication handshake and
construct a valid frame (num. 3).

FMS Attack=>

Released in 2001 by Fluhrrer, Mantin and Shamir, it’s based on RC4 weakness
combined with the awarness of IV (Initialization Vector or a nonce, 3 bytes of the
per packet key).
Attacker can perform a manupulation on RC4, enabling him to guess a byte of the key
(5% probability). If key is wrong, attacker retries with a new key. To reach 50%
success rate, attacker will need to capture a lot of packets (up to 6 million).

If we know first “l” bytes of the per packet key, we can simulate “l” first steps
of RC4-KSA. Don’t want to go too deep in the math here, basically next byte of key
depends (is somewhat related) on the current one and that can be used to check if
we’re on the right track. With each iteration we’re getting one more byte of key,
eventually testing it. If it’s wrong, byte of the key is being switched with
another probable value and process is restarted.

KoreK Attack=>

This one is based on FMS attack (first appeared on netstumbler forum, 2004), but
lets attacker finds the key faster.

ChopChop Attack=>

Also found by “KoreK”, and opposed to exploiting a weakness in RC4, it attacks WEP
protocol itself (CRC32 checksum and the lack of replay protection). It gives an
attacker the ability to decryt a packet without knowing the key.

Flipping a bit in the cipher text and then calculating which bit in encrypted CRC32
value must be flipped so that the packet is still valid. Frequently mentioned is
approach is to take away last byte and try to guess its value.

By injecting the altered packet back into the network, packet ends up as invalid
because of incorrect ICV. The attacker can make it valid by XORing it with the
value that depends on the truncated byte (0-255). The attacker can bruteforce that
value. When found, AP (Access Point) will return the packet into the network.
Knowing this value, the attacker can calculate the byte of plaintext (and the
keystream). By repeating this operation, the attacker is able to decrypt a packet,
getting both plaintext and keystream without main password.

Fragmentation Attack=>

Great attack to run if there are no clients currently connected to the access
point. Similar to ChopChop attack it speeds up cracking process by injection
arbitrary packets into AP. It’s going to generate enough traffic to capture large
number of IVs improving your chance of cracking the key (aircrack-ng). The
“aireplay-ng” & “packetforge-ng” are standard toolkit for this attack.

Released by Bittau in 2005. By sniffing the packets, attacker can find/guess first
8 bytes of clear text. By XORing these 8 bytes with 8 corresponding bytes of cipher
text, he can obtain 8 bytes of keystream for a specific IV. Now, he can’t use that
to send whole packet, but WEP allows him to send a single packet in up to 16
fragments. So, the attacker now uses those 8 bytes of keystream to broadcast a
packet containing 64 bytes of known text in 16 fragments. AP on the receiving end
takes those fragments, deciphers & combines them into a single packet, encrypting
it and send it back to the network.

This packet is now 68 bytes long (64 bytes of known text, and 4 bytes ICV). Using
XOR, the attacker gets 68 bytes of keystream for a give IV. Repeating this over and
over again, attacker can get up to 1500 bytes of keystream for a IV. When he gets
that, it’s easy to get keystream of other IVs, simply by sending a broadcast packet
of 1500 bytes to AP. The AP will relay this encrypted with a new IV.

As C ⊕ M = K the attacker can get the keystream for other IVs and build a
dictionnary, allowing him to decipher packets on the network and create traffic.

PTW Attack=>

The Pyshkin Tews Winmann (PTW) attack, released in 2007.

What makes PTW powerful than all the other attacks is the fact it can make use of
every packet captured. It implements a key ranking strategy which instead of trying
all possible combinations of the key, picks a set number of likely keys and
continues the RC4 algorithm based on those. Using different voting strategies the
attacker can pick the most likely key byte at each decision in the tree to
determine the correct key.

The tests showed that only 35,000 to 40,000 packets were required to get a 50%
succes probability. Other sources state that we can get a probability of 95% with
85,000 frames.

The PTW attack is the default method used by Aircrack-ng to crack WEP keys.
=====================================

2. WPA [Wi-Fi Protected Access]

Wi-Fi Protected Access:

Wi-Fi Protected Access (WPA), became available in 2003, and it was the Wi-Fi
Alliance’s direct response and replacement to the increasingly apparent
vulnerabilities of the WEP encryption standard. The most common WPA configuration
is WPA-PSK (Pre-Shared Key). The keys used by WPA are 256-bit, a significant
increase over the 64-bit and 128-bit keys used in the WEP system.

Note: WPA-PSK basicaly means that Wi-Fi network has a password that is shared by
every single Wi-Fi network client.
WPA included message integrity checks (to determine if an attacker had
captured/altered packets passed between the access point and client) and the
Temporal Key Integrity Protocol (TKIP). TKIP employs a per-packet key system that
was radically more secure than the fixed key system used by WEP. The TKIP
encryption standard was later superseded by Advanced Encryption Standard (AES).

TKIP uses the same underlying mechanism as WEP, and consequently is vulnerable to a
number of similar attacks (e.g. Chop-Chop, MIC Key Recovery attack).

Usually people don’t attack WPA protocol directly, but supplementary system that
was rolled out with WPA – Wi-Fi Protected Setup (WPS).

Note: TKIP (temporal Key Integrity Protocol) – The RC4 stream cipher is used with a
128-bit per-packet key, meaning that it dynamically generates a new key for each
packet. Although still used, it’s considered obsolete after being replaced by CCMP
in 2009.

●WPA Attacks:

○Back and Tews’ Improved Attack on RC4, 2008, Inject

○Ohigashi-Morii Attack (Beck and Tews’ + Man in the middle), 2009, inject

○Michael Attacks, 2010, inject

○THe Hole196 Vulnerability, 2010, inject/dos/MITM

○Dictionary Attack against the handshake,key recovery

Back and Tews’ Attack=>

Released in 2008, exploits weakness in TKIP, allowing an attacker to decrypt ARP

packets and to inject traffic into a network, enabling a DoS or ARP poisoning.

Attack “requires” Quality of Service (QoS) to be enabled (practical aspect). That

allows several channels to be used. Each channel has its own TSC (TKIP Sequence
Counter). Channel 0 holds most of the traffic, other channels will have lower TSC.
Attack requires Key Renewal Interval to be longer than 15 min (time needed to
decrypt an ARP packet).

Attacker de-authenticates a station, then captures ARP packet. Next, he’ll perform
a modified ChopChop attack to recover ICV (Integrity Check Value) and MIC of the
packet. With that, attacker needs to guess the last part of the packet, IP address.
Finaly, he reverses MICHAEL algorithm and get MIC key. With that he can now inject
custom packet into the network.
}
{Defence: Disable QoS.}

Ohigashi-Morii Attack=>

From 2009, an improvement of the Beck-Tews attack on WPA-TKIP, more efficient for
all modes of WPA and not just those with QoS features.

Michael Attack=>

In 2010, Beck found that if the internal state of Michael reaches a certain point,
the Michael algorithm resets. With that, an attacker can inject some text in a
packet, add a string that resets Michael algorithm. Packet is changed but the
Michael’s result remains correct. Apparently, requirements of this attack are even
tighter compared to “Beck and Tews”.

The Hole196=>

In 2010, Sohail Ahmad found a hole in 802.11. This is a MITM attack, not a key-
recovering attack. The attacker has to be an authorized user of the network.

Two types of keys for data encryption:

○Pairwise Transient Key (PTK) – used to protect unicast data frames

○Group Temporal Key (GTK) – used to protect group addressed data frames (e.g.
broadcast ARP frames)

Attacker sends an ARP request (with his MAC and IP address of the AP), so the other
clients update their ARP tables. With that, all clients will send their packets to
the attacker. Attacker will receive packets decrypted by the AP, re-encrypting them
with his own key. Everyone can build and broadcast fake packets with GTK. Messages
sent with group keys, don’t have protection against spoofing.

The point of the attack is to send a message with a GTK key but directed to a
target MAC instead of a broadcasting MAC address (Detectable). By doing this in a
kinda “stealthy” way, only the victim will process that broadcast packet ( unless
the ARP table has static resolution for the MAC of the gateway), ending up with IP
poisoning, replacing the router.

●Possibilities:
○ARP Poisoning/MITM

○Buffer overflow

○Malware Injection

○WDoS

Defense : For enterprises client Isolation (PSPF) + endpoint security (ARP

poisoning detector like Snort or similar).<
=====================================
3. WPA2 [Wi-Fi Protected Access II]

Wi-Fi Protected Access II:

Of course, WPA2 replaced WPA. Certification began in September, 2004 and from March
13, 2006 it was mandatory for all new devices to bear the Wi-Fi trademark. Most
important upgrade is mandatory use of AES algorithms (instead of previous RC4) and
the introduction of CCMP (AES CCMP, Counter Cipher Mode with Block Chaining Message
Authentication Code Protocol, 128 Bit) as a replacement for TKIP (which is still
present in WPA2, as a fallback system and WPA interoperability).

As in previous version, attack on WPS is the most frequent one.

Note: WPA/WPA2 MGT (Management) means that the password is not a pre-shaed key,
instead authentication service is used, usually a RADIUS service which verifies
username/password of the Wi-Fi network client. MGT is most often tied to
corporate/professional environments.

●WPA2 Attacks:

○KRACK Attack

○PMKID Attack (PSK)

○WPS Attack

○Brute-force/Dictionary attack

○Hole 196

KRACK Attack=>

Discovered by Mathy Vanhoef and Frank Piessens in 2016. It’s a severe replay
attack.

The attack targets the four-way handshake used to establish a nonce (a kind of
“shared secret”) in the WPA2 protocol. The standard for WPA2 anticipates occasional
WiFi disconnections, and allows reconnection using the same value for the third
handshake (for quick reconnection and continuity). Because the standard does not
require a different key to be used in this type of re-connection, which could be
needed at any time, a replay attack is possible.

Defense : access points have configuration options that can disable EAPOL-Key frame
re-transmission during key installation.

Useful: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2

PMKID attack (PSK)=>

New exploit was anounced on August 4th, 2018, for Wi-Fi networks that use WPA/WPA2-
PSK (pre-shared key). The vulnerability allows attackers to obtain the PSK being
used for the particular SSID.

The attack was discovered accidentally while looking for new ways to attack the new
WPA3 security standard.

The main difference compared to other attacks is that in this attack, capture of a
full EAPOL 4-way handshake is not required. The new attack is performed on the RSN
IE (Robust Security Network Information Element) of a single EAPOL frame.

●The main advantages of this attack are as follow:

○No more regular users required – because the attacker directly communicates with
the AP (aka “client-less” attack).

○You wont need to wait for a complete 4-way handshake between the regular user and
the AP.

○No more eventual retransmissions of EAPOL frames (which can lead to uncrackable
results) and invalid passwords sent by the regular user.
There wont be lost EAPOL frames when the regular user or the AP is too far away
from the attacker.

○No more fixing of nonce and replay counter values required (resulting in slightly
higher speeds).

○No more special output format (pcap, hccapx, etc.) – final data will appear as
regular hex encoded string.

WPS Attack=>

WPS was introduced in 2006, and the goal of the protocol is to allow home users who
know little of wireless security to set up Wi-Fi Protected Access, as well as
making it easy to add new devices to an existing network without entering long
passphrases.

In December 2011 a flaw was revealed that affects wireless routers with the WPS
feature. That flaw allows a remote attacker to recover the WPS PIN in a few hours
with a brute-force attack and, with the WPS PIN, the network’s WPA/WPA2 pre-shared
key.

WPS enables client to send 8 digit pins to the access point, which verifies it and
then allows the client to connect. Pin contains only numbers, with WPS there’s a
delay because attacker needs to wait for AP response. So, attacker can try a few
keys per second (or one key per few seconds).

We have here 8 digits with 10 numbers, 108 (100.000.000). That’s too much. The 8th
digit is checksum of first 7 digits, so we have 107. Furthermore, the pin number
for verification goes in two halves, so we can independently verify the first 4 and
the last 4 digits. It’s far easier to guess 4 digits 2x than 8 digits 1 at once.
Finaly, math ends up with: 104 + 103 = 11,000 guesses.
While this tactic used to take a number of hours, the newer WPS Pixie-Dust attack
can crack networks in seconds. Since 2011, many routers now have protections to
detect and slow down (rate-limiting) or shut down a Reaver-type attack (lock with
too many failed PIN attempts).
Routers updated some settings to prevent WPS, but flaws still existed in the way
they implement encryption. It’s relatively difficult to create truly random
numbers, which is required to produce strong encryption. To achieve this, there’s
usually a function that takes “seed” and produces a pseudo-random number.

If there’s a use of long or varying “seed” number, you can get same result as a
number that’s actually random, but if you use an easily guessed “seed”, or even
worse, the same one again and again, you end up with weak encryption that’s easy to
break. This is what happened with those updated routers, the thing that WPS Pixie-
Dust attack exploits.

Defense : Use long passwords (12+) and different charsets (alphanum, special chars,
upper/lower case).

Brute-Force/Dictionary attack=>

This relies on capturing a WPA handshake, and then using a wordlist or brute-force
to try and crack the password. Depending on the password strength (length,
charset), it can be difficult or impossible to break it in a “reasonable” amount of
time.

Defense : Use long passwords (12+) and different charsets (alphanum, special chars,
upper/lower case)
======================================
4. WPA3 [Wi-Fi Protected Access III]

Wi-Fi Protected Access III:

In January 2018, the Wi-Fi Alliance announced WPA3 as a replacement to WPA2. The
new standard uses 128-bit encryption in WPA3- Personal mode (WPA-PSK, pre-shared
key) or 192-bit in WPA3 – Enterprise (RADIUS authentication server).

WPA3 will be much harder to attack because of its modern key establishment protocol
called “Simultaneous Authentication of Equals” (SAE) or the Dragonfly Key Exchange.
SAE improves security of the initial key exchange and offers better protection
against offline dictionary-based attacks.

WPA3 had claimed to be better than WPA2 in various ways like protecting from
offline dictionary attacks and forward secrecy, and WPA3 certification also was
aiming at making Wi-Fi network more secure. Whereas, the study revealed that there
have been many design flaws in WPA3 and these flaws have been analyzed
theoretically as well as empirically.

To obtain the password of the Wi-Fi network, hackers can either leverage cache-
based side channel leak or the timing. According to researchers, this technique can
be used to steal other sensitive information that is transmitted including the
passwords, emails, chat messages or even credit card numbers.

These password attacks can affect the dragonfly or Simultaneous Authentication of

Equals (SAE) handshake of WPA3. These attacks are of similar to the dictionary
attacks, and allow the hackers to steal passwords by abusing the cache-based side-
channel leaks or the timing.

The password encoding method of the protocol is targeted through the side-channel
attacks, as SAE's hash-to-curve algorithm is exploited through the cache-based
attack.

The denial-of-service attack has also been discovered by the researchers in which
various handshakes are initiated through WPA3 enabled Access Point.
Vulnerabilities=>

Hackers found that the Wi-Fi firmware of Cypress chips only executes 8 iterations
at minimum to prevent side-channel leaks. Although this makes attacks harder, it
does not prevent them. This strengthens our hypothesis that the backwards-
compatible countermeasures against our attacks are too costly for lightweight
devices.

■CVE-2019-13377: Timing-based side-channel attack against WPA3's Dragonfly

handshake when using Brainpool curves.

■CVE-2019-13456: Information leak in FreeRADIUS' EAP-pwd due to aborting when

needing more than 10 iterations.

The EAP-pwd protocol internally also uses Dragonfly, and provides authentication
based on a username and password in certain enterprise Wi-Fi networks. It is
vulnerable to the same attacks that we discovered against WPA3. On top of that, all
implementations of EAP-pwd that we tested were vulnerable to invalid curve attacks,
which enable to adversary to completely bypass authentication. Most implementations
were also vulnerable to reflection attacks. All combined, EAP-pwd implementations
are affected by the following vulnerabilities:

Flaws in EAP-pwd=>

CERT ID #VU871675: Overview of attacks specific to hostapd and wpa_supplicant (does

not cover other implementations).

CVE-2019-9495: Cache-based side-channel attack against the EAP-pwd implementation

of hostapd and wpa_supplicant.

CVE-2019-9497: Reflection attack against the EAP-pwd implementation of hostapd and

wpa_supplicant.

CVE-2019-9498: Invalid curve attack against the EAP-pwd server of hostapd resulting
in authentication bypass.

CVE-2019-9499: Invalid curve attack against the EAP-pwd client of wpa_supplicant

resulting in server impersonation.

CVE-2019-11234: Reflection attack against the EAP-pwd implementation of FreeRADIUS.

CVE-2019-11235: Invalid curve attack against the EAP-pwd server of FreeRADIUS

resulting in authentication bypass.

Notice: not all vulnerable products received a CVE identifier😈.

thanks for reading😊

hope you enjoyd and please share

#wifi #wpa #wpa3 #wpa2 #exploits

#hacker #LuLz

#Security_Freaks_Is_back_baby😈