WPA + WPA2

Theory

WPA

WPA (Wi-Fi Protected Access) is a security protocol designed to secure wireless computer networks. It was introduced as a temporary solution to the weaknesses of the original Wired Equivalent Privacy (WEP) protocol and was later replaced by the more secure WPA2 protocol.

Here is a high-level overview of how the WPA protocol works:

When a client device attempts to connect to a wireless network, it sends a request to join the network and provides its authentication credentials (such as a password or passphrase). The access point responds with a challenge, which is a random string of characters that the client must use to authenticate itself. The client encrypts the challenge using the authentication credentials and sends the encrypted result back to the access point. The access point decrypts the encrypted response and verifies that it matches the challenge. If the response is correct, the access point authenticates the client and allows it to join the network. WPA uses a stronger encryption algorithm than WEP called Temporal Key Integrity Protocol (TKIP). TKIP dynamically generates encryption keys for each data packet transmitted over the network, making it more difficult for attackers to decrypt network traffic.

WPA also includes a message integrity check (MIC) feature that helps to prevent attacks against the encryption key. The MIC ensures that the data transmitted over the network has not been modified in transit by checking a hash value of the data against the MIC value.

In summary, the WPA protocol provides stronger security for wireless networks than the original WEP protocol. However, it has been superseded by the even more secure WPA2 protocol, which uses Advanced Encryption Standard (AES) encryption and a more robust four-way handshake process to secure wireless network traffic.

WPA2

WPA2 (Wi-Fi Protected Access II) is a security protocol used to secure wireless computer networks. WPA2 is an improvement over the previous security standard, WPA, and uses Advanced Encryption Standard (AES) encryption to secure network traffic.

WPA2 protocol works by creating a unique session key for each device connected to the network. This session key is used to encrypt all data transmitted over the network. The key is generated by a four-way handshake process that occurs between the access point and the device when they connect.

Here is a high-level overview of how the WPA2 protocol works:

  1. The client device sends a request to join the network.
  2. The access point sends a random number (nonce) to the client.
  3. The client uses this nonce along with the network name (SSID) and a pre-shared key (PSK) to create its own encryption key.
  4. The client sends this encryption key back to the access point, encrypted using the access point's public key.
  5. The access point decrypts the message and verifies the encryption key.
  6. The access point sends its own nonce to the client.
  7. The client uses this nonce, along with the encryption key, to create a message integrity code (MIC).
  8. The client sends the MIC to the access point, encrypted using the access point's public key.
  9. The access point decrypts the message and verifies the MIC.
  10. The client and access point use the encryption key to encrypt and decrypt data transmitted between them. This four-way handshake process creates a secure communication channel between the client and access point, using the encryption key derived from the pre-shared key. The session key is unique to each device and each session, which makes it difficult for attackers to intercept and decode network traffic.

Practical

Normal WPA(2)

# Run the following and wait for a handshake by a new client connecting to the network
sudo airodump-ng --bssid <AP bssid> --channel <channel> --write <cap file> wlan0mon

# deauth
sudo aireplay-ng --deauth 4 -a <AP bssid> -c <client MAC> wlan0mon

# Crack the capture file
aircrack-ng <file.cap> -w <wordlist.txt>

WPS

Put your wireless interface in monitor mode

wash -i wlan0mon
sudo reaver -b <BSSID> -i wlan0mon -v
sudo reaver -b <BSSID> -i wlan0mon -c <channel> -v
sudo airodump-ng wlan0mon --wps

Requirements

  • WPS must be enabled
  • WPS must be using pin authentication and not PBC (Push Button Configuration). With option, a physical button in the router must be pushed to activate the use of WPS for some time interval. PBC usually is active by default in modern routers, or WPS is directly disabled by default.

Reaver outputs the WPS pin if it can find it, and thanks to it it also retrieves the passphrase (WPA-PSK), which we can use to connect to the network. Even if it finds it, it's an slow attack, it can take a few hours to complete, depending on the router AP configuration and the value of the pin (if it's one of the last ones reaver tries)

These attacks usually fail, there are several possible sources of problems. Reaver can say that the AP is deauthenticating us, among other error messages. If WPS cracking doesn't work right away it probably won't work at all. Even if an AP's WPS is not locked the attacks can fail for other reasons. For example, some routers timeout WPS after a short time since it was activated.

There are APs that don't use a pin. With bully and reaver we can use the -p '' option to check if the pin is empty

Some APs use a pin that is linked to the first three bytes of the BSSID. Airgeddon contains them in known_pins.db

To check if a certain BSSID has known default pins, use the first three bytes of the AP (without the colon symbols, in this case XXYYZ for a BSSID= XX:YY:ZZ:AA:BB:CC)

sudo apt install airgeddon
source /usr/share/airgeddon/known_pins.db
echo ${PINDB["XXYYZZ"]}
14755989 48703970 06017637

Try manually the pins returned, if any

troubleshooting the reaver:

  1. If it says it cannot associate with the AP -> we need to associate manually with aireplay-ng --fakeauth in another terminal, and keep the fake auth running while we try the reaver attack (which we must run with the -A option, so that it doesn't try to associate itself to the AP, since we already are associated via aireplay-ng)

  2. Reaver says WPS transaction failed, re-trying last ping (we can see this with -vvv for debugging output). Then it retries the same pin all the time. Sometimes (we can see in the output) this is due to the use of NACK packets. We can try with the option -N (or --no-nacks) to not send them.

  3. If reaver says "Waiting for beacon from XX:XX:XX:XX:XX:XX" we need to specify the channel manually (-c parameter)

  4. The AP can have rate limiting enabled, and change state to locked (Lck) after some failed attempts. If we suspect the AP locked WPS, run wash again to check if it's in the Lck state. We can deauthenticate permanently all clients connected, so that someone complains or restarts the AP, so that we can continue bruteforcing pins. This is very clumsy and noisy, and if the rate limiting occurs fast it's probably going to be useless, as we will quickly lock WPS again. We can run this "permanent" deauth with:

sudo aireplay-ng --deauth 1000000000000 -a <AP bssid> wlan0mon

PixieWPS

The PixieWPS attack, disclosed in 2014, takes advantage of the weak random number generator used in a few chipsets, which means not all WPS implementations are vulnerable. As opposed to the brute force technique, this technique requires minimal interaction with the AP to gather the data needed for the attack, which is then brute forced offline. The current version of reaver, which has been forked from the original and subsequently improved on, integrates the PixieWPS attack.

wash -i wlan0mon
sudo reaver -b <BSSID> -i wlan0mon -c <channel> -v -K # PixieWPS Attack

Once it gathered the data, reaver automatically invoked the pixiewps utility to recover the WPS PIN, then used the resulting PIN to obtain the passphrase, which we likely wouldn't have gotten using a handshake cracking technique.

One alternative to this method is to use bully with -d, which will attempt to run PixieWPS with the values we recovered from bully. We would also need to specify verbosity to display these values, with -v 4. The output can be a bit confusing, but the data for PixieWPS starts with the display of the Enonce and ends with the output of E-Hash2.

PixieWPS should work when provided with only the required parameters. Sometimes we also need to provide the -m option as well. Once the PIN is recovered, we can provide it to bully to do a single PIN try, using -B -p followed by the PIN, to recover the passphrase.

WPA Migration Mode

Cisco has this feature, supports both WEP/WPA at the same time (if this is enabled it supports weak WEP).