1 WPA, what else? UNAM, Mexico City November 27-28, 2008 Thomas d’Otreppe de Bouvette Aircrack-ng


Page 1: WPA, what else?

UNAM, Mexico City, November 27-28, 2008

Thomas d’Otreppe de Bouvette, Aircrack-ng

Page 2: Agenda

• WEP
• WPA – How does it work?
• WPA – Practice
  – Location, location, location
  – Cracking the key
  – Bruteforce
• WPA – Tools
  – Airbase-ng
  – Tkiptun-ng
  – Airolib-ng
• Practical stuff

Page 3: WEP

• It was fun
• A few new attacks were created
  – Caffe Latte
  – Cfrag
• PTW2: needs fewer packets than PTW to crack a key
• WEP Cloaking™ is now dead too

Page 4: Agenda (section divider, same list as Page 2; next section: WPA – How does it work?)

Page 5: WPA

• More and more networks use WPA
• WPA is a hot topic these days:
  – CUDA
  – New attack and tool: tkiptun-ng

Page 6: WPA

• The 802.11i group was launched when flaws were found in WEP
• 2 link-layer protocols:
  – TKIP (WPA1): Draft 3 of the 802.11i group (backward compatible with legacy hardware)
  – CCMP (WPA2): final 802.11i standard
• 2 authentication methods:
  – Personal: PSK
  – Enterprise: MGT

Page 7: WPA-PSK – How does it work?

Page 8: (figure only, no text extracted)

Page 9: WPA-PSK – 4-way handshake (figure only)

Page 10: WPA-PSK – PTK Construction (diagram)

Inputs: Pairwise Master Key (256 bit), ANonce, SNonce, STA MAC Address, AP MAC Address
→ HASH → Pairwise Transient Key

Page 11: WPA-PSK – PMK Construction (diagram)

Inputs: Passphrase, SSID, SSID Length
→ PBKDF2 (number of iterations: 4096; length of the result key: 256 bits) → PMK
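The two diagrams above (Pages 10 and 11) only name the inputs and outputs. The following Python is an added example, not code from the talk or from aircrack-ng, that computes both derivations as a WPA/WPA2-PSK supplicant or AP does: PBKDF2-HMAC-SHA1 with 4096 iterations for the PMK, then the 802.11i PRF keyed with the PMK over the sorted MAC addresses and nonces for the PTK. The PMK test vector (passphrase "password", SSID "IEEE") is the one published in IEEE 802.11i Annex H; the MAC addresses and nonces are constructed for the example.

```python
"""WPA-PSK key derivation: passphrase -> PMK -> PTK.

Added example (not from the talk or aircrack-ng); standard library only.
Known-answer vector for the PMK: IEEE 802.11i Annex H, "password"/"IEEE".
"""
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096   # "Number of iterations: 4096" on the PMK slide
PMK_LEN = 32               # 256-bit PMK
PTK_LEN_TKIP = 64          # TKIP needs a 512-bit PTK, CCMP a 384-bit one


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits).

    The SSID is the salt, so the same passphrase gives a different PMK on
    every network name: precomputed tables are only useful per SSID, and
    the 4096 iterations are what bound the keys/second figures in the talk.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, ptk_len: int = PTK_LEN_TKIP) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion",
                 min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).

    The min/max ordering is why the "HASH" box on the PTK slide takes both
    MAC addresses and both nonces but does not care which side is which.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, ptk_len)


def split_ptk(ptk: bytes) -> dict:
    """KCK (MICs the EAPOL frames), KEK (wraps the group key), TK (data traffic)."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")
    print("PMK:", pmk.hex())
    # Constructed sample handshake parameters (not from any real capture).
    ap_mac = bytes.fromhex("00112233aabb")
    sta_mac = bytes.fromhex("00aabbccdd01")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    ptk = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    for name, part in split_ptk(ptk).items():
        print(f"{name.upper()}: {part.hex()}")
```

Because only the KCK (first 128 bits of the PTK) is needed to check the MIC on the handshake frames, a capture of the 4-way handshake gives everything needed to test a passphrase guess offline; that is the reason the later slides spend so much effort on where to stand to hear both sides.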

Pages 12-15: (figures only, no text extracted)

Page 16: Agenda (section divider, same list as Page 2; next section: WPA – Practice)

Page 17: WPA – Location

• Need all packets from the 4-way handshake => must hear both the AP and the client
• In fact, aircrack-ng can work with fewer than 4 packets
• If too far away, you won’t get everything

Page 18: WPA – Location (2) (diagram of AP, Client and Attacker positions)

Page 19: WPA – Location (3) (diagram of AP, Client and Attacker positions)

Page 20: WPA – Cracking the key

• Processing unit
  – CPU
  – GPU (CUDA and AMD Stream)
• Method:
  – Wordlist
  – Bruteforce
• « Rainbow » tables

Page 21: WPA – CUDA

• Cracking with your nVidia
• Much faster than with a CPU (10-100x):
  – Intel P4 3.2GHz: ~150 keys/sec
  – AMD Turion 64 X2 TL-60 (2GHz): ~230 keys/sec
  – Nvidia 280GTX: ~11000 keys/sec
• A few tools exist
  – Commercial
  – Open source: pyrit
• Planned in aircrack-ng (AMD Stream too)

Page 22: WPA – Pyrit cracking speed (figure only)

Page 23: WPA – Bruteforce

• Let’s calculate how much time it will take to crack a simple passphrase made of alphanumeric characters (upper and lower case).
• Smallest WPA passphrase: 8 characters (max 63).

Page 24: WPA – Bruteforce (2)

• 8-character passphrase
• 62 possibilities per character: [A-Z][a-z][0-9]
• Using a 280GTX (11000 keys/sec)

• 62^8 = 218 340 105 584 896 possible keys
• 218340105584896 / 11000 keys/sec = 19 849 100 508 sec
• 19849100508 sec = 5 513 639 hours
• 5513639 hours = 229 735 days
• 229735 days = 630 years

Page 25: 630 years for an 8-character WPA key

• A bit too long for a simple passphrase.
• For a 12-character passphrase, bruteforce will take 9 309 091 680 years.
• Dictionary attacks and John the Ripper are still the best solution.

Page 26: Agenda (section divider, same list as Page 2; next section: WPA – Tools)

Page 27: Airbase-ng

“Airbase-ng is a multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself.”

Features:
• Soft AP / Ad hoc
• Karma
• Encrypt/Decrypt packets
• Capture WPA handshake from a client
• Filtering to avoid disturbing nearby networks

Page 28: Airbase-ng (2)

• Turn any monitor-mode capable card into an AP
• Default mode: Karma
• Karmetasploit = airbase-ng + metasploit

Page 29: Fun with airbase-ng

• Karma
  – airbase-ng rausb0
• Soft AP:
  – airbase-ng -y -e myAP -c 6 rausb0
  – ifconfig at0 up 192.168.0.254
  – ping/ssh/… it from the client
• Script to manipulate packets:
  – airbase-ng -Y both rausb0
  – ./test/replay.py at1

Page 30: Fun with airbase-ng (2)

• WPA handshake capture:
  – airbase-ng -z 2 -W 1 -y -c 6 -e home rausb0
• Location problem solved ;), you just need the client:

(diagram: Client — Attacker running the fake AP)

Page 31: Tkiptun-ng

• Exaggerated in the news: only a few frames can be sent
• Work in progress:
  – Basic documentation written
  – Not fully working yet

Page 32: Tkiptun-ng (2)

• WPA TKIP + QoS (802.11e)
• Decrypt packets from the AP
• Modified chopchop
• Breaks the MIC key
• Save plaintext + keystream

Page 33: Airolib-ng

• Create pre-computed WPA hash tables to be used with aircrack-ng
• Uses a sqlite database
• Import/Export:
  – Import passphrase/ESSID lists
  – Cowpatty tables (genpmk)
  – Pyrit can export its hash tables to airolib-ng format
• Speed (once precomputed):
  – EEE 701 (900MHz, SD card): ~9700 keys/sec
  – AMD Turion 64 X2 TL-60 (2GHz, HDD 7200rpm): ~55500 keys/sec (~30000 keys/sec virtualized)

Page 34: Conclusion

• Questions?
• Practical stuff
  – WPA cracking
  – Fun: Airgraph-ng