WPA
WPA (Wi-Fi Protected Access) Personal
- Also known as WPA-PSK (Pre-Shared Key)
- Shares the same key, but with a greater size of 256 bits
- Uses the Temporal Key Integrity Protocol (TKIP), which dynamically generates a 128-bit key for every packet
- Uses RC4
- Takes the Hash(IV + SharedKey) as input to RC4
- No Forward Secrecy (No Per-Session Key)
- Old sessions can be decrypted when key is broken
- All new sessions can be decrypted when key is broken
- If the key is known to multiple people, any of them can manipulate data from anyone else
- PTK is used to encrypt unicast traffic
- GTK is used for multicast and broadcast traffic.
4-way handshake
- Using the Pre-Shared Key (PSK), generate the Pairwise Master Key (PMK) on both the AP and the device
- AP generates the Group Master Key (GMK) from random data
- AP sends APNonce to Client (Message 1)
- Client sends SNonce to the AP (Message 2)
- AP generates the Pairwise Transient Key (PTK) and breaks it down into:
  - 128-bit Key Confirmation Key (KCK) for computing the Message Integrity Code on EAPOL messages
  - 128-bit Key Encryption Key (KEK) for distributing group keys that are sent from the AP to the client
  - 128-bit Temporal Key (TK) for encrypting unicast data packets
  - 64-bit Message Integrity Code key for integrity protection on unicast data packets transmitted by the AP
  - 64-bit Message Integrity Code key for integrity protection on unicast data packets transmitted by the client
- AP generates the Group Temporal Key (GTK), either from the Group Master Key (GMK) or at random:
  - 128-bit Group Encryption Key (GEK) for encryption of multicast data packets
  - 64-bit Group Integrity Key (GIK) for data authentication on multicast data packets transmitted by the AP
  - 64-bit Group Integrity Key (GIK) for data authentication on multicast data packets transmitted by the client
- The GTK is encrypted with the PTK and sent to the client.
- Client Acknowledges the Keys
Generate PMK:
```python
from pbkdf2 import PBKDF2  # third-party package: pip install pbkdf2

ssid = 'home'
phrase = 'qwerty123'
print("SSID: {}".format(ssid))
print("Pass phrase: {}".format(phrase))
# PMK = PBKDF2(HMAC-SHA1, PSK, SSID, 4096, 256)
print("Pairwise Master Key: {}".format(PBKDF2(phrase, ssid, 4096).read(32).hex()))
```
Generate PTK:
```
PTK = PseudoRandomFunction(PMK + ApNonce + SNonce + Client_Mac + AP_Mac)
PTK = KCK || KEK || TK || MICkey_AP || MICkey_MS
```
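Generate PMK and PMKID:
```python
import hashlib
import hmac

ssid = b'home'
sharedpassword = b'qwerty123'
# PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits)
pmk = hashlib.pbkdf2_hmac('sha1', sharedpassword, ssid, 4096, 32)
print(pmk.hex())
# The PMKID is the generated ID that is used to specify the PMK that is used in the connection.
# MAC addresses are raw 6-byte values, not ASCII hex strings
access_point_mac = bytes.fromhex("B84BF0D5FADC")
client_mac = bytes.fromhex("C6083610EF29")
# PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" + AP MAC + client MAC)
pmkid = hmac.new(pmk, b'PMK Name' + access_point_mac + client_mac, hashlib.sha1).digest()[:16]
print(pmkid.hex())
# Since the PMKID is generated by using the PMK as input and other
```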
PMKID
The PMKID is used for handing off clients between access points. The PMKID attack does not make cracking the password easier, but it does make it easier to gather the correct packet to crack the password: it makes a single request to the AP and retrieves the response, instead of needing to sniff for the 4-way handshake.
The PMKID is located in 802.11 management frames.
Frame Encryption
Frames are encrypted once the Access Point and the device have the PTK (Message 3 of the 4-way handshake) and once it is verified on both devices (Message 4 of the 4-way handshake).
The per-packet key is made using a mix of the PTK and the packet_number.
The nonce is prepended to the packet.
Nonces should be unique, like IVs; similar attacks apply when a nonce repeats.
Bruteforce
- If attackers have the first handshake, brute force is possible.
- Rainbow tables exist for the top 1000 SSIDs
Hashcat Crack:
```bash
./hashcat-cli32.bin wordlist -r rules/d3ad0ne.rule --stdout | aircrack-ng --bssid 00-00-00-00-00-00 -a 2 -w - capture_file.cap
```
John Crack:
```bash
john --incremental:all --stdout | aircrack-ng --bssid 00-00-00-00-00-00 -a 2 -w - capture_file.cap
```
Packet spoofing/decryption
- Packet spoofing and decryption attacks on TKIP
- Inject an arbitrary number of packets with a 112-byte payload
- Can inject manipulated packets
Security Issues
- key rotation issues
- shared encryption
- passive handshake capture attacks.
Predicting Group Keys (33c3)
- May use Jiffy Time to generate key
- May use MD5(epoch)
Private master key is generated once at boot, when entropy is bad, and is not changed at any point during operation.
```
PRF_256(0, Initialization_Counter, Local_address + Time + result + LoopCounter)
```