Intro
The few weaknesses inherent within the authentication handshake process for WPA/WPA2 PSKs have been known for a long time. This blog post does not serve anything that is new or has not been previously seen in the wild or in conference talks, and actually references other sites (such as RFCs) that can supply further information. It does, however, provide some clarity into what is actually performed during the authentication and thus cracking process, but was mainly an exercise for me to learn how everything works at a lower level. Perhaps it will be useful to someone else in the same scenario.
Overview
During the authentication process the supplicant (client) and authenticator (access point) each attempt to prove that they independently know the pre-shared-key (`PSK`) passphrase without disclosing the key directly. This is done by each encrypting a message using the Pairwise-Master-Key (`PMK`) that they have generated, transmitting each way, and then decrypting the message they've each received. The four-way handshake is used to establish a new key called the Pairwise-Transient-Key (`PTK`), which is comprised of the following concatenated data:
The result is then processed through a Pseudo-Random-Function (PRF). Another key that is used for decrypting multicast traffic, named the Group-Temporal-Key, is also created during this handshake process.
Actual Handshake Process
[!] At this point an attacker would have been able to intercept enough of the handshake to perform a password cracking attack.
Construction of the PMK
Pairwise-Master-Keys are used during the creation of the Pairwise-Transient-Keys and are never actually transmitted across the network. They are derived from the Pre-Shared-Keys (Enterprise WiFi uses a key created by EAP, but that is out of scope for this article) along with other information such as the SSID and SSID length. The PMKs are created using the Password-Based Key Derivation Function #2 (PBKDF2), with the SHA1 hashing function used with HMAC as the message authentication code:
HMAC-SHA1 is the Pseudo Random Function used, whilst 4096 iterations of this function are used to create the 256 bit PMK. The SSID is used as a salt for the resulting key, and of course the PSK (passphrase in this instance) is used as the basis for this entire process.
The HMAC function used:
H(K XOR opad, H(K XOR ipad, passphrase))
Further information on HMAC-SHA1 from RFC2104 can be seen below, but is out of my depth:
Here is a simple Python script that can be used to compute the raw key from the SSID and PSK passphrase. Within the Python module I've used (can be installed via python-pip) the default MAC and hash algorithm is HMAC-SHA1:
Construction of the PTK
The creation of the Pairwise-Transient-Keys is performed via another PRF (using an odd combination of SHA1, ending in a 512 bit string), which uses a combination of the PMK, AP MAC Address, Client MAC Address, AP Nonce, and Client Nonce. The result is this 512 bit Pairwise-Transient-Key, which is actually a concatenation of five separate keys and values, each with their own purpose and use:
The resulting order:
The only reference to a usable PRF512 function within Python was an excerpt of code from a question on Stack Overflow from back in 2012:
Some sample code just to get a visualisation of what happens in the background:
The PMK and PTK are then printed to the terminal, with the first 16 bytes of the PTK being the KCK.
What is actually computed for cracking?
Once the second packet of the handshake has been captured an attacker has enough information to attempt to compute the Pairwise-Transient-Key (using an assumed PSK passphrase), which can then be used to extract the Key-Confirmation-Key and compute the Message Integrity Code. It is this MIC that is used during the comparison with the genuine MIC to determine the validity of the assumed PSK.
This whole process is re-run for every dictionary entry (or brute force attempt) during password cracking, which is the reason for the slow performance of Hashcat, Cowpatty, and John The Ripper (although I still manage 100k hashes per second with oclHashcat, which goes to show how fantastically optimised Atom's code is).
The MIC is calculated using HMAC_MD5, which takes its input from the KCK Key within the PTK. Unfortunately I wasn't able to come up with some Python code to compute the MIC, even after reviewing aircrack-ng and Cowpatty source code (my C skills are severely lacking). Expand on the above and let me know if anyone has an idea!
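The MIC check described above, written from the authenticator's side as an added example (not the post's code, and not taken from aircrack-ng or Cowpatty). It goes beyond the HMAC-MD5 case in the text by also handling key descriptor version 2 (HMAC-SHA1 truncated to 128 bits, used with WPA2/CCMP); the KCK and the frame are constructed sample values, and `build_sample_frame` is a hypothetical helper that exists only to produce input.

```python
import hashlib
import hmac

MIC_OFFSET, MIC_LEN = 81, 16  # Key MIC field: 4-byte EAPOL header + 77 bytes

def compute_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """MIC over the whole EAPOL-Key frame with the Key MIC field zeroed."""
    if len(eapol_frame) < MIC_OFFSET + MIC_LEN + 2:
        raise ValueError("frame too short to be an EAPOL-Key message")
    # Low three bits of Key Information select the MIC algorithm.
    version = int.from_bytes(eapol_frame[5:7], "big") & 0x0007
    zeroed = (eapol_frame[:MIC_OFFSET] + bytes(MIC_LEN)
              + eapol_frame[MIC_OFFSET + MIC_LEN:])
    if version == 1:   # WPA/TKIP: HMAC-MD5
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:   # WPA2/CCMP: HMAC-SHA1, first 128 bits
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]
    raise ValueError(f"unsupported key descriptor version {version}")

def mic_is_valid(kck: bytes, eapol_frame: bytes) -> bool:
    """Compare the MIC carried in the frame with the recomputed one."""
    received = eapol_frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    return hmac.compare_digest(received, compute_mic(kck, eapol_frame))

def build_sample_frame(kck: bytes, version: int) -> bytes:
    """Hypothetical helper: a constructed frame shaped like handshake message 2."""
    body = (bytes([2])                                 # descriptor type
            + (0x0108 | version).to_bytes(2, "big")    # pairwise + MIC flags
            + bytes(2)                                 # key length
            + (1).to_bytes(8, "big")                   # replay counter
            + bytes(range(32))                         # constructed nonce
            + bytes(16 + 8 + 8)                        # IV, RSC, reserved
            + bytes(MIC_LEN)                           # MIC placeholder
            + bytes(2))                                # key data length = 0
    frame = bytes([1, 3]) + len(body).to_bytes(2, "big") + body
    mic = compute_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]

SAMPLE_KCK = bytes(range(16))  # constructed; normally the first 16 bytes of the PTK

if __name__ == "__main__":
    for v in (1, 2):
        frame = build_sample_frame(SAMPLE_KCK, v)
        print(f"version {v}: MIC valid =", mic_is_valid(SAMPLE_KCK, frame))
```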
Conclusions
If anything, knowing the amount of computation that is performed for each attempt at comparing the MICs puts me somewhat at ease regarding the security of using PSK auth on personal networks; however, it does prove how invaluable random passphrases are within various cryptographic implementations such as this, especially passphrases that are longer and contain more entropy. Use a 15 character passphrase for your PSK, which includes a combination of upper and lower alpha, numeric, and special characters, and which isn't a dictionary word. Oh, and also change it regularly. If I or anyone else happened to crack your passphrase, an attacker wouldn't get much use out of it: should they go back there in a month's time, they can't connect because it has been changed to a new value.
More importantly, don't use PSK authentication for your corporate networks. Whilst there are some vulnerabilities within certain EAP configurations, they are a lot easier to squash than an offline attack such as the one that is possible against PSKs.
If any of the aforementioned information is incorrect please feel free to drop me an email and I'll make the necessary amendments and credit appropriately.
References
I have used some external sources to further understand these processes. They are in no particular order: