
AP-ocalypse: Release the KRACKen

drifter666
April 24, 2019

Part 2 of Wi-Fi hacking

Transcript

  1. ~# cat agenda.txt
     • Briefly recap Aircrack-ng
     • Break Wi-Fi Protected Setup (WPS)
     • The KRACK Attack
     • Build a software-based Wi-Fi jammer
     • Airgeddon – Bash script by v1s1t0r that pulls it all together
     • Questions
  2. ~# cat DISCLAIMER.txt
     It goes without saying… all the demos in this presentation are illegal to do out in the real world. This presentation is for educational purposes only. Feel free to try out these hacks in your own personal lab to play and have fun. The software-based Wi-Fi jammer has even more repercussions if you decide to market and sell one. So don't… Be safe and have fun in a personal test lab!!
  3. ~# more recap.txt
     Hardware Requirements
     • Need to support injection
     • Model revisions can have different chipsets
       • Ex: Rev1 may have an Atheros chipset, Rev2 may have a TI chipset
     • Best to do research before just buying any wireless NIC
     • Antenna that fits the desired task
     Picture Source: https://www.raymond.cc/blog/best-compatible-usb-wireless-adapter-for-backtrack-5-and-aircrack-ng/
  4. ~# more recap.txt
     Software – Aircrack-ng Suite
     • Airmon-ng
       • Used to enable and disable monitor mode on the wireless NIC
     • Airodump-ng
       • Used for packet capturing of raw 802.11 frames
       • Collects WEP weak IVs (Initialization Vectors)
       • With a GPS receiver, can log coordinates of found APs
     Picture Source: https://www.aircrack-ng.org/
  5. ~# more recap.txt
     Software – Aircrack-ng Suite (con't)
     • Aireplay-ng
       • Primary function: generate traffic for later use in aircrack-ng
       • Different attacks:
         • Deauthentication
         • Fake authentication
         • Interactive packet replay
         • Hand-crafted ARP request injection
         • ARP request reinjection
     • Aircrack-ng
       • An 802.11 WEP and WPA/WPA2-PSK key cracking program
     Picture Source: https://www.aircrack-ng.org/
  6. ~# more break_wps.txt
     What is WPS?
     • WPS is a method to connect to a wireless network. WPS' goal is to make connecting to wireless networks faster and easier. It has to be used with the WPA/WPA2 security protocols (does not work with WEP).
     • Methods of connecting:
       • Press the WPS button on the wireless router and on the device, and they'll connect automatically without the user knowing the SSID or password.
       • Press the WPS button on the wireless router. Then find the wireless router on the wireless device to connect to it without using a password.
       • Use the 8-digit PIN that the router generates. Enter this PIN on the client device.
       • Use the 8-digit PIN that the client generates. Enter this PIN on the router.
     • 10^8 = 100 million possible 8-digit PINs.
  7. ~# more break_wps.txt
     Where WPS went wrong
     • In 2011, researcher Stefan Viehböck realised you don't need to try all 100 million possible 8-digit PINs.
     • The last digit is only a checksum computed from the first 7 digits, so only 7 digits are actually secret (10^7 PINs).
     • The registrar doesn't validate those 7 digits as a whole. It checks the first 4 digits (after handshake message M4), and only if those are right does it move on to the remaining 3 digits (after M6). Whether the EAP-NACK arrives after M4 or after M6 tells the attacker which half was wrong.
     Sources: https://nakedsecurity.sophos.com/2014/09/02/using-wps-may-be-even-more-dangerous/ https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
  8. ~# more break_wps.txt
     Where WPS went wrong (con't)
     • With a little math, we can determine that we only need to guess at most 11,000 PINs instead of the original 100 million (10^8).
     • Recalculated formula: first half 10^4 + second half 10^3 = 10,000 + 1,000 = 11,000 guesses worst case (on average about half that, since each half is found partway through its range).
     Sources: https://nakedsecurity.sophos.com/2014/09/02/using-wps-may-be-even-more-dangerous/ https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
  9. ~# more break_wps.txt
     Enter: Reaver
     • Brute-force attack against WPS PINs in order to retrieve WPA/WPA2 passphrases.
     • Source: https://github.com/t6x/reaver-wps-fork-t6x (already installed in Kali)
     • Simple syntax: reaver -i [monitor-mode interface] -b [router BSSID/MAC address] -vv (verbosity level)
     • Comes with a scanner named Wash
       • Wash scans for WPS-enabled Wi-Fi networks and gives details about them (including whether WPS is locked).
       • Simple syntax: wash -i [monitor-mode interface]
     Source: https://tools.kali.org/wireless-attacks/reaver
  10. ~# more break_wps.txt
      How to Mitigate These Attacks
      • Upgrade router firmware
      • Enable WPS lock (lockout after a number of failed PIN attempts): added protection that slows the attack down, but not 100% hacker proof
      • Turn off WPS
      • Side note: Some models don't actually turn off WPS, even though the admin interface says it is off. Be sure to test that it is off (e.g. check whether the AP still advertises WPS in a wash scan).
  11. ~# more krack.txt
      What is the KRACK Attack?
      • Discovered by Mathy Vanhoef of imec-DistriNet, KU Leuven, 2017
      • KRACK – Key Reinstallation AttaCK
      • Attackers can use the Key Reinstallation attack to read information that was previously assumed to be safely encrypted.
      • Can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on…
      • Weaknesses are in the WPA/WPA2 protocol itself, not in products or implementations.
      • Originally discovered in 2016. Details of the attack released in October 2017. A follow-up paper was released in October 2018.
      Source: https://www.krackattacks.com/
  12. ~# more krack.txt
      How Does the KRACK Attack Work?
      • Main attack is against the 4-way handshake of the WPA/WPA2 protocol (Personal or Enterprise Wi-Fi, doesn't matter).
      • The idea is to trick a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. In this case, message 3 of the 4-way handshake can be replayed: the AP retransmits message 3 if it does not receive message 4, so the client must accept retransmissions, and a man-in-the-middle can block message 4 and replay message 3 at will.
      Source: https://www.krackattacks.com/
  13. ~# more krack.txt
      How Does the KRACK Attack Work? (con't)
      [Diagram of the 4-way handshake and key hierarchy]
      • PMK – Pairwise Master Key
      • GMK – Group Master Key
      • PTK – Pairwise Transient Key
      • GTK – Group Temporal Key
      Source: https://dalewifisec.wordpress.com/tag/4-way-handshake/
  14. ~# more krack.txt
      How Does the KRACK Attack Work? (con't)
      • By abusing the retransmission of message 3, the encryption protocol can be attacked: each time the client reinstalls the (unchanged) PTK, it resets the packet number (nonce) and replay counter, so keystream is reused.
      • Packets can be replayed, decrypted, and/or forged.
      • https://www.youtube.com/watch?v=Oh4WURZoR98
        • KRACK Attacks: Bypassing WPA2 against Android and Linux, by Mathy Vanhoef
      Source: https://www.krackattacks.com/
  15. ~# cat DISCLAIMER.txt
      Again, this is for educational purposes only! Feel free to try out these hacks in your own personal lab to play and have fun. The software-based Wi-Fi jammer has even more repercussions if you decide to market and sell one. So don't… Be safe and have fun in a personal test lab!!
  16. ~# more wifijammer.txt
      Requirements
      • Wi-Fi adapter that supports injection
        • Preferably one that Linux supports out of the box
      • Raspberry Pi + MicroSD card + case
      • MicroSD or SD card reader to image the OS to the card
      • Power pack (if you choose to make it portable)
      • Linux (I'll use Kali for this)
  17. ~# more wifijammer.txt
      Step 1 – Install OS
      • First thing that needs to be done is to install Kali on the Raspberry Pi.
      • Download the ARM image from Offensive Security:
        • https://www.offensive-security.com/kali-linux-arm-images/
      • Follow the instructions from Offensive Security:
        • https://docs.kali.org/kali-on-arm/install-kali-linux-arm-raspberry-pi
      • Use dd in Unix/Linux to write the image to the card
      • Use Win32 Disk Imager in Windows
  18. ~# more wifijammer.txt
      Step 2 – Get Software
      • Once Kali is set up, make sure it's up to date:
        • apt-get update; apt-get dist-upgrade
      • Python 2.7 is already installed on Kali.
      • Install scapy:
        • pip install scapy
  19. ~# more wifijammer.txt
      Step 3 – Get the Script
      • Dan McInerney already built a neat Python Wi-Fi jammer script:
        • https://github.com/DanMcInerney/wifijammer
      • Make a directory and git clone Dan's project
  20. ~# more wifijammer.txt
      Additional Information
      • python wifijammer.py -a [AP MAC addr] -c [channel]
      • Tweak the OS to autologin and run the script automatically.
      • + power pack = ???
      • Use a better adapter/antenna for wider range.
      • Tool used for Red Teaming.
        • i.e. if cameras are on Wi-Fi, it'll knock them out.
      • This build is close to D3PHACE's build. Google it and you'll find it.
  21. ~# more airgeddon.txt
      What is Airgeddon?
      • Multi-use bash script for Linux systems to audit wireless networks.
      • Has lots of features to make life easier when hacking Wi-Fi.
      Source: https://github.com/v1s1t0r1sh3r3/airgeddon
  22. ~# cat key_take_aways.txt
      1. Always be sure to have the latest firmware on your wireless access point.
      2. Turn off WPS if not needed and verify that it is actually off.
      3. Use strong passwords (beating a dead horse…).
      4. Use WPA3.