Post on 24-Oct-2014
WPA
WPA Phishing Attack
A Social Engineer Attack against WPA2 Enterprise
Written By Douglas Berdeaux
Douglas@WeakNetLabs.com
ABSTRACT
For a penetration tester, WPA2 Enterprise key retrieval is limited to chance. WPA/WPA2 has yet
to be “cracked,” if even possible, in the sense of how a WEP key can be retrieved.1 WPA has a longer
Initialization Vector2 that is less likely to be reused, and countermeasures, like MIC, for
stopping replay attacks in the same way SSWR3 works with WEP. This attack is similar to the simpler
FreeRADIUS WPE4 Attack. Rather than leaving all of this up to chance, a penetration tester should have in his
arsenal as many attack methods and styles as possible. This method phishes a WPA/WPA2-Enterprise
key by embedding a fake WPA/WPA2 Enterprise login window into a webpage. The attack is then
strengthened when combined with an on-site rogue Wireless AP attack. This paper is intended for those
already familiar with phishing, WEP cracking, up-to-date WPA key retrieval methods, the Aircrack-ng
Suite, and simple PHP/Unix skills.
1 Attacking WEP with the Aircrack-ng Suite and packet replay involves replaying packets over and over that are
injected into a network using a wireless radio in RFMON Monitor Mode.
2 48 bits as opposed to WEP's 24 bits.
3 Scripted Security for Wireless Routers, 2010 WeakNet Labs.
4 The FreeRADIUS WPE (Wireless Pwnage Edition) Attack uses an actual RADIUS Server, in which credentials are
entered and then the hash is saved to a file. This hash could then be later decrypted offline with a large dictionary attack. This method, too, is left up to chance, but is far more advanced in setup.
BEGIN
WPA and WPA2 have yet to be “cracked,” if even possible, in the same sense as the late
WEP (Wireless Equivalency Privacy). Attacking and cracking WEP is rather simple and can be done in
seconds. Though there have been a few breakthroughs, like retrieving the MIC, or Michael Integrity
Check, which is used as a countermeasure, and the offline dictionary attack against a packet capture file
which contains the 4-way handshake, attacks to recover a WPA/WPA2 key still rely heavily on chance.
Social engineering attacks have become more popular among professional penetration testers,
and have also become more technical. Long ago, a pen-tester could simply call a few of a company’s
employees under false pretenses and retrieve passwords, login info, and more. With security awareness
raised by a few of today’s leading computer security experts,5 these attacks have become much harder to
pull off. Methods for Social Engineering have evolved over the years accordingly. New attacks have
been designed to create convincing false pretenses, like phishing, for example, in which an attacker designs a
webserver to pretend to be another webserver. ARP poisoning and DNS spoofing attacks take this
attack to a more advanced level, at which the victim’s browser states that he or she is, in fact, at the
actual site which requires a secure login.
Rogue APs are the biggest threat to Wireless Security today. This is due to the 802.11 protocol
being a shared medium. The RF waves released from an antenna propagate in all directions,6 even if
focused using a semi-directional or directional antenna. These attacks are, in fact, a type of social
engineering attack. New tools have been developed for attackers to pretend to be APs, like Airbase-ng
in the Aircrack-ng Suite. This tool allows an attacker to create a pseudo radio in Master mode and send
beacons, allow incoming connections,7 and, with a little help from iptables, route packets, just as if the
radio were an actual AP. In fact, with a little bit of strong networking knowledge, an attacker can
bridge the connection of his Rogue AP radio to a second radio which has an internet connection through
another wireless router. Getting a victim to connect to an attacker's fake AP is rather simple, as the
victim's radio will associate with the AP with the highest TX/RX power. This means that on-site attacks are
required, and the higher the EIRP8 of the attacker’s radio, the better.
WPA, or the WPA Phishing Attack, uses all of the above concepts to attack WPA2 Enterprise
networks, with a bit of its own style. In this attack, Airbase-ng is used to create a rogue wireless access
point in the vicinity of the environment which the pen-tester has been hired to assess. The attacker’s
machine also hosts a DHCP server to serve IP addresses, and an HTTP/PHP server to host the actual
phisher.
5 Chris Hadnagy, Mati Aharoni, Jim O’Gorman, and Paul Hand of Social-Engineer.org
6 Isotropic Radiators are perfect spheres of radiation, like that of a glowing star. An omnidirectional antenna, such
as those on a typical consumer-based wireless router, does not propagate in a sphere shape, but more like a torus, or donut shape.
7 DHCP server required.
8 Equivalent Isotropic Radiated Power, or output power from the antenna.
The attack then uses simple tools to ARP poison and DNS spoof the victim, redirecting all HTTP
through the local webserver which hosts the actual phisher until credentials are detected in the log file.
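From the defender's side, the two stages just described leave distinct traces: the rogue AP must beacon the corporate ESSID from a BSSID the organisation does not own, and the ARP poisoning must bind the gateway IP to a second MAC. The following Python is an added example, not part of the original paper or of WeakNet Linux; the BSSID inventory, beacon records and ARP replies are constructed sample data.

```python
# Added example, not part of the original paper: flags the two on-air/on-wire
# indicators of the attack described above. All records below are constructed.
from collections import defaultdict

# Hypothetical inventory of the BSSIDs the organisation really operates.
AUTHORIZED_BSSIDS = {"CORP-WLAN": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}

# Constructed beacon observations: (bssid, essid, channel, signal_dbm).
BEACONS = [
    ("00:11:22:33:44:01", "CORP-WLAN", 6, -61),
    ("00:11:22:33:44:02", "CORP-WLAN", 11, -70),
    ("de:ad:be:ef:00:01", "CORP-WLAN", 6, -35),  # our ESSID, unknown BSSID, strongest
    ("66:77:88:99:aa:bb", "GuestNet", 1, -80),   # foreign network, not impersonating
]

# Constructed ARP replies seen on the wire: (sender_ip, sender_mac).
ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:fe"),
    ("192.168.1.1", "00:11:22:33:44:fe"),
    ("192.168.1.1", "de:ad:be:ef:00:02"),  # gateway IP now claimed by a second MAC
    ("192.168.1.50", "aa:bb:cc:dd:ee:ff"),
]


def find_evil_twins(beacons, authorized):
    """Beacons advertising one of our ESSIDs from a BSSID we do not own.

    A rogue AP must reuse the ESSID to be chosen, but cannot reuse a real
    BSSID without colliding with it. Signal is kept because clients prefer
    the strongest transmitter, so a very strong unknown BSSID is the worst case.
    """
    twins = []
    for bssid, essid, channel, signal in beacons:
        known = {b.lower() for b in authorized.get(essid, ())}
        if essid in authorized and bssid.lower() not in known:
            twins.append({"bssid": bssid, "essid": essid,
                          "channel": channel, "signal_dbm": signal})
    return twins


def find_arp_conflicts(replies):
    """IPs claimed by more than one MAC in the window, with all MACs seen.

    ARP poisoning answers for the gateway IP with the attacker's MAC, so one
    IP bound to two MACs is the primary wire-level sign of the MITM stage.
    """
    seen = defaultdict(set)
    for ip, mac in replies:
        seen[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}
```

In practice the beacon records would come from a wireless IDS sensor and the ARP records from a span port; the logic is the same.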
THE PHISHER
The phisher is coded to perform OS/Browser detection and then serve a webpage according to
the results. This simple web page is a false error web page in which a false WPA/WPA2 authentication
window is embedded.
Figure 0: The phisher for Windows XP.
As you can see in the above image, this is the simple design for use with Windows XP. The OS
detection is necessary to make the victim believe that he or she needs to re-authenticate with the
Wireless AP. The browser detection is necessary as the text fields all vary in height. If, however, a
username were retrieved by the attacker in either an offline social engineering attack or from a wireless
sniffing device, it can then be placed into the username field to give the victim a better sense of realness
in observing the false login/re-authentication window, like so:
    <input type="text" value="victim name" />
Code Sample 0: How to input a username into the text field.
The OS/Browser detection changes the padding width from the top of the check box to the
three fields in the form. It also changes the embedded background images, the image of the
WPA2/enterprise login window, and the OK button accordingly. For example, Windows XP
(NT 5.1) using MSIE requires a longer center text box width than Windows XP (NT 5.1) with
Chrome or Firefox. Many small differences like this across different OSs and browsers have made the task
of arrangement quite tedious!
Below is an image of how the user agent appears to the webserver from a Microsoft Windows
XP / IE Browser machine.
Figure 1: The User Agent passed to lighttpd
Figure 2: Normal MITM attack operation.
The above image displays a normal MITM9 attack using Airbase-ng. The attacker’s [red] traffic is
from the radio in Master Mode. The [Green] traffic is from a separate radio in Managed Mode,
associated and authenticated with a valid session to the AP. Traffic from the victim can traverse to the
attacker, to the AP, back to the attacker, and then finally back to the victim. One can imagine the
devastating effects of this simple attack.
9 Man In The Middle
In the WPA Phishing Attack, the traffic is stopped by the attacker, who displays a fake
WPA/WPA2 login page for the corresponding OS, using data gathered by the PHP server with regular
expressions.
Once the wpa-credcheck.php script detects a login attempt, the attacker is notified via his or her
web browser. The prompt is shown a second time to simulate bad credentials. This creates the illusion
that a typo has occurred, and also catches those who enter false credentials into a network they don’t know. After
the second set of credentials is detected, the attacker stops the ARP poisoning and DNS spoofing,
allowing traffic to pass through as it would in a normal MITM operation. The URL in the browser
that the victim was trying to access is now passed right to the browser via PHP. This creates a seamless
false login experience for the victim, and gives the pen-tester a better payload: the WPA2-Enterprise
username and password.
Figure 3: The Flow
The above image illustrates the flow of the WPA Phishing Attack in a sequential manner. During “A”
the user is browsing the web normally. Once the computer attaches to the rogue access point, “B” occurs,
forcing the user to enter login credentials to continue. Finally, after entering credentials in “C”, the victim's traffic
flows directly to the second radio and out to the AP. This is an interrupt attack: it
interrupts the normal network operation of the victim user.
The Line-Out10 attack is much simpler, as it occurs when a victim user opens his or her laptop
and connects directly to the attacker.
UP AND RUNNING IN THE LAB
Start the webserver, lighttpd, with php5 [fastcgi] enabled.
Start Firefox and point the URL bar to wpa-credcheck.php.
Check to see if there is a Wireless device in monitor mode.
Kill any dhclient/dhcp servers/dns-spoofing/ettercap-ng processes.
Gather the device and create a VAP or enable monitor mode.
Gather the ESSID [name of the router being broadcast].
Start Airbase-ng.
Bring up the pseudo interface at0 and give it an IP and netmask.
Add a route and make changes to iptables.
Start the DHCP server.
Make sure the web server is started.
Start Dsniff’s DNSspoof and the Ettercap-ng MITM attack once a client connects.
NOTE
All of this is available in a .sh file in WeakNet Linux WEAKERTHAN 2. The settings were tested and
work across a range of different adapter types and drivers. The PHP scripts used are
available in the web server root directory /var/www.
10 Just like reel “fishing,” the fisherman lets his line out into the open waves waiting for a fish to come along. All puns intended.
Figure 4: Side by side comparison of the OSX phisher and the real login, showing even the drop
shadow below the window.
REFERENCES
Airbase-ng:
http://www.aircrack-ng.org/doku.php?id=airbase-ng
Aircrack-ng Suite and Cracking WPA:
http://www.aircrack-ng.org/doku.php?id=cracking_wpa
SSWR (Scripted Security for Wireless Routers):
http://weaknetlabs.com/SSWR/wepguard.pdf
Social Engineering:
http://www.secmaniac.com/download/
http://social-engineer.org/
WeakNet Linux WEAKERTHAN2:
http://weaknetlabs.com/linux