Post on 24-Oct-2014


WPA

WPA Phishing Attack

A Social Engineer Attack against WPA2 Enterprise

Written By Douglas Berdeaux

Douglas@WeakNetLabs.com


ABSTRACT

For a penetration tester, WPA2 Enterprise key retrieval is limited to chance. WPA/WPA2 has yet to be “cracked,” if even possible, in the sense of how a WEP key can be retrieved.[1] WPA has a longer Initialization Vector[2] that has less chance of being reused, and countermeasures, like the MIC, for stopping replay attacks in the same way SSWR[3] works with WEP. This attack is similar to the simpler FreeRADIUS WPE[4] attack. Rather than leaving all of this up to chance, a penetration tester should have in his arsenal as many attack methods and styles as possible. This method phishes a WPA/WPA2-Enterprise key by embedding a fake WPA/WPA2 Enterprise login window into a webpage. The attack is then strengthened when added to an on-site rogue wireless AP attack. This paper is intended for those already familiar with phishing, WEP cracking, up-to-date WPA key retrieval methods, the Aircrack-ng Suite, and simple PHP/Unix skills.

[1] Attacking WEP with the Aircrack-ng Suite and packet replay involves replaying packets over and over that are injected into a network using a wireless radio in RFMON (Monitor) Mode.
[2] 48 bits as opposed to WEP's 24 bits.
[3] Scripted Security for Wireless Routers, 2010 WeakNet Labs.
[4] The FreeRADIUS WPE (Wireless Pwnage Edition) attack uses an actual RADIUS server, in which credentials are entered and then the hash is saved to a file. This hash could then be attacked offline later with a large dictionary attack. This method, too, is left up to chance, but is far more advanced in setup.


BEGIN

WPA and WPA2 have yet to be “cracked,” if even possible, in the same sense as that of the late WEP (Wireless Equivalency Privacy). Attacking and cracking WEP is rather simple and can be done in seconds. Though there have been a few breakthroughs, like retrieving the MIC, or Michael Integrity Check, which is used as a countermeasure, and the offline dictionary attack against a packet capture file which contains the 4-way handshake, attacks to recover a WPA/WPA2 key still rely heavily on chance.

Social engineering attacks have become more popular among professional penetration testers, and have also become more technical. Long ago, a pen-tester could simply call a few of the target company’s employees under false pretenses and retrieve passwords, login info, and more. With security awareness from a few of today’s leading computer security experts,[5] these attacks have become much harder to pull off. Methods for social engineering have evolved over the years accordingly. New attacks have been designed to create real false pretenses, like phishing, for example, in which an attacker designs a webserver to pretend to be another webserver. ARP poisoning and DNS spoofing attacks take this attack to a more advanced level, at which the victim’s browser states that he or she is, in fact, at the actual site which requires a secure login.

Rogue APs are the biggest threat to wireless security today. This is due to the 802.11 protocol being a shared medium. The RF waves released from an antenna propagate in all directions,[6] even if focused using a semi-directional or directional antenna. These attacks are, in fact, a type of social engineering attack. New tools have been developed for attackers to pretend to be APs, like Airbase-ng in the Aircrack-ng Suite. This tool allows an attacker to create a pseudo radio in Master mode and send beacons, allow incoming connections,[7] and, with a little help from iptables, route packets just as if the radio were an actual AP. In fact, with a bit of strong networking knowledge, an attacker can bridge the connection of his rogue AP radio to a second radio which has an internet connection through another wireless router. Getting a victim to connect to an attacker’s fake AP is rather simple, as the victim’s radio will associate with the AP with the highest TX/RX power. This means that on-site attacks are required, and the higher the EIRP[8] of the attacker’s radio, the better.
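The defensive counterpart to the rogue AP described above, as an added example that is not code from the paper or from WEAKERTHAN: a small Python triage routine over beacon observations that flags any beacon advertising the protected corporate ESSID from a BSSID outside the authorized inventory, or without the WPA2-Enterprise (802.1X) suite the real network uses, and lists the strongest signal first because, as noted, clients gravitate to the loudest AP. The SSID name, BSSIDs, the assumption that a pseudo AP advertises the ESSID as OPEN, and the signal values are all constructed placeholders.

```python
# Evil-twin beacon triage for a WPA2-Enterprise SSID (added example).
# All SSIDs, BSSIDs and signal values below are constructed placeholders.
from dataclasses import dataclass

# Assumed inventory: authorized BSSIDs for each protected corporate SSID.
AUTHORIZED = {"CorpWiFi": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}}
# Authentication suite each protected SSID is expected to advertise.
EXPECTED_AUTH = {"CorpWiFi": "WPA2-802.1X"}

@dataclass(frozen=True)
class Beacon:
    bssid: str
    essid: str
    channel: int
    auth: str       # e.g. "WPA2-802.1X", "WPA2-PSK", "OPEN"
    rssi_dbm: int   # signal strength as seen by the sensor

def classify(beacon: Beacon) -> list[str]:
    """Return the reasons a beacon looks like a rogue AP (empty = benign)."""
    reasons = []
    if beacon.essid not in AUTHORIZED:
        return reasons  # not one of our SSIDs; out of scope for this check
    if beacon.bssid.lower() not in AUTHORIZED[beacon.essid]:
        reasons.append("unknown BSSID advertising protected ESSID")
    expected = EXPECTED_AUTH[beacon.essid]
    if beacon.auth != expected:
        reasons.append(f"auth downgrade: {beacon.auth} instead of {expected}")
    return reasons

def triage(beacons: list[Beacon]) -> dict[str, list[str]]:
    """Map each suspicious BSSID to its reasons, strongest signal first."""
    flagged = {}
    for b in sorted(beacons, key=lambda b: b.rssi_dbm, reverse=True):
        reasons = classify(b)
        if reasons:
            flagged[b.bssid] = reasons
    return flagged

# Constructed sample: two legitimate APs, one loud open twin, one unrelated network.
SAMPLE = [
    Beacon("00:11:22:AA:BB:01", "CorpWiFi", 6, "WPA2-802.1X", -62),
    Beacon("00:11:22:aa:bb:02", "CorpWiFi", 11, "WPA2-802.1X", -70),
    Beacon("de:ad:be:ef:00:01", "CorpWiFi", 6, "OPEN", -35),
    Beacon("aa:bb:cc:dd:ee:ff", "CoffeeShop", 1, "WPA2-PSK", -80),
]

if __name__ == "__main__":
    for bssid, reasons in triage(SAMPLE).items():
        print(bssid, "->", "; ".join(reasons))
```

A twin that copies the 802.1X suite still trips the BSSID check, which is why the inventory, not the advertised security, is the primary signal here.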

WPA, or WPA Phishing Attack, uses all of the above concepts to attack WPA2 Enterprise networks, with a bit of its own style. In this attack, Airbase-ng is used to create a rogue wireless access point in the vicinity of the environment the pen-tester has been hired to assess. The attacker’s machine also hosts a DHCP server to serve IP addresses, and an HTTP/PHP server to host the actual phisher. The attack then uses simple tools to ARP poison and DNS spoof the victim, redirecting all HTTP through the local webserver, which hosts the actual phisher, until credentials are detected in the log file.

[5] Chris Hadnagy, Mati Aharoni, Jim O’Gorman, and Paul Hand of Social-Engineer.org
[6] Isotropic radiators are perfect spheres of radiation, like that of a glowing star. Omnidirectional antennas, such as those on a typical consumer wireless router, do not propagate in a sphere shape, but more like a torus, or donut shape.
[7] DHCP server required.
[8] Equivalent Isotropic Radiated Power, or output power from the antenna.

THE PHISHER

The phisher is coded to perform OS/browser detection and then serve a webpage according to the results. This simple web page is a false error web page in which a false WPA/WPA2 authentication window is embedded.

Figure 0: The phisher for Windows XP.

As you can see in the above image, this is the simple design for use with Windows XP. The OS detection is necessary to make the victim believe that he or she needs to re-authenticate with the wireless AP. The browser detection is necessary as the text fields all vary in height. If, however, a username were retrieved by the attacker in either an offline social engineering attack or from a wireless sniffing device, it can then be placed into the username field to give the victim a better sense of realness in observing the false login/re-authentication window, like so:

<input type="text" value="victim name" />

Code Sample 0: How to input a username into the text field.


The OS/browser detection changes the padding width from the top of the check box to the three fields in the form. It also changes the embedded background images, the image of the WPA2 Enterprise login window, and the OK button accordingly. An example would be that Windows XP (NT 5.1) using MSIE requires a longer center text box width than Windows XP (NT 5.1) with Chrome or Firefox. Many small differences like this across different OSs and browsers have made the task of arrangement quite tedious!

Below is an image of how the user agent appears to the webserver from a Microsoft Windows XP / IE browser machine.

Figure 1: The User Agent passed to lighttpd

Figure 2: Normal MITM attack operation.

The above image displays a normal MITM[9] attack using Airbase-ng. The attacker’s [red] traffic is from the radio in Master Mode. The [green] traffic is from a separate radio in Managed Mode, associated and authenticated with a valid session to the AP. Traffic from the victim can traverse to the attacker, to the AP, back to the attacker, and then finally back to the victim. One can imagine the devastating effects of this simple attack.

[9] Man In The Middle

In the WPA Phishing Attack, the traffic is stopped by the attacker, who displays a fake WPA/WPA2 login page for the corresponding OS, determined from the user agent data gathered by the PHP server using regular expressions.

Once the wpa-credcheck.php script detects a login attempt, the attacker is notified via his or her web browser. The attack then happens a second time to simulate bad credentials. This creates the illusion that a typo has occurred, and also catches those who put in false credentials to a network they don’t know. After the second set of credentials is detected, the attacker stops the ARP poisoning and DNS spoofing, allowing traffic to pass through as it would in a normal MITM operation. The URL the victim was trying to access is now passed right to the browser via PHP. This creates a seamless false login experience for the victim, and gives the pen-tester a better payload: the WPA2-Enterprise username and password.

Figure 3: The Flow

The above image illustrates the flow of the WPA Phishing Attack in a sequential manner. During “A” the user is browsing the web fine. Once the computer attaches to the rogue access point, “B” occurs, forcing the user to enter login credentials to continue. Finally, after entering credentials in “C”, the victim’s traffic flows directly to the second radio and out to the AP. This is an interrupt attack: it interrupts the normal network operation of the victim user.


The Line-Out[10] attack is much simpler, as it occurs when a victim user opens his or her laptop and connects directly to the attacker.

UP AND RUNNING IN THE LAB

Start the webserver, lighttpd, with php5 [fastcgi] enabled.
Start Firefox and point the URL bar to wpa-credcheck.php.
Check to see if there is a wireless device in monitor mode.
Kill any dhclient/DHCP servers/dns-spoofing/ettercap-ng processes.
Gather the device and create a VAP or enable monitor mode.
Gather the ESSID [name of the router being broadcast].
Start Airbase-ng.
Bring up the pseudo interface at0 and give it an IP and netmask.
Add a route and make changes to iptables.
Start the DHCP server.
Make sure the web server is started.
Start Dsniff’s DNSspoof and the Ettercap-ng MITM attack once a client connects.

NOTE

All of this is available in a .sh file in WeakNet Linux WEAKERTHAN 2. The settings were tested and developed to work across a range of different adapter types and drivers. The PHP scripts used are available in the web server root directory /var/www.

[10] Just like reel “fishing,” the fisherman lets his line out into the open waves waiting for a fish to come along. All puns intended.


Figure 4: Side by side comparison of the OSX phisher and the real login, showing even the drop shadow below the window.

REFERENCES

Airbase-ng:
http://www.aircrack-ng.org/doku.php?id=airbase-ng

Aircrack-ng Suite and Cracking WPA:
http://www.aircrack-ng.org/doku.php?id=cracking_wpa

SSWR (Scripted Security for Wireless Routers):
http://weaknetlabs.com/SSWR/wepguard.pdf

Social Engineering:
http://www.secmaniac.com/download/
http://social-engineer.org/

WeakNet Linux WEAKERTHAN2:
http://weaknetlabs.com/linux
