Since the turn of the century, wireless networking has grown from a very exclusive tech toy into a full-blown phenomenon. For less than $50, anyone who can plug in a toaster can essentially set up a wireless local area network (WLAN). The problem with this plug-and-play generation of users is that very few understand how their data is sent through the air, much less comprehend the associated risks. Even as I write this, an estimated 40–50% of all wireless users are not implementing any form of protection. On the bright side, this percentage is falling, albeit very slowly.

The security problem is exacerbated by the fact that early attempts at encryption were flawed. Wired Equivalent Privacy (WEP) was found to be vulnerable to various statistical weaknesses in the encryption algorithm it employed to scramble data passed over the WLAN. While attempts were made to correct the problem, it's still a relatively simple feat to crack WEP and essentially pull the password right out of the air. In addition, WEP suffers from other problems that make it unacceptable for use in any secure environment.

The wireless community knew early on that these problems existed. However, they also realized that it would take years until the standardized correction was designed and implemented into new hardware. In the meantime, millions of users needed reliable protection. The Wi-Fi Alliance stepped up to the challenge and created an interim "standard" called Wi-Fi Protected Access (WPA).

WPA did an excellent job of patching the problems in WEP. With only a software upgrade, it corrected almost every security problem either created or ignored by WEP. However, WPA also created new problems:

  • One flaw allowed an attacker to cause a denial-of-service attack, if the attacker could bypass several other layers of protection.
  • A second flaw exists in the method with which WPA initializes its encryption scheme. Consequently, it's actually easier to crack WPA than it is to crack WEP. This flaw is the subject of this article.

WPA Options

As indicated by its name, WEP serves to provide privacy. However, as I mentioned, its algorithms are flawed. WEP also doesn't include any support for authorization. To correct this problem, WPA has two main components:

  • The Temporal Key Integrity Protocol (TKIP) addresses the privacy concerns via enhanced encryption schemes.
  • The authentication component uses 802.1x and an authentication server to provide user-level access.

The authentication mechanism comes in two varieties, which is necessary because WPA has to address two very different markets: enterprise and consumer. The following list outlines the general security requirements for each variety.

  • Enterprise. Authorization, authentication, and auditing are all essential components for providing a secure resource to an enterprise user. As a result, it's possible to configure WPA to authenticate users, typically via a RADIUS server. (RADIUS is not the standard—just the most common way of implementing the standard.) During this process, the user obtains the primary master key (PMK), which is then used to set up the encryption algorithm used by TKIP. Because the PMK is derived as a result of the authentication process, there's no need for locally stored passwords. In addition, the authentication information is passed via an encrypted channel to protect it against eavesdroppers.
  • Consumer. WPA is not just an enterprise solution. It was also created to help secure the small office home office (SOHO) user. However, the consumer environment offers little justification for an authentication server. As a result, WPA had to include some internal method to create the PMK used to initialize the TKIP encryption process. This solution was created by using a pre-shared password that's previously configured in the access point and all nodes.

The attacks discussed in this article affect only the consumer version of WPA, known as WPA Pre-Shared Key (WPA-PSK). The enterprise solution is not susceptible to this particular attack, but that doesn't make it any less dangerous. With the widespread understanding that WEP is flawed, many SOHO users have switched to WPA-PSK without realizing the risks involved.

WPA Fixes

As previously mentioned, WPA accomplished its goal: Almost any legacy wireless equipment can be upgraded to meet WPA "standards" with little effort. This section provides a very general outline of the problems found in WEP, and what WPA did to correct them. Note that most of these fixes are specifically corrected by the privacy component known as TKIP.

Weak IVs and Collisions

The initialization vector (IV) value is used to provide each packet with a unique key (IV plus pre-shared key). This unique key provides a serious obstacle to any attacker, simply because each packet must be treated as a unique target. Cracking one packet's password only provides access to that one packet.

However, WEP's implementation of the IV is flawed:

  • The IV is only 24 bits. As a result, IVs are repeated every few hours. Therefore, over time, an attacker can leverage repeated IV values, known as collisions, to help gain access to the data.
  • WEP's algorithm is flawed. This flaw led to the widely known WEP cracking scandal that has surrounded wireless networking for years.

WPA corrected these problems in the following manner:

  • WPA increased the size of the IV to 48 bits, which provides at least 900 years of unique passwords and basically eliminates the problem of collision.
  • WPA alters the values acceptable as IVs. This fix allows WPA to use the same algorithm as WEP, but plugs the hole by controlling the IV values going into the algorithm. Finally, a new password is generated automatically every 10,000 packets. This is well below the threshold of even the most successful WEP cracking efforts and all but eliminates the threat of a statistical attack.

Integrity Check Value (ICV)

WEP uses an integrity check value (ICV) to ensure that packets are not corrupted during transmission. This integrity check has little to offer in the way of security, however. The algorithm is widely used and easy to fool.

To correct this problem, WPA incorporates an algorithm known as Michael that creates a unique integrity value, using the sender's and receiver's MAC addresses. However, Michael uses a simple encryption scheme that can be cracked using brute-force methods. To compensate for this issue, if Michael detects more than two invalid packets in under a minute, it halts the network for one minute and resets all passwords. But this arrangement opens the doors for a malicious attacker to perform a denial-of-service attack by purposefully injecting faulty packets; to accomplish this goal, however, the attacker must first work through several other layers of protection.

Forgery and Replay

WEP has no protection against forgery or replay attacks. Any attacker can inject any packet into a network. In addition, an attacker can reuse a captured packet in this injection. WPA incorporates protections against these attacks via the 48-bit IV value.

First, the IV is created using the MAC address of the sending network card and a sequential counter value. This technique stops forgery attacks because an attacker must know the MAC and IV values that are encrypted into the packet. Second, the IV includes a sequential counter (TSC). When a packet is received, its counter value must fall within an accepted range or it will be dropped. As a result, replay attacks don't work because the fake TSC probably won't be within the valid range.

User Authentication

WEP offers little in the way of authentication. It's possible to set up a shared authentication system, but enabling this method opens other security risks and is considered dangerous. To compensate, WPA includes support for authentication via 802.1x Extensible Authentication Protocol over LAN (EAPoL), generally with a RADIUS server.

As you can see, WPA has helped to increase the security available to wireless network users. Of course, this statement assumes that the WLAN owner knows about these technologies and uses them. Unfortunately, this is not often the case.

The Components of WPA-PSK

On the surface, WPA-PSK (the consumer version) looks and works much like WEP. The user sets up the access point by selecting WPA-PSK and enters a password or passphrase. He then does the same on the wireless device, resets the connection, and soon is securely surfing the Internet. And this is how it should be: simple, quick, and intuitive.

Ironically, WPA is anything but simple when you look at how it works behind the scenes. Not only does WPA-PSK include all the components and complexities of WEP (such as the KSA, PRGA, XOR, and ICV), but it adds other algorithms and technologies such as MD5, SHA-1, HMAC, PMK, PTK, and more. The following sections focus only on the new components, which we'll examine closely to understand how they work. While this information may seem irrelevant, you have to understand the core technologies before you look at the cracking process.

Message Digest (MD5)

The Message Digest function is a widely used hashing algorithm that creates a unique digital signature based on the data input. The typical process is to pass a large file into the MD5 algorithm, which then creates a 128-bit "fingerprint." According to the specifications, no two MD5 hashes should be the same, and no MD5 value can be used to re-create the original data.

MD5 is fast and efficient and generally considered to be fairly secure. While collision flaws have recently been found within MD5 that affect its use as a reliable integrity tool in the future, MD5 is currently used to sign many types of files. For example, P2P programs, torrent files, JAR (Java) packages, and more are all validated via the MD5 algorithm.

Secure Hash Algorithm 1 (SHA-1)

The Secure Hash Algorithm 1 (SHA-1) is considered more secure than MD5. It works like MD5, but creates a unique 160-bit hash value based on the data input. The extra 32 bits indicate that SHA-1 is stronger than MD5; the assumption is that it takes more time to perform a brute-force attack on a longer hash value.

Hashing MAC (HMAC)

If you receive a message, how can you know for sure who it came from? The answer is found in a message authentication code (MAC), which generally combines a message and password via a block-cipher. The result is a small string that can be appended to the data to validate where it originated. Unfortunately, this process can require significant resources.

The Hashing MAC (HMAC) function borrows the speed and functionality of a hash algorithm and combines it with an authentication scheme. As a result, HMAC not only ensures data integrity, but provides a form of authentication. Let's take a closer look at the internals of the HMAC.

The following table describes the assumed and known values.

Value   Description
-----   -----------
ipad    0x36 repeated 64 times
opad    0x5C repeated 64 times
K0      Pre-shared key buffered to 64 bytes with zeros
T       Text of message
H       Hash function (MD5 or SHA-1)

Here's how it works:

1. Buffer K to 64 bytes using zeros (K0)

2. XOR 64-byte K0 with 64-bit ipad value > K0 XOR ipad = K0i

3. Append text (T) to K0i > K0 XOR ipad, T = K0i.t

4. Hash K0i.t via MD5 or SHA-1 > H(K0 XOR ipad, T) = H(K0i.t)

5. XOR 64-byte K0 with 64-bit opad value > K0 XOR opad = K0o

6. Append #5 results with #4 results > K0opad, H(K0ipad.t)

7. Hash #6 results to create HMAC hash > H(K0opad, H(K0ipad.t))

Here's the complete algorithm:

H(K0 XOR opad, H(K0 XOR ipad, T)) > HMAC hash

This will produce either a 128-bit or 160-bit hash, depending on the hash function selected. The results can also be truncated to reduce the overhead. As you'll see shortly, the HMAC functions—and more importantly the MAC—play an important part in the WPA-PSK process.
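The seven steps above, written out as an added example (not code from the article or from coWPAtty) and checkable against Python's standard `hmac` module. The names `hmac_by_hand` and `verify_tag`, the sample key and message, and the 10-byte truncation floor (RFC 2104's 80-bit recommendation) are assumptions of this example; it also goes one step beyond the list by handling keys longer than 64 bytes, which RFC 2104 hashes before padding.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # bytes; the input block size of both MD5 and SHA-1


def hmac_by_hand(key: bytes, text: bytes, hash_name: str = "md5") -> bytes:
    """Compute H(K0 XOR opad, H(K0 XOR ipad, T)) following the seven steps."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    # Not in the seven steps: RFC 2104 hashes a key longer than one block
    # first, so that the result fits into the 64-byte K0 buffer.
    if len(key) > BLOCK_SIZE:
        key = H(key)
    k0 = key.ljust(BLOCK_SIZE, b"\x00")       # step 1: buffer K with zeros
    k0_ipad = bytes(b ^ 0x36 for b in k0)     # step 2: K0 XOR ipad
    inner = H(k0_ipad + text)                 # steps 3-4: append T, then hash
    k0_opad = bytes(b ^ 0x5C for b in k0)     # step 5: K0 XOR opad
    return H(k0_opad + inner)                 # steps 6-7: append and hash again


def verify_tag(key: bytes, text: bytes, tag: bytes,
               hash_name: str = "md5", min_len: int = 10) -> bool:
    """Check a full or truncated HMAC tag without leaking timing information.

    min_len is this example's policy floor (80 bits); shorter tags are
    rejected outright because they are cheap to guess.
    """
    if len(tag) < min_len:
        return False
    expected = hmac_by_hand(key, text, hash_name)[:len(tag)]
    return hmac.compare_digest(expected, tag)


# Constructed sample input, not taken from any capture.
KEY = b"constructed-demo-key"
MESSAGE = b"constructed message body"

if __name__ == "__main__":
    for name in ("md5", "sha1"):
        tag = hmac_by_hand(KEY, MESSAGE, name)
        same = tag == hmac.new(KEY, MESSAGE, name).digest()
        print(name, len(tag) * 8, "bits", tag.hex(), "matches stdlib:", same)
    full = hmac_by_hand(KEY, MESSAGE, "sha1")
    print("truncated tag accepted:", verify_tag(KEY, MESSAGE, full[:12], "sha1"))
    print("altered message accepted:", verify_tag(KEY, MESSAGE + b"!", full, "sha1"))
```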

Starting the Crack

First, it's important to note the efforts that the designers of WPA went through to secure WPA. The four-way handshake was designed to occur over an insecure channel using plaintext, but still provide a means of authenticating and initializing a secure connection between two devices. At no time is any key actually transmitted over the air. The pre-shared key (PSK) is first converted to a primary master key (PMK), which is then used to create the primary transient key (PTK). The PTK is broken down into several parts, one of which is the MIC (Message Authentication Code) Key. This value is then used to create a message digest value (hash) that is appended to each packet for validation. Note that a hash, by definition, cannot be used to re-create the original data. As a result, at no time is sensitive data exposed to an attacker.

The problem isn't directly related to the algorithm or WPA initialization process, but is instead tied to the simple fact that the process can be reproduced. This fact, combined with the reality that most users select poor passwords, provides an opportunity that can be exploited.

NOTE

Both the WPA and 802.11i documentation recommend a minimum 20-character password. Unfortunately, this small tip is buried in a lot of highly technical information, and therefore unavailable to the typical SOHO user.

To illustrate how the attack works, let's dissect a successful crack using a program written by Joshua Wright, who has made headlines with his security research. His work prompted Cisco to release a warning about the insecurities of LEAP, and eventually led to the release of EAP-Fast. Mr. Wright also produced the first publicly available WPA cracking tool for Linux. While KisMAC had this ability for several months prior to the release of coWPAtty, the use of that tool requires a Mac.

Using coWPAtty

To perform the crack, we'll use coWPAtty. While it would be nice to show the details by hand, this feat would be almost impossible because WPA employs several hashing algorithms (HMAC, SHA1, and MD5). Manually working through these calculations would take a very long time, and is well beyond the scope of this article.

NOTE

You can find coWPAtty in a bootable Linux project called Auditor (under the guise of wpa-psk-bf) and online at SourceForge.

Using coWPAtty is simple. The help menu provides several hints as to what we need to prepare prior to using this program:

colinux:/downloads/wpa# ./cowpatty
cowpatty - WPA-PSK dictionary attack. <jwright@hasborg.com>
cowpatty: Must supply a list of passphrases in a file with -f.
      Use "-f -" to accept words on stdin.
Usage: cowpatty [options]
 
    -f   Dictionary file
    -r   Packet capture file
    -s   Network SSID
    -h   Print this help information and exit
    -v   Print verbose information (more -v for more verbosity)
    -V   Print program version and exit

coWPAtty is a brute-force cracking tool, which means that it systematically attempts to crack the WPA-PSK by testing numerous passwords, in order, one at a time. The quality of this type of tool is related to its speed; in other words, how fast it can test each password. Unfortunately, coWPAtty is not very fast, and can try a maximum of 30–60 words per second. That may sound like a lot, but assuming that coWPAtty can test 45 words per second, by the end of day a cracker would have tested only 3,888,000 words. When you compare this number to the fact that there are 67,108,864 possible ways to create a two-letter password, it would take more than 20 days just to be sure that the passphrase isn't as simple as "yo." Combine the requirement that all WPA-PSK passwords have to be greater than eight characters, and you have a problem.

Still, coWPAtty can quickly rule out the standard weak passwords. In addition, it was written in such a way that it provides an excellent teaching tool to demonstrate WPA's weakness.

Using coWPAtty is fairly straightforward. You need to provide a password list, a capture file with a complete EAP four-way handshake, as well as the SSID for the target network. The following sections outline the steps to collect the handshake and SSID.

Collecting Data

Prior to using coWPAtty, we need to capture a WPA-PSK TKIP/EAP/802.1x negotiation session between an access point and a node. This can be accomplished using any number of sniffers, including Ethereal and tcpdump.

TIP

Older sniffers don't understand all the details of an EAP packet. I had to upgrade to the most recent version of Ethereal to obtain an accurate interpretation of the collected data.

Our illustration is a highly filtered capture of only four packets, each of which represents one of the parts of the four-way handshake. In a normal capture, you would see WLAN management packets and encrypted traffic from other connected devices. You must have all four packets associated with the handshake. The problem is how to differentiate one EAP packet from another.

Fortunately, the 802.11 specifications help. Figures 1-4 provide the details of each individual packet in Ethereal. Note that the ACK flag is set only when the packet originates from the Linksys AP. Also, note the encryption information that appears only in packets 2 and 3. Finally, the Install flag is set only in packet 3, which comes from the authenticator (discussed in part 1 of this series).

Figure 1 Packet 1.

Figure 2 Packet 2.

Figure 3 Packet 3.

Figure 4 Packet 4.

Joshua Wright's tool takes all these differences into consideration and automatically determines whether a packet capture contains the relevant data required to crack WPA. If any one of these packets is missing, cracking efforts will fail.

Finding the SSID

In typical wireless networking, learning the SSID is as easy as enabling your wireless network card. Most wireless client programs include a rudimentary scanner that can detect open wireless networks, and most include more advanced detail about the type of encryption and signal strength. However, if the wireless network is not broadcasting its SSID, you'll need to do one of three things:

  • "Social engineer" the SSID from a user. This method isn't technical in nature; many people love to help others in need.
  • Using a program such as Kismet, monitor the traffic for an extended period of time. Assuming that the WLAN has numerous users, the SSID will be passed the next time a user sends out a probe for the network. This can take some time if there's only one user, who is already connected to the WLAN.
  • Use a program such as void11, wlan_jack, or essid_jack that causes the user to be completely disconnected (de-authenticated) from the network. If disconnected, a wireless device automatically attempts to re-authenticate, which causes the SSID to be sent over the air in plaintext.

Regardless of how you obtain the SSID, it's essential to the cracking process due to its use in converting the PSK into a PMK.

The Achilles Heel

coWPAtty is a password cracker. However, just like all password-cracking tools, it needs a target. In many cases, password crackers simply create a hash of a dictionary word and compare it to an existing password hash to see whether it matches. In other cases, such as this one, the target is not a simple hash of the original password. Instead, the target is buried several layers into the algorithm and requires significant work to attack.

The Achilles heel of WPA is the calculated MIC value that is used to validate messages 2–4 of the four-way handshake. In particular, coWPAtty targets the final EAPoL message, although any would work. Remember that this MIC value is created by passing the entire EAPoL message into an HMAC_MD5 hashing algorithm, which is secured by the MIC Key that was taken from the PTK.

Because both the MIC value (not the key) and the EAPoL message are passed as plaintext, an attacker can focus on the MIC hash value. The challenge is tied to the fact that an attacker must first convert the dictionary word to a PMK, using the correct algorithm with an accurate SSID value. Then the resulting value is plugged into another equation that also requires the MAC addresses and Nonce values of the supplicant and authenticator. The result of this calculation is the PTK, from which the attacker can strip the MIC Key. With this MIC Key, the attacker then performs the same HMAC_MD5 hash on the captured EAPoL message to see whether the selected password produces the same MIC as the captured MIC.

Sounds complex? This is why most of this article focused on the background of WPA-PSK. Imagine trying to explain this process without first describing the PMK, PTK, and their relationships to the MIC Key!

To help clarify how all this works, let's look at a step-by-step illustration revealing how a real four-way handshake can lead to a cracked password.

The Crack

First, the assumed and known values:

  • SSID: linksys54gh
  • SSID Length: 11
  • Test password from a dictionary file or STDIN (radiustest)
  • The four-way handshake is captured and stored in eapcap2.cap. (Refer to Figure 1.)

NOTE

To help us gain an insider's view of the cracking process, I added a few output commands to coWPAtty. The modifications only provide a look at how the program is collecting and manipulating data to produce its calculated MIC value. Nothing was altered that changes the way in which the program functions.

1. Verification of capture. This part of the program verifies that all the required packets are in the capture file. This objective is accomplished by filtering out all packets that don't include the 802.1x Authentication type flag (0x888E). The remaining packets are then checked to be sure that a complete four-way handshake was captured.

2. The packets are parsed for all relevant information. The following example lists important parts to be used during the cracking process. Figures are taken from previous Ethereal capture images.

   o Packet 1 (A>S): Provides no real data for the cracking process.

   o Packet 2 (S>A): Provides the SNonce value (green) shown in Figure 5.

     Figure 5 Packet 2 with SNonce value highlighted.

   o Packet 3 (A>S): Provides the ANonce value (green) and the MAC addresses of both the Authenticator (blue) and Supplicant (red). The MAC addresses could be taken from any one of these packets (see Figure 6).

     Figure 6 Packet 3 with ANonce value and MAC addresses highlighted.

   o Packet 4 (S>A): Provides the MIC value and EAPoL packet to be used when calculating the test MIC from the generated MIC Key (see Figure 7). Note that the MIC value is added after it's calculated. Until it's added, the data field is filled with 00 bytes.

     Figure 7 Packet 4 with EAP frame data and MIC value highlighted.

3. The selected test password is checked to be sure that it's not less than eight or greater than 63 characters, as required by 802.11i.

4. The PMK is generated from the test password, using the following algorithm:

       PMK = pbkdf2_SHA1(passphrase, SSID, SSID length, 4096)
       PMK = pbkdf2_sha1("radiustest","linksys54gh",11,4096)

5. The PTKs are generated from the PMK, using the following algorithm:

       PTK = PRF-X(PMK,
           Len(PMK), "Pairwise key expansion",
           Min(AA,SA) || Max(AA,SA) || Min(ANonce,SNonce) || Max(ANonce,SNonce))

       PTK = SHA1_PRF(
           9e99 88bd e2cb a743 95c0 289f fda0 7bc4   ;PMK
           1ffa 889a 3309 237a 2240 c934 bcdc 7ddb
           ,32,"Pairwise key expansion",        ;length of PMK & string
           000c 41d2 94fb 000d 3a26 10fb 893e e551   ;MAC and nonce values
           2145 57ff f3c0 76ac 9779 15a2 0607 2703
           8e9b ea9b 6619 a5ba b40f 89c1 dabd c104
           d457 411a ee33 8c00 fa8a 1f32 abfc 6cfb
           7943 60ad ce3a fb5d 159a 51f6,76)

       PTK = ccbf 97a8 2b5c 51a4 4325 a77e 9bc5 7050
           daec 5438 430f 00eb 893d 84d8 b4b4 b5e8
           19f4 dce0 cc5f 2166 e94f db3e af68 eb76
           80f4 e264 6e6d 9e36 260d 89ff bf24 ee7e

6. A MIC value is calculated, using the MIC Key from the PTK and the EAPoL message:

       MIC = HMAC_MD5(MIC Key,
           16,
           802.1x data)

       MIC = HMAC_MD5(
           ccbf 97a8 2b5c 51a4 4325 a77e 9bc5 7050   ;first 16 bytes of PTK
           ,16,                     ;length of PTK
           0103 005f fe01 0900 0000 0000 0000 0000   ;802.1x data
           1400 0000 0000 0000 0000 0000 0000 0000
           0000 0000 0000 0000 0000 0000 0000 0000
           0000 0000 0000 0000 0000 0000 0000 0000
           0000 0000 0000 0000 0000 0000 0000 0000
           0000 0000 0000 0000 0000 0000 0000 0000
           0000 )

       MIC = d0ca 4f2a 783c 4345 b0c0 0a12 ecc1 5f77

7. The calculated MIC is compared to the captured MIC:

       Calculated MIC using EAP frame four with "radiustest" is
            d0ca 4f2a 783c 4345 b0c0 0a12 ecc1 5f77

       Capture MIC is
            d0ca 4f2a 783c 4345 b0c0 0a12 ecc1 5f77

       CALCULATED MICS MATCH!!! Congratulations, the PSK is "radiustest".
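The derivation chain walked through above (length check, PMK, PTK, MIC, comparison), as an added Python example that is not coWPAtty's code or the article's. It shows that the passphrase is the only input not visible in the handshake, so passphrase length is the control that matters, and that the SSID salts the PMK. The function names, the MAC addresses, nonces, SSID and passphrase are constructed for this example, and the MIC offset of 81 bytes assumes the standard EAPOL-Key frame layout with no key data.

```python
import hashlib
import hmac
import struct

MIC_OFFSET, MIC_LEN = 81, 16  # position of the MIC field in an EAPOL-Key frame


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:        # length rule required by 802.11i
        raise ValueError("passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, sa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """64-byte PTK from the SHA-1 PRF over the sorted MAC addresses and nonces."""
    data = min(aa, sa) + max(aa, sa) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    out = b""
    for counter in range(4):                  # 4 x 20 bytes covers the 64 needed
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(pmk, block, hashlib.sha1).digest()
    return out[:64]


def eapol_mic(ptk: bytes, frame: bytes) -> bytes:
    """HMAC-MD5 keyed with the MIC Key (first 16 PTK bytes), MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(ptk[:16], zeroed, hashlib.md5).digest()


def mic_is_valid(passphrase, ssid, aa, sa, anonce, snonce, frame) -> bool:
    """Recompute the MIC from a passphrase and compare it with the frame's MIC."""
    ptk = derive_ptk(derive_pmk(passphrase, ssid), aa, sa, anonce, snonce)
    carried = frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    return hmac.compare_digest(eapol_mic(ptk, frame), carried)


def build_message4(ptk: bytes, replay_counter: int) -> bytes:
    """Constructed stand-in for handshake packet 4 (no key data, 99 bytes)."""
    # Descriptor type 0xFE and key info 0x0109 as in the article's dump.
    body = struct.pack(">BHHQ", 0xFE, 0x0109, 0, replay_counter)
    body += bytes(32 + 16 + 8 + 8)            # nonce, key IV, RSC, key ID: zeros
    body += bytes(MIC_LEN) + b"\x00\x00"      # empty MIC field, key data length 0
    frame = struct.pack(">BBH", 1, 3, len(body)) + body
    return frame[:MIC_OFFSET] + eapol_mic(ptk, frame) + frame[MIC_OFFSET + MIC_LEN:]


# Constructed sample values (not taken from the article's capture).
SSID = "example-ssid"
PASSPHRASE = "correct horse battery staple"
AA = bytes.fromhex("020000000001")            # authenticator MAC
SA = bytes.fromhex("020000000002")            # supplicant MAC
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()
PTK = derive_ptk(derive_pmk(PASSPHRASE, SSID), AA, SA, ANONCE, SNONCE)
FRAME = build_message4(PTK, replay_counter=0x14)

if __name__ == "__main__":
    args = (AA, SA, ANONCE, SNONCE, FRAME)
    print("frame length:", len(FRAME), "PTK length:", len(PTK))
    print("configured passphrase:", mic_is_valid(PASSPHRASE, SSID, *args))
    print("different passphrase:", mic_is_valid("not the passphrase", SSID, *args))
    print("same passphrase, other SSID:", mic_is_valid(PASSPHRASE, "other-ssid", *args))
```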

Summary

The point of this pair of articles was to provide you with an understanding of how WPA-PSK can be cracked. To do this, we first examined why WPA was created; its variations; how it's used; the algorithms and key technologies included with WPA; and finally how WPA-PSK, combined with a weak password, can expose a wireless network to attackers.

As we've learned, cracking the password is no simple matter. Due to the WPA design, an attacker must have an insider's understanding of how the packets are created and how their data is used to secure a WPA-PSK network (or a tool that does this for the attacker). Our example provided a test using a previously known password. To successfully crack a random network, an attacker must have a large dictionary file, a powerful computer, and a little luck in order to obtain the password. Fortunately, this isn't as easy as it sounds.