InformIT

Cracking Wi-Fi Protected Access (WPA), Part 2

Date: Mar 11, 2005

Return to the article

Concluding his two-part series, Seth Fogie describes in detail how WPA-PSK can be cracked.

In part 1 of this series, we looked at the internals of WPA as compared to WEP, and saw how this wireless protection method can be cracked with only four packets of data. With a solid understanding of how keys are created, transmitted, validated, and then used to set up the encryption between two wireless devices, we're ready to investigate how WPA can be cracked.

Starting the Crack

First, it's important to note the efforts that the designers of WPA went through to secure WPA. The four-way handshake was designed to occur over an insecure channel using plaintext, but still provide a means of authenticating and initializing a secure connection between two devices. At no time is any key actually transmitted over the air. The pre-shared key (PSK) is first converted to a primary master key (PMK), which is then used to create the primary transient key (PTK). The PTK is broken down into several parts, one of which is the MIC (Message Authentication Code) Key. This value is then used to create a message digest value (hash) that is appended to each packet for validation. Note that a hash, by definition, cannot be used to re-create the original data. As a result, at no time is sensitive data exposed to an attacker.

The problem isn't directly related to the algorithm or WPA initialization process, but is instead tied to the simple fact that the process can be reproduced. This fact, combined with the reality that most users select poor passwords, provides an opportunity that can be exploited.

NOTE

Both the WPA and 802.11i documentation recommend a minimum 20-character password. Unfortunately, this small tip is buried in a lot of highly technical information, and therefore unavailable to the typical SOHO user.

To illustrate how the attack works, let's dissect a successful crack using a program written by Joshua Wright, who has made headlines with his security research. His work prompted Cisco to release a warning about the insecurities of LEAP, and eventually lead to the release of EAP-Fast. Mr. Wright also produced the first publicly available WPA cracking tool for Linux. While KisMAC had this ability for several months prior to the release of coWPAtty, the use of that tool requires a Mac.

Using coWPAtty

To perform the crack, we'll use coWPAtty. While it would be nice to show the details by hand, this feat would be almost impossible because WPA employs several hashing algorithms (HMAC, SHA1, and MD5). Manually working through these calculations would take a very long time, and is well beyond the scope of this article.

NOTE

You can find coWPAtty in a bootable Linux project called Auditor (under the guise of wpa-psk-bf) and online at SourceForge.

Using coWPAtty is simple. The help menu provides several hints as to what we need to prepare prior to using this program:

colinux:/downloads/wpa# ./cowpatty
cowpatty - WPA-PSK dictionary attack. <jwright@hasborg.com>
cowpatty: Must supply a list of passphrases in a file with -f.
      Use "-f -" to accept words on stdin.
Usage: cowpatty [options]

    -f   Dictionary file
    -r   Packet capture file
    -s   Network SSID
    -h   Print this help information and exit
    -v   Print verbose information (more -v for more verbosity)
    -V   Print program version and exit

coWPAtty is a brute-force cracking tool, which means that it systematically attempts to crack the WPA-PSK by testing numerous passwords, in order, one at a time. The quality of this type of tool is related to its speed; in other words, how fast it can test each password. Unfortunately, coWPAtty is not very fast, and can try a maximum of 30–60 words per second. That may sound like a lot, but assuming that coWPAtty can test 45 words per second, by the end of day a cracker would have tested only 3,888,000 words. When you compare this number to the fact that there are 208,827,064,576 possible ways to create the minimum eight-letter password, it would take more than 53710 days just to be sure that the passphrase isn't as simple as "aaaaaaaa." Combine the requirement that all WPA-PSK passwords have to be greater than eight characters, and you have a problem.

Still, coWPAtty can quickly rule out the standard weak passwords. In addition, it was written in such a way that it provides an excellent teaching tool to demonstrate WPA's weakness.

Using coWPAtty is fairly straightforward. You need to provide a password list, a capture file with a complete EAP four-way handshake, as well as the SSID for the target network. The following sections outline the steps to collect the handshake and SSID.

Collecting Data

Prior to using coWPAtty, we need to capture a WPA-PSK TKIP/EAP/802.1x negotiation session between an access point and a node. This can be accomplished using any number of sniffers, including Ethereal and tcpdump.

TIP

Older sniffers don't understand all the details of an EAP packet. I had to upgrade to the most recent version of Ethereal to obtain an accurate interpretation of the collected data.

Our illustration is a highly filtered capture of only four packets, each of which represents one of the parts of the four-way handshake. In a normal capture, you would see WLAN management packets and encrypted traffic from other connected devices. You must have all four packets associated with the handshake. The problem is how to differentiate one EAP packet from another.

Fortunately, the 802.11 specifications help. Figures 1-4 provide the details of each individual packet in Ethereal. Note that the ACK flag is set only when the packet originates from the Linksys AP. Also, note the encryption information that appears only in packets 2 and 3. Finally, the Install flag is set only in packet 3, which comes from the authenticator (discussed in part 1 of this series).

Figure 1

Figure 1 Packet 1.

Figure 2

Figure 2 Packet 2.

Figure 3

Figure 3 Packet 3.

Figure 4

Figure 4 Packet 4.

Joshua Wright's tool takes all these differences into consideration and automatically determines whether a packet capture contains the relevant data required to crack WPA. If any one of these packets is missing, cracking efforts will fail.

Finding the SSID

In typical wireless networking, learning the SSID is as easy as enabling your wireless network card. Most wireless client programs include a rudimentary scanner that can detect open wireless networks, and most include more advanced detail about the type of encryption and signal strength. However, if the wireless network is not broadcasting is SSID, you'll need to do one of three things:

Regardless of how you obtain the SSID, it's essential to the cracking process due to its use in converting the PSK into a PMK.

The Achilles Heel

coWPAtty is a password cracker. However, just like all password-cracking tools, it needs a target. In many cases, password crackers simply create a hash of a dictionary word and compare it to an existing password hash to see whether it matches. In other cases, such as this one, the target is not a simple hash of the original password. Instead, the target is buried several layers into the algorithm and requires significant work to attack.

The Achilles heel of WPA is the calculated MIC value that is used to validate messages 2–4 of the four-way handshake. In particular, coWPAtty targets the final EAPoL message; although any would work. Remember that this MIC value is created by passing the entire EAPoL message into an HMAC_MD5 hashing algorithm, which is secured by the MIC Key that was taken from the PTK.

Because both the MIC value (not the key) and the EAPoL message are passed as plaintext, an attacker can focus on the MIC hash value. The challenge is tied to the fact that an attacker must first convert the dictionary word to a PMK, using the correct algorithm with an accurate SSID value. Then the resulting value is plugged into another equation that also requires the MAC addresses and Nonce values of the supplicant and authenticator. The result of this calculation is the PTK, from which the attacker can strip the MIC Key. With this MIC Key, the attacker then performs the same HMAC_MD5 hash on the captured EAPoL message to see whether the selected password produces the same MIC as the captured MIC.

Sounds complex? This is why most of this article focused on the background of WPA-PSK. Imagine trying to explain this process without first describing the PMK, PTK, and their relationships to the MIC Key!

To help clarify how all this works, let's look at a step-by-step illustration revealing how a real four-way handshake can lead to a cracked password.

The Crack

First, the assumed and known values:

NOTE

To help us gain an insider's view of the cracking process, I added a few output commands to coWPAtty. The modifications only provide a look at how the program is collecting and manipulating data to produce its calculated MIC value. Nothing was altered that changes the way in which the program functions.

  1. Verification of capture. This part of the program verifies that all the required packets are in the capture file. This objective is accomplished by filtering out all packets that don't include the 802.1x Authentication type flag (0x888E). The remaining packets are then checked to be sure that a complete four-way handshake was captured.
  2. The packets are parsed for all relevant information. The following example lists important parts to be used during the cracking process. Figures are taken from previous Ethereal capture images.
    • Packet 1 (A>S): Provides no real data for the cracking process.
    • Packet 2 (S>A): Provides the SNonce value (green) shown in Figure 5.
      Figure 5

      Figure 5 Packet 2 with SNonce value highlighted.

    • Packet 3 (A>S): Provides the ANonce value (green) and the MAC addresses of both the Authenticator (blue) and Supplicant (red). The MAC addresses could be taken from any one of these packets (see Figure 6).
      Figure 6

      Figure 6 Packet 3 with ANonce value and MAC addresses highlighted.

    • Packet 4: (S>A): Provides the MIC value and EAPoL packet to be used when calculating the test MIC from the generated MIC Key (see Figure 7). Note that the MIC value is added after it's calculated. Until it's added, the data field is filled with 00 bytes.
      Figure 7

      Figure 7 Packet 4 with EAP frame data and MIC value highlighted.

  3. The selected test password is checked to be sure that it's not less than eight or greater than 63 characters, as required by 802.11i.
  4. The PMK is generated from the test password, using the following algorithm: 
    PMK  = pdkdf2_SHA1(passphrase, SSID, SSID length, 4096)
PMK  = pbkdf2_sha1("radiustest","linksys54gh",11,4096)
  5. The PTKs are generated from the PMK, using the following algorithm: 
    <li><p> =  PRF-X(PMK,</p></li>
    Len(PMK), "Pairwise key expansion",
    Min(AA,SA) || Max(AA,SA) || Min(ANonce,SNonce) || Max(ANonce,SNonce))

PTK =  SHA1_PRF(
    9e99 88bd e2cb a743 95c0 289f fda0 7bc4   ;PMK
    1ffa 889a 3309 237a 2240 c934 bcdc 7ddb
    ,32,"Pairwise key expansion",        ;length of PMK & string
    000c 41d2 94fb 000d 3a26 10fb 893e e551   ;MAC and nonce values
    2145 57ff f3c0 76ac 9779 15a2 0607 2703
    8e9b ea9b 6619 a5ba b40f 89c1 dabd c104
    d457 411a ee33 8c00 fa8a 1f32 abfc 6cfb
    7943 60ad ce3a fb5d 159a 51f6,76)

PTK =  ccbf 97a8 2b5c 51a4 4325 a77e 9bc5 7050
    daec 5438 430f 00eb 893d 84d8 b4b4 b5e8
    19f4 dce0 cc5f 2166 e94f db3e af68 eb76
    80f4 e264 6e6d 9e36 260d 89ff bf24 ee7e
  6. A MIC value is calculated, using the MIC Key from the PTK and the EAPoL message: 
    MIC =  HMAC_MD5(MIC Key,
    16,
    802.1x data)

MIC =  HMAC_MD5(
    ccbf 97a8 2b5c 51a4 4325 a77e 9bc5 7050   ;first 16 bytes of PTK
    ,16,                     ;length of PTK
    0103 005f fe01 0900 0000 0000 0000 0000   ;802.1x data
    1400 0000 0000 0000 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    0000 )
MIC =  d0ca 4f2a 783c 4345 b0c0 0a12 ecc1 5f77
  7. The calculated MIC is compared to the captured MIC: 
    Calculated MIC using EAP frame four with "radiustest" is
     d0ca 4f2a 783c 4345 b0c0 0a12 ecc1 5f77

Capture MIC is
     d0ca 4f2a 783c 4345 b0c0 0a12 ecc1 5f77

CALCULATED MICS MATCH!!! Congratulations, the PSK is "radiustest".

Summary

The point of this pair of articles was to provide you with an understanding of how WPA-PSK can be cracked. To do this, we first examined why WPA was created; its variations; how it's used; the algorithms and key technologies included with WPA; and finally how WPA-PSK, combined with a weak password, can expose a wireless network to attackers.

As we've learned, cracking the password is no simple matter. Due to the WPA design, an attacker must have an insider's understanding of how the packets are created and how their data is used to secure a WPA-PSK network (or a tool that does this for the attacker). Our example provided a test using a previously known password. To successfully crack a random network, an attacker must have a large dictionary file, a powerful computer, and a little luck in order to obtain the password. Fortunately, this isn't as easy as it sounds.

© 2024 Pearson Education, Informit. All rights reserved.

800 East 96th Street, Indianapolis, Indiana 46240