Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on...
Transcript of Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on...
![Page 1: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/1.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 1/54
Packin’ the PMKOf the robustness of WPA/WPA2 authentication
Cedric Blancher and Simon Marechal
Computer Security Research LabEADS Innovation Works
Special guestUndisclosed entity ;)
BA-Con - September 30th - October 1st 2008
http://ba-con.com.ar/
![Page 2: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/2.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 2/54
Agenda
1 WPA/WPA2 authentication
2 WPA-PSK assessmentHow does that work ?Theoritical attack costImplementation comparisonsPassphrase strength assessmentLimits of practical attacks
3 WPA-EAP thoughtsEAP authenticationPwning the Master KeyPractical considerations
4 Conclusion
![Page 3: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/3.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 3/54
Introduction
Wi-Fi security...
WEP is crippled and broken
WPA came up to replace it
Now, we have WPA2
Questions
What are WPA and WPA2 good at ?
How long will they stand ?
![Page 4: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/4.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 3/54
Introduction
Wi-Fi security...
WEP is crippled and broken
WPA came up to replace it
Now, we have WPA2
Questions
What are WPA and WPA2 good at ?
How long will they stand ?
![Page 5: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/5.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 4/54
Agenda
1 WPA/WPA2 authentication
2 WPA-PSK assessmentHow does that work ?Theoritical attack costImplementation comparisonsPassphrase strength assessmentLimits of practical attacks
3 WPA-EAP thoughtsEAP authenticationPwning the Master KeyPractical considerations
4 Conclusion
![Page 6: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/6.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 5/54
Authentication modes
Preshared secret (PSK)
EAP
EAP Auth PMK 4 Way Handshake PTK
PSK PBKDF2
Key hierarchy
Authentication leads to Master Key (MK)
Pairwise Master Key (PMK) derived from MK
![Page 7: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/7.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 6/54
One key to rule them all...
From MK come all further keys
Pairwise Master Key
Key exchange keys
Encryption keys
Authentication keys if applicable
KEK
PMK 4 Way Handshake PTK TEK
TMK
Conclusion
Owning the Master Key == Owning everything else
![Page 8: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/8.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 7/54
The Preshared Key option
MK is your PSK
PMK is derived from MK
PMK
PSK PBKDF2
PSK situation
Owning the PSK == Owning MK
![Page 9: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/9.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 8/54
The EAP option
Authentication between client and RADIUS
MK derived from authentication
Client
EAP Auth MK
RADIUS
MK pushed to AP by RADIUS
EAP situation
Owning client+RADIUS == Owning MK
![Page 10: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/10.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 9/54
Agenda
1 WPA/WPA2 authentication
2 WPA-PSK assessmentHow does that work ?Theoritical attack costImplementation comparisonsPassphrase strength assessmentLimits of practical attacks
3 WPA-EAP thoughtsEAP authenticationPwning the Master KeyPractical considerations
4 Conclusion
![Page 11: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/11.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 10/54
Calculating the PMK
The master key (MK)
it is your secret key, password or passphrase
8 to 63 printable ASCII characters (betweencode 32 and 126)
The pairwise master key (PMK)
derives from the master key and AP data usingthe PBKDF2 function
the derivation function is time consuming
![Page 12: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/12.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 11/54
The attack
Retrieving the relevant data
it must be captured during the handshake
it is possible to force this handshake
only works for a single SSID
Testing a master key
1 for every potential MK, compute thecorresponding PMK
2 compute the PTK (four HMAC-SHA1 calls usingPMK and nonces)
3 finally, get the MIC (one HMAC-SHA1 call) andcompare it with the captured handshake
![Page 13: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/13.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 11/54
The attack
Retrieving the relevant data
it must be captured during the handshake
it is possible to force this handshake
only works for a single SSID
Testing a master key
1 for every potential MK, compute thecorresponding PMK
2 compute the PTK (four HMAC-SHA1 calls usingPMK and nonces)
3 finally, get the MIC (one HMAC-SHA1 call) andcompare it with the captured handshake
![Page 14: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/14.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 11/54
The attack
Retrieving the relevant data
it must be captured during the handshake
it is possible to force this handshake
only works for a single SSID
Testing a master key
1 for every potential MK, compute thecorresponding PMK
2 compute the PTK (four HMAC-SHA1 calls usingPMK and nonces)
3 finally, get the MIC (one HMAC-SHA1 call) andcompare it with the captured handshake
![Page 15: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/15.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 11/54
The attack
Retrieving the relevant data
it must be captured during the handshake
it is possible to force this handshake
only works for a single SSID
Testing a master key
1 for every potential MK, compute thecorresponding PMK
2 compute the PTK (four HMAC-SHA1 calls usingPMK and nonces)
3 finally, get the MIC (one HMAC-SHA1 call) andcompare it with the captured handshake
![Page 16: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/16.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 11/54
The attack
Retrieving the relevant data
it must be captured during the handshake
it is possible to force this handshake
only works for a single SSID
Testing a master key
1 for every potential MK, compute thecorresponding PMK
2 compute the PTK (four HMAC-SHA1 calls usingPMK and nonces)
3 finally, get the MIC (one HMAC-SHA1 call) andcompare it with the captured handshake
![Page 17: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/17.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 12/54
The PBKDF2 function
Algorithm of PBKDF2
x1 = HMAC_SHA1(MK, SSID + ’\1’);x2 = HMAC_SHA1(MK, SSID + ’\2’);for(i=1;i<4096;i++) {
x1 = HMAC_SHA1(MK, x1);x2 = HMAC_SHA1(MK, x2);
}return x1 + x2;
Cost
8192 calls to HMAC-SHA1
![Page 18: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/18.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 13/54
The HMAC-SHA1 function
Algorithm for HMAC(secret, value)
put secret in two 64 bytes buffers, Bi and Bo,padding with zeroes
Bisecret0000000000000000000000000000000000000000000000000000000000
Bosecret0000000000000000000000000000000000000000000000000000000000
![Page 19: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/19.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 14/54
The HMAC-SHA1 function
Algorithm for HMAC(secret, value)
XOR Bi with 0x36
XOR Bo with 0x5c
BiESUDSB6666666666666666666666666666666666666666666666666666666666
Bo/9?.9(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
![Page 20: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/20.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 15/54
The HMAC-SHA1 function
Algorithm for HMAC(secret, value)
append value to Bi
BiESUDSB6666666666666666666666666666666666666666666666666666666666value
![Page 21: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/21.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 16/54
The HMAC-SHA1 function
Algorithm for HMAC(secret, value)
append SHA1(Bi) to Bo
Bo/9?.9(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\e7de45e0b885228e9a48a9add37b504eba7fd3c4
![Page 22: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/22.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 17/54
The HMAC-SHA1 function
Algorithm for HMAC(secret, value)
get SHA1(Bo)
330b72d384df41adf440e1d8aeb543ab73eecb8a
Summary
HMAC SHA1(s, v) =SHA1((s ⊕ 0x5c)||SHA1((s ⊕ 0x36)||v))
![Page 23: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/23.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 18/54
The SHA1 function
Description
it is a cryptographic hash function
works on 64 bytes blocks by padding user inputs
produces a 20 bytes digest
the main part of this function is called ”BODY”
other parts have an amortized cost of zero
![Page 24: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/24.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 19/54
The HMAC trick
Reminder
we want SHA1(Bo || SHA1(Bi || value))
What will be computed
BODY(secret ^ 0x5c)
BODY(value + padding)
⇒ hash1
BODY(secret ^ 0x36)
BODY(hash1 + padding)
⇒ result
if the secret isconstant . . .
. . . two BODYcalls could becached
![Page 25: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/25.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 19/54
The HMAC trick
Reminder
we want SHA1(Bo || SHA1(Bi || value))
What will be computed
BODY(secret ^ 0x5c)
BODY(value + padding)
⇒ hash1
BODY(secret ^ 0x36)
BODY(hash1 + padding)
⇒ result
if the secret isconstant . . .
. . . two BODYcalls could becached
![Page 26: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/26.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 19/54
The HMAC trick
Reminder
we want SHA1(Bo || SHA1(Bi || value))
What will be computed
BODY(secret ^ 0x5c)
BODY(value + padding)
⇒ hash1
BODY(secret ^ 0x36)
BODY(hash1 + padding)
⇒ result
if the secret isconstant . . .
. . . two BODYcalls could becached
![Page 27: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/27.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 20/54
The BODY function – initialization
Algorithm
unsigned i n t K [ 8 0 ] ;memcpy (K, i n p u t , 6 4 ) ;a = c t x [ 0 ] ; b = c t x [ 1 ] ; c = c t x [ 2 ] ;d = c t x [ 3 ] ; e = c t x [ 4 ] ;
Operation count
32 bits memory assignments : 22
![Page 28: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/28.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 21/54
The BODY function – input expansion
Expand the input
K[ i ] = K[ i −3] ˆ K[ i −8] ˆK[ i −14] ˆ K[ i −16] ;
K[ i ] = r o t a t e l e f t (K[ i ] , 1 ) ;
Operation count
32 bits memory assignment : 1
elementary operations : 4
done 64 times
![Page 29: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/29.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 22/54
The BODY function – rounds
Algorithm
STEP( v , w, x , y , z ,m, c ) :z += F (w, x , y ) + c + K[m] ;z += r o t a t e l e f t ( v , 1 ) ;w = r o t a t e l e f t (w , 3 0 ) ;
Operation count
32 bits memory assignments : 2
elementary operations : 5 + cost of F
4 rounds of 20 steps
the average F cost is 3.75 operations
![Page 30: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/30.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 23/54
The BODY function – ending
Algorithm
a += c t x [ 0 ] ; b += c t x [ 1 ] ; c += c t x [ 2 ] ;d += c t x [ 3 ] ; e += c t x [ 4 ] ;
Operation count
32 bits memory assignments : 5
elementary operations : 5
![Page 31: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/31.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 24/54
The BODY function – summary
Elementary operations count
initialization : 0
input expansion : 4 times 64
rounds : 8.75 times 80
ending : 5
total : 961
Comparison with MD5
MD5 BODY function : 496
if cracking a single MD5 : 317
![Page 32: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/32.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 25/54
The PBKDF2 function cost
Elementary operations count
it requires 8192 HMAC-SHA1 calls using thesame secrets
that is, 2 + 8192 ∗ 2 calls to SHA1
that means 15.7M elementary operations
![Page 33: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/33.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 26/54
The PBKDF2 function theoritical speed
Hypothesis : perfect processors
memory fetch/stores are free
no penalties
Speeds
for a perfect SSE2 implementation running at3Ghz on a single x86 core, about 500 checks/s
for a perfect native CELL (PS3, 7 SPUs)implementation, about 2,840 checks/s
for a perfect Linux CELL implementation, about2,440 checks/s
![Page 34: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/34.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 27/54
Real world implementations
Aircrack
650 checks/s on Xeon E5405 (4x2Ghz)
650 checks/s on Opteron 2216 (4x2.4Ghz)
”pipe multithreading”, fails on AMD
Pico Computing products
on a LX25 FPGA, 430 checks/s
on a FX60 FPGA, 1,000 checks/s
Pyrit (GPU Project)
around 6,000 checks/s on Tesla C870
![Page 35: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/35.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 28/54
Other cracking methods
WPA-PSK ”rainbow tables”
really PMK lookup tables
precomputation of 1,000,000 passwords for 1000SSIDs
Jason Crawford CELL implementation
”Lockheed Breaks WPA-Encrypted WirelessNetwork With 8 Clustered Sony PlayStations”
why did I bother, it is already broken :/
unknown performance
![Page 36: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/36.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 29/54
Implementation on the cell architecture
CELL benchmark
not a real cracker, just a bench
under Linux, so only 6 SPUs are available
pipeline filled by cracking 16 passwords at thesame time
Result
2,300 checks/s
close to theoritical 2,400 checks/s
expected on CELL
![Page 37: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/37.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 29/54
Implementation on the cell architecture
CELL benchmark
not a real cracker, just a bench
under Linux, so only 6 SPUs are available
pipeline filled by cracking 16 passwords at thesame time
Result
2,300 checks/s
close to theoritical 2,400 checks/s
expected on CELL
![Page 38: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/38.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 30/54
My implementation
NVidia CUDA cracker
(almost) full fledged cracker, needs input from amodified aircrack-ng
CUDA is easy : from no knowledge to this in 4days
Result
4,400 checks/s on a 8800 gts
12,000 checks/s on a gtx280
might not be too hard to do better
roughly equivalent to Pyrit
![Page 39: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/39.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 30/54
My implementation
NVidia CUDA cracker
(almost) full fledged cracker, needs input from amodified aircrack-ng
CUDA is easy : from no knowledge to this in 4days
Result
4,400 checks/s on a 8800 gts
12,000 checks/s on a gtx280
might not be too hard to do better
roughly equivalent to Pyrit
![Page 40: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/40.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 31/54
The best bang for the buck
Raw cost comparisons
Type checks/s cost checks/s/$
LX25 430 385$ 1.1Q6600 800* 190$ 4.2Q9550 900* 325$ 2.77CELL 2300 400$ 5.75
gtx280 12,000 440$ 27.3gtx260 9200* 300$ 30.6
But . . .
speeds marked with a * are not actualbenchmarks, but interpolated results
the CELL costs of 400$ is for a wholePlayStation
![Page 41: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/41.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 32/54
Password strength assessment function
A function F gives the strength s of password p :F (p) = s.
Desirable properties
1 compute F (p) effectively for any given p
2 for a given smax , enumerate and generate allpasswords {p0, p1, . . . pn} whereF (pi ) < smax , 1 ≤ i ≤ n
3 generate the set {pa, pa+1, . . . pb} whereF (pi ) < smax , a ≤ i ≤ b without generating{p0, . . . pa−1}
4 assess the strength on a detailled scale
![Page 42: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/42.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 32/54
Password strength assessment function
A function F gives the strength s of password p :F (p) = s.
Desirable properties
1 compute F (p) effectively for any given p
2 for a given smax , enumerate and generate allpasswords {p0, p1, . . . pn} whereF (pi ) < smax , 1 ≤ i ≤ n
3 generate the set {pa, pa+1, . . . pb} whereF (pi ) < smax , a ≤ i ≤ b without generating{p0, . . . pa−1}
4 assess the strength on a detailled scale
![Page 43: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/43.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 33/54
Well known methods
Dictionnary checks
it is weak if it is in a dictionnary⇒ limited to ”known” passwords
Charset complexity
a strong password contains letters, numbers and atleast three special characters⇒ Weak passwords could still be created
Cracking tests
it is weak if it is cracked in less than 4 hours withjohn on my computer⇒ requires computing ressources compatible with therisk analysis
![Page 44: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/44.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 33/54
Well known methods
Dictionnary checks
it is weak if it is in a dictionnary⇒ limited to ”known” passwords
Charset complexity
a strong password contains letters, numbers and atleast three special characters⇒ Weak passwords could still be created
Cracking tests
it is weak if it is cracked in less than 4 hours withjohn on my computer⇒ requires computing ressources compatible with therisk analysis
![Page 45: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/45.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 33/54
Well known methods
Dictionnary checks
it is weak if it is in a dictionnary⇒ limited to ”known” passwords
Charset complexity
a strong password contains letters, numbers and atleast three special characters⇒ Weak passwords could still be created
Cracking tests
it is weak if it is cracked in less than 4 hours withjohn on my computer⇒ requires computing ressources compatible with therisk analysis
![Page 46: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/46.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 34/54
A better method
Markov chains
the conditional probability distribution of letterLn in a password is a function of the previousletter, Ln−1, written P(Ln|Ln−1)
for example, P(sun) = P(s).P(u|s).P(n|u)
to keep friendly numbers,P ′(x) = −10.log(P(x))
P ′(sun) = P ′(s) + P ′(u|s) + P ′(n|u)
![Page 47: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/47.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 35/54
In practice
It works well
has all the desired properties
cracks more effectively than john -inc (in mytests !)
a patch exists for john
Sample strength
”chall”, strength 100
”chando33”, strength 200
”chaneoH0”, strength 300
”chanlLr%”, strength 400
”chanereaAiO4”, strength 500
”% !”, strength 1097
![Page 48: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/48.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 35/54
In practice
It works well
has all the desired properties
cracks more effectively than john -inc (in mytests !)
a patch exists for john
Sample strength
”chall”, strength 100
”chando33”, strength 200
”chaneoH0”, strength 300
”chanlLr%”, strength 400
”chanereaAiO4”, strength 500
”% !”, strength 1097
![Page 49: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/49.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 36/54
Hypothesis
Attacker strength
Attacker Available time Ressources(GPUs)
Wardriver 15 minutes 1Individual 7 days 2
Large organisation 1 year 1024
Defender strength
worst case scenario : mac user :)
password is 12 characters or less
![Page 50: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/50.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 37/54
Not so good passwords
Statistics source
an Apple themed forum that got owned
clear text passwords published on 4chan
Passwords strength
628,753 passwords
mean strength : 245
median strength : 197
most common passwords ”base” : password,qwerty, apple, letmein
![Page 51: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/51.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 38/54
Strength of crackable passwords
Now
wardriver : 7.2M, markov strength of 169
individual : 14.5G, markov strength of 239
large organisation : 387.8T, markov strength of344
In 10 years, 32 times faster (Moore)
wardriver : 345.6M, markov strength of 202
individual : 464.5G, markov strength of 273
large organisation : 12409T, markov strength of388
![Page 52: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/52.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 39/54
Discovery ratio vs. computing power
100 200 300 400
0%
25%
50%
75%
90%
100%
Cracking capacity
Dis
cove
ryra
tio
Wardriver
IndividualOrganization
10 years projection
![Page 53: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/53.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 39/54
Discovery ratio vs. computing power
100 200 300 400
0%
25%
50%
75%
90%
100%
Cracking capacity
Dis
cove
ryra
tio
Wardriver
IndividualOrganization
10 years projection
![Page 54: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/54.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 39/54
Discovery ratio vs. computing power
100 200 300 400
0%
25%
50%
75%
90%
100%
Cracking capacity
Dis
cove
ryra
tio
Wardriver
IndividualOrganization
10 years projection
![Page 55: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/55.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 40/54
Agenda
1 WPA/WPA2 authentication
2 WPA-PSK assessmentHow does that work ?Theoritical attack costImplementation comparisonsPassphrase strength assessmentLimits of practical attacks
3 WPA-EAP thoughtsEAP authenticationPwning the Master KeyPractical considerations
4 Conclusion
![Page 56: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/56.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 41/54
Usual issues
EAP strength directly linked to good configuration
Good choice in EAP method
Proper RADIUS authentication
In particular...
Strictly verify RADIUS certificate to avoid MiM
![Page 57: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/57.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 42/54
Looking more carefully
AP acts as a relay between client and RADIUS server
AssocReq AP
Station IdReq IdReq RADIUS
EAP Auth.
Direct EAP communication between client andRADIUS
![Page 58: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/58.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 42/54
Looking more carefully
AP acts as a relay between client and RADIUS server
AssocReq AP
Station IdReq IdReq RADIUS
EAP Auth.
Direct EAP communication between client andRADIUS
![Page 59: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/59.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 43/54
What if...
There was an exploitable flaw within EAP ?
Ability to execute arbitrary code
Access to RADIUS database
Access to backend
Etc.
More importantly
Ability to generate RADIUS traffic !
![Page 60: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/60.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 44/54
Of MK transmission
AP notification
When authentication done, RADIUS notifies AP
EAP Success (3) or Failure (4)
MK sent using MS-MPPE-Recv-Key (attribute17)
HMAC-MD5 message (attribute 80)
![Page 61: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/61.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 45/54
Injecting arbitrary MK
Have your shellcode executed
Craft a EAP Success
Put your own MK in MS-MPPE-Recv-Key
Have it sent to AP
Small issue...
You need to compute HMAC-MD5 message
![Page 62: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/62.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 46/54
Bypassing HMAC-MD5
You don’t know RADIUS secret
But you own the server...
Ideas
Read secret from conf/memory
Ask RADIUS to craft packet for you
Product dependant methods
![Page 63: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/63.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 47/54
In practice
Some stuff done or to do
EAP fuzzing (flaws)
EAP fingerprinting (id)
Exploits
Then...
Attacker can have his own MK sent back to AP
![Page 64: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/64.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 48/54
Not quite the end of it...
Still need to perform 4-Way Handshake
Hack a WPA/WPA2 supplicant !
Specific module for wpa supplicant
Step by step
Answer EAP Request from AP
Start EAP dialog to RADIUS
Trigger the vulnerability
Deliver exploit
Grab EAP Success from AP
![Page 65: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/65.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 49/54
When you’re done...
In the end...
Rogue client starts authenticating
Exploits RADIUS server
Gets authenticated with arbitrary MK
Finish WPA/WPA2 dialog with AP
Most importantly...
He can now access the network through Wi-Fi
![Page 66: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/66.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 49/54
When you’re done...
In the end...
Rogue client starts authenticating
Exploits RADIUS server
Gets authenticated with arbitrary MK
Finish WPA/WPA2 dialog with AP
Most importantly...
He can now access the network through Wi-Fi
![Page 67: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/67.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 50/54
Agenda
1 WPA/WPA2 authentication
2 WPA-PSK assessmentHow does that work ?Theoritical attack costImplementation comparisonsPassphrase strength assessmentLimits of practical attacks
3 WPA-EAP thoughtsEAP authenticationPwning the Master KeyPractical considerations
4 Conclusion
![Page 68: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/68.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 51/54
PSK selection
Recommandations
if possible, just use a random 64 bytes value, orone of the safer authentication schemes
passwords not derived from a known word andwith a strength of 400 or more on the Markovscale should be safe for the next years
just use ”chanereaAiO4”, it is safe !
Beware
the cracker might have a better model for hisattacks
”real” sentences might seem safe because theyare long, but are likely to be weak
crypto flaws might be discovered and exploited
![Page 69: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/69.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 51/54
PSK selection
Recommandations
if possible, just use a random 64 bytes value, orone of the safer authentication schemes
passwords not derived from a known word andwith a strength of 400 or more on the Markovscale should be safe for the next years
just use ”chanereaAiO4”, it is safe !
Beware
the cracker might have a better model for hisattacks
”real” sentences might seem safe because theyare long, but are likely to be weak
crypto flaws might be discovered and exploited
![Page 70: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/70.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 52/54
The future of PSK
Automatic key setup
several proprietary solutions, and a standard
automagically sets the network and securitysettings
removes user input, no more bad keys (hopefully)
Wi-Fi Protected Setup
standard from the Wi-Fi Alliance
authenticates the device by
in-band : entering a PIN code, pushing a buttonout-of-band : connecting an USB stick, readingRFIDs
might be attacked during the first association
![Page 71: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/71.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 53/54
EAP considerations
Recommandations
Carefully choose your EAP method
Ensure clients can authenticate RADIUS
Harden your RADIUS box
Proxy authentication to another AAA server
Beware
RADIUS certificate must checked, always
Against your very own CA, only
![Page 72: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/72.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 53/54
EAP considerations
Recommandations
Carefully choose your EAP method
Ensure clients can authenticate RADIUS
Harden your RADIUS box
Proxy authentication to another AAA server
Beware
RADIUS certificate must checked, always
Against your very own CA, only
![Page 73: Packin’ the PMK - Aircrack-ng · Aircrack 650 checks/s on Xeon E5405 (4x2Ghz) 650 checks/s on Opteron 2216 (4x2.4Ghz) "pipe multithreading", fails on AMD Pico Computing products](https://reader034.fdocuments.in/reader034/viewer/2022042105/5e8324f7d0564474aa52b6e8/html5/thumbnails/73.jpg)
Copyright c© 2008 EADS
Packin’ the PMK — Cedric Blancher and Simon Marechal — 54/54
The end...
Thank you all for your attention
Questions ?