What’s in a Name?

hello-my-name-is-wifiMost home users select their wireless network name without much thought to the actual name except to make it easy for them to see and connect to. So many people never think that the networks name also known as the Service Set Identifier or SSID could be a security risk. Okay, a security risk may be a reach, but let’s just say some SSIDs are more secure than others, and I will list some dos and don’ts when selecting an SSID.

Before the list lets discuss what makes the SSID important. Hackers need to gather several pieces of information including the SSID to crack a networks WPA/WPA2 password. Hackers have pre-configured tables with this information including common or default SSID names and if you’re using one of these common names you have made their job easier and your network more of a target.

  • Do change the SSID from the factory set default wireless network name.
  • Don’t select a name in top 1000 most common SSIDs. Now this list is very long and at first glance you will notice a lot of factory given default names (dlink, Linksys, 2wire, Netgear, etc…), so as mentioned above change the default name.
  • Don’t use your first or last name, address, phone number, or anything else personal. Broadcasting personal information identifies who owns the network, and may aid the hacker in cracking the wireless password.
  • Do be unique when selecting an SSID, but too much creativity may draw attention to the networks name along with attempts to hack the network. With a maximum of 32 characters you have some creative capabilities, but also think camouflage, so the network name blends in with the other networks in range and does not stand out.
  • Do follow these rules even if your SSID is hidden or not being broadcast. Hidden network SSIDs can very easily be discovered and they are not immune.

The most important thing to learn is to always change the SSID from the default. Having a unique SSID can not only make the hackers job more difficult, but it may signal to the hacker that if the name was changed other settings were changed as well persuading the hacker to look for an easier target.

The To DS and From DS Fields

Currently I’m studying for the Certified Wireless Analysis Professional (CWAP) exam and I’m rereading the study guide and I found the chapters that examined the different fields and elements present in the MAC header most interesting. I had a rough idea, but during my studies learned a great deal more about the unique fields and elements dedicated to wireless that keep the network functioning and help packets get delivered. Two fields of particular interest are the To Distribution System (To DS) and From Distribution System (From DS) and how these fields determine if the frame is leaving or entering the wireless environment.

Distribution System

Just a quick definition of the distribution system and basically the DS is the infrastructure that connects multiple access points together to form an Extended Service Set (ESS). The DS is typically an 802.3 Ethernet wired network, but it doesn’t have to be, and the DS can even be a wireless back haul.

MAC Header & Frame Control Field

Lets now look at the MAC header which can contain four address fields. The number of address fields is a major difference between Ethernet frames, which only use two address fields, and wireless frames that could use as many as four address fields. Each address field is 6 bytes in length to hold a standard 48 bit MAC address, and most wireless frames will only use three of the address fields, and wireless frames being transmitted in a wireless distribution system would be the only frames using all four address fields.

The MAC header contains the Frame Control Field consisting of 11 sub fields (see pic below) including the To DS and From DS fields. The To DS and From DS fields are each 1 bit and can be occupied with a 1 or a 0 and there are four possible combinations using these two fields.

MAC Header

The To DS and From DS fields are important for assessing the packet since the bit combination of these fields identifies if the frame is entering or leaving the wireless environment. The fields can also show if the packet is part of an ad hoc network, or part of a wireless distribution system, and if the frame is a Management or Control frame not intended to leave the wireless environment.

To DS and From DS fields are both 0

The frame is either part of an ad-hoc network or the frame is not intended to leave the wireless environment. The screen shot below shows a Beacon Management frame with a status of not leaving the DS or network (see the highlighted line). Management and Control frames will always have the To DS and From DS fields set to 0 and are never sent to the distribution system network.

An Ad-hoc network connects multiple wireless devices together, and typically does not connect to a wired network, so there is no DS involved or requirement to have the fields set to 1.

beacon

To DS field is 1 and From DS field is 0

The frame is leaving the wireless environment and is intended for a computer on the distribution system network. For example after a wireless station authenticates it will need to obtain an IP address and that request will be forwarded by the AP to the DHCP server that resides on the distribution system network.

To DS field is 0 and From DS field is 1

The packet is entering the wireless environment coming from the DS. The screen shot below shows a Data (Type/Subtype field) frame capture in Wireshark, and the highlighted line shows the To DS and From DS fields along with a status of the frame coming from the DS to the station via the access point.

datatods0fromds1

To DS and From DS fields are both 1

When both the To DS and From DS are set to 1 the packet is involved with a wireless distribution system (WDS) network. WDS networks are used to connect multiple networks together, typically for building-to-building connectivity, or a WDS can connect access points together to from a wireless mesh network.

Address Fields

As mentioned the MAC header can contain four addresses and these addresses can change depending on how the To DS and From DS fields are set. Here is quick reference for how the address fields are set for each To DS and From DS combination.

To DS and From DS are both 0

Address 1 = Destination
Address 2 = Source
Address 3 = BSSID

To DS field is 1 and From DS field is 0

Address 1 = BSSID
Address 2 = Source
Address 3 = Destination

To DS field is 0 and From DS field is 1

Address 1 = Destination
Address 2 = BSSID
Address 3 = Source

To DS and From DS are both 1

Address 1 = Receiver
Address 2 = Transmitter
Address 3 = Destination
Address 4 = Source

 Conclusion

When observing packets in a sniffer or pen testing a wireless network It is important to look at the To DS and From DS fields to verify the direction of flow for the packet and how these fields then relate to the MAC addresses in the header.

Wireshark 802.11 Display Filters

Wireshark 802.11 frame type and subtype display filters to quickly sort packet captures.

displayfilter

Management Frames
Control Frames
Data Frames
Association Request
Association Response
Reassociation Request
Reassociation Response
Probe Request
Probe Response
Beacon
ATIM
Disassociation
Authentication
Deauthentication
Action Frames
Block ACK Request
Block ACK
Power Save Poll
Request to Send
Clear to Send
ACK
CFP End
CFP End ACK
Data + CF ACK
Data + CF Poll
Data + CF ACK + CF Poll
Null Data
Null Data + CF ACK
Null Data + CF Poll
Null Data + CF ACK + CF Poll
QoS Data
QoS Data + CF ACK
QoS Data + CF Poll
QoS Data + CF ACK + CF Poll
Null QoS Data
Null QoS Data + CF Poll
Null QoS Data + CF ACK + CF Poll
wlan.fc.type==0
wlan.fc.type==1
wlan.fc.type==2
wlan.fc.type_subtype==0
wlan.fc.type_subtype==1
wlan.fc.type_subtype==2
wlan.fc.type_subtype==3
wlan.fc.type_subtype==4
wlan.fc.type_subtype==5
wlan.fc.type_subtype==8
wlan.fc.type_subtype==9
wlan.fc.type_subtype==10
wlan.fc.type_subtype==11
wlan.fc.type_subtype==12
wlan.fc.type_subtype==13
wlan.fc.type_subtype==24
wlan.fc.type_subtype==25
wlan.fc.type_subtype==26
wlan.fc.type_subtype==27
wlan.fc.type_subtype==28
wlan.fc.type_subtype==29
wlan.fc.type_subtype==30
wlan.fc.type_subtype==31
wlan.fc.type_subtype==33
wlan.fc.type_subtype==34
wlan.fc.type_subtype==35
wlan.fc.type_subtype==36
wlan.fc.type_subtype==37
wlan.fc.type_subtype==38
wlan.fc.type_subtype==39
wlan.fc.type_subtype==40
wlan.fc.type_subtype==41
wlan.fc.type_subtype==42
wlan.fc.type_subtype==43
wlan.fc.type_subtype==44
wlan.fc.type_subtype==46
wlan.fc.type_subtype==47

How to Fix the SIOCSIFFLAGS Error in Kali Linux

I recently rebuilt my laptop and reloaded the applications I use for pentesting including Virtualbox and Kali Linux. If you need help setting up Kali Linux in Virtualbox here is a great link that walks through the setup process.

Once I had Kali up and running in my virtual environment I plugged in my ALFA wireless adapter and made sure the USB device was running in the virtual environment.

I ran iwconfig to verify the wireless interface.

iwconfig

So far so good and I ran ifconfig to verify the interface was up, but the only interface returned was the loopback.

loopback

After discovering the wireless interface was not up and I ran ifconfig wlan0 up to bring it up and got the SIOCSIFFLAGS error.

siocsifflags

I wrote about this error a while back when I was running Backtrack 5 and I first started using the Fern WiFi Cracker. I decided to expand on that post plus I was asked about creating a script to run all the commands at one time instead of typing them individually. The script should be run every time Kali is booted, but after your adapter is plugged in and recognized.

First open a text editor and type in the script shown in the screen shot below. I prefer the gedit text editor and since that is not loaded in Kali I used Leafpad and coming from the Windows world it reminds me of Notepad.

script

Name the file and save it to the Root directory.

saveas2

Open the Terminal window and do a quick ls command to verify the file is present.

lscommand

To run the script type ./<file name>

filepremissions

You’ll probably get an error message about permissions denied and running the chmod 755 <file name> command will adjust the permissions on the file as needed.

chmodalfa

Rerun the script ./<file name>

runscript

If there are no errors you are good to go and can run ifconfig to verify the wireless interface is up.

ifconfig

I will run the script every time I boot Kali whether or not the interface shows as being up in the ifconfig results.

Trouble shooting wireless issues in Kali Linux can be a frustrating process, but use your Google Fu skills and you’ll find a lot of good links and people offering up advice. Good Luck!

Changing Your MAC Address Using Macchanger

Macchanger is a free utility used to change the MAC address of the network adapter. Macchanger can randomly assign a MAC address or assign a specific MAC address of your choosing.

Usage

There are several instances changing the MAC address is necessary, but I use the utility while pentesting a wireless network with MAC filtering enabled and have to assign an approved MAC address to the wireless adapter.

Install

The Macchanger utility is included with Kali Linux, but to install the application, update it, or verify your using the most up to date version run the following command. In the screen shot that follows the install command confirms that the newest version is already installed.

#apt-get install macchanger

macchangeinstall

Help

Help with Macchanger can be accessed by running the following two commands.

#macchanger --help

#man macchanger

Assign a Random MAC Address

I’m using an Alfa USB wireless adapter and I will run the following commands to verify the adapters interface and the permanent MAC address.

#ifconfig

#ifconfig wlan1

Macchanger can also be used to verify the manufacture burned in MAC address by running the following command.

#macchanger--show wlan1

Change the MAC address using one of the following commands.

#macchanger -r wlan1

#macchanger -A wlan1

Error Message

If you get an error message the MAC address can’t be changed and the adapter is busy take the adapter down and then rerun Macchanger. (Only the OUI portion of the MAC address is shown in the screen shot and the last 3 octets are blocked out)

adapterbusy

#ifconfig wlan1 down 

#macchanger -A wlan1

changemac

Bring the interface back up and verify the MAC address is changed.

#ifconfig wlan1 up 

#macchanger --show wlan1

changemac2

To return the MAC address to the vendor burned in address run the following command. You may have to take the interface down first.

#ifconfig wlan1 down

#macchanger --permanent wlan1

Assign a Specific MAC Address

The following command will assign a specific MAC address.

#macchanger --mac=aa:bb:cc:11:22:33 wlan1

macspec

Using the Macchanger GUI

If you’re not comfortable running commands there is a Macchanger GUI. A couple of commands will have to be run from the terminal window. One to install the Macchanger GUI application and the second to start the GUI application.

#apt-get install macchanger-gtk

#macchanger-gtk

macchangegtk

After the GUI opens select the options to change the MAC address and click the Change MAC button.

As you can see Macchanger is a great utility to change the MAC address and is simple to use and offers a GUI application as well. Let me know any questions in the comments section below or share any commands you find easier to use with Macchanger, or pass along any other utilities you use to change the MAC address.

Thanks for visiting my blog and happy pentesting!

Security Tips for Your Home Wireless Network

October is National Cyber Security Awareness month and this past October there was no shortage of great security awareness articles and advice being posted including tips to secure your home router and wireless network. The tips listed here are nothing new and it is important to know when configuring your home router no one setting can secure the network. Configuring a combination of settings for multiple layers of security will make the network and router secure.

Selecting a Channel

The first tip isn’t so much about security as it is about performance of the wireless network. If you’re not using an 802.11n router look to upgrade and before setting up the router do a quick scan for the other wireless networks in the area and the channels they are using. A free scanning utility from Metageek called InSSIDer for Home can be used to scan the wireless environment. After scanning the environment more than likely what you will find is the 2.4 GHz band and channels are very crowded and interference from these overlapping networks may affect performance of your network. The 5 GHz band will be less crowded and setting up the network to use a channel in this band should result in less interference from neighboring networks and overall better performance.

Screen Shot Courtesy of the Metageek Web Site

Screen Shot Courtesy of the Metageek Web Site

One trade-off is the 5 GHz network will have a smaller coverage footprint compared to the 2.4 GHz network. In some instances, such as in an apartment or condo complex you may want a smaller coverage area and might even adjust the routers power to a lower level to reduce the area of coverage. Again, taking advantage of the InSSIDer application you can test router placement and powers levels. InSSIDer can report the signal strength to find the best location for the router, and this up front surveying and planning will not only help network performance, but should cut down on the support issues.

WPA2 Encryption

Wireless network transmissions essentially have no borders and anyone within range of those transmissions could potentially capture the network traffic. Encryption of the wireless traffic is crucial and using the latest and greatest encryption standard of WPA2 is recommended. It is important to select a completely random passphrase with a minimum of 20 characters for the WPA2 key. You can read my earlier blog post for the importance of using WPA2 encryption and tips on selecting a secure WPA2 passphrase. 

Never Use WEP Encryption

WEP was the original encryption standard for wireless networks and was proven crackable. Numerous utilities freely available on the internet can crack WEP encryption in minutes!

Change the Admin Password

Many, if not all default SOHO (small office home office) router passwords are widely known, or easily found on the internet with a simple search. You can configure every security setting on the router, but leaving the Admin password as the default or selecting something that is easily guessed will defeat all the security you setup. Someone logging into the router can change any setting you have made or worse yet lock you out of your own router or brick the device.

Disable SSID Broadcast

Disabling the broadcast of the network SSID sounds like a great security option and some people think this will completely hide the network, but this is for from true. Anyone with a little knowledge and the right utilities can scan the airwaves and discover the hidden network SSID, so disabling the SSID broadcast should never be relied on as an end all security setting. Always combine the hidden SSID setting with the other settings mentioned to have strength with multiple security layers.

Disable Management of the Router from a Wireless Client

Force clients to be physically plugged into the router with a network cable to log in to the management interface. This setting will  not allow wireless clients to access the routers management interface to make any configuration or security changes.

Apply Firmware Updates to the Router

Every router has internal software called firmware loaded on it that manages the capabilities of the router. The router vendors occasionally release updates to their firmware to either improve functionality or patch vulnerabilities. Checking every so often for firmware updates will guarantee your router has all the latest features and security patches applied.

Conclusion

As mentioned a layered method of security works best to guarantee your router and wireless network is secure as possible. Someone trying to get access to your network would likely move on to an easier target after discovering the multiple layers of security.

For additional security tips be sure to check out the links below. Thanks! Dale

Securing Your Home Network

Security is Your Responsibility When Using Free Wi-Fi

Hotel Customers Want WiFi But Most Ignore the Risks

How Stores Use Your Phone’s WiFi to Track Your Shopping Habits

Cracking WPA using Fern WiFi Cracker

Note: For this demo I’m using a lab environment network that is not routed to the internet. I will be using the Fern WiFi Cracker open source wireless security tool included in the Kali Linux and Backtrack 5 r3 security distros. Before attempting to use Fern or any other utility in Kali or Backtrack please make sure to read the help and MAN pages for a complete description of the program options and switches. This demo is for wireless pentesting educational purposes and to emphasize the insecurities of using a weak or common dictionary word for wireless network authentication and encryption security key or passphrase.

Fern Wi-fi Cracker can crack WEP, WPA, and WPA2 secured wireless networks. Fern basically takes the command line utilities to crack these networks and puts them in a GUI. Very simple to use… scary easy! Fern also provides some extra functionality for hijacking sessions and locating a computers geolocation via its Mac address, but I have not tested with these features.

For this demo I will be using Backtrack 5 r3 running in VMware Workstation on a Win 7 host.

Originally I was using Fern in Kali and ran into some issues with my wireless adapter and with the program freezing or not opening after updating it. I have the fixes I discovered in another blog post for anyone else that may have these same problems.

Router Setup

I’m using an old Cisco/Linksys 802.11g wireless router for this demo and all the settings are defaulted except the security settings, which I set to WPA Personal with a Shared Key passphrase of “password”. The word password should never be used for a real password or passphrase and I’m using it here since I know the Fern program will quickly crack it. In real world situations a WPA/WPA2 passphrase should be completely random and not a common dictionary word. For help on creating a secure WPA/WPA2 passphrase please read my earlier blog post.

wpakey

Setup the Wireless Adapter

Plug in the USB wireless adapter (I’m using the Alfa AWUS036H 802.11b/g USB wireless adapter) and open the Terminal and run iwconfig to verify the USB adapter interface.

iwconfig

On occasions I have had to bring the wireless adapter interface up using the following command.

#ifconfig wlan0 up

Starting the Fern Program

To start Fern from the Terminal type in the following commands

#cd /pentest/wireless/fern-wifi-cracker
#python execute.py

or start Fern via the GUI using the Backtrack menu

Applications/Backtrack/Exploitation Tools/Wireless Exploitation Tools/WLAN Exploitation/fern-wifi-cracker

Using the Fern Program

Select the Interface and Fern enables monitor mode. If your wireless interface does not show in the list hit the Refresh button and try again.

interface

Before starting the scan double-click on any blank area of the Fern home screen to bring up the Access Point Scan Preferences screen. You can set the channel option to scan a single channel or leave it at the default All Channels. One nice feature is to check the Enable XTerms option which will have Fern open up the Terminal windows during its usage to see what the program is doing in the background. Click OK when done.

xterms

Back on the Fern home screen click the Scan for Access points button.

scanaps

Two Terminal windows will open; one showing the WEP enabled networks (no screen shot), and another showing the WPA enabled networks. The top part of the WPA Scan Terminal window shows the networks being found, and the lower part shows any connected client devices. For a WPA attack to work it requires a connected client. The most important part of the attack will kick the client off the wireless network and capture the 4-way handshake when the client device re-authenticates to the network. If the network you want to pentest has no connected client your out of luck!

wpanetworks

On Ferns home screen the networks being detected will start populating next to the WiFi WEP or WiFi WPA buttons. (I have been seeing less and less WEP enabled networks, so that is a good thing!)

networks

Clicking on the WiFi WEP or WiFi WPA button will bring up the Attack screen and the top pane will list the networks found. Select the AP to crack, but before clicking the Attack button to the right let’s go over a couple of settings.

networkwpa

I will use the Regular Attack option, but there is a WPS Attack option and I believe Fern uses the Reaver utility to launch the WPS attack. You can read more about Reaver by clicking here.

Common.txt is the wordlist that comes with the Fern program, but any wordlist you download or have created on your own can be used by hitting the Browse button and pointing Fern to the alternative wordlist file.

wordlist

With the Regular Attack and the wordlist selected hit the Attack button.

attackbutton

Fern will start the attack and on the left side of the screen the attack steps will turn yellow as Fern works through the various steps. The most important step is capturing the 4-way handshake and Fern will open an aireplay-ng Terminal window showing the progress of deauthentication (if XTerms is checked in the preferences) of the connected client.

settings

It may take several attempts to deauth a client and capture the 4-way handshake.

deauth

Once Fern has captured the handshake it will start the bruteforce attack. Viola! If the WPA key is in the wordlist being used it will display the found key in Red.

wpakeyfound

As I mentioned I setup a passphrase I knew would be found quickly, and from start to finish this attack took under 4 minutes!

Back on the Fern main screen is a Key Database button and it now shows one entry.

database

Clicking the Key Database button will display the found keys.

database2

Conclusion

Using a common dictionary word for a WPA or WPA2 passphrase makes it easier to hack with utilities like Fern. The Fern utility is free to download and simple to use, and not everyone is going to use it for legit wireless pentesting purposes.

With possession of the WPA key a person can associate to network and have a gateway to the internet, or they could launch other attacks. For example, with possession of the WPA key the attack could be expanded to include decryption of the data traffic of the legitimate clients on the wireless network.

Thanks for reading and stay wireless secure!

Fern WiFi Cracker Maintenance and Support

Some support issues and other odd things I have researched while using the Fern WiFi Cracker program on Kali Linux and/or Backtrack 5.

Installing Fern

I’m not sure what version of Backtrack started including Fern, but to install the program use the following command.

# apt-get install fern-wifi-cracker

Issue #1: When I started using Fern the program locked up or froze, and updating the program seemed to fix the issue. There are times when the program seems to not respond after clicking on buttons, but after a few seconds it starts working.

After starting Fern look in the lower left corner to see if any updates are available. An internet connection is required to check for and download any updates. Click the update button to download and install the update.

fernupdate

Fern will show the progress.

fernupdate1

Restart of the Fern program.

fernrestart

The Fern program will report no more available updates.

noupdate

Issue #2: After updating Fern the program would not open and running this command fixed the issue. (I only experienced this with Kali and not in any of the Backtrack 5 distros)

#chmod +x /usr/share/fern-wifi-cracker/execute.py

I found the above fix in this discussion thread with a Google search.

Wireless Adapter Issues in Kali

If you’re getting the SIOCSIFFLAGS (see screen shot below) error message when bringing up your wireless adapter run the following commands.

#rmmod rtl8187
#rfkill block all
#rfkill unblock all
#modprobe rtl8187
#rfkill unblock all
#ifconfig wlan0 up

siocsifflags

I discovered that if I shutdown or restart Kali the error does show up again with the next login. You can read more on this post about the error and creating a batch file to run all the commands at the same time.

General Wireless Troubleshooting Help on the Kali Support Site

If you’re having issues with your wireless adapter check the Kali support documentation or do some Google searches. I found a lot of good information on the internet. Good luck and happy pentesting!

Keys, Keys, and Even More Keys!

I thought I had a good understanding of how the WPA/WPA2 encryption key generation process worked, that was, until I read Chapter 5 of the CWSP (Certified Wireless Security Professional) Study Guide. I was definitely amazed and a little confused of what all happens in the background when a client authenticates and the encryption keys are created. Dealing mostly with personal or small office wireless environments I took a special interest in the process to generate the encryption keys in small office home office (SOHO) networks. I’m a firm believer that a strong passphrase is mandatory when using WPA/WPA2 Personal, and part of writing this blog was not only my way to fully understand the encryption key creation process, but at the same time to stress how important it is to select a completely random WPA/WPA2 passphrase. An easily guessed passphrase or a common dictionary word can expose your wireless network and connected devices to hacking or decryption of the data. The passphrase will not only authenticate clients to the access point, but it is also the initial seeding material to create the master keys that are then used to create the transient and temporal keys that encrypt the unicast data frames and broadcast and multicast frames.

Definitions

Let’s start by defining the alphabet soup of letters and give some quick definitions to the important terms being used in the article.

WPA/WPA2 Passphrase: Selected by the network owner and entered as a simple ASCII character string from 8 to 63 characters. The passphrase is configured on the access point and manually entered on the client devices that will join the APs wireless network.

Authenticator: In a SOHO network this will be the access point.

Supplicant: Any device wanting to join an access points service set.

Pre-Shared key (PSK): The result when the passphrase goes through the passphrase to PSK mapping formula.

PMK (Pairwise Master Key): Is the highest order key and derived from the pre-shared key (PSK).

GMK (Group Master Key): Generated by the authenticator (access point) and is the seeding material for the group temporal key.

4-Way Handshake: Uses the pseudo-random function to create and distribute the dynamic encryption keys.

Nonce: A randomly generated value only used once.

PTK (Pairwise Transient Key): Final encryption key used to encrypt unicast data traffic.

GTK (Group Temporal Key): Final encryption key used to encrypt broadcast and multicast traffic.

Selecting the Passphrase

The first step is to choose the passphrase and enter it in the security section of the wireless routers management interface. Notice I did not say select a password! As mentioned before avoid using common dictionary words, and don’t use your name, address, phone number, pet’s names, favorite sports team name, etc… It is recommended to select a completely random passphrase and using a passphrase generator is the best option to select a random passphrase. For help on selecting a highly secure passphrase read my earlier blog post on creating a secure WPA/WPA2 passphrase.

WPA/WPA2 passphrases are static and susceptible to offline dictionary attacks, and it will become very clear why this passphrase be absolutely random for maximum security of the wireless network.

The graphic below shows the encryption key generation process and can be referenced throughout the article.

WPA/WPA2 Encryption Key Generation

WPA/WPA2 Encryption Key Generation

Passphrase to PSK Mapping

Manually enter the passphrase on the client devices that will be joining the wireless network. The passphrase authenticates the device to the APs wireless network, and behind the scenes the passphrase will go through the “passphrase to PSK mapping” function to transform it into the 256-bit Pre-Shared Key (PSK).

Here is the formula to convert a passphrase to the PSK.

PSK = PBKDF2(PassPhrase, ssid, ssidLength, 4096, 256)

The whole point of the passphrase to PSK mapping formula is to simplify configuration for the average home network user. Anyone can remember an 8 to 63 character passphrase compared to a 256-bit PSK.

Master Keys

The PSK will become the Pairwise Master Key (PMK), so basically the PSK is equal to the PMK.

The authenticator (access point) generates the Group Master Key (GMK). The GMK is derived by the authenticator and used to create the Group Temporal Key (GTK). The GTK will be used by the AP and all the authenticated clients to encrypt multicast and broadcast traffic.

4-Way Handshake

The graphic below is from Chapter 5 of the CWSP Study Guide to further explain the 4-way handshake process.

4wayhandshake2

The 4-way handshake is a 4 frame exchange (not including acknowledgements) between the supplicant and the authenticator. Using a pseudo-random function (PRF) the 4-way handshake will create the Pairwise Transient Key (PTK) by combining the PMK, an authenticator nonce, a supplicant nonce, the authenticator’s MAC address (AA), and the supplicant’s MAC address (SPA).

Here is the pseudo-random function formula and below the formula is a brief description for the 4 frames exchanged during the 4-way handshake.

PTK = PRF (PMK + ANonce + SNonce + AA + SPA)

Message 1: The authenticator sends its ANonce to the supplicant. The supplicant now has all the information needed to generate the PTK using the pseudo-random function. The PTK protects the unicast data traffic.

Message 2: The supplicant will send its SNonce to the authenticator. The authenticator now has all the information needed to generate a matching PTK using the pseudo-random function.

Message 3: The authenticator generates the GTK from the GMK and transfers the GTK to the supplicant. The GTK is encrypted using the PTK and a secure exchange takes place. The GTK protects the broadcast and multicast traffic.

Message 4: An acknowledgement that the client has successfully installed the PTK and GTK.

The client is now authenticated and possesses the dynamic encryption keys and can securely send and receive traffic through the access point.

Conclusion

In a SOHO network the passphrase is not only used for keeping unwanted devices from joining the network, but also the seeding material to create the transient and temporal encryption keys. If an attacker obtains the passphrase they could not only join the wireless network, but they could crack the PTK encryption key. If an attacker captures a 4-way handshake exchange between a client and the access point, and with possession of the passphrase the attacker has all the variables needed to duplicate the PTK. With the PTK the attacker can decrypt any unicast encrypted data frames between the individual client and the AP. Passphrase secrecy and having a passphrase that is not susceptible to dictionary cracking methods is vital for the security of any network using WPA/WPA2 Personal.

Extra Security Note: Having one person control the passphrase is probably a harder thing to do in a home network, but in a small office environment ideally one person should know the passphrase and enter it on the devices needing to connect to the wireless network. The less people who know the passphrase the more secure the network will be!

Evil Twin Access Point Attack Explained

Anywhere public Wi-Fi is available is an opportunity for an attacker to use that insecure hot spot to attack unsuspecting victims. One specific Wi-Fi hot spot attack called an “Evil Twin” access point can impersonate any genuine Wi-Fi hot spot. Attackers will make sure their evil twin AP is just like the free hot spot network, and users are then duped when connecting to an evil twin AP and the attacker can execute numerous attacks to take advantage of the unaware victim.

The graphic below shows a typical client connection at a Wi-Fi hot spot. The user searches for the available wireless networks within range and then connects to the public Wi-Fi network. I’m simplifying the process, but the result is the user gets connected to the hot spot network which supplies a gateway to the internet. The user can now surf the web, login to web sites, check email, watch videos or stream music, etc…

Typical Hot Spot Connection

Typical Hot Spot Connection

As the user is enjoying their coffee along with the free Wi-Fi the attacker is busy setting up the evil twin AP. The Attacker is not going to have a bunch of extra hardware, and you won’t see someone with a Netgear router or antennas sticking out every where to draw attention themselves. The attacker will more than likely have a laptop to launch the attack, and they could be in the same physical space or could be launching the attack from their vehicle in the parking lot.

A typical evil twin AP attack is shown in the next graphic, and I will explain the steps in more detail.

Evil Twin AP Attack

Evil Twin AP Attack

I will start with our user, the victim, being connected to the free Wi-Fi hot spot on channel 6. You can refer to the first graphic for the typical hot spot connection.

Step 1: The attacker will set up a software AP on their laptop using free utilities from the internet. This software AP will mimic the hot spot network, and the only difference is the attacker will set up the software AP on a different channel. The software AP is a clone or the “evil twin” of the hot spot network.

Step 2: The attacker will jam the hot spot APs wireless signal. The graphic shows a hardware jamming device that blocks the physical radio frequency. The attacker could use deauthentication frames for an attack of the communication layer, but the result is to break the user’s connection with the hot spot network.

Step 3: The clients laptop, which is always scanning for a better connection (feature of wireless roaming) sees the evil twin AP advertising the same SSID network name as the hot spot network and connects.

Step 4: The attacker will have software running on their laptop to assign an IP address to the victim that just connected to the evil twin AP. Basically every device on the internet is assigned a unique IP address so network traffic is properly routed. An IP address is the equivalent of a street address the postal service uses to deliver mail.

Thrown in the mix the attacker will have a second wireless adapter plugged into their laptop to establish a connection back to the hot spot network and the attacker will bridge the software evil twin AP to the second wireless card. The traffic from any victim connecting to the evil twin AP will route through the attacker’s machine and back out to the hot spot network. The victim has no idea their traffic is now being routed through the attacker’s laptop. With the network traffic routing though the attacker they can search for passwords, credit card numbers, read emails, see the web sites being visited, etc… The attacker can also inject themselves into the middle of the conversation by editing the frames in transit.

There are two different scenarios for an evil twin attack. The first, shown in the graphic above happens when a user is already connected to the legitimate hot spot AP and gets disconnected then reconnects to the attacker’s evil twin AP thinking it is the real hot spot network. The second scenario is the attacker has the evil twin AP set up and the user connects to the fake AP thinking it is a hot spot network provided by a legitimate business. Either way the user ends up connected to the attacker’s evil twin AP.

Now for a double dose of bad news! It is difficult to notice if you’re connecting to an authentic hot spot network or an evil twin AP, and there isn’t a perfect defense against the attack. As mentioned the attacker will attempt to configure the evil twin as a precise copy of the hot spot network so users will not suspect anything is wrong. The best option when using public Wi-Fi is to have a VPN connection. VPN is short for virtual private network and a VPN will create an encrypted tunnel between your device and the VPN server. The encrypted tunnel will secure the traffic and anyone eavesdropping on your traffic or connected in the middle of your conversation can not interpret or interfere with the wireless transmissions. Plenty of companies offer personal VPN services and there is a lot of different plans and fees to choice from.

The next time you’re at the local coffee shop be a little extra observant when connecting to the free Wi-Fi network. If something doesn’t feel right you may want to trust your gut and skip connecting to the hot spot network.

Thanks for stopping by my blog and reading the post. If you’re looking for more security tips when using public Wi-Fi please read my earlier blog post Security Is Your Responsibility When Using Free Wi-Fi.