WPA Cracking and Kismet/GPS Extras

Posted by William & Re@lity
With WEP conquered it's time to move on to its successor... WPA! The following explains cowpatty usage and some interesting notes on WPA. The end of the post has a primer on using a GPS, Kismet, and gpsdrive.

Equipment


Note: You do not need the exact equipment listed here to try a WPA attack. Any Prism or Atheros card will work for monitoring and deauthenticating.
The equipment I used for the WPA testing is:
- Netgear WG511 (PrismGT)
- Cisco Aironet CB21AG-A-K9 A/B/G card (used wpa_supplicant to authenticate to the access point)
- Netgear WGR614 wireless router (set to channel 8)

Configuration


The Netgear WG511 was set into monitor mode and Ethereal was run to monitor traffic:
ifconfig eth0 up
iwconfig eth0 mode monitor channel 8

The WPA client card was the Cisco card and wpa_supplicant was used.
wpa_supplicant.conf configuration

network={
ssid="Zemfira"
proto=WPA
key_mgmt=WPA-PSK
psk="alsurules"
scan_ssid=1
}
wpa_supplicant command
wpa_supplicant -i ath0 -c /etc/wpa_supplicant.conf -D madwifi
The access point was simply set to WPA-PSK with the passphrase alsurules and put on channel 8.

Interesting Observations


Many of you might have tried to use cowpatty without much success because it gave an error message saying a 4-way handshake was not found. That is because of some strange behavior between the client and access point when initiating WPA authentication for the first time. I set the WG511 card to monitor channel 8, then inserted the Cisco card and ran wpa_supplicant, but would only receive two EAPOL frames instead of the four required by cowpatty. Once the card was authenticated I deauthenticated it with the WG511, and then I got the entire four-way handshake. Only after the card was authenticated and I kicked it off would I get the four-way handshake, so I decided to look into this, and the results were interesting.

When you run wpa_supplicant it looks for the Access Point, but the configuration file does not specify a channel, so an authentication request is sent on each channel until the Access Point responds; then the WPA authentication proceeds, but the initial WPA authentication is spread over a few channels (this is explained below). The Access Point I used would broadcast its presence over a range of 9 channels. Channel 8 was set on the Access Point, but it broadcast beacons on channels 4 through 12, so the initial WPA authentication was spread over that range of channels. In further detail, it seems a predefined range is used by the Access Point, a Netgear WGR614 in this test, to listen for clients: four channels above and four below the main channel are always used.

PLEASE VERIFY THIS ON YOUR ACCESS POINTS.
POST BRAND AND MODEL AND IF THE RANGES ARE CONSISTENT. POST RESULTS IN FORUM.

Example
If channel 8 is used, channels 4, 5, 6, 7, 8, 9, 10, 11, 12 are used (9 channels in all). Notice that it is the four channels above 8 that are used (9, 10, 11, 12) and the four channels below the main channel (4, 5, 6, 7). This is always the case. So if the channel is set to channel 11 then the range would be 6, 7, 8, 9, 10, 11, 12, 13, 14.

This explains why many of you could not get cowpatty to find the complete four-way handshake: it was spread across a range of channels. So the only solution is to deauthenticate an already authenticated station and capture the WPA re-authentication. This works because after the initial WPA authentication the card is set on the Access Point's main channel, which is the channel the WG511 is monitoring, so the problem of the WPA authentication being spread over a range of channels no longer exists.

To test the range of channels your Access Point broadcasts on, set a card into monitor mode and run Ethereal. Change the channel your card monitors, incrementing from channel 1 to channel 14, and record on which channels you see your Access Point broadcasting beacons.

The Attack


The attack consists of running Ethereal with the WG511 to capture traffic on the Access Point's channel. Authenticate a station to your Access Point using wpa_supplicant. I used my WG511 card to monitor and inject traffic; you can use an Atheros card or a Prism card (with wlan-ng drivers) to do the same.

1) Create a deauthentication packet with airforge:
airforge 00:09:5E:3C:80:31 00:23:3A:4F:10:11 deauth.cap
Syntax: airforge [bssid] [dst mac] [packet-name]

With airforge, specify the BSSID, the MAC address of the station you want to deauthenticate, and the name of the packet file.
2) Inject the deauth.cap packet with aireplay:
aireplay -m 26 -u 0 -v 12 -w 0 -x 1 -r deauth.cap eth0
Syntax: aireplay -r [packet] [interface]

Give the name of the packet created with airforge and the interface on which you want to inject, in this case the same one that is monitoring. Let aireplay inject for about 10 seconds, then stop it.

3) In Ethereal, type EAPOL in the display filter dialog; if all goes well you should see four EAPOL packets.
The handshake consists of four specific packets. Expand the 802.1X Authentication tree and then the Key Information subtree. This portion of the packet contains the specific options we are looking for.

The four-way handshake consists of the following four packets. Take note of the Key Information since the values must match the packets you receive.

[Figures: Key Information subtree for Packet One, Packet Two, Packet Three, Packet Four]

Cowpatty uses packets 2 through 4 to attack WPA. Cowpatty identifies the passphrase used to generate the PMK, and packets 2 through 4 provide the necessary info to carry out the attack. Many articles exist on how WPA authenticates, so I will not go into detail here; see http://wifinetnews.com/archives/002452.html for info on the WPA weakness.

Once you have the four required packets, save the packet capture.

4) Using cowpatty to brute-force the passphrase:

cowpatty -f dictionary.txt -r capture.cap -s Zemfira
Syntax: cowpatty -f [dict-file] -r [pcap file] -s [network-ssid]

Specify your dictionary file, then the saved packet capture, and most importantly the SSID of the network. The SSID must be correct; if not, the PMK generation will be off. If all goes well and you have the correct word within your dictionary file, cowpatty will give you the passphrase.
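The deauthentication burst in step 2 followed by the four EAPOL packets in step 3 is also exactly what a wireless monitor should look for. The Python below is an added example, not code from the post or from cowpatty: it classifies EAPOL-Key frames into handshake messages 1 to 4 from the Key Information flags the post tells you to inspect, and flags a burst of deauthentication frames followed by a re-authentication. The frame records and Key Information values are constructed; the addresses are the ones from step 1.

```python
from collections import defaultdict

# Key Information bits of an EAPOL-Key frame (the subtree Ethereal shows under 802.1X Authentication)
KEY_PAIRWISE, KEY_INSTALL, KEY_ACK, KEY_MIC, KEY_SECURE = 1 << 3, 1 << 6, 1 << 7, 1 << 8, 1 << 9

def eapol_message_number(key_info):
    """Map Key Information flags to message 1..4 of the pairwise four-way handshake;
    None for group-key frames or flag combinations that fit no message."""
    if not key_info & KEY_PAIRWISE:
        return None
    ack, mic, install, secure = (bool(key_info & b) for b in (KEY_ACK, KEY_MIC, KEY_INSTALL, KEY_SECURE))
    if ack and not mic:                    # message 1: AP sends ANonce, no MIC yet
        return 1
    if mic and not ack and not install:    # message 2 (SNonce + MIC) or 4 (Secure set)
        return 4 if secure else 2
    if ack and mic and install:            # message 3: install PTK, carries the GTK
        return 3
    return None

def cowpatty_ready(messages):
    return {2, 3, 4} <= set(messages)      # cowpatty needs messages 2 through 4

def analyse(frames, window=10.0, threshold=5):
    """frames: (time, kind, src, dst, key_info) tuples from a monitor-mode capture.
    Returns deauth bursts (src, dst, time) and handshake messages seen per (AP, STA)."""
    recent = defaultdict(list)     # (src, dst) -> deauth timestamps inside the window
    handshakes = defaultdict(set)  # (AP, STA)  -> handshake message numbers seen
    alerts = []
    for t, kind, src, dst, key_info in frames:
        if kind == "deauth":
            times = recent[(src, dst)]
            times.append(t)
            while t - times[0] > window:   # slide the window forward
                times.pop(0)
            if len(times) == threshold:    # alert once, when the threshold is first crossed
                alerts.append((src, dst, t))
        elif kind == "eapol":
            n = eapol_message_number(key_info)
            if n is not None:              # messages 1 and 3 travel AP -> STA, 2 and 4 STA -> AP
                pair = (src, dst) if n in (1, 3) else (dst, src)
                handshakes[pair].add(n)
    return alerts, {pair: sorted(msgs) for pair, msgs in handshakes.items()}

# Constructed sample using the page's BSSID and station addresses: five forged deauths
# in two seconds, the forced re-authentication (typical Key Information values), then a
# group-key frame that must not be mistaken for part of the pairwise handshake.
AP, STA = "00:09:5E:3C:80:31", "00:23:3A:4F:10:11"
SAMPLE_FRAMES = [(0.4 * i, "deauth", AP, STA, None) for i in range(5)] + [
    (3.1, "eapol", AP, STA, 0x008A), (3.2, "eapol", STA, AP, 0x010A), (3.3, "eapol", AP, STA, 0x13CA),
    (3.4, "eapol", STA, AP, 0x030A), (3.5, "eapol", AP, STA, 0x1382)]
```

Running analyse(SAMPLE_FRAMES) reports one deauth burst from the BSSID to the station and messages [1, 2, 3, 4] for that pair, which is the pattern of a forced re-authentication rather than a normal roam.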

Utilizing John the Ripper to Enhance Cowpatty


John can be used to create permutations of the words within a dictionary file to increase the chances of guessing the password with cowpatty. Using John will yield forty-nine permutations per word.

The commands are:
john -w:dictionary.txt -rules -session:johnrestore.dat -stdout:63 | cowpatty -r capture.cap -f - -s Zemfira
Syntax: john -w:[word-file] -rules -session:johnrestore.dat -stdout:63 | cowpatty -r [pcap-file] -f - -s [ssid]
(-f - tells cowpatty to read the word list from standard input, i.e. from John's output.)
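Step 4 says the SSID must be exact because it goes into the PMK generation, and the John section multiplies the words that each get that derivation. As an added example (not cowpatty's or John's code), the Python below derives the WPA-PSK PMK the way IEEE 802.11i defines it and checks itself against the standard's published test vector; the passphrase and SSID are the post's own values, the mis-spelled SSIDs are constructed.

```python
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA-PSK; the main cost of every guess
PMK_LEN = 32               # 256-bit Pairwise Master Key

# Published test vector (IEEE 802.11i Annex H): passphrase "password", SSID "IEEE"
IEEE_TEST_VECTOR = ("password", "IEEE",
                    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32). The SSID is the salt,
    byte for byte, so the PMK for 'Zemfira' has no relation to the one for 'zemfira'."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)

def self_check():
    """True when derive_pmk reproduces the standard's test vector."""
    passphrase, ssid, expected = IEEE_TEST_VECTOR
    return derive_pmk(passphrase, ssid).hex() == expected

def pmk_by_ssid(passphrase, ssids):
    """Hex PMK for each SSID spelling; shows why cowpatty's -s must match exactly."""
    return {s: derive_pmk(passphrase, s).hex() for s in ssids}

if __name__ == "__main__":
    assert self_check()
    # The post's passphrase with the real SSID and two constructed mis-spellings
    for ssid, pmk in pmk_by_ssid("alsurules", ["Zemfira", "zemfira", "Zemfira "]).items():
        print(repr(ssid), pmk)
```

The three PMKs come out completely different, which is why a wrong -s makes every dictionary word fail even when the passphrase is in the list.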

Identifying WPA Networks


To identify WPA networks just run Kismet from the latest Auditor release. Previous versions of Kismet present either a Y for WEP-encrypted networks or an N for non-WEP-encrypted networks, but in the new version of Kismet an O is presented for encrypted networks not using WEP. Simply select the network, press I (the information command) and view the Encrypt: field; if you see WPA then it is a WPA network.

GPS Use with Kismet and gpsdrive


Here is a quick guide to configuring a GPS for use with Kismet and how to configure gpsdrive to use Kismet's GPS info to plot Access Points on its map.
1) Configure your GPS:
Syntax entered is case sensitive!!
- Press ALT+F2 and enter the command
start-gps-daemon
- Enter the GPS device location and baud rate. Valid device locations (ports) are /dev/ttyUSB0 for USB GPS units and /dev/ttySx for serial GPS units, where x is the serial port number. The baud rate on most GPS devices is 4800.
- To confirm you are receiving data, in your shell type telnet localhost 2947, and once you connect press r and Enter. If the device location (port) and baud rate are correct you should see raw GPS data being output. The output will look similar to this:

GPSD,R=1
$PRWIRID,12,01.05,07/29/96,0003,*46
$GPRMC,235247,V,4333.1694,N,10813.0065,W,0.000,0.0,120815,12.3,E*42
$PRWIZCH,00,0,00,0,00,0,00,0,00,0,00,0,00,0,00,0,00,0,00,0,00,0,00,0*4D
2) Configure the SQL database:
Gpsdrive uses a SQL database in conjunction with Kismet to gather the necessary information to plot Access Points on its map.
- Start the mysql service:
/etc/init.d/mysql start
- Go to the /usr/share/doc/gpsdrive directory; within this directory is the create.sql database template. Create the SQL database using the template:
mysql < create.sql
3) Start Kismet and then gpsdrive. In gpsdrive check the Use SQL option on the left tab.
Gpsdrive should begin to plot the Access Points on its map!
Note: Close gpsdrive first before you close Kismet or else gpsdrive will hang!
To delete the database and create a new one, or to back up your database:
  • The mysql database files are within the folder /var/lib/mysql/geoinfo
  • To create a new database, delete the geoinfo directory and proceed through steps 1 through 2 again.
  • To back up, just copy the folder to another directory
~ William & Re@lity

Note: This WPA usage of "multi-channel" broadcasting is an interesting issue.
I would like to assess the behaviour further with other APs, regarding any emerging patterns of channel usage. Particularly interesting is how the AP or client responds when the chosen channels are not available (blocked, etc.). I'd like, eventually, to test & document here MitM/bridging variations that may be possible with WPA. Please post to the forum (http://forum.remote-exploit.org/index.php) any info about your WPA experiments, etc.
Thanks - Re@lity.