Day 11: If you'd like to WPA, press the star key!

Note:
Hey! Before you go through this writeup, try the task first by yourself, and if you get stuck, come back and check out the writeup.
What is WPA?
Wi-Fi Protected Access (WPA) is a security protocol developed to secure wireless networks. Introduced as a successor to the outdated and vulnerable Wired Equivalent Privacy (WEP) standard, WPA offers robust encryption and enhanced security features to protect against unauthorised access and eavesdropping on wireless networks. WPA has evolved through several iterations:
- WPA (2003): Introduced as an interim solution to address WEP vulnerabilities, using the Temporal Key Integrity Protocol (TKIP) for encryption.
- WPA2 (2004): A more secure standard that implemented Advanced Encryption Standard (AES) for encryption.
- WPA3 (2018): The latest iteration, designed to address modern security challenges with features like Simultaneous Authentication of Equals (SAE) for improved password security and forward secrecy.
What is the WPA Handshake?
The WPA handshake is a critical process that occurs when a client (e.g., a laptop or smartphone) connects to a WPA-secured Wi-Fi network. This handshake is part of the authentication and key exchange mechanism to establish a secure connection between the client and the wireless access point (AP).
Here’s how it works in WPA2:
- Initial Connection: The client sends a request to join the wireless network, providing the network’s SSID and pre-shared key (PSK).
- Four-Way Handshake: A four-step process ensures both the client and the AP agree on encryption keys:
- Step 1: The AP generates a random number (nonce) and sends it to the client.
- Step 2: The client generates its own nonce and uses both nonces and the PSK to compute a cryptographic hash (the Pairwise Transient Key, or PTK). It then sends its nonce and a Message Integrity Code (MIC) to the AP.
- Step 3: The AP verifies the client’s hash and responds with its own MIC and an encryption key confirmation.
- Step 4: The client confirms the AP’s response, completing the handshake.
This handshake ensures that both the client and the AP possess the correct credentials and establish a unique encryption key for their session.
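To make the key hierarchy behind those four steps concrete, here is an added Python example (not code from the original writeup, and not from aircrack-ng). It derives the Pairwise Master Key (PMK) from the passphrase and SSID with PBKDF2, then expands it into the session-specific Pairwise Transient Key (PTK) using the nonces from the handshake, as IEEE 802.11i specifies. The SSID and passphrase are constructed placeholders; the MAC addresses are the AP and client addresses used later in this writeup. The point to notice is that the PMK depends only on the passphrase and the SSID, so a captured handshake lets anyone recompute it for each guess offline, which is exactly why the strength of the PSK decides the outcome of the cracking attempt; the nonces only make the PTK unique per session.

```python
import hashlib
import hmac

# Added example (not from the original writeup): the WPA2-PSK key hierarchy.
# Constructed inputs: the SSID and passphrase are placeholders; the MAC
# addresses are the AP and client addresses used in the writeup.


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    The PMK depends only on the passphrase and SSID: every client on the
    network shares it, and a captured handshake lets an observer recompute
    it for each passphrase guess offline. The 4096 rounds slow guessing
    down but do not stop it, hence the need for a strong passphrase.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11i PRF: concatenated HMAC-SHA1 blocks over label||0x00||data||i."""
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)).

    48 bytes is the CCMP (AES) PTK length: KCK(16) || KEK(16) || TK(16).
    The min/max ordering means both sides derive the same key regardless of
    which one supplied which address or nonce.
    """
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, length)


def split_ptk(ptk: bytes) -> dict:
    """KCK keys the handshake MICs (steps 2-4), KEK wraps the group key, TK encrypts data."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


AP_MAC = mac("02:00:00:00:00:00")      # AP BSSID from the writeup
CLIENT_MAC = mac("02:00:00:00:01:00")  # connected station from the writeup
SSID = "ExampleNet"                     # constructed placeholder
PASSPHRASE = "correct horse battery"    # constructed placeholder


def two_sessions() -> dict:
    """Derive keys for two connections of the same client with fresh nonces."""
    pmk = derive_pmk(PASSPHRASE, SSID)
    # Constructed nonces standing in for the random ANonce/SNonce of each handshake.
    ptk1 = derive_ptk(pmk, AP_MAC, CLIENT_MAC, bytes(range(32)), bytes(range(32, 64)))
    ptk2 = derive_ptk(pmk, AP_MAC, CLIENT_MAC, bytes(range(64, 96)), bytes(range(96, 128)))
    return {"pmk": pmk, "ptk1": ptk1, "ptk2": ptk2}


if __name__ == "__main__":
    keys = two_sessions()
    print("PMK (same for every session):", keys["pmk"].hex())
    for name, ptk in (("session 1", keys["ptk1"]), ("session 2", keys["ptk2"])):
        print(name, "TK:", split_ptk(ptk)["TK"].hex())
```

Running it prints one PMK and two different temporal keys: the same passphrase yields the same PMK every time, while each handshake's nonces yield a fresh PTK. The KCK slice is the key the MIC in steps 2 to 4 is computed with, which is what a cracker checks each passphrase guess against.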
Significance in Security:
- The WPA handshake is essential for ensuring data confidentiality and integrity over Wi-Fi networks.
- However, the handshake can be captured by attackers using tools like Wireshark or aircrack-ng, who then attempt to brute-force or crack the PSK offline.
- To mitigate risks, WPA3 introduces stronger protections, such as making handshake brute-forcing significantly more difficult.
Understanding the WPA handshake helps highlight the importance of using strong, complex passwords and keeping network firmware up to date to protect against potential vulnerabilities.
Start the machine and SSH into it.
Q: What is the BSSID of our wireless interface?
A: To get the BSSID of our interface, run
iw dev
The addr field of the output will contain the BSSID.
Q: What is the SSID and BSSID of the access point? Format: SSID, BSSID
A: To find the access point and its SSID and BSSID we need to scan for it. To do that, let's put our Wi-Fi adapter into monitor mode:
sudo ip link set dev wlan2 down
sudo iw dev wlan2 set type monitor
sudo ip link set dev wlan2 up
Now if we check the details of wlan2, we can see that it is in monitor mode.
glitch@wifi:~$ sudo iw dev wlan2 info
Interface wlan2
ifindex 5
wdev 0x200000001
addr 02:00:00:00:02:00
type monitor
wiphy 2
channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
txpower 20.00 dBm
We can start scanning to gather SSID and BSSID information.
sudo airodump-ng wlan2
Q: What is the BSSID of the wireless interface that is already connected to the access point?
A: Run the following command to collect information related to the specified BSSID and store it in a file.
sudo airodump-ng -c 6 --bssid 02:00:00:00:00:00 -w output-file wlan2
This file will be needed for a later question.
Give this command 1 to 5 minutes to gather the needed information.
After some time, the STATION section should show the BSSID (MAC) of the connected device.
Q: What is the PSK after performing the WPA cracking attack?
A: Keep the previous command running, open another terminal and connect to the VM over SSH.
As we saw previously, a user is connected to the access point. To crack the PSK we need to capture the WPA handshake.
To do that we have to kick the user off the network so that they reinitiate a WPA handshake.
We can do this using a Deauth attack.
What is a Deauth attack?
A Deauthentication (Deauth) attack disrupts Wi-Fi connections by exploiting unencrypted management frames in protocols like WPA/WPA2. Attackers send fake deauth frames to disconnect devices from the access point (AP).
Common Uses:
- Denial of Service (DoS): Blocking devices from accessing Wi-Fi.
- Capturing WPA Handshakes: Forcing reauthentication to capture handshakes for password cracking.
- Rogue AP Attacks: Pushing clients to connect to fake APs.
Defence:
Use WPA3, enable Protected Management Frames (PMF), and monitor networks for unusual activity.
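The "monitor networks for unusual activity" part of that defence can be made concrete. The following is an added Python example, not code from the original writeup or from the aircrack-ng project: a small detector that walks a list of 802.11 management frames and raises an alert when one transmitter sends a burst of deauthentication or disassociation frames inside a short window, which is the signature of a spoofed deauth rather than a normal disconnect. The frame list is constructed inline (reusing the AP and client addresses from this writeup); in practice you would feed it from a monitor-mode capture, for example the wlan.fc.type_subtype, wlan.ta and wlan.ra fields that tshark can export. The threshold and window values are assumptions to tune per network.

```python
from collections import defaultdict, deque

# 802.11 management frame subtypes (from the frame control field).
DEAUTH = 12
DISASSOC = 10

# Addresses reused from the writeup: the AP BSSID and the connected client.
AP = "02:00:00:00:00:00"
CLIENT = "02:00:00:00:01:00"

# Constructed sample capture: (seconds, mgmt subtype, transmitter, receiver).
SAMPLE_FRAMES = [
    (0.0, 8, AP, "ff:ff:ff:ff:ff:ff"),   # beacon
    (0.4, 0, CLIENT, AP),                # association request
    (0.5, 1, AP, CLIENT),                # association response
    (12.0, DEAUTH, AP, CLIENT),          # a single deauth (e.g. idle timeout): benign
] + [
    # Eight deauths "from" the AP within a second: a spoofed deauth burst.
    (30.0 + i * 0.1, DEAUTH, AP, CLIENT) for i in range(8)
]


def detect_deauth_bursts(frames, threshold=5, window=10.0):
    """Alert once per transmitter that sends at least `threshold`
    deauth/disassoc frames within any `window`-second span.

    Returns a list of alert dicts with the transmitter, the receiver of the
    frame that crossed the threshold, the count, and the span covered.
    """
    recent = defaultdict(deque)   # transmitter -> timestamps still inside the window
    alerts, alerted = [], set()
    for ts, subtype, src, dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)        # one alert per transmitter, not one per frame
            alerts.append({"transmitter": src, "receiver": dst,
                           "count": len(q), "start": q[0], "end": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"ALERT: {alert['count']} deauth/disassoc frames from "
              f"{alert['transmitter']} to {alert['receiver']} "
              f"between t={alert['start']:.1f}s and t={alert['end']:.1f}s")
```

On the sample data the lone deauth at 12 seconds is ignored while the burst at 30 seconds produces one alert. Note that a transmitter address in a deauth frame is not proof of origin, since these frames are unauthenticated on WPA/WPA2 without PMF; that is why the alert is worded as frames "from" an address rather than as an AP misbehaving, and why enabling PMF (which makes the AP and clients discard unprotected deauth frames) removes the problem rather than merely detecting it.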
We can use aireplay-ng to perform the deauth attack. While airodump-ng is running, open another terminal and run,
sudo aireplay-ng -0 1 -a 02:00:00:00:00:00 -c 02:00:00:00:01:00 wlan2
The -0 flag tells aireplay-ng to perform a deauth attack, and the number 1 indicates how many times, in our case only once. The -a flag indicates the BSSID of the access point and -c indicates the BSSID of the client to deauthenticate.
Head back to the first terminal running airodump-ng. After some time, we will see the WPA handshake shown at the top right of the output as WPA handshake: 02:00:00:00:00:00
This information is being stored in the output file, so we can now stop the capture.
We can now try to crack the captured handshake for the password. For this we use the aircrack-ng command with the provided rockyou.txt wordlist to guess the password.
sudo aircrack-ng -a 2 -b 02:00:00:00:00:00 -w /home/glitch/rockyou.txt output*cap
The -a 2 flag indicates the WPA/WPA2 attack mode. The -b flag indicates the BSSID of the access point, and the -w flag indicates the dictionary list to use for the attack.
After some time, aircrack-ng should say KEY FOUND! [ REDACTED ], and the key is the flag for the question.
Q: If you enjoyed this task, feel free to check out the Networking module.
A: No answer needed!