In: Computer Science
These questions ONLY relate to the Cracking WPA
What vulnerabilities were demonstrated by using aircrack-ng?
What vulnerabilities were demonstrated by using aircrack-ng in Wireshark?
What would you tell the server administrator to do to mitigate the vulnerability from aircrack-ng?
What would you tell the server administrator to do to mitigate the vulnerability from Wireshark?
1. Aircrack-ng is not a single tool, but rather a suite of tools that can be used to hack a wireless network. In this article, though, it is used to secure a wireless network by discovering its vulnerabilities.
Security in networks is very vital for small as well as large organisations. Not only does it help in maintaining the confidentiality of a clients and employers data, but it is also important for retaining trade secrets to overcome competition. Wireless networks form an important mode of communication as wired networks tend to incur more infrastructure costs. But are wireless networks sufficiently secure? Lets have a look at a common scenario.
Wired Equivalent Privacy (WEP)
This algorithm is based on the RC4 stream cipher and CRC checksum
mechanism to provide confidentiality and integrity. Open System
authentication and Shared Key authentication are the two methods of
authentication used in WEP.
1. Open System authentication: In this case, the WLAN
client need not provide its credentials to the access point during
authentication. Any client can authenticate with the access
point.
2. Shared Key authentication: In this authentication
mechanism as shown in figure 1, the WEP key is used for
authentication in a four-step handshake process:
a. The client sends an authentication request to the access
point.
b. The access point responds to the request with a clear-text
challenge.
c. The client encrypts the challenge-text using the configured WEP
key and sends the encrypted message to the access point.
d. The access point decrypts the response and verifies if the
decrypted text matches the challenge-text. It authenticates the
client if the match is found.
In spite of the mechanisms used, this algorithm has a number of
vulnerabilities and can be easily cracked. Various techniques,
based on brute force attacks and analysis of the IVs
(initialisation vectors), were discovered that led to deprecation
of this algorithm.
Figure 2: WPA technique
Wi-Fi Protected Access (WPA)
WPA is a more secure algorithm that was developed in 2003 to
address a few of the vulnerabilities that existed in WEP. WPA is
mainly based on TKIP (temporal key integrity protocol), which uses
a unique encryption key for each data packet sent over the network.
The pre-shared key (PSK) used in TKIP is a 256-bit entity used for
authentication. Figure 2 gives diagrammatic representation of WPA
algorithm.
WPA is much more secure than WEP. This is because in the case of the latter, every data packet has the same key, which can be easy to find by capturing a sufficient number of packets. In WPA, its difficult to get the key because every data packet has a unique key. But there are also a few loopholes that can be exploited. WPA can be compromised using Denial of Service attacks.
Wi-Fi Protected Access II (WPA2)
WPA2, also known as RSN (robust security network), is the most
recent and highly secure algorithm, which enforces mandatory usage
of the AES (advanced encryption standard). Another significant
security enhancement has been the introduction of CCMP [counter
mode with CBC (cipher block chaining) MAC (message authentication
code) protocol]. CCMP uses AES instead of TKIP as the underlying
encryption mechanism and, hence, prevents various attacks that were
designed based on the RC4 cipher used in TKIP.
After some research, Eve concludes that WPA2 is secure enough to get rid of the kind of attacks Bobs office suffers from and, hence, configures the entire network over WPA2. Yet, even after such heightened countermeasures, Bobs network again gets compromised by some mischievous attackers. Alarmed at the situation, he again contacts Eve for help. During her research, she comes across one such tool that suits her needs. She advises Bob to use Aircrack-ng to internally spot the weak access points and enhance his networks security to avoid future attacks. Since Bob is unaware of the functionality of Aircrack-ng, Eve provides a brief overview.
Aircrack-ng stands for Aircrack new generation and is an advanced network auditing software used for sniffing and cracking wireless networks. It is mainly used for testing the weaknesses of wireless networks by breaking into the network using the WEP and WPA-PSK keys recovered by decrypting the gathered encrypted packets. This tool can be used across Linux as well as Windows platforms, but has limited support in Windows.
The block diagram given in Figure 3 gives a brief description of
the tool.
Bob is determined to patch up the weak links in his network; so he
asks Eve to demonstrate how the tool is used to prevent various
attacks. Eve tells him how to install the tool on the Ubuntu 14.04
platform and then gives the procedure to detect the vulnerable
access points.
2. PSK vulnerability
• In WPA the master key is used to generate transient session keys • With PSK, all devices are configured with the same passphrase (or password) that serves as the master key • Like any other password, the strength of the passphrase determines if it can be guessed using a dictionary attack • Once passphrase is guessed, an attacker can generate transient keys to decrypt all traffic • WPA-PSK and WPA2-PSK (also known as WPA-Personal, WPA2-Personal) are vulnerable to dictionary attack
3.The only way to mitigate attacks against WEP networks was to pretty much re-invent the wheel. In the meanwhile, people started implement some “restrictive” features to only allow “authorized” personnel into the networks. One of these attempts was a simple MAC Filtering technique, while WEPattack was thwarted by the use of WEP 128 and above, people still knew that hackers would get in, so they thought they would add a layer of security by only allowing MAC authorized clients to join to the network. This is a pain to actually manage, and more trouble than what it is really worth since it would take an attacker all but a few extra seconds to change their MAC address to impersonate some client who is already connected, and has authority to use the network.The attacker can now freely impersonate the other person on the network and connect to it freely, MAC filtering proved to do much of nothing at all. The next failed Mitigation technique was “Hiding SSIDs” We’ve all needed to connect to a Hidden SSID in our day, it can be somewhat inconvenient, typing the SSID name and then the password. The problem with this, is that SSIDs were not constructed to be hidden, therefore, one could fire up Wireshark, monitor the air around them, and essentially see what the SSID name is via a client connecting to it who is broadcasting probes.
4
To prevent your systems for being vulnerable to these attacks and improve their security, it is essential to apply one of the following fixes:
Fix #0: Patch your system.
Make sure you apply the latest patches available here or simply run the following command:
$ sudo apt-get dist-upgradeCOPY
Fix #1: Block connections with low MSS using filters.
These filters may break legitimate connections that rely on this setting, so practice caution when applying them.
$ iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROPCOPY
Fix #2: Disable SACK processing
To do this, you have to be a superuser, because regular admin users don’t have the permission to change this value.
$ echo 1 > /proc/sys/net/ipv4/tcp_sack