Encryption Cracking Tools

By definition, this section is devoted to tools created to break 802.11-specific Layer 2 cryptographic protection. This is by no means limited to cracking WEP. The spread of 802.11i-related wireless security solutions has brought other, different challenges to the hacking community and right now there are tools "in the wild" designed to attack 802.1x authentication. Although these attacks are currently limited to cracking Cisco EAP-LEAP–based authentication systems, there is no doubt that attacks against other EAP types will eventually surface. The most basic form of 802.1x authentication is based on a weak EAP-MD5 method, which can be attacked without using any specific cracking tools. We review such attacks in the next chapter. At the moment, there are no tools designed to attack more secure replacements for WEP, namely TKIP and CCMP. Nevertheless, there are hints that successful attacks against TKIP preshared key (PSK) authentication are possible (see Chapter 8). Even with the "ultrasecure" AES-based CCMP there is always a possibility of dictionary and brute force attacks and the potential for development of cracking tools to launch these attacks. As always, humans ("wetware") remain the weakest link. As to the "good old" practical WEP cracking, now it goes much further than Wepcrack and AirSnort. There are means to accelerate cracking WEP and make even the most idle wireless networks give away their precious WEP keys. The tools, capable of smashing WEP into pieces rather than waiting for enough data to passively crack the key, have existed for quite a while; however, we have yet to see a literature source describing them in detail (apart from the one you are holding in your hands, of course).

Currently, there are four classes of wireless encryption cracking tools:

• WEP crackers

• Tools to retrieve WEP keys stored on the client hosts

• Traffic injection tools accelerating WEP cracking and making network reckon without knowing WEP key possible

• Tools to attack 802.1x authentication systems

Within each class there are different methodologies and approaches, dictating several tools per class in the majority of cases. In the description of these classes, we walk through the properties of each tool to build the knowledge base necessary for constructing the logical framework of penetration test and attack that we outline in Chapters 7 and 8.

WEP Crackers

For a variety of reasons we outlined in Chapter 1, WEP is with us to stay, no matter how good and secure the replacements for WEP are. Just to refresh your memory, a few of these reasons are as follows:

• WEP is easy to set up and any 802.11-compliant system supports it.

• Legacy hardware might not support new security protocols and companies might not want to throw it away after investing millions in acquiring it and setting it up.

• Newer hardware will fall back to the security level of legacy hardware to interoperate.

• Many users and system administrators are security-ignorant or just plain lazy and won't upgrade their firmware and drivers to support more secure replacements for WEP.

• There is more effort and cost involved in setting up newer wireless security systems, forcing users to upgrade and invest in personnel training. Some companies might opt against it for financial or administration reasons.

• Implementing the final 802.11i/WPAv2 CCMP will require a complete hardware upgrade that won't be considered reasonable by many.

• There is still a circulating opinion that WEP is sufficiently secure for small office and home office networks. Unfortunately, there are "security professionals" unfamiliar with the reality who still support this opinion.

For these reasons, attacks against WEP are not obsolete even if WEP is; the tools to run these attacks should be reviewed with a great attention.

AirSnort

The most commonly used WEP cracking tool is AirSnort from the Shmoo group (http://airsnort.shmoo.com; see Figure 6-1).

Figure 6.1. Shmoo group AirSnort in action.

[View full size image]

AirSnort has a very intuitive GTK+ interface and is straightforward to use for both network discovery and WEP cracking. It supports both Prism and Hermes chipset cards with the applied Shmoo patch. AirSnort can dump the logged data in a pcap file format, as well as open and crack pcap-format files collected using other tools like Kismet. This opens a variety of interesting possibilities linked to WEP cracking; for instance, packet collection using a PDA followed by cracking the WEP key on the auditor's desktop that lacks wireless interfaces. Alternatively, you might try to port AirSnort to StrongArm CPU and embedded Linux distributions. The majority of CF 802.11b cards are Prism-based, which should be a great help to anyone trying to port AirSnort to Intimate, OpenZaurus, Familiar, or Embeddix.

Wepcrack

Although AirSnort is the most popular WEP cracking tool that uses the Fluhrer, Mantin, and Shamir (FMS) attack against WEP, Wepcrack was the first tool to implement the theoretical attack described by these famous cryptologists in practice. Wepcrack is a collection of Perl scripts that includes WEPcrack.pl, WeakIVGen.pl, prism-getIV.pl, and prism-decode.pl. Prism-getIV.pl takes a pcap-format file as an input (e.g., perl prism-getIV.pl <Kismet-`date`.dump>) and collects packets with initialization vectors (IVs; see Chapter 11) that match the pattern known to weaken WEP keys. It also dumps the first byte of the encrypted output and places it and the weak IVs in a log file called IVFile.log. IVFile.log is used as an input to crack WEP with WEPcrack.pl. Real-time WEP cracking a la AirSnort using Wepcrack is straightforward:

arhontus:~# tcpdump -i wlan0 -w - | perl prism-getIV.pl

Then edit your crontab (crontab -e) to run perl WEPcrack.pl <IVFile.log> command at the chosen interval (e.g., every three minutes).

To be analyzed by prism-getIV and WEPcrack scripts, the dumped file should be generated using a libpcap library that understands 802.11 frame format. This is not a problem for current versions of libpcap (get it from http://www.tcpdump.org/#current).

Although AirSnort is considered to be a more advanced WEP cracking tool than the Wepcrack scripts, there are several advantages to using Wepcrack:

• It is educational. If you want to know how the FMS attack works, reading the code of Wepcrack scripts is probably the best way to learn about it. In fact, WeakIVGen.pl is included as a proof-of-concept tool that generates a weak IVs file from a given decimal-format WEP key value. Thus, by reading its code you can learn how the weak IVs come about. Also, the prism-decode.pl script demonstrates how pcap() format dump files can be decoded to display the 802.11 header information, which could be useful for anyone developing a 802.11 sniffer in Perl or otherwise (also see Perlskan.pl).

• You can run Wepcrack scripts without X-server and GUIs (similar to the older AirSnort 0.9 version). This has multiple advantages, including preserving CPU cycles, battery power, and endless scripting possibilities.

• It is flexible and enables you to implement possible improvements to the FMS attack and integrate with other wireless security auditing tools, such as Kismet and Wellenreiter.

• You don't care about the card chipset as long as you can put it into the RFMON mode (think of WEP cracking on 802.11a networks, WEP cracking using HostAP drivers, etc.).

• You can run Wepcrack on PDAs as long as Perl is installed. At the same time, no port of AirSnort to Intimate, Familiar, or Embeddix running on StrongArm CPU architecture machines exists at the moment.

Thus, the very first publicly available WEP cracking tool remains very useful and cannot be dismissed by a serious wireless security auditor or enthusiast.

Dweputils

A part of the BSD-airtools suite, Dweputils consist of dwepdump, dwepcrack, and dwepkeygen. Dweputils employ an improved FMS attack as outlined in the H1kari's "Practical Exploitation of RC4 Weaknesses in WEP Environments" article at http://www.dachb0den.com/projects/bsd-airtools/wepexp.txt. Because this chapter is devoted to utilities and not the description of attack methodology, we return to this article and other details of improved WEP attacks in the appropriate section of Chapter 8.

Dwepdump is a prism2dump-like pcap-format file dump utility, specifically written to provide data for dwepcrack and non-FMS brute-forcing attacks against WEP. Current specific features of dwepdump include:

• Logging only weak keys for use with the dwepcrack -w option.

• Ongoing statistics showing how many weak IVs have already been found (n.x -> n:x when x >= 60 you can attempt cracking).

• Ability to specify the maximum packet size, so you only capture small packets. This makes cracking via key space brute-forcing faster.

• You do not need to specify an interface, so that multiple pcap files can be filtered together into a single one. This is useful if you have a lot of standard pcap files dumped with tcpdump, and so on, and want to filter out the weak IVs or converge weak IV dumps for cracking.

• Use of advanced IV filtering methods beyond the standard FMS attack for faster capture time.

Thus, when cracking WEP with dwepcrack, using dwepdump for data collection is preferable to using prism2dump or any other pcap-format file-dumping tools such as tcpdump or Ethereal.

Dwepcrack is a WEP cracking utility created for all kinds of known attacks to determine a WEP key. It implements several techniques in a single package, which lets you run a full test of WEP key security using all currently available methodologies for WEP cracking. In particular, dwepcrack supports the following:

• The optimizations of FMS attack described in the "Practical Exploitation of RC4 Weaknesses in WEP Environments" article

• An ability to crack WEP using both FMS and brute-force attacks

• An ability to brute-force the entire key space and use dictionary lists

• Optimized method of 40-bit keys brute-forcing

• Symmetric multiprocessing support with the -j option

Please note that in the modular dwepcrack source code weakksa.c an improved FMS attack implementation and brute.c WEP brute-forcing implementation are separate. This makes the analysis of the attacks and possible additional modifications easier. Dwepcrack is straightforward to run:

arhontus:~# dwepcrack -h

usage: -j <jobs> -b -e -w -f <fudge> -s <logfile> [wordfile]

   -j: number of processes to run (useful for smp systems)

   -b: brute force key by exhausting all probable possibilities

   -e: search the entire key width (will take a while)

   -w: use weak ksa attack (= modified FMS attack - Authors)

   -f: fudge the probability scope by specified count (might take a while)

   -s: file uses 104-bit wep

For the last option, use dwepstumbler to try and determine WEP key size or you can just assume it is 104-bit; the majority of modern WEP keys are.

Wep_tools

Wep_tools is Mike Newsham's original toolkit for WEP keyspace brute-forcing and dictionary attacks. It is particularly efficient against the original standard 40-bit WEP keys, because it implements a specific attack on a common 40-bit WEP-from-passphrase generation routine. When cracking 128-bit WEP keys with Wep_tools, you are limited to the dictionary attack in practical terms. Wep_tools are straightforward to compile and run on Linux machines:

arhontus:~# ./wep_crack

Usage:  ./wep_crack [-b] [-s] [-k num] packfile [wordfile]

   -b        Bruteforce the key generator

   -s        Crack strong keys

   -k num    Crack only one of the subkeys

             without using a key generator

Wordfile must be specified when -b is not used.

"Packfile" refers to a pcap-format file, wordfile is a Dictionary.txt file, and the "strong keys" option refers to 128(104)-bit WEP (there were times when people considered it to be strong). Please note that you select between the brute-force and dictionary attacks and can't run both simultaneously (with a single wep_crack process anyway). Once the key is obtained, use wep_decrypt utility to decipher the pcap-format traffic dumps:

arhontus:~# ./wep_decrypt

usage:  ./wep_decrypt [-g keystr] [-k hexkeystr] [-s] [infile [outfile]]

   -g keystr       String to derive keys from

   -k hexkeystr    Hex keys, separated by spaces or colons

   -s              Use stronger 128-bit keys

A key must be specified with -g or -k.

By default, wep_decrypt reads from stdin and outputs to stdout. The key to decrypt the file can be specified as a string of hex characters, optionally separated by spaces or colons, or as an ASCII string. If an ASCII string is used, the actual keying material will be generated using the string in the weak fashion (used by older drivers), which creates easy-to-crack 40-bit WEP keys. Because many vendors now mitigate this vulnerability, we do not recommend using an ASCII format key with wep_decrypt.

802.11 Basics: WEP Key Length If you are not familiar with 802.11 networking you might be confused by our mention of 40-bit, 64-bit, 104-bit, and 128-bit WEP keys. Officially the keys are defined as 64-bit and 128-bit and this is the length you are likely to encounter in your vendor manuals for obvious marketing reasons. In reality, the first 24 bits are the IV, and IVs are transmitted in cleartext. Thus, the real shared secret is 40 and 104 bits. In this book the length values mentioned are interchangeable. Please note that the same principle would apply to proprietary WEP implementations with a larger key length. Always check how much of this key space is actually given to the IV (the more, the better).

WepAttack

WepAttack is an open source tool similar to Wep_tools, but with significant improvements. Just like Wep_tools, WepAttack uses brute-forcing or dictionary attacks to find the right key from the encrypted data pcap dump file. However, the project page states that only a single captured WEP-encrypted data packet is required to start an attack. The WepAttack project page is located at Sourceforge (http://sourceforge.net/projects/wepattack/). The full documentation of WepAttack operation theory is available in German from the project page.

WepAttack is very simple to install and use. It requires Zlib and LibPcap libraries that can be found at http://www.gzip.org/zlib/and http://www.tcpdump.org, respectively. After installing the libraries and downloading wepattack sources, you should simply change to src directory and run make. To run the brute-force attack on a Kismet-XXX.dump file using a dictionary file located in /usr/share/dict/british-english-large use the following command:

arhontus:~$./wepattack -f Kismet-XXX.dump -w /usr/share/dict/british-english-large

The output should look similar to this:

Extraction of necessary data was successful!

Founded BSSID:

1)  00 30 BD 9E 50 7C / Key 0

1 network loaded...

Accepting wordlist data...

++++++++++ Packet decrypted! ++++++++++

BSSID: 00 30 BD 9E 50 7C / Key 0   WepKey: 43 30 44 45 31 45 45 37 43 30 47 47 45 

(C0DE1EE7C0FFE)

Encryption: 128 Bit

time: 0.003213 sec      words: 21

The possibility to crack WEP without collecting massive amounts of encrypted data makes the dictionary attacks against 802.11 networks still using WEP a serious threat. An attacker can easily integrate WepAttack with Kismet, running it against the pcap dump file automatically while wardriving. As long as a few encrypted packets can be captured, the network can be attacked using this tool. Thus, a wardriver can collect a few weak WEP keys in addition to the casual network discovery without the need to park nearby and sniff the attacked WLAN for hours.

Tools to Retrieve WEP Keys Stored on the Client Hosts

At the moment the only such tool we are aware of is the LucentRegCrypto utility. Lucent Orinoco Client Manager saves WEP keys in the Windows registry under a crackable encryption and obfuscation. Known examples of where the key might be stored include the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class

\{4D36E972-E325-11CE-BFC1-08002BE10318}\0009\

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class

\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class

\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class

\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006

String Value: Encryption

LucentRegCrypto can be used to encrypt WEP keys to reg value or to decrypt reg value back into a WEP key. If you use Lucent Orinoco Client Manager, employ LucentRegCrypto to check if attackers can obtain the value of your network WEP from a machine to which they might have had temporary physical access or on which they managed to plant a backdoor. Using LucentRegCrypto is straightforward:

>_LucentRegCrypto -e [<secret>] -d [<value>] -f <file name>]

Use the leading slash for hex secret value.

On Linux machines the WEP key is usually stored unencrypted in /etc/pcmcia/wireless.opts:

# Generic example (describe all possible settings)

# Encryption key : 4567-89AB-CD, s:password

    KEY="value"

The security of a key stored in such a way relies exclusively on the wireless.opts file permissions (check them on your system), which is clearly not sufficient. Developing a utility to encrypt the WEP key value in wireless.opts is a useful and a worthwhile task.

Traffic Injection Tools Used to Accelerate WEP Cracking

As you probably know or have already guessed, the more wireless traffic you collect, the higher your chances are of obtaining the correct WEP key and the less time is needed to get it. Nothing stands in the way of rein jecting traffic into the WEP-protected WLAN without even being connected to it. This is because the original implementation of WEP, unlike TKIP and CCMP, does not include any traffic replay protection tools. You'll need to be able to monitor the traffic and reinject WEP-encrypted packets back into the network. To perform this task you will need a card in the RFMON mode, listening to the packets flying by and retransmitting the packets that pass a certain sanity check. That's right, we are going to use a card in a monitor mode to transmit data. A common myth is that 802.11 devices cannot transmit in the RFMON mode. In reality it is possible to transmit in the monitor mode, but you won't be able to ACK the replies coming back. Thus, normal bidirectional communication is impossible. In terms of traffic injection to accelerate WEP cracking or cause a DoS flood attack, ACKing is not important.

A tool specifically designed to reinject traffic for improved WEP cracking efficiency is reinj from the Wnet suite for BSD written by H1kari, an author of BSD-Airtools. We review the complete Wnet suite later in the chapter when dealing with wireless frame-generating tools, as creating custom 802.11 frames is the main function and design purpose of the Wnet library and utilities. Here we briefly review the reinj utility.

When launched, reinj injects ARP requests and TCP ACKs into the attacked WLAN. Both content and length of these packets are known and they generate known encrypted responses (ARP reply or TCP RST) as well. This makes the behavior of the tool very predictable and traffic generation more reliable. Of course there are other highly predictable response-generating packet types to try if a similar technique is being used (e.g. TCP SYNs or DHCP requests).

Reinj is easy to use (reinj <dev> <bssid> <tries> <interval>) and will monitor the responses received in an attempt to determine if the injection technique has worked (i.e., the additional traffic has been generated). If there is no reply, reinj will sniff for a better packet to reinject. Of course, you need to know the BSSID to inject the traffic, so you'll first need to sniff it out.

When reinj detects what it considers to be an ARP or a TCP ACK packet, it attempts to reinject it into a network to generate more traffic. It does this five times in a row to verify the responses, and then starts injecting at the interval you specified in the command line. Of course, the duplicates reinj adds to the WLAN do not weaken the network cryptographically, but the responses these duplicate packets are aimed to initiate do. Thus, when reinj locks on the target and starts forcing the hosts on a WLAN to transmit encrypted data, cracking WEP becomes an easier and less time-consuming task, especially when using an improved FMS attack as implemented by dwepcrack. Even idle wireless networks can be successfully cracked, and (thanks to certain chatty network protocols) we have yet to see an idle WLAN.

A tandem use of BSD-airtools and Wnet reinj makes OpenBSD (under which both tools compile and run) a superb platform for advanced WEP cracking. How about Linux? Unfortunately, there is no known Linux tool implementing an improved dwepcrack-style FMS attack against WEP. As for traffic injection aimed at decreasing WEP key cracking time, you can use WepWedgie, run from a looping shell script, and set to ping the target network on a presumed broadcast address. This should generate enough traffic to saturate the target network until the key is broken. Because WepWedgie is a complex and very advanced tool that does far more than simple traffic duplication and reinjection, it is covered in great detail in a separate section devoted to encrypted traffic injection and its use in penetrating WLANs without knowing the WEP key.

802.1x Cracking Tools

With the advent of 802.1x (the detailed protocol description is provided in Chapters 10 and 13), the appearance of attacks and specific tools targeting this security protocol is inevitable. At the moment 802.1x authentication using Cisco EAP-LEAP takes the heaviest impact from the hacking community. The reason for this is probably the abundance of EAP-LEAP supporting networks due to the widespread use of Cisco wireless equipment and the fact that LEAP, like older EAP-MD5, relies on password and not certificate-based authentication. The main target of attacks against EAP-LEAP is its reliance on MS-CHAPv2 for user authentication. Thus, the attacks against EAP-LEAP are actually attacks against MS-CHAPv2 used in the clear and any other wireless authentication method employing it would be just as vulnerable. The purpose of this chapter is to describe the tools available to the hacking community; thus the peculiarities of the attack against EAP-LEAP (well, MS-CHAPv2) are outlined in Chapter 8. Right now you will learn about two utilities designed to snatch and crack user passwords from the LEAP challenge/response exchange and a simple Perl script for LEAP authentication brute-forcing.

Asleap-imp and Leap

The first tool is Asleap-imp, presented by Joshua Wright at Defcon 11. The "imp" in the tool name stands for improved. At the time of writing, Asleap-imp was not released to the general public, but we expect that as the book comes out it will be widely available.

Asleap-imp consists of two programs. The first program, genkeys, produces a list of MD4 hashes from a password list. The list is built as a "password ^Tab^ hash" table and can be used for dictionary-type attacks against any protocol or password file generated with MD4. The second program, asleap, implements the attack itself in the following sequence:

Because waiting for EAP-LEAP logins can take a lot of time, Asleap-imp bypasses the problem by knocking the authenticated users off the WLAN. To do this, the tool scans through all 802.11 channels, identifies active clients, and sends a spoofed EAP-LEAP Logoff frame to the target. This frame is followed by a spoofed deauthentication frame to disconnect the target host from the wireless network. Thus, a new challenge/response exchange is triggered. This exchange is saved in a pcap-format file to allow password cracking on a different machine (e.g., the auditor's desktop with more CPU power, disk space, and very long password list).

The second tool is leap by DaBubble, Bishop, and Evol. Unlike Asleap-imp, it was released to the general public via the Packetstorm Web site (http://www.packetstormsecurity.org) at the time of writing. The principle behind leap and Asleap-imp action is the same; however, leap lacks documentation and does not automate challenge/response grabbing and host deauthentication and deassociation. Also, you will need to generate the password:hash list yourself. To produce the list, you can modify chaptest.c, which comes with the tool, or use the MD4 reference implementation code (RFC 1320) modified to run against a word list. After the list is produced and challenge/response strings are captured, place them into bfnthash.c at:

//Enter challenge response here

char *challengeResponse = "";

//Enter challenge here

char *challenge  = "";

Two other variables you might want to modify are NUM_HASHES (the maximum amount of hashes to read from the password:hash list, default = 10,000) and the limit of bfnthash threads to run (defaults to < 200). Compile bfnthash, launch it giving the password:hash list file name and the amount of threads to run as an input, and hope that the user password is on the list.

Leapcrack

Both attack tools against 802.1x/EAP-LEAP implement improved and intelligent dictionary attacks against the protocol's authentication mechanism. Plain old EAP-LEAP user password brute-forcing is another option to consider. The tool to accomplish it is Leapcrack written for the BSD operating system. Leapcrack consists of the Francisco Luis Roque network discovery script shown in the BSD tools for wireless network discovery and traffic logging section and another Perl script, anwrap.pl. Anwrap.pl is a wrapper for the ancontrol BSD command, which acts as a dictionary attack tool against LEAP-enabled Cisco-hardware-based wireless networks. The script traverses the supplied user and password lists, attempts the authentication, and logs the results to a file. To run anwrap.pl you need a Cisco Aironet card, a brought-up interface, and an installed libexpect-perl library. Using the script is easy:

arhontus:~# perl anwrap.pl

Usage : anwrap.pl <userfile> <passwordfile> <logfile>

Ron Sweeney <sween@modelm.org>

Brian Barto <brian@bartosoft.com>

Keep in mind that running anwrap.pl against NT networks with implemented lockout policies will severely disrupt the performance of RADIUS authentication.