05. WPA WPA2 Personal (PSK) Authentication

4-Way Handshake

4 EAPOL authentication messages between client & AP:

• PSK = Single Passphrase used for authentication.

  • Shared among all devices and the AP.
  • PSK length betwee 8 and 63 chars

• PMK = Pairwise-Master-Key. Generated by both Client & AP before 4-way handshake.

  • PMK = PBKDF2(HMAC−SHA1, PSK, SSID, 4096, 256)
  • HMAC-SHA1 is the Pseudo Random Function used.
  • 4096 iterations (makes bruteforce time-consuming)
  • PMK is 256-bits

• PTK = Pairwise-Transient-Keys. Generated by both Client & AP during 4-way handshake.

  • PTK = Hash(PMK||ANonce||SNonce||MAC_AP||MAC_Client)
  • PTK is used to encrypt data between client and AP
  • Change at least as every 65535 packets
  • PTK is 64-bits
  • PTK is split as follows:
    • 16 bytes (128 bits) Key Confirmation Key (KCK). Used to compute MIC for integrity.
    • 16 bytes Key Encryption Key(KEK). Used to encrypt additional data from the AP to the clients during the handshake.
    • 16 bytes Temporal Key (TK). Used to encrypt/decrypt messages after the handshake.
    • 8 bytes MIC Authenticator Tx Key (MIC Tx). Used to compute MIC on packets transmitted by AP.
    • 8 bytes MIC Authenticator Rx Key (MIC Rx). Used to compute MIC on packets transmitted by the client.

      . 128 bits -.- 128 bits -.- 128 bits -.- 64 bits -.- 64 bits -
     |    KCK    |     KEK    |     TK     |  MIC Tx   |   MIC Rx  |
    

WPA/WPA2-PSK Cracking

Attack requires the capture of a 4-way handshake. From this handshake, useful information for attacker is:

• SSID of target AP,
• Nonces (transmitted in cleartext),
• MAC addresses (Client & AP),
• Message's MIC computed with a valid PTK (used to verify guess)

Cracking Process:

1. Guess a given Passphrase (PSK)
2. Compute PMK for this Passphrase using: PMK = PBKDF2(HMAC−SHA1, PSK, SSID, 4096, 256)
3. Derivate PTK from the assumed PMK using: PTK = Hash(PMK||ANonce||SNonce||MAC_AP||MAC_Client)
4. Use generated PTK to compute a MIC for packet 2,3 or 4 of the captured handshake
5. If computed MIC = MIC of the captured packet => PSK guess is correct
6. Otherwise, go back to 1 & make a new guess.

Ref: https://cylab.be/blog/32/how-does-wpawpa2-wifi-security-work-and-how-to-crack-it

WPA/WPA2-PSK PMKID Bruteforce Attack

• Do not require any client connected to target AP (no need to send deauth/disassociation packets).
• Only interaction between attacker & AP.
• Lots of modern routers append an optional field at the end of the first EAPOL frame sent by the AP itself when someone is associating, the so called Robust Security Network, which includes something called PMKID.
• PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)
• MAC_AP (BSSID), MAC_STA (Station's MAC) are known. "PMK Name" is constant.

Cracking Process:

1. Guess a given Passphrase (PSK)
2. Compute PMK for this passphrase using: PMK = PBKDF2(HMAC−SHA1, PSK, SSID, 4096, 256)
3. Compute PMKID from the generated PMK using: PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)
4. If computed PMKID = PMKID extracted from first EAPOL frame => PSK guess is correct
5. Otherwise, go back to 1 & make a new guess