Wi-Fi Protected Access (WPA)

With the security vulnerabilities of WEP wireless network implementations having become evident, the 802.11 standards were updated to apply a greater degree of protection to the confidentiality and integrity of wireless networks. This was done with the design of the Wi-Fi Protected Access (WPA) standard, first implemented in the 802.11i standard in 2003. The WPA standard was further updated with WPA2 in 2006, which thereby became the standard for Wi-Fi Protected Access networks. WPA2 has three different versions, each of which uses its own authentication mechanism:

  • WPA-Personal: This type of WPA2 implementation is often found in residential or small-to-medium business settings. WPA2 makes use of a pre-shared key, which is derived from the combination of a passcode and the broadcast Service Set Identifier (SSID) of the wireless network. This passcode is configured by the user and can be anything from 8 to 63 characters in length. The passcode is salted with the SSID and run through 4,096 iterations of the SHA1 hashing algorithm to produce the pre-shared key.
  • WPA-Enterprise: The enterprise version of WPA/WPA2 makes use of a RADIUS authentication server. This allows users and devices to be authenticated individually and greatly reduces the exposure to brute-forcing of pre-shared keys.
  • Wi-Fi Protected Setup (WPS): This is a simpler form of authentication that makes use of a PIN code rather than a passcode or passphrase. Initially developed as an easier way to connect devices to wireless networks, we will see how this implementation can be cracked, revealing both the PIN code and the passcode used in the wireless network implementation.

For our purposes, we will focus on testing the WPA-Personal and WPS implementations. In the case of WPA-Personal, authentication and encryption are handled through the use of a four-way handshake:

  1. The access point transmits a random number to the client, referred to as an ANonce.
  2. The client creates another random number called an SNonce. The SNonce, ANonce, and the passcode the user entered are combined to create what is referred to as a Message Integrity Check (MIC). The MIC and SNonce are sent back to the access point.
  3. The access point performs the same computation with the ANonce, SNonce, and its stored pre-shared key and, if the result matches the MIC it received, authenticates the client. It then sends an encryption key to the client.
  4. The client acknowledges the encryption key.
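The following is an added example, not code from the book, that ties the two preceding points together: it derives the WPA-Personal pre-shared key from a passphrase and SSID exactly as described above (PBKDF2 with 4,096 iterations of HMAC-SHA1), then runs the MIC check of the four-way handshake from both sides so you can see why a captured handshake plus a weak passphrase is enough to recover the key. The PRF and MIC constructions follow the 802.11i definitions for WPA2/CCMP; the MAC addresses, nonces and EAPOL message body are constructed stand-ins rather than captured traffic, and the only real value is the IEEE 802.11 published test vector (passphrase "password", SSID "IEEE").

```python
import hashlib
import hmac

# Label the 802.11i standard uses when expanding the PMK into the PTK.
PRF_LABEL = b"Pairwise key expansion"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal pre-shared key: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4,096 iterations, 256-bit (32-byte) output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... until nbytes of output are available."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes, nbytes: int = 48) -> bytes:
    """Pairwise Transient Key from the PMK, both MAC addresses and both nonces.
    48 bytes is the PTK length for CCMP; its first 16 bytes are the KCK that
    keys the handshake MIC."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, PRF_LABEL, data, nbytes)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 MIC: HMAC-SHA1 keyed with the KCK over the EAPOL-Key frame
    (MIC field zeroed), truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# Constructed sample values (not captured traffic): the two MAC addresses,
# both nonces, and a stand-in for EAPOL-Key message 2 with its MIC zeroed.
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_MSG2 = bytes.fromhex("0103007502010a00") + bytes(100)


def four_way_handshake(ssid: str, ap_passphrase: str, client_passphrase: str):
    """Simulate the check in steps 2 and 3 of the handshake: the client builds
    a MIC from its passphrase and both nonces; the access point recomputes it
    from the PMK it stores and accepts only when the two agree.
    Returns (accepted, client_mic, ap_mic)."""
    # Steps 1-2: AP sends ANonce, client picks SNonce, derives PTK -> KCK -> MIC.
    client_pmk = derive_pmk(client_passphrase, ssid)
    client_kck = derive_ptk(client_pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    client_mic = eapol_mic(client_kck, EAPOL_MSG2)
    # Step 3: AP repeats the derivation with its stored PMK and compares.
    ap_pmk = derive_pmk(ap_passphrase, ssid)
    ap_kck = derive_ptk(ap_pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    ap_mic = eapol_mic(ap_kck, EAPOL_MSG2)
    return hmac.compare_digest(client_mic, ap_mic), client_mic, ap_mic


if __name__ == "__main__":
    # IEEE 802.11 published test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    print(four_way_handshake("IEEE", "password", "password")[0])  # correct passphrase
    print(four_way_handshake("IEEE", "password", "Password")[0])  # wrong passphrase
```

Everything the access point needs to verify the MIC (both MAC addresses, both nonces and the EAPOL frame) is sent in the clear, so the only secret input is the passphrase; each guess costs exactly one 4,096-iteration PBKDF2 derivation, which is why passphrase length and randomness are the whole defence for WPA-Personal. For WPA1/TKIP the same structure applies but the PTK is 64 bytes and the MIC uses HMAC-MD5.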

There are two key vulnerabilities within the WPA-Personal implementation that we will focus on:

  • Weak pre-shared key: In the WPA-Personal implementation, the user is the one who configures the settings on the access point. Often, users will configure the access point with a short, easy-to-remember passcode. As shown previously, we were able to sniff the traffic between an access point and a client. If we are able to capture the four-way handshake, we have all of the information necessary to recover the passcode and then authenticate to the network.
  • WPS: Wi-Fi Protected Setup is a user-friendly way for end users to connect devices to a wireless network through the use of a PIN. Devices such as printers and entertainment devices will often make use of this technology. All a user has to do is push a button on a WPS-enabled access point and the corresponding button on the WPS-enabled device, and a connection can be established. The drawback is that this method of authentication is done through the use of a PIN. This PIN can be reversed, revealing not only the WPS PIN but also the wireless passcode.