Time for action – bypassing shared authentication

Bypassing shared authentication is a bit more challenging than the previous exercises, so follow the steps carefully:

  1. Let's first set up shared authentication for our Wireless Lab network. I have done this on my access point by setting the security mode to WEP and Authentication to Shared Key:
    [Screenshot: access point security settings]
  2. Let's now connect a legitimate client to this network using the shared key we set in step 1.
  3. In order to bypass SKA, we will first start sniffing packets between the access point and its clients. However, we would also like to log the entire shared authentication exchange. To do this, we run airodump-ng with the command airodump-ng wlan0mon -c 11 --bssid <mac> -w keystream. The -w option, which is new here, tells airodump-ng to store the captured packets in files whose names are prefixed with the word keystream. Incidentally, it is a good idea to store different capture sessions in different files, so that you can analyze them long after the trace has been collected:
    [Screenshot: airodump-ng output]
  4. We can either wait for a legitimate client to connect to the access point or force a reconnect using the deauthentication technique used previously. Once a client connects and the SKA succeeds, airodump-ng captures this exchange automatically by sniffing the air. An indication that the capture has succeeded is when the AUTH column reads WEP.
  5. The captured keystream is stored in a file prefixed with the word keystream in the current directory. In my case, the name of the file is keystream-01-00-21-91-D2-8E-25.xor.
  6. If this doesn't work, you can use aireplay-ng -4 -h <Connected Device MAC> -a <AP BSSID> wlan0mon to generate an .xor file. This requires a connected device to be on the target WEP-protected network; aireplay-ng then generates packets spoofing that device's MAC address in order to identify the XOR stream and key:
    [Screenshot: aireplay-ng -4 output]
  7. In order to fake an SKA, we will use the aireplay-ng tool. We run the command aireplay-ng -1 0 -e "Wireless Lab" -y keystream-01-00-21-91-D2-8E-25.xor -a <mac> -h AA:AA:AA:AA:AA:AA wlan0mon. This aireplay-ng command uses the keystream we just retrieved and tries to authenticate with the access point that has the SSID Wireless Lab and the MAC address 00:21:91:D2:8E:25, using the arbitrary client MAC address AA:AA:AA:AA:AA:AA.
  8. Fire up Wireshark and sniff all packets of interest by applying the wlan.addr == AA:AA:AA:AA:AA:AA filter. We can verify the exchange using Wireshark. You should see a trace on the Wireshark screen, as shown in the following screenshot:
    [Screenshot: Wireshark trace filtered on the fake client MAC]
  9. The first packet is the authentication request sent by the aireplay-ng tool to the access point:
    [Screenshot: authentication request]
  10. The second packet consists of the access point sending the challenge text to the client, as shown in the following screenshot:
    [Screenshot: challenge text]
  11. In the third packet, the tool sends the encrypted challenge to the access point:
    [Screenshot: encrypted challenge]
  12. As the aireplay-ng tool used the derived keystream for encryption, the authentication succeeds and the access point sends a success message in the fourth packet:
    [Screenshot: authentication success]
  13. After the authentication succeeds, the tool fakes an association with the access point, which succeeds as well. If you check the wireless logs in your access point's administrative interface, you should now see a wireless client with the MAC address AA:AA:AA:AA:AA:AA connected:
    [Screenshot: access point client list]

What just happened?

We were successful in deriving the keystream from a shared authentication exchange, and we used it to fake an authentication to the access point.
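The following is an added worked example, not code from the book or from the aircrack-ng project: a toy model of why the four-packet exchange in steps 9 to 12 leaks the keystream. The WEP key, IV and challenge bytes are constructed lab values, and the model drops the 4-byte ICV that a real WEP frame also encrypts; the point it shows is that the AP reveals the challenge in the clear and the client reveals its encryption, so the keystream (what the .xor file holds) follows by XOR without the key, and any later challenge under the same IV can be answered with it. This is why shared key authentication on WEP gives a network no protection beyond what open authentication gives.

```python
# Added example, not from the book: toy model of WEP shared key authentication.
# Constructed key, IV and challenges; the real exchange also covers a 4-byte ICV.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher WEP is built on."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || key; the IV travels in the clear in the frame."""
    return xor(plaintext, rc4_keystream(iv + wep_key, len(plaintext)))

def recover_keystream(challenge: bytes, encrypted_challenge: bytes) -> bytes:
    """What ends up in the .xor file: the AP sent the challenge in clear (packet 2)
    and the client returned its encryption (packet 3), so XORing the two yields
    the RC4 keystream for that IV. The WEP key itself is never needed."""
    return xor(challenge, encrypted_challenge)

# Constructed lab values (not from any real capture).
WEP_KEY = bytes.fromhex("0102030405")      # 40-bit key known only to AP and legitimate client
IV = bytes.fromhex("0a0b0c")               # 24-bit IV chosen by the legitimate client
CHALLENGE = bytes(range(128))              # challenge the AP sent to the legitimate client
NEW_CHALLENGE = bytes((7 * i + 3) & 0xFF for i in range(128))  # a later challenge

def demo():
    # Legitimate SKA: an eavesdropper sees CHALLENGE, IV and the encrypted response.
    observed_response = wep_encrypt(WEP_KEY, IV, CHALLENGE)
    keystream = recover_keystream(CHALLENGE, observed_response)
    # The AP's own check for a later authentication that reuses the same IV:
    # a reply built from the leaked keystream is exactly what the key would produce.
    reply_from_keystream = xor(NEW_CHALLENGE, keystream)
    ap_expects = wep_encrypt(WEP_KEY, IV, NEW_CHALLENGE)
    return keystream == rc4_keystream(IV + WEP_KEY, 128), reply_from_keystream == ap_expects

if __name__ == "__main__":
    print(demo())  # (True, True): keystream recovered and reply accepted without the key
```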

Have a go hero – filling up the access point's tables

Access points have a maximum client count, after which they start refusing connections. By writing a simple wrapper over aireplay-ng, it is possible to automate and send hundreds of connection requests from random MAC addresses to the access point. This ends up filling the internal tables, and once the maximum client count is reached, the access point stops accepting new connections. This is typically what is called a Denial of Service (DoS) attack; it can force the router to reboot or leave it dysfunctional, disconnecting all the wireless clients and leaving them unable to use the authorized network.

Check whether you can verify this in your lab!
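From the defender's side, the table-filling attack above has an obvious signature: dozens of never-before-seen station MACs sending Authentication frames to one BSSID within a few seconds. The following added example (not code from the book or from the aircrack-ng project) runs a sliding-window check over a constructed log of authentication frames, one line per frame in the assumed format "<epoch seconds> <source MAC> <BSSID> auth", and flags BSSIDs whose distinct-source count within a window exceeds a threshold.

```python
from collections import defaultdict

# Constructed sample log (not real capture data): 60 distinct locally administered
# MACs authenticating to the lab AP within three seconds, plus one ordinary client
# authenticating twice to a second BSSID.
SAMPLE_LOG = [
    f"{1700000000 + i // 20} 02:00:00:00:{i // 256:02x}:{i % 256:02x} 00:21:91:D2:8E:25 auth"
    for i in range(60)
]
SAMPLE_LOG += [
    "1700000000 AA:BB:CC:00:00:01 00:21:91:D2:8E:26 auth",
    "1700000003 AA:BB:CC:00:00:01 00:21:91:D2:8E:26 auth",
]

def parse_line(line: str):
    """Split one assumed-format log line into (timestamp, source MAC, BSSID, frame type)."""
    ts, src, bssid, ftype = line.split()
    return int(ts), src.lower(), bssid.lower(), ftype

def detect_auth_flood(lines, window_s: int = 10, threshold: int = 30) -> dict:
    """Return {bssid: peak distinct sources} for every BSSID that saw at least
    `threshold` distinct source MACs authenticating inside any window_s-second window.
    A real AP rarely sees dozens of new stations authenticate within seconds."""
    per_bssid = defaultdict(list)
    for line in lines:
        ts, src, bssid, ftype = parse_line(line)
        if ftype == "auth":
            per_bssid[bssid].append((ts, src))
    alerts = {}
    for bssid, events in per_bssid.items():
        events.sort()
        peak, lo = 0, 0
        for hi in range(len(events)):
            # Slide the window start forward until it spans at most window_s seconds.
            while events[hi][0] - events[lo][0] > window_s:
                lo += 1
            peak = max(peak, len({src for _, src in events[lo:hi + 1]}))
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts

if __name__ == "__main__":
    print(detect_auth_flood(SAMPLE_LOG))  # {'00:21:91:d2:8e:25': 60}
```

The same check can be fed from a live airodump-ng or Wireshark export once the lines are mapped into the assumed format; the threshold and window should be tuned to the normal authentication rate of the network being monitored.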

Pop quiz – WLAN authentication

Q1. How can you force a wireless client to reconnect to the access point?

  1. By sending a deauthentication packet
  2. By rebooting the client
  3. By rebooting the access point
  4. All of the above

Q2. What does Open Authentication do?

  1. It provides decent security
  2. It provides no security
  3. It requires the use of encryption
  4. None of the above

Q3. How does breaking SKA work?

  1. By deriving the keystream from the packets
  2. By deriving the encryption key
  3. By sending deauthentication packets to the access point
  4. By rebooting the access point