When doing wireless assessments, I end up generating a ton of different scripts for various things that I thought it would be worth sharing. I'm going to try write some of them up. This is the first one on decrypting WPA/2 PSK traffic. The second will cover some tricks/scripts for rogue access-points. If you are keen on learn further techniques or advancing your wifi hacking knowledge/capability as a whole, please check out the course Hacking by Numbers: Unplugged, I'll be teaching at BlackHat Las Vegas soon.
When hackers find a WPA/2 network using a pre-shared key, the first thing they try and do most times, is to capture enough of the 4-way handshake to attempt to brute force the pairwise master key (PMK, or just the pre-shared key PSK). But, this often takes a very long time. If you employ other routes to find the key (say a client-side compromise) that can still take some time. Once you have the key, you can of course associate to the network and perform your layer 2 hackery. However, if you had been capturing traffic from the beginning, you would now be in a position to decrypt that traffic for analysis, rather than having to waste time by only starting your capture now. You can use the airdecap-ng tool from the aircrack-ng suite to do this:
airdecap-ng -b <BSSID of target network> -e <ESSID of target network> -p <WPA passphrase> <input pcap file>
However, because the WPA 4-way handshake generates a unique temporary key (pairwise temporal key PTK) every time a station associates, you need to have captured the two bits of random data shared between the station and the AP (the authenticator nonce and supplicant nonce) for that handshake to be able to initialise your crypto with the same data. What this means, is that if you didn't capture a handshake for the start of a WPA/2 session, then you won't be able to decrypt the traffic, even if you have the key.
So, the trick is to de-auth all users from the AP and start capturing right at the beginning. This can be done quite simply using aireplay-ng:
aireplay-ng --deauth=5 -e <ESSID>
Although, broadcast de-auth's aren't always as successful as a targeted one, where you spoof a directed deauth packet claiming to come from the AP and targeting a specific station. I often use airodump-ng to dump a list of associated stations to a csv file (with --output-format csv), then use some grep/cut-fu to excise their MAC addresses. I then pass that to aireplay-ng with:
cat <list of associated station MACs>.txt | xargs -n1 -I% aireplay-ng --deauth=5 -e <ESSID> -c % mon0
This tends to work a bit better, as I've seen some devices which appear to ignore a broadcast de-auth. This will make sure you capture the handshake so airdecap can decrypt the traffic you capture. Any further legitimate disconnects and re-auths will be captured by you, so you shouldn't need to run the de-auth again.
We had published a network protocol analysis challenge for free entry to our BlackHat 2012 Vegas training courses and received seven correct answers. We'd like to thank those who attempted this challenge and hope that they find it useful.
The winner, Peter Af Geijerstam managed to respond first, with the correct answer. As a result, he wins a free place on any of our Hacking By Numbers courses. Here is a brief solution for it:
If you start by running the client and server binaries provided in the challenge zip file, you'll observe the following output from the client:
And we can see the same challenge (177) and 16-byte response values in the network traffic:
Now, we can summarise the authentication protocol as below and work out our attack strategy:
Client->Server : HELLO Server->Client: R Client->Server: RESP (MD5(R+secret)) Server->Client: OK/Incorrect Response
The attacker had both R and MD5(R+secret) values from the network traffic capture file and he also knew something about the shared secret format (7 alphanumeric excluding uppercase characters). Therefore, he can run a brute force attack on the 16-byte MD5 hash value with a narrowed charset and known message format which would be [abcdefghijklmnopqrstuvwxyz0123456789]. There are several public hash cracking tools which support raw md5 hashes, such as hashcat. we can run hashcat with the following options:
cudaHashcat-plus32.exe --attack-mode 3 --custom-charset1 abcdefghijklmnopqrstuvwxyz0123456789 hash.txt 448?1?1?1?1?1?1?1
It would take about 43 minutes for a NVIDIA GeForce 405 graphic card to recover the shared secret:
And the shared secret value is: bm28lg1. In order to calculate the session key value (kc) we can simply set the R to 448 in authentication server source code instead of the random value and compile it. By running the client binary using the recovered secret key value (bm28lg1), we will get the session key:
And the session key value is : 07e0f7a7cbc2d8b3dba6b7d3b69c3236
I saw a similar solution (in Spanish) on the internet posted here . I also received a question not about the challenge itself, but the source code of the authentication client and why I'v set resp buffer size it to 128 bytes while the client response length is always 21 bytes (basically why I've wasted 107 bytes of 1MB default stack). The answer is that the server not only processes RESP messages from the client, but also need to receive and decrypt MSG messages (which is marked as not implemented in both source codes). MSG messages clearly have a bigger size than 21 bytes and in order to use the same RESP buffer for incoming data, I set its size to 128 bytes which is purely an arbitrary number in this case and should be changed to a more suitable size based on the encryption algorithm's block sizes which are not implemented in the current code.
If you have questions or recommendations regarding this challenge (or similar ones), please drop me an email to the address inside the challenge file.
With data breaches happening almost on a monthly basis these days, everyone is turning to encryption in order to protect their information. Bob, a rather tech-savvy gentleman, works for a FTSE 100 company and they've written their own secure message implementation. You've been tasked to perform a penetration test and noticed that after compromising their shared document server, an internal web application leaked the source code used by the company for the client and the server.
From a cursory glance, Bob is tasked with sending a short message to his office every day over the Internet. The company installed the client software onto his shiny machine and it works by first authenticating him to the server, using a shared secret. The software then allows him to create a message, encrypt it and send it onto the server. As part of the assessment, you've compromised a number of servers and are now in the process of intercepting Bob's network traffic, in order to decrypt his communications.
By observing bob's password history, you've become aware that Bob's secret key length is 7 characters long, and contains alpha-numeric characters with no upper-case letters.
The client has been informed of your progress so far and has categorically stated that this encryption method cannot be broken. We want you to prove this to be incorrect by telling us the shared secret and calculating the encryption key (kc), which is used to decrypt Bob's messages.
The Exfiltrated Files:
The files you will need can be downloaded from here. They include:
The first person to correctly send us the shared secret and encryption key (email/twitter) will win a free pass to any of our BlackHat 2012 training courses and a limited edition anniversary t-shirt. You'll also get to hang out with us at Vegas (worth more than anything we feel!)
Thanks for all the entries, it's great to see people enjoying a good challenge. We do have a winner, once he has confirmed how he did it and what course he would like to attend, we will let you all know.
Widespread use of smart phones by employees to perform work related activities has introduced the idea of using these devices as an authentication token. As an example of such attempts, RSA SecureID software tokens are available for iPhone, Nokia and the Windows platforms. Obviously, mobile phones would not be able to provide the level of tamper-resistance that hardware tokens would, but I was interested to know how easy/hard it could be for a potential attacker to clone RSA SecureID software tokens. I used the Windows version of the RSA SecurID Software Token for Microsoft Windows version 4.10 for my analysis and discovered the following issues:
Device serial number of tokens can be calculated by a remote attacker :
Every instance of the installed SecurID software token application contains a hard drive plug-in (implemented in tokenstoreplugin.dll) that has a unique device serial number. This serial number can be used for "Device Binding" and the RSA documentation defines it as follows:
“Before the software token is issued by RSA Authentication Manager, an additional extension attribute (<DeviceSerialNumber/>) can be added to the software token record to bind the software token to a specific devicedevice serial number is used to bind a token to a specific device. If the same user installs the application on a different computer, the user cannot import software tokens into the application because the hard drive plug-in on the second computer has a different device serial number from the one to which the user's tokens are bound”.Reverse engineering the Hard-Disk plugin (tokenstoreplugin.dll) indicated that the device serial number is dependent on the system's host name and current user's windows security identifier (SID). An attacker, with access to these values, can easily calculate the target token's device serial number and bypass the above mentioned protection. Account SIDs can be enumerated in most of the Microsoft active directory based networks using publicly available tools, if the “enumeration of SAM accounts and shares” security setting was not set to disabled. Host names can be easily resolved using internal DNS or Microsoft RPC. The following figures show the device serial number generation code:
device_serial_number=Left(SHA1(host_name+user_SID+“RSA Copyright 2008”),10)
Token's copy protection:
The software token information, including the secret seed value, is stored in a SQLite version 3 database file named RSASecurIDStorage under the “%USERPROFILE%\Local Settings\Application Data\RSA\RSA SecurID Software Token Library” directory. This file can be viewed by any SQLite database browser, but sensitive information such as the checksum and seed values are encrypted. RSA documentation states that this database file is both encrypted and copy protected: “RSA SecurID Software Token for Windows uses the following data protection mechanisms to tie the token database to a specific computer:
• Binding the database to the computer's primary hard disk drive
• Implementing the Windows Data Protection API (DPAPI)
These mechanisms ensure that an intruder cannot move the token database to another computer and access the tokens. Even if you disable copy protection, the database is still protected by DPAPI.”
The RSASecurIDStorage database file has two tables: PROPERTIES and TOKENS. The DatabaseKey and CryptoChecksum rows found in the PROPERTIES tables were found to be used for copy protection purpose as shown in the figure below:
Reverse engineering of the copy protection mechanism indicated that:
In order to counter the aforementioned issues, I would recommend the use of "trusted platform module" (TPM) bindings, which associates the software token with the TPM chip on the system (TPM chip for mobiles? there are vendors working on it).
This year, for the fourth time, myself and some others here at SensePost have worked together with the team from ITWeb in the planning of their annual Security Summit. A commercial conference is always (I suspect) a delicate balance between the different drivers from business, technology and 'industry', but this year's event is definitely our best effort thus far. ITWeb has more than ever acknowledged the centrality of good, objective content and has worked closely with us as the Technical Committee and their various sponsors to strike the optimal balance. I don't think we have it 100% right yet, and there are some improvements and initiatives that will unfortunately only manifest at next year's event, but this year's program (here and here) is nevertheless first class and comparable with almost anything else I've seen.
<Shameless plug>If you're in South Africa, and you haven't registered, I highly recommend that you do</Shameless plug>This year's Summit explores the idea that trust in CyberSpace is "broken" and that, one for one, all the pillars we relied on to tame the Internet and make it a safe place to do business in, have failed. Basically the event poses the question: "What now"?
We've tried hard to get all our speakers to align in some way with this theme. Sadly, as is often he case, we had fewer submissions from local experts then we hoped, but we were able to round up a pretty killer program, including an VIP list of visiting stars.
After the plenaries each day, the program is divided into themed tracks where talks on a topic are grouped together. Where possible we've tried to include as many different perspectives and opinions as possible. Here's a brief summary of my personal highlights:
Its gonna be excellent. See you there!