Grey bar Blue bar
Share this:

Thu, 9 May 2013

Wifi Hacking & WPA/2 PSK traffic decryption

When doing wireless assessments, I end up generating a ton of different scripts for various things that I thought it would be worth sharing. I'm going to try write some of them up. This is the first one on decrypting WPA/2 PSK traffic. The second will cover some tricks/scripts for rogue access-points. If you are keen on learn further techniques or advancing your wifi hacking knowledge/capability as a whole, please check out the course Hacking by Numbers: Unplugged, I'll be teaching at BlackHat Las Vegas soon.


When hackers find a WPA/2 network using a pre-shared key, the first thing they try and do most times, is to capture enough of the 4-way handshake to attempt to brute force the pairwise master key (PMK, or just the pre-shared key PSK). But, this often takes a very long time. If you employ other routes to find the key (say a client-side compromise) that can still take some time. Once you have the key, you can of course associate to the network and perform your layer 2 hackery. However, if you had been capturing traffic from the beginning, you would now be in a position to decrypt that traffic for analysis, rather than having to waste time by only starting your capture now. You can use the airdecap-ng tool from the aircrack-ng suite to do this:


airdecap-ng -b <BSSID of target network> -e <ESSID of target network> -p <WPA passphrase> <input pcap file>


However, because the WPA 4-way handshake generates a unique temporary key (pairwise temporal key PTK) every time a station associates, you need to have captured the two bits of random data shared between the station and the AP (the authenticator nonce and supplicant nonce) for that handshake to be able to initialise your crypto with the same data. What this means, is that if you didn't capture a handshake for the start of a WPA/2 session, then you won't be able to decrypt the traffic, even if you have the key.


So, the trick is to de-auth all users from the AP and start capturing right at the beginning. This can be done quite simply using aireplay-ng:


aireplay-ng --deauth=5 -e <ESSID>

Although, broadcast de-auth's aren't always as successful as a targeted one, where you spoof a directed deauth packet claiming to come from the AP and targeting a specific station. I often use airodump-ng to dump a list of associated stations to a csv file (with --output-format csv), then use some grep/cut-fu to excise their MAC addresses. I then pass that to aireplay-ng with:


cat <list of associated station MACs>.txt | xargs -n1 -I% aireplay-ng --deauth=5 -e <ESSID> -c % mon0

This tends to work a bit better, as I've seen some devices which appear to ignore a broadcast de-auth. This will make sure you capture the handshake so airdecap can decrypt the traffic you capture. Any further legitimate disconnects and re-auths will be captured by you, so you shouldn't need to run the de-auth again.


In summary:


  • Don't forget how useful examining traffic can be, and don't discount that as an option just because it's WPA/2

  • Start capturing as soon as you get near the network, to maximise how much traffic you'll have to examine

  • De-auth all connected clients to make sure you capture their handshakes for decryption


Once again, I'll be teaching a course covering this and other techniques at BlackHat Las Vegas, please check it out or recommend it to others if you think it's worthwhile. We're also running a curriculum of other courses at BH, including a brand new mobile hacking course.

    Mon, 25 Jun 2012

    Solution for the BlackHat Challenge

    We had published a network protocol analysis challenge for free entry to our BlackHat 2012 Vegas training courses and received seven correct answers. We'd like to thank those who attempted this challenge and hope that they find it useful.

    The winner, Peter Af Geijerstam managed to respond first, with the correct answer. As a result, he wins a free place on any of our Hacking By Numbers courses. Here is a brief solution for it:

    If you start by running the client and server binaries provided in the challenge zip file, you'll observe the following output from the client:

    And we can see the same challenge (177) and 16-byte response values in the network traffic:

    So, this indicates that the client and server are running a simple challenge-response authentication protocol with a 3-digit random number (R) as the challenge and a 16-byte response value which should be calculated using the R and the shared secret value. We need to figure out the response calculation formula in order to fully understand this simple authentication protocol. This can be done by reading the provided source code. If the source code was not available then we'd have to use a disassembler, such as IDA Pro, in order to find out the formula. The following code snippet shows a function call to HMAC(char *msg, char *key,byte *mac) to calculate the response value:

    And inside HMAC function we can see calls to Windows CryptoAPI to calculate MD5 hash value of (msg+secret):

    Now, we can summarise the authentication protocol as below and work out our attack strategy:

    Client->Server : HELLO Server->Client: R Client->Server: RESP (MD5(R+secret)) Server->Client: OK/Incorrect Response

    The attacker had both R and MD5(R+secret) values from the network traffic capture file and he also knew something about the shared secret format (7 alphanumeric excluding uppercase characters). Therefore, he can run a brute force attack on the 16-byte MD5 hash value with a narrowed charset and known message format which would be [448][abcdefghijklmnopqrstuvwxyz0123456789]. There are several public hash cracking tools which support raw md5 hashes, such as hashcat. we can run hashcat with the following options:

    cudaHashcat-plus32.exe --attack-mode 3 --custom-charset1 abcdefghijklmnopqrstuvwxyz0123456789 hash.txt 448?1?1?1?1?1?1?1

    It would take about 43 minutes for a NVIDIA GeForce 405 graphic card to recover the shared secret:

    And the shared secret value is: bm28lg1. In order to calculate the session key value (kc) we can simply set the R to 448 in authentication server source code instead of the random value and compile it. By running the client binary using the recovered secret key value (bm28lg1), we will get the session key:

    And the session key value is : 07e0f7a7cbc2d8b3dba6b7d3b69c3236

    I saw a similar solution (in Spanish) on the internet posted here . I also received a question not about the challenge itself, but the source code of the authentication client and why I'v set resp buffer size it to 128 bytes while the client response length is always 21 bytes (basically why I've wasted 107 bytes of 1MB default stack). The answer is that the server not only processes RESP messages from the client, but also need to receive and decrypt MSG messages (which is marked as not implemented in both source codes). MSG messages clearly have a bigger size than 21 bytes and in order to use the same RESP buffer for incoming data, I set its size to 128 bytes which is purely an arbitrary number in this case and should be changed to a more suitable size based on the encryption algorithm's block sizes which are not implemented in the current code.

    If you have questions or recommendations regarding this challenge (or similar ones), please drop me an email to the address inside the challenge file.

    Thu, 21 Jun 2012

    BlackHat Challenge

    This year marks a special anniversary for us at SensePost in that we've been training at BlackHat for over a decade now. To celebrate this, we thought we'd give away a free ticket to any of our courses on offer at this year's BlackHat Briefings in Las Vegas.

    With data breaches happening almost on a monthly basis these days, everyone is turning to encryption in order to protect their information. Bob, a rather tech-savvy gentleman, works for a FTSE 100 company and they've written their own secure message implementation. You've been tasked to perform a penetration test and noticed that after compromising their shared document server, an internal web application leaked the source code used by the company for the client and the server.

    From a cursory glance, Bob is tasked with sending a short message to his office every day over the Internet. The company installed the client software onto his shiny machine and it works by first authenticating him to the server, using a shared secret. The software then allows him to create a message, encrypt it and send it onto the server. As part of the assessment, you've compromised a number of servers and are now in the process of intercepting Bob's network traffic, in order to decrypt his communications.

    By observing bob's password history, you've become aware that Bob's secret key length is 7 characters long, and contains alpha-numeric characters with no upper-case letters.

    The Challenge:

    The client has been informed of your progress so far and has categorically stated that this encryption method cannot be broken. We want you to prove this to be incorrect by telling us the shared secret and calculating the encryption key (kc), which is used to decrypt Bob's messages.

    The Exfiltrated Files:

    The files you will need can be downloaded from here. They include:

    1. The challenge PCAP file - Please note that the PCAP file only contains the authentication protocol traffic and not the encrypted messages.
    2. Obtained client/server source files
    The Rules:

    The first person to correctly send us the shared secret and encryption key (email/twitter) will win a free pass to any of our BlackHat 2012 training courses and a limited edition anniversary t-shirt. You'll also get to hang out with us at Vegas (worth more than anything we feel!)

    Good luck!

    Update:

    Thanks for all the entries, it's great to see people enjoying a good challenge. We do have a winner, once he has confirmed how he did it and what course he would like to attend, we will let you all know.

    Thu, 17 May 2012

    A closer look into the RSA SecureID software token

    Widespread use of smart phones by employees to perform work related activities has introduced the idea of using these devices as an authentication token. As an example of such attempts, RSA SecureID software tokens are available for iPhone, Nokia and the Windows platforms. Obviously, mobile phones would not be able to provide the level of tamper-resistance that hardware tokens would, but I was interested to know how easy/hard it could be for a potential attacker to clone RSA SecureID software tokens. I used the Windows version of the RSA SecurID Software Token for Microsoft Windows version 4.10 for my analysis and discovered the following issues:

    Device serial number of tokens can be calculated by a remote attacker :

    Every instance of the installed SecurID software token application contains a hard drive plug-in (implemented in tokenstoreplugin.dll) that has a unique device serial number. This serial number can be used for "Device Binding" and the RSA documentation defines it as follows:

    Before the software token is issued by RSA Authentication Manager, an additional extension attribute (<DeviceSerialNumber/>) can be added to the software token record to bind the software token to a specific devicedevice serial number is used to bind a token to a specific device. If the same user installs the application on a different computer, the user cannot import software tokens into the application because the hard drive plug-in on the second computer has a different device serial number from the one to which the user's tokens are bound”.
    Reverse engineering the Hard-Disk plugin (tokenstoreplugin.dll) indicated that the device serial number is dependent on the system's host name and current user's windows security identifier (SID). An attacker, with access to these values, can easily calculate the target token's device serial number and bypass the above mentioned protection. Account SIDs can be enumerated in most of the Microsoft active directory based networks using publicly available tools, if the “enumeration of SAM accounts and shares” security setting was not set to disabled. Host names can be easily resolved using internal DNS or Microsoft RPC. The following figures show the device serial number generation code:

    The SecureID device serial number calculation can be represented with the following formula:

    device_serial_number=Left(SHA1(host_name+user_SID+“RSA Copyright 2008”),10)

    Token's copy protection:

    The software token information, including the secret seed value, is stored in a SQLite version 3 database file named RSASecurIDStorage under the “%USERPROFILE%\Local Settings\Application Data\RSA\RSA SecurID Software Token Library” directory. This file can be viewed by any SQLite database browser, but sensitive information such as the checksum and seed values are encrypted. RSA documentation states that this database file is both encrypted and copy protected: “RSA SecurID Software Token for Windows uses the following data protection mechanisms to tie the token database to a specific computer:

    • Binding the database to the computer's primary hard disk drive

    • Implementing the Windows Data Protection API (DPAPI)

    These mechanisms ensure that an intruder cannot move the token database to another computer and access the tokens. Even if you disable copy protection, the database is still protected by DPAPI.”

    The RSASecurIDStorage database file has two tables: PROPERTIES and TOKENS. The DatabaseKey and CryptoChecksum rows found in the PROPERTIES tables were found to be used for copy protection purpose as shown in the figure below:

    Reverse engineering of the copy protection mechanism indicated that:

    • The CryptoChecksum value is encrypted using the machine's master key, which can only be decrypted on the same computer system, unless the attacker can find a way to import the machine key and other supporting data to their machine
    • The DatabaseKey is encrypted using the current logged-on user's master key and provides token binding to that user account
    Previous research on the Microsoft Windows DPAPI internals has made offline decryption of the DPAPI protected data possible. This means that if the attacker was able to copy the RSA token database file along with the encryption master keys to their system (for instance by infecting a victim's machine with a rootkit), then it would be possible to decrypt the token database file on their machine. The detailed attack steps to clone a SecurID software token by copying the token database file from a victim's system are as follows:
    1. Copy the token database file, RSASecurIDStorage, from the user profile directory
    2. Copy the user's master key from %PROFILEDIR%\Application Data\Microsoft\Protect\%SID%; the current master key's GUID can be read from Preferred file as shown in the figure below:
    3. Copy the machine's master key from the %WINDIR%\system32\Microsoft\Protect\ directory. Microsoft Windows protects machine keys against tampering by using SHA1 hash values, which are stored and handled by the Local Security Authority Subsystem Service (LSASS) process in Microsoft Windows operating systems. The attacker should also dump these hash values from LSA using publicly available tools like lsadump.
    4. Having all the required master keys and token database file, install and deploy a windows machine and change the machine and user SIDs to the victim's system SID by using available tools such as newSID.
    5. Overwrite the token database file, user and machine master keys with the ones copied from victim's system. You would also need to find a way to update the DPAPI_SYSTEM value in LSA secrets of the Windows machine. Currently, this is the only challenge that I was not able to solve , but it should be possible to write a tool similar to lsadump which updates LSA secrets.
    6. When the above has been performed, you should have successfully cloned the victim's software token and if they run the SecurID software token program on your computer, it will generate the exact same random numbers that are displayed on the victim's token.
    In order to demonstrate the possibility of the above mentioned attack, I installed and activated token A and token B on two separate windows XP virtual machines and attempted to clone token B on the virtual machine that was running token A. Taking the above steps, token B was successfully cloned on the machine running token A as shown in the following figures:

    In order to counter the aforementioned issues, I would recommend the use of "trusted platform module" (TPM) bindings, which associates the software token with the TPM chip on the system (TPM chip for mobiles? there are vendors working on it).

    Wed, 9 May 2012

    ITWeb Security Summit 2012

    This year, for the fourth time, myself and some others here at SensePost have worked together with the team from ITWeb in the planning of their annual Security Summit. A commercial conference is always (I suspect) a delicate balance between the different drivers from business, technology and 'industry', but this year's event is definitely our best effort thus far. ITWeb has more than ever acknowledged the centrality of good, objective content and has worked closely with us as the Technical Committee and their various sponsors to strike the optimal balance. I don't think we have it 100% right yet, and there are some improvements and initiatives that will unfortunately only manifest at next year's event, but this year's program (here and here) is nevertheless first class and comparable with almost anything else I've seen.

    Dominic White was interviewed for a short video that sums it all up quite nicely.

    <Shameless plug>If you're in South Africa, and you haven't registered, I highly recommend that you do</Shameless plug>
    This year's Summit explores the idea that trust in CyberSpace is "broken" and that, one for one, all the pillars we relied on to tame the Internet and make it a safe place to do business in, have failed. Basically the event poses the question: "What now"?

    We've tried hard to get all our speakers to align in some way with this theme. Sadly, as is often he case, we had fewer submissions from local experts then we hoped, but we were able to round up a pretty killer program, including an VIP list of visiting stars.

    After the plenaries each day, the program is divided into themed tracks where talks on a topic are grouped together. Where possible we've tried to include as many different perspectives and opinions as possible. Here's a brief summary of my personal highlights:

    Plenaries:

    Mobility:
    • Charl van der Walt (me!) - "What's the deal with Mobile and Africa"
    • Tyrone Erasmus (MWR) - "Pilfering information from the masses"
    Enterprise Resource Planning:
    • Juan Pablo Perez Etchegoyen (Onapsis) - "Cyber-Attacks on SAP & ERP systems: Is Our Business-Critical Infrastructure Exposed?"
    • Chris John Riley - "SAP (in)security: Scrubbing SAP clean with SOAP"
    • Ian de Villiers (SensePost) - "Systems Applications Proxy Pwnage"
    Electronic Money:
    • Jon Matonis - "Cryptography in a World of Digital Currencies"
    Security & Politics:
    Finally, there's excellent looking full-day workshop titled "Security in an era of BYOD" with Dan Crisp and Lynn Terwoerds.

    Its gonna be excellent. See you there!