Chapter 3: Bypassing WLAN Authentication
Author: Vivek Ramachandran, Cameron Buchanan Translator: 飞龙 License: CC BY-NC-SA 4.0 Keyword: WLAN authentication
Introduction
The illusion of security is worse than insecurity. — Anonymous
The illusion of security is worse than insecurity, because you cannot prepare for the possibility of being hacked.
WLAN authentication modes may be weak and can be cracked and bypassed. In this chapter, we will examine some of the basic authentication modes used in WLANs and learn how to crack them.
3.1 Hidden SSID
In default configuration mode, all access points send their SSID in the beacon frames. This allows nearby clients to easily discover them. A hidden SSID is a configuration option where the access point does not broadcast its SSID in the beacon frames. Thus, only clients that know the SSID of the access point can connect to it.
Unfortunately, this method does not provide any reliable security, yet many network administrators consider it secure. A hidden SSID should not be viewed as a security measure. Let's now see how to discover hidden SSIDs.
Practice Time — Discovering Hidden SSIDs
Follow the guidelines below to get started:
- Using Wireshark, if we monitor the beacon frames of the Wireless Lab network, we can see the SSID in plaintext. You should see beacon frames like this:
- Configure your access point to hide the Wireless Lab network's SSID. This configuration varies across access points. On mine, I need to set the Visibility Status option to Invisible, like this:
- Now, if you check Wireshark's logs, you will find that the SSID of Wireless Lab has disappeared from the beacon frames. This is what hiding the SSID does:
- To bypass this, we first use a passive technique: wait for a legitimate client to connect to the access point. This generates probe request and probe response frames that contain the network's SSID, thus revealing it.
- Alternatively, you can use aireplay-ng to send deauthentication packets to all clients on behalf of the Wireless Lab access point by entering `aireplay-ng -0 5 -a <AP MAC> --ignore-negative mon0`, where `<AP MAC>` is the router's MAC address. The `-0` option selects the deauthentication attack, `5` is the number of packets to transmit, and `-a` specifies the MAC address of the targeted access point.
- The deauthentication forces all legitimate clients to disconnect and reconnect. Adding a filter for the deauthentication packets so that you can view them on their own is a good idea.
- The probe responses from the access point will eventually reveal the SSID, and these packets will appear in Wireshark. Once legitimate clients reconnect, we can see the hidden SSID in the probe request and response frames. You can use the filter `(wlan.bssid == 00:21:91:d2:8e:25) && !(wlan.fc.type_subtype == 0x08)` to monitor all non-beacon packets to or from the access point. The `&&` symbol is the logical AND operator and `!` is the logical NOT operator:
What Just Happened?
Even though the SSID is hidden and not broadcast, when normal clients attempt to connect to the access point, they exchange probe request and response packets. These packets contain the SSID of the access point. Since these packets are not encrypted, they can be easily sniffed to discover the SSID.
We will return to probe requests in later chapters, where they serve other purposes, such as tracking.
In many cases, all clients may have already connected to the access point, and there may be no probe request or response packets in the Wireshark logs. Here, we can force clients to disconnect from the access point by sending fake deauthentication packets. These packets will force the clients to reconnect to the access point, thus capturing the SSID.
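To make the mechanism concrete, here is an added Python example (not code from the book or from the aircrack-ng project) that parses two constructed 802.11 management frames: a beacon from an access point that hides its SSID, and the probe response the same access point sends to a connecting client. The frame bytes, the client address aa:aa:aa:aa:aa:aa and the minimal frame builder are constructed for this example; the BSSID is the one used in the exercise above.

```python
import struct

# 802.11 frame-control subtypes for management frames (type 0)
SUBTYPE_PROBE_RESP = 0x05
SUBTYPE_BEACON = 0x08
TAG_SSID = 0x00  # tagged-parameter id of the SSID element

AP_BSSID = bytes.fromhex("002191d28e25")   # access point from the exercise
STA_MAC = bytes.fromhex("aaaaaaaaaaaa")    # constructed client address
BROADCAST = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, dst, src, bssid, ssid):
    """Constructed beacon / probe-response frame: 24-byte MAC header, 12 bytes of
    fixed fields (timestamp, beacon interval, capabilities) and one SSID element."""
    frame_control = (0 << 2) | (subtype << 4)        # type 0 = management
    header = struct.pack("<HH6s6s6sH", frame_control, 0, dst, src, bssid, 0)
    fixed = bytes(12)
    ssid_element = bytes([TAG_SSID, len(ssid)]) + ssid
    return header + fixed + ssid_element


def parse_mgmt_frame(frame):
    """Return addresses and SSID from a beacon or probe response.
    Everything is read straight from the frame: management frames and MAC
    headers are never encrypted, whatever security mode the AP uses."""
    fc, _dur, addr1, addr2, addr3, _seq = struct.unpack_from("<HH6s6s6sH", frame, 0)
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = (fc >> 4) & 0xF
    body = frame[24 + 12:]                 # skip MAC header and fixed fields
    tags, off = {}, 0
    while off + 2 <= len(body):            # walk the tagged parameters
        tag_id, tag_len = body[off], body[off + 1]
        tags[tag_id] = body[off + 2:off + 2 + tag_len]
        off += 2 + tag_len
    ssid = tags.get(TAG_SSID, b"")
    return {
        "subtype": subtype,
        "dst": mac_str(addr1), "src": mac_str(addr2), "bssid": mac_str(addr3),
        # a hidden network sends an empty SSID element in its beacons
        "ssid": ssid.decode("utf-8", "replace") if ssid else None,
    }


def ssid_from_capture(frames):
    """Mimic the Wireshark filter in the exercise: ignore beacons and take the
    first SSID carried by any other management frame to/from the AP."""
    for frame in frames:
        info = parse_mgmt_frame(frame)
        if info["subtype"] != SUBTYPE_BEACON and info["ssid"]:
            return info["ssid"]
    return None


# Constructed capture: a hidden-SSID beacon, then the probe response the AP
# sends when a legitimate client connects.
CAPTURE = [
    build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP_BSSID, AP_BSSID, b""),
    build_mgmt_frame(SUBTYPE_PROBE_RESP, STA_MAC, AP_BSSID, AP_BSSID, b"Wireless Lab"),
]

if __name__ == "__main__":
    for f in CAPTURE:
        print(parse_mgmt_frame(f))
    print("SSID recovered from non-beacon frames:", ssid_from_capture(CAPTURE))
```

The beacon parses with `ssid` equal to `None` while the probe response yields "Wireless Lab", which is exactly why hiding the SSID only delays discovery until the next client joins. The same parse also shows the source, destination and BSSID fields sitting in the clear, which is the reason MAC-based controls in the next section are equally weak.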
Try It — Selective Deauthentication
In the previous exercise, we broadcast deauthentication packets to force all wireless clients to reconnect. Try to find out how to use the aireplay-ng tool to do this selectively against a specific client.
Note that while we demonstrated many of the concepts using Wireshark, the same attacks can also be carried out with other tools, such as the aircrack-ng suite. We recommend exploring the whole aircrack-ng suite and its documentation on the main site: http://www.aircrack-ng.org.
3.2 MAC Filtering
MAC filtering is an old trick with roots in wired networks, used for authentication and authorization. Unfortunately, in the wireless world it falls apart completely.
The basic idea is authentication based on the client's MAC address. A MAC address is an identifier assigned to a network interface, and a MAC filter on the router checks a connecting client's address against a list of allowed MAC addresses. This list is maintained by the network administrator and stored on the access point. Let's now see how easy it is to bypass a MAC filter.
Practice Time — Bypassing MAC Filters
Let's follow the guidelines below to get started:
- First, configure the access point to use MAC filtering and add the victim laptop's MAC address to the allowed list. On my router, the settings page looks like this:
- Once MAC filtering is enabled, only the allowed MAC addresses can successfully authenticate to the access point. If we attempt to connect from a machine whose MAC address is not on the whitelist, it fails.
- Behind the scenes, the access point sends an authentication failure message to the client. The packet capture looks like this:
- To bypass the MAC filter, we can use airodump-ng to find the MAC addresses of clients connected to the access point, by entering the command `airodump-ng -c 11 -a --bssid <AP MAC> mon0`. The `--bssid` option restricts monitoring to the access point we are interested in, `-c 11` sets the channel the access point is on to 11, and `-a` ensures that only clients associated with that access point appear in the client section of the output. This shows us all clients associated with the access point and their MAC addresses.
- Once we have found a client MAC address on the whitelist, we can use the macchanger tool to change our own MAC address. Kali ships this tool by default. Run `macchanger -m <MAC> wlan0`; the MAC address you pass with `-m` becomes the new MAC address of your wlan0 interface.
- After changing the MAC address to match a whitelisted client, we can connect to the access point.
What Just Happened?
We monitored the airwaves with airodump-ng to find the MAC address of a legitimate client connected to the wireless network. We then used the macchanger tool to change our wireless card's MAC address to match that client's. This tricks the access point into treating us as the legitimate client and lets us onto its wireless network.
We encourage you to explore the different options of the airodump-ng tool in the documentation on the main site: http://www.aircrack-ng.org/doku.php?id=airodump-ng.
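MAC filtering fails because the address is just a field in an unencrypted header, but a defender monitoring the channel still has one signal to work with: every radio keeps its own 12-bit sequence counter, so when two devices transmit under the same MAC address the counter observed for that address jumps back and forth instead of climbing steadily. The following Python is an added example (not from the book or the aircrack-ng project) of that check over a constructed capture; the frame records, the addresses and the two thresholds are constructed or assumed for illustration.

```python
from collections import defaultdict

SEQ_MOD = 4096          # 802.11 sequence numbers are 12 bits wide
GAP_THRESHOLD = 64      # assumed: forward jumps larger than this are not ordinary frame loss
MIN_ANOMALIES = 3       # assumed: how many odd jumps before an address is reported


def seq_gap(prev, cur):
    """Forward distance from prev to cur on the wrapping 12-bit counter.
    A frame whose counter went backwards shows up as a very large forward gap."""
    return (cur - prev) % SEQ_MOD


def detect_shared_macs(frames, gap_threshold=GAP_THRESHOLD, min_anomalies=MIN_ANOMALIES):
    """frames: iterable of (source_mac, sequence_number) in capture order.
    Returns {mac: anomaly_count} for addresses whose sequence numbers do not look
    like a single counter, i.e. a MAC that is probably in use by two radios."""
    last_seq = {}
    anomalies = defaultdict(int)
    for mac, seq in frames:
        if mac in last_seq:
            gap = seq_gap(last_seq[mac], seq)
            # gap 0 is a retransmission, 1 is the next frame, a few dozen means
            # our monitor interface missed some frames; anything larger is odd
            if gap > gap_threshold:
                anomalies[mac] += 1
        last_seq[mac] = seq
    return {mac: n for mac, n in anomalies.items() if n >= min_anomalies}


def sample_frames():
    """Constructed capture: one genuine client transmitting normally, and a
    whitelisted address used by two radios at once (counters near 100 and 3000)."""
    genuine = [("00:11:22:33:44:55", seq) for seq in range(100, 120)]
    cloned = []
    for i in range(10):
        cloned.append(("aa:aa:aa:aa:aa:aa", 100 + i))    # the real whitelisted client
        cloned.append(("aa:aa:aa:aa:aa:aa", 3000 + i))   # a second radio using its MAC
    return genuine + cloned


if __name__ == "__main__":
    print(detect_shared_macs(sample_frames()))   # only the cloned address is reported
```

The counts, not single events, are what matter: frames lost by the monitor interface and clients that reset their counter on reassociation both produce isolated jumps, so an address is only reported once it has crossed the threshold several times. This is a detection aid for a wireless IDS, not a replacement for real authentication such as WPA2.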
3.3 Open Authentication
The term "open authentication" is a misnomer, because it does not actually offer any authentication. When the access point is configured to use open authentication, every client that connects to it is successfully authenticated.
We will now use open authentication to authenticate to and connect to the access point.
Practice Time — Bypassing Open Authentication
Let's now see how we can bypass open authentication.
- First, set the Wireless Lab access point to open authentication. On my access point, this is done by setting Security Mode to Disable Security.
- Then use the command `iwconfig wlan0 essid "Wireless Lab"` to connect to this access point, and verify that the connection to the access point succeeded.
- Note that we did not provide any username or password to connect via open authentication.
What Just Happened?
This was likely the simplest exercise so far. You can see that there was no barrier to connecting to an open authentication network and establishing a connection to the access point.
3.4 Shared Key Authentication
Shared key authentication uses a shared secret, such as a WEP key, to authenticate clients. The exchange is shown in this diagram:
A wireless client sends an authentication request to the access point, which replies with a challenge. The client must encrypt this challenge with the shared key and send it back to the access point. The access point decrypts it and checks whether it recovers the original challenge text. If it does, the client is authenticated; if not, the access point sends an authentication failure message.
The security flaw here is that an attacker can passively listen to the whole exchange and, by sniffing the air, obtain both the plaintext and the encrypted form of the challenge. Because WEP encrypts by XORing the plaintext with a keystream, XORing the two yields that keystream. The keystream can then be used to encrypt any future challenge sent by the access point, without knowing the actual key.
The common form of this shared authentication is WEP, or Wired Equivalent Privacy. It is easy to crack, and countless tools make breaking into WEP networks easy.
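The exchange described above, reduced to a few lines of Python as an added example (not code from the book or the aircrack-ng suite). The keystream generator is a SHA-256 counter-mode stand-in for WEP's RC4, the key, IV and challenge lengths are constructed, and the HMAC-based variant at the end is not part of 802.11; it is there to show what a challenge-response that does not leak a reusable keystream looks like.

```python
import hashlib
import hmac
import os


def toy_keystream(key, iv, length):
    """Constructed stream-cipher keystream (SHA-256 in counter mode), standing in
    for WEP's RC4(IV || key). The flaw shown below is a property of XOR-based
    stream encryption and does not depend on which stream cipher is used."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# --- the shared key exchange as the text describes it ---

def client_response(key, iv, challenge):
    """Legitimate client: encrypt the AP's challenge with the shared key."""
    return iv, xor_bytes(challenge, toy_keystream(key, iv, len(challenge)))


def ap_accepts(key, challenge, iv, encrypted):
    """Access point: decrypt and check that the original challenge comes back."""
    return xor_bytes(encrypted, toy_keystream(key, iv, len(encrypted))) == challenge


# --- what a passive listener learns, and why that is enough ---

def recover_keystream(challenge, encrypted):
    """plaintext XOR ciphertext = keystream (what the .xor file in the exercise holds)."""
    return xor_bytes(challenge, encrypted)


def forge_response(keystream, iv, new_challenge):
    """Answer a fresh challenge with the captured keystream; the key is never needed.
    Only works for challenges no longer than the captured keystream."""
    if len(new_challenge) > len(keystream):
        raise ValueError("captured keystream is too short for this challenge")
    return iv, xor_bytes(new_challenge, keystream[:len(new_challenge)])


# --- contrast: a keyed MAC over the challenge leaks nothing reusable ---

def mac_response(key, challenge):
    return hmac.new(key, challenge, hashlib.sha256).digest()


def ap_accepts_mac(key, challenge, response):
    return hmac.compare_digest(mac_response(key, challenge), response)


def demo(challenge_len=128):
    key = bytes(range(1, 14))     # constructed 104-bit key, never given to the listener
    iv = b"\x11\x22\x33"          # 24-bit IV chosen by the client and sent in the clear
    # 1. observed exchange between a legitimate client and the AP
    challenge1 = os.urandom(challenge_len)
    iv1, enc1 = client_response(key, iv, challenge1)
    legit_ok = ap_accepts(key, challenge1, iv1, enc1)
    # 2. listener derives the keystream without the key and answers a new challenge
    ks = recover_keystream(challenge1, enc1)
    challenge2 = os.urandom(challenge_len)
    iv2, enc2 = forge_response(ks, iv1, challenge2)
    forged_ok = ap_accepts(key, challenge2, iv2, enc2)
    # 3. same trick against an HMAC response: XOR of what was seen is useless
    resp1 = mac_response(key, challenge1)
    bogus = xor_bytes(challenge2[:len(resp1)], xor_bytes(challenge1[:len(resp1)], resp1))
    hmac_forged_ok = ap_accepts_mac(key, challenge2, bogus)
    return {"legit_accepted": legit_ok, "forged_accepted": forged_ok,
            "hmac_forged_accepted": hmac_forged_ok}


if __name__ == "__main__":
    print(demo())
```

Two details carry the whole lesson: the forger reuses the IV it observed, so the access point regenerates the very same keystream, and the captured keystream is only as long as the first challenge, which is why the real WEP challenge length of 128 bytes is all an attacker ever needs. The HMAC variant at the end is accepted only when the key is known, because a keyed hash of one challenge says nothing about the hash of another.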
In this exercise, we will learn how to sniff the airwaves to capture both the plaintext and the encrypted challenge, derive the keystream, and use it to authenticate to the access point without the shared key.
Practice Time — Bypassing Shared Key Authentication
Bypassing shared key authentication is more involved than the previous exercises, so follow the steps closely:
- First, set up shared key authentication on the Wireless Lab network. On my access point, this is done by setting the security mode to WEP and the authentication to Shared Key.
- Now connect a legitimate client to this network using the shared key we set in step one.
- To bypass shared key authentication, we need to sniff the packets exchanged between the access point and the client, and we must capture the entire shared key exchange. To do this, run the airodump-ng tool with the command `airodump-ng mon0 -c 11 --bssid <AP MAC> -w keystream`. The `-w` option tells airodump-ng to store its output in files prefixed with keystream. It is a good idea to store different packet capture sessions in different files, so that you can analyze them even long afterwards.
- We can either wait for a legitimate client to connect to the access point or use the deauthentication technique from earlier to force a reconnection. Once the client connects and completes shared key authentication, airodump-ng captures the exchange automatically by sniffing the air. When the AUTH column shows WEP, the capture succeeded.
- The captured keystream is stored in a file prefixed with keystream in the current directory. In my case, the file is named keystream-01-00-21-91-D2-8E-25.xor.
- To forge shared key authentication, we use the aireplay-ng tool with the command `aireplay-ng -1 0 -e "Wireless Lab" -y keystream-01-00-21-91-D2-8E-25.xor -a 00:21:91:D2:8E:25 -h AA:AA:AA:AA:AA:AA mon0`. This aireplay-ng command uses the keystream we obtained earlier and attempts authentication with the SSID Wireless Lab on the access point with MAC address 00:21:91:D2:8E:25. Start Wireshark and use the filter `wlan.addr == AA:AA:AA:AA:AA:AA` to capture all packets of interest, so that we can verify the exchange. You should see frames in Wireshark like this:
- The first packet is the authentication request sent by aireplay-ng to the access point:
- The second packet is the challenge text sent by the access point to the client, like this:
- In the third packet, the tool sends the encrypted challenge text back to the access point.
- Because aireplay-ng encrypts with the extracted keystream, the authentication succeeds and the access point sends a success message in the fourth packet.
- After successful authentication, the tool forges an association with the access point, like this:
- If you check the wireless logs in your access point's management interface, you will see that a client with MAC address AA:AA:AA:AA:AA:AA has connected.
What Just Happened?
We successfully extracted the keystream from a shared key authentication exchange and used it to authenticate to the access point without knowing the key.
Try It — Overflowing the Access Point's Tables
An access point can accommodate only a limited number of clients, beyond which it rejects additional connections. By writing a small wrapper around aireplay-ng, we can automatically send hundreds of connection requests from random MAC addresses to the access point. This overflows the router's internal tables, and once the maximum number of clients is reached, the access point stops accepting new connections. This is a denial of service (DoS) attack; it can force the router to reboot or make it non-functional, and it can cause all wireless clients to lose connectivity and be unable to use the network.
Quiz â WLAN Authentication
Q1 How do you force wireless clients to reconnect to an access point?
- Send a deauthentication packet
- Restart the client
- Restart the access point
- All of the above
Q2 What does open authentication do?
- Provides adequate security
- Does not provide any authentication
- Requires encryption
- None of the above
Q3 How do you crack shared key authentication?
- Export the keystream from packets
- Export the encryption key
- Send a deauthentication packet to the access point
- Restart the access point
Summary
In this chapter, we explored WLAN authentication. Hidden SSIDs are a "security through obscurity" strategy and are easily defeated. MAC address filtering provides no security, because MAC addresses are sent unencrypted in wireless frames and can simply be sniffed. Open authentication provides no actual authentication. Cracking shared key authentication is more involved, but with the right tools we can extract and store the keystream and use it to answer any future challenge sent by the access point, ultimately authenticating without knowing the actual key.
In the next chapter, we will look at the different WLAN encryption mechanisms, WEP, WPA and WPA2, and examine their insecurities.