
Authentication Cracking: 4-Way Handshake Crack

 

Summary

Excerpt From Wi-Fi Vulnerabilities Part 2 webinar
Find Out More on Authentication Cracking: 4-Way Handshake Crack by CTO Dr. Brett Walkenhorst
CTO Dr. Brett Walkenhorst discusses how weak passwords can be exploited by offline dictionary attacks and how WPA personal networks can be compromised using the 4-way handshake, along with the cryptographic components of this procedure. The 4-way handshake attack sets personal networks apart from enterprise networks: it is easy to crack a shared secret on a personal network, as opposed to how difficult it is to crack enterprise credentials. Even with cryptographic safeguards in place, namely the meticulous process of generating keys and confirming integrity, adversaries can effectively guess passwords from a dictionary if they have access to sufficient processing power. The video below offers information on the attacker’s strategy and methods to prevent these attacks from happening.

Video Transcript

One of the most common ways that people will crack authentication for a WPA personal network is by using the four-way handshake. And as I mentioned, this is really about authentication within the personal network. It's authentication plus the derivation of session keys. What we're most interested in is authentication because in a personal network, we have a persistent shared secret, and that's all I need.

With an enterprise network, it's different. Right? Each user has independent credentials, and the pairwise master key that's generated is gonna be different every time because of the way that that exchange takes place. So I can't really get much by cracking a four-way handshake with an enterprise network.

But when it comes to a personal network, I can get everything I need. I can get that shared secret if I can use this information properly. So let's dig into this a little bit because there's some information, cryptographic information, in these messages that I can use to try to get the password.

And it's not hard to do. I have to simply use an offline dictionary attack. And if I use enough elements in my dictionary, it's just a matter of time before I get your password if your password is relatively weak. So another plug for strong passwords. You can avoid many of these attacks by ensuring that your shared secret is sufficiently complex and unique.

But if I can guess it and it's in a dictionary of some, you know, ten million different passwords, I can get that in a matter of minutes or hours if I have decent computational resources. So here's how this works with the four-way handshake. My access point is going to initiate the exchange.

It generates a nonce, some random sequence that's gonna seed a hash function later on. So the nonce it generates, it's gonna share openly with the client. It can't be encrypted because we haven't established keys yet. And I don't know if you're even legitimate, so I can't conduct some cryptographic exchange.

So this is available to anywhere and anyone who's listening. And that's the nature, unfortunately, of Wi-Fi is there's no switches that prevent unauthorized users from sniffing packets that are intended only for one specific destination address. This stuff goes everywhere. Electromagnetic waves can't be stopped. Well, you can stop them, but it's expensive.

And we've talked about that some other time. But, basically, this goes everywhere. So anyone who can hear these packets gets access to all of the information in those packets. They're not encrypted. So I can get the ANonce just by listening to this exchange. Now what the client does is it takes that ANonce, it generates its own nonce called the SNonce, and it derives what's called the PTK or pairwise transient key.

The equation at a high level for that is at the bottom of the slide. So with some hashing function seeded with what's called the PMK and salted with additional data fields, including the two nonces that are generated by both of the parties to the exchange as well as the MAC addresses of both of those parties.

Well, if I listen to the first two messages, I have the ANonce, the SNonce, and both MAC addresses. The SNonce gets sent back in message two along with something called a MIC. So the MIC is a message integrity code that ensures that whatever I've sent is actually coming from me because I use a key to encrypt it or to hash it and create this field called an HMAC that I send along with it.

And you can look at the HMAC, and if you have the same key, you can hash it and get the same MIC to confirm that you are who you say you are, that the person sending that packet is the right person. So in this case, I use the MIC to confirm that I've got the right PTK.

Alright. This is a lot of acronyms and a lot of keys, so let me try to just kinda go through this one more time. There's nonces that are generated. The client generates a PTK, part of which is used to hash the payload of message two into a MIC.

When the access point gets message two, it now knows the SNonce, so we can do the same math with the equation at the bottom to create its PTK. If they both got the same PTK, they should both get the same MIC by hashing the payload of message two.

If they don't get the same MIC, that means they don't have the same PTK, and the access point says, sorry, buddy. You don't have the same pass, you don't have the right password. If they did get the same MIC, the access point confirms that and sends message three along with its MIC so the client can verify that the access point also has the right password, and then they're good to go.

At this point, they both have created a pairwise transient key, which there are three parts to it. One of which is used to create the MICs, and another one is used for cryptographic encryption of payloads. So all of this stuff is generated during this exchange. But as an attacker, all I need is messages one and two, and I have everything I need except for the PMK.

Well, that sounds like a problem, and it is. Because if I had the PMK, I wouldn't need to listen to this exchange. I would have what I need. So what I do is that's not crackable. Two hundred fifty six bits is a lot of bits.

I'm not gonna crack that. But what I can do is use a dictionary of common passphrases, and I know how to go from passphrase to pre-shared key. And I know how to go from pre-shared key to pairwise master key. Now I can compute for every one of those passphrases.

I can compute the PMK. I can use that to compute the PTK, and I can use that to compute the MIC and verify whether I got the right result. You can see this is a lot of math. So it takes a fair bit of work to compute all of these hashes, and that's intentional, by the way, to make these kinds of attacks harder.

But they're still possible. And with increasing computational capabilities, they become easier and easier over time. So I can run these attacks with all of the passwords in my dictionary, and when I get a match, I know I got the right password.
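
The key chain the transcript walks through (passphrase to PMK to PTK to MIC), shown from the access point's side as it checks message two. This is an added example, not part of the webinar or Bastille's material. It assumes WPA2-Personal with CCMP (PBKDF2-HMAC-SHA1 salted with the SSID, HMAC-SHA1 MIC); the SSID, MAC addresses, nonces and frame bytes are constructed sample values.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # Passphrase -> 256-bit PSK/PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    # 802.11 PRF: HMAC-SHA1 keyed with the PMK over a label, both MAC
    # addresses and both nonces (each pair sorted), plus a block counter.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for counter in range(3):  # 3 * 20 bytes covers the 48 bytes needed
        msg = b"Pairwise key expansion\x00" + data + bytes([counter])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:48]  # CCMP PTK, three parts: KCK (16) | KEK (16) | TK (16)

def eapol_mic(ptk: bytes, frame_mic_zeroed: bytes) -> bytes:
    # WPA2 (key descriptor version 2): HMAC-SHA1 keyed with the KCK, truncated
    # to 16 bytes, over the EAPOL-Key frame with its MIC field zeroed.
    return hmac.new(ptk[:16], frame_mic_zeroed, hashlib.sha1).digest()[:16]

def ap_accepts_message2(passphrase, ssid, ap_mac, sta_mac, anonce, snonce,
                        frame_mic_zeroed, received_mic) -> bool:
    # The access point recomputes PMK -> PTK -> MIC from its own passphrase.
    ptk = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(eapol_mic(ptk, frame_mic_zeroed), received_mic)

def demo():
    # All values below are constructed for illustration, not captured traffic.
    ssid = "ExampleNet"
    ap_mac, sta_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    frame = b"constructed stand-in for EAPOL-Key message 2, MIC field zeroed"
    # Client side: derive the PTK from its passphrase and compute the MIC.
    client_ptk = derive_ptk(derive_pmk("correct horse battery staple", ssid),
                            ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(client_ptk, frame)
    args = (ssid, ap_mac, sta_mac, anonce, snonce, frame, mic)
    return (ap_accepts_message2("correct horse battery staple", *args),
            ap_accepts_message2("a different passphrase", *args))

if __name__ == "__main__":
    print(demo())
```

Every input to `ap_accepts_message2` except the passphrase travels in the clear during the handshake, which is why the strength of the shared secret carries the whole defence on a personal network.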
