Korean/Swiss hybrid teams are highly encouraged
- From a Wireshark pcap file, using Scapy, manually extract the necessary elements in order to derive the encryption and integrity keys
- Using Python and Scapy, code your own version of the cracking tool
aircrack
, a brute-forcing tool that finds a WPA network passphrase from a 4-way handshake
You will need Scapy but not the Alfa interfaces this time. Please refer to the MAC Security Lab for important information about Monitor Mode, Python, Scapy, WiFi interfaces, etc.
In this first part, you will recover the the Python script wpa_key_derivation.py.
You will also need the capture file wpa_handshake.cap containing a WPA authentication. You will also need the file pbkdf2_math.py, which allows to calculate the 4096 rounds for the passphrase hash. All these files need to be copied to the same folder in your local machine.
- Open the capture file wpa_key_derivation.py using Wireshark
- Execute the script using
python wpa_key_derivation.py
- Try to identify the values shown by the script in the Wireshark capture
- Analyse the script. In particular, pay attention to the variable
data
containing the payload of the frame. Compare this data to the payload of the 4th frame of the handshake (hint: the last bytes are different!). Read Important info for an explanation. - Modify the script sot that it obtains directly from the
pcap
all the values that are currently hardcoded (ssid
,APmac
,Clientmac
, nonces…) - ATTENTION: some of the parameters cannot be easily obtained (for example the nonces). You will need to extract them from the raw data of the frame. This is how you access the raw data payload:
frame.load
aircrack-ng
uses the 4th message of the 4-way handshake to test the passphrases using a dictionary. This message does note contain any encrypted data, but it is authenticated using a MIC that can be uses as an "oracle" to test the different keys derived from the passphrases in the dictionary.
Using your previously created script as a starting point, create a new script scaircrack.py
. This new script should be able to:
- Read a passphrase from a dictionary file (wordlist)
- Derive the keys from this passphrase, nonces, etc., calculate the MIC on the last message of the 4-way handshake using Michael
- Recover the MIC contained within the last message of the 4-way handshake
- Compare both MICs
- Identical → the passphrase you used is correct
- Different → try a new passphrase
- The last message of the 4-way handshake contains a MIC in the payload. When you calculate your own MIC, you need to change the last bytes of the payload containing the MIC to
\x00
(read this part many times until you understand what it means... see the last message in Wireshark to help you understand) - The calculation of the MIC in the authentication does not use Michael. It can use MD5 or SHA-1 and it is truncated to 16 bytes (32 digits/chars). The 4-way handshake contains the necessary information in the filed Key Information
- The command
b2a_hex(variable)
is equivalent tovariable.encode("hex")
- it returns a string with the hex representation of the binary data contained invariable
. Each byte invariable
will be converted to its hex representation with two digits. - The command
a2b_hex(variable)
is equivalent tovariable.decode("hex")
- this function is the inverse ofb2a_hex(variable)
Fork of the original repo. Then, a Pull Request containing :
- The names of the students. You can add this to the
README.md
wpa_key_derivation.py
script modified for the automatic recovery of the parameters from the capture file. Modifications must be extensively commented/documented- Screen grab of your script in action
scaircrack.py
script extensively commented/documented + the wordlist file- Screen grab of your script in action