5

As mentioned in the title, I have questions regarding ARP poisoning on WPA Personal and WPA Enterprise.

I'm gonna do an example (please let me know if I'm wrong):

I need to send the ARP reply to the Victim (C), updating the record of the gateway (A) with the MAC of my machine (B).
Then I need to send the ARP reply to the Router (host A), updating the record of the victim (C) with the MAC of my machine (B).
After that I would simply enable IP forwarding on my machine.

So, we should have:
C->B->A
A->B->C

Because, if that is correct, I believe that in WPA Personal, in order to decrypt the traffic that you have received from the client (victim) you would need to generate the PTK used by the victim (which in this case I believe is possible, because you could generate the PMK having the PSK. Then sniff ANonce, SNonce, AP_MAC, CLIENT_MAC and generate the PTK).


Again, if what I've said is correct, how would it be possible to decrypt the traffic of WPA Enterprise, which has multiple passwords, making it therefore impossible to generate the PMK?

loopOfNegligence
  • You can sniff the traffic by putting the antenna in monitor mode without needing to reroute (ARP poisoning) the traffic to your computer as destination. Exactly what is your question? Or what you want to achieve? – Azteca Mar 06 '17 at 05:38
  • No you can't sniff the nonce because that's sent only in the first two packets of the handshake, I think I'll elaborate some more on your other question. – Azteca Mar 06 '17 at 05:41
  • @Azteca, my intent was simply to perform an ARP poisoning and understand exactly how it works. I know that i can sniff the traffic without redirecting it through me, but in order to do that I would need to generate the PTK, instead I've been told that with ARP poisoning there is no need to know the encryption key. – loopOfNegligence Mar 06 '17 at 09:04
  • About the ARP poisoning you are right, that's the right way to do it. ARP poison both targets and reroute the traffic with `iptables` or whichever method of your choice. But bear in mind you won't be able to decrypt unless you have the Key. Just as you said. – Azteca Mar 06 '17 at 19:09
  • Good to know! But, again, I've been told to be wrong. That the path I've mentioned is wrong, because the correct one would be: target(C)--> router(A)--->attacker(B) -->router(A)--> internet. And that due to the path mentioned above, I wouldn't need the PTK to decrypt the traffic because the router would decrypt the traffic for me. So, I'm confused... anyway, if what I've said is correct, it shouldn't be difficult to calculate the PTK used to encrypt the traffic of the poisoned client (if we have sniffed the very beginning of the handshake). – loopOfNegligence Mar 07 '17 at 16:20
  • Well, I'm not sure exactly how that works, especially the part where the router sends the unencrypted data to you, and you back to the router, and then back to the internet; that would be outbound traffic, but what about inbound? You would receive unencrypted traffic, then send it back to the router? And then the target would get it unencrypted too? He wouldn't need the PTK, or would the router somehow encrypt it again? But the rest you got right for all I know; you would need to test that out or ask another question/reformulate the question specifying THIS scenario. – Azteca Mar 07 '17 at 17:24
  • Yes, I will ask new question with this specific scenario. – loopOfNegligence Mar 07 '17 at 20:32
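The question describes the victim's ARP cache being rewritten so the gateway's IP maps to the attacker's MAC. From the defender's side, the symptom of that is observable: an IP that was bound to one MAC starts being announced with another. The following is an added example, not code from the question or any answer, of a minimal arpwatch-style monitor that records the first-seen IP-to-MAC binding and raises an alert when a later ARP reply contradicts it. The `ArpReply` records, the addresses and the `192.168.1.1` gateway are constructed sample data, not captured traffic.

```python
"""Added example: arpwatch-style detection of conflicting ARP bindings.
The sample replies and addresses below are constructed, not captured."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """Fields of an ARP reply that matter for binding checks."""
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


class ArpMonitor:
    """Remembers the first IP->MAC binding seen and reports later changes.

    Bindings for 'protected' addresses (typically the default gateway) are
    reported with HIGH severity, since those are the ones an attacker must
    rewrite to sit between a host and its gateway.
    """

    def __init__(self, protected_ips):
        self.protected = set(protected_ips)
        self.bindings = {}   # ip -> mac first seen for that ip
        self.alerts = []     # (severity, ip, old_mac, new_mac)

    def observe(self, reply: ArpReply):
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac          # first time we see this IP
        elif known != mac:
            severity = "HIGH" if ip in self.protected else "LOW"
            self.alerts.append((severity, ip, known, mac))
        return self.alerts


# Constructed sample: a genuine gateway reply, an unrelated host, then a reply
# that re-announces the gateway IP with a different MAC (the pattern the
# question's "update the record of the gateway" step produces on the victim).
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "AA:AA:AA:AA:AA:01", "192.168.1.50", "cc:cc:cc:cc:cc:50"),
    ArpReply("192.168.1.20", "DD:DD:DD:DD:DD:20", "192.168.1.50", "cc:cc:cc:cc:cc:50"),
    ArpReply("192.168.1.1", "BB:BB:BB:BB:BB:02", "192.168.1.50", "cc:cc:cc:cc:cc:50"),
    ArpReply("192.168.1.20", "DD:DD:DD:DD:DD:20", "192.168.1.1", "aa:aa:aa:aa:aa:01"),
]


def run_sample(protected_ips=("192.168.1.1",)):
    """Feed the constructed replies through the monitor and return the alerts."""
    monitor = ArpMonitor(protected_ips)
    for reply in SAMPLE_REPLIES:
        monitor.observe(reply)
    return monitor.alerts


if __name__ == "__main__":
    for severity, ip, old, new in run_sample():
        print(f"[{severity}] {ip} changed from {old} to {new}")
```

A real deployment would feed this from a packet capture and age bindings out, but the core check is the same one tools like arpwatch perform. On the wired side, static ARP entries for the gateway or switch features that validate ARP against DHCP leases remove the window entirely; on Wi-Fi, the equivalent is the AP-side client isolation and ARP handling that YLearn's comment below alludes to.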

2 Answers

1

Because, if that is correct, I believe that in WPA Personal, in order to decrypt the traffic that you have received from the client (victim) you would need to generate the PTK used by the victim

If you are doing ARP poisoning in the manner you suggest, the only encryption on the traffic is between your machine and the AP. You don't need the victim's PTK at any point.

While your traffic flow illustrates the logical flow of data, the physical flow of data is somewhat different (V = victim, A = attacker, GW = gateway, AP = access point) with the inverse for return traffic:

V -> AP -> A -> AP -> GW

802.11 encryption is only between the client and AP so since you are not intercepting the flow of data from V -> AP, you don't need to decrypt that data. The flow from AP -> A you will be able to decrypt in either WPA-Personal or WPA-Enterprise as this will be using the PTK generated between AP and A during the association process.

Again, if what I've said is correct, how would it be possible to decrypt the traffic of WPA Enterprise, which has multiple passwords, making it therefore impossible to generate the PMK?

You weren't entirely correct, but if you were trying to decrypt V -> AP traffic and WPA-Enterprise were used, you would be out of luck unless the EAP method employed was broken and leaked information.

At the point of the 802.1X authentication, the client is not associated to the network and doesn't have any IP information. There is no way ARP poisoning from a wireless client in this scenario will affect the 802.1X traffic.

Edit: I meant to also mention that if the AP is also the GW (i.e. most consumer based wireless gateway devices) then this type of attack may not be possible. As L2/L3 devices they may very well recognize that a packet to the gateway is destined to a L3 interface on the device itself and not for another L2 device and route it itself.

YLearn
  • I answered the questions as stated, but on the network side there are often limitations on how effective such an ARP attack would be based on features/configuration of the wireless deployment. That would likely be an entirely different question deserving of its own answers. – YLearn Oct 03 '17 at 03:30
0

I need to send the ARP reply to the Victim......

Hacking Wi-Fi is not like hacking wired connections: there's no need to redirect traffic to you, since in Wi-Fi all packets are sent through the air, so you can just sniff it. But following your example, yes, this would work as far as redirecting traffic goes, but everything would be encrypted.

because you could generate the PMK having the PSK

The PMK is the same as the PSK in a PSK Network, unless you're calling the passphrase that you type when connecting to the network PSK, then you're right.

Then sniff ANonce, SNonce, AP_MAC, CLIENT_MAC and generate the PTK).

This is only sent during the four-way handshake, which is the very beginning of the connection.

how would it be possible to decrypt the traffic of WPA Enterprise, which has multiple passwords, making it therefore impossible to generate the PMK?

WPA Enterprise is a whole new subject; you need to be more specific. Just to start, there are many authentication methods under the AES encryption for WPA.

  • PEAP (Protected EAP)
  • EAP-TTLS
  • EAP-TLS
  • LEAP
  • EAP-FAST

But basically you need to fool the client into accepting a false certificate, receive the MD5 hash of the EAP Response ID + password + RADIUS challenge, and brute-force it.

Azteca
  • PMK (Pairwise Master Key) is not the same as PSK (Pre-Shared Key). PMK is generated from the PSK and the SSID; it is not the same. – OscarAkaElvis Mar 06 '17 at 07:58
  • @Azteca, I've been told that is not how ARP poisoning works. That the path I've mentioned is wrong, because the correct one would be: target(C)--> router(A)--->attacker(B) -->router(A)--> internet. Like I said before, I know that I can sniff the traffic without redirecting it through me, but in order to do that I would need to generate the PTK; instead I've been told that with ARP poisoning there is no need to know the encryption key because of the path that I've been told is the correct one regarding ARP poisoning, in which basically the router decrypts the traffic for me. – loopOfNegligence Mar 06 '17 at 09:15
  • @OscarAkaElvis, yeah I've read on the web that PMK is generated with PSK and the SSID. I've also read that PMK is generated only with the PSK. So, which one is correct? – loopOfNegligence Mar 06 '17 at 09:18
  • @OscarAkaElvis In a pre-shared key network the PSK is the PMK. I think you're confusing it with the "Passphrase", which goes along with the SSID into the PBKDF2 function to create the PSK/PMK. – Azteca Mar 06 '17 at 18:51
  • @loopOfNegligence It depends; some people call the "Passphrase" the PSK because that's what you need to share for people to connect, but it's not actually a "Key". The "Key" is generated with a function called Password-Based Key Derivation Function 2 (PBKDF2), whose first input is this passphrase and whose second input is the SSID, along with some other defaults; this generates a 256-bit **KEY**, called PSK or PMK. – Azteca Mar 06 '17 at 18:59
  • @loopOfNegligence & OscarAkaElvis Here, if you like Wikipedia as a source, the official name of [WPA2 is 802.11i](https://en.wikipedia.org/wiki/IEEE_802.11i-2004#Protocol_operation); here you can read that the PSK is the PMK. Or you can look for other sources using different names. But in the end you can call it PMK, since it generates the PTK, and call the PSK passphrase; just understand how it works. – Azteca Mar 06 '17 at 19:05
  • The statement "*Just to start there are many encryptions*" is incorrect. There is really just one encryption in modern wireless, AES. What you list are EAP protocols, which are authentication mechanisms and may or may not make use of TLS tunnels or other methods to maintain security of the authentication. – YLearn Oct 03 '17 at 03:11
  • @YLearn You are correct, thanks for the correction, just fixed it. – Azteca Oct 03 '17 at 03:46
  • @Azteca, much better, but still not entirely accurate. EAP authentication methods are not under AES or even WPA/WPA2. EAP is its own authentication framework with many different mechanisms under it and is entirely independent of the encryption employed. – YLearn Oct 03 '17 at 04:55
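The comment thread above debates whether the passphrase, the PSK and the PMK are the same thing. What IEEE 802.11i actually specifies for a Personal network is: the passphrase and the SSID go through PBKDF2-HMAC-SHA1 with 4096 iterations to produce a 256-bit PSK, and that PSK is used directly as the PMK. The following added example (not code from any answer above) implements that derivation with Python's standard library and checks it against the test vector published in the 802.11i annex (passphrase `password`, SSID `IEEE`). The length checks follow the standard's limits of 8 to 63 ASCII characters for the passphrase and 32 bytes for the SSID.

```python
"""Added example: passphrase + SSID -> PSK (= PMK) for WPA/WPA2-Personal.
Uses PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output, as 802.11i specifies."""
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by the standard
PMK_LEN = 32               # 256 bits


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PSK/PMK for a WPA-Personal network.

    The SSID acts as the salt, which is why the same passphrase on two
    networks with different SSIDs yields two unrelated PMKs.
    """
    pw = passphrase.encode("ascii")
    if not 8 <= len(pw) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, ssid_bytes, PBKDF2_ITERATIONS, dklen=PMK_LEN)


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PMK, matching the 'psk=' line that wpa_passphrase prints."""
    return derive_pmk(passphrase, ssid).hex()


if __name__ == "__main__":
    # IEEE 802.11i annex test vector: passphrase "password", SSID "IEEE"
    print("PMK for SSID IEEE :", pmk_hex("password", "IEEE"))
    # Same passphrase, different SSID: a completely different PMK
    print("PMK for SSID IEEE2:", pmk_hex("password", "IEEE2"))
```

Two things follow from the code for the discussion above. First, in a PSK network there is no separate "PSK" and "PMK": `derive_pmk` returns the one 256-bit value that plays both roles, and the thing that differs is the human-typed passphrase. Second, because the SSID is the salt, the 4096-iteration cost has to be paid per passphrase per SSID; a long, non-dictionary passphrase and a non-default SSID are the practical defences for a Personal network, while Enterprise avoids a shared secret altogether, which is why YLearn's answer says a captured Enterprise session is only at risk if the EAP method itself is weak.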