Attacking WPA-PSK - Part 1
Details
Category: WPA/2
Published on Saturday, 18 January 2014 13:57
Introduction
The process of a wireless client authenticating to and joining a WPA-protected
network is much more complex than it was for WEP. WPA packets are
encrypted with dynamic keys, which are established during the authentication
process (and then changed at regular intervals), but these are derived from a
master key held by both parties. This key is called the Pre-Shared Key (PSK)
or Pairwise Master Key (PMK).

Pre-Shared Key
The PSK is a 256-bit key derived using the Password-Based Key
Derivation Function (PBKDF2), documented in RFC 2898. PBKDF2 is
an HMAC-SHA1 based function which takes several inputs.
PSK = PBKDF2(Passphrase, SSID, SSIDlen, 4096, 256)
where:
4096 is the number of iterations of the function
256 is the size of the final key, in bits

The 4-Way Handshake
The purpose of this handshake phase is to derive the Pairwise Transient Key
(PTK), the temporary encryption key used to encrypt data, and to
confirm the identity of the wireless client (i.e. that it has the correct
passphrase to join).
Packet 1
Key Descriptor Version: RC4 Cipher, HMAC-MD5 MIC (1)
Key Type: Pairwise Key
The two lines above confirm that the access point is using
WPA TKIP, as the RC4 cipher is named.
Replay Counter: 0
The replay counter is set to a value n; it is not always 0 as in this case.
It is used by the access point and client to track concurrent handshake
packets.
Install: Not set
Key MIC: Not set
Note that the Install and Key MIC fields are not yet set. The value in the field
below is the ANonce, generated and sent by the access point.
WPA Key Nonce: f7449f4ffb86488e5e23961b6eeb8625d3c0b11a5da73fe7...

Packet 2
Install: Not set
Key MIC: Set
Replay Counter: 0
The nonce below is the SNonce, generated and sent by the client. Using the
ANonce, SNonce and other information (see below), the client has already
generated the PTK, calculated the MIC and included it in this packet.
WPA Key Nonce: 2fac8f76e7794763726ccbdb00ef275e97417b91b2e16a13...
WPA Key MIC: 8f4aeb8b937b5f48b1a9c741b382f61c

Packet 3
Install: Set
Key ACK: Set
The access point checks the MIC sent by the client in Packet 2 using the
same information. It sends a reply with the Install and Key ACK fields set;
this tells the client that the PSK (and thus the passphrase) it is using is
correct and that it can continue to use it for communication.
Replay Counter: 1
The Replay Counter is increased by 1.
Key MIC: Set
WPA Key MIC: 5ec94d0a78b6a929501149624b9fa0b0
Copyright 2014 - Material is for educational purposes only

Packet 4
Replay Counter: 1
To indicate that this is the last packet in the handshake, the Key ACK bit is set
back to 0.
Key ACK: Not set
WPA Key MIC: f3e29f4334b9f4ee8f999ec1823281e8

Pairwise Transient Key
This is the key used to encrypt data while it is in transit; it is derived using the
PBKDF2 function.
PTK = PBKDF2(PSK, ANonce, SNonce, AMAC, SMAC)
where:
AMAC is the MAC address of the Access Point
SMAC is the MAC address of the client (supplicant)
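As an added example (not code from the original article), the derivations described on this page carried through in Python: the PSK via PBKDF2-HMAC-SHA1 with the page's parameters, the PTK expansion, and the Key MIC check the access point performs on Packet 2 before replying with Packet 3. The PTK step follows the IEEE 802.11i PRF-512 (HMAC-SHA1 with the label "Pairwise key expansion"), which is the function the standard specifies for this step, and the HMAC-MD5 MIC corresponds to Key Descriptor Version 1 shown in the capture. The MAC addresses, nonces and the Packet 2 frame are constructed rather than taken from the capture above; the PSK test vector (passphrase "password", SSID "IEEE") is from IEEE 802.11i Annex H.

```python
import hashlib
import hmac
import struct
from binascii import unhexlify

MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of Key Descriptor precede the 16-byte Key MIC field

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256-bit output), as on the page."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK via the 802.11i PRF-512: HMAC-SHA1 over the label, both MACs and both nonces in sorted
    order plus a counter byte; 64 bytes for TKIP, of which the first 16 are the KCK used for the MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]

def eapol_mic(kck: bytes, frame: bytes, descriptor_version: int) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed: HMAC-MD5 for Key Descriptor Version 1
    (TKIP, as in the capture above), HMAC-SHA1 truncated to 16 bytes for Version 2 (CCMP)."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    if descriptor_version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_packet2(snonce: bytes, replay_counter: int, wpa_ie: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed message 2. Key Info 0x0109 = Version 1, Pairwise Key, Key MIC set, Install not set."""
    body = struct.pack(">BHHQ", 0xFE, 0x0109, 32, replay_counter) + snonce  # descriptor type 254 = WPA
    body += b"\x00" * 32 + mic + struct.pack(">H", len(wpa_ie)) + wpa_ie    # Key IV, RSC, ID left zero
    return struct.pack(">BBH", 1, 3, len(body)) + body                        # EAPOL v1, type 3 = Key

def verify_packet2(passphrase: str, ssid: str, aa: bytes, spa: bytes, anonce: bytes, frame: bytes) -> bool:
    """The access point's check before Packet 3: rebuild PSK -> PTK -> KCK and compare the received MIC."""
    snonce = frame[17:49]
    kck = derive_ptk(derive_psk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, frame, 1), frame[MIC_OFFSET:MIC_OFFSET + 16])

# Constructed sample values (not the capture from the page): the standard TKIP WPA IE, made-up MACs/nonces.
WPA_IE = unhexlify("dd160050f20101000050f20201000050f20201000050f202")
AA, SPA = unhexlify("0011223344aa"), unhexlify("00aabbccddee")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))

def client_packet2(passphrase: str, ssid: str) -> bytes:
    """What the supplicant sends: MIC computed with its own KCK over the zero-MIC frame, then filled in."""
    kck = derive_ptk(derive_psk(passphrase, ssid), AA, SPA, ANONCE, SNONCE)[:16]
    return build_packet2(SNONCE, 0, WPA_IE, eapol_mic(kck, build_packet2(SNONCE, 0, WPA_IE), 1))

if __name__ == "__main__":  # a matching passphrase verifies; any other passphrase yields a MIC mismatch
    print(verify_packet2("password", "IEEE", AA, SPA, ANONCE, client_packet2("password", "IEEE")))
```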