How dangerous can a handshake be?

A few weeks ago I took a mobile security class at university which also included a portion about wifi-security.
Along those studies, I stumbled upon the process of performing a dictionary attack against the current consumer-grade, “standard”, WPA2.
I knew tools like aircrack existed, however, I never knew how these tools worked under the hood. Therefore, it was clear that I want to build something similar with my newly acquired knowledge and took it upon myself to start working on this after my exam was over.

Therefore, here I want to document how I tackled this problem, and how I succeeded in creating v0.1 of cr4gg, which performs the dictionary attack.

We start off by explaining the 4-Way Handshake the involved parties have to go through to authenticate each other.

4 Way Handshake

We assume that a pre-shared key (PSK) was exchanged between the user accessing the Access-Point (AP) and the AP itself. In most cases this is your usual wifi password you use to access your router for the first time, however, this could also be a more complex system using EAP.

Now, we start off by looking at the following figure to gain a high-level overview of the message-flow.

Firstly, the AP and the Mobile Station (STA) exchange Nonces, the AP sends an Authenticator-Nonce (ANonce) and the STA a Supplicant-Nonce (SNonce). Additionally, STA generates a pairwise-master key (PMK) from the PSK, subsequently STA generates a pairwise-transient key (PTK) from it and both Nonces. The first 16 bytes of the PTK are called the key-confirmation key (KCK) and this key is used to sign the SNonce of STA, producing the MIC that is seen in the second message.

Now, after the STA sends the SNonce, the AP is able to construct the PTK as well. Additionally, it knows that the SNonce really comes from STA as the MIC confirms it. In the third message, the AP confirms that both parties have the same PTK by sending it’s ANonce again but attaching an additional MIC to it. Lastly, the STA ACKs that it received the third message.

Architecture

The following figure depicts a high-level overview of the authentication architecture we use to guess the correct passphrase.

As we limit ourselves to the passphrase-based authentication mechanism, we construct our PMK-guess from the passphrase and the SSID of the AP. With the PMK, the MAC-Addresses, and the Nonces we are able to construct our guess for the PTK. The PRF function is described in the following figure.

Where A and B are as depicted in Figure 2. There the split of the PTK can be seen conceptually, but a more detailled version is seen in Figure 4.

Using the KCK as our key, we generate our integrity-code based on the packet content, and derive our guessed MIC (gMIC). After we obtain this gMIC we are able to compare it to our real MIC (rMIC) we got from the packet capture. If the MICs are the same, our guess of the passphrase was correct, if it is not, we choose our next passphrase and repeat the process.

If you want to take a look at the source code, check cr4gg out on Github!.

Ethics Disclaimer

This project’s solely purpose is to gain more knowledge about wifi security and the language go. Do not use this tool to attack networks you do not have the permission to pentest on. I also think that publishing this tool is not harmful as more sophisticated tools like aircrack and cowpatty already exist.

References