Attacking WPA/WPA2
How it works
WPA
WPA (with TKIP) protects each frame through the following steps:
Generation of Keystream:
The Temporal Key (TK), the Transmitter Address (TA, the MAC address of the sending station, not the destination) and the TKIP Sequence Counter (TSC) are the inputs to a two-phase key-mixing function.
The mixing function produces a 128-bit per-packet WEP seed: a 24-bit IV (derived from the TSC) followed by a 104-bit RC4 key. Because the key changes every packet, the same TK never seeds RC4 twice.
RC4 is seeded with this per-packet key and produces a keystream as long as the data to be encrypted (the MPDU plus its ICV).
MIC Calculation:
The Michael algorithm computes a 64-bit Message Integrity Check (MIC) over the MAC Service Data Unit (MSDU), together with the destination address, source address and priority, under a separate 64-bit MIC key. The MIC is appended to the MSDU.
Fragmentation:
The MSDU plus MIC is fragmented, if necessary, into one or more MAC Protocol Data Units (MPDUs).
ICV Calculation:
A 32-bit Integrity Check Value (ICV), a plain CRC-32, is calculated over each MPDU. The ICV is linear and is not a cryptographic check; Michael was added precisely because the ICV alone cannot detect deliberate bit flips.
Encryption:
The MPDU followed by its ICV is XORed with the RC4 keystream, producing the encrypted data.
MAC Frame:
The IV/Extended IV field, which carries the TSC and the key ID in the clear, is prepended to the encrypted data to create the final MAC frame. The receiver uses the TSC to rebuild the per-packet key and rejects frames whose TSC does not increase (replay protection).
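The TKIP pipeline above, as an added Python example that is not code from the original page: Michael, RC4 and the CRC-32 ICV follow the published algorithms (the Michael output for the all-zero key and empty message is the standard test vector 82925c1ca1d130b8); the TKIP key-mixing function is replaced by a labelled placeholder (a SHA-256 of TK, TA and TSC, an assumption made only so the example runs stand-alone), the IV/Extended IV field is simplified to a 6-byte TSC, and all keys, addresses and payloads are constructed. The forge_bit_flip function shows why step 2 (Michael) exists: it flips a bit in the encrypted MPDU and patches the encrypted ICV using CRC-32 linearity, so the ICV still verifies and only the MIC check rejects the frame.

```python
import hashlib
import struct
import zlib

MASK32 = 0xFFFFFFFF

def _rol(x, n): return ((x << n) | (x >> (32 - n))) & MASK32
def _ror(x, n): return ((x >> n) | (x << (32 - n))) & MASK32
# XSWAP: swap the two bytes inside each 16-bit half of the word.
def _xswap(x): return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)

def michael(key, msg):
    """Michael MIC (IEEE 802.11i): 64-bit key, 32-bit message words, 64-bit tag."""
    l, r = struct.unpack("<II", key)
    # Pad with 0x5a, then 4 to 7 zero bytes, up to a multiple of 4 bytes.
    padded = msg + b"\x5a" + b"\x00" * (4 + (-(len(msg) + 1)) % 4)
    for (m,) in struct.iter_unpack("<I", padded):
        l ^= m
        r ^= _rol(l, 17); l = (l + r) & MASK32
        r ^= _xswap(l);   l = (l + r) & MASK32
        r ^= _rol(l, 3);  l = (l + r) & MASK32
        r ^= _ror(l, 2);  l = (l + r) & MASK32
    return struct.pack("<II", l, r)

def rc4_keystream(key, n):
    """Plain RC4: key scheduling, then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def per_packet_key(tk, ta, tsc):
    """ASSUMPTION / placeholder: real TKIP mixes TK, TA and TSC through a two-phase
    S-box function into a 128-bit WEP seed; a hash of the same inputs stands in here."""
    return hashlib.sha256(tk + ta + tsc.to_bytes(6, "big")).digest()[:16]

def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def tkip_protect(tk, mic_key, ta, da, sa, tsc, msdu):
    """MSDU -> Michael MIC -> (single-fragment) MPDU -> ICV -> RC4 -> TSC || body."""
    mic = michael(mic_key, da + sa + b"\x00" * 4 + msdu)  # priority + 3 reserved zero bytes
    mpdu = msdu + mic
    icv = struct.pack("<I", zlib.crc32(mpdu))
    keystream = rc4_keystream(per_packet_key(tk, ta, tsc), len(mpdu) + 4)
    return tsc.to_bytes(6, "big") + _xor(mpdu + icv, keystream)

def tkip_unprotect(tk, mic_key, ta, da, sa, last_tsc, frame):
    """Replay check on the TSC, then RC4, ICV check and Michael check."""
    tsc = int.from_bytes(frame[:6], "big")
    if tsc <= last_tsc:
        raise ValueError("replay: TSC not increasing")
    plain = _xor(frame[6:], rc4_keystream(per_packet_key(tk, ta, tsc), len(frame) - 6))
    mpdu, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(mpdu)) != icv:
        raise ValueError("ICV mismatch")
    msdu, mic = mpdu[:-8], mpdu[-8:]
    if michael(mic_key, da + sa + b"\x00" * 4 + msdu) != mic:
        raise ValueError("Michael MIC mismatch")
    return tsc, msdu

def forge_bit_flip(frame, offset, mask):
    """Flip bits in the encrypted MPDU and patch the encrypted ICV using the
    linearity of CRC-32 (crc(m^d) = crc(m)^crc(d)^crc(0)), so the ICV still
    verifies and only Michael objects."""
    body = bytearray(frame[6:])
    n = len(body) - 4
    delta = bytearray(n)
    delta[offset] = mask
    icv_delta = zlib.crc32(bytes(delta)) ^ zlib.crc32(b"\x00" * n)
    body[offset] ^= mask
    body[n:] = struct.pack("<I", struct.unpack("<I", body[n:])[0] ^ icv_delta)
    return frame[:6] + bytes(body)

def demo():
    tk, mic_key = bytes(range(16)), bytes(8)        # constructed keys
    ta = sa = bytes.fromhex("001122334455")          # constructed addresses
    da = bytes.fromhex("66778899aabb")
    msdu = b"constructed MSDU payload"
    frame = tkip_protect(tk, mic_key, ta, da, sa, 1, msdu)
    tsc, out = tkip_unprotect(tk, mic_key, ta, da, sa, 0, frame)
    results = {"roundtrip": tsc == 1 and out == msdu}
    for name, last_tsc, f in (("replay", 1, frame),
                              ("forgery", 0, forge_bit_flip(frame, 0, 0x01))):
        try:
            tkip_unprotect(tk, mic_key, ta, da, sa, last_tsc, f)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results
```

demo() returns the round-trip result plus the two rejections: the replayed frame fails on the TSC before any decryption, and the bit-flipped frame passes the ICV check and is caught only by Michael.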
WPA2
WPA2 uses CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), which is AES-128 in CCM mode: counter mode for confidentiality and CBC-MAC for integrity. Additional authentication data (AAD) is built from the MAC header and fed into the CBC-MAC computation, so the unencrypted header is integrity-protected: any change to it invalidates the MIC even though it is never encrypted.
The per-frame nonce is built from the frame's priority, the transmitter address (A2) and the 48-bit packet number (PN). It is not random; it is a unique value per frame under a given key, and a PN must never repeat, because counter mode with a reused nonce leaks the XOR of the two plaintexts. The inputs to encryption are the plaintext, the temporal key, the AAD and the nonce. The PN is also carried in the clear in the 8-byte CCMP header, and the receiver drops any frame whose PN is not greater than the last one accepted, which defeats replay.
CCM outputs the ciphertext and a 64-bit MIC, itself encrypted under counter mode. The final WPA2 MAC frame is the MAC header, the CCMP header, the encrypted data and the encrypted MIC.
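The CCMP construction above, as an added Python example that is not code from the original page. It uses the third-party cryptography package (AESCCM with an 8-byte tag) for AES-CCM itself and builds the 13-byte nonce (priority, A2, PN), the 8-byte CCMP header and the AAD around it. Assumptions: the AAD is the whole MAC header (real CCMP masks the mutable FC, Sequence Control and QoS bits first), the frame uses a fixed 24-byte data header, and the key, addresses and plaintext are constructed. The demo shows that a replayed PN is rejected before decryption and that flipping a bit in the unencrypted header fails the MIC check.

```python
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

MIC_LEN = 8  # CCMP uses a 64-bit MIC

def ccmp_nonce(priority, a2, pn):
    """13-byte CCM nonce: priority/TID octet || A2 (6 bytes) || PN (6 bytes, PN5 first)."""
    return bytes([priority & 0x0F]) + a2 + pn.to_bytes(6, "big")

def ccmp_header(pn, key_id=0):
    """8-byte CCMP header: PN0 PN1 rsvd (KeyID<<6 | ExtIV) PN2 PN3 PN4 PN5, PN0 least significant."""
    p = pn.to_bytes(6, "little")
    return bytes([p[0], p[1], 0x00, 0x20 | (key_id << 6), p[2], p[3], p[4], p[5]])

def ccmp_protect(tk, mac_header, priority, pn, plaintext):
    """AAD = MAC header (simplification: real CCMP masks mutable header bits first)."""
    a2 = mac_header[10:16]  # FC(2) + Duration(2) + A1(6) precede A2
    ct_and_mic = AESCCM(tk, tag_length=MIC_LEN).encrypt(
        ccmp_nonce(priority, a2, pn), plaintext, mac_header)
    return mac_header + ccmp_header(pn) + ct_and_mic

def ccmp_unprotect(tk, hdr_len, priority, replay_counter, frame):
    """Parse the PN, reject replays, then AES-CCM decrypt; any change to header
    (AAD), ciphertext or MIC raises InvalidTag."""
    mac_header, h = frame[:hdr_len], frame[hdr_len:hdr_len + 8]
    if not h[3] & 0x20:
        raise ValueError("ExtIV bit not set")
    pn = int.from_bytes(bytes([h[0], h[1], h[4], h[5], h[6], h[7]]), "little")
    if pn <= replay_counter:
        raise ValueError("replay: PN not increasing")
    a2 = mac_header[10:16]
    pt = AESCCM(tk, tag_length=MIC_LEN).decrypt(
        ccmp_nonce(priority, a2, pn), frame[hdr_len + 8:], mac_header)
    return pn, pt

def demo():
    tk = bytes(range(16))  # constructed temporal key
    a1, a2, a3 = (bytes.fromhex(x) for x in ("66778899aabb", "001122334455", "66778899aabb"))
    # Constructed 24-byte data header: FC, Duration, A1, A2, A3, Sequence Control.
    mac_header = bytes.fromhex("08410000") + a1 + a2 + a3 + b"\x00\x00"
    pt = b"constructed plaintext"
    frame = ccmp_protect(tk, mac_header, 0, 1, pt)
    pn, out = ccmp_unprotect(tk, 24, 0, 0, frame)
    results = {"roundtrip": pn == 1 and out == pt}
    tampered = bytearray(frame)
    tampered[4] ^= 0x01  # flip a bit in A1: unencrypted, but covered by the AAD
    for name, counter, f in (("replay", 1, frame), ("header_tamper", 0, bytes(tampered))):
        try:
            ccmp_unprotect(tk, 24, 0, counter, f)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
        except InvalidTag:
            results[name] = "MIC check failed"
    return results
```

The replay check runs on the cleartext PN before any AES work, which is how a receiver avoids spending a decryption on every replayed frame; the header tamper case is the property the AAD buys, since the bytes that changed were never encrypted.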
Cracking WPA/WPA2 keys
Remember that a NIC and driver supporting monitor mode are needed to capture the handshake, and packet injection if you want to deauthenticate clients to force one. Check support with iw list (look for "monitor" under "Supported interface modes"), enable it with airmon-ng start wlan0 or iw dev wlan0 set type monitor, and confirm injection works with aireplay-ng --test wlan0mon.