Tuesday, July 31, 2012

WPA Injection and Decryption in SILICA

Recently I've been in a position to speak with a lot of SILICA customers and get some feedback on the tool and how it's being used.  Of course I love to hear the compliments of how SILICA has made the life of the wireless penetration tester much easier but I was most surprised to find out how SILICA is not being used. Let me familiarize you with some of my new favorite features of SILICA.

As Dave pointed out in a previous post, SILICA now has the ability to inject into WPA encrypted traffic in 3 different ways:


  • Client-side Injection - inject a client-side exploit into the target's browser.
  • Custom Injection - inject a custom payload of your choice!
  • Browser Auto-Complete Attack - pull saved passwords directly out of the browser. 

The most common responses that I get regarding injecting into WPA encrypted traffic are "it can't be done" and "the algorithm was designed to prevent that!".  As I have come to find out, the security industry doesn't believe anything it hears - only what it sees with its own eyes (this was a lesson learned after being rushed by all the Apple fans when I released the details of the Apple ARP disclosure at INFILTRATE 2012).

The main thing to understand when injecting into WPA is the difference between anti-replay and anti-injection mechanisms.  When breaking WEP you have the ability to "replay" a packet that will elicit a response from the wireless AP, each of which contains a small piece of a statistical puzzle that will eventually allow an attacker to derive the key.  WPA version 1 was designed to be a band-aid to the broken WEP algorithm (it's safe to think of it as an upgrade to WEP).  The industry's answer to the chaos and panic was to create an algorithm that was still compatible with the WEP devices but prevented a repeat of the same crypto errors.  But in the end - the only thing that was truly prevented was replay - not injection.

The one side effect to injecting into WPA traffic is that the AP will kick the target off the network for a short period of time - this is your only obstacle when injecting into a target device but the device will soon reconnect with your injection still in the browser/application ready to continue where it left off.

The ability to inject into a target's WPA traffic opens an attack vector as most users think they are protected on a WPA network.  The effects can be devastating.  What happens when you modify a patient's blood type in the medical industry, add/remove a 0 to a financial transaction or randomly insert dialogs from Quentin Tarantino movies into corporate emails?  The problem is actually quite serious.

Even if you are feeling generous and choose not to ruin or severely complicate lives with SILICA you can at least set up a custom phishing attack with the Custom Injection mode to harvest user names, passwords, PINs and tokens (just modify /su/Resouces/custom-injection.html to fit your needs).  SILICA will inject the contents of custom-injection.html into the target's browser - the rest is left up to your imagination.

I have never been on a wireless penetration test in which I was not able to get a WPA key in one way or another.  The truth is a WPA Pre-Shared Key (PSK) is usually common knowledge among employees and contractors alike.  You don't need to crack the key all the time as most people are willing to hand it over (or you can use the FakeAP attack in SILICA to break into a wireless device and pull the key off in plaintext).  When you have the key SILICA will do the rest to expose everything almost as if the data is traversing the network without any wireless encryption at all.

It goes without saying that if you have the ability to encrypt and inject into a target's browser then you also have the ability to decrypt a target's traffic as well.  Data is a valuable target - whether it be personal employee or proprietary data, network traffic or intellectual property.  Once you have the decrypted data all of this can be at your fingertips.  The quickest way to decrypt traffic using SILICA is to enter into Passive Session Hijacking mode.  This mode is typically used to hijack web sessions but it will also decrypt all WPA traffic for all clients on the network provided SILICA collects each of their handshakes (which it will do for you automatically).  SILICA will spawn Wireshark on a named pipe to which it will send all decrypted traffic for your viewing pleasure (eventually you will be able to run the collected traffic through STALKER.  You're welcome.).

This is the point at which your wireless penetration test truly begins.
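
Why one shared key plus a collected handshake exposes every client, shown as an added example (not SILICA's code and not part of the original post): the WPA-PSK pairwise key is derived only from the passphrase, the SSID and values sent in the clear during the 4-way handshake. The derivation follows IEEE 802.11i; the function names, MAC addresses and nonces are constructed for illustration.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, nbytes: int = 64) -> bytes:
    """PTK from the PMK plus the four cleartext handshake values (sorted pairs)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, nbytes)

def split_tkip_ptk(ptk: bytes) -> dict:
    """Split a 64-byte TKIP PTK into its component keys."""
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48],
            "MIC_AP_TX": ptk[48:56], "MIC_AP_RX": ptk[56:64]}

# Constructed sample values (not captured from any real network).
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

def observer_matches_client(passphrase: str, ssid: str) -> bool:
    """The client's PTK vs. the PTK a passive PSK holder derives from the same frames."""
    client_ptk = derive_ptk(derive_pmk(passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)
    observer_ptk = derive_ptk(derive_pmk(passphrase, ssid), STA_MAC, AP_MAC, SNONCE, ANONCE)
    return hmac.compare_digest(client_ptk, observer_ptk)

if __name__ == "__main__":
    keys = split_tkip_ptk(derive_ptk(derive_pmk("password", "IEEE"),
                                     AP_MAC, STA_MAC, ANONCE, SNONCE))
    print({name: value.hex() for name, value in keys.items()})
    print("observer derives the same PTK:", observer_matches_client("password", "IEEE"))
```

Nothing in the derivation is secret from someone who already holds the passphrase, which is why a PSK network gives its users no confidentiality from one another; per-user credentials via 802.1X/EAP remove the shared PMK.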

