1 Replies - 443 Views - Last Post: 30 November 2017 - 02:24 PM

#1 modi123_1  Icon User is online

  • Suitor #2
  • member icon

Reputation: 13768
  • View blog
  • Posts: 54,954
  • Joined: 12-June 08

WPA2 bug - aka "KRACK" - disclosed..

Posted 16 October 2017 - 09:57 AM

Keep yo' devices updated and be on the look out.


The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network.

That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream.
At its heart, the flaw is found in the cryptographic nonce, a randomly generated number that's used only once to prevent replay attacks, in which a hacker impersonates a user who was legitimately authenticated. In this case, an attacker can trick a victim into reinstalling a key that's already in use. Reusing the nonce can allow an adversary to attack the encryption by replaying, decrypting, or forging packets.
Windows and latest versions of Apple's iOS are largely immune from the flaws, according to security researcher Kevin Beaumont, in a blog post. However, Vanhoef said the security issue is "exceptionally devastating" for Android 6.0 Marshmallow and above.
White explained, however, that sites and services that provide content over strict HTTPS (known as HSTS) will encrypt traffic from the browser to the server.

In other words, it's still safe to access sites that encrypt your data over an insecure network.


Per their site:


Our attack is especially catastrophic against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux.

Linux's wpa_supplicant v2.6 is also vulnerable to the installation of an all-zero encryption key in the 4-way handshake [...] all Android versions higher than 6.0 are also affected by the attack

Is This A Good Question/Topic? 0
  • +

Replies To: WPA2 bug - aka "KRACK" - disclosed..

#2 Radius Nightly  Icon User is offline

  • D.I.C Head

Reputation: 22
  • View blog
  • Posts: 226
  • Joined: 07-May 15

Re: WPA2 bug - aka "KRACK" - disclosed..

Posted 30 November 2017 - 02:24 PM

Its old one, i mean older then a month, IDK if Mathy Vanhoef fall down from Mars today, back in 2008. i was using wrong pre-shared key to get connected to EDULAB, Cisco Center and CarNET Center to test security, after someone stole 20 laptops from there and bring down another ISP and government site (each PC on network was limited to 512KB/sec speed, lots of Firewalls all around the place, 30+ terminals, more then 200 computers, 6 servers and one Super Computer; damn i still want that big baby PSU, but without 3 air conditioning systems in 10x10 meters LOL). You can get connected, you are like isolated from the internet, but not from other clients (at this point, you can do lots of things). To avoid firewalls i used Intel EAP/PEAP (because classic one didnt gave me anything "powerful") with standard/limited information (such as guest/student/visitor username and password (if have one) to log in), didnt steal other information and has been connected to the internet (without real information to allow me nice connection), later i found one vulnerable router where i can connect using LAN cable (it was in locked cabinet that has big holes, so guests can access it for cable connection (for future work they are gonna need username/password, and its free one for guests), in the place where any guest can access it, and new cameras doesnt cover it, but connecting on WiFi or LAN doesnt make differences, everything was limited in the same way). After setting up both, LAN and WiFi to work together as one (i think it confuses whole Cisco Firewall set ups), i gained around 150MBPS speed (such a limit), at the same time i was able to get on one server that has no password protection and pull out 2GBPS speed. I tried it again, worked fine with Vista SP1 and Intel WiFi, with external (some Chinese USB WiFi), XP SP2 and Vista SP2 didnt made it that far, but connecting to WPA2 in this way was still working.

To crack WPA, nonsense to break password, because its combined from lots of characters and length (0-9, A-Z, a-z, special characters), it works with WEP well (0-9 and A-Z) where under 400K pockets password can be captured in 4 ways. So for WPA its easier to crack PIN, its similar to SIMs PUK, you forgot PIN, you have PUK, on WPA, you forgot password, you have PIN. Its numeric only, 8 characters long, where last number are index for previous 7, makes possibilities 0000000-9999999, thats much faster to crack then password.
Protection against this are WPS, usually it block your BSSID after eg. 5 tries for 24h. Changing BSSID usually doesnt help your progress to continue trying PINs because WPS usually at that stage block easier new BSSIDs. WPS also may change PIN all the time, until owner needs it. But old APs who have WPS disabled by default or dont have WPS at all are vulnerable.
And there is easier and faster way. Attacker will send deauthentication to target (router/AP), easy way to notice this is constantly disconnects, your device disconnect, reconnect, in a loop (until your device connect to attacker), and all clients (users who are connected with valid information) will get disconnected. Attacker then represent himself as target AP (same SSID, same channel, sometimes same MAC/ID, sometimes hidden AP to avoid detection from others), when clients try to reconnect, if attacker (who now represents himself as a real AP that clients looking for) are in range (its attacker, he probably have equipment and good position), clients will connect to the attacker (Chuck Norris Handshake approved), giving him password (so he can use password to connect to AP), but he can continue to be AP who staying between client and real AP (like repeater), capturing anything, stealing privacy, or representing you online in several ways (similar to cookie steal), so your online life can get worse, if he try to modify pockets from real AP to your device (to send you wrong information), your device will usually drop them (and usually you can notice 100% CPU usage for no reason).

Security becoming more advanced, peoples becoming greater and smarter, if something exists, it can be broken, so never let your guard down. Its impossible for signals to exist without any kind of interruption, so stay safe.
Was This Post Helpful? 0
  • +
  • -

Page 1 of 1