Test Your Access Point For KRACK (FT Handshakes) using Kali Linux
Security researcher Vanhoefm, who discovered the severe flaw in WPA implementation dubbed – the KRACK ( Key Reinstallation Attack ) has now released a script that can check your router for KRACK using Kali Linux. The script is now available in ‘vanhoefm’ repository. All you have to do is setup Kali Linux, download KRACK Test repo, install some dependencies and run this script against an access point or client.
WPA2 and The Four Way Handshake
If a client wants to join a WiFi network with WPA security, a process known as 4 way handshake will be executed between the client and access point. the purpose of this handshake is to verify the client that wants to join the network have valid credentials as well as the generation of secret key which will be used for encrypting all the traffic between the access point and the client known as the PTK.
The 4 Way handshake looks like this.
Once the WPA Handshake is completed, all the data will be encrypted using the newly generated key.
What happens during the encryption process is the Pairwise Transfer Key or the PTK and Nonce (Packet Number) are mixed to obtain a key string known as the ‘Per Packet Key’. Here the Nonce is the numeracal value of the packet number which will be incremented by one for every packets.
This Per Packet Key is supposed to be unique and should not be used more than once .In other words, Nonce is not supposed to be repeated. Nonce reuse means the same key is used to encrypt multiple data packets.
The KRACK Attack or Key Re installation Attacks is performed by creating a fake access point with same ESSID but in a different channel which will be used for performing man in the middle attack against 4 way handshakes.
Consider the handshake shown above. Once the client receives the third packet, it installs the key in the device and send back acknowledgement to the access point. At this poit what the attacker does is, it blocks the 4th packet and prevent it from reaching the access point.
The Access point waits for the acknowledgement from the client device and if it does not receive the acknowledgement, Access point will think that client didn’t receive the third packet and so it will resend it again. This is repeated multiple times which causes the key to be installed multiple times. This will increment the packet number to reset and replay counter used by the encryption protocol.
This will lead to the decryption of the packets, replay attacks and various man in the middle attacks.
You can download the complete presentation from here.
First update and upgrade your Kali Linux current version to get latest packages by executing
sudo apt update
sudo apt upgrade
sudo apt dist-upgrade
This KRACK Kali script requires various libraries that may not be installed. So lets install them one by one.
sudo apt install libnl-3-dev libnl-genl-3-dev pkg-config libssl-dev net-tools git sysfsutils python-scapy python-pycryptodome
Open up the Network Manager and disable WiFi. Now execute the below command so that our script can use WiFi
sudo rfkill unblock wifi
Download the folder that contains the KRACK Kali Test scripts from below link
or clone the repository by executing the command
git clone https://github.com/vanhoefm/krackattacks-test-ap-ft.git
Now you have the script ready to run.
Running The KRACK Kali Script
python krack-ft-test.py –help
for help. This will explain everything in detail about the procedures to be followed.
First, disable hardware encryption by running
Reboot the system after running this command.
Create a wpa_supplicant configuration file to connect to the network like the one shown below and save it by the name wifi.conf.
Now connect to this network using the command
sudo wpa_supplicant -D nl80211 -i wlan0 -c wifi.conf
sudo krack-ft-test.py wpa_supplicant -D nl80211 -i wlan0 -c network.conf
which whill create another monitor interface which will perform the tests.
Now fire up another terminal and roam to a different access point in the same network using wpa_cli. Scan for access points and roam to it using the command
and generate traffic between AP and Client using
sudo arping -I wlan0 10.9.3.45
To know if the AP is vulnerable, go back to the previous terminal where we ran krack-ft-test.py to see the result.
Is your Access Point Vulnerable?
Almost every offices, home, markets, hospitals has Wireless networks. Almost all the wireless network uses WPA protocol as the best method of securing WiFi network. This revelation spread a wave of panic around the globe.
Most of the Wireless device vendors have already written patches and are available for download as firmware update. All you have to do is download and install the updated firmware to your device. But most the IOT devices that are actively running are helpless; there is nothing we can do about them.
This project is under a 2-clause BSD license
Copyright 2017 Mathy Vanhoef
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.