The following article demonstrates the process of testing any Wi-Fi capable device against a key reinstallation attack. I’ll demonstrate the test using Kali Linux installed in VirtualBox on a Windows machine. Then I’ll illustrate the process of testing a recently patched Windows 10 machine as well as an unpatched Android 7.0 mobile phone against the Key Reinstallation Attack. This article also explores a newly discovered vulnerability of WPA2 named KRACK Attack (key reinstallation attack) in a little more detail, as it’s one of the biggest vulnerabilities found in WPA2 to this day (patched only by a handful of operating systems and Wi-Fi product manufacturers). The main issue introduced by the KRACK attack is that it allows attackers to intercept all wirelessly transferred information in an unencrypted format, and do so without knowing the wireless WPA/WPA2 network password. Serious? You bet…
Introduction
First I’ll talk about the most recent type of attack associated with the Wi-Fi Protected Access II (WPA2) protocol and summarize what the KRACK Attack issue is and why it makes the WPA2 protocol so vulnerable. I’ll introduce WPA2 and show that it’s the most popular type of Wi-Fi protocol today. Then I’ll explain in detail how to use Kali Linux installed in VirtualBox as a testing machine.
What is Wi-Fi Protected Access II (WPA2)
So, first of all, what is WPA2?
In 2004, the Wi-Fi Alliance established a new security protocol called WPA2, which was primarily created to reinforce the common security of WLANs by further enhancing the overall safety of wireless networks. According to the authors of the survey on security scheme and attacking methods of WPA/WPA2, published in 2010, the strategic intent behind creating WPA2 was mainly “to defeat forgery attack, replay attack, weak-key attack” (Liu, Jin & Wang, 2010).
“It is almost impossible to overestimate the amount of time and money that will be saved if wireless security is set forth as a guiding tenet of wireless architecture.” (Swaminatha & Elden, 2002).
In 2006 Kaspersky Security Network (KSN) examined close to 32 million Wi-Fi hotspots and released statistics which demonstrated the massive popularity and acceptance of the WPA2 protocol. Figure 1 illustrates that WPA2 is currently used on 68% of all wireless networks in the world. It also shows that 22% of all wireless networks are unsecured and that WEP, as well as the original WPA protocol, is quickly losing ground to WPA2.
Figure 1 – Research on unsecured Wi-Fi networks across the world – Legezo (2016).
The above statistics (Figure 1) show that any vulnerability associated with the WPA2 security algorithm will introduce a huge risk, which brings me to the most recent vulnerability discovered in the WPA2 protocol.
About WPA2 Vulnerability – KRACK Attack (Key Reinstallation Attack)
The most recent WPA2 vulnerability is documented under the name ‘KRACK Attack,’ alternatively also called the ‘Key Reinstallation Attack.’ The KRACK attack is likely the most severe weakness which has been discovered in the WPA2 protocol and the first vulnerability that allows the attacker to read WPA2 encrypted traffic without knowing the actual wireless password. The issue currently impacts most if not all Wi-Fi devices, such as devices that use Android, Windows or Linux operating systems, including wireless devices manufactured by the major Wi-Fi product vendors.
The KRACK attack was first exposed in May 2017 by Mathy Vanhoef and Frank Piessens, two researchers at KU Leuven (the largest university in Belgium). The authors published the research paper titled ‘Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2’ in October 2017 which caused a worldwide concern about the future of the WPA2 security.
“This attack abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key”, and according to the authors of the research paper, “attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on.” (Vanhoef & Piessens, 2017).
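Why reinstalling an already-in-use key exposes traffic, as an added example that is not from the original article or from the researchers' scripts. The toy SHA-256 keystream (standing in for WPA2's AES-based cipher), the `Station` class and the sample frames are assumptions made for illustration, and the "patched" branch models the fix as refusing to reinstall a key that is already in use.

```python
import hashlib

def keystream(key, nonce, length):
    # Toy counter-mode keystream (SHA-256 of key, nonce and block index).
    # It stands in for the AES-based cipher of WPA2; only the fact that
    # the same (key, nonce) pair yields the same keystream matters here.
    out = b""
    block = 0
    while len(out) < length:
        data = key + nonce.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hashlib.sha256(data).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Station:
    """Simplified client: installs a session key and encrypts frames."""
    def __init__(self, patched):
        self.patched = patched
        self.key = None
        self.packet_number = 0

    def install_key(self, key):
        # Called each time handshake message 3 is accepted.
        if self.patched and key == self.key:
            return  # modelled fix: key already in use, keep the counter
        self.key = key
        self.packet_number = 0  # (re)installation resets the nonce

    def encrypt(self, plaintext):
        self.packet_number += 1
        ks = keystream(self.key, self.packet_number, len(plaintext))
        return self.packet_number, xor(plaintext, ks)

def simulate(patched):
    """Return (nonce_reused, second_frame_recoverable) for one session."""
    sta = Station(patched)
    key = bytes(range(16))                        # constructed session key
    known = b"DHCP request, predictable bytes."   # constructed, 32 bytes
    secret = b"password=correct-horse-battery!!"  # constructed, 32 bytes
    sta.install_key(key)
    pn1, c1 = sta.encrypt(known)
    sta.install_key(key)                          # retransmitted message 3
    pn2, c2 = sta.encrypt(secret)
    # With a repeated keystream, c1 XOR c2 equals known XOR secret.
    return pn1 == pn2, xor(xor(c1, c2), known) == secret

if __name__ == "__main__":
    print("unpatched:", simulate(False))
    print("patched:  ", simulate(True))
```

The unpatched station encrypts two different frames under the same key and nonce, which is exactly the condition the test script later in this article checks for.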
Key Reinstallation Attack – Proof-of-Concept
The following video (Figure 2) illustrates the Key Reinstallation Attack against an Android smartphone. As we can see, given the wireless nature of the offense, the victim is not aware that the attacker is capable of decrypting all of the wirelessly transmitted information. According to the authors, this attack is “exceptionally devastating against Linux and Android 6.0” (and above), which contain the vulnerability, which “makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices” (Krackattacks.com, 2017).
Figure 2 – KRACK Attacks: Bypassing WPA2 against Android and Linux – YouTube (2017).
So, let’s prepare our test environment:
CONFIGURE KALI LINUX VIRTUALBOX AS A KRACK ATTACK TESTING VM
I have a Windows computer and also an Android device, and I wish to find out if they are prone to the WPA2 KRACK Attack. To do so, I’ll use Kali Linux, which I’ll install on top of VirtualBox and which I’ll effectively turn into a Wi-Fi hotspot broadcasting a test Wi-Fi network called ‘testnetwork’. Any device that connects to this Wi-Fi network will immediately be tested against the WPA2 KRACK Attack. I’ll outline the entire process from scratch, including the installation of Kali in VirtualBox.
Test Requirements
So, what do we need? Well, essentially just a spare wireless USB adapter; the rest of the process only requires downloading VirtualBox and the Kali ISO. Here we go:
- Download and install Oracle VirtualBox + Oracle VM VirtualBox Extension Pack – Both programs should be at least version 5.2.0. Download URL: http://download.virtualbox.org/virtualbox/
- You’ll need a spare Wireless USB adapter. This is a requirement only if you’re planning to install Kali Linux onto a VirtualBox and be able to connect to a Wi-Fi network virtually. Otherwise, you should be able to use any old laptop and turn it into a Wi-Fi broadcasting machine. Anyhow, doing the process virtually seems easier to me. Also, regular Wi-Fi cards typically found in laptops sometimes do not work for this purpose. There are two wireless USB adapters that are generally known to work in Kali Linux:
  - TP-Link N150 Wireless High Gain USB Adapter (TL-WN722N) – https://www.amazon.ca/gp/product/B002SZEOLG/ – this is a cheap product, usually can be purchased for about $15 on Amazon.
  - I am using the Alfa Network IEEE 802.11 B/G/N Long-Range USB Adapter (model AWUS036NHR). This is a far better device and can be purchased for approx. $60 from Amazon: https://www.amazon.ca/s/keywords=AWUS036NHR or directly from the manufacturer: https://www.alfa.com.tw/products_show.php?pc=34&ps=8
- Download Kali 64 bit Linux – You can get the ISO file for 64-bit version from https://www.kali.org/downloads/
VirtualBox and KALI Installation Instructions
Install Wireless USB Adapter on your Windows Operating System
- Once this is done, you’ll see the wireless card attached to the system:
Install VirtualBox and Extension Pack onto your Windows OS
- First, install Oracle VirtualBox
- Then install Oracle VM VirtualBox Extension Pack
Note: Use the download files from the requirements section above.
Install Kali Linux as a Virtual OS in Oracle VirtualBox
- Open VirtualBox, then simply create a new Linux Machine. This is how I have configured mine:
- I gave Kali about 6GB RAM and 20 GB of HDD (Dynamically allocated VDI) – That should be more than sufficient.
- Once you’re done with the installation, you’ll see Kali Linux installed
- Right-click on your Kali Virtual Machine and go to settings. In the Network Settings, disable Network Adapter
- Then in USB settings, Enable USB Controller and set it to USB 2.0 and add in your Wireless USB adapter.
The above is somewhat of a critical setting because Kali Linux needs to see the wireless USB card attached to the host OS in order to connect to Wi-Fi.
- The next step is to actually install Kali Linux. To do so, attach Kali ISO file to VirtualBox
- Once done, simply press the OK button and start the Kali machine.
- You’ll be taken through an installation process. Typically people select Graphical Install option, which is somewhat easier to walk through:
During installation, you’ll be able to setup your root credentials, select Wireless card, configure disk, install GNU Grub, etc.
- Once the Kali GNU/Linux is installed, start it by using the first option from the Grub menu:
- Then, log in as ‘root’ user and you should be in the virtual copy of Kali Linux
Enable Wireless USB Adapter in Kali Linux installed in Oracle VirtualBox
- Once logged into Kali using your root credentials, go to top right-hand corner and make sure to turn off your Wi-Fi:
- Once done, Wi-Fi will be enabled, but not yet connected to a Wi-Fi network
- The next step is to click on Wi-Fi settings and configure connection to our own Wireless WPA2 network, the one on which we’ll demonstrate the use of KRACK Attack
- For these purposes, I’ve created a Wi-Fi network I called: SKG2
- Going to the properties of this network, we can see that it’s in fact a Wi-Fi Protected Access II (WPA2) type of network and I was able to successfully connect to it, using Kali installed as a virtual machine in VirtualBox:
This confirms that we’re able to use the Wireless USB adapter, and thus we should later be able to use Kali Linux to create our own Wireless ‘testnetwork’ hotspot, to which we will connect from any computer or device to do the test.
Turn Kali Linux Installed in VirtualBox to a Test Server for WPA2 Key Reinstallation Attack
Let’s run the instructions provided by Mathy Vanhoef, Postdoctoral Researcher in Computer Security at KU Leuven who discovered this particular vulnerability. Instructions are posted on Github: https://github.com/vanhoefm/krackattacks-scripts
So, first of all, in Kali, open Terminal (there is an icon on the side panel). We’ll first need to update the package lists; this is done by running:
sudo apt update
The result should look like this:
Once the packages are updated, let’s install all the dependencies for the KRACK scripts:
apt-get install libnl-3-dev libnl-genl-3-dev pkg-config libssl-dev net-tools git sysfsutils python-scapy python-pycryptodome
Now that we have all the dependencies installed, let’s clone the KRACK Attack scripts. Run the following command:
git clone https://github.com/vanhoefm/krackattacks-scripts.git
The scripts are cloned into our Kali Linux computer. The next step is to disable hardware encryption.
First, navigate to the folder:
cd krackattacks-scripts
Then run:
./krackattack/disable-hwcrypto.sh
The result should look like this:
Now we need to disable Wi-Fi in the Kali network manager, because we’re planning to start broadcasting our own network on wlan0.
So, let’s turn Wi-Fi off in Kali:
After disabling Wi-Fi, let’s execute the following command, which will allow the scripts to use Wi-Fi and create the test network.
sudo rfkill unblock wifi
Now, to create a test Wi-Fi network that fakes an attack against a client, we’ll use the krack-test-client.py script. This is a tool that will test all devices connecting to our new Wi-Fi network for vulnerability to the Key Reinstallation Attack.
Run the following command if you want to see the complete instructions contained in this script:
cd krackattack/
./krack-test-client.py --help
Otherwise, let’s just follow these instructions:
1. Let’s compile our modified hostapd instance. This has to be done only once.
cd ../hostapd
cp defconfig .config
make -j 2
2. Now, because some hardware encryption engines have bugs that interfere with the test script, let’s disable hardware encryption. Execute:
cd ../krackattack/
./disable-hwcrypto.sh
It’s recommended to reboot after executing this script.
3. Now, let’s create a new Wireless network, to which we’ll connect with devices that we need to test. The only command we have to execute is:
./krack-test-client.py
This tests for key reinstallations in the 4-way handshake.
Once executed, we’ll have a new Wi-Fi WPA2 network created, with SSID: testnetwork
Now that we have the basics out of the way, we can finally get to testing our devices.
Testing patched Windows 10 against Key Reinstallation Attack
My Windows 10 machine was updated with the latest security updates just recently, so I should be protected against KRACK attack.
So, let’s test it. Now that we have the WPA2 ‘testnetwork’ Wi-Fi running on Kali Linux, we should be able to see it in Windows. And surely I can:
Let’s connect to testnetwork. To do so, use the default password: abcdefgh
BTW: If you don’t like the default SSID name, you can change it by modifying the hostapd.conf file.
Anyhow, as soon as our Windows computer is connected to testnetwork, we should be able to see that Kali Linux is automatically testing all of the traffic that occurs on this network in order to determine if the Windows 10 computer connected to the testnetwork Wi-Fi is prone to the KRACK Attack.
Following is the result of my test (see screenshot below), where we see how the testing script keeps sending encrypted message 3’s to the client.
As we can see, the test confirms that my Windows computer is not vulnerable to pairwise key reinstallation in the 4-way handshake.
Note: Windows client *must* request an IP using DHCP for this test to start.
The result of my test says: “Client DOESN’T seem vulnerable to pairwise key reinstallation in the 4-way handshake”.
Note: If you see the following message: ‘Client is vulnerable to pairwise key reinstallations in the 4-way handshake!’, it means your OS is not patched and not protected against the KRACK attack, and intruders can likely decrypt all your information.
Now we can interrupt the test above and run the second test, key reinstallations in the group key handshake (or other parameters, using the --tptk and --tptk-rand options, to test against other variants of the key reinstallation attack).
So, if we wanted to check key reinstallations in the group key handshake, we’ll execute it like this (screenshot below) and we’ll again see our test Wi-Fi network called ‘testnetwork’:
In this way, we can also execute the --tptk and --tptk-rand parameter tests:
./krack-test-client.py --group
./krack-test-client.py --tptk
./krack-test-client.py --tptk-rand
Testing unpatched Android 7.0 against Key Reinstallation Attack
My Android 7.0 test mobile phone was not updated since July 2018, so I know for a fact that it’s vulnerable to the KRACK Attack.
Here is a screenshot to prove that it’s indeed an old kernel and old security patch:
Let’s see if our scripts running on Kali Linux can detect that we’re vulnerable to the KRACK Attack.
Again, I created a new Wireless network in Kali, to which I’ll connect using my Android device. I’ve executed:
./krack-test-client.py
Once running, I’ve connected my Android phone to the ‘testnetwork’ Wi-Fi:
And immediately I can see the results in Kali, letting me know that my Android client is Vulnerable to group key reinstallation in the 4-way handshake.
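When several devices are tested in one session, the verdict lines quoted above can be collected per client. The following is an added example, not part of the original article or of the krackattacks-scripts repository: the message wording is taken from this article, while the line layout (timestamp and client MAC prefix), the sample log and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Verdict wording as quoted in this article; accepts both ' and ’ apostrophes.
LINE_RE = re.compile(
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}).*?"
    r"(?P<verdict>DOESN['\u2019]T seem vulnerable|is vulnerable)"
    r" to (?P<kind>pairwise|group) key reinstallations?",
    re.IGNORECASE,
)

# Constructed sample output; the "[time] MAC:" prefix is an assumed layout.
SAMPLE_LOG = """\
[10:01:12] 02:00:00:00:00:01: 4-way handshake completed (RSN)
[10:01:15] 02:00:00:00:00:01: Client DOESN'T seem vulnerable to pairwise key reinstallation in the 4-way handshake
[10:03:40] 02:00:00:00:00:02: Client is vulnerable to group key reinstallations in the 4-way handshake!
[10:03:44] 02:00:00:00:00:02: Client DOESN'T seem vulnerable to pairwise key reinstallation in the 4-way handshake
"""

def triage(log_text):
    """Map each client MAC to {key kind: vulnerable?} from test output."""
    results = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # handshake progress and other informational lines
        mac = m.group("mac").lower()
        kind = m.group("kind").lower()
        vulnerable = m.group("verdict").lower().startswith("is")
        # A single "vulnerable" verdict is never overridden by a later pass.
        results[mac][kind] = results[mac].get(kind, False) or vulnerable
    return {mac: dict(kinds) for mac, kinds in results.items()}

def needs_patching(results):
    """Clients with at least one vulnerable verdict, sorted by MAC."""
    return sorted(mac for mac, kinds in results.items() if any(kinds.values()))

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for mac, kinds in sorted(report.items()):
        print(mac, kinds)
    print("update these devices:", needs_patching(report))
```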
I hope you enjoyed this tutorial.
Key Reinstallation Attack – Prevention
Unfortunately, as of Nov 2017, the issues still haven’t been addressed by the update of the WPA2 protocol. The recommended solution is to update the wireless devices as soon as the product vendors release the security updates. General online consensus is that there is a need for Wi-Fi standard modernization which can effectively stop this type of attack.
In response to the general concern, the Wi-Fi Alliance eventually released a statement (Wi-fi.org, 2017) in which they discussed a future plan to fix the exposed weaknesses of WPA2. However, as of now, there is no solution for the issue.
References
Swaminatha, T. M., & Elden, C. R. (2002). Wireless security and privacy: best practices and design techniques. Addison-Wesley Longman Publishing Co., Inc.
Legezo, D. (2016). Research on unsecured Wi-Fi networks across the world. [online] Securelist – Information about Viruses, Hackers and Spam. Available at: https://securelist.com/research-on-unsecured-wi-fi-networks-across-the-world/76733/ [Accessed 9 Nov. 2017].
Liu, Y., Jin, Z., & Wang, Y. (2010, September). Survey on security scheme and attacking methods of WPA/WPA2. In Wireless Communications Networking and Mobile Computing (WiCOM), 2010 6th International Conference on (pp. 1-4). IEEE.
Krackattacks.com. (2017). KRACK Attacks: Breaking WPA2. [online] Available at: https://www.krackattacks.com/#paper [Accessed 9 Nov. 2017].
Vanhoef, M. & Piessens, F. (2017). Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. [online] Available at: https://papers.mathyvanhoef.com/ccs2017.pdf [Accessed 9 Nov. 2017].
Wi-fi.org. (2017). Wi-Fi Alliance® security update | Wi-Fi Alliance . [online] Available at: https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-security-update [Accessed 9 Nov. 2017].
YouTube. (2017). KRACK Attacks: Bypassing WPA2 against Android and Linux. [online] Available at: https://www.youtube.com/watch?v=Oh4WURZoR98&feature=youtu.be [Accessed 9 Nov. 2017].