aircrack-ng/airodump-ng WPA/WPA2 handshake bug

[darkAudax]

This came out my investigation for the following thread:  http://tinyshell.be/aircrackng/forum/index.php?topic=4054

Jano sent me some files which were not working with aircrack-ng. Basically aircrack-ng would fail to find the passphrase even though it was in the password file. I am sending you this by e-mail instead of posting to the trac system because Jano does not want the capture files to be public.

His e-mail and files are at the end. I am also including my "fixed" file: alice.fixed4.cap I simply selected two correct handshake packets. The PSK is "ulwnbe5izzpx06zmxgk2zvgj".

Basically the root problem is that aircrack-ng fails to properly select handshake packets when there are lots of bits and pieces of handshakes in the capture. I looked at the source code to see how it selects the handshake. I have documented this below plus documented what I think the criteria should be. Please see if you agree. If you do agree then aircrack-ng plus airodump-ng would need to be updated.

Currently how EAPOL packets are determined:

Packet 1 Pairwise Key = 1, Install = 0, ACK = 1, MIC = 0

Packet 2 Pairwise Key = 1, Install = 0, ACK = 0, MIC = 0

Packet 3 Pairwise Key = 1, Install = 1, ACK = 1, MIC = 1

Packet 4 Pairwise Key = 1, Install = 0, ACK = 1, MIC = 0 NOTE: In the aircrack-ng code, packets 2 and 4 are grouped together.

Here is the revised criteria: Packet 1 Pairwise Key = 1, Install = 0, ACK = 1, MIC = 0

Packet 2 Pairwise Key = 1, Install = 0, ACK = 0, MIC = 0 Plus it has (Vendor Specific: WPA Tag number 22) or (RSN Information Tag number 48). IE WPA or WPA2.

Packet 3 Pairwise Key = 1, Install = 1, ACK = 1, MIC = 1

Packet 4 Pairwise Key = 1, Install = 0, ACK = 1, MIC = 0 Plus it has no tags, unlike packet 2 which does have tags.

Valid combinations are packets 2/3 or packets 3/4.

Here is additional criteria to be added:

When it is packet 2/3 then: Replay counter field must be consecutive. Examples: 0/1, 23/24, 67/68.

When it is packet 3/4 then: Replay counter field must have the same value.

Additionally, the frame numbers for both packets 2/3 and 3/4 should be fairly close to each other. Possibly have an additional criteria that require the frame numbers to be within say 20 of each other. Normally they would be very, very close. However, if the network is busy then maybe they could be further apart.

Some personal notes which cannot be used in programming: WPA / WPA2

Packet 1 Key Information: 0x89 / 0x8A

Packet 2 Key Information: 0x109 / 0x10A

Packet 3 Key information: 0x1C9 / 0x13CA

Packet 4 Key information: 0x109 / 0x30A

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ E-MAIL from Jano:

- This is the files, i tested with reduced .cap file, but i have the same result - Thanks for attention

Jano

jano:~/Pentest/cowpatty$ ./cowpatty -r Alice_reduced.cap -f dict -s Alice-93689788 cowpatty 4.3 - WPA-PSK dictionary attack.

Collected all necessary data to mount crack against WPA/PSK passphrase. Starting dictionary attack.  Please be patient. key no. 1000: appointment key no. 2000: canonize key no. 3000: contraceptive key no. 4000: division

The PSK is "ulwnbe5izzpx06zmxgk2zvgj".

4092 passphrases tested in 77.15 seconds:  53.04 passphrases/second _

jano:~/Pentest/cowpatty$ ./cowpatty -n -r Alice_reduced.cap -f dict -s Alice-93689788 cowpatty 4.3 - WPA-PSK dictionary attack.

Collected all necessary data to mount crack against WPA/PSK passphrase. Starting dictionary attack.  Please be patient. key no. 1000: appointment key no. 2000: canonize key no. 3000: contraceptive key no. 4000: division Unable to identify the PSK from the dictionary file. Try expanding your passphrase list, and double-check the SSID.  Sorry it didn't work out.

4092 passphrases tested in 74.08 seconds:  55.24 passphrases/second

jano:~/Pentest/cowpatty$ aircrack-ng -w Dict_Alice_not_found.txt Alice_reduced.cap Opening Alice_reduced.cap Read 18 packets.

#  BSSID              ESSID                     Encryption

1  00:1C:A2:D6:D3:84  Alice-93689788            WPA (1 handshake)

Choosing first network as target.

Opening Alice_reduced.cap Reading packets, please wait...

Aircrack-ng 1.0 rc2 r1421

[00:00:04] 1616 keys tested (325.25 k/s)

Current passphrase: osahm6ezxmcvzfiq2pcs5vz0  

[edgan]

I would say forget the replay counter. I have seen handshakes work just fine without them. Why make it more strict than it has to be?

[edgan]

I have analyzed Jano's capture file. It highlights a number of different issues. I have summarized them in the post linked below.

 http://forum.aircrack-ng.org/index.php?topic=4054.msg30718#msg30718

[misterx]

See also #721

[dandart@…]

I've got Pairwise 1111, Install 0010, Ack 1010, Mic 0111, Secure 0111, Encrypted key data 0010. These handshakes are also not detected correctly. (They are valid, right?)

[misterx]

Could you upload it?