WPA2 KRACK Attack

October 17, 2017

Introduction:

The security and Wi-Fi world took a beating when a vulnerability was found in the WPA2 protocol.
The vulnerability was discovered by Mathy Vanhoef, a Wi-Fi security researcher, while he was working on another paper.
The problem lies in the 4-way handshake of WPA2.


Some explanation:

When a client connects to an access point (AP) there is a 4-way handshake to secure the connection.
The final key is installed when message 3 of the handshake is received. After the key is installed, data between client and AP is encrypted.
This mechanism has a built-in flaw: when message 3 is not received (i.e. the AP gets no message 4 in reply), the access point will resend it. So the client can receive message 3 multiple times from the AP, and each time it will reinstall the key and reset the nonce counter to 0.

For detailed description visit https://www.krackattacks.com
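To make the flaw concrete, here is an added toy model of the client (supplicant) key-install logic described above; it is not code from this page, from krackattacks.com or from any Wi-Fi stack, and it uses no real cryptography. The class and function names (Supplicant, handle_msg3, send_data, run) are assumptions; the "nonce" stands for the packet number the client uses with the installed key, and the hardened variant applies the recommended countermeasure of not reinstalling a key that is already in use.

```python
"""Toy model of the WPA2 supplicant behaviour behind KRACK (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Supplicant:
    hardened: bool                      # True: ignore a retransmitted message 3
    tk: Optional[bytes] = None          # installed pairwise temporal key (toy value)
    nonce: int = 0                      # packet number used together with tk
    installed: bool = False
    used: set = field(default_factory=set)      # (tk, nonce) pairs already sent
    reused: list = field(default_factory=list)  # pairs sent a second time

    def handle_msg3(self, tk: bytes) -> str:
        """Message 3 of the 4-way handshake delivers the key to install."""
        if self.hardened and self.installed and tk == self.tk:
            # Countermeasure: the key is already installed, do not touch the nonce.
            return "ignored retransmission"
        self.tk = tk
        self.nonce = 0          # the reset on reinstall is the flaw
        self.installed = True
        return "installed"

    def send_data(self) -> tuple:
        """Encrypt one frame: consumes the next nonce under the current key."""
        self.nonce += 1
        pair = (self.tk, self.nonce)
        if pair in self.used:
            self.reused.append(pair)    # same key and nonce twice: keystream reuse
        self.used.add(pair)
        return pair


def run(hardened: bool) -> int:
    """Deliver message 3 twice around some data; return number of nonce reuses."""
    client = Supplicant(hardened)
    client.handle_msg3(b"TK-toy")
    client.send_data()
    client.send_data()
    client.handle_msg3(b"TK-toy")       # AP resends message 3 (it saw no message 4)
    client.send_data()
    client.send_data()
    return len(client.reused)


if __name__ == "__main__":
    print("vulnerable client nonce reuses:", run(hardened=False))
    print("hardened client nonce reuses:  ", run(hardened=True))
```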


Class A Vendor reactions:

Aruba networks
Aerohive
Ruckus Wireless


CVE codes:

  • CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
  • CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
  • CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
  • CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.


PoC Video:

https://www.youtube.com/watch?v=Oh4WURZoR98


PoC Code:

Unavailable at the moment