Wireless Security - Authentication Attacks


As you probably know by now, authentication is the method of verifying the presented identity and credentials. Most of the authentication schemes used in wireless setups are secured with proper encryption.

We have already described the scenario based on EAP-authentication used in WPA/WPA2, with PSK authentication. By sniffing the 4-way handshake between the client and the authenticator (AP), one may perform a brute-force attack (example – offline dictionary attack) to break the encryption and derive the PSK value.

Another example can be LEAP (Lightweight Extensible Authentication Protocol). It was used in olden times as a mechanism to generate dynamic WEP keys. In this setup, the password hashes were flowing over-the-air hashed with MS-CHAP or MS-CHAPv2 algorithms (both of them are crack-able with an offline dictionary attack). A short description of the authentication attack that may be applied to LEAP would consist of the following steps −

  • The username is sent in a clear text.

  • There is a challenge text in clear text.

  • The response text is hashed.

  • Office dictionary attack, that can be used here (using aircrack-ng tool) to try all the combinations of the password inside "function(password,challenge) = response" mathematical formula, to find the right password.

Examples of such attacks will be illustrated step-by-step in the coming chapters.