
Thread: How WPA functions? TKIP?

  1. #1
    Just burned his ISO
    Join Date
    Nov 2006
    Posts
    18

    Default How WPA functions? TKIP?

    Hey guys,

    I'm majoring in information assurance security and I have a couple of questions regarding WPA security. Does anyone have a link to how WPA actually functions? (I know there are several different keys and several hashes involved, but I can't find how they come into play.)

    I also finished setting up a functional RADIUS server for WPA encryption with EAP-PEAP authentication. This also includes using TKIP. Short of having individual keys for every user, does this server have any advantage over a fully random PSK? If I wanted to crack my WPA network (sniffing for a successful authentication) and I brute-forced the key, would that let me decode ALL of the rest of the packets for that user, or does TKIP change things? Would that cracked key be a "master" key that would let me decode anything regardless of TKIP?

    Any help would be appreciated =) I'm obviously falling a little short on the "theory" of WPA!

    Sending Access-Accept of id 9 to 192.168.0.1 port 1207
    MS-MPPE-Recv-Key = 0x55b9f91123f80xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxx7750
    MS-MPPE-Send-Key = 0xa1503c5d4a50xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxx6540
    EAP-Message = 0x03090004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "ryan"

    I believe the Recv key is the PMK????

  2. #2
    Senior Member shamanvirtuel's Avatar
    Join Date
    Mar 2010
    Location
    Somewhere in the "Ex" human right country
    Posts
    2,988

  3. #3
    Member elazar's Avatar
    Join Date
    Sep 2007
    Posts
    217

    Default

    Quote Originally Posted by ryanfx View Post
    Hey guys,

    Sending Access-Accept of id 9 to 192.168.0.1 port 1207
    MS-MPPE-Recv-Key = 0x55b9f91123f80xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxx7750
    MS-MPPE-Send-Key = 0xa1503c5d4a50xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxx6540
    EAP-Message = 0x03090004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "ryan"
    This looks like PEAP or EAP/MSCHAPv2. The MS-MPPE-Recv-Key attribute is part of MPPE, which is a Microsoft-built data encryption protocol used by common Windows PPTP VPN implementations. It's RC4, 128-bit. I am not sure how this plays out with WPA; hopefully the links that shaman provided can explain things better. Keep in mind that EAP is an authentication framework, not a real protocol.

    E

  4. #4
    Just burned his ISO
    Join Date
    Nov 2006
    Posts
    18

    Default

    Thanks guys. Yes, it is my PEAP authentication, and thank you for those links. I'm still a little stumped, but I did figure out the rec. key is the PMK for sure. How this plays into TKIP or decrypting sniffed traffic I am still unsure of.

  5. #5
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Google is your friend.

    Try things like "How TKIP works".

  6. #6
    Just burned his ISO
    Join Date
    May 2007
    Posts
    8

    Default

    Quote Originally Posted by ryanfx View Post
    Thanks guys. Yes, it is my PEAP authentication, and thank you for those links. I'm still a little stumped, but I did figure out the rec. key is the PMK for sure. How this plays into TKIP or decrypting sniffed traffic I am still unsure of.
    The TKIP key is derived from the PMK and some MAC addresses, so do the math.

    Have you really read the links provided?

    I suggest reading the IEEE 802.11 standard if you really want to understand how it works.
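
    The key hierarchy behind this reply and the original question, as an added worked example (not code from any poster): the PMK is either static per network (WPA-PSK, PBKDF2 over passphrase and SSID) or fresh per authentication (WPA-Enterprise, the first 32 bytes of the EAP MSK that the RADIUS server returns as MS-MPPE-Recv-Key), and the per-session PTK is then PRF-512(PMK, "Pairwise key expansion", MAC addresses || handshake nonces), as in IEEE 802.11i. The MAC addresses, nonces and MSK below are constructed sample values.

```python
import hashlib
import hmac


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    # WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # Same value for every station on the network, for as long as the passphrase lives.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmk_from_eap_msk(msk: bytes) -> bytes:
    # WPA-Enterprise: PMK = first 32 bytes of the EAP MSK. With PEAP/MSCHAPv2 the RADIUS
    # server delivers it to the AP as MS-MPPE-Recv-Key, so it is new for every authentication.
    return msk[:32]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    # 4-way handshake: the PTK binds the PMK to both MAC addresses and both nonces, so a
    # PMK alone yields nothing until the handshake of that particular session is seen.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)  # 64 bytes for TKIP, 48 for CCMP
    return {
        "KCK": ptk[0:16],      # EAPOL-Key MIC key
        "KEK": ptk[16:32],     # wraps the GTK in message 3
        "TK": ptk[32:48],      # TKIP temporal key (per-packet keys are mixed from this + TSC)
        "MIC_TX": ptk[48:56],  # Michael MIC keys (TKIP only)
        "MIC_RX": ptk[56:64],
    }


# Constructed sample values: AP and station MACs, a 64-byte MSK, and two handshakes' nonces.
AA = bytes.fromhex("001122334455")
SPA = bytes.fromhex("66778899aabb")
SAMPLE_MSK = bytes(range(64))
ANONCE_1, SNONCE_1 = bytes([0x11]) * 32, bytes([0x22]) * 32
ANONCE_2, SNONCE_2 = bytes([0x33]) * 32, bytes([0x44]) * 32

if __name__ == "__main__":
    pmk = pmk_from_eap_msk(SAMPLE_MSK)
    print("PSK-derived PMK(password, IEEE):", pmk_from_psk("password", "IEEE").hex())
    print("session 1 TK:", derive_ptk(pmk, AA, SPA, ANONCE_1, SNONCE_1)["TK"].hex())
    print("session 2 TK:", derive_ptk(pmk, AA, SPA, ANONCE_2, SNONCE_2)["TK"].hex())
```

    The PBKDF2 vector "password"/"IEEE" is the test vector from IEEE 802.11i Annex H; the two sessions share a PMK yet get different temporal keys, which is why a captured handshake is needed per session even when the PMK is known.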

  7. #7
    Just burned his ISO
    Join Date
    Nov 2006
    Posts
    18

    Default

    Quote Originally Posted by wotterspoon View Post
    The TKIP key is derived from the PMK and some MAC addresses, so do the math.

    Have you really read the links provided?

    I suggest reading the IEEE 802.11 standard if you really want to understand how it works.
    Yes, I've read the links. I've also successfully decrypted the .cap file using the PMK that was supplied on the RADIUS server readout. Thanks guys =D

  8. #8
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385

    Default

    Quote Originally Posted by ryanfx View Post
    Yes, I've read the links. I've also successfully decrypted the .cap file using the PMK that was supplied on the RADIUS server readout. Thanks guys =D
    You cracked a RADIUS server's "Master" PMK????

    I'm impressed! And that's hard to do.
    Good work ryanfx

  9. #9
    Just burned his ISO Chameleon-Digitz's Avatar
    Join Date
    May 2007
    Posts
    17

    Default

    Maybe it's just me, but it sounded like he said he 'decrypted' the cap, rather than cracked the WPA implementation of TKIP (RC4). If you already know the PMK <Insert w/e here>. It would seem that knowing the cipher & key usage is more important.

  10. #10
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385

    Default

    Quote Originally Posted by Chameleon-Digitz View Post
    Maybe it's just me, but it sounded like he said he 'decrypted' the cap, rather than cracked the WPA implementation of TKIP (RC4). If you already know the PMK <Insert w/e here>. It would seem that knowing the cipher & key usage is more important.
    After re-reading... it looks like you're right. I misread what he said... I thought he cracked a RADIUS server from scratch... without knowing the PMK... etc.

    Oh well...,
    I thought I had found some raw talent in the making here on cracking RADIUS servers, but maybe he can in the future... who knows. Anyone who can crack WPA2 Enterprise deserves a little credit.