Pierluigi Paganini
November 06, 2017
Last week I published a post warning of many industrial networking devices from various vendors are still vulnerable to the recently disclosed KRACK attack (Key Reinstallation Attack).
The Belgian researcher Mathy Vanhoef of imec-DistriNet, KU Leuven and his team of researchers discovered in the middle-October several key management flaws in the core of Wi-Fi Protected Access II (WPA2) protocol that could be exploited by an attacker to hack into Wi-Fi network and eavesdrop on the Internet communications stealing sensitive information (i.e. credit card numbers, passwords, chat messages, emails, and pictures).
The KRACK attack allows attackers to decrypt WiFi users’ data without cracking or knowing the password.
According to the researchers, the KRACK attack works against:
The KRACK attack works by exploiting a 4-way handshake of the WPA2 protocol that’s used to establish a key for encrypting traffic.
“When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value,” explained Vanhoef. “Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.”
The attacker just needs to trick a victim into re-installing an already-in-use key, which is achieved by manipulating and replaying cryptographic handshake messages.
KRACK Detector is a script written in Python Language that can detect possible KRACK attacks against client devices on your network. It uses Python 2 for backward compatibility with older operating systems.
“KRACK Detector is a Python script to detect possible KRACK attacks against client devices on your network. The script is meant to be run on the Access Point rather than the client devices. It listens on the Wi-Fi interface and waits for duplicate message 3 of the 4-way handshake. It then disconnects the suspected device, preventing it from sending any further sensitive data to the Access Point.” states the description of the tool.
Network administrators have to run the script on the Access Point rather than the client devices, it listens on the Wi-Fi interface and waits for duplicate message 3 of the 4-way handshake. Once it detects a device sending the handshake message it then disconnects it in order to prevent it from sending any further sensitive data to the Access Point.
The presence of message 3 of the 4-way handshake is a necessary condition for the Krack attack, however, it might be retransmitted even if no attack is ongoing.
“In such a case the client device will be disconnected from the Wi-Fi network. Some client devices will take some time to re-authenticate themselves, losing the Wi-Fi connection for a few seconds.” reported the Kitploit.com.
No external Python packages are required, network administrators have to run the script as root and pass the Wi-Fi interface as a single argument.
Administrators need to use the actual Wi-Fi interface and not any bridge interface it connects to.
python krack_detect.py wlan0The tool also allows avoiding suspending suspected devices by using the “-n” flag
python krack_detect.py -n wlan0The tool is available on Github at the following link:
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – KRACK attack, KRACK Detector )
[adrotate banner=”5″]
[adrotate banner=”13″]
