This video is based on the Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 on the demonstration how weakness we discovered in WPA2 can be used to attack Android and Linux devices First, I will use an Android device to connect to our Wi-Fi testnetwork which now will be the network in present Notice that the network uses WPA2 encryption as indicated by the lock symbol Additionally, on visiting, for example, match.
com, Android would use HTTPS as an extra layer of protection This is indicated by the green HTTPS lock and also especially mentioned when viewing the web page info In other words, all transmitted information is securely protected using both WPA2 and HTTPS Let's now start the tools that will be used to attack Android and Linux device First, the following command is used to start a WPA2 attack script Notice that I include the protected Wi-Fi network that will be attacked on that will only target one specific device.
The tools starts by searching for the protected Wi-Fi network we will attack And then we will clone this network on a different channel This malicious clone of the network enables the attacker to reliably manipulate handshake messages which is required to abuse the weakness we discovered.
Second, you make sure the victim can access the internet to our malicious network Additionally, a more step of executing the sslstrip tool This tool will try to remove the additional HTTPS protection of improperly configured websites Finally, I am going to use wireshark to capture any data that the client will be transmitting You're now ready to carry out the attack So let's go to the smartphone and then connect to the WPA2-protected test network Once the victim enabled the Wi-Fi Android will search for the test network Once that it discover that network, it will try to connect to the real test network, which is not what we want Fortunately, we can solve this by sending special Wi-Fi frames that command the Android into switching to a different channel This tricks Android into connecting with the malicious cloned of the network Essentially, we now have a man in the middle position between the victim and the real Wi-Fi network This allows us to reliably manipulate the messages and carry out the key reinstallation attack against the 4-way handshake Normally, after executing such an attack the victim will reuse nonces when encrypting data frames and this allows us to recover any encrypted data However, due to the implementation bug Android and Linux will not reinstall the actual secret key Instead, they will reinstall an all-zero encryption key This makes a trial to intercept and manipulate all data that is transmitted by these devices When we now go to Wireshark, we can already see that a significant amount of data was intercepted Note that normally all these data encrypted using WPA2 and therefore isn't readable by the attacker.
However, without knowing the password of this protected wifi network we can read all the packets that the victim is sending This clearly demonstrates that we have successfully bypass WPA2 Let's now visit a website on the Android device of the victim And particular, you will again visit the match.
com As you can now see, there is no longer a green HTTPS lock on the address bar of the browser This means the website is no longer using HTTPS as an additional layer of protection Note that you're able to bypass HTTPS using sslstrip tool although this matter of bypassing HTTPS does not working in proper configured websites it does work against a significance fraction Unfortunately, many users do not realize HTTPS is no longer used and therefore will continue to login using their real e-mail address and password The attacker is now able to intercept the e-mail address and password of the victim.
Of course, this is only a demonstration using a fake account meaning the login fails Nevertheless, the attacker is able to see which password we try to use So let's go to the attacker and search for the login attempt We can see that the attacker was indeed able to intercept the username and password that the victim used To avoid being a victim of this attack against WPA2, you must update all your Wi-Fi devices.