How to verify if the wireless network is vulnerable to Key Reinstallation Attack (KRACK)?

Key Reinstallation Attack (KRACK) is a critical flaw in the WPA2 protocol (CVE-2017-13077 to CVE-2017-13088):

1. Understand KRACK Vulnerability

KRACK exploits the WPA2 4-way handshake to force the reinstallation of an already-used encryption key, allowing attackers to:

Decrypt network traffic.
Inject malicious packets (e.g., ransomware, malware).
Hijack client connections.

Affected Devices:

All WPA2 networks (Personal and Enterprise).
Clients (laptops, smartphones, IoT) and access points (APs) with outdated firmware.

2. Tools Required

A wireless NIC supporting monitor mode (e.g., Alfa AWUS036ACH).
Linux machine (Kali Linux recommended).
Scripts/Tools:
- krack-test (GitHub)
- airodump-ng (capture handshakes).
- Wireshark (analyze packets).
- scapy (craft custom packets).

3. Testing Steps

A. For WPA2-Personal (PSK) Networks

Capture the 4-Way Handshake:
- Start monitoring the target network:
```
airodump-ng -c <channel> --bssid <AP_MAC> -w capture wlan0mon
```
- Wait for a client to connect (or deauth a client to force reconnection):
```
aireplay-ng -0 1 -a <AP_MAC> -c <Client_MAC> wlan0mon
```
- Verify the handshake is captured using aircrack-ng capture.cap.
Test for KRACK Using krack-test:
- Clone the KRACK test suite:
```
git clone https://github.com/vanhoefm/krackattacks
```
- Run the test script against the captured handshake:
```
./krack-test.py --pcap capture.cap
```
- Vulnerability Indicators:
  - Script detects retransmitted Message 3 or Group Key Handshake.
  - Wireshark shows replayed/duplicate handshake messages.

B. For WPA2-Enterprise (802.1X) Networks

Capture the 4-Way Handshake (same as above).
Exploit the Extended Key ID (if supported):
- Enterprise networks use key separation, but some implementations reuse keys.
- Use scapy to forge retransmissions of handshake messages:
```
# Example: Replay Message 3 of the 4-way handshake
sendp(radio_tap/ieee80211/dot11_4whs_msg3, iface="wlan0mon", count=10)
```
- Monitor if the client re-installs the PTK (Pairwise Transient Key).
Check for Client/AP Patches:
- Most modern devices (post-2017) are patched.
- Manually verify firmware versions of APs/clients (e.g., Cisco, Aruba, Windows 10+).

4. Signs of Vulnerability

Active Exploitation:
- Attackers can decrypt traffic using tools like ettercap or wireshark.
- Clients disconnect or experience instability during testing.
Passive Detection:
- APs/clients accept retransmitted handshake messages.
- No encryption errors when replaying packets.

5. Remediation

Patch All Devices:
- Update AP firmware (e.g., Cisco, Ubiquiti, OpenWRT).
- Ensure client OSes are updated (Windows, iOS, Android, Linux).
Enable WPA3:
- WPA3 uses Simultaneous Authentication of Equals (SAE) and is immune to KRACK.
Disable Legacy Protocols:
- Remove support for WPA-TKIP and WEP.

6. Automated Scanners

Nessus/Qualys: Use vulnerability scanners to detect unpatched APs/clients.
Acrylic Wi-Fi Professional: Scans for KRACK vulnerabilities in networks.

Example of a Vulnerable Network

# Running krack-test.py
[+] Detected retransmitted Message 3 in 4-way handshake.
[!] AP is vulnerable to CVE-2017-13077 (Key Reinstallation).

Note: KRACK primarily exploits client-side vulnerabilities, so even if the AP is patched, unpatched clients remain at risk. Always test both ends of the connection!

How to Check if PMF (Protected Management Frames) is Enabled on a Wi-Fi Network

Protected Management Frames (PMF) is a security feature defined in IEEE 802.11w that protects Wi-Fi management frames (e.g., deauthentication, disassociation) from forgery and eavesdropping. This prevents attacks like deauthentication attacks (e.g., using aireplay-ng).

Methods to Check PMF Status

1. Using Wireshark (Packet Capture Analysis)

Capture Wi-Fi traffic in monitor mode (e.g., using airodump-ng or Wireshark).
Look for Beacon frames or Association Response frames:
- PMF Capable (802.11w): Indicates support.
- PMF Required: Forces clients to use PMF (stronger security).

Steps:

Start capturing on the target Wi-Fi channel:

airodump-ng -c <channel> --bssid <AP_MAC> -w pmf_check wlan0mon

Open the .pcap file in Wireshark.
Filter for wlan.fc.type_subtype == 0x08 (Beacon frames).
Check the RSN (Robust Security Network) Information Element:
- If "Management Frame Protection Capable" is present → PMF is supported.
- If "Management Frame Protection Required" is present → PMF is enforced.

2. Using `iw` Command (Linux)

If you are connected to the network (or have access to a Linux machine with Wi-Fi):

iw dev wlan0 scan | grep -A 10 "SSID Name" | grep "RSN" -A 5

Look for Management Frame Protection: Yes or MFPC (Capable) / MFPR (Required).

Example Output:

RSN:     * Version: 1
     * Group cipher: CCMP
     * Pairwise ciphers: CCMP
     * Authentication suites: PSK
     * Capabilities: MFPC (PMF capable), MFPR (PMF required)

MFPC (Capable) → PMF is optional (clients can connect without it).
MFPR (Required) → PMF is mandatory (more secure).

3. Using Windows (`netsh` Command)

If connected to the network:

Open Command Prompt as Administrator.
Run:
```
netsh wlan show networks mode=bssid
```
Look for your target SSID and check the "Security settings" section.
- If "Management Frame Protection Supported" appears → PMF is enabled.

4. Using Android (Wi-Fi Analyzer Apps)

Apps like Wi-Fi Analyzer or NetX may show 802.11w or PMF status in AP details.

Interpretation of Results

Status	Security Implication
PMF Disabled	Vulnerable to deauth attacks (`aireplay-ng -0`).
PMF Capable (MFPC)	Optional (some clients may not use it).
PMF Required (MFPR)	Best security (blocks deauth attacks).

5. Use `wpa_cli` (Linux)

For WPA2-Personal:

Run:
```
wpa_cli -i wlan0
```
In the CLI, type scan_results and note the BSSID.
Type bssid <BSSID> and check the RSN flags:
- [MFPC] → PMF Capable.
- [MFPR] → PMF Required.

6. Check RADIUS Server Settings (White-Box)

If you have insider access, verify if the RADIUS server (e.g., FreeRADIUS, NPS) enforces PMF:
- Look for ieee80211w = 1 (PMF optional) or ieee80211w = 2 (PMF required) in the RADIUS client configuration.

7. Checking Access Point Configuration (White Box):

If you have been provided with access to the configuration interface of the wireless access point (as part of the white box testing), you can directly check the PMF settings.

Steps:
1. Log in to the access point's web interface or command-line interface.
2. Navigate to the wireless settings for the specific SSID you are testing.
3. Look for options related to security, WPA2/WPA3, and advanced settings.
4. You should find a setting labeled something like:
  - Protected Management Frames (PMF)
  - Management Frame Protection (MFP)
  - 802.11w
  - Secure Management Frames
5. The setting will likely have options like "Enabled," "Disabled," "Optional," or "Required."
Interpreting the Results:
- Enabled/Required: PMF is actively enforced. Clients that don't support PMF might not be able to connect.
- Optional: PMF is supported, and clients that support it will use it, but clients that don't can still connect without it. This is less secure than "Enabled/Required."
- Disabled: PMF is not enabled on the network

Key Notes for Both Networks

WPA2 + PMF: PMF is optional in WPA2 (defined in 802.11w) but mandatory in WPA3.
WPA3 Networks: PMF is always required, so this check is irrelevant for WPA3.

Example Scenarios

Scenario 1: PMF Disabled (Vulnerable)

Attackers can use aireplay-ng to deauth clients:

aireplay-ng -0 10 -a <AP_MAC> -c <Client_MAC> wlan0mon

Clients will disconnect and may reveal handshakes for cracking (WPA2-Personal).

Scenario 2: PMF Enabled (Secure)

Deauth attacks fail. You’ll see errors like:

aireplay-ng: Got a deauth/disassoc packet. Is PMF enabled on the AP?

Recommendations

Enable PMF in "Required" mode for both WPA2-Enterprise and WPA2-Personal.
Migrate to WPA3 (PMF is enforced by default).

Fly In Matrix

Saturday, April 5, 2025