KRACK (Key Reinstallation AttaCK)

By -


KRACK (Key Reinstallation AttaCK)
Brief, Impact, Recommendation & References


Introduction
A severe flaw in most secured WPA2 Protocol of WIFI Standard, successful exploitation of which allow an attacker in range of WIFI enabled devices or network to read data in transit (i.e. such as username, password and credit card details etc.) and is potentially at risk of leakage and can modify depends on WIFI implementations. 


The Weakness is in the WI-FI standard itself and thus even secured implemented WPA2 WIFI network can also be prone to attack.
KRACK (Key Reinstallation AttaCK) exploit a weakness in Four-way handshake process between a user’s device trying to connect and a WI-FI Network. It allows an attacker unauthorized access to the network without knowing the password and the possibility of performing Man-In-The-Middle Attack to sniff or modifying the data.

KRACK Attack: Example against 4-way handshake  
In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. A client initiate a connection and join a network, execute the 4-way handshake to generate encryption key. The same encryption key will install after receiving message 3 of 4-way handshake. Once the key is installed, the same encryption key is used to encrypt the normal data using the encryption protocol. In case of message drop or lost, Access Point will retransmit the message 3 if it did not receive an appropriate acknowledgement response and client receive message 3 multiple times and will reinstall the same encryption key and thereby reset the transmit packet number (nonce) and receive replay counter used by encryption protocol.
An attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of 4-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged.
 
Impact: 
  1. Data in transit can be read by the attacker.
  2. Data in transit may be modified if WIFI implemented with WPA-TKIP or GCMP protocols and more can be done.
Ways to protect yourself 
  1. Update your devices, operating systems and perimeter devices with latest update and configure them to automatic updates with latest patches
  2. Keep all your IT devices up to date and upgraded with latest versions.
  3. Use VPN, will encrypt all your internet traffic and could protect you from this types of attack.
  4. Always use SLL over your application like Secured HTTP, FTP and more.
  5. Use LAN connection instead of WIFI for your critical business functions till patch is available for your AP/Device/System.


Affected Vendor Products:

Refer link: http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4
 
Vendors released KRACK Patched:

Refer link: https://www.fixkrack.com/
 

Comments

Post a Comment

Popular posts from this blog

Payment Gateway Security Testing Checklist

By -
Below given are some of the possible testing scenarios, which may prove to be useful in performing payment gateway testing. Whether all the types of payment options available through the payment gateway are selectable or not.  Whether each payment option is showing its specification and requirements after being selected by the user.What happens, after the failure of the payment process or if the session ends.  To check, if the payment gateway is allowing to enter data in the blank fields of the card number, card name, expiry date and CVV number.  To examine, how the payment gateway system behaves or responds, after leaving one or more fields, blank such as leaving CVV number field, blank, etc.  Whether the user is being redirected to the application page, after the successful completion of the payment process.  Applying language change, during the payment process. Checking successful integration of
Read more

Network Security VAPT Checklist

By -
Network Security VAPT Checklist Lets talk about the scope first. If you are given a 500 machines to perform VAPT, then here is your scope. Single machine can have 65535 ports open. Any single port can deploy any service software from the world. For example FTP can be run on smartftp, pureftpd etc. Any single FTP software version (for example pureftpd 1.3.3a) can have number of vulnerabilities available. So if you multiply all of these, then it is impossible for any auditor to go ahead and probe all ports manually and find services manually. Even if he/she is able to do it, it is impossible to check all vulnerabilities that are pertaining to a single port of a single machine. Hence we have to rely on scanners such as nexpose, nessus, openvas, coreimpact etc. Here are some quick tools and test cases that one can perform on commonly found ports in the network pentest. Ø   Identify live hosts ·          Ping ·          Hping ·          Nmap Ø   Identify OS type ·
Read more

How to dump Database using Sqlmap

By -
Image
Database Dump using SQLMap Find out the parameter of application that is vulnerable to SQL injection . Vulnerable Parameter  : “User ID” Enter ‘ and then click on Submit button. will get the SQL Error. Now Intercept the Request in burp. Copy the incepted request and save it in sqlmap installed directory. Open CMD and go to the directory where SQL map is installed (C:/sqlmap) and type sqlmap.py –r sqlinjection (filename) –-dbs and then enter. (dbs is used for dump database name). Then type Y and enter. Type N and enter, it display all the database . Now we have to find out the table in database. Type sqlmap.py –r sqlinjection –D dvwa(database name) –tables.     In the above snap we got the table name in dvwa database. Then we have find out the column name. type sqlmap.py –r sqlinjection –d dvwa –T users –column. Now we are going to dump the userid and password from column. Type sqlmap.py –r sqlinje
Read more