Attacking WPA-PSK

WPA / WPA2 Introduction 

It’s probably apparent by now that WEP needed to be replaced.  To accomplish this the Wi-Fi Alliance came up with a new standard called IEEE 802.11i – Wi-Fi Protected Access.  WPA is actually based on the draft version of 802.11i and does not implement all the features of the standard.  WPA was intended to be a quick fix for WEP, whilst the full implementation of 802.11i – WPA2 was developed.


The first major change within WPA was its use of the Temporal Key Integrity Protocol (TKIP).  WEP used an encryption key for data encryption which remained the same for every packet; whereas TKIP employs a dynamic encryption key scheme.

The second change was to rid the standard of the old CRC ICV checksum method.  The main weakness we have seen with CRC, is that it did not provide sufficiant protection against packet manipulation, easily allowing the injection of “valid” packets.  This was replaced with a Message Integrity Check (MIC) algorithm called Michael.  Michael is not as strong as the version used in WPA2, but the hardware requirements meant that this was not backward compatible with the hardware of older WEP equipment.


A second encryption protocol was introduced as part of WPA2 called Counter Mode Cipher Block Chaining Message Authentication Code Protocol (thankfully shortened to CCMP), based on the Advanced Encryption Standard (AES).  It’s complete departure from the RC4 based encyption used by WEP and meant that new hardware was required to support this standard.

Attack Vectors

Over recent years, weaknesses have been demonstrated in TKIP, including the ability to decrypt packets being sent to a client.  Though these are complex and difficult to implement.  The most viable attacks against WPA/2 networks are against weak passphrases and Wi-Fi Protected Setup (WPS).


The process of a wireless client authenticating and joining a WPA protected network, is much more complex than it was for WEP.  WPA packets are encrypted with dynamic keys, which are established during the authentication process (and then changed at regular intervals), but they are derived from a master key held by both parties.  This key is called the Pre-Shared Key (PSK) or Pairwise Master Key (PMK).

Pre-Shared Key

The PSK is a 256-bit key which is derived using the Password Based Key Derivation Function (PBKDF2), documented under RFC 2898.  The PBKDF2 is a SHA1 based function which takes several inputs.

PSK = PBKDF2(Passphrase, SSID, SSIDlen, 4096, 256) where:

    • 4096 is the number of times the function is performed
    • 256 is the size of the final key

The 4-Way Handshake

The purpose of this handshake phase is to derive the Pairwise Transient Key (PTK), which is the temporary encryption key used to encrypt data; and to confirm the identity of the wireless client (i.e. do they have the correct passphrase to join).

Source: wiki

Source: wiki

Packet 1

Key Descriptor Version: RC4 Cipher, HMAC-MD5 MIC (1)
Key Type: Pairwise Key

The two lines above are two examples that confirm the access point is using WPA TKIP, as the RC4 cipher is mentioned.

Replay Counter: 0

The replay counter is set to a value n, it may not always be 0 as in this case, but is used by the access point and client to track concurrent handshake packets.

Install: Not set
Key MIC: Not set

Note that the Install and Key MIC fields are not yet set.  The value in the field below is the ANonce, as it is generated and sent by the access point.

WPA Key Nonce: f7449f4ffb86488e5e23961b6eeb8625d3c0b11a5da73fe7…

Packet 2

Install: Not set
Key MIC: SetReplay Counter: 0

This is the SNonce, as it is generated and sent by the client.  Using the ANonce, SNonce and other information (see below) the client has already generated the PTK, calculated the MIC and included it in this packet.

WPA Key Nonce: 2fac8f76e7794763726ccbdb00ef275e97417b91b2e16a13…
WPA Key MIC: 8f4aeb8b937b5f48b1a9c741b382f61c

Packet 3

Install: Set
Key ACK: Set

The access point checks the MIC sent by the client in Packet 2 by using the same information.  It sends a reply with the Install and Key ACK fields set – this instructs the client that the PSK (and thus Passphrase) it’s using is correct and that it can continue to use it for communication.

Replay Counter: 1

The Replay Counter is increased by 1.

Key MIC: Set
WPA Key MIC: 5ec94d0a78b6a929501149624b9fa0b0

Packet 4

Replay Counter: 1

To indicate that this is the last packet in the handshake, the Key ACK bit is set back to 0.

Key ACK: Not set
WPA Key MIC: f3e29f4334b9f4ee8f999ec1823281e8

Pairwise Transient Key

This is the key used to encrypt data whilst it is in transit, it’s derived using the PBKDF2 function.



    • AMAC is the MAC address of the Access Point
    • SMAC is the MAC address of the client (supplicant)