KRACK attack overview
KRACK stands for Key Reinstallation AttaCKs. It's a tranche of vulnerabilities publicly disclosed in October 2017 by a team from KU Leuven. The attack is the exploitation of a fundamental flaw in the WPA2 handshake, allowing resending of a stage of the handshake in order to overwrite cryptographic data. This chapter will cover the attack at a theoretical level and provide some guidance on the successful identification and exploitation of this vulnerability.
Let's look at the WPA2 handshake, the standard for which can be found in the IEEE 802.11 standards, accessible here: http://ieeexplore.ieee.org/document/7792308/. For this explanation we are starting post-association and authentication stage as the vulnerability is not affected by those.
The Pairwise Transient Key (PTK) used for encryption is made up of five attributes:
A shared secret key known as the Pairwise Master Key (PMK)
A nonce value created by the access point (ANonce)
A nonce value created by the user station...
