1. Security Issues in 802.11 Wireless Networks
Prabhaker Mateti
Wright State University

2. Talk Outline Wireless LAN Overview Wireless Network Sniffing
Wireless Spoofing
Wireless Network Probing
AP Weaknesses
Denial of Service
Man-in-the-Middle Attacks
War Driving
Wireless Security Best Practices
Conclusion
Mateti
WiFi Security

3. Ack
This talk is an overview of what has been known for a couple of years.
Figures borrowed from many sources on the www.
Apologies that I lost track of the original sources.
Mateti
WiFi Security

4. This talk is based on …
Prabhaker Mateti, “Hacking Techniques in Wireless Networks”, in The Handbook of Information Security, Editor: Bidgoli, John Wiley, 2005
InternetSecurity/
Mateti
WiFi Security

5. Without security issues
Wireless LAN Overview
Without security issues

6. OSI Model Application Presentation Session Transport Network Data Link
MAC header
802.11
Physical
PLCP header
Mateti
WiFi Security

7. IEEE 802.11 Published in June 1997 2.4GHz operating frequency
1 to 2 Mbps throughput
Can choose between frequency hopping or direct sequence spread modulation
Mateti
WiFi Security

8. IEEE 802.11b 1999 Data Rate: 11 Mbps Reality: 5 to 7 Mbps
2.4-Ghz band; runs on 3 channels
shared by cordless phones, microwave ovens, and many Bluetooth products
Only direct sequence modulation is specified
Most widely deployed today
Mateti
WiFi Security

9. IEEE 802.11a Data Rate: 54 Mbps Reality: 25 to 27 Mbps
Runs on 12 channels
Not backward compatible with b
Uses Orthogonal Frequency Division Multiplexing (OFDM)
Mateti
WiFi Security

10. IEEE 802.11g An extension to 802.11b Data rate: 54 Mbps 2.4-Ghz band
Mateti
WiFi Security

11. Final draft expected in 2010 Data rate: 600 Mbps 2.4-Ghz band
IEEE n
An extension to a/b/g
Final draft expected in 2010
Data rate: 600 Mbps
2.4-Ghz band
Mateti
WiFi Security

12. 802 .11 Terminology: Station (STA)
Device that contains IEEE conformant MAC and PHY interface to the wireless medium, but does not provide access to a distribution system
Most often end-stations available in terminals (work-stations, laptops etc.)
Typically Implemented in a PC-Card
Built into recent laptops and PDAs
Mateti
WiFi Security

13. Station Architecture Ethernet-like driver interface
supports virtually all protocol stacks
Frame translation according to IEEE 802.1H
Ethernet Types 8137 (Novell IPX) and 80F3 (AARP) encapsulated via the Bridge Tunnel encapsulation scheme
IEEE frames: translated to
All other Ethernet Types: encapsulated via the RFC 1042 (Standard for the Transmission of IP Datagrams over IEEE 802 Networks) encapsulation scheme
Maximum Data limited to 1500 octets
Transparent bridging to Ethernet
Platform
Computer
PC-Card
Hardware
Radio
WMAC controller with
Station Firmware
(WNIC-STA)
Driver
Software
(STADr)
frame format
802.3 frame format
Ethernet V2.0 / 802.3
frame format
Protocol Stack
Mateti
WiFi Security

14. Radio Frequency Spectrum
GHz
IEEE a
HiperLAN/2
Mateti
WiFi Security

15. Channel Spacing (5MHz) 2.462 2.437 2.412 Non-overlapping channels
Mateti
WiFi Security

16. Terminology: Access-Point (AP)
A transceiver that serves as the center point of a stand-alone wireless network or as the connection point between wireless and wired networks.
Device that contains IEEE conformant MAC and PHY interface to the wireless medium, and provide access to a Distribution System for associated stations (i.e., AP is a STA)
Most often infra-structure products that connect to wired backbones
Implemented in a “box” containing a STA PC-Card.
Mateti
WiFi Security

17. Access-Point (AP) Architecture
Stations select an AP and “associate” with it
APs support
Roaming
Power Management
Time synchronization functions (Beaconing)
Traffic flows through AP
Bridge
Software
PC-Card
Hardware
Radio
WMAC controller with
Access Point Firmware
(WNIC-AP)
Driver
(APDr)
frame format
802.3 frame format
Ethernet V2.0 / 802.3
frame format
Kernel Software (APK)
Ethernet
Interface
Mateti
WiFi Security

18. Basic Configuration
Mateti
WiFi Security

19. Terminology: Basic Service Set (BSS)
A set of stations controlled by a single “Coordination Function” (that determines when a station can transmit or receive)
Similar to a “cell” in pre IEEE terminology
A BSS may or may not have an AP
Mateti
WiFi Security

20. Basic Service Set (BSS)
Mateti
WiFi Security

21. Terminology: Distribution System (DS)
A system to interconnect a set of BSSs
Integrated: A single AP in a standalone network
Wired: Using cable to interconnect the AP
Wireless: Using wireless to interconnect the AP
Mateti
WiFi Security

22. Terminology: Independent Basic Service Set (IBSS)
A BSS forming a self-contained network in which no access to a Distribution System is available
A BSS without an AP
One of the stations in the IBSS can be configured to “initiate” the network and assume the Coordination Function
Diameter of the cell determined by coverage distance between two wireless stations
Mateti
WiFi Security

23. Independent Basic Service Set (IBSS)
Mateti
WiFi Security

24. Terminology: Extended Service Set (ESS)
A set of one or more BSS interconnected by a Distribution System (DS)
Traffic always flows via AP
Diameter of the cell is double the coverage distance between two wireless stations
Mateti
WiFi Security

25. Terminology: Service Set Identifier (SSID)
Network name
Up to 32 bytes long
One network (ESS or IBSS) has one SSID
E.g., “WSU Wireless”;
Known Defaults for many vendors
“101” for 3COM
“tsunami” for Cisco
Mateti
WiFi Security

26. Terminology: Basic Service Set Identifier (BSSID)
Cell identifier
One BSS has one BSSID
6 bytes long
BSSID = MAC address of AP
Mateti
WiFi Security

27. Communication
CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) instead of Collision Detection
WLAN adapter cannot send and receive traffic at the same time on the same channel
Hidden Node Problem
Four-Way Handshake
Mateti
WiFi Security

28. Four-Way Handshake Source Destination RTS – Request to Send
CTS – Clear to Send
DATA
ACK
Mateti
WiFi Security

29. Infrastructure operation modes
Root Mode
Repeater Mode
Mateti
WiFi Security

30. 802.11 Packet Structure 30 byte header 4 addresses
Mateti
WiFi Security
Graphic Source: Network Computing Magazine August 7, 2000

31. 802.11 Physical Layer Packet Structure
24 byte header (PLCP, Physical Layer Convergence Protocol)
Always transferred at 1 Mbps
Mateti
WiFi Security
Graphic Source: Network Computing Magazine August 7, 2000

32. 802.11 Frames Format depends on type of frame Control Frames
Management Frames
Data Frames
Mateti
WiFi Security

33. 802.11 Frame Formats Bytes: 2 2 6 6 6 2 6 0-2312 4 Frame Addr 1 Addr 2
Duration
Frame
Control ID
Addr 1
Addr 2
Addr 3
Sequence
Addr 4
Body
Control
CRC
MAC Header
Bits: 2 2 4 1 1 1 1 1 1 1 1
Protocol To
From
More
Pwr
More
Version
Type
SubType
Retry
WEP
Rsvd DS DS
Frag
Mgt
Data
Frame Control Field
Mateti
WiFi Security

34. Address Field Description
Protocol
Version
Type
SubType To DS
Retry
Pwr
Mgt
More
Data
WEP
Rsvd
Frame Control Field
Bits: 2 2 4 1
From
Frag
To DS
From DS
Address 1 DA
BSSID RA
Address 2 SA TA
Address 3
Address 4
N/A
Addr. 1 = All stations filter on this address.
Addr. 2 = Transmitter Address (TA), Identifies transmitter to address the ACK frame to.
Addr. 3 = Dependent on To and From DS bits.
Addr. 4 = Only needed to identify the original source of WDS (Wireless Distribution System) frames.
Mateti
WiFi Security

35. Type field descriptions
Protocol
Version
Type
SubType To DS
Retry
Pwr
Mgt
More
Data
WEP
Rsvd
Frame Control Field
Bits: 2 2 4 1
From
Frag
Type and subtype identify the function of the frame:
Type=00 Management Frame
Beacon (Re)Association
Probe (De)Authentication
Power Management
Type=01 Control Frame
RTS/CTS ACK
Type=10 Data Frame
Mateti
WiFi Security

36. 802.11 Management Frames Beacon Probe Probe Response
Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, parameters
Traffic Indication Map
Probe
SSID, Capabilities, Supported Rates
Probe Response
Same for Beacon except for TIM
Mateti
WiFi Security

37. Management Frames (cont’d)
Association Request
Capability, Listen Interval, SSID, Supported Rates
Association Response
Capability, Status Code, Station ID, Supported Rates
Re-association Request
Capability, Listen Interval, SSID, Supported Rates, Current AP Address
Re-association Response
Mateti
WiFi Security

38. Management Frames (cont’d)
Dis-association
Reason code
Authentication
Algorithm, Sequence, Status, Challenge Text
De-authentication
Reason
Mateti
WiFi Security

39. Association + Authentication
State 1:
Unauthenticated
Unassociated
Successful authentication
Deauthentication
State 2:
Authenticated
Unassociated
Deauthentication
Successful association
Disassociation
State 3:
Authenticated
Associated
Mateti
WiFi Security

40. Authentication
To control access to the infrastructure via authentication.
The station first needs to be authenticated by the AP in order to join the APs network.
Stations identify themselves to other stations (or APs) prior to data traffic or association.
Two authentication subtypes:
Open system.
shared key.
Mateti
WiFi Security

41. Open System Authentication
A sends an authentication request to B
B sends the result back to A
Mateti
WiFi Security

42. Shared Key Authentication
Mateti
WiFi Security

43. Access Point Discovery
Beacons sent out 10x second
Advertise capabilities
Station queries access points
Requests features
Access points respond
With supported features
Authentication just a formality
May involve more frames
Probe request
Authentication request
Association request
Probe response
Authentication response
Association response
Mateti
WiFi Security

44. Association Next Step after authentication
Association enables data transfer between Client and AP
The Client sends an association request frame to the AP who replies to the client with an association response frame either allowing or disallowing the association
Mateti
WiFi Security

45. Association To establish relationship with AP
Stations scan frequency band to and select AP with best communications quality
Active Scan: send a “Probe request” on specific channels and assess response
Passive Scan: assess communications quality from beacon message
AP maintains list of associated stations in MAC FW
Record station capability (data-rate)
To allow inter-BSS relay
Station’s MAC address is also maintained in bridge learn table associated with the port it is located on
Mateti
WiFi Security

46. WEP: Wired Equivalent Privacy
Designed to be computationally efficient, self-synchronizing, and exportable
Data headers remain unencrypted.
The cipher used is RC4(v, k)
Shared key k: Manual distribution among clients.
Mateti
WiFi Security

47. WEP Encryption
WEP encryption key: a shared 40- or 104-bit long number.
WEP keys are used for authentication and encryption of data.
A 32-bit integrity check value (ICV) is calculated that provides data integrity for the MAC frame. The ICV is appended to the end of the frame data.
A 24-bit initialization vector (IV) is appended to the WEP key.
IV and WEP encryption key are input to a pseudo-random number generator (PRNG) to generate a bit sequence that is the same size as the combination of [data+ICV].
The PRNG bit sequence is bit-wise XORed with [data+ICV] to produce the encrypted portion of the payload that is sent between the wireless AP and the wireless client.
The IV is added to the front of the encrypted [data+ICV] which becomes the payload for the wireless MAC frame.
The result is IV+ encrypted [data+ICV].
Mateti
WiFi Security

48. WEP Decryption IV is obtained from the front of the MAC payload.
WEP encryption key is concatenated with the IV.
The concatenated WEP encryption key and IV is used as the input of the same PRNG to generate a bit sequence of the same size as the combination of the [data + ICV].
The PRNG bit sequence is XORed with the encrypted [data+ICV] to decrypt the [data+ICV] portion of the payload.
The ICV for the data portion of the payload is calculated and compared with the value included in the incoming frame.
The WEP key remains constant over a long duration (days and months) but the IV can be changed frequently depending on the degree of security needed.
Mateti
WiFi Security

49. WEP 24 bits Append ICV = CRC32(Data) Select and insert IV
Hdr
Data
Append ICV = CRC32(Data)
ICV
Encrypted Data IV
Select and insert IV
Per-packet Key = IV || RC4 Base Key
RC4 Encrypt Data || ICV
Remove IV from packet
RC4 Decrypt Data || ICV
Check ICV = CRC32(Data)
24 bits
Mateti
WiFi Security

50. WEP Protocol Key is shared by all clients and the base station.
PRNG – Pseudo Random Number Gen
Mateti
WiFi Security

51. WEP .. cont
Mateti
WiFi Security

52. Drawbacks of WEP Protocol
The determination and distribution of WEP keys are not defined
There is no defined mechanism to change the WEP key either per authentication or periodically for an authenticated connection
No mechanism for central authentication, authorization, and accounting
No per-frame authentication mechanism to identify the frame source.
No per-user identification and authentication
Mateti
WiFi Security

53. Initialization Vector (IV)
Over a period, same plaintext packet should not generate same ciphertext packet
IV is random, and changes per packet
Generated by the device on the fly
24 bits long
64 bit encryption: IV bits WEP key
128 bit encryption: IV bits WEP key
Mateti
WiFi Security

54. Mateti
WiFi Security

55. WiFi Security
Mateti
WiFi Security

56. Wireless Threats Passive eavesdropping and traffic analysis
Message injection and active eavesdropping
Message deletion and interception
Masquerading and malicious access points
Session hijacking
Denial of service (DoS)
Mateti
WiFi Security

57. Network Sniffing Sniffing is eavesdropping, a reconnaissance technique
A sniffer is a program that intercepts and decodes network traffic broadcast through a medium
Sniffing is the act by a machine S of making copies of a network packet sent by machine A intended to be received by machine B
Sniffing is
not a TCP/IP problem
enabled by the media, Ethernet and , at the physical and data link layers
Mateti
WiFi Security

58. Wireless Network Sniffing
Wireless LAN sniffers can be used to gather information about the wireless network from a distance with a directional antenna
RF monitor mode of a wireless card allows every frame appearing on a channel to be copied as the radio of the station tunes to various channels. Analogous to wired Ethernet card in promiscuous mode
A station in monitor mode can capture packets without associating with an AP or ad-hoc network
Many wireless cards permit RF monitor mode
Mateti
WiFi Security

59. Passive Scanning Eavesdropper does NOT transmit packets.
A wlan can be “listened to” outside a building using readily available technology
Mateti
WiFi Security

60. Passive Scanning
A passive scanner instructs the wireless card to listen to each channel for a few messages
Passive scanners are capable of gathering the passwords from the HTTP sites and the telnet sessions sent in plain text
An attacker can passively scan without transmitting at all. These attacks do not leave any trace of the attacker’s presence on the network
Mateti
WiFi Security

61. Passive Scanning: Why? Scanning is a reconnaissance technique
Detection of SSID
Collecting the MAC addresses
Collecting the frames for cracking WEP
Mateti
WiFi Security

62. A Basic “Attack”
Behind the scenes of a completely passive wireless pre-attack session using kismet

63. Kismet Kismet is a wireless sniffer
Setting up Kismet is fairly straightforward
Google on “Kismet” for articles
Mateti
WiFi Security

64. Starting Kismet The mysqld service is started.
The gpsd service is started on serial port 1.
The wireless card is placed into monitor mode.
kismet is launched.
Mateti
WiFi Security

65. Detection
Kismet picks up some wireless jabber! In order to take a closer look at the traffic, disengage “autofit” mode by pressing “ss” to sort by SSID.
type
WEP? yes or no.
4 TCP packets
IP’s detected
strength
Mateti
WiFi Security

66. Network Details
Network details for the address are viewed by pressing the “i” key.
Mateti
WiFi Security

67. Network Details
Network details for the address are viewed by pressing the “i” key.
Mateti
WiFi Security

68. More network details
More network details for the address are viewed by pressing the “i” key, then scrolling down to view more information.
Mateti
WiFi Security

69. traffic dump
A dump of “printable” traffic can be had by pressing the “d” key.
\MAILSLOTS? Could this be a post office computer?
(that is a joke. feel free to laugh at this point. thank you.)
Mateti
WiFi Security

70. packet list
A list of packet types can be viewed by selecting a wireless point and pressing “p”
Mateti
WiFi Security

71. gpsmap A map of the area is printed: # gpsmap –S2 –s10 -r gpsfile
Mateti
WiFi Security

72. wireshark - Beacon
The *.dump files Kismet generates can be opened with tcpdump or wireshark
This is an beacon frame.
Mateti
WiFi Security

73. wireshark – Probe Request
....an Probe Request from the same machine
Mateti
WiFi Security

74. wireshark - Registration
oooh... a NETBIOS registration packet for “MSHOME”...
Mateti
WiFi Security

75. wireshark - Registration
...another registration packet, this time from “LAP10”...
Mateti
WiFi Security

76. wireshark – DHCP request
...a DHCP request... it would be interesting to spoof a response to this...
Mateti
WiFi Security

77. wireshark – Browser request
...a NETBIOS browser request...
Mateti
WiFi Security

78. wireshark – Browser announce
...an SMB host announcement... revealing an OS major version of 5 and an OS minor version of 1...
We have a Windows XP client laptop searching for an access point.
This particular target ends up being nothing more than a lone client crying out for a wireless server to connect to. Spoofing management frames to this client would most likely prove to be pointless...
Mateti
WiFi Security

79. Passive Scanning
This simple example demonstrates the ability to monitor even client machines which are not actively connected to a wireless access point.
In a more “chatty” environment, so much more is possible.
All of this information was captured passively. Kismet did not send a single packet on the airwaves.
This type of monitoring can not be detected, but preventive measures can be taken.
Mateti
WiFi Security

80. Detection of SSID
SSID occurs in the following frame types: beacon, probe requests, probe responses, association requests, and reassociation requests.
Management frames are always in the clear, even when WEP is enabled.
Merely collect a few frames and note the SSID.
What if beacons are turned off? Or SSID is hidden?
Mateti
WiFi Security

81. When the Beacon displays a null SSID …
Patiently wait. Recall that management frames are in the clear.
Wait for an associate request; Associate Request and Response both contain the SSID.
Wait for a Probe Request; Probe Responses contain SSID.
Mateti
WiFi Security

82. Beacon transmission is disabled ...
Wait for a voluntary Associate Request to appear. Or
Actively probe by injecting spoofed frames, and then sniff the response
Mateti
WiFi Security

83. Collecting the MAC Addresses
Attacker gathers legitimate MAC addresses for use later in spoofed frames.
The source and destination MAC addresses are always in the clear in all the frames.
The attacker sniffs these legitimate addresses
Mateti
WiFi Security

84. WEP Attacks Systematic procedures in cracking the WEP.
Need to collect a large number of frames.
Collection may take hours to days.
Time required depends heavily on saturation of access point
Cracking may take a few seconds to a couple of hours.
Cracking uses “weakness” in IV
Four types of attacks
Passive attacks to decrypt traffic based on statistical analysis
Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext
Active attacks to decrypt traffic, based on tricking the access point
Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic
Mateti
WiFi Security

85. What is a “Weak” IV?
Key Scheduling Algorithm (KSA) creates an IV-based on the base key
A flaw in the WEP implementation of RC4 allows “weak” IVs to be generated
Those IVs give away info about the bytes of the key they were derived from
An attacker will collect enough weak IVs to reveal bytes of the base key
Mateti
WiFi Security

86. Initialization Vector, IV
IV is only 24 bits providing 16,777,216 different RC4 cipher streams for a given WEP key
Chances of duplicate IVs are:
1% after 582 encrypted frames
10% after 1881 encrypted frames
50% after 4,823 encrypted frames
99% after 12,430 encrypted frames
Increasing Key size will not make WEP any safer. Why?
Walker, “IEEE i wireless LAN: Unsafe at any key size”, Oct 2000
Mateti
WiFi Security

87. UC Berkeley Study Bit flipping Replay
Bits are flipped in WEP encrypted frames, and ICV CRC32 is recalculated
Replay
Bit flipped frames with known IVs re-sent
AP accepts frame since CRC32 is correct
Layer 3 device will reject, and send predictable response
Response database built and used to derive key
Mateti
WiFi Security

88. UC Berkeley Study Stream Cipher 1234
PlainText Data Is XORed with the WEP Stream Cipher to Produce the Encrypted CipherText
PlainText
CipherText
Cisco
WEP
XXYYZZ
Predicted PlainText
Cisco
If CipherText Is XORed with Guessed PlainText, the Stream Cipher Can Be Derived
CipherText
Stream Cipher
XXYYZZ
WEP
1234
Mateti
WiFi Security

89. UC Berkeley Study Bit Flipped Frame Sent
Frame Passes ICV Forwarded to Dest MAC
Upper Layer Protocol Fails CRC Sends Predictable Error Message to Source MAC
AP WEP Encrypts Response and Forwards to Source MAC
Attacker Anticipates Response from Upper Layer Device and Attempts to Derive Key
Mateti
WiFi Security

90. Wireless Spoofing

91. Wireless Spoofing
The attacker constructs frames by filling selected fields that contain addresses or identifiers with legitimate looking but non-existent values, or with legitimate values that belong to others.
The attacker would have collected these legitimate values through sniffing.
Mateti
WiFi Security

92. MAC Address Spoofing Probing is sniffable by the sys admins.
Attacker wishes to be hidden.
Use MAC address of a legitimate card.
APs can filter based on MAC addresses.
Mateti
WiFi Security

93. IP spoofing
Replacing the true IP address of the sender (or, in some cases, the destination) with a different address.
Defeats IP address based trust.
IP spoofing is an integral part of many attacks.
Mateti
WiFi Security

94. Frame Spoofing Frames themselves are not authenticated in 802.11.
Construction of the byte stream that constitutes a spoofed frame is facilitated by libraries.
The difficulty here is not in the construction of the contents of the frame, but in getting it radiated (transmitted) by the STA or an AP.  This requires control over the firmware.
Mateti
WiFi Security

95. Wireless Network Probing

96. Wireless Network Probing
Send cleverly constructed packets to a target that triggers useful responses. 
This activity is known as probing or active scanning.
The target can discover that it is being probed.
Mateti
WiFi Security

97. Active Attacks
Attacker can connect to an AP and obtain an IP address from the DHCP server.
A business competitor can use this kind of attack to get the customer information which is confidential to an organization.
Mateti
WiFi Security

98. Detection of SSID
Beacon transmission is disabled, and the  attacker does not wish to wait …
Inject a probe request frame using a spoofed source MAC address. 
The probe response frame from the APs will contain, in the clear, the SSID and other information similar to that in the beacon frames.
Mateti
WiFi Security

99. Detection of APs and stations
Certain bits in the frames identify that the frame is from an AP. 
If we assume that WEP is either disabled or cracked, the attacker can also gather the IP addresses of the AP and the stations.
Mateti
WiFi Security

100. Detection of Probing
The frames that an attacker injects can be sniffed by a sys admin.
GPS-enabled equipment can identify the physical coordinates of a transmitting device.
Mateti
WiFi Security

101. AP Weaknesses

102. Poorly Constructed WEP keys
The default WEP keys used are often too trivial.
APs use simple techniques to convert the user’s key board input into a bit vector. 
Usually 5 or 13 ASCII printable characters are directly mapped by concatenating their ASCII 8-bit codes into a 40-bit or 104-bit WEP key. 
A stronger 104-bit key can be constructed from 26 hexadecimal digits.
It is possible to form an even stronger 104 bit WEP key by truncating the MD5 hash of an arbitrary length pass phrase.
Mateti
WiFi Security

103. Defeating MAC Filtering
Typical APs permit access to only those stations with known MAC addresses. 
Easily defeated by the attacker
Spoofs his frames with a MAC address that is registered with the AP from among the ones that he collected through sniffing. 
That a MAC address is registered can be detected by observing the frames from the AP to the stations
Mateti
WiFi Security

104. Rogue Networks Rogue AP = an unauthorized access point
Network users often set up rogue wireless LANs to simplify their lives
Rarely implement security measures
Network is vulnerable to War Driving and sniffing and you may not even know it
Trojan AP = Rogue AP with malicious intent
Mateti
WiFi Security

105. Trojan AP Mechanics Create a competing wireless network.
AP can be actual AP or HostAP of Linux
Create or modify captive portal behind AP
Redirect users to “splash” page
DoS or theft of user credentials, or …
Bold attacker will visit ground zero.
Not-so-bold will drive-by with an amp.
So what are the mechanics behind a rogue access point?
Basically, the idea is to simply create a competing wireless network. A rogue AP is essentially a wireless network of its own, but with a purpose other than providing legitimate service to the Intranet. Instead, the main purpose is to steal credentials from unsuspecting users and use those credentials for illegitimate access to the target legitimate network.
The AP component of a rogue AP can be an actual access point or a simple wireless card running HostAP.
Off the backend of the AP, an attacker can create a captive portal, which accepts DNS and web queries, but redirects all users to a “splash” page of some sort. Depending on how open the wireless network is to begin with, we can simply sit as a “man in the middle” acting as a “repeater” of sorts, brokering wireless connections from the rogue wireless network, to the legitimate wireless network.
An attacker can simply deny service to all users or go so far as to steal usernames and passwords—perhaps even provide no interaction with the user and simply make the user a vector for some infection into the wired network.
If the attacker is bold, they can do this intermittently while using the network. One day, they are a legitimate user, the next, a rogue AP—yet another new insider threat for you.
A big antenna and amp can facilitate a drive-by rogue AP. Let’s see an example rogue AP setup in action.
Mateti
WiFi Security

106. Equipment Flaws
Numerous flaws in equipment from well-known manufacturers
Search on “access point vulnerabilities”
Ex 1: Receiving a request for a file named config.img via TFTP, an AP sends its configuration. The image includes the administrator’s password required by the HTTP user interface, the WEP encryption keys, MAC address, and SSID. 
Ex 2: An AP returns the WEP keys, MAC filter list, administrator’s password when sent a UDP packet to port containing the string “gstsearch”.  
Mateti
WiFi Security

107. Denial of Service

108. Denial of Service
A system is not providing services to authorized clients because of resource exhaustion by unauthorized clients. 
DoS attacks are difficult to prevent
Difficult to stop an on-going attack
Victim and its clients may not even detect the attacks
Duration may range from milliseconds to hours. 
A DoS attack against an individual station enables session hijacking
Mateti
WiFi Security

109. Jamming
The hacker can use a high power RF signal generator to interfere with the ongoing wireless connection, making it useless.
Can be avoided only by physically finding the jamming source.
Mateti
WiFi Security

110. Flooding with Associations
AP inserts the data supplied by the STA in the Association Request into a table called the association table
specifies a maximum value of 2007 concurrent associations to an AP. The actual size of this table varies among different models of APs. 
When this table overflows, the AP would refuse further clients
Attacker authenticates several non-existing STA using legitimate-looking but randomly generated MAC addresses.  The attacker then sends a flood of spoofed associate requests so that the association table overflows
Enabling MAC filtering in the AP will prevent this attack
Mateti
WiFi Security

111. Deauth/Disassoc Management frame
Attacker must spoof AP MAC address in Src Addr and BSSID
Sequence Control field handled by firmware (not set by attacker)
Mateti
WiFi Security

112. Forged Dissociation
Attacker sends a spoofed Disassociation frame where the source MAC address is set to that of the AP.
To prevent Reassociation, the attacker continues to send Disassociation frames for a desired period.
Mateti
WiFi Security

113. Forged Deauthentication
After an Association Response frame is observed, the attacker sends a spoofed Deauthentication frame where the source MAC address is spoofed to that of the AP. 
The station is now unassociated and unauthenticated, and needs to reconnect. 
To prevent a reconnection, the attacker continues to send Deauthentication frames for a desired period. 
Neither MAC filtering nor WEP protection will prevent this attack
Mateti
WiFi Security

114. First Stage – Deauth Attack
Airopeek Trace of Deauth Attack
Mateti
WiFi Security

115. First Stage – Deauth Attack
Decode of Deauthentication Frame
Mateti
WiFi Security

116. Power Management
Power-management schemes place a system in sleep mode when no activity occurs
The Client can be configured to be in continuous aware mode (CAM) or Power Save Polling (PSP) mode
Mateti
WiFi Security

117. Power Saving
Attacker steals packets for a station while the station is in Doze state.
The protocol requires a station to inform the AP through a successful frame exchange that it wishes to enter the Doze state from the Active state.
Periodically the station awakens and sends a PS-Poll frame to the AP. The AP will transmit in response the packets that were buffered for the station while it was dozing.
This polling frame can be spoofed by an attacker causing the AP to send the collected packets and flush its internal buffers.
An attacker can repeat these polling messages so that when the legitimate station periodically awakens and polls, AP will inform that there are no pending packets.
Mateti
WiFi Security

118. Man-in-the-Middle Attacks

119. Man-in-the-Middle Attacks
Attacker on host X inserts X between all communication between hosts B and C, and neither B nor C is aware of the presence of X. 
All messages sent by B do reach C but via X, and vice versa. 
The attacker can merely observe the communication or modify it before sending it out. 
Mateti
WiFi Security

120. Wireless MITM Attack
A hacker uses a Trojan AP to hijack mobile nodes by sending a stronger signal than the actual AP is sending to those nodes.
The clients then associates with the Trojan AP, sending its data into the wrong hands.
Mateti
WiFi Security

121. Wireless MITM Attack
Assume that station B was authenticated with C, a legitimate AP.
Attacker X is a laptop with two wireless cards. Through one card, he presents X as an AP.
Attacker X sends Deauthentication frames to B using the C’s MAC address as the source, and the BSSID he has collected.
B is deauthenticated and begins a scan for an AP and may find X on a channel different from C.
There is a race condition between X and C.
If B associates with X, the MITM attack succeeded. X will re-transmit the frames it receives from B to C. These frames will have a spoofed source address of B.
Mateti
WiFi Security

122. First Stage – Deauth Attack
Attack machine uses vulnerabilities to get information about AP and clients.
Attack machine sends deauthentication frames to victim using the AP’s MAC address as the source
Mateti
WiFi Security

123. Second Stage – Client Capture
Victim’s card scans channels to search for new AP
Victim’s card associates with Trojan AP on the attack machine
Attack machine’s fake AP is duplicating MAC address and ESSID of real AP
Fake AP is on a different channel than the real one
Mateti
WiFi Security

124. Third Stage – Connect to AP
Attack machine associates with real AP using MAC address of the victim’s machine.
Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper level protocols
Mateti
WiFi Security

125. The Monkey – Jack Attack
Mateti
WiFi Security

126. Monkey-Jack Detection
Why do I hear my MAC Address as the Src Addr? Is this an attack? Am I being spoofed?
Mateti
WiFi Security

127. Beginning of a MITM IDS Algorithm
Mateti
WiFi Security

128. ARP Poisoning
ARP poisoning is an attack technique that corrupts the ARP cache that the OS maintains with wrong MAC addresses for some IP addresses.
ARP cache poisoning is an old problem in wired networks.
ARP poisoning is one of the techniques that enables the man-in-the-middle attack.
ARP poisoning on wireless networks can affect wired hosts too.
Mateti
WiFi Security

129. Session Hijacking
Session hijacking occurs when an attacker causes a user to lose his connection, and the attacker assumes his identity and privileges for a period.
An attacker disables temporarily the user’s system, say by a DoS attack or a buffer overflow exploit.  The attacker then takes the identity of the user.  The attacker now has all the access that the user has.  When he is done, he stops the DoS attack, and lets the user resume.  The user may not detect the interruption if the disruption lasts no more than a couple of seconds. 
Hijacking can be achieved by forged disassociation DoS attack.
Corporate wireless networks are set up so that the user is directed to an authentication server when his station attempts a connection with an AP.  After the authentication, the attacker employs the session hijacking described above using spoofed MAC addresses.
Mateti
WiFi Security

130. War Driving
“The benign act of locating and logging wireless access points while in motion.” -- (
of course useful to attackers.
Drive around (or walk)
Possible: 10 mile range using a parabolic dish antenna.
“PC cards” vary in power: 25mW mW
Mateti
WiFi Security

131. Wireless Hacking Tools

132. 802.11 Attack Freeware Many open source also
Airsnort (Linux)
WEPcrack (Linux)
Kismet (Linux)
Wellenreiter (Linux)
NetStumbler (windows)
MiniStumbler (PocketPC)
BSD – Airtools (*BSD)
Aerosol (Windows)
WiFiScanner (Linux)
BackTrack 5 Linux Penetration Tools Distro
Details of a few follow
Mateti
WiFi Security

133. 802.11 Network Security Tools
AiroPeek / AiroPeek NX: Wireless frame sniffer / analyzer, Windows
AirTraf: Wireless sniffer / analyzer / “IDS”
AirSnort: WEP key “cracker”
BSD Airtools: Ports for common wireless tools, very useful
Mateti
WiFi Security

134. Airsnarf Simplifies HostAP, httpd, dhcpd, Net::DNS, and iptables setup
Simple example of a rogue AP
Airsnarf is a rogue AP setup utility we will now demonstrate.
Simply put, it’s just a shell script that integrates and sets up several fairly standard Linux utilities to create a rogue access point, specifically:
HostAP for AP functionality, httpd to serve up the splash page, dhcpd to give out IPs/DNS/gateway, a simple Perl-based Net::DNS::Nameserver DNS redirect, and iptables to funnel all the DNS requests the gateway sees to a local port
All of these Linux utilities are publicly available.
(Demonstration)
Mateti
WiFi Security

135. Ettercap
Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.
Mateti
WiFi Security

136. libradiate
Radiate is a C library similar in practice to Libnet but designed for " frame reading, creation and injection."
Libnet builds layer 3 and above
Libradiate builds frames
Disperse, an example tool built using libradiate, is fully functional
Mateti
WiFi Security

137. libradiate Radiate allows construction of these frames very easily.
Frame types and subtypes
Beacon transmitted often announcing a WLAN
Probe request: A client frame- "anyone out there?"
Association: client and server exchange- "can i play?"
Disassociate: "no soup for you!"
RTS/CTS: ready/clear to send frames
ACK: Acknowlegement
Radiate allows construction of these frames very easily.
Mateti
WiFi Security

138. netstumbler Access point enumeration tool, Windows, free
Supports GPS but lacks features required by a real wireless security hacker...
Mateti
WiFi Security

139. Mateti
WiFi Security

140. stumbverter (2002) thanks to fr|tz @ www.mindthief.net for map data!
Mateti
WiFi Security

141.
Wireless Geographic Logging Engine: Making maps of wireless networks since 2001
45 Million Wifi Networks! Sep 27, 2011
Download Wigle Wifi for Android
Download the JiGLE Java Client
Download the DiGLE Windows Native client
Mateti
WiFi Security

142. kismet: wireless network sniffer
Segregates traffic
Detects IP blocks
decloaks SSID’s
Detects factory default configurations
Detects netstumbler clients
Maps wireless points
Mateti
WiFi Security

143. air-jack A family of tools based on the air-jack driver
wlan-jack: spoofs a deauthentication frame to force a wireless user off the net
essid-jack: wlan-jacks a victim then sniffs the SSID when the user reconnects
Monkey-jack: wlan-jacks a victim, then plays man-in-the-middle between the attacker and the target
kracker-jack: monkey-jacks a WLAN connection
Mateti
WiFi Security

144. Wireless Security Best Practices

145. Location of the APs Network segmentation RF signal shaping
Treat the WLAN as an untrusted network
RF signal shaping
Continually check for unauthorized (“rogue/Trojan”) APs
Mateti
WiFi Security

146. Proper Configuration Change the default passwords
Use WEP, however broken it may be
Don't use static keys, change them frequently
Don't allow connections with an empty SSID
Don't broadcast your SSID
Use a VPN and MAC address filtering with strong mutual authentication
Wireless IDS/monitoring (e.g.,
Mateti
WiFi Security

147. Proper Configuration Most devices have multiple management interfaces
HTTP
Telnet
FTP
TFTP
SNMP
Disable unneeded services / interfaces
Stay current with patches
Mateti
WiFi Security

148. Remedies Secure Protocol Techniques Use strong authentication
Encrypted messages
Digitally signed messages
Encapsulation/tunneling
Use strong authentication
Mateti
WiFi Security

149. Wireless IDS
A wireless intrusion detection system (WIDS) is often a self-contained computer system with specialized hardware and software to detect anomalous behavior.
The special wireless hardware is more capable than the commodity wireless card, including the RF monitor mode, detection of interference, and keeping track of signal-to-noise ratios.
It also includes GPS equipment so that rogue clients and APs can be located.
A WIDS includes one or more listening devices that collect MAC addresses, SSIDs, features enabled on the stations, transmit speeds, current channel, encryption status, beacon interval, etc.
Mateti
WiFi Security

150. Wireless IDS
WIDS computing engine should be powerful enough that it can dissect frames and WEP-decrypt into IP and TCP components. These can be fed into TCP/IP related intrusion detection systems.
Unknown MAC addresses are detected by maintaining a registry of MAC addresses of known stations and APs.
Can detect spoofed known MAC addresses because the attacker could not control the firmware of the wireless card to insert the appropriate sequence numbers into the frame.
Mateti
WiFi Security

151. Wireless Auditing
Periodically, every wireless network should be audited.
Several audit firms provide this service for a fee.
A security audit begins with a well-established security policy.
A policy for wireless networks should include a description of the geographical volume of coverage.
The goal of an audit is to verify that there are no violations of the policy.
Mateti
WiFi Security

152. IEEE 802.1X
General-purpose port based network access control mechanism for 802 technologies
Authentication is mutual, both the user (not the station) and the AP authenticate to each other.
supplicant - entity that needs to be authenticated before the LAN access is permitted (e.g., station);
authenticator - entity that supports the actual authentication (e.g., the AP);
authentication server - entity that provides the authentication service to the authenticator (usually a RADIUS server).
Extensible Authentication Protocol (EAP) RFC 2284) that was first developed in the Internet community for Point-to-Point Protocol (PPP )
Authentication is mutual, both the user (not the wireless device as in the case of WEP) and the access point authenticate to each other.
Prevents rogue access points
EAP in 802.1x is called EAPOL (Extensible Authentication Protocol over LANs) and is based on three entities:
supplicant - entity that needs to be authenticated before the LAN access is permitted (i.e. the wireless client station);
authenticator - entity that supports the actual authentication (i.e. the access point);
authentication server - entity that provides the authentication service to the authenticator (usually a RADIUS server).
Mateti
WiFi Security

153. IEEE 802.1X Extensible Authentication Protocol (EAP)
Can provide dynamic encryption key exchange, eliminating some of the issues with WEP
Roaming is transparent to the end user
Microsoft includes support in Windows
Mateti
WiFi Security

154. 802.1x Architecture
Mateti
WiFi Security

155. Cisco LEAP Overview
Provides centralized, scalable, user-based authentication
Algorithm requires mutual authentication
Network authenticates client, client authenticates network
Uses 802.1X for authentication messaging
APs will support WinXP’s EAP-TLS also
Dynamic WEP key support with WEP key session timeouts
Mateti
WiFi Security

156. LEAP Authentication Process
Client AP
RADIUS Server
Start
AP Blocks All Requests Until Authentication Completes
Request Identity
Identity
Identity
RADIUS Server Authenticates Client
Client Authenticates RADIUS Server
Derive
Derive
Key
Key
Broadcast Key
AP Sends Client Broadcast Key, Encrypted with Session Key
Key Length
Mateti
WiFi Security

157. IEEE i
Ratified: 2004
Replaces broken WEP and stopgap measures such as WPA
Mutual authentication
EAP-TLS/802.1X/RADIUS
Data confidentiality and integrity
CCMP (special mode of AES) replaces TKIP
Key management protocols
Discovery and Negotiation
Coordination with Authentication
Mateti
WiFi Security

158. 802.11i Takes base 802.1X and adds several features
Wireless implementations are divided into two groups: legacy and new
Both groups use 802.1x for credential verification, but the encryption method differs
Legacy networks must use 104-bit WEP, TKIP and MIC
New networks will be same as legacy, except that they must replace WEP/TKIP with advanced encryption standard – operation cipher block (AES-OCB)
Mateti
WiFi Security

159. Authenticator/Supplicant Station Management Entity
802.11i Architecture
Data
802.1X
Authenticator/Supplicant
802.1X Controlled Port
802.1X Uncontrolled Port
MAC_SAP
Data Link
LAYER TK
802.11i State Machines
WEP/TKIP/CCMP
MAC
PTK  PRF(PMK)
(PTK = KCK | KEK | TK)
Physical
Station Management Entity
PHY
LAYER
PMD
Mateti
WiFi Security

160. Wi-Fi Protected Access (WPA)
2003
Security solution based on IEEE standards
Replacement for WEP
Designed to run on existing hardware as a software upgrade, Wi-Fi Protected Access is derived from and expected to be compatible with the IEEE i standard
TKIP (Temporal Key Integrity Protocol)
User authentication via 802.1x and EAP
Mateti
WiFi Security

161. WPA2
2004
All of WPA
Support for CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) based on AES cipher as an alternative to TKIP
Mateti
WiFi Security

162. Temporal Key Integrity Protocol (TKIP)
128-bit shared secret – “temporal key” (TK)
Mixes the transmitter's MAC address with TK to produce a Phase 1 key.
The Phase 1 key is mixed with an initialization vector (iv) to derive per-packet keys.
Each key is used with RC4 to encrypt one and only one data packet.
Defeats the attacks based on “Weaknesses in the key scheduling algorithm of RC4” by Fluhrer, Mantin and Shamir"
TKIP is backward compatible with current APs and wireless NICs
Mateti
WiFi Security

163. Message Integrity Check (MIC)
MIC prevents bit-flip attacks
Implemented on both the access point and all associated client devices, MIC adds a few bytes to each packet to make the packets tamper-proof.
Mateti
WiFi Security

164. References
Jon Edney and William A. Arbaugh, Real Security: Wi-Fi Protected Access and i, 480 pages, Addison Wesley, 2003, ISBN:
Matthew S. Gast, Wireless Networks: The Definitive Guide, 464 pages, O’Reilly & Associates, April 2002, ISBN:
Changhua He, "Analysis Of Security Protocols For Wireless Networks",PhD dissertation, Stanford University, December 2005
Chris Hurley, Michael Puchol, Russ Rogers, and Frank Thornton, WarDriving: Drive, Detect, Defend, A Guide to Wireless Security, ISBN: , Syngress, 2004
IEEE, IEEE standards documents,
Tom Karygiannis and Les Owens, Wireless Network Security: , Bluetooth and Handheld Devices, National Institute of Standards and Technology Special Publication , November nistpubs/800-48/NIST_SP_ pdf
Prabhaker Mateti, TCP/IP Suite, The Internet Encyclopedia, Hossein Bidgoli (Editor), John Wiley 2003, ISBN
Prabhaker Mateti, ``Hacking Techniques in Wireless Networks'', in The Handbook of Information Security, edited by Bidgoli, John Wiley, 2005
Bruce Potter and Bob Fleck, Security, O'Reilly & Associates, 2002; ISBN:
Joshua Wright, Understanding the WPA/WPA2 Break,
Mateti
WiFi Security