Security Issues in 802.11 Wireless Networks
Prabhaker Mateti, Wright State University, www.wright.edu/~pmateti
(presentation transcript)

2 Talk Outline
  - Wireless LAN Overview
  - Wireless Network Sniffing
  - Wireless Spoofing
  - Wireless Network Probing
  - AP Weaknesses
  - Denial of Service
  - Man-in-the-Middle Attacks
  - War Driving
  - Wireless Security Best Practices
  - Conclusion
  Mateti, WiFi Security

3 Ack
  - This talk is an overview of what has been known for a couple of years.
  - Figures borrowed from many sources on the www.
  - Apologies that I lost track of the original sources.

4 This talk is based on …
  - Prabhaker Mateti, "Hacking Techniques in Wireless Networks", in The Handbook of Information Security, Editor: Bidgoli, John Wiley, 2005
  - The author's InternetSecurity/ course material

5 Wireless LAN Overview (without security issues)

6 OSI Model
  Application, Presentation, Session, Transport, Network, Data Link, Physical. 802.11 lives in the bottom two layers: the MAC header belongs to the Data Link layer and the PLCP header to the Physical layer.

7 IEEE 802.11
  - Published in June 1997
  - 2.4 GHz operating frequency
  - 1 to 2 Mbps throughput
  - Can choose between frequency hopping (FHSS) or direct sequence spread spectrum (DSSS) modulation

8 IEEE 802.11b
  - Data rate: 11 Mbps; reality: 5 to 7 Mbps
  - 2.4 GHz band; only 3 non-overlapping channels
  - The band is shared with cordless phones, microwave ovens, and many Bluetooth products
  - Only direct sequence modulation is specified
  - Most widely deployed at the time of this talk

9 IEEE 802.11a
  - Data rate: 54 Mbps; reality: 25 to 27 Mbps
  - 5 GHz band; 12 non-overlapping channels
  - Not backward compatible with 802.11b
  - Uses Orthogonal Frequency Division Multiplexing (OFDM)

10 IEEE 802.11g
  - An extension to 802.11b
  - Data rate: 54 Mbps
  - 2.4 GHz band

11 IEEE 802.11n
  - An extension to 802.11a/b/g
  - Final draft expected in 2010 when this talk was written (802.11n was ratified in September 2009)
  - Data rate: up to 600 Mbps
  - 2.4 GHz and 5 GHz bands

12 Terminology: Station (STA)
  - Device that contains an IEEE 802.11 conformant MAC and PHY interface to the wireless medium, but does not provide access to a distribution system
  - Most often end-stations in terminals (workstations, laptops etc.)
  - Typically implemented in a PC Card; built into recent laptops and PDAs

13 Station Architecture
  - Ethernet-like driver interface; supports virtually all protocol stacks
  - Frame translation according to IEEE 802.1H:
    - Ethernet Types 8137 (Novell IPX) and 80F3 (AARP) encapsulated via the Bridge Tunnel encapsulation scheme
    - IEEE 802.3 (LLC) frames: translated to 802.11 frames without extra encapsulation
    - All other Ethernet Types: encapsulated via the RFC 1042 (Standard for the Transmission of IP Datagrams over IEEE 802 Networks) encapsulation scheme
  - Maximum data limited to 1500 octets
  - Transparent bridging to Ethernet
  (figure: station stack, top to bottom: Protocol Stack (Ethernet V2.0 / 802.3 frame format); Driver Software (STADr) (802.11 frame format); WMAC controller with Station Firmware (WNIC-STA); Radio Hardware; PC-Card Hardware; Platform Computer)

14 Radio Frequency Spectrum
  (figure: the 5 GHz band as used by IEEE 802.11a and HiperLAN/2)

15 Non-overlapping channels
  (figure: 2.4 GHz channel plan with 5 MHz channel spacing; adjacent channels overlap, so only channels 1, 6 and 11 can be used side by side without interfering)

16 Terminology: Access Point (AP)
  - A transceiver that serves as the center point of a stand-alone wireless network or as the connection point between wireless and wired networks.
  - Device that contains an IEEE 802.11 conformant MAC and PHY interface to the wireless medium and provides access to a Distribution System for associated stations (i.e., an AP is also a STA)
  - Most often infrastructure products that connect to wired backbones
  - Implemented in a "box" containing a STA PC Card.

17 Access Point (AP) Architecture
  - Stations select an AP and "associate" with it
  - APs support roaming, power management, and time synchronization functions (beaconing)
  - All traffic flows through the AP
  (figure: AP stack: Bridge Software; Kernel Software (APK); Driver Software (APDr) (802.11 frame format); WMAC controller with Access Point Firmware (WNIC-AP); Radio Hardware; PC-Card Hardware; Bridge Hardware with Ethernet Interface (Ethernet V2.0 / 802.3 frame format))

18 Basic Configuration
  (figure: stations, AP and wired backbone)

19 Terminology: Basic Service Set (BSS)
  - A set of stations controlled by a single "Coordination Function" (the logic that determines when a station can transmit or receive)
  - Similar to a "cell" in pre-IEEE 802.11 terminology
  - A BSS may or may not have an AP

20 Basic Service Set (BSS)
  (figure: one BSS)

21 Terminology: Distribution System (DS)
  - A system to interconnect a set of BSSs
  - Integrated: a single AP in a standalone network
  - Wired: using cable to interconnect the APs
  - Wireless: using wireless links to interconnect the APs

22 Terminology: Independent Basic Service Set (IBSS)
  - A BSS forming a self-contained network in which no access to a Distribution System is available
  - A BSS without an AP (ad hoc mode)
  - One of the stations in the IBSS can be configured to "initiate" the network and assume the Coordination Function
  - The diameter of the cell is determined by the coverage distance between two wireless stations

23 Independent Basic Service Set (IBSS)
  (figure: one IBSS)

24 Terminology: Extended Service Set (ESS)
  - A set of one or more BSSs interconnected by a Distribution System (DS)
  - Traffic always flows via an AP
  - The diameter of the cell is double the coverage distance between two wireless stations

25 Terminology: Service Set Identifier (SSID)
  - Network name, up to 32 bytes long
  - One network (ESS or IBSS) has one SSID, e.g. "WSU Wireless"
  - Known defaults for many vendors: "101" for 3Com, "tsunami" for Cisco
  - The SSID is neither a secret nor an access control: it is broadcast in beacons and carried in the clear in probe and association frames (see the sniffing section)

26 Terminology: Basic Service Set Identifier (BSSID)
  - Cell identifier; one BSS has one BSSID
  - 6 bytes long
  - In an infrastructure BSS the BSSID is the MAC address of the AP's wireless interface; in an IBSS it is a randomly generated, locally administered address

27 Communication
  - CSMA/CA (Carrier Sense Multiple Access / Collision Avoidance) instead of Collision Detection
  - A WLAN adapter cannot send and receive traffic at the same time on the same channel (half duplex), so it cannot detect collisions while transmitting
  - Hidden Node Problem: two stations that both reach the AP but not each other cannot sense each other's transmissions
  - Four-way handshake (RTS/CTS) to reserve the medium

28 Four-Way Handshake (RTS/CTS)
  Source -> Destination: RTS (Request to Send)
  Destination -> Source: CTS (Clear to Send)
  Source -> Destination: DATA
  Destination -> Source: ACK
  Every station that hears the RTS or the CTS sets its NAV from the Duration field and stays silent for that long. This is the medium-reservation handshake of the MAC, not the WPA/802.11i four-way key handshake of the same name.

29 Infrastructure operation modes
  - Root Mode
  - Repeater Mode

30 Packet Structure
  (figure, source: Network Computing Magazine, August 7: the 802.11 MAC frame; 30-byte header carrying up to 4 addresses)

31 Physical Layer Packet Structure
  (figure, source: Network Computing Magazine, August 7: the PLCP (Physical Layer Convergence Protocol) preamble and header that precede the MAC frame)
  - The PLCP preamble and header are always transmitted at 1 Mbps so that every station can decode them, whatever the data rate of the payload that follows.

32 Frames
  Format depends on the type of frame:
  - Control Frames
  - Management Frames
  - Data Frames

33 Frame Formats
  MAC header, then body, then FCS (field sizes in bytes):
    Frame Control (2) | Duration/ID (2) | Addr 1 (6) | Addr 2 (6) | Addr 3 (6) | Sequence Control (2) | Addr 4 (6, only when To DS = From DS = 1) | Frame Body (0 to 2312) | CRC (4)
  Frame Control field (sizes in bits):
    Protocol Version (2) | Type (2) | Subtype (4) | To DS (1) | From DS (1) | More Frag (1) | Retry (1) | Pwr Mgt (1) | More Data (1) | WEP (1) | Rsvd (1)

34 Address Field Description
  - Addr 1: all stations filter on this address (the receiver).
  - Addr 2: Transmitter Address (TA); identifies the transmitter that the ACK frame is addressed to.
  - Addr 3: depends on the To DS and From DS bits.
  - Addr 4: only needed to identify the original source of WDS (Wireless Distribution System) frames.

    To DS  From DS  Address 1  Address 2  Address 3  Address 4
      0      0        DA         SA        BSSID       N/A     (IBSS / ad hoc)
      0      1        DA        BSSID       SA         N/A     (AP to station)
      1      0       BSSID       SA         DA         N/A     (station to AP)
      1      1        RA         TA         DA         SA      (WDS, AP to AP)

35 Type field descriptions
  Type and subtype identify the function of the frame:
  - Type = 00: Management Frame (Beacon, (Re)Association, Probe, (De)Authentication, Power Management)
  - Type = 01: Control Frame (RTS/CTS, ACK)
  - Type = 10: Data Frame
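The header layout of slides 33 to 35 and the address table of slide 34, as a small decoder. This is an added example written for this transcript, not code from the talk; the frames at the bottom are constructed with hypothetical MAC addresses (AP, AP2, STA, GW), not captured traffic.

```python
"""Decode the 802.11 MAC header of slides 33-35 and map Address 1..4 to
their roles from the To DS / From DS table of slide 34.

Added example; this is not code from the talk. The sample frames at the
bottom are constructed with hypothetical MAC addresses, not captured traffic.
"""
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "reserved"}
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 2: "reassociation request", 3: "reassociation response",
                 4: "probe request", 5: "probe response", 8: "beacon",
                 10: "disassociation", 11: "authentication",
                 12: "deauthentication"}
CTRL_SUBTYPES = {11: "RTS", 12: "CTS", 13: "ACK"}

# Slide 34: meaning of the address fields for each (To DS, From DS) value.
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID", None),   # IBSS, or any management frame
    (0, 1): ("DA", "BSSID", "SA", None),   # AP -> station
    (1, 0): ("BSSID", "SA", "DA", None),   # station -> AP
    (1, 1): ("RA", "TA", "DA", "SA"),      # WDS, AP -> AP; Addr 4 present
}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame):
    """Return the header fields of a management, data or RTS/CTS/ACK frame."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    to_ds, from_ds = flags & 0x1, (flags >> 1) & 0x1
    info = {
        "version": fc & 0x3,
        "type": TYPE_NAMES[ftype],
        "subtype": subtype,
        "to_ds": to_ds,
        "from_ds": from_ds,
        "retry": bool(flags & 0x08),
        "protected": bool(flags & 0x40),   # the "WEP" bit of slide 33
        "duration": duration,
    }
    if ftype == 1:
        # Control frames carry one (CTS, ACK) or two (RTS) addresses and no
        # Sequence Control field.
        info["subtype"] = CTRL_SUBTYPES.get(subtype, subtype)
        count = 2 if subtype == 11 else 1
        addrs = [frame[4 + 6 * k:10 + 6 * k] for k in range(count)]
        info["addresses"] = dict(zip(("RA", "TA"), map(mac_str, addrs)))
        info["body_offset"] = 4 + 6 * count
        return info
    if ftype == 0:
        info["subtype"] = MGMT_SUBTYPES.get(subtype, subtype)
    roles = ADDRESS_ROLES[(to_ds, from_ds)]
    addrs = [frame[4:10], frame[10:16], frame[16:22]]
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    offset = 24
    if roles[3] is not None:               # Addr 4 only when To DS = From DS = 1
        addrs.append(frame[24:30])
        offset = 30
    info["addresses"] = {r: mac_str(a) for r, a in zip(roles, addrs)}
    info["sequence"] = seq_ctrl >> 4       # 12-bit sequence number
    info["fragment"] = seq_ctrl & 0xF      # 4-bit fragment number
    info["body_offset"] = offset
    return info


def build_frame(fc, addrs, seq=0, body=b""):
    """Assemble a management/data header (Frame Control is little-endian)."""
    hdr = struct.pack("<HH", fc, 0) + b"".join(addrs[:3]) + struct.pack("<H", seq << 4)
    if len(addrs) == 4:
        hdr += addrs[3]
    return hdr + body


# Constructed sample frames (hypothetical addresses).
AP = bytes.fromhex("001122334455")      # AP / BSSID
AP2 = bytes.fromhex("00112233aabb")     # second AP, WDS peer
STA = bytes.fromhex("66778899aabb")     # wireless client
GW = bytes.fromhex("ccddeeff0011")      # wired host behind the AP
BCAST = b"\xff" * 6

BEACON = build_frame(0x0080, [BCAST, AP, AP], seq=17)                      # type 0, subtype 8
DATA_TO_AP = build_frame(0x4108, [AP, STA, GW], seq=42, body=b"\x01\x02")  # To DS + WEP bit
DATA_WDS = build_frame(0x0308, [AP2, AP, GW, STA], seq=7)                  # To DS + From DS
RTS = struct.pack("<HH", 0x00B4, 200) + AP + STA                           # type 1, subtype 11

if __name__ == "__main__":
    for name, f in (("beacon", BEACON), ("data", DATA_TO_AP), ("wds", DATA_WDS), ("rts", RTS)):
        print(name, parse_header(f))
```

The `protected` flag is the only hint in the header that WEP is in use; everything else in the header, including all four addresses and the sequence number, is always readable by anyone in monitor mode, which is what the sniffing slides later rely on.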

36 Management Frames
  - Beacon: Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, PHY parameters, Traffic Indication Map (TIM)
  - Probe Request: SSID, Capabilities, Supported Rates
  - Probe Response: Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, parameters (same as a Beacon except for the TIM)

37 Management Frames (cont'd)
  - Association Request: Capability, Listen Interval, SSID, Supported Rates
  - Association Response: Capability, Status Code, Station ID (association ID), Supported Rates
  - Reassociation Request: Capability, Listen Interval, SSID, Supported Rates, Current AP Address
  - Reassociation Response: Capability, Status Code, Station ID, Supported Rates

38 Management Frames (cont'd)
  - Disassociation: Reason Code
  - Authentication: Algorithm, Sequence Number, Status, Challenge Text
  - Deauthentication: Reason Code
  None of these frames is authenticated or encrypted in the original 802.11/WEP design, which is what makes the spoofing and denial-of-service attacks later in this talk possible.

39 Association + Authentication state machine
  - State 1: Unauthenticated, Unassociated
  - State 2: Authenticated, Unassociated (reached by successful authentication; Deauthentication returns to State 1)
  - State 3: Authenticated, Associated (reached by successful association; Disassociation returns to State 2, Deauthentication returns to State 1)

40 Authentication
  - Controls access to the infrastructure.
  - The station first needs to be authenticated by the AP in order to join the AP's network.
  - Stations identify themselves to other stations (or APs) prior to data traffic or association.
  - Two authentication subtypes: Open System and Shared Key.

41 Open System Authentication
  - A sends an authentication request to B
  - B sends the result back to A
  - No credential is checked: any station that asks is authenticated.

42 Shared Key Authentication
  (figure: four-frame exchange)
  - A sends an authentication request (algorithm = shared key, sequence number 1)
  - B replies with 128 bytes of random challenge text, in the clear (sequence number 2)
  - A returns the challenge WEP-encrypted under the shared key (sequence number 3)
  - B decrypts it, compares it with its challenge, and sends the status (sequence number 4)
  Caveat: the exchange exposes a plaintext (the challenge) together with its ciphertext under one IV, so a passive listener obtains that IV's RC4 keystream; the WEP attacks section shows what a known keystream is worth.

43 Access Point Discovery
  - Beacons are sent out about 10 times a second (every 100 ms by default) and advertise the AP's capabilities
  - A station queries access points with a Probe Request listing the features it wants
  - Access points respond with a Probe Response listing the features they support
  - With Open System, authentication is just a formality
  - Joining may involve more frames: Probe Request / Probe Response, Authentication Request / Response, Association Request / Response

44 Association
  - Next step after authentication
  - Association enables data transfer between client and AP
  - The client sends an association request frame to the AP, which replies with an association response frame either allowing or disallowing the association

45 Association (cont'd)
  - Establishes the relationship with the AP
  - Stations scan the frequency band and select the AP with the best communications quality:
    - Active scan: send a Probe Request on specific channels and assess the responses
    - Passive scan: assess communications quality from the beacon messages
  - The AP maintains the list of associated stations in MAC firmware, recording each station's capability (data rate) and allowing inter-BSS relay
  - The station's MAC address is also maintained in the bridge learn table, associated with the port it is located on

46 WEP: Wired Equivalent Privacy
  - Designed to be computationally efficient, self-synchronizing, and exportable
  - Data headers remain unencrypted; only the frame body is protected.
  - The cipher used is RC4(v, k), keyed with the per-packet IV v and the shared key k
  - Shared key k: manual distribution among clients.

47 WEP Encryption
  - WEP encryption key: a shared 40- or 104-bit number.
  - WEP keys are used both for (shared key) authentication and for encryption of data.
  - A 32-bit integrity check value (ICV), a CRC-32 over the data, is calculated and appended to the end of the frame data.
  - A 24-bit initialization vector (IV) is prepended to the WEP key to form the per-packet RC4 key.
  - IV and WEP key are input to the pseudo-random number generator (PRNG, the RC4 keystream generator) to produce a bit sequence the same size as [data + ICV].
  - The PRNG bit sequence is bit-wise XORed with [data + ICV] to produce the encrypted portion of the payload sent between the wireless AP and the wireless client.
  - The IV is added, in the clear, to the front of the encrypted [data + ICV], which becomes the payload of the wireless MAC frame.
  - The result is IV + encrypted [data + ICV].

48 WEP Decryption
  - The IV is read from the front of the MAC payload.
  - The WEP key is concatenated with the IV.
  - The concatenated IV and WEP key seed the same PRNG to generate a bit sequence the same size as [data + ICV].
  - The PRNG bit sequence is XORed with the encrypted [data + ICV] to recover [data + ICV].
  - The ICV of the recovered data is calculated and compared with the value in the incoming frame; a mismatch discards the frame.
  - The WEP key stays constant over a long duration (days and months); only the IV changes, and how often it changes is up to the sending device.

49 WEP
  (figure: sender: append ICV = CRC32(Data); select and insert 24-bit IV; per-packet key = IV || RC4 base key; RC4-encrypt Data || ICV. Receiver: remove IV from packet; per-packet key = IV || RC4 base key; RC4-decrypt Data || ICV; check ICV = CRC32(Data))

50 WEP Protocol
  - The key is shared by all clients and the base station.
  - PRNG: pseudo-random number generator (RC4)

51 WEP (cont'd)
  (figure)

52 Drawbacks of the WEP Protocol
  - The determination and distribution of WEP keys are not defined
  - There is no defined mechanism to change the WEP key, either per authentication or periodically for an authenticated connection
  - No mechanism for central authentication, authorization, and accounting
  - No per-frame authentication mechanism to identify the frame source
  - No per-user identification and authentication

53 Initialization Vector (IV)
  - Over a period, the same plaintext packet should not produce the same ciphertext packet
  - The IV is meant to be random and to change per packet; it is generated by the device on the fly
  - 24 bits long
  - "64-bit" encryption: 24-bit IV + 40-bit WEP key
  - "128-bit" encryption: 24-bit IV + 104-bit WEP key
  - Only the key bits are secret; the IV travels in the clear, so the advertised key length overstates the security by 24 bits

54 (figure)

55 (figure)

56 Wireless Threats
  - Passive eavesdropping and traffic analysis
  - Message injection and active eavesdropping
  - Message deletion and interception
  - Masquerading and malicious access points
  - Session hijacking
  - Denial of service (DoS)

57 Network Sniffing
  - Sniffing is eavesdropping, a reconnaissance technique
  - A sniffer is a program that intercepts and decodes network traffic broadcast through a medium
  - Sniffing is the act by a machine S of making copies of a network packet sent by machine A and intended to be received by machine B
  - Sniffing is not a TCP/IP problem; it is enabled by the media, Ethernet and 802.11, at the physical and data link layers

58 Wireless Network Sniffing
  - Wireless LAN sniffers can gather information about the wireless network from a distance with a directional antenna
  - RF monitor mode of a wireless card allows every frame appearing on a channel to be copied as the radio of the station tunes to various channels; analogous to a wired Ethernet card in promiscuous mode
  - A station in monitor mode captures packets without associating with an AP or ad hoc network
  - Many wireless cards permit RF monitor mode

59 Passive Scanning
  - The eavesdropper does NOT transmit packets.
  - A WLAN can be "listened to" from outside a building using readily available technology

60 Passive Scanning (cont'd)
  - A passive scanner instructs the wireless card to listen on each channel for a few messages
  - Passive scanners can gather passwords from HTTP sites and telnet sessions sent in plain text
  - An attacker can passively scan without transmitting at all; such attacks leave no trace of the attacker's presence on the network

61 Passive Scanning: Why?
  - Scanning is a reconnaissance technique
  - Detection of the SSID
  - Collecting the MAC addresses
  - Collecting the frames for cracking WEP

62 A Basic "Attack"
  Behind the scenes of a completely passive wireless pre-attack session using Kismet

63 Kismet
  - Kismet is a wireless sniffer
  - Setting up Kismet is fairly straightforward
  - Search the web for "Kismet" for articles

64 Starting Kismet
  - The mysqld service is started.
  - The gpsd service is started on serial port 1.
  - The wireless card is placed into monitor mode.
  - kismet is launched.

65 Detection
  Kismet picks up some wireless jabber. To take a closer look at the traffic, disengage "autofit" mode and press "s" twice to sort by SSID. The network list shows, per network: WEP yes or no, packet counts (here 4 TCP packets), IPs detected, type, and signal strength.

66 Network Details
  Network details for the address are viewed by pressing the "i" key.

67 Network Details (cont'd)
  (screenshot of the same details view)

68 More network details
  More network details for the address are viewed by pressing the "i" key, then scrolling down.

69 Traffic dump
  A dump of "printable" traffic can be had by pressing the "d" key. \MAILSLOTS? Could this be a post office computer? (that is a joke. feel free to laugh at this point. thank you.)

70 Packet list
  A list of packet types can be viewed by selecting a wireless point and pressing "p".

71 gpsmap
  A map of the area is printed with:
  # gpsmap -S2 -s10 -r gpsfile

72 Wireshark: Beacon
  The *.dump files Kismet generates can be opened with tcpdump or Wireshark. This is an 802.11 beacon frame.

73 Wireshark: Probe Request
  ...an 802.11 Probe Request from the same machine

74 Wireshark: Registration
  oooh... a NetBIOS name registration packet for "MSHOME"...

75 Wireshark: Registration
  ...another registration packet, this time from "LAP10"...

76 Wireshark: DHCP request
  ...a DHCP request... it would be interesting to spoof a response to this...

77 Wireshark: Browser request
  ...a NetBIOS browser request...

78 Wireshark: Browser announce
  ...an SMB host announcement... revealing an OS major version of 5 and an OS minor version of 1 (Windows XP). We have a Windows XP client laptop searching for an access point. This particular target ends up being nothing more than a lone client crying out for a wireless server to connect to. Spoofing management frames to this client would most likely prove to be pointless...

79 Passive Scanning
  - This simple example demonstrates the ability to monitor even client machines that are not actively connected to a wireless access point.
  - In a more "chatty" environment, much more is possible.
  - All of this information was captured passively: Kismet did not send a single packet on the airwaves.
  - This type of monitoring cannot be detected, but preventive measures can be taken.

80 Detection of SSID
  - The SSID occurs in the following frame types: beacon, probe request, probe response, association request, and reassociation request.
  - Management frames are always in the clear, even when WEP is enabled.
  - Merely collect a few frames and note the SSID.
  - What if beacons are turned off? Or the SSID is hidden?

81 When the Beacon carries a null SSID …
  - Patiently wait. Recall that management frames are in the clear.
  - Wait for an association: the Association Request contains the SSID (the Association Response does not; as slide 37 shows, it carries only capability, status code, station ID and rates).
  - Wait for a Probe Request: a client probing for the hidden network names it, and the Probe Response contains the SSID.

82 Beacon transmission is disabled...
  - Wait for a voluntary Association Request to appear, or
  - Actively probe by injecting spoofed frames (e.g. a Probe Request for the suspected SSID), and then sniff the responses
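Slides 80 to 82 say where the SSID shows up and how a "hidden" SSID still leaks; this added example (written for the transcript, not code from the talk) walks the tagged parameters of those management frames and reports the first one that reveals the name. The frames are constructed inline with a hypothetical BSSID and client address, and the SSID "WSU Wireless" is the talk's own example.

```python
"""Recover the SSID from the management frames of slides 80-82 (beacon,
probe request, probe response, association and reassociation requests),
including the "hidden SSID" case where the beacon carries a null SSID.

Added example, not from the slides. Frames are constructed inline with a
hypothetical BSSID and client; nothing here is a real capture.
"""
import struct

SSID_ELEMENT = 0

# Bytes of fixed fields that sit between the 24-byte MAC header and the
# tagged parameters (information elements) for each management subtype.
FIXED_FIELDS = {
    0: 4,    # association request: capability(2) + listen interval(2)
    2: 10,   # reassociation request: capability(2) + listen(2) + current AP(6)
    4: 0,    # probe request: elements only
    5: 12,   # probe response: timestamp(8) + beacon interval(2) + capability(2)
    8: 12,   # beacon: same layout as the probe response
}
SUBTYPE_NAMES = {0: "association request", 2: "reassociation request",
                 4: "probe request", 5: "probe response", 8: "beacon"}


def elements(body):
    """Split tagged parameters into (id, value); stop at a truncated element."""
    out, i = [], 0
    while i + 2 <= len(body):
        eid, n = body[i], body[i + 1]
        if i + 2 + n > len(body):
            break
        out.append((eid, body[i + 2:i + 2 + n]))
        i += 2 + n
    return out


def subtype_of(frame):
    return (struct.unpack_from("<H", frame, 0)[0] >> 4) & 0xF


def ssid_of(frame):
    """SSID string; '' for a hidden/null SSID; None if the frame carries none."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_FIELDS:
        return None
    for eid, val in elements(frame[24 + FIXED_FIELDS[subtype]:]):
        if eid == SSID_ELEMENT:
            # Both "hidden" encodings: zero length, or NUL bytes of the real length.
            if not val or val == b"\x00" * len(val):
                return ""
            return val.decode("utf-8", "replace")
    return None


def first_visible_ssid(frames):
    """Scan a capture in order; return (ssid, frame subtype) from the first
    frame that leaks a non-hidden SSID, or (None, None)."""
    for f in frames:
        s = ssid_of(f)
        if s:
            return s, SUBTYPE_NAMES[subtype_of(f)]
    return None, None


# --- constructed frames (hypothetical addresses) ---------------------------
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("66778899aabb")
BCAST = b"\xff" * 6


def mgmt(subtype, addr1, addr2, fixed, ies):
    """24-byte management header (type 0, no flags) + fixed fields + elements."""
    return struct.pack("<HH", subtype << 4, 0) + addr1 + addr2 + AP + b"\x00\x00" + fixed + ies


def ie(eid, value):
    return bytes([eid, len(value)]) + value


BEACON_FIXED = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval, capability
RATES = ie(1, b"\x82\x84\x8b\x96")                    # supported rates element

HIDDEN_BEACON = mgmt(8, BCAST, AP, BEACON_FIXED, ie(0, b"") + RATES)
NUL_BEACON = mgmt(8, BCAST, AP, BEACON_FIXED, ie(0, b"\x00" * 12) + RATES)
PROBE_REQ = mgmt(4, BCAST, STA, b"", ie(0, b"WSU Wireless") + RATES)
PROBE_RESP = mgmt(5, STA, AP, BEACON_FIXED, ie(0, b"WSU Wireless") + RATES + ie(3, b"\x06"))
ASSOC_REQ = mgmt(0, AP, STA, struct.pack("<HH", 0x0411, 10), ie(0, b"WSU Wireless") + RATES)

if __name__ == "__main__":
    print(first_visible_ssid([HIDDEN_BEACON, NUL_BEACON, PROBE_RESP, ASSOC_REQ]))
```

Feeding a capture in arrival order mirrors the "patiently wait" advice: every hidden beacon yields `''`, and the name appears the moment a client probes for it or associates.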

83 Collecting the MAC Addresses
  - The attacker gathers legitimate MAC addresses for use later in spoofed frames.
  - The source and destination MAC addresses are always in the clear in every frame; WEP encrypts only the frame body.
  - The attacker sniffs these legitimate addresses, which is all that is needed to pass a MAC-address filter on the AP.

84 84 WEP Attacks Systematic procedures in cracking the WEP. Systematic procedures in cracking the WEP. Need to collect a large number of frames. Need to collect a large number of frames. Collection may take hours to days. Collection may take hours to days. Time required depends heavily on saturation of access point Time required depends heavily on saturation of access point Cracking may take a few seconds to a couple of hours. Cracking may take a few seconds to a couple of hours. Cracking uses “weakness” in IV Cracking uses “weakness” in IV Four types of attacks Four types of attacks Passive attacks to decrypt traffic based on statistical analysis Passive attacks to decrypt traffic based on statistical analysis Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext Active attacks to decrypt traffic, based on tricking the access point Active attacks to decrypt traffic, based on tricking the access point Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic MatetiWiFi Security

85 What is a “Weak” IV?
The Key Scheduling Algorithm (KSA) is run on a per-frame key formed from the IV and the base key.
A flaw in the WEP use of RC4 allows “weak” IVs to be generated.
Those IVs give away information about the bytes of the key they were combined with.
An attacker will collect enough weak IVs to reveal bytes of the base key.

86 Initialization Vector, IV
The IV is only 24 bits, providing 16,777,216 different RC4 cipher streams for a given WEP key.
Chances of duplicate IVs are:
  1% after 582 encrypted frames
  10% after 1881 encrypted frames
  50% after 4,823 encrypted frames
  99% after 12,430 encrypted frames
Increasing the key size will not make WEP any safer. Why?
Walker, “IEEE 802.11 wireless LAN: Unsafe at any key size”, Oct 2000, http://www.dis.org/wl/pdf/unsafe.pdf
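The four percentages on this slide follow from the birthday bound on a 24-bit IV space. The Python below is an added illustration, not part of the original talk: it reproduces the slide's frame counts from the exact birthday formula, assuming IVs are drawn uniformly at random (many real cards used a sequential counter, which repeats deterministically after a reset, so the random model is if anything optimistic). The key length never enters the computation, which is the answer to the slide's "Why?".

```python
"""Birthday-bound collision estimate for WEP's 24-bit IV (added example)."""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 distinct IVs, hence keystreams, per WEP key


def collision_probability(frames: int, space: int = IV_SPACE) -> float:
    """Probability that at least two of `frames` uniformly random IVs coincide.

    Exact birthday computation: P(no collision) = prod_{i=1}^{n-1} (1 - i/space).
    The product is accumulated in log space with log1p so the many factors
    close to 1 do not lose precision.
    """
    if frames < 2:
        return 0.0
    log_no_collision = 0.0
    for i in range(1, frames):
        log_no_collision += math.log1p(-i / space)
    return 1.0 - math.exp(log_no_collision)


def frames_for_probability(p: float, space: int = IV_SPACE) -> int:
    """Smallest frame count at which the IV collision probability reaches p."""
    log_no_collision = 0.0
    n = 1
    while True:
        n += 1
        log_no_collision += math.log1p(-(n - 1) / space)
        if 1.0 - math.exp(log_no_collision) >= p:
            return n


def collision_table(key_bits: int) -> dict:
    """Frame counts for the slide's four thresholds.

    `key_bits` is accepted only to make the point: the result is identical for
    40-bit and 104-bit keys because only the IV width enters the computation.
    """
    return {p: frames_for_probability(p) for p in (0.01, 0.10, 0.50, 0.99)}


if __name__ == "__main__":
    for bits in (40, 104):
        print(f"{bits}-bit WEP key:", collision_table(bits))
```

Each collision hands an observer two frames encrypted under the same RC4 keystream, which is what the UC Berkeley slides that follow exploit; the computation shows that this happens after a few thousand frames, i.e. within minutes on a busy AP.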

87 UC Berkeley Study
Bit flipping
  Bits are flipped in WEP-encrypted frames, and the ICV (CRC32) is recalculated
Replay
  Bit-flipped frames with known IVs are re-sent
  The AP accepts the frame since the CRC32 is correct
  The Layer 3 device will reject it, and send a predictable response
  A response database is built and used to derive the key

88 UC Berkeley Study
(Figure: known-plaintext recovery of the WEP keystream. Labels: Predicted PlainText “Cisco 1234”, CipherText “XXYYZZ”, Stream Cipher.)
WEP PlainText data is XORed with the WEP stream cipher (keystream) to produce the encrypted CipherText.
If the CipherText is XORed with guessed PlainText, the stream cipher (keystream) can be derived.

89 UC Berkeley Study
(Figure: flow of the bit-flipping attack.)
  Bit-flipped frame sent; the attacker anticipates the response from the upper-layer device and attempts to derive the key
  Frame passes the ICV and is forwarded to the destination MAC
  Upper-layer protocol fails its CRC and sends a predictable error message to the source MAC
  AP WEP-encrypts the response and forwards it to the source MAC
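To make the figures on slides 88 and 89 concrete, here is an added Python example (mine, not from the talk) that builds a minimal WEP-style encapsulation, RC4 keyed with IV || base key with the ICV omitted for brevity, and shows the two consequences of a reused keystream: XORing two ciphertexts sent under the same IV yields the XOR of their plaintexts, and one predictable plaintext yields the keystream for that IV, which decrypts every other frame sent under it. The key, IV and frame contents are constructed sample values.

```python
"""Keystream reuse under WEP's IV || key construction (added example)."""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by `length` PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR over the common length of a and b."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(base_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encapsulation: the per-frame RC4 key is IV || base key, and the
    3-byte IV travels in the clear in front of the ciphertext. The ICV is
    omitted; it does not affect the keystream-reuse point."""
    assert len(iv) == 3
    return iv + xor_bytes(plaintext, rc4_keystream(iv + base_key, len(plaintext)))


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Ciphertext XOR known/guessed plaintext = keystream (slide 88)."""
    return xor_bytes(frame[3:], known_plaintext)


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    return xor_bytes(frame[3:], keystream)


# Constructed sample values (not real keys or captured traffic).
BASE_KEY = bytes.fromhex("0102030405")            # 40-bit WEP key
IV = bytes.fromhex("aabbcc")                      # the same IV reused for two frames
FRAME_A_PLAINTEXT = b"Cisco 1234 login ok"        # content an observer can predict
FRAME_B_PLAINTEXT = b"secret payload data"        # same length, unknown to observer


def demo() -> dict:
    frame_a = wep_encrypt(BASE_KEY, IV, FRAME_A_PLAINTEXT)
    frame_b = wep_encrypt(BASE_KEY, IV, FRAME_B_PLAINTEXT)
    # 1. Same IV => same keystream => XOR of ciphertexts leaks XOR of plaintexts.
    xor_of_plaintexts = xor_bytes(frame_a[3:], frame_b[3:])
    # 2. One predictable plaintext => keystream for this IV => frame B decrypted.
    ks = recover_keystream(frame_a, FRAME_A_PLAINTEXT)
    return {
        "same_iv": frame_a[:3] == frame_b[:3],
        "xor_leak_matches": xor_of_plaintexts == xor_bytes(FRAME_A_PLAINTEXT, FRAME_B_PLAINTEXT),
        "frame_b_recovered": decrypt_with_keystream(frame_b, ks),
    }
```

Neither step touches the base key; the observer only needs a repeated IV (slide 86 says when to expect one) and a frame whose contents are predictable, such as a protocol error message.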

90 Wireless Spoofing

91 Wireless Spoofing
The attacker constructs frames by filling selected fields that contain addresses or identifiers with legitimate-looking but non-existent values, or with legitimate values that belong to others.
The attacker would have collected these legitimate values through sniffing.

92 MAC Address Spoofing
Probing is sniffable by the sys admins.
The attacker wishes to be hidden.
Uses the MAC address of a legitimate card.
APs can filter based on MAC addresses.

93 IP spoofing
Replacing the true IP address of the sender (or, in some cases, the destination) with a different address.
Defeats IP-address-based trust.
IP spoofing is an integral part of many attacks.

94 Frame Spoofing
Frames themselves are not authenticated in 802.11.
Construction of the byte stream that constitutes a spoofed frame is facilitated by libraries.
The difficulty here is not in the construction of the contents of the frame, but in getting it radiated (transmitted) by the STA or an AP. This requires control over the firmware.

95 Wireless Network Probing

96 Wireless Network Probing
Send cleverly constructed packets to a target that trigger useful responses.
This activity is known as probing or active scanning.
The target can discover that it is being probed.

97 Active Attacks
An attacker can connect to an AP and obtain an IP address from the DHCP server.
A business competitor can use this kind of attack to get at customer information that is confidential to an organization.

98 Detection of SSID
Beacon transmission is disabled, and the attacker does not wish to wait …
Inject a probe request frame using a spoofed source MAC address.
The probe response frame from the APs will contain, in the clear, the SSID and other information similar to that in the beacon frames.

99 Detection of APs and stations
Certain bits in the frames identify that the frame is from an AP.
If we assume that WEP is either disabled or cracked, the attacker can also gather the IP addresses of the AP and the stations.

100 Detection of Probing
The frames that an attacker injects can be sniffed by a sys admin.
GPS-enabled equipment can identify the physical coordinates of a transmitting device.

101 AP Weaknesses

102 Poorly Constructed WEP keys
The default WEP keys used are often too trivial.
APs use simple techniques to convert the user’s keyboard input into a bit vector.
Usually 5 or 13 ASCII printable characters are directly mapped by concatenating their ASCII 8-bit codes into a 40-bit or 104-bit WEP key.
A stronger 104-bit key can be constructed from 26 hexadecimal digits.
It is possible to form an even stronger 104-bit WEP key by truncating the MD5 hash of an arbitrary-length pass phrase.
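The three key-entry methods on this slide differ in how much of the 104-bit key the user actually controls. The Python below is an added example (not from the talk) that implements each mapping and puts numbers on the slide's "stronger": 13 printable characters span 95^13 values, about 85 bits rather than 104, and hashing a pass phrase cannot give more bits than the phrase itself carries. The MD5 mapping is the plain truncated digest described on the slide; vendor implementations differ in details and are an assumption here.

```python
"""How an AP-entered WEP key maps to bits, and the strength each method
actually delivers (added example)."""
import hashlib
import math

PRINTABLE_ASCII = 95          # 0x20..0x7E
KEY_BYTES = {40: 5, 104: 13}  # WEP key sizes exclude the 24-bit IV


def key_from_ascii(text: str, key_bits: int = 104) -> bytes:
    """Direct mapping: 5 or 13 printable characters, concatenated 8-bit codes."""
    n = KEY_BYTES[key_bits]
    if len(text) != n or not all(0x20 <= ord(c) <= 0x7E for c in text):
        raise ValueError(f"need exactly {n} printable ASCII characters")
    return text.encode("ascii")


def key_from_hex(digits: str, key_bits: int = 104) -> bytes:
    """10 or 26 hex digits: every bit of the key is user-controlled."""
    n = KEY_BYTES[key_bits]
    if len(digits) != 2 * n:
        raise ValueError(f"need exactly {2 * n} hex digits")
    return bytes.fromhex(digits)


def key_from_passphrase(passphrase: str, key_bits: int = 104) -> bytes:
    """Truncated MD5 of an arbitrary-length pass phrase (the slide's third method).
    Assumption: plain MD5 over the UTF-8 bytes; real APs differ in details."""
    return hashlib.md5(passphrase.encode("utf-8")).digest()[: KEY_BYTES[key_bits]]


def ascii_method_bits(key_bits: int = 104) -> float:
    """Effective key space of the ASCII method: 95^n possibilities, not 2^(8n)."""
    return KEY_BYTES[key_bits] * math.log2(PRINTABLE_ASCII)


def passphrase_method_bits(passphrase: str, alphabet_size: int, key_bits: int = 104) -> float:
    """Hashing adds no entropy: strength is min(key bits, phrase entropy),
    assuming each character is chosen uniformly from `alphabet_size` symbols."""
    return min(float(key_bits), len(passphrase) * math.log2(alphabet_size))


if __name__ == "__main__":
    print("13 printable ASCII chars:", round(ascii_method_bits(104), 1), "bits")
    print("26 hex digits:", 104, "bits")
    print("MD5 of 'correct horse battery staple' (lower-case+space):",
          round(passphrase_method_bits("correct horse battery staple", 27), 1), "bits")
```

The same reasoning applies to any derived key: the hex method is the only one of the three in which the key space equals the nominal key length, and all three are still subject to the IV problem of slide 86.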

103 Defeating MAC Filtering
Typical APs permit access to only those stations with known MAC addresses.
Easily defeated by the attacker:
  Spoofs his frames with a MAC address that is registered with the AP, chosen from among the ones he collected through sniffing.
  That a MAC address is registered can be detected by observing the frames from the AP to the stations.

104 Rogue Networks
Rogue AP = an unauthorized access point
Network users often set up rogue wireless LANs to simplify their lives
  Rarely implement security measures
  The network is vulnerable to War Driving and sniffing, and you may not even know it
Trojan AP = Rogue AP with malicious intent

105 Trojan AP Mechanics
Create a competing wireless network.
  The AP can be an actual AP or Linux HostAP
Create or modify a captive portal behind the AP
  Redirect users to a “splash” page
  DoS or theft of user credentials, or …
A bold attacker will visit ground zero.
A not-so-bold one will drive by with an amp.

106 Equipment Flaws
Numerous flaws in equipment from well-known manufacturers
Search on “access point vulnerabilities”
Ex 1: On receiving a request for a file named config.img via TFTP, an AP sends its configuration. The image includes the administrator’s password required by the HTTP user interface, the WEP encryption keys, MAC address, and SSID.
Ex 2: An AP returns the WEP keys, MAC filter list, and administrator’s password when sent a UDP packet, to a particular port, containing the string “gstsearch”.

107 Denial of Service

108 Denial of Service
A system is not providing services to authorized clients because of resource exhaustion by unauthorized clients.
DoS attacks are difficult to prevent
Difficult to stop an on-going attack
The victim and its clients may not even detect the attack
Duration may range from milliseconds to hours.
A DoS attack against an individual station enables session hijacking

109 Jamming
The hacker can use a high-power RF signal generator to interfere with the ongoing wireless connection, making it useless.
Can be avoided only by physically finding the jamming source.

110 Flooding with Associations
The AP inserts the data supplied by the STA in the Association Request into a table called the association table.
802.11 specifies a maximum value of 2007 concurrent associations to an AP. The actual size of this table varies among different models of APs.
When this table overflows, the AP will refuse further clients.
The attacker authenticates several non-existing STAs using legitimate-looking but randomly generated MAC addresses. The attacker then sends a flood of spoofed associate requests so that the association table overflows.
Enabling MAC filtering in the AP will prevent this attack.

111 Deauth/Disassoc
(Figure: layout of the management frame.)
Management frame
The attacker must spoof the AP MAC address in Src Addr and BSSID
Sequence Control field handled by firmware (not set by the attacker)

112 Forged Disassociation
The attacker sends a spoofed Disassociation frame where the source MAC address is set to that of the AP.
To prevent Reassociation, the attacker continues to send Disassociation frames for a desired period.

113 Forged Deauthentication
After an Association Response frame is observed, the attacker sends a spoofed Deauthentication frame where the source MAC address is spoofed to that of the AP.
The station is now unassociated and unauthenticated, and needs to reconnect.
To prevent a reconnection, the attacker continues to send Deauthentication frames for a desired period.
Neither MAC filtering nor WEP protection will prevent this attack.

114 First Stage – Deauth Attack
(Figure: Airopeek trace of the deauth attack.)

115 First Stage – Deauth Attack
(Figure: decode of the Deauthentication frame.)

116 Power Management
Power-management schemes place a system in sleep mode when no activity occurs.
The client can be configured to be in continuous aware mode (CAM) or Power Save Polling (PSP) mode.

117 Power Saving
The attacker steals packets for a station while the station is in the Doze state.
The protocol requires a station to inform the AP through a successful frame exchange that it wishes to enter the Doze state from the Active state.
Periodically the station awakens and sends a PS-Poll frame to the AP. The AP will transmit in response the packets that were buffered for the station while it was dozing.
This polling frame can be spoofed by an attacker, causing the AP to send the collected packets and flush its internal buffers.
An attacker can repeat these polling messages so that when the legitimate station periodically awakens and polls, the AP will inform it that there are no pending packets.

118 Man-in-the-Middle Attacks

119 Man-in-the-Middle Attacks
The attacker on host X inserts X between all communication between hosts B and C, and neither B nor C is aware of the presence of X.
All messages sent by B do reach C, but via X, and vice versa.
The attacker can merely observe the communication or modify it before sending it on.

120 Wireless MITM Attack
A hacker uses a Trojan AP to hijack mobile nodes by sending a stronger signal than the actual AP is sending to those nodes.
The client then associates with the Trojan AP, sending its data into the wrong hands.

121 Wireless MITM Attack
Assume that station B was authenticated with C, a legitimate AP.
Attacker X is a laptop with two wireless cards. Through one card, he presents X as an AP.
Attacker X sends Deauthentication frames to B using C’s MAC address as the source, and the BSSID he has collected.
B is deauthenticated and begins a scan for an AP, and may find X on a channel different from C.
There is a race condition between X and C.
If B associates with X, the MITM attack has succeeded. X will re-transmit the frames it receives from B to C. These frames will have a spoofed source address of B.

122 First Stage – Deauth Attack
The attack machine uses vulnerabilities to get information about the AP and clients.
The attack machine sends deauthentication frames to the victim using the AP’s MAC address as the source.

123 Second Stage – Client Capture
The victim’s card scans channels to search for a new AP.
The victim’s card associates with the Trojan AP on the attack machine.
The attack machine’s fake AP duplicates the MAC address and ESSID of the real AP.
The fake AP is on a different channel than the real one.

124 Third Stage – Connect to AP
The attack machine associates with the real AP using the MAC address of the victim’s machine.
The attack machine is now inserted and can pass frames through in a manner that is transparent to the upper-level protocols.

125 The Monkey-Jack Attack
(Figure only.)

126 Monkey-Jack Detection
(Figure, with callouts: “Why do I hear my MAC Address as the Src Addr? Is this an attack? Am I being spoofed?”)

127 Beginning of a MITM IDS Algorithm
(Figure only.)

128 ARP Poisoning
ARP poisoning is an attack technique that corrupts the ARP cache that the OS maintains, with wrong MAC addresses for some IP addresses.
ARP cache poisoning is an old problem in wired networks.
ARP poisoning is one of the techniques that enables the man-in-the-middle attack.
ARP poisoning on wireless networks can affect wired hosts too.
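A defender's counterpart to this slide: a minimal ARP-cache-poisoning monitor, added here as an example (not from the talk), that keeps its own IP-to-MAC table seeded with static entries for critical hosts and flags two symptoms over constructed sample packets: a reply that contradicts a known binding, and an unsolicited reply. Addresses, packets and the class name are constructed for illustration.

```python
"""Minimal ARP poisoning monitor over constructed ARP traffic (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ArpPacket:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


Alert = Tuple[str, str, str]  # (kind, ip, detail)


class ArpWatch:
    """Tracks IP->MAC bindings in the style of arpwatch-like tools (hypothetical
    implementation). Static entries (gateway, servers) are trusted and never
    overwritten; everything else is learned from the first sighting."""

    def __init__(self, static_bindings: dict):
        self.bindings = dict(static_bindings)
        self.outstanding = set()          # IPs we recently saw a request for
        self.alerts: List[Alert] = []

    def observe(self, pkt: ArpPacket) -> Optional[Alert]:
        alert = self._check_binding(pkt.sender_ip, pkt.sender_mac)
        if pkt.op == "request":
            # Remember who was asked, so the matching reply counts as solicited.
            self.outstanding.add(pkt.target_ip)
        elif alert is None and pkt.sender_ip not in self.outstanding:
            # Gratuitous ARP is normal at boot/failover, so this is low severity.
            alert = ("unsolicited_reply", pkt.sender_ip, pkt.sender_mac)
        if pkt.op == "reply":
            self.outstanding.discard(pkt.sender_ip)
        if alert:
            self.alerts.append(alert)
        return alert

    def _check_binding(self, ip: str, mac: str) -> Optional[Alert]:
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac       # first sighting: learn it
            return None
        if known != mac:
            # The classic poisoning symptom: a second MAC claiming an IP we know.
            return ("binding_change", ip, f"{known} -> {mac}")
        return None


def run_sample() -> List[Alert]:
    gateway = "192.168.1.1"
    watch = ArpWatch({gateway: "00:11:22:33:44:55"})   # constructed static entry
    sample = [  # constructed traffic, not a capture
        ArpPacket("request", "192.168.1.10", "aa:aa:aa:aa:aa:10", gateway),
        ArpPacket("reply", gateway, "00:11:22:33:44:55", "192.168.1.10"),     # normal
        ArpPacket("reply", gateway, "de:ad:be:ef:00:01", "192.168.1.10"),     # gateway IP claimed by another MAC
        ArpPacket("reply", "192.168.1.10", "de:ad:be:ef:00:01", gateway),     # client IP claimed by the same MAC
        ArpPacket("reply", "192.168.1.20", "aa:aa:aa:aa:aa:20", "192.168.1.255"),  # gratuitous
    ]
    for pkt in sample:
        watch.observe(pkt)
    return watch.alerts
```

Two binding changes from one MAC that bracket the gateway and a client are exactly the pattern of the man-in-the-middle described on the preceding slides; on a WLAN the monitor should sit on the wired side of the AP too, since the slide notes that wired hosts are affected.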

129 Session Hijacking
Session hijacking occurs when an attacker causes a user to lose his connection, and the attacker assumes his identity and privileges for a period.
An attacker temporarily disables the user’s system, say by a DoS attack or a buffer overflow exploit. The attacker then takes the identity of the user. The attacker now has all the access that the user has. When he is done, he stops the DoS attack and lets the user resume. The user may not detect the interruption if the disruption lasts no more than a couple of seconds.
Hijacking can be achieved by the forged disassociation DoS attack.
Corporate wireless networks are set up so that the user is directed to an authentication server when his station attempts a connection with an AP. After the authentication, the attacker employs the session hijacking described above using spoofed MAC addresses.

130 War Driving
“The benign act of locating and logging wireless access points while in motion.” -- (http://www.wardrive.net/)
Of course useful to attackers.
Drive around (or walk)
Possible: 10 mile range using a parabolic dish antenna.
“PC cards” vary in transmit power (25mW and up).

131 Wireless Hacking Tools

132 Attack Freeware
Many open source also
Airsnort (Linux)
WEPcrack (Linux)
Kismet (Linux)
Wellenreiter (Linux)
NetStumbler (Windows)
MiniStumbler (PocketPC)
BSD-Airtools (*BSD)
Aerosol (Windows)
WiFiScanner (Linux)
BackTrack 5 Linux Penetration Tools Distro
Details of a few follow

133 Network Security Tools
AiroPeek / AiroPeek NX: Wireless frame sniffer / analyzer, Windows
AirTraf: Wireless sniffer / analyzer / “IDS”
AirSnort: WEP key “cracker”
BSD Airtools: Ports for common wireless tools, very useful

134 Airsnarf
Simplifies HostAP, httpd, dhcpd, Net::DNS, and iptables setup
Simple example of a rogue AP

135 Ettercap
Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly, and many other interesting tricks.
It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.

136 libradiate
Radiate is a C library similar in practice to Libnet but designed for “802.11 frame reading, creation and injection.”
  Libnet builds layer 3 and above
  Libradiate builds 802.11 frames
Disperse, an example tool built using libradiate, is fully functional

137 libradiate
Frame types and subtypes
  Beacon: transmitted often, announcing a WLAN
  Probe request: a client frame - “anyone out there?”
  Association: client and server exchange - “can I play?”
  Disassociate: “no soup for you!”
  RTS/CTS: ready/clear to send frames
  ACK: Acknowledgement
Radiate allows construction of these frames very easily.

138 netstumbler
Access point enumeration tool, Windows, free
Supports GPS but lacks features required by a real wireless security hacker...


140 stumbverter (2002) - thanks to ... for map data!

141 Wireless Geographic Logging Engine (WiGLE)
Making maps of wireless networks since 2001
... Million Wifi Networks! (Sep 27, 2011)
Download Wigle Wifi for Android
Download the JiGLE Java Client
Download the DiGLE Windows Native client

142 kismet: wireless network sniffer
Segregates traffic
Detects IP blocks
Decloaks SSIDs
Detects factory default configurations
Detects netstumbler clients
Maps wireless points

143 air-jack
A family of tools based on the air-jack driver
  wlan-jack: spoofs a deauthentication frame to force a wireless user off the net
  essid-jack: wlan-jacks a victim, then sniffs the SSID when the user reconnects
  monkey-jack: wlan-jacks a victim, then plays man-in-the-middle between the attacker and the target
  kracker-jack: monkey-jacks a WLAN connection
Source: 02-lynn attack.ppt

144 Wireless Security Best Practices

145 Location of the APs
Network segmentation
Treat the WLAN as an untrusted network
RF signal shaping
Continually check for unauthorized (“rogue/Trojan”) APs

146 Proper Configuration
Change the default passwords
Use WEP, however broken it may be
Don't use static keys; change them frequently
Don't allow connections with an empty SSID
Don't broadcast your SSID
Use a VPN and MAC address filtering with strong mutual authentication
Wireless IDS/monitoring (e.g., …)

147 Proper Configuration
Most devices have multiple management interfaces
  HTTP
  Telnet
  FTP
  TFTP
  SNMP
Disable unneeded services / interfaces
Stay current with patches

148 Remedies
Secure Protocol Techniques
  Encrypted messages
  Digitally signed messages
  Encapsulation/tunneling
Use strong authentication

149 Wireless IDS
A wireless intrusion detection system (WIDS) is often a self-contained computer system with specialized hardware and software to detect anomalous behavior.
The special wireless hardware is more capable than a commodity wireless card, including RF monitor mode, detection of interference, and keeping track of signal-to-noise ratios.
It also includes GPS equipment so that rogue clients and APs can be located.
A WIDS includes one or more listening devices that collect MAC addresses, SSIDs, features enabled on the stations, transmit speeds, current channel, encryption status, beacon interval, etc.

150 Wireless IDS
The WIDS computing engine should be powerful enough that it can dissect frames and WEP-decrypt them into IP and TCP components. These can be fed into TCP/IP-related intrusion detection systems.
Unknown MAC addresses are detected by maintaining a registry of MAC addresses of known stations and APs.
It can detect spoofed known MAC addresses because the attacker could not control the firmware of the wireless card to insert the appropriate sequence numbers into the frame.
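The sequence-number check on this slide and the deauthentication flood of slides 111 through 115 can be expressed as a small detector. The Python below is an added example (mine, not from the talk or any WIDS product) that runs over constructed frame records: it flags transmitters outside the known-AP registry, sequence-number jumps that indicate two radios sharing one MAC address, and a burst of deauthentication or disassociation frames. The thresholds, the record layout and the frames are assumptions for illustration.

```python
"""Toy WIDS checks over constructed 802.11 frame records (added example)."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEQ_MODULO = 4096          # 802.11 Sequence Control carries a 12-bit sequence number
MAX_SEQ_JUMP = 32          # assumed: larger forward jump than a sniffer would normally miss
DEAUTH_WINDOW_S = 1.0      # assumed sliding window for the flood check
DEAUTH_MAX_PER_WINDOW = 3  # assumed: more than this many deauths per window is a flood


@dataclass
class Frame:
    ts: float       # capture time in seconds
    src: str        # transmitter address as seen on air
    subtype: str    # "beacon", "data", "deauth", "disassoc", ...
    seq: int        # 12-bit sequence number from Sequence Control


Alert = Tuple[str, str, str]   # (kind, source MAC, detail)


class WidsMonitor:
    def __init__(self, known_aps):
        self.known_aps = set(known_aps)           # the registry from slide 150
        self.last_seq: Dict[str, int] = {}
        self.deauth_times = defaultdict(deque)
        self.alerts: List[Alert] = []

    def observe(self, f: Frame) -> List[Alert]:
        found: List[Alert] = []
        if f.src not in self.known_aps:
            found.append(("unknown_transmitter", f.src, f.subtype))

        # Sequence-number continuity: a card's firmware increments the counter
        # per frame, so a frame forged by another radio lands far away in the
        # sequence, and the real AP's next frame "jumps back" again.
        prev = self.last_seq.get(f.src)
        if prev is not None:
            gap = (f.seq - prev) % SEQ_MODULO    # retransmissions give gap 0
            if gap > MAX_SEQ_JUMP:
                found.append(("seq_anomaly", f.src, f"{prev} -> {f.seq}"))
        self.last_seq[f.src] = f.seq

        # Deauth/disassoc burst from one (claimed) AP address.
        if f.subtype in ("deauth", "disassoc"):
            times = self.deauth_times[f.src]
            times.append(f.ts)
            while times and f.ts - times[0] > DEAUTH_WINDOW_S:
                times.popleft()
            if len(times) > DEAUTH_MAX_PER_WINDOW:
                found.append(("deauth_flood", f.src, f"{len(times)} in {DEAUTH_WINDOW_S}s"))

        self.alerts.extend(found)
        return found

    def summary(self) -> Counter:
        return Counter(kind for kind, _, _ in self.alerts)


def run_sample() -> Counter:
    ap = "00:11:22:33:44:55"                       # constructed legitimate AP MAC
    rogue = "66:77:88:99:aa:bb"                     # constructed unknown transmitter
    frames = [                                      # constructed, not a capture
        Frame(0.00, ap, "beacon", 100),
        Frame(0.10, ap, "beacon", 101),
        Frame(0.20, ap, "data", 102),
        Frame(0.25, ap, "deauth", 2900),   # forged: a foreign sequence counter
        Frame(0.30, ap, "beacon", 103),    # the real AP continues its own counter
        Frame(0.31, ap, "deauth", 2901),
        Frame(0.32, ap, "deauth", 2902),
        Frame(0.33, ap, "deauth", 2903),
        Frame(0.40, rogue, "beacon", 1),
    ]
    mon = WidsMonitor([ap])
    for f in frames:
        mon.observe(f)
    return mon.summary()
```

The sequence check rests on the assumption stated on slide 111, that the attacker's firmware sets the Sequence Control field; drivers that expose raw injection let the sender choose it, so the check should be paired with the rate-based deauth check rather than relied on alone, and only management frame protection (802.11w) removes the forgery at the protocol level.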

151 Wireless Auditing
- Every wireless network should be audited periodically.
- Several audit firms provide this service for a fee.
- A security audit begins with a well-established security policy.
- A policy for wireless networks should include a description of the geographical volume of coverage.
- The goal of an audit is to verify that there are no violations of the policy.

152 IEEE 802.1X
- General-purpose, port-based network access control mechanism for 802 technologies.
- Authentication is mutual: both the user (not the station) and the AP authenticate to each other.
- Supplicant: the entity that must be authenticated before LAN access is permitted (e.g., the station).
- Authenticator: the entity that enforces the authentication (e.g., the AP).
- Authentication server: the entity that provides the authentication service to the authenticator (usually a RADIUS server).

153 IEEE 802.1X
- Extensible Authentication Protocol (EAP)
- Can provide dynamic encryption key exchange, eliminating some of the issues with WEP
- Roaming is transparent to the end user
- Microsoft includes support in Windows

154 802.1X Architecture (figure; no text recovered)

155 Cisco LEAP Overview
- Provides centralized, scalable, user-based authentication
- Algorithm requires mutual authentication: the network authenticates the client, and the client authenticates the network
- Uses 802.1X for authentication messaging
- APs will also support WinXP's EAP-TLS
- Dynamic WEP key support with WEP key session timeouts

156 LEAP Authentication Process (figure: message sequence between Client, AP and RADIUS Server)
- Start; the AP blocks all requests until authentication completes
- AP: Request Identity; Client: Identity; AP forwards Identity to the RADIUS Server
- RADIUS Server authenticates Client; Client authenticates RADIUS Server
- Client and RADIUS Server each derive the session key; key length is communicated
- AP sends the Client the broadcast key, encrypted with the session key

157 IEEE 802.11i
- Ratified: 2004
- Replaces broken WEP and stopgap measures such as WPA
- Mutual authentication
  - EAP-TLS/802.1X/RADIUS
- Data confidentiality and integrity
  - CCMP (special mode of AES) replaces TKIP
- Key management protocols
  - Discovery and negotiation
  - Coordination with authentication

158 802.11i
- Takes base 802.1X and adds several features
- Wireless implementations are divided into two groups: legacy and new
- Both groups use 802.1X for credential verification, but the encryption method differs
- Legacy networks must use 104-bit WEP, TKIP and MIC
- New networks will be the same as legacy, except that they must replace WEP/TKIP with the advanced encryption standard in offset codebook mode (AES-OCB)

159 802.11i Architecture (figure)
- Layers: Physical (PHY, PMD), Data Link (MAC, MAC_SAP), Station Management Entity, 802.11i State Machines
- 802.1X Authenticator/Supplicant with an 802.1X Uncontrolled Port and an 802.1X Controlled Port
- Data passes through WEP/TKIP/CCMP keyed by the temporal key TK
- Key hierarchy: PTK ← PRF(PMK), where PTK = KCK | KEK | TK
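The key hierarchy in the figure, PTK = KCK | KEK | TK derived by a PRF from the PMK, and the dynamic key exchange that slide 153 credits to 802.1X/EAP, worked through in code. This is an added example, not code from the slides: the constructions are the ones 802.11i specifies (PBKDF2-HMAC-SHA1 for the pre-shared-key PMK, PRF-384 built from HMAC-SHA1 for the PTK, HMAC-SHA1-128 for the EAPOL-Key MIC under CCMP), while the passphrase, SSID, MAC addresses and nonces are constructed sample values.

```python
"""Added example (not from the slides): the 802.11i pairwise key hierarchy.

PMK  = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)  [PSK mode]
PTK  = PRF-384(PMK, "Pairwise key expansion",
               min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
PTK  = KCK (16) | KEK (16) | TK (16)            [sizes for CCMP]
KCK  keys the MIC on EAPOL-Key handshake frames; KEK wraps the group key;
TK   is the temporal key handed to CCMP (or TKIP) for data frames.
In 802.1X/EAP mode the PMK comes from the EAP method instead of PBKDF2,
but the PTK derivation is the same."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK-mode pairwise master key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... until nbytes of output are available."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Split PRF-384 output into KCK | KEK | TK. Ordering the addresses and
    nonces by value lets both sides compute the same PTK regardless of role."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_key_mic(kck: bytes, eapol_key_frame: bytes) -> bytes:
    """Key MIC for EAPOL-Key frames under CCMP (descriptor version 2):
    HMAC-SHA1 over the frame with its MIC field zeroed, truncated to 16 bytes.
    The caller supplies the frame with the MIC field already zeroed."""
    return hmac.new(kck, eapol_key_frame, hashlib.sha1).digest()[:16]


def demo() -> dict:
    """Run the derivation on constructed values and return hex-encoded keys."""
    pmk = pmk_from_passphrase("constructed passphrase", "ExampleNet")  # constructed
    aa = bytes.fromhex("001122334455")      # constructed AP address
    spa = bytes.fromhex("aabbccddee01")     # constructed station address
    anonce = bytes(range(32))               # constructed; real nonces are random
    snonce = bytes(range(32, 64))
    keys = derive_ptk(pmk, aa, spa, anonce, snonce)
    return {name: k.hex() for name, k in keys.items()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the figure makes, and the code shows, is that no key material crosses the air: the AP and the station exchange only nonces, each derives the same PTK locally from the PMK, and the KCK-keyed MIC on the handshake frames is what lets each side confirm the other holds the PMK.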

160 Wi-Fi Protected Access (WPA)
- Security solution based on IEEE standards
- Replacement for WEP
- Designed to run on existing hardware as a software upgrade; Wi-Fi Protected Access is derived from, and expected to be compatible with, the IEEE 802.11i standard
- TKIP (Temporal Key Integrity Protocol)
- User authentication via 802.1X and EAP

161 WPA2
- All of WPA
- Support for CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), based on the AES cipher, as an alternative to TKIP

162 Temporal Key Integrity Protocol (TKIP)
- 128-bit shared secret: the "temporal key" (TK)
- Mixes the transmitter's MAC address with the TK to produce a Phase 1 key.
- The Phase 1 key is mixed with an initialization vector (IV) to derive per-packet keys.
- Each key is used with RC4 to encrypt one and only one data packet.
- Defeats the attacks based on "Weaknesses in the Key Scheduling Algorithm of RC4" by Fluhrer, Mantin and Shamir.
- TKIP is backward compatible with current APs and wireless NICs.

163 Message Integrity Check (MIC)
- MIC prevents bit-flip attacks.
- Implemented on both the access point and all associated client devices, MIC adds a few bytes to each packet to make the packets tamper-evident.
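Why the MIC stops the bit-flip attacks that WEP's CRC-32 ICV did not, as an added example that is not part of the original presentation. The block implements Michael, the MIC algorithm TKIP uses, from its specification (a 64-bit key, 0x5a padding to a word boundary, and a four-step mix per 32-bit word) beside the unkeyed CRC-32; a receiver-side check shows that one flipped bit always changes the Michael value, which nobody without the key can recompute, whereas the CRC can be recomputed by anyone. The key and message are constructed sample values.

```python
"""Added example (not from the slides): the Michael MIC that TKIP appends to
each MSDU, next to the unkeyed CRC-32 ICV that WEP relied on.

Michael(K0|K1, M): l = K0, r = K1; for each little-endian 32-bit word of the
padded message: l ^= word, then one round of the block function below.
Padding: 0x5a, then 4 to 7 zero bytes so the length is a multiple of 4.
Output: l || r as two little-endian 32-bit words (8 bytes)."""
import hmac
import struct
import zlib

MASK = 0xFFFFFFFF


def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def ror(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def xswap(x):
    """Swap the two bytes within each 16-bit half of a 32-bit word."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def michael_block(l, r):
    """One Michael round; every step is invertible, so distinct (l, r)
    inputs always give distinct outputs."""
    r ^= rol(l, 17); l = (l + r) & MASK
    r ^= xswap(l);   l = (l + r) & MASK
    r ^= rol(l, 3);  l = (l + r) & MASK
    r ^= ror(l, 2);  l = (l + r) & MASK
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """8-byte keyed MIC over msg with an 8-byte key."""
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l, r = struct.unpack("<II", key)
    padded = msg + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)     # total of 4..7 zero bytes
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = michael_block(l, r)
    return struct.pack("<II", l, r)


def crc32_icv(msg: bytes) -> bytes:
    """WEP's ICV: plain CRC-32, no key involved."""
    return struct.pack("<I", zlib.crc32(msg) & MASK)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit inverted (simulates tampering)."""
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


def receiver_check(key: bytes, msg: bytes, mic: bytes) -> bool:
    """What the receiving station does: recompute Michael under the shared
    key and compare in constant time; a mismatch is a MIC failure."""
    return hmac.compare_digest(michael(key, msg), mic)


if __name__ == "__main__":
    key = bytes.fromhex("0011223344556677")        # constructed MIC key
    msg = b"constructed MSDU payload"              # constructed message
    mic = michael(key, msg)
    tampered = flip_bit(msg, 13)
    print("MIC accepted on original :", receiver_check(key, msg, mic))
    print("MIC accepted on tampered :", receiver_check(key, tampered, mic))
    print("CRC-32 of tampered, no key needed:", crc32_icv(tampered).hex())
```

Michael was chosen for TKIP because it runs on the CPUs of legacy cards; it is deliberately weak for a MAC, which is why 802.11i pairs it with countermeasures (a short rekey after two MIC failures in a minute) and why CCMP drops it in favour of the CBC-MAC built into AES.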

164 References
1. Jon Edney and William A. Arbaugh, Real 802.11 Security: Wi-Fi Protected Access and 802.11i, 480 pages, Addison Wesley, 2003, ISBN:
2. Matthew S. Gast, 802.11 Wireless Networks: The Definitive Guide, 464 pages, O'Reilly & Associates, April 2002, ISBN:
3. Changhua He, "Analysis of Security Protocols for Wireless Networks", PhD dissertation, Stanford University, December
4. Chris Hurley, Michael Puchol, Russ Rogers, and Frank Thornton, WarDriving: Drive, Detect, Defend, A Guide to Wireless Security, Syngress, ISBN:
5. IEEE, IEEE 802.11 standards documents
6. Tom Karygiannis and Les Owens, Wireless Network Security: 802.11, Bluetooth and Handheld Devices, National Institute of Standards and Technology Special Publication 800-48, November. http://cs-www.ncsl.nist.gov/publications/nistpubs/800-48/NIST_SP_ pdf
7. Prabhaker Mateti, TCP/IP Suite, The Internet Encyclopedia, Hossein Bidgoli (Editor), John Wiley 2003, ISBN
8. Prabhaker Mateti, "Hacking Techniques in Wireless Networks", in The Handbook of Information Security, edited by Bidgoli, John Wiley
9. Bruce Potter and Bob Fleck, 802.11 Security, O'Reilly & Associates, 2002; ISBN:
10. Joshua Wright, Understanding the WPA/WPA2 Break

