2 Case Study on Wireless Hacking Read It and WEP (not Weep) A store with the point-of-sale system connected through Wi-Fi /w WEP (Wired Equivalent Privacy) encryptionA hacker at the parking lot turns laptop with Wi-Fi card and directional antenna to promiscuous modeaircrack-ngairodump-ng to sniff frames including WEP initialization vectors (IVs)Look for SSID (service set identifier) of interest and its MAC addressaireplay-ng to spoof as a client to capture ARP and replay it to collect enough IVsaircrack-ng to crack WEP key from the capture fileDisable the promiscuous modeEnter WEP key and get an IP address from the DHCP server
3 Background on IEEE 802.11 Wireless LAN Frequencies and channelsISM (industrial, scientific, medical) unlicensed bands2.4 GHz: b/g/n, channels 1-14, non-overlapping channels: 1, 6, 115 GHz: a/n, channels , all non-overlappingSession establishmentClients scan channels, to send a broadcast probe request and wait for probe responses from APs with SSID (Service Set Identifier)APs also broadcast beacons periodicallyWindows Vista and later: clients wait for beaconsClients send an authentication request to a selected APClients send an association request to the AP
4 Security Mechanisms Basic Authentication: identity and encryption key MAC filtering: source MAC address pre-configured at APsHidden wireless networks: omitted SSID in beaconsResponding to broadcast probe requests: all pre-configured clients and APs, APs ignore any broadcast probe requestsAuthentication: identity and encryption keyWPA-PSK (Wi-Fi Protected Access, Pre-Shared Key)A 8~63-ASCII-character PSK known by APs and clients to derive encryption keysWPA EnterpriseLeverage 802.1x EAP (extensible authentication protocol) from clients to APs and extended to wired RADIUS serverFour-way handshake between clients and APsPairwise transit key (PTK) for unicast, group temporal key (GTK) for multicast/broadcastEncryption: at layer 2Wired Equivalent Privacy (WEP)RC4, no real authentication to generate the key (known in advance)Temporal Key Integrity Protocol (TKIP)RC4, a quick replacement to WEPAdvanced Encryption Standard (AES)
5 Equipments for Hacking Wireless adaptersChipsetOpen hardware for re-written drivers allowing low-level control: Atheros, Ralink RT73/RT2770F (merged to Mediatek), ref.: aircrack-ng.orgBand supportBoth 2.4 GHz and 5 GHzAntenna supportExternal antenna for long-range attacksInterfacePCMCIA being phased out, Express Card on laptop, USB with Virtual Machine, ref.: Ubiquiti SRC with Atheros on PCMCIA, Alfa with Ralink on USBOperating systems: Windows LinuxBackTrack Linux distribution: preinstalled with all tools and drivers for all popular wireless adapters; run on VM, launch from a LiveCD on USBMiscellaneous goodiesAntennasOmnidirectional antenna with a wide focus and small gain, ref.: HyperLinkTech, FAB-corp, Pasadena NetworksGPSTo plot AP locations on a map, ref.: Garmin, MagellanAPsTo run OpenWRT or DD-WRT on some off-the-shelf APs
6 Discovery and Monitoring (1/2) Finding wireless networksActive discoveryNetStumbler: broadcast probe requests to get responses from APsMany APs configured to ignore probe requestsPassive discoveryWhen APs are configured to not announce SSID or not to respond to probe requestsListen to beacons to list BSSID (Basic SSID, i.e., MAC address of the AP) and mark SSID as unknownListen to other clients talking to that BSSID to find the SSIDDiscovery toolsWar-driving to find APsWar-flying with GPS to survey an areaUser-uploaded WiGLE.net: map of APsKismet: support GPS-tracking, distributed deployment, GUIairodump-ng: part of aircrack-ng, simpler than KismetSaved to PCAP files
7 Discovery and Monitoring (2/2) Sniffing wireless trafficViolation of law in some US states if neither party does not knowMany unencrypted wireless networks when difficult to do authentication: hot spots, airports, etc.wireshark on Windows with AirPcap USB adaptersThwarting wireless sniffingWPA-PSK, WPA EnterpriseUpper layer encryption: VPN
8 Denial of Service Attacks built-in mechanism: forced disconnectIncorrect encryption key, overloading, etc.Abused for DoS attacksDe-authentication (deauth) attackSpoof de-authentication frames to disconnectFrom client to AP or from AP to clientClient drivers try to reconnect quicklySend more than one deauth frameairplay-ng: part of aircrack-ngDeauth attack: 64 deauth to AP from client, 64 deauth to client from APFind SSID by observing client’s probe requests as it reconnects
9 Encryption Attacks WPA vs. WEP WEP /w authentication vs. /wo authentication/w key rotation vs. /wo key rotationCrack again and again vs. crack once for allWEPKeystreamGenerated by WEP key and IV (Initiation Vector, pseudo-randomly generated for each frame and put into frame header)TX: XOR plain text to get cipher textRX: Use WEP key and IV from frame header to generate a keystream, XOR cipher text to get plain textDuplicate IVs in two frames compare their cipher texts guess the keystream guess WEP keyARP frames with little or no difference more duplicate IVs easier to guess the keystream and WEP key
10 Encryption Attacks Passive Attack Capture enough data frames, parse IVs, deduce WEP key60,000 IVs to crack a 104-bit keyairodump-ng: capture to a PCAP fileaircrack-ng: analyze statistically on a PCAP file to get WEP keyWatch the rate at which IVs are collected to tell how much longer it will take to gather enough to crack the keyStops with KEY FOUND
11 Encryption Attacks ARP Replay with Fake Authentication Replay broadcast ARP requestsFrom a client to an APAP broadcasts with a new IV each timeThe client replays ARP and generates new ARPIn 5 minutes, enough frames and IVs collectedSpoof a valid client’s MAC addressFake authentication attackOpen authentication without sending actual dataStepsairodump-ng: capture to a PCAP fileaireplay-ng: run fake authentication attackOpen another window to launch ARP replay attack with aireplay-ng againaircrack-ng: crack on the captured PCAP fileWEP countermeasures: Don’t use WEP ever.
12 Authentication Attacks WPA PSK About password brute forcingWPA PSKPSK shared among all users of a wireless networkFour-way handshake between clients and APs: Using PSK and SSID to derive encryption keysPSK, 8~63 characters, hashed 4096 times with SSIDTrillions of guessesCapture four-way handshake to crack PSK offlineWait or deauth to kick a client off (its driver will reconnect)Brute forcingaircrack-ng with dictionary and PCAPcoWPAtty: use SSID-specific rainbow tables (40GB)Use top 1000 SSIDs from WiGLE.netPyrit: offload hashing to GPU with multiple coresWPA-PSK mitigating controlsComplex PSK and unique SSIDBut could be disclosed by a single user
13 Authentication Attacks WPA Enterprise Identifying 802.1x EAP (extensible authentication protocol) typesCapture EAP handshakeWireshark shows EAP typeUnencrypted username in RADIUS server in EAP handshakeLEAP (lightweight EAP)Cisco solution /w clear text MSCHAPv2 challenge/responseasleep: offline brute-force attack with LEAP handshake and wordlistAvoid using LEAP just like WEPEAP-TTLS and PEAPA TLS (Transport Layer Security, successor of SSL) tunnel between an unauthenticated client and RADIUS serverAP relays and has no visibilityLess secure inner authentication protocol often in clear textAP impersonation and man-in-the-middle attackAct as a terminating end of the TLS tunnel, if the client is misconfigured not to check the identity of RADIUS server access inner auth protocolhostapd: Turn your card into an APasleep: offline brute-force on inner authentication protocolCountermeasure: Check the box to validate server certificate on all clients
14 Summary WEP WPA-PSK WPA Enterprise Passive attack & ARP replay with fake authenticationCracked in 5 minDon’t use it!WPA-PSKCould be brute-forced, though high complexityOne PSK fits all put other users at riskWPA EnterpriseLEAPCould be brute-forced, needs extremely complex passwordsEAP-TTLS and PEAPRelatively secure with multilayered encryptionSubject to AP impersonation and man-in-the-middle attackAlways have clients check server certificate
15 Homework #4 Ch6 & Ch8 (Total: 200) Due: 6/9 (Mon) in the final exam in printed hardcopy (format: problem, solution with explanation, screen dumps)(40 points) Use all of WHOIS, Robtex, and PhishTank to trace back on a phishing found in your mailbox. If you don’t find one, create one account and post the address onto Web to solicit some. Show and discuss your findings.(40 points) On Windows with some running processes connecting to the Internet, use FTK Imager to dump memory and then Volatility Framework to analyze the memory dump. Show processes with connections, and check whether they have DLLs.(30 points) Retrieve Poison Ivy RAT from the Internet. Use a program tracing tool you are familiar with to trace this RAT. Show how you trace the RAT with your tracing tool and summarize what modules this RAT contains.(30 points) Setup your own client and an AP, or find an existing AP, running no encryption. Use wireshark or airodump-ng to sniff and decode data frames. Show and discuss your findings.(60 points) Setup your own client and an AP to run WEP. Use the aircrack-ng suite to crack the WEP key by running through the steps of frame capturing, fake authentication attack, ARP replay attack, and key cracking. Show and discuss the steps you run through.