Presentation transcript: Dr. Igor Santos. Introduction to Wi-Fi networks - Encryption - WEP - WPA - Vulnerabilities - Attacks - Setting up a secure Wi-Fi network - Captive Portals.

Slide 1: Dr. Igor Santos

Slide 2: Contents
- Introduction to Wi-Fi networks
- Encryption
- WEP
- WPA
- Vulnerabilities
- Attacks
- Setting up a secure Wi-Fi network
- Captive Portals

Slide 3: Introduction to Wi-Fi networks

Slide 4
- What is a Wi-Fi network?
  - A set of computers interconnected through a wireless "bridge/router" or Access Point
- Main devices in a Wi-Fi network
  - Network cards
  - Access Points (AP)
  - Antennas

Slide 5: Typical topology (diagram)

Slide 6: Wi-Fi network cards

Slide 7: Modes
1. Ad-hoc: interconnection between devices without the need for an AP
   - Similar to a point-to-point connection over a crossover Ethernet cable (but several PCs can be connected ad-hoc)
   - No AP manages the medium → more collisions → lower performance

Slide 8
2. Managed or Infrastructure: connected to an AP that manages the connections (STA <> AP)
   - The card leaves all responsibility for managing traffic to the AP
   - Sometimes it is necessary to know the ESSID (network id) of the network the AP manages in order to access it → detect it by entering monitor mode

Slide 9
3. Master: acts as an AP, provides service and manages the connections (AP <> STA)
   - PCs can be turned into APs
   - HostAP: http://hostap.epitest.fi
   - Advantages
     - A PC is much more powerful than an AP, many possibilities (filtering, security enhancements, routing, DHCP...)
     - Recycling of obsolete equipment, cheap APs
   - Shortcomings
     - Not all cards can work in Master mode (Prism / Hermes / Atheros)

Slide 10
4. Monitor: allows capturing packets without associating with an AP or ad-hoc network
   - Monitors a specific channel without transmitting packets (passively)
   - The card does not check the packets' CRCs
   - It is NOT THE SAME as promiscuous mode
     - Promiscuous: in wired LANs, connected
     - Monitor: in Wi-Fi networks, not connected
   - Not all cards support monitor mode
     - http://kmuto.jp/debian/hcl/index.cgi
     - http://linux-wless.passys.nl

Slide 11: Access Points

Slide 12
- Interconnect Ethernet LANs with wireless users or networks
- Alternatives
  - Commercial APs
  - Commercial APs with free software
    - Install custom firmware on a commercial AP
  - "Homemade" APs
    - Obsolete PC + Wi-Fi card in Master mode

Slide 13: Functionalities
- They manage the physical medium
- They selectively retransmit data
- They may offer additional services
  - DHCP
  - Remote management (web, telnet, ssh)
  - IP, MAC, etc. filtering

Slide 14: Concepts
- BSSID (Basic Service Set Identifier)
  - Unique address that identifies the AP that creates the wireless network
  - It is a MAC address
- ESSID (Extended Service Set Identifier)
  - Unique name of up to 32 characters that identifies the wireless network

Slide 15
- Channel
  - Wi-Fi works in the 2.4 GHz band
  - It is divided into 13 channels of 22 MHz
  - Different frequency ranges within that band
  - They overlap → interference!
  - Recommendation: use channels 1, 6 and 11 so they do not overlap each other


Slide 17: Wi-Fi antennas

Slide 18
- They increase the coverage and performance of a wireless node
- Several scenarios
  - AP inside a building
  - Outdoor APs
    - Point-to-point connection
    - Point-to-multipoint
    - Hot-spot

Slide 19
- There are different types of antennas
  - Omnidirectional
    - Radiate in all directions
    - Ideal for APs or hot-spots
  - Directional
    - Towards one direction or a small sector
    - Ideal for: users of an AP; LAN-to-LAN interconnection

Slide 20: Homemade antennas

Slide 21: Encryption

Slide 22
- WEP (Wired Equivalent Privacy)
  - Included in the 802.11 standard
  - Protection based on the RC4 algorithm
  - Uses keys of 64, 128 and 256 bits (actually 40, 104 or 232 bits, because the Initialization Vector (IV) takes 24 bits and is different in each packet)
  - The key may be generated from a passphrase or entered directly by the user
  - The key must be known to all clients (shared secret)

Slide 23
- WPA (Wi-Fi Protected Access)
  - Interim solution prior to 802.11i (WPA2)
  - Improvements over WEP
    - Dynamic key distribution with limited key lifetime (TKIP - Temporal Key Integrity Protocol)
    - Longer Initialization Vector: 48 bits, minimizing key reuse
    - Integrity: from ICV (Integrity Check Value) to MIC (Michael), based on the encryption key

Slide 24
- Two modes
  - WPA-Personal (PSK)
    - Intended for simple environments
    - Pre-Shared Key (PSK): shared secret
  - WPA-Enterprise (RADIUS)
    - Intended for complex environments
    - Every user has his/her own login/password
    - 802.1X
      - Supplicant (STA)
      - Authenticator (AP)
      - Authentication server (RADIUS)

Slide 25
- WPA2
  - Approved by the IEEE and accepted by the Wi-Fi Alliance in 2004
  - Also known as 802.11i or RSN (Robust Security Network)
  - Improvements
    - 802.1X-based authentication
    - AES-based encryption
    - Dynamic key management (GKH, PKH)
    - Support for ad-hoc networks

Slide 26: Wi-Fi vulnerabilities

Slide 27
- Wi-Fi networks have the same problems / bugs / vulnerabilities as wired networks
- Besides, they have additional problems related to their wireless nature
  - Radio scanners
  - Radio jamming (DoS)
  - Flexibility vs. security...

Slide 28: Vulnerabilities
- Access: wardriving
- WEP encryption: attacks like FMS, KoreK, etc.
- WPA and WPA2 encryption: dictionary attacks
- Man-in-the-middle attacks
  - Rogue APs
  - Vulnerabilities in APs in "bridge" mode: ARP poisoning
- Denial of Service (DoS)

Slide 29: WEP vulnerabilities

Slide 30
- Walker (Intel) (2000)
  - "WEP is not a good way to provide privacy for wireless communications"
  - Using a stream cipher (RC4) in an environment in which keys are repeated is a mistake
  - Main problem → Initialization Vectors
  - If Initialization Vectors are repeated and we know lots of plaintext, it is easy to break the encryption
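The following is an added example, not part of the original slides, that makes Walker's point concrete on constructed data: WEP seeds RC4 with IV || key, so two frames under the same IV share a keystream, and a single known frame (the LLC/SNAP header that starts every ARP frame is predictable) exposes the other. The birthday-bound function shows how quickly a 24-bit IV space repeats under random IV selection. The key, IV and frame bytes are constructed; nothing here touches a network.

```python
# Added example (not from the original slides): why a repeated WEP IV is fatal.
# WEP keys RC4 with IV || shared key, so two frames that share an IV share a keystream.
# All inputs below are constructed for the demonstration.
import math

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); enough to show the stream-cipher property."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                  # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: RC4 keyed with IV || key (the 4-byte ICV is left out for brevity)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    ks = rc4_keystream(iv + shared_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

def recover_with_known_plaintext(ct_known: bytes, pt_known: bytes, ct_target: bytes) -> bytes:
    """Same IV on two frames: C1 ^ C2 = P1 ^ P2, so knowing P1 reveals P2 over the shared length."""
    n = min(len(ct_known), len(ct_target))
    keystream = bytes(c ^ p for c, p in zip(ct_known[:n], pt_known[:n]))
    return bytes(c ^ k for c, k in zip(ct_target[:n], keystream))

def expected_frames_until_iv_collision(iv_bits: int = 24) -> float:
    """Birthday bound: roughly sqrt(pi/2 * N) random IVs before the first repeat (about 5,100 for N = 2^24)."""
    return math.sqrt(math.pi / 2 * (1 << iv_bits))

def demo() -> bytes:
    key = bytes.fromhex("0102030405")              # constructed 40-bit WEP key
    iv = bytes.fromhex("aabbcc")                   # the IV that happens to be reused
    known = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"    # LLC/SNAP header + ARP ethertype: predictable
    secret = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"   # second frame: LLC/SNAP header + IP ethertype
    c1 = wep_encrypt(key, iv, known)
    c2 = wep_encrypt(key, iv, secret)
    return recover_with_known_plaintext(c1, known, c2)   # equals `secret` without knowing `key`
```

The recovery never learns the WEP key itself; it only needs the keystream, which is exactly why a 24-bit IV is too small regardless of key length (the 40/104-bit distinction on slide 22 does not help here).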


Slide 32
- Borisov et al. (2001)
  - Alphabet building attack (the "keystream" is derivable by a known-plaintext attack)
- Arbaugh (2001)
  - "Inductive Chosen Plaintext" attack (builds a database with all the "keystreams" for a WEP key in a relatively short time)
- Fluhrer, Mantin, Shamir (2001)
  - "Weaknesses in the Key Scheduling Algorithm of RC4" (a few key bits determine many bits of the first permutation)

Slide 33
- KoreK (2004)
  - "KoreK attacks": a set of enhancements to the FMS attack (Fluhrer, Mantin, Shamir, 2001)
    - Only about 200,000 Initialization Vectors are needed
  - "Chop-chop" attack: reverse inductive attack (Arbaugh 2001)
    - It sends an encrypted ARP request to the AP with one byte less
    - The AP will repeat only those packets that pass the CRC check
    - After at most 256 attempts, it finds the valid byte for that iteration
    - Requests can be sent in parallel (more speed)
    - Gradually the whole "keystream" can be derived

Slide 34
- Reinjection of packets to generate new traffic (new Initialization Vectors)
  - ARP requests
  - ICMP traffic
  - DHCP requests

Slide 35
- Klein (2005): improvements to the RC4 correlations found by FMS and KoreK
- Bittau et al. (2006): packet fragmentation attack between STA and AP
- Ramachandran and Ahmad (2007): "Caffe Latte attack" (obtains the key from the user side, not from the AP)
- Hirte (2007): improved "Caffe Latte attack" (no need for ARPs)

Slide 36
- Tews, Weinmann, Pyshkin (2007)
  - "Breaking 104-bit WEP in less than 60 seconds" (improved KoreK's approach using Klein's contribution)
  - Performance
    - 50% success with 40,000 Initialization Vectors
    - 95% success with 85,000 Initialization Vectors
- Beck and Tews (2008)
  - Improvements to the approach by Tews, Weinmann and Pyshkin (reduces the number of packets needed from 90,000-40,000 to 24,000)

Slide 37: WEP cracking
- Capture traffic that contains Initialization Vectors (NOT beacon frames)
  - If there are no users connected to the AP, then traffic cannot be generated
    - Fake association
  - If there is not much traffic
    - Reinject
- Use one of the methods (KoreK, ...) to obtain the key

Slide 38
- Brute force
  - For WEP-40 it is reasonable
    - 2^40 keys
    - On a Pentium Core2Duo: 42 days (300,000 K/s)
    - On a cluster of FPGAs: 13 minutes (1.386M K/s)
  - For WEP-104 IT IS NOT
    - 2^104 = 20 x 10^30 keys
    - On a Pentium Core2Duo: 2.14 trillion years
    - On a cluster of FPGAs: 464 billion years
- Dictionary attacks
  - Keys already broken in other APs
  - Default keys

Slide 39
- Many manufacturers configure a default WEP key
  - ESSID recognizable as WLAN_XX or equivalent
  - Predictable WEP passphrase generated from:
    - A common prefix for each manufacturer
    - The BSSID
    - The XX of WLAN_XX
    - Other unknown data → brute force over the 16,384 possibilities is feasible
  - WlanDecrypter generates the candidate keys from the BSSID and ESSID
  - Only one captured encrypted packet is needed
    - WlanInject generates a fake association if there is no traffic

Slide 40: GNU/Linux tools
- aircrack, aircrack-ng
  - Continuous development
  - Highly recommended
- WepLab
  - Focused on WEP, few updates
  - GUI (wxWepLab)
- Assistants
  - Airoscript
  - wesside-ng and easside-ng
  - spoonwep2

Slide 41: Tools for Microsoft Windows
- Proprietary software
  - CommView for WiFi (TamoSoft)
  - OmniPeek (WildPackets)
  - AirMagnet WiFi Analyzer (AirMagnet)

Slide 42
- Ports of free software (partial functionality)
  - airsnort: obsolete
  - WepLab
    - Does not support capture on Windows
    - Requires Wireshark or another capture program
  - aircrack and aircrack-ng
    - Currently widely used
    - Capture and reinjection with some drivers

Slide 43
- A few years ago it was said that WEP was bad, but better than nothing
- Today it is almost the opposite: protecting a network with WEP makes it an easy target, because it is a challenge very accessible to casual crackers
- There are better security protocols, so WEP should ALWAYS be discarded

Slide 44: WPA-PSK vulnerabilities

Slide 45
- WPA-PSK vulnerabilities
  - The exchange WPA uses to transport the information used for key generation is weak
  - Pre-shared keys are "unsafe" (WPA-PSK)
    - Subject to dictionary attacks
    - No need to capture lots of traffic: capturing only the key exchange is enough

Slide 46
1. Capture the initial handshake
   - The 4 WPA packets of a client authenticating against an AP
2. Brute force or dictionary attack to extract the key
   - Success depends on the dictionary
   - It is also possible to use rainbow tables

Slide 47
- Many manufacturers configure a default WPA key
  - Recognizable ESSID
    - WLAN_XXXX
    - JAZZTEL_XXX
  - The BSSID is also needed
  - Online tools
    - http://www.seguridadwireless.net/wpamagickey1.php
    - http://www.seguridadwireless.net/wpamagickey.php

Slide 48
- CoWPAtty
  - Its fourth version cracks WPA2
  - There are "rainbow tables" of the most common passphrases (English) for common ESSIDs (linksys, tsunami, comcomcom, etc.)
- wpa_crack: proof of concept
- SpoonWpa: GUI assistant
- wpacracker.com: cracking WPA using cloud computing (17 US$)

Slide 49
- WLAN_XXXX / JAZZTEL_XXXX?
  - http://www.seguridadwireless.net/wpamagickey1.php
  - http://www.seguridadwireless.net/wpamagickey.php
  - Test the default passphrase "12345670"
- WPA-PSK?
  1. Obtain the ESSID
  2. Obtain an authentication
     - Deauthenticate: aireplay-ng -0
  3. Pre-computed tables for that ESSID
     - Crack: aircrack-ng, cowpatty

Slide 50
4. If there are no tables for that ESSID
   - Generate tables: genpmk (in parallel if possible)
   - Go to 3
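As an added example (not from the original slides or any of the tools named above), the block below derives the WPA-PSK pairwise master key the way IEEE 802.11i defines it and turns slides 45-50 into defender-side checks: the ESSID is the PBKDF2 salt, so a genpmk/rainbow table built for "linksys" is worthless against a network with a unique ESSID, and the 4096-iteration derivation means the attacker's cost per guess is fixed while the defender controls the size of the guess space. The ESSID lists, the default-passphrase set (which includes the "12345670" from slide 49) and the sample passphrases are constructed.

```python
# Added example (not from the original slides): WPA-PSK PMK derivation and what it implies for defenders.
# Runs entirely offline on constructed values.
import hashlib
import math
import string

# ESSIDs for which the deck says public precomputed PMK tables exist.
COMMON_ESSIDS = {"linksys", "tsunami", "comcomcom"}
# Manufacturer default from slide 49 plus two constructed guesses a dictionary would try first.
KNOWN_DEFAULTS = {"12345670", "password", "12345678"}

def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
    The ESSID is the salt, which is why a table of PMKs is only valid for one ESSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)

def table_reusable_across_ssids(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if a PMK computed for ssid_a would also match ssid_b (it never does for distinct ESSIDs)."""
    return wpa_psk_pmk(passphrase, ssid_a) == wpa_psk_pmk(passphrase, ssid_b)

def guess_space_bits(passphrase: str) -> float:
    """Rough entropy estimate: length * log2(size of the character classes actually used)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    charset = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(charset) if charset else 0.0

def psk_findings(passphrase: str, ssid: str) -> list:
    """Short codes for each of the deck's attack preconditions the configuration satisfies."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("invalid-length")      # 802.11i passphrases are 8..63 ASCII characters
    if passphrase in KNOWN_DEFAULTS:
        findings.append("known-default")       # slides 47-49: default keys are tried first
    if passphrase.isdigit() or (passphrase.isalpha() and passphrase.islower()):
        findings.append("single-class")        # one character class keeps the dictionary small
    if guess_space_bits(passphrase) < 64:
        findings.append("low-entropy")         # offline guessing at 4096 PBKDF2 rounds per guess
    if ssid in COMMON_ESSIDS:
        findings.append("common-essid")        # slide 48: precomputed tables likely exist
    return findings
```

The first assertion below uses the published 802.11i test vector (passphrase "password", SSID "IEEE"), so the derivation can be checked against the standard rather than against itself.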

Slide 51: Other tools (WIFISLAX!!!)

Slide 52
- WIFISLAX 4.0
  - Linux LiveCD
  - Wi-Fi audit tools
  - http://www.wifislax.com/wifislax-4-0-el-regreso

Slide 53: Setting up a secure Wi-Fi network

Slide 54
- WPA2 encryption with a strong, unpredictable password
- Disable beacon frames
- Set up MAC filtering
- Disable DHCP
- Set up an IP range different from the default (192.168.1.X)
- Limit the number of clients that can connect

Slide 55: Implementation in Microsoft Windows
- Client: Windows XP SP2+ / Vista / 7
- Authenticator: AP hardware (WRT54G)
- RADIUS server: Microsoft Internet Authentication Server (IAS) / FreeRADIUS.net

Slide 56: Implementation in GNU/Linux
- Client
  - wpa_supplicant
  - Xsupplicant
  - wireless-tools: iwconfig + iwpriv
- Authenticator: hostapd (the HostAP daemon)
- RADIUS server: FreeRADIUS, OpenRADIUS, Radiator, etc.
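To tie the slide 54 checklist to the hostapd authenticator of slide 56, here is an added example (not from the slides or the hostapd project) that parses a hostapd.conf and reports which checklist items it fails. The two embedded configurations are constructed: one with the WLAN_XXXX-style default ESSID and "12345670" passphrase the deck warns about, one hardened. The option names (wpa, rsn_pairwise, ignore_broadcast_ssid, macaddr_acl, accept_mac_file, max_num_sta) are real hostapd options; the values, paths and passphrase are illustrative. hostapd has no "disable beacons" switch, so the checker maps that item to ignore_broadcast_ssid (hide the ESSID in beacons); the DHCP and IP-range items live in the DHCP server, not hostapd, and are not checked here. Hidden ESSIDs and MAC allow-lists are easily bypassed, so treat them as the deck's defence-in-depth items, with WPA2/CCMP and the passphrase doing the real work.

```python
# Added example (not from the original slides or hostapd): audit a hostapd.conf against the deck's checklist.
import re

# Constructed sample: default-looking ESSID, default passphrase, WPA1/TKIP, no client controls.
WEAK_CONF = """\
interface=wlan0
ssid=WLAN_1A2B
hw_mode=g
channel=6
wpa=1
wpa_passphrase=12345670
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
"""

# Constructed sample following slide 54 (WPA2/CCMP, strong passphrase, hidden ESSID, MAC ACL, client limit).
HARDENED_CONF = """\
interface=wlan0
ssid=atelier-lab-5c
hw_mode=g
channel=6
wpa=2
wpa_passphrase=Quiet-Garden-Lamp-Sail-7391
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
max_num_sta=8
"""

KNOWN_DEFAULT_PASSPHRASES = {"12345670"}                                  # from slide 49; a real list is longer
DEFAULT_SSID_PATTERN = re.compile(r"^(WLAN|JAZZTEL)_[0-9A-Fa-f]{2,4}$")  # WLAN_XX / JAZZTEL_XXX style

def parse_hostapd(text: str) -> dict:
    """hostapd.conf is one key=value per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def weak_passphrase(p: str) -> bool:
    """Invalid length, a known default, digits only, or simply too short to resist offline guessing."""
    return (not 8 <= len(p) <= 63) or p in KNOWN_DEFAULT_PASSPHRASES or p.isdigit() or len(p) < 16

def audit_hostapd(conf: dict) -> list:
    """Return a short code for every checklist item the configuration fails (empty list = passes)."""
    findings = []
    if conf.get("wpa") != "2":
        findings.append("no-rsn")            # wpa=2 is WPA2/RSN only; wpa=1 or 3 still offers WPA1
    ciphers = conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split()
    if "CCMP" not in ciphers or "TKIP" in ciphers:
        findings.append("no-ccmp-only")      # AES-CCMP only; TKIP keeps RC4 around
    if weak_passphrase(conf.get("wpa_passphrase", "")):
        findings.append("weak-passphrase")
    if DEFAULT_SSID_PATTERN.match(conf.get("ssid", "")):
        findings.append("default-ssid")      # ISP-style names advertise a predictable default key
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("ssid-broadcast")    # closest hostapd equivalent of "disable beacon frames"
    if conf.get("macaddr_acl") != "1" or not conf.get("accept_mac_file"):
        findings.append("no-mac-acl")        # macaddr_acl=1: allow only MACs listed in accept_mac_file
    if not conf.get("max_num_sta", "").isdigit():
        findings.append("no-client-limit")
    return findings
```

Run it with `audit_hostapd(parse_hostapd(WEAK_CONF))` to see every item flagged and with `HARDENED_CONF` to see an empty list; the same parser works on a real file read from disk.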

Slide 57: Captive portals

Slide 58
- Client validation system for wireless nodes
- Depending on the user type, it assigns bandwidth and grants access to different services
- Usually based on time-limited "tokens" managed over HTTP-SSL (443/TCP)
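The token mechanism on slide 58, as an added example that is not part of the original presentation: a captive portal that issues an HMAC-signed session token bound to the client's MAC with an expiry, and verifies it on every request. The secret, MAC addresses and timestamps are constructed; the portal would carry these tokens over HTTPS as the slide states, but no network code is included, and `now` is a parameter so expiry can be checked deterministically.

```python
# Added example (not from the original slides): time-limited, HMAC-signed captive-portal session tokens.
import base64
import binascii
import hashlib
import hmac
import secrets
import time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(secret: bytes, client_mac: str, ttl_seconds: int, now: int = None) -> str:
    """Token = b64(mac|expiry|nonce) '.' b64(HMAC-SHA256(secret, payload)).
    The MAC binding stops a token copied from one client being replayed from another,
    and the expiry bounds how long a stolen token is useful."""
    now = int(time.time()) if now is None else now
    payload = f"{client_mac.lower()}|{now + ttl_seconds}|{secrets.token_hex(8)}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"

def verify_token(secret: bytes, token: str, client_mac: str, now: int = None) -> tuple:
    """Returns (ok, reason). The signature is checked first, in constant time, before any field is trusted."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad-signature"
    mac, expiry, _nonce = payload.decode().split("|")
    if mac != client_mac.lower():
        return False, "mac-mismatch"
    if now >= int(expiry):
        return False, "expired"
    return True, "ok"
```

The portal keeps `secret` server-side only; rotating it invalidates every outstanding token at once, which is the simplest form of mass logout.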


Slide 60: Authentication process (diagram)

Slide 61: Image credits
- http://www.flickr.com/photos/87546268@N00/76197417/ (AP)
- http://www.flickr.com/photos/13522901@N00/5182549507/
- http://www.flickr.com/photos/laughingsquid/176520387
- http://www.flickr.com/photos/pittpics/504774599
- http://www.flickr.com/photos/hatemaster/2197840114
- http://www.flickr.com/photos/rayj1839/4940079038
- http://www.flickr.com/photos/atelier_tee/5551668917
- http://www.flickr.com/photos/meredithfarmer/318077155
- http://www.flickr.com/photos/87793853@N00/2078979917/

