Hacking 802.11 Wireless
Prabhaker Mateti, Wright State University

Talk Outline
• Wireless LAN Overview
• Wireless Network Sniffing
• Wireless Spoofing
• Wireless Network Probing
• AP Weaknesses
• Denial of Service
• Man-in-the-Middle Attacks
• War Driving
• Wireless Security Best Practices
• Conclusion

Ack
• There is nothing new in this talk. It is an overview of what has been known for a couple of years.
• Several figures are borrowed from many sources on the www. Apologies that I lost track of the original sources.

Wireless LAN Overview

OSI Model
• Application, Presentation, Session, Transport, Network
• 802.11b covers the Data Link layer (802.11 MAC header) and the Physical layer (802.11 PLCP header)

Network Layers (figure)

IEEE 802.11
• Published in June 1997
• 2.4 GHz operating frequency
• 1 to 2 Mbps throughput
• Can choose between frequency hopping or direct sequence spread modulation

IEEE 802.11b
• 1999
• Data rate: 11 Mbps; reality: 5 to 7 Mbps
• 2.4 GHz band; runs on 3 channels shared by cordless phones, microwave ovens, and many Bluetooth products
• Only direct sequence modulation is specified
• Most widely deployed today

Channels (figure)

Physical Layer (table; columns: 802.11a | 802.11g | 802.11b)
• Standard approved: September 1999 | September 1999 | September 1999
• Available bandwidth: 300 MHz | 83.5 MHz | 83.5 MHz
• Unlicensed frequencies of operation: 5.15-5.35 GHz and 5.725-5.825 GHz | 2.4-2.4835 GHz | 2.4-2.4835 GHz
• Number of non-overlapping channels: 4 (indoor), 4 (indoor/outdoor), 4 (indoor/outdoor) | 3 (indoor/outdoor) | 3 (indoor/outdoor)
• Data rate per channel: 6, 9, 12, 18, 24, 36, 48, 54 Mbps | 1, 2, 5.5, 11, 6, 9, 12, 18, 22, 24, 33, 36, 48, 54 Mbps | 1, 2, 5.5, 11 Mbps
• Modulation: OFDM | DSSS, OFDM, PBCC (O), CCK-OFDM (O) | DSSS, CCK

The Unlicensed Radio Frequency Spectrum (figure)
• 5.15-5.35 GHz and 5.725-5.825 GHz: IEEE 802.11a, HiperLAN/2

Channel Plan – 802.11/11b/11g (figure)
• Channel spacing: 5 MHz
• Non-overlapping channels at 2.412, 2.437 and 2.462 GHz

IEEE 802.11a
• Data rate: 54 Mbps; reality: 25 to 27 Mbps
• Runs on 12 channels
• Not backward compatible with 802.11b
• Uses Orthogonal Frequency Division Multiplexing (OFDM)

IEEE 802.11g
• An extension to 802.11b
• Data rate: 54 Mbps
• 2.4 GHz band

IEEE 802.1X
• General-purpose port based network access control mechanism for 802 technologies
• Authentication is mutual: both the user (not the station) and the AP authenticate to each other.
• Supplicant: entity that needs to be authenticated before LAN access is permitted (e.g., station)
• Authenticator: entity that supports the actual authentication (e.g., the AP)
• Authentication server: entity that provides the authentication service to the authenticator (usually a RADIUS server)

IEEE 802.1X
• Extensible Authentication Protocol (EAP)
• Can provide dynamic encryption key exchange, eliminating some of the issues with WEP
• Roaming is transparent to the end user
• Microsoft includes support in Windows XP

802.1x Architecture (figure)

IEEE 802.11e
• Currently under development
• Working to improve security issues
• Extensions to MAC layer, longer keys, and key management systems
• Adds 128-bit AES encryption

Stations and Access Points

802.11 Terminology: Station (STA)
• Device that contains an IEEE 802.11 conformant MAC and PHY interface to the wireless medium, but does not provide access to a distribution system
• Most often end-stations available in terminals (workstations, laptops etc.)
• Typically implemented in a PC-Card

Station Architecture
• Ethernet-like driver interface
• Frame translation according to IEEE Std 802.1H supports virtually all protocol stacks
• Ethernet Types 8137 (Novell IPX) and 80F3 (AARP) encapsulated via the Bridge Tunnel encapsulation scheme
• IEEE 802.3 frames: translated to 802.11
• All other Ethernet Types: encapsulated via the RFC 1042 (Standard for the Transmission of IP Datagrams over IEEE 802 Networks) encapsulation scheme
• Maximum data limited to 1500 octets
• (figure) Radio hardware and PC-Card hardware (802.11 frame format); WMAC controller with station firmware (WNIC-STA); driver software (STADr) on the platform computer (Ethernet V2.0 / 802.3 frame format); protocol stack; transparent bridging to Ethernet

Terminology: Access-Point (AP)
• A transceiver that serves as the center point of a stand-alone wireless network or as the connection point between wireless and wired networks.
• Device that contains an IEEE 802.11 conformant MAC and PHY interface to the wireless medium, and provides access to a Distribution System for associated stations (i.e., an AP is a STA)
• Most often infrastructure products that connect to wired backbones
• Implemented in a “box” containing a STA PC-Card.
Access-Point (AP) Architecture
• Stations select an AP and “associate” with it
• APs support roaming
• Power management
• Time synchronization functions (beaconing)
• Traffic typically flows through the AP
• (figure) Radio hardware and PC-Card hardware (802.11 frame format); WMAC controller with access point firmware (WNIC-AP); driver software (APDr), bridge software and kernel software (APK) (Ethernet V2.0 / 802.3 frame format); Ethernet interface and bridge hardware

Basic Configuration (figure)

Infrastructure and Ad Hoc Modes (figure)

Terminology: Basic Service Set (BSS)
• A set of stations controlled by a single “Coordination Function” (the logical function that determines when a station can transmit or receive)
• Similar to a “cell” in pre-IEEE terminology
• A BSS may or may not have an AP

Basic Service Set (BSS) (figure)

Terminology: Distribution System (DS)
• A system to interconnect a set of BSSs
• Integrated: a single AP in a standalone network
• Wired: using cable to interconnect the APs
• Wireless: using wireless to interconnect the APs

Terminology: Independent Basic Service Set (IBSS)
• A BSS forming a self-contained network in which no access to a Distribution System is available
• A BSS without an AP
• One of the stations in the IBSS can be configured to “initiate” the network and assume the Coordination Function
• Diameter of the cell is determined by the coverage distance between two wireless stations

Independent Basic Service Set (IBSS) (figure)

Terminology: Extended Service Set (ESS)
• A set of one or more BSSs interconnected by a Distribution System (DS)
• Traffic always flows via the AP
• Diameter of the cell is double the coverage distance between two wireless stations

ESS: single BSS (with integrated DS) (figure)

ESS: with wired DS (figure)

ESS: with wireless DS (figure)

Terminology: Service Set Identifier (SSID)
• “Network name”
• Up to 32 octets long
• One network (ESS or IBSS) has one SSID
• E.g., “WSU Wireless”; defaults: “101” for 3COM and “tsunami” for Cisco

Terminology: Basic Service Set Identifier (BSSID)
• “Cell identifier”
• One BSS has one BSSID
• Exactly 6 octets long
• BSSID = MAC address of the AP

802.11 Communication
• CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) instead of Collision Detection
• A WLAN adapter cannot send and receive traffic at the same time on the same channel
• Hidden Node Problem
• Four-Way Handshake

Hidden Node Problem (figure)

Four-Way Handshake (figure: Source, Destination)

Infrastructure operation modes
• Root Mode
• Repeater Mode

Frames

Ethernet Packet Structure (figure; graphic source: Network Computing Magazine, August 7, 2000)
• 14 byte header
• 2 addresses

802.11 Packet Structure (figure; graphic source: Network Computing Magazine, August 7, 2000)
• 30 byte header
• 4 addresses

Ethernet Physical Layer Packet Structure (figure; graphic source: Network Computing Magazine, August 7, 2000)
• 8 byte header (Preamble)

802.11 Physical Layer Packet Structure (figure; graphic source: Network Computing Magazine, August 7, 2000)
• 24 byte header (PLCP, Physical Layer Convergence Protocol)
• Always transferred at 1 Mbps

Frame Formats
• 802.11 MAC header, in bytes: Frame Control (2), Duration ID (2), Addr 1 (6), Addr 2 (6), Addr 3 (6), Sequence Control (2), Addr 4 (6), Frame Body (0-2312), CRC (4)
• Frame Control field, in bits: Protocol Version (2), Type (2), SubType (4), To DS (1), From DS (1), More Frag (1), Retry (1), Pwr Mgt (1), More Data (1), WEP (1), Rsvd (1)
• The MAC header format differs per Type: Control Frames (several fields are omitted), Management Frames, Data Frames

Address Field Description
• The meaning of the address fields depends on the To DS and From DS bits (To DS, From DS: Address 1, Address 2, Address 3, Address 4):
• 0, 0: DA, SA, BSSID, N/A
• 0, 1: DA, BSSID, SA, N/A
• 1, 0: BSSID, SA, DA, N/A
• 1, 1: RA, TA, DA, SA
• Addr. 1 = All stations filter on this address.
• Addr. 2 = Transmitter Address (TA); identifies the transmitter to address the ACK frame to.
• Addr. 3 = Dependent on the To and From DS bits.
• Addr. 4 = Only needed to identify the original source of WDS (Wireless Distribution System) frames

Type field descriptions
• Type and subtype identify the function of the frame:
• Type=00 Management Frame: Beacon, (Re)Association, Probe, (De)Authentication, Power Management
• Type=01 Control Frame: RTS/CTS, ACK
• Type=10 Data Frame

Management Frames
• Beacon: Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, parameters, Traffic Indication Map
• Probe: SSID, Capabilities, Supported Rates
• Probe Response: Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, parameters (same as Beacon except for the TIM)

Management Frames (cont’d)
• Association Request: Capability, Listen Interval, SSID, Supported Rates
• Association Response: Capability, Status Code, Station ID, Supported Rates
• Re-association Request: Capability, Listen Interval, SSID, Supported Rates, Current AP Address
• Re-association Response: Capability, Status Code, Station ID, Supported Rates

Management Frames (cont’d)
• Dis-association: Reason code
• Authentication: Algorithm, Sequence, Status, Challenge Text
• De-authentication: Reason

Synchronization
• Necessary for keeping frequency hopping synchronized, and for other functions like Power Saving.
• The AP periodically transmits a special type of frame called a Beacon Frame
• The MS uses info in Beacon frames to synchronize to the AP.

Control Frame Format (figure)

Authentication

Authentication
• To control access to the infrastructure via an authentication
• The station first needs to be authenticated by the AP in order to join the AP's network.
• Stations identify themselves to other stations (or APs) prior to data traffic or association
• 802.11 defines two authentication subtypes: Open System and Shared Key

Open system authentication
• A sends an authentication request to B.
• B sends the result back to A.

Shared Key Authentication
• Uses WEP keys

Access Point Discovery
• Beacons sent out 10x per second – advertise capabilities
• Station queries access points – requests features
• Access points respond – with supported features
• Authentication just a formality – may involve more frames
• Features used by war driving software
• (figure) Probe request / Probe response; Authentication request / Authentication response; Association request / Association response

Association

Association
• Next step after authentication
• Association enables data transfer between MS and AP.
• The MS sends an association request frame to the AP, which replies to the client with an association response frame either allowing or disallowing the association.

Association
• To establish a relationship with an AP, stations scan the frequency band and select the AP with the best communications quality
• Active scan (sending a “Probe request” on specific channels and assessing the response)
• Passive scan (assessing communications quality from the beacon message)
• The AP maintains a list of associated stations in MAC FW
• Records station capability (data-rate)
• To allow inter-BSS relay, the station’s MAC address is also maintained in the bridge learn table associated with the port it is located on

Association + Authentication (state diagram)
• State 1: Unauthenticated, Unassociated
• Successful authentication moves to State 2; Deauthentication returns to State 1
• State 2: Authenticated, Unassociated
• Successful association or reassociation moves to State 3; Disassociation returns to State 2; Deauthentication returns to State 1
• State 3: Authenticated, Associated

Starting an ESS
• The infrastructure network is identified by its ESSID
• All Access-Points will have been set according to this ESSID
• Wireless stations will be configured to set their desired SSID to the value of the ESSID
• On power up, stations will issue Probe Requests and will locate the AP that they will associate with: the “best” Access-Point with a matching ESSID, or the “best” Access-Point if the SSID has been set to “ANY”

Starting an IBSS
• A station configured for IBSS operation will “look” for Beacons that contain a network name (SSID) that matches the one that is configured
• When Beacons with a matching Network Name are received and are issued by an AP, the station will associate to the AP
• When Beacons with a matching Network Name are received and are issued by another station in IBSS mode, the station will join this IBSS
• When no beacons are received with a matching Network Name, the station will issue beacons itself.
• All stations in an IBSS network will participate in sending beacons.
• All stations start a random timer prior to the point in time when the next Beacon is to be sent. The first station whose random timer expires will send the next beacon

Inter-Frame Spacing (figure: Busy Medium, DIFS, PIFS, SIFS, Contention Window / Backoff-Window, Slot time, Next Frame, Defer Access)
• Free access when the medium is free longer than DIFS
• Inter-frame spacing required for MAC protocol traffic
• Select slot and decrement backoff as long as the medium is idle.
• SIFS = Short interframe space
• PIFS = PCF interframe space
• DIFS = DCF interframe space
• Back-off timer expressed in terms of number of time slots

Data Frames and their ACK (figure: Src sends Data after DIFS; Dest sends Ack after SIFS; other stations defer access, then Contention Window and Backoff before the next MPDU)
• Acknowledgments are to arrive within the SIFS
• The DCF interframe space is observed before the medium is considered free for use

Traffic flow - Inter-BSS (figure: AP-1000 or AP-500 with bridge learn table and association table; STA-1 and STA-2 in BSS-A on Avaya Wireless PC-Cards; Associate / ACK; Packet for STA-2 relayed by the AP (inter-BSS relay))

Traffic flow - ESS operation (figure: two APs (AP-1000 or AP-500), each with a bridge learn table and association table; STA-1 in BSS-A and STA-2 in BSS-B; Packet for STA-2 forwarded across the DS; ACKs)

Traffic flow - WDS operation (figure: two APs (AP-1000 or AP-500) with bridge learn tables and association tables; STA-1 in BSS-A and STA-2 in BSS-B; Packet for STA-2 relayed over the WDS link (WDS relay); ACKs)

Wireless Network Sniffing

Network Sniffing
• Sniffing is a reconnaissance technique
• Sniffing is eavesdropping on the network.
• A sniffer is a program that intercepts and decodes network traffic broadcast through a medium.
• Sniffing is the act by a machine S of making copies of a network packet sent by machine A intended to be received by machine B.
• Sniffing is not a TCP/IP problem; it is enabled by the media, Ethernet and 802.11, at the physical and data link layers.

Wireless Network Sniffing
• An attacker can passively scan without transmitting at all.
• A passive scanner instructs the wireless card to listen to each channel for a few messages.
• RF monitor mode of a wireless card allows every frame appearing on a channel to be copied as the radio of the station tunes to various channels.
• Analogous to a wired Ethernet card in promiscuous mode.
• A station in monitor mode can capture packets without associating with an AP or ad-hoc network.
• Many wireless cards permit RFmon mode.

Passive Scanning
• A corporate network can be accessed from outside a building by an eavesdropper using readily available technology

Passive Scanning
• Wireless LAN sniffers can be used to gather information about the wireless network from a distance with a directional antenna.
• These applications are capable of gathering the passwords from HTTP sites and telnet sessions sent in plain text.
• These attacks do not leave any trace of the hacker’s presence on the network

Passive Scanning
• Scanning is a reconnaissance technique
• Detection of SSID
• Collecting the MAC addresses
• Collecting the frames for cracking WEP

A Basic Attack
• Behind the scenes of a completely passive wireless pre-attack session

Installing Kismet
• Setting up Kismet is fairly straightforward.
• Google on “Kismet”: http://www.kismetwireless.net/

Starting Kismet
• The mysqld service is started.
• The gpsd service is started on serial port 1.
• The wireless card is placed into monitor mode.
• kismet is launched.

Detection
• Kismet picks up some wireless jabber!
• In order to take a closer look at the traffic, disengage “autofit” mode by pressing “ss” to sort by SSID.
• (screenshot columns) type; WEP? yes or no; 4 TCP packets; IP’s detected; strength

Network Details
• Network details for the 0.0.0.0 address are viewed by pressing the “i” key.

Network Details
• Network details for the 169.254.187.86 address are viewed by pressing the “i” key.

More network details
• More network details for the 169.254.187.86 address are viewed by pressing the “i” key, then scrolling down to view more information.

Traffic dump
• A dump of “printable” traffic can be had by pressing the “d” key.
• \MAILSLOTS? Could this be a post office computer? (That is a joke. Feel free to laugh at this point. Thank you.)

Packet list
• A list of packet types can be viewed by selecting a wireless point and pressing “p”

gpsmap
• A gpsmap of the area is printed using: # gpsmap -S2 -s10 -r gpsfile

ethereal - beacon
• The *.dump files Kismet generates can be opened with tcpdump or ethereal as shown here. This is an 802.11 beacon frame.

ethereal – probe request
• ...an 802.11 Probe Request from the same machine

ethereal - registration
• oooh... a NETBIOS registration packet for “MSHOME”...

ethereal - registration
• ...another registration packet, this time from “LAP10”...

ethereal – DHCP request
• ...a DHCP request... it would be interesting to spoof a response to this...

ethereal – browser request
• ...a NETBIOS browser request...

ethereal – browser announce
• ...an SMB host announcement... revealing an OS major version of 5 and an OS minor version of 1...
• We have a Windows XP client laptop searching for an access point. This particular target ends up being nothing more than a lone client crying out for a wireless server to connect to. Spoofing management frames to this client would most likely prove to be pointless...

Passive Scanning
• This simple example demonstrates the ability to monitor even client machines which are not actively connected to a wireless access point
• In a more “chatty” environment, so much more is possible
• All of this information was captured passively. Kismet did not send a single packet on the airwaves.
• This type of monitoring can not be detected, but preventive measures can be taken.

Detection of SSID
• The SSID occurs in the following frame types: beacon, probe requests, probe responses, association requests, and reassociation requests.
• Management frames are always in the clear, even when WEP is enabled.
• Merely collect a few frames and note the SSID.
• What if beacons are turned off? Or the SSID is hidden?
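The MAC header layout, the To DS/From DS address table and the SSID-bearing management frames described above, worked as an added example (not code from the slides): a parser that decodes constructed frames and records, per BSSID, the SSID that a hidden beacon omits but a later association request reveals. The MAC addresses, frame contents and the zero placeholder FCS are constructed for the example.

```python
"""Parse 802.11 MAC headers and extract SSIDs from management frames."""
import struct

# Address roles indexed by (To DS, From DS), from the address field table.
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID", None),
    (0, 1): ("DA", "BSSID", "SA", None),
    (1, 0): ("BSSID", "SA", "DA", None),
    (1, 1): ("RA", "TA", "DA", "SA"),
}
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 2: "reassociation request", 3: "reassociation response",
                 4: "probe request", 5: "probe response", 8: "beacon",
                 10: "disassociation", 11: "authentication",
                 12: "deauthentication"}
# Management subtypes that carry an SSID element, mapped to the size of the
# fixed fields that precede the tagged parameters (beacon/probe response:
# timestamp 8 + interval 2 + capability 2; assoc req: capability 2 + listen 2;
# reassoc req: those plus the 6-byte current AP address; probe request: none).
SSID_FIXED_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def find_ssid(tagged):
    """Walk (ID, length, value) elements; "" means a hidden SSID, None if absent."""
    i = 0
    while i + 2 <= len(tagged):
        tag, length = tagged[i], tagged[i + 1]
        value = tagged[i + 2:i + 2 + length]
        if tag == 0:  # element ID 0 is the SSID
            return "" if not value.strip(b"\x00") else value.decode("utf-8", "replace")
        i += 2 + length
    return None


def parse_frame(frame):
    """Decode Frame Control, the address fields and (for management frames) the SSID."""
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds, wep = (fc >> 8) & 1, (fc >> 9) & 1, (fc >> 14) & 1
    info = {"type": TYPE_NAMES.get(ftype, "reserved"), "subtype": subtype,
            "to_ds": to_ds, "from_ds": from_ds, "protected": bool(wep)}
    if ftype == 1:  # control frames omit most fields; only RA is read here
        info["RA"] = mac_str(frame[4:10])
        return info
    roles = ADDRESS_ROLES[(to_ds, from_ds)]
    offset = 4
    for role in roles[:3]:
        info[role] = mac_str(frame[offset:offset + 6])
        offset += 6
    info["seq_ctrl"] = struct.unpack_from("<H", frame, offset)[0]
    offset += 2
    if roles[3]:  # WDS frames (To DS = From DS = 1) carry a fourth address
        info[roles[3]] = mac_str(frame[offset:offset + 6])
        offset += 6
    body = frame[offset:-4]  # drop the 4-byte CRC at the end
    if ftype == 0:
        info["subtype_name"] = MGMT_SUBTYPES.get(subtype, "other")
        if subtype in SSID_FIXED_LEN:
            info["ssid"] = find_ssid(body[SSID_FIXED_LEN[subtype]:])
    return info


def recover_ssids(frames):
    """Map BSSID -> SSID; a hidden ("") entry is replaced once any frame names it."""
    seen = {}
    for f in frames:
        info = parse_frame(f)
        ssid, bssid = info.get("ssid"), info.get("BSSID")
        if bssid is None or ssid is None:
            continue
        if ssid or bssid not in seen:
            seen[bssid] = ssid
    return seen


def build_mgmt_frame(subtype, da, sa, bssid, fixed, elements):
    """Constructed management frame: To/From DS = 0, zero duration/sequence/FCS."""
    hdr = struct.pack("<HH", subtype << 4, 0) + da + sa + bssid + struct.pack("<H", 0)
    body = fixed + b"".join(bytes([t, len(v)]) + v for t, v in elements)
    return hdr + body + b"\0\0\0\0"


# Constructed sample traffic (addresses are made up for the example).
AP, STA, BCAST = bytes.fromhex("00c0a8010203"), bytes.fromhex("0011223344aa"), b"\xff" * 6
BEACON_FIXED = b"\0" * 8 + struct.pack("<HH", 100, 0x0411)  # timestamp, interval, capability
BEACON = build_mgmt_frame(8, BCAST, AP, AP, BEACON_FIXED, [(0, b"WSU Wireless"), (1, b"\x82\x84\x8b\x96")])
HIDDEN_BEACON = build_mgmt_frame(8, BCAST, AP, AP, BEACON_FIXED, [(0, b"")])
ASSOC_REQ = build_mgmt_frame(0, AP, STA, AP, struct.pack("<HH", 0x0411, 10), [(0, b"WSU Wireless")])
ACK = struct.pack("<HH", (1 << 2) | (13 << 4), 0) + AP + b"\0" * 4
# Data frame from the DS (From DS = 1, WEP bit set): DA, BSSID, SA ordering.
DATA_FROM_AP = (struct.pack("<HH", (2 << 2) | (1 << 9) | (1 << 14), 0) + STA + AP
                + bytes.fromhex("000102030405") + struct.pack("<H", 0x10) + b"\x01\x02\x03\x04ciphertext" + b"\0" * 4)

if __name__ == "__main__":
    for f in (BEACON, HIDDEN_BEACON, ASSOC_REQ, ACK, DATA_FROM_AP):
        print(parse_frame(f))
    print(recover_ssids([HIDDEN_BEACON, ASSOC_REQ]))
```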
When the Beacon displays a null SSID …
• Patiently wait. Recall that management frames are in the clear.
• Wait for an associate request; associate request and response both contain the SSID
• Wait for a probe request; probe responses contain the SSID

Beacon transmission is disabled ...
• Wait for a voluntary associate request to appear.
• Or actively probe by injecting spoofed frames, and then sniff the response

Collecting the MAC Addresses
• The attacker gathers legitimate MAC addresses for use later in spoofed frames.
• The source and destination MAC addresses are always in the clear in all the frames.
• The attacker sniffs these legitimate addresses

Collecting frames for cracking WEP
• Systematic procedures exist for cracking WEP.
• Need to collect a large number (millions) of frames.
• Collection may take hours to days.
• Cracking takes a few seconds to a couple of hours.

Cracking WEP

Wired Equivalent Privacy (WEP)
• Designed to be computationally efficient, self-synchronizing, and exportable
• All users of a given AP share the same encryption key
• Data headers remain unencrypted so anyone can see the source and destination of the data stream

Initialization Vector (IV)
• Over a period, the same plaintext packet should not generate the same ciphertext packet
• The IV is random, and changes per packet
• Generated by the device on the fly
• 24 bits long
• 64 bit encryption: IV + 40 bit WEP key
• 128 bit encryption: IV + 104 bit WEP key

WEP Encryption
• WEP encryption key: a shared 40- or 104-bit long number
• WEP keys are used for authentication and encryption of data
• A 32-bit integrity check value (ICV) is calculated that provides data integrity for the MAC frame. The ICV is appended to the end of the frame data.
• A 24-bit initialization vector (IV) is appended to the WEP key.
• The combination of [IV+WEP encryption key] is used as the input of a pseudo-random number generator (PRNG) to generate a bit sequence that is the same size as the combination of [data+ICV].
• The PRNG bit sequence is bit-wise XORed with [data+ICV] to produce the encrypted portion of the payload that is sent between the wireless AP and the wireless client.
• The IV is added to the front of the encrypted [data+ICV], which becomes the payload for the wireless MAC frame. The result is IV + encrypted [data+ICV].

Decryption
• The IV is obtained from the front of the MAC payload.
• The WEP encryption key is concatenated with the IV.
• The concatenated WEP encryption key and IV is used as the input of the same PRNG to generate a bit sequence of the same size as the combination of the data and the ICV, which is the same bit sequence as that of the sending wireless node.
• The PRNG bit sequence is XORed with the encrypted [data+ICV] to decrypt the [data+ICV] portion of the payload.
• The ICV for the data portion of the payload is calculated and compared with the value included in the incoming frame. If the values match, the data is taken to have been sent by the wireless client and unmodified in transit.
• The WEP key remains constant over a long duration but the IV can be changed frequently depending on the degree of security needed.

WEP Protocol (figure)

WEP: Wired Equivalent Privacy (figure)

What is an IV?
• (figure) WEP frame body: IV field (4 octets: 24-bit Initialization Vector, 6-bit Pad, 2-bit Key ID), MSDU (0-2304 octets, encrypted), ICV (4 octets, encrypted)
• IV is short for Initialization Vector
• 24 bits long
• 64 bit encryption: 24 bit IV + 40 bit WEP key
• 128 bit encryption: 24 bit IV + 104 bit WEP key

What is a “Weak” IV?
• In the RC4 algorithm the Key Scheduling Algorithm (KSA) creates an IV-based key schedule from the base key
• A flaw in the WEP implementation of RC4 allows “weak” IVs to be generated
• Those IVs “give away” info about the key bytes they were derived from
• An attacker will collect enough weak IVs to reveal bytes of the base key

WEP problem discovery timeline
• In October 2000, Jesse Walker was one of the first people to identify several of the problems within WEP.
• In February 2001 three researchers (Fluhrer, Mantin, and Shamir) found a flaw in the RC4 key setup algorithm which results in total recovery of the secret key.
• In June 2001 Tim Newsham found a problem in the algorithm that some vendors used to automatically generate WEP keys. He also built code to perform dictionary attacks against WEP-intercepted traffic.

WEP Attacks (cont.)
• Four types of attacks:
• Passive attacks to decrypt traffic based on statistical analysis.
• Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext.
• Active attacks to decrypt traffic, based on tricking the access point.
• Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic.
• The time required to gather enough wireless traffic depends heavily on the network saturation of the target access point

Drawbacks of WEP Protocol
• The determination and distribution of WEP keys are not defined
• There is no defined mechanism to change the WEP key either per authentication or periodically for an authenticated connection
• No mechanism for central authentication, authorization, and accounting
• No per-frame authentication mechanism to identify the frame source.
• No per-user identification and authentication

Fluhrer Paper/AirSnort Utility
• Key recovery possible due to statistical analysis of plaintext and “weak” IVs
• Leverages “weak” IVs: a large class of weak IVs that can be generated by RC4
• Passive attack, but can be more effective if coupled with an active attack
• Two major implementations: AirSnort; AT&T/Rice University tests (not released)

UC Berkeley Study
• Bit flipping: bits are flipped in WEP encrypted frames, and the ICV CRC32 is recalculated
• Replay: bit-flipped frames with known IVs are resent
• The AP accepts the frame since the CRC32 is correct
• A layer 3 device will reject it, and send a predictable response
• A response database is built and used to derive the key

UC Berkeley Study (figure)
• Plaintext data (“Cisco”) is XORed with the WEP stream cipher (“1234”) to produce the encrypted ciphertext (“XXYYZZ”)
• If the ciphertext is XORed with the guessed plaintext, the stream cipher can be derived

UC Berkeley Study (figure)
• Bit-flipped frame sent; the frame passes the ICV and is forwarded to the destination MAC
• The upper layer protocol fails its CRC and sends a predictable error message to the source MAC
• The AP WEP-encrypts the response and forwards it to the source MAC
• The attacker anticipates the response from the upper layer device and attempts to derive the key

Message Integrity Check (MIC)
• The MIC will protect WEP frames from being tampered with
• The MIC is computed from a seed value, destination MAC, source MAC, and payload
• The MIC is included in the WEP encrypted payload

Message Integrity Check
• The MIC uses a hashing algorithm to stamp the frame
• The MIC is still pre-standards, awaiting 802.11i ratification
• (figure) WEP frame, no MIC: DA, SA, IV, [Data, ICV] WEP encrypted
• (figure) WEP frame with MIC: DA, SA, IV, [Data, SEQ, MIC, ICV] WEP encrypted

Temporal Key Integrity Protocol (TKIP)
• Base key and IV hashed
• The transmit WEP key changes as the IV changes
• Key hashing is still pre-standards, awaiting 802.11i ratification

WEP and TKIP Implementations
• WEP today uses an IV and base key; this includes weak IVs which can be compromised
• TKIP uses the IV and base key to hash a new key, thus a new key every packet; weak keys are mitigated
• (figure) WEP encryption today: IV and base key feed RC4, producing the stream cipher, which is XORed with the plaintext data; the frame carries IV + ciphertext data
• (figure) TKIP: IV and base key are hashed into a packet key, which feeds RC4 to produce the stream cipher, which is XORed with the plaintext data; the frame carries IV + ciphertext data

Wireless Spoofing

Wireless Spoofing
• The attacker constructs frames by filling selected fields that contain addresses or identifiers with legitimate looking but nonexistent values, or with legitimate values that belong to others.
• The attacker would have collected these legitimate values through sniffing.

MAC Address Spoofing
• Probing is sniffable by the sys admins. The attacker wishes to be hidden.
• Use the MAC address of a legitimate card.
• APs can filter based on MAC addresses.

IP spoofing
• Replacing the true IP address of the sender (or, in some cases, the destination) with a different address.
• Defeats IP address based trust.
• IP spoofing is an integral part of many attacks.

Frame Spoofing
• Frames themselves are not authenticated in 802.11.
• Construction of the byte stream that constitutes a spoofed frame is facilitated by libraries.
• The difficulty here is not in the construction of the contents of the frame, but in getting it radiated (transmitted) by the station or an AP. This requires control over the firmware.

Wireless Network Probing

Wireless Network Probing
• Send cleverly constructed packets to a target that trigger useful responses.
• This activity is known as probing or active scanning.
• The target can discover that it is being probed.

Active Attacks
• An attacker can connect to an AP and obtain an IP address from the DHCP server.
• A business competitor can use this kind of attack to get customer information which is confidential to an organization.

Detection of SSID
• Beacon transmission is disabled, and the attacker does not wish to wait …
• Inject a probe request frame using a spoofed source MAC address.
• The probe response frame from the APs will contain, in the clear, the SSID and other information similar to that in the beacon frames.

Detection of APs and stations
• Certain bits in the frames identify that the frame is from an AP.
• If we assume that WEP is either disabled or cracked, the attacker can also gather the IP addresses of the AP and the stations.

Detection of Probing
• The frames that an attacker injects can be sniffed by a sys admin.
• GPS-enabled equipment can identify the physical coordinates of a transmitting device.

AP Weaknesses

Poorly Constructed WEP key
• The default WEP keys used are often too trivial.
• APs use simple techniques to convert the user’s keyboard input into a bit vector.
• Usually 5 or 13 ASCII printable characters are directly mapped by concatenating their ASCII 8-bit codes into a 40-bit or 104-bit WEP key.
• A stronger 104-bit key can be constructed from 26 hexadecimal digits.
• It is possible to form an even stronger 104 bit WEP key by truncating the MD5 hash of an arbitrary length pass phrase.

Defeating MAC Filtering
• Typical APs permit access to only those stations with known MAC addresses.
• Easily defeated by the attacker, who spoofs his frames with a MAC address that is registered with the AP, chosen from among the ones that he collected through sniffing.
• That a MAC address is registered can be detected by observing the frames from the AP to the stations.

Rogue AP

Rogue Networks
• Rogue AP = an unauthorized access point
• Network users often set up rogue wireless LANs to simplify their lives
• Rarely implement security measures
• The network is vulnerable to war driving and sniffing and you may not even know it

Access Point (figure)
• Access Point with SSID “goodguy”; a stronger or closer Access Point with SSID “badguy”
• Wi-Fi Card configured for SSID “goodguy”, “ANY” or “badguy”

Trojan AP
• Corporate back-doors
• Corporate espionage

Trojan AP Mechanics
• Create a competing wireless network.
• The AP can be an actual AP or HostAP on Linux
• Create or modify a captive portal behind the AP
• Redirect users to a “splash” page
• DoS or theft of user credentials, or WORSE
• A bold attacker will visit ground zero. A not-so-bold one will drive by with an amp.

Choose your Wi-Fi weapon...
• Cisco gear @ 100mW (20dBm)
• Senao gear @ 200mW (23dBm)
• Use a 15dBd antenna with a Senao for 38dBd total... 6 WATTS!
• Normal gear @ 25mW (14dBm)
• Vs 25mW? No contest!

(figures)

Airsnarf
• Nothing special
• Simplifies HostAP, httpd, dhcpd, Net::DNS, and iptables setup
• Simple example rogue AP

Equipment Flaws
• Numerous flaws in equipment from well-known manufacturers
• Search on www.securityfocus.com with “access point vulnerabilities”
• Ex 1: by requesting a file named config.img via TFTP, an attacker receives the binary image of the AP configuration. The image includes the administrator’s password required by the HTTP user interface, the WEP encryption keys, MAC address, and SSID.
• Ex 2: yet another AP returns the WEP keys, MAC filter list, and administrator’s password when sent a UDP packet to port 27155 containing the string “gstsearch”.

Denial of Service

Denial of Service
• A system is not providing services to authorized clients because of resource exhaustion by unauthorized clients.
• DOS attacks are difficult to prevent
• Difficult to stop an on-going attack
• The victim and its clients may not even detect the attacks.
• Duration may range from milliseconds to hours.
• A DOS attack against an individual station enables session hijacking.

Jamming
• The hacker can use a high power RF signal generator to interfere with the ongoing wireless connection, making it useless.
• Can be avoided only by physically finding the jamming source.

Flooding with Associations
• The AP inserts the data supplied by the station in the Association Request into a table called the association table.
• 802.11 specifies a maximum value of 2007 concurrent associations to an AP.
• The actual size of this table varies among different models of APs.
- When this table overflows, the AP refuses further clients.
- The attacker authenticates several non-existent stations using legitimate-looking but randomly generated MAC addresses, then sends a flood of spoofed Association Requests so that the association table overflows.
- Enabling MAC filtering in the AP blocks the randomly generated addresses, but not a flood that reuses registered addresses collected by sniffing (see Defeating MAC Filtering above).

Deauth/Disassoc Management Frames
- The attacker must spoof the AP's MAC address in the Source Address and BSSID fields.
- The Sequence Control field is filled in by the card firmware, not by the attacker.

Forged Disassociation
- The attacker sends a spoofed Disassociation frame whose source MAC address is that of the AP.
- To prevent reassociation, the attacker keeps sending Disassociation frames for as long as desired.

Forged Deauthentication
- When an Association Response frame is observed, the attacker sends a spoofed Deauthentication frame whose source MAC address is that of the AP.
- The station is now unassociated and unauthenticated, and must reconnect.
- To prevent reconnection, the attacker keeps sending Deauthentication frames for as long as desired.
- Neither MAC filtering nor WEP prevents this attack: 802.11 management frames are neither authenticated nor encrypted.

First Stage - Deauth Attack
(Figures: AiroPeek trace of the deauthentication attack, and a decode of the Deauthentication frame.)

Power Management
- Power-management schemes place a system in sleep mode when no activity occurs.
- The mobile station (MS) can be configured for Continuous Aware Mode (CAM) or Power Save Polling (PSP) mode.

Power Saving
- The attacker steals packets destined for a station while the station is in the Doze state.
- The 802.11 protocol requires a station to inform the AP, through a successful frame exchange (the Power Management bit in the frame header), that it wishes to enter the Doze state from the Active state.
- Periodically the station awakens and sends a PS-Poll frame to the AP.
- In response the AP transmits the packets that were buffered for the station while it was dozing.
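The frames discussed in the Deauth/Disassoc, Forged Deauthentication and Power Saving slides, built and parsed as raw 802.11 MAC frames. This is an added example, not code from the original deck or from any of the tools it names; the MAC addresses and Association ID are constructed sample values, nothing is transmitted, and the parser handles only the frame types built here (other control-frame subtypes have different layouts).

```python
# Added example, not from the original slides: raw 802.11 MAC frames for the
# attacks discussed here (forged Deauthentication/Disassociation, forged
# PS-Poll) and a header parser that recovers the ToDS/FromDS bits an observer
# uses to tell which data frames came from the AP. Addresses are constructed
# sample values; nothing here transmits.
import struct

TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 5, 8        # management subtypes
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12
SUBTYPE_PS_POLL = 10                             # control subtype
REASON_CLASS3_NONASSOC = 7   # 802.11 reason code: class 3 frame from non-associated STA


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _frame_control(ftype: int, subtype: int, to_ds=False, from_ds=False, pwr_mgt=False) -> bytes:
    """Byte 0: version(2) | type(2) | subtype(4); byte 1: flag bits."""
    b0 = (subtype << 4) | (ftype << 2)
    b1 = (int(to_ds) << 0) | (int(from_ds) << 1) | (int(pwr_mgt) << 4)
    return bytes([b0, b1])


def build_deauth(victim: str, ap: str, reason: int = REASON_CLASS3_NONASSOC,
                 seq: int = 0, disassoc: bool = False) -> bytes:
    """Management frame with addr1 = DA (victim) and addr2 = SA, addr3 = BSSID
    both set to the AP: the spoofing the slides describe. The sequence number
    is normally filled in by card firmware; injection drivers set it directly."""
    subtype = SUBTYPE_DISASSOC if disassoc else SUBTYPE_DEAUTH
    header = (_frame_control(TYPE_MGMT, subtype) + struct.pack("<H", 0)
              + mac(victim) + mac(ap) + mac(ap) + struct.pack("<H", seq << 4))
    return header + struct.pack("<H", reason)          # 2-byte reason code body


def build_ps_poll(aid: int, ap: str, station: str) -> bytes:
    """PS-Poll control frame: the duration field carries the Association ID with
    its two high bits set; addr1 = BSSID, addr2 = the polling station, which is
    the address an attacker spoofs to drain the AP's buffer for that station."""
    return (_frame_control(TYPE_CTRL, SUBTYPE_PS_POLL)
            + struct.pack("<H", 0xC000 | (aid & 0x3FFF)) + mac(ap) + mac(station))


def build_data_header(addr1: str, addr2: str, addr3: str, to_ds: bool, from_ds: bool,
                      seq: int = 0) -> bytes:
    """Header of an infrastructure data frame (body omitted). With FromDS=1 the
    addresses are DA, BSSID, SA; with ToDS=1 they are BSSID, SA, DA."""
    return (_frame_control(TYPE_DATA, 0, to_ds=to_ds, from_ds=from_ds) + struct.pack("<H", 0)
            + mac(addr1) + mac(addr2) + mac(addr3) + struct.pack("<H", seq << 4))


def parse_header(frame: bytes) -> dict:
    """Decode the generic MAC header (plus the reason code of deauth/disassoc).
    Control frames are assumed to be PS-Poll, the only one built above."""
    b0, b1 = frame[0], frame[1]
    ftype, subtype = (b0 >> 2) & 0x3, b0 >> 4
    info = {"type": ftype, "subtype": subtype,
            "to_ds": bool(b1 & 0x01), "from_ds": bool(b1 & 0x02), "pwr_mgt": bool(b1 & 0x10),
            "addr1": frame[4:10].hex(":"), "addr2": frame[10:16].hex(":")}
    if ftype == TYPE_CTRL:                           # PS-Poll: FC, AID, BSSID, TA
        info["aid"] = struct.unpack("<H", frame[2:4])[0] & 0x3FFF
        return info
    info["addr3"] = frame[16:22].hex(":")
    info["seq"] = struct.unpack("<H", frame[22:24])[0] >> 4
    if ftype == TYPE_MGMT and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info


def sent_by_ap(info: dict) -> bool:
    """Beacons and probe responses come only from APs; a data frame with
    FromDS=1 and ToDS=0 is leaving the distribution system, i.e. AP -> station.
    This is the header test the 'Detection of APs' slide refers to."""
    if info["type"] == TYPE_MGMT:
        return info["subtype"] in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP)
    if info["type"] == TYPE_DATA:
        return info["from_ds"] and not info["to_ds"]
    return False
```

Two things to notice in the bytes: the forged frames carry the AP's address in both addr2 and addr3, exactly as a real one would, so nothing in the frame itself distinguishes them; and the sequence number is a parameter here precisely because injection drivers, unlike normal firmware, let the attacker choose it (which is also what the sequence-number detection in the Wireless IDS slides later exploits).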
Power Saving (continued)
- This PS-Poll frame can be spoofed by an attacker, causing the AP to send the buffered packets to the attacker and flush its internal buffer.
- The attacker can repeat these polls so that when the legitimate station periodically awakens and polls, the AP reports that there are no pending packets.

Man-in-the-Middle Attacks

Man-in-the-Middle Attacks
- The attacker on host X inserts X into all communication between hosts B and C, and neither B nor C is aware of the presence of X.
- All messages sent by B do reach C, but via X, and vice versa.
- The attacker can merely observe the communication or modify it before forwarding it.

MITM via Deauth/Disassoc
- An attacker may use a Trojan AP to hijack mobile nodes by sending a stronger signal than the real AP.
- The MS then associates with the Trojan AP, sending its data into the wrong hands.

MITM Attack
- The attacker takes over connections at layers 1 and 2.
- The attacker sends Deauthenticate frames.
- Race condition between the attacker and the AP.
- The attacker associates with the client (posing as the AP), then associates with the AP (posing as the client).
- The attacker is now inserted between client and AP.
- Example: monkey_jack, part of AirJack (http://802.11ninja.net/airjack/).

Wireless MITM
- Assume that station B is authenticated with C, a legitimate AP.
- Attacker X is a laptop with two wireless cards. Through one card, X presents itself as an AP.
- X sends Deauthentication frames to B using C's MAC address as the source, and the BSSID it has collected.
- B is deauthenticated, begins scanning for an AP, and may find X on a channel different from C's.
- There is a race condition between X and C. If B associates with X, the MITM attack has succeeded.
- Through its second card, X retransmits to C the frames it receives from B. These frames carry a spoofed source address of B.

The Monkey-Jack Attack
(Figures: attacker and victim before and after Monkey-Jack.)

First Stage - Deauth Attack
- The attack machine uses the weaknesses above (sniffing and probing) to gather information about the AP and its clients.
- The attack machine sends Deauthentication frames to the victim using the AP's MAC address as the source.

Second Stage - Client Capture
- The victim's 802.11 card scans channels in search of a new AP.
- The victim's 802.11 card associates with the Trojan AP on the attack machine.
- The attack machine's fake AP duplicates the MAC address and ESSID of the real AP.
- The fake AP is on a different channel than the real one.

Third Stage - Connect to AP
- The attack machine associates with the real AP using the MAC address of the victim's machine.
- The attack machine is now inserted and can pass frames through transparently to the upper-layer protocols.

The Monkey-Jack Attack
(Figure: the completed Monkey-Jack insertion.)

Monkey-Jack Detection
- Why do I hear my own MAC address as the Source Address? Is this an attack? Am I being spoofed?
- (Figure: the beginning of a MITM IDS algorithm.)

ARP Poisoning
- ARP poisoning is an attack technique that corrupts the ARP cache the OS maintains, associating wrong MAC addresses with some IP addresses.
- ARP cache poisoning is an old problem on wired networks.
- ARP poisoning is one of the techniques that enables the man-in-the-middle attack.
- ARP poisoning on wireless networks can affect wired hosts too, since the AP bridges the WLAN onto the wired LAN.

Session Hijacking
- Session hijacking occurs when an attacker causes a user to lose his connection and assumes the user's identity and privileges for a period.
- The attacker temporarily disables the user's system, say by a DoS attack or a buffer overflow exploit, and then takes on the identity of the user.
- The attacker now has all the access the user has.
- When done, he stops the DoS attack and lets the user resume. The user may not notice if the disruption lasts no more than a couple of seconds.
- Hijacking can be achieved with the forged Disassociation DoS attack.
- Corporate wireless networks are set up so that the user is directed to an authentication server when his station attempts a connection with an AP.
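The ARP poisoning described two slides up, as an added example that is not part of the original deck: the Ethernet/ARP reply a poisoner sends, and a small watcher of the kind a host or an IDS on the wired side of the AP can run to notice it. The addresses, the sample frames and the `ArpWatch` name are constructed for the example; in practice the frames would come from a capture rather than from `build_arp_reply`.

```python
# Added example (not from the original slides): an ARP-reply monitor that
# notices cache poisoning. Ethernet and ARP layouts follow IEEE 802.3 and
# RFC 826; the frames in SAMPLE_FRAMES are constructed sample data.
import ipaddress
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet frame carrying an ARP reply. A poisoner sends exactly this,
    with sender_ip set to the victim gateway and sender_mac to its own card,
    to plant (gateway -> attacker) in the target's cache."""
    smac, tmac = _mac(sender_mac), _mac(target_mac)
    eth = tmac + smac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet/IPv4 reply
           + smac + ipaddress.ip_address(sender_ip).packed
           + tmac + ipaddress.ip_address(target_ip).packed)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None
    if the frame is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    p = frame[22:42]
    return (op, p[0:6].hex(":"), str(ipaddress.ip_address(p[6:10])),
            p[10:16].hex(":"), str(ipaddress.ip_address(p[16:20])))


class ArpWatch:
    """Records the first MAC seen for each IP and alerts when a later reply
    claims a different MAC, or when one MAC claims several IPs (a poisoner
    impersonating the gateway while still answering for its own address).
    Seed `known` from a trusted table so a poison reply cannot be the first."""

    def __init__(self, known=None):
        self.bindings = dict(known or {})        # IP -> MAC
        self.ips_by_mac = defaultdict(set)
        for ip, m in self.bindings.items():
            self.ips_by_mac[m].add(ip)
        self.alerts = []

    def feed(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        _op, smac, sip, _tmac, _tip = parsed
        prev = self.bindings.get(sip)
        alert = None
        if prev is not None and prev != smac:
            alert = ("changed", sip, prev, smac)     # binding flipped: classic poison
        elif prev is None:
            self.bindings[sip] = smac
            self.ips_by_mac[smac].add(sip)
            if len(self.ips_by_mac[smac]) > 1:
                alert = ("multi-ip", smac, sorted(self.ips_by_mac[smac]))
        if alert:
            self.alerts.append(alert)
        return alert


GATEWAY, ATTACKER, VICTIM = "aa:aa:aa:aa:aa:aa", "ee:ee:ee:ee:ee:ee", "22:22:22:22:22:22"
SAMPLE_FRAMES = [   # constructed: genuine gateway reply, attacker's own reply, poison
    build_arp_reply(GATEWAY, "192.168.1.1", VICTIM, "192.168.1.20"),
    build_arp_reply(ATTACKER, "192.168.1.66", VICTIM, "192.168.1.20"),
    build_arp_reply(ATTACKER, "192.168.1.1", VICTIM, "192.168.1.20"),
]
```

Fed in the order shown, the third frame raises a "changed" alert for 192.168.1.1. Fed poison first, the watcher instead catches the attacker when it next answers for its own IP ("multi-ip"), which is why the two checks are both kept: neither alone is enough when the monitor starts late.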
Session Hijacking (continued)
- After the authentication, the attacker employs the session hijacking described above using spoofed MAC addresses.

War Driving

War Driving
- "The benign act of locating and logging wireless access points while in motion." (http://www.wardrive.net/)
- This "benign" act is of course useful to attackers.

War Chalking
(Figure: war-chalking symbols.)

Typical Equipment
(Figure: typical war-driving equipment.)

"Special" Equipment
- Possible: 8-mile range using a 24 dB gain parabolic dish antenna.
- PC cards vary in transmit power. Typical: 25 mW (14 dBm). Cisco: 100 mW (20 dBm). Senao: 200 mW (23 dBm).

War Driving
- A default installation allows any wireless NIC to access the network.
- Drive around (or walk) and gain access to wireless networks.
- Provides direct access behind the firewall.

Software Tools

802.11 Attack Tools
- The following are all freeware: AirSnort (Linux), WEPCrack (Linux), Kismet (Linux), Wellenreiter (Linux), NetStumbler (Windows), MiniStumbler (PocketPC), BSD-Airtools (*BSD), Aerosol (Windows).

802.11 Network Security Tools
- AiroPeek / AiroPeek NX: wireless frame sniffer/analyzer, Windows.
- AirTraf: wireless sniffer/analyzer/"IDS".
- AirSnort: WEP key "cracker".
- BSD-Airtools: ports of common wireless tools, very useful.
- NetStumbler: access point enumeration tool, Windows, free.

Ettercap
- Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
- It supports active and passive dissection of many protocols (even encrypted ones) and includes many features for network and host analysis.

Weapons of Mass Disruption
- Many tools are new and notable in the world of wireless attacking: libradiate (a library), airtraf, kismet, the air-jack family, thc-rut (The Hacker's Choice).

libradiate
- Radiate is a C library similar in practice to Libnet but designed for "802.11 frame reading, creation and injection."
- Libnet builds layer 3 and above; libradiate builds 802.11 frames.
- Disperse, an example tool built using libradiate, is fully functional.

libradiate: Frame Types and Subtypes
- Beacon: transmitted often, announcing a WLAN.
- Probe request: a client frame, "anyone out there?"
- Association: client and AP exchange, "can I play?"
- Disassociate: "no soup for you!"
- RTS/CTS: request-to-send / clear-to-send frames.
- ACK: acknowledgement.
- Radiate makes construction of these frames very easy.

airtraf
- More a tool for the good guys, but noteworthy nonetheless.
- http://airtraf.sourceforge.net/, http://www.elixar.com (Elixar, Inc.)

netstumbler
- NetStumbler certainly deserves a mention, as it is and was the most popularized wireless network detection tool around.
- Windows based; it supports GPS but lacks many features required by a real wireless security hacker.
- http://www.netstumbler.com

Stumbler vs. StumbVerter
(Figures: three map slides; thanks to fr|tz @ www.mindthief.net for the map data.)

kismet
- A wireless network sniffer that segregates traffic, detects IP blocks, decloaks SSIDs, detects factory default configurations, detects NetStumbler clients and maps wireless access points.
(Figures: two kismet screenshots.)

kismet - gpsmap
- Included with kismet, gpsmap gives a great look at captured wireless nodes:
  ./gpsmap -S 2 -s 12 -r
  ./gpsmap -S 2 -s 14 -r -t
  ./gpsmap -r -t

air-jack
- Not a tool but a family of post-detection tools based on the air-jack driver.
- wlan-jack: spoofs a deauthentication frame to force a wireless user off the net. Shake, repeat forever. Victim is gone!
- essid-jack: wlan-jacks a victim, then sniffs the SSID when the user reconnects.
- monkey-jack: wlan-jacks a victim, then plays man-in-the-middle between the victim and the target.
- kracker-jack: monkey-jacks a WLAN connection protected by MAC filtering and an IPsec-secured VPN!
- http://802.11ninja.net/
- Robert Baird and Mike Lynn's excellent presentation lays out the attacks available to air-jack users: http://www.blackhat.com/presentations/bh-usa02/baird-lynn/bh-us-02-lynn-802.11attack.ppt

thc-rut
- A set of post-detection tools.

Wireless Security Best Practices

Best Practices
- Location of the APs.
- Network segmentation: treat the WLAN as an untrusted network.
- RF signal shaping.
- Continually check for unauthorized ("rogue"/"Trojan") APs.

Proper Configuration
- Change the default passwords.
- Use WEP, however broken it may be.
- Don't use static keys; change them frequently.
- Don't allow connections with an empty SSID.
- Don't broadcast your SSID (this hides nothing from a sniffer, since probe responses carry it in the clear; see Moskowitz in the references).
- Use a VPN and MAC address filtering with strong mutual authentication.
- Wireless IDS/monitoring (e.g., www.airdefense.net).

Proper Configuration
- Most devices have multiple management interfaces: HTTP, Telnet, FTP, TFTP, SNMP.
- Disable unneeded services/interfaces.
- Stay current with patches.

Remedies
- Secure protocol techniques: encrypted messages, digitally signed messages, encapsulation/tunneling.
- Use strong authentication.

Wireless IDS
- A wireless intrusion detection system (WIDS) is often a self-contained computer system with specialized hardware and software to detect anomalous behavior.
- The special wireless hardware is more capable than a commodity wireless card: RF monitor mode, detection of interference and tracking of signal-to-noise ratios.
- It also includes GPS equipment so that rogue clients and APs can be located.
- A WIDS includes one or more listening devices that collect MAC addresses, SSIDs, features enabled on the stations, transmit speeds, current channel, encryption status, beacon interval, etc.
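One WIDS check of the kind these Wireless IDS slides describe, as an added example that is not part of the original deck: tracking the 12-bit sequence number each 802.11 transmitter's firmware increments per frame, so that a second radio forging the same MAC address (as in the forged deauthentication attack) shows up as a break in the sequence. The capture in `SAMPLE_FRAMES` is constructed (source MAC, sequence number, frame kind), and `MAX_FORWARD_GAP` is an assumed tuning value.

```python
# Added example (not from the original slides): detect MAC spoofing from
# 802.11 sequence-number discontinuities, the check the WIDS slides rely on.
# SAMPLE_FRAMES is a constructed capture; MAX_FORWARD_GAP is an assumption.
SEQ_MODULO = 4096          # the Sequence Control field holds a 12-bit number
MAX_FORWARD_GAP = 64       # frames we may have missed between two observed ones


class SeqTracker:
    """Per-transmitter sequence-number tracker. A legitimate card steps the
    counter forward by a little (retries reuse the same number, and it wraps
    at 4096); a backward jump or a large leap means another transmitter is
    using this address. A station power-cycling restarts at 0 and will also
    trip the check once, so alerts should be correlated with deauth frames."""

    def __init__(self, max_gap: int = MAX_FORWARD_GAP):
        self.last = {}           # src MAC -> last sequence number accepted
        self.alerts = []
        self.max_gap = max_gap

    def observe(self, src: str, seq: int, kind: str) -> bool:
        """Return True if the frame breaks the sequence for its source MAC."""
        prev = self.last.get(src)
        if prev is not None:
            gap = (seq - prev) % SEQ_MODULO      # forward distance modulo 4096
            if gap > self.max_gap:               # covers both backward and big forward jumps
                self.alerts.append((src, prev, seq, kind))
                return True                      # keep the legitimate counter, not the forged one
        self.last[src] = seq
        return False


def scan(frames):
    """Run the tracker over (src, seq, kind) tuples and return the alerts."""
    tracker = SeqTracker()
    for src, seq, kind in frames:
        tracker.observe(src, seq, kind)
    return tracker.alerts


AP = "aa:bb:cc:dd:ee:ff"
SAMPLE_FRAMES = [   # constructed: the real AP counts on from 3120; forged deauths use another card's counter
    (AP, 3120, "beacon"), (AP, 3121, "beacon"), (AP, 3122, "data"),
    (AP, 3122, "data-retry"), (AP, 3123, "beacon"),
    (AP, 17, "deauth"),       # forged: attacker's card is at 17
    (AP, 3124, "beacon"),     # real AP continues its own sequence
    (AP, 18, "deauth"),       # forged again
]
WRAP_FRAMES = [("00:11:22:33:44:55", 4094, "data"), ("00:11:22:33:44:55", 4095, "data"),
               ("00:11:22:33:44:55", 0, "data"), ("00:11:22:33:44:55", 1, "data")]
```

Against `SAMPLE_FRAMES` only the two deauth frames are flagged, and the wrap-around in `WRAP_FRAMES` is not, because the distance is taken modulo 4096. Note that this check is defeated by an injection driver that copies the victim's current counter, which is why the slides also list the other attributes a WIDS collects.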
Wireless IDS
- The WIDS computing engine should be powerful enough to dissect frames and WEP-decrypt them into IP and TCP components, which can then be fed into TCP/IP intrusion detection systems.
- Unknown MAC addresses are detected by maintaining a registry of MAC addresses of known stations and APs.
- Spoofing of a known MAC address can be detected because the attacker typically cannot control the card firmware that fills in the Sequence Control field: the sequence numbers of the spoofed frames do not continue the legitimate station's sequence (see Wright in the references).

Wireless Auditing
- Every wireless network should be audited periodically. Several audit firms provide this service for a fee.
- A security audit begins with a well-established security policy. A policy for wireless networks should include a description of the geographical volume of coverage.
- The goal of an audit is to verify that there are no violations of the policy.

Newer Standards and Protocols

WLAN Security Timeline
(Figure: timeline of WLAN security standards.)

Cisco LEAP Overview
- Provides centralized, scalable, user-based authentication.
- The algorithm requires mutual authentication: the network authenticates the client, and the client authenticates the network.
- Uses 802.1X for 802.11 authentication messaging.
- APs will also support Windows XP's EAP-TLS.
- Dynamic WEP key support with WEP key session timeouts.

LEAP Authentication Process
(Figure, reconstructed as steps:)
1. The client sends Start; the AP sends Request Identity; the client returns its Identity, which the AP forwards to the RADIUS server. The AP blocks all other requests until authentication completes.
2. The RADIUS server authenticates the client, and the client authenticates the RADIUS server.
3. The client and the RADIUS server each derive the session key.
4. The AP sends the client the broadcast key (with its key length), encrypted with the session key.

802.11i
- Takes base 802.1X and adds several features.
- Wireless implementations are divided into two groups, legacy and new. Both use 802.1X for credential verification, but the encryption method differs.
- Legacy networks must use 104-bit WEP with TKIP and MIC.
- New networks are the same as legacy, except that they must replace WEP/TKIP with an AES-based cipher. (This slide predates ratification: the AES-OCB mode of the draft was dropped, and 802.11i as ratified in June 2004 specifies AES-CCMP.)

Wi-Fi Protected Access (WPA)
- A security solution based on IEEE standards; a replacement for WEP.
- Designed to run on existing hardware as a software upgrade. WPA is derived from, and will be forward compatible with, the upcoming IEEE 802.11i standard.
- Two main features: enhanced encryption using TKIP, and user authentication via 802.1X and EAP.

Other Vulnerabilities
- In February 2002, Arunesh Mishra and William Arbaugh described several design flaws in the combination of the IEEE 802.1X and IEEE 802.11 protocols that permit man-in-the-middle and session hijacking attacks.
- LEAP-enabled Cisco wireless networks are vulnerable to dictionary attacks (a la "anwrap"): LEAP's MS-CHAP challenge/response can be attacked offline from a capture.
- Attackers can compromise other VPN clients within a "wireless DMZ" and piggyback into the protected network.

Secure LAN (SLAN)
- Intended to protect the link between the wireless client and the (assumed) more secure wired network.
- Similar to a VPN: provides server authentication, client authentication, data privacy and integrity using short-lived per-session and per-user keys.
- Simpler and more cost-efficient than a VPN.
- Cross-platform support and interoperability; not highly scalable, though.
- Supports Linux and Windows. Open source (slan.sourceforge.net).

SLAN Architecture
(Figure.)

SLAN Steps
1. Client/server version handshake.
2. Diffie-Hellman key exchange.
3. Server authentication (public key fingerprint).
4. Client authentication (optional), with PAM on Linux.
5. IP configuration: IP address from a pool, and adjustment of the routing table.

SLAN Client
(Figure: a client application such as a web browser emits plaintext traffic to the SLAN driver; a user-space process encrypts it and hands it to the physical driver, so only encrypted traffic reaches the SLAN server.)

Intermediate WLAN
- 11-100 users.
- Can use MAC addresses, WEP and key rotation if you want.
- Some vendors have limited MAC storage ability.
- SLAN is also an option.
- Another solution is to tunnel traffic through a VPN.

Intermediate WLAN Architecture
(Figure.)

VPN
- Provides a scalable authentication and encryption solution.
- Does require end-user configuration and a strong knowledge of VPN technology.
- Users must re-authenticate when roaming between VPN servers.

VPN Architecture
(Figures: two VPN architecture diagrams.)

Enterprise WLAN
- 100+ users.
- Reconfiguring WEP keys is not feasible.
- Multiple access points and subnets.
- Possible solutions include VLANs, VPNs, custom solutions and 802.1X.

VLANs
- Combine wireless networks on one VLAN segment, even geographically separated networks.
- Use 802.1Q VLAN tagging to create a wireless subnet, and a VPN gateway for authentication and encryption.

VLAN Architecture
(Figure.)

Customized Gateway
- Georgia Institute of Technology: allows students with laptops to log on to the campus network.
- Uses VLANs, iptables and a web browser; no end-user configuration required.
- The user visits a web site and enters a user ID and password.
- The gateway runs specialized code that authenticates the user with Kerberos and filters packets with iptables, adding the user's IP address to the allowed list to provide network access.

Gateway Architecture
(Figure.)

Temporal Key Integrity Protocol (TKIP)
- 128-bit shared secret, the "temporal key" (TK).
- Phase 1 mixes the transmitter's MAC address with the TK (and the high-order bits of the per-packet sequence counter) to produce a Phase 1 key.
- Phase 2 mixes the Phase 1 key with the low-order bits of the sequence counter, which also serves as the initialization vector (IV), to derive per-packet keys.
- Each per-packet key is used with RC4 to encrypt one and only one data packet.
- Defeats the attacks based on "Weaknesses in the Key Scheduling Algorithm of RC4" by Fluhrer, Mantin and Shamir: no key is reused, and the per-packet keys are constructed to avoid the weak-key classes those attacks need.
- TKIP is backward compatible with current APs and wireless NICs (a firmware/driver upgrade).

Message Integrity Check (MIC)
- MIC prevents bit-flip attacks.
- Implemented on both the access point and all associated client devices, MIC adds a few bytes (the 8-byte "Michael" tag) to each packet so that tampering is detected.
Conclusion
- Some predictions are that the market for wireless LANs will be $2.2 billion in 2004, up from $771 million in 2000.
- The current 802.11 security state is not ideal for sensitive environments.
- Wireless networks at home ...

References
1. John Bellardo and Stefan Savage, "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions", Proceedings of the USENIX Security Symposium, 2003. http://www.cs.ucsd.edu/users/savage/papers/UsenixSec03.pdf
2. Jon Edney and William A. Arbaugh, Real 802.11 Security: Wi-Fi Protected Access and 802.11i, 480 pages, Addison-Wesley, 2003, ISBN 0-321-13620-9.
3. Jamil Farshchi, "Wireless Intrusion Detection Systems", November 5, 2003. http://www.securityfocus.com/infocus/1742 (retrieved Jan 20, 2004).
4. Rob Flickenger, Wireless Hacks: 100 Industrial-Strength Tips & Tools, 286 pages, O'Reilly & Associates, September 2003, ISBN 0-596-00559-8.
5. Matthew S. Gast, 802.11 Wireless Networks: The Definitive Guide, 464 pages, O'Reilly & Associates, April 2002, ISBN 0-596-00183-5.
6. Vikram Gupta, Srikanth Krishnamurthy and Michalis Faloutsos, "Denial of Service Attacks at the MAC Layer in Wireless Ad Hoc Networks", Proceedings of MILCOM 2002, Anaheim, CA, October 2002.
7. Chris Hurley, Michael Puchol, Russ Rogers and Frank Thornton, WarDriving: Drive, Detect, Defend, A Guide to Wireless Security, Syngress, 2004, ISBN 1-931836-03-5.
8. IEEE, IEEE 802.11 standards documents. http://standards.ieee.org/wireless/
9. Tom Karygiannis and Les Owens, Wireless Network Security: 802.11, Bluetooth and Handheld Devices, NIST Special Publication 800-48, November 2002. http://cswww.ncsl.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf
10. Prabhaker Mateti, "TCP/IP Suite", in The Internet Encyclopedia, Hossein Bidgoli (ed.), John Wiley, 2003, ISBN 0-471-22201-1.
11. Robert Moskowitz, "Debunking the Myth of SSID Hiding" (retrieved March 10, 2004).
http://www.icsalabs.com/html/communities/WLAN/wp_ssid_hiding.pdf
12. Bruce Potter and Bob Fleck, 802.11 Security, O'Reilly & Associates, 2002, ISBN 0-596-00290-4.
13. William Stallings, Wireless Communications & Networks, Prentice Hall, 2001, ISBN 0-13-040864-6.
14. http://www.warchalking.org/, "Collaboratively creating a hobo-language for free wireless networking."
15. Joshua Wright, "Detecting Wireless LAN MAC Address Spoofing" (retrieved Jan 20, 2004). http://home.jwu.edu/jwright/