Page 1: Hacking 802.11 Wireless Prabhaker Mateti Wright State University

Hacking 802.11 Wireless

Prabhaker Mateti

Wright State University

Page 2: Talk Outline

- Wireless LAN Overview
- Wireless Network Sniffing
- Wireless Spoofing
- Wireless Network Probing
- AP Weaknesses
- Denial of Service
- Man-in-the-Middle Attacks
- War Driving
- Wireless Security Best Practices
- Conclusion

Page 3: Ack

There is nothing new in this talk. It is an overview of what has been known for a couple of years.

Several figures borrowed from many sources on the www.

Apologies that I lost track of the original sources.

Page 4: Wireless LAN Overview

Page 5: OSI Model

(Figure: the seven OSI layers, Application, Presentation, Session, Transport, Network, Data Link and Physical; 802.11b occupies the Physical and Data Link layers, shown as the 802.11 PLCP header and the 802.11 MAC header.)

Page 6: Network Layers

(Figure only.)

Page 7: IEEE 802.11

- Published in June 1997
- 2.4 GHz operating frequency
- 1 to 2 Mbps throughput
- Can choose between frequency hopping or direct sequence spread modulation

Page 8: IEEE 802.11b

- 1999
- Data Rate: 11 Mbps
- Reality: 5 to 7 Mbps
- 2.4 GHz band; runs on 3 channels shared by cordless phones, microwave ovens, and many Bluetooth products
- Only direct sequence modulation is specified
- Most widely deployed today

Page 9: Channels

(Figure only.)

Page 10: Physical Layer

|                                      | 802.11a                                            | 802.11g                                                   | 802.11b             |
|--------------------------------------|----------------------------------------------------|-----------------------------------------------------------|---------------------|
| Standard Approved                    | September 1999                                     | September 1999                                            | September 1999      |
| Available Bandwidth                  | 300 MHz                                            | 83.5 MHz                                                  | 83.5 MHz            |
| Unlicensed Frequencies of Operation  | 5.15-5.35 GHz, 5.725-5.825 GHz                     | 2.4-2.4835 GHz                                            | 2.4-2.4835 GHz      |
| Number of Non-overlapping Channels   | 4 (Indoor), 4 (Indoor/Outdoor), 4 (Indoor/Outdoor) | 3 (Indoor/Outdoor)                                        | 3 (Indoor/Outdoor)  |
| Data Rate Per Channel                | 6, 9, 12, 18, 24, 36, 48, 54 Mbps                  | 1, 2, 5.5, 11 and 6, 9, 12, 18, 22, 24, 33, 36, 48, 54 Mbps | 1, 2, 5.5, 11 Mbps |
| Modulation                           | OFDM                                               | DSSS, OFDM, PBCC (O), CCK-OFDM (O)                        | DSSS, CCK           |

Page 11: The Unlicensed Radio Frequency Spectrum

(Figure: the 5.15-5.35 GHz and 5.725-5.825 GHz bands used by IEEE 802.11a and HiperLAN/2.)

Page 12: Channel Plan – 802.11/11b/11g

(Figure only.)

Page 13: Channel Spacing (5 MHz)

(Figure: non-overlapping channels centred at 2.412, 2.437 and 2.462 GHz; channel spacing 5 MHz.)

Page 14: IEEE 802.11a

- Data Rate: 54 Mbps
- Reality: 25 to 27 Mbps
- Runs on 12 channels
- Not backward compatible with 802.11b
- Uses Orthogonal Frequency Division Multiplexing (OFDM)

Page 15: IEEE 802.11g

- An extension to 802.11b
- Data rate: 54 Mbps
- 2.4 GHz band

Page 16: IEEE 802.1X

- General-purpose port based network access control mechanism for 802 technologies
- Authentication is mutual: both the user (not the station) and the AP authenticate to each other.
- supplicant: entity that needs to be authenticated before LAN access is permitted (e.g., station);
- authenticator: entity that supports the actual authentication (e.g., the AP);
- authentication server: entity that provides the authentication service to the authenticator (usually a RADIUS server).

Page 17: IEEE 802.1X

- Extensible Authentication Protocol (EAP)
- Can provide dynamic encryption key exchange, eliminating some of the issues with WEP
- Roaming is transparent to the end user
- Microsoft includes support in Windows XP

Page 18: 802.1x Architecture

(Figure only.)

Page 19: IEEE 802.11e

- Currently under development
- Working to improve security issues
- Extensions to MAC layer, longer keys, and key management systems
- Adds 128-bit AES encryption

Page 20: Stations and Access Points

Page 21: 802.11 Terminology: Station (STA)

- Device that contains an IEEE 802.11 conformant MAC and PHY interface to the wireless medium, but does not provide access to a distribution system
- Most often end-stations available in terminals (work-stations, laptops etc.)
- Typically implemented in a PC-Card

Page 22: Station Architecture

- Ethernet-like driver interface
  - supports virtually all protocol stacks
- Frame translation according to IEEE Std 802.1H
  - Ethernet Types 8137 (Novell IPX) and 80F3 (AARP) encapsulated via the Bridge Tunnel encapsulation scheme
  - IEEE 802.3 frames: translated to 802.11
  - All other Ethernet Types: encapsulated via the RFC 1042 (Standard for the Transmission of IP Datagrams over IEEE 802 Networks) encapsulation scheme
- Maximum Data limited to 1500 octets
- Transparent bridging to Ethernet

(Figure: station protocol stack. The Platform Computer runs the Driver Software (STADr), which exchanges Ethernet V2.0 / 802.3 frames with the protocol stack; the PC-Card Hardware holds the WMAC controller with Station Firmware (WNIC-STA) and the Radio Hardware, which use the 802.11 frame format.)

Page 23: Terminology: Access-Point (AP)

- A transceiver that serves as the center point of a stand-alone wireless network or as the connection point between wireless and wired networks.
- Device that contains an IEEE 802.11 conformant MAC and PHY interface to the wireless medium, and provides access to a Distribution System for associated stations (i.e., an AP is a STA)
- Most often infrastructure products that connect to wired backbones
- Implemented in a “box” containing a STA PC-Card.

Page 24: Access-Point (AP) Architecture

- Stations select an AP and “associate” with it
- APs support
  - roaming
  - Power Management
  - time synchronization functions (beaconing)
- Traffic typically flows through AP

(Figure: AP protocol stack. The Kernel Software (APK) runs the Bridge Software over the Driver Software (APDr); the PC-Card Hardware holds the WMAC controller with Access Point Firmware (WNIC-AP) and the Radio Hardware (802.11 frame format), while the Bridge Hardware and Ethernet Interface carry Ethernet V2.0 / 802.3 frames.)

Page 25: Basic Configuration

(Figure only.)

Page 26: Infrastructure and Ad Hoc Modes

(Figure only.)

Page 27: Terminology: Basic Service Set (BSS)

- A set of stations controlled by a single “Coordination Function” (the logical function that determines when a station can transmit or receive)
- Similar to a “cell” in pre-IEEE terminology
- A BSS may or may not have an AP

Page 28: Basic Service Set (BSS)

(Figure: a single BSS.)

Page 29: Terminology: Distribution System (DS)

- A system to interconnect a set of BSSs
  - Integrated: a single AP in a standalone network
  - Wired: using cable to interconnect the APs
  - Wireless: using wireless to interconnect the APs

Page 30: Terminology: Independent Basic Service Set (IBSS)

- A BSS forming a self-contained network in which no access to a Distribution System is available
- A BSS without an AP
- One of the stations in the IBSS can be configured to “initiate” the network and assume the Coordination Function
- Diameter of the cell determined by coverage distance between two wireless stations

Page 31: Independent Basic Service Set (IBSS)

(Figure: an IBSS.)

Page 32: Terminology: Extended Service Set (ESS)

- A set of one or more BSSs interconnected by a Distribution System (DS)
- Traffic always flows via AP
- Diameter of the cell is double the coverage distance between two wireless stations

Page 33: ESS: single BSS (with int. DS)

(Figure: one BSS with an integrated DS.)

Page 34: ESS: with wired DS

(Figure: two BSSs interconnected by a wired Distribution System.)

Page 35: ESS: with wireless DS

(Figure: two BSSs interconnected by a wireless Distribution System.)

Page 36: Terminology: Service Set Identifier (SSID)

- “Network name”
- Up to 32 octets long
- One network (ESS or IBSS) has one SSID
- E.g., “WSU Wireless”; defaults: “101” for 3COM and “tsunami” for Cisco

Page 37: Terminology: Basic Service Set Identifier (BSSID)

- “cell identifier”
- One BSS has one BSSID
- Exactly 6 octets long
- BSSID = MAC address of AP

Page 38: 802.11 Communication

- CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) instead of Collision Detection
- WLAN adapter cannot send and receive traffic at the same time on the same channel
- Hidden Node Problem
- Four-Way Handshake

Page 39: Hidden Node Problem

(Figure only.)

Page 40: Four-Way Handshake

(Figure: exchange between Source and Destination.)

1. RTS – Request to Send (Source to Destination)
2. CTS – Clear to Send (Destination to Source)
3. DATA (Source to Destination)
4. ACK (Destination to Source)

Page 41: Infrastructure operation modes

- Root Mode
- Repeater Mode

Page 42: Frames

Page 43: Ethernet Packet Structure

Graphic Source: Network Computing Magazine, August 7, 2000

- 14 byte header
- 2 addresses

Page 44: 802.11 Packet Structure

Graphic Source: Network Computing Magazine, August 7, 2000

- 30 byte header
- 4 addresses

Page 45: Ethernet Physical Layer Packet Structure

Graphic Source: Network Computing Magazine, August 7, 2000

- 8 byte header (Preamble)

Page 46: 802.11 Physical Layer Packet Structure

Graphic Source: Network Computing Magazine, August 7, 2000

- 24 byte header (PLCP, Physical Layer Convergence Protocol)
- Always transferred at 1 Mbps

Page 47: Frame Formats

MAC Header format differs per Type:
- Control Frames (several fields are omitted)
- Management Frames
- Data Frames

802.11 MAC Header (field sizes in bytes):

| Frame Control | Duration/ID | Addr 1 | Addr 2 | Addr 3 | Sequence Control | Addr 4 | Frame Body | CRC |
|---------------|-------------|--------|--------|--------|------------------|--------|------------|-----|
| 2             | 2           | 6      | 6      | 6      | 2                | 6      | 0-2312     | 4   |

Frame Control Field (field sizes in bits):

| Protocol Version | Type | SubType | To DS | From DS | More Frag | Retry | Pwr Mgt | More Data | WEP | Rsvd |
|------------------|------|---------|-------|---------|-----------|-------|---------|-----------|-----|------|
| 2                | 2    | 4       | 1     | 1       | 1         | 1     | 1       | 1         | 1   | 1    |

Page 48: Address Field Description

- Addr. 1 = All stations filter on this address.
- Addr. 2 = Transmitter Address (TA); identifies the transmitter to address the ACK frame to.
- Addr. 3 = Dependent on the To DS and From DS bits.
- Addr. 4 = Only needed to identify the original source of WDS (Wireless Distribution System) frames

(Frame Control Field figure as on Page 47.)

| To DS | From DS | Address 1 | Address 2 | Address 3 | Address 4 |
|-------|---------|-----------|-----------|-----------|-----------|
| 0     | 0       | DA        | SA        | BSSID     | N/A       |
| 0     | 1       | DA        | BSSID     | SA        | N/A       |
| 1     | 0       | BSSID     | SA        | DA        | N/A       |
| 1     | 1       | RA        | TA        | DA        | SA        |

Page 49: Type field descriptions

Type and subtype identify the function of the frame:
- Type=00 Management Frame
  - Beacon
  - (Re)Association
  - Probe
  - (De)Authentication
  - Power Management
- Type=01 Control Frame
  - RTS/CTS
  - ACK
- Type=10 Data Frame

(Frame Control Field figure as on Page 47.)
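The decoder below is an added example, not part of the original slides: it applies the Frame Control bit layout from the Frame Formats slide and the To DS / From DS address table from the Address Field slide to raw header bytes, and recognises the 30-byte WDS header when both DS bits are set. The management subtype values and the little-endian field order are the IEEE 802.11 ones; the MAC addresses and sample frames are constructed for illustration.

```python
"""Decode an IEEE 802.11 MAC header: Frame Control bits and the
To DS / From DS address table. Multi-byte fields are little-endian."""
import struct

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data"}
# Management subtype values from IEEE 802.11 for the frames the slides name.
MGMT_SUBTYPES = {0: "Association Request", 1: "Association Response",
                 2: "Reassociation Request", 3: "Reassociation Response",
                 4: "Probe Request", 5: "Probe Response", 8: "Beacon",
                 10: "Disassociation", 11: "Authentication", 12: "Deauthentication"}
# Address roles keyed by (To DS, From DS), one row per entry of the slide's table.
ADDRESS_ROLES = {(0, 0): ("DA", "SA", "BSSID", None),
                 (0, 1): ("DA", "BSSID", "SA", None),
                 (1, 0): ("BSSID", "SA", "DA", None),
                 (1, 1): ("RA", "TA", "DA", "SA")}


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def decode_frame_control(fc):
    """Split the 16-bit Frame Control value into its named bit fields."""
    return {"version": fc & 0x3, "type": (fc >> 2) & 0x3,
            "subtype": (fc >> 4) & 0xF, "to_ds": (fc >> 8) & 1,
            "from_ds": (fc >> 9) & 1, "more_frag": (fc >> 10) & 1,
            "retry": (fc >> 11) & 1, "pwr_mgt": (fc >> 12) & 1,
            "more_data": (fc >> 13) & 1, "wep": (fc >> 14) & 1,
            "rsvd": (fc >> 15) & 1}


def decode_mac_header(frame):
    """Return the decoded header as a dict; raise ValueError if truncated."""
    if len(frame) < 4:
        raise ValueError("frame shorter than Frame Control and Duration/ID")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    flags = decode_frame_control(fc)
    info = {"type": FRAME_TYPES.get(flags["type"], "Reserved"),
            "subtype": flags["subtype"], "duration_id": duration, "flags": flags}
    if flags["type"] == 0:
        info["subtype_name"] = MGMT_SUBTYPES.get(flags["subtype"], "Other")
    if flags["type"] == 1:
        # Control frames omit most fields; RA is the only address common to all.
        if len(frame) < 10:
            raise ValueError("control frame shorter than Frame Control, Duration and RA")
        info["addresses"] = {"RA": mac_str(frame[4:10])}
        return info
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte minimum header")
    roles = ADDRESS_ROLES[(flags["to_ds"], flags["from_ds"])]
    addrs = {roles[0]: mac_str(frame[4:10]), roles[1]: mac_str(frame[10:16]),
             roles[2]: mac_str(frame[16:22])}
    seq_ctl, = struct.unpack_from("<H", frame, 22)
    info["fragment"], info["sequence"] = seq_ctl & 0xF, seq_ctl >> 4
    info["header_len"] = 24
    if roles[3] is not None:  # WDS frame: Addr 4 follows Sequence Control
        if len(frame) < 30:
            raise ValueError("WDS frame needs a 30-byte header")
        addrs[roles[3]] = mac_str(frame[24:30])
        info["header_len"] = 30
    info["addresses"] = addrs
    return info


def build_header(fc, addr1, addr2, addr3, seq=0, addr4=b""):
    """Helper used only to construct the sample frames below."""
    return (struct.pack("<HH", fc, 0) + addr1 + addr2 + addr3
            + struct.pack("<H", seq << 4) + addr4)


# Constructed, locally administered sample addresses (not real devices).
AP, STA, HOST = (bytes.fromhex("02aabbccdd0" + d) for d in "123")
# Beacon: type 0, subtype 8 -> Frame Control 0x0080 (bytes 80 00 on the air).
BEACON = build_header(0x0080, b"\xff" * 6, AP, AP, seq=12)
# Data frame from a station into the DS: type 2 (0x08) with To DS set (0x0100).
DATA_TO_DS = build_header(0x0108, AP, STA, HOST, seq=7)
# WDS data frame between APs: To DS and From DS set, four addresses present.
WDS = build_header(0x0308, AP, STA, HOST, seq=1, addr4=STA)
# ACK control frame: type 1, subtype 13 -> 0x00D4; only Frame Control, Duration, RA.
ACK = struct.pack("<HH", 0x00D4, 0) + AP

if __name__ == "__main__":
    for name, frame in (("beacon", BEACON), ("data to DS", DATA_TO_DS),
                        ("WDS", WDS), ("ack", ACK)):
        print(name, decode_mac_header(frame))
```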

Page 50: Management Frames

- Beacon
  - Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, parameters
  - Traffic Indication Map
- Probe
  - SSID, Capabilities, Supported Rates
- Probe Response
  - Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, parameters
  - same as Beacon except for TIM
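As an added example (not from the slides), the parser below reads the fixed fields and tagged elements of a Beacon or Probe Response body the way a passive scanner would record them, enforces the 32-octet SSID limit from the SSID slide, and flags a TIM inside a Probe Response, which the Management Frames slide says differs from a Beacon only by the TIM. The element IDs and the capability bit positions are the IEEE 802.11 values; the sample bodies are constructed.

```python
"""Parse an 802.11 Beacon / Probe Response body: Timestamp (8), Beacon
Interval (2), Capability (2), then tagged elements of ID, length, value."""
import struct

ELEMENT_IDS = {0: "SSID", 1: "Supported Rates", 3: "DS Parameter Set", 5: "TIM"}
MAX_SSID_OCTETS = 32   # limit stated on the SSID slide


def parse_elements(body, offset):
    """Walk the tagged elements; stop and record an error on a truncated one."""
    elements, errors = [], []
    while offset < len(body):
        if offset + 2 > len(body):
            errors.append("dangling element header at offset %d" % offset)
            break
        eid, length = body[offset], body[offset + 1]
        value = body[offset + 2:offset + 2 + length]
        if len(value) < length:
            errors.append("element %d claims %d bytes, only %d left" % (eid, length, len(value)))
            break
        elements.append((eid, value))
        offset += 2 + length
    return elements, errors


def parse_beacon_body(body, is_probe_response=False):
    """Return the fields a passive scanner would keep from one frame body."""
    if len(body) < 12:
        raise ValueError("body shorter than the 12 fixed-field bytes")
    timestamp, interval_tu, capability = struct.unpack_from("<QHH", body, 0)
    result = {"timestamp": timestamp,
              "beacon_interval_ms": interval_tu * 1024 / 1000.0,  # 1 TU = 1024 us
              "ess": bool(capability & 0x0001),
              "ibss": bool(capability & 0x0002),
              "privacy": bool(capability & 0x0010),  # encryption (WEP) required
              "ssid": None, "rates_mbps": [], "channel": None, "has_tim": False}
    elements, result["errors"] = parse_elements(body, 12)
    for eid, value in elements:
        if eid == 0:
            if len(value) > MAX_SSID_OCTETS:
                result["errors"].append("SSID longer than %d octets" % MAX_SSID_OCTETS)
                continue
            # A zero-length SSID is a "hidden" network name; keep it as "".
            result["ssid"] = value.decode("utf-8", "replace")
        elif eid == 1:
            # Each byte is a rate in 500 kbps units; the MSB marks a basic rate.
            result["rates_mbps"] = [(b & 0x7F) / 2.0 for b in value]
        elif eid == 3 and len(value) == 1:
            result["channel"] = value[0]
        elif eid == 5:
            result["has_tim"] = True
    if is_probe_response and result["has_tim"]:
        result["errors"].append("TIM present in a Probe Response")
    return result


def element(eid, value):
    """Constructed helper to build one tagged element."""
    return bytes([eid, len(value)]) + value


# Constructed sample beacon: interval 100 TU, ESS + Privacy, SSID "WSU Wireless",
# rates 1/2/5.5/11 Mbps (1 and 2 basic), channel 6, an empty TIM.
SAMPLE_BEACON = (struct.pack("<QHH", 0x0102030405060708, 100, 0x0011)
                 + element(0, b"WSU Wireless")
                 + element(1, bytes([0x82, 0x84, 0x0B, 0x16]))
                 + element(3, bytes([6]))
                 + element(5, bytes([0, 2, 0, 0])))
# Constructed malformed body: SSID element claims 40 octets.
OVERLONG_SSID = struct.pack("<QHH", 0, 100, 0x0001) + element(0, b"A" * 40)
# Constructed truncated body: element claims 10 bytes but only 3 follow.
TRUNCATED = struct.pack("<QHH", 0, 100, 0x0001) + bytes([0, 10]) + b"abc"

if __name__ == "__main__":
    print(parse_beacon_body(SAMPLE_BEACON))
    print(parse_beacon_body(OVERLONG_SSID)["errors"])
    print(parse_beacon_body(TRUNCATED)["errors"])
```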

Page 51: Management Frames (cont’d)

- Association Request
  - Capability, Listen Interval, SSID, Supported Rates
- Association Response
  - Capability, Status Code, Station ID, Supported Rates
- Re-association Request
  - Capability, Listen Interval, SSID, Supported Rates, Current AP Address
- Re-association Response
  - Capability, Status Code, Station ID, Supported Rates

Page 52: Management Frames (cont’d)

- Dis-association
  - Reason code
- Authentication
  - Algorithm, Sequence, Status, Challenge Text
- De-authentication
  - Reason

Page 53: Synchronization

- Necessary for keeping frequency hopping synchronized, and for other functions like Power Saving.
- The AP periodically transmits a special type of frame called a Beacon Frame
- The MS uses the info in Beacon frames to synchronize to the AP.

Page 54: Control Frame Format

(Figure only.)

Page 55: Authentication

Page 56: Authentication

- To control access to the infrastructure via an authentication
- The station first needs to be authenticated by the AP in order to join the AP's network.
- Stations identify themselves to other stations (or APs) prior to data traffic or association
- 802.11 defines two authentication subtypes: Open system and shared key

Page 57: Open system authentication

- A sends an authentication request to B.
- B sends the result back to A

Page 58: Shared Key Authentication

- Uses WEP Keys

Page 59: Access Point Discovery

- Beacons sent out 10x/second
  - Advertise capabilities
- Station queries access points
  - Requests features
- Access points respond
  - With supported features
- Authentication just a formality
  - May involve more frames
- Features used by war driving software

(Figure: Probe request / Probe response, Authentication request / Authentication response and Association request / Association response exchanged between station and AP.)

Page 60: Association

Page 61: Association

- Next step after authentication
- Association enables data transfer between MS and AP.
- The MS sends an association request frame to the AP, which replies to the client with an association response frame either allowing or disallowing the association.

Page 62: Association

- To establish a relationship with an AP
- Stations scan the frequency band and select the AP with the best communications quality
  - Active Scan (sending a “Probe request” on specific channels and assessing the response)
  - Passive Scan (assessing communications quality from beacon messages)
- AP maintains a list of associated stations in MAC FW
  - Records station capability (data-rate)
  - To allow inter-BSS relay
- Station’s MAC address is also maintained in the bridge learn table, associated with the port it is located on

Page 63: Association + Authentication

(Figure: station state machine.)

- State 1: Unauthenticated, Unassociated
- State 2: Authenticated, Unassociated
- State 3: Authenticated, Associated

Transitions:
- State 1 -> State 2: Successful authentication
- State 2 -> State 3: Successful authentication or reassociation
- State 3 -> State 2: Disassociation
- State 2 -> State 1 and State 3 -> State 1: Deauthentication

Page 64: Starting an ESS

- The infrastructure network is identified by its ESSID
- All Access-Points will have been set according to this ESSID
- Wireless stations will be configured to set their desired SSID to the value of the ESSID
- On power up, stations will issue Probe Requests and will locate the AP that they will associate with:
  - “best” Access-Point with matching ESSID
  - “best” Access-Point if the SSID has been set to “ANY”

Page 65: Starting an IBSS

- A station configured for IBSS operation will:
  - “look” for Beacons that contain a network name (SSID) that matches the one that is configured
  - When Beacons with matching Network Name are received and are issued by an AP, the station will associate to the AP
  - When Beacons with matching Network Name are received and are issued by another Station in IBSS mode, the station will join this IBSS
  - When no beacons are received with matching Network Name, the station will issue beacons itself.
- All Stations in an IBSS network will participate in sending beacons.
  - All stations start a random timer prior to the point in time when the next Beacon is to be sent.
  - The first station whose random timer expires will send the next beacon

Page 66: Inter-Frame Spacing

(Figure: after a Busy Medium, access is deferred for DIFS (SIFS, then PIFS, then DIFS), followed by a Contention Window of slot times; a station selects a slot and decrements its backoff as long as the medium is idle, then sends the next frame. Free access when the medium is free longer than DIFS.)

- Inter frame spacing required for MAC protocol traffic
  - SIFS = Short interframe space
  - PIFS = PCF interframe space
  - DIFS = DCF interframe space
- Back-off timer expressed in terms of number of time slots

Page 67: Data Frames and their ACK

(Figure: Src sends Data; after SIFS, Dest returns the Ack; Other stations defer access for DIFS and back off during the Contention Window before the Next MPDU.)

- Acknowledgments are to arrive within the SIFS
- The DCF interframe space is observed before the medium is considered free for use

Page 68: Traffic flow - Inter-BSS

(Figure: STA-1 and STA-2, each an Avaya Wireless PC-Card, both associate with one AP-1000 or AP-500 in BSS-A. A packet for STA-2 sent by STA-1 is ACKed by the AP, looked up in the AP's association table and bridge learn table, and relayed (Inter-BSS Relay) to STA-2, which ACKs it.)

Page 69: Traffic flow - ESS operation

(Figure: STA-1 in BSS-A and STA-2 in BSS-B, each served by an AP-1000 or AP-500 with its own association table and bridge learn table, the two APs connected over a wired Backbone. The packet for STA-2 is ACKed by the first AP, forwarded over the backbone to the second AP, and delivered to STA-2, which ACKs it.)

Page 70: Traffic flow - WDS operation

(Figure: as on Page 69, but the two APs are connected over a Wireless Backbone; the packet for STA-2 is carried between the APs by WDS Relay frames, each hop ACKed in turn.)

Page 71: Wireless Network Sniffing

Page 72

Network Sniffing

Sniffing is a reconnaissance technique.

Sniffing is eavesdropping on the network. A sniffer is a program that intercepts and decodes network traffic broadcast through a medium.

Sniffing is the act by a machine S of making copies of a network packet sent by machine A intended to be received by machine B.

Sniffing is not a TCP/IP problem; it is enabled by the media, Ethernet and 802.11, at the physical and data link layers.

Page 73

Wireless Network Sniffing

An attacker can passively scan without transmitting at all.

A passive scanner instructs the wireless card to listen to each channel for a few messages.

RF monitor mode of a wireless card allows every frame appearing on a channel to be copied as the radio of the station tunes to various channels. This is analogous to a wired Ethernet card in promiscuous mode.

A station in monitor mode can capture packets without associating with an AP or ad-hoc network.

Many wireless cards permit RFmon mode.

Page 74

Passive Scanning

A corporate network can be accessed from outside a building by an eavesdropper using readily available technology.

Page 75

Passive Scanning

Wireless LAN sniffers can be used to gather information about the wireless network from a distance with a directional antenna.

These applications are capable of gathering the passwords from HTTP sites and telnet sessions that are sent in plain text.

These attacks do not leave any trace of the hacker’s presence on the network.

Page 76

Passive Scanning

Scanning is a reconnaissance technique

Detection of SSID

Collecting the MAC addresses

Collecting the frames for cracking WEP

Page 77

A Basic Attack

Behind the scenes of a completely passive wireless pre-attack session

Page 78

Installing Kismet

Setting up Kismet is fairly straightforward.

Google on “Kismet”

http://www.kismetwireless.net/

Page 79

Starting Kismet

The mysqld service is started.

The gpsd service is started on serial port 1.

The wireless card is placed into monitor mode.

kismet is launched.

Page 80

Detection

Kismet picks up some wireless jabber! In order to take a closer look at the traffic, disengage “autofit” mode by pressing “ss” to sort by SSID.

[Screenshot callouts: WEP? yes or no; 4 TCP packets; IPs detected; type; strength]

Page 81

Network Details

Network details for the 0.0.0.0 address are viewed by pressing the “i” key.

Page 82

Network Details

Network details for the 169.254.187.86 address are viewed by pressing the “i” key.

Page 83

More network details

More network details for the 169.254.187.86 address are viewed by pressing the “i” key, then scrolling down to view more information.

Page 84

traffic dump

A dump of “printable” traffic can be had by pressing the “d” key.

\MAILSLOTS? Could this be a postal office computer?

(that is a joke. feel free to laugh at this point. thank you.)

Page 85

packet list

A list of packet types can be viewed by selecting a wireless point and pressing “p”.

Page 86

gpsmap

A gpsmap of the area is printed using

# gpsmap -S2 -s10 -r gpsfile

Page 87

ethereal - beacon

The *.dump files Kismet generates can be opened with tcpdump or ethereal as shown here.

This is an 802.11 beacon frame.

Page 88

ethereal - probe request

....an 802.11 Probe Request from the same machine

Page 89

ethereal - registration

oooh... a NETBIOS registration packet for “MSHOME”...

Page 90

ethereal - registration

...another registration packet, this time from “LAP10”...

Page 91

ethereal - DHCP request

...a DHCP request... it would be interesting to spoof a response to this...

Page 92

ethereal - browser request

...a NETBIOS browser request...

Page 93

ethereal - browser announce

...an SMB host announcement... revealing an OS major version of 5 and an OS minor version of 1... We have a Windows XP client laptop searching for an access point.

This particular target ends up being nothing more than a lone client crying out for a wireless server to connect to. Spoofing management frames to this client would most likely prove to be pointless...

Page 94

Passive Scanning

This simple example demonstrates the ability to monitor even client machines which are not actively connected to a wireless access point.

In a more “chatty” environment, so much more is possible.

All of this information was captured passively. Kismet did not send a single packet on the airwaves.

This type of monitoring cannot be detected, but preventive measures can be taken.

Page 95

Detection of SSID

SSID occurs in the following frame types: beacon, probe requests, probe responses, association requests, and reassociation requests.

Management frames are always in the clear, even when WEP is enabled.

Merely collect a few frames and note the SSID.

What if beacons are turned off? Or SSID is hidden?

Page 96

When the Beacon displays a null SSID …

Patiently wait.

Recall that management frames are in the clear.

Wait for an associate request; Associate request and response both contain the SSID.

Wait for a probe request; Probe responses contain SSID.

Page 97

Beacon transmission is disabled ...

Wait for a voluntary associate request to appear. Or

Actively probe by injecting spoofed frames, and then sniff the response.

Page 98

Collecting the MAC Addresses

Attacker gathers legitimate MAC addresses for use later in spoofed frames.

The source and destination MAC addresses are always in the clear in all the frames.

The attacker sniffs these legitimate addresses.

Page 99

Collecting frames for cracking WEP

Systematic procedures exist for cracking WEP.

Need to collect a large number (millions) of frames.

Collection may take hours to days.

Cracking takes a few seconds to a couple of hours.

Page 100

Cracking WEP

Page 101

Wired Equivalent Privacy (WEP)

Designed to be computationally efficient, self-synchronizing, and exportable

All users of a given AP share the same encryption key

Data headers remain unencrypted so anyone can see the source and destination of the data stream

Page 102

Initialization Vector (IV)

Over a period, the same plaintext packet should not generate the same ciphertext packet

IV is random, and changes per packet

Generated by the device on the fly

24 bits long

64 bit encryption: IV + 40 bits WEP key

128 bit encryption: IV + 104 bits WEP key

Page 103

WEP Encryption

WEP encryption key: a shared 40- or 104-bit long number

WEP keys are used for authentication and encryption of data

A 32-bit integrity check value (ICV) is calculated that provides data integrity for the MAC frame.

The ICV is appended to the end of the frame data.

A 24-bit initialization vector (IV) is appended to the WEP key.

The combination of [IV+WEP encryption key] is used as the input of a pseudo-random number generator (PRNG) to generate a bit sequence that is the same size as the combination of [data+ICV].

The PRNG bit sequence is bit-wise XORed with [data+ICV] to produce the encrypted portion of the payload that is sent between the wireless AP and the wireless client.

The IV is added to the front of the encrypted [data+ICV], which becomes the payload for the wireless MAC frame.

The result is IV+encrypted [data+ICV].

Page 104

Decryption

The IV is obtained from the front of the MAC payload.

The WEP encryption key is concatenated with the IV.

The concatenated WEP encryption key and IV is used as the input of the same PRNG to generate a bit sequence of the same size as the combination of the data and the ICV, which is the same bit sequence as that of the sending wireless node.

The PRNG bit sequence is XORed with the encrypted [data+ICV] to decrypt the [data+ICV] portion of the payload.

The ICV for the data portion of the payload is calculated and compared with the value included in the incoming frame. If the values match, the data is taken to have been sent from the wireless client and to be unmodified in transit.

The WEP key remains constant over a long duration but the IV can be changed frequently depending on the degree of security needed.

Page 105

WEP Protocol

Page 106

WEP: Wired Equivalent Privacy

Page 107

What is an IV?

IV is short for Initialization Vector

24 bits long

64 bit encryption: 24 bits IV + 40 bits WEP key

128 bit encryption: 24 bits IV + 104 bits WEP key

[Figure: WEP frame body layout. IV field, 4 octets: Initialization Vector (24 bits), Pad (6 bits), Key ID (2 bits). MSDU, 0-2304 octets. ICV, 4 octets. The MSDU and ICV are encrypted; the IV field is not.]

Page 108

What is a “Weak” IV?

In the RC4 algorithm the Key Scheduling Algorithm (KSA) creates an IV-based key from the base key

A flaw in the WEP implementation of RC4 allows “weak” IVs to be generated

Those IVs “give away” info about the key bytes they were derived from

An attacker will collect enough weak IVs to reveal bytes of the base key

Page 109

WEP problem discovery timeline

In October 2000, Jesse Walker was one of the first people to identify several of the problems within WEP.

In February 2001 three researchers (Fluhrer, Mantin, and Shamir) found a flaw in the RC4 key setup algorithm which results in total recovery of the secret key.

In June 2001 Tim Newsham found a problem in the algorithm that some vendors used to automatically generate WEP keys. He also built code to perform dictionary attacks against WEP-intercepted traffic.

Page 110

WEP Attacks (cont.)

Four types of attacks

Passive attacks to decrypt traffic based on statistical analysis.

Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext.

Active attacks to decrypt traffic, based on tricking the access point.

Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic.

Time required to gather enough wireless traffic depends heavily on the network saturation of the target access point.

Page 111

Drawbacks of WEP Protocol

The determination and distribution of WEP keys are not defined

There is no defined mechanism to change the WEP key either per authentication or periodically for an authenticated connection

No mechanism for central authentication, authorization, and accounting

No per-frame authentication mechanism to identify the frame source.

No per-user identification and authentication

Page 112

Fluhrer Paper/AirSnort Utility

Key recovery possible due to statistical analysis of plaintext and “weak” IV

Leverages “weak” IVs—large class of weak IVs that can be generated by RC4

Passive attack, but can be more effective if coupled with active attack

Two major implementations

AirSnort

AT&T/Rice University tests (not released)

Page 113

UC Berkeley Study

Bit flipping

Bits are flipped in WEP encrypted frames, and ICV CRC32 is recalculated

Replay

Bit flipped frames with known IVs resent

AP accepts frame since CRC32 is correct

Layer 3 device will reject, and send predictable response

Response database built and used to derive key

Page 114

UC Berkeley Study

[Figure: Predicted plaintext “Cisco 1234” XORed with the WEP stream cipher gives ciphertext “XXYYZZ”; the ciphertext “XXYYZZ” XORed with the guessed plaintext “Cisco 1234” gives back the stream cipher.]

PlainText data is XORed with the WEP stream cipher to produce the encrypted CipherText.

If CipherText is XORed with guessed PlainText, the stream cipher can be derived.
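An added example, not the deck's own code: the WEP payload construction of pages 103-104 written out in Python (RC4 seeded with IV||key, CRC-32 ICV, cleartext IV in front), followed by the two checks that the Berkeley work on pages 113-114 rests on: XORing a frame with its known plaintext yields the keystream for that IV, which then decrypts any other frame sent under the same IV, and the CRC-32 ICV is linear, which is why it cannot serve as a tamper check and a keyed MIC (page 116) is needed. The key, IV and payload bytes are constructed values for the demonstration.

```python
import struct
import zlib

WEP_IV_LEN = 3          # 24-bit IV, transmitted in the clear in front of the payload


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4: key scheduling (KSA) over the seed, then 'length' bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """32-bit integrity check value: CRC-32 of the data, little-endian."""
    return struct.pack("<I", zlib.crc32(data))


def wep_encrypt(key: bytes, iv: bytes, data: bytes, key_id: int = 0) -> bytes:
    """Build the WEP payload: IV || KeyID byte || RC4(IV||key) XOR (data || ICV).

    key is the shared 40- or 104-bit secret; iv is the 24-bit per-frame value.
    """
    assert len(key) in (5, 13) and len(iv) == WEP_IV_LEN
    keystream = rc4_keystream(iv + key, len(data) + 4)   # seed = IV in front of the key
    return iv + bytes([key_id << 6]) + xor(data + icv(data), keystream)


def wep_decrypt(key: bytes, payload: bytes):
    """Reverse of wep_encrypt. Returns (data, icv_ok): the receiver re-derives the
    keystream from the cleartext IV and compares the recomputed ICV."""
    iv, body = payload[:WEP_IV_LEN], payload[WEP_IV_LEN + 1:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    data, received_icv = plain[:-4], plain[-4:]
    return data, received_icv == icv(data)


def recover_keystream(payload: bytes, known_data: bytes) -> bytes:
    """Page 114: ciphertext XOR known plaintext (with its ICV) is the RC4 keystream
    for this frame's IV. No key is involved."""
    return xor(payload[WEP_IV_LEN + 1:], known_data + icv(known_data))


def decrypt_with_keystream(payload: bytes, keystream: bytes) -> bytes:
    """Decrypt a frame that reused an IV, using only the keystream recovered for it.
    This is what makes a 24-bit IV space a confidentiality failure, not just a nuisance."""
    return xor(payload[WEP_IV_LEN + 1:], keystream)[:-4]


def crc32_is_linear(a: bytes, b: bytes) -> bool:
    """Page 113: for equal-length inputs, crc(a XOR b) == crc(a) XOR crc(b) XOR crc(0...0).
    An ICV with this property can be adjusted to match any XOR change to the data
    without knowledge of the key, so it detects noise but not tampering."""
    assert len(a) == len(b)
    zeros = b"\x00" * len(a)
    return zlib.crc32(xor(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"                 # constructed 40-bit key
    iv = b"\x11\x22\x33"                          # constructed IV
    frame = wep_encrypt(key, iv, b"hello, world")
    print("payload:", frame.hex())
    print("decrypt:", wep_decrypt(key, frame))
    ks = recover_keystream(frame, b"hello, world")
    reused = wep_encrypt(key, iv, b"secret data!")   # same IV, so same keystream
    print("decrypted via recovered keystream:", decrypt_with_keystream(reused, ks))
    print("CRC-32 linear:", crc32_is_linear(b"hello, world", b"secret data!"))
```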

Page 115

UC Berkeley Study

[Figure: bit-flipped frame sent; frame passes ICV and is forwarded to the destination MAC; upper layer protocol fails its CRC and sends a predictable error message to the source MAC; AP WEP-encrypts the response and forwards it to the source MAC; attacker anticipates the response from the upper layer device and attempts to derive the key.]

Page 116

Message Integrity Check (MIC)

The MIC will protect WEP frames from being tampered with

The MIC is computed from seed value, destination MAC, source MAC, and payload

The MIC is included in the WEP encrypted payload

Page 117

Message Integrity Check

MIC uses a hashing algorithm to stamp the frame

The MIC is still pre-standards, awaiting 802.11i ratification

[Figure: WEP frame without MIC: DA | SA | IV | Data | ICV, with Data and ICV WEP encrypted. WEP frame with MIC: DA | SA | IV | Data | SEQ | MIC | ICV, with Data, SEQ, MIC and ICV WEP encrypted.]

Page 118

Temporal Key Integrity Protocol (TKIP)

Base key and IV hashed

Transmit WEP Key changes as IV changes

Key hashing is still pre-standards, awaiting 802.11i ratification

Page 119

WEP and TKIP Implementations

WEP today uses an IV and base key; this includes weak IVs which can be compromised

TKIP uses the IV and base key to hash a new key—thus a new key every packet; weak keys are mitigated

[Figure: WEP encryption today: IV and Base Key feed RC4, producing the stream cipher that is XORed with the plaintext data to give the ciphertext data. TKIP: IV and Base Key are hashed into a per-packet key, which feeds RC4; the resulting stream cipher is XORed with the plaintext data to give the ciphertext data.]

Page 120

Wireless Spoofing

Page 121

Wireless Spoofing

The attacker constructs frames by filling selected fields that contain addresses or identifiers with legitimate looking but non-existent values, or with legitimate values that belong to others.

The attacker would have collected these legitimate values through sniffing.

Page 122

MAC Address Spoofing

Probing is sniffable by the sys admins.

Attacker wishes to be hidden.

Use MAC address of a legitimate card.

APs can filter based on MAC addresses.

Page 123

IP spoofing

Replacing the true IP address of the sender (or, in some cases, the destination) with a different address.

Defeats IP address based trust.

IP spoofing is an integral part of many attacks.

Page 124

Frame Spoofing

Frames themselves are not authenticated in 802.11.

Construction of the byte stream that constitutes a spoofed frame is facilitated by libraries.

The difficulty here is not in the construction of the contents of the frame, but in getting it radiated (transmitted) by the station or an AP. This requires control over the firmware.

Page 125

Wireless Network Probing

Page 126

Wireless Network Probing

Send cleverly constructed packets to a target that trigger useful responses.

This activity is known as probing or active scanning.

The target can discover that it is being probed.

Page 127

Active Attacks

Attacker can connect to an AP and obtain an IP address from the DHCP server.

A business competitor can use this kind of attack to get the customer information which is confidential to an organization.

Page 128

Detection of SSID

Beacon transmission is disabled, and the attacker does not wish to wait …

Inject a probe request frame using a spoofed source MAC address.

The probe response frame from the APs will contain, in the clear, the SSID and other information similar to that in the beacon frames.

Page 129

Detection of APs and stations

Certain bits in the frames identify that the frame is from an AP.

If we assume that WEP is either disabled or cracked, the attacker can also gather the IP addresses of the AP and the stations.

Page 130

Detection of Probing

The frames that an attacker injects can be sniffed by a sys admin.

GPS-enabled equipment can identify the physical coordinates of a transmitting device.

Page 131

AP Weaknesses

Poorly Constructed WEP key

The default WEP keys used are often too trivial. APs use simple techniques to convert the user’s keyboard input into a bit vector. Usually 5 or 13 ASCII printable characters are directly mapped by concatenating their ASCII 8-bit codes into a 40-bit or 104-bit WEP key.

A stronger 104-bit key can be constructed from 26 hexadecimal digits.

It is possible to form an even stronger 104-bit WEP key by truncating the MD5 hash of an arbitrary-length pass phrase.
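The three key constructions on this slide, side by side, as an added example that is not part of the original deck: the ASCII mapping, the hex-digit form, and the truncated-MD5 form, together with the search space each one really leaves an attacker relative to the nominal 40 or 104 bits. The MD5 construction is implemented exactly as the slide describes it (first 13 bytes of MD5 over the pass phrase), not as any particular vendor's key generator, and the entropy figures assume every printable character is equally likely, so they are upper bounds.

```python
"""WEP key construction as the slide describes it, with the effective key
space of each method.  Added example; the MD5 variant follows the slide's
description (truncated MD5 of the pass phrase), not a vendor's generator."""
import hashlib
import math

WEP40_BYTES = 5          # 40-bit key: 5 ASCII characters or 10 hex digits
WEP104_BYTES = 13        # 104-bit key: 13 ASCII characters or 26 hex digits
PRINTABLE_ASCII = 95     # 0x20..0x7E, all a keyboard mapping can produce


def key_from_ascii(text: str) -> bytes:
    """Concatenate the 8-bit ASCII codes of 5 or 13 printable characters."""
    if len(text) not in (WEP40_BYTES, WEP104_BYTES):
        raise ValueError("ASCII WEP keys must be exactly 5 or 13 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in text):
        raise ValueError("only printable ASCII characters are accepted")
    return text.encode("ascii")


def key_from_hex(digits: str) -> bytes:
    """Parse 10 or 26 hexadecimal digits into a 40- or 104-bit key."""
    if len(digits) not in (2 * WEP40_BYTES, 2 * WEP104_BYTES):
        raise ValueError("hex WEP keys must be exactly 10 or 26 digits")
    return bytes.fromhex(digits)


def key_from_passphrase_md5(passphrase: str) -> bytes:
    """104-bit key: the first 13 bytes of MD5(pass phrase), as the slide says."""
    return hashlib.md5(passphrase.encode("utf-8")).digest()[:WEP104_BYTES]


def keyspace_bits(method: str, length: int) -> float:
    """Search space in bits that a method really offers.

    `length` is the number of characters typed (ascii, md5) or the number of
    hex digits (hex).  Assumes uniformly random printable characters, so the
    result is an upper bound; real pass phrases are much weaker."""
    if method == "ascii":
        return length * math.log2(PRINTABLE_ASCII)      # 95 choices per byte, not 256
    if method == "hex":
        return 4.0 * length                             # every digit fills 4 bits
    if method == "md5":
        # Bounded by the pass phrase itself and by the 104 bits kept from the hash.
        return min(length * math.log2(PRINTABLE_ASCII), 8.0 * WEP104_BYTES)
    raise ValueError(f"unknown method {method!r}")


def compare_methods() -> dict:
    """Nominal vs. effective bits for the constructions on the slide."""
    return {
        "ascii-5": (40, round(keyspace_bits("ascii", 5), 1)),
        "ascii-13": (104, round(keyspace_bits("ascii", 13), 1)),
        "hex-26": (104, round(keyspace_bits("hex", 26), 1)),
        "md5-8": (104, round(keyspace_bits("md5", 8), 1)),
        "md5-20": (104, round(keyspace_bits("md5", 20), 1)),
    }


if __name__ == "__main__":
    for name, (nominal, effective) in compare_methods().items():
        print(f"{name:9s} nominal {nominal:3d} bits, effective at most {effective} bits")
```

The comparison shows why the slide ranks the methods as it does: five printable characters fill under 33 of the 40 bits, thirteen fill about 85 of 104, and only the hex form or a long MD5-hashed pass phrase reaches the full 104.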

Defeating MAC Filtering

Typical APs permit access to only those stations with known MAC addresses.

Easily defeated by the attacker: he spoofs his frames with a MAC address that is registered with the AP, chosen from among the ones that he collected through sniffing.

That a MAC address is registered can be detected by observing the frames from the AP to the stations.

Rogue AP

Rogue Networks

Rogue AP = an unauthorized access point
Network users often set up rogue wireless LANs to simplify their lives
Rarely implement security measures
Network is vulnerable to War Driving and sniffing and you may not even know it

Figure: a legitimate Access Point (SSID “goodguy”) and a stronger or closer Access Point (SSID “badguy”); a Wi-Fi card configured with SSID “ANY” can end up associated with either one.

Trojan AP

Corporate back-doors
Corporate espionage

Trojan AP Mechanics

Create a competing wireless network.
AP can be an actual AP or HostAP on Linux
Create or modify a captive portal behind the AP
Redirect users to a “splash” page
DoS or theft of user credentials, or WORSE
Bold attacker will visit ground zero.
Not-so-bold will drive by with an amp.

Choose your Wi-Fi weapon...

Normal Gear @ 25mW (14dBm)
Cisco Gear @ 100mW (20dBm)
Senao Gear @ 200mW (23dBm)
Use a 15dBd antenna with a Senao for 38dBd total... 6 WATTS! Vs 25mW? No contest!


Airsnarf

Nothing special
Simplifies HostAP, httpd, dhcpd, Net::DNS, and iptables setup
Simple example rogue AP

Equipment Flaws

Numerous flaws in equipment from well-known manufacturers
Search on www.securityfocus.com with “access point vulnerabilities”
Ex 1: by requesting a file named config.img via TFTP, an attacker receives the binary image of the AP configuration. The image includes the administrator’s password required by the HTTP user interface, the WEP encryption keys, MAC address, and SSID.
Ex 2: yet another AP returns the WEP keys, MAC filter list, and administrator’s password when sent a UDP packet to port 27155 containing the string “gstsearch”.

Denial of Service

Denial of Service

A system is not providing services to authorized clients because of resource exhaustion by unauthorized clients.

DOS attacks are difficult to prevent
Difficult to stop an on-going attack
Victim and its clients may not even detect the attacks.
Duration may range from milliseconds to hours.
A DOS attack against an individual station enables session hijacking.

Jamming

The hacker can use a high-power RF signal generator to interfere with the ongoing wireless connection, making it useless.

Can be avoided only by physically finding the jamming source.

Flooding with Associations

AP inserts the data supplied by the station in the Association Request into a table called the association table.

802.11 specifies a maximum value of 2007 concurrent associations to an AP. The actual size of this table varies among different models of APs.

When this table overflows, the AP would refuse further clients.

Attacker authenticates several non-existing stations using legitimate-looking but randomly generated MAC addresses. The attacker then sends a flood of spoofed associate requests so that the association table overflows.

Enabling MAC filtering in the AP will prevent this attack.

Deauth/Disassoc Management frame

• Attacker must spoof AP MAC address in Src Addr and BSSID
• Sequence Control field handled by firmware (not set by attacker)

Forged Disassociation

Attacker sends a spoofed Disassociation frame where the source MAC address is set to that of the AP.

To prevent Reassociation, the attacker continues to send Disassociation frames for a desired period.

Forged Deauthentication

When an Association Response frame is observed, the attacker sends a spoofed Deauthentication frame where the source MAC address is spoofed to that of the AP.

The station is now unassociated and unauthenticated, and needs to reconnect.

To prevent a reconnection, the attacker continues to send Deauthentication frames for a desired period.

Neither MAC filtering nor WEP protection will prevent this attack.

First Stage – Deauth Attack

Airopeek Trace of Deauth Attack

First Stage – Deauth Attack

Decode of Deauthentication Frame

Power Management

Power-management schemes place a system in sleep mode when no activity occurs.
The MS can be configured to be in continuous aware mode (CAM) or Power Save Polling (PSP) mode.

Power Saving

Attacker steals packets for a station while the station is in Doze state.
The 802.11 protocol requires a station to inform the AP through a successful frame exchange that it wishes to enter the Doze state from the Active state.
Periodically the station awakens and sends a PS-Poll frame to the AP. The AP will transmit in response the packets that were buffered for the station while it was dozing.
This polling frame can be spoofed by an attacker, causing the AP to send the collected packets and flush its internal buffers.
An attacker can repeat these polling messages so that when the legitimate station periodically awakens and polls, the AP will inform it that there are no pending packets.

Man-in-the-Middle Attacks

Man-in-the-Middle Attacks

Attacker on host X inserts X between all communication between hosts B and C, and neither B nor C is aware of the presence of X.

All messages sent by B do reach C, but via X, and vice versa.

The attacker can merely observe the communication or modify it before sending it out.

MITM Via Deauth/DeAssoc

A hacker may use a Trojan AP to hijack mobile nodes by sending a stronger signal than the actual AP is sending to those nodes.

The MS then associates with the Trojan AP, sending its data into the wrong hands.

MITM Attack

Attacker takes over connections at layer 1 and 2
Attacker sends Deauthenticate frames
Race condition between attacker and AP
Attacker associates with client
Attacker associates with AP
Attacker is now inserted between client and AP
Example: Monkey jack, part of AirJack (http://802.11ninja.net/airjack/)

Wireless MITM

Assume that station B was authenticated with C, a legitimate AP.
Attacker X is a laptop with two wireless cards. Through one card, he presents X as an AP.
Attacker X sends Deauthentication frames to B using C’s MAC address as the source, and the BSSID he has collected.
B is deauthenticated and begins a scan for an AP and may find X on a channel different from C.
There is a race condition between X and C.
If B associates with X, the MITM attack succeeded. X will re-transmit the frames it receives from B to C. These frames will have a spoofed source address of B.

The Monkey-Jack Attack

Before Monkey-Jack (figure: attacker, victim)

The Monkey-Jack Attack

After Monkey-Jack

First Stage – Deauth Attack

Attack machine uses vulnerabilities to get information about AP and clients.

Attack machine sends deauthentication frames to victim using the AP’s MAC address as the source.

Second Stage – Client Capture

Victim’s 802.11 card scans channels to search for new AP
Victim’s 802.11 card associates with Trojan AP on the attack machine
Attack machine’s fake AP is duplicating MAC address and ESSID of real AP
Fake AP is on a different channel than the real one

Third Stage – Connect to AP

Attack machine associates with real AP using MAC address of the victim’s machine.

Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper-level protocols.

The Monkey-Jack Attack

Monkey-Jack Detection

Why do I hear my MAC Address as the Src Addr? Is this an attack? Am I being spoofed?

Beginning of a MITM IDS Algorithm
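A defender-side sketch of such an algorithm, as an added example that is not part of the original deck or of AirJack: it parses 802.11 management headers from constructed sample frames and raises alerts for the three attacks described on the earlier slides (forged deauth/disassoc carrying the AP's address, which the attacker's firmware stamps with its own Sequence Control counter; an association-table flood from many made-up MACs; and the Monkey-Jack case where a station hears its own MAC as the source of frames it never sent). The one-second window, the deauth and association thresholds, and the sequence-gap limit are assumptions to be tuned per site, not values from the slides.

```python
"""Monitor for the management-frame attacks on these slides: forged deauth/disassoc
carrying the AP's address, association-table flooding, and a Monkey-Jack victim
hearing its own MAC used as a source.  Added example, not from the slides or AirJack;
sample frames are constructed, window and thresholds are assumptions."""
from collections import deque, namedtuple
from typing import Optional

ASSOC_REQ, BEACON, DISASSOC, DEAUTH = 0x0, 0x8, 0xA, 0xC   # management subtypes
SEQ_MODULUS = 4096     # 12-bit sequence number, stamped by the card's firmware
SEQ_GAP_LIMIT = 64     # a bigger jump in one sender's stream looks injected

MgmtFrame = namedtuple("MgmtFrame", "subtype da sa bssid seq")


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt(subtype: int, da: str, sa: str, bssid: str, seq: int) -> bytes:
    """Constructed 24-byte management header: FC, duration, DA, SA, BSSID, SeqCtl."""
    fc = subtype << 4                        # protocol version 0, type 0 (management)
    seq_ctl = (seq % SEQ_MODULUS) << 4       # fragment number 0
    return (fc.to_bytes(2, "little") + b"\x00\x00" + mac_bytes(da)
            + mac_bytes(sa) + mac_bytes(bssid) + seq_ctl.to_bytes(2, "little"))


def parse_mgmt(raw: bytes) -> Optional[MgmtFrame]:
    """Decode a management frame header; control and data frames return None."""
    if len(raw) < 24:
        return None
    fc = int.from_bytes(raw[0:2], "little")
    if (fc >> 2) & 0x3 != 0:
        return None
    seq = int.from_bytes(raw[22:24], "little") >> 4
    return MgmtFrame((fc >> 4) & 0xF, mac_str(raw[4:10]),
                     mac_str(raw[10:16]), mac_str(raw[16:22]), seq)


class WirelessMonitor:
    """Watches one BSS from a station's point of view and records alerts."""

    def __init__(self, ap_bssid: str, own_mac: str, window: float = 1.0,
                 deauth_limit: int = 5, assoc_limit: int = 20):
        self.ap, self.own, self.window = ap_bssid, own_mac, window
        self.deauth_limit, self.assoc_limit = deauth_limit, assoc_limit
        self.last_ap_seq: Optional[int] = None
        self.deauths: deque = deque()        # timestamps of deauth/disassoc "from" the AP
        self.assocs: deque = deque()         # (timestamp, station) of association requests
        self.alerts: list = []               # (timestamp, kind, detail)

    def observe(self, t: float, raw: bytes, sent_by_me: bool = False) -> None:
        f = parse_mgmt(raw)
        if f is None:
            return
        if f.sa == self.ap:
            self._check_ap_sequence(t, f)
        if f.subtype in (DEAUTH, DISASSOC) and f.sa == self.ap:
            self.deauths.append(t)
            while t - self.deauths[0] > self.window:
                self.deauths.popleft()
            if len(self.deauths) == self.deauth_limit:
                self.alerts.append((t, "deauth-flood", f"{self.deauth_limit} in {self.window}s"))
        if f.subtype == ASSOC_REQ and f.bssid == self.ap:
            self.assocs.append((t, f.sa))
            while t - self.assocs[0][0] > self.window:
                self.assocs.popleft()
            distinct = {sa for _, sa in self.assocs}
            if len(distinct) == self.assoc_limit:
                self.alerts.append((t, "assoc-flood", f"{len(distinct)} stations in {self.window}s"))
        if f.sa == self.own and not sent_by_me:   # Monkey-Jack stage three: someone is "me"
            self.alerts.append((t, "own-mac-spoofed", f"subtype 0x{f.subtype:x} to {f.da}"))

    def _check_ap_sequence(self, t: float, f: MgmtFrame) -> None:
        # The AP's firmware numbers frames consecutively; a forged frame carries the
        # attacker's own counter, so the AP's stream jumps.  Gap 0 is a retransmission,
        # small gaps are missed frames; a real monitor would also resync on a persistent jump.
        if self.last_ap_seq is not None:
            gap = (f.seq - self.last_ap_seq) % SEQ_MODULUS
            if gap > SEQ_GAP_LIMIT:
                self.alerts.append((t, "ap-seq-anomaly",
                                    f"subtype 0x{f.subtype:x} seq {f.seq} after {self.last_ap_seq}"))
                return
        self.last_ap_seq = f.seq


def simulate() -> list:
    """Constructed capture: beacons, a forged deauth burst, an association flood, and
    the real AP hearing "me" associate when I transmitted nothing."""
    ap, me, bcast = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff"
    mon = WirelessMonitor(ap, me)
    for i in range(3):                      # legitimate beacons, seq 100..102
        mon.observe(0.1 * i, build_mgmt(BEACON, bcast, ap, ap, 100 + i))
    for i in range(8):                      # forged deauths stamped with the attacker's counter
        mon.observe(0.5 + 0.01 * i, build_mgmt(DEAUTH, me, ap, ap, 2000 + i))
    for i in range(25):                     # association requests from made-up MACs
        mon.observe(2.0 + 0.01 * i, build_mgmt(ASSOC_REQ, ap, f"02:00:00:00:00:{i:02x}", ap, i))
    mon.observe(3.0, build_mgmt(ASSOC_REQ, ap, me, ap, 7))
    return mon.alerts
```

Run `simulate()` to see the alert list; each forged deauth trips the sequence check on its own, while the flood alerts fire once as the window threshold is crossed.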

ARP Poisoning

ARP poisoning is an attack technique that corrupts the ARP cache that the OS maintains with wrong MAC addresses for some IP addresses.

ARP cache poisoning is an old problem in wired networks.

ARP poisoning is one of the techniques that enables the man-in-the-middle attack.

ARP poisoning on wireless networks can affect wired hosts too.

Session Hijacking

Session hijacking occurs when an attacker causes a user to lose his connection, and the attacker assumes his identity and privileges for a period.

An attacker temporarily disables the user’s system, say by a DOS attack or a buffer overflow exploit. The attacker then takes the identity of the user. The attacker now has all the access that the user has. When he is done, he stops the DOS attack, and lets the user resume. The user may not detect the interruption if the disruption lasts no more than a couple of seconds.

Hijacking can be achieved by a forged disassociation DOS attack.
Corporate wireless networks are set up so that the user is directed to an authentication server when his station attempts a connection with an AP. After the authentication, the attacker employs the session hijacking described above using spoofed MAC addresses.

War Driving

War Driving

“The benign act of locating and logging wireless access points while in motion.” -- (http://www.wardrive.net/).

This “benign” act is of course useful to the attackers.

War chalking

Typical Equipment

“Special” Equipment

Possible: 8 mile range using a 24dB gain parabolic dish antenna.

PC cards vary in power.
Typical: 25mW (14dBm)
Cisco: 100mW (20dBm)
Senao: 200mW (23dBm)

War Driving

Default installation allows any wireless NIC to access the network
Drive around (or walk) and gain access to wireless networks
Provides direct access behind the firewall

Software Tools

802.11 Attack Tools

The following are all freeware
Airsnort (Linux)
WEPcrack (Linux)
Kismet (Linux)
Wellenreiter (Linux)
NetStumbler (Windows)
MiniStumbler (PocketPC)
BSD-Airtools (*BSD)
Aerosol (Windows)
WiFiScanner (Linux)

802.11 Network Security Tools

AiroPeek / AiroPeek NX: Wireless frame sniffer / analyzer, Windows
AirTraf: Wireless sniffer / analyzer / “IDS”
AirSnort: WEP key “cracker”
BSD Airtools: Ports for common wireless tools, very useful
NetStumbler: Access point enumeration tool, Windows, free

Ettercap

Ettercap is a suite for man-in-the-middle attacks on LANs. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.

It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.

Weapons Of Mass Disruption

Many tools are new and notable in the world of wireless attacking:
libradiate – a library
airtraf
kismet
air-jack family
thc-rut – The Hacker's Choice

libradiate

Radiate is a C library similar in practice to Libnet but designed for "802.11 frame reading, creation and injection."

Libnet builds layer 3 and above
Libradiate builds 802.11 frames
Disperse, an example tool built using libradiate, is fully functional

libradiate

Frame types and subtypes
Beacon: transmitted often, announcing a WLAN
Probe request: a client frame – "anyone out there?"
Association: client and server exchange – "can I play?"
Disassociate: "no soup for you!"
RTS/CTS: ready/clear to send frames
ACK: Acknowledgement

Radiate allows construction of these frames very easily.

airtraf

more a tool for the good guys, but noteworthy nonetheless

http://airtraf.sourceforge.net/
http://www.elixar.com (Elixar, Inc)

netstumbler

‘stumbler certainly deserves a mention, as it is and was the most popularized wireless network detection tool around

Windows based, it supports GPS but lacks many features required by a REAL wireless security hacker...

http://www.netstumbler.com

stumbler vs. stumbverter

thanks to fr|tz @ www.mindthief.net for map data!


kismet

A wireless network sniffer that
Segregates traffic
Detects IP blocks
Decloaks SSIDs
Detects factory default configurations
Detects netstumbler clients
Maps wireless points


kismet - gpsmap

./gpsmap -S 2 -s 12 -r
./gpsmap -S 2 -s 14 -r -t
./gpsmap -r -t

Included with kismet, gpsmap gives a great look at captured wireless nodes.

air-jack

Not a tool, a family of post-detection tools based on the air-jack driver.
wlan-jack: spoofs a deauthentication frame to force a wireless user off the net. Shake, repeat forever. Victim is GONE!
essid-jack: wlan-jacks a victim then sniffs the SSID when the user reconnects.
Monkey-jack: wlan-jacks a victim, then plays man-in-the-middle between the attacker and the target.
kracker-jack: monkey-jacks a WLAN connection protected by MAC filtering and an IPSec-secured VPN!

air-jack

http://802.11ninja.net/
Robert Baird & Mike Lynn’s excellent presentation lays out the attacks available to air-jack users.
http://www.blackhat.com/presentations/bh-usa-02/baird-lynn/bh-us-02-lynn-802.11attack.ppt

thc-rut

a set of post-detection tools

Wireless Security Best Practices

Location of the APs

Network segmentation
Treat the WLAN as an untrusted network
RF signal shaping
Continually check for unauthorized (“rogue/Trojan”) APs

Proper Configuration

Change the default passwords
Use WEP, however broken it may be
Don't use static keys, change them frequently
Don't allow connections with an empty SSID
Don't broadcast your SSID
Use a VPN and MAC address filtering with strong mutual authentication
Wireless IDS/monitoring (e.g., www.airdefense.net)


Proper Configuration

Most devices have multiple management interfaces: HTTP, Telnet, FTP, TFTP, SNMP

Disable unneeded services / interfaces
Stay current with patches
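The two "Proper Configuration" slides are a checklist; the script below encodes that checklist as an audit over an access point's settings and shows the same settings after remediation. It is an added example, not code from the talk or from any vendor: the configuration dictionary, its field names, the list of default passwords and the 30-day key-rotation and 90-day patch thresholds are all constructed for illustration.

```python
"""Audit an access point's configuration against the hardening checklist
on the "Proper Configuration" slides.  Added example, not code from the
talk; the configuration format and thresholds are constructed/assumed."""

# Constructed sample: a typical out-of-the-box access point.
DEFAULT_AP_CONFIG = {
    "admin_password": "admin",           # vendor default, never changed
    "encryption": "none",                # none | wep | wpa-tkip
    "static_key": True,
    "key_age_days": 365,                 # how long the current key has been in use
    "allow_empty_ssid": True,
    "ssid_broadcast": True,
    "mac_filtering": False,
    "vpn_required": False,
    "management_interfaces": ["http", "telnet", "ftp", "tftp", "snmp"],
    "firmware_patch_level_days": 400,    # days since the last firmware update
}

# Credentials the audit treats as "default password still in place" (constructed list).
DEFAULT_PASSWORDS = {"", "admin", "password", "default", "public"}

# Management interfaces named on the slide; all of them carry credentials
# or configuration in the clear, so each one left enabled is a finding.
CLEARTEXT_MGMT = {"http", "telnet", "ftp", "tftp", "snmp"}

MAX_KEY_AGE_DAYS = 30      # assumed rotation interval for static keys
MAX_PATCH_LAG_DAYS = 90    # assumed tolerance for "stay current with patches"


def audit_ap(cfg):
    """Return a list of (severity, finding) tuples; an empty list means clean."""
    findings = []
    if cfg.get("admin_password", "") in DEFAULT_PASSWORDS:
        findings.append(("high", "default or empty admin password"))
    enc = cfg.get("encryption", "none")
    if enc == "none":
        findings.append(("high", "no link-layer encryption; enable at least WEP"))
    elif enc == "wep":
        findings.append(("medium", "WEP in use; treat the WLAN as untrusted"))
    if cfg.get("static_key") and cfg.get("key_age_days", 0) > MAX_KEY_AGE_DAYS:
        findings.append(("medium", "static key older than %d days; rotate keys" % MAX_KEY_AGE_DAYS))
    if cfg.get("allow_empty_ssid"):
        findings.append(("medium", "connections with an empty SSID are allowed"))
    if cfg.get("ssid_broadcast"):
        findings.append(("low", "SSID is broadcast in beacons"))
    if not (cfg.get("mac_filtering") and cfg.get("vpn_required")):
        findings.append(("medium", "VPN plus MAC address filtering not both enforced"))
    exposed = CLEARTEXT_MGMT & set(cfg.get("management_interfaces", []))
    for iface in sorted(exposed):
        findings.append(("medium", "cleartext management interface enabled: " + iface))
    if cfg.get("firmware_patch_level_days", 0) > MAX_PATCH_LAG_DAYS:
        findings.append(("medium", "firmware patches more than %d days behind" % MAX_PATCH_LAG_DAYS))
    return findings


def harden(cfg, new_password):
    """Return a copy of cfg with every item on the checklist remediated.
    Encryption moves to WPA/TKIP (the slides' WEP replacement) when it was
    off or WEP; cleartext management interfaces are removed rather than
    replaced, since the slide only says to disable what is not needed."""
    fixed = dict(cfg)
    fixed.update({
        "admin_password": new_password,
        "encryption": "wpa-tkip" if cfg.get("encryption") in ("none", "wep") else cfg["encryption"],
        "static_key": False,
        "key_age_days": 0,
        "allow_empty_ssid": False,
        "ssid_broadcast": False,
        "mac_filtering": True,
        "vpn_required": True,
        "management_interfaces": [i for i in cfg.get("management_interfaces", []) if i not in CLEARTEXT_MGMT],
        "firmware_patch_level_days": 0,
    })
    return fixed


if __name__ == "__main__":
    for severity, text in audit_ap(DEFAULT_AP_CONFIG):
        print("%-6s %s" % (severity, text))
    print("after hardening:", audit_ap(harden(DEFAULT_AP_CONFIG, "placeholder-new-password")))
```

Run against the constructed default configuration the audit reports twelve findings, two of them high; the hardened copy reports none. The checks are deliberately independent of each other so that a partially remediated device still shows exactly the items that remain.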


Remedies

Secure Protocol Techniques: encrypted messages, digitally signed messages, encapsulation/tunneling

Use strong authentication


Wireless IDS

A wireless intrusion detection system (WIDS) is often a self-contained computer system with specialized hardware and software to detect anomalous behavior.

The special wireless hardware is more capable than the commodity wireless card, including the RF monitor mode, detection of interference, and keeping track of signal-to-noise ratios.

It also includes GPS equipment so that rogue clients and APs can be located.

A WIDS includes one or more listening devices that collect MAC addresses, SSIDs, features enabled on the stations, transmit speeds, current channel, encryption status, beacon interval, etc.


Wireless IDS

The WIDS computing engine should be powerful enough that it can dissect frames and WEP-decrypt them into IP and TCP components. These can be fed into TCP/IP related intrusion detection systems.

Unknown MAC addresses are detected by maintaining a registry of MAC addresses of known stations and APs.

It can detect spoofed known MAC addresses because the attacker could not control the firmware of the wireless card to insert the appropriate sequence numbers into the frame.
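The two WIDS checks named on these slides, the registry of known MAC addresses and the sequence-number test for a spoofed known address, are small enough to show in full. The block below is an added example, not code from the talk or from any WIDS product: it runs both checks over a constructed capture of (frame number, source MAC, 802.11 sequence number) records. The registries, the sample frames and the tolerance window of eight lost frames are all constructed/assumed; the 12-bit sequence counter and its wrap at 4096 are from the 802.11 frame format.

```python
"""Two WIDS checks over constructed frame records: unknown source MACs, and
sequence-number jumps on a known MAC (the symptom of a second radio using
that address).  Added example, not code from the talk or any product."""

SEQ_MODULO = 4096   # the 802.11 sequence-control field carries a 12-bit sequence number
MAX_GAP = 8         # assumed: up to 8 lost frames still count as the same transmitter

# Constructed registries of known stations and APs (MAC -> friendly name).
KNOWN_STATIONS = {"00:0c:41:aa:bb:01": "laptop-1", "00:0c:41:aa:bb:02": "laptop-2"}
KNOWN_APS = {"00:40:96:12:34:56": "ap-lobby"}

# Constructed capture: (frame_no, src_mac, seq_num).  Frame 6 is sent by a
# second radio using laptop-1's address, so its sequence number does not
# follow laptop-1's own counter; frame 9 comes from an unregistered card.
SAMPLE_FRAMES = [
    (1, "00:0c:41:aa:bb:01", 100),
    (2, "00:0c:41:aa:bb:01", 101),
    (3, "00:40:96:12:34:56", 4094),
    (4, "00:40:96:12:34:56", 4095),
    (5, "00:40:96:12:34:56", 0),      # legitimate wrap-around 4095 -> 0
    (6, "00:0c:41:aa:bb:01", 2710),   # spoofed: nowhere near 102
    (7, "00:0c:41:aa:bb:01", 102),    # the real laptop-1 continues from 101
    (8, "00:0c:41:aa:bb:01", 102),    # retransmission: same sequence number again
    (9, "00:50:f2:99:99:99", 17),     # not in either registry
]


def seq_gap(prev, current):
    """Forward distance from prev to current on the 12-bit counter.
    0 means a retransmission, 1 the next frame; a large value is a jump."""
    return (current - prev) % SEQ_MODULO


def detect(frames, known_stations, known_aps):
    """Return alerts as (frame_no, src_mac, reason) tuples."""
    known = set(known_stations) | set(known_aps)
    last_seq = {}          # per known MAC: last sequence number accepted as genuine
    alerts = []
    for frame_no, src, seq in frames:
        if src not in known:
            alerts.append((frame_no, src, "unknown MAC address"))
            continue
        prev = last_seq.get(src)
        if prev is None:
            last_seq[src] = seq      # first sighting establishes the baseline
            continue
        if seq_gap(prev, seq) <= MAX_GAP:
            last_seq[src] = seq      # in order: advance the expected counter
        else:
            # Do NOT advance the counter on an anomalous frame: the genuine
            # station's next frame must still be judged against its own history.
            alerts.append((frame_no, src, "sequence jump %d->%d, possible spoof" % (prev, seq)))
    return alerts


if __name__ == "__main__":
    for frame_no, src, reason in detect(SAMPLE_FRAMES, KNOWN_STATIONS, KNOWN_APS):
        print("frame %d from %s: %s" % (frame_no, src, reason))
```

On the constructed capture only frames 6 and 9 are flagged: the AP's wrap from 4095 to 0 is a gap of 1, the retransmission in frame 8 is a gap of 0, and frame 7 passes because the anomalous frame 6 was not allowed to move the baseline. The slide's premise is that the spoofing card's firmware sets sequence numbers on its own; where a driver lets the sender choose the number, this check is evidence to correlate with signal strength and the other per-station features the WIDS collects, not proof on its own.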


Wireless Auditing

Periodically, every wireless network should be audited.

Several audit firms provide this service for a fee.

A security audit begins with a well-established security policy.

A policy for wireless networks should include a description of the geographical volume of coverage.

The goal of an audit is to verify that there are no violations of the policy.


Newer Standards and Protocols


WLAN Security Timeline


Cisco LEAP Overview

Provides centralized, scalable, user-based authentication

Algorithm requires mutual authentication: the network authenticates the client, and the client authenticates the network

Uses 802.1X for 802.11 authentication messaging

APs will support WinXP's EAP-TLS also

Dynamic WEP key support with WEP key session timeouts


LEAP Authentication Process

[Figure: LEAP authentication sequence between Client, AP and RADIUS Server. Labels in the figure: Start; Request Identity; Identity; RADIUS Server Authenticates Client; Client Authenticates RADIUS Server; Derive Key (on both sides); Key Length; Broadcast Key: AP Sends Client Broadcast Key, Encrypted with Session Key; AP Blocks All Requests Until Authentication Completes.]


802.11i

Takes base 802.1X and adds several features

Wireless implementations are divided into two groups: legacy and new

Both groups use 802.1x for credential verification, but the encryption method differs

Legacy networks must use 104-bit WEP, TKIP and MIC

New networks will be the same as legacy, except that they must replace WEP/TKIP with the Advanced Encryption Standard in Offset Codebook mode (AES-OCB)


Wi-Fi Protected Access (WPA)

Security solution based on IEEE standards

Replacement for WEP

Designed to run on existing hardware as a software upgrade, Wi-Fi Protected Access is derived from and will be forward-compatible with the upcoming IEEE 802.11i standard

Two main features are: enhanced encryption using TKIP; user authentication via 802.1x and EAP


Other Vulnerabilities

In February 2002, Arunesh Mishra and William Arbaugh described several design flaws in the combination of the IEEE 802.1X and IEEE 802.11 protocols that permit man-in-the-middle and session hijacking attacks.

LEAP-enabled Cisco wireless networks are vulnerable to dictionary attacks (a la "anwrap")

Attackers can compromise other VPN clients within a "wireless DMZ" and piggyback into the protected network.


Secure LAN (SLAN)

Intent to protect the link between the wireless client and the (assumed) more secure wired network

Similar to a VPN and provides server authentication, client authentication, data privacy, and integrity using per-session and per-user short-life keys

Simpler and more cost efficient than a VPN

Cross-platform support and interoperability, not highly scalable, though

Supports Linux and Windows

Open Source (slan.sourceforge.net)


SLAN Architecture


SLAN Steps

1. Client/Server Version Handshake

2. Diffie-Hellman Key Exchange

3. Server Authentication (public key fingerprint)

4. Client Authentication (optional) with PAM on Linux

5. IP Configuration – IP address pool and adjust routing table


SLAN Client

[Figure: SLAN client data path. Labels in the figure: Client Application (i.e. Web Browser); SLAN Driver; User Space Process; Physical Driver; Plaintext Traffic (between the client application and the SLAN driver / user space process); Encrypted Traffic (through the physical driver); Encrypted Traffic to SLAN Server.]


Intermediate WLAN

11-100 users

Can use MAC addresses, WEP and rotate keys if you want.

Some vendors have limited MAC storage ability

SLAN also an option

Another solution is to tunnel traffic through a VPN


Intermediate WLAN Architecture


VPN

Provides a scalable authentication and encryption solution

Does require end user configuration and a strong knowledge of VPN technology

Users must re-authenticate if roaming between VPN servers


VPN Architecture


VPN Architecture


Enterprise WLAN

100+ users

Reconfiguring WEP keys not feasible

Multiple access points and subnets

Possible solutions include VLANs, VPNs, custom solutions, and 802.1x


VLANs

Combine wireless networks on one VLAN segment, even geographically separated networks.

Use 802.1Q VLAN tagging to create a wireless subnet and a VPN gateway for authentication and encryption


VLAN Architecture


Customized Gateway

Georgia Institute of Technology

Allows students with laptops to log on to the campus network

Uses VLANs, IP Tables, and a Web browser

No end user configuration required

User accesses a web site and enters a userid and password

Gateway runs specialized code authenticating the user with Kerberos and packet filtering with IPTables, adding the user's IP address to the allowed list to provide network access


Gateway Architecture


Temporal Key Integrity Protocol (TKIP)

128-bit shared secret – "temporal key" (TK)

Mixes the transmitter's MAC address with TK to produce a Phase 1 key.

The Phase 1 key is mixed with an initialization vector (IV) to derive per-packet keys.

Each key is used with RC4 to encrypt one and only one data packet.

Defeats the attacks based on "Weaknesses in the key scheduling algorithm of RC4" by Fluhrer, Mantin and Shamir

TKIP is backward compatible with current APs and wireless NICs


Message Integrity Check (MIC)

MIC prevents bit-flip attacks

Implemented on both the access point and all associated client devices, MIC adds a few bytes to each packet to make the packets tamper-proof.
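The TKIP and MIC slides describe a pipeline: TK mixed with the transmitter's address into a Phase 1 key, that key mixed with the IV into a one-use RC4 key, and a keyed MIC appended so that a receiver notices a flipped bit. The block below walks a frame through that pipeline on both the sending and the receiving side. It is an added example, not the talk's code and not the real TKIP algorithm: RC4 is the genuine cipher, but SHA-256 stands in for TKIP's S-box key-mixing function and an HMAC-SHA256 tag truncated to 8 bytes stands in for the Michael MIC, so the key and tag values are not those a real TKIP station would produce. The temporal key, MAC addresses and payload are constructed.

```python
"""TKIP-style per-packet keys plus a keyed MIC, simplified.  Added example:
SHA-256 and HMAC replace TKIP's real mixing function and Michael; RC4 is real.
All keys, addresses and payloads are constructed for illustration."""
import hashlib
import hmac

MIC_LEN = 8   # TKIP's Michael MIC is 64 bits; the stand-in tag is truncated to match


def rc4(key, data):
    """Plain RC4: key-scheduling (KSA) then keystream XOR (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def phase1_key(tk, transmitter_mac):
    """Phase 1: mix the 128-bit TK with the transmitter's MAC address.
    Stand-in for TKIP's S-box mixing; output length matches TKIP's 80-bit P1K."""
    return hashlib.sha256(b"phase1" + tk + transmitter_mac).digest()[:10]


def per_packet_key(tk, transmitter_mac, iv):
    """Phase 2: mix the Phase 1 key with the 48-bit IV (TKIP sequence counter)
    into a 128-bit RC4 key that is used for exactly one packet."""
    p1 = phase1_key(tk, transmitter_mac)
    return hashlib.sha256(b"phase2" + p1 + iv.to_bytes(6, "big")).digest()[:16]


def mic(tk, src, dst, plaintext):
    """Keyed integrity tag over addresses and plaintext (stand-in for Michael)."""
    mic_key = hashlib.sha256(b"mic" + tk).digest()
    return hmac.new(mic_key, src + dst + plaintext, "sha256").digest()[:MIC_LEN]


def protect(tk, src, dst, iv, plaintext):
    """Sender: append the MIC, then RC4-encrypt data+MIC under the per-packet key."""
    return rc4(per_packet_key(tk, src, iv), plaintext + mic(tk, src, dst, plaintext))


def unprotect(tk, src, dst, iv, ciphertext):
    """Receiver: decrypt, then recompute and compare the MIC.
    Returns the plaintext, or None when the MIC does not match."""
    decrypted = rc4(per_packet_key(tk, src, iv), ciphertext)
    body, tag = decrypted[:-MIC_LEN], decrypted[-MIC_LEN:]
    if not hmac.compare_digest(tag, mic(tk, src, dst, body)):
        return None
    return body


def demo():
    """Returns (round_trip_ok, bit_flip_rejected, distinct_key_count)."""
    tk = bytes(range(16))                                   # constructed temporal key
    src = bytes.fromhex("000c41aabb01")                     # constructed station MAC
    dst = bytes.fromhex("004096123456")                     # constructed AP MAC
    msg = b"GET /index.html HTTP/1.0\r\n"
    frame = protect(tk, src, dst, 1, msg)
    round_trip_ok = unprotect(tk, src, dst, 1, frame) == msg
    # A stream cipher maps a flipped ciphertext bit to the same flipped plaintext
    # bit; without a keyed MIC the receiver would accept the altered frame.
    flipped = bytearray(frame)
    flipped[0] ^= 0x01
    bit_flip_rejected = unprotect(tk, src, dst, 1, bytes(flipped)) is None
    # 1000 IVs on each of two transmitters must give 2000 different RC4 keys.
    keys = {per_packet_key(tk, ta, iv) for ta in (src, dst) for iv in range(1000)}
    return round_trip_ok, bit_flip_rejected, len(keys)


if __name__ == "__main__":
    print(demo())   # (True, True, 2000)
```

The two properties the slides claim are the two the demo checks: the same IV yields a different RC4 key on every transmitter and every packet, and a single flipped ciphertext bit, which RC4 would silently pass through to the plaintext, is rejected at the MIC comparison. `hmac.compare_digest` is used for that comparison so the check takes the same time whether the tag matches or not.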


Conclusion

Some predictions are that the market for wireless LANs will be $2.2 billion in 2004, up from $771 million in 2000.

Current 802.11 security state is not ideal for sensitive environments.

Wireless Networks at home …


References

1. John Bellardo and Stefan Savage, "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions", Usenix Security 2003 Proceedings, 2003. http://www.cs.ucsd.edu/users/savage/papers/UsenixSec03.pdf

2. Jon Edney and William A. Arbaugh, Real 802.11 Security: Wi-Fi Protected Access and 802.11i, 480 pages, Addison Wesley, 2003, ISBN: 0-321-13620-9.

3. Jamil Farshchi, "Wireless Intrusion Detection Systems", November 5, 2003. http://www.securityfocus.com/infocus/1742 Retrieved Jan 20, 2004.

4. Rob Flickenger, Wireless Hacks: 100 Industrial-Strength Tips & Tools, 286 pages, O'Reilly & Associates, September 2003, ISBN: 0-596-00559-8.

5. Matthew S. Gast, 802.11 Wireless Networks: The Definitive Guide, 464 pages, O'Reilly & Associates, April 2002, ISBN: 0596001835.

6. Vikram Gupta, Srikanth Krishnamurthy, and Michalis Faloutsos, "Denial of Service Attacks at the MAC Layer in Wireless Ad Hoc Networks", Proceedings of 2002 MILCOM Conference, Anaheim, CA, October 2002.

7. Chris Hurley, Michael Puchol, Russ Rogers, and Frank Thornton, WarDriving: Drive, Detect, Defend, A Guide to Wireless Security, Syngress, 2004, ISBN: 1931836035.

8. IEEE, IEEE 802.11 standards documents. http://standards.ieee.org/wireless/

9. Tom Karygiannis and Les Owens, Wireless Network Security: 802.11, Bluetooth and Handheld Devices, National Institute of Standards and Technology Special Publication 800-48, November 2002. http://cs-www.ncsl.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf

10. Prabhaker Mateti, "TCP/IP Suite", The Internet Encyclopedia, Hossein Bidgoli (Editor), John Wiley, 2003, ISBN: 0471222011.

11. Robert Moskowitz, "Debunking the Myth of SSID Hiding". http://www.icsalabs.com/html/communities/WLAN/wp_ssid_hiding.pdf Retrieved on March 10, 2004.

12. Bruce Potter and Bob Fleck, 802.11 Security, O'Reilly & Associates, 2002, ISBN: 0-596-00290-4.

13. William Stallings, Wireless Communications & Networks, Prentice Hall, 2001, ISBN: 0130408646.

14. http://www.warchalking.org/ "Collaboratively creating a hobo-language for free wireless networking."

15. Joshua Wright, "Detecting Wireless LAN MAC Address Spoofing". http://home.jwu.edu/jwright/ Retrieved on Jan 20, 2004.
