Hacking 802.11 Wireless
Prabhaker Mateti
Wright State University
Talk Outline
Wireless LAN Overview
Wireless Network Sniffing
Wireless Spoofing
Wireless Network Probing
AP Weaknesses
Denial of Service
Man-in-the-Middle Attacks
War Driving
Wireless Security Best Practices
Conclusion
Ack
There is nothing new in this talk. It is an overview of what has been known for a couple of years.
Several figures borrowed from many sources on the www.
Apologies that I lost track of the original sources.
Wireless LAN Overview

OSI Model
(Figure: the seven OSI layers, Application down to Physical, with 802.11b occupying the bottom two: the 802.11 MAC header belongs to the Data Link layer and the 802.11 PLCP header to the Physical layer.)

Network Layers
(Figure only.)
IEEE 802.11
Published in June 1997
2.4 GHz operating frequency
1 to 2 Mbps throughput
Can choose between frequency hopping or direct sequence spread spectrum modulation
IEEE 802.11b
1999
Data rate: 11 Mbps
Reality: 5 to 7 Mbps
2.4 GHz band; 3 non-overlapping channels, shared by cordless phones, microwave ovens, and many Bluetooth products
Only direct sequence modulation is specified
Most widely deployed today
Channels
(Figure only.)
Physical Layer

                              802.11a                    802.11g                          802.11b
Standard approved             September 1999             June 2003                        September 1999
Available bandwidth           300 MHz                    83.5 MHz                         83.5 MHz
Unlicensed frequencies        5.15-5.35 GHz,             2.4-2.4835 GHz                   2.4-2.4835 GHz
of operation                  5.725-5.825 GHz
Number of non-overlapping     4 (indoor),                3 (indoor/outdoor)               3 (indoor/outdoor)
channels                      4 (indoor/outdoor),
                              4 (indoor/outdoor)
Data rate per channel         6, 9, 12, 18, 24, 36,      1, 2, 5.5, 11, 6, 9, 12, 18,     1, 2, 5.5, 11 Mbps
                              48, 54 Mbps                22, 24, 33, 36, 48, 54 Mbps
Modulation                    OFDM                       DSSS, OFDM,                      DSSS, CCK
                                                         PBCC (optional),
                                                         CCK-OFDM (optional)
The Unlicensed Radio Frequency Spectrum
(Figure: the 5.15-5.35 GHz and 5.725-5.825 GHz bands, used by IEEE 802.11a and HiperLAN/2.)

Channel Plan – 802.11/11b/11g
(Figure: 2.4 GHz channels spaced 5 MHz apart; the non-overlapping channels 1, 6 and 11 are centered at 2.412, 2.437 and 2.462 GHz.)

IEEE 802.11a
Data rate: 54 Mbps
Reality: 25 to 27 Mbps
Runs on 12 channels
Not backward compatible with 802.11b
Uses Orthogonal Frequency Division Multiplexing (OFDM)

IEEE 802.11g
An extension to 802.11b
Data rate: 54 Mbps
2.4 GHz band
IEEE 802.1X
General-purpose port based network access control mechanism for 802 technologies
Authentication can be mutual, depending on the EAP method: with a certificate-based method such as EAP-TLS, both the user (not the station) and the network's authentication server, relayed through the AP, authenticate to each other.
supplicant - entity that needs to be authenticated before LAN access is permitted (e.g., station);
authenticator - entity that supports the actual authentication (e.g., the AP);
authentication server - entity that provides the authentication service to the authenticator (usually a RADIUS server).
IEEE 802.1X
Extensible Authentication Protocol (EAP)
Can provide dynamic encryption key exchange, eliminating some of the issues with WEP
Roaming is transparent to the end user
Microsoft includes support in Windows XP
802.1X Architecture
(Figure only.)
IEEE 802.11i
(The security amendment to 802.11; not to be confused with 802.11e, the QoS amendment.)
Currently under development
Working to improve security issues
Extensions to MAC layer, longer keys, and key management systems
Adds 128-bit AES encryption (AES-CCMP)
Stations and Access Points

802.11 Terminology: Station (STA)
Device that contains IEEE 802.11 conformant MAC and PHY interface to the wireless medium, but does not provide access to a distribution system
Most often end-stations available in terminals (work-stations, laptops etc.)
Typically implemented in a PC-Card
Station Architecture
Ethernet-like driver interface supports virtually all protocol stacks
Frame translation according to IEEE Std 802.1H:
  Ethernet Types 8137 (Novell IPX) and 80F3 (AARP) encapsulated via the Bridge Tunnel encapsulation scheme
  IEEE 802.3 frames: translated to 802.11
  All other Ethernet Types: encapsulated via the RFC 1042 (Standard for the Transmission of IP Datagrams over IEEE 802 Networks) encapsulation scheme
Maximum data limited to 1500 octets
Transparent bridging to Ethernet
(Figure: station protocol stack. The platform computer runs the driver software (STADr) and exchanges Ethernet V2.0 / 802.3 format frames with it; the PC-Card hardware holds the WMAC controller with station firmware (WNIC-STA) and the radio hardware, which use the 802.11 frame format.)
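The 802.1H / RFC 1042 translation listed above, as an added example (not code from the talk): Ethernet II and 802.3 frames are turned into the 802.11 frame body (MSDU) the station firmware transmits, and back again on the bridge side. The MAC addresses and payloads are constructed for the example; the SNAP OUIs and EtherTypes are the real ones.

```python
"""Ethernet -> 802.11 MSDU translation per IEEE 802.1H / RFC 1042.

Added example, not code from the talk.  Sample frames below are constructed.
"""
import struct

LLC_SNAP = b"\xaa\xaa\x03"              # DSAP=AA SSAP=AA Control=03 (UI)
OUI_RFC1042 = b"\x00\x00\x00"           # "encapsulated Ethernet" SNAP OUI
OUI_BRIDGE_TUNNEL = b"\x00\x00\xf8"     # 802.1H bridge-tunnel OUI
BRIDGE_TUNNEL_TYPES = {0x8137, 0x80F3}  # Novell IPX, AppleTalk ARP
ETH_MTU = 1500                          # slide: data limited to 1500 octets


def ethernet_to_80211_body(frame: bytes) -> bytes:
    """Return the 802.11 frame body (MSDU) carrying one Ethernet frame.

    A type/length field <= 1500 means a raw IEEE 802.3 frame whose payload
    already starts with an LLC header, so it is carried unchanged.  A larger
    value is an Ethernet II EtherType, which is wrapped in LLC/SNAP: the
    RFC 1042 OUI for most types, the bridge-tunnel OUI for IPX and AARP so
    the receiver can tell them apart from 802.3 frames that used SNAP itself.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype <= ETH_MTU:                 # 802.3 length field
        return payload[:ethertype]
    if len(payload) > ETH_MTU:
        raise ValueError("Ethernet payload exceeds 1500 octets")
    oui = OUI_BRIDGE_TUNNEL if ethertype in BRIDGE_TUNNEL_TYPES else OUI_RFC1042
    return LLC_SNAP + oui + struct.pack("!H", ethertype) + payload


def body_to_ethernet(body: bytes, dst: bytes, src: bytes) -> bytes:
    """Inverse translation performed when the AP bridges back to Ethernet."""
    if body[:3] == LLC_SNAP and len(body) >= 8:
        oui, ethertype = body[3:6], struct.unpack("!H", body[6:8])[0]
        tunnelled = oui == OUI_BRIDGE_TUNNEL
        plain = oui == OUI_RFC1042 and ethertype not in BRIDGE_TUNNEL_TYPES
        if tunnelled or plain:
            return dst + src + struct.pack("!H", ethertype) + body[8:]
    # Everything else (raw LLC, or RFC 1042 SNAP carrying IPX/AARP that an
    # 802.3 sender built itself) goes back as an 802.3 length-field frame.
    return dst + src + struct.pack("!H", len(body)) + body


# Constructed sample frames (addresses and payloads are made up).
DST = bytes.fromhex("0050ba010203")
SRC = bytes.fromhex("00a0c9aabbcc")
ETH_II_IP = DST + SRC + b"\x08\x00" + bytes.fromhex("45000014000040004001") + b"\x00" * 10
ETH_II_IPX = DST + SRC + b"\x81\x37" + b"\xff\xff\x00\x1e\x00\x04"
ETH_8023_LLC = DST + SRC + struct.pack("!H", 3) + b"\xe0\xe0\x03"


def round_trip_ok(frame: bytes) -> bool:
    """Translate to an MSDU and back; the Ethernet frame must be unchanged."""
    body = ethernet_to_80211_body(frame)
    return body_to_ethernet(body, frame[:6], frame[6:12]) == frame


if __name__ == "__main__":
    for name, f in (("IPv4", ETH_II_IP), ("IPX", ETH_II_IPX), ("802.3", ETH_8023_LLC)):
        print(name, ethernet_to_80211_body(f)[:8].hex(), round_trip_ok(f))
```

The bridge-tunnel OUI is what makes the mapping reversible: an IPX frame that arrived as raw 802.3-with-SNAP and one that arrived as Ethernet II type 8137 produce different MSDUs, so the far side can rebuild the right framing.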
Terminology: Access Point (AP)
A transceiver that serves as the center point of a stand-alone wireless network or as the connection point between wireless and wired networks.
Device that contains IEEE 802.11 conformant MAC and PHY interface to the wireless medium, and provides access to a Distribution System for associated stations (i.e., an AP is a STA)
Most often infrastructure products that connect to wired backbones
Implemented in a "box" containing a STA PC-Card.
Access Point (AP) Architecture
Stations select an AP and "associate" with it
APs support roaming, power management, and time synchronization functions (beaconing)
Traffic typically flows through the AP
(Figure: AP protocol stack. Kernel software (APK) and bridge software run on the platform; the bridge hardware connects an Ethernet interface (Ethernet V2.0 / 802.3 frame format) with the PC-Card hardware, whose WMAC controller with access point firmware (WNIC-AP) and radio hardware use the 802.11 frame format, via the driver software (APDr).)
Basic Configuration
(Figure only.)

Infrastructure and Ad Hoc Modes
(Figure only.)

Terminology: Basic Service Set (BSS)
A set of stations controlled by a single "Coordination Function" (= the logical function that determines when a station can transmit or receive)
Similar to a "cell" in pre-IEEE terminology
A BSS may or may not have an AP

Basic Service Set (BSS)
(Figure: a single BSS.)

Terminology: Distribution System (DS)
A system to interconnect a set of BSSs
Integrated: a single AP in a standalone network
Wired: using cable to interconnect the APs
Wireless: using wireless to interconnect the APs

Terminology: Independent Basic Service Set (IBSS)
A BSS forming a self-contained network in which no access to a Distribution System is available
A BSS without an AP
One of the stations in the IBSS can be configured to "initiate" the network and assume the Coordination Function
Diameter of the cell determined by coverage distance between two wireless stations

Independent Basic Service Set (IBSS)
(Figure: a single IBSS.)

Terminology: Extended Service Set (ESS)
A set of one or more BSSs interconnected by a Distribution System (DS)
Traffic always flows via the AP
Diameter of the cell is double the coverage distance between two wireless stations

ESS: single BSS (with integrated DS)
(Figure: one BSS.)

ESS: with wired DS
(Figure: two BSSs joined by a wired Distribution System.)

ESS: with wireless DS
(Figure: two BSSs joined by a wireless Distribution System.)
Terminology: Service Set Identifier (SSID)
"Network name"
Up to 32 octets long
One network (ESS or IBSS) has one SSID
E.g., "WSU Wireless"; defaults: "101" for 3COM and "tsunami" for Cisco
Terminology: Basic Service Set Identifier (BSSID)
"Cell identifier"
One BSS has one BSSID
Exactly 6 octets long
BSSID = MAC address of the AP (in an IBSS, which has no AP, the BSSID is a randomly generated locally administered MAC address)
802.11 Communication
CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) instead of Collision Detection
WLAN adapter cannot send and receive traffic at the same time on the same channel
Hidden Node Problem
Four-Way Handshake

Hidden Node Problem
(Figure only.)

Four-Way Handshake
(Figure: Source sends RTS (Request to Send); Destination answers CTS (Clear to Send); Source sends DATA; Destination answers ACK.)

Infrastructure operation modes
Root Mode
Repeater Mode

Frames

Ethernet Packet Structure
Graphic Source: Network Computing Magazine August 7, 2000
• 14 byte header
• 2 addresses

802.11 Packet Structure
Graphic Source: Network Computing Magazine August 7, 2000
• 30 byte header
• 4 addresses

Ethernet Physical Layer Packet Structure
Graphic Source: Network Computing Magazine August 7, 2000
• 8 byte header (Preamble)

802.11 Physical Layer Packet Structure
Graphic Source: Network Computing Magazine August 7, 2000
• 24 byte header (PLCP, Physical Layer Convergence Protocol)
• Always transferred at 1 Mbps
Frame Formats
MAC Header format differs per Type:
  Control Frames (several fields are omitted)
  Management Frames
  Data Frames

802.11 MAC Header (bytes):
  Frame Control (2) | Duration/ID (2) | Addr 1 (6) | Addr 2 (6) | Addr 3 (6) | Sequence Control (2) | Addr 4 (6) | Frame Body (0-2312) | CRC (4)

Frame Control Field (bits):
  Protocol Version (2) | Type (2) | Subtype (4) | To DS (1) | From DS (1) | More Frag (1) | Retry (1) | Pwr Mgt (1) | More Data (1) | WEP (1) | Rsvd (1)
Address Field Description
Addr. 1 = All stations filter on this address.
Addr. 2 = Transmitter Address (TA), identifies the transmitter to address the ACK frame to.
Addr. 3 = Dependent on the To DS and From DS bits.
Addr. 4 = Only needed to identify the original source of WDS (Wireless Distribution System) frames.

  To DS | From DS | Address 1 | Address 2 | Address 3 | Address 4
    0   |    0    |    DA     |    SA     |   BSSID   |    N/A
    0   |    1    |    DA     |   BSSID   |    SA     |    N/A
    1   |    0    |   BSSID   |    SA     |    DA     |    N/A
    1   |    1    |    RA     |    TA     |    DA     |    SA
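The frame control bits and the address table above, as an added example (not code from the talk): a decoder that reads the Frame Control field (sent little-endian) and labels Addr 1..4 as DA, SA, BSSID, RA or TA according to the To DS / From DS bits. The beacon, station-to-AP data, WDS and ACK frames it is run on are constructed by hand (header only, no body or FCS), with made-up MAC addresses.

```python
"""Decode the 802.11 Frame Control field and resolve Addr 1..4 according to
the To DS / From DS table on the slide.  Added example, not code from the
talk; the frames below are constructed by hand.
"""
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "reserved"}
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 2: "reassociation request", 3: "reassociation response",
                 4: "probe request", 5: "probe response", 8: "beacon",
                 10: "disassociation", 11: "authentication",
                 12: "deauthentication"}
CTS, ACK = 12, 13                      # control subtypes that carry only RA


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame_control(fc: int) -> dict:
    """Bit layout (low bit first; the field is sent little-endian): version 2,
    type 2, subtype 4, To DS, From DS, More Frag, Retry, Pwr Mgt, More Data,
    WEP (Protected), Order."""
    return {
        "version": fc & 0x3,
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        "more_frag": bool(fc & 0x0400),
        "retry": bool(fc & 0x0800),
        "pwr_mgt": bool(fc & 0x1000),
        "more_data": bool(fc & 0x2000),
        "protected": bool(fc & 0x4000),
        "order": bool(fc & 0x8000),
    }


def parse_mac_header(frame: bytes) -> dict:
    """Return the header fields with the role (DA/SA/BSSID/RA/TA) that each
    address slot plays for this frame."""
    fc_raw, duration = struct.unpack("<HH", frame[:4])
    fc = parse_frame_control(fc_raw)
    info = {"fc": fc, "duration": duration, "type": TYPE_NAMES[fc["type"]],
            "subtype": MGMT_SUBTYPES.get(fc["subtype"], fc["subtype"])
                       if fc["type"] == 0 else fc["subtype"]}
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if fc["type"] == 1:                       # control frames: RA, maybe TA
        info["ra"] = mac(a1)
        if fc["subtype"] not in (CTS, ACK):
            info["ta"] = mac(a2)
        return info
    seq_ctl = struct.unpack("<H", frame[22:24])[0]
    info.update(frag=seq_ctl & 0xF, seq=seq_ctl >> 4, header_len=24)
    to_ds, from_ds = fc["to_ds"], fc["from_ds"]
    if not to_ds and not from_ds:             # IBSS, or any management frame
        info.update(da=mac(a1), sa=mac(a2), bssid=mac(a3))
    elif from_ds and not to_ds:               # AP -> station
        info.update(da=mac(a1), bssid=mac(a2), sa=mac(a3))
    elif to_ds and not from_ds:               # station -> AP
        info.update(bssid=mac(a1), sa=mac(a2), da=mac(a3))
    else:                                     # WDS: AP -> AP, four addresses
        info.update(ra=mac(a1), ta=mac(a2), da=mac(a3),
                    sa=mac(frame[24:30]), header_len=30)
    return info


# Constructed frames (header only: no body, no FCS).  Addr 4 follows the
# Sequence Control field, as in the MAC header layout on the slide.
AP, AP2 = bytes.fromhex("000c41123456"), bytes.fromhex("000c41654321")
STA, GW = bytes.fromhex("00a0c9aabbcc"), bytes.fromhex("0050ba010203")
BEACON = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + AP + AP + b"\x10\x00"
DATA_TO_DS = b"\x08\x41" + b"\x2c\x00" + AP + STA + GW + b"\x20\x03"   # WEP bit set
WDS_DATA = b"\x08\x03" + b"\x00\x00" + AP2 + AP + GW + b"\x00\x00" + STA
ACK_FRAME = b"\xd4\x00" + b"\x00\x00" + STA

if __name__ == "__main__":
    for f in (BEACON, DATA_TO_DS, WDS_DATA, ACK_FRAME):
        h = parse_mac_header(f)
        print({k: v for k, v in h.items() if k != "fc"})
```

Control frames are handled separately because, as the Frame Formats slide says, several fields are omitted: a CTS or ACK carries only the receiver address, so nothing beyond Addr 1 may be read from it.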
Type field descriptions
Type and subtype identify the function of the frame:
  Type=00 Management Frame: Beacon, (Re)Association, Probe, (De)Authentication, Power Management
  Type=01 Control Frame: RTS/CTS, ACK
  Type=10 Data Frame
Management Frames
Beacon: Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, parameters, Traffic Indication Map
Probe Request: SSID, Capabilities, Supported Rates
Probe Response: Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, parameters (same as Beacon except for the TIM)
Management Frames (cont'd)
Association Request: Capability, Listen Interval, SSID, Supported Rates
Association Response: Capability, Status Code, Association ID, Supported Rates
Re-association Request: Capability, Listen Interval, SSID, Supported Rates, Current AP Address
Re-association Response: Capability, Status Code, Association ID, Supported Rates
Management Frames (cont'd)
Dis-association: Reason code
Authentication: Algorithm, Sequence, Status, Challenge Text
De-authentication: Reason

Synchronization
Necessary for keeping frequency hopping synchronized, and other functions like Power Saving.
AP periodically transmits a special type of frame called Beacon Frames
MS (mobile station) uses info in Beacon frames to synchronize to the AP.

Control Frame Format
(Figure only.)

Authentication

Authentication
To control access to the infrastructure via an authentication
The station first needs to be authenticated by the AP in order to join the AP's network.
Stations identify themselves to other stations (or APs) prior to data traffic or association
802.11 defines two authentication subtypes: Open system and shared key

Open system authentication
A sends an authentication request to B.
B sends the result back to A
Shared Key Authentication
Uses WEP keys: the AP sends a 128-octet challenge in the clear, the station returns it WEP-encrypted, and the AP decrypts and compares.
Known weakness: an eavesdropper who sees the cleartext challenge and the encrypted reply learns the RC4 keystream for that IV and can pass a later challenge-response without knowing the key.
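The shared key exchange and its keystream leak, as an added example (not code from the talk). The RC4 and WEP routines are the real algorithms; the 104-bit key, the IV and the two 128-octet challenges are constructed. The eavesdropper never sees the key: it XORs the cleartext challenge (frame 2) with the encrypted reply (frame 3) and reuses the result, with the same IV, to answer a fresh challenge of its own.

```python
"""Shared Key Authentication with WEP, and why it leaks keystream.

Added example, not code from the talk.  The key, IV and challenges are
constructed; the RC4/WEP primitives are the real algorithms.
"""
import struct
import zlib

SHARED_KEY_ALG = 1
CHALLENGE_ELEMENT_ID = 16


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA), exactly as WEP uses it."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """IV(3) | KeyID byte | RC4(IV||key, plaintext || ICV)."""
    return iv + bytes([key_id << 6]) + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext, or None if the ICV does not check."""
    iv, body = frame[:3], frame[4:]
    plain = rc4(iv + key, body)
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


def auth_body(seq: int, challenge: bytes) -> bytes:
    """Authentication frame body: algorithm, sequence, status, challenge element."""
    return (struct.pack("<HHH", SHARED_KEY_ALG, seq, 0)
            + bytes([CHALLENGE_ELEMENT_ID, len(challenge)]) + challenge)


# --- the legitimate exchange ------------------------------------------
def station_response(key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Frame 3: the station returns the challenge WEP-encrypted."""
    return wep_encrypt(key, iv, auth_body(3, challenge))


def ap_accepts(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Frame 4 decision: decrypt and compare with the challenge sent in frame 2."""
    return wep_decrypt(key, response) == auth_body(3, challenge)


# --- what an eavesdropper gets ------------------------------------------
def recover_keystream(challenge: bytes, response: bytes):
    """Frame 2 is in the clear and frame 3 is its encryption with a known
    layout, so plaintext XOR ciphertext is the RC4 keystream for that IV."""
    plain = auth_body(3, challenge)
    plain += icv(plain)
    stream = bytes(p ^ c for p, c in zip(plain, response[4:]))
    return stream, response[:4]          # keystream and the IV/KeyID header


def forge_response(keystream: bytes, iv_header: bytes, new_challenge: bytes) -> bytes:
    """Answer a fresh challenge with the recovered keystream and the same IV;
    no knowledge of the WEP key is needed."""
    plain = auth_body(3, new_challenge)
    plain += icv(plain)
    if len(plain) > len(keystream):
        raise ValueError("not enough keystream")
    return iv_header + bytes(p ^ k for p, k in zip(plain, keystream))


# Constructed inputs: 104-bit key, one IV, two 128-octet challenges.
KEY = bytes.fromhex("0123456789abcdef0123456789")
IV = b"\x17\x2a\x03"
CHALLENGE_1 = bytes((i * 37 + 11) & 0xFF for i in range(128))
CHALLENGE_2 = bytes((i * 91 + 5) & 0xFF for i in range(128))


def demo() -> bool:
    """True when the forged response authenticates without the key."""
    observed = station_response(KEY, IV, CHALLENGE_1)
    ks, hdr = recover_keystream(CHALLENGE_1, observed)
    return ap_accepts(KEY, CHALLENGE_2, forge_response(ks, hdr, CHALLENGE_2))
```

The recovered keystream is 140 octets (6 fixed octets, 2 element header octets, 128 challenge octets, 4 ICV octets), which is exactly the length of any later shared-key response, so one observed handshake is enough. WEP does nothing to stop an IV from being reused.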
Access Point Discovery
Beacons sent out about 10 times a second (beacon interval 100 TU, about 102.4 ms) – advertise capabilities
Station queries access points – requests features
Access points respond – with supported features
Authentication just a formality – may involve more frames
Features used by war driving software
Exchange (station to AP, AP to station):
  Probe request / Probe response
  Authentication request / Authentication response
  Association request / Association response
Association

Association
Next step after authentication
Association enables data transfer between MS and AP.
The MS sends an association request frame to the AP, which replies to the client with an association response frame either allowing or disallowing the association.
Association
To establish a relationship with an AP
Stations scan the frequency band and select the AP with the best communications quality
  Active scan (sending a "Probe request" on specific channels and assessing the response)
  Passive scan (assessing communications quality from beacon messages)
AP maintains a list of associated stations in MAC firmware
  Records station capability (data rate)
  To allow inter-BSS relay
Station's MAC address is also maintained in the bridge learn table, associated with the port it is located on
Association + Authentication
(Figure: station state machine)
State 1: Unauthenticated, Unassociated
  -> State 2 on successful authentication
State 2: Authenticated, Unassociated
  -> State 3 on successful association or reassociation
  -> State 1 on deauthentication
State 3: Authenticated, Associated
  -> State 2 on disassociation
  -> State 1 on deauthentication
Starting an ESS
The infrastructure network is identified by its ESSID
All Access Points will have been set according to this ESSID
Wireless stations will be configured to set their desired SSID to the value of the ESSID
On power up, stations will issue Probe Requests and will locate the AP that they will associate with:
  "best" Access Point with matching ESSID
  "best" Access Point if the SSID has been set to "ANY"

Starting an IBSS
A station configured for IBSS operation will:
  "look" for Beacons that contain a network name (SSID) that matches the one that is configured
  When Beacons with matching Network Name are received and are issued by an AP, the station will associate to the AP
  When Beacons with matching Network Name are received and are issued by another Station in IBSS mode, the station will join this IBSS
  When no beacons are received with matching Network Name, the station will issue beacons itself.
All stations in an IBSS network will participate in sending beacons.
  All stations start a random timer prior to the point in time when the next Beacon is to be sent.
  The first station whose random timer expires will send the next beacon
Inter-Frame Spacing
(Figure: after a busy medium, access is deferred for DIFS (PIFS and SIFS are shorter); a contention window of slot times follows, in which each station selects a slot and decrements its backoff as long as the medium is idle, then sends the next frame. Free access applies when the medium has been free for longer than DIFS.)
Inter frame spacing required for MAC protocol traffic
  SIFS = Short interframe space
  PIFS = PCF interframe space
  DIFS = DCF interframe space
Back-off timer expressed in terms of number of time slots
Data Frames and their ACK
(Figure: Src sends Data after DIFS; Dest returns Ack after SIFS; other stations defer access and then back off in the contention window after DIFS before the next MPDU.)
Acknowledgments are to arrive within the SIFS
The DCF interframe space is observed before the medium is considered free for use
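The interframe spaces and the backoff window drawn on the two figures above, quantified as an added example (not from the talk). PIFS and DIFS are derived from SIFS and the slot time, the contention window doubles after each collision, and a small simulation runs several stations through DCF contention. The slot and SIFS values are the 802.11b (DSSS) and 802.11a (OFDM) PHY constants from the standard; they are not given on the slides.

```python
"""Inter-frame spaces and DCF backoff, quantified.  Added example, not from
the talk.  The slot and SIFS values are the 802.11b (DSSS) and 802.11a
(OFDM) PHY constants from the standard; they do not appear on the slides.
"""
import random

PHY = {
    "802.11b": {"slot_us": 20, "sifs_us": 10, "cw_min": 31, "cw_max": 1023},
    "802.11a": {"slot_us": 9, "sifs_us": 16, "cw_min": 15, "cw_max": 1023},
}


def ifs(phy: str) -> dict:
    """SIFS < PIFS < DIFS: each space is SIFS plus a number of slot times,
    which is what gives ACKs (SIFS) priority over the PCF (PIFS) and over
    new DCF transmissions (DIFS)."""
    p = PHY[phy]
    return {"SIFS": p["sifs_us"],
            "PIFS": p["sifs_us"] + p["slot_us"],
            "DIFS": p["sifs_us"] + 2 * p["slot_us"]}


def contention_window(phy: str, retries: int) -> int:
    """CW starts at CWmin and doubles (2^k - 1 form) after each failed
    attempt, capped at CWmax."""
    p = PHY[phy]
    cw = p["cw_min"]
    for _ in range(retries):
        cw = min(2 * cw + 1, p["cw_max"])
    return cw


def backoff_us(phy: str, retries: int, rng=None) -> int:
    """Random backoff drawn in slots from [0, CW], expressed in microseconds."""
    rng = rng or random
    return rng.randint(0, contention_window(phy, retries)) * PHY[phy]["slot_us"]


def contend(phy: str, retries: dict, rng) -> list:
    """One DCF contention round.  Every station draws its own backoff after
    DIFS; the smallest draw transmits.  Equal smallest draws collide, and
    those stations double their CW for the next round."""
    draws = {sta: rng.randint(0, contention_window(phy, r)) for sta, r in retries.items()}
    low = min(draws.values())
    return sorted(sta for sta, d in draws.items() if d == low)


def simulate(phy: str, stations: int, seed: int = 1) -> dict:
    """Run rounds until every station has sent one frame; count collisions."""
    rng = random.Random(seed)
    retries = {f"STA-{i}": 0 for i in range(1, stations + 1)}
    rounds = collisions = 0
    while retries:
        rounds += 1
        winners = contend(phy, retries, rng)
        if len(winners) == 1:
            del retries[winners[0]]          # success: frame sent
        else:
            collisions += 1                  # collision: losers retry
            for sta in winners:
                retries[sta] += 1
    return {"rounds": rounds, "collisions": collisions}


if __name__ == "__main__":
    for phy in PHY:
        print(phy, ifs(phy), [contention_window(phy, k) for k in range(7)])
    print(simulate("802.11b", 5))
```

Every successful round sends exactly one frame, so the number of rounds always equals the number of stations plus the number of collisions; the simulation exposes how the collision count depends on CWmin (802.11a starts at 15, 802.11b at 31).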
Traffic flow - Inter-BSS
(Figure: STA-1 and STA-2 both associated with the same AP (AP-1000 or AP-500 with an Avaya Wireless PC-Card) in BSS-A. The AP keeps an association table and a bridge learn table; a packet for STA-2 from STA-1 is acknowledged by the AP, relayed within the BSS (Inter-BSS Relay), and acknowledged by STA-2.)

Traffic flow - ESS operation
(Figure: STA-1 in BSS-A and STA-2 in BSS-B, each served by an AP-1000 or AP-500 with an Avaya Wireless PC-Card. The packet for STA-2 is acknowledged by the first AP, carried across the backbone to the second AP, and delivered to STA-2, which acknowledges it. Each AP keeps its own association table and bridge learn table.)

Traffic flow - WDS operation
(Figure: as in the ESS case, but the two APs are linked by a wireless backbone; the packet for STA-2 is relayed AP to AP over WDS (WDS Relay), with an ACK on each hop.)
Wireless Network Sniffing

Network Sniffing
Sniffing is a reconnaissance technique
Sniffing is eavesdropping on the network.
A sniffer is a program that intercepts and decodes network traffic broadcast through a medium.
Sniffing is the act by a machine S of making copies of a network packet sent by machine A intended to be received by machine B.
Sniffing is not a TCP/IP problem; it is enabled by the media, Ethernet and 802.11, at the physical and data link layers.

Wireless Network Sniffing
An attacker can passively scan without transmitting at all.
A passive scanner instructs the wireless card to listen to each channel for a few messages.
RF monitor mode of a wireless card allows every frame appearing on a channel to be copied as the radio of the station tunes to various channels. Analogous to a wired Ethernet card in promiscuous mode.
A station in monitor mode can capture packets without associating with an AP or ad-hoc network.
Many wireless cards permit RFmon mode.

Passive Scanning
A corporate network can be accessed from outside a building using readily available technology by an eavesdropper

Passive Scanning
Wireless LAN sniffers can be used to gather information about the wireless network from a distance with a directional antenna.
These applications are capable of gathering the passwords from HTTP sites and telnet sessions sent in plain text.
These attacks do not leave any trace of the hacker's presence on the network
Passive Scanning
Scanning is a reconnaissance technique
Detection of SSID
Collecting the MAC addresses
Collecting the frames for cracking WEP
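Detecting the SSID and collecting MAC addresses from management frames, as the Management Frames slides list them and as Kismet's display does: an added example, not code from the talk. It decodes constructed beacon, hidden-SSID beacon and probe request frames (MAC header, fixed fields and information elements, no FCS) and reports SSID, channel, rates and the Privacy capability bit behind Kismet's "WEP? yes or no" column. The addresses and SSID used are made up.

```python
"""Decode beacon / probe frames the way a passive scanner does: SSID,
channel, rates, and the Privacy (WEP) capability bit.  Added example, not
code from the talk; the frames are constructed by hand (header, fixed
fields, information elements, no FCS).
"""
import struct

MGMT_HDR_LEN = 24
BEACON, PROBE_REQUEST, PROBE_RESPONSE = 8, 4, 5
EID_SSID, EID_RATES, EID_DS_PARAMS, EID_TIM, EID_EXT_RATES = 0, 1, 3, 5, 50
CAP_ESS, CAP_IBSS, CAP_PRIVACY = 0x0001, 0x0002, 0x0010


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_elements(buf: bytes) -> list:
    """Walk the (id, length, value) elements; stop at a truncated one."""
    elems, i = [], 0
    while i + 2 <= len(buf):
        eid, ln = buf[i], buf[i + 1]
        if i + 2 + ln > len(buf):
            break
        elems.append((eid, buf[i + 2:i + 2 + ln]))
        i += 2 + ln
    return elems


def summarize(frame: bytes) -> dict:
    """One row of scanner output for a beacon, probe request or probe response."""
    if len(frame) < MGMT_HDR_LEN or (frame[0] & 0x0C) != 0:
        raise ValueError("not a management frame")
    subtype = frame[0] >> 4
    out = {"subtype": subtype, "sa": mac(frame[10:16]), "bssid": mac(frame[16:22])}
    body = frame[MGMT_HDR_LEN:]
    if subtype in (BEACON, PROBE_RESPONSE):
        timestamp, interval, cap = struct.unpack("<QHH", body[:12])
        out.update(beacon_interval_ms=interval * 1024 / 1000,   # 1 TU = 1024 us
                   privacy=bool(cap & CAP_PRIVACY),             # the "WEP?" column
                   mode="infrastructure" if cap & CAP_ESS else "ad hoc")
        body = body[12:]
    elif subtype != PROBE_REQUEST:
        raise ValueError("unsupported management subtype")
    elems = parse_elements(body)
    ssid = next((v for eid, v in elems if eid == EID_SSID), b"")
    out["ssid"] = ssid.decode("utf-8", "replace")
    # empty SSID: cloaked network in a beacon, wildcard in a probe request
    out["ssid_empty"] = ssid.strip(b"\x00") == b""
    out["channel"] = next((v[0] for eid, v in elems if eid == EID_DS_PARAMS and v), None)
    out["rates_mbps"] = [(r & 0x7F) / 2 for eid, v in elems
                         if eid in (EID_RATES, EID_EXT_RATES) for r in v]
    out["tim_present"] = any(eid == EID_TIM for eid, _ in elems)
    return out


# Constructed sample frames.
AP = bytes.fromhex("000c41123456")
STA = bytes.fromhex("00a0c9aabbcc")
BCAST = b"\xff" * 6
RATES_B = b"\x01\x04\x82\x84\x8b\x96"                  # 1, 2, 5.5, 11 (basic)
BEACON_FRAME = (b"\x80\x00\x00\x00" + BCAST + AP + AP + b"\x10\x00"
                + struct.pack("<QHH", 0x12345678, 100, CAP_ESS | CAP_PRIVACY)
                + b"\x00\x07tsunami" + RATES_B + b"\x03\x01\x06"
                + b"\x05\x04\x00\x01\x00\x00")
HIDDEN_BEACON = (b"\x80\x00\x00\x00" + BCAST + AP + AP + b"\x20\x00"
                 + struct.pack("<QHH", 0x12346000, 100, CAP_ESS)
                 + b"\x00\x00" + RATES_B + b"\x03\x01\x0b")
PROBE_REQ = (b"\x40\x00\x00\x00" + BCAST + STA + BCAST + b"\x00\x00"
             + b"\x00\x07tsunami" + RATES_B)

if __name__ == "__main__":
    for f in (BEACON_FRAME, HIDDEN_BEACON, PROBE_REQ):
        print(summarize(f))
```

A probe request naming a specific SSID, like the one here, is what gives away which network a client is looking for even when no AP is in range; the hidden beacon shows that a cloaked SSID still announces its BSSID and channel.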
A Basic Attack
Behind the scenes of a completely passive wireless pre-attack session

Installing Kismet
Setting up Kismet is fairly straightforward.
Google on "Kismet"
http://www.kismetwireless.net/

Starting Kismet
(Screenshot.) The steps shown:
  The mysqld service is started.
  The gpsd service is started on serial port 1.
  The wireless card is placed into monitor mode.
  kismet is launched.
Detection
(Screenshot.) Kismet picks up some wireless jabber! In order to take a closer look at the traffic, disengage "autofit" mode by pressing "s" (sort) and then "s" again to sort by SSID.
Columns shown: WEP? yes or no; 4 TCP packets; IP's detected; type; strength
Network Details
(Screenshot.) Network details for the 0.0.0.0 address are viewed by pressing the "i" key.

Network Details
(Screenshot.) Network details for the 169.254.187.86 address are viewed by pressing the "i" key. (A 169.254.x.x address is a link-local autoconfiguration address: the client obtained no DHCP lease.)

More network details
(Screenshot.) More network details for the 169.254.187.86 address are viewed by pressing the "i" key, then scrolling down to view more information.
traffic dump
(Screenshot.) A dump of "printable" traffic can be had by pressing the "d" key.
\MAILSLOTS? Could this be a postal office computer?
(that is a joke. feel free to laugh at this point. thank you.)

packet list
(Screenshot.) A list of packet types can be viewed by selecting a wireless point and pressing "p"

gpsmap
(Screenshot.) A gpsmap is printed of the area using
# gpsmap -S2 -s10 -r gpsfile
ethereal - beacon
(Screenshot.) The *.dump files Kismet generates can be opened with tcpdump or ethereal as shown here. This is an 802.11 beacon frame.

ethereal – probe request
(Screenshot.) ...an 802.11 Probe Request from the same machine

ethereal - registration
(Screenshot.) oooh... a NETBIOS registration packet for "MSHOME"...

ethereal - registration
(Screenshot.) ...another registration packet, this time from "LAP10"...

ethereal – DHCP request
(Screenshot.) ...a DHCP request... it would be interesting to spoof a response to this...

ethereal – browser request
(Screenshot.) ...a NETBIOS browser request...
9393
ethereal – browser announceethereal – browser announce
...an SMB host ...an SMB host announcement... announcement... revealing an OS revealing an OS major version of 5 major version of 5 and an OS minor and an OS minor version of 1...version of 1...We have a We have a Windows XP client Windows XP client laptop searching laptop searching for an access for an access point.point.
This particular target ends up being nothing more than a This particular target ends up being nothing more than a lone client crying out for a wireless server to connect to. lone client crying out for a wireless server to connect to. Spoofing management frames to this client would most Spoofing management frames to this client would most likely prove to be pointless...likely prove to be pointless...
94
Passive Scanning
This simple example demonstrates the ability to monitor even client machines which are not actively connected to a wireless access point.
In a more “chatty” environment, so much more is possible.
All of this information was captured passively. Kismet did not send a single packet on the airwaves.
This type of monitoring cannot be detected, but preventive measures can be taken.
95
Detection of SSID
SSID occurs in the following frame types: beacon, probe requests, probe responses, association requests, and reassociation requests.
Management frames are always in the clear, even when WEP is enabled.
Merely collect a few frames and note the SSID.
What if beacons are turned off? Or SSID is hidden?
96
When the Beacon displays a null SSID …
Patiently wait.
Recall that management frames are in the clear.
Wait for an associate request; Associate request and response both contain the SSID
Wait for a probe request; Probe responses contain SSID
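The passive technique on the last two slides, as an added example that is not from the talk: a small Python parser that pulls the SSID element out of the five management frame types listed above, notes when a beacon carries a hidden (null) SSID, and fills the name in later from a probe response. The frame bytes, MAC addresses and the SSID “labnet” are constructed; frames are assumed captured in monitor mode without the trailing 4-byte FCS.

```python
"""SSID extraction from 802.11 management frames (added example, not from the talk)."""
import struct

MGMT = 0                                   # frame type 0 = management
# Management subtypes that carry an SSID element, as listed on the slide.
SUBTYPES = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}
# Bytes of fixed fields before the information elements in each body type.
FIXED_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}
HDR_LEN = 24                               # FC, Duration, Addr1-3, Sequence Control

def mac(b):
    return ":".join("%02x" % x for x in b)

def parse_mgmt(frame):
    """Return subtype, addresses, sequence number and SSID, or None for other frames.

    ssid is None when no SSID element is present and "" when the element is
    empty or all NUL bytes, which is how a "hidden SSID" beacon looks on the air.
    """
    if len(frame) < HDR_LEN:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != MGMT or (fc0 >> 4) not in SUBTYPES:
        return None
    subtype = fc0 >> 4
    seq_ctl, = struct.unpack("<H", frame[22:24])
    body = frame[HDR_LEN + FIXED_LEN[subtype]:]
    ssid = None
    i = 0
    while i + 2 <= len(body):              # walk the tagged information elements
        tag, ln = body[i], body[i + 1]
        val = body[i + 2:i + 2 + ln]
        if len(val) < ln:
            break                          # truncated element, stop parsing
        if tag == 0:                       # element ID 0 = SSID
            ssid = "" if val.strip(b"\x00") == b"" else val.decode("utf-8", "replace")
            break
        i += 2 + ln
    return {"subtype": SUBTYPES[subtype], "da": mac(frame[4:10]), "sa": mac(frame[10:16]),
            "bssid": mac(frame[16:22]), "seq": seq_ctl >> 4, "ssid": ssid}

def build_mgmt(subtype, da, sa, bssid, seq, elements):
    """Constructed test frame: header, zeroed fixed fields, then (tag, value) elements."""
    fc0 = (subtype << 4) | (MGMT << 2)
    hdr = bytes([fc0, 0]) + b"\x00\x00" + da + sa + bssid + struct.pack("<H", seq << 4)
    body = b"".join(bytes([tag, len(val)]) + val for tag, val in elements)
    return hdr + b"\x00" * FIXED_LEN[subtype] + body

AP = bytes.fromhex("001122334455")         # constructed AP MAC
STA = bytes.fromhex("66778899aabb")        # constructed station MAC
BCAST = b"\xff" * 6
RATES = (1, b"\x82\x84\x8b\x96")           # supported-rates element: 1, 2, 5.5, 11 Mbps

# Constructed capture: hidden-SSID beacon, the client's probe request, the AP's probe response.
SAMPLE = [
    build_mgmt(8, BCAST, AP, AP, 100, [(0, b""), RATES]),
    build_mgmt(4, BCAST, STA, BCAST, 7, [(0, b"labnet"), RATES]),
    build_mgmt(5, STA, AP, AP, 101, [(0, b"labnet"), RATES]),
]

def reveal_ssids(frames):
    """Map BSSID -> SSID. A hidden beacon creates an empty entry; a later probe
    response or (re)association request for that BSSID supplies the name."""
    known = {}
    for f in frames:
        p = parse_mgmt(f)
        if p is None or p["ssid"] is None or p["subtype"] == "probe-req":
            continue                       # a probe request names no BSSID
        if p["ssid"] or p["bssid"] not in known:
            known[p["bssid"]] = p["ssid"]
    return known

if __name__ == "__main__":
    for f in SAMPLE:
        print(parse_mgmt(f))
    print(reveal_ssids(SAMPLE))            # {'00:11:22:33:44:55': 'labnet'}
```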
97
Beacon transmission is disabled ...
Wait for a voluntary associate request to appear. Or
Actively probe by injecting spoofed frames, and then sniff the response
98
Collecting the MAC Addresses
Attacker gathers legitimate MAC addresses for use later in spoofed frames.
The source and destination MAC addresses are always in the clear in all the frames.
The attacker sniffs these legitimate addresses
99
Collecting frames for cracking WEP
Systematic procedures in cracking the WEP.
Need to collect a large number (millions) of frames.
Collection may take hours to days.
Cracking takes a few seconds to a couple of hours.
Cracking WEP
101
Wired Equivalent Privacy (WEP)
Designed to be computationally efficient, self-synchronizing, and exportable
All users of a given AP share the same encryption key
Data headers remain unencrypted so anyone can see the source and destination of the data stream
102
Initialization Vector (IV)
Over a period, the same plaintext packet should not generate the same ciphertext packet
IV is random, and changes per packet
Generated by the device on the fly
24 bits long
64 bit encryption: IV + 40 bits WEP key
128 bit encryption: IV + 104 bits WEP key
103
WEP Encryption
WEP encryption key: a shared 40- or 104-bit long number
WEP keys are used for authentication and encryption of data
A 32-bit integrity check value (ICV) is calculated that provides data integrity for the MAC frame.
The ICV is appended to the end of the frame data.
A 24-bit initialization vector (IV) is appended to the WEP key.
The combination of [IV+WEP encryption key] is used as the input of a pseudo-random number generator (PRNG) to generate a bit sequence that is the same size as the combination of [data+ICV].
The PRNG bit sequence is bit-wise XORed with [data+ICV] to produce the encrypted portion of the payload that is sent between the wireless AP and the wireless client.
The IV is added to the front of the encrypted [data+ICV], which becomes the payload for the wireless MAC frame.
The result is IV+encrypted [data+ICV].
104
Decryption
The IV is obtained from the front of the MAC payload.
The WEP encryption key is concatenated with the IV.
The concatenated WEP encryption key and IV is used as the input of the same PRNG to generate a bit sequence of the same size as the combination of the data and the ICV, which is the same bit sequence as that of the sending wireless node.
The PRNG bit sequence is XORed with the encrypted [data+ICV] to decrypt the [data+ICV] portion of the payload.
The ICV for the data portion of the payload is calculated and compared with the value included in the incoming frame. If the values match, the data is accepted as having come from the wireless client unmodified in transit.
The WEP key remains constant over a long duration but the IV can be changed frequently depending on the degree of security needed.
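The encryption and decryption steps above carried out in Python, as an added example (not code from the talk): RC4 written out inline, the ICV computed with CRC-32, and a check that shows why the 24-bit IV from the previous slide is a problem once it repeats. The key, IV and payloads are constructed values.

```python
"""WEP frame encryption/decryption as on the slides (added example, not from the talk).
RC4 is written out here; key, IVs and payloads are constructed values."""
import struct
import zlib

def rc4_keystream(key, n):
    """RC4: key-scheduling algorithm (KSA), then n bytes from the generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                    # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xff
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                      # PRGA: emit keystream bytes
        i = (i + 1) & 0xff
        j = (j + S[i]) & 0xff
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xff])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data):
    """32-bit integrity check value: CRC-32 of the data, little-endian as in WEP."""
    return struct.pack("<I", zlib.crc32(data) & 0xffffffff)

def wep_encrypt(key, iv, data, key_id=0):
    """Step by step: ICV appended, IV||key seeds RC4, keystream XORed over data+ICV,
    IV (plus the pad/Key ID octet) sent in the clear in front of the encrypted part."""
    assert len(iv) == 3 and len(key) in (5, 13)   # 24-bit IV; 40- or 104-bit key
    plain = data + icv(data)
    keystream = rc4_keystream(iv + key, len(plain))
    return iv + bytes([(key_id & 3) << 6]) + xor(plain, keystream)

def wep_decrypt(key, payload):
    """Read the IV from the front, regenerate the same keystream, XOR, recompute the ICV.
    Returns (data, icv_ok)."""
    iv, body = payload[:3], payload[4:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    data, received_icv = plain[:-4], plain[-4:]
    return data, received_icv == icv(data)

def keystream_reuse_leak(key, iv, m1, m2):
    """The 24-bit IV repeats after at most 2^24 frames (much sooner with random IVs).
    Two frames under one IV share the keystream, so XORing their ciphertexts cancels
    it and leaves the XOR of the two plaintexts; this check confirms that property."""
    c1 = wep_encrypt(key, iv, m1)[4:]
    c2 = wep_encrypt(key, iv, m2)[4:]
    n = min(len(m1), len(m2))
    return xor(c1[:n], c2[:n]) == xor(m1[:n], m2[:n])

KEY = bytes.fromhex("0102030405")           # constructed 40-bit key
IV_A = bytes.fromhex("0a0b0c")              # constructed IV
MSG1 = b"GET /index.html HTTP/1.0\r\n"      # constructed plaintext frames
MSG2 = b"GET /secret.txt HTTP/1.0\r\n"

if __name__ == "__main__":
    frame = wep_encrypt(KEY, IV_A, MSG1)
    print("IV in clear:", frame[:3].hex(), "payload:", frame.hex())
    print("decrypt:", wep_decrypt(KEY, frame))
    tampered = frame[:10] + bytes([frame[10] ^ 0x01]) + frame[11:]
    print("tampered ICV ok?", wep_decrypt(KEY, tampered)[1])
    print("same IV leaks XOR of plaintexts:", keystream_reuse_leak(KEY, IV_A, MSG1, MSG2))
```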
105
WEP Protocol
106
WEP: Wired Equivalent Privacy
107
What is an IV?
IV is short for Initialization Vector
24 bits long
64 bit encryption: 24 bits IV + 40 bits WEP key
128 bit encryption: 24 bits IV + 104 bits WEP key
Frame body layout (figure): IV field (4 octets) | MSDU (0-2304 octets) | ICV (4 octets)
IV field bits: Initialization Vector (24) | Pad (6) | Key ID (2)
Encrypted: MSDU and ICV
108
What is a “Weak” IV?
In the RC4 algorithm the Key Scheduling Algorithm (KSA) creates an IV based on the base key
A flaw in the WEP implementation of RC4 allows “weak” IVs to be generated
Those IVs “give away” info about the key bytes they were derived from
An attacker will collect enough weak IVs to reveal bytes of the base key
109
WEP problem discovery timeline
In October 2000, Jesse Walker was one of the first people to identify several of the problems within WEP.
In February 2001 three researchers (Fluhrer, Mantin, and Shamir) found a flaw in the RC4 key setup algorithm which results in total recovery of the secret key.
In June 2001 Tim Newsham found a problem in the algorithm that some vendors used to automatically generate WEP keys. He also built code to perform dictionary attacks against WEP-intercepted traffic.
110
WEP Attacks (cont.)
Four types of attacks
Passive attacks to decrypt traffic based on statistical analysis.
Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext.
Active attacks to decrypt traffic, based on tricking the access point.
Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic.
Time required to gather enough wireless traffic depends heavily on the network saturation of the target access point
111
Drawbacks of WEP Protocol
The determination and distribution of WEP keys are not defined
There is no defined mechanism to change the WEP key either per authentication or periodically for an authenticated connection
No mechanism for central authentication, authorization, and accounting
No per-frame authentication mechanism to identify the frame source.
No per-user identification and authentication
112
Fluhrer Paper/AirSnort Utility
Key recovery possible due to statistical analysis of plaintext and “weak” IV
Leverages “weak” IVs—large class of weak IVs that can be generated by RC4
Passive attack, but can be more effective if coupled with active attack
Two major implementations
AirSnort
AT&T/Rice University tests (not released)
113
UC Berkeley Study
Bit flipping
Bits are flipped in WEP encrypted frames, and ICV CRC32 is recalculated
Replay
Bit flipped frames with known IVs resent
AP accepts frame since CRC32 is correct
Layer 3 device will reject, and send predictable response
Response database built and used to derive key
114
UC Berkeley Study
Figure (predicted PlainText “Cisco 1234” and its CipherText “XXYYZZ” under the WEP stream cipher):
PlainText Data Is XORed with the WEP Stream Cipher to Produce the Encrypted CipherText
If CipherText Is XORed with Guessed PlainText, the Stream Cipher Can Be Derived
115
UC Berkeley Study
Figure (bit-flipping replay):
Bit Flipped Frame Sent
Attacker Anticipates Response from Upper Layer Device and Attempts to Derive Key
Frame Passes ICV, Forwarded to Dest MAC
Upper Layer Protocol Fails CRC, Sends Predictable Error Message to Source MAC
AP WEP Encrypts Response and Forwards to Source MAC
116
Message Integrity Check (MIC)
The MIC will protect WEP frames from being tampered with
The MIC is computed from seed value, destination MAC, source MAC, and payload
The MIC is included in the WEP encrypted payload
117
Message Integrity Check
MIC uses a hashing algorithm to stamp frame
The MIC is still pre-standards, awaiting 802.11i ratification
WEP Frame—No MIC: DA | SA | IV | Data | ICV (Data and ICV WEP encrypted)
WEP Frame—MIC: DA | SA | IV | Data | SEQ | MIC | ICV (Data, SEQ, MIC and ICV WEP encrypted)
118
Temporal Key Integrity Protocol (TKIP)
Base key and IV hashed
Transmit WEP Key changes as IV changes
Key hashing is still pre-standards, awaiting 802.11i ratification
119
WEP and TKIP Implementations
WEP today uses an IV and base key; this includes weak IVs which can be compromised
TKIP uses the IV and base key to hash a new key—thus a new key every packet; weak keys are mitigated
Figure, WEP Encryption Today: IV + Base Key -> RC4 -> Stream Cipher; Stream Cipher XOR Plaintext Data -> CipherText Data
Figure, TKIP: IV + Base Key -> Hash -> Packet Key -> RC4 -> Stream Cipher; Stream Cipher XOR Plaintext Data -> CipherText Data
Wireless Spoofing
121
Wireless Spoofing
The attacker constructs frames by filling selected fields that contain addresses or identifiers with legitimate looking but non-existent values, or with legitimate values that belong to others.
The attacker would have collected these legitimate values through sniffing.
122
MAC Address Spoofing
Probing is sniffable by the sys admins.
Attacker wishes to be hidden.
Use MAC address of a legitimate card.
APs can filter based on MAC addresses.
123
IP spoofing
Replacing the true IP address of the sender (or, in some cases, the destination) with a different address.
Defeats IP address based trust.
IP spoofing is an integral part of many attacks.
124
Frame Spoofing
Frames themselves are not authenticated in 802.11.
Construction of the byte stream that constitutes a spoofed frame is facilitated by libraries.
The difficulty here is not in the construction of the contents of the frame, but in getting it radiated (transmitted) by the station or an AP. This requires control over the firmware.
Wireless Network Probing
126
Wireless Network Probing
Send cleverly constructed packets to a target that trigger useful responses.
This activity is known as probing or active scanning.
The target can discover that it is being probed.
127
Active Attacks
Attacker can connect to an AP and obtain an IP address from the DHCP server.
A business competitor can use this kind of attack to get the customer information which is confidential to an organization.
128
Detection of SSID
Beacon transmission is disabled, and the attacker does not wish to wait …
Inject a probe request frame using a spoofed source MAC address.
The probe response frame from the APs will contain, in the clear, the SSID and other information similar to that in the beacon frames.
129
Detection of APs and stations
Certain bits in the frames identify that the frame is from an AP.
If we assume that WEP is either disabled or cracked, the attacker can also gather the IP addresses of the AP and the stations.
130
Detection of Probing
The frames that an attacker injects can be sniffed by a sys admin.
GPS-enabled equipment can identify the physical coordinates of a transmitting device.
AP Weaknesses
132
Poorly Constructed WEP key
The default WEP keys used are often too trivial.
APs use simple techniques to convert the user’s keyboard input into a bit vector.
Usually 5 or 13 ASCII printable characters are directly mapped by concatenating their ASCII 8-bit codes into a 40-bit or 104-bit WEP key.
A stronger 104-bit key can be constructed from 26 hexadecimal digits.
It is possible to form an even stronger 104 bit WEP key by truncating the MD5 hash of an arbitrary length pass phrase.
133
Defeating MAC Filtering
Typical APs permit access to only those stations with known MAC addresses.
Easily defeated by the attacker
Spoofs his frames with a MAC address that is registered with the AP from among the ones that he collected through sniffing.
That a MAC address is registered can be detected by observing the frames from the AP to the stations.
134
Rogue AP
135
Rogue Networks
Rogue AP = an unauthorized access point
Network users often set up rogue wireless LANs to simplify their lives
Rarely implement security measures
Network is vulnerable to War Driving and sniffing and you may not even know it
136
Figure: Access Point (SSID: “goodguy”); Stronger or Closer Access Point (SSID: “badguy”); Wi-Fi Card configured with SSID “ANY” sees “goodguy” and “badguy”
137
Trojan AP
Corporate back-doors
Corporate espionage
138
Trojan AP Mechanics
Create a competing wireless network.
AP can be actual AP or HostAP of Linux
Create or modify captive portal behind AP
Redirect users to “splash” page
DoS or theft of user credentials, or WORSE
Bold attacker will visit ground zero.
Not-so-bold will drive-by with an amp.
139
Figure, “Choose your Wi-Fi weapon...”: Normal Gear @ 25mW (14dBm); Cisco Gear @ 100mW (20dBm); Senao Gear @ 200mW (23dBm). Use a 15dBd antenna with a Senao for 38dBd total... 6 WATTS! Vs 25mW? No contest!
140
141
142
143
144
Airsnarf
Nothing special
Simplifies HostAP, httpd, dhcpd, Net::DNS, and iptables setup
Simple example rogue AP
145
Equipment Flaws
Numerous flaws in equipment from well-known manufacturers
Search on www.securityfocus.com with “access point vulnerabilities”
Ex 1: by requesting a file named config.img via TFTP, an attacker receives the binary image of the AP configuration. The image includes the administrator’s password required by the HTTP user interface, the WEP encryption keys, MAC address, and SSID.
Ex 2: yet another AP returns the WEP keys, MAC filter list, administrator’s password when sent a UDP packet to port 27155 containing the string “gstsearch”.
Denial of Service
147
Denial of Service
A system is not providing services to authorized clients because of resource exhaustion by unauthorized clients.
DOS attacks are difficult to prevent
Difficult to stop an on-going attack
Victim and its clients may not even detect the attacks.
Duration may range from milliseconds to hours.
A DOS attack against an individual station enables session hijacking.
148
Jamming
The hacker can use a high power RF signal generator to interfere with the ongoing wireless connection, making it useless.
Can be avoided only by physically finding the jamming source.
149
Flooding with Associations
AP inserts the data supplied by the station in the Association Request into a table called the association table.
802.11 specifies a maximum value of 2007 concurrent associations to an AP. The actual size of this table varies among different models of APs.
When this table overflows, the AP would refuse further clients.
Attacker authenticates several non-existing stations using legitimate-looking but randomly generated MAC addresses. The attacker then sends a flood of spoofed associate requests so that the association table overflows.
Enabling MAC filtering in the AP will prevent this attack.
150
Deauth/Disassoc Management frame
• Attacker must spoof AP MAC address in Src Addr and BSSID
• Sequence Control field handled by firmware (not set by attacker)
151
Forged Disassociation
Attacker sends a spoofed Disassociation frame where the source MAC address is set to that of the AP.
To prevent Reassociation, the attacker continues to send Disassociation frames for a desired period.
152
Forged Deauthentication
When an Association Response frame is observed, the attacker sends a spoofed Deauthentication frame where the source MAC address is spoofed to that of the AP.
The station is now unassociated and unauthenticated, and needs to reconnect.
To prevent a reconnection, the attacker continues to send Deauthentication frames for a desired period.
Neither MAC filtering nor WEP protection will prevent this attack.
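A defender's counterpart to the forged disassociation/deauthentication attack on the preceding slides, as an added example that is not from the talk: a detector over parsed management frame records that flags a burst of deauth/disassoc frames claiming one AP as source, and frames whose Sequence Control number does not continue the AP's own counter (the firmware-set field noted on slide 150). The record format, thresholds and the capture below are constructed.

```python
"""Detect forged Deauthentication/Disassociation floods (added example, not from the talk).

Input records are (time_s, subtype, sa, bssid, seq) tuples such as a monitor-mode
sniffer would emit after parsing the management header; the capture below is
constructed. Two signals are combined:
  1. rate: many deauth/disassoc frames claiming one AP as source in a short window
  2. sequence: the Sequence Control field is set by the sender's firmware, so frames
     forged on another card do not continue the counter seen in the AP's own frames
"""
from collections import defaultdict, deque

BEACON, DISASSOC, DEAUTH = 8, 10, 12        # management subtypes
SEQ_MOD = 4096                              # 12-bit sequence number

def seq_gap(prev, cur):
    """Forward distance from prev to cur on the wrapping 12-bit counter."""
    return (cur - prev) % SEQ_MOD

def detect(records, window_s=1.0, rate_threshold=5, seq_tolerance=20):
    """Return a list of alerts (kind, time, address, detail); records in time order."""
    alerts = []
    last_seq = {}                           # sa -> seq of the last frame taken as genuine
    recent = defaultdict(deque)             # bssid -> times of recent deauth/disassoc
    flooded = set()                         # bssids already reported, to alert once
    for t, subtype, sa, bssid, seq in records:
        if subtype not in (DEAUTH, DISASSOC):
            last_seq[sa] = seq              # beacons/data track the AP's real counter
            continue
        q = recent[bssid]
        q.append(t)
        while q and t - q[0] > window_s:    # keep only frames inside the window
            q.popleft()
        if len(q) >= rate_threshold and bssid not in flooded:
            flooded.add(bssid)
            alerts.append(("flood", t, bssid, f"{len(q)} deauth/disassoc in {window_s}s"))
        if sa in last_seq:
            gap = seq_gap(last_seq[sa], seq)
            if gap == 0 or gap > seq_tolerance:
                alerts.append(("seq", t, sa,
                               f"seq {seq} does not follow {last_seq[sa]} (gap {gap})"))
        # a deauth/disassoc never updates last_seq: it may itself be the forged frame
    return alerts

AP = "00:11:22:33:44:55"                    # constructed AP MAC

def constructed_capture():
    """20 genuine beacons at 10/s (seq 100..119), a burst of 8 forged deauths with
    unrelated sequence numbers just after t=0.5, and one genuine deauth at t=2.0."""
    recs = [(k * 0.1, BEACON, AP, AP, 100 + k) for k in range(20)]
    recs += [(0.51 + k * 0.01, DEAUTH, AP, AP, 3000 + k) for k in range(8)]
    recs.append((2.0, DEAUTH, AP, AP, 120))
    return sorted(recs, key=lambda r: r[0])

if __name__ == "__main__":
    for alert in detect(constructed_capture()):
        print(alert)
```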
153
First Stage – Deauth Attack
Airopeek Trace of Deauth Attack
154
First Stage – Deauth Attack
Decode of Deauthentication Frame
155
Power Management
Power-management schemes place a system in sleep mode when no activity occurs
The MS can be configured to be in continuous aware mode (CAM) or Power Save Polling (PSP) mode.
156
Power Saving
Attacker steals packets for a station while the station is in Doze state.
The 802.11 protocol requires a station to inform the AP through a successful frame exchange that it wishes to enter the Doze state from the Active state.
Periodically the station awakens and sends a PS-Poll frame to the AP. The AP will transmit in response the packets that were buffered for the station while it was dozing.
This polling frame can be spoofed by an attacker, causing the AP to send the collected packets and flush its internal buffers.
An attacker can repeat these polling messages so that when the legitimate station periodically awakens and polls, the AP will inform it that there are no pending packets.
Man-in-the-Middle AttacksMan-in-the-Middle Attacks
158158
Man-in-the-Middle Attacks
- Attacker on host X inserts X between all communication between hosts B and C, and neither B nor C is aware of the presence of X.
- All messages sent by B do reach C but via X, and vice versa.
- The attacker can merely observe the communication or modify it before sending it out.
MITM Via Deauth/DeAssoc
- A hacker may use a Trojan AP to hijack mobile nodes by sending a stronger signal than the actual AP is sending to those nodes.
- The MS then associates with the Trojan AP, sending its data into the wrong hands.
MITM Attack
- Attacker takes over connections at layer 1 and 2
  - Attacker sends Deauthenticate frames
  - Race condition between attacker and AP
  - Attacker associates with client
  - Attacker associates with AP
- Attacker is now inserted between client and AP
- Example: Monkey jack, part of AirJack (http://802.11ninja.net/airjack/)
Wireless MITM
- Assume that station B was authenticated with C, a legitimate AP.
- Attacker X is a laptop with two wireless cards. Through one card, he presents X as an AP.
- Attacker X sends Deauthentication frames to B using C's MAC address as the source, and the BSSID he has collected.
- B is deauthenticated and begins a scan for an AP and may find X on a channel different from C.
- There is a race condition between X and C.
- If B associates with X, the MITM attack succeeded. X will re-transmit the frames it receives from B to C. These frames will have a spoofed source address of B.
The Monkey-Jack Attack
Before Monkey-Jack (figure: attacker, victim)
The Monkey-Jack Attack
After Monkey-Jack (figure)
First Stage – Deauth Attack
- Attack machine uses vulnerabilities to get information about AP and clients.
- Attack machine sends deauthentication frames to victim using the AP's MAC address as the source.
Second Stage – Client Capture
- Victim's 802.11 card scans channels to search for new AP
- Victim's 802.11 card associates with Trojan AP on the attack machine
  - Attack machine's fake AP is duplicating MAC address and ESSID of real AP
  - Fake AP is on a different channel than the real one
Third Stage – Connect to AP
- Attack machine associates with real AP using MAC address of the victim's machine.
- Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper level protocols.
The Monkey-Jack Attack (figure)
Monkey-Jack Detection
- Why do I hear my MAC Address as the Src Addr? Is this an attack? Am I being spoofed?
Beginning of a MITM IDS Algorithm (figure)
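The three stages above leave observable traces on the air: a burst of deauthentication frames claiming the AP's address, the AP's BSSID appearing on a second channel (the Trojan AP cloning MAC and ESSID), and, from the victim's point of view, frames that carry its own MAC address as source although a monitor-mode radio never hears its own transmissions. The following detector is an added example written for this page, not code from the slides or from AirJack; the frame records, addresses, channels and thresholds are all constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Frame:
    """One captured 802.11 frame, already parsed (constructed records, not real captures)."""
    t: float        # capture time in seconds
    subtype: str    # "deauth", "beacon", "assoc_req", "data", ...
    src: str
    dst: str
    bssid: str
    channel: int


DEAUTH_WINDOW = 2.0   # seconds (assumed tuning value)
DEAUTH_LIMIT = 5      # more than this many deauths from one address per window is a flood


def analyze(frames: List[Frame], known_aps: Dict[str, int], my_mac: str) -> List[str]:
    """Return alert strings for the three observable signs of the attack:
    a deauth flood, a known BSSID on the wrong channel, and frames carrying
    my own MAC as source that I did not transmit."""
    alerts: List[str] = []
    deauths = defaultdict(list)   # src -> timestamps of recent deauth frames
    for f in frames:
        if f.subtype == "deauth":
            recent = [x for x in deauths[f.src] if f.t - x <= DEAUTH_WINDOW] + [f.t]
            deauths[f.src] = recent
            if len(recent) == DEAUTH_LIMIT + 1:   # alert once, when the threshold is crossed
                alerts.append(f"deauth flood: {len(recent)} deauths claiming {f.src} "
                              f"within {DEAUTH_WINDOW}s")
        if f.bssid in known_aps and f.channel != known_aps[f.bssid]:
            alerts.append(f"BSSID {f.bssid} heard on channel {f.channel}, expected "
                          f"{known_aps[f.bssid]}: possible Trojan AP")
        if f.src == my_mac:
            alerts.append(f"heard my own MAC {my_mac} as source of a {f.subtype} frame "
                          f"on channel {f.channel}")
    return alerts


# Constructed scenario (assumed addresses): legitimate AP C on channel 6, station B is us.
AP_C = "00:0c:41:aa:bb:cc"
MY_MAC = "00:40:96:11:22:33"
KNOWN_APS = {AP_C: 6}


def demo() -> List[str]:
    # Stage 1: six deauths in half a second, all claiming C as source.
    frames = [Frame(0.1 * i, "deauth", AP_C, MY_MAC, AP_C, 6) for i in range(6)]
    # Stage 2: a beacon with C's BSSID, but on channel 11.
    frames.append(Frame(1.0, "beacon", AP_C, "ff:ff:ff:ff:ff:ff", AP_C, 11))
    # Stage 3: an association request toward C that uses B's address.
    frames.append(Frame(1.5, "assoc_req", MY_MAC, AP_C, AP_C, 6))
    return analyze(frames, KNOWN_APS, MY_MAC)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The channel check is the cheapest of the three: a sensor that records each known BSSID together with its channel at enrollment time can flag a clone without decoding anything beyond the beacon.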
ARP Poisoning
- ARP poisoning is an attack technique that corrupts the ARP cache that the OS maintains with wrong MAC addresses for some IP addresses.
- ARP cache poisoning is an old problem in wired networks.
- ARP poisoning is one of the techniques that enables the man-in-the-middle attack.
- ARP poisoning on wireless networks can affect wired hosts too.
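Because ARP has no authentication, the defender's handle on poisoning is bookkeeping: remember which replies were actually asked for, pin the mappings that must not change (the default gateway, servers), and raise an alert when a reply is unsolicited or contradicts what is known. The watcher below is an added example written for this page, not a tool from the slides; the addresses and packet sequence are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class ArpPacket:
    """The fields of an ARP packet that matter for cache-poisoning detection."""
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpWatcher:
    """Passive ARP monitor: flags unsolicited replies and IP-to-MAC changes."""

    def __init__(self, pinned: Dict[str, str]):
        self.table: Dict[str, str] = dict(pinned)   # ip -> mac learned so far
        self.pinned: Set[str] = set(pinned)         # entries that must never change
        self.pending: Set[Tuple[str, str]] = set()  # (asking ip, asked-for ip) not yet answered
        self.alerts: List[str] = []

    def observe(self, p: ArpPacket) -> None:
        if p.op == "request":
            self.pending.add((p.sender_ip, p.target_ip))
        else:
            key = (p.target_ip, p.sender_ip)
            if key in self.pending:
                self.pending.discard(key)
            else:
                self.alerts.append(f"unsolicited reply: {p.sender_ip} is-at {p.sender_mac} "
                                   f"sent to {p.target_ip}")
        self._learn(p.sender_ip, p.sender_mac)

    def _learn(self, ip: str, mac: str) -> None:
        old = self.table.get(ip)
        if old is None:
            self.table[ip] = mac
        elif old != mac:
            if ip in self.pinned:
                # Pinned entries are never overwritten; a contradiction is the poisoning signature.
                self.alerts.append(f"pinned entry {ip} ({old}) contradicted by {mac}: likely poisoning")
            else:
                self.alerts.append(f"{ip} moved from {old} to {mac}")
                self.table[ip] = mac


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"   # constructed


def demo() -> ArpWatcher:
    w = ArpWatcher({GATEWAY_IP: GATEWAY_MAC})
    host, host_mac = "192.168.1.10", "00:11:22:33:44:10"
    other, other_mac = "192.168.1.20", "00:11:22:33:44:20"
    rogue_mac = "00:de:ad:be:ef:99"
    packets = [
        ArpPacket("request", host, host_mac, GATEWAY_IP),
        ArpPacket("reply", GATEWAY_IP, GATEWAY_MAC, host),   # legitimate answer
        ArpPacket("reply", GATEWAY_IP, rogue_mac, host),     # gratuitous reply with a different MAC
        ArpPacket("request", other, other_mac, host),
        ArpPacket("reply", host, rogue_mac, other),          # answered, but the host's MAC changed
    ]
    for p in packets:
        w.observe(p)
    return w


if __name__ == "__main__":
    for alert in demo().alerts:
        print(alert)
```

On a wireless segment the same watcher can run on the AP or on a wired monitor port, which is why the slide's last point matters: a poisoned mapping learned over the air propagates to every wired host that trusts the same cache entry.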
Session Hijacking
- Session hijacking occurs when an attacker causes a user to lose his connection, and the attacker assumes his identity and privileges for a period.
- An attacker disables temporarily the user's system, say by a DoS attack or a buffer overflow exploit. The attacker then takes the identity of the user. The attacker now has all the access that the user has. When he is done, he stops the DoS attack, and lets the user resume. The user may not detect the interruption if the disruption lasts no more than a couple of seconds.
- Hijacking can be achieved by a forged disassociation DoS attack.
- Corporate wireless networks are set up so that the user is directed to an authentication server when his station attempts a connection with an AP. After the authentication, the attacker employs the session hijacking described above using spoofed MAC addresses.
War Driving
War Driving
- "The benign act of locating and logging wireless access points while in motion." (http://www.wardrive.net/)
- This "benign" act is of course useful to the attackers.
War chalking (figure)
Typical Equipment (figure)
"Special" Equipment
- Possible: 8 mile range using a 24dB gain parabolic dish antenna.
- PC cards vary in power.
  - Typical: 25mW (14dBm)
  - Cisco: 100mW (20dBm)
  - Senao: 200mW (23dBm)
War Driving
- Default installation allows any wireless NIC to access the network
- Drive around (or walk) and gain access to wireless networks
- Provides direct access behind the firewall
Software Tools
802.11 Attack Tools
- The following are all freeware
  - Airsnort (Linux)
  - WEPcrack (Linux)
  - Kismet (Linux)
  - Wellenreiter (Linux)
  - NetStumbler (Windows)
  - MiniStumbler (PocketPC)
  - BSD-Airtools (*BSD)
  - Aerosol (Windows)
  - WiFiScanner (Linux)
802.11 Network Security Tools
- AiroPeek / AiroPeek NX: Wireless frame sniffer / analyzer, Windows
- AirTraf: Wireless sniffer / analyzer / "IDS"
- AirSnort: WEP key "cracker"
- BSD Airtools: Ports for common wireless tools, very useful
- NetStumbler: Access point enumeration tool, Windows, free
Ettercap
- Ettercap is a suite for man-in-the-middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
- It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.
Weapons Of Mass Disruption
- Many tools are new and notable in the world of wireless attacking:
  - libradiate – a library
  - airtraf
  - kismet
  - air-jack family
  - thc-rut – The Hacker's Choice
libradiate
- Radiate is a C library similar in practice to Libnet but designed for "802.11 frame reading, creation and injection."
  - Libnet builds layer 3 and above
  - Libradiate builds 802.11 frames
- Disperse, an example tool built using libradiate, is fully functional
libradiate
- Frame types and subtypes
  - Beacon: transmitted often, announcing a WLAN
  - Probe request: a client frame: "anyone out there?"
  - Association: client and server exchange: "can I play?"
  - Disassociate: "no soup for you!"
  - RTS/CTS: ready/clear to send frames
  - ACK: Acknowledgement
- Radiate allows construction of these frames very easily.
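The frame kinds listed above are all distinguished by the two-byte Frame Control field at the start of every 802.11 frame: type (management, control, data) and subtype, followed by flags such as To DS, From DS, Retry, Power Management and Protected. A monitor that wants to count deauthentications, PS-Polls or protected data frames has to decode that field first. The parser below is an added example for this page, not libradiate's code; the three frames it decodes are constructed byte strings (a deauthentication with reason code 7, a PS-Poll, and a protected data frame), and the sample addresses are made up.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_NAMES = {
    (0, 0): "association request", (0, 1): "association response",
    (0, 2): "reassociation request", (0, 3): "reassociation response",
    (0, 4): "probe request", (0, 5): "probe response", (0, 8): "beacon",
    (0, 10): "disassociation", (0, 11): "authentication", (0, 12): "deauthentication",
    (1, 10): "PS-Poll", (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "data", (2, 4): "null data", (2, 8): "QoS data",
}


@dataclass
class Header:
    ftype: int
    subtype: int
    name: str
    to_ds: bool
    from_ds: bool
    retry: bool
    power_mgmt: bool
    protected: bool
    duration: int                 # for PS-Poll this field carries the AID instead
    addr1: Optional[str] = None
    addr2: Optional[str] = None
    addr3: Optional[str] = None
    seq: Optional[int] = None
    frag: Optional[int] = None
    reason: Optional[int] = None  # reason code of disassociation/deauthentication frames


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse(frame: bytes) -> Header:
    """Decode Frame Control, Duration, the address fields and Sequence Control.
    All multi-byte fields in the 802.11 header are little-endian."""
    fc0, fc1, duration = struct.unpack_from("<BBH", frame, 0)
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4        # bits 2-3: type, bits 4-7: subtype
    h = Header(ftype, subtype, SUBTYPE_NAMES.get((ftype, subtype), "unknown"),
               to_ds=bool(fc1 & 0x01), from_ds=bool(fc1 & 0x02), retry=bool(fc1 & 0x08),
               power_mgmt=bool(fc1 & 0x10), protected=bool(fc1 & 0x40), duration=duration)
    if ftype in (0, 2):
        # Management and data frames carry three addresses and a sequence control field.
        h.addr1, h.addr2, h.addr3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
        seq_ctl = struct.unpack_from("<H", frame, 22)[0]
        h.frag, h.seq = seq_ctl & 0xF, seq_ctl >> 4     # low 4 bits fragment, upper 12 sequence
        if ftype == 0 and subtype in (10, 12) and len(frame) >= 26:
            h.reason = struct.unpack_from("<H", frame, 24)[0]
    elif ftype == 1 and subtype == 10:
        # PS-Poll: AID in the duration slot, then BSSID (addr1) and transmitter (addr2).
        h.addr1, h.addr2 = mac(frame[4:10]), mac(frame[10:16])
    return h


# Constructed frames (hex), assumed addresses: AP 00:0c:41:aa:bb:cc, station 00:40:96:11:22:33.
DEAUTH = bytes.fromhex("c000" "3a01" "004096112233" "000c41aabbcc" "000c41aabbcc" "4006" "0700")
PSPOLL = bytes.fromhex("a400" "01c0" "000c41aabbcc" "004096112233")
DATA = bytes.fromhex("0841" "0000" "000c41aabbcc" "004096112233" "ffffffffffff" "1000" "aabb")

if __name__ == "__main__":
    for raw in (DEAUTH, PSPOLL, DATA):
        print(parse(raw))
```

The reason code and the sequence number are the two fields a WIDS keeps from a deauthentication: the first for reporting, the second because a spoofed frame rarely fits the sender's real counter.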
airtraf
- more a tool for the good guys, but noteworthy nonetheless
- http://airtraf.sourceforge.net/
- http://www.elixar.com (Elixar, Inc)
netstumbler
- 'stumbler certainly deserves a mention, as it is and was the most popularized wireless network detection tool around
- windows based, it supports GPS but lacks in many features required by a REAL wireless security hacker...
- http://www.netstumbler.com
stumbler vs. stumbverter (map figures)
- thanks to fr|tz @ www.mindthief.net for map data!
kismet
- A wireless network sniffer that
  - Segregates traffic
  - Detects IP blocks
  - decloaks SSIDs
  - Detects factory default configurations
  - Detects netstumbler clients
  - Maps wireless points
kismet (screenshots)
kismet - gpsmap
- Included with kismet, gpsmap gives a great look at captured wireless nodes.
- Example invocations (map figures):
  ./gpsmap -S 2 -s 12 -r
  ./gpsmap -S 2 -s 14 -r -t
  ./gpsmap -r -t
air-jack
- Not a tool, a family of post-detection tools based on the air-jack driver.
  - wlan-jack: spoofs a deauthentication frame to force a wireless user off the net. Shake, repeat forever. Victim is GONE!
  - essid-jack: wlan-jacks a victim then sniffs the SSID when the user reconnects.
  - Monkey-jack: wlan-jacks a victim, then plays man-in-the-middle between the attacker and the target.
  - kracker-jack: monkey-jacks a WLAN connection protected by MAC protected, IPSec secured VPN!
air-jack
- http://802.11ninja.net/
- Robert Baird & Mike Lynn's excellent presentation lays out the attacks available to air-jack users. http://www.blackhat.com/presentations/bh-usa-02/baird-lynn/bh-us-02-lynn-802.11attack.ppt
thc-rut
- a set of post-detection tools
Wireless Security Best Practices
Location of the APs
- Network segmentation
  - Treat the WLAN as an untrusted network
- RF signal shaping
- Continually check for unauthorized ("rogue/Trojan") APs
Proper Configuration
- Change the default passwords
- Use WEP, however broken it may be
- Don't use static keys, change them frequently
- Don't allow connections with an empty SSID
- Don't broadcast your SSID
- Use a VPN and MAC address filtering with strong mutual authentication
- Wireless IDS/monitoring (e.g., www.airdefense.net)
Proper Configuration
- Most devices have multiple management interfaces
  - HTTP
  - Telnet
  - FTP
  - TFTP
  - SNMP
- Disable unneeded services / interfaces
- Stay current with patches
Remedies
- Secure Protocol Techniques
  - Encrypted messages
  - Digitally signed messages
  - Encapsulation/tunneling
- Use strong authentication
Wireless IDS
- A wireless intrusion detection system (WIDS) is often a self-contained computer system with specialized hardware and software to detect anomalous behavior.
- The special wireless hardware is more capable than the commodity wireless card, including the RF monitor mode, detection of interference, and keeping track of signal-to-noise ratios.
- It also includes GPS equipment so that rogue clients and APs can be located.
- A WIDS includes one or more listening devices that collect MAC addresses, SSIDs, features enabled on the stations, transmit speeds, current channel, encryption status, beacon interval, etc.
Wireless IDS
- The WIDS computing engine should be powerful enough that it can dissect frames and WEP-decrypt into IP and TCP components. These can be fed into TCP/IP related intrusion detection systems.
- Unknown MAC addresses are detected by maintaining a registry of MAC addresses of known stations and APs.
- Can detect spoofed known MAC addresses because the attacker could not control the firmware of the wireless card to insert the appropriate sequence numbers into the frame.
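The last point rests on the 12-bit sequence number in every management and data frame: a card's firmware increments it per frame, so frames genuinely from one transmitter form a counter that climbs by small steps and wraps at 4096, while a retransmission keeps its number and sets the Retry flag. A second radio borrowing the same MAC address runs its own counter, so its frames fall outside the window the WIDS has been following. The tracker below is an added example for this page, not code from any WIDS product; the tolerance for missed frames and the sample sequence are constructed.

```python
from typing import Dict, List

SEQ_MODULUS = 4096   # the 802.11 sequence number is a 12-bit counter
MAX_GAP = 32         # frames we may have missed before suspecting a second transmitter (assumed tuning)


class SeqTracker:
    """Follow the sequence counter of each source address and flag frames that do not fit it."""

    def __init__(self) -> None:
        self.last: Dict[str, int] = {}
        self.alerts: List[str] = []

    def observe(self, src: str, seq: int, retry: bool = False, subtype: str = "data") -> bool:
        last = self.last.get(src)
        if last is None:
            self.last[src] = seq
            return True
        delta = (seq - last) % SEQ_MODULUS          # modular distance handles the wrap at 4095 -> 0
        if (delta == 0 and retry) or 1 <= delta <= MAX_GAP:
            self.last[src] = seq
            return True
        # Out of order: same address, but not the counter we have been following.
        # The tracked counter is left alone so the genuine station is not the one flagged next.
        self.alerts.append(f"{subtype} from {src}: seq {seq} after {last} (delta {delta}), "
                           f"address probably spoofed")
        return False


AP_C = "00:0c:41:aa:bb:cc"   # constructed AP address


def demo() -> SeqTracker:
    t = SeqTracker()
    stream = [(100, False, "beacon"), (101, False, "data"), (102, False, "data"),
              (103, False, "data"), (103, True, "data"),     # retransmission keeps its number
              (7, False, "deauth"),                          # second radio using C's address
              (104, False, "data")]                          # the real AP carries on
    for seq, retry, subtype in stream:
        t.observe(AP_C, seq, retry, subtype)
    return t


if __name__ == "__main__":
    for alert in demo().alerts:
        print(alert)
```

The tolerance MAX_GAP is the knob that trades missed detections for false alarms: a sensor hopping channels sees only part of each transmitter's stream, so it needs a wider window than a sensor parked on the AP's channel.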
Wireless Auditing
- Periodically, every wireless network should be audited.
- Several audit firms provide this service for a fee.
- A security audit begins with a well-established security policy.
- A policy for wireless networks should include a description of the geographical volume of coverage.
- The goal of an audit is to verify that there are no violations of the policy.
Newer Standards and Protocols
WLAN Security Timeline (figure)
Cisco LEAP Overview
- Provides centralized, scalable, user-based authentication
- Algorithm requires mutual authentication
  - Network authenticates client, client authenticates network
- Uses 802.1X for 802.11 authentication messaging
  - APs will support WinXP's EAP-TLS also
- Dynamic WEP key support with WEP key session timeouts
LEAP Authentication Process (figure; parties: Client, AP, RADIUS Server. Labels: Start; Request Identity; Identity; RADIUS Server Authenticates Client; Client Authenticates RADIUS Server; Derive Key (on both client and RADIUS server); Key Length; Broadcast Key: AP sends client broadcast key, encrypted with session key; AP blocks all requests until authentication completes.)
802.11i
- Takes base 802.1X and adds several features
- Wireless implementations are divided into two groups: legacy and new
  - Both groups use 802.1x for credential verification, but the encryption method differs
- Legacy networks must use 104-bit WEP, TKIP and MIC
- New networks will be same as legacy, except that they must replace WEP/TKIP with advanced encryption standard – operation cipher block (AES-OCB)
Wi-Fi Protected Access (WPA)
- Security solution based on IEEE standards
- Replacement for WEP
- Designed to run on existing hardware as a software upgrade, Wi-Fi Protected Access is derived from and will be forward-compatible with the upcoming IEEE 802.11i standard
- Two main features are:
  - enhanced encryption using TKIP
  - user authentication via 802.1x and EAP
Other Vulnerabilities
- In February 2002, Arunesh Mishra and William Arbaugh described several design flaws in the combination of the IEEE 802.1X and IEEE 802.11 protocols that permit man-in-the-middle and session hijacking attacks.
- LEAP-enabled Cisco wireless networks are vulnerable to dictionary attacks (a la "anwrap")
- Attackers can compromise other VPN clients within a "wireless DMZ" and piggyback into the protected network.
Secure LAN (SLAN)
- Intent to protect link between wireless client and (assumed) more secure wired network
- Similar to a VPN and provides server authentication, client authentication, data privacy, and integrity using per session and per user short life keys
- Simpler and more cost efficient than a VPN
- Cross-platform support and interoperability, not highly scaleable, though
- Supports Linux and Windows
- Open Source (slan.sourceforge.net)
SLAN Architecture (figure)
SLAN Steps
1. Client/Server Version Handshake
2. Diffie-Hellman Key Exchange
3. Server Authentication (public key fingerprint)
4. Client Authentication (optional) with PAM on Linux
5. IP Configuration – IP address pool and adjust routing table
SLAN Client (figure; components: Client Application, i.e. Web Browser; SLAN Driver; User Space Process; Physical Driver. Plaintext traffic passes between the application and the SLAN driver; encrypted traffic passes through the physical driver to the SLAN server.)
Intermediate WLAN
- 11-100 users
- Can use MAC addresses, WEP and rotate keys if you want.
  - Some vendors have limited MAC storage ability
- SLAN also an option
- Another solution is to tunnel traffic through a VPN
Intermediate WLAN Architecture (figure)
VPN
- Provides a scaleable authentication and encryption solution
- Does require end user configuration and a strong knowledge of VPN technology
- Users must re-authenticate if roaming between VPN servers
VPN Architecture (figures)
Enterprise WLAN
- 100+ users
- Reconfiguring WEP keys not feasible
- Multiple access points and subnets
- Possible solutions include VLANs, VPNs, custom solutions, and 802.1x
VLANs
- Combine wireless networks on one VLAN segment, even geographically separated networks.
- Use 802.1Q VLAN tagging to create a wireless subnet and a VPN gateway for authentication and encryption
VLAN Architecture (figure)
Customized Gateway
- Georgia Institute of Technology
  - Allows students with laptops to log on to the campus network
  - Uses VLANs, IP Tables, and a Web browser
  - No end user configuration required
- User accesses a web site and enters a userid and password
- Gateway runs specialized code authenticating the user with Kerberos and packet filtering with IPTables, adding the user's IP address to the allowed list to provide network access
Gateway Architecture (figure)
Temporal Key Integrity Protocol (TKIP)
- 128-bit shared secret – "temporal key" (TK)
- Mixes the transmitter's MAC address with TK to produce a Phase 1 key.
- The Phase 1 key is mixed with an initialization vector (IV) to derive per-packet keys.
- Each key is used with RC4 to encrypt one and only one data packet.
- Defeats the attacks based on "Weaknesses in the key scheduling algorithm of RC4" by Fluhrer, Mantin and Shamir
- TKIP is backward compatible with current APs and wireless NICs
Message Integrity Check (MIC)
- MIC prevents bit-flip attacks
- Implemented on both the access point and all associated client devices, MIC adds a few bytes to each packet to make the packets tamper-proof.
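Why a MIC is needed at all comes down to one property of WEP's CRC-32 integrity check value (ICV): CRC-32 is affine over GF(2), so crc(a XOR d) equals crc(a) XOR crc(d) XOR crc(zeros), and that identity survives XOR with a stream-cipher keystream. An integrity check that can be updated without knowing the data or any key therefore cannot detect a modification; a keyed MIC can. The example below, added for this page and not taken from the slides or from any 802.11 implementation, checks both behaviours on a constructed packet: a CRC-based ICV accepts a flipped payload whose ICV bytes were adjusted by the predicted difference, while an HMAC-based tag (a stand-in for the MIC, not the Michael algorithm TKIP actually uses) rejects the same modification. The keystream and keys are fixed constructed values, not RC4 output.

```python
import hashlib
import hmac
import struct
import zlib
from typing import Optional


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_of_xor(crc_a: int, delta: bytes) -> int:
    """crc32(a XOR delta) computed from crc32(a) alone: CRC-32 is affine, so
    crc(a ^ d) == crc(a) ^ crc(d) ^ crc(0...0). No knowledge of 'a' is needed."""
    return crc_a ^ zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))


def check_identity(a: bytes, delta: bytes) -> bool:
    """Verify the identity above on concrete data (delta must be as long as a)."""
    return zlib.crc32(xor(a, delta)) == crc_of_xor(zlib.crc32(a), delta)


# WEP-style sealing: plaintext || CRC-32 ICV, then XOR with the keystream.
def icv_seal(keystream: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext + struct.pack("<I", zlib.crc32(plaintext)), keystream)


def icv_open(keystream: bytes, ciphertext: bytes) -> Optional[bytes]:
    body = xor(ciphertext, keystream)
    pt, icv = body[:-4], struct.unpack("<I", body[-4:])[0]
    return pt if zlib.crc32(pt) == icv else None


# Keyed MIC: plaintext || truncated HMAC under a secret MIC key, then XOR with the keystream.
def mic_seal(keystream: bytes, mic_key: bytes, plaintext: bytes) -> bytes:
    tag = hmac.new(mic_key, plaintext, hashlib.sha256).digest()[:8]
    return xor(plaintext + tag, keystream)


def mic_open(keystream: bytes, mic_key: bytes, ciphertext: bytes) -> Optional[bytes]:
    body = xor(ciphertext, keystream)
    pt, tag = body[:-8], body[-8:]
    expected = hmac.new(mic_key, pt, hashlib.sha256).digest()[:8]
    return pt if hmac.compare_digest(tag, expected) else None


def demo():
    """Apply the same bit flips to an ICV-protected and a MIC-protected packet.
    Returns (what the ICV receiver accepts, what the MIC receiver accepts)."""
    keystream = hashlib.sha256(b"constructed keystream, not RC4 output").digest() * 2
    mic_key = b"constructed MIC key"
    msg = b"PAY 100 TO ALICE"
    delta = bytes(4) + bytes([0x08, 0x09, 0x09]) + bytes(len(msg) - 7)   # turns "100" into "999"

    # ICV: flip the payload bits and the ICV bits by the difference the CRC identity predicts.
    icv_diff = struct.pack("<I", zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta))))
    tampered_icv = xor(icv_seal(keystream, msg), delta + icv_diff)
    icv_result = icv_open(keystream, tampered_icv)          # accepted: b"PAY 999 TO ALICE"

    # MIC: the same payload flips; the tag cannot be adjusted without mic_key.
    tampered_mic = xor(mic_seal(keystream, mic_key, msg), delta + bytes(8))
    mic_result = mic_open(keystream, mic_key, tampered_mic)  # rejected: None
    return icv_result, mic_result


if __name__ == "__main__":
    print(demo())
```

The takeaway for the TKIP design on the previous slide is the same: the per-packet key defeats key recovery, but only the keyed MIC gives the receiver a check that an unkeyed party cannot keep consistent.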
Conclusion
- Some predictions are that the market for wireless LANs will be $2.2 billion in 2004, up from $771 million in 2000.
- Current 802.11 security state is not ideal for sensitive environments.
- Wireless Networks at home …
References
1. John Bellardo and Stefan Savage, "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions", 2003, Usenix 2003 Proceedings. http://www.cs.ucsd.edu/users/savage/papers/UsenixSec03.pdf
2. Jon Edney and William A. Arbaugh, Real 802.11 Security: Wi-Fi Protected Access and 802.11i, 480 pages, Addison Wesley, 2003, ISBN: 0-321-13620-9.
3. Jamil Farshchi, Wireless Intrusion Detection Systems, November 5, 2003, http://www.securityfocus.com/infocus/1742. Retrieved Jan 20, 2004.
4. Rob Flickenger, Wireless Hacks: 100 Industrial-Strength Tips & Tools, 286 pages, O'Reilly & Associates, September 2003, ISBN: 0-596-00559-8.
5. Matthew S. Gast, 802.11 Wireless Networks: The Definitive Guide, 464 pages, O'Reilly & Associates, April 2002, ISBN: 0596001835.
6. Vikram Gupta, Srikanth Krishnamurthy, and Michalis Faloutsos, "Denial of Service Attacks at the MAC Layer in Wireless Ad Hoc Networks", Proceedings of 2002 MILCOM Conference, Anaheim, CA, October 2002.
7. Chris Hurley, Michael Puchol, Russ Rogers, and Frank Thornton, WarDriving: Drive, Detect, Defend, A Guide to Wireless Security, ISBN: 1931836035, Syngress, 2004.
8. IEEE, IEEE 802.11 standards documents, http://standards.ieee.org/wireless/
9. Tom Karygiannis and Les Owens, Wireless Network Security: 802.11, Bluetooth and Handheld Devices, National Institute of Standards and Technology Special Publication 800-48, November 2002. http://cs-www.ncsl.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf
10. Prabhaker Mateti, TCP/IP Suite, The Internet Encyclopedia, Hossein Bidgoli (Editor), John Wiley 2003, ISBN 0471222011.
11. Robert Moskowitz, "Debunking the Myth of SSID Hiding", Retrieved on March 10, 2004. http://www.icsalabs.com/html/communities/WLAN/wp_ssid_hiding.pdf
12. Bruce Potter and Bob Fleck, 802.11 Security, O'Reilly & Associates, 2002; ISBN: 0-596-00290-4.
13. William Stallings, Wireless Communications & Networks, Prentice Hall, 2001, ISBN: 0130408646.
14. http://www.warchalking.org/ "Collaboratively creating a hobo-language for free wireless networking."
15. Joshua Wright, "Detecting Wireless LAN MAC Address Spoofing", Retrieved on Jan 20, 2004. http://home.jwu.edu/jwright/