Dr. Igor Santos
Security of Information Systems
Wi-Fi Security
2
Contents
Introduction to Wi-Fi networks Encryption
WEP WPA
Vulnerabilities Attacks Setting up a secure Wi-Fi network Captive Portals
3
Introducción a las redes Wi-Fi
4
Introduction to Wi-Fi networks
What is a Wi-Fi? Set of interconnected computers through
a Wireless "bridge / router" or Access Point
Main devices in a Wi-Fi network Network cards Access Points and Access Points (AP) Antennas
5
Introduction to Wi-Fi networks
Typical topology
6
Wi-Fi network cards
7
Wi-Fi network cards
Modes1. Ad-hoc: interconnection between
devices without the need for an AP ▪ It is similar to point-to-point connection via
crossover ethernet cable (however, several PCs can be connected ad-hoc)▪ AP manages the media → increased collisions
→ lowers performance
8
Wi-Fi network cards
2. Managed or Infrastructure: connected to an AP that manages connections (STA <> AP)▪ The card leaves all responsibility to the AP
to manage traffic▪ Sometimes it is necessary to know the
ESSID (network id) of the network that manages the AP to access → detect it by entering monitor mode.
9
Wi-Fi network cards
3. Master: as an AP, provides service and manages the connections (AP <> STA)▪ PCs can be converted into APs▪ HostAP: http://hostap.epitest.fi
▪ Advantages▪ A PC is much more powerful than an AP, many possibilities (filtering, security enhancements, routing, DHCP ...)▪ Recycling of obsolete equipment, cheap APs
▪ Shortcomings▪ Not all cards can work in Master mode (Prism / Hermes / Atheros).
10
Wi-Fi network cards
4. Monitor: allows to to capture packets without associating with an AP or ad-hoc network▪ Monitors a specific channel without
transmitting packets (passively)▪ The card does not check the packet CRC's▪ It is NOT THE SAME as promiscuous mode▪ Promiscuous : in LAN networks, connected▪ Monitor: in WiFi networks, not connected
▪ Not all cards support monitor mode▪ http://kmuto.jp/debian/hcl/index.cgi▪ http://linux-wless.passys.nl
11
Access Points
12
Wi-Fi Access Points
Interconnects Ethernet LANs with wireless users or networks
Alternatives Commercial APs Commercial APs with free software APs comerciales con software libre▪ Install Custom Firmware on commercial AP
“Homemade” APs ▪ Obsolete PC + WiFi card in Master mode
13
Wi-Fi Access Points
Functionalities They manage the physical media They selectively retransmit data They may have additional services▪ DHCP▪ Remote management (web, telnet, ssh)▪ IP, MAC, etc.. filtering
14
Wi-Fi Access Points
Concepts BSSID (Basic Service Set Identifier)▪ Unique address that identifies the AP that
creates the wireless network▪ MAC address
ESSID (Extended Service Set Identifier)▪ Unique name of up to 32 characters to
identify the wireless network
15
Wi-Fi Access Points
Channel▪ Wi-Fi works in the 2.4GHz bandwith▪ It is divided in 13 channels of 22 Mhz▪ Different frequency ranges within that band▪ They overlap-> Interferences!
▪ Recommendation▪ Use channels of 1, 6 and 11 so they do not
overlap each other
16
Wi-Fi Access Points
17
Wi-Fi antennas
18
Wi-Fi antennas
They manage to increase the coverage and performance of a wireless node
Several scenarios AP inside a building Exterior APs▪ Point to point connection▪ Point-to-multipoint▪ Hot-spot
19
Wi-Fi antennas
There are different types of antennas Omnidirectional▪ In all directions▪ Ideal for APs or hot-spots
Directives▪ Towards a direction or a small sector▪ Ideal for:▪ Users of an AP▪ Interconnection LAN-to-LAN
20
Wi-Fi antennas
Homemade antennas
21
Encryption
22
WEP Encryption
WEP (Wired Equivalent Privacy) Included in the 802.11 standard Protection based on the RC4 algorithm Use keys of 64, 128 and 256 bits (actually
40, 104 or 232 bits: because Initialization Vector - IV = 24 bits, different in each package)
The key may be generated from a passphrase or entered directly by the user
The key must be known to all clients (shared secret)
23
WPA Encryption
WPA (Wi-Fi Protected Access) Workaround prior to 802.11i (WPA2) Improvements over WEP▪ Dynamic key distribution with limited
duration (TKIP - Temporal Key Integrity Protocol)▪ Harder Initialization Vector: 48 bits,
minimizing key reuse▪ Integrity: from ICV (Integrity Check Value) to
MIC (Michael): based on the encryption key
24
WPA Encryption
Dos modalities Personal -WPA (PSK)▪ Though for simple environments▪ Pre-Shared Key (PSK): shared secret
WPA-Enterprise (RADIUS)▪ Though for complex environments▪ Every user has his/her login/password▪ 802.1x▪ Supplicant (STA)▪ Authenticator (AP)▪ Auth server (RADIUS)
25
802.11i (WPA2) Encryption
WPA2 Approved by the IEEE and accepted by Wi-Fi
Alliance in 2004 Also known as 802.11i or RSN (Robust
Security Network) Improvements▪ 802.1x-based authentication
▪ AES-based encryption
▪ Dynamic key management (GKH, PKH)
▪ Support for ad-hoc networks
26
PORTADA VULNERABILIDADES
Wi-Fi vulnerabilities
27
Wi-Fi vulnerabilities
WiFi networks have the same problems / bugs / vulnerabilities than wired networks
Besides, they have additional problems related to its wireless features Radio Scanners Radio jamming (DoS) Flexibility vs. Security ...
28
Wi-Fi vulnerabilities
vulnerabilities Access: wardriving WEP Encryption: Attacks like FSM, KoreK,
etc WPA and WPA2 Encryption: Dictionary
Attracks Man-in-the-Middle Attacks▪ Rogue APs▪ Vulnerabilities in APs when "bridge“ mode: ARP
Poisoning Denial of Service(DoS)
29
WEP vulnerabilities
30
WEP vulnerabilities
Walker (Intel) (2000) "WEP is not a good way to provide
privacy for wireless communications" Using a stream cipher algorithm (RC4) in
an environment in which the keys are repeated a mistake
Main problem -> Initialization Vectors If the Initialization Vectors are
repeated and we know lots of plaintext is easy to break the encryption
31
WEP vulnerabilities
32
WEP vulnerabilities
Borisov et al. (2001) Alphabet Building Attack (the "keystream" is
derivable by a known plaintext attack)
Arbaugh (2001) Attack "Inductive Chosen Plain Text" (build a
Databse with all the "keystreams" for a WEP key in a relatively short time)
Fluhrer, Mantin, Shamir (2001) “Weaknesses in the Key Scheduling Algorithm of
RC4” (few bits determine many bits in the first permutation algorithm)
33
WEP vulnerabilities
KoreK (2004) “KoreK Attacks”: set of enhancements to the
attack FMS - Fluhrer, Mantin, Shamir (2001)▪ Only about 200,000 Initialization Vectors are
needed "Attack chop-chop": Reverse Inductive
Attack (Arbaugh 2001)▪ It sends an encrypted ARP request to the AP with
one byte less▪ The AP will repeat only those packets that verify
the CRC▪ After 256 attempts, it will find the valid byte of that
particular iteration▪ Requests can be send in parallel (more speed)▪ Gradually all the "keystream“ can be derived
34
WEP vulnerabilities
Reinjection of packets to generate new traffic (new Initialization Vectors)▪ ARP requests▪ ICMP Traffic▪ DHCP requests
35
WEP vulnerabilities
Klein (2005) Improvements to the correlations found by FMS
and RC4 KoreK
Bittau et al. (2006) Packet fragmentation attack between STA and AP
Ramachandran y Ahmad (2007) “Caffe-latte attack” (getting the user key, not the
AP one)
Hirte (2007) Improved "caffe-latte attack" (no need for ARPs)
36
WEP vulnerabilities
Tews, Weinmann, Pyshki (2007) “Breaking 104-bit WEP in less than 60
seconds” (improved KoreK’s approach by using the contribution from Klein)
Performance▪ 50% success with 40.000 Initialization Vectors▪ 95% success with 85.000 Initialization Vectors
Beck y Tews (2008) Improvements from the approaches by
Tews, Weinmann and Pyshki (reduces the number of needed packages from 90000-40000 to 24,000 )
37
WEP attacks
WEP cracking Capture traffic that contains Initialization
Vectors (NOT Beacon Frames)▪ If there are no users connected to the AP,
then the traffic cannot be generated▪ Fake Association
▪ If there is no much traffic▪ Reinject
Use one of the methods (Korek, …) to obtain the key
38
WEP attacks
Brute force For WEP40, is reasonable▪ 240
▪ On a Pentium Core2Duo: 42 days (300,000 K / S)▪ In a cluster of FPGAs: 13 minutes (1.386M K / S)
For WEP104, IT IS NOT▪ 2104 = 20 x 1030 ▪ On a Pentium Core2Duo: 2.14 trillion years▪ In a cluster of FPGAs: 464 billion years
Dictionary attacks Keys already broken in other APs Default keys
39
WEP attacks
Many manufacturers configure default WEP ESSID recognizable as WLAN_XX or equivalent Deductible WEP passphrase generated according
to:▪ A common prefix for each manufacturer▪ BSSID▪ The XX WLAN_XX
Other unknown data▪ You can try brute force the 16,384 possibilities
WlanDecrypter generates these possible keys depending on the BSSID and ESSID
Only one encrypted packet capture is needed▪ WlanInject to generate a false association if there is no
traffic
40
Tools for cracking WEP
GNU/Linux Tools aircrack, aircrack-ng▪ Continuous development▪ Highly recommended
WepLab▪ Centered in WEP, few updates▪ GUI (wxWepLab)
Assistants▪ Airoscript▪ wesside-ng y easside-ng▪ spoonwep2.
41
Tools for cracking WEP
Tools for Microsoft Windows Privative Software▪ CommView for WiFi (TamoSoft)▪ OmniPeek (WildPackets)▪ AirMagnet WiFi Analyzer (AirMagnet)
42
Tools for cracking WEP
Ports of free software (partial functionality)
Ports de software libre (parcial functionality )▪ airsnort: obsolete▪ WepLab▪ Doesn’t support Windows capture▪ Required Wireshark or other capture programs
▪ aircrack y aircrack-ng▪ Currently widely used▪ Capture and reinjection with some drivers
43
Conclusions WEP
A few years ago it was said that WEP was bad, but better than nothing
Today it is almost the opposite: Protecting a network with WEP makes it
easy to crack because it is a challenge very accessible to casual crackers
There are security protocols, so WEP should be discarded ALWAYS
44
WPA-PSK vulnerabilities
45
WPA-PSK vulnerabilities
WPA-PSK vulnerabilities The system used by WPA for the
exchange of information used for the key generation is weak
Preset Keys are "unsafe" (WPA-PSK)▪ Subject to dictionary attacks▪ No need to capture lots of traffic, capture
only key exchange
46
WPA vulnerabilities
1. Capture initial handshake 4 packets WPA from user authentication
against an AP de autenticación de un cliente contra un
AP2. Brute force or dictionary attack to
extract the key Success depends on the dictionary Éxito depende del diccionario It is also possible to use Rainbow Tables
47
WPA attacks
Many manufacturers configure default WPA ESSID recognizable▪ WLAN_XXXX▪ JAZZTEL_XXX
BSSID also needed Online Tools▪ http://www.seguridadwireless.net/wpamagickey1.php▪ http://www.seguridadwireless.net/wpamagickey.php
48
Tools for cracking WPA-PSK CoWPAtty
In its fourth version cracks WPA2 There are "rainbow tables" of the most
common challenges (English) for common ESSIDs (linksys, tsunami, comcomcom, etc..)
wpa_crack Proof of concept
SpoonWpa GUI assistant
wpacracker.com Cracking WPA using cloud computing (17 US$)
49
WPA Cracking Workflow
WPA_XXXX / JAZZTEL_XXXX? http://www.seguridadwireless.net/wpamagick
ey1.php http://www.seguridadwireless.net/wpamagick
ey.php Test default passphrase “12345670”
WPA-PSK?1. Obtain the ESSID2. Obtain authentication:
De authenticate: aireplay-ng -0
3. Pre-computed tables for that ESSID Crack: aircrack-ng, cowpatty
50
WPA Cracking Workflow
4. Without tables for that ESSID Generate tables: genpmk (in parallel if
possible) Goto 3
51
WIFISLAX!!!
Other Tools
52
Wifislax 4.0
WIFISLAX 4.0 LiveCD Linux Wifi Audit Tools http://www.wifislax.com/wifislax-4-0-el-re
greso
53
Setting up a secure Wi-Fi network
54
AP Safe Setup
WPA2 encryption with strong and not predictable password
Disable beacon frames Set MAC filteringDisable DHCP Setup different IP range set than the
default (192.168.1.X)Limit the number of clients that
can be connected
55
Configuration with RADIUS server
Implementation in Microsoft Windows Client: Windows XP SP2+ / Vista / 7 Authenticator: AP hardware (WRT54g) RADIUS server: Microsoft Internet
Authentication Server (IAS) / FreeRADIUS.net
56
Configuration with RADIUS server
Implementation in GNU/Linux Client▪ wpa_supplicant▪ Xsupplicant▪ wireless-tools: iwconfig + iwpriv
Authenticator: hostapd (service of HostAP)
RADIUS server: FreeRADIUS, OpenRADIUS, Radiator, etc.
57
Captive portals
58
Captive portals
Client validation system for wireless nodes
Depending on the user type, it assigns bandwidth and gives access to different services
Usually based on temporal "tokens" managed by HTTP-SSL (443/TCP)
59
Captive portals
60
Captive portals
Authentication process
61
Images
http://www.flickr.com/photos/87546268@N00/76197417/ (AP)http://www.flickr.com/photos/13522901@N00/5182549507/
http://www.flickr.com/photos/laughingsquid/176520387http://www.flickr.com/photos/pittpics/504774599http://www.flickr.com/photos/hatemaster/2197840114http://www.flickr.com/photos/rayj1839/4940079038http://www.flickr.com/photos/atelier_tee/5551668917http://www.flickr.com/photos/meredithfarmer/318077155
http://www.flickr.com/photos/87793853@N00/2078979917/