Hacking 802.11 Wireless

Prabhaker Mateti, Wright State University

PowerPoint presentation

Transcript of Hacking 802.11 Wireless

  • Hacking 802.11 Wireless. Prabhaker Mateti, Wright State University

  • Talk Outline
    Wireless LAN Overview
    Wireless Network Sniffing
    Wireless Spoofing
    Wireless Network Probing
    AP Weaknesses
    Denial of Service
    Man-in-the-Middle Attacks
    War Driving
    Wireless Security Best Practices
    Conclusion

  • Ack: There is nothing new in this talk. It is an overview of what has been known for a couple of years. Several figures are borrowed from many sources on the www; apologies that I lost track of the original sources.

  • Wireless LAN Overview

  • OSI Model
    Application, Presentation, Session, Transport, Network: unchanged above the LAN
    Data Link: 802.11 MAC header
    Physical: 802.11b PHY, 802.11 PLCP header

  • Network Layers

  • IEEE 802.11
    Published in June 1997
    2.4 GHz operating frequency
    1 to 2 Mbps throughput
    Can choose between frequency hopping or direct sequence spread spectrum modulation

  • IEEE 802.11b
    1999
    Data rate: 11 Mbps; reality: 5 to 7 Mbps
    2.4 GHz band; only 3 non-overlapping channels, shared with cordless phones, microwave ovens, and many Bluetooth products
    Only direct sequence modulation is specified
    Most widely deployed today

  • Channels

  • Physical Layer

  • The Unlicensed Radio Frequency Spectrum: 5.15-5.35 GHz and 5.725-5.825 GHz (IEEE 802.11a, HiperLAN/2)

  • Channel Plan 802.11/11b/11g

    Channel spacing 5 MHz; the non-overlapping channels 1, 6 and 11 are centered at 2.412, 2.437 and 2.462 GHz

  • IEEE 802.11a
    Data rate: 54 Mbps; reality: 25 to 27 Mbps
    5 GHz band; runs on 12 channels
    Not backward compatible with 802.11b
    Uses Orthogonal Frequency Division Multiplexing (OFDM)

  • IEEE 802.11g
    An extension to 802.11b
    Data rate: 54 Mbps in the 2.4 GHz band

  • IEEE 802.1X
    General-purpose port-based network access control mechanism for 802 technologies
    Authentication runs between the supplicant (the user or the station) and the authentication server, relayed by the AP; whether it is mutual depends on the EAP method (EAP-TLS authenticates both sides, EAP-MD5 only the supplicant)
    supplicant: entity that needs to be authenticated before LAN access is permitted (e.g., the station)
    authenticator: entity that enforces the authentication (e.g., the AP)
    authentication server: entity that provides the authentication service to the authenticator (usually a RADIUS server)

  • IEEE 802.1X
    Extensible Authentication Protocol (EAP)
    Can provide dynamic encryption key exchange, eliminating some of the issues with WEP's static shared keys
    Roaming is transparent to the end user
    Microsoft includes support in Windows XP

  • 802.1x Architecture

  • IEEE 802.11i (the security amendment; 802.11e, often confused with it, covers QoS)
    Under development at the time of this talk
    Working to fix the security issues of WEP
    Extensions to the MAC layer, longer keys, and key management systems
    Adds 128-bit AES encryption (CCMP)

  • Stations and Access Points

  • 802.11 Terminology: Station (STA)
    Device that contains an IEEE 802.11 conformant MAC and PHY interface to the wireless medium, but does not provide access to a distribution system
    Most often end-stations in terminals (workstations, laptops, etc.)
    Typically implemented in a PC Card

  • Station Architecture

    Ethernet-like driver interface; supports virtually all protocol stacks

    Frame translation according to IEEE Std 802.1H: Ethernet types 8137 (Novell IPX) and 80F3 (AARP) are encapsulated via the Bridge Tunnel encapsulation scheme; IEEE 802.3 frames are translated to 802.11; all other Ethernet types are encapsulated via the RFC 1042 (Standard for the Transmission of IP Datagrams over IEEE 802 Networks) encapsulation scheme. Maximum data limited to 1500 octets.

    Transparent bridging to Ethernet
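The translation rules above, carried out in code. This is an added example, not code from the talk: a pure-Python Ethernet-to-802.11 translator that applies the 802.1H bridge-tunnel list for IPX and AARP, the RFC 1042 SNAP header for every other Ethernet type, passes 802.3 length-field frames through unchanged, and fills the three 802.11 addresses according to the To DS / From DS bit. The BSSID, station and gateway addresses and the two sample frames are constructed for the example.

```python
import struct

# IEEE 802.1H bridge-tunnel list: these Ethernet types get OUI 00-00-F8,
# everything else gets the RFC 1042 SNAP header with OUI 00-00-00.
ETHERTYPE_IPX, ETHERTYPE_AARP = 0x8137, 0x80F3
BRIDGE_TUNNEL_TYPES = {ETHERTYPE_IPX, ETHERTYPE_AARP}
SNAP_RFC1042 = b"\xaa\xaa\x03\x00\x00\x00"
SNAP_BRIDGE_TUNNEL = b"\xaa\xaa\x03\x00\x00\xf8"
MAX_DATA = 1500        # maximum Ethernet payload the translation accepts
FC_DATA = 2 << 2       # frame control: type = data, subtype 0
TO_DS, FROM_DS = 0x0100, 0x0200


def translate_to_80211(eth_frame, bssid, to_ds=True):
    """Ethernet II / 802.3 frame -> 802.11 data frame (no FCS).

    Station -> AP (To DS): addr1 = BSSID, addr2 = SA, addr3 = DA.
    AP -> station (From DS): addr1 = DA, addr2 = BSSID, addr3 = SA.
    """
    da, sa = eth_frame[0:6], eth_frame[6:12]
    type_or_len = struct.unpack_from("!H", eth_frame, 12)[0]
    payload = eth_frame[14:]
    if len(payload) > MAX_DATA:
        raise ValueError("Ethernet payload exceeds 1500 octets")
    if type_or_len <= MAX_DATA:
        # IEEE 802.3 length field: payload already carries its own LLC header
        body = payload[:type_or_len]
    elif type_or_len in BRIDGE_TUNNEL_TYPES:
        body = SNAP_BRIDGE_TUNNEL + struct.pack("!H", type_or_len) + payload
    else:
        body = SNAP_RFC1042 + struct.pack("!H", type_or_len) + payload
    fc = FC_DATA | (TO_DS if to_ds else FROM_DS)
    a1, a2, a3 = (bssid, sa, da) if to_ds else (da, bssid, sa)
    return struct.pack("<HH", fc, 0) + a1 + a2 + a3 + b"\x00\x00" + body


def translate_to_ethernet(wlan_frame):
    """Inverse: drop the 802.11 header and SNAP, rebuild the Ethernet frame."""
    fc = struct.unpack_from("<H", wlan_frame)[0]
    a1, a2, a3 = wlan_frame[4:10], wlan_frame[10:16], wlan_frame[16:22]
    da, sa = (a3, a2) if fc & TO_DS else (a1, a3)
    body = wlan_frame[24:]
    if body[:6] in (SNAP_RFC1042, SNAP_BRIDGE_TUNNEL):
        return da + sa + body[6:8] + body[8:]          # Ethernet II
    return da + sa + struct.pack("!H", len(body)) + body   # 802.3 length form


# Constructed sample frames (assumed addresses, not from the talk).
BSSID = bytes.fromhex("00112233aabb")
STA = bytes.fromhex("00aabbccdd01")
GW = bytes.fromhex("00deadbeef00")
ETH_IP = GW + STA + struct.pack("!H", 0x0800) + b"\x45\x00\x00\x14" + b"\x00" * 16
ETH_IPX = GW + STA + struct.pack("!H", ETHERTYPE_IPX) + b"\xff\xff\x00\x1e" + b"\x00" * 26

if __name__ == "__main__":
    w = translate_to_80211(ETH_IP, BSSID)
    print("SNAP header:", w[24:30].hex(), "ethertype:", w[30:32].hex())
    print("round trip ok:", translate_to_ethernet(w) == ETH_IP)
```

The security point to notice is the one the sniffing section makes later: the SNAP header (AA AA 03 00 00 00 08 00 for IP) is the same in every frame, which gives an eavesdropper eight bytes of known plaintext at the start of every WEP-encrypted body.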

  • Terminology: Access Point (AP)
    A transceiver that serves as the center point of a stand-alone wireless network or as the connection point between wireless and wired networks
    Device that contains an IEEE 802.11 conformant MAC and PHY interface to the wireless medium and provides access to a Distribution System for associated stations (i.e., an AP is also a STA)
    Most often infrastructure products that connect to wired backbones
    Implemented in a box containing a STA PC Card

  • Access Point (AP) Architecture
    Stations select an AP and associate with it
    APs support roaming, power management, and time synchronization functions (beaconing)
    Traffic typically flows through the AP

  • Basic Configuration

  • Infrastructure and Ad Hoc Modes

  • Terminology: Basic Service Set (BSS)
    A set of stations controlled by a single Coordination Function (the logical function that determines when a station can transmit or receive)
    Similar to a cell in pre-IEEE terminology
    A BSS may or may not have an AP

  • Basic Service Set (BSS)

  • Terminology: Distribution System (DS)
    A system to interconnect a set of BSSs
    Integrated: a single AP in a standalone network
    Wired: using cable to interconnect the APs
    Wireless: using wireless to interconnect the APs

  • Terminology: Independent Basic Service Set (IBSS)
    A BSS forming a self-contained network in which no access to a Distribution System is available; a BSS without an AP
    One of the stations in the IBSS can be configured to initiate the network and assume the Coordination Function
    Diameter of the cell is determined by the coverage distance between two wireless stations

  • Independent Basic Service Set (IBSS)

  • Terminology: Extended Service Set (ESS)
    A set of one or more BSSs interconnected by a Distribution System (DS)
    Traffic always flows via the AP
    Diameter of a cell is double the coverage distance between two wireless stations, since each hop goes through the AP

  • ESS: single BSS (with integrated DS)

  • ESS: with wired DS

  • ESS: with wireless DS

  • Terminology: Service Set Identifier (SSID)
    Network name, up to 32 octets long
    One network (ESS or IBSS) has one SSID
    E.g., WSU Wireless; defaults: 101 for 3Com and tsunami for Cisco

  • Terminology: Basic Service Set Identifier (BSSID)
    Cell identifier; one BSS has one BSSID
    Exactly 6 octets long
    BSSID = MAC address of the AP (in an IBSS, which has no AP, it is a randomly generated locally administered address)

  • 802.11 Communication
    CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) instead of Collision Detection
    A WLAN adapter cannot send and receive traffic at the same time on the same channel
    Hidden Node Problem
    Four-Way Handshake (RTS/CTS/DATA/ACK)

  • Hidden Node Problem

  • Four-Way Handshake
    Source -> Destination: RTS (Request to Send)
    Destination -> Source: CTS (Clear to Send)
    Source -> Destination: DATA
    Destination -> Source: ACK

  • Infrastructure operation modes
    Root Mode
    Repeater Mode

  • Frames

  • Ethernet Packet Structure (graphic source: Network Computing Magazine, August 7, 2000)
    14-byte header, 2 addresses

  • 802.11 Packet Structure (graphic source: Network Computing Magazine, August 7, 2000)
    30-byte header, 4 addresses

  • Ethernet Physical Layer Packet Structure (graphic source: Network Computing Magazine, August 7, 2000)
    8-byte header (preamble)

  • 802.11 Physical Layer Packet Structure (graphic source: Network Computing Magazine, August 7, 2000)
    24-byte header (PLCP, Physical Layer Convergence Protocol)
    Always transferred at 1 Mbps

  • Frame Formats
    MAC header format differs per type:
    Control frames (several fields are omitted)
    Management frames
    Data frames

  • Address Field Description
    Addr. 1 = Receiver address; all stations filter on this address
    Addr. 2 = Transmitter Address (TA); identifies the transmitter, to which the ACK frame is addressed
    Addr. 3 = dependent on the To DS and From DS bits
    Addr. 4 = only needed to identify the original source of WDS (Wireless Distribution System) frames

  • Type field descriptions
    Type and subtype identify the function of the frame:
    Type=00 Management frame: Beacon, (Re)Association, Probe, (De)Authentication, Power Management
    Type=01 Control frame: RTS/CTS, ACK
    Type=10 Data frame

  • Management Frames
    Beacon: Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, parameters, Traffic Indication Map (TIM)
    Probe Request: SSID, Capabilities, Supported Rates
    Probe Response: Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, parameters (same as Beacon except for the TIM)

  • Management Frames (contd)
    Association Request: Capability, Listen Interval, SSID, Supported Rates
    Association Response: Capability, Status Code, Association ID (AID), Supported Rates
    Reassociation Request: Capability, Listen Interval, SSID, Supported Rates, Current AP Address
    Reassociation Response: Capability, Status Code, Association ID (AID), Supported Rates

  • Management Frames (contd)
    Disassociation: Reason code
    Authentication: Algorithm, Sequence, Status, Challenge Text
    Deauthentication: Reason code

  • Synchronization
    Necessary for keeping frequency hopping synchronized, and for other functions like power saving
    The AP periodically transmits a special type of frame called the Beacon frame
    The MS (mobile station) uses the info in Beacon frames to synchronize to the AP

  • Control Frame Format

  • Authentication

  • Authentication
    Controls access to the infrastructure via an authentication exchange
    The station first needs to be authenticated by the AP in order to join the AP's network
    Stations identify themselves to other stations (or APs) prior to data traffic or association
    802.11 defines two authentication subtypes: Open System and Shared Key

  • Open System authentication

    A sends an authentication request to B; B sends the result back to A. No credential is checked.

  • Shared Key Authentication
    Uses WEP keys: B sends a challenge text, A returns it WEP-encrypted
    Caveat: a sniffer sees both the plaintext challenge and its ciphertext, which yields the RC4 keystream for that IV, so shared key authentication leaks more than open system does

  • Access Point Discovery
    Beacons are sent out about 10 times a second and advertise capabilities
    The station queries access points and requests features (probe request); access points respond with supported features (probe response)
    Authentication is just a formality with open system; may involve more frames
    These features are used by war-driving software

    Probe request -> Probe response; Authentication request -> Authentication response; Association request -> Association response

  • Association

  • Association
    Next step after authentication
    Association enables data transfer between the MS and the AP
    The MS sends an association request frame to the AP, which replies to the client with an association response frame either allowing or disallowing the association

  • Association
    To establish a relationship with an AP
    Stations scan the frequency band and select the AP with the best communications quality
    Active scan: sending a Probe Request on specific channels and assessing the responses
    Passive scan: assessing communications quality from beacon messages
    The AP maintains a list of associated stations in MAC firmware and records each station's capability (data rate) to allow inter-BSS relay
    The station's MAC address is also maintained in the bridge learn table, associated with the port it is located on

  • Association + Authentication

    State 1: Unauthenticated, Unassociated
    State 2: Authenticated, Unassociated
    State 3: Authenticated, Associated
    Transitions: successful authentication (1 -> 2); successful association or reassociation (2 -> 3); disassociation (3 -> 2); deauthentication (3 -> 1 or 2 -> 1)

  • Starting an ESS
    The infrastructure network is identified by its ESSID
    All Access Points will have been set to this ESSID
    Wireless stations will be configured to set their desired SSID to the value of the ESSID
    On power up, stations issue Probe Requests and locate the AP that they will associate with: the best Access Point with matching ESSID, or the best Access Point of any network if the SSID has been set to ANY

  • Starting an IBSS
    A station configured for IBSS operation will look for Beacons that contain a network name (SSID) matching the one configured
    When Beacons with a matching network name are received and are issued by an AP, the station will associate to the AP
    When Beacons with a matching network name are received and are issued by another station in IBSS mode, the station will join this IBSS
    When no Beacons are received with a matching network name, the station will issue Beacons itself
    All stations in an IBSS network participate in sending Beacons: all start a random timer before the next Beacon is due, and the first station whose timer expires sends it

  • Inter-Frame Spacing
    Inter-frame spacing is required for MAC protocol traffic
    SIFS = Short interframe space; PIFS = PCF interframe space; DIFS = DCF interframe space
    Back-off timer expressed in terms of number of time slots

  • Data Frames and their ACK
    Acknowledgments are to arrive within the SIFS
    The DCF interframe space is observed before the medium is considered free for use

  • Traffic flow - Inter-BSS (STA-1 and STA-2 in BSS-A; frames relayed through the AP)

  • Traffic flow - ESS operation (STA-1 in BSS-A to STA-2 in BSS-B via the wired backbone)

  • Traffic flow - WDS operation (BSS-A and BSS-B bridged over a wireless backbone by two WDS relays, each AP keeping an association table)

  • Wireless Network Sniffing

  • Network Sniffing
    Sniffing is a reconnaissance technique: eavesdropping on the network
    A sniffer is a program that intercepts and decodes network traffic broadcast through a medium
    Sniffing is the act by a machine S of making copies of a network packet sent by machine A intended to be received by machine B
    Sniffing is not a TCP/IP problem; it is enabled by the media, Ethernet and 802.11, at the physical and data link layers

  • Wireless Network Sniffing
    An attacker can passively scan without transmitting at all
    A passive scanner instructs the wireless card to listen to each channel for a few messages
    RF monitor mode of a wireless card allows every frame appearing on a channel to be copied as the radio of the station tunes to various channels; analogous to a wired Ethernet card in promiscuous mode
    A station in monitor mode can capture packets without associating with an AP or ad hoc network
    Many wireless cards permit RFMON mode

  • Passive Scanning
    A corporate network can be accessed from outside a building by an eavesdropper using readily available technology

  • Passive Scanning
    Wireless LAN sniffers can be used to gather information about the wireless network from a distance with a directional antenna
    These applications are capable of gathering passwords from HTTP sites and telnet sessions sent in plain text
    These attacks do not leave any trace of the hacker's presence on the network

  • Passive Scanning
    Scanning is a reconnaissance technique
    Detection of SSID
    Collecting the MAC addresses
    Collecting the frames for cracking WEP

  • A Basic Attack: behind the scenes of a completely passive wireless pre-attack session

  • Installing Kismet
    Setting up Kismet is fairly straightforward; search for Kismet or see http://www.kismetwireless.net/

  • Starting Kismet
    The mysqld service is started
    The gpsd service is started on serial port 1
    The wireless card is placed into monitor mode
    kismet is launched

  • Detection
    Kismet picks up some wireless jabber! To take a closer look at the traffic, disengage autofit mode by pressing s, then s again, to sort by SSID

    Columns shown per network: WEP (yes or no), packet count (4 TCP packets), IPs detected, type, signal strength

  • Network Details
    Network details for the 0.0.0.0 address are viewed by pressing the i key

  • Network Details
    Network details for the 169.254.187.86 address are viewed by pressing the i key

  • More network details
    More network details for the 169.254.187.86 address are viewed by pressing the i key, then scrolling down to view more information

  • Traffic dump
    A dump of printable traffic can be had by pressing the d key. \MAILSLOTS? Could this be a postal office computer?

    (that is a joke. feel free to laugh at this point. thank you.)

  • Packet list
    A list of packet types can be viewed by selecting a wireless point and pressing p

  • gpsmap
    A gpsmap is printed of the area using

    # gpsmap -S2 -s10 -r gpsfile

  • ethereal - beacon
    The *.dump files Kismet generates can be opened with tcpdump or ethereal as shown here. This is an 802.11 beacon frame.

  • ethereal - probe request
    ... an 802.11 Probe Request from the same machine

  • ethereal - registration
    oooh... a NetBIOS registration packet for MSHOME...

  • ethereal - registration
    ... another registration packet, this time from LAP10...

  • ethereal - DHCP request
    ... a DHCP request... it would be interesting to spoof a response to this...

  • ethereal - browser request
    ... a NetBIOS browser request...

  • ethereal - browser announce
    ... an SMB host announcement... revealing an OS major version of 5 and an OS minor version of 1: we have a Windows XP client laptop searching for an access point
    This particular target ends up being nothing more than a lone client crying out for a wireless server to connect to. Spoofing management frames to this client would most likely prove pointless...

  • Passive Scanning
    This simple example demonstrates the ability to monitor even client machines that are not actively connected to a wireless access point
    In a more chatty environment, much more is possible
    All of this information was captured passively: Kismet did not send a single packet on the airwaves
    This type of monitoring cannot be detected, but preventive measures can be taken

  • Detection of SSID
    The SSID occurs in the following frame types: beacon, probe requests, probe responses, association requests, and reassociation requests
    Management frames are always in the clear, even when WEP is enabled
    Merely collect a few frames and note the SSID
    What if beacons are turned off? Or the SSID is hidden?

  • When the Beacon displays a null SSID
    Patiently wait; recall that management frames are in the clear
    Wait for an association request: the (re)association request contains the SSID (the response does not; it carries only the status code and AID)
    Wait for a probe request: the probe response contains the SSID

  • Beacon transmission is disabled...
    Wait for a voluntary association request to appear, or
    Actively probe by injecting spoofed frames, and then sniff the response
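The passive SSID recovery described on the last three slides, together with the address-field mapping from the frame format slides, as an added example (not code from the talk or from Kismet). It is a pure-Python 802.11 header and management-frame parser that maps addresses 1-4 to DA/SA/BSSID from the To DS / From DS bits, walks the tagged parameters of beacons, probe responses and (re)association requests, treats a zero-length or all-zero SSID element as hidden, and fills a hidden name in from a later frame of the same BSSID. The addresses, the network name and the capture are constructed for the example; frames are assumed to have the FCS already stripped.

```python
import struct

TYPE_MGMT = 0
SUBTYPE_ASSOC_REQ, SUBTYPE_REASSOC_REQ = 0, 2
SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 4, 5, 8
# Length of the fixed fields that precede the tagged parameters in each body.
FIXED_LEN = {SUBTYPE_ASSOC_REQ: 4, SUBTYPE_REASSOC_REQ: 10, SUBTYPE_PROBE_REQ: 0,
             SUBTYPE_PROBE_RESP: 12, SUBTYPE_BEACON: 12}
TAG_SSID = 0


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_header(frame):
    """Decode frame control and map the address fields to DA/SA/BSSID.

    Address 1 is always the receiver and address 2 the transmitter; what
    addresses 3 and 4 mean depends on the To DS / From DS bits.
    """
    fc = struct.unpack_from("<H", frame)[0]
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len, a4 = 24, None
    if to_ds and from_ds:                 # WDS frame carries a fourth address
        a4, hdr_len = frame[24:30], 30
    if not to_ds and not from_ds:
        da, sa, bssid = a1, a2, a3
    elif to_ds and not from_ds:
        bssid, sa, da = a1, a2, a3
    elif from_ds and not to_ds:
        da, bssid, sa = a1, a2, a3
    else:
        da, sa, bssid = a3, a4, None
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "to_ds": to_ds, "from_ds": from_ds,
            "ra": mac(a1), "ta": mac(a2), "da": mac(da), "sa": mac(sa),
            "bssid": mac(bssid) if bssid else None, "hdr_len": hdr_len}


def parse_ies(body):
    """Split tagged parameters (1-byte ID, 1-byte length, value) into a dict."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies


def extract_ssid(frame):
    """SSID carried by a management frame, or None if absent or hidden.

    A zero-length or all-zero SSID element in a beacon means the AP hides its
    name; probe responses and (re)association requests still carry it.
    """
    h = parse_header(frame)
    if h["type"] != TYPE_MGMT or h["subtype"] not in FIXED_LEN:
        return None
    body = frame[h["hdr_len"] + FIXED_LEN[h["subtype"]]:]
    ssid = parse_ies(body).get(TAG_SSID)
    if not ssid or not ssid.strip(b"\x00"):
        return None
    return ssid.decode("utf-8", "replace")


def track_networks(frames):
    """Passive SSID discovery: BSSID -> SSID, with hidden names filled in from
    later probe responses or association requests for the same BSSID."""
    seen = {}
    for f in frames:
        h = parse_header(f)
        if h["type"] != TYPE_MGMT or h["subtype"] not in FIXED_LEN:
            continue
        if seen.get(h["bssid"]) is None:
            seen[h["bssid"]] = extract_ssid(f)
    return seen


def build_mgmt(subtype, ra, ta, bssid, fixed, ies):
    """Management frame (no FCS) for the constructed sample capture below."""
    fc = (TYPE_MGMT << 2) | (subtype << 4)
    body = b"".join(bytes([tag, len(v)]) + v for tag, v in ies)
    return struct.pack("<HH", fc, 0) + ra + ta + bssid + b"\x00\x00" + fixed + body


# Constructed capture (assumed addresses and name, not from the talk): a
# hidden-SSID beacon, a probe response that reveals the name, an association
# request that repeats it, and a data frame from the AP to the station.
AP, STA, BCAST = bytes.fromhex("00112233aabb"), bytes.fromhex("00aabbccdd01"), b"\xff" * 6
BEACON_FIXED = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)   # timestamp, interval, capability
RATES = (1, b"\x82\x84\x8b\x96")
SAMPLE = [
    build_mgmt(SUBTYPE_BEACON, BCAST, AP, AP, BEACON_FIXED, [(TAG_SSID, b""), RATES]),
    build_mgmt(SUBTYPE_PROBE_RESP, STA, AP, AP, BEACON_FIXED, [(TAG_SSID, b"WSU Wireless"), RATES]),
    build_mgmt(SUBTYPE_ASSOC_REQ, AP, STA, AP, struct.pack("<HH", 0x0411, 10), [(TAG_SSID, b"WSU Wireless"), RATES]),
]
FROM_DS_DATA = struct.pack("<HH", (2 << 2) | 0x0200, 0) + STA + AP + bytes.fromhex("00deadbeef00") + b"\x00\x00"

if __name__ == "__main__":
    print(track_networks(SAMPLE))   # {'00:11:22:33:aa:bb': 'WSU Wireless'}
    print(parse_header(FROM_DS_DATA))
```

Nothing here transmits: the same loop run over a Kismet dump or a monitor-mode capture recovers the hidden name as soon as any client probes or associates, which is why hiding the SSID is not an access control.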

  • Collecting the MAC Addresses
    The attacker gathers legitimate MAC addresses for use later in spoofed frames
    The source and destination MAC addresses are always in the clear in all frames; the attacker sniffs these legitimate addresses

  • Collecting frames for cracking WEP
    Systematic procedures exist for cracking WEP
    Need to collect a large number (hundreds of thousands to millions) of frames
    Collection may take hours to days; cracking takes a few seconds to a couple of hours

  • Cracking WEP

  • Wired Equivalent Privacy (WEP)
    Designed to be computationally efficient, self-synchronizing, and exportable
    All users of a given AP share the same encryption key
    Data headers remain unencrypted, so anyone can see the source and destination of the data stream

  • Initialization Vector (IV)
    Over a period, the same plaintext packet should not generate the same ciphertext packet
    The IV changes per packet; it is chosen by the sending device on the fly (random or sequential, depending on the implementation) and is sent in the clear
    24 bits long
    64-bit encryption: 24-bit IV + 40-bit WEP key
    128-bit encryption: 24-bit IV + 104-bit WEP key

  • WEP Encryption
    WEP encryption key: a shared 40- or 104-bit number
    WEP keys are used for authentication and encryption of data
    A 32-bit integrity check value (ICV), a CRC-32, is calculated over the frame data and appended to the end of the frame data
    The 24-bit IV is prepended to the WEP key; the combination [IV + WEP key] is the seed of the RC4 pseudo-random number generator (PRNG), which generates a bit sequence the same size as [data + ICV]
    The PRNG bit sequence is bit-wise XORed with [data + ICV] to produce the encrypted portion of the payload sent between the AP and the wireless client
    The IV (plus a key ID byte) is added to the front of the encrypted [data + ICV], which becomes the payload of the MAC frame: IV + encrypted [data + ICV]

  • Decryption
    The IV is obtained from the front of the MAC payload
    The IV is concatenated with the WEP encryption key, and the result is fed to the same PRNG to generate a bit sequence the same size as [data + ICV]; it is the same bit sequence the sender used
    The PRNG bit sequence is XORed with the encrypted [data + ICV] to recover [data + ICV]
    The ICV is recalculated over the data and compared with the value in the frame; if they match, the frame is accepted as unmodified in transit (a CRC detects random errors but, being linear, not deliberate changes)
    The WEP key remains constant over a long duration; only the IV changes from packet to packet

  • WEP Protocol

  • WEP: Wired Equivalent Privacy

  • What is an IV?
    IV is short for Initialization Vector; 24 bits long
    64-bit encryption: 24-bit IV + 40-bit WEP key
    128-bit encryption: 24-bit IV + 104-bit WEP key
    Frame body layout: Initialization Vector (24 bits) + Pad (6 bits) + Key ID (2 bits) = 4 octets, in the clear; MSDU (0-2304 octets) and ICV (4 octets), encrypted

  • What is a Weak IV?
    In RC4 the Key Scheduling Algorithm (KSA) initializes the cipher state from the key, which in WEP is the IV concatenated with the base key
    Because the IV is sent in the clear, certain IVs (weak IVs) leave the KSA in a state where the first keystream byte gives away information about the key bytes they were combined with
    An attacker collects enough frames with weak IVs to reveal the bytes of the base key one at a time

  • WEP problem discovery timeline
    In October 2000, Jesse Walker was one of the first to identify several of the problems within WEP ("Unsafe at any key size")
    In February 2001 the UC Berkeley group (Borisov, Goldberg, and Wagner) described keystream reuse, bit-flipping, and dictionary attacks against WEP
    In August 2001 three researchers (Fluhrer, Mantin, and Shamir) found a flaw in the RC4 key setup algorithm which results in total recovery of the secret key
    In June 2001 Tim Newsham found a problem in the algorithm that some vendors used to automatically generate WEP keys from passphrases; he also built code to perform dictionary attacks against WEP-intercepted traffic

  • WEP Attacks
    Four types of attacks (from the UC Berkeley study):
    Passive attacks to decrypt traffic based on statistical analysis
    Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext
    Active attacks to decrypt traffic, based on tricking the access point
    Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic

    The time required to gather enough wireless traffic depends heavily on the network saturation of the target access point

  • Drawbacks of the WEP Protocol
    The determination and distribution of WEP keys are not defined
    There is no defined mechanism to change the WEP key either per authentication or periodically for an authenticated connection
    No mechanism for central authentication, authorization, and accounting
    No per-frame authentication mechanism to identify the frame source
    No per-user identification and authentication

  • Fluhrer Paper / AirSnort Utility
    Key recovery is possible through statistical analysis of known plaintext (the constant SNAP header at the start of every frame) under weak IVs
    Leverages a large class of weak IVs that RC4's key setup handles badly
    Passive attack, but can be more effective if coupled with an active attack that stimulates traffic
    Two major implementations: AirSnort, and the AT&T/Rice University tests (not released)

  • UC Berkeley Study
    Bit flipping: bits are flipped in WEP-encrypted frames, and the CRC-32 ICV is patched without the key, since CRC-32 is linear
    Replay: bit-flipped frames with known IVs are resent
    The AP accepts the frame since the CRC-32 is correct; the layer 3 device rejects it and sends a predictable response
    A database of responses is built and used to derive the keystream for those IVs

  • UC Berkeley Study: predicted plaintext
    Plaintext data is XORed with the WEP keystream to produce the encrypted ciphertext (e.g. plaintext "Cisco1234XXYYZZ" -> ciphertext)
    If the ciphertext is XORed with guessed plaintext, the keystream can be derived

  • UC Berkeley Study: bit-flipped frame sent
    The attacker anticipates the response from the upper layer device and attempts to derive the keystream
    The frame passes the ICV check and is forwarded to the destination MAC
    The upper layer protocol fails its own checksum and sends a predictable error message to the source MAC
    The AP WEP-encrypts the response and forwards it to the source MAC, giving the attacker known plaintext under a fresh IV
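The WEP encryption and decryption steps from the slides above, and the two Berkeley attacks on them (keystream recovery from known plaintext under a reused IV, and bit flipping with a patched ICV), as one added example. It is not code from the talk or from the Berkeley paper: a pure-Python RC4, the WEP frame body format (IV, key ID byte, encrypted data and CRC-32 ICV), and the two attacks run against a constructed key, IV and payloads. The key "Cisco", the IV and the messages are assumptions chosen to match the slides' figures.

```python
import struct
import zlib


def rc4(key, length):
    """RC4 keystream of `length` bytes: key scheduling (KSA) then PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: CRC-32 of the plaintext data."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key, iv, data, key_id=0):
    """IV(3) | pad+key-id(1) | RC4(IV||key) XOR (data || ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)
    plain = data + icv(data)
    return iv + bytes([key_id & 0x3]) + xor(plain, rc4(iv + key, len(plain)))


def wep_decrypt(key, payload):
    """Return (data, icv_ok) for a WEP-encrypted frame body."""
    iv, body = payload[:3], payload[4:]
    plain = xor(body, rc4(iv + key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    return data, tag == icv(data)


def flip_bits(payload, delta):
    """Berkeley bit flipping: XOR `delta` into the encrypted data and patch the
    encrypted ICV so the CRC still verifies. Works because CRC-32 is linear:
    crc(a ^ d) == crc(a) ^ crc(d) ^ crc(0...0), so the ICV change depends only
    on `delta`, not on the unknown plaintext or key."""
    iv_hdr, body = payload[:4], payload[4:]
    n = len(body) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole data field")
    delta_icv = xor(icv(delta), icv(bytes(n)))
    return iv_hdr + xor(body, delta + delta_icv)


def recover_keystream(payload, known_plain):
    """Keystream for this frame's IV from known plaintext (e.g. a predictable
    error response). Any other frame sent under the same IV and key can then
    be decrypted by XOR, without ever learning the key."""
    return xor(payload[4:], known_plain + icv(known_plain))


# Constructed sample values (assumed, not from the talk).
KEY = b"Cisco"                          # 40-bit key typed as 5 ASCII characters
IV = b"\x01\x02\x03"
DATA = b"PAY 100 TO BOB"
DATA2 = b"PAY 999 TO ANN"               # second frame reusing the same IV
DELTA = xor(DATA, b"PAY 100 TO EVE")    # bits to flip: BOB -> EVE


def demo():
    enc = wep_encrypt(KEY, IV, DATA)
    tampered = flip_bits(enc, DELTA)           # no key needed
    ks = recover_keystream(enc, DATA)          # attacker knows DATA
    enc2 = wep_encrypt(KEY, IV, DATA2)
    leaked = xor(enc2[4:], ks)[:len(DATA2)]    # IV reuse: decrypt without key
    return wep_decrypt(KEY, tampered), leaked


if __name__ == "__main__":
    print(demo())   # ((b'PAY 100 TO EVE', True), b'PAY 999 TO ANN')
```

The tampered frame decrypts to the altered text with the ICV check still passing, which is exactly why the AP forwards it; a keyed MIC such as the one on the next slides is needed to stop this, a CRC cannot.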

  • Message Integrity Check (MIC)
    The MIC protects WEP frames from being tampered with
    The MIC is computed from a seed value, the destination MAC, the source MAC, and the payload
    The MIC is included in the WEP-encrypted payload

  • Message Integrity Check
    The MIC uses a keyed hashing algorithm to stamp the frame
    The MIC is still pre-standard, awaiting 802.11i ratification
    WEP frame without MIC: DA, SA, IV, Data, ICV (Data and ICV WEP-encrypted)
    WEP frame with MIC: DA, SA, IV, Data, SEQ, MIC, ICV (Data, SEQ, MIC and ICV WEP-encrypted)

  • Temporal Key Integrity Protocol (TKIP)
    Base key and IV are hashed together
    The transmit WEP key changes as the IV changes
    Key hashing is still pre-standard, awaiting 802.11i ratification

  • WEP and TKIP Implementations
    WEP today uses an IV and a base key directly; this includes weak IVs, which can be compromised
    TKIP uses the IV and the base key to hash a new key, thus a new key every packet; weak keys are mitigated
    WEP encryption today: IV + Base Key -> RC4 -> Stream Cipher; Plaintext Data XOR Stream Cipher -> Ciphertext Data
    TKIP: IV + Base Key -> Hash -> Packet Key -> RC4 -> Stream Cipher; Plaintext Data XOR Stream Cipher -> Ciphertext Data

  • Wireless Spoofing

  • Wireless Spoofing
    The attacker constructs frames by filling selected fields that contain addresses or identifiers with legitimate-looking but non-existent values, or with legitimate values that belong to others
    The attacker will have collected these legitimate values through sniffing

  • MAC Address Spoofing
    Probing is sniffable by the sysadmins; the attacker wishes to be hidden
    Use the MAC address of a legitimate card
    APs can filter based on MAC addresses

  • IP spoofing
    Replacing the true IP address of the sender (or, in some cases, the destination) with a different address
    Defeats IP address based trust
    IP spoofing is an integral part of many attacks

  • Frame Spoofing
    Frames themselves are not authenticated in 802.11
    Construction of the byte stream that constitutes a spoofed frame is facilitated by libraries
    The difficulty here is not in constructing the contents of the frame, but in getting it radiated (transmitted) by the station or an AP; this requires control over the firmware, or a driver that supports raw frame injection

  • Wireless Network Probing

  • Wireless Network Probing
    Send cleverly constructed packets to a target that trigger useful responses
    This activity is known as probing or active scanning
    The target can discover that it is being probed

  • Active Attacks
    An attacker can connect to an AP and obtain an IP address from the DHCP server
    A business competitor can use this kind of attack to get customer information that is confidential to an organization

  • Detection of SSID
    Beacon transmission is disabled, and the attacker does not wish to wait
    Inject a probe request frame using a spoofed source MAC address
    The probe response frames from the APs will contain, in the clear, the SSID and other information similar to that in the beacon frames

  • Detection of APs and stations
    Certain bits in the frames (the From DS bit in data frames, and management subtypes such as beacon and probe response) identify that the frame is from an AP
    If we assume that WEP is either disabled or cracked, the attacker can also gather the IP addresses of the AP and the stations

  • Detection of Probing
    The frames that an attacker injects can be sniffed by a sysadmin
    GPS-enabled equipment can identify the physical coordinates of a transmitting device

  • AP Weaknesses

  • Poorly Constructed WEP key
    The default WEP keys used are often too trivial
    APs use simple techniques to convert the user's keyboard input into a bit vector: usually 5 or 13 printable ASCII characters are directly mapped by concatenating their 8-bit ASCII codes into a 40-bit or 104-bit WEP key, so such a key has far fewer than 2^40 or 2^104 possibilities
    A stronger 104-bit key can be constructed from 26 hexadecimal digits
    It is possible to form an even stronger 104-bit WEP key by truncating the MD5 hash of an arbitrary-length pass phrase
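The three key-construction methods of this slide, side by side, as an added example (not code from the talk or from any vendor's firmware). It builds 40- and 104-bit keys by direct ASCII mapping, from hex digits, and by truncating MD5 of a pass phrase, and adds the audit check a defender wants: if every byte of a configured key is a printable character, the key was almost certainly typed, and the search space is 95 per byte rather than 256. The MD5 scheme is assumed to be plain MD5 over the UTF-8 pass phrase; the sample keys are constructed.

```python
import hashlib
import math
import string

PRINTABLE = set(string.printable[:-5].encode())   # 95 printable ASCII characters


def key_from_ascii(text):
    """Vendor-style mapping: 5 or 13 typed characters become the key bytes."""
    key = text.encode("ascii")
    if len(key) not in (5, 13):
        raise ValueError("WEP key needs exactly 5 or 13 characters")
    return key


def key_from_hex(digits):
    """10 or 26 hex digits: any byte value is possible, full key space."""
    key = bytes.fromhex(digits)
    if len(key) not in (5, 13):
        raise ValueError("WEP key needs exactly 10 or 26 hex digits")
    return key


def key_from_passphrase_md5(passphrase):
    """104-bit key = first 13 bytes of MD5(passphrase), the scheme the slide
    mentions (assumed here to be plain MD5 of the UTF-8 pass phrase)."""
    return hashlib.md5(passphrase.encode()).digest()[:13]


def effective_bits(key):
    """Work an attacker faces: 95 choices per byte if every byte is printable
    ASCII (the key was typed), otherwise 256 per byte."""
    if all(b in PRINTABLE for b in key):
        return len(key) * math.log2(95)
    return len(key) * 8


def audit(key):
    """Flag configured keys that look typed rather than random."""
    return {"bits": round(effective_bits(key), 1),
            "typed_ascii": all(b in PRINTABLE for b in key)}


if __name__ == "__main__":
    for k in (key_from_ascii("Cisco"), key_from_hex("0a1b2c3d4e"),
              key_from_passphrase_md5("tsunami")):
        print(k.hex(), audit(k))
```

A five-character typed key has about 2^32.8 possibilities instead of 2^40, and a random 13-byte key from MD5 can by chance consist only of printable bytes, in which case the audit over-reports it as typed; the check is a heuristic for finding the weak defaults, not a proof of strength.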

  • Defeating MAC Filtering
    Typical APs permit access only to those stations with known MAC addresses
    Easily defeated by the attacker: he spoofs his frames with a MAC address that is registered with the AP, from among the ones he collected through sniffing
    That a MAC address is registered can be detected by observing the frames from the AP to the stations

  • Rogue AP

  • Rogue Networks
    Rogue AP = an unauthorized access point
    Network users often set up rogue wireless LANs to simplify their lives
    They rarely implement security measures
    The network is vulnerable to war driving and sniffing and you may not even know it

  • Trojan AP
    Corporate back doors
    Corporate espionage

  • Trojan AP Mechanics
    Create a competing wireless network; the AP can be an actual AP or HostAP on Linux
    Create or modify a captive portal behind the AP; redirect users to a splash page
    DoS or theft of user credentials, or worse
    A bold attacker will visit ground zero; a not-so-bold one will drive by with an amplifier

  • Choose your Wi-Fi weapon...
    Normal gear @ 25 mW (14 dBm); Cisco gear @ 100 mW (20 dBm); Senao gear @ 200 mW (23 dBm)
    Use a 15 dB gain antenna with a Senao for 38 dBm EIRP total: about 6 watts vs 25 mW? No contest!

  • Airsnarf
    Nothing special: simplifies HostAP, httpd, dhcpd, Net::DNS, and iptables setup
    Simple example rogue AP

  • Equipment Flaws
    Numerous flaws in equipment from well-known manufacturers; search on www.securityfocus.com for access point vulnerabilities
    Ex 1: by requesting a file named config.img via TFTP, an attacker receives the binary image of the AP configuration. The image includes the administrator's password required by the HTTP user interface, the WEP encryption keys, MAC address, and SSID.
    Ex 2: yet another AP returns the WEP keys, MAC filter list, and administrator's password when sent a UDP packet to port 27155 containing the string gstsearch.

  • Denial of Service

  • Denial of Service
    A system is not providing services to authorized clients because of resource exhaustion by unauthorized clients
    DoS attacks are difficult to prevent, and difficult to stop once on-going
    The victim and its clients may not even detect the attacks; duration may range from milliseconds to hours
    A DoS attack against an individual station enables session hijacking

  • Jamming
    The hacker can use a high-power RF signal generator to interfere with the ongoing wireless connection, making it useless
    Can be stopped only by physically finding the jamming source

  • Flooding with Associations
    The AP inserts the data supplied by the station in the Association Request into a table called the association table
    802.11 specifies a maximum of 2007 concurrent associations to an AP (the Association ID range); the actual size of this table varies among different models of APs
    When this table overflows, the AP refuses further clients
    The attacker authenticates several non-existent stations using legitimate-looking but randomly generated MAC addresses, then sends a flood of spoofed association requests so that the association table overflows
    Enabling MAC filtering in the AP blocks the random addresses, but not a flood sent from sniffed, registered addresses (see Defeating MAC Filtering)

  • Deauth/Disassoc Management frame

  • Forged Disassociation
    The attacker sends a spoofed Disassociation frame with the source MAC address set to that of the AP
    To prevent reassociation, the attacker continues to send Disassociation frames for a desired period

  • Forged Deauthentication
    When an Association Response frame is observed, the attacker sends a spoofed Deauthentication frame with the source MAC address spoofed to that of the AP
    The station is now unassociated and unauthenticated, and needs to reconnect
    To prevent a reconnection, the attacker continues to send Deauthentication frames for a desired period
    Neither MAC filtering nor WEP protection will prevent this attack: management frames are neither encrypted nor authenticated

  • First Stage Deauth Attack: AiroPeek trace of the deauth attack

  • First Stage Deauth Attack: decode of the Deauthentication frame

  • Power Management
    Power-management schemes place a system in sleep mode when no activity occurs
    The MS can be configured to be in Continuous Aware Mode (CAM) or Power Save Polling (PSP) mode

  • Power Saving
    The attacker steals packets destined for a station while the station is in the Doze state
    The 802.11 protocol requires a station to inform the AP, through a successful frame exchange, that it wishes to enter the Doze state from the Active state
    Periodically the station awakens and sends a PS-Poll frame to the AP; the AP transmits in response the packets that were buffered for the station while it was dozing
    This polling frame can be spoofed by an attacker, causing the AP to send the buffered packets and flush its internal buffers
    An attacker can repeat these polling messages so that when the legitimate station periodically awakens and polls, the AP reports that there are no pending packets

  • Man-in-the-Middle Attacks

  • Man-in-the-Middle AttacksAttacker on host X inserts X between all communication between hosts B and C, and neither B nor C is aware of the presence of X. All messages sent by B do reach C but via X, and vice versa. The attacker can merely observe the communication or modify it before sending it out.

  • MITM Via Deauth/Disassoc

    A hacker may use a Trojan AP to hijack mobile nodes by sending a stronger signal than the actual AP is sending to those nodes. The MS then associates with the Trojan AP, sending its data into the wrong hands.

  • MITM Attack

    The attacker takes over connections at layers 1 and 2: the attacker sends Deauthenticate frames; there is a race condition between the attacker and the AP; the attacker associates with the client; the attacker associates with the AP; the attacker is now inserted between client and AP. Example: Monkey-Jack, part of AirJack (http://802.11ninja.net/airjack/).

  • Wireless MITM

    Assume that station B was authenticated with C, a legitimate AP. Attacker X is a laptop with two wireless cards. Through one card, he presents X as an AP. Attacker X sends Deauthentication frames to B using C's MAC address as the source, and the BSSID he has collected. B is deauthenticated and begins a scan for an AP, and may find X on a channel different from C's. There is a race condition between X and C. If B associates with X, the MITM attack has succeeded. X will re-transmit the frames it receives from B to C. These frames will have a spoofed source address of B.

  • The Monkey-Jack Attack: before Monkey-Jack (figure: attacker, victim)

  • The Monkey-Jack Attack: after Monkey-Jack (figure)

  • First Stage: Deauth Attack

    The attack machine uses vulnerabilities to get information about the AP and clients. The attack machine sends Deauthentication frames to the victim using the AP's MAC address as the source.

  • Second Stage: Client Capture

    The victim's 802.11 card scans channels to search for a new AP. The victim's 802.11 card associates with the Trojan AP on the attack machine. The attack machine's fake AP duplicates the MAC address and ESSID of the real AP. The fake AP is on a different channel than the real one.

  • Third Stage: Connect to AP

    The attack machine associates with the real AP using the MAC address of the victim's machine. The attack machine is now inserted and can pass frames through in a manner that is transparent to the upper-level protocols.

  • The Monkey-Jack Attack (figure)

  • Monkey-Jack Detection

    Why do I hear my MAC address as the source address? Is this an attack? Am I being spoofed?

  • Beginning of a MITM IDS Algorithm

  • ARP Poisoning

    ARP poisoning is an attack technique that corrupts the ARP cache that the OS maintains, inserting wrong MAC addresses for some IP addresses. ARP cache poisoning is an old problem in wired networks. ARP poisoning is one of the techniques that enables the man-in-the-middle attack. ARP poisoning on wireless networks can affect wired hosts too.
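    Because ARP has no authentication, the practical defence on a segment is to watch the IP-to-MAC bindings that replies announce and raise an alarm when a binding changes, the way arpwatch does. The following is an added example written for this page (not code from the talk or from arpwatch); the addresses and ARP replies are constructed, and in practice they would come from a packet capture on the wired or wireless segment being protected.

```python
# Added example: arpwatch-style detection of ARP cache poisoning.
# Addresses and replies below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    ts: float
    sender_ip: str     # the IP the reply claims to speak for
    sender_mac: str    # the MAC it binds that IP to
    target_ip: str     # sender_ip == target_ip marks a gratuitous ARP


class ArpWatcher:
    """Keep an IP -> MAC table learned from ARP replies and flag changes.

    `static` seeds the table with bindings the operator knows (default
    gateway, servers), so a poisoned reply for those is caught on first
    sighting instead of being learned as truth."""

    def __init__(self, static: Optional[Dict[str, str]] = None):
        self.table: Dict[str, str] = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.ips_by_mac: Dict[str, Set[str]] = {}
        for ip, mac in self.table.items():
            self.ips_by_mac.setdefault(mac, set()).add(ip)
        self.alerts: List[str] = []

    def observe(self, r: ArpReply) -> None:
        mac = r.sender_mac.lower()
        known = self.table.get(r.sender_ip)
        if known is None:
            self.table[r.sender_ip] = mac              # first sighting: learn it
        elif known != mac:                             # binding flipped: poisoning or a real move
            note = " (gratuitous)" if r.sender_ip == r.target_ip else ""
            self.alerts.append(f"{r.ts:.1f}s {r.sender_ip} changed {known} -> {mac}{note}")
        self.ips_by_mac.setdefault(mac, set()).add(r.sender_ip)

    def macs_claiming_multiple_ips(self) -> Dict[str, Set[str]]:
        """One MAC answering for several IPs (the gateway and a victim at
        once) is the classic footprint of a MITM built on ARP poisoning."""
        return {m: ips for m, ips in self.ips_by_mac.items() if len(ips) > 1}


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"    # constructed
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:11:22:33:44:10"
ATTACKER_MAC = "00:de:ad:be:ef:66"


def sample_replies() -> List[ArpReply]:
    return [
        ArpReply(0.0, VICTIM_IP, VICTIM_MAC, GATEWAY_IP),      # normal reply
        ArpReply(1.0, GATEWAY_IP, GATEWAY_MAC, VICTIM_IP),     # normal reply
        ArpReply(2.0, GATEWAY_IP, ATTACKER_MAC, VICTIM_IP),    # poisons the victim's cache
        ArpReply(2.1, VICTIM_IP, ATTACKER_MAC, GATEWAY_IP),    # poisons the gateway's cache
        ArpReply(2.2, GATEWAY_IP, ATTACKER_MAC, GATEWAY_IP),   # gratuitous repeat to keep it poisoned
    ]


def run(replies: List[ArpReply], static: Optional[Dict[str, str]] = None) -> ArpWatcher:
    w = ArpWatcher(static)
    for r in replies:
        w.observe(r)
    return w


if __name__ == "__main__":
    w = run(sample_replies(), {GATEWAY_IP: GATEWAY_MAC})
    print("\n".join(w.alerts))
    print(w.macs_claiming_multiple_ips())
```

    Seeding the gateway binding matters: without it, an attacker who speaks first is simply learned as the gateway, and only the later flip back to the real MAC would be reported.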

  • Session Hijacking

    Session hijacking occurs when an attacker causes a user to lose his connection, and the attacker assumes his identity and privileges for a period. An attacker temporarily disables the user's system, say by a DoS attack or a buffer overflow exploit. The attacker then takes the identity of the user. The attacker now has all the access that the user has. When he is done, he stops the DoS attack and lets the user resume. The user may not detect the interruption if the disruption lasts no more than a couple of seconds. Hijacking can be achieved by the forged-disassociation DoS attack. Corporate wireless networks are set up so that the user is directed to an authentication server when his station attempts a connection with an AP. After the authentication, the attacker employs the session hijacking described above using spoofed MAC addresses.

  • War Driving

  • War Driving

    "The benign act of locating and logging wireless access points while in motion." (http://www.wardrive.net/) This benign act is of course useful to attackers.

  • War chalking

  • Typical Equipment

  • Special Equipment

    Possible: 8-mile range using a 24 dB gain parabolic dish antenna. PC cards vary in power. Typical: 25 mW (14 dBm). Cisco: 100 mW (20 dBm). Senao: 200 mW (23 dBm).

  • War Driving

    A default installation allows any wireless NIC to access the network. Drive around (or walk) and gain access to wireless networks. This provides direct access behind the firewall.

  • Software Tools

  • 802.11 Attack Tools

    The following are all freeware: Airsnort (Linux), WEPcrack (Linux), Kismet (Linux), Wellenreiter (Linux), NetStumbler (Windows), MiniStumbler (PocketPC), BSD Airtools (*BSD), Aerosol (Windows), WiFiScanner (Linux).

  • 802.11 Network Security Tools

    AiroPeek / AiroPeek NX: wireless frame sniffer / analyzer, Windows. AirTraf: wireless sniffer / analyzer / IDS. AirSnort: WEP key cracker. BSD Airtools: ports for common wireless tools, very useful. NetStumbler: access point enumeration tool, Windows, free.

  • Ettercap

    Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.

  • Weapons of Mass Disruption

    Many tools are new and notable in the world of wireless attacking: libradiate (a library), airtraf, kismet, the air-jack family, thc-rut (The Hacker's Choice).

  • libradiate

    Radiate is a C library similar in practice to Libnet but designed for "802.11 frame reading, creation and injection." Libnet builds layer 3 and above; libradiate builds 802.11 frames. Disperse, an example tool built using libradiate, is fully functional.

  • libradiate

    Frame types and subtypes: Beacon, transmitted often, announcing a WLAN. Probe request: a client frame, "anyone out there?" Association: client and server exchange, "can I play?" Disassociate: "no soup for you!" RTS/CTS: ready/clear to send frames. ACK: acknowledgement. Radiate allows construction of these frames very easily.

  • airtraf

    More a tool for the good guys, but noteworthy nonetheless. http://airtraf.sourceforge.net/ http://www.elixar.com (Elixar, Inc)

  • netstumbler

    Stumbler certainly deserves a mention, as it is and was the most popularized wireless network detection tool around. Windows based, it supports GPS but lacks many features required by a REAL wireless security hacker... http://www.netstumbler.com

  • stumbler vs. stumbverter (map figures; thanks to fr|tz @ www.mindthief.net for map data!)

  • kismet

    A wireless network sniffer that segregates traffic, detects IP blocks, decloaks SSIDs, detects factory default configurations, detects NetStumbler clients, and maps wireless points.

  • kismet (screenshot)

  • kismet - gpsmap

    ./gpsmap -S 2 -s 12 -r

    Included with kismet, gpsmap gives a great look at captured wireless nodes.

  • kismet - gpsmap

    ./gpsmap -S 2 -s 14 -r -t

    Included with kismet, gpsmap gives a great look at captured wireless nodes.

  • kismet - gpsmap

    ./gpsmap -r -t

    Included with kismet, gpsmap gives a great look at captured wireless nodes.

  • air-jack

    Not a tool, but a family of post-detection tools based on the air-jack driver. wlan-jack: spoofs a Deauthentication frame to force a wireless user off the net. Shake, repeat forever. Victim is GONE! essid-jack: wlan-jacks a victim, then sniffs the SSID when the user reconnects. monkey-jack: wlan-jacks a victim, then plays man-in-the-middle between the attacker and the target. kracker-jack: monkey-jacks a WLAN connection protected by MAC protection and an IPSec-secured VPN!

  • air-jack

    http://802.11ninja.net/ Robert Baird and Mike Lynn's excellent presentation lays out the attacks available to air-jack users: http://www.blackhat.com/presentations/bh-usa-02/baird-lynn/bh-us-02-lynn-802.11attack.ppt

  • thc-rut: a set of post-detection tools

  • Wireless Security Best Practices

  • Location of the APs

    Network segmentation. Treat the WLAN as an untrusted network. RF signal shaping. Continually check for unauthorized (rogue/Trojan) APs.

  • Proper Configuration

    Change the default passwords. Use WEP, however broken it may be. Don't use static keys; change them frequently. Don't allow connections with an empty SSID. Don't broadcast your SSID. Use a VPN and MAC address filtering with strong mutual authentication. Use wireless IDS/monitoring (e.g., www.airdefense.net).

  • Proper Configuration

    Most devices have multiple management interfaces: HTTP, Telnet, FTP, TFTP, SNMP. Disable unneeded services/interfaces. Stay current with patches.

  • Remedies

    Secure protocol techniques: encrypted messages, digitally signed messages, encapsulation/tunneling. Use strong authentication.

  • Wireless IDS

    A wireless intrusion detection system (WIDS) is often a self-contained computer system with specialized hardware and software to detect anomalous behavior. The special wireless hardware is more capable than the commodity wireless card, including the RF monitor mode, detection of interference, and keeping track of signal-to-noise ratios. It also includes GPS equipment so that rogue clients and APs can be located. A WIDS includes one or more listening devices that collect MAC addresses, SSIDs, features enabled on the stations, transmit speeds, current channel, encryption status, beacon interval, etc.

  • Wireless IDS

    The WIDS computing engine should be powerful enough that it can dissect frames and WEP-decrypt them into IP and TCP components. These can be fed into TCP/IP-related intrusion detection systems. Unknown MAC addresses are detected by maintaining a registry of the MAC addresses of known stations and APs. Spoofing of known MAC addresses can be detected because the attacker could not control the firmware of the wireless card to insert the appropriate sequence numbers into the frame.
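    The sequence-number check mentioned above, and the question on the Monkey-Jack detection slide ("why do I hear my MAC address as the source address?"), rest on the same observation: the 12-bit Sequence Control counter is maintained by the card's firmware and advances by one per MSDU (retries repeat it), so frames from a second device using the same MAC show up as jumps or reversals in that counter. The following is an added example written for this page (not code from the talk or from any WIDS product); the MAC addresses and frame records are constructed, and a real detector would read the sequence number from captured frames.

```python
# Added example: MAC-spoof detection from 802.11 sequence numbers.
# Addresses and frames below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SEQ_MODULUS = 4096     # the Sequence Control counter is 12 bits wide


@dataclass(frozen=True)
class Frame:
    ts: float
    src: str           # transmitter address (address 2)
    seq: int           # sequence number from the Sequence Control field


class SeqAnomalyDetector:
    """Track the last sequence number seen per transmitter address.

    A genuine card moves the counter forward a little at a time, so a jump
    bigger than `max_gap` (or a counter that runs backwards, which the
    modular arithmetic turns into a large forward gap) means a second
    device is transmitting with the same source address."""

    def __init__(self, max_gap: int = 50):
        self.max_gap = max_gap
        self.last: Dict[str, int] = {}

    def observe(self, f: Frame) -> Optional[str]:
        prev = self.last.get(f.src)
        self.last[f.src] = f.seq
        if prev is None:
            return None                              # first frame from this address
        gap = (f.seq - prev) % SEQ_MODULUS           # so 4095 -> 0 is a gap of 1, not -4095
        if gap <= self.max_gap:
            return None                              # retry (gap 0) or normal progress
        return f"{f.ts:.2f}s {f.src}: seq {prev} -> {f.seq} (gap {gap}), possible spoof"


def scan(frames: List[Frame], max_gap: int = 50) -> List[str]:
    det = SeqAnomalyDetector(max_gap)
    return [a for a in (det.observe(f) for f in frames) if a]


def foreign_frames_with_my_mac(my_mac: str, seqs_i_sent: Set[int], frames: List[Frame]) -> List[Frame]:
    """Station-side form of the Monkey-Jack detection question: frames on the
    air that carry my MAC as source but a sequence number I never sent."""
    return [f for f in frames if f.src == my_mac and f.seq not in seqs_i_sent]


STA = "00:aa:bb:cc:dd:ee"      # constructed: the legitimate station
STA2 = "00:aa:bb:cc:dd:02"     # constructed: a second, unspoofed station


def sample_frames() -> List[Frame]:
    legit = [100, 101, 101, 102, 105]                   # 101 repeated = a retry
    frames = [Frame(i * 0.1, STA, s) for i, s in enumerate(legit)]
    frames.append(Frame(1.0, STA, 3000))                # attacker's card, same MAC
    frames.append(Frame(1.1, STA, 106))                 # real station carries on
    # STA2 wraps its counter around 4095 -> 0, which must not be flagged
    frames += [Frame(2.0 + i * 0.1, STA2, s) for i, s in enumerate([4094, 4095, 0, 1])]
    return frames


if __name__ == "__main__":
    for alert in scan(sample_frames()):
        print(alert)
```

    Each spoofed frame produces two alerts in the interleaved stream, one for the jump to the attacker's counter and one for the jump back, which is itself a useful signal: a station that legitimately reset its card produces a single jump, not an alternating pattern.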

  • Wireless Auditing

    Periodically, every wireless network should be audited. Several audit firms provide this service for a fee. A security audit begins with a well-established security policy. A policy for wireless networks should include a description of the geographical volume of coverage. The goal of an audit is to verify that there are no violations of the policy.

  • Newer Standards and Protocols

  • WLAN Security Timeline

  • Cisco LEAP Overview

    Provides centralized, scalable, user-based authentication. The algorithm requires mutual authentication: the network authenticates the client, and the client authenticates the network. Uses 802.1X for 802.11 authentication messaging. APs will support WinXP's EAP-TLS also. Dynamic WEP key support with WEP key session timeouts.

  • LEAP Authentication Process (figure)

    Entities: Client, AP, RADIUS Server. Start: the AP sends Request Identity; the client answers with its Identity; the RADIUS server authenticates the client; the client authenticates the RADIUS server; client and RADIUS server each derive the session key; the key length is communicated to the AP; the AP sends the client the broadcast key, encrypted with the session key. The AP blocks all requests until authentication completes.

  • 802.11i

    Takes base 802.1X and adds several features. Wireless implementations are divided into two groups: legacy and new. Both groups use 802.1X for credential verification, but the encryption method differs. Legacy networks must use 104-bit WEP, TKIP and MIC. New networks will be the same as legacy, except that they must replace WEP/TKIP with the Advanced Encryption Standard in Offset Codebook mode (AES-OCB).

  • Wi-Fi Protected Access (WPA)

    A security solution based on IEEE standards, and a replacement for WEP. Designed to run on existing hardware as a software upgrade, Wi-Fi Protected Access is derived from and will be forward-compatible with the upcoming IEEE 802.11i standard. Its two main features are enhanced encryption using TKIP, and user authentication via 802.1X and EAP.

  • Other Vulnerabilities

    In February 2002, Arunesh Mishra and William Arbaugh described several design flaws in the combination of the IEEE 802.1X and IEEE 802.11 protocols that permit man-in-the-middle and session hijacking attacks. LEAP-enabled Cisco wireless networks are vulnerable to dictionary attacks (a la anwrap). Attackers can compromise other VPN clients within a wireless DMZ and piggyback into the protected network.

  • Secure LAN (SLAN)

    Intended to protect the link between the wireless client and the (assumed) more secure wired network. Similar to a VPN, it provides server authentication, client authentication, data privacy, and integrity using per-session and per-user short-lived keys. Simpler and more cost-efficient than a VPN. Cross-platform support and interoperability, though not highly scalable. Supports Linux and Windows. Open source (slan.sourceforge.net).

  • SLAN Architecture

  • SLAN Steps

    Client/server version handshake; Diffie-Hellman key exchange; server authentication (public key fingerprint); client authentication (optional) with PAM on Linux; IP configuration (IP address pool) and adjustment of the routing table.

  • SLAN Client (figure): the components are the client application (e.g., a web browser), the SLAN driver, a user-space process, and the physical driver; plaintext traffic flows between the application and the SLAN driver, and encrypted traffic goes out over the physical driver to the SLAN server.

  • Intermediate WLAN

    11-100 users. Can use MAC addresses, WEP, and rotate keys if you want. Some vendors have limited MAC storage ability. SLAN is also an option. Another solution is to tunnel traffic through a VPN.

  • Intermediate WLAN Architecture

  • VPN

    Provides a scalable authentication and encryption solution. Does require end-user configuration and a strong knowledge of VPN technology. Users must re-authenticate if roaming between VPN servers.

  • VPN Architecture

  • Enterprise WLAN

    100+ users. Reconfiguring WEP keys is not feasible. Multiple access points and subnets. Possible solutions include VLANs, VPNs, custom solutions, and 802.1X.

  • VLANs

    Combine wireless networks on one VLAN segment, even geographically separated networks. Use 802.1Q VLAN tagging to create a wireless subnet and a VPN gateway for authentication and encryption.

  • VLAN Architecture

  • Customized Gateway

    Georgia Institute of Technology. Allows students with laptops to log on to the campus network. Uses VLANs, iptables, and a web browser. No end-user configuration is required: the user accesses a web site and enters a userid and password. The gateway runs specialized code that authenticates the user with Kerberos and does packet filtering with iptables, adding the user's IP address to the allowed list to provide network access.

  • Gateway Architecture

  • Temporal Key Integrity Protocol (TKIP)

    128-bit shared secret temporal key (TK). TKIP mixes the transmitter's MAC address with the TK to produce a Phase 1 key. The Phase 1 key is mixed with an initialization vector (IV) to derive per-packet keys. Each key is used with RC4 to encrypt one and only one data packet.

    This defeats the attacks based on "Weaknesses in the Key Scheduling Algorithm of RC4" by Fluhrer, Mantin and Shamir.

    TKIP is backward compatible with current APs and wireless NICs.

  • Message Integrity Check (MIC)

    The MIC prevents bit-flip attacks. Implemented on both the access point and all associated client devices, the MIC adds a few bytes to each packet to make the packets tamper-proof.
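    The "few bytes" TKIP adds are the 64-bit Michael MIC, computed over the destination address, source address, priority and the MSDU payload. The implementation below is an added example written for this page (not code from the talk or from any driver); the TKIP MIC key, addresses and payload in the demonstration are constructed, while the two expected values asserted on are the published Michael test vectors (an all-zero key over the empty message, then that result used as the key over "M"). Because each Michael round is a bijection on its 64-bit state, a change to any single word of the padded input always changes the MIC, which is exactly the property that stops a bit-flip on the RC4 ciphertext from going unnoticed.

```python
# Added example: the Michael MIC used by TKIP, with a bit-flip check.
# Key, addresses and payload in the demo are constructed.
import struct
from typing import Tuple

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x: int) -> int:
    """Swap the two bytes inside each 16-bit half: 0xAABBCCDD -> 0xBBAADDCC."""
    return ((x & 0x00FF00FF) << 8) | ((x & 0xFF00FF00) >> 8)


def _block(l: int, r: int) -> Tuple[int, int]:
    """The Michael block function b(L, R); every step is invertible."""
    r ^= _rotl(l, 17); l = (l + r) & MASK32
    r ^= _xswap(l);    l = (l + r) & MASK32
    r ^= _rotl(l, 3);  l = (l + r) & MASK32
    r ^= _rotr(l, 2);  l = (l + r) & MASK32
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """64-bit Michael MIC. The message is padded with 0x5a and then four to
    seven zero bytes, up to a multiple of four, and consumed as little-endian
    32-bit words."""
    if len(key) != 8:
        raise ValueError("Michael key is 64 bits")
    l, r = struct.unpack("<II", key)
    zeros = 4 + ((-(len(msg) + 1)) % 4)
    padded = msg + b"\x5a" + b"\x00" * zeros
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _block(l, r)
    return struct.pack("<II", l, r)


def tkip_mic(key: bytes, da: bytes, sa: bytes, priority: int, msdu: bytes) -> bytes:
    """TKIP runs Michael over DA || SA || priority || three zero bytes || MSDU."""
    return michael(key, da + sa + bytes([priority, 0, 0, 0]) + msdu)


def mic_detects_flip(key: bytes, msdu: bytes, bit: int) -> bool:
    """Flip one payload bit, as a bit-flip on the RC4 ciphertext would, and
    check that the receiver's recomputed MIC no longer matches."""
    da, sa = bytes.fromhex("0011223344aa"), bytes.fromhex("00aabbccddee")   # constructed
    good = tkip_mic(key, da, sa, 0, msdu)
    tampered = bytearray(msdu)
    tampered[bit // 8] ^= 1 << (bit % 8)
    return tkip_mic(key, da, sa, 0, bytes(tampered)) != good


if __name__ == "__main__":
    print(michael(bytes(8), b"").hex())                              # 82925c1ca1d130b8
    print(mic_detects_flip(b"\x01" * 8, b"GET / HTTP/1.0\r\n", 13))  # True
```

    Michael was designed to be cheap enough for the MAC processors of the WEP era, and it is correspondingly weak as a MAC, which is why TKIP pairs it with countermeasures (rekeying after two MIC failures within a minute) rather than relying on it alone.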

  • Conclusion

    Some predictions are that the market for wireless LANs will be $2.2 billion in 2004, up from $771 million in 2000. The current 802.11 security state is not ideal for sensitive environments. Wireless networks at home.

  • References

    John Bellardo and Stefan Savage, 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions, 2003, Usenix 2003 Proceedings. http://www.cs.ucsd.edu/users/savage/papers/UsenixSec03.pdf
    Jon Edney and William A. Arbaugh, Real 802.11 Security: Wi-Fi Protected Access and 802.11i, 480 pages, Addison Wesley, 2003, ISBN 0-321-13620-9.
    Jamil Farshchi, Wireless Intrusion Detection Systems, November 5, 2003, http://www.securityfocus.com/infocus/1742 (retrieved Jan 20, 2004).
    Rob Flickenger, Wireless Hacks: 100 Industrial-Strength Tips & Tools, 286 pages, O'Reilly & Associates, September 2003, ISBN 0-596-00559-8.
    Matthew S. Gast, 802.11 Wireless Networks: The Definitive Guide, 464 pages, O'Reilly & Associates, April 2002, ISBN 0596001835.
    Vikram Gupta, Srikanth Krishnamurthy, and Michalis Faloutsos, Denial of Service Attacks at the MAC Layer in Wireless Ad Hoc Networks, Proceedings of the 2002 MILCOM Conference, Anaheim, CA, October 2002.
    Chris Hurley, Michael Puchol, Russ Rogers, and Frank Thornton, WarDriving: Drive, Detect, Defend, A Guide to Wireless Security, Syngress, 2004, ISBN 1931836035.
    IEEE, IEEE 802.11 standards documents, http://standards.ieee.org/wireless/
    Tom Karygiannis and Les Owens, Wireless Network Security: 802.11, Bluetooth and Handheld Devices, National Institute of Standards and Technology Special Publication 800-48, November 2002. http://cs-www.ncsl.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf
    Prabhaker Mateti, TCP/IP Suite, The Internet Encyclopedia, Hossein Bidgoli (Editor), John Wiley 2003, ISBN 0471222011.
    Robert Moskowitz, Debunking the Myth of SSID Hiding, retrieved on March 10, 2004. http://www.icsalabs.com/html/communities/WLAN/wp_ssid_hiding.pdf
    Bruce Potter and Bob Fleck, 802.11 Security, O'Reilly & Associates, 2002, ISBN 0-596-00290-4.
    William Stallings, Wireless Communications & Networks, Prentice Hall, 2001, ISBN 0130408646.
    http://www.warchalking.org/ Collaboratively creating a hobo-language for free wireless networking.
    Joshua Wright, Detecting Wireless LAN MAC Address Spoofing, retrieved on Jan 20, 2004. http://home.jwu.edu/jwright/

  • Frequency band of operation: 2.400 GHz-2.483 GHz, unlicensed, globally represented. North America: FCC Part 15.247-15.249. Europe: ETS 300-328. Japan: RCR STD-33A.

    Extensible Authentication Protocol (EAP, RFC 2284) was first developed in the Internet community for the Point-to-Point Protocol (PPP). Authentication is mutual: both the user (not the wireless device, as in the case of WEP) and the access point authenticate to each other. This prevents rogue access points. EAP in 802.1X is called EAPOL (Extensible Authentication Protocol over LANs) and is based on three entities: the supplicant, the entity that needs to be authenticated before LAN access is permitted (i.e., the wireless client station); the authenticator, the entity that supports the actual authentication (i.e., the access point); and the authentication server, the entity that provides the authentication service to the authenticator (usually a RADIUS server).

    What is a rogue AP? A rogue AP is an unauthorized access point.

    Traditionally, in a closed network, this is an access point that allows unauthorized entry into the network. This can be a user standing up their own wireless access point for the sake of convenience, attached to the corporate network, providing an unintentional back door. Or this can be a competing company one floor up slipping 20 bucks to a janitor for dropping an AP on your LAN so they can perform a bit of corporate espionage by pointing an antenna at their floor / your ceiling. Either way, it's a network security officer's nightmare.

    Another obvious use for rogue APs is open or public networks. This can be as hands-off as dropping an overpowered AP in the midst of a public network with a redirect to a splash page stating "Save the Moose!", thereby creating a denial of service. Or this can be as involved as walking around in a coffee house with a wireless-capable PDA in AP mode, duping users into giving up their hotspot usernames and passwords.

    As always, users are the simple way into a network. Wireless or not.

    But wait, here's a new twist to using rogue APs for network penetration. Let's say we have an access point with an SSID of "goodguy". If a wireless client with its SSID set to ANY enters the range of the access point "goodguy", it will associate to goodguy and the client's SSID will effectively become goodguy.

    However, if another access point with an SSID of "badguy" enters the picture, and in relation to the wireless client, badguy is either physically closer or its signal is stronger than goodguy's, then there is the potential for the client to re-associate to the closer and stronger access point badguy, and the client's SSID will effectively become badguy.

    It is possible for the mis-association pictured here to happen without the user's knowledge. Even worse, the badguy access point here could just as easily have set its SSID to goodguy, making it even easier for the mis-association to occur, and making it that much more difficult for the user to detect.
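    From the network operator's side, the look-alike "badguy" AP above, the Trojan AP of the Monkey-Jack second stage (same MAC and ESSID as the real AP, but on a different channel), and the plain unauthorized AP on the LAN all show up in beacons, and all three can be caught by comparing what is heard on the air against a registry of the APs that were actually deployed. The following check is an added example written for this page (not code from the talk or from any WIDS); the BSSIDs, SSIDs and beacons are constructed, and a real monitor would parse the SSID element and DS Parameter (channel) from captured beacon frames.

```python
# Added example: registry check for rogue and look-alike APs from beacons.
# BSSIDs, SSIDs and beacons below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int


def audit_beacons(beacons: List[Beacon], authorized: Dict[str, Tuple[str, int]]) -> List[str]:
    """`authorized` maps BSSID -> (SSID, channel) for the APs the operator deployed.

    Findings, most serious first:
      evil twin  - one of our SSIDs advertised by a BSSID we do not own
      clone      - our BSSID heard on a channel other than the one it is
                   configured for (the Monkey-Jack fake AP copies MAC and
                   ESSID but must sit on another channel)
      unknown AP - any other BSSID on our air, to be located and explained
    Beacons repeat ten times a second, so identical findings are collapsed."""
    authorized = {b.lower(): v for b, v in authorized.items()}
    our_ssids = {ssid for ssid, _ in authorized.values()}
    findings: List[str] = []
    for b in beacons:
        known = authorized.get(b.bssid.lower())
        if known is None:
            kind = "evil twin" if b.ssid in our_ssids else "unknown AP"
            findings.append(f"{kind}: {b.bssid} ssid={b.ssid!r} ch={b.channel}")
        elif known[1] != b.channel:
            findings.append(f"clone: {b.bssid} ssid={b.ssid!r} on ch={b.channel}, "
                            f"configured ch={known[1]}")
        elif known[0] != b.ssid:
            findings.append(f"ssid mismatch: {b.bssid} advertises {b.ssid!r}, "
                            f"configured {known[0]!r}")
    return list(dict.fromkeys(findings))       # de-duplicate, keep first-seen order


AUTHORIZED = {"00:11:22:aa:bb:01": ("goodguy", 6)}   # constructed registry


def sample_beacons() -> List[Beacon]:
    legit = Beacon("00:11:22:aa:bb:01", "goodguy", 6)
    return [
        legit, legit, legit,                               # the real AP, beaconing normally
        Beacon("00:de:ad:be:ef:02", "goodguy", 11),        # look-alike: our SSID, foreign BSSID
        Beacon("00:11:22:aa:bb:01", "goodguy", 11),        # clone: our BSSID on the wrong channel
        Beacon("00:11:22:aa:bb:01", "goodguy", 11),
        Beacon("00:de:ad:be:ef:03", "badguy", 1),          # some other AP in range
    ]


if __name__ == "__main__":
    for finding in audit_beacons(sample_beacons(), AUTHORIZED):
        print(finding)
```

    The "unknown AP" class is noisy in a shared building, which is why the registry should also record the channel and, where the sensors provide it, location, so that a neighbour's AP can be explained once and suppressed rather than re-investigated.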

    Such is the threat of rogue APs in wireless environments. So what are the mechanics behind a rogue access point?

    Basically, the idea is to simply create a competing wireless network. A rogue AP is essentially a wireless network of its own, but with a purpose other than providing legitimate service to the Intranet. Instead, the main purpose is to steal credentials from unsuspecting users and use those credentials for illegitimate access to the target legitimate network.

    The AP component of a rogue AP can be an actual access point or a simple wireless card running HostAP.

    Off the backend of the AP, an attacker can create a captive portal, which accepts DNS and web queries, but redirects all users to a splash page of some sort. Depending on how open the wireless network is to begin with, we can simply sit as a man in the middle acting as a repeater of sorts, brokering wireless connections from the rogue wireless network, to the legitimate wireless network.

    An attacker can simply deny service to all users, or go so far as to steal usernames and passwords, or perhaps even provide no interaction with the user at all and simply make the user a vector for some infection into the wired network.

    If the attacker is bold, they can do this intermittently while using the network. One day they are a legitimate user, the next a rogue AP: yet another new insider threat for you.

    A big antenna and amp can facilitate a drive-by rogue AP. Let's see an example rogue AP setup in action. Airsnarf is a rogue AP setup utility that we will now demonstrate.

    Simply put, it's just a shell script that integrates and sets up several fairly standard Linux utilities to create a rogue access point, specifically:

    HostAP for AP functionality, httpd to serve up the splash page, dhcpd to give out IPs/DNS/gateway, a simple Perl-based Net::DNS::Nameserver DNS redirect, and iptables to funnel all the DNS requests the gateway sees to a local port.

    All of these Linux utilities are publicly available.

    (Demonstration)