Security Issues in 802.11 Wireless Networks
Prabhaker Mateti, Wright State University
www.wright.edu/~pmateti
WiFi Security 2
Talk Outline
• Wireless LAN Overview
• Wireless Network Sniffing
• Wireless Spoofing
• Wireless Network Probing
• AP Weaknesses
• Denial of Service
• Man-in-the-Middle Attacks
• War Driving
• Wireless Security Best Practices
• Conclusion
Mateti
Acknowledgement
• This talk is an overview of what has been known for a couple of years.
• Figures borrowed from many sources on the www. Apologies that I lost track of the original sources.

This talk is based on …
• Prabhaker Mateti, “Hacking Techniques in Wireless Networks”, in The Handbook of Information Security, Editor: Bidgoli, John Wiley, 2005
• www.wright.edu/~pmateti/InternetSecurity/
Wireless LAN Overview
Without security issues
OSI Model
• Layers: Application, Presentation, Session, Transport, Network, Data Link, Physical
• 802.11 covers the two lowest layers: the 802.11 PLCP header belongs to the Physical layer and the 802.11 MAC header to the Data Link layer

IEEE 802.11
• Published in June 1997
• 2.4 GHz operating frequency
• 1 to 2 Mbps throughput
• Can choose between frequency hopping or direct sequence spread modulation

IEEE 802.11b
• 1999
• Data rate: 11 Mbps; reality: 5 to 7 Mbps
• 2.4-GHz band; runs on 3 channels shared by cordless phones, microwave ovens, and many Bluetooth products
• Only direct sequence modulation is specified
• Most widely deployed today

IEEE 802.11a
• Data rate: 54 Mbps; reality: 25 to 27 Mbps
• Runs on 12 channels
• Not backward compatible with 802.11b
• Uses Orthogonal Frequency Division Multiplexing (OFDM)

IEEE 802.11g
• An extension to 802.11b
• Data rate: 54 Mbps
• 2.4-GHz band

IEEE 802.11n
• An extension to 802.11a/b/g
• Final draft expected in 2010
• Data rate: 600 Mbps
• 2.4-GHz band
WiFi Security 12
802 .11 Terminology: Station (STA)
Device that contains IEEE 802.11 conformant MAC and PHY interface to the wireless medium, but does not provide access to a distribution system
Most often end-stations available in terminals (work-stations, laptops etc.)
Typically Implemented in a PC-CardBuilt into recent laptops and PDAs
Mateti
Station Architecture
• Ethernet-like driver interface supports virtually all protocol stacks
• Frame translation according to IEEE 802.1H: Ethernet Types 8137 (Novell IPX) and 80F3 (AARP) are encapsulated via the Bridge Tunnel encapsulation scheme
• IEEE 802.3 frames: translated to 802.11
• All other Ethernet Types: encapsulated via the RFC 1042 (Standard for the Transmission of IP Datagrams over IEEE 802 Networks) encapsulation scheme
• Maximum data limited to 1500 octets
• Transparent bridging to Ethernet
(Figure: station protocol stack. On the platform computer: the protocol stack and driver software (STADr), using the Ethernet V2.0 / 802.3 frame format. On the PC-Card hardware: the WMAC controller with station firmware (WNIC-STA), which translates the 802.3 frame format to the 802.11 frame format, and the radio hardware.)

Radio Frequency Spectrum
(Figure: the 5.15-5.35 GHz and 5.725-5.825 GHz bands, labelled IEEE 802.11a and HiperLAN/2.)
(Figure: 2.4 GHz channel map with 5 MHz channel spacing; the non-overlapping channels are centred at 2.412, 2.437 and 2.462 GHz.)
Terminology: Access-Point (AP)
• A transceiver that serves as the center point of a stand-alone wireless network or as the connection point between wireless and wired networks.
• Device that contains an IEEE 802.11 conformant MAC and PHY interface to the wireless medium, and provides access to a Distribution System for associated stations (i.e., an AP is a STA)
• Most often infrastructure products that connect to wired backbones
• Implemented in a “box” containing a STA PC-Card.

Access-Point (AP) Architecture
• Stations select an AP and “associate” with it
• APs support roaming, power management and time synchronization functions (beaconing)
• Traffic flows through the AP
(Figure: AP protocol stack. Kernel software (APK) with bridge software, driver software (APDr) and an Ethernet interface on bridge hardware; PC-Card hardware with the WMAC controller with access point firmware (WNIC-AP) and the radio hardware. 802.11 frame format on the wireless side, 802.3 / Ethernet V2.0 frame format on the wired side.)

Basic Configuration
Terminology: Basic Service Set (BSS)
• A set of stations controlled by a single “Coordination Function” (that determines when a station can transmit or receive)
• Similar to a “cell” in pre-IEEE terminology
• A BSS may or may not have an AP

Basic Service Set (BSS)
(Figure: a BSS.)

Terminology: Distribution System (DS)
• A system to interconnect a set of BSSs
• Integrated: a single AP in a standalone network
• Wired: using cable to interconnect the APs
• Wireless: using wireless to interconnect the APs

Terminology: Independent Basic Service Set (IBSS)
• A BSS forming a self-contained network in which no access to a Distribution System is available
• A BSS without an AP
• One of the stations in the IBSS can be configured to “initiate” the network and assume the Coordination Function
• Diameter of the cell determined by the coverage distance between two wireless stations

Independent Basic Service Set (IBSS)
(Figure: an IBSS.)

Terminology: Extended Service Set (ESS)
• A set of one or more BSSs interconnected by a Distribution System (DS)
• Traffic always flows via the AP
• Diameter of the cell is double the coverage distance between two wireless stations

Terminology: Service Set Identifier (SSID)
• Network name
• Up to 32 bytes long
• One network (ESS or IBSS) has one SSID
• E.g., “WSU Wireless”
• Known defaults for many vendors: “101” for 3COM, “tsunami” for Cisco

Terminology: Basic Service Set Identifier (BSSID)
• Cell identifier
• One BSS has one BSSID
• 6 bytes long
• BSSID = MAC address of the AP
802.11 Communication
• CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) instead of Collision Detection
• WLAN adapter cannot send and receive traffic at the same time on the same channel
• Hidden Node Problem
• Four-Way Handshake

Four-Way Handshake
(Figure: exchange between Source and Destination: RTS – Request to Send, CTS – Clear to Send, DATA, ACK.)

Infrastructure operation modes
• Root Mode
• Repeater Mode

802.11 Packet Structure
Graphic Source: Network Computing Magazine August 7, 2000
• 30 byte header
• 4 addresses

802.11 Physical Layer Packet Structure
Graphic Source: Network Computing Magazine August 7, 2000
• 24 byte header (PLCP, Physical Layer Convergence Protocol)
• Always transferred at 1 Mbps

802.11 Frames
• Format depends on type of frame
• Control Frames
• Management Frames
• Data Frames
802.11 Frame Formats

802.11 MAC Header (field sizes in bytes):
Frame Control (2) | Duration/ID (2) | Addr 1 (6) | Addr 2 (6) | Addr 3 (6) | Sequence Control (2) | Addr 4 (6) | Frame Body (0-2312) | CRC (4)

Frame Control Field (field sizes in bits):
Protocol Version (2) | Type (2) | SubType (4) | To DS (1) | From DS (1) | More Frag (1) | Retry (1) | Pwr Mgt (1) | More Data (1) | WEP (1) | Rsvd (1)

Address Field Description
• Addr. 1 = All stations filter on this address.
• Addr. 2 = Transmitter Address (TA); identifies the transmitter to address the ACK frame to.
• Addr. 3 = Dependent on the To DS and From DS bits.
• Addr. 4 = Only needed to identify the original source of WDS (Wireless Distribution System) frames.

To DS | From DS | Address 1 | Address 2 | Address 3 | Address 4
  0   |    0    |    DA     |    SA     |   BSSID   |    N/A
  0   |    1    |    DA     |   BSSID   |    SA     |    N/A
  1   |    0    |   BSSID   |    SA     |    DA     |    N/A
  1   |    1    |    RA     |    TA     |    DA     |    SA
Type field descriptions
Type and subtype identify the function of the frame:
• Type=00 Management Frame: Beacon, (Re)Association, Probe, (De)Authentication, Power Management
• Type=01 Control Frame: RTS/CTS, ACK
• Type=10 Data Frame
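As an added example (not code from the deck), a Python decoder for the MAC header described on the frame-format, address-field and type-field slides: it splits the Frame Control bits, applies the To DS / From DS address-role table and reads the Sequence Control field. The sample frames and their MAC addresses are constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Type / subtype names for the frame kinds the deck lists (IEEE 802.11 code points).
TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
SUBTYPE_NAMES = {
    0: {0: "Association Request", 1: "Association Response",
        2: "Reassociation Request", 3: "Reassociation Response",
        4: "Probe Request", 5: "Probe Response", 8: "Beacon",
        10: "Disassociation", 11: "Authentication", 12: "Deauthentication"},
    1: {11: "RTS", 12: "CTS", 13: "ACK"},
    2: {0: "Data", 4: "Null (no data)", 8: "QoS Data"},
}
# Address roles from the "Address Field Description" table, keyed by (To DS, From DS).
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID", None),
    (0, 1): ("DA", "BSSID", "SA", None),
    (1, 0): ("BSSID", "SA", "DA", None),
    (1, 1): ("RA", "TA", "DA", "SA"),
}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class MacHeader:
    frame_type: str
    subtype: str
    to_ds: int
    from_ds: int
    flags: Dict[str, bool]
    duration: int
    addresses: Dict[str, str]      # role name -> MAC address
    seq_num: Optional[int]         # 12-bit sequence number (None for control frames)
    frag_num: Optional[int]        # 4-bit fragment number
    header_len: int


def parse_mac_header(frame: bytes) -> MacHeader:
    """Decode Frame Control, Duration/ID, Addr 1-4 and Sequence Control of an 802.11 frame."""
    if len(frame) < 10:
        raise ValueError("frame too short for an 802.11 MAC header")
    fc0, fc1, duration = struct.unpack_from("<BBH", frame, 0)
    if fc0 & 0x03:                                  # protocol version must be 0
        raise ValueError("unknown 802.11 protocol version")
    ftype, subtype = (fc0 >> 2) & 0x03, fc0 >> 4
    if ftype not in TYPE_NAMES:
        raise ValueError("reserved frame type")
    to_ds, from_ds = fc1 & 0x01, (fc1 >> 1) & 0x01
    flags = {"more_frag": bool(fc1 & 0x04), "retry": bool(fc1 & 0x08),
             "pwr_mgt": bool(fc1 & 0x10), "more_data": bool(fc1 & 0x20),
             "wep": bool(fc1 & 0x40)}
    subtype_name = SUBTYPE_NAMES[ftype].get(subtype, f"subtype {subtype}")
    if ftype == 1:
        # Control frames carry only RA (CTS, ACK) or RA + TA (RTS) and no Sequence Control.
        need = 16 if subtype == 11 else 10
        if len(frame) < need:
            raise ValueError("truncated control frame")
        addrs = {"RA": mac_str(frame[4:10])}
        if subtype == 11:
            addrs["TA"] = mac_str(frame[10:16])
        return MacHeader(TYPE_NAMES[ftype], subtype_name, to_ds, from_ds, flags,
                         duration, addrs, None, None, need)
    # Management and data frames: Addr 1-3, Sequence Control, then Addr 4 only for WDS.
    roles = ADDRESS_ROLES[(to_ds, from_ds)]
    need = 30 if roles[3] else 24
    if len(frame) < need:
        raise ValueError("truncated management/data frame")
    addrs = {roles[i]: mac_str(frame[4 + 6 * i:10 + 6 * i]) for i in range(3)}
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    if roles[3]:
        addrs[roles[3]] = mac_str(frame[24:30])
    return MacHeader(TYPE_NAMES[ftype], subtype_name, to_ds, from_ds, flags,
                     duration, addrs, seq_ctl >> 4, seq_ctl & 0x0F, need)


def management_reason_code(frame: bytes) -> Optional[int]:
    """Reason code in the 2-byte body of Disassociation / Deauthentication frames, else None."""
    hdr = parse_mac_header(frame)
    if hdr.subtype not in ("Disassociation", "Deauthentication"):
        return None
    return struct.unpack_from("<H", frame, hdr.header_len)[0]


# Constructed sample frames (hypothetical addresses, not captured traffic).
AP = bytes.fromhex("00115500aa01")      # the AP / BSSID
STA = bytes.fromhex("00166600bb02")     # a client station
BCAST = b"\xff" * 6
# Beacon from the AP: type 0, subtype 8, To DS = From DS = 0, sequence number 100.
BEACON = bytes([0x80, 0x00]) + b"\x00\x00" + BCAST + AP + AP + (100 << 4).to_bytes(2, "little")
# Data frame from the station towards the DS: To DS = 1, so Addr 1 is the BSSID.
DATA_TO_DS = bytes([0x08, 0x01]) + b"\x2c\x00" + AP + STA + BCAST + ((7 << 4) | 1).to_bytes(2, "little")
# Deauthentication "from the AP" to the station, reason code 7 in the body.
DEAUTH = bytes([0xC0, 0x00]) + b"\x3a\x01" + STA + AP + AP + (2049 << 4).to_bytes(2, "little") + b"\x07\x00"

if __name__ == "__main__":
    for name, frame in (("beacon", BEACON), ("data", DATA_TO_DS), ("deauth", DEAUTH)):
        print(name, parse_mac_header(frame))
    print("deauth reason code:", management_reason_code(DEAUTH))
```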
802.11 Management Frames
• Beacon: Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, parameters, Traffic Indication Map
• Probe: SSID, Capabilities, Supported Rates
• Probe Response: Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, parameters (same as Beacon except for the TIM)

Management Frames (cont’d)
• Association Request: Capability, Listen Interval, SSID, Supported Rates
• Association Response: Capability, Status Code, Station ID, Supported Rates
• Re-association Request: Capability, Listen Interval, SSID, Supported Rates, Current AP Address
• Re-association Response: Capability, Status Code, Station ID, Supported Rates

Management Frames (cont’d)
• Dis-association: Reason code
• Authentication: Algorithm, Sequence, Status, Challenge Text
• De-authentication: Reason
Association + Authentication
(Figure: state diagram. State 1: Unauthenticated, Unassociated. Successful authentication leads to State 2: Authenticated, Unassociated; Deauthentication returns to State 1. Successful association leads to State 3: Authenticated, Associated; Disassociation returns to State 2 and Deauthentication to State 1.)

Authentication
• To control access to the infrastructure via authentication.
• The station first needs to be authenticated by the AP in order to join the AP’s network.
• Stations identify themselves to other stations (or APs) prior to data traffic or association.
• Two authentication subtypes: Open System and Shared Key.

Open System Authentication
• A sends an authentication request to B
• B sends the result back to A

Shared Key Authentication

Access Point Discovery
• Beacons sent out 10x a second; advertise capabilities
• Station queries access points; requests features
• Access points respond with supported features
• Authentication just a formality; may involve more frames
(Figure: Probe request / Probe response, Authentication request / Authentication response, Association request / Association response.)

Association
• Next step after authentication
• Association enables data transfer between Client and AP
• The Client sends an association request frame to the AP, which replies to the client with an association response frame either allowing or disallowing the association

Association
• To establish a relationship with an AP, stations scan the frequency band and select the AP with the best communications quality
• Active Scan: send a “Probe request” on specific channels and assess the response
• Passive Scan: assess communications quality from the beacon message
• AP maintains a list of associated stations in MAC firmware; records station capability (data-rate) to allow inter-BSS relay
• Station’s MAC address is also maintained in the bridge learn table associated with the port it is located on
WEP: Wired Equivalent Privacy
• Designed to be computationally efficient, self-synchronizing, and exportable
• Data headers remain unencrypted.
• The cipher used is RC4(v, k)
• Shared key k: manual distribution among clients.

WEP Encryption
• WEP encryption key: a shared 40- or 104-bit long number. WEP keys are used for authentication and encryption of data.
• A 32-bit integrity check value (ICV) is calculated that provides data integrity for the MAC frame. The ICV is appended to the end of the frame data.
• A 24-bit initialization vector (IV) is appended to the WEP key. IV and WEP encryption key are input to a pseudo-random number generator (PRNG) to generate a bit sequence that is the same size as the combination of [data+ICV].
• The PRNG bit sequence is bit-wise XORed with [data+ICV] to produce the encrypted portion of the payload that is sent between the wireless AP and the wireless client.
• The IV is added to the front of the encrypted [data+ICV], which becomes the payload for the wireless MAC frame.
• The result is IV + encrypted [data+ICV].

WEP Decryption
• IV is obtained from the front of the MAC payload.
• WEP encryption key is concatenated with the IV.
• The concatenated WEP encryption key and IV is used as the input of the same PRNG to generate a bit sequence of the same size as the combination of the [data+ICV].
• The PRNG bit sequence is XORed with the encrypted [data+ICV] to decrypt the [data+ICV] portion of the payload.
• The ICV for the data portion of the payload is calculated and compared with the value included in the incoming frame.
• The WEP key remains constant over a long duration (days and months) but the IV can be changed frequently depending on the degree of security needed.

WEP
(Figure: encryption: 802.11 Hdr | Data; append ICV = CRC32(Data); select and insert IV (24 bits); per-packet key = IV || RC4 base key; RC4-encrypt Data || ICV; result 802.11 Hdr | IV | encrypted Data | ICV. Decryption: remove IV from packet; per-packet key = IV || RC4 base key; RC4-decrypt Data || ICV; check ICV = CRC32(Data).)

WEP Protocol
• Key is shared by all clients and the base station.
• PRNG – Pseudo Random Number Generator

WEP (cont’d)

Drawbacks of WEP Protocol
• The determination and distribution of WEP keys are not defined
• There is no defined mechanism to change the WEP key either per authentication or periodically for an authenticated connection
• No mechanism for central authentication, authorization, and accounting
• No per-frame authentication mechanism to identify the frame source.
• No per-user identification and authentication

Initialization Vector (IV)
• Over a period, the same plaintext packet should not generate the same ciphertext packet
• IV is random, and changes per packet; generated by the device on the fly
• 24 bits long
• 64-bit encryption: IV + 40-bit WEP key
• 128-bit encryption: IV + 104-bit WEP key
WiFi Security

Wireless Threats
• Passive eavesdropping and traffic analysis
• Message injection and active eavesdropping
• Message deletion and interception
• Masquerading and malicious access points
• Session hijacking
• Denial of service (DoS)

Network Sniffing
• Sniffing is eavesdropping, a reconnaissance technique
• A sniffer is a program that intercepts and decodes network traffic broadcast through a medium
• Sniffing is the act by a machine S of making copies of a network packet sent by machine A intended to be received by machine B
• Sniffing is not a TCP/IP problem; it is enabled by the media, Ethernet and 802.11, at the physical and data link layers

Wireless Network Sniffing
• Wireless LAN sniffers can be used to gather information about the wireless network from a distance with a directional antenna
• RF monitor mode of a wireless card allows every frame appearing on a channel to be copied as the radio of the station tunes to various channels. Analogous to a wired Ethernet card in promiscuous mode
• A station in monitor mode can capture packets without associating with an AP or ad-hoc network
• Many wireless cards permit RF monitor mode

Passive Scanning
• Eavesdropper does NOT transmit packets.
• A WLAN can be “listened to” outside a building using readily available technology

Passive Scanning
• A passive scanner instructs the wireless card to listen to each channel for a few messages
• Passive scanners are capable of gathering the passwords from the HTTP sites and the telnet sessions sent in plain text
• An attacker can passively scan without transmitting at all. These attacks do not leave any trace of the attacker’s presence on the network

Passive Scanning: Why?
• Scanning is a reconnaissance technique
• Detection of SSID
• Collecting the MAC addresses
• Collecting the frames for cracking WEP
A Basic “Attack”
Behind the scenes of a completely passive wireless pre-attack session using Kismet

Kismet
• Kismet is a wireless sniffer
• Setting up Kismet is fairly straightforward
• Google on “Kismet” for articles
• http://www.kismetwireless.net/

Starting Kismet
• The mysqld service is started.
• The gpsd service is started on serial port 1.
• The wireless card is placed into monitor mode.
• kismet is launched.

Detection
Kismet picks up some wireless jabber! In order to take a closer look at the traffic, disengage “autofit” mode by pressing “ss” to sort by SSID.
(Screenshot annotations: WEP? yes or no; 4 TCP packets; IPs detected; type; strength.)

Network Details
Network details for the 0.0.0.0 address are viewed by pressing the “i” key.

Network Details
Network details for the 169.254.187.86 address are viewed by pressing the “i” key.

More network details
More network details for the 169.254.187.86 address are viewed by pressing the “i” key, then scrolling down to view more information.

Traffic dump
A dump of “printable” traffic can be had by pressing the “d” key.
\MAILSLOTS?  Could this be a post office computer?
(That is a joke. Feel free to laugh at this point. Thank you.)

Packet list
A list of packet types can be viewed by selecting a wireless point and pressing “p”.

gpsmap
A map of the area is printed:
# gpsmap -S2 -s10 -r gpsfile

wireshark – Beacon
The *.dump files Kismet generates can be opened with tcpdump or wireshark.
This is an 802.11 beacon frame.

wireshark – Probe Request
...an 802.11 Probe Request from the same machine

wireshark – Registration
oooh... a NETBIOS registration packet for “MSHOME”...

wireshark – Registration
...another registration packet, this time from “LAP10”...

wireshark – DHCP request
...a DHCP request... it would be interesting to spoof a response to this...

wireshark – Browser request
...a NETBIOS browser request...

wireshark – Browser announce
...an SMB host announcement... revealing an OS major version of 5 and an OS minor version of 1... We have a Windows XP client laptop searching for an access point.
This particular target ends up being nothing more than a lone client crying out for a wireless server to connect to. Spoofing management frames to this client would most likely prove to be pointless...

Passive Scanning
• This simple example demonstrates the ability to monitor even client machines which are not actively connected to a wireless access point.
• In a more “chatty” environment, so much more is possible.
• All of this information was captured passively. Kismet did not send a single packet on the airwaves.
• This type of monitoring cannot be detected, but preventive measures can be taken.
Detection of SSID
• SSID occurs in the following frame types: beacon, probe requests, probe responses, association requests, and reassociation requests.
• Management frames are always in the clear, even when WEP is enabled.
• Merely collect a few frames and note the SSID.
• What if beacons are turned off? Or the SSID is hidden?

When the Beacon displays a null SSID …
• Patiently wait. Recall that management frames are in the clear.
• Wait for an Associate Request; Associate Request and Response both contain the SSID.
• Wait for a Probe Request; Probe Responses contain the SSID.

Beacon transmission is disabled ...
• Wait for a voluntary Associate Request to appear. Or
• Actively probe by injecting spoofed frames, and then sniff the response

Collecting the MAC Addresses
• Attacker gathers legitimate MAC addresses for use later in spoofed frames.
• The source and destination MAC addresses are always in the clear in all the frames.
• The attacker sniffs these legitimate addresses

WEP Attacks
• Systematic procedures in cracking WEP.
• Need to collect a large number of frames. Collection may take hours to days. Time required depends heavily on saturation of the access point.
• Cracking may take a few seconds to a couple of hours. Cracking uses the “weakness” in the IV.
• Four types of attacks:
  - Passive attacks to decrypt traffic based on statistical analysis
  - Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext
  - Active attacks to decrypt traffic, based on tricking the access point
  - Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic
What is a “Weak” IV?
• The Key Scheduling Algorithm (KSA) creates an IV-based key from the base key
• A flaw in the WEP implementation of RC4 allows “weak” IVs to be generated
• Those IVs give away info about the bytes of the key they were derived from
• An attacker will collect enough weak IVs to reveal bytes of the base key

Initialization Vector, IV
• IV is only 24 bits, providing 16,777,216 different RC4 cipher streams for a given WEP key
• Chances of duplicate IVs are: 1% after 582 encrypted frames; 10% after 1,881 encrypted frames; 50% after 4,823 encrypted frames; 99% after 12,430 encrypted frames
• Increasing key size will not make WEP any safer. Why? Walker, “IEEE 802.11i wireless LAN: Unsafe at any key size”, http://www.dis.org/wl/pdf/unsafe.pdf, Oct 2000
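The WEP encryption and decryption steps from the WEP slides and the duplicate-IV figures on this slide, worked through in Python as an added example (not the deck’s code): the per-packet key is IV || key as on the WEP figure, the ICV is CRC32, and the birthday computation reproduces the 1% / 10% / 50% / 99% figures. The key, IV and plaintexts are constructed values.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling algorithm (KSA) then the PRGA, returning `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """32-bit integrity check value: CRC32 of the data, little-endian as carried in WEP."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Return IV || RC4(IV || key)(data || ICV). The key-ID byte is left out for brevity."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV must be 24 bits and the key 40 or 104 bits")
    plain = data + icv(data)
    return iv + xor_bytes(plain, rc4_keystream(iv + key, len(plain)))


def wep_decrypt(key: bytes, payload: bytes) -> bytes:
    """Strip the IV, regenerate the keystream, verify the ICV and return the data."""
    if len(payload) < 7:
        raise ValueError("payload too short for IV + ICV")
    iv, body = payload[:3], payload[3:]
    plain = xor_bytes(body, rc4_keystream(iv + key, len(body)))
    data, received_icv = plain[:-4], plain[-4:]
    if received_icv != icv(data):
        raise ValueError("ICV check failed")
    return data


def icv_accepts(key: bytes, payload: bytes) -> bool:
    try:
        wep_decrypt(key, payload)
        return True
    except ValueError:
        return False


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Probability that at least two of `frames` uniformly chosen IVs repeat (birthday bound)."""
    space = 1 << iv_bits
    p_all_distinct = 1.0
    for i in range(frames):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def keystream_from_known_plaintext(payload: bytes, known_data: bytes) -> bytes:
    """Ciphertext XOR (known plaintext || its ICV) gives back the keystream for that IV."""
    return xor_bytes(payload[3:], known_data + icv(known_data))


def recover_with_reused_iv(known_payload: bytes, known_data: bytes, other_payload: bytes) -> bytes:
    """Two frames under one IV share a keystream, so a known plaintext exposes the other
    (as far as the known frame is long)."""
    if known_payload[:3] != other_payload[:3]:
        raise ValueError("the two payloads do not share an IV")
    ks = keystream_from_known_plaintext(known_payload, known_data)
    return xor_bytes(other_payload[3:], ks)[:-4]   # drop the other frame's ICV


# Constructed sample values: a 40-bit key, a fixed IV and two plaintexts.
KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("000001")
FRAME_A = b"Cisco 1234 known-plaintext"
FRAME_B = b"secret"

if __name__ == "__main__":
    ct_a = wep_encrypt(KEY, IV, FRAME_A)
    ct_b = wep_encrypt(KEY, IV, FRAME_B)
    print("round trip:", wep_decrypt(KEY, ct_a) == FRAME_A)
    print("recovered from IV reuse:", recover_with_reused_iv(ct_a, FRAME_A, ct_b))
    for n in (582, 1881, 4823, 12430):
        print(n, "frames -> P(duplicate IV) =", round(iv_collision_probability(n), 3))
```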
UC Berkeley Study
• Bit flipping: bits are flipped in WEP-encrypted frames, and the ICV CRC32 is recalculated
• Replay: bit-flipped frames with known IVs are re-sent
• AP accepts the frame since the CRC32 is correct
• Layer 3 device will reject, and send a predictable response
• Response database built and used to derive the key

UC Berkeley Study
(Figure: the WEP stream cipher applied to the plaintext “Cisco 1234” and to the predicted plaintext “XXYYZZ”, showing PlainText, Stream Cipher and CipherText.)
• PlainText data is XORed with the WEP stream cipher to produce the encrypted CipherText
• If CipherText is XORed with guessed PlainText, the stream cipher can be derived

UC Berkeley Study
(Figure: the bit-flipping attack step by step.)
• Bit-flipped frame sent
• Attacker anticipates response from upper layer device and attempts to derive key
• Frame passes ICV; forwarded to destination MAC
• Upper layer protocol fails CRC; sends predictable error message to source MAC
• AP WEP-encrypts response and forwards to source MAC
Wireless Spoofing

Wireless Spoofing
• The attacker constructs frames by filling selected fields that contain addresses or identifiers with legitimate-looking but non-existent values, or with legitimate values that belong to others.
• The attacker would have collected these legitimate values through sniffing.

MAC Address Spoofing
• Probing is sniffable by the sys admins.
• Attacker wishes to be hidden.
• Use the MAC address of a legitimate card.
• APs can filter based on MAC addresses.

IP spoofing
• Replacing the true IP address of the sender (or, in some cases, the destination) with a different address.
• Defeats IP address based trust.
• IP spoofing is an integral part of many attacks.

Frame Spoofing
• Frames themselves are not authenticated in 802.11.
• Construction of the byte stream that constitutes a spoofed frame is facilitated by libraries.
• The difficulty here is not in the construction of the contents of the frame, but in getting it radiated (transmitted) by the STA or an AP. This requires control over the firmware.

Wireless Network Probing

Wireless Network Probing
• Send cleverly constructed packets to a target that trigger useful responses.
• This activity is known as probing or active scanning.
• The target can discover that it is being probed.

Active Attacks
• Attacker can connect to an AP and obtain an IP address from the DHCP server.
• A business competitor can use this kind of attack to get the customer information which is confidential to an organization.

Detection of SSID
• Beacon transmission is disabled, and the attacker does not wish to wait …
• Inject a probe request frame using a spoofed source MAC address.
• The probe response frame from the APs will contain, in the clear, the SSID and other information similar to that in the beacon frames.

Detection of APs and stations
• Certain bits in the frames identify that the frame is from an AP.
• If we assume that WEP is either disabled or cracked, the attacker can also gather the IP addresses of the AP and the stations.

Detection of Probing
• The frames that an attacker injects can be sniffed by a sys admin.
• GPS-enabled equipment can identify the physical coordinates of a transmitting device.
AP Weaknesses

Poorly Constructed WEP keys
• The default WEP keys used are often too trivial.
• APs use simple techniques to convert the user’s keyboard input into a bit vector. Usually 5 or 13 ASCII printable characters are directly mapped by concatenating their ASCII 8-bit codes into a 40-bit or 104-bit WEP key.
• A stronger 104-bit key can be constructed from 26 hexadecimal digits.
• It is possible to form an even stronger 104-bit WEP key by truncating the MD5 hash of an arbitrary-length pass phrase.

Defeating MAC Filtering
• Typical APs permit access to only those stations with known MAC addresses.
• Easily defeated by the attacker: he spoofs his frames with a MAC address that is registered with the AP, from among the ones that he collected through sniffing.
• That a MAC address is registered can be detected by observing the frames from the AP to the stations

Rogue Networks
• Rogue AP = an unauthorized access point
• Network users often set up rogue wireless LANs to simplify their lives
• Rarely implement security measures
• Network is vulnerable to War Driving and sniffing, and you may not even know it
• Trojan AP = Rogue AP with malicious intent

Trojan AP Mechanics
• Create a competing wireless network. AP can be an actual AP or HostAP of Linux
• Create or modify captive portal behind AP
• Redirect users to “splash” page
• DoS or theft of user credentials, or …
• Bold attacker will visit ground zero. Not-so-bold will drive by with an amp.

Equipment Flaws
• Numerous flaws in equipment from well-known manufacturers
• Search on “access point vulnerabilities”
• Ex 1: Receiving a request for a file named config.img via TFTP, an AP sends its configuration. The image includes the administrator’s password required by the HTTP user interface, the WEP encryption keys, MAC address, and SSID.
• Ex 2: An AP returns the WEP keys, MAC filter list, administrator’s password when sent a UDP packet to port 27155 containing the string “gstsearch”.
Denial of Service

Denial of Service
• A system is not providing services to authorized clients because of resource exhaustion by unauthorized clients.
• DoS attacks are difficult to prevent
• Difficult to stop an on-going attack
• Victim and its clients may not even detect the attacks
• Duration may range from milliseconds to hours.
• A DoS attack against an individual station enables session hijacking

Jamming
• The hacker can use a high power RF signal generator to interfere with the ongoing wireless connection, making it useless.
• Can be avoided only by physically finding the jamming source.

Flooding with Associations
• AP inserts the data supplied by the STA in the Association Request into a table called the association table
• 802.11 specifies a maximum value of 2007 concurrent associations to an AP. The actual size of this table varies among different models of APs.
• When this table overflows, the AP would refuse further clients
• Attacker authenticates several non-existing STAs using legitimate-looking but randomly generated MAC addresses. The attacker then sends a flood of spoofed associate requests so that the association table overflows
• Enabling MAC filtering in the AP will prevent this attack

Deauth/Disassoc Management frame
• Attacker must spoof AP MAC address in Src Addr and BSSID
• Sequence Control field handled by firmware (not set by attacker)

Forged Disassociation
• Attacker sends a spoofed Disassociation frame where the source MAC address is set to that of the AP.
• To prevent Reassociation, the attacker continues to send Disassociation frames for a desired period.

Forged Deauthentication
• After an Association Response frame is observed, the attacker sends a spoofed Deauthentication frame where the source MAC address is spoofed to that of the AP.
• The station is now unassociated and unauthenticated, and needs to reconnect.
• To prevent a reconnection, the attacker continues to send Deauthentication frames for a desired period.
• Neither MAC filtering nor WEP protection will prevent this attack

First Stage – Deauth Attack
(Figure: Airopeek trace of the Deauth attack.)

First Stage – Deauth Attack
(Figure: decode of the Deauthentication frame.)

Power Management
• Power-management schemes place a system in sleep mode when no activity occurs
• The Client can be configured to be in continuous aware mode (CAM) or Power Save Polling (PSP) mode

Power Saving
• Attacker steals packets for a station while the station is in the Doze state.
• The 802.11 protocol requires a station to inform the AP through a successful frame exchange that it wishes to enter the Doze state from the Active state.
• Periodically the station awakens and sends a PS-Poll frame to the AP. The AP will transmit in response the packets that were buffered for the station while it was dozing.
• This polling frame can be spoofed by an attacker, causing the AP to send the collected packets and flush its internal buffers.
• An attacker can repeat these polling messages so that when the legitimate station periodically awakens and polls, the AP will inform it that there are no pending packets.
Man-in-the-Middle Attacks

Man-in-the-Middle Attacks
• Attacker on host X inserts X between all communication between hosts B and C, and neither B nor C is aware of the presence of X.
• All messages sent by B do reach C, but via X, and vice versa.
• The attacker can merely observe the communication or modify it before sending it out.

Wireless MITM Attack
• A hacker uses a Trojan AP to hijack mobile nodes by sending a stronger signal than the actual AP is sending to those nodes.
• The clients then associate with the Trojan AP, sending their data into the wrong hands.

Wireless MITM Attack
• Assume that station B was authenticated with C, a legitimate AP.
• Attacker X is a laptop with two wireless cards. Through one card, he presents X as an AP.
• Attacker X sends Deauthentication frames to B using C’s MAC address as the source, and the BSSID he has collected.
• B is deauthenticated and begins a scan for an AP, and may find X on a channel different from C.
• There is a race condition between X and C. If B associates with X, the MITM attack succeeded.
• X will re-transmit the frames it receives from B to C. These frames will have a spoofed source address of B.

First Stage – Deauth Attack
• Attack machine uses vulnerabilities to get information about AP and clients.
• Attack machine sends deauthentication frames to victim using the AP’s MAC address as the source

Second Stage – Client Capture
• Victim’s 802.11 card scans channels to search for a new AP
• Victim’s 802.11 card associates with the Trojan AP on the attack machine
• Attack machine’s fake AP is duplicating the MAC address and ESSID of the real AP
• Fake AP is on a different channel than the real one

Third Stage – Connect to AP
• Attack machine associates with the real AP using the MAC address of the victim’s machine.
• Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper level protocols

The Monkey-Jack Attack

Monkey-Jack Detection
• Why do I hear my MAC Address as the Src Addr? Is this an attack? Am I being spoofed?

Beginning of a MITM IDS Algorithm
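The Monkey-Jack indicators from the slides above (a deauthentication burst, the firmware-set Sequence Control counter, the same BSSID beaconing on a second channel, and a station hearing its own MAC as source) turned into detection heuristics in Python, as an added example rather than the deck’s IDS algorithm. The frame records are constructed, and the window and threshold values are assumed tuning values.

```python
from collections import defaultdict, deque
from typing import Dict, List, Optional

# Tuning values are assumptions for this example, not figures from the deck.
DEAUTH_WINDOW_S = 1.0    # sliding window for counting Deauthentication/Disassociation frames
DEAUTH_THRESHOLD = 5     # frames per window from one BSSID before alerting
SEQ_JUMP_LIMIT = 100     # largest plausible forward step of the 12-bit sequence number


def seq_forward_distance(prev: int, cur: int) -> int:
    """Distance from prev to cur modulo 4096; a step backwards shows up as a large value."""
    return (cur - prev) % 4096


def frame(t: float, subtype: str, ta: str, bssid: str, seq: int,
          channel: Optional[int] = None, ssid: Optional[str] = None) -> Dict:
    """A decoded-frame record: time, subtype, transmitter (Addr 2), BSSID, sequence number."""
    return {"t": t, "subtype": subtype, "ta": ta, "bssid": bssid, "seq": seq,
            "channel": channel, "ssid": ssid}


def analyze(frames: List[Dict], own_mac: str) -> List[str]:
    alerts: List[str] = []
    deauth_times = defaultdict(deque)   # bssid -> times of recent deauth/disassoc frames
    last_seq: Dict[str, int] = {}       # transmitter -> last sequence number seen
    beacon_channels = defaultdict(set)  # bssid -> channels it has been seen beaconing on
    for f in frames:
        t, ta, bssid, seq = f["t"], f["ta"], f["bssid"], f["seq"]
        # (1) Our own MAC as transmitter: another radio is using our address (third stage).
        if ta == own_mac:
            alerts.append(f"t={t:.2f}: frame from {ta}, but that is our own MAC (address spoofing)")
        # (2) Sequence Control is set by firmware, so two radios claiming one address
        #     produce interleaved counters that jump back and forth.
        if ta in last_seq:
            d = seq_forward_distance(last_seq[ta], seq)
            if d > SEQ_JUMP_LIMIT:      # retransmissions repeat the number (d == 0): fine
                alerts.append(f"t={t:.2f}: sequence jump {last_seq[ta]}->{seq} for {ta} (second transmitter?)")
        last_seq[ta] = seq
        # (3) A burst of Deauthentication/Disassociation frames from one BSSID (first stage).
        if f["subtype"] in ("Deauthentication", "Disassociation"):
            recent = deauth_times[bssid]
            recent.append(t)
            while recent and t - recent[0] > DEAUTH_WINDOW_S:
                recent.popleft()
            if len(recent) == DEAUTH_THRESHOLD:
                alerts.append(f"t={t:.2f}: {len(recent)} {f['subtype']} frames from {bssid} "
                              f"within {DEAUTH_WINDOW_S}s (forged deauth/disassoc flood)")
        # (4) The same BSSID beaconing on a second channel: the fake AP of the second stage.
        if f["subtype"] == "Beacon":
            seen = beacon_channels[bssid]
            if seen and f["channel"] not in seen:
                alerts.append(f"t={t:.2f}: BSSID {bssid} ({f['ssid']}) also beaconing on channel "
                              f"{f['channel']}, previously {sorted(seen)} (duplicate AP?)")
            seen.add(f["channel"])
    return alerts


# Constructed sample capture (hypothetical addresses): a legitimate AP on channel 6, a
# Trojan AP cloning its BSSID and ESSID on channel 11, a deauth burst sent with the AP's
# address, and finally our own MAC address used by another station.
AP_MAC = "00:11:55:00:aa:01"
STA_MAC = "00:16:66:00:bb:02"
SAMPLE_FRAMES = [
    frame(0.00, "Beacon", AP_MAC, AP_MAC, 1500, 6, "example-wlan"),
    frame(0.10, "Beacon", AP_MAC, AP_MAC, 1501, 6, "example-wlan"),
    frame(0.15, "Beacon", AP_MAC, AP_MAC, 40, 11, "example-wlan"),     # Trojan AP
    frame(0.20, "Beacon", AP_MAC, AP_MAC, 1502, 6, "example-wlan"),
] + [frame(0.21 + 0.01 * i, "Deauthentication", AP_MAC, AP_MAC, 41 + i) for i in range(5)] + [
    frame(0.30, "Beacon", AP_MAC, AP_MAC, 1503, 6, "example-wlan"),
    frame(0.40, "Association Request", STA_MAC, AP_MAC, 7),              # not sent by us
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_FRAMES, STA_MAC):
        print(line)
```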
WiFi Security 128
ARP Poisoning ARP poisoning is an attack technique that
corrupts the ARP cache that the OS maintains with wrong MAC addresses for some IP addresses.
ARP cache poisoning is an old problem in wired networks.
ARP poisoning is one of the techniques that enables the man-in-the-middle attack.
ARP poisoning on wireless networks can affect wired hosts too.
Session Hijacking
Session hijacking occurs when an attacker causes a user to lose his connection, and the attacker assumes his identity and privileges for a period.
An attacker temporarily disables the user’s system, say by a DoS attack or a buffer overflow exploit. The attacker then takes the identity of the user. The attacker now has all the access that the user has. When he is done, he stops the DoS attack and lets the user resume. The user may not detect the interruption if the disruption lasts no more than a couple of seconds.
Hijacking can be achieved by a forged-disassociation DoS attack. Corporate wireless networks are set up so that the user is directed to an authentication server when his station attempts a connection with an AP. After the authentication, the attacker employs the session hijacking described above using spoofed MAC addresses.
War Driving
“The benign act of locating and logging wireless access points while in motion.” -- (http://www.wardrive.net/)
Of course useful to attackers.
Drive around (or walk)
Possible: 10 mile range using a parabolic dish antenna.
“PC cards” vary in power: 25mW -- 100mW
Wireless Hacking Tools
802.11 Attack Freeware
Many are also open source
Airsnort (Linux)
WEPcrack (Linux)
Kismet (Linux)
Wellenreiter (Linux)
NetStumbler (Windows)
MiniStumbler (PocketPC)
BSD-Airtools (*BSD)
Aerosol (Windows)
WiFiScanner (Linux)
BackTrack 5 Linux Penetration Tools Distro
Details of a few follow
802.11 Network Security Tools
AiroPeek / AiroPeek NX: Wireless frame sniffer / analyzer, Windows
AirTraf: Wireless sniffer / analyzer / “IDS”
AirSnort: WEP key “cracker”
BSD Airtools: Ports for common wireless tools, very useful
Airsnarf
Simplifies HostAP, httpd, dhcpd, Net::DNS, and iptables setup
Simple example of a rogue AP
Ettercap
Ettercap is a suite for man-in-the-middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.
libradiate
Radiate is a C library similar in practice to Libnet but designed for "802.11 frame reading, creation and injection."
Libnet builds layer 3 and above
Libradiate builds 802.11 frames
Disperse, an example tool built using libradiate, is fully functional
libradiate Frame types and subtypes
Beacon: transmitted often, announcing a WLAN
Probe request: A client frame - "anyone out there?"
Association: client and server exchange - "can i play?"
Disassociate: "no soup for you!"
RTS/CTS: ready/clear to send frames
ACK: Acknowledgement
Radiate allows construction of these frames very easily.
netstumbler
Access point enumeration tool, Windows, free
Supports GPS but lacks features required by a real wireless security hacker...
http://www.netstumbler.com
stumbverter (2002)
thanks to fr|tz @ www.mindthief.net for map data!
http://wigle.net/
Wireless Geographic Logging Engine: Making maps of wireless networks since 2001
45 Million Wifi Networks! Sep 27, 2011
Download Wigle Wifi for Android
Download the JiGLE Java Client
Download the DiGLE Windows Native client
kismet: wireless network sniffer
Segregates traffic
Detects IP blocks
Decloaks SSIDs
Detects factory default configurations
Detects netstumbler clients
Maps wireless points
http://kismetwireless.net/
air-jack
A family of tools based on the air-jack driver
wlan-jack: spoofs a deauthentication frame to force a wireless user off the net
essid-jack: wlan-jacks a victim then sniffs the SSID when the user reconnects
Monkey-jack: wlan-jacks a victim, then plays man-in-the-middle between the attacker and the target
kracker-jack: monkey-jacks a WLAN connection
http://802.11ninja.net/
http://www.blackhat.com/presentations/bh-usa-02/baird-lynn/bh-us-02-lynn-802.11attack.ppt
Wireless Security Best Practices
Location of the APs
Network segmentation
Treat the WLAN as an untrusted network
RF signal shaping
Continually check for unauthorized (“rogue/Trojan”) APs
Proper Configuration
Change the default passwords
Use WEP, however broken it may be
Don't use static keys, change them frequently
Don't allow connections with an empty SSID
Don't broadcast your SSID
Use a VPN and MAC address filtering with strong mutual authentication
Wireless IDS/monitoring (e.g., www.airdefense.net)
Proper Configuration
Most devices have multiple management interfaces: HTTP, Telnet, FTP, TFTP, SNMP
Disable unneeded services / interfaces
Stay current with patches
Remedies
Secure Protocol Techniques
Encrypted messages
Digitally signed messages
Encapsulation/tunneling
Use strong authentication
Wireless IDS
A wireless intrusion detection system (WIDS) is often a self-contained computer system with specialized hardware and software to detect anomalous behavior.
The special wireless hardware is more capable than the commodity wireless card, including the RF monitor mode, detection of interference, and keeping track of signal-to-noise ratios.
It also includes GPS equipment so that rogue clients and APs can be located.
A WIDS includes one or more listening devices that collect MAC addresses, SSIDs, features enabled on the stations, transmit speeds, current channel, encryption status, beacon interval, etc.
Wireless IDS
The WIDS computing engine should be powerful enough that it can dissect frames and WEP-decrypt them into IP and TCP components. These can be fed into TCP/IP related intrusion detection systems.
Unknown MAC addresses are detected by maintaining a registry of MAC addresses of known stations and APs.
Can detect spoofed known MAC addresses because the attacker cannot control the firmware of the wireless card to insert the appropriate sequence numbers into the frame.
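An added example, not code from the talk, sketching the MITM IDS idea from these Wireless IDS slides and the Monkey-Jack detection question (own MAC heard as source): a registry of known MACs, a sequence-number continuity check on the 12-bit 802.11 counter, a deauth-burst counter, and a station noticing its own address used by someone else. The MAC addresses, frame records and thresholds are constructed; the sequence-number check is only as strong as the slide's assumption that the spoofing card's firmware sets its own counter.

```python
from collections import defaultdict
# Constructed addresses for the scenario on the MITM slides: AP C, station B
# (where this sensor runs) and an unregistered station. Not real devices.
AP_C = "00:11:22:33:44:55"
STA_B = "66:77:88:99:aa:bb"
STRANGER = "de:ad:be:ef:00:01"
KNOWN_MACS = {AP_C, STA_B}   # the WIDS registry of known stations and APs
DEAUTH_BURST = 3             # assumed threshold: deauths from one source per capture
SEQ_JUMP = 200               # assumed threshold on the 12-bit 802.11 sequence counter

def analyze(frames, known_macs, our_mac):
    """Return (alert, frame_index) pairs. A frame record is
    {"type": "data"|"deauth", "src": MAC, "seq": int, "ours": bool},
    where "ours" marks frames this station transmitted itself."""
    alerts, last_seq, deauths, seen_unknown = [], {}, defaultdict(int), set()
    for i, f in enumerate(frames):
        src, seq = f["src"], f["seq"]
        # Monkey-Jack symptom: our own MAC used as source by someone else.
        if src == our_mac and not f.get("ours", False):
            alerts.append(("own-mac-spoofed", i))
        # Forged deauthentication flood from (what claims to be) the AP.
        if f["type"] == "deauth":
            deauths[src] += 1
            if deauths[src] == DEAUTH_BURST:
                alerts.append(("deauth-burst", i))
        # Known MAC whose sequence counter jumps: a second radio uses the address.
        if src in known_macs:
            prev = last_seq.get(src)
            if prev is not None and (seq - prev) % 4096 > SEQ_JUMP:
                alerts.append(("seq-anomaly", i))
            last_seq[src] = seq
        elif src not in seen_unknown:   # registry miss, reported once per MAC
            seen_unknown.add(src)
            alerts.append(("unknown-mac", i))
    return alerts

def sample_frames():
    """Constructed capture: real C traffic, attacker X forging deauths as C,
    C continuing, X relaying frames as B, then an unregistered station."""
    return [
        {"type": "data",   "src": AP_C,     "seq": 10},
        {"type": "data",   "src": STA_B,    "seq": 100, "ours": True},
        {"type": "deauth", "src": AP_C,     "seq": 3000},  # forged by X
        {"type": "deauth", "src": AP_C,     "seq": 3001},  # forged by X
        {"type": "deauth", "src": AP_C,     "seq": 3002},  # forged by X
        {"type": "data",   "src": AP_C,     "seq": 14},    # the real C
        {"type": "data",   "src": STA_B,    "seq": 2000},  # X relaying as B
        {"type": "data",   "src": STRANGER, "seq": 7},
    ]
```

Both the forged deauths and the real AP's next frame trip the sequence check, which is what an interleaved second radio looks like on the air.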
Wireless Auditing
Periodically, every wireless network should be audited. Several audit firms provide this service for a fee.
A security audit begins with a well-established security policy.
A policy for wireless networks should include a description of the geographical volume of coverage.
The goal of an audit is to verify that there are no violations of the policy.
IEEE 802.1X
General-purpose port-based network access control mechanism for 802 technologies
Authentication is mutual: both the user (not the station) and the AP authenticate to each other.
supplicant - entity that needs to be authenticated before the LAN access is permitted (e.g., station);
authenticator - entity that supports the actual authentication (e.g., the AP);
authentication server - entity that provides the authentication service to the authenticator (usually a RADIUS server).
IEEE 802.1X
Extensible Authentication Protocol (EAP)
Can provide dynamic encryption key exchange, eliminating some of the issues with WEP
Roaming is transparent to the end user
Microsoft includes support in Windows
802.1x Architecture
Cisco LEAP Overview
Provides centralized, scalable, user-based authentication
Algorithm requires mutual authentication
Network authenticates client, client authenticates network
Uses 802.1X for 802.11 authentication messaging
APs will support WinXP’s EAP-TLS also
Dynamic WEP key support with WEP key session timeouts
LEAP Authentication Process
(Figure: message flow between Client, AP and RADIUS Server. The AP blocks all requests until authentication completes.)
Start
Request Identity
Identity
RADIUS Server Authenticates Client
Client Authenticates RADIUS Server
Derive Key (client) / Derive Key (RADIUS server)
Key Length
Broadcast Key: AP sends client broadcast key, encrypted with session key
IEEE 802.11i
Ratified: 2004
Replaces broken WEP and stopgap measures such as WPA
Mutual authentication: EAP-TLS/802.1X/RADIUS
Data confidentiality and integrity: CCMP (special mode of AES) replaces TKIP
Key management protocols: Discovery and Negotiation, Coordination with Authentication
802.11i
Takes base 802.1X and adds several features
Wireless implementations are divided into two groups: legacy and new
Both groups use 802.1X for credential verification, but the encryption method differs
Legacy networks must use 104-bit WEP, TKIP and MIC
New networks will be the same as legacy, except that they must replace WEP/TKIP with AES-OCB (the Advanced Encryption Standard in OCB mode)
802.11i Architecture
(Figure: layered view. Physical layer: PHY, PMD. Data Link layer: MAC, MAC_SAP, 802.1X Uncontrolled Port, 802.1X Controlled Port, Station Management Entity, 802.1X Authenticator/Supplicant, 802.11i State Machines, WEP/TKIP/CCMP, Data, TK.)
PTK = PRF(PMK)
PTK = KCK | KEK | TK
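An added example, not from the slides, of the key derivation the architecture figure summarizes as PTK = PRF(PMK) with PTK = KCK | KEK | TK. The PRF (HMAC-SHA1 over label || 0x00 || data || counter) and the label "Pairwise key expansion" are those of IEEE 802.11i; the PMK, MAC addresses and nonces below are constructed demo values.

```python
import hmac
import hashlib

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, 2, ... and truncate to nbytes (PRF-384 when nbytes == 48)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise Transient Key for CCMP: PTK = PRF-384(PMK) split into
    KCK | KEK | TK (16 bytes each). aa/spa are the AP's and station's MAC
    addresses, anonce/snonce the 4-way handshake nonces; each pair is
    sorted so that both sides of the handshake compute the same PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"PTK": ptk, "KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

# Constructed demo values, not real keys or devices. A real WPA-PSK PMK comes
# from PBKDF2 of the passphrase; SHA-256 here just yields a 32-byte stand-in.
DEMO_PMK = hashlib.sha256(b"constructed demo PMK").digest()
DEMO_AA = bytes.fromhex("001122334455")        # AP (authenticator) MAC
DEMO_SPA = bytes.fromhex("66778899aabb")       # station (supplicant) MAC
DEMO_ANONCE = bytes(range(32))                 # would be random in a handshake
DEMO_SNONCE = bytes(range(32, 64))
```

The KCK is what authenticates the handshake's EAPOL-Key messages and the KEK what wraps the group key, so a WIDS that decrypts CCMP traffic needs the TK, not the PMK alone.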
Wi-Fi Protected Access (WPA)
2003
Security solution based on IEEE standards
Replacement for WEP
Designed to run on existing hardware as a software upgrade, Wi-Fi Protected Access is derived from and expected to be compatible with the IEEE 802.11i standard
TKIP (Temporal Key Integrity Protocol)
User authentication via 802.1X and EAP
WPA2
2004
All of WPA
Support for CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) based on AES cipher as an alternative to TKIP
Temporal Key Integrity Protocol (TKIP)
128-bit shared secret – “temporal key” (TK)
Mixes the transmitter's MAC address with TK to produce a Phase 1 key.
The Phase 1 key is mixed with an initialization vector (IV) to derive per-packet keys.
Each key is used with RC4 to encrypt one and only one data packet.
Defeats the attacks based on “Weaknesses in the key scheduling algorithm of RC4” by Fluhrer, Mantin and Shamir
TKIP is backward compatible with current APs and wireless NICs
Message Integrity Check (MIC)
MIC prevents bit-flip attacks
Implemented on both the access point and all associated client devices, MIC adds a few bytes to each packet to make the packets tamper-proof.