Posted: 14-Jul-2015 | Category: Internet | Uploaded by: nexussecurity
neXus ADVANCED SECURITY TRAINING
The State of Wireless Client Security in Mobile Device
“Alice in 802.11 land”
Dennis Verslegers
Filip Waeytens
Who are we?
This talk is about
• Overview of the current state of the technology
• Overview of existing attacks against the infrastructure
• Overview of existing attacks against the client
• Overview of the current tools and defences
This talk is NOT about
• Explaining in depth how wifi works
• Introducing some new fancy NSA style attack
A short refresh on 802.11
Frame types
• Management Frames: Allow for the maintenance of communication
• Control Frames: Facilitate the exchange of data frames
• Data Frames: Carry packets with data (files, webpages…)
Management Frames
• Beacon: AP says: “Yo, I’m here, and I do blahblahblah”
• Probe: request/response: STA says: “Hey, are you in range and can you do blah?”. AP says: “I’m in range and do blahblahblah”.
• Authentication: request/response: STA says: “I want to identify myself and here’s my key (if any)”. AP says: “ok or not ok”.
• (Re-)Association: request/response: STA says: “I want to connect doing blahblahblah and I want to register with you”. AP says: “ok or not ok”.
• De-Authentication / Dis-Association: “I don’t want to be associated/authenticated anymore”.
Infrastructure Attacks
Wired Equivalent Privacy (WEP)
“Its intention was to provide data confidentiality comparable to that of a traditional wired network.”
source: Wikipedia
How it works
• In (standard) WEP the RC4 seed consists of the 40-bit key + a 24-bit initialisation vector (IV)
• This seed is used to generate a pseudo-random stream of bits (the keystream)
• This stream is then XORed with the plaintext and the result is sent to the receiver
The flaws
• Keys are spread on every system, generally not the best security practice
• Easy entry of secret keys: input is done via 5 ASCII characters, each representing 8 bits -> 40 bits. Issue: printable ASCII characters only cover a very small part of the possible byte values, a.k.a. we reduce the key space
Rule #1 for stream ciphers
keys must never be used twice
The flaws
• Because the IV is only 24 bits long, there is a 50% probability of reusing an IV after about 5000 packets
• a.k.a. every 5000 packets we use the same key (the same RC4 seed, and thus the same keystream)
• very much crackable
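To put numbers on the two flaws above, here is an added Python example (not part of the original slides): it computes the birthday-bound probability that a 24-bit IV repeats after a given number of packets, the fraction of the 40-bit key space that is reachable when the key is typed as 5 printable ASCII characters, and shows on a toy keystream why reusing a stream-cipher seed leaks the XOR of the two plaintexts. The 95-character printable alphabet and the keystream are constructed for the example; no RC4 is involved.

```python
import math

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS  # 16,777,216 possible initialisation vectors


def iv_collision_probability(packets: int, iv_space: int = IV_SPACE) -> float:
    """Birthday bound: probability that at least two of `packets` randomly chosen
    IVs are identical, i.e. that the same RC4 seed (key + IV) is used twice."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * iv_space))


def packets_until_probability(p: float, iv_space: int = IV_SPACE) -> int:
    """Smallest packet count after which a repeated IV has probability at least p."""
    return math.ceil(math.sqrt(-2.0 * iv_space * math.log(1.0 - p)))


def printable_key_fraction(chars: int = 5, alphabet: int = 95) -> float:
    """Fraction of the 40-bit key space a user can actually reach when the key is
    typed as 5 printable ASCII characters (95 printable characters assumed)."""
    return alphabet ** chars / 2 ** (8 * chars)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(p1: bytes, p2: bytes, keystream: bytes) -> bytes:
    """Encrypt two plaintexts with the same keystream and XOR the ciphertexts.
    The keystream cancels out, so an observer learns p1 XOR p2 without the key,
    which is why rule #1 for stream ciphers is 'never reuse a key (seed)'."""
    c1 = xor_bytes(p1, keystream)
    c2 = xor_bytes(p2, keystream)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    print(f"P(IV repeat) after 5000 packets: {iv_collision_probability(5000):.2f}")
    print(f"packets for a 50% chance of a repeat: {packets_until_probability(0.5)}")
    print(f"reachable fraction of the 40-bit key space: {printable_key_fraction():.4f}")
    # constructed sample data: a toy keystream, not RC4 output
    keystream = bytes(range(7, 7 + 16))
    leak = keystream_reuse_leak(b"ARP request 1234", b"ARP request 5678", keystream)
    print("p1 XOR p2 recovered:", leak == xor_bytes(b"ARP request 1234", b"ARP request 5678"))
```

The birthday bound gives a repeated IV with 50% probability after roughly 4,800 packets, which is the "5000 packets" figure on the slide; 5 printable characters reach under 1% of the 40-bit key space.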
How the industry solved it
Deprecated as they fail to meet their security goals
Move on to WPA or WPA2
How to break it
• FMS attack
• KoreK attack
• ChopChop attack
• Fragmentation attack
• PTW attack
How to break it
• Step 1: make sure you are in range of the access point (doh!)
• Step 2: set yourself up with a wireless adapter in monitor mode (listen to everyone chatting)
• Step 3: be patient and wait until you have sufficient IVs (remember the 5000 packets rule)
• Step 4: crack the captured traffic
How to break it
• Fortunately there is an alternative for step 3:
  – Associate yourself with the access point: if you are not associated, the AP ignores your packets and sends out deauthentication packets in clear text
  – Replay ARP packets which you see on the network: ARP packets are great because they will be rebroadcast by the access point, and many IVs will be generated in a very short timeframe
The tools
• Excellent script kiddie material!
  – first a toolkit which required some knowledge of the actual attack: aircrack
  – after that many, many more ‘automated’ scripts, e.g. wepcrack, fern, gerix, wifite, …
Does this still work?
Let’s find out
Does this still work?
• 30 minutes walk
• 1k+ wireless networks identified
• +/- 5.5% or 58 wireless networks were (un)protected by WEP
Does this still work? (screenshot of WEP network names seen: Bureau HILLAWI; Eurada_WiFi LAPOSTE; ITB ZyXEL; 34_Second_Floor; Le Paddock EUROCHILD eurocapital CS Belgium Meetingroom; Belkin_G_Plus_MIM... Thomson84B046)
Wi-Fi Protected Access (WPA/WPA2)
The answer to WEP
How it works
The core changes
• integrity checks were added to defeat forgeries
• protection against replay attacks was added
• improved encryption key solution was introduced
• for WPA2: AES was used instead of TKIP
How to break it
• Attacks against the algorithm of WPA:
– Beck and Tews’ attack
  – Ohigashi-Morii attack
– Michael Attacks
– The Hole196 vulnerability
The flaw
• WPA-PSK / WPA2-PSK:
• Weak(er) pass-phrases may be cracked using dictionary attacks.
• Mainly pass-phrases of 20 characters or less are vulnerable
How to break it
Before we begin:
• the passphrase is only used during the initial authentication handshake, so we will need to intercept one of those
• the passphrase used for the pre-shared key must be present in our dictionary or be of a short(er) length
How to break it
• Step 1: make sure you are in range of the access point (doh!)
• Step 2: set yourself up with a wireless adapter in monitor mode (listen to everyone chatting)
• Step 3: be patient and wait until you have a client performing authentication
• Step 4: brute force the pre-shared key using the captured authentication handshake
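Why a passphrase of limited length is the weak point: in WPA/WPA2-PSK the 256-bit pairwise master key (PMK) is derived from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations, and the four-way handshake only proves possession of that PMK. The added Python example below (not from the original slides) derives the PMK with that standard construction, checks it against the IEEE 802.11i test vector, shows that the same passphrase gives a different PMK under a different SSID (so precomputed tables are per-SSID), and applies the talk's length recommendation as a policy check. The policy function and its threshold of more than 20 characters are this example's reading of the slide, not a standard.

```python
import hashlib
import math
import secrets
import string


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key, as specified in IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), 4096, dklen=32)


def meets_length_policy(passphrase: str, minimum: int = 21) -> bool:
    """Policy check derived from the slides: passphrases of 20 characters or less
    are considered vulnerable, so require at least 21 (assumption of this example)."""
    return len(passphrase) >= minimum


def random_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase. The 4096 PBKDF2 iterations add only
    about 12 bits of work per guess, so length is what keeps dictionary attacks out."""
    return length * math.log2(alphabet_size)


def generate_passphrase(length: int = 24) -> str:
    """Random passphrase from letters and digits (62 symbols), long enough for the policy."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    print("same passphrase, other SSID:", derive_pmk("password", "ieee").hex())
    candidate = generate_passphrase()
    print(candidate, meets_length_policy(candidate), f"{random_entropy_bits(24, 62):.1f} bits")
```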
How to break it
• Fortunately there is an alternative for step 3:
– Deauthenticate a wireless client
But wait, wasn’t there something called WPS?
convenience kills security
How it works
The flaw
• 8-digit PIN code + 60 seconds time-out after 3 failed attempts = 6.3 years required to crack the PIN
• For some reason the PIN code has been split in 2 sets of 4 digits … Hmmmm
• The router tells you when you found the first 4: a great checkpoint. Now we only need 1 day to crack the PIN …
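The two figures on this slide follow from the lockout rule once the PIN structure is known: the 8th digit of a WPS PIN is a checksum of the other seven, so a monolithic PIN has 10^7 candidates, and the registrar acknowledges the first half (4 digits) and the second half (3 digits plus checksum) separately. The added Python example below (not part of the original slides) reproduces the 6.3 years and the roughly one day from the talk's own parameters (60 s lockout after 3 failed attempts); the checksum and the 4+3 split are taken from the WPS specification, and "about one day" corresponds to the average case of the split search. The last function answers the defender's question of how long a lockout would be needed to make the split search take a year.

```python
LOCKOUT_SECONDS = 60        # slide: 60 s time-out ...
ATTEMPTS_PER_LOCKOUT = 3    # ... after 3 failed attempts
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

FIRST_HALF_CANDIDATES = 10 ** 4   # digits 1-4, all free
SECOND_HALF_CANDIDATES = 10 ** 3  # digits 5-7 free, digit 8 is a checksum
MONOLITHIC_CANDIDATES = 10 ** 7   # full PIN minus the checksum digit


def search_seconds(candidates: int, average_case: bool = False) -> float:
    """Time to try `candidates` PIN guesses when every 3 failures cost a 60 s lockout."""
    attempts = candidates / 2 if average_case else candidates
    return attempts * LOCKOUT_SECONDS / ATTEMPTS_PER_LOCKOUT


def monolithic_pin_years(average_case: bool = False) -> float:
    """Worst case if the registrar only answered for the complete PIN: the slide's 6.3 years."""
    return search_seconds(MONOLITHIC_CANDIDATES, average_case) / SECONDS_PER_YEAR


def split_pin_days(average_case: bool = False) -> float:
    """Registrar confirms each half separately, so the two searches are additive."""
    total = (search_seconds(FIRST_HALF_CANDIDATES, average_case)
             + search_seconds(SECOND_HALF_CANDIDATES, average_case))
    return total / SECONDS_PER_DAY


def lockout_needed_per_attempt(target_seconds: float = SECONDS_PER_YEAR) -> float:
    """Seconds of delay per attempt that would stretch the split search to `target_seconds`."""
    return target_seconds / (FIRST_HALF_CANDIDATES + SECOND_HALF_CANDIDATES)


if __name__ == "__main__":
    print(f"monolithic PIN, worst case: {monolithic_pin_years():.1f} years")
    print(f"split PIN, worst case: {split_pin_days():.1f} days, average: {split_pin_days(True):.1f} days")
    print(f"delay per attempt needed for a one-year split search: {lockout_needed_per_attempt() / 60:.0f} minutes")
```

Even a lockout of roughly 48 minutes per attempt would only bring the split search back to a year, which is why the practical advice is to disable WPS rather than to rate-limit it.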
The flaw
• To make matters worse:
  – the PIN code in many cases is built-in, no way to change it
  – WPS functionality can, in some cases, not be disabled
  – some routers offering the option to disable WPS … don’t really disable WPS after all
How to break it
Brute Force!
Does this still work?
Let’s find out
Does this still work?
• Same round
• 1055 wireless networks identified
• +/- 18% or 178 wireless networks were using WPS
Does this still work? (screenshot of WPS-enabled network names seen: Cisco Ducale 51 ActuaTV-VP Meetingroom; STELLA Consulting EUROHUB; CONSULTANCY Regency; Misija NATO; Voyager King's Room FurEurope francite Kabinet michel; Act As One Exco II Economic)
EAP / LEAP / PEAP
Extensible Authentication Protocol
How it works
• Replace the pre-shared key with a more corporate-grade authentication system covering:
  – authentication
  – key distribution
• Extensible Authentication Protocol, a.k.a. an authentication framework
LEAP
• Lightweight EAP
  – Credentials are sent using MS-CHAP without SSL tunnel protection
  – User credentials are not strongly protected
  – Offline password cracking possible
PEAP
• Protected EAP
  – EAP is encapsulated in a TLS tunnel (encryption & authentication)
  – Credentials are sent using MS-CHAPv2
EAP
• Many variants available (hence extensible):
  – EAP-TLS: based on certificates and public/private keys
  – EAP-MD5: based on MD5 hashing to pass credentials
  – EAP-IKEv2: based on the Internet Key Exchange Protocol version 2
Flaws & attacks
• EAP overall:
  – communication between access points and RADIUS server(s) relies only on the HMAC-MD5 hashing algorithm in RADIUS implementations = vulnerable to man-in-the-middle attacks
  – users / endpoints are left with the decision whether or not to trust the certificate presented by the authenticator = vulnerable to impersonation attacks
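The second flaw is on the client side: a supplicant that prompts the user to accept whatever server certificate it sees will authenticate to a rogue access point backed by a rogue RADIUS server, and in PEAP the MS-CHAPv2 exchange then runs inside the attacker's TLS tunnel. The usual mitigation is to pin the issuing CA and the expected server name in the supplicant so that no prompt is ever shown. Added example (not from the original slides): a wpa_supplicant network block for PEAP/MS-CHAPv2 that does this; the SSID, identities, password, CA file path and RADIUS server name are placeholders.

```ini
# wpa_supplicant.conf: PEAP with MS-CHAPv2 inside the TLS tunnel (placeholder values)
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # outer identity keeps the real username out of the unencrypted EAP-Identity exchange
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="REPLACE-ME"
    # only a server certificate issued by this CA is accepted; no user prompt is ever shown
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # and that certificate must carry the expected RADIUS server name
    domain_suffix_match="radius.example.com"
}
```

Without ca_cert and domain_suffix_match, wpa_supplicant accepts any server certificate, which is exactly the "decision left to the endpoint" this slide describes; managed Windows and mobile clients need the equivalent settings (trusted root CA plus server name) pushed by policy.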
Last but not least
The wireless access point or router interfaces
APs are no different from the rest
• Default configuration / passwords … far too common
• Web servers embedded in small devices …
• Attacks which tend to work on regular websites also work against admin pages:
  • Cross Site Request Forgery
  • DNS rebinding
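Both attacks named here are cheap to fend off in the device's embedded web server, even without a web framework: DNS rebinding is blocked by refusing requests whose Host header is not one of the device's own names or addresses, and CSRF by requiring an Origin/Referer from the device plus a per-session token on every state-changing request. Added Python example (not from the original slides or any vendor's firmware): the device names, session and form data are constructed placeholders.

```python
import hmac
from typing import Optional
from urllib.parse import urlsplit

# constructed: names and addresses on which this device serves its admin UI
DEVICE_HOSTS = {"192.168.1.1", "router.local"}


def host_header_allowed(host_header: str, allowed=DEVICE_HOSTS) -> bool:
    """DNS-rebinding defence: after the attacker's DNS name is re-pointed at the
    router, the browser still sends the attacker's name in Host. Serve only our own."""
    if not host_header:
        return False
    # urlsplit strips the port, lowercases and handles [ipv6] literals
    hostname = urlsplit("//" + host_header.strip()).hostname
    return hostname in allowed


def origin_allowed(origin_or_referer: Optional[str], allowed=DEVICE_HOSTS) -> bool:
    """CSRF defence 1: a state-changing request must come from a page the device served."""
    if not origin_or_referer:
        return False
    return urlsplit(origin_or_referer).hostname in allowed


def csrf_token_valid(session_token: Optional[str], submitted: Optional[str]) -> bool:
    """CSRF defence 2: per-session token, compared in constant time."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


def authorize_admin_request(headers: dict, form: dict, session: dict) -> bool:
    """Combined gate for any request that changes configuration (DNS servers, admin password, ...)."""
    return (host_header_allowed(headers.get("Host", ""))
            and origin_allowed(headers.get("Origin") or headers.get("Referer"))
            and csrf_token_valid(session.get("csrf"), form.get("csrf")))


if __name__ == "__main__":
    # constructed request: the victim's browser was rebound to the router via attacker.example
    rebound = {"Host": "attacker.example", "Origin": "http://attacker.example"}
    print("rebinding request accepted:", authorize_admin_request(rebound, {"csrf": "t0k3n"}, {"csrf": "t0k3n"}))
    legit = {"Host": "192.168.1.1", "Origin": "http://192.168.1.1"}
    print("legitimate request accepted:", authorize_admin_request(legit, {"csrf": "t0k3n"}, {"csrf": "t0k3n"}))
```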
Further reading
• http://www.iescobar.net/survey%20wifi.pdf
• https://www.matthieu.io/dl/wifi-attacks-wep-wpa.pdf
• https://en.wikipedia.org/wiki/Fluhrer,_Mantin_and_Shamir_attack
• http://dl.aircrack-ng.org/breakingwepandwpa.pdf
• http://www.aircrack-ng.org/doku.php?id=simple_wep_crack
• http://www.aircrack-ng.org/doku.php?id=cracking_wpa&s[]=wpa&s[]=crack
Client Attacks
Major Categories
• Attacking the client directly: wireless card driver attacks
• Attacking the client via “Man in the Middle” attacks (MitM)
Wireless Driver Attacks
• Mostly Buffer Overflow type flaws
• Not trivial: requires deep knowledge at the OS/kernel level
• Vendor specific
• Not much has happened lately
Last public driver BO Exploit dates from 2010
“Man in the Middle” Attacks
• Victim connects to “evil” AP -> attacker has control over the traffic
• Very popular
• = Starting point of 50 shades of exploitation: sniffing, injection, DNS poisoning, …
Popular Attacks
• Free Wifi : because people like free stuff
• Karma/Jasager: because 802.11 is (was?) flawed
• Mana: because Karma is flawed
• Mana-toolkit: attacking secure networks
• Fake Portal: because social engineering is effective
Free Wifi
• How it works: just set up an open AP in a crowded area and people will connect
• Tools needed: Laptop + Kali Linux: hostapd/airbase-ng + iptables + forwarding + dnsmasq
• or get a Pineapple Mark V if you have 99 USD lying around
Freewifi config: Routing and NAT:
# bring up the AP interface (hostapd runs on wlan1, see the next slide) and give it the gateway address
ifconfig wlan1 up
ifconfig wlan1 172.16.50.1/24
# open default policies and flush any existing rules
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables -t nat -F
iptables -F
# NAT client traffic out through the uplink and forward wlan1 -> eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i wlan1 -o eth0 -j ACCEPT   # the original slide had wlan0 here, but the AP lives on wlan1
echo '1' > /proc/sys/net/ipv4/ip_forward
+ run hostapd and dnsmasq (configs next slides)
Freewifi config: hostapd.conf
interface=wlan1
driver=nl80211
ssid=freewifi
channel=1
hw_mode=g
Freewifi config: dnsmasq.conf
log-facility=/var/log/dnsmasq.log
interface=wlan1
dhcp-range=172.16.50.10,172.16.50.250,12h
dhcp-option=3,172.16.50.1
dhcp-option=6,8.8.8.8
log-queries
But I don’t trust “FreeWifi” (1)… Enter the “PNL”
• a.k.a. the Preferred Network List
• Every time we connect to an AP, it gets stored on our device in the PNL
• Our devices “probe” all the time for these networks
• When probing for a specific network, the device sends a probe request with a specific SSID (directed probe)
• Devices also send out null probes: probe requests with SSID=“”
But I don’t trust “FreeWifi” (2)… Enter “Karma”
• Karma attack: an AP that responds positively to all directed probes (a.k.a. “Jasager”)
  Client: Is “Macdonalds” Wifi here?
  Karma AP: Sure, that’s me
  Client: Is “corporate-guest” here?
  Karma AP: Sure, that’s me
What happened (until +/- 2012)
• Clients constantly sent directed probes for all networks in their PNL (Preferred Network List)
• An evil Karma AP responded positively to any directed probe
• Clients automatically (!!) connected to the Karma AP
So, what happened around +/- 2012?
• Vendors silently ‘fixed’ the behaviour in newer OSes: clients only connect when the AP responds to BOTH the directed and the null probe
• Devices stopped constantly sending directed probes. Some stopped sending them altogether (iOS).
• Karma didn’t respond to broadcast null probes
Karma was broken
Hackers ‘fix’ the Karma attack… Enter “Mana”
• Mana = modified hostapd for the Karma attack
• Actually: Mana-toolkit (modded hostapd + a bunch of other tools)
• Mana waits until it sees a directed probe and then responds to both the directed and the broadcast probe
• Probing behaviour still differs greatly between OSes
• Also has a ‘loud mode’: it keeps a list of all SSIDs it sees from all devices and broadcasts them: more chance to hit ‘popular’ SSIDs
Detecting probes
• Wireshark filter for probe requests: wlan.fc.type_subtype == 0x04
• or Python + scapy
• don’t forget to put the interface in monitor mode
Example: Nexus 5 phone with Android OS 4.4.3
• Erratic: directed probes at intervals of 30 seconds to 10 minutes.
So what about hidden SSIDs?
• Hidden networks don’t return an SSID in response to a broadcast probe: the AP only gives the SSID when receiving a directed probe.
• Devices with a hidden network in their PNL need to probe for it specifically
• iOS devices only do this when they see at least 1 hidden network
• Solution: put a hidden network somewhere to get directed probes from iOS devices for hidden networks
Can we get more “victims”? Enter “De-Auth”
• A de-authentication packet is sent to terminate communication between a client and an AP
• It is done via a management packet: cleartext
• Can be spoofed easily
Anyone can de-authenticate anyone. We can disconnect existing connections (until they connect to us).
Deauthentication tools
• Aireplay-ng: e.g. deauth all clients of BSSID 7a:54:2e:9c:31:1f
• mdk3 (“Murder Death Kill”)
• Several scripts
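Both the probe-request filter a few slides back (wlan.fc.type_subtype == 0x04) and the deauthentication frames on this slide can be recognised from the first byte of the 802.11 frame control field, which is what Wireshark's wlan.fc.type_subtype expresses. The added Python example below (not from the original slides, and written without scapy) parses raw management frames and implements two defender-side checks: which clients are leaking their PNL through directed probes, and whether any BSSID is the apparent sender of a flood of deauthentication frames. Sample frames are constructed inline: the client MACs are made-up locally administered addresses and the BSSID 7a:54:2e:9c:31:1f is the one quoted on the slide. Radiotap headers, which a real monitor-mode capture prepends, are assumed to be already stripped.

```python
from collections import Counter, defaultdict

HEADER_LEN = 24          # frame control(2) + duration(2) + addr1/addr2/addr3 (3 x 6) + sequence control(2)
PROBE_REQUEST = 0x04     # Wireshark wlan.fc.type_subtype: type 0 (management), subtype 4
DEAUTHENTICATION = 0x0C  # type 0, subtype 12
BROADCAST = "ff:ff:ff:ff:ff:ff"
TAG_SSID = 0


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def type_subtype(frame: bytes) -> int:
    """Same value Wireshark shows for wlan.fc.type_subtype: (type << 4) | subtype."""
    fc0 = frame[0]
    return (((fc0 >> 2) & 0x3) << 4) | ((fc0 >> 4) & 0xF)


def parse_mgmt(frame: bytes):
    """Split a management frame into (type_subtype, addr1, addr2, addr3, body); None if not management."""
    if len(frame) < HEADER_LEN:
        return None
    ts = type_subtype(frame)
    if ts >> 4 != 0:
        return None
    return (ts, bytes_to_mac(frame[4:10]), bytes_to_mac(frame[10:16]),
            bytes_to_mac(frame[16:22]), frame[HEADER_LEN:])


def parse_tags(body: bytes) -> dict:
    """Tagged parameters: 1-byte id, 1-byte length, value. A truncated tag ends parsing."""
    tags, i = {}, 0
    while i + 2 <= len(body):
        tag_id, tag_len = body[i], body[i + 1]
        if i + 2 + tag_len > len(body):
            break
        tags[tag_id] = body[i + 2:i + 2 + tag_len]
        i += 2 + tag_len
    return tags


def probe_requests(frames):
    """List of (source MAC, SSID); SSID is None for a null probe (empty SSID tag)."""
    found = []
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is None or parsed[0] != PROBE_REQUEST:
            continue
        ssid = parse_tags(parsed[4]).get(TAG_SSID, b"")
        found.append((parsed[2], ssid.decode("utf-8", "replace") or None))
    return found


def pnl_leakers(frames, min_ssids: int = 2) -> dict:
    """Clients sending directed probes for at least `min_ssids` distinct networks."""
    seen = defaultdict(set)
    for src, ssid in probe_requests(frames):
        if ssid:
            seen[src].add(ssid)
    return {src: sorted(s) for src, s in seen.items() if len(s) >= min_ssids}


def deauth_flood(frames, threshold: int = 10) -> dict:
    """BSSIDs (addr3) that appear as sender of at least `threshold` deauthentication frames."""
    counts = Counter()
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is not None and parsed[0] == DEAUTHENTICATION:
            counts[parsed[3]] += 1
    return {bssid: n for bssid, n in counts.items() if n >= threshold}


# --- constructed sample frames (no radiotap header) ---
def build_probe_request(src: str, ssid: str) -> bytes:
    header = (bytes([0x40, 0x00, 0x00, 0x00]) + mac_to_bytes(BROADCAST)
              + mac_to_bytes(src) + mac_to_bytes(BROADCAST) + b"\x00\x00")
    rates = bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])  # supported-rates tag, as a real client adds
    return header + bytes([TAG_SSID, len(ssid)]) + ssid.encode() + rates


def build_deauth(dst: str, bssid: str, reason: int = 7) -> bytes:
    header = (bytes([0xC0, 0x00, 0x00, 0x00]) + mac_to_bytes(dst)
              + mac_to_bytes(bssid) + mac_to_bytes(bssid) + b"\x00\x00")
    return header + reason.to_bytes(2, "little")


SAMPLE_FRAMES = (
    [build_probe_request("02:00:00:00:00:01", "corporate-guest"),
     build_probe_request("02:00:00:00:00:01", "Macdonalds"),
     build_probe_request("02:00:00:00:00:02", "")]
    + [build_deauth(BROADCAST, "7a:54:2e:9c:31:1f") for _ in range(12)]
)

if __name__ == "__main__":
    print("probes:", probe_requests(SAMPLE_FRAMES))
    print("PNL leakers:", pnl_leakers(SAMPLE_FRAMES))
    print("deauth floods:", deauth_flood(SAMPLE_FRAMES))
```

On a live capture the same two functions can run over frames read from a monitor-mode interface; a burst of deauthentication frames addressed to the broadcast address is the signature of the "disconnect everyone until they connect to us" step, and a client probing for several named networks is one whose PNL a Karma-style AP can answer.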
What about secure networks? (SSL)
• A lot of apps use SSL connections
• Login pages / sensitive data: websites use SSL
• An attacker performing MitM cannot read the data directly
• A lot of attacks against SSL lately (BEAST, POODLE, …), but most are impractical (except Heartbleed, which isn’t a MitM attack)
Common attack methods 1: Fake CERT
• Terminate the SSL connection in the middle and present your own certificate.
• Problem: SSL warning popup
• Solution: None.
• But users usually click through annoying popups :)
No Problem :)
Common attack methods 2: SSLSTRIP
• SSLStrip is a proxy in the middle that changes all HTTPS links in HTTP responses to HTTP (it “strips” the SSL)
• Problem:
  » A) works only for redirects to https
  » B) the address in the browser shows as http instead of https
• Solution:
  » A) None
  » B) we add a favicon that looks like a lock: good enough for most users
Vendors’ Response: HSTS
• HSTS = HTTP Strict Transport Security
• Sites can send a ‘Strict-Transport-Security’ response header back to the browser
• Once the browser has received this, the browser will only connect directly over HTTPS
• Google also maintains a preloaded list
• Used by the latest versions of Chrome, Safari, Firefox (not IE<12)
Hackers Respond: SSLSplit
• SOLUTION: “sslsplit” = modified sslstrip
  – “Works like a proxy, similar to sslstrip.”
  – “SSLsplit removes response headers for HPKP in order to prevent public key pinning for HSTS, to allow the user to accept untrusted certificates”
  – generates fake certificates on the fly
• But if the user already browsed to the site before, the browser will still use HTTPS only
Problem not yet solved
Hackers respond some more: SSLStrip+
• SSLStrip+ changes the hostname:
  – The user wants to surf to www.google.com and gets redirected to wwww.google.com. SSLStrip+ keeps track of DNS.
  – The user wants to surf to account.google.com and gets redirected to accounts.google.com
• Because accounts.google.com and wwww.google.com do not exist, the browser also doesn’t have an HSTS entry for them, and sslsplit works.
• Latest attack against HSTS: NTP MitM
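The HSTS behaviour that SSLStrip+ exploits is a lookup rule: a browser only forces HTTPS for hosts that have an unexpired entry in its HSTS store, and a never-visited hostname such as wwww.google.com has none unless a parent domain's policy was sent with includeSubDomains or the domain is preloaded. Added Python example (not from the original slides or any browser's code): a minimal HSTS store that applies Strict-Transport-Security headers and answers "should this request be upgraded?", with the hostnames from the slide used as test data. Timestamps are passed in explicitly so the expiry logic can be exercised without waiting.

```python
import time
from typing import Optional


class HstsStore:
    """Minimal model of a browser's HSTS store: host -> (expiry, includeSubDomains)."""

    def __init__(self, preload=()):
        # Preloaded domains behave like an includeSubDomains policy that never expires.
        self.entries = {h.lower(): (float("inf"), True) for h in preload}

    def process_header(self, host: str, header_value: str, now: Optional[float] = None) -> bool:
        """Apply a Strict-Transport-Security header received from `host` over HTTPS.
        Returns False when the header is malformed and therefore ignored."""
        now = time.time() if now is None else now
        max_age, include_subdomains = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False
            elif name == "includesubdomains":
                include_subdomains = True
            # 'preload' only matters to the preload-list maintainers, not to the store
        if max_age is None or max_age < 0:
            return False
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.entries[host] = (now + max_age, include_subdomains)
        return True

    def should_upgrade(self, host: str, now: Optional[float] = None) -> bool:
        """True if an http:// request to `host` must be rewritten to https:// before it is sent."""
        now = time.time() if now is None else now
        host = host.lower()
        for known, (expires, include_subdomains) in self.entries.items():
            if expires <= now:
                continue  # expired entries no longer protect; this is what a clock jump (NTP MitM) exploits
            if host == known or (include_subdomains and host.endswith("." + known)):
                return True
        return False


if __name__ == "__main__":
    store = HstsStore()
    store.process_header("www.google.com", "max-age=31536000", now=0)
    print("wwww.google.com upgraded:", store.should_upgrade("wwww.google.com", now=10))
    store.process_header("google.com", "max-age=31536000; includeSubDomains; preload", now=0)
    print("wwww.google.com upgraded after includeSubDomains on google.com:",
          store.should_upgrade("wwww.google.com", now=10))
```

The test data mirrors the slide: with a policy only on www.google.com the lookalike host is not covered, while a policy on the apex with includeSubDomains (or a preload entry) covers every subdomain, including ones that do not exist. Expiry is compared against the local clock, which is why pushing the clock forward, the NTP MitM the slide mentions, makes stored entries lapse.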
The End Boss Demos
Demo: Evil Twin Scenario
• We listen for wireless traffic around us and see open AP “ABC”
• We set up an access point with Mana Toolkit and name it “ABC”
• We de-authenticate “USER1” who is connected to “ABC”
• “USER1” connects to our AP
• We sniff traffic, using SSLStrip+, and capture the Google password
Demo: Evil Portal
• We set up a wireless portal that provides free access (preferably somewhere with a lot of people and no other APs)
• Some social engineering: people can log in with Google, Facebook, Twitter and other social media accounts
• … but not really
Conclusions
• The Karma attack still works on some devices but not that well (not many directed probes)
• There are still tricks to ‘bypass’ secure networks, but vendors are working on it as well (HSTS)
• The most effective attacks these days involve some degree of social engineering: Evil Twin + Deauth, Fake Captive Portal
References
• http://www.sensepost.com/blog/11823.html
• http://www.thoughtcrime.org/software/sslstrip/
• https://www.roe.ch/SSLsplit
• http://www.theta44.org/karma/
• https://www.blackhat.com/docs/asia-14/materials/Nve/Asia-14-Nve-Offensive-Exploiting-DNS-Servers-Changes.pdf
• http://www.wsec.be/blog/2012/02/14/airbase-ng-sslstrip-meet-airstrip
• https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf
Want to see more?
• www.nexus-training.eu
• videos available
• the slideset will be provided there too
• training: 30.03-01.04, 3-day hacking introduction @ Ausy (Haasrode): http://www.dataflow.be/en/ethical-hacking-training-hacking-explained-condensed