Wireless Security - Wright State University


Security Issues in 802.11 Wireless Networks
Prabhaker Mateti
Wright State University
www.wright.edu/~pmateti
Talk Outline
• Wireless LAN Overview
• Wireless Network Sniffing
• Wireless Spoofing
• Wireless Network Probing
• AP Weaknesses
• Denial of Service
• Man-in-the-Middle Attacks
• War Driving
• Wireless Security Best Practices
• Conclusion
Mateti
WiFi Security
2
Ack
This talk is an overview of what has been known for a couple of years.
• Figures borrowed from many sources on the www.
• Apologies that I lost track of the original sources.
This talk is based on …
Prabhaker Mateti, “Hacking Techniques in Wireless Networks”, in The Handbook of Information Security, Editor: Bidgoli, John Wiley, 2005.
www.wright.edu/~pmateti/InternetSecur
Wireless LAN Overview
(Without security issues)

OSI Model
[Figure: the OSI layers Application, Presentation, Session, Transport and Network sit above 802.11; 802.11 defines the Data Link layer (802.11 MAC header) and the Physical layer (802.11 PLCP header).]
IEEE 802.11
• Published in June 1997
• 2.4 GHz operating frequency
• 1 to 2 Mbps throughput
• Can choose between frequency-hopping or direct-sequence spread spectrum modulation
IEEE 802.11b
• 1999
• Data rate: 11 Mbps
• Reality: 5 to 7 Mbps
• 2.4 GHz band; only three non-overlapping channels, shared with cordless phones, microwave ovens, and many Bluetooth products
• Only direct sequence modulation is specified
• Most widely deployed today
IEEE 802.11a
• Data rate: 54 Mbps
• Reality: 25 to 27 Mbps
• 5 GHz band; runs on 12 channels
• Not backward compatible with 802.11b
• Uses Orthogonal Frequency Division Multiplexing (OFDM)
IEEE 802.11g
• An extension to 802.11b
• Data rate: 54 Mbps (OFDM, as in 802.11a)
• 2.4 GHz band; backward compatible with 802.11b
IEEE 802.11n
• An extension to 802.11a/b/g
• Was still a draft when this talk was prepared (final draft expected in 2010); ratified in 2009
• Data rate: up to 600 Mbps
• 2.4 GHz and 5 GHz bands
802.11 Terminology: Station (STA)
• Device that contains an IEEE 802.11 conformant MAC and PHY interface to the wireless medium, but does not provide access to a distribution system
• Most often end-stations in terminals (workstations, laptops, etc.)
• Typically implemented in a PC-Card
• Built into recent laptops and PDAs
Station Architecture
[Figure: the station stack, top to bottom]
• Platform computer / protocol stack: Ethernet V2.0 / 802.3 frame format; supports virtually all protocol stacks
• Driver software (STADr): Ethernet-like driver interface; transparent bridging to Ethernet; frame translation according to IEEE 802.1H
  - IEEE 802.3 frames: translated to 802.11
  - Ethernet Types 8137 (Novell IPX) and 80F3 (AARP): encapsulated via the Bridge Tunnel encapsulation scheme
  - All other Ethernet Types: encapsulated via the RFC 1042 (Standard for the Transmission of IP Datagrams over IEEE 802 Networks) encapsulation scheme
  - Maximum data limited to 1500 octets
• PC-Card hardware: WMAC controller with station firmware (WNIC-STA); 802.11 frame format
• Radio hardware
Radio Frequency Spectrum
[Figure: 5 GHz allocations. IEEE 802.11a and HiperLAN/2 use 5.15-5.35 GHz and 5.725-5.825 GHz.]

Channel Spacing (5 MHz)
[Figure: 2.4 GHz channels are spaced 5 MHz apart; the non-overlapping channels are centered at 2.412, 2.437 and 2.462 GHz (channels 1, 6 and 11).]
Terminology: Access-Point (AP)
• A transceiver that serves as the center point of a stand-alone wireless network or as the connection point between wireless and wired networks.
• Device that contains an IEEE 802.11 conformant MAC and PHY interface to the wireless medium, and provides access to a Distribution System for associated stations (i.e., an AP is also a STA)
• Most often infrastructure products that connect to wired backbones
• Implemented in a “box” containing a STA PC-Card.
Access-Point (AP) Architecture
• Stations select an AP and “associate” with it
• APs support roaming, power management and time synchronization functions (beaconing)
• Traffic flows through the AP
[Figure: the AP stack, top to bottom: Ethernet interface and bridge hardware; kernel software (APK) with bridge software, Ethernet V2.0 / 802.3 frame format; driver software (APDr), 802.3 frame format; PC-Card hardware with WMAC controller and access point firmware (WNIC-AP), 802.11 frame format; radio hardware.]
Basic Configuration
[Figure omitted in transcript]
Terminology: Basic Service Set (BSS)
• A set of stations controlled by a single “Coordination Function” (that determines when a station can transmit or receive)
• Similar to a “cell” in pre-IEEE terminology
• A BSS may or may not have an AP
Basic Service Set (BSS)
[Figure: a BSS]
Terminology: Distribution System (DS)
• A system to interconnect a set of BSSs
• Integrated: a single AP in a standalone network
• Wired: using cable to interconnect the APs
• Wireless: using wireless to interconnect the APs
Terminology: Independent Basic Service Set (IBSS)
• A BSS forming a self-contained network in which no access to a Distribution System is available
• A BSS without an AP
• One of the stations in the IBSS can be configured to “initiate” the network and assume the Coordination Function
• Diameter of the cell is determined by the coverage distance between two wireless stations
Independent Basic Service Set (IBSS)
[Figure: an IBSS]
Terminology: Extended Service Set (ESS)
• A set of one or more BSSs interconnected by a Distribution System (DS)
• Traffic always flows via an AP
• Diameter of the cell is double the coverage distance between two wireless stations
Terminology: Service Set Identifier (SSID)
• Network name
• Up to 32 bytes long
• One network (ESS or IBSS) has one SSID
• E.g., “WSU Wireless”
• Known defaults for many vendors: “101” for 3COM, “tsunami” for Cisco
Terminology: Basic Service Set Identifier (BSSID)
• Cell identifier
• One BSS has one BSSID
• 6 bytes long
• In an infrastructure BSS, BSSID = MAC address of the AP's wireless interface
802.11 Communication
• CSMA/CA (Carrier Sense Multiple Access / Collision Avoidance) instead of Collision Detection
• A WLAN adapter cannot send and receive traffic at the same time on the same channel
• Hidden Node Problem
• Four-Way Handshake (RTS / CTS / Data / ACK)
Four-Way Handshake
[Figure: Source sends RTS, Destination replies CTS, Source sends Data, Destination replies ACK.]
Infrastructure operation modes
• Root Mode
• Repeater Mode
802.11 Packet Structure
• 30 byte header
• 4 addresses
Graphic Source: Network Computing Magazine, August 7, 2000
802.11 Physical Layer Packet Structure
• 24 byte header (PLCP, Physical Layer Convergence Protocol)
• Always transferred at 1 Mbps
Graphic Source: Network Computing Magazine, August 7, 2000
802.11 Frames
Format depends on the type of frame:
• Control Frames
• Management Frames
• Data Frames
802.11 Frame Formats

802.11 MAC Header (field widths in bytes):

  Frame Control (2) | Duration/ID (2) | Addr 1 (6) | Addr 2 (6) | Addr 3 (6) | Sequence Control (2) | Addr 4 (6) | Frame Body (0-2312) | CRC (4)

Frame Control Field (field widths in bits):

  Protocol Version (2) | Type (2) | SubType (4) | To DS (1) | From DS (1) | More Frag (1) | Retry (1) | Pwr Mgt (1) | More Data (1) | WEP (1) | Rsvd (1)
Address Field Description
(The Frame Control field is as on the previous slide; its To DS and From DS bits select the meaning of the four address fields.)

  To DS | From DS | Address 1 | Address 2 | Address 3 | Address 4
  ------+---------+-----------+-----------+-----------+----------
    0   |    0    |    DA     |    SA     |   BSSID   |   N/A
    0   |    1    |    DA     |   BSSID   |    SA     |   N/A
    1   |    0    |   BSSID   |    SA     |    DA     |   N/A
    1   |    1    |    RA     |    TA     |    DA     |    SA

Addr. 1 = All stations filter on this address.
Addr. 2 = Transmitter Address (TA); identifies the transmitter, so the receiver knows where to address the ACK frame.
Addr. 3 = Dependent on the To DS and From DS bits.
Addr. 4 = Only needed to identify the original source of WDS (Wireless Distribution System) frames.
Type field descriptions
(Type and SubType are the 2-bit and 4-bit fields of Frame Control shown above.)
Type and subtype identify the function of the frame:
• Type=00: Management Frame
  - Beacon
  - (Re)Association
  - Probe
  - (De)Authentication
  - Power Management
• Type=01: Control Frame
  - RTS/CTS
  - ACK
• Type=10: Data Frame
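The following Python decoder is an added example for this page, not code from the original slides. It walks the Frame Control bits and the To DS / From DS address table above on a few constructed frames (the MAC addresses and sequence numbers are made up) and shows what a sniffer does with a raw frame before any higher-level decoding. It assumes the capture driver has already stripped the 4-byte FCS from the end of the frame.

```python
import struct

# Type and subtype names (IEEE 802.11-1999 values) for the frames discussed on these slides.
TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
SUBTYPE_NAMES = {
    0: {0: "Association Request", 1: "Association Response",
        2: "Reassociation Request", 3: "Reassociation Response",
        4: "Probe Request", 5: "Probe Response", 8: "Beacon",
        10: "Disassociation", 11: "Authentication", 12: "Deauthentication"},
    1: {10: "PS-Poll", 11: "RTS", 12: "CTS", 13: "ACK"},
    2: {0: "Data", 4: "Null (no data)"},
}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_80211_header(frame: bytes) -> dict:
    """Decode the MAC header of a frame captured in monitor mode (FCS removed).

    On the air the layout is little-endian: FC(2) Duration/ID(2) Addr1(6) Addr2(6)
    Addr3(6) SeqCtl(2) [Addr4(6) only when To DS = From DS = 1] Body.
    """
    if len(frame) < 10:
        raise ValueError("too short even for a control frame")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xF
    flags = fc >> 8
    names = {"version": version,
             "type": TYPE_NAMES.get(ftype, f"reserved({ftype})"),
             "subtype": SUBTYPE_NAMES.get(ftype, {}).get(subtype, f"subtype {subtype}"),
             "duration": duration}
    if ftype == 1:
        # Control frames are short: RA, and for RTS/PS-Poll also TA; no Addr 3, no SeqCtl.
        names["receiver"] = mac_str(frame[4:10])
        if len(frame) >= 16:
            names["transmitter"] = mac_str(frame[10:16])
        return names
    if len(frame) < 24:
        raise ValueError("management/data frame shorter than the 24-byte header")
    to_ds, from_ds = flags & 0x01, (flags >> 1) & 0x01
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    hdr_len = 24
    # The To DS / From DS table from the slide.
    if (to_ds, from_ds) == (0, 0):
        roles = {"DA": a1, "SA": a2, "BSSID": a3}
    elif (to_ds, from_ds) == (0, 1):
        roles = {"DA": a1, "BSSID": a2, "SA": a3}
    elif (to_ds, from_ds) == (1, 0):
        roles = {"BSSID": a1, "SA": a2, "DA": a3}
    else:
        if len(frame) < 30:
            raise ValueError("WDS frame (To DS = From DS = 1) needs Addr 4")
        roles = {"RA": a1, "TA": a2, "DA": a3, "SA": frame[24:30]}
        hdr_len = 30
    names.update({
        "to_ds": to_ds, "from_ds": from_ds,
        "more_frag": (flags >> 2) & 1, "retry": (flags >> 3) & 1,
        "pwr_mgt": (flags >> 4) & 1, "more_data": (flags >> 5) & 1,
        "wep": (flags >> 6) & 1,
        "receiver": mac_str(a1),        # Addr 1: what every station filters on
        "transmitter": mac_str(a2),     # Addr 2: where the ACK is sent
        "addresses": {k: mac_str(v) for k, v in roles.items()},
        "fragment": seq_ctl & 0xF, "sequence": seq_ctl >> 4,
        "header_len": hdr_len, "body": frame[hdr_len:],
    })
    return names


# --- constructed sample frames (made up for this example, not real captures) ---------
AP = bytes.fromhex("00112233aabb")       # hypothetical AP / BSSID
AP2 = bytes.fromhex("00112233ccdd")      # hypothetical second AP (WDS peer)
STA = bytes.fromhex("0a1b2c3d4e5f")      # hypothetical station
WIRED = bytes.fromhex("c0ffee000001")    # hypothetical host behind the AP
BCAST = b"\xff" * 6


def _hdr(fc: int, a1: bytes, a2: bytes, a3: bytes, seq: int, a4: bytes = b"") -> bytes:
    return struct.pack("<HH", fc, 0) + a1 + a2 + a3 + struct.pack("<H", seq << 4) + a4


BEACON = _hdr(0x0080, BCAST, AP, AP, 100)             # type 0 subtype 8, no flags
WEP_DATA_FROM_AP = _hdr(0x4208, STA, AP, WIRED, 101)  # data; From DS and WEP bits set
DATA_TO_AP = _hdr(0x0108, AP, STA, WIRED, 102)        # data; To DS
WDS_DATA = _hdr(0x0308, AP2, AP, WIRED, 103, a4=STA)  # data; To DS + From DS, 4 addresses
ACK = struct.pack("<HH", 0x00D4, 0) + STA             # control, subtype 13

if __name__ == "__main__":
    for name, f in [("beacon", BEACON), ("wep data from AP", WEP_DATA_FROM_AP),
                    ("data to AP", DATA_TO_AP), ("WDS data", WDS_DATA), ("ack", ACK)]:
        h = parse_80211_header(f)
        print(f"{name:18} {h['type']:10} {h['subtype']:14} {h.get('addresses', h['receiver'])}")
```

Addr 1 is the only field a receiver has to look at to decide whether a frame is for it, which is why the deauthentication and association-flooding attacks later in the talk need nothing more than a correct Addr 1 and a plausible Addr 2.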
802.11 Management Frames
• Beacon: Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, parameters, Traffic Indication Map (TIM)
• Probe Request: SSID, Capabilities, Supported Rates
• Probe Response: Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, parameters (same as Beacon except for the TIM)
Management Frames (cont’d)
• Association Request: Capability, Listen Interval, SSID, Supported Rates
• Association Response: Capability, Status Code, Station ID, Supported Rates
• Re-association Request: Capability, Listen Interval, SSID, Supported Rates, Current AP Address
• Re-association Response: Capability, Status Code, Station ID, Supported Rates
Management Frames (cont’d)
• Dis-association: Reason code
• Authentication: Algorithm, Sequence, Status, Challenge Text
• De-authentication: Reason code
Association + Authentication
[Figure: station state machine]
• State 1: Unauthenticated, Unassociated
• State 2: Authenticated, Unassociated
• State 3: Authenticated, Associated
Transitions: successful authentication moves a station from State 1 to State 2; successful association moves it from State 2 to State 3; Disassociation returns it from State 3 to State 2; Deauthentication returns it from State 2 or State 3 to State 1.
Authentication
• To control access to the infrastructure via authentication.
• The station first needs to be authenticated by the AP in order to join the AP's network.
• Stations identify themselves to other stations (or APs) prior to data traffic or association.
• Two authentication subtypes:
  - Open system
  - Shared key
Open System Authentication
• A sends an authentication request to B
• B sends the result back to A
• No credential is checked: any station that asks is authenticated
Shared Key Authentication
[Figure: four-frame exchange. A requests shared-key authentication; B sends a challenge text; A returns the challenge encrypted under the shared WEP key; B decrypts, compares, and sends the result.]
Note that both the challenge and its encryption travel in the clear, so an eavesdropper obtains a plaintext/ciphertext pair, and thus a keystream sample, for that IV.
Access Point Discovery
• Beacons are sent out 10x per second
• Station queries access points: Probe request (requests features)
• Access points respond: Probe response (advertises capabilities)
• Authentication request / Authentication response (with open system, authentication is just a formality)
• Association request / Association response (with supported features)
• May involve more frames
Association
• Next step after authentication
• Association enables data transfer between Client and AP
• The Client sends an association request frame to the AP, which replies to the client with an association response frame either allowing or disallowing the association
Association
• To establish a relationship with an AP
• Stations scan the frequency band and select the AP with the best communications quality
  - Active scan: send a “Probe request” on specific channels and assess the responses
  - Passive scan: assess communications quality from beacon messages
• The AP maintains a list of associated stations in MAC firmware
  - Records station capability (data rate)
  - To allow inter-BSS relay
  - The station’s MAC address is also maintained in the bridge learn table, associated with the port it is located on
WEP: Wired Equivalent Privacy
• Designed to be computationally efficient, self-synchronizing, and exportable
• Data headers remain unencrypted.
• The cipher used is RC4(v, k): a stream cipher keyed by the per-packet IV v and the shared key k
• Shared key k: manual distribution among clients.
WEP Encryption
• WEP encryption key: a shared 40- or 104-bit long number.
• WEP keys are used for authentication and encryption of data.
• A 32-bit integrity check value (ICV) is calculated that provides data integrity for the MAC frame. The ICV is the CRC-32 of the data and is appended to the end of the frame data.
• A 24-bit initialization vector (IV) is prepended to the WEP key to form the per-packet RC4 key (IV || key).
• The IV and WEP encryption key are input to a pseudo-random number generator (PRNG, the RC4 keystream generator) to generate a bit sequence that is the same size as the combination of [data+ICV].
• The PRNG bit sequence is bit-wise XORed with [data+ICV] to produce the encrypted portion of the payload that is sent between the wireless AP and the wireless client.
• The IV is added, in the clear, to the front of the encrypted [data+ICV], which becomes the payload for the wireless MAC frame.
• The result is IV + encrypted [data+ICV].
WEP Decryption
• The IV is obtained from the front of the MAC payload.
• The IV is concatenated with the WEP encryption key (IV || key).
• The concatenated IV and WEP encryption key is used as the input of the same PRNG to generate a bit sequence of the same size as the combination of the [data + ICV].
• The PRNG bit sequence is XORed with the encrypted [data+ICV] to decrypt the [data+ICV] portion of the payload.
• The ICV for the data portion of the payload is calculated and compared with the value included in the incoming frame; on a mismatch the frame is discarded.
• The WEP key remains constant over a long duration (days and months), but the IV can be changed frequently, ideally for every frame, depending on the degree of security needed.
WEP
[Figure: WEP sender and receiver pipelines]
Sender:
  802.11 Hdr | Data
  → Append ICV = CRC32(Data)
  → Select and insert IV (24 bits)
  → Per-packet key = IV || RC4 base key
  → RC4 encrypt (Data || ICV)
  → 802.11 Hdr | IV | Encrypted Data | ICV
Receiver:
  → Remove IV from packet
  → Per-packet key = IV || RC4 base key
  → RC4 decrypt (Data || ICV)
  → Check ICV = CRC32(Data)
  → 802.11 Hdr | Data
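An added Python model of the two pipelines in the figure, written for this page rather than taken from the slides: RC4 keyed with IV || base key, a CRC-32 ICV, and the IV carried in the clear in front of the ciphertext (the byte after the IV holds the key ID in its top two bits, as in 802.11; the little-endian ICV is this example's convention). The key, IVs and messages are made up. It also shows the property the later WEP-attack slides rely on: two frames encrypted under the same IV share a keystream, so XORing their ciphertexts yields the XOR of their plaintexts without any knowledge of the key.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                       # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """32-bit integrity check value: CRC-32 of the plaintext data."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(base_key: bytes, iv: bytes, data: bytes, key_id: int = 0) -> bytes:
    """Return the MAC frame body: IV(3) | KeyID byte | RC4_{IV||key}(data || ICV)."""
    if len(base_key) not in (5, 13):
        raise ValueError("WEP base key must be 40 or 104 bits")
    if len(iv) != 3:
        raise ValueError("IV must be 24 bits")
    plain = data + icv(data)
    keystream = rc4_keystream(iv + base_key, len(plain))   # per-packet key = IV || base key
    return iv + bytes([(key_id & 0x3) << 6]) + xor(plain, keystream)


def wep_decrypt(base_key: bytes, body: bytes) -> bytes:
    """Inverse of wep_encrypt; raises if the ICV does not match (corruption or wrong key)."""
    if len(body) < 4 + 4:
        raise ValueError("body too short to hold IV, key ID and ICV")
    iv, cipher = body[:3], body[4:]
    plain = xor(cipher, rc4_keystream(iv + base_key, len(cipher)))
    data, received_icv = plain[:-4], plain[-4:]
    if received_icv != icv(data):
        raise ValueError("ICV mismatch")
    return data


def iv_reuse_leak(body1: bytes, body2: bytes) -> bytes:
    """What a passive listener learns from two frames carrying the same IV:
    C1 xor C2 = (P1 xor K) xor (P2 xor K) = P1 xor P2, no key needed."""
    if body1[:3] != body2[:3]:
        raise ValueError("frames use different IVs; their keystreams differ")
    return xor(body1[4:], body2[4:])


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")       # constructed 40-bit key
    iv = bytes.fromhex("000001")
    frame = wep_encrypt(key, iv, b"hello, wep")
    print("body:", frame.hex())
    print("decrypted:", wep_decrypt(key, frame))
    p1, p2 = b"ATTACK AT DAWN", b"RETREAT AT 6AM"
    leak = iv_reuse_leak(wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2))
    print("P1 xor P2 recovered:", leak[:len(p1)] == xor(p1, p2))
```

The ICV check rejects a naively flipped bit, which is the only integrity WEP offers; the Berkeley slides later in the talk show why that check is not enough.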
WEP Protocol
• The key is shared by all clients and the base station.
• PRNG – Pseudo Random Number Generator (RC4)
Drawbacks of WEP Protocol
• The determination and distribution of WEP keys are not defined
• There is no defined mechanism to change the WEP key either per authentication or periodically for an authenticated connection
• No mechanism for central authentication, authorization, and accounting
• No per-frame authentication mechanism to identify the frame source
• No per-user identification and authentication
Initialization Vector (IV)
• Over a period, the same plaintext packet should not generate the same ciphertext packet
• The IV changes per packet; the standard does not say how it is chosen (random, or a counter)
• Generated by the device on the fly
• 24 bits long
• “64 bit” encryption: 24-bit IV + 40-bit WEP key
• “128 bit” encryption: 24-bit IV + 104-bit WEP key
Wireless Threats
• Passive eavesdropping and traffic analysis
• Message injection and active eavesdropping
• Message deletion and interception
• Masquerading and malicious access points
• Session hijacking
• Denial of service (DoS)
Network Sniffing
• Sniffing is eavesdropping, a reconnaissance technique
• A sniffer is a program that intercepts and decodes network traffic broadcast through a medium
• Sniffing is the act by a machine S of making copies of a network packet sent by machine A and intended to be received by machine B
• Sniffing is
  - not a TCP/IP problem
  - enabled by the media, Ethernet and 802.11, at the physical and data link layers
Wireless Network Sniffing
• Wireless LAN sniffers can be used to gather information about the wireless network from a distance with a directional antenna
• RF monitor mode of a wireless card allows every frame appearing on a channel to be copied as the radio of the station tunes to various channels. Analogous to a wired Ethernet card in promiscuous mode
• A station in monitor mode can capture packets without associating with an AP or ad-hoc network
• Many wireless cards permit RF monitor mode
Passive Scanning
• The eavesdropper does NOT transmit packets.
• A WLAN can be “listened to” outside a building using readily available technology
Passive Scanning
• A passive scanner instructs the wireless card to listen to each channel for a few messages
• Passive scanners are capable of gathering the passwords from HTTP sites and telnet sessions sent in plain text
• An attacker can passively scan without transmitting at all. These attacks do not leave any trace of the attacker’s presence on the network
Passive Scanning: Why?
• Scanning is a reconnaissance technique
• Detection of SSID
• Collecting the MAC addresses
• Collecting the frames for cracking WEP
A Basic “Attack”
Behind the scenes of a completely passive wireless pre-attack session using Kismet

Kismet
• Kismet is a wireless sniffer
• Setting up Kismet is fairly straightforward
• Google on “Kismet” for articles
• http://www.kismetwireless.net/
Starting Kismet
[Screenshot] The mysqld service is started. The gpsd service is started on serial port 1. The wireless card is placed into monitor mode. Kismet is launched.
Detection
[Screenshot] Kismet picks up some wireless jabber! In order to take a closer look at the traffic, disengage “autofit” mode by pressing “ss” to sort by SSID.
Columns shown: type, WEP? yes or no, packets (4 TCP packets), IPs detected, signal strength.
Network Details
[Screenshot] Network details for the 0.0.0.0 address are viewed by pressing the “i” key.
Network Details
[Screenshot] Network details for the 169.254.187.86 address are viewed by pressing the “i” key.
More network details
[Screenshot] More network details for the 169.254.187.86 address are viewed by pressing the “i” key, then scrolling down to view more information.
traffic dump
[Screenshot] A dump of “printable” traffic can be had by pressing the “d” key.
\MAILSLOTS? Could this be a post office computer?
(That is a joke. Feel free to laugh at this point. Thank you.)
packet list
[Screenshot] A list of packet types can be viewed by selecting a wireless point and pressing “p”.
gpsmap
[Screenshot] A map of the area is printed:
# gpsmap -S2 -s10 -r gpsfile
wireshark - Beacon
[Screenshot] The *.dump files Kismet generates can be opened with tcpdump or wireshark. This is an 802.11 beacon frame.
wireshark – Probe Request
[Screenshot] ...an 802.11 Probe Request from the same machine.
wireshark - Registration
[Screenshot] oooh... a NETBIOS registration packet for “MSHOME”...
wireshark - Registration
[Screenshot] ...another registration packet, this time from “LAP10”...
wireshark – DHCP request
[Screenshot] ...a DHCP request... it would be interesting to spoof a response to this...
wireshark – Browser request
[Screenshot] ...a NETBIOS browser request...
wireshark – Browser announce
[Screenshot] ...an SMB host announcement... revealing an OS major version of 5 and an OS minor version of 1... We have a Windows XP client laptop searching for an access point.
This particular target ends up being nothing more than a lone client crying out for a wireless server to connect to. Spoofing management frames to this client would most likely prove to be pointless...
Passive Scanning
• This simple example demonstrates the ability to monitor even client machines which are not actively connected to a wireless access point.
• In a more “chatty” environment, so much more is possible.
• All of this information was captured passively. Kismet did not send a single packet on the airwaves.
• This type of monitoring cannot be detected, but preventive measures can be taken.
Detection of SSID
• The SSID occurs in the following frame types: beacon, probe requests, probe responses, association requests, and reassociation requests.
• Management frames are always in the clear, even when WEP is enabled.
• Merely collect a few frames and note the SSID.
• What if beacons are turned off? Or the SSID is hidden?
When the Beacon displays a null SSID …
• Patiently wait. Recall that management frames are in the clear.
• Wait for an Association Request; Association and Reassociation Requests both contain the SSID.
• Wait for a Probe Request; the Probe Response the AP sends contains the SSID.
Beacon transmission is disabled ...
• Wait for a voluntary Association Request to appear. Or
• Actively probe by injecting spoofed frames, and then sniff the response
Collecting the MAC Addresses
• The attacker gathers legitimate MAC addresses for use later in spoofed frames.
• The source and destination MAC addresses are always in the clear in all frames.
• The attacker sniffs these legitimate addresses
WEP Attacks
• Systematic procedures exist for cracking WEP.
• Need to collect a large number of frames.
  - Collection may take hours to days.
  - Time required depends heavily on the saturation (traffic load) of the access point.
• Cracking may take a few seconds to a couple of hours.
• Cracking uses the “weakness” in the IV
• Four types of attacks:
  - Passive attacks to decrypt traffic based on statistical analysis
  - Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext
  - Active attacks to decrypt traffic, based on tricking the access point
  - Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic
What is a “Weak” IV?
• RC4's Key Scheduling Algorithm (KSA) initializes the cipher state from the per-packet key IV || base key
• Because the IV is sent in the clear and forms the first bytes of that key, certain IV values (“weak” IVs) make the first byte of RC4 output depend on one byte of the base key in a predictable way
• Those IVs give away information about the bytes of the key they were combined with
• An attacker collects enough frames with weak IVs to reveal the bytes of the base key
Initialization Vector, IV
• The IV is only 24 bits, providing 16,777,216 different RC4 cipher streams for a given WEP key
• Chances of a duplicate IV (birthday bound, with randomly chosen IVs) are:
  - 1% after 582 encrypted frames
  - 10% after 1,881 encrypted frames
  - 50% after 4,823 encrypted frames
  - 99% after 12,430 encrypted frames
• Increasing the key size will not make WEP any safer. Why? The IV stays 24 bits, so keystream reuse happens just as often.
• Walker, “IEEE 802.11i wireless LAN: Unsafe at any key size”, http://www.dis.org/wl/pdf/unsafe.pdf, Oct 2000
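The four percentages above can be checked with the birthday bound. This added Python (written for this page, not taken from the slides or from Walker's paper) computes the exact probability that randomly chosen 24-bit IVs repeat after n frames, finds the frame count at which each threshold is crossed, and shows what a sequential IV counter gives instead: the whole space is exhausted in a number of frames that has nothing to do with the key length. The 500 frames/s rate in the demonstration is an assumed load, not a measurement.

```python
import math


def p_iv_collision(frames: int, iv_bits: int = 24) -> float:
    """Exact probability that at least two of `frames` uniformly random IVs
    coincide: 1 - prod_{i<frames} (1 - i / 2**iv_bits), accumulated in log space."""
    space = 2 ** iv_bits
    if frames > space:
        return 1.0
    log_no_collision = 0.0
    for i in range(frames):
        log_no_collision += math.log1p(-i / space)
    return 1.0 - math.exp(log_no_collision)


def frames_for_collision_probability(p: float, iv_bits: int = 24) -> int:
    """Smallest number of frames after which P(duplicate IV) >= p.
    Walks upward accumulating the same product, so it is cheap for the
    thresholds that matter (a few thousand frames for 24-bit IVs); it is
    slow for p very close to 1, where it has to walk most of the IV space."""
    space = 2 ** iv_bits
    log_no_collision = 0.0
    for k in range(1, space + 1):
        log_no_collision += math.log1p(-(k - 1) / space)   # k-th IV must avoid k-1 earlier ones
        if 1.0 - math.exp(log_no_collision) >= p:
            return k
    return space + 1


def iv_exhaustion_seconds(frames_per_second: float, iv_bits: int = 24) -> float:
    """With a sequential IV counter, the time until every IV has been used once
    and keystreams start repeating, regardless of the key length."""
    return 2 ** iv_bits / frames_per_second


if __name__ == "__main__":
    for p in (0.01, 0.10, 0.50, 0.99):
        print(f"P(duplicate IV) >= {p:.0%} after {frames_for_collision_probability(p):,} frames")
    hours = iv_exhaustion_seconds(500) / 3600          # 500 frames/s is an assumed load
    print(f"sequential IVs at 500 frames/s: space exhausted after {hours:.1f} hours")
```

Neither function takes the WEP key length as a parameter, which is the point of the slide: the collision rate is a property of the 24-bit IV alone.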
UC Berkeley Study
• Bit flipping
  - Bits are flipped in WEP-encrypted frames, and the ICV (CRC-32) is recalculated; because the CRC is linear, the encrypted ICV can be patched without knowing the key
  - The AP accepts the frame since the CRC-32 is correct
• Replay
  - Bit-flipped frames with known IVs are re-sent
  - A layer 3 device will reject the frame and send a predictable response
  - A response database is built and used to derive the keystream, and thus the plaintext, for those IVs
UC Berkeley Study
[Figure: keystream recovery from known plaintext]
• Encryption: PlainText “Cisco” XOR WEP stream cipher “1234” = CipherText “XXYYZZ”. Plaintext data is XORed with the WEP stream cipher to produce the encrypted ciphertext.
• Attack: CipherText “XXYYZZ” XOR predicted PlainText “Cisco” = stream cipher “1234”. If the ciphertext is XORed with guessed plaintext, the stream cipher (keystream) can be derived.
UC Berkeley Study
[Figure: the bit-flipping / reaction attack]
• Bit-flipped frame sent
• Frame passes the ICV check; forwarded to the destination MAC
• Upper layer protocol fails its own checksum; sends a predictable error message to the source MAC
• The AP WEP-encrypts the response and forwards it to the source MAC
• The attacker anticipates the response from the upper layer device and attempts to derive the keystream
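Both halves of the Berkeley study, as an added Python example written for this page (not from the slides or from the Berkeley paper): recovering keystream by XORing ciphertext with guessed plaintext, and flipping bits in an encrypted frame while patching the encrypted ICV so that the receiver's CRC-32 check still passes. The cipher is modelled as XOR with a keystream the attacker never sees (in WEP it is RC4 of IV || key; the attack does not depend on how the keystream is produced). The messages are made up. The ICV patch relies on CRC-32 being affine: crc(M xor D) = crc(M) xor crc(D) xor crc(0…0) for equal lengths.

```python
import os
import struct
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_seal(keystream: bytes, data: bytes) -> bytes:
    """Sender side of WEP's data path: (data || ICV) XOR keystream."""
    return xor(data + icv(data), keystream)


def wep_open(keystream: bytes, ciphertext: bytes):
    """Receiver side: decrypt and verify the ICV. Returns data, or None on mismatch."""
    plain = xor(ciphertext, keystream)
    data, tag = plain[:-4], plain[-4:]
    return data if tag == icv(data) else None


def recover_keystream(ciphertext: bytes, guessed_plaintext: bytes) -> bytes:
    """Guessed-plaintext step: C xor (P || crc(P)) = keystream for len(P) + 4 bytes,
    since the ICV of a known plaintext is known too."""
    return xor(ciphertext, guessed_plaintext + icv(guessed_plaintext))


def flip_bits(ciphertext: bytes, delta: bytes) -> bytes:
    """Bit-flipping step: XOR `delta` into the encrypted data and fix the encrypted ICV.
    crc(M ^ D) = crc(M) ^ crc(D) ^ crc(0^n), so the correction for the (still
    encrypted) ICV is computed from D alone, never seeing M or the keystream."""
    n = len(ciphertext) - 4
    if len(delta) != n:
        raise ValueError("delta must cover exactly the data part")
    icv_fix = xor(icv(delta), icv(bytes(n)))
    return xor(ciphertext, delta + icv_fix)


def demo(secret_keystream: bytes) -> dict:
    """Run the attack against a frame whose keystream the caller keeps secret."""
    original = b"transfer $100 to account 1234"
    target = b"transfer $999 to account 1234"          # same length, two characters changed
    ct = wep_seal(secret_keystream, original)
    forged = flip_bits(ct, xor(original, target))      # attacker knows both strings, not the key
    naive = xor(ct, xor(original, target) + bytes(4))  # same flip without the ICV patch
    ks = recover_keystream(ct, original)
    reused = wep_seal(ks, b"attacker-chosen text")     # new frame under the recovered keystream
    return {
        "forged_accepted": wep_open(secret_keystream, forged) == target,
        "naive_accepted": wep_open(secret_keystream, naive) is not None,
        "keystream_bytes_recovered": len(ks),
        "keystream_correct": ks == secret_keystream[:len(ks)],
        "reused_accepted": wep_open(secret_keystream, reused) == b"attacker-chosen text",
    }


if __name__ == "__main__":
    print(demo(os.urandom(64)))
```

The forged frame is accepted and the naively flipped one is rejected for every keystream, which is exactly the "no per-frame authentication" drawback listed earlier: a CRC is a linear error-detecting code, not a message authentication code.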
Wireless Spoofing
• The attacker constructs frames by filling selected fields that contain addresses or identifiers with legitimate-looking but nonexistent values, or with legitimate values that belong to others.
• The attacker would have collected these legitimate values through sniffing.
MAC Address Spoofing
• Probing is sniffable by the sys admins.
• The attacker wishes to be hidden.
• Use the MAC address of a legitimate card.
• APs can filter based on MAC addresses.
IP spoofing
• Replacing the true IP address of the sender (or, in some cases, the destination) with a different address.
• Defeats IP address based trust.
• IP spoofing is an integral part of many attacks.
Frame Spoofing
• Frames themselves are not authenticated in 802.11.
• Construction of the byte stream that constitutes a spoofed frame is facilitated by libraries.
• The difficulty here is not in the construction of the contents of the frame, but in getting it radiated (transmitted) by the STA or an AP. This requires control over the firmware.
Wireless Network Probing
• Send cleverly constructed packets to a target that trigger useful responses.
• This activity is known as probing or active scanning.
• The target can discover that it is being probed.
Active Attacks
• The attacker can connect to an AP and obtain an IP address from the DHCP server.
• A business competitor can use this kind of attack to get customer information which is confidential to an organization.
Detection of SSID
• Beacon transmission is disabled, and the attacker does not wish to wait …
• Inject a probe request frame using a spoofed source MAC address.
• The probe response frame from the APs will contain, in the clear, the SSID and other information similar to that in the beacon frames.
Detection of APs and stations
• Certain bits in the frames identify that the frame is from an AP: the From DS bit, and the management subtypes only an AP sends (Beacon, Probe Response).
• If we assume that WEP is either disabled or cracked, the attacker can also gather the IP addresses of the AP and the stations.
Detection of Probing
• The frames that an attacker injects can be sniffed by a sys admin.
• GPS-enabled equipment can identify the physical coordinates of a transmitting device.
AP Weaknesses

Poorly Constructed WEP keys
• The default WEP keys used are often too trivial.
• APs use simple techniques to convert the user’s keyboard input into a bit vector.
  - Usually 5 or 13 ASCII printable characters are directly mapped, by concatenating their 8-bit ASCII codes, into a 40-bit or 104-bit WEP key. Since there are only about 95 printable characters (roughly 6.6 bits each), 13 such characters carry at most about 85 bits of entropy, not 104.
  - A stronger 104-bit key can be constructed from 26 hexadecimal digits.
• It is possible to form an even stronger 104-bit WEP key by truncating the MD5 hash of an arbitrary-length pass phrase; its strength is then bounded by the entropy of the pass phrase.
Defeating MAC Filtering
• Typical APs permit access to only those stations with known MAC addresses.
• Easily defeated by the attacker:
  - Spoofs his frames with a MAC address that is registered with the AP, from among the ones that he collected through sniffing.
  - That a MAC address is registered can be detected by observing the frames from the AP to the stations
Rogue Networks
• Rogue AP = an unauthorized access point
• Network users often set up rogue wireless LANs to simplify their lives
• Rarely implement security measures
• The network is vulnerable to War Driving and sniffing and you may not even know it
• Trojan AP = Rogue AP with malicious intent
Trojan AP Mechanics
• Create a competing wireless network.
• The AP can be an actual AP or the HostAP driver of Linux
• Create or modify a captive portal behind the AP
• Redirect users to a “splash” page
• DoS or theft of user credentials, or …
• A bold attacker will visit ground zero.
• A not-so-bold one will drive by with an amp.
Equipment Flaws
• Numerous flaws in equipment from well-known manufacturers
• Search on “access point vulnerabilities”
• Ex 1: On receiving a request for a file named config.img via TFTP, an AP sends its configuration. The image includes the administrator’s password required by the HTTP user interface, the WEP encryption keys, MAC address, and SSID.
• Ex 2: An AP returns the WEP keys, MAC filter list, and administrator’s password when sent a UDP packet to port 27155 containing the string “gstsearch”.
Denial of Service
• A system is not providing services to authorized clients because of resource exhaustion by unauthorized clients.
• DoS attacks are difficult to prevent
• Difficult to stop an on-going attack
• The victim and its clients may not even detect the attacks
• Duration may range from milliseconds to hours.
• A DoS attack against an individual station enables session hijacking
Jamming
• The hacker can use a high-power RF signal generator to interfere with the ongoing wireless connection, making it useless.
• Can be avoided only by physically finding the jamming source.
Flooding with Associations
• The AP inserts the data supplied by the STA in the Association Request into a table called the association table
• 802.11 specifies a maximum value of 2007 concurrent associations to an AP. The actual size of this table varies among different models of APs.
• When this table overflows, the AP refuses further clients
• The attacker authenticates several non-existing STAs using legitimate-looking but randomly generated MAC addresses. The attacker then sends a flood of spoofed association requests so that the association table overflows
• Enabling MAC filtering in the AP rejects the randomly generated addresses and so prevents this form of the attack; it does not stop a flood that spoofs registered addresses
Deauth/Disassoc Management frame
[Figure: frame layout]
• The attacker must spoof the AP's MAC address in the Src Addr and BSSID fields
• The Sequence Control field is handled by the firmware (not set by the attacker)
Forged Disassociation
• The attacker sends a spoofed Disassociation frame where the source MAC address is set to that of the AP.
• To prevent reassociation, the attacker continues to send Disassociation frames for a desired period.
Forged Deauthentication
• After an Association Response frame is observed, the attacker sends a spoofed Deauthentication frame where the source MAC address is spoofed to that of the AP.
• The station is now unassociated and unauthenticated, and needs to reconnect.
• To prevent a reconnection, the attacker continues to send Deauthentication frames for a desired period.
• Neither MAC filtering nor WEP protection will prevent this attack, because management frames are neither authenticated nor encrypted
First Stage – Deauth Attack
[Screenshot: Airopeek trace of the deauth attack]
[Screenshot: decode of a Deauthentication frame]
Power Management
• Power-management schemes place a system in sleep mode when no activity occurs
• The client can be configured to be in continuous aware mode (CAM) or Power Save Polling (PSP) mode
Power Saving
• The attacker steals packets for a station while the station is in the Doze state.
  - The 802.11 protocol requires a station to inform the AP, through a successful frame exchange, that it wishes to enter the Doze state from the Active state.
  - Periodically the station awakens and sends a PS-Poll frame to the AP. The AP transmits in response the packets that were buffered for the station while it was dozing.
  - This polling frame can be spoofed by an attacker, causing the AP to send the buffered packets and flush its internal buffers.
  - An attacker can repeat these polling messages so that when the legitimate station periodically awakens and polls, the AP reports that there are no pending packets.
Man-in-the-Middle Attacks
• The attacker on host X inserts X between all communication between hosts B and C, and neither B nor C is aware of the presence of X.
• All messages sent by B do reach C, but via X, and vice versa.
• The attacker can merely observe the communication or modify it before sending it on.
Wireless MITM Attack
• A hacker uses a Trojan AP to hijack mobile nodes by sending a stronger signal than the actual AP is sending to those nodes.
• The clients then associate with the Trojan AP, sending their data into the wrong hands.
Wireless MITM Attack
• Assume that station B was authenticated with C, a legitimate AP.
• Attacker X is a laptop with two wireless cards. Through one card, he presents X as an AP.
• Attacker X sends Deauthentication frames to B using C’s MAC address as the source, and the BSSID he has collected.
• B is deauthenticated and begins a scan for an AP, and may find X on a channel different from C.
• There is a race condition between X and C.
• If B associates with X, the MITM attack has succeeded. X re-transmits the frames it receives from B to C. These frames will have a spoofed source address of B.
First Stage – Deauth Attack
• The attack machine uses vulnerabilities to get information about the AP and clients.
• The attack machine sends deauthentication frames to the victim using the AP’s MAC address as the source
Second Stage – Client Capture
- The victim’s 802.11 card scans channels to search for a new AP.
- The victim’s 802.11 card associates with the Trojan AP on the
  attack machine.
  - The attack machine’s fake AP duplicates the MAC address and ESSID
    of the real AP.
  - The fake AP is on a different channel than the real one.
Third Stage – Connect to AP
- The attack machine associates with the real AP using the MAC
  address of the victim’s machine.
- The attack machine is now inserted and can pass frames through in
  a manner that is transparent to the upper-level protocols.
The Monkey-Jack Attack
Monkey-Jack Detection
Why do I hear my MAC address as the source address? Is this an
attack? Am I being spoofed?
Beginning of a MITM IDS Algorithm
ARP Poisoning
- ARP poisoning is an attack technique that corrupts the ARP cache
  that the OS maintains with wrong MAC addresses for some IP
  addresses.
- ARP cache poisoning is an old problem in wired networks.
- ARP poisoning is one of the techniques that enables the
  man-in-the-middle attack.
- ARP poisoning on wireless networks can affect wired hosts too.
Session Hijacking
- Session hijacking occurs when an attacker causes a user to lose his
  connection, and the attacker assumes his identity and privileges for
  a period.
- An attacker temporarily disables the user’s system, say by a DoS
  attack or a buffer overflow exploit. The attacker then takes the
  identity of the user. The attacker now has all the access that the
  user has. When he is done, he stops the DoS attack and lets the user
  resume. The user may not detect the interruption if the disruption
  lasts no more than a couple of seconds.
- Hijacking can be achieved by a forged disassociation DoS attack.
- Corporate wireless networks are set up so that the user is directed
  to an authentication server when his station attempts a connection
  with an AP. After the authentication, the attacker employs the
  session hijacking described above using spoofed MAC addresses.
War Driving
- “The benign act of locating and logging wireless access points
  while in motion.” (http://www.wardrive.net/). Of course useful to
  attackers.
- Drive around (or walk).
  - Possible: 10 mile range using a parabolic dish antenna.
  - “PC cards” vary in power: 25 mW to 100 mW.
Wireless Hacking Tools
802.11 Attack Freeware
- Many open source also:
  - Airsnort (Linux)
  - WEPcrack (Linux)
  - Kismet (Linux)
  - Wellenreiter (Linux)
  - NetStumbler (Windows)
  - MiniStumbler (PocketPC)
  - BSD-Airtools (*BSD)
  - Aerosol (Windows)
  - WiFiScanner (Linux)
  - BackTrack 5 Linux penetration tools distro
- Details of a few follow.
802.11 Network Security Tools
- AiroPeek / AiroPeek NX: wireless frame sniffer / analyzer, Windows
- AirTraf: wireless sniffer / analyzer / “IDS”
- AirSnort: WEP key “cracker”
- BSD Airtools: ports for common wireless tools, very useful
Airsnarf
- Simplifies HostAP, httpd, dhcpd, Net::DNS, and iptables setup
- Simple example of a rogue AP
Ettercap
- Ettercap is a suite for man-in-the-middle attacks on a LAN. It
  features sniffing of live connections, content filtering on the fly
  and many other interesting tricks.
- It supports active and passive dissection of many protocols (even
  ciphered ones) and includes many features for network and host
  analysis.
libradiate
- Radiate is a C library similar in practice to Libnet but designed
  for "802.11 frame reading, creation and injection."
- Libnet builds layer 3 and above.
- Libradiate builds 802.11 frames.
- Disperse, an example tool built using libradiate, is fully
  functional.
libradiate
- Frame types and subtypes:
  - Beacon: transmitted often, announcing a WLAN
  - Probe request: a client frame, "anyone out there?"
  - Association: client and server exchange, "can I play?"
  - Disassociate: "no soup for you!"
  - RTS/CTS: ready/clear to send frames
  - ACK: acknowledgement
- Radiate allows construction of these frames very easily.
netstumbler
- Access point enumeration tool, Windows, free
- Supports GPS but lacks features required by a real wireless
  security hacker...
- http://www.netstumbler.com
stumbverter (2002)
Thanks to fr|tz @ www.mindthief.net for map data!
http://wigle.net/
- Wireless Geographic Logging Engine: making maps of wireless
  networks since 2001
- 45 million WiFi networks! (Sep 27, 2011)
- Download Wigle Wifi for Android
- Download the JiGLE Java client
- Download the DiGLE Windows native client
kismet: wireless network sniffer
- Segregates traffic
- Detects IP blocks
- Decloaks SSIDs
- Detects factory default configurations
- Detects netstumbler clients
- Maps wireless points
- http://kismetwireless.net/
air-jack
- A family of tools based on the air-jack driver:
  - wlan-jack: spoofs a deauthentication frame to force a wireless
    user off the net
  - essid-jack: wlan-jacks a victim, then sniffs the SSID when the
    user reconnects
  - Monkey-jack: wlan-jacks a victim, then plays man-in-the-middle
    between the attacker and the target
  - kracker-jack: monkey-jacks a WLAN connection
- http://802.11ninja.net/
- http://www.blackhat.com/presentations/bh-usa-02/baird-lynn/bh-us02-lynn-802.11attack.ppt
Wireless Security Best Practices
- Location of the APs
- Network segmentation
  - Treat the WLAN as an untrusted network
- RF signal shaping
- Continually check for unauthorized (“rogue/Trojan”) APs
Proper Configuration
- Change the default passwords
- Use WEP, however broken it may be
- Don't use static keys; change them frequently
- Don't allow connections with an empty SSID
- Don't broadcast your SSID
- Use a VPN and MAC address filtering with strong mutual
  authentication
- Wireless IDS/monitoring (e.g., www.airdefense.net)
Proper Configuration
- Most devices have multiple management interfaces:
  - HTTP
  - Telnet
  - FTP
  - TFTP
  - SNMP
- Disable unneeded services / interfaces
- Stay current with patches
Remedies
- Secure protocol techniques:
  - Encrypted messages
  - Digitally signed messages
  - Encapsulation/tunneling
- Use strong authentication
Wireless IDS
- A wireless intrusion detection system (WIDS) is often a
  self-contained computer system with specialized hardware and
  software to detect anomalous behavior.
- The special wireless hardware is more capable than a commodity
  wireless card, including RF monitor mode, detection of interference,
  and keeping track of signal-to-noise ratios.
- It also includes GPS equipment so that rogue clients and APs can be
  located.
- A WIDS includes one or more listening devices that collect MAC
  addresses, SSIDs, features enabled on the stations, transmit speeds,
  current channel, encryption status, beacon interval, etc.
Wireless IDS
- The WIDS computing engine should be powerful enough that it can
  dissect frames and WEP-decrypt them into IP and TCP components.
  These can be fed into TCP/IP-related intrusion detection systems.
- Unknown MAC addresses are detected by maintaining a registry of MAC
  addresses of known stations and APs.
- It can detect spoofed known MAC addresses because the attacker could
  not control the firmware of the wireless card to insert the
  appropriate sequence numbers into the frames.
Wireless Auditing
- Periodically, every wireless network should be audited.
- Several audit firms provide this service for a fee.
- A security audit begins with a well-established security policy.
- A policy for wireless networks should include a description of the
  geographical volume of coverage.
- The goal of an audit is to verify that there are no violations of
  the policy.
IEEE 802.1X
- General-purpose port-based network access control mechanism for
  802 technologies.
- Authentication is mutual: both the user (not the station) and the
  AP authenticate to each other.
  - supplicant: entity that needs to be authenticated before LAN
    access is permitted (e.g., the station);
  - authenticator: entity that supports the actual authentication
    (e.g., the AP);
  - authentication server: entity that provides the authentication
    service to the authenticator (usually a RADIUS server).
IEEE 802.1X
- Extensible Authentication Protocol (EAP)
- Can provide dynamic encryption key exchange, eliminating some of
  the issues with WEP
- Roaming is transparent to the end user
- Microsoft includes support in Windows
802.1x Architecture
Cisco LEAP Overview
- Provides centralized, scalable, user-based authentication
- Algorithm requires mutual authentication
  - Network authenticates client, client authenticates network
- Uses 802.1X for 802.11 authentication messaging
  - APs will support WinXP’s EAP-TLS also
  - Dynamic WEP key support with WEP key session timeouts
LEAP Authentication Process
(Sequence diagram between Client, AP and RADIUS Server.)
1. Client -> AP: Start
2. AP -> Client: Request Identity
3. Client -> AP: Identity; AP -> RADIUS Server: Identity
   (the AP blocks all requests until authentication completes)
4. RADIUS Server authenticates Client
5. Client authenticates RADIUS Server
6. Client and RADIUS Server each derive the key
7. RADIUS Server -> AP: Key Length
8. AP -> Client: Broadcast Key (the AP sends the client the broadcast
   key, encrypted with the session key)
IEEE 802.11i
- Ratified: 2004
- Replaces broken WEP and stopgap measures such as WPA
- Mutual authentication
  - EAP-TLS/802.1X/RADIUS
- Data confidentiality and integrity
  - CCMP (special mode of AES) replaces TKIP
- Key management protocols
  - Discovery and negotiation
  - Coordination with authentication
802.11i
- Takes base 802.1X and adds several features
- Wireless implementations are divided into two groups: legacy and
  new
  - Both groups use 802.1x for credential verification, but the
    encryption method differs
  - Legacy networks must use 104-bit WEP, TKIP and MIC
  - New networks will be the same as legacy, except that they must
    replace WEP/TKIP with advanced encryption standard – operation
    cipher block (AES-OCB)
802.11i Architecture
(Block diagram.) Data enters through the 802.1X Controlled Port and
802.1X Uncontrolled Port above the Data Link layer, handled by the
802.1X Authenticator/Supplicant; below the MAC_SAP the MAC layer
runs WEP/TKIP/CCMP keyed with TK, driven by the 802.11i State
Machines and the Station Management Entity; the Physical layer
consists of PHY and PMD.
Key derivation: PTK ← PRF(PMK), where PTK = KCK | KEK | TK.
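The PTK ← PRF(PMK) step from the diagram, as an added Python example that is not from the talk: the 802.11i PRF-384 expands the PMK with both MAC addresses and both nonces into KCK | KEK | TK, and the KCK then keys the EAPOL-Key MIC with which each side checks that the other derived the same keys. The passphrase, SSID, addresses and nonces are constructed; the PBKDF2 step assumes WPA-PSK (with 802.1X/EAP the PMK would come from the authentication server).

```python
import hashlib
import hmac

def prf(key, label, data, nbits):
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    concatenated, then truncated to nbits."""
    out, i = b"", 0
    while len(out) < nbits // 8:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the two MAC
    addresses || min/max of the two nonces); split as KCK | KEK | TK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def eapol_mic(kck, frame_mic_zeroed):
    """EAPOL-Key MIC, key descriptor version 2 (CCMP): HMAC-SHA1 over the frame
    with its MIC field zeroed, truncated to 128 bits."""
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]

def mic_valid(kck, frame_mic_zeroed, claimed_mic):
    """Receiver-side check: a correct MIC proves the peer derived the same KCK,
    hence knew the PMK, without the PMK ever crossing the air."""
    return hmac.compare_digest(eapol_mic(kck, frame_mic_zeroed), claimed_mic)

# Constructed inputs (not real captures). PMK via PBKDF2 assumes WPA-PSK; with
# 802.1X/EAP the PMK is delivered by the authentication server instead.
PMK = hashlib.pbkdf2_hmac("sha1", b"example-passphrase", b"example-ssid", 4096, 32)
AA = bytes.fromhex("001122334455")     # AP (authenticator) address
SPA = bytes.fromhex("aabbccddeeff")    # station (supplicant) address
ANONCE = bytes(range(32))              # real nonces are random per handshake
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    keys = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)
    for name, k in keys.items():
        print(name, k.hex())
```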
Wi-Fi Protected Access (WPA)
- 2003
- Security solution based on IEEE standards
- Replacement for WEP
- Designed to run on existing hardware as a software upgrade; Wi-Fi
  Protected Access is derived from and expected to be compatible with
  the IEEE 802.11i standard
- TKIP (Temporal Key Integrity Protocol)
- User authentication via 802.1x and EAP
WPA2
- 2004
- All of WPA
- Support for CCMP (Counter Mode with Cipher Block Chaining Message
  Authentication Code Protocol) based on the AES cipher as an
  alternative to TKIP
Temporal Key Integrity Protocol (TKIP)
- 128-bit shared secret: the “temporal key” (TK)
  - Mixes the transmitter's MAC address with the TK to produce a
    Phase 1 key.
  - The Phase 1 key is mixed with an initialization vector (IV) to
    derive per-packet keys.
  - Each key is used with RC4 to encrypt one and only one data
    packet.
- Defeats the attacks based on “Weaknesses in the Key Scheduling
  Algorithm of RC4” by Fluhrer, Mantin and Shamir.
- TKIP is backward compatible with current APs and wireless NICs.
Message Integrity Check (MIC)
- MIC prevents bit-flip attacks.
- Implemented on both the access point and all associated client
  devices, MIC adds a few bytes to each packet to make the packets
  tamper-proof.