The Art and Science of Penetration Testing
802.11 Security
Past, Present, and Future
Chris Shutters, CISSP
February 2004
What We Will Cover
• Introduction - What is 802.11?
• Relationship Between 802.11 and Wi-Fi
• Original 802.11 Security Goals
• Original 802.11 Security
• Original Vulnerabilities
• Tools
• How to Secure Original 802.11
• Current 802.11 Security
• WPA Protocol Stack
• Future 802.11 Security
• Final Thoughts
Introduction - What is 802.11?
• A set of standards for wireless networking
  – Addresses LANs where devices
    • Communicate over ‘airwaves’ (radio or infrared)
    • Are within (relatively) close proximity to each other
• Wireless devices may communicate
  – Directly with each other (independent or ad-hoc networks)
  – Via an Access Point (AP) (infrastructure mode)
• Data rates
  – 802.11b: up to 11 Mbps (2.4 GHz frequency range)
  – 802.11a: up to 54 Mbps (5 GHz frequency range)
  – 802.11g: up to 54 Mbps (2.4 GHz frequency range)
Relationship Between 802.11 and Wi-Fi
• 802.11 is a series of standards produced by the IEEE
  – Specify technical details such as:
    • Radio frequencies
    • Modulation methods
    • Protocol messages
• Wi-Fi is an alliance of major 802.11 manufacturers
  – Focus is on interoperability testing
  – Interoperability is defined by a set of “gold standard” products
  – Products are tested and certified as Wi-Fi compliant
Original 802.11 Security Goals
• Authorization
  – Verify that all mobile stations are authorized to access the network
• Privacy
  – Implement security such that there is no privacy difference between wireless and wired LANs
  – Maintain data privacy from all unauthorized stations
Original 802.11 Security
• Two authentication methods available
  – Open system authentication
    • Station 1 sends Service Set ID (SSID) to station 2
    • Station 2 accepts or rejects station 1 based on knowledge of SSID
    • APs can be configured to accept the broadcast SSID
      – Thus allowing anyone to access the AP
  – Shared key authentication
    • Stations respond to an authentication challenge from an AP or other device
      – AP sends a challenge to be encrypted by the station
      – Station encrypts the challenge with shared key
      – AP decrypts challenge and grants or denies authentication based on decryption results
Original 802.11 Security (cont.)
• Wired Equivalent Privacy (WEP)
  – Encryption algorithm: RC4 (symmetric stream cipher)
  – Requires shared key for all communicating stations
  – Key length: either 40 or 104 bits (plus 24 bit initialization vector [IV])
  – Each data frame is encrypted separately with a different IV
  – Key management: not addressed by 802.11
• WEP key details
  – RC4 encryption key is constructed by appending IV to shared key
    • 2^24 possible encryption keys for each shared key
Original 802.11 Security (cont.)
• Data integrity is protected with a Message Integrity Code (MIC)
  – The 32-bit Cyclic Redundancy Check (CRC-32) algorithm was chosen to implement the MIC
    • Bad choice, as CRC-32 was originally designed to detect random changes to data, not to protect against malicious tampering
    • An attacker can reliably change both the data and the CRC-32 value such that the CRC-32 matches the altered data
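
Why a linear checksum fails as an integrity code under a stream cipher, as an added example that is not part of the original slides. The frame layout is simplified, the keys and message are constructed, and HMAC-SHA256 stands in for "a keyed MAC" (it is not the Michael algorithm WPA uses).

```python
import hashlib
import hmac
import zlib

def rc4(key: bytes, n: int) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")

def seal(iv, key, msg, tag):
    """Append tag(msg), then XOR with the RC4 keystream for this IV and key."""
    body = msg + tag(msg)
    return xor(body, rc4(iv + key, len(body)))

def unseal(iv, key, ct, tag, tag_len):
    """Decrypt; return the message, or None if the integrity tag is wrong."""
    body = xor(ct, rc4(iv + key, len(ct)))
    msg, got = body[:-tag_len], body[-tag_len:]
    return msg if hmac.compare_digest(tag(msg), got) else None

def demo():
    iv, key, mac_key = b"\x00\x00\x01", b"WEPK1", b"constructed-mac-key"  # constructed
    msg, altered = b"PAY 0100 TO ALICE", b"PAY 9100 TO ALICE"
    delta = xor(msg, altered)   # bit flips, derived from plaintexts only
    keyed = lambda m: hmac.new(mac_key, m, hashlib.sha256).digest()[:8]
    # CRC-32 is affine over XOR: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros)
    patch = delta + xor(crc(delta), crc(bytes(len(delta))))
    crc_result = unseal(iv, key, xor(seal(iv, key, msg, crc), patch), crc, 4)
    # Same bit flips against a keyed MAC: the tag cannot be fixed up without mac_key
    mac_result = unseal(iv, key, xor(seal(iv, key, msg, keyed), delta + bytes(8)), keyed, 8)
    return crc_result, mac_result
```

`demo()` returns the altered message for the CRC-32 frame (the receiver accepts it) and `None` for the keyed-MAC frame (the receiver rejects it).
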
Original Vulnerabilities
• Traffic sniffing
  – Easier to perform on wireless than on traditional wired LANs
  – SSID is always sniffable when stations associate to an AP
  – If WEP is not being used
    • Plaintext data frames can be sniffed
  – If WEP is being used
    • Ciphertext data frames can be sniffed
    • Accumulation of ciphertext data leads to many interesting attacks
  – For APs connected to other LANs
    • Broadcast traffic should be available
    • Vulnerable to ARP spoofing
Original Vulnerabilities (cont.)
• Insertion – connecting an unauthorized station into a Wireless LAN
  – Easy if WEP not being used
    • Try broadcast SSID
    • Sniff SSID and use it to gain access
    • Request DHCP address
    • If no DHCP, try a 192.168.1.x address
  – If WEP is being used
    • Can still do many things…
• Authentication problems
  – Currently, authentication only performed by SSID or WEP key
    • Both of these methods may be sniffed and duplicated
Original Vulnerabilities (cont.)
• WEP problems
  – Inappropriate choice of encryption algorithm
    • With stream ciphers, it is unsafe to ever reuse a key
  – Key management problems
    • Because this issue is not addressed by 802.11, the shared key is rarely if ever changed
  – Keyspace problems
    • Reuse of IVs is inevitable
      – For randomly-selected IVs: due to Birthday Paradox, it is 99% likely that at least one IV will be reused every 12,500 frames
    • On a moderately loaded AP, keyspace will be exhausted in a few hours
    • Capture of large amounts of frames can lead to compromise of shared key
Original Vulnerabilities (cont.)
  – Known plaintext attacks
    • If the plaintext and corresponding ciphertext of a message can be obtained, the RC4 keystream for that IV can be recovered
      – As discussed before, the shared key authentication method does this for us!
      – Note: No knowledge of the shared key is required, except the fact that it hasn’t changed
    • Once at least one RC4 keystream has been recovered, one can
      – Authenticate to the network
      – Insert messages into the network
Original Vulnerabilities (cont.)
    • Often, attacker can inject known plaintext
      – HTTP requests
      – PING packets
    • Known plaintext in a packet allows immediate recovery of the keystream for that particular IV!
    • A Decryption Dictionary can be assembled
      – Table indexed by IV that contains recovered keystreams
      – Approximately 23 GB required for 24 bit IVs
      – Dictionary is the same size for 40 and 104 bit encryption!
    • When a new packet that uses a known IV is captured, just look up the keystream and decrypt the data!
    • Many implementations reset IVs to zero when initialized, and sequentially increment IVs
      – In this case the dictionary won’t have to be very big to be able to decrypt a significant percentage of traffic
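
The keyspace figures on these slides (99% IV reuse within 12,500 frames, exhaustion in a few hours, a dictionary of about 23 GB), worked through as an added example that is not part of the original deck. It assumes uniformly random IVs for the birthday calculation, and the 1,500-byte keystream per IV and 1,500 frames per second are assumptions chosen here; the slides state neither. The 48-bit case is the IV size WPA adopts, covered later in the deck.

```python
import math

def reuse_probability(frames: int, iv_bits: int = 24) -> float:
    """P(at least one IV repeats) when each frame picks a uniformly random IV."""
    space = 2 ** iv_bits
    if frames > space:
        return 1.0  # pigeonhole: more frames than distinct IVs
    # log P(all distinct) = sum of log(1 - i/space); log1p/expm1 keep precision
    log_distinct = sum(math.log1p(-i / space) for i in range(frames))
    return -math.expm1(log_distinct)

def frames_for_reuse(target: float, iv_bits: int = 24) -> int:
    """Smallest number of frames whose reuse probability reaches target."""
    space, log_distinct, n = 2 ** iv_bits, 0.0, 0
    while -math.expm1(log_distinct) < target:
        log_distinct += math.log1p(-n / space)
        n += 1
    return n

def dictionary_gib(iv_bits: int = 24, frame_len: int = 1500) -> float:
    """Size of a table holding one frame_len-byte keystream per IV, in GiB."""
    return (2 ** iv_bits) * frame_len / 2 ** 30

def hours_to_exhaust(iv_bits: int, frames_per_sec: float) -> float:
    """Time for a sequential IV counter to wrap at a steady frame rate."""
    return (2 ** iv_bits) / frames_per_sec / 3600

if __name__ == "__main__":
    rate = 1500  # assumed frames per second on a moderately loaded AP
    print(f"P(reuse within 12,500 frames) = {reuse_probability(12500):.4f}")
    print(f"frames for 99% reuse          = {frames_for_reuse(0.99)}")
    print(f"24-bit dictionary             = {dictionary_gib():.1f} GiB")
    print(f"24-bit IV wraps after         = {hours_to_exhaust(24, rate):.1f} hours")
    print(f"48-bit IV wraps after         = {hours_to_exhaust(48, rate) / 8766:.0f} years")
```
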
Original Vulnerabilities (cont.)
• Misconfiguration
  – Default SSID not changed
  – Broadcast SSID not disabled
  – Default passwords not changed
  – WEP not enabled
Tools
• NetStumbler (http://www.netstumbler.com/)
  – Windows application that sniffs for presence of wireless traffic
  – When it detects traffic, it logs
    • MAC address
    • SSID
    • Manufacturer
    • Channel
    • WEP enabled (yes or no)
    • Signal strength
    • Signal to noise ratio
  – If you have GPS data available, it will also log coordinates
Tools (cont.)
• AiroPeek NX (http://www.wildpackets.com/products/airopeek_nx)
  – Commercial 802.11 sniffer and analyzer
  – Performs full decode of all 802.11 traffic as well as higher-level network protocols
Tools (cont.)
• AirSnort (http://airsnort.shmoo.com/)
  – Wireless LAN WEP key recovery program
  – Sniffs and stores traffic until key can be computed
    • Typically requires capture of between five and ten million encrypted packets
  – Implements attack against RC4 Key Scheduling Algorithm Weakness (http://downloads.securityfocus.com/library/rc4_ksaproc.pdf)
    • This is commonly known as the FMS attack (for the initials of the discoverers of the attack)
    • Looks for frames that were encrypted with “weak” RC4 keys (approximately 3,000 out of the 16+ million possible keys)
    • Once approximately 2,000 “interesting” frames have been gathered, the key can be computed
Tools (cont.)
• Kismet (http://www.kismetwireless.net/)
  – Linux program for sniffing wireless traffic
  – Will log the following information
    • Networks found
    • Captured packets in binary format (suitable for later replay and analysis)
    • Cryptographically “weak” packets (like AirSnort)
    • IP address blocks in use (via ARP and DHCP analysis)
    • All Cisco products that announce themselves via Cisco Discovery Protocol (CDP)
How to Secure Original 802.11
• Place the WLAN in a DMZ and require VPN authentication for access to internal systems
  – Systems may still be individually attackable by rogue mobile stations
• Enable WEP
• Use 128 bit WEP encryption
• Change shared keys on a regular basis
• Change default SSID
• Don’t make SSID something obvious (company name, street address, etc)
• Disable acceptance of “broadcast SSID”
• Disable broadcasting of SSID
• Change default passwords on all equipment
• If possible, restrict access by MAC addresses
• Consider not using DHCP (statically assign addresses)
Current 802.11 Security
• Wi-Fi Protected Access (WPA) is the current “state of the art” in 802.11 security
  – Why? To specifically address WEP weaknesses in a timely manner
  – Most existing equipment can implement WPA with a firmware update
  – First, use of the Temporal Key Integrity Protocol (TKIP) is specified
    • CRC is replaced with a MIC called Michael
      – New algorithm
      – Compromise between security and ability to be implemented in current hardware
      – Can potentially be brute-forced
        • However, countermeasures are implemented to detect and respond to brute-force attacks
Current 802.11 Security (cont.)
    • IV size increased from 24 to 48 bits
      – IVs mandated to be used in sequential order
      – IV rollover or reuse won’t happen for hundreds of years
      – IV is also used as a replay detector/preventer
    • The secret key used to encrypt packets is changed for every packet, using Per-Packet Key Mixing
      – Static Master and Session keys exist, but they are not directly used to encrypt packets
      – Thus, the tactic of accumulating large amounts of ciphertext to attack a static secret key will no longer work
    • Countermeasures
      – The countermeasure against a Michael brute-force attack is to halt all network traffic on the attacked device for one minute
        • This limits attacker to one attempt per minute
        • The network interruptions should (in theory) be noticed by network support personnel
Current 802.11 Security (cont.)
  – Second, use of the Extensible Authentication Protocol (EAP) is specified
    • This is a simple protocol, designed to transport arbitrary authentication information (originally designed for dialup)
    • For communication between mobile station and AP, EAP over LAN (EAPOL) is used
    • For communication between AP and authentication server, EAP over RADIUS is used
  – Third, use of the 802.1X protocol is specified
    • 802.1X was designed to implement access control at the point where a user joins the network
      – Multiple lower-level protocols can implement 802.1X
        • WPA specifies EAPOL as the 802.1X protocol used between mobile station and AP
        • WPA specifies RADIUS as the 802.1X protocol used between AP and authentication server
Current 802.11 Security (cont.)
    • Please note that 802.1X has been shown to be vulnerable to man-in-the-middle and session hijacking attacks (http://www.cs.umd.edu/~waa/1x.pdf)
  – Fourth, use of Transport Layer Security (TLS, the RFC standardized version of SSL) is specified
    • TLS is transported over EAP
    • It is utilized specifically for authentication
    • This implies existence of a PKI infrastructure for managing keys and certificates
      – May be non-trivial to implement such an infrastructure
  – Fifth, specific methods of cryptographic key management are specified
    • Each authenticated mobile station receives:
      – A pairwise key that is used to protect communications between it and the AP
      – A group key that is used to protect broadcast or multicast data
WPA Protocol Stack
Security Communication Between Mobile Station and Access Point
TLS (RFC2246)
TLS over EAP (RFC2716)
EAP (RFC2284)
802.1X EAPOL
802.11
WPA Protocol Stack (cont.)
Security Communication Between Access Point and Authentication Server
TLS (RFC2246)
TLS over EAP (RFC2716)
EAP (RFC2284)
EAP over RADIUS (RFC2869)
RADIUS (RFC2865)
TCP/IP
802.3 (or other)
Future 802.11 Security
• The 802.11i standard is close to being finalized and published
  – WPA was designed to be upwardly compatible with 802.11i
  – 802.11i defines a Robust Security Network (RSN)
    • RSN utilizes almost all of the protocols specified in WPA, but includes some additional changes/options
    • First, use of the Advanced Encryption Standard (AES) is required
      – This replaces RC4
      – AES cannot be implemented in the majority of existing hardware
Future 802.11 Security (cont.)
    • Second, the WPA MIC is replaced by Cipher Block Chaining – Message Authentication Code (CBC-MAC)
      – This is a new implementation of CBC-MAC using AES, but based upon previous implementations of CBC-MAC using other crypto algorithms
    • Third, TKIP is replaced by Counter Mode – CBC-MAC Protocol, or CCMP (RFC 3610)
      – This is basically an implementation of a protocol similar to TKIP, only based on AES instead of RC4
      – What RC4 is to TKIP, AES is to CCMP
Future 802.11 Security (cont.)
    • Fourth, multiple additional upper-layer authentication mechanisms (at the same layer as TLS) are specified
      – Kerberos V5 (RFC 1510) is a well-known, centralized authentication and authorization system
      – Protected EAP (PEAP) provides a way to do EAP negotiation while not exposing authentication tokens (e.g. passwords, password hashes, or identity credentials) to sniffing attacks
        • Currently a draft internet standard (http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-07.txt)
      – EAP-SIM is based on an authentication method used in cellular networks
Final Thoughts
• Original 802.11 networks can be secured, but it is not easy
• WPA is a dramatic improvement over original 802.11 security
• 802.11i will likely be even better, but implementation will almost assuredly require updated hardware
• Questions?