Bh-us-02-lynn-802.11attack
Advanced 802.11 Attack
Mike Lynn
&
Robert Baird
7/31/2002
Black Hat 2002, Las Vegas NV
What Is NOT Covered
Wired Equiv. Privacy (WEP) vulnerabilities
WEP Key cracking techniques
Radio signal amplification
Suggested changes to the IEEE 802.11b specification
Wireless network discovery tools
What Will Be Covered
Wireless network best practices
Practical attacks
The focus of the attack(s)
The network layers
The bottom 2 layers
Custom (forged) 802.11b management frames
The Tool Box
Drivers
Utilities
Proof of concept code
What Will Be Covered
Attack Scenarios
Denial of service
Masked ESSID detection
802.11b layer MITM attack
Inadequate VPN implementations
Mitigation Strategies
Wireless Best Practices
Enable WEP - Wired equivalent privacy
Key rotation when equipment supports it
Disable broadcast of ESSID
Block null ESSID connection
Restrict access by MAC address
Use VPN technology
Use strong mutual authentication
Practical Attacks
WEP – Can be cracked passively
Masked ESSID – Can be passively observed in management frames during association
Block null ESSID connects – Same problem
Install VPN – Weakly authenticated VPN is susceptible to active attack (MITM)
Strong mutual authentication - ?
The Network Layers
The Bottom Layers
Manipulating the bottom 2 layers of the OSI model
Data Link (Layer 2)
Media Access Control (MAC) – Access to medium
Logical Link Control (LLC) – Frame sync, flow control
Physical (Layer 1)
Radio bit stream
Divided into channels
Management Frames
Management frames can control link characteristics and physical medium properties
802.11b management frames are NOT authenticated
Why is this bad?
The Tool Box
Custom Drivers
Air-Jack
Custom driver for PrismII (HFA384x) cards
MAC address setting/spoofing
Send custom (forged) management frames
AP forgery/fake AP
Lucent/Orinoco
Linux driver modified to allow MAC address setting/spoofing from the command line
Utilities
User space programs – wlan-jack, essid-jack, monkey-jack, kracker-jack
Air-Jack Driver
Allows control of wireless card modes
Modes 0 and 1 standard documented modes
BSS (infrastructure) (1) or IBSS (0) (Ad-hoc)
Pseudo-IBSS (3) mode
Control channel selection
Firmware handles timing sensitive functions
Mode 5 - undocumented
Channel selection
Firmware handles time sensitive functions
No beacons sent
Very little firmware intervention
Air-Jack Driver
Mode 6 – Host Access Point mode
Sends Beacons (firmware control)
Responds to Probe request
Handles time sensitive functions
Can enable PrismII monitor mode
Uses Linux PF_PACKET interface for RX and TX of raw frames
Air-Jack Driver
void send_deauth(__u8 *dst, __u8 *bssid)
{
    struct {
        struct a3_80211hdr hdr;   /* 3-address 802.11 MAC header (Air-Jack header type) */
        __u16 reason;             /* deauthentication reason code */
    } frame;

    memset(&frame, 0, sizeof(frame));
    frame.hdr.mh_type = FC_TYPE_MGT;        /* management frame */
    frame.hdr.mh_subtype = MGT_DEAUTH;      /* subtype: deauthentication */
    memcpy(&(frame.hdr.mh_mac1), dst, 6);   /* addr1: destination station or broadcast */
    memcpy(&(frame.hdr.mh_mac2), bssid, 6); /* addr2: source, set to the AP's MAC */
    memcpy(&(frame.hdr.mh_mac3), bssid, 6); /* addr3: BSSID */
    frame.reason = 1;                       /* reason code 1: unspecified */
    send(sock, &frame, sizeof(frame), 0);   /* sock: PF_PACKET socket on the Air-Jack interface */
}
Attack Scenarios – WLAN-Jack
Denial of Service – De-authentication
Use MAC address of Access Point
Send deauthenticate frames
Send continuously
Send to broadcast address or specific MAC
Users are unable to reassociate with AP
Air-Jack + WLAN-Jack
Attack Scenarios – WLAN-Jack
Airopeek Trace
Attack Scenarios – WLAN-Jack
Decode of Deauthentication Frame
Attack Scenarios – WLAN-Jack
This is your connection
Attack Scenarios – WLAN-Jack
This is your connection on WLAN-Jack.
Attack Scenarios – ESSID-Jack
Is the ESSID a shared secret?
If I mask the ESSID from the AP beacons, then unauthorized users will not be able to associate with my AP?
Discover Masked ESSID
Send a deauthenticate frame to the broadcast address.
Obtain ESSID contained in client probe request or AP probe response.
Attack Scenarios – ESSID-Jack
Airopeek Trace
Attack Scenarios – Monkey-Jack
MITM Attack
Taking over connections at layer 1 and 2
Insert attack machine between victim and access point
Management frames
Deauthenticate victim from real AP
Send deauthenticate frames to the victim using the access point’s MAC address as the source
Attack Scenarios – Monkey-Jack
Victim’s 802.11 card scans channels to search for new AP
Victim’s 802.11 card associates with fake AP on the attack machine
Fake AP is on a different channel than the real one
Attack machine’s fake AP is duplicating MAC address and ESSID of real AP
Attack Scenarios – Monkey-Jack
Attack machine associates with real AP
Attack machine duplicates MAC address of the victim’s machine.
Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper level protocols
Attack Scenarios – Monkey-Jack
Before Monkey-Jack
Attack Scenarios – Monkey-Jack
After Monkey-Jack
Attack Scenarios – Kracker-Jack
Dangers of wireless MITM
Wireless networks are more vulnerable to MITM attacks than wired networks.
Many security solutions are implemented with an assumption of a secure layer 1 and 2
Many VPN solutions are implemented with inadequate authentication for protection against wireless MITM attacks.
Attack Scenarios – Kracker-Jack
WAVEsec
An open source software solution for securing wireless networks
Uses FreeS/WAN IPSEC implementation
Will thwart passive eavesdropping of wireless network communications.
Implementation options
X.509 Certificates
Secure DNS
Attack Scenarios – Kracker-Jack
Authenticating with WAVEsec gateway
Client sends modified DHCP request with client’s public key
WAVEsec gateway inserts client’s public key into DNS record
Client obtains WAVEsec gateway’s public key by requesting it from the DNS server
IPSEC tunnel setup
Attack Scenarios – Kracker-Jack
Using Kracker-Jack
KJ inserts itself at the 802.11 layer (like monkey-jack)
KJ, using a DNS request, gets the victim’s public key from the DNS server
KJ, using the victim’s MAC address, sends a DHCP request with its own key to replace the victim’s key in the DNS server
Attack Scenarios – Kracker-Jack
KJ initiates ISAKMP main mode SA with the WAVEsec server
KJ initiates ISAKMP main mode SA with victim
Victim gets new server key by DNS request serviced by KJ
Two separate IPSEC tunnels are now setup
All traffic passes through KJ unencrypted
Attack Scenarios – Kracker-Jack
IKE – ISAKMP/Oakley
Phase 1
Messages 1 and 2 – negotiate characteristics of security association; no authentication
Messages 3 and 4 – exchange random values (nonce) and execute Diffie-Hellman exchange to establish a master key (SKEYID); no authentication
Messages 5 and 6 – exchange information for mutually authenticating the parties; identity payload, signature payload, and OPTIONAL certificate payload
Attack Scenarios – Kracker-Jack
IKE – ISAKMP/Oakley
Phase 2 – Oakley Quick Mode
Define Security Associations
Define keys used to protect IP datagrams
Attack Scenarios
Shared key authentication attack
Observe plain text challenge
Observe cipher text response
XOR plain text with cipher text to get key stream
XOR IP packet with key stream re-using IV
Broadcast ping
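An added defender-side example (not code from the talk or from the Air-Jack tool set) that parses 802.11 management frames and audits a capture for the three things the WLAN-Jack, Monkey-Jack and shared key authentication slides describe: a deauthentication flood from one BSSID, one BSSID beaconing on two channels (the fake AP duplicating the real AP's MAC), and shared key authentication in use. The MAC addresses, frames and the deauth threshold are constructed sample values, not from the talk.

```python
import struct
from collections import defaultdict

def parse_mgmt(raw):
    """Decode an 802.11 management frame (3-address header); None otherwise."""
    if len(raw) < 24 or (raw[0] >> 2) & 3 != 0:   # FC type bits 2-3: 0 = management
        return None
    f = {"subtype": raw[0] >> 4, "dst": raw[4:10], "bssid": raw[16:22]}
    body = raw[24:]
    if f["subtype"] == 12 and len(body) >= 2:      # deauthentication: reason code
        f["reason"] = struct.unpack_from("<H", body)[0]
    elif f["subtype"] == 11 and len(body) >= 6:    # authentication: algorithm number
        f["auth_alg"] = struct.unpack_from("<H", body)[0]   # 1 = shared key
    elif f["subtype"] == 8 and len(body) >= 12:    # beacon: 12 fixed bytes, then IEs
        pos = 12
        while pos + 2 <= len(body):
            if body[pos] == 3 and body[pos + 1] == 1 and pos + 3 <= len(body):  # DS Parameter Set
                f["channel"] = body[pos + 2]
            pos += 2 + body[pos + 1]
    return f

def audit(frames, deauth_limit=10):
    """Alert on the behaviours the slides describe; the threshold is an assumption."""
    deauths, channels, alerts = defaultdict(int), defaultdict(set), []
    for f in filter(None, map(parse_mgmt, frames)):
        if f["subtype"] == 12:
            deauths[f["bssid"]] += 1
        elif f["subtype"] == 8 and "channel" in f:
            channels[f["bssid"]].add(f["channel"])
        elif f.get("auth_alg") == 1:               # shared key auth leaks key stream
            alerts.append("shared-key auth with %s" % f["bssid"].hex(":"))
    for b, n in deauths.items():
        if n >= deauth_limit:
            alerts.append("deauth flood from %s (%d frames)" % (b.hex(":"), n))
    for b, chans in channels.items():
        if len(chans) > 1:                         # one BSSID on two channels: fake AP
            alerts.append("BSSID %s beaconing on channels %s" % (b.hex(":"), sorted(chans)))
    return alerts

def frame(subtype, dst, src, bssid, body):
    """Constructed sample frame: FC type 0, flags 0, duration 0, sequence 0."""
    return bytes([subtype << 4, 0, 0, 0]) + dst + src + bssid + b"\0\0" + body

AP, STA, BCAST = bytes.fromhex("00112233aabb"), bytes.fromhex("00aa00bb00cc"), b"\xff" * 6
SAMPLE = ([frame(12, BCAST, AP, AP, struct.pack("<H", 1))] * 12               # WLAN-Jack style flood
          + [frame(8, BCAST, AP, AP, bytes(12) + b"\x00\x04TEST\x03\x01\x06"),  # real AP beacon, ch 6
             frame(8, BCAST, AP, AP, bytes(12) + b"\x00\x04TEST\x03\x01\x0b"),  # same MAC, ch 11
             frame(11, AP, STA, AP, struct.pack("<HHH", 1, 1, 0))])              # shared-key auth request
```

On a real capture the frames would come from a monitor-mode interface; the audit is then simply `audit(captured_frames)`.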
Mitigation Strategies
Big guy with a stick
Wireless IDS and Monitoring
AirDefense http://www.airdefense.net
VPN + Strong mutual authentication
RF Signal shaping – Avoiding signal leaks
Antennas with directional radiation pattern
Lower Access Point power
Summary
Wireless networks are more susceptible to active attacks than wired networks
Enable all built-in security capabilities
Use VPN with strong mutual authentication
Monitor wireless network medium (air space) for suspicious activity
Updates – Black Hat web site or http://802.11ninja.net