Wireless Security


Misbehaving with 802.11
Will Stockwell
[email protected]
Topics
• Snake oil access control
• MAC layer lacks per frame authentication
• The spoofing problems which result
• 802.1X issues related to spoofing
• WEP (dead horse, I’ll discuss it briefly)
• Attacks against these schemes
• Recommendations
• Wireless tools you can mess with
Terminology
• SSID – Service Set ID
– A text string used to identify sets of APs
• Spoofing
– Illegitimate generation of network traffic
• Fake packets all together
• Insert traffic into a stream
• WEP – Wired Equivalent Privacy
– Broken 802.11 encryption scheme
– Should be “What on Earth does this Protect?”
Terminology (continued)
• Access point
– Device serving as wireless-to-wired bridge
• Association request
– Wireless stations ‘associate’ with an AP
– Follows rudimentary authentication procedure
• Per Frame Authentication
– Every frame carries authenticity information
– Should be used with initial auth. exchange
Ted’s Hacker (image slide)
Auth. in the 802.11 MAC Layer
• Two types
– Open System
• No authentication
• Gratuitous access
– Shared Key
• Uses WEP – broken scheme (Returning to this later)
• Key distribution and usage issues
• No per frame auth.
– frame spoofing is easy (more later)
– If an authentication scheme is to be effective, it needs to be per frame
• No AP auth. – allows impersonation of APs
• MAC layer does leave room for other auth. schemes
– None presently implemented
– New schemes which conform to the standard still can’t provide per frame authentication
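The per frame authentication the slides call for, shown as an added illustration that is not part of the talk or of any 802.11 standard: a toy frame format in which every frame carries an HMAC tag computed under a session key from the initial authentication exchange, plus a sequence number against replay. The key, the MAC addresses, the frame layout and the tag length are all constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed session key: in a real design it would be derived from the
# initial authentication exchange, never a constant in the source.
SESSION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TAG_LEN = 8                                   # truncated HMAC-SHA256 tag
FRAME_TYPES = {"DATA": 2, "DISASSOC": 10, "DEAUTH": 12}
HDR = struct.Struct("!B6s6sI")                # type, source MAC, BSSID, sequence number

def mac(addr):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(addr.replace(":", ""))

def build_frame(key, frame_type, src, bssid, seq, body=b""):
    """Sender side: header + body, then a tag over both under the session key."""
    header = HDR.pack(FRAME_TYPES[frame_type], mac(src), mac(bssid), seq)
    tag = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    return header + body + tag

def parse_frame(frame):
    ftype, src, bssid, seq = HDR.unpack_from(frame)
    return ftype, src, bssid, seq, frame[HDR.size:-TAG_LEN], frame[-TAG_LEN:]

class Receiver:
    """Station that honours only frames with a valid tag and a fresh sequence number."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}          # source MAC -> highest sequence number accepted
        self.associated = True

    def accept(self, frame):
        ftype, src, _bssid, seq, _body, tag = parse_frame(frame)
        expected = hmac.new(self.key, frame[:-TAG_LEN], hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"        # forged without the key: dropped
        if seq <= self.last_seq.get(src, -1):
            return "reject: replay"         # captured earlier and resent: dropped
        self.last_seq[src] = seq
        if ftype in (FRAME_TYPES["DISASSOC"], FRAME_TYPES["DEAUTH"]):
            self.associated = False         # only a keyed disassociate takes effect
            return "accept: disassociated"
        return "accept: data"

def demo():
    """Walk a station through a genuine frame, a forged disassociate, a replay and a genuine disassociate."""
    ap = "00:0a:aa:aa:aa:01"                # constructed AP address
    rx = Receiver(SESSION_KEY)
    legit = build_frame(SESSION_KEY, "DATA", ap, ap, 1, b"hello")
    # Forger spoofs the AP's address but has to guess the key.
    forged = build_frame(b"\x00" * 16, "DISASSOC", ap, ap, 2)
    genuine_disassoc = build_frame(SESSION_KEY, "DISASSOC", ap, ap, 2)
    return [rx.accept(legit), rx.accept(forged), rx.accept(legit),
            rx.accept(genuine_disassoc), rx.associated]

if __name__ == "__main__":
    print(demo())
```

Without the tag, the forged disassociate above would be honoured on the strength of its source address alone, which is exactly the spoofing problem the slides describe; the sequence counter is what stops a sniffed frame from being replayed later.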
Other Forms of Access Control
• SSID hiding (complete snake oil)
– SSID often beaconed by APs
– APs can be configured to stop beaconing
• MAC address filtering (snake oil)
– DHCP servers
– AP ACLs
• 802.1X (spoofing issues)
– Takes place following MAC layer auth. and assoc. to AP
– Controls access only to world beyond AP via EAP
– Does allow for more robust authentication (Kerberos, others)
– Doesn’t solve per packet auth. problem
– No clients for all OS’s which all use the same auth. scheme
WEP, the “Sweet & Low” of 802.11
(dead horse, moving quickly)
• Passive listening
– Numerous documented attacks
– Attacks widely implemented
– Key can be recovered at worst in a few hours of passive listening
• Only encrypts data frames
– Management, control frames sent in the clear
– We can still spoof these frame types without a key
• Key management issues
– If key changes all devices must change it at the very same time, so short key periods won’t help much
– Employee leaves with key in hand
– Broken anyway! Why are you considering this option?
Circumvention: The Easy, the Challenging and the Not-So-Impossible
Sniffing the SSID - easy
(Diagram: a mischievous station running NetStumbler or similar sniffs while a regular user station, being innocent, sends an Assoc. Request (…, SSID ‘Paris’, …) to the AP w/ SSID ‘Paris’.)
Beating MAC Address Filters - easy
• Sniff legitimate MAC Addresses
• Wait for a station to leave
• Set your MAC to a legitimate address
– linux# ifconfig wlan0 hw ether 00:00:de:ad:be:ef
– openbsd# wicontrol wi0 -m b5:db:5d:b5:db:5d
• You can now authenticate and associate
• MAC filtered by DHCP server?
– Sniff addresses and set your IP statically
Cracking WEP – easy, time consuming
(Diagram: a mischievous station running AirSnort or similar sniffs the WEP encrypted data frames (A1%h8#/?e$! ...) passing between a regular user station, being innocent, and the access point, until CRACK!)
Back to the Spoofing Issue
• Allows lots of naughty behavior
– Station disassociation DoS
• Disrupt wireless station’s access
– Access point saturation DoS
• MAC level limits the number of associated stations to ~2000
• Implementation limits set lower to prevent congestion
• Prevent new stations from authenticating to an AP
– Hijacking of legitimately authenticated sessions
– Man in the middle attacks
• Old ARP cache poisoning, DNS spoofing affect 802.11 too
• Impersonate AP to a client, tamper with traffic, pass it along
More on Spoofing Frames – challenging, getting easy
• Libradiate makes it easy
– Alpha stage code
– Didn’t work for me, but expect it to work in future
– Combine with Libnet to do all sorts of packet naughtiness
• Denial of Service (disassoc, AP saturate, others)
– no publicly implemented attacks
– Libradiate author wrote and tested, but unreleased
– Wrote my own disassociator!
– 802.1X has its own DoSes (EAP Logoff, Failure)
Disassociating a Wireless Station – easy after implementation!
(Diagram: a mischievous station running dis2 sniffs the general wireless traffic (MGMT, CTRL, DATA) between a regular user station, being innocent, and the access point, then sends a Disassociate Frame (SANTA’S MAC, AP BSSID, DISASSOC, …) – DISASSOC!)
Session Hijacking, MITM – old dogs, new playground
• The wireless advantage: easy access to medium!
• Hijacking a wireless session
– Known network/transport layer attacks – easy w/ implementations
– MAC level hijacking – implemented in UMD research, not public
• Simple combination of disassociation and MAC spoofing
• Can beat 802.1X, if hijacking after EAP Success received by station
• MITM
– SSH, SSL – easy w/ sshmitm, webmitm (part of the dsniff package)
• ARP Poisoning, DNS redirect still work (may need retooling for 802.11 MAC)
• Same issues that go along with these attacks on wired medium exist here
– AP impersonate MITM – doable, challenging (no public implementation)
• Could be detectable w/ knowledge of legitimate BSSIDs
– 802.1X MITM – implemented in UMD research, not public
• Spoof EAP success to station, pass traffic to network for it
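The detection angle mentioned above (unexpected BSSIDs are detectable given a list of legitimate ones) and the disassociation DoS from the earlier slides, as an added example that is not part of the talk: a small detector run over a constructed summary of captured frames. It flags beacons or traffic from a BSSID outside a known inventory, and a burst of disassociate/deauthenticate frames from one source address within a short window. The log format, the inventory, the addresses and the thresholds are all constructed for this example.

```python
import csv
import io
from collections import defaultdict, deque

# Constructed inventory of legitimate BSSIDs; a real deployment would load it
# from the AP management system, and it must be kept current or rogue alerts
# turn into noise.
KNOWN_BSSIDS = {"00:0a:aa:aa:aa:01"}
FLOOD_THRESHOLD = 5      # disassoc/deauth frames from one source address...
FLOOD_WINDOW = 2.0       # ...within this many seconds trips an alert

# Constructed capture summary, one frame per line:
# timestamp,type,subtype,source,destination,bssid
SAMPLE_LOG = """\
0.00,MGMT,BEACON,00:0a:aa:aa:aa:01,ff:ff:ff:ff:ff:ff,00:0a:aa:aa:aa:01
0.10,DATA,DATA,00:0b:bb:bb:bb:01,00:0a:aa:aa:aa:01,00:0a:aa:aa:aa:01
0.50,MGMT,BEACON,00:0c:cc:cc:cc:01,ff:ff:ff:ff:ff:ff,00:0c:cc:cc:cc:01
1.00,MGMT,DISASSOC,00:0a:aa:aa:aa:01,00:0b:bb:bb:bb:01,00:0a:aa:aa:aa:01
1.05,MGMT,DISASSOC,00:0a:aa:aa:aa:01,00:0b:bb:bb:bb:01,00:0a:aa:aa:aa:01
1.10,MGMT,DISASSOC,00:0a:aa:aa:aa:01,00:0b:bb:bb:bb:01,00:0a:aa:aa:aa:01
1.15,MGMT,DISASSOC,00:0a:aa:aa:aa:01,00:0b:bb:bb:bb:01,00:0a:aa:aa:aa:01
1.20,MGMT,DISASSOC,00:0a:aa:aa:aa:01,00:0b:bb:bb:bb:01,00:0a:aa:aa:aa:01
1.25,MGMT,DISASSOC,00:0a:aa:aa:aa:01,00:0b:bb:bb:bb:01,00:0a:aa:aa:aa:01
2.00,DATA,DATA,00:0b:bb:bb:bb:01,00:0a:aa:aa:aa:01,00:0a:aa:aa:aa:01
"""

def parse_log(text):
    """Turn the CSV summary into a list of frame dicts with numeric timestamps."""
    frames = []
    for ts, ftype, subtype, src, dst, bssid in csv.reader(io.StringIO(text)):
        frames.append({"ts": float(ts), "type": ftype, "subtype": subtype,
                       "src": src, "dst": dst, "bssid": bssid})
    return frames

def detect(frames, known_bssids=KNOWN_BSSIDS,
           threshold=FLOOD_THRESHOLD, window=FLOOD_WINDOW):
    """Return (alert_type, address, timestamp) tuples in the order they fire."""
    alerts = []
    seen_rogue = set()                  # alert once per unknown BSSID
    recent = defaultdict(deque)         # source MAC -> timestamps of recent disassoc/deauth
    for f in frames:
        if f["bssid"] not in known_bssids and f["bssid"] not in seen_rogue:
            seen_rogue.add(f["bssid"])
            alerts.append(("rogue_bssid", f["bssid"], f["ts"]))
        if f["subtype"] in ("DISASSOC", "DEAUTH"):
            q = recent[f["src"]]
            q.append(f["ts"])
            while q and f["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) == threshold:                 # fire once as the burst crosses the line
                alerts.append(("disassoc_flood", f["src"], f["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Since the flood frames carry the AP’s own source address, nothing in the frame itself distinguishes them from a genuine disassociation; the detector can only notice the rate, which is why the slides treat this as a monitoring problem rather than something the MAC layer prevents.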
Main Points
• The wireless medium is inherently insecure
• The 802.11 MAC poorly compensates
• MAC layer needs stronger authentication
• Per packet auth. could solve many issues
• 802.1X exchange comes too late
• Spoofing attacks will become public
Recommendations
• The first rule of Fight Club is…
– Secure network protocols
– SECURE NETWORK PROTOCOLS
– wireless only makes attacks against these easier
• Snake oil can provide hurdles for the casual
• Treat wireless the way you treat remote traffic
• High security environments: no wireless allowed
• Not satisfied with these answers? Sorry!
Wireless Tools for your Tinkering
• Windows
– Netstumbler – find APs and their SSIDs
– Airopeek – wireless frame sniffer
• Linux
– Airsnort (and other WEP tools)
– Airtraf (Netstumbler-like)
– Kismet (Netstumbler-like, WEP capture, other stuff)
• *BSD
– bsd-airtools (Netstumbler-like tool, WEP cracking)
– Kismet
References
• http://www.mit.edu/~bigwill/
– My slides
– PGP key
• 802.11 Wireless Networks: The Definitive Guide, Matthew S. Gast
– Good overview of 802.11 in general
– MAC layer well-covered
– Discussion of the different physical layer standards as well
• http://www.cs.umd.edu/~waa/wireless.html
– Lots of links
– WEP papers
– 802.1X information
– General 802.11 security information
• http://www.packetfactory.net/projects/libradiate
– 802.11 frame creation, injection, sniffing library
– Works well in conjunction with libnet TCP/IP packet library
– Broken in my experience, but big potential for the future