Computer security 2014 – Ýmir Vigfússon
Based on slides by Björn@Syndis, Roy Werber, Pascal Meunier@Purdue,
material from Computer Networking: A Top Down Approach Featuring the Internet,
Jim Kurose, Keith Ross, Addison-Wesley
[Figure: data rate (Mbps) versus range (indoor 10-30m; outdoor 50-200m; mid-range outdoor 200m – 4 Km; long-range outdoor 5Km – 20 Km) for 802.11n, 802.11a,g, 802.11b, 802.15, 802.16 (WiMAX (4G?)), 2G (IS-95, CDMA, GSM), 3G (UMTS/WCDMA, CDMA2000) and enhanced 3G cellular (UMTS/WCDMA-HSPDA, CDMA2000-1xEVDO)]
How does wireless differ from wired settings?
Base stations relay traffic between wireless and wired networks
Cell towers
Access points
...
Infrastructure mode vs. ad-hoc (no base stations)
Basic service set (BSS)
A.k.a. “cell”
Set of wireless hosts
In infrastructure-mode, also base station
In ad-hoc mode, hosts relay for each other
Interesting research questions ...
[Figure: two basic service sets, BSS 1 and BSS 2, each with an AP attached through a hub, switch or router to the network infrastructure and the Internet]
Genesis of a wireless/WiFi network
JOIN ME Beacon!!!
I have powerful signal!
I am called Secure! (SSID)
My MAC address is
00:de:ad:be:ef:00 (BSSID)
I encrypt .. or not
... and a WLAN is born
Afterward, may authenticate, run DHCP, etc.
2.4 GHz – 2.485 GHz divided into 11 channels
Each is a band. How would you share bandwidth?
Share band, Carrier Sense Multiple Access (CSMA)
Instead of just dividing frequency or time slots among
users, 802.11 uses Code Division Multiple Access (CDMA)
Optional: CSMA-CA: Collision Avoidance
Short Req-to-Send (RTS) messages to reserve channel
Base station (access point) decides "Clear-to-Send" (CTS)
[Figure: timeline for A, B and the Access Point: reservation collision, DATA (A), defer]
Suppose you're in charge of designing the first
wireless protocol for the masses, 802.11.
How would you make it backward compatible?
[Figure: layered protocol stacks (Application, Transport, Network/IP, Data Link/Network Access) with the application protocol, TCP protocol and IP protocol running between matching layers]
Strive to replace only the lowest layer: link layer
In regular networks, this is usually Ethernet
[Figure: link layer frame: Link (Ethernet) header, IP header, TCP header, data, Link (Ethernet) trailer]
Let's try to encapsulate it with the information
that we need
Who we are
What access point we're talking to
Encryption?
802.11 frame format (field sizes in bytes):
frame control: 2
duration: 2
address 1: 6
address 2: 6
address 3: 6
seq control: 2
address 4: 6
payload: 0 - 2312
CRC: 4
Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
[Serves as Ethernet source address]
Address 3: MAC address of router interface to which AP is attached
[Serves as Ethernet destination address]
Address 4: MAC address of wireless relay host (ad hoc networks only)
Sequence No.: needed for ARQ (ACK required) mode.
[Figure: host H1 reaches the Internet through the AP and router R1]
802.11 (WiFi) frame:
address 1: AP MAC addr (1st dest, AP)
address 2: H1 MAC addr (source)
address 3: R1 MAC addr (2nd dest, eth)
802.3 (Ethernet) frame:
dest. address: R1 MAC addr
source address: H1 MAC addr
frame seq # (for reliable ARQ)
duration of reserved transmission time (RTS/CTS)
802.11 frame: frame control (2 bytes), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0 - 2312), CRC (4)
Frame control field (sizes in bits):
Protocol version: 2
Type: 2
Subtype: 4
To AP: 1
From AP: 1
More frag: 1
Retry: 1
Power mgt: 1
More data: 1
WEP: 1
Rsvd: 1
Type and Subtype give the frame type (RTS, CTS, ACK, data)
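A parser for the header layout above, added here as an illustration and not taken from the original slides. It assumes a data or management frame with the 24-byte header and trailing CRC shown above (control frames such as RTS/CTS are shorter), treats address 4 as present only when both To AP and From AP are set, and uses constructed MAC addresses for H1 and R1.

```python
import struct
import zlib

# Flag bits 8..15 of frame control, in the order the slide lists them.
FLAGS = ["to_ap", "from_ap", "more_frag", "retry",
         "power_mgt", "more_data", "wep", "rsvd"]
TYPES = {0: "management", 1: "control", 2: "data"}


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211(frame: bytes) -> dict:
    """Parse a data/management frame: 24-byte header, body, 4-byte CRC."""
    if len(frame) < 28:
        raise ValueError("frame shorter than header + CRC")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    (crc,) = struct.unpack_from("<I", frame, len(frame) - 4)
    flags = {name: bool((fc >> (8 + i)) & 1) for i, name in enumerate(FLAGS)}
    hdr = {
        "version": fc & 0x3,
        "type": TYPES.get((fc >> 2) & 0x3, "reserved"),
        "subtype": (fc >> 4) & 0xF,
        "flags": flags,
        "duration": duration,
        "addr1": mac(frame[4:10]),    # receiver
        "addr2": mac(frame[10:16]),   # transmitter
        "addr3": mac(frame[16:22]),   # router interface behind the AP
        "sequence": seq_ctl >> 4,     # upper 12 bits; low 4 are fragment no.
        "crc_ok": crc == zlib.crc32(frame[:-4]),
    }
    body_start = 24
    if flags["to_ap"] and flags["from_ap"]:   # address 4 only present here
        hdr["addr4"] = mac(frame[24:30])
        body_start = 30
    hdr["body"] = frame[body_start:-4]
    return hdr


def build_sample() -> bytes:
    """Constructed frame: H1 -> AP, data type, To AP and WEP bits set."""
    fc = (2 << 2) | (1 << 8) | (1 << 14)
    head = struct.pack("<HH", fc, 44)
    head += bytes.fromhex("00deadbeef00" "020000000001" "0200000000fe")
    head += struct.pack("<H", 291 << 4)
    frame = head + b"constructed-payload"
    return frame + struct.pack("<I", zlib.crc32(frame))
```

Nothing in the header is authenticated: every field parsed here, including both MAC addresses, is whatever the sender chose to write.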
How would you attack this protocol?
We can hinder communication (Denial-of-Service)
We can hijack and modify connections
We can pretend to be whoever we want (spoofing)
...
Effectively no security measures have been taken
What can we do?
First, let's optionally authenticate users
Second, let's at least try to encrypt every packet
How do we do that?
Unless we want an open network, we're going to
have to share a key
Later, we should have key management!
How would you implement this?
At the time WEP was defined, export restrictions
limited cryptography, so 64-bit RC4 was used
Extensions later for 128-bit WEP
What about authentication with shared key?
First idea:
Client sends authentication request with key
Access point responds with ACCEPT if key correct
Second idea:
Client sends num and hash(num | key)
Access point also computes hash, ACCEPTS if
it likes the outcome
Third idea:
Client sends intention to authenticate
Access point sends back a random number (nonce) x
Client computes hash(x | key), sends to access point
Access point sends ACCEPT if matches local hash(x | key)
This is used in WEP
Called 4-step challenge-response handshake
Avoids disclosing the (static) key
Prevents replay attack (“pass-the-hash”)
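The second and third ideas side by side, as an added example that is not part of the original slides: it shows why a client-chosen number can be replayed while an AP-chosen nonce cannot. SHA-256 stands in for the slide's unspecified hash, and the key, class and function names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-shared-key"   # constructed sample key


def digest(value: bytes, key: bytes) -> bytes:
    """hash(value | key) from the slide; SHA-256 is an assumed stand-in."""
    return hashlib.sha256(value + key).digest()


class AccessPoint:
    def __init__(self, key: bytes):
        self.key = key
        self.pending = None            # nonce of the handshake in progress

    def verify_second_idea(self, num: bytes, proof: bytes) -> bool:
        # The client chose num, so the AP cannot tell a fresh pair from an old one.
        return hmac.compare_digest(proof, digest(num, self.key))

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)   # fresh random nonce x
        return self.pending

    def verify_third_idea(self, proof: bytes) -> bool:
        x, self.pending = self.pending, None     # each nonce is single-use
        return x is not None and hmac.compare_digest(proof, digest(x, self.key))


def replay_demo() -> dict:
    ap = AccessPoint(KEY)
    # Second idea: an eavesdropper records the client's (num, proof) pair.
    recorded = (b"12345", digest(b"12345", KEY))
    second = (ap.verify_second_idea(*recorded),     # legitimate login
              ap.verify_second_idea(*recorded))     # replay without the key
    # Third idea: the recorded proof is tied to the nonce of that one exchange.
    old_proof = digest(ap.challenge(), KEY)
    legit = ap.verify_third_idea(old_proof)
    ap.challenge()                                  # new handshake, new nonce
    replay = ap.verify_third_idea(old_proof)
    return {"second_idea": second, "third_idea": (legit, replay)}
```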
Basic idea behind WEP encryption
RC4: Streaming cipher algorithm
Why Initialization Vector (IV)?
Prevents reuse of keys
Also need a checksum to avoid malicious bit flips
CRC
ICV = Integrity Check Value checksum
IV = Initialization vector
WEP encryption of an 802.11 frame (Header, Payload):
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits
IV selected – 24-bits, prepended to keynumber
IV+key used to encrypt payload+ICV
IV+keynumber prepended to encrypted payload+ICV
[Figure: keynumber selects one of four 40-bit keys (Key 1 to Key 4); the 24-bit IV and the key form the 64-bit RC4 input that encrypts Payload + ICV; the resulting WEP frame is Header, IV (24 bits), keynumber (8 bits), Payload, ICV]
WEP decryption:
Keynumber is used to select key
IV+key used to decrypt payload+ICV
Done!
[Figure: keynumber selects one of four 40-bit keys (Key 1 to Key 4); the IV and the key form the 64-bit RC4 input that decrypts Payload + ICV]
IV (Initialization vector) is 24 bits long
Recall seeds for random number generators?
Only 16 million different RC4 cipher streams per key
If an IV is ever reused, XOR between packets
equivalent to XOR of plaintext messages
C = cipher text, P = plain text:
$C_1 \oplus C_2 = (P_1 \oplus IV) \oplus (P_2 \oplus IV) = P_1 \oplus P_2$
Guess one plain text message, have another
How long until we expect a reused IV?
Remember class about DNS birthday attacks?
23 people in a room
How likely that two people share the same birthday?
For $m$ people and $n$ days, the probability is roughly $1 - e^{-m^2/(2n)}$
Answer: 50.7%!
Here, n = 16M, so:
50% chance of collision after only 4,823 packets!
99% chance of collision after 12,430 packets
If network is operating at 11Mbps, takes 3 seconds
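The WEP steps and the IV-reuse argument above, carried through in code as an added example that is not part of the original slides. The keys, IV and plaintexts are constructed; `collision_probability` evaluates the birthday approximation for the 24-bit IV space.

```python
import math
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_encrypt(iv: bytes, keynumber: int, keys: list, payload: bytes) -> bytes:
    icv = struct.pack("<I", zlib.crc32(payload))      # 32-bit CRC of payload
    body = rc4(iv + keys[keynumber], payload + icv)   # 24-bit IV + 40-bit key
    return iv + bytes([keynumber]) + body             # IV+keynumber in clear

def wep_decrypt(frame: bytes, keys: list) -> bytes:
    iv, keynumber = frame[:3], frame[3]
    plain = rc4(iv + keys[keynumber], frame[4:])
    payload, icv = plain[:-4], plain[-4:]
    if icv != struct.pack("<I", zlib.crc32(payload)):
        raise ValueError("ICV mismatch")
    return payload

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def collision_probability(m: int, n: int = 2 ** 24) -> float:
    return 1 - math.exp(-m * m / (2 * n))             # 1 - e^{-m^2/(2n)}

KEYS = [bytes([k]) * 5 for k in (0x11, 0x22, 0x33, 0x44)]  # constructed keys
P1 = b"KNOWN-PLAINTEXT-0001"                               # constructed
P2 = b"secret: pin is 4921!"                               # constructed

def recover_from_iv_reuse(iv: bytes = b"\x00\x00\x01") -> bytes:
    c1 = wep_encrypt(iv, 0, KEYS, P1)[4:]
    c2 = wep_encrypt(iv, 0, KEYS, P2)[4:]
    return xor(xor(c1, c2), P1)       # keystream cancels; knowing P1 gives P2
```

The recovery step never touches the key: two frames under the same IV and one known plaintext are enough, which is why the small IV space matters more than the key length.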
Start listening in on traffic, gradually obtaining all
16M IVs to be fully authenticated
More worrying: Fluhrer, Martin, Shamir attack
Passive attack against RC4 in WEP to recover RC4 key
one letter at a time! Implemented in aircrack-ng
Can inject data to network to speed up attack
Online demo of a WEP crack using airsnort
https://www.youtube.com/watch?v=_G4kOaJqMOE
Remember: Do NOT use any hacking software
without express permission from the owner of the
network you are attacking.
It was quickly realized that WEP offered lax security.
WEP was decommissioned in 2004
Teams from Wi-Fi Alliance set up to think of two
solutions for Protected Access (WPA)
Backward compatible: WPA-TKIP
Stopgap solution for WEP that could be flashed as firmware
onto existing infrastructure
(i) Uses a key mixing function between IV and key
(ii) Adds message integrity checks (MIC) instead of ICV of
CRC32 (cryptographically insecure)
Attack (2008): Inject 7 packets to a wireless client
Forward thinking: WPA2
Implemented more elaborate 4-way handshake and
group key handshake
Supports TKIP, CCMP, etc.
WPA2 Personal: Pre-shared key between people
WPA2 Enterprise: Connect to a RADIUS server
▪ Tedious to set up. Also means that if your WiFi credentials are
compromised, your whole account will be too.
2012: Flaw in WPS – the device configuration tool for
routers that uses a PIN for fast access.
▪ Even when disabled, obtains shared key in about 7 hours
Key sharing still vulnerable to handshake capture
WEP, WPA-TKIP, WPA2-PSK – PSK = Pre-Shared Key
Cracking the hashes depends on password strength and
can take a long time
Rainbow tables accelerate the process (coWPAtty)
http://www.renderlab.net/projects/WPA-tables/
Does take long(er) to crack
WPA2 Enterprise / WPA-802.1x
Mostly used in corporate or larger wifi environments
A Radius server acts as an authentication server
Uses EAP or “Extensible Authentication Protocol”
which handles the actual authentication
Very few setups use EAP-TLS
▪ Considered most secure variant of EAP
Most setups use EAP-PEAP or something less secure
[Figure labels: Probe Requests; Probe Response (SSID: SuperSecure, ENC: WPA2-Enterprise); Deauth attack; 4 way handshake; authentication: User name, Password (MSCHAPv2)]
Many devices send authenticating information
without doing any verification of certificates.
Some people even set up their devices in this way.
Several phone manufacturers
Even Linux distributions
Need to be in range of the device to capture the
encrypted password
The default setting for most devices is, however,
to ask the user to accept the modified certificate
Built on
Evil access point/hotspot idea
The fact most devices connect to multiple networks
The idea
We know NICs continually scan and send probe requests
What if we send broadcast requests for a million SSIDs?
If a device has connected before, will I get a response?
Widespread risk
Applies to those that use traditional Wi-Fi networks
Also applies to singular devices and non AP networks
[Figure labels: Broadcast SSIDs: Hot Spot, Guests, Free WiFi, xfinitywifi, etc. (OPN, WEP, WPAPSK); Association request for SSID: gestir]
Confidentiality:
Record authentication handshakes (WEP, WPA, WPA2)
Record and log traffic remotely (leaks)
Lure people to fake access points
Integrity:
Record packets, then replay, modify and inject them
Availability:
Easy to jam frequencies. Turn on the microwave oven...
Accountability:
Attacker can remain fully anonymous
Attacker can spoof and frame others
You could just as easily define a wireless network
as a single device or two devices together (ad-hoc)?
Is anyone out there?
Is gestir there?
Is Hotspot there?
Please talk to me
Oh yes I’m here
Let's create a WLAN
together
And on topic
Operates using Radio Frequency(RF) technology
IEEE 802.11 is a set of standards for the
implementation of wireless LAN networks
Otherwise known as WiFi.
Operates on the 2.4 GHz and 5 GHz frequency bands
Supports up to 13 channels
Various encryption methods implemented
Various types of Frames to conduct business
Frames
Beacon frame
▪ An Access Point sends this frame to declare its relevant
information, such as SSID, timestamp and other information
▪ Wireless stations (NICs) listen to this continually and pick which
one might be the best to associate with
Probe request frame
▪ A station sends a frame indicating it wants to find what APs are
within range, or whether a specific SSID is in range (beacon frame
before)
Probe response frame
▪ Capability information, data rates,
http://grouper.ieee.org/groups/802/11/
Frames
Association request Frame
▪ A station sends an Association request which an AP can
respond to
Association response frame
▪ AP rejects or accepts the association request
Authentication Frame
▪ A station sends an Authentication frame which the AP either
accepts or rejects
Deauthentication Frame
▪ Tell a station to deauthenticate from an AP
Data Frame
▪ All the data! TCP/IP headers/packets, etc.
http://www.willhackforsushi.com/papers/80211_Pocket_Reference_Guide.pdf
Basic security features of most wireless networks
Hidden SSID
MAC address filtering
Encryption and user authentication
WEP
WPA2-PSK
WPA2-Enterprise with radius server for authentication
All can be broken or bypassed
Absolutely not in every instance obviously but often true
Wifi is pretty much everywhere
Mobile devices, laptops, etc
Most homes and companies have wifi
We know various types of
authentication/encryption schemes are used
Open, WEP, WPA/2-PSK, WPA2-Enterprise (EAP,TLS)
We also know wireless networks exist in the
absence of APs!
We take our devices everywhere and they broadcast.....
People connect their devices to various networks....
WEP is insecure
Sure, almost everyone knows that
Why do we have a slide about it?
▪ Because WEP is still very common
Who here uses WEP?
Are you really really absolutely sure?
Most larger companies and institutions don’t use
WEP and neither do most tech-savvy people
But grandparents and parents do!
Who here has connected his pc/device to a WEP
network?
Did you connect your phone to your father-in-law's
WEP network?
Don’t you think your pc/device remembers this?
WPA/2-PSK
Much more secure than WEP
Prevents a number of attacks (e.g. Replay attacks) with message integrity
and “per packet key”.
It's very easy to acquire a WPA handshake which can be cracked
▪ Quite slowly mind you
Plenty of attacks available
The standard today (WPA2-PSK) uses AES 256 bit encryption but stopgap
software solution is still widely supported, 128 bit TKIP encryption
A lot of WPA2 networks use either very weak or known keys
Rainbow tables exist for multiple known SSIDs which can be used with tools
like cowpatty to conduct cracking very quickly
▪ Can anyone tell me why?
▪ Rainbow tables have already done all the computational hard work and the only thing
required is memory to process the tables against the handshake
▪ See http://www.renderlab.net/projects/WPA-tables/
▪ Still only works against dumb passwords so a long non-dictionary key takes forever
to break
Who here has ever connected his/her device to a known WPA2-PSK network?
What if we know that key as well, the BSSID, etc?
A lot of devices send the authentication information
without doing any verification of certificates!
Some people even set up their devices in this way.
Lots of phone manufacturers
Even Linux distros!
In those cases you only need to be in range of the
device to capture the encrypted password!
The default setting for most devices is however to ask
the user to accept the modified certificate
Built on
Evil access point/hotspot idea
The fact most devices connect to multiple networks
The idea
We know NICs continually scan and send probe requests
What if (Evil guys) send broadcast requests for a million SSIDs?
If a device has connected before will I get a response?
Widespread risk
Applies to those that use traditional Wifi networks
Also applies to singular devices and non AP
networks
Huge potential
Known examples are Intel wireless drivers containing
exploitable overflows in how they handle broadcast
responses
Automating the process of discovering non-broadcast SSIDs as well as automatically
trying to break them.
Lots of wireless interfaces == lots of different
drivers loaded!
Huge potential to do fingerprinting?
Alfa AWUS USB
Support up to 2 watts of transmit power
External antenna connection
Supports monitoring mode
Supported by Kali/Backtrack
Antennas
Omni directional – High gain
Directional
Long range – over 10km have been recorded
Use good equipment. It actually matters.
Don't use poor EAP authentication for WPA2-ent
Only use full client/server certificates
Put your mobile devices on a limited network
Don't give them access to internal resources without
heavy restrictions.
Against APOD style attacks?
1) You are at my mercy!