Advanced 802.11 Attack

Advanced 802.11 Attack Mike Lynn & Robert Baird Black Hat 2002, Las Vegas NV

What Is NOT Covered • Wired Equiv. Privacy (WEP) vulnerabilities • WEP Key cracking techniques • Radio signal amplification • Suggested changes to the IEEE 802.11b specification • Wireless network discovery tools Black Hat 2002, Las Vegas NV

What Will Be Covered • Wireless network best practices • Practical attacks • The focus of the attack(s) • The network layers • The bottom 2 layers • Custom (forged) 802.11b management frames • The Tool Box • Drivers • Utilities • Proof of concept code Black Hat 2002, Las Vegas NV

What Will Be Covered • Attack Scenarios • Denial of service • Masked ESSID detection • 802.11b layer MITM attack • Inadequate VPN implementations • Mitigation Strategies Black Hat 2002, Las Vegas NV

Wireless Best Practices • Enable WEP - Wired equivalent privacy • Key rotation when equipment supports it • Disable broadcast of ESSID • Block null ESSID connection • Restrict access by MAC address • Use VPN technology • Use strong mutual authentication Black Hat 2002, Las Vegas NV

Practical Attacks • WEP – Can be cracked passively • Masked ESSID – Can be passively observed in management frames during association • Block null ESSID connects – Same problem • Install VPN – Weakly authenticated VPN is susceptible to active attack (MITM) • Strong mutual authentication - ? Black Hat 2002, Las Vegas NV

The Network Layers Black Hat 2002, Las Vegas NV

The Bottom Layers • Manipulating the bottom 2 layers of the OSI • Data Link (Layer 2) • Media Access Control (MAC) – Access to medium • Logical Link Control (LLC) – Frame sync, flow control • Physical (Layer 1) • Radio bit stream • Divided into channels Black Hat 2002, Las Vegas NV

The Bottom Layers Black Hat 2002, Las Vegas NV

Management Frames • Management frames can control link characteristics and physical medium properties • 802.11b management frames are NOT authenticated • Why is this bad? Black Hat 2002, Las Vegas NV

The Tool Box • Custom Drivers • Air-Jack • Custom driver for PrismII (HFA384x) cards • MAC address setting/spoofing • Send custom (forged) management frames • AP forgery/fake AP • Lucent/Orinoco • Linux driver modified to allow MAC address setting/spoofing from the command line • Utilities • User space programs – wlan-jack, essid-jack, monkey-jack, kracker-jack Black Hat 2002, Las Vegas NV

Air-Jack Driver • Allows control of wireless card modes • Modes 0 and 1 standard documented modes • BSS (infrastructure) (1) or IBSS (0) (Ad-hoc) • Pseudo-IBSS (3) mode • Control channel selection • Firmware handles timing sensitive functions • Mode 5 - undocumented • Channel selection • Firmware handles time sensitive functions • No beacons sent • Very little firmware intervention Black Hat 2002, Las Vegas NV

Air-Jack Driver • Mode 6 – Host Access Point mode • Sends Beacons (firmware control) • Responds to Probe request • Handles time sensitive functions • Can enable PrismII monitor mode • Uses Linux PF_PACKET interface for RX and TX of raw frames Black Hat 2002, Las Vegas NV

Air-Jack Driver void send_deauth (__u8 *dst, __u8 *bssid) { struct { struct a3_80211 hdr; __u16 reason; }frame; memset(&frame, 0, sizeof(frame)); frame.hdr.mh_type = FC_TYPE_MGT; frame.hdr.mh_subtype = MGT_DEAUTH; memcpy(&(frame.hdr.mh_mac1), dst, 6); memcpy(&(frame.hdr.mh_mac2), bssid, 6); memcpy(&(frame.hdr.mh_mac3), bssid, 6); frame.reason = 1; send(socket, &frame, sizeof(frame), 0); } Black Hat 2002, Las Vegas NV

Attack Scenarios – WLAN-Jack • Denial of Service – De-authentication • Use MAC address of Access Point • Send deauthenticate frames • Send continuously • Send to broadcast address or specific MAC • Users are unable to reassociate with AP • Air-Jack + WLAN-Jack Black Hat 2002, Las Vegas NV

Attack Scenarios – WLAN-Jack Black Hat 2002, Las Vegas NV

Attack Scenarios – WLAN-Jack Airopeek Trace Black Hat 2002, Las Vegas NV

Attack Scenarios – WLAN-Jack • Airopeek Trace Black Hat 2002, Las Vegas NV

Attack Scenarios – WLAN-Jack • Decode of Deauthentication Frame Black Hat 2002, Las Vegas NV

Attack Scenarios – WLAN-Jack This is your connection Black Hat 2002, Las Vegas NV

Attack Scenarios – WLAN-Jack This is your connection on WLAN-Jack. Black Hat 2002, Las Vegas NV

Attack Scenarios – ESSID-Jack • Is the ESSID a shared secret? • If I mask the ESSID from the AP beacons then unauthorized users will not be able to associate with my AP? • Discover Masked ESSID • Send a deauthenticate frame to the broadcast address. • Obtain ESSID contained in client probe request or AP probe response. Black Hat 2002, Las Vegas NV

Attack Scenarios – ESSID-Jack Black Hat 2002, Las Vegas NV

Attack Scenarios - ESSID-Jack • Airopeek Trace Black Hat 2002, Las Vegas NV

Attack Scenarios – ESSID-Jack • Airopeek Trace Black Hat 2002, Las Vegas NV

Attack Scenarios – Monkey-Jack • MITM Attack • Taking over connections at layer 1 and 2 • Insert attack machine between victim and access point • Management frames • Deauthenticate victim from real AP • Send deauthenticate frames to the victim using the access point’s MAC address as the source Black Hat 2002, Las Vegas NV

Attack Scenarios – Monkey-Jack • Victim’s 802.11 card scans channels to search for new AP • Victim’s 802.11 card associates with fake AP on the attack machine • Fake AP is on a different channel than the real one • Attack machine’s fake AP is duplicating MAC address and ESSID of real AP Black Hat 2002, Las Vegas NV

Attack Scenarios – Monkey-Jack • Attack machine associates with real AP • Attack machine duplicates MAC address of the victim’s machine. • Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper level protocols Black Hat 2002, Las Vegas NV

Attack Scenarios – Monkey-Jack • Before Monkey-Jack Black Hat 2002, Las Vegas NV

Attack Scenarios Monkey-Jack • After Monkey-Jack Black Hat 2002, Las Vegas NV

Attack Scenarios - Monkey-Jack Black Hat 2002, Las Vegas NV

Attack Scenarios – Kracker-Jack • Dangers of wireless MITM • Wireless networks are more vulnerable to MITM attacks than wired networks. • Many security solutions are implemented with an assumption of a secure layer 1 and 2 • Many VPN solutions are implemented with inadequate authentication for protection against wireless MITM attacks. Black Hat 2002, Las Vegas NV

Attack Scenarios – Kracker-Jack • WAVEsec • An open source software solution for securing wireless networks • Uses FreeS/WAN IPSEC implementation • Will thwart passive eavesdropping of wireless network communications. • Implementation options • X.509 Certificates • Secure DNS Black Hat 2002, Las Vegas NV

Attack Scenarios – Kracker-Jack • Authenticating with WAVEsec gateway • Client sends modified DHCP request with client’s public key • WAVEsec gateway inserts client’s public key into DNS record • Client obtains WAVEsec gateway’s public key by requesting it from the DNS server • IPSEC tunnel setup Black Hat 2002, Las Vegas NV

Attack Scenarios – Kracker-Jack • Using Kracker-Jack • KJ inserts to 802.11 layer (like monkey-jack) • KJ, using a DNS request, gets victims public key from DNS server • KJ, using the victims MAC address sends DHCP request with its own key to replace the victim’s key in the DNS server Black Hat 2002, Las Vegas NV

Attack Scenarios – Kracker-Jack • KJ initiates ISAKMP main mode SA with the WAVEsec server • KJ initiates ISAKMP main mode SA with victim • Victim gets new server key by DNS request serviced by KJ • Two separate IPSEC tunnels are now setup • All traffic passes through KJ unencrypted Black Hat 2002, Las Vegas NV

Attack Scenarios – Kracker-Jack Black Hat 2002, Las Vegas NV

Attack Scenarios – Kracker-Jack • IKE – ISAKMP/Oakley • Phase 1 • Messages 1 and 2 – negotiate characteristics of security association; no authentication • Messages 3 and 4 – exchange random values (nonce) and execute Diffie-Hellman exchange to establish a master key (SKEYID); no authentication • Messages 5 and 6 – exchange information for mutually authenticating the parties; identity payload, signature payload, and OPTIONAL certificate payload Black Hat 2002, Las Vegas NV

Attack Scenarios – Kracker-Jack • IKE – ISAKMP/Oakley • Phase 2 – Oakley Quick Mode • Define Security Associations • Define keys used to protect IP datagrams Black Hat 2002, Las Vegas NV

Attack Scenarios • Shared key authentication attack • Observe plain text challenge • Observe cipher text response • XOR plain text with cipher text to get key stream • XOR IP packet with key stream re-using IV • Broadcast ping Black Hat 2002, Las Vegas NV

Mitigation Strategies • Big guy with a stick • Wireless IDS and Monitoring • AirDefense http://www.airdefense.net • VPN + Strong mutual authentication • RF Signal shaping – Avoiding signal leaks • Antennas with directional radiation pattern • Lower Access Point power Black Hat 2002, Las Vegas NV

Summary • Wireless networks are more susceptible to active attacks than wired networks • Enable all built-in security capabilities • Use VPN with strong mutual authentication • Monitor wireless network medium (air space) for suspicious activity • Updates – Black Hat web site or • http://802.11ninja.net Black Hat 2002, Las Vegas NV

Advanced 802.11 Attack Robert Baird & Mike Lynn Black Hat 2002, Las Vegas NV

Advanced 802.11 Attack

Advanced 802.11 Attack

Presentation Transcript

Advanced 802.11 Attack

Attack

IEEE 802.11

Advanced Flooding Attack on a SIP Server

Attack

Advanced Attack Groups (Objectives, Tactics, Countermeasures ) February 27 , 2013

802.11 Attack Demo

Attack

Attack Attack !

ATTACK

Advanced Web Hack: Padding Oracle Attack

802.11 security

Side-Channel Attack: timing attack

Protecting IEEE 802.11 Wireless LANs against the FCS False Blocking Attack

Advanced Attack Detection and Infrastructure Protection

Beacon Frame Spoofing Attack Detection in IEEE 802.11 Networks

attack