Advanced 802.11 Attack - PowerPoint PPT Presentation



Advanced 802.11 Attack

Mike Lynn

&

Robert Baird

Black Hat 2002, Las Vegas NV


What Is NOT Covered

  • Wired Equiv. Privacy (WEP) vulnerabilities

  • WEP Key cracking techniques

  • Radio signal amplification

  • Suggested changes to the IEEE 802.11b specification

  • Wireless network discovery tools



What Will Be Covered

  • Wireless network best practices

  • Practical attacks

  • The focus of the attack(s)

    • The network layers

    • The bottom 2 layers

    • Custom (forged) 802.11b management frames

  • The Tool Box

    • Drivers

    • Utilities

    • Proof of concept code



What Will Be Covered

  • Attack Scenarios

    • Denial of service

    • Masked ESSID detection

    • 802.11b layer MITM attack

    • Inadequate VPN implementations

  • Mitigation Strategies



Wireless Best Practices

  • Enable WEP - Wired equivalent privacy

    • Key rotation when equipment supports it

  • Disable broadcast of ESSID

  • Block null ESSID connection

  • Restrict access by MAC address

  • Use VPN technology

  • Use strong mutual authentication



Practical Attacks

  • WEP – Can be cracked passively

  • Masked ESSID – Can be passively observed in management frames during association

  • Block null ESSID connects – Same problem

  • Install VPN – Weakly authenticated VPN is susceptible to active attack (MITM)

  • Strong mutual authentication - ?



The Network Layers



The Bottom Layers

  • Manipulating the bottom 2 layers of the OSI model

    • Data Link (Layer 2)

      • Media Access Control (MAC) – Access to medium

      • Logical Link Control (LLC) – Frame sync, flow control

    • Physical (Layer 1)

      • Radio bit stream

      • Divided into channels




Management Frames

  • Management frames can control link characteristics and physical medium properties

  • 802.11b management frames are NOT authenticated

    • Why is this bad?



The Tool Box

  • Custom Drivers

    • Air-Jack

      • Custom driver for PrismII (HFA384x) cards

      • MAC address setting/spoofing

      • Send custom (forged) management frames

      • AP forgery/fake AP

    • Lucent/Orinoco

      • Linux driver modified to allow MAC address setting/spoofing from the command line

  • Utilities

    • User space programs – wlan-jack, essid-jack, monkey-jack, kracker-jack



Air-Jack Driver

  • Allows control of wireless card modes

    • Modes 0 and 1 – standard documented modes

      • IBSS / Ad-hoc (0) or BSS / infrastructure (1)

    • Pseudo-IBSS (3) mode

      • Control channel selection

      • Firmware handles timing-sensitive functions

    • Mode 5 – undocumented

      • Channel selection

      • Firmware handles time-sensitive functions

      • No beacons sent

      • Very little firmware intervention


Air-Jack Driver

  • Mode 6 – Host Access Point mode

    • Sends beacons (firmware control)

    • Responds to probe requests

    • Handles time-sensitive functions

  • Can enable PrismII monitor mode

  • Uses Linux PF_PACKET interface for RX and TX of raw frames


Air-Jack Driver

```c
/* Air-Jack: forge and transmit one 802.11 deauthentication frame.
 * struct a3_80211 (mh_type, mh_subtype, mh_mac1..mh_mac3), FC_TYPE_MGT and
 * MGT_DEAUTH come from the Air-Jack headers (header file name assumed here).
 * sock is the PF_PACKET raw socket the driver exposes; the slide calls it
 * 'socket', which collides with the libc function of the same name. */
#include <string.h>
#include <sys/socket.h>
#include <linux/types.h>
#include "airjack.h"

extern int sock;

void send_deauth(__u8 *dst, __u8 *bssid)
{
    struct {
        struct a3_80211 hdr;   /* three-address 802.11 MAC header */
        __u16 reason;          /* deauthentication reason code */
    } frame;

    memset(&frame, 0, sizeof(frame));
    frame.hdr.mh_type    = FC_TYPE_MGT;        /* management frame */
    frame.hdr.mh_subtype = MGT_DEAUTH;         /* subtype: deauthentication */
    memcpy(&(frame.hdr.mh_mac1), dst,   6);    /* addr1: destination station or broadcast */
    memcpy(&(frame.hdr.mh_mac2), bssid, 6);    /* addr2: source, the AP's own address */
    memcpy(&(frame.hdr.mh_mac3), bssid, 6);    /* addr3: BSSID */
    frame.reason = 1;                          /* reason code 1: unspecified */
    send(sock, &frame, sizeof(frame), 0);      /* raw TX through PF_PACKET */
}
```


Attack Scenarios – WLAN-Jack

  • Denial of Service – De-authentication

    • Use MAC address of Access Point

    • Send deauthenticate frames

      • Send continuously

      • Send to broadcast address or specific MAC

    • Users are unable to reassociate with AP

  • Air-Jack + WLAN-Jack


Attack Scenarios – WLAN-Jack

  • Airopeek Trace

  • Decode of Deauthentication Frame

  • This is your connection

  • This is your connection on WLAN-Jack.


Attack Scenarios – ESSID-Jack

  • Is the ESSID a shared secret?

  • If I mask the ESSID in the AP beacons, will unauthorized users be unable to associate with my AP?

  • Discover Masked ESSID

    • Send a deauthenticate frame to the broadcast address.

    • Obtain ESSID contained in client probe request or AP probe response.


Attack Scenarios – ESSID-Jack

  • Airopeek Trace


Attack Scenarios – Monkey-Jack

  • MITM Attack

    • Taking over connections at layer 1 and 2

    • Insert attack machine between victim and access point

  • Management frames

    • Deauthenticate victim from real AP

      • Send deauthenticate frames to the victim using the access point’s MAC address as the source


Attack Scenarios – Monkey-Jack

  • Victim’s 802.11 card scans channels to search for new AP

  • Victim’s 802.11 card associates with fake AP on the attack machine

    • Fake AP is on a different channel than the real one

    • Attack machine’s fake AP is duplicating MAC address and ESSID of real AP


Attack Scenarios – Monkey-Jack

  • Attack machine associates with real AP

    • Attack machine duplicates MAC address of the victim’s machine.

  • Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper level protocols


Attack Scenarios – Monkey-Jack

  • Before Monkey-Jack

  • After Monkey-Jack


Attack Scenarios – Kracker-Jack

  • Dangers of wireless MITM

    • Wireless networks are more vulnerable to MITM attacks than wired networks.

    • Many security solutions are implemented with an assumption of a secure layer 1 and 2

    • Many VPN solutions are implemented with inadequate authentication for protection against wireless MITM attacks.


Attack Scenarios – Kracker-Jack

  • WAVEsec

    • An open source software solution for securing wireless networks

    • Uses FreeS/WAN IPSEC implementation

    • Will thwart passive eavesdropping of wireless network communications.

    • Implementation options

      • X.509 Certificates

      • Secure DNS


Attack Scenarios – Kracker-Jack

  • Authenticating with WAVEsec gateway

    • Client sends modified DHCP request with client’s public key

    • WAVEsec gateway inserts client’s public key into DNS record

    • Client obtains WAVEsec gateway’s public key by requesting it from the DNS server

    • IPSEC tunnel setup


Attack Scenarios – Kracker-Jack

  • Using Kracker-Jack

    • KJ inserts itself at the 802.11 layer (like Monkey-Jack)

    • KJ, using a DNS request, gets the victim’s public key from the DNS server

    • KJ, using the victim’s MAC address, sends a DHCP request with its own key to replace the victim’s key in the DNS server


Attack Scenarios – Kracker-Jack

  • KJ initiates ISAKMP main mode SA with the WAVEsec server

  • KJ initiates ISAKMP main mode SA with victim

  • Victim gets new server key by DNS request serviced by KJ

  • Two separate IPSEC tunnels are now setup

  • All traffic passes through KJ unencrypted




Attack Scenarios – Kracker-Jack

  • IKE – ISAKMP/Oakley

    • Phase 1

      • Messages 1 and 2 – negotiate characteristics of security association; no authentication

      • Messages 3 and 4 – exchange random values (nonce) and execute Diffie-Hellman exchange to establish a master key (SKEYID); no authentication

      • Messages 5 and 6 – exchange information for mutually authenticating the parties; identity payload, signature payload, and OPTIONAL certificate payload


Attack Scenarios – Kracker-Jack

  • IKE – ISAKMP/Oakley

    • Phase 2 – Oakley Quick Mode

      • Define Security Associations

      • Define keys used to protect IP datagrams


Attack Scenarios

  • Shared key authentication attack

    • Observe plain text challenge

    • Observe cipher text response

    • XOR plain text with cipher text to get key stream

    • XOR IP packet with key stream re-using IV

    • Broadcast ping


Mitigation Strategies

  • Big guy with a stick

  • Wireless IDS and Monitoring

    • AirDefense http://www.airdefense.net

  • VPN + Strong mutual authentication

  • RF Signal shaping – Avoiding signal leaks

    • Antennas with directional radiation pattern

    • Lower Access Point power
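The unauthenticated management frames described on the Management Frames slide and the WLAN-Jack deauthentication flood are exactly what the "monitor the air space" mitigation has to catch. The following is an added example, not code from the slides or the Air-Jack tools: it parses raw management frames using the same three-address header layout the send_deauth() routine fills in and flags any source address emitting deauth frames at flood volume. The frame bytes, threshold and helper names are constructed here for the example.

```python
"""Deauthentication-flood detector over raw 802.11 management frames.

Added example, not from the Black Hat 2002 slides or the Air-Jack tools.
Header layout matches the talk's send_deauth(): mh_mac1 = destination,
mh_mac2 = source, mh_mac3 = BSSID. Every frame is built in memory; nothing
touches a radio. Threshold and helper names are this example's own.
"""
import struct
from collections import defaultdict

FC_TYPE_MGT = 0          # frame-control type field: management
MGT_DEAUTH = 0xC         # management subtype: deauthentication
BROADCAST = "ff:ff:ff:ff:ff:ff"

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgt(frame: bytes):
    """Return (subtype, dst, src, bssid, reason) for a management frame, else None."""
    if len(frame) < 24:                     # 24-byte MAC header required
        return None
    fc = frame[0]                           # first frame-control octet
    if (fc >> 2) & 0x3 != FC_TYPE_MGT:
        return None                         # control or data frame: ignore
    subtype = (fc >> 4) & 0xF
    dst, src, bssid = _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])
    reason = None
    if subtype == MGT_DEAUTH and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]   # 2-byte reason code
    return subtype, dst, src, bssid, reason

def deauth_flood_sources(frames, threshold=5):
    """Map each source MAC to its deauth count once that count reaches threshold.

    One deauth from an AP is normal; a stream of them from one address, especially
    to the broadcast address, is the WLAN-Jack denial-of-service signature.
    """
    counts = defaultdict(int)
    for f in frames:
        parsed = parse_mgt(f)
        if parsed and parsed[0] == MGT_DEAUTH:
            counts[parsed[2]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

def sample_frame(subtype, dst, src, bssid, reason=None) -> bytes:
    """Constructed test frame: frame control, duration, addr1-3, seq, optional reason."""
    hdr = struct.pack("<BBH", (subtype << 4) | (FC_TYPE_MGT << 2), 0, 0)
    hdr += bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    hdr += bytes.fromhex(bssid.replace(":", "")) + struct.pack("<H", 0)
    return hdr + (struct.pack("<H", reason) if reason is not None else b"")
```

Feed the detector frames captured in monitor mode (the Air-Jack driver slide notes PrismII cards support it) and tune the threshold per capture window; a flood sourced from the AP's own address is the signal, since the attacker has spoofed it.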


Summary

  • Wireless networks are more susceptible to active attacks than wired networks

  • Enable all built-in security capabilities

  • Use VPN with strong mutual authentication

  • Monitor wireless network medium (air space) for suspicious activity

  • Updates – Black Hat web site or

    • http://802.11ninja.net


Advanced 802.11 Attack

Robert Baird

&

Mike Lynn