bh-us-02-lynn-802.11attack.ppt - black hat
TRANSCRIPT
7/31/2002 Black Hat 2002, Las Vegas NV
Advanced 802.11 Attack
Mike Lynn & Robert Baird
What Is NOT Covered
- Wired Equivalent Privacy (WEP) vulnerabilities
- WEP key cracking techniques
- Radio signal amplification
- Suggested changes to the IEEE 802.11b specification
- Wireless network discovery tools
What Will Be Covered
- Wireless network best practices
- Practical attacks
- The focus of the attack(s)
  - The network layers
  - The bottom 2 layers
  - Custom (forged) 802.11b management frames
- The Tool Box
  - Drivers
  - Utilities
  - Proof of concept code
What Will Be Covered
- Attack scenarios
  - Denial of service
  - Masked ESSID detection
  - 802.11b layer MITM attack
  - Inadequate VPN implementations
- Mitigation strategies
Wireless Best Practices
- Enable WEP (Wired Equivalent Privacy)
  - Key rotation when equipment supports it
- Disable broadcast of ESSID
- Block null ESSID connection
- Restrict access by MAC address
- Use VPN technology
- Use strong mutual authentication
Practical Attacks
- WEP – can be cracked passively
- Masked ESSID – can be passively observed in management frames during association
- Block null ESSID connects – same problem
- Install VPN – a weakly authenticated VPN is susceptible to active attack (MITM)
- Strong mutual authentication – ?
The Network Layers
The Bottom Layers
Manipulating the bottom 2 layers of the OSI model
- Data Link (Layer 2)
  - Media Access Control (MAC) – access to the medium
  - Logical Link Control (LLC) – frame sync, flow control
- Physical (Layer 1)
  - Radio bit stream
  - Divided into channels
The Bottom Layers
Management Frames
- Management frames can control link characteristics and physical medium properties
- 802.11b management frames are NOT authenticated
- Why is this bad?
The Tool Box
- Custom drivers
  - Air-Jack
    - Custom driver for PrismII (HFA384x) cards
    - MAC address setting/spoofing
    - Send custom (forged) management frames
    - AP forgery/fake AP
  - Lucent/Orinoco Linux driver modified to allow MAC address setting/spoofing from the command line
- Utilities
  - User space programs – wlan-jack, essid-jack, monkey-jack, kracker-jack
Air-Jack Driver
- Allows control of wireless card modes
- Modes 0 and 1 – standard documented modes
  - BSS (infrastructure) (1) or IBSS (0) (ad-hoc)
- Pseudo-IBSS (3) mode
  - Control channel selection
  - Firmware handles timing-sensitive functions
- Mode 5 – undocumented
  - Channel selection
  - Firmware handles time-sensitive functions
  - No beacons sent
  - Very little firmware intervention
Air-Jack Driver
- Mode 6 – Host Access Point mode
  - Sends beacons (firmware control)
  - Responds to probe requests
  - Handles time-sensitive functions
- Can enable PrismII monitor mode
- Uses Linux PF_PACKET interface for RX and TX of raw frames
Air-Jack Driver

    /* Air-Jack proof of concept: build one deauthentication frame and push it out
       through the driver's raw PF_PACKET socket. struct a3_80211, FC_TYPE_MGT and
       MGT_DEAUTH come from the Air-Jack headers; __u8/__u16 from <linux/types.h>;
       memset/memcpy need <string.h> and send() needs <sys/socket.h>. */
    void send_deauth(__u8 *dst, __u8 *bssid)
    {
        struct {
            struct a3_80211 hdr;    /* three-address 802.11 MAC header */
            __u16 reason;           /* deauthentication reason code */
        } frame;

        memset(&frame, 0, sizeof(frame));
        frame.hdr.mh_type = FC_TYPE_MGT;
        frame.hdr.mh_subtype = MGT_DEAUTH;
        memcpy(&(frame.hdr.mh_mac1), dst, 6);     /* addr1: destination (client or broadcast) */
        memcpy(&(frame.hdr.mh_mac2), bssid, 6);   /* addr2: source, set to the AP's address */
        memcpy(&(frame.hdr.mh_mac3), bssid, 6);   /* addr3: BSSID */
        frame.reason = 1;                         /* reason code 1: unspecified reason */
        send(socket, &frame, sizeof(frame), 0);   /* raw frame out, no authentication anywhere */
    }
Attack Scenarios – WLAN-Jack
- Denial of service – de-authentication
  - Use MAC address of the access point
  - Send deauthenticate frames
    - Send continuously
    - Send to broadcast address or specific MAC
  - Users are unable to reassociate with the AP
- Air-Jack + WLAN-Jack
Attack Scenarios – WLAN-Jack
Attack Scenarios – WLAN-Jack
Airopeek Trace
Attack Scenarios – WLAN-Jack
Airopeek Trace
Attack Scenarios – WLAN-Jack
Decode of Deauthentication Frame
Attack Scenarios – WLAN-Jack
This is your connection
Attack Scenarios – WLAN-Jack
This is your connection on WLAN-Jack.
Attack Scenarios – ESSID-Jack
- Is the ESSID a shared secret?
- If I mask the ESSID from the AP beacons, then unauthorized users will not be able to associate with my AP?
- Discover masked ESSID
  - Send a deauthenticate frame to the broadcast address
  - Obtain the ESSID contained in the client probe request or AP probe response
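The WLAN-Jack and ESSID-Jack scenarios are what a wireless monitor has to recognize from the other side. The following is an added example, not code from the talk or from the Air-Jack tool set: a small C monitor that parses raw 802.11 management frames in the byte layout a monitor-mode capture delivers, counts deauthentication frames per BSSID inside a one-second window to flag the WLAN-Jack flood, and walks the tagged parameters of beacons and probe responses to show that an ESSID masked in the beacon still travels in clear in the probe response. The MAC addresses, the sample frames and the threshold of ten deauths per second are constructed for the example and are not from the presentation.

```c
/* Added example (not from the talk, not Air-Jack code): a passive monitor for raw
 * 802.11 management frames as monitor mode delivers them. It flags deauth floods
 * per BSSID (the WLAN-Jack scenario) and pulls the SSID element out of beacons and
 * probe responses (the ESSID-Jack scenario). Addresses and frames are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum { TYPE_MGT = 0, SUB_PROBE_RESP = 5, SUB_BEACON = 8, SUB_DEAUTH = 12, IE_SSID = 0,
       MGT_HDR_LEN = 24,     /* FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2) */
       MGT_FIXED_LEN = 12,   /* beacon/probe response: timestamp(8) interval(2) cap(2) */
       DEAUTH_THRESHOLD = 10, WINDOW_SECS = 1, MAX_BSSIDS = 16 };  /* constructed tuning */
/* DA, SA, BSSID of a management frame and its body. */
struct frame_info { uint8_t type, subtype; const uint8_t *addr1, *addr2, *addr3, *body; size_t body_len; };

/* Split off the MAC header: 0 on success, -1 if truncated or not a management frame.
 * addr2/addr3 cannot be verified: 802.11b management frames carry no authenticator. */
int parse_mgt_frame(const uint8_t *buf, size_t len, struct frame_info *fi)
{
    if (len < MGT_HDR_LEN) return -1;
    fi->type = (buf[0] >> 2) & 0x3; fi->subtype = (buf[0] >> 4) & 0xF;
    if (fi->type != TYPE_MGT) return -1;
    fi->addr1 = buf + 4; fi->addr2 = buf + 10; fi->addr3 = buf + 16;
    fi->body = buf + MGT_HDR_LEN; fi->body_len = len - MGT_HDR_LEN;
    return 0;
}
/* Walk the tagged parameters of a beacon/probe response and copy out the SSID.
 * Returns its length (0 when masked), -1 if absent, malformed or too long for out. */
int extract_ssid(const struct frame_info *fi, char *out, size_t cap)
{
    if (fi->subtype != SUB_BEACON && fi->subtype != SUB_PROBE_RESP) return -1;
    if (fi->body_len < MGT_FIXED_LEN) return -1;
    const uint8_t *p = fi->body + MGT_FIXED_LEN, *end = fi->body + fi->body_len;
    while (end - p >= 2) {
        uint8_t tag = p[0], ielen = p[1];
        if (end - (p + 2) < ielen) return -1;            /* element runs past the frame */
        if (tag == IE_SSID) {
            if (ielen >= cap) return -1;
            memcpy(out, p + 2, ielen); out[ielen] = '\0';
            return ielen;
        }
        p += 2 + ielen;
    }
    return -1;
}
/* Per-BSSID deauth counter; count == 0 marks a free slot. */
struct deauth_slot { uint8_t bssid[6]; unsigned count, window_start; };
/* Feed one parsed frame with its capture time in seconds; returns 1 once the frame's
 * BSSID exceeds DEAUTH_THRESHOLD deauths inside WINDOW_SECS, else 0. */
int deauth_flood_check(struct deauth_slot *tbl, const struct frame_info *fi, unsigned ts)
{
    if (fi->subtype != SUB_DEAUTH) return 0;
    struct deauth_slot *s = NULL, *spare = NULL;
    for (int i = 0; i < MAX_BSSIDS && !s; i++) {
        if (tbl[i].count && memcmp(tbl[i].bssid, fi->addr3, 6) == 0) s = &tbl[i];
        else if (!spare && !tbl[i].count) spare = &tbl[i];
    }
    if (!s && !(s = spare)) return 0;                    /* table full: BSSID not tracked */
    if (!s->count || ts - s->window_start >= WINDOW_SECS) {   /* new BSSID or stale window */
        memcpy(s->bssid, fi->addr3, 6); s->window_start = ts; s->count = 0;
    }
    return ++s->count > DEAUTH_THRESHOLD;
}

/* Constructed sample frames: AP/BSSID 00:11:22:33:44:55, client 02:00:00:00:00:01. */
static const uint8_t DEAUTH_BCAST[26] = {
    0xc0, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,    /* FC mgt/deauth; to broadcast */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x11, 0x22, 0x33,    /* addr2 claims to be the AP, */
    0x44, 0x55, 0x00, 0x00, 0x01, 0x00 };                          /* addr3 BSSID; seq; reason 1 */
static const uint8_t BEACON_MASKED[38] = {
    0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x11, 0x22, 0x33,
    0x44, 0x55, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x00,    /* header, from the AP */
    0, 0, 0, 0, 0, 0, 0, 0, 0x64, 0x00, 0x01, 0x00,                /* timestamp, interval, cap */
    0x00, 0x00 };                                                  /* SSID element, length 0 */
static const uint8_t PROBE_RESP[47] = {
    0x50, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x11, 0x22, 0x33,
    0x44, 0x55, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x00,    /* header, AP to client */
    0, 0, 0, 0, 0, 0, 0, 0, 0x64, 0x00, 0x01, 0x00, 0x01, 0x01, 0x82,   /* fixed; rates 1 Mbit */
    0x00, 0x06, 'h', 'i', 'd', 'd', 'e', 'n' };                    /* SSID element: "hidden" */
/* Replay `burst` copies of DEAUTH_BCAST inside one second; returns the index of the
 * frame that trips the alarm, or -1 if the burst stays under the threshold. */
int demo_deauth_flood(unsigned burst)
{
    struct deauth_slot tbl[MAX_BSSIDS]; memset(tbl, 0, sizeof tbl);
    struct frame_info fi;
    if (parse_mgt_frame(DEAUTH_BCAST, sizeof DEAUTH_BCAST, &fi) != 0) return -1;
    for (unsigned i = 0; i < burst; i++)
        if (deauth_flood_check(tbl, &fi, 0)) return (int)i;
    return -1;
}
/* Returns the SSID length recovered from the AP's probe response when its beacon
 * carried a masked (empty) SSID, -1 otherwise; both names are copied out. */
int demo_ssid_leak(char *beacon_ssid, char *probe_ssid, size_t cap)
{
    struct frame_info fi;
    int bl = parse_mgt_frame(BEACON_MASKED, sizeof BEACON_MASKED, &fi) == 0 ? extract_ssid(&fi, beacon_ssid, cap) : -1;
    int pl = parse_mgt_frame(PROBE_RESP, sizeof PROBE_RESP, &fi) == 0 ? extract_ssid(&fi, probe_ssid, cap) : -1;
    return (bl == 0 && pl > 0) ? pl : -1;
}
```

Feeding the detector from a live capture means pairing it with a monitor-mode driver (the talk mentions PrismII monitor mode) and passing each captured frame with its timestamp; the two demo functions drive it with the constructed frames instead. The BSSID keying is deliberately weak: since nothing in the frame authenticates addr2 or addr3, the monitor can only report that something claiming to be the AP is sending deauths at a rate no real AP would, which is why the rate, not the claimed source, is the signal. The SSID walk is the same reason "disable broadcast of ESSID" from the best-practice list is not a secret: the element is empty in the beacon and filled in for any client that probes.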
Attack Scenarios – ESSID-Jack
Attack Scenarios – ESSID-Jack
Airopeek Trace
Attack Scenarios – ESSID-Jack
Airopeek Trace
Attack Scenarios – Monkey-Jack
- MITM attack
  - Taking over connections at layers 1 and 2
  - Insert attack machine between victim and access point
- Management frames
  - Deauthenticate victim from the real AP
    - Send deauthenticate frames to the victim using the access point's MAC address as the source
Attack Scenarios – Monkey-Jack
- Victim's 802.11 card scans channels to search for a new AP
- Victim's 802.11 card associates with the fake AP on the attack machine
  - Fake AP is on a different channel than the real one
  - Attack machine's fake AP duplicates the MAC address and ESSID of the real AP
Attack Scenarios – Monkey-Jack
- Attack machine associates with the real AP
  - Attack machine duplicates the MAC address of the victim's machine
- Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper-level protocols
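The Monkey-Jack sequence above gives a monitor one observable that does not depend on trusting any frame's source: the fake AP copies the real AP's MAC address and ESSID but has to sit on a different channel, so a channel-hopping sensor sees one BSSID beaconing on two channels within seconds of each other. The following is an added example, not code from the talk or from the Air-Jack tools: it keeps a BSSID-to-channel table fed from already parsed beacons and raises an alarm when a known BSSID turns up on another channel inside a short window. The addresses, channels, timestamps and the five-second window are constructed for the example.

```c
/* Added example (not from the talk, not Air-Jack code): monitor-side check for the
 * Monkey-Jack insertion. The fake AP copies the real AP's MAC address and ESSID but
 * sits on another channel, so a channel-hopping sensor sees one BSSID beaconing on
 * two channels at nearly the same time. All observations below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define AP_TABLE 32
#define FLIP_WINDOW_SECS 5    /* both channels seen within this window: constructed tuning */

struct ap_seen { uint8_t bssid[6]; uint8_t channel; unsigned last_ts; int used; };

/* Record one beacon (BSSID = addr3, channel, capture time in seconds). Returns 1 when
 * this BSSID beaconed on a different channel within FLIP_WINDOW_SECS, 0 otherwise,
 * -1 when the table is full. The stored channel always follows the latest beacon, so
 * a BSSID that keeps alternating between two channels alarms on every flip, while a
 * single channel change outside the window is treated as an ordinary reconfiguration. */
int observe_beacon(struct ap_seen *tbl, const uint8_t *bssid, uint8_t channel, unsigned ts)
{
    struct ap_seen *spare = NULL;
    for (int i = 0; i < AP_TABLE; i++) {
        if (!tbl[i].used) { if (!spare) spare = &tbl[i]; continue; }
        if (memcmp(tbl[i].bssid, bssid, 6) != 0) continue;
        int flipped = tbl[i].channel != channel && ts - tbl[i].last_ts <= FLIP_WINDOW_SECS;
        tbl[i].channel = channel; tbl[i].last_ts = ts;
        return flipped;
    }
    if (!spare) return -1;
    memcpy(spare->bssid, bssid, 6); spare->channel = channel; spare->last_ts = ts; spare->used = 1;
    return 0;
}

struct beacon_obs { uint8_t bssid[6]; uint8_t channel; unsigned ts; };

/* Constructed capture: the real AP 00:11:22:33:44:55 on channel 6, a neighbour on
 * channel 1, then the same BSSID appearing on channel 11 while the real AP stays up. */
static const struct beacon_obs CAPTURE[] = {
    {{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, 6, 100},
    {{0x00, 0x11, 0x22, 0x33, 0x44, 0x56}, 1, 100},   /* unrelated neighbouring AP */
    {{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, 6, 101},
    {{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, 11, 102},  /* fake AP: same BSSID, other channel */
    {{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, 6, 103},   /* real AP still beaconing */
    {{0x00, 0x11, 0x22, 0x33, 0x44, 0x56}, 1, 103},
};

/* Runs the capture through a fresh table; returns the number of flip alarms raised. */
int demo_channel_flips(void)
{
    struct ap_seen tbl[AP_TABLE]; memset(tbl, 0, sizeof tbl);
    int alarms = 0;
    for (size_t i = 0; i < sizeof CAPTURE / sizeof CAPTURE[0]; i++)
        if (observe_beacon(tbl, CAPTURE[i].bssid, CAPTURE[i].channel, CAPTURE[i].ts) == 1)
            alarms++;
    return alarms;
}
```

A legitimate AP can be reconfigured to a new channel, so one change proves nothing; what the insertion produces is a BSSID that keeps showing up on both channels while the real AP stays up, and the table is written to count each flip for that reason. On a live capture the inputs are the BSSID (addr3) and the channel of each beacon, passed with the capture time; the ESSID is deliberately not part of the key, since several real APs sharing one ESSID is normal.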
Attack Scenarios – Monkey-Jack
Before Monkey-Jack
Attack Scenarios – Monkey-Jack
After Monkey-Jack
Attack Scenarios – Monkey-Jack
Attack Scenarios – Kracker-Jack
- Dangers of wireless MITM
  - Wireless networks are more vulnerable to MITM attacks than wired networks
  - Many security solutions are implemented with an assumption of a secure layer 1 and 2
  - Many VPN solutions are implemented with inadequate authentication for protection against wireless MITM attacks
Attack Scenarios – Kracker-Jack
- WAVEsec
  - An open source software solution for securing wireless networks
  - Uses the FreeS/WAN IPSEC implementation
  - Will thwart passive eavesdropping of wireless network communications
  - Implementation options
    - X.509 certificates
    - Secure DNS
Attack Scenarios – Kracker-Jack
- Authenticating with the WAVEsec gateway
  - Client sends a modified DHCP request with the client's public key
  - WAVEsec gateway inserts the client's public key into a DNS record
  - Client obtains the WAVEsec gateway's public key by requesting it from the DNS server
  - IPSEC tunnel setup
Attack Scenarios – Kracker-Jack
- Using Kracker-Jack
  - KJ inserts at the 802.11 layer (like Monkey-Jack)
  - KJ, using a DNS request, gets the victim's public key from the DNS server
  - KJ, using the victim's MAC address, sends a DHCP request with its own key to replace the victim's key in the DNS server
Attack Scenarios – Kracker-Jack
- KJ initiates an ISAKMP main mode SA with the WAVEsec server
- KJ initiates an ISAKMP main mode SA with the victim
- Victim gets the new server key by a DNS request serviced by KJ
- Two separate IPSEC tunnels are now set up
  - All traffic passes through KJ unencrypted
Attack Scenarios – Kracker-Jack
Attack Scenarios – Kracker-Jack
IKE – ISAKMP/Oakley Phase 1
- Messages 1 and 2 – negotiate characteristics of the security association; no authentication
- Messages 3 and 4 – exchange random values (nonces) and execute a Diffie-Hellman exchange to establish a master key (SKEYID); no authentication
- Messages 5 and 6 – exchange information for mutually authenticating the parties: identity payload, signature payload, and OPTIONAL certificate payload
Attack Scenarios – Kracker-Jack
IKE – ISAKMP/Oakley Phase 2 – Oakley Quick Mode
- Define security associations
- Define keys used to protect IP datagrams
Attack Scenarios
- Shared key authentication attack
  - Observe plaintext challenge
  - Observe ciphertext response
  - XOR plaintext with ciphertext to get the key stream
  - XOR IP packet with the key stream, reusing the IV
    - Broadcast ping
Mitigation Strategies
- Big guy with a stick
- Wireless IDS and monitoring
  - AirDefense http://www.airdefense.net
- VPN + strong mutual authentication
- RF signal shaping – avoiding signal leaks
  - Antennas with a directional radiation pattern
  - Lower access point power
Summary
- Wireless networks are more susceptible to active attacks than wired networks
- Enable all built-in security capabilities
- Use VPN with strong mutual authentication
- Monitor the wireless network medium (air space) for suspicious activity
- Updates – Black Hat web site or http://802.11ninja.net
Advanced 802.11 Attack
Robert Baird & Mike Lynn