bh-us-02-lynn-802.11attack.ppt - black hat

7/31/2002 Black Hat 2002, Las Vegas NV Advanced 802.11 Attack Mike Lynn & Robert Baird

Page 1

Advanced 802.11 Attack
Mike Lynn & Robert Baird

Page 2

What Is NOT Covered
- Wired Equivalent Privacy (WEP) vulnerabilities
- WEP key cracking techniques
- Radio signal amplification
- Suggested changes to the IEEE 802.11b specification
- Wireless network discovery tools

Page 3

What Will Be Covered
- Wireless network best practices
- Practical attacks
- The focus of the attack(s)
  - The network layers
  - The bottom 2 layers
  - Custom (forged) 802.11b management frames
- The tool box
  - Drivers
  - Utilities
  - Proof of concept code

Page 4

What Will Be Covered
- Attack scenarios
  - Denial of service
  - Masked ESSID detection
  - 802.11b layer MITM attack
  - Inadequate VPN implementations
- Mitigation strategies

Page 5

Wireless Best Practices
- Enable WEP (Wired Equivalent Privacy)
  - Key rotation when equipment supports it
- Disable broadcast of ESSID
- Block null ESSID connection
- Restrict access by MAC address
- Use VPN technology
- Use strong mutual authentication

Page 6

Practical Attacks
- WEP – can be cracked passively
- Masked ESSID – can be passively observed in management frames during association
- Block null ESSID connects – same problem
- Install VPN – a weakly authenticated VPN is susceptible to active attack (MITM)
- Strong mutual authentication – ?

Page 7

The Network Layers

Page 8

The Bottom Layers
Manipulating the bottom 2 layers of the OSI model:
- Data Link (Layer 2)
  - Media Access Control (MAC) – access to the medium
  - Logical Link Control (LLC) – frame sync, flow control
- Physical (Layer 1)
  - Radio bit stream
  - Divided into channels

Page 9

The Bottom Layers

Page 10

Management Frames
- Management frames can control link characteristics and physical medium properties
- 802.11b management frames are NOT authenticated
- Why is this bad?

Page 11

The Tool Box
- Custom drivers
  - Air-Jack: custom driver for PrismII (HFA384x) cards
    - MAC address setting/spoofing
    - Send custom (forged) management frames
    - AP forgery/fake AP
  - Lucent/Orinoco Linux driver modified to allow MAC address setting/spoofing from the command line
- Utilities
  - User space programs – wlan-jack, essid-jack, monkey-jack, kracker-jack

Page 12

Air-Jack Driver
- Allows control of wireless card modes
- Modes 0 and 1: standard documented modes
  - BSS (infrastructure) (1) or IBSS (0) (ad-hoc)
- Pseudo-IBSS (3) mode
  - Control channel selection
  - Firmware handles timing-sensitive functions
- Mode 5 – undocumented
  - Channel selection
  - Firmware handles time-sensitive functions
  - No beacons sent
  - Very little firmware intervention

Page 13

Air-Jack Driver
- Mode 6 – Host Access Point mode
  - Sends beacons (firmware control)
  - Responds to probe requests
  - Handles time-sensitive functions
- Can enable PrismII monitor mode
- Uses the Linux PF_PACKET interface for RX and TX of raw frames

Page 14

Air-Jack Driver

    void send_deauth(__u8 *dst, __u8 *bssid)
    {
        struct {
            struct a3_80211 hdr;   /* three-address 802.11 header */
            __u16 reason;          /* deauthentication reason code */
        } frame;

        memset(&frame, 0, sizeof(frame));
        frame.hdr.mh_type = FC_TYPE_MGT;
        frame.hdr.mh_subtype = MGT_DEAUTH;
        memcpy(&(frame.hdr.mh_mac1), dst, 6);     /* addr1: destination */
        memcpy(&(frame.hdr.mh_mac2), bssid, 6);   /* addr2: source (the AP) */
        memcpy(&(frame.hdr.mh_mac3), bssid, 6);   /* addr3: BSSID */
        frame.reason = 1;
        send(socket, &frame, sizeof(frame), 0);
    }

Page 15

Attack Scenarios – WLAN-Jack
- Denial of service – de-authentication
  - Use MAC address of access point
  - Send deauthenticate frames
    - Send continuously
    - Send to broadcast address or specific MAC
  - Users are unable to reassociate with AP
- Air-Jack + WLAN-Jack

Page 16

Attack Scenarios – WLAN-Jack

Page 17

Attack Scenarios – WLAN-Jack
Airopeek Trace

Page 18

Attack Scenarios – WLAN-Jack
Airopeek Trace

Page 19

Attack Scenarios – WLAN-Jack
Decode of Deauthentication Frame

Page 20

Attack Scenarios – WLAN-Jack
This is your connection

Page 21

Attack Scenarios – WLAN-Jack
This is your connection on WLAN-Jack.

Page 22

Attack Scenarios – ESSID-Jack
- Is the ESSID a shared secret?
- If I mask the ESSID from the AP beacons, then unauthorized users will not be able to associate with my AP?
- Discover masked ESSID
  - Send a deauthenticate frame to the broadcast address
  - Obtain the ESSID contained in the client probe request or AP probe response

Page 23

Attack Scenarios – ESSID-Jack

Page 24

Attack Scenarios – ESSID-Jack
Airopeek Trace

Page 25

Attack Scenarios – ESSID-Jack
Airopeek Trace

Page 26

Attack Scenarios – Monkey-Jack
- MITM attack
  - Taking over connections at layers 1 and 2
  - Insert attack machine between victim and access point
- Management frames
  - Deauthenticate victim from real AP
  - Send deauthenticate frames to the victim using the access point's MAC address as the source

Page 27

Attack Scenarios – Monkey-Jack
- Victim's 802.11 card scans channels to search for a new AP
- Victim's 802.11 card associates with the fake AP on the attack machine
  - Fake AP is on a different channel than the real one
  - Attack machine's fake AP duplicates the MAC address and ESSID of the real AP

Page 28

Attack Scenarios – Monkey-Jack
- Attack machine associates with the real AP
  - Attack machine duplicates the MAC address of the victim's machine
- Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper-level protocols

Page 29

Attack Scenarios – Monkey-Jack
Before Monkey-Jack

Page 30

Attack Scenarios – Monkey-Jack
After Monkey-Jack

Page 31

Attack Scenarios – Monkey-Jack

Page 32

Attack Scenarios – Kracker-Jack
- Dangers of wireless MITM
  - Wireless networks are more vulnerable to MITM attacks than wired networks
  - Many security solutions are implemented with an assumption of a secure layer 1 and 2
  - Many VPN solutions are implemented with inadequate authentication for protection against wireless MITM attacks

Page 33

Attack Scenarios – Kracker-Jack
- WAVEsec
  - An open source software solution for securing wireless networks
  - Uses the FreeS/WAN IPSEC implementation
  - Will thwart passive eavesdropping of wireless network communications
  - Implementation options
    - X.509 certificates
    - Secure DNS

Page 34

Attack Scenarios – Kracker-Jack
- Authenticating with the WAVEsec gateway
  - Client sends a modified DHCP request containing the client's public key
  - WAVEsec gateway inserts the client's public key into a DNS record
  - Client obtains the WAVEsec gateway's public key by requesting it from the DNS server
  - IPSEC tunnel setup

Page 35

Attack Scenarios – Kracker-Jack
- Using Kracker-Jack
  - KJ inserts at the 802.11 layer (like Monkey-Jack)
  - KJ, using a DNS request, gets the victim's public key from the DNS server
  - KJ, using the victim's MAC address, sends a DHCP request with its own key to replace the victim's key in the DNS server

Page 36

Attack Scenarios – Kracker-Jack
- KJ initiates an ISAKMP main mode SA with the WAVEsec server
- KJ initiates an ISAKMP main mode SA with the victim
- Victim gets the new server key by a DNS request serviced by KJ
- Two separate IPSEC tunnels are now set up
- All traffic passes through KJ unencrypted

Page 37

Attack Scenarios – Kracker-Jack

Page 38

Attack Scenarios – Kracker-Jack
IKE – ISAKMP/Oakley Phase 1
- Messages 1 and 2 – negotiate characteristics of the security association; no authentication
- Messages 3 and 4 – exchange random values (nonces) and execute a Diffie-Hellman exchange to establish a master key (SKEYID); no authentication
- Messages 5 and 6 – exchange information for mutually authenticating the parties: identity payload, signature payload, and OPTIONAL certificate payload

Page 39

Attack Scenarios – Kracker-Jack
IKE – ISAKMP/Oakley Phase 2 – Oakley Quick Mode
- Define security associations
- Define keys used to protect IP datagrams

Page 40

Attack Scenarios
- Shared key authentication attack
  - Observe plaintext challenge
  - Observe ciphertext response
  - XOR plaintext with ciphertext to get the key stream
  - XOR IP packet with the key stream, re-using the IV
  - Broadcast ping

Page 41

Mitigation Strategies
- Big guy with a stick
- Wireless IDS and monitoring
  - AirDefense http://www.airdefense.net
- VPN + strong mutual authentication
- RF signal shaping – avoiding signal leaks
  - Antennas with directional radiation pattern
  - Lower access point power
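As an added example that is not from the talk or the Air-Jack project: a minimal wireless-IDS style check, in the spirit of the "Wireless IDS and monitoring" item, that parses raw 802.11 management frames and flags the two patterns the WLAN-Jack and Monkey-Jack scenarios leave on the air (a burst of deauthentication frames from one BSSID, and one BSSID beaconing on two channels). The frame bytes and the BSSID are constructed test data, and the flood threshold and time window are assumptions.

```python
import struct
from collections import defaultdict
# Frame-control byte: bits 2-3 = type (0 = management), bits 4-7 = subtype.
MGT_BEACON, MGT_DEAUTH = 8, 12
BCAST = b"\xff" * 6
mac = lambda b: ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Return header fields of a management frame, or None for other types."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        return None
    info = {"subtype": (frame[0] >> 4) & 0xF, "dst": mac(frame[4:10]),
            "src": mac(frame[10:16]), "bssid": mac(frame[16:22])}
    if info["subtype"] == MGT_DEAUTH and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]  # reason code
    return info

def analyze(records, flood=5, window=1.0):
    """records: (time_s, channel, raw_frame) tuples from a monitor-mode capture.
    Alerts on >= `flood` deauths from one BSSID within `window` seconds (WLAN-Jack
    style DoS) and on one BSSID beaconing on two channels (Monkey-Jack fake AP)."""
    alerts, deauths, chans = [], defaultdict(list), defaultdict(set)
    for t, ch, raw in records:
        f = parse_mgmt(raw)
        if f is None:
            continue
        if f["subtype"] == MGT_DEAUTH:
            recent = [x for x in deauths[f["bssid"]] if t - x <= window] + [t]
            deauths[f["bssid"]] = recent
            if len(recent) == flood:  # fire once, as the threshold is crossed
                alerts.append(f"deauth flood from {f['bssid']} to {f['dst']} "
                              f"reason {f.get('reason')}")
        elif f["subtype"] == MGT_BEACON and ch not in chans[f["bssid"]]:
            chans[f["bssid"]].add(ch)
            if len(chans[f["bssid"]]) == 2:
                alerts.append(f"bssid {f['bssid']} beaconing on channels "
                              f"{sorted(chans[f['bssid']])}")
    return alerts

def build_mgmt(subtype, dst, src, bssid, body=b""):
    """Minimal management frame: FC, duration, addr1-3, sequence control, body."""
    return bytes([subtype << 4, 0, 0, 0]) + dst + src + bssid + b"\x00\x00" + body

def sample_records():
    """Constructed capture: an AP beacon, six broadcast deauths (addr1 = broadcast,
    addr2 = addr3 = BSSID, reason 1, as in the Air-Jack snippet), then the same
    BSSID beaconing on a second channel."""
    ap = bytes.fromhex("00a0f8112233")  # constructed BSSID, not a real device
    beacon = build_mgmt(MGT_BEACON, BCAST, ap, ap)
    deauth = build_mgmt(MGT_DEAUTH, BCAST, ap, ap, struct.pack("<H", 1))
    recs = [(0.0, 6, beacon)] + [(0.1 * i, 6, deauth) for i in range(1, 7)]
    return recs + [(1.5, 11, beacon)]
```

A real deployment would feed `analyze` from a monitor-mode capture and tune `flood` and `window` to the normal deauth rate of the site, since a legitimate AP also sends occasional deauthentication frames.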

Page 42

Summary
- Wireless networks are more susceptible to active attacks than wired networks
- Enable all built-in security capabilities
- Use VPN with strong mutual authentication
- Monitor the wireless network medium (air space) for suspicious activity
- Updates – Black Hat web site or http://802.11ninja.net

Page 43

Advanced 802.11 Attack
Robert Baird & Mike Lynn