Chapter 8 Wireless Hacking Last modified 4-21-14.

Post on 12-Jan-2016



Session Establishment

Infrastructure v. Ad Hoc

Infrastructure
– Uses an access point
– Most common mode

Ad Hoc
– Devices connect peer-to-peer
– Like an Ethernet crossover cable

Probes

Client sends a probe request for the SSID (Service Set Identifier) it is looking for

It repeats this request on every channel, looking for a probe response

After the response, the client sends an authentication request

Authentication

If the system uses open authentication, the AP accepts any connection

The alternate system, shared-key authentication, is almost never used
– Used only with WEP

WPA security mechanisms have no effect on authentication—they take effect later

Association

Client sends an association request

AP sends an association response

Security Mechanisms

Basic Security Mechanisms

MAC filtering

"Hidden" networks
– Omit SSID from beacons
– Microsoft recommends announcing your SSID
– Because Vista and later versions of Windows look for beacons before connecting
– This makes Vista more secure, because it is not continuously sending out probe requests, inviting AP impersonation attacks

Responding to Broadcast Probe Requests

Clients can send broadcast probe requests
– These do not specify an SSID

APs can be configured to ignore them

WPA v. WPA2

802.11i specifies encryption standards

WPA implements only part of 802.11i
– TKIP (Temporal Key Integrity Protocol)

WPA2 implements both
– TKIP
– AES (Advanced Encryption Standard)

PSK v. 802.1x

WPA-PSK (Wi-Fi Protected Access Pre-Shared Key)
– Uses a Pre-Shared Key

WPA-Enterprise
– Uses 802.1x and a RADIUS server
– EAP (Extensible Authentication Protocol), which may be one of EAP-TTLS, PEAP, or EAP-FAST

Four-Way Handshake

Both WPA-PSK and WPA Enterprise use the four-way handshake
– Pairwise transient key: used for unicast communication
– Group temporal key: used for multicast and broadcast communication

Three Encryption Options

WEP (Wired Equivalent Privacy)
– Uses RC4
– Flawed & easily exploited

TKIP
– A quick replacement for WEP
– Runs on old hardware
– Still uses RC4
– No major vulnerabilities are known

AES-CCMP (Advanced Encryption Standard with Cipher Block Chaining Message Authentication Code Protocol)
– Most secure, recommended

Equipment

Chipset

The manufacturer's chipset driver limits your control of the wireless NIC
– Most NICs can't be used for wireless hacking

Recommended Network Cards
– Ubiquiti SRC, Atheros chipset, USB
– Alfa AWUS050NH, Ralink RT2770F chipset, USB
– Both support 802.11a/b/g/n and external antennas

Link Ch 8a

Windows v. Linux

Windows
– Wireless NIC drivers are easy to get
– Wireless hacking tools are few and weak, unless you pay for AirPcap devices (link Ch 819) or OmniPeek

Linux
– Wireless NIC drivers are hard to get and install
– Wireless hacking tools are much better

Kali

Includes many drivers already

Can be used from a virtual machine with a USB NIC

For other NIC types, you can't use VMware for wireless hacking
– Install Kali on the bare metal
– Boot from a USB with Kali on it
– Boot from a LiveCD of Kali

OmniPeek

WildPackets now packages AiroPeek & EtherPeek together into OmniPeek

A Windows-based sniffer for wireless and wired LANs

Only supports a few wireless NICs
– See links Ch 801, Ch 802

Antennas

An omnidirectional antenna sends and receives in all directions

Directional antennas focus the waves in one direction
– The Cantenna shown is a directional antenna

Yagi

Panel Antenna

From digdice.com

Link Ch 8b

Global Positioning System (GPS)

Locates you using signals from a set of satellites

Works with war-driving software to create a map of access points

Discovery and Monitoring

Discovery tools use 802.11 management frames
– Probe requests/responses
– Beacons

The source and destination addresses of an 802.11 frame are always unencrypted
– Tools can map associations between clients and APs

Finding Wireless Networks

Active Discovery
– Send out broadcast probe requests
– Record responses
– Misses APs that are configured to ignore them
– NetStumbler does this

Passive Discovery
– Listen on every channel
– Record every AP seen
– Much better technique

NetStumbler Screen

Wardriving

Finding wireless networks with a portable device
– Image from overdrawn.net

CCSF Wardriving

Vistumbler

Link Ch 8j

Google Sniffing

Link Ch 8k

iPhone

The iPhone combines GPS, Wi-Fi, and cell tower location technology to locate you

You can wardrive with the Android phone and Wifiscan

WiGLE

Collects wardriving data from users

Has over 16 million records
– Link Ch 825

Kismet Screenshot

For Kismet, see link Ch 811

Kismet Demo
– Use the Linksys WUSB54G ver 4 NICs
– Boot from the Kali 2 CD
– Start, Kali, Radio Network Analysis, 80211, All, Kismet

WEP Crack with Cain

You need an AirPcap Wi-Fi card

Cain from www.oxid.it/cain.html

Sniffing Wireless Traffic

Easy if traffic is unencrypted

Man-in-the-middle (MITM) attacks are common and easy

May violate wiretap laws

If you can't get your card into "monitor mode", you'll see higher-level traffic but not 802.11 management frames

Demo: Wireless Sniffing on Mac

De-authentication DoS Attack

Unauthenticated Management Frames
– An attacker can spoof a de-authentication frame that looks like it came from the access point
– aireplay-ng can do this
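As an added example (my own code, not from the slides), the detection side of this attack: a parser for the 802.11 management-frame header and a sliding-window counter that flags a source address sending a burst of deauthentication or disassociation frames, which is what a spoofing tool produces and a real AP does not. The MAC addresses, timestamps and frames in run_sample are constructed for the demonstration; the durable fix is 802.11w (Protected Management Frames), which authenticates these frames so a forged one is dropped.

```python
import struct
from collections import defaultdict, deque

# Frame-control byte 0: bits 0-1 version, bits 2-3 type (0 = management), bits 4-7 subtype.
MGMT, BEACON, DISASSOC, DEAUTH = 0, 8, 10, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_mgmt(subtype, dst, src, bssid, seq, body=b""):
    """Constructed 802.11 management frame (no FCS), used only to feed the detector."""
    fc = struct.pack("<H", (subtype << 4) | (MGMT << 2))
    seq_ctl = struct.pack("<H", seq << 4)  # fragment 0, sequence number in the top 12 bits
    return fc + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + seq_ctl + body


def parse_mgmt(frame: bytes):
    """Return (subtype, dst, src, bssid, seq) for a management frame, None otherwise."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != MGMT:
        return None
    seq = struct.unpack("<H", frame[22:24])[0] >> 4
    return frame[0] >> 4, frame[4:10].hex(":"), frame[10:16].hex(":"), frame[16:22].hex(":"), seq


class DeauthDetector:
    """Alerts when one source address emits more than `threshold` deauth/disassoc
    frames inside a `window`-second sliding window. A real AP sends these rarely;
    a spoofing tool sends them in bursts, usually to the broadcast address."""

    def __init__(self, threshold=10, window=1.0):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)  # source MAC -> timestamps of its deauth frames

    def observe(self, ts: float, frame: bytes):
        parsed = parse_mgmt(frame)
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            return None
        _, dst, src, _, _ = parsed
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold:
            return {"source": src, "count": len(q), "broadcast": dst == BROADCAST}
        return None


def run_sample():
    """Constructed traffic: a beacon, one ordinary deauth, then a 20-frame deauth burst."""
    ap, sta = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed addresses
    det = DeauthDetector(threshold=10, window=1.0)
    frames = [(0.0, build_mgmt(BEACON, BROADCAST, ap, ap, 1)),
              (0.1, build_mgmt(DEAUTH, sta, ap, ap, 2, struct.pack("<H", 3)))]
    frames += [(5.0 + i * 0.01, build_mgmt(DEAUTH, BROADCAST, ap, ap, 100 + i, struct.pack("<H", 7)))
               for i in range(20)]
    return [alert for ts, f in frames if (alert := det.observe(ts, f)) is not None]
```

The single deauth at t=0.1 is tolerated; alerts begin at the 11th frame of the burst and repeat for each further frame in the window.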

Rogue AP Suppression

Identifying Wireless Network Defenses

SSID

The SSID can be found from any of these frames
– Beacons: sent continually by the access point (unless disabled)
– Probe Requests: sent by client systems wishing to connect
– Probe Responses: response to a Probe Request
– Association and Reassociation Requests: made by the client when joining or rejoining the network

If SSID broadcasting is off, just send a deauthentication frame to force a reassociation

MAC Access Control

CCSF used this technique for years

Each MAC must be entered into the list of approved addresses

High administrative effort, low security

An attacker can just sniff MACs from clients and spoof them

Gaining Access (Hacking 802.11)

Specifying the SSID

In Windows, just select it from the available wireless networks
– In Vista, right-click the network icon in the taskbar tray and click "Connect to a Network"
– If the SSID is hidden, click "Set up a connection or network" and then click "Manually connect to a wireless network"

Changing your MAC

Bwmachak changes a NIC under Windows for Orinoco cards

SMAC is easy
– Link Ch 812

Device Manager

Many Wi-Fi cards allow you to change the MAC in Windows' Device Manager

HotSpotter

Hotspotter, like SSLstrip, silently replaces a secure Wi-Fi connection with an insecure one

Less effective since Windows XP SP2, because Windows machines no longer probe for known networks as much
– Link Ch 8e

Attacks Against the WEP Algorithm

Brute-force keyspace – takes weeks even for 40-bit keys

Collect Initialization Vectors, which are sent in the clear, and correlate them with the first encrypted byte
– This makes the brute-force process much faster

Tools that Exploit WEP Weaknesses

AirSnort

WLAN-Tools

DWEPCrack

WEPAttack
– Cracks using the weak IV flaw

Best countermeasure – use WPA

WPA

WPA is strong

No major weaknesses

However, if you use a weak Pre-Shared Key, it can be found with a dictionary attack

But
– The PSK is hashed 4096 times, can be up to 63 characters long, and includes the SSID

Tools: Airodump-ng, coWPAtty, rainbow tables
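As an added example (my own code, not from the slides), the key derivation behind the two points above, the PSK hashing described here and the pairwise transient key of the four-way handshake: the PBKDF2 step that turns a passphrase and SSID into the PMK, and the PRF that expands the PMK into the PTK. The "password"/"IEEE" pair is the IEEE 802.11i test vector; the second SSID in sample_pmks and the MAC addresses and nonces used with derive_ptk are constructed.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: the pre-shared key is PBKDF2-HMAC-SHA1(passphrase, SSID,
    4096 rounds, 256 bits). The SSID is the salt, so a precomputed (rainbow) table
    is only valid for the one SSID it was built for, and each guess costs 4096 HMACs."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter, concatenated."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(5)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise transient key from the four-way handshake. Both MACs and both nonces
    travel in the clear in the handshake; the PMK is the only secret input, which is
    why a weak passphrase can be recovered from a captured handshake alone."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    # CCMP uses the first 48 bytes: key confirmation key, key encryption key, temporal key
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def sample_pmks() -> dict:
    """Constructed illustration: one passphrase, two SSIDs, two unrelated PMKs."""
    return {ssid: derive_pmk("password", ssid).hex() for ssid in ("IEEE", "linksys")}
```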

WPS (Wi-Fi Protected Setup)

Intended to make WPA easier to use

Included in almost all modern Wi-Fi routers

Uses a key with only 10,500 possible values

Subject to a trivial brute-force attack

Cracking WPS

Link Ch 8d

Attacking WPA Enterprise

This means attacking EAP

Techniques depend on the specific EAP type used
– LEAP
– EAP-TTLS and PEAP

Detecting EAP type with Wireshark

Lightweight Extensible Authentication Protocol (LEAP)

What is LEAP?

A proprietary protocol from Cisco Systems, developed in 2000 to address the security weaknesses common in WEP

LEAP is an 802.1X scheme using a RADIUS server

As of 2004, 46% of IT executives in the enterprise said that they used LEAP in their organizations

The Weakness of LEAP

LEAP is fundamentally weak because it provides zero resistance to offline dictionary attacks

It relies solely on MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) to protect the user credentials used for wireless LAN authentication

MS-CHAPv2

MS-CHAPv2 is notoriously weak because
– It does not use a salt in its NT hashes
– Uses a weak 2-byte DES key
– Sends usernames in clear text

Because of this, offline dictionary and brute-force attacks can be made much more efficient by a very large (4 gigabyte) database of likely passwords with pre-calculated hashes
– Rainbow tables

Cisco's Defense

LEAP is secure if the passwords are long and complex
– 10 characters long with random upper case, lower case, numeric, and special characters

The vast majority of passwords in most organizations do not meet these stringent requirements
– Can be cracked in a few days or even a few minutes

Asleap

Grabs and decrypts weak LEAP passwords from Cisco wireless access points and corresponding wireless cards

Integrated with Air-Jack to knock authenticated wireless users off targeted wireless networks
– When the user reauthenticates, their password will be sniffed and cracked with Asleap

CloudCracker

Kills PPTP and, apparently, LEAP dead

Link Ch 8f

Microsoft: Don't Use PPTP and MS-CHAP

Microsoft recommends PEAP, L2TP/IPsec, IPsec with IKEv2, or SSTP instead

Link Ch 8g

EAP-TTLS and PEAP

TLS Tunnel

EAP-TTLS and PEAP both use a TLS tunnel to protect a less secure inner authentication protocol

Inner authentication protocols
– MS-CHAPv2
– EAP-GTC (one-time passwords)
– Cleartext

Attacking TLS

No known way to defeat the encryption

But AP impersonation can work
– Trick the target into connecting to a MITM instead of the server
– Misconfigured clients won't validate the identity of the RADIUS server, so it can be spoofed
– FreeRADIUS-WPE does this (link Ch 8h)

Protecting EAP-TTLS and PEAP

Check "Validate the Server Certificate" on all wireless clients

Link Ch 8i