Misbehaving with 802.11 Will Stockwell

Presentation transcript:


Topics
- Snake oil access control
- The MAC layer lacks per-frame authentication
- The spoofing problems which result
- 802.1X issues related to spoofing
- WEP (dead horse, I'll discuss it briefly)
- Attacks against these schemes
- Recommendations
- Wireless tools you can mess with

Terminology
- SSID – Service Set ID
  – A text string used to identify a set of APs
- Spoofing
  – Illegitimate generation of network traffic: faking packets altogether, or inserting traffic into an existing stream
- WEP – Wired Equivalent Privacy
  – Broken encryption scheme
  – Should be "What on Earth does this Protect?"

Terminology (continued)
- Access point
  – Device serving as a wireless-to-wired bridge
- Association request
  – Wireless stations 'associate' with an AP
  – Follows a rudimentary authentication procedure
- Per-frame authentication
  – Every frame carries authenticity information
  – Should be used together with an initial authentication exchange

Ted's Hacker (image slide)

Authentication in the MAC Layer
- Two types
  – Open System: no authentication, gratuitous access
  – Shared Key: uses WEP, a broken scheme (returning to this later); key distribution and usage issues
- No per-frame authentication
  – Frame spoofing is easy (more later)
  – If an authentication scheme is to be effective, it needs to be per frame
- No AP authentication: allows impersonation of APs
- The MAC layer does leave room for other authentication schemes
  – None presently implemented
  – New schemes which conform to the standard still can't provide per-frame authentication

Other Forms of Access Control
- SSID hiding (complete snake oil)
  – SSID often beaconed by APs
  – APs can be configured to stop beaconing
- MAC address filtering (snake oil)
  – DHCP servers
  – AP ACLs
- 802.1X (spoofing issues)
  – Takes place following MAC layer authentication and association to the AP
  – Controls access only to the world beyond the AP, via EAP
  – Does allow for more robust authentication (Kerberos, others)
  – Doesn't solve the per-packet authentication problem
  – No clients for all OSes which all use the same authentication scheme

WEP, the "Sweet & Low" of 802.11 (dead horse, moving quickly)
- Passive listening
  – Numerous documented attacks
  – Attacks widely implemented
  – Key can be recovered, at worst, in a few hours of passive listening
- Only encrypts data frames
  – Management and control frames are sent in the clear
  – We can still spoof these frame types without a key
- Key management issues
  – If the key changes, all devices must change it at the very same time, so short key periods won't help much
  – Employee leaves with key in hand
  – Broken anyway! Why are you considering this option?

Circumvention: The Easy, the Challenging and the Not-So-Impossible

Sniffing the SSID – easy
Diagram: a regular user station (being innocent) sends an Association Request (…, SSID 'Paris', …) to an AP with SSID 'Paris'; a mischievous station running NetStumbler or similar picks the SSID out of the exchange. "Sniff, sniff, sniff…"

Beating MAC Address Filters – easy
- Sniff legitimate MAC addresses
- Wait for a station to leave
- Set your MAC to a legitimate address
  – linux# ifconfig wlan0 hwaddr 00:00:de:ad:be:ef
  – openbsd# wicontrol wi0 -m b5:db:5d:b5:db:5d
- You can now authenticate and associate
- MAC filtered by DHCP server?
  – Sniff addresses and set your IP statically

Cracking WEP – easy, time consuming
Diagram: a regular user station (being innocent) exchanges WEP-encrypted data frames (A1%h8#/?e$!...) with the access point; a mischievous station running AirSnort or similar collects them. "Sniff, sniff… CRACK!"

Back to the Spoofing Issue
- Allows lots of naughty behavior
  – Station disassociation DoS: disrupt a wireless station's access
  – Access point saturation DoS: the MAC level limits the number of associated stations to ~2000, and implementation limits are set lower to prevent congestion; saturating the AP prevents new stations from authenticating to it
  – Hijacking of legitimately authenticated sessions
  – Man in the middle attacks: the old ARP cache poisoning and DNS spoofing attacks work too; impersonate an AP to a client, tamper with traffic, pass it along

More on Spoofing Frames – challenging, getting easy
- Libradiate makes it easy
  – Alpha stage code
  – Didn't work for me, but expect it to work in future
  – Combine with Libnet to do all sorts of packet naughtiness
- Denial of Service (disassociation, AP saturation, others)
  – No publicly implemented attacks
  – Libradiate author wrote and tested some, but unreleased
  – Wrote my own disassociator!
  – 802.1X has its own DoSes (EAP Logoff, EAP Failure)

Disassociating a Wireless Station – easy after implementation!
Diagram: a regular user station (being innocent) exchanges general wireless traffic (MGMT, CTRL, DATA) with the access point; a mischievous station running dis2 sniffs that traffic, then sends a Disassociate Frame (SANTA'S MAC, AP BSSID, DISASSOC, …). "Sniff, sniff… DISASSOC!"

Session Hijacking, MITM – old dogs, new playground
- The wireless advantage: easy access to the medium!
- Hijacking a wireless session
  – Known network/transport layer attacks: easy with existing implementations
  – MAC level hijacking: implemented in UMD research, not public; a simple combination of disassociation and MAC spoofing; can beat 802.1X if the hijack happens after the EAP Success is received by the station
- MITM
  – SSH, SSL: easy with sshmitm and webmitm (part of the dsniff package); ARP poisoning and DNS redirect still work (may need retooling for the MAC); the same issues that go along with these attacks on a wired medium exist here
  – AP impersonation MITM: doable, challenging (no public implementation); could be detectable with knowledge of legitimate BSSIDs
  – 802.1X MITM: implemented in UMD research, not public; spoof EAP Success to the station, pass traffic to the network for it
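A defender-side check for the two spoofing signs raised on the disassociation and session hijacking slides: a burst of disassociation frames against one BSSID, and an AP impersonating a known SSID, which the talk notes is detectable with knowledge of the legitimate BSSIDs. This is an added example, not code from the talk; the frame records, MAC addresses, SSID 'Paris' and the thresholds are constructed for illustration.

```python
# Added example (not from the talk): passive monitor over 802.11 management
# frames that flags the two spoofing signs discussed in the slides.
# Frame records, MAC addresses, SSID and thresholds are all constructed here.
from collections import defaultdict

# Each record: (timestamp_s, subtype, src_mac, bssid, ssid_or_None)
LEGIT_AP = "00:11:22:33:44:55"          # constructed legitimate AP
ROGUE_AP = "aa:bb:cc:dd:ee:ff"          # constructed impersonator
FRAMES = [
    (0.00, "beacon", LEGIT_AP, LEGIT_AP, "Paris"),
    (0.50, "beacon", ROGUE_AP, ROGUE_AP, "Paris"),   # same SSID, unknown BSSID
    (1.00, "beacon", LEGIT_AP, LEGIT_AP, "Paris"),
    (2.00, "disassoc", LEGIT_AP, LEGIT_AP, None),    # one ordinary disassociation
] + [
    # burst of eight disassociations in 0.35 s, claiming to come from the AP
    (10.0 + i * 0.05, "disassoc", LEGIT_AP, LEGIT_AP, None) for i in range(8)
]

# Operator's allow-list: which BSSIDs are permitted to beacon each SSID
LEGIT_BSSIDS = {"Paris": {LEGIT_AP}}


def rogue_beacons(frames, legit=LEGIT_BSSIDS):
    """BSSIDs that beacon a known SSID but are not on that SSID's allow-list."""
    return sorted({bssid for _, sub, _, bssid, ssid in frames
                   if sub == "beacon" and ssid in legit and bssid not in legit[ssid]})


def disassoc_floods(frames, window=1.0, threshold=5):
    """BSSIDs for which more than `threshold` disassociation/deauthentication
    frames were seen within any sliding `window` of seconds."""
    times = defaultdict(list)
    for ts, sub, _, bssid, _ in frames:
        if sub in ("disassoc", "deauth"):
            times[bssid].append(ts)
    flagged = []
    for bssid, ts_list in times.items():
        ts_list.sort()
        start = 0
        for end, ts in enumerate(ts_list):
            while ts - ts_list[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged.append(bssid)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("rogue beacons:", rogue_beacons(FRAMES))
    print("disassociation floods:", disassoc_floods(FRAMES))
```

The single disassociation at t=2.0 is left alone; only the burst crosses the threshold, which is the property a monitor needs so that ordinary roaming does not page anyone.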

Main Points
- The wireless medium is inherently insecure
- The MAC poorly compensates
- The MAC layer needs stronger authentication
- Per-packet authentication could solve many issues
- The 802.1X exchange comes too late
- Spoofing attacks will become public

Recommendations
- The first rule of Fight Club is…
  – Secure network protocols
  – SECURE NETWORK PROTOCOLS
  – Wireless only makes attacks against these easier
- Snake oil can provide hurdles for the casual
- Treat wireless the way you treat remote traffic
- High security environments: no wireless allowed
- Not satisfied with these answers? Sorry!

Wireless Tools for your Tinkering
- Windows
  – Netstumbler – find APs and their SSIDs
  – Airopeek – wireless frame sniffer
- Linux
  – Airsnort (and other WEP tools)
  – Airtraf (Netstumbler-like)
  – Kismet (Netstumbler-like, WEP capture, other stuff)
- *BSD
  – bsd-airtools (Netstumbler-like tool, WEP cracking)
  – Kismet

References
- My slides
- PGP key
- 802.11 Wireless Networks: The Definitive Guide, Matthew S. Gast
  – Good overview of 802.11 in general
  – MAC layer well covered
  – Discussion of the different physical layer standards as well
- Lots of links
  – WEP papers
  – 802.1X information
  – General security information
- Libradiate – frame creation, injection and sniffing library
  – Works well in conjunction with the libnet TCP/IP packet library
  – Broken in my experience, but big potential for the future