Misbehaving with 802.11 Will Stockwell


1 Misbehaving with 802.11
Will Stockwell, bigwill@mit.edu

2 Topics
Snake oil access control
MAC layer lacks per-frame authentication
The spoofing problems which result
802.1X issues related to spoofing
WEP (dead horse, I'll discuss it briefly)
Attacks against these schemes
Recommendations
Wireless tools you can mess with

3 Terminology
SSID – Service Set ID
–A text string used to identify sets of APs
Spoofing
–Illegitimate generation of network traffic
  Faking packets altogether
  Inserting traffic into a stream
WEP – Wired Equivalent Privacy
–Broken 802.11 encryption scheme
–Should be "What on Earth does this Protect?"

4 Terminology (continued)
Access point
–Device serving as wireless-to-wired bridge
Association request
–Wireless stations 'associate' with an AP
–Follows rudimentary authentication procedure
Per-frame authentication
–Every frame carries authenticity information
–Should be used together with the initial auth. exchange

5 Ted's Hacker

6 Auth. in the 802.11 MAC Layer
Two types
–Open System
  No authentication, gratuitous access
–Shared Key
  Uses WEP – broken scheme (returning to this later)
  Key distribution and usage issues
No per-frame auth.
–Frame spoofing is easy (more later)
–If an authentication scheme is to be effective, it needs to be per frame
No AP auth. – allows impersonation of APs
MAC layer does leave room for other auth. schemes
–None presently implemented
–New schemes which conform to the standard still can't provide per-frame authentication

7 Other Forms of Access Control
SSID hiding (complete snake oil)
–SSID often beaconed by APs
–APs can be configured to stop beaconing
MAC address filtering (snake oil)
–DHCP servers
–AP ACLs
802.1X (spoofing issues)
–Takes place following MAC layer auth. and assoc. to AP
–Controls access only to the world beyond the AP, via EAP
–Does allow for more robust authentication (Kerberos, others)
–Doesn't solve the per-packet auth. problem
–No clients for all OSes which all use the same auth. scheme

8 WEP, the "Sweet & Low" of 802.11 (dead horse, moving quickly)
Passive listening
–Numerous documented attacks
–Attacks widely implemented
–Key can be recovered, at worst, in a few hours of passive listening
Only encrypts data frames
–Management, control frames sent in the clear
–We can still spoof these frame types without a key
Key management issues
–If the key changes, all devices must change it at the very same time, so short key periods won't help much
–Employee leaves with key in hand
–Broken anyway! Why are you considering this option?

9 Circumvention: The Easy, the Challenging and the Not-So-Impossible

10 Sniffing the SSID – easy
(diagram) Regular user station, being innocent, sends Assoc. Request (…, SSID 'Paris', …) to the AP w/ SSID 'Paris'; mischievous station running NetStumbler or similar: sniff, sniff, sniff…

11 Beating MAC Address Filters – easy
Sniff legitimate MAC addresses
Wait for a station to leave
Set your MAC to a legitimate address
–linux# ifconfig wlan0 hw ether 00:00:de:ad:be:ef
–openbsd# wicontrol wi0 -m b5:db:5d:b5:db:5d
You can now authenticate and associate
MAC filtered by DHCP server?
–Sniff addresses and set your IP statically

12 Cracking WEP – easy, time consuming
(diagram) Regular user station, being innocent, exchanges WEP-encrypted data frames (A1%h8#/?e$!...) with the access point; mischievous station running AirSnort or similar: sniff, sniff… CRACK!

13 Back to the Spoofing Issue
Allows lots of naughty behavior
–Station disassociation DoS
  Disrupts a wireless station's access
–Access point saturation DoS
  MAC level limits the number of associated stations to ~2000
  Implementation limits set lower to prevent congestion
  Prevents new stations from authenticating to an AP
–Hijacking of legitimately authenticated sessions
–Man in the middle attacks
  Old ARP cache poisoning, DNS spoofing affect 802.11 too
  Impersonate AP to a client, tamper with traffic, pass it along

14 More on Spoofing Frames – challenging, getting easy
Libradiate makes it easy
–Alpha stage code
–Didn't work for me, but expect it to work in future
–Combine with Libnet to do all sorts of packet naughtiness
Denial of Service (disassoc, AP saturate, others)
–No publicly implemented attacks
–Libradiate author wrote and tested, but unreleased
–Wrote my own disassociator!
–802.1X has its own DoSes (EAP Logoff, Failure)

15 Disassociating a Wireless Station – easy after implementation!
(diagram) Regular user station, being innocent, and the access point exchange general wireless traffic (MGMT, CTRL, DATA); mischievous station running dis2 injects a Disassociate Frame (SANTA'S MAC, AP BSSID, DISASSOC, …): sniff, sniff… DISASSOC!

16 Session Hijacking, MITM – old dogs, new playground
The wireless advantage: easy access to the medium!
Hijacking a wireless session
–Known network/transport layer attacks – easy w/ implementations
–MAC level hijacking – implemented in UMD research, not public
  Simple combination of disassociation and MAC spoofing
  Can beat 802.1X, if hijacking after EAP Success is received by the station
MITM
–SSH, SSL – easy w/ sshmitm, webmitm (part of the dsniff package)
  ARP poisoning, DNS redirect still work (may need retooling for the 802.11 MAC)
  Same issues that go along with these attacks on a wired medium exist here
–AP impersonation MITM – doable, challenging (no public implementation)
  Could be detectable w/ knowledge of legitimate BSSIDs
–802.1X MITM – implemented in UMD research, not public
  Spoof EAP Success to the station, pass its traffic to the network
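The spoofing attacks on slides 13, 15 and 16 all ride on management frames that carry no authenticity information, and the one detection hook the slides mention is knowledge of legitimate BSSIDs. As an added example (not from the talk or any tool it names), here is a small Python monitor that decodes the 24-byte 802.11 management header from a constructed capture and flags beacons from unknown BSSIDs, disassociation/deauthentication bursts, and sequence-number jumps on frames claiming a known AP as source. The MAC addresses, thresholds and the capture itself are made up.

```python
import struct
from collections import Counter

MGMT = 0                                   # frame type 0 = management
BEACON, DISASSOC, DEAUTH = 0x8, 0xA, 0xC   # management subtypes of interest

def parse_mgmt(frame):
    """Decode the 24-byte MAC header; return (subtype, DA, SA, BSSID, seq) or None."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != MGMT:   # bits 2-3 of frame control = type
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    seq = struct.unpack_from("<H", frame, 22)[0] >> 4    # sequence number = upper 12 bits
    return (frame[0] >> 4) & 0xF, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), seq

def mgmt_frame(subtype, da, sa, bssid, seq):
    """Build a constructed management-frame header (sample input only, not a real capture)."""
    raw = lambda s: bytes(int(x, 16) for x in s.split(":"))
    return (bytes([subtype << 4 | MGMT << 2, 0]) + b"\x00\x00"   # frame control, duration
            + raw(da) + raw(sa) + raw(bssid) + struct.pack("<H", seq << 4))

def detect(frames, known_bssids, flood_threshold=5, seq_gap=200):
    """Alerts for rogue beacons, disassoc/deauth bursts, and sequence-number jumps on
    frames whose source claims to be a known AP (a spoofer does not continue the real
    AP's sequence counter; crude heuristic, expect false positives on AP reboots)."""
    alerts, floods, last_seq = [], Counter(), {}
    for f in frames:
        p = parse_mgmt(f)
        if p is None:                      # control/data frames are ignored here
            continue
        subtype, da, sa, bssid, seq = p
        if subtype == BEACON and bssid not in known_bssids:
            alerts.append(f"rogue-beacon bssid={bssid}")
        if subtype in (DISASSOC, DEAUTH):
            floods[bssid] += 1
        if sa in known_bssids:
            prev = last_seq.get(sa)
            if prev is not None and (seq - prev) % 4096 > seq_gap:
                alerts.append(f"seq-jump sa={sa} {prev}->{seq}")
            last_seq[sa] = seq
    alerts += [f"disassoc-flood bssid={b} count={n}" for b, n in floods.items() if n >= flood_threshold]
    return alerts

AP, ROGUE, STA = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"  # made-up addresses

def sample_capture():
    """Constructed capture: two legitimate beacons, one rogue beacon, then a spoofed disassoc burst."""
    frames = [mgmt_frame(BEACON, "ff:ff:ff:ff:ff:ff", AP, AP, s) for s in (10, 11)]
    frames.append(mgmt_frame(BEACON, "ff:ff:ff:ff:ff:ff", ROGUE, ROGUE, 7))
    return frames + [mgmt_frame(DISASSOC, STA, AP, AP, 3000 + i) for i in range(6)]
```

Calling `detect(sample_capture(), {AP})` yields one rogue-beacon alert, one sequence-jump alert for the first spoofed frame, and one flood alert for the burst.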

17 Main Points
The wireless medium is inherently insecure
The 802.11 MAC poorly compensates
MAC layer needs stronger authentication
Per-packet auth. could solve many issues
802.1X exchange comes too late
Spoofing attacks will become public

18 Recommendations
The first rule of Fight Club is…
–Secure network protocols
–SECURE NETWORK PROTOCOLS
–Wireless only makes attacks against these easier
Snake oil can provide hurdles for the casual
Treat wireless the way you treat remote traffic
High security environments: no wireless allowed
Not satisfied with these answers? Sorry!

19 Wireless Tools for your Tinkering
Windows
–Netstumbler – find APs and their SSIDs
–Airopeek – wireless frame sniffer
Linux
–Airsnort (and other WEP tools)
–Airtraf (Netstumbler-like)
–Kismet (Netstumbler-like, WEP capture, other stuff)
*BSD
–bsd-airtools (Netstumbler-like tool, WEP cracking)
–Kismet

20 References
http://www.mit.edu/~bigwill/
–My slides
–PGP key
802.11 Wireless Networks: The Definitive Guide, Matthew S. Gast
–Good overview of 802.11 in general
–MAC layer well covered
–Discussion of the different physical layer standards as well
http://www.cs.umd.edu/~waa/wireless.html
–Lots of links
–WEP papers
–802.1X information
–General 802.11 security information
http://www.packetfactory.net/projects/libradiate
–802.11 frame creation, injection, sniffing library
–Works well in conjunction with the libnet TCP/IP packet library
–Broken in my experience, but big potential for the future

