bh-us-02-lynn-802.11attack.ppt

Advanced 802.11 Attack
Mike Lynn
&
Robert Baird

7/31/2002          Black Hat 2002, Las Vegas NV
What Is NOT Covered
  Wired Equivalent Privacy (WEP) vulnerabilities
  WEP key cracking techniques
  Radio signal amplification
  Suggested changes to the IEEE 802.11b specification
  Wireless network discovery tools

What Will Be Covered
  Wireless network best practices
  Practical attacks
  The focus of the attack(s)
    The network layers
    The bottom 2 layers
    Custom (forged) 802.11b management frames
  The Tool Box
    Drivers
    Utilities
    Proof of concept code

What Will Be Covered
  Attack Scenarios
    Denial of service
    Masked ESSID detection
    802.11b layer MITM attack
    Inadequate VPN implementations
  Mitigation Strategies

Wireless Best Practices
  Enable WEP (Wired Equivalent Privacy)
    Key rotation when equipment supports it
  Disable broadcast of ESSID
  Block null ESSID connection
  Restrict access by MAC address
  Use VPN technology
  Use strong mutual authentication

Practical Attacks
  WEP – can be cracked passively
  Masked ESSID – can be passively observed in management frames during association
  Block null ESSID connects – same problem
  Install VPN – a weakly authenticated VPN is susceptible to active attack (MITM)
  Strong mutual authentication – ?

The Network Layers
  (diagram slide; image not included in the extracted text)

The Bottom Layers
  Manipulating the bottom 2 layers of the OSI model
    Data Link (Layer 2)
      Media Access Control (MAC) – access to the medium
      Logical Link Control (LLC) – frame sync, flow control
    Physical (Layer 1)
      Radio bit stream
      Divided into channels

The Bottom Layers
  (diagram slide; image not included in the extracted text)

Management Frames
  Management frames control link characteristics and physical medium properties
  802.11b management frames are NOT authenticated
    Why is this bad?

The Tool Box
  Custom Drivers
    Air-Jack
      Custom driver for PrismII (HFA384x) cards
      MAC address setting/spoofing
      Send custom (forged) management frames
      AP forgery/fake AP
    Lucent/Orinoco
      Linux driver modified to allow MAC address setting/spoofing from the command line
  Utilities
    User space programs – wlan-jack, essid-jack, monkey-jack, kracker-jack

Air-Jack Driver
  Allows control of wireless card modes
    Modes 0 and 1 – standard documented modes: IBSS/ad-hoc (0) or BSS/infrastructure (1)
    Pseudo-IBSS mode (3)
      Control channel selection
      Firmware handles timing sensitive functions
    Mode 5 – undocumented
      Channel selection
      Firmware handles time sensitive functions
      No beacons sent
      Very little firmware intervention

Air-Jack Driver
  Mode 6 – Host Access Point mode
    Sends beacons (firmware control)
    Responds to probe requests
    Handles time sensitive functions
  Can enable PrismII monitor mode
  Uses the Linux PF_PACKET interface for RX and TX of raw frames

Air-Jack Driver

     void send_deauth(__u8 *dst, __u8 *bssid)
     {
         struct {
             struct a3_80211hdr hdr;    /* generic three-address 802.11 header */
             __u16              reason;
         } frame;

         memset(&frame, 0, sizeof(frame));
         frame.hdr.mh_type    = FC_TYPE_MGT;        /* management frame */
         frame.hdr.mh_subtype = MGT_DEAUTH;         /* subtype: deauthentication */
         memcpy(&(frame.hdr.mh_mac1), dst, 6);      /* addr1: destination station (or broadcast) */
         memcpy(&(frame.hdr.mh_mac2), bssid, 6);    /* addr2: source, the AP's address */
         memcpy(&(frame.hdr.mh_mac3), bssid, 6);    /* addr3: BSSID */
         frame.reason = 1;                          /* reason code 1: unspecified reason */
         /* socket: the PF_PACKET raw socket opened on the Air-Jack interface */
         send(socket, &frame, sizeof(frame), 0);
     }

Attack Scenarios – WLAN-Jack
  Denial of Service – de-authentication
    Use the MAC address of the access point
    Send deauthenticate frames
      Send continuously
      Send to the broadcast address or a specific MAC
    Users are unable to reassociate with the AP
  Air-Jack + WLAN-Jack

Attack Scenarios – WLAN-Jack
  Screenshot slides (images not included in the extracted text):
    Airopeek Trace (two slides)
    Decode of Deauthentication Frame
    "This is your connection" / "This is your connection on WLAN-Jack."

Attack Scenarios – ESSID-Jack
  Is the ESSID a shared secret?
  If I mask the ESSID from the AP beacons, will unauthorized users be unable to associate with my AP?
  Discover a masked ESSID
    Send a deauthenticate frame to the broadcast address.
    Obtain the ESSID contained in the client probe request or AP probe response.

Attack Scenarios – ESSID-Jack
  Screenshot slides (images not included in the extracted text):
    Airopeek Trace (two slides)

Attack Scenarios – Monkey-Jack
  MITM attack
    Taking over connections at layers 1 and 2
    Insert the attack machine between the victim and the access point
  Management frames
    Deauthenticate the victim from the real AP
      Send deauthenticate frames to the victim using the access point's MAC address as the source

Attack Scenarios – Monkey-Jack
  Victim's 802.11 card scans channels to search for a new AP
  Victim's 802.11 card associates with the fake AP on the attack machine
    Fake AP is on a different channel than the real one
    Attack machine's fake AP duplicates the MAC address and ESSID of the real AP

Attack Scenarios – Monkey-Jack
  Attack machine associates with the real AP
    Attack machine duplicates the MAC address of the victim's machine.
  Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper level protocols

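The Management Frames, WLAN-Jack and Monkey-Jack slides all depend on frames the attacker must put on the air, so a defender listening in monitor mode (the "Wireless IDS and Monitoring" item among the mitigation strategies) can see them. The following Python is an added example, not code from the talk or from the Air-Jack tools: it parses the 802.11 management header and the beacon's tagged elements from raw frames and alerts on a burst of deauthentications from one sender and on a BSSID that beacons on two channels. The addresses, ESSID, trace and thresholds are constructed for the example.

```python
from collections import defaultdict
# Frame control byte 0: bits 2-3 = type (0 = management), bits 4-7 = subtype.
BEACON, DEAUTH, BROADCAST = 0x8, 0xC, b"\xff" * 6

def parse_mgmt(frame):
    """Return (subtype, addr1, addr2, addr3, body); subtype is None unless it is a management frame."""
    if len(frame) < 24 or (frame[0] >> 2) & 3 != 0:
        return None, b"", b"", b"", b""
    return frame[0] >> 4, frame[4:10], frame[10:16], frame[16:22], frame[24:]

def beacon_ssid_channel(body):
    """Walk the tagged elements after the 12-byte fixed fields (timestamp, interval, capability)."""
    ssid, channel, i = "", 0, 12              # channel 0 = no DS Parameter Set element seen
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        val, i = body[i + 2:i + 2 + ln], i + 2 + ln
        if tag == 0:                          # SSID element
            ssid = val.decode("ascii", "replace")
        elif tag == 3 and ln == 1:            # DS Parameter Set element: current channel
            channel = val[0]
    return ssid, channel

def analyze(events, window=2.0, threshold=10):
    """events: (timestamp, raw frame) pairs from a monitor-mode card. Returns alert strings."""
    deauths, channels, alerts = defaultdict(list), defaultdict(set), []
    for ts, frame in events:
        subtype, dst, src, bssid, body = parse_mgmt(frame)
        if subtype == DEAUTH:                 # burst of deauths from one sender: WLAN-Jack style DoS
            deauths[src] = [t for t in deauths[src] if ts - t <= window] + [ts]
            if len(deauths[src]) == threshold:   # report once per burst
                alerts.append(f"deauth flood from {src.hex(':')} to {dst.hex(':')}")
        elif subtype == BEACON:               # one BSSID on two channels: cloned AP, Monkey-Jack style
            ssid, channel = beacon_ssid_channel(body)
            channels[bssid].add(channel)
            if len(channels[bssid]) == 2:
                alerts.append(f"BSSID {bssid.hex(':')} ({ssid}) on channels {sorted(channels[bssid])}: possible clone")
    return alerts

def mgmt_frame(subtype, dst, src, bssid, body=b""):
    # Constructed sample frame: frame control, duration, addr1-3, sequence control, body (no FCS).
    return bytes([subtype << 4, 0, 0, 0]) + dst + src + bssid + b"\0\0" + body

def demo():
    """Constructed trace: beacon on channel 6, 12 broadcast deauths from the AP address, clone beacon on 11."""
    ap = bytes.fromhex("020000aa0001")        # constructed (locally administered) AP address
    beacon = lambda ch: b"\0" * 12 + bytes([0, 7]) + b"corpnet" + bytes([3, 1, ch])
    events = [(0.0, mgmt_frame(BEACON, BROADCAST, ap, ap, beacon(6)))]
    events += [(0.1 * i, mgmt_frame(DEAUTH, BROADCAST, ap, ap, b"\x01\x00")) for i in range(1, 13)]
    return analyze(events + [(2.0, mgmt_frame(BEACON, BROADCAST, ap, ap, beacon(11)))])
```

A real deployment would feed `analyze` from a monitor-mode capture rather than the constructed trace, and would tune `window` and `threshold` to the network's normal roaming behaviour.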
Attack Scenarios – Monkey-Jack
  Diagram slides (images not included in the extracted text):
    Before Monkey-Jack
    After Monkey-Jack

Attack Scenarios – Kracker-Jack
  Dangers of wireless MITM
    Wireless networks are more vulnerable to MITM attacks than wired networks.
    Many security solutions are implemented with an assumption of a secure layer 1 and 2
    Many VPN solutions are implemented with inadequate authentication for protection against wireless MITM attacks.

Attack Scenarios – Kracker-Jack
  WAVEsec
    An open source software solution for securing wireless networks
    Uses the FreeS/WAN IPsec implementation
    Will thwart passive eavesdropping of wireless network communications.
    Implementation options
      X.509 certificates
      Secure DNS

Attack Scenarios – Kracker-Jack
  Authenticating with the WAVEsec gateway
    Client sends a modified DHCP request containing the client's public key
    WAVEsec gateway inserts the client's public key into a DNS record
    Client obtains the WAVEsec gateway's public key by requesting it from the DNS server
    IPsec tunnel setup

Attack Scenarios – Kracker-Jack
  Using Kracker-Jack
    KJ inserts itself at the 802.11 layer (like Monkey-Jack)
    KJ, using a DNS request, gets the victim's public key from the DNS server
    KJ, using the victim's MAC address, sends a DHCP request with its own key to replace the victim's key in the DNS server

Attack Scenarios – Kracker-Jack
    KJ initiates an ISAKMP main mode SA with the WAVEsec server
    KJ initiates an ISAKMP main mode SA with the victim
    Victim gets the new server key by a DNS request serviced by KJ
    Two separate IPsec tunnels are now set up
    All traffic passes through KJ unencrypted

Attack Scenarios – Kracker-Jack
  (diagram slide; image not included in the extracted text)

Attack Scenarios – Kracker-Jack
  IKE – ISAKMP/Oakley
    Phase 1
      Messages 1 and 2 – negotiate characteristics of the security association; no authentication
      Messages 3 and 4 – exchange random values (nonces) and execute a Diffie-Hellman exchange to establish a master key (SKEYID); no authentication
      Messages 5 and 6 – exchange information for mutually authenticating the parties: identity payload, signature payload, and OPTIONAL certificate payload

Attack Scenarios – Kracker-Jack
  IKE – ISAKMP/Oakley
    Phase 2 – Oakley Quick Mode
      Define security associations
      Define keys used to protect IP datagrams

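The Kracker-Jack steps succeed because the WAVEsec gateway binds a public key to a hardware address on the strength of an unauthenticated DHCP request, and the victim learns the gateway's key from a DNS answer the attacker can serve; the signature exchanged in IKE messages 5 and 6 is then only as trustworthy as the key it is checked against. The following Python model is added here and is not WAVEsec, FreeS/WAN or Kracker-Jack code: it contrasts that key registry with one that requires an enrollment secret provisioned out of band (an HMAC stands in for the certificate or signature based client authentication the talk recommends) and adds a client that pins the gateway key's fingerprint. All addresses, keys and secrets are constructed.

```python
import hmac
import os
from hashlib import sha256

class KeyDirectory:
    """Toy model of the DNS record in which the WAVEsec gateway publishes client public keys."""
    def __init__(self, enrollment_secrets):
        self.records = {}                     # hardware address -> public key (opaque bytes here)
        self.secrets = enrollment_secrets     # hardware address -> secret provisioned out of band
        self.seen_nonces = set()

    def register_unauthenticated(self, hwaddr, pubkey):
        """As the talk describes: a DHCP request carrying a key is trusted on the hardware address alone."""
        self.records[hwaddr] = pubkey
        return True

    def register_authenticated(self, hwaddr, pubkey, nonce, tag):
        """Hardened: the request must carry HMAC(secret, hwaddr|pubkey|nonce); a spoofed address is not enough."""
        secret = self.secrets.get(hwaddr)
        if secret is None or nonce in self.seen_nonces:      # unknown client, or a replayed request
            return False
        if not hmac.compare_digest(registration_tag(secret, hwaddr, pubkey, nonce), tag):
            return False
        self.seen_nonces.add(nonce)
        self.records[hwaddr] = pubkey
        return True

def registration_tag(secret, hwaddr, pubkey, nonce):
    return hmac.new(secret, hwaddr + pubkey + nonce, sha256).digest()

def fingerprint(pubkey):
    return sha256(pubkey).digest()

def gateway_key_trusted(dns_answer, pinned):
    """Client side: accept a gateway key learned via DNS only if it matches a fingerprint provisioned out of band."""
    return hmac.compare_digest(fingerprint(dns_answer), pinned)

def demo():
    """Replays the key replacement step against both registries; returns (weak_replaced, hardened_replaced)."""
    victim, secret = b"\x02\x00\x00\xaa\x00\x02", os.urandom(32)       # constructed address and secret
    victim_key, attacker_key = os.urandom(32), os.urandom(32)          # stand-ins for public keys
    weak = KeyDirectory({})
    weak.register_unauthenticated(victim, victim_key)
    weak.register_unauthenticated(victim, attacker_key)                # sent with the victim's address
    hard = KeyDirectory({victim: secret})
    nonce = os.urandom(16)
    hard.register_authenticated(victim, victim_key, nonce, registration_tag(secret, victim, victim_key, nonce))
    hard.register_authenticated(victim, attacker_key, os.urandom(16), os.urandom(32))   # forged tag
    return weak.records[victim] == attacker_key, hard.records[victim] == attacker_key
```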
Attack Scenarios
  Shared key authentication attack
    Observe the plaintext challenge
    Observe the ciphertext response
    XOR plaintext with ciphertext to get the key stream
    XOR an IP packet with the key stream, re-using the IV
    Broadcast ping

Mitigation Strategies
  Big guy with a stick
  Wireless IDS and monitoring
    AirDefense http://www.airdefense.net
  VPN + strong mutual authentication
  RF signal shaping – avoiding signal leaks
    Antennas with directional radiation pattern
    Lower access point power

Summary
  Wireless networks are more susceptible to active attacks than wired networks
  Enable all built-in security capabilities
  Use VPN with strong mutual authentication
  Monitor the wireless network medium (air space) for suspicious activity
  Updates – Black Hat web site or http://802.11ninja.net

Advanced 802.11 Attack
Robert Baird
&
Mike Lynn