802.11 Security & Pen Tes4ng Constan'nosKolias

GeorgeMasonUniversitykkolias@gmu.edu

Wireless Communica4ons: Advantages & Disadvantages • Makescommunica'onpossiblewherecablesdon’treach• Convenience• BUT

•  Theairmediumisopentoeveryone•  Theboundariesofatransmissioncannotbeconfined

WiFi

•  CommercialnameoftheprotocolIEEE802.11•  Itisoneofthemostubiquitouswirelessnetworks

•  HomeNetworks•  EnterpriseNetworks

•  Communica'onisbasedonframes•  Essen'allyissequenceofbits

•  802.11definesthemeaning•  Vendorsimplementtheprotocol

•  2.4GhzIndustrialScien'ficMedical(ISM)and5Ghz•  Rangedependsontransmissionpower,antennatype,thecountry,andtheenvironment•  Typical100V

Channels

•  Theequipmentcanbesetinonlyonechannelata'me•  Eachcountryhasitsownrules

•  Allowedbandwidth•  Allowedpowerlevels

•  Strongersignalispreferred

Deployment Architectures

Infrastructure P2P/Ad-hoc

802.11 Header Structure

Frame Types

• Management•  Ini'aliza'on,maintainandfinaliza'on

• Control•  Managementofthedataexchange

• Data•  Encapsula'onofinforma'on

•  hZp://www.willhackforsushi.com/papers/80211_Pocket_Reference_Guide.pdf

802.11 Security Modes: Open Access

• OpenAccess•  Noprotec'on(whitelists)

802.11 Security Modes: WEP

• BasedonRC4Encryp'on• Broken

802.11 Security Modes: WPA/WPA2

• BasedonAES• Muchmoresecure• Currentstandard

Lab Setup

•  Externalcard•  AlphaAWUS036H•  Providesstrongersignal

• AP• WNDR3700• WNR1000•  LinksysWRT54GL

• OS•  KaliLinuxonVM•  SoVwarepen-tes'ngtools

Deauthentication Frames

• Deauthentication frame is a management frame •  Unencrypted •  Can easily be spoofed

• Demands all or a specific client to drop to unauthendicated/unassociated state •  It is not a request it must be accepted •  The client will attempt to reconnect again •  The attacker will repeat the process

•  For a complete survey of 802.11 DoS attacks refer to [2]

Deauthentication Attack in Practice •  MostbasicDoSaZack•  Cantargetspecificclients

•  Moreefficient•  Morestealthy

•  Canbebroadcast•  Moremassiveeffect

•  Cannotbeavoided•  DecidetheMACofvic'm

•  airmon-ng<interface>

•  TransmitDeauthen'ca'onFrames•  aireplay-ng-0<quantity>-a<APMAC

Address><interface>

•  Task:Deauthen-cateaspecificclientfromtheavic-mAP

Beacon Frames

• Adver'sethepresenceofanAPinthearea•  TransmiZedeveryintervalbytheAP•  TheycontainimportantdetailsabouttheAP

•  Nameofthenetwork(ESSID)•  Securitycapabili'es

• Beaconsaremanagementframes•  Noprotec'on•  Onecanforge(capture,copy,alter,transmit)suchframeseasily

• ByforgingBeaconswitharealESSIDbutfakeBSSID,mayevenresulttoDoS[3]

Evil Twin

•  FakeAPwiththesameESSIDandMACasthevic'mAP•  Usuallyopen

• Channelallthetrafficofclientsthroughit•  AZackerwillactasman-in-the-middle•  Monitortraffic•  Injectpackets

• MostmodernOSwillwarnusers

Evil Twin in Practice •  DeduceMACaddressofvic'mAP

•  airodump-ng<wirelessinterface>•  Increasethepowerofyourcard

•  ifconfig<interface>down•  iwregset<regioncode>•  ifconfig<interface>up•  iwregget

•  SetupfakeAP•  airbase-ng-a<APMAC>--essid<Nameofnetwork>-c<channelnumber><wirelessinterface>

•  DisconnectallusersfromvalidAP•  aireplay-ng-0<quantity>-a<APMAC><wirelessinterface>

•  Monitortraffic•  wireshark&

•  QUESTION:whynotsetregiontoUSA?