802.11 Security & Pen Tes4ng - Wayne State University
Transcript of 802.11 Security & Pen Tes4ng - Wayne State University
802.11 Security & Pen Tes4ng Constan'nosKolias
Wireless Communica4ons: Advantages & Disadvantages • Makescommunica'onpossiblewherecablesdon’treach• Convenience• BUT
• Theairmediumisopentoeveryone• Theboundariesofatransmissioncannotbeconfined
WiFi
• CommercialnameoftheprotocolIEEE802.11• Itisoneofthemostubiquitouswirelessnetworks
• HomeNetworks• EnterpriseNetworks
• Communica'onisbasedonframes• Essen'allyissequenceofbits
• 802.11definesthemeaning• Vendorsimplementtheprotocol
• 2.4GhzIndustrialScien'ficMedical(ISM)and5Ghz• Rangedependsontransmissionpower,antennatype,thecountry,andtheenvironment• Typical100V
Channels
• Theequipmentcanbesetinonlyonechannelata'me• Eachcountryhasitsownrules
• Allowedbandwidth• Allowedpowerlevels
• Strongersignalispreferred
Deployment Architectures
Infrastructure P2P/Ad-hoc
802.11 Header Structure
Frame Types
• Management• Ini'aliza'on,maintainandfinaliza'on
• Control• Managementofthedataexchange
• Data• Encapsula'onofinforma'on
• hZp://www.willhackforsushi.com/papers/80211_Pocket_Reference_Guide.pdf
802.11 Security Modes: Open Access
• OpenAccess• Noprotec'on(whitelists)
802.11 Security Modes: WEP
• BasedonRC4Encryp'on• Broken
802.11 Security Modes: WPA/WPA2
• BasedonAES• Muchmoresecure• Currentstandard
Lab Setup
• Externalcard• AlphaAWUS036H• Providesstrongersignal
• AP• WNDR3700• WNR1000• LinksysWRT54GL
• OS• KaliLinuxonVM• SoVwarepen-tes'ngtools
Deauthentication Frames
• Deauthentication frame is a management frame • Unencrypted • Can easily be spoofed
• Demands all or a specific client to drop to unauthendicated/unassociated state • It is not a request it must be accepted • The client will attempt to reconnect again • The attacker will repeat the process
• For a complete survey of 802.11 DoS attacks refer to [2]
Deauthentication Attack in Practice • MostbasicDoSaZack• Cantargetspecificclients
• Moreefficient• Morestealthy
• Canbebroadcast• Moremassiveeffect
• Cannotbeavoided• DecidetheMACofvic'm
• airmon-ng<interface>
• TransmitDeauthen'ca'onFrames• aireplay-ng-0<quantity>-a<APMAC
Address><interface>
• Task:Deauthen-cateaspecificclientfromtheavic-mAP
Beacon Frames
• Adver'sethepresenceofanAPinthearea• TransmiZedeveryintervalbytheAP• TheycontainimportantdetailsabouttheAP
• Nameofthenetwork(ESSID)• Securitycapabili'es
• Beaconsaremanagementframes• Noprotec'on• Onecanforge(capture,copy,alter,transmit)suchframeseasily
• ByforgingBeaconswitharealESSIDbutfakeBSSID,mayevenresulttoDoS[3]
Evil Twin
• FakeAPwiththesameESSIDandMACasthevic'mAP• Usuallyopen
• Channelallthetrafficofclientsthroughit• AZackerwillactasman-in-the-middle• Monitortraffic• Injectpackets
• MostmodernOSwillwarnusers
Evil Twin in Practice • DeduceMACaddressofvic'mAP
• airodump-ng<wirelessinterface>• Increasethepowerofyourcard
• ifconfig<interface>down• iwregset<regioncode>• ifconfig<interface>up• iwregget
• SetupfakeAP• airbase-ng-a<APMAC>--essid<Nameofnetwork>-c<channelnumber><wirelessinterface>
• DisconnectallusersfromvalidAP• aireplay-ng-0<quantity>-a<APMAC><wirelessinterface>
• Monitortraffic• wireshark&
• QUESTION:whynotsetregiontoUSA?