Hands-on with wifi security v2 - OWASP
Hands-on with wifi security
OWASP Göteborg Security Tapas
2015-10-20
Anders Rosdahl
#whoami
Average security enthusiast
No bleeding edge research, no wall of fames, no CVEs
Actually, this is me...
@rosdahl
Agenda
Wifi overview
Authentication and encryption
Attacks
Defence
Demo/lab
Wifi overview
• Access points continuously send beacons to announce themselves
• Clients continuously probe for access points
• Authentication
• Association
Bands, channels and frequencies

| 802.11 | Release year | Frequency (GHz) | Max data transfer rate (Mbit/s) | Bandwidth (MHz) |
|---|---|---|---|---|
| a | 1999 | 5/(3.7) | 54 | 20 |
| b | 1999 | 2.4 | 11 | 22 |
| g | 2003 | 2.4 | 54 | 20 |
| n | 2009 | 2.4/5 | 72/150 (per MIMO stream) | 20/40 |
| ac | 2013 | 5 | 96/200/433/866 (per MIMO stream) | 20/40/80/160 |

there’s more...
Wireless Modes
Each wireless device/interface can be in one of the following modes. Definitions vary.
• Station – also referred to as Client mode or Managed mode
• Master – also referred to as Access Point or Infrastructure mode
• Ad hoc – for mesh wifi networks
• Monitor – also referred to as RFMON (Radio Frequency MONitor). Used to silently listen to wifi traffic. An interface in this mode can capture traffic without connecting to any network.
Not all combinations of wifi cards/drivers/OS support all modes.
Authentication and encryption
WEP
• Based on the RC4 stream cipher, which is effectively broken
WPA/WPA2
• WPA – intermediate solution while waiting for WPA2, which would fix all that was broken with WEP. Designed by cryptographers.
• PSK or asymmetric key pairs/certificates
• TKIP-RC4 (WPA) / CCMP-AES (WPA2)
WPS
• Provides WPA/WPA2 password to client requiring only a PIN code
• Two modes:
  • Push-Button-Connect
  • 4/8 digit PIN code
Attacks
WPA/WPA2
1. Deauthenticate connected client(s) with traffic injection
2. Capture re-authentication handshake
3. Offline word-list or rule-based brute force attack on recorded handshake
WPS
Brute force WPS PIN. In 2012 several deficiencies in WPS were disclosed. E.g. only max 11k vs 10M tries is needed since AP acks/nacks first 4 digits. WPS backoff/timeout prevents brute forcing. Was not ubiquitous in 2012.
WEP
RC4... Offline brute force attack similar to WPA above
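A defender-side view of step 1 of the WPA/WPA2 attack above, as an added example that is not from the original slides: flagging bursts of deauthentication frames per BSSID. The frame records are constructed, and the window and threshold are assumed starting values.

```python
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 12  # 802.11 management frame subtype: deauthentication
BEACON_SUBTYPE = 8   # 802.11 management frame subtype: beacon

# Constructed sample records: (seconds, mgmt subtype, BSSID, destination MAC).
FRAMES = [
    (0.0, BEACON_SUBTYPE, "02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff"),
    (1.2, DEAUTH_SUBTYPE, "02:00:00:00:00:01", "02:00:00:00:00:aa"),  # lone deauth
]
# Ten deauths in one second against one client of a second (constructed) BSSID.
FRAMES += [(10.0 + i / 10, DEAUTH_SUBTYPE, "02:00:00:00:00:02", "02:00:00:00:00:bb")
           for i in range(10)]


def deauth_bursts(frames, window=2.0, threshold=5):
    """Map BSSID -> peak deauth count seen in any `window` seconds, if >= threshold.

    window and threshold are assumed starting values, to be tuned per site.
    """
    recent = defaultdict(deque)   # BSSID -> timestamps still inside the window
    peaks = defaultdict(int)
    for ts, subtype, bssid, _dst in sorted(frames):
        if subtype != DEAUTH_SUBTYPE:
            continue
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        peaks[bssid] = max(peaks[bssid], len(q))
    return {b: n for b, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    for bssid, count in deauth_bursts(FRAMES).items():
        print(f"possible deauth flood on {bssid}: peak of {count} frames in window")
```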
Defence – hot security tips for hotspots
• Use long and strong WPA2 passwords!
• Disable WPS on your router
• Don’t use WEP – obviously...
• Use VPN when connected to public access points – anyone can listen
• Be careful about auto-connect features of devices to avoid connecting to rogue access points
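Why the first tip matters, as an added example that is not from the original slides: WPA/WPA2-PSK derives its master key from the passphrase with PBKDF2-HMAC-SHA1, so the only thing standing between a recorded handshake and the key is the size of the passphrase space. The guess rate and the example passphrase policies are assumptions chosen for illustration.

```python
import hashlib
import math


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes.

    The SSID is the salt, so a common default SSID lets work be reused across networks.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase of the given shape."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase of the given shape."""
    return alphabet_size ** length / guesses_per_second


GUESS_RATE = 1_000_000  # assumed offline guesses per second, for illustration only

# Assumed example policies: (label, length, alphabet size).
POLICIES = [
    ("8 digits", 8, 10),
    ("8 lowercase letters", 8, 26),
    ("12 mixed case + digits", 12, 62),
    ("20 lowercase letters", 20, 26),
]

if __name__ == "__main__":
    print("PMK for constructed input:", wpa2_pmk("password", "IEEE").hex())
    year = 365 * 24 * 3600
    for label, length, alphabet in POLICIES:
        secs = seconds_to_exhaust(length, alphabet, GUESS_RATE)
        print(f"{label:24s} {entropy_bits(length, alphabet):6.1f} bits  "
              f"{secs:.3g} s  ({secs / year:.3g} years)")
```

Real passphrases chosen by people are far less random than these uniform estimates, which is why word-list and rule-based guessing works against short or common ones.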
Demo/lab
Alfa cards for loan!