Nibin - Reverse Engineering for exploit writers - ClubHack2008
Sheetal - Wirelesss Hacking - ClubHack2008
-
Upload
clubhack -
Category
Technology
-
view
2.250 -
download
2
Transcript of Sheetal - Wirelesss Hacking - ClubHack2008
![Page 1: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/1.jpg)
© ClubHack http://clubhack.com
Wireless Security Workshop
Rohit Srivastwa
Sheetal Joseph7th December 2008
![Page 2: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/2.jpg)
2© ClubHack http://clubhack.com
Roadmap
Wireless Overview
Wireless Security Standards
Exploiting Wireless Vulnerabilities
Wireless Best Practices
2
![Page 3: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/3.jpg)
3© ClubHack http://clubhack.com
Wireless - The World of Convenience!
User mobility
Reduced cost
Flexibility and convenience
Increase the productivity
Wireless devices use Radio Frequency (RF) technology to facilitate communication.
3
![Page 4: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/4.jpg)
4© ClubHack http://clubhack.com
Wireless Standards802.11b – Transmits at 2.4 GHz, sends data up to 11 Mbps using direct sequence spread spectrum modulation. 100 -150 feet range
802.11a – Transmits at 5 GHz and send data up to 54 Mbps using orthogonal frequency division multiplexing (OFDM). 50-75 feet range. Not interoperable is 802.11b.
802.11g – Combines features of both standards (a,b), 2.4 GHz frequency, 54 Mbps Speed, 100-150 feet range and is interoperable with 802.11b.
802.11i – Improves WEP encryption by implementing Wi-Fi Protected Access (WPA2). Data encryption with Advanced Encryption Standard (AES).
802.11n – 600 Mbps speed by adding multiple-input multiple-output (MIMO) and Channel-bonding/40 MHz operation to the physical (PHY) layer, and frame aggregation to the MAC layer. 802.11n uses WPA and WPA2 to secure the network.
4
![Page 5: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/5.jpg)
5© ClubHack http://clubhack.com
Latest Wireless HacksEmail sent before the Ahmedabad & Delhi bombings sent via a hacked wireless connection
TJX theft tops 45.6 million card numbers http://www.tjx.com/tjx_message.html
5
![Page 6: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/6.jpg)
6© ClubHack http://clubhack.com
Types of AttacksIdentity theft (MAC spoofing) - Cracker is able to listen in on network traffic and identify the MAC address of a computer and attack after spoofing the same
Man-in-the-middle attacks - Cracker entices clients to log into a computer set up as an AP Once this is done, the hacker connects to a real AP through another wireless card offering a steady flow of traffic.
Denial of service - Cracker continually bombards a targeted AP with bogus requests, premature successful connection messages, failure messages, and/or other commands.
6
![Page 7: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/7.jpg)
7© ClubHack http://clubhack.com
Wireless Security Goals
Access Control - Ensure that your wireless infrastructure is not mis-used. This calls for Efficient Key Management
Data Integrity - Ensure that your data packets are not modified in transit.
Confidentiality - Ensure that the contents of your wireless traffic is not learned. Proper Encryption mechanisms need to be implemented.
![Page 8: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/8.jpg)
8© ClubHack http://clubhack.com
Wireless Security Standards
![Page 9: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/9.jpg)
9© ClubHack http://clubhack.com
Description of WEP ProtocolWEP relies on a shared secret key (64 bit/128 bit) which is shared between the sender (Mobile Station) and the receiver (Access Point).
Secret Key - to encrypt packets before they are transmitted
Integrity Check - to ensure packets are not modified in transit.
The standard does not discuss how shared key is established. In practice, most installations use a single key which is shared between all mobile stations and access points. 9
![Page 10: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/10.jpg)
© ClubHack http://clubhack.com
CHAP Authentication
Supplicant Authenticator
username
challenge
response
Accept/reject
![Page 11: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/11.jpg)
© ClubHack http://clubhack.com
How WEP works
IV
RC4key
IV encrypted packet
original unencrypted packet checksum
![Page 12: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/12.jpg)
12© ClubHack http://clubhack.com
Deficiencies of WEP IV is too short and not protected from reuse.
The per packet key is constructed from the IV, making it susceptible to weak key attacks.
No effective detection of message tampering (message integrity).
No built-in provision to update the keys in all wireless clients connected to the access point.
No protection against message replay.
12
![Page 13: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/13.jpg)
© ClubHack http://clubhack.com
WEP Cracking Demo
![Page 14: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/14.jpg)
14© ClubHack http://clubhack.com
Radius: An additional layer in security
![Page 15: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/15.jpg)
© ClubHack http://clubhack.com
802.1xPort-based access control
Mutual authentication via authentication server
3. Issue challenge
5. Validate response
2. Limit access to authentication server
6. Allow access to network
1. Request access
4. Answer challenge
7. Use other Network devices
TimeSupplicant
Authenticator
Authenticator server
Client inaccessible network devices
![Page 16: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/16.jpg)
16© ClubHack http://clubhack.com
Wi-Fi Protected Access (WPA)IEEE 802.1X authentication server- LEAP, EAP/TLS, PEAP or PSK (Pre-Shared Key)
RC4 stream cipher, with a 128-bit key and a 48-bit initialization vector (IV).
Temporal Key Integrity Protocol (TKIP)
Message Integrity Code (MIC) Michael to ensure data Integrity
16
![Page 17: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/17.jpg)
17© ClubHack http://clubhack.com
WPA – PSKA pass phrase (shared secret key) is used.
Pre-Shared Key is generated by combining the Service Set Identifier (SSID) with a passphrase (an ASCII string, 8-63 characters.)
A passphrase less than 64 characters can be insecure
Management is handled on the AP - Vulnerable to dictionary attacks
17
![Page 18: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/18.jpg)
18© ClubHack http://clubhack.com
Temporal Key Integrity ProtocolFixes flaws of key reuse in WEP - Comprised of 3 parts, guarantees clients different keys– - 128-bit temporal key, shared by clients and APs– - MAC of client– - 48-bit IV describes packet sequence number
Increments the value of the IV to ensure every frame has a different value
Changes temporal keys every 10,000 packets
Uses RC4 like WEP, only firmware upgrade required
18
![Page 19: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/19.jpg)
19© ClubHack http://clubhack.com
Michael Message Integrity CheckMessage Integrity Code (MIC) - 64-bit message calculated using “Michael” algorithm inserted in TKIP packet to detect content alteration
Message is concatenated with the secret key and the result is hashed
Protects both data and header
Implements a frame counter, which discourages replay attacks
19
![Page 20: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/20.jpg)
20© ClubHack http://clubhack.com
WPA Summary
Confidentiality: Per-packet keying via TKIP
Message Authenticity: Michael algorithm
Access Control and Authentication: IEEE 802.1x -EAP/TLS
20
![Page 21: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/21.jpg)
21© ClubHack http://clubhack.com
Deficiencies of WPADictionary Attack on WPA-PSK - The weak pass-phrases users typically employ are vulnerable to dictionary attacks.
DoS Attacks - Due to inevitable weaknesses of Michael, the network is forced to shut down for one minute if two frames are discovered that fail the Michael check.
TKIP Attack - An attacker sniffs a packet, makes minor modifications to affect the checksum, and checks the results by sending the packet back to the access point.
21
![Page 22: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/22.jpg)
© ClubHack http://clubhack.com
WPA–PSK Hacking Demo
![Page 23: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/23.jpg)
23© ClubHack http://clubhack.com
WPA2 – 802.11i
802.1x / PSK for authentication.
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) to provide confidentiality, integrity and origin authentication.
AES replaces RC4 w/TKIP
23
![Page 24: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/24.jpg)
© ClubHack http://clubhack.com
A Comparison
WEP WPA WPA2
Cipher RC4 RC4 AES
Key Size 40 bits 128 bits 128 bits
Key Life 24 bit IV 48 bit IV 48 bit IV
Packet Key Concatenated Mixing Function
Not Needed
Data Integrity CRC - 32 Michael CCM
Replay Attack None IV Sequence IV Sequence
Key Management
None EAP - Based EAP - Based
![Page 26: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/26.jpg)
28© ClubHack http://clubhack.com
Locating a wireless network
We need a special holiday to honor the countless kind souls with unsecured networks named 'linksys'.
http://www.xkcd.com Strip Number: 466
![Page 27: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/27.jpg)
29© ClubHack http://clubhack.com
Locating a wireless networkNetStumbler – This Windows based tool easily finds
wireless signals being broadcast within range
29
![Page 28: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/28.jpg)
30© ClubHack http://clubhack.com
Locating a wireless network (contd)
Kismet – Kismet will detect and display SSIDs that are not being broadcast which is very critical in finding wireless networks.
30
![Page 29: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/29.jpg)
31© ClubHack http://clubhack.com
Capturing the Wireless Network•If the wireless network is using authentication and/or encryption, you may need one of the following tools.
Airodump-ng - packet capture program, collects authentication handshake
Aireplay-ng - de-authenticator /packet injection program
31
![Page 30: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/30.jpg)
32© ClubHack http://clubhack.com
Attacking to the Wireless Network
CowPatty – Brute force tool for cracking WPA-PSK.
Aircrack-ng - To crack PSK using authentication handshake
32
![Page 31: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/31.jpg)
33© ClubHack http://clubhack.com
Sniffing Wireless DataWireshark – Ethereal can scan wireless and Ethernet data and comes with some robust filtering capabilities. It can also be used to sniff-out 802.11 management beacons and probes and subsequently could be used as a tool to sniff-out non-broadcast SSIDs.
33
![Page 32: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/32.jpg)
34
Steps to achieve security for home users
• • Open the configuration of your wi-fi device• • Go to wireless setting• • Under security option, select any one (whichever available)
» – WPA» – WPA - PSK» – WPA - Personal» – WPA - AES» – WPA2 - Personal» – WPA2 - PSK
• • Set a complex password• • Change the login password of the wireless router.• • Change the SSID to something classy• • Don't disable SSID broadcast• • Done
![Page 33: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/33.jpg)
35
Example : Linksys
![Page 34: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/34.jpg)
36
Example : Netgear
![Page 35: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/35.jpg)
37
Example : Dlink
![Page 36: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/36.jpg)
38
Example : ZyXEL
![Page 37: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/37.jpg)
39
Further Advised• Change the router login password frequently
– Atleast once a month
• Change the wireless WPA password also– Atleast once a month
• Avoid temptation to connect to open wireless just looking for free internet.
![Page 38: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/38.jpg)
40© ClubHack http://clubhack.com
Securing Enterprise Networks1. Define, monitor and enforce a wireless security policy– Policy should cover all 802.11 and Bluetooth wireless
devices– Define wireless policies for mobile workers– Ensure wireless devices are not used until they comply with
the wireless security policy
2. Take a complete inventory of all Access Points and 802.11 devices in the airwaves– Eliminate rogue Access Points and unauthorized user
Stations.
40
![Page 39: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/39.jpg)
41© ClubHack http://clubhack.com
Securing Enterprise Networks (Contd)
3. Define secure configurations for Access Points and user Stations– Change default setting– Disable SSID broadcast– Turn-off “ad-hoc” mode operation
4. Define acceptable encryption and authentication protocols– Use strong authentication (802.1x with EAP recommended)– Use strong encryption with at least 128-bit keys (WPA2, WPA
recommended)– Deploy a layer-3 Virtual Private Network (VPN) for wireless
communication
41
![Page 40: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/40.jpg)
42© ClubHack http://clubhack.com
Securing Enterprise Networks (Contd)
5. Monitor the airwaves to identify suspicious activity– Deploy a Wireless Intrusion Detection System (IDS) to
identify threats and attacks– Detect and terminate unauthorized associations in a timely
manner– Monitor wireless assets for policy violations– Log, analyze, and resolve incidents in a timely manner– Gather and store wireless activity information for forensic
analysis
42
![Page 41: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/41.jpg)
© ClubHack http://clubhack.com
References
Aircrack-ngAirtight Networks BackTrack 3Understanding WPA TKIP crackPractical attacks against WEP and WPABest Practices for Wireless Network Security and Sarbanes-Oxley compliance – Joshua WrightiPig Encryption SoftwareWikipedia!
![Page 42: Sheetal - Wirelesss Hacking - ClubHack2008](https://reader035.fdocuments.us/reader035/viewer/2022062513/55657791d8b42a7b518b5372/html5/thumbnails/42.jpg)
44
Q & 42 ?
:-?