Wireless LAN Pen-Testing Part I - sbg (transcript of a PDF slide deck)
Part I
To know your Enemy, you must become your Enemy
(Sun Tzu, 600 BC)
Georg Penn, 23.03.2012
Wireless LAN Pen-Testing
Motivation
Read manuals, documentation, standards … Check sources for their reliability, though!
Tools are there to assist you, not to cripple your thinking – the only limit is your imagination
Don't be limited by your imagination
Creativity, curiosity and patience are as important as knowledge
Exercise on a regular basis (at least 5 hrs/week)
Presentation Conventions
Terminal commands will be mono-space blue: echo “foo” > bar
Unless stated otherwise:
We will use wlan0 as the name of the original interface and mon0 as the monitor-mode interface
The target Access Point will be called “WirelessLab” and be configured to Channel 11
Why WLAN Security?
Integrated in lots of devices: Laptops, Mobile Phones, Embedded Devices ...
Connects to the Internet
How do you protect something you cannot see?
Extends beyond boundary walls
Difficult to locate the attacker
Passive attacks can be done from miles away
WLAN Security – Setup
Wireless Card: ALFA AWUS036H (USB)
Allows for packet sniffing
Allows for packet injection
Well integrated into Backtrack 5
Not too expensive (check out Amazon)
Tools: Mainly the Aircrack-ng suite, Wireshark and some others
OS: Backtrack 5, as all tools are already installed on it
Wireless Sniffing – Basics
Wireless sniffing concepts are similar to the ones for the wired world
In the wired world we have “promiscuous” mode
In the wireless world we have a concept called “monitor” mode
We can use Airmon-ng to put our card into monitor mode, e.g. airmon-ng start wlan0
Lab-1.1: Simple Sniffing
Check if other processes (e.g. dhclient3, etc.) interfere with Airmon-ng: airmon-ng check
Kill them if necessary: airmon-ng check kill
Put the card into monitor mode (e.g. on wlan0) → this actually creates a monitor-mode interface: airmon-ng start wlan0
Start Wireshark on the monitor-mode interface created by Airmon-ng (e.g. mon0) to sniff traffic
Basic Service Set (BSS)
A set of stations associated with a local or enterprise Wireless LAN
Station (STA): Any device that contains an IEEE 802.11-conformant medium access control (MAC) and physical layer (PHY) interface to the wireless medium (WM)
BSSs come in two flavors:
Independent BSS (IBSS)
Infrastructure BSS (never called an IBSS)
Basic Service Set (cont'd)
IBSS is also referred to as an ad-hoc network
We are only dealing with Infrastructure BSS
BSSID
Identifies different wireless LANs in the same area
In infrastructure networks, the BSSID is the MAC address of the Access Point
In an IBSS (ad-hoc-network) the BSSID is randomly generated by the STA (client) that creates the network
Distribution System (DS)
A system used to interconnect a set of basic service sets (BSSs) and integrated local area networks (LANs) to create an extended service set (ESS)
Extended Service Set (ESS)
A set of one or more interconnected BSSs that appears as a single BSS to the logical link control (LLC) layer at any station (STA) associated with one of those BSSs
Frequency Ranges
Wireless can operate in 3 different frequency ranges:
2.4 GHz – 802.11b/g/n (we will only cover 2.4 GHz)
3.6 GHz – 802.11y
4.9/5.0 GHz – 802.11a/h/j/n
Each of these ranges is divided into a multitude of channels
Countries apply their own regulations to both the allowable channels and the maximum power levels within these frequency ranges
2.4 GHz Wireless Channels
Wireless Channels (cont'd)
However, wireless cards with a single radio can only be on one channel at a given time!!! Hence, we cannot sniff on all channels and bands at the same time
The best we can do is time-division multiplexing (channel hopping)
The bands we can operate on depend on our hardware capability (wifi card)
ALFA AWUS036H supports 802.11b/g
Country regulations can simply be overcome, but this could be illegal!
Lab-1.2: Channels
We can bind the card to a specific channel: iwconfig wlan0 channel 11
Make our card hop channels (this assumes we already have a monitor-mode interface mon0): airodump-ng mon0
By default Airodump-ng hops on 2.4 GHz channels, but the frequency band can also be set: airodump-ng --band bg mon0
Check the manuals for further options
Wireless LAN Frames
3 Types of frames:
Management (0x00 → 00)
Control (0x01 → 01)
Data (0x02 → 10)
Each of these types also has several defined Subtypes
For more details see the IEEE Specification: http://standards.ieee.org/about/get/802/802.11.html
Types And Subtypes
Types And Subtypes (cont'd)
Know Your Access Point (AP)
The AP is configured with a Service Set Identifier (SSID)
The SSID indicates the identity of an ESS or IBSS (simply put: the name of the AP or of a network consisting of multiple APs)
The AP periodically sends out broadcast frames (Beacon Frames) to announce its presence
Clients use these frames to show a list of available wireless networks
Beacon Frames (0x08)
Are management frames with Type 0x00 and Subtype 0x08
Beacon Frames are used by the AP:
To broadcast its SSID
To announce its capabilities (e.g. Supported Rates)
To indicate the channel the AP currently resides on
Beacon Frames are always transmitted in plaintext
Hence anyone can create and transmit Beacon Frames (card has to support injection)!
Lab-1.3: Beacon Frames
Create a monitor mode interface
Use Wireshark to capture traffic on the monitor mode interface
Find a Beacon Frame
What's the SSID of the AP which sent this frame?
What are the capabilities of the AP?
Which channel is the AP currently configured to?
What else can we find out (poke around)?
Probe Request / Response
Once we bring up a client's wireless interface it broadcasts Probe Requests to see which APs (networks) are available; this is sometimes called a Null Probe Request
The client can also send Probe Requests for a specific SSID (e.g. if the client is configured for this specific AP)
Any AP in range replies with a Probe Response which contains e.g. the AP's SSID and channel
Authentication Phase (OPN)
Once a client connects to an open (not encrypted) AP or network the authentication process takes place:
Client sends an authentication request (SEQ: 1)
Server (the AP) sends an authentication response (SEQ: 2)
As we are dealing with an open network, no key exchange whatsoever is taking place
After successful authentication the association phase begins
Association Phase
First the client sends an association request where the client tells the AP its capabilities (we will not go into details here)
And if the AP is satisfied it sends back an association response
After the successful association phase data transfer between the client and the AP starts
Demo-1.1
We create an open-authentication based AP: SSID WirelessLab (case sensitive!), Channel 11
Connect a client to it (Smart Phone, Laptop, ...)
Collect all frames (packets) using Wireshark
We make sure our card is on the same channel
Analyze the flow and try to confirm our previously made assumptions
Summary
802.11 State Machine
Dissecting the Frame
Understanding things at the frame level is essential for advanced topics – frames don't lie!
IEEE 802.11 Frame Format
So an IEEE 802.11 Frame at least needs: Frame Control, Duration/ID, Address 1, Frame Check Sequence (CRC)
Presence of the other fields depends on Type / Subtype
Frame Control
Frame Control – Protocol Version
Protocol Version – 2 Bits
Always 0 at the moment
May change if there is a major revision which is not backward compatible anymore
Frame Control - Type
Type – 2 Bits
Management (Binary 00)
Control (Binary 01)
Data (Binary 10)
Frame Control - Subtype
Subtype – 4 Bits
Subtype could be something like: Beacon, Probe Response, Request to Send (RTS), etc.
Beacon Frame: Binary 1000 = 0x08
Refer to the IEEE Standard for details
Frame Control – To / From DS
To DS  From DS  Meaning
0      0        STA to STA in the same IBSS, Management and Control Frames (e.g. Beacon Frames)
0      1        Exiting the Distribution System (DS), e.g. the AP sends a Data Frame to a wireless client
1      0        Entering the DS, e.g. a wireless client sends a Data Frame to the AP, maybe destined for a host on the Internet
1      1        Used in a Wireless DS (WDS). Allows a wireless network to be expanded using multiple access points without the traditional wired backbone
Frame Control – Other 1 Bit Flags
More Fragments: Set if more fragments are to come; only applicable to Management and Data Frames
Retry: Set if the Frame has been retransmitted; only applicable to Management and Data Frames; helps eliminate duplicates
Frame Control – Other 1 Bit Flags (cont'd)
Power Management: Set if the STA runs in power save mode (PS mode); always set to 0 in Frames transmitted by the AP
More Data: If a STA is in PS mode, the AP queues up data; set to inform the STA that there is data available
Frame Control – Other 1 Bit Flags (cont'd)
Protected Frame: Set if the Frame Body is encrypted; applies to Data Frames and Management Frames of type Authentication
Order: Indicates that all received Frames must be processed in order
Demo-1.2
Reading raw Frame data is a bit tricky
We read 0x08 as Type and Subtype – how does this make sense?
Bit 1 and Bit 0 indicate the Protocol Version (00)
Bit 3 and Bit 2 indicate the Type (10 = Data)
Bit 7 to Bit 4 indicate the Subtype (0000 = Data)
Bit Indexes:    7 6 5 4 | 3 2 1 0
Binary Value:   0 0 0 0 | 1 0 0 0
Hex Value:         0    |    8
Challenge-1.1 – Frame Control
What kind of Frame is it (Type / Subtype)? And where is the catch?
80 10 00 00 ff ff ff ff ff ff f4 6d 04 a0 cc b1 f4 6d 04 a0 cc b1 50 18 83 e1 f8 5b 6b 00 00 00 64 00 01 04 00 0b 57 69 72 65 6c 65 73 73 4c 61 62 01 08 82 84 8b 96 24 30 48 6c 03 01 0b 05 04 00 01 00 00 2a 01 00 2f 01 00 32 04 0c 12 18 60 dd 09 00 10 18 02 00 f0 00 00 00 7c cd f1 8e
Challenge-1.1 – Solution
We are only interested in 2 Bytes: 0x80 0x10
Let's look at 0x80 in binary:
Bit Indexes:    7 6 5 4 | 3 2 | 1 0
Binary Value:   1 0 0 0 | 0 0 | 0 0
Meaning:        Subtype (0x08 Beacon) | Type (Management) | Protocol Version
Beacon Frames are sent from the AP only!
Challenge-1.1 – Solution (cont'd)
Let's look at 0x10 in binary:
Bit Index  Value  Flag
0          0      To DS
1          0      From DS
2          0      More Fragments
3          0      Retry
4          1      Power Management
5          0      More Data
6          0      Protected Frame
7          0      Order
Oops: the Pwr Mgt flag is always 0 for an AP!
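As an added example (not part of the original slides), the following Python decoder applies the bit layout above to the raw frame printed in Challenge-1.1, walks the Beacon body to recover the SSID and channel, and flags the catch: the Power Management bit set in a frame an AP supposedly sent. Stdlib only; the hex dump is the one from the challenge slide.

```python
# Added example, not from the original slides: decode the Frame Control field
# and beacon body of the raw frame from Challenge-1.1 and flag the "catch"
# (Power Management set in a frame an AP is supposed to have sent).
# Python stdlib only; the hex dump is the one printed on the slide.

CHALLENGE_FRAME = (
    "80 10 00 00 ff ff ff ff ff ff f4 6d 04 a0 cc b1 f4 6d 04 a0 cc b1 50 18 "
    "83 e1 f8 5b 6b 00 00 00 64 00 01 04 00 0b 57 69 72 65 6c 65 73 73 4c 61 62 "
    "01 08 82 84 8b 96 24 30 48 6c 03 01 0b 05 04 00 01 00 00 2a 01 00 2f 01 00 "
    "32 04 0c 12 18 60 dd 09 00 10 18 02 00 f0 00 00 00 7c cd f1 8e"
)
TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
# Flag bits of the second Frame Control byte, bit 0 first (as on the slides)
FLAG_NAMES = ["to_ds", "from_ds", "more_frag", "retry",
              "pwr_mgt", "more_data", "protected", "order"]

def mac(b):
    return ":".join("%02x" % x for x in b)

def parse_frame(hexdump):
    raw = bytes.fromhex(hexdump)
    fc0, fc1 = raw[0], raw[1]
    info = {
        "version": fc0 & 0x03,            # bits 1..0 of the first byte
        "type": (fc0 >> 2) & 0x03,        # bits 3..2
        "subtype": (fc0 >> 4) & 0x0f,     # bits 7..4
        "flags": {n: bool((fc1 >> i) & 1) for i, n in enumerate(FLAG_NAMES)},
        "addr1": mac(raw[4:10]),          # receiver / destination
        "addr2": mac(raw[10:16]),         # transmitter / source
        "addr3": mac(raw[16:22]),         # BSSID in infrastructure frames
        "seq": (raw[22] | raw[23] << 8) >> 4,  # upper 12 bits of Seq. Control
        "anomalies": [],
    }
    info["type_name"] = TYPE_NAMES.get(info["type"], "Reserved")
    if info["type"] == 0 and info["subtype"] == 0x08:    # Beacon
        body = raw[24:-4]                 # drop 24-byte MAC header and 4-byte FCS
        info["beacon_interval"] = body[8] | body[9] << 8  # after the 8-byte timestamp
        pos = 12                          # timestamp(8) + interval(2) + capability(2)
        while pos + 2 <= len(body):       # tagged parameters: ID, length, value
            tag, ln = body[pos], body[pos + 1]
            val = body[pos + 2:pos + 2 + ln]
            if tag == 0:
                info["ssid"] = val.decode("ascii", "replace")
            elif tag == 3:
                info["channel"] = val[0]  # DS Parameter Set
            pos += 2 + ln
        if info["flags"]["pwr_mgt"]:
            info["anomalies"].append("pwr_mgt set in a Beacon: APs never set it")
    return info
```

Calling parse_frame(CHALLENGE_FRAME) yields a Management/Beacon frame for SSID WirelessLab on channel 11 with exactly one anomaly reported.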
Frame Format – Addresses
Value and presence depend on Type/Subtype; typically: Source Address, Destination Address, BSSID
See the IEEE 802.11 Standard for more details
Frame Format – Seq. Control
Sequence number of the Frame
Fragment number of the Frame
In case of fragmentation the SEQ No. is the same for all fragments belonging together
Frame Body and FCS
Variable length field containing the payload: Management Frame details or actual data
Frame Check Sequence (FCS) – 32-Bit CRC calculated over all the fields of the MAC header and the Frame Body field
Other Frame Header Fields
Refer to the IEEE 802.11 Standard for: Duration / ID, Quality of Service (QoS) Control
General Advice: If you are not sure about how things work, always refer to the standards if possible! Always take a hands-on approach and try out things yourself
Beacon Frame
Announces the existence of a network (SSID)
Many APs allow for hiding the SSID
Probe Request
Mobile stations use Probe Requests to scan an area for existing 802.11 networks
A Probe Request frame contains two fields: the SSID and the rates supported by the mobile station
The mobile station must support all the data rates required by the network
Probe Response
Probe Responses are very similar to Beacons
Other Management Frames
Refer to the IEEE 802.11 Standard for: Association Request/Response, Reassociation Request/Response, Disassociation, Authentication, Deauthentication, ATIM, Action
Mission Completed
It's time to kick ass and chew bubble gum!
Lab-1.4 – Injection Test
Create a monitor mode interface
Find out the BSSID of our Access Point
We can use Aireplay-ng to inject Frames
Make sure your card is set to the correct channel!
To perform an injection test you can issue: aireplay-ng --test -a <BSSID> mon0
This initially sends out broadcast probe requests
See the Aircrack-ng documentation for details
Recover Hidden SSID
Normally the SSID of the AP is advertised in Beacon Frames
Most APs allow you to create a “hidden” or “visible” network
“Hidden” networks do not broadcast the SSID; however, Probe Requests/Responses still do!
Important: We must have at least one legitimate client connected or about to connect!
Demo-1.3 – Recover Hidden SSID
Set the AP to hide its SSID (supported by most APs)
Create a monitor mode interface on channel 11
Use Airodump-ng on channel 11 to sniff traffic: airodump-ng -c 11 mon0
Start Wireshark to capture on mon0
Connect a legitimate mobile client
Analyze the captured traffic
What if the client was already connected to the AP?
Deauthentication Attack
Send deauthentication frames to one or more clients which are currently associated with a particular AP
Why would we do that?
Recovering a hidden ESSID
Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate
Having clients connect to a spoofed AP
Useless if there are no associated clients
802.11 State Machine - Revisited
Lab-1.5 – Deauth Attack
Create a monitor mode interface
Find out the BSSID of the target AP
Use Aireplay-ng to deauthenticate all stations associated with the target: aireplay-ng --deauth 0 -a <BSSID> mon0
This sends deauthentication frames to all stations which are currently associated with the given access point
0 means send them continuously
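From the defender's side, an added example (not from the slides): a small detector that walks a list of management frames, as Wireshark would show them, and raises an alert when one BSSID emits more deauthentication/disassociation frames inside a sliding window than a normal network ever would, which is exactly the traffic pattern Lab-1.5 produces. The sample frames are constructed; the BSSID reuses the one from Challenge-1.1.

```python
# Added example, not part of the original slides: detect a deauthentication
# flood of the kind "aireplay-ng --deauth 0" generates. Frames are given as
# (time_s, subtype, bssid, dest) tuples; the sample below is constructed.
from collections import deque

DEAUTH = 0x0c      # management subtype 1100 (see "Types And Subtypes")
DISASSOC = 0x0a    # management subtype 1010

def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """Return one (bssid, first_time, count) alert per BSSID whose
    deauth/disassoc count inside any window_s-second window reaches threshold."""
    recent = {}                 # bssid -> deque of frame times inside the window
    alerts, alerted = [], set()
    for t, subtype, bssid, dest in frames:
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent.setdefault(bssid, deque())
        q.append(t)
        while q and t - q[0] > window_s:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerts.append((bssid, q[0], len(q)))
            alerted.add(bssid)
    return alerts

# Constructed sample: a normal open-network session with one legitimate
# deauth, followed by a burst of broadcast deauths every 20 ms carrying the
# WirelessLab BSSID as sender, i.e. what a deauth attack looks like on mon0.
AP = "f4:6d:04:a0:cc:b1"
SAMPLE = [(0.00, 0x0b, AP, "aa:bb:cc:dd:ee:01"),    # authentication
          (0.05, 0x01, AP, "aa:bb:cc:dd:ee:01"),    # association response
          (3.00, DEAUTH, AP, "aa:bb:cc:dd:ee:01")]  # single legitimate deauth
SAMPLE += [(10.0 + i * 0.02, DEAUTH, AP, "ff:ff:ff:ff:ff:ff") for i in range(64)]
```

The single deauth at 3 s does not trigger anything; the burst starting at 10 s does, and the alert records when it began and how many frames fell inside the window.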
Soft Access Point
We can use Airbase-ng to set up a soft AP
Normal APs have two network devices (2 MACs): a wireless interface and a wired interface
Airbase-ng uses mon0 as its wireless interface and creates the TAP (virtual network) device at0 as the wired interface
at0 will not be up by default
Lab-1.4 – Soft AP
Set up a soft AP (the ESSID is up to you): airbase-ng -e <ESSID> -c 11 mon0
Use airodump-ng on channel 11 - can you see your fake AP?
Bring up at0: ifconfig at0 up
Use Wireshark to capture traffic on at0
Try to connect a client (e.g. mobile phone) to the fake AP → What is your client's IP?
Please Try This At Home!
Create an Evil-Twin of your legitimate AP
Connect a client to the real AP
Force the client to connect to the Evil-Twin
Try to get IP level connectivity
Additions:
Try to do a real Man-In-The-Middle attack (e.g. by bridging at0 to the wired eth0)
Use Metasploit's Autopwn to attack your client
Lessons Learned (so far)
Spoofing 802.11 frames is very simple
There is no protection mechanism available
This “insecurity” is the starting point for a lot of different attacks, e.g. DoS attacks on clients and APs, setting up fake APs, WEP or WPA cracking
In the wired world the attacker would have to be part of the network to do this!
Any Questions?
Now we are here!
Always A Good Read
Matthew S. Gast: 802.11 Wireless Networks: The Definitive Guide – O'Reilly Media 2005
Vivek Ramachandran: Backtrack 5 Wireless Penetration Testing Beginner's Guide – Packt Publishing 2011
IEEE 802.11: Wireless Local Area Networks Standards (1200+ pages!)
What Is Planned?
Part II: WEP, or “there's just two ways this can end, and in both of them, you die!”
Part III: Understanding and attacking WPA/WPA2
Part IV: WPA2 Enterprise and possible attacks
Part V: Where to go from here?