Penetration Testing
       Wireless Networks
SANS Assessing Wireless Excerpts
 Regarding Penetration Testing

            ...
Introduction
• Wireless networks are everywhere
   – The perimeter of a network extends
     beyond classic perimeter fire...
Useful Tools
Wireshark - Open source
Kismet - Open source
Spectrum Analyzer – Hardware
Aircrack-ng - Open source
cowpatty ...
Typical Network Deployment
 Untrusted network                                  Trusted network

                          ...
Identifying Wireless
• War-walking/driving/flying
• Use best consumer hardware
  – Favorite 500 mw Alfa USB + 9 dbi
• Linu...
Identifying Wireless (2)‫‏‬
• Focus on 802.11 a/b/g
  – Non-802.11 wireless exists
  – Non FCC channels exists
    • 802.1...
Useful Encryption Terms
•   RFMON – 802.11 wireless monitor mode
•   WEP – Weakest 802.11 encryption
•   WPA – Use WEP har...
WEP Issues
•   24 bits of the key don't count (64=40)‫‏‬
•   Confidentiality, not Authorization
•   Applies to data frames...
Attacking WEP
• Weak Initialization Vectors (IVs)‫‏‬
• After enough packets/time, can crack
• Can accelerate with replay o...
FMS Attacks
                 Aircrack-ng
• Recognizes 5.5 million weak IVs
  – Effective against IV-filtered networks
• Ex...
Dynamic vs. Static WEP
• DWEP enhances security through
  dynamic key selection
  – Users authenticate using 802.1X and an...
Cisco DWEP
   • No support to rotate unicast keys via
     EAPOL-Key messages
   • Group keys can be rotated
       – Not ...
Where is WEP Vulnerable?
• WEP networks are not only vulnerable
  at AP location
• Clients can be exploited by
  impersona...
Method for Cracking WEP (1)‫‏‬
• Capture a few data packets, try
  wep_crack Neesus Datacom attack
• Next, try dictionary ...
Method for Cracking WEP (2)‫‏‬
   • Use chopchop attack in aireplay-ng to
     decrypt one packet
      – Learn IP address...
wesside-ng
1.   Channel hops to find a network
2.   Authenticates or impersonates a station
3.   Recovers 128-bytes of PRG...
Introduction to WPA
 • Portion of 802.11i to secure existing
   wireless technology
 • Moniker for multiple security
   me...
Cowpatty Process
         Collect AA, SPA, Nonces, MIC and EAP
               frame #4 from libpcap file

                ...
Cowpatty Example
  • Requires four-way, wordlist, SSID
  • Sample below on Pentium 4 2.8 GHz
$ cowpatty -r eapfourway.dump...
Enterprise WPA
• TKIP algorithm with 802.1x key distribution
• EAPOL-Key messages distribute encrypted
  keys following au...
PEAP Authentication Attack
• Attacker obtains list of valid usernames
  through traffic sniffing
• Manually attempts repea...
Identifying WLAN IPSec Networks
      Passive Analysis Methods

• Kismet will identify ISAKMP traffic
• Post-processing Wi...
Auditing IPSec WLAN Networks
• Directed toward traditional vulnerability
  assessment
• May need to overcome simple layer ...
Auditing Implementation
              Weaknesses
 • Test IPSec server for aggressive IKE
    – Scan systems with ike-scan,...
Making Wireless
          Pentests Valuable
• Wireless access is acquired
  – Now use classic network and
    application ...
Upcoming SlideShare
Loading in …5
×

Penetration Testing Wireless Networks

963 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
963
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
83
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Penetration Testing Wireless Networks

  1. 1. Penetration Testing Wireless Networks SANS Assessing Wireless Excerpts Regarding Penetration Testing jims@bluenotch.com Penetration Testing Wireless Networks © 2008 SANS
  2. 2. Introduction • Wireless networks are everywhere – The perimeter of a network extends beyond classic perimeter firewalls • Rogue wireless weakens any network • Wireless equipment is cheap • Threat exists regardless of wireless policy • Wireless assessment/pentest necessary Penetration Testing Wireless Networks © 2008 SANS
  3. 3. Useful Tools Wireshark - Open source Kismet - Open source Spectrum Analyzer – Hardware Aircrack-ng - Open source cowpatty - Open source Penetration Testing Wireless Networks © 2008 SANS
  4. 4. Typical Network Deployment Untrusted network Trusted network permit DNS to dns dns.ebac.com permit DHCP to dhcp permit IP/50 to vpn drop everything else vpn.ebac.com dhcp.ebac.com Penetration Testing Wireless Networks © 2008 SANS
  5. 5. Identifying Wireless • War-walking/driving/flying • Use best consumer hardware – Favorite 500 mw Alfa USB + 9 dbi • Linux (drivers support RFMON)‫‏‬ • Look for Rogue Access Points – Power/Channel/SSID – Triangulate location to highest power Penetration Testing Wireless Networks © 2008 SANS
  6. 6. Identifying Wireless (2)‫‏‬ • Focus on 802.11 a/b/g – Non-802.11 wireless exists – Non FCC channels exists • 802.11 – channels 12-14 • Warwalk only identifies live issues • Some wireless IDS tech helps • Easy to create an AP from a laptop Penetration Testing Wireless Networks © 2008 SANS
  7. 7. Useful Encryption Terms • RFMON – 802.11 wireless monitor mode • WEP – Weakest 802.11 encryption • WPA – Use WEP hardware “better” • WPA2 – Best 802.11 encryption • IPSec – Encrypting all IP packets Penetration Testing Wireless Networks © 2008 SANS
  8. 8. WEP Issues • 24 bits of the key don't count (64=40)‫‏‬ • Confidentiality, not Authorization • Applies to data frames, payload only • Extremely vulnerable – Weak initialization – No replay protection – Can recover WEP key from plaintext and cyphertext Penetration Testing Wireless Networks © 2008 SANS
  9. 9. Attacking WEP • Weak Initialization Vectors (IVs)‫‏‬ • After enough packets/time, can crack • Can accelerate with replay of known- plaintext – ARP, Windows DHCP, etc. • wep_crack/WEPAttack guess WEP key • Aircrack-ng/Airreplay-ng uses FMS/PTW to crack and accelerate key Penetration Testing Wireless Networks © 2008 SANS
  10. 10. FMS Attacks Aircrack-ng • Recognizes 5.5 million weak IVs – Effective against IV-filtered networks • Extended with Pychkine, Tews, Weinmann (PTW) attack using ARP response data • Optimal 104-bit key recovery probability: – 50% success after 40,000 packets (60 sec)‫‏‬ – 80% success after 60,000 packets (90 sec)‫‏‬ – 95% success after 85,000 packets (128 sec)‫‏‬ Penetration Testing Wireless Networks © 2008 SANS
  11. 11. Dynamic vs. Static WEP • DWEP enhances security through dynamic key selection – Users authenticate using 802.1X and an EAP type • Keys are unique per-user and per- session • Eliminates key selection attacks, vulnerable to many other attacks Penetration Testing Wireless Networks © 2008 SANS
  12. 12. Cisco DWEP • No support to rotate unicast keys via EAPOL-Key messages • Group keys can be rotated – Not enabled by default • Must force reauthentication to rotate keys – Results in ~3-5 second loss of connectivity ap1200#conf t Enter configuration commands, one per line. End with CNTL/Z. ap1200(config)#int dot11Radio 0 ap1200(config-if)#broadcast-key change 600 ap1200(config-if)#dot1x reauth-period 600 Penetration Testing Wireless Networks © 2008 SANS
  13. 13. Where is WEP Vulnerable? • WEP networks are not only vulnerable at AP location • Clients can be exploited by impersonating AP, ARP flooding – Caffe Latte attack; attacker impersonates a WEP network while victim enjoys coffee • Keys realistically compromised in ~6 minutes with one client Penetration Testing Wireless Networks © 2008 SANS
  14. 14. Method for Cracking WEP (1)‫‏‬ • Capture a few data packets, try wep_crack Neesus Datacom attack • Next, try dictionary attack with WepAttack • Start collecting data for Aircrack-ng attack – Stop and restart Airodump after ~60,000 data packets – Try to recover key while capturing Penetration Testing Wireless Networks © 2008 SANS
  15. 15. Method for Cracking WEP (2)‫‏‬ • Use chopchop attack in aireplay-ng to decrypt one packet – Learn IP addresses in decrypted content • Forge an ARP request frame with packetforge-ng • Replay with aireplay-ng to accelerate IV collection Wouldn't it be nice if this were automated for us? Penetration Testing Wireless Networks © 2008 SANS
  16. 16. wesside-ng 1. Channel hops to find a network 2. Authenticates or impersonates a station 3. Recovers 128-bytes of PRGA/LKE 4. Decrypts a frame to identify network IP information 5. Creates an ARP request for target IP 6. Floods network with ARP requests 7. Launches PTW attack using aircrack-ng Attacker: "./wesside-ng -i ath0" Penetration Testing Wireless Networks © 2008 SANS
  17. 17. Introduction to WPA • Portion of 802.11i to secure existing wireless technology • Moniker for multiple security mechanisms (TKIP)‫‏‬ • Designed to fit with existing hardware • Based on RC4 encryption, like WEP Software upgradeable, Paucity of processing cycles Penetration Testing Wireless Networks © 2008 SANS
  18. 18. Cowpatty Process Collect AA, SPA, Nonces, MIC and EAP frame #4 from libpcap file Read dictionary word Computationally Calc PMK using dictionary word and SSID Expensive Calc PTK using PMK, AA, SPA and nonces Computationally Inexpensive Calculate MIC of frame #4 using PTK No Yes PSK is Does calculated MIC == Observed MIC? word Penetration Testing Wireless Networks © 2008 SANS
  19. 19. Cowpatty Example • Requires four-way, wordlist, SSID • Sample below on Pentium 4 2.8 GHz $ cowpatty -r eapfourway.dump -f passlist -s GNIPGNOPWLAN cowpatty 1.2 - WPA-PSK dictionary attack. <jwright@hasborg.com> Collected all necessary data to mount crack against passphrase. Starting dictionary attack. Please be patient. The PSK is "family movie night". 4087 passphrases tested in 59.29 seconds: 68.93 passphrases/second $ Good reason to requisition a new laptop! Penetration Testing Wireless Networks © 2008 SANS
  20. 20. Enterprise WPA • TKIP algorithm with 802.1x key distribution • EAPOL-Key messages distribute encrypted keys following authentication • Pairwise Master Key (PMK/256 bit)‫‏‬ – Protects and generates PTK with random data • Pairwise Transient Key (PTK/512 bit)‫‏‬ – Split up into encryption keys, integrity keys and key encryption keys • Encryption keys rotated every 216 packets Penetration Testing Wireless Networks © 2008 SANS
  21. 21. PEAP Authentication Attack • Attacker obtains list of valid usernames through traffic sniffing • Manually attempts repeated authentication – Using common weak passwords • Authenticator silently ignores bad passwords • Likely to enable failed authentication account lockout policies • Could be leveraged for DoS attack Penetration Testing Wireless Networks © 2008 SANS
  22. 22. Identifying WLAN IPSec Networks Passive Analysis Methods • Kismet will identify ISAKMP traffic • Post-processing Wireshark filters – Display ISAKMP traffic "isakmp" – UDP ports 500, 10000, 5150 common • Lots of UDP traffic to one destination Penetration Testing Wireless Networks © 2008 SANS
  23. 23. Auditing IPSec WLAN Networks • Directed toward traditional vulnerability assessment • May need to overcome simple layer 2 security (static WEP, MAC filters)‫‏‬ • Passive analysis often exposes FW rules – Active analysis also possible, but slow • Test integrity of exposed systems – Patch levels, configuration vulnerabilities Penetration Testing Wireless Networks © 2008 SANS
  24. 24. Auditing Implementation Weaknesses • Test IPSec server for aggressive IKE – Scan systems with ike-scan, record – Post-process with Wireshark • Test DNS for recursive name resolution – Establish a known TXT record Wireshark Aggressive Mode Filter: "isakmp[18] eq 4" Check DNS recursion: "dig @remote-dns IN TXT hostname" Penetration Testing Wireless Networks © 2008 SANS
  25. 25. Making Wireless Pentests Valuable • Wireless access is acquired – Now use classic network and application pentest techniques – Identify specific vulnerabilities and potential damage/risk – Change equipment and policies to limit the risk as much as possible – Rinse and repeat Penetration Testing Wireless Networks © 2008 SANS

×