
Talk2 esc2 muscl-wifi_v1_2b

Overview on the state of WIFI security for WEP, WPA/WPA2, WPA3. Looking at their protocols, weaknesses and attacks.
The presentation finishes with a live demo on 2 attacks: Karma Attack and Evil Portal Attack

Published in: Technology

  1. {elysiumsecurity} cyber protection & response. WIFI SECURITY EXPOSED: An introduction to WIFI Security
     • Version: 1.2a
     • Date: 15/02/2018
     • Author: Sylvain Martinez
     • Reference: ESC2-MUSCL
     • Classification: Public
  2. CONTENTS
     • Context: What is WIFI; How WIFI Works
     • WEP: Protocol; Weaknesses; Attacks
     • WPA/WPA2: Protocol; Weaknesses; Attacks
     • WPA3: Introduction
     • Demo: Karma Attack; Evil Portal
  3. What is WIFI / WI-FI
     • Technology using radio waves to provide network connectivity, based on the IEEE 802.11 standard;
     • Frequencies of 2.4 GHz and 5.8 GHz;
     • 802.11a, 802.11b, 802.11g, 802.11n, 802.11ac;
     • Other radio wave technologies include:
       • ZigBee (IEEE 802.15.4);
       • Bluetooth and Bluetooth Low Energy (802.15.1);
       • WiMax (IEEE 802.16);
       • But also Cellular, NFC, etc.
  4. HOW WIFI WORKS
     • HOTSPOTS will usually advertise that they are there by BROADCASTING their name (SSID);
     • Clients attempt to connect to HOTSPOTS, for example your WIFI home router;
     • Connection to the HOTSPOT can be done:
       • With no password (OPEN);
       • With a password or passphrase;
       • With a certificate;
     • Clients will remember HOTSPOTS they previously connected to: MY_WIFI, SHOP_WIFI, CORP_WIFI, etc.
     • As long as the Client's WIFI is on, it will keep trying to connect to its known HOTSPOTS, all of them, all the time.
  5. HOW WIFI WORKS
     [Diagram: at HOME, COFFEE SHOP and WORK the client asks each remembered network in turn (MY_WIFI, SHOP_WIFI, CORP_WIFI) "Are you here?", gets NO from the ones that are absent and YES! from the one that is present, then CONNECTs. Icons from VMWARE.]
  6. WEP PROTOCOL
     • 1997;
     • Wired Equivalent Privacy;
     • 10 or 26 hexadecimal digits (40 or 104 bits) + 24-bit IV. Two key sizes due to earlier USA restrictions on cryptography export;
     • RC4 stream cipher with CRC checks.
     Source: Wikipedia
  7. WEP WEAKNESSES
     • The same key must never be used twice; this is a problem in a busy network with only a 24-bit IV;
     • Possibility to force traffic noise if the network is not busy enough;
     • Possibility to modify intercepted packets and replay them into the network;
     • Short key;
     • CRC was not designed for security;
     • Authenticated users can see other users' network traffic.
  8. WEP ATTACKS
     • 2001, passive attack to recover the RC4 key in about a minute with the right conditions and equipment;
     • 2005, start of widely available open source tools to attack WEP;
     • 2006, near real-time decryption of WEP traffic;
     • 2008, PCI Security Standards prohibit the use of WEP;
     • Popular attacking tools:
       • Aircrack, Airsnort, kismet, Cain & Abel, Fern WIFI Wireless cracker, etc.
     Source: Wikipedia
  9. WPA PROTOCOL
     • WEP replacement from 2003;
     • Use of a Temporal Key Integrity Protocol (TKIP) to replace RC4;
     • Use of a Message Integrity Code (MIC/Michael);
     • Dynamically generates a 128-bit key for each packet;
     • Message Integrity Check to prevent replay and modification attacks;
     • Designed as an interim solution for hardware not supporting WPA2.
     Source: Wikipedia
  10. WPA WEAKNESSES
     • Some weaknesses in common with WEP regarding its message integrity check algorithm (TKIP);
     • The message integrity code hash function (Michael) is flawed;
     • Possible to retrieve the keystream to use for re-injection and spoofing;
     • Authenticated users can see other users' network traffic.
  11. WPA ATTACKS
     • 2012, possible to brute force the WPA key;
     • Key = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256);
     • Large rainbow tables available for the top 1000 used SSIDs;
     • WPS can be attacked through a weaker PIN strength;
     • Popular attacking tools:
       • Aircrack-ng, Reaver, kismet, etc.
  12. WPA2 PROTOCOL
     • More secure protocol from 2004;
     • Implements all the mandatory elements of IEEE 802.11i;
     • Support for Counter Mode CBC-MAC (CCMP), an AES-based encryption mode with strong security;
     • Since March 2006, mandatory for all new WI-FI labelled devices.
     Source: Wikipedia
  13. WPA2 WEAKNESSES
     • AES-128 is breakable with enough time;
     • ARP Poisoning and Spoofing are possible;
     • Authenticated users can see other users' network traffic.
  14. WPA2 ATTACKS
     • Possible to disconnect legitimate users with a DEAUTH attack, even when not associated to the network;
     • Password can be cracked offline from intercepted encrypted traffic;
     • 2017, Key Reinstallation AttaCKs (KRACKs) allow an attacker to intercept and read data that is encrypted. The main attack is against the 4-way WPA2 handshake. https://www.krackattacks.com
  15. WPA3
     • Announced in January 2018 for later this year;
     • 192-bit encryption;
     • Individualized encryption for each user;
     • Protection against brute-force dictionary attacks;
     • Improved handshake protocol;
     • Simpler connection without a GUI (WPS?).
  16. DEMO
     • KARMA ATTACK
     • EVIL PORTAL
  17. WIFI KARMA ATTACK
     [Diagram: AIRPORT scene. The client asks "Are you here?" for MY_WIFI, SHOP_WIFI and CORP_WIFI; AIRPORT_WIFI answers NO, while HACKER_HOTSPOT answers YES! to each request and the client CONNECTs.]
  18. WIFI EVIL PORTAL ATTACK
     [Diagram: in a COFFEE SHOP the client CONNECTs to FREE_WIFI and is shown a "Please login" page offering Hotel Page, Google, Orange, etc.; once Google credentials are entered it displays "THANK YOU! Internet Access Granted".]
  19-24. WIFI EVIL PORTAL ATTACK (no text on these slides besides the title)
  25. THANK YOU! © 2018 ElysiumSecurity Ltd. All Rights Reserved. www.elysiumsecurity.com
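
Slide 11 gives the key derivation as PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256) and notes that rainbow tables exist for the most used SSIDs. The following added example (not from the original deck) computes that key with Python's standard library and shows that the SSID acts as the salt, then runs a small configuration audit; the `COMMON_SSIDS` list, the weak-passphrase list and the 12-character threshold are assumptions of this example.

```python
import hashlib

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit WPA/WPA2-Personal key: PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)

# Hypothetical stand-in for a "top used SSIDs" list; a real audit would load a full one.
COMMON_SSIDS = {"linksys", "default", "NETGEAR", "dlink", "home"}
# Hypothetical stand-in for a dictionary of well-known passphrases.
WEAK_PASSPHRASES = {"password", "12345678", "qwertyuiop"}

def audit(ssid: str, passphrase: str) -> list:
    """Return findings that make precomputed-table or dictionary guessing practical."""
    findings = []
    if ssid in COMMON_SSIDS:
        findings.append("SSID is a common default: precomputed tables may already cover it")
    if len(passphrase) < 12:  # threshold is an assumption of this example
        findings.append("passphrase shorter than 12 characters")
    if passphrase.lower() in WEAK_PASSPHRASES:
        findings.append("passphrase is a well-known dictionary entry")
    return findings

if __name__ == "__main__":
    # Same passphrase, different SSID: the derived keys share nothing,
    # which is why precomputed tables only help against common SSIDs.
    print(wpa_psk("password", "IEEE").hex())
    print(wpa_psk("password", "IEEE-2").hex())
    print(audit("linksys", "password"))
    print(audit("a-unique-ssid-7f3", "correct horse battery staple"))
```

A unique SSID removes the precomputation shortcut, and a long random passphrase is what makes the 4096 iterations per guess expensive enough to matter.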
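
Slide 17 shows a hotspot that answers YES! to every network name a client asks for. As an added detection example (not from the original deck), the following flags that behaviour in probe-response records collected by a monitoring sensor; the records, the canary SSID name and the per-BSSID threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (bssid, ssid) pairs taken from probe responses seen by a
# monitoring sensor. Values are illustrative only.
PROBE_RESPONSES = [
    ("aa:bb:cc:00:00:01", "AIRPORT_WIFI"),
    ("aa:bb:cc:00:00:01", "AIRPORT_WIFI"),
    ("de:ad:be:ef:00:02", "MY_WIFI"),
    ("de:ad:be:ef:00:02", "SHOP_WIFI"),
    ("de:ad:be:ef:00:02", "CORP_WIFI"),
    ("de:ad:be:ef:00:02", "canary-7c1e9a"),
    ("aa:bb:cc:00:00:03", "AIRPORT_WIFI"),
    ("aa:bb:cc:00:00:03", "AIRPORT_GUEST"),
]

# SSIDs the sensor itself probes for and that exist nowhere (hypothetical name).
CANARY_SSIDS = {"canary-7c1e9a"}
# Assumed site policy: a legitimate access point here serves at most two SSIDs.
MAX_SSIDS_PER_BSSID = 2

def find_karma_responders(responses, canaries=CANARY_SSIDS, max_ssids=MAX_SSIDS_PER_BSSID):
    """Map each suspicious BSSID to the list of reasons it was flagged."""
    ssids_by_bssid = defaultdict(set)
    for bssid, ssid in responses:
        ssids_by_bssid[bssid.lower()].add(ssid)

    alerts = {}
    for bssid, ssids in ssids_by_bssid.items():
        reasons = []
        hit = sorted(ssids & canaries)
        if hit:
            # Nothing legitimate can know a name the sensor just made up.
            reasons.append("answered canary SSID " + ", ".join(hit))
        if len(ssids) > max_ssids:
            reasons.append(f"answered for {len(ssids)} distinct SSIDs")
        if reasons:
            alerts[bssid] = reasons
    return alerts

if __name__ == "__main__":
    for bssid, reasons in find_karma_responders(PROBE_RESPONSES).items():
        print(bssid, "->", "; ".join(reasons))
```

On the client side, the matching mitigation is to remove remembered open networks and disable auto-join, so the device stops asking for names that anyone can answer to.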
