The state of wireless security

neXusADVANCED SECURITY TRAINING
The
State
of
Wireless
Client

Security
in
Mobile
Device
“Alice
in
802.11
land”

DennisVerslegers
Filip Waeytens
Who are we?

This
talk
is
about
•Overview
of
the
current
state
of
the
technology

•
Overview
of
existing
attacks
against
the
infrastructure

•Overview
of
existing
attacks
against
the
client

•Overview
of
the
current
tools
and
defences

This
talk
is
NOT
about
•Explaining
in
depth
how
wiﬁ
works

•Introducing
some
new
fancy
NSA
style
attack

A
short
refresh
on
802.11

Frame
types
• Management
Frames:
Allow
for
the
maintenance
of

communication

• Control
Frames:
Facilitate
in
the
exchange
of
data
frames

• Data
Frames:
Carry
packets
with
data
(ﬁles,
webpages…)

Management
Frames
• Beacon:
AP
says:
“Yo,
I’m
here,
and
I
do
blahblahblah”

• Probe:
request/response
:
STA
says”Hey,
are
you
in
range
and
can
you
do

blah?”.
AP
says:”I’m
in
range
and
do
blahblahblah”.

• Authentication:
request/response:
STA
says:”I
want
to
identify
myself
and

here’s
my
key(if
any)”.
AP
says:”ok
or
not
ok”.

• (Re-‐)Association:
request/response:
STA
says:”I
want
to
connect
doing

blahblahblah
and
I
want
to
register
with
you”.
AP
says:”ok
or
not
ok”.

• De-‐Authentication
/
Dis-‐Association:
“I
don’t
want
to
be
associated/
authenticated
anymore”.

Infrastructure
Attacks

Wired
Equivalent
Privacy
(WEP)
its
intention
was
to
provide
data
conﬁdentiality

comparable
to
that
of
a
traditional
wired
network
source:
wikipedia

How
it
works

How
it
works
•
In
(standard)
WEP
the
RC4
seed
consists
of
the
40-‐bit
key
+
a

24-‐bit
initialisation
vector
(IV)

•
This
seed
is
used
to
generate
pseudo
random
stream
of
bits

•
This
stream
is
then
XORred
with
the
plaintext
and
sent
on
to
the

receiver

The
ﬂaws
•
Keys
are
spread
on
every
system,
generally
not
the
best
security

practice

•
Easy
to
enter
secret
keys:
input
is
done
via
5
ascii
characters

each
representing
8
bits
-‐>
40
bits.
Issue:
printable
ascii

characters
only
cover
a
very
small
part
of
the
possible
byte

values
a.k.a.
we
reduce
key
space

Rule
#1
for
stream
ciphers
keys
must
never
be
used
twice

The
ﬂaws
•
Due
to
the
fact
that
the
IV
is
only
24
bits
long
there
is
a
50%

probability
to
use
the
same
IV
after
5000
packets

•
a.k.a.
every
5000
packets
we
use
the
same
key

•
very
much
crackable

How
the
industry
solved
it
Deprecated
as
they
fail
to
meet
their
security
goals

Move
on
to
WPA
or
WPA2

How
to
break
it
•
FMS
attack

•
KoreK
attack

•ChopChop
attack

•
Fragmentation
attack

•PTW
attack

How
to
break
it
•
Step
1:
make
sure
you
are
in
range
of
the
access
point
(doh!)

•
Step
2:
set
yourself
up
with
a
wireless
adapter
in
monitor
mode

(listen
to
everyone
chatting)

•
Step
3:
be
patient
and
wait
until
you
have
suﬃcient
IV’s

(remember
the
5000
packets
rule)

•
Step
4:
crack
the
captured
traﬃc

How
to
break
it
•
Fortunately
there
is
an
alternative
for
step
3:

–
Associate
yourself
with
the
access
point 
the
AP
ignores
your
packets
and
sends
out
deacuthentication

packet
in
clear
text
if
you
are
not
associated

–
Replay
ARP
packages
which
you
see
on
the
network 
ARP
packages
are
great
because
they
will
be
broadcasted
by

the
access
points
and
many
IV’s
will
be
generated
in
a
very

short
timeframe

The
tools
•
Excellent
script
kiddie
material
!

–
toolkit
which
required
some
knowledge
about
the
actual

attack:
aircrack

–
after
that
many
many
more
‘automated’
scripts,
e.g.

(wepcrack,
fern,
gerix,
wiﬁte,
…)

The
tools
++

Does
this
still
work?
Let’s
ﬁnd
out

Does
this
still
work?
•
30
minutes
walk

•
1k+
wireless
networks
identiﬁed

•
+/-‐
5,5%
or
58
wireless
networks
were
(un)protected
by
WEP

Does
this
still
work?
Bureau

HILLAWI

Eurada_WiFi

LAPOSTE

ITB

ZyXEL

34_Second_Floor

Le
Paddock

EUROCHILD

eurocapital

CS
Belgium

Meetingroom

Belkin_G_Plus_MIM...

Thomson84B046

Wi-‐Fi
Protect
Access
(WPA/WPA2)
The
answer
to
WEP

The
core
changes
•
integrity
checks
were
added
to
defeat
forgeries

•
protection
against
replay
attacks
was
added

•
improved
encryption
key
solution
was
introduced

•
for
WPA2:
AES
was
used
instead
of
TKIP

How
to
break
it
•
Attacks
against
the
algorithm
of
WPA:

–
Beck
and
Tews’
attack

–
Ohigashi-‐Morii
Attack

–
Michael
Attacks

–
The
Hole196
vulnerability

The
ﬂaw
•
WPA-‐PSK
/
WPA2-‐PSK:

• Weak(er)
pass-‐phrases
maybe
cracked
using
dictionary

attacks.

•
Mainly
pass-‐phrases
of
20
characters
or
less
are
vulnerable

How
to
break
it
Before
we
begin:

•
the
passphrase
is
only
used
during
the
initial
authentication

handshake,
so
we
will
need
to
intercept
one
of
those

•
the
passphrase
used
for
the
pre-‐shared
key
must
be
present
in

our
dictionary
or
be
of
a
short(er)
length

How
to
break
it
•
Step
1:
make
sure
you
are
in
range
of
the
access
point
(doh!)

•
Step
2:
set
yourself
up
with
a
wireless
adapter
in
monitor
mode

(listen
to
everyone
chatting)

•
Step
3:
be
patient
and
wait
until
you
have
a
client
performing

authentication

•
Step
4:
brute
force
the
pre-‐shared
key
through
the
captured

authentication
handshake

How
to
break
it
•
Fortunately
there
is
an
alternative
for
step
3:

–
Deauthenticate
a
wireless
client

But
wait
wasn’t
there
something
called

WPS?
convenience
kills
security

The
ﬂaw
•
8
digits
pin
code
+
60
seconds
time-‐out
after
3
failed
attempts
=

6.3
years
required
to
crack
the
pin

•
For
some
reason
the
pin
code
has
been
split
in
2
sets
of
4
digits

…
Hmmmm

•
The
router
tells
you
when
you
found
the
ﬁrst
4,
great
checkpoint 

Now
we
only
need
1
day
to
crack
the
pin
…

The
ﬂaw
•
To
make
matters
worse:

–
pin
code
in
many
cases
is
built-‐in,
no
way
to
change
it

–
WPS
functionality
can,
in
some
cases,
not
be
disabled

–
some
routers
oﬀering
the
option
to
disable
WPS
… 

…
don’t
really
disable
WPS
after
all

How
to
break
it

Brute
Force!

Does
this
still
work?
•
Same
round

•
1055
wireless
networks
identiﬁed

•
+/-‐
18%
or
178
wireless
networks
were
using
WPS

Does
this
still
work?
Cisco
Ducale
51

ActuaTV-‐VP

Meetingroom

STELLA
Consulting

EUROHUB

CONSULTANCY

Regency

Misija
NATO

Voyager

King's
Room

FurEurope

francite

Kabinet

michel

Act
As
One
Exco
II

Economic

EAP
/
LEAP
/
PEAP
Extensible
Authentication
Protocol

How
it
works
•
Replace
the
pre-‐shared-‐key
with
more
corporate
grade

authentication
system
covering:

–
authentication

–
key
distribution

•
Extensible
Authentication
Protocol
a.k.a.
authentication

framework

LEAP
•Lightweight
EAP

–
Credentials
are
sent
using
MS-‐CHAP
without
SSL
tunnel

protection

–
User
credentials
are
not
strongly
protected

–
Oﬄine
password
cracking
possible

PEAP
•Protected
EAP

–
EAP
is
encapsulated
in
a
TLS
tunnel
(encryption
&

authentication)

–
Credentials
are
sent
using
MS-‐CHAPv2

EAP
•
Many
variants
available
(hence
extensible):

–
EAP-‐TLS:
based
on
certiﬁcates
and
public/private
keys

–
EAP-‐MD5:
based
on
MD5
hashing
to
pass
credentials

–
EAP-‐IKEv2:
based
on
Key
Exchange
Protocol
version
2

Flaws
&
attacks
•
EAP
overall:

–
communication
between
Access
Points
and
RADIUS
server(s)

relies
only
on
the
HMAC-‐MD5
hashing
algorithm
in
RADIUS

implementations
=
vulnerable
to
man-‐in-‐the-‐middle
attacks

–
users
/
endpoints
are
left
with
the
decision
whether
or
not
to

trust
the
certiﬁcates
provided
by
the
authenticator
=

vulnerable
to
impersonation
attack

Last
but
not
least
The
wireless
access
point
or
router
interfaces

AP’s
are
no
other
then
the
rest
•Default
conﬁguration
/
passwords
…
far
too
common

•Webservers
embedded
in
small
devices
…

•Attacks
which
tend
to
work
on
regular
websites
also
work

against
admin
pages:

•Cross
Site
Request
Forgery

•DNS
rebinding

Further
reading
•
http://www.iescobar.net/survey%20wiﬁ.pdf

•
https://www.matthieu.io/dl/wiﬁ-‐attacks-‐wep-‐wpa.pdf

•https://en.wikipedia.org/wiki/Fluhrer,_Mantin_and_Shamir_attack

•
http://dl.aircrack-‐ng.org/breakingwepandwpa.pdf

•
http://www.aircrack-‐ng.org/doku.php?id=simple_wep_crack

•
http://www.aircrack-‐ng.org/doku.php?id=cracking_wpa&s[]=wpa&s[]=crack

Client Attacks

Major Categories
• Attacking the client directly: wireless card driver
attacks
• Attacking the client via “Man in the Middle”
attacks (MitM)

Wireless Driver Attacks
• Mostly Buffer Overflow type flaws
• Not trivial: requires deep knowledge on OS/Kernel
level
• Vendor specific
• Not much has happened lately

Last public driver BO Exploit dates from 2010

“Man in the Middle” Attacks
• Victim connects to “evil” AP -> Attacker has
control over trafﬁc
• Very popular
• = Starting Point of 50 shades of exploitation:
snifﬁng, injection, dns poisoning,…

Popular Attacks
• Free Wifi : because people like free stuff
• Karma/Jasager: because 802.11 is (was?) flawed
• Mana: because Karma is flawed
• Mana-toolkit: attacking secure networks
• Fake Portal: because social engineering is
effective

Free Wiﬁ
• How it works: just set up an open AP in a crowded
area and people will connect
• Tools needed: Laptop+ Kali Linux : Hostapd/
Airbase-ng + iptables + forwarding + dnsmasq
• or get a Pineapple MarkV if you have 99 USD
lying around

Freewifi config: Routing and NAT:
ifconfig wlan1 up
ifconfig wlan1 172.16.50.1/24
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables -t nat -F
iptables -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
echo '1' > /proc/sys/net/ipv4/ip_forward
+ run hostapd and dnsmasq (configs next slides)

Freewifi config: hostapd.conf
interface=wlan1
driver=nl80211
ssid=freewifi
channel=1
hw_mode=g

Freewiﬁ conﬁg:DNSMasq.conf
log-facility=/var/log/dnsmasq.log
interface=wlan1
dhcp-range=172.16.50.10,172.16.50.250,12h
dhcp-option=3,172.16.50.1
dhcp-option=6,8.8.8.8
log-queries

But
I
don’t
trust
“FreeWifi”1…
Enter
the
“PNL”
•a.k.a.
The
Preferred
Network
List

•Every
Eme
we
connect
to
an
AP,
it
get’s
stored
on
our
devices
in

the
PNL

•Our
devices
“probe”
all
the
Eme
for
these
networks

•When
probing
for
a
specific
network,
the
device
sends
a
request

probe
with
a
specific
SSID
(directed
probe)

•Devices
also
send
out
null
probes:
request
probes
with
SSID=“”

But
I
don’t
trust
“FreeWiﬁ”2…..
Enter
“Karma”
•Karma
aWack:
an
AP
that
responds
posiEve
to
all
directed
probes

(a.k.a.
“Jasager”)
Is “Macdonalds” Wiﬁ here?
Sure, that’s me
Is “corporate-guest” here?
Sure, that’s me

What
happened
(unEl+-‐2012)
•Clients
constantly
sent
directed
probes
for
all
networks
in
their

PNL
(Preferred
Network
List)

•An
evil
Karma
AP
responded
posiEvely
to
any
directed
probe

•Clients
automaEcally
(!!)
connected
to
the
Karma
AP

So,
what
happened
around
+-‐2012?
•Vendors
silently
‘ﬁxed’
behaviour
in
newer
OS’:
Clients
only

connected
when
AP
responded
to
BOTH
directed/null
probe

•Devices
stopped
constantly
sending
directed
probes.
Some

stopped
sending
them
altogether
(IOS).

•Karma
didn’t
respond
to
broadcast
null
probes

Karma
was
broken

Hackers
‘fix’
Karma
aWack…
Enter
“Mana”
•Mana
=
modified
Hostapd
for
Karma
aWack

•Actually:
Mana-‐toolkit
(modded
hostapd
+
bunch
of
stuff)

•Mana
waits
unEl
it
sees
a
directed
probe
and
then
responds
to

both
directed
and
broadcast
probe.

•Behaviour
of
probing
sEll
differs
greatly
between
OS’s

•Also
has
‘loud
mode’:
it
keeps
a
list
of
all
SSID’s
it
sees
from
all

devices
and
broadcasts
them:
more
chance
to
get
‘popular’

SSID’s

DetecEng
probes
•Wireshark
ﬁlter
for
request
probes:

wlan.fc.type_subtype
==
0x04

•or
Python+
scapy

•don’t
forget
to
put
interface
in
monitor
mode


Example:
Nexus
5
Phone
with
Android
OS
4.4.3
•ErraEc:
direct
probes
with
30
seconds
to
10
minute
intervals.

So
what
about
hidden
SSID’s
?
•Hidden
networks
don’t
return
a
SSID
in
response
to
a
broadcast

probe:
the
AP
only
gives
the
SSID
when
receiving
a
directed

probe.

•Devices
with
a
hidden
network
in
their
PNL
need
to
probe
for
it

speciﬁcally

•IOS
devices
only
do
this
when
it
sees
at
least
1
hidden
network

•SoluEon:
put
a
hidden
network
somewhere
to
get
directed

probes
from
IOS
devices
for
hidden
networks

Can
we
get
more
“vicEms”?
Enter
“De-‐Auth”
•De-‐authenEcaEon
packet
is
sent
to
terminate
communicaEon

between
a
client
and
an
AP

•Is
done
via
a
management
packet:
cleartext

•Can
be
spoofed
easily

Anyone
can
de-‐authenEcate
anyone

We
can
disconnect
exisEng
connecEons

(unEl
they
connect
to
us)


DeauthenEcaEon
tools
•Aireplay-‐ng:
e.g.
deauth
all
clients
of
BSSID
7a:54:2e:9c:31:1f

•mdk3
(“Murder
Death
Kill”)

•Several
scripts

What
about
secure
networks?
(SSL)
•A
lot
of
apps
use
SSL
connecEons

•login
pages
/
sensiEve
data:
websites
use
SSL

•an
aWacker
performing
MitM
can
not
read
data
directly

•A
lot
of
aWacks
against
SSL
lately
(BEAST,
POODLE,
…),
but
most

aWacks
impracEcal
(except
heartbleed,
which
isn’t
a
MitM
aWack)

Common
aWack
methods
1:
Fake
CERT
•Terminate
SSL
connecEon
in
the
Middle
and
present
your
own

cerEﬁcate.

•Problem:
SSL
popup

•SoluEon:
None.

•But
users
usually
click
through

annoying
popups
:)
No Problem :)

Common
aWack
methods
2:
SSLSTRIP
•SSLStrip
is
a
proxy
in
the
Middle
that
changes
all
HTTPS
links
in

hWp
responses
to
HTTP
(it
“strips”
the
SSL)

•Problem:

»
A)
works
only
for
redirects
to
hWps

»
B)
address
in
browser
shows
as
hWp
instead
of
hWps

•SoluEon:

»A)
None

»B)
we
add
a
favicon
that
looks
like
a
lock:
good
enough
for
most
users


Vendors
Response:
HSTS
•HSTS
=
HTTP
Strict
Transport
Security

•Sites
can
send
a
‘Strict-‐Transport-‐Security’
response
header
back

to
the
browser

•Once
the
browser
has
received
this,
the
browser
will
only

connect
directly
in
HTTPS

•Google
also
maintains
a
preloaded
list

•Used
by
latest
versions
of
Chrome,
Safari,
Firefox
(not
IE<12)

Hackers
Respond:
SSLSplit
•SOLUTION:
“sslsplit”
=
modified
sslstrip

–“Works
like
a
proxy,
similar
to
sslstrip.”

–“
SSLsplit
removes
response
headers
for
HPKP
in
order
to
prevent
public

key
pinning
for
HSTS,
to
allow
the
user
to
accept
untrusted
cerEficates”

–
generates
on
the
fly
fake
cerEficates

•But
if
the
user
already
browsed
to
the
site
before,
the
browser

will
sEll
use
HTTPS
only

Problem
not
yet
solved

Hackers
respond
some
more:
SSLStrip+
•SSLStrip+
changes
hostname:

–
User
wants
to
surf
to
www.google.com
and
gets
redirected
to

wwww.google.com
.
SSLStrip+
keeps
track
of
DNS.

–
users
wants
to
surf
to
account.google.com
and
gets
redirected
to

accounts.google.com

•Because
accounts.google.com
and
wwww.google.com
do
not

exist,
the
browser
also
doesn’t
have
an
HSTS
entry
for
them,
and

sslsplit
works.

•Latest
aWack
against
HSTS:
NTP
MitM

The
End
Boss
Demo’s

Demo:
Evil
Twin
Scenario
•We
listen
for
wireless
traffic
around
us
and
see
open
AP
“ABC”

•We
setup
an
access
point
with
Mana
Toolkit
and
name
it
“ABC”

•We
de-‐authorise
“USER1”
who
is
connected
to
“ABC”

•“USER1”
connects
to
our
AP

•We
sniff
traffic,
using
SSLStrip+
and
capture
the
google
password

Demo:
Evil
Portal
•We
Set
Up
a
Wireless
Portal
that
Provides
free
access
(preferably

somewhere
where
there’s
a
lot
of
people
and
no
other
AP’s)

•Some
social
engineering:
people
can
login
with
Google,

facebook,
twiWer
and
other
social
media
accounts

•…
but
not
really

Conclusions
•Karma
aWack
sEll
works
on
some
devices
but
not
that
great
(not

many
direct
probes)

•There
are
sEll
tricks
to
‘bypass’
secure
networks,
but
vendors
are

working
on
it
as
well
(HSTS)

•Most
eﬀecEve
aWacks
these
days
involve
some
degree
of
social

engineering:
Evil
Twin
+
Deauth,
Fake
CapEve
Portal

References
• hWp://www.sensepost.com/blog/11823.html

• hWp://www.thoughtcrime.org/sopware/sslstrip/

• hWps://www.roe.ch/SSLsplit

• hWp://www.theta44.org/karma/

• hWps://www.blackhat.com/docs/asia-‐14/materials/Nve/Asia-‐14-‐Nve-‐Oﬀensive-‐ExploiEng-‐
DNS-‐Servers-‐Changes.pdf

• hWp://www.wsec.be/blog/2012/02/14/airbase-‐ng-‐sslstrip-‐meet-‐airstrip

• hWps://www.blackhat.com/docs/eu-‐14/materials/eu-‐14-‐Selvi-‐Bypassing-‐HTTP-‐Strict-‐
Transport-‐Security-‐wp.pdf

Want
to
see
more?
•
www.nexus-‐training.eu

•
video’s
available

•
slideset
will
be
provided
there
too

•
training

•
30.03-‐01.04 
3
day
hacking
introducEon
@
Ausy
(Haasrode) 
hWp://www.dataﬂow.be/en/ethical-‐hacking-‐training-‐hacking-‐
explained-‐condensed

The state of wireless security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to The state of wireless security

Similar to The state of wireless security (20)

Recently uploaded

Recently uploaded (20)

The state of wireless security