7. SSID
Network identifier
SSID is broadcasted in a beacon frame
Clear Text!
Change it from the default
Cisco = tsunami
Linksys = linksys
Netgear = netgear
Stop broadcasting!
8. MAC Address Filtering
White-list approach
Does not scale
Frame headers are never encrypted
Sniffing traffic will reveal valid MAC addresses
Bottom line…..
Prevents casual hacking..
Quite useless
9. Shared/Open Authentication (1)
2 ways of initiating communication
Shared Key
Open Key authentication
Open key Auth = No authentication
Shared Key Auth = requires WEP
10. Shared Authentication (2)
The challenge is generated using a PRNG used
by WEP
Challenge is then encrypted using WEP key and
sent back
This is bad…….. reveals the WEP key
13. 64/40 and 128/104 bits
confusion
IV (24bits)
Your WEP key:
5-ASCII char word = 40bits
13-ASCII char word = 104bits
Security-wise, it’s really 40bits or 104bits
14. Problems with WEP
1 Static Key
No encryption is strong if one key is used forever
Key length is short (40bits)
Brute forcing is possible
104bits version exists
Using CRC32
CRC is a hash function used to produce a checksum
Improper use of RC4
IV space is too small (24bits)
No protection against replay attack
No specification on key distribution
Lacks scalability
15. CRC32 and WEP
CRC32 doesn’t have the cryptographic
strength seen in MD5 or SHA1
Bit-flipping is possible
Change the data, and WEP won’t catch it
Seems trivial….?
16. RC4 and WEP (1)
RC4 – Rivest’s Cipher 4
Stream Cipher
What is a requirement for a stream cipher?
Avoid key sequence collision at any cost
{M1 XOR RC4-Key} XOR {M2 XOR RC4-Key}
= M1 XOR M2
With WEP, key sequences are repeated every 16
million packets (2 ^ 24)
Key sequence collision doesn’t reveal the WEP key!
17. RC4 and WEP (2)
Weak IVs reveal the WEP key
5% chance of guessing the portion of the seed (WEP key)
correctly
FMS attack
2M~ packets to decrypt 40bit WEP key
The time needed is a linear function to the key length
104bit key is just as useless as 40bits key
18. Replay Attacks
Reinjection of the captured packets are
possible
IV usage is not specified
19. Effective WEP cracking
KoreK attack (Aug. 2004)
Another statistical analysis based attack on WEP key
Extremely fast
Decrypts packets using CRC32 vulnerability
Possible with as little as 0.1M IVs (packets)…
Traditional method requires more than 2M packets
Accelerate it with packet injection – ARP
A 40-bit WEP can be cracked in 10 Minutes
Fast swapping of WEP key is no longer safe
20. Conclusion: WEP
Confidentiality
FMS attack
KoreK attack
Integrity
Bit-flipping attack
Authentication
Non-existent
Attacks can be completely passive
NO MORE WEP
24. 802.1X
802.1X is a port-based, layer 2 authentication
framework
Not limited wireless networks
Uses EAP for implementation
End-result
A WEP key for WEP
A seed for an encryption key used in WPA/WPA2
802.1X is not an alternative to WEP
26. Extensible Authentication Protocol
(EAP)
Authentication Framework
runs on the different layer than 802.1x
Very flexible
RADIUS is de-facto
a server for remote user authentication and
accounting
28. EAP-MD5
EAP-MD5 is a simple EAP implementation
Uses and MD5 hash of a username and
password that is sent to the RADIUS
server
Authenticates only one way
Man in the middle attack
Bottom line: Not recommended
29. LEAP (EAP-Cisco)
Like EAP-MD5, it uses a Login/Password
scheme that it sends to the RADIUS server
Each user gets a dynamically generated one
time key upon login
Authenticates client to AP and vice versa
Only guaranteed to work with Cisco wireless
clients
Broken – ASLEAP by Joshua Wright
Dictionary attack
30. EAP-TLS by Microsoft
Instead of a username/password scheme, EAP-TLS
uses certificate based authentication
Two way authentication
Uses TLS (Transport Layer Security) to pass the
PKI (Public Key Infrastructure) information to
RADIUS server
Compatible with many OS’s
Harder to implement and deploy because PKI for
clients are also required
31. PEAP by Microsoft and Cisco
A more elegant solution!
Very similar to EAP-TLS except that the client
does not have to authenticate itself with the
server using a certificate, instead it can use a
login/password based scheme
Much easier to setup, does not necessarily
require a PKI
Currently works natively with Windows XP SP1,
and OSX. 802.1x supplicant exists for linux
33. WPA Mechanism
1. Confirmation of association capability
2. Authentication by 802.1x or PSK
3. 4-way handshake
4. Encryption using TKIP
Very Different from WEP which took care of
“everything”
36. 802.1x Authentication + PMK
Security level can be selected
Pairwise Master Key (PMK) is a seed for
temporal key generation used in
encryption
PMK is generated based on the user
authentication result
37. 4 Way Handshake and PTK
PTK (512bits) splits in 4 ways
Part of PTK is used to generate the
encryption key (WEP equivalent) in the
next phase
39. TKIP (Temporal Key Integrity
Protocol)
The heart of WPA encryption mechanism
Expands IV space (24 48bits)
IV sequence is specified
Generate a key which conforms to WEP
A fresh key is used for every 16M packets
Michael
Very cheap integrity checker for MAC
addresses and DATA
40. WPA-PSK
For home / SOHO use
Removes 802.1x authentication
Pre-shared Key + TKIP
Weak against passive dictionary attack
Attacks exist - WPA Cracker
Still MUCH better than WEP
41. WPA Security Insight
No effective attacks found on WPA + 802.1x
WPA-PSK should be used with care
42. WPA2 - 802.11i
The long-awaited security standard for
wireless, ratified in June 2004
Better encryption: AES-CCMP
Key-caching (optional)
Pre-authentication (optional)
Hardware manufactured before 2002 is
likely to be unsupported: too weak
43. PMK Key-Caching
Skips re-entering of the user credential by
storing the host information on the network
Allows client to become authenticated with
an AP before moving to it
Useful in encrypted VoIP over Wi-Fi
Fast Roaming
45. Suggested Practice
Hide SSID
Do NOT use WEP
Use WPA-PSK with a good pass-phrase
or Use WPA with 802.1x if possible
Get WPA2 certified product for your next
purchase
46. tinyPEAP (1)
A self contained PEAP enabled RADIUS
server
Currently available in Linksys
WRT54G/GS router and Win32 binary
Native Windows XP SP1 support
Web-based user management
The easiest and the most secure solution
available in consumer level
49. Survey (2)
Ready to reconfigure your wireless
network?
50.
51. Links to the tools used:
Airsnort
http://airsnort.shmoo.com
Netstumbler
http://www.netstumbler.com
Ethereal
http://www.ethereal.com
tinyPEAP
http://www.tinypeap.com
52. Papers and Wireless Security Web
Pages
Weaknesses in the Key Scheduling Algorithm of
RC4
The Unofficial 802.11 Security Web Page
Wireless Security Blackpaper
The IEEE 802.11 specifications (includes WEP
spec)
Paper on detecting Netstumbler and similar
programs
Further reading on upcoming 802.11 variations
Assorted 802.11 related crypto algorithms
written in ANSI C
53. An exercise in wireless
insecurity
Tools used:
Laptop w/ 802.11a/b/g card
GPS
Netstumbler
Aircrack (or any WEP cracking tool)
Ethereal
the car of your choice
54. Step1: Find networks to attack
An attacker would first use Netstumbler to
drive around and map out active wireless
networks
Using Netstumbler, the attacker locates a
strong signal on the target WLAN
Netstumbler not only has the ability to
monitor all active networks in the area, but
it also integrates with a GPS to map AP’s
56. Step 2: Choose the network to
attack
At this point, the attacker has chosen his
target; most likely a business
Netstumbler can tell you whether or not
the network is encrypted
Also, start Ethereal to look for additional
information.
This time…….
Your target is GTwireless
57. Step3: Analyzing the Network
WLAN has no broadcasted SSID
Netstubmler tells me that SSID is
GTwireless
Multiple access points
Open authentication method
WLAN is encrypted with 40bit WEP
WLAN is not using 802.1X (WEB-auth)
58. Step4: Cracking the WEP key
Attacker sets NIC drivers to Monitor Mode
Begins capturing packets with Airodump
Airodump quickly lists the available
network with SSID and starts capturing
packets.
After a few hours of airodump session,
launch aircrack to start cracking!
WEP key for GTwireless is revealed!
59. Step5: Sniffing the network
Once the WEP key is cracked and the NIC
is configured appropriately, the attacker is
assigned an IP, and can access the WLAN
However, a secure proxy with an SSL
enabled web based login prevents access
to the rest of network and the Internet
Attacker begins listening to traffic with
Ethereal
60. Step6: Sniffing continued…
Sniffing a WLAN is very fruitful because
everyone on the WLAN is a peer, therefore
you can sniff every wireless client
Listening to connections with plain text
protocols (in this case FTP, POP, Telnet) to
servers on the wired LAN yielded 2 usable
logins within 1.5hrs
61. What was accomplished?
Complete access to the WLAN
Complete access to the wired LAN
Complete access to the internet
Access to servers on the wired LAN using
the sniffed accounts
Some anonymity. Usage of Netstumbler
and other network probing devices can be
detected. Skip that step if possible.
62. Other possibilities
Instead of sniffing a valid login, the
attacker could have exploited a known
vulnerability in the proxy (provided there is
one)
The greater risk for being noticed,
something an attacker does not want
63. That’s it…the network is
compromised
As long as WEP is in place, such attack is
always possible
Sadly, many are less secure
How about yours?