Wireless Threats: Tools Attackers Are Using Against You
SUNY Technology Conference
June 21, 2011
Bill Kramp – FLCC Network Administrator

Copyright © 2011 William D. Kramp
All Rights Reserved


Wireless Threats

• What are the threats to your network?
  ▫ Intentional
  ▫ Unintentional
  ▫ Network compromise
  ▫ Account compromise
  ▫ Denial of Service

Where is the threat?

• Scenario

Tools

• NetStumbler, iStumbler, Kismet, KisMAC
• Aircrack suite:
  ▫ Airodump
  ▫ Aircrack
  ▫ Aireplay

• Void11
• FreeRadius and WPE
• asleap
• Metasploit

Wireless Encryption

• Wired Equivalent Privacy (WEP)
• WiFi Protected Access (WPA)
• WiFi Protected Access II (WPA2)

Wireless Terms

• Service Set Identifier (SSID): wireless network name
• Wireless devices: Laptop, iTouch, iPad
  ▫ STA (station)
  ▫ MAC: MAC address of wireless device
  ▫ Supplicant: 802.1X term, provides credentials
• Access Point (AP):
  ▫ BSSID: MAC address of an AP for a SSID
  ▫ Authenticator: 802.1X term, controls access of supplicant
• Authentication Server (AS): RADIUS server
  ▫ Performs authentication of supplicant

Attack Stages

1. Reconnaissance
2. Enumeration
3. Attack
4. Backdoors
5. Anti-forensics

Presentation Notes
Reconnaissance: Google, whois, DNS zone transfer, physical, Kismet, iStumbler
Enumeration (Vulnerability Assessment): Nessus
Escalation: privilege, Denial of service, man in the middle

Reconnaissance

• Footprinting
  ▫ Google the target
  ▫ DNS analysis
  ▫ Whois
• Fingerprinting:
  ▫ NetStumbler, Kismet, etc.
  ▫ Nmap, fping
  ▫ Cheops-ng

Enumeration

• Vulnerability scanning
  ▫ Nessus
• Vulnerability databases:
  ▫ US-CERT

Attack Types

• Denial of Service (DoS)
• Privilege Escalation
• Man In The Middle (MITM)

Denial of Service

• Physical (PHY) Layer 1
  ▫ Unintentional
  ▫ Intentional
• MAC Layer 2
  ▫ Unintentional
  ▫ Intentional

Layer 1 Interference

Layer 1 DoS

• RF Jammers
  ▫ RX10 Worldband Jammer: 800 MHz, 900 MHz, 1800 MHz, 1900 MHz, 3G-UMTS, 2.4 GHz (WiFi)
  ▫ 30 meter radius

Presentation Notes
http://www.globalgadgetuk.com/rx10.html
200 pounds ($325 US dollars); current deal: buy 2 get 1 free

Queensland Attack

• 802.11b vulnerability
• 802.11g/a immune
• b/g APs impacted
• Prism Test Utility
• CSMA/CA Clear Channel Assessment exploit

Presentation Notes
Vulnerability discovered by researchers at Queensland University of Technology's Information Security Research Center.

Layer 2

802.11 Frame Types

• Data
  ▫ Encapsulates IP protocol and higher layers
  ▫ Can be encrypted
• Management
  ▫ Authentication and authorization functions
  ▫ Not protected
• Control
  ▫ Requesting and controlling access to the wireless medium
  ▫ Not protected

Presentation Notes
NIST SP 800-97, pp. 5-1 to 5-2

802.11 Legacy Stages

1. Unauthenticated and Unassociated
2. Authenticated and Unassociated
   ▫ Open System
   ▫ Shared Key
3. Authenticated and Associated

Robust Secure Network Phases

• Phase 1: Discovery
• Phase 2: Authentication
• Phase 3: Key Generation and Distribution
• Phase 4: Data Transfer
• Phase 5: Connection Termination

Presentation Notes
NIST SP 800-97. Also known as 802.11i. Described in more detail in the next presentation.

Layer 2 DoS Attacks

• Void11
  ▫ Deauthenticate clients
  ▫ Authentication flood
  ▫ Association flood
• Power Save Attack
  ▫ Spoof power save poll message from AP
  ▫ Spoof “no buffer” messages to client

Presentation Notes
http://wirelessdefence.org/Contents/Void11Main.htm
Motorola White Paper, “Can Wireless LAN Denial of Service Attacks Be Prevented?”

Deauthentication Attack

Authentication Flood

Presentation Notes
Flood could involve hundreds of fake wireless clients. Association flood is similar, it just uses more resources.
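The 802.11 Frame Types slide notes that management frames are unprotected, and the deauthentication and authentication flood slides describe what an attacker does with that. The Python below is an added example, not code from the presentation: it builds constructed management frames, parses the frame-control and address fields, and flags a BSSID that receives an abnormal number of deauthentication frames, or authentication frames from many distinct client addresses, within one time window; the thresholds, window size and MAC addresses are assumptions.

```python
import struct
from collections import defaultdict

TYPE_MGMT = 0                       # 802.11 frame type: 0 = management, 1 = control, 2 = data
SUBTYPE_AUTH, SUBTYPE_DEAUTH = 11, 12

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_mgmt(subtype, addr1, addr2, addr3, body=b""):
    """Constructed management frame: frame control | duration | A1 | A2 | A3 | seq | body."""
    fc0 = (subtype << 4) | (TYPE_MGMT << 2)         # protocol version 0, type 0, subtype
    hdr = struct.pack("<BBH", fc0, 0, 0) + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
    return hdr + struct.pack("<H", 0) + body

def parse_header(frame):
    """Return (type, subtype, addr1, addr2, addr3) from a raw 802.11 MAC header."""
    fc0 = frame[0]
    return (fc0 >> 2) & 0x3, fc0 >> 4, mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])

def detect_floods(frames, window=1.0, deauth_limit=10, auth_clients_limit=50):
    """frames: iterable of (timestamp_seconds, raw_frame). Flags, per BSSID and time bucket,
    a deauthentication flood (too many deauths) or an authentication flood (auth frames
    from too many distinct client addresses, the 'hundreds of fake clients' of the note)."""
    deauths = defaultdict(int)       # (bssid, bucket) -> deauth frame count
    auth_src = defaultdict(set)      # (bssid, bucket) -> distinct source addresses
    for ts, raw in frames:
        ftype, subtype, _a1, a2, bssid = parse_header(raw)
        if ftype != TYPE_MGMT:
            continue                 # only the unprotected management frames are counted
        key = (bssid, int(ts // window))
        if subtype == SUBTYPE_DEAUTH:
            deauths[key] += 1
        elif subtype == SUBTYPE_AUTH:
            auth_src[key].add(a2)
    alerts = [("deauth-flood", b, n) for (b, _), n in deauths.items() if n > deauth_limit]
    alerts += [("auth-flood", b, len(s)) for (b, _), s in auth_src.items() if len(s) > auth_clients_limit]
    return sorted(alerts)

# Constructed capture: a spoofed AP broadcasts 40 deauths in the first second, then 120 fake
# clients send authentication frames within one second, then one normal client authenticates.
AP, BCAST = "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"
SAMPLE = [(0.01 * i, build_mgmt(SUBTYPE_DEAUTH, BCAST, AP, AP, struct.pack("<H", 7))) for i in range(40)]
SAMPLE += [(2.0 + 0.005 * i, build_mgmt(SUBTYPE_AUTH, AP, f"02:00:00:00:00:{i:02x}", AP)) for i in range(120)]
SAMPLE.append((5.0, build_mgmt(SUBTYPE_AUTH, AP, "aa:bb:cc:dd:ee:ff", AP)))

if __name__ == "__main__":
    for kind, bssid, count in detect_floods(SAMPLE):
        print(f"{kind}: BSSID {bssid}, {count} in one window")
```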

Targeted DoS

• Aireplay-ng
• Targeted attack on a specific wireless device
  ▫ Specify:
      BSSID of wireless AP
      MAC address of target wireless device
      ESSID (SSID)

Protecting Management Frames

• IEEE 802.11w
  ▫ Adds protection against deauthentication
  ▫ Adds protection against disassociation
  ▫ Establishes Security Associations (SAs) between AP and STA
  ▫ Devices try to confirm requests to deauthenticate or disassociate.

Presentation Notes
http://www.slideshare.net/AirTightWIPS/80211w-is-ratified-so-what-does-it-mean-for-your-wlan

Wireless Hacking

• Privilege Escalation
• Man (Rodian) In The Middle

Presentation Notes
Onaconda Farr – Rodian Senator

Wired Equivalent Privacy (WEP)

Presentation Notes
http://en.wikipedia.org/wiki/File:KeystoneKops.jpg

WEP Vulnerabilities

• RC4 KSA: weak keys
• Short IV: 24-bit Initialization Vector
• Lack of integrity protection: CRC-32
• Key reuse (WEP key)
• No replay protection
• Short keys: 40 and 106 bit

Hardjono & Dondeti (2005)

Presentation Notes
IV problems: over 16 million patterns (2^24-1); 9000 are weak keys; only 2000 weak keys are needed to break the encryption with some tools.
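The note above counts the 2^24 IV values. The added Python below (not from the presentation) works out what that space means in practice: the birthday bound on how many frames pass before an IV, and with it an RC4 keystream, repeats, and how long a sequential IV takes to wrap at an assumed frame rate, for WEP's 24-bit IV against the 48-bit IV that TKIP introduces on the WPA slide.

```python
import math

def collision_probability(iv_bits, frames):
    """Exact birthday-problem probability that at least two of `frames` frames share an IV
    when IVs are chosen uniformly at random from a 2**iv_bits space."""
    space = 2 ** iv_bits
    no_repeat = 1.0
    for i in range(frames):
        no_repeat *= (space - i) / space
    return 1.0 - no_repeat

def frames_for_probability(iv_bits, p):
    """Approximate number of frames after which an IV repeat has probability p
    (k ~ sqrt(2N ln(1/(1-p))) for N = 2**iv_bits)."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1.0 / (1.0 - p))))

def exhaustion_seconds(iv_bits, frames_per_second):
    """Seconds until a sequential IV counter wraps at a steady frame rate; after the wrap
    every keystream is reused, whether or not any of the IVs were 'weak'."""
    return 2 ** iv_bits / frames_per_second

def compare(iv_bits_list=(24, 48), frames_per_second=1000):
    """Tabulate both views for each IV size. The frame rate is an assumed busy-network figure."""
    return {bits: {"iv_space": 2 ** bits,
                   "frames_to_50pct_repeat": frames_for_probability(bits, 0.5),
                   "hours_to_wrap": exhaustion_seconds(bits, frames_per_second) / 3600}
            for bits in iv_bits_list}

if __name__ == "__main__":
    for bits, row in compare().items():
        print(f"{bits}-bit IV: {row['iv_space']:>16,} values, ~{row['frames_to_50pct_repeat']:,} frames"
              f" to a 50% repeat chance, {row['hours_to_wrap']:,.1f} hours to wrap at 1000 fps")
```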

WEP Attacks

• Traffic injection:
  ▫ Aireplay
  ▫ WEPWedgie
• Cracking keys:
  ▫ Aircrack (airodump)
  ▫ WEPcrack
  ▫ AirSnort

Presentation Notes
Aireplay replay attack using ARP: http://www.aircrack-ng.org/doku.php?id=arp-request_reinjection

WiFi Protected Access (WPA)

• Short-term “fix” for vulnerabilities of WEP
• Works within legacy computational limits
• Provides:
  ▫ 802.1X support
  ▫ Temporal Key Integrity Protocol (TKIP)
      Key mixing
      Longer IV
      Message Integrity Check (MIC)

Beaver & Davis (2005)

Presentation Notes
Protects against replay attacks. Protects data integrity.

WPA Vulnerabilities

• Four-way handshake at session start
  ▫ Exposes pre-shared keys
• Dictionary attack can be executed
• Security assumptions for 4-way exchanges:
  ▫ Secure PMK delivery
  ▫ Strong PSKs
  ▫ Random nonces
  ▫ Correct implementation

Hardjono & Dondeti (2005)

WPA Attack

Presentation Notes
Linksys advertises support for both TKIP and AES (CCMP) in the beacons. While some tools (airodump) may report this as WPA2 and CCMP, the client and AP downgraded to WPA and TKIP.

Rainbow Tables

• Contain lists of:
  ▫ Commonly used passwords
  ▫ Dictionary words
• Church of WiFi:
  ▫ coWPAtty
  ▫ 1M+ words
  ▫ Precompiled
  ▫ 33 GB

Presentation Notes
http://www.renderlab.net/projects/WPA-tables/

Cloud based WPA Attack

Presentation Notes
http://www.wpacracker.com/index.html

Best Defense Against Cracking

• Passwords longer than 20 characters
• Don’t use dictionary words
• Mix letters, numbers and special characters

Beaver & Davis (2005)
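Added example, not from the presentation, tying together the WPA Vulnerabilities, Rainbow Tables and Best Defense slides: WPA/WPA2-Personal derives the PMK with PBKDF2-HMAC-SHA1 using the SSID as the salt (4096 rounds), which is why a precomputed table is only valid for the SSIDs it was built for and why each dictionary guess costs 4096 HMACs; a checker then applies the three passphrase rules above. The word list is constructed; the PBKDF2 parameters are those of 802.11i and the "password"/"IEEE" vector is the standard's published test case.

```python
import hashlib
import re

def derive_pmk(passphrase, ssid):
    """WPA/WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1(passphrase, salt=SSID,
    4096 iterations, 256-bit output) as specified in 802.11i. Because the SSID is the salt,
    a table precomputed for 'linksys' says nothing about a network with a custom SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def check_passphrase(passphrase, wordlist):
    """Apply the three rules from the slide; returns the list of rules that fail."""
    failures = []
    if len(passphrase) <= 20:
        failures.append("length: must be longer than 20 characters")
    lowered = passphrase.lower()
    hits = [w for w in wordlist if len(w) >= 4 and w in lowered]   # dictionary words anywhere inside
    if hits:
        failures.append(f"dictionary: contains {hits}")
    has = lambda pattern: re.search(pattern, passphrase) is not None
    if not (has(r"[A-Za-z]") and has(r"\d") and has(r"[^A-Za-z0-9]")):
        failures.append("mix: needs letters, numbers and special characters")
    return failures

# Constructed stand-in for a cracking word list; real lists run to millions of entries
WORDLIST = ["password", "dragon", "letmein", "wireless", "summer"]

if __name__ == "__main__":
    # Same passphrase, two SSIDs: the PMKs differ, so tables are SSID-specific
    for ssid in ("linksys", "Campus-Guest-7f3a"):
        print(f"{ssid:>18}: PMK {derive_pmk('password', ssid).hex()[:16]}...")
    for pw in ("password", "Summer11", "Correct-Horse-Battery-2011!"):
        print(repr(pw), check_passphrase(pw, WORDLIST) or "passes all three rules")
```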

WiFi Protected Access 2

WPA2

• Robust Security Network (RSN) aka 802.11i
• Advanced Encryption Standard (AES)
  ▫ Provides:
      Data confidentiality
      Integrity
  ▫ Meets federal standard FIPS 140-2
• Modes:
  ▫ Personal
  ▫ Enterprise

WPA2 Vulnerabilities

• WPA2 with AES encryption: very secure
• Use MITM attack to reveal credentials:
  ▫ Dependencies:
      Poor password selection
      Users do not validate wireless certificates
      CN of servers for certificate verification not specified
      CA not specified
      Users not prompted to add CAs

WPA2 Attack Tools

• FreeRadius
• Wireless Pwnage Edition (WPE)
• Access Point (could use airbase-ng)
• Airodump
• Aireplay
• asleap

Wireless Pwnage Edition

• Patches FreeRadius to:
  ▫ Accept clients with any IP
  ▫ Accept logins with any username
  ▫ Add credential logging for many EAP methods:
      PEAP
      TTLS
      LEAP
  ▫ Username, challenge and response hashes logged

Presentation Notes
http://www.willhackforsushi.com/FreeRADIUS_WPE.html

asleap

• Initially developed to crack Cisco LEAP
• Upgraded to crack MS-CHAPv2
• Performs dictionary attack
• Hashes of common passwords pre-compiled

WPA2 Attack

Wireless Intrusion Detection System

Vulnerability Exploit tools

• Metasploit
  ▫ Sam Juicer

Backdoors

• Back Orifice 2000
• NetBus
• Sub7
• Lanfiltrator
• VNC
• Cd00r
• NetCat

Cd00r

• Many backdoors open a detectable port.
• Cd00r only opens a listener port as needed
• Uses port knocking to activate
• SYN packets sent to several ports in a predefined sequence (X, Y, Z).
• Cd00r then opens up port 5002
• Can also use NetCat to initiate an outbound command line session
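Added detection example (not from the presentation) for the Cd00r behaviour described above: over constructed firewall log lines it looks for a source whose few dropped SYNs to distinct closed ports are followed, within a short window, by an accepted SYN to a port it never knocked, which is the trace a knock sequence and the newly opened listener leave behind. The log format, the window and the knock-count thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (not any particular firewall's): one SYN per line with its verdict
LINE = re.compile(r"ts=(\d+) src=(\S+) dport=(\d+) flags=(\S+) action=(\S+)")

def parse_line(line):
    """Return (ts, src, dport, flags, action) or None for lines that do not match."""
    m = LINE.search(line)
    if not m:
        return None
    ts, src, dport, flags, action = m.groups()
    return int(ts), src, int(dport), flags, action

def detect_knock_sequences(lines, window=30, min_knocks=3, max_knocks=8):
    """Flag sources whose handful of dropped SYNs to distinct closed ports is followed, within
    `window` seconds, by an accepted SYN to a port they never knocked: the pattern a knock
    (X, Y, Z) followed by the on-demand listener (5002 on the slide) leaves in the logs.
    max_knocks separates this from a port scan, which hits far more closed ports."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == "SYN":
            by_src[rec[1]].append(rec)
    findings = []
    for src, recs in by_src.items():
        recs.sort()
        for i, (ts, _, dport, _, action) in enumerate(recs):
            if action != "ACCEPT":
                continue
            knocks = []
            for pts, _, port, _, verdict in recs[:i]:
                if verdict == "DROP" and ts - pts <= window and port not in knocks:
                    knocks.append(port)
            if min_knocks <= len(knocks) <= max_knocks and dport not in knocks:
                findings.append((src, knocks, dport))
    return findings

# Constructed sample: a knock sequence then the opened listener, a normal web client,
# and a scanner that sweeps 12 closed ports before reaching the real web server.
SAMPLE_LOG = [
    "ts=1308650400 src=198.51.100.7 dport=1111 flags=SYN action=DROP",
    "ts=1308650401 src=198.51.100.7 dport=2222 flags=SYN action=DROP",
    "ts=1308650402 src=198.51.100.7 dport=3333 flags=SYN action=DROP",
    "ts=1308650405 src=198.51.100.7 dport=5002 flags=SYN action=ACCEPT",
    "ts=1308650410 src=192.0.2.9 dport=80 flags=SYN action=ACCEPT",
    "ts=1308650411 src=192.0.2.9 dport=443 flags=SYN action=ACCEPT",
]
SAMPLE_LOG += [f"ts={1308650500 + i} src=203.0.113.44 dport={20 + i} flags=SYN action=DROP" for i in range(12)]
SAMPLE_LOG.append("ts=1308650515 src=203.0.113.44 dport=80 flags=SYN action=ACCEPT")

if __name__ == "__main__":
    for src, knocks, opened in detect_knock_sequences(SAMPLE_LOG):
        print(f"{src}: knocked {knocks} then connected to {opened}")
```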

NetCat

• Reads and writes data across a network
• Allows inbound and outbound connections
• Supports use of UDP or TCP packets
• Just about any port number can be used
• Runs on just about any OS
• Very flexible
• Encrypted version available

Anti-Forensics

• Deleting or modifying log files
• Timestomp: changing timestamps
• Transmogrify: modify file headers to match the file “extension”
• Slacker: break files up and hide them in slack space

Presentation Notes
Transmogrify, Slacker

Windows Time Stamps

• What are they?

Timestomp

• Used on Windows operating systems
• Allows modification/deletion of timestamps:
  ▫ Last Modified timestamp
  ▫ Last Accessed timestamp
  ▫ Created timestamp
  ▫ Entered into NTFS Master File Table
• Referred to as the “MACE” timestamp values
• Process can be performed in memory

Sam Juicer

• Dumps Windows password hashes
• Runs in memory (direct memory injection)
  ▫ Never hits disk
  ▫ Never hits registry
• Doesn’t need SYSTEM privileges
• EnCase won’t detect it, but dd.exe can!

Demonstrations

• Airodump
• FreeRadius WPE patch
• Metasploit
  ▫ Exploit netapi vulnerability
  ▫ Install NetCat for backdoor
  ▫ Timestomp NetCat dates to blend in
  ▫ Change registry to start NetCat at boot time

Successful WPA2 MITM Attack

• JohnDoe connects to rogue AP
• Enters credentials
• No warnings for invalid certificates
• Simple password is cracked with asleap

Failed WPA2 MITM Attack

• JaneDoe connects to rogue AP
• Enters credentials
• PEAP configured to check certificates
• Popup explains that the certificate is not valid; click Cancel to abort.
• Credentials not sent if aborted.
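The JohnDoe and JaneDoe outcomes above come down to whether the client validates the RADIUS server's certificate and name, the dependencies listed on the WPA2 Vulnerabilities slide. The Python below is an added example (not from the presentation) that parses a wpa_supplicant network block, a weak one beside a corrected one, and reports which of those checks are missing; the SSID, file path and domain name are placeholders, and wpa_supplicant is assumed as the client rather than the Windows supplicant shown in the demo.

```python
import re

# Constructed wpa_supplicant blocks. WEAK mirrors the JohnDoe client: no CA and no server-name
# check, so any RADIUS server presenting any certificate is accepted.
WEAK_CONF = """
network={
    ssid="Campus-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
"""

# HARDENED mirrors the JaneDoe client: the CA is pinned and the server's name is checked, so a
# rogue AP's certificate fails before any MS-CHAPv2 exchange happens. Path and domain are placeholders.
HARDENED_CONF = """
network={
    ssid="Campus-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_suffix_match="radius.campus.example"
    phase2="auth=MSCHAPV2"
}
"""

def parse_network_block(text):
    """Return the key/value settings of the first network={...} block, quotes stripped."""
    body = re.search(r"network=\{(.*?)\}", text, re.S).group(1)
    settings = {}
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments
        if "=" in line:
            key, value = line.split("=", 1)            # phase2="auth=MSCHAPV2" keeps its inner '='
            settings[key.strip()] = value.strip().strip('"')
    return settings

def audit_eap_block(settings):
    """Map the MITM dependencies from the WPA2 Vulnerabilities slide onto the settings
    wpa_supplicant uses for them; returns the list of missing checks (empty = hardened)."""
    findings = []
    if settings.get("key_mgmt") != "WPA-EAP":
        return findings                                # not an 802.1X network, nothing to check
    if "ca_cert" not in settings:
        findings.append("CA not specified (ca_cert): any certificate chain is accepted")
    if not any(k in settings for k in ("domain_suffix_match", "domain_match", "subject_match")):
        findings.append("server name not checked (domain_suffix_match): any cert the CA issued is accepted")
    if settings.get("eap") in ("PEAP", "TTLS") and "phase2" not in settings:
        findings.append("inner authentication method not pinned (phase2)")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_eap_block(parse_network_block(conf)) or ["no findings"])
```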

Metasploit Attack

• Top image:
  ▫ Parameters for compromise of w2k3 SP1 with netapi vulnerability.
  ▫ Connection opened with reverse_tcp payload for CLI control of w2k3.
• Bottom image:
  ▫ NetCat (nc.exe) uploaded for backdoor access.
  ▫ Registry then edited to allow nc.exe to start at next reboot of OS.

Sources

Beaver, K., & Davis, P. T. (2005). Hacking Wireless Networks for Dummies. Hoboken, NJ: Wiley Publishing, Inc.

Hardjono, T., & Dondeti, L. R. (2005). Security in Wireless LANs and MANs. Norwood, MA: Artech House, Inc.