Upload
dinhhanh
View
230
Download
0
Embed Size (px)
Citation preview
WLAN Security and AnalysisApril 1, 2008
Thomas d’Otreppe de BouvetteAircrack-ng
SHARKFEST '08Foothill CollegeMarch 31 - April 2, 2008
Agenda Who Am I? Wireless networks
Timeline Overview of 802.11 networks Wireless packets Encryption Interactions with networks Capture files analysis
OSdep Demo
Who Am I?
Started Aircrack-ng ~2 years ago.
Graduated from Brussels High School in June 2006
Currently work as IT consultant
Created Offensive-Security WiFu course
Overview of 802.11 networks -Timeline
802.11: ’97 802.11a: ‘99 802.11b: ’99 802.11g: 2003 802.11n: Group started in January 2004
D1.0 (1.06): November 2006 D1.1: January 19, 2007 D2.0: March 2007 D3 (3.02): January 2008
Overview of 802.11 networks - OSI
Physical
Data Link
PHY
MAC
802.2 Logical Link Control
802.3 MAC
802.3 PHY
802.11 MAC
802.11FHSS PHY
802.11bHR/ DSSS
PHY
802.11aOFDM PHY
802.11DSSS PHY
802.11gERP PHY
802.11IR
PHY
LLC
Wireless packets – Frame structure
Frame control Duration / ID Address 1 Address 2 Address 3 Sequence
Control Address 4
Data FCS
bytes
Protocol Version Type Subtype To
DSFromDS
More frag Retry More
DataPower Mgmt
Prot.frame Order
bits 2 2
2 2 2
4
4
1 1 1 1 1 1 1 1
6 6 6 6
0-2324
Header
bytes 30
Sequence Number FragmentNumber
bits 12 4
Wireless packets – Frame structureAddresses
APDASABSSID10
WDSSADATARA11
APSABSSIDDA01
IBSSBSSIDSADA00
ModeAddress 4Address 3Address 2Address 1ToDSbit
FromDSbit
Wireless packets – Management frames
• Definition: used to negotiate and control the relationship between the AP and the station.
• Type field value: 0
Probe response5
Probe request4
Meas. Pilot6
Reassoc. resp.3
Reassoc. req.2
Assoc. response1
Assoc. request0
DescriptionSubtype fieldvalue
Action13
Action No ACK14
Deauthentication12
Authentication11
Reserved15
Disassociation10
ATIM9
Beacon8
Reserved7
DescriptionSubtype fieldvalue
Wireless packets – Management frames (1)
Beacon
Frame control Duration Destination
AddressSource
Address BSS ID Sequence Control
Frame body FCS
2 2 2
4
6 6 6
Header
24
Beacon interval
Capability information SSID Supported
rates FH Parameter SetDS
Parameter set
2 2 2Variable Variable 6
Timestamp
8
CF Parameter set
8
IBSS Parameter
set
2
Country information
Variable
FH Hopping parameter
4
FH Pattern table
Variable
Power constant
3
Channel switch announcement
6
Quiet
8
IBSS DFS
Variable
TPC Report
4
ERP Information
3Extended Supported
rates
Variable
Robust Security Network
Variable
Variable
TIM
Variable
Wireless packets – Management frames (2)
Frame control Duration Destination
AddressSource Address BSS ID Sequence
Control
Frame body FCS
bytes 2 2 2
4
6 6 6
Header
bytes 24
SSID SupportedRates
Extended Supported
Rates
Variable Variable Variable
Probe Request
Variable
Wireless packets – Management frames (3)
Probe response
Frame control Duration Destination
AddressSource
Address BSS ID Sequence Control
Frame body FCS
2 2 2
4
6 6 6
Header
24
Beacon interval
Capability information SSID Supported
rates FH Parameter SetDS
Parameter set
2 2 2Variable Variable 6
Timestamp
8
CF Parameter set
8
IBSS Parameter
set
2
Country information
Variable
FH Hopping parameter
4
FH Pattern table
Variable
Power constant
3
Channel switch announcement
6
Quiet
8
IBSS DFS
Variable
TPC Report
4
ERP Information
3Extended Supported
rates
Variable
Robust Security Network
Variable
Variable
Wireless packets – Management frames (4)
Frame control Duration Destination
AddressSource
Address BSS ID Sequence Control
Frame Body FCS
bytes 2 2 2
4
6 6 6
Header
bytes 24
Authentication
Authentication Algorithm No
2Authentication Transaction
Seq No
2
Challenge text
Variablebytes
Status Code
2
Variable
Wireless packets – Management frames (5)
Frame control Duration Destination
AddressSource Address BSS ID Sequence
Control
Frame Body FCS
bytes 2 2 2
4
6 6 6
Header
bytes 24
Association request
Capability Information
2
Listen Interval
2
SSID
Variable
Supported rates
Variable
Variable
Wireless packets – Management frames (6)
Frame control Duration Destination
AddressSource
Address BSS ID Sequence Control
Frame Body FCS
bytes 2 2 2
4
6 6 6
Header
bytes 24
Reassociation request
Capability Information
2
Listen Interval
2
SSID
Variable
Supported rates
Variable
Source Address
6bytes
Variable
Wireless packets – Management frames (7)
Frame control Duration Destination
AddressSource
Address BSS ID Sequence Control
Frame Body FCS
bytes 2 2 2
4
6 6 6
Header
bytes 24
Association/Reassociation response
Capability Information
2
Status code
2
Supported rates
Variable
Association ID (AID)
6bytes
Variable
Wireless packets – Management frames (8)
Frame control Duration Destination
AddressSource Address BSS ID Sequence
Control
Body FCS
bytes 2 2 2
4
6 6 6
2
Header
bytes 24
Reason code
2
Disassociation / Deauthentication frame
bytes
Wireless packets – Control frames
• Definition: Assist in the delivery of management and data frames.
• Type field value: 1
PS-Poll10
Block ACK9
Block ACK request8
Control Wrapper7
Reserved0-6
DescriptionSubtype fieldvalue
CF-End + CF-ACK15
CF End14
ACK13
CTS12
RTS11
DescriptionSubtype fieldvalue
Wireless packets – Control frames (2)
Frame control Duration Receiver
AddressTransmitter
Address
bytes 2 2 6 6
FCS
4
Frame control Duration Receiver
Address
bytes 2 2 6
FCS
4
RTS
CTS
Frame control Duration Receiver
Address
bytes 2 2 6
FCS
4
ACK
Wireless packets – Data frames
• Definition: Carry higher level protocol data in the frame body
• Type field value: 2
CF ACK5
Null function4
CF Poll6
Data + CF ACK
+ CF Poll
3
Data + CF Poll2
Data + CF ACK1
Data0
DescriptionSubtype fieldvalue
Reserved13
QoS CF-Poll (no data)14
QoS Null (no data)12
QoS data + CF-ACK + CF-Poll
11
QoS CF-ACK + CF-Poll(no data)
15
QoS data + CF-Poll10
QoS data + CF-ACK9
QoS data8
CF ACK + CF Poll7
DescriptionSubtype fieldvalue
Interactions with networks –Encryption - WEP
Wired Equivalent Privacy
Part of 802.11
RC4
24 bit IV
CRC32 (ICV) for message integrity
Interactions with networks –Encryption - WEP (2)
KSA
IV
Key
PRGA
Message
ICV
Keystream
EncryptedMessage ICVKey
IDIV
Header
Interactions with networks –Encryption - WEP (3)
KSA PRGA Keystream
EncryptedMessage ICVKey
IDIV
Key
PlaintextMessage
Decryption
ICV
Interactions with networks –Encryption - WEP (4)
function KSA()
for i from 0 to 255
S[i] := i
endfor
j := 0
for i from 0 to 255
j := (j + S[i] + key[i % keylength]) % 256
swap(S[i], S[j])
endfor
endfunction
Interactions with networks –Encryption - WEP (5)
function PRGA()
i := 0
j := 0
while GeneratingOutput:
i := (i + 1) % 256
j := (j + S[i]) % 256
swap(S[i], S[j])
output S[(S[i] + S[j]) mod 256]
endwhile
endfunction
Interactions with networks –Encryption - WEP (6)
1 0 11
1 0 11
1 1 00
Plaintext
Encrypted data
Keystream
Encryption
1 0 11
1 0 11Plaintext
Encrypted data
Keystream
Decryption
1 1 00
Interactions with networks –Encryption - WPA
802.11i group
Developped two link-layer protocols: TKIP – WPA1: Draft 3 of 802.11i group (backward
compatible with legacy hardware). CCMP – WPA2: final 802.11i standard
Two flavors: Personal: PSK Enterprise: MGT
Interactions with networks –Encryption - WPA (2)
STA
Agreement onSecurity protocols
802.1X authentication
AuthenticatorAP
Keys distributionand verification
Master Key Distribution by Radius Server
Data encryption and integrity
Interactions with networks –Encryption - WPA (3)
Agreement on security protocols
Beacons and probe
Authentication: PSK or Radius server
Encryption suite for unicast and multicast/broadcast: TKIP, …
Interactions with networks –Encryption - WPA (4)
802.1X Authentication
Not done with PSK Use EAP When successfully authenticated:
ACK sent to the client Generated Master Key sent to the AP
Interactions with networks –Encryption - WPA (5)
STA
Agreement onSecurity protocols
AP
Keys distributionand verification
Data encryption and integrity
Interactions with networks –Encryption - WPA (6)
Key distribution and verification
Confirmation of the cipher suite used
Confirmation of the PMK knowledge
Installation of the integrity and encryption keys
Send GTK securely
Interactions with networks –Encryption - WPA (7)
SupplicantANonce
SNonce + MIC
GTK + MIC
ACK
Supplicant constructPairwise Transient Key
(256 bit)
Authenticator constructPairwise Transient Key
(256 bit)
WPA Key distribution and verification4-way handshake
Authenticator
Interactions with networks –Encryption - WPA (8)
Supplicant
GTK + MIC
ACK
Group Transient KeyConstruction
Group Transient Key Deciphering (using KEK)
Group key handshake
AP
Interactions with networks –Encryption - WPA (9)
Pairwise Master Key (256 bit)
ANonce
SNonce
STA MAC Address
AP MAC Address
HASH
Key Confirmation Key
Key Encryption Key
Temporal Key
MIC Rx key
128 bit
128 bit
128 bit
64 bitMIC Tx Key 64 bit
Pairwise Transient Key
WPA Key exchange and verificationPTK Generation
Interactions with networks –Encryption - WPA (10)
Group Master Key (256 bit)
GNonce
Group Key Expansion
AP MAC AddressH
ASH Group Transient Key
WPA Key exchange and verificationGTK Construction
Interactions with networks –Encryption - WPA (11)
MAC Header IV/Key ID Extended IV Data (PDU) MIC ICV FCS
4 4 8 4 4>= 1
TKIP Frame
bytes
Encrypted
MAC Header CCMP Header Data (PDU) MIC FCS
8 8 4>= 1
CCMP Frame
bytes
Encrypted
Data Encryption and Integrity
Interactions with networks
APSTA Probe request / response
Association request / response
Authentication
Data
Interactions with networks – Authentication -Open
APSTA Authenticationrequest
AP authenticate The client
Interactions with networks – Authentication -Shared
APSTA Authenticationrequest
Encrypt Challenge Textthen send it to AP
ChallengeText
Decrypt and if correct,Authenticate client
OSdep
Similar to LORCON
OS supported: Linux, *BSD, Windows
Automatic recognition of the interface / driver
Sniffing capabilities
OSdep (2)
Control interfaces Get and set MAC address Get and set Channel Get and set rate
Networking
Create your own DLL to interact with special drivers on windows
OSdep - Applications
Existing tools: Aircrack-ng 1.0 MDK3
Sample application:www.aircrack-ng.org/wifiping.tar.gz