8/14/2019 Advanced 802.11 Attack
1/43
7/31/2002 Black Hat 2002, Las Vegas NV
Advanced 802.11 Attack
Mike Lynn & Robert Baird
What Is NOT Covered
Wired Equivalent Privacy (WEP) vulnerabilities
WEP key cracking techniques
Radio signal amplification
Suggested changes to the IEEE 802.11b specification
Wireless network discovery tools
What Will Be Covered
Wireless network best practices
Practical attacks
The focus of the attack(s)
  The network layers: the bottom 2 layers
  Custom (forged) 802.11b management frames
The Tool Box
  Drivers
  Utilities
  Proof of concept code
What Will Be Covered
Attack Scenarios
  Denial of service
  Masked ESSID detection
  802.11b layer MITM attack
  Inadequate VPN implementations
Mitigation Strategies
Wireless Best Practices
Enable WEP (Wired Equivalent Privacy)
  Key rotation when equipment supports it
Disable broadcast of ESSID
Block null ESSID connections
Restrict access by MAC address
Use VPN technology
Use strong mutual authentication
Practical Attacks
WEP: can be cracked passively
Masked ESSID: can be passively observed in management frames during association
Block null ESSID connects: same problem
Install VPN: a weakly authenticated VPN is susceptible to active attack (MITM)
Strong mutual authentication: ?
The Bottom Layers
Manipulating the bottom 2 layers of the OSI model
Data Link (Layer 2)
  Media Access Control (MAC): access to medium
  Logical Link Control (LLC): frame sync, flow control
Physical (Layer 1)
  Radio bit stream
  Divided into channels
The Bottom Layers
Management Frames
Management frames can control link characteristics and physical medium properties
802.11b management frames are NOT authenticated
Why is this bad?
The Tool Box
Custom Drivers
  Air-Jack
    Custom driver for PrismII (HFA384x) cards
    MAC address setting/spoofing
    Send custom (forged) management frames
    AP forgery/fake AP
  Lucent/Orinoco Linux driver modified to allow MAC address setting/spoofing from the command line
Utilities
  User space programs: wlan-jack, essid-jack, monkey-jack, kracker-jack
Air-Jack Driver
Allows control of wireless card modes
Modes 0 and 1: standard documented modes
  IBSS (0) (ad-hoc) or BSS (1) (infrastructure)
Pseudo-IBSS (3) mode
  Control channel selection
  Firmware handles timing sensitive functions
Mode 5: undocumented
  Channel selection
  Firmware handles time sensitive functions
  No beacons sent
  Very little firmware intervention
Air-Jack Driver
Mode 6: Host Access Point mode
  Sends beacons (firmware control)
  Responds to probe requests
  Handles time sensitive functions
Can enable PrismII monitor mode
Uses Linux PF_PACKET interface for RX and TX of raw frames
Air-Jack Driver
/* Air-Jack example: build and send a forged deauthentication frame.
 * struct a3_80211, its mh_* fields, FC_TYPE_MGT and MGT_DEAUTH come from
 * the Air-Jack driver headers; `socket` is the PF_PACKET socket the
 * calling program opened earlier for raw frame TX. */
#include <string.h>
#include <sys/socket.h>
#include <linux/types.h>

void send_deauth(__u8 *dst, __u8 *bssid)
{
    struct {
        struct a3_80211 hdr;   /* 3-address 802.11 management header */
        __u16 reason;          /* deauthentication reason code */
    } frame;

    memset(&frame, 0, sizeof(frame));
    frame.hdr.mh_type = FC_TYPE_MGT;
    frame.hdr.mh_subtype = MGT_DEAUTH;
    memcpy(&(frame.hdr.mh_mac1), dst, 6);     /* addr1: destination station or broadcast */
    memcpy(&(frame.hdr.mh_mac2), bssid, 6);   /* addr2: source, the AP's MAC */
    memcpy(&(frame.hdr.mh_mac3), bssid, 6);   /* addr3: BSSID */
    frame.reason = 1;                         /* reason code 1: unspecified */
    send(socket, &frame, sizeof(frame), 0);
}
Attack Scenarios: WLAN-Jack
Denial of Service: de-authentication
  Use MAC address of access point
  Send deauthenticate frames
  Send continuously
  Send to broadcast address or specific MAC
  Users are unable to reassociate with AP
Air-Jack + WLAN-Jack
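As an added example, not code from the slides or the Air-Jack project, here is a minimal detector for the deauthentication flood described above, written against the same 3-address management header layout the send_deauth snippet fills in. It parses each captured frame's frame-control byte and source address and counts deauthentication frames that claim to come from the monitored AP; the BSSID, client MAC and capture window are constructed sample values, and for brevity every captured frame is held as a fixed 26-byte record.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stddef.h>
#define FC_TYPE_MGT 0x00
#define MGT_DEAUTH  0x0c
#define DEAUTH_LEN  26   /* 24-byte 3-address header + 2-byte reason code */

/* Build a deauth frame in the layout the Air-Jack snippet fills in; used here
 * only to construct sample input for the detector. */
void make_deauth(uint8_t out[DEAUTH_LEN], const uint8_t dst[6],
                 const uint8_t src[6], const uint8_t bssid[6], uint16_t reason)
{
    memset(out, 0, DEAUTH_LEN);
    out[0] = (uint8_t)((MGT_DEAUTH << 4) | (FC_TYPE_MGT << 2));  /* frame control */
    memcpy(out + 4, dst, 6); memcpy(out + 10, src, 6); memcpy(out + 16, bssid, 6);
    out[24] = (uint8_t)(reason & 0xff); out[25] = (uint8_t)(reason >> 8);  /* LE */
}

/* True if buf is a deauthentication frame whose source address (addr2) is ap. */
bool is_deauth_from(const uint8_t *buf, size_t len, const uint8_t ap[6])
{
    if (len < DEAUTH_LEN) return false;
    uint8_t type = (buf[0] >> 2) & 0x03, subtype = (buf[0] >> 4) & 0x0f;
    return type == FC_TYPE_MGT && subtype == MGT_DEAUTH && memcmp(buf + 10, ap, 6) == 0;
}

/* Count deauths "from" ap in one capture window of fixed-size frame records. A burst
 * far above what the AP normally emits, especially to the broadcast address, is the
 * WLAN-Jack signature; a sensor would alert above a tuned per-window threshold. */
int count_ap_deauths(const uint8_t *frames, size_t nframes, const uint8_t ap[6])
{
    int n = 0;
    for (size_t i = 0; i < nframes; i++)
        if (is_deauth_from(frames + i * DEAUTH_LEN, DEAUTH_LEN, ap)) n++;
    return n;
}

/* Constructed one-second window: 8 broadcast deauths spoofing the AP's MAC with reason 1
 * (as on the slide), one unicast deauth, and one data frame (frame control 0x08) that must not count. */
int demo_window_count(void)
{
    static const uint8_t ap[6] = {0x00,0x02,0x2d,0x11,0x22,0x33};   /* sample BSSID */
    static const uint8_t bcast[6] = {0xff,0xff,0xff,0xff,0xff,0xff};
    static const uint8_t sta[6] = {0x00,0x60,0x1d,0xaa,0xbb,0xcc};  /* sample client */
    uint8_t win[10 * DEAUTH_LEN];
    for (int i = 0; i < 8; i++) make_deauth(win + i * DEAUTH_LEN, bcast, ap, ap, 1);
    make_deauth(win + 8 * DEAUTH_LEN, sta, ap, ap, 3);
    make_deauth(win + 9 * DEAUTH_LEN, sta, ap, ap, 1); win[9 * DEAUTH_LEN] = 0x08;
    return count_ap_deauths(win, 10, ap);
}
```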
Attack Scenarios: WLAN-Jack
Airopeek Trace
Attack Scenarios: WLAN-Jack
Decode of Deauthentication Frame
Attack Scenarios: WLAN-Jack
This is your connection
Attack Scenarios: WLAN-Jack
This is your connection on WLAN-Jack.
Attack Scenarios: ESSID-Jack
Is the ESSID a shared secret?
If I mask the ESSID from the AP beacons, then unauthorized users will not be able to associate with my AP?
Discover masked ESSID
  Send a deauthenticate frame to the broadcast address.
  Obtain the ESSID contained in the client probe request or AP probe response.
Attack Scenarios: ESSID-Jack
Airopeek Trace
Attack Scenarios: Monkey-Jack
MITM attack: taking over connections at layers 1 and 2
  Insert attack machine between victim and access point
Management frames
  Deauthenticate victim from real AP
  Send deauthenticate frames to the victim using the access point's MAC address as the source
Attack Scenarios: Monkey-Jack
Victim's 802.11 card scans channels to search for a new AP
Victim's 802.11 card associates with the fake AP on the attack machine
  Fake AP is on a different channel than the real one
  Attack machine's fake AP is duplicating the MAC address and ESSID of the real AP
Attack Scenarios: Monkey-Jack
Attack machine associates with the real AP
  Attack machine duplicates the MAC address of the victim's machine.
Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper level protocols
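As an added example (not from the slides or the Air-Jack tools), a beacon parser and check for the Monkey-Jack symptom the slides describe: a fake AP duplicating the real AP's MAC address and ESSID on a different channel. It extracts the BSSID, SSID and DS Parameter Set channel from the beacon's information elements (a zero-length SSID element is the masked ESSID from the ESSID-Jack slides) and flags a BSSID seen beaconing on two channels. The BSSID, ESSID and channels are constructed sample values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stddef.h>
/* Beacon body after the 24-byte management header: 8-byte timestamp, 2-byte
 * interval, 2-byte capability, then IEs as id,len,data. SSID is IE 0 (empty
 * when the ESSID is masked); DS Parameter Set, IE 3, carries the channel. */
struct beacon_info { uint8_t bssid[6]; char ssid[33]; uint8_t channel; bool masked; };

bool parse_beacon(const uint8_t *buf, size_t len, struct beacon_info *out)
{
    if (len < 36 || buf[0] != 0x80) return false;   /* mgmt type, beacon subtype */
    memset(out, 0, sizeof *out);
    memcpy(out->bssid, buf + 16, 6);                /* addr3 = BSSID */
    out->masked = true;                             /* until a non-empty SSID IE */
    for (size_t i = 36; i + 2 <= len; i += 2 + buf[i + 1]) {
        uint8_t id = buf[i], n = buf[i + 1];
        if (i + 2 + n > len) return false;          /* truncated IE: reject frame */
        if (id == 0 && n > 0 && n <= 32) { memcpy(out->ssid, buf + i + 2, n); out->masked = false; }
        else if (id == 3 && n == 1) out->channel = buf[i + 2];
    }
    return true;
}

/* Monkey-Jack signature: the same BSSID beaconing on two channels, which a
 * single real AP never does. */
bool twin_bssid_seen(const struct beacon_info *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (memcmp(b[i].bssid, b[j].bssid, 6) == 0 && b[i].channel != b[j].channel)
                return true;
    return false;
}

/* Constructed beacon: BSSID 00:02:2d:11:22:33, ESSID "corp", channel 6. */
static const uint8_t sample_beacon[] = { 0x80,0,0,0, 0xff,0xff,0xff,0xff,0xff,0xff,
    0,0x02,0x2d,0x11,0x22,0x33, 0,0x02,0x2d,0x11,0x22,0x33, 0,0, 0,0,0,0,0,0,0,0,
    0x64,0, 0x01,0, 0,4,'c','o','r','p', 3,1,6 };

/* Real AP on channel 6, a fake AP cloning its MAC and ESSID on channel 11, and
 * an unrelated AP; returns 1 if a twin is seen, 0 if not, -1 on a parse error. */
int demo_twins(void)
{
    struct beacon_info b[3];
    if (!parse_beacon(sample_beacon, sizeof sample_beacon, &b[0]) || b[0].channel != 6
        || b[0].masked || strcmp(b[0].ssid, "corp") != 0) return -1;
    b[1] = b[0]; b[1].channel = 11;                 /* attacker's clone */
    b[2] = b[0]; b[2].bssid[5] = 0x44;              /* different AP, same channel */
    return twin_bssid_seen(b, 3);
}
```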
Attack Scenarios: Monkey-Jack
Before Monkey-Jack
Attack Scenarios: Monkey-Jack
After Monkey-Jack
Attack Scenarios: Kracker-Jack
Dangers of wireless MITM
  Wireless networks are more vulnerable to MITM attacks than wired networks.
  Many security solutions are implemented with an assumption of a secure layer 1 and 2
  Many VPN solutions are implemented with inadequate authentication for protection against wireless MITM attacks.
Attack Scenarios: Kracker-Jack
WAVEsec
  An open source software solution for securing wireless networks
  Uses FreeS/WAN IPSEC implementation
  Will thwart passive eavesdropping of wireless network communications.
  Implementation options
    X.509 certificates
    Secure DNS
Attack Scenarios: Kracker-Jack
Authenticating with WAVEsec gateway
  Client sends modified DHCP request with client's public key
  WAVEsec gateway inserts client's public key into DNS record
  Client obtains WAVEsec gateway's public key by requesting it from the DNS server
  IPSEC tunnel setup
Attack Scenarios: Kracker-Jack
Using Kracker-Jack
  KJ inserts at the 802.11 layer (like monkey-jack)
  KJ, using a DNS request, gets the victim's public key from the DNS server
  KJ, using the victim's MAC address, sends a DHCP request with its own key to replace the victim's key in the DNS server
Attack Scenarios: Kracker-Jack
  KJ initiates ISAKMP main mode SA with the WAVEsec server
  KJ initiates ISAKMP main mode SA with the victim
  Victim gets the new server key by a DNS request serviced by KJ
  Two separate IPSEC tunnels are now set up
  All traffic passes through KJ unencrypted
Attack Scenarios: Kracker-Jack
IKE ISAKMP/Oakley Phase 1
  Messages 1 and 2 negotiate characteristics of the security association; no authentication
  Messages 3 and 4 exchange random values (nonces) and execute a Diffie-Hellman exchange to establish a master key (SKEYID); no authentication
  Messages 5 and 6 exchange information for mutually authenticating the parties: identity payload, signature payload, and OPTIONAL certificate payload
Attack Scenarios: Kracker-Jack
IKE ISAKMP/Oakley Phase 2: Oakley Quick Mode
  Define Security Associations
  Define keys used to protect IP datagrams
Attack Scenarios
Shared key authentication attack
  Observe plain text challenge
  Observe cipher text response
  XOR plain text with cipher text to get key stream
  XOR IP packet with key stream, re-using the IV
  Broadcast ping
Mitigation Strategies
Big guy with a stick
Wireless IDS and monitoring
  AirDefense http://www.airdefense.net
VPN + strong mutual authentication
RF signal shaping
  Avoiding signal leaks
  Antennas with directional radiation pattern
  Lower access point power
Summary
Wireless networks are more susceptible to active attacks than wired networks
Enable all built-in security capabilities
Use VPN with strong mutual authentication
Monitor wireless network medium (airspace) for suspicious activity
Updates: Black Hat web site or http://802.11ninja.net
Advanced 802.11 Attack
Robert Baird & Mike Lynn