Wireless

Oct 14, 2015

dil17
Transcript
  • The Radio Spectrum in the US

    Source: US Department of Commerce, http://www.ntia.doc.gov/osmhome/allochrt.PDF

  • Wi-Fi Radio Spectrum

    Wi-Fi is an unlicensed service.

    It has its beginnings in the ISM (Industrial, Scientific, Medical) band, where it was not desirable or profitable to license such short-range devices. The first frequencies available for Wi-Fi use were in the 2.4 GHz range.

    As Wi-Fi popularity and usage increased, the regulatory bodies allocated additional spectrum in the 5 GHz band.

    The spectrum we use today is also used by Amateur (Ham Radio) and other services such as radio location (radar).

    There is more bandwidth in 5 GHz, with mechanisms in place to co-exist with licensed services such as radar, using Dynamic Frequency Selection (DFS).

  • Wi-Fi Radio Spectrum 2.4 GHz

    Even today, many portable devices in use are limited to 2.4 GHz only, including newer devices, but this is changing.

    802.11b/g is 2.4 GHz; 802.11a is 5 GHz; 802.11n can be either band (2.4 or 5 GHz).

    The 2.4 GHz spectrum in the US has 3 non-overlapping channels: 1, 6 and 11.

    There are plenty of channels in the 5 GHz spectrum and they do not overlap.

    2.4 GHz and 5 GHz are different portions of the radio band and usually require separate antennas.

    Most, if not all, 5 GHz devices also support 2.4 GHz; however, there are still many 2.4 GHz-only devices.

  • Wi-Fi Radio Spectrum 2.4 GHz

  • Wi-Fi Radio Spectrum 5 GHz Channels

    Note: 5 GHz channels do not have the severe overlap that 2.4 GHz channels have, but they use DFS to enable sharing of the band.


  • Wi-Fi Based on a Series of 802.11 PHY Standards

    Standards on the slide's timeline, from the past to the future: 802.11b, 802.11a, 802.11g, 802.11n, 802.11ac, 802.11ad, 802.11af, 802.11ah.

  • Wi-Fi connectivity today is based on the 802.11a/b/g/n PHY standards ...

    Standard   Band           PHY    Ratified
    802.11b    2.4 GHz        DSSS   1999
    802.11a    5 GHz          OFDM   1999
    802.11g    2.4 GHz        OFDM   2003
    802.11n    2.4 or 5 GHz   OFDM   2009 (Draft 2.0 in 2006)

  • 802.11ac, the next generation Wi-Fi, is just around the corner

    IEEE 802.11ac

    Use cases: similar to 802.11n; voice/video/data for consumer/enterprise.

    Technology: extension of 802.11n, in 5 GHz only.

    Functionality: similar range to 802.11n; faster than 802.11n, up to ~2.5 Gb/s.

    Availability: first usable draft standard in early 2012; first wave of certification in early 2013.

  • 802.11ac uses MU-MIMO to provide switch rather than hub technology

    Single-user MIMO in 802.11n sends one frame to one receiver.

    Multi-user MIMO in 802.11ac sends multiple frames to multiple receivers.

    An AP with 4 antennas can send 1 stream each to 3 smartphones, all at the same time.

    The AP must beamform 1 space-time stream to each receiver and simultaneously null-steer that space-time stream to the two other receivers.

  • Basic Terminology

    Stations: clients (mobile devices, laptops, printers, etc.).

    Access Points: 802.11 frames must be converted in order to communicate with the wired network. This bridging function is the most important part of an access point.

  • Basic Terminology

    Basic Service Set (BSS): the basic building block of all wireless networks; essentially one or more stations that communicate with each other.

    Independent BSS (IBSS): also known as an Ad-Hoc network. A network comprised of one or more stations without the use of an access point.

    Infrastructure BSS: the most common type of deployment. These networks consist of at least one station and one access point; station-to-station communication is relayed by the access point.

  • Basic Terminology

    Extended Service Set (ESS): formed by linking BSSs together. Usually created to extend the range of a single BSS to facilitate a greater coverage area. Stations in an ESS may communicate with each other even if they are in different BSSs.

    Multi-BSS: due to the popularity of wireless networks, radio chipset manufacturers created the ability to have multiple BSSs using the same hardware. This greatly expands functionality by allowing BSSs to be associated with specific VLANs.

  • 802.11 LAN architecture

    Identifiers

    BSS Identifier (BSSID): usually the MAC address of the access point serving the BSS.

    Service Set Identifier (SSID/ESSID): a friendly name given to the network.

    Example from the slide diagram: two access points, BSSID 00:12:31:00:11:00 and BSSID 00:12:34:23:22:33, both with SSID Poly.

  • Framing

    Generic 802.11 Frame

    Data and Management Frames

    802.11 Session States

  • Generic 802.11 Frame

  • 802.11 Frame: Addressing

    Address 1: MAC address of the wireless host or AP to receive this frame

    Address 2: MAC address of the wireless host or AP transmitting this frame

    Address 3: MAC address of the router interface to which the AP is attached

    Address 4: used only in ad hoc mode

  • 802.11 Frame: Addressing (diagram with host H1 and router R1)


  • Types of Frames

    Data Frames: data frames are encrypted when the Protected flag is set. Frame Control Type: 10; the subtype is commonly 0000 (Data).

    Management Frames: address fields are fixed values; the frame payload contains management info. Frame Control Type: 00.

  • Management Frames

    Association Request: subtype 0000

    Association Response: subtype 1000

    Re-Assoc Request: subtype 0010

    Re-Assoc Response: subtype 0010

    Probe Request: 0100

    Probe Response: 0101

    Beacon: 1000

    Disassociation: 1010

    Authentication: 1011

    Deauthentication: 1100
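    The frame control and addressing rules from the two slides above, as an added Python example that is not part of the original deck: it decodes the type, subtype and flags from the 2-byte frame control field and names the three address fields according to the To DS / From DS bits (the slide gives the infrastructure case; the table below follows the IEEE 802.11 encoding for all four cases, and the management subtype values are the standard's). The sample headers are constructed, the station and router MACs are hypothetical, and only the BSSID is taken from the slides.

```python
# Type bits (frame control byte 0, bits 2-3) and management subtypes
# (bits 4-7) as encoded in the IEEE 802.11 frame control field.
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
MGMT_SUBTYPES = {
    0x0: "association request", 0x1: "association response",
    0x2: "reassociation request", 0x3: "reassociation response",
    0x4: "probe request", 0x5: "probe response", 0x8: "beacon",
    0xA: "disassociation", 0xB: "authentication", 0xC: "deauthentication",
}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> dict:
    """Decode the frame control field and name the address fields."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, flags = frame[0], frame[1]           # frame control is little-endian
    if fc0 & 0x3:
        raise ValueError("unsupported 802.11 protocol version")
    ftype, sub = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    protected = bool(flags & 0x40)            # Protected flag: payload encrypted
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # Which field is DA / SA / BSSID depends on the To DS / From DS bits.
    if not to_ds and not from_ds:             # management frames and IBSS
        addrs = {"DA": a1, "SA": a2, "BSSID": a3}
    elif to_ds and not from_ds:               # station -> AP
        addrs = {"BSSID": a1, "SA": a2, "DA": a3}
    elif from_ds and not to_ds:               # AP -> station
        addrs = {"DA": a1, "BSSID": a2, "SA": a3}
    else:                                     # AP -> AP bridge: four addresses
        if len(frame) < 30:
            raise ValueError("truncated 4-address header")
        addrs = {"RA": a1, "TA": a2, "DA": a3, "SA": frame[24:30]}
    if ftype == 0:
        name = MGMT_SUBTYPES.get(sub, f"reserved ({sub:04b})")
    else:
        name = "data" if sub == 0 else f"subtype {sub:04b}"
    return {"type": FRAME_TYPES[ftype], "subtype": name, "to_ds": to_ds,
            "from_ds": from_ds, "protected": protected,
            "addresses": {k: mac_str(v) for k, v in addrs.items()}}


# Constructed sample headers (not captured traffic); BSSID taken from the slide.
BSSID = bytes.fromhex("001231001100")
STA = bytes.fromhex("0a1b2c3d4e5f")          # hypothetical client address
ROUTER = bytes.fromhex("00123400aa01")       # hypothetical wired router port
BEACON = bytes([0x80, 0x00, 0, 0]) + b"\xff" * 6 + BSSID + BSSID + b"\x10\x00"
DATA_TO_AP = bytes([0x08, 0x41, 0x2c, 0]) + BSSID + STA + ROUTER + b"\x20\x00"
```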

  • Management Frames - Beacons

    Beacons are sent at a recurring interval by the AP to announce the existence of a network.

    A beacon normally contains information such as the SSID.

    Wireless networks are considered hidden when the SSID is omitted from the beacons.

  • Management Frames - Probe Requests and Responses

    Probe Requests: sent by stations to scan for in-range networks. The station will channel-hop through all available channels when searching for its networks during this process. Stations can also send broadcast probe requests to solicit a response from any AP in their vicinity.

    Probe Responses: access points acknowledge a probe request with a probe response to indicate to the client that a compatible network exists. APs that don't respond to broadcast probe requests are considered closed.

  • 802.11 Session States

    Authentication: establishes the wireless station's identity to the access point.

    Open Authentication: the access point permits any station.

    Shared Key Authentication: a shared key must be present (WEP only). The AP sends a challenge; the client encrypts the challenge with the key and sends the response to the AP.

    Deauthentication: terminates a previously established session.

  • 802.11 Session States

    Association: record-keeping process where the AP identifies itself as the gateway for a particular wireless station.

    Disassociation: the process of removing the wireless station from the network.

    Roaming/Reassociation: since clients are not tethered by cable, they can move freely around their physical location. In a large ESS, one AP may provide better signal strength as the client moves around.

  • Session Establishment: Putting it all together

  • Wi-Fi Security

  • Wi-Fi Security State

    WEP: broken many years ago; replaced by WPA and then WPA2. Do not use!!!!

    WPA: based on TKIP & 802.1X; breaking; a transitional mechanism. Avoid use!

    WPA2: based on AES & 802.1X; enterprise class, particularly when used with appropriate EAP methods.

    Wi-Fi Protected Setup: designed to encourage consumers to actually use security; based on WPA2 but not enterprise class.

    The Wi-Fi Alliance is strongly encouraging use of WPA2 (for enterprise & consumer) and Wi-Fi Protected Setup (for consumer).

    802.11w defines security for management frames and was certified in early 2012 by the Wi-Fi Alliance.

    There are ongoing efforts in 802.11ai to optimise the process of setting up WPA2 security.

  • WPA

  • About WPA: IEEE 802.11i

    History: draft in 2003, ratified in 2004. Latest is 802.11-2007.

    Encryption: needed to address the issues in WEP; introduced TKIP and AES.

    RC4 TKIP (Temporal Key Integrity Protocol): major improvement over WEP but still based on RC4. Developed so that WEP hardware could be easily upgraded.

    AES CCMP (Advanced Encryption Standard, Counter Mode with Cipher Block Chaining Message Authentication Code): complete redesign of the encryption mechanisms. Developed to completely replace WEP and TKIP.

  • About WPA: IEEE 802.11i

    WPA: certification by the Wi-Fi Alliance. Hastily released in 2003 to certify devices up to the then-current 802.11i draft. Implies at least TKIP support. Latest is 802.11-2007.

    WPA2: certification by the Wi-Fi Alliance. Released in 2004 once the 802.11i draft was ratified. Full compliance with the standard; support for AES and TKIP.

  • About WPA: TKIP and AES Security Improvements

    RC4 - TKIP: increases the size of the Initialization Vector to 48 bits and the key size to 128 bits; Message Integrity Check (MIC) within the frame; dynamic key rotation.

    AES - CCMP: complete redesign, no longer uses RC4; re-keys automatically to derive new sets of temporal keys; uses the Packet Number field as a counter to provide replay protection.

  • About WPA: Authentication

    WPA Personal (WPA-PSK): a single pre-shared key is distributed to users. If you have the key, you can connect to the network. Most suited for home use.

    WPA Enterprise: flexible authentication; can be user based, computer based, etc. Permits centralized user management. Per-user Authentication, Authorization and Accounting (AAA). Most suited for corporations and small businesses.

  • About WPA: Joining the Network with WPA

    Step 1: 802.11 Session Establishment. Standard Probe/Authentication/Association Requests and Responses.

    Step 2: EAP Handshake. Only in WPA Enterprise, to generate the PMK; more on this later.

    Step 3: 4-way handshake. Use the PMK to generate/establish encryption keys.

    Step 4: Data Communication. Successful authentication; now a connected party.


  • WPA Enterprise Authentication: IEEE 802.1X

    Standard for access control; commonly used on wired switches.

    Introduces three new terms:

    Supplicant: client attempting to connect to the network.

    Authenticator: controls access to the network; usually the AP.

    Authentication Server: authorizes the user to connect (RADIUS server).

    Uses EAP for messaging.

  • WPA Enterprise Authentication: Extensible Authentication Protocol (EAP)

    Originally designed and used for dial-up networking (PPP).

    Officially, EAP only has 4 general message types: EAP-Request, EAP-Response, EAP-Success, EAP-Failure.

    Supports a variety of authentication methods, defined by the Type field of EAP-Request/Response frames:

    EAP-TLS: certificate-based authentication

    LEAP: username/password authentication

    PEAP/EAP-TTLS/EAP-FAST: certificate + username/password authentication

  • WPA Enterprise Authentication: EAP Handshake

  • WPA Encryption: Keying

    Pairwise Master Key (PMK): used to derive all other keys. WPA-Pre-Shared Key: derived from the PSK. WPA-Enterprise: created at the RADIUS server and distributed.

    The four-way handshake: establishes encryption between the AP and the client.

    Pairwise Transient Key (PTK): the key used to encrypt unicast 802.11 traffic.

    Group Temporal Key (GTK): the key used to encrypt broadcast and multicast 802.11 traffic.
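    The WPA-PSK key hierarchy from the slide above, as an added Python example that is not part of the original deck: the PMK is PBKDF2-HMAC-SHA1 over the passphrase and SSID (4096 rounds, 256 bits), and the PTK is expanded from the PMK with the two MAC addresses and the two handshake nonces. Because the SSID, MACs and nonces are all sent in the clear, the passphrase is the only secret input, which is why the deck later says a complex password thwarts the offline attack. The passphrase/SSID pair is the IEEE 802.11i Annex H test vector; the MACs and nonces are constructed.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).

    The passphrase is the only secret input; the SSID is broadcast in beacons.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK from the PMK plus the 4-way handshake's public values.

    aa/spa are the AP and station MAC addresses, anonce/snonce the nonces from
    messages 1 and 2.  The min/max ordering lets both sides compute the same key.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)   # 512 bits (TKIP size)
    return {
        "KCK": ptk[:16],     # key confirmation key: MICs the handshake messages
        "KEK": ptk[16:32],   # key encryption key: wraps the GTK in message 3
        "TK": ptk[32:48],    # temporal key: encrypts unicast data (CCMP uses 128 bits)
    }


# Constructed handshake values (not a capture); the passphrase/SSID pair used in
# the test is the IEEE 802.11i Annex H vector ("password" / "IEEE").
AP_MAC = bytes.fromhex("001231001100")        # BSSID from the slides
STA_MAC = bytes.fromhex("0a1b2c3d4e5f")       # hypothetical station address
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
```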

  • Attacking WPA

    Authentication: most common attacks; only a limited number exist; requires at least 1 connected client; yields username and password; almost always requires offline brute forcing; using a complex password thwarts the attack.

    Encryption: emerging attacks; result in the ability to encrypt/decrypt limited traffic; can inject a small number of packets; not very stealthy.

  • Attacking Authentication: WPA-PSK

    Theory: capture the 4-way handshake. It's possible to deduce the PSK using the data in the handshake. Passively: sniff and wait for new client connections. Actively: DoS (de-authentication attack) the client and watch it reconnect.

    Brute force: with the handshake we can launch an offline brute force attack.

  • Attacking Authentication: WPA Enterprise

    Used in most corporations. Attacks are categorized by EAP type. A good deployment is hard to break into. Most attacks require brute force. A successful attack results in credentials to access the network as a regular user.

  • Attacking Authentication: WPA Enterprise - Authentication Methods - LEAP

    About: stands for Lightweight EAP; a proprietary EAP type developed by Cisco.

    Operation: uses the MS-CHAP challenge/response mechanism for authentication. This handshake is transmitted in clear text between the client and the authentication server.

  • Attacking Authentication: WPA Enterprise - Authentication Methods - EAP-TTLS and PEAP

    About: both establish an SSL tunnel between the client and the authentication server. The tunnel is used to transmit less secure inner authentication credentials (i.e. PAP/CHAP/MS-CHAP).

    EAP-TTLS (Tunneled TLS): developed by Funk Software (now Juniper) and Certicom. Supports any inner authentication protocol.

    PEAP (Protected EAP): replacement for LEAP. Developed by RSA, Microsoft and Cisco. Only supports a limited number of inner authentication protocols.

  • Attacking Authentication: WPA Enterprise - Authentication Methods - EAP-TTLS and PEAP: How it works

  • Attacking Authentication: WPA Enterprise - Authentication Methods - EAP-TTLS and PEAP: Attack Vectors

    Improper certificate validation: certificates allow the client to ensure the identity of the authentication server. The client is commonly configured to ignore this certificate. This allows an attacker to impersonate an AP and gain access to the inner authentication credentials.

  • WEP

  • Understanding WEP Encryption: History of WEP

    1997: WEP introduced

    2001: WEP found to be flawed

    2002: 104-bit WEP still considered secure

    2004: KoreK details advanced attacks; aircrack released

    2007: PTW attack released. WEP DEAD, DO NOT USE

    Present: people and organizations still using WEP

  • Understanding WEP Encryption: WEP

    No longer considered a viable method of securing 802.11 frames.

    Protects information transmitted via the wireless network by encrypting the data within the 802.11 frame.

    The client uses the initialization vector (IV) stored within the frame header and the WEP key to decrypt the data.

  • WEP Encryption Process: The CRC-32 ICV

    A 4-byte CRC-32 Integrity Check Value (ICV) is computed for the data payload of the packet and appended to it.

    The UNIQUE Seed

    The shared secret key k is static. A 24-bit Initialization Vector (IV) is concatenated with the key (k) to form a unique seed.

    Diagram: Plaintext Message (M) | ICV; IV | Shared Key (k)

  • WEP Encryption Process: The Keystream

    This seed is input into the RC4 stream cipher, which outputs a keystream of arbitrary length.

    Diagram: IV | Shared Key (k) -> RC4 -> Keystream

  • WEP Encryption Process: Ciphertext

    The plaintext data and the appended CRC-32 value are XORed against an equal number of bits from the keystream to create the ciphertext.

    Diagram: (Plaintext Message (M) | ICV) XOR Keystream -> Ciphertext (C)

  • WEP Decryption Process: Decryption

    The IV is put into the WEP header in plaintext and the encrypted packet is sent to the receiver. The receiver uses the IV in the header along with the shared key, k, to reproduce the RC4 keystream.

    Diagram: 802.11 Hdr | IV | Ciphertext (C); IV | Shared Key (k) -> RC4 -> RC4 Keystream

  • WEP Decryption Process: Decryption

    The ciphertext is XORed against the RC4 keystream and the plaintext is recovered.

    Diagram: Ciphertext (C) XOR Keystream -> Plaintext Message (M) | ICV

  • WEP Decryption Process: Decryption

    The CRC-32 Integrity Check Value (ICV) is recomputed to verify the integrity of the data.

    Diagram: Plaintext Message (M) -> CRC-32 -> ICV; Match?
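    The encryption and decryption steps from the WEP slides above, carried through in Python as an added example that is not part of the original deck: the seed is IV || k, RC4 turns it into a keystream, M || ICV is XORed with it, and the receiver reproduces the keystream from the cleartext IV and recomputes the CRC-32. The key, IV and message are constructed; the key-ID byte that a real WEP header carries after the IV is omitted as a simplification.

```python
import struct
import zlib


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4: key-scheduling on the seed, then generate `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """4-byte CRC-32 Integrity Check Value, little-endian as WEP transmits it."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || (RC4(IV || key) XOR (M || ICV)).  The key-ID byte of a real
    WEP header is left out (simplification, not part of the slides)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    body = plaintext + icv(plaintext)                    # M || ICV
    keystream = rc4_keystream(iv + key, len(body))       # seed = IV || k
    return iv + bytes(p ^ k for p, k in zip(body, keystream))


def wep_decrypt(key: bytes, packet: bytes) -> tuple:
    """Reproduce the keystream from the cleartext IV, recover M, check the ICV."""
    iv, ciphertext = packet[:3], packet[3:]
    keystream = rc4_keystream(iv + key, len(ciphertext))
    body = bytes(c ^ k for c, k in zip(ciphertext, keystream))
    message, received_icv = body[:-4], body[-4:]
    return message, icv(message) == received_icv


# Constructed values: a 40-bit WEP key, one 24-bit IV and a sample payload.
KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("000001")
MESSAGE = b"Hello Poly wireless"
```

    With a static key and a 24-bit IV there are only 2^24 distinct seeds, so the keystream repeats once IVs are reused; the ICV catches accidental corruption but carries no key, which is why the attacks in the following slides work.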

  • Attacking WEP: Misc Attacks

    The Verizon FiOS Actiontec MI424WR router ships with WEP enabled by default. The WEP key is a function of the SSID, and the SSID is 5 upper-case alphanumeric characters. If you know the SSID you know the default key! A Java/Bash generator exists at: http://xkyle.com/2009/03/03/verizon-fios-wireless-key-calculator

  • Attacking WEP: The Passive Attack

    This was the original attack against WEP. It is an offline attack once enough IVs are obtained. Relies on passively sniffing WLAN traffic. Stealthy.

  • Attacking WEP: The Passive Attack using aircrack-ng

    This is dependent on a .cap file that contains enough frames to actually crack WEP. Frames can be generated quickly using the active attack techniques discussed later.

    Command: aircrack-ng

  • Attacking WEP: Active Attack Theory

    Goal: generate traffic to get unique IVs.

    Step 1: Client sends legitimate encrypted data (thus a new/valid IV).

    Step 2: Attacker observes the traffic and replays it many times.

    Step 3: AP receives ALL data, decrypts it and processes it.

    Step 4: Traffic destined for the wireless network is encrypted with a new IV.

  • Attacking WEP: Fake Authentication - Theory

    What if there are currently no connected clients? It may be possible to launch the Fake Authentication attack so the AP thinks we are an authorized client. Once we create a false association, we can forward frames through the AP after we figure out how to craft valid ones.

  • Attacking WEP: AP-Less Attacks

    Caffe Latte Attack: targets individual clients who are not in the vicinity of the wireless network. We can respond to the client's probe requests and ultimately gain enough packets during the shared key authentication, initial DHCP and initial ARP requests made by the client to forge our own ARP requests. We bombard the client with ARP requests and use its responses to crack the WEP key. Currently implemented in airbase-ng.

  • Generalized Wireless Attack: Evil Twin

    A rogue Wi-Fi access point that appears to be a legitimate one offered on premises. The attacker fools the wireless device into connecting to the attacker's hotspot instead of the real one. Used to steal passwords and redirect to fraudulent web sites.

    Karmetasploit acts as a wireless AP and answers all probe requests from wireless clients. Once associated, every service the client tries to access leads to a malicious application. http://dev.metasploit.com/redmine/projects/framework/wiki/Karmetasploit