all your wireless belongs to us - ensimag...2012/03/01  · all your wireless belongs to us...

Description: 802.11 Wifi Security Lecturer: Guillaume Jeanne All your Wireless belongs to us SecurIMAG 2012-03-01 WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions. ¡¡_ (in)security we trust _!! Grenoble INP Ensimag


• Description: 802.11 Wifi Security

• Lecturer: Guillaume Jeanne

All your Wireless belongs to us

SecurIMAG

2012-03-01

WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.

¡¡_ (in)security we trust _!!

Grenoble INP Ensimag


Presentation : Guillaume Jeanne

2 SecurIMAG - Wifi Security – Guillaume J. – 2012/03/01

• Background:

• MP* preparatory class at Lycée Claude-Fauriel (Saint-Etienne, 42)

• First year (1A) at ENSIMAG

• Why SecurIMAG? (the ultimate question)

• I've always been fascinated by computer security and how we could divert an object from its normal use. (hacking)

• Contact :

• guillaume.jeanne{(_a\.t_)}ensimag.fr


Outline

802.11b WEP
- How it works
- WEP Security Problems
  1/ Reuse the byte sequence
  2/ Fluhrer, Mantin and Shamir attack
- Demo

WPA
- Changes
- WPA Security Problems
  1/ Dictionary attack
- Demo


Reminder of French Law

Art. 323-1

« Fraudulently accessing or remaining in all or part of an automated data processing system is punishable by two years' imprisonment and a fine of 30 000 euros.

Where this results in either the deletion or modification of data contained in the system, or an impairment of the functioning of that system, the penalty is three years' imprisonment and a fine of 45 000 euros. »

802.11b, Wired Equivalent Privacy (WEP)

• 802.11: a (1999), b (1999), g (2003), n (2009)

• Security (1999):

  • Data encryption: Wired Equivalent Privacy “WEP”

  • Authentication:
    o Shared Key Authentication “SKA” (WEP is used during authentication)
    o Open System Authentication (no authentication occurs)

• Beginning: 40-bit keys (U.S. law), WEP2: 104 bits

• Severely criticized for its lack of security

WEP, How it works ? Emission

• Message M (unencrypted)

• Control Function : CRC32 (to check integrity)

• RC4 Encryption :

IV (Initialization vector) (24 bits) + WEP key (104 bits)

Seed = IV ‖ WEP Key (‖ denotes concatenation)

Keystream = RC4(Seed)

Encrypted message C = (M ‖ CRC(M)) ⊕ RC4(Seed)

Transmitted frame = IV (24 bits) ‖ encrypted message C

WEP, How it works ? Reception

• Exactly the same thing!

• The receiver retrieves the IV, concatenates it with the WEP key, encrypts with RC4, and XORs the result with the encrypted message. It then calculates the checksum and checks it.

RC4(IV ‖ WEP Key) = RC4(Seed)

encrypted message C ⊕ RC4(Seed) = M ‖ CRC(M)

Shared Key Authentication “SKA”

• Four Way Handshake using the WEP password (secret key)


WEP, Security problems

1/ Reuse the byte sequence

Principle:

• A = M1 ⊕ RC4(Seed)

• B = M2 ⊕ RC4(Seed)

• A ⊕ B = M1 ⊕ RC4(Seed) ⊕ M2 ⊕ RC4(Seed) = M1 ⊕ M2

• If you know M1, you can deduce M2 (and vice versa): M2 = (M1 ⊕ M2) ⊕ M1


• Question: how do you know M1?

Easy: M1 is an Internet packet, with a known structure.

Social engineering: send an email; its contents will be encrypted with the WEP key…

BUT

• The aim of the IV is to encrypt each packet differently, so the principle explained above will not work… except if…

• the same IV is reused! This is easy to detect because IVs are not encrypted.
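The emission and reception steps and the keystream-reuse principle above can be checked with a small model. This is an added example, not code from the original slides; the key, IVs and messages are constructed sample values, and the function names are assumptions of this sketch.

```python
import struct
import zlib
from collections import Counter


def rc4(seed: bytes, length: int) -> bytes:
    """RC4 keystream: key scheduling (KSA) followed by output generation (PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, message: bytes) -> bytes:
    """Emission: frame = IV || ((M || CRC32(M)) XOR RC4(IV || key))."""
    plain = message + struct.pack("<I", zlib.crc32(message))
    return iv + xor(plain, rc4(iv + key, len(plain)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Reception: rebuild the keystream from the clear IV, XOR, check the CRC."""
    iv, cipher = frame[:3], frame[3:]
    plain = xor(cipher, rc4(iv + key, len(cipher)))
    message, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(message)) != icv:
        raise ValueError("checksum mismatch")
    return message


def reused_ivs(frames) -> set:
    """IVs seen on more than one frame; they travel unencrypted (first 3 bytes)."""
    counts = Counter(frame[:3] for frame in frames)
    return {iv for iv, seen in counts.items() if seen > 1}


def second_plaintext(frame_a: bytes, frame_b: bytes, m1: bytes) -> bytes:
    """M2 = (A XOR B) XOR M1, valid only when both frames share one IV."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs, so different keystreams")
    return xor(xor(frame_a[3:], frame_b[3:]), m1)


# Constructed sample values (not from a real capture).
KEY = bytes.fromhex("0102030405060708090a0b0c0d")  # 104-bit WEP key
M1 = b"GET /index.html HTTP/1.1"
M2 = b"user=alice&pin=4921 ...."

if __name__ == "__main__":
    a = wep_encrypt(b"\x10\x20\x30", KEY, M1)
    b = wep_encrypt(b"\x10\x20\x30", KEY, M2)   # same IV, same keystream
    c = wep_encrypt(b"\x10\x20\x31", KEY, M2)   # fresh IV
    print(wep_decrypt(KEY, a))
    print(reused_ivs([a, b, c]))
    print(second_plaintext(a, b, M1))
```

The second plaintext comes out without the key ever being used, which is why a monitoring tool only needs the clear IV field to flag the condition.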


• You shall not reuse the same IV!

• But… IVs are only 24 bits, so IVs are necessarily reused.

• There is a 50% chance an IV will be reused after 4823 packets!

Annex : Birthday Paradox

• Problem: how many people are needed for the probability that 2 of them were born on the same day to be 1/2?

• …

• Only 23

• Explanations:

(23*22)/2 = 253 pairs

failure rate for each pair: 1 - 1/365 = 99.726%

(1 - 1/365)^253 = 49.9%

=> 50.1% success

(this is not a lie!)

Annex : Birthday Paradox table

n      p(n)
10     11.7%
20     41.1%
23     50.1%
30     70.6%
50     97.0%
57     99.0%
100    99.99997%
200    99.9999999999999999999999999998%
300    (100 − 6×10^−80)%
350    (100 − 3×10^−129)%
365    (100 − 1.45×10^−155)%
366    100%

WEP, Security problems

1/ Reuse the byte sequence

Application here

• ½ (4823 × 4822) = 11 628 253 pairs

• failure rate for each pair: 1 - ½^24

• [1 - (½^24)]^11 628 253 = 50.00%

50% success

4.823 s (8 Mbit/s, 1 kB)
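The 4823-packet figure can be reproduced both with the pair estimate used above and with the exact product. This is an added example, not part of the original slides; it assumes IVs are drawn uniformly at random, and the function names are choices of this sketch.

```python
import math


def collision_probability(n: int, space: int) -> float:
    """Exact chance that n uniformly random values out of `space` contain a repeat."""
    if n > space:
        return 1.0
    log_all_distinct = sum(math.log1p(-k / space) for k in range(n))
    return -math.expm1(log_all_distinct)


def pair_approximation(n: int, space: int) -> float:
    """The slides' estimate: treat the n(n-1)/2 pairs as independent."""
    pairs = n * (n - 1) // 2
    return 1.0 - (1.0 - 1.0 / space) ** pairs


def draws_for_probability(target: float, space: int) -> int:
    """Smallest n whose exact collision probability reaches `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    n, log_all_distinct = 0, 0.0
    while -math.expm1(log_all_distinct) < target:
        if n >= space:               # more draws than values: a repeat is certain
            return space + 1
        log_all_distinct += math.log1p(-n / space)
        n += 1
    return n


def seconds_to_send(packets: int, bits_per_second: float, packet_bytes: int) -> float:
    """Time needed to put `packets` frames of `packet_bytes` bytes on the air."""
    return packets * packet_bytes * 8 / bits_per_second


if __name__ == "__main__":
    iv_space = 2 ** 24               # 24-bit IV
    n = draws_for_probability(0.5, iv_space)
    print("packets for a 50% IV collision:", n)
    print("pair estimate at that n:", pair_approximation(n, iv_space))
    print("seconds at 8 Mbit/s, 1 kB packets:", seconds_to_send(n, 8_000_000, 1000))
    # Widening the IV only moves the bound by a square root.
    for bits in (24, 32, 48):
        print(bits, "bit IV:", draws_for_probability(0.5, 2 ** bits) if bits < 48
              else round(1.1774 * math.sqrt(2 ** bits)), "packets")
```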


WEP, Security problems

2/ Fluhrer, Mantin and Shamir attack

• The most famous WEP attack.

• Published in a 2001 paper titled “Weaknesses in the Key Scheduling Algorithm of RC4” (1)

• Implemented in AirSnort and Aircrack.

• Exploits the weaknesses of the RC4 key generation algorithm and IVs.


RC4 key generation algorithm

• Generate two tables S and K of a size of 256 bytes

• Initialize the table S with the integers from 0 to 255 (state table)

• Fill in the table K with the secret key

• Pseudo-randomly permute the table S using the secret key

• Pseudo-randomly permute the table S with itself

• XOR the sequence obtained from the table S with the flow of data


The attack

• Some IVs provide information about the secret key via their first byte. These IVs are called low IVs and are of the form (A+3, N-1, X) (3 bytes), where:

• A is the byte of the key to attack

• N = 256 because RC4 is modulo 256

• X is between 0 and 255

For each byte of the key, there are 256 low IVs.


• The first byte of an 802.11b packet matches the SNAP header and it is almost always 0xAA.

output = 0xAA ⊕ FirstByte

• Now you can attack, here is the algorithm: (KSA)

begin ksa(with int keylength, with byte K[keylength])
    for i from 0 to 255
        S[i] := i
    endfor
    j := 0
    for i from 0 to 255
        j := (j + S[i] + K[i mod keylength]) mod 256
        swap(S[i], S[j])
    endfor
end


Explanation:

• First Key Byte: low IVs (A=0) [3,15,2,1,2,3,4,5] (mod 16)

• K[] = 3 15 2 X X X X X 3 15 2 X X X X X

• S[] = 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

• KSA:

1) i=0, j=0+0+3=3, S[] = 3 1 2 0 …

2) i=1, j=3+1+15=3, S[] = 3 0 2 1 4 5 …

3) i=2, j=3+2+2=7, S[] = 3 0 7 1 4 5 6 2 8 9 10 11 12 13 14 15

First byte = output – j – S[i] = 9 – 7 – 1 = 1


• Second Byte, [4,15,9,1,2,3,4,5]

• K[] = 4 15 9 1 X X X X 4 15 9 1 X X X X

• S[] = 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

• KSA:

1) j=4, S[] = 4 1 2 3 0 5 …

2) j=4, S[] = 4 0 2 3 1 5 …

3) j=15, S[] = 4 0 15 3 1 5 6 7 8 9 10 11 12 13 14 2

4) j=3, S[] = 4 0 15 3 1 5 6 7 8 9 10 11 12 13 14 2

Second Byte = 6 – 3 – 1 = 2


• but in reality: there is only a 5% chance that the byte is correct (for 1 IV)

• => repeat this for several IVs (X varies)
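The two worked examples above (mod 16, secret key 1,2,3,4,5) can be replayed step by step. This is an added example, not code from the original slides; it uses the toy modulus N = 16 from the explanation, and the function names are assumptions of this sketch.

```python
def ksa(key, n, steps=None):
    """RC4 key scheduling modulo n; stop after `steps` iterations if given.
    Returns the state table S and the last value of j."""
    s, j = list(range(n)), 0
    for i in range(n if steps is None else steps):
        j = (j + s[i] + key[i % len(key)]) % n
        s[i], s[j] = s[j], s[i]
    return s, j


def first_output(key, n):
    """First keystream value after a full KSA (one step of output generation)."""
    s, _ = ksa(key, n)
    i = 1
    j = s[i]
    s[i], s[j] = s[j], s[i]
    return s[(s[i] + s[j]) % n]


def guess_key_byte(iv, known_key, output, n):
    """Slide formula: key byte = output - j - S[i] (mod n), with j and S taken
    after the KSA has consumed the IV and the key bytes already known."""
    prefix = list(iv) + list(known_key)
    s, j = ksa(prefix, n, steps=len(prefix))
    return (output - j - s[len(prefix)]) % n


def correct_guesses(secret, a, n):
    """How many of the n low IVs (a+3, n-1, X) yield the right value for secret[a].
    Needs the secret, so it measures the weakness rather than exploiting it."""
    hits = 0
    for x in range(n):
        iv = [(a + 3) % n, n - 1, x]
        out = first_output(iv + list(secret), n)
        if guess_key_byte(iv, secret[:a], out, n) == secret[a]:
            hits += 1
    return hits


N = 16                       # toy modulus used in the explanation
SECRET = [1, 2, 3, 4, 5]     # secret part of the key in the worked example

if __name__ == "__main__":
    print(ksa([3, 15, 2], N, steps=3))             # state after the three IV steps
    out = first_output([3, 15, 2] + SECRET, N)
    print("output:", out, "first byte:", guess_key_byte([3, 15, 2], [], out, N))
    out = first_output([4, 15, 9] + SECRET, N)
    print("output:", out, "second byte:", guess_key_byte([4, 15, 9], SECRET[:1], out, N))
    for a in range(2):
        print("byte", a, "correct for", correct_guesses(SECRET, a, N), "of", N, "low IVs")
```

A single IV gives the right byte only when the later KSA swaps leave S[0], S[1] and the target cell alone, which is why the estimate has to be repeated over many values of X.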


• Consequences

  • Ability to modify the packets (integrity loss)

  • Ability to authenticate

• « Solutions »

  • Increasing the size of the WEP key (and/or the possible space of the IV) is not enough (birthday paradox)

  • We should rely on another kind of cipher (e.g. block cipher, see WPA)


Furthermore

• Breaking 104 bit WEP in less than 60 seconds (2)

• In 2007, Erik Tews, Andrei Pyshkin, and Ralf-Philipp Weinmann were able to extend Klein's 2005 attack and optimize it for usage against WEP. With the new attack it is possible to recover a 104-bit WEP key with probability 50% using only 40,000 captured packets.

DEMO

802.11i, Wi-Fi Protected Access (WPA & WPA2)

• WPA became available around 1999.

• WPA2 around 2004

• Following serious weaknesses researchers had found in the previous system (WEP).

• Changes:

  • Temporary Key Integrity Protocol (TKIP)
    o still RC4 but: 128-bit key per packet
    o rekeying mechanism (keys change frequently, avoiding collisions)
    o the ICV field is replaced by
      – a MICHAEL integrity check (64 bits)
      – a sequence number for each packet (replay protection)

  • AES (block cipher), optional in WPA
    o Mandatory in WPA2

WPA, Security problems

Dictionary attack

• Test all the words in a dictionary

• It is the only WPA attack existing in aircrack that allows the key to be recovered

• Concretely, you disconnect a station from the network and then capture the packet it sends to reconnect (handshake)

• Then you can launch the attack

Problem 1 : Storage

• Dictionaries are very heavy to store

• 5-character key (uppercase, lowercase, numbers): 458 MB

• 10-character key: 8392993 TB

• 63-character key: 5.25e+99 PB

Problem 1 : Solution

• Generate the dictionary on the fly!

• Crunch (3.2): http://sourceforge.net/projects/crunch-wordlist/

• Pipe « | » on aircrack

/pentest/passwords/crunch/./crunch 10 10 0123456789abc[…]xyz -o wordlist.txt

Problem 2 : Time

• A dictionary attack takes a very long time

• Time = O(n²)

• double the length => time will be squared

• Question: how to speed up the attack?

Accelerate the attack

ElcomSoft Distributed Password Recovery (3)

• Support for NVIDIA CUDA cards, ATI Radeon and Tableau TACC1441 hardware accelerators.

• Allows up to 64 CPUs or CPU cores and up to 32 GPUs per processing node

• Distributed password recovery over LAN, Internet or both.

Application family | Applications | Extensions | Type of recovery | Password types | Hardware acceleration
Microsoft Office 2007 | Word, Excel, PowerPoint, Project | .DOCX, .XLSX, .PPTX | password | file opening password | NVIDIA, ATI, Tableau
Microsoft Office 2007 | Access | .ACCDB | password | file opening password | -
Microsoft Office 2010 | Word, Excel, Access, PowerPoint | .DOCX, .XLSX, .PPTX | password | file opening password | NVIDIA, ATI, Tableau
Microsoft Office XP/2003 | Word, Excel, PowerPoint | .DOC, .XLS, .PPT | password | "open" password only | -
Microsoft Office 97/2000 | Word, Excel | .DOC, .XLS | password | "open" password only | -
Microsoft Office 97/2000 | Word, Excel | .DOC, .XLS | key | "open" password only - guaranteed decryption | -
OpenDoc | word processing (text) documents | .ODT, .OTT, .SXW, .STW | password | - | NVIDIA
OpenDoc | spreadsheets | .ODS, .OTS, .SXC, .STC | password | - | NVIDIA
OpenDoc | presentations | .ODP, .OTP, .SXI, .STI | password | - | NVIDIA
OpenDoc | graphics/drawing | .ODG, .OTG, .SXD, .STD | password | - | NVIDIA
OpenDoc | formulae, mathematical equations | .ODF, .SXM | password | - | NVIDIA
Microsoft Money | - | .MNY | password | - | -
Intuit Quicken1 | - | .QDF | password | - | -
PGP and Open-Key Passwords | PGP zip archives1 | .PGP | password | - | -
PGP and Open-Key Passwords | PGP secret key rings | .SKR | password | - | -
Adobe Acrobat PDF | PDF with 256-bit encryption | .PDF | password | "user" and "owner" password | -
Adobe Acrobat PDF | PDF with 128-bit encryption | .PDF | password | "user" and "owner" password | -
Adobe Acrobat PDF | PDF with 40-bit encryption | .PDF | password | "user" and "owner" password | -
Adobe Acrobat PDF | PDF with 40-bit encryption | .PDF | key | "user" password - guaranteed decryption | -
System Passwords | Microsoft Windows NT, 2000, XP, 2003, Vista | - | password | logon passwords (LM/NTLM) | NVIDIA2
System Passwords | Microsoft Windows | - | password | SYSKEY startup passwords | -
System Passwords | Microsoft Windows | - | password | DCC (Domain Cached Credentials) passwords | NVIDIA2
System Passwords | UNIX | - | password | users’ passwords | -
System Passwords | Wireless networks | - | password | WPA and WPA2 passwords | NVIDIA, ATI, Tableau
iPhone/iPod/iPad backup | iTunes | - | password | - | NVIDIA, ATI, Tableau
BlackBerry backup | BlackBerry Desktop Software (old) | .IPD, .BBB | password | - | AES-NI3
Mozilla, FireFox, Thunderbird | - | - | password | master passwords | -
BlackBerry backup | BlackBerry Desktop Software (6.0+ for Windows, 2.0+ for Mac) | - | password | - | NVIDIA, ATI, Tableau
Apple iWork | Pages, Numbers, Keynote | .pages, .numbers, .key | password | password to open | -

Performance comparison

• 10x faster on Nvidia 8800GT than on Core2Duo 3.3 GHz

But … it is relative

• 5-character WPA key brute-force attack: 1 day and 18 hours vs 16 days and 4 hours

• 10-character WPA key brute-force attack: 1 551 683 291 days (4251 millennia)

…a WPA2 key can have 63 characters

Full CUDA on Backtrack

• CUDA natively used by Backtrack (and more particularly crunch and aircrack)

http://www.offensive-security.com/documentation/backtrack-4-cuda-guide.pdf

WPA & WPA2 Conclusion

• How to improve the attack:

  • Use Rainbow tables

  • here 120 GB of Windows LanManager hashes: http://www.korben.info/UserFiles/File/hak5_rtables_lm_all_1-7.torrent

• How to protect yourselves:

  • Use key > 10 characters

  • Use special characters

  • Change the default password

Annex : Rainbow table

DEMO

References

• (1) http://aboba.drizzlehosting.com/IEEE/rc4_ksaproc.pdf

• http://en.wikipedia.org/wiki/Fluhrer,_Mantin_and_Shamir_attack

• http://en.wikipedia.org/wiki/RC4

• http://en.wikipedia.org/wiki/Birthday_problem

• Jon Erickson, “Hacking: The Art of Exploitation”

• (2) Breaking 104 bit WEP in less than 60 seconds: http://eprint.iacr.org/2007/120.pdf

• http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%20on%20WPA.pdf

• (3) http://www.elcomsoft.com/edpr.html

Questions ?