Dr. Igor Santos

Security of Information Systems

Wi-Fi Security

2

Contents

Introduction to Wi-Fi networks Encryption

WEP WPA

Vulnerabilities Attacks Setting up a secure Wi-Fi network Captive Portals

3

Introducción a las redes Wi-Fi

4

Introduction to Wi-Fi networks

What is a Wi-Fi? Set of interconnected computers through

a Wireless "bridge / router" or Access Point

Main devices in a Wi-Fi network Network cards Access Points and Access Points (AP) Antennas

5

Introduction to Wi-Fi networks

Typical topology

6

Wi-Fi network cards

7

Wi-Fi network cards

Modes1. Ad-hoc: interconnection between

devices without the need for an AP ▪ It is similar to point-to-point connection via

crossover ethernet cable (however, several PCs can be connected ad-hoc)▪ AP manages the media → increased collisions

→ lowers performance

8

Wi-Fi network cards

2. Managed or Infrastructure: connected to an AP that manages connections (STA <> AP)▪ The card leaves all responsibility to the AP

to manage traffic▪ Sometimes it is necessary to know the

ESSID (network id) of the network that manages the AP to access → detect it by entering monitor mode.

9

Wi-Fi network cards

3. Master: as an AP, provides service and manages the connections (AP <> STA)▪ PCs can be converted into APs▪ HostAP: http://hostap.epitest.fi

▪ Advantages▪ A PC is much more powerful than an AP, many possibilities (filtering, security enhancements, routing, DHCP ...)▪ Recycling of obsolete equipment, cheap APs

▪ Shortcomings▪ Not all cards can work in Master mode (Prism / Hermes / Atheros).

10

Wi-Fi network cards

4. Monitor: allows to to capture packets without associating with an AP or ad-hoc network▪ Monitors a specific channel without

transmitting packets (passively)▪ The card does not check the packet CRC's▪ It is NOT THE SAME as promiscuous mode▪ Promiscuous : in LAN networks, connected▪ Monitor: in WiFi networks, not connected

▪ Not all cards support monitor mode▪ http://kmuto.jp/debian/hcl/index.cgi▪ http://linux-wless.passys.nl

11

Access Points

12

Wi-Fi Access Points

Interconnects Ethernet LANs with wireless users or networks

Alternatives Commercial APs Commercial APs with free software APs comerciales con software libre▪ Install Custom Firmware on commercial AP

“Homemade” APs ▪ Obsolete PC + WiFi card in Master mode

13

Wi-Fi Access Points

Functionalities They manage the physical media They selectively retransmit data They may have additional services▪ DHCP▪ Remote management (web, telnet, ssh)▪ IP, MAC, etc.. filtering

14

Wi-Fi Access Points

Concepts BSSID (Basic Service Set Identifier)▪ Unique address that identifies the AP that

creates the wireless network▪ MAC address

ESSID (Extended Service Set Identifier)▪ Unique name of up to 32 characters to

identify the wireless network

15

Wi-Fi Access Points

Channel▪ Wi-Fi works in the 2.4GHz bandwith▪ It is divided in 13 channels of 22 Mhz▪ Different frequency ranges within that band▪ They overlap-> Interferences!

▪ Recommendation▪ Use channels of 1, 6 and 11 so they do not

overlap each other

16

Wi-Fi Access Points

17

Wi-Fi antennas

18

Wi-Fi antennas

They manage to increase the coverage and performance of a wireless node

Several scenarios AP inside a building Exterior APs▪ Point to point connection▪ Point-to-multipoint▪ Hot-spot

19

Wi-Fi antennas

There are different types of antennas Omnidirectional▪ In all directions▪ Ideal for APs or hot-spots

Directives▪ Towards a direction or a small sector▪ Ideal for:▪ Users of an AP▪ Interconnection LAN-to-LAN

20

Wi-Fi antennas

Homemade antennas

21

Encryption

22

WEP Encryption

WEP (Wired Equivalent Privacy) Included in the 802.11 standard Protection based on the RC4 algorithm Use keys of 64, 128 and 256 bits (actually

40, 104 or 232 bits: because Initialization Vector - IV = 24 bits, different in each package)

The key may be generated from a passphrase or entered directly by the user

The key must be known to all clients (shared secret)

23

WPA Encryption

WPA (Wi-Fi Protected Access) Workaround prior to 802.11i (WPA2) Improvements over WEP▪ Dynamic key distribution with limited

duration (TKIP - Temporal Key Integrity Protocol)▪ Harder Initialization Vector: 48 bits,

minimizing key reuse▪ Integrity: from ICV (Integrity Check Value) to

MIC (Michael): based on the encryption key

24

WPA Encryption

Dos modalities Personal -WPA (PSK)▪ Though for simple environments▪ Pre-Shared Key (PSK): shared secret

WPA-Enterprise (RADIUS)▪ Though for complex environments▪ Every user has his/her login/password▪ 802.1x▪ Supplicant (STA)▪ Authenticator (AP)▪ Auth server (RADIUS)

25

802.11i (WPA2) Encryption

WPA2 Approved by the IEEE and accepted by Wi-Fi

Alliance in 2004 Also known as 802.11i or RSN (Robust

Security Network) Improvements▪ 802.1x-based authentication

▪ AES-based encryption

▪ Dynamic key management (GKH, PKH)

▪ Support for ad-hoc networks

26

PORTADA VULNERABILIDADES

Wi-Fi vulnerabilities

27

Wi-Fi vulnerabilities

WiFi networks have the same problems / bugs / vulnerabilities than wired networks

Besides, they have additional problems related to its wireless features Radio Scanners Radio jamming (DoS) Flexibility vs. Security ...

28

Wi-Fi vulnerabilities

vulnerabilities Access: wardriving WEP Encryption: Attacks like FSM, KoreK,

etc WPA and WPA2 Encryption: Dictionary

Attracks Man-in-the-Middle Attacks▪ Rogue APs▪ Vulnerabilities in APs when "bridge“ mode: ARP

Poisoning Denial of Service(DoS)

29

WEP vulnerabilities

30

WEP vulnerabilities

Walker (Intel) (2000) "WEP is not a good way to provide

privacy for wireless communications" Using a stream cipher algorithm (RC4) in

an environment in which the keys are repeated a mistake

Main problem -> Initialization Vectors If the Initialization Vectors are

repeated and we know lots of plaintext is easy to break the encryption

31

WEP vulnerabilities

32

WEP vulnerabilities

Borisov et al. (2001) Alphabet Building Attack (the "keystream" is

derivable by a known plaintext attack)

Arbaugh (2001) Attack "Inductive Chosen Plain Text" (build a

Databse with all the "keystreams" for a WEP key in a relatively short time)

Fluhrer, Mantin, Shamir (2001) “Weaknesses in the Key Scheduling Algorithm of

RC4” (few bits determine many bits in the first permutation algorithm)

33

WEP vulnerabilities

KoreK (2004) “KoreK Attacks”: set of enhancements to the

attack FMS - Fluhrer, Mantin, Shamir (2001)▪ Only about 200,000 Initialization Vectors are

needed "Attack chop-chop": Reverse Inductive

Attack (Arbaugh 2001)▪ It sends an encrypted ARP request to the AP with

one byte less▪ The AP will repeat only those packets that verify

the CRC▪ After 256 attempts, it will find the valid byte of that

particular iteration▪ Requests can be send in parallel (more speed)▪ Gradually all the "keystream“ can be derived

34

WEP vulnerabilities

Reinjection of packets to generate new traffic (new Initialization Vectors)▪ ARP requests▪ ICMP Traffic▪ DHCP requests

35

WEP vulnerabilities

Klein (2005) Improvements to the correlations found by FMS

and RC4 KoreK

Bittau et al. (2006) Packet fragmentation attack between STA and AP

Ramachandran y Ahmad (2007) “Caffe-latte attack” (getting the user key, not the

AP one)

Hirte (2007) Improved "caffe-latte attack" (no need for ARPs)

36

WEP vulnerabilities

Tews, Weinmann, Pyshki (2007) “Breaking 104-bit WEP in less than 60

seconds” (improved KoreK’s approach by using the contribution from Klein)

Performance▪ 50% success with 40.000 Initialization Vectors▪ 95% success with 85.000 Initialization Vectors

Beck y Tews (2008) Improvements from the approaches by

Tews, Weinmann and Pyshki (reduces the number of needed packages from 90000-40000 to 24,000 )

37

WEP attacks

WEP cracking Capture traffic that contains Initialization

Vectors (NOT Beacon Frames)▪ If there are no users connected to the AP,

then the traffic cannot be generated▪ Fake Association

▪ If there is no much traffic▪ Reinject

Use one of the methods (Korek, …) to obtain the key

38

WEP attacks

Brute force For WEP40, is reasonable▪ 240

▪ On a Pentium Core2Duo: 42 days (300,000 K / S)▪ In a cluster of FPGAs: 13 minutes (1.386M K / S)

For WEP104, IT IS NOT▪ 2104 = 20 x 1030 ▪ On a Pentium Core2Duo: 2.14 trillion years▪ In a cluster of FPGAs: 464 billion years

Dictionary attacks Keys already broken in other APs Default keys

39

WEP attacks

Many manufacturers configure default WEP ESSID recognizable as WLAN_XX or equivalent Deductible WEP passphrase generated according

to:▪ A common prefix for each manufacturer▪ BSSID▪ The XX WLAN_XX

Other unknown data▪ You can try brute force the 16,384 possibilities

WlanDecrypter generates these possible keys depending on the BSSID and ESSID

Only one encrypted packet capture is needed▪ WlanInject to generate a false association if there is no

traffic

40

Tools for cracking WEP

GNU/Linux Tools aircrack, aircrack-ng▪ Continuous development▪ Highly recommended

WepLab▪ Centered in WEP, few updates▪ GUI (wxWepLab)

Assistants▪ Airoscript▪ wesside-ng y easside-ng▪ spoonwep2.

41

Tools for cracking WEP

Tools for Microsoft Windows Privative Software▪ CommView for WiFi (TamoSoft)▪ OmniPeek (WildPackets)▪ AirMagnet WiFi Analyzer (AirMagnet)

42

Tools for cracking WEP

Ports of free software (partial functionality)

Ports de software libre (parcial functionality )▪ airsnort: obsolete▪ WepLab▪ Doesn’t support Windows capture▪ Required Wireshark or other capture programs

▪ aircrack y aircrack-ng▪ Currently widely used▪ Capture and reinjection with some drivers

43

Conclusions WEP

A few years ago it was said that WEP was bad, but better than nothing

Today it is almost the opposite: Protecting a network with WEP makes it

easy to crack because it is a challenge very accessible to casual crackers

There are security protocols, so WEP should be discarded ALWAYS

44

WPA-PSK vulnerabilities

45

WPA-PSK vulnerabilities

WPA-PSK vulnerabilities The system used by WPA for the

exchange of information used for the key generation is weak

Preset Keys are "unsafe" (WPA-PSK)▪ Subject to dictionary attacks▪ No need to capture lots of traffic, capture

only key exchange

46

WPA vulnerabilities

1. Capture initial handshake 4 packets WPA from user authentication

against an AP de autenticación de un cliente contra un

AP2. Brute force or dictionary attack to

extract the key Success depends on the dictionary Éxito depende del diccionario It is also possible to use Rainbow Tables

47

WPA attacks

Many manufacturers configure default WPA ESSID recognizable▪ WLAN_XXXX▪ JAZZTEL_XXX

BSSID also needed Online Tools▪ http://www.seguridadwireless.net/wpamagickey1.php▪ http://www.seguridadwireless.net/wpamagickey.php

48

Tools for cracking WPA-PSK CoWPAtty

In its fourth version cracks WPA2 There are "rainbow tables" of the most

common challenges (English) for common ESSIDs (linksys, tsunami, comcomcom, etc..)

wpa_crack Proof of concept

SpoonWpa GUI assistant

wpacracker.com Cracking WPA using cloud computing (17 US$)

49

WPA Cracking Workflow

WPA_XXXX / JAZZTEL_XXXX? http://www.seguridadwireless.net/wpamagick

ey1.php http://www.seguridadwireless.net/wpamagick

ey.php Test default passphrase “12345670”

WPA-PSK?1. Obtain the ESSID2. Obtain authentication:

De authenticate: aireplay-ng -0

3. Pre-computed tables for that ESSID Crack: aircrack-ng, cowpatty

50

WPA Cracking Workflow

4. Without tables for that ESSID Generate tables: genpmk (in parallel if

possible) Goto 3

51

WIFISLAX!!!

Other Tools

52

Wifislax 4.0

WIFISLAX 4.0 LiveCD Linux Wifi Audit Tools http://www.wifislax.com/wifislax-4-0-el-re

greso

53

Setting up a secure Wi-Fi network

54

AP Safe Setup

WPA2 encryption with strong and not predictable password

Disable beacon frames Set MAC filteringDisable DHCP Setup different IP range set than the

default (192.168.1.X)Limit the number of clients that

can be connected

55

Configuration with RADIUS server

Implementation in Microsoft Windows Client: Windows XP SP2+ / Vista / 7 Authenticator: AP hardware (WRT54g) RADIUS server: Microsoft Internet

Authentication Server (IAS) / FreeRADIUS.net

56

Configuration with RADIUS server

Implementation in GNU/Linux Client▪ wpa_supplicant▪ Xsupplicant▪ wireless-tools: iwconfig + iwpriv

Authenticator: hostapd (service of HostAP)

RADIUS server: FreeRADIUS, OpenRADIUS, Radiator, etc.

57

Captive portals

58

Captive portals

Client validation system for wireless nodes

Depending on the user type, it assigns bandwidth and gives access to different services

Usually based on temporal "tokens" managed by HTTP-SSL (443/TCP)

59

Captive portals

60

Captive portals

Authentication process

61

Images

http://www.flickr.com/photos/87546268@N00/76197417/ (AP)http://www.flickr.com/photos/13522901@N00/5182549507/

http://www.flickr.com/photos/laughingsquid/176520387http://www.flickr.com/photos/pittpics/504774599http://www.flickr.com/photos/hatemaster/2197840114http://www.flickr.com/photos/rayj1839/4940079038http://www.flickr.com/photos/atelier_tee/5551668917http://www.flickr.com/photos/meredithfarmer/318077155

http://www.flickr.com/photos/87793853@N00/2078979917/