the state of wireless security

neXus ADVANCED SECURITY TRAINING The State of Wireless Client Security in Mobile Device “Alice in 802.11 land”

Upload: nexussecurity

Post on 14-Jul-2015


Page 1: The state of wireless security

neXus ADVANCED SECURITY TRAINING

The State of Wireless Client Security in Mobile Device

“Alice in 802.11 land”

Page 2: Who are we?

Dennis Verslegers

Filip Waeytens

Page 4: This talk is about

• Overview of the current state of the technology
• Overview of existing attacks against the infrastructure
• Overview of existing attacks against the client
• Overview of the current tools and defences

Page 5: This talk is NOT about

• Explaining in depth how wifi works
• Introducing some new fancy NSA style attack

Page 6: A short refresh on 802.11

Page 7: Frame types

• Management Frames: allow for the maintenance of communication
• Control Frames: facilitate the exchange of data frames
• Data Frames: carry packets with data (files, webpages…)

Page 9: Management Frames

• Beacon: AP says: “Yo, I’m here, and I do blahblahblah”
• Probe request/response: STA says: “Hey, are you in range and can you do blah?” AP says: “I’m in range and do blahblahblah”.
• Authentication request/response: STA says: “I want to identify myself and here’s my key (if any)”. AP says: “ok or not ok”.
• (Re-)Association request/response: STA says: “I want to connect doing blahblahblah and I want to register with you”. AP says: “ok or not ok”.
• De-Authentication / Dis-Association: “I don’t want to be associated/authenticated anymore”.

Page 10: Infrastructure Attacks

Page 11: Wired Equivalent Privacy (WEP)

Its intention was to provide data confidentiality comparable to that of a traditional wired network.

source: wikipedia

Page 13: How it works

• In (standard) WEP the RC4 seed consists of the 40-bit key + a 24-bit initialisation vector (IV)
• This seed is used to generate a pseudo-random stream of bits
• This stream is then XORed with the plaintext and sent on to the receiver

Page 14: The flaws

• Keys are spread on every system, generally not the best security practice
• Easy to enter secret keys: input is done via 5 ASCII characters each representing 8 bits -> 40 bits. Issue: printable ASCII characters only cover a very small part of the possible byte values, a.k.a. we reduce the key space

Page 15: Rule #1 for stream ciphers

Keys must never be used twice

Page 16: The flaws

• Due to the fact that the IV is only 24 bits long there is a 50% probability to use the same IV after 5000 packets
• a.k.a. every 5000 packets we use the same key
• very much crackable
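The WEP slides above make three numeric claims: the per-frame RC4 seed is IV || key, a 5-character ASCII key covers only a sliver of the 40-bit key space, and a 24-bit IV repeats with 50% probability after about 5000 frames. The Python below is an added example (it is not code from the training deck) that checks each claim. It implements textbook RC4, applies the WEP seeding order from 802.11 (the CRC-32 ICV that WEP appends to the plaintext is left out), shows that two frames encrypted under the same IV leak the XOR of their plaintexts regardless of the key (rule #1), and computes the birthday bound for IV repeats assuming IVs are chosen at random, which is the assumption behind the 5000-frame figure. The key and IV values in the `__main__` block are constructed sample data.

```python
"""Added example: numeric checks of the WEP weaknesses described on the slides.
RC4 is the textbook algorithm; the WEP seed (IV || key) follows 802.11, the CRC-32
ICV is omitted for brevity."""
from itertools import count

IV_BITS = 24          # WEP initialisation vector length
KEY_BITS = 40         # "standard" WEP key length
PRINTABLE_ASCII = 95  # byte values 0x20..0x7E, all a 5-character key entry can produce


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: the per-frame seed is the 24-bit IV followed by the 40-bit key."""
    if len(key) != KEY_BITS // 8 or len(iv) != IV_BITS // 8:
        raise ValueError("WEP-40 needs a 5-byte key and a 3-byte IV")
    keystream = rc4_keystream(iv + key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leaks_plaintext_xor(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Rule #1 for stream ciphers: same IV means same keystream, so
    C1 XOR C2 == P1 XOR P2 and the key drops out of the equation entirely."""
    c1 = wep_encrypt(key, iv, p1)
    c2 = wep_encrypt(key, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def iv_collision_probability(n_frames: int, iv_bits: int = IV_BITS) -> float:
    """Birthday bound: probability that at least two of n frames share an IV when
    each IV is drawn uniformly from 2**iv_bits values."""
    space = 2 ** iv_bits
    p_all_distinct = 1.0
    for i in range(n_frames):
        p_all_distinct *= 1 - i / space
    return 1 - p_all_distinct


def frames_until_collision(target: float = 0.5, iv_bits: int = IV_BITS) -> int:
    """Smallest number of frames at which an IV repeat reaches the target probability."""
    space = 2 ** iv_bits
    p_all_distinct = 1.0
    for n in count(1):
        p_all_distinct *= 1 - (n - 1) / space
        if 1 - p_all_distinct >= target:
            return n


def ascii_key_space_fraction() -> float:
    """Share of the 2**40 key space reachable by typing 5 printable ASCII characters."""
    return PRINTABLE_ASCII ** 5 / 2 ** KEY_BITS


if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\xaa\xbb\xcc"  # constructed sample values
    print("same-IV leak:", keystream_reuse_leaks_plaintext_xor(key, iv, b"GET / HTTP/1.1", b"POST / HTTP/1.1"))
    print("frames for a 50% IV repeat:", frames_until_collision())
    print("ASCII keys cover %.2f%% of the key space" % (100 * ascii_key_space_fraction()))
```

`frames_until_collision()` lands just above 4800, which is the "5000 packets" rule of thumb; with a sequential IV counter the repeat instead comes at wrap-around, so the random-IV assumption is the optimistic case for the defender. The ASCII fraction is about 0.7%, i.e. a 40-bit key typed as text is effectively a 33-bit key.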

Page 17: How the industry solved it

Deprecated as they fail to meet their security goals

Move on to WPA or WPA2

Page 18: How to break it

• FMS attack
• KoreK attack
• ChopChop attack
• Fragmentation attack
• PTW attack

Page 20: How to break it

• Step 1: make sure you are in range of the access point (doh!)
• Step 2: set yourself up with a wireless adapter in monitor mode (listen to everyone chatting)
• Step 3: be patient and wait until you have sufficient IVs (remember the 5000 packets rule)
• Step 4: crack the captured traffic

Page 21: How to break it

• Fortunately there is an alternative for step 3:
  – Associate yourself with the access point: the AP ignores your packets and sends out a deauthentication packet in clear text if you are not associated
  – Replay ARP packets which you see on the network: ARP packets are great because they will be broadcast by the access point and many IVs will be generated in a very short timeframe

Page 22: The tools

• Excellent script kiddie material!
  – toolkit which required some knowledge about the actual attack: aircrack
  – after that many, many more ‘automated’ scripts, e.g. wepcrack, fern, gerix, wifite, …

Page 23: The tools

Page 25: Does this still work?

Let’s find out

Page 27: Does this still work?

• 30 minutes walk
• 1k+ wireless networks identified
• +/- 5,5% or 58 wireless networks were (un)protected by WEP

Page 28: Does this still work?

Network names from the slide’s screenshot:

Bureau HILLAWI
Eurada_WiFi LAPOSTE
ITB ZyXEL
34_Second_Floor
Le Paddock EUROCHILD eurocapital CS Belgium Meetingroom
Belkin_G_Plus_MIM... Thomson84B046

Page 29: The state of wireless security

Wi-­‐Fi  Protect  Access  (WPA/WPA2)

The  answer  to  WEP

neXusADVANCED SECURITY TRAINING

Page 30: The state of wireless security

How  it  works

neXusADVANCED SECURITY TRAINING

Page 31: The state of wireless security

The  core  changes

•  integrity  checks  were  added  to  defeat  forgeries  

•  protection  against  replay  attacks  was  added  

•  improved  encryption  key  solution  was  introduced  

•  for  WPA2:  AES  was  used  instead  of  TKIP

neXusADVANCED SECURITY TRAINING

Page 32: The state of wireless security

How  to  break  it

•  Attacks  against  the  algorithm  of  WPA:  

–  Beck  and  Tews’  attack  

–  Ohigashi-­‐Morii  Attack  

–  Michael  Attacks  

–  The  Hole196  vulnerability

neXusADVANCED SECURITY TRAINING

Page 33: The state of wireless security

neXusADVANCED SECURITY TRAINING

Page 34: The state of wireless security

The  flaw

•  WPA-­‐PSK  /  WPA2-­‐PSK:  

• Weak(er)  pass-­‐phrases  maybe  cracked  using  dictionary  attacks.  

•  Mainly  pass-­‐phrases  of  20  characters  or  less  are  vulnerable

neXusADVANCED SECURITY TRAINING

Page 35: The state of wireless security

How  to  break  it

Before  we  begin:  

•  the  passphrase  is  only  used  during  the  initial  authentication  handshake,  so  we  will  need  to  intercept  one  of  those  

•  the  passphrase  used  for  the  pre-­‐shared  key  must  be  present  in  our  dictionary  or  be  of  a  short(er)  length

neXusADVANCED SECURITY TRAINING
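The two points above (the passphrase only enters the picture through the key it derives, and that key is what the handshake proves possession of) rest on the PSK derivation defined in IEEE 802.11i: PBKDF2 with HMAC-SHA1 over the passphrase, the SSID as salt, 4096 iterations and a 256-bit output. The Python below is an added example, not part of the training material, that performs that derivation with the standard library, checks it against the test vector published in the standard (passphrase "password", SSID "IEEE"), and shows that the same passphrase on another SSID gives a different key, which is why precomputed tables only pay off against common SSIDs and why a unique SSID (not a hidden one) raises the cost of guessing. The passphrase and SSIDs in the `__main__` block are constructed sample values.

```python
"""Added example: the WPA/WPA2-PSK key derivation from IEEE 802.11i.
PSK (= PMK) = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits)."""
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by the standard
PMK_LENGTH = 32            # 256-bit key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the pairwise master key; the SSID acts as the salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("802.11i passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LENGTH)


def matches_standard_vector() -> bool:
    """Compare with the test vector from IEEE 802.11i (passphrase "password", SSID "IEEE")."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return derive_pmk("password", "IEEE").hex() == expected


def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Same passphrase, different SSID -> different PMK: a table precomputed for one
    SSID says nothing about another network using the same passphrase."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    print("standard vector ok:", matches_standard_vector())
    print("PMK differs per SSID:", pmk_depends_on_ssid("correct horse battery", "ABC", "ABC-guest"))
```

The 4096 iterations are what make each guess cost a few thousand HMAC operations; the slide's observation that only short passphrases are practical to recover is a direct consequence of that fixed work factor combined with the size of the passphrase space.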

Page 36: How to break it

• Step 1: make sure you are in range of the access point (doh!)
• Step 2: set yourself up with a wireless adapter in monitor mode (listen to everyone chatting)
• Step 3: be patient and wait until you have a client performing authentication
• Step 4: brute force the pre-shared key through the captured authentication handshake

Page 37: How to break it

• Fortunately there is an alternative for step 3:
  – Deauthenticate a wireless client

Page 38: But wait, wasn’t there something called WPS?

Convenience kills security

Page 40: The flaw

• 8 digit pin code + 60 seconds time-out after 3 failed attempts = 6.3 years required to crack the pin
• For some reason the pin code has been split in 2 sets of 4 digits … Hmmmm
• The router tells you when you found the first 4, great checkpoint. Now we only need 1 day to crack the pin …

Page 41: The flaw

• To make matters worse:
  – the pin code in many cases is built-in, no way to change it
  – WPS functionality can, in some cases, not be disabled
  – some routers offering the option to disable WPS … don’t really disable WPS after all

Page 42: How to break it

Brute Force!

Page 44: Does this still work?

Let’s find out

Page 46: Does this still work?

• Same round
• 1055 wireless networks identified
• +/- 18% or 178 wireless networks were using WPS

Page 47: Does this still work?

Network names from the slide’s screenshot:

Cisco Ducale 51 ActuaTV-VP Meetingroom
STELLA Consulting EUROHUB
CONSULTANCY Regency
Misija NATO
Voyager King's Room FurEurope francite Kabinet michel
Act As One Exco II Economic

Page 48: EAP / LEAP / PEAP

Extensible Authentication Protocol

Page 49: How it works

• Replace the pre-shared key with a more corporate grade authentication system covering:
  – authentication
  – key distribution
• Extensible Authentication Protocol a.k.a. authentication framework

Page 50: LEAP

• Lightweight EAP
  – Credentials are sent using MS-CHAP without SSL tunnel protection
  – User credentials are not strongly protected
  – Offline password cracking possible

Page 51: PEAP

• Protected EAP
  – EAP is encapsulated in a TLS tunnel (encryption & authentication)
  – Credentials are sent using MS-CHAPv2

Page 52: EAP

• Many variants available (hence extensible):
  – EAP-TLS: based on certificates and public/private keys
  – EAP-MD5: based on MD5 hashing to pass credentials
  – EAP-IKEv2: based on Internet Key Exchange Protocol version 2

Page 53: Flaws & attacks

• EAP overall:
  – communication between Access Points and RADIUS server(s) relies only on the HMAC-MD5 hashing algorithm in RADIUS implementations = vulnerable to man-in-the-middle attacks
  – users / endpoints are left with the decision whether or not to trust the certificates provided by the authenticator = vulnerable to impersonation attack


Page 58: Last but not least

The wireless access point or router interfaces

Page 59: APs are no different from the rest

• Default configuration / passwords … far too common
• Webservers embedded in small devices …
• Attacks which tend to work on regular websites also work against admin pages:
  – Cross Site Request Forgery
  – DNS rebinding

Page 60: Further reading

• http://www.iescobar.net/survey%20wifi.pdf
• https://www.matthieu.io/dl/wifi-attacks-wep-wpa.pdf
• https://en.wikipedia.org/wiki/Fluhrer,_Mantin_and_Shamir_attack
• http://dl.aircrack-ng.org/breakingwepandwpa.pdf
• http://www.aircrack-ng.org/doku.php?id=simple_wep_crack
• http://www.aircrack-ng.org/doku.php?id=cracking_wpa&s[]=wpa&s[]=crack

Page 61: Client Attacks

Page 62: Major Categories

• Attacking the client directly: wireless card driver attacks
• Attacking the client via “Man in the Middle” attacks (MitM)

Page 63: Wireless Driver Attacks

• Mostly buffer overflow type flaws
• Not trivial: requires deep knowledge on OS/kernel level
• Vendor specific
• Not much has happened lately

Page 64

Last public driver BO exploit dates from 2010

Page 65: “Man in the Middle” Attacks

• Victim connects to “evil” AP -> attacker has control over traffic
• Very popular
• = Starting point of 50 shades of exploitation: sniffing, injection, DNS poisoning, …

Page 66: Popular Attacks

• Free Wifi: because people like free stuff
• Karma/Jasager: because 802.11 is (was?) flawed
• Mana: because Karma is flawed
• Mana-toolkit: attacking secure networks
• Fake Portal: because social engineering is effective

Page 67: Free Wifi

• How it works: just set up an open AP in a crowded area and people will connect
• Tools needed: laptop + Kali Linux: hostapd/airbase-ng + iptables + forwarding + dnsmasq
• or get a Pineapple Mark V if you have 99 USD lying around

Page 68: Freewifi config: Routing and NAT

# wlan1 is the AP-side interface, eth0 the uplink
ifconfig wlan1 up
ifconfig wlan1 172.16.50.1/24
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables -t nat -F
iptables -F
# NAT everything leaving via the uplink
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# allow client traffic from the AP interface out to the uplink
iptables -A FORWARD -i wlan1 -o eth0 -j ACCEPT
echo '1' > /proc/sys/net/ipv4/ip_forward

+ run hostapd and dnsmasq (configs next slides)

Page 69: Freewifi config: hostapd.conf

interface=wlan1
driver=nl80211
ssid=freewifi
channel=1
hw_mode=g

Page 70: Freewifi config: dnsmasq.conf

log-facility=/var/log/dnsmasq.log
interface=wlan1
dhcp-range=172.16.50.10,172.16.50.250,12h
# DHCP option 3 = default gateway, option 6 = DNS server handed to clients
dhcp-option=3,172.16.50.1
dhcp-option=6,8.8.8.8
log-queries

Page 72: But I don’t trust “FreeWifi” 1… Enter the “PNL”

• a.k.a. the Preferred Network List
• Every time we connect to an AP, it gets stored on our devices in the PNL
• Our devices “probe” all the time for these networks
• When probing for a specific network, the device sends a probe request with a specific SSID (directed probe)
• Devices also send out null probes: probe requests with SSID=“”

Page 73: But I don’t trust “FreeWifi” 2… Enter “Karma”

• Karma attack: an AP that responds positively to all directed probes (a.k.a. “Jasager”)

Is “Macdonalds” Wifi here?
Sure, that’s me
Is “corporate-guest” here?
Sure, that’s me

Page 74: What happened (until +-2012)

• Clients constantly sent directed probes for all networks in their PNL (Preferred Network List)
• An evil Karma AP responded positively to any directed probe
• Clients automatically (!!) connected to the Karma AP

Page 75: So, what happened around +-2012?

• Vendors silently ‘fixed’ behaviour in newer OS’: clients only connected when the AP responded to BOTH the directed and the null probe
• Devices stopped constantly sending directed probes. Some stopped sending them altogether (iOS).
• Karma didn’t respond to broadcast null probes

Karma was broken

Page 76: Hackers ‘fix’ the Karma attack… Enter “Mana”

• Mana = modified hostapd for the Karma attack
• Actually: Mana-toolkit (modded hostapd + bunch of stuff)
• Mana waits until it sees a directed probe and then responds to both the directed and the broadcast probe.
• Behaviour of probing still differs greatly between OSs
• Also has ‘loud mode’: it keeps a list of all SSIDs it sees from all devices and broadcasts them: more chance to get ‘popular’ SSIDs

Page 77: Detecting probes

• Wireshark filter for probe requests: wlan.fc.type_subtype == 0x04
• or Python + scapy
• don’t forget to put the interface in monitor mode

Page 78: Example: Nexus 5 phone with Android OS 4.4.3

• Erratic: directed probes with 30 seconds to 10 minute intervals.

Page 79: So what about hidden SSIDs?

• Hidden networks don’t return a SSID in response to a broadcast probe: the AP only gives the SSID when receiving a directed probe.
• Devices with a hidden network in their PNL need to probe for it specifically
• iOS devices only do this when they see at least 1 hidden network
• Solution: put a hidden network somewhere to get directed probes from iOS devices for hidden networks

Page 81: Can we get more “victims”? Enter “De-Auth”

• A de-authentication packet is sent to terminate communication between a client and an AP
• It is done via a management packet: cleartext
• Can be spoofed easily

Anyone can de-authenticate anyone. We can disconnect existing connections (until they connect to us).

Page 82: Deauthentication tools

• Aireplay-ng: e.g. deauth all clients of BSSID 7a:54:2e:9c:31:1f
• mdk3 (“Murder Death Kill”)
• Several scripts
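The management-frame refresher (page 9), the PNL and Karma/Mana slides (pages 72 to 76), the Wireshark filter on page 77 and the de-auth slides above all come down to reading the type/subtype bits of the 802.11 frame control field and the tagged SSID parameter. The Python below is an added example, not from the training deck and not scapy, that does that decoding directly on raw frame bytes and applies the three checks a monitoring station would run over a capture: which SSIDs a station leaks through directed probes (its PNL), whether one transmitter answers probes for many different SSIDs (the "sure, that's me" signature of a Karma-style AP), and whether one sender address emits a burst of deauthentication frames. The frames in `sample_capture()` are constructed test data (locally administered MAC addresses, SSIDs taken from the slides), the header layout follows the 802.11 management frame format, and the two thresholds are assumed tuning values, not figures from the talk.

```python
"""Added example: decode 802.11 management frames and apply the detections the
slides describe: directed vs. null probe requests (PNL leakage), one transmitter
answering probes for many SSIDs (Karma/Mana signature) and deauthentication bursts.
All frames below are constructed test data."""
import struct
from collections import Counter, defaultdict

# Wireshark wlan.fc.type_subtype values: (type << 4) | subtype, with type 0 = management
PROBE_REQUEST, PROBE_RESPONSE, BEACON, DEAUTH = 0x04, 0x05, 0x08, 0x0C
ELEMENT_SSID = 0           # tagged parameter id of the SSID element
FIXED_FIELDS = 12          # timestamp(8) + beacon interval(2) + capability(2) in beacons/probe responses


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ssid_element(ssid: str) -> bytes:
    """Tagged parameter: element id 0, length, SSID bytes (length 0 = null/broadcast probe)."""
    body = ssid.encode("utf-8")
    return bytes([ELEMENT_SSID, len(body)]) + body


def build_mgmt_frame(type_subtype: int, src: str, dst: str, bssid: str, body: bytes = b"") -> bytes:
    """Minimal management frame: frame control, duration, addr1 (DA), addr2 (SA), addr3 (BSSID), seq."""
    frame_control = struct.pack("<H", (type_subtype & 0xF) << 4)  # version 0, type 0, no flags
    header = frame_control + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + b"\x00\x00"
    return header + body


def parse_mgmt_frame(frame: bytes):
    """Return (type_subtype, src, dst, bssid, body) for a management frame, None for other types."""
    (fc,) = struct.unpack("<H", frame[:2])
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:
        return None
    return (ftype << 4) | subtype, mac_str(frame[10:16]), mac_str(frame[4:10]), mac_str(frame[16:22]), frame[24:]


def find_ssid(body: bytes):
    """Walk the tagged parameters; return the SSID ("" for a null probe) or None if absent."""
    i = 0
    while i + 2 <= len(body):
        element_id, length = body[i], body[i + 1]
        if element_id == ELEMENT_SSID:
            return body[i + 2:i + 2 + length].decode("utf-8", "replace")
        i += 2 + length
    return None


def analyse(frames, karma_min_ssids: int = 3, deauth_burst: int = 5) -> dict:
    """Run the three detections over a list of raw frames (thresholds are assumed values)."""
    directed_probes = defaultdict(set)   # station -> SSIDs it asked for by name
    ssids_claimed = defaultdict(set)     # transmitter -> SSIDs it advertised or answered for
    deauths = Counter()                  # claimed sender -> number of deauth frames
    for frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            continue
        ts, src, _dst, _bssid, body = parsed
        if ts == PROBE_REQUEST:
            ssid = find_ssid(body)
            if ssid:                      # a directed probe names an entry of the station's PNL
                directed_probes[src].add(ssid)
        elif ts in (PROBE_RESPONSE, BEACON):
            ssid = find_ssid(body[FIXED_FIELDS:])
            if ssid is not None:
                ssids_claimed[src].add(ssid)
        elif ts == DEAUTH:
            deauths[src] += 1
    return {
        "pnl_leaks": {sta: sorted(s) for sta, s in directed_probes.items()},
        "karma_suspects": {ap: sorted(s) for ap, s in ssids_claimed.items() if len(s) >= karma_min_ssids},
        "deauth_bursts": {ap: n for ap, n in deauths.items() if n >= deauth_burst},
    }


def sample_capture() -> list:
    """Constructed frames: a phone probing its PNL, an honest AP, an AP answering every probe, a deauth burst."""
    phone, honest_ap, evil_ap = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:ee"
    broadcast, fixed = "ff:ff:ff:ff:ff:ff", b"\x00" * FIXED_FIELDS
    frames = [
        build_mgmt_frame(PROBE_REQUEST, phone, broadcast, broadcast, ssid_element("")),  # null probe
        build_mgmt_frame(PROBE_REQUEST, phone, broadcast, broadcast, ssid_element("corporate-guest")),
        build_mgmt_frame(PROBE_REQUEST, phone, broadcast, broadcast, ssid_element("Macdonalds")),
        build_mgmt_frame(BEACON, honest_ap, broadcast, honest_ap, fixed + ssid_element("ABC")),
    ]
    for ssid in ("corporate-guest", "Macdonalds", "ABC"):   # Karma-style AP says "that's me" to everything
        frames.append(build_mgmt_frame(PROBE_RESPONSE, evil_ap, phone, evil_ap, fixed + ssid_element(ssid)))
    frames += [build_mgmt_frame(DEAUTH, honest_ap, phone, honest_ap, b"\x07\x00")] * 6  # sender address forged
    return frames


if __name__ == "__main__":
    for finding, detail in analyse(sample_capture()).items():
        print(finding, detail)
```

The deauth counter is keyed on the claimed sender, which is the AP's address when the frame is spoofed; that is exactly what a wireless IDS sees, and why 802.11w management frame protection (which authenticates deauth frames) rather than address filtering is the fix. The Karma check needs a minimum number of distinct SSIDs so that an honest multi-SSID AP is not flagged on two names.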

Page 84: What about secure networks? (SSL)

• A lot of apps use SSL connections
• login pages / sensitive data: websites use SSL
• an attacker performing MitM can not read data directly
• A lot of attacks against SSL lately (BEAST, POODLE, …), but most attacks impractical (except Heartbleed, which isn’t a MitM attack)

Page 85: Common attack methods 1: Fake CERT

• Terminate the SSL connection in the middle and present your own certificate.
• Problem: SSL popup
• Solution: none.
• But users usually click through annoying popups :)

No Problem :)

Page 86: Common attack methods 2: SSLSTRIP

• SSLStrip is a proxy in the middle that changes all HTTPS links in http responses to HTTP (it “strips” the SSL)
• Problem:
  » A) works only for redirects to https
  » B) address in browser shows as http instead of https
• Solution:
  » A) none
  » B) we add a favicon that looks like a lock: good enough for most users

Page 88: Vendors’ response: HSTS

• HSTS = HTTP Strict Transport Security
• Sites can send a ‘Strict-Transport-Security’ response header back to the browser
• Once the browser has received this, the browser will only connect directly in HTTPS
• Google also maintains a preloaded list
• Used by latest versions of Chrome, Safari, Firefox (not IE<12)

Page 89: Hackers respond: SSLSplit

• SOLUTION: “sslsplit” = modified sslstrip
  – “Works like a proxy, similar to sslstrip.”
  – “SSLsplit removes response headers for HPKP in order to prevent public key pinning for HSTS, to allow the user to accept untrusted certificates”
  – generates on the fly fake certificates
• But if the user already browsed to the site before, the browser will still use HTTPS only

Problem not yet solved

Page 90: Hackers respond some more: SSLStrip+

• SSLStrip+ changes the hostname:
  – User wants to surf to www.google.com and gets redirected to wwww.google.com. SSLStrip+ keeps track of DNS.
  – User wants to surf to account.google.com and gets redirected to accounts.google.com
• Because accounts.google.com and wwww.google.com do not exist, the browser also doesn’t have an HSTS entry for them, and sslsplit works.
• Latest attack against HSTS: NTP MitM
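The HSTS slide (page 88) and the SSLStrip+ slide above are two sides of one rule: the browser only refuses plain http for hosts that have an HSTS entry, and a lookalike hostname has one only if a parent domain's entry carries includeSubDomains (or is preloaded). The Python below is an added example, not from the training material, that models a browser's HSTS store the way RFC 6797 describes it: it parses the Strict-Transport-Security header (max-age, includeSubDomains, preload), records entries with expiry, honours max-age=0 as a removal, and answers "must this request be https?" by walking up the domain labels. With that model the www.google.com / wwww.google.com case from the slide can be replayed to show when the hostname trick gets past HSTS and which header settings close it. The hostnames, headers and clock values are constructed test data; `example.test` is a reserved name used as a placeholder.

```python
"""Added example: a minimal model of a browser's HSTS store (RFC 6797) used to show
why the SSLStrip+ lookalike-hostname trick depends on the scope of the HSTS entry.
All hosts, headers and timestamps are constructed test data."""


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


class HstsStore:
    """Dynamic HSTS entries learned from headers, plus a preload list that never expires."""

    def __init__(self, preload=()):
        # preload: iterable of (host, include_subdomains) pairs shipped with the browser
        self.entries = {host.lower(): (include_sub, float("inf")) for host, include_sub in preload}

    def record(self, host: str, header: str, now: float) -> None:
        """Apply a header received over a secure connection from host (RFC 6797 section 8.1)."""
        policy = parse_hsts(header)
        host = host.lower()
        if policy["max_age"] == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
            return
        self.entries[host] = (policy["include_subdomains"], now + policy["max_age"])

    def must_use_https(self, host: str, now: float) -> bool:
        """True if the browser would refuse plain http for this host right now."""
        labels = host.lower().split(".")
        for depth in range(len(labels)):
            entry = self.entries.get(".".join(labels[depth:]))
            if entry is None:
                continue
            include_subdomains, expires = entry
            if expires <= now:
                continue  # expired entry: behaves as if absent
            if depth == 0 or include_subdomains:
                return True
        return False


def lookalike_bypasses_hsts(store: HstsStore, real_host: str, lookalike_host: str, now: float) -> bool:
    """The hostname trick only helps when the real host is protected and the lookalike is not."""
    return store.must_use_https(real_host, now) and not store.must_use_https(lookalike_host, now)


if __name__ == "__main__":
    now = 1_000_000.0
    learned = HstsStore()
    learned.record("www.google.com", "max-age=31536000", now)          # host-only entry
    print("lookalike bypass with host-only entry:", lookalike_bypasses_hsts(learned, "www.google.com", "wwww.google.com", now))
    preloaded = HstsStore(preload=[("google.com", True)])               # includeSubDomains on the parent
    print("lookalike bypass with preloaded parent:", lookalike_bypasses_hsts(preloaded, "www.google.com", "wwww.google.com", now))
```

The model makes the mitigation explicit: an entry for only www.example covers nothing else, so a one-letter variant is a fresh, unprotected host to the browser, while includeSubDomains on the registrable domain (and preloading, so the policy is present before any first visit) covers every variant the proxy can invent under that domain.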

Page 92: The End Boss Demos

Page 93: Demo: Evil Twin Scenario

• We listen for wireless traffic around us and see open AP “ABC”
• We set up an access point with Mana Toolkit and name it “ABC”
• We de-authorise “USER1” who is connected to “ABC”
• “USER1” connects to our AP
• We sniff traffic, using SSLStrip+, and capture the Google password

Page 96: Demo: Evil Portal

• We set up a wireless portal that provides free access (preferably somewhere where there are a lot of people and no other APs)
• Some social engineering: people can log in with Google, Facebook, Twitter and other social media accounts
• … but not really

Page 98: Conclusions

• Karma attack still works on some devices but not that great (not many directed probes)
• There are still tricks to ‘bypass’ secure networks, but vendors are working on it as well (HSTS)
• Most effective attacks these days involve some degree of social engineering: Evil Twin + Deauth, Fake Captive Portal

Page 99: References

• http://www.sensepost.com/blog/11823.html
• http://www.thoughtcrime.org/software/sslstrip/
• https://www.roe.ch/SSLsplit
• http://www.theta44.org/karma/
• https://www.blackhat.com/docs/asia-14/materials/Nve/Asia-14-Nve-Offensive-Exploiting-DNS-Servers-Changes.pdf
• http://www.wsec.be/blog/2012/02/14/airbase-ng-sslstrip-meet-airstrip
• https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf

Page 100: Want to see more?

• www.nexus-training.eu
• videos available
• slideset will be provided there too
• training: 30.03-01.04, 3 day hacking introduction @ Ausy (Haasrode): http://www.dataflow.be/en/ethical-hacking-training-hacking-explained-condensed