WLAN Security and Analysis April 1, 2008 Thomas d’Otreppe de Bouvette Aircrack-ng SHARKFEST '08 Foothill College March 31 - April 2, 2008


WLAN Security and Analysis - storage.aircrack-ng.org/talks/sharkfest08/WLAN_security_and_analysis.pdf

WLAN Security and Analysis
April 1, 2008

Thomas d’Otreppe de Bouvette
Aircrack-ng

SHARKFEST '08
Foothill College
March 31 - April 2, 2008


Agenda

Who Am I?
Wireless networks
  Timeline
  Overview of 802.11 networks
  Wireless packets
  Encryption
  Interactions with networks
  Capture files analysis
OSdep
Demo


Who Am I?

Started Aircrack-ng ~2 years ago.

Graduated from Brussels High School in June 2006

Currently work as IT consultant

Created Offensive-Security WiFu course


Overview of 802.11 networks - Timeline

802.11: ’97
802.11a: ’99
802.11b: ’99
802.11g: 2003
802.11n: Group started in January 2004
  D1.0 (1.06): November 2006
  D1.1: January 19, 2007
  D2.0: March 2007
  D3 (3.02): January 2008


Overview of 802.11 networks - OSI

[Diagram: 802 protocols mapped to the OSI layers]

Data Link layer
  LLC: 802.2 Logical Link Control
  MAC: 802.3 MAC, 802.11 MAC
Physical layer
  PHY: 802.3 PHY, 802.11 FHSS PHY, 802.11 DSSS PHY, 802.11 IR PHY, 802.11a OFDM PHY, 802.11b HR/DSSS PHY, 802.11g ERP PHY


Overview of 802.11 networks – Operating Modes

Infrastructure

Ad hoc


Overview of 802.11 networks - Infrastructure

[Diagram: two BSSs, each made of one AP and two STAs; the APs are linked through the DS, and the whole forms an ESS]


Overview of 802.11 networks – Ad hoc

[Diagram: two STAs forming an IBSS]


Wireless packets – Frame structure

Field               Bytes
Frame control       2
Duration / ID       2
Address 1           6
Address 2           6
Address 3           6
Sequence Control    2
Address 4           6
Data                0-2324
FCS                 4

Header: 30 bytes

Frame control field    Bits
Protocol Version       2
Type                   2
Subtype                4
To DS                  1
From DS                1
More frag              1
Retry                  1
Power Mgmt             1
More Data              1
Prot. frame            1
Order                  1

Sequence Control field    Bits
Sequence Number           12
Fragment Number           4


Wireless packets – Frame structure: Addresses

ToDS bit   FromDS bit   Address 1   Address 2   Address 3   Address 4   Mode
0          0            DA          SA          BSSID                   IBSS
0          1            DA          BSSID       SA                      AP
1          0            BSSID       SA          DA                      AP
1          1            RA          TA          DA          SA          WDS


Wireless packets – Frames types

Management frames

Control frames

Data frames


Wireless packets – Management frames

• Definition: used to negotiate and control the relationship between the AP and the station.

• Type field value: 0

Subtype field value   Description
0                     Assoc. request
1                     Assoc. response
2                     Reassoc. req.
3                     Reassoc. resp.
4                     Probe request
5                     Probe response
6                     Meas. Pilot
7                     Reserved
8                     Beacon
9                     ATIM
10                    Disassociation
11                    Authentication
12                    Deauthentication
13                    Action
14                    Action No ACK
15                    Reserved


Wireless packets – Management frames (1)

Beacon

Header (24 bytes): Frame control (2), Duration (2), Destination Address (6), Source Address (6), BSS ID (6), Sequence Control (2)
Followed by: Frame body (Variable), FCS (4)

Frame body fields (size in bytes):
  Timestamp (8)
  Beacon interval (2)
  Capability information (2)
  SSID (Variable)
  Supported rates (Variable)
  FH Parameter Set
  DS Parameter set
  CF Parameter set (8)
  IBSS Parameter set (2)
  TIM (Variable)
  Country information (Variable)
  FH Hopping parameter (4)
  FH Pattern table (Variable)
  Power constant (3)
  Channel switch announcement (6)
  Quiet (8)
  IBSS DFS (Variable)
  TPC Report (4)
  ERP Information (3)
  Extended Supported rates (Variable)
  Robust Security Network (Variable)


Wireless packets – Management frames (2)

Probe Request

Header (24 bytes): Frame control (2), Duration (2), Destination Address (6), Source Address (6), BSS ID (6), Sequence Control (2)
Followed by: Frame body (Variable), FCS (4)

Frame body fields (size in bytes):
  SSID (Variable)
  Supported Rates (Variable)
  Extended Supported Rates (Variable)


Wireless packets – Management frames (3)

Probe response

Header (24 bytes): Frame control (2), Duration (2), Destination Address (6), Source Address (6), BSS ID (6), Sequence Control (2)
Followed by: Frame body (Variable), FCS (4)

Frame body fields (size in bytes):
  Timestamp (8)
  Beacon interval (2)
  Capability information (2)
  SSID (Variable)
  Supported rates (Variable)
  FH Parameter Set
  DS Parameter set
  CF Parameter set (8)
  IBSS Parameter set (2)
  Country information (Variable)
  FH Hopping parameter (4)
  FH Pattern table (Variable)
  Power constant (3)
  Channel switch announcement (6)
  Quiet (8)
  IBSS DFS (Variable)
  TPC Report (4)
  ERP Information (3)
  Extended Supported rates (Variable)
  Robust Security Network (Variable)


Wireless packets – Management frames (4)

Authentication

Header (24 bytes): Frame control (2), Duration (2), Destination Address (6), Source Address (6), BSS ID (6), Sequence Control (2)
Followed by: Frame Body (Variable), FCS (4)

Frame body fields (size in bytes):
  Authentication Algorithm No (2)
  Authentication Transaction Seq No (2)
  Status Code (2)
  Challenge text (Variable)


Wireless packets – Management frames (5)

Association request

Header (24 bytes): Frame control (2), Duration (2), Destination Address (6), Source Address (6), BSS ID (6), Sequence Control (2)
Followed by: Frame Body (Variable), FCS (4)

Frame body fields (size in bytes):
  Capability Information (2)
  Listen Interval (2)
  SSID (Variable)
  Supported rates (Variable)


Wireless packets – Management frames (6)

Reassociation request

Header (24 bytes): Frame control (2), Duration (2), Destination Address (6), Source Address (6), BSS ID (6), Sequence Control (2)
Followed by: Frame Body (Variable), FCS (4)

Frame body fields (size in bytes):
  Capability Information (2)
  Listen Interval (2)
  Source Address (6)
  SSID (Variable)
  Supported rates (Variable)


Wireless packets – Management frames (7)

Association/Reassociation response

Header (24 bytes): Frame control (2), Duration (2), Destination Address (6), Source Address (6), BSS ID (6), Sequence Control (2)
Followed by: Frame Body (Variable), FCS (4)

Frame body fields (size in bytes):
  Capability Information (2)
  Status code (2)
  Association ID (AID) (6)
  Supported rates (Variable)


Wireless packets – Management frames (8)

Disassociation / Deauthentication frame

Header (24 bytes): Frame control (2), Duration (2), Destination Address (6), Source Address (6), BSS ID (6), Sequence Control (2)
Followed by: Body (2), FCS (4)

Body fields (size in bytes):
  Reason code (2)


Wireless packets – Control frames

• Definition: Assist in the delivery of management and data frames.

• Type field value: 1

Subtype field value   Description
0-6                   Reserved
7                     Control Wrapper
8                     Block ACK request
9                     Block ACK
10                    PS-Poll
11                    RTS
12                    CTS
13                    ACK
14                    CF End
15                    CF-End + CF-ACK


Wireless packets – Control frames (2)

RTS (size in bytes): Frame control (2), Duration (2), Receiver Address (6), Transmitter Address (6), FCS (4)

CTS (size in bytes): Frame control (2), Duration (2), Receiver Address (6), FCS (4)

ACK (size in bytes): Frame control (2), Duration (2), Receiver Address (6), FCS (4)


Wireless packets – Data frames

• Definition: Carry higher level protocol data in the frame body

• Type field value: 2

Subtype field value   Description
0                     Data
1                     Data + CF ACK
2                     Data + CF Poll
3                     Data + CF ACK + CF Poll
4                     Null function
5                     CF ACK
6                     CF Poll
7                     CF ACK + CF Poll
8                     QoS data
9                     QoS data + CF-ACK
10                    QoS data + CF-Poll
11                    QoS data + CF-ACK + CF-Poll
12                    QoS Null (no data)
13                    Reserved
14                    QoS CF-Poll (no data)
15                    QoS CF-ACK + CF-Poll (no data)
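The frame control layout, the ToDS/FromDS address table and the subtype tables above are enough to decode a MAC header during capture analysis. The decoder below is an added example, not code from the slides or from Aircrack-ng; the function names and the two sample frames are constructed for illustration, and only part of the data subtype table is included.

```python
import struct

# Type and subtype names follow the tables in this section (subset for data).
TYPES = {0: "Management", 1: "Control", 2: "Data"}
SUBTYPES = {
    0: {0: "Assoc. request", 1: "Assoc. response", 2: "Reassoc. req.",
        3: "Reassoc. resp.", 4: "Probe request", 5: "Probe response",
        8: "Beacon", 9: "ATIM", 10: "Disassociation", 11: "Authentication",
        12: "Deauthentication", 13: "Action", 14: "Action No ACK"},
    1: {7: "Control Wrapper", 8: "Block ACK request", 9: "Block ACK",
        10: "PS-Poll", 11: "RTS", 12: "CTS", 13: "ACK", 14: "CF End",
        15: "CF-End + CF-ACK"},
    2: {0: "Data", 4: "Null function", 8: "QoS data", 12: "QoS Null (no data)"},
}
# Meaning of Address 1..4, keyed by (ToDS, FromDS), from the addresses table.
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID"),       # IBSS
    (0, 1): ("DA", "BSSID", "SA"),       # AP, FromDS set
    (1, 0): ("BSSID", "SA", "DA"),       # AP, ToDS set
    (1, 1): ("RA", "TA", "DA", "SA"),    # WDS
}
FLAGS = ("ToDS", "FromDS", "More frag", "Retry", "Power Mgmt",
         "More Data", "Prot. frame", "Order")


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame):
    """Decode the 802.11 MAC header of one frame (no radiotap header)."""
    if len(frame) < 10:
        raise ValueError("shorter than the smallest control frame")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    out = {
        "version": fc & 0x3,
        "type": TYPES.get(ftype, "Reserved"),
        "subtype": SUBTYPES.get(ftype, {}).get(subtype, f"subtype {subtype}"),
        "flags": [n for bit, n in enumerate(FLAGS) if fc & (1 << (8 + bit))],
        "duration": duration,
    }
    if ftype == 1:                       # control frames: RA, plus TA for RTS
        out["RA"] = mac(frame[4:10])
        if subtype == 11 and len(frame) >= 16:
            out["TA"] = mac(frame[10:16])
        return out
    roles = ADDRESS_ROLES[((fc >> 8) & 1, (fc >> 9) & 1)]
    if len(frame) < (30 if len(roles) == 4 else 24):
        raise ValueError("truncated header")
    for i, role in enumerate(roles[:3]):
        out[role] = mac(frame[4 + 6 * i:10 + 6 * i])
    seq_ctl, = struct.unpack_from("<H", frame, 22)
    out["fragment"], out["sequence"] = seq_ctl & 0xF, seq_ctl >> 4
    if len(roles) == 4:                  # Address 4 only exists in WDS frames
        out[roles[3]] = mac(frame[24:30])
    if ftype == 0 and subtype in (10, 12) and len(frame) >= 26:
        out["reason_code"], = struct.unpack_from("<H", frame, 24)
    return out


# Constructed sample frames (FCS omitted).
DEAUTH = bytes.fromhex("c0003a01" "02aabbccddee" "021122334455"
                       "021122334455" "1000" "0700")
DATA_TO_AP = bytes.fromhex("08412c00" "021122334455" "02aabbccddee"
                           "02deadbeef01" "4006")

if __name__ == "__main__":
    for sample in (DEAUTH, DATA_TO_AP):
        print(parse_header(sample))
```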


Interactions with networks – Encryption

Open network

WEP

WPA


Interactions with networks – Encryption - Open networks

No encryption

Hotspot, mesh networks


Thanks for your passwords ;)


Interactions with networks – Encryption - WEP

Wired Equivalent Privacy

Part of 802.11

RC4

24 bit IV

CRC32 (ICV) for message integrity


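Interactions with networks – Encryption - WEP (2)

[Diagram: WEP encryption. The IV and the Key go through the KSA and the PRGA to produce the Keystream, which is combined with the Message and its ICV. Resulting frame: Header, IV, Key ID, Encrypted Message, ICV.]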


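Interactions with networks – Encryption - WEP (3)

Decryption

[Diagram: WEP decryption. The IV taken from the received frame (IV, Key ID, Encrypted Message, ICV) and the Key go through the KSA and the PRGA to produce the Keystream, which recovers the Plaintext Message and the ICV.]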


Interactions with networks – Encryption - WEP (4)

function KSA()
    for i from 0 to 255
        S[i] := i
    endfor
    j := 0
    for i from 0 to 255
        j := (j + S[i] + key[i % keylength]) % 256
        swap(S[i], S[j])
    endfor
endfunction


Interactions with networks – Encryption - WEP (5)

function PRGA()
    i := 0
    j := 0
    while GeneratingOutput:
        i := (i + 1) % 256
        j := (j + S[i]) % 256
        swap(S[i], S[j])
        output S[(S[i] + S[j]) mod 256]
    endwhile
endfunction


Interactions with networks – Encryption - WEP (6)

[Diagram: bit-level example. Encryption: Plaintext combined with the Keystream gives the Encrypted data. Decryption: Encrypted data combined with the same Keystream gives the Plaintext.]
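The KSA and PRGA pseudocode and the WEP frame layout (IV, Key ID, Encrypted Message, ICV) from the slides above, put together as an encrypt/decrypt round trip. This is an added example, not code from the slides or from Aircrack-ng; the names `wep_encrypt` and `wep_decrypt` and the sample key and IV are constructed, and it assumes the per-frame RC4 key is the IV followed by the WEP key with the CRC32 ICV appended in little-endian order.

```python
import struct
import zlib


def ksa(key):
    """Key-scheduling algorithm: permute S under control of the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def prga(s, length):
    """Pseudo-random generation algorithm: emit `length` keystream bytes."""
    s = s[:]                      # work on a copy of the state
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def rc4(key, data):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    keystream = prga(ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def wep_encrypt(key, iv, key_id, message):
    """Return the WEP frame body: IV (3) | Key ID (1) | RC4(message + ICV)."""
    if len(iv) != 3:
        raise ValueError("the WEP IV is 24 bits")
    icv = struct.pack("<I", zlib.crc32(message))
    return iv + bytes([(key_id & 0x3) << 6]) + rc4(iv + key, message + icv)


def wep_decrypt(key, body):
    """Decrypt a WEP frame body and verify the ICV before returning data."""
    if len(body) < 8:
        raise ValueError("too short for IV, Key ID and ICV")
    iv, encrypted = body[:3], body[4:]
    plain = rc4(iv + key, encrypted)
    message, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(message)) != icv:
        raise ValueError("ICV mismatch")
    return message


# Constructed sample values (40-bit key, arbitrary IV).
SAMPLE_KEY = bytes.fromhex("0102030405")
SAMPLE_IV = bytes.fromhex("a1b2c3")

if __name__ == "__main__":
    frame = wep_encrypt(SAMPLE_KEY, SAMPLE_IV, 0, b"hello 802.11")
    print(frame.hex())
    print(wep_decrypt(SAMPLE_KEY, frame))
```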


Interactions with networks – Encryption - WPA

802.11i group

Developed two link-layer protocols:
  TKIP – WPA1: Draft 3 of 802.11i group (backward compatible with legacy hardware).
  CCMP – WPA2: final 802.11i standard

Two flavors:
  Personal: PSK
  Enterprise: MGT


Interactions with networks – Encryption - WPA (2)

[Diagram: phases between the STA, the Authenticator (AP) and the Radius server]

Agreement on security protocols
802.1X authentication
Keys distribution and verification
Master Key Distribution by Radius Server
Data encryption and integrity


Interactions with networks – Encryption - WPA (3)

Agreement on security protocols

Beacons and probe

Authentication: PSK or Radius server

Encryption suite for unicast and multicast/broadcast: TKIP, …


Interactions with networks – Encryption - WPA (4)

802.1X Authentication

Not done with PSK
Use EAP
When successfully authenticated:
  ACK sent to the client
  Generated Master Key sent to the AP


Interactions with networks – Encryption - WPA (5)

[Diagram: phases between the STA and the AP]

Agreement on security protocols
Keys distribution and verification
Data encryption and integrity


Interactions with networks – Encryption - WPA (6)

Key distribution and verification

Confirmation of the cipher suite used

Confirmation of the PMK knowledge

Installation of the integrity and encryption keys

Send GTK securely


Interactions with networks – Encryption - WPA (7)

WPA Key distribution and verification: 4-way handshake

1. Authenticator → Supplicant: ANonce
   Supplicant constructs the Pairwise Transient Key (256 bit)
2. Supplicant → Authenticator: SNonce + MIC
   Authenticator constructs the Pairwise Transient Key (256 bit)
3. Authenticator → Supplicant: GTK + MIC
4. Supplicant → Authenticator: ACK


Interactions with networks – Encryption - WPA (8)

Group key handshake

AP: Group Transient Key construction
1. AP → Supplicant: GTK + MIC
   Supplicant: Group Transient Key deciphering (using KEK)
2. Supplicant → AP: ACK


Interactions with networks – Encryption - WPA (9)

WPA Key exchange and verification: PTK Generation

Inputs to the HASH:
  Pairwise Master Key (256 bit)
  ANonce
  SNonce
  STA MAC Address
  AP MAC Address

Output: Pairwise Transient Key, made of:
  Key Confirmation Key (128 bit)
  Key Encryption Key (128 bit)
  Temporal Key (128 bit)
  MIC Tx Key (64 bit)
  MIC Rx key (64 bit)
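The "HASH" box of the PTK generation slide, written out as the 802.11i pseudo-random function (HMAC-SHA1 with the label "Pairwise key expansion") and split into the five keys listed above. This is an added example, not code from the slides or from Aircrack-ng; the function names and all sample values are constructed, and the Tx/Rx naming of the two 64-bit MIC keys is taken from the authenticator's point of view.

```python
import hashlib
import hmac


def prf(key, label, data, nbytes):
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """Derive the 512-bit TKIP PTK and split it as on the slide."""
    if len(pmk) != 32 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("PMK and nonces are 256 bits each")
    # Sorting both pairs lets the supplicant and the authenticator build the
    # same input without agreeing on who comes first.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {
        "KCK": ptk[0:16],       # Key Confirmation Key, 128 bit
        "KEK": ptk[16:32],      # Key Encryption Key, 128 bit
        "TK": ptk[32:48],       # Temporal Key, 128 bit
        "MIC Tx": ptk[48:56],   # 64 bit (authenticator's Tx, an assumption)
        "MIC Rx": ptk[56:64],   # 64 bit
    }


# Constructed sample values, for illustration only.
PMK = bytes(range(32))
AP_MAC = bytes.fromhex("021122334455")
STA_MAC = bytes.fromhex("02aabbccddee")
ANONCE = bytes([0xA5]) * 32
SNONCE = bytes([0x5A]) * 32

if __name__ == "__main__":
    for name, value in derive_ptk(PMK, AP_MAC, STA_MAC, ANONCE, SNONCE).items():
        print(f"{name:7s} {value.hex()}")
```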


Interactions with networks – Encryption - WPA (10)

WPA Key exchange and verification: GTK Construction

Inputs to the HASH:
  Group Master Key (256 bit)
  GNonce
  Group Key Expansion
  AP MAC Address

Output: Group Transient Key


Interactions with networks – Encryption - WPA (11)

Data Encryption and Integrity

TKIP Frame (size in bytes): MAC Header, IV/Key ID (4), Extended IV (4), Data (PDU) (>= 1), MIC (8), ICV (4), FCS (4)

CCMP Frame (size in bytes): MAC Header, CCMP Header (8), Data (PDU) (>= 1), MIC (8), FCS (4)

[Diagram: each frame layout marks its encrypted portion]


Interactions with networks

[Diagram: exchanges between the STA and the AP]

Probe request / response
Association request / response
Authentication
Data


Interactions with networks – Authentication - Open

STA → AP: Authentication request
AP authenticates the client


Interactions with networks – Authentication - Shared

STA → AP: Authentication request
AP → STA: Challenge Text
STA: encrypts the Challenge Text, then sends it to the AP
AP: decrypts and, if correct, authenticates the client


Capture file analysis

Hotspot / Open network

WEP network (Shared authentication)

WPA network


OSdep

Similar to LORCON

OS supported: Linux, *BSD, Windows

Automatic recognition of the interface / driver

Sniffing capabilities


OSdep (2)

Control interfaces
  Get and set MAC address
  Get and set Channel
  Get and set rate

Networking

Create your own DLL to interact with special drivers on windows


OSdep - Applications

Existing tools:
  Aircrack-ng 1.0
  MDK3

Sample application: www.aircrack-ng.org/wifiping.tar.gz


Questions?