Slides

advertisement
Computer security 2014 –Ýmir Vigfússon
Based on slides by Björn@Syndis, Roy Werber, Pascal Meunier@Purdue,
material from Computer Networking: A Top Down Approach Featuring the Internet,
Jim Kurose, Keith Ross, Addison-Wesley
200
802.11n
Data rate (Mbps)
54
802.11a,g
5-11
802.11b
4
1
802.11a,g point-to-point
data
802.16 (WiMAX (4G?))
3G cellular
enhanced
UMTS/WCDMA-HSPDA, CDMA2000-1xEVDO
802.15
.384
3G
UMTS/WCDMA, CDMA2000
.056
2G
IS-95, CDMA, GSM
NFR
Indoor
Outdoor
10-30m
50-200m
Mid-range
outdoor
Long-range
outdoor
200m – 4 Km
5Km – 20 Km

How does wireless differ from wired settings?

Base stations relay traffic between wireless and
wired networks
 Cell towers
 Access points
 ...

Infrastructure mode

vs. ad-hoc
 No base stations
network
infrastructure

Basic service set (BSS)
 A.k.a. “cell“
Internet
 Set of wireless hosts
 In infrastructure-mode,
also base station

In ad-hoc mode, hosts
relay for each other
 Interesting research
AP
hub, switch
or router
BSS 1
AP
questions ...
BSS 2

Genesis of a wireless/WiFI network
JOIN ME Beacon!!!
I have powerful signal!
I am called Secure! (SSID)
My MAC address is
00:de:ad:be:ef:00 (BSSID)
I encrypt .. or not

Genesis of a wireless/WiFI network

... and a WLAN is born

Afterward, may authenticate, run DHCP, etc.

2.4 GHz – 2.485 GHz divided into 11 channels
 Each is a band. How would you share bandwidth?

Share band, Carrier Sense Multiple Access (CSMA)
 Instead of just dividing frequency or time slots among
users, 802.11 uses Code Divison Multiple Access (CDMA)

Optional: CSMA-CA: Collision Avoidance
 Short Req-to-Send (RTS) messages to reserve channel
 Base station (access point) decides „Clear-to-Send“ (CTS)
A
Access Point
B
reservation collision
DATA (A)
time
defer

Suppose you‘re in charge of designing the first
wireless protocol for the masses, 802.11.
 How would you make it backward compatible?
Application protocol
Application
Application
TCP protocol
Transport
Transport
Network
IP protocol
IP
IP protocol
Network
Link
Data
Link
Network
Access
Data
Link
Link

Strive to replace only the lowest layer: link layer
 In regular networks, this is usually Ethernet
Link Layer
frame
IP Header
ETH IP TCP
Link (Ethernet)
Header

data
ETF
Link (Ethernet)
Trailer
Let‘s try to encapsulate it with the information
that we need
 Who we are
 What access point we‘re talking to
 Encryption?
2
2
6
6
6
frame
address address address
duration
control
1
2
3
Address 1: MAC address
of wireless host or AP
to receive this frame
2
Sequence No.: needed for ARQ
(ACK required) mode.
6
4
0 - 2312
address
seq
4
control
payload
CRC
Address 4: MAC address
of wireless relay host (ad hoc
networks only)
Address 3: MAC address of router interface to
which AP is attached
[Serves as Ethernet destination address]
Address 2: MAC address
of wireless host or AP
transmitting this frame
[Serves as Ethernet source address]
Internet
R1 router
H1
AP
R1 MAC addr
dest. address
H1 MAC addr
source address
802.3 (Ethernet) frame
AP MAC addr
address 1
1st dest (AP)
H1 MAC addr
address 2
source
R1 MAC addr
address 3
2nd dest (eth)
802.11 (WiFi) frame
frame seq #
(for reliable ARQ)
duration of reserved
transmission time (RTS/CTS)
2
2
6
6
6
frame
address address address
duration
control
1
2
3
2
Protocol
version
6
2
address
seq
4
control
2
4
1
1
1
1
Type
Subtype
To
AP
From
AP
More
frag
Retry
frame type
(RTS, CTS, ACK, data)
4
0 - 2312
payload
1
1
Power More
mgt
data
CRC
1
1
WEP
Rsvd

How would you attack this protocol?
 We can hinder communication (Denial-of-Service)
 We can hijack and modify connections
 We can pretend to be whoever we want (spoofing)
 ...

Effectively no security measures been taken

What can we do?

First, let‘s optionally authenticate users

Second, let‘s at least try to to encrypt every packet
 How do we do that?

Unless we want an open network, we‘re going to
have to share a key
 Later, we should have key management!
 How would you implement this?

At the time WEP was defined, export restrictions
limited cryptography, so 64-bit RC4 was used
 Extensions later for for 128-bit WEP

What about authentication with shared key?

First idea:
 Client sends authentication request with key
 Access point responds with ACCEPT if key correct

Second idea:
 Client sends num and hash(num | key)
 Access point also computes hash, ACCEPTS if
it likes the outcome

Third idea:
 Client sends intention to authenticate
 Access point sends back a random number (nonce) x
 Client computes hash(x | key), sends to access point
 Access point sends ACCEPT if matches local hash(x | key)

This is used in WEP

Called 4-step challenge-response handshake
 Avoids disclosing the (static) key
 Prevents replay attack (“pass-the-hash“)

Basic idea behind WEP encryption
 RC4: Streaming cipher algorithm

Why Initialization Vector (IV)?
 Prevents reuse of keys

Also need a checksum to avoid malicious bit flips
CRC
802.11 Frame
Header
Payload
Payload
ICV
3
2

ICV computed – 32-bit CRC of payload
ICV = Integrity Check Value checksum
4 x 40
Key 1
Keynumber
Key 2
Key 3
Key 4


Key
40
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits
IV = Initialization vector
IV
keynumber
24



8
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits
IV selected – 24-bits, prepended to keynumber
64
IV
Key
Payload




ICV
RC4
Payload
ICV
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits
IV selected – 24-bits, prepended to keynumber
IV+key used to encrypt payload+ICV
WEP Frame
Header





IV
keynumber
Payload
ICV
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits
IV selected – 24-bits, prepended to keynumber
IV+key used to encrypt payload+ICV
IV+keynumber prepended to encrypted
payload+ICV
4 x 40
Key 1
Keynumber
Key 2
Key 3
Key 4

Keynumber is used to select key
Key
40
64
IV
Key
Payload
ICV
RC4
Payload

Keynumber is used to select key

ICV+key used to decrypt payload+ICV

Done!
ICV

IV (Initialization vector) is 24 bits long
 Recall seeds for random number generators?
 Only 16 million different RC4 cipher streams per key

If an IV is ever reused, XOR between packets
equivalent to XOR of plaintext messages
 C = cipher text, P = plain text:
 C1  C2 = (P1  IV)  (P2  IV) = P1  P2
 Guess one plain text message, have another

How long until we expect a reused IV?
 Remember class about DNS birthday attacks?


23 people in a room
How likely that two people
share the same birthday?
For 𝑚 people and 𝑛 days, the
probability is about 1 − 𝑒
𝑚2
−
2𝑛
Roughly:
Answer: 50.7%!

Here, n = 16M, so:
 50% chance of collision after only 4,823 packets!
 99% chance of collision 12,430 packets
 If network is operating at 11Mbps, takes 3 seconds

Start listening in on traffic, gradually obtaining all
16M IVs to be fully authenticated

More worrying: Fluhrer, Martin, Shamir attack
 Passive attack against RC4 in WEP to recover RC4 key
one letter at a time! Implemented in aircrack-ng
 Can inject data to network to speed up attack

Online demo of a WEP crack using airsnort

https://www.youtube.com/watch?v=_G4kOaJqMOE

Remember: Do NOT use any hacking software
without express permission from the owner of the
network you are attacking.

It was quickly realized that WEP offered lax security.
 WEP was decommissioned in 2004

Teams from Wi-Fi Alliance set-up to think of two
solutions for Protected Access (WPA)

Backward compatible: WPA-TKIP
 Stopgap solution for WEP that could be flashed as firmware on
to existing infrastructure
 (i) Uses a key mixing function between IV and key
 (ii) Adds message integrity checks (MIC) instead of ICV of
CRC32 (cryptographically insecure)
 Attack (2008): Inject 7 packets to a wireless client

Forward thinking: WPA2
 Implemented more elaborate 4-way handshake and
group key handshake
 Supports TKIP, CCMP, etc.
 WPA2 Personal: Pre-shared key between people
 WPA2 Enterprise: Connect to a RADIUS server
▪ Tedious to set up. Also means that if your WiFi credentials are
compromised, your whole account will be too.
 2012: Flaw in WPS – the device configuration tool for
routers that uses a PIN for fast access.
▪ Even when disabled, obtains shared key in about 7 hours

Key sharing still vulnerable to handshake capture
 WEP, WPA-TKIP, WPA2-PSK – PSK = Pre-Shared Key
 Cracking the hashes depends on password strength and -
can take a long time
 Rainbow tables accelerate the process (coWPAtty)
 http://www.renderlab.net/projects/WPA-tables/

Does take long(er) to crack

WPA2 Enterprise / WPA-802.1x
 Mostly used in corporate or larger wifi environments
 A Radius server acts as an authentication server
 Uses EAP or “Extensible Authencation Protocol”
which handles the actual authentcation
 Very few setups use EAP-TLS
▪ Considered most secure variant of EAP
 Most setups use EAP-PEAP or something less secure
Probe Response
SSID: SuperSecure
ENC: WPA2-Enterprise
Deauth attack
4 way handshake
authentication
- User name
Probe Requests
-
Password (MSCHAPv2)

Many devices send authenticating information
without doing any verification of certificates.

Some people even setup their devices in this way.
 Several phone manufacturers
 Even Linux distributions

Need to be in range of the device to capture the
encrypted password

The default setting for most devices is, however,
to ask the user to accept the modified certificate

Built on
 Evil access point/hotspot idea
 The fact most devices connect to multiple networks

The idea
 We know NICs continually scan and sens probe requests
 What if we send broadcast requests for a million SSIDs?
 If a device has connected before, will I get a response ?

Widespread risk
 Applies to those that use traditional Wi-Fi networks
 Also applies to singular devices and non AP networks
Broadcast SSIDs
- Hot Spot
- Guests
- Free WiFi
- xfinitywifi
- ETC
- ....
(OPN, WEP, WPAPSK)
Association
request á SSID:
gestir

Confidentiality:
 Record authentication handshakes (WEP, WPA, WPA2)
 Record and log traffic remotely (leaks)
 Lure people to fake access points

Integrity:
 Record packets, then replay, modify and inject them

Availability:
 Easy to jam frequencies. Turn on the microwave oven...

Accountability:
 Attacker can remain fully anonymous
 Attacker can spoof and frame others

You could just as easily define a wireless network
as a single device or two devices together(ad-hoc)?
Is anyone out there?
Is gestir there?
Is Hotspot there?
Please talk to me
Oh yes I’m here
Lets create a WLAN
together

And on topic


Operates using Radio Frequency(RF) technology
IEEE 802.11 is a set of standards for the
implementation of wireless LAN networks
 Otherwise known as WiFi.

Operates on the 2.4Ghz and 5Ghz frequency bands

Supports up to 13 channels

Various encryption methods implemented

Various types of Frames to conduct business

Frames
 Beacon frame
▪ An Access Point sends this frame to declare its relevant
information. Such as SSID, timestamp and other information
▪ Wireless stations(NIC’s) listen to this continually and pick which
one might be the best to associate with
 Probe request frame
▪ A station sends a frame indicating it wants to find what AP’s are
within range. Or whether a specific SSID is in range(beacon frame
before)
 Probe response frame
▪ Capability information, data rates,
http://grouper.ieee.org/groups/802/11/

Frames
 Association request Frame
▪ A station sends an Association request which an AP can
respond to
 Association response frame
▪ AP rejects or accepts the association request
 Authentication Frame
▪ A station sends an Authentcation frame which the AP either
accepts or rejects
 Deauthentication Frame
▪ Tell a station to deauthenticate from an AP
 Data Frame
▪ All the data! TCP/IP headers/packets, etc.
http://grouper.ieee.org/groups/802/11/

http://www.willhackforsushi.com/papers/80211_Po
cket_Reference_Guide.pdf




Basic security features of most wireless networks
Hidden SSID
MAC address filtering
Encryption and user authentication
 WEP
 WPA2-PSK
 WPA2-Enterprise with radius server for authentication

All can be broken or bypassed
 Absolutely not in every instance obviously but often true

Wifi is pretty much everywhere
 Mobile devices, laptops, etc
 Most homes and companies have wifi

We know various types of
authentication/encryption schemes are used
 Open, WEP, WPA/2-PSK, WPA2-Enterprise (EAP,TLS)

We also know wireless networks exist in the
absense of AP’s!

We take our devices everywhere and they broadcast.....

People connect their devices to various networks....

WEP is insecure
 Sure, almost everyone knows that
 Why do we have a slide about it?
▪ Because WEP is still very common

Who here uses WEP?
 Are you really really absolutely sure?





Most larger companies and institutions don’t use
WEP and neither do most tech savy people
But grandparents and parents do!
Who here has connected his pc/device to a WEP
network?
Did you connect your phone to your father in-laws
WEP network?
Don’t you think your pc/device remembers this?

WPA/2-PSK



Much more secure than WEP
Prevents a number of attacks (e.g. Replay attacks) with message integrity
and “per packet key.
Its very easy to acquire a WPA handshake which can be cracked
▪

Quite slowly mind you
Plenty of attacks available



The standard today(WPA2-PSK) uses AES 256 bit encryption but stopgap
software solution is still widely supported, 128 bit TKIP encryption
A lot of WPA2 networks use either very weak or known keys
Rainbow tables exist for multiple known SSID’s which can be used with tools
like cowpatty to conduct cracking very quickly
▪
▪
▪
▪
Can anyone tell me why?
Rainbow tables have already done all the computational hard work and the only thing
required is memory to process the tables against the handshake
See http://www.renderlab.net/projects/WPA-tables/
Still only works against dumb passwords so a long none dictionary key takes forever
to break
Who here has ever connected his/her device to a known WPA2-PSK network?
What if we know that key as well, the BSSID, etc?

A lot of devices send the authentcation information
without doing any verification of certificates!

Some people even setup their devices in this way.
 Lots of phone manufacturers
 Even Linux distros!

In those cases you only need to be in range of the
device to capture the encrypted password!

The default setting for most devices is however to ask
the user to accept the modified certificate

Built on
 Evil access point/hotspot idea
 The fact most devices connect to multiple networks

The idea
 We know NICS continually scan and sens probe requests
 What if (Evil guys) send broadcast requests for a million SSID’s?
 If a device has connected before will I get a response ?

Widespread risk
 Applies to those that use traditional Wifi networks
 Also applies to singular devices and non AP
 networks
Broadcast SSIDs
- Hot Spot
- Guests
- Free WiFi
- xfinitywifi
- ETC
- ....
(OPN, WEP, WPAPSK)
Association
request á SSID:
gestir

Huge potential
 Known examples are intel wireless drivers containing
exploitable overflows how they handle broadcast
responses

Automating the process of discovering nonbroadcastable SSID’s aswell as automatically
tryingo to break them.
Lots of wireless interfaces == lots of different
drivers loaded!
 Huge potential to do fingerprinting?


Alfa AWUS USB
 Support up to 2 watts of transmit power
 External antenna connection
 Supports monitoring mode
 Supported by Kali/Backtrack

Antennas
 Omni directional – High gain
 Directional
 Long range – over 10km have been recorded
Use good equipment. It actually matters.
Don‘t use poor EAP authentication for WPA2-ent
Only use full client/server certificates
Put your mobile devices on a limited network
1)
2)
3)
4)
•
5)
Don‘t give them access to internal resources without
heavy restrictions.
Against APOD style attacks?
1) Your are at my mercy!
Download