Computer security 2014 –Ýmir Vigfússon Based on slides by Björn@Syndis, Roy Werber, Pascal Meunier@Purdue, material from Computer Networking: A Top Down Approach Featuring the Internet, Jim Kurose, Keith Ross, Addison-Wesley 200 802.11n Data rate (Mbps) 54 802.11a,g 5-11 802.11b 4 1 802.11a,g point-to-point data 802.16 (WiMAX (4G?)) 3G cellular enhanced UMTS/WCDMA-HSPDA, CDMA2000-1xEVDO 802.15 .384 3G UMTS/WCDMA, CDMA2000 .056 2G IS-95, CDMA, GSM NFR Indoor Outdoor 10-30m 50-200m Mid-range outdoor Long-range outdoor 200m – 4 Km 5Km – 20 Km How does wireless differ from wired settings? Base stations relay traffic between wireless and wired networks Cell towers Access points ... Infrastructure mode vs. ad-hoc No base stations network infrastructure Basic service set (BSS) A.k.a. “cell“ Internet Set of wireless hosts In infrastructure-mode, also base station In ad-hoc mode, hosts relay for each other Interesting research AP hub, switch or router BSS 1 AP questions ... BSS 2 Genesis of a wireless/WiFI network JOIN ME Beacon!!! I have powerful signal! I am called Secure! (SSID) My MAC address is 00:de:ad:be:ef:00 (BSSID) I encrypt .. or not Genesis of a wireless/WiFI network ... and a WLAN is born Afterward, may authenticate, run DHCP, etc. 2.4 GHz – 2.485 GHz divided into 11 channels Each is a band. How would you share bandwidth? Share band, Carrier Sense Multiple Access (CSMA) Instead of just dividing frequency or time slots among users, 802.11 uses Code Divison Multiple Access (CDMA) Optional: CSMA-CA: Collision Avoidance Short Req-to-Send (RTS) messages to reserve channel Base station (access point) decides „Clear-to-Send“ (CTS) A Access Point B reservation collision DATA (A) time defer Suppose you‘re in charge of designing the first wireless protocol for the masses, 802.11. How would you make it backward compatible? Application protocol Application Application TCP protocol Transport Transport Network IP protocol IP IP protocol Network Link Data Link Network Access Data Link Link Strive to replace only the lowest layer: link layer In regular networks, this is usually Ethernet Link Layer frame IP Header ETH IP TCP Link (Ethernet) Header data ETF Link (Ethernet) Trailer Let‘s try to encapsulate it with the information that we need Who we are What access point we‘re talking to Encryption? 2 2 6 6 6 frame address address address duration control 1 2 3 Address 1: MAC address of wireless host or AP to receive this frame 2 Sequence No.: needed for ARQ (ACK required) mode. 6 4 0 - 2312 address seq 4 control payload CRC Address 4: MAC address of wireless relay host (ad hoc networks only) Address 3: MAC address of router interface to which AP is attached [Serves as Ethernet destination address] Address 2: MAC address of wireless host or AP transmitting this frame [Serves as Ethernet source address] Internet R1 router H1 AP R1 MAC addr dest. address H1 MAC addr source address 802.3 (Ethernet) frame AP MAC addr address 1 1st dest (AP) H1 MAC addr address 2 source R1 MAC addr address 3 2nd dest (eth) 802.11 (WiFi) frame frame seq # (for reliable ARQ) duration of reserved transmission time (RTS/CTS) 2 2 6 6 6 frame address address address duration control 1 2 3 2 Protocol version 6 2 address seq 4 control 2 4 1 1 1 1 Type Subtype To AP From AP More frag Retry frame type (RTS, CTS, ACK, data) 4 0 - 2312 payload 1 1 Power More mgt data CRC 1 1 WEP Rsvd How would you attack this protocol? We can hinder communication (Denial-of-Service) We can hijack and modify connections We can pretend to be whoever we want (spoofing) ... Effectively no security measures been taken What can we do? First, let‘s optionally authenticate users Second, let‘s at least try to to encrypt every packet How do we do that? Unless we want an open network, we‘re going to have to share a key Later, we should have key management! How would you implement this? At the time WEP was defined, export restrictions limited cryptography, so 64-bit RC4 was used Extensions later for for 128-bit WEP What about authentication with shared key? First idea: Client sends authentication request with key Access point responds with ACCEPT if key correct Second idea: Client sends num and hash(num | key) Access point also computes hash, ACCEPTS if it likes the outcome Third idea: Client sends intention to authenticate Access point sends back a random number (nonce) x Client computes hash(x | key), sends to access point Access point sends ACCEPT if matches local hash(x | key) This is used in WEP Called 4-step challenge-response handshake Avoids disclosing the (static) key Prevents replay attack (“pass-the-hash“) Basic idea behind WEP encryption RC4: Streaming cipher algorithm Why Initialization Vector (IV)? Prevents reuse of keys Also need a checksum to avoid malicious bit flips CRC 802.11 Frame Header Payload Payload ICV 3 2 ICV computed – 32-bit CRC of payload ICV = Integrity Check Value checksum 4 x 40 Key 1 Keynumber Key 2 Key 3 Key 4 Key 40 ICV computed – 32-bit CRC of payload One of four keys selected – 40-bits IV = Initialization vector IV keynumber 24 8 ICV computed – 32-bit CRC of payload One of four keys selected – 40-bits IV selected – 24-bits, prepended to keynumber 64 IV Key Payload ICV RC4 Payload ICV ICV computed – 32-bit CRC of payload One of four keys selected – 40-bits IV selected – 24-bits, prepended to keynumber IV+key used to encrypt payload+ICV WEP Frame Header IV keynumber Payload ICV ICV computed – 32-bit CRC of payload One of four keys selected – 40-bits IV selected – 24-bits, prepended to keynumber IV+key used to encrypt payload+ICV IV+keynumber prepended to encrypted payload+ICV 4 x 40 Key 1 Keynumber Key 2 Key 3 Key 4 Keynumber is used to select key Key 40 64 IV Key Payload ICV RC4 Payload Keynumber is used to select key ICV+key used to decrypt payload+ICV Done! ICV IV (Initialization vector) is 24 bits long Recall seeds for random number generators? Only 16 million different RC4 cipher streams per key If an IV is ever reused, XOR between packets equivalent to XOR of plaintext messages C = cipher text, P = plain text: C1 C2 = (P1 IV) (P2 IV) = P1 P2 Guess one plain text message, have another How long until we expect a reused IV? Remember class about DNS birthday attacks? 23 people in a room How likely that two people share the same birthday? For 𝑚 people and 𝑛 days, the probability is about 1 − 𝑒 𝑚2 − 2𝑛 Roughly: Answer: 50.7%! Here, n = 16M, so: 50% chance of collision after only 4,823 packets! 99% chance of collision 12,430 packets If network is operating at 11Mbps, takes 3 seconds Start listening in on traffic, gradually obtaining all 16M IVs to be fully authenticated More worrying: Fluhrer, Martin, Shamir attack Passive attack against RC4 in WEP to recover RC4 key one letter at a time! Implemented in aircrack-ng Can inject data to network to speed up attack Online demo of a WEP crack using airsnort https://www.youtube.com/watch?v=_G4kOaJqMOE Remember: Do NOT use any hacking software without express permission from the owner of the network you are attacking. It was quickly realized that WEP offered lax security. WEP was decommissioned in 2004 Teams from Wi-Fi Alliance set-up to think of two solutions for Protected Access (WPA) Backward compatible: WPA-TKIP Stopgap solution for WEP that could be flashed as firmware on to existing infrastructure (i) Uses a key mixing function between IV and key (ii) Adds message integrity checks (MIC) instead of ICV of CRC32 (cryptographically insecure) Attack (2008): Inject 7 packets to a wireless client Forward thinking: WPA2 Implemented more elaborate 4-way handshake and group key handshake Supports TKIP, CCMP, etc. WPA2 Personal: Pre-shared key between people WPA2 Enterprise: Connect to a RADIUS server ▪ Tedious to set up. Also means that if your WiFi credentials are compromised, your whole account will be too. 2012: Flaw in WPS – the device configuration tool for routers that uses a PIN for fast access. ▪ Even when disabled, obtains shared key in about 7 hours Key sharing still vulnerable to handshake capture WEP, WPA-TKIP, WPA2-PSK – PSK = Pre-Shared Key Cracking the hashes depends on password strength and - can take a long time Rainbow tables accelerate the process (coWPAtty) http://www.renderlab.net/projects/WPA-tables/ Does take long(er) to crack WPA2 Enterprise / WPA-802.1x Mostly used in corporate or larger wifi environments A Radius server acts as an authentication server Uses EAP or “Extensible Authencation Protocol” which handles the actual authentcation Very few setups use EAP-TLS ▪ Considered most secure variant of EAP Most setups use EAP-PEAP or something less secure Probe Response SSID: SuperSecure ENC: WPA2-Enterprise Deauth attack 4 way handshake authentication - User name Probe Requests - Password (MSCHAPv2) Many devices send authenticating information without doing any verification of certificates. Some people even setup their devices in this way. Several phone manufacturers Even Linux distributions Need to be in range of the device to capture the encrypted password The default setting for most devices is, however, to ask the user to accept the modified certificate Built on Evil access point/hotspot idea The fact most devices connect to multiple networks The idea We know NICs continually scan and sens probe requests What if we send broadcast requests for a million SSIDs? If a device has connected before, will I get a response ? Widespread risk Applies to those that use traditional Wi-Fi networks Also applies to singular devices and non AP networks Broadcast SSIDs - Hot Spot - Guests - Free WiFi - xfinitywifi - ETC - .... (OPN, WEP, WPAPSK) Association request á SSID: gestir Confidentiality: Record authentication handshakes (WEP, WPA, WPA2) Record and log traffic remotely (leaks) Lure people to fake access points Integrity: Record packets, then replay, modify and inject them Availability: Easy to jam frequencies. Turn on the microwave oven... Accountability: Attacker can remain fully anonymous Attacker can spoof and frame others You could just as easily define a wireless network as a single device or two devices together(ad-hoc)? Is anyone out there? Is gestir there? Is Hotspot there? Please talk to me Oh yes I’m here Lets create a WLAN together And on topic Operates using Radio Frequency(RF) technology IEEE 802.11 is a set of standards for the implementation of wireless LAN networks Otherwise known as WiFi. Operates on the 2.4Ghz and 5Ghz frequency bands Supports up to 13 channels Various encryption methods implemented Various types of Frames to conduct business Frames Beacon frame ▪ An Access Point sends this frame to declare its relevant information. Such as SSID, timestamp and other information ▪ Wireless stations(NIC’s) listen to this continually and pick which one might be the best to associate with Probe request frame ▪ A station sends a frame indicating it wants to find what AP’s are within range. Or whether a specific SSID is in range(beacon frame before) Probe response frame ▪ Capability information, data rates, http://grouper.ieee.org/groups/802/11/ Frames Association request Frame ▪ A station sends an Association request which an AP can respond to Association response frame ▪ AP rejects or accepts the association request Authentication Frame ▪ A station sends an Authentcation frame which the AP either accepts or rejects Deauthentication Frame ▪ Tell a station to deauthenticate from an AP Data Frame ▪ All the data! TCP/IP headers/packets, etc. http://grouper.ieee.org/groups/802/11/ http://www.willhackforsushi.com/papers/80211_Po cket_Reference_Guide.pdf Basic security features of most wireless networks Hidden SSID MAC address filtering Encryption and user authentication WEP WPA2-PSK WPA2-Enterprise with radius server for authentication All can be broken or bypassed Absolutely not in every instance obviously but often true Wifi is pretty much everywhere Mobile devices, laptops, etc Most homes and companies have wifi We know various types of authentication/encryption schemes are used Open, WEP, WPA/2-PSK, WPA2-Enterprise (EAP,TLS) We also know wireless networks exist in the absense of AP’s! We take our devices everywhere and they broadcast..... People connect their devices to various networks.... WEP is insecure Sure, almost everyone knows that Why do we have a slide about it? ▪ Because WEP is still very common Who here uses WEP? Are you really really absolutely sure? Most larger companies and institutions don’t use WEP and neither do most tech savy people But grandparents and parents do! Who here has connected his pc/device to a WEP network? Did you connect your phone to your father in-laws WEP network? Don’t you think your pc/device remembers this? WPA/2-PSK Much more secure than WEP Prevents a number of attacks (e.g. Replay attacks) with message integrity and “per packet key. Its very easy to acquire a WPA handshake which can be cracked ▪ Quite slowly mind you Plenty of attacks available The standard today(WPA2-PSK) uses AES 256 bit encryption but stopgap software solution is still widely supported, 128 bit TKIP encryption A lot of WPA2 networks use either very weak or known keys Rainbow tables exist for multiple known SSID’s which can be used with tools like cowpatty to conduct cracking very quickly ▪ ▪ ▪ ▪ Can anyone tell me why? Rainbow tables have already done all the computational hard work and the only thing required is memory to process the tables against the handshake See http://www.renderlab.net/projects/WPA-tables/ Still only works against dumb passwords so a long none dictionary key takes forever to break Who here has ever connected his/her device to a known WPA2-PSK network? What if we know that key as well, the BSSID, etc? A lot of devices send the authentcation information without doing any verification of certificates! Some people even setup their devices in this way. Lots of phone manufacturers Even Linux distros! In those cases you only need to be in range of the device to capture the encrypted password! The default setting for most devices is however to ask the user to accept the modified certificate Built on Evil access point/hotspot idea The fact most devices connect to multiple networks The idea We know NICS continually scan and sens probe requests What if (Evil guys) send broadcast requests for a million SSID’s? If a device has connected before will I get a response ? Widespread risk Applies to those that use traditional Wifi networks Also applies to singular devices and non AP networks Broadcast SSIDs - Hot Spot - Guests - Free WiFi - xfinitywifi - ETC - .... (OPN, WEP, WPAPSK) Association request á SSID: gestir Huge potential Known examples are intel wireless drivers containing exploitable overflows how they handle broadcast responses Automating the process of discovering nonbroadcastable SSID’s aswell as automatically tryingo to break them. Lots of wireless interfaces == lots of different drivers loaded! Huge potential to do fingerprinting? Alfa AWUS USB Support up to 2 watts of transmit power External antenna connection Supports monitoring mode Supported by Kali/Backtrack Antennas Omni directional – High gain Directional Long range – over 10km have been recorded Use good equipment. It actually matters. Don‘t use poor EAP authentication for WPA2-ent Only use full client/server certificates Put your mobile devices on a limited network 1) 2) 3) 4) • 5) Don‘t give them access to internal resources without heavy restrictions. Against APOD style attacks? 1) Your are at my mercy!