Exploiting Vulnerabilities in 802.11x protocols

Trey Evans
This presentation is:
A combination of three presentations
A brief introduction to wireless hacking
Heavily Linux/UNIX based
Too short
This presentation is not:
• Comprehensive
• Enough for you to go around telling people you’re a hacker
• Entirely original. Thanks to:
– Xx25
– Abbad0n
– redsand
– #214
• Chipset
– Hermes
– Prism I, II
• III - experimental
– Proprietary, like DLINK’s X-treme G
• Drivers
– Custom – AirJack (later)
• Kernels
Monitor & Promiscuous
• Monitor (rfmon)
– Capture packets w/o associating
– Never transmit packets
– Possibility of corrupt packets
• Promiscuous
– View all packets
– Requires association (and a means to auth)
– Not supported on all cards
OSI Model (7 Layers)
• We’re concerned with bottom 3
Wireless Discovery Tools
• Windows
– NetStumbler - NDIS
• PocketStumbler
– Aerosol – Prism II, WaveLAN
• Linux
– Kismet – Any rfmon capable card
– Airsnort – Not really for discovery
– Wellenreiter – Prism II, Lucent, Cisco
NetStumbler v Kismet
(Win32 v *NIX)
NetStumbler:
• ACTIVE (bad)
• Pretty GUI
• Wide variety of supported cards
• Easy to use
• Nice graphical monitoring of signal
Kismet:
• PASSIVE (Yay!)
– Silent
– Promiscuous
– Impossible to detect
• Ugly
• Few cards support
• Confusing UI
• No need to run X
Demo Time
• First, Netstumbler
• Then, Pocketstumbler
• Reboot into Linux and demo Kismet
WEP Keys
Shared key to encrypt wireless network
Required to associate
Encrypts packets: client -> AP
WEP and WEP+ can both be cracked
– Airsnort, aircrack
– dweputils
– bsd_airtools
“Weak IVs”
• IV - 3-byte initialization vector in every WEP packet
• Some IVs contain info about a certain byte of the WEP key
• Statistically the correct key emerges when a sufficient number of IVs are collected
• Promiscuous mode only … duh
• Capture enough and run them through the program, get yourself a WEP key
The problem for the hacker
• Large number of unique weak IVs requires a large number of packets
• CREATE PACKETS! (packet injection)
– Host inside? ping –f as root to flood
• Or be mean about it and: (this code rocks, btw)
yes AAAAAAAAAAAAAAAAAAAAAA | nc -v -v -l -p 80 > /dev/null &&
yes BBBBBBBBBBBBBBBBBBBBBB | nc somerealmachine 80 > /dev/null
– ARP replay attack
• Use HostAP and aireplay
• Inject ARP requests on legitimate channel
Airsnort Demo
(won’t really work)
WPA (Wi-Fi Protected Access)
Better than WEP, but not really
Harder to crack
Easier to bring down
Send rogue network-wide deauth
All users deauthed for 60 seconds
WHAT? This is in the protocol, IT IS
• 26 lines of PERL code!!! TWENTY SIX
How WPA Works
• Uses TKIP (Temporal Key Integrity Protocol)
• Fills in holes WEP has
– Strong algorithm requires fast hardware
– Synchs changing key at each frame
– Verifies integrity after keys are generated
• Pre Shared Key (PSK)
– Simple but powerful enough for security
– Sets the initial key statically
– TKIP takes over and changes at interval
Recovery of a WPA key
• Buggy program called WZCOOK
• Recovers the Pairwise Master Key
– 256-bit value that is the result of the WPA pass phrase hashed 4096 times against the ESSID and the length of the ESSID
• No recovery of the actual pass phrase
– Brute force the only option
• Theoretically, knowing the PMK alone is enough to connect to a WPA network
– Using netcat, you could create an auth packet
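The derivation the slide describes ("hashed 4096 times against the ESSID") is PBKDF2-HMAC-SHA1 as specified in IEEE 802.11i; the following is an added example, not code from the presentation, written out in full so the iteration count is visible and cross-checked against the standard library. The only defence it illustrates is the cost side: every passphrase guess costs 4096 HMAC rounds and is tied to one SSID, which is why a long passphrase and a non-default network name matter.

```python
import hashlib
import hmac

def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 written out so the 4096 rounds on the slide are visible.

    Each 20-byte block T_i is the XOR of U_1..U_c, where
    U_1 = HMAC-SHA1(password, salt || INT(i)) and U_j = HMAC-SHA1(password, U_{j-1}).
    """
    out = b""
    for i in range(1, -(-dklen // 20) + 1):      # ceil(dklen / 20) blocks
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hashlib.sha1).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):          # the remaining 4095 rounds
            u = hmac.new(password, u, hashlib.sha1).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += bytes(t)
    return out[:dklen]

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK/PMK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    The standard's ssidLength argument is simply the length of this salt."""
    return pbkdf2_hmac_sha1(passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)

def wpa_pmk_stdlib(passphrase: str, ssid: str) -> bytes:
    """Same derivation via hashlib, used as a cross-check on the manual version."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)

if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE"
    print(wpa_pmk("password", "IEEE").hex())
    # The same passphrase on a different SSID yields an unrelated PMK, so a
    # precomputed table is only good for one network name.
    print(wpa_pmk("password", "IEEE") != wpa_pmk("password", "ieee"))
```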
WPA Demo
• Pointless
• No WPA equipment around
• Skip
Bring the whole thing down
• Using AirJack and some knowledge, the entire wireless network can be brought down
• Not exposed, kill all traffic completely
• Users already on network get no signal
• New users attempting contact see nothing
• Exploits flaw in 802.11 protocol
• Protocol based attack = no fix
• Aren’t protocols supposed to be airtight?
AirJack isn’t a program
Driver for Prism II cards
Set/Spoof MAC addy
Send custom (read: forged) management frames
User-land programs
– wlan-jack, essid-jack, monkey-jack, krackerjack (should include a driver switching script so I don’t have to do it by hand)
The AirJack Driver
• Allows for control of wireless card mode
– Selection of mode set:
• 0 & 1, 3, 5, or 6 (access point mode)
• Enables rfmon on Prism II
• Uses PF_PACKET on Linux to enable receive and transmit of raw frames
Driver Code (AirJack; the frame struct’s member list is cut off on the slide, so the two field declarations below are reconstructed from the member names the body uses)
void send_deauth (__u8 *dst, __u8 *bssid)
{
    struct {
        struct a3_80211 hdr;   /* AirJack’s three-address 802.11 header */
        __u16 reason;          /* reason code; type assumed */
    } frame;

    memset(&frame, 0, sizeof(frame));
    frame.hdr.mh_type = FC_TYPE_MGT;          /* management frame */
    frame.hdr.mh_subtype = MGT_DEAUTH;        /* subtype: deauthentication */
    memcpy(&(frame.hdr.mh_mac1), dst, 6);     /* addr1: destination */
    memcpy(&(frame.hdr.mh_mac2), bssid, 6);   /* addr2: source, spoofed as the AP */
    memcpy(&(frame.hdr.mh_mac3), bssid, 6);   /* addr3: BSSID */
    frame.reason = 1;                         /* reason 1 = unspecified */
    send(socket, &frame, sizeof(frame), 0);   /* raw socket opened elsewhere in the driver */
}
AirJack with WLAN-Jack
• De-authenticate DoS the whole network
• Knowing the MAC of the AP (use kismet)
– Continuously send deauth frames to AP
– Users can not re-associate with AP
• Knowing MAC of target user (figure it out)
– Continuously send deauth frames to user
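The slide above and the WPA slide earlier both rely on the same thing: a burst of deauthentication frames that a real AP would never send at that rate, usually to the broadcast address and with reason code 1 as in the driver code. This added example (not part of the presentation) is the detection side: a sliding-window counter over already-parsed frames, of the kind a monitor-mode sensor such as Kismet could feed it, with a constructed capture containing two benign deauths and one forged burst.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGT_DEAUTH = 0x0C    # management subtype 12
MGT_DISASSOC = 0x0A  # management subtype 10

@dataclass
class Frame:
    ts: float      # capture time, seconds
    subtype: int   # 802.11 management subtype
    src: str
    dst: str
    bssid: str
    reason: int = 0

def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Count deauth/disassoc frames per BSSID in a sliding window.

    Returns alert tuples (ts, bssid, count, broadcast): one when the count
    within `window` seconds first reaches `threshold`, then at most one per
    window. `broadcast` flags frames sent to ff:ff:ff:ff:ff:ff, which a
    legitimate AP almost never emits.
    """
    recent = defaultdict(deque)
    last_alert = {}
    alerts = []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in (MGT_DEAUTH, MGT_DISASSOC):
            continue
        q = recent[f.bssid]
        q.append(f)
        while f.ts - q[0].ts > window:   # expire frames older than the window
            q.popleft()
        if len(q) >= threshold and f.ts - last_alert.get(f.bssid, float("-inf")) > window:
            alerts.append((f.ts, f.bssid, len(q), any(x.dst == BROADCAST for x in q)))
            last_alert[f.bssid] = f.ts
    return alerts

def sample_frames():
    """Constructed capture: a beacon, two benign deauths (reason 3, minutes
    apart), then 30 forged broadcast deauths with reason 1 in half a second."""
    ap = "00:11:22:33:44:55"
    frames = [Frame(0.0, 0x08, ap, BROADCAST, ap),
              Frame(5.0, MGT_DEAUTH, ap, "aa:bb:cc:dd:ee:01", ap, reason=3),
              Frame(40.0, MGT_DEAUTH, ap, "aa:bb:cc:dd:ee:02", ap, reason=3)]
    frames += [Frame(100.0 + i * 0.016, MGT_DEAUTH, ap, BROADCAST, ap, reason=1)
               for i in range(30)]
    return frames
```

Running `detect_deauth_flood(sample_frames())` yields a single alert for the AP’s BSSID at the tenth forged frame, with the broadcast flag set; the first three frames alone produce none.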
WLAN-Jack in action (screenshot slides)
Trace of WLAN-Jack
Trace cont’d
Deauthentication Frame
Dead Connection
Using Monkey-Jack
• Simple Man in the Middle (MitM) attack
• Take over layers 1 & 2
• Places attacker between victim and legitimate AP
• Similar to using HostAP spoof, but much more advanced and effective
How Monkey-Jack Works
• Uses spoofed management frames
• Sends deauth to victim with spoofed MAC of legit AP as source of packet
• Deauths user from real AP
• Windows auto-rescans, finds fake AP
• Associates with attack machine
– Attack AP is on a different channel than the real AP
– Fake AP is duplicating MAC and ESSID of legitimate AP
• Attack machine now associates with legitimate access point
• Attack machine duplicates MAC of victim
• Once inserted, frames can be passed through transparently to the higher layers
• Many security schemes assume secure layers 1 and 2
• Wireless more vulnerable than wired
Before and After
Cisco’s LEAP
• LEAP – Lightweight Extensible Authentication Protocol
• Guarantees Cisco a market share
• Client is licensed out for use with non-Cisco equipment (i.e. my Intel 2100)
• Uses short-lived WEP keys to encrypt data, if used at all
• Helps prevent MitM attacks
• Username sent in clear text (ASCII)
• 3rd DES key is weak, five \0’s in a row
LEAP Vulnerabilities
• Cisco proprietary
• Checks wireless user against some user database. Can be:
• Keep in mind this is an authentication
Packet Crafting
• LEAP simply auths user, no encryption
– Can be used in conjunction with crypto
• LEAP w/o crypto
– Send packets in requesting information from some outside server (which we own)
– Get info back as to firewall rules
• Simplistic, but effective for finding out how the internal network works
• (Draw picture)
• Exploits the variation of MS-CHAP that LEAP uses for authentication
• Reads from any rfmon card or from a libpcap file (like from Ethereal) or AiroPeek
• Uses AirJack to deauth users, forcing them to reauth, speeds up capture of passwords
• Compares dictionary hashes to hashes captured from network
Wrap Up
Extreme Measures
• HERF gun
– High Energy Radio Frequency
– Destroys all RF within reach
– Used in military installations
– Helps satisfy TEMPEST test
• PoE
– Put too much current on the line
– Physically fry the AP
Patching your own system
Use latest firmware
Longer WEP keys
Don’t use weak pass phrases
VPN for secure information
Limit coverage of network to prevent leaks
Shy away from proprietary protocols
Security interferes with plug and play
– Tweak your out of box settings
• This presentation is at:
Or for PDF:
AirJack -domain down