Exploiting Vulnerabilities in 802.11x Protocols
Trey Evans
www.bestican.net

This presentation is:
• A combination of three presentations
• A brief introduction to wireless hacking
• Heavily Linux/UNIX based
• Too short

This presentation is not:
• Comprehensive
• Enough for you to go around telling people you're a hacker
• Entirely original. Thanks to:
  – Xx25
  – Abbad0n
  – redsand
  – #214

<primer>

Concepts
• Chipset
  – Hermes
  – Prism I, II
    • III - experimental
  – Proprietary, like DLINK's X-treme G
• Drivers
  – Custom
  – AirJack (later)
  – OEM
• Kernels

Monitor & Promiscuous
• Monitor (rfmon)
  – Capture packets w/o associating
  – Never transmit packets
  – Possibility of corrupt packets
• Promiscuous
  – View all packets
  – Requires association (and a means to auth)
  – Not supported on all cards

OSI Model (7 Layers)
• We're concerned with the bottom 3

</primer>

Discovery

Wireless Discovery Tools
• Windows
  – NetStumbler - NDIS
    • PocketStumbler
  – Aerosol - Prism II, WaveLAN
• Linux
  – Kismet - Any rfmon capable card
  – Airsnort - Not really for discovery
  – Wellenreiter - Prism II, Lucent, Cisco

NetStumbler v Kismet (Win32 v *NIX)
• NetStumbler
  – ACTIVE (bad)
  – Pretty GUI
  – Wide variety of supported cards
  – Easy to use
  – Nice graphical monitoring of signal strength
• Kismet
  – PASSIVE (Yay!)
    • Silent
    • Promiscuous
    • Impossible to detect
  – Ugly
  – Few cards support rfmon
  – Confusing UI
  – No need to run X

Demo Time
• First, NetStumbler
• Then, PocketStumbler
• Reboot into Linux and demo Kismet

WEP

WEP Keys
• Shared key to encrypt wireless network
• Required to associate
• Encrypts packets: client -> AP
• WEP and WEP+ can both be cracked
• Tools
  – Airsnort, aircrack
  – dweputils
  – bsd_airtools

"Weak IVs"
• IV - 3-byte initialization vector in every WEP packet
• Some IVs contain info about a certain byte of the WEP key
• Statistically the correct key emerges when a sufficient number of IVs are collected
• Promiscuous mode only … duh
• Capture enough and run them through the program, get yourself a WEP key

The problem for the hacker
• Large number of unique weak IVs requires a large number of packets
• CREATE PACKETS! (packet injection)
  – Host inside? ping -f as root to flood
  – Or be mean about it and: (this code rocks, btw)

      yes AAAAAAAAAAAAAAAAAAAAAA | nc -v -v -l -p 80 > /dev/null && yes BBBBBBBBBBBBBBBBBBBBBB | nc somerealmachine 80 > /dev/null

  – ARP replay attack
    • Use HostAP and aireplay
    • Inject ARP requests on legitimate channel

Airsnort Demo (won't really work)

WPA

WPA
• (Wifi Protected Access)
• Better than WEP, but not really
• Harder to crack
• Easier to bring down
• Send rogue network-wide deauth
• All users deauthed for 60 seconds
• WHAT? This is in the protocol, IT IS MEANT TO BE THERE!
• 26 lines of PERL code!!!
TWENTY SIX

How WPA Works
• Uses TKIP (Temporal Key Integrity Protocol)
• Fills in holes WEP has
  – Strong algorithm requires fast hardware
  – Syncs changing key at each frame
  – Verifies integrity after keys are generated
• Pre Shared Key (PSK)
  – Simple but powerful enough for security
  – Sets the initial key statically
  – TKIP takes over and changes at interval

Recovery of a WPA key
• Buggy program called WZCOOK
• Recovers the Pairwise Master Key
  – 256-bit value that is the result of the WPA pass phrase hashed 4096 times against the ESSID and the length of the ESSID
• No recovery of the actual pass phrase
  – Brute force the only option
• Theoretically, knowing the PMK alone is enough to connect to a WPA network
  – Using netcat, you could create an auth packet

WPA Demo
• Pointless
• No WPA equipment around
• Skip

AirJack

Bring the whole thing down
• Using AirJack and some knowledge, the entire wireless network can be compromised
• Not exposed, kill all traffic completely
• Users already on network get no signal
• New users attempting contact see nothing
• Exploits flaw in 802.11 protocol
• Protocol based attack = no fix
• Aren't protocols supposed to be airtight?
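Returning to the "Recovery of a WPA key" slide above: the "hashed 4096 times against the ESSID" step is PBKDF2-HMAC-SHA1 with the SSID as salt, as defined by IEEE 802.11i. This added example (mine, not from the deck or from WZCOOK) writes the iteration loop out so the cost of a single passphrase guess is visible; it assumes nothing beyond the Python standard library, and the "password"/"IEEE" pair is the standard's published test vector.

```python
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i for WPA/WPA2-Personal
PMK_LEN = 32              # 256-bit Pairwise Master Key

def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 2898) written out so the 'hashed 4096 times' loop is visible.

    Each 20-byte output block is U1 xor U2 xor ... xor Uc, where
    U1 = HMAC(password, salt || INT(block)) and Uj = HMAC(password, U(j-1)).
    """
    derived = b""
    block = 1
    while len(derived) < dklen:
        u = hmac.new(password, salt + block.to_bytes(4, "big"), hashlib.sha1).digest()
        acc = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            acc ^= int.from_bytes(u, "big")
        derived += acc.to_bytes(20, "big")
        block += 1
    return derived[:dklen]

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096, 256 bits).

    The SSID is the salt, so the same passphrase yields a different PMK on every
    network name; a recovered PMK is only useful against that one ESSID.
    """
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA-PSK passphrase must be 8 to 63 ASCII characters")
    return pbkdf2_hmac_sha1(passphrase.encode("ascii"), ssid.encode("utf-8"),
                            PBKDF2_ITERATIONS, PMK_LEN)

def hmac_calls_per_guess(dklen: int = PMK_LEN, iterations: int = PBKDF2_ITERATIONS) -> int:
    """HMAC-SHA1 invocations spent on one passphrase guess: 32 bytes need two
    20-byte blocks, so 2 * 4096 = 8192. This is the only thing standing between
    a weak pass phrase and the 'brute force' bullet above."""
    blocks = -(-dklen // 20)  # ceiling division
    return blocks * iterations

if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    print(hmac_calls_per_guess())
```

The iteration count is fixed by the standard and cannot be raised, which is why the "Don't use weak pass phrases" bullet in the wrap-up is the actual control.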
AirJack isn't a program
• Driver for Prism II cards
• Set/Spoof MAC addy
• Send custom (read: forged) management frames
• User-land programs
  – wlan-jack, essid-jack, monkey-jack, krackerjack (should include a driver switching script so I don't have to do it by hand)

The AirJack Driver
• Allows for control of wireless card mode
  – Selection of mode set:
    • 0 & 1, 3, 5, or 6 (access point mode)
• Enables rfmon on Prism II
• Uses PF_PACKET on Linux to enable receive and transmit of raw frames

Driver Code

    void send_deauth (__u8 *dst, __u8 *bssid)
    {
        struct {
            struct a3_80211 hdr;   /* three-address 802.11 header */
            __u16 reason;          /* deauthentication reason code */
        } frame;

        memset(&frame, 0, sizeof(frame));
        frame.hdr.mh_type = FC_TYPE_MGT;       /* management frame */
        frame.hdr.mh_subtype = MGT_DEAUTH;     /* subtype: deauthentication */
        memcpy(&(frame.hdr.mh_mac1), dst, 6);   /* addr1: destination station */
        memcpy(&(frame.hdr.mh_mac2), bssid, 6); /* addr2: source, set to the AP's address */
        memcpy(&(frame.hdr.mh_mac3), bssid, 6); /* addr3: BSSID */
        frame.reason = 1;                       /* reason 1 = unspecified */
        send(socket, &frame, sizeof(frame), 0);
    }

AirJack with WLAN-Jack
• De-authenticate DoS the whole network
• Knowing the MAC of the AP (use Kismet)
  – Continuously send deauth frames to AP
  – Users can not re-associate with AP
• Knowing MAC of target user (figure it out)
  – Continuously send deauth frames to user

WLAN-Jack in action

Trace of WLAN-Jack

Trace cont'd

Deauthentication Frame
• YAY! IT WORKED!
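The deauthentication flood shown in the WLAN-Jack slides is loud on the air: a legitimate network sees a deauth frame only when a single station leaves, while the attack sends many per second, usually to the broadcast address with the AP's address spoofed as the source. The following detector is an added example (my code, not part of the deck or of AirJack); it assumes management frames have already been parsed into (timestamp, subtype, src, dst, bssid, reason) tuples by a monitor-mode capture such as Kismet, and the frame log below is constructed, not a real capture.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:11:22:33:44:55"          # constructed BSSID under attack in the sample
OTHER_AP = "66:77:88:99:aa:bb"    # second constructed BSSID that behaves normally

# Constructed management-frame log (not a real capture):
# (seconds, subtype, src, dst, bssid, reason_code)
SAMPLE_FRAMES = [
    (0.0, "beacon", AP, BROADCAST, AP, None),
    (1.0, "deauth", AP, "aa:bb:cc:dd:ee:01", AP, 3),             # one station leaving: normal
    (15.0, "deauth", OTHER_AP, "aa:bb:cc:dd:ee:02", OTHER_AP, 3),
    (20.0, "beacon", OTHER_AP, BROADCAST, OTHER_AP, None),
]
# WLAN-Jack style burst: deauth to broadcast, source spoofed as the AP, reason 1, 10 per second
SAMPLE_FRAMES += [(round(30.0 + i / 10, 1), "deauth", AP, BROADCAST, AP, 1) for i in range(10)]

def detect_deauth_floods(frames, window=1.0, threshold=5):
    """Flag a BSSID when more than `threshold` deauth frames fall inside any
    `window`-second span. Returns one alert per BSSID summarising the burst.

    Stations leave one at a time, so more than a handful of deauths per second,
    or any deauth addressed to the broadcast MAC, is worth an alert.
    """
    recent = defaultdict(deque)   # bssid -> deque of (ts, dst, reason) inside the window
    alerts = {}
    for ts, subtype, _src, dst, bssid, reason in sorted(frames, key=lambda f: f[0]):
        if subtype != "deauth":
            continue
        q = recent[bssid]
        q.append((ts, dst, reason))
        while ts - q[0][0] > window:      # slide the window forward
            q.popleft()
        if len(q) > threshold:
            a = alerts.setdefault(bssid, {"bssid": bssid, "first_seen": q[0][0],
                                          "frames": 0, "broadcast": False, "reasons": set()})
            a["last_seen"] = ts
            a["frames"] = max(a["frames"], len(q))
            a["broadcast"] |= any(d == BROADCAST for _, d, _ in q)
            a["reasons"].update(r for _, _, r in q)
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_deauth_floods(SAMPLE_FRAMES):
        print(alert)
```

The protocol-level fix the deck says does not exist arrived later as 802.11w management frame protection, which authenticates deauth frames so a forged one is discarded; until it is enabled on both AP and clients, rate-based detection like this is what a wireless IDS has.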
Dead Connection

Using Monkey-Jack
• Simple Man in the Middle (MitM) attack
• Take over layers 1 & 2
• Places attacker between victim and legitimate AP
• Similar to using HostAP spoof, but much more advanced and effective

How Monkey-Jack Works
• Uses spoofed management frames
• Sends deauth to victim with spoofed MAC of legit AP as source of packet
• Deauths user from real AP
• Windows auto-rescans, finds fake AP
• Associates with attack machine
  – Attack AP is on different channel than real AP
  – Fake AP is duplicating MAC and ESSID of legitimate AP

Cont'd
• Attack machine now associates with legitimate access point
• Attack machine duplicates MAC of victim
• Now that it is inserted, we can pass frames through transparently to higher level protocols
• Many security schemes assume secure layers 1 and 2
• Wireless more vulnerable than wired

Before and After
(Before / After diagrams)

LEAP

Cisco's LEAP
• LEAP - Lightweight Extensible Authentication Protocol
• Guarantees Cisco a market share
• Client is licensed out for use with non-Cisco equipment (i.e. my Intel 2100)
• Uses short lived WEP keys to encrypt data, if used at all
• Helps prevent MitM attacks
• Username sent in clear text (ASCII)
• 3rd DES key is weak, five \0's in a row

LEAP Vulnerabilities
• Cisco proprietary
• Checks wireless user against some user database. Can be:
  – RADIUS
  – LDAP
  – SQL
• Keep in mind this is an authentication protocol

Packet Crafting
• LEAP simply auths user, no encryption
  – Can be used in conjunction with crypto
• LEAP w/o crypto
  – Send packets in requesting information from some outside server (which we own)
  – Get info back as to firewall rules
• Simplistic, but effective for finding out how the internal network works
• (Draw picture)

asleap
• Exploits the variation of MS-CHAP that LEAP uses for authentication
• Reads from any rfmon card or from a libpcap file (like from Ethereal) or Airopeek
• Uses AirJack to deauth users, forcing them to reauth, speeds up capture of PWs
• Compares dictionary hashes to hashes captured from network

Wrap Up

Extreme Measures
• HERF - High Energy Radio Frequency
• HERF gun
  – Destroys all RF within reach
  – Used in military installations
  – Helps satisfy TEMPEST test
• PoE
  – Put too much current on line
  – Physically fry AP

Patching your own system
• Use latest firmware
• Longer WEP keys
• Don't use weak pass phrases
• VPN for secure information
• Limit coverage of network to prevent leaks
• Shy away from proprietary protocols
• Security interferes with plug and play
  – Tweak your out of box settings

Links
• Stumbler
• Aerosol
• Kismet
• Wellenreiter
• Airsnort
• asleap
• AirJack - domain down
• This presentation is at: bestican.net/wifi/
  Or for PDF: bestican.net/wifi/pres.pdf

Thanks.
-Trey
trey@bestican.net

Questions