War of the Airwaves
Wireless Hacks & Defenses
Richard Rushing
Chief Security Officer
AirDefense, Inc.
rrushing@airdefense.net
www.airdefense.net
Get Ready for the Untethered World!
Copyright © 2002-2007 AirDefense Proprietary and Confidential.
Wired Network Security Architecture
(diagram: a secure enterprise perimeter separates the Internet, where attackers and virus & malware originate, from the intranet with its servers and desktops; the inside threat and data theft sit within the perimeter)
Wireless Threats to Enterprise Networks
Everyone is on the Inside
(diagram: AP, laptop, desktop, server and mobile user across the Internet/intranet boundary, with a hacker, an evil twin and a municipal Wi-Fi AP outside)
1. Rogue AP connected to the network
2. Leaked wired traffic & insertion
3. Non-compliant AP
4. Neighboring AP
5. Users bypassing network security controls
6. Wi-Fi phishing (Evil Twin, municipal Wi-Fi AP)
Municipal Wi-Fi aggravates threats to enterprise networks.
Characteristics of Wireless Networks
1. Shared, uncontrolled media (air vs. wire)
 Invisible & airborne threats are hard to control compared with a wired network
2. Self-deploying & transient networks
 Simplicity of self discovery creates security challenges
 Mobile nature of wireless LAN devices and users requires in-depth forensics capability to address security breaches
3. User indifference
 Invisible connectivity & true distributed nature give a faulty sense of security
4. Easier to attack
 Lax WLAN security is the lowest hanging fruit for hackers; dozens of tools are readily available to exploit these holes
Wireless networks pose higher risks than wired networks.
Layered Approach to Security
(chart: damage plotted against attack sophistication; wired networks are protected by layered wired security tools: anti-virus, content filtering, SSL, VPN, firewalls and a secure perimeter; wireless networks show increased vulnerability for the upper layers, where the predominant attacks occur)
Wireless Attack Surface
Signal emitted from a single access point.
Just a Little Wigle
Over 11 Million Networks... With GPS…
I know all your secrets!
Security is Never About Just Good Enough
 Run your firewall for 6 minutes a day
 Turn off your IDS
 Allow all traffic through your firewall
 Leave doors unlocked
 Leave keys in the car
Wireless Data Breaches in Retail
Agenda
Introduction to Wireless Security
Wireless Risks & Attacks: Attacking the RF Medium
 Passive Listening
 Wired Network Leakage
 Injection
 Jamming
 Breaking WEP
Best Practices for Wireless Security
The AirDefense Solution
Q&A
Wireless Sniffing
Why & What Happens
 Any clear text is heard by everyone
 If you are using WEP, remember everyone has YOUR key
 Very common at hotspots
 Hashes are clear text
 Most services still authenticate in clear text, with no tunnels
 Internal/corporate servers are at higher risk due to lower security
It’s Encrypted
 Is it really encrypted??
 In some APs, “Both” is the typical security setting
 No ... to show that data is encrypted
 The #1 AP vendor: Enable WEP, MIC, and TKIP
Set the WEP level and enable TKIP and MIC:
“If you enter optional, client devices can associate to the access point with or without WEP enabled. You can enable TKIP with WEP set to optional but you cannot enable MIC. If you enter mandatory, client devices must have WEP enabled to associate to the access point. You can enable both TKIP and MIC with WEP set to mandatory.”
www.cisco.com
WEP Summary of Attacks
 23 known attacks against WEP
 WEP attacks:
 Lack of IV replay protection
 Short IV sequence space
 RC4 vulnerabilities due to WEP’s implementation
 Linear properties of CRC32 (allows bit flipping)
 Lack of keyed Message Integrity Checking (MIC)
 Use of shared keys
 Shows that implementation is VERY IMPORTANT
Breaking WEP
 2001 Un-crackable
 2003 Years
 2004 Days
 2005 Hours
 2006 Minutes
 2007 Seconds
Ultimate hacking tool for WEP: http://www.aircrack-ng.org/
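The "linear properties of CRC32" item above is the root of WEP's bit-flipping problem and the reason TKIP and CCMP introduced a keyed MIC. The following Python is an added example, not code from the deck or from AirDefense: it checks the affine property of CRC-32 over XOR, shows that a WEP-style unkeyed ICV still validates after an encrypted frame is altered by someone who never had the key, and shows that a keyed MIC (HMAC used purely as the illustration) rejects the same change. The sample plaintext, the random keystream standing in for RC4 output and the modified field are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import zlib

# Constructed sample frame body standing in for a WEP-protected packet (not from the deck).
SAMPLE_PLAINTEXT = b"GET /login?user=guest HTTP/1.0\r\nHost: intranet\r\n\r\n"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_is_linear(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine over XOR: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0^n) for equal-length inputs.
    This is the 'linear property of CRC32' the slide lists; the constant term depends only on n."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    zeros = bytes(len(a))
    return zlib.crc32(xor_bytes(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


def wep_encapsulate(plaintext: bytes, keystream: bytes) -> bytes:
    """WEP appends the CRC-32 ICV (little-endian) and XORs plaintext||ICV with the RC4 keystream.
    A random keystream stands in for RC4 output here; the ICV weakness is independent of the cipher."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return xor_bytes(plaintext + icv, keystream)


def wep_decapsulate(ciphertext: bytes, keystream: bytes):
    """Receiver side: strip the keystream, then accept the frame only if the ICV matches."""
    body = xor_bytes(ciphertext, keystream)
    plaintext, icv = body[:-4], body[-4:]
    return plaintext, zlib.crc32(plaintext).to_bytes(4, "little") == icv


def make_mask(length: int, offset: int, old: bytes, new: bytes) -> bytes:
    """XOR mask that turns `old` into `new` at `offset` and leaves every other byte alone."""
    mask = bytearray(length)
    for i, (o, n) in enumerate(zip(old, new)):
        mask[offset + i] = o ^ n
    return bytes(mask)


def icv_survives_bit_flip(plaintext: bytes, mask: bytes) -> bool:
    """Alter an encrypted frame without the key. Because crc is affine, the ICV of the changed
    plaintext equals crc(p) ^ crc(mask) ^ crc(0^n), so XORing (mask || that correction) into the
    ciphertext keeps the receiver's ICV check green. Returns True when the receiver accepted the
    altered frame and recovered exactly plaintext ^ mask, i.e. the unkeyed ICV noticed nothing."""
    if len(mask) != len(plaintext):
        raise ValueError("mask must cover the whole plaintext")
    keystream = secrets.token_bytes(len(plaintext) + 4)
    ciphertext = wep_encapsulate(plaintext, keystream)
    icv_fix = (zlib.crc32(mask) ^ zlib.crc32(bytes(len(mask)))).to_bytes(4, "little")
    tampered = xor_bytes(ciphertext, mask + icv_fix)
    recovered, accepted = wep_decapsulate(tampered, keystream)
    return accepted and recovered == xor_bytes(plaintext, mask)


def keyed_mic_detects_bit_flip(plaintext: bytes, mask: bytes) -> bool:
    """The fix TKIP/CCMP adopted: a MIC keyed with a secret shared by sender and receiver.
    HMAC-SHA256 is used here only as the illustration of a keyed MIC. Without the MIC key the
    same change cannot be given a valid tag, so the receiver rejects the frame (returns True)."""
    mic_key = secrets.token_bytes(32)
    tag = hmac.new(mic_key, plaintext, hashlib.sha256).digest()
    tampered = xor_bytes(plaintext, mask)
    return not hmac.compare_digest(hmac.new(mic_key, tampered, hashlib.sha256).digest(), tag)


if __name__ == "__main__":
    # "guest" starts at byte 16 of the constructed request line.
    mask = make_mask(len(SAMPLE_PLAINTEXT), 16, b"guest", b"admin")
    print("CRC-32 affine over XOR:        ", crc32_is_linear(SAMPLE_PLAINTEXT, mask))
    print("WEP ICV accepts altered frame:  ", icv_survives_bit_flip(SAMPLE_PLAINTEXT, mask))
    print("Keyed MIC rejects altered frame:", keyed_mic_detects_bit_flip(SAMPLE_PLAINTEXT, mask))
```

The point for a defender is the third function: integrity on a shared medium needs a check that depends on a key, which is why a WEP deployment cannot be fixed by a longer key or more IVs, only by moving to a protocol with a keyed MIC.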
WPA-PSK
 The PSK version of WPA suffers from an offline dictionary attack because of the BROADCASTING of information required to create and verify a session key.
 In WPA, the PMK (master key) is produced by running a special function on a pre-shared passphrase and an SSID. Both the host and the AP use this PMK, along with MAC addresses and nonces, in order to create the PTK (session key).
Four-way handshake (Client and Access Point both start from the same PMK):
 PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256)
 1. AP to Client: EAPOL-Key (ANonce); client derives PTK
 2. Client to AP: EAPOL-Key (SNonce, MIC, RSN IE); AP derives PTK
 3. AP to Client: EAPOL-Key (ANonce, MIC, RSN IE); client installs keys
 4. Client to AP: EAPOL-Key (SNonce, MIC); AP installs keys
 PTK = PRF-512(PMK, “Pairwise key expansion”, Min(AP_Mac, Client_Mac) || Max(AP_Mac, Client_Mac) || Min(ANonce, SNonce) || Max(ANonce, SNonce))
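As an added worked example (not the deck's or AirDefense's code), the derivation on this slide in Python: the PMK via PBKDF2-HMAC-SHA1, the PTK via the 802.11i PRF-512, and the EAPOL-Key MIC that the AP checks on handshake message 2. The passphrase/SSID pair "password"/"IEEE" is the IEEE 802.11i Annex H test vector; the MAC addresses, nonces and EAPOL body are constructed values. The last function is the AP's own verification step, which is exactly the computation a captured handshake allows a third party to repeat offline against guessed passphrases, at the cost of one 4096-iteration PBKDF2 per guess; that is the slide's point about broadcast information.

```python
import hashlib
import hmac

# IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
TEST_PASSPHRASE = "password"
TEST_SSID = "IEEE"

# Constructed handshake values (not from the deck): MAC addresses and the two 32-byte nonces.
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(0, 32))
SNONCE = bytes(range(32, 64))
# Constructed EAPOL-Key message 2 body with the MIC field already zeroed (the MIC is computed over
# the frame in that form on both ends). It carries SNonce; the remaining fields are zero filler.
EAPOL_MSG2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + bytes(8) + SNONCE + bytes(64)


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256) from the slide, i.e. PBKDF2-HMAC-SHA1
    with 4096 iterations and a 256-bit output. WPA restricts the passphrase to 8..63 ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    and truncate to nbits. PRF-512 therefore needs four HMAC-SHA1 blocks."""
    out = b""
    counter = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[: nbits // 8]


def wpa_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", Min(macs) || Max(macs) || Min(nonces) || Max(nonces)).
    The min/max ordering makes the result the same whichever side computes it."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 512)


def split_ptk(ptk: bytes) -> dict:
    """KCK (EAPOL MIC key), KEK (wraps the group key), TK (data key); the rest is TKIP MIC keys."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48], "tkip_mic": ptk[48:64]}


def eapol_mic(kck: bytes, eapol_frame: bytes, key_descriptor_version: int = 2) -> bytes:
    """EAPOL-Key MIC: HMAC-MD5 for descriptor version 1 (TKIP), HMAC-SHA1 truncated to 128 bits
    for version 2 (CCMP). Computed over the whole EAPOL frame with the MIC field zeroed."""
    if key_descriptor_version == 1:
        return hmac.new(kck, eapol_frame, hashlib.md5).digest()
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def handshake_verifies(passphrase: str, ssid: str, ap_mac: bytes, client_mac: bytes,
                       anonce: bytes, snonce: bytes, eapol_msg2: bytes, observed_mic: bytes) -> bool:
    """What the AP does with message 2: derive PMK and PTK, recompute the MIC over the frame and
    compare. Everything here except the passphrase travels in the clear."""
    ptk = wpa_ptk(wpa_pmk(passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    return hmac.compare_digest(eapol_mic(split_ptk(ptk)["kck"], eapol_msg2), observed_mic)


if __name__ == "__main__":
    pmk = wpa_pmk(TEST_PASSPHRASE, TEST_SSID)
    print("PMK:", pmk.hex())
    ptk = wpa_ptk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    mic = eapol_mic(split_ptk(ptk)["kck"], EAPOL_MSG2)
    print("message 2 MIC verifies:",
          handshake_verifies(TEST_PASSPHRASE, TEST_SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, EAPOL_MSG2, mic))
```

The length check in wpa_pmk is the practical answer to the slide's "21 characters" question: the specification allows up to 63 characters, and the only defence against the offline check above is a passphrase that no word list will reach, or moving to 802.1X where there is no shared passphrase to guess.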
WPA Tools (Easier than WEP)
 http://sourceforge.net/projects/ptcrack/
 A hybrid dictionary/brute-force passphrase search tool for PMK discovery on 802.11 networks using WPA with pre-shared keys (PSKs)
 http://www.churchofwifi.org
 coWPAtty 3.0 is designed to audit the security of pre-shared keys selected in Wi-Fi Protected Access (WPA) networks
 Rainbow-like tables: http://umbra.shmoo.com:6969/torrents/wpa_psk-h1kari_renderman.torrent
 The resulting list is ~1,000,000 words for a total of approximately 40 GB of hash tables for the top 1000 SSIDs
 AirCrack-NG: http://www.aircrack-ng.org/
 Built-in WPA cracker since version 2.3
 Cracking speed: 2006, 80 keys per second; 2007, 130 keys per second; 2007, 30,000 keys per second
 http://www.tinypeap.com/page8.html
 WPA Cracker is a brute-force password cracker; all information is entered manually
 Rogue Squadron WRT firmware: http://airsnarf.shmoo.com/rogue_squadron/index.html
 If you use a 21-character passphrase you are safe?
 How many clients and APs let you enter 31 characters?
 What happens when you reach and overlap with the SSID?
What in the Air can Kill You?
#1 Corporate Vulnerability
 Even if the data is encrypted, the services run by a MAC address can be detected
 Remember wireless is LAYER 2; it will send out all Layer 2 traffic
 VRRP, HSRP, Spanning Tree, OSPF, VTP/VLAN, CDP
 VLANs don’t help unless filtered
 Most use hashes or clear-text passwords
 Broadcast/multicast key rotation is OFF by default
 Client devices using static WEP cannot use the access point when you enable broadcast key rotation
It’s a two-way street: what goes out can also come in!
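To make the Layer 2 leakage above observable, here is an added Python example (not from the deck or from AirDefense) that classifies captured frames by the well-known multicast destination addresses of STP, CDP/VTP/DTP, HSRP, VRRP and OSPF and reports which wired device is sourcing them onto the WLAN. It assumes frames are presented in Ethernet framing, as a bridged capture or a wireless sniffer's decoded output would give them; the sample capture and its MAC addresses are constructed.

```python
import struct

# Well-known destination MAC addresses of wired control-plane protocols. An AP bridges these
# Layer 2 frames into the air even when user data is encrypted, so a wireless monitor that
# sees them is watching wired infrastructure leak.
CONTROL_PLANE_MACS = {
    "01:80:c2:00:00:00": "STP/RSTP BPDU",
    "01:00:0c:cc:cc:cc": "Cisco CDP/VTP/DTP",
    "01:00:0c:cc:cc:cd": "Cisco PVST+ BPDU",
    "01:00:5e:00:00:02": "HSRPv1 (224.0.0.2)",
    "01:00:5e:00:00:12": "VRRP (224.0.0.18)",
    "01:00:5e:00:00:05": "OSPF all routers (224.0.0.5)",
    "01:00:5e:00:00:06": "OSPF designated routers (224.0.0.6)",
}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ethernet_header(frame: bytes):
    """Split an Ethernet II / 802.3 frame into (dst, src, ethertype-or-length, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), ethertype, frame[14:]


def classify_frame(frame: bytes):
    """Return the control-plane protocol implied by the destination MAC, or None for ordinary traffic."""
    dst, _, _, _ = ethernet_header(frame)
    return CONTROL_PLANE_MACS.get(dst)


def audit_capture(frames):
    """Walk captured frames and report each wired control-plane protocol seen on the WLAN, with
    the source MAC of the switch or router leaking it. One finding per (source, protocol)."""
    seen = {}
    for frame in frames:
        proto = classify_frame(frame)
        if proto is None:
            continue
        _, src, _, _ = ethernet_header(frame)
        seen[(src, proto)] = seen.get((src, proto), 0) + 1
    return [{"src": src, "protocol": proto, "count": n} for (src, proto), n in sorted(seen.items())]


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Helper for the constructed sample capture below."""
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)


# Constructed sample capture (not a real trace): two BPDUs from one switch, a CDP frame from the
# same switch, an HSRP hello from a router and one ordinary unicast IP frame. Payloads are filler.
SWITCH_MAC = "00:1b:54:aa:bb:01"
ROUTER_MAC = "00:0c:29:12:34:56"
SAMPLE_CAPTURE = [
    build_frame("01:80:c2:00:00:00", SWITCH_MAC, 0x0026, bytes(38)),
    build_frame("01:80:c2:00:00:00", SWITCH_MAC, 0x0026, bytes(38)),
    build_frame("01:00:0c:cc:cc:cc", SWITCH_MAC, 0x0100, bytes(64)),
    build_frame("01:00:5e:00:00:02", ROUTER_MAC, 0x0800, bytes(48)),
    build_frame("00:25:9c:11:22:33", "00:16:6f:44:55:66", 0x0800, bytes(60)),
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(f"{finding['protocol']:<36} from {finding['src']}  x{finding['count']}")
```

Each finding names the device whose control-plane traffic crosses the air; the remediation on the wired side is to filter those protocols on the AP-facing switch port (BPDU guard, no CDP/VTP/DTP on the port, and keeping first-hop redundancy and routing protocols off the client VLAN) rather than relying on the VLAN alone.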
Injection of Traffic
 Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems.
 http://www.yersinia.net
 Attacks:
 Spanning Tree Protocol (STP)
 Cisco Discovery Protocol (CDP)
 Dynamic Trunking Protocol (DTP)
 Dynamic Host Configuration Protocol (DHCP)
 Hot Standby Router Protocol (HSRP)
 802.1q
 802.1x
 Inter-Switch Link Protocol (ISL)
 VLAN Trunking Protocol (VTP)
 Current exploits:
 Cisco CatOS VLAN Trunking Protocol Remote Command Execution Vulnerability
 Cisco IOS Multiple VLAN Trunking Protocol Code Execution and DoS Vulnerabilities
 Cisco Intrusion Prevention and Detection Systems DoS and Security
 Cisco Access Point Web-browser Interface Unauthorized Administrative Access and Bypass Issue
Agenda
Introduction to Wireless Security
Wireless Risks & Attacks: Attacking Clients
 Wireless Fuzzing
 Mobile Workers
 Windows Zero-Configuration
 Hotspots
 Station Impersonation
 Bridging Interfaces
 Wireless Printers
Best Practices for Wireless Security
The AirDefense Solution
Q&A
Clients
 All shapes and sizes
 Hotspots
 Wi-Fi phones
 Free access via OUI
 Many ways to attack clients
 Scan, exploit, repeat
 But why do you have to?
 Have the client come to you! YOU KNOW WHAT THEY WANT!!!!!!!
 Probe Request
 Soft AP answering the Probe Request
Attacking Wireless Clients
 Packets of death
 Plenty of them, from handheld devices to laptops
 Most are BAD packets
 Usually management or control frames
 Some are data
 WEP cracking is adding to the packets
 Fuzzing
 Most are using cut-through data rates (5.5 for beacon frames)
 Most are simple buffer overflows
 Lots of things that go BOOM
 Client software
 Authentication
 Supplicants
http://www.802.11mercenary.net/lorcon/
Client MAC Address Spoofing
(diagram: user station with a Cisco 350 card, hacker with an Orinoco Gold card, and the AP)
1. Find the MAC address of the user station: 00 02 2D 50 D1 4E (Cisco 350)
2. Change the MAC (SMAC, regedit): the hacker’s ORIGINAL MAC 00 12 2D 50 43 1E (Orinoco Gold) becomes NEW MAC 00 02 2D 50 D1 4E
3. Re-initialize the card
4. Associate to the AP
www.klcconsulting.net/smac
SMAC is a MAC address modifying utility (spoofer) for Windows 2000/XP and Server 2003 systems, regardless of whether the manufacturers allow this option or not.
MAC filtering is not enough
How Not to Attack a Client
(diagram: user station on the corporate network, intruder laptop acting as a soft AP, with a “wired thinking” attack path)
1. Laptop sends a Probe request
2. AP responds to the Probe request (intruder laptop as soft AP)
3. Naïve user associates with the AP
4. AP provides an IP address to the user
5. Scan the laptop for Windows vulnerabilities & compromise it
6. Use the user station as a launch pad
Municipal Wi-Fi increases the Evil Twin attack surface
Windows Wireless Zero Configuration
1. Wireless Auto Configuration attempts to connect to the preferred networks that appear in the list of available networks, in the preferred networks preference order.
2. If there are no successful connections, Wireless Auto Configuration attempts to connect to the preferred networks that are hidden wireless networks (no beacon SSID).
3. If there are no successful connections and there is an ad hoc network in the list of preferred networks that is available, Wireless Auto Configuration tries to connect to it.
4. If there are no successful connections, Wireless Auto Configuration configures the wireless network adapter to act as the first node in the ad hoc network.
5. If there are no successful connections to preferred networks and there are no ad hoc networks in the list of preferred networks, and if Automatically connect to non-preferred networks is enabled, then if all connection attempts to non-preferred networks fail, Wireless Auto Configuration creates a random wireless network name and places the wireless network adapter in infrastructure mode.
6. If the Windows wireless client is already connected to a wireless network but a more preferred wireless network becomes available, Wireless Auto Configuration disconnects from the currently connected wireless network and attempts to connect to the more preferred wireless network.
Wireless Phishing
 Tools such as Karma can respond to ANY client probe request
 Variety of services (POP, FTP and HTTP) to lure unsuspecting users
 No authentication of the “pervasive wireless cloud”
 Automatic network selection in Windows (Zero Configuration client) and Macs is dangerous
 Enterprises need to manage centralized policies
 Karma (http://theta44.org/karma/index.html)
 AirSnarf (http://airsnarf.shmoo.com/)
DHCP and DNS Client Attacks
 Since they take the hook, now they ask for more
 Hungry fish
 Give me an IP address
 Give them an address that could be excluded from personal firewalls: 10.X.X.X, 192.168.X.X, 172.16.X.X
 Or an IP address they are looking for
 DHCP attack
 Exploit attacks a client and creates an admin user on the device
 DHCP Broadcast Attack (MS06-036)
 http://www.milw0rm.com/sploits/07212006-MS06_036_DHCP_Client.tar.gz
 DNS attack/manipulation
 “I am DNS, I am the Internet” - Cricket Liu
 Can offer anything to you and you believe it
 Sites: banking, hotel, airlines, work (Exchange, Oracle, SQL)
Data Seepage
 Your notebook is not location-aware: office or home or hotspot
 Interfaces are active by order; the last interface is usually Wi-Fi
 Wants to always connect to something; just someone to offer you a connection
(diagram: office, home and hotspot, with the question “What am I connected to?”)
All data is the same wherever you are:
 Company name
 Servers
 Email
 Clients
 Applications
 And more…..
Agenda
Introduction to Wireless Security
Wireless Risks & Attacks: Real-World Wireless Issues
 Zero-Day Attacks
 Hotspots
Best Practices for Wireless Security
The AirDefense Solution
Q&A
Exploiting is too Easy!
 Vx.netlux.org
 MVBSWE
 Worm editors
 Virus editors
 Script editors
Do you trust your hotspot web page? Corporate guest access?
Zero Day Alerts
http://www.frsirt.com/
http://www.cert.org
http://nvd.nist.gov
FrSIRT delivers vulnerability and threat alerts, 24/7, 365 days a year, to inform organizations of new potential threats. Our services are designed to deliver notification of vulnerabilities and exploits as they are identified, providing timely, actionable information and guidance to help mitigate risks before they are exploited.
ZERO Day New Attacks
 Zero-day attacks against known services
 Zero-day attacks against IE, Firefox
 Remote exploits: I am on your system as YOU!
 New Trojans and viruses ready for injection
 Favorite exploits:
 NEW
 WMF
 Media Player
 Java exploits
www.milw0rm.com
Adding to Metasploit Framework
 Wireless enabled
 Driver-level exploits
 Point-and-click exploits
 Exploits for zero-day attacks
 Numerous payloads
 Numerous ways to take over your computer
Agenda
Introduction to Wireless Security
Wireless Risks & Attacks: Enumeration of Wireless Devices
 Password Sniffing & Cracking
 Hacking Password Hashes
 Breaking VPNs over Wireless
 Listening to VoIP Conversations
 One-way Insertion Attacks
 Zero-day Attacks
 Snarfing
Best Practices for Wireless Security
The AirDefense Solution
Q&A
Hacking Password Hashes
 Get virtually any password
 Offline & passive
 LEAP, PPTP, MS-CHAPv2, MD-5
 Search hash list to find password
 Large password list to generate hashes
 Requires 3-5 GB of space
 Rainbow tables are indexed hash lists
 Required 2-3 TB of space
 Known tables exist for up to 14 characters
 http://rainbowtables.shmoo.com/
 http://www.antsight.com/zsl/rainbowcrack/
 http://www.rainbowcrack-online.com/
Man-in-the-Middle Attack: WLAN Jack & Air-Jack Tools
Allows attacker to:
 Intercept ALL communications between the client & AP
 Pretend to be the client without disrupting the client’s session at Layer 2
Possible due to:
 Management frames’ lack of authentication / lack of AP authentication
 Step 1: Disassociation of target station from AP by spoofing the MAC of the AP and sending Disassociate & Deauth frames
 Step 2: Attacker re-associates target to malicious station and connects to AP
(diagram: AP, server, target and dual-card attacker)
Snarfing
 Hot spots
 Security question: Connecting to an untrusted network and launching the most vulnerable program you have just screams “ E X P L O I T M E “!!!!
 Fake web pages
 Steal your hotspot password
 Evil web pages
 Infect your PC with malware
 My web pages
 Steal your NT password
 1x1 pixel
 Cross site scripting
 Install Trojans
 Install spyware
 Open back doors
 Change registry
 Add user account
 Share files and such
 Oops, you just opened a web page, that’s all!!!!!
Next Generation Wireless Attacks
 802.1x state machine
 Client-initiated disconnection
 Assumes everyone plays nice
 Fuzzing attacks will expand
 Intel driver issues
 802.1x supplicant issues
 AP issues
 Exploit more EAP types
 Windows Vista
 Wireless stack rewritten
 Good news: support for many EAP types, provided for XP too
 Bad news: hacking tools ported to Windows; built-in network address spoofing; point-and-click “hacking”
 TLS is not secure in Windows
Firewall Myths
“Firewall only” approach to network security
Firewalls:
 Cannot stop rogue wireless devices
 Do not eliminate the need for wireless scanning for rogues
 Do not protect against wireless attacks
 Once a hacker is on the network they can punch through open ports
 Access Control Lists are weaker than firewalls
 Best bet is to keep hackers off the network
VPN Myths
VPN: a Layer 3 solution to a Layer 2 problem (diagram contrasts VPN with WIPS wireless security)
 Allows the hacker to get onto the open Wi-Fi network and exploit the network or clients for weaknesses
 Client cannot run on many embedded devices (e.g., wireless scanners, VoWi-Fi handsets, etc.)
 Subnet roaming is problematic
 VPN: less performance and more overhead
 Break weak encryption & authentication
 Re-authentication on weak ciphers
 Dictionary attacks on weak ciphers
 Protocol & server flaws exposed
 IKE Aggressive mode
 Pre-shared keys
 Exploiting bugs in VPN server
VLANs
 Virtual Local Area Networks
 A logical grouping of devices or users
 Users can be grouped by function, department, application, regardless of physical segment location
 VLAN configuration is done at the switch (Layer 2)
 WIRELESS is not the SAME (spoofing is EASY)
 VLAN membership
 Static VLAN assignment
 Port-based membership: membership is determined by the port on the switch and not by the host.
 Dynamic VLAN assignment
 Membership is determined by the host’s MAC address. The administrator has to create a database with MAC addresses and VLAN mappings.
Guest Networking Issues on VLANs
 Guest access to Internet via WLAN
 IP address for the WLAN client via a DHCP server that sits in the corporate network, including DNS server credentials
 Sometimes a split, but that does not help either…. as the DNS server is still in the corporate LAN…
 Issues: DHCP DoS, DNS DoS, VLAN hopping, among others
(diagram: access point with the guest WLAN SSID, DHCP server, DNS server and Internet)
 = 802.1q VLAN used for guest, “tunnelled”
 = DHCP address supplied containing DNS server information
 = DNS request from client
VLAN Hopping
 Basic VLAN hopping attack: the attacker fools the switch into thinking that he is a switch that needs trunking
 Double-encapsulated VLAN hopping attack: switches perform only one level of IEEE 802.1q decapsulation. This allows the attacker to specify a .1q tag inside the frame, allowing the frame to go to a VLAN that the outer tag did not specify.
(diagram: one access point advertising the SSIDs Corp (WPA-2), Guest (WEP only), OLD and VOIP, each mapped to its own VLAN, and a client asking “?” which VLAN it lands in)
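An added Python example (not from the deck or from AirDefense) of the double-encapsulation mechanism just described: a frame is built with a Guest outer tag and a Corp inner tag, a model switch pops exactly one tag on ingress, and a port-side check flags stacked tags or an outer tag that does not match the port's VLAN. The VLAN numbers, MAC addresses and sample frames are constructed.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # customer VLAN tag
ETHERTYPE_8021AD = 0x88A8  # service/provider tag (QinQ outer tag)
VLAN_TAG_TYPES = (ETHERTYPE_8021Q, ETHERTYPE_8021AD)

# Constructed VLAN numbers for the slide's Guest and Corp SSIDs (not from the deck).
GUEST_VLAN = 10
CORP_VLAN = 100


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, vids, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet frame carrying zero or more stacked 802.1q tags (outer first)."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        header += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)  # PCP/DEI bits left at 0
    return header + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes):
    """Return (dst, src, [vlan ids, outer to inner], payload ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    offset, vids = 12, []
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    while ethertype in VLAN_TAG_TYPES:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vids.append(tci & 0x0FFF)
        offset += 4
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    return dst, src, vids, ethertype, frame[offset + 2:]


def switch_ingress(frame: bytes) -> bytes:
    """Model of the slide's 'one level of IEEE 802.1q decapsulation': the switch pops exactly one
    tag on ingress and forwards the rest of the frame untouched, inner tag included."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype not in VLAN_TAG_TYPES:
        return frame
    return frame[:12] + frame[16:]


def vlan_hopping_indicators(frame: bytes, port_vlan: int):
    """Defender check for an access or AP-facing port configured for `port_vlan`: a frame with
    stacked tags, or whose outer tag names another VLAN, is a double-encapsulation indicator."""
    _, src, vids, _, _ = parse_tags(frame)
    reasons = []
    if len(vids) > 1:
        reasons.append(f"{src}: {len(vids)} stacked 802.1q tags {vids}")
    if vids and vids[0] != port_vlan:
        reasons.append(f"{src}: outer tag VLAN {vids[0]} differs from port VLAN {port_vlan}")
    return reasons


# Constructed sample frames (not from the deck): a normal guest broadcast and a double-tagged one.
GUEST_CLIENT = "00:16:6f:11:22:33"
PLAIN_GUEST = build_frame("ff:ff:ff:ff:ff:ff", GUEST_CLIENT, [GUEST_VLAN], 0x0806, bytes(28))
DOUBLE_TAGGED = build_frame("ff:ff:ff:ff:ff:ff", GUEST_CLIENT, [GUEST_VLAN, CORP_VLAN], 0x0806, bytes(28))

if __name__ == "__main__":
    print("tags as sent     :", parse_tags(DOUBLE_TAGGED)[2])
    print("tags after switch:", parse_tags(switch_ingress(DOUBLE_TAGGED))[2])  # inner tag survives
    for reason in vlan_hopping_indicators(DOUBLE_TAGGED, GUEST_VLAN):
        print("ALERT:", reason)
```

The second print line is the whole problem in one value: after the switch strips the Guest tag, the frame is still tagged Corp and is forwarded accordingly. The usual mitigations are to keep the native VLAN of trunks off any user-reachable VLAN and to make sure access ports discard tagged ingress frames; the check above is what a monitor on such a port would raise.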
Why VLANs do not Work for Wireless
 Making a logical network on a physical medium
 Not making a logical network on a virtual medium
 Designed around port usage
 No physical ports on wireless
Agenda
Introduction to Wireless Security
Wireless Risks & Attacks
Best Practices for Wireless Security
The AirDefense Solution
Q&A
Recommended Wireless Security Strategy
 Automatically keep all unauthorized wireless devices off the entire wired network all the time
 Accurately detect (WIDS) and automatically defend (WIPS) against the greatest number of wireless attacks possible
 Contain and control authorized wireless devices, both inside owned facilities and outside at hotspots, municipal Wi-Fi zones & home
 Continually assure strong security configurations and policies 24x7 on all authorized wireless devices
 Store and data-mine long-term, forensics-quality information for investigations and diagnosing wireless problems
 Measure and prove compliance with regulatory wireless security policies and controls
Wireless Security
 Cannot mitigate risks
 Flawed
 It’s the Internet all over
 Telnet
 FTP
 HTTP
 We still use them
 Risk vs. threats
 SHARED MEDIUM
 Easy compromise
 Remediation is key
 Monitoring is key
Summary
 Wireless is a business enabler and part of every network
 Unmonitored wireless networks make the entire network infrastructure vulnerable
 Lack of policy compliance can result in regulatory liabilities
 AirDefense offers market-leading solutions to provide visibility and control of all wireless assets, regardless of location
 AirDefense solutions are trusted by the most security-sensitive organizations in the world
 AirDefense solutions are cost-effective & provide the lowest TCO
Contact us
 Web: www.AirDefense.NET
 HQs Phone: 770-663-8115
 Demo of Laptop Products Available on www.AirDefense.NET
 Contact:
 Anthony Perridge
Vice President, International
aperridge@airdefense.net
+44 1628 509058
http://www.airdefense.net/seminars/airdefense_europe_oct_2007.pdf