
War of the Airwaves
Wireless Hacks & Defenses

Richard Rushing
Chief Security Officer
AirDefense, Inc.
rrushing@airdefense.net
www.airdefense.net


Copyright © 2002-2007 AirDefense Proprietary and Confidential.

Get Ready for the Untethered World!


Wired Network Security Architecture

[Diagram: a secure enterprise perimeter between the Internet and the intranet (desktop, server). Threats shown: virus & malware, attackers, data theft, inside threat.]


Wireless Threats Enterprise Networks

[Diagram: hacker, Internet, intranet, municipal Wi-Fi, Muni Wi-Fi AP evil twin, AP, desktop, laptop, server and mobile user, with six numbered threats.]
1 Rogue AP Connected to Network
2 Leaked Wired Traffic & Insertion
3 Non-Compliant AP
4 Neighboring AP
5 Users Bypassing Network Security Controls
6 Wi-Fi Phishing

Municipal Wi-Fi aggravates Threats to Enterprise Networks

Everyone is on the Inside


Characteristics of Wireless Networks

1 Shared, Uncontrolled Media
  Invisible & Airborne Threats are hard to control vs. Wired Network
2 Self-Deploying & Transient Networks
  Simplicity of Self Discovery Create Security Challenges
  Mobile Nature of Wireless LAN Devices and Users Require In-depth Forensics capability to Address Security Breaches
3 User Indifference
  Invisible Connectivity & True Distributed Nature Gives a Faulty Sense of Security
4 Easier to Attack
  Lax WLAN Security is the Lowest Hanging Fruit for Hackers.
  Dozens of Tools Readily Available to Exploit these Holes

Wireless Networks Pose Higher Risks than Wired Networks


Layered Approach to Security

[Chart: Attack Sophistication and Damage for Wired Networks versus Wireless Networks. Labels: Wired Security Tools (SSL VPN, Firewalls, Anti Virus, Content Filtering, Secure Perimeter); AirDefense; Predominant Attacks; Increased Vulnerability For Upper Layers.]


Wireless Attack Surface


Signal emitted from a single access point.


Just a Little Wigle

Over 11 Million Networks... With GPS…

I know all your secrets!


Security is Never ABOUT JUST GOOD ENOUGH

Run your firewall for 6 minutes a day
Turn off your IDS
Allow All Traffic through your firewall
Leave Doors Unlocked
Leave Keys in the Car


Wireless Data Breaches in Retail


Agenda

Wireless Risks & Attacks

Best Practices for Wireless Security

The AirDefense Solution

Introduction to Wireless Security

Q&A

Attacking the RF Medium
  Passive Listening
  Wired Network Leakage
  Injection
  Jamming
  Breaking WEP


Wireless Sniffing

Why & What Happens
  Any clear-text is heard by everyone
  If you are using WEP, remember everyone has YOUR key
  Very common at hotspots
  Hashes are clear-text
  Most services still authenticate over clear-text, with no tunnels
  Internal/Corporate servers are at higher risk due to lower security


It’s Encrypted

Is it really encrypted??
  In some APs, “Both” is typical security
  No to show that data is encrypted
The #1 AP Vendor
  Enable WEP, MIC, and TKIP
  Set the WEP level and enable TKIP and MIC
  “If you enter optional, client devices can associate to the access point with or without WEP enabled. You can enable TKIP with WEP set to optional but you cannot enable MIC. If you enter mandatory, client devices must have WEP enabled to associate to the access point. You can enable both TKIP and MIC with WEP set to mandatory.”
  www.cisco.com


WEP Summary of Attacks

23 Known Attacks against WEP
WEP Attacks
  Lack of IV replay protection
  Short IV sequence space
  RC4 vulnerabilities due to WEP’s implementation
  Linear properties of CRC32 (allows bit flipping)
  Lack of keyed Message Integrity Checking (MIC)
  Use of shared keys
Shows that Implementation is VERY IMPORTANT
Ultimate Hacking tool for WEP
  http://www.aircrack-ng.org/
Breaking WEP
  2001 Un-crackable
  2003 Years
  2004 Days
  2005 Hours
  2006 Minutes
  2007 Seconds


WPA-PSK

The PSK version of WPA suffers from an offline dictionary attack because of the BROADCASTING of information required to create and verify a session key.

In WPA, the PMK (master key) is produced by running a special function on a pre-shared pass phrase and an SSID. Both the host and the AP use this PMK, along with MAC addresses and nonces, in order to create the PTK (session key).

PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256)

PTK = PRF-512(PMK, “Pairwise key expansion”, Min(AP_Mac, Client_Mac) || Max(AP_Mac, Client_Mac) || Min(ANonce, SNonce) || Max(ANonce, SNonce))

[Diagram: four-way handshake between Client and Access Point, both holding the PMK]
  1. AP to Client: EAPOL-Key (ANonce); the client generates SNonce and derives the PTK
  2. Client to AP: EAPOL-Key (SNonce, MIC, RSN IE); the AP derives the PTK
  3. AP to Client: EAPOL-Key (ANonce, MIC, RSN IE); Install Keys
  4. Client to AP: EAPOL-Key (SNonce, MIC); Install Keys


WPA Tools (Easier than WEP)

http://sourceforge.net/projects/ptcrack/
  A hybrid dictionary/brute passphrase search tool for PMK discovery on 802.11 networks using WPA with preshared keys (PSKs)
http://www.churchofwifi.org
  coWPAtty 3.0 is designed to audit the security of pre-shared keys selected in WiFi Protected Access (WPA) networks (http://www.churchofwifi.org)
  Rainbow-Like Tables
    http://umbra.shmoo.com:6969/torrents/wpa_psk-h1kari_renderman.torrent
    The resulting list is ~1,000,000 words for a total of approximately 40GB of hash tables for the top 1000 SSIDs
AirCrack-NG
  Built in WPA cracker since version 2.3
  http://www.aircrack-ng.org/
http://www.tinypeap.com/page8.html
  WPA Cracker is a brute force password cracker, all information entered manually.
Rogue Squadron WRT firmware
  http://airsnarf.shmoo.com/rogue_squadron/index.html

If you use a 21 Character Pass-Phrase you are safe?
  How many clients and APs let you enter in 31 Characters?
  What happens when you reach and overlap with SSID?

2006 80 keys per second
2007 130 keys per second
2007 30,000 keys per second


What in the Air can Kill You?

#1 Corporate Vulnerability
  Even if the data is encrypted, the services that are run by the MAC address can be detected
  Remember wireless is LAYER 2; it will send out all Layer 2 traffic
    VRRP, HSRP, Spanning Tree, OSPF, VTP/VLAN, CDP
    VLANs don’t help unless filtered
    MOST USE HASHES or PASSWORDS
    Clear-Text
  Broadcast/Multicast key rotation is OFF by Default
    Client devices using static WEP cannot use the access point when you enable broadcast key rotation
  It’s a two-way street, what goes out can also come in!


Injection of Traffic

Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems.
  http://www.yersinia.net
Attacks
  Spanning Tree Protocol (STP)
  Cisco Discovery Protocol (CDP)
  Dynamic Trunking Protocol (DTP)
  Dynamic Host Configuration Protocol (DHCP)
  Hot Standby Router Protocol (HSRP)
  802.1q
  802.1x
  Inter-Switch Link Protocol (ISL)
  VLAN Trunking Protocol (VTP)
Current Exploits
  Cisco CatOS VLAN Trunking Protocol Remote Command Execution Vulnerability
  Cisco IOS Multiple VLAN Trunking Protocol Code Execution and DoS Vulnerabilities
  Cisco Intrusion Prevention and Detection Systems DoS and Security
  Cisco Access Point Web-browser Interface Unauthorized Administrative Access and Bypass Issue


Agenda

Wireless Risks & Attacks

Best Practices for Wireless Security

The AirDefense Solution

Introduction to Wireless Security

Q&A

Attacking Clients
  Wireless Fuzzing
  Mobile Workers
  Windows Zero-Configuration
  Hotspots
  Station Impersonation
  Bridging Interfaces
  Wireless Printers


Clients

All Shapes and Sizes
  Hotspots
  Wi-Fi Phones
  Free Access via OUI
Many ways to attack clients
  Scan
  Exploit
  Repeat
But why do you have to?
  Have the client come to you!
  YOU KNOW WHAT THEY WANT!!!!!!!
    Probe Request
    Soft AP to the Probe Request


Attacking Wireless Clients

Packets of Death
  Plenty of them from handheld devices to laptops
  Most are BAD packets
  Usually Management or Control Frames
  Some are Data
  WEP Cracking is adding to the packets
Fuzzing
  Most are using cut through data rates (5.5 for Beacon Frames)
  Most are simple buffer overflows
  Lots of things that go BOOM
    Client Software
    Authentication Supplicants
  http://www.802.11mercenary.net/lorcon/


Client MAC Address Spoofing

[Diagram: hacker, user station and AP, with steps 1 to 4]
  MAC: 00 02 2D 50 D1 4E (Cisco 350)
  ORIGINAL MAC: 00 12 2D 50 43 1E (Orinoco Gold)
  NEW MAC: 00 02 2D 50 D1 4E

1. Find MAC address
2. Change MAC (SMAC, regedit)
3. Re-initialize card
4. Associate

MAC filtering is not enough

www.klcconsulting.net/smac
SMAC is a MAC Address Modifying Utility (spoofer) for Windows 2000/XP and Server 2003 systems, regardless of whether the manufacturers allow this option or not.


How Not to Attack a Client

[Diagram: user station, intruder laptop as soft AP, corporate network; labelled "Wired Thinking Attack"]
1 Laptop sends Probe request
2 AP responds to Probe request
3 Naïve user Associates with AP
4 AP provides IP address to user
5 Scan laptop for Windows vulnerabilities & compromise it
6 Use User Station as a launch pad

Municipal Wi-Fi increases Evil Twin attack surface


Windows Wireless Zero Configuration

1. Wireless Auto Configuration attempts to connect to the preferred networks that appear in the list of available networks in the preferred networks preference order
2. If there are no successful connections, Wireless Auto Configuration attempts to connect to the preferred networks that are hidden wireless networks. (No Beacon SSID)


Windows Wireless Zero Configuration

3. If there are no successful connections and there is an ad hoc network in the list of preferred networks that is available, Wireless Auto Configuration tries to connect to it


Windows Wireless Zero Configuration

If there are no successful connections, Wireless Auto Configuration configures the wireless network adapter to act as the first node in the ad hoc network

If there are no successful connections to preferred networks and there are no ad hoc networks in the list of preferred networks, if Automatically connect to non-preferred networks is enabled, and if all connection attempts to non-preferred networks fail, Wireless Auto Configuration creates a random wireless network name and places the wireless network adapter in infrastructure mode.

If the Windows wireless client is already connected to a wireless network but a more preferred wireless network becomes available, Wireless Auto Configuration disconnects from the currently connected wireless network and attempts to connect to the more preferred wireless network


Wireless Phishing

Tools such as Karma can respond to ANY client probe request
Variety of services (POP, FTP and HTTP) to lure unsuspecting users
No authentication of “pervasive wireless cloud”
Automatic network selection in Windows (Zero Configuration Client) and Macs is dangerous
Enterprises need to manage centralized policies

Karma (http://theta44.org/karma/index.html)
AirSnarf (http://airsnarf.shmoo.com/)
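A monitoring-side view of the behaviour described on this slide, as an added example that is not part of the original deck: a sensor can spot a respond-to-anything soft AP because one BSSID answers for many unrelated SSIDs, answers a random canary SSID that no real AP owns, or answers for a managed SSID without being on the authorized list. The record format, function name, thresholds and all addresses and SSIDs are constructed assumptions.

```python
from collections import defaultdict


def find_promiscuous_responders(frames, canary_ssids=(), authorized=None, max_ssids=2):
    """Return {bssid: [reasons]} for stations whose probe responses look like
    a soft AP that answers any client probe request.

    frames: dicts with "type" ("probe_req" or "probe_resp"), "src" and "ssid".
    canary_ssids: random names the sensor itself probes for.
    authorized: {managed SSID: set of BSSIDs allowed to serve it}.
    max_ssids: most distinct SSIDs one BSSID is expected to answer for.
    """
    authorized = authorized or {}
    canaries = set(canary_ssids)
    answered = defaultdict(set)  # bssid -> SSIDs it sent probe responses for
    for frame in frames:
        if frame["type"] == "probe_resp":
            answered[frame["src"]].add(frame["ssid"])

    findings = {}
    for bssid, ssids in answered.items():
        reasons = []
        hit = sorted(ssids & canaries)
        if hit:
            reasons.append("answered canary SSID: " + ", ".join(hit))
        if len(ssids) > max_ssids:
            reasons.append(f"answered for {len(ssids)} different SSIDs")
        spoofed = sorted(s for s in ssids
                         if s in authorized and bssid not in authorized[s])
        if spoofed:
            reasons.append("not authorized for managed SSID: " + ", ".join(spoofed))
        if reasons:
            findings[bssid] = reasons
    return findings


# Constructed sensor records: one legitimate AP and one soft AP that echoes
# whatever SSID a client (or the sensor's canary probe) asks for.
LEGIT_AP = "00:11:22:33:44:55"
SOFT_AP = "02:de:ad:be:ef:01"
CANARY = "canary-7f3a91c2"
SAMPLE_FRAMES = [
    {"type": "probe_req", "src": "aa:aa:aa:00:00:01", "ssid": "CorpNet"},
    {"type": "probe_resp", "src": LEGIT_AP, "ssid": "CorpNet"},
    {"type": "probe_resp", "src": SOFT_AP, "ssid": "CorpNet"},
    {"type": "probe_req", "src": "aa:aa:aa:00:00:01", "ssid": "HomeNet-Smith"},
    {"type": "probe_resp", "src": SOFT_AP, "ssid": "HomeNet-Smith"},
    {"type": "probe_req", "src": "aa:aa:aa:00:00:02", "ssid": "HotelGuest"},
    {"type": "probe_resp", "src": SOFT_AP, "ssid": "HotelGuest"},
    {"type": "probe_req", "src": "cc:cc:cc:00:00:09", "ssid": CANARY},
    {"type": "probe_resp", "src": SOFT_AP, "ssid": CANARY},
]

if __name__ == "__main__":
    result = find_promiscuous_responders(
        SAMPLE_FRAMES, canary_ssids=[CANARY], authorized={"CorpNet": {LEGIT_AP}})
    for bssid, reasons in result.items():
        print(bssid)
        for reason in reasons:
            print("  -", reason)
```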


DHCP and DNS Client Attacks

Since they Take the Hook, now asking for More
  Hungry Fish
Give Me an IP Address
  Give them an address that could be Excluded from Personal Firewalls
    10.X.X.X, 192.168.X.X, 172.16.X.X
  Or an IP address they are looking for
DHCP Attack
  Exploit attacks a client and creates an Admin User on device
  DHCP Broadcast Attack (MS06-036)
  http://www.milw0rm.com/sploits/07212006-MS06_036_DHCP_Client.tar.gz
DNS Attack/Manipulation
  “I am DNS, I am the Internet” - Cricket Liu
  Can offer anything to you and you believe it
  Sites: Banking, Hotel, Airlines, Work (Exchange, Oracle, SQL)


Data Seepage

Your notebook is not location-aware
  Office or Home or Hotspot
Interfaces are Active by order
  Last Interface is usually Wifi
Wants to always connect to something
  Just someone to offer you a connection

[Diagram: Office, Home, Hotspot. "What am I connected to?"]

All data is same
  Company Name
  Servers
  Email
  Clients
  Applications
  And More…


Agenda

Wireless Risks & Attacks

Best Practices for Wireless Security

The AirDefense Solution

Introduction to Wireless Security

Q&A

Real-World Wireless Issues
  Zero-Day Attacks
  Hotspots


Exploiting is too Easy!

Vx.netlux.org
  MVBSWE
  Worm Editors
  Virus Editors
  Script Editors

Do you Trust your Hotspot Web Page?

Corporate Guest Access?


Zero Day Alerts

http://www.frsirt.com/

http://www.cert.org

http://nvd.nist.gov

FrSIRT delivers vulnerability and threat alerts, 24/7, 365 days a year, to inform organizations of new potential threats. Our services are designed to deliver notification of vulnerabilities and exploits as they are identified, providing timely, actionable information and guidance to help mitigate risks before they are exploited.


ZERO Day New Attacks

Zero-Day attacks against known services

Zero-Day attacks against IE, Firefox

Remote Exploits

I am on your system as YOU!

New Trojans and Virus ready for Injection

Favorite exploits NEW

WMF

Media Player

Java Exploits

www.milw0rm.com


Adding to Metasploit Framework

Wireless Enabled
  Driver Level Exploit
Point and Click Exploits
  Exploit for Zero-Day Attacks
Numerous Payloads
  Number of ways to take over your Computer


Agenda

Wireless Risks & Attacks

Best Practices for Wireless Security

The AirDefense Solution

Introduction to Wireless Security

Q&A

Enumeration of Wireless Devices
Password Sniffing & Cracking
Hacking Password Hashes
Breaking VPNs over Wireless
Listening to VoIP Conversations
One-way Insertion Attacks
Zero-day Attacks
Snarfing


Hacking Password Hashes

Get virtually any password
  Offline & passive
  LEAP, PPTP, MS-CHAPv2, MD-5
Search hash list to find password
  Large password list to generate hashes
  Requires 3-5 GB of space
Rainbow tables are indexed hash lists
  Required 2-3 TB of space
  Known tables exist for up to 14 characters
  http://rainbowtables.shmoo.com/
  http://www.antsight.com/zsl/rainbowcrack/
  http://www.rainbowcrack-online.com/


Man-in-the-Middle Attack: WLAN Jack & Air-Jack Tools

Allows attacker to:
  Intercept ALL communications between the client & AP
  Pretend to be the client without disrupting the client’s session at Layer 2
Possible due to:
  Management frame’s lack of authentication / Lack of AP authentication

Step 1: Disassociation of Target station from AP by spoofing the MAC of the AP and sending Disassociate & Deauth Frames
Step 2: Attacker re-associates target to Malicious station and connects to AP

[Diagram: Target, Dual-Card Attacker, AP, Server]


Snarfing Hot Spots

Security question: Connecting to an untrusted network and launching the most vulnerable program you have just screams “EXPLOIT ME”!!!!
Fake web pages
  Steals your Hotspot Password
Evil web pages
  Infect your PC with Malware
My Web pages
  Steal your NT Password
  1x1 pixel
  Cross Site Scripting
  Installs Trojans
  Installs Spyware
  Opens back doors
  Changes Registry
  Adds User Account
  Shares Files and such
Oops you just opened a web page, that’s all!!!!!


Next Generation Wireless Attacks

802.1x State Machine
  Client initiated disconnection
  Assumes everyone plays nice
Fuzzing Attacks will Expand
  Intel driver issues
  802.1x supplicant issues
  AP issues
Exploit More EAP-Types
  TLS is not secure in Windows
Windows Vista
  Wireless stack rewritten
  Good news
    Support for many EAP types
    Providing for XP too
  Bad news
    Hacking tools ported to Windows
    Built in Network Address Spoofing
    Point and click “hacking”


Firewall Myths

“Firewall only” approach to network security
Firewalls:
  Cannot stop rogue wireless devices
  Do not eliminate the need for wireless scanning for rogues
  Do not protect against wireless attacks
Once a hacker is on the network they can punch through open ports
Access Control Lists are weaker than Firewalls
Best bet is to keep hackers off the network


VPN Myths

Allows the hacker to get onto open Wi-Fi network and exploit network or clients for weaknesses
Client cannot run on many embedded devices (e.g., wireless scanners, VoWi-Fi handsets, etc.)
Subnet roaming is problematic
VPN
  Less performance and more overhead
Break weak encryption & authentication
  Re-authentication on weak ciphers
  Dictionary attacks on weak ciphers
Protocol & server flaws exposed
  IKE Aggressive mode
  Pre-shared keys
  Exploiting bugs in VPN server

[Diagram: Wireless Security, WIPS, VPN]

A Layer 3 solution to a Layer 2 problem


VLANs

Virtual Local Area Networks
  A logical grouping of devices or users
  Users can be grouped by function, department, application, regardless of physical segment location
  VLAN configuration is done at the switch (Layer 2)
  WIRELESS is not the SAME (Spoofing is EASY)
VLAN Membership
  Static VLAN Assignment
    Port based membership: Membership is determined by the port on the switch and not by the host.
  Dynamic VLAN Assignment
    Membership is determined by the host’s MAC address. Administrator has to create a database with MAC addresses and VLAN mappings


Guest Networking Issues on VLANs

Guest access to Internet via WLAN
IP address for WLAN client via DHCP server, which is in the area of the corporate network, including DNS server credentials
Sometimes a split, but that does not help either, as the DNS server is still in the corporate LAN
Issues:
  DHCP DoS
  DNS DoS
  VLAN Hopping
  among others

[Diagram: Guest, WLAN SSID, Access Point, DHCP Server, DNS Server, Internet. Legend: 1q VLAN used for Guest, “tunneled”; DHCP address supplied containing DNS server information; DNS request from client.]


VLAN Hopping

[Diagram: SSIDs Corp, Guest, OLD and VOIP on one wireless infrastructure; labels: Guest, Corp, VOIP Client, WPA-2, WEP Only, "?"]

Basic VLAN Hopping Attack
  Attacker fools switch into thinking that he is a switch that needs trunking
Double Encapsulated VLAN Hopping Attack
  Switches perform only one level of IEEE 802.1q decapsulation
  This allows the attacker to specify a .1q tag inside the frame, allowing the frame to go to a VLAN that the outer tag did not specify
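How a sensor or capture-review script can recognise the double-encapsulated case, as an added example that is not part of the original deck: it walks the stacked 802.1Q tags in a raw Ethernet frame and raises an alert when a second tag sits behind an outer tag equal to the trunk's native VLAN, which is the tag a switch strips in its single level of decapsulation. The function names, the native VLAN value and the sample frames are constructed assumptions.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol identifiers


def vlan_stack(frame: bytes):
    """Return (VLAN IDs outermost first, EtherType after the last tag)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    vids = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        # The tag is TPID (2 bytes) + TCI (2 bytes); the next type field follows.
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return vids, ethertype


def classify(frame: bytes, native_vlan: int = 1) -> str:
    """Verdict for a frame seen on an access or wireless-facing segment."""
    vids, _ = vlan_stack(frame)
    if len(vids) < 2:
        return "ok"
    if vids[0] == native_vlan:
        return (f"alert: double-tagged, outer VLAN {vids[0]} is the native VLAN, "
                f"inner VLAN {vids[1]}")
    # Stacked tags are legitimate on provider (Q-in-Q) links, so only review.
    return f"review: stacked tags {vids}"


def build_frame(vids, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Build a constructed Ethernet frame carrying the given 802.1Q tags."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("02aabbccddee")
    tags = b"".join(struct.pack("!HH", 0x8100, vid & 0x0FFF) for vid in vids)
    return header + tags + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    samples = {
        "untagged": build_frame([]),
        "guest VLAN 10": build_frame([10]),
        "outer 1, inner 20": build_frame([1, 20]),
        "outer 30, inner 20": build_frame([30, 20]),
    }
    for name, frame in samples.items():
        print(f"{name:20s} {classify(frame, native_vlan=1)}")
```

The corresponding switch-side controls are to keep user ports out of the native VLAN and to tag the native VLAN on trunks, so the outer tag is never silently removed.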


Why VLANs do not Work for Wireless

Making Logical on a Physical Media
  Not Making Logical on a Virtual media
Design on Port usage
  No Physical Ports on Wireless


Agenda

Wireless Risks & Attacks

Best Practices for Wireless Security

The AirDefense Solution

Introduction to Wireless Security

Q&A


Recommended Wireless Security Strategy

Contain and control authorized wireless devices, both inside owned facilities and outside at hotspots, municipal wifi zones & home
Automatically keep all unauthorized wireless devices off the entire wired network all the time
Continually assure strong security configurations and policies 24x7 on all authorized wireless devices
Accurately detect (WIDS) and automatically defend (WIPS) against the greatest number of wireless attacks possible
Store and data mine long-term, forensics quality information for investigations and diagnosing wireless problems
Measure and prove compliance with regulatory wireless security policies and controls


Wireless Security Can not Mitigate Risks

Flawed
It’s the Internet All over
  Telnet
  FTP
  HTTP
  We still use them
Risk vs. Threats
SHARED MEDIUM
  Easy compromise
  Remediation is Key
  Monitoring is Key


Summary

Wireless is a business enabler and part of every network
Unmonitored wireless networks make the entire network infrastructure vulnerable
Lack of policy compliance can result in regulatory liabilities
AirDefense offers market-leading solutions to provide visibility and control of all wireless assets, regardless of location
AirDefense solutions are trusted by the most security-sensitive organizations in the world
AirDefense solutions are cost-effective & provide the lowest TCO


Contact us
Web: www.AirDefense.NET
HQs Phone: 770-663-8115
Demo of Laptop Products Available on www.AirDefense.NET

Contact: Anthony Perridge
Vice President, International
+44 1628 509058

http://www.airdefense.net/seminars/airdefense_europe_oct_2007.pdf
