- WPA TOO !
- Md Sohail Ahmad
- AirTight Networks
- www.airtightnetworks.com
- About the Speaker
  - 2007, Toorcon 9: Caffe Latte Attack
  - 2008, Defcon 16: Autoimmunity Disorder in Wireless LANs
  - 2009, Defcon 17: WiFish Finder: Who will bite the bait?
  - 2010, Defcon 18: WPA TOO !
- WPA TOO !
- Defcon 18
- About the Talk
  - WPA2 is vulnerable under certain conditions. This limitation, though known to the designers of WPA2, is not well understood or appreciated by WiFi users.
  - In this talk, I am going to show that exploits are possible using off-the-shelf tools with minor modifications.
- Background
  - WEP, the one and only security configuration present in the original 802.11 standard, was cracked in 2001. Since then several attacks on WEP have been published and demonstrated.
  - Nowadays most WLANs are secured with a much better and more robust security protocol called WPA2.
  - Interestingly, WPA2 is also being used to secure Guest WiFi, Municipal WiFi (e.g. GoogleWiFi Secure) and Public WiFi (e.g. T-Mobile or AT&T WiFi Hotspot) networks.
- Is WPA2 safe to be used in WiFi networks?
- Known attacks on WPA/WPA2
  - 2003: PSK vulnerability
  - 2004: PSK cracking tool; eavesdropping
  - 2008: TKIP vulnerability; PEAP mis-configuration vulnerability
  - Attack on Pre-Shared Key (PSK) authentication. Implications: eavesdropping, unauthorized access to the network
  - Attack on 802.1x authentication. Implications: client compromise
  - Attack on encryption (TKIP). Implications: injection of small-size frames to create disruption
- Solution
  - 1. Do not use PSK authentication in other than private/home networks (solves the PSK vulnerability)
  - 2. Do not ignore the certificate validation check in the client's configuration (solves the client vulnerability)
  - 3. Use AES (CCMP) encryption (solves the TKIP vulnerability)
- Encryption in WPA2
- Encryption Keys
  - Two types of key for data encryption:
  - 1. Pairwise Transient Key (PTK)
  - 2. Group Temporal Key (GTK)
  - While the PTK is used to protect unicast data frames, the GTK is used to protect group-addressed data frames, e.g. broadcast ARP request frames.
- GTK is shared among all associated clients
  - Three connected clients: Client 1 has PTK = PTK1 and group key = K1; Client 2 has PTK = PTK2 and group key = K1; Client 3 has PTK = PTK3 and group key = K1
  - A new client that associates is told by the AP: "Your Group key is K1"
- Group addressed traffic in a WLAN
  - Group addressed 802.11 data frames are always sent by an access point and never sent by a WiFi client
  - The GTK is designed to be used as an encryption key in the AP and as a decryption key in the client
  - ToDS "Broadcast ARP Req" frame (sent by a client to the AP): Address 1 (receiver address) = AP/BSSID MAC
  - FromDS "Broadcast ARP Req" frame (sent by the AP to all clients): Address 1 (receiver/destination MAC) = FF:FF:FF:FF:FF:FF
- What if a client starts using the GTK for group addressed frame encryption?
- Is it possible for a client to send forged group addressed data frames?
  - FromDS "Broadcast ARP Req." frame, actually injected by a client: Address 1 (or Destination MAC) = FF:FF:FF:FF:FF:FF
  - Console log of a WiFi user's machine: the parameters (GTK, KeyID and PN) required to send a group addressed data frame are known to all connected clients.
  - A malicious user can always create fake packets
- WPA2 secured WiFi networks are vulnerable... to Insider Attack
  - A malicious insider can inject forged group addressed data traffic
  - Legitimate clients can never detect the data forgery
  - Figure: a legitimate client and a malicious insider associated to the same AP
- Implications
  - Stealth mode ARP poisoning/spoofing attack
  - Traffic snooping
  - Man in the Middle (MiM): how about "Aurora"?
  - IP layer DoS attack
  - IP level targeted attack: TCP reset, TCP indirection, port scanning, malware injection, privilege escalation etc.
  - Wireless DoS attack: blocks downlink broadcast data frame reception
- Stealth mode ARP Poisoning
  - 1. The attacker injects a fake ARP packet ("I am the Gateway") to poison the client's cache entry for the gateway. The ARP cache of the victim gets poisoned; for the victim client, the gateway is now the attacker's machine.
  - 2. The victim sends all traffic to the attacker
  - 3. Now the attacker can either drop the traffic or forward it to the actual gateway on the wired LAN
- ARP Poisoning Attack: Normal vs Stealth Mode
  - Normal: the attacker sends "I am the Gateway" to the target through the AP. The ARP poisoning frames appear on the wire via the AP, so the chances of being caught are high.
  - Stealth mode: the attacker sends the GTK-encrypted "I am the Gateway" frame directly to the target. The ARP poisoning frames are invisible to the AP and never go on the wire, so they can't be detected by any wire-side ARP cache poison detection tool.
- IP Level Targeted Attack
- PN or Packet Number in CCMP Header
  - A 48-bit Packet Number (PN) is present in all CCMP encrypted DATA frames
- Replay Attack Detection in WPA2
  - 1. All clients learn the PN associated with a GTK at the time of association
  - 2. The AP sends a group addressed data frame to all clients with a new PN (e.g. PN=701 while the legitimate client is expecting PN > 700)
  - 3. If the new PN > the locally cached PN, then the packet is decrypted and, after successful decryption, the cached PN is replaced with the new PN
- Wireless DoS Attack (WDoS)
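The following Python block is an added example, not code from the talk or from AirTight's tools. It builds the 802.11 data header and the 8-byte CCMP header that a client sees before decryption, then runs the per-GTK replay check described above over three constructed frames: an AP broadcast with PN=701, an insider frame that spoofs the BSSID as transmitter and uses the shared GTK's KeyID with PN=5000, and the AP's next broadcast with PN=702. The MAC addresses and PN values are made up for the example; the header layouts follow 802.11i (frame control flags, CCMP PN0/PN1/reserved/KeyID/PN2..PN5). Nothing in the header tells the client who really transmitted the frame, so the injected frame is accepted, and because it advanced the cached PN the AP's genuine broadcast is then dropped as a replay, which is the downlink broadcast blocking of the WDoS slide.

```python
"""Added illustration (not the talk's code): CCMP headers and the group-key
replay counter as seen by one legitimate WPA2 client.  Addresses and PNs
below are constructed for the example."""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
BSSID = "00:11:22:33:44:55"        # constructed AP address
GATEWAY_MAC = "00:11:22:33:44:66"  # constructed wired gateway (SA of FromDS frames)
INSIDER_MAC = "aa:bb:cc:dd:ee:01"  # constructed attacker STA address

FC_TYPE_DATA = 0x08   # frame control byte 0: type=2 (data), subtype=0
FC_TO_DS = 0x01       # frame control byte 1 flags
FC_FROM_DS = 0x02
FC_PROTECTED = 0x40


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_ccmp_data_header(addr1, addr2, addr3, pn, key_id, *, from_ds, to_ds, seq=0):
    """24-byte 802.11 data header + 8-byte CCMP header (payload/MIC omitted:
    the replay decision is taken on the clear-text PN before decryption)."""
    flags = FC_PROTECTED | (FC_TO_DS if to_ds else 0) | (FC_FROM_DS if from_ds else 0)
    header = (bytes([FC_TYPE_DATA, flags])
              + struct.pack("<H", 0)                       # duration/ID
              + mac_to_bytes(addr1) + mac_to_bytes(addr2) + mac_to_bytes(addr3)
              + struct.pack("<H", seq << 4))               # sequence control
    pn_le = pn.to_bytes(6, "little")                       # PN0 is the least significant octet
    ccmp = bytes([pn_le[0], pn_le[1], 0x00, 0x20 | (key_id << 6),   # ExtIV bit 5, KeyID bits 6-7
                  pn_le[2], pn_le[3], pn_le[4], pn_le[5]])
    return header + ccmp


def parse_ccmp_data_header(frame: bytes) -> dict:
    flags = frame[1]
    c = frame[24:32]
    pn = int.from_bytes(bytes([c[0], c[1], c[4], c[5], c[6], c[7]]), "little")
    return {
        "from_ds": bool(flags & FC_FROM_DS),
        "to_ds": bool(flags & FC_TO_DS),
        "protected": bool(flags & FC_PROTECTED),
        "addr1": bytes_to_mac(frame[4:10]),    # receiver
        "addr2": bytes_to_mac(frame[10:16]),   # transmitter (BSSID for FromDS)
        "addr3": bytes_to_mac(frame[16:22]),
        "ext_iv": bool(c[3] & 0x20),
        "key_id": c[3] >> 6,
        "pn": pn,
    }


class GroupKeyReplayCounter:
    """Client-side replay check for one GTK: accept only if PN > last seen PN."""

    def __init__(self, bssid: str, key_id: int, initial_pn: int):
        self.bssid = bssid
        self.key_id = key_id
        self.last_pn = initial_pn   # learned from the handshake at association time

    def accept(self, frame: bytes) -> str:
        f = parse_ccmp_data_header(frame)
        if not (f["protected"] and f["from_ds"] and not f["to_ds"]):
            return "ignored: not a protected FromDS data frame"
        if f["addr1"] != BROADCAST or f["addr2"] != self.bssid:
            return "ignored: not a group-addressed frame from our BSSID"
        if not f["ext_iv"] or f["key_id"] != self.key_id:
            return "ignored: wrong key"
        if f["pn"] <= self.last_pn:
            return f"dropped: replay (PN {f['pn']} <= {self.last_pn})"
        # A real client now decrypts with the GTK and, on MIC success, advances
        # the counter.  The header carries nothing that identifies the true
        # transmitter, so an insider's frame with a spoofed BSSID passes too.
        self.last_pn = f["pn"]
        return f"accepted: PN {f['pn']}"


def simulate_insider_injection():
    """Three frames as observed by one legitimate client; returns the verdicts."""
    client = GroupKeyReplayCounter(BSSID, key_id=1, initial_pn=700)
    ap_frame_1 = build_ccmp_data_header(BROADCAST, BSSID, GATEWAY_MAC, 701, 1, from_ds=True, to_ds=False)
    # Insider: looks exactly like an AP broadcast, Address 2 spoofed to the BSSID, PN pushed far ahead.
    injected = build_ccmp_data_header(BROADCAST, BSSID, GATEWAY_MAC, 5000, 1, from_ds=True, to_ds=False)
    ap_frame_2 = build_ccmp_data_header(BROADCAST, BSSID, GATEWAY_MAC, 702, 1, from_ds=True, to_ds=False)
    return [client.accept(ap_frame_1), client.accept(injected), client.accept(ap_frame_2)]


if __name__ == "__main__":
    for verdict in simulate_insider_injection():
        print(verdict)
```

The third verdict is the WDoS effect: every genuine AP broadcast is discarded until the AP's own PN for that GTK climbs past the value the insider used, so the victim stops receiving downlink broadcast traffic (ARP, DHCP offers sent to the broadcast address, and so on) without any error being logged.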
- Demo: Stealth mode attack
  - A live demo of the exploit will be done during the presentation
- Prevention & Countermeasures
- Endpoint Security
  - Client software such as DecaffeinatID or Snort can be used to detect ARP cache poisoning on the endpoint itself.
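Because the stealth-mode poisoning frames never reach the wire, the endpoint is the only place they can be observed. The Python block below is an added example and is not code from DecaffeinatID or Snort; it reproduces the arpwatch-style checks such tools rely on: an alert when a pinned address (the gateway) is claimed by a different MAC, an alert when a known IP-to-MAC mapping changes (flip-flop), and an alert for ARP replies that answer no request this host sent. The IP/MAC addresses, the reply window and the packet trace are constructed for the example and stand in for what a host's NIC would capture.

```python
"""Added example (not DecaffeinatID/Snort code): endpoint ARP poisoning
detection over a constructed ARP trace.  All addresses are made up."""
from collections import namedtuple

# op: 1 = ARP request, 2 = ARP reply
ArpPkt = namedtuple("ArpPkt", "t op sender_mac sender_ip target_mac target_ip")

VICTIM_IP, VICTIM_MAC = "192.168.1.50", "00:11:22:33:44:50"   # constructed
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:66"  # constructed
ATTACKER_MAC = "aa:bb:cc:dd:ee:01"                             # constructed
ZERO_MAC = "00:00:00:00:00:00"

# Constructed trace as the victim's own interface would see it.
SAMPLE_TRACE = [
    ArpPkt(0.0, 1, VICTIM_MAC, VICTIM_IP, ZERO_MAC, GATEWAY_IP),    # we ask who has the gateway
    ArpPkt(0.1, 2, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # gateway answers
    ArpPkt(5.0, 2, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP), # insider's poison reply, never on the wire
    ArpPkt(5.5, 1, ATTACKER_MAC, GATEWAY_IP, ZERO_MAC, VICTIM_IP),   # poison via a request (also updates caches)
    ArpPkt(8.9, 1, VICTIM_MAC, VICTIM_IP, ZERO_MAC, GATEWAY_IP),    # our entry timed out, we ask again
    ArpPkt(9.0, 2, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # real gateway answers: flip-flop
]


class ArpWatch:
    def __init__(self, our_ip, pinned=None, reply_window=2.0):
        self.our_ip = our_ip
        self.pinned = dict(pinned or {})   # ip -> MAC fixed at first association (assumed policy)
        self.table = {}                    # ip -> MAC last seen claiming it
        self.pending = {}                  # ip we asked about -> time of our request
        self.window = reply_window         # seconds a reply may lag our request
        self.alerts = []

    def observe(self, p):
        alerts = []
        if p.op == 1 and p.sender_ip == self.our_ip:      # our own outgoing request
            self.pending[p.target_ip] = p.t
            return alerts
        if p.op == 2:
            asked = self.pending.pop(p.sender_ip, None)
            if asked is None or p.t - asked > self.window:
                alerts.append(f"unsolicited reply: {p.sender_ip} is-at {p.sender_mac}")
        expected = self.pinned.get(p.sender_ip)
        if expected is not None and p.sender_mac != expected:
            alerts.append(f"pinned {p.sender_ip} claimed by {p.sender_mac}, expected {expected}")
        elif p.sender_ip in self.table and self.table[p.sender_ip] != p.sender_mac:
            alerts.append(f"flip-flop: {p.sender_ip} moved from {self.table[p.sender_ip]} to {p.sender_mac}")
        self.table[p.sender_ip] = p.sender_mac   # requests update caches too, so learn from both ops
        self.alerts.extend(alerts)
        return alerts


def run_detector(trace=SAMPLE_TRACE):
    """Feed a trace through the detector and return every alert raised."""
    watch = ArpWatch(VICTIM_IP, pinned={GATEWAY_IP: GATEWAY_MAC})
    for pkt in trace:
        watch.observe(pkt)
    return watch.alerts


if __name__ == "__main__":
    for line in run_detector():
        print(line)
```

The pinned-gateway check is what stops the attack rather than just reporting it: a host that refuses to replace the gateway entry on an unsolicited or mismatching reply keeps routing through the real gateway, which is the property the PSPF/client-isolation discussion that follows tries to obtain from the infrastructure instead.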
- Limitations
  - A wide variety of client devices (operating systems, hardware, smartphones) connect to WPA2 secured WiFi networks, while such software is available only for Windows or Linux devices
- Infrastructure Side
  - Public Secure Packet Forwarding (PSPF)/peer-to-peer (P2P) blocking, or Client Isolation
  - The AP does not forward Client A's packets to Client B
  - The feature can be used to stop communication between two WiFi enabled client devices
- Limitations
  - Not all standalone mode APs or WLAN controllers have built-in PSPF or client isolation capabilities
  - PSPF or Client Isolation does not always work:
    - It does not work across APs in standalone mode
    - In a controller based architecture, PSPF (peer2peer) does not work across controllers even when the controllers are present in the same mobility group
  - The attacker can always use a WiFi client to launch the attack and set up a non-WiFi host to serve the victim, easily bypassing PSPF/Client isolation
- Long Term Solution: Protocol Enhancement
  - Deprecate use of the GTK and group addressed data traffic from the AP
  - 1. Convert all group addressed data traffic into unicast traffic
  - 2. For backward compatibility the AP should send randomly generated, different GTKs to different clients so that all associated clients hold different copies of the group key
  - Disadvantages: (a) brings down total network throughput; (b) requires an AP software upgrade
- Key Take Away
  - WPA2: secure, but vulnerable to insider attack!
  - This limitation is known to the WPA2 designers, but not well understood by WiFi users
  - Countermeasures can be deployed wherever the threat of insider attacks is high: using endpoint security, or using wireless traffic monitoring with WIPS sensors
- Thank You!
- Md Sohail Ahmad
- Email: md.ahmad@airtightnetworks.com
- www.airtightnetworks.com
- For up-to-date information on developments in wireless security, visit blog.airtightnetworks.com
- References
  - [1] Task Group I, IEEE P802.11i Draft 10.0. Project IEEE 802.11i, 2004.
  - [2] Aircrack-ng, www.aircrack-ng.org
  - [3] PEAP: Pwned Extensible Authentication Protocol, http://www.willhackforsushi.com/presentations/PEAP_Shmoocon2008_Wright_Antoniewicz.pdf
  - [4] WPA/WPA2 TKIP Exploit: Tip of the Iceberg?, www.cwnp.com/pdf/TKIPExploit08.pdf
  - [5] Cisco's PSPF or P2P, http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00806a4da3.shtml
  - [6] Client isolation, http://www.cisecurity.org/tools2/wireless/CIS_Wireless_Addendum_Linksys.pdf
  - [7] The Madwifi Project, http://madwifi-project.org/
  - [8] Host AP Driver, http://hostap.epitest.fi/
  - [9] ARP Cache Poisoning, http://www.grc.com/nat/arp.htm
  - [10] Detecting Wireless LAN MAC Address Spoofing, http://forskningsnett.uninett.no/wlan/download/wlan-mac-spoof.pdf
  - [11] DecaffeinatID, http://www.irongeek.com/i.php?page=security/decaffeinatid-simple-ids-arpwatch-for-windows&mode=print
  - [12] SNORT, http://www.snort.org/
  - [13] Wireless Hotspot Security, http://www.timeatlas.com/Reviews/Reviews/Wireless_Hotspot_Security