Topics in 802.11 (in)Security circa 2006

1
Topics in 802.11 (in)Security circa 2006
  • Eldon Sprickerhoff, CISSP
  • eSentire, Inc.

2
Who am I?
  • Security Researcher
  • eSentire Incident Response Team Member
  • After consulting for several years, co-founded an
    Internet security company (in 2001) based out of
    Cambridge, ON.

3
Obligatory Disclaimer
  • Know the law and obey it!
  • The techniques described here are for research
    purposes only.
  • Don't cry if nobody visits you while you're in
    Club Fed.

4
Topics
  • Current State of Wireless Encryption.
  • Why Encryption Might Not Matter, Anyways.
  • Wireless IDS/IPS (testing and evading).
  • Detecting rogue wireless on the wired side.
  • Cutting Through Hot Spot Authentication.

5
Current State of Encryption
  • WEP is dead, long live WEP!
  • WPA-PSK better but not impenetrable.
  • CoWPAtty (Joshua Wright)
  • Church of WiFi Prehashed password lists
    (170,000 words against top 1000 SSID's in
    wigle.net)
  • Field Programmable Gate Arrays (FPGA's)

6
Encryption cont'd.
  • Just because you're using EAP w/ certs doesn't
    mean you're OK.
  • EAP Peeking (using FreeRADIUS and hostapd)
    coined by the Shmoo Group (google shmoo-fu.pdf)
  • Disassociate the client from the legitimate AP.
  • Reassociate to your AP, negotiate the 802.1x EAP
    and EAP-TTLS protocol exchanges.
  • Secure tunnel established (if client doesn't do a
    remote certificate check)!
  • Sniff credentials of client.
  • Remember: pre-shared keys and/or not checking
    certificates... not so good.
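A defender-side check for the slide's last point: the EAP-TTLS tunnel only protects credentials if the client validates the server certificate. This added example (not from the talk) lints constructed wpa_supplicant network blocks and flags tunneled-EAP networks with no `ca_cert` or server-name match; the SSIDs, certificate path and CN are placeholders.

```python
import re

# Constructed wpa_supplicant.conf excerpt (not from the talk): the first block never
# checks the RADIUS server's certificate, the second does. Paths/names are placeholders.
SAMPLE_CONF = """network={
    ssid="corp-wlan"
    eap=TTLS
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wlan-hardened"
    eap=TTLS
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    subject_match="/CN=radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

# Tunneled EAP methods: the outer TLS tunnel is only as good as the server check.
TUNNELED_EAP = {"TTLS", "PEAP"}
SERVER_NAME_KEYS = ("subject_match", "altsubject_match", "domain_suffix_match")

def parse_networks(conf: str) -> list:
    """Return one {key: value} dict per network={...} block (quotes stripped)."""
    nets = []
    for block in re.findall(r"network=\{(.*?)\}", conf, flags=re.S):
        settings = {}
        for line in block.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, _, value = line.partition("=")
                settings[key.strip()] = value.strip().strip('"')
        nets.append(settings)
    return nets

def check_server_validation(net: dict) -> list:
    """Findings for a tunneled-EAP network that would trust a rogue AP's RADIUS server."""
    findings = []
    if net.get("eap") not in TUNNELED_EAP:
        return findings
    if "ca_cert" not in net:
        findings.append("no ca_cert: any server certificate is accepted")
    if not any(k in net for k in SERVER_NAME_KEYS):
        findings.append("no server name match: any cert from a trusted CA is accepted")
    return findings

def audit(conf: str) -> dict:
    """Map each SSID to its findings; an empty list means the server is validated."""
    return {net.get("ssid", "?"): check_server_validation(net) for net in parse_networks(conf)}
```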

7
And why it might not matter anyways
  • The linksys community wifi network.
  • What is the intent of the evildoer?
  • What is the path of least resistance?

8
Widespread WiFi Availability
  • Can you even buy a new laptop without wifi these
    days?
  • Excellent wireless integration in Windows XP.
  • Ever happened onto an open wifi node?

9
IPv4 Link-Local Addresses
  • RFC 3927 - Dynamic Configuration of IPv4
    Link-Local Addresses
  • If DHCP fails to provide an IP address,
    interfaces with Link-Local configurations will
    auto-assign an address in the 169.254.0.0/16
    range.
  • Link-Local is on by default on all interfaces on
    all Windows platforms, including wireless
    interfaces.

10
MS Implementation of RFC 3927
  • Using XP as an example
  • Start -> Connect To -> Show all connections
  • Right click on wireless connection
  • Internet Protocol (TCP/IP) -> Properties
  • Two things to look for (they are set by default)
  • General -> Obtain an IP address automatically is
    checked
  • Alternate Configuration -> Automatic private IP
    address is checked
  • Further details of Microsoft's implementation are
    in RFC 3927 in appendix A.4

11
Ever wonder why there are so many AP's in an
airport lounge?
  • User boots up laptop; wireless is enabled.
  • But Ethernet is disconnected, so a short timeout
    occurs.
  • Wireless is enabled, tries to find default SSID.
  • Default SSID is not found, no DHCP server
    answers, Link-Local is used.
  • IP address is assigned from 169.254.0.0/16 range
    per RFC 3330; this is APIPA (Automatic Private IP
    Address).
  • Built-in laptop becomes an ad-hoc network using
    default SSID.
  • PC now says it is "tmobile" or "linksys" or
    "dlink", and broadcasts its SSID as such. WHY?
  • The first one up becomes the potential SSID
    leader.
  • As additional laptops come up and can't find
    their default (re last) SSID to connect to, they
    may or may not connect.
  • Windows stores all SSIDs you have connected to in
    the Registry.
  • If you have the SSID leader's beaconed SSID in
    your Registry, you could connect.
  • Even if you don't, if there was only one SSID
    around, you could also connect.
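An added detection example, not from the talk, for the "SSID leader" behaviour described above: it parses beacon-frame bodies (fixed fields plus the SSID and DS Parameter Set elements) and flags an ad-hoc (IBSS) beacon that carries a vendor-default SSID. The sample beacons are constructed in code rather than captured; a real check would feed it frames from a monitor-mode capture.

```python
import struct

# Vendor-default SSIDs the talk names as ad-hoc "SSID leaders"; extend for your estate.
DEFAULT_SSIDS = {"linksys", "dlink", "tmobile"}
CAP_ESS, CAP_IBSS = 0x0001, 0x0002   # capability-info bits: infrastructure vs ad-hoc

def parse_beacon_body(body: bytes) -> dict:
    """Parse a beacon/probe-response body (after the 24-byte MAC header):
    timestamp(8) + interval(2) + capability(2), then tagged elements."""
    if len(body) < 12:
        raise ValueError("beacon body too short")
    _ts, interval, cap = struct.unpack_from("<QHH", body, 0)
    info = {"interval": interval, "ibss": bool(cap & CAP_IBSS),
            "ess": bool(cap & CAP_ESS), "ssid": None, "channel": None}
    pos = 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                       # truncated element: stop, don't misparse
        if tag == 0:                    # SSID element
            info["ssid"] = value.decode("utf-8", errors="replace")
        elif tag == 3 and length == 1:  # DS Parameter Set: current channel
            info["channel"] = value[0]
        pos += 2 + length
    return info

def is_suspect_adhoc(info: dict) -> bool:
    """The pattern from the talk: an IBSS (ad-hoc) beacon carrying a default SSID."""
    return info["ibss"] and (info["ssid"] or "").lower() in DEFAULT_SSIDS

def build_beacon_body(ssid: str, channel: int, ibss: bool) -> bytes:
    """Constructed test input standing in for a monitor-mode capture."""
    fixed = struct.pack("<QHH", 0, 100, CAP_IBSS if ibss else CAP_ESS)
    raw = ssid.encode()
    return fixed + bytes([0, len(raw)]) + raw + bytes([3, 1, channel])

if __name__ == "__main__":
    for body in (build_beacon_body("linksys", 6, ibss=True),
                 build_beacon_body("corp-wlan", 11, ibss=False)):
        info = parse_beacon_body(body)
        mode = "ad-hoc" if info["ibss"] else "infrastructure"
        print(f'{info["ssid"]!r} ch{info["channel"]} {mode}:',
              "SUSPECT" if is_suspect_adhoc(info) else "ok")
```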

12
Security Considerations from RFC 3927
  • NOTE: There are certain kinds of local links,
    such as wireless LANs, that provide no physical
    security. Because of the existence of these
    links it would be very unwise for an implementer
    to assume that when a device is communicating
    only on the local link it can dispense with
    normal security precautions. Failure to
    implement appropriate security measures could
    expose users to considerable risks.
  • Ya think?

13
Attack Methodology
  • Attach to the Peer-to-Peer network of the SSID
    Leader.
  • Make sure you have a 169.254.0.0/16 address.
  • Get the victim's IP address (ARP, sniff; if it's
    a Windows box, eventually it will broadcast via
    NetBIOS).
  • Ping it (you might have to set a default route).
  • Choose your poison: nmap, Nessus, dsniff, Cain &
    Abel, Metasploit.
  • Too much work?

14
Faster!
  • Configure a DHCP server on your machine.
  • Lather, rinse, and repeat.
  • Still too much work?

15
Faster, Faster!
  • www.theta44.org/karma
  • Created by Dino and K2
  • KARMA answers all SSID requests by saying, "Yes,
    I am an AP with the SSID you're looking for."
  • Lather, rinse, and repeat.

16
Become the AP/Honeypot!
  • Determine the most popular SSID being queried.
  • Set up a fake AP with that SSID.
  • DHCP server, DNS server, resolve everything to
    your own address.
  • Forward all POP3/IMAP/SMTP traffic to your own
    server and log all userid's/passwords.

17
Defense
  • Disable wifi NIC if not being used.
  • Configure NIC to only use infrastructure mode.
  • WEP on an ad-hoc network is possible.
  • Firewall!!!
  • There will be updates in the next big XP SP to
    prevent auto-advertising of ad-hoc networks.

18
Testing WIDS/WIPS
  • Had the opportunity to test several wireless IDS
    and IPS, including both stand-alone systems and
    functionality integrated into AP's.
  • Typically sensors are deployed throughout an
    organization, scan through 802.11a/b/g and try to
    match signatures (and/or scan the RF) and give the
    option to disrupt unauthorized communications.
  • Uses triangulation to identify location of
    inappropriate activity.

19
WIDS/WIPS cont'd.
  • Expected them to be OK for detecting
    low-hanging fruit (members of the linksys
    community network).
  • Expected them to be susceptible to plenty of
    false positives.
  • Expected them not to report on purely passive
    sniffing.
  • Between a/b/g, there's a lot of area to cover, so
    I didn't expect them to capture all traffic all
    of the time.

20
Building an Attack Kit
  • Plenty of code available (of varying
    compile-ready quality).
  • How many Linux kernels do you want to compile
    today?
  • OpenBSD 3.7 incorporated a TON of 802.11g and USB
    cards (up to v3.9 now).
  • Auditor or the BackTrack CD's (if you're lazy)
  • Gather hardware from around the office (from
    earlier gigs).

21
What did we discover?
  • Still an emerging technology.
  • Generally, a high reliance on SSID's and MAC's.
  • Still dealing (mostly) at the packet-level alert
    stage.
  • Only capturing about 20-40% of specific traffic
    (unless you lock a sensor to a channel).
  • Not consistent at identifying location.
  • Generally poor at aggregating and correlating
    events.
  • Acts as a supplement to your existing
    diagnostics/forensic wireless system.

22
Discoveries
  • One vendor's sensor completely froze after 5
    minutes of a Disassociation storm and didn't
    alert us to this fact (ostensibly because it was
    still pingable by the main server).
  • Plenty of injected traffic doesn't raise a blip
    on many products: broadcast storms of CTS, RTS,
    EAP suite (Failure, Logoff, Req-Failure,
    Resp-Failure), Korek WEP, even garbage.
  • RF disruption silently kills most sensors; RF
    detection should be standard by now!
  • And Bluetooth, too. Soon Zigbee, wifi RFID?

23
WIDS/WIPS Workout Regimen
  • Make a smallish list of SSID's. Be creative.
  • Generate a random number of IP addresses within a
    single subnet.
  • Give your soft AP a vendor-valid yet otherwise
    random MAC address, and a random channel.
  • Fill your local ARP table with vendor-valid but
    otherwise random MAC's for these IP addresses.
  • Enable WEP (WHAT?)
  • Choose a random size of packet.
  • Let loose with a random amount of random UDP/ICMP
    traffic to each IP!
  • Lather, Rinse, Repeat with a new SSID/channel.

24
WIDS/WIPS Workout cont'd.
  • Use an amplifier and highly directional antenna
    and paint the entire building!
  • Determine what % of time a sensor spends on
    scanning/capture versus active disassociation.
  • What is the maximum number of rogue AP's that can
    be disconnected simultaneously?
  • Something's got to give!

25
P stands for Prevention
  • Prevent unauthorized stations from connecting to
    authorized or rogue access points by injecting
    disconnects into the airstream.
  • Basically a tiny, focused DoS against a
    conversation.
  • But you really need to play nice with your
    neighbours; it's getting more congested out
    there. Take care not to knock other people out
    of the air.

26
P Stands for Prevention, cont'd.
  • "Weaknesses in Wireless LAN Session Containment"
    - Joshua Wright, 2005
  • Describes how different WIPS perform containment
    (detection through sequence numbers, signal
    power, disconnect notice, etc.).
  • Some WIPS perform the Deauth/Disassoc only
    against the client (unidirectional).
  • So patch your kernel to ignore these frames.
  • Also, this activity permits external entities to
    fingerprint your WIPS.

27
How to use a rogue AP (if you must) and not get
caught (maybe).
  • Duplicate the characteristics (MAC, SSID,
    channel) of a valid AP on the other side of the
    building, turn down the volume, and get lost in
    the noise of typical network traffic (take
    advantage of operator exhaustion).
  • Change the wired-side MAC address, disable admin
    pages, configure firewall to deny inbound
    traffic.
  • Use a covert channel within bad frames (Butti and
    Veysset).
  • Use a Symbol Spectrum24 AP/card combo with full
    frequency hopping (eBay 5 for 25).
  • YMMV

28
Odds and Ends
  • AP's with built-in IDS functionality and SIP
    phones
  • Wi-Spy

29
Cutting through the Authentication at For-Pay Hot
Spots
  • ICMP Tunneling
  • Tunneling through DNS Queries
  • Caveat: can be tracked by IP address or domain
    name (but only if the WISP is tracking this data
    and is watching for this activity).

30
Wired-Side Rogue AP Detection
  • Low hanging fruit.
  • Port scanning (nmap), SNMP (sdig), OUI lookup.
  • I'm working on a little project to pull this all
    together.
  • Don't hold your breath.
  • I'm juggling a lot of cats.
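The OUI lookup step as an added example (not the speaker's project): it parses constructed `arp -a` output, skips group addresses, and flags hosts whose OUI belongs to a consumer AP vendor for follow-up by port scan or SNMP. The OUI table is a small illustrative subset; populate it from the IEEE registry in practice.

```python
import re

# Constructed `arp -a` output in Windows format (not from the talk); addresses are made up.
ARP_SAMPLE = """
  192.168.1.1           00-14-bf-1a-2b-3c     dynamic
  192.168.1.23          00-0c-29-44-55-66     dynamic
  192.168.1.77          00-13-46-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Illustrative OUI table; load the IEEE MA-L registry for real use. Consumer AP
# vendors are the "low hanging fruit" the OUI lookup is meant to surface.
OUI_VENDORS = {"00:14:BF": "Cisco-Linksys", "00:0F:66": "Cisco-Linksys",
               "00:13:46": "D-Link", "00:0C:29": "VMware"}
CONSUMER_AP_VENDORS = {"Cisco-Linksys", "D-Link"}

ARP_LINE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})")

def normalize_mac(mac: str) -> str:
    """Upper-case, colon-separated form so `arp -a` and `ip neigh` output compare equal."""
    return mac.upper().replace("-", ":")

def parse_arp(text: str) -> list:
    """Return (ip, mac) pairs, skipping group addresses (multicast/broadcast)."""
    entries = []
    for m in ARP_LINE.finditer(text):
        mac = normalize_mac(m.group(2))
        if int(mac[:2], 16) & 1:        # I/G bit set: not a real host
            continue
        entries.append((m.group(1), mac))
    return entries

def vendor_of(mac: str) -> str:
    """First three octets (the OUI) identify the NIC vendor."""
    return OUI_VENDORS.get(normalize_mac(mac)[:8], "unknown")

def find_candidate_aps(text: str) -> list:
    """Hosts whose OUI belongs to a consumer AP vendor: confirm with nmap/SNMP."""
    return [(ip, mac, vendor_of(mac)) for ip, mac in parse_arp(text)
            if vendor_of(mac) in CONSUMER_AP_VENDORS]

if __name__ == "__main__":
    for ip, mac, vendor in find_candidate_aps(ARP_SAMPLE):
        print(f"{ip:<15} {mac}  {vendor}  <- check with port scan / SNMP")
```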

31
eSENTIRE, Inc.
  • Collaborative Threat Management - truly pervasive
    security analysis (not just SNMP, ICMP/ping)
  • Vulnerability and Penetration Analysis
  • Security Incident Response
  • Employee Monitoring
  • Code Security Reviews
  • Bespoke Security Analysis

32
Cisco VPN 3000 Vulnerability
  • About 10h ago, Cisco updated their original VPN
    security advisory with firmware that we have
    verified actually (finally) fixes a problem we
    discovered during a vulnerability assessment and
    reported to them on August 26th.
  • 8 months to the day!
  • Update your VPN concentrator ASAP.

33
Thank you for your time.
  • Eldon Sprickerhoff, CISSP
  • eldons_at_esentire.com
  • 866.579.2200 x111