1 / 232

Hacking 802.11 Wireless

Hacking 802.11 Wireless. Prabhaker Mateti Wright State University. Talk Outline. Wireless LAN Overview Wireless Network Sniffing Wireless Spoofing Wireless Network Probing AP Weaknesses Denial of Service Man-in-the-Middle Attacks War Driving Wireless Security Best Practices Conclusion.

gitano
Download Presentation

Hacking 802.11 Wireless

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hacking 802.11 Wireless Prabhaker Mateti Wright State University

  2. Talk Outline • Wireless LAN Overview • Wireless Network Sniffing • Wireless Spoofing • Wireless Network Probing • AP Weaknesses • Denial of Service • Man-in-the-Middle Attacks • War Driving • Wireless Security Best Practices • Conclusion

  3. Ack • There is nothing new in this talk. It is an overview what has been known for a couple of years. • Several figures borrowed from many sources on the www. • Apologies that I lost track of the original sources.

  4. Wireless LAN Overview

  5. OSI Model Application Presentation Session Transport Network Data Link 802.11 MAC header 802.11b Physical 802.11 PLCP header

  6. Network Layers

  7. IEEE 802.11 • Published in June 1997 • 2.4GHz operating frequency • 1 to 2 Mbps throughput • Can choose between frequency hopping or direct sequence spread modulation

  8. IEEE 802.11b • 1999 • Data Rate: 11 Mbps • Reality: 5 to 7 Mbps • 2.4-Ghz band; runs on 3 channels • shared by cordless phones, microwave ovens, and many Bluetooth products • Only direct sequence modulation is specified • Most widely deployed today

  9. Channels

  10. Physical Layer

  11. The Unlicensed Radio Frequency Spectrum 5.15-5.35 5.725-5.825GHz IEEE 802.11a HiperLAN/2

  12. Channel Plan – 802.11/11b/11g

  13. Channel Spacing (5MHz) 2.462 2.437 2.412 Non-overlapping channels

  14. IEEE 802.11a • Data Rate: 54 Mbps • Reality: 25 to 27 Mbps • Runs on 12 channels • Not backward compatible with 802.11b • Uses Orthogonal Frequency Division Multiplexing (OFDM)

  15. IEEE 802.11g • An extension to 802.11b • Data rate: 54 Mbps • 2.4-Ghz band

  16. IEEE 802.1X • General-purpose port based network access control mechanism for 802 technologies • Authentication is mutual, both the user (not the station) and the AP authenticate to each other. • supplicant - entity that needs to be authenticated before the LAN access is permitted (e.g., station); • authenticator - entity that supports the actual authentication (e.g., the AP); • authentication server - entity that provides the authentication service to the authenticator (usually a RADIUS server).

  17. IEEE 802.1X • Extensible Authentication Protocol (EAP) • Can provide dynamic encryption key exchange, eliminating some of the issues with WEP • Roaming is transparent to the end user • Microsoft includes support in Windows XP

  18. 802.1x Architecture

  19. IEEE 802.11e • Currently under development • Working to improve security issues • Extensions to MAC layer, longer keys, and key management systems • Adds 128-bit AES encryption

  20. Stations and Access Points

  21. 802 .11 Terminology: Station (STA) • Device that contains IEEE 802.11 conformant MAC and PHY interface to the wireless medium, but does not provide access to a distribution system • Most often end-stations available in terminals (work-stations, laptops etc.) • Typically Implemented in a PC-Card

  22. PC-Card Hardware Radio Hardware 802.11 frame format WMAC controller with Station Firmware (WNIC-STA) 802.3 frame format Platform Computer Driver Software (STADr) Ethernet V2.0 / 802.3 frame format Protocol Stack Station Architecture • Ethernet-like driver interface • supports virtually all protocol stacks • Frame translation according to IEEE Std 802.1H • Ethernet Types 8137 (Novell IPX) and 80F3 (AARP) encapsulated via the Bridge Tunnel encapsulation scheme • IEEE 802.3 frames: translated to 802.11 • All other Ethernet Types: encapsulated via the RFC 1042 (Standard for the Transmission of IP Datagrams over IEEE 802 Networks) encapsulation scheme • Maximum Data limited to 1500 octets • Transparent bridging to Ethernet

  23. Terminology: Access-Point (AP) • A transceiver that serves as the center point of a stand-alone wireless network or as the connection point between wireless and wired networks. • Device that contains IEEE 802.11 conformant MAC and PHY interface to the wireless medium, and provide access to a Distribution System for associated stations (i.e., AP is a STA) • Most often infra-structure products that connect to wired backbones • Implemented in a “box” containing a STA PC-Card.

  24. PC-Card Hardware Radio Hardware 802.11 frame format WMAC controller with Access Point Firmware (WNIC-AP) 802.3 frame format Bridge Software Driver Software (APDr) Ethernet V2.0 / 802.3 frame format Kernel Software (APK) Bridge Hardware Ethernet Interface Access-Point (AP) Architecture • Stations select an AP and “associate” with it • APs support • roaming • Power Management • time synchronization functions (beaconing) • Traffic typically flows through AP

  25. Basic Configuration

  26. Infrastructure and Ad Hoc Modes

  27. Terminology: Basic Service Set (BSS) • A set of stations controlled by a single “Coordination Function” (=the logical function that determines when a station can transmit or receive) • Similar to a “cell” in pre IEEE terminology • A BSS may or may not have an AP

  28. Basic Service Set (BSS) BSS

  29. Terminology: Distribution System (DS) • A system to interconnect a set of BSSs • Integrated; A single AP in a standalone network • Wired; Using cable to interconnect the AP • Wireless; Using wireless to interconnect the AP

  30. Terminology: Independent Basic Service Set (IBSS) • A BSS forming a self-contained network in which no access to a Distribution System is available • A BSS without an AP • One of the stations in the IBSS can be configured to “initiate” the network and assume the Coordination Function • Diameter of the cell determined by coverage distance between two wireless stations

  31. Independent Basic Service Set (IBSS) IBSS

  32. Terminology: Extended Service Set (ESS) • A set of one or more BSS interconnected by a Distribution System (DS) • Traffic always flows via AP • Diameter of the cell is double the coverage distance between two wireless stations

  33. ESS: single BSS (with int. DS) BSS

  34. ESS: with wired DS BSS Distribution System BSS

  35. ESS: with wireless DS BSS Distribution System BSS

  36. Terminology: Service Set Identifier (SSID) • “Network name” • Upto 32 octets long • One network (ESS or IBSS) has one SSID • E.g., “WSU Wireless”; defaults: “101” for 3COM and “tsunami” for Cisco

  37. Terminology: Basic Service Set Identifier (BSSID) • “cell identifier” • One BSS has one BSSID • Exactly 6 octets long • BSSID = MAC address of AP

  38. 802.11 Communication • CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) instead of Collision Detection • WLAN adapter cannot send and receive traffic at the same time on the same channel • Hidden Node Problem • Four-Way Handshake

  39. Hidden Node Problem

  40. Four-Way Handshake Source Destination RTS – Request to Send CTS – Clear to Send DATA ACK

  41. Infrastructure operation modes Root Mode Repeater Mode

  42. Frames

  43. Ethernet Packet Structure • 14 byte header • 2 addresses Graphic Source: Network Computing Magazine August 7, 2000

  44. 802.11 Packet Structure • 30 byte header • 4 addresses Graphic Source: Network Computing Magazine August 7, 2000

  45. Ethernet Physical Layer Packet Structure • 8 byte header (Preamble) Graphic Source: Network Computing Magazine August 7, 2000

  46. 802.11 Physical Layer Packet Structure • 24 byte header (PLCP, Physical Layer Convergence Protocol) • Always transferred at 1 Mbps Graphic Source: Network Computing Magazine August 7, 2000

  47. MAC Header format differs per Type: Control Frames (several fields are omitted) Management Frames Data Frames Bytes: 2 2 6 6 6 2 6 0-2312 4 Frame Frame Duration Sequence Addr 1 Addr 2 Addr 3 Addr 4 CRC Body Control ID Control 802.11 MAC Header Bits: 2 2 4 1 1 1 1 1 1 1 1 Protocol To From More Pwr More Type SubType Retry WEP Rsvd Version DS DS Frag Mgt Data Frame Control Field Frame Formats

  48. Bits: 2 2 4 1 1 1 1 1 1 1 1 Protocol To From More Pwr More Type SubType Retry WEP Rsvd Version DS DS Frag Mgt Data Frame Control Field To DS From DS Address 1 Address 2 Address 3 Address 4 0 0 DA SA BSSID N/A 0 1 DA BSSID SA N/A 1 0 BSSID SA DA N/A 1 1 RA TA DA SA Address Field Description Addr. 1 = All stations filter on this address. Addr. 2 = Transmitter Address (TA), Identifies transmitter to address the ACK frame to. Addr. 3 = Dependent on To and From DS bits. Addr. 4 = Only needed to identify the original source of WDS (Wireless Distribution System) frames

  49. Bits: 2 2 4 1 1 1 1 1 1 1 1 Protocol To From More Pwr More Type SubType Retry WEP Rsvd Version DS DS Frag Mgt Data Frame Control Field Type field descriptions Type and subtype identify the function of the frame: • Type=00 Management Frame Beacon (Re)Association Probe (De)Authentication Power Management • Type=01 Control Frame RTS/CTS ACK • Type=10 Data Frame

  50. Management Frames • Beacon • Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, parameters • Traffic Indication Map • Probe • SSID, Capabilities, Supported Rates • Probe Response • Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, parameters • same for Beacon except for TIM

More Related