200 likes | 276 Views
Misbehaving with 802.11. Will Stockwell bigwill@mit.edu. Topics. Snake oil access control MAC layers lacks per frame authentication The spoofing problems which result 802.1X issues related to spoofing WEP (dead horse, I’ll discuss it briefly) Attacks against these schemes Recommendations
E N D
Misbehaving with 802.11 Will Stockwell bigwill@mit.edu
Topics • Snake oil access control • MAC layers lacks per frame authentication • The spoofing problems which result • 802.1X issues related to spoofing • WEP (dead horse, I’ll discuss it briefly) • Attacks against these schemes • Recommendations • Wireless tools you can mess with
Terminology • SSID – Service Set ID • A text string used to identify sets of APs • Spoofing • Illegitimate generation of network traffic • Fake packets all together • Insert traffic into a stream • WEP – Wired Equivalent Privacy • Broken 802.11 encryption scheme • Should be “What on Earth does this Protect?”
Terminology (continued) • Access point • Device serving as wireless-to-wired bridge • Association request • Wireless stations ‘associate’ with an AP • Follows rudimentary authentication procedure • Per Frame Authentication • Every Frame authenticity information • Should be used with initial auth. exchange
Ted’s Hacker TED’S HACKER
Auth. in the 802.11 MAC Layer • Two types • Open System • No authentication • Gratuitous access • Shared Key • Uses WEP – broken scheme (Returning to this later) • Key distribution and usage issues • No per frame auth. • frame spoofing is easy (more later) • If a authentication scheme is to be effective, it needs to be per frame • No AP auth. – allows impersonation of APs • MAC layer does leave room for other auth. schemes • None presently implemented • New schemes which conform to standard still can’t be per frame • Per frame authentication
Other Forms of Access Control • SSID hiding (complete snake oil) • SSID often beaconed by APs • APs can be configured to stop beaconing • MAC address filtering (snake oil) • DHCP servers • AP ACLs • 802.1X (spoofing issues) • Takes places following MAC layer auth. and assoc. to AP • Controls access only to world beyond AP via EAP • Does allow for more robust authentication (Kerberos, others) • Doesn’t solve per packet auth. problem • No clients for all OS’s which all use the same auth. scheme
WEP, the “Sweet & Low” of 802.11(dead horse, moving quickly) • Passive listening • Numerous documented attacks • Attacks widely implemented • Key can be recovered at worst in a few hours of passive listening • Only encrypts data frames • Management, control frames sent in the clear • We can still spoof these frame types without a key • Key management issues • If key changes all devices must change it at the very same time, so short key periods won’t help much • Employee leaves with key in hand • Broken anyway! Why are you considering this option?
Circumvention:The Easy, the Challenging and the Not-So-Impossible
Sniffing the SSID - easy Sniff, sniff, sniff… Mischievous Station Running NetStumbler or similar Regular User Station being innocent AP w/ SSID ‘Paris’ Assoc. Request (…, SSID ‘Paris’, …)
Beating MAC Address Filters - easy • Sniff legitimate MAC Addresses • Wait for a station to leave • Set your MAC to a legitimate address • linux# ifconfig wlan0 hwaddr 00:00:de:ad:be:ef • openbsd# wicontrol wi0 –m b5:db:5d:b5:db:5d • You can now authenticate and associate • MAC filtered by DHCP server? • Sniff addresses and set your IP statically
Cracking WEP – easy, time consuming Sniff, sniff… CRACK! Mischievous Station Running AirSnort or similar Regular User Station being innocent WEP encrypted Data Frames (A1%h8#/?e$! ...) Access Point
Back to the Spoofing Issue • Allow lots of naughty behavior • Station disassociation DoS • Disrupt wireless station’s access • Access point saturation DoS • MAC level limit the number of associated stations to ~2000 • Implementation limits set lower to prevent congestion • Prevent new stations from authenticating to an AP • Hijacking of legitimately authenticated sessions • Man in the middle attacks • Old ARP cache poisoning, DNS spoofing affect 802.11 too • Impersonate AP to a client, tamper with traffic, pass it along
More on Spoofing Frames – challenging, getting easy • Libradiate makes it easy • Alpha stage code • Didn’t work for me, but expect it to work in future • Combine with Libnet to do all sorts of packet naughtiness • Denial of Service (disassoc, AP saturate, others) • no publicly implemented attacks • Libradiate author wrote and tested, but unreleased • Wrote my own disassociator! • 802.1X has its own DoSes (EAP Logoff, Failure)
Disassociating a Wireless Station – easy after implementation! Sniff, sniff… DISASSOC! Mischievous Station running dis2 Disassociate Frame(SANTA’S MAC, AP BSSID, DISASSOC, …) Regular User Station being innocent Access Point General Wireless Traffic (MGMT, CRTL, DATA)
Session Hijacking, MITM – old dogs, new playground • The wireless advantage: easy access to medium! • Hijacking a wireless session • Known network/transport layer attacks – easy w/ implementations • MAC level hijacking – implemented in UMD research, not public • Simple combination of disassociation and MAC spoofing • Can beat 802.1X, if hijacking after EAP Success received by station • MITM • SSH, SSL – easy w/ sshmitm, webmitm (part of the dsniff package) • ARP Poisoning, DNS redirect still work (may need retooling for 802.11 MAC) • Same issues that go along with these attacks on wired medium exist here • AP impersonate MITM – doable, challenging (no public implementation) • Could be detectable w/ knowledge of legitimate BSSIDs • 802.1X MITM – implemented in UMD research, not public • Spoof EAP success to station, pass traffic to network for it
Main Points • Wireless medium is an inherently insecure • The 802.11 MAC poorly compensates • MAC layer needs stronger authentication • Per packet auth. could solve many issues • 802.1X exchange comes too late • Spoofing attacks will become public
Recommendations • The first rule of Fight Club is… • Secure network protocols • SECURE NETWORK PROTOCOLS • wireless only makes attacks against these easier • Snake oil can provide hurdles for the casual • Treat wireless the way you treat remote traffic • High security environments: no wireless allowed • Not satisfied with these answers? Sorry!
Wireless Tools for your Tinkering • Windows • Netstumbler – find APs and their SSIDs • Airopeek – wireless frame sniffer • Linux • Airsnort (and other WEP tools) • Airtraf (Netstumbler-like) • Kismet (Netstumbler-like, WEP capture, other stuff) • *BSD • bsd-airtools (Netstumbler-like tool, WEP cracking) • Kismet
References • http://www.mit.edu/~bigwill/ • My slides • PGP key • 802.11 Wireless Networks: The Definitive Guide, Matthew S. Gast • Good overview of 802.11 in general • MAC layer well-covered • Discussion of the different physical layer standards as well • http://www.cs.umd.edu/~waa/wireless.html • Lots of links • WEP papers • 802.1X information • General 802.11 security information • http://www.packetfactory.net/projects/libradiate • 802.11 frame creation, injection, sniffing library • Works well in conjunction with libnet TCP/IP packet library • Broken in my experience, but big potential for the future