All your Wireless belongs to us

Size: px

Start display at page:

Download "All your Wireless belongs to us"

Beatrix Wilcox
5 years ago
Views:

1 _ (in)security we trust _!! Grenoble INP Ensimag SecurIMAG All your Wireless belongs to us Description: Wifi Security Lecturer: Guillaume Jeanne WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.

2 Presentation : Guillaume Jeanne Parcours : Prepa MP* au lycée Claude-Fauriel (Saint-Etienne, 42) 1A ENSIMAG Why SecurIMAG? (the ultimate question) I've always been fascinated by computer security and how we could divert an object from its normal use. (hacking) Contact : guillaume.jeanne{(_a\.t_)}ensimag.fr 2

3 Outline b WEP - How it works - WEP Security Problems 1/ Reuse the byte sequence 2/ Fluhrer, Mantin and Shamir attack - Demo WPA - Changes - WPA Security Problems 1/ Dictionary attack - Demo 3

4 Reminder of French Law Art «Le fait d accéder ou de se maintenir, frauduleusement, dans tout ou partie d un système de traitement automatisé de données est puni de deux ans d emprisonnement et de euros d amende. Lorsqu il en est résulté soit la suppression ou la modification de données contenues dans le système, soit une altération du fonctionnement de ce système, la peine est de trois ans d emprisonnement et de euros d amende.» 4

5 802.11b, Wired Equivalent Privacy (WEP) : a (1999), b(1999), g(2003), n (2009) Security (1999): Data encryption: Wireless Equivalent Privacy WEP Authentication: o Shared Key Authentication SKA (WEP is used during authentication) o Open System Authentication (no authentication occurs) Beginning: 40bits keys (U.S. law), WEP2 : 104bits Severely criticized for its lack of security 5

6 WEP, How it works? Emission Message M (unencrypted) M Control Function : CRC32 (to check integrity) M CRC(M) RC4 Encryption : IV (Initialization vector) (24 bits) + WEP key (104 bits) RC4( )= IV WEP Key RC4(Seed) 6

7 WEP, How it works? Emission RC4(Seed) M CRC(M) = IV (24 bits) encrypted message C 7

8 WEP, How it works? Reception exactly the same thing! retrieves the IV, concatenates it with wep key, encrypt with RC4, xor with the encrypted message. calculates the checksum and check it. RC4( IV WEP Key ) = RC4(Seed) encrypted message C = M 8

9 Shared Key Authentication SKA Four Way Handshake using the WEP password (secret key) 9

10 Outline b WEP - How it works - WEP Security Problems 1/ Reuse the byte sequence 2/ Fluhrer, Mantin and Shamir attack - Demo WPA - Changes - WPA Security Problems 1/ dictionary attack - Demo 10

11 WEP, Security problems 1/ Reuse the byte sequence 1/ Reuse the byte sequence Principle: A = M1 RC4(Seed) B = M2 RC4(Seed) A B = M1 RC4(Seed) M2 RC4(Seed) = M1 M2 If you know M1, you can deduce M2 : (and vice versa) M2 = M1 M2 M1 11

12 WEP, Security problems 1/ Reuse the byte sequence Question : how to know M1? easy; M1 is a internet packet. known structure. social engineering : send an ; contents will be encrypted by the wep key BUT The aim of the IV is to encrypt the packets differently, then the principle explained above will not work except if the same IV is reused! It s easy to detect because IVs are not encrypted. 12

13 WEP, Security problems 1/ Reuse the byte sequence You shall not reuse the same IV! But IVs are only 24 bits so IVs are necessarily reused. There is a 50% chance IV will be reused after 4823 packets! 13

14 Annex : Birthday Paradox Problem : how many people are needed in order that the probability of 2 of them being born on the same day is 1/2? Only 23 Explanations : (this is not a lie! ) (23*22)/2=253 pairs failure rate for each pair : 1-1/365=99,726% (1-1/365)^253=49,9% => 50,1% success 14

Annex : Birthday Paradox table 15 n p(n) 10 11.7% 20 41.1% 23 50.1% 30 70.6% 50 97.0% 57 99.0% 100 99.

15 Annex : Birthday Paradox table 15 n p(n) % % % % % % % % 300 (100 ( ))% 350 (100 ( ))% % (100 ( ))%

16 WEP, Security problems 1/ Reuse the byte sequence Application here ½ (4823 x 4822 ) = pairs failure rate for each pair : 1- ½^24 [1-(½^24)]^ = 50,00% 50% success 4,823s (8Mbit/s, 1ko) 16

17 Outline b WEP - How it works - WEP Security Problems 1/ Reuse the byte sequence 2/ Fluhrer, Mantin and Shamir attack - Demo WPA - Changes - WPA Security Problems 1/ Dictionary attack - Demo 17

18 WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack 2/ Fluhrer, Mantin and Shamir attack The most famous WEP attack. published in a 2001 paper titled Weaknesses in the Key Scheduling Algorithm of RC4 (1) implemented in AirSnort and Aircrack. exploits the weaknesses of the RC4 key generation algorithm and IVs. 18

19 WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack RC4 key generation algorithm Generate two tables S and K of a size of 256 bytes Initialize the table S by the integers from 0 to 255 (state table) Fill-in the table K with the secret key Pseudo-randomly permute the table S using the secret key Pseudo-randomly permute the table S with itself Xor the sequence obtained of the table S with the flow of data 19

20 WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack The attack Some IVs provide information about the secret key via their first byte, these IVs are called low IVs and are of the form (A+3, N-1, X) (3 bytes) where : A is the byte of the key to attack N = 256 because RC4 is modulo 256 X is between 0 and 255 For each byte of the key, there are 256 low IVs. 20

WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack The first byte of a 802.11b packet matches the SNAP header and it is almost always 0xAA.

21 WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack The first byte of a b packet matches the SNAP header and it is almost always 0xAA. output = 0xAA FirstByte Now you can attack, here is the algorithm : (KSA) begin ksa(with int keylength, with byte K[keylength]) for i from 0 to 255 S[i] := i endfor j := 0 for i from 0 to 255 j := (j + S[i] + K[i mod keylength]) mod 256 swap(s[i],s[j]) endfor End 21

22 WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack Explanation: First Key Byte : low IVs (A=0) [3,15,2,1,2,3,4,5] (mod 16) K[] = S[] = KSA : X X X X X X X X X X ) i=0, j=0+0+3=3, S[] = 2) i =1, j=3+1+15=3, S[] = 3) i=2, j=3+2+2=7, S[] = First byte = output j S[i] = = 1 22

23 WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack Second Byte, [4,15,9,1,2,3,4,5] K[] = S[] = X X X X X X X X KSA : 1) j=4, S[]= 2) j=4, S[]= 3) j=15,s[]= 4) j=3, S[]= SecurIMAG - title - author - date Second Byte = = 2

24 WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack but in reality : a 5% chance that the byte is true (for 1 IV) => repeat this for several IVs (X varies) 24

25 WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack Consequences Ability to modify the packets (integrity loss) Ability to authenticate «Solutions» increasing the size of the WEP key (and/or the possible space of the IV) is not enough (B day paradox) we should rely on another kind of cipher (eg: block cipher, see WPA) 25

26 WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack Furthermore Breaking 104 bit WEP in less than 60 seconds (2) In 2007, Erik Tews, Andrei Pychkine, and Ralf-Philipp Weinmann were able to extend Klein's 2005 attack and optimize it for usage against WEP. With the new attack it is possible to recover a 104-bit WEP key with probability 50% using only 40,000 captured packets. 26

27 DEMO 27

28 Outline b WEP - How it works - WEP Security Problems 1/ Reuse the byte sequence 2/ Fluhrer, Mantin and Shamir attack - Demo WPA - Changes - WPA Security Problems 1/ Dictionary attack - Demo 28

29 802.11i, Wi-Fi Protected Access (WPA & WPA2) WPA became available around WPA2 around 2004 Following serious weaknesses researchers had found in the previous system (WEP). Changes: Temporary Key Integrity Protocol (TKIP) o still RC4 but:128 bits key/packet o rekeying mechanism (frequently change, avoiding collisions) o the ICV field is replaced by a MICHAEL integrity check (64 bits) sequence number for each packet (replay protection) AES (block cipher), optionnal in WPA o Mandatory in WPA2 29

WPA, Security problems dictionary attack Dictionary attack test all the words in a dictionary It s the only wpa attack which allows to recover the key existing in

30 WPA, Security problems dictionary attack Dictionary attack test all the words in a dictionary It s the only wpa attack which allows to recover the key existing in aircrack Concretely you should disconnect a station from the network and you then capture the packet it sends to reconnect (Handshake) Then you can launch the attack 30

31 Problem 1 : Storage dictionaries are very heavy to store 5 characters key (uppercase lowercase numbers): 458 Mo 10 characters key : To 63 characters key : 5,25e+99 Po 31

Problem 1 : Solution generate the dictionary on the fly! Crunch (3.2) http://sourceforge.

32 Problem 1 : Solution generate the dictionary on the fly! Crunch (3.2) /pentest/passwords/crunch/./crunch abc[ ]xyz o wordlist.txt Pipe on aircrack 32

33 Problem 2 : Time Dictionary attack is very long Time = O(n²) double the length => time will be squared Question : how to speed up the attack? 33

34 Accelerate the attack ElcomSoft Distributed Password Recovery (3) Support for NVIDIA CUDA cards, ATI Radeon and Tableau TACC1441 hardware accelerators. Allows up to 64 CPUs or CPU cores and up to 32 GPUs per processing node Distributed password recovery over LAN, Internet or both. 34 SecurIMAG - title - author - date

35 Accelerate the attack Application family Microsoft Office 2007 Microsoft Office 2007 Microsoft Office 2010 Microsoft Office XP/2003 Microsoft Office 97/2000 Microsoft Office 97/ SecurIMAG - title - author - date Applications Word, Excel, PowerPoint, Project Extensions.DOCX,.XLSX,.PPTX, Type of recovery password Password types file opening password Access.ACCDB password file opening password Word, Excel, Access, PowerPoint Word, Excel, PowerPoint.DOCX,.XLSX,.PPTX.DOC,.XLS,.PPT password file opening password password "open" password only Word, Excel.DOC,.XLS password "open" password only Word, Excel.DOC,.XLS key "open" password only - guaranteed decryption Hardware Acceleration NVIDIA ATI Tableau NVIDIA ATI Tableau

36 OpenDoc word processing (text) documents.odt,.ott,.sxw,.stw password NVIDIA OpenDoc spreadsheets.ods,.ots,.sxc,.stc password NVIDIA OpenDoc OpenDoc OpenDoc presentations graphics/drawing formulae, mathematical equations.odp,.otp,.sxi,.sti.odg,.otg,.sxd,.std password password NVIDIA NVIDIA.ODF,.SXM password NVIDIA Microsoft Money.MNY password Intuit Quicken 1.QDF password PGP and Open-Key Passwords PGP and Open-Key Passwords PGP zip archives 1.PGP password PGP secret key rings.skr password

37 Adobe Acrobat PDF PDF with 256-bit encryption.pdf password "user" and "owner" password Adobe Acrobat PDF PDF with 128-bit encryption.pdf password "user" and "owner" password Adobe Acrobat PDF PDF with 40-bit encryption.pdf password "user" and "owner" password Adobe Acrobat PDF PDF with 40-bit encryption.pdf key "user" passw ord - guaranteed decryption System Passwords Microsoft Windows NT, 2000, XP, 2003, Vista password logon passwords (LM/NTLM) NVIDIA 2 System Passwords Microsoft Windows password SYSKEY startup passwords System Passwords Microsoft Windows 37 SecurIMAG - title - author - date password DCC (Domain Cached Credentials) passwords NVIDIA 2

38 System Passwords UNIX password users passwords System Passwords Wireless networks Password WPA and WPA2 passwords NVIDIA ATI Tableau iphone/ipo d/ipad backup itunes password NVIDIA ATI Tableau BlackBerry backup BlackBerry Desktop Software (old).ipd,.bbb password AES-NI 3 Mozilla, FireFox, Thunderbird password master passwords BlackBerry backup BlackBerry Desktop Software (6.0+ for Windows, 2.0+ for Mac) password NVIDIA ATI Tableau Apple iwork Pages, Numbers, Keynote.pages,.numbers,.key password password to open 38

39 Performance comparison 10x faster on Nvidia 8800GT than on Core2Duo 3,3Ghz 39

40 But it is relative 5 characters WPA key brut force attack: 1 day and 18 hours vs 16 days and 4 hours 10 characters WPA key brut force attack: days (4251 millennium) a WPA2 key can have 63 characters 40

41 Full CUDA on Backtrack CUDA natively used by Backtrack (and more particularly crunch and aircrack) documentation/backtrack-4-cuda- guide.pdf 41

info/userfiles/file/hak5_rtables_lm_ all_1-7.

42 WPA & WPA2 Conclusion How to improve the attack : Use Rainbow tables here 120Go hash of LanManager of Windows: all_1-7.torrent How to protect yourselves : Use key > 10 characters Use special characters Change the default password 42

43 Annex : Rainbow table 43

44 DEMO 44

45 References (1) attack Jon Erickson Hacking: The Art of Exploitation (2) Breaking 104 bit WEP in less than 60 seconds : l%20message%20falsification%20attack%20on%20wpa.pdf (3) 45

References http://www.offensivesecurity.

46 References

47 Questions? 47

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities Wireless Security Comp Sci 3600 Security Outline 1 2 3 Wired versus wireless Endpoint Access point Figure 24.1 Wireless Networking Components Locations and types of attack Outline 1 2 3 Wired Equivalent