Wi-Fi: a security overview
Pierre Pavlidès
EURECOM - SysSec course
December 15, 2017

Before we start
  Pierre Pavlidès
    @rogdham
    EURECOM student 2011-2012
    Security consultant for 4 years
  Want to work in the industry? Send me your CV!
    Penetration testing
    Forensics
    Reverse engineer
    Python dev
    Paris
    Lyon (I work there!)
    Marseille...

Obligatory XKCD
  https://xkcd.com/416/

Agenda
  1 General
  2 Open Wi-Fi
  3 Adding some security: WEP, WPA
  4 WPA personal
  5 WPA enterprise
  6 Conclusion

Wi-Fi you say?
  Wi-Fi: technology based on IEEE 802.11 standard

  Protocol  Band       Max speed  Date
  802.11a   5GHz       54 Mb/s    1999
  802.11b   2.4GHz     11 Mb/s    1999
  802.11g   2.4GHz     54 Mb/s    2003
  802.11n   2.4/5GHz   600 Mb/s   2009

  Many Wi-Fi adapters today are dual-band

Channels in the 2.4GHz band
  Channels are overlapping
  Some are legally restricted
    Channel 14 only used in Japan
    Channels 12 & 13 are power restricted in the US
    In France: max emission power of 100mW EIRP
  https://www.arcep.fr/index.php?id=9272
  https://en.wikipedia.org/wiki/list_of_wlan_channels

Modes of operation
  Infrastructure mode
    Access point (AP) + stations (STA) = basic service set (BSS)
    APs in the same distribution system (DS) = extended service set (ESS)
    Roaming between APs in the same ESS
    AP relays packets between STAs
  Ad hoc networks
    No AP: peer to peer mode
    STAs communicate directly with each other
  Monitor mode
    Not a wireless mode but a configuration mode of the driver
    Like promiscuous mode for a wired card

Hardware choice
  Things to consider:
    2.4 GHz / 5 GHz / dual-band
    Internal card / USB adapter
    Emission & reception power
    Antenna: omnidirectional / directional
  And for pentesting:
    Full-fledged drivers in Linux
    Limited to some models in the 2.4 GHz band
    Is still a huge issue in the 5 GHz band

Hardware: popular choices for pentesting in 2.4 GHz band
  Alpha Network (26 €)
    Allows going above the legal emission power
  TP-Link TL-WN722N (9 €)
    Since v2, not 100% Linux driver support (yet)

Practice time
  List your Wi-Fi adapters

  $ iwconfig
  lo           no wireless extensions.

  enp1s0       no wireless extensions.

  wlp0s20f0u2  IEEE 802.11  ESSID:off/any
               Mode:Managed  Access Point: Not-Associated  Tx-Power=0 dBm
               Retry short limit:7  RTS thr:off  Fragment thr:off
               Power Management:off

  # airmon-ng
  PHY   Interface    Driver     Chipset
  phy0  wlp0s20f0u2  ath9k_htc  Qualcomm Atheros Communications AR9271 802.11n

  If the predictable network interface names feature is disabled, your Wi-Fi adapter will likely be wlan0, wlan1, etc.

Monitor mode
  # airmon-ng start <interface>
    Lists possibly interfering processes (and offers to kill them)
    Renames the interface, adding mon at the end

  $ iwconfig wlp0s20f0u2mon
  wlp0s20f0u2mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm
                  Retry short limit:7  RTS thr:off  Fragment thr:off
                  Power Management:off

Wi-Fi network scanning
  # airodump-ng <interface>
  Space to pause output
  -c <channel> or for 5 GHz band: -b a
  -N <SSID> or -R <SSID-regex>
  -d <BSSID> (and -m <BSSID-mask>)
  To filter out unassociated STAs: -a

Wi-Fi network scanning
  Top part: APs
    Network: name (ESSID), type (ENC/CIPHER/AUTH), channel (CH)
    AP's MAC (BSSID)
    Signal strength (PWR/RXQ)

Wi-Fi network scanning
  Bottom part: STAs
    Associated with AP: BSSID (if any)
    STA's MAC (STATION)
    Signal strength (PWR)
    How active the STA is (number of frames)

Hidden networks
  Usually, APs broadcast their SSIDs with beacon frames
  Useful since it is required for an STA to associate with an AP
    SSID in the association request frame

Hidden networks: recovering the SSID
  BSSID              PWR  Beacons  ESSID
  11:22:33:44:55:66  -13  42       <length: 0>

  BSSID              STATION            PWR
  11:22:33:44:55:66  77:88:99:aa:bb:cc  -37

  To recover the SSID, wait for a STA to associate
  Speed-up: send disassociation frames
    STA will automatically try to re-associate
    airmon-ng will eavesdrop the association request, extract the SSID and display it

  # aireplay-ng -a 11:22:33:44:55:66 -c 77:88:99:aa:bb:cc -0 1 <interface>

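Why hiding the SSID is not a security control, as an added example that is not part of the original slides: a parser for the SSID element of 802.11 management frames, showing that a beacon with a zero-length SSID is completed by the first association request seen for the same BSSID. The frames are constructed for illustration; the SSID "DatNetwork" and the helper names are assumptions.

```python
# Fixed-parameter length before the tagged elements, per management subtype
FIXED_LEN = {0: 4, 2: 10, 5: 12, 8: 12}
NAMES = {0: "assoc-req", 2: "reassoc-req", 5: "probe-resp", 8: "beacon"}


def parse_ssid(frame: bytes):
    """Return (frame kind, BSSID, SSID) for a management frame; SSID is None when hidden."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in FIXED_LEN:
        raise ValueError("unsupported frame type")
    bssid = frame[16:22].hex(":")            # address 3 of a management frame
    pos = 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):             # walk the tag/length/value elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated element")
        if tag == 0:                         # SSID element
            # Hidden networks send a zero-length SSID or a run of NUL bytes
            hidden = length == 0 or not value.strip(b"\x00")
            return NAMES[subtype], bssid, None if hidden else value.decode("utf-8", "replace")
        pos += 2 + length
    return NAMES[subtype], bssid, None


def learn_ssids(frames):
    """Map each BSSID to its SSID, filling hidden ones from any frame that names the network."""
    seen = {}
    for frame in frames:
        _, bssid, ssid = parse_ssid(frame)
        if ssid is not None or bssid not in seen:
            seen[bssid] = ssid
    return seen


def mgmt_frame(subtype, dst, src, bssid, elements):
    """Build a constructed management frame (zeroed duration, sequence and fixed fields)."""
    header = bytes([subtype << 4, 0, 0, 0]) + dst + src + bssid + bytes(2)
    return header + bytes(FIXED_LEN[subtype]) + elements


# Constructed sample: the AP and STA addresses shown on the slide, with an assumed SSID
AP = bytes.fromhex("112233445566")
STA = bytes.fromhex("778899aabbcc")
RATES = bytes([1, 1, 0x82])                  # supported-rates element following the SSID
BEACON = mgmt_frame(8, b"\xff" * 6, AP, AP, bytes([0, 0]) + RATES)
ASSOC_REQ = mgmt_frame(0, AP, STA, AP, bytes([0, 10]) + b"DatNetwork" + RATES)

if __name__ == "__main__":
    print(parse_ssid(BEACON))
    print(parse_ssid(ASSOC_REQ))
    print(learn_ssids([BEACON, ASSOC_REQ, BEACON]))
```
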
Open Wi-Fi
  No authentication
    Anyone can join the network
  Everything is sent in clear text
    Passive man-in-the-middle (MitM) attack: just set your card in monitor mode

MAC based access control
  Allow association only for clients with Media Access Control (MAC) address in whitelist
  Wait, MAC addresses are sent in cleartext, right?

  BSSID              PWR  Beacons  ESSID
  11:22:33:44:55:66  -13  42       DatNetwork

  BSSID              STATION            PWR
  11:22:33:44:55:66  77:88:99:aa:bb:cc  -37

  Impersonate MAC and get access

  # ip link set dev <interface> address 77:88:99:aa:bb:cc

Captive portals: overview
  Most open Wi-Fi networks are protected with captive portals
    Still no authentication to join the network
    But segregated on different VLAN
  Overview
    You join an open network
    You are on a separated VLAN
    You somehow open your browser on the captive portal (next slide)
    You enter credentials
    You are transparently moved to another VLAN with more access

Captive portals: redirection
  Method 1: MitM all HTTP requests, insert redirection
  Method 2: lying DNS server pointing to captive portal
  How to get the user to browse an HTTP (not HTTPS) page?
    Unusual nowadays thanks to Let's Encrypt, HSTS, etc.
    Browser and OS support
    e.g. Chrome visits http://www.gstatic.com/generate_204
  Issue with method 1: DNS queries not filtered
    Maybe build a simple tunnel through port 53
    Or a DNS tunnel, e.g. with iodine
    Allows attacker to access Internet, not the internal network

Captive portals on open Wi-Fi: no authentication
  Captive portals: access control based on MAC address
  Previous attack still works
    Get MAC of authenticated STA
    Impersonate MAC

  # ip link set dev <interface> address 77:88:99:aa:bb:cc

Captive portals on open Wi-Fi: no encryption
  Open Wi-Fi provides no confidentiality of data
  Maybe the captive portal is in HTTP (and not HTTPS)?
    Passive MitM attack
    Get credentials

Evil Twin attack: active MitM
  Devices will connect to the AP with best reception
  Let's be that AP!
    Broadcasting same SSID
    Relay all data to real AP
    Play with emission power, beacon frames interval, proximity to victim
    Send disassociation frames
  This attack allows for active MitM
    Edit data on the fly
  Create an AP (e.g. with hostapd+dnsmasq), enable IP forwarding

  # sysctl -w net.ipv4.ip_forward=1

Evil Twin attack on captive portal
  We now have access to the network (RealAP sees Attacker's MAC)
    Without modifying any of the relayed data
  But we don't have the credentials (HTTPS)

Evil Twin attack + sslstrip
  # iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
  $ sslstrip -w data.log

  We have the credentials!

Evil Twin attack + sslstrip: iOS auth popup difference

Evil Twin attack: having fun with active MitM
  Getting credentials is quite fun already
  What about changing img's src in all pages?

Open Wi-Fi: conclusion
  No authentication
    Easy to get passive MitM
    Not difficult to get active MitM
  Captive portals
    Still no authentication to join the Wi-Fi network
    Can be bypassed
  Widely deployed
    For guests (corporate world) or customers (hotels, airports...)
    So protect yourself: double-check HTTPS, use VPNs

Wired Equivalent Privacy (WEP)
  Open networks provide no authentication
    Adding authentication afterwards (captive portals) is not enough
  WEP (1997)
    Simple encryption based on RC4
    Shared key: 64 bits or 128 bits
  Since 2001: end of the WEP era
    Main issue: RC4 with key + IV reuse
    Many attacks, now attackers retrieve keys within 1 minute
  Today nobody uses WEP anymore (hopefully)

Wi-Fi Protected Access (WPA)
  WPA1 (2003)
    Created to address WEP issues
    No change in hardware needed: uses the TKIP algorithm (making sure RC4 is used with a different key and IV)
  WPA2 (2004)
    IEEE 802.11i
    Can use TKIP or CCMP (AES-based)
    Also, CCMP backported to WPA1
  Today, no real difference between WPA1 and WPA2
    But prefer CCMP: some attacks on TKIP exist (e.g. PacSec 2008)

WPA flavours
  First phase: getting the master key (MK)
    Exchanges are not secured yet
    Can be PSK (WPA personal) or EAP-based (WPA enterprise)
  Second phase: exchanging other secrets
    Four-way handshake
    Secured thanks to the MK
    Each party proves knowledge of MK (authentication)
  Last phase: using the secrets
    TKIP / CCMP to protect communications

WPA personal (i.e. with PSK)
  Pre-shared key (PSK)
    8 to 63 printable ASCII characters (0x20 to 0x7e)
    MK = PBKDF2(PSK, SSID)
  Overview of the attack:
    Capture a four-way handshake (disassociate STA if needed)
    Run a dictionary-based attack on the PSK used in that handshake

WPA 4-way handshake
  Attack only requires the first 2 frames

WPA 4-way handshake: testing a PSK
  MK = PBKDF2(PSK, SSID)
  PTK = PRF(MK, MAC_AP, MAC_STA, ANonce, SNonce)
  MIC = HMAC_X(PTK[0:15], frame)
    X is MD5 for WPA and SHA1 for WPA2
  In other words, we need:
    PSK to be tested
    SSID
    First two frames of the handshake

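The three formulas above carried through in code, as an added example that is not part of the original slides: it is the check an AP performs on frame 2 of the handshake, and it shows that the SSID acts as a salt for the MK. The PBKDF2 parameters, the PRF label and the EAPOL-Key field offsets come from IEEE 802.11i rather than from the slides; the nonces and the frame are constructed, and the function names are assumptions.

```python
import hashlib
import hmac

SNONCE_OFFSET = 17   # EAPOL header (4) + type (1) + key info (2) + key length (2) + replay (8)
MIC_OFFSET = 81      # SNonce offset + nonce (32) + IV (16) + RSC (8) + key ID (8)


def derive_mk(psk: str, ssid: str) -> bytes:
    """MK = PBKDF2(PSK, SSID): HMAC-SHA1, 4096 iterations, 32 bytes, SSID used as salt."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def derive_ptk(mk: bytes, mac_ap: bytes, mac_sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF(MK, MAC_AP, MAC_STA, ANonce, SNonce); pairs are sorted so both sides agree."""
    data = (min(mac_ap, mac_sta) + max(mac_ap, mac_sta)
            + min(anonce, snonce) + max(anonce, snonce))
    blocks = [hmac.new(mk, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def compute_mic(ptk: bytes, frame: bytes, wpa2: bool = True) -> bytes:
    """MIC = HMAC_X(PTK[0:15], frame), computed over the frame with its MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(ptk[:16], zeroed, digest).digest()[:16]


def build_frame2(ptk: bytes, snonce: bytes) -> bytes:
    """Constructed minimal WPA2 EAPOL-Key frame 2 (no key data), signed like a STA would."""
    body = (b"\x02" + b"\x01\x0a" + bytes(2) + (1).to_bytes(8, "big")
            + snonce + bytes(16 + 8 + 8) + bytes(16) + bytes(2))
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    return frame[:MIC_OFFSET] + compute_mic(ptk, frame) + frame[MIC_OFFSET + 16:]


def frame2_mic_ok(psk, ssid, mac_ap, mac_sta, anonce, frame2) -> bool:
    """AP-side check: does the MIC in frame 2 match the PSK configured for this SSID?"""
    snonce = frame2[SNONCE_OFFSET:SNONCE_OFFSET + 32]
    ptk = derive_ptk(derive_mk(psk, ssid), mac_ap, mac_sta, anonce, snonce)
    return hmac.compare_digest(compute_mic(ptk, frame2), frame2[MIC_OFFSET:MIC_OFFSET + 16])


# Constructed sample values; "password" / "IEEE" is the PSK test vector pair from IEEE 802.11i
MAC_AP = bytes.fromhex("112233445566")
MAC_STA = bytes.fromhex("778899aabbcc")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    mk = derive_mk("password", "IEEE")
    frame2 = build_frame2(derive_ptk(mk, MAC_AP, MAC_STA, ANONCE, SNONCE), SNONCE)
    print("MK:", mk.hex())
    print("same PSK, same SSID :", frame2_mic_ok("password", "IEEE", MAC_AP, MAC_STA, ANONCE, frame2))
    print("same PSK, other SSID:", frame2_mic_ok("password", "IEEF", MAC_AP, MAC_STA, ANONCE, frame2))
```

Because the SSID is the PBKDF2 salt, the same PSK yields an unrelated MK on a network with a different name, so any precomputed MK is only valid for one SSID.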
Cracking WPA 4-way handshake on CPU with aircrack-ng
  $ aircrack-ng -w <dictionary.txt> <capture.cap> [-e <SSID>]

  Test speed on your machine
    Uses all CPU cores

  $ aircrack-ng -S

  Normal results: between 1 000 and 10 000 PSK tested per second

Cracking WPA 4-way handshake on GPU with hashcat
  $ aircrack-ng <capture.cap> -J <capture.hccap>
  $ hashcat -m 2500 <capture.hccap> <dictionary.txt>
  $ hashcat -m 2500 -a3 <capture.hccap> '?d?d?d?d?d?d?d?d'

  Test speed on your machine
    Uses all CPU cores and GPUs depending on installation (OpenCL)

  $ hashcat -m 2500 -b

  GeForce GTX 1080 Ti: 500 000 PSK tested per second
  Expected results for almost any GPU model on hashcat forums

WPA 4-way handshake: cracking speeds
  You buy some good GPU... 1 000 000 PSK tested per second

  PSK length  PSK charset  Duration
  8           0-9          2 min          (min length)
  8           0-9a-f       1h12
  8           a-z          2.5 days
  8           a-z0-9       33 days
  8           a-zA-Z0-9    7 years
  26          0-9A-F       10^17 years    (ISP router)
  63          \x20-\x7e    10^112 years   (max complexity)

WPA PSK: once you have the PSK
  Obviously, you can connect to the network with the PSK
    And then try to attack other hosts, etc.
  It is also possible to decrypt network captures
    Allows seeing the traffic of other STAs
    The 4-way handshake of that STA needs to be in the capture

  $ airdecap-ng -e <ESSID> -p <PSK> <capture.cap>

WPA PSK: conclusion
  PSK cracking
    Create good dictionaries (e.g. Alice1996)
    If the PSK is strong, you will never get it
  Best practices (defender side)
    Use strong PSK
    Change PSK periodically
  Should not be used in enterprise environments
    Needs to be changed every time an employee leaves the company

WPA enterprise
  Many Extensible Authentication Protocols (EAP) can be used with WPA
  The most widely deployed are:
    PEAP/EAP-MSCHAPv2: STA auth with domain credentials
    EAP-TLS: mutual auth via server & client certificates

WPA PEAP/MSCHAPv2
  PEAP: a TLS tunnel is created between STA and RADIUS server
    STA checks certificate of RADIUS server
  Then the EAP-MSCHAPv2 protocol is performed
    Usually with user credentials (domain)
    Sometimes with machine credentials

MSCHAPv2 protocol
  NT = MD4(UserPassword)
  ServerChal is randomly generated by the RADIUS server
  ClientChal is randomly generated by the STA
  ChalHash = SHA1(ClientChal || ServerChal || Username)[0:7]
  ChalResponse = DES_NT[0:6](ChalHash) || DES_NT[7:13](ChalHash) || DES_NT[14:20](ChalHash)
  AuthResponse = Φ(NT, ChalResponse, ChalHash)

MSCHAPv2 and NetNTLMv1
  ChalResponse = DES_NT[0:6](ChalHash) || DES_NT[7:13](ChalHash) || DES_NT[14:20](ChalHash)
  Only third frame is needed
  From an attacker point of view, this is the same as NetNTLMv1
  Naive cracking:
    Compute NT = MD4(UserPass)
    Check if each part of the DES encryption matches the ChalResponse

MSCHAPv2/NetNTLMv1

MSCHAPv2/NetNTLMv1: improving the cracking
  We can recover the last 2 bytes of the NT by pure bruteforce (in seconds)
  Improved cracking:
    Compute NT = MD4(UserPass)
    If last 2 bytes of NT don't match, abort
    Check if each part of the DES encryption matches the ChalResponse
  We get almost same speed as NT cracking as a result

  $ john --format=nt --test=10
  Raw: 43096K c/s real
  $ john --format=netntlm --test=10
  Only one salt: 41776K c/s real

Evil Twin attack WPA PEAP/EAP-MSCHAPv2
  Overview of the attack:
    Evil Twin access point with custom certificate
    Wait for STA to associate with it (send disassociation frames if needed)
    Capture MSCHAPv2 exchanges
    Crack MSCHAPv2
  Use a patched version of hostapd: hostapd-wpe or hostapd-mana

  STA 77:88:99:aa:bb:cc IEEE 802.11: associated (aid 1)
  CTRL-EVENT-EAP-STARTED 77:88:99:aa:bb:cc
  CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
  CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25

  mschapv2:
    username: angelcorp\alice
    challenge: f6:83:a7:b7:5c:ae:c3:fa
    response: 3a:39:bb:55:7e:06:29:f3:6c:d6:df:c0:7f:4f:b0:9d:53:54:26:29:3e:a8:c3:13
    jtr NETNTLM: angelcorp\alice:$NETNTLM$f683a7b75caec3fa$3a...

  STA 77:88:99:aa:bb:cc IEEE 802.11: disassociated

Evil Twin attack WPA PEAP/EAP-MSCHAPv2
  What if the STA checks the CA of the RADIUS server?
    Needs to be enabled
    Some configurations prompt the user (with an obscure error message)

  STA 77:88:99:aa:bb:cc IEEE 802.11: associated (aid 1)
  CTRL-EVENT-EAP-STARTED 77:88:99:aa:bb:cc
  CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
  CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
  SSL: SSL3 alert: read (remote end reported an error):fatal:unknown CA
  OpenSSL: openssl_handshake - SSL_connect error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
  CTRL-EVENT-EAP-FAILURE 77:88:99:aa:bb:cc
  STA 77:88:99:aa:bb:cc IEEE 802.1X: authentication failed - EAP type: 0 (unknown)

MSCHAPv2/NetNTLMv1: cracking speed
  GTX 1080 Ti: 30.8 GH/s, that's 3·10^10 tests per second
  (remember WPA PSK: 5·10^5 tests per second)

  Password length  Password charset  Duration
  14               0-9               54min
  12               0-9a-f            2h33
  10               a-z               1h17
  9                a-z0-9            55min
  8                a-zA-Z0-9         1h59
  8                \x20-\x7e         2 days 17h

MSCHAPv2/NetNTLMv1: exhaustive search
  However, it is possible to recover the full NT by exhaustive search
    Interesting watch: https://www.youtube.com/watch?v=siidzpntdcm
  Using crack.sh
    Cost: 20$ or 200$ to get NT within 26h!
    Issue (for white hats): giving the hash to a third party

Having the NT is enough
  With crack.sh, we only have the NT
  However, thanks to the pass-the-hash feature of Windows, it is enough:
    To authenticate on the Wi-Fi
    To access shares
    To open sessions
  Use the exploit/windows/smb/psexec_psh module in Metasploit

WPA PEAP/EAP-MSCHAPv2: conclusion
  EAP-MSCHAPv2 protected by PEAP (TLS)
    Evil Twin attack with own (invalid) certificate
  MSCHAPv2 challenge-response cracking
    Very fast on CPU/GPU
    Or just use crack.sh to get the NT
  If successful, attacker has more than just access to the network
    User credentials give access to resources
  Best practices (defender side)
    Force the STA to check the certificate of the RADIUS server
    Use EAP-TLS instead: each STA has its own client certificate
    In both cases: use GPOs and mobile device management (MDM)

Conclusion
  Attacks on the 3 main types of Wi-Fi networks:
    Open
      Easy to get passive/active MitM
      Attacks on captive portals
    WPA PSK
      Dictionary attack on 4-way handshake
      Will not work for robust PSK
      Allows accessing the network and decrypting traffic
    WPA PEAP/EAP-MSCHAPv2
      Evil Twin attack to get MSCHAPv2 challenge-response
      Will not work if certificate is properly checked
      Dictionary attack or bruteforce NT
      Allows accessing the network, and usually more
  But still many topics not covered...

Going the extra mile
  Captive portals
    Why does HSTS protect against sslstrip?
    What is sslstrip+/sslstrip2 doing against HSTS, is it effective?
  WEP
  WPA PSK
    Precomputed tables, why are they specific to some SSID?
    WPS (Wi-Fi Protected Setup): bruteforce PIN, AP protections, null PIN attack (August 2017)
    Vulnerable home routers where PSK can be found from SSID/BSSID (e.g. old Bbox)
  WPA Enterprise
    Understand differences between various types of EAP available
  KRACK attack (October 2017) on all WPA flavours
    What does it do exactly?
    There will probably be a public PoC at some point, look into it

Thank you!
  Feel free to contact me
    I'll be around this afternoon
    Or just send me an email!
  Q&A