Wireless Security

Michael Sansone & Michael Marcucci

1. WEP
2. WPA
• WPA-TKIP/AES-Enterprise
3. WPS
4. Mac filtering
5. Cloaking the AP
6. Admin page
7. Rogue AP
8. WIPS and WIDS
9. Adhoc attacks

WEP

• Depreciated wireless technology that uses a password to encrypt the wireless data and ensure that data sent across the air is secure and is also responsible for user authentication to the access point.
• WEP cracking works on based on WEP vulnerabilities
• Initially the password was used to create the keystream, by repetition, (ie. password="pass1" keystream="pass1pass1pass1...") and the keystream was combined with the plain text (this was bad, knowing a packet meant knowing the password)
• Later, IV's were introduced and used in tandem with the key to encrypt the data
• PROBLEM: IV's were predictable (psuedo-random) and the 24bit length of an IV meant wrapping would occur.
• Methods to crack WEP involve sending the an arp packet to a router which in turn sends a response back with an incremented IV, eventually all IV's would be captured and wrapping occurs. Once enough packets are captured and the IVs wrap a few more times, the packets can be aligned and the IV's subtract from the encryption exposing the keystream with just the password.
• Encryption:

WPA

• Originally, cracking the preshared key involved waiting for client to connect and listening to the four way handshake that occurs.
• WPA uses a public and private key combo
• Via the four-way handshake the public key can be acquired
• This allows for offline cracking by guessing the password, however brute forcing (96^64 combos) takes forever.
• HOWEVER:
• WPA-TKIP-PSK is vulnerable to the Beck-Tew Attack
• Which easily allows ARP poisoning or DNS spoofing
• This uses the same vulnerability as WEP, which is that WPA also allows keystream reuse. (However, there is a limit imposed, which is 1 minute intervals).
• The key stream is captured by sending a spoofed ARP packet and looking for responses, ie. good response 68 bytes, bad response 40 bytes.
• Once the keystream is found, 7-15 packets can be sent and accepted.
• WPA-AES is the new standard and must be brute forced or cracked with a dictionary
• Difference between WPA & WPA2, WPA2 simply does not allow TKIP and forces AES


• The demo, showed how easy it is to capture a handshake, either by waiting passively for a connection, or sending a de-authentication packet to a client and waiting for the to reconnect, often done automatically.
• However, having a secure password mitigates any chance of guesses occurring, also changing your password forces the handshake to become invalid.

WPA-TKIP/AES-Enterprise

• Uses a username and password
• The authentication is performed with a RADIUS server
• Vulnerability
  • When it was first implemented the default configuration was such that it would not validate the server certificate, although the options were available.
  • Or if an external certificate from a signing authority was used that could be spoofed
  • Therefore, a fake RADIUS server can be setup with fake AP, which accepts all users and steals their login info.
  The fix, is now the default but
  • Ensure certificates are signed
  • The RADIUS server is specified
  • Sign it using a private authority, if possible
  • 

WPS

• Wifi protected setups(WPS) use an 8 digit number to allow connections, (WPS pins do not change)
• 10^8 possibilities (~600 days to guess if limited to 1 guess a second)
• HOWEVER:
• Due to the implementation of WPS last digit is a checksum => 10^7 possibilities
• Final Flaw, the first and last 4 digits are independently authenticated, therefore the first four digits (10^4) possibilities would take 2.h and the final 3 (10^3) would take 16 min
• So bruteforcing all possible combos of WPS would take ~3h
• Also, some manufacturers use bad algorithms to initialize WPS
• An attacker only has to figure out some meta information about the AP and preform some calculations to get the WPS pin


• The Demo showed how easy it is to attack WPS setups, it is hard to guess at 1 pin/second, but even at 5 seconds per pin, statistically a pin could be guessed in under 8 hours.
• Furthermore, it is not just that the pin is captured, the WPA password is returned as well. Either the pin or the password can then be used to connect.

Mac Address Filtering

• Router configuration, whereby the mac address assigned to each network card is used to determine who has access to a network
• WHY its bad:
• Foiled by macchanger
• Gives false sense of security
• (Personally) Annoying to add new devices

AP Cloaking

• Hiding SSID (Network Name)
• It works by disabling the sending of beacons so the AP cannot be discovered
• However , this is just one way that the SSID is sent over the air and this gives a false sense of security


• Various tools can be used to find the SSID
• Kismet can be used passively, wait for a client to connect
• Netstumbler or inSSIDer can be used to disassociate a client and force them to reconnect
• The demo showed how easy it was to do this, a packet capturing utility is used to watch the network, and all we had to do was wait for a client to connect or force a client to disconnect (automatically tries to reconnect).

Admin Page

• There are so many routers and admin pages and they cant all be safe
• BEST PRACTICE : Turn off admin access from WAN
• User other secure means of access: SSH, VNC

Rogue AP

• 3 types: Friendly, Evil, Evil-Twin
• A Friendly Rogue AP is one that an employee may setup in a workplace. If connected to your network this access point will become the weak point in your security.


• An Evil AP is one that tries to attract victims to connect to it.
• Often by Honeypotting, attracting victims (FreeWifi)
• Or sending de-authentication packets (Think other wifi is broken)
• being more powerful than the real AP


• An Evil-Twin AP is one that mimics an existing access point's SSID (network name).
• Sending de-authentication packets
• As a client will connect to stronger signals being a more powerful than the real AP or closer


• Attackers are then able to perform man in the middle attacks, or monitor data
• Mitigation :
• Only connect to trusted APs / ensure they have the same MAC
• Use HTTPS whenever possible
• Or in an enterprise environment install systems to sniff out rogue APs, WIDS
• ASSIDE: ARP Man in the middle attacks:
• Make sure a user is trusted as any person connected can perform a man in the middle attack
• TO FIX : Try to setup the network so that clients cannot talk to each other

WIPS and WIDS

• Wireless Intrusion Prevention/Detection Systems
• WIDS and WIPS systems utilize sensors
• Detect for unauthorized AP, rogue APs, or wireless attacks
• In many enterprise level routers WIDS are now built into the router
• Routers' macaddresses or signatures can be checked against a central db


• WIPS (depreciated) can be used in WEP systems to prevent password cracking by sending "chaff" which mimics/spoofs the APs packet but uses a different password/keystream
• This is also called cloaking an AP
• This works to confuse password cracking programs
• Why depreciated: A. WEP is easy to crack & slow. B. Tools like airdecloak-ng can be used to remove most of the chaff. ~80%

Adhoc Attacks

• Laptops not connected to AP's are still susceptible to intrusion
• A packet can be crafted such that it would cause the card to run commands or code.
• This has been proven, but it is not mainstream.
• Vulnerability : Bad Drivers / Hardware
• Same premise as the Nike Bluetooth band from other presentation
• To Prevent : Update Drivers and turn off wireless radio when not using it