Misbehaving with 802.11

1
Misbehaving with 802.11

• Will Stockwell
• bigwill_at_mit.edu

2
Topics

• Snake oil access control
• MAC layers lacks per frame authentication
• The spoofing problems which result
• 802.1X issues related to spoofing
• WEP (dead horse, Ill discuss it briefly)
• Attacks against these schemes
• Recommendations
• Wireless tools you can mess with

3
Terminology

• SSID Service Set ID
• A text string used to identify sets of APs
• Spoofing
• Illegitimate generation of network traffic
• Fake packets all together
• Insert traffic into a stream
• WEP Wired Equivalent Privacy
• Broken 802.11 encryption scheme
• Should be What on Earth does this Protect?

4
Terminology (continued)

• Access point
• Device serving as wireless-to-wired bridge
• Association request
• Wireless stations associate with an AP
• Follows rudimentary authentication procedure
• Per Frame Authentication
• Every Frame authenticity information
• Should be used with initial auth. exchange

5
Teds Hacker
6
Auth. in the 802.11 MAC Layer

• Two types
• Open System
• No authentication
• Gratuitous access
• Shared Key
• Uses WEP broken scheme (Returning to this
  later)
• Key distribution and usage issues
• No per frame auth.
• frame spoofing is easy (more later)
• If a authentication scheme is to be effective, it
  needs to be per frame
• No AP auth. allows impersonation of APs
• MAC layer does leave room for other auth. schemes
• None presently implemented
• New schemes which conform to standard still cant
  be per frame
• Per frame authentication

7
Other Forms of Access Control

• SSID hiding (complete snake oil)
• SSID often beaconed by APs
• APs can be configured to stop beaconing
• MAC address filtering (snake oil)
• DHCP servers
• AP ACLs
• 802.1X (spoofing issues)
• Takes places following MAC layer auth. and assoc.
  to AP
• Controls access only to world beyond AP via EAP
• Does allow for more robust authentication
  (Kerberos, others)
• Doesnt solve per packet auth. problem
• No clients for all OSs which all use the same
  auth. scheme

8
WEP, the Sweet Low of 802.11(dead horse,
moving quickly)

• Passive listening
• Numerous documented attacks
• Attacks widely implemented
• Key can be recovered at worst in a few hours of
  passive listening
• Only encrypts data frames
• Management, control frames sent in the clear
• We can still spoof these frame types without a
  key
• Key management issues
• If key changes all devices must change it at the
  very same time, so short key periods wont help
  much
• Employee leaves with key in hand
• Broken anyway! Why are you considering this
  option?

9
CircumventionThe Easy, the Challenging and the
Not-So-Impossible
10
Sniffing the SSID - easy
Sniff, sniff, sniff
Mischievous Station Running NetStumbler or
similar
Regular User Station being innocent
AP w/ SSID Paris
Assoc. Request (, SSID Paris, )
11
Beating MAC Address Filters - easy

• Sniff legitimate MAC Addresses
• Wait for a station to leave
• Set your MAC to a legitimate address
• linux ifconfig wlan0 hwaddr 0000deadbeef
• openbsd wicontrol wi0 m b5db5db5db5d
• You can now authenticate and associate
• MAC filtered by DHCP server?
• Sniff addresses and set your IP statically

12
Cracking WEP easy, time consuming
Sniff, sniff CRACK!
Mischievous Station Running AirSnort or similar
Regular User Station being innocent
WEP encrypted Data Frames (A1h8/?e! ...)
Access Point
13
Back to the Spoofing Issue

• Allow lots of naughty behavior
• Station disassociation DoS
• Disrupt wireless stations access
• Access point saturation DoS
• MAC level limit the number of associated stations
  to 2000
• Implementation limits set lower to prevent
  congestion
• Prevent new stations from authenticating to an AP
• Hijacking of legitimately authenticated sessions
• Man in the middle attacks
• Old ARP cache poisoning, DNS spoofing affect
  802.11 too
• Impersonate AP to a client, tamper with traffic,
  pass it along

14
More on Spoofing Frames challenging, getting
easy

• Libradiate makes it easy
• Alpha stage code
• Didnt work for me, but expect it to work in
  future
• Combine with Libnet to do all sorts of packet
  naughtiness
• Denial of Service (disassoc, AP saturate, others)
• no publicly implemented attacks
• Libradiate author wrote and tested, but
  unreleased
• Wrote my own disassociator!
• 802.1X has its own DoSes (EAP Logoff, Failure)

15
Disassociating a Wireless Station easy after
implementation!
Sniff, sniff DISASSOC!
Mischievous Station running dis2
Disassociate Frame(SANTAS MAC, AP BSSID,
DISASSOC, )
Regular User Station being innocent
Access Point
General Wireless Traffic (MGMT, CRTL, DATA)
16
Session Hijacking, MITM old dogs, new playground

• The wireless advantage easy access to medium!
• Hijacking a wireless session
• Known network/transport layer attacks easy w/
  implementations
• MAC level hijacking implemented in UMD
  research, not public
• Simple combination of disassociation and MAC
  spoofing
• Can beat 802.1X, if hijacking after EAP Success
  received by station
• MITM
• SSH, SSL easy w/ sshmitm, webmitm (part of the
  dsniff package)
• ARP Poisoning, DNS redirect still work (may need
  retooling for 802.11 MAC)
• Same issues that go along with these attacks on
  wired medium exist here
• AP impersonate MITM doable, challenging (no
  public implementation)
• Could be detectable w/ knowledge of legitimate
  BSSIDs
• 802.1X MITM implemented in UMD research, not
  public
• Spoof EAP success to station, pass traffic to
  network for it

17
Main Points

• Wireless medium is an inherently insecure
• The 802.11 MAC poorly compensates
• MAC layer needs stronger authentication
• Per packet auth. could solve many issues
• 802.1X exchange comes too late
• Spoofing attacks will become public

18
Recommendations

• The first rule of Fight Club is
• Secure network protocols
• SECURE NETWORK PROTOCOLS
• wireless only makes attacks against these easier
• Snake oil can provide hurdles for the casual
• Treat wireless the way you treat remote traffic
• High security environments no wireless allowed
• Not satisfied with these answers? Sorry!

19
Wireless Tools for your Tinkering

• Windows
• Netstumbler find APs and their SSIDs
• Airopeek wireless frame sniffer
• Linux
• Airsnort (and other WEP tools)
• Airtraf (Netstumbler-like)
• Kismet (Netstumbler-like, WEP capture, other
  stuff)
• BSD
• bsd-airtools (Netstumbler-like tool, WEP
  cracking)
• Kismet

20
References

• http//www.mit.edu/bigwill/
• My slides
• PGP key
• 802.11 Wireless Networks The Definitive Guide,
  Matthew S. Gast
• Good overview of 802.11 in general
• MAC layer well-covered
• Discussion of the different physical layer
  standards as well
• http//www.cs.umd.edu/waa/wireless.html
• Lots of links
• WEP papers
• 802.1X information
• General 802.11 security information
• http//www.packetfactory.net/projects/libradiate
• 802.11 frame creation, injection, sniffing
  library
• Works well in conjunction with libnet TCP/IP
  packet library
• Broken in my experience, but big potential for
  the future