Wireless LAN Pen-Testing Part I To know your Enemy, you must become your Enemy (Sun Tzu, 600 BC) Georg Penn 23.03.2012
Motivation Read manuals, documentation and standards. Check your sources for reliability, though! Tools are there to assist you, not to cripple your thinking. The only limit is your imagination? Better: don't be limited by your imagination. Creativity, curiosity and patience are as important as knowledge. Practice on a regular basis (at least 5 hrs/week).
Presentation Conventions Terminal commands will be mono-space blue: echo foo > bar Unless stated otherwise We will use wlan0 as the name of the original and mon0 as the monitor-mode interface The target Access Point will be called WirelessLab and be configured to Channel 11
Why WLAN Security? Integrated in lots of devices: laptops, mobile phones, embedded devices... Connects to the Internet. How do you protect something you cannot see? Extends beyond boundary walls. Difficult to locate the attacker. Passive attacks can be done from miles away.
WLAN Security Setup Wireless Card: ALFA AWUS036H (USB) Allows for packet sniffing Allows for packet injection Well integrated into Backtrack 5 Not too expensive (check out Amazon) Tools: Mainly Aircrack-ng suite, Wireshark and some others OS: Backtrack 5 as all tools are already installed on Backtrack 5
Wireless Sniffing Basics Wireless sniffing concepts are similar to the ones in the wired world. In the wired world we have promiscuous mode; in the wireless world we have a concept called monitor mode (the card passes up every 802.11 frame it hears, including management and control frames, without being associated to any network). We can use Airmon-ng to put our card into monitor mode, e.g.: airmon-ng start wlan0
Lab-1.1: Simple Sniffing Check if other processes (e.g. dhclient3, NetworkManager, wpa_supplicant, etc.) interfere with Airmon-ng: airmon-ng check (and airmon-ng check kill to stop them). Put the card into monitor mode (e.g. on wlan0); we actually create a separate monitor-mode interface: airmon-ng start wlan0 Start Wireshark on the monitor-mode interface created by Airmon-ng (e.g. mon0) to sniff traffic.
Basic Service Set (BSS) A set of stations associated with a local or enterprise Wireless LAN Station (STA): Any device that contains an IEEE 802.11-conformant medium access control (MAC) and physical layer (PHY) interface to the wireless medium (WM) BSS come in two flavors Independent BSS (IBSS) Infrastructure BSS (never called an IBSS)
Basic Service Set (cont'd) IBSS is also referred to as an ad-hoc-network We are only dealing with Infrastructure BSS
BSSID Identifies different wireless LANs in the same area In infrastructure networks, the BSSID is the MAC address of the Access Point In an IBSS (ad-hoc-network) the BSSID is randomly generated by the STA (client) that creates the network
Distribution System (DS) A system used to interconnect a set of basic service sets (BSSs) and integrated local area networks (LANs) to create an extended service set (ESS)
Extended Service Set (ESS) A set of one or more interconnected BSSs that appears as a single BSS to the logical link control (LLC) layer at any station (STA) associated with one of those BSSs
Frequency Ranges Wireless can operate in 3 different frequency ranges: 2.4 GHz 802.11b/g/n (we will only cover 2.4 GHz), 3.6 GHz 802.11y, 4.9/5.0 GHz 802.11a/h/j/n. Each of these ranges is divided into a multitude of channels. Countries apply their own regulations to both the allowable channels and the maximum power levels within these frequency ranges.
2.4 GHz Wireless Channels
Wireless Channels (cont'd) However, wireless cards with a single radio can only be on one channel at a given time!!! Hence we cannot sniff on all channels and bands at the same time. The best we can do is time-division multiplexing (channel hopping), which means a hopping sniffer will miss frames sent on the channels it is not currently tuned to. The bands we can operate on depend on our hardware capability (WiFi card); the ALFA AWUS036H supports 802.11b/g only. Country regulations can be overridden in software, but doing so may be illegal!
Lab-1.2: Channels We can bind the card to a specific channel: iwconfig wlan0 channel 11 (the same works for mon0, or pass the channel when creating the monitor interface: airmon-ng start wlan0 11). Make our card hop channels (this assumes we already have a monitor-mode interface mon0): airodump-ng mon0 By default Airodump-ng hops on the 2.4 GHz channels, but the frequency band can also be set: airodump-ng --band bg mon0 Check the manuals for further options.
Wireless LAN Frames 3 Types of frames: Management (0x00, binary 00), Control (0x01, binary 01), Data (0x02, binary 10). Each of these types also has several defined Subtypes. For more details see the IEEE specification: http://standards.ieee.org/about/get/802/802.11.html
Types And Subtypes
Types And Subtypes (cont'd)
Know Your Access Point (AP) The AP is configured with a Service Set Identifier (SSID) The SSID indicates the identity of an ESS or IBSS (simply put: the name of the AP or of a network consisting of multiple APs) The AP periodically sends out broadcast frames (Beacon Frames) to announce its presence Clients use these frames to show a list of available wireless networks
Beacon Frames (0x08) Are management frames with Type 0x00 and Subtype 0x08. Beacon Frames are used by the AP to broadcast its SSID, to announce its capabilities (e.g. Supported Rates) and to indicate the channel the AP is currently residing on. Beacon Frames are always transmitted in plaintext and carry no authentication. Hence anyone can create and transmit Beacon Frames (the card has to support injection)!
Lab-1.3: Beacon Frames Create a monitor mode interface Use Wireshark to capture traffic on the monitor mode interface Find a Beacon Frame What's the SSID of the AP which sent this frame? What are the capabilities of the AP? Which channel is the AP currently configured to? What else can we find out (poke around)
Probe Request / Response Once we bring up a client's wireless interface it broadcasts Probe Requests to see which APs (networks) are available. A Probe Request with an empty (wildcard) SSID is sometimes called a Null-Probe-Request. The client can also send Probe Requests for a specific SSID (e.g. if the client is configured for this specific AP). Any AP in range replies with a Probe Response which contains e.g. the AP's SSID and channel. Caveat: an AP configured to hide its SSID normally ignores wildcard Probe Requests and only answers Probe Requests that name its SSID.
Authentication Phase (OPN) Once a client connects to an open (not encrypted) AP or network, the Open System authentication process takes place: the client sends an authentication request (SEQ: 1), the AP sends an authentication response (SEQ: 2). As we are dealing with an open network, no key exchange whatsoever is taking place; the AP accepts anyone who asks. After successful authentication the association phase begins.
Association Phase First the client sends an association request in which it tells the AP its capabilities (we will not go into details here), and if the AP is satisfied it sends back an association response. After the successful association phase, data transfer between the client and the AP starts.
Demo-1.1 We create an open authentication based AP SSID: WirelessLab (case sensitive!) Channel 11 Connect a client to it (Smart Phone, Laptop,...) Collect all frames (packets) using Wireshark We make sure our card is on the same channel Analyze the flow and try to confirm our previously made assumptions
Summary
802.11 State Machine
Dissecting the Frame Understanding things at the frame level is essential for advanced topics frames don't lie!
IEEE 802.11 Frame Format Which fields are present depends on Type / Subtype. So an IEEE 802.11 frame at least needs: Frame Control, Duration/ID, Address 1, Frame Check Sequence (CRC).
Frame Control
Frame Control - Protocol Version Protocol Version: 2 bits, always 0 at the moment. May change if there is a major revision which is no longer backward compatible.
Frame Control - Type Type 2 Bits Management (Binary 00) Control (Binary 01) Data (Binary 10)
Frame Control - Subtype Subtype: 4 bits. The Subtype could be something like Beacon, Probe Response, Request to Send (RTS), etc. Beacon Frame: binary 1000 = 0x08. Refer to the IEEE standard for details.
Frame Control - To / From DS

To DS  From DS  Meaning
0      0        STA to STA in the same IBSS; Management and Control frames, e.g. Beacon Frames
0      1        Exiting the Distribution System (DS), e.g. the AP sends a Data Frame to a wireless client
1      0        Entering the DS, e.g. a wireless client sends a Data Frame to the AP, maybe destined for a host on the Internet
1      1        Used in a Wireless DS (WDS). Allows a wireless network to be expanded using multiple access points without the traditional wired backbone
Frame Control Other 1 Bit Flags More Fragments: Set if more fragments are to come Only applicable to Management and Data Frames Retry: Set if the Frame has been retransmitted Only applicable to Management and Data Frames Helps eliminating duplicates
Frame Control Other 1 Bit Flags Power Management: Set if STA runs in power save mode (PS mode) Always set to 0 in Frames transmitted by the AP More Data: If STA is in PS mode, AP queues up data Set to inform STA that there is data available
Frame Control Other 1 Bit Flags Protected Frame: Set if Frame Body is encrypted Applies to Data Frame and Management Frames of type Authentication Order: Indicates that all received Frames must be processed in order
Demo-1.2 Reading raw frame data is a bit tricky. Wireshark shows us 0x08 as the Type/Subtype of a Beacon, yet the first byte of a Beacon on the wire is 0x80. How does this make sense? The raw byte 0x08 would actually be a Data frame: Bit 1 and Bit 0 indicate the Protocol Version (00), Bit 3 and Bit 2 indicate the Type (10 = Data), Bit 7 to Bit 4 indicate the Subtype (0000 = Data).

Bit indexes:   7 6 5 4 3 2 1 0
Binary value:  0 0 0 0 1 0 0 0
Hex value:     0       8

The 0x08 Wireshark displays is the Type written first and the Subtype second (Type 0, Subtype 8); on the wire the Subtype sits in the high nibble and the Type in the low nibble, so the same Beacon is byte 0x80.
Challenge-1.1 Frame Control

    80 10 00 00 ff ff ff ff ff ff f4 6d 04 a0 cc b1
    f4 6d 04 a0 cc b1 50 18 83 e1 f8 5b 6b 00 00 00
    64 00 01 04 00 0b 57 69 72 65 6c 65 73 73 4c 61
    62 01 08 82 84 8b 96 24 30 48 6c 03 01 0b 05 04
    00 01 00 00 2a 01 00 2f 01 00 32 04 0c 12 18 60
    dd 09 00 10 18 02 00 f0 00 00 00 7c cd f1 8e

What kind of Frame is it (Type / Subtype)? And where is the catch?
Challenge-1.1 Solution We are only interested in the first 2 bytes: 0x80 0x10. Let's look at 0x80 in binary:

Bit indexes:  7 6 5 4 3 2 1 0
Value:        1 0 0 0 0 0 0 0
              ^^^^^^^ ^^^ ^^^
              Subtype Type Protocol Version
              1000    00   00
              (0x08   (Management)
              Beacon)

Beacon Frames are sent by the AP only!
Challenge-1.1 Solution (cont'd) Let's look at 0x10 in binary (0001 0000):

Bit  Flag              Value
0    To DS             0
1    From DS           0
2    More Fragments    0
3    Retry             0
4    Power Management  1
5    More Data         0
6    Protected Frame   0
7    Order             0

Oops: the Power Management flag is always 0 in frames sent by an AP! A Beacon with this bit set was not built by a real AP.
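The whole of Challenge-1.1, dissected in code. This is an added example and not part of the original slides: it takes the 95 challenge bytes exactly as printed (radiotap header already stripped, the 4-byte FCS still attached), splits the Frame Control field bit by bit as on the previous slides, walks the Beacon's fixed fields and tagged parameters (SSID, DS Parameter Set, rates), recomputes the FCS as a CRC-32 over header and body, and flags the things a genuine AP never does in a Beacon, including the Power Management bit that is the catch of the challenge. Names such as dissect_beacon and the anomaly strings are this example's own choices; no capture library is needed.

```python
import struct
import zlib

# Constructed input: the 95-byte frame from Challenge-1.1 as it sits in a
# monitor-mode capture (radiotap header removed, 4-byte FCS still attached).
CHALLENGE_FRAME = bytes.fromhex(
    "80 10 00 00 ff ff ff ff ff ff f4 6d 04 a0 cc b1 f4 6d 04 a0 cc b1 50 18 "
    "83 e1 f8 5b 6b 00 00 00 64 00 01 04 00 0b 57 69 72 65 6c 65 73 73 4c 61 62 "
    "01 08 82 84 8b 96 24 30 48 6c 03 01 0b 05 04 00 01 00 00 2a 01 00 2f 01 00 "
    "32 04 0c 12 18 60 dd 09 00 10 18 02 00 f0 00 00 00 7c cd f1 8e"
)

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
MGMT_SUBTYPES = {0: "Association Request", 1: "Association Response",
                 4: "Probe Request", 5: "Probe Response", 8: "Beacon",
                 10: "Disassociation", 11: "Authentication",
                 12: "Deauthentication"}
# Second Frame Control byte, bit 0 .. bit 7 (see the "Other 1 Bit Flags" slides)
FLAG_NAMES = ["to_ds", "from_ds", "more_frag", "retry",
              "pwr_mgt", "more_data", "protected", "order"]
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame_control(fc):
    """Split the 2-byte Frame Control field into version/type/subtype/flags."""
    b0, b1 = fc[0], fc[1]
    return {
        "version": b0 & 0x03,            # bits 1..0
        "type": (b0 >> 2) & 0x03,        # bits 3..2
        "subtype": (b0 >> 4) & 0x0F,     # bits 7..4
        "flags": {name: bool((b1 >> i) & 1) for i, name in enumerate(FLAG_NAMES)},
    }


def parse_ies(data):
    """Walk the tagged parameters (Element ID, Length, Value) of a frame body."""
    ies, i = [], 0
    while i + 2 <= len(data):
        eid, length = data[i], data[i + 1]
        if i + 2 + length > len(data):   # truncated element: stop, don't guess
            break
        ies.append((eid, data[i + 2:i + 2 + length]))
        i += 2 + length
    return ies


def rates_mbps(raw):
    # bit 7 marks a "basic" rate; the low 7 bits are the rate in 500 kbit/s units
    return [(b & 0x7F) / 2 for b in raw]


def dissect_beacon(frame):
    fc = parse_frame_control(frame[0:2])
    if fc["type"] != 0 or fc["subtype"] != 8:
        raise ValueError("not a Beacon: type %d subtype %d" % (fc["type"], fc["subtype"]))
    duration = struct.unpack_from("<H", frame, 2)[0]
    dst, src, bssid = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    body, fcs = frame[24:-4], frame[-4:]
    # Beacon fixed fields: Timestamp (8), Beacon Interval (2), Capability (2)
    timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    by_id = dict(parse_ies(body[12:]))
    result = {
        "type": TYPE_NAMES[fc["type"]],
        "subtype": MGMT_SUBTYPES[fc["subtype"]],
        "flags": fc["flags"],
        "duration": duration,
        "dst": dst, "src": src, "bssid": bssid,
        "seq": seq_ctl >> 4, "frag": seq_ctl & 0x0F,
        "timestamp": timestamp,
        "beacon_interval_tu": interval,
        "ess": bool(capability & 0x0001),
        "privacy": bool(capability & 0x0010),   # set when WEP/WPA is in use
        "ssid": by_id.get(0, b"").decode("utf-8", "replace"),
        "channel": by_id[3][0] if 3 in by_id else None,   # DS Parameter Set
        "rates_mbps": rates_mbps(by_id.get(1, b"")) + rates_mbps(by_id.get(50, b"")),
        "fcs_ok": zlib.crc32(frame[:-4]) == struct.unpack("<I", fcs)[0],
        "anomalies": [],
    }
    # Sanity checks on things a real AP never does in a Beacon
    if fc["flags"]["pwr_mgt"]:
        result["anomalies"].append("Power Management flag set in a Beacon (APs never set it)")
    if fc["flags"]["to_ds"] or fc["flags"]["from_ds"]:
        result["anomalies"].append("To DS / From DS set in a Management frame")
    if dst != BROADCAST:
        result["anomalies"].append("Beacon not addressed to broadcast")
    if src != bssid:
        result["anomalies"].append("Beacon source address differs from BSSID")
    return result


if __name__ == "__main__":
    for key, value in dissect_beacon(CHALLENGE_FRAME).items():
        print(f"{key:>20}: {value}")
```

Feeding the raw byte 0x08 0x00 into parse_frame_control gives Type 2 / Subtype 0, i.e. a Data frame, which is the Demo-1.2 point; the challenge frame itself comes out as a Beacon for SSID WirelessLab on channel 11 with the Privacy bit clear (an open network) and exactly one anomaly, the Power Management flag.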
Frame Format Addresses Value and presence depends on Type/Subtype typically Source Address Destination Address BSSID See IEEE 802.11 Standard for more details
Frame Format Seq. Control Sequence number of the Frame Fragment number of the Frame In case of fragmentation SEQ No. is the same for all fragments belonging together
Frame Body and FCS Frame Body: variable-length field containing the payload (Management Frame details or the actual data). Frame Check Sequence (FCS): 32-bit CRC calculated over all the fields of the MAC header and the Frame Body field. It only detects transmission errors; it is no protection against forged frames, since anyone can compute it.
Other Frame Header Fields Refer to IEEE 802.11 Standard for: Duration / ID Quality of Service (QoS) Control General Advice: If you are not sure about how things work always refer to standards if possible! Always take a hands-on approach and try out things yourself
Beacon Frame Announces the existence of a network (SSID). Many APs allow for hiding the SSID; the Beacons are still sent, but with an empty (or NUL-filled) SSID element.
Probe Request Mobile stations use Probe Requests to scan an area for existing 802.11 networks A Probe Request frame contains two fields: The SSID The rates supported by the mobile station The mobile station must support all the data rates required by the network
Probe Response Probe Responses are very similar to Beacons
Other Management Frames Refer to IEEE 802.11 Standard for: Association Request/Response Reassociation Request/Response Disassociation Authentication Deauthentication ATIM Action
Mission Completed It's time to kick ass and chew bubble gum!
Lab-1.4 Injection Test Create a monitor mode interface. Find out the BSSID of our Access Point. We can use Aireplay-ng to inject Frames; make sure your card is set to the correct channel! To perform an injection test you can issue: aireplay-ng --test -a <BSSID> mon0 This initially sends out broadcast probe requests. See the Aircrack-ng documentation for details.
Recover Hidden SSID Normally the SSID of an AP is advertised in Beacon Frames. Most APs allow you to create a hidden or visible network. Hidden networks do not broadcast the SSID; however, Probe Requests/Responses (and Association Requests) still carry it in plaintext! Important: we must have at least one legitimate client connected or about to connect!
Demo-1.3 Recover Hidden SSID Set the AP to hide its SSID (supported by most APs). Create a monitor mode interface on channel 11. Use Airodump-ng on channel 11 to sniff traffic: airodump-ng -c 11 mon0 Start Wireshark to capture on mon0. Connect a legitimate mobile client. Analyze the captured traffic. What if the client was already connected to the AP?
Deauthentication Attack Send deauthentication frames to one or more clients which are currently associated with a particular AP. Why would we do that? Recovering a hidden ESSID (the client re-associates and names it). Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate. Making clients connect to a spoofed AP. Useless if there are no associated clients.
802.11 State Machine - Revisited
Lab-1.5 Deauth Attack Create a monitor mode interface. Find out the BSSID of the target AP. Use Aireplay-ng to deauthenticate all stations associated with the target: aireplay-ng --deauth 0 -a <BSSID> mon0 This sends deauthentication frames (spoofed as coming from the AP) to all stations which are currently associated with the target access point; 0 means send them continuously.
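What Demo-1.3 and Lab-1.5 look like from the sniffer's side, as an added example that is not part of the original slides: a small triage over a monitor-mode capture that correlates Beacons carrying an empty SSID with the Probe Responses and Association Requests from the same BSSID to recover the hidden SSID, and that counts Deauthentication/Disassociation frames per BSSID in a sliding window to spot a continuous deauth run. The capture is constructed inline (addresses, timings, the 64-frame burst, reason code 7 and the 10-frames-per-second threshold are all this example's assumptions); on a real capture you would feed it the frame bytes with the radiotap header stripped and the FCS removed, exactly as Wireshark shows them under "IEEE 802.11".

```python
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


# --- sample-input builders (constructed frames: no radiotap header, no FCS) ---
def mgmt_frame(subtype, dst, src, bssid, body, seq=0):
    fc = bytes([subtype << 4, 0x00])          # Type 00 (Management), no flags
    return (fc + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
            + struct.pack("<H", seq << 4) + body)


def ssid_ie(ssid):
    return bytes([0, len(ssid)]) + ssid.encode()


def beacon_like_body(ssid, channel):
    # Timestamp, Beacon Interval, Capability (ESS), then SSID and DS Parameter Set
    return struct.pack("<QHH", 0, 100, 0x0001) + ssid_ie(ssid) + bytes([3, 1, channel])


def assoc_req_body(ssid):
    return struct.pack("<HH", 0x0001, 10) + ssid_ie(ssid)   # Capability, Listen Interval


AP, CLIENT = "f4:6d:04:a0:cc:b1", "00:11:22:33:44:55"        # constructed addresses
SAMPLE_CAPTURE = []          # list of (timestamp in seconds, frame bytes)
for i in range(5):           # hidden AP: Beacons with a zero-length SSID, 100 TU apart
    SAMPLE_CAPTURE.append((i * 0.1024, mgmt_frame(8, BROADCAST, AP, AP, beacon_like_body("", 11), seq=i)))
# a legitimate client joins: directed Probe Request, Probe Response, Association Request
SAMPLE_CAPTURE.append((0.600, mgmt_frame(4, BROADCAST, CLIENT, BROADCAST, ssid_ie("WirelessLab"))))
SAMPLE_CAPTURE.append((0.605, mgmt_frame(5, CLIENT, AP, AP, beacon_like_body("WirelessLab", 11))))
SAMPLE_CAPTURE.append((0.650, mgmt_frame(0, AP, CLIENT, AP, assoc_req_body("WirelessLab"))))
# a burst of broadcast Deauthentications spoofed "from" the AP (reason code 7 is an assumption)
for i in range(64):
    SAMPLE_CAPTURE.append((2.0 + i * 0.005, mgmt_frame(12, BROADCAST, AP, AP, struct.pack("<H", 7))))

# --- triage -------------------------------------------------------------------
# Offset of the SSID element inside the body: Association Request (Capability +
# Listen Interval), Probe Request (nothing), Probe Response / Beacon (Timestamp +
# Beacon Interval + Capability)
SSID_OFFSET = {0: 4, 4: 0, 5: 12, 8: 12}


def first_ssid(data):
    """The SSID element (ID 0) is the first tagged parameter in these frames."""
    if len(data) >= 2 and data[0] == 0:
        return data[2:2 + data[1]].decode("utf-8", "replace")
    return None


def triage(capture, window_s=1.0, deauth_threshold=10):
    hidden, learned, probed = set(), {}, set()
    deauth_times = defaultdict(list)
    for ts, frame in capture:
        b0 = frame[0]
        if ((b0 >> 2) & 0x03) != 0:          # only Management frames matter here
            continue
        subtype = b0 >> 4
        bssid = mac_str(frame[16:22])
        body = frame[24:]
        if subtype in SSID_OFFSET:
            ssid = first_ssid(body[SSID_OFFSET[subtype]:])
            if ssid is None:
                continue
            if subtype == 8 and ssid.strip("\x00") == "":   # empty or NUL-filled SSID
                hidden.add(bssid)
            elif subtype == 4:
                probed.add(ssid)             # the client names the network it wants
            else:
                learned[bssid] = ssid        # Probe Response / Assoc Request leak it
        elif subtype in (10, 12):            # Disassociation / Deauthentication
            deauth_times[bssid].append(ts)
    floods = {}
    for bssid, times in deauth_times.items():
        times.sort()
        j, peak = 0, 0
        for i, t in enumerate(times):        # most frames seen in any window_s-long window
            while times[j] < t - window_s:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= deauth_threshold:
            floods[bssid] = peak
    return {"hidden": hidden,
            "recovered": {b: learned[b] for b in hidden if b in learned},
            "probed": probed,
            "floods": floods}


if __name__ == "__main__":
    print(triage(SAMPLE_CAPTURE))
```

Run on the first five frames only (Beacons, no client) the triage knows the BSSID is hidden but recovers nothing, which is the "at least one legitimate client" condition from the previous slides; with the client's join it maps the BSSID to WirelessLab, and the deauth burst shows up as 64 frames inside one second against that BSSID. A real AP does send the occasional Deauthentication, so the threshold, not the mere presence of the frame, is what separates an attack from normal operation.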
Soft Access Point We can use Airbase-ng to set up a soft AP. Normal APs have two network devices (2 MACs): a wireless interface and a wired interface. Airbase-ng uses mon0 as its wireless interface and creates the TAP (virtual network) device at0 as the wired interface; at0 will not be up by default.
Lab-1.4 Soft AP Set up a soft AP (the ESSID is up to you): airbase-ng -e <ESSID> -c 11 mon0 Use airodump-ng on channel 11: can you see your fake AP? Bring up at0: ifconfig at0 up Use Wireshark to capture traffic on at0. Try to connect a client (e.g. a mobile phone) to the fake AP. What is your client's IP (nothing hands out addresses on at0 unless you run a DHCP server on it)?
Please Try This At Home! Create an Evil-Twin of your legitimate AP Connect a client to the real AP Force the client to connect to the Evil-Twin Try to get IP level connectivity Additions: Try to do a real Man-In-The-Middle-Attack (e.g. by bridging the at0 to wired eth0) Use Metasploit's Autopwn to attack your client
Lessons Learned (so far) Spoofing 802.11 frames is very simple: management frames are plaintext and carry no authentication, so there is no protection mechanism against forged ones. This insecurity is the starting point for a lot of different attacks, e.g. DoS attacks on clients and APs, setting up fake APs, WEP or WPA/WPA2 cracking. In the wired world the attacker would have to be part of the network to do this! Caveat: 802.11w (Protected Management Frames) authenticates Deauthentication/Disassociation and some Action frames when both AP and client support it, but Beacons and Probe frames remain unprotected.
Any Questions? Now we are here!
Always A Good Read Matthew S. Gast: 802.11 Wireless Networks: The Definitive Guide. O'Reilly Media, 2005. Vivek Ramachandran: BackTrack 5 Wireless Penetration Testing Beginner's Guide. Packt Publishing, 2011. IEEE 802.11: Wireless Local Area Networks standards (1200+ pages!).
What Is Planned? Part II: WEP or there's just two ways this can end, and in both of them, you die! Part III: Understanding and attacking WPA/WPA2 Part IV: WPA2 enterprise and possible attacks Part V: Where to go from here?