Wireless Security, Authentication and Attacks
Sebastian Büttrich, NSRC
edit: June 2013, AfNOG
http://creativecommons.org/licenses/by-nc-sa/3.0/
Aspects of IT Security
- Confidentiality
- Integrity
- Availability
- Authenticity
- Non-repudiation
This talk: 3 parts
1. Security aspects & tools
2. Authentication
3. Man-in-the-Middle attacks on authentication
Aspects of IT Security
- Security is always a management process in which you evaluate risks, consequences and priorities
- Security management is about people, policies and communications, e.g. define a Fair Use Policy and make people sign it
- Security is not identical to Authentication or Access control
Aspects of IT Security
- Some of the aspects of security are in conflict with one another: you cannot have everything!
- e.g. encryption of all my personal traffic might be in my personal security interest, but the security manager of the network might disagree.
- Or, I can make it very difficult to get access to my network, but then users will just leave and build their own (rogue) networks.
Wireless Security
- The term "wireless security" is most often used as a synonym for keeping unwanted users out of your network & encrypting traffic
- This addresses, to some extent (!): Confidentiality, Integrity, Availability
- However, none of these are fully secured by wireless security!
Wireless Security
- The idea of wireless security seems to be changing:
- In the old days, it meant: How do I keep the outsider out?
- Maybe, today it means: How do I keep the insider from abusing my network?
Wireless Security
- When discussing wireless security, do not assume that the wired side is so much more secure!
- Most threats are NOT specifically wireless!
- Biggest threats today probably:
  - Phishing and account theft
  - Windows computers, virus/bots/trojans
  - Uncontrolled file sharing and media usage (?)
  - Systems not prepared for high bandwidth connectivity and many dynamic users
  - Introduction of IPv6 (discuss!)
Wireless Security
My personal view: a healthy way of looking at network security:
- The network is the streets and roads
- Many people and vehicles travel on these roads
- Streets and roads are open, or mostly open: we do not lock people into their houses
- If we need to transport money from A to B, we use a protected vehicle (= end-to-end security)
Methods for Wireless: Hiding
- Hidden / closed networks
- May be found by passive sniffers anyway
- Misleading: security by obscurity
- No real security
Methods for Wireless: key based encryption
- Key based encryption of wireless network (WEP/WPA)
- WEP is easily crackable: merely symbolic safety
- WPA takes longer, but is crackable
- If anything, use WPA2, but even that is vulnerable
- WPA, especially WPA Enterprise/802.1x, might force you to offer a lot of user support
Methods for Wireless: WPA
- WPA: IEEE 802.11i draft, 128-bit TKIP encryption
- WPA2: IEEE 802.11i-2004, AES based encryption
- WPA2 certification is mandatory for all devices to bear the Wi-Fi trademark (since 2006)
Methods for Wireless: WPA modes
Both WPA1 and WPA2 have 2 modes:
- WPA-Personal = WPA-PSK (Pre-shared key) mode: no authentication server, same 256-bit key for all users
- WPA-Enterprise = WPA-802.1X mode: requires a RADIUS authentication server; Extensible Authentication Protocol (EAP) for authentication
Methods for Wireless: MAC address ACL
- MAC (hardware address) based ACL: MAC black/whitelisting on AP or gateways
- Might be useful for stable user groups, registered equipment
- Difficult to maintain, easy to spoof and compromise (sniff network, find an allowed MAC and spoof it)
- No real security
Methods for Wireless: summary
Summary of key based and ACL methods:
- While none of those offers 100% security, appropriate combinations may give reasonable protection
- All of these are hard to maintain with fast changing, large user groups
- All of these pose communication challenges: how to hand out keys? How to keep MAC lists up-to-date?
Essential tools
- Reminder: think in layers!
- Working with wireless security to some extent means working with compromising tools: a good protector knows how to attack
- Some GNU/Linux here
Essential tools
- Physical layer: spectrum analyzers: AirView, WiSpy
- Packet sniffers: kismet; Netstumbler (Windows)
- Network layer: etherape (not an admin tool, just a quick visual overview)
- General networking and management tools: wireshark, ntop, mrtg, rrdtool, nmap, mtr
- WEP/WPA/WPA2 cracking: aircrack etc.
- Tool collections: BackTrack
Spectrum Analyzers
- Real spectrum analyzers are very expensive, but USB analyzers or RF Explorer are a reasonable compromise, e.g. AirView (2.4 GHz), WiSpy (2.4 / 5.8 GHz)
- Pure physical layer!
- They will show you non-wifi stuff, like microwave ovens, jamming attempts, Bluetooth phones, etc.
Spectrum Analyzers: Airview
Spectrum Analyzers: WiSpy
What is kismet?
- Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system.
- Works in raw monitoring (rfmon) mode, and (with appropriate hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic.
- It passively collects packets and detects standard named networks, detects (and, given time, decloaks) hidden networks, and infers the presence of non-beaconing networks via data traffic.
- Kismet is powerful, especially when combined with other tools like tcpdump/wireshark, nmap, etc.
Start screen
What does kismet show?
- List of SSIDs
- Note: it also shows networks with hidden SSIDs / no beacons, just blank! If a client associates to those, you will also see the SSID.
What does kismet show?
T = Type:
- P: Probe request, no associated connection yet
- A: Access point, standard wireless network
- H: Ad-hoc, point to point wireless network
- T: Turbocell, Turbocell aka Karlnet or Lucent Router
- G: Group, group of wireless networks
- D: Data, data only network with no control packets
What does kismet show?
W = Encryption
Colour = Network/Client Type:
- Yellow: Unencrypted network
- Red: Factory default settings in use!
- Green: Secure networks (WEP, WPA etc.)
- Blue: SSID cloaking on / broadcast SSID disabled
kismet - options
(Some of the) options:
- c: Show clients in current network
- h: Help
- i: Detailed info about current network
- s: Sort network list
- r: Packet rate graph
- a: Statistics
- p: Dump packet type
- Q: Quit
kismet - Network info
Client info
Kismet scan USIU
What is etherape?
- Etherape is not really a security tool, but it gives a very useful quick first view of the traffic in your network.
- For example, in case you have a spam virus in your network, you will see this immediately.
- It also gives you a good feel for what various applications, such as Skype or torrent clients, are doing to your network.
etherape screenshot
Case: UEW Garnet, port 15715 :)
What is wireshark?
- Wireshark, formerly known as Ethereal, is a powerful packet dumping and analyzing program
- Extremely nice filtering for fast identification of problems, e.g. specific protocols (e.g. ARP), IP numbers, or keywords
wireshark screenshot
wireshark for ARP trouble
Wireless Network Authentication
Phil Regnauld / Sebastian Büttrich
Edit: June 2013
Wireless Network Authentication
- Various models of network authentication on wireless networks
- We will cover the protocols and mechanisms, as well as the architectures and components to implement them
Overview
- What are we trying to solve
- Protocols & Implementation (mechanisms) & Layers
- Ways to regulate access to the network (mechanisms)
  - out of scope: MAC filtering, WEP/WPA
  - Captive portal
  - 802.1X (EAPoL and EAP-TLS)
- Architectural components
  - authentication server (RADIUS)
  - Access Point
  - Supplicant (module to authenticate)
- Non-tech aspects
  - Captive Portal vs 802.1x, helpdesk, support issues
Basic Terminology
Some basic terms:
- EAP: Extensible Authentication Protocol
- PNAC: Port-based Network Access Control
- Supplicant: a software application, installed on a user's computer, which submits credentials provided by the user to an authenticator
- Authenticator: challenges, receives, processes, and replies to authentication requests from a supplicant
What is authentication?
Definition: Authentication is the process of verifying the claim that an entity is allowed to act on behalf of a given known identity.
In plain speak: Is this person who they claim to be? Can they prove it (password, signature)?
In our case, the entity is the software, acting on behalf of the user controlling the computer.
Some core concepts
Important to distinguish between the following concepts:
- confidentiality
- access control
- authentication
- authorization
Some core concepts (2)
Confidentiality
- Ensure that only those who should have access to information can indeed do so (usually encryption)
Authorization & access control
- Authorization defines what an entity (here, a user, a device) is authorized (allowed) to access or do
  - Which networks? (ACLs/filters)
  - Which systems, which files? (FS ACLs, permissions)
  - When can they do that? (time policies)
  - Can they run an application or access a service?
- Access control is the set of mechanisms by which these rights and restrictions are controlled and enforced
What are we trying to solve
Require authentication so that we know WHO, WHERE(*), and WHEN
- This is NOT the same as using password-based WEP/WPA encryption
  - WEP/WPA keys can be shared between users
  - No way to identify who has connected, where, and when
- We want to know:
  - Which user?
  - What area of the wireless network (AP) did they associate with?
  - When did they log on?
What solutions do we have?
- WEP/WPA
  - As explained, they only provide confidentiality at the network level; they do not tell us who is connected
- MAC filtering
  - Problem: doesn't identify a person
  - Easily spoofed, and not secret information
- IP address
  - Doesn't restrict physical access to the medium
  - Easily spoofed
Captive portals
- Very popular (public areas, airports, hotels, ...)
- Very flexible
- Self-explanatory (web page), can enforce AUP (Acceptable Use Policy) validation
- Easy to implement
Downsides:
- Not transparent
- Not standardized (different looks, different credentials, ...)
- Requires regular re-authentication (disruptive)
- Often unreliable and easy to break
Captive portals (2)
To redirect you to a welcome page, any one of the following methods may be used:
- HTTP silent redirection
- HTTP 30x redirect
- IP hijacking
- DNS hijacking
Certain URLs may be allowed, e.g. an information page (think: airport flight info)
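The "HTTP 30x redirect" method with an allowed-URL list, as an added example (not code from the slides or from any of the portal products named): the gateway steers unauthenticated port-80 connections to this handler, which answers a 302 to the portal, preserves the original URL, and lets walled-garden hosts through. The portal URL, the walled-garden hosts and the client table are constructed placeholders.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote

# Constructed values: the portal's own login page and the hosts that stay reachable
# without logging in (the "walled garden", e.g. the airport's flight information page).
PORTAL_URL = "http://portal.example.net/login"
WALLED_GARDEN = {"portal.example.net", "flightinfo.example.com"}
authenticated_clients = set()  # client IPs that accepted the AUP (a real portal keeps this in a DB/RADIUS)

def grant(client_ip):
    """Called by the login page once the user has accepted the AUP and authenticated."""
    authenticated_clients.add(client_ip)

def decide(client_ip, host, path):
    """Gateway decision for one intercepted plain-HTTP request. Returns (status, location):
    (200, None) lets it through; (302, url) bounces the client to the portal, carrying the
    original URL in `next` so the portal can send the user back there after login."""
    if client_ip in authenticated_clients or host in WALLED_GARDEN:
        return 200, None
    original = f"http://{host}{path}"
    return 302, f"{PORTAL_URL}?next={quote(original, safe='')}"

class InterceptHandler(BaseHTTPRequestHandler):
    """Answers the port-80 connections the gateway steers to it. Only plain HTTP can be
    redirected this way; an intercepted HTTPS request shows a certificate error instead."""
    def do_GET(self):
        status, location = decide(self.client_address[0], self.headers.get("Host", ""), self.path)
        self.send_response(status)
        if location:
            self.send_header("Location", location)
            self.send_header("Cache-Control", "no-store")  # a cached 302 would outlive the login
        self.end_headers()
        if status == 200:  # toy: a real gateway forwards the request instead of answering it
            self.wfile.write(b"forwarded\n")

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), InterceptHandler).serve_forever()
```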
Captive portals (3)
Many vendors and open source projects:
- CoovaChilli, CoovaAP
- WiFidog
- m0n0wall, pfSense
- Zeroshell
Many general networking vendors offer some form of integrated captive portal, e.g.
- MikroTik
- HP
- Cisco
- Aruba
- Aptilo
- Ubiquiti
802.1x & EAP
- Port-based Network Access Control (PNAC)
- Originally designed for wired networks (EAPoL), but the design was accommodated for wireless networks (RFC 5216)
- Layer 2 protocol
- 4 states:
  1. initialization (all traffic blocked: no DHCP or anything)
  2. initiation (authenticator sends EAP-Requests, and the client responds with EAP-Response/Identity)
  3. negotiation of a method of authentication
  4. authentication: if negotiation succeeds, traffic is allowed through
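The four states as a toy model of the authenticator's controlled port, added here as an example (not code from the slides, and not a real 802.1X implementation): the port drops everything except EAPOL until EAP-Success, the supplicant can decline the first offered method with an EAP-Nak, and any failure drops the port back to the blocked state. The user table stands in for the RADIUS backend and the secrets are constructed.

```python
from enum import Enum

class PortState(Enum):
    INITIALIZATION = 1  # controlled port blocked: no DHCP, no IP, only EAPOL passes
    INITIATION = 2      # authenticator has asked the supplicant for its identity
    NEGOTIATION = 3     # both sides settle on an EAP method (here via EAP-Nak)
    AUTHENTICATED = 4   # EAP-Success seen: controlled port opened for all traffic

class Authenticator:
    """Toy authenticator (the AP/switch side). `methods` is its preference list,
    `users` a constructed identity->secret table standing in for the RADIUS backend."""
    def __init__(self, methods, users):
        self.methods, self.users = methods, users
        self.state, self.identity, self.method = PortState.INITIALIZATION, None, None
    def handle(self, msg):  # one supplicant message, "Kind" or "Kind:body"; returns the reply
        kind, _, body = msg.partition(":")
        if kind == "EAPOL-Start":
            self.state = PortState.INITIATION
            return "EAP-Request/Identity"
        if kind == "EAP-Response/Identity" and self.state is PortState.INITIATION:
            self.identity, self.state, self.method = body, PortState.NEGOTIATION, self.methods[0]
            return f"EAP-Request/{self.method}"
        if kind == "EAP-Response/Nak" and self.state is PortState.NEGOTIATION and body in self.methods:
            self.method = body  # supplicant declined our first offer and proposed one we also support
            return f"EAP-Request/{self.method}"
        if kind == f"EAP-Response/{self.method}" and self.state is PortState.NEGOTIATION:
            if self.users.get(self.identity) == body:
                self.state = PortState.AUTHENTICATED
                return "EAP-Success"
        return self._fail()  # unknown method, bad secret or message out of sequence
    def _fail(self):
        self.state = PortState.INITIALIZATION  # back to a blocked port
        return "EAP-Failure"
    def forwards(self, frame_kind):
        """Only EAPOL passes an unauthorized port; DHCP/IP/HTTP wait for EAP-Success."""
        return frame_kind == "EAPOL" or self.state is PortState.AUTHENTICATED

def run_supplicant(auth, identity, secret, wanted):
    """Drive a supplicant that only speaks `wanted`; returns the authenticator's replies."""
    transcript, reply = [], auth.handle("EAPOL-Start")
    while reply not in ("EAP-Success", "EAP-Failure"):
        transcript.append(reply)
        if reply == "EAP-Request/Identity":
            reply = auth.handle(f"EAP-Response/Identity:{identity}")
        elif reply != f"EAP-Request/{wanted}":
            reply = auth.handle(f"EAP-Response/Nak:{wanted}")
        else:
            reply = auth.handle(f"EAP-Response/{wanted}:{secret}")
    return transcript + [reply]
```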
802.1x & EAP (2)
Advantages
- transparent for applications
- inline: doesn't require interaction with upper layers like DHCP, IP, HTTP to function
- standardized for both wired and wireless LANs
- authentication mechanism is well known (MS-CHAP or PAP, from PPP/PPPoE)
Downsides
- may require new network equipment and/or firmware upgrade
- may require an external authentication server
How does it work? (diagram; source: Wikipedia)
802.1x & EAP vs captive portals
They are complementary:
- Captive portals may be preferable for networks, or parts of the network, where there are many non-regular, guest users
- Captive portals can guide users, provide helpdesk contact information
- 802.1x is more streamlined and standardized, making it preferable for known, pre-configured users
A combination of both may be useful:
- 802.1x everywhere is possible, on LAN/WLAN (dedicated SSID)
- Guest-style captive portal for the rest (different SSID)
- Captive portal remains more intuitive for first time users, if it is your policy to have guests! (may not be the case)
802.1x & EAP vs captive portals - 2
Function at different levels:
- 802.1x is layer 2
- Captive portals use layers 3 to 7
Authentication backends & components
Already discussed, but as a reminder:
- SQL or LDAP/Active Directory
- Can be a local flat text file
- RADIUS (which can use any of the above solutions)
- Backends can be shared between technologies (captive portal + 802.1x)
NSRC recommended solution
- User store in LDAP/AD, often OpenLDAP
- RADIUS, often FreeRADIUS
- 802.1x and/or Captive Portal
A guide (the NSRC AuthKit) is available at http://authkit.nsrc.org/wiki
Part 3: Remarks on Man-in-the-Middle attacks
Sebastian Büttrich, IT University Copenhagen / NSRC
edit: March 2013, ICTP Trieste
http://creativecommons.org/licenses/by-nc-sa/3.0/
Security measures that work (to some extent)
- WPA2 shared or personal
- 802.1x = EAP over wireless; EAP = Extensible Authentication Protocol
- RADIUS (Remote Authentication Dial In User Service), often as manager for centralized Authentication, Authorization, and Accounting (AAA) management; it acts in between the user database and the wireless APs
- RADIUS can talk to files, SQL, LDAP etc.
How does RADIUS work? (diagram; source: Wikipedia)
The reality of 802.1x
- Used in many universities and institutions, e.g. ICTP
- User credentials typically come from a user database, e.g. LDAP, Active Directory (AD)
- RADIUS often used for Authentication, Authorization, and Accounting (AAA) management; it acts between the user database and the wireless APs
The reality of 802.1x
- Widely used, e.g. in eduroam http://eduroam.org
- Typically used with protocols like TTLS or PEAP for the outer tunnel, MSCHAP, PAP, CHAP for inner authentication
- Problem: all inner authentication methods are broken and crackable, see: http://wire.less.dk/?p=205
The reality of 802.1x
- Because the inner methods are broken, all security depends on the outer tunnel; this means, for TTLS, a certificate based approach
- What is the reality of SSL certificates? Do clients validate them? Typically no!
- This user/client behaviour creates a vulnerability: Man-in-the-Middle attacks
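The check a network administrator can run against client configurations to find exactly the profiles that would hand their inner credentials to any RADIUS server, added here as an example (not code from the slides, eduroam or wpa_supplicant): it parses wpa_supplicant.conf network blocks and flags PEAP/TTLS profiles with no ca_cert, or with a ca_cert but no domain/subject match (the keys named are real wpa_supplicant settings). The SSIDs, CA path and RADIUS host name in the embedded sample configuration are constructed.

```python
# Real wpa_supplicant.conf keys that pin WHICH server may present the certificate,
# not merely that the certificate chains to the CA named in ca_cert.
SERVER_IDENTITY_KEYS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")
TUNNELLED_METHODS = {"PEAP", "TTLS"}  # outer TLS tunnel protecting a weak inner method

def parse_networks(conf_text):
    """Parse network={ ... } blocks into dicts (quotes stripped, comments skipped)."""
    networks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return networks

def audit(conf_text):
    """Return {ssid: [findings]} for each 802.1X profile using PEAP or TTLS;
    an empty list means the profile refuses a RADIUS server it cannot identify."""
    report = {}
    for net in parse_networks(conf_text):
        if "WPA-EAP" not in net.get("key_mgmt", "") or net.get("eap") not in TUNNELLED_METHODS:
            continue
        findings = []
        if "ca_cert" not in net:
            findings.append("no ca_cert: any server certificate is accepted")
        elif not any(k in net for k in SERVER_IDENTITY_KEYS):
            findings.append("ca_cert set but no domain/subject match: any certificate from that CA is accepted")
        report[net.get("ssid", "?")] = findings
    return report

# Constructed sample: one profile as it is typically clicked together, one hardened.
SAMPLE_CONF = """network={
    ssid="ictp-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/campus-ca.pem"
    domain_suffix_match="radius.example.edu"
}
"""
```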
Man-in-the-middle attacks
- Advanced attack and analysis tools, e.g. Pineapple
- Pineapple (with Jasager software) listens to all probe requests, mimics the SSID and associates users
- From there on, all your traffic is belong to me :)
Demonstration
Wireless Access Points (* = current AP)
ictp-open: Infra, 00:11:21:ED:B6:C1, Freq 2412 MHz, Rate 54 Mb/s, Strength 35
ictp-secure: Infra, 00:11:21:ED:B6:C0, Freq 2412 MHz, Rate 54 Mb/s, Strength 34 WPA WPA2 Enterprise
ICTP-SDU: Infra, 00:15:6D:72:48:54, Freq 2437 MHz, Rate 54 Mb/s, Strength 37 WPA2
*MarconiLab: Infra, 00:15:6D:18:8F:F8, Freq 2452 MHz, Rate 54 Mb/s, Strength 100 WPA2
alao: Infra, 00:27:22:E6:53:2D, Freq 2412 MHz, Rate 54 Mb/s, Strength 98
Lab_Test_01: Infra, 00:27:22:E6:54:E6, Freq 2432 MHz, Rate 54 Mb/s, Strength 97 WPA2
whyme: Infra, 00:11:24:09:65:F9, Freq 2412 MHz, Rate 54 Mb/s, Strength 97 WPA2
ictp-secure: Infra, 00:15:6D:F6:14:0E, Freq 2412 MHz, Rate 54 Mb/s, Strength 100 WPA2 Enterprise
Note that we have two different kinds of hardware serving the SSID ictp-secure; one of them is in fact an attacker, in this case a harmless one (Sebastian). It will offer 802.1x authentication, with its own RADIUS server (on Sebastian's laptop), and if the client does not validate the certificate, it will willingly send its login to this server, where we can collect the packets, find the handshake dialogue, and crack it.
(rest of this session as live demo)
Attack
- Get the user to associate to the rogue AP and start the handshake / authentication process
- Packet dump everything
- Analyze the traffic, isolate the handshake
- The outer tunnel is easy, as the attacker owns the certificate and keys
- The inner tunnel (typically MSCHAP) needs to be cracked (offline or online services)
Solution to the problem
Unfortunately, we do not have one as long as users and software behave the way they do.
Questions? Comments?
sebastian@nsrc.org
http://nsrc.org
Sebastian Büttrich, NSRC
http://creativecommons.org/licenses/by-nc-sa/3.0/