Attacking Automatic Wireless Network Selection. Dino A. Dai Zovi and Shane A. Macaulay {ddaizovi,smacaulay1}@bloomberg.com

Similar documents
Attacking Automatic Wireless Network Selection

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Topics in Network Security

Wireless Networks. Welcome to Wireless

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance

Wireless Security: Secure and Public Networks Kory Kirk

MN-700 Base Station Configuration Guide

Security Awareness. Wireless Network Security

New Avatars of Honeypot Attacks on WiFi Networks

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

The next generation of knowledge and expertise Wireless Security Basics

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

WiFi Security Assessments

Wireless Network Configuration Guide

WIRELESS NETWORKING SECURITY


Closing Wireless Loopholes for PCI Compliance and Security

Configuring Security Solutions

The Trivial Cisco IP Phones Compromise

PwC. Outline. The case for wireless networking. Access points and network cards. Introduction: OSI layers and 802 structure

Wireless security (WEP) b Overview

IP Link Best Practices for Network Integration and Security. Introduction...2. Passwords...4 ACL...5 VLAN...6. Protocols...6. Conclusion...

9 Simple steps to secure your Wi-Fi Network.

VIDEO Intypedia012en LESSON 12: WI FI NETWORKS SECURITY. AUTHOR: Raúl Siles. Founder and Security Analyst at Taddong

University of Hawaii at Manoa Professor: Kazuo Sugihara

Using a VPN with Niagara Systems. v0.3 6, July 2013

PePWave Surf Series PePWave Surf Indoor Series: Surf 200, AP 200, AP 400

Digicom Remote Control for the SRT

Security in IEEE WLANs

1 Introduction. 2 Cafe Crack. 1.1 Rogue AP Attack. 1.2 Airsnarf. 1.3 Detecting Rogue APs. References Acronyms

Securing end devices

Kvaser BlackBird Getting Started Guide

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

Intro to Firewalls. Summary

Configuring Routers and Their Settings

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

Chapter 4 Customizing Your Network Settings

Access Point Configuration

SOHO 6 Wireless Installation Procedure Windows 95/98/ME with Internet Explorer 5.x & 6.0

Wireless Threats To Corporate Security A Presentation for ISACA UK Northern Chapter

Wireless Network Best Practices for General User

Wireless (In)Security Trends in the Enterprise

Technical Brief. Wireless Intrusion Protection

How To Set Up A Computer With A Network Connection On A Cdrom 2.5 (For A Pc) Or Ipad (For Mac) On A Pc Or Mac Or Ipa (For Pc) On An Ipad Or Ipro (

Quick Installation Guide For Mac users

Industrial Communication. Securing Industrial Wireless

iscsi Security (Insecure SCSI) Presenter: Himanshu Dwivedi

Wireless Security. New Standards for Encryption and Authentication. Ann Geyer

WRE2205. User s Guide. Quick Start Guide. Wireless N300 Range Extender. Default Login Details. Version 1.00 Edition 1, 06/2012

Configuration Manual English version

Design and Implementation Guide. Apple iphone Compatibility

Network Access Security. Lesson 10

Network Attacks. Common Network Attacks and Exploits

CS5490/6490: Network Security- Lecture Notes - November 9 th 2015

Using a VPN with CentraLine AX Systems

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Configure WorkGroup Bridge on the WAP131 Access Point

Chapter 1 Configuring Internet Connectivity

ECE 4893: Internetwork Security Lab 10: Wireless Security

Where every interaction matters.

Chapter 4 Management. Viewing the Activity Log

Security. TestOut Modules

User Manual. PePWave Surf / Surf AP Indoor Series: Surf 200, E200, AP 200, AP 400. PePWave Mesh Connector Indoor Series: MC 200, E200, 400

Web Request Routing. Technical Brief. What s the best option for your web security deployment?

State of Kansas. Interim Wireless Local Area Networks Security and Technical Architecture

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

802.11b and associated network security risks for the home user

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper

United States Trustee Program s Wireless LAN Security Checklist

DESIGNING AND DEPLOYING SECURE WIRELESS LANS. Karl McDermott Cisco Systems Ireland

Recommended Wireless Local Area Network Architecture

N600 WiFi USB Adapter

How To Secure A Wireless Network With A Wireless Device (Mb8000)

Wireless security. Any station within range of the RF receives data Two security mechanism

Section 12 MUST BE COMPLETED BY: 4/22

WRE6505. User s Guide. Quick Start Guide. Wireless AC750 Range Extender. Default Login Details. Version 1.00 Edition 1,

Why VPN Alone Will not Secure your Wireless Network

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Detecting rogue systems

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

FinIntrusion Kit / Release Notes FINUSB SUITE SPECIFICATIONS. FINFISHER: FinIntrusion Kit 2.2 Release Notes

How To Secure Your Network With 802.1X (Ipo) On A Pc Or Mac Or Macbook Or Ipo On A Microsoft Mac Or Ipow On A Network With A Password Protected By A Keyed Key (Ipow)

Building A Secure Microsoft Exchange Continuity Appliance

A Division of Cisco Systems, Inc. GHz g. Wireless-G. USB Network Adapter with RangeBooster. User Guide WIRELESS WUSB54GR. Model No.

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

Quick Installation Guide-For MAC users

Wireless security isn't dead, attacking clients with MSF

ROGUE ACCESS POINT DETECTION: AUTOMATICALLY DETECT AND MANAGE WIRELESS THREATS TO YOUR NETWORK

Static Business Class HSI Basic Installation NETGEAR 7550

Security vulnerabilities in the Internet and possible solutions

Implementing Security for Wireless Networks

How to configure your Thomson SpeedTouch 780WL for ADSL2+

ITRAINONLINE MMTK WIRELESS CLIENT INSTALLATION HANDOUT

Nokia E90 Communicator Using WLAN

Wireless-G Access Point

Connecting to and Setting Up a Network

HP ProLiant Essentials Vulnerability and Patch Management Pack Server Security Recommendations

Transcription:

Attacking Automatic Wireless Network Selection Dino A. Dai Zovi and Shane A. Macaulay {ddaizovi,smacaulay1}@bloomberg.com

We made Slashdot! Hackers, Meet Microsoft "The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle. Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully lured a Windows laptop onto a malicious wireless network. 'It was just silent,' said Stephen Toulouse, a program manager in Microsoft's security unit. 'You couldn't hear anybody breathe.' The demo was part of an extraordinary two days in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color."

Agenda n Motivation n What is Automatic Wireless Network Selection? n Windows XP Wireless Auto Configuration (WZCSVC) Algorithm n Wireless Auto Configuration Weaknesses and Vulnerabilities n KARMA: Wireless Client Attack Assessment Toolkit

Motivation n Wireless LANs now can be and increasingly are quite secure n Improved encryption systems (WPA) n MAC address filtering n Hidden networks (SSID cloaking) n Mobile clients bridge networks across time n Connect to secure networks as well as insecure networks (conferences, hotels, airports, cafes) n Can be compromised on airplane and spread compromise to secure network at work n Security of most secure network depends on security of least secure network

Motivation n Paradigm shift to new wireless threat n Attacking wireless clients n Nightmare scenario n Target: Identify wireless clients n Position: Get on same network as victim n Attack: Exploit client-side vulnerabilities to install persistent agent n Subvert: Agent gives attacker remote access to secure networks that client connects to

Automatic Wireless Network Selection n Purpose: Automatically (re)connect to trusted known wireless networks n Operating System maintains list of Trusted/ Preferred wireless Networks n Records (SSID, Cleartext/WEP/WPA) n Preferred Networks are automatically connected to when available n Windows: Continually search when wireless card is on and not associated to another wireless network n MacOS X: Search for networks when user logs in or machine wakes from sleep

Microsoft Windows XP Wireless Auto Configuration Algorithm n First, Client builds list of available networks n Send broadcast Probe Request on each channel

Wireless Auto Configuration Algorithm n Access Points within range respond with Probe Responses

Wireless Auto Configuration Algorithm n n If Probe Responses are received for networks in preferred networks list: n Connect to them in preferred networks list order Otherwise, if no available networks match preferred networks: n Specific Probe Requests are sent for each preferred network in case networks are hidden

Wireless Auto Configuration Algorithm n If still not associated and there is an adhoc network in preferred networks list, create the network and become first node n Uses self-assigned IP address (169.254.Y.Z)

Wireless Auto Configuration Algorithm n Finally, if Automatically connect to non-preferred networks is enabled (disabled by default), connect to networks in order they were detected n Otherwise, wait for user to select a network or preferred network to appear n Set card s desired SSID to random 32-char value, Sleep for minute, and then restart algorithm

Weaknesses in Wireless Auto Configuration n Information Disclosure n Specific 802.11 Probe Requests reveal SSIDs of preferred networks n Spoofing n Unencrypted networks are identified and authenticated only by SSID n Unintended Behavior n An ad-hoc network in Preferred Networks List turns a wireless client into an Access Point

Positioning for Attack Against Wireless Clients Join ad-hoc network created by target Sniff network to discover self-assigned IP (169.254.Y.Z) Create a stronger signal for currently associated network While associated to a network, clients send Probe Requests for same network to look for stronger signal Create a (more) Preferred Network Spoof disassociation frames to cause clients to restart scanning process Sniff Probe Requests to discover Preferred Networks Create a network with SSID from Probe Request

Attacking Wireless Auto Configuration n Attacker spoofs disassociation frame to victim n Client sends broadcast and specific Probe Requests again n Attacker discovers networks in Preferred Networks list (e.g. linksys, MegaCorp, t-mobile)

Attacking Wireless Auto Configuration n Attacker creates a rogue access point with SSID MegaCorp

Attacking Wireless Auto Configuration n Victim associates to attacker s fake network n Even if preferred network was WEP (XP SP 0) n Attacker can supply DHCP, DNS,, servers n Attacker exerts a significant amount of control over victim

Improving the Attack n Parallelize n Attack multiple clients at once n Expand scope n Act as any networks that any client is looking for n Simplify n Don t require learning preferred networks before beginning attack n Increase availability n Attack continuously

Attack Implementation n Most wireless cards have firmware that enforce frame restrictions n Prism II HostAP mode doesn t pass Probe Requests to Operating System n Atheros-based cards don t have firmware n Hardware Abstraction Layer (HAL) and all frame handling in driver software n Attack implemented as modified Linux MADWiFi Driver n Respond to Probe Request frames for any SSID n Allow Assoc Request to any SSID

Performing The Attack n Laptop runs software base station n Possibly with antenna, amplifiers n AP responds to any Probe/Assoc Request n Clients within range join what they think is one of their Preferred Networks n Client A thinks it is on linksys n Client B thinks it is on t-mobile n Client C thinks it is on hhonors n Any client with at least one unencrypted preferred network will join if no legitimate preferred networks are present

Wireless Auto Configuration Vulnerabilities n Remember how SSID is set to random value? n The card sends out Probe Requests for it n We respond w/ Probe Response n Card associates n Host brings interface up, DHCPs an address, etc. n Verified on Windows XP SP2 w/ PrismII and Orinoco (Hermes) cards n Fixed in Longhorn

Packet trace of Windows XP associating using random SSID 1) 00:49:04.007115 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA: 00:e0:29:91:8e:fd Probe Request (^J^S^V^K^U^L^R^E^H^V^U...) [1.0* 2.0* 5.5* 11.0* Mbit] 2) 00:49:04.008125 BSSID:00:05:4e:43:81:e8 DA:00:e0:29:91:8e:fd SA:00:05:4e:43:81:e8 Probe Response (^J^S^V^K^U^L^R^E^H^V^U...) [1.0* 2.0* 5.5 11.0 Mbit] CH: 1 3) 00:49:04.336328 BSSID:00:05:4e:43:81:e8 DA:00:05:4e:43:81:e8 SA:00:e0:29:91:8e:fd Authentication (Open System)-1: Succesful 4) 00:49:04.337052 BSSID:00:05:4e:43:81:e8 DA:00:e0:29:91:8e:fd SA:00:05:4e:43:81:e8 Authentication (Open System)-2: 5) 00:49:04.338102 BSSID:00:05:4e:43:81:e8 DA:00:05:4e:43:81:e8 SA:00:e0:29:91:8e:fd Assoc Request (^J^S^V^K^U^L^R^E^H^V^U...) [1.0* 2.0* 5.5* 11.0* Mbit] 6) 00:49:04.338856 BSSID:00:05:4e:43:81:e8 DA:00:e0:29:91:8e:fd SA:00:05:4e:43:81:e8 Assoc Response AID(1) :: Succesful

First of all, there is no we

Vulnerable PNL Configurations n If there are no networks in the Preferred Networks List, random SSID will be joined n If all networks in PNL are encrypted, random SSID will have left-over WEP configuration (attacker will have to guess key) n We supply the challenge, victim replies with challenge XOR RC4 keystream n Our challenge is 000000000000000000 n We get first 144 bytes of keystream for a given IV n If there are any unencrypted networks in PNL, host will associate to our modified Access Point.

Apple MacOS X n n n n n n MacOS X AirPort (but not AirPort Extreme) has similar issues MacOS X maintains list of trusted wireless networks n User can t edit it, it s an XML file base64-encoded in another XML file When user logs in or system wakes from sleep, a probe is sent for each network n Only sent once, list isn t continuously sent out n Attacker has less of a chance of observing it If none are found, card s SSID is set to a dynamic SSID n With 40-bit WEP enabled n but to a static key After waking from sleep, SSID is set to dummy SSID n Will associate as plaintext or 40-bit WEP with above key MacOS X 10.4 ( Tiger ) has GUI to edit list of trusted wireless networks

Defenses n Keep wireless card turned off when not using a wireless network n Only keep secure networks in Preferred Networks List n Remove insecure network from PNL immediately after done using it n Prevent mobile clients from connecting to sensitive networks

KARMA: A Wireless Client Assessment Tool n Track clients by MAC address n Identify state: scanning/associated n Record preferred networks by capturing Probe Requests n Display signal strength of packets from client n Allows targeting a specific client n Create a network they will automatically associate to n Identify insecure wireless clients that will join rogue networks n Kismet for wireless clients

KARMA Probe Monitor

Karma Attacks Radioed Machines Automatically n Wireless and client-side attack and assessment toolkit n Modules attack multiple layers as hostile server or Man-in-the-Middle n 802.11: Modified MADWiFi driver answers all Probe/Assoc Requests n DHCP: Rogue DHCP server points client at our DNS server n DNS: Rogue DNS Server responds to all queries with our IP address n POP3/FTP: Servers capture plaintext credentials n HTTP: Attack web server redirects any query to browser exploits or acts as transparent proxy

Conclusion n Demonstrated weaknesses and vulnerabilities in Automatic Wireless Network Selection n Allows attacker to put victim on hostile subnet n Firewalls commonly on by default, but clients still initiate a lot of traffic n Automatic updates n Browsing (NetBIOS, Rendezvous/Bonjour) n Rise in client-side vulnerabilities n Mobile clients are a risk to secure networks n Assess risk of wireless clients with KARMA n http://www.theta44.org/karma/

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information