Pentesting your own Wireless Network

June 8, 2011, by | Start Discussion

Introduction to IEEE 802.11

IEEE 802.11 is a set of protocols used for implementing wireless LAN. IEEE Protocol standards are created and maintained by IEEE LAN/MAN Standard Committee.
 
WLANs operate in 3 different frequency ranges that is2.4Ghz (802.11b/g/n), 3.6Ghz (802.11y) and 4.9/5.0Ghz (802.11a/h/j/n). Each of these Frequencies are further divided in to multiple channels.  Every country has permissible channels and maximum power levels.  However, wireless card can be easily configured to disregard these policies. One can make the wireless NIC hop on different channels, but at any given period of time a wireless NIC will be connected only to a single channel.
 

Different Wireless Architectures & Implementations

Wi-Fi implementation as any other technology is needed to drive Business. It’s very important to get an optimum ROI with required security & controls in place. Keeping this in mind, the Home implementation of Wi-Fi network differs as compared to SOHO or Enterprise implementation.
 
1. Wi-Fi Network at Home: 
 
In a usual home environment multiple clients connect to an AP which is connected to a broadband (DSL / Cable) modem. Wi-Fi at home is mainly used for internet access and all the users have same privileges.
WiFi Network at Home
 
The following is typical of a Wi-Fi implementation at home’s:  
  • Clients connecting to AP / Wireless Routers
  • Wireless Router connected to a broadband modem for internet service
  • Security – WEP or WPA/WPA2 Personal
  • SSID broadcast
  • MAC Address filtering
  • Paraphrases/passwords to access Wi-Fi service never changed and at times easy to guess
Due to the nature of work and the type of information, it is not feasible to implement Enterprise class security for home users. The home networks are easier to compromise but again it’s a tradeoff between security and ease of use.
 However, there are good practices which if implemented correctly would deter and make it difficult for an attacker to break into the home Wi-Fi network.

2. Corporate / Enterprise Network:
 
In a Corporate enterprise network, stronger security controls are required.  Wi-Fi is used by employee’s to access the corporate network and by the guests / visitors to access the internet.
 
Access to Corporate network through Wi-Fi requires the employee’s to authenticate to the authentication server before the access is granted to the corporate network. They key features of this network setup are:-
 
  • Restricted to employee’s
  • Involves authentication using authenticating server
  • Stronger encryption protocols
  • Access on need to know basis
  • Security – WPA2 Enterprise along with EAP-TTLS, MSCHAPv2 etc. is used
Corporate-Enterprise Network
 
In a corporate environment there is usually a ‘Guest’ wireless network for guests and visitors. This network is only for internet access and is supposed to be isolated from the Corporate Wi-Fi network.
 

Encryption & Authentication used in IEEE 802.11 Environment:

Wired Equivalent Privacy (WEP) – WEP uses RC4 encryption algorithm which has several weaknesses. IEEE 802.11i was ratified in 2004 and is the primary means of wireless security. In spite of known vulnerabilities due to the oldest and easiest configuration WEP is still widely deployed at least on Home Networks 
 
Wi-Fi Protected Access (WPA) – WPA protocol implements majority of IEE 802.11i standard requirements. WPA makes use of Temporal Key Integrity Protocol (TKIP) instead of RC4 used in its predecessor WEP. To offer greater security, CCMP, an AES based encryption protocol was released in the final IEEE 802.11i standard (referred to as WPA2). 
 
WPA Personal – Commonly referred as WPA – Pre shared key (PSK). The clients authenticate with the AP’s using the 256 bit keys. It’s mainly used at homes and in SOHO environment 
 
WPA Enterprise – Mainly designed for Enterprise networks and requires authentication using RADIUS server. Extensible Authentication Protocol (EAP) is used for authentication, which comes in different flavors (EAP-TLS, EAP-TTLS).  It is also referred as WPA-802.1x mode
 
RADIUS protocol inherently only allows for password based authentication i.e. the password is sent as MD5 Hash or response to a challenge (CHAP-password). EAP enriches the authentication feature of RADIUS.
 

VA&PT of Wireless Networks

Approach for conducting VA&PT of a wireless network is similar to traditional connected network but there are added risks and vulnerabilities specific to Wi-Fi network that need to be looked into. To conduct VA&PT of wireless network it is very important to get the objectives clear. 
Wireless network if compromised can lead to unauthorized access to the corporate infrastructure which might be on the traditional connected network.
 
Approach:-
  1. Reconnaissance
  2. Identifying the Encryption & Authentication Technology
  3. Attempt to Gain Access
  4. Brute Forcing / Guessing Passwords
  5. Identifying weakness in the Wi-Fi Technology
  6. Attacks specific to Wi-Fi Technology
  7. Summarization & Reporting
 
Phase I: Reconnaissance
 
This is the most important phase whereby the attacker gains most of the information required for further directed attacks. Intelligent sniffing can help in gathering good amount of information on the wireless network, technology being used and the deployment. 
 
Beacons are used to relay important information like weather conditions, navigation details, status reports etc. Beacon frames in an IEE 802.11 WLAN contain important details like SSID, type of the network, encryption details, supported data rates, manufacturer of AP etc. It is transmitted periodically to make the presence of WLAN known. 
 
Tools like Kismet, NetStumbler, Wireshark can assist in reconnaissance. With the help of these tools details like SSID, Type of encryption & authentication, access point MAC Address along with approximate location, signal strength, channels being used etc. can be obtained. 
 
The information obtained in this phase is what dictates the further course of wireless security testing.
 
Exploiting the Authentication Protocol:
 
Due to the inherent nature of Wi-Fi networks i.e. without wires and theoretically no boundaries; security has always been a prime concern. Authentication, Encryption, Authorization are a must in a Wi-Fi setup. In 802.11X network EAP gives RADIUS the capability to work with variety of authentication schemes like Kerberos, PKI, Smart Card etc. 
 
In a typical and common implementation of EAP like TLS, MD5 and MSCHAPv2 (used in most of the Windows clients) the user ID/Login ID (active directory/domain) is sent in clear text during handshake.
Figure 1. LEAP Handshake [1]
 
Compromise of Login ID can further lead to brute force attempts for the passwords leading to unauthorized access.  In Figure 1 it can be seen that the User / Login ID is displayed in clear text. Wireshark is used to sniff the EAP – LEAP packets.
 
Phase II: Attacks on Guest Wireless Networks
 
Organizations these days have an isolated wireless network for guests & visitors to access the internet. The ‘Guest’ network is supposed to be an isolated network with no connection / interface to the corporate network.
The following is common in a typical implementation of a ‘Guest’ wireless network:
  • WEP
  • WPA2 with pre-shared key (PSK)
  • Internal IP Address assigned to the guests
  • The ‘Guest’ client part of ‘Guest VLAN’ hypothetically isolated from the corporate / enterprise network; in many cases it is not
  • For accessing the ‘Internet’ resources; login credentials (username & password) required to be entered in the browser
  • Pre-Shared Keys are common for all ‘Guests’ and are seldom changed
  • Login Credentials used for accessing the internet are common for all the ‘Guests’
  • Outsiders, contractors, vendors, guests, over sea / travelling employees etc. given access through the same ‘Guest’ network
  • ‘Guest VLAN’ is not isolated from the corporate VLAN
Consider a scenario where an attacker sitting in the organization’s premises gains access to the ‘Guest’ network’s IP Address. Irrespective of if he/she can access the internet assigning of organization’s internal IP Address to the attacker’s machine is a major threat. 
Figure 2.: Scan for10.100.1.1 to 10.100.1.100range showing two hosts are up
 
The attacker can use tools like ‘Angry IP Scan’ to scan the entire range of IP Address to find out the host that is ‘UP’. Once the host is identified traditional VA&PT tools like Nessus, nmap, Metasploit etc. could be used to identify and exploit the vulnerabilities.
 
Phase III: Implementation specific Attacks
 
Attack on WEP:
 
Attack Scenario 1: Cracking Wep Key Using airmon-ng
 
Boot your favorite Linux distribution and initialize command console, Make sure you have the following tools installed:
  1. Aircrack-ng:Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools.
  2. Macchanger:A GNU/Linux utility for viewing/manipulating the MAC address of network interfaces.
  3.  
Part A: Setting up your Machine
1. Let’s start with setting up your machine with required software’s and libraries. You can install the above mentioned software’s from your linux distributor’s online repositories.
 
2. For Debian Based Linux Distribution (Eg: Debain, Ubuntu, linux mint etc.):- 
sudo apt-get install aircrack-ng sudo apt-get install Maccchanger
 
For Redhat Based Linux Ditribution (Eg: RHEL, Centos, Fedora, Opensuse):-  
yum install aircrack-ng yum install Macchanger 
 
3. This command will list the current network adaptors in your system in detail; see what name has been assigned to your Wi-Fi adaptor.  For E.g:  wlan0, wlan1, etc.
ifconfig
 4. This command will stop the card and disable’s the broadcast and reception, as system won’t allow you to change the MAC address when card is in use:
airmon-ng stop [Wi-Fi Card name]
 5. Macchanger utility will change the original MAC address to any MAC address you desire.
macchanger      - -mac  [] Disired MAC adress] [WiFi card-name]  
6. This command will activate the wireless network adaptor for broadcast and reception, In some Linux distributions you may also witness the following error, as shown in the snapshot below:
Airmon-ng start wlan0
Figure 3: Step 6 Starting airmon-ng
 
 7. If you see this error coming up on your console, you don’t need to lose your heart, it’s just that few services are already using your wireless adaptor or it’s associated files, you will also see the process names and PID’s, you can stop those process by using the following command’s:
Kill - kill [PID ] – process 

 
8. You will see another extra adaptor that is set on monitor mode with the name mon0, use that adaptor in further commands where – ‘[Wi-Fi card name]’ appears
airmon-ng start [Wi-Fi Card name]

 
 
PART B: Start Capturing  Data Packets
 
1. This command will initialize the Wi-Fi network monitoring & will show wireless network’s in range with encryption cipher being used like Wep, WPA or WPA2 and more.
 
2. As you execute the following command, you will see a certain number of beacons and data packets that will be stored in the filename you have given. The file will be stored in the root of the system drive (Click on Computer and you will see the file). The file will be present in two formats: *.cap, *.txt.
 
 airodump-ng-c [Channel number]  -w [Desired File name for later description]  --bssid[BSSID] [Wi-Fi card name]
 
Part C: Speed up the Process Data Packet’s Capturing
 
Open a new console after the first data packet has been stored. Type the command in the new console and execute it
 
 airreplay-ng -1 0 –a [BSSID] –h [FAKED MAC ADDRESS]  -e [Wi-fi name] [Wi-Fi card name]
 
As you type this command you will see that the data packets required for breaking the key will increase dramatically thereby saving you a lot of time.
PART D: Cracking/brute forcing Wep Key
 
Open another console once you have around 20,000 data packets and type the following command to reveal the WEP key.
 aircrack-ng –n 64 –b [BSSID] [Filename without the extension]
 
Figure 4: Aircrack-ng in action
 
It is not necessary that the key should have exactly the same digits as shown above so please don’t freak out if you see a 10 digit or 14 digit key.
Figure 5: Brute force attack completed. Key Decrypted.
 
Also if the decryption fails, you can change the bit level of the decryption in the command:
 
 aircrack-ng –n [BIT LEVEL] –b [BSSID] [Filename without extension]
 
 
Remember, the bit level should be a number of 2n where n = 1,2,3,4… 
 

Rogue Access Points

Rogue Access Point is a wireless access point that has been illegally installed within a range of secure wireless network without the consent of the administrator of that wireless network. The sole purpose behind creating the Rogue access points is to capture the secret key used to by the clients to authenticate them to the legitimate wireless access point.
 
Attacker’s exploits the loophole and setup their own access point with the same SSID’s to fool the clients in a way so that instead of connecting to legitimate access point they may connect to the Fake Access point created by the attacker. Once the attacker gain’s access to the secured wireless network he may also use sniffing and man in the middle attacks to capture the juicy information travelling throughout the network like login credentials, credit card details other important information.
 
Airsnarf [1]
 
Itis a simple rogue wireless access point setup utility which can found in  Backtrack a popular security distribution for penetration testers. Airsnarf is specially designed to demonstrate how rogue access point can actually steal usernames and passwords from publically available hotspots. It exploits the vulnerability in 802.11b hotspots by confusing the users with DNS and HTTP redirects from a competing legitimate wireless access point.
 
Airsnarf is very user friendly. It contains a configuration file ./cfg/airsnarf.cfg file in which details like local network, gateway & SSID can be configured. The clients associated with the Fake / Rogue AP will receive the IP, DNS and gateway details from the Rogue AP. Also, it is possible to configure Airsnarf ‘splash page’ as dummy login page and capture the login credentials of the users. These details would be mailed to [email protected] 
 
Rogue AP is in a way a Social Engineering attack where in the attacker exploits the human tendency of ‘trust’. 
Other tools available for creating Rogue access point are freeradius WPE, karmetasploit a module in Metasploit (which is a combination of famous tool called karma), Hotspotter, Fake AP, VOID11 and wifitap.
 
hole196 [2]
 
Please note this vulnerability was identified and presented by MdSohail Ahmad from AirTight Networks at BlackHat 2010.
Background:
Man-in-the-Middle Attack or what is popularly known as MITM is very common in wired networks. But, now it’s very much possible in WPA2 networks as well. 
WPA2 uses two ncryption keys:
  • Pairwise key (PTK)
  • Group Key (GTK)
GTK – GTK is broadcasted by the Access Point (AP) to all the clients and remains common for all the clients.
PTK – It’s a unique to each client and is used to protect unicast data frames. It changes with each session.
 
As per IEEE 802.11 standard PTK has inherent capability whereby it can detect MAC Address spoofing and data forgery. GTK has not been designed with this feature. These details are mentioned on the page 196 of IEEE 802.11 standard and hence the vulnerability was named as ‘Hole196’. Once again the flaw in the inherent design of the protocol has been used to exploit this vulnerability. 
 
‘hole196’ does not lead to cracking of WPA2 keys or discovering the passwords. It is a threat by the malicious insider which can act as a legitimate Access Point and affect the other clients i.e. Man-in-the-Middle Attack.
Attack: 
Figure 6: Three Connected Clients
 
The Access Point (AP) shares the same GTK with all the connected clients. So, GTK is known and is common to all connected clients. GTK is used as an encryption key by the AP and decryption key by the client.
Figure 7
 
The log of wpa_supplicant software running on wireless clients shows that GTK key is known to the client devices. 
Figure 8
 
 
  • Attacker injects fake ARP Request packet to poison client’s cache for gateway. For the victim the attacker’s machine becomes the client gateway.
  • Victim sends all traffic encrypted with its PTK to the AP, with Attacker as the destination (gateway)
  • AP forwards Victim’s data to the Attacker encrypting it in the Attacker’s PTK. So Attacker can decrypt Victim’s private data.
 
Spoofed ARP packets are never sent to AP and they never go over the wire and hence cannot be detected by wired IDS/IPS.
 
 
 
Block ACK DoS [3]
 
All of us are familiar with TCP Sliding Window flow control concept. On the similar lines IEEE 802.11e and IEEE 802.11n are designed to acknowledge a block of packets instead of sequential transmit/acknowledge. The AP sends the client Add Block Acknowledgement (ADDBA) indicating the starting of the transmission, window size, sequence numbers etc. Anything outside the window is dropped by the recipient. So here is the catch!
 
There is no security on the control frame and hence ADDBA frame can be impersonated and spoofed.
Figure 9
 
 
Ideal Scenario:
 
  • AP sends the ADDBA request to client identifying the window size, starting sequence number etc.
  • Client responds with ACK followed by ADDBA response
  • AP sends an acknowledgement (ACK)
  • Clients starts receiving the frames defined in the ADDBA control frame and ignores all the frames that fall outside this range
  • The AP sends BlockACK Request frame to client to know the status of the received frames
  • Client reverts with a BlockACK if all the frames were received alternatively client can request for a retransmission or selective transmission of lost packets
  • AP sends a delete block acknowledgement (DELBA) Request to release the buffers of both AP and Client.
 
Vulnerability in Block ACK Handling & DELBA frame:
 
  • Since the control frames are not protected a malicious user / attacker can spoof the ADDBA frame and tamper the sequence details causing the recipient (in this client) to drop some or all the frames
  • This would result in re transmission or can also lead to DoS
  • Alternatively malicious DELBA messages can be sent to untimely free the sender and receiver buffers causing disruption of service
 

References:

2. MdSohail Ahmed from AirTight networks.
3.High Speed Risks in 802.11n Networks by Joshua Wright from Aruba Networks presented in RAS Conference 2008.
 
Note: By the time of this writing, a very good tutorial series has been launched by VivekRamachandranOn SecurityTube.net.
 

Information Security Consultant with KPMG. Specializing in Infrastructure & Network Security. BE - Electronics, ME - Telecommunication.

Leave a Reply