Wireless Penetration Testing is More Than Cracking WEP
Presented By: Joe McCray
Strategic Security, Inc. ©                http://www.strategicsec.com/
Hmmm......Interesting

Anybody Hungry???

Don’t Worry About Turning Off Your Phones For This Presentation. I’ll Take Care Of That For You.

Now What Day Did You Say You Checked In?

What If I Want Percocet More Than Every 4 Hours?

I Want To Join The Group Too: The Domain Admin Group.

How Did You Do All Of This?
Agenda
1. Scope of Wireless Penetration Testing
2. Methodology
3. Tools of the trade
4. Peeling The Onion of a Wireless Network
5. It's all about the data

Methodology
1. Reconnaissance Phase
2. Attack (Penetration Testing) Phase
3. Range Survey Phase
4. Reporting
Reconnaissance Phase
1. Initial Observations
   Conducted on foot or in a car, using a handheld device or laptop to gather signal strength and a listing of available wireless networks.
2. Analysis of available networks
   Silently gather information about WAPs and the clients using each WAP.
   - Determine if the network is in scope for the assessment.
3. Gather Network and AP Information
   Gather details for all networks under test.
   - Use packet captures to record traffic passing over the network.

Attack (Penetration Testing) Phase
1. Use data gathered in the recon phase to enumerate a priority list of targets.
2. Survey & sniff open access points (if available).
3. Break WEP/WPA encryption if available.
4. Prepare fake RADIUS Server for WPA / managed APs.
5. Launch MiTM attacks.
6. Use other attack patterns as appropriate.

Range Survey Phase
1. Survey with typical wireless card, omni-directional antenna, and GPS.
2. Survey with typical wireless card, directional antenna, and GPS.
3. Generate signal maps using the gathered data and a mapping utility.
Peeling Back The Layers
Customers tend to implement the following:
1. Configuration parameter ambiguity
2. 802.11 Wireless Authentication
3. 802.11 Wireless Encryption
4. Wireless Network Isolation
5. Wireless Client Isolation
....Just remember that we're on offense. We're pentesters.
Configuration Ambiguity
Configuration Parameter Ambiguity
- SSID Broadcast Disabled
- MAC Address Filtering

Wireless Authentication
WEP             -- Poorest
Cisco's LEAP    -- Poor
WPA-PSK         -- Better
WPA-Enterprise  -- Best

Wireless Encryption
WEP          -- Poorest
WPA (TKIP)   -- Better
WPA2 (AES)   -- Best

Wireless Separation
Wireless Network Isolation
Zero Separation           -- Poorest
Layer 3 Routed Boundary   -- Poor
Firewalled Boundary       -- Better
VPN Concentrator          -- Best
Wireless Network Isolation
Zero Separation is all too common. Countless times I see wireless networks that are basically bridged to the LAN. There is no work required for me to get to the LAN.

Wireless Network Isolation
Layer 3 Routed Boundary is almost as common. Your best shot here is using EXTREMELY specific ACLs, and to be honest that doesn't help much either.

Captive Portal
Used commonly in Hotels, Airports, Coffee Shops, etc…
2 Primary bypass methods
- Impersonating an Authorized Wireless Client
- Tunneling Traffic out of the network via DNS or ICMP

Wireless Network Isolation
Firewalled Boundary is much less common. In my opinion the only thing you really get with this over the routed boundary is better logging.

Wireless Network Isolation
VPN Concentrator is even less common, but it's probably your best option if you find that packet overhead isn't affecting business operations. This can really slow down your network.
OK – I’m Bored – Let’s Do Some Hacking
Let's start with the simple stuff....
Simple security mechanisms suck
- SSID Broadcast disabled
- MAC Address Filtering
Wireless Traffic That Reveals Confidential Information
Rogue Access Points
- Employees deploying rogue APs
- Malicious attackers deploying rogue APs
Attacking Wireless Authentication & Encryption Mechanisms
WEP was the first encryption standard available for wireless networks. WEP can be deployed in two strengths, 64 bit and 128 bit. 64-bit WEP consists of a 40-bit secret key and a 24-bit initialization vector, and is often referred to as 40-bit WEP. 128-bit WEP similarly employs a 104-bit secret key and a 24-bit initialization vector and is often called 104-bit WEP. Association with WEP encrypted networks can be accomplished through the use of a password, an ASCII key, or a hexadecimal key. WEP’s implementation of the RC4 algorithm was determined to be flawed, allowing an attacker to crack the key and compromise WEP encrypted networks.

WEP IS DEAD!!!!!!!
- WEP has been dead since 2001
- 2 Primary Methods of attacking WEP
  - Collection of weak IVs
    After somewhere between 1,500 and 5,000 "weak" IVs are collected, they can be fed back into the Key Scheduling Algorithm (KSA) and Pseudo Random Number Generator (PRNG) and the first byte of the key is revealed. This process is then repeated for each byte until the WEP key is cracked.
  - Collection of unique IVs
    The last byte of the WEP packet is removed, effectively breaking the Cyclic Redundancy Check/Integrity Check Value (CRC/ICV). If the last byte was zero, then XOR a certain value with the last four bytes of the packet and the CRC will become valid again. This packet can then be retransmitted.

WEP IS DEAD!!!!!!! (continued)
The biggest problem with attacks against WEP is collecting enough packets. Traffic can be injected into the network, creating more packets. This is usually accomplished by collecting one or more Address Resolution Protocol (ARP) packets and retransmitting them to the access point. ARP packets are a good choice because they have a predictable size (28 bytes). The response will generate traffic and increase the speed at which packets are collected.
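Everything the two WEP slides describe leaves a footprint that a wireless monitor can count: IVs in a weak class, IVs that repeat, and identical ARP-sized frames replayed by one station. The following added example (written for this page, not code from the deck or from Strategic Security) parses constructed WEP data frames and reports those three things per BSSID. The 802.11 header layout and the 24-bit IV are the standard ones; the weak-IV test uses the original FMS class (B+3, 0xFF, x); the MAC addresses, IVs and the sample capture are constructed.

```python
from collections import Counter, defaultdict

MAC_HDR_LEN = 24   # 802.11 data header: FC, duration, three addresses, sequence control
IV_LEN = 3         # WEP IV is 24 bits, followed by one key-ID byte
# Encrypted body of a WEP-protected ARP frame: 8-byte LLC/SNAP + 28-byte ARP + 4-byte ICV
ARP_WEP_BODY_LEN = 8 + 28 + 4


def parse_wep_frame(frame: bytes):
    """Return (bssid, src, iv, key_id, body_len) for a WEP-protected data frame,
    or None for anything else (management frames, open data frames, runts)."""
    if len(frame) < MAC_HDR_LEN + IV_LEN + 1 + 4:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 & 0x0C) != 0x08 or not (fc1 & 0x40):   # must be Data with the Protected flag
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    if fc1 & 0x01:                 # ToDS: addr1 = BSSID, addr2 = transmitting station
        bssid, src = addr1, addr2
    else:                          # FromDS: addr2 = BSSID, addr3 = original source
        bssid, src = addr2, addr3
    iv = frame[MAC_HDR_LEN:MAC_HDR_LEN + IV_LEN]
    key_id = frame[MAC_HDR_LEN + IV_LEN] >> 6
    body_len = len(frame) - MAC_HDR_LEN - IV_LEN - 1
    return bssid, src, iv, key_id, body_len


def is_fms_weak_iv(iv: bytes, key_bytes: int = 13) -> bool:
    """Original FMS weak-IV class (B+3, 0xFF, x) for key byte index B. Other
    weak classes were published later; this one is enough to show what a monitor counts."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_bytes


def audit_wep(frames, replay_threshold: int = 3) -> dict:
    """Summarise IV reuse, weak IVs and ARP-sized replays seen on each BSSID."""
    ivs = defaultdict(Counter)     # bssid -> Counter of IVs
    weak = Counter()               # bssid -> number of weak-class IVs
    arp_sized = Counter()          # (src, iv) -> number of ARP-sized frames
    for frame in frames:
        parsed = parse_wep_frame(frame)
        if parsed is None:
            continue
        bssid, src, iv, _key_id, body_len = parsed
        ivs[bssid][iv] += 1
        if is_fms_weak_iv(iv):
            weak[bssid] += 1
        if body_len == ARP_WEP_BODY_LEN:
            arp_sized[(src, iv)] += 1
    return {
        "iv_reuse": {b.hex(): sum(1 for n in c.values() if n > 1) for b, c in ivs.items()},
        "weak_ivs": {b.hex(): n for b, n in weak.items()},
        # Repeated ARP-sized frames carrying the same IV from one station are the
        # signature of injected replay traffic: normal ARP never reuses an IV.
        "arp_replay": [(s.hex(), iv.hex(), n) for (s, iv), n in arp_sized.items()
                       if n >= replay_threshold],
    }


def make_wep_frame(bssid: bytes, src: bytes, iv: bytes, body_len: int) -> bytes:
    """Constructed ToDS WEP data frame with filler ciphertext (not real RC4 output)."""
    header = b"\x08\x41" + b"\x00\x00" + bssid + src + b"\xff" * 6 + b"\x00\x00"
    return header + iv + b"\x00" + b"\xaa" * body_len


# Constructed sample capture: one BSSID, one honest station, one station replaying ARP.
BSSID = bytes.fromhex("020000000001")
STA_A = bytes.fromhex("0200000000aa")
STA_B = bytes.fromhex("0200000000bb")
SAMPLE_FRAMES = (
    [make_wep_frame(BSSID, STA_A, bytes([0x10, 0x20, i]), 100) for i in range(5)]
    + [make_wep_frame(BSSID, STA_A, b"\x03\xff\x10", 100),      # FMS weak class
       make_wep_frame(BSSID, STA_A, b"\x04\xff\x22", 100)]      # FMS weak class
    + [make_wep_frame(BSSID, STA_B, b"\x5a\x5a\x5a", ARP_WEP_BODY_LEN)] * 4  # replayed ARP
    + [b"\x80\x00" + b"\x00" * 30]                               # beacon, ignored
)

if __name__ == "__main__":
    print(audit_wep(SAMPLE_FRAMES))
```

On a live network the reuse and replay counters climb within seconds of an injection attack starting, which is the practical detection angle: the network is WEP, so the fix is migration, but the monitor at least tells you it is being worked on.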
What About WPA??
WPA was developed to replace WEP because of the vulnerabilities associated with it. WPA can be deployed either using a pre-shared key (WPA-PSK) or in conjunction with a RADIUS server (WPA-RADIUS). WPA uses either the Temporal Key Integrity Protocol (TKIP) or the Advanced Encryption Standard (AES) for its encryption algorithm. Some vulnerabilities were discovered with certain implementations of WPA-PSK. Because of this, and to further strengthen the encryption, WPA2 was developed. The primary difference between WPA and WPA2 is that WPA2 requires the use of both TKIP and AES, where WPA allowed the user to determine which would be employed.

WPA Continued...
WPA/WPA2 requires the use of an authentication piece in addition to the encryption piece. A form of the Extensible Authentication Protocol (EAP) is used for this piece. There are five different EAPs available for use with WPA/WPA2:
- EAP-TLS
- EAP-TTLS/MSCHAPv2
- EAPv0/EAP-MSCHAP2
- EAPv1/EAP-GTC
- EAP-SIM
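The "fake RADIUS server" step in the attack phase works against exactly these EAP methods when the client never checks which server it is talking to, so the defensive question is whether the supplicant pins the RADIUS certificate. The following added example (written for this page, not the deck's code) lints a wpa_supplicant network block for that: the weak block below is what a misconfigured client typically looks like, the hardened block beside it adds the checks. The wpa_supplicant keys used (eap, ca_cert, domain_match, domain_suffix_match, subject_match, anonymous_identity, phase2) are real; the SSID, paths, names and credentials are constructed.

```python
import re

# Methods that tunnel an inner credential (MSCHAPv2, GTC) through TLS to the RADIUS
# server: whoever terminates that TLS tunnel receives the inner credential.
TUNNELED_EAP = {"PEAP", "TTLS"}
SERVER_NAME_KEYS = ("domain_match", "domain_suffix_match", "subject_match")


def parse_network_block(text: str) -> dict:
    """Parse the key=value lines of one wpa_supplicant network={...} block."""
    pairs = re.findall(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', text, re.M)
    return {key: value for key, value in pairs if key != "network"}


def lint_eap_network(fields: dict) -> list:
    """Return findings for a WPA-Enterprise block; an empty list means nothing was flagged."""
    findings = []
    eap = fields.get("eap", "").upper()
    if "WPA-EAP" not in fields.get("key_mgmt", "").upper() or not eap:
        return ["not a WPA-Enterprise (802.1X/EAP) network block"]
    if "ca_cert" not in fields:
        findings.append("ca_cert missing: the RADIUS server certificate is not checked "
                        "against any trust anchor, so any server can complete the handshake")
    if not any(key in fields for key in SERVER_NAME_KEYS):
        findings.append("no domain_match/domain_suffix_match/subject_match: any certificate "
                        "issued by the trusted CA is accepted, not only the RADIUS server's")
    if eap in TUNNELED_EAP and "anonymous_identity" not in fields:
        findings.append("anonymous_identity missing: the real username is sent as the "
                        "cleartext outer EAP identity")
    return findings


# Constructed weak block: PEAP/MSCHAPv2 with no server validation at all.
WEAK_CONFIG = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed hardened block: same method, server certificate and name pinned.
HARDENED_CONFIG = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    anonymous_identity="anonymous@corp.example"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_eap_network(parse_network_block(cfg)) or ["ok"])
```

The same three checks apply to the equivalent settings of managed Windows and macOS supplicants; a client that passes them will refuse the tunnel rather than hand its MSCHAPv2 exchange to an unexpected server.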
At The End Of The Day....It’s All About The Data
At the end of the day wireless penetration testing is really about verifying whether or not an attacker can gain access to your production network. At its core it’s no different than physical security testing. Can you get to the production network?

Download This Presentation
If you have other questions you’d like to ask outside of this conference, or if you want to get a copy of my slides you can contact me at:
Email:    joe@strategicsec.com
Twitter:  @j0emccray
LinkedIn: http://www.linkedin.com/in/joemccray