Wireless LAN Security II: WEP Attacks, WPA, and WPA2
Raj Jain
Washington University in Saint Louis
Saint Louis, MO 63130
jain@cse.wustl.edu
Audio/video recordings of this lecture are available at http://www.cse.wustl.edu/~jain/cse571-07/
Washington University in St Louis, CSE571S, 2007, Raj Jain

Overview
- Wireless Networking Attacks
- Wireless Protected Access (WPA)
- Wireless Protected Access 2 (WPA2)

Wireless Networking Attacks
1. MAC Address Spoofing Attack
2. Disassociation and Deauthentication Attacks
3. Shared Key Authentication Attacks
4. Known Plaintext Attack
5. Reaction Attack
6. Message Modification Attack
7. Inductive Attack
8. Reuse IV Attack
9. WEP Key Attacks
10. FMS Attack
11. Dictionary Attack on LEAP
12. Rogue APs
13. Ad Hoc Networking Issues

MAC Address Spoofing Attack
- The AP has a list of MAC addresses that are allowed to enter the network
- An attacker can sniff the MAC addresses and spoof them

Disassociation and Deauthentication Attacks
- WiFi stations authenticate and then associate. Anyone can send disassociate packets.
- Omerta (http://www.securityfocus.com/archive/89/326248) simply sends a disassociation for every data packet
- AirJack (http://802.11ninja.net) includes essid_jack, which sends a disassociation packet and then listens for association packets to find hidden SSIDs that are not broadcast
- fata_jack sends invalid authentication requests spoofing legitimate clients, causing the AP to disassociate the client
- monkey_jack deauthenticates a victim and poses as the AP when the victim returns (MitM)
- Void11 (www.wlsec.net/void11) floods authenticate requests to the AP, causing DoS

Shared Key Authentication Attacks
- The authentication challenge is sent in the clear. XOR of challenge and response = keystream for that IV.
- Can use the IV and keystream for false authentication
- Collect keystreams for many IVs: 24b IV => 2^24 keystreams = 24 GB for 1500B packets
- Can store all possible keystreams and then use them to decrypt any messages

Known Plaintext Attack
- A wired attacker sends a message to a wireless victim
- The AP encrypts the message and transmits it over the air
- The attacker has both the plain text and the encrypted text => keystream
[Figure: Wired Net -> AP -> Wireless Net; Known Plain Text XOR Cipher Text (from Sniffer) = keystream]

Reaction Attack
- ICV is a linear sum => predictable
- Change a few bits and rebroadcast
- TCP acks => short packets
- Flip selected bits => keystream bits are 0 or 1

Message Modification Attack
- Change the destination address to the attacker's wired node
- The unencrypted packet will be delivered by the AP to the wired node

Inductive Attack
- If you know n bytes of keystream, you can find the (n+1)st byte
- Send a ping request with 256 variations of the (n+1)st byte
- Whichever generates a response is the correct variation
[Figure: Guessed Byte + Known keystream (n bytes) -> XOR -> Encrypted Guess -> Ping packet (n+1 bytes) -> Ping Response? Yes: OK; No: Packet silently dropped]

Reuse IV Attack
- If you have the keystream for a particular IV, you can keep using the same IV for which you have the keystream

WEP Key Attacks
- 40-bit key or 104-bit key generated by a well-known passphrase algorithm
- wep_crack creates a table of keys for all dictionary words and uses them to find the key
- wep_decrypt tries random 40-bit keys to decrypt: 2^20 attempts in 60 seconds
- A dictionary-based passphrase attack takes less than 1 second

FMS Attack
- Scott Fluhrer, Itsik Mantin, and Adi Shamir
- Based on a weakness of the way RC4 initializes its matrix
- If a key is weak, the RC4 keystream contains some portions of the key more than other combinations
- Statistically plot the distribution of parts of keystreams => parts of the key
- WEPcrack (http://wepcrack.sourceforge.net) sniffs the network and analyzes the output using FMS to crack the keys
- AirSnort (http://airsnort.shmoo.com) also sniffs and uses a part of FMS to find the key
- bsd-airtools includes dwepdump to capture the packets and dwepcrack to find the WEP key

Dictionary Attack on LEAP
- LEAP uses MS-CHAP v1 for authentication
- Capture the challenge and response
- Brute-force password attack

Rogue APs
- AirSnarf (http://airsnarf.shmoo.com) sets up a rogue AP and presents an authentication web page to the user
- Can steal credit card numbers

Ad Hoc Networking Issues
- Computer-to-computer networking is allowed in XP
- Viruses and worms can be passed on if one of them is infected and the other does not have a personal firewall

IEEE 802.11i Security Enhancement
- Strong message integrity check
- Longer Initialization Vector: 48 bits in place of 24b
- Key mixing algorithm to generate new per-packet keys
- Packet sequence number to prevent replay
- Extensible Authentication Protocol (EAP): many authentication methods. Default: IAKERB
- 802.1X Authentication with pre-shared key mode, or managed mode using RADIUS servers
- Mutual Authentication [Figure: Station <-> Key Distribution Center; Station <-> Access Point]
- AP sends security options in the probe response if requested
- Robust Security Network (RSN): stronger AES encryption (AES-CCMP)

802.11 Security Protocol Stack
[Figure: Station: TLS / EAP / 802.11. Access Point: 802.11 and EAP on the wireless side, RADIUS / TCP-IP / 802.3 on the wired side. Authentication Server: TLS / EAP / RADIUS / TCP-IP / 802.3.]

Wi-Fi Protected Access (WPA)
- Temporal Key Integrity Protocol (TKIP): longer IV, key mixing to get a per-packet key, MIC
- Uses the same encryption (RC4) => firmware upgrade
- All access points and subscribers need to use WPA [Figure: WPA <-> WPA link vs. WEP <-> WEP link]
- Separate keys for authentication, encryption, and integrity
- 48b TKIP sequence counter (TSC) is used to generate the IV and avoid replay attacks. Reset to 0 on a new key, then incremented.
- IV reuse is prevented by changing the WEP key on IV recycling
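The Reaction Attack and Message Modification Attack slides rest on one fact: WEP's ICV is a CRC-32, which is linear over XOR, so an edit to the ciphertext can be paired with a predictable correction to the encrypted ICV. The following Python is an added example written for this page, not code from the lecture; it checks the linearity property, builds a toy WEP-style frame (random bytes stand in for the RC4 keystream, and the payload is constructed), and shows that the same blind bit flip passes an ICV-only receiver but is rejected once the integrity tag is a keyed MIC, which is the change 802.11i makes. The 8-byte HMAC-SHA256 tag is an assumption standing in for the real 802.11i MIC, not its actual construction.

```python
import hashlib
import hmac
import os
import zlib


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def crc_is_affine(a: bytes, b: bytes) -> bool:
    """For equal-length inputs CRC-32 satisfies
    crc(a XOR b) == crc(a) XOR crc(b) XOR crc(zeros): the checksum is linear
    up to a length-dependent constant. This is the 'ICV is a linear sum'
    property the Reaction Attack slide relies on."""
    return crc32(xor(a, b)) == crc32(a) ^ crc32(b) ^ crc32(bytes(len(a)))


def icv_protect(plaintext: bytes, keystream: bytes) -> bytes:
    """WEP-style frame body: (plaintext || CRC-32 ICV) XOR keystream."""
    body = plaintext + crc32(plaintext).to_bytes(4, "big")
    return xor(body, keystream[:len(body)])


def icv_verify(frame: bytes, keystream: bytes) -> bool:
    """Receiver that trusts the ICV alone, as WEP does."""
    body = xor(frame, keystream[:len(frame)])
    return crc32(body[:-4]) == int.from_bytes(body[-4:], "big")


def mic_protect(plaintext: bytes, keystream: bytes, mic_key: bytes) -> bytes:
    """Keyed variant (assumption): an 8-byte HMAC-SHA256 tag stands in for the
    802.11i MIC. The tag depends on a secret key, so it cannot be corrected
    by anyone who does not hold that key."""
    tag = hmac.new(mic_key, plaintext, hashlib.sha256).digest()[:8]
    body = plaintext + tag
    return xor(body, keystream[:len(body)])


def mic_verify(frame: bytes, keystream: bytes, mic_key: bytes) -> bool:
    body = xor(frame, keystream[:len(frame)])
    expected = hmac.new(mic_key, body[:-8], hashlib.sha256).digest()[:8]
    return hmac.compare_digest(body[-8:], expected)


def flip_bits_blind(frame: bytes, delta: bytes, tag_len: int) -> bytes:
    """Edit a captured frame knowing only which plaintext bits to flip (delta),
    not the keystream or any key. With a CRC ICV the needed checksum
    correction is crc(delta) XOR crc(zeros), computable from delta alone; with
    a keyed MIC no such correction exists, so the tag is left as is."""
    n = len(frame) - tag_len
    new_data = xor(frame[:n], delta)
    new_tag = frame[n:]
    if tag_len == 4:
        fix = crc32(delta) ^ crc32(bytes(n))
        new_tag = xor(new_tag, fix.to_bytes(4, "big"))
    return new_data + new_tag


def integrity_demo() -> dict:
    """Constructed payload and random keystream; no RC4 and no real capture."""
    plaintext = b"dst=10.0.0.5 GET /index.html"        # constructed sample
    keystream = os.urandom(len(plaintext) + 8)         # stands in for RC4(IV||key)
    mic_key = os.urandom(16)                           # secret the forger lacks
    delta = bytearray(len(plaintext))
    delta[11] ^= 0x02                                  # turns the '5' into '7'
    delta = bytes(delta)

    icv_frame = flip_bits_blind(icv_protect(plaintext, keystream), delta, 4)
    mic_frame = flip_bits_blind(mic_protect(plaintext, keystream, mic_key), delta, 8)
    n = len(plaintext)
    return {
        "crc_affine": crc_is_affine(plaintext, delta),
        "icv_accepts_tampered": icv_verify(icv_frame, keystream),           # True
        "icv_decrypts_to": xor(icv_frame[:n], keystream[:n]),
        "mic_accepts_tampered": mic_verify(mic_frame, keystream, mic_key),  # False
    }


if __name__ == "__main__":
    for k, v in integrity_demo().items():
        print(f"{k}: {v!r}")
```

The receiver-side lesson is the one the 802.11i slide states as "strong message integrity check": an unkeyed, linear checksum under a stream cipher detects nothing an adversary did deliberately, so the integrity tag must be keyed (and, in 802.11i, also bound to the sequence counter and addresses).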
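The Reuse IV Attack slide and the WPA slide describe the same counter from two sides: WEP's 24-bit IV recycles quickly and a repeated IV means a reused RC4 keystream, while TKIP's 48-bit TSC must strictly increase per key, restarts at 0 on rekey, and forces a key change before it can wrap. The Python below is an added example for this page (not the lecture's code) that implements both receiver-side checks and runs them over constructed frame metadata; the station address, IV values and the rekey margin of 2^16 are assumptions chosen for the demonstration.

```python
from collections import defaultdict

WEP_IV_BITS = 24      # WEP IV: 2^24 values, recycled quickly on a busy AP
TKIP_TSC_BITS = 48    # WPA/TKIP sequence counter: 2^48 values per key


class IvReuseMonitor:
    """Passive monitor for WEP's 24-bit IV. Each (transmitter, IV) pair is
    remembered; a repeat means the same RC4 keystream was used twice, which
    is the condition every keystream-reuse attack on the slides depends on."""

    def __init__(self) -> None:
        self.seen = defaultdict(set)
        self.reuse_events = []

    def observe(self, src: str, iv: int) -> bool:
        """Return True when this IV was already seen from src."""
        if not 0 <= iv < (1 << WEP_IV_BITS):
            raise ValueError("WEP IV must fit in 24 bits")
        if iv in self.seen[src]:
            self.reuse_events.append((src, iv))
            return True
        self.seen[src].add(iv)
        return False


class TkipReplayCheck:
    """Receiver-side replay check from the WPA slide: the 48-bit TSC must
    strictly increase for each (transmitter, key), restarts at 0 when a new
    key is installed, and the key is replaced before the counter wraps."""

    TSC_MAX = (1 << TKIP_TSC_BITS) - 1

    def __init__(self, rekey_margin: int = 1 << 16) -> None:
        self.last = {}                   # (src, key_id) -> last accepted TSC
        self.rekey_margin = rekey_margin  # assumed threshold for this demo

    def rekey(self, src: str, key_id: int) -> None:
        """New temporal key installed: the counter restarts from 0."""
        self.last.pop((src, key_id), None)

    def needs_rekey(self, src: str, key_id: int) -> bool:
        """True when the counter is close enough to 2^48 that the key must be
        changed before any TSC value could repeat (the slide's 'changing the
        key on IV recycling')."""
        prev = self.last.get((src, key_id))
        return prev is not None and prev >= self.TSC_MAX - self.rekey_margin

    def accept(self, src: str, key_id: int, tsc: int) -> bool:
        """Accept a frame only if its TSC is larger than the last one seen."""
        if not 0 <= tsc <= self.TSC_MAX:
            return False
        prev = self.last.get((src, key_id))
        if prev is not None and tsc <= prev:
            return False                 # replayed or reordered frame
        self.last[(src, key_id)] = tsc
        return True


def counter_demo() -> dict:
    """Feed constructed frame metadata (no real captures) through both checks."""
    sta = "00:11:22:33:44:55"            # constructed station address
    wep = IvReuseMonitor()
    wep_frames = [(sta, 0x00A1B2), (sta, 0x00A1B3), (sta, 0x00A1B2)]
    wep_flags = [wep.observe(src, iv) for src, iv in wep_frames]

    tkip = TkipReplayCheck()
    in_order = [tkip.accept(sta, 0, t) for t in (1, 2, 3)]
    replay = tkip.accept(sta, 0, 2)       # retransmitted old TSC
    tkip.rekey(sta, 0)
    after_rekey = tkip.accept(sta, 0, 0)  # counter restarts at 0 on new key
    tkip.accept(sta, 0, TkipReplayCheck.TSC_MAX - 10)
    return {
        "wep_flags": wep_flags,                          # [False, False, True]
        "wep_reuse_events": wep.reuse_events,
        "tkip_in_order": in_order,                       # [True, True, True]
        "tkip_replay_accepted": replay,                  # False
        "tkip_after_rekey": after_rekey,                 # True
        "tkip_needs_rekey": tkip.needs_rekey(sta, 0),    # True
    }


if __name__ == "__main__":
    for k, v in counter_demo().items():
        print(f"{k}: {v!r}")
```

Run as a script it prints the verdicts; the monitor class is the kind of check a WLAN IDS applies to captured headers, and the replay class is the logic a WPA receiver keeps per transmitter and key.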

