Hacking Techniques in Wireless Networks
Key Words
IEEE 802.11, wireless spoofing, cracking WEP, forged
deauthentication, rogue/Trojan access points, session hijacking, war driving.
Abstract
This article describes IEEE 802.11-specific hacking techniques
that attackers have used, and suggests various defensive measures. We describe
sniffing, spoofing and probing in the context of wireless
networks. We describe how SSIDs can be determined, how a
sufficiently large number of frames can be collected so that WEP can be
cracked. We show how easy it is to cause denial-of-service through
jamming and through forged disassociations and deauthentications. We
also explain three man-in-the-middle attacks using wireless
networks. We give a list of selected open-source
tools. We summarize the activity known as war driving. We
conclude the article with several recommendations that will help improve
security at a wireless deployment site.
Wireless networks broadcast their packets using radio frequency or
optical wavelengths. A modern laptop computer can listen in. Worse,
an attacker can manufacture new packets on the fly and persuade wireless
stations to accept his packets as legitimate.
We use the term hacking as described below.
hacker n. [originally,
someone who makes furniture with an axe] 1. A person who
enjoys exploring the details of programmable systems and how to stretch their
capabilities, as opposed to most users, who prefer to learn only the minimum
necessary. 2. One who programs enthusiastically (even
obsessively) or who enjoys programming rather than just theorizing about
programming. 3. A person capable of appreciating hack
value. 4. A person who is good at programming quickly. 5. An
expert at a particular program, or one who frequently does work using it or on
it; as in `a Unix hacker'. (Definitions 1 through 5 are correlated, and people
who fit them congregate.) 6. An expert or enthusiast of any
kind. One might be an astronomy hacker, for example. 7. One
who enjoys the intellectual challenge of creatively overcoming or circumventing
limitations. 8. [deprecated] A malicious meddler
who tries to discover sensitive information by poking around. Hence `password
hacker', `network hacker'. The correct term for this sense is cracker.
This article describes IEEE 802.11-specific hacking techniques
that attackers have used, and suggests various defensive measures. It is not an
overview of security features proposed in WPA or IEEE 802.11i. We do
not consider legal implications, or the intent behind such hacking, whether
malevolent or benevolent. The article's focus is on describing
techniques, methods, analyses and uses in ways unintended by the
designers of IEEE 802.11.
In this section, we give a brief overview of wireless LAN (WLAN)
while emphasizing the features that help an attacker. We assume that the
reader is familiar with the TCP/IP suite (see, e.g., [Mateti 2003]).
IEEE 802.11 refers to a family of specifications (www.ieee802.org/11/) developed by the IEEE for the over-the-air
interface between a wireless client and an AP or between two wireless
clients. To be called 802.11 devices, they must conform to the Medium
Access Control (MAC) and Physical Layer specifications. The IEEE 802.11
standard covers the Physical (Layer 1) and Data Link (Layer 2) layers of the
OSI Model. In this article, we are mainly concerned with the MAC
layer and not the variations of the physical layer known as 802.11a/b/g.
A wireless network interface card (adapter) is a device, called
a station, providing the network physical layer over a radio link
to another station. An access point (AP) is a
station that provides frame distribution service to stations associated with
it. The AP itself is typically connected by wire to a LAN.
The station and AP each contain a network interface that has
a Media Access Control (MAC) address, just as wired network cards do. This
address is a world-wide-unique 48-bit number, assigned to it at the time of
manufacture. The 48-bit address is often represented as a string of six octets
separated by colons (e.g., 00:02:2D:17:B9:E8) or hyphens (e.g., 00-02-2D-17-B9-E8). While the MAC
address as assigned by the manufacturer is printed on the device, the address
can be changed in software.
Each AP has a 0 to 32 byte long Service Set Identifier (SSID) that
is also commonly called a network name. The SSID is used to segment the
airwaves for usage. If two wireless networks are physically close, the SSIDs
label the respective networks, and allow the components of one network to
ignore those of the other. SSIDs can also be mapped to virtual LANs; thus, some
APs support multiple SSIDs. Unlike fully qualified host names (e.g.,
gamma.cs.wright.edu), SSIDs are not registered, and it is possible that two unrelated
networks use the same SSID.
The stations communicate with each other using radio frequencies
between 2.4 GHz and 2.5 GHz. Neighboring channels are only 5 MHz
apart. Two wireless networks using neighboring channels may
interfere with each other.
Wired Equivalent Privacy (WEP) is a shared-secret key encryption
system used to encrypt packets transmitted between a station and an
AP. The WEP algorithm is intended to protect wireless communication from
eavesdropping. A secondary function of WEP is to prevent unauthorized access to
a wireless network. WEP encrypts the payload of data packets.
Management and control frames are always transmitted in the clear. WEP
uses the RC4 encryption algorithm. The shared-secret key is either 40 or
104 bits long. The key is chosen by the system administrator.
This key must be shared among all the stations and the AP using mechanisms
that are not specified in IEEE 802.11.
A wireless network operates in one of two modes. In the ad
hoc mode, each station is a peer to the other stations and
communicates directly with other stations within the network. No AP
is involved. All stations can send Beacon and Probe frames. The ad hoc
mode stations form an Independent Basic Service Set (IBSS).
A station in the infrastructure mode communicates
only with an AP. Basic Service Set (BSS) is a set of stations that are
logically associated with each other and controlled by a single AP. Together
they operate as a fully connected wireless network. The BSSID is a
48-bit number of the same format as a MAC address. This field uniquely
identifies each BSS. The value of this field is the MAC address of the AP.
Both the station and AP radiate and gather 802.11 frames as
needed. The format of frames is illustrated below. Most of the frames
contain IP packets. The other frames are for the management and control
of the wireless connection.
Figure 1: An IEEE 802.11 Frame
There are three classes of frames. The management frames
establish and maintain communications. They are of the following types: Association request,
Association response, Reassociation request, Reassociation response, Probe
request, Probe response, Beacon, Announcement traffic indication message,
Disassociation, Authentication, and Deauthentication. The SSID is part
of several of the management frames. Management messages are always sent in the
clear, even when link encryption (WEP or WPA) is used, so the SSID is visible
to anyone who can intercept these frames.
The control frames help in the delivery of data.
The data frames encapsulate the OSI Network Layer
packets. These contain the source and destination MAC address, the
BSSID, and the TCP/IP datagram. The payload part of the datagram is
WEP-encrypted.
Authentication is the process of proving the identity of a station to
another station or AP. In open system authentication, all stations
are authenticated without any checking. A station A sends an Authentication
management frame that contains the identity of A, to station B. Station B
replies with a frame that indicates recognition, addressed to A. In the
closed network architecture, the stations must know the SSID of the AP in
order to connect to the AP. The shared key authentication uses a standard
challenge and response along with a shared secret key.
Figure 2: States and Services
Data can be exchanged between the station and AP only after a
station is associated with an AP in the infrastructure mode or with another
station in the ad hoc mode. All the APs transmit Beacon frames a few
times each second that contain the SSID, time, capabilities, supported rates,
and other information. Stations can choose to associate with an AP
based on the signal strength, etc., of each AP. Stations can have a
null SSID that is considered to match all SSIDs.
The association is a two-step process. A station that is currently
unauthenticated and unassociated listens for Beacon frames. The station selects
a BSS to join. The station and the AP mutually authenticate themselves by
exchanging Authentication management frames. The client is now
authenticated, but unassociated. In the second step, the station
sends an Association Request frame, to which the AP responds with an
Association Response frame that includes an Association ID to the
station. The station is now authenticated and associated.
A station can be authenticated with several APs at the same time,
but associated with at most one AP at any time. Association implies
authentication. There is no state where a station is associated but not
authenticated.
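The state machine just described (State 1: unauthenticated and unassociated; State 2: authenticated, unassociated; State 3: authenticated and associated) is easy to get wrong when reasoning about the Disassociation and Deauthentication frames discussed later. The following is an added example, not code from the article: a small Python model in which a station tracks its state per AP, may be authenticated with several APs but associated with at most one, and is refused an association from State 1. The class and method names are my own.

```python
"""Model of the IEEE 802.11 station states described in the article.

Added illustration; class and method names are assumptions, not from the
standard. State 1 = unauthenticated/unassociated, State 2 = authenticated/
unassociated, State 3 = authenticated/associated.
"""

UNAUTH_UNASSOC = 1
AUTH_UNASSOC = 2
AUTH_ASSOC = 3


class Station:
    """Tracks one station's state with respect to each AP (keyed by BSSID)."""

    def __init__(self, mac):
        self.mac = mac
        self.state = {}              # bssid -> state; absent means State 1
        self.association_id = None   # AID handed out in the Association Response

    def state_with(self, bssid):
        return self.state.get(bssid, UNAUTH_UNASSOC)

    def associated_ap(self):
        """A station is associated with at most one AP at any time."""
        for bssid, st in self.state.items():
            if st == AUTH_ASSOC:
                return bssid
        return None

    def authenticate(self, bssid):
        """Successful Authentication exchange: State 1 -> State 2.
        Being authenticated with several APs at once is allowed."""
        if self.state_with(bssid) == UNAUTH_UNASSOC:
            self.state[bssid] = AUTH_UNASSOC
        return self.state_with(bssid)

    def associate(self, bssid, aid):
        """Association Request/Response: State 2 -> State 3.
        Association implies authentication, so it is refused from State 1;
        joining a new AP ends the previous association."""
        if self.state_with(bssid) == UNAUTH_UNASSOC:
            raise ValueError("association attempted before authentication")
        previous = self.associated_ap()
        if previous is not None and previous != bssid:
            self.state[previous] = AUTH_UNASSOC
        self.state[bssid] = AUTH_ASSOC
        self.association_id = aid
        return self.state_with(bssid)

    def disassociate(self, bssid):
        """Disassociation: State 3 -> State 2; the station stays authenticated."""
        if self.state_with(bssid) == AUTH_ASSOC:
            self.state[bssid] = AUTH_UNASSOC
            self.association_id = None
        return self.state_with(bssid)

    def deauthenticate(self, bssid):
        """Deauthentication: any state -> State 1. Because there is no state
        'associated but not authenticated', this also ends an association."""
        self.state.pop(bssid, None)
        if self.associated_ap() is None:
            self.association_id = None
        return self.state_with(bssid)


if __name__ == "__main__":
    s = Station("00:02:2D:17:B9:E8")        # MAC format as quoted in the article
    s.authenticate("AP1"); s.authenticate("AP2")
    s.associate("AP1", 1)
    print(s.associated_ap(), s.state)      # AP1 {'AP1': 3, 'AP2': 2}
```

Feeding the model a Disassociation leaves the station in State 2, so only a Reassociation Request is needed to recover; a Deauthentication drops it to State 1, which is why the later section on forged frames treats the two differently.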
Sniffing is eavesdropping
on the network. A (packet) sniffer is a program
that intercepts and decodes network traffic broadcast through a
medium. Sniffing is the act by a machine S of making copies of a
network packet sent by machine A intended to be received by machine B.
Such sniffing, strictly speaking, is not a TCP/IP problem, but it is enabled by
the choice of broadcast media, Ethernet and 802.11, as the physical and data
link layers.
Sniffing has long been a reconnaissance technique used in wired
networks. Attackers sniff the frames necessary to enable the exploits
described in later sections. Sniffing is the underlying technique used in
tools that monitor the health of a network. Sniffing can also help
find the easy kill as in scanning for open access points that allow anyone to
connect, or capturing the passwords used in a connection session that does not
even use WEP, or in telnet, rlogin and ftp connections.
It is easier to sniff wireless networks than wired ones. It is
easy to sniff the wireless traffic of a building by setting up shop in a car
parked in a lot as far away as a mile, or while driving around the block. In a
wired network, the attacker must find a way to install a sniffer on one or more
of the hosts in the targeted subnet. Depending on the equipment used in a
LAN, a sniffer needs to be run either on the victim machine whose traffic is of
interest or on some other host in the same subnet as the victim. An
attacker at large on the Internet has other techniques that make it possible to
install a sniffer remotely on the victim machine.
Scanning is the act of sniffing while tuning the radio to the various
channels in turn. A passive network scanner instructs
the wireless card to listen on each channel for a few messages. This does
not reveal the presence of the scanner.
An attacker can passively scan without transmitting at all.
Several modes of a station permit this. There is a mode called RF
monitor mode that allows every frame appearing on a channel to be
copied as the radio of the station tunes to various channels. This is
analogous to placing a wired Ethernet card in promiscuous mode. This mode is
not enabled by default. Some wireless cards on the market today have
disabled this feature in the default firmware. One can buy wireless cards
whose firmware and corresponding driver software together permit reading of all
raw 802.11 frames. A station in monitor mode can
capture packets without associating with an AP or ad-hoc network. The
so-called promiscuous mode allows the capture of all wireless
packets of an associated network. In this mode, packets cannot be read until
authentication and association are completed.
An example sniffer is Kismet (http://www.kismetwireless.net). An example wireless card that
permits RF monitor modes is Cisco Aironet AIR-PCM342.
The attacker can discover the SSID of a network usually by passive
scanning because the SSID occurs in the following frame types: Beacon, Probe
Requests, Probe Responses, Association Requests, and Reassociation Requests.
Recall that management frames are always in the clear, even when WEP is
enabled.
On a number of APs, it is possible to configure the AP so that the SSID
transmitted in the Beacon frames is masked, or even to turn off Beacons
altogether. The SSID shown in the Beacon frames is set to null in the
hope of making the WLAN invisible unless a client already knows the correct
SSID. In such a case, a station wishing to join a WLAN begins the
association process by sending Probe Requests since it could not detect any APs
via Beacons that match its SSID.
If the Beacons are not turned off, and the SSID in them is not set
to null, an attacker obtains the SSID included in the Beacon frame by passive
scanning.
When the Beacon displays a null SSID, there are two possibilities.
Eventually, an Associate Request may appear from a legitimate station that
already has a correct SSID. To such a request, there will be an Associate
Response frame from the AP. Both frames will contain the SSID in the
clear, and the attacker sniffs these. If the station wishes to join any
available AP, it sends Probe Requests on all channels, and listens for Probe
Responses that contain the SSIDs of the APs. The station considers all
Probe Responses, just as it would have with the non-empty SSID Beacon frames,
to select an AP. Normal association then begins. The attacker waits to
sniff these Probe Responses and extract the SSIDs.
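The frame layout of Figure 1 and the point that the SSID element travels in the clear in Beacon, Probe Request/Response and (Re)Association Request frames can be made concrete with a decoder. The following is an added example, not code from the article or from any tool it names: a Python parser for the 24-byte 802.11 MAC header and the SSID information element, run over constructed frames, including a Beacon whose SSID is null and a Probe Response that still carries the name. Only the 802.11 field layout is assumed; the sample addresses, the SSID "lab-wlan" and the helper names are constructed.

```python
import struct

# Management-frame subtype codes carried in the Frame Control field.
MGMT_SUBTYPES = {
    0: "Association Request", 1: "Association Response",
    2: "Reassociation Request", 3: "Reassociation Response",
    4: "Probe Request", 5: "Probe Response", 8: "Beacon", 9: "ATIM",
    10: "Disassociation", 11: "Authentication", 12: "Deauthentication",
}
# Length of the fixed fields that precede the information elements (IEs)
# in the subtypes that carry an SSID element.
FIXED_BEFORE_IES = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}
SSID_IE = 0


def mac_str(b):
    return ":".join("%02X" % x for x in b)


def parse_mgmt_frame(frame):
    """Decode the 24-byte MAC header and, where the subtype carries one,
    the SSID element. Returns None for control and data frames."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte MAC header")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0:                      # 0 = management, 1 = control, 2 = data
        return None
    info = {
        "subtype": MGMT_SUBTYPES.get(subtype, "reserved"),
        "da": mac_str(frame[4:10]),
        "sa": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
        "ssid": None,
    }
    if subtype not in FIXED_BEFORE_IES:
        return info
    pos = 24 + FIXED_BEFORE_IES[subtype]
    while pos + 2 <= len(frame):        # walk the (id, length, data) elements
        ie_id, ie_len = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + ie_len]
        if len(data) < ie_len:
            break                       # truncated element: stop, do not guess
        if ie_id == SSID_IE:
            # A zero-length SSID element is the null (hidden) SSID case.
            info["ssid"] = data.decode("utf-8", "replace")
            break
        pos += 2 + ie_len
    return info


def build_mgmt_frame(subtype, da, sa, bssid, fixed, ssid=None):
    """Constructed test input, not a capture: header, fixed fields, SSID IE."""
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + da + sa + bssid + b"\x10\x00"
    body = fixed
    if ssid is not None:
        body += bytes([SSID_IE, len(ssid)]) + ssid
    return header + body


# Constructed sample addresses (the AP address is the example MAC quoted in
# the article) and frames.
AP = bytes.fromhex("00022D17B9E8")
STA = bytes.fromhex("000C41A1B2C3")
BCAST = b"\xff" * 6
HIDDEN_BEACON = build_mgmt_frame(8, BCAST, AP, AP, b"\x00" * 12, b"")
PROBE_RESPONSE = build_mgmt_frame(5, STA, AP, AP, b"\x00" * 12, b"lab-wlan")
REASSOC_REQUEST = build_mgmt_frame(2, AP, STA, AP, b"\x00" * 10, b"lab-wlan")
DATA_FRAME = bytes([0x08, 0]) + b"\x00\x00" + AP + STA + AP + b"\x20\x00" + b"payload"

if __name__ == "__main__":
    for f in (HIDDEN_BEACON, PROBE_RESPONSE, REASSOC_REQUEST, DATA_FRAME):
        print(parse_mgmt_frame(f))
```

The decoder reports an empty SSID for the masked Beacon but "lab-wlan" for the Probe Response and the Reassociation Request, which is exactly the observation a monitor-mode sensor (or an attacker) relies on; masking the Beacon SSID is therefore not a confidentiality control.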
If Beacon transmission is disabled, the attacker has two
choices. The attacker can keep sniffing waiting for a voluntary Associate
Request to appear from a legitimate station that already has a correct SSID and
sniff the SSID as described above. The attacker can also choose to
actively probe by injecting frames that he constructs, and then sniff the
responses as described in a later section.
When the above methods fail, SSID discovery is done by active scanning
(see Section 5).
The attacker gathers legitimate MAC addresses for use later in
constructing spoofed frames. The source and destination MAC addresses are
always in the clear in all the frames. There are two reasons why an
attacker would collect MAC addresses of stations and APs participating in a
wireless network. (1) The attacker wishes to use these values in spoofed
frames so that his station or AP is not identified. (2) The targeted AP may be
controlling access by filtering out frames with MAC addresses that were not
registered.
The goal of an attacker is to discover the WEP shared-secret
key. Often, the shared key can be discovered by guesswork based on a
certain amount of social engineering regarding the administrator who configures
the wireless LAN and all its users. Some client software stores the WEP
keys in the operating system registry or initialization scripts. In the
following, we assume that the attacker was unsuccessful in obtaining the key in
this manner. The attacker then employs systematic procedures in cracking
the WEP. For this purpose, a large number (millions) of frames need to be
collected because of the way WEP works.
The wireless device generates on the fly an Initialization Vector
(IV) of 24 bits. Adding these bits to the shared-secret key of either 40
or 104 bits, we often speak of 64-, or 128-bit encryption. WEP generates a
pseudo-random key stream from the shared secret key and the IV. The CRC-32
checksum of the plain text, known as the Integrity Check (IC) field, is
appended to the data to be sent. It is then exclusive-ORed with the
pseudo-random key stream to produce the cipher text. The IV is
appended in the clear to the cipher text and transmitted. The receiver extracts
the IV, uses the secret key to re-generate the random key stream, and
exclusive-ORs the received cipher text to yield the original plaintext.
Certain cards are so simplistic that they start their IV as 0 and
increment it by 1 for each frame, resetting in between for some
events. Even the better cards generate weak IVs from which the first
few bytes of the shared key can be computed after statistical
analyses. Some implementations generate fewer mathematically weak
vectors than others do.
The attacker sniffs a large number of frames from a single
BSS. These frames all use the same key. The mathematics behind the
systematic computation of the secret shared key from a collection of cipher
text extracted from these frames is described elsewhere in this
volume. What is needed however is a collection of frames that were
encrypted using “mathematically-weak” IVs. The number of encrypted frames that
were mathematically weak is a small percentage of all frames. In a
collection of a million frames, there may only be a hundred mathematically weak
frames. It is conceivable that the collection may take a few hours to
several days depending on how busy the WLAN is.
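To see why the IV matters, the WEP construction above (RC4 keyed with IV || secret, CRC-32 integrity check, IV sent in the clear) can be written out directly. The following is an added example, not code from the article: a Python implementation of RC4 and the WEP per-frame encryption, which demonstrates that two frames encrypted under the same IV leak the XOR of their plaintexts, and a counter that classifies IVs of the classic Fluhrer-Mantin-Shamir weak form (first byte B+3 for key byte B, second byte 0xFF), applied to a modelled card that starts its IV at 0 and counts up. The 40-bit key, the plaintexts and the IV ordering in the card model are constructed assumptions.

```python
import struct
import zlib


def rc4_keystream(key, n):
    """Standard RC4: key-scheduling then n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret, iv, plaintext):
    """WEP frame body: IV in the clear, then (plaintext || CRC-32) XOR RC4(IV || secret)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    data = plaintext + icv
    ks = rc4_keystream(iv + secret, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, ks))


def wep_decrypt(secret, body):
    """Returns (plaintext, icv_ok) for a frame body produced by wep_encrypt."""
    iv, cipher = body[:3], body[3:]
    ks = rc4_keystream(iv + secret, len(cipher))
    data = bytes(a ^ b for a, b in zip(cipher, ks))
    plaintext, icv = data[:-4], data[-4:]
    ok = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) == icv
    return plaintext, ok


def xor_of_payloads(body1, body2):
    """Two frames under one key and one IV share a keystream, so XORing the
    ciphertexts cancels it and exposes plaintext1 XOR plaintext2."""
    if body1[:3] != body2[:3]:
        raise ValueError("frames use different IVs")
    return bytes(a ^ b for a, b in zip(body1[3:], body2[3:]))


def is_fms_weak_iv(iv, secret_len):
    """Classic FMS weak-IV class (B+3, 0xFF, X), one class per secret byte B.
    This is the check that 'weak IV filtering' firmware performs."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + secret_len


def count_weak_ivs(ivs, secret_len):
    return sum(1 for iv in ivs if is_fms_weak_iv(iv, secret_len))


def counter_card_ivs(n):
    """Model (assumption) of a card that starts at IV 0 and increments by one
    per frame, with the first IV byte the most significant."""
    return [bytes(((k >> 16) & 0xFF, (k >> 8) & 0xFF, k & 0xFF)) for k in range(n)]


SAMPLE_SECRET = bytes.fromhex("0102030405")   # constructed 40-bit key

if __name__ == "__main__":
    f1 = wep_encrypt(SAMPLE_SECRET, b"\x00\x00\x01", b"hello wireless")
    f2 = wep_encrypt(SAMPLE_SECRET, b"\x00\x00\x01", b"HELLO WIRELESS")
    print(xor_of_payloads(f1, f2).hex())
    print(count_weak_ivs(counter_card_ivs(1 << 18), 13), "weak IVs in 262144 frames")
```

With only 2^24 IVs per key, a busy BSS repeats IVs within hours, and the counter model shows the weak class is roughly one frame in a thousand, which is why the attacker needs a large capture and why a defender's only real fix is a different key-management scheme rather than longer keys.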
Given a sufficient number of mathematically weak frames, the
systematic computation that exposes the bytes of the secret key is
intensive. However, an attacker can employ powerful computers. On
an average PC, this may take a few seconds to hours. The storage of the
large numbers of frames is in the several hundred megabytes to a few
gigabytes range.
Detecting the presence of a wireless sniffer, who remains
radio-silent, through network security measures is virtually impossible.
Once the attacker begins probing (i.e., by injecting packets), the presence and
the coordinates of the wireless device can be detected.
There are well-known attack techniques known as spoofing
in both wired and wireless networks. The attacker constructs frames
by filling selected fields that contain addresses or identifiers with
legitimate looking but non-existent values, or with values that belong to
others. The attacker would have collected these legitimate values through
sniffing.
The attacker generally desires to be hidden. But the probing
activity injects frames that are observable by system administrators. The
attacker fills the Sender MAC Address field of the injected frames with a
spoofed value so that his equipment is not identified.
Typical APs control access by permitting only those stations with
known MAC addresses. Either the attacker has to compromise a computer
system that has a station, or he spoofs with legitimate MAC addresses in frames
that he manufactures. MAC addresses are assigned at the time of manufacture,
but setting the MAC address of a wireless card or AP to an arbitrarily chosen
value is a simple matter of invoking an appropriate software tool that engages
in a dialog with the user and accepts values. Such tools are routinely
included when a station or AP is purchased. The attacker, however,
changes the MAC address programmatically, sends several frames with that
address, and repeats this with another MAC address. In a period of a
second, this can happen several thousand times.
When an AP is not filtering MAC addresses, there is no need for
the attacker to use legitimate MAC addresses. However, in certain
attacks, the attacker needs a larger number of MAC addresses than he
could collect by sniffing. Random MAC addresses are generated. However,
not every random sequence of six bytes is a MAC address. The IEEE assigns
globally the first three bytes, and the manufacturer chooses the last three
bytes. The officially assigned numbers are publicly available. The
attacker generates a random MAC address by selecting an IEEE-assigned three
bytes appended with an additional three random bytes.
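The structure of a MAC address described in the last two paragraphs gives a sensor two cheap checks, plus a rate check for the thousands-of-addresses-per-second behaviour mentioned above. The following is an added example, not code from the article: Python that decodes the IEEE-assigned OUI, the I/G (group) bit and the U/L (locally administered) bit of a source address, compares the OUI against a site inventory, and flags one-second buckets in which implausibly many distinct source addresses appeared. The inventory, the vendor labels, the threshold and the monitor records are constructed assumptions.

```python
from collections import defaultdict

# Constructed allowlist of IEEE-assigned OUIs taken from the site's hardware
# inventory (hypothetical labels; a real list comes from the IEEE registry
# and the asset database).
SITE_OUIS = {"00:02:2D": "vendor A (inventory)", "00:0C:41": "vendor B (inventory)"}


def parse_mac(text):
    """Accept the colon or hyphen form and return the six octets."""
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("expected six octets: %r" % text)
    return bytes(int(p, 16) for p in parts)


def classify_mac(text, site_ouis=SITE_OUIS):
    octets = parse_mac(text)
    oui = ":".join("%02X" % x for x in octets[:3])
    return {
        "oui": oui,
        # I/G bit (bit 0 of the first octet): set only for group addresses,
        # which never legitimately appear as a frame's source.
        "group": bool(octets[0] & 0x01),
        # U/L bit (bit 1 of the first octet): set when the address was
        # assigned locally (in software) rather than by the manufacturer.
        "locally_administered": bool(octets[0] & 0x02),
        "in_inventory": oui in site_ouis,
    }


def source_mac_findings(text, site_ouis=SITE_OUIS):
    """Reasons a sensor would flag this source address; empty means none."""
    c = classify_mac(text, site_ouis)
    findings = []
    if c["group"]:
        findings.append("group address used as a source")
    if c["locally_administered"]:
        findings.append("locally administered (software-set) address")
    if not c["in_inventory"]:
        findings.append("OUI %s not in site inventory" % c["oui"])
    return findings


def burst_of_sources(records, per_second=50):
    """records: constructed (timestamp_s, source_mac) pairs from a monitor.
    Returns the one-second buckets in which more distinct source addresses
    appeared than the site ever fields: the signature of rapid address cycling."""
    seen = defaultdict(set)
    for t, mac in records:
        seen[int(t)].add(mac.upper())
    return sorted(sec for sec, macs in seen.items() if len(macs) > per_second)


# Constructed monitor records: a quiet second, then one with 60 distinct sources
# that all reuse an inventory OUI, so only the rate check catches them.
SAMPLE_RECORDS = [(100.1, "00:02:2D:17:B9:E8"), (100.4, "00:0C:41:A1:B2:C3")] + [
    (101.0 + i / 1000, "00:02:2D:%02X:%02X:%02X" % (i, i ^ 0x5A, 255 - i))
    for i in range(60)
]

if __name__ == "__main__":
    for mac in ("00:02:2D:17:B9:E8", "02:02:2D:17:B9:E8", "00-1A-2B-3C-4D-5E"):
        print(mac, source_mac_findings(mac) or "ok")
    print("bursty seconds:", burst_of_sources(SAMPLE_RECORDS))
```

The OUI and U/L checks catch careless spoofing; an attacker who copies an inventory address, as the article describes, passes all three, which is why the rate check and the association-state tracking of a sensor matter more than any per-address test.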
Replacing the true IP address of the sender (or, in rare
cases, the destination) with a different address is known as IP spoofing.
This is a necessary operation in many attacks.
The IP layer of the OS simply trusts that the source address, as
it appears in an IP packet is valid. It assumes that the packet it
received indeed was sent by the host officially assigned that source address.
Because the IP layer of the OS normally adds these IP addresses to a data
packet, a spoofer must circumvent the IP layer and talk directly to the raw
network device. Note that the attacker’s machine cannot simply be
assigned the IP address of another host X using ifconfig or a similar
configuration tool. Other hosts, as well as X, will discover (through ARP, for
example) that there are two machines with the same IP address.
IP spoofing is an integral part of many attacks. For
example, an attacker can silence a host A from sending further packets to B by
sending a spoofed packet announcing a window size of zero to A as though it
originated from B.
The attacker will inject frames that are valid by 802.11
specifications, but whose content is carefully spoofed as described above.
Frames themselves are not authenticated in 802.11 networks.
So when a frame has a spoofed source address, it cannot be detected unless the
address is wholly bogus. If the frame to be spoofed is a
management or control frame, there is no encryption to deal with. If it
is a data frame, perhaps as part of an on-going MITM attack, the data payload
must be properly encrypted.
Construction of the byte stream that constitutes a spoofed frame
is a programming matter once the attacker has gathered the needed information
through sniffing and probing. There are software libraries that
ease this task. Examples of such libraries are libpcap (sourceforge.net/projects/libpcap/), libnet (libnet.sourceforge.net/), libdnet (libdnet.sourceforge.net/)
and libradiate (www.packetfactory.net/projects/libradiate/).
The difficulty here is not in the construction of the contents of
the frame, but in getting it radiated (transmitted) by the station or an
AP. This requires control over the firmware and driver of the wireless
card that may sanitize certain fields of a frame. Therefore, the attacker
selects his equipment carefully. Currently, there are off-the-shelf
wireless cards that can be manipulated. In addition, the construction of
special purpose wireless cards is within the reach of a resourceful attacker.
Even though the attacker gathers a considerable amount of
information regarding a wireless network through sniffing, without revealing
his wireless presence at all, there may still be pieces missing.
The attacker then sends artificially constructed packets to a target that
trigger useful responses. This activity is known as probing or active
scanning.
The target may discover that it is being probed; it might even be
a honey pot (www.honeynet.org/) target carefully constructed to trap the
attacker. The attacker would try to minimize this risk.
Detection of the SSID is often possible by simply sniffing Beacon
frames as described in a previous section.
If Beacon transmission is disabled, and the attacker
does not wish to patiently wait for a voluntary Associate Request to appear
from a legitimate station that already has a correct SSID, or Probe Requests
from legitimate stations, he will resort to probing by injecting a Probe
Request frame that contains a spoofed source MAC address. The Probe
Response frame from the APs will contain, in the clear, the SSID and other
information similar to that in the Beacon frames were they enabled. The
attacker sniffs these Probe Responses and extracts the SSIDs.
Some models of APs have an option to disable responding to Probe
Requests that do not contain the correct SSID. In this case, the attacker
determines a station associated with the AP, and sends the station a forged
Disassociation frame where the source MAC address is set to that of the
AP. The station will send a Reassociation Request that exposes the
SSID.
Every AP is a station, so its SSIDs and MAC addresses are gathered as
described above.
Certain bits in the frames identify that the frame is from an
AP. If we assume that WEP is either disabled or cracked, the attacker can
also gather the IP addresses of the AP and the stations.
Detection of probing is possible. The frames that an
attacker injects can also be heard by the intrusion detection systems (IDS) of
a hardened wireless LAN. There is GPS-enabled equipment that can identify
the physical coordinates of a wireless device through which the probe frames
are being transmitted.
APs have weaknesses that are both due to design mistakes and user
interfaces that promote weak passwords, etc. It has been demonstrated by
many publicly conducted war-driving efforts (www.worldwidewardrive.org) in major cities around the world that a large majority of the
deployed APs are poorly configured, most with WEP disabled, and configuration
defaults, as set up by the manufacturer, untouched.
The default WEP keys used are often too trivial. Different APs use
different techniques to convert the user's keyboard input into a bit
vector. Usually 5 or 13 ASCII printable characters are directly mapped by
concatenating their ASCII 8-bit codes into a 40-bit or 104-bit WEP key. A
stronger key can be constructed from an input of 26 hexadecimal digits. It is
possible to form an even stronger 104-bit WEP key by truncating the MD5 hash of
an arbitrary-length pass phrase.
Typical APs permit access to only those stations with known MAC
addresses. This is easily defeated by the attacker who spoofs his frames
with a MAC address that is registered with the AP from among the ones that he
collected through sniffing. That a MAC address is registered can be
detected by observing the frames from the AP to the stations.
Access points that are installed without proper authorization and
verification that overall security policy is obeyed are called rogue APs.
These are installed and used by valid users. Such APs are configured
poorly, and attackers will find them.
An attacker sets up an AP so that the targeted station receives a
stronger signal from it than what it receives from a legitimate AP. If
WEP is enabled, the attacker would have already cracked it. A legitimate
user selects the Trojan AP because of the stronger signal, authenticates and
associates. The Trojan AP is connected to a system that collects the IP
traffic for later analyses. It then transmits all the frames to a
legitimate AP so that the victim user does not recognize the on-going MITM
attack. The attacker can steal the user's password and network access, or
compromise the user's system to give himself root access. This attack is called
the Evil Twin Attack.
It is easy to build a Trojan AP because an AP is a computer system
optimized for its intended application. A general purpose PC with a
wireless card can be turned into a capable AP. An example of such
software is HostAP (http://hostap.epitest.fi/ ). Such a Trojaned AP would be
formidable.
A search on www.securityfocus.com with “access point vulnerabilities” will
show that numerous flaws in equipment from well-known manufacturers are
known. For example, one such AP crashes when a frame is sent to it that
has the spoofed source MAC address of itself. Another AP features an
embedded TFTP (Trivial File Transfer Protocol) server. By requesting a file
named config.img via TFTP, an attacker receives the binary
image of the AP configuration. The image includes the administrator’s password
required by the HTTP user interface, the WEP encryption keys, MAC address, and
SSID. Yet another AP returns the WEP keys, MAC filter list, and administrator's
password when sent a UDP packet to port 27155 containing the string "gstsearch".
It is not clear how these flaws were discovered. The following is
a likely procedure. Most manufacturers design their equipment so that its
firmware can be flashed with a new and improved one in the field. The
firmware images are downloaded from the manufacturers’ web site. The CPU
used in the APs can be easily recognized, and the firmware can be
systematically disassembled revealing the flaws at the assembly language level.
Comprehensive lists of such equipment flaws are likely circulating
among the attackers.
A denial of service (DoS) occurs when a system is
not providing services to authorized clients because of resource exhaustion by
unauthorized clients. In wireless networks, DoS attacks are difficult to
prevent, an on-going attack is difficult to stop, and the victim and its clients
may not even detect the attack. The duration of such a DoS may range from
milliseconds to hours. A DoS attack against an individual station enables
session hijacking.
A number of consumer appliances such as microwave ovens, baby
monitors, and cordless phones operate on the unregulated 2.4GHz radio
frequency. An attacker can unleash large amounts of noise using these devices
and jam the airwaves so that the signal-to-noise ratio drops so low that the
wireless LAN ceases to function. The only solution to this is RF proofing
the surrounding environment.
The AP inserts the data supplied by the station in the Association
Request into a table called the association table that the AP
maintains in its memory. The IEEE 802.11 specifies a maximum value of
2007 concurrent associations to an AP. The actual size of this table
varies among different models of APs. When this table overflows, the AP
would refuse further clients.
Having cracked WEP, an attacker authenticates several non-existing
stations using legitimate-looking but randomly generated MAC
addresses. The attacker then sends a flood of spoofed associate requests
so that the association table overflows.
Enabling MAC filtering in the AP will prevent this attack.
The attacker sends a spoofed Disassociation frame where the source
MAC address is set to that of the AP. The station is still authenticated but
needs only to reassociate and sends Reassociation Requests to the AP. The
AP may send a Reassociation Response accepting the station and the station can
then resume sending data. To prevent Reassociation, the attacker continues to
send Disassociation frames for a desired period.
The attacker monitors all raw frames collecting the source and
destination MAC addresses to verify that they are among the targeted
victims. When a data or Association Response frame is observed, the
attacker sends a spoofed Deauthentication frame where the source MAC address is
spoofed to that of the AP. The station is now unassociated and unauthenticated,
and needs to reconnect. To prevent a reconnection, the attacker continues
to send Deauthentication frames for a desired period. The attacker may
even rate limit the Deauthentication frames to avoid overloading an already
congested network.
The mischievous Disassociation and Deauthentication frames are sent
directly to the client, so these will not be logged by the AP or IDS, and
neither MAC filtering nor WEP protection will prevent them.
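Because the AP never sees frames addressed to the client, the only vantage point from which the forged Disassociation and Deauthentication frames of the two preceding subsections can be observed is a separate monitor-mode sensor, as the earlier section on detecting probing notes. The following is an added example, not code from the article or from AirJack: a Python sliding-window counter that consumes already-decoded management-frame records from such a sensor and raises one alert per (BSSID, target) pair once the count of Deauthentication/Disassociation frames in the window crosses a threshold. The window, threshold, addresses and log are constructed assumptions; the window is deliberately long so that the rate-limited variant described above is still caught.

```python
from collections import defaultdict, deque

DEAUTH, DISASSOC = "Deauthentication", "Disassociation"


class DeauthFloodDetector:
    """Sliding-window count of Deauthentication/Disassociation frames per
    (BSSID, target) pair, fed from a monitor-mode sensor that decodes the
    management-frame header (subtype, SA, DA, BSSID) and timestamps it."""

    def __init__(self, window_s=30.0, threshold=5):
        self.window_s = window_s
        self.threshold = threshold
        self.history = defaultdict(deque)   # (bssid, target) -> timestamps
        self.alerted = set()

    def observe(self, t, subtype, sa, da, bssid):
        """Feed one decoded frame. Returns an alert dict, or None."""
        if subtype not in (DEAUTH, DISASSOC):
            return None
        key = (bssid, da)
        q = self.history[key]
        q.append(t)
        while q and t - q[0] > self.window_s:   # drop frames outside the window
            q.popleft()
        if len(q) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)            # one alert per pair, not per frame
            return {"bssid": bssid, "target": da, "claimed_source": sa,
                    "count": len(q), "window_s": self.window_s,
                    "first_seen": q[0], "last_seen": t}
        return None

    def run(self, records):
        """Process a whole log and return the alerts raised."""
        return [a for a in (self.observe(*r) for r in records) if a]


AP = "00:02:2D:17:B9:E8"          # example AP address quoted in the article
VICTIM = "00:0C:41:A1:B2:C3"      # constructed station address
OTHER = "00:0C:41:00:00:77"       # constructed station address
# Constructed sensor log: a Beacon, one legitimate Disassociation of OTHER,
# then a rate-limited stream (one every 2 s) of Deauthentications that claim
# to come from the AP and are aimed at VICTIM, each followed by VICTIM's
# attempt to reconnect.
SAMPLE_LOG = sorted(
    [(0.0, "Beacon", AP, "FF:FF:FF:FF:FF:FF", AP), (1.0, DISASSOC, AP, OTHER, AP)]
    + [(5.0 + 2.0 * i, DEAUTH, AP, VICTIM, AP) for i in range(8)]
    + [(6.0 + 2.0 * i, "Reassociation Request", VICTIM, AP, AP) for i in range(8)],
    key=lambda r: r[0],
)

if __name__ == "__main__":
    for alert in DeauthFloodDetector().run(SAMPLE_LOG):
        print(alert)
```

The single legitimate Disassociation never reaches the threshold, while the stream aimed at VICTIM trips it at the fifth frame even though the frames arrive only every two seconds. A production sensor would add the reconnect churn (the repeated Reassociation Requests in the log) as a second signal and would correlate the alert with the AP's own view, where no Deauthentication was sent.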
Power conservation is important for typical station laptops, so
they frequently enter an 802.11 state called Doze. An attacker can steal
packets intended for a station while the station is in the Doze state.
The 802.11 protocol requires a station to inform the AP through a
successful frame exchange that it wishes to enter the Doze state from the
Active state.
Periodically the station awakens and sends a PS-Poll frame to the
AP. The AP will transmit in response the packets that were buffered for the
station while it was dozing. This polling frame can be spoofed by an attacker
causing the AP to send the collected packets and flush its internal
buffers. An attacker can repeat these polling messages so that when the
legitimate station periodically awakens and polls, the AP will inform it that there
are no pending packets.
Man-in-the-middle (MITM)
attack refers to the situation where an attacker on host X inserts X between
all communications between hosts B and C, and neither B nor C is aware of the
presence of X. All messages sent by B do reach C but via X, and vice
versa. The attacker can merely observe the communication or modify it
before sending it out. An MITM attack can break connections that are
otherwise secure; at the TCP level, SSH and VPN connections, for example, are
exposed to this attack.
Assume that station B was authenticated with C, a legitimate
AP. Attacker X is a laptop with two wireless
cards. Through one card, he will present X as an
AP. Attacker X sends Deauthentication frames to B using C’s MAC
address as the source, and the BSSID he has collected. B gets
deauthenticated and begins a scan for an AP and may find X on a channel
different from C. There is a race condition between X and
C. If B associates with X, the MITM attack succeeded. X
will re-transmit the frames it receives from B to C, and the frames it receives
from C to B after suitable modifications.
The package of tools called AirJack (http://802.11ninja.net/airjack/) includes a program called monkey_jack that automates the
MITM attack. It is written so that its odds of winning the race condition
mentioned above are improved.
ARP cache poisoning is an old problem in wired networks. Wired
networks have deployed mitigating techniques. But, the ARP poisoning
technique is re-enabled in the presence of APs that are connected to a
switch/hub along with other wired clients.
ARP is used to determine the MAC address of a device whose IP
address is known. The translation is performed with a table
look-up. The ARP cache fills in as the host communicates with other
hosts. If the ARP cache does not have an entry for an IP address, the
outgoing IP packet is queued, and an ARP Request packet that effectively
requests “If your IP address matches this target IP address, then please let me
know what your Ethernet address is” is broadcast. The host with the target IP
is expected to respond with an ARP Reply, which contains the MAC address of the
host. Once the table is updated because of receiving this response,
all the queued IP packets can now be sent. The entries in the table expire
after a set time in order to account for possible hardware address changes for
the same IP address. This change may have happened, e.g., due to the NIC being
replaced.
Unfortunately, ARP provides no way to verify that a response comes from
a valid host, or that a response is spurious rather than the answer to a Request
the host actually sent. ARP poisoning is an attack
technique exploiting this lack of verification. It corrupts the ARP
cache that the OS maintains with wrong MAC addresses for some IP addresses. An
attacker accomplishes this by sending an ARP Reply packet that is deliberately
constructed with a “wrong” MAC address. The ARP is a stateless
protocol. Thus, a machine receiving an ARP Reply cannot determine if the
response is due to a request it sent or not.
ARP poisoning is one of the techniques that enables the
man-in-the-middle attack. An attacker on machine X inserts himself between two
hosts B and C by (i) poisoning B so that C’s IP address is associated with X’s
MAC address, (ii) poisoning C so that B’s address is associated with X’s MAC
address, and (iii) relaying the packets X receives.
The ARP poison attack is applicable to all hosts in a subnet. Most
APs act as transparent MAC layer bridges, and so all stations associated with
it are vulnerable. If an access point is connected directly to a hub or a
switch without an intervening router/firewall, then all hosts connected to that
hub or switch are susceptible also. Note that recent devices aimed at the home
consumer market combine a network switch with four or five ports, an AP,
a router and a DSL/cable modem connecting to the Internet at large.
Internally, the AP is connected to the switch. As a result, an
attacker on a wireless station can become a MITM between two wired hosts, one
wired one wireless, or both wireless hosts.
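The ARP discussion above says that ARP is stateless and accepts any Reply, whether or not a Request was sent. The following is an added example, not code from the article: a small monitor that performs the verification ARP omits for one observed host. It parses raw Ethernet/ARP frames, remembers which IP addresses the host has asked about, accepts a Reply only when it answers such a Request, and flags Replies that are unsolicited or that would change a binding already learned. The MAC and IP addresses, and the three-frame scenario, are constructed sample values.

```python
"""ARP reply verification (added example; not code from the article).

Performs the check ARP itself omits for one observed host: accept a Reply
only if it answers a Request that host sent, and flag Replies that are
unsolicited or that would change a binding already learned.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[ArpPacket]:
    """Parse an Ethernet II frame carrying ARP for IPv4; None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpPacket(op, _mac_str(arp[8:14]), _ip_str(arp[14:18]),
                     _mac_str(arp[18:24]), _ip_str(arp[24:28]))


@dataclass
class ArpMonitor:
    """Stateful ARP bookkeeping for the host whose MAC is `our_mac`."""
    our_mac: str
    pending: Set[str] = field(default_factory=set)        # IPs we have asked about
    cache: Dict[str, str] = field(default_factory=dict)   # ip -> mac, from solicited replies only
    alerts: List[str] = field(default_factory=list)

    def observe(self, frame: bytes) -> None:
        pkt = parse_arp(frame)
        if pkt is None:
            return
        if pkt.op == ARP_REQUEST and pkt.sender_mac == self.our_mac:
            self.pending.add(pkt.target_ip)               # we are waiting for this answer
        elif pkt.op == ARP_REPLY and pkt.target_mac == self.our_mac:
            old = self.cache.get(pkt.sender_ip)
            if old is not None and old != pkt.sender_mac:
                self.alerts.append(f"binding change {pkt.sender_ip}: {old} -> {pkt.sender_mac}")
            if pkt.sender_ip not in self.pending:
                self.alerts.append(f"unsolicited reply {pkt.sender_ip} is-at {pkt.sender_mac}")
                return                                    # plain ARP would cache this; we do not
            self.pending.discard(pkt.sender_ip)
            self.cache[pkt.sender_ip] = pkt.sender_mac


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str,
              target_ip: str, dst_mac: Optional[str] = None) -> bytes:
    """Build a constructed Ethernet II + ARP frame for the demonstration."""
    mac_b = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip_b = lambda s: bytes(int(x) for x in s.split("."))
    eth = mac_b(dst_mac or target_mac) + mac_b(sender_mac) + struct.pack("!H", ETH_P_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    body += mac_b(sender_mac) + ip_b(sender_ip) + mac_b(target_mac) + ip_b(target_ip)
    return eth + body


def demo() -> ArpMonitor:
    """Constructed scenario: station B resolves gateway C, then X sends a forged Reply."""
    b_mac, c_mac, x_mac = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "de:ad:be:ef:00:01"
    mon = ArpMonitor(our_mac=b_mac)
    mon.observe(build_arp(ARP_REQUEST, b_mac, "10.0.0.2", "00:00:00:00:00:00", "10.0.0.1",
                          dst_mac="ff:ff:ff:ff:ff:ff"))                       # B asks for C
    mon.observe(build_arp(ARP_REPLY, c_mac, "10.0.0.1", b_mac, "10.0.0.2"))  # genuine answer
    mon.observe(build_arp(ARP_REPLY, x_mac, "10.0.0.1", b_mac, "10.0.0.2"))  # poisoning attempt
    return mon


if __name__ == "__main__":
    m = demo()
    print(m.cache, m.alerts)
```

The third frame produces two alerts (a binding change for 10.0.0.1 and an unsolicited reply) and leaves the cached binding for the gateway untouched; a host running plain ARP would instead overwrite the entry with X's MAC address, which is the poisoning the article describes.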
Session hijacking occurs in the context of a “user”, whether human or
computer. The user has an on-going connection with a server.
Hijacking is said to occur when an attacker causes the user to lose his
connection, and the attacker assumes his identity and privileges for a period.
An attacker disables temporarily the user’s system, say by a DoS
attack or a buffer overflow exploit. The attacker then takes the identity
of the user. The attacker now has all the access that the user has.
When he is done, he stops the DoS attack, and lets the user resume. The
user may not detect the interruption if the disruption lasts no more than a
couple of seconds. Such hijacking can be achieved by using the forged
Disassociation DoS attack.
Corporate wireless networks are often set up so that the user is
directed to an authentication server when his station attempts a connection
with an AP. After the authentication, the attacker employs the session
hijacking described above using spoofed MAC addresses.
Driving around in a vehicle, or parking at interesting places, equipped with
wireless devices and related tools with the goal of discovering
easy-to-get-into wireless networks is known as war
driving. War-drivers (http://www.wardrive.net/) define war driving as “The benign act of
locating and logging wireless access points while in motion.” This benign
act is of course useful to the attackers.
War chalking is the practice of marking sidewalks and walls with
special symbols to indicate that wireless access is nearby so that others do
not need to go through the trouble of the same discovery. A search on www.google.com with the key words “war driving maps” will
produce a large number of hits. Yahoo! Maps can show "Wi-fi
Hotspots" near an address you give.
Figure 3: War Chalking Symbols
The typical war driving equipment consists of a laptop computer
system or a PDA with a wireless card, a GPS, and a high-gain
antenna. Typical choice of an operating system is Linux or FreeBSD
where open source sniffers (e.g., Kismet) and WEP crackers (e.g., AirSnort) are
available. Similar tools (e.g., NetStumbler) that run on Windows are
available.
War drivers need to be within the range of an AP or station
located on the target network. The range depends on the transmit
output power of the AP and the card, and the gain of the antenna.
Ordinary access point antennae transmit their signals in all directions.
Often, these signals reach beyond the physical boundaries of the intended work
area, perhaps to adjacent buildings, floors, and parking lots. With the typical
30mW wireless cards intended for laptops, the range is about 300 feet, but
in 2004 there are wireless cards for laptops on the market that have 200mW.
Directional high-gain antennae and an RF-amplifier can dramatically extend the
range.
Figure 4: War Drivers' Equipment
This section describes best practices in mitigating the problems
described above.
APs should be topologically located outside the perimeter
firewalls. The wireless network segments should be treated with the
same suspicion as that for the public Internet. Additionally, it is
important to use directional antennae and physically locate them in such a way
that the radio-coverage volume is within the control of the corporation or
home.
Statistics collected by www.worldwidewardrive.org show a distressingly large percentage of APs left configured
with the defaults.
Before a wireless device is connected to the rest of the existing
network, proper configuration of the wireless device is necessary. The
APs come with a default SSID, such as “Default SSID”, “WLAN”, “Wireless”,
“Compaq”, “intel”, and “linksys”. The default passwords for the administrator
accounts that configure the AP via a web browser or SNMP are well known for all
manufacturers. A proper configuration should change these to
difficult to predict values.
Note that the SSID serves as a simple handle, not as a password,
for a wireless network. Unless the default SSID on the AP and stations is
changed, SSID broadcasts are disabled, MAC address filtering is enabled, and WEP is
enabled, an attacker can use the wireless LAN resources without even
sniffing.
The configuration via web browsing (HTTP) is provided by a
simplistic web server built into an AP. Often this configuration
interface is provided via both wired connections and wireless
connections. The web server embedded in a typical AP does not offer
secure HTTP (HTTPS), so the password that the administrator submits to the AP can be
sniffed. Web based configuration via wireless connections should be
disabled.
WEP is disabled in some organizations because the throughput is
then higher. Enabling WEP encryption forces an attacker who intends to
crack WEP to sniff a large number of frames; the higher the number of bits
in the encryption key, the larger the number of frames that must be
collected. Physical presence in the radio range of the equipment for long
periods increases the odds of the attacker's equipment being
detected. WEP should be enabled.
The IEEE 802.11 does not describe an automated way of distributing
the shared-secret keys. In large installations, the manual distribution
of keys every time they are changed is expensive. Nevertheless, the WEP
encryption keys should be changed periodically.
If the WEP is disabled, or after the WEP is cracked, the attacker
can capture all TCP/IP packets by radio-silent sniffing for later
analyses. All the wired network attacks are possible. There are real-time
tools that analyze and interpret the TCP/IP data as they arrive.
All protocols that send passwords and data in the clear must be
avoided. This includes the rlogin family, telnet, and POP3. Instead
one should use SSH and VPN.
In general, when a wireless segment is involved, one should use
end-to-end encryption at the application level in addition to enabling WEP.
A wireless intrusion detection system (WIDS) is often a
self-contained computer system with specialized hardware and software to detect
anomalous behavior. The underlying software techniques are the same
hacking techniques described above. The special wireless hardware is
more capable than the commodity wireless card, including the RF monitor mode,
detection of interference, and keeping track of signal-to-noise
ratios. It also includes GPS equipment so that rogue clients and APs
can be located. A WIDS includes one or more listening devices that
collect MAC addresses, SSIDs, features enabled on the stations, transmit
speeds, current channel, encryption status, beacon interval,
etc. Its computing engine will be powerful enough that it can
WEP-decrypt frames and dissect them into their IP and TCP components. These can
be fed into TCP/IP related intrusion detection systems.
Unknown MAC addresses are detected by maintaining a registry of
MAC addresses of known stations and APs. Frequently, a WIDS can
detect spoofed known MAC addresses because the attacker cannot control the
firmware of the wireless card well enough to insert the sequence numbers the
legitimate card would have used in the frame.
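The forged-Deauthentication DoS described earlier and the WIDS passage above together suggest what a minimal wireless IDS has to do with captured frames. The following is an added example, not code from the article or from any WIDS product: it parses 802.11 MAC headers and applies three of the checks the article attributes to a WIDS, a registry of known MAC addresses, a rate check for Deauthentication floods, and the sequence-number test for spoofed frames (a card's own counter advances in small steps, while frames injected under a borrowed address carry a different counter). Frames are constructed inline; in a deployment they would come from a card in RF monitor mode, which is assumed and not shown. The MAC addresses, timestamps and thresholds are constructed sample values.

```python
"""Minimal WIDS checks on 802.11 MAC headers (added example; not from the article).

Three checks: unknown-MAC registry, Deauthentication flood rate, and the
sequence-number test for frames sent under a spoofed source address.
"""
import struct
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_BEACON, SUBTYPE_DEAUTH = 8, 12
SEQ_MODULO = 4096                      # the sequence number is a 12-bit counter


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def parse_header(frame: bytes) -> Tuple[int, int, str, str, str, int]:
    """Return (type, subtype, addr1, addr2, addr3, seq) from a 24-byte 802.11 MAC header."""
    fc, _duration = struct.unpack("<HH", frame[:4])     # frame control is little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    seq_ctrl = struct.unpack("<H", frame[22:24])[0]
    return (ftype, subtype, _mac_str(frame[4:10]), _mac_str(frame[10:16]),
            _mac_str(frame[16:22]), seq_ctrl >> 4)      # low 4 bits are the fragment number


def build_frame(ftype: int, subtype: int, addr1: str, addr2: str, addr3: str, seq: int) -> bytes:
    """Constructed 24-byte header (no body or FCS) for the demonstration."""
    fc = (ftype << 2) | (subtype << 4)
    seq_ctrl = (seq % SEQ_MODULO) << 4
    return (struct.pack("<HH", fc, 0) + _mac_bytes(addr1) + _mac_bytes(addr2)
            + _mac_bytes(addr3) + struct.pack("<H", seq_ctrl))


class Wids:
    def __init__(self, known_macs, deauth_limit: int = 10, window: float = 1.0,
                 seq_tolerance: int = 64):
        self.known = set(known_macs)                    # registry of known stations and APs
        self.deauth_limit, self.window, self.seq_tolerance = deauth_limit, window, seq_tolerance
        self.last_seq: Dict[str, int] = {}              # transmitter -> last sequence number seen
        self.deauths: Dict[str, Deque[float]] = defaultdict(deque)
        self.alerts: List[Tuple[float, str, str]] = []

    def observe(self, ts: float, frame: bytes) -> None:
        ftype, subtype, _addr1, addr2, _addr3, seq = parse_header(frame)
        if addr2 not in self.known:                     # registry check on the transmitter
            self.alerts.append((ts, "unknown-mac", addr2))
        prev = self.last_seq.get(addr2)                 # sequence-number check: small forward steps
        if prev is not None and (seq - prev) % SEQ_MODULO > self.seq_tolerance:
            self.alerts.append((ts, "seq-anomaly", f"{addr2} {prev}->{seq}"))
        self.last_seq[addr2] = seq
        if ftype == TYPE_MGMT and subtype == SUBTYPE_DEAUTH:   # flood check per transmitter
            q = self.deauths[addr2]
            q.append(ts)
            while q and ts - q[0] > self.window:
                q.popleft()
            if len(q) == self.deauth_limit:             # alert once, as the limit is crossed
                self.alerts.append((ts, "deauth-flood", addr2))


def demo() -> List[str]:
    """Constructed trace: genuine beacons, one unknown station, a deauth flood under the AP's address."""
    ap, sta, rogue, bcast = ("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55",
                             "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff")
    w = Wids(known_macs=[ap, sta])
    for i, seq in enumerate((100, 101, 102)):           # the AP's own counter
        w.observe(0.00 + 0.01 * i, build_frame(TYPE_MGMT, SUBTYPE_BEACON, bcast, ap, ap, seq))
    w.observe(0.03, build_frame(TYPE_DATA, 0, ap, sta, ap, 10))
    w.observe(0.04, build_frame(TYPE_DATA, 0, ap, rogue, ap, 7))
    for i in range(12):                                 # injected frames carry another counter
        w.observe(0.05 + 0.01 * i, build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, sta, ap, ap, 3000 + i))
    w.observe(0.30, build_frame(TYPE_MGMT, SUBTYPE_BEACON, bcast, ap, ap, 103))
    return [kind for _ts, kind, _detail in w.alerts]


if __name__ == "__main__":
    print(demo())
```

The trace yields four alerts in order: the unknown transmitter, the jump from the AP's counter to the injector's counter on the first forged frame, the flood once ten Deauthentications arrive inside the window, and a second jump when the genuine AP's next beacon resumes its own counter. The sequence test is a heuristic: retransmissions and legitimate counter resets also move the counter, so the tolerance and the decision to alert rather than block are deployment choices.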
Periodically, every wireless network should be
audited. Several audit firms provide this service for a
fee. A security audit begins with a well-established security
policy. A policy for wireless networks should include a description
of the geographical volume of coverage. The main goal of an audit is
to verify that there are no violations of the policy. To this end,
the typical auditor employs the tools and techniques of an attacker.
Many improvements in wireless network technology are proposed
through proprietary channels (e.g., Cisco Lightweight Extensible Authentication
Protocol) as well as through the IEEE. The new IEEE 802.11i
(ratified in June 2004) enhances the current 802.11 standard to provide
improvements in security. These include Port Based Access Control
for authentication, Temporal Key Integrity Protocol for dynamic changing of
encryption keys, and Wireless Robust Authentication protocol. Wi-Fi
Protected Access (WPA), an interim solution proposed by vendors and a
subset of 802.11i, is only now becoming available in some products. Time
will tell if these can withstand future attacks.
Below we describe a collection of cost-free tools that can be used
both as attack tools and as audit tools.
- AirJack (http://802.11ninja.net/airjack/) is a collection of wireless card drivers and related
programs. It includes a program called monkey_jack that automates the
MITM attack. Wlan_jack is a DoS tool that accepts a target source
and BSSID to send continuous deauthenticate frames to a single client or an
entire network (broadcast address). Essid_jack sends a disassociate frame to a target
client in order to force the client to reassociate with the network, thereby
giving up the network SSID.
- AirSnort (www.airsnort.shmoo.com) can break WEP by passively monitoring
transmissions and computing the encryption key when enough packets have
been gathered.
- Ethereal (www.ethereal.com) is a LAN analyzer, including
wireless. One can interactively browse the capture data,
viewing summary and detail information for all observed wireless traffic.
- FakeAP (www.blackalchemy.to/project/fakeap) can generate thousands of counterfeit 802.11b access
points.
- HostAP (www.hostap.epitest.fi) converts a station that is based on Intersil's
Prism2/2.5/3 chipset to function as an access point.
- Kismet (www.kismetwireless.net) is a wireless sniffer and monitor. It
passively monitors wireless traffic and dissects frames to identify SSIDs,
MAC addresses, channels and connection speeds.
- Netstumbler (www.netstumbler.com) is a wireless access point identifier running on
Windows. It listens for SSIDs and sends beacons as probes
searching for access points.
- Prismstumbler (prismstumbler.sourceforge.net/) can find wireless networks. It constantly
switches channels and monitors frames received.
- The Hacker’s Choice
organization (www.thc.org) has a LEAP Cracker Tool suite that contains tools to
break Cisco LEAP. It also has tools for spoofing authentication
challenge-packets from an AP. Its WarDrive is a tool for mapping a city
for wireless networks with a GPS device.
- StumbVerter (www.sonar-security.com/sv.html) is a tool that reads NetStumbler's collected data
files and presents street maps showing the logged WAPs as icons, whose
color and shape indicate WEP mode and signal strength.
- Wellenreiter (http://www.wellenreiter.net/) is a WLAN discovery tool. It uses brute
force to identify low traffic access points while hiding the real MAC
address of the card it uses. It is integrated with GPS.
- WEPcrack (www.wepcrack.sourceforge.net) cracks 802.11 WEP encryption keys using weaknesses of
RC4 key scheduling.
This article is an introduction to the techniques an attacker
would use on wireless networks. Regardless of the protocols, wireless
networks will remain potentially insecure because an attacker can listen in
without gaining physical access. In addition, the protocol designs
were security-naïve. We have pointed out several existing tools that
implement attack techniques that exploit the weaknesses in the protocol
designs. The integration of wireless networks into existing networks
also has been carelessly done. We pointed out several best practices
that can mitigate the insecurities.
AP: Access Point. Any entity that has station
functionality and provides access to the distribution services, via the
wireless medium for associated stations.
Association Table: The Association table is within an AP and
controls the routing of all packets between the Access Point and the wireless
devices in a WLAN.
Basic Service Set: BSS is a collection, or set, of
stations that are logically associated with each other and controlled by a
single AP. Together, they operate as a fully connected wireless network.
Basic Service Set Identifier (BSSID): A 48-bit identifier used by
all stations in a Basic Service Set as part of the frame header.
Beacon: A wireless LAN frame broadcast by access points that
signals their availability.
Evil Twin Attack: An unauthorized AP whose goal is to masquerade
as an existing legitimate/authorized AP is called an Evil Twin. The
evil twin AP is designed and located so that client stations receive stronger
signals from it. Legitimate users are lured into the evil twin, and
unknowingly give away user IDs and passwords.
Independent BSS: An IBSS is usually an ad-hoc network. In an IBSS,
all of the stations are responsible for sending beacons.
IDS: Intrusion detection system.
MITM: Man in the middle. See Section 8.
Service Set Identifier (SSID): All APs and stations within the
same wireless network use an identifier that is up to 32-bytes long.
Social Engineering: Social engineering is a term, coined in jest,
that refers to all non-technical methods of collecting information about a
person so that the passwords the person may use can be predicted. The
methods of collection range from dumpster diving and analyzing publicly
available information to making phone calls impersonating others.
STA: A wireless station.
WEP: Wired Equivalent Privacy (WEP) is a shared-secret key
encryption system used to encrypt packets transmitted between a station and an
AP.
The following is a list of other articles in the handbook related
to wireless networks. Article numbers are as in the Handbook TOC.
26. Radio Frequency and Wireless Communications Security
27. Propagation Characteristics of Wireless Channels
43. Wireless Local Area Networks
44. Security Issues in Wireless Sensor Networks
46. Mobile IP (Internet Protocol)
48. TCP (Transmission Control Protocol) over Wireless Links
50. Wireless Internet
56. PKI (Public Key Infrastructure)
67. Wireless Application Protocol (WAP)
68. Wireless Networks Standards and Protocol (802.11)
74. Wireless Information Warfare
142. Hacking Techniques in Wireless Networks (mine)
150. Wireless Threats and Attacks
151. WEP (Wired Equivalent Privacy) Security
152. Wireless Security
153. Cracking WEP (Wired Equivalent Privacy)
- John Bellardo and Stefan
Savage, “802.11 Denial-of-Service Attacks: Real Vulnerabilities and
Practical Solutions”, 2003, Usenix 2003 Proceedings. http://www.cs.ucsd.edu/users/savage/papers/UsenixSec03.pdf Retrieved Jan 20, 2004.
- Jon Edney and William A.
Arbaugh, Real 802.11 Security: Wi-Fi Protected Access and 802.11i,
480 pages, Addison Wesley, 2003, ISBN: 0-321-13620-9
- Jamil Farshchi, Wireless
Intrusion Detection Systems, November 5, 2003, http://www.securityfocus.com/infocus/1742 Retrieved Jan 20, 2004
- Bob Fleck and Jordan Dimov,
"Wireless Access Points and ARP Poisoning: Wireless vulnerabilities
that expose the wired network," October 2001. http://www.cigitallabs.com/resources/papers/download/arppoison.pdf. Retrieved on Jan 20, 2004.
- Rob Flickenger, Wireless
Hacks: 100 Industrial-Strength Tips & Tools, 286 pages, O'Reilly
& Associates, September 2003, ISBN: 0-596-00559-8
- Matthew S. Gast, 802.11
Wireless Networks: The Definitive Guide, 464 pages, O’Reilly &
Associates, April 2002, ISBN: 0596001835.
- Vikram Gupta, Srikanth
Krishnamurthy, and Michalis Faloutsos, “Denial of Service Attacks at the
MAC Layer in Wireless Ad Hoc Networks”, Proceedings of 2002 MILCOM
Conference, Anaheim, CA, October 2002.
- Chris Hurley, Michael Puchol,
Russ Rogers, and Frank Thornton, WarDriving: Drive, Detect,
Defend, A Guide to Wireless Security, ISBN: 1931836035, Syngress,
2004.
- IEEE, IEEE 802.11
standards documents, http://standards.ieee.org/wireless/. Retrieved Jan 20, 2004
- Tom Karygiannis and Les Owens,
Wireless Network Security: 802.11, Bluetooth and Handheld Devices,
National Institute of Standards and Technology Special Publication 800-48,
November 2002. http://cs-www.ncsl.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf. Retrieved Jan 20, 2004
- Prabhaker Mateti, TCP/IP Suite,
The Internet Encyclopedia, Hossein Bidgoli (Editor), John Wiley 2003, ISBN
0471222011.
- Robert Moskowitz, “Debunking
the Myth of SSID Hiding”, Retrieved on March 10, 2004. http://www.icsalabs.com/html/communities/WLAN/wp_ssid_hiding.pdf.
- Bruce Potter and Bob
Fleck, 802.11 Security, O'Reilly & Associates, 2002; ISBN:
0-596-00290-4.
- William Stallings, Wireless
Communications & Networks, Prentice Hall, 2001, ISBN: 0130408646.
- War-chalking, http://www.warchalking.org/. Retrieved Jan 20, 2004.
- Joshua Wright, “Detecting
Wireless LAN MAC Address Spoofing”, Retrieved on Jan 20, 2004. http://home.jwu.edu/jwright/
Stallings’ book is a broad introduction to wireless communications
including electrical signal theory, TCP/IP suite, IEEE 802.11 and
Bluetooth. Gast’s book is devoted to 802.11. The report
by Karygiannis and Les Owens is a gentle introduction to wireless
security. Potter and Fleck's book is about network security in
general in spite of its title, and covers several Unix-like OS. The book by
Edney and Arbaugh is an advanced technical book aimed at wireless networking
professionals and covers 802.11i and WPA.
The website 802.11-security.com/ is a rich collection of links. The
site at en.wikipedia.org/wiki/IEEE_802.11 shows promise that it will become a living
free encyclopedia on wireless networks.
BY Piyush Manral