9. Industry Organizations
IEEE
The IEEE is a nonprofit organization responsible for generating a variety of technology standards. Most important of these to us is the 802.11 standard.
Wi-Fi Alliance
The Wi-Fi Alliance is responsible for many WLAN interoperability certifications, such as WPA, WPA2 and WPA3.
IETF
The IETF is responsible for creating Internet standards and promoting Internet technology and usage through the adoption of Request for Comment (RFC) documents.
10. Wi-Fi Alliance Certification Process
[Diagram labels: WLAN Manufacturers; IEEE 2012 Specs; Proprietary Protocols and Feature Sets; Products From Wireless Industry; Bypass Compliance Testing; Wi-Fi Alliance Compliance Assurance Programs; Consumer Market]
12. Home Office Security
◎ Typically consist of one wireless AP and a limited number of devices that associate to the network
◎ WPA2/WPA3 passphrase is adequate
◎ As a best practice, reconfigure the WLAN AP or router to use a strong passphrase
13. Small Business Security
◎ Small business Wi-Fi may be controller-based or cloud-based, which provide the opportunity to use stronger security mechanisms such as 802.1X/EAP
◎ Small business security should consider using only WPA2/WPA3 for CCMP/AES and not TKIP/RC4
14. Large Enterprise Security
◎ At this scale, security needs are much more policy-driven and granular than in small networks
◎ May use port-based access control
○ Virtual ports used within the AP
◎ Should not rely on the WPA2/WPA3 authentication and encryption provided by the WLAN as your only security
○ Security should be properly implemented throughout the network (layered security)
15. OSI Model Security
Security techniques work at various levels of the OSI model from the lowest, the Physical layer, to the highest, the Application layer.
16. OSI Model Security
Application Layer
Use of secure applications assists in network security.
Network (IP) Layer
Use of secure infrastructures and protocols. One common way is to use a VPN.
Data Link (MAC) Layer
Data encryption and authentication should be used. Encryption must occur within the data payload of the data frames that traverse the air. Layer 2 security types include WEP, TKIP/RC4, CCMP/AES, and 802.1X/EAP.
Physical Layer
Monitoring and alert systems should be used. Potential vulnerabilities include eavesdropping on unsecured communications and intentional RF interference (jamming).
18. “If you do not need a particular technology or capability for some beneficial business purpose, do not use it or leave it in place for others to use.”
20. One Simple Attack Scenario
Imagine an individual posing as a copy machine repair person. He pulls out a small-footprint tablet or laptop PC and connects it to the Ethernet port in the office.
21. One Simple Attack Scenario
◎ He notices that the port is active, so he opens a command prompt and types the command ipconfig /renew to see if a DHCP server is available on the network
◎ The attacker now has an IP address on your network, along with additional information like gateway (router), subnet mask, and DNS servers in use
22. One Simple Attack Scenario
◎ The next step might be to begin looking for devices to access on the network, using a scanning tool such as nmap
24. One Simple Attack Scenario
◎ The attacker runs a script that tries to connect to port 80 using HTTP on all the discovered devices
◎ The attacker can reasonably assume that these might be infrastructure devices like switches or APs, which could potentially be configured through a web interface on printers
25. One Simple Attack Scenario
◎ Even if he did not know the default credentials, he could easily look them up online, where many lists of network default information are openly shared
◎ Attack surface reduction, applied to this scenario, demands that the Ethernet port in the spare office be disabled until it is needed
27. Wireless Traversal Points
◎ After the data has traveled the network to its final destination, it is processed in some way
◎ In many cases, the data is stored in live storage. It has two points of access
○ Network
○ Storage device
◎ Attacker may breach the network access portion of your security
○ You should use secure authorization at the point of live storage (permissions)
29. IEEE 802 vs OSI
[Diagram: the OSI layers (Physical, Data Link, Network, Transport, Session, Presentation, Application) beside the IEEE 802 Reference Model (Physical, Medium Access Control, Logical Link Control)]
30. 802.11 Frame with WPA2 Header (Simplified)
◎ Frame Control: specifies frame type and further details
◎ Addr 1: MAC address of wireless host or AP to receive this frame
◎ Addr 2: MAC address of wireless host or AP transmitting this frame
◎ Addr 3: MAC address of router interface to which AP is attached
◎ Key ID, Packet Number: Packet Number stores the replay counter, KeyID identifies which key is used
◎ MSDU
◎ FCS: used to detect errors
32. IEEE 802.11 Network Components and Architectural Model
[Diagram label: Distribution System (DS)]
33. IEEE 802.11 Services
Service | Provider | Used to Support
Association | Distribution system | MSDU delivery
Authentication | Station | LAN access and security
Deauthentication | Station | LAN access and security
Disassociation | Distribution system | MSDU delivery
Distribution | Distribution system | MSDU delivery
Integration | Distribution system | MSDU delivery
MSDU delivery | Station | MSDU delivery
Privacy | Station | LAN access and security
Reassociation | Distribution system | MSDU delivery
34. Distribution of Messages Within a DS
◎ Distribution service
○ Used to exchange MAC frames from station in one BSS to station in another BSS
◎ Integration service
○ Transfer of data between station on IEEE 802.11 LAN and station on integrated IEEE 802.x LAN
35. Transition Types Based On Mobility
◎ No transition
○ Stationary or moves only within BSS
◎ BSS transition
○ Station moving from one BSS to another BSS in same ESS
◎ ESS transition
○ Station moving from BSS in one ESS to BSS within another ESS
36. Association-Related Services
◎ Association
○ Establishes initial association between station and AP
◎ Reassociation
○ Enables transfer of association from one AP to another, allowing station to move from one BSS to another
◎ Disassociation
○ Association termination notice from station or AP
37. IEEE 802.11i Wireless LAN Security
The significant differences between wired and wireless LANs suggest the increased need for robust security services and mechanisms for wireless LANs.
39. Access and Privacy Services
◎ Authentication
○ Establishes identity of stations to each other
◎ Deauthentication
○ Invoked when existing authentication is terminated
40. Access and Privacy Services
◎ Access control
○ Enforces the use of the authentication function, routes the messages properly, and facilitates key exchange
◎ Privacy
○ Prevents message contents from being read by unintended recipient
43. Security Capabilities
◎ STA and AP decide on specific techniques in the following areas
○ Confidentiality and MPDU integrity protocols for protecting unicast traffic
○ Authentication method
○ Cryptography key management approach
◎ Confidentiality and integrity protocols for protecting multicast/broadcast traffic are dictated by the AP
44. Security Capabilities
◎ The options for the confidentiality and integrity cipher suite are
○ WEP, with either a 40-bit or 104-bit key, which allows backward compatibility with older IEEE 802.11 implementations
○ TKIP
○ CCMP
○ Vendor-specific methods
46. Network and Security Capability Discovery
AP periodically broadcasts its security capabilities in a specific channel through the Beacon frame.
STA → AP: Probe request (station sends a request to join network)
AP → STA: Probe response
47. Open System Authentication
STA → AP: Probe request (station sends a request to join network)
AP → STA: Probe response
STA → AP: Open system authentication request (station sends a request to perform null authentication)
AP → STA: Open system authentication response
Open system authentication provides no security; it is simply to maintain backward compatibility with the IEEE 802.11 state machine.
48. Association
STA → AP: Probe request (station sends a request to join network)
AP → STA: Probe response
STA → AP: Open system authentication request (station sends a request to perform null authentication)
AP → STA: Open system authentication response
STA → AP: Association request (station sends a request to associate with AP with security parameters)
AP → STA: Association response (AP sends the associated security parameters)
Station sets selected security parameters.
If there is no match in capabilities between the AP and the STA, the AP refuses the Association Request and STA blocks controlled ports.
51. AAA
Authentication
Authentication can be accomplished in a variety of ways including username/password pair and user certificates.
Authorization
Authentication confirms a user’s identity, and authorization provides access to network resources according to policy.
Accounting
Accounting includes monitoring, analysis, and reporting of network events.
52. Mutual Authentication
◎ IETF requires support for mutual authentication in the creation of a robust security network association (RSNA)
◎ If the server is authenticating the client, but the client is not authenticating the server, evil twin attacks and other impersonation attacks are much easier
57. MPDU Exchange
Connect to AS
The STA sends a request to its AP for connection to the AS. The AP acknowledges this request and sends an access request to the AS.
EAP exchange
This exchange authenticates the STA and AS to each other.
Secure key delivery
Once authentication is established, the AS generates a master session key (MSK) and sends it to the STA.
58. Typical 802.1X Exchange on 802.11
Participants: STA, AP, Radius
1: EAPOL-Start (STA → AP)
2: Request/Identity (AP → STA)
3: Response Identity (STA → AP), then Radius-Access-Request (AP → Radius)
4: Radius-Access-Challenge (Radius → AP), then EAP-Request/Method (AP → STA)
5: EAP-Response/Method (STA → AP), then Radius-Access-Request (AP → Radius)
... (further rounds of Radius-Access-Challenge, EAP-Request/Method, EAP-Response/Method and Radius-Access-Request)
6: Radius-Access-Accept (Radius → AP), then EAP-Success (AP → STA)
7: EAPOL-Key
8: Data
......
9: EAPOL-Logoff
64. Wired Equivalent Privacy (WEP)
WEP is a security algorithm for IEEE 802.11 wireless networks, introduced as part of the original 802.11 standard ratified in 1997. WEP was at one time widely in use and was often the first security choice presented to users by router configuration tools.
65. WEP Cryptographic Operations
[Diagram: CRC32 is computed over the User Data to give User Data + ICV; the Initialization Vector (IV) and the WEP Key (WEP Key + IV) feed RC4; the output frame carries the IV and the Encrypted Data]
66. WEP weaknesses
◎ 802.11 allows for using a different IV for each frame, but it is not required
◎ WEP uses CRC that is not cryptographically secure
○ It is easy to predict how changing a single bit will affect the result of the CRC calculation
◎ In 2001, Fluhrer, Mantin and Shamir published the paper “Weaknesses in the Key Scheduling Algorithm of RC4”
○ FMS attack assumes the ability to recover the first byte of the encrypted payload
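The CRC point above, as an added Python check (not from the original deck): the change in a CRC32 ICV caused by flipping a bit depends only on the bit position and the message length, while a keyed MAC shows no such relation. The sample payloads, the key and all function names are constructed for this example.

```python
import hashlib
import hmac
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def single_bit_mask(length: int, bit: int) -> bytes:
    """All-zero string of `length` bytes with exactly one bit set."""
    mask = bytearray(length)
    mask[bit // 8] = 1 << (bit % 8)
    return bytes(mask)


def crc_delta(mask: bytes) -> int:
    """Change in CRC32 caused by XORing `mask` into ANY message of that length.

    CRC32 is affine: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros), so the delta
    is computed here without the message and without any key.
    """
    return zlib.crc32(mask) ^ zlib.crc32(bytes(len(mask)))


def crc_change_predicted(message: bytes, mask: bytes) -> bool:
    return zlib.crc32(xor(message, mask)) == zlib.crc32(message) ^ crc_delta(mask)


def keyed_tag(key: bytes, message: bytes) -> bytes:
    # A keyed MAC for comparison (HMAC-SHA256, chosen for this example).
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_change_predicted(key: bytes, message: bytes, mask: bytes) -> bool:
    # The same "linear" guess, attempted against the keyed tag.
    guess = xor(xor(keyed_tag(key, message), keyed_tag(key, mask)),
                keyed_tag(key, bytes(len(mask))))
    return keyed_tag(key, xor(message, mask)) == guess


# Constructed sample payloads and key (not taken from any capture).
SAMPLES = [b"constructed frame payload A",
           b"another constructed payload",
           b"\x00\x01\x02\x03 short"]
KEY = b"constructed integrity key"


def survey() -> dict:
    """Flip every single bit of every sample and count correct predictions."""
    trials = crc_hits = mac_hits = 0
    for message in SAMPLES:
        for bit in range(len(message) * 8):
            mask = single_bit_mask(len(message), bit)
            trials += 1
            crc_hits += crc_change_predicted(message, mask)
            mac_hits += mac_change_predicted(KEY, message, mask)
    return {"trials": trials, "crc_hits": crc_hits, "mac_hits": mac_hits}


if __name__ == "__main__":
    print(survey())
```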
67. The Temporal Key Integrity Protocol (TKIP)
The major motivation for the development of TKIP was to upgrade the security of WEP-based hardware. TKIP retains the basic architecture and operations of WEP because it was designed to be a software upgrade to WEP-based solutions.
68. TKIP, IV Use and Key Mixing
◎ To mitigate the attacks against IV, TKIP doubles the length of the IV from 24 to 48 bits
○ Increase the size of IV space from 16 million to 281 trillion
◎ TKIP performs key mixing to mitigate attacks against WEP
○ Every frame is encrypted with an RC4 key unique to that frame
○ Extends IV (incorporating sending MAC address)
69. TKIP Sequence Number and Replay Protection
◎ TKIP IV serves as a sequence counter
○ When a new master key is installed the IV/sequence counter is set to 1
◎ TKIP maintains the most recent sequence counter value received from each station
○ It defends against replay attacks
70. The Michael Integrity Check
◎ WEP’s integrity check is a linear hash value
○ Unsuitable for cryptographic operations
◎ Michael is stronger than a simple linear hash
◎ Michael is implemented entirely with bitwise operations
○ It is better than CRC but it does not offer security against a determined attack
71. TKIP Frame Processing Encryption
[Diagram labels: Michael, with inputs User Data, MIC Key, Transmitted Address (TA), Destination Address (DA) and Priority Field, and output MIC + User Data Message; Phase 1 Key Mixing, with inputs Transmitted Address (TA) and Temporal Key (TK); Phase 2 Key Mixing; 48-bit IV; Key; RC4]
72. Counter Mode with CBC-MAC (CCMP)
CCMP is an encryption protocol designed for Wireless LAN products that implements the standards of the IEEE 802.11i amendment. It is based upon the Counter Mode with CBC-MAC (CCM mode) of the Advanced Encryption Standard (AES).
73. CCMP Frame Processing Encryption
[Diagram labels: Plaintext MPDU; MAC Header; Construct Additional Authentication Data; Increment Packet Number (PN); Construct Nonce (MAC_send, Priority); Construct CCMP Header (PN, Key ID); TK; CCM Enc; Data; ||; Encrypted MPDU]
74. CCM Encryption and Integrity
[Diagram labels: a frame of Header, Data (128-bit blocks), MIC and FCS; Integrity Check as a chain of AES blocks starting from the IV and keyed with the Data Integrity Key, producing the MIC; Encryption as AES blocks driven by CTR and keyed with the Data Encryption Key]
75. CCMP Encryption and Integrity
[Diagram labels: a frame of Header, Data (128-bit blocks), MIC and FCS; Integrity Check as a chain of AES blocks starting from the IV and keyed with the Data Integrity Key, producing the MIC; Encryption as AES blocks driven by CTR and keyed with the Data Encryption Key]
IV = Flag1 || Flag || MAC_send || Nonce || Length(Data + Plaintext)_16
CTR = Flag2 || Flag || MAC_send || Nonce || 0_16
Nonce = PRF (Random Number, “InitCounter”, MAC_send || Time, 256)
77. Key Management Phase
Pairwise Keys
Pairwise keys are used for communication between STA and AP. There are two possibilities:
◎ pre-shared key (PSK)
◎ master session key (MSK)
A pairwise master key (PMK) is derived from the master key.
Group Keys
Group keys are used for multicast communication. At the top level of the group key hierarchy is the group master key (GMK). The GMK is a key-generating key used with other inputs to derive the group temporal key (GTK).
79. Derive the PTK (for CCMP)
PTK = PRF (PMK, “Pairwise key expansion”, min (AMAC, SMAC) || max (AMAC, SMAC) || min (ANonce, SNonce) || max (ANonce, SNonce), 384)
80. IEEE 802.11i Pseudorandom Function
PRF (K, A, B, Len):
    R = null
    for i = 0 to ((Len + 159)/160 − 1)
        R = R || HMAC-SHA1 (K, A || 0 || B || i)
    return Truncate-to-Len (R, Len)
[Diagram: HMAC-SHA1 keyed with K over A || 0 || B || i, with i incremented on each round: R = HMAC-SHA1(K, A || 0 || B || i)]
82. 4-way handshake
(optional 802.1X authentication)
Msg1, AP → STA: AMAC, ANonce, sn, Msg1. The STA derives the PTK.
Msg2, STA → AP: SMAC, SNonce, sn, Msg2, MIC_KCK(SNonce, sn, Msg2). The AP derives the PTK and verifies the MIC.
PTK = PRF (PMK, “Pairwise key expansion”, min (AMAC, SMAC) || max (AMAC, SMAC) || min (ANonce, SNonce) || max (ANonce, SNonce), 384 [key length])
83. 4-way handshake
(optional 802.1X authentication)
Msg1, AP → STA: AMAC, ANonce, sn, Msg1. The STA derives the PTK.
Msg2, STA → AP: SMAC, SNonce, sn, Msg2, MIC_KCK(SNonce, sn, Msg2). The AP derives the PTK and verifies the MIC.
Msg3, AP → STA: AMAC, ANonce, sn+1, Msg3, Enc_KEK(GTK), MIC_KCK(ANonce, sn+1, Msg3). The STA verifies the MIC, installs the PTK & GTK and updates sn.
Msg4, STA → AP: SMAC, SNonce, sn+1, Msg4, MIC_KCK(sn+1, Msg4). The AP installs the PTK and updates sn.
Encrypted data frames can now be exchanged.
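The PRF and PTK derivation from slides 79 to 83, as an added Python example (not code from the original deck): both sides derive the PTK from the PMK, and each MIC check fails when the other side does not hold the same PMK. The MAC addresses, nonces and PMK are constructed values, and `mic` is a simplified HMAC-SHA1 over a constructed message body rather than over a real EAPOL-Key frame.

```python
import hashlib
import hmac


def prf(key: bytes, label: bytes, data: bytes, length_bits: int) -> bytes:
    """PRF(K, A, B, Len) from the slide: R = R || HMAC-SHA1(K, A || 0 || B || i)."""
    out = b""
    for i in range((length_bits + 159) // 160):
        block = label + b"\x00" + data + bytes([i])  # A || 0 || B || i
        out += hmac.new(key, block, hashlib.sha1).digest()
    return out[: length_bits // 8]  # Truncate-to-Len


def derive_ptk(pmk: bytes, amac: bytes, smac: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """384-bit PTK for CCMP, split into KCK, KEK and TK (128 bits each)."""
    data = (min(amac, smac) + max(amac, smac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def mic(kck: bytes, message: bytes) -> bytes:
    # Simplification: HMAC-SHA1 truncated to 128 bits over a constructed
    # message body, standing in for the MIC over the real EAPOL-Key frame.
    return hmac.new(kck, message, hashlib.sha1).digest()[:16]


# Constructed sample values (not from a real capture).
AMAC = bytes.fromhex("02aabbccdd01")
SMAC = bytes.fromhex("02aabbccdd02")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def run_handshake(pmk_ap: bytes, pmk_sta: bytes) -> dict:
    """Msg1 to Msg3 of the 4-way handshake; each side checks the other's MIC."""
    # Msg1 (AP -> STA): AMAC, ANonce, sn. The STA can now derive its PTK.
    sta = derive_ptk(pmk_sta, AMAC, SMAC, ANONCE, SNONCE)
    # Msg2 (STA -> AP): SMAC, SNonce, sn, MIC_KCK. The AP derives and verifies.
    msg2 = SMAC + SNONCE + (1).to_bytes(8, "big") + b"Msg2"
    msg2_mic = mic(sta["KCK"], msg2)
    ap = derive_ptk(pmk_ap, AMAC, SMAC, ANONCE, SNONCE)
    ap_accepts = hmac.compare_digest(mic(ap["KCK"], msg2), msg2_mic)
    # Msg3 (AP -> STA): ANonce, sn+1, MIC_KCK. The STA verifies it, so an AP
    # that does not hold the PMK fails this check (mutual authentication).
    msg3 = AMAC + ANONCE + (2).to_bytes(8, "big") + b"Msg3"
    msg3_mic = mic(ap["KCK"], msg3)
    sta_accepts = hmac.compare_digest(mic(sta["KCK"], msg3), msg3_mic)
    return {"ap_accepts": ap_accepts, "sta_accepts": sta_accepts,
            "same_tk": ap["TK"] == sta["TK"]}


if __name__ == "__main__":
    pmk = hashlib.sha256(b"constructed PMK").digest()  # 256-bit stand-in PMK
    print(run_handshake(pmk, pmk))        # both sides hold the PMK
    print(run_handshake(bytes(32), pmk))  # AP side holds a different PMK
```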
84. 3. Challenges
We’ll use Aircrack-ng to recover WEP and WPA2 personal wireless keys by eavesdropping on and injecting traffic into a wireless network, and we’ll use Bully to brute-force a WPS PIN.
85. Weak Key
Web application security, firewalls, security-awareness training, and so on can do nothing to protect an internal network if there’s an attacker sitting on a bench in front of the target organization’s building and the organization provides wireless access with weak encryption to the internal network.
92. Open Wireless
Open wireless networks are a real disaster from a security perspective because anyone within antenna range of the access point can connect to that network. Also, the wireless packets traveling through an open network are not encrypted, and anyone listening can see any data in plaintext.
96. Wired Equivalent Privacy
The shared WEP key can be either 64 or 148 bits. An initialization vector (IV) makes up the first 24 bits of the key to add randomness, making the effective key length really only 40 or 104 bits.
100. Cracking WEP Keys with Aircrack-ng
◎ Base Station MAC Address: 00:23:69:F5:B4:2B
◎ SSID: linksys
◎ Channel: 6
101. Injecting Packets
◎ -1 tells Aireplay-ng to fake authentication
◎ 0 is the retransmission time
◎ -e is the SSID; in my case linksys
◎ -a is the MAC address of the access point
◎ -h is the MAC address of our card
◎ mon0 is the interface to use for the fake authentication
102. Generating IVs with the ARP Request Replay attack
◎ -3 performs the ARP request replay attack
◎ -b is the base station MAC address
◎ -h is our Alfa card MAC address
◎ mon0 is the interface
103. Generating an ARP Request
◎ #Data (IV) increases rapidly
◎ Aireplay-ng continues to retransmit the ARP packet
105. Challenges with WEP Cracking
Access points could use MAC filtering to allow only wireless cards with certain MAC addresses to connect, and if your Alfa card isn’t on the list, your fake authentication attempt will fail.
107. WPA2
It implements an encryption protocol built specifically for wireless security called Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP is built on the Advanced Encryption Standard (AES).
108. The Enterprise Connection Process
◎ First the client and AP agree on mutually supported security protocols
◎ AP and the RADIUS server exchange messages to generate a master key
◎ A message that authentication was successful is sent to the AP and passed on to the client, and the master key is sent to the AP
◎ The AP and the client exchange and verify keys for mutual authentication, message encryption, and message integrity via a 4-way handshake
109. The Personal Connection Process
◎ No RADIUS server is required
◎ WPA/WPA2 personal use pre-shared keys, which are generated using pre-shared passphrases
◎ The WPA/WPA2 personal passphrase that you enter when you connect to a secured network is static
110. Cracking WPA/WPA2 Keys
The cryptographic algorithms used in WPA and WPA2 are robust enough to stop attackers from recovering the key simply by capturing enough traffic and performing cryptanalysis. The Achilles’ heel in WPA/WPA2 personal networks lies in the quality of the pre-shared key (passphrase) used.
111. Using Aircrack-ng to Crack WPA/WPA2 Keys
◎ Airodump-ng -c 6 for the channel
◎ --bssid with the base station MAC address
◎ -w to specify the filename for output
◎ mon0 for the monitor interface
112. Using Aircrack-ng to Crack WPA/WPA2 Keys
◎ -0 means deauthentication
◎ 1 is the number of deauthentication requests to send
◎ -a 00:14:6C:7E:40:80 is the MAC address of the base station
◎ -c 00:0F:B5:FD:FB:C2 is the MAC address of the client to deauthenticate
113. Using Aircrack-ng to Crack WPA/WPA2 Keys
◎ If the Airodump-ng capture sees a four-way handshake with a client, it records it in the first line of the captured output
114. Using Aircrack-ng to Crack WPA/WPA2 Keys
◎ Open the .cap file in Wireshark with File → Open → filename.cap. Once in Wireshark, filter for the eapol protocol to see the four packets that make up the handshake
115. Using Aircrack-ng to Crack WPA/WPA2 Keys
◎ Aircrack-ng to test the keys in the wordlist
◎ -w option to specify a list
117. Cracking WPS with Bully
◎ -b flag to specify the MAC address
◎ -e flag for the SSID
◎ -c flag for the channel
◎ Kali provides tools that you can use to implement a brute-force attack against WPS. One such tool is Bully
119. KRACK Overview
Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on.
120. About Authors
Frank Piessens is a professor in the research group DistriNet (Distributed Systems and Computer Networks) at the Computer Science department of the Katholieke Universiteit Leuven (BE).
Mathy Vanhoef is a postdoctoral researcher at Katholieke Universiteit Leuven (BE), where he currently performs research on automatically discovering logical vulnerabilities in network protocol implementations.
130. Key Reinstallation Attack - Complications
◎ Not all Wi-Fi clients properly implement the state machine
○ Still vulnerable against the group key handshake and FT handshake
◎ We must obtain a MitM position between the client and AP
○ It is difficult due to 4-way handshake
○ The solution is to employ a channel-based MitM attack
137. Encrypted Retransmission of frame 3
◎ Some clients, once they have installed the PTK, only accept encrypted retransmissions of message 3
◎ To attack them, we exploit an inherent race condition between the entity executing the 4-way handshake, and the entity implementing the data-confidentiality protocol
142. Breaking the Group Key Handshake
Prerequisites:
◎ Clients will reinitialize the replay counter when installing an already-in-use group key
○ All Wi-Fi clients are vulnerable
◎ We must be able to collect a group message 1 that the client (still) accepts, and that contains a group key that is already in use by the AP
○ According to the standard, the new group key should be installed after all stations replied with a group message 2
143. Breaking the Group Key Handshake
◎ Client is attacked, but only AP sends real broadcast frames
◎ Can only replay broadcast frames to client
149. The Fast BSS Transition (FT) Handshake
◎ Fast Roaming = 802.11r
◎ Its goal is to reduce the roaming time when a client moves from one AP to another of the same Basic Service Set
◎ A new 802.1X handshake is not required
◎ It embeds the 4-way handshake stage in the authentication and reassociation frames
151. 802.11r FT Handshake Attack
◎ Access Point is attacked
○ Replay, Decrypt, Forge
◎ No MitM required
◎ Can keep causing Nonce resets
◎ If the reassociation response is lost due to background noise, the client will retransmit the reassociation request
○ APs may already be reusing Nonces
153. 802.11r FT Handshake Attack
STA → AP: AuthReq(SNonce)
AP → STA: AuthResp(ANonce, SNonce)
STA → AP: ReassReq(ANonce, SNonce, MIC)
AP → STA: ReassResp(ANonce, SNonce, MIC, GTK). The AP installs the PTK; the STA installs the PTK & GTK.
Enc^1_PTK(Data(...))
ReassReq(ANonce, SNonce, MIC) arrives at the AP again
AP → STA: ReassResp(ANonce, SNonce, MIC, GTK). The AP reinstalls the PTK; next transmitted frames will reuse nonces.
The reassociation frames do NOT contain a Replay Counter!
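An added Python model (not from the original deck or from the KRACK authors) of what slides 142 and 153 describe: reinstalling a key that is already in use resets the transmit packet number and the receive replay counter, while a key holder that skips such a reinstall keeps both. `KeyHolder`, `simulate`, the sample payloads and the HMAC-based keystream standing in for AES-CTR are assumptions made for this example.

```python
import hashlib
import hmac


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    # Stand-in for the AES-CTR keystream (assumption: HMAC-SHA256 replaces AES
    # so the example needs only the standard library). As in CCMP, the
    # keystream depends only on the temporal key and the packet number.
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(tk, pn.to_bytes(6, "big") + bytes([block]),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class KeyHolder:
    """One end of a link: transmit packet number plus receive replay counter."""

    def __init__(self, keep_state_on_reinstall: bool):
        self.keep_state_on_reinstall = keep_state_on_reinstall
        self.tk, self.tx_pn, self.rx_pn = None, 0, 0

    def install_key(self, tk: bytes) -> None:
        if self.keep_state_on_reinstall and tk == self.tk:
            return  # key already in use: leave nonce and replay counter alone
        self.tk, self.tx_pn, self.rx_pn = tk, 0, 0

    def send(self, plaintext: bytes):
        self.tx_pn += 1
        return self.tx_pn, xor(plaintext,
                               keystream(self.tk, self.tx_pn, len(plaintext)))

    def receive(self, pn: int, ciphertext: bytes):
        if pn <= self.rx_pn:  # replay protection: PN must strictly increase
            return None
        self.rx_pn = pn
        return xor(ciphertext, keystream(self.tk, pn, len(ciphertext)))


def simulate(keep_state_on_reinstall: bool) -> dict:
    tk = bytes(range(16))                                # constructed temporal key
    p1, p2 = b"first frame body", b"other frame body"    # constructed payloads
    peer_frame = (1, xor(b"frame from peer", keystream(tk, 1, 15)))
    node = KeyHolder(keep_state_on_reinstall)
    node.install_key(tk)                  # handshake completes
    pn1, c1 = node.send(p1)
    node.receive(*peer_frame)             # accepted, receive counter moves to 1
    node.install_key(tk)                  # retransmitted handshake message
    pn2, c2 = node.send(p2)
    replayed = node.receive(*peer_frame)  # the same frame delivered again
    return {
        "nonce_reused": pn1 == pn2,
        "plaintext_xor_leaks": xor(c1, c2) == xor(p1, p2),
        "replay_accepted": replayed is not None,
    }


if __name__ == "__main__":
    print("resets on reinstall:", simulate(False))
    print("keeps state:        ", simulate(True))
```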
154. Cipher suite specific
◎ AES-CCMP
○ No practical frame forging attacks
◎ WPA-TKIP
○ Recover Message Integrity Check key from plaintext
○ Forge/inject frames sent by the device under attack
◎ GCMP (WiGig)
○ Recover GHASH authentication key from nonce reuse
○ Forge/inject frames in both directions
155. Implementation specific
◎ iOS 10 and Windows: 4-way handshake not affected
○ Cannot decrypt unicast traffic (nor replay/decrypt)
○ But group key handshake is affected (replay broadcast)
○ Note: iOS 11 does have vulnerable 4-way handshake
◎ wpa_supplicant 2.4+
○ Client used on Linux and Android 6.0+
○ On retransmitted msg3 will install all-zero key
161. References
◎ W. Stallings - Cryptography and Network Security, 7th edition
◎ CWSP® Certified Wireless Security Professional Official Study Guide: Second Edition (CWSP-205)
◎ M. Vanhoef, Frank Piessens - Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2
◎ G. Weidman - Penetration Testing: A Hands-On Introduction to Hacking