File:Hands-on with wifi security publish.pdf

Hands-on with wifi security OWASP Göteborg Security Tapas 2015-10-20 Anders Rosdahl

1. whoami

Avarage security enthusiast No bleeding edge research, no wall of fames, no cve's Actually, this is me... @rosdahl Agenda Wifi overview Authentication and encryption Attacks Defence Demo / lab Wifi overview Access points continuously send beacons to announce themselves Clients continously probe for access points Authentication Association Bands, channels and frequencies 802.11 Release year Frequency (GHz) Max data transfer rate (Mbit/s) Bandwidth (MHz) a 1999 5 / (3.7) 54 20 b 1999 2.4 11 22 g 2003 2.4 54 20 n 2009 2.4 / 5 72/150 (per MIMO stream) 20/40 ac 2013 5 96/200/433/866 (per MIMO stream) 20/40/80/160 there’s more... Wireless Modes Each wireless device/inteface can be in one of the followingmodes. Definitions vary. Station – also referred to as Client mode or Managed mode Master – also referred to as Access Point or Infrastructuremode Ad hoc – for mesh wifi networks Monitor – also referred to as RFMON (Radio Frequency MONitor). Used to silently listen to wifi traffic. An interface in this mode can capture traffic without connecting to any network. Not all combination of wifi cards/drivers/OS support all modes.. Authentication and encryption • Based on the RC4 stream cipher, which is effectively broken WEP • WPA – intermediate solution while waiting for WPA2, which would fix all that was broken with WEP. Designed by crytographers. • PSK or asymmetric key pairs/certificates • TKIP-RC4 (WPA) / CCMP-AES (WPA2) WPA/WPA2 • Provides WPA/WPA2 password to client requiring only a PIN code • Two modes: • Push-Button-Connect • 4/8 digit PIN code WPS Attacks WPA/WPA2 1. Deauthenticate connected client(s) with traffic injection 2. Capture re-authenticationhandshake 3. Offline word-list or rule-based brute force attack on recorded handshake WPS Brute force WPS PIN. In 2012 several deficienciesin WPS were disclosed. E.g. onlymax 11k vs 10M tries is needed since AP acks/nacks first 4 digits. WPS backoff/timeout timeout preventsbruteforcing. Was not ubiquitous 2012. WEP RC4 ... Offline brute force attack similarto WPA above Defence – hot security tips for hotspots Use long and strong WPA2 passwords! Disable WPS on yourrouter Don’t use WEP – obviously... Use VPN when connected to public access points – anyone can listen Be careful about auto-connect features of devicesto avoid connecting to rouge access points Demo/lab Alfa cards for loan!