Haines | Seven Deadliest Wireless Technologies Attacks | E-Book | sack.de
E-Book

E-Book, English, 160 pages

Haines Seven Deadliest Wireless Technologies Attacks


1st edition, 2010
ISBN: 978-1-59749-542-4
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: 6 - ePub Watermark




Do you need to keep up with the latest hacks, attacks, and exploits affecting wireless technology? Then you need Seven Deadliest Wireless Technologies Attacks. This book pinpoints the most dangerous hacks and exploits specific to wireless technologies, laying out the anatomy of these attacks, including how to make your system more secure. You will discover the best ways to defend against these vicious hacks with step-by-step instruction and learn techniques to make your computer and network impenetrable.

Attacks detailed in this book include:
• 802.11 Wireless-Infrastructure Attacks
• 802.11 Wireless-Client Attacks
• Bluetooth Attacks
• RFID Attacks
• Analog Wireless Device Attacks
• Bad Encryption
• Attacks on Cell Phones, PDAs and Other Hybrid Devices




Further Information & Material


Front Cover
Half Title Page
Series Title Page
Title Page
Copyright Page
Table of Contents
Acknowledgments
About the Authors
Introduction
Chapter 1. 802.11 Wireless – Infrastructure Attacks
  How Wireless Networks Work
  Case Study: TJX Corporation
  Understanding WEP Cracking
  How to Crack WEP
  It Gets Better and Worse
  WPA and WPA2 in a Nutshell
  How to Crack WPA PSK and WPA2 PSK
  Summary
  Endnotes
Chapter 2. Wireless – Client Attacks
  Public Hotspot Dangers
  How Hotspots Work
  Attacking Public Hotspots
  The Crux of the Problem
  Solutions
  Injection Attacks
    Replacing Java Script
  Summary
  Endnote
Chapter 3. Bluetooth Attacks
  Bluetooth Technology
  Hacking Bluetooth
    Bluetooth Discovery
  Connecting
    Carwhisperer
    Bluebug
  Wholesale Sniffing
  Bluetooth Viruses
  Summary
Chapter 4. Radio Frequency Identification Attacks
  RFID Basics
    RFID Systems
  RFID Risks
  Physical Access Control
    Proximity Cards
    Cloning RFID
    Minimizing the Risk
  RFID Meets Crypto
  Summary
  Endnotes
Chapter 5. Analog Wireless Devices
  Analog Devices
  Digital versus Analog
    Analog Security
    Digital Security
  Cordless and Wireless
  Exploiting Analog Wireless
    Audio Vulnerabilities
  Scanner Selection
    Headsets
  Wireless Microphones
  Video Devices
  Defense
  Summary
Chapter 6. Bad Encryption
  History
  Proper Encryption
  Passports
  Passport Summary
  Speedpass
  Advanced WPA and WPA2 Cracking
  Summary
  Endnote
Chapter 7. Cell Phones, Personal Digital Assistants, and Other Hybrid Devices
  Hybrid Devices
  History
  Anatomy of the Attack
    Jailbreaking
  The Attacks
  Future Attacks
    Offensive Uses of Hybrid Devices
    Anonymity
  iPhone Summary
    Android Security
    Common Threats
  Summary
Index


CHAPTER 1 802.11 Wireless – Infrastructure Attacks

Publisher Summary

Wired Equivalent Privacy (WEP) is the original encryption scheme included in the 802.11b wireless standard from 1997. WEP is based on the RC4 stream cipher algorithm, and as with any stream cipher, identical keys must not be used. The initialization vector (IV) changes with each packet and eventually repeats, giving an attacker two packets with identical IVs. The counter used for IVs in the previous years was 24 bits long, which on a fairly busy network meant that there was a good chance that after 5,000 packets, an IV would be repeated, yielding an IV collision where two packets were encrypted with the same key, thus providing a basis for cryptanalysis. The advent of the ARP replay attack really shortened the time needed to perform an attack. The ARP replay attack is where an encrypted ARP packet is captured from a network and retransmitted back to the access point (AP), which in turn sends back another ARP packet with a different IV. There are many tools available that break WEP, but the most popular is Aircrack-ng. Wi-Fi Protected Access 2 (WPA2) (also known as 802.11i) is the final and more secure version of WPA. WPA2 uses Advanced Encryption Standard as its stream cipher, which is vastly more secure but requires resources only found on the newer generations of APs and is not available on older equipment.

Information in This Chapter
• How Wireless Networks Work
• Case Study: TJX Corporation
• Understanding WEP Cracking
• How to Crack WEP
• It Gets Better and Worse
• WPA and WPA2 in a Nutshell
• How to Crack WPA PSK and WPA2 PSK

Just about every new laptop that hits the market today has an 802.11 network card built in. It’s a technology that has become ubiquitous in our lives, and we can hardly remember a time when it wasn’t part of our days. It’s a technology that has grown in terms of speed and range to provide the capability to be connected to the Internet from anywhere in our homes or businesses.

This widespread technology would also very quickly become quite an issue from a security perspective. Users quickly demanded to “cut the cable” and be able to access the network from anywhere in the office. Home users were quick to adopt the technology to work from the kitchen, the couch, or (more oddly) the bathroom. This intense push led to a lot of overworked and underpaid information technology (IT) administrators and neighborhood computer know-it-alls to install wireless networks without properly understanding the security risks involved. These early networks would continue to “just work” with users not realizing that the security arms race caught up with them and even passed them, making them prime targets for attack.

In November 2003, Toronto, Ontario, police held a press conference to announce a (at the time) new and unusual crime.[A] The police report indicates that at around 5:00 A.M. an officer noticed a car slowly driving the wrong way down a one-way street in a residential neighborhood. The officer pulled the car over, and when he walked up to the driver, he was greeted with several disturbing sights. The driver was first of all not wearing any pants, which is probably disturbing in and of itself, but more alarmingly, on the passenger seat was a laptop clearly displaying child pornography. The driver had been using open wireless networks in the area to obtain Internet access to download child pornography, unbeknownst to the owners of those networks. The owners were victims themselves, twice. First, they were victims of theft of service since their communications had to compete for bandwidth with the traffic of the unauthorized user. Second, they were victimized because, for all intents and purposes, the child pornography was being downloaded through their connection. Any digital trail left would lead back to them, potentially exposing them to false accusations of downloading child pornography themselves and all the emotional and financial damage that accusation can bring. The suspect’s home was searched as a result, and 10 computers and over 1,000 CDs worth of illegal material were seized.[B]

This case, along with others through the years, has shown that operating an access point (AP) without any authentication of client devices is dangerous. If anyone can connect, there is no restriction on what sort of activities those users can partake in. Often, it’s simply to check an e-mail or catch up on the latest news, but it may be someone downloading copyrighted materials, sending threatening messages, or doing worse. Sometimes, connecting to an open network without authorization can occur even without someone realizing he or she is doing it. Windows XP, before Service Pack 2, was notorious for automatically connecting to networks named the same as ones it had connected to before. A person carrying a laptop down the street configured for a common network name like “linksys” could drift to any network similarly named “linksys” and be committing an unauthorized access without knowing or interacting. Many users noticed this behavior and thought it more than helpful in gaining access to free Wi-Fi. Attackers noticed this and began to exploit it (more on that in Chapter 2, 802.11 Wireless – Client Attacks).

It’s sad to consider that leaving your APs open for anyone to connect to is a dangerous proposition. The idea of everyone sharing free Internet access anywhere he or she goes is a tempting one, but society, as a cross section, contains all sorts of people, some good and some bad, and often the bad ruin such freedoms for everyone.

The Institute of Electrical and Electronics Engineers (IEEE) knew that they had to establish some mechanism to maintain privacy of communications as they were broadcast and restrict who can connect and from where. This is why all APs sold contain various methods of securing communications and limiting who can connect. Originally, Wired Equivalent Privacy (WEP) was the only option available, but as time went on, Wi-Fi Protected Access (WPA) was introduced as an interim solution when WEP was shown to be weak, and eventually WPA2 was brought forth with the final ratification of 802.11i. As with many security technologies, if you give users the option of using it, they often won’t. If you give them too many options, there’s no way of guaranteeing that they will keep their systems up to date either.

How Wireless Networks Work

A wireless network typically is made up of two classes of device: APs and client devices, typically called stations (STAs). This chapter focuses on security of APs typically found in a home or business. Client security is discussed in Chapter 2, 802.11 Wireless – Client Attacks.

These networks can be 802.11a, b, g, or n, but for the most part, and for discussion purposes in this chapter, it doesn’t matter. The infrastructure needed is fairly universal, and standards for security are pretty much the same for all of them.

The APs are something everyone in the IT industry and most home computer users are probably familiar with. They come in all shapes and sizes and can have varying features. They are the gateways between the wired and wireless network. If you don’t have one at home already, you can usually see them bolted to the wall at many businesses or in public spaces with one or more antennas sticking out of them. The AP is what the client STA connects to in a wireless network (as opposed to the other way around). In their default state, most APs will accept connections from any client STA that asks to join the network. While this is convenient for users, it is also very convenient for anyone else who wants to connect, for good reasons or bad. In the early days of wireless, this was seen as something positive. Wireless brought out ideas of a brave new world with free Internet access and sharing of a new and useful resource. It didn’t take long for the bad guys to figure out that this was very useful for them as well.

Note: It’s hard to imagine a world without wireless networking. It’s absolutely everywhere. Since 2001, Wigle.net, an online repository of data submitted by users, has collected tens of millions of unique network locations with Global Positioning System (GPS) coordinates and over a billion points of observations of those networks. The site also includes some automatically generated maps of that data that can pretty conclusively show that wherever there are people and computers, there are wireless networks. Figure 1.1 shows Wigle.net’s map of North America.

FIGURE 1.1 Wigle.net’s Map of North America

While this sort of activity may seem odd, companies like Skyhook Wireless (www.skyhookwireless.com) have made a business out of wardriving themselves. They map the location of networks throughout the world and use that information to provide GPS-like location sensing via triangulation of known APs as opposed to satellites, which has the added benefit of working indoors in many cases, unlike GPS.

As you can see, there are wireless networks everywhere. Wherever there is a population center, you will be able to find wireless networks there. Wireless is a shared medium. If you remember the bad old days where Ethernet networks were all using hubs and not switches, everyone saw everyone else’s traffic. Well, wireless brings all the fun of...
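The Publisher Summary's point about 24-bit IVs and repeated RC4 keys can be checked numerically. The following is an added example, not code from the book: it assumes IVs are drawn uniformly at random, and the key, IVs and payloads are constructed sample values.

```python
import math

def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Chance that at least two of `packets` frames share an IV.

    Assumption (not from the book): IVs are drawn uniformly at random.
    """
    space = 2 ** iv_bits
    if packets > space:
        return 1.0
    log_unique = sum(math.log1p(-i / space) for i in range(packets))
    return 1.0 - math.exp(log_unique)

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling, then `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_style_encrypt(iv: bytes, secret: bytes, payload: bytes) -> bytes:
    """WEP seeds RC4 with IV || shared key; the ICV/CRC is omitted here."""
    return xor(payload, rc4_keystream(iv + secret, len(payload)))

# Constructed sample values, not captured traffic.
SECRET = bytes.fromhex("0102030405")
IV_A, IV_B = b"\x00\x00\x2a", b"\x00\x00\x2b"
P1 = b"constructed packet one"
P2 = b"another sample payload"

def ciphertext_xor(iv1: bytes, iv2: bytes) -> bytes:
    """XOR of the two ciphertexts; equals P1 XOR P2 only when the IVs match."""
    return xor(wep_style_encrypt(iv1, SECRET, P1), wep_style_encrypt(iv2, SECRET, P2))

if __name__ == "__main__":
    print(f"P(IV repeat within 5,000 frames) = {iv_collision_probability(5000):.3f}")
    print("same IV leaks P1^P2:", ciphertext_xor(IV_A, IV_A) == xor(P1, P2))
    print("fresh IV leaks P1^P2:", ciphertext_xor(IV_A, IV_B) == xor(P1, P2))
```

With a repeated IV the keystream cancels out of the two ciphertexts regardless of the shared key, which is why WPA2 or later is the only sound configuration for an AP.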


