Hacking Wireless Networks (2015)
Part III
Advanced Wi-Fi
Hacks
Chapter 14
Cracking Encryption
In This Chapter
ᮣ Understanding encryption
ᮣ Encrypting frames
ᮣ Looking at WEP problems
ᮣ Upgrading to WPA
ᮣ Using AES
ᮣ Tunneling through the Internet with a VPN
Most people believe that encryption is a panacea. They believe that when you encrypt something, it’s secure. Unfortunately, this is just not true. As with many newer technologies, you may find the available security features of encryption not as comprehensive or robust as you might like.
Cryptography features can have flaws. You can use the wrong algorithm, a flawed algorithm, a short key, or a poor implementation, and (oops!) there it is: a security breach. This chapter demonstrates how one or more of these problems affects the use of encryption with your wireless networks.
But we don’t want to play Cassandra and bring only bad news. We also show you some techniques for strengthening your access point. At a minimum, we strongly recommend that you use the built-in security features as part of an overall defense in-depth strategy.
What Can Happen
The IEEE 802.11 specification identified features that a wireless network needs to maintain a secure operating environment. One of the primary features was the use of encryption to provide the following: ߜ Message privacy: Sensitive information is encrypted when transmitted between two wireless entities to prevent interception and disclosure or prevent a third party from tracking communications between two other entities.
21_597302_ch14.qxd 8/4/05 7:05 PM Page 256
256 Part III: Advanced Wi-Fi Hacks
ߜ Message integrity: An entity can verify that no one has changed the content of a message in transit.
Nice try. Even though the 802.11 standard attempted to address privacy and integrity, it fell well short. Let’s look at these features and their shortcomings.
Protecting Message Privacy
The 802.11 standard supports privacy through the use of cryptographic techniques for the wireless interface. The first and most widely used algorithm was Wired Equivalent Privacy, also known as the WEP algorithm.
WEP uses the RC4 symmetric-key, stream-cipher algorithm to generate a pseudo-random data sequence. This key stream is simply added via a modulo 2 calculation (exclusive ORed) to the transmitted data. Unfortunately, all those syllables don’t add up to very impressive security. (You can get a quick peek at why in the “Using Encryption” section, later in this chapter.) Generally, the longer the encryption key, the harder it is to crack — but WEP
(as defined in the 802.11 standard) supports only a puny (40-bit) size for the shared key. Fortunately, numerous vendors offered non-standard extensions of WEP that support key lengths from 40 bits to 104 bits. At least one vendor supports a key size of 128 bits (that is, 152 bits). The 104-bit WEP key, for instance, with a 24-bit Initialization Vector (IV) becomes a 128-bit RC4 key.
WEP uses the IV to seed the algorithm before encrypting a frame.
In general — all other things being equal — increasing the key size increases the security of a cryptographic technique. But that isn’t the whole story; flawed implementations or flawed designs can always prevent those long keys from increasing security. Research has shown that keys longer than 80
bits make brute-force cryptanalysis (running all possible key values on a super-fast computer) a near impossible task — for robust designs and implementations, anyway. In practice, however, most WLAN deployments rely on the scrawny 40-bit keys specified in 802.11. And there’s more bad news: Recent attacks have shown that the WEP approach to privacy is vulnerable to certain attacks regardless of key size. Brute-force attacks, mentioned above, are described later in the chapter.
Protecting Message Integrity
Making sure messages get through in tact is a basic security task. The IEEE
802.11 specification also outlined a simple Cyclic Redundancy Check (CRC) to provide data integrity for messages transmitted between wireless clients and access points. This security service was designed to reject any messages that 21_597302_ch14.qxd 8/4/05 7:05 PM Page 257
Chapter 14: Cracking Encryption
257
anyone may have changed. The access point and client compute a CRC-32 or frame-check sequence called an integrity check value (ICV) for each frame prior to transmission. You can see in Figure 14-1 that WEP then encrypts the integrity-sealed packet, using the RC4 key stream to provide the ciphertext message. The receiver decrypts the frame and re-computes the CRC on the message. The receiving end then compares the computed CRC to the one computed with the original message. When the CRCs are not equal, an error occurs, and the receiver discards the frame.
Great idea, but (again) poorly implemented. It is possible to flip bits and still end up passing the CRC check. Bottom line: Message modification is possible, which makes CRC-32 inadequate for protecting against intentional data-integrity attacks. You need real cryptographic mechanisms — such as a secure hash, message digest, or message-authentication code (MAC) —
to prevent deliberate attacks. Use of non-cryptographic mechanisms often facilitates attacks against the cryptography. In this case, it certainly does.
One reason is the use of the 64- or 128-bit key for integrity and privacy, which is a cryptography no-no.
1
3
C
Plaintext
Plaintext
R
C
2
7
8
9
C
Cipher-
Cipher-
R
XOR
IV
text
text
C
4
5
6
Figure 14-1:
How WEP
Secret
RC4
Keystream/
IV
works.
Key
PRNG
key sequence
Using Encryption
The popular press has done a lot to discourage organizations and individuals from using wireless networks. If you’ve been paying attention to the brouhaha, then you’re aware of all the negative articles about wireless security — especially those dealing with encryption. Part of the problem is that the press and others don’t understand the basis for WEP. As implied by its name, the developers of Wired Equivalent Privacy intended for it to give clients the same level of security found on a wired network — which, quite frankly, isn’t much. With 21_597302_ch14.qxd 8/4/05 7:05 PM Page 258
258 Part III: Advanced Wi-Fi Hacks
the exception of a fully switched environment, eavesdroppers can have their way with frames traversing a wired network. WEP was never intended to provide message integrity, non-repudiation, and confidentiality. And guess what — it doesn’t.
WEP uses the symmetrical RC4 (Ron’s Code 4) algorithm and a PRNG
(Pseudo-Random Number Generator). The original standard specified 40 (in practice, 64) and 128-bit key lengths with a 24-bit initialization vector (IV).
Then there’s the matter of incomplete coverage of network layers: WEP
encrypts Layers 3 through 7, but does not encrypt the MAC layer (that is, Layer 2). Because it’s a symmetrical algorithm, WEP gives every client the keys and other configuration data.
Okay, we know there’s nothing wrong with the RC4 algorithm per se — after all, Web browsers use it for Secure Sockets Layer (SSL). The problem is in the WEP implementation of the RC4 algorithm — and the false sense of security it encourages.
The algorithm takes the IV, which is in plaintext, and sticks it on the front end of the secret key (which the decrypter knows). WEP then plugs the result into the RC4 to regenerate the key stream. Next, the algorithm XORs the key stream with the ciphertext, which should give us the plaintext value. Finally, WEP re-performs the CRC-32 checksum on the message and ensures that it matches the integrity check value in our encrypted plaintext. Should the checksums not match, WEP assumes that someone tampered with the packet, and will discard it.
As mentioned earlier, access points generally have only three (namely, the following) encryption settings available:
ߜ None: This setting represents the most serious risk because someone can easily intercept, read, and alter unencrypted data traversing the network.
ߜ 40-bit shared key: A 40-bit shared key encrypts the network communications data, but there is still a risk of compromise. The 40-bit encryption has been broken by brute force cryptanalysis, using a high-end graphics computer — and even low-end computers — so it has only questionable value. We show you some tools in later sections that allow you to easily recover 40-bit keys — and if you can, a bad guy can.
ߜ 104-bit setting: In general, 104-bit (sometimes called 128-bit) encryption is more secure than 40-bit encryption because of the significant difference in the size of the cryptographic key space. Even though this better security isn’t true for 802.11 WEP (because of poor cryptographic design in the use of IVs), it is nonetheless recommended as a good practice. Again, you should be vigilant about checking with the vendor regarding upgrades to firmware and software — you may find some that overcome some of the WEP problems. (Some vendors, for example, support 152-bit keys.) 21_597302_ch14.qxd 8/4/05 7:05 PM Page 259
Chapter 14: Cracking Encryption
259
As a general rule, 40-bit keys are inadequate for any system. It is generally accepted that encryption keys should be longer than 80 bits to get the job done. The longer the key, the less likely that someone could compromise your access point by using a brute-force attack.
WEP Weaknesses
Security researchers have discovered security problems that let malicious users compromise the security of WLANs that use WEP — these, for instance: ߜ Passive attacks to decrypt traffic: These are based on statistical analysis.
ߜ Active attacks to inject new traffic from unauthorized mobile stations: These are based on known plaintext.
ߜ Active attacks to decrypt traffic: These are based on tricking the access point.
ߜ Dictionary-building attacks: These are possible after analyzing enough traffic on a busy network.
The biggest problem with WEP is when the installer doesn’t enable it in the first place. Even bad security is generally better than no security.
When people do use WEP, they forget to change their keys periodically.
Having many clients in a wireless network — potentially sharing the identical key for long periods of time — is a well-known security vulnerability. If you keep your key long enough, someone can grab all the frames he needs to crack it.
Can’t blame most access-point administrators for not changing keys — after all, the WEP protocol doesn’t offer any key management provisions. But the situation is dangerous: When someone in your organization loses a laptop for any reason, the key could become compromised — along with all the other computers sharing the key. So it’s worth repeating . . .
Shared keys can compromise a wireless network. As the number of people sharing the key grows, so does the security risk. A fundamental tenet of cryptography is that the security of a system is largely dependent on the secrecy of the keys. Expose the keys and you expose the text. Share the key, and a cracker only has to crack it once. Moreover, when every station uses the same key, an eavesdropper has ready access to a large amount of traffic for analytic attacks.
21_597302_ch14.qxd 8/4/05 7:05 PM Page 260
260 Part III: Advanced Wi-Fi Hacks
As if key management problems weren’t enough, you have other problems with the WEP algorithm. Check out these bugbears in the WEP initialization vector:
ߜ The IV is too small and in cleartext. It’s a 24-bit field sent in the cleartext portion of a message. This 24-bit string, used to initialize the key stream generated by the RC4 algorithm, is a relatively small field when used for cryptographic purposes.
ߜ The IV is static. Reuse of the same IV produces identical key streams for the protection of data, and because the IV is short, it guarantees that those streams will repeat after a relatively short time (between 5 and 7
hours) on a busy network.
ߜ The IV makes the key stream vulnerable. The 802.11 standard does not specify how the IVs are set or changed, and individual wireless adapters from the same vendor may all generate the same IV sequences, or some wireless adapters may possibly use a constant IV. As a result, hackers can record network traffic, determine the key stream, and use it to decrypt the ciphertext.
ߜ The IV is a part of the RC4 encryption key. The fact that an eavesdropper knows 24-bits of every packet key, combined with a weakness in the RC4 key schedule, leads to a successful analytic attack that recovers the key after intercepting and analyzing only a relatively small amount of traffic. Such an attack is so nearly a no-brainer that it’s publicly available as an attack script and as open-source code.
ߜ WEP provides no cryptographic integrity protection. However, the 802.11 MAC protocol uses a non-cryptographic Cyclic Redundancy Check (CRC) to check the integrity of packets, and acknowledges packets that have the correct checksum. The combination of non-cryptographic checksums with stream ciphers is dangerous — and often introduces vulnerabilities. The classic case? You guessed it: WEP.
There is an active attack that permits the attacker to decrypt any packet by systematically modifying the packet, and CRC sending it to the AP
and noting whether the packet is acknowledged. These kinds of attacks are often subtle, and it is now considered risky to design encryption protocols that do not include cryptographic integrity protection, because of the possibility of interactions with other protocol levels that can give away information about ciphertext.
Only one of the problems listed above depends on a weakness in the cryptographic algorithm. Therefore substituting a stronger stream cipher will not help. For example, the vulnerability of the key stream is a consequence of a weakness in the implementation of the RC4 stream cipher — and that’s exposed by a poorly designed protocol.
21_597302_ch14.qxd 8/4/05 7:05 PM Page 261
Chapter 14: Cracking Encryption
261
One flaw in the implementation of the RC4 cipher in WEP is the fact that the 802.11 protocol does not specify how to generate IVs. Remember that IVs are the 24-bit values that are pre-pended to the secret key and used in the RC4
cipher. The IV is transmitted in plaintext. The reason we have IVs is to ensure that the value used as a seed for the RC4 PRNG is always different.
RC4 is quite clear in its requirement that you should never, ever reuse a secret key. The problem with WEP is that there is no guidance on how to implement IVs.
Microsoft uses the RC4 stream cipher in Word and Excel — and makes the mistake of using the same keystream to encrypt two different documents.
So you can break Word and Excel encryption by XORing the two ciphertext streams together to get the keystream to dropsout. Using the key stream, you can easily recover the two plaintexts by using letter-frequency analysis and other basic techniques. You’d think Microsoft would learn. But they made the same mistake in 1999 with the Windows NT Syskey.
The key, whether it’s 64 or 128 bits, is a combination of a shared secret and the IV. The IV is a 24-bit binary number. Do we choose IV values randomly?
Do we start at 0 and increment by 1? Or do we start at 16,777,215 and decre-ment by 1? Most implementations of WEP initialize hardware using an IV of 0; and increment by 1 for each packet sent. Because every packet requires a unique seed for RC4, you can see that at higher volumes, the entire 24-bit space can be used up in a matter of hours. Therefore we are forced to repeat IVs — and to violate RC4’s cardinal rule against ever repeating keys. Ask Microsoft what happens when you do. Statistical analysis shows that all possible IVs (224) are exhausted in about 5 hours. Then the IV re-initializes, starting at 0, every 5 hours.
Other WEP Problems to Look For
As if the weaknesses in the algorithm weren’t enough, other key vulnerabilities contribute to the problem. These vulnerabilities include WEP keys that are non-unique, never changing, unmodified factory defaults, or just bone-headed (weak keys made of all zeros or all ones, based on easily guessed passwords, or using other similarly trivial patterns).
One of the fundamental flaws of WEP is that it uses keys for more than one purpose. Generally, you don’t use the same keys for authentication and encryption or the same key for integrity and privacy. Because WEP breaks these rules and others, it behooves you to protect your keys. Remember that WEP doesn’t provide any help here. Break the authentication and you can break the encryption — and vice versa.
21_597302_ch14.qxd 8/4/05 7:05 PM Page 262
262 Part III: Advanced Wi-Fi Hacks
The manufacturer may provide one or more keys to enable shared-key authentication between the device that’s trying to gain access to the network and the AP. And yes, we’re going to say it again: Using a default shared-key setting is a security vulnerability — a common one because many vendors use identical shared keys in their factory settings. A malicious cracker may know the default shared key and use it to gain access to the network.
Don’t use default WEP keys! No matter what your security level, your organization should change the shared key from its default setting because it’s just too easily exploited. In the event you don’t know the default keys for a wireless access point (or you don’t know whether there is a default key), check out www.cirt.net.
Some products generate keys after a keystroke from a user that, when done properly using the appropriate random processes, can result in a strong WEP
key. Other vendors, though, based WEP keys on passwords chosen by users; this typically reduces the effective key size.
You may find your configuration utility doesn’t have a passcode generator, but allows you to enter the key as alphanumeric characters (that is, a to z, A to Z, and 0 to 9) rather than as a hexadecimal number. You just need to create a good passcode, right? Sounds like a good idea — until you study it. Each character you enter represents 8 bits, so you can type 5 characters for a 40-bit code and 13 characters for a 104-bit code. Entering 5 characters in ASCII is not as strong as generating the key randomly in hexadecimal. Think of all the poor five-letter passcodes you could create!
So take it from us: WEP is weak. The following is a summary of some of the more glaring weaknesses of WEP:
ߜ The IV value is too short — and not protected against reuse.
ߜ The way keys are constructed from the IV makes it susceptible to weak key attacks.
ߜ There is no effective detection of message tampering; that is, WEP has no effective message integrity.
ߜ It directly uses the master key and has no built-in provision to update the keys.
ߜ There is no provision against message replay.
ߜ There is no key-management mechanism built in.
At a minimum, enterprises should employ the built-in WEP encryption. But that’s a poor minimum. And it’s amazing how many access points don’t have any encryption at all. We find that less than half the access points we stumble on have encryption of any sort.
21_597302_ch14.qxd 8/4/05 7:05 PM Page 263
Chapter 14: Cracking Encryption
263
If an access point is using WEP, it makes your hacking a little more difficult but certainly not impossible. You just need to get yourself a WEP cracker.
Several are available from Web sites on the Internet and are relatively easy to use. If you’ve dug in to Chapter 8 and know how to use ethereal, then cracking WEP keys is easy.
How long it will take to crack the WEP key depends on the access point’s level of activity.
Attacking WEP
There are several active and passive attacks for WEP as follows: ߜ Active attacks to inject traffic based on known plaintext ߜ Active attacks to decrypt traffic based on tricking access points ߜ Dictionary-based attacks after gathering enough traffic ߜ Passive attacks to decrypt traffic using statistical analysis The following sections discuss these attacks in detail.
Active traffic injection
Suppose an attacker knows the exact plaintext version of one encrypted message using a passive technique. The attacker can use this information to construct — and insert — correctly encrypted packets for the network.
To do this, the attacker constructs a new message calculating CRC-32 values and performs bit-flips on the original message to encrypt plaintext in its encrypted form. The attacker can now send the packet to the access point, undetected. There are several variations on this technique; here’s where you get the tools to use them:
ߜ Aireplay: This program lets you take any captured packet and reinject it back onto the network.
ߜ WEPWedgie (http://sourceforge.net/projects/wepwedgie/): This program is a toolkit for determining 802.11 WEP keystreams and inject-ing traffic with known keystreams.
Active attack from both sides
An extension of the active injection technique from the previous section.
The attacker makes guesses on packet header contents rather than packet 21_597302_ch14.qxd 8/4/05 7:05 PM Page 264
264 Part III: Advanced Wi-Fi Hacks
payload. Bit-flipping can transform destination addresses and route traffic to rogue devices where retransmission (with alterations) could occur. Educated guessing can also provide port information to allow passage through firewalls by changing it to use port 80 (the default port for Web traffic).
Table-based attack
A small space of possible WEP initialization vectors (IVs) — and the high likelihood they’ll be reused at relatively short intervals — allow attackers to build decryption tables. Using passive techniques, the attacker gains some plaintext information. The attacker can then compute the RC4 key stream used by the IV. Over time, repetitive techniques allow an attacker to build a complete decryption table of all possible IVs. This allows an attacker to decipher every packet sent.
Passive attack decryption
This is more of an intrusion than an attack, but monitoring leads to further exploits. An attacker monitors traffic until an IV collision occurs. A collision is when the algorithm reuses an IV. When a collision happens, the shared secret and the repeated IV results in a key stream that has been used before.
Because the algorithm sends the IV in ciphertext, an attacker keeping track of all the traffic can identify when collisions occur. Then, the attacker will use the resulting XOR information to infer data about the message content.
IP traffic is redundant in nature, and replication of this process easily yields enough data to decipher the encrypted text.
You can find commercial, off-the-shelf (COTS) hardware readily available to monitor 2.4 GHz transmissions. We cover some of these products in Chapter 8. By re-configuring drivers, you can cause the hardware to intercept encrypted traffic. Using the techniques described previously, you can make the WLAN vulnerable.
Cracking Keys
We have discussed a lot of WEP flaws in this chapter, with good reason: WEP
is the algorithm most commonly used to protect wireless networks. But WEP
has many flaws. These flaws leave WEP open to crack attacks. To crack WEP
keys, you need
ߜ A large amount of captured frames
ߜ A program to process the frames
21_597302_ch14.qxd 8/4/05 7:05 PM Page 265
Chapter 14: Cracking Encryption
265
. . . and that’s about all. Then you use the tools identified in Chapters 8 and 10
to capture frames for you. Okay, they don’t crack the keys for you, but that’s not much of a problem: You simply use another tool, such as WEPcrack or AirSnort. To add to your store of goodies, you can have a program like Kismet save weak IVs to feed into another program such as WEPcrack.
Using WEPcrack
WEPcrack (http://sourceforge.net/projects/wepcrack/) is perhaps the most famous of all WEP crackers. Most likely WEPcrack made its reputation as it was the first tool to hit the street. WEPcrack captures, logs, and cracks IVs to provide keys.
All you need to run WEPcrack is some packets and PERL. The WEPcrack authors wrote it so it is portable anywhere there is a PERL interpreter. That’s easy to meet for most UNIX platforms. It’s simple to run WEPcrack in UNIX, just type perl /tmp/WEPcrack.pl at the prompt (assuming that’s where you installed the script). Running WEPcrack is conceivably a challenge for Windows users because Microsoft does not provide PERL natively. But you can use Cygwin (if you didn’t install it already, you might want to refer to Chapter 4) or you can get yourself a PERL interpreter for Windows, such as ActivePerl.
Should you have a Windows platform, you’ll need to download and install ActivePerl. You can download the freeware ActivePerl from ActiveState (www.activestate.com/Products/ActivePerl/). Installing and using ActivePerl to run WEPcrack is as easy as following these steps: 1. Start ActivePerl setup.
You should see the setup window as shown in Figure 14-2.
2. Click Next.
The license agreement appears on-screen.
3. Select the I accept the terms in the License Agreement radio button and then click Next.
Another window appears.
4. Choose where you want to install ActivePerl and then click Next.
If you don’t want to install it at the root directory, click the Browse button and browse your directory tree until you find the location where you want to install. If you click Browse, you see the window shown in Figure 14-3.
21_597302_ch14.qxd 8/4/05 7:05 PM Page 266
266 Part III: Advanced Wi-Fi Hacks
Figure 14-2:
The
ActivePerl
installation
wizard.
Figure 14-3:
Custom
setup
window.
5. In the New features in PPM window, either select Enable PPM3 to send profile info to ASPN; otherwise click Next.
6. If you wish, deselect any options you won’t be using and then click Next.
7. Click the Install button.
The Install Status window appears. As it says in the window, installation can take several minutes. When the process is complete, you are ready to use PERL.
21_597302_ch14.qxd 8/4/05 7:05 PM Page 267
Chapter 14: Cracking Encryption
267
8. From the Start menu, select Run.
9. Type command in the Open: dialog box and then click OK.
10. At the command prompt, type perl \progra~1\wepcrack\pcap-getIV.pl.
Of course, you’ll have to substitute the correct path for your WEPcrack PERL routines; the one we show here is just an example. This script itself is useless unless you have a captured packet you can drop in from another program such as ethereal or prismdump. You will need about 5 million frames; then you can proceed to Step 11.
If you have prismdump and want to do it in one step, you can run the command prismdump | pcap-getIV.pl. The output of this step is the ivfile.log file.
11. Start WEPcrack by typing perl \progra~1\wepcrack\wepcrack.
pl ivfile.log.
Oops, there goes another WEP key.
12. When you are finished, click the X in the upper right-hand corner of the window.
Unfortunately, the key is in decimal format, so you have to convert it to hexadecimal before you can use it.
Using AirSnort
AirSnort (http://airsnort.shmoo.com/) is a passive scanner that also cracks WEP keys. When AirSnort gathers enough weak initialization vectors, it starts to crack the WEP key. Of the over 16 million IVs, approximately nine thousand of the 128-bit keys are weak. AirSnort looks for these weak keys.
The folks at the Shmoo Group estimate they need only about 2,000 weak IVs to guess the WEP key.
You can download AirSnort from Sourceforge at
http://sourceforge.net/projects/airsnort/
It runs on a UNIX platform, and is fairly easy to install and use. Windows users can also get WinAirSnort from Nevillon at
www.nwp.nevillon.org/attack.html
Figure 14-4 shows the WinAirSnort window that looks eerily like the Linux version.
21_597302_ch14.qxd 8/4/05 7:05 PM Page 268
268 Part III: Advanced Wi-Fi Hacks
Figure 14-4:
WinAirSnort
window.
To install AirSnort in Linux, follow these steps:
1. Unzip the download. To do so, use the following command:
/#gunzip airsnort-0.2.7e.tar.gz
2. Untar the file with the following command:
/#tar –xvf airsnort-0.2.7e.tar
3. Change the directory to the one you created when you uncompressed and retrieved the archive. Do this with this command:
/#cd airsnort-0.2.7e
4. Compile and install AirSnort.
You may find your platform requires different commands, but you get the idea. The compiling procedure puts AirSnort binaries in the /user/
local/bin directory. Depending on your platform, try one of these commands:
/airsnort-0.2.7e# ./autogen.sh
/airsnort-0.2.7e# make
/airsnort-0.2.7e# make install
5. To run AirSnort, open a terminal window and type the following command:
/airsnort-0.2.7e# airsnort
6. Use the up or down arrows to select the channel you want to scan.
If you used Kismet or another wireless scanner earlier to identify channels, then you most likely know the channel you want to monitor. If you simply want to monitor all the channels, click Scan.
7. From the Network device drop-down list, select your network device.
This is the device that you will use to monitor. For example, select eth0. AirSnort does not necessarily put cards into monitor mode automatically.
21_597302_ch14.qxd 8/4/05 7:05 PM Page 269
Chapter 14: Cracking Encryption
269
8. From the Card type drop-down list, select your wireless NIC.
For example, you can select ORiNOCO.
9. If you want to decrease the time it takes to crack the key, then increase the 40-bit or 128-bit crack breadth.
Increasing the crack breadth increases the number of key possibilities examined when AirSnort attempts to break the WEP key.
10. Click the Start button on the lower-left part of the bottom bar.
AirSnort will start to show you some interesting SSIDs — and eventually will crack the key.
It can take a long time to crack the key. The Shmoo crew gives an example in its FAQ (http://airsnort.shmoo.com/faq.html). Take the example of a small company with four employees. The four use the Internet all day and in so doing generate about 1 million packets per day. Of those 1 million packets, about 120 are interesting. Regardless of whether you look at the total packets or the interesting IVs, the keys are exhausted in about 16 days. The more employees, the shorter the timeframe.
You’ll find a wealth of information at the Shmoo site including WEP implementation and passive monitoring.
Using aircrack
Aircrack (www.cr0.net:8040/code/network/) from Christophe Devine is another WEP-cracking tool. There is a Windows and Linux version. However, we will concentrate in this section on the version made specifically for the Windows platform.
Aircrack implements KoreK’s attacks as well as improved FMS (Fluhrer-Mantin-Shamir) attacks. Aircrack provides the fastest and most effective statistical attacks available. To give aircrack a try, simply collect as many packets as possible from a WEP-encrypted wireless network, and then start aircrack. Perhaps a few steps to illustrate this:
1. Download and unzip aircrack-2.1.zip from Christophe’s Web site.
After you unzip the aircrack-2.1.zip file, you should see in the win32
subdirectory a file titled airodump. Airodump is a packet-capture program.
2. Start the packet capture by double-clicking the airodump icon.
You should see the window shown in Figure 14-5.
21_597302_ch14.qxd 8/4/05 7:05 PM Page 270
270 Part III: Advanced Wi-Fi Hacks
Figure 14-5:
Airodump
window:
starting the
options.
3. From this list of known wireless interfaces, pick the one you want to use, choose it, and hit the Enter key.
Your window should look similar to the one shown in Figure 14-6.
4. Choose your interface and then press Enter.
You can choose o for Orinoco/Realtek interfaces or a for Aironet/Atheros interfaces.
Figure 14-6:
Airodump
window: the
network-
interface
index
option.
21_597302_ch14.qxd 8/4/05 7:05 PM Page 271
Chapter 14: Cracking Encryption
271
5. Enter a channel to scan and then press Enter.
If you know the channel from your wardriving, then enter the number of the channel you want to dump. Otherwise enter 0 (zero) to scan them all.
6. Enter any name for the output file, and then hit the Enter key.
Pick a name that makes sense. You may want to include the date and time in the name.
7. If you want to filter on a particular MAC address, enter it. Otherwise type p for none. Hit the Enter key.
Your window should look similar to the one shown in Figure 14-7.
Figure 14-7:
Airodump
window:
finishing the
options.
8. Observe as Airodump starts capturing frames.
A window like the one in Figure 14-8 appears. From this window, you can see airodump racking up the IVs.
9. Double-click the aircrack icon.
A window like the one in Figure 14-9 appears.
21_597302_ch14.qxd 8/4/05 7:05 PM Page 272
272 Part III: Advanced Wi-Fi Hacks
Figure 14-8:
Airodump
capturing
frames.
Aircrack often determines a WEP key within a few seconds, but the execution time is highly variable. It took Peter several days to crack a WEP
with little activity and a 40-bit key. Shorter execution times require more traffic, more unique IVs, more luck, and the lowest successful fudge factor, a setting that tells aircrack how wildly it should guess when trying new keys. The higher the fudge factor, the more keys aircrack will try —
increasing both the potential time of execution and the likelihood that the attack will succeed. The fudge factor has a default value of two, but you can set it to any positive integer. The default setting is a good place to start, but try several different settings when the initial attack does not succeed. Note, however, that there’s a tradeoff: Generally the higher the fudge factor, the longer the execution time.
Figure 14-9:
Aircrack
window:
options.
21_597302_ch14.qxd 8/4/05 7:05 PM Page 273
Chapter 14: Cracking Encryption
273
10. If you want to use a fudge factor other than the default, type it in and then press Enter.
11. Access the file created in Steps 1 through 9.
You can type the name and hit the Enter key or (following aircrack’s suggestion) drag the file over to where you need it.
12. Enter a 0 (zero) and then hit the Enter key.
If you get the message shown in Figure 14-10, then you need to let airodump gather more IVs. Should you see the message in Figure 14-11, however, it’s Game Over time.
Figure 14-10:
The Air-
crack IV
message.
Figure 14-11:
Aircrack
success!
Using WepLab
WepLab (http://weplab.sourceforge.net/) from Jose Ignacio Sanchez provides an alternative implementation of the KoreK attacks. Similar to aircrack’s fudge factor, WepLab provides a probability adjustment with its percent (--perc) command-line option. The default setting of 50 percent is fairly 21_597302_ch14.qxd 8/4/05 7:05 PM Page 274
274 Part III: Advanced Wi-Fi Hacks
aggressive, and results in relatively few branches; higher settings increase the number of branches taken. In addition to excellent statistical attacks, WepLab provides brute-force and dictionary-cracking attacks that can be very effective. This combination of techniques makes WepLab an essential tool.
Finding other tools
Don’t like any of those tools? Don’t fret — there are more. For example, you can try these WEP crackers:
ߜ Auditor Security Collection: http://remote-exploit.org/?page=
auditor
ߜ chopchop: www.netstumbler.org/showthread.php?t=12489
ߜ Dwepcrack: www.e.kth.se/~pvz/wifi/
ߜ jc-wepcracker: www.astalavista.com/?section=dir&cmd=file& id=3316
ߜ WepAttack: http://wepattack.sourceforge.net/
Not sure what one to use? Well, we don’t usually enter into religious debates.
But we can point you to a place where they do. You can find an excellent comparison of the above tools at SourceForge (www.securityfocus.com/
infocus/1814).
Armed with a WEP key, you can decipher new packets you gather using AirSnort, ethereal, or prismdump. Or you could use WEP Decrypter (www.linkferret.ws/products/decrypt.htm), wep_decrypt (www.lava.
net/~newsham/wlan/wep_tools.tgz), or chopchop (http://forums.net stumbler.com/showthread.php?t=12489) to decrypt frames. You also can negotiate with the access point and gain entry to the network. Once on the network, you can run nmap (www.insecure.org/nmap/) or Cain & Abel (www.oxid.it/cain.html) to gather passwords, discern applications, and fingerprint operating systems.
Countermeasures Against Home
Network-Encryption Attacks
If you’ve read up to this point, we wouldn’t blame you if you’re a bit crest-fallen about using wireless networks safely. Don’t despair, there are some things you can do to protect yourself — even at home. You can 21_597302_ch14.qxd 8/4/05 7:05 PM Page 275
Chapter 14: Cracking Encryption
275
ߜ Rotate the keys
ߜ Use Wi-Fi Protected Access (WPA)
These are discussed in detail in the sections that follow.
Rotating keys
As mentioned, WEP is a symmetric algorithm that uses the same secret key for encryption and decryption. Sender and receiver must possess the same key.
If they must share keys, then they must also have a method for securely exchanging those shared keys.
Amazingly, there is nothing in the 802.11 standard about managing keys —
even though key management is probably the most critical aspect of a cryptographic system. But key management for 802.11 systems largely left up to the users of a 802.11 network — many of whom you wouldn’t exactly call security-savvy. Result: Many vulnerabilities are introduced into the WLAN
environment. The lack of key management in the original 802.11 specification also leaves key distribution unresolved. Without a consistent sense of how to exchange keys securely, WEP-secured WLANs don’t scale well.
When an enterprise recognizes the need to change keys often and to make them random, the task is formidable in a large WLAN environment. When you have only two or three laptops, this is an annoyance; when you have 3,000
workstations, it’s a potential showstopper. Each one of those 3,000 workstations must have the same secret key — and the owner of every workstation must keep it secret. Generating, distributing, loading, and managing keys for an environment of this size is a significant challenge and well-nigh impossible. Compromise one client and you have the keys.
You know what they say about secrets? (Here’s a hint: It’s no secret.) Have you ever lost a laptop? Have you ever lost an employee? In both cases, you should change all 3,000 keys. Otherwise someone can decrypt every message, because everybody is using the same key. And just how often do you really think administrators will change the keys?
Using WPA
You may have heard of 802.11i, the new kid on the standards block. Check out the IEEE (www.ieee.org/), if you haven’t. IEEE 802.11i defines the “robust security network (RSN).” An access point that meets this standard will only allow RSN-capable devices to connect. RSN is the environment we are evolving to because it provides the security services we require for a network.
21_597302_ch14.qxd 8/4/05 7:05 PM Page 276
276 Part III: Advanced Wi-Fi Hacks
Only time will tell whether there are flaws in 802.11i. We cover 802.11i features in this section — and again, later in the chapter, when we cover AES.
Implementing 802.11i requires new hardware. Not everyone wants (or needs) to acquire new hardware — but everybody will still want improved security.
So far, it looks as if WPA comes to the rescue.
An initiative for improving WLAN security is the interim solution — Wi-Fi Protected Access (WPA) — to address the problems of WEP. WPA uses the Temporal Key Integrity Protocol (TKIP) to address the problems without requiring hardware changes — that is, requiring only changes to firmware and software drivers. TKIP is also part of the RSN.
WPA is an example of a software or firmware patch. As an interim security solution, WPA does not require a hardware upgrade to your existing 802.11
equipment; the full-blown 802.11i standard does. WPA is not a perfect solution, but it does attempt quick and proactive delivery of enhanced protection to address some of the chronic WEP problems that predate the availability of 802.11i security features. WPA has two key features:
ߜ 802.1X support
ߜ Temporal Key Integrity Protocol (TKIP)
WPA uses 802.1X port-access control to distribute per-session keys. (Some vendors previously offered 802.11X support, even though it wasn’t specified in the standard.) The 802.1X port-based access control provides a framework that allows use of robust upper-layer authentication protocols.
Temporal Key Integrity Protocol (TKIP) provides key mixing and a longer initialization vector. It also provides a Message Integrity Check (MIC) that prevents wireless data from being modified in transit. Even better, TKIP
offers some essential support for wireless-network security by ߜ Managing keys to prevent the reuse of a static key
ߜ Facilitating the use of session keys because cryptographic keys should change often
ߜ Including four new algorithms to enhance the security of 802.11
ߜ Extending the IV space
ߜ Allowing for per-packet key construction
ߜ Providing cryptographic integrity
ߜ Providing key derivation and distribution
Through 802.11i and WPA, TKIP protects against various security attacks discussed earlier in this chapter — including replay attacks and attacks on data integrity. Additionally, it addresses the critical need to change keys. Again, the objective of WPA was to bring a standards-based security solution to the 21_597302_ch14.qxd 8/4/05 7:05 PM Page 277
Chapter 14: Cracking Encryption
277
marketplace to replace WEP until full-blown IEEE 802.11i Robust Security Networks (RSNs), based on an amendment to the existing wireless LAN standard, become available. RSN also includes the Advanced Encryption Standard (AES) for confidentiality and integrity.
But WPA is not without its problems. Basically, one can crack Wi-Fi Protected Access Pre-Shared Keys that use short passphrases based on words found in the dictionary (yes, people still do that). For WPA, certain short or dictionary-based keys are easy to crack because an attacker can monitor a short transaction — or force that transaction to occur and then perform the crack remotely.
You will find software to help with WPA cracking as well. The WPA Cracker (www.tinypeap.com/page8.html) tool is somewhat primitive, requiring that you enter the appropriate data retrieved via a sniffer. (Your friendly authors recommend that you use ethereal.)
So how do you protect yourself when using WPA? Well, you can ߜ Choose a better passphrase, especially one that isn’t made up of words in the dictionary.
ߜ Select a passphrase that is at least 20 characters long.
ߜ Randomly choose your passphrase.
ߜ Use WPA Enterprise or 802.1X with WPA.
ߜ Use virtual-private-network (VPN) technology, such as those technologies described later in this chapter.
As with all encryption matters, RSN, WPA, and TKIP are fairly complex topics.
You can find more information on these protocols and algorithms in Peter’s Wireless Networks For Dummies (Wiley).
Organization Encryption Attack
Countermeasures
Your organization should adopt the techniques provided for the home network where practical. But you should supplement those features with one of these measures:
ߜ WPA2 technology
ߜ VPN technology
These are discussed in detail in the following sections.
21_597302_ch14.qxd 8/4/05 7:05 PM Page 278
278 Part III: Advanced Wi-Fi Hacks
Using WPA2
As much of an improvement as it is, WPA is still based on the RC4 algorithm —
a stream cipher. But a major component of RSN is the use of the Advanced Encryption Standard (AES) for both data confidentiality and integrity.
Presently, you can find AES WRAP (Wireless Robust Authenticated Protocol) products, but the final specification requires the AES-CCMP (Counter Mode-Cipher Block Chaining MAC Protocol) algorithm.
WPA2 (as specified in 802.11i) helps prevent replays and repudiation, enhances message integrity, and protects message privacy.
The 802.11i specification offers Advanced Encryption Standard (AES)-based cryptographic services at the Data Link Level and validates them according to the federal standard FIPS 140-2. Because AES will mitigate most concerns you may have about wireless eavesdropping or active wireless attacks, we strongly recommend its use. Keep in mind, however, that a wireless protocol at the Data Link Level protects only the wireless sub network — not the entirenetwork. Where traffic traverses other network segments — whether those are local- or wide-area networks, wired segments, the Internet, or your in-house network’s backbone, you may require additional security. That means implementing higher-level, FIPS-validated, end-to-end cryptographic protection.
The AES-based solution provides a highly robust security stance for the future — but requires new hardware and protocol changes. Your organization may have difficulty justifying the use of AES because it requires you to build a Public Key Infrastructure (PKI) — and that’s costly.
At the time of publication, we could not find any cracking tools for AES-CCMP.
That doesn’t mean they don’t exist or won’t emerge; it just means you get a reprieve for now. But you are in an arms-escalation race. The crackers will catch up, so you must remain ever vigilant.
Using a VPN
Your organization can supplement the other controls in this book with a virtual private network (VPN) — a network that is created using public wires to connect private nodes. It’s essentially a secure “tunnel” through the Internet; its “walls” are made of high-level encryption measures. It’s attractive because it normally means less investment in hardware; many of us, in fact, are already using the Internet to connect to office applications. But the Internet is a very public network — and the public is partly made up of bad guys.
21_597302_ch14.qxd 8/4/05 7:05 PM Page 279
Chapter 14: Cracking Encryption
279
Even accessing your e-mail from the park outside your office as you sip your latté is risky without a VPN — because the person next to you on the bench could use the tools in this chapter to intercept and decrypt all your work. If you make frequent use of a wireless network at the office, you need to install and use VPN technology to protect yourself.
There are three general types of VPN:
ߜ Remote Access VPN: This, the most common VPN, allows a remote user to securely access internal applications such as e-mail.
ߜ Extranet VPN: This allows one organization to securely access another organization.
ߜ Intranet VPN: In this VPN, data crossing the organization’s normal network is encrypted.
You will find many solutions that help you to create networks using the Internet as the medium for transporting data. Typically, VPN solutions use encryption to ensure that only authorized users can access the network and that nobody can intercept the data. The solutions provide a tunnel between two networks that only authorized persons can access. You set up a tunnel each time you need it, and it is torn down when you are finished. In lieu of end-to-end cryptographic applications, your organization may find that it is necessary to build tunnels over public networks at the network or transport layer. There are many VPN solutions, ranging from commercial applications to sophisticated features that are available as part of our operating systems.
Some of the more popular protocols for VPNs are:
ߜ Point-to-Point Tunneling Protocol (PPTP)
ߜ Layer 2 Tunneling Protocol (L2TP)
ߜ Internet Protocol Security (IPSec)
ߜ Secure Shell (SSH)
These are discussed in detail in the following sections.
Using Microsoft’s Point-to-Point Tunneling Protocol
Arguably the weakest of all techniques, PPTP offers a quick and relatively painless method of accessing your network. It does offer a level of encryption that is more than adequate for most small-business owners. Small-to-medium-size businesses tend to like PPTP because it doesn’t need a certificate server (as do L2TP and IPSec) and it supports native Windows commands. Finally, client software is available for all Microsoft operating systems and most commercial VPN vendors support PPTP.
21_597302_ch14.qxd 8/4/05 7:05 PM Page 280
280 Part III: Advanced Wi-Fi Hacks
You can choose authentication that uses passwords. Understand, however, that PPTP relies heavily on your password-generation skills.
Using Layer 2 Tunneling Protocol
Microsoft has made Layer 2 Tunneling Protocol (L2TP) available on the Windows 2000 or 2003 platform. Its primary drawback for the small business owner is its need for a certificate server or third-party certificate — which may not be affordable.
Using IPSec
IPSec is an industry standard for encryption that Microsoft includes in its newer Windows 2000, XP and 2003 operating systems. It is reasonably easy to set up between Windows machines and offers excellent security. Like L2TP, IPSec requires the use of a certificate server or a third-party certificate.
IPSec has two modes of use: tunnel and transport. Tunnel mode encrypts the header and the payload of each packet, while transport mode only encrypts the payload.
A rule of usage: Tunnel on the WAN and transport on the LAN.
Using SSH2
SSH or Secure Shell is another tunnel. Organizations commonly used SSH to tunnel services with cleartext passwords such as Telnet and FTP.
SSH also allows you to log in to remote host computers securely — as we did earlier using PPTP. You can also run commands on a remote machine, and enjoy secure, encrypted, and authenticated communications between two machines or networks. Within this tunnel, you run the services you want to protect such as e-mail, FTP, or even Web browsing.
We don’t mean to leave you with the impression that a VPN is a silver bullet.
The bad guys mount client-side and server-side attacks on VPNs. If your weakness is your clients, then that’s where they attack. If you are interested in more information on WLANs and VPNs, pick up Wireless Networks ForDummies (Wiley).
22_597302_ch15.qxd 8/4/05 7:11 PM Page 281