Monday, April 14, 2014

Man-in-the-Middle Attacks, Wireless MITM, Gorvam saddar



Man-in-the-Middle Attacks
A man-in-the-middle (MITM) attack refers to the situation where an attacker on host X inserts X into all communication between hosts B and C, and neither B nor C is aware of the presence of X.  All messages sent by B do reach C, but via X, and vice versa.  The attacker can merely observe the communication or modify it before forwarding it.  An MITM attack can break connections that are otherwise secure; at the TCP level, SSH and VPN connections, for example, are prone to this attack.
8.1 Wireless MITM
Assume that station B was authenticated with C, a legitimate AP.  Attacker X is a laptop with two wireless cards.  Through one card, he will present X as an AP.  Attacker X sends Deauthentication frames to B using C's MAC address as the source, and the BSSID he has collected.  B gets deauthenticated and begins a scan for an AP, and may find X on a channel different from C's.

Denial of Service by gorvam saddar


Denial of Service
Denial of service (DoS) occurs when a system is not providing services to authorized clients because of resource exhaustion by unauthorized clients.  In wireless networks, DoS attacks are difficult to prevent, an ongoing attack is difficult to stop, and the victim and its clients may not even detect the attack.  The duration of such a DoS may range from milliseconds to hours.  A DoS attack against an individual station enables session hijacking.
7.1 Jamming the Air Waves
A number of consumer appliances such as microwave ovens, baby monitors, and cordless phones operate in the unregulated 2.4 GHz radio band.  An attacker can unleash large amounts of noise using these devices and jam the airwaves so that the signal-to-noise ratio drops so low that the wireless LAN ceases to function.  The only solution to this is RF-proofing the surrounding environment.
7.2 Flooding with Associations

Detection of Probing, AP Weaknesses, Defeating MAC Filtering, Rogue AP, Trojan AP, Equipment Flaws by gorvam saddar



Detection of Probing
Detection of probing is possible.  The frames that an attacker injects can also be heard by the intrusion detection system (IDS) of a hardened wireless LAN.  There is GPS-enabled equipment that can identify the physical coordinates of the wireless device through which the probe frames are being transmitted.
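As an added illustration of what such an IDS sensor can do with the frames it hears (example code written for this page, not from the article): it reads a constructed management-frame log and flags any source address that emits a burst of Deauthentication frames, the pattern produced by the spoofed deauthentication described in the wireless MITM section. The log format, the addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample of what a wireless IDS sensor might log for management frames
# (one frame per line; not a real capture). 00:02:2d:17:b9:e8 plays the legitimate
# AP "C"; the burst at the end spoofs C's address, as in the wireless MITM scenario.
NORMAL = """\
t=0.000 subtype=beacon    src=00:02:2d:17:b9:e8 dst=ff:ff:ff:ff:ff:ff
t=0.105 subtype=beacon    src=00:02:2d:17:b9:e8 dst=ff:ff:ff:ff:ff:ff
t=0.200 subtype=probereq  src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
t=0.210 subtype=proberesp src=00:02:2d:17:b9:e8 dst=00:11:22:33:44:55
t=0.600 subtype=deauth    src=00:0c:41:aa:bb:cc dst=00:66:77:88:99:aa
"""
FLOOD = "".join(
    f"t={1.0 + 0.02 * i:.3f} subtype=deauth    src=00:02:2d:17:b9:e8 dst=ff:ff:ff:ff:ff:ff\n"
    for i in range(8))
SAMPLE_LOG = NORMAL + FLOOD

LINE_RE = re.compile(r"t=(?P<t>[\d.]+)\s+subtype=(?P<sub>\w+)\s+"
                     r"src=(?P<src>[0-9a-f:]{17})\s+dst=(?P<dst>[0-9a-f:]{17})")

def parse_log(text):
    """Turn log lines into (time, subtype, src, dst) tuples; skip malformed lines."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["t"]), m["sub"], m["src"], m["dst"]))
    return frames

def detect_deauth_floods(frames, window=1.0, threshold=5):
    """Flag any source address that emits `threshold` or more Deauthentication
    frames within `window` seconds. A legitimate AP deauthenticates stations
    rarely, so a burst carrying its address is the mark of injected frames.
    Returns one (src, first_time, alert_time, count, to_broadcast) per source."""
    recent = defaultdict(deque)   # src -> timestamps of its recent deauth frames
    alerts, alerted = [], set()
    for t, sub, src, dst in frames:
        if sub != "deauth":
            continue
        q = recent[src]
        q.append(t)
        while t - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0], t, len(q), dst == "ff:ff:ff:ff:ff:ff"))
    return alerts
```

The single Deauthentication frame from the other AP at t=0.600 stays below the threshold, while the eight frames that claim C's address trip the alert on the fifth one.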
6. AP Weaknesses
APs have weaknesses that are due both to design mistakes and to user interfaces that promote weak passwords, etc.  It has been demonstrated by many publicly conducted war-driving efforts (www.worldwidewardrive.org) in major cities around the world that a large majority of the deployed APs are poorly configured, most with WEP disabled and the configuration defaults, as set by the manufacturer, untouched.
6.1 Configuration
The default WEP keys used are often too trivial. Different APs use different techniques to convert the user's keyboard input into a bit vector

Collecting the Frames for Cracking WEP, Detection of the Sniffers, Wireless Spoofing, MAC Address Spoofing by gorvam saddar



Collecting the Frames for Cracking WEP
The goal of an attacker is to discover the WEP shared-secret key.  Often, the shared key can be discovered by guesswork based on a certain amount of social engineering regarding the administrator who configures the wireless LAN and all its users.  Some client software stores the WEP keys in the operating system registry or in initialization scripts.  In the following, we assume that the attacker was unsuccessful in obtaining the key in this manner.  The attacker then employs systematic procedures to crack WEP.  For this purpose, a large number (millions) of frames need to be collected, because of the way WEP works.

Collecting the MAC Addresses by gorvam saddar



Collecting the MAC Addresses
The attacker gathers legitimate MAC addresses for later use in constructing spoofed frames.  The source and destination MAC addresses are always in the clear in all frames.  There are two reasons why an attacker would collect the MAC addresses of stations and APs participating in a wireless network.
(1) The attacker wishes to use these values in spoofed frames so that his station or AP is not identified.
(2) The targeted AP may be controlling access by filtering out frames with MAC addresses that were not registered.

Detection of SSID by gorvam saddar



2 Detection of SSID
The attacker can usually discover the SSID of a network by passive scanning, because the SSID occurs in the following frame types: Beacon, Probe Request, Probe Response, Association Request, and Reassociation Request.  Recall that management frames are always in the clear, even when WEP is enabled.
On a number of APs, it is possible to configure the AP so that the SSID transmitted in the Beacon frames is masked, or even to turn off Beacons altogether.  The SSID in the Beacon frames is set to null in the hope of making the WLAN invisible unless a client already knows the correct SSID.  In such a case, a station wishing to join a WLAN begins the association process by sending Probe Requests, since it could not detect via Beacons any AP that matches its SSID.
If the Beacons are not turned off, and the SSID in them is not set to null, an attacker obtains the SSID included in the Beacon frame by passive scanning.
When the Beacon carries a null SSID, there are two possibilities.  Eventually, an Association Request may appear from a legitimate station that already has the correct SSID.  To such a request, there will be an Association Response frame from the AP.  Both frames contain the SSID in the clear, and the attacker sniffs these.  Alternatively, if the station wishes to join any available AP, it sends Probe Requests on all channels and listens for Probe Responses, which contain the SSIDs of the APs.  The station considers all Probe Responses, just as it would have with non-empty-SSID Beacon frames, to select an AP.  Normal association then begins.  The attacker waits to sniff these Probe Responses and extracts the SSIDs.
If Beacon transmission is disabled, the attacker has two choices.  The attacker can keep sniffing, waiting for a voluntary Association Request to appear from a legitimate station that already has the correct SSID, and sniff the SSID as described above.  The attacker can also choose to actively probe by injecting frames that he constructs and then sniffing the response, as described in a later section.
When the above methods fail, SSID discovery is done by active scanning (see Section 5).

Wireless Network Sniffing, Authentication, Association, Passive Scanning by gorvam saddar



2.6 Authentication
Authentication is the process of proving the identity of a station to another station or AP.  In open system authentication, all stations are authenticated without any checking.  A station A sends an Authentication management frame that contains the identity of A to station B.  Station B replies with a frame, addressed to A, that indicates recognition.  In the closed network architecture, the stations must know the SSID of the AP in order to connect to it.  Shared key authentication uses a standard challenge and response along with a shared secret key.


2.7 Association
Data can be exchanged between the station and the AP only after the station is associated with an AP in infrastructure mode, or with another station in ad hoc mode.  All APs transmit Beacon frames a few times each second; these contain the SSID, time, capabilities, supported rates, and other information.  Stations can choose to associate with an AP based on the signal strength and other attributes of each AP.  Stations can have a null SSID, which is considered to match all SSIDs.
Association is a two-step process.  A station that is currently unauthenticated and unassociated listens for Beacon frames.  The station selects a BSS to join.  The station and the AP mutually authenticate themselves by exchanging Authentication management frames.  The client is now authenticated but unassociated.  In the second step, the station sends an Association Request frame, to which the AP responds with an Association Response frame that includes an Association ID for the station.  The station is now authenticated and associated.
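The two-step process above defines three states for a station: unauthenticated and unassociated, authenticated but unassociated, and authenticated and associated. The following model of the AP side of that state machine is an added example for this page (not the article's or any vendor's code, and the frame names and station address are constructed): it advances a station through the steps in order, rejects data and Association Requests that arrive out of sequence, and shows that a single Deauthentication frame returns the station to the first state, which is what the wireless MITM section relies on. The responses to out-of-state frames follow the 802.11 class rules as I know them: a Deauthentication when the sender is not authenticated, a Disassociation when it is authenticated but not associated.

```python
from enum import Enum

class State(Enum):
    """The three station states implied by the two-step process."""
    UNAUTH_UNASSOC = 1   # state 1: listening for Beacons, nothing exchanged yet
    AUTH_UNASSOC = 2     # state 2: Authentication frames exchanged
    AUTH_ASSOC = 3       # state 3: Association Response with an AID received

class AccessPoint:
    """AP-side model (constructed example): tracks each station's state and
    rejects frames that arrive before the step they depend on."""
    def __init__(self):
        self.state = {}      # station MAC -> State
        self.aid = {}        # station MAC -> Association ID
        self.next_aid = 1

    def handle(self, mac, subtype):
        """Process one frame from `mac`; return (accepted, response_subtype)."""
        s = self.state.get(mac, State.UNAUTH_UNASSOC)
        if subtype == "auth":                    # open system: no identity check
            self.state[mac] = State.AUTH_UNASSOC
            return True, "auth-response"
        if subtype == "assoc-request":
            if s is State.UNAUTH_UNASSOC:        # step 1 was skipped
                return False, "deauth"
            self.aid[mac] = self.next_aid
            self.next_aid += 1
            self.state[mac] = State.AUTH_ASSOC
            return True, f"assoc-response(aid={self.aid[mac]})"
        if subtype == "data":
            if s is State.AUTH_ASSOC:
                return True, None
            # an out-of-state data frame is answered by naming the missing step
            return False, "deauth" if s is State.UNAUTH_UNASSOC else "disassoc"
        if subtype == "disassoc" and s is State.AUTH_ASSOC:
            self.state[mac] = State.AUTH_UNASSOC
            self.aid.pop(mac, None)
            return True, None
        if subtype == "deauth":                  # from any state back to state 1
            self.state[mac] = State.UNAUTH_UNASSOC
            self.aid.pop(mac, None)
            return True, None
        return False, None

def replay(frames):
    """Run (station_mac, subtype) pairs through a fresh AP; return the AP and the log."""
    ap = AccessPoint()
    return ap, [ap.handle(mac, sub) for mac, sub in frames]
```

Whichever side receives the Deauthentication frame, the station's own state drops to state 1 in the same way, so it must rescan and repeat both steps before any data flows again.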

Wireless LAN, Stations and Access Points, Channels, WEP, Infrastructure and Ad Hoc Modes, Frames by gorvam saddar



2. Wireless LAN Overview
In this section, we give a brief overview of wireless LAN (WLAN) while emphasizing the features that help an attacker.  We assume that the reader is familiar with the TCP/IP suite (see, e.g., [Mateti 2003]).
IEEE 802.11 refers to a family of specifications (www.ieee802.org/11/) developed by the IEEE for the over-the-air interface between a wireless client and an AP, or between two wireless clients.  To be called 802.11 devices, they must conform to the Medium Access Control (MAC) and Physical Layer specifications.  The IEEE 802.11 standard covers the Physical (Layer 1) and Data Link (Layer 2) layers of the OSI Model.  In this article, we are mainly concerned with the MAC layer and not with the variations of the physical layer known as 802.11a/b/g.
2.1 Stations and Access Points
A wireless network interface card (adapter) is a device, called a station, that provides the network physical layer over a radio link to another station.  An access point (AP) is a station that provides frame distribution service to the stations associated with it.  The AP itself is typically connected by wire to a LAN.
The station and the AP each contain a network interface that has a Media Access Control (MAC) address, just as wired network cards do.  This address is a worldwide-unique 48-bit number, assigned to the interface at the time of manufacture.  The 48-bit address is often represented as a string of six octets separated by colons (e.g., 00:02:2D:17:B9:E8) or hyphens (e.g., 00-02-2D-17-B9-E8).  While the MAC address as assigned by the manufacturer is printed on the device, the address can be changed in software.
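An added example for this page (not from the article): a parser for the two printed forms just shown, which normalizes them to one 48-bit value and reads the two flag bits of the first octet. The "locally administered" bit is the one worth knowing when MAC addresses are used for access control, because a manufacturer-assigned address has it clear, so a station address with it set was chosen in software. The sample addresses other than the one on the page are constructed.

```python
import re

OCTET = re.compile(r"[0-9A-Fa-f]{2}")

def parse_mac(text):
    """Accept six octets separated by ':' or by '-' (either case) and return the
    48-bit value as an int. Wrong length, mixed separators or a non-hex octet
    raise ValueError."""
    s = text.strip()
    sep = s[2:3]
    if sep not in (":", "-"):
        raise ValueError(f"no ':' or '-' separator in {text!r}")
    parts = s.split(sep)
    if len(parts) != 6 or not all(OCTET.fullmatch(p) for p in parts):
        raise ValueError(f"not a 6-octet MAC address: {text!r}")
    return int("".join(parts), 16)

def is_valid_mac(text):
    try:
        parse_mac(text)
        return True
    except ValueError:
        return False

def format_mac(value, sep=":"):
    """Render a 48-bit int as six upper-case hex octets."""
    return sep.join(f"{(value >> (8 * (5 - i))) & 0xFF:02X}" for i in range(6))

def describe_mac(text):
    """Canonical form, the manufacturer prefix (OUI, first three octets) and the
    two flag bits of the first octet: I/G (group address) and U/L, which is set
    when the address was assigned locally rather than burned in at manufacture."""
    value = parse_mac(text)
    first = (value >> 40) & 0xFF
    canonical = format_mac(value)
    return {"canonical": canonical, "oui": canonical[:8],
            "group": bool(first & 0x01), "locally_administered": bool(first & 0x02)}
```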

All Hacking Techniques and methods in Wireless Networks by Gorvam saddar



This article is scheduled to appear in “The Handbook of Information Security”,