SlideShare une entreprise Scribd logo
1  sur  36
TOO!
   WPA 2
        “Hole196”


  Md Sohail Ahmad
   AirTight Networks
www.airtightnetworks.com




 © AirTight Networks. All rights reserved.
A lot of speculations about “Hole196” !




                 © AirTight Networks. All rights reserved.
Where did we find 
this “Hole196” ?




             © AirTight Networks. All rights reserved.
Buried inside the IEEE 802.11 standard
   for the last six years




              It’s right here!
Hole 196!!!



                    © AirTight Networks. All rights reserved.
The Talk is


NOT about:
Unauthorized user gaining access to WPA2 secured
network, or


Cracking private key of a WPA2 user


About:
An insider attack, which can be carried out by a
malicious user present inside the network



                   © AirTight Networks. All rights reserved.
Can you sniff private in-flight data of
other WiFi users?

                     Wired LAN Segment




Traffic encrypted                                  Traffic encrypted 
with the private                                   with the private 
key of Client1                                     key of Client2




      WiFi Client 1                                   WiFi Client 2
    (Malicious Insider)

                          © AirTight Networks. All rights reserved.
Can you sniff private in-flight data of
other WiFi users?

                      Wired LAN Segment




                                                         Honeypot style of attack will 
                                                         not work!




                                            X



  Malicious Insider    Honeypot AP                   WiFi Client 2


                         © AirTight Networks. All rights reserved.
Can you sniff private in-flight data of
other WiFi users?

                        Wired LAN Segment




                               t                                   Existing wired IDS/IPS can 
                            es
                          u
                        eq y)                                      catch ARP spoofing attack!
                    P  R w a
                   R e
                d A  Gat
              fe e
         oo  th
       Sp am
         (I  




    WiFi Client 1                                           WiFi Client 2
  (Malicious Insider)

                                © AirTight Networks. All rights reserved.
No key cracking! No brute force!


                     Wired LAN Segment




Traffic encrypted                                  Traffic encrypted 
with the private                                   with the private 
key of Client1                                     key of Client2




      WiFi Client 1                                   WiFi Client 2
    (Malicious Insider)

                          © AirTight Networks. All rights reserved.
Encryption Keys


Two types of keys for data encryption
1. 1. Pairwise Transient Key (PTK)
2. 2. Group Temporal Key (GTK)



While PTK is used to protect unicast data 
frames , GTK is used to protect group 
                                                                    2
addressed data frames e.g. broadcast ARP                          WPA
request frames.




                      © AirTight Networks. All rights reserved.
PTK is unique, derived per session


                             Wired LAN Segment




       Traffic encrypted                                    Traffic encrypted 
       with PTK1                                            with PTK2




 Private Key                                                                   Private Key 
 PTK1                                                                          PTK2

          WiFi Client 1                                        WiFi Client 2


                            © AirTight Networks. All rights reserved.
GTK is shared among all associated clients



                                                  Your Group key  is GTK1


                                                                                 Newly 
                                                                            associated client




         Client 1                 Client 2                Client 3
        PTK = PTK1              PTK = PTK2               PTK = PTK3
     Group key = GTK1        Group key = GTK!         Group key = GTK1

                         Three connected clients

                        © AirTight Networks. All rights reserved.
WPA2 standard defines GTK as a one-way key



                                     Destination MAC = FF:FF:FF:FF:FF:FF



                      ARP Req




    GTK should be used as an encryption key by an AP
       and as a decryption key by a wireless client




               © AirTight Networks. All rights reserved.
A WiFi client always keeps a copy of GTK




wpa_supplicant software is used on WiFi client devices.

The log of wpa_supplicant software shows that GTK is always
known to a WiFi client device



                   © AirTight Networks. All rights reserved.
A malicious client can inject encrypted group 
addressed data frames to other clients


                                                                  Legitimate clients 
                                                                 can not detect data 
                                                                        forgery
                              Broadcast frame 
                              Encrypted with GTK
     Malicious insider can 
      inject forged group 
     addressed data traffic

                     © AirTight Networks. All rights reserved.
Exploit #1: Stealth ARP Poisoning

                      Wired LAN




Victim’s data encrypted                   Victim’s data encrypted 
with Attacker’s  PTK                      with Victim’s PTK

                    3                 2


                             1
                       I am the Gateway                              1 Attacker injects fake ARP Request packet 
                     (Encrypted with GTK)                              to poison client’s cache for gateway.
     Attacker                                       Victim
                                                                     2 Victim sends all traffic encrypted with its PTK 
                                                                        to the AP, with Attacker as the destination 
                                                                        (gateway)

                                                                     3 AP forwards Victim’s data to the Attacker 
                                                                       encrypting it in the Attacker’s PTK. So 
                                                                       Attacker can decrypt Victim’s private data.
              © AirTight Networks. All rights reserved.
Man-in-the-middle (MITM) Attack

                                    Wired LAN


Attacker forwards victim data to 
actual Gateway to provide a 
transparent service to the victim
                            4


                                                                            Victim
                                       I am the Gateway
                                     (Encrypted with GTK)
                 Attacker                                        Victim



                                                                            Victim


                                © AirTight Networks. All rights reserved.
ARP Poisoning: Detectable vs Stealth


         Detectable (Old style)                                     Stealth (Hole196)
                   Wired LAN                                               Wired LAN




                  th e y
                m a
             I a te w
               Ga
                                                                       I am the Gateway
                                                                       Encrypted with GTK
  Malicious insider                   Victim            Malicious insider                   Victim

Spoofed ARP Request frames are sent on                 Spoofed ARP Request frames are not
the wire and wireless medium by an AP. The             sent to AP and never go on wire; hence
attack can be detected by wired IDS/IPS.               cannot be detected by wired IDS/IPS



                               © AirTight Networks. All rights reserved.
Exploit #2: IP Level Targeted Attack

  Any data payload can be encapsulated in the group addressed IEEE
  802.11 data frames



                                                                   IP Layer Unicast Data Frame



       Dur-       Address 1 =      Address 2 =      Address 3 =    Seq.        Encapsulated
Flag                                                                                          FCS
       ation   FF:FF:FF:FF:FF:FF   AP’s BSSID    Src MAC Address    No         Data Payload


                                          IEEE 802.11 Data Packet




                                   © AirTight Networks. All rights reserved.
Example: Port Scanning



                                                                               SYN Frame



       Dur-       Address 1 =      Address 2 =      Address 3 =    Seq.         Encapsulated
Flag                                                                                           FCS
       ation   FF:FF:FF:FF:FF:FF   AP’s BSSID    Src MAC Address    No          Data Payload


                                          IEEE 802.11 Data Packet



   What else is possible ?
                  - Buffer overflow exploit
                  - Malware Injection
                  - ???

                                   © AirTight Networks. All rights reserved.
Replay Detection in WPA2

48 bit Packet Number (PN) is present in all encrypted DATA frames




Replay Attack Detection in WPA2                                                       Expecting
1.   All clients learn the PN associated with a GTK                                   PN >700
     at the time of association
                                                                             PN=701
2.   AP sends a group addressed data frame to all 
     clients with a new PN
3.   If new PN > locally cached PN, then packet is      Access Point                  Legitimate client
     decrypted and after successful decryption, 
     cached PN is updated with new PN

                                 © AirTight Networks. All rights reserved.
Exploit #3: WDoS on Broadcast Downlink Traffic

A malicious user can advance the locally cached PN (replay counter) in all
peer clients by forging a group addressed data frames with a very large PN

                               PN = 780                      PN = 780
                                                                        Legitimate 
  Malicious                                                             client
  client
                           GTK encryp
                                      ted broadca                  Client updates PN. 
                           data frame             st 
                                      PN = 9999                    New PN = 9999
                                             PN = 781
                                                             X     Client checks PN. New 
                                             PN = 782              PN (781) < local PN 
                                                             X     (9999)
                                             PN = 783
                                                                   Packets are dropped 
                                                             X
                                                  …….              until PN reaches 9999

                     © AirTight Networks. All rights reserved.
POC: GTK Exploit
Few lines of code + Off‐the‐shelf hardware




                       © AirTight Networks. All rights reserved.
Open Source Software: Madwifi & WPA
Supplicant Software


wpa_supplicant (0.7.0)
Supplicant software is used to pass updated GTK and PN to be by madwifi
driver


Madwifi (0.9.4)
Software is modified to create spoofed group addressed data frames
with sender as AP address




                         © AirTight Networks. All rights reserved.
Modification in the madwifi driver

 Broadcast IEEE 802.11 Frame

                          Address 1             Address 2           Address 3

                Dur-        AP’s MAC                                                 Seq.
 ToDS    Flag
                ation        (BSSID)
                                            Client’s MAC Address FF:FF:FF:FF:FF:FF
                                                                                      No



                          Receiver              Transmitter     Final Destination



                Dur-                            AP’s MAC                             Seq.
FromDS   Flag           FF:FF:FF:FF:FF:FF                     Client’s MAC Address
                ation                            (BSSID)                              No




                          Receiver              Transmitter      Original Sender




                                  © AirTight Networks. All rights reserved.
Modification in the madwifi driver

1. Cyclic shift of addresses, convert ToDS flag into
FromDS: 4 Lines

                          Address 1             Address 2           Address 3

                Dur-        AP’s MAC                                                 Seq.
 ToDS    Flag                               Client’s MAC Address FF:FF:FF:FF:FF:FF
                ation        (BSSID)                                                  No
                                                                                             10 lines of 
                                                                                             driver code 
                                                                                              to exploit 
                Dur-                            AP’s MAC                             Seq.
                                                                                                 GTK 
         Flag           FF:FF:FF:FF:FF:FF                     Client’s MAC Address
FromDS          ation                            (BSSID)                              No
                                                                                            vulnerability!


2. Selection of right key for frame encryption: 6 Lines


                                  © AirTight Networks. All rights reserved.
Demo: Stealth mode MITM attack



The Arsenal of MITM Attack
Cain & Abel

Ettercap

Delegated/DNSSpoof

SSLSniff

SSLSTRIP
                                            Malicious             Victim
…                                           Insider




                      © AirTight Networks. All rights reserved.
Who is vulnerable to “Hole196” ?


All implementation of WPA and WPA2, regardless of
    Type of encryption used in the network (AES or TKIP)


    Type of authentication used in the network ( PSK or
   802.1x/EAP)


    Type of WLAN architectures (Standalone, Locally controlled
   or Centrally Controlled)




                      © AirTight Networks. All rights reserved.
Countermeasures
The Real Fix: Protocol Enhancement


     Deprecate use of GTK and group addressed data traffic
   1.   For backward compatibility AP should send randomly generated
        different GTKs to different clients so that all associated clients have
        different copy of group key
   2.   AP should deliver group addressed data traffic by converting them into
        unicast traffic


Disadvantages:
a. Impact on network throughput
b. Requires AP software upgrade (Not going to happen overnight !)




                      © AirTight Networks. All rights reserved.
What should we do now?
Can we rely on end point security software?


Client software such as DecaffeintID or Snort detects change in
the ARP cache.




                        Detects ARP Cache Poisoning attack

Limitations:
1. Client software is available only for limited 
operating systems and hardware platforms

2. Not enterprise grade; Impractical to manually install 
on large number of endpoints
                            © AirTight Networks. All rights reserved.
Can we rely on WLAN infrastructure ?

Public Secure Packet Forwarding (PSPF)/peer-to-peer (P2P) or
Client Isolation


                                                    A’s packet is not 


                            s  A
                                                    forwarded to B
                          s i                  X
                        hi
                      , T
                     B
                 llo
               He




                Client A                              Client B

Legitimate users might want to download songs/pics from say
laptop to smartphone!
What’s about Voice-over-WiFi deployment ?
                       © AirTight Networks. All rights reserved.
Can we rely on Wireless Monitoring Systems
(WIPS/WIDS) ?

                                                  Similar to WEP Cracking, Skyjacking 
                                                  and WPA‐TKIP, Hole 196 exploit is 
                                                  carried out entirely over the air




 WIPS can serve as an additional layer of defense in detecting and
 protecting from such attacks
                   © AirTight Networks. All rights reserved.
Concluding Remarks


 All WPA2 networks are exposed with the “Hole 196” vulnerability; Inter
 user privacy is broken in WPA2

 The real fix requires enhancement in the WPA2 protocol. In long term,
 standard can fix the problem but in short term AP vendors should provide
 a patch (proprietary solution)

 In the mean time, enterprises should consider turning ON Client isolation
 (PSPF) features on their WLANs and use endpoint security (ARP
 poisoning detector like Snort or other higher layer security like IPSec)

 A multi-layered security approach should be adopted; A dedicated WIPS
 monitoring the airspace 24/7 can detect and mitigate zero-day
 vulnerabilities such as “Hole 196”


                     © AirTight Networks. All rights reserved.
Be Aware, Be Secure !


                      Thank You
                   Md Sohail Ahmad
              md.ahmad@airtightnetworks.com
                  www.airtightnetworks.com


     For up-to-date information on developments in wireless
                          security, visit

               blog.airtightnetworks.com

                © AirTight Networks. All rights reserved.

Contenu connexe

Tendances

Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkP1Security
 
User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...Siddharth Rao
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocolsAbdessamad TEMMAR
 
Switch and Router Security Testing
Switch and Router Security TestingSwitch and Router Security Testing
Switch and Router Security TestingConferencias FIST
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilitiesvanhoefm
 
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksJim Geovedi
 
Router and Routing Protocol Attacks
Router and Routing Protocol AttacksRouter and Routing Protocol Attacks
Router and Routing Protocol AttacksConferencias FIST
 
Muriel Medard - Network Coding in Satellites - Global SIP 2018
Muriel Medard - Network Coding in Satellites - Global SIP 2018Muriel Medard - Network Coding in Satellites - Global SIP 2018
Muriel Medard - Network Coding in Satellites - Global SIP 2018CodeOn
 
Marrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga
 
Technical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - englishTechnical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - englishPrivateWave Italia SpA
 
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015CODE BLUE
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPvanhoefm
 
The known unknowns of SS7 and beyond
The known unknowns of SS7 and beyondThe known unknowns of SS7 and beyond
The known unknowns of SS7 and beyondSiddharth Rao
 
Gsm security
Gsm securityGsm security
Gsm securityAli Kamil
 

Tendances (20)

Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN network
 
Bluetooth [in]security
Bluetooth [in]securityBluetooth [in]security
Bluetooth [in]security
 
User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocols
 
Switch and Router Security Testing
Switch and Router Security TestingSwitch and Router Security Testing
Switch and Router Security Testing
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilities
 
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
 
Firewalls (6)
Firewalls (6)Firewalls (6)
Firewalls (6)
 
Router and Routing Protocol Attacks
Router and Routing Protocol AttacksRouter and Routing Protocol Attacks
Router and Routing Protocol Attacks
 
Wireless security
Wireless securityWireless security
Wireless security
 
Muriel Medard - Network Coding in Satellites - Global SIP 2018
Muriel Medard - Network Coding in Satellites - Global SIP 2018Muriel Medard - Network Coding in Satellites - Global SIP 2018
Muriel Medard - Network Coding in Satellites - Global SIP 2018
 
Marrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga ; Firewalls
Marrion Kujinga ; Firewalls
 
Technical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - englishTechnical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - english
 
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
 
L2 tp., ip sec
L2 tp., ip secL2 tp., ip sec
L2 tp., ip sec
 
Isys20261 lecture 07
Isys20261 lecture 07Isys20261 lecture 07
Isys20261 lecture 07
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIP
 
The known unknowns of SS7 and beyond
The known unknowns of SS7 and beyondThe known unknowns of SS7 and beyond
The known unknowns of SS7 and beyond
 
Gsm security
Gsm securityGsm security
Gsm security
 
802.11w Tutorial
802.11w Tutorial802.11w Tutorial
802.11w Tutorial
 

Similaire à Wpa too-hole196-defcon18-presentation

WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies
WPA2 Hole196 Vulnerability: Exploits and Remediation StrategiesWPA2 Hole196 Vulnerability: Exploits and Remediation Strategies
WPA2 Hole196 Vulnerability: Exploits and Remediation StrategiesAirTight Networks
 
WPA2 Hole196 Vulnerability FAQs
WPA2 Hole196 Vulnerability FAQsWPA2 Hole196 Vulnerability FAQs
WPA2 Hole196 Vulnerability FAQsAirTight Networks
 
Next Gen Monitoring with INT
Next Gen Monitoring with INTNext Gen Monitoring with INT
Next Gen Monitoring with INTMyNOG
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2sweta dargad
 
PATENT of panatrate firewall
PATENT of panatrate firewallPATENT of panatrate firewall
PATENT of panatrate firewallBo Xiong
 
Internet of Things (IoT) Security using stream cipher.ppt
Internet of Things (IoT)  Security using stream cipher.pptInternet of Things (IoT)  Security using stream cipher.ppt
Internet of Things (IoT) Security using stream cipher.pptAliSalman110
 
Network Security - Layer 2
Network Security - Layer 2Network Security - Layer 2
Network Security - Layer 2samis
 
Making networks secure with multi-layer encryption
Making networks secure with multi-layer encryptionMaking networks secure with multi-layer encryption
Making networks secure with multi-layer encryptionADVA
 
cisco-nti-Day20
cisco-nti-Day20cisco-nti-Day20
cisco-nti-Day20eyad alaa
 
Advancing IoT Communication Security with TLS and DTLS v1.3
Advancing IoT Communication Security with TLS and DTLS v1.3Advancing IoT Communication Security with TLS and DTLS v1.3
Advancing IoT Communication Security with TLS and DTLS v1.3Hannes Tschofenig
 
Exploiting WiFi Security
Exploiting WiFi Security Exploiting WiFi Security
Exploiting WiFi Security Hariraj Rathod
 

Similaire à Wpa too-hole196-defcon18-presentation (20)

WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies
WPA2 Hole196 Vulnerability: Exploits and Remediation StrategiesWPA2 Hole196 Vulnerability: Exploits and Remediation Strategies
WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies
 
Best!
Best!Best!
Best!
 
WPA2 Hole196 Vulnerability FAQs
WPA2 Hole196 Vulnerability FAQsWPA2 Hole196 Vulnerability FAQs
WPA2 Hole196 Vulnerability FAQs
 
Next Gen Monitoring with INT
Next Gen Monitoring with INTNext Gen Monitoring with INT
Next Gen Monitoring with INT
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2
 
E firewalls
E firewallsE firewalls
E firewalls
 
PATENT of panatrate firewall
PATENT of panatrate firewallPATENT of panatrate firewall
PATENT of panatrate firewall
 
Internet of Things (IoT) Security using stream cipher.ppt
Internet of Things (IoT)  Security using stream cipher.pptInternet of Things (IoT)  Security using stream cipher.ppt
Internet of Things (IoT) Security using stream cipher.ppt
 
Presentation
PresentationPresentation
Presentation
 
Lec 1 apln security(4pd)
Lec  1 apln security(4pd)Lec  1 apln security(4pd)
Lec 1 apln security(4pd)
 
Cyber security
Cyber securityCyber security
Cyber security
 
Network Security - Layer 2
Network Security - Layer 2Network Security - Layer 2
Network Security - Layer 2
 
Airheads vail 2011 pci 2.0 compliance
Airheads vail 2011   pci 2.0 complianceAirheads vail 2011   pci 2.0 compliance
Airheads vail 2011 pci 2.0 compliance
 
D do s
D do sD do s
D do s
 
Making networks secure with multi-layer encryption
Making networks secure with multi-layer encryptionMaking networks secure with multi-layer encryption
Making networks secure with multi-layer encryption
 
Network and DNS Vulnerabilities
Network and DNS VulnerabilitiesNetwork and DNS Vulnerabilities
Network and DNS Vulnerabilities
 
cisco-nti-Day20
cisco-nti-Day20cisco-nti-Day20
cisco-nti-Day20
 
Advancing IoT Communication Security with TLS and DTLS v1.3
Advancing IoT Communication Security with TLS and DTLS v1.3Advancing IoT Communication Security with TLS and DTLS v1.3
Advancing IoT Communication Security with TLS and DTLS v1.3
 
Wifi Security
Wifi SecurityWifi Security
Wifi Security
 
Exploiting WiFi Security
Exploiting WiFi Security Exploiting WiFi Security
Exploiting WiFi Security
 

Dernier

AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 

Dernier (20)

AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 

Wpa too-hole196-defcon18-presentation

  • 1. TOO! WPA 2 “Hole196” Md Sohail Ahmad AirTight Networks www.airtightnetworks.com © AirTight Networks. All rights reserved.
  • 2. A lot of speculations about “Hole196” ! © AirTight Networks. All rights reserved.
  • 3. Where did we find  this “Hole196” ? © AirTight Networks. All rights reserved.
  • 4. Buried inside the IEEE 802.11 standard for the last six years It’s right here! Hole 196!!! © AirTight Networks. All rights reserved.
  • 5. The Talk is NOT about: Unauthorized user gaining access to WPA2 secured network, or Cracking private key of a WPA2 user About: An insider attack, which can be carried out by a malicious user present inside the network © AirTight Networks. All rights reserved.
  • 6. Can you sniff private in-flight data of other WiFi users? Wired LAN Segment Traffic encrypted  Traffic encrypted  with the private  with the private  key of Client1 key of Client2 WiFi Client 1  WiFi Client 2 (Malicious Insider) © AirTight Networks. All rights reserved.
  • 7. Can you sniff private in-flight data of other WiFi users? Wired LAN Segment Honeypot style of attack will  not work! X Malicious Insider Honeypot AP WiFi Client 2 © AirTight Networks. All rights reserved.
  • 8. Can you sniff private in-flight data of other WiFi users? Wired LAN Segment t  Existing wired IDS/IPS can  es u eq y) catch ARP spoofing attack! P  R w a R e d A  Gat fe e oo  th Sp am (I   WiFi Client 1  WiFi Client 2 (Malicious Insider) © AirTight Networks. All rights reserved.
  • 9. No key cracking! No brute force! Wired LAN Segment Traffic encrypted  Traffic encrypted  with the private  with the private  key of Client1 key of Client2 WiFi Client 1  WiFi Client 2 (Malicious Insider) © AirTight Networks. All rights reserved.
  • 10. Encryption Keys Two types of keys for data encryption 1. 1. Pairwise Transient Key (PTK) 2. 2. Group Temporal Key (GTK) While PTK is used to protect unicast data  frames , GTK is used to protect group  2 addressed data frames e.g. broadcast ARP  WPA request frames. © AirTight Networks. All rights reserved.
  • 11. PTK is unique, derived per session Wired LAN Segment Traffic encrypted  Traffic encrypted  with PTK1 with PTK2 Private Key  Private Key  PTK1 PTK2 WiFi Client 1 WiFi Client 2 © AirTight Networks. All rights reserved.
  • 12. GTK is shared among all associated clients Your Group key  is GTK1 Newly  associated client Client 1 Client 2 Client 3 PTK = PTK1 PTK = PTK2 PTK = PTK3 Group key = GTK1 Group key = GTK! Group key = GTK1 Three connected clients © AirTight Networks. All rights reserved.
  • 13. WPA2 standard defines GTK as a one-way key Destination MAC = FF:FF:FF:FF:FF:FF ARP Req GTK should be used as an encryption key by an AP and as a decryption key by a wireless client © AirTight Networks. All rights reserved.
  • 14. A WiFi client always keeps a copy of GTK wpa_supplicant software is used on WiFi client devices. The log of wpa_supplicant software shows that GTK is always known to a WiFi client device © AirTight Networks. All rights reserved.
  • 15. A malicious client can inject encrypted group  addressed data frames to other clients Legitimate clients  can not detect data  forgery Broadcast frame  Encrypted with GTK Malicious insider can  inject forged group  addressed data traffic © AirTight Networks. All rights reserved.
  • 16. Exploit #1: Stealth ARP Poisoning Wired LAN Victim’s data encrypted  Victim’s data encrypted  with Attacker’s  PTK with Victim’s PTK 3 2 1 I am the Gateway 1 Attacker injects fake ARP Request packet  (Encrypted with GTK) to poison client’s cache for gateway. Attacker Victim 2 Victim sends all traffic encrypted with its PTK  to the AP, with Attacker as the destination  (gateway) 3 AP forwards Victim’s data to the Attacker  encrypting it in the Attacker’s PTK. So  Attacker can decrypt Victim’s private data. © AirTight Networks. All rights reserved.
  • 17. Man-in-the-middle (MITM) Attack Wired LAN Attacker forwards victim data to  actual Gateway to provide a  transparent service to the victim 4 Victim I am the Gateway (Encrypted with GTK) Attacker Victim Victim © AirTight Networks. All rights reserved.
  • 18. ARP Poisoning: Detectable vs Stealth Detectable (Old style) Stealth (Hole196) Wired LAN Wired LAN th e y m a I a te w Ga I am the Gateway Encrypted with GTK Malicious insider Victim Malicious insider Victim Spoofed ARP Request frames are sent on Spoofed ARP Request frames are not the wire and wireless medium by an AP. The sent to AP and never go on wire; hence attack can be detected by wired IDS/IPS. cannot be detected by wired IDS/IPS © AirTight Networks. All rights reserved.
  • 19. Exploit #2: IP Level Targeted Attack Any data payload can be encapsulated in the group addressed IEEE 802.11 data frames IP Layer Unicast Data Frame Dur- Address 1 = Address 2 = Address 3 = Seq. Encapsulated Flag FCS ation FF:FF:FF:FF:FF:FF AP’s BSSID Src MAC Address No Data Payload IEEE 802.11 Data Packet © AirTight Networks. All rights reserved.
  • 20. Example: Port Scanning SYN Frame Dur- Address 1 = Address 2 = Address 3 = Seq. Encapsulated Flag FCS ation FF:FF:FF:FF:FF:FF AP’s BSSID Src MAC Address No Data Payload IEEE 802.11 Data Packet What else is possible ? - Buffer overflow exploit - Malware Injection - ??? © AirTight Networks. All rights reserved.
  • 21. Replay Detection in WPA2 48 bit Packet Number (PN) is present in all encrypted DATA frames Replay Attack Detection in WPA2 Expecting 1. All clients learn the PN associated with a GTK  PN >700 at the time of association PN=701 2. AP sends a group addressed data frame to all  clients with a new PN 3. If new PN > locally cached PN, then packet is  Access Point Legitimate client decrypted and after successful decryption,  cached PN is updated with new PN © AirTight Networks. All rights reserved.
  • 22. Exploit #3: WDoS on Broadcast Downlink Traffic A malicious user can advance the locally cached PN (replay counter) in all peer clients by forging a group addressed data frames with a very large PN PN = 780 PN = 780 Legitimate  Malicious  client client GTK encryp ted broadca Client updates PN.  data frame st   PN = 9999 New PN = 9999 PN = 781 X Client checks PN. New  PN = 782 PN (781) < local PN  X (9999) PN = 783 Packets are dropped  X ……. until PN reaches 9999 © AirTight Networks. All rights reserved.
  • 23. POC: GTK Exploit Few lines of code + Off‐the‐shelf hardware © AirTight Networks. All rights reserved.
  • 24. Open Source Software: Madwifi & WPA Supplicant Software wpa_supplicant (0.7.0) Supplicant software is used to pass updated GTK and PN to be by madwifi driver Madwifi (0.9.4) Software is modified to create spoofed group addressed data frames with sender as AP address © AirTight Networks. All rights reserved.
  • 25. Modification in the madwifi driver Broadcast IEEE 802.11 Frame Address 1 Address 2 Address 3 Dur- AP’s MAC Seq. ToDS Flag ation (BSSID) Client’s MAC Address FF:FF:FF:FF:FF:FF No Receiver Transmitter Final Destination Dur- AP’s MAC Seq. FromDS Flag FF:FF:FF:FF:FF:FF Client’s MAC Address ation (BSSID) No Receiver Transmitter Original Sender © AirTight Networks. All rights reserved.
  • 26. Modification in the madwifi driver 1. Cyclic shift of addresses, convert ToDS flag into FromDS: 4 Lines Address 1 Address 2 Address 3 Dur- AP’s MAC Seq. ToDS Flag Client’s MAC Address FF:FF:FF:FF:FF:FF ation (BSSID) No 10 lines of  driver code  to exploit  Dur- AP’s MAC Seq. GTK  Flag FF:FF:FF:FF:FF:FF Client’s MAC Address FromDS ation (BSSID) No vulnerability! 2. Selection of right key for frame encryption: 6 Lines © AirTight Networks. All rights reserved.
  • 27. Demo: Stealth mode MITM attack The Arsenal of MITM Attack Cain & Abel Ettercap Delegated/DNSSpoof SSLSniff SSLSTRIP Malicious  Victim … Insider © AirTight Networks. All rights reserved.
  • 28. Who is vulnerable to “Hole196” ? All implementation of WPA and WPA2, regardless of Type of encryption used in the network (AES or TKIP) Type of authentication used in the network ( PSK or 802.1x/EAP) Type of WLAN architectures (Standalone, Locally controlled or Centrally Controlled) © AirTight Networks. All rights reserved.
  • 30. The Real Fix: Protocol Enhancement Deprecate use of GTK and group addressed data traffic 1. For backward compatibility AP should send randomly generated different GTKs to different clients so that all associated clients have different copy of group key 2. AP should deliver group addressed data traffic by converting them into unicast traffic Disadvantages: a. Impact on network throughput b. Requires AP software upgrade (Not going to happen overnight !) © AirTight Networks. All rights reserved.
  • 31. What should we do now?
  • 32. Can we rely on end point security software? Client software such as DecaffeintID or Snort detects change in the ARP cache. Detects ARP Cache Poisoning attack Limitations: 1. Client software is available only for limited  operating systems and hardware platforms 2. Not enterprise grade; Impractical to manually install  on large number of endpoints © AirTight Networks. All rights reserved.
  • 33. Can we rely on WLAN infrastructure ? Public Secure Packet Forwarding (PSPF)/peer-to-peer (P2P) or Client Isolation A’s packet is not  s  A forwarded to B s i X hi , T  B llo He Client A Client B Legitimate users might want to download songs/pics from say laptop to smartphone! What’s about Voice-over-WiFi deployment ? © AirTight Networks. All rights reserved.
  • 34. Can we rely on Wireless Monitoring Systems (WIPS/WIDS) ? Similar to WEP Cracking, Skyjacking  and WPA‐TKIP, Hole 196 exploit is  carried out entirely over the air WIPS can serve as an additional layer of defense in detecting and protecting from such attacks © AirTight Networks. All rights reserved.
  • 35. Concluding Remarks All WPA2 networks are exposed with the “Hole 196” vulnerability; Inter user privacy is broken in WPA2 The real fix requires enhancement in the WPA2 protocol. In long term, standard can fix the problem but in short term AP vendors should provide a patch (proprietary solution) In the mean time, enterprises should consider turning ON Client isolation (PSPF) features on their WLANs and use endpoint security (ARP poisoning detector like Snort or other higher layer security like IPSec) A multi-layered security approach should be adopted; A dedicated WIPS monitoring the airspace 24/7 can detect and mitigate zero-day vulnerabilities such as “Hole 196” © AirTight Networks. All rights reserved.
  • 36. Be Aware, Be Secure ! Thank You Md Sohail Ahmad md.ahmad@airtightnetworks.com www.airtightnetworks.com For up-to-date information on developments in wireless security, visit blog.airtightnetworks.com © AirTight Networks. All rights reserved.