DTS Solution presents wireless security protocols and attack vectors to break into the wireless security protocols.

1. Wireless Security Protocols
www.dts-solution.com
Shah H Sheikh – Sr. Security Solutions Consultant
MEng CISSP CISA CISM CRISC CCSK
shah@dts-solution.com
Mohamed Bedewi - Penetration Testing Consultant
Network+ | CCNA | MCSE | Linux+ RHCE | Security+ | CEH | PWB
mohamed@dts-solution.com

2. DTS Solution

3. Introduction
Wireless is the next communication evolution with no doubt but it still considered a new technology which we know only a little about, that's probably why design and implementations flaws are everywhere, till now researchers couldn't find any workarounds for it’s security design flaws, it’s too new and needs more time to evolve even more that’s why starting from now you should put an extra eye on your wireless access points.
Wireless is developed on IEEE 802.11 standards and it's widely used in wireless communications as it provides wireless access to applications and data across a radio network, it sets up numerous ways to build up a connection between the transmitter and the receiver such as DSSS, FHSS, Infrared (IR) and OFDM

4. Service Set Identifier (SSID)
1.SSID is a token to identify a 802.11 (WI-FI) network by default it's the part of the packet header sent over a wireless local area network (WLAN).
2.SSID acts as a single shared identifier between access points and clients.
3.SSID access points broadcasts the radio signals continuously received by the client machines if enabled.
4.A key management problem is created for the network administrator as SSID is a secret key instead of a public key.
5.SSID remains secret only on the closed networks with no activity, that's inconvenient to the legitimate users.
6.Security concerns arise when the default values are not changed as these units can be compromised.
7.A non-secure access mode allows clients to connect to the access point using the configured SSID, a blank SSID or SSID configured as "any“.
8.If the SSID of the network is changed, reconfiguration of the SSID on every network is required, as every user of the network configures the SSID into their system

5. WEP Encryption
1.Wired Equivalent Privacy (WEP) is an IEEE 802.11 wireless protocol which provides security algorithms for data confidentiality during wireless transmissions.
2.WEP uses 24-bit initialization vector (IV) to form stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity of wireless transmission.
•64 bit WEP uses 40 bit key size
•128 bit WEP uses 104 bit key size
•256 bit WEP uses 232 bit key size
3.WEP was developed without academic, public nor cryptologists review and it has significant vulnerabilities and design flaws.

6. How WEP Encryption Works?

7. WPA Encryption
1.WI-FI Protected Access (WPA) is a data encryption method for WLANs based on 802.11, it improves authentication and encryption features of WEP.
2.TKIP (Temporal Key Integrity Protocol)
•TKIP utilizes the RC4 stream cipher encryption with 128 bit keys and 64 bit keys for authentication.
•TKIP mitigates the WEP key derivation vulnerability by not reusing the same Initialization Vector.
3.128 bit Temporal Key
•Under TKIP, the client starts with a 128 bit "temporal key" which is combined with the client's MAC address and with an IV to create the RC4 encrypted key.
•it implements a sequence counter to protect against replay attacks.
4.WPA Enhances WEP
•TKIP enhances WEP by adding a rekeying mechanism to provide fresh encryption and integrity keys.
•Temporal keys are changed every 10000 packets which makes TKIP protected networks more resistant to cryptanalytic attacks.

8. How WPA Encryption Works?

9. WPA2 Encryption
1.WPA2 provides enterprise and WI-FI users with stronger data protection and network access control, it provides government grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm.
2.WPA2 Personal
•Uses a set-up password (Pre-shared Key, PSK) to protect unauthorized network access.
•In PSK mode each wireless network device encrypts the network traffic using a 256 bit key which can be entered as a passphrase of 8 to 63 ASCII characters.
3.WPA2 Enterprise
•Includes EAP or RADIUS for centralized client authentication using multiple authentication methods such as token cards, Kerberos, certificates.
•Users are assigned login credentials by a centralized server which they must present when connecting to a network.

10. How WPA2 Encryption Works?

11. WEP Security Issues
1.The IV field is 24 bit which is too small and it's also sent in the clear text portion of a message.
2.Identical key streams are produced with the reuse of the same and since IV is short, key streams are repeated within short time.
3.Lack of centralized key management makes it difficult to change the WEP keys with any regularity.
4.When there's IV collision, it becomes possible to reconstruct the RC4 key- stream based on the IV and the decrypted payload of the packet.
5.IV is a part of the RC4 encryption key which leads to analytical attack that recovers the key after intercepting and analyzing a relatively small amount of traffic.
6.Use of RC4 was designed to be a one-time cipher and not intended for multiple message use and WEP is based on a password which is prone to password cracking attacks.
7.no defined method for encryption key distribution also associate and disassociate messages are not authenticated.

12. WEP Security Issues
1.Wireless adapters from the same vendor may all generate the same IV sequence which enable attackers to determine the key stream and decrypt the cipher-text.
2.WEP doesn't provide cryptographic integrity protection, by capturing two packets, an attacker can flip a bit in the encryption stream and modify the checksum so that the packet is accepted.
3.An attacker can construct a decryption table of the reconstructed key stream and can use it to decrypt the WEP packets in real-time.

13. Breaking WEP Encryption
1.Start the wireless interface in monitor mode on the specific access point channel.
2.Test the injection capability of the wireless device to the access point.
3.Use a tool such as aireplay-ng to do a fake authentication with the access point.
4.Start WI-FI sniffing tool such as airodump-ng or Cain & Abel with a bssid filter to collect unique IVs.
5.Start a WI-FI packet encryption tool such as aireplay-ng in ARP request replay mode to inject packets.
6.Run a cracking tool such as aircrack-ng or Cain & Abel to extract encryption key from the IVs. BOOOOOOOOOOOOOOOOOOOM, Cracked!

14. Breaking WEP Encryption

15. Breaking WEP Encryption

16. Breaking WPA/WPA2 Encryption
1.WPA PSK uses a user defined password to initialize the TKIP which is not crackable as it (per packet key) but the keys can be brute-forced using dictionary attacks using tools like aircrack-ng, aireplay-ng, KisMac.
2.You have to be near the AP for a matter of seconds in order to capture the WPA/WPA2 authentication four-way handshake and if you captured the right type of packets, you can crack WPA/WPA2 keys offline.
3.You can force the connected client to disconnect by sending him de- authentication packets then capture the re-connect and authentication packet using tools such as aireplay-ng then attempt to dictionary brute force the PMK. BOOOOOOOOOOOOOOOOOOOM, Cracked!

17. Breaking WPA/WPA2 Encryption

18. Breaking WPA/WPA2 Encryption

19. Important Facts to Consider
1.WEP Encryption is very easy to crack and it only takes a few minutes to bypass, in my personal opinion if I will have to use this one I will use it as a Honeybot!
2.MAC Address Filtering is a good idea but it will only tackle the attacker for a few minutes before he spoofs your MAC address, inject you out of the network and simply be you.
3.Disabling SSID Broadcasting seems smart but it’s actually not because it can give you a big headache when configuring your network and causes an increase in network traffic.
4.MITM Attacks are easily achievable in the above scenario and before you know you’ll find the attacker emulated the access point and sniffed every host on your network.

20. Thanks and Have a Good Day

21. Shah H Sheikh – Sr. Security Solutions Consultant
MEng CISSP CISA CISM CRISC CCSK
shah@dts-solution.com