Wireless Attacks and Penetration Testing (part 1 of 3)
by Jonathan Hassell
The very idea of a wireless network introduces multiple venues for attack and penetration that are either much more difficult or completely impossible to execute with a standard, wired network. Wireless networks only know the boundaries of their own signal: streets, parks, nearby buildings, and cars all offer a virtual "port" into your wireless network.
This is the first of a three part series on penetration testing for wireless networks. This installment will detail many common styles of attacks against wireless networks, introduce WEP key-cracking, and then discuss some recent developments in wireless security.
Part two of this series will explain the WEP key-cracking process in detail, review standard port scanning techniques, and then explain how to identify and exploit vulnerabilities. The third installment will discuss mitigating strategies to protect your wireless network.
Types of attacks
There are three main types of attacks against wireless networks: denial of service attacks, man in the middle attacks, and ARP poisoning attacks. WEP key-cracking, which is often also considered an attack, will be introduced in this article and then discussed in detail in the next installment.
Denial of Service (DoS) attacks
The objective of any denial of service attack is to prevent users from accessing network resources -- to deny them service. The usual methods of triggering DoS attacks are to flood a network with degenerate or faulty packets, crowding out legitimate traffic and causing systems not to respond.
Wireless systems are particularly susceptible to DoS attacks because of the way different layers of the OSI stack interact with one another. First, and perhaps most obviously, an attack on the "physical" layer of a wireless network is much easier to mount than one against the physical layer of a wired network: the physical layer is the air, the general vicinity around a particular access point. Attackers don't need to gain access to your internal corporate campus; they can simply drive by and begin their attack from a car or even a nearby shop or restaurant, depending on how your access points are laid out. It's also more difficult to discern whether or not a physical DoS attack has occurred with a wireless network, as typically there is no real evidence. An attacker can create a physical DoS attack by building a device that floods the 2.4 GHz spectrum with noise and illegitimate traffic, a task that is not technically complicated. Even some poorer quality cordless phones can cause interference at 2.4 GHz, the range in which 802.11b wireless networks operate.
At the data link layer of the OSI stack, there are again numerous ways in which DoS attacks are simpler to launch against wireless systems than against traditional wired networks. One of the most common is the manipulation of diversity antennas. Here's how that might work: say there is an access point, named AP, with diversity antennas A (for the left side) and B (for the right). If user 1 and user 2 are on opposite sides of the office, each user by default talks to a different antenna on the access point. Herein lies the problem: if user 1 clones the MAC address of user 2 and raises his signal strength until it at least equals, if not exceeds, user 2's signal at the access point, the access point will no longer send or receive data for user 2. User 2 has been denied service, and the attack was successful.
Spoofed access points are another problem at the data link layer on wireless networks, even with WEP authentication. Clients are typically configured to associate with the access point with the strongest signal. An attacker can simply spoof the SSID (the name) of an access point, and clients will automatically associate with it and pass frames back and forth. Here is where an attacker can capture traffic and, with time, determine the WEP key used to authenticate and encrypt traffic on the wireless network.
Finally, at the network layer, it's simple to flood a wireless network with large ping requests or other unauthentic traffic once an attacker has associated with a particular wireless access point.
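The spoofed access point problem above is detectable from the defender's side: a legitimate SSID should only ever be advertised by the BSSIDs (AP radio MAC addresses) you deployed, and because clients pick the strongest signal, an impostor that is louder than your real radios matters most. The following is an added example, not code from the article; the beacon observations and the authorized BSSID inventory are constructed for illustration.

```python
# Added example: rogue ("evil twin") access point detection from beacon
# observations. Not code from the original article. The beacon records and
# the authorized BSSID inventory below are constructed for illustration.

# Constructed observations: one record per beacon heard during a survey.
OBSERVED_BEACONS = [
    {"ssid": "corp-wlan", "bssid": "00:11:22:aa:bb:01", "channel": 1,  "rssi": -55},
    {"ssid": "corp-wlan", "bssid": "00:11:22:aa:bb:02", "channel": 6,  "rssi": -62},
    {"ssid": "corp-wlan", "bssid": "DE:AD:BE:EF:00:01", "channel": 6,  "rssi": -40},  # impostor
    {"ssid": "guest",     "bssid": "00:11:22:aa:bb:03", "channel": 11, "rssi": -70},
    {"ssid": "neighbor",  "bssid": "c0:ff:ee:00:00:01", "channel": 11, "rssi": -80},
]

# Constructed inventory: SSID -> set of BSSIDs (AP radio MACs) we actually deployed.
AUTHORIZED_BSSIDS = {
    "corp-wlan": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "guest":     {"00:11:22:aa:bb:03"},
}


def find_rogue_aps(beacons, authorized):
    """Return beacons that advertise one of our SSIDs from a BSSID we did not deploy.

    Each hit also records whether the impostor is louder than every legitimate
    radio for that SSID, i.e. whether a client choosing the strongest signal
    would pick it over the real access point.
    """
    strongest_legit = {}
    for b in beacons:
        if b["bssid"].lower() in authorized.get(b["ssid"], set()):
            prev = strongest_legit.get(b["ssid"], float("-inf"))
            strongest_legit[b["ssid"]] = max(prev, b["rssi"])

    rogues = []
    for b in beacons:
        ssid = b["ssid"]
        if ssid not in authorized:
            continue  # a neighbor's own network is noise, not an impersonation of ours
        if b["bssid"].lower() in authorized[ssid]:
            continue
        rogues.append({
            "ssid": ssid,
            "bssid": b["bssid"].lower(),
            "channel": b["channel"],
            "rssi": b["rssi"],
            "wins_association": b["rssi"] > strongest_legit.get(ssid, float("-inf")),
        })
    return rogues


if __name__ == "__main__":
    for rogue in find_rogue_aps(OBSERVED_BEACONS, AUTHORIZED_BSSIDS):
        print(rogue)
```

Feed it the output of whatever survey tool you use (a scan every few minutes from a monitoring station is enough) and page on any hit with wins_association set, since that is the impostor clients will actually join. A neighbor's network with its own SSID is deliberately ignored; only an SSID you own, advertised by a radio you don't, counts as a spoofed access point.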
Man-in-the-middle attacks
Similar to DoS attacks, man-in-the-middle attacks on a wireless network are significantly easier to mount than against wired networks, typically because such attacks on a wired network require some sort of physical access to the network. Man-in-the-middle attacks take two common forms: eavesdropping and manipulation.
In eavesdropping, an attacker simply listens to a set of transmissions to and from different hosts even though the attacker's computer isn't party to the transaction. Many relate this type of attack to a leak, in which sensitive information could be disclosed to a third party without the legitimate users' knowledge. Manipulation attacks build on the capability of eavesdropping by taking this unauthorized receipt of a data stream and changing its contents to suit a certain purpose of the attacker-perhaps spoofing an IP address, changing a MAC address to emulate another host, or some other type of modification.
To prevent an eavesdropping attack, one must encrypt the contents of a data transmission at several levels, preferably using SSH, SSL, or IPsec. Otherwise, large amounts of traffic containing private information are passed through thin air, just waiting for an attacker to listen in and collect the frames for further illegitimate analysis.
ARP poisoning attacks
To understand an ARP poisoning attack, a bit of background on ARP itself is needed. The Address Resolution Protocol allows Ethernet hosts using TCP/IP as their communications protocol to discern which other hosts on a network have which IP addresses. Much like NetBIOS, it is a chatty protocol that broadcasts traffic to all hosts even when a particular packet is meant for only one of them: ARP broadcasts a request asking which host is using a certain IP address. The host in question receives that message and answers it, and the originating computer stores the responding computer's MAC address in its cache, so that further transmissions to that host won't require another round of discovery.
The problem comes about with modern operating systems that don't fully adhere to the spirit of ARP broadcasting and detection. If a computer running a modern version of Windows or even Linux sees a packet sent from a particular machine on the network, it will assume that the MAC address of that computer correctly corresponds with the IP address from which the sending computer is purportedly transmitting. All future transmissions to that computer then use this efficiently but problematically learned MAC/IP mapping, which is stored in the computer's ARP cache for future reference.
But what if an attacker creates illegitimate packets that claim a spoofed IP address belongs to his own computer's MAC address? Then all transmissions from hosts that use the "shortcut" method of learning MAC/IP combinations will be directed to the attacker's computer rather than to the intended host, which allows the attacker's computer to eavesdrop on communications and possibly manipulate responses to deepen his attack. This is certainly a serious problem. An attacker can pull packets and frames out of thin air simply by "poisoning" these local caches of MAC/IP combinations on any two hosts connected to the physical network on which an access point runs.
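The poisoning described above leaves a visible trace: an IP address that was answered for by one MAC address is suddenly answered for by another, and the new MAC tends to answer for several addresses (the gateway and its victims). The arpwatch-style monitor below, an added example and not code from the article, replays ARP replies and raises an alert on both patterns. The log lines are constructed in the style of tcpdump's ARP output and are not a real capture; the addresses in them are made up.

```python
# Added example (not from the article): an arpwatch-style monitor that replays
# ARP replies and alerts when an IP address's MAC changes or one MAC starts
# answering for several IPs. The log lines below are constructed in the style
# of tcpdump's ARP output; they are not a real capture.
import re
from collections import defaultdict

SAMPLE_ARP_LOG = """\
ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
ARP, Reply 10.0.0.25 is-at 00:11:22:33:44:25, length 28
ARP, Request who-has 10.0.0.7 tell 10.0.0.25, length 28
ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28
ARP, Reply 10.0.0.25 is-at de:ad:be:ef:00:01, length 28
"""

REPLY_RE = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(text):
    """Yield (ip, mac) for every ARP reply line; requests carry no binding, so skip them."""
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def detect_arp_poisoning(text, known_bindings=None):
    """Replay replies against a table of learned IP -> MAC bindings.

    known_bindings: optional dict of bindings to trust up front (e.g. the
    gateway), so the very first forged reply for a pinned address is an alert.
    Returns (alerts, final_table).
    """
    table = dict(known_bindings or {})
    ips_per_mac = defaultdict(set)
    for ip, mac in table.items():
        ips_per_mac[mac].add(ip)

    alerts = []
    for ip, mac in parse_arp_replies(text):
        previous = table.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"binding change: {ip} was {previous}, now claimed by {mac}")
            ips_per_mac[previous].discard(ip)
        if ips_per_mac[mac] and ip not in ips_per_mac[mac]:
            alerts.append(f"{mac} now answers for {ip} as well as {sorted(ips_per_mac[mac])}")
        table[ip] = mac
        ips_per_mac[mac].add(ip)
    return alerts, table


if __name__ == "__main__":
    found, bindings = detect_arp_poisoning(SAMPLE_ARP_LOG)
    for a in found:
        print(a)
```

Run it on a wired-side mirror of the access point's traffic or on a monitoring host in the same broadcast domain; the table of known bindings is where you pin the gateway's real MAC address. A single change alert can be a legitimate DHCP reassignment or a replaced network card, so baseline the expected churn on your segment, but one MAC appearing behind the gateway address and a client address within seconds of each other is the signature the paragraph above describes.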
Other considerations
The attacks described above are by no means the only ways for crackers to get access to wireless networks. In this section, I'll describe some of the other considerations for administrators of WLANs.
Back when dial-in use was common and corporate networks had their own pools of modems, attackers would use a technique called "war-dialing," in which scripts would generate large blocks of random phone numbers and dial them, attempting to find a phone that would answer with a modem connection string. This sort of mass dialing transferred itself onto the Internet once the latter became the prevalent way of accessing information and computers, and it became even more common and effective, since attackers no longer needed a phone line to knock on the doors of groups of computers, found by randomly generating IP addresses.
Shift your attention now to the current day, where wireless networks have suddenly become the target of "war drivers." Using special software, a global positioning system (GPS) unit, and a notebook computer with wireless capabilities, an attacker can drive through any city or populated area, sampling the airwaves for wireless access points. The special war driving software keeps information about latitude, longitude, and configuration of the access points found along the driver's route. In fact, one can travel on an interstate system in the United States, or other similarly-traveled highway elsewhere, and find plenty of access points that are open with no security enabled. This is certainly something to keep in mind when deploying your WAPs.
Wired Equivalent Privacy (WEP)
One of the best known and most publicized insecurities in wireless networks is the Wired Equivalent Privacy, or WEP, authentication scheme. Use of WEP means your network is one step away from having a completely open wireless network, but that one step is pretty measly.
Using WEP means each frame is encrypted with the RC4 stream cipher and decrypted upon arrival at the access point, so WEP protects only the data sent over the air between wireless stations and access points; wired networks don't and can't use WEP. To encrypt the data, WEP builds a seed by combining the shared secret key (the "WEP key") with a 24-bit value called the initialization vector, or IV. Using the IV with the WEP key increases the useful life of the WEP key, because the IV can be changed on every transmission, whereas changing the WEP key itself is logistically much more difficult. WEP feeds the seed to RC4's pseudo-random number generator, which produces the keystream. On the receiving end, the access point regenerates the same keystream, decrypts the frame, and checks the integrity value carried in the frame against the recovered data to make sure its integrity was preserved. WEP specifies a shared secret 40- or 64-bit key to encrypt and decrypt the data, and most vendors nowadays offer 128-bit WEP keys as well.
Using WEP is problematic, however, and lulls you into a false sense of security because of the short IVs used and the fact that WEP keys are static. Since WEP uses only 24 bits for its IV, eventually the same IV will be reused for different data packets; on a large network with lots of traffic, this duplication can conceivably occur within an hour. Frames encrypted under a repeated IV share the same keystream, and all an attacker has to do is collect data frames for an extended period (using an eavesdropping attack as described previously in this feature) and then run a Linux utility created specifically to break WEP encryption, called WEPCrack. WEPCrack will be discussed further in the next installment of this article.
The vulnerability is exacerbated by the static shared secret keys: since keys can't be exchanged among access points in the network, the same keys are used for extended periods of time. The attacker doesn't need long to figure out the key, and once he has it, you might as well not use WEP at all.
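To make the two preceding paragraphs concrete (the IV-plus-key seed, the RC4 keystream, the integrity value, and why a 24-bit IV repeats), here is an added teaching model of WEP's per-frame encryption. It is not code from the article, the key and IV values are constructed, and it models only the cryptographic steps, not the 802.11 frame layout. RC4 and a CRC-32 integrity check value (ICV) are the real WEP primitives; the functions for IV collision arithmetic generalize the article's "within an hour" remark to any frame rate.

```python
# Added example (not from the article): a minimal model of WEP's per-frame
# encryption, written to show why a 24-bit IV is too short. RC4 and the
# CRC-32 ICV are the real WEP primitives; the key and IV values below are
# constructed for illustration, and this is a teaching model, not an
# implementation of the 802.11 frame format.
import math
import struct
import zlib


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by keystream generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the seed
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP style: seed = IV || key, ICV = CRC-32(payload), frame = IV || RC4(payload || ICV)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    plaintext = payload + icv
    keystream = rc4_keystream(iv + key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)   # the IV travels in the clear


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Receiver side: rebuild the keystream from the cleartext IV, strip and check the ICV."""
    iv, body = frame[:3], frame[3:]
    plaintext = xor_bytes(body, rc4_keystream(iv + key, len(body)))
    payload, icv = plaintext[:-4], plaintext[-4:]
    if struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch: frame corrupted or wrong key")
    return payload


def icv_detects_tamper(key: bytes, frame: bytes, byte_index: int) -> bool:
    """Flip one ciphertext bit and report whether the ICV check rejects the frame."""
    tampered = bytearray(frame)
    tampered[byte_index] ^= 0x01
    try:
        wep_decrypt(key, bytes(tampered))
    except ValueError:
        return True
    return False


def iv_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under the same key and IV share one keystream, so XORing their
    ciphertext bodies cancels it and leaves p1 XOR p2 without any key recovery."""
    c1 = wep_encrypt(key, iv, p1)[3:]
    c2 = wep_encrypt(key, iv, p2)[3:]
    return xor_bytes(c1, c2)


def expected_frames_until_iv_collision(iv_bits: int = 24) -> float:
    """Birthday bound: randomly chosen n-bit IVs repeat after about sqrt(pi/2 * 2**n) frames."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def seconds_to_exhaust_iv_space(frames_per_second: float, iv_bits: int = 24) -> float:
    """Even a sender that never repeats an IV must wrap around after 2**n frames."""
    return 2 ** iv_bits / frames_per_second


if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\x00\x00\x01"   # constructed 40-bit key and IV
    p1, p2 = b"GET / HTTP/1.0", b"POST /a HTTP/1"
    print(iv_reuse_leak(key, iv, p1, p2)[:len(p1)] == xor_bytes(p1, p2))
    print("random IVs collide after ~%.0f frames" % expected_frames_until_iv_collision())
    print("sequential IVs wrap in %.0f s at 5000 frames/s" % seconds_to_exhaust_iv_space(5000))
```

The keystream cancellation in iv_reuse_leak is the "similar keystreams" problem in concrete form: nothing about the key needs to be known for two frames under one IV to leak their XOR. The numbers show why a static key makes the repeat inevitable: random IVs are expected to collide after roughly five thousand frames, and even a perfectly sequential sender wraps the whole 24-bit space in under an hour at a few thousand frames per second. The ICV is a plain CRC-32, which catches the accidental corruption this model tests for but is not a cryptographic integrity check.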
Recent developments in wireless security
As of May 17, 2004, two security organizations issued alerts regarding flaws in 802.11b wireless equipment that they claim are "indefensible." AusCERT and US-CERT, two emergency response team organizations, were notified in November of a flaw in the direct-sequence spread spectrum (DSSS) modulation scheme that 802.11b equipment uses, and in close cooperation with several manufacturers were unable to find a resolution to the problem. The only real solution to the problem is to switch to 802.11a devices, which use a different method of modulation.
A denial of service attack can be launched by a malicious user by working against the Clear Channel Assessment (CCA) procedure in the DSSS protocol, exploiting it at the physical layer. By doing so, all devices within range of the affected access point stop transmitting data for the duration of the attack. Since the CCA procedure is used to discern whether a channel within the wireless spectrum is busy, attacks against the CCA result in a sort of constant "busy" signal that prevents any use of the wireless network while the attack is proceeding.
An administrator can guard against the attack using any number of radio frequency spectrum management tools, which sample the airwaves and determine the channel which is being jammed. Administrators could then dynamically reassign the channel used by their access equipment and restore service to the wireless network. However, the best recommended workaround is to begin employing tri-mode wireless equipment that operates with the 802.11a, 802.11b, and 802.11g protocols. Keep your eyes open for more on this development, as it is significant to wireless network security.
Part two of this article will explain the WEP key-cracking process in detail, review standard port scanning techniques, and then explain how to identify and exploit vulnerabilities. Stay tuned.
About the author
Jonathan Hassell is an author and consultant specializing in Windows administration and security. He is the author of Managing Windows Server 2003 and RADIUS, both published by O'Reilly & Associates, and Hardening Windows, published by Apress. He also holds periodic public seminars; see www.hardeningwin.com for details. He has written for Windows & .NET Magazine and WindowsITSecurity.COM and is a contributor to PC Pro, a leading computer magazine in the United Kingdom.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.