Hacking Wireless Networks For Dummies


290 Part III: Advanced Wi-Fi Hacks

To use 802.1X, do the following:

Set the authentication method to Open.

Have your broadcast keys rotate every ten minutes or less.

Use 802.1X for key management and authentication.

Look over the available EAP protocols and decide which is right for your environment.

Set the session to time out every ten minutes or less.
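The five settings above, turned into a config audit. This is an added example, not the book's code: it assumes a hostapd-style hostapd.conf (hostapd is not mentioned in the text) and uses its option names auth_algs, wpa_group_rekey, ieee8021x, wpa_key_mgmt, auth_server_addr, eap_server and eap_reauth_period; the 600-second limits are the text's "ten minutes or less".

```python
from typing import Dict, List
# Added example, not the book's code; hostapd option names are an assumption.
TEN_MINUTES = 600  # seconds; the text's "ten minutes or less"

def parse_hostapd_conf(text: str) -> Dict[str, str]:
    """Parse hostapd-style key=value lines, ignoring blanks and '#' comments."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_8021x(conf: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means all five checks pass."""
    findings: List[str] = []
    # 1. Authentication method Open (auth_algs bit 0; bit 1 would allow Shared Key).
    if conf.get("auth_algs", "3") != "1":
        findings.append("auth_algs should be 1 (Open System only)")
    # 2. Broadcast (group) key rotation every ten minutes or less.
    rekey = int(conf.get("wpa_group_rekey", "0"))
    if rekey <= 0 or rekey > TEN_MINUTES:
        findings.append("wpa_group_rekey not set explicitly or longer than 600 s")
    # 3. 802.1X for key management and authentication.
    if conf.get("ieee8021x") != "1" or "WPA-EAP" not in conf.get("wpa_key_mgmt", ""):
        findings.append("ieee8021x=1 and wpa_key_mgmt=WPA-EAP required")
    # 4. An EAP backend must be chosen: a RADIUS server or hostapd's internal EAP server.
    if "auth_server_addr" not in conf and conf.get("eap_server") != "1":
        findings.append("no EAP backend: set auth_server_addr or eap_server=1")
    # 5. Session timeout (EAP re-authentication) every ten minutes or less; 0 disables it.
    reauth = int(conf.get("eap_reauth_period", "3600"))  # hostapd default is 3600
    if reauth == 0 or reauth > TEN_MINUTES:
        findings.append("eap_reauth_period disabled or longer than 600 s")
    return findings

# Constructed samples: the first violates every step, the second follows them.
WEAK_CONF = """auth_algs=3
wpa_key_mgmt=WPA-PSK
wpa_group_rekey=3600
"""
HARDENED_CONF = """auth_algs=1
wpa_key_mgmt=WPA-EAP
wpa_group_rekey=600
ieee8021x=1
eap_reauth_period=600
auth_server_addr=192.0.2.10
auth_server_shared_secret=REPLACE_ME
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_8021x(parse_hostapd_conf(text)) or "OK")
```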

You can find a list of open EAP issues at www.drizzle.com/~aboba/EAP/eapissues.html. Also, you can find a commercial EAP testing tool from QA Cafe (www.qacafe.com/suites-eapol.htm). You can use its EAPOL to test your 802.1X authentication. EAPOL is a serious lab-testing tool and is not really intended for “script kiddies.” It provides test coverage of the EAPOL protocol along with specific EAP-MD5, EAP-PEAP, EAP-TLS, and EAP-TTLS tests. Check out the site and you’ll find a demo version for Linux.

Let’s look at a major EAP problem: cracking LEAP.

Cracking LEAP

Implementations of 802.1X with LEAP established a strong foothold in the enterprise market. Because LEAP was one of the first solutions available, crackers wrote LEAP crackers. As such, LEAP represents a large security vulnerability for most enterprise wireless LANs. Even so, few enterprises seem to care.

The LEAP weakness was well known from the beginning, because LEAP is essentially an enhanced version of EAP-MD5 with Dynamic Key Rotation and Mutual Authentication. Part of the problem is that LEAP relies on MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) to protect the authentication of user credentials. MS-CHAPv2 is weak because it does not use a salt for the NT hashes, uses a weak 2-byte DES key, and sends usernames in cleartext. So LEAP inherits the following MS-CHAP flaws:

Cleartext username

Weak challenge/response DES key selection: an 8-bit challenge, hashed with MD4 (Can you say, “You’ve got to be kidding?”)

Absence of a salt for the stored NT hashes

Chapter 15: Authenticating Users 291

Because LEAP is susceptible to off-line dictionary and brute-force attacks, you should not use LEAP for secure networks. Cracking LEAP is made easier by maintaining a 4-terabyte database of likely passwords with pre-calculated hashes. What most users think is a strong password is usually really weak and breakable within minutes. An attacker can do this with relative impunity and zero chance of detection, since the attack is passive and performed off-line. Cisco feels that you can make LEAP secure by increasing the complexity of the password, thereby thwarting off-line dictionary and brute-force attacks. Although this is true, the possibility that someone actually will create a ten-character, uppercase-and-lowercase, alphanumeric password peppered with special characters is (to put it mildly) slight. Think about the passwords in your organization. Let’s face facts: Any password you expect people to remember is easily cracked using a dictionary or brute-force attack.

For an attacker who’s in a hurry (and most of them are), cracking LEAP is far more productive than cracking the infamously weak WEP protocol. You can usually crack LEAP in several minutes, compared to the hours it might take to crack WEP. So LEAP is a definite target.

There are several LEAP solutions available, including these gems:

asleap

THC-LEAPcracker

anwrap

These are discussed in detail in the following sections.

Using asleap

Should you want to test your implementation of LEAP to see whether your organization uses strong passwords, you can use asleap from Joshua Wright. This tool makes it easy to capture the required login traffic by allowing you to spot WLANs that are using LEAP — and then de-authenticate users on the WLAN, forcing them to reconnect and reenter their usernames and passwords. You’ll find that weak passwords fall rapidly when pitted against a tool such as asleap.

asleap allows you to scan the wireless-network broadcast spectrum for networks that use LEAP, capture wireless network traffic, and crack user passwords. asleap is a busy little program. Here’s a quick look at what it does:

Recovers weak LEAP passwords

Reads frames from any wireless interface running in RFMON mode


Monitors a single channel, or hops channels to look for target networks that are using LEAP

Actively de-authenticates users on LEAP networks, forcing them to reauthenticate, which makes the capture of LEAP passwords very fast

Only de-authenticates new users, doesn’t waste time on user accounts that aren’t running LEAP

Reads from stored libpcap files or AiroPeek NX files

Reads live from any Ethernet network interface

Uses a dynamic database table and index to do lookups on large files very rapidly

Cracks PPTP VPN authentication sessions that use MS-CHAP

Figure 15-1 shows the syntax for asleap.

Figure 15-1: The asleap syntax.

Should you want to find more information about asleap, check out the mailing list at http://lists.sourceforge.net/lists/listinfo/asleap-users.

The source and Win32 binary distribution are available at http://asleap.sourceforge.net. The latest version does PPTP as well as LEAP captures. asleap is released under the GNU Public License (GPL).

Using THC-LEAPcracker

The THC-LEAPcracker Tool suite contains tools to break the NTChallengeResponse encryption technique used by Cisco Wireless LEAP Authentication. Also included are tools for spoofing challenge packets from Access Points, so you can perform dictionary attacks against all users.


You can find THC-LEAPcracker at http://thc.org/releases.php?s=4&q=&o=.

Using anwrap

Written by Brian Barto and Ron Sweeney, anwrap is a wrapper for ancontrol that serves as a dictionary-attack tool against LEAP-enabled Cisco Wireless Networks. It traverses a user list and password list, attempting authentication and logging the results to a file. anwrap causes havoc on NT Networks that have lockout policies in place.

anwrap requires ancontrol and Perl. The ancontrol command controls the operation of Aironet wireless networking devices via the an driver. The anwrap author tested the tool on FreeBSD 4.7.

You can find anwrap at http://packetstormsecurity.nl/cisco/anwrap.pl.

As a result of cracker tools like asleap, THC-LEAPcracker and anwrap, Cisco has de-emphasized the use of LEAP, especially for those organizations that can’t or won’t enforce strong passwords. They now recommend the use of EAP-FAST.

Network Authentication Countermeasures

If you had your heart set on a life of carefree wireless-network use, maybe you’re ready to put your head in the oven and turn on the gas. Don’t do it. There are some things you can do to protect yourself. Help is on the way.

WPA improves the 802.11 picture

Because of the WEP problems, the IEEE approved Wi-Fi Protected Access (WPA) as an interim solution to address those problems. WPA is an example of a software or firmware patch and does not require the hardware upgrade that 802.11i does.

The objective of WPA was to bring a standards-based security solution to the marketplace to replace WEP until the availability of the full-blown IEEE 802.11i Robust Security Network (RSN), an amendment to the existing wireless LAN standard.


Two key features of WPA are its most significant improvements:

802.1X support: WPA uses 802.1X port access control to distribute per-session keys. Some vendors previously offered 802.1X support even though it was not specified in the standard. The 802.1X port-based access control provides a framework to allow the use of robust upper-layer authentication protocols.

Temporal Key Integrity Protocol (TKIP): WPA uses the Temporal Key Integrity Protocol (TKIP) to address WEP problems such as IV length and key management.

But WPA is not without its problems. Basically, one can crack Wi-Fi Protected Access Pre-Shared Keys that use short dictionary-word–based passphrases. You will find software to help with this as well. The WPA Cracker (www.tinypeap.com/page8.html) tool is somewhat primitive, requiring that you enter the appropriate data retrieved via a packet sniffer. The author recommends you use ethereal.

Joshua Wright, who wrote asleap, offers us CoWPAtty (http://new.remote-exploit.org/), which is another off-line WPA-PSK–auditing tool.

For WPA, certain shorter or dictionary-based keys are easy to crack because an attacker can monitor a short transaction or force that transaction to occur and then perform the crack remotely.

So what do you do? Well, you can:

Choose better passphrases, especially ones that aren’t made up of words in the dictionary. Select passphrases that are random and at least 20 characters in length.

Use WPA Enterprise or 802.1X with WPA.

Alternatively, you can use virtual private network technology, such as those technologies described below.
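The two passphrase rules above (random, at least 20 characters, not made up of dictionary words) as a checker and a generator. This is an added example, not the book's code; CONSTRUCTED_DICT is a small stand-in for a real dictionary, and the check goes slightly beyond the text by rejecting concatenations of dictionary words even when they are long enough.

```python
import re
import secrets
import string
from typing import Set

# Added example, not the book's code; CONSTRUCTED_DICT stands in for a real dictionary.
MIN_LENGTH = 20
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CONSTRUCTED_DICT: Set[str] = {"correct", "horse", "battery", "staple",
                              "wireless", "network", "password"}

def segments_into_words(text: str, words: Set[str]) -> bool:
    """True if text splits entirely into dictionary words (prefix DP)."""
    n = len(text)
    reachable = [True] + [False] * n
    for i in range(1, n + 1):
        reachable[i] = any(reachable[j] and text[j:i] in words for j in range(i))
    return n > 0 and reachable[n]

def passphrase_ok(passphrase: str, words: Set[str] = CONSTRUCTED_DICT) -> bool:
    """Apply the two rules: length >= 20 and not built from dictionary words."""
    if len(passphrase) < MIN_LENGTH:
        return False
    # Drop case, digits and punctuation first, so "Correct-Horse-Battery-Staple1"
    # is still recognised as a concatenation of dictionary words.
    letters = re.sub(r"[^a-z]", "", passphrase.lower())
    return not segments_into_words(letters, words)

def generate_passphrase(length: int = 24) -> str:
    """Random passphrase from the OS CSPRNG (secrets) that satisfies passphrase_ok()."""
    length = max(length, MIN_LENGTH)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if passphrase_ok(candidate):
            return candidate

if __name__ == "__main__":
    for p in ("wirelessnetwork", "Correct-Horse-Battery-Staple1", generate_passphrase()):
        print(f"{p!r}: {'ok' if passphrase_ok(p) else 'REJECT'}")
```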

Using WPA2

WPA is still based on the RC4 algorithm, a stream cipher. But a major component of the new RSN specification in 802.11i is the use of the Advanced Encryption Standard (AES) for both data confidentiality and integrity.

We strongly recommend you look for and implement technology that supports 802.11i. The 802.11i specification offers Advanced Encryption Standard (AES)-based data link level cryptographic services that are validated under FIPS 140-2. The ratified standard WPA2 uses the AES-CCMP (Counter Mode Cipher Block Chaining MAC Protocol) algorithm.


The AES-based solution will provide a highly robust solution for the future but will require new hardware and protocol changes. (For more about the advantages of 802.11i, WPA and AES, see Chapter 14.)

Using a VPN

Your organization may find that it is necessary to use a virtual private network (VPN) scheme. A VPN helps against the risk of eavesdropping by providing an encrypted tunnel between two networks that only authorized persons can access. A tunnel is created using an accepted technique between two endpoints. Any data traveling between those two points is secured using encryption. The tunnel is set up and torn down each time you use it. (For more about VPNs, see Chapter 14.)

The solution you decide upon needs to fulfill your business needs. There are many different implementations of virtual private networking. These range from commercial third-party applications to those that are embedded in operating systems. There are several potential VPN solutions as follows:

Point-to-Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IPSec

SSH2

You should know that people were kind enough to release other PPTP crackers (in addition to asleap), such as these:

Anger: A PPTP MS-CHAP challenge/response sniffer that can feed output to L0phtcrack. You can find Anger at www.securiteam.com/tools/6F00X000AU.html.

Deceit: Aleph One released deceit, which you can find at http://packetstormsecurity.nl/new-exploits/deceit.c.

Ettercap: Don’t forget to look at ettercap (http://ettercap.sourceforge.net/). Ettercap has plug-ins to sniff PPTP tunnels, decapsulate traffic, and retrieve user passwords. If that makes you think you should use something other than PPTP, you got it in one!

But just when you think another protocol is secure, you find out it isn’t. There are CheckPoint VPN-1, Cisco VPN Client, Nortel Contivity VPN Client, OpenBSD isakmpd, PGPFreeware, SafeNet, and WAVEsec versions of IPSec that are susceptible to monkey-in-the-middle and buffer overflow attacks. You can use ike-scan, IKEProbe, ipsectrace, and IKEcrack to test those IPSec VPNs. The first three are available from www.forinsect.de/pentest/pentest-tools.html. You can find IKEcrack at http://ikecrack.sourceforge.net/. You should also try kracker_jack to perform a monkey-in-the-middle attack. kracker_jack is part of AirJack (http://sourceforge.net/projects/airjack/).

WIDS

Wireless intrusion detection (as detailed in Chapter 11) requires its own system. AirSnare is another tool to add to your Wireless Intrusion Detection System toolbox. AirSnare will alert you to unfriendly MAC addresses on your network — and will also alert you to DHCP requests taking place. If AirSnare detects an unfriendly MAC address, you can track that MAC address’s access to IP addresses and ports — or launch ethereal.

Figure 15-2 shows AirSnare running. You can see that it identified some “unfriendly MAC addresses.”

You can find AirSnare at www.majorgeeks.com/download4091.html.
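The AirSnare idea in a few lines: an allowlist of friendly MAC addresses, an alert for any other MAC that sends a DHCP request, and a record of the IP addresses and ports that unfriendly MAC then touches. This is an added example, not the book's or AirSnare's code; the log lines are constructed for it and only loosely modelled on dhcpd and iptables syslog output (the kernel MAC= field is simplified to the source address).

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Added example, not AirSnare's code; MACs and log formats are constructed.
FRIENDLY_MACS: Set[str] = {"00:0c:29:4a:1b:9e", "00:40:96:a1:2b:3c"}

DHCP_RE = re.compile(r"DHCP(DISCOVER|REQUEST) from ([0-9a-f:]{17})")
CONN_RE = re.compile(r"MAC=([0-9a-f:]{17}) .*DST=([\d.]+) .*DPT=(\d+)")

def analyse(lines: List[str]) -> Tuple[List[str], Dict[str, Set[str]]]:
    """Return (alerts, touches): alerts for unfriendly DHCP activity, and a map
    from each unfriendly MAC to the 'ip:port' targets it was seen contacting."""
    alerts: List[str] = []
    touches: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = DHCP_RE.search(line)
        if m:
            mac = m.group(2).lower()
            if mac not in FRIENDLY_MACS:
                alerts.append(f"unfriendly MAC {mac} sent DHCP{m.group(1)}")
            continue
        m = CONN_RE.search(line)
        if m:
            mac, dst, port = m.group(1).lower(), m.group(2), m.group(3)
            if mac not in FRIENDLY_MACS:
                touches[mac].add(f"{dst}:{port}")  # track what it went after
    for mac, targets in touches.items():
        alerts.append(f"unfriendly MAC {mac} touched {sorted(targets)}")
    return alerts, dict(touches)

# Constructed sample log lines: two friendly stations and one unknown one.
SAMPLE_LOG = [
    "dhcpd: DHCPDISCOVER from 00:0c:29:4a:1b:9e via wlan0",
    "dhcpd: DHCPREQUEST from 00:0c:29:4a:1b:9e (laptop1) via wlan0",
    "dhcpd: DHCPDISCOVER from 00:05:5d:ee:71:02 via wlan0",
    "kernel: IN=wlan0 MAC=00:05:5d:ee:71:02 SRC=10.0.0.77 DST=10.0.0.1 PROTO=TCP DPT=445",
    "kernel: IN=wlan0 MAC=00:05:5d:ee:71:02 SRC=10.0.0.77 DST=10.0.0.1 PROTO=TCP DPT=139",
    "kernel: IN=wlan0 MAC=00:40:96:a1:2b:3c SRC=10.0.0.12 DST=10.0.0.1 PROTO=TCP DPT=80",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG)[0]:
        print("ALERT:", alert)
```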

Figure 15-2: AirSnare finding intruders.


Use the right EAP

As you saw, there are several versions of EAP. Which one do you use? You should select one that is non-proprietary. Also, make sure your solution provides protection from a variety of network attacks, including man-in-the-middle, authentication forging, weak-IV attacks (AirSnort), packet forgery (replay attacks), and dictionary attacks. Obviously, your solution should support a variety of user- and password-database types, support password expiration and change, and be flexible, easy to deploy, and easy to manage.

Setting up a WDMZ

You must treat any wireless segment as untrusted — and because it’s an untrusted segment, you must protect yourself. Generally we accomplish this through the use of a security method called a wireless demilitarized zone or WDMZ. The term DMZ has its roots in geopolitics: It is the “no man’s land” between North and South Korea. Take a stroll in the DMZ, and both sides will take a shot at you. With WDMZs, we won’t shoot you, but we won’t trust you.

You should add a wireless DMZ or screened wireless network between the internal network (that is, your intranet) and the external network (the Internet). This DMZ is where you put your access point, authentication server, Web server, and external DNS server. You use an authentication server to regulate traffic between the untrusted network (the Internet) and the trusted network (the intranet). With wireless, we compartmentalize our networks or segregate our access points — and have a trusted way into the internal network. Bottom line: You should segregate wireless stations onto one or more separate network segments and prevent any direct, unauthenticated communication with other devices on the wired portion of the network. By compartmentalizing, we can isolate risks and apply controls to mitigate or eliminate the risk.

In summary, you must not allow anyone to place an access point behind your firewall. Place the access point on a segment that the firewall filters.

Using the Auditor Collection

In this book, we showed you a lot of tools. In Chapter 8, we mentioned the Auditor Collection. You can find the Auditor Collection at http://new.remote-exploit.org/index.php/Auditor_main. The Auditor Collection is an ISO image of Knoppix that includes over 300 tools. It is a “must-have” for anyone doing ethical hacking in an organization — especially the wireless variety. It provides the most useful Linux, wireless, ethical-hacking tools. Fortunately it’s really easy to use.

Auditor installs itself and a complete Linux 2.4.9 kernel on a RAM disk — and executes in RAM. Auditor has complete PC Card support and is ideally run on a laptop computer. You can mount a hard drive or floppy drive and save logs and reports.

Using the Auditor CD-ROM is as easy as the following steps.

1. Open your laptop CD-ROM bay. Then power down Windows or Linux or whatever operating system you are using.

2. Insert the Auditor CD-ROM into the drive and close it.

3. Power up the computer and watch Auditor boot.

If this is the first time you have used Auditor, interrupt the boot process and enter the BIOS set-up program. Make sure that your system will boot from the CD-ROM before it tries the hard drive. Obviously the exact method for doing this depends on your hardware manufacturer and the BIOS you’re using, but follow the on-screen instructions to enter the setup program. When you’re done, you won’t need to do this again.

You see an Auditor splash screen with license and credit information.

4. Should Auditor pause temporarily at a boot: prompt, select the appropriate screen resolution; then hit Enter or Return.

Eventually you see the Auditor desktop, as shown in Figure 15-3: a picture of a centurion.

In the lower-left portion of the window, you see a K with a gear. This is the KDE manager icon.

5. Click the KDE manager icon.

A menu pops up.

6. From the menu, select Auditor → Wireless → LEAP/PPTP cracker → ASLeap (LEAP/PPTP cracker), as shown in Figure 15-4.

This is Auditor’s ASleap tool. The window shown in Figure 15-1 opens.

Take some time and explore all the programs available with the Auditor CD-ROM. Whenever you want to use Auditor, just put the disk in the drive and turn on the power. When you’re finished with Auditor, shut down, remove the Auditor CD-ROM, and reboot. Your system will boot whatever operating system it gets from your hard drive (assuming you have set it up that way).

Now you have a handful of wireless networking ethical-hacking tools. So you have no excuse. Dedicate a laptop to ethical hacking and get cracking.


Figure 15-3: Auditor desktop (callout: KDE Manager icon).

Figure 15-4: LEAP crackers.