A. DEFENDERS: AC-18 WIRELESS ACCESS RESTRICTIONS
[the italicized section below is a security control from NIST SP 800-53]
Control: The organization: (i) establishes usage restrictions and implementation guidance for wireless technologies; and (ii) documents, monitors, and controls wireless access to the information system. Appropriate organizational officials authorize the use of wireless technologies.
Guidance: NIST Special Publication 800-48 provides guidance on wireless network security with particular emphasis on the IEEE 802.11b and Bluetooth standards.
Control Enhancement 1: The organization uses authentication and encryption to protect wireless access to the information system.
[the following section is the PHA response to the control described above]
Implementation: See the Systems Level Controls Appendix for information regarding this control.
Systems Level Controls Appendix:
Section 27 – AC-18 Wireless Restrictions – see memorandum regarding “Wireless Activity in the PHA 123-456”.
Memorandum: “Wireless Activity in the PHA 123-456”
This memorandum was not available.
The poorly written and vaguely defined defenders’ policy examples in this paper are based on real life experiences. Despite the fact that the defenders’ primary policy document regarding wireless restrictions seemed to be missing from the primary documentation, there was in fact another document that referenced NIST SP 800-48 and spelled out a complete framework for wireless security. Since this secondary document actually offered a semi-viable wireless defensive posture, it is offered below as the defenders’ wireless policy.
- Encryption – WEP encryption must be turned on and must use 128 bit keys.
- SSIDs – SSIDs must be changed from defaults, must not reflect any information about the organization or location of the Access Point, and SSID cloaking must be turned on.
- MAC filtering – MAC address filtering must be used to restrict wireless access to only approved hardware addresses.
- Default settings – check all default settings, including administration password and access path, and change them or disable functions as needed. Turn off all access point services that are not being used (ftp, http, etc…).
- AP locations – place access points in interior positions and away from exterior walls and windows. Place them in secured locations to prevent unauthorized physical access.
B. ATTACKERS: KISMET
Kismet passively collects 802.11 wireless packets, usually by scanning across a range of channels, and presents information on the wireless networks it has seen. The packets are stored in tcpdump/wireshark format for later analysis and more detailed information is stored in several text files. Kismet tries to identify whether the traffic is encrypted or not and if so, by what means. It tries to identify the manufacturer of access points and clients that it sees. It collects client information that can be associated with an access point. It will tag “cloaked” access points and wait until it can correlate them with traffic from a client that reveals the SSID, effectively uncloaking them. It collects any IP addresses that are seen. It extracts Cisco equipment information from any CDP packets and stores it in a file. It can also collect GPS co-ordinates and save them for later mapping. Instead of scanning for traffic on all available channels, Kismet can be focused to collect traffic from only a specific channel or even a specific access point.
C. ATTACKERS: Aircrack
Aircrack is a suite of tools built around the primary tool called aircrack-ng which is designed to crack WEP encryption. It includes airodump-ng, which captures packets and does some analysis, and aireplay-ng, which performs packet replay injection to speed up cracking.
Airodump-ng can be used in conjunction with Kismet. Some of the functionality is redundant with Kismet, but one area where it is unique is in collection of the keys known as an “Initialization Vectors” (IVs) for cracking. The kismet packet dump file collects all packets and can grow quite large in a short amount of time. Airodump-ng can be set to collect only packets with IVs (ignoring all the beacon frames and other administrative packets), thus greatly reducing the size of the capture file. The airodump-ng IV capture file format is not compatible with wireshark or most other packet reading tools, but it works fine with aircrack-ng. Airodump-ng also produces a nice list of access points and clients that it has seen along with their associated information. This data can easily be imported into a spreadsheet or database for further analysis.
Aircrack-ng is designed to use a hybrid blend of statistical analysis and FMS-style attacks against WEP encryption. It can also perform a dictionary attack against WPA encryption. It has the ability to read an IV collection file from airodump-ng at the same time as it is being collected. This is a very convenient feature. When a capture file is opened by Airodump-ng, a list of networks included in the packets is shown and the user is offered a choice of which network they wish to process for cracking.
Aireplay-ng is a tool that can replay a packet and inject it back into a wireless data stream, usually for the purpose of producing more IVs in response and greatly accelerating the cracking process, which depends on how many IVs have been collected.
For high volume wireless networks that produce a lot of IV containing packets in a short time, airodump-ng can be used to collect about 150,000 packets (passively) and then aircrack-ng can be used to crack them and produce the key needed to decode the traffic completely.
In a situation requiring haste and no stealth, it is possible to use aireplay-ng to speed up the collection process and accomplish cracking a 128 bit WEP key in well under ten minutes. However, the injection process used by aireplay-ng is noisy, intrusive, probably illegal, and should be picked up by any wireless intrusion detection process, if one is being used. In most wireless installations today, a wireless IDS system is not being used.
D. Scenario (Wireless Network)
The attackers used Kismet to survey the wireless landscape and then performed analysis on the data they collected. From the initial reconnaissance phase, they already knew that the facilities were using both 802.11b and 802.11g band with WEP encryption. A preliminary boundary survey around the geographic perimeter of each target facility helped by defining what wireless activity was originating inside the perimeter and what was found outside the border. In most cases, this was done by war-driving (in a moving vehicle) and by either cruising slowly around the edge of the facility perimeter or parking to collect packets then moving and repeating the process. They did a lot of crisscrossing and retracing of the same routes in order to fill in the data set completely. They spread their efforts out over many days in order to work slowly and not attract attention, but also in order to make sure they saw all the wireless activity that was available and were not limited to a single snapshot in time.
Running the GPS data file through a mapping application called gpsmap produced a map of the facility perimeter that showed the locations of the access points found. The locations are approximated by the data co-ordinates collected, so if the collection point (car) was moving in a straight line, the location might not be very accurate. But with the collectors deliberately creating a grid-like driving pattern, the locations can be trusted as fairly accurate. The map made it easy to identify wireless sources that are outside the target perimeter and screen them out from future collections. When the location of an access point seemed ambiguous, a YAGI (directional) antenna was used to pinpoint the source.
[example of a gpsmap produced from Kismet data]
Further analysis was done by importing the .csv file into Excel, and sorting and color coding entries by MAC address, SSID, encryption type and more. In large installations, access points are often purchased in large quantities and this can be observed by noting MAC addresses that are nearly sequential. MAC addresses consist of a six character prefix that represents the manufacturer and a six character suffix that is essentially the same thing as a serial number. When the suffixes of a group of MAC addresses are sequential or nearly sequential, the observer can make a good guess that they were purchased in a batch lot and are all deployed by the same organization.
Once the boundary of the wireless zone was been defined, more concentrated collection of the interior began. At some points, Kismet was locked onto a single channel and at other times it was set to filter out traffic related to a single BSSID (MAC address of an access point).
As the collected data was analyzed, the fact that WEP encryption was being used was confirmed by looking at the privacy bit in the frame control field found in management frames. The privacy bit by itself only indicates encryption of some form, but the following WEP parameters confirm that the privacy technique being used is in fact WEP.
[high-lighted row shows privacy bit – WEP parameters appear near the bottom of the packet]
The length of the key cannot be determined by observation alone and must be deduced by cracking efforts. In order to eliminate the easiest methods first, the attackers ran a utility called “wep_crack” which can crack the “Neesus Datacom” vulnerability in shorter 64 bit keys and often yields results in less than one second with only two packets.
[a commonly seen configuration utility that uses the algorithm vulnerable to the Neesus Datacom attack]
None of the traffic collected produced results with this method. The attackers next ran a tool called “wep_attack” which performs a dictionary attack against packets encrypted with both 64 bit and 128 bit keys, but also produced no results with this. It was time to bring the larger guns into play, so they started airodump-ng on collecting packets from a specific access point. Once about 150,000 packets had been collected from the access point, they were fed into aircrack-ng and within a few minutes, the WEP key was produced.
Once the encryption key has been retrieved, it can be put into wireshark and used to decode all the encrypted packets for further analysis. All visible traffic on the wireless network can now be read in plain text.
Screenshot – packets in wireshark as they are collected
Screenshot – the same packets in wireshark after the encryption key has been added to decrypt them
The key can also be used to configure the wireless connection and associate with an access point and become part of the target network. At this point, with the encryption key available, once a live connection is established, all future network traffic seen by the client will be decrypted using the key and can be observed by wireshark just like normal network packets.
In most cases, the defenders were using MAC address filtering as a wireless defense as their policy had stated. Even with the encryption key, this filtering can prevent an unauthorized connection from being completed. Earlier analysis had produced a list of MAC addresses of clients that had been observed connecting to access points. A valid MAC address was selected from the list and after checking to make sure that it was not currently active, the attacking system was configured to use that MAC address. With both a cloned MAC address and the encryption key, the attacking system could connect with the wireless network.
Because of the obtrusive nature of aireplay’s packet injection technique, the attackers’ decided to not use it at least for their early penetration attempts. They didn’t want to risk being noticed and the high volume of traffic available made it unnecessary to use.
The attackers now engaged in passive collection of network packets and analysis of whatever they were able to collect. Tools such as Etherape, Ettercap-NG and p0f can be used either online in passive mode (putting out no packets at all, making them invisible) or simply by reading in packet capture files while offline. They can identify the source and target of traffic flow, show ports and protocols being uses, identify the OSes, capture text information and more.
[example of Etherape – from http://etherape.sourceforge.net/images/]
[example of Ettercap – from http://ettercap.sourceforge.net/screenshots.php]
Eventually, a decision point was reached on whether or not to press the attack further, which would require some form of action that might be detected, instead of silent passive collection. The wireless attack team had successfully penetrated the perimeter and now had a presence inside the defenses that allowed them to see far more of the network traffic than the defenders would have believed possible, but they decided to stop here and wait for a zero-day vulnerability before pushing the penetration any deeper. In the meantime, they continued to passively collect network data, analyze it and add it into their ever growing database of PHA network information.