Wireless Protocol Attacks – CompTIA Network+ N10-006 – 3.2

How secure are our wireless protocols? In this video, you’ll learn about replay attacks, cracking WEP encryption, WPA2 encryption, and WPS vulnerabilities.
<< Previous: Wireless Network AttacksNext: Brute Force Attacks >>

Just as we have attacks on our wired networks, we also have to be aware of attacks to our wireless networks. And in this video, we’ll look at a number of different ways that the bad guys can use to get into your wireless network. A replay attack is one where the bad guy is recording information that you’re sending and then once you’re done, he re-sends it off onto the network in an attempt to gain access to a second device. It works the same on a wireless network as it does on a wired network, but on a wireless network, you can listen to everyone’s conversations.

You don’t need a specialized tap or a port mirror in order to capture that information. So it’s very easy to capture this information the instant it’s sent out over the network. And you can capture it from anybody in an area, especially if it’s an open hotspot. You can sit in one place and listen to everything that’s going by. Wireless attacks were prevalent on wireless networks running WEP, that’s the Wired Equivalent Privacy, the old encryption that, of course, we never, never use any longer because of the vulnerabilities that we found with the cryptography.

There was nothing built into WEP that would stop a replay attack, so it was very easy to send that information back out over a WEP network. One type of replay attack that worked really in conjunction with the known cryptographic vulnerabilities of WEP is an ARP request replay attack. This is an attack where we’re sending out these ARPs so that we can see the responses. And the responses are going to have initialization vectors inside of them or IV. When you collect enough IVs, you’re able to perform that cryptographic break of the WEP protocol.

Now you could wait around all day and simply watch the normal conversations go back and forth and collect the IVs that are sent over that time frame, but it’s much faster if you simply replay some ARPs on to the wireless network and watch the responses. You can collect thousands of ARP responses and thousands of initialization vector packets that way. And once you’ve collected all those packets, you can very easily– in a matter of minutes– determine what the WEP password is for that network. And it’s because of that cryptographic vulnerability that we never use WEP on our wireless networks today.

Breaking WEP was a big deal. That cryptographic vulnerability was very easy to exploit, and so we had to make a lot of drastic changes to our wireless networks to make sure that everything remained secure. WPA was the next version of encryption that we created after WEP. It was an extremely strong encryption, but a number of vulnerabilities were found with the subprotocols that we used, specifically TKIP. This TKIP vulnerability was not one that was as bad as the WEP vulnerability.

It could only be used in very specific situations, it was a per-packet type of vulnerability, it was very slow, and it was very difficult for anyone to be able to exploit that specific vulnerability. But even so, we needed a more secure protocol. So, of course, we created WPA2. This used CCMP and AES to have this cryptography and strong security of the data going over the wireless network. And even today, there are no known cryptographic vulnerabilities when you’re using WPA2 with CCMP.

So how can we gain access then to a WPA2 network? Well, we know there aren’t any known cryptographic vulnerabilities at this point, so we can’t access the network by taking advantage of something that’s wrong with the cryptography. If you’re running WPA-Personal, you might also see this referred to as WPA-PSK, that stands for pre-shared key. This is one where everybody is given the same key to access the network. If you’re running WPA2 at home, you’re probably running WPA-Personal.

You may see it referred to as WPA2 Personal or WPA2 PSK. You’re handing out the same key to all of the devices on your network and the only way then to gain access to this network is if you have the key. So therefore, one way to get into this network would be to reverse engineer the key. Effectively, brute force. Use every possible key you could think of to try to find the one that matches for this PSK network.

So ideally you should be using on your wireless network a very complex key. It needs to have a lot of numbers and letters. You want to try avoiding words so that nobody can use a dictionary attack against you. And in using something that’s a little more complex, you can prevent anybody from performing that brute force on a WPA2 network.

If you’re in a business, you’re probably integrating your wireless authentication with some type of authentication database on the back end. You’re not handing out pre-shared keys to everyone. This is called WPA-Enterprise or WPA-802.1X. With this network authentication method, you are now authenticating every user against their individual login and password.

So there’s usually a back end process using RADIUS or TACACS+ or LDAP, and there are no practical attacks against this one either. You would need to gain access to some authentication credentials and only then would you be given access to this WPA2 network. There’s also another way to authenticate to a wireless access point called WPS. This stands for Wi-Fi Protected Setup. Originally this was called Wi-Fi Simple Config.

And the idea is that this would be an easy way to allow devices to securely authenticate to an access point, especially an access point you might have at home. So instead of using a passphrase or some other long encryption mechanism or even setting it up properly to begin with, you connect to the access point in a number of different ways. You can first use a pin that is configured on the access point, and then use that same personal identification number on your mobile device.

Some access points have a button on the front and you can push the button and then tell your wireless device to then connect to that access point. There’s also near-field communication that was integrated on a number of access points. So you only needed to be close to the access point and the access point would recognize you and allow you access to the network. And there was once also a USB method where you would take USB information off of your machine, you’d plug it into the access point, and it would then recognize who you were.

By creating WPS, we thought we were creating a much easier way for people to connect to their wireless network and connect to it securely. Unfortunately, there was a very significant flaw found with this process of connecting to a device using WPS. And the first hack was identified in December of 2011 and it was clearly based on a design flaw of WPS. The entire mechanism was built wrong from the very beginning.

This design flaw was based on the method of communicating that used the personal identification number. This is an eight digit number. What it really was was seven digits and a checksum, so the seven digits that you needed to know that were unique give you about 10 million possible combinations. It would seem like 10 million numbers would be a pretty large number to be able to protect your access point, but the way that it examined these seven digits is where the problem was. It really examined the first half of the number and then the second half of the number.

So it looked at four digits in that first half. There are only 10,000 different options then for those four digits. And of course, in the second half, we weren’t looking at four digits. It was three digits and a checksum, so you only needed to go through three digits which is about 1,000 possibilities. So in reality, you only needed to go through 11,000 numbers to find the one you were really looking for.

And if you did this on a relatively conservative basis to an access point, it takes you about four hours and you could go through every possible iteration. These devices generally didn’t have a lockout function, so they didn’t see that somebody was trying to brute force using this WPS functionality. So as long as you had access to this device for at least four hours, you were guaranteed a way to gain access to that wireless network. And that’s the reason why WPS today is either disabled or not available on all of our access points.