Workshop

04. WiFi Security
Trainer Cedric Blancher (FR)
Date TBA
Duration 1 Day
Price Rp. 9.000.000,-
Requirement Participants are required to bring their own laptops


Overview

This workshop aims at providing attendees a broad overview of the state of the art in WiFi security, mainly from the attacker's point of view. It will expose all known and exploited vulnerabilities in WiFi networks, their inner basis (the why) and their exploitation (the how), so one can truly understand how to secure a wireless network using either the latest security standards, i.e. WPA or WPA2, or higher-level security, such as IPsec.

After a quick introduction to 802.11, the second and main part of the workshop will focus on vulnerabilities and attacks, such as network enumeration techniques (wardriving), management traffic injection, rogue APs, WEP cracking, traffic injection, isolation bypass, captive portal bypass, etc. A large part will address the theoretical aspects of WEP cracking and its exploitation techniques (injection, authentication bypass, fragmentation, IV/PRGA tables, weak keys, Korek's statistical attacks). This part will show where the vulnerabilities are and introduce the last part: how to secure the network. The efficiency of cosmetic protections (MAC filtering, SSID cloaking, station isolation, WEP+/WEP2) will be discussed as well.

The last third of this workshop aims at exposing and/or clarifying the WPA/WPA2 security scheme. As one can see by just browsing public security mailing list archives (just have a look at wifisec@securityfocus.net), there is a lot of confusion in people's minds regarding what WPA and WPA2 are. This part provides an in-depth description of those protocols and the solutions they bring to the previously exposed attacks. Known vulnerabilities will also be discussed. The workshop will end by showing WPA and WPA2 availability on commonly used OSes and hardware, and the requirements to deploy and use them, to give people WiFi security deployment best practices.


Course Outline

  1. 802.11 quick 101/reminder
    1. Physical considerations
    2. Frame format
    3. Basis and functionalities
    4. Intrinsic flaws
      1. Physical jamming (DoS)
      2. Bandwidth reservation (DoS)
  2. 802.11 early security: WEP
    1. RC4 reminder
    2. WEP data encryption
    3. WEP authentication
    4. Vulnerability sources identification
  3. 802.11 flaws...
    1. Enumeration/identification techniques (wardriving)
    2. Management traffic injection
    3. Rogue APs
  4. WEP abuse and cracking
    1. Bypassing WEP authentication
    2. Exploiting known-cleartext attacks
    3. Fragmentation attack
    4. Arbitrary traffic injection
    5. Arbitrary frame tampering
    6. Inductive packet decrypting
    7. IV/PRGA tables
    8. Weak IVs
    9. Final key recovery attack
    10. Fix attempts (WEP+/WEP2)
  5. Traffic injection and tampering
    1. Open infrastructure abuse
    2. Captive portal bypass
    3. Client attacks
    4. Isolation bypass
  6. Protection means
    1. WPA
      1. Authentication: PSK vs. EAP
      2. TKIP+Michael
        1. Key scheduling
        2. Ext. IV & anti-replay
      3. PSK brute force flaw...
    2. WPA2
      1. Authentication: PSK vs. EAP
        1. What differs from WPA
      2. AES/CCMP+CCMP MIC
        1. Ext. IV & anti-replay
    3. Identified flaws
      1. Replay counter-measures abuse (DoS)
      2. AP handshake flood (DoS)
  7. Configuration guidelines
    1. WPA/WPA2 support for clients
      1. Adapters
      2. Unices: GNU/Linux, BSD, OSX
      3. Windows: 2k, XP
    2. WPA/WPA2 support for APs
      1. Off the shelf hardware
      2. Unices: GNU/Linux, BSD
    3. Configuration tricks
      1. WPA vs. WPA2
      2. PSK vs. EAP
      3. EAP flavors (PEAP, TLS, etc.)
      4. TKIP vs. AES
      5. etc.


About the tutor

Cedric Blancher has spent the last 5 years working in the network security field, performing audits and penetration tests. In 2004, he joined the EADS Corporate Research Center in France to work at its IT Security Research lab, focusing on networking and wireless link security. He is an active member of the Rstack team and the French Honeynet Project, with studies on honeynet containment, honeypot farms and network traffic analysis.

He has been delivering technical talks worldwide (Cansecwest/core06, Recon, Ruxcon, Pacsec/core05, etc.), and has published research papers, magazine articles (MISC) and trainings (Eusecwest/core06, Cansecwest/core06, etc.) on network and wireless security. He also authored Wifitap, an 802.11 communication tool based on traffic injection.

For questions regarding event registration, please call +62-21-570-5800 (Ms. Astri). For general questions, please email bcs2006@bellua.com or send an empty message to bcs-announce-subscribe@bellua.com to receive future event information.



This document is available at PT BELLUA ASIA PACIFIC's website and protected by the copyright laws of the Republic of Indonesia and International treaties. All use subject to "DISCLAIMER" set forth at /disclaimer/