"Hole196": MD Sohail Ahmad


TOO!

WPA 2
“Hole196”

Md Sohail Ahmad
AirTight Networks
www.airtightnetworks.com

© AirTight Networks. All rights reserved.


A lot of speculation about “Hole196”!


Where did we find this “Hole196”?


Buried inside the IEEE 802.11 standard for the last six years

It’s right here!

Hole 196!!!


The Talk is

NOT about:
- Unauthorized user gaining access to WPA2 secured network, or
- Cracking private key of a WPA2 user

About:
- An insider attack, which can be carried out by a malicious user present inside the network


Can you sniff private in-flight data of other WiFi users?

[Diagram: WiFi Client 1 (Malicious Insider) and WiFi Client 2 below the Wired LAN Segment. Labels: traffic encrypted with the private key of Client1; traffic encrypted with the private key of Client2.]


Can you sniff private in-flight data of other WiFi users?

Honeypot style of attack will not work!

[Diagram: Malicious Insider, Honeypot AP and WiFi Client 2 below the Wired LAN Segment.]


Can you sniff private in-flight data of other WiFi users?

Existing wired IDS/IPS can catch ARP spoofing attack!

[Diagram: WiFi Client 1 (Malicious Insider) and WiFi Client 2 below the Wired LAN Segment. Label: Spoofed ARP Request (I am the Gateway).]


No key cracking! No brute force!

[Diagram: WiFi Client 1 (Malicious Insider) and WiFi Client 2 below the Wired LAN Segment. Labels: traffic encrypted with the private key of Client1; traffic encrypted with the private key of Client2.]


Encryption Keys

Two types of keys for data encryption


1. Pairwise Transient Key (PTK)
2. Group Temporal Key (GTK)

While PTK is used to protect unicast data frames, GTK is used to protect group addressed data frames, e.g. broadcast ARP request frames.


PTK is unique, derived per session

[Diagram: WiFi Client 1 and WiFi Client 2 below the Wired LAN Segment. WiFi Client 1: private key PTK1, traffic encrypted with PTK1. WiFi Client 2: private key PTK2, traffic encrypted with PTK2.]


GTK is shared among all associated clients

[Diagram: three connected clients and a newly associated client, which is told “Your Group key is GTK1”.]

Client 1: PTK = PTK1, Group key = GTK1
Client 2: PTK = PTK2, Group key = GTK1
Client 3: PTK = PTK3, Group key = GTK1


WPA2 standard defines GTK as a one-way key

[Diagram: ARP Req with Destination MAC = FF:FF:FF:FF:FF:FF]

GTK should be used as an encryption key by an AP and as a decryption key by a wireless client


A WiFi client always keeps a copy of GTK

wpa_supplicant software is used on WiFi client devices.

The log of wpa_supplicant software shows that GTK is always known to a WiFi client device


A malicious client can inject encrypted group addressed data frames to other clients

[Diagram: broadcast frame encrypted with GTK]

- Malicious insider can inject forged group addressed data traffic
- Legitimate clients cannot detect data forgery


Exploit #1: Stealth ARP Poisoning

[Diagram: Attacker and Victim below the Wired LAN. Attacker's message: “I am the Gateway” (Encrypted with GTK). Flow 2 is labelled “Victim’s data encrypted with Victim’s PTK”; flow 3 is labelled “Victim’s data encrypted with Attacker’s PTK”.]

1. Attacker injects fake ARP Request packet to poison client’s cache for gateway.
2. Victim sends all traffic encrypted with its PTK to the AP, with Attacker as the destination (gateway)
3. AP forwards Victim’s data to the Attacker encrypting it in the Attacker’s PTK. So Attacker can decrypt Victim’s private data.

Man-in-the-middle (MITM) Attack

[Diagram: Attacker and Victim below the Wired LAN. Attacker's message: “I am the Gateway” (Encrypted with GTK).]

4. Attacker forwards victim data to actual Gateway to provide a transparent service to the victim


ARP Poisoning: Detectable vs Stealth

Detectable (Old style): Spoofed ARP Request frames (“I am the Gateway”) are sent on the wire and wireless medium by an AP. The attack can be detected by wired IDS/IPS.

Stealth (Hole196): Spoofed ARP Request frames (“I am the Gateway”, Encrypted with GTK) are not sent to AP and never go on wire; hence cannot be detected by wired IDS/IPS.

[Diagram for both cases: Malicious insider and Victim below the Wired LAN.]


Exploit #2: IP Level Targeted Attack

Any data payload can be encapsulated in the group addressed IEEE 802.11 data frames

IEEE 802.11 Data Packet:

Flag | Duration | Address 1 = FF:FF:FF:FF:FF:FF | Address 2 = AP’s BSSID | Address 3 = Src MAC Address | Seq. No | Encapsulated Data Payload | FCS

Encapsulated Data Payload: IP Layer Unicast Data Frame


Example: Port Scanning

IEEE 802.11 Data Packet:

Flag | Duration | Address 1 = FF:FF:FF:FF:FF:FF | Address 2 = AP’s BSSID | Address 3 = Src MAC Address | Seq. No | Encapsulated Data Payload | FCS

Encapsulated Data Payload: SYN Frame

What else is possible?

- Buffer overflow exploit
- Malware Injection
- ???


Replay Detection in WPA2

48 bit Packet Number (PN) is present in all encrypted DATA frames

Replay Attack Detection in WPA2

1. All clients learn the PN associated with a GTK at the time of association
2. AP sends a group addressed data frame to all clients with a new PN
3. If new PN > locally cached PN, then packet is decrypted and after successful decryption, cached PN is updated with new PN

[Diagram: Access Point sends a frame with PN=701 to a Legitimate client that is expecting PN >700.]


Exploit #3: WDoS on Broadcast Downlink Traffic

A malicious user can advance the locally cached PN (replay counter) in all peer clients by forging group addressed data frames with a very large PN

[Diagram, in sequence:]
- Malicious client and Legitimate client both hold PN = 780.
- Malicious client sends a GTK encrypted broadcast data frame with PN = 9999. Client updates PN. New PN = 9999.
- Frames with PN = 781, PN = 782, PN = 783, ... arrive. Client checks PN. New PN (781) < local PN (9999).
- Packets are dropped until PN reaches 9999.

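The replay check from the previous slide and the counter jump shown above, modelled as an added example (not code from the original deck). The alert threshold, the function names and the frame sequence are assumptions made for illustration; decryption is assumed to succeed because the sender holds the GTK.

```python
# Added illustration, not from the original deck: the group-key replay check
# from the "Replay Detection in WPA2" slide, plus an assumed monitor heuristic.
from dataclasses import dataclass, field

PN_MAX = (1 << 48) - 1   # PN is a 48 bit counter
MAX_PN_JUMP = 1000       # assumed alert threshold (hypothetical, tune per WLAN)


@dataclass
class GroupReplayCounter:
    """Client-side replay state for one GTK."""
    cached_pn: int
    dropped: list = field(default_factory=list)

    def receive(self, pn: int) -> bool:
        """Accept a group addressed frame only if its PN exceeds the cached PN."""
        if not 0 <= pn <= PN_MAX:
            raise ValueError("PN must fit in 48 bits")
        if pn > self.cached_pn:
            self.cached_pn = pn      # frame accepted, counter moves forward
            return True
        self.dropped.append(pn)      # PN not newer than cache: frame discarded
        return False


def flag_pn_anomalies(observed_pns, start_pn, max_jump=MAX_PN_JUMP):
    """Monitor-side view of PNs seen on group addressed frames for one BSSID.

    Reports a forward jump larger than max_jump, and every later frame whose
    PN falls behind the highest PN already seen (those are being dropped).
    """
    alerts, highest = [], start_pn
    for pn in observed_pns:
        if pn - highest > max_jump:
            alerts.append(("jump", highest, pn))
        elif pn <= highest:
            alerts.append(("behind", highest, pn))
        highest = max(highest, pn)
    return alerts


# Constructed sequence matching the slide: cached PN 780, one frame with
# PN 9999, then the AP's frames 781, 782, 783.
SLIDE_SEQUENCE = [9999, 781, 782, 783]

if __name__ == "__main__":
    client = GroupReplayCounter(cached_pn=780)
    print([client.receive(pn) for pn in SLIDE_SEQUENCE], client.cached_pn)
    print(flag_pn_anomalies(SLIDE_SEQUENCE, start_pn=780))
```

A monitor that sees a large forward jump followed by a run of "behind" frames from the same BSSID is looking at the drop pattern drawn on the slide.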


POC: GTK Exploit
Few lines of code + Off‐the‐shelf hardware



Open Source Software: Madwifi & WPA Supplicant Software

wpa_supplicant (0.7.0)
Supplicant software is used to pass updated GTK and PN to be used by madwifi driver

Madwifi (0.9.4)
Software is modified to create spoofed group addressed data frames with sender as AP address


Modification in the madwifi driver

Broadcast IEEE 802.11 Frame

ToDS frame:
Flag (ToDS) | Duration | Address 1 = AP’s MAC (BSSID) [Receiver] | Address 2 = Client’s MAC Address [Transmitter] | Address 3 = FF:FF:FF:FF:FF:FF [Final Destination] | Seq. No

FromDS frame:
Flag (FromDS) | Duration | Address 1 = FF:FF:FF:FF:FF:FF [Receiver] | Address 2 = AP’s MAC (BSSID) [Transmitter] | Address 3 = Client’s MAC Address [Original Sender] | Seq. No


Modification in the madwifi driver

1. Cyclic shift of addresses, convert ToDS flag into FromDS: 4 Lines

ToDS frame:
Flag (ToDS) | Duration | Address 1 = AP’s MAC (BSSID) | Address 2 = Client’s MAC Address | Address 3 = FF:FF:FF:FF:FF:FF | Seq. No

FromDS frame:
Flag (FromDS) | Duration | Address 1 = FF:FF:FF:FF:FF:FF | Address 2 = AP’s MAC (BSSID) | Address 3 = Client’s MAC Address | Seq. No

2. Selection of right key for frame encryption: 6 Lines

10 lines of driver code to exploit GTK vulnerability!


Demo: Stealth mode MITM attack

The Arsenal of MITM Attack

- Cain & Abel
- Ettercap
- Delegated/DNSSpoof
- SSLSniff
- SSLSTRIP
- …

[Diagram: Malicious Insider and Victim]


Who is vulnerable to “Hole196” ?

All implementations of WPA and WPA2, regardless of

- Type of encryption used in the network (AES or TKIP)
- Type of authentication used in the network (PSK or 802.1x/EAP)
- Type of WLAN architecture (Standalone, Locally controlled or Centrally Controlled)


Countermeasures
The Real Fix: Protocol Enhancement

- Deprecate use of GTK and group addressed data traffic

1. For backward compatibility AP should send randomly generated different GTKs to different clients so that all associated clients have a different copy of the group key
2. AP should deliver group addressed data traffic by converting it into unicast traffic

Disadvantages:
a. Impact on network throughput
b. Requires AP software upgrade (Not going to happen overnight!)


What should we do now?
Can we rely on end point security software?

Client software such as DecaffeinatID or Snort detects change in the ARP cache.

Detects ARP Cache Poisoning attack

Limitations:
1. Client software is available only for limited operating systems and hardware platforms
2. Not enterprise grade; impractical to manually install on large number of endpoints
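
The kind of ARP cache change such endpoint software looks for, as an added example (not code from the original deck and not how DecaffeinatID or Snort are implemented). It compares two snapshots in the Linux /proc/net/arp layout; the addresses, snapshot contents and function names are constructed for illustration.

```python
# Added illustration, not from the original deck: compare two ARP cache
# snapshots (Linux /proc/net/arp layout) and report a changed gateway entry.
# All addresses below are constructed sample values.
ATF_COM = 0x2   # flag bit of a completed ARP entry

SNAPSHOT_BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         02:00:00:00:00:01     *        wlan0
192.0.2.23       0x1         0x2         02:00:00:00:00:17     *        wlan0
192.0.2.40       0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

SNAPSHOT_AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         02:00:00:00:00:17     *        wlan0
192.0.2.23       0x1         0x2         02:00:00:00:00:17     *        wlan0
"""


def parse_arp_table(text):
    """Return {ip: mac} for completed entries, skipping the header line."""
    entries = {}
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 6:
            continue
        ip, _hw_type, flags, mac = cols[:4]
        if int(flags, 16) & ATF_COM:
            entries[ip] = mac.lower()
    return entries


def check_gateway(before, after, gateway_ip):
    """List findings about the gateway entry between two snapshots."""
    old, new = parse_arp_table(before), parse_arp_table(after)
    findings = []
    gw_mac = new.get(gateway_ip)
    if gw_mac is None:
        return findings
    if gateway_ip in old and old[gateway_ip] != gw_mac:
        findings.append(f"gateway {gateway_ip} changed {old[gateway_ip]} -> {gw_mac}")
    for ip in sorted(new):
        if ip != gateway_ip and new[ip] == gw_mac:
            findings.append(f"gateway MAC {gw_mac} also claimed by {ip}")
    return findings
```

Because the spoofed ARP frame never reaches the wire, this comparison has to run on the client itself, which is the deployment limitation listed above.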

Can we rely on WLAN infrastructure?

Public Secure Packet Forwarding (PSPF)/peer-to-peer (P2P) or Client Isolation

[Diagram: Client A sends “Hello B, This is A” towards Client B; the frame is blocked (X). A’s packet is not forwarded to B.]

Legitimate users might want to download songs/pics from say laptop to smartphone!
What about Voice-over-WiFi deployment?

Can we rely on Wireless Monitoring Systems (WIPS/WIDS)?

Similar to WEP Cracking, Skyjacking and WPA-TKIP, Hole 196 exploit is carried out entirely over the air

WIPS can serve as an additional layer of defense in detecting and protecting from such attacks

Concluding Remarks

- All WPA2 networks are exposed to the “Hole 196” vulnerability; inter-user privacy is broken in WPA2
- The real fix requires enhancement in the WPA2 protocol. In the long term, the standard can fix the problem, but in the short term AP vendors should provide a patch (proprietary solution)
- In the meantime, enterprises should consider turning ON Client isolation (PSPF) features on their WLANs and use endpoint security (ARP poisoning detector like Snort or other higher layer security like IPSec)
- A multi-layered security approach should be adopted; a dedicated WIPS monitoring the airspace 24/7 can detect and mitigate zero-day vulnerabilities such as “Hole 196”


Be Aware, Be Secure !

Thank You
Md Sohail Ahmad
md.ahmad@airtightnetworks.com
www.airtightnetworks.com

For up-to-date information on developments in wireless security, visit blog.airtightnetworks.com