1
00:00:04,300 --> 00:00:09,140
 Hello and welcome to this video
 titled PMF and SA queries.

2
00:00:09,140 --> 00:00:12,640
 In this particular video we're going
 to be talking about specific aspects

3
00:00:12,640 --> 00:00:18,640
 of protected management frames that
 protect clients and access points

4
00:00:18,640 --> 00:00:24,020
 against malicious actors attempting
 to spoof a client and associate.

5
00:00:24,020 --> 00:00:27,240
 So let's go into the details here.

6
00:00:27,240 --> 00:00:32,120
 So prior to protected management frames
 and if you remember this is a

7
00:00:32,120 --> 00:00:36,400
 brief recap of protected management
 frames we learned that in a previous

8
00:00:36,400 --> 00:00:41,000
 video that there are certain management
 frames called robust management

9
00:00:41,000 --> 00:00:47,060
 frames such as deauthentication,
 disassociation and action frames.

10
00:00:47,060 --> 00:00:50,900
 And protected management frames was
 designed so that the access point

11
00:00:50,900 --> 00:00:56,240
 could add a MIC, a message integrity
 code to those frames so that when

12
00:00:56,240 --> 00:01:00,140
 a receiver received them like your wireless
 client it had the warm fuzzies

13
00:01:00,140 --> 00:01:03,880
 that that frame had actually come from
 a legitimate access point and not

14
00:01:03,880 --> 00:01:07,780
 a malicious actor acting
 as a rogue access point.

15
00:01:07,780 --> 00:01:12,100
 So this is something that comes with
 protected management frames.

16
00:01:12,100 --> 00:01:15,220
 So when you enable protected management
 frames this comes with it.

17
00:01:15,220 --> 00:01:18,560
 It's already on by default although
 there are a couple of timers that

18
00:01:18,560 --> 00:01:23,740
 you're going to tweak with it and that's
 what we're going to look at here.

19
00:01:23,740 --> 00:01:28,600
 So before protected management frames
 existed if you were already associated

20
00:01:28,600 --> 00:01:33,280
 so let's talk about like WPA2 or
 even the older original WPA.

21
00:01:33,280 --> 00:01:37,620
 If you, a legitimate client, were associated
 to your access point and then

22
00:01:37,620 --> 00:01:41,840
 a malicious actor came along, did some
 Wi-Fi spoofing, discovered your MAC

23
00:01:41,840 --> 00:01:46,700
 address, changed their own MAC address
 to look exactly like yours and

24
00:01:46,700 --> 00:01:50,440
 then they sent an association request
 to the access point it would actually

25
00:01:50,440 --> 00:01:54,760
 result in the access point kicking
 you off of the wireless LAN and so

26
00:01:54,760 --> 00:01:56,840
 this is how that worked.

27
00:01:56,840 --> 00:02:01,900
 So here we have an existing security
 association an existing association

28
00:02:01,900 --> 00:02:04,840
 between the access point and the station
 then all of a sudden the malicious

29
00:02:04,840 --> 00:02:09,220
 actor like to talk about changed their
 MAC address to look exactly like

30
00:02:09,220 --> 00:02:13,320
 yours and they send their
 own association request.

31
00:02:13,320 --> 00:02:16,260
 Well at this point the access point
 is going to get a little confused

32
00:02:16,260 --> 00:02:19,680
 it's going to say wait a second this
 person's already associated I thought

33
00:02:19,680 --> 00:02:24,520
 hmm maybe something happened they got
 booted off and now they're associating

34
00:02:24,520 --> 00:02:29,160
 again so the access point's response
 would be to connect to terminate

35
00:02:29,160 --> 00:02:33,180
 the connection so the legitimate wireless
 LAN client all of a sudden just

36
00:02:33,180 --> 00:02:38,440
 lost their Wi-Fi connectivity and then
 in the second or two it takes them

37
00:02:38,440 --> 00:02:44,220
 to connect again the malicious actor
 could then successfully associate

38
00:02:44,220 --> 00:02:46,160
 to the wireless LAN.

39
00:02:46,160 --> 00:02:50,100
 Now fortunately for us when you turn
 on protected management frames which

40
00:02:50,100 --> 00:02:55,380
 is required for WPA3 it has a built-in
 mechanism which this video is about

41
00:02:55,380 --> 00:02:58,060
 to prevent that type of thing.

42
00:02:58,060 --> 00:02:59,960
 So here's how this works.

43
00:02:59,960 --> 00:03:04,320
 So with protected management frames
 you've got two mechanisms you have

44
00:03:04,320 --> 00:03:09,400
 an association comeback timer and an
 SA query procedure both of these

45
00:03:09,400 --> 00:03:13,420
 were designed to prevent that type
 of attack I just showed you.

46
00:03:13,420 --> 00:03:16,480
 Let's first of all talk about the
 association comeback timer.

47
00:03:16,480 --> 00:03:22,460
 So the way this works is let's say
 an association request is received.

48
00:03:22,460 --> 00:03:27,160
 So now the access point or the wireless
 LAN controller either or is

49
00:03:27,160 --> 00:03:31,520
 going to check to see if there's currently
 an association already from

50
00:03:31,520 --> 00:03:34,480
 that same client from
 that same MAC address.

51
00:03:34,480 --> 00:03:39,940
 If there is instead of just kicking that
 client off it will actually send

52
00:03:39,940 --> 00:03:46,100
 a response back to that association
 request in an association response

53
00:03:46,100 --> 00:03:50,440
 basically denying it and saying with
 a status code of 30 and saying please

54
00:03:50,440 --> 00:03:53,300
 come back later and this is actually
 what it looks like here in a sniffer

55
00:03:53,300 --> 00:03:57,100
 trace I'm sorry that's a little fuzzy
 here I couldn't get a clear screenshot

56
00:03:57,100 --> 00:04:01,720
 than this but you can see up in the top
 that this says association response

57
00:04:01,720 --> 00:04:06,840
 so this is coming from the access point
 status code association request

58
00:04:06,840 --> 00:04:12,520
 rejected temporarily try again later
 and the status code is 30 you can

59
00:04:12,520 --> 00:04:19,840
 see 1e in hex is equal to 30 and then
 down below it actually says this

60
00:04:19,840 --> 00:04:23,460
 is a result of the association comeback
 time it says you can try again

61
00:04:23,460 --> 00:04:28,300
 in now this is in milliseconds so this would
 be one second or 1000 milliseconds

62
00:04:28,300 --> 00:04:33,160
 now that timer right there is what you
 can configure at least on the Cisco

63
00:04:33,160 --> 00:04:37,200
 9800 wireless LAN controllers I'll
 show you how you can set that timer

64
00:04:37,200 --> 00:04:40,040
 to a different value if you wish.

65
00:04:40,040 --> 00:04:44,460
 Okay now there's another thing that happens
 once that association comeback

66
00:04:44,460 --> 00:04:48,940
 timer starts on the access point and
 says okay I'm not going to allow

67
00:04:48,940 --> 00:04:53,020
 any more association requests from
 this particular client during that

68
00:04:53,020 --> 00:04:59,220
 time it also says hmm maybe I should
 check to see if the actual client

69
00:04:59,220 --> 00:05:04,240
 is really still connected to me or
 not and that's what the purpose of

70
00:05:04,240 --> 00:05:11,820
 this is so the security association queries
 so once that association comeback

71
00:05:11,820 --> 00:05:15,740
 timer begins and remember the whole reason
 that started is because somebody

72
00:05:15,740 --> 00:05:20,340
 was trying to spoof you and they sent
 an association request and the access

73
00:05:20,340 --> 00:05:24,520
 point said I've already got one for
 that guy or that girl so it started

74
00:05:24,520 --> 00:05:30,500
 the association comeback timer now the
 second it starts that it also sends

75
00:05:30,500 --> 00:05:34,080
 a message to the client the legitimate
 client that's really associated

76
00:05:34,080 --> 00:05:39,400
 called an SA query request now this
 is within a specific action frame

77
00:05:39,400 --> 00:05:42,840
 you know which is a management frame so
 this falls under protected management

78
00:05:42,840 --> 00:05:48,620
 frames an action frame is a robust management
 frame type and this is the

79
00:05:48,620 --> 00:05:52,080
 access point's way of saying hey client
 are you really still here I think

80
00:05:52,080 --> 00:05:57,300
 you are I have an association with you
 but are you really here and there's

81
00:05:57,300 --> 00:06:02,580
 a timer called the SA query interval
 so this is our second timer now it's

82
00:06:02,580 --> 00:06:06,940
 shorter obviously than the association
 comeback timer and the client if

83
00:06:06,940 --> 00:06:11,300
 he really is associated the legitimate
 one has to respond back with an

84
00:06:11,300 --> 00:06:18,360
 SA query response so the data within
 these frames within the SA query

85
00:06:18,360 --> 00:06:22,740
 request and the SA query response remember
 this is unicast between the

86
00:06:22,740 --> 00:06:26,720
 access point and the legitimate client
 and so we are going to use protected

87
00:06:26,720 --> 00:06:30,700
 management frames to protect that actually
 we're going to protect it actually

88
00:06:30,700 --> 00:06:36,360
 encrypting it so in this case the TK
 the temporal key that was created

89
00:06:36,360 --> 00:06:39,900
 when that client first associated and went
 through the EAPOL handshake

90
00:06:39,900 --> 00:06:46,400
 is going to be used to encrypt these
 requests and response frames and

91
00:06:46,400 --> 00:06:50,480
 so here's an example of what this looks
 like so once again our client

92
00:06:50,480 --> 00:06:54,620
 has a valid association and in comes
 the malicious actor attempting to

93
00:06:54,620 --> 00:06:59,160
 spoof it in this case the malicious
 actor will get back that association

94
00:06:59,160 --> 00:07:05,480
 response saying rejected try again later
 now as soon as that happens the association

95
00:07:05,480 --> 00:07:09,720
 comeback time starts we saw in the previous
 slide that that was 1000 milliseconds

96
00:07:09,720 --> 00:07:14,980
 or one second but that's configurable
 and then when that starts the SA

97
00:07:14,980 --> 00:07:20,520
 query time will start as well which
 is less during that SA query time

98
00:07:20,520 --> 00:07:24,880
 the access point sends to the legitimate
 client an SA query request and

99
00:07:24,880 --> 00:07:28,660
 hopefully if that client really is there
 and really is associated it will

100
00:07:28,660 --> 00:07:34,980
 send an SA query response now once that
 association comeback timer expires

101
00:07:34,980 --> 00:07:39,260
 the malicious actor could always try
 again and this process would repeat

102
00:07:39,260 --> 00:07:46,300
 itself so we can see here that there this
 type of attack while the malicious

103
00:07:46,300 --> 00:07:51,700
 actor may have had the original intent
 of using this to try to kick off

104
00:07:51,700 --> 00:07:55,540
 a legitimate Wi-Fi client maybe the
 malicious actor isn't even really

105
00:07:55,540 --> 00:07:59,900
 concerned about actually connecting
 to the Wi-Fi I mean after all the

106
00:07:59,900 --> 00:08:04,980
 malicious actor might not have the pairwise
 master key or the shared secret

107
00:08:04,980 --> 00:08:09,520
 or anything his sole intention is to
 try to kick off a legitimate client

108
00:08:09,520 --> 00:08:14,400
 and that's why he's doing it so with
 this he won't be able to kick off

109
00:08:14,400 --> 00:08:18,640
 the client but there is a downside what
 if that malicious actor decides

110
00:08:18,640 --> 00:08:22,280
 you know what I'm just going to keep
 doing this every second or every

111
00:08:22,280 --> 00:08:25,460
 half second or something I'm just gonna
 I'm gonna set up some automated

112
00:08:25,460 --> 00:08:30,160
 thing that mimics this client here you
 know maybe this client is my CEO

113
00:08:30,160 --> 00:08:34,400
 and I don't really like my CEO so I'm
 going to mimic his MAC address her

114
00:08:34,400 --> 00:08:38,700
 MAC address and I'm just gonna send
 association requests like every 500

115
00:08:38,700 --> 00:08:42,060
 milliseconds or something over and over
 and over again well think about

116
00:08:42,060 --> 00:08:47,440
 what's happening in the background it's
 going to be taking some CPU processing

117
00:08:47,440 --> 00:08:52,900
 power and some memory on behalf of
 the access point and the client the

118
00:08:52,900 --> 00:08:56,120
 legitimate client to go through all
 this because that access point is

119
00:08:56,120 --> 00:08:59,520
 going to have to be continually sending
 these association response denied

120
00:08:59,520 --> 00:09:04,360
 doing the SA query requests then
 the client is going to constantly

121
00:09:04,360 --> 00:09:08,260
 send an SA query response so if
 this is happening over and over and

122
00:09:08,260 --> 00:09:12,860
 over again it could actually exhaust
 some resources in the access point

123
00:09:12,860 --> 00:09:16,460
 and the client and maybe slow down the
 actual transmission of legitimate

124
00:09:16,460 --> 00:09:21,180
 Wi-Fi frames so this could be used in
 that sense as sort of a crude form

125
00:09:21,180 --> 00:09:24,720
 of a denial of service attack so there's
 nothing you can really do about

126
00:09:24,720 --> 00:09:28,280
 that but at least the client is not
 actually getting kicked off of the

127
00:09:28,280 --> 00:09:33,440
 wireless LAN so last thing I want to
 show you is how in the 9800 how you

128
00:09:33,440 --> 00:09:36,640
 can manage this how you can configure
 it so like I said when you turn

129
00:09:36,640 --> 00:09:41,520
 protected management frames to required
 this feature is already there

130
00:09:41,520 --> 00:09:45,720
 now this is in this is under the edit
 wireless LAN obviously and you can

131
00:09:45,720 --> 00:09:49,660
 see here here's the two timers so by
 default the association comeback

132
00:09:49,660 --> 00:09:54,760
 timer will be one second and the SA
 query timer will be 200 milliseconds

133
00:09:54,760 --> 00:09:58,660
 however you can see here within the
 association comeback timer you've

134
00:09:58,660 --> 00:10:03,400
 got a range not a big range but a range
 of one to 20 seconds and the SA

135
00:10:03,400 --> 00:10:08,900
 query timer you've got from 100 to 500
 milliseconds so if you're concerned

136
00:10:08,900 --> 00:10:13,720
 about a malicious actor maybe sending
 spoofed association requests

137
00:10:13,720 --> 00:10:18,420
 over and over and over again and driving
 up resource usage maybe what

138
00:10:18,420 --> 00:10:21,740
 you want to do is take this association
 comeback timer and increase it

139
00:10:21,740 --> 00:10:28,320
 from one second to maybe 10 or 15 seconds
 if you do that then not nearly

140
00:10:28,320 --> 00:10:34,400
 as many SA queries and SA replies
 will have to be generated so that

141
00:10:34,400 --> 00:10:38,260
 concludes this video thank you so much
 for watching and I hope it was
