
Wireless Insecurity

Wireless

• 802.11a works on 5 GHz

• 802.11b, g and n work on 2.4 GHz

• Access points and wireless cards are used.

• Protocol can be either in the clear or encrypted.

• Wired Equivalent Privacy (WEP) provides poor security

Scenario

[Diagram: Attacker, User, Access Point]

Physical Security

[Diagram: Attacker, User, Access Point]

Typical Configuration

[Diagram: PCMCIA Wireless NIC, USB Wireless NIC, ISA/PCI Wireless NIC, Corporate Resources]

Wired Equivalent Privacy (WEP)

• RC4 Crypto algorithm

• 64- or 128-bit encryption

• 24-bit Initialization Vector

• Compromised in under 24 hours – even faster now!!!

• No key management (no key update)
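Added illustration, not from the slides: a toy WEP-style encryptor showing why RC4 with a 24-bit IV fails. Two frames that reuse an IV under the same key share a keystream, so XORing them cancels the cipher, and the birthday bound puts the first IV repeat at only a few thousand frames. The key, IV and payloads are constructed, and the CRC-32 integrity value is omitted.

```python
import math

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: 24-bit IV sent in the clear, RC4 keyed with IV || key.
    The CRC-32 integrity value is omitted; it does not change the keystream-reuse point."""
    assert len(iv) == 3, "WEP uses a 24-bit IV"
    return iv + rc4(iv + key, plaintext)

def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames with the same IV under the same key share an RC4 keystream, so
    XORing their ciphertext bodies cancels the keystream and leaves P_a XOR P_b:
    a known plaintext in one frame then reveals the other outright."""
    assert frame_a[:3] == frame_b[:3], "demonstration needs a reused IV"
    return bytes(x ^ y for x, y in zip(frame_a[3:], frame_b[3:]))

def iv_reuse_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: P(at least one repeated IV) among `frames` random IVs."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))

def expected_frames_until_reuse(iv_bits: int = 24) -> float:
    """Expected random IVs drawn before the first repeat: sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)

if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"  # constructed 40-bit key ("64-bit WEP" = 40 + 24-bit IV)
    iv = b"\x00\x00\x01"           # constructed IV, reused as a sequential-IV card would
    p_a, p_b = b"GET /index.html ", b"password=hunter2"  # constructed payloads
    leak = xor_of_plaintexts(wep_encrypt(key, iv, p_a), wep_encrypt(key, iv, p_b))
    print("recovered P_b:", bytes(x ^ y for x, y in zip(leak, p_a)))
    print(f"expected frames to first IV reuse: {expected_frames_until_reuse():.0f}")
    print(f"P(reuse) after 5000 frames: {iv_reuse_probability(5000):.2f}")
```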

Configuring Wireless

Service Set Identifier (SSID)

Key

Steps for attack

• Surveying (Wardriving/Warwalking)

• Identification (Warchalking)

• Cryptanalysis (Cracking)

• Penetration

• Exploitation

Wardriving Tools

• Laptop or PDA with Wireless Card

– Prism Wireless Card for promiscuous monitoring

– Antenna

– GPS

– Netstumbler

– Kismet

– Wireshark

[Photo: GPS, antenna, and PDA with wireless card running MiniStumbler]

Goal is to identify Access Points and SSIDs

Warchalking

Identifying wireless sites is a new trophy sport for some.

Note: Access Points are identified

Warchalking as a Social Activity

WEP Cracking

• Capture the packets of an Access Point for a day using Ethereal.

• Pass them through WEPCrack (shareware)

• Will identify the key in under an hour.

• WEP crypto will be defeated (including 128 bit)

Nobody uses WEP anymore, right?

WPA2

• TKIP

• AES

• WPA2-PSK can be cracked when the PSK is under 21 characters

Use LONG pass phrases for Wireless

Example passphrase: "Everyone has the right to life, liberty and security"

Bypassing Access Points with MAC Access Control

• Some Access Points require MACs to authenticate access.

• MACs can be discovered and forged

• Using Linux: ifconfig eth0 hw ether 11:11:11:11:11:11

Other tools

• AirSnort

– AirSnort is a wireless LAN (WLAN) tool that recovers encryption keys. It operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered.

• AirJAM

– Jams the Access Point – denial of service attack

• Aircrack-ng and WEPLab

– 802.11 WEP key crackers implementing the Fluhrer-Mantin-Shamir (FMS) attack and the KoreK approach.

• CoWPAtty (Dictionary attack tool)

Penetration

• Access the network

• Take/Alter Data

• Use backdoor (Wi-Fi) or Front Door (cable)

• GO TO JAIL – Criminal Code

Improvements

• Wi-Fi Protected Access

• WPA2 (802.11i)

• Implementation of Temporal Key Integrity Protocol (TKIP)

• Extensible Authentication Protocol

Other safeguards

• RADIUS Access control

• VPN based on Certificates

• Intrusion Prevention System

• Intrusion Detection System

What is the point?

• Vulnerabilities are discovered

• Vulnerabilities get fixed

• New vulnerabilities appear

• You must re-assess safeguards
