Wireless Networking
Wireless Vulnerabilities and Attacks, Module-13
Jerry Bernardini, Community College of Rhode Island

Presentation Reference Material

• CWNA Certified Wireless Network Administration Official Study Guide (PWO-104), David Coleman, David Westcott, 2009, Chapter-14
• CWNA Certified Wireless Network Administration Official Study Guide, Fourth Edition, Tom Carpenter, Joel Barrett
  – Chapter-9, 10
• Cisco White Paper - A Comprehensive Review of 802.11 Wireless LAN Security and the Cisco Wireless Security Suite
  – www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.htm
• Your 802.11 Wireless Network has No Clothes
  – William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan, Department of Computer Science, University of Maryland, College Park, Maryland 20742, March 30, 2001
  – http://www.cs.umd.edu/~waa/wireless.pdf

Categories of Attackers

• Six categories of attackers:
  – Hackers - Not malicious; expose security flaws, “ethical attackers”
  – Crackers – Violate system security with malicious intent
  – Script kiddies – Break into computers to create damage
  – Spies – Hired to break in and steal information
  – Employees – Unhappy employees that steal, damage and change information
  – Cyber-terrorists – Steal, damage and change information for ideology or extreme beliefs

Security Attackers Profiles

Early IEEE 802.11 Security

• Referred to as Pre-RSNA Security
  – RSNA = Robust Security Network Association
• Pre-RSNA Security includes
  – Open System Authentication
  – Shared Key Authentication
  – Wired Equivalent Privacy (WEP)
• This technology has many flaws and should not be considered for new systems
• But we should understand Pre-RSNA to appreciate WLAN vulnerabilities

Open Authentication

• Open authentication allows any device network access.

• If no encryption is enabled on the network, any device that knows the SSID of the access point can gain access to the network.

• With WEP encryption enabled on an access point, the WEP key itself becomes a means of access control.

802.11 client authentication process

1. Client broadcasts a probe request frame on every channel
2. Access points within range respond with a probe response frame
3. The client decides which access point (AP) is the best for access and sends an authentication request
4. The access point will send an authentication reply
5. Upon successful authentication, the client will send an association request frame to the access point
6. The access point will reply with an association response
7. The client is now able to pass traffic to the access point

Open Authentication Vulnerabilities

• No way for the access point to determine whether a client is valid.

• A major security vulnerability if WEP or better encryption is not implemented
  – Cisco does not recommend deploying wireless LANs without WEP encryption.
• When WEP encryption is not needed or is not feasible to deploy, such as in public WLAN deployments, higher-layer authentication can be provided by implementing a Service Selection Gateway (SSG).
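The seven-step exchange and the "no way to tell a valid client" weakness above, modelled as the per-station state an access point has to keep. This is an added example, not code from the slides or from any vendor: the SSID and MAC addresses are constructed, while the three 802.11 states and the class-2/class-3 frame rejections follow the standard's state machine.

```python
from __future__ import annotations

from enum import Enum
from typing import Optional


class State(Enum):
    UNAUTH_UNASSOC = 1   # State 1: only class 1 frames (probe, authentication) accepted
    AUTH_UNASSOC = 2     # State 2: class 2 frames (association) accepted
    AUTH_ASSOC = 3       # State 3: class 3 frames (data) accepted


class OpenSystemAP:
    """Minimal model of an AP that uses Open System authentication."""

    def __init__(self, ssid: str) -> None:
        self.ssid = ssid
        self.stations: dict[str, State] = {}

    def state(self, mac: str) -> State:
        return self.stations.get(mac, State.UNAUTH_UNASSOC)

    # Steps 1-2: probe request / probe response
    def probe_request(self, mac: str, ssid: str = "") -> Optional[dict]:
        # A wildcard (empty) or matching SSID gets a response. Knowing the SSID
        # proves nothing about the client; it only selects the network.
        if ssid in ("", self.ssid):
            return {"ssid": self.ssid, "auth_algorithms": ["open"]}
        return None

    # Steps 3-4: authentication request / reply
    def authentication_request(self, mac: str, algorithm: str = "open") -> str:
        if algorithm != "open":
            return "refused: unsupported authentication algorithm"
        # Open System "authentication" is a null exchange: every station that
        # asks is accepted, so the AP cannot distinguish a valid client.
        self.stations[mac] = State.AUTH_UNASSOC
        return "success"

    # Steps 5-6: association request / response
    def association_request(self, mac: str, ssid: str) -> str:
        if self.state(mac) is State.UNAUTH_UNASSOC:
            # Deauthentication reason code 6: class 2 frame from a
            # nonauthenticated station.
            return "deauth: class 2 frame from nonauthenticated STA"
        if ssid != self.ssid:
            return "refused: SSID mismatch"
        self.stations[mac] = State.AUTH_ASSOC
        return "success"

    # Step 7: data frames
    def data_frame(self, mac: str, payload: bytes) -> str:
        if self.state(mac) is not State.AUTH_ASSOC:
            # Disassociation reason code 7: class 3 frame from a nonassociated station.
            return "disassoc: class 3 frame from nonassociated STA"
        return f"forwarded {len(payload)} bytes"

    def deauthenticate(self, mac: str) -> None:
        # Deauthentication returns the station all the way to State 1.
        self.stations.pop(mac, None)


def demo() -> dict[str, str]:
    """Walk one well-behaved client and one out-of-order client through the AP."""
    ap = OpenSystemAP("ccri-lab")                          # constructed SSID
    good, hasty = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed MACs
    results = {}
    assert ap.probe_request(good, "") is not None
    results["good_auth"] = ap.authentication_request(good)
    results["good_assoc"] = ap.association_request(good, "ccri-lab")
    results["good_data"] = ap.data_frame(good, b"GET / HTTP/1.1\r\n")
    # The second station skips authentication and is rejected at each step.
    results["hasty_assoc"] = ap.association_request(hasty, "ccri-lab")
    results["hasty_data"] = ap.data_frame(hasty, b"x")
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:12s} -> {outcome}")
```

The model makes the slide's point concrete: the AP does enforce ordering (association before data, authentication before association), but the Open System authentication step itself accepts every requester, so ordering alone is not access control.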

Vulnerability of Shared Key Authentication

WEP Characteristics

• WEP shared secret keys must be at least 40 bits
  – Most vendors use 104 bits
• Options for creating WEP keys:
  – 40-bit WEP shared secret key (5 ASCII characters or 10 hexadecimal characters)
  – 104-bit WEP shared secret key (13 ASCII characters or 16 hexadecimal characters)
  – Passphrase (16 ASCII characters)
• APs and wireless devices can store up to four shared secret keys
  – Default key is one of the four stored keys
  – Default key is used for all encryption
  – Default key can be different for AP and client

WEP Weaknesses

• Key management and key size (40-bit)
• The IV is too small: 24-bit = 16,777,216 different cipher streams
• The ICV algorithm is not appropriate: uses CRC-32 when MD5 or SHA-1 would be better
• Authentication messages can be easily forged
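Two of the weaknesses above can be quantified rather than asserted. The following is an added example, not part of the slides: it computes how quickly a 24-bit IV space starts repeating (birthday bound) and tests the property that makes CRC-32 unfit as an integrity check, namely that the check value of an XOR of two messages is predictable from the check values of the parts. A keyed tag (HMAC-SHA256 is chosen here for illustration; the key value is constructed) fails that test, which is the behaviour an integrity check needs.

```python
from __future__ import annotations

import hashlib
import hmac
import math
import zlib
from typing import Callable

IV_BITS = 24
IV_SPACE = 1 << IV_BITS      # 16,777,216 cipher streams per WEP key, as the slide states


def iv_reuse_probability(frames: int) -> float:
    """Birthday-bound probability that at least two of `frames` randomly drawn
    24-bit IVs coincide. Sequential IVs are no better: once IV_SPACE frames have
    been sent the counter wraps and every IV (hence every RC4 key stream) repeats."""
    if frames > IV_SPACE:
        return 1.0
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * IV_SPACE))


def frames_until_iv_collision(p_target: float) -> int:
    """Smallest frame count at which the reuse probability reaches p_target
    (closed-form inverse of the birthday approximation)."""
    return math.ceil(math.sqrt(2 * IV_SPACE * math.log(1 / (1 - p_target))))


def crc32_icv(data: bytes) -> int:
    """WEP's Integrity Check Value: an unkeyed CRC-32 over the plaintext."""
    return zlib.crc32(data) & 0xFFFFFFFF


def hmac_sha256_tag(data: bytes, key: bytes = b"constructed-demo-key") -> int:
    """Keyed tag for comparison. Key and 32-bit truncation are illustrative;
    the property being tested depends on the key, not on the hash chosen."""
    return int.from_bytes(hmac.new(key, data, hashlib.sha256).digest()[:4], "big")


def is_affine_checksum(check: Callable[[bytes], int], a: bytes, b: bytes) -> bool:
    """True when check(a XOR b) == check(a) XOR check(b) XOR check(00..00).

    A check value with this property changes predictably when message bits are
    flipped, so it can be kept consistent without any secret: it detects line
    noise, not tampering. A message authentication code must fail this test."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    xored = bytes(x ^ y for x, y in zip(a, b))
    zero = bytes(len(a))
    return check(xored) == check(a) ^ check(b) ^ check(zero)


if __name__ == "__main__":
    n = frames_until_iv_collision(0.5)
    print(f"50% chance of an IV repeat after {n} frames "
          f"(p = {iv_reuse_probability(n):.3f})")
    m1 = b"GET /index.html"      # constructed equal-length messages
    m2 = b"GET /secret.txt"
    print("CRC-32 ICV affine:   ", is_affine_checksum(crc32_icv, m1, m2))
    print("HMAC-SHA256 affine:  ", is_affine_checksum(hmac_sha256_tag, m1, m2))
```

On a busy access point a few thousand frames is seconds of traffic, which is why the slide calls the IV "too small"; the affine test is the reason "CRC-32 when MD5 or SHA-1 would be better" is really a call for a keyed construction, since any unkeyed function is computable by the party modifying the frame.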

Initialization Vector Replay Attacks

1. A known plain-text message is sent to an observable wireless LAN client (an e-mail message)
2. The network attacker will sniff the wireless LAN looking for the predicted cipher-text
3. The network attacker will find the known frame and derive the key stream
4. The network attacker can "grow" the key stream using the same IV/WEP key pair as the observed frame

• This attack is based on the knowledge that the IV and base WEP key can be reused or replayed repeatedly to generate a key stream large enough to subvert the network.

"Growing" a Key Stream Attack

• Once a key stream has been derived for a given frame size, it can be "grown" to any size required.

1. The network attacker can build a frame one byte larger than the known key stream size; an Internet Control Message Protocol (ICMP) echo frame is ideal because the access point solicits a response
2. The network attacker then augments the key stream by one byte
3. The additional byte is guessed because only 256 values are possible
4. When the network attacker guesses the correct value, the expected response is received: in this example, the ICMP echo reply message
5. The process is repeated until the desired key stream length is obtained

Corporate Security Policy

• Develop a wireless security policy to define what is and what is not allowed with wireless technology.

• Know the technologies and the users that use the network.

• Measure the basic field or illumination coverage of the wireless network.

• Physical Security

Corporate Security Policy

• Set base lines and perform audits/monitoring of the network.
• Harden APs, servers, and gateways.
• Determine level of security protocols and standards.
• Consider using switches, DMZ, RADIUS servers, and VPN.
• Update firmware and software.

To Secure the WLAN

• If possible, put the wireless network behind its own routed interface so you can shut it off if necessary.

• Pick a random SSID that gives nothing about your network away.

• Use WPA or have your broadcast keys rotate every ten minutes.

• Use 802.1X for key management and authentication
  – Look over the available EAP protocols and decide which is right for your environment.
  – Set the session to time out every ten minutes or less.
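The recommendations on this slide (an SSID that reveals nothing, WPA with 802.1X/EAP instead of static keys, broadcast keys rotating and sessions re-authenticating every ten minutes) expressed as one access-point configuration. This is an added example, not from the slides: the deck names no AP software, so hostapd is assumed, and the interface, SSID, RADIUS address and shared secret are placeholders rather than values from the page.

```ini
# Hardened hostapd.conf fragment (added example; hostapd assumed, values are placeholders)
interface=wlan0
driver=nl80211

# A random SSID gives away nothing about vendor, company, department or location
ssid=k7x2-9f3a-guest
hw_mode=g
channel=6
# Hiding the SSID buys nothing (probe responses still carry it) and breaks some clients
ignore_broadcast_ssid=0

# RSNA only: WPA2 (CCMP) with 802.1X/EAP key management, no pre-RSNA fallback
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
eapol_version=2

# RADIUS server that terminates EAP (TEST-NET addresses and secret are placeholders)
own_ip_addr=192.0.2.2
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-to-a-long-random-secret

# Rotate the broadcast (group) key and re-authenticate every ten minutes, as the slide advises
wpa_group_rekey=600
eap_reauth_period=600
```

The two 600-second settings are the configuration equivalent of "rotate every ten minutes" and "time out every ten minutes or less"; which EAP method is used is decided on the RADIUS server, which is where the slide's "look over the available EAP protocols" applies.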

Service Set Identifier Myth

• The SSID is a construct that allows logical separation of wireless LANs.

• A client must be configured with the appropriate SSID to gain access to the wireless LAN.

• The SSID does not provide any data-privacy functions, nor does it truly authenticate the client to the access point.

MAC Address Authentication

• MAC address authentication is not specified in the 802.11 standard
• Many vendors—including Cisco—support it.
• MAC address authentication verifies the client's MAC address against a locally configured list of allowed addresses or against an external authentication server
• MAC authentication is used to augment the open and shared key authentications provided by 802.11

MAC Address Authentication Vulnerabilities Myth

• MAC addresses are sent in the clear as required by the 802.11 specification.

• In wireless LANs that use MAC authentication, a network attacker might be able to subvert the MAC authentication process by "spoofing" a valid MAC address.

• MAC address spoofing is possible in 802.11 network interface cards (NICs) that allow the universally administered address (UAA) to be overwritten with a locally administered address (LAA).

• A network attacker can use a protocol analyzer to determine a valid MAC address in the basic service set (BSS) and an LAA-compliant NIC with which to spoof the valid MAC address.

Authentication Vulnerabilities with SSID

• The SSID is advertised in plain-text in the access point beacon messages. Although beacon messages are transparent to users, an eavesdropper can easily determine the SSID with a WLAN packet analyzer.
• Some access-point vendors offer the option to disable SSID broadcasts in the beacon messages.
• The SSID can still be determined by sniffing the probe response frames from an access point.
• Disabling SSID broadcasts might have adverse effects on Wi-Fi interoperability for mixed-client deployments.

Challenges of Securing Information

• Trends influencing increasing difficulty in information security:
  – Speed of attacks
  – Sophistication of attacks
  – Faster detection of weaknesses
    • Day zero attacks
  – Distributed attacks
    • The “many against one” approach
    • Impossible to stop attack by trying to identify and block source

Security Organizations

• Many security organizations exist to provide security information, assistance, and training
  – Computer Emergency Response Team Coordination Center (CERT/CC)
  – Forum of Incident Response and Security Teams (FIRST)
  – InfraGard
  – Information Systems Security Association (ISSA)
  – National Security Institute (NSI)
  – SysAdmin, Audit, Network, Security (SANS) Institute

Common Attack Methods

• Eavesdropping
• Hijacking
• Man-in-the-middle
• Denial of Service (DoS)
• Management interface exploits
• Encryption cracking
• Authentication cracking
• MAC spoofing
• Peer-to-peer
• Social engineering

Eavesdropping Issues

• Definition: The interception and reading of messages and information by unintended recipients

• WLAN sends data through the open air
• Attacker can easily capture frames
• Attacker may not be able to read frames
• Encryption of data reduces the ability to “read”
• When you access a network, be sure you have been given the right to do so
• Wardriving is eavesdropping
• Laws are being enforced against eavesdropping

Eavesdropping Utilities

Casual:
• MacStumbler
• KisMac
• NetStumbler
• KisMet
• Easy Wi-Fi Radar
• WiFi Hopper

Malicious:
• OmniPeek Personal (free)
• AiroPeek
• Network Instruments Observer
• AirMagnet Laptop Analyzer
• Javvin CAPSA
• Wireshark (free)
• Comm View for Wi-Fi PC
• Comm View for Wi-Fi PocketPC

Man-in-the-Middle Attack

• Makes it seem that two computers are communicating with each other
  – Actually sending and receiving data with a computer between them
  – Active or passive

SSID Filtering

• Disable SSID broadcast.
  By default, most wireless networking devices are set to broadcast the SSID, so anyone can easily join the wireless network.
• Change the default SSID.
  Wireless APs have a default SSID set by the factory. Linksys wireless products use Linksys. Change the network's SSID to something unique, and make sure it doesn't refer to the networking products, your company, department function, or location.

Hijacking and Man-in-the-middle

• Defined: An unauthorized user takes control of an authorized user’s WLAN connection
• Occurs at Layer 1, Layer 2 and Layer 3
• Hijacking Outline
  – Attacker starts own AP and captures traffic
  – Attacker configures his AP with victim SSID
  – Attacker sends deauthentication frame with high-power RF
  – Victim reassociates with higher-power attacker AP
  – Attacker runs DHCP giving address to victim
• Attacker can try to steal data from victim
• Attacker can use second NIC to connect to original AP
  – Traffic between victim and original AP is captured by attacker
  – Complete Man-in-the-middle attack with capture of Layer 1, Layer 2 and Layer 3
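The hijack outlined above begins with an attacker AP advertising the victim's SSID. From the network operator's side the observable is a beacon for one of our SSIDs coming from a BSSID we do not own, or from an owned BSSID on a channel we did not configure. The detector below is an added example, not from the slides or from any product; the AP inventory and the beacon observations are constructed (the 02: prefix marks them as locally administered, made-up addresses).

```python
from __future__ import annotations

# Constructed inventory of the access points we operate: SSID -> {BSSID: channel}.
AUTHORIZED_APS = {
    "ccri-lab": {
        "02:ca:fe:00:00:01": 6,
        "02:ca:fe:00:00:02": 11,
    },
}

# Constructed beacon observations from a monitoring station:
# (time_s, bssid, ssid, channel, rssi_dbm)
SAMPLE_BEACONS = [
    (0.00, "02:ca:fe:00:00:01", "ccri-lab", 6, -58),
    (0.10, "02:ca:fe:00:00:02", "ccri-lab", 11, -63),
    (0.20, "02:ba:d0:00:00:09", "ccri-lab", 6, -34),      # our SSID, unknown BSSID, strong
    (0.30, "02:ca:fe:00:00:01", "ccri-lab", 1, -57),      # our BSSID on the wrong channel
    (0.40, "02:00:00:00:12:34", "coffee-free", 1, -71),   # somebody else's network
]


def find_rogue_aps(beacons, inventory=AUTHORIZED_APS) -> list[dict]:
    """Return one alert per (BSSID, reason) for beacons that advertise one of our
    SSIDs from a BSSID we do not own, or from an owned BSSID on a channel other
    than the configured one. Networks that are not ours are ignored."""
    alerts = []
    seen = set()
    for t, bssid, ssid, channel, rssi in beacons:
        if ssid not in inventory:
            continue
        owned = inventory[ssid]
        if bssid not in owned:
            reason = "unknown BSSID advertising our SSID (possible evil twin)"
        elif owned[bssid] != channel:
            reason = f"authorised BSSID beaconing on channel {channel}, expected {owned[bssid]}"
        else:
            continue
        key = (bssid, reason)
        if key in seen:
            continue
        seen.add(key)
        alerts.append({"time": t, "bssid": bssid, "ssid": ssid,
                       "channel": channel, "rssi_dbm": rssi, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in find_rogue_aps(SAMPLE_BEACONS):
        print(f"[{a['time']:.2f}s] {a['bssid']} ({a['ssid']}, ch {a['channel']}, "
              f"{a['rssi_dbm']} dBm): {a['reason']}")
```

The RSSI is carried into the alert because the slide's "higher-power attacker AP" shows up as a rogue BSSID that is louder than the legitimate ones at the sensor; the channel check catches an attacker who clones the BSSID as well as the SSID but cannot occupy the same channel without interfering with the real AP.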

Windows Client Vulnerabilities and Solutions

• By default Windows sends out probe requests for “preferred networks”
• Wireless Network tab properties establishes which networks and in what order - scans for the SSIDs in the list
• If it cannot find a “preferred network” it will continue to scan
• A rogue AP has heard the SSID scan list and configures itself as one of the unsecured SSIDs
• Victim Windows client connects to rogue AP
• Solutions
  – Keep WLAN card powered off
  – Remove unsecured SSIDs from list after using
  – Disable Windows client and use a more secure third-party client (Cisco LEAP)

Denial of Service Attack (DoS)

• Definition: An attack that results in the inability of a user or system to access needed resources
• Layer 1 Attack - RF jamming
  – High level RF signal generator “drowns out” APs in area
• Unintentional DoS – interference from microwave, wireless phone
• Layer 2 Attack – Spoofs AP and generates management frames
  – Rogue AP spoofs AP MAC address
  – Rogue generates deauthentication or disassociation frame
  – Client STA disassociates
  – Rogue continues to send deauthentication or disassociation frames

Other DoS Attacks

• Empty Data Floods
  – Install two or three wireless adapters in laptop
  – Generate continuous maximum size frames
  – Position close to victim STA for stronger signal
  – Tie up RF spectrum, preventing connection to legitimate APs
• Other Attacks
  – Association Floods
  – Authentication Floods
  – Unauthorized AP left on
• Solution
  – Use spectrum analyzer to track down location of interference
  – Scan for SSIDs and zero in on signal
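The Layer 2 attack on the previous slide and the association/authentication floods above share one signature: a management-frame subtype arriving at a rate no legitimate BSS produces. This sliding-window counter is an added example of the detection side, not from the slides or from any product; the frame trace and the alert thresholds are constructed and should be tuned against a baseline of the real network.

```python
from __future__ import annotations

from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Frames per window at which we alert. Constructed starting points; a real
# deployment sets them from the observed normal rate of each BSS.
DEFAULT_THRESHOLDS = {"deauth": 8, "disassoc": 8, "auth": 40, "assoc_req": 40}


def detect_management_floods(frames, window_s=1.0, thresholds=None) -> list[dict]:
    """frames: iterable of (time_s, subtype, bssid, src, dst) for management frames.

    Keeps a sliding window of timestamps per (subtype, BSSID) and raises one
    alert per key the first time the count reaches the threshold. A deauth or
    disassoc aimed at the broadcast address is flagged as such, since one such
    frame disconnects every station on the BSS."""
    thresholds = thresholds or DEFAULT_THRESHOLDS
    recent: dict[tuple, deque] = defaultdict(deque)
    alerted: set[tuple] = set()
    alerts = []
    for t, subtype, bssid, src, dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in thresholds:
            continue
        key = (subtype, bssid)
        window = recent[key]
        window.append(t)
        while window and t - window[0] > window_s:
            window.popleft()
        if len(window) >= thresholds[subtype] and key not in alerted:
            alerted.add(key)
            alerts.append({"time": t, "subtype": subtype, "bssid": bssid,
                           "count": len(window), "window_s": window_s,
                           "broadcast": dst == BROADCAST,
                           "src_claims_ap": src == bssid})
    return alerts


def make_sample_trace() -> list[tuple]:
    """Constructed capture: a normal join, one legitimate disassociation, then a
    burst of broadcast deauthentications that claim to come from the AP (the
    spoofed-AP pattern on the slide), with benign background on a second BSS."""
    ap, ap2 = "02:ca:fe:00:00:01", "02:ca:fe:00:00:02"
    sta = "02:00:00:00:00:42"
    trace = [
        (0.0, "auth", ap, sta, ap),
        (0.1, "assoc_req", ap, sta, ap),
        (5.0, "disassoc", ap, ap, sta),
    ]
    trace += [(10.0 + i * 0.04, "deauth", ap, ap, BROADCAST) for i in range(12)]
    trace += [(10.0 + i * 0.2, "auth", ap2, f"02:00:00:00:01:{i:02x}", ap2)
              for i in range(5)]
    return trace


if __name__ == "__main__":
    for a in detect_management_floods(make_sample_trace()):
        print(f"[{a['time']:.2f}s] {a['count']} {a['subtype']} frames in "
              f"{a['window_s']}s on {a['bssid']} "
              f"(broadcast={a['broadcast']}, src claims AP={a['src_claims_ap']})")
```

Protected Management Frames (802.11w) let stations authenticate deauthentication and disassociation frames, which removes the spoofing that the Layer 2 attack depends on; until every client supports it, a rate monitor of this kind is the detection control, and the spectrum-analyzer step on the slide remains the way to locate the transmitter once an alert fires.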

Management Interface Exploits

• Web-based Interface exploit
  – Attacker captures traffic and determines IP network with scanning utility
  – Varies address and finds AP gateway address (example 192.168.1.1, 10.10.10.1 …)
  – Tries passwords if necessary
  – Changes AP configurations
  – Turns off all MAC access except attacker's – a form of DoS
• Solutions
  – Strong AP password
  – Disable web-interface
  – Secure telnet and SSH
  – Use strong WPA-PSK or WPA2-PSK

Encryption Cracking

• Weak Key Cracking
  – Attacker captures 100 MB of data
  – Processes capture with “cracking tool”
  – Obtains WEP key in seconds
  – Weak keys and initialization vectors are very vulnerable
• Solution
  – Use strong encryption
  – WPA2 and AES
  – IEEE 802.11i
  – EAP-Cisco LEAP
• More Information in Chapter-10

Open System Authentication Vulnerabilities

• Inherently weak
  – Based only on match of SSIDs
  – SSID beaconed from AP during passive scanning
    • Easy to discover
• Vulnerabilities:
  – Beaconing SSID is default mode in all APs
  – Not all APs allow beaconing to be turned off
    • Or manufacturer recommends against it
  – SSID initially transmitted in plaintext (unencrypted)
    • If an attacker cannot capture an initial negotiation process, can force one to occur
  – SSID can be retrieved from an authenticated device
  – Many users do not change default SSID
    • Several wireless tools freely available that allow users with no advanced knowledge of wireless networks to capture SSIDs

Peer-to-Peer Attacks

• Definition: A peer-to-peer attack occurs when one STA attacks another STA that is associated with the same AP
• Intention is generally data theft
• Installation of backdoors and other software
• Laptops are particularly vulnerable
• IBSS networks vulnerable (ad hoc)
• Hot spot networks can be a serious problem
• Solutions:
  – Public Secure Packet Forwarding (PSPF) applications
  – STA to STA communication disallowed
  – Microsoft file sharing disabled

Social Engineering

• Definition: Technique of persuading people to give you something that they should not give you
  – Organization Information
  – Data
  – Passwords and passphrases
  – Keys
• Targets
  – Help Desk
  – On-site contractors
  – Employees
• Solutions
  – Do not depend upon technology alone
  – Train personnel regularly

MAC Address Filtering and Spoofing

• Most access points offer some form of MAC filtering.
  – MAC Access Lists
  – Advanced MAC Filtering Lists
• WLAN administrator must configure a list or set of rules for clients that will be allowed or not allowed to join the network.

MAC Access Filtering

Proxim AP-600b

MAC Address Filtering

Diagram: two access points (AP-1 and AP-2) bridge wireless clients to a wired LAN carrying wired clients and a database server; the two addresses labelled in the figure are MAC Address 00022D9DE44E and MAC Address 001122C5AF3B.

MAC Address Filtering

Diagram: AP-1 (Proxim AP-600b) bridging one wireless client (MAC Address 00022D9DE44E) to the wired database server (MAC Address 001122C5AF3B).

Mask: F = Look, 0 = Ignore (logical ANDing)

• Wired MAC Adr. = 001122C5AF3B, Wired Mask = FFFFFFFFFFFF
• Wireless MAC Adr. = 00022D9DE44E, Wireless Mask = FFFFFFFFFFFF
• Filtering = Blocking
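The mask rule on this slide, "F = Look, 0 = Ignore", is a logical AND of both the address and the rule with the mask followed by a comparison. The code below is an added example of that matching, not the AP-600b's own firmware: it reproduces the slide's single blocking rule with the two addresses shown, and goes one step further by showing how an OUI-only mask (FFFFFF000000) turns one rule into a whole vendor range. The wireless/wired pairing and the Blocking/Passthru modes are modelled after the fields on the slide; treat the exact semantics of the real product as an assumption.

```python
from __future__ import annotations

ALL_OCTETS = "FFFFFFFFFFFF"   # look at every nibble
OUI_ONLY = "FFFFFF000000"     # look only at the 24-bit vendor prefix


def mac_to_int(mac: str) -> int:
    """Accept 00022D9DE44E, 00:02:2d:9d:e4:4e or 00-02-2D-9D-E4-4E."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def mac_matches(mac: str, rule_mac: str, mask: str) -> bool:
    """Slide semantics: AND both addresses with the mask, then compare.
    An F nibble in the mask means "look", a 0 nibble means "ignore"."""
    m = mac_to_int(mask)
    return (mac_to_int(mac) & m) == (mac_to_int(rule_mac) & m)


class AdvancedMacFilter:
    """Each rule pairs a wireless-side (mac, mask) with a wired-side (mac, mask).
    In Blocking mode a frame whose wireless and wired addresses both match a
    rule is dropped; in Passthru mode only matching frames are forwarded."""

    def __init__(self, mode: str = "Blocking") -> None:
        if mode not in ("Blocking", "Passthru"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.rules: list[tuple[str, str, str, str]] = []

    def add_rule(self, wireless_mac: str, wireless_mask: str,
                 wired_mac: str, wired_mask: str) -> None:
        self.rules.append((wireless_mac, wireless_mask, wired_mac, wired_mask))

    def _hit(self, wireless_mac: str, wired_mac: str) -> bool:
        return any(mac_matches(wireless_mac, wl_mac, wl_mask)
                   and mac_matches(wired_mac, wd_mac, wd_mask)
                   for wl_mac, wl_mask, wd_mac, wd_mask in self.rules)

    def forwards(self, wireless_mac: str, wired_mac: str) -> bool:
        """Decision for one frame between a wireless station and a wired host."""
        hit = self._hit(wireless_mac, wired_mac)
        return not hit if self.mode == "Blocking" else hit


def slide_example() -> AdvancedMacFilter:
    """The single rule on the slide: block wireless client 00022D9DE44E
    from reaching the wired database server 001122C5AF3B."""
    f = AdvancedMacFilter("Blocking")
    f.add_rule("00022D9DE44E", ALL_OCTETS, "001122C5AF3B", ALL_OCTETS)
    return f


if __name__ == "__main__":
    f = slide_example()
    for wl, wd in [("00022D9DE44E", "001122C5AF3B"),    # the blocked pair
                   ("00022D9DE44E", "001122C5AF3C"),    # same client, other wired host
                   ("00022D9DE44F", "001122C5AF3B")]:   # other client, the server
        print(f"{wl} -> {wd}: {'forward' if f.forwards(wl, wd) else 'block'}")
```

Whatever the mask, the decision is taken purely on the address fields in the frame header, which is the limitation the next slides describe: the filter has no way to know which radio actually put that address on the air.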

MAC Address Filtering

Diagram (same topology as the previous slide): AP-1 (Proxim AP-600b) with the wireless client MAC Address 00022D9DE44E and the database server MAC Address 001122C5AF3B.

Circumventing MAC Filters

• MAC addresses are sent in the clear in the frame header!
• User/attacker can change their MAC address via software and then spoof, or more accurately impersonate or masquerade under, the address.
• Evade/Hide Network Presence
• Bypass Access Control Lists
• Authenticated User Impersonation
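Because the address field itself cannot be trusted, detecting the impersonation described above has to rely on something the copying radio does not share with the genuine one. Each 802.11 transmitter keeps its own 12-bit sequence counter, so two radios using one address produce interleaved, unrelated counters. The detector below is an added example, not from the slides or from any product; the capture it runs on is constructed (it reuses the wireless client address from the filter diagram as the genuine station and makes up the rest).

```python
from __future__ import annotations

SEQ_MODULO = 4096   # the 802.11 Sequence Control field carries a 12-bit sequence number


def forward_gap(prev: int, cur: int) -> int:
    """Distance from prev to cur counting forwards modulo 4096 (0..4095).
    A normal next frame gives 1, a retransmission gives 0, and a jump
    backwards shows up as a gap close to 4096."""
    return (cur - prev) % SEQ_MODULO


def detect_sequence_anomalies(frames, max_forward_gap: int = 64) -> list[dict]:
    """frames: iterable of (time_s, src_mac, seq_num) in capture order.

    A NIC increments its sequence counter by one per frame, so consecutive
    frames from a single transmitter advance by small amounts. When a second
    NIC uses the same source address its counter is unrelated and the merged
    stream shows large jumps. Every such jump is reported; a MAC that keeps
    producing them is a spoofing candidate rather than a lossy link."""
    last_seq: dict[str, int] = {}
    anomalies = []
    for idx, (t, mac, seq) in enumerate(frames):
        if mac in last_seq:
            gap = forward_gap(last_seq[mac], seq)
            if gap > max_forward_gap:
                anomalies.append({"index": idx, "time": t, "mac": mac,
                                  "prev_seq": last_seq[mac], "seq": seq, "gap": gap})
        last_seq[mac] = seq
    return anomalies


def make_sample_trace() -> list[tuple]:
    """Constructed capture. The genuine client counts 100, 101, 102, ...;
    a second radio using the same address injects frames with its own counter
    around 2050; an unrelated station wraps its counter from 4095 to 0."""
    client = "00:02:2d:9d:e4:4e"      # wireless client address from the slide diagram
    other = "02:00:00:00:00:77"       # unrelated station, made up
    return [
        (0.00, client, 100), (0.01, other, 4094),
        (0.02, client, 101), (0.03, other, 4095),
        (0.04, client, 102), (0.05, other, 0),      # wrap 4095 -> 0 is a normal step of 1
        (0.06, client, 2050),                       # second radio, same address
        (0.07, client, 2051),
        (0.08, client, 103),                        # genuine client resumes
        (0.09, client, 103),                        # retransmission: gap 0, normal
    ]


if __name__ == "__main__":
    for a in detect_sequence_anomalies(make_sample_trace()):
        print(f"[{a['time']:.2f}s] {a['mac']}: seq {a['prev_seq']} -> {a['seq']} "
              f"(gap {a['gap']})")
```

The wraparound case is handled deliberately: 4095 followed by 0 is a forward step of one and must not be flagged, while 2051 followed by 103 is a backward jump and must. A high-loss link can produce moderate gaps, which is why the threshold is a parameter and why the output is a list of events to correlate rather than a verdict.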

MAC Spoofing

Other Security Techniques

• Wireless hacking Techniques website
  – http://www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm
