Wireless in-Security

DFWUUG SECURITY SIG
WIRELESS (IN)SECURITY

INTRODUCTION TO 802.11 TECHNOLOGIES

At present there are three wireless LAN technologies in common use: 802.11b, 802.11a, and 802.11g. 802.11b provides 11 Mb/sec of bandwidth and operates in the 2.4 GHz band. Its successor, 802.11g, is designed to be faster, operating at the same frequency at 54 Mb/sec, and is backwards compatible with 802.11b. 802.11a operates at a higher frequency, 5 GHz, and uses a different bandwidth management scheme from 802.11b and 802.11g, making it an incompatible technology. In addition to being incompatible with the established 802.11b networks, 802.11a uses a part of the radio frequency spectrum that is already allocated in Europe. These factors, coupled with decreased range compared to 802.11b and 802.11g, have all but killed 802.11a.

Wireless LAN devices consist of wireless cards that fit into computers, and access points. An access point (AP) is the wireless server that connects clients to the internal network. APs typically act as a bridge for the clients. The AP has an IP address for management configuration, and APs typically have a web interface and an SNMP agent for remote management.

The 802.11 client cards for PDAs, laptops, and desktops cost approximately $19US or less. Because the equipment needed to get into wireless is inexpensive, attackers can easily obtain the tools necessary to carry out an attack. For the same reason, employees within many companies can purchase wireless equipment without approval and deploy it in a rogue fashion, creating additional risk.

The same security issues apply to home networks, corporate networks, and telecommuters that are using wireless. As corporate networks allow in remote users, those remote users may be using wireless at their end-point to connect in.
In this case, even if wireless capabilities have not been installed on the corporate network, the company may still be affected by the risk that its remote employees are using wireless at home or on the road. Airports, hotels, coffee shops like Starbucks, and even McDonald's are deploying 802.11 networks so people can wirelessly browse the Internet with their laptops. As these types of networks increase, they will create additional security risk for the remote user if not properly protected.

WAR DRIVING ETC.

Taken from the movie "WarGames", dialing many phone numbers looking for computers to access was called "War-Dialing". The same idea has been applied to wireless. War-walking, war-driving, and war-flying refer to the modes of transportation used for going around and identifying access points. Most reports of war-walking, war-driving, and war-flying have resulted in identifying large numbers of wide-open, unsecured access points in most cities.

Dallas/Fort Worth Unix Users Group – Security SIG Page 1
Mar 2004

War-chalking is the act of marking an area or vicinity with a symbol to indicate that an AP is within range. WiFi war-chalking symbols are at http://www.warchalking.org.

802.11 RISKS

The main known security risks with 802.11 are:
• Denial of Service
• Insertion Attacks
• Interception and monitoring of wireless traffic
• Misconfiguration

DENIAL OF SERVICE

802.11b and 802.11g wireless LANs are allocated spectrum in the 2.4 GHz region. This part of the radio frequency spectrum is set aside as unlicensed spectrum, i.e., a license is not required to transmit at that frequency. Other electronic devices operating at the same frequency include cordless digital phones and microwave ovens. An attacker could perform a simple denial of service just by turning on a cordless digital phone in the area of a wireless LAN. Similarly, a microwave oven with a leaky door seal will spew enough energy to take down a wireless LAN.

A more insidious attack is the disassociate denial of service attack. An AP can send out a special command to all associated client stations forcing them to disassociate, thus dropping the network connection. The client stations have no recourse but to drop the association. To accomplish this, an attacker uses an AP that has had its output power boosted and can be programmatically controlled to send out the disassociate command.

INSERTION ATTACKS

Insertion attacks are based on placing unauthorized devices on the wireless network without going through a security process and review.

• Plugging in unauthorized clients

An attacker tries to connect their wireless client, typically a laptop or PDA, to an AP without authorization. APs can be configured to require a password before clients can access them. If there is no password, an intruder can connect to the internal network by connecting a client to the AP.

• Plugging in unauthorized rogue access points

Many companies may not be aware that internal employees have deployed wireless capabilities on their network.
An internal employee wanting to add their own wireless capabilities to the network plugs their own AP into the wired intranet. This is a risk if the AP has not been properly secured. It could lead to the previously described attack: unauthorized clients gaining access through the unauthorized AP, allowing intruders into the internal network. Companies typically need a policy against employees adding wireless APs to the corporate network without requesting permission and going through a security process. A sophisticated intruder may physically place an AP on the victim's network to allow them remote access via wireless technology.

INTERCEPTION AND MONITORING WIRELESS TRAFFIC

These interception and monitoring attacks are popular on broadcast wired networks like Ethernet. The same principles apply to wireless.

• Wireless Sniffer

An attacker can sniff and capture legitimate traffic. Many of the sniffer tools for Ethernet are based on capturing the first part of a connection session, where the data typically includes the username and password. An intruder can then masquerade as that user by using the captured information. An intruder who monitors the wireless network can apply this same attack principle to wireless.

One of the big differences between wireless and wired sniffer attacks is that a wired sniffer attack is achieved by remotely placing a sniffer program on a compromised server to monitor the local network segment; that attack can happen from anywhere in the world. Wireless sniffing typically requires the attacker to be within range of the wireless traffic. This is usually around a 300 foot range, but wireless equipment keeps strengthening the signal and pushing this range further out. Many people are building cheap antennas from various cans bought at the grocery store, including the Pringles can and beef stew cans. The waveguide cans appear to be significantly stronger.
Here is a good guide to building Pringles and waveguide antennas:
• 802.11b Homebrew Antenna Shootout
• http://www.turnpoint.net/wireless/has.html

• Hijacking the Session

If an attacker can sniff the wireless traffic, it is possible to inject false traffic into a connection. An attacker may be able to issue commands on behalf of a legitimate user by injecting traffic and hijacking the victim's session.

• Broadcast Monitoring

If an AP is connected to a hub rather than a switch, any network traffic across that hub can potentially be broadcast out over the wireless network. Because the Ethernet hub sends all data packets to all connected devices, including the wireless AP, an attacker can monitor sensitive data going over wireless that was never intended for any wireless client.
• Evil Twin

An attacker can trick legitimate wireless clients into connecting to the attacker's network by placing an unauthorized AP that mimics a legitimate AP, with a stronger signal, in close proximity to the wireless clients. This may cause unaware users to attempt to log into the attacker's servers. With false login prompts, the user can unknowingly give away sensitive data like passwords.

MISCONFIGURATION

By default, all APs out of the box from the factory are configured in the least secure mode possible. Adding the proper security configuration is left as an exercise for the administrator. Unless the administrator of the AP understands the security risks, most APs remain at a high risk level.

• The SSID

The SSID (Server Set ID) is a configurable identifier that allows clients to communicate with the appropriate AP. With proper configuration, only clients configured with the same SSID can communicate with APs having that SSID. From a security point of view, the SSID acts as a simple single shared password between APs and clients. Some default SSIDs:
• "tsunami" - Cisco
• "101" - 3Com
• "RoamAbout Default Network Name" - Lucent/Cabletron
• "Default SSID"
• "Compaq" - Compaq
• "WLAN" - Addtron, a popular AP
• "intel" - Intel
• "linksys" - Linksys
• "Wireless"

Most APs today are configured with an SSID that acts as a single key or password shared with all connecting wireless clients. An attacker can try to guess the AP's SSID with a brute force dictionary attack. Most companies and people configure passwords to be simple to remember and therefore easy to guess. Once the intruder guesses the SSID, they can gain access through the AP.
The SSID could also be obtained through one of the wireless clients becoming compromised, or through an employee who knows the key resigning; anyone with the SSID could still connect to the AP until the SSID is changed. If there are many wireless users and clients, this security solution becomes problematic to scale if the SSID needs to be changed frequently and all clients and APs must be reconfigured with the updated shared SSID each time.

Unfortunately, the SSID cannot be encrypted. WEP (Wired Equivalent Privacy), the encryption standard for 802.11, only encrypts the data packets, not the 802.11 management packets, and the SSID is carried in the beacon and probe management messages. The SSID is not encrypted even if WEP is turned on; it goes over the air in clear text. This makes obtaining the SSID easy by sniffing 802.11 wireless traffic. Many APs by default have SSID broadcasting turned on, and sniffers typically find the SSID in the broadcast beacon packets. Turning off the SSID broadcast in the beacon message (a common practice) does not prevent obtaining the SSID: since the SSID is sent in the clear in the probe message when a client associates to an AP, a sniffer just has to wait for a valid user to associate to the network to see the SSID.

• Wired Equivalent Privacy

WEP can typically be configured in 3 possible modes:
• No encryption mode
• 40 bit encryption
• 128 bit encryption

WEP, by default out of the box, is turned off. 64 bit encryption versus 128 bit encryption provides no added protection against the known flaw in WEP. Most public wireless LAN access points (i.e., airports, hotels, etc.) do not enable WEP. Based on statistical analysis in regions like New York, San Francisco, London, and Atlanta, most companies do not turn on WEP security on their APs. If the AP does not enable WEP, the wireless clients cannot use WEP encryption. In some APs, it is optional whether the encryption is enforced.
The WEP encryption may be turned on, but if it is not enforced, a client without encryption but with the proper SSID can still access that AP.

• Attacks against WEP

The 802.11a/b/g standard uses WEP (Wired Equivalent Privacy). It has some known weaknesses in how the encryption is implemented. Papers on WEP insecurities:
• Researchers at Berkeley have documented these findings at:
• http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
• Using the Fluhrer, Mantin, and Shamir Attack to Break WEP
• http://www.cs.rice.edu/~astubble/wep/wep_attack.html
Using WEP is better than not using it; it at least stops casual sniffers. Today, there are readily available tools for most attackers to crack WEP keys. AirSnort and other tools take a lot of packets (several million) to recover the WEP key; on most networks this takes longer than most people are willing to wait. If the network is very busy, the WEP key can be cracked and obtained within 15 minutes. A reasonable amount of data to crack the WEP key is 3GB; a collection run of 5GB will certainly yield the WEP key. Because of the WEP weakness, wireless sniffing and hijacking techniques can work despite WEP encryption being turned on.

The IEEE 802.11i standard allows network access to be authenticated and keys to be distributed. This allows access to APs to be authenticated and WEP keys to be distributed and updated. On the road to 802.11i, the Wi-Fi Alliance has created WPA (Wi-Fi Protected Access). It is forward compatible with 802.11i and was supposed to fix the problems of WEP and lead us down the garden path to robust wireless security. WPA has a dirty little secret: poorly chosen short human-readable passphrases can be cracked with a robust dictionary attack offline and without access to the network. Short, text-based WPA keys can be broken through no fault in the WPA protocol. This is not a flaw in WPA; it is a configuration problem, which is ultimately a people problem.

The NetGear Access Point uses the following 4 WEP sequences as default keys:
• 10 11 12 13 14
• 21 22 23 24 25
• 31 32 33 34 35
• 41 42 43 44 45
It is highly recommended not to use the default WEP keys.

Many wireless APs have SNMP (Simple Network Management Protocol) agents running. If the community word is not properly configured, an intruder can read and potentially write sensitive information and data on the AP. If SNMP agents are enabled on the wireless clients, the same risk applies to them as well.
By default, all APs with SNMP are read accessible using the community word "public". With most APs defaulting to the community word "public", potentially sensitive information can be obtained from the AP.

WAR DRIVING, WAR WALKING

As people go "War Driving", locating APs and recording the GPS coordinates of each AP location, these AP maps are being shared with any attacker on the Internet. If a company has its AP location and information shared on the Internet, its AP becomes a potential target and its risk increases. These sites usually include a visual map and a database query tool for locating various APs. Here are some popular places where War Driving AP maps are uploaded:
• http://www.netstumbler.com
• http://www.wigle.net
• http://www.wifimaps.com

802.11 SECURITY TOOLS

• AirSnort is a wireless LAN (WLAN) tool that recovers encryption keys. It operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. AirSnort will work for both 40 and 128 bit encryption.
  o http://freshmeat.net/projects/airsnort/
  o http://www.dachb0den.com/projects/bsd-airtools.html
• WEPCrack is a tool that cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling.
  o http://sourceforge.net/projects/wepcrack
• Network Stumbler scans for networks roughly every second and logs all the networks it runs into, including the real SSIDs, the AP's MAC address, the best signal-to-noise ratio encountered, and the time you crossed into the network's space. If you add a GPS receiver to the notebook, it logs the exact latitude and longitude of the AP. Network Stumbler does not use promiscuous mode; thus, simply turning off broadcast pings hides the access point from NetStumbler. The NetStumbler website now includes a PocketPC MiniStumbler.
  o http://www.netstumbler.com/
  o http://www.netstumbler.com/download.php?op=getit&lid=21 (PocketPC MiniStumbler)
• Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. It will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.
  o http://www.kismetwireless.net/

WHAT CAN YOU DO ABOUT WIRELESS SECURITY?

Actually, you can do a lot.

• Follow secure file-sharing practices. This means:
  o Share only what you need to share (think folders, not entire hard drives)
  o Password protect anything that is shared, with a strong password.
• Enable WEP encryption

802.11's WEP encryption has had a lot of deservedly bad press about its weaknesses. But a weak lock is better than no lock at all, so enable WEP encryption and use a non-obvious encryption key. Look for and use products that support 128bit WEP. Prices have come down on 802.11 equipment, so there's no need to buy something that doesn't support 128bit WEP.

• Use non-obvious WEP keys and periodically change them

While the limitations of some wireless client utilities don't help (hexadecimal-only support, single keys, forgetting keys, etc.), don't make it easy for potential snoops to get onto your LAN by using simple keys like 123456, all ones, etc. Changing the keys periodically is more difficult, because it requires sending out information about the new keys to users, and that can be a security problem in itself. But changing keys periodically can help keep your LAN secure, so consider putting a procedure in place to do it.

• Secure your wireless router / access point (AP)

Your router or access point should require a password to access its admin features. If it doesn't, get one that will! Also, change your password from the default and use a strong one!

• Disallow router / AP administration via wireless

Unfortunately, this feature is usually only present in "Enterprise-grade" APs. Administration over wireless is perhaps more dangerous than SNMP community strings named "public".

• Use MAC address based access and association control

Previously available only on "Enterprise-grade" products, many routers and access points are being upgraded to have the ability to control the clients that can use them. MAC addresses are tied to physical network adapters, so using this method requires a little coordination and maybe a little inconvenience for LAN users. And MAC addresses can be "spoofed" (imitated/copied), so it's not a guarantee of security. But it adds another hurdle for potential intruders to jump.
If you already have a product that doesn't include this feature, check your manufacturer's Web site for a firmware upgrade.

• Don't broadcast the SSID.

You wouldn't put a note card with the combination of a lock next to the lock. Similarly, don't broadcast the SSID to the world and make it easier to get in.

• Don't put APs next to exterior walls.

As you do your site survey for access point deployment, think about locating the access points toward the center of your building rather than near the windows. Plan your coverage to radiate out to the windows, but not beyond. If the access points are located near the windows, a stronger signal will be radiated outside your building, making it easier for people to find you.
• Add the extra security of RADIUS

Consider using an additional level of authentication, such as RADIUS, before you permit an association with your access points. While it's not part of the 802.11b standard, a number of companies are optionally including some provision for RADIUS authentication. Orinoco access points, for example, can enforce RADIUS authentication of MAC addresses against an external RADIUS server. Intermec access points include a built-in RADIUS server for up to 128 MAC addresses.

• If you can get away with it, don't use DHCP.

If you're deploying a wireless router, think about assigning static IP addresses for your wireless NICs and turn off DHCP. It's true that it's more of an administrative overhead to manage, but we found a number of wireless networks that passed out IP addresses to us once we associated with the AP. Although a wireless sniffer could easily pick out IP addresses, not passing them out adds another barrier. It makes it tougher for the casual "drive by" to use your network.

• While you're at it, change the subnet.

If you're using a wireless router and have decided to turn off DHCP, also consider changing the IP subnet. Many wireless routers default to the network and use as the default router.

• Avoid 64 bit WEP!

Don't buy access points or NICs that only support 64-bit WEP. Some low-end products only support 64-bit (40 bit key) WEP, and as you know by now, even 128-bit WEP is universally considered not very secure. Note that some NICs may only require a driver upgrade to attain 128-bit WEP capability.

• Avoid equipment that can't be upgraded.

Only purchase access points that have flashable firmware. There are a number of security enhancements being developed, and you want to be sure that you can upgrade your access point.

• Hunt down rogue access points.

Periodically survey your site using a tool like NetStumbler to see if any "rogue" access points pop up.
With the declining pricing of access points, it's not hard to imagine that a department might run out to Best Buy, buy a couple of NICs and an AP, and plug it into your corporate network. All of your hard work to "harden" your wireless network could be wasted if a rogue AP were plugged into your network behind your firewall.
• Determine where the broadcast perimeter of the wireless network ends.

Take a notebook equipped with NetStumbler and an external antenna outside your office building and survey what someone parked in your parking lot might "see". You'll be surprised how far the signal radiates. You might only associate at 1-2 Mbps, but it's still a security breach.

• Use a VPN

The most effective strategy would be to put your wireless access points into a DMZ, and have your wireless users tunnel into your network using a VPN (Virtual Private Network).

CONCLUSION

In closing, you can implement as much or as little security as you want on your wireless network. There is no one single thing you can do to make your wireless LAN secure. Fortunately, there are a lot of things that can be done to turn an essentially insecure medium into a more secure medium suitable for many uses beyond mere hobbyist tinkering.
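Tying together the SSID-in-the-clear discussion, the Evil Twin attack and the "hunt down rogue access points" advice above, here is an added example of a beacon / probe-response parser and rogue-AP classifier of the kind a site survey tool runs; it is not code from the DFWUUG document nor from NetStumbler or Kismet, and the authorized inventory, BSSIDs, SSIDs and frames it uses are constructed. It also covers the hidden-SSID case the document describes: a BSSID first seen with an empty SSID element is re-classified once a probe response reveals the real SSID.

```python
"""Added example, not from the DFWUUG document: parse 802.11 beacon and
probe-response frames and flag rogue or evil-twin APs against an inventory
of authorized BSSIDs. All frames, SSIDs and MACs here are constructed."""
import struct

AUTHORIZED = {"corp-wlan": {"00:11:22:33:44:55"}}  # constructed: SSID -> BSSIDs
# Factory-default SSIDs listed in the MISCONFIGURATION section above.
DEFAULT_SSIDS = {"tsunami", "101", "RoamAbout Default Network Name",
                 "Default SSID", "Compaq", "WLAN", "intel", "linksys", "Wireless"}
BEACON, PROBE_RESP = 8, 5   # management frame subtypes
HDR = 24                    # FC(2) + Duration(2) + 3 addresses + Seq(2)

def build_mgmt_frame(subtype, bssid, ssid, privacy):
    """Build a minimal beacon / probe response; privacy bit = WEP enabled."""
    fc = struct.pack("<H", subtype << 4)            # type 0 = management
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = fc + b"\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    body = b"\x00" * 8 + struct.pack("<H", 100)    # timestamp, interval
    body += struct.pack("<H", 0x0001 | (0x0010 if privacy else 0))  # capability
    body += bytes([0, len(ssid)]) + ssid.encode()  # SSID element (ID 0), clear
    return header + body

def parse_mgmt_frame(frame):
    """Return {subtype, bssid, ssid, privacy}, or None for non-beacon frames.
    ssid is None when the element is zero-length (a 'hidden' SSID)."""
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (BEACON, PROBE_RESP):
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    cap, = struct.unpack_from("<H", frame, HDR + 10)
    ssid, off = None, HDR + 12                      # first tagged element
    while off + 2 <= len(frame):                    # walk IEs; WEP never covers them
        eid, elen = frame[off], frame[off + 1]
        if eid == 0:
            ssid = frame[off + 2:off + 2 + elen].decode("utf-8", "replace") or None
            break
        off += 2 + elen
    return {"subtype": subtype, "bssid": bssid, "ssid": ssid,
            "privacy": bool(cap & 0x0010)}

def classify(info, authorized=AUTHORIZED):
    """Verdict for one parsed beacon / probe response."""
    ssid, bssid = info["ssid"], info["bssid"]
    if ssid is None:
        return "hidden"              # wait for a probe response to learn it
    if ssid in authorized:
        return "authorized" if bssid in authorized[ssid] else "evil-twin"
    if ssid in DEFAULT_SSIDS:
        return "rogue-default-ssid"  # factory SSID: almost certainly unmanaged
    return "rogue" if info["privacy"] else "rogue-open"

def survey(frames, authorized=AUTHORIZED):
    """Return {bssid: verdict}; a 'hidden' verdict is replaced once a probe
    response from the same BSSID reveals the SSID in the clear."""
    verdicts = {}
    for frame in frames:
        info = parse_mgmt_frame(frame)
        if info is None:
            continue
        verdict = classify(info, authorized)
        if info["bssid"] not in verdicts or verdict != "hidden":
            verdicts[info["bssid"]] = verdict
    return verdicts

if __name__ == "__main__":   # constructed capture: a hidden evil twin unmasked
    frames = [build_mgmt_frame(BEACON, "66:77:88:99:aa:bb", "", True),
              build_mgmt_frame(PROBE_RESP, "66:77:88:99:aa:bb", "corp-wlan", True)]
    print(survey(frames))   # {'66:77:88:99:aa:bb': 'evil-twin'}
```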