CSCD 439/539 Wireless Networks and Security Lecture 8 Wi-Fi Threats and Vulnerabilities Fall 2007
Wi-Fi Vulnerabilities, Attacks

Slide 2. Introduction
- Vulnerabilities
  - Inherent characteristics of wireless
  - Deliberate features designed into 802.11
  - Flawed design
    - WEP
    - MAC access list
  - Other design flaws
- Threats
  - Hackers
    - Classification
    - Motivation

Slide 3. Wi-Fi Vulnerabilities
- Ask, “Why are Wi-Fi networks vulnerable to attack?”
  - Answer seems obvious ...

Slide 4. Wi-Fi Vulnerabilities
- Answer
  - Because it's wireless ... it transmits data on radio waves
  - Waves propagate everywhere
  - Boost waves with powerful antennas to travel up to a mile or more
  - Anyone along the path can listen to the transmission

Slide 5. Wi-Fi Vulnerabilities
- Wi-Fi doesn't fit the traditional model of security
  - Firewall separates internal network from outer

Slide 6. Wi-Fi Vulnerabilities
- Wired networks
  - Trusted and Untrusted zones separated by firewall
    - Systems inside trusted
    - Systems outside untrusted
    - Untrusted can have enemies
    - Trusted all are your friends – in theory

Slide 7. Wi-Fi Vulnerabilities
- Wireless completely violates that model
  - Introduces vulnerabilities
  - People don't understand how to handle the new model of wired + wireless
  - No longer have a well-defined security perimeter

Slide 8. Wi-Fi Characteristics
- Shared, uncontrolled media
  - Lack of physical security, much harder to control
- Transient Networks
  - Mobile – wireless devices can move
  - Ad-hoc networks form and dissolve
  - How do we protect these networks?

Slide 9. Wi-Fi Characteristics
- User Indifference
  - True of both wired and wireless networks
  - Users don't care about security
  - Does your mother care about computer security?
- Easier to attack
  - Lack of defined perimeter – said that …
  - Wireless nature – easier than wired networks
  - Hackers are lazy, take the easiest path

Slide 10. Inherent Vulnerabilities
- WLANs break assumptions of the inside/outside paradigm
  - Can't be confined
  - Radio signal cuts through walls and windows
  - Can't change the physical reality of wireless
    - Must acknowledge this and counteract the threats
    - Must worry about the following

Slide 11. Inherent Vulnerabilities
- Rogue access points
  - Unauthorized AP installed and connected to Enterprise network
    - On purpose – employee – not malicious
    - On purpose – outsider – malicious intent
  - Many uses for this useful device if malicious
  - Cause users to associate to it
    - Man-in-the-middle attack, session stealing
    - Get possibly sensitive information .. more later
Slide 12. WEP Encryption
- Wired Equivalent Privacy
  - Uses encryption to try to keep data private
  - Has multiple problems that make it more of a liability than a security solution
  - Still coming up with new attacks against WEP!
- What was WEP designed for?

Slide 13. WEP Encryption
- Designed to …
  - Keep outsiders from connecting to a network or monitoring traffic on that network
  - Nothing more

Slide 14. WEP Encryption
- WEP and wrong assumptions
  - Was not designed to be end-to-end encryption
  - Does not distribute and manage encryption keys
    - Key distribution – manual, outside the 802.11 spec
    - WPA and WPA2 fix this
  - Was not designed for complete data privacy
    - See next slide

Slide 15. WEP Encryption
- Question:
  - Does WEP hide traffic from users on the same network sharing the same WEP key?
    - No.
    - Users can eavesdrop on each other
    - So, how can you be sure users are all legitimate?

Slide 16. WEP Encryption
- WEP has no authentication except by encryption keys
  - Assume user with valid key is legitimate
  - Doesn't check any sort of user ID, password or hardware MAC address
  - 802.11i task group
    - Defines how this will be done
    - Now, not done through WEP

Slide 17. MAC Address Filtering
- Another security mechanism
  - Doesn't work very well
  - Wi-Fi APs have the ability to specify a list of computers permitted to associate with the AP
  - Any computer not on the list is turned away by the access point
  - Not able to join your network
    - Even if it has the WEP or WPA key

Slide 18. MAC Address Filtering
- Assumption
  - Every network device has a unique MAC address
  - What's wrong with this assumption?
    - MAC addresses can be spoofed!!
    - Machine associates with AP
    - Sends MAC address in the clear
    - Any hacker + sniffer program can listen for that transmission, get the MAC address
    - Spoof it

Slide 19. MAC Address Filtering
- Pretend to be a legitimate user
  - AP can't tell the difference between a good user and a false user
- The fact that software can impersonate a MAC address negates MAC address filtering completely

Slide 20. Other Design Flaws
- MGMT, CTRL frames not encrypted
  - Can be spoofed w/o knowledge of the WEP key
- No authentication of AP to station
  - Can't prove an AP is legitimate
- Limited # of stations can use a single AP
  - We can overflow an AP to prevent wireless access

Slide 21. Other Design Flaws
- Some believe that by using a complicated SSID an unauthorized user will have difficulty in gaining access to their AP
  - SSIDs are passed in the clear, even when WEP is enabled
  - It is trivial to download free software designed to intercept SSIDs from a wireless communication session

Slide 22. SSID Names (note default SSIDs)

Slide 23. Threats
Slide 24. Threats and Those Responsible
- Hackers, all levels
  - What motivates them and, more importantly … what threat do they pose to your Wi-Fi network

Slide 25. Attackers
- Who are your typical attackers and what drives them to break into your network?
  - What are their motives?
  - What methods do they use?
  - What damage can they cause?
  - Are you at risk?

Slide 26. Attacker Groups
- Who are they?
- Lots of groups out there that can threaten your systems
- Not easy to classify them
  - Typical way to group them is by skill level or potential for damage
  - Can rank them from lowest to highest in skill, but that doesn't always correlate with damage potential
  - A good example is the virus/worm writers
    - Do a lot of damage but not necessarily the most skilled

Slide 27. Hacker Groups
- Can loosely classify them by skill level and motive
  - Elite Hackers – White Hat
  - Elite Hackers – Black Hat
  - Virus/Worm Writers and Spammers
  - Hacktivism Groups
  - Script Kiddies

Slide 28. Elite Hackers White Hat
- Hackers in this group are skilled
- Often belong to a hacker group
  - L0pht, Masters of Deception
- Feel they have a mission to improve the security of the computer world
- Avoid damage to networks and systems
- Inform and educate system administrators about fixes to their security

Slide 29. Elite Hackers White Hat
- Elite Hackers – White Hat
  - Subscribe to a “Hacker Code of Ethics”
  - It said ...
    - Ethical duty of the hacker to remove barriers, liberate information, decentralize power, honor people based on their ability, create things that are good and life-enhancing through computers.

Slide 30. Elite Hackers White Hat
- New Code of Ethics includes:
  - Leave no traces – keep a low profile, if accused, deny it, if caught, plead the 5th.
  - Share information
  - Don't hoard or hide information
  - Information increases in value when shared

Slide 31. Elite Hackers Black Hat
- Skilled but do damage
- Break in and leave evidence of their presence
  - Need to re-install software
  - Don't worry about loss of private information
  - Don't buy into a Code of Ethics
- Sell their services to the highest bidder
- In business for themselves

Slide 32. Elite Hackers
- Psychological Profile of Elite Hackers
  - Most elite hackers are called deviants
  - Different values and beliefs than society
  - White hats believe they are performing a service for society by exposing poor security practices
  - Sometimes have a tenuous grasp on reality because they live mostly in the cyber world
  - Examples: Rob Morris, Kevin Mitnick

Slide 33. Examples Elite Hackers
- Eric Corley (also known as Emmanuel Goldstein)
  - Long-standing publisher of 2600: The Hacker Quarterly and founder of the H.O.P.E. conferences.
  - Been part of the hacker community since the late '70s.
- Kevin Mitnick
  - A former computer criminal who now speaks, consults, and authors books about social engineering and network security.
- Robert Morris
  - Now a professor at MIT
  - The son of the chief scientist at the National Computer Security Center — part of the National Security Agency (NSA)
  - As a Cornell University graduate student, he accidentally unleashed an Internet worm in 1988
  - Thousands of computers were infected and subsequently crashed.

Slide 34. Script Kiddies
- Skilled hackers put their scripts on-line
  - They appear to want others to use and benefit from their experience
    - Goes along with the ethic of “sharing information”
    - Allows people with limited technical knowledge to do lots of damage, since there are lots of them

Slide 35. Script Kiddies
- Script kiddie is a wannabe hacker
  - Scans the Internet for compromised systems using freely available tools
  - At the bottom of the pile in the hacking world
  - Can still do an incredible amount of damage
  - Especially to unprotected wireless networks

Slide 36. Motivation
- Ego gratification
  - Both Elite hackers and script kiddies
- Profit
  - Earn lots of money hacking these days
    - Spamming, selling credit cards on the black market, botnets
  - Corporate espionage or nation-state level of hacking
- Political Agenda
  - Hacktivism is growing as an attention getter

Slide 37. Motivation
- Revenge
  - Grudge against a company
  - Set off a time bomb – electronically
  - Steal secrets and sell them to a competitor
- For fun
  - Just want to see if they can do it

Slide 38. BEFORE / AFTER (your results may vary)

Slide 39. What hackers do to you
- Basically 4 things with lots of variations
- 1. Connect to computer – you are unaware
  - Vandalize machine
  - Steal data, use your bandwidth
- 2. Don't connect to your computer
  - Sniff traffic
    - Obtain passwords, credit card data, other useful information

Slide 40. What hackers do to you
- 3. Hijack machine
  - Put a Trojan Horse on it
  - A Trojan is a program that seems to do what it's supposed to but has a hidden task as well
  - Typically a backdoor but can have other purposes
- 4. Denial of Service (DoS)
  - Prevent you from using the machine
Slide 41. Phases of Attacks
- In general, many attacks are not spontaneous
- Attackers go through phases to compromise a system
- Phases of attacks
  - Reconnaissance
  - Scanning
  - Gaining access with Attacks

Slide 42. Three Phases in an Attack
- 1. Reconnaissance
  - Scope out the place, gain initial information on victims, and network discovery
- 2. Scanning
  - Build a detailed map of the network, its services and vulnerabilities
  - Open ports
- 3. Attack
  - The actual offensive action; the method depends on the goal of the attack

Slide 43. Reconnaissance
- Purpose for Wireless
  - Scope out networks and potential victims
  - Find wireless networks, see if security is enabled, and how strong it is
  - Discover as much information about them as possible
  - Many ways to do this ….

Slide 44. Reconnaissance
- Information discovery
  - Tools
    - Netstumbler, Kismet, Wellenreiter, Wififofum, Cain
    - People
  - Techniques
    - Rogue APs
    - Open/misconfigured APs
    - Ad Hoc Stations
    - Ask for information

Slide 45. Reconnaissance
- Social Engineering
  - A surprising number of employees give away sensitive information
  - Most successful are calls to employees
    - Call the help desk as a “new” employee for help with a particular task
    - Angry manager calls a lower-level employee because his password has suddenly stopped working
    - System administrator calls an employee to fix her account on the system, which requires using her password

Slide 46. Reconnaissance
- Defense against Social Engineering
  - User awareness
    - Must be trained to not give out sensitive information
    - Security awareness program should inform employees about social engineering attacks
    - No reason why a system administrator ever needs you to give him/her your password
    - Help desk should have a way to verify the identity of any user requesting help
  - Hackers at Defcon wear shirts …
    - “No defense against stupidity …”

Slide 47. Reconnaissance
- Specific to Wireless Networks
  - Physical Reconnaissance
    - In addition to techniques for wired networks, wireless networks involve a physical aspect
  - Can see antennas and wireless APs
  - Antennas: walls, ceilings, hallways, roofs
  - Access Points: ceilings, walls, support beams, shelves
  - Devices – Printers/PDAs: reception area, offices, desks

Slide 48. Reconnaissance
- Techniques
  - Attackers use lots of different tools and techniques for gathering information
  - War driving for WLANs, war dialing for modems
  - Note:
    - Defenders need to defend all paths into the network
    - Attackers need to find just one open path
    - Attackers have all the time in the world

Slide 49. War Driving
- War Driving
  - Invented by Peter Shipley in 2001 when he drove around Silicon Valley and found hundreds of access points
  - Mapped them out to show how vulnerable WLANs are to snooping

Slide 50. San Francisco Wi-Fi's
Slide 51. War Driving
- Active Scanning
  - Broadcast 802.11 probe packets with an SSID of “any” to check for access points in range
    - Like going outside and shouting, “Who's there?”
  - Netstumbler is a free tool for doing active scanning
    - www.netstumbler.com
    - Most popular tool for actively scanning WLANs
    - Runs under Windows
    - Supports ORiNOCO, Dell TrueMobile 1150, Toshiba 802.11b wireless card, Compaq WL110 plus several others

Slide 52. War Driving
- What does Netstumbler do?
  - Gathers MAC address, SSID, wireless channel and relative signal strength of each access point
  - Also whether security (WEP) is turned on
  - Coordinates with a GPS system
    - Example: New York City
    - Netstumbler
    - ORiNOCO antenna, laptop, taxi cab in NY City
    - One hour found 455 access points

Slide 53. From www.wigle.net: The island of Manhattan, one of the densest points of observed networks in the WiGLE world.

Slide 54. Wigle.net Wireless DB
- Wireless Geographic Logging Engine: Making maps of wireless networks since 2001
- Database 6 years old
  - 12,389,316 points from 765,231,060 unique observations
- Many known open or weak Access Points
  - Fully available on the web
- Search by SSID, MAC address, longitude/latitude, physical address

Slide 55. War Driving
- Netstumbler
  - After installation, important to turn off TCP/IP in Windows
  - If not, then, when you wardrive and get within range of a network, your computer will try to connect to the network
  - The netstumbler site has interesting features
    - www.netstumbler.com
  - Database of all access points reported by other war drivers: maps.netsumbler.com
  - You must register, and then you can query the DB for your NIC's MAC address
  - You can upload your capture log to their DB
  - Also, this link has several maps you can browse
  - http://wiki.personaltelco.net/index.cgi/WarDriving

Slide 56. Netstumbler Window: Default SSIDs

Slide 57. War Driving
- Defense Against Active Scanning
  - Configure access points to ignore probes with “any”
  - Can configure access points to suppress the beacon SSID so it disables broadcast SSID
- Passive Scanning
  - Stealthier way of discovering WLANs
  - Puts the wireless card into rfmon mode – monitor mode
  - Sniffs all wireless traffic from the air

Slide 58. War Driving
- Passive Scanning
  - Kismet – by Mike Kershaw
    - More for detailed packet capture and analysis
    - www.kismetwireless.net
  - Wellenreiter – by Max Moser
    - Optimized for war-driving
    - www.remoteexploit.org
    - Runs on Linux and supports prism2, lucent, and cisco wireless card types

Slide 59. War Driving
- Wellenreiter Tool
  - Listens for ARP or DHCP traffic to determine the MAC and IP addresses of each wireless device
  - Passive mode
    - Doesn't send probe packets
  - Every 100 ms access points send beacons to synchronize timing and frequency information

Slide 60. War Driving
- Drawback of Wellenreiter
  - If the access point is configured to omit its SSID from its beacons and no other users are sending traffic to the access point, it won't be able to determine the SSID
  - Will know it's there, not its name
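Slides 11, 22, 52, 59 and 60 together describe what a passive scanner learns from an AP's beacons (BSSID, SSID, channel, whether the privacy bit is set, the roughly 100 ms beacon interval) and that omitting the SSID only hides the name, not the AP. The Python below is an added example, not course material or any tool's code: it parses minimal 802.11 beacon frames and runs the checks a defender would run over a monitor-mode capture, flagging BSSIDs missing from the AP inventory (rogue AP candidates), hidden or factory-default SSIDs, and open networks. The sample frames, the inventory and the default-SSID list are constructed for the example.

```python
import struct
from typing import Dict, List, Optional

# 802.11 management frame (type 0), subtype 8 = beacon: first frame-control byte is 0x80
BEACON_FC = b"\x80\x00"
BROADCAST = b"\xff" * 6
PRIVACY_BIT = 0x0010       # capability-info bit an AP sets when WEP (or WPA) is enabled
TU_MS = 1.024              # one 802.11 time unit is 1024 microseconds; 100 TU ~ 100 ms
# Small sample list of factory-default SSIDs (constructed for this example)
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "tsunami"}


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_beacon(bssid: str, ssid: str, channel: int, privacy: bool,
                 interval_tu: int = 100) -> bytes:
    """Construct a minimal beacon frame (sample data for the example, not a capture)."""
    # MAC header: frame control, duration, DA (broadcast), SA, BSSID, sequence control
    header = (BEACON_FC + b"\x00\x00" + BROADCAST + mac_to_bytes(bssid)
              + mac_to_bytes(bssid) + b"\x00\x00")
    capability = PRIVACY_BIT if privacy else 0
    # Fixed fields: 8-byte timestamp, beacon interval in TUs, capability info
    fixed = struct.pack("<QHH", 0, interval_tu, capability)
    name = ssid.encode("ascii")
    # Tagged parameters: SSID (tag 0) and DS Parameter Set (tag 3, the channel)
    ies = bytes([0, len(name)]) + name + bytes([3, 1, channel])
    return header + fixed + ies


def parse_beacon(frame: bytes) -> dict:
    """Extract what a passive scanner sees: BSSID, SSID (None if hidden), channel,
    beacon interval in ms, and whether the privacy (WEP/WPA) bit is set."""
    if len(frame) < 36 or frame[0] != 0x80:
        raise ValueError("not an 802.11 beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    _timestamp, interval_tu, capability = struct.unpack_from("<QHH", frame, 24)
    ssid: Optional[str] = None
    channel: Optional[int] = None
    pos = 36
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + length]
        if tag == 0:
            # A zero-length or all-NUL SSID is how an AP "hides" its network name;
            # the beacon itself, and therefore the AP, is still visible on the air
            hidden = length == 0 or data == b"\x00" * length
            ssid = None if hidden else data.decode("ascii", "replace")
        elif tag == 3 and length == 1:
            channel = data[0]
        pos += 2 + length
    return {"bssid": bssid, "ssid": ssid, "channel": channel,
            "interval_ms": round(interval_tu * TU_MS, 1),
            "privacy": bool(capability & PRIVACY_BIT)}


def audit_beacons(frames: List[bytes], inventory: Dict[str, str]) -> List[str]:
    """Defender-side checks over captured beacons. `inventory` maps each authorized
    BSSID to its expected SSID; any other BSSID is a rogue AP candidate."""
    findings = []
    for frame in frames:
        b = parse_beacon(frame)
        where = f"{b['bssid']} ch{b['channel']}"
        if b["bssid"] not in inventory:
            findings.append(f"{where}: not in AP inventory, possible rogue AP (ssid={b['ssid']!r})")
        elif b["ssid"] is not None and b["ssid"] != inventory[b["bssid"]]:
            findings.append(f"{where}: SSID {b['ssid']!r} differs from inventory {inventory[b['bssid']]!r}")
        if b["ssid"] is None:
            findings.append(f"{where}: hidden SSID (AP still visible to passive scanners)")
        elif b["ssid"].lower() in DEFAULT_SSIDS:
            findings.append(f"{where}: factory-default SSID {b['ssid']!r}, likely unconfigured AP")
        if not b["privacy"]:
            findings.append(f"{where}: privacy bit clear, open network (no WEP/WPA)")
    return findings


# Constructed sample: two inventoried APs (one with a hidden SSID) and one unknown open AP
SAMPLE_FRAMES = [
    build_beacon("00:11:22:33:44:55", "corp-wlan", 6, privacy=True),
    build_beacon("00:11:22:33:44:66", "", 11, privacy=True),
    build_beacon("00:0c:41:aa:bb:cc", "linksys", 6, privacy=False),
]
INVENTORY = {"00:11:22:33:44:55": "corp-wlan", "00:11:22:33:44:66": "corp-guest"}

if __name__ == "__main__":
    for line in audit_beacons(SAMPLE_FRAMES, INVENTORY):
        print(line)
```

On a real capture the frames would come from a monitor-mode interface; the privacy bit alone does not distinguish WEP from WPA, which needs the WPA/RSN information elements the parser skips.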
Slide 61. Summary
- Wi-Fi networks, 802.11 Standard
  - Many built-in vulnerabilities
  - Problems from people-related vulnerabilities too
- Lots of Attackers out there …
  - Incentive for them: glory, money, fun ..
- Phases of attack
  - Reconnaissance, Scanning, Attack
- War driving – Reconnaissance
  - Highly successful

Slide 62. Finish
- Next time: More on Attacks and Tools
- Read articles on Course Notes page
