Wireless Security, Wardriving, and Detecting Rogue Access Points Using Kismet Wireless Scanner
By: Lance Howell
Wardriving & Kismet Introduction
Presenter notes:
  • WPA: provides partial compliance with the 802.11 Wi-Fi standard; meant to be an intermediary between WEP and the new version, WPA2.
  • WPA2: the full 802.11 Wi-Fi standard is implemented.
  • Static definition of MAC address tables: given the resources it takes to manage that system, you have to decide if it is worth taking that approach.
  • Wardriving is deemed legal by the FBI as long as you do not do anything to crack or break into the network. Since wireless signals travel over the air, the companies have no expected right to privacy.
  • External authentication: prevents an unauthorized user from accessing the wireless network and the resources it connects with.
  • Secure connection for host services: it is possible to require valid client certificates to access those resources; even if attackers got into your network, they would be stopped at the critical systems.

1. Wireless Security, Wardriving, and Detecting Rogue Access Points Using Kismet Wireless Scanner
  • By: Lance Howell

2. Wireless Security
  • WEP (Wired Equivalent Privacy)
  • WPA (Wi-Fi Protected Access)
  • WPA2 (Wi-Fi Protected Access version 2)

3. Weaknesses in WEP
  • Older equipment and devices
  • Supports no keys or a shared-key management system
  • You have to change your keys manually
  • The Initialization Vector (IV) is too short and is sent in clear text
  • IVs are static
  • No cryptographic integrity protection is implemented

4. Weakness in WPA
  • Using short pre-shared keys (PSK)
  • Dictionary attacks

5. Reconnaissance
  • First popular software: NetStumbler (Windows, Mac; no Linux-based version)
  • Kismet: popular with professionals; Linux version; Windows port called Kiswin v0.1, last updated 2005

6. Reconnaissance continued
  • Use the software to listen to traffic
  • Access points (APs) broadcast: SSID, encryption status, whether the SSID is being broadcast or not, AP information
  • GPS information, map locations

7. Sniffing
  • Passive and undetectable by intrusion detection systems (IDS)
  • Attackers can identify additional resources that can be compromised, and the authentication types in use
  • Use of Virtual Private Networks (VPN), Secure Sockets Layer (SSL), and Secure Shell (SSH) helps protect against wireless interception

8. Spoofing and Unauthorized Access
  • Due to the design of TCP/IP, there is little that can be done to prevent Media Access Control/IP (MAC/IP) address spoofing
  • This attack can be prevented by static definition of MAC address tables
  • Staff must be diligent about logging and about monitoring those logs so that spoofing attacks can be identified

9. Kismet and Wardriving
  • Information gathering, analysis and research

10. Introductions
  • Console-based wireless analysis tool
  • Passive; captures traffic from wireless cards in monitor mode
  • Observes activity from all networks within range
  • Wardriving tool of choice
  • Wardriving is legal
  • Included in BackTrack 4, ready to run and use

11. Versions
  • Stable, Developmental, Newcore
  • Purpose: recon, enumeration

12. Objectives of Kismet
  • Locate and identify AP(s): BSSID, ESSID, channel and encryption; GPS data; and more…
  • Locate and identify client(s): MAC address, manufacturer
  • Spectrum analysis
  • Drones / open-source WIPS

13. Data Obtained
  • Text (txt)
  • Comma-delimited file (CSV)
  • XML
  • GPS
  • Pcap
  • NetXML

14. Log Files

15. Netxml Logging File
  • Can be imported into Excel for post-processing analysis
  • Rename to ".xml" and select "read-only workbook" when opening
  • Requires Internet access to download the Kismet DTD file
  • Allows you to graph results and add details for additional analysis

16. Reporting on AP Uptime
  • "=U267/(1000000*(60*60*24))"
17. Startup
  • Kismet will prompt to start the Kismet server at startup
  • Once the Kismet server has started, you will be prompted for the first packet source

18. Kismet Sources
  • Specify the available wireless interface as a packet source: "wlan0", "wlan1", etc.
  • Kismet will identify the needed information and place the interface in passive capture mode
  • Add as many sources as you want from Kismet > Add Source
  • Can also specify libpcap wireless packet capture files as sources

19. Kismet Newcore Screenshot (image)

20. Plugins
  • Plugin architecture to extend functionality
  • Distributed with Kismet: Aircrack-PTW, Spectools
  • Third-party: DECT wireless sniffing
  • Kismet Plugins menu: status of plugins and version information; enable or disable UI plugins; see the list of Kismet server plugins

21. Extending Kismet
  • Device manufacturer name: Kismet relies on Wireshark's "manuf" file to identify manufacturers
  • The file can be regenerated with the make-manuf script (not distributed with BT4):
      # wget http://anonsvn.wireshark.org/wireshark/trunk/wka.tmpl
      # wget http://anonsvn.wireshark.org/wireshark/trunk/manuf.tmpl
      # wget http://anonsvn.wireshark.org/wireshark/trunk/make-manuf
      # perl make-manuf
      # mv manuf /usr/share/wireshark
22. Graphical Representation
  • Gpsmap (old)
  • Pykismet
  • Kismet-earth
  • Kisgearth

23. GISKismet
  • Building visual representations of Kismet data
  • Correlate information in a database
  • Graphically represent information
  • Filter out non-useful information

24. GISKismet Filters
  • Input filters: AP configuration data
  • Query filters on any information: AP configuration, client information, GPS coordinate(s)
  • Filter input example: insert all AP(s) on channel 6 named Linksys
  • Filter output example: output all AP(s) without encryption

25. Tips on Protecting the Network
  • Use an external authentication source: RADIUS, SecurID
  • Protect against MAC spoofing: use a secure connection (SSH, SSL) for all host services accessed from the network
  • Use a dynamic firewall

26. System Administrators
  • Complaint: poor performance on the wireless network
  • Things to observe: which AP are the clients connecting to? Are all APs properly configured? Lots of retries indicates poor connections or noise; lots of missed beacons indicates noise or faulty APs; which channels are being utilized?

27. Retries are normal in small numbers; a sustained rate of more than 10% is a problem
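A retry-rate check built on the rule in slide 27, added here as an example and not part of the presentation: it reads the Retry bit from the 802.11 Frame Control field of each captured frame, buckets frames into one-second intervals and flags a run of intervals above 10%. The frames and timestamps are constructed, and treating "sustained" as three consecutive intervals is an assumption.

```python
import struct

RETRY_FLAG = 0x08  # Retry bit in the flags byte (second byte) of the 802.11 Frame Control field

def is_retry(frame):
    # Frame Control is the first two bytes of every 802.11 header, little-endian.
    fc, = struct.unpack_from("<H", frame, 0)
    return bool((fc >> 8) & RETRY_FLAG)

def retry_rate_per_interval(frames, interval=1.0):
    """frames: iterable of (timestamp_seconds, raw_802_11_bytes).
    Returns [(interval_start, frame_count, retry_percent), ...] in time order."""
    buckets = {}
    for ts, raw in frames:
        key = int(ts // interval) * interval
        total, retries = buckets.get(key, (0, 0))
        buckets[key] = (total + 1, retries + is_retry(raw))
    return [(k, t, 100.0 * r / t) for k, (t, r) in sorted(buckets.items())]

def sustained_retry_problem(rates, threshold=10.0, min_intervals=3):
    """The slide's rule: a few retries are normal, a retry rate that stays above 10%
    is a problem. 'Sustained' is taken here (an assumption) as min_intervals in a row."""
    run = 0
    for _, _, pct in rates:
        run = run + 1 if pct > threshold else 0
        if run >= min_intervals:
            return True
    return False

def make_frame(retry):
    # Constructed minimal data-frame header: type/subtype byte 0x08 (data), then flags.
    return bytes([0x08, RETRY_FLAG if retry else 0x00]) + b"\x00" * 22

# Constructed capture: second 0 is clean; seconds 1-3 each carry 2 retries in 10 frames (20%).
SAMPLE_FRAMES = [(i * 0.1, make_frame(False)) for i in range(10)]
for sec in (1, 2, 3):
    SAMPLE_FRAMES += [(sec + i * 0.1, make_frame(i < 2)) for i in range(10)]
```

On a real capture the (timestamp, bytes) pairs would come from the pcap Kismet writes, with any radiotap header stripped before the 802.11 header is read.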
28. Signal and Noise / Channel (screen layout)
  • Packet rate (real time)
  • Data frames (cumulative)
  • Network count (yellow is historic, green is currently active)
  • Detail view (scroll with the arrow keys)

29. Auditors
  • Are the networks configured per specification?
  • SSID cloaking enabled/disabled?
  • Appropriate encryption and authentication settings?
  • Are there unencrypted networks (where there shouldn't be)?
  • Kismet walkthrough while channel hopping, then post-processing analysis

30. Security Analysts
  • Network discovery and analysis
  • Are there open APs or weak crypto?
  • What are the clients on the network?
  • What kinds of EAP types are in use?
  • Post-processing data evaluation
  • Third-party tools with Kismet pcap files, XML records, nettxt summaries
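An added example, not from the presentation: parsing a Kismet newcore .netxml log in Python instead of Excel, applying the slide 16 uptime formula (bsstimestamp in microseconds divided by 1000000*60*60*24) and running two of the checks from slides 24 and 29, networks without encryption and a BSSID advertising one of our ESSIDs that is not in the inventory (a rogue or impersonating AP). The sample log, the inventory and the element names are constructed or assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample laid out like a Kismet newcore .netxml log (element names assumed).
SAMPLE_NETXML = """<detection-run kismet-version="2009.newcore">
 <wireless-network number="1" type="infrastructure">
  <SSID><type>Beacon</type><encryption>WPA+PSK</encryption><encryption>WPA+AES-CCM</encryption>
   <essid cloaked="false">CorpWiFi</essid></SSID>
  <BSSID>00:11:22:33:44:55</BSSID><channel>6</channel><bsstimestamp>259200000000</bsstimestamp>
 </wireless-network>
 <wireless-network number="2" type="infrastructure">
  <SSID><type>Beacon</type><encryption>None</encryption>
   <essid cloaked="false">CorpWiFi</essid></SSID>
  <BSSID>aa:bb:cc:dd:ee:ff</BSSID><channel>6</channel><bsstimestamp>3600000000</bsstimestamp>
 </wireless-network>
</detection-run>"""

# Constructed inventory of the ESSIDs and BSSIDs the organisation actually operates.
AUTHORISED = {"CorpWiFi": {"00:11:22:33:44:55"}}
WEAK = {"None", "WEP"}  # encryption values that fail the audit

def uptime_days(bsstimestamp_us):
    # bsstimestamp is the beacon TSF timer in microseconds since the BSS started:
    # divide by 1000000 for seconds, then by 60*60*24 for days (the slide 16 formula).
    return int(bsstimestamp_us) / (1000000 * (60 * 60 * 24))

def parse_netxml(text):
    nets = []
    for net in ET.fromstring(text).iter("wireless-network"):
        ssid = net.find("SSID")
        nets.append({
            "bssid": net.findtext("BSSID", "").upper(),
            "essid": ssid.findtext("essid", "") if ssid is not None else "",
            "channel": int(net.findtext("channel", "0")),
            "encryption": {e.text for e in ssid.findall("encryption")} if ssid is not None else set(),
            "uptime_days": uptime_days(net.findtext("bsstimestamp", "0")),
        })
    return nets

def audit(nets, authorised=AUTHORISED):
    # Two of the auditor checks from the slides: weak or missing encryption, and a BSSID that
    # advertises one of our ESSIDs but is not in the inventory (possible rogue AP).
    findings = []
    for n in nets:
        if not n["encryption"] or n["encryption"] & WEAK:
            findings.append((n["bssid"], "weak or no encryption"))
        if n["essid"] in authorised and n["bssid"] not in authorised[n["essid"]]:
            findings.append((n["bssid"], "unauthorised BSSID advertising " + n["essid"]))
    return findings
```

Feeding a real log is `audit(parse_netxml(open("Kismet-XXX.netxml").read()))` with the inventory replaced by the site's own AP list.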