Wireless Security Basics

Full video available at http://www.securitytube.net


  1. Hands-On Ethical Hacking and Network Defense, Chapter 11: Hacking Wireless Networks (last revised 10-30-08 5 pm)
  2. Objectives
     • Explain wireless technology
     • Describe wireless networking standards
     • Describe the process of authentication
     • Describe wardriving
     • Describe wireless hacking and tools used by hackers and security professionals
  3. Understanding Wireless Technology
     • For a wireless network to function, you must have the right hardware and software
     • Wireless technology is part of our lives
       • Baby monitors
       • Cell and cordless phones
       • Pagers
       • GPS
       • Remote controls
       • Garage door openers
       • Two-way radios
  4. Components of a Wireless Network
     • A wireless network has only three basic components
       • Access Point (AP)
       • Wireless network interface card (WNIC)
       • Ethernet cable
  5. Access Points
     • An access point (AP) is a transceiver that connects to an Ethernet cable
     • It bridges the wireless network with the wired network
     • Not all wireless networks connect to a wired network
     • Most companies have Wireless LANs (WLANs) that connect to their wired network topology
  6. Access Points
     • The AP is where channels are configured
     • An AP enables users to connect to a LAN using wireless technology
     • An AP is available only within a defined area
  7. Service Set Identifiers (SSIDs)
     • Name used to identify the wireless local area network (WLAN)
     • The SSID is configured on the AP
     • Unique 1- to 32-character alphanumeric name
     • Name is case sensitive
     • Wireless computers need to configure the SSID before connecting to a wireless network
  8. Service Set Identifiers (SSIDs)
     • SSID is transmitted with each packet
     • Identifies which network the packet belongs to
     • The AP usually broadcasts the SSID
  9. Service Set Identifiers (SSIDs)
     • Many vendors have SSIDs set to a default value that companies never change
     • An AP can be configured to not broadcast its SSID until after authentication
     • Wireless hackers can attempt to guess the SSID
     • Verify that your clients or customers are not using a default SSID
  10. See links Ch 11a, b
  11. Configuring an Access Point
     • Configuring an AP varies depending on the hardware
     • Most devices allow access through any Web browser
     • Enter IP address on your Web browser and provide your user logon name and password
  12. Wireless Router
     • A wireless router includes an access point, a router, and a switch
  13. Demo: Configuring an Access Point
     • Wireless Configuration Options
       • SSID
       • Wired Equivalent Privacy (WEP) encryption
       • Changing Admin Password
  14. Configuring an Access Point
     • Wireless Configuration Options
       • SSID
       • Wired Equivalent Privacy (WEP) encryption
       • WPA (WiFi Protected Access) is better
  15. Configuring an Access Point (continued)
     • Steps for configuring a D-Link wireless router (continued)
       • Turn off SSID broadcast
       • You should also change your SSID
  16. (image-only slide)
  17. Wireless NICs
     • For wireless technology to work, each node or computer must have a wireless NIC
     • NIC's main function
       • Converting the radio waves it receives into digital signals the computer understands
  18. Wireless NICs
     • There are many wireless NICs on the market
     • Choose yours depending on how you plan to use it
     • Some tools require certain specific brands of NICs
  19. Understanding Wireless Network Standards
     • A standard is a set of rules formulated by an organization
     • Institute of Electrical and Electronics Engineers (IEEE)
       • Defines several standards for wireless networks
  20. IEEE: CCSF Student Chapter
     • Next meeting: Thurs, Nov 6, 2008 in Sci 37, 5:00 pm
     • Email sbowne@ccsf.edu for more info
  21. IEEE Standards
     • Standards pass through these groups:
       • Working group (WG)
       • Sponsor Executive Committee (SEC)
       • Standards Review Committee (RevCom)
       • IEEE Standards Board
     • IEEE Project 802
       • LAN and WAN standards
  22. The 802.11 Standard
     • The first wireless technology standard
     • Defined wireless connectivity at 1 Mbps and 2 Mbps within a LAN
     • Applied to layers 1 and 2 of the OSI model
     • Wireless networks cannot detect collisions
       • Carrier sense multiple access/collision avoidance (CSMA/CA) is used instead of CSMA/CD
  23. Addressing
     • Wireless LANs do not have an address associated with a physical location
     • An addressable unit is called a station (STA)
  24. The Basic Architecture of 802.11
     • 802.11 uses a basic service set (BSS) as its building block
     • Computers within a BSS can communicate with each other
  25. The Basic Architecture of 802.11
     • To connect two BSSs, 802.11 requires a distribution system (DS)
  26. Frequency Range
     • In the United States, Wi-Fi uses frequencies near 2.4 GHz (except 802.11a at 5 GHz)
     • There are 11 channels, but they overlap, so only three are commonly used
     • See link Ch 11c (cisco.com)
  27. Infrared (IR)
     • Infrared light can't be seen by the human eye
     • IR technology is restricted to a single room or line of sight
     • IR light cannot penetrate walls, ceilings, or floors
     • Image: IR transmitter for wireless headphones
  28. IEEE Additional 802.11 Projects
     • 802.11a
       • Created in 1999
       • Operating frequency 5 GHz
       • Throughput 54 Mbps
  29. IEEE Additional 802.11 Projects (continued)
     • 802.11b
       • Operates in the 2.4 GHz range
       • Throughput 11 Mbps
       • Also referred to as Wi-Fi (wireless fidelity)
       • Allows for 11 channels to prevent overlapping signals
       • Effectively only three channels (1, 6, and 11) can be used in combination without overlapping
       • Introduced Wired Equivalent Privacy (WEP)
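The channel arithmetic behind the "only 1, 6 and 11" rule on slides 26 and 29, as an added Python example that is not part of the slide deck. It assumes the 802.11b figures: 2.4 GHz channel centers sit 5 MHz apart starting at 2412 MHz for channel 1, and each channel is 22 MHz wide, so two channels are clear of each other only when their centers are at least 22 MHz apart. The greedy selection function is my own and works for any list of channels, not just the US set of 11.

```python
# Added example (not from the slides): which 2.4 GHz channels can be used
# together without overlapping, derived from center frequency and channel width.
from typing import List

CHANNEL_WIDTH_MHZ = 22   # 802.11b DSSS channel width


def center_frequency_mhz(channel: int) -> int:
    """Center frequency of 2.4 GHz channels 1-13 (5 MHz apart, 2412 MHz for ch 1)."""
    if not 1 <= channel <= 13:
        raise ValueError("channel must be between 1 and 13")
    return 2407 + 5 * channel


def channels_overlap(a: int, b: int) -> bool:
    """Two channels overlap when their centers are closer than one channel width."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_set(available: List[int]) -> List[int]:
    """Greedy choice, lowest channel first, of channels that do not overlap
    any channel already chosen. For channels 1-11 this yields [1, 6, 11]."""
    chosen: List[int] = []
    for ch in sorted(available):
        if all(not channels_overlap(ch, picked) for picked in chosen):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    us_channels = list(range(1, 12))            # the 11 channels mentioned on the slide
    print("Usable together:", non_overlapping_set(us_channels))
    print("Channels 1 and 5 overlap:", channels_overlap(1, 5))   # 20 MHz apart
    print("Channels 1 and 6 overlap:", channels_overlap(1, 6))   # 25 MHz apart
```

Running it with the 13 channels allowed in much of Europe gives the same answer, because channels 12 and 13 sit within 22 MHz of channel 11.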
  30. IEEE Additional 802.11 Projects (continued)
     • 802.11e
       • It has improvements to address the problem of interference
       • When interference is detected, signals can jump to another frequency more quickly
     • 802.11g
       • Operates in the 2.4 GHz range
       • Throughput increased from 11 Mbps to 54 Mbps
  31. IEEE Additional 802.11 Projects (continued)
     • 802.11i
       • Introduced Wi-Fi Protected Access (WPA)
       • Corrected many of the security vulnerabilities of 802.11b
     • 802.11n (draft)
       • Will be finalized in Dec 2009
       • Speeds up to 300 Mbps
       • Aerohive AP runs at 264 Mbps now
       • Links Ch 11zc, Ch 11zd
  32. IEEE Additional 802.11 Projects (continued)
     • 802.15
       • Addresses networking devices within one person's workspace
       • Called wireless personal area network (WPAN)
       • Bluetooth is one of six 802.15 standards
     • Image from ubergizmo.com
  33. IEEE Additional 802.11 Projects (continued)
     • Bluetooth
       • Defines a method for interconnecting portable devices without wires
       • Maximum distance allowed is 10 meters
       • It uses the 2.45 GHz frequency band
       • Throughput of up to 2.1 Mbps for Bluetooth 2.0
       • Note: the speed value of 12 Mbps in your book and the lecture notes is wrong
       • Link Ch 11zg
  34. IEEE Additional 802.11 Projects (continued)
     • 802.16 (also called WIMAX)
       • Addresses the issue of wireless metropolitan area networks (MANs)
       • Defines the WirelessMAN Air Interface
       • Range of up to 30 miles
       • Throughput of up to 120 Mbps
     • 802.20
       • Addresses wireless MANs for mobile users who are sitting in trains, subways, or cars traveling at speeds up to 150 miles per hour
  35. IEEE Additional 802.11 Projects (continued)
     • Bluetooth
       • Defines a method for interconnecting portable devices without wires
       • Maximum distance allowed is 10 meters
       • It uses the 2.45 GHz frequency band
       • Throughput of up to 12 Mbps
     • HiperLAN2
       • European WLAN standard
       • It is not compatible with 802.11 standards
  36. 2.1 Mbps (image-only slide)
  37. Understanding Authentication
     • Wireless technology brings new security risks to a network
     • Authentication
       • Establishing that a user is authentic—authorized to use the network
     • If authentication fails, anyone in radio range can use your network
  38. The 802.1X Standard
     • Defines the process of authenticating and authorizing users on a WLAN
     • Basic concepts
       • Point-to-Point Protocol (PPP)
       • Extensible Authentication Protocol (EAP)
       • Wired Equivalent Privacy (WEP)
       • Wi-Fi Protected Access (WPA)
  39. Point-to-Point Protocol (PPP)
     • Many ISPs use PPP to connect dial-up or DSL users
     • PPP handles authentication with a user name and password, sent with PAP or CHAP
     • PAP (Password Authentication Protocol) sends passwords unencrypted
       • Vulnerable to trivial sniffing attacks
     • See link Ch 11f
  40. CHAP Vulnerability
     • CHAP (Challenge-Handshake Authentication Protocol)
       • Server sends a Challenge with a random value
       • Client sends a Response, hashing the random value with the secret password
     • This is still vulnerable to a sort of session hijacking attack (see links Ch 11e)
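The PAP and CHAP exchanges from slides 39 and 40, worked through in Python as an added example that is not part of the slide deck. The CHAP response follows RFC 1994 (MD5 over the one-byte identifier, the shared secret and the challenge); the server class, the account table and the credentials are constructed for the demonstration. It shows what a sniffer sees in each case and why a captured CHAP response cannot simply be resent, because each session gets a fresh random challenge.

```python
# Added example, not from the slides: PAP versus CHAP (RFC 1994, MD5 variant).
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5 over identifier || secret || challenge.
    The secret itself never goes on the wire, only this hash does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Server side: issues one random challenge per session and checks the
    response against the secret stored for the claimed user."""

    def __init__(self, accounts: dict):
        self.accounts = accounts      # username -> shared secret (constructed table)
        self.pending = {}             # session_id -> (identifier, challenge)

    def issue_challenge(self, session_id: int):
        identifier = os.urandom(1)[0]
        challenge = os.urandom(16)
        self.pending[session_id] = (identifier, challenge)
        return identifier, challenge

    def verify(self, session_id: int, username: str, response: bytes) -> bool:
        if session_id not in self.pending:
            return False
        identifier, challenge = self.pending.pop(session_id)   # challenge is single use
        secret = self.accounts.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def pap_on_the_wire(username: str, password: bytes) -> bytes:
    """PAP sends the credentials as they are: this is what a sniffer captures."""
    return username.encode() + b":" + password


def run_handshake(server: ChapServer, session_id: int, username: str,
                  client_secret: bytes) -> bool:
    """Client side of CHAP: take the challenge, answer with the hash, get the verdict."""
    identifier, challenge = server.issue_challenge(session_id)
    response = chap_response(identifier, client_secret, challenge)
    return server.verify(session_id, username, response)


def replayed_response_is_rejected(server: ChapServer, username: str,
                                  secret: bytes) -> bool:
    """Record one valid response, then resend it against a new challenge."""
    identifier, challenge = server.issue_challenge(100)
    captured = chap_response(identifier, secret, challenge)
    if not server.verify(100, username, captured):          # the legitimate login
        return False
    server.issue_challenge(101)                              # fresh random challenge
    return not server.verify(101, username, captured)        # stale hash no longer matches


if __name__ == "__main__":
    secret = b"correct horse battery"                        # constructed credential
    server = ChapServer({"alice": secret})
    print("PAP exposes:", pap_on_the_wire("alice", secret))
    print("CHAP login ok:", run_handshake(server, 1, "alice", secret))
    print("Wrong secret rejected:", not run_handshake(server, 2, "alice", b"guess"))
    print("Replay rejected:", replayed_response_is_rejected(server, "alice", secret))
```

Note what the example does not cover: CHAP authenticates only the handshake, and the frames that follow are not bound to it in any way, which is the gap behind the session-hijacking weakness the slide refers to.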
  41. Extensible Authentication Protocol (EAP)
     • EAP is an enhancement to PPP
     • Allows a company to select its authentication method
       • Certificates
       • Kerberos
     • Kerberos is used on LANs for authentication
       • Uses Tickets and Keys
       • Used by Windows 2000, XP, and 2003 Server by default
       • Not common on WLANs (I think)
  42. X.509 Certificate
     • Record that authenticates network entities
     • Identifies
       • The owner
       • The certificate authority (CA)
       • The owner's public key
     • See link Ch 11j
  43. Sample X.509 Certificate
     • Go to gmail.com
     • Double-click the padlock
  44. Public Key
     • Your browser uses the Public Key to encrypt data so only Gmail can read it
  45. LEAP
     • Lightweight Extensible Authentication Protocol (LEAP)
       • A Cisco product
       • Vulnerable, but Cisco didn't care
     • Joshua Wright wrote the ASLEAP hacking tool to crack LEAP, and forced Cisco to develop a better protocol
     • See link Ch 11g
  46. More Secure EAP Methods
     • Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
       • Secure but rarely used, because both client and server need certificates signed by a CA
     • Protected EAP (PEAP) and Microsoft PEAP
       • Very secure, only requires server to have a certificate signed by a CA
     • See link Ch 11h
  47. 802.1X components
     • Supplicant
       • The user accessing a WLAN
     • Authenticator
       • The AP
     • Authentication server
       • Checks an account database to see if user's credentials are acceptable
       • May use RADIUS (Remote Access Dial-In User Service)
     • See link Ch 11k
  48. (image-only slide)
  49. Wired Equivalent Privacy (WEP)
     • Part of the 802.11b standard
     • Encrypts data on a wireless network
     • WEP has many vulnerabilities
     • To crack WEP, see links Ch 11l, 11m
  50. Wi-Fi Protected Access (WPA)
     • Specified in the 802.11i standard
     • Replaces WEP
     • WPA improves encryption by using Temporal Key Integrity Protocol (TKIP)
  51. TKIP Enhancements
     • Message Integrity Check (MIC)
       • Prevent attacker from injecting forged packets
     • Extended Initialization Vector (IV) with sequencing rules
       • Prevent replays (attacker re-sending copied packets)
  52. TKIP Enhancements
     • Per-packet key mixing
       • MAC addresses are used to create a key
       • Each link uses a different key
     • Rekeying mechanism
       • Provides fresh keys
       • Prevents attackers from reusing old keys
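The two receiver-side checks from slide 51, a keyed MIC against forged frames and a strictly increasing sequence counter against replays, modelled as an added Python example that is not part of the slide deck. TKIP's actual MIC is the Michael algorithm and its counter is the 48-bit TSC carried in the extended IV; here an HMAC-SHA256 tag and a plain integer stand in for them so the logic stays short, and the frames and key are constructed. Per-packet key mixing and rekeying from slide 52 are not modelled.

```python
# Added example, not from the slides: a toy receiver applying a TKIP-style
# MIC check and replay check to a constructed sequence of frames.
import hashlib
import hmac
from dataclasses import dataclass
from typing import List


@dataclass
class Frame:
    seq: int          # stands in for TKIP's sequence counter (TSC) in the extended IV
    payload: bytes
    mic: bytes


def compute_mic(mic_key: bytes, seq: int, payload: bytes) -> bytes:
    """Keyed integrity tag over the counter and payload, so neither can be
    changed without the MIC key. (HMAC-SHA256 substitutes for Michael.)"""
    return hmac.new(mic_key, seq.to_bytes(6, "big") + payload, hashlib.sha256).digest()


def build_frame(mic_key: bytes, seq: int, payload: bytes) -> Frame:
    """Sender side: tag the frame with the current counter value."""
    return Frame(seq, payload, compute_mic(mic_key, seq, payload))


class Receiver:
    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_seq = -1            # highest counter value accepted so far

    def accept(self, frame: Frame) -> str:
        expected = compute_mic(self.mic_key, frame.seq, frame.payload)
        if not hmac.compare_digest(expected, frame.mic):
            return "rejected: MIC mismatch (forged or modified frame)"
        if frame.seq <= self.last_seq:
            return "rejected: replay (sequence counter did not increase)"
        self.last_seq = frame.seq
        return "accepted"


def demo() -> List[str]:
    """Constructed traffic: a good frame, the same frame resent, a copy with one
    byte of payload changed, then the next good frame. Returns the verdicts."""
    key = b"constructed-mic-key"
    rx = Receiver(key)
    good = build_frame(key, 1, b"DHCP request")
    tampered = Frame(good.seq, b"DHCP reqvest", good.mic)   # payload edited, MIC stale
    following = build_frame(key, 2, b"DHCP ack")
    return [rx.accept(f) for f in (good, good, tampered, following)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of the checks matters: the MIC is verified before the counter is consulted, so a forged frame never advances the receiver's state, and the counter is updated only after a frame passes both checks.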
  53. WPA Adds 802.1x
     • WPA also adds an authentication mechanism implementing 802.1X and EAP
     • This was not available in WEP
  54. Understanding Wardriving
     • Hackers use wardriving
       • Finding insecure access points
       • Using a laptop or palmtop computer
     • Wardriving is not illegal
       • But using the resources of these networks is illegal
     • Warflying
       • Variant where an airplane is used instead of a car
  55. How It Works
     • An attacker or security tester simply drives around with the following equipment
       • Laptop computer
       • Wireless NIC
       • An antenna
       • Software that scans the area for SSIDs
     • Not all wireless NICs are compatible with scanning programs
     • Antenna prices vary depending on the quality and the range they can cover
  56. How It Works (continued)
     • Scanning software can identify
       • The company's SSID
       • The type of security enabled
       • The signal strength
         • Indicating how close the AP is to the attacker
  57. Demo: VistaStumbler
     • Link Ch 11ze
  58. NetStumbler
     • Shareware tool written for Windows that enables you to detect WLANs
     • Supports 802.11a, 802.11b, and 802.11g standards
     • NetStumbler was primarily designed to
       • Verify your WLAN configuration
       • Detect other wireless networks
       • Detect unauthorized APs
  59. NetStumbler
     • NetStumbler is capable of interfacing with a GPS
       • Enabling a security tester or hacker to map out locations of all the WLANs the software detects
  60. NetStumbler
     • NetStumbler logs the following information
       • SSID
       • MAC address and Manufacturer of the AP
       • Channel
       • Signal Strength
       • Encryption
     • Can detect APs within a 350-foot radius
       • With a good antenna, they can locate APs a couple of miles away
  61. (image-only slide)
  62. (image-only slide)
  63. Kismet
     • Another product for conducting wardriving attacks
     • Runs on Linux, BSD, Mac OS X, and Linux PDAs
     • Kismet is advertised also as a sniffer and IDS
     • Kismet can sniff 802.11b, 802.11a, and 802.11g traffic
  64. Kismet features
     • Ethereal- and Tcpdump-compatible data logging
     • AirSnort compatible
     • Network IP range detection
  65. Kismet features (continued)
     • Hidden network SSID detection
     • Graphical mapping of networks
     • Client-server architecture
     • Manufacturer and model identification of APs and clients
     • Detection of known default access point configurations
     • XML output
     • Supports 20 card types
  66. Understanding Wireless Hacking
     • Hacking a wireless network is not much different from hacking a wired LAN
     • Techniques for hacking wireless networks
       • Port scanning
       • Enumeration
  67. Tools of the Trade
     • Equipment
       • Laptop computer
       • A wireless NIC
       • An antenna
       • Sniffer software
  68. AirSnort
     • Created by Jeremy Bruestle and Blake Hegerle
     • It is the tool most hackers wanting to access WEP-enabled WLANs use
     • AirSnort limitations
       • Runs on either Linux or Windows (textbook is wrong)
       • Requires specific drivers
       • Not all wireless NICs function with AirSnort
     • See links Ch 11p, 11q
  69. WEPCrack
     • Another open-source tool used to crack WEP encryption
       • WEPCrack was released about a week before AirSnort
     • It also works on *NIX systems
     • WEPCrack uses Perl scripts to carry out attacks on wireless systems
     • AirSnort is considered better (link Ch 11r)
  70. Countermeasures for Wireless Attacks
     • Anti-wardriving software makes it more difficult for attackers to discover your wireless LAN
     • Honeypots
       • Servers with fake data to snare intruders
     • Fakeap and Black Alchemy Fake AP
       • Software that makes fake Access Points
     • Link Ch 11s
  71. Countermeasures for Wireless Attacks
     • Use special paint to stop radio from escaping your building
     • Allow only predetermined MAC addresses and IP addresses to have access to the wireless LAN
     • Use an authentication server instead of relying on a wireless device to authenticate users
  72. Countermeasures for Wireless Attacks
     • Use an EAP authentication protocol
     • If you use WEP, use 104-bit encryption rather than 40-bit encryption
       • But just use WPA instead
     • Assign static IP addresses to wireless clients instead of using DHCP
     • Don't broadcast the SSID
  73. Countermeasures for Wireless Attacks
     • Place the AP in the demilitarized zone (DMZ) (image from wikipedia)
  74. Demo: Defeating MAC Address Filtering
     • Link Ch 11zf
