aacking)wireless)connec1ons:) …a"acking)wireless)connec1ons:) how)to)protectyourself)...

A"acking Wireless Connec1ons: How to protect yourself

Jose Ruiz MIS – OSWP, MCSA, MCT

18 Mayo, 2013 Puerto Rico Educators Cyber Security Awareness Training

Anfi-‐Teatro Maestros Rafael Cordero Universidad de Puerto Rico Ríp Piedras

#cybersecuritypr

Introduc1on

•  Who am I? – Masters in Informa1on System – Electronic Fraud detec1on preven1on

– Offensive Security Wireless Professional – MicrosoX Trainer –  Just love what I do! (That simple!)

#cybersecuritypr

Wireless Communica1ons

•  Seamless mobility •  It's everywhere •  Mass adop1on •  Integrated into all devices – Laptops – Phones – Embedded Devices

•  Connects to Internet

#cybersecuritypr

Wireless Security Challenges

•  How do you protect something you can’t see? •  Extend beyond vic1m’s boundaries •  Mobile clients •  Difficult to locate a"acker •  A"acks can be done from miles away

#cybersecuritypr

Typical Vic1ms

#cybersecuritypr

Tools of the trade

#cybersecuritypr

WEP •  Wired Equivalent Privacy •  Security algorithm for wireless networks. •  Introduced in September 1999. •  Provides a degree of data confiden1ality •  Size of keys 10 or 26 hexadecimal digits. – Example 0023A2B798

•  OXen the first security choice presented to users in routers

#cybersecuritypr

WEP •  Anyone can authen1cate to the network: –  It lets you in although no data transmission is allowed.

•  Confiden1ality vulnerabili1es: –  The header is not encrypted or checked as part of the ‘message integrity check’.

•  Replay a"acks: •  The ICV is not linked to 1mestamps or session sequence

numbers.

•  Cracked 100% of the 1me – GUARANTEED!

#cybersecuritypr

WEP

•  Why is s1ll used? – Handheld scanners in stores use WEP – Enterprises with legacy devices that don’t allow WPA s1ll use WEP.

– CLARO s1ll sells you boxes with WEP!!! – Customer misinforma1on.

#cybersecuritypr

WPA

•  Wi-‐Fi Protected Access (WPA) / (WPA2) •  Response to the major flaws in WEP •  Became available in 2003. •  Not limited to the 0123456789ABCDEF key characters.

•  Long strange passwords -‐ GOOD!!!!

#cybersecuritypr

WPA

•  S1ll can get cracked. •  Weak passwords is the key – Ex. carlitos1232

•  Weak passwords makes it easier than WEP!!! •  Good dic1onaries might find the password. •  It was the best op1on un1l…..

#cybersecuritypr

…WPS decided to show up

#cybersecuritypr


•  WPS (Wi-‐Fi Protected Setup) -‐ standard that simplifies the setup of a secure wireless home network.

•  Created by the Wi-‐Fi Alliance in 2007 •  Allow less experienced users to set up wireless security, add devices etc with li"le effort and…

#cybersecuritypr


•  NO NEED FOR LONG PASSPHRASES!!

•  We got WPS – We’re sexy and you know it!!!

LMFAO!!!!

#cybersecuritypr


•  This flaw allows the recovery of the WPS PIN in a few hours and, with it, the network's WPA/WPA2 pre-‐shared key.

•  By the way… it works even if you passphrase is up to 62 characters!!!

#cybersecuritypr


•  Users have been urged to turn off the WPS feature.

•  This may not be possible on some router models.

•  On tests that I've done it doesn't ma"er. If it supports WPS out of the box it is vulnerable either with WPS on or off.

#cybersecuritypr

This is how you look…

#cybersecuritypr

Wireless Security Myths

•  What you do… –  I hide my SSID

•  yeah… ok… whatever… •  What they do: – Deauthen1cate you or brute force your AP

#cybersecuritypr


#cybersecuritypr


•  What you do: –  I restrict MAC access

•  Oh really?!?! Dream on!!!! •  What they do: – Scan you, get your MAC and impersonate you

#cybersecuritypr


#cybersecuritypr


•  What you do: –  I assign sta1c IP’s

•  Ok stop, you’re killing me!!! •  What they do: – Once we crack the AP we scan your devices get an IP and impersonate you…. AGAIN!!!

#cybersecuritypr


•  I use WPA – With a strong Password??? – Uhh??? – Okay… I give up…

#cybersecuritypr

He can see me… Can I see him?

•  Yes you can… and scan him back!!!! •  Unless… •  He changes his regulatory domain… – Now he can use wireless channels restricted in the US so he can do whatever he wants and you just stand there!!!!

#cybersecuritypr

Basic A"acks (WPA)

#cybersecuritypr

Basic A"acks (WPA -‐ Reaver) 4954 Seconds = almost 90 minutes

#cybersecuritypr

So you are compromised (or not)

#cybersecuritypr

Vulnerable Routers

•  Can be cracked in 11 hours…

#cybersecuritypr

Vulnerable Routers

•  Can be cracked in 3 hours…

#cybersecuritypr

Vulnerable Routers

•  Can be cracked in 45 minutes… •  (NETGEAR Wireless Router – WNDR3700v1)

#cybersecuritypr

Vulnerable Routers

•  Can be cracked in 45 minutes or less… •  (CISCO/Linksys -‐ Wireless Router – WRT100)

#cybersecuritypr

S1ll safe with one of these!

•  NETGEAR -‐ WGR614v8

#cybersecuritypr


•  THOMPSON -‐ TG782

•  The irony is…

#cybersecuritypr


•  This box is secure… but CLARO sells it with WEP so It can be cracked in 10 minutes…..

#cybersecuritypr

Do I have any hope?

•  To be honest… NOT A LOT!!!!! •  But there are things you could do to lessen the chances of being a vic1m.

#cybersecuritypr

Countermeasures

•  Wireless IS vulnerable. •  Even if you apply every sugges1on it’s not a guarantee of safety.

•  The more experienced the a"acker, the more security measures he can circumvent.

#cybersecuritypr

Countermeasures •  Use the most secure possible encryp1on: WPA2 with a NON-‐WPS Router

•  Change the default IP address scheme of 192.168.1.1 / 192.168.0.1 to make even harder to get to your devices if your Internet box is compromised.

•  Use the AP's firewall and efine addi1onal security policies and apply them. For example do not allow any traffic coming in or out that has an internal IP address as the source. Your proxy should be doing this job.

#cybersecuritypr

Countermeasures

•  Disable the auto-‐connect feature. Your computer remembers every single AP it connects to so an a"acker can fake your AP and even if you are 1000 miles from it.

•  Don’t use public WI-‐Fi spots to surf sensi1ve websites.

#cybersecuritypr

Countermeasures

•  I know I bashed at this but do it (more is be"er) – Change and hide the default SSID. – Restrict access by assigning sta1c IP addresses – Use MAC filtering:

•  Turn off your router when not in use: •  If you encounter a cer1ficate warning DON’T blindly click OK. Read it!

•  Keep your browser updated.

#cybersecuritypr

Thanks

•  You can send me an email at: [email protected]

aacking)wireless)connec1ons:) …a"acking)wireless)connec1ons:) how)to)protectyourself)...

Documents