Rogue Access Point
By: Christopher Barnett, Nealesh Ragoodial, Christian Oliva, Bejo Philip Benny, Driss Ould-Ibbat
IASP-560 Wireless Network and Security
Final Group Project
Table of Contents
❖ Introduction
❖ What is Rogue Access Point
❖ Problem
❖ Related Work
❖ Approach
❖ Prevention
❖ Raspberry Pi setup
➢ Linux commands
❖ How to detect
➢ Kismet
➢ Net Surveyor
➢ Solar Winds
❖ Outcome
➢ Contributions
❖ Conclusion
❖ Works Cited
Introduction
Many companies provide wireless networks to improve efficiency, convenience and
productivity in the workplace. It is very easy for someone to collect packets and analyze
them with free software such as Wireshark. Most systems implement wireless network
security protocols such as WPA and WPA2. However, these methods cannot protect
users from rogue access points, because attackers can have these installed and bypass
all forms of security measures. Average users cannot tell the difference between a
rogue access point and a legitimate access point. If given the chance, successful rogue
APs can gather sensitive data from a company. It is necessary to have the correct tools
to prevent and detect these devices. It is up to the organization itself to adopt a
policy under which such devices cannot be installed and, if one is, it will be
detected quickly before any harm is done.
What is a Rogue Access Point?
One of the most common wireless security threats is the rogue access point—it is used
in many attacks, both DoS and data theft. Many other rogue access points, however,
are deployed by employees wanting unfettered wireless access—these access points
are called soft access points. Other rogues are located in neighboring companies using
your network for free access. Typically low-cost and consumer-grade, these access
points often do not broadcast their presence over the wire and can only be detected
over-the-air. Because they are typically installed in their default mode, authentication
and encryption are not enabled, thereby creating a security hazard. Because wireless
LAN signals can traverse building walls, an open access point connected to the
corporate network is the perfect target for war driving. Any client that connects to a rogue
access point must be considered a rogue client because it is bypassing the authorized
security procedures put in place by the IT department.
A rogue access point is a device that is not sanctioned by the administration
but is operating on the network anyway. It can be an access point set up by
either an employee or by a hacker. There are several signs that an access
point is definitely a rogue. The SSID of the access point is neither your network SSID
nor one listed in your SSID list. The access point may not be broadcasting an SSID
at all. It is safe to check the SSID of an access point using methods from the MSS CLI,
from Network Director, and from MSS (Wilton 2008). The access point is
masquerading as one of your SSIDs; access points that masquerade your
SSID are rogue by default, but you can change this rule. The access point is an ad-hoc
access point; ad-hoc access points are formed directly between two client devices.
End users who add wireless devices to a network can pose major security
threats; most of these rogue access points serve as unsecured gateways to a
person’s data (Wilton 2008). A rogue access point can pop up on a network, either
through malicious intent or through an employee. The commoditization of Wi-Fi access
points raises the risk of someone putting up a personal access point on the network. It
is estimated that almost twenty percent of businesses have rogue access points in their
network. A wireless access point is installed by an employee without any consent from
the IT department. With no proper security configuration, the users have exposed their
company’s network to the outside world. Many rogue access points can be detected by
performing an audit of the business with sniffer software. Another method is to install
probes that constantly watch and monitor the wireless network, checking for changes, or
to install server software that monitors both the wired and wireless sides of a network.
Another case is an access point set up by a hacker outside of the business with a
wireless network. The rogue access point picks up beacons, the signals that advertise
the presence of the company’s true access point, and then transmits identical
beacons. Therefore, as long as wireless security is enabled, this type of attack cannot
compromise the user’s network, but it can cause harm by slowing down the
connections with the real network.
Wireless radios automatically scan the radio frequency spectrum for other access
points transmitting in the same spectrum. This radio frequency scan discovers
third-party transmitters in addition to other radio frequencies. Rogue access points and
their clients undermine the security of a company network by potentially allowing
access to the network by a wireless user or client in the area (EC-Council 2011).
Rogue access points can also interfere with the operation of a company’s network. A
rogue access point can allow a hacker to conduct a man-in-the-middle attack: the
hacker makes an independent connection with each victim and relays the messages
between them, making them believe that they are talking directly to each
other over a private connection. Rogue access points can flood the network with
useless data and create a denial of service attack. They can also send fake SSIDs that
advertise attractive features such as free internet connectivity (EC-Council 2011).
When the user connects, the fake SSID is simply added to the client’s wireless
configuration; the client then begins to broadcast the fake SSID, which reaches
other clients.
Problem
Many people don't understand the dangers involved with wireless networking and end
up deploying it without activating the proper security measures needed to ensure
secure communication with the office network. As a result, the existence of an
unauthorized AP leaves your network susceptible to attack by anyone who has a
wireless connection and is within close enough proximity to see it.
Related Work
Comparison
The flexibility and portability of wireless communications have afforded organizations
many benefits such as increased productivity and lower installation cost. The benefits
are not without cost: by using airwaves as the transmission medium, an entirely new set
of security issues is born. These papers focus on rogue access points exposing the
enterprise network to a barrage of security vulnerabilities, in that they are typically
connected to a network port behind the firewall.
Contrast
In “A Passive Approach to Rogue Access Point Detection”, the authors proposed
to use the round-trip time (RTT) of network traffic to distinguish between wired and
wireless nodes. This information, coupled with a standard wireless AP authorization
policy, allows the differentiation (at a central location) between wired nodes, authorized
APs, and rogue APs. They showed that the lower capacity and the higher variability of a
wireless network can be used to effectively distinguish between wired and wireless
nodes: as a result of the lower capacity of the wireless link, wireless nodes have a
greater RTT associated with their packets. As the capacity of wireless links increases, it
is likely that the RTT associated with the wireless link will come close to that of current
wired links.
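The RTT test described in this paragraph, as an added example (not the cited authors' code nor the report's): a Python sketch that labels hosts as wired or wireless from the mean and variability of their round-trip times, then uses an AP authorization list to separate hosts behind authorized APs from hosts behind rogue APs. The RTT samples, the next-hop table and both thresholds are constructed assumptions for illustration.

```python
# Added example: the passive RTT test from "A Passive Approach to Rogue
# Access Point Detection" reduced to its core, as a central monitor might run
# it. The RTT samples, the next-hop table and both thresholds are constructed
# assumptions for illustration, not values taken from the paper.
from statistics import mean, pstdev
from typing import Dict, List

# Assumed thresholds in milliseconds: a wired LAN host answers quickly and
# consistently; a host behind a wireless link is slower and far more variable.
MEAN_RTT_MS = 1.5
STDEV_RTT_MS = 0.5

# Constructed per-host RTT samples, e.g. from TCP data/ACK pairs observed at
# the core switch.
RTT_SAMPLES: Dict[str, List[float]] = {
    "10.0.0.11": [0.4, 0.5, 0.4, 0.6, 0.5, 0.4],   # wired desktop
    "10.0.0.12": [0.5, 0.4, 0.5, 0.5, 0.4, 0.6],   # wired desktop
    "10.0.0.31": [3.1, 5.4, 2.8, 9.7, 4.2, 6.0],   # laptop on an authorized AP
    "10.0.0.77": [2.9, 7.3, 4.8, 12.5, 3.6, 5.1],  # laptop on an unknown AP
}
# Assumed authorization policy: the MAC of the AP each wireless host's frames
# arrive through (constructed), and the AP MACs IT has sanctioned.
NEXT_HOP_MAC = {"10.0.0.31": "aa:bb:cc:00:00:01", "10.0.0.77": "02:00:00:00:00:05"}
AUTHORIZED_APS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

def link_type(samples: List[float]) -> str:
    """Classify a host's link as 'wired' or 'wireless' from its RTT mean and spread."""
    if mean(samples) > MEAN_RTT_MS or pstdev(samples) > STDEV_RTT_MS:
        return "wireless"
    return "wired"

def classify_hosts(samples: Dict[str, List[float]], next_hop: Dict[str, str],
                   authorized: set) -> Dict[str, str]:
    """Label each host as wired, behind an authorized AP, or behind a rogue AP."""
    result = {}
    for host, rtts in samples.items():
        if link_type(rtts) == "wired":
            result[host] = "wired"
        elif next_hop.get(host) in authorized:
            result[host] = "authorized AP"
        else:
            result[host] = "rogue AP"   # wireless timing, but not via a sanctioned AP
    return result

if __name__ == "__main__":
    for host, label in classify_hosts(RTT_SAMPLES, NEXT_HOP_MAC, AUTHORIZED_APS).items():
        print(host, label)
```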
In “Rogue Access Point Detection in WLAN by Analyzing Network Traffic and
Behavior”, the authors present a rogue access point detection approach. In this
approach they extend the functionality of a basic packet analyzer. It deeply analyzes
different properties of the WLAN and, if required, calculates statistics and stores them
in a database. They use these results to compare against the next data. Besides analyzing
wireless data, some filters are implemented that can be used to identify rogue APs in
the WLAN. The paper presents a very simple approach to detecting rogue APs without
any extra sensor or extra hardware: by extending some functionality of a packet
analyzer, it can be used to identify rogue APs.
In “Rogue Access Point Detection System in Wireless LAN”, the authors
propose a detection system: the classification of rogue access points and the related
risk assessment are analyzed, and a rogue detection algorithm is also proposed. It
is designed to utilize the existing wireless LAN infrastructure. These rogue access
points (APs) expose the enterprise network to a barrage of security vulnerabilities in that
they are typically connected to a network port behind the firewall. Most of the current
approaches to detecting rogue APs are rudimentary and are easily evaded by hackers.
With this approach there is no need to acquire new RF devices or dedicated wireless
detection sensors.
The discussion on rogue access points has been circulating in network security
and computer ethics research for more than a decade. The idea that someone could
have access to a wired network without the permission of the administrator or owner
causes us to question more deeply the true power of computers. In the two articles
“Using Multi-Agent Sourcing Method for Detection and Elimination of Rogue Access
Points in WLAN-802.11” and “Rogue Access Points — Threat to Enterprise Security,”
authors Dnyanada Patil, P.N. Mahalle, and Bruce Potter explore the implications for
network security and try to offer possible solutions. In his paper, Potter discusses the
various threats to privacy and security that rogue access points introduce. On the other
hand, Patil and Mahalle discuss the increasing popularity of rogue access point attacks
on common wireless LANs and try to implement a multi-agent node detector to help the
network monitor itself.
Through his paper, Potter essentially establishes the different ways that
hackers could use rogue access points as a means of fooling a computer user. He goes
into depth on each of these possible plays, including sniffing traffic, pretending
to be a valid access point, searching out idle deployed systems, etc., as a means of
warning the reader to be well aware of the different methods a hacker could use to
infiltrate a secure system. Potter offers the suggestion of educating the user base as
the critical prevention against rogue access points. Within the system, Potter implores
us to only connect to a given SSID if the AP supports WEP encryption. This would
essentially add another authentication step to the process of accessing your wireless
system. Patil and Mahalle offer similar suggestions of self-education and spreading
awareness, but also offer a multi-node solution to physically authorize a requesting
user. Patil and Mahalle suggest giving the network multiple master agents that are
allowed to cross-check each other in order to prevent one master being hacked and
compromising the network. In their architecture, a DHCP server is in charge of
authorizing whether a requesting user’s MAC address actually matches their given
information. This adds a self-checking step to the authorization process that allows the
network to check that you are who you say you are. While both articles deal with the
common issue of rogue access point security threats, the authors show different
approaches in the ultimate architecture one can implement on their own network. With
this continuing research on rogue access points, it is clear that more work is needed to
establish a permanent solution to the security threat posed by rogue access points.
Our Approach
To prepare for this project we turned a Raspberry Pi into an access point and
named it “MavericksWiFi”, which is very similar to the school’s WiFi connection called
“Mavericks-WiFi”; the school’s name includes the dash, where ours does not. This can
trick students into thinking it is a legitimate school WiFi connection. We run
Wireshark on the Raspberry Pi, show the IPs that are connected to it and analyze the
packets.
Prevention
There are many different techniques to help stop a rogue from entering
your network. The organization should establish strict rules, make sure that users
are well informed, and ensure that only IT staff are able to connect any type of
networking equipment. The user can also change the rogue classification rules, because
all unknown devices are classified as suspects. When the user changes this to rogue, the
controller automatically classifies any third-party access point or client as a rogue, and
the user can optionally isolate the access point by dropping all the packets to and from
the device. Users also need to use a strong security system. For example, IEEE
802.11i security uses IEEE 802.1X for authentication between the network
and the client (Wilton 2008). Therefore, clients that try to access network information
must be authenticated by the network. Use active access point scanning in addition
to passive scanning: an active scan sends probes with a null SSID name to look for
rogue access points and their clients. It is also important to investigate ad-hoc
access points and to add security for them or simply take them away. Basically, an
ad-hoc network is one that is created directly between two client devices (EC-Council
2011).
Figure 1: Overall view of a Rogue Access Point setup
Raspberry Pi to access point setup:
What you need:
- Raspberry Pi
- Raspbian OS
- Wireshark
- Wireless mouse
- Wireless keyboard
- Ethernet cable
- Power supply
- Monitor
Use the following to update your Raspbian installation:
sudo apt-get update
sudo apt-get upgrade
Install all the required software in one go with this command:
sudo apt-get install dnsmasq hostapd
Since the configuration files are not ready yet, turn the new software off as follows:
sudo systemctl stop dnsmasq
sudo systemctl stop hostapd
To ensure that an updated kernel is configured correctly after install, reboot:
sudo reboot
We need to set up hostapd to tell it to broadcast a particular SSID and allow WiFi connections on a certain channel. Edit the hostapd.conf file (this will create a new file, as one likely does not exist yet) with this command:
sudo nano /etc/hostapd/hostapd.conf
Enter the following into that file. Feel free to change the ssid (WiFi network name)
and the wpa_passphrase (password to join the network) to whatever you’d like. You can
also change the channel to something in the 1-11 range (if channel 6 is too crowded in
your area).
interface=wlan0
# driver names hostapd's driver interface (nl80211 on Linux), not a bridge
driver=nl80211
ssid=MavericksWiFi
hw_mode=g
channel=6
ieee80211n=1
wmm_enabled=1
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=mercy123
rsn_pairwise=CCMP
Save and exit by pressing ctrl + x and y when asked.
Unfortunately, hostapd does not know where to find this configuration file, so we
need to provide its location to the hostapd startup script. Open /etc/default/hostapd:
sudo nano /etc/default/hostapd
Find the line #DAEMON_CONF="" and replace it with:
DAEMON_CONF="/etc/hostapd/hostapd.conf"
Restart the Raspberry Pi using the following command:
sudo reboot
After your Pi restarts (no need to log in), you should see your ssid appear as a
potential wireless network from your computer.
How To Detect
Now that we know what a rogue access point is and the harm it can do to corporations,
we must know how to detect one of these devices. How difficult these access
points are to find depends on how the individual configured the device. He or she
could have simply created an AP and renamed it, or they could have attached a
wireless antenna, installed it on an ethernet point and configured it as a
man-in-the-middle device. It truly depends on the skill of the hacker.
There is an abundance of software out there that can detect rogue access points.
Most is free, and the better ones have to be paid for. Of course, the paid
software will always be better due to support and stable functionality, but for the
purpose of testing, free software will get the point across. With most of these scanning
tools, you must have a general idea of what APs you or the business has installed. For
example, if you are scanning a particular floor and notice your tool displays 5 APs yet
the topology says only 4 have been installed, obviously one of the APs has to be
rogue. We will be discussing three pieces of software: two are free and one
is a paid version which most security companies use. The software we
will be using is NetSurveyor, Kismet and the paid software, SolarWinds.
NetSurveyor is a very easy and straightforward network discovery program
which anyone can download and use. It has many uses, from finding the best
position where an AP could be installed to finding unauthorized devices on the network.
It displays which channel is being used most. It also shows detailed information
regarding each network: information such as SSID, MAC address, beacon strength and
quality, as well as whether the network is encrypted or not. NetSurveyor is a great
program for understanding how traffic is being handled and what APs are available.
However, it does have its faults. It is very broad in its scanning, and only rogue APs
that have been configured lightly will be seen by it.
One step up would be a program called Kismet. Kismet is not detection software
but a sniffer instead. It can filter through packets of information and decode WEP
packets on the fly. Kismet is very lightweight and can be installed on Linux and, with
some configuring, on Windows. Kismet has a lot of functionality, but there is one feature
in particular which could be used against rogue access points. If an individual were to
arrive at a company and install an AP, they would most likely hide the SSID so programs
like NetSurveyor could not detect it. Kismet, however, can fight back against this
technique by decloaking the SSID so it can be found. It can also give an alert when an
AP is found with weak encryption or a default configuration. With these two features and
a lot more, Kismet is a great open source program to detect rogue access points.
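The inventory comparison described above (five APs seen where the topology lists four) and Kismet's alert on weak encryption, as an added example that is not code from the report or from any tool it names: a Python check that compares a survey of observed access points against the APs IT installed, and flags the extra AP, a hidden SSID, a masquerading or look-alike SSID (the report's own MavericksWiFi next to Mavericks-WiFi), and open or WEP networks. The inventory, the survey records and the MAC addresses are constructed.

```python
# Added example: audit a wireless survey against the IT department's AP
# inventory. The inventory, survey and MAC addresses are constructed; a real
# run would load the BSS list exported by Kismet or NetSurveyor instead.
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class BSS:
    ssid: str       # "" when the AP does not broadcast (cloaks) its SSID
    bssid: str      # MAC address of the AP radio
    security: str   # "WPA2", "WPA", "WEP" or "OPEN"
    channel: int

# Constructed inventory: the four APs the topology says were installed on
# this floor, keyed by BSSID.
AUTHORIZED: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "Mavericks-WiFi",
    "aa:bb:cc:00:00:02": "Mavericks-WiFi",
    "aa:bb:cc:00:00:03": "Mavericks-WiFi",
    "aa:bb:cc:00:00:04": "Mavericks-WiFi",
}
CORPORATE_SSIDS = set(AUTHORIZED.values())

def normalize(ssid: str) -> str:
    """Drop case and separators so 'MavericksWiFi' and 'Mavericks-WiFi' match."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())

def classify(bss: BSS) -> List[str]:
    """Return the findings for one observed BSS; an empty list means it is fine."""
    findings: List[str] = []
    if bss.bssid.lower() in AUTHORIZED:
        if bss.security != "WPA2":
            findings.append("authorized AP with weak or no encryption")
        return findings
    findings.append("BSSID not in inventory")
    if bss.ssid == "":
        findings.append("hidden SSID")
    elif bss.ssid in CORPORATE_SSIDS:
        findings.append("masquerading corporate SSID")
    elif normalize(bss.ssid) in {normalize(s) for s in CORPORATE_SSIDS}:
        findings.append(f"look-alike of corporate SSID: {bss.ssid!r}")
    if bss.security in ("OPEN", "WEP"):
        findings.append("weak or no encryption")
    return findings

def audit(survey: List[BSS]) -> dict:
    """Summarize a survey: AP count versus inventory, plus each suspect's findings."""
    suspects = {b.bssid: why for b in survey if (why := classify(b))}
    return {"observed": len(survey), "expected": len(AUTHORIZED), "suspects": suspects}

# Constructed survey: the four authorized radios plus a fifth AP on channel 6
# carrying the report's look-alike name.
SURVEY = [
    BSS("Mavericks-WiFi", "aa:bb:cc:00:00:01", "WPA2", 1),
    BSS("Mavericks-WiFi", "aa:bb:cc:00:00:02", "WPA2", 6),
    BSS("Mavericks-WiFi", "aa:bb:cc:00:00:03", "WPA2", 11),
    BSS("Mavericks-WiFi", "aa:bb:cc:00:00:04", "WPA2", 1),
    BSS("MavericksWiFi", "02:00:00:00:00:05", "WPA2", 6),
]

if __name__ == "__main__":
    for bssid, why in audit(SURVEY)["suspects"].items():
        print(bssid, "->", "; ".join(why))
```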
The last of our software is a paid management system known as SolarWinds.
Kismet and NetSurveyor are both local software that can be run on any machine. In
contrast, SolarWinds is monitoring software which runs at the server level. It monitors
all the APs on the network and categorizes what it deems to be rogue on the network.
This software is self-managing, which explains why it is paid software.
It breaks down the information in a report-like format which is easy to
read and share. Once configured properly, it is able to display a heat map of
used access points in the given area.
Conclusion
With cyber attacks becoming more common and sophisticated, it is important to
be educated and aware of vulnerabilities that occur on a daily basis. In this paper
we have discussed what rogue access points are and their potential dangers if
not corrected promptly. It is imperative for companies and institutions to be
educated in this matter, mainly because we were able to make our
own access point and pretend to be a part of the school network with ease while
capturing and analyzing data packets with Wireshark. It can be tricky for rogue
access points to be detected, but with the correct software that we mentioned, it
is possible to mitigate any possible future attacks.
Outcomes
After continuous research and testing we were successful in our project but of
course not without any hiccups.
Contributions
Driss - Research on Access Points
Christ O - Hands on
Neal - Test and Research Detection Software
Bejo - Research on Technical papers
Chris B - Research on Wireshark and Net Surveyor
Works Cited:
- Wilton, Andy (2008). Deploying Wireless Networks. New York, New York: Cambridge.
- EC-Council (2011). Network Defense: Security Policy and Threats. Clifton, New York: Cengage Learning.
- Seth, Vivek. “Turning Your Raspberry Pi into a Rogue Wifi Router For Hacking.” Medium.com, Medium, 17 Feb. 2016, medium.com/@viveks3th/turning-your-raspberry-pi-into-a-rogue-wifi-router-for-hacking-46d4941bbca9.
- “WIFI HACKING – KISMET – How to Install Kismet on Windows.” University of South Wales: Information Security & Privacy, 7 May 2017, uwnthesis.wordpress.com/2016/03/29/wifi-hacking-kismet-how-to-install-kismet-on-windows/.
- “Rogue Detection under Unified Wireless Networks.” Cisco, 26 May 2017, www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/70987-rogue-detect.html.
- Bandal, G., Dhamdhere, V., & Pardeshi, S. (2018). Rogue Access Point Detection System in Wireless LAN. Retrieved from https://pdfs.semanticscholar.org/41a4/4df312f08ce3551a932335310d6e542e2fa7.pdf
- Jagtap, S. (2018). Rogue Access Point Detection in WLAN by Analyzing Network Traffic and Behavior. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.184.7176&rep=rep1&type=pdf
YouTube Link: https://www.youtube.com/watch?v=zUCB8Ac0I2Q&feature=youtu.be