Wireless Networking Wireless Vulnerabilities and Attacks Module-10 Jerry Bernardini Community College of Rhode Island 06/15/22 1 Wireless Networking J. Bernardini


Wireless Networking Wireless Vulnerabilities and Attacks Module-10. Jerry Bernardini Community College of Rhode Island. Presentation Reference Material. CWNA Certified Wireless Network Administration Official Study Guide, Fourth Edition, Tom Carpenter, Joel Barrett Chapter-09, pages 439-473. - PowerPoint PPT Presentation


Wireless Networking

Wireless Vulnerabilities and Attacks
Module-10

Jerry Bernardini
Community College of Rhode Island

04/21/23 1 Wireless Networking J. Bernardini


Presentation Reference Material

• CWNA Certified Wireless Network Administration Official Study Guide, Fourth Edition, Tom Carpenter, Joel Barrett

• Chapter-09, pages 439-473


What is Information Security?

• Information Security: Task of guarding digital information
• Information must be protected on the devices that store, manipulate, and transmit it, through products, people, and procedures
• The properties of information that must be protected are CIA:
– Confidentiality: Only authorized parties can view information
– Integrity: Information is correct and unaltered
– Availability: Authorized parties must be able to access information at all times


Layers of Security


Categories of Attackers

• Six categories of attackers:
– Hackers: Not malicious; expose security flaws, “ethical attackers”
– Crackers: Violate system security with malicious intent
– Script kiddies: Break into computers to create damage
– Spies: Hired to break in and steal information
– Employees: Unhappy employees that steal, damage and change information
– Cyber-terrorists: Steal, damage and change information for ideology or extreme beliefs


Challenges of Securing Information

• Trends increasing the difficulty of information security:
– Speed of attacks
– Sophistication of attacks
– Faster detection of weaknesses
  • Day zero attacks
– Distributed attacks
  • The “many against one” approach
  • Impossible to stop an attack by trying to identify and block the source


Security Attackers Profiles


Security Organizations

• Many security organizations exist to provide security information, assistance, and training

• Computer Emergency Response Team Coordination Center (CERT/CC)

• Forum of Incident Response and Security Teams (FIRST)
• InfraGard
• Information Systems Security Association (ISSA)
• National Security Institute (NSI)
• SysAdmin, Audit, Network, Security (SANS) Institute


Common Attack Methods

• Eavesdropping
• Hijacking
• Man-in-the-middle
• Denial of Service (DoS)
• Management interface exploits
• Encryption cracking
• Authentication cracking
• MAC spoofing
• Peer-to-peer
• Social engineering


Eavesdropping Issues

• Definition: The interception and reading of messages and information by unintended recipients

• WLAN sends data through the open air
• Attacker can easily capture frames
• Attacker may not be able to read frames
• Encryption of data reduces the ability to “read”
• When you access a network, be sure you have been given the right to do so
• Wardriving is eavesdropping
• Laws are being enforced against eavesdropping


Eavesdropping Utilities

Casual:
• MacStumbler
• KisMac
• NetStumbler
• KisMet
• Easy Wi-Fi Radar
• WiFi Hopper

Malicious:
• OmniPeek Personal (free)
• AiroPeek
• Network Instruments Observer
• AirMagnet Laptop Analyzer
• Javvin CAPSA
• Wireshark (free)
• Comm View for Wi-Fi PC
• Comm View for Wi-Fi PocketPC


Man-in-the-Middle Attack

• Makes it seem that two computers are communicating with each other
– Actually sending and receiving data with a computer between them
– Active or passive


SSID Filtering

• Disable SSID broadcast. By default, most wireless networking devices are set to broadcast the SSID, so anyone can easily join the wireless network.
• Change the default SSID. Wireless APs have a default SSID set by the factory. Linksys wireless products use Linksys. Change the network's SSID to something unique, and make sure it doesn't refer to the networking products, your company, department function, or location.


Hijacking and Man-in-the-middle

• Defined: An unauthorized user takes control of an authorized user’s WLAN connection

• Occurs at Layer1, Layer2 and Layer3
• Hijacking outline
– Attacker starts own AP and captures traffic
– Attacker configures his AP with victim SSID
– Attacker sends deauthentication frame with high-power RF
– Victim reassociates with higher-power attacker AP
– Attacker runs DHCP giving address to victim
• Attacker can try to steal data from victim
• Attacker can use second NIC to connect to original AP
– Traffic between victim and original AP is captured by attacker
– Complete man-in-the-middle attack with capture of Layer1, Layer2 and Layer3
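
The hijacking outline above relies on a second radio advertising the victim SSID, which a monitoring sensor can see in beacons. As an added example (not part of the original slides), this Python check compares beacon observations against an AP inventory; the inventory, RSSI margin, field names and sample beacons are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str     # AP MAC address carried in the beacon header
    channel: int
    rssi_dbm: int  # signal strength measured at the sensor

# Hypothetical inventory: BSSID -> (SSID, channel, usual RSSI at this sensor)
AUTHORIZED = {
    "00:11:22:aa:bb:01": ("CorpNet", 1, -62),
    "00:11:22:aa:bb:02": ("CorpNet", 6, -70),
}
RSSI_JUMP_DB = 20  # assumed margin before a known BSSID counts as "too loud"

def classify(beacon, inventory=AUTHORIZED):
    """Return a finding for one beacon, or None if it matches the inventory."""
    our_ssids = {ssid for ssid, _, _ in inventory.values()}
    known = inventory.get(beacon.bssid.lower())
    if known is None:
        # A radio we do not own is using one of our network names.
        if beacon.ssid in our_ssids:
            return "unknown BSSID advertising authorized SSID"
        return None  # a neighbour's network
    ssid, channel, baseline = known
    if beacon.ssid != ssid:
        return "authorized BSSID advertising unexpected SSID"
    if beacon.channel != channel:
        return "authorized BSSID on unexpected channel"
    # A copied BSSID placed near the victim is heard far above the survey value.
    if beacon.rssi_dbm - baseline >= RSSI_JUMP_DB:
        return "authorized BSSID much stronger than baseline"
    return None

def scan(beacons, inventory=AUTHORIZED):
    """Return (bssid, finding) for every beacon that needs investigation."""
    return [(b.bssid, f) for b in beacons if (f := classify(b, inventory))]

# Constructed sample observations
SAMPLE = [
    Beacon("CorpNet", "00:11:22:aa:bb:01", 1, -60),     # matches inventory
    Beacon("CorpNet", "de:ad:be:ef:00:01", 11, -35),    # our SSID, unknown radio
    Beacon("CorpNet", "00:11:22:aa:bb:02", 6, -38),     # known BSSID, 32 dB louder
    Beacon("CoffeeShop", "aa:bb:cc:00:00:09", 3, -80),  # unrelated network
]
```

A finding is a lead for a site walk with a spectrum or protocol analyzer, not proof of an attack: a newly installed or relocated AP produces the same findings until the inventory is updated.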


Windows Client Vulnerabilities and Solutions

• By default Windows sends out probe requests for “preferred networks”
• Wireless Network tab properties establish which networks and in what order; the client scans for the SSIDs in the list
• If it cannot find a “preferred network”, it will continue to scan
• A rogue AP that has heard the SSID scan list configures itself as one of the unsecured SSIDs
• Victim Windows client connects to rogue AP
• Solutions
– Keep WLAN card powered off
– Remove unsecured SSIDs from list after using
– Disable Windows client and use a more secure third-party client (Cisco LEAP)


Denial of Service Attack (DoS)

• Definition: An attack that results in the inability of a user or system to access needed resources

• Layer1 attack: RF jamming
– High-level RF signal generator “drowns out” APs in area
• Unintentional DoS: interference from microwave, wireless phone
• Layer2 attack: spoofs AP and generates management frames
– Rogue AP spoofs AP MAC address
– Rogue generates deauthentication or disassociation frame
– Client STA disassociates
– Rogue continues to send deauthentication or disassociation frames
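
On the air, the Layer2 attack above appears as a sustained run of deauthentication or disassociation frames aimed at one client. The detector below is an added example, not from the original slides: it counts such frames per claimed source and destination in a sliding window. The window, threshold, record layout and sample frames are constructed assumptions.

```python
from collections import defaultdict, deque

TEARDOWN = {"deauth", "disassoc"}  # management subtypes that end a session
WINDOW_MS = 5000                   # assumed sliding window
THRESHOLD = 10                     # assumed frames per window before alerting

def detect_floods(frames, window_ms=WINDOW_MS, threshold=THRESHOLD):
    """frames: time-ordered (ts_ms, subtype, claimed_source, destination).

    Returns one alert (ts_ms, claimed_source, destination, count) per pair,
    raised the first time that pair reaches the threshold inside the window.
    """
    recent = defaultdict(deque)  # (source, destination) -> recent timestamps
    alerted = set()
    alerts = []
    for ts, subtype, src, dst in frames:
        if subtype not in TEARDOWN:
            continue
        key = (src, dst)
        stamps = recent[key]
        stamps.append(ts)
        while ts - stamps[0] > window_ms:  # drop frames older than the window
            stamps.popleft()
        if len(stamps) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ts, src, dst, len(stamps)))
    return alerts

# Constructed sample: addresses are placeholders, not taken from the slides.
AP = "00:11:22:aa:bb:01"
STA_A = "02:00:00:00:00:0a"
STA_B = "02:00:00:00:00:0b"

def sample_frames():
    frames = [(0, "deauth", AP, STA_B)]  # a single, ordinary deauthentication
    frames += [(2000, "beacon", AP, "ff:ff:ff:ff:ff:ff")]
    # 25 deauthentication frames in 2.5 s, all claiming to come from the AP
    frames += [(1000 + 100 * i, "deauth", AP, STA_A) for i in range(25)]
    return sorted(frames)
```

Because the rogue spoofs the AP MAC address, the alert's source field names the AP being impersonated, so the alert identifies the affected client and cell rather than the sender.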


Other DoS Attacks

• Empty data floods
– Install two or three wireless adapters in laptop
– Generate continuous maximum-size frames
– Position close to victim STA for stronger signal
– Tie up RF spectrum, preventing connection to legitimate APs
• Other attacks
– Association floods
– Authentication floods
– Unauthorized AP left on
• Solution
– Use spectrum analyzer to track down location of interference
– Scan for SSIDs and zero in on signal


Management Interface Exploits

• Web-based interface exploit
– Attacker captures traffic and determines IP network with scanning utility
– Varies address and finds AP gateway address (example 192.168.1.1, 10.10.10.1 …)
– Tries passwords if necessary
– Changes AP configurations
– Turns off all MAC access except attacker's: a form of DoS
• Solutions
– Strong AP password
– Disable web interface
– Secure telnet and SSH
– Use strong WPA-PSK or WPA2-PSK


Encryption Cracking

• Weak key cracking
– Attacker captures 100 MB of data
– Processes captured data with a “cracking tool”
– Obtains WEP key in seconds
– Weak keys and initialization vectors are very vulnerable
• Solution
– Use strong encryption
– WPA2 and AES
– IEEE 802.11i
– EAP-Cisco LEAP
• More information in Chapter-10


Wired Equivalent Privacy (WEP)

• Guard the Confidentiality of CIA
– Ensure only authorized parties can view it
• Used in IEEE 802.11 to encrypt wireless transmissions
– “Scrambling”
• Cryptography: Science of transforming information so that it is secure while being transmitted or stored
– “Scrambles” data
• Encryption: Transforming plaintext to ciphertext
• Decryption: Transforming ciphertext to plaintext
• Cipher: An encryption algorithm
– Given a key that is used to encrypt and decrypt messages
– Weak keys: Keys that are easily discovered


WEP Cryptography


WEP Implementation

• IEEE 802.11 cryptography objectives:
– Efficient
– Exportable
– Optional
– Reasonably strong
– Self-synchronizing
• WEP relies on secret key “shared” between a wireless device and the AP
• Same key installed on device and AP
• A form of private key cryptography or symmetric encryption


WEP Characteristics

• WEP shared secret keys must be at least 40 bits
– Most vendors use 104 bits
• Options for creating WEP keys:
– 40-bit WEP shared secret key (5 ASCII characters or 10 hexadecimal characters)
– 104-bit WEP shared secret key (13 ASCII characters or 16 hexadecimal characters)
– Passphrase (16 ASCII characters)
• APs and wireless devices can store up to four shared secret keys
– Default key is one of the four stored keys
– Default key used for all encryption
– Default key can be different for AP and client


WEP Keys

- Key order must be the same for all devices

- Default Keys can be different for each device


Open System Authentication Vulnerabilities

• Inherently weak
– Based only on match of SSIDs
– SSID beaconed from AP during passive scanning
  • Easy to discover
• Vulnerabilities:
– Beaconing SSID is default mode in all APs
– Not all APs allow beaconing to be turned off
  • Or manufacturer recommends against it
– SSID initially transmitted in plaintext (unencrypted)
– If an attacker cannot capture an initial negotiation process, can force one to occur
– SSID can be retrieved from an authenticated device
– Many users do not change default SSID
• Several wireless tools freely available that allow users with no advanced knowledge of wireless networks to capture SSIDs


Peer-to-Peer Attacks

• Definition: A peer-to-peer attack occurs when one STA attacks another STA that is associated with the same AP
• Intention is generally data theft
• Installation of backdoors and other software
• Laptops are particularly vulnerable
• IBSS networks vulnerable (ad hoc)
• Hot spot networks can be a serious problem
• Solutions:
– Public Secure Packet Forwarding (PSPF) applications
– STA to STA communication disallowed
– Microsoft file sharing disabled


Social Engineering

• Definition: Technique of persuading people to give you something that they should not give you
– Organization information
– Data
– Passwords and passphrases
– Keys
• Targets
– Help desk
– On-site contractors
– Employees
• Solutions
– Do not depend only upon technology
– Train personnel regularly


MAC Address Filtering and Spoofing

• Most access points offer some form of MAC filtering.
– MAC Access Lists
– Advanced MAC Filtering Lists

• WLAN administrator must configure a list or set of rules for clients that will be allowed or not allowed to join the network.


MAC Access Filtering

Proxim AP-600b


MAC Address Filtering

[Diagram: a wired LAN with wired clients and a database server (MAC address 001122C5AF3B), and access points AP-1 and AP-2 serving wireless clients (MAC address 00022D9DE44E)]


MAC Address Filtering

[Diagram: access point AP-1 (AP-600b) between the database server (MAC address 001122C5AF3B) and a wireless client (MAC address 00022D9DE44E)]

Mask: F = Look, 0 = Ignore (logical ANDing)

AP-600b filter settings:
• Wired MAC Adr. = 001122C5AF3B, Wired Mask = FFFFFFFFFFFF
• Wireless MAC Adr. = 00022D9DE44E, Wireless Mask = FFFFFFFFFFFF
• Filtering = Blocking


MAC Address Filtering

[Diagram: access point AP-1 (AP-600b) between the database server (MAC address 001122C5AF3B) and the wireless client (MAC address 00022D9DE44E)]


Circumventing MAC Filters

• MAC addresses are sent in the clear in the frame header!

• User/attacker can change their MAC address via software and then spoof or more accurately impersonate or masquerade under the address.

• Evade/Hide Network Presence
• Bypass Access Control Lists
• Authenticated User Impersonation
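
The mask rule on the AP-600b slide (F = look, 0 = ignore, logical ANDing) and the point above that the filter only ever sees the address written in the frame header can both be worked through in code. This is an added Python example, not the AP's firmware or part of the original slides; it assumes a rule blocks traffic when both the wired and the wireless address match under their masks, and the extra test addresses are constructed.

```python
def parse_mac(text):
    """'00022D9DE44E' or '00:02:2d:9d:e4:4e' -> 48-bit integer."""
    digits = text.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)

class StaticMacFilter:
    """One blocking rule: wired address/mask paired with wireless address/mask."""

    def __init__(self, wired, wired_mask, wireless, wireless_mask):
        self.wired, self.wired_mask = parse_mac(wired), parse_mac(wired_mask)
        self.wireless = parse_mac(wireless)
        self.wireless_mask = parse_mac(wireless_mask)

    @staticmethod
    def _match(addr, rule_addr, mask):
        # Logical AND with the mask: F nibbles are compared, 0 nibbles ignored.
        return (addr & mask) == (rule_addr & mask)

    def blocks(self, wired_addr, wireless_addr):
        """True if traffic between the two header addresses hits the rule."""
        return (self._match(parse_mac(wired_addr), self.wired, self.wired_mask)
                and self._match(parse_mac(wireless_addr), self.wireless,
                                self.wireless_mask))

SERVER = "001122C5AF3B"  # wired MAC address from the slide
CLIENT = "00022D9DE44E"  # wireless MAC address from the slide

exact = StaticMacFilter(SERVER, "FFFFFFFFFFFF", CLIENT, "FFFFFFFFFFFF")
by_prefix = StaticMacFilter(SERVER, "FFFFFFFFFFFF", CLIENT, "FFFFFF000000")
any_wireless = StaticMacFilter(SERVER, "FFFFFFFFFFFF", CLIENT, "000000000000")

def demo():
    same_prefix = "00022D000001"  # constructed: shares the first three bytes
    unrelated = "0A1B2C3D4E5F"    # constructed
    return {
        "exact rule, listed client": exact.blocks(SERVER, CLIENT),
        "exact rule, other address": exact.blocks(SERVER, same_prefix),
        "prefix rule, same prefix": by_prefix.blocks(SERVER, same_prefix),
        "prefix rule, unrelated": by_prefix.blocks(SERVER, unrelated),
        "all-zero mask, unrelated": any_wireless.blocks(SERVER, unrelated),
    }
```

The second result is the weakness the slide describes: the rule is keyed to an unauthenticated header field, so it controls listed addresses and not devices, which is why the later slides pair filtering with 802.1X and WPA2.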


Access Control Security

• Intended to guard one of the CIA’s
– Availability of information
• Wireless access control: Limit user’s access to AP
– By filtering MAC addresses
• Media Access Control (MAC) address filtering: Based on a node’s unique MAC address
• Can be defeated by spoofing a MAC address


Access Control Filtering

• MAC address filtering considered to be a basic means of controlling access
– Requires pre-approved authentication
– Difficult to provide temporary access for “guest” devices


MAC Spoofing


Security Solutions

• 802.1X Authentication
• MIC: Message Integrity Checking
• TKIP: Temporal Key Integrity Protocol
• Cipher and Authentication Negotiation
• Key Management
• AES: Advanced Encryption Standard
• WPA / WPA2: Wi-Fi Protected Access
• 802.11i


Remember CIA and AAA

• CIA
– Confidentiality: Keep things private
– Integrity: Data must be consistent and accurate
– Availability: The right data to the right users
• AAA
– Authentication: “Who are you?”
– Authorization: “What do you want?”
– Accounting: “What have you done?”
• Bottom line
– Users are responsible for protecting their accounts and their data
