wireless security

by: Frank Pfleger

Upload: reba

Post on 05-Jan-2016


TRANSCRIPT

Page 1: Wireless Security

by: Frank Pfleger

Page 2: Wireless Security

Introduction to Wireless Networks

Secure the Network
  ◦ Wireless Security Mechanisms

Unsecure the Network
  ◦ Security Mechanism Weaknesses
  ◦ Tools and Techniques

Wardriving / Procedures

Page 3: Wireless Security

Private Wi-Fi
  ◦ Easy installation, security problems
  ◦ Location freedom

Office Wi-Fi
  ◦ Location freedom
  ◦ Laptop popularity

Public Hotspot
  ◦ Non-private ( mostly with fee )
  ◦ Public places

Introduction Secure Unsecure Wardriving Conclusion

Page 4: Wireless Security

Non Encryption
  ◦ Static IP addresses
    - Deactivate DHCP
    - Assign IP address on every host
  ◦ MAC address filter
    - Restrict access to unique hardware address
    - Add MAC address for every host
  ◦ Hide SSID
    - Deactivate the SSID broadcasting


INSECURE

Page 5: Wireless Security

Encryption
  ◦ WEP – Wired Equivalent Privacy
    - Based on RC4 (pseudo-random generator)
    - XOR between data and random (bitstream)
    - RC4 uses WEP key + Initialization vector
    - INSECURE
  ◦ WPA – Wi-Fi Protected Access
    - Based on the WEP architecture ( RC4 )
    - TKIP – Temporal Key Integrity Protocol
    - RC4 uses WPA key (PSK or EAP) + Initialization vector + Per packet key mixing + Re-Keying + Message Integrity Check
    - SECURE


Page 6: Wireless Security

Encryption
  ◦ WPA2 – Wi-Fi Protected Access 2
    - Implements IEEE 802.11 a, b, g and basic/mandatory functions of IEEE 802.11i
    - New architecture based on AES
    - AES – Advanced Encryption Standard
      - Symmetric crypto system
      - Complies with the requirements of FIPS 140-2
    - Choose strong password / passphrase (63 characters)
    - SECURE


Page 7: Wireless Security

RADIUS
  ◦ Remote Authentication Dial-In Server
  ◦ Client – Server system
  ◦ AAA protocol
    - Authentication ( who )
    - Authorization ( what )
    - Accounting ( track consumption )

VPN – Virtual Private Network
  ◦ Tunnel
  ◦ Authentication
  ◦ Secure Encryption ( Public Key / RSA )


Page 8: Wireless Security

Weaknesses
  ◦ Several techniques to compromise

Sniffing an IP address
  ◦ Deactivated DHCP
  ◦ IP address transmitted in every packet

Spoofing a MAC address
  ◦ MAC address filter
  ◦ MAC address transmitted in every frame


Page 9: Wireless Security

Hacking WEP
  ◦ Introduced in 1999
  ◦ Serious weaknesses identified in 2001
  ◦ IV – Initialization Vector used for decryption
  ◦ ICV – Integrity Check Value
    - CRC32 checksum
    - CRC32 is strictly linear
  ◦ Calculation of the Key
    - Attack based on security flaw in CRC32
    - 500 000 – 1 000 000 IVs for 128 bit encryption
    - Techniques: Packet Reinjection / Deauthenticate Client
    - TU Darmstadt ( PTW ): 50 000 IVs for 128 bit (50%)
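Why the CRC32 ICV is no integrity check, and why WPA added a Message Integrity Check: the WEP construction from pages 5 and 9 on a constructed frame, as an added example that is not part of the original slides. The key, IV and payload are made up, and HMAC-SHA256 stands in for a keyed MIC (TKIP itself uses a different MIC algorithm).

```python
import hashlib
import hmac
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of the RC4 keystream for `key`."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data))     # unkeyed CRC32, as in WEP

def wep_seal(iv: bytes, key: bytes, data: bytes) -> bytes:
    body = data + icv(data)
    return xor(body, rc4(iv + key, len(body)))     # RC4 seed = IV + WEP key

def wep_open(iv: bytes, key: bytes, sealed: bytes):
    body = xor(sealed, rc4(iv + key, len(sealed)))
    return body[:-4], body[-4:] == icv(body[:-4])  # (data, does the ICV verify?)

def icv_fixup(delta: bytes) -> bytes:
    """CRC32 is affine: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(0...0), so the ICV
    change caused by `delta` follows from `delta` alone, without key or plaintext."""
    return struct.pack("<I", zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta))))

def demo():
    iv, key = b"\x01\x02\x03", b"constructed13"    # constructed 24-bit IV, 104-bit key
    mic_key = b"constructed mic key"               # constructed key for the keyed MIC
    data = b"field=0010"                           # constructed payload
    sealed = wep_seal(iv, key, data)
    mic = hmac.new(mic_key, data, hashlib.sha256).digest()
    delta = xor(b"field=0010", b"field=9910")      # change applied to the ciphertext
    changed, icv_ok = wep_open(iv, key, xor(sealed, delta + icv_fixup(delta)))
    mic_ok = hmac.compare_digest(mic, hmac.new(mic_key, changed, hashlib.sha256).digest())
    return changed, icv_ok, mic_ok
```

`demo()` returns the altered payload, `True` for the ICV check and `False` for the keyed MIC: the receiver's WEP check accepts the modified frame, a keyed check does not.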


Page 10: Wireless Security

WPA / WPA2
  ◦ Currently no weakness or security flaw
  ◦ Weak Passwords
    - Choose a strong password
    - At least 12 characters
    - Mixed letters, numbers and symbols
  ◦ Dictionary Attack
  ◦ Brute-Force Attack
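Why the passphrase is the part that matters in PSK mode: IEEE 802.11i derives the 256-bit key deterministically from passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 iterations), so a guessable passphrase means a guessable key. The following is an added example, not part of the original slides; it derives the PSK and audits a candidate passphrase against the rules on this page, with a small constructed wordlist standing in for a real dictionary.

```python
import hashlib
import string

# Constructed mini wordlist standing in for a real dictionary (assumption).
WORDLIST = {"password", "letmein", "qwerty", "wireless", "welcome"}

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit PSK per IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def audit_passphrase(p: str) -> list:
    """Return the findings for passphrase p; an empty list means it passes."""
    findings = []
    if not 8 <= len(p) <= 63 or any(not 32 <= ord(c) <= 126 for c in p):
        findings.append("invalid: WPA passphrases are 8-63 printable ASCII characters")
    if len(p) < 12:
        findings.append("shorter than 12 characters")
    has_letter = any(c.isalpha() for c in p)
    has_digit = any(c.isdigit() for c in p)
    has_symbol = any(c in string.punctuation or c == " " for c in p)
    if not (has_letter and has_digit and has_symbol):
        findings.append("does not mix letters, numbers and symbols")
    # Strip digits and symbols so "Password2016!" is still recognised as a dictionary word.
    core = "".join(c for c in p.lower() if c.isalpha())
    if core in WORDLIST:
        findings.append("dictionary word with digits/symbols appended")
    return findings
```

Because the SSID is the salt, the same passphrase yields a different PSK on a differently named network; a unique SSID therefore adds some protection against precomputed tables, but none against a dictionary run for that specific network.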


Page 11: Wireless Security

Tools and Techniques
  ◦ MAC address spoofing
    - Linux
      - macchanger -s wlan0
    - Windows
      - supported by some Wi-Fi cards
      - SMAC or other tools
  ◦ ARP spoofing
    - Spoof the wrong MAC – IP combination
    - Windows
      - WinArpSpoofer
    - Linux
      - arpspoof -t 10.0.0.1 ( all packets to your host )


Page 12: Wireless Security

Tools and Techniques
  ◦ Man-in-the-Middle ( MITM )
    - Use ARP spoofing to get packets
    - Analyze packets
    - Forward packets to victim
    - Linux:
      - fragroute/fragrouter
      - sslsniff ( https MITM )
  ◦ DNS Spoofing
    - Spoof the wrong Hostname – IP combination
    - Linux:
      - dnsspoof


Page 13: Wireless Security

Tools and Techniques
  ◦ Sniffing data
    - Used for MITM or passive listening
    - Capture and analyze data
    - Linux / Windows:
      - Wireshark ( Ethereal )
  ◦ Aircrack Toolkit
    - Cracking a WEP encryption
    - Airodump
      - Logging / Scanning IVs
    - Aireplay
      - Re-inject packets


Page 14: Wireless Security

Act of searching Wireless Networks

In general with a car
  ◦ Warbiking
  ◦ Warwalking

Warchalking
  ◦ Mark a place, mostly with chalk

Mapping
  ◦ Create exact maps
  ◦ Use GPS to get the coordinates
  ◦ Provide information online

Difference to Piggybacking
  ◦ Use of the wireless network


Page 15: Wireless Security

Equipment
  ◦ Good equipment for effective Wardriving
  ◦ Notebook with Tools
  ◦ Wireless Network Card
    - Regular Card
    - Special Card with an external antenna interface
  ◦ Antenna
    - Directional
    - Omnidirectional
    - Parabolic (not for Wardriving)
  ◦ GPS receiver
    - Logging / Mapping


Page 16: Wireless Security

Tools
  ◦ Operating System
    - Windows ( just for Mapping and Logging )
    - Linux (Special Distributions)
      - All tools and drivers preinstalled
      - Run from CD
      - E.g. Backtrack ( Auditor )
  ◦ Scanning and Mapping
    - Windows
      - Netstumbler
    - Linux
      - Kismet


Page 17: Wireless Security

Wardriving
  ◦ Scan for wireless networks ( Netstumbler / Kismet )
  ◦ Save the GPS position

Piggybacking
  ◦ Connect to the wireless network
  ◦ Use the network


Page 18: Wireless Security

Using Backtrack ( Auditor )

Hidden SSID
  ◦ aircrack to deauthenticate ( force reconnect )
  ◦ Scan with airodump for the SSID

Scan and log IVs
  ◦ airodump to log
  ◦ Filters, Stores and analyzes packets for IVs

Reinject packets
  ◦ aireplay reinjects found IVs
  ◦ Increases the retransmitted IVs

Crack the Key
  ◦ aircrack to calculate the WEP key
  ◦ Enough IVs needed


Page 19: Wireless Security

MAC filter
  ◦ Scan packets with Wireshark ( Ethereal )
  ◦ Spoof a MAC address with macchanger

DHCP deactivated
  ◦ Scan packets with Wireshark ( Ethereal )
  ◦ Set your IP address

Man-in-the-Middle
  ◦ Spoof your MAC with the gateway's IP
  ◦ Spoof your MAC with the victim's IP
  ◦ Reroute packets
  ◦ Using arpspoof and fragroute
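The wrong MAC/IP combination that ARP spoofing announces (pages 11 and 19) is also what makes it detectable: one IP suddenly answers from a new MAC, and one MAC starts claiming several IPs, typically including the gateway's. The following detection sketch is an added example, not part of the original slides; the log format and every address in it are constructed.

```python
from collections import defaultdict

# Constructed ARP observations, one per line: "<seconds> <sender IP> <sender MAC>".
# The format and all values are made up for this example.
SAMPLE = """\
0.0  10.0.0.1   00:11:22:33:44:01
1.2  10.0.0.23  00:11:22:33:44:17
2.0  10.0.0.42  00:11:22:33:44:2A
9.5  10.0.0.1   00:11:22:33:44:2a
9.6  10.0.0.23  00:11:22:33:44:2a
12.0 10.0.0.1   00:11:22:33:44:01
garbage line
"""

def parse(text):
    """Yield (timestamp, ip, mac) and skip lines that are not three valid fields."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield float(parts[0]), parts[1], parts[2].lower()
        except ValueError:
            continue

def detect(text):
    baseline = {}                    # first MAC seen for each IP
    mac_ips = defaultdict(set)       # every IP a MAC has claimed
    ip_moved = []
    for ts, ip, mac in parse(text):
        mac_ips[mac].add(ip)
        first = baseline.setdefault(ip, mac)
        if mac != first:             # IP is now announced by a different MAC
            ip_moved.append((ts, ip, first, mac))
    multi = {m: sorted(ips) for m, ips in mac_ips.items() if len(ips) > 1}
    return {"ip_moved": ip_moved, "multi_ip_macs": multi}
```

Address reuse after a DHCP lease change and router failover pairs produce the same pattern, so treat a hit as a signal to investigate. Static ARP entries for the gateway or Dynamic ARP Inspection on the switch address the cause rather than the symptom.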


Page 20: Wireless Security

Spoof DNS Entry
  ◦ Spoof your IP address for different hostnames
  ◦ E.g. hostname of the victim's bank

Intercept SSL connections
  ◦ SSL MITM attack
  ◦ Fake SSL certificate
  ◦ Sniff data transmitted via SSL
  ◦ Using sslsniff

Sniff Data
  ◦ Log and analyze all transmitted data
  ◦ Using Wireshark ( Ethereal )

Get access to Computers
  ◦ Using various Windows / Linux tools


Page 21: Wireless Security

Secure your wireless network properly!

Don't rely on
  ◦ Hidden SSID
  ◦ MAC filter
  ◦ Deactivated DHCP
  ◦ WEP

Use a proper encryption
  ◦ WPA / WPA2 ( choose a strong password )
  ◦ VPN ( secure with multi user )


Page 22: Wireless Security

Thanks for your attention.

Any questions?

Frank Pfleger
