
War of the Airwaves Wireless Hacks & Defenses


Presentation Transcript


  1. War of the Airwaves: Wireless Hacks & Defenses

  2. Get Ready for the Untethered World!

  3. Wired Network Security Architecture (diagram)
     Labels: Attackers, INTERNET, SECURE ENTERPRISE PERIMETER, INTRANET, Server, Desktop, Virus & Malware, Inside Threat, Data Theft

  4. Wireless Threats to Enterprise Networks (diagram)
     Threats shown: Rogue AP connected to the network; Neighboring AP; Leaked wired traffic & insertion; Users bypassing network security controls; Wi-Fi phishing; Non-compliant AP; Evil Twin; Municipal Wi-Fi AP
     Everyone is on the inside. Municipal Wi-Fi aggravates threats to enterprise networks.
     Other labels: Hacker, Server, Mobile User, AP, INTERNET, INTRANET, Laptop, Desktop

  5. Characteristics of Wireless Networks (diagram: AIR vs. Host AP)
     1. Shared, uncontrolled media
        • Invisible & airborne threats are hard to control vs. a wired network
     2. Self-deploying & transient networks
        • Simplicity of self-discovery creates security challenges
        • Mobile nature of wireless LAN devices and users requires in-depth forensics capability to address security breaches
     3. User indifference
        • Invisible connectivity & true distributed nature give a faulty sense of security
     4. Easier to attack
        • Lax WLAN security is the lowest-hanging fruit for hackers; dozens of tools are readily available to exploit these holes
     Wireless networks pose higher risks than wired networks.

  6. AirDefense Layered Approach to Security (diagram)
     Wired networks vs. wireless networks; wired security tools: Anti-Virus, Content Filtering, SSL VPN, Firewalls, Secure Perimeter; axes: attack sophistication, damage; increased vulnerability for upper layers; predominant attacks

  7. Wireless Attack Surface
     Signal emitted from a single access point.

  8. Just a Little Wigle
     Over 11 million networks... with GPS... I know all your secrets!

  9. Security is Never About "Just Good Enough"
     • Run your firewall for 6 minutes a day
     • Turn off your IDS
     • Allow all traffic through your firewall
     • Leave doors unlocked
     • Leave keys in the car

  10. Wireless Data Breaches in Retail

  11. Agenda
     Introduction to Wireless Security
     Attacking the RF Medium
        • Passive Listening
        • Wired Network Leakage
        • Injection
        • Jamming
        • Breaking WEP
     Wireless Risks & Attacks
     Best Practices for Wireless Security
     The AirDefense Solution
     Q&A

  12. Wireless Sniffing: Why & What Happens
     • Any clear-text is heard by everyone
     • If you are using WEP, remember everyone has YOUR key
     • Very common at hotspots
     • Hashes are sent in clear-text
     • Most services still authenticate over clear-text, no tunnels
     • Internal/corporate servers are at higher risk due to lower security

  13. It's Encrypted
     • Is it really encrypted??
     • In some APs, "Both" is the typical security setting
     • No to show that data is encrypted
     • The #1 AP vendor: "Enable WEP, MIC, and TKIP"; "Set the WEP level and enable TKIP and MIC"
     • "If you enter optional, client devices can associate to the access point with or without WEP enabled. You can enable TKIP with WEP set to optional but you cannot enable MIC. If you enter mandatory, client devices must have WEP enabled to associate to the access point. You can enable both TKIP and MIC with WEP set to mandatory." (www.cisco.com)

  14. WEP: Summary of Attacks
     • 23 known attacks against WEP
     • WEP weaknesses:
        • Lack of IV replay protection
        • Short IV sequence space
        • RC4 vulnerabilities due to WEP's implementation
        • Linear properties of CRC32 (allows bit flipping)
        • Lack of keyed Message Integrity Check (MIC)
        • Use of shared keys
     Breaking WEP, time required by year:
        2001  Un-crackable
        2003  Years
        2004  Days
        2005  Hours
        2006  Minutes
        2007  Seconds
     Shows that implementation is VERY important.
     Ultimate hacking tool for WEP: http://www.aircrack-ng.org/
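As an added illustration of the "linear properties of CRC32" and "lack of keyed MIC" items above (example code written for this page, not part of the AirDefense deck): the block models a WEP-style frame as keystream XOR (plaintext || CRC-32 ICV) and shows that the ICV stays valid under a bit flip made by someone who never sees the key, whereas a keyed MIC does not survive the same manipulation. The keystream and the MIC key are constructed with os.urandom as stand-ins; no RC4 and no real 802.11 frame layout is involved.

```python
# Added example (not from the AirDefense deck): why a linear CRC-32 ICV gives a
# stream cipher no integrity, and why a keyed MIC does.  All inputs are constructed;
# os.urandom stands in for the RC4 keystream, which the "attacker" never sees.
import hashlib
import hmac
import os
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_is_linear(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine over GF(2): for equal-length inputs,
    crc(a ^ b) == crc(a) ^ crc(b) ^ crc(all-zero).  This is the linearity
    the slide lists as 'allows bit flipping'."""
    zeros = bytes(len(a))
    return zlib.crc32(xor(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


def icv(data: bytes) -> bytes:
    # WEP's ICV: plain CRC-32 of the plaintext, no key involved.
    return zlib.crc32(data).to_bytes(4, "little")


def wep_style_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """Model of a WEP frame body: keystream XOR (plaintext || ICV)."""
    return xor(plaintext + icv(plaintext), keystream)


def wep_style_decrypt(ciphertext: bytes, keystream: bytes):
    """Returns (plaintext, icv_ok)."""
    body = xor(ciphertext, keystream)
    plaintext, tag = body[:-4], body[-4:]
    return plaintext, icv(plaintext) == tag


def flip_bits_without_key(ciphertext: bytes, delta: bytes) -> bytes:
    """What CRC linearity permits: XOR a chosen delta into the ciphertext and
    patch the (still encrypted) ICV using only crc(delta); no key needed."""
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))).to_bytes(4, "little")
    return xor(ciphertext, delta + icv_delta)


def keyed_mic(mic_key: bytes, data: bytes) -> bytes:
    # What WEP lacks: an integrity tag that depends on a key (HMAC-SHA1, truncated to 8 bytes).
    return hmac.new(mic_key, data, hashlib.sha1).digest()[:8]


def mic_style_encrypt(plaintext: bytes, mic_key: bytes, keystream: bytes) -> bytes:
    return xor(plaintext + keyed_mic(mic_key, plaintext), keystream)


def mic_style_decrypt(ciphertext: bytes, mic_key: bytes, keystream: bytes):
    body = xor(ciphertext, keystream)
    plaintext, tag = body[:-8], body[-8:]
    return plaintext, hmac.compare_digest(keyed_mic(mic_key, plaintext), tag)


def demo() -> dict:
    original = b"dst=10.0.0.15 GET /payroll"   # constructed plaintext
    wanted = b"dst=10.0.0.99 GET /payroll"     # what a bit-flipper wants the receiver to see
    delta = xor(original, wanted)               # depends on a plaintext guess only, never on the key
    keystream = os.urandom(len(original) + 8)   # stand-in for RC4(IV || key)
    mic_key = os.urandom(16)

    # CRC-only frame: the patched ICV verifies and the receiver accepts the altered text.
    wep_ct = wep_style_encrypt(original, keystream)
    wep_pt, wep_ok = wep_style_decrypt(flip_bits_without_key(wep_ct, delta), keystream)

    # Keyed-MIC frame: the same delta alters the text, but the tag cannot be patched without the key.
    mic_ct = mic_style_encrypt(original, mic_key, keystream)
    _, mic_ok = mic_style_decrypt(xor(mic_ct, delta + bytes(8)), mic_key, keystream)

    return {
        "crc_linear": crc32_is_linear(original, wanted),
        "wep_icv_ok_after_flip": wep_ok,
        "wep_plaintext_after_flip": wep_pt,
        "mic_ok_after_flip": mic_ok,
    }
```

Running demo() shows the CRC-only frame decrypting to the altered text with a valid ICV while the keyed-MIC frame fails verification; that gap is what the keyed MICs of TKIP and CCMP were introduced to close, and it is why the deck lists "lack of keyed MIC" directly beside CRC linearity.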

  15. WPA-PSK
     The PSK version of WPA suffers from an offline dictionary attack because the information required to create and verify a session key is BROADCAST. In WPA, the PMK (master key) is produced by running a special function on a pre-shared passphrase and an SSID. Both the host and the AP use this PMK, along with MAC addresses and nonces, to create the PTK (session key).
     Key derivation:
        PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256)
        PTK = PRF-512(PMK, "Pairwise key expansion", Min(AP_Mac, Client_Mac) || Max(AP_Mac, Client_Mac) || Min(ANonce, SNonce) || Max(ANonce, SNonce))
     Four-way handshake between Client and Access Point, both holding the PMK:
        1. AP -> Client: EAPOL-Key (ANonce); client derives PTK
        2. Client -> AP: EAPOL-Key (SNonce, MIC, RSN IE); AP derives PTK
        3. AP -> Client: EAPOL-Key (ANonce, MIC, RSN IE); client installs keys
        4. Client -> AP: EAPOL-Key (SNonce, MIC); AP installs keys
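The derivation and handshake above, carried through in code as an added example (written for this page; it is not AirDefense's code nor that of any tool the deck names). Only the Python standard library is used. The pair "password"/"IEEE" is the PBKDF2 test vector from IEEE 802.11i Annex H; the MAC addresses, nonces and the EAPOL-Key bytes are constructed placeholders, not captured traffic.

```python
# Added example (not from the deck): the WPA-PSK derivation the slide diagrams,
# using only hashlib/hmac.  "password"/"IEEE" is the IEEE 802.11i Annex H test
# vector; MAC addresses, nonces and the EAPOL frame bytes below are constructed.
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256): HMAC-SHA1, 4096 rounds, 32 bytes out
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated to 512 bits
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def wpa_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion",
    #               Min(AP_Mac, Client_Mac) || Max(AP_Mac, Client_Mac) || Min(ANonce, SNonce) || Max(ANonce, SNonce))
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def split_ptk(ptk: bytes) -> dict:
    # First three 128-bit pieces: KCK (EAPOL MIC key), KEK (key-wrap key), TK (data traffic key)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_key_mic(kck: bytes, eapol_frame_mic_zeroed: bytes, wpa2: bool = True) -> bytes:
    # Key MIC field: HMAC-SHA1 truncated to 16 bytes for WPA2/CCMP, HMAC-MD5 for WPA/TKIP
    algo = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, eapol_frame_mic_zeroed, algo).digest()[:16]


def ap_checks_message2(passphrase, ssid, ap_mac, client_mac, anonce, snonce, msg2_mic_zeroed, mic):
    """The AP's check on handshake message 2.  Every input except the passphrase
    travels in the clear, so a listener can run this identical computation against
    a guessed passphrase: the offline dictionary attack the slide describes."""
    ptk = wpa_ptk(wpa_pmk(passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    return hmac.compare_digest(eapol_key_mic(split_ptk(ptk)["KCK"], msg2_mic_zeroed), mic)


# Constructed handshake values (placeholders, not captured traffic).
SSID = "IEEE"
AP_MAC = bytes.fromhex("001122aabbcc")
CLIENT_MAC = bytes.fromhex("00aabb112233")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
MSG2 = bytes([0x02, 0x03, 0x00, 0x5F, 0x02]) + bytes(95)   # toy EAPOL-Key body, MIC field zeroed


def demo() -> dict:
    pmk = wpa_pmk("password", SSID)
    ptk = wpa_ptk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    mic = eapol_key_mic(split_ptk(ptk)["KCK"], MSG2)   # what the client would put in message 2
    return {
        "pmk_hex": pmk.hex(),
        "ptk_len": len(ptk),
        "mic_ok_right_passphrase": ap_checks_message2(
            "password", SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, MSG2, mic),
        "mic_ok_wrong_passphrase": ap_checks_message2(
            "Password", SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, MSG2, mic),
    }
```

The slide's point is visible in ap_checks_message2: the AP can only verify message 2 by recomputing the PMK and PTK, and every input to that computation except the passphrase is sent in the clear, so a listener can repeat it once per guessed passphrase. The 4096 PBKDF2 rounds are the only thing bounding the guess rate (the keys-per-second figures on the next slide), which is why passphrase length and randomness, rather than the SSID or the cipher suite, decide whether WPA-PSK holds up.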

  16. WPA Tools (Easier than WEP)
     • http://sourceforge.net/projects/ptcrack/ : a hybrid dictionary/brute-force passphrase search tool for PMK discovery on 802.11 networks using WPA with pre-shared keys (PSKs)
     • coWPAtty 3.0 (http://www.churchofwifi.org) is designed to audit the security of pre-shared keys selected in Wi-Fi Protected Access (WPA) networks
     • Rainbow-like tables: http://umbra.shmoo.com:6969/torrents/wpa_psk-h1kari_renderman.torrent ; the resulting list is ~1,000,000 words, for a total of approximately 40 GB of hash tables for the top 1000 SSIDs
     • Aircrack-ng: built-in WPA cracker since version 2.3, http://www.aircrack-ng.org/
     • WPA Cracker (http://www.tinypeap.com/page8.html) is a brute-force password cracker; all information is entered manually
     • Rogue Squadron WRT firmware: http://airsnarf.shmoo.com/rogue_squadron/index.html
     If you use a 21-character passphrase, are you safe? How many clients and APs let you enter 31 characters? What happens when you reach and overlap with the SSID?
     Cracking speed: 2006, 80 keys per second; 2007, 130 keys per second; 2007, 30,000 keys per second

  17. What in the Air can Kill You? #1 Corporate Vulnerability
     • Even if the data is encrypted, the services that are run by the MAC address can be detected
     • Remember wireless is LAYER 2; it will send out all Layer 2 traffic
        • VRRP, HSRP, Spanning Tree, OSPF, VTP/VLAN, CDP
     • VLANs don't help unless filtered
     • MOST USE HASHES or PASSWORDS
        • Clear-text
     • Broadcast/multicast key rotation is OFF by default
        • Client devices using static WEP cannot use the access point when you enable broadcast key rotation
     It's a two-way street: what goes out can also come in!

  18. Injection of Traffic
     • Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems. http://www.yersinia.net
     • Attacks:
        • Spanning Tree Protocol (STP)
        • Cisco Discovery Protocol (CDP)
        • Dynamic Trunking Protocol (DTP)
        • Dynamic Host Configuration Protocol (DHCP)
        • Hot Standby Router Protocol (HSRP)
        • 802.1q
        • 802.1x
        • Inter-Switch Link Protocol (ISL)
        • VLAN Trunking Protocol (VTP)
     • Current exploits:
        • Cisco CatOS VLAN Trunking Protocol Remote Command Execution Vulnerability
        • Cisco IOS Multiple VLAN Trunking Protocol Code Execution and DoS Vulnerabilities
        • Cisco Intrusion Prevention and Detection Systems DoS and Security
        • Cisco Access Point Web-browser Interface Unauthorized Administrative Access and Bypass Issue

  19. Agenda
     Introduction to Wireless Security
     Attacking Clients
        • Wireless Fuzzing
        • Mobile Workers
        • Windows Zero-Configuration
        • Hotspots
        • Station Impersonation
        • Bridging Interfaces
        • Wireless Printers
     Wireless Risks & Attacks
     Best Practices for Wireless Security
     The AirDefense Solution
     Q&A

  20. Clients: All Shapes and Sizes
     Hotspots, Wi-Fi phones, free access via OUI
     Many ways to attack clients: scan, exploit, repeat. But why do you have to? Have the client come to you! YOU KNOW WHAT THEY WANT!!!!!!!
     Probe Request -> Soft AP answering the Probe Request

  21. Attacking Wireless Clients: Packets of Death
     • Plenty of them, from handheld devices to laptops
     • Most are BAD packets, usually management or control frames; some are data
     • WEP cracking is adding to the packets
     • Fuzzing
        • Most are using cut-through data rates (5.5 for beacon frames)
        • Most are simple buffer overflows
        • Lots of things that go BOOM: client software, authentication supplicants
     http://www.802.11mercenary.net/lorcon/

  22. Client MAC Address Spoofing
     SMAC (www.klcconsulting.net/smac) is a MAC address modifying utility (spoofer) for Windows 2000/XP and Server 2003 systems, regardless of whether the manufacturers allow this option or not.
     Steps (diagram: Hacker, User Station, AP):
        1. Find the MAC address of the user station: 00 02 2D 50 D1 4E (Cisco 350)
        2. Change MAC (SMAC, regedit)
        3. Re-initialize card
        4. Associate to AP
     ORIGINAL MAC: 00 12 2D 50 43 1E (Orinoco Gold); NEW MAC: 00 02 2D 50 D1 4E
     MAC filtering is not enough.

  23. How Not to Attack a Client: Wired Thinking Attack
     1. Laptop sends probe request
     2. AP responds to probe request
     3. Naive user associates with AP (intruder laptop as soft AP)
     4. AP provides IP address to user
     5. Scan laptop for Windows vulnerabilities & compromise it
     6. Use user station as a launch pad into the CORPORATE NETWORK
     Municipal Wi-Fi increases the Evil Twin attack surface.

  24. Windows Wireless Zero Configuration
     • Wireless Auto Configuration attempts to connect to the preferred networks that appear in the list of available networks, in preferred-network preference order
     • If there are no successful connections, Wireless Auto Configuration attempts to connect to the preferred networks that are hidden wireless networks (no beacon SSID)

  25. Windows Wireless Zero Configuration
     • If there are no successful connections and there is an ad hoc network in the list of preferred networks that is available, Wireless Auto Configuration tries to connect to it

  26. Windows Wireless Zero Configuration
     • If there are no successful connections, Wireless Auto Configuration configures the wireless network adapter to act as the first node in the ad hoc network
     • If there are no successful connections to preferred networks and there are no ad hoc networks in the list of preferred networks, and "Automatically connect to non-preferred networks" is enabled, then, if all connection attempts to non-preferred networks fail, Wireless Auto Configuration creates a random wireless network name and places the wireless network adapter in infrastructure mode
     • If the Windows wireless client is already connected to a wireless network but a more preferred wireless network becomes available, Wireless Auto Configuration disconnects from the currently connected wireless network and attempts to connect to the more preferred wireless network

  27. Wireless Phishing
     • Tools such as Karma can respond to ANY client probe request
     • Variety of services (POP, FTP and HTTP) to lure unsuspecting users
     • No authentication of the "pervasive wireless cloud"
     • Automatic network selection in Windows (Zero Configuration client) and Macs is dangerous
     • Enterprises need to manage centralized policies
     • Karma (http://theta44.org/karma/index.html)
     • AirSnarf (http://airsnarf.shmoo.com/)

  28. DHCP and DNS Client Attacks
     • Since they take the hook, now they are asking for more: hungry fish
     • "Give me an IP address"
        • Give them an address that could be excluded from personal firewalls: 10.X.X.X, 192.168.X.X, 172.16.X.X
        • Or an IP address they are looking for
     • DHCP attack
        • Exploit attacks a client and creates an admin user on the device
        • DHCP broadcast attack (MS06-036): http://www.milw0rm.com/sploits/07212006-MS06_036_DHCP_Client.tar.gz
     • DNS attack/manipulation
        • "I am DNS, I am the Internet" - Cricket Liu
        • Can offer anything to you and you believe it
        • Sites: banking, hotel, airlines, work (Exchange, Oracle, SQL)

  29. Data Seepage
     • Your notebook is not location-aware: office, home or hotspot
     • Interfaces are active by order; the last interface is usually Wi-Fi
     • It wants to always connect to something, just someone to offer you a connection
     • All data is the same wherever you are: company name, servers, email, clients, applications, and more...
     What am I connected to? Office / Home / Hotspot

  30. Agenda
     Introduction to Wireless Security
     Real-World Wireless Issues
        • Zero-Day Attacks
        • Hotspots
     Wireless Risks & Attacks
     Best Practices for Wireless Security
     The AirDefense Solution
     Q&A

  31. Exploiting is too Easy!
     Vx.netlux.org: MVBSWE worm editors, virus editors, script editors
     Do you trust your hotspot web page? Corporate guest access?

  32. Zero Day Alerts
     http://www.frsirt.com/ , http://www.cert.org , http://nvd.nist.gov
     FrSIRT delivers vulnerability and threat alerts, 24/7, 365 days a year, to inform organizations of new potential threats. Our services are designed to deliver notification of vulnerabilities and exploits as they are identified, providing timely, actionable information and guidance to help mitigate risks before they are exploited.

  33. Zero Day: New Attacks
     • Zero-day attacks against known services
     • Zero-day attacks against IE, Firefox
     • Remote exploits: I am on your system as YOU!
     • New Trojans and viruses ready for injection
     • Favorite exploits: NEW, WMF, Media Player, Java exploits
     www.milw0rm.com

  34. Adding to Metasploit Framework
     • Wireless enabled
     • Driver-level exploits
     • Point-and-click exploits
     • Exploits for zero-day attacks
     • Numerous payloads
     • Numerous ways to take over your computer

  35. Agenda
     Introduction to Wireless Security
     Enumeration of Wireless Devices
        • Password Sniffing & Cracking
        • Hacking Password Hashes
        • Breaking VPNs over Wireless
        • Listening to VoIP Conversations
        • One-way Insertion Attacks
        • Zero-day Attacks
        • Snarfing
     Wireless Risks & Attacks
     Best Practices for Wireless Security
     The AirDefense Solution
     Q&A

  36. Hacking Password Hashes
     • Get virtually any password: offline & passive
     • LEAP, PPTP, MS-CHAPv2, MD5
     • Search a hash list to find the password: a large password list is used to generate the hashes; requires 3-5 GB of space
     • Rainbow tables are indexed hash lists; require 2-3 TB of space; known tables exist for up to 14 characters
     http://rainbowtables.shmoo.com/ , http://www.antsight.com/zsl/rainbowcrack/ , http://www.rainbowcrack-online.com/

  37. Man-in-the-Middle Attack: WLAN Jack & Air-Jack Tools
     Allows the attacker to:
        • Intercept ALL communications between the client & AP
        • Pretend to be the client without disrupting the client's session at Layer 2
     Possible due to: management frames' lack of authentication / lack of AP authentication
     Step 1: Disassociate the target station from the AP by spoofing the MAC of the AP and sending Disassociate & Deauth frames
     Step 2: Attacker re-associates the target to the malicious station and connects to the AP
     (Diagram: AP, Server, Target, Dual-Card Attacker)

  38. Snarfing Hot Spots
     Security question: connecting to an untrusted network and launching the most vulnerable program you have just screams "E X P L O I T  M E"!!!!
     • Fake web pages steal your hotspot password
     • Evil web pages infect your PC with malware
     • My web pages steal your NT password (1x1 pixel)
     • Cross-site scripting
     • Installs Trojans, installs spyware, opens back doors, changes the registry, adds a user account, shares files and such
     Oops, you just opened a web page, that's all!!!!!

  39. Next Generation Wireless Attacks
     • 802.1x state machine: client-initiated disconnection; assumes everyone plays nice
     • Fuzzing attacks will expand: Intel driver issues, 802.1x supplicant issues, AP issues
     • Exploit more EAP types: TLS is not secure in Windows
     • Windows Vista: wireless stack rewritten
        • Good news: support for many EAP types, providing for XP too
        • Bad news: hacking tools ported to Windows, built-in network address spoofing, point-and-click "hacking"

  40. Firewall Myths
     A "firewall only" approach to network security. Firewalls:
     • Cannot stop rogue wireless devices
     • Do not eliminate the need for wireless scanning for rogues
     • Do not protect against wireless attacks
     • Once a hacker is on the network they can punch through open ports
     • Access Control Lists are weaker than firewalls
     • Best bet is to keep hackers off the network

  41. VPN Myths
     • Allows the hacker to get onto the open Wi-Fi network and exploit the network or clients for weaknesses
     • Client cannot run on many embedded devices (e.g., wireless scanners, VoWi-Fi handsets, etc.)
     • Subnet roaming is problematic
     • VPN: less performance and more overhead
     • Break weak encryption & authentication
        • Re-authentication on weak ciphers
        • Dictionary attacks on weak ciphers
     • Protocol & server flaws exposed
        • IKE Aggressive mode
        • Pre-shared keys
        • Exploiting bugs in the VPN server
     (Diagram: VPN vs. WIPS wireless security) A Layer 3 solution to a Layer 2 problem.

  42. VLANs
     • Virtual Local Area Networks: a logical grouping of devices or users
     • Users can be grouped by function, department, application, regardless of physical segment location
     • VLAN configuration is done at the switch (Layer 2)
     • WIRELESS is not the SAME (spoofing is EASY)
     • VLAN membership
        • Static VLAN assignment: port-based membership; membership is determined by the port on the switch and not by the host
        • Dynamic VLAN assignment: membership is determined by the host's MAC address; the administrator has to create a database with MAC addresses and VLAN mappings

  43. Internet Guest Networking Issues on VLANs
     • Guest access to the Internet via WLAN
     • IP address for the WLAN client via a DHCP server which sits inside the corporate network, including DNS server credentials
     • Sometimes a split, but that does not help either... as the DNS server is still in the corporate LAN...
     • Issues: DHCP DoS, DNS DoS, VLAN hopping, among others
     (Diagram: DNS Server, DHCP Server, Access Point, WLAN SSID = 1q VLAN used for Guest, "tunnelled"; DHCP address supplied containing DNS server information; guest DNS request from client)

  44. Client VLAN Hopping
     • Basic VLAN hopping attack: the attacker fools the switch into thinking that he is a switch that needs trunking
     • Double-encapsulated VLAN hopping attack
        • Switches perform only one level of IEEE 802.1q decapsulation
        • This allows the attacker to specify a .1q tag inside the frame, allowing the frame to go to a VLAN that the outer tag did not specify
     • SSIDs: Corp, Guest, OLD, VOIP
     (Diagram: Corp, VOIP, OLD, ? Guest; Guest WPA-2; Guest WEP only)
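The double-encapsulation point above, as an added example (written for this page, not taken from the deck): a parser that peels every stacked 802.1Q tag, a model of the one-level decapsulation the slide describes, and the check a monitoring point would apply to catch such frames. All frames are constructed byte strings built in memory; nothing is sent.

```python
# Added example (not from the deck): parse stacked IEEE 802.1Q tags so a monitor can
# flag double-tagged frames, and model the single-level decapsulation the slide
# describes.  Frames are constructed in memory; nothing is sent.
import struct

TPID_8021Q = 0x8100


def build_frame(dst: bytes, src: bytes, vlan_ids, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with zero or more 802.1Q tags, outermost first (PCP/DEI left 0)."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, [vlan ids, outermost first], ethertype, payload),
    peeling every 802.1Q tag rather than just the first one."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype != TPID_8021Q:
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)      # VLAN ID is the low 12 bits of the TCI
        off += 4
    return dst, src, vids, etype, frame[off + 2:]


def switch_pops_one_tag(frame: bytes):
    """The behaviour the slide describes: a switch strips exactly one tag and forwards
    the rest unchanged.  Returns (vid it acted on, frame as forwarded)."""
    dst, src, vids, etype, payload = parse_frame(frame)
    if not vids:
        return None, frame
    return vids[0], build_frame(dst, src, vids[1:], etype, payload)


def is_double_tagged(frame: bytes) -> bool:
    # Detection rule for a WIDS or switch ACL: any frame still carrying a second tag is suspect.
    return len(parse_frame(frame)[2]) >= 2


# Constructed sample frames (placeholders, not captured traffic).
BROADCAST = b"\xff" * 6
STATION = bytes.fromhex("001122334455")
NATIVE_VLAN, TARGET_VLAN = 1, 20
SINGLE_TAGGED = build_frame(BROADCAST, STATION, [NATIVE_VLAN], 0x0800, b"constructed payload")
DOUBLE_TAGGED = build_frame(BROADCAST, STATION, [NATIVE_VLAN, TARGET_VLAN], 0x0800, b"constructed payload")


def demo() -> dict:
    popped, forwarded = switch_pops_one_tag(DOUBLE_TAGGED)
    return {
        "single_flagged": is_double_tagged(SINGLE_TAGGED),
        "double_flagged": is_double_tagged(DOUBLE_TAGGED),
        "vlan_switch_acted_on": popped,
        "vlan_tag_left_after_one_pop": parse_frame(forwarded)[2],
    }
```

After switch_pops_one_tag has removed the outer tag (VLAN 1 here), the forwarded frame still carries the inner tag for VLAN 20, which is the hop the slide describes; is_double_tagged flags the frame before that happens. On the wired side the usual countermeasures are to keep the trunk's native VLAN off every access port and to tag native-VLAN traffic on trunks; the slide's point is that on wireless there is no port to hang such controls on.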

  45. Why VLANs do not Work for Wireless
     • Making logical on a physical media
     • Not making logical on a virtual media
     • Designed on port usage
     • No physical ports on wireless

  46. Agenda
     Introduction to Wireless Security
     Wireless Risks & Attacks
     Best Practices for Wireless Security
     The AirDefense Solution
     Q&A

  47. Recommended Wireless Security Strategy
     • Continually assure strong security configurations and policies 24x7 on all authorized wireless devices
     • Contain and control authorized wireless devices, both inside owned facilities and outside at hotspots, municipal Wi-Fi zones & home
     • Automatically keep all unauthorized wireless devices off the entire wired network all the time
     • Accurately detect (WIDS) and automatically defend (WIPS) against the greatest number of wireless attacks possible
     • Store and data-mine long-term, forensics-quality information for investigations and diagnosing wireless problems
     • Measure and prove compliance with regulatory wireless security policies and controls

  48. Wireless Security
     • Cannot mitigate risks: flawed
     • It's the Internet all over: Telnet, FTP, HTTP; we still use them
     • Risk vs. threats: SHARED MEDIUM, easy compromise
     • Remediation is key
     • Monitoring is key

  49. Summary
     • Wireless is a business enabler and part of every network
     • Unmonitored wireless networks make the entire network infrastructure vulnerable
     • Lack of policy compliance can result in regulatory liabilities
     • AirDefense offers market-leading solutions to provide visibility and control of all wireless assets, regardless of location
     • AirDefense solutions are trusted by the most security-sensitive organizations in the world
     • AirDefense solutions are cost-effective & provide the lowest TCO

  50. Contact Us
     Web: www.AirDefense.NET ; HQ phone: 770-663-8115
     Demo of laptop products available on www.AirDefense.NET
     Contact: Anthony Perridge, Vice President, International, aperridge@airdefense.net, +44 1628 509058
     http://www.airdefense.net/seminars/airdefense_europe_oct_2007.pdf
