
Wireless Networking Wireless Vulnerabilities and Attacks Module-10

Wireless Networking Wireless Vulnerabilities and Attacks Module-10. Jerry Bernardini Community College of Rhode Island. Presentation Reference Material. CWNA Certified Wireless Network Administration Official Study Guide, Fourth Edition, Tom Carpenter, Joel Barrett Chapter-09, pages 439-473.


Presentation Transcript


  1. Wireless Networking: Wireless Vulnerabilities and Attacks, Module-10
     Jerry Bernardini, Community College of Rhode Island
     Wireless Networking J. Bernardini

  2. Presentation Reference Material
     • CWNA Certified Wireless Network Administration Official Study Guide, Fourth Edition, Tom Carpenter, Joel Barrett
     • Chapter-09, pages 439-473

  3. What is Information Security?
     • Information Security: the task of guarding digital information
     • Information must be protected on the devices that store, manipulate, and transmit it, through products, people, and procedures
     • The properties of information that must be protected are CIA:
       • Confidentiality: only authorized parties can view information
       • Integrity: information is correct and unaltered
       • Availability: authorized parties must be able to access it at all times

  4. Layers of Security

  5. Categories of Attackers
     • Six categories of attackers:
       • Hackers: not malicious; expose security flaws, “ethical attackers”
       • Crackers: violate system security with malicious intent
       • Script kiddies: break into computers to create damage
       • Spies: hired to break in and steal information
       • Employees: unhappy employees that steal, damage and change information
       • Cyber-terrorists: steal, damage and change information for ideology or extreme beliefs

  6. Challenges of Securing Information
     • Trends making information security increasingly difficult:
       • Speed of attacks
       • Sophistication of attacks
       • Faster detection of weaknesses
       • Day zero attacks
       • Distributed attacks
         • The “many against one” approach
         • Impossible to stop an attack by trying to identify and block the source

  7. Security Attackers Profiles

  8. Security Organizations
     • Many security organizations exist to provide security information, assistance, and training
       • Computer Emergency Response Team Coordination Center (CERT/CC)
       • Forum of Incident Response and Security Teams (FIRST)
       • InfraGard
       • Information Systems Security Association (ISSA)
       • National Security Institute (NSI)
       • SysAdmin, Audit, Network, Security (SANS) Institute

  9. Common Attack Methods
     • Eavesdropping
     • Hijacking
     • Man-in-the-middle
     • Denial of Service (DoS)
     • Management interface exploits
     • Encryption cracking
     • Authentication cracking
     • MAC spoofing
     • Peer-to-peer
     • Social engineering

  10. Eavesdropping Issues
     • Definition: the interception and reading of messages and information by unintended recipients
     • A WLAN sends data through the open air
       • An attacker can easily capture frames
       • The attacker may not be able to read the frames
       • Encryption of data reduces the ability to “read” them
     • When you access a network, be sure you have been given the right to do so
       • Wardriving is eavesdropping
       • Laws against eavesdropping are being enforced

  11. Eavesdropping Utilities

  12. Man-in-the-Middle Attack
     • Makes it seem that two computers are communicating with each other
     • Actually each is sending and receiving data with a computer between them
     • Active or passive

  13. SSID Filtering
     • Disable SSID broadcast. By default, most wireless networking devices are set to broadcast the SSID, so anyone can easily join the wireless network.
     • Change the default SSID. Wireless APs have a default SSID set by the factory; Linksys wireless products use "Linksys". Change the network's SSID to something unique, and make sure it doesn't refer to the networking products, your company, department function, or location.

  14. Hijacking and Man-in-the-middle
     • Defined: an unauthorized user takes control of an authorized user’s WLAN connection
     • Occurs at Layer 1, Layer 2 and Layer 3
     • Hijacking outline:
       • Attacker starts own AP and captures traffic
       • Attacker configures his AP with the victim's SSID
       • Attacker sends a deauthentication frame with high-power RF
       • Victim reassociates with the higher-power attacker AP
       • Attacker runs DHCP, giving an address to the victim
       • Attacker can try to steal data from the victim
       • Attacker can use a second NIC to connect to the original AP
       • Traffic between the victim and the original AP is captured by the attacker
       • Complete man-in-the-middle attack with capture at Layer 1, Layer 2 and Layer 3

  15. Windows Client Vulnerabilities and Solutions
     • By default Windows sends out probe requests for “preferred networks”
       • The Wireless Networks tab properties establish which networks and in what order; the client scans for each SSID in the list
       • If it cannot find a “preferred network” it will continue to scan
     • A rogue AP hears the SSID scan list and configures itself as one of the unsecured SSIDs
     • The victim Windows client connects to the rogue AP
     • Solutions:
       • Keep the WLAN card powered off
       • Remove unsecured SSIDs from the list after using them
       • Disable the Windows client and use a more secure third-party client (Cisco LEAP)

  16. Denial of Service Attack (DoS)
     • Definition: an attack that results in the inability of a user or system to access needed resources
     • Layer 1 attack: RF jamming
       • A high-level RF signal generator “drowns out” APs in the area
       • Unintentional DoS: interference from microwave ovens, wireless phones
     • Layer 2 attack: spoofs the AP and generates management frames
       • Rogue AP spoofs the AP's MAC address
       • Rogue generates deauthentication or disassociation frames
       • Client STA disassociates
       • Rogue continues to send deauthentication or disassociation frames

  17. Other DoS Attacks
     • Empty data floods
       • Install two or three wireless adapters in a laptop
       • Generate continuous maximum-size frames
       • Position close to the victim STA for a stronger signal
       • Ties up the RF spectrum, preventing connection to legitimate APs
     • Other attacks
       • Association floods
       • Authentication floods
       • Unauthorized AP left on
     • Solution
       • Use a spectrum analyzer to track down the location of the interference
       • Scan for SSIDs and zero in on the signal
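The Layer 2 attacks on slides 15 through 17 all leave a signature in the management frames a wireless IDS sensor sees: a burst of deauthentication/disassociation frames, or one radio answering probes for several different SSIDs. The following added example (not part of the slides) runs two such detection rules over a constructed frame log; the MAC addresses, SSIDs, timestamps and thresholds are invented for the demonstration:

```python
from collections import defaultdict

# Constructed sample of 802.11 management frames as a wireless IDS sensor might log
# them: (time in seconds, frame subtype, transmitter MAC, BSSID, SSID or None).
# Addresses and SSIDs are invented for this example.
AP = "00:11:22:c5:af:3b"       # the legitimate access point
ROGUE = "de:ad:be:ef:00:01"    # an attacker-run AP answering to several SSIDs

SAMPLE_FRAMES = [
    (0.00, "beacon",     AP,    AP,    "CCRI-LAB"),
    (0.20, "probe-resp", ROGUE, ROGUE, "linksys"),
    (0.25, "probe-resp", ROGUE, ROGUE, "CCRI-LAB"),
    (0.30, "probe-resp", ROGUE, ROGUE, "FreeAirportWiFi"),
    (0.40, "deauth",     AP,    AP,    None),   # one deauth is routine (idle timeout etc.)
    (5.00, "deauth",     AP,    AP,    None),   # burst: 8 deauths in 0.35 s "from" the AP;
    (5.05, "deauth",     AP,    AP,    None),   # the rogue spoofs the AP's address, so the
    (5.10, "deauth",     AP,    AP,    None),   # transmitter field names the victim AP,
    (5.15, "deauth",     AP,    AP,    None),   # not the attacker (locate it by RF, slide 17)
    (5.20, "deauth",     AP,    AP,    None),
    (5.25, "deauth",     AP,    AP,    None),
    (5.30, "deauth",     AP,    AP,    None),
    (5.35, "deauth",     AP,    AP,    None),
    (9.00, "beacon",     AP,    AP,    "CCRI-LAB"),
]

DEAUTH_SUBTYPES = {"deauth", "disassoc"}

def deauth_floods(frames, window=2.0, threshold=5):
    """Map transmitter MAC -> peak number of deauth/disassoc frames seen in any
    `window`-second span, for transmitters whose peak exceeds `threshold`."""
    times_by_src = defaultdict(list)
    for t, subtype, src, _bssid, _ssid in frames:
        if subtype in DEAUTH_SUBTYPES:
            times_by_src[src].append(t)
    flagged = {}
    for src, times in times_by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged

def multi_ssid_bssids(frames, min_ssids=3):
    """Map BSSID -> sorted SSIDs for any BSSID that announces `min_ssids` or more
    networks; a single radio answering every preferred-network probe it hears is
    the rogue-AP pattern described on slide 15."""
    ssids = defaultdict(set)
    for _t, subtype, _src, bssid, ssid in frames:
        if subtype in ("beacon", "probe-resp") and ssid:
            ssids[bssid].add(ssid)
    return {b: sorted(s) for b, s in ssids.items() if len(s) >= min_ssids}

def run_detectors(frames):
    """Run both rules and return their findings keyed by rule name."""
    return {"deauth_flood": deauth_floods(frames),
            "multi_ssid": multi_ssid_bssids(frames)}

if __name__ == "__main__":
    for rule, hits in run_detectors(SAMPLE_FRAMES).items():
        print(rule, hits)
```

Because the rogue spoofs the AP's MAC address, the flood is attributed to the AP's own address; the rule therefore tells you which BSSID is being attacked, and the physical location of the transmitter still has to be found with a spectrum analyzer or signal-strength survey as slide 17 describes.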

  18. Management Interface Exploits
     • Web-based interface exploit
       • Attacker captures traffic and determines the IP network with a scanning utility
       • Varies the address and finds the AP gateway address (example 192.168.1.1, 10.10.10.1 …)
       • Tries passwords if necessary
       • Changes AP configuration
       • Turns off all MAC access except the attacker's, a form of DoS
     • Solutions
       • Strong AP password
       • Disable the web interface
       • Secure telnet and SSH
       • Use strong WPA-PSK or WPA2-PSK

  19. Encryption Cracking
     • Weak key cracking
       • Attacker captures 100 MB of data
       • Processes the capture with a “cracking tool”
       • Obtains the WEP key in seconds
       • Weak keys and initialization vectors are very vulnerable
     • Solution
       • Use strong encryption
       • WPA2 and AES
       • IEEE 802.11i
       • EAP-Cisco LEAP
     • More information in Chapter-10

  20. Wired Equivalent Privacy (WEP)
     • Guards the Confidentiality of CIA
       • Ensures only authorized parties can view the data
     • Used in IEEE 802.11 to encrypt wireless transmissions
     • Cryptography: the science of transforming information so that it is secure while being transmitted or stored; it “scrambles” data
       • Encryption: transforming plaintext to ciphertext
       • Decryption: transforming ciphertext to plaintext
       • Cipher: an encryption algorithm, given a key that is used to encrypt and decrypt messages
       • Weak keys: keys that are easily discovered

  21. WEP Cryptography

  22. WEP Implementation
     • IEEE 802.11 cryptography objectives:
       • Efficient
       • Exportable
       • Optional
       • Reasonably strong
       • Self-synchronizing
     • WEP relies on a secret key “shared” between a wireless device and the AP
       • The same key is installed on the device and the AP
       • A form of private key cryptography or symmetric encryption

  23. WEP Characteristics
     • WEP shared secret keys must be at least 40 bits
       • Most vendors use 104 bits
     • Options for creating WEP keys:
       • 40-bit WEP shared secret key (5 ASCII characters or 10 hexadecimal characters)
       • 104-bit WEP shared secret key (13 ASCII characters or 16 hexadecimal characters)
       • Passphrase (16 ASCII characters)
     • APs and wireless devices can store up to four shared secret keys
       • The default key is one of the four stored keys
       • The default key is used for all encryption
       • The default key can be different for AP and client
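Slides 19, 22 and 23 say that WEP uses a shared RC4 key and that its initialization vectors are "very vulnerable", without showing why. The added example below (written for this page, not taken from the study guide) implements the WEP framing as the 802.11-1999 standard defines it: a 24-bit IV is prepended to the 40- or 104-bit shared key to seed RC4, and a CRC-32 ICV is appended to the plaintext before encryption. It then shows the consequence of the small IV space: two frames encrypted under the same IV share a keystream, so XOR-ing their ciphertexts yields the XOR of their plaintexts, and with only 2^24 IVs a repeat is expected within a few thousand frames. The key, IV and plaintexts are constructed values; `reused_ivs` is the defender-side check, flagging IV repeats in a capture.

```python
import struct
import zlib
from collections import Counter

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling (KSA) then `length` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def _icv(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4(IV || key)(plaintext || CRC-32 ICV), as WEP frames carry it."""
    if len(shared_key) not in (5, 13):
        raise ValueError("WEP shared key must be 40 bits (5 bytes) or 104 bits (13 bytes)")
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits (3 bytes)")
    body = plaintext + _icv(plaintext)
    ks = rc4_keystream(iv + shared_key, len(body))
    return iv + bytes(b ^ k for b, k in zip(body, ks))

def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Recover the plaintext and verify the ICV; raises on a bad key or tampering."""
    iv, cipher = frame[:3], frame[3:]
    ks = rc4_keystream(iv + shared_key, len(cipher))
    body = bytes(b ^ k for b, k in zip(cipher, ks))
    plaintext, icv = body[:-4], body[-4:]
    if _icv(plaintext) != icv:
        raise ValueError("ICV mismatch")
    return plaintext

def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same key and IV use the same keystream, so
    cipher_a XOR cipher_b == plain_a XOR plain_b, with no key needed."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs; keystreams differ")
    n = min(len(frame_a), len(frame_b)) - 3
    return bytes(x ^ y for x, y in zip(frame_a[3:3 + n], frame_b[3:3 + n]))

def reused_ivs(frames) -> dict:
    """Defender check: IVs that appear more than once in a capture under one key."""
    counts = Counter(f[:3] for f in frames)
    return {iv: n for iv, n in counts.items() if n > 1}

def iv_collision_probability(n_frames: int, iv_space: int = 2 ** 24) -> float:
    """Birthday bound: probability that at least one IV repeats among n random IVs."""
    p_no_repeat = 1.0
    for i in range(n_frames):
        p_no_repeat *= 1 - i / iv_space
    return 1 - p_no_repeat

if __name__ == "__main__":
    KEY = b"\x01\x02\x03\x04\x05"      # constructed 40-bit shared key
    IV = b"\x00\x00\x01"               # constructed IV, reused on purpose below
    f1 = wep_encrypt(KEY, IV, b"GET /index.html ")
    f2 = wep_encrypt(KEY, IV, b"POST /login.php ")
    print("plaintext XOR leaked by IV reuse:", keystream_reuse_leak(f1, f2).hex())
    print("reused IVs:", reused_ivs([f1, f2]))
    print("P(IV repeat after 5000 frames) =", round(iv_collision_probability(5000), 3))
```

Note the ICV is a CRC-32, not a keyed MAC, so it detects corruption but not deliberate modification; that is a separate WEP weakness from the IV reuse shown here, and it is why 802.11i replaced the ICV with the MIC listed on slide 37.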

  24. WEP Keys
     • Key order must be the same for all devices
     • Default keys can be different for each device

  25. Open System Authentication Vulnerabilities
     • Inherently weak
       • Based only on a match of SSIDs
       • SSID is beaconed from the AP during passive scanning, so it is easy to discover
     • Vulnerabilities:
       • Beaconing the SSID is the default mode in all APs
       • Not all APs allow beaconing to be turned off, or the manufacturer recommends against it
       • SSID is initially transmitted in plaintext (unencrypted)
       • If an attacker cannot capture an initial negotiation process, one can be forced to occur
       • SSID can be retrieved from an authenticated device
       • Many users do not change the default SSID
       • Several freely available wireless tools allow users with no advanced knowledge of wireless networks to capture SSIDs

  26. Peer-to-Peer Attacks
     • Definition: a peer-to-peer attack occurs when one STA attacks another STA that is associated with the same AP
       • The intention is generally data theft
       • Installation of backdoors and other software
     • Laptops are particularly vulnerable
     • IBSS (ad hoc) networks are vulnerable
     • Hot spot networks can be a serious problem
     • Solutions:
       • Public Secure Packet Forwarding (PSPF) applications
       • STA-to-STA communication disallowed
       • Microsoft file sharing disabled

  27. Social Engineering
     • Definition: the technique of persuading people to give you something that they should not give you
       • Organization information
       • Data
       • Passwords and passphrases
       • Keys
     • Targets
       • Help desk
       • On-site contractors
       • Employees
     • Solutions
       • Do not depend only upon technology
       • Train personnel regularly

  28. MAC Address Filtering and Spoofing
     • Most access points offer some form of MAC filtering:
       • MAC access lists
       • Advanced MAC filtering lists
     • The WLAN administrator must configure a list or set of rules for clients that will be allowed or not allowed to join the network.

  29. MAC Access Filtering Proxim AP-600b

  30. MAC Address Filtering (diagram: a database server and wired clients with MAC address 001122C5AF3B on the wired LAN; access points AP-1 and AP-2; wireless clients 1 and 2, client 1 with MAC address 00022D9DE44E)

  31. MAC Address Filtering, AP-600b (diagram: database server 001122C5AF3B, wireless client 1 00022D9DE44E, access point AP-1)
     • Filtering = Blocking
     • Wired MAC Adr. = 001122C5AF3B, Wired Mask = FFFFFFFFFFFF
     • Wireless MAC Adr. = 00022D9DE44E, Wireless Mask = FFFFFFFFFFFF
     • Mask: F = Look, 0 = Ignore (logical ANDing)

  32. MAC Address Filtering, AP-600b (diagram: database server 001122C5AF3B, wireless client 1 00022D9DE44E, access point AP-1)

  33. Circumventing MAC Filters
     • MAC addresses are sent in the clear in the frame header!
     • A user or attacker can change their MAC address via software and then spoof, or more accurately impersonate or masquerade under, that address:
       • Evade/hide network presence
       • Bypass access control lists
       • Authenticated user impersonation
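Slide 31 gives the AP-600b filter rule as a mask where an F nibble means "look" and a 0 nibble means "ignore", combined by logical AND, and slide 33 explains why any such filter can be circumvented. The added example below (written for this page; the rule table and addresses beyond the two on slide 31 are constructed, and the first-match and default-block behaviour are assumptions, not documented AP-600b behaviour) implements that masked comparison and makes the limitation visible in the code: the only input the filter ever has is the address the frame header claims.

```python
def mac_to_int(mac: str) -> int:
    """Parse 'AA:BB:CC:DD:EE:FF', 'AA-BB-CC-DD-EE-FF' or 'AABBCCDDEEFF' into a 48-bit int."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)

def mac_matches(addr: str, rule_addr: str, mask: str) -> bool:
    """Slide 31's rule: compare only the nibbles where the mask is F (logical AND).
    A mask of FFFFFFFFFFFF is an exact match; FFFFFF000000 matches a whole vendor OUI."""
    m = mac_to_int(mask)
    return (mac_to_int(addr) & m) == (mac_to_int(rule_addr) & m)

# Constructed filter table in the style of the AP-600b slides: first matching rule wins.
FILTER_RULES = [
    ("00:11:22:C5:AF:3B", "FFFFFFFFFFFF", "block"),   # wired database server (slide 31)
    ("00:02:2D:9D:E4:4E", "FFFFFFFFFFFF", "block"),   # wireless client 1 (slide 31)
    ("00:02:2D:00:00:00", "FFFFFF000000", "allow"),   # any other card with that OUI (constructed)
]

def filter_decision(src_addr: str, rules=FILTER_RULES, default: str = "block") -> str:
    """Return 'allow' or 'block' for a frame's source address.

    The only input is the address the frame header claims (slide 33). A sender whose
    card has been set to an allowed address receives the allowed decision, which is
    why MAC filtering controls access but does not authenticate anyone."""
    for rule_addr, mask, action in rules:
        if mac_matches(src_addr, rule_addr, mask):
            return action
    return default

if __name__ == "__main__":
    for addr in ("00:02:2D:9D:E4:4E", "00:02:2D:00:12:34", "AA:BB:CC:DD:EE:FF"):
        print(addr, "->", filter_decision(addr))
```

The OUI-wide rule shows what the mask buys an administrator (one entry for a whole batch of vendor cards) and also what it costs: every address in that range is admitted on the strength of six hex digits anyone can copy from a beacon or data frame header.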

  34. Access Control Security
     • Intended to guard one of the CIA properties: availability of information
     • Wireless access control: limit users' access to the AP by filtering MAC addresses
       • Media Access Control (MAC) address filtering: based on a node’s unique MAC address
       • Can be defeated by spoofing a MAC address

  35. Access Control Filtering
     • MAC address filtering is considered a basic means of controlling access
     • Requires pre-approved authentication
     • Difficult to provide temporary access for “guest” devices

  36. MAC Spoofing

  37. Security Solutions (diagram: components of WPA / WPA2, Wi-Fi Protected Access, and 802.11i)
     • 802.1X Authentication
     • TKIP: Temporal Key Integrity Protocol
     • MIC: Message Integrity Checking
     • Cipher and Authentication Negotiation
     • Key Management
     • AES: Advanced Encryption Standard

  38. Remember CIA and AAA
     • CIA
       • Confidentiality: keep things private
       • Integrity: data must be consistent and accurate
       • Availability: the right data to the right users
     • AAA
       • Authentication: “Who are you?”
       • Authorization: “What do you want?”
       • Accounting: “What have you done?”
     • Bottom line
       • Users are responsible for protecting their accounts and their data
