Wireless Awareness

1. Wireless Awareness Prepared for: CAMIS Group 07/2012

2. Biography Clint Lentner, MCSE, MCITP: EA • Netgain Datacenter Deployment Specialist • Designing technical solutions around a wide variety of applications--from complex enterprise to simple and specialty--in order to provide a seamless end-user experience.Actively engaged in developing the local IT community through free education opportunities to build networking and enhance technical abilities. • Specialties • Active Directory, Windows Server, Security and Task Automation

3. Netgain • National eHealth solutions provider • Provide complete IT infrastructure solutions in hosted or on-site environments. • Design solutions to deliver standards compliant security, five nine’s availability and the flexibility to meet the changing needs of healthcare organizations. • Simplify the healthcare IT environment while improving efficiencies and increasing security.

4. INTRODUCTION

5. Wireless Awareness: Introduction Wireless Communication: • Defined as “the transfer of information between two or more points that are not physically connected.” 802.11: • Set of standards created and maintained by the IEEE LAN/MAN Standards Committee (IEEE 802) for implementing Wireless Local Area Network (WLAN) computer communication in the 2.4, 3.6 and 5 GHz frequency bands. • These standards provide the basis for wireless network products using the Wi-Fi brand name.

6. Wireless Awareness: Introduction Wi-Fi Alliance: • Founded by six companies: 3Com, Aironet, Intersil, Lucent Technologies, Nokia and Symbol Technologies in 1999 to promote wireless LAN standard of 802.11 • Wi-Fi vs. IEEE 802.11, 802.11, or WLAN • Commonly mistaken for “Wireless Fidelity”, Wi-Fi is a nonsensical word.

7. Wireless Awareness: 802.11 MODES OF operation Ad-Hoc Mode • Defined by 802.11 as Independent Basic Service Set (IBSS) • Clients communicate directly with other IBSS clients within transmission range, creating a peer-to-peer network.

8. Wireless Awareness: 802.11 MODES OF operation • Infrastructure Mode • Defined by 802.11 as Basic Service Set (BSS) • Clients communicate with a central station, or access point (AP), which acts as an Ethernet bridge onto another network.

9. Wireless Awareness: Demo • http://www.nirsoft.net/utils/wireless_network_view.html

10. Wireless Awareness: Introduction

11. Wireless Awareness: Introduction

12. Wireless Awareness: Introduction

13. IMPLIED TRUST

14. Wireless Awareness: implied Trust

15. Wireless Awareness: implied Trust Wireless users are very trusting • Users need access to the Internet • Users tend to assume wireless is safe. • Wi-Fi is magic! Turn on the device, select your Wi-Fi network, maybe enter a password, and you’re done! • Users are unknowingly trusting… • The Access Point is safe • The Access Point is who it says it is • Other users on that Access Point are safe • The Network beyond the Access Point is safe • Wi-Fi enabled devices are safe

16. Wireless Awareness: implied Trust All roads to the Internet are safe.. Right?

17. VULNERABILITIES UNDERSTANDING WI-FI

18. Wireless Awareness: understanding wi-fi • Eavesdropping/Traffic Analysis • Data Mining • Masquerading Clients/Access Points • Promiscuous Access Points • Man-in-the-Middle • Compromising Security • Message Injection, Deletion, and Interception • Session Hijacking • Denial-of-Service

19. Wireless Awareness: Understanding Wi-fi Authentication and Association • Network Discovery • Authentication • Association

20. NETWORK DISCOVERY

21. Wireless Awareness: Network Discovery • Beacons • Broadcast by Access Points, advertising various properties: • Encryption type • Service Set IDentifier (SSID) • Transmission Rate, etc… • Clients continually scan\listen for beacons to determine which access points are available. • Probes • Broadcast by clients, searching for Access Points and their properties. Similar to information contained in beacons. • Broadcast by clients, searching for a specific Access Point SSID

22. Wireless Awareness: Demo http://www.wireshark.org

23. 802.11 Network Discovery: Method 1 • AP: Broadcasts Beacons • SSID: Linksys • BSSID: 08-86-3b-1c-be-ef • Encryption: WPA2 • Authentication: PSK • Transfer Rate: 54 Mbps • Client: Listens for beacon and generates list of available APs

24. 802.11 Network Discovery: Method 2 • Client: Broadcasts Probe for any available AP • AP: Sends probe response • SSID: Linksys • BSSID: 08-86-3b-1c-be-ef • Encryption: WPA2 • Authentication: PSK • Transfer Rate: 54 Mbps

25. 802.11 Network Discovery: Method 3 • Client: Broadcasts Probe for SSID “LinkSys” • AP: Sends probe response if SSID = “Linksys” • SSID: Linksys • BSSID: 08-86-3b-1c-be-ef • Encryption: WPA2 • Authentication: PSK • Transfer Rate: 54 Mbps

26. DATA MINING

27. Wireless Awareness: Data Mining • Wi-Fi Client • Basic Service Set Identification (BSSID) • Make/Model • SSID • Encryption/Authentication • Wi-Fi Access Point • Basic Service Set Identification (BSSID) • Make/Model • SSID • Encryption/Authentication

28. Wireless Awareness: Demo http://aircrack-ng.org

29. Wireless Awareness: Data Mining • Windows wireless probe issues • Prior to XP SP3, connecting to an AP with a hidden SSID via Wireless Zero Configuration (WZC) had to be set to “automatically reconnect”, as there was no way to manually connect. • Affected Versions • Windows XP, pre Service Pack 3 • Windows Server® 2003, pre Service Pack 2 • Technet Article • http://technet.microsoft.com/en-us/library/bb726942.aspx • Other Wi-Fi enabled devices • This isn’t just a Microsoft problem

30. Wireless Awareness: Data Mining • Pre-SP3 • SP3/Vista/Win7

31. Wireless Awareness: Data Mining How can this data be used? • Access Point • BSSID/SSID • Geolocation Mapping with GPS (WarDriving) • WIGLE.net • Wi-Fi Triangulation • Skyhook, Placelabs, Navizon • Encryption/Authentication Type • Identify easy targets for free Wi-Fi, or malicious intent • Open, WEP, or WPA/WPA2 with a common SSID • BSSID/Transfer Rate, Etc… • Statistical Usage Analysis

32. Wireless Awareness: Demo http://wigle.net

33. Wireless Awareness: Data Mining How can this data be used? Client • SSID • Establish profile of locations via Geolocation Mapping • BSSID • Wi-Fi probe tracking

34. Wireless Awareness: Data Mining • Why Do I Care? • Cellular carriers/smartphone vendors already track users 24/7 • Cell tower triangulation • GPS • Users grant apps access to location services • Users enable GPSand keep it enabled without understanding consequences • Stalking produces similar results • Analyzing/Tracking Wi-Fi beacons requires zero user interaction and is completely available to anyone who wishes to “listen”

35. Wireless Awareness: Data Mining • Security in Layers • Do you… • Have a front door? Close your front door? • Lock your front door? Reinforce your front door? • Do you… • Have windows? Close your windows? • Lock your windows? Reinforce your windows? • Do you… • Have locks? Use your locks? • Have reinforced locks? Keep your keys secured?

36. Wireless Awareness: understanding wi-fi • Eavesdropping/Traffic Analysis • Data Mining • Masquerading Clients/Access Points • Promiscuous Access Points • Man-in-the-Middle • Compromising Security • Message Injection, Deletion, and Interception • Session Hijacking • Denial-of-Service

37. MiTM • (Man in The Middle)

38. Wireless Awareness: Man in the Middle • Man-in-the-middle Attack • “A form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.”

39. Wireless Awareness: Man in the Middle

40. Wireless Awareness: Man in the Middle • MitM Attacks: • Collecting clear-text communications • Email • Chat • …Anything not encrypted • Collecting Usernames/Passwords • Session-Jacking • Manipulating the Internet experience • Redirection to fake/malicious websites • Manipulated webpage results • Manipulated certificate/SSL requests • Anything else you can think of—you are the router.

41. 802.11 Network Discovery: Method 3 • Client: Broadcasts Probe for SSID “LinkSys” • AP: Sends probe response if SSID = “Linksys” • SSID: Linksys • BSSID: 08-86-3b-1c-be-ef • Encryption: WPA2 • Authentication: PSK • Transfer Rate: 54 Mbps

42. Wireless Awareness: Demo http://aircrack-ng.org

43. Wireless Awareness: Man in the Middle • Anyone can do it… • Hak5, a popular hacking community, assisted in developing and selling a small, battery-powered wireless router which acts as a inconspicuous, promiscuous access point. • Built-in penetration tools makes this device a serious threat to any Wi-Fi environment • Extremely popular, very easy to use. • Only $99.95!...or make your own for around half.

44. Wireless Awareness: Man in the Middle

45. Wireless Awareness: Man in the Middle • https://www.youtube.com/watch?v=yr5upPHqhlA

46. MITIGATION

47. Wireless Awareness: Mitigation • User Awareness • Consequences of connecting to public Wi-Fi • Consequences of configuring “auto-connect” • Discourage use of sensitive information sites via Wi-Fi if possible • Disable Wi-Fi when not in use • Wi-Fi Configuration • Manually connect to APs with hidden SSIDs • Require same authentication/encryption type for reconnecting to APs (software specific) • Prevent users from accessing open APs (Solutions?? Anyone??) • Whitelist acceptable APs (via Windows GPO) • Obfuscate SSID names • Utilize cellular wireless communication if possible • Utilize VPNs to secure Wi-Fi sessions.

48. Wireless Awareness: Mitigation • Administrator Awareness • Understanding why Wi-Fi vulnerabilities pose a REAL risk: • Malicious tools are relatively easy to acquire and setup • Targets are very easy to acquire • Attackers are difficult to track • Attacks are difficult to detect, especially when targeting non-technical users • Wi-Fi enabled devices can be anything • Because Wi-Fi is popular! • Educating\Reeducating Users • Eliminate Wi-Fi apathy! Don’t implicitly trust Wi-Fi! Vulnerabilities are a real threat!

49. THANK YOU! http://centralmnit.com