1 / 53

Assessing Wireless Security Using Open Source Tools

Assessing Wireless Security Using Open Source Tools. By: Matthew Neely Presented: May 5 th 2009 at Pittsburgh ISSA. Speaker Biography. Matt Neely CISSP, CTGA, GCIH, GCWN - Manager of the Profiling team at SecureState:

Download Presentation

Assessing Wireless Security Using Open Source Tools

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Assessing Wireless Security Using Open Source Tools By: Matthew Neely Presented: May 5th 2009 at Pittsburgh ISSA

  2. Speaker Biography • Matt Neely CISSP, CTGA, GCIH, GCWN - Manager of the Profiling team at SecureState: • Areas of expertise include: wireless security, penetration testing, physical security, security convergence and incident response • Formed and ran the TSCM team at a Fortune 200 company • 10 years of security experience • Outside of work: • Co-host of the Security Justice Podcast • Board member for the North Eastern Ohio InformationSecurity Forum • Licensed ham radio operator (Technician) for almost 20 years

  3. What concerns do you have about wireless?

  4. Agenda • Overview of the 802.11 standard • Hardware - Requirements and recommendations • Discovering wireless networks • Introduction to Kismet • Lab – Discovering and enumerating wireless network using Kismet • Demo – Aircrack-ng • How to tell if an AP is on your network • Wireless security recommendations • Conclusion

  5. Overview of 802.11

  6. What is 802.11 • Set of wireless local area network (WLAN) standards developed by the IEEE • Uses the standard Ethernet protocol • Adds special media access control process

  7. Popular 802.11 Standards • 802.11 • 2.4 GHz • 2 Mbps (0.9 Mbps typical) • 802.11a • 5 GHz • 54 Mbps (23 Mbps typical) • 802.11b • 2.4 GHz • 11 Mbps (4.5 Mbps typical) • 802.11g • 2.4 GHz • 54 Mbps (23 Mbps typical) • 802.11n - Draft • 2.4 and 5 GHz • 300 Mbps (74 Mbps typical) • Greenfield mode

  8. 802.11 Versus Wi-Fi • 802.11 is a set of standards from the IEEE • Wi-Fi is a subset of the 802.11 standards managed by the Wi-Fi Alliance • Wi-Fi Alliance insures all products with the Wi-Fi logo will work together • Different vendors often interpret standards differently • Wi-Fi Alliance defines what is the “right” thing to do when implementing a standard • Especially useful when vendors implement draft standards • Wi-Fi Protected Access (WPA) • “Draft” 802.11n equipment.

  9. Infrastructure Vs. Ad-hoc Networks • Infrastructure: Allows one or more computers to connect to a network using an Access Point (AP). • AP is the hub of communication • Service Set IDentifier (SSID) is used to identify the network • Ad-Hoc: Allows user to create peer-to-peer networks. • Does not use an AP • Independent Basic Service Set (IBSS) is used to identifythe network • First active ad-hoc station establishes the network and starts sending beacons with the IBSS

  10. How Clients Find Wireless Networks

  11. Broadcast Probe Request • Client sends out broadcast probe request packets asking who is there

  12. Broadcast Probe Reply • Any APs in the area reply back with their SSID

  13. Direct Probe Request • Client can also send direct probe request packets looking for a specific network name • Example: I’m looking for network Linksys

  14. Beacon Packets • AP sends out beacon packets • Beacon packets contain the SSID of the network • Client listens for beacon packets and uses the SSID information in the packet to figure out what networks are in range

  15. Hidden APs • Beaconless APs • AKA “disabled broadcast SSID”, “cloaked” or “closed” • Some APs do not send beacon packets when clients are not connected • Other APs still send a beacon packet but leave the SSID field blank • Attempts to prevent malicious users from finding the AP

  16. Requirement and Recommendations Hardware

  17. Hardware • Required • Computer - Running or capable of running Linux • Install Linux on a laptop • Use a LiveLinux distro such as BackTrack • Wireless card • Optional • External Antenna • Pigtail • GPS

  18. BackTrack • LiveLinux distro containing a large number of pre-configured attack tools • Variety of wireless drivers come pre-loaded • Plug and play support for many wireless cards • Available in two formats: • Bootable CD • Bootable thumb drive • Contains more tools • Data written to the thumb drive persists across reboots • Download: • http://www.remote-exploit.org/backtrack_download.html

  19. Backtrack in VMWare • BackTrack can not directly access a PCMCIA or mini-pci card • Limits what fun stuff can be done • Can use a USB dongle with a supported chipset • Temperamental and unstable at times • For just about everything except wireless related tasks, I run BackTrack inside VMWare • When I need to run wireless tools in BackTrack I prefer to run BackTrack on the bare hardware

  20. Saving Data on BackTrack • When run from a CD all saved data will be erased on reboot • Solution 1: • Run BackTrack from a bootable thumb drive • Solution 2: • Mount a thumb drive and save your data • Command: mount /dev/sdb1 • Solution 3: • Save your data to a network share before rebooting

  21. Wireless Card • Hopefully your internal wireless card works • Centrino or Atheros cards generally work well • Broadcom cards are a problem • Can use an external wireless card if the internal card does not work

  22. Determining What Wireless Type • Look up the specs for your laptop • Query the USB or PCI bus inside of Linux • lspci – Linux command that lists the devices attached to the PCI bus • Useful for gathering information on internal wireless cards • lsusb – Linux command that list devices attached to the USB bus

  23. Example lspci Output

  24. Example lsusb Output

  25. Card Selection • Features to look for in an external card: • 1) Atheros or Ralink RT73 chipset • Must support RF monitor mode • LORCON support is recommended • 2) External antenna connector • 3) Form factor that matches your needs • PCMCIA/Express cards • USB

  26. Getting the Card You Want • Difficult to know what chipset a card uses • Manufactures change them all the time • Pay close attention to model number and version • Buy your card from a store with a hassle free return policy • Buy your card from a store that states the chipset • Look for stores that cater to Linux users, wardrivers and wireless hackers • www.netgate.com

  27. Card Chipset Information • Card Chipset Lists • Atheros.rapla.net • Ralink.rapla.net • Broadcom.rapla.net – Avoid • www.seattlewireless.net/index.cgi/HardwareComparison • Backtrack website: • wiki.remote-exploit.org/index.php/HCL:Wireless • Aircrack-ng webiste: • www.aircrack-ng.org/doku.php?id=compatibility_drivers

  28. External Antennas • Greatly increases performance • Useful when: • Performing audits from inside a vehicle • Triangulating the location of an AP • Measuring RF leakage from a building • Antennas are tuned to work on specific frequencies • Need to select antennas that are tuned to the frequency range being used • 2.4 GHz is the most common • Used by b, g and n networks • Same frequency used by Bluetooth • 5 GHz is needed for a and n networks

  29. Types of Antennas • Omni-directional • Increases reception in all directions • Magnetic mount omni-directional antennas are useful for mounting on cars • Directional • Focuses the signal like a spot light • Can be used to triangulate the location of a signal

  30. Types of Directional Antennas • Panel • $20-40 • Typical gain 8-18 dBi • Good for travel: compact, portable and hard to damage • Yagi • $30-50 • Typically gain 9-15 dBi • Can be large • Typically encased in pcv pipe to protect the antenna • Parabolic dish • $30 and up • Very large • Very high gain, 19-30 dBi • Hard to transport • Waveguide (cantennas) • Around $50 • Typical gain 12 dBi

  31. Antenna Recommendation • Get two antennas • Directional • Either a panel or small yagi • Omni-direction • Magnetic mount is very helpful if you spend time doing surveys outside a building • Good source: www.hyperlinktech.com

  32. Pigtails and Adapters • Pigtail – Converts the small connector on the card to the connector used on the antenna • Do not buy cheap cables! • Where most signal loss occurs • Good quality pigtails cost around $10-20 • Only use cabled designed for use in the 2.4 or 5 GHz range • Pigtails should probably end in a N-Type male jack • Most antennas have a N-Type female jack • Good source: www.hyperlinktech.com • Pictures of common Wi-Fi antenna connectors: • wireless.gumph.org/content/3/7/011-cable-connectors.html

  33. GPS • Allows data to be placed onto a map for analysis • Only get an NMEA compatible GPS • Interface type: • Serial: Does not require a driver and just about always works • USB: Requires drivers which can be tricky in Linux • Bluetooth: Avoid because it operates in the 2.4 GHz spectrum • If you run Linux and do not have a serial port, the safest option is a serial GPS and a USB-to-serial adaptor • Buy a USB adaptor that is Linux friendly

  34. Discovering Wireless Networks

  35. Active Network Discovery • Official way to find networks • Client sends out a broadcast probe request looking for networks • Client listens for beacon packets from APs • Cons: • Requires the client to be within transmission range of the AP • Cannot find beaconless/hidden network • Pros: • Every wireless card supports this method • Does not require a card or driver that supports RF monitor mode • Windows tools such as NetStumbler use active network discovery

  36. Passive Network Discovery • Card listens to the airwaves and extracts information about the networks in the area from the packets it sees • Requires cards that support RF monitor mode • Not all cards and drivers support RF monitor mode • Pros: • Client only needs to be within receiving range • Can detect networks with the beacon turned off • Can gain more information about the network • Cons: • Requires a card and driver that supports full RF monitor mode • No free Windows program supports passive network discovery

  37. Kismet • http://www.kismetwireless.net/ • Passive scanner • OS: Linux and other Unix systems • Kismet is really two programs • kismet_server: Collects the packets • kismet_client: User interface • Pros: • Will find hidden networks • GPS support • Cons: • Complicated installation and configuration

  38. Kismet Classic Versus Newcore • “Classic” is the present stable release of Kismet • Kismet-newcore is a rewrite of Kismet • Still under development • Supports plugins • Example: DECT support • Avoid newcore unless you have a specific reason to use it or like to tinker

  39. Configuring Kismet • Configuration file is usually located at /usr/local/etc/kismet.conf • Specify suiduser • suiduser=<normal non-root user> • Ex: suiduser=matt • Packet Source • source=<driver, interface, name> • Ex: source=madwifi_g,ath0,AtherosCard • Skip these steps on BackTrack • Use –c flag when starting the server to tell it the packet source • Ex: kismet_server –c madwifi_g,wifi0,CiscoCard

  40. Source Settings - Driver • Run airmon-ng to determine which driver your wireless card is using • Part of the Aircrack-ng suite • # airmon-ng • $ sudo airmon-ng

  41. Driver Setting - Source • Run airmon-ng or iwconfig to see all the wireless interfaces • # iwconfig • $ iwconfig

  42. Lab: Discovering and enumerating wireless network using Kismet

  43. Accessing the Lab Server • Connect to wireless network • Lab-Connect_Here • Windows Telnet: • Start -> Run -> cmd.exe • telnet 192.168.10.102 –t vt100 • SSH (Putty or other SSH client) • Connect to 192.168.10.102 • Once connected login • Username: kismet • Password: kismet

  44. Demo: Airodump-ng

  45. How to Tell if an AP is on Your Network • Direction/Location • GPS • Use a directional antenna • Connect to the network and check: • If a traceroute shows the traffic traversing your network • If you can contact an internal server • DNS server address • Do not rely on the assigned IP address

  46. Security Recommendations

  47. General Security Recommendations • Make the network difficult to find • Limit AP power output • Use RF shielding to prevent RF leakage • Only use 802.11a APs • Do not use hidden APs • Could make it easier to attack your wireless Windows clients • Windows prefers visible networks over hidden networks • Attackers can trick users into connecting to a malicious AP • MAC filtering • Not recommended • Easy to by-pass and adds a lot of complexity in a large environment • Minimal level of protection is generally not worth the effort

  48. Wireless IDS • Consider deploying a wireless IDS • Can detect: • De-auth attacks • RTS and CTS attacks denial of service attacks • Rogue APs • Both on and off your network • Remember IDS is only detection and not prevention • Be very careful with wireless IPS • IPS system could end up attacking neighboring networks

  49. Wireless Encryption and Authentication • Do not use WEP • Migrate from LEAP • Known weaknesses and attack tools for LEAP • If you can not migrate from LEAP be sure you enforce a strong password policy • Use WPA or WPA2 • Prefer WPA2 • Both can be secured fairly well

  50. WPA-PSK Recommendations • WPA-PSK (Pre-Shared Key) • AKA WPA Home • Choose a long and complex passphrase • Prevents bruteforce attacks from tools like Cowpatty • Choose a unique SSID • Prevents using pre-compiled tables to speed up bruteforce attacks

More Related