Assessing Wireless Security Using Open Source Tools
By: Matthew Neely
Presented: May 5th 2009 at Pittsburgh ISSA

Speaker Biography
• Matt Neely CISSP, CTGA, GCIH, GCWN - Manager of the Profiling team at SecureState
  • Areas of expertise include: wireless security, penetration testing, physical security, security convergence and incident response
  • Formed and ran the TSCM team at a Fortune 200 company
  • 10 years of security experience
• Outside of work:
  • Co-host of the Security Justice Podcast
  • Board member for the North Eastern Ohio Information Security Forum
  • Licensed ham radio operator (Technician) for almost 20 years

Agenda
• Overview of the 802.11 standard
• Hardware - Requirements and recommendations
• Discovering wireless networks
• Introduction to Kismet
• Lab – Discovering and enumerating wireless networks using Kismet
• Demo – Aircrack-ng
• How to tell if an AP is on your network
• Wireless security recommendations
• Conclusion

What is 802.11
• Set of wireless local area network (WLAN) standards developed by the IEEE
• Uses the standard Ethernet protocol
• Adds a special media access control process

Popular 802.11 Standards
• 802.11
  • 2.4 GHz
  • 2 Mbps (0.9 Mbps typical)
• 802.11a
  • 5 GHz
  • 54 Mbps (23 Mbps typical)
• 802.11b
  • 2.4 GHz
  • 11 Mbps (4.5 Mbps typical)
• 802.11g
  • 2.4 GHz
  • 54 Mbps (23 Mbps typical)
• 802.11n - Draft
  • 2.4 and 5 GHz
  • 300 Mbps (74 Mbps typical)
  • Greenfield mode

802.11 Versus Wi-Fi
• 802.11 is a set of standards from the IEEE
• Wi-Fi is a subset of the 802.11 standards managed by the Wi-Fi Alliance
  • Wi-Fi Alliance ensures all products with the Wi-Fi logo will work together
• Different vendors often interpret standards differently
  • Wi-Fi Alliance defines what is the “right” thing to do when implementing a standard
• Especially useful when vendors implement draft standards
  • Wi-Fi Protected Access (WPA)
  • “Draft” 802.11n equipment

Infrastructure Vs. Ad-hoc Networks
• Infrastructure: Allows one or more computers to connect to a network using an Access Point (AP)
  • AP is the hub of communication
  • Service Set IDentifier (SSID) is used to identify the network
• Ad-Hoc: Allows users to create peer-to-peer networks
  • Does not use an AP
  • Independent Basic Service Set (IBSS) is used to identify the network
  • First active ad-hoc station establishes the network and starts sending beacons with the IBSS

Broadcast Probe Request
• Client sends out broadcast probe request packets asking who is there

Broadcast Probe Reply
• Any APs in the area reply back with their SSID

Direct Probe Request
• Client can also send direct probe request packets looking for a specific network name
  • Example: I’m looking for network Linksys

Beacon Packets
• AP sends out beacon packets
• Beacon packets contain the SSID of the network
• Client listens for beacon packets and uses the SSID information in the packet to figure out what networks are in range

Hidden APs
• Beaconless APs
  • AKA “disabled broadcast SSID”, “cloaked” or “closed”
• Some APs do not send beacon packets when clients are not connected
• Other APs still send a beacon packet but leave the SSID field blank
• Attempts to prevent malicious users from finding the AP

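To make the probe, beacon and hidden-AP behaviour on the last few slides concrete, here is an added example (not part of the original presentation) that pulls the SSID element out of 802.11 management frames the way a passive scanner does, and flags the blank or NUL-padded SSID that a "cloaked" AP still beacons. The frame layout is the standard 802.11 management header; the sample addresses, SSIDs and frames are constructed for the demo.

```python
import struct
MGMT_HDR = struct.Struct("<HH6s6s6sH")  # frame control, duration, addr1-3, sequence control
BEACON, PROBE_REQ, PROBE_RESP, SSID_TAG = 8, 4, 5, 0   # mgmt subtypes; SSID element id

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt(frame):
    """Extract what a passive scanner learns from one 802.11 management frame."""
    fc, _, _, addr2, addr3, _ = MGMT_HDR.unpack_from(frame, 0)
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = (fc >> 4) & 0xF
    body = frame[MGMT_HDR.size:]
    if subtype in (BEACON, PROBE_RESP):
        body = body[12:]          # skip timestamp, beacon interval, capability fields
    elif subtype != PROBE_REQ:
        raise ValueError("subtype not handled here")
    ssid, off = None, 0
    while off + 2 <= len(body):   # walk the tagged parameters until the SSID element
        tag, length = body[off], body[off + 1]
        value = body[off + 2:off + 2 + length]
        if len(value) < length:
            break                 # truncated element: stop rather than guess
        if tag == SSID_TAG:
            ssid = value
            break
        off += 2 + length
    kind = {BEACON: "beacon", PROBE_RESP: "probe-resp", PROBE_REQ: "probe-req"}[subtype]
    # A cloaked AP still beacons, but with an empty or NUL-padded SSID element
    hidden = kind != "probe-req" and ssid is not None and ssid.strip(b"\x00") == b""
    return {"kind": kind, "bssid": mac(addr3), "sender": mac(addr2), "hidden": hidden,
            "ssid": None if hidden or ssid is None else ssid.decode("utf-8", "replace"),
            # empty SSID in a probe request = broadcast "who is there?", else directed
            "broadcast": kind == "probe-req" and ssid == b""}

def build_frame(subtype, sender, bssid, ssid):
    """Constructed sample frame for the demo (not captured traffic)."""
    hdr = MGMT_HDR.pack(subtype << 4, 0, b"\xff" * 6, sender, bssid, 0)
    fixed = b"" if subtype == PROBE_REQ else struct.pack("<QHH", 0, 100, 0x0411)
    return hdr + fixed + bytes([SSID_TAG, len(ssid)]) + ssid + bytes([1, 1, 0x82])

AP, CLIENT, BCAST = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"\xff" * 6
SAMPLES = [build_frame(BEACON, AP, AP, b"Linksys"),
           build_frame(BEACON, AP, AP, b""),                  # blank SSID field
           build_frame(BEACON, AP, AP, b"\x00" * 7),          # NUL-padded SSID
           build_frame(PROBE_REQ, CLIENT, BCAST, b""),        # broadcast probe request
           build_frame(PROBE_REQ, CLIENT, BCAST, b"Linksys")] # directed probe request

def scan(frames):
    return [parse_mgmt(f) for f in frames]
```

Feeding the same parser the probe responses and association frames of a real capture is how a passive tool fills in the name of a hidden network once a client connects to it.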
Hardware: Requirements and Recommendations

Hardware
• Required
  • Computer - Running or capable of running Linux
    • Install Linux on a laptop
    • Use a LiveLinux distro such as BackTrack
  • Wireless card
• Optional
  • External antenna
  • Pigtail
  • GPS

BackTrack
• LiveLinux distro containing a large number of pre-configured attack tools
• Variety of wireless drivers come pre-loaded
  • Plug and play support for many wireless cards
• Available in two formats:
  • Bootable CD
  • Bootable thumb drive
    • Contains more tools
    • Data written to the thumb drive persists across reboots
• Download:
  • http://www.remote-exploit.org/backtrack_download.html

BackTrack in VMWare
• BackTrack cannot directly access a PCMCIA or mini-PCI card
  • Limits what fun stuff can be done
• Can use a USB dongle with a supported chipset
  • Temperamental and unstable at times
• For just about everything except wireless related tasks, I run BackTrack inside VMWare
• When I need to run wireless tools in BackTrack I prefer to run BackTrack on the bare hardware

Saving Data on BackTrack
• When run from a CD all saved data will be erased on reboot
• Solution 1:
  • Run BackTrack from a bootable thumb drive
• Solution 2:
  • Mount a thumb drive and save your data
  • Command: mount /dev/sdb1
• Solution 3:
  • Save your data to a network share before rebooting

Wireless Card
• Hopefully your internal wireless card works
  • Centrino or Atheros cards generally work well
  • Broadcom cards are a problem
• Can use an external wireless card if the internal card does not work

Determining What Wireless Type
• Look up the specs for your laptop
• Query the USB or PCI bus inside of Linux
  • lspci – Linux command that lists the devices attached to the PCI bus
    • Useful for gathering information on internal wireless cards
  • lsusb – Linux command that lists the devices attached to the USB bus

Card Selection
• Features to look for in an external card:
  • 1) Atheros or Ralink RT73 chipset
    • Must support RF monitor mode
    • LORCON support is recommended
  • 2) External antenna connector
  • 3) Form factor that matches your needs
    • PCMCIA/Express cards
    • USB

Getting the Card You Want
• Difficult to know what chipset a card uses
  • Manufacturers change them all the time
  • Pay close attention to model number and version
• Buy your card from a store with a hassle-free return policy
• Buy your card from a store that states the chipset
  • Look for stores that cater to Linux users, wardrivers and wireless hackers
  • www.netgate.com

Card Chipset Information
• Card chipset lists
  • Atheros.rapla.net
  • Ralink.rapla.net
  • Broadcom.rapla.net – Avoid
  • www.seattlewireless.net/index.cgi/HardwareComparison
• BackTrack website:
  • wiki.remote-exploit.org/index.php/HCL:Wireless
• Aircrack-ng website:
  • www.aircrack-ng.org/doku.php?id=compatibility_drivers

External Antennas
• Greatly increase performance
• Useful when:
  • Performing audits from inside a vehicle
  • Triangulating the location of an AP
  • Measuring RF leakage from a building
• Antennas are tuned to work on specific frequencies
  • Need to select antennas that are tuned to the frequency range being used
  • 2.4 GHz is the most common
    • Used by b, g and n networks
    • Same frequency used by Bluetooth
  • 5 GHz is needed for a and n networks

Types of Antennas
• Omni-directional
  • Increases reception in all directions
  • Magnetic mount omni-directional antennas are useful for mounting on cars
• Directional
  • Focuses the signal like a spotlight
  • Can be used to triangulate the location of a signal

Types of Directional Antennas
• Panel
  • $20-40
  • Typical gain 8-18 dBi
  • Good for travel: compact, portable and hard to damage
• Yagi
  • $30-50
  • Typical gain 9-15 dBi
  • Can be large
  • Typically encased in PVC pipe to protect the antenna
• Parabolic dish
  • $30 and up
  • Very large
  • Very high gain, 19-30 dBi
  • Hard to transport
• Waveguide (cantennas)
  • Around $50
  • Typical gain 12 dBi

Antenna Recommendation
• Get two antennas
  • Directional
    • Either a panel or small yagi
  • Omni-directional
    • Magnetic mount is very helpful if you spend time doing surveys outside a building
• Good source: www.hyperlinktech.com

Pigtails and Adapters
• Pigtail – Converts the small connector on the card to the connector used on the antenna
• Do not buy cheap cables!
  • Where most signal loss occurs
  • Good quality pigtails cost around $10-20
• Only use cables designed for use in the 2.4 or 5 GHz range
• Pigtails should probably end in an N-Type male jack
  • Most antennas have an N-Type female jack
• Good source: www.hyperlinktech.com
• Pictures of common Wi-Fi antenna connectors:
  • wireless.gumph.org/content/3/7/011-cable-connectors.html

GPS
• Allows data to be placed onto a map for analysis
• Only get an NMEA compatible GPS
• Interface type:
  • Serial: Does not require a driver and just about always works
  • USB: Requires drivers which can be tricky in Linux
  • Bluetooth: Avoid because it operates in the 2.4 GHz spectrum
• If you run Linux and do not have a serial port, the safest option is a serial GPS and a USB-to-serial adaptor
  • Buy a USB adaptor that is Linux friendly

Active Network Discovery
• Official way to find networks
  • Client sends out a broadcast probe request looking for networks
  • Client listens for beacon packets from APs
• Cons:
  • Requires the client to be within transmission range of the AP
  • Cannot find beaconless/hidden networks
• Pros:
  • Every wireless card supports this method
  • Does not require a card or driver that supports RF monitor mode
• Windows tools such as NetStumbler use active network discovery

Passive Network Discovery
• Card listens to the airwaves and extracts information about the networks in the area from the packets it sees
• Requires cards that support RF monitor mode
  • Not all cards and drivers support RF monitor mode
• Pros:
  • Client only needs to be within receiving range
  • Can detect networks with the beacon turned off
  • Can gain more information about the network
• Cons:
  • Requires a card and driver that supports full RF monitor mode
  • No free Windows program supports passive network discovery

Kismet
• http://www.kismetwireless.net/
• Passive scanner
• OS: Linux and other Unix systems
• Kismet is really two programs
  • kismet_server: Collects the packets
  • kismet_client: User interface
• Pros:
  • Will find hidden networks
  • GPS support
• Cons:
  • Complicated installation and configuration

Kismet Classic Versus Newcore
• “Classic” is the present stable release of Kismet
• Kismet-newcore is a rewrite of Kismet
  • Still under development
  • Supports plugins
    • Example: DECT support
• Avoid newcore unless you have a specific reason to use it or like to tinker

Configuring Kismet
• Configuration file is usually located at /usr/local/etc/kismet.conf
• Specify suiduser
  • suiduser=<normal non-root user>
  • Ex: suiduser=matt
• Packet source
  • source=<driver,interface,name>
  • Ex: source=madwifi_g,ath0,AtherosCard
• Skip these steps on BackTrack
  • Use the -c flag when starting the server to tell it the packet source
  • Ex: kismet_server -c madwifi_g,wifi0,CiscoCard

Source Settings - Driver
• Run airmon-ng to determine which driver your wireless card is using
  • Part of the Aircrack-ng suite
  • # airmon-ng
  • $ sudo airmon-ng

Driver Setting - Source
• Run airmon-ng or iwconfig to see all the wireless interfaces
  • # iwconfig
  • $ iwconfig

Lab: Discovering and enumerating wireless networks using Kismet

Accessing the Lab Server
• Connect to wireless network
  • Lab-Connect_Here
• Windows Telnet:
  • Start -> Run -> cmd.exe
  • telnet 192.168.10.102 -t vt100
• SSH (PuTTY or other SSH client)
  • Connect to 192.168.10.102
• Once connected, log in
  • Username: kismet
  • Password: kismet

How to Tell if an AP is on Your Network
• Direction/Location
  • GPS
  • Use a directional antenna
• Connect to the network and check:
  • If a traceroute shows the traffic traversing your network
  • If you can contact an internal server
  • DNS server address
• Do not rely on the assigned IP address

General Security Recommendations
• Make the network difficult to find
  • Limit AP power output
  • Use RF shielding to prevent RF leakage
  • Only use 802.11a APs
• Do not use hidden APs
  • Could make it easier to attack your wireless Windows clients
    • Windows prefers visible networks over hidden networks
    • Attackers can trick users into connecting to a malicious AP
• MAC filtering
  • Not recommended
  • Easy to bypass and adds a lot of complexity in a large environment
  • Minimal level of protection is generally not worth the effort

Wireless IDS
• Consider deploying a wireless IDS
• Can detect:
  • De-auth attacks
  • RTS and CTS denial of service attacks
  • Rogue APs
    • Both on and off your network
• Remember IDS is only detection and not prevention
• Be very careful with wireless IPS
  • IPS system could end up attacking neighboring networks

Wireless Encryption and Authentication
• Do not use WEP
• Migrate from LEAP
  • Known weaknesses and attack tools for LEAP
  • If you cannot migrate from LEAP be sure you enforce a strong password policy
• Use WPA or WPA2
  • Prefer WPA2
  • Both can be secured fairly well

WPA-PSK Recommendations
• WPA-PSK (Pre-Shared Key)
  • AKA WPA Home
• Choose a long and complex passphrase
  • Prevents bruteforce attacks from tools like Cowpatty
• Choose a unique SSID
  • Prevents using pre-compiled tables to speed up bruteforce attacks

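Both recommendations above follow from how WPA-PSK turns the passphrase into the Pairwise Master Key: the SSID is the PBKDF2 salt, so a pre-compiled table is only valid for the SSID it was built with, and every guess costs 4096 HMAC-SHA1 rounds. This added example (not from the original presentation) computes the PMK with that construction, checks it against the test vector published in the 802.11i annex, and shows a table built for one SSID giving a different key for another; the 20-character policy floor in passphrase_ok is an assumed value, not the presenter's.

```python
import hashlib

def wpa_psk_pmk(passphrase, ssid):
    """WPA-PSK master key per 802.11i: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

# Test vector from the 802.11i annex: passphrase "password", SSID "IEEE"
KNOWN_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

def known_vector_ok():
    """Sanity check that the derivation above matches the published vector."""
    return wpa_psk_pmk("password", "IEEE").hex() == KNOWN_PMK

def precomputed_table_reusable(passphrase, table_ssid, your_ssid):
    """A PMK table built for table_ssid only helps against your_ssid if the keys coincide.
    Because the SSID is the salt, that only happens when the SSIDs are identical."""
    return wpa_psk_pmk(passphrase, table_ssid) == wpa_psk_pmk(passphrase, your_ssid)

def passphrase_ok(passphrase, min_len=20):
    """802.11i allows 8-63 printable ASCII characters; min_len is an assumed local policy floor."""
    return (min_len <= len(passphrase) <= 63
            and all(32 <= ord(c) <= 126 for c in passphrase))
```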