1 / 31

Wireless Security

Wireless Security. Agenda. Basics of an Attack 802.11b Overview WEP Other security measures Future of Wireless Security. Step 1: War Driving. Materials needed: Laptop w/ 802.11b card and GPS, Netstumbler, Airsnort, Ethereal, and the car of your choice

lesley-love
Download Presentation

Wireless Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Wireless Security

  2. Agenda • Basics of an Attack • 802.11b Overview • WEP • Other security measures • Future of Wireless Security ECE 4112 - Internetwork Security

  3. Step 1: War Driving • Materials needed: Laptop w/ 802.11b card and GPS, Netstumbler, Airsnort, Ethereal, and the car of your choice • An attacker would first use Netstumbler to drive around and map out active wireless networks • Netstumbler not only has the ability to monitor all active networks in the area, but it also integrates with a GPS to map AP’s ECE 4112 - Internetwork Security

  4. Step 2: Cracking Using Airsnort • At this point, the attacker has chosen his target; most likely a business • Netstumbler can tell you whether or not the network is encrypted • If encrypted, park the car, start up Airsnort, and leave it be for a few hours • Airsnort, given enough time, will passively listen to traffic and figure out the encryption key ECE 4112 - Internetwork Security

  5. Step 3: Listening to the Network • Once the encryption key is compromised, it is a trivial process to connect to the network, and if there wasn’t an encryption key at all, well then …. • An attacker would next use Ethereal to listen to the network traffic, analyze, and plan further attacks ECE 4112 - Internetwork Security

  6. That’s it…the network is compromised • Most wireless networks are no more secure than this, many are less secure • Hundreds of business’s, schools, airports, and residences use wireless technology as a major point of access to their networks • Growth of demand for Wireless LANs (WLAN) is increasing dramatically ECE 4112 - Internetwork Security

  7. Basic 802.11b Overview • 802.11b was IEEE approved in 1999 • Infrastructure Mode or Ad Hoc • Utilizes 2.4GHz band on 15 different channels (only 11 in US) • 11mbit shared among all users on access point • Cheap!!! ECE 4112 - Internetwork Security

  8. Built in Security Features • Service Set Identifier (SSID) • Differentiates one access point from another • SSID is sent in ‘beacon frames’ every few seconds. • Beacon frames are in plain text! ECE 4112 - Internetwork Security

  9. Do’s and Don'ts for SSID’s • Default SSID’s are well known (Linksys AP’s default to linksys, CISCO defaults to tsunami, etc) so change them immediately. • Don’t set your SSID to something that will give away information. • Do change the settings on your AP so that it does not broadcast the SSID in the beacon frame. ECE 4112 - Internetwork Security

  10. Associating with the AP • Access points have two ways of initiating communication with a client • Shared Key or Open Key authentication • Open key allows anyone to start a conversation with the AP • Shared Key is supposed to add an extra layer of security by requiring authentication info as soon as one associates ECE 4112 - Internetwork Security

  11. How Shared Key Auth. works • Client begins by sending an association request to the AP • AP responds with a challenge text (unencrypted) • Client, using the proper WEP key, encrypts text and sends it back to the AP • If properly encrypted, AP allows communication with the client ECE 4112 - Internetwork Security

  12. Is Open or Shared Key more secure? • Ironically enough, Open key is the answer in short • Using passive sniffing, one can gather 2 of the three variables needed in Shared Key authentication: challenge text and the encrypted challenge text • Simply plugging these two values into the RC4 equations will yield the WEP key! ECE 4112 - Internetwork Security

  13. Wired Equivalent Protocol (WEP) • Primary built security for 802.11 protocol • Uses 40bit RC4 encryption • Intended to make wireless as secure as a wired network • Unfortunately, since ratification of the 802.11 standard, RC4 has been proven insecure, leaving the 802.11 protocol wide open for attack ECE 4112 - Internetwork Security

  14. A closer look at WEP • Weakness in RC4 lies within the Initialization Vector (IV) • The IV is a random 24bit number (2^24) • Packets sent over the network contain the IV followed by the encrypted data • RC4 combines the IV and the 40bit key to encrypt the data • Two known attacks against this! ECE 4112 - Internetwork Security

  15. Numerical Limitation Attack • IV’s are only 24bit, and thus there are only 16,777,216 possible IV’s • A busy network will repeat IV’s often • By listening to the encrypted traffic and picking out the duplicate IV’s, it is possible to infer what parts of the WEP key are • Enough duplicate IV’s and you can figure out the whole WEP key ECE 4112 - Internetwork Security

  16. The Weak IV attack • Some IV’s do not work well with RC4 • Using a formula, one can take a weak IV and infer part of the WEP key • Once again, passively monitoring the network for a few hours can be enough time to gather enough weak IV’s to figure out the WEP key ECE 4112 - Internetwork Security

  17. Taking a look back on WEP • WEP is flawed by a technology weakness, and there is no simple solution to fix it • Increasing key length will only help against a brute force attack (trying to guess the key). The IV is the weakness in this protocol, so increasing key length is pointless • Attacks against WEP are passive and extremely difficult to detect ECE 4112 - Internetwork Security

  18. Security beyond 802.11 specifications • For a secure wireless network, you MUST go above and beyond the 802.11b security measures. • At this point, there are many measures you can take to secure a wireless network. All have their pro’s and con’s, and of course some work better than others • The Goal: a secure network that is easy to deploy and maintain. ECE 4112 - Internetwork Security

  19. Hiding the SSID • As stated earlier, the SSID is by default broadcast every few seconds. • Turning it off makes it harder to figure out a wireless connection is there • Reading raw packets will reveal the SSID since even when using WEP, the SSID is in plain text • Increases deployment difficulty ECE 4112 - Internetwork Security

  20. MAC address filtering • MAC address filtering works by only allowing specific hardware to connect to the AP • Management on large networks unfeasible • Using a packet sniffer, one can very easily find a valid MAC address and modify their OS to use it, even if the data is encrypted • May be good for small networks ECE 4112 - Internetwork Security

  21. Counter measures that could have prevented this! • Only allow users to connect to servers on the wired LAN with secure protocols. If that is not an option, use a firewall to block insecure connections to servers on the wired LAN • Use of 802.1X and a secure EAP if possible • If convenient, a VPN would greatly increases security of data ECE 4112 - Internetwork Security

  22. Things to keep in mind when securing a WLAN • All WLAN should be considered insecure, and thus should be treated that way • Never put a WLAN within the perimeter of your wired LAN’s firewall • Use WEP, it will deter most would be trespassers • Do not leave default WEP key • Implement 802.1X with key rotation every 5 to 10 minutes • Combine security mechanisms. ECE 4112 - Internetwork Security

  23. Future of wireless security • 802.11i is in progress, and addresses security issues in 802.11b • 802.11i will in essence be a standardized way for 802.11b and 802.1X to be coupled, and introduce new ciphers • TKIP cipher should be able to be used on existing hardware with new firmware • New ciphers based on AES encryption will require new hardware ECE 4112 - Internetwork Security

  24. Lab Goals • Examine Unencrypted Wireless Traffic • Circumventing MAC Address Filtering • Cracking WEP using AirSnort ECE 4112 - Internetwork Security

  25. D-Link Wireless AP 192.168.1(2).144 Evil RedHat Linux 8.0 Sniffer 192.168.1(2).50 WindowsXP2 FTP Server 192.168.1(2).150 WindowsXP1 FTP Client 192.168.1(2).100 Network Layout ECE 4112 - Internetwork Security

  26. Unencrypted Wireless Traffic(kismet) ECE 4112 - Internetwork Security

  27. MAC Address Filtering • Use Kismet to find a valid MAC Address • Spoof your MAC address • With no encryption, full access should be granted ECE 4112 - Internetwork Security

  28. Cracking WEP Cracking using AirSnort can take a considerable amount of time, so you will be provided with a nearly complete log file ECE 4112 - Internetwork Security

  29. Links to the tools used: • Airsnorthttp://airsnort.shmoo.com • Netstumblerhttp://www.netstumbler.com • Etherealhttp://www.ethereal.com ECE 4112 - Internetwork Security

  30. Papers and Wireless Security Web Pages • Weaknesses in the Key Scheduling Algorithm of RC4 • The Unofficial 802.11 Security Web Page • Wireless Security Blackpaper • The IEEE 802.11 specifications (includes WEP spec) • Paper on detecting Netstumbler and similar programs • Further reading on upcoming 802.11 variations • Assorted 802.11 related crypto algorithms written in ANSI C ECE 4112 - Internetwork Security

  31. Acknowledgements Brian Lee authored most of these slides. ECE 4112 - Internetwork Security

More Related