Page 1: Wireless LAN Security
Hồ Đắc Biên bien.ho@ttgtc.com
0985 196 884
MCSA, MCITP-EA, CCNP, CCIE Written, Security+, CEH
Page 2
• Introduction
• WLAN Security Threats
• Evolution of Wireless LAN Security
• Demo: Crack WEP, WPA PSK
• Prevention
• Q&A
Page 3: Introduction, WLAN Security Threats
Page 4: Introduction
Page 5: Wireless LAN Security Threats
Page 7: Toys for Hackers
Page 8: A Dual-Use Product
Page 9: Netstumbler
Page 10: Kismet
Page 11: Sniffer on WLAN
• All messages are sent in clear over the wireless network.
• Eavesdroppers may be stealing your messages secretly…
[Diagram labels: eavesdropper; telnet gateway.cs]
Page 12: Evolution of Wireless LAN Security
Page 13: Evolution of Wireless LAN Security
[Figure labels: Standardized; Improved encryption; AES strong encryption; 802.1X EAP (LEAP, PEAP); Strong user authentication (such as LEAP, PEAP, EAP-FAST); Dynamic key management]
Page 14: WEP (Wired Equivalent Privacy)
Uses either 40-bit or 104-bit shared-key encryption with a 24-bit initialization vector.
This encryption scheme is extremely vulnerable:
1. WEP keys are static
2. Initialization vector is short and possibly constant
3. Initialization vector easily known to attacker
4. WEP has no cryptographic integrity protection
Page 15: WEP (Continued)
RC4
• Developed by Ron Rivest
• Became public in 1994
• Stream cipher used for WEP
• Ideal for its extremely fast speed for generating pseudo-random numbers
Page 16: WEP (Diagram)
Page 17: Encryption Standards (Continued)
WPA
• 128-bit encryption with a 48-bit initialization vector
• Uses TKIP
• Extends the IV space
Page 18: Cracks in WEP – Historic Evolution
2001 - The insecurity of 802.11, Mobicom, July 2001. N. Borisov, I. Goldberg and D. Wagner.
2001 - Weaknesses in the key scheduling algorithm of RC4. S. Fluhrer, I. Mantin, A. Shamir. Aug 2001.
2002 - Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. A. Stubblefield, J. Ioannidis, A. Rubin.
2004 – KoreK improves on the above technique and reduces the complexity of WEP cracking. We now require only around 500,000 packets to break the WEP key.
2005 – Andreas Klein introduces more correlations between the RC4 key stream and the key.
2007 – PTW extend Andreas's technique to further simplify WEP cracking. Now with just around 60,000 – 90,000 packets it is possible to break the WEP key.
Page 19: WEP Attacks – exposure area
Using known methods, exposure is limited to RF range of WEP enabled
No Mutual Authentication
Message Modification
Message Injection
[Chart axis labels: 1, 10, 100, 1000, On the Moon]
Page 20: Demo: Crack WEP Key, WPA PSK
Page 21: Wireless network model
2. A user computer connects to the router through a wireless connection which is protected by WEP
3. Attacker doesn't know the WEP password, or even the SSID and channel.
Page 22: Crack WEP Key
1. A wireless card that supports cracking WEP keys
Page 23: Wireless Card Crack WEP
TL-WN510G, WG511T, WG111T, D-Link WUA-1340
Page 24: Setup Card & Begin Scan
First, you need to scan for a victim & set up your card. For Atheros, Kismet detects the card automatically; for others you will need to edit Kismet's config.
Once you know the BSSID & channel you need, set your network card to Monitor
Page 25: Begin Dumping & Injecting
Use airodump to record all of the IVs you'll need to crack. Use aireplay to inject a mass quantity to get new IVs to use to crack the key.
You'll need at least 100,000 keys to crack a 128-bit WEP key, generally 200-300k is good.
Using the new PTW attack we only need 20,000 for 64 bits, 60,000 – 80,000 for 128 bits WEP.
Page 26: Demo: Airodump
1. Select adapter
2. Choose interface
* Airodump supports limited kinds of wireless adapters including: Atheros, Aironet, Realtek, PrismGT and Intel 3956.
Page 27: Aircrack-ng
Page 28: Crack WPA PSK
aircrack-ng -w (dictionary file) (file name of cap created by airodump)
Page 29: Prevention
Page 30: Security on Open Networks
Use a personal firewall or similar protection
Use an intrusion protection system (IPS)
Scan for viruses
Keep systems religiously up to date
Page 32: Website: http://ttgtc.com Forum: http://ttgtc.com/forum
Page 33: Securing WEP
Use WEP only if nothing else better is available
Use 128 bit encryption
Test all access points for weak packets (Kismet)
Consider changing shared access keys periodically or when security situation changes
Use with MAC controls on small networks
Keep access points behind a firewall in a DMZ
Assume the network is untrusted and provide for additional security
Page 34: Securing WPA/WPA2
Use WPA2 or WPA whenever available
Use hardened authentication where possible
RADIUS EAP / LEAP
Use strong passwords for WPA Pre-Shared Keys
Minimum of 17 characters
Include complex characters (numbers, caps, punc)
It's easier to break weak passwords on WPA PSK than it is to do codebook attacks on WEP!
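An added example, not part of the original slides: a pre-deployment check that applies the slide's passphrase rules (17 characters minimum, numbers, caps, punctuation) and derives the WPA/WPA2-PSK master key to show that the SSID is only a public salt. The common-word list, the sample passphrases and the SSID are constructed, and rejecting dictionary words is an assumption that goes beyond the slide's rules.

```python
import hashlib
import string

MIN_LEN = 17  # minimum length recommended on the slide
COMMON_WORDS = {"password", "wireless", "welcome", "internet"}  # constructed sample


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def check_passphrase(passphrase: str) -> list:
    """Return the list of policy problems; an empty list means it passes."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA passphrases must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("use printable ASCII only")
    if len(passphrase) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no numbers")
    if not any(c.isupper() for c in passphrase):
        problems.append("no capital letters")
    if not any(c in string.punctuation for c in passphrase):
        problems.append("no punctuation")
    lowered = passphrase.lower()
    hits = sorted(w for w in COMMON_WORDS if w in lowered)
    if hits:
        problems.append("contains common word(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for candidate in ("password1", "Welcome2Wireless!", "t7#Vq-Lm29!xRw0p&Gz"):
        print(repr(candidate), check_passphrase(candidate) or "OK")
    # The derivation is public and salted only by the SSID, so the
    # passphrase is the only secret protecting the network.
    print(derive_pmk("t7#Vq-Lm29!xRw0p&Gz", "ExampleSSID").hex())
```

The second sample meets every composition rule on the slide and is still flagged, which is why length and character classes alone are not a sufficient test.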
Page 37: Q & A
Email: bien.ho@ttgtc.com
You can download this slide at TTG forum: http://ttgtc.com/forum/