Wireless Security - PowerPoint PPT Presentation

About This Presentation
Title: Wireless Security
Description: Block null ESSID connects Same problem ... Attack Scenarios Monkey-Jack. Victim's 802.11 card scans channels to search for new AP ... (PowerPoint PPT presentation)

Slides: 42
Provided by: hoctru

Transcript and Presenter's Notes

1
Wireless Security
Mark Nakrop, Managing Director, nForce Security Systems
2
Wireless Security, Advanced Wireless LAN Hacking
Agenda
  • Advanced 802.11 Attack
  • Wireless Best Practices
  • Wireless Hacking Tools
  • wlan-jack, essid-jack, monkey-jack, kracker-jack
  • Network Stumbler
  • Mitigation Strategies

3
Conventional LAN Security Model
(Diagram: Enterprise Premises separated from the Internet by the Corporate Firewall.)
Firewall shields inside from outside.
4
WiFi Breaks the Conventional Model
Network not confined to wires/premises anymore.
(Diagram: Enterprise Premises, Corporate Firewall and Internet as before, but the wireless network now reaches past the premises boundary, bypassing the firewall.)
Wi-Fi security solutions are needed.
5
Threats from Unmanaged Devices
(Diagram: Enterprise Network with a Neighboring Network, Rogue AP, Mis-configured AP, Honeypot, AP MAC Spoofing, Ad Hoc station and Denial of Service Attack surrounding it.)
  • Common
    • Rogue Access Points
    • Mis-configured Access Points
    • Mis-association
      • Ad hoc connections
      • Client mis-associations
      • Unauthorized associations
  • Malicious
    • Honeypot APs
    • MAC Spoofing APs
    • Denial of Service
      • De-authentication flood
      • Packet storm

6
Goals of WLAN Security
  • Fortify authorized communication
    • Access control and encryption over wireless link
    • WEP → WPA → 802.11i adequately address this
      problem
  • Protect the network from unmanaged devices
    • Rogue APs, DoS attacks, client misassociations,
      honeypots, ad hoc networks, MAC spoofing etc.
    • Current pain point in enterprise network
    • Wireless Intrusion Detection and Prevention
      Systems

7
802.11, 802.11b, etc.
  • IEEE standard based on well-known Ethernet
    standards
  • 802.11: FHSS or DSSS, WEP, 2.4 GHz,
    Infrastructure (BSS) or Ad-Hoc (IBSS)
    • Limited to 2 Mb/s due to FCC limits on dwell
      times per frequency hop
  • 802.11b: DSSS only, WEP, 2.4 GHz, Infrastructure
    or Ad-Hoc
    • Up to 11 Mb/s
    • Also known as Wi-Fi
  • 802.11a and 802.11g

8
General Principles
  • Deal with the basics
  • Integrity
    • Protecting your packets from modification by
      other parties
  • Confidentiality
    • Keeping eavesdroppers within range from gaining
      useful information
  • Keeping unauthorized users off the network
    • Free Internet!
    • Risks to both internal and external network
  • Availability
    • Low level DoS is hard to prevent
  • Like any other environment, there are no silver
    bullets

9
Current Security Practices
  • WEP (Wired Equivalent Privacy)
    • Link Level
    • Very Broken
  • Firewalls/MAC Filtering
  • Reactionary IDS/Active Portal
  • Higher level protocols

10
Thoughts on WEP
  • Key management beyond a handful of people is
    impossible
  • Too much trust
  • Difficult administration
  • Key lifetime can get very short in an enterprise
  • No authentication for management frames
  • No per packet auth
  • False Advertising!!!

11
What is Lacking?
  • Scalability
  • Many clients
  • Large networks
  • Protection for all parties
  • Eliminate invalid trust assumptions

12
What is War Driving?
  • Equipped with wireless devices and related tools,
    and driving around in a vehicle or parking at
    interesting places with the goal of discovering
    easy-to-get-into wireless networks is known as
    war driving. War-drivers define war driving as
    "the benign act of locating and logging wireless
    access points while in motion." This benign act
    is of course useful to attackers.

13
What is War Chalking?
  • War chalking is the practice of marking sidewalks
    and walls with special symbols to indicate that
    wireless access is nearby so that others do not
    need to go through the trouble of the same
    discovery. 

14
What Will Be Covered
  • Wireless network best practices
  • Practical attacks
    • The focus of the attack(s): the network layers,
      specifically the bottom 2 layers
    • Custom (forged) 802.11b management frames
  • The Tool Box
    • Drivers
    • Utilities
    • Proof of concept code

15
What Will Be Covered
  • Attack Scenarios
    • Denial of service
    • Masked ESSID detection
    • 802.11b layer MITM attack
    • Inadequate VPN implementations
  • Mitigation Strategies

16
Wireless Best Practices
  • Enable WEP - Wired equivalent privacy
  • Key rotation when equipment supports it
  • Disable broadcast of ESSID
  • Block null ESSID connection
  • Restrict access by MAC address
  • Use VPN technology
  • Use strong mutual authentication

17
Practical Attacks
  • WEP: can be cracked passively
  • Masked ESSID: can be passively observed in
    management frames during association
  • Block null ESSID connects: same problem
  • Install VPN: weakly authenticated VPN is
    susceptible to active attack (MITM)
  • Strong mutual authentication: ?

18
The Tool Box
  • Custom Drivers
    • Air-Jack: custom driver for PrismII (HFA384x)
      cards
      • MAC address setting/spoofing
      • Send custom (forged) management frames
      • AP forgery/fake AP
    • Lucent/Orinoco: Linux driver modified to allow
      MAC address setting/spoofing from the command
      line
  • Utilities
    • User space programs: wlan-jack, essid-jack,
      monkey-jack, kracker-jack
    • NetStumbler

19
Attack Scenarios WLAN-Jack
20
Attack Scenarios WLAN-Jack
  • Airopeek Trace

21
Attack Scenarios WLAN-Jack
  • Airopeek Trace

22
Attack Scenarios WLAN-Jack
  • Decode of Deauthentication Frame

23
Attack Scenarios WLAN-Jack
  • This is your connection

24
Attack Scenarios WLAN-Jack
  • This is your connection on WLAN-Jack.

25
Attack Scenarios ESSID-Jack
  • Is the ESSID a shared secret?
  • If I mask the ESSID from the AP beacons, then
    unauthorized users will not be able to associate
    with my AP?
  • Discover masked ESSID
    • Send a deauthenticate frame to the broadcast
      address.
    • Obtain ESSID contained in client probe request or
      AP probe response.
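
The following is an added example, not code from the presentation. It pairs the frame decode on slide 22 with the broadcast deauthenticate on slide 25 from the defender's side: a minimal 802.11 management-frame decoder and the two rules a wireless IDS sensor in monitor mode would apply to what it hears, namely "any deauth sent to the broadcast address" and "too many deauths attributed to one BSSID in a short window". Every frame in the capture is constructed in the script (the MAC addresses are made up, and the threshold of 10 frames per second is an assumed tuning value, not a figure from the slides).

```python
"""Added example: decode 802.11 deauthentication frames and flag the two
patterns a wireless IDS looks for. All frames here are constructed."""
import struct
from collections import defaultdict, deque

MGMT_HEADER_LEN = 24      # frame control(2) + duration(2) + addr1/2/3(18) + seq ctrl(2)
SUBTYPE_DEAUTH = 12       # management subtype 1100b
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame: bytes) -> dict:
    """Decode the fixed MAC header of a management frame.

    Management frames carry addr1 = destination, addr2 = source (transmitter)
    and addr3 = BSSID. A deauth frame's 2-byte body is the reason code; a
    forged deauth shows the AP as source although the AP never sent it.
    """
    if len(frame) < MGMT_HEADER_LEN:
        raise ValueError("frame shorter than the 802.11 management header")
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    if (fc >> 2) & 0x3 != 0:                 # type field: 0 = management
        raise ValueError("not a management frame")
    info = {
        "subtype": (fc >> 4) & 0xF,
        "da": mac_str(frame[4:10]),
        "sa": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,  # low 4 bits = fragment no.
    }
    if info["subtype"] == SUBTYPE_DEAUTH:
        if len(frame) < MGMT_HEADER_LEN + 2:
            raise ValueError("deauth frame missing reason code")
        (info["reason"],) = struct.unpack_from("<H", frame, MGMT_HEADER_LEN)
    return info


def build_deauth(sa: str, da: str, bssid: str, seq: int, reason: int = 7) -> bytes:
    """Assemble a deauth frame for the constructed test capture
    (reason 7 = class 3 frame received from a non-associated station)."""
    fc = SUBTYPE_DEAUTH << 4                 # version 0, type 0, subtype 12, no flags
    header = (struct.pack("<HH", fc, 0) + mac_bytes(da) + mac_bytes(sa)
              + mac_bytes(bssid) + struct.pack("<H", seq << 4))
    return header + struct.pack("<H", reason)


def detect_deauth_abuse(capture, threshold=10, window=1.0):
    """Run two WIDS rules over (timestamp, raw_frame) pairs and return alerts.

    Rule 1: a deauth addressed to the broadcast MAC is reported at once (the
            ESSID-unmasking trick on slide 25).
    Rule 2: more than `threshold` deauths attributed to one BSSID inside a
            sliding `window` of seconds is reported once as a flood (WLAN-Jack).
    Threshold and window are assumed values.
    """
    recent = defaultdict(deque)              # bssid -> timestamps of recent deauths
    flooding = set()
    alerts = []
    for ts, raw in capture:
        try:
            f = parse_mgmt_frame(raw)
        except ValueError:
            continue                         # data/control frames are not our concern here
        if f["subtype"] != SUBTYPE_DEAUTH:
            continue
        if f["da"] == BROADCAST:
            alerts.append(f"broadcast deauth from {f['sa']} (reason {f['reason']}) at t={ts:.2f}")
        times = recent[f["bssid"]]
        times.append(ts)
        while times and ts - times[0] > window:
            times.popleft()
        if len(times) > threshold and f["bssid"] not in flooding:
            flooding.add(f["bssid"])
            alerts.append(f"deauth flood: {len(times)} frames from {f['bssid']} "
                          f"within {window}s at t={ts:.2f}")
    return alerts


# Constructed capture: the AP (made-up address) sends two routine unicast
# deauths, then 30 deauths carrying the AP's address arrive within 0.3 s,
# then one deauth is addressed to the broadcast MAC.
AP_MAC = "00:40:96:aa:bb:01"
CLIENT_MAC = "00:02:2d:11:22:33"


def sample_capture():
    frames = [(0.0, build_deauth(AP_MAC, CLIENT_MAC, AP_MAC, 100, reason=2)),
              (5.0, build_deauth(AP_MAC, CLIENT_MAC, AP_MAC, 101, reason=2))]
    frames += [(10.0 + i * 0.01, build_deauth(AP_MAC, CLIENT_MAC, AP_MAC, 4000 + i))
               for i in range(30)]
    frames.append((20.0, build_deauth(AP_MAC, BROADCAST, AP_MAC, 4030)))
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_abuse(sample_capture()):
        print(alert)
```

The sequence-number field is decoded but not used by the rules; a sensor that tracks the AP's real sequence counter can use the jump in the forged frames as a third indicator, since the attacker's driver does not know where the AP's counter stands.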

26
Attack Scenarios ESSID-Jack
27
Attack Scenarios - ESSID-Jack
  • Airopeek Trace

28
Attack Scenarios ESSID-Jack
  • Airopeek Trace

29
Attack Scenarios Monkey-Jack
  • MITM Attack
    • Taking over connections at layers 1 and 2
    • Insert attack machine between victim and access
      point
  • Management frames
    • Deauthenticate victim from real AP
    • Send deauthenticate frames to the victim using
      the access point's MAC address as the source

30
Attack Scenarios Monkey-Jack
  • Victim's 802.11 card scans channels to search for
    new AP
  • Victim's 802.11 card associates with fake AP on
    the attack machine
    • Fake AP is on a different channel than the real
      one
    • Attack machine's fake AP is duplicating MAC
      address and ESSID of real AP
  • Attack machine associates with real AP
    • Attack machine duplicates MAC address of the
      victim's machine
  • Attack machine is now inserted and can pass
    frames through in a manner that is transparent to
    the upper level protocols
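
Slides 29 and 30 describe the observable footprint of the Monkey-Jack fake AP: the real AP's MAC address and ESSID, but on a different channel. The block below is an added example, not the presentation's code, showing the inventory check a wireless IDS sensor can run over the beacons it hears to catch that pattern, together with the honeypot and rogue-AP cases from slide 5. The authorized AP list and the beacon observations are constructed for the example; the MAC addresses, ESSIDs and channels are made up.

```python
"""Added example: audit observed beacons against an authorized-AP inventory.
Inventory and observations below are constructed, not captured data."""

# Authorized APs as provisioned by the enterprise (constructed inventory).
AUTHORIZED_APS = {
    "00:40:96:aa:bb:01": {"ssid": "corpnet", "channel": 6, "privacy": True},
    "00:40:96:aa:bb:02": {"ssid": "corpnet", "channel": 11, "privacy": True},
}

# Beacons summarised by a monitor-mode sensor: BSSID, advertised ESSID, the
# channel from the DS Parameter Set element and the Privacy capability bit.
OBSERVED_BEACONS = [
    {"bssid": "00:40:96:aa:bb:01", "ssid": "corpnet", "channel": 6, "privacy": True},
    {"bssid": "00:40:96:aa:bb:02", "ssid": "corpnet", "channel": 11, "privacy": True},
    # same MAC and ESSID as the first AP but on channel 1: the Monkey-Jack fake AP
    {"bssid": "00:40:96:aa:bb:01", "ssid": "corpnet", "channel": 1, "privacy": True},
    # unknown MAC advertising our ESSID with no privacy: honeypot / fake AP
    {"bssid": "00:0c:29:de:ad:01", "ssid": "corpnet", "channel": 3, "privacy": False},
    # unknown MAC, unknown ESSID: neighbouring network or rogue, needs a look
    {"bssid": "00:11:22:33:44:55", "ssid": "cafe-free", "channel": 1, "privacy": False},
    # repeat sighting of the fake AP; must not raise a second alert
    {"bssid": "00:40:96:aa:bb:01", "ssid": "corpnet", "channel": 1, "privacy": True},
]


def audit_beacons(observations, inventory):
    """Return (severity, message) alerts, one per distinct (BSSID, channel)."""
    authorized_ssids = {ap["ssid"] for ap in inventory.values()}
    seen = set()
    alerts = []
    for obs in observations:
        key = (obs["bssid"], obs["channel"])
        if key in seen:
            continue
        seen.add(key)
        known = inventory.get(obs["bssid"])
        if known is not None:
            if obs["channel"] != known["channel"]:
                # An authorized MAC beaconing on a second channel is the slide-30 pattern.
                alerts.append(("high", f"BSSID {obs['bssid']} authorized on channel "
                                       f"{known['channel']} is beaconing on channel "
                                       f"{obs['channel']}: AP MAC spoofing / fake AP"))
            elif obs["ssid"] != known["ssid"] or obs["privacy"] != known["privacy"]:
                alerts.append(("medium", f"BSSID {obs['bssid']} beacon differs from inventory "
                                         f"(ssid={obs['ssid']}, privacy={obs['privacy']}): "
                                         f"misconfigured AP"))
        elif obs["ssid"] in authorized_ssids:
            mode = "open" if not obs["privacy"] else "privacy enabled"
            alerts.append(("high", f"unknown BSSID {obs['bssid']} advertising authorized "
                                   f"ESSID '{obs['ssid']}' on channel {obs['channel']} "
                                   f"({mode}): honeypot / fake AP"))
        else:
            alerts.append(("info", f"unknown BSSID {obs['bssid']} advertising "
                                   f"'{obs['ssid']}' on channel {obs['channel']}: "
                                   f"neighbouring or rogue AP, verify"))
    return alerts


if __name__ == "__main__":
    for severity, message in audit_beacons(OBSERVED_BEACONS, AUTHORIZED_APS):
        print(f"[{severity}] {message}")
```

The channel rule only works if the inventory is kept current (a legitimately re-channelled AP looks exactly like a spoofed one until the record is updated) and if the sensor actually dwells on every channel, since the fake AP deliberately sits on a channel the real AP does not use.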

31
Attack Scenarios Monkey-Jack
  • Before Monkey-Jack

32
Attack Scenarios Monkey-Jack
  • After Monkey-Jack

33
Attack Scenarios - Monkey-Jack
34
WarDriving Techniques
  • NetStumbler - identifies wireless access points
    and peer networks, http://www.netstumbler.com
  • AiroPeek - actually lets you peek into the data
    transmitted across a wireless network,
    http://www.wildpackets.com/products/airopeek
  • AirSnort - http://airsnort.shmoo.com/
  • WEPCrack - http://wepcrack.sourceforge.net/

35
NetStumbler
36
Airopeek
37
Mitigation Strategies
  • Wireless IDS and Monitoring
  • VPN with strong mutual authentication
  • RF signal shaping: avoiding signal leaks
  • Antennas with directional radiation pattern

38
Wi-Fi Intrusion Detection and Prevention
(Diagram: the threat map from slide 5, with the Neighboring Network, Mis-association, Mis-configured AP, Unauthorized Association, Honeypot, Rogue AP, AP MAC Spoofing, Ad Hoc and Denial of Service Attack each marked X, i.e. blocked by the Wi-Fi intrusion detection and prevention system.)
39
Summary
  • Wireless networks are more susceptible to active
    attacks than wired networks
  • Enable all built-in security capabilities
  • Use VPN with strong mutual authentication
  • Monitor wireless network medium (air space) for
    suspicious activity

40
DON'T GET DISCOURAGED!
  • Attackers are constantly improving their skills
  • The security community must strive to improve as
    well
  • Keeping up is a lot of work
  • But it can be fun, and does help ensure job
    security
  • Experiment in your Hacker Analysis Laboratory
  • By remaining diligent, you can defend your
    computer systems!

41
THANK YOU