Driveby Hacking

1
Drive-by Hacking
ECE 578 COMPUTER NETWORK AND SECURITY A TERM
PAPER ON
Shekhar shinde Shinde_at_engr.orst.edu Oregon State
University.
2
Contents

• Background
• Problem of drive by hacking
• Wireless security options
• Challenges
• Types of attacks
• Internet scanner
• Real life solution to the problem
• Conclusion
• References

3
Background

• WLAN technology is making its way into
  organizations, but
• Authorized deployments are hindered by security
  concerns.
• Unauthorized (rogue) deployments put the
  corporate network at risk.
• Top concerns
• Where are the access points?
• Are they vulnerable to attack?
• Where is the network perimeter?

4
Market
5
The Problem Drive By Hacking
The Building
If the distance from the Access Port to the
street outside is 1500 feet or less, then a
Hacker could also get access while sat outside
6
Wireless LAN Security Options

• MAC address filtering
• Vendor specific authentication
• SSID/Network ID
• Wired Equivalent Privacy (WEP)
• Emerging IEEE 802.11x

7
Or in other words
The Problem ??Totally proprietary technology,
and therefore vendor specific and the initial
broadcast keys can still be sniffed
1. User runs client software and enters User name
Password
Valid only for session
Valid only for session
3. When device wants to connect to a different
AP, a new session is created, with a different
unique set of keys
2. The request is sent to the RADIUS/EAP Server,
RADIUS authenticates the session and sends unique
session keys to device AP
8
The Challenges

• Rogues Access Points
• Due to low cost, users setting up their own Aps
  without IT knowledge (ie boardrooms)
• DHCP
• One of the advantages of WLAN is the ability to
  move around the building, therefore moving
  between IP subnets therefore DHCP is needed,
  but very abuse able !!
• 803.11xx and other technologies (such as
  Bluetooth WAP) are all new and so no standards
  exist, so very vendor specific

9
Types of Attacks

• Insertion Attacks
• Interception and unauthorised monitoring
• Jamming
• Client to Client Attacks
• Brute Force on AP password
• Encryption Attacks
• Mis-configurations

10
Types of Attacks

• Insertion
• Deploying un-authorised devices or creating new
  wireless networks without prior knowledge of IT
• Interception and Unauthorised Monitoring
• As with wire networks it is possible to sniff
  the network, but where monitoring agents are
  required, with WLAN you can get everything.
• Jamming
• As name suggests this is a Denial of Service
  Attack floods the 2.4Ghz range, used by these and
  other devices, so nothing can communicate

11
Types of Attacks

• Client to Client Attacks
• Once Windows is configured to support Wireless it
  can be contacted by any other wireless device
  so all the usual File Sharing and TCP service
  attacks work
• Brute Force on Access Point password
• The APs use simple usernames and passwords which
  can be easily brute forced, and key management is
  not easy
• Encryption Attacks
• Although 802.11 has WEP, vulnerabilities have
  already been found and the keys can easily be
  cracked
• Mis-configurations
• All major vendors make their units easy to
  deploy, so they come with insecure, well known
  pre-configurations, which are rarely changed when
  installed

12
WLAN Security Challenges

• How to Defend against WLAN Threat
• WLAN Security is similar to the Wired network.
• Just represents an extension of wired networks
• Another potential un-trusted entry point into the
  wired network.
• Multi-Layer Security Approach
• Protect WLAN holistically at the network, system,
  and application layer for clients, access points,
  and the back-end servers.
• Apply traditional wired security
  countermeasures.

13
WLAN Discovery / Assessment/ Monitoring Tools

• Internet Scanner 6.2, the market leading network
  vulnerability assessment tool, was the first to
  assess many 802.11b security checks. 802.11
  checks are in several X-Press Updates (XPU 4.9
  and 4.10).
• RealSecure 6.5, the market leading IDS, was the
  first to monitor many 802.11b attacks. Recommend
  to make sure you are up to the latest X-Press
  Updates. 802.11 checks for IDS were in XPU 3.1.

14
Internet Scanner
1. Finds the Holes
2. Finds Rogue Access Points or Devices
15
Real Secure
Kill !!
Kill !!
16
The Solution

• Wireless Scanner 1.0 is the solution for this
  problem
• Identify 802.11b access points.
• Assess the implementation of available security
  features.
• Laptop-based for mobility.
• Wireless Scanner provides automated detection
  and security assessment of WLAN access points and
  clients.

17
Target Market

• Primary market of Wireless Scanner 1.0
• Enterprise customers
• SMB customers
• Security consultants / auditors
• These customers want to
• Implement a WLAN without compromising their
  existing security measures.
• Protect network from unauthorized APs.

18
How it works ..

• Each device has a WLAN adapter
• These communicate back to Access Ports (AP), or
  Wireless Bridges
• The technology works like old ethernet bridges by
  simply passing data on
• So anyone with a wireless device could,
  theoretically, connect to your network.

19
Features Detection

• Wireless Scanner detects access points

and active clients.
20
Features Security Assessment

• Wireless Scanner probes access points to
  determine their vulnerability to connection and
  attack by unauthorized users.

21
Features Reporting

• Multi-level reporting
• Export options
• New Access Points report highlights new 802.11b
  devices discovered in scan.

22
Features Flexibility

• Mobile users can scan while walking
• User configurable
• Filters
• Alarms and notifications
• Encryption keys for scanning
• Configurations can be saved and loaded

23
References

• Wireless scanner a white paper by stephen
  schmid.
• Cryptography and Network Security Principles and
  Practice, Second Edition by William Stallings
• Web reference of www.computing.co.uk/News/
• Cryptography and network security, third edition
  by William Stallings
• Fundamentals Of Computer Security Technology by
  Edward G. Amoroso. 
• Network Security by Mario Devargas. 
• LAN Times Guide To Security And Data Integrity by
  Marc Farley, Tom Stearns, And Jeffrey Hsu. 
• Computer System And Network Security by Gregory
  B. White, Eric A. Fisch, Udo W. Pooch.