Wireless Security - PowerPoint PPT Presentation

1 / 22
About This Presentation
Title:

Wireless Security

Description:

Wireless Security – PowerPoint PPT presentation

Number of Views:168
Avg rating:3.0/5.0
Slides: 23
Provided by: gate307
Category:

less

Transcript and Presenter's Notes

Title: Wireless Security


1
Wireless Security
2
Outline
  • 802.11 Overview
  • WEP
  • Other security measures
  • Attacks
  • Lab motivation

3
802.11 Overview
  • IEEE 802.11 denotes a set of wireless
  • standards definied by IEEE
  • Most popular include 802.11a/b/g
  • 802.11a is in the 5GHz band, b/g is in the
  • 2.4GHz band
  • 802.11i is intended to improve security

4
Security Features
  • Service Set Identifier (SSID)
  • Used to differentiate between access points
  • Sent out in a beacon frame
  • These are plain text messages

5
Associating with an AP
  • Two initialization methods
  • Shared Key or Open Key
  • With Open Key anyone can talk to the AP
  • Shared Key requires authentication as soon as
    association succeeds

6
Wired Equivalent Privacy (WEP)
  • WEP uses the stream cipher C4
  • RC4 generates a pseudorandom stream of bits (a
    "keystream") which is combined with the plaintext
    using xor
  • Decryption is performed the same way
  • WEP uses two key sizes 40 bit 104 bit
  • 64 bit and 128 bit WEP
  • To each is added a 24-bit initialization vector
  • (IV) which is transmitted in the clear.

7
WEP
  • WEP has several weaknesses
  • The weakness with RC4 is with the Initialization
    Vector (IV)
  • This lead to several different types of attacks
  • We will use a tool that combines two of these
    attacks, and the appendix will describe another

8
WEP attack 1
  • The 24 bit IV has a numerical limit
  • Only 16,777,216 possible IVs
  • Listening long enough, and IVs will be repeated
  • Enough duplicate IVs and the WEP key can be
    determined

9
WEP attack 2
  • Another attack relies on the fact that some IVs
    are weak
  • Using a formula, one can take a weak IV and infer
    part of the WEP key
  • Listening to the network long enough and the WEP
    key can be discovered
  • This attack, like the last one, can take a very
    long time

10
WEP attack 3
  • A new attack was developed by a hacker name KoreK
  • This attack relies on gathering enough unique IVs
  • This is a statistical attack that requires about
    200,000 unique IVs to determine a 40-bit WEP key

11
Default Settings
  • Most consumer access points are very easy to
    setup
  • However, their default states have no security
    and are easy to lookup
  • Despite this, many people leave their APs in this
    state, making them easy targets

12
Protecting Your Network
  • There are several methods to increase the
    security of a wireless network
  • Turning off SSID broadcasting
  • SSID broadcasting helps attackers find your WLAN
  • While not broadcasting will not stop anyone, it
    will make your network less interesting

13
MAC Address Filtering
  • MAC address filtering allows only a set list of
    hardware devices connect
  • In theory every device will have a unique MAC
    address
  • However, using a sniffer the MAC address of a
    valid client is easily found
  • Most wireless cards allow their MAC addresses to
    be changed

14
WPA - Wi-Fi Protected Access
  • By increasing the size of the keys, the number of
    keys in use, and adding a secure message
    verification system, WPA makes breaking into a
    Wireless LAN far more difficult.
  • The Michael algorithm was the strongest that WPA
    designers could come up with that would still
    work with most older network cards however it is
    subject to attack. To limit this risk, WPA
    networks shut down for 30 seconds whenever an
    attempted attack is detected.

15
Lab Goals
  • Determine router type and defaults
  • Examining unencrypted traffic
  • Bypassing MAC address filtering
  • Cracking WEP using Aircrack
  • Setting up a fake AP to steal login information

16
Network Layout
17
Unencrypted Traffic
18
MAC Address Filtering
  • Sniff traffic for a valid MAC address
  • Change your MAC address to the valid one
    (Spoofing)
  • Full access if no encryption on the network

19
Cracking WEP with Aircrack
  • Airodump collects packets
  • Aircrack is used on the output file from Airodump
  • It uses unique IVs to break the WEP key
  • 330,000 unique IVs and Aircrack broke the key
    in 1 second
  • 100,000 and it took 21 seconds

20
Fake AP
  • The tool suite we will use allows us to setup our
    wireless card as an access point
  • To make this useful we will need to do some work
  • By deauthenticating a client from his AP, we can
    make him connect to our fake one
  • By forging a web page we can potentially steal
    important login information
  • This attack is very hard for the victim to
    realize until it is far to late

21
Links to tools
  • Ethereal
  • http//www.ethereal.com
  • Kismet
  • http//www.kismetwireless.net
  • Auditor security collection -
  • http//new.remote-exploit.org/index.php/Auditor_ma
    in
  • Aircrack
  • http//www.cr0.net8040/code/network/aircrack

22
References
  • http//en.wikipedia.org/wiki/RC4
  • http//en.wikipedia.org/wiki/WEP
  • http//en.wikipedia.org/wiki/IEEE_802.11
  • http//www.securityfocus.com/infocus/1814
  • http//www.cr0.net8040/code/network/aircrack/
Write a Comment
User Comments (0)
About PowerShow.com