Shane Hartman – CISSP, GCIA, GREM
Suncoast Security Society
Agenda
- Wireless types
- Wireless advantages / disadvantages
- Wireless insecurities – WEP
- Wireless insecurities – WPA
- Hardening wireless
- Detecting rogue wireless
- Wireless intrusion detection
- Demo: cracking WEP
- Demo: cracking WPA
Wireless Types
Standard   Band              Range      Transfer rate
802.11a    5 GHz             300 ft     54 Mbps
802.11b    2.5 GHz           300 ft     11 Mbps
802.11g    2.5 GHz           150 ft     54 Mbps
802.11n    2.5 GHz / 5 GHz   1200 ft    300 Mbps theoretical (burst)
Wireless Advantages
- Convenience
- Mobility
- Productivity
- Deployment
- Expandability
- Cost

Wireless Disadvantages
- Security
- Range
- Reliability
- Speed
Wireless Insecurities – WEP
WEP (Wired Equivalent Privacy)
- Part of the 802.11 standard, intended to prevent eavesdropping and data tampering
- Uses the RC4 stream cipher with a secret key of “x” bits, combined with a 24-bit random number known as the initialization vector (IV)
WEP key recovery
- Every frame is encrypted with the same WEP key and a different IV
- The IV is only 24 bits (0 – 16,777,215)
- Eventually IVs are reused, and the RC4 keystream with them
Unauthorized data decryption and loss of data integrity
- Once the key is known it can be used to read and alter data, or to gain access to the AP itself
Poor key management
- Once set, keys stay the same
- In a corporate environment people leave and the keys should be changed, but rarely are
No access point authentication
- Authentication works one way: clients authenticate to the AP, but the access point has no way of authenticating the client
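The two WEP weaknesses above (a 24-bit IV that must repeat, and a keystream that is a function of IV plus static key) can be shown concretely. The following Python is an added example, not material from the slides: it implements textbook RC4, builds the per-frame key the way WEP does (IV prepended to the shared secret), and shows that two frames encrypted under a repeated IV leak the XOR of their plaintexts without the key ever being known. The secret key, IV and frame contents are constructed values, and the birthday-bound estimate assumes IVs are chosen uniformly at random.

```python
"""
Added example (not from the slides): why a 24-bit IV makes WEP keystream reuse
inevitable, and what keystream reuse leaks.  RC4 is implemented from the
textbook description; the key, IV and frame contents are constructed values.
"""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible IVs (0 .. 16,777,215)


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling algorithm (KSA) followed by the PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret_key: bytes, iv: int, plaintext: bytes) -> bytes:
    """WEP-style encryption: the per-frame RC4 key is the 24-bit IV followed by the shared secret."""
    iv_bytes = iv.to_bytes(3, "big")
    keystream = rc4_keystream(iv_bytes + secret_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(secret_key: bytes, iv: int, frame1: bytes, frame2: bytes) -> bytes:
    """
    Two frames encrypted under the same key and IV share one keystream.
    XORing the ciphertexts cancels that keystream and leaves frame1 XOR frame2,
    so IV reuse is a confidentiality failure even for an observer without the key.
    """
    c1 = wep_encrypt(secret_key, iv, frame1)
    c2 = wep_encrypt(secret_key, iv, frame2)
    return xor_bytes(c1, c2)


def expected_frames_until_iv_collision(iv_space: int = IV_SPACE) -> float:
    """Birthday bound: expected number of random IVs drawn before one repeats, about sqrt(pi/2 * N)."""
    return math.sqrt(math.pi / 2 * iv_space)


def hours_to_exhaust_iv_space(frames_per_second: float, iv_space: int = IV_SPACE) -> float:
    """Hours until a sequential-IV sender has used every IV once and must start reusing them."""
    return iv_space / frames_per_second / 3600


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP secret
    f1, f2 = b"hello world!", b"HELLO WORLD?"
    leak = keystream_reuse_leak(key, 0x000001, f1, f2)
    print("c1 XOR c2 == p1 XOR p2:", leak == xor_bytes(f1, f2))
    print("expected frames until a random IV repeats:", round(expected_frames_until_iv_collision()))
    print("hours to exhaust IV space at 1000 frames/s:", round(hours_to_exhaust_iv_space(1000), 1))
```

With random IVs a repeat is expected after only a few thousand frames; with sequential IVs a busy AP sending 1000 frames per second wraps the whole 24-bit space in under five hours. Either way the property the slides describe, eventual IV reuse, is structural and cannot be configured away, which is the defender's argument for retiring WEP rather than tuning it.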
Wireless Insecurities – WPA
WPA (Wi-Fi Protected Access)
- Also known as 802.11i
- Moved away from the RC4 cipher stream of WEP to TKIP (Temporal Key Integrity Protocol) and/or AES (Advanced Encryption Standard)
- Uses a 4-way handshake to authenticate and set up encryption
Poor key management
- Once set, keys stay the same
- In a corporate environment people leave and the keys should be changed, but rarely are

No access point authentication
- Authentication works one way: clients authenticate to the AP, but the access point has no way of authenticating the client
Hardening Wireless
- Don’t use wireless, if possible
- Use a layered approach

- MAC address filtering
- Turn off SSID broadcast
- Don’t allow the AP to issue IP addresses
- Only allow access during certain times
- Home: use WPA2 with a long, non-dictionary key
- Enterprise: use WPA2 with 802.1X port security, i.e. RADIUS

- Turn off auto-connect to preferred networks on clients (counters Karma)
- Establish a VPN connection from the wireless APs to your office

- Use FakeAP to produce 53,000 decoy APs
- Apply shielding to the building structure to contain wireless signals
- Set up wireless intrusion detection

- Implement a wireless security policy
- Provide for physical security
- Provide a supported WLAN infrastructure
- Implement 802.1X port-based security on your switches
- Limit the number of MAC addresses per port to one:
  SW2(config-if)# switchport port-security maximum 1
Detecting Rogue Wireless – from the wireless side
- Use a wireless client to detect the AP
- You have to be within range of the AP
- Can be difficult to detect if the AP is not broadcasting its SSID
- Hard to manage remote sites

Tools
- Airdefense – www.airdefense.net
- Airmagnet – www.airmagnet.com
- Netstumbler – www.netstumbler.com
- Kismet – www.kismetwirless.net
Detecting Rogue Wireless – from the wired side
- Much more difficult: you have to rely on the footprint the AP leaves instead of outright detection. Look for things like:
- Multiple MAC addresses on one port
- Larger than normal bandwidth usage on a port
- Packet analysis shows anomalies
- Unusual DHCP entries

Issues / problems
- Hard to discern what is directed at you
- True detection occurs only after the packets have passed through your AP
- The infrastructure is loosely put together to support connectivity, not intrusion detection
- Little to no support for this type of detection
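The first wired-side indicator, several MAC addresses learned on one access port, is the same condition the slides' port-security command (`switchport port-security maximum 1`) enforces on the switch. Where port security is not deployed, the same check can be run offline against the switch's MAC table. The following Python is an added example, not material from the slides: it parses a constructed Cisco IOS-style `show mac address-table` listing, ignores known uplinks, and reports access ports carrying more than one MAC, together with how many distinct vendor prefixes (OUIs) sit behind each. The addresses, VLANs, port names and uplink list are all made up for the example.

```python
"""
Added example (not from the slides): wired-side rogue-AP indicator run over a
constructed switch MAC address table.  The text mimics the layout of Cisco IOS
'show mac address-table' output; addresses, VLANs and port names are made up.
"""
import re
from collections import defaultdict

# Constructed sample output.  Gi1/0/7 has several stations behind one access
# port, which usually means a hub, a VM host, or an unmanaged access point.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    0011.2233.4477    DYNAMIC     Gi1/0/7
  10    00aa.bbcc.0001    DYNAMIC     Gi1/0/7
  10    00aa.bbcc.0002    DYNAMIC     Gi1/0/7
  10    00aa.bbcc.0003    DYNAMIC     Gi1/0/7
  10    0011.2233.4488    DYNAMIC     Gi1/0/24
   1    0000.0c9f.f001    STATIC      CPU
"""

MAC_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I
)

# Uplinks and trunks legitimately carry many MACs; exclude them from the check.
# This set is constructed for the example.
KNOWN_UPLINKS = {"Gi1/0/24"}


def parse_mac_table(text: str) -> dict:
    """Return {port: [mac, ...]} for dynamically learned entries only."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if not m:
            continue  # header, separator, or a line in another format
        _vlan, mac, kind, port = m.groups()
        if kind.upper() != "DYNAMIC":
            continue  # static/CPU entries are not stations
        ports[port].append(mac.lower())
    return dict(ports)


def oui(mac: str) -> str:
    """First 24 bits of the MAC, the vendor prefix."""
    return mac.replace(".", "")[:6]


def find_suspect_ports(text: str, max_macs: int = 1, known_uplinks=KNOWN_UPLINKS) -> list:
    """
    Flag access ports that learned more MACs than an access port should.
    The number of distinct OUIs is reported too: several different vendors behind
    one port is a stronger hint of a bridging device such as a consumer AP than
    several MACs from a single vendor (e.g. a VM host with one virtual NIC vendor).
    """
    findings = []
    for port, macs in parse_mac_table(text).items():
        if port in known_uplinks or len(macs) <= max_macs:
            continue
        findings.append({
            "port": port,
            "mac_count": len(macs),
            "distinct_ouis": len({oui(m) for m in macs}),
            "macs": sorted(macs),
        })
    return sorted(findings, key=lambda f: f["port"])


if __name__ == "__main__":
    for f in find_suspect_ports(MAC_TABLE):
        print(f"{f['port']}: {f['mac_count']} MACs, {f['distinct_ouis']} vendor prefixes -> {f['macs']}")
```

The check is deliberately conservative: one MAC per access port is the baseline the slides set, and anything above it is a lead to follow up (walk to the port, compare with DHCP leases and bandwidth counters), not proof of a rogue AP on its own.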
Tools
- Arpwatch – http://www‐nrg.ee.lbl.gov
- Tools that do OS fingerprinting:
  - Nmap – www.insecure.org
  - Xprobe – http://sys‐security.com/blog/xprobe2/
  - Nessus – www.nessus.org
References / Links
- http://www.intel.com/standards/case/case_802_11.htm
- Unwanted Wireless Signals Bounce Off This Paint – http://www.informationweek.com/news/mobility/showArticle.jhtml?articleID=198001494
- WLAN Keygenerator – http://darkvoice.dyndns.org/wlankeygen/
- Wireless Security: Why WPA2 is better than WPA – http://www.thegeekpub.com/Home/ArticleView/tabid/59/selectmoduleid/399/ArticleID/64/reftab/65/Default.aspx
- WPA PSK Crackers: Loose Lips Sink Ships – http://www.wi‐fiplanet.com/tutorials/article.php/3667586
- SANS Reading Room – http://www.sans.org
- Airdefense – www.airdefense.net
- Airmagnet – www.airmagnet.com
- Netstumbler – www.netstumbler.com
- Kismet – www.kismetwirless.net
- Arpwatch – http://www‐nrg.ee.lbl.gov
- Tools that do OS fingerprinting:
  - Nmap – www.insecure.org
  - Xprobe – http://sys‐security.com/blog/xprobe2/
  - Nessus – www.nessus.org
- Air Crack – http://www.aircrack‐ng.org/
- Air Replay – http://www.wirelessdefence.org/Contents/Aircrack_aireplay.htm
- Airsnort – http://airsnort.shmoo.com/
- FakeAP – http://www.blackalchemy.to/project/fakeap/
- Hotspotter – http://www.remote‐exploit.org/codes_hotspotter.html
- Karma – http://theta44.org/karma/index.html
- MacChanger – http://alobbs.com/macchanger/