"Wireless Security - PowerPoint"
by: Frank Pfleger

Introduction to Wireless Networks
Secure the Network
  ◦ Wireless Security Mechanisms
Unsecure the Network
  ◦ Security Mechanism Weaknesses
  ◦ Tools and Techniques
Wardriving / Procedures

Private Wi-Fi
  ◦ Easy installation security problems
  ◦ Location freedom
Office Wi-Fi
  ◦ Location freedom
  ◦ Laptop popularity
Public Hotspot
  ◦ Non-private (mostly with fee)
  ◦ Public places

Introduction Secure Unsecure Wardriving Conclusion

Non Encryption
  ◦ Static IP addresses
      Deactivate DHCP
      Assign IP address on every host
  ◦ MAC address filter
      Restrict access to unique hardware address
      Add MAC address for every host
  ◦ Hide SSID
      Deactivate the SSID broadcasting

Encryption
  ◦ WEP – Wired Equivalent Privacy
      Based on RC4 (pseudo-random generator)
      XOR between data and random (bitstream)
      RC4 uses WEP key + Initialization vector
      INSECURE
  ◦ WPA – Wi-Fi Protected Access
      Based on the WEP architecture (RC4)
      TKIP – Temporal Key Integrity Protocol
      RC4 uses WPA key (PSK or EAP) + Initialization vector
        + Per packet key mixing
        + Re Keying
        + Message Integrity Check
      SECURE

Encryption
  ◦ WPA2 – Wi-Fi Protected Access 2
      Implements IEEE 802.11 a, b, g and basic/mandatory functions of IEEE 802.11i
      New architecture based on AES
      AES – Advanced Encryption Standard
        Symmetric crypto system
      Complies with the requirements of FIPS 140-2
      Choose strong password / passphrase (63 characters)
      SECURE

RADIUS
  ◦ Remote Authentication Dial-In Server
  ◦ Client – Server system
  ◦ AAA protocol
      Authentication (who)
      Authorization (what)
      Accounting (track consumption)
VPN – Virtual Private Network
  ◦ Tunnel
  ◦ Authentication
  ◦ Secure Encryption (Public Key / RSA)

Weaknesses
  ◦ Several techniques to compromise
Sniffing an IP address
  ◦ Deactivated DHCP
  ◦ IP address transmitted in every packet
Spoofing a MAC address
  ◦ MAC address filter
  ◦ MAC address transmitted in every frame

Hacking WEP
  ◦ Introduced in 1999
  ◦ Serious weaknesses identified in 2001
  ◦ IV – Initialization Vector
      Used for decryption
  ◦ ICV – Integrity Check Value
      CRC32 checksum
      CRC32 is strictly linear
  ◦ Calculation of the Key
      Attack based on security flaw in CRC32
      500 000 – 1 000 000 IVs for 128 bit encryption
      Techniques: Packet Reinjection / Deauthenticate Client
      TU Darmstadt (PTW)
        50 000 IVs for 128 bit (50%)

WPA / WPA2
  ◦ Currently no weakness or security flaw
  ◦ Weak Passwords
      Choose a strong password
      At least 12 characters
      Mixed letters, numbers and symbols
  ◦ Dictionary Attack
  ◦ Brute-Force Attack

Tools and Techniques
  ◦ MAC address spoofing
      Linux
        macchanger -s wlan0
      Windows
        Supported by some Wi-Fi cards
        SMAC or other tools
  ◦ ARP spoofing
      Spoof the wrong MAC – IP combination
      Windows
        WinArpSpoofer
      Linux
        arpspoof -t 10.0.0.1 (all packets to your host)

Tools and Techniques
  ◦ Man-in-the-Middle (MITM)
      Use ARP spoofing to get packets
      Analyze packets
      Forward packets to victim
      Linux: fragroute/fragrouter
      sslsniff (https MITM)
  ◦ DNS Spoofing
      Spoof the wrong Hostname – IP combination
      Linux: dnsspoof

Tools and Techniques
  ◦ Sniffing data
      Used for MITM or passive listening
      Capture and analyze data
      Linux / Windows: Wireshark (Ethereal)
  ◦ Aircrack Toolkit
      Cracking a WEP encryption
      Airodump
        Logging / Scanning IVs
      Aireplay
        Re-inject packets

Act of searching for Wireless Networks
In general with a car
  ◦ Warbiking
  ◦ Warwalking
Warchalking
  ◦ Mark a place, mostly with chalk
Mapping
  ◦ Create exact maps
  ◦ Use GPS to get the coordinates
  ◦ Provide information online
Difference to Piggybacking
  ◦ Use of the wireless network

Equipment
  ◦ Good equipment for effective Wardriving
  ◦ Notebook with Tools
  ◦ Wireless Network Card
      Regular Card
      Special Card with an external antenna interface
  ◦ Antenna
      Directional
      Omnidirectional
      Parabolic (not for Wardriving)
  ◦ GPS receiver
      Logging / Mapping

Tools
  ◦ Operating System
      Windows (just for Mapping and Logging)
      Linux (Special Distributions)
        All tools and drivers preinstalled
        Run from CD
        E.g. Backtrack (Auditor)
  ◦ Scanning and Mapping
      Windows
        Netstumbler
      Linux
        Kismet

Wardriving
  ◦ Scan for wireless networks (Netstumbler / Kismet)
  ◦ Save the GPS position
Piggybacking
  ◦ Connect to the wireless network
  ◦ Use the network

Using Backtrack (Auditor)
Hidden SSID
  ◦ aircrack to deauthenticate (force reconnect)
  ◦ Scan with airodump for the SSID
Scan and log IVs
  ◦ airodump to log
  ◦ Filters, stores and analyzes packets for IVs
Reinject packets
  ◦ aireplay reinjects found IVs
  ◦ Increases the retransmitted IVs
Crack the Key
  ◦ aircrack to calculate the WEP key
  ◦ Enough IVs needed

MAC filter
  ◦ Scan packets with Wireshark (Ethereal)
  ◦ Spoof a MAC address with macchanger
DHCP deactivated
  ◦ Scan packets with Wireshark (Ethereal)
  ◦ Set your IP address
Man-in-the-Middle
  ◦ Spoof your MAC with the gateway's IP
  ◦ Spoof your MAC with the victim's IP
  ◦ Reroute packets
  ◦ Using arpspoof and fragroute

Spoof DNS Entry
  ◦ Spoof your IP address for different hostnames
  ◦ E.g. hostname of the victim's bank
Intercept SSL connections
  ◦ SSL MITM attack
  ◦ Fake SSL certificate
  ◦ Sniff data transmitted via SSL
  ◦ Using sslsniff
Sniff Data
  ◦ Log and analyze all transmitted data
  ◦ Using Wireshark (Ethereal)
Get access to Computers
  ◦ Using various Windows / Linux tools

Secure your wireless network properly!
Don't rely on
  ◦ Hidden SSID
  ◦ MAC filter
  ◦ Deactivated DHCP
  ◦ WEP
Use a proper encryption
  ◦ WPA / WPA2 (choose a strong password)
  ◦ VPN (secure with multi user)

Thanks for your attention.
Any questions?
Frank Pfleger
email@example.com
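
Added example (not part of the original slides): why the WEP slides call the ICV weak. Because CRC32 is linear and RC4 only XORs a keystream onto the data, a frame can be altered and its ICV adjusted without knowing the key, while a keyed integrity check of the kind WPA adds rejects the change. The key, IV and payload are constructed values, and HMAC-SHA256 stands in for a keyed MIC (it is not TKIP's actual algorithm).

```python
import hashlib, hmac, struct, zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: XOR data with the keystream (the same call encrypts and decrypts)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_seal(iv: bytes, key: bytes, msg: bytes) -> bytes:
    """WEP-style body: RC4(IV || key) over msg || CRC32(msg)."""
    return rc4(iv + key, msg + struct.pack("<I", zlib.crc32(msg)))

def wep_open(iv: bytes, key: bytes, body: bytes):
    """Return the plaintext if the ICV verifies, else None."""
    plain = rc4(iv + key, body)
    msg, icv = plain[:-4], plain[-4:]
    return msg if struct.pack("<I", zlib.crc32(msg)) == icv else None

def icv_patch(delta: bytes) -> bytes:
    """ICV change caused by XOR-ing delta into the message; uses no key."""
    zero = bytes(len(delta))
    return struct.pack("<I", zlib.crc32(delta) ^ zlib.crc32(zero))

def demo():
    iv, key = b"\x01\x02\x03", bytes(range(13))   # constructed IV and 104-bit key
    msg = b"amount=0100"                          # constructed payload
    delta = xor(msg, b"amount=9100")
    body = wep_seal(iv, key, msg)
    modified = xor(body, delta + icv_patch(delta))  # changed without the key
    mic_key = b"constructed-mic-key"
    tag = hmac.new(mic_key, msg, hashlib.sha256).digest()
    altered = wep_open(iv, key, modified)           # ICV still verifies
    mic_ok = hmac.compare_digest(tag, hmac.new(mic_key, altered, hashlib.sha256).digest())
    return altered, mic_ok
```

`demo()` returns the altered plaintext that the CRC32 check accepts, together with `False` for the keyed check over the same data.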
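
Added example (not part of the original slides): a detection sketch for the ARP spoofing and Man-in-the-Middle slides, which describe one host answering for both the gateway's and the victim's IP. It flags IP-to-MAC rebinding and MACs that answer for several IPs. The log lines are constructed, and their "Reply <ip> is-at <mac>" layout and the gateway address are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample of observed ARP replies (not real capture data).
SAMPLE = """\
12:00:01 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55
12:00:02 ARP, Reply 10.0.0.23 is-at 00:aa:bb:cc:dd:01
12:00:05 ARP, Reply 10.0.0.42 is-at 00:aa:bb:cc:dd:02
12:03:10 ARP, Reply 10.0.0.1 is-at 00:aa:bb:cc:dd:02
12:03:10 ARP, Reply 10.0.0.23 is-at 00:aa:bb:cc:dd:02
12:03:12 ARP, Reply 10.0.0.1 is-at 00:aa:bb:cc:dd:02
"""

REPLY = re.compile(
    r"^(\S+) .*Reply (\d+(?:\.\d+){3}) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.I,
)

def parse(text):
    """Yield (time, ip, mac) for every ARP reply line; skip anything else."""
    for line in text.splitlines():
        m = REPLY.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()

def detect(text, gateway_ip):
    """Return alerts for changed IP->MAC bindings and MACs claiming several IPs."""
    first_seen = {}                    # ip -> MAC of its first reply (baseline)
    ips_by_mac = defaultdict(set)      # mac -> every IP it has answered for
    alerts = []
    for _ts, ip, mac in parse(text):
        ips_by_mac[mac].add(ip)
        known = first_seen.setdefault(ip, mac)
        if mac != known:
            kind = "gateway-rebind" if ip == gateway_ip else "rebind"
            alert = (kind, ip, known, mac)
            if alert not in alerts:    # report each changed binding once
                alerts.append(alert)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append(("multi-ip", mac, tuple(sorted(ips))))
    return alerts
```

The baseline is trust-on-first-use, so a legitimate DHCP lease change or a replaced network card also shows up as a rebind and needs checking against the address plan.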