Documente Academic
Documente Profesional
Documente Cultură
Countermeasures
Version 6
Module XX
Hacking Wireless
Networks
Module Objective
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Introduction to Wireless Networking
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Advantages and Disadvantages of
a Wireless Network
• Mobility (easy)
• Cost-effective in the initial phase
Advantages: • Easy connection
• Diff
Different
t ways tto ttransmit
it data
d t
• Easy sharing
• Mobility (insecure)
• Hi h cost post-implementation
High i l i
Disadvantages: • No physical protection of networks
• Hacking has become more convenient
• Risk of data sharing is high
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Wireless Standards
8
802.11i:
i IImproves WLAN security
it
• Omni-directional antennas
• Directional antennas
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Wireless Access Points
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Setting up a WLAN
The channel
Th h l iis a number
b b between
t 1 and
d 11 (b
(between
t 1 and
d 13 iin
Europe) and it designates the frequency on which the network will
operate
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Authentication and Association
Wired LANs typically employ physical controls to prevent unauthorized users from
connecting to the network and viewing data
IEEE chose to employ encryption at the data link layer to prevent unauthorized
eavesdropping on a network
• This is accomplished by encrypting data with the RC4 encryption algorithm
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Wired Equivalent Privacy (cont’d)
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
WEP Flaws
• Pre-shared keys were set once at installation and are rarely (if ever)
changed
• As the pre-shared key is rarely changed, the same key is used over
and over
• An attacker monitors traffic and finds enough examples to work out
the plaintext from message context and with knowledge of the
ciphertext and plaintext, he/she can compute the key
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
What is WPA
WPA is not an official IEEE standard, but will be compatible with the
upcoming
i 802.11i
8 i security
i standard
d d
It resolves the issue of weak WEP headers, which are called initialization
vectors (IVs)
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
WPA (cont’d)
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
WEP, WPA, and WPA2
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
WPA2 Wi-Fi Protected Access 2
• Enterprise:
p Verifies network users through
g a server
• Personal: Protects unauthorized network access by utilizing a set-up password
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Terminologies
Global
Gl b l Positioning
P iti i System
S t (GPS) – It can b
be used
d tto h
help
l map
the open networks that are found
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Cracking WEP
P i attacks:
Passive tt k
Active attacks:
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Weak Keys (a.k.a. Weak IVs)
Some IVs can reveal information about the secret key depending upon
how RC4 is used in WEP:
• Mathematical details out of the scope of this material
Attack
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Problems with WEP’s Key Stream
and Reuse
Initialization
t a at o vectors
ecto s a
aree co
commonly
o y reused
eused
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Automated WEP Crackers
AiroPeek • Easy
Easy-to-use,
to use, flexible, and sophisticated analyzer
(C
(Commercial)
i l)
WEPCrack, • Implementations
p of the FMA attack
AirSnort
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Pad-Collection Attacks
Default SSIDs
Beacon Broadcast
• Base stations
i regularly
l l b broadcast
d iits existence
i ffor end
d
users to listen and negotiate a session
• Signals can be captured by anyone
• Wireless network SSID are known while connecting to the
station
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Rogue Access Points
The two basic methods for locating rogue access points are:
• Beaconing/requesting a beacon
• Network sniffing: Looking for packets in the air
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Hotspotter
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Cloaked Access Point
Cloaked access p
points are not detected byy
active scanners like NetStumbler
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
MAC Sniffing and AP Spoofing
Attackers can easilyy sniff MAC addresses because theyy must appear
pp in the
clear even when WEP is enabled
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Defeating MAC Address Filtering
in Windows
Ch
Changing
i MAC address
dd is
i an easy job
j b in
i Windows
Wi d
Eavesdropping Manipulating
Two types of MITM:
• Eavesdropping:
• Happens when an attacker
receives a data
communication stream
• Not usingg securityy
mechanisms such as Ipsec,
SSH, or SSL makes data
vulnerable to an unauthorized
use
user
• Manipulation:
• An extended step of
eavesdropping
• Can
C b be d
done bby ARP
poisoning
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Detecting a Wireless Network
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Steps for Hacking Wireless Networks
St 4: Crack
Step C k ththe WEP key
k
Step 5: Sniff
iff the
h network
k
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
WIDZ: Wireless Intrusion
Detection System
WIDZ is a proof of concept IDS system for 802.11 that guards APs and
monitors locally for potentially malevolent activity
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Securing Wireless Networks
SSID (NetworkID)
• The first attempt to secure a wireless network was the use of
Network ID (SSID)
• When a wireless client wants to associate with an access
point the SSID is transmitted during the process
point,
• The SSID is a seven-digit alphanumeric ID that is hard
coded into the access point and the client device
Firewalls
ewa s
• Using a firewall to secure a wireless network is probably the
only way to prevent unauthorized access
Wireless
Wi l networksk that
h use iinfrared
f dbbeams to transport d
data ffrom one point
i
to another are secure
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Wireless Network Security
Checklist
9 Ensure that all unused ports are closed
9 Any
A open ports
t mustt b
be jjustified
tifi d
9 “Pessimistic” network view
9 Enforce the rule of least access
9 Ensure SSIDs are changed regularly
9 Ensure insurance and authentication standards are
created and enforced
9 Use strong encryption
9 SHA-1 (Secure Hashing Algorithm)
9 Initiate encryption at user and end at server that is
behind the firewall, outside the DMZ
9 Treat WLANs as untrusted networks that must operate
inside the DMZ
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Summary
A wireless network enables a mobile user to connect to a LAN through a wireless (radio)
connection
Wired Equivalent Privacy (WEP) is designed to provide a WLAN with a level of security
and privacy comparable to what is usually expected of a wired LAN
It is vulnerable because of relatively short IVs and keys that remain static
Even if WEP is enabled, an attacker can easily sniff MAC addresses as they appear in
the clear format. Spoofing MAC addresses is also easy
Wireless network security can adopt a suitable strategy of MAC address filtering,
filtering
firewalling, or a combination of protocol-based measures
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited