Wireless Security Tools - PowerPoint PPT Presentation

Slides: 35
Provided by: UNT1
Learn more at: https://www.cse.unt.edu
Transcript and Presenter's Notes


1
Wireless Security Tools
  • Pradeep Kollipara, Sandeep Pinnamaneni

2
What is a WLAN?
  • A wireless local area network (WLAN) is a
    flexible data communications system that can use
    either infrared or radio frequency technology to
    transmit and receive information over the air.
  • In 1997, 802.11 was implemented as the first WLAN
    standard. It is based on radio technology
    operating in the 2.4 GHz frequency band and has a
    maximum throughput of 1 to 2 Mbps.
  • The most widely deployed standard at present,
    IEEE 802.11b, was introduced in late 1999. It still
    operates in the same frequency range, but with a
    maximum speed of 11 Mbps.

3
WLAN Components
  • Basic components of a WLAN are access points
    (APs) and Network Interface Cards (NICs)/client
    adapters.
  • An Access Point (AP) is essentially the wireless
    equivalent of a LAN hub. It is typically
    connected with the wired backbone through a
    standard Ethernet cable, and communicates with
    wireless devices by means of an antenna. It also
    informs the wireless clients of its availability,
    and authenticates and associates wireless clients
    to the wireless network.
  • Wireless client adapters connect a PC or
    workstation to a wireless network either in ad
    hoc peer-to-peer mode or in infrastructure mode
    with APs.

4
Wireless Security
  • The security issues of Wireless Networks are
    twofold:
  • Firstly, the data transmitted over the airwaves
    is not secure. There is no, or very little,
    security and it should be considered in the same
    way as sending a postcard, rather than sending a
    sealed letter.
  • Secondly, a hacker could access the corporate
    network and launch attacks on corporate systems,
    use the corporate bandwidth to "Surf the
    Internet", or worse still, launch attacks against
    other networks.
  • The WLAN provides a very quick and easy
    "back door" to the network. As the growth of WLAN
    implementations rises, so will the security
    problems that inevitably come with it.

5
Wireless Security Threats
  • The more immediate security concerns for
    wireless communications are device theft, denial
    of service, malicious hackers, malicious code,
    and theft of service.
  • Theft is likely to occur with wireless devices
    because of their portability. Authorized and
    unauthorized users of the system may commit fraud
    and theft; however, authorized users are more
    likely to carry out such acts. Since users of a
    system may know what resources a system has and
    the system's security flaws, it is easier for
    them to commit fraud and theft.
  • Malicious hackers, sometimes called crackers, are
    individuals who break into a system without
    authorization, usually for personal gain or to do
    harm. Malicious hackers are generally individuals
    from outside of an agency or organization.

6
Wireless Security Threats (Contd..)
  • Malicious code involves viruses, worms, Trojan
    horses, logic bombs, or other unwanted software
    that is designed to damage files or bring down a
    system.
  • Theft of service occurs when an unauthorized user
    gains access to the network and consumes network
    resources.
  • Security requirements include the following:
  • Authenticity: A means to verify that the content
    of a message has not been changed in transit must
    be provided.
  • Non-repudiation: The origin or the receipt of a
    specific message must be verifiable.
  • Accountability: The actions of an entity must be
    traceable uniquely to that entity.

7
Risk Mitigation
  • Risks in wireless networks are equal to the
    sum of the risk of operating a wired network (as
    in operating a network in general) plus the new
    risks introduced by weaknesses in wireless
    protocols. To mitigate these risks, agencies need
    to adopt security measures and practices that
    help bring their risks to a manageable level.
  • Some of the salient threats and vulnerabilities
    of wireless systems:
  • All the vulnerabilities that exist in a
    conventional wired network apply to wireless
    technologies.
  • Malicious entities may gain unauthorized access
    to an agency's computer or voice (IP telephony)
    network through wireless connections, potentially
    bypassing any firewall protections.
  • Sensitive information that is not encrypted (or
    that is encrypted with poor cryptographic
    techniques) and that is transmitted between two
    wireless devices may be intercepted and
    disclosed.

8
Vulnerabilities (contd..)
  • Malicious entities may steal the identity of
    legitimate users and masquerade as them on
    internal or external corporate networks.
  • Sensitive data may be corrupted during improper
    synchronization.
  • Malicious entities may be able to violate the
    privacy of legitimate users and be able to track
    their physical movements.
  • Malicious entities may deploy unauthorized
    equipment (e.g., client devices and access
    points) to gain access to sensitive information.
  • Interlopers, from inside or out, may be able to
    gain connectivity to network management controls
    and thereby disable or disrupt operations.
  • Malicious entities may use third-party,
    untrusted wireless network services to gain
    access to an agency's network resources.

9
Taxonomy of Security Attacks

10
Passive Attacks
  • Passive attack is an attack in which an
    unauthorized party gains access to an asset and
    does not modify its content. This can be either
    eavesdropping or traffic analysis.
  • Eavesdropping: The attacker monitors transmissions
    for message content. An example of this attack is
    a person listening into the transmissions on a
    LAN between two workstations or tuning into
    transmissions between a wireless handset and a
    base station.
  • Traffic analysis: The attacker, in a more subtle
    way, gains intelligence by monitoring the
    transmissions for patterns of communication. A
    considerable amount of information is contained
    in the flow of messages between communicating
    parties.

11
Active Attacks
  • Active Attack is an attack whereby an
    unauthorized party makes modifications to a
    message, data stream, or file. It is possible to
    detect this type of attack but it may not be
    preventable.
  • Masquerading: The attacker impersonates an
    authorized user and thereby gains certain
    unauthorized privileges.
  • Replay: The attacker monitors transmissions
    (passive attack) and retransmits messages as the
    legitimate user.
  • Message modification: The attacker alters a
    legitimate message by deleting, adding to,
    changing, or reordering it.
  • Denial-of-service: The attacker prevents or
    prohibits the normal use or management of
    communications facilities.

12
Wireless Detection Tools
  • There are many wireless detection tools
    available. Some of them are NetStumbler,
    MiniStumbler, etc.
  • NetStumbler is a tool for Windows that allows you
    to detect Wireless Local Area Networks (WLANs)
    using 802.11b, 802.11a and 802.11g.
  • NetStumbler verifies that your network is set up
    the way you intended. It finds locations with
    poor coverage in your WLAN. It detects other
    networks that may be causing interference on your
    network. It also detects unauthorized "rogue"
    access points in your workplace.
  • MiniStumbler is a smaller version of NetStumbler
    designed to work on PocketPC 3.0 and PocketPC
    2002 platforms. It has the same uses as
    NetStumbler.
  • MiniStumbler is a tool for Windows CE that allows
    you to detect Wireless Local Area Networks
    (WLANs) using 802.11b, 802.11a and 802.11g.

13
Categories of Tools
  • The wireless security tools can be categorized as
    follows:
  • Scanning Tools: These tools are used to find
    wireless networks and their settings.
  • Sniffing Tools: These tools are used to find
    lots of information about a network and its
    settings.
  • Cracking Tools: These tools were made to exploit
    vulnerabilities in WEP.
  • We will also see DoS (Denial of Service) tools.

14
Scanning Tools
  • Scanning Tools are used to find wireless networks
    and their settings.
  • What they can find:
  • The presence of a wireless network.
  • The SSID of a wireless network.
  • The channel the access point is set to.
  • The MAC address of the access point.
  • If WEP is enabled or not.
  • Signal Strength, Noise Level and Signal to Noise
    ratio.
  • Some examples of scanning tools are NetStumbler,
    AirFart, Aerosol, WaveStumbler, etc.
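
How a passive scanner obtains the fields listed on this slide, shown as an added example that is not part of the original presentation: it decodes a raw 802.11 beacon frame into BSSID, SSID, channel and the privacy (WEP) flag, then compares the result with an inventory of authorized access points. The function names, MAC addresses, SSID and inventory are assumptions constructed for the demonstration.

```python
import struct

def parse_beacon(frame: bytes) -> dict:
    """Decode one 802.11 beacon (MAC header + body, no radiotap header or FCS)."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if (ftype, subtype) != (0, 8):          # management frame, subtype beacon
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # address 3 = AP MAC
    _tsf, _interval, cap = struct.unpack_from("<QHH", frame, 24)
    ap = {"bssid": bssid, "ssid": None, "channel": None,
          "privacy": bool(cap & 0x0010),    # set when WEP (or later WPA) is required
          "adhoc": bool(cap & 0x0002)}      # IBSS bit: computer-to-computer network
    off = 36
    while off + 2 <= len(frame):            # walk the tagged information elements
        tag, length = frame[off], frame[off + 1]
        data = frame[off + 2:off + 2 + length]
        if len(data) < length:
            break                           # truncated element: keep what was parsed
        if tag == 0 and length and any(data):   # empty or zeroed SSID = hidden network
            ap["ssid"] = data.decode("utf-8", "replace")
        elif tag == 3 and length == 1:      # DS Parameter Set carries the channel
            ap["channel"] = data[0]
        off += 2 + length
    return ap

def audit(frames, authorized_bssids):
    """Return (bssid, finding) pairs for access points that need follow-up."""
    findings = []
    for frame in frames:
        ap = parse_beacon(frame)
        if ap["bssid"] not in authorized_bssids:
            findings.append((ap["bssid"], "rogue: BSSID not in inventory"))
        elif not ap["privacy"]:
            findings.append((ap["bssid"], "authorized AP advertises no encryption"))
    return findings

def build_beacon(bssid, ssid, channel, cap):
    """Construct a sample beacon for the demo (not captured traffic)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    body = struct.pack("<QHH", 0, 100, cap)
    return header + body + bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])

# Constructed sample data: AP inventory and three beacons
AUTHORIZED = {"00:11:22:33:44:55", "00:11:22:33:44:77"}
SAMPLES = [
    build_beacon("00:11:22:33:44:55", b"corp-wlan", 6, 0x0011),   # ESS + privacy
    build_beacon("00:11:22:33:44:66", b"corp-wlan", 11, 0x0001),  # unknown BSSID, open
    build_beacon("00:11:22:33:44:77", b"", 1, 0x0011),            # hidden SSID
]

if __name__ == "__main__":
    for frame in SAMPLES:
        print(parse_beacon(frame))
    print(audit(SAMPLES, AUTHORIZED))
```

The privacy bit alone cannot distinguish WEP from later schemes; a scanner that needs that distinction also has to inspect the security information elements in the same beacon.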

15
Sniffing Tools
  • Wireless Sniffing Tools are used to find a lot
    of information about a network and its settings.
  • What these tools are used for:
  • Generally used to troubleshoot wireless networks.
  • These are used to gather information like SSID,
    IP address, MAC address, channel of AP, etc.
  • These tools can be used to generate DoS attacks
    and Replay attacks.
  • Some examples of these tools are Kismet, Mognet,
    etc.

16
Hybrid Tools
  • For serious troubleshooting and packet
    examination we use a sniffer. If you are only
    interested in simple identification information
    then we use a scanner.
  • Hybrid Tools: These tools can both scan and
    capture packets, so they act as both scanner
    and sniffer.
  • Some examples of these tools are Mognet,
    AirMagnet, Kismet, etc.

17
Cracking Tools
  • These tools were made to exploit vulnerabilities
    in WEP.
  • The hardest part about running these tools is
    changing the wireless NIC's device drivers to
    support data capture.
  • There is no good WEP breaking tool available for
    Windows yet.
  • Some examples of cracking tools are AirSnort,
    WEPCrack, bsd-airtools, Wellenreiter, etc.
  • There are also tools for cracking Cisco's LEAP
    protocol like ANWRAP, ASLEAP, etc.

18
NetStumbler
  • NetStumbler is a tool for Windows that
    allows you to detect Wireless Local Area Networks
    (WLANs) using 802.11b, 802.11a and 802.11g.
  • It has many uses:
  • Verify that your network is set up the way you
    intended.
  • Find locations with poor coverage in your WLAN.
  • Detect other networks that may be causing
    interference on your network.
  • Detect unauthorized "rogue" access points in
    your workplace.

19
MiniStumbler
  • A smaller version of NetStumbler designed to work
    on PocketPC 3.0 and PocketPC 2002 platforms.
  • MiniStumbler is a tool for Windows CE that allows
    you to detect Wireless Local Area Networks (WLANs)
    using 802.11b, 802.11a and 802.11g.
  • It has the same uses as NetStumbler.

20
MacStumbler
  • This is the Macintosh version of NetStumbler.
  • MacStumbler is a utility to display information
    about nearby 802.11b and 802.11g wireless access
    points. It is mainly designed to be a tool to
    help find access points while traveling, or to
    diagnose wireless network problems.
  • Additionally, MacStumbler can be used for
    "wardriving", which involves coordinating with a
    GPS unit while traveling around to help produce a
    map of all access points in a given area.

21
Airfart
  • AirFart is a wireless tool created to detect
    wireless devices, calculate their signal
    strengths, and present them to the user in an
    easy-to-understand fashion.
  • It is written in C/C++ with a GTK front end.
  • Airfart implements a modular n-tier architecture
    with the data collection at the bottom tier and a
    graphical user interface at the top.

22
ClassicStumbler
  • ClassicStumbler scans for and displays
    information about all the wireless access points
    in range.
  • It will display your signal strength, noise
    strength, signal to noise ratio, what channel
    your access point is on, if other access points
    are interfering with yours, and whether or not
    those access points are providing encrypted,
    unencrypted, computer-to-computer, or
    infrastructure type networks.

23
Kismet
  • Kismet is an 802.11 layer 2 wireless network
    detector, sniffer, and intrusion detection
    system. Kismet will work with any wireless card
    which supports raw monitoring mode, and can sniff
    802.11b, 802.11a, and 802.11g traffic.
  • Kismet identifies networks by passively
    collecting packets and detecting standard named
    networks, detecting (and given time, decloaking)
    hidden networks, and inferring the presence of
    non-beaconing networks via data traffic.
  • Kismet automatically tracks all networks in range
    and is able to detect (or infer) hidden networks,
    attack attempts, find rogue access points, and
    find unauthorized users.

24
AirTraf
  • AirTraf is a wireless sniffer that can detect and
    determine exactly what is being transmitted over
    802.11 wireless networks.
  • What it does:
  • Tracks and identifies legitimate and rogue access
    points.
  • Keeps performance statistics on a by-user and
    by-protocol basis.
  • Measures the signal strength of network
    components.

25
AirMagnet
  • This is a handheld analyzer.
  • AirMagnet keeps wireless networks of all sizes
    safe, secure, and performing smoothly.
  • AirMagnet Enterprise provides network
    administrators with an enterprise-hardened
    intrusion prevention system to protect and
    administer all of their 802.11 WLANs worldwide.
  • The system provides 24x7 coverage of all bands
    (802.11a, 802.11b or 802.11g) and channels in use
    worldwide, to detect and automatically stop
    threats to the network.

26
Mognet
  • Mognet is a simple, lightweight 802.11b sniffer
    written in Java. Mognet will work with any
    wireless card which supports raw monitoring mode.
  • Mognet features:
  • Real-time capture output.
  • Support for all 802.11b generic and
    frame-specific headers.
  • Loading/saving capture sessions in libpcap
    format.

27
AirSnort
  • Wireless networks transmit information over
    public airwaves, the same medium used by
    television, radio and cell phones. The networks
    are supposed to be protected by a built-in
    security feature, the Wired Equivalent Privacy
    system (WEP) -- also known as the 802.11b
    standard -- which encrypts data as it is
    transmitted.
  • AirSnort is a wireless LAN (WLAN) tool which
    cracks WEP encryption keys. AirSnort passively
    monitors wireless transmissions and automatically
    computes the encryption key when enough packets
    have been gathered.
  • AirSnort requires approximately 5-10 million
    encrypted packets to be gathered. Once enough
    packets have been gathered, AirSnort can guess
    the encryption password in under a second.

28
BSD-AirTools
  • BSD-AirTools is a package that provides a
    complete toolset for wireless 802.11b auditing.
  • It currently contains a BSD-based WEP cracking
    application, called dweputils.
  • It also contains a curses-based AP detection
    application similar to NetStumbler (dstumbler)
    that can be used to detect wireless access points
    and connected nodes, view signal to noise graphs,
    and interactively scroll through scanned APs and
    view statistics for each.

29
AirDefense
  • It is a commercial wireless LAN intrusion
    protection and management system that discovers
    network vulnerabilities, detects and protects a
    WLAN from intruders and attacks, and assists in
    the management of a WLAN.
  • AirDefense also has the capability to discover
    vulnerabilities and threats in a WLAN such as
    rogue APs and ad hoc networks.
  • Apart from securing a WLAN from all the threats,
    AirDefense also provides a robust WLAN management
    functionality that allows users to understand
    their network, monitor network performance and
    enforce network policies.

30
Top 10 Security Recommendations
  • Change wireless LAN authentication
  • Choose scalable solutions
  • Add additional security services
  • Scheduled access point discovery
  • Scheduled security audits
  • Distributed personal firewalls or IDS agents
  • Monitor the network
  • Connect access points to switches
  • Implement a Wireless DMZ
  • Use VLANs to Segment Wireless Traffic
  • Configure mutual authentication for clients and
    Access Points against a RADIUS server

31
Questions
  • What are the various wireless security attacks?
  • What are scanning tools? Explain any two
    wireless scanning tools.
  • What are sniffing tools? Explain any two
    wireless sniffing tools.
  • What are cracking tools? Explain any two
    wireless cracking tools.

33
Any Queries?

34
Thank You!