Capturing Air: Tools and Methods to Make Wireless Assessments a Breeze

Slides: 44
Provided by: isacakcOr
Learn more at: http://isaca-kc.org

Transcript and Presenter's Notes

1
Capturing Air: Tools and Methods to Make Wireless
Assessments a Breeze
  • Leo Walsh, GSNA
  • Professional
  • Jefferson Wells

2
Topics
  • Auditing Mindset
  • Wireless Basics
  • Wireless Security Issues
  • Typical Wireless Architectures
  • Auditing Wireless Networks

3
Why are you here?
  • You might be required to do a wireless audit.
  • You want to learn more about wireless security.
  • You would like to learn how to secure your home
    wireless router.
  • You hope the presenter will show you how to hack
    into your neighbor's wireless router.
  • Your company is paying for your lunch at the
    Hereford House.

4
Auditing Mindset: Common Ground
  • Independent Cooperative
  • Appraisal Assurance
  • Enemy Team Mate
  • Auditing is measuring
  • Answers the question, "How do you know?"

5
Auditing Mindset: Working with IT
  • IT thinks they are
    • Just Fine
    • The Experts
    • Overworked
    • Secure
  • Auditors think IT is
    • Insecure
    • Stubborn
    • Aloof
    • Arrogant

6
Auditing Mindset: Working with IT
  • Obtain Wireless information up front
    • SSID
    • Network Architecture
    • Wireless Device Configurations and Models
    • IP Addresses
    • Internet Connectivity
    • Corporate Network Connectivity
    • Risk Mitigation Techniques
    • Remote Management
    • Logging and Monitoring Procedures
    • Authentication and Encryption Methods

7
Wireless Basics: Terms
  • Access Point
    • An access point connects multiple wireless
      devices much like a hub or switch. Most wireless
      routers are access points.
  • End Point
    • An end point connects to an access point or
      another end point. Computers are the most common
      end points.

8
Wireless Basics: Terms
  • Open Network
    • An open network can be accessed by any end point.
      The data transmitted on the open network is not
      encrypted and can be read by anyone with a
      wireless device. When using an open network, users
      are very susceptible to attack and information
      leakage. If required to use an open network,
      immediately connect to a VPN or use only SSL
      sites. The Jefferson Wells VPN does not encrypt
      HTTP traffic for web sites on the Internet.

9
Wireless Basics: Terms
  • WEP Encrypted Network
    • WEP stands for Wired Equivalent Privacy. It was
      designed to provide the same level of privacy a
      user could expect when connecting to a LAN. The
      wireless traffic on a WEP network is encrypted
      using an inferior encryption scheme. It is easy
      for potential attackers to obtain the encryption
      key and decrypt WEP traffic.

10
Wireless Basics: Terms
  • WPA Encrypted Network
    • WPA stands for Wi-Fi Protected Access. WPA is far
      superior to WEP. Traffic on a WPA wireless
      network is encrypted using a simple password. It
      is difficult (but not impossible) to guess this
      password and decrypt WPA traffic. WPA replaced
      WEP in 2003.

11
Wireless Basics: Terms
  • SSID
    • SSID stands for service set identifier, which is
      used to identify that a particular packet is
      assigned to the network associated with that SSID.

12
Wireless Basics: Terms
  • BSS
    • BSS stands for basic service set. It is composed
      of at least 2 devices with the AP acting as the
      master control.
  • ESS
    • ESS stands for extended service set. It is a set
      of one or more interconnected BSSs with the same
      SSID.

13
Wireless Basics: Terms
  • WLAN
    • WLAN stands for Wireless Local Area Network.
  • Wi-Fi
    • Wi-Fi is a brand name owned by the Wi-Fi
      Alliance, a group of independent companies that
      have agreed upon certain standards in order to
      ensure interoperability.

14
Wireless Basics: Terms
  • 802.11
    • 802.11 is the generic IEEE standard for WLAN
      communication. The number is followed by a letter
      (like a, b or g) to describe a specific standard.
  • 802.1x
    • 802.1x is the IEEE standard for network access
      control (authentication). It is frequently
      confused with 802.11 standards. 802.1x standards
      are frequently used in WLAN implementations.

15
Wireless Basics: Terms
  • Radio Frequency (RF)
    • RF is the rate of oscillation of a radio wave.
      802.11 applies to the frequencies of 5 GHz and
      2.4 GHz, which are both public sector bands.
  • Signal Strength
    • The signal strength of an RF device is measured
      in watts. The higher the strength, the larger the
      distance covered by the RF device. Modern APs
      range from 32 mW to 200 mW.

16
Wireless Security Issues
  • Radio waves can penetrate walls and be reflected
    unintentionally
  • Signal leakage is a common occurrence
  • Can't detect someone listening to your signal
  • Distance is determined by antenna quality, both
    AP and EP
  • Poor encryption
  • Poor authentication
  • Devices can be very small

17
Wireless Security Issues: Location
  • Keep in mind what is physically near the AP
    • Parking lot
    • Park
    • Deli / Coffee House
    • Other buildings or offices
  • Keep in mind what is physically distant from the
    AP
    • Mountain / Hill
    • Tall building

18
Wireless Security Issues: WEP
  • WEP uses a very poorly implemented encryption
    scheme (RC4)
  • The WEP key is easy to guess using freely
    available tools
  • WEP has been proven to be obsolete (incredibly
    worthless) since 2001
  • Original version used only a 40 bit key which was
    changed to a 104 bit key
  • Active attacks can dramatically reduce the amount
    of time required to obtain the key for cracking
    purposes

19
Wireless Security Issues: WEP Myths
  • New WEP implementations (WEP, WEP2, Dynamic WEP)
    fixed the problem
  • It takes a very long time to obtain enough
    information to crack the encryption key
  • Using 128 bit WEP is safe
  • Certain WEP keys are unbreakable

20
Wireless Security Issues: Cracking WEP
  • Simple process
  • Very well described on the Internet
  • Freely available tools and drivers
  • New tool requires very few packets
  • Can be done from long distances

21
Wireless Security Issues: Cracking WEP Active Attack
  • Obtain hardware and software to support WEP
    cracking
  • Place wireless device within range of WEP network
    to capture traffic
  • Use tool to force end point to disconnect from
    network
  • Listen for special packet on reconnect
  • Replay packet until enough information is
    gathered
  • Run tool to obtain WEP key
  • Decrypt all WEP traffic

22
Wireless Security Issues: Cracking WEP Passive Attack
  • Obtain hardware and software to support WEP
    cracking
  • Place wireless device within range of WEP network
    to capture traffic
  • Listen for enough packets to obtain key
  • Run tool to obtain WEP key
  • Decrypt all WEP traffic

23
Typical Wireless Architectures
  • Open on public network
  • Closed on public network
  • Filtered on public network
  • Closed on corporate network
  • Closed and segregated on corporate network

24
Typical Wireless Architectures - Open on Public
Network

25
Typical Wireless Architectures - Closed on
Public Network

26
Typical Wireless Architectures - Filtered on
Public Network

27
Typical Wireless Architectures - Closed on
Corporate Network

28
Typical Wireless Architectures - Closed and
segregated on corporate network

29
Auditing Wireless Networks: High Risk First
  • Start with assessing the highest/most common
    risks first
    • Misconfiguration
    • Poor encryption
    • Unapproved devices
    • Bad implementation

30
Auditing Wireless Networks: Tools
  • Free tools to get the job done
    • Network Stumbler
      • www.netstumbler.com
    • Aircrack-ng Suite
      • www.aircrack-ng.org
    • BackTrack v2.0 Live CD
      • www.remote-exploit.org/backtrack.html

31
Auditing Wireless Networks: Hardware
  • Check your chipset
    • Not all chipsets support injection
    • May have to download a tool to determine
    • Good info at
      • http://www.aircrack-ng.org/doku.php?id=compatible_cards
  • Check driver support for OS and application
    • Atheros chipset best supported with drivers for
      Windows and Linux
  • Consider an antenna or GPS

32
Auditing Wireless Networks: NetStumbler
  • Windows only
  • Monitors signal strength
  • Lists SSID, MAC addresses, etc.
  • Can be used to monitor and log wireless activity
  • Can be used to detect wireless devices
    • Locate device in list then monitor
    • Roam around using signal strength as a "hot or
      cold" indication

33
Auditing Wireless Networks: NetStumbler

34
Auditing Wireless Networks: NetStumbler

35
Auditing Wireless Networks: NetStumbler

36
Auditing Wireless Networks: Aircrack-ng Suite
  • Set of wireless tools mostly designed to crack
    encryption
  • Windows and Linux (although some tools are Linux
    only)
  • Contains a packet sniffer, packet injector,
    capture file decoder, tunnel interface and
    multiple crackers
  • Used to list SSIDs in range
  • Prove that WEP is too weak to use in any scenario

37
Auditing Wireless Networks: Aircrack-ng Suite

38
Auditing Wireless Networks: Aircrack-ng Suite

39
Auditing Wireless Networks: Aircrack-ng Suite

40
Auditing Wireless Networks: Aircrack-ng Suite

41
Auditing Wireless Networks: Steps
  • Obtain wireless network information from IT
    • Configuration and Models
    • Architecture
    • SSID
    • Encryption and Authentication
    • Mitigation
    • Logging and Monitoring
    • Administration
  • Confirm information obtained using manual review
    of configuration files and wireless tools
  • Provide results and possible recommendations back
    to IT for comment
  • Provide final report to management
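
The confirmation step above (checking what IT reported against what the wireless tools actually see), combined with the "High Risk First" ordering, as an added example that is not part of the original presentation. The inventory, the survey CSV with its column names, and the risk ranking are all constructed assumptions for illustration:

```python
import csv
import io

# Constructed inventory: what IT reported up front, keyed by AP MAC (BSSID).
APPROVED = {
    "00:11:22:33:44:01": ("CorpWLAN", "WPA"),
    "00:11:22:33:44:02": ("CorpWLAN", "WPA"),
    "00:11:22:33:44:03": ("CorpGuest", "WPA"),
    "00:11:22:33:44:04": ("CorpWLAN", "WPA"),
}

# Constructed survey export; the column names are hypothetical, not a tool's format.
SURVEY_CSV = """bssid,ssid,encryption,signal_dbm
00:11:22:33:44:01,CorpWLAN,WPA,-48
00:11:22:33:44:02,CorpWLAN,WEP,-61
00:11:22:33:44:03,CorpGuest,OPEN,-55
00:11:22:33:44:04,default,WPA,-59
66:77:88:99:aa:bb,CorpWLAN,WPA,-70
66:77:88:99:aa:cc,linksys,OPEN,-82
"""

WEAK = {"OPEN", "WEP"}
# Assumed ranking for this example; reorder to match your own risk assessment.
RANK = {"poor encryption": 0, "unapproved device": 1, "misconfiguration": 2}


def audit_survey(survey_csv, approved):
    """Compare observed APs with the inventory; return findings, highest risk first."""
    corp_ssids = {ssid for ssid, _ in approved.values()}
    findings = []
    for row in csv.DictReader(io.StringIO(survey_csv)):
        bssid = row["bssid"].strip().upper()
        ssid, enc = row["ssid"].strip(), row["encryption"].strip().upper()
        if bssid not in approved:
            # Not in IT's inventory: note whether it borrows a corporate SSID.
            note = "advertises corporate SSID" if ssid in corp_ssids else "unknown SSID"
            findings.append(("unapproved device", bssid, f"{note} '{ssid}', {row['signal_dbm']} dBm"))
            continue
        want_ssid, want_enc = approved[bssid]
        if enc in WEAK:
            findings.append(("poor encryption", bssid, f"{enc} observed, inventory says {want_enc}"))
        elif (ssid, enc) != (want_ssid, want_enc):
            findings.append(("misconfiguration", bssid, f"observed {ssid}/{enc}, inventory says {want_ssid}/{want_enc}"))
    return sorted(findings, key=lambda f: RANK[f[0]])


if __name__ == "__main__":
    for risk, bssid, detail in audit_survey(SURVEY_CSV, APPROVED):
        print(f"{risk:18} {bssid}  {detail}")
```

An unapproved radio seen from the air may belong to a neighbor rather than the organization, so each such finding still needs to be located (for example by signal strength) before it goes into the report.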

42
Auditing Wireless Networks: Questions to ask
  • What type of encryption are we using?
  • Is there any 802.1x authentication configured for
    the WLAN?
  • Are connections to the WLAN logged?
  • Is important data transmitted over our wireless
    networks?
  • What security parameters or configurations are in
    place?
  • What is our SSID?
  • What is our WPA or WEP key and how is it
    protected?

43
Auditing Wireless Networks: Questions?
  • Any Questions?