Title: Capturing Air: Tools and Methods to Make Wireless Assessments a Breeze
Slide 1: Capturing Air: Tools and Methods to Make Wireless Assessments a Breeze
- Leo Walsh, GSNA
- Professional
- Jefferson Wells
Slide 2: Topics
- Auditing Mindset
- Wireless Basics
- Wireless Security Issues
- Typical Wireless Architectures
- Auditing Wireless Networks
Slide 3: Why are you here?
- You might be required to do a wireless audit.
- You want to learn more about wireless security.
- You would like to learn how to secure your home wireless router.
- You hope the presenter will show you how to hack into your neighbor's wireless router.
- Your company is paying for your lunch at the Hereford House.
Slide 4: Auditing Mindset - Common Ground
- Independent Cooperative
- Appraisal Assurance
- Enemy Team Mate
- Auditing is measuring
- Answers the question, "How do you know?"
Slide 5: Auditing Mindset - Working with IT
- IT thinks they are:
  - Just Fine
  - The Experts
  - Overworked
  - Secure
- Auditors think IT is:
  - Insecure
  - Stubborn
  - Aloof
  - Arrogant
Slide 6: Auditing Mindset - Working with IT
- Obtain Wireless information up front
- SSID
- Network Architecture
- Wireless Device Configurations and Models
- IP Addresses
- Internet Connectivity
- Corporate Network Connectivity
- Risk Mitigation Techniques
- Remote Management
- Logging and Monitoring Procedures
- Authentication and Encryption Methods
Slide 7: Wireless Basics - Terms
- Access Point
- An access point connects multiple wireless devices, much like a hub or switch. Most wireless routers are access points.
- End Point
- An end point connects to an access point or another end point. Computers are the most common end points.
Slide 8: Wireless Basics - Terms
- Open Network
- An open network can be accessed by any end point. The data transmitted on the open network is not encrypted and can be read by anyone with a wireless device. When using an open network, users are very susceptible to attack and information leakage. If required to use an open network, immediately connect to a VPN or use only SSL sites. The Jefferson Wells VPN does not encrypt HTTP traffic for web sites on the Internet.
Slide 9: Wireless Basics - Terms
- WEP Encrypted Network
- WEP stands for Wired Equivalent Privacy. It was designed to provide the same level of privacy a user could expect when connecting to a LAN. The wireless traffic on a WEP network is encrypted using an inferior encryption scheme. It is easy for potential attackers to obtain the encryption key and decrypt WEP traffic.
Slide 10: Wireless Basics - Terms
- WPA Encrypted Network
- WPA stands for Wi-Fi Protected Access. WPA is far superior to WEP. Traffic on a WPA wireless network is encrypted using a simple password. It is difficult (but not impossible) to guess this password and decrypt WPA traffic. WPA replaced WEP in 2003.
Slide 11: Wireless Basics - Terms
- SSID
- SSID stands for service set identifier. It is used to identify that a particular packet is assigned to the network associated with that SSID.
Slide 12: Wireless Basics - Terms
- BSS
- BSS stands for basic service set. It is composed of at least 2 devices, with the AP acting as the master control.
- ESS
- ESS stands for extended service set. It is a set of one or more interconnected BSSs with the same SSID.
Slide 13: Wireless Basics - Terms
- WLAN
- WLAN stands for Wireless Local Area Network.
- Wi-Fi
- Wi-Fi is a brand name owned by the Wi-Fi Alliance, a group of independent companies that have agreed upon certain standards in order to ensure interoperability.
Slide 14: Wireless Basics - Terms
- 802.11
- 802.11 is the generic IEEE standard for WLAN communication. The number is followed by a letter (like a, b or g) to describe a specific standard.
- 802.1X
- 802.1X is the IEEE standard for network access control (authentication). It is frequently confused with the 802.11 standards. 802.1X is frequently used in WLAN implementations.
Slide 15: Wireless Basics - Terms
- Radio Frequency (RF)
- RF is the rate of oscillation of a radio wave. 802.11 applies to the frequencies of 5 GHz and 2.4 GHz, which are both public sector bands.
- Signal Strength
- The signal strength of an RF device is measured in watts. The higher the strength, the larger the distance covered by the RF device. Modern APs range from 32 mW to 200 mW.
Slide 16: Wireless Security Issues
- Radio waves can penetrate walls and be reflected unintentionally
- Signal leakage is a common occurrence
- Can't detect someone listening to your signal
- Distance is determined by antenna quality, both AP and EP
- Poor encryption
- Poor authentication
- Devices can be very small
Slide 17: Wireless Security Issues - Location
- Keep in mind what is physically near the AP
  - Parking lot
  - Park
  - Deli / Coffee House
  - Other buildings or offices
- Keep in mind what is physically distant from the AP
  - Mountain / Hill
  - Tall building
Slide 18: Wireless Security Issues - WEP
- WEP uses a very poorly implemented encryption scheme (RC4)
- The WEP key is easy to guess using freely available tools
- WEP has been proven to be obsolete (incredibly worthless) since 2001
- The original version used only a 40 bit key, which was changed to a 104 bit key
- Active attacks can dramatically reduce the amount of time required to obtain the key for cracking purposes
Slide 19: Wireless Security Issues - WEP Myths
- New WEP implementations (WEP+, WEP2, Dynamic WEP) fixed the problem
- It takes a very long time to obtain enough information to crack the encryption key
- Using 128 bit WEP is safe
- Certain WEP keys are unbreakable
Slide 20: Wireless Security Issues - Cracking WEP
- Simple process
- Very well described on the Internet
- Freely available tools and drivers
- New tool requires very few packets
- Can be done from long distances
Slide 21: Wireless Security Issues - Cracking WEP, Active Attack
- Obtain hardware and software to support WEP cracking
- Place wireless device within range of WEP network to capture traffic
- Use tool to force end point to disconnect from network
- Listen for special packet on reconnect
- Replay packet until enough information is gathered
- Run tool to obtain WEP key
- Decrypt all WEP traffic
Slide 22: Wireless Security Issues - Cracking WEP, Passive Attack
- Obtain hardware and software to support WEP cracking
- Place wireless device within range of WEP network to capture traffic
- Listen for enough packets to obtain key
- Run tool to obtain WEP key
- Decrypt all WEP traffic
Slide 23: Typical Wireless Architectures
- Open on public network
- Closed on public network
- Filtered on public network
- Closed on corporate network
- Closed and segregated on corporate network
Slide 24: Typical Wireless Architectures - Open on Public Network
Slide 25: Typical Wireless Architectures - Closed on Public Network
Slide 26: Typical Wireless Architectures - Filtered on Public Network
Slide 27: Typical Wireless Architectures - Closed on Corporate Network
Slide 28: Typical Wireless Architectures - Closed and Segregated on Corporate Network
Slide 29: Auditing Wireless Networks - High Risk First
- Start with assessing the highest/most common risks first
  - Misconfiguration
  - Poor encryption
  - Unapproved devices
  - Bad implementation
Slide 30: Auditing Wireless Networks - Tools
- Free tools to get the job done
  - Network Stumbler
    - www.netstumbler.com
  - Aircrack-ng Suite
    - www.aircrack-ng.org
  - BackTrack v2.0 Live CD
    - www.remote-exploit.org/backtrack.html
Slide 31: Auditing Wireless Networks - Hardware
- Check your chipset
  - Not all chipsets support injection
  - May have to download a tool to determine
  - Good info at http://www.aircrack-ng.org/doku.php?id=compatible_cards
- Check driver support for OS and application
  - Atheros chipset best supported with drivers for Windows and Linux
- Consider an antenna or GPS
Slide 32: Auditing Wireless Networks - NetStumbler
- Windows only
- Monitors signal strength
- Lists SSID, MAC addresses, etc.
- Can be used to monitor and log wireless activity
- Can be used to detect wireless devices
  - Locate device in list, then monitor
  - Roam around using signal strength as a "hot or cold" indication
Slide 36: Auditing Wireless Networks - Aircrack-ng Suite
- Set of wireless tools mostly designed to crack encryption
- Windows and Linux (although some tools are Linux only)
- Contains a packet sniffer, packet injector, capture file decoder, tunnel interface and multiple crackers
- Used to list SSIDs in range
- Proves that WEP is too weak to use in any scenario
Slide 41: Auditing Wireless Networks - Steps
- Obtain wireless network information from IT
  - Configuration and Models
  - Architecture
  - SSID
  - Encryption and Authentication
  - Mitigation
  - Logging and Monitoring
  - Administration
- Confirm information obtained using manual review of configuration files and wireless tools
- Provide results and possible recommendations back to IT for comment
- Provide final report to management
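The "confirm what IT told you" step and the "high risk first" ordering can be automated once the inventory from IT and a scan export are side by side. The script below is an added example, not material from the presentation: it takes a constructed inventory (BSSID, SSID, encryption claimed by IT) and constructed scan rows of the kind a stumbler-type tool exports, flags unapproved devices and weak or mismatched encryption, and orders the findings by risk.

```python
"""Reconcile a wireless scan against the inventory IT supplied (added example)."""
from dataclasses import dataclass

# Severity per encryption type seen on the air: open and WEP are top risk,
# WPA is a lower-risk item worth reviewing (see the WEP and WPA slides).
RISK = {"open": 3, "wep": 3, "wpa": 1}

@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    severity: int
    reason: str

# Constructed inventory as IT would report it up front: BSSID -> (SSID, encryption)
APPROVED = {
    "00:11:22:33:44:01": ("CORP-WLAN", "wpa"),
    "00:11:22:33:44:02": ("CORP-GUEST", "wpa"),
}

# Constructed scan rows: (BSSID, SSID, encryption observed, signal in dBm)
SCAN = [
    ("00:11:22:33:44:01", "CORP-WLAN", "wpa", -48),
    ("00:11:22:33:44:02", "CORP-GUEST", "wep", -55),   # weaker than IT claimed
    ("aa:bb:cc:dd:ee:ff", "CORP-WLAN", "open", -70),   # not in the inventory at all
]

def audit(scan, approved):
    """Return findings sorted highest risk first: unapproved devices, then
    encryption that is weaker than, or different from, what IT reported."""
    findings = []
    for bssid, ssid, enc, _signal in scan:
        enc = enc.lower()
        if bssid not in approved:
            findings.append(Finding(bssid, ssid, 3, "unapproved device (not in IT inventory)"))
            continue
        exp_ssid, exp_enc = approved[bssid]
        if ssid != exp_ssid:
            findings.append(Finding(bssid, ssid, 2, f"SSID differs from inventory ({exp_ssid})"))
        if enc != exp_enc.lower():
            findings.append(Finding(bssid, ssid, RISK.get(enc, 2),
                                    f"encryption {enc} differs from inventory ({exp_enc})"))
        elif RISK.get(enc, 2) >= 3:
            findings.append(Finding(bssid, ssid, 3, f"weak encryption ({enc}) approved by IT"))
    return sorted(findings, key=lambda f: -f.severity)

if __name__ == "__main__":
    for f in audit(SCAN, APPROVED):
        print(f"[{f.severity}] {f.bssid} {f.ssid}: {f.reason}")
```

Each finding maps back to a question on the next slide (what encryption, what SSID, is the device approved), which makes it straightforward to hand results to IT for comment.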
Slide 42: Auditing Wireless Networks - Questions to Ask
- What type of encryption are we using?
- Is there any 802.1X authentication configured for the WLAN?
- Are connections to the WLAN logged?
- Is important data transmitted over our wireless networks?
- What security parameters or configurations are in place?
- What is our SSID?
- What is our WPA or WEP key, and how is it protected?
Slide 43: Auditing Wireless Networks - Questions?