CSCD 439/539 Wireless Networks and Security

1
CSCD 439/539Wireless Networks and Security

• Lecture 8
• Wi-Fi Threats and Vulnerabilities
• Fall 2007

2
Introduction

• Vulnerabilities
• Inherent characteristics of wireless
• Deliberate features designed into 802.11
• Flawed design
• WEP
• MAC access list
• Other design flaws
• Threats
• Hackers
• Classification
• Motivation

3
Wi-Fi Vulnerabilities

• Ask, Why are Wi-Fi networks vulnerable to
  attack?
• Answer seems obvious ...

4
Wi-Fi Vulnerabilities

• Answer
• Because its wireless ... transmits data on radio
  waves
• Propagate everywhere
• Boost waves with powerful antennas to travel up
  to mile or more
• Anyone along the path can listen to the
  transmission

5
Wi-Fi Vulnerabilities

• Wi-Fi doesnt fit the traditional model of
  security
• Firewall separates internal network from outer

6
Wi-Fi Vulnerabilities

• Wired networks
• Trusted and Untrusted zones separated by firewall
• Systems inside trusted
• Systems outside untrusted
• Untrusted can have enemies
• Trusted all are your friends in theory

7
Wi-Fi Vulnerabilities

• Wireless completely violates that model
• Introduces vulnerabilities
• People dont understand how to handle the new
  model of wired wireless
• No longer have
• a well-defined
• security perimeter

8
Wi-Fi Characteristics

• Shared, uncontrolled media
• - Lack of physical security, much harder to
  control
• Transient Networks
• - Mobile wireless devices can move
• - Ad-hoc networks, form and dissolve
• How do we protect these networks?

9
Wi-Fi Characteristics

• User Indifference
• - True of both wired and wireless networks
• - Users dont care about security
• - Does your mother care about computer security?
• Easier to attack
• - Lack of defined perimeter said that
• - Wireless nature easier than wired networks
• Hackers are lazy, take the easiest path

10
Inherent Vulnerabilities

• WLANs break assumptions of inside/outside
  paradigm
• Cant be confined
• Radio signal cuts through walls and windows
• Cant change the physical reality of wireless
• Must acknowledge this and counteract the threats
• Must worry about the following

11
Inherent Vulnerabilities

• Rogue access points
• Unauthorized AP installed and connected to
  Enterprise network
• On purpose employee not malicious
• On purpose outsider malicious intent
• Many uses for this useful device if malicious
• Cause users to associate to it
• Man-in-middle attack, session stealing
• Get possibly sensitive information .. more later

12
WEP Encryption

• Wired Equivalent Privacy
• Uses encryption to try to keep data private
• Has multiple problems make it more of a liability
  than a security solution
• Still coming up with new attacks against WEP!
• What was WEP designed for?

13
WEP Encryption

• Designed to
• Keep outsiders from connecting to a network or
  monitoring traffic on that network
• Nothing more

14
WEP Encryption

• WEP and wrong assumptions
• Was not designed to be end-to-end encryption
• Does not distribute and manage encryption keys
• Key distribution - manual outside 802.11 spec
• WPA and WPA2 fixes this
• Was not designed for complete data privacy
• See next slide

15
WEP Encryption

• Question
• Does WEP hide traffic from users on the same
  network sharing the same WEP key?
• No.
• Users can eavesdrop on each other
• So, how can you be sure users are all legitimate?

16
WEP Encryption

• WEP has no authentication except by encryption
  keys
• Assume user with valid key is legitimate
• Doesnt check any sort of user ID, password or
  hardware MAC address
• 802.11i task group
• Defines how this will be done
• Now, not done through WEP

17
MAC Address Filtering

• Another security mechanism
• Doesnt work very well
• Wi-Fi APs have ability to specify list of
  computers permitted to associate with AP
• Any computer not on list turned away by access
  point
• Not able to join your network
• Even if have WEP or WPA key

18
MAC Address Filtering

• Assumption
• Every network device has unique MAC address
• Whats wrong with this assumption?
• MAC addresses can be spoofed!!
• Machine associates with AP
• Sends MAC address in the clear
• Any hacker sniffer program listen for that
  transmission, get MAC address
• Spoof it

19
MAC Address Filtering

• Pretend to be legitimate user
• AP cant tell difference between good user and
  false user
• Fact that Software can impersonate MAC address
  negates MAC address filtering completely

20
Other Design Flaws

• MGMT, CTRL frames not encrypted
• Can be spoofed w/o knowledge of WEP key
• No authentication of AP to station
• Cant prove an AP is legitimate
• Limited of stations can use a single AP
• We can overflow an AP to prevent wireless access

21
Other Design Flaws

• Some believe that by using a complicated SSID
  unauthorized user will have difficulty in gaining
  access to their AP
• SSIDs are passed in the clear, even when WEP is
  enabled
• It is trivial to download free designed to
  intercept SSIDs from a wireless communication
  session

22
SSID Names
Note default SSIDs
23

• Threats

24
Threats and Those Responsible

• Hackers all levels
• What motivates them and more importantly what
  threat do they pose to your Wi-Fi network

25
Attackers

• Who are your typical attackers and what drives
  them to break into your network?
• What are their motives?
• What methods do they use?
• What damage can they cause?
• Are you are risk?

26
Attacker Groups

• Who are they?
• Lots of groups out there that can threaten your
  systems
• Not easy to classify them
• Typical way to group them is by skill level or
  potential for damage
• Can rank them from lowest to highest in skill but
  doesnt always correlate with damage potential
• Good example are the virus/worm writers
• Do a lot of damage but not necessarily the most
  skilled

27
Hacker Groups

• Can loosely classify them by skill level and
  motive
• Elite Hackers White Hat
• Elite Hackers Black Hat
• Virus/Worm Writers and Spammers
• Hacktivism Groups
• Script Kiddies

28
Elite Hackers White Hat

• Hackers in this group skilled
• Often belong to a hacker group
• L0pht, Masters of Deception
• Feel they have a mission to improve the security
  of the computer world
• Avoid damage to network and systems
• Inform and educate system administrators about
  fixes to their security

29
Elite Hackers White Hat

• Elite Hackers White Hat
• Subscribe to a Hacker Code of Ethics
• It said ...
• Ethical duty of the hacker to remove barriers,
  liberate information, decentralize power, honor
  people based on their ability, create things that
  are good and life-enhancing through computers.

30
Elite Hackers White Hat

• New Code of Ethics includes
• Leave no traces keep a low profile, if accused,
  deny it, if caught, plead the 5th.
• Share information
• Dont hoard or hide information
• Information increases in value when shared

31
Elite Hackers Black Hat

• Skilled but do damage
• Break-in and leave evidence of their presence
• Need to re-install software
• Dont worry about loss of private information
• Dont buy into a Code of Ethics
• Sell their services to highest bidder
• In business for themselves

32
Elite Hackers

• Psychological Profile of Elite Hackers
• Most elite hackers are called deviants
• Different values and beliefs than society
• White hats believe they are performing a service
  for society by exposing poor security practices
• Sometimes have a tenuous grasp on reality because
  they live mostly in the cyber world
• Examples Rob Morris, Kevin Mitnik

33
Examples Elite Hackers

• Eric Corley (also known as Emmanuel Goldstein)
• Long standing publisher of 2600 The Hacker
  Quarterly and founder of the H.O.P.E.
  conferences.
• Been part of the hacker community since the late
  '70s.
• Kevin Mitnick
• A former computer criminal who now speaks,
  consults, and authors books about social
  engineering and network security.
• Robert Morris
• Now a professor at MIT
• The son of the chief scientist at the National
  Computer Security Center part of the National
  Security Agency (NSA)
• Cornell University graduate student, he
  accidentally unleashed an Internet worm in 1988
• Thousands of computers were infected and
  subsequently crashed.

34
Script Kiddies

• Skilled hackers put their scripts on-line
• They appear to want others to use and benefit
  from their experience
• Goes along with the ethic of sharing
  information
• Allows people with limited technical knowledge to
  do lots of damage since there are lots of them

35
Script Kiddies

• Script kiddie is a wannabe hacker
• Scans Internet for compromised systems using
  freely available tools
• At the bottom of the pile in the hacking world
• Can still do an incredible amount of damage
• Especially to unprotected wireless networks

36
Motivation

• Ego gratification
• Both Elite hackers and script kiddies
• Profit
• Earn lots of money hacking these days
• Spamming, selling credit cards on black market,
  botnets
• Corporate espionage or nation-state level of
  hacking
• Political Agenda
• Hacktivism is growing as an attention getter

37
Motivation

• Revenge
• Grudge against a company
• Set off a time bomb - electronically
• Steal secrets and sell them to competitor
• For fun
• Just want to see if they can do

38
BEFORE AFTER (your results may vary)
39
What hackers do to you

• Basically 4 things with lots of variations
• 1. Connect to computer you are unaware
• Vandalize machine
• Steal data, Use your bandwidth
• 2. Dont connect to your computer
• Sniff traffic
• Obtain passwords, credit card data, other useful
  information

40
What hackers do to you

• 3. Hijack machine
• Put Trojan Horse on it
• Trojan is a program that seems to do something
  its supposed to but has a hidden task also
• Typically a backdoor but can have other purposes
• 4. Denial of Service (DoS)
• Prevent you from using machine

41
Phases of Attacks

• In general, many attacks are not spontaneous
• Attackers go through phases to compromise a
  system
• Phases of attacks
• Reconnaissance
• Scanning
• Gaining access with Attacks

42
Three Phases in an Attack

• Reconnaissance
• Scope out the place, gain initial information on
  victims, and network discovery
• 2. Scanning
• Build a detailed map of the network and services
  and vulnerabilities
• Open ports
• 3. Attack
• The actual offensive action, method depends on
  what is goal of attack

43
Reconnaissance

• Purpose for Wireless
• Scope out networks and potential victims
• Find wireless networks, see if security is
  enabled, and how strong
• Discover as much information about them as
  possible
• Many ways to do this .

44
Reconnaissance

• Information discovery
• Tools
• Netstumbler, Kismet, Wellenrighter, Wififofum,
  Cain
• People
• Techniques
• Rogue APs
• Open/misconfigured APs
• Ad Hoc Stations
• Ask for information

45
Reconnaissance

• Social Engineering
• Surprising number of employees give away
  sensitive information
• Most successful are calls to employees
• Call the help desk as a new employee for help
  with a particular task
• Angry manager calls a lower level employee
  because his password has suddenly stopped working
• System administrator calls employee to fix her
  account on the system which requires using her
  password

46
Reconnaissance

• Defense against Social Engineering
• User awareness
• Must be trained to not give out sensitive
  information
• Security awareness program should inform
  employees about social engineering attacks
• No reason why a system administrator ever needs
  you to give him/her your password
• Help desk should have a way to verify the
  identify of any user requesting help
• Hacker at Defcon wear shirts
• No defense against stupidity

47
Reconnaissance

• Specific to Wireless Networks
• Physical Reconnaissance
• In addition to techniques for wired networks
  wireless networks involve physical aspect
• Can see antennas and wireless APs
• Antennas Walls, ceilings, hallways, roofs
• Access Points Ceilings, walls, support beams
• shelves
• Devices -
• Printers/PDA Reception area, offices, desks

48
Reconnaissance

• Techniques
• Attackers use lots of different tools and
  techniques for gathering information
• War driving for WLANs, war dialing for modems
• Note
• Defenders need to defend all paths into the
  network
• Attackers need to find just one open path
• Attackers have all the time in the world

49
War Driving

• War Driving
• Invented by Peter Shipley in 2001 when he drove
  around Silicon Valley and found hundreds of
  access points
• Mapped them out to show how vulnerable WLANs are
  to snooping

50
San Francisco Wi-Fis
51
War Driving

• Active Scanning
• Broadcast 802.11 probe packets with SSID of any
  to check for access points in range
• Like going outside and shouting, Whos there?
• Netstumbler is free tool for doing active
  scanning
• www.netstumbler.com
• Most popular tool for active scanning WLANs
• Runs under Windows
• Supports ORiNOCO, Dell TrueMobile 1150, Toshiba
  802.11b wireless card, Compaq WL110 plus several
  others

52
War Driving

• What does Netstumbler do?
• Gathers MAC address, SSID, Wireless Channel and
  relative signal strength of each access point
• Also if security is turned on, WEP
• Coordinates with GPA system
• Example New York City
• Netstumbler
• ORiNOCO antenna, Laptop, taxi cab in NY City
• One hour found 455 access points

53
From www.wigle.net
The island of Manhattan, one of the densest
points of observed networks in the WiGLE world.
54
Wigle.net Wireless DB

• Wireless Geographic Logging Engine Making maps
  of wireless networks since 2001
• Database 6 years old
• 12,389,316 points from 765,231,060 unique
  observations
• Many known open or weak Access Points
• Fully available on the web
• Search by SSID, MAC address, longitude/latitude,
  physical address

55
War Driving

• Netstumbler
• After installation, important to turn off TCP/IP
  in Windows
• If not, then, when you wardrive and get within
  range of network, your computer will try to
  connect to the network
• The netstumbler site has interesting features
• www.netstumbler.com
• Database of all access points reported by other
  war drivers maps.netsumbler.com
• You must register, and then you can query the DB
  for your NICs MAC address
• You can upload your capture log to their DB
• Also, this link has several maps you can browse
• http//wiki.personaltelco.net/index.cgi/WarDriving
  

56
Netstumbler Window
Default SSIDs
57
War Driving

• Defense Against Active Scanning
• Configure access points to ignore probes with
  any
• Can configure access points to repress the beacon
  so it disables broadcast SSID
• Passive Scanning
• Stealthier way of discovering WLANs
• Puts wireless card into rfmon mode monitor mode
  
• Sniffs all wireless traffic from the air

58
War Driving

• Passive Scanning
• Kismet by Mike Kershaw
• More for detailed packet capture and analysis
• www.kismetwireless.net
• Wellenreiter - by Max Moser
• Optimized for war-driving
• www.remoteexploit.org
• Runs on Linux and supports, prism2, lucent, and
  cisco wireless card types

59
War Driving

• Wellenreiter Tool
• Listens for ARP or DHCP traffic to determine the
  MAC and IP addresses of each wireless device
• Passive mode
• Doesnt send probe packets
• Every 100 ms access points send beacons to
  synchronize timing and frequency information

60
War Driving

• Drawback of Wellenreiter
• If access point configured to omit its SSID from
  its beacons and no other users are sending
  traffic to access point, wont be able to
  determine SSID
• Will know its there, not its name

61
Summary

• Wi-Fi networks, 802.11 Standard
• Many built-in vulnerabilities
• Problems from people related vulnerabilities too
• Lots of Attackers out there
• Incentive for them, glory, money, fun ..
• Phases of attack
• Reconnaissance, Scanning, Attack
• War driving Reconnaissance
• Highly successful

62
Finish

• Next time More on Attacks and Tools
• Read articles on Course Notes page