Post on 30-Dec-2015
Assessing Wireless Security Using Open Source Tools
By: Matthew Neely
Presented: May 5th 2009 at Pittsburgh ISSA
Speaker Biography
• Matt Neely CISSP, CTGA, GCIH, GCWN - Manager of the Profiling team at SecureState:
– Areas of expertise include: wireless security, penetration testing, physical security, security convergence and incident response
– Formed and ran the TSCM team at a Fortune 200 company
– 10 years of security experience
• Outside of work:
– Co-host of the Security Justice Podcast
– Board member for the North Eastern Ohio Information Security Forum
– Licensed ham radio operator (Technician) for almost 20 years
What concerns do you have about wireless?
Agenda
• Overview of the 802.11 standard
• Hardware - Requirements and recommendations
• Discovering wireless networks
• Introduction to Kismet
• Lab – Discovering and enumerating wireless networks using Kismet
• Demo – Aircrack-ng
• How to tell if an AP is on your network
• Wireless security recommendations
• Conclusion
OVERVIEW OF 802.11
What is 802.11
• Set of wireless local area network (WLAN) standards developed by the IEEE
• Uses the standard Ethernet protocol
• Adds a special media access control (MAC) process
Popular 802.11 Standards
• 802.11
– 2.4 GHz
– 2 Mbps (0.9 Mbps typical)
• 802.11a
– 5 GHz
– 54 Mbps (23 Mbps typical)
• 802.11b
– 2.4 GHz
– 11 Mbps (4.5 Mbps typical)
• 802.11g
– 2.4 GHz
– 54 Mbps (23 Mbps typical)
• 802.11n - Draft
– 2.4 and 5 GHz
– 300 Mbps (74 Mbps typical)
– Greenfield mode
802.11 Versus Wi-Fi
• 802.11 is a set of standards from the IEEE
• Wi-Fi is a subset of the 802.11 standards managed by the Wi-Fi Alliance
• The Wi-Fi Alliance ensures all products with the Wi-Fi logo will work together
• Different vendors often interpret standards differently
• The Wi-Fi Alliance defines what is the “right” thing to do when implementing a standard
– Especially useful when vendors implement draft standards
– Examples: Wi-Fi Protected Access (WPA) and “Draft” 802.11n equipment
Infrastructure Vs. Ad-hoc Networks
• Infrastructure: Allows one or more computers to connect to a network using an Access Point (AP).
– AP is the hub of communication
– Service Set IDentifier (SSID) is used to identify the network
• Ad-Hoc: Allows users to create peer-to-peer networks.
– Does not use an AP
– Independent Basic Service Set (IBSS) is used to identify the network
– First active ad-hoc station establishes the network and starts sending beacons with the IBSS
HOW CLIENTS FIND WIRELESS NETWORKS
Broadcast Probe Request
• Client sends out broadcast probe request packets asking who is there
Broadcast Probe Reply
• Any APs in the area reply back with their SSID
Direct Probe Request
• Client can also send direct probe request packets looking for a specific network name
– Example: I’m looking for network Linksys
Beacon Packets
• AP sends out beacon packets
– Beacon packets contain the SSID of the network
• Client listens for beacon packets and uses the SSID information in the packet to figure out what networks are in range
Hidden APs
• Beaconless APs
– AKA “disabled broadcast SSID”, “cloaked” or “closed”
• Some APs do not send beacon packets when clients are not connected
• Other APs still send a beacon packet but leave the SSID field blank
• Attempts to prevent malicious users from finding the AP
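To make the beacon and probe behaviour above concrete, here is an added shell/awk example (not from the original slides) that sorts a constructed list of management frames, in the shape a passive scanner sees them in RF monitor mode, into beaconing APs, cloaked APs (blank SSID field in the beacon) and cloaked APs whose name was disclosed in a probe response to a client asking for it by name. The frame list, BSSIDs and SSIDs are all constructed sample data; the point is that a cloaked SSID stays hidden only until the first client asks for it.

```shell
#!/bin/sh
# Added example (not from the slides). Input is a constructed list of management
# frames as a monitor-mode capture would expose them: frame type, BSSID, SSID.
# A blank third field means the SSID field in the frame was empty.
SAMPLE_FRAMES='beacon,00:11:22:33:44:01,Linksys
beacon,00:11:22:33:44:02,
proberesp,00:11:22:33:44:02,CorpHidden
beacon,00:11:22:33:44:03,
probereq,ff:ff:ff:ff:ff:ff,
probereq,ff:ff:ff:ff:ff:ff,CorpHidden'

# cloaked_bssids: APs that beacon with a blank SSID field ("cloaked"/"closed").
cloaked_bssids() {   # $1 = frame list
  printf '%s\n' "$1" | awk -F, '$1=="beacon" && $3=="" {print $2}' | sort -u
}

# resolved_ssid: the name a cloaked AP discloses in its probe response once a
# client asks for it by name (a direct probe request). Empty if never seen.
resolved_ssid() {   # $1 = frame list, $2 = BSSID
  printf '%s\n' "$1" | awk -F, -v b="$2" \
    '$1=="proberesp" && $2==b && $3!="" {print $3; exit}'
}

# hidden_ap_report: one line per cloaked AP, with the SSID if it leaked.
hidden_ap_report() {   # $1 = frame list
  for b in $(cloaked_bssids "$1"); do
    name=$(resolved_ssid "$1" "$b")
    if [ -n "$name" ]; then
      printf '%s cloaked; SSID revealed by probe response: %s\n' "$b" "$name"
    else
      printf '%s cloaked; SSID not observed yet\n' "$b"
    fi
  done
}

hidden_ap_report "$SAMPLE_FRAMES"
```

Run as-is and the report shows one cloaked AP whose name leaked through a probe response and one whose name has not been seen yet; this is the same correlation a passive scanner performs, and it is why the recommendations later in the deck treat hidden SSIDs as obscurity rather than protection.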
HARDWARE
Requirements and Recommendations
Hardware
• Required
– Computer - Running or capable of running Linux (install Linux on a laptop or use a LiveLinux distro such as BackTrack)
– Wireless card
• Optional
– External antenna
– Pigtail
– GPS
BackTrack
• LiveLinux distro containing a large number of pre-configured attack tools
• Variety of wireless drivers come pre-loaded
• Plug and play support for many wireless cards
• Available in two formats:
– Bootable CD
– Bootable thumb drive: contains more tools, and data written to the thumb drive persists across reboots
• Download:
– http://www.remote-exploit.org/backtrack_download.html
BackTrack in VMware
• BackTrack cannot directly access a PCMCIA or mini-PCI card
– Limits what fun stuff can be done
• Can use a USB dongle with a supported chipset
– Temperamental and unstable at times
• For just about everything except wireless related tasks, I run BackTrack inside VMware
• When I need to run wireless tools in BackTrack I prefer to run BackTrack on the bare hardware
Saving Data on BackTrack
• When run from a CD all saved data will be erased on reboot
• Solution 1:
– Run BackTrack from a bootable thumb drive
• Solution 2:
– Mount a thumb drive and save your data
– Command: mount /dev/sdb1 /mnt (a mount point such as /mnt is required; the device name depends on which drive the thumb drive enumerates as)
• Solution 3:
– Save your data to a network share before rebooting
Wireless Card
• Hopefully your internal wireless card works
– Centrino or Atheros cards generally work well
– Broadcom cards are a problem
• Can use an external wireless card if the internal card does not work
Determining What Wireless Type
• Look up the specs for your laptop
• Query the USB or PCI bus inside of Linux
– lspci – Linux command that lists the devices attached to the PCI bus; useful for gathering information on internal wireless cards
– lsusb – Linux command that lists the devices attached to the USB bus
Example lspci Output
Example lsusb Output
Card Selection
• Features to look for in an external card:
– 1) Atheros or Ralink RT73 chipset: must support RF monitor mode; LORCON support is recommended
– 2) External antenna connector
– 3) Form factor that matches your needs: PCMCIA/ExpressCard or USB
Getting the Card You Want
• Difficult to know what chipset a card uses
– Manufacturers change them all the time
• Pay close attention to model number and version
• Buy your card from a store with a hassle-free return policy
• Buy your card from a store that states the chipset
– Look for stores that cater to Linux users, wardrivers and wireless hackers
– www.netgate.com
Card Chipset Information
• Card chipset lists
– Atheros.rapla.net
– Ralink.rapla.net
– Broadcom.rapla.net – Avoid
– www.seattlewireless.net/index.cgi/HardwareComparison
• BackTrack website:
– wiki.remote-exploit.org/index.php/HCL:Wireless
• Aircrack-ng website:
– www.aircrack-ng.org/doku.php?id=compatibility_drivers
External Antennas
• Greatly increases performance
• Useful when:
– Performing audits from inside a vehicle
– Triangulating the location of an AP
– Measuring RF leakage from a building
• Antennas are tuned to work on specific frequencies
• Need to select antennas that are tuned to the frequency range being used
– 2.4 GHz is the most common: used by b, g and n networks; same frequency used by Bluetooth
– 5 GHz is needed for a and n networks
Types of Antennas
• Omni-directional
– Increases reception in all directions
– Magnetic mount omni-directional antennas are useful for mounting on cars
• Directional
– Focuses the signal like a spotlight
– Can be used to triangulate the location of a signal
Types of Directional Antennas
• Panel
– $20-40
– Typical gain 8-18 dBi
– Good for travel: compact, portable and hard to damage
• Yagi
– $30-50
– Typical gain 9-15 dBi
– Can be large
– Typically encased in PVC pipe to protect the antenna
• Parabolic dish
– $30 and up
– Very large
– Very high gain, 19-30 dBi
– Hard to transport
• Waveguide (cantennas)
– Around $50
– Typical gain 12 dBi
Antenna Recommendation
• Get two antennas
• Directional
– Either a panel or small yagi
• Omni-directional
– Magnetic mount is very helpful if you spend time doing surveys outside a building
• Good source: www.hyperlinktech.com
Pigtails and Adapters
• Pigtail – Converts the small connector on the card to the connector used on the antenna
• Do not buy cheap cables!
– Where most signal loss occurs
– Good quality pigtails cost around $10-20
– Only use cables designed for use in the 2.4 or 5 GHz range
• Pigtails should probably end in an N-Type male jack
– Most antennas have an N-Type female jack
• Good source: www.hyperlinktech.com
• Pictures of common Wi-Fi antenna connectors:
– wireless.gumph.org/content/3/7/011-cable-connectors.html
GPS
• Allows data to be placed onto a map for analysis
• Only get an NMEA compatible GPS
• Interface type:
– Serial: Does not require a driver and just about always works
– USB: Requires drivers, which can be tricky in Linux
– Bluetooth: Avoid because it operates in the 2.4 GHz spectrum
• If you run Linux and do not have a serial port, the safest option is a serial GPS and a USB-to-serial adaptor
– Buy a USB adaptor that is Linux friendly
DISCOVERING WIRELESS NETWORKS
Active Network Discovery
• Official way to find networks
• Client sends out a broadcast probe request looking for networks
• Client listens for beacon packets from APs
• Cons:
– Requires the client to be within transmission range of the AP
– Cannot find beaconless/hidden networks
• Pros:
– Every wireless card supports this method
– Does not require a card or driver that supports RF monitor mode
• Windows tools such as NetStumbler use active network discovery
Passive Network Discovery
• Card listens to the airwaves and extracts information about the networks in the area from the packets it sees
• Requires cards that support RF monitor mode
– Not all cards and drivers support RF monitor mode
• Pros:
– Client only needs to be within receiving range
– Can detect networks with the beacon turned off
– Can gain more information about the network
• Cons:
– Requires a card and driver that supports full RF monitor mode
– No free Windows program supports passive network discovery
Kismet
• http://www.kismetwireless.net/
• Passive scanner
• OS: Linux and other Unix systems
• Kismet is really two programs
– kismet_server: Collects the packets
– kismet_client: User interface
• Pros:
– Will find hidden networks
– GPS support
• Cons:
– Complicated installation and configuration
Kismet Classic Versus Newcore
• “Classic” is the present stable release of Kismet
• Kismet-newcore is a rewrite of Kismet
– Still under development
– Supports plugins (example: DECT support)
• Avoid newcore unless you have a specific reason to use it or like to tinker
Configuring Kismet
• Configuration file is usually located at /usr/local/etc/kismet.conf
• Specify suiduser (the non-root user Kismet drops to after it has opened the capture source)
– suiduser=<normal non-root user>
– Ex: suiduser=matt
• Packet source
– source=<driver,interface,name>
– Ex: source=madwifi_g,ath0,AtherosCard
• Skip these steps on BackTrack
– Use the -c flag when starting the server to tell it the packet source
– Ex: kismet_server -c madwifi_g,wifi0,CiscoCard
Source Settings - Driver
• Run airmon-ng to determine which driver your wireless card is using
– Part of the Aircrack-ng suite
– # airmon-ng
– $ sudo airmon-ng
Source Settings - Interface
• Run airmon-ng or iwconfig to see all the wireless interfaces
– # iwconfig
– $ iwconfig
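The three configuration steps above (find the interface, confirm its mode, write the suiduser and source lines) as one added shell example. This is not code from the slides or from the Kismet project: the iwconfig output is a constructed sample (on a real box you would pipe `iwconfig 2>/dev/null` into the same functions), the driver name madwifi_g and the user matt are the deck's own example values, and the check that suiduser is not root is the mistake Kismet's classic config most often trips on.

```shell
#!/bin/sh
# Added example (not from the slides). Constructed iwconfig output standing in
# for a laptop with one Atheros (madwifi) card; real output varies by driver.
SAMPLE_IWCONFIG='lo        no wireless extensions.

eth0      no wireless extensions.

ath0      IEEE 802.11g  ESSID:""  Nickname:""
          Mode:Managed  Frequency:2.437 GHz  Access Point: Not-Associated
          Bit Rate:0 kb/s   Tx-Power:18 dBm   Sensitivity=1/1

wifi0     no wireless extensions.'

# wireless_ifaces: interface names whose iwconfig block reports IEEE 802.11
# (interfaces with "no wireless extensions" are wired or virtual).
wireless_ifaces() {   # $1 = iwconfig text
  printf '%s\n' "$1" | awk '/^[a-z0-9]+ +IEEE 802\.11/ {print $1}'
}

# iface_mode: the Mode: value (Managed, Monitor, ...) for one interface.
# Kismet/airodump-ng need the card in Monitor mode; Managed is the normal
# client mode, which only sees traffic addressed to this station.
iface_mode() {   # $1 = iwconfig text, $2 = interface
  printf '%s\n' "$1" | awk -v i="$2" '
    $1==i {found=1; next}
    found && /Mode:/ {sub(/.*Mode:/, ""); sub(/ .*/, ""); print; exit}
    /^[a-z]/ {found=0}'
}

# kismet_source_lines: emit the two kismet.conf lines the deck describes,
# refusing root as suiduser and rejecting interface names that would break
# the comma-separated source= triple.
kismet_source_lines() {   # $1 = user, $2 = driver, $3 = interface, $4 = name
  if [ "$1" = root ] || [ -z "$1" ]; then
    echo "suiduser must be a normal non-root user" >&2
    return 1
  fi
  case "$3" in *,*|"") echo "bad interface name: '$3'" >&2; return 1;; esac
  printf 'suiduser=%s\nsource=%s,%s,%s\n' "$1" "$2" "$3" "$4"
}

# Stand-alone run: list the wireless interfaces, then print the config lines.
for i in $(wireless_ifaces "$SAMPLE_IWCONFIG"); do
  echo "$i is in $(iface_mode "$SAMPLE_IWCONFIG" "$i") mode"
done
kismet_source_lines matt madwifi_g ath0 AtherosCard
```

The output of the last call is exactly the pair of lines to paste into kismet.conf; on BackTrack the same triple goes after `kismet_server -c` instead. Note that with the madwifi driver the deck uses both the ath0 VAP and the wifi0 parent device as the interface; which one Kismet expects depends on the driver, so treat the interface name as a value to confirm with airmon-ng rather than something this script can decide for you.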
LAB: DISCOVERING AND ENUMERATING WIRELESS NETWORKS USING KISMET
Accessing the Lab Server
• Connect to wireless network
– Lab-Connect_Here
• Windows Telnet:
– Start -> Run -> cmd.exe
– telnet 192.168.10.102 -t vt100
• SSH (PuTTY or other SSH client)
– Connect to 192.168.10.102
• Once connected, log in
– Username: kismet
– Password: kismet
DEMO: AIRODUMP-NG
How to Tell if an AP is on Your Network
• Direction/Location
– GPS
– Use a directional antenna
• Connect to the network and check:
– If a traceroute shows the traffic traversing your network
– If you can contact an internal server
– DNS server address
• Do not rely on the assigned IP address
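The "connect and check" tests above, as an added shell example (not from the slides) that applies them to constructed `traceroute -n` output and resolv.conf contents. The address ranges 10.20. and 172.16. stand in for your corporate prefixes and are assumptions, as are the sample hop and nameserver addresses; the verdict deliberately needs both a hop inside corporate space and an internal resolver, since the DHCP-assigned address and gateway alone say nothing about where the AP is plugged in.

```shell
#!/bin/sh
# Added example (not from the slides). Constructed traceroute -n output and
# resolv.conf as they might look after joining an AP of unknown ownership.
SAMPLE_TRACEROUTE='traceroute to intranet.example.internal (10.20.5.15), 30 hops max
 1  192.168.1.1  2.1 ms
 2  10.20.0.1  4.7 ms
 3  10.20.5.15  5.0 ms'
SAMPLE_RESOLV='search example.internal
nameserver 10.20.0.53'

# hops_in_prefixes: traceroute hop addresses that fall inside the corporate
# prefixes given as dotted prefixes ("10.20. 172.16."), one per line.
hops_in_prefixes() {   # $1 = traceroute text, $2 = space-separated prefixes
  printf '%s\n' "$1" | awk -v pfx="$2" '
    BEGIN { n = split(pfx, p, " ") }
    /^ *[0-9]+ +[0-9.]+/ {
      for (i = 1; i <= n; i++) if (index($2, p[i]) == 1) { print $2; break }
    }'
}

# dns_is_internal: true when the first nameserver handed out to the client
# lives in a corporate prefix (a rogue or neighbor AP usually hands out its
# own router or an ISP resolver instead).
dns_is_internal() {   # $1 = resolv.conf text, $2 = prefixes
  ns=$(printf '%s\n' "$1" | awk '$1=="nameserver" {print $2; exit}')
  for p in $2; do
    case "$ns" in "$p"*) return 0;; esac
  done
  return 1
}

# ap_verdict: "on-network" only if traffic traverses corporate space AND the
# resolver is internal; anything less is "foreign" until proven otherwise.
ap_verdict() {   # $1 = traceroute text, $2 = resolv.conf text, $3 = prefixes
  hops=$(hops_in_prefixes "$1" "$3" | wc -l | tr -d ' ')
  if [ "$hops" -gt 0 ] && dns_is_internal "$2" "$3"; then
    echo on-network
  else
    echo foreign
  fi
}

ap_verdict "$SAMPLE_TRACEROUTE" "$SAMPLE_RESOLV" "10.20. 172.16."
```

Feed it the output of a real `traceroute -n <internal host>` and `cat /etc/resolv.conf` from the connected client and the same two functions apply; a "foreign" verdict still leaves the direction-finding step (GPS, directional antenna) to decide whether the AP is a neighbor's or a rogue inside your building.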
SECURITY RECOMMENDATIONS
General Security Recommendations
• Make the network difficult to find
– Limit AP power output
– Use RF shielding to prevent RF leakage
– Only use 802.11a APs
• Do not use hidden APs
– Could make it easier to attack your wireless Windows clients
– Windows prefers visible networks over hidden networks
– Attackers can trick users into connecting to a malicious AP
• MAC filtering
– Not recommended
– Easy to bypass and adds a lot of complexity in a large environment
– Minimal level of protection is generally not worth the effort
Wireless IDS
• Consider deploying a wireless IDS
• Can detect:
– De-auth attacks
– RTS/CTS denial-of-service attacks
– Rogue APs, both on and off your network
• Remember IDS is only detection and not prevention
• Be very careful with wireless IPS
– IPS system could end up attacking neighboring networks
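Two of the detections listed above, de-auth floods and rogue APs, as an added shell/awk example run over a constructed management-frame log (not from the slides, and not the logic of any particular wireless IDS product). The log format (epoch seconds, frame subtype, BSSID, destination), the 10-second bucket, the threshold and the authorized-BSSID list are all assumptions; a real sensor would feed frames from a monitor-mode capture into the same two rules.

```shell
#!/bin/sh
# Added example (not from the slides). Constructed management-frame log in the
# shape a monitor-mode sensor might record: time, subtype, BSSID, destination.
SAMPLE_LOG='1241500000 beacon 00:11:22:33:44:01 ff:ff:ff:ff:ff:ff
1241500001 deauth 00:11:22:33:44:01 ff:ff:ff:ff:ff:ff
1241500001 deauth 00:11:22:33:44:01 ff:ff:ff:ff:ff:ff
1241500001 deauth 00:11:22:33:44:01 ff:ff:ff:ff:ff:ff
1241500002 deauth 00:11:22:33:44:01 ff:ff:ff:ff:ff:ff
1241500002 deauth 00:11:22:33:44:01 ff:ff:ff:ff:ff:ff
1241500002 deauth 00:11:22:33:44:01 ff:ff:ff:ff:ff:ff
1241500003 deauth 00:11:22:33:44:02 aa:bb:cc:dd:ee:01
1241500040 beacon 00:11:22:33:44:02 ff:ff:ff:ff:ff:ff'

# BSSIDs of the APs you own (constructed). Anything else that beacons is a
# candidate rogue or neighbor AP; GPS and a directional antenna decide which.
AUTHORIZED_BSSIDS='00:11:22:33:44:01
00:11:22:33:44:09'

# deauth_alerts: count deauthentication frames per BSSID per 10-second bucket
# and report buckets above the threshold. A healthy AP sends a handful of
# deauths when clients leave; a flood of them (especially to the broadcast
# address) is the classic disconnect-everyone denial of service.
deauth_alerts() {   # $1 = log text, $2 = threshold (frames per 10 s)
  printf '%s\n' "$1" | awk -v thr="$2" '
    $2=="deauth" { key = $3 " " int($1/10)*10; c[key]++ }
    END { for (k in c) if (c[k] > thr) print k, c[k] }' | sort
}

# rogue_bssids: beaconing BSSIDs that are not on the authorized list.
rogue_bssids() {   # $1 = log text, $2 = authorized BSSIDs, one per line
  printf '%s\n' "$1" | awk -v auth="$2" '
    BEGIN { n = split(auth, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $2=="beacon" && !($3 in ok) && !seen[$3]++ { print $3 }'
}

echo "deauth floods (bssid bucket count):"
deauth_alerts "$SAMPLE_LOG" 5
echo "unauthorized beaconing BSSIDs:"
rogue_bssids "$SAMPLE_LOG" "$AUTHORIZED_BSSIDS"
```

Both rules only detect, which is the deck's point: an alert from rogue_bssids tells you to go find the AP, not to send frames at it, and that restraint is exactly what a wireless IPS lacks when it "contains" a network that turns out to belong to the company next door.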
Wireless Encryption and Authentication
• Do not use WEP
• Migrate from LEAP
– Known weaknesses and attack tools for LEAP
– If you cannot migrate from LEAP be sure you enforce a strong password policy
• Use WPA or WPA2
– Prefer WPA2
– Both can be secured fairly well
WPA-PSK Recommendations
• WPA-PSK (Pre-Shared Key)
• AKA WPA Home
• Choose a long and complex passphrase
– Prevents brute-force attacks from tools like Cowpatty
• Choose a unique SSID
– Prevents using pre-compiled tables to speed up brute-force attacks (the SSID is mixed into the key derivation, so a table only helps against the SSID it was built for)
WPA Enterprise Recommendations
• Generally more secure than WPA-PSK
– Also more complex
• Requires a RADIUS server
• Use an authentication type that provides mutual authentication
• With PEAP and EAP-TTLS ensure the client is properly configured
• Consider using two-factor authentication
Conclusion
• Kismet is a free tool that can be used to locate wireless networks
• Selecting the right card is critical when using Kismet
• Finding 802.11n Greenfield mode networks could be a challenge in the future
• Do not use WEP to secure a wireless network
• Use WPA2 Enterprise with multi-factor authentication
• Ensure the wireless client is properly configured and secured
QUESTIONS?
More Information:
www.SecureState.com
www.matthewneely.com
mneely@securestate.com