CMGT/441 Intro. to Information Systems Security Management

Post on 25-Feb-2016


Week #4. CMGT/441 Intro. to Information Systems Security Management. Hacking Wireless Networks. Philip Robbins – December 19, 2013. Information Technology, University of Phoenix Kapolei Learning Center.


Information Technology
University of Phoenix Kapolei Learning Center

Week #4


Hacking Wireless Networks

Philip Robbins – December 19, 2013

Topics
• Understanding Wireless Technology & Standards
• Tools
• Hacking WEP, WPA, WPA2
• Uncovering SSIDs
• Bypassing MAC Address Filtering
• De-Authentication & Mis-Association
• Review Q&A
• Quiz #4

Understanding Wireless Standards
• IEEE 802.11
– IEEE came up with the 802.11 standard for wireless Ethernet.
– OSI Layers 1 & 2
– 79 channels, 2.4 to 2.4835 GHz (USA)
– Half Duplex
– CSMA/CA (Avoidance) vs. CSMA/CD (Detection)
– Modulation Techniques
– Center Frequency & Channels for 2.4 GHz
– 4 Way Handshake
– 802.11 Standards

Tools
• Alfa AWUS036H WiFi Network Adapter
– 30dBm = 1W
• Netgear Wireless Router
– TARGET AP
– TARGET 192.168.1.1

Tools / Configuration
• “password”
• Forgot the password for your router? …or your neighbors?
• “password”
• WEP CONFIGURATION
• Authentication?
• WPA CONFIGURATION
• “password”

Tools
• Backtrack 5r3
– Ubuntu Linux distribution providing a comprehensive collection of security-related tools for digital forensics and pen testing use.
– http://www.backtrack-linux.org/downloads/
• AirSnort replacement.

Understanding Wireless Technology
• Wi-Fi Protected Access (WPA)
– Touted as a step up from WEP
– Weak passphrases render the protection inadequate
– False sense of security
– Network Sniffers
– TKIP vs. AES

Cracking WPA
– Can take a few hours to go through 1+ million keys…

Understanding Wireless Technology
• Wired Equivalent Privacy (WEP)
– Confidentiality
– Access Control
– Data Integrity
– In reality, none of these are actually enforced!
– Stream Cipher using XOR
– Keystream
– 64-bit Keyspace (2^64 keys)
– 128-bit Keyspace (2^128 keys)
– 40 bits, 24 bits

Cracking WEP

Bypassing MAC filtering

Review Questions

• Question #1

Which IEEE standard defines authentication and authorization in wireless networks?

a. 802.11
b. 802.11a
c. 802.11b
d. 802.11X

• Question #2

Which IEEE standard defines wireless technology?

a. 802.3
b. 802.5
c. 802.11
d. All 802 standards

• Question #3

Which wireless encryption standard offers the best security?

a. WPA2
b. WEP
c. SSL
d. WPA

• Question #4

What information can be gathered by wardriving?

a. SSIDs of wireless networks
b. Whether encryption is enabled
c. Whether SSL is enabled
d. Signal strength

• Question #5

What is a known weakness of wireless SSIDs?

a. They’re broadcast in cleartext
b. They’re difficult to configure
c. They use large amounts of bandwidth
d. They consume an excessive amount of computer memory

• Question #6

Wi-Fi Protected Access (WPA) was introduced in which IEEE 802 standard?

a. 802.11a
b. 802.11b
c. 802.11i
d. 802.11

• Question #7

What protocol was added to 802.11i to address WEP’s encryption vulnerability?

a. MIC
b. TKIP
c. TTL
d. EAP-TLS

• Question #8

Disabling SSID broadcasts must be configured on the computer and the AP. True or False?

a. TRUE
b. FALSE

• Question #9

The operating frequency range of 802.11a is 2.4 GHz. True or False?

a. TRUE
b. FALSE

• Question #10

What TKIP enhancement addressed the WEP vulnerability of forging packets?

a. Extended Initialization Vector (IV) with sequencing rules
b. Per-packet key mixing
c. Rekeying mechanism
d. Message Integrity Check (MIC)

• Question #11

Which EAP method requires installing digital certificates on both the server and client?

a. EAP-TLS
b. PEAP
c. EAP-SSL
d. EAP-CA

• Question #12 (last one)

Which spread spectrum method divides bandwidth into a series of frequencies called tones?

a. Frequency-hopping spread spectrum (FHSS)
b. Direct sequence spread spectrum (DSSS)
c. Spread spectrum frequency tonation (SSFT)
d. Orthogonal frequency division multiplexing (OFDM)

Questions?

philiprobbins@email.phoenix.edu
www2.hawaii.edu/~probbins
https://www.dorkatron.com/docs/CMGT441/