802.11 Security & Pen Testing - Wayne State University
Wireless Communications: Advantages & Disadvantages
• Makes communication possible where cables don't reach
• Convenience
• BUT
  • The air medium is open to everyone
  • The boundaries of a transmission cannot be confined
WiFi
• Commercial name of the protocol IEEE 802.11
• It is one of the most ubiquitous wireless networks
  • Home networks
  • Enterprise networks
• Communication is based on frames
  • Essentially a sequence of bits
  • 802.11 defines the meaning
  • Vendors implement the protocol
• 2.4 GHz Industrial Scientific Medical (ISM) and 5 GHz
• Range depends on transmission power, antenna type, the country, and the environment
  • Typical 100 ft
Channels
• The equipment can be set in only one channel at a time
• Each country has its own rules
  • Allowed bandwidth
  • Allowed power levels
• Stronger signal is preferred
Deployment Architectures
• Infrastructure
• P2P/Ad-hoc
802.11 Header Structure
Frame Types
• Management
  • Initialization, maintenance and finalization
• Control
  • Management of the data exchange
• Data
  • Encapsulation of information
• http://www.willhackforsushi.com/papers/80211_Pocket_Reference_Guide.pdf
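The two slides above (header structure and frame types) describe the fields a frame carries but give no decoder. The following is an added example, not code from the deck, that parses the 24-byte 802.11 MAC header (Frame Control type/subtype and flags, Duration, the three address fields, Sequence Control) and, for deauthentication/disassociation frames, the Reason Code in the body. The two sample frames are constructed for the example; the AP MAC 00:11:22:33:44:55 is made up.

```python
import struct

# Frame Control, first octet: bits 0-1 protocol version, 2-3 type, 4-7 subtype.
# Second octet carries the flags (To DS bit 0, From DS bit 1, Protected Frame bit 6).
TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}
MGMT_SUBTYPES = {
    0: "Association Request", 1: "Association Response", 4: "Probe Request",
    5: "Probe Response", 8: "Beacon", 10: "Disassociation",
    11: "Authentication", 12: "Deauthentication",
}
# A few standard Reason Code values carried by deauth/disassoc frame bodies.
REASON_CODES = {1: "Unspecified", 2: "Previous authentication no longer valid",
                3: "Station is leaving", 7: "Class 3 frame from nonassociated station"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> dict:
    """Decode the 24-byte MAC header shared by management and (3-address) data frames."""
    if len(frame) < 24:
        raise ValueError("need at least 24 bytes of MAC header")
    fc, flags = frame[0], frame[1]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype == 0:
        subtype_name = MGMT_SUBTYPES.get(subtype, f"reserved subtype {subtype}")
    else:
        subtype_name = f"subtype {subtype}"
    duration = struct.unpack_from("<H", frame, 2)[0]      # little-endian fields
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    return {
        "version": fc & 0x3,
        "type": TYPE_NAMES[ftype],
        "subtype": subtype,
        "subtype_name": subtype_name,
        "to_ds": bool(flags & 0x01),
        "from_ds": bool(flags & 0x02),
        "protected": bool(flags & 0x40),   # management frames here are never protected
        "duration": duration,
        "addr1": mac_str(frame[4:10]),     # receiver address
        "addr2": mac_str(frame[10:16]),    # transmitter address
        "addr3": mac_str(frame[16:22]),    # BSSID for management frames
        "fragment": seq_ctrl & 0xF,
        "sequence": seq_ctrl >> 4,
    }


def deauth_reason(frame: bytes):
    """Return (code, description) for a deauth/disassoc frame, None for anything else."""
    h = parse_header(frame)
    if h["type"] != "Management" or h["subtype"] not in (10, 12):
        return None
    code = struct.unpack_from("<H", frame, 24)[0]   # 2-byte Reason Code right after the header
    return code, REASON_CODES.get(code, "other")


# Constructed sample frames (not a real capture): a broadcast deauthentication
# and a beacon, both carrying the same (made-up) AP MAC as transmitter and BSSID.
AP_MAC = bytes.fromhex("001122334455")
BROADCAST = b"\xff" * 6
SAMPLE_DEAUTH = (b"\xc0\x00" + b"\x3a\x01" + BROADCAST + AP_MAC + AP_MAC
                 + b"\xd0\x07" + b"\x07\x00")          # seq 125, reason 7
SAMPLE_BEACON = b"\x80\x00" + b"\x00\x00" + BROADCAST + AP_MAC + AP_MAC + b"\x10\x00"

if __name__ == "__main__":
    for name, raw in (("deauth", SAMPLE_DEAUTH), ("beacon", SAMPLE_BEACON)):
        h = parse_header(raw)
        print(name, h["type"], h["subtype_name"], h["addr2"], "->", h["addr1"],
              "seq", h["sequence"], "protected", h["protected"])
    print("reason:", deauth_reason(SAMPLE_DEAUTH))
```

The `protected` flag is what a monitor should look at for management frames: the deck's later slides rely on deauth and beacon frames arriving with this bit clear, which is exactly why they can be forged.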
802.11 Security Modes: Open Access
• Open Access
  • No protection (whitelists)
802.11 Security Modes: WEP
• Based on RC4 encryption
• Broken
802.11 Security Modes: WPA/WPA2
• Based on AES
• Much more secure
• Current standard
Lab Setup
• External card
  • Alfa AWUS036H
  • Provides stronger signal
• AP
  • WNDR3700
  • WNR1000
  • Linksys WRT54GL
• OS
  • Kali Linux on VM
  • Software pen-testing tools
Deauthentication Frames
• Deauthentication frame is a management frame
  • Unencrypted
  • Can easily be spoofed
• Demands that all clients, or a specific client, drop to the unauthenticated/unassociated state
  • It is not a request; it must be accepted
  • The client will attempt to reconnect again
  • The attacker will repeat the process
• For a complete survey of 802.11 DoS attacks refer to [2]
Deauthentication Attack in Practice
• Most basic DoS attack
• Can target specific clients
  • More efficient
  • More stealthy
• Can be broadcast
  • More massive effect
• Cannot be avoided
• Decide the MAC of the victim
  • airmon-ng <interface>
• Transmit deauthentication frames
  • aireplay-ng -0 <quantity> -a <AP MAC Address> <interface>
• Task: Deauthenticate a specific client from the victim AP
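The deck's point that the attack "cannot be avoided" holds where Protected Management Frames (802.11w) are not in use, so on the defender's side the practical recourse is to notice it. The following is an added example, not part of the deck, showing the detection side of the two slides above: it runs over a list of already-decoded frame records (timestamp, type/subtype, receiver, transmitter, reason code) and raises one alert per transmitter whose deauth/disassoc rate crosses a threshold inside a sliding window. The capture it runs on is constructed for the example (a beaconing AP, one legitimate client departure, then a burst of broadcast deauths spoofed from the AP's MAC); the MAC addresses and the threshold of 10 frames per second are assumptions.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT, DISASSOC, DEAUTH = 0, 10, 12   # Frame Control type and subtypes


def detect_deauth_floods(frames, threshold=10, window=1.0):
    """Flag transmitters sending >= threshold deauth/disassoc frames within `window` seconds.

    frames: iterable of dicts with ts (seconds), type, subtype, addr1 (receiver),
    addr2 (transmitter) and reason. One alert is raised when a transmitter enters
    a burst; the transmitter is re-armed once its rate drops back under the threshold,
    so a sustained flood produces a single alert rather than one per frame.
    """
    recent = defaultdict(deque)   # transmitter -> deauth/disassoc frames in the window
    in_burst = set()
    alerts = []
    for f in sorted(frames, key=lambda x: x["ts"]):
        if f["type"] != MGMT or f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        tx = f["addr2"]
        q = recent[tx]
        q.append(f)
        while q and f["ts"] - q[0]["ts"] > window:   # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and tx not in in_burst:
            in_burst.add(tx)
            alerts.append({
                "ts": round(f["ts"], 3),
                "transmitter": tx,
                "count": len(q),
                # a broadcast receiver means every client of that BSSID is being kicked
                "broadcast": any(x["addr1"] == BROADCAST for x in q),
                "reasons": sorted({x["reason"] for x in q}),
            })
        elif len(q) < threshold:
            in_burst.discard(tx)
    return alerts


def make_sample_capture():
    """Constructed capture (not real traffic): beacons, one real departure, then a flood."""
    ap, client = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"   # made-up addresses
    frames = []
    for i in range(60):   # six seconds of beacons at the usual 100 ms interval
        frames.append({"ts": i * 0.1, "type": MGMT, "subtype": 8,
                       "addr1": BROADCAST, "addr2": ap, "reason": None})
    # A client leaving normally sends one deauth with reason 3 (station is leaving).
    frames.append({"ts": 0.55, "type": MGMT, "subtype": DEAUTH,
                   "addr1": ap, "addr2": client, "reason": 3})
    # Twenty broadcast deauths in 400 ms, transmitter spoofed as the AP.
    for i in range(20):
        frames.append({"ts": 5.0 + i * 0.02, "type": MGMT, "subtype": DEAUTH,
                       "addr1": BROADCAST, "addr2": ap, "reason": 7})
    return frames


if __name__ == "__main__":
    for a in detect_deauth_floods(make_sample_capture()):
        print(f"[{a['ts']:.2f}s] {a['count']} deauth/disassoc frames from {a['transmitter']}"
              f" broadcast={a['broadcast']} reasons={a['reasons']}")
```

The single legitimate deauth never trips the detector, which is the property to preserve: clients roam and power down all the time, so the signal is rate from one transmitter, not the presence of deauth frames. In a real deployment the records would come from a monitor-mode capture decoded with a parser like the one earlier on this page.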
Beacon Frames
• Advertise the presence of an AP in the area
• Transmitted every interval by the AP
• They contain important details about the AP
  • Name of the network (ESSID)
  • Security capabilities
• Beacons are management frames
  • No protection
  • One can forge (capture, copy, alter, transmit) such frames easily
• Forging beacons with a real ESSID but a fake BSSID may even result in DoS [3]
Evil Twin
• Fake AP with the same ESSID and MAC as the victim AP
  • Usually open
• Channel all the traffic of clients through it
  • Attacker will act as man-in-the-middle
  • Monitor traffic
  • Inject packets
• Most modern OSes will warn users
Evil Twin in Practice
• Deduce MAC address of victim AP
  • airodump-ng <wireless interface>
• Increase the power of your card
  • ifconfig <interface> down
  • iw reg set <region code>
  • ifconfig <interface> up
  • iw reg get
• Set up fake AP
  • airbase-ng -a <AP MAC> --essid <Name of network> -c <channel number> <wireless interface>
• Disconnect all users from valid AP
  • aireplay-ng -0 <quantity> -a <AP MAC> <wireless interface>
• Monitor traffic
  • wireshark &
• QUESTION: why not set region to USA?
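The Beacon Frames slide says beacons carry the ESSID and the security capabilities and can be forged with a real ESSID and a fake BSSID; the Evil Twin slides describe a fake AP reusing the victim's ESSID and MAC, usually open. Both cases leave the same trace on the air: beacons for an ESSID you own that disagree with what your real AP advertises. The following is an added example, not part of the deck, that learns a baseline (ESSID, BSSID, channel, advertised security) from a trusted capture and then audits later beacon records against it, flagging an unknown BSSID for a known ESSID, a known BSSID whose security capability changed (the same-MAC, now-open twin), or a known BSSID that moved channel. The beacon records, the network name CampusNet and all MAC addresses are constructed for the example; the security classification from the privacy bit and RSN element is a simplification that ignores WPA1 vendor elements.

```python
def classify_security(beacon):
    """Advertised security from Capability Info's privacy bit and presence of an RSN IE.
    Simplification (assumption): WPA1 vendor-specific IEs are not considered."""
    if beacon["rsn"]:
        return "WPA2/RSN"
    return "WEP" if beacon["privacy"] else "OPEN"


def learn_baseline(trusted_beacons):
    """ESSID -> {BSSID: (channel, security)} from beacons captured under known-good conditions."""
    baseline = {}
    for b in trusted_beacons:
        baseline.setdefault(b["essid"], {})[b["bssid"]] = (b["channel"], classify_security(b))
    return baseline


def audit_beacons(baseline, beacons):
    """Compare observed beacons with the baseline; one alert per distinct deviation."""
    alerts, seen = [], set()
    for b in beacons:
        if b["essid"] not in baseline:
            continue                       # somebody else's network, not our concern here
        sec = classify_security(b)
        key = (b["bssid"], b["channel"], sec)
        if key in seen:
            continue                       # same deviation already reported
        seen.add(key)
        known = baseline[b["essid"]]
        if b["bssid"] not in known:
            kind = "rogue BSSID for our ESSID"
        else:
            exp_chan, exp_sec = known[b["bssid"]]
            if sec != exp_sec:
                kind = f"security changed {exp_sec} -> {sec}"   # same MAC, now open: evil twin
            elif b["channel"] != exp_chan:
                kind = f"channel changed {exp_chan} -> {b['channel']}"
            else:
                continue                   # matches the baseline
        alerts.append({"ts": b["ts"], "bssid": b["bssid"], "essid": b["essid"],
                       "channel": b["channel"], "security": sec, "kind": kind})
    return alerts


# Constructed records (not a real capture). Made-up addresses and network name.
REAL_AP, TWIN_AP, OTHER_AP = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"


def beacon(ts, bssid, essid, channel, privacy, rsn):
    return {"ts": ts, "bssid": bssid, "essid": essid, "channel": channel,
            "privacy": privacy, "rsn": rsn}


TRUSTED = [beacon(i * 0.1, REAL_AP, "CampusNet", 6, True, True) for i in range(5)]
OBSERVED = (
    [beacon(10 + i * 0.1, REAL_AP, "CampusNet", 6, True, True) for i in range(5)]     # genuine
    + [beacon(10.05 + i * 0.1, REAL_AP, "CampusNet", 6, False, False) for i in range(3)]  # same MAC, open
    + [beacon(10.07 + i * 0.1, TWIN_AP, "CampusNet", 6, False, False) for i in range(2)]  # fake BSSID
    + [beacon(10.02, OTHER_AP, "Neighbor", 11, True, True)]                              # unrelated
)

if __name__ == "__main__":
    for a in audit_beacons(learn_baseline(TRUSTED), OBSERVED):
        print(f"[{a['ts']:.2f}s] {a['kind']}: {a['essid']} {a['bssid']} ch{a['channel']} {a['security']}")
```

Because the twin reuses the victim's MAC, BSSID alone cannot distinguish it; the beacon's security capability is the field that gives it away, which is also what the client-side warnings mentioned on the Evil Twin slide key on.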