PISA Workshop: Wireless LAN Security Live Demo
Supporting Organizations
Presented by PISA members
Mr. Alan Tam, CISSP, CCSI, ICI
Mr. Jim Shek, CISSP, CISA
Mr. Young, Wo Sang, CISSP, CISA
Mr. Marco Ho
27 July 2002
Table of Contents
1. WLAN War Driving in Hong Kong (Jim Shek)
2. WLAN Terms and Security Risks (Young, Wo Sang)
3. Demo I: Home made antenna, so easy! (Jim Shek)
4. Demo II: WEP Weakness and Cracking (Alan Tam)
5. Demo III: Protection from Sniffing by VPN Encryption (Marco Ho)
6. WLAN Protection Strategy (Young, Wo Sang)
7. Demo IV: Protection from Illegal Access with silent SSID (Marco Ho, Alan Tam)
8. The Powerful WLAN Tool: Kismet (Alan Tam)
1. War Driving in Hong Kong
Jim Shek
What is War Driving?
The concept of "war driving" is simple: you need a device capable of receiving an 802.11b signal, a device capable of moving around, and software that will log data from the second device whenever a network is detected by the first. You then move these devices from place to place, letting them do their job. Over time, you build up a database comprising the network name, signal strength, location, and IP range/namespace in use.
War Driving in Hong Kong
• Background:
  – Date: Jul 07, 2002
  – Time: 11:35am – 1:40pm
  – Weather: Isolated Showers
• Route: Admiralty MTR Station -> Pacific Place -> Tram (Admiralty to Kennedy Town) -> Tram (Kennedy Town to Causeway Bay)
• Equipment:
  – Notebook + Avaya Gold Wireless LAN card + Windows XP + NetStumbler
  – Notebook + Avaya Gold Wireless LAN card + Antenna + Windows 2000 + NetStumbler
• Notes:
  – The Scan Speed of NetStumbler was changed to Fastest.
• Participants:
  – PISA
War Driving in Hong Kong
• Result Overview:
  – Total Number of Discovered Access Points with antenna: 187
  – Total Number of Discovered Access Points without antenna: 52 (subset of above)
Chart 1: Antenna Power (28% of the APs were found without the antenna; the remaining 72% only with it)
War Driving in Hong Kong
• Result WEP Usage:
  – WEP Enabled: 43 (23%)
  – WEP Disabled: 144 (77%)
Chart 2: WEP Usage
War Driving in Hong Kong
• Result SSID Usage:
  – Default SSID: 77 (41%)
  – Non Default SSID: 87 (46%)
  – Unknown: 5 (3%)
  – Other*: 18 (10%)
Chart 3: SSID Usage
* Other means well-known SSID, i.e. PCCW & i-cable. Some of the Default SSID list is referenced from http://wlana.net/acc_point.htm
War Driving in Hong Kong
• Result Top SSIDs:
  – default: 27%
  – PCCW: 23%
  – Times_Square: 14%
  – WaveLAN Network: 9%
  – linksys: 6%
  – My Network: 6%
  – tsunami: 6%
  – HV24Ap1: 5%
  – IEEE 802.11 LAN: 4%
Chart 4: Top SSIDs
War Driving in Hong Kong
• Result Channel Distribution:
Chart 5: Channel ID Setting Behavior
Channel       :  1   2   3   4   5   6   7   8   9  10  11
Number of APs : 78   1  13   4   1  18   9   2   6  14  37
Default Channel ID (1, 6 or 11): 71%
Non Default Channel ID: 29%
War Driving in Hong Kong
• Interesting Observations: Building-to-Building WLAN
  – We discovered that the signals of two APs with the same SSID were very strong. These two APs stayed in the list for 3 minutes while the tram was moving.
War Driving in Hong Kong
• Interesting Observations: When the tram was stopped …
  – When the tram was stopped, the APs were easier to discover. One reason is that the software had a longer time to poll while within the effective range. This was particularly true for the machine used without the antenna.
War Driving in Hong Kong
• Interesting Observations: The Accessibility of APs
  – Some APs were accessible when the tram was stopped. We came across some places with APs ready for us to connect to. Below is the snapshot.
War Driving in Hong Kong
• 堅城中心 創業商場 西區警局 上環 MTR 世界書局
• 中銀保險 環球大廈 警察總站 大有商場 英皇中心 298
War Driving in Hong Kong
• Another Discovery in Taikoo Place – Background:
  – Date: Jul 05, 2002
  – Time: 03:00pm – 3:20pm
  – Route: Within Taikoo Place
  – Equipment: Notebook + Avaya Gold Wireless LAN card + Antenna + Windows 2000 + NetStumbler
  – Notes: The Scan Speed of NetStumbler was default (i.e. medium)
  – Participants: PISA
War Driving in Hong Kong
• Another Discovery in Taikoo Place – Overview:
  – Total No. of Discovered Access Points with antenna: 30
  – WEP Usage: WEP Enabled: 7 (23%); WEP Disabled: 23 (77%)
  – SSID Usage: Default SSID: 8; Non Default SSID: 14; Unknown: 2; Other*: 6 (Problem SSID: 47%)
  – Channel Distribution:
    Channel       :  1   3   5   6   7   8   9  11
    Number of APs : 17   1   2   4   1   1   1   3
    (Default Channel: 80%)
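The five charts above are all simple tallies over the NetStumbler log: WEP on/off, SSID class (default, well-known, non-default, unknown), "problem SSID" (default plus well-known), and default versus non-default channel. The following Python script, added here as an example and not part of the PISA handout or of NetStumbler, reproduces those tallies over a constructed set of sightings. It also collapses repeated sightings of one BSSID, which a scanner running at "Fastest" produces in quantity. The sighting records, the DEFAULT_SSIDS subset and the WELL_KNOWN_SSIDS set are assumptions made for the example, not the 2002 survey data.

```python
"""Summarise a war-driving survey the way Charts 1-5 of the handout do.

Added example, not code from the PISA handout or from NetStumbler. The
sightings below are constructed sample data, not the 2002 Hong Kong results,
and DEFAULT_SSIDS is an assumed short subset of the list the slides cite.
"""
from collections import Counter

# Assumed factory-default SSIDs (subset of http://wlana.net/acc_point.htm)
DEFAULT_SSIDS = {"default", "linksys", "tsunami", "WaveLAN Network",
                 "My Network", "IEEE 802.11 LAN"}
# "Other" on the slides: well-known carrier SSIDs, counted as a problem SSID
WELL_KNOWN_SSIDS = {"PCCW", "i-cable"}
# Channels 1, 6 and 11 are the usual factory defaults (and do not overlap)
DEFAULT_CHANNELS = {1, 6, 11}

# Constructed sightings: (bssid, ssid, channel, wep_enabled). A scanner logs
# an AP every time it is heard, so the same BSSID can appear more than once.
SURVEY = [
    ("00:02:2d:aa:00:01", "default",      1,  False),
    ("00:02:2d:aa:00:02", "linksys",      6,  False),
    ("00:02:2d:aa:00:03", "PCCW",         11, True),
    ("00:02:2d:aa:00:04", "CorpNet",      3,  True),
    ("00:02:2d:aa:00:05", "",             1,  False),   # SSID not seen: unknown
    ("00:02:2d:aa:00:06", "tsunami",      11, False),
    ("00:02:2d:aa:00:07", "Home-AP",      1,  False),
    ("00:02:2d:aa:00:08", "i-cable",      10, False),
    ("00:02:2d:aa:00:09", "Times_Square", 6,  True),
    ("00:02:2d:aa:00:0a", "default",      1,  False),
    ("00:02:2D:AA:00:01", "default",      1,  False),   # same AP heard again
]


def pct(part, whole):
    """Whole-number percentage, as printed on the charts."""
    return round(100 * part / whole) if whole else 0


def classify_ssid(ssid):
    if not ssid:
        return "unknown"
    if ssid in DEFAULT_SSIDS:
        return "default"
    if ssid in WELL_KNOWN_SSIDS:
        return "other"
    return "non_default"


def unique_aps(records):
    """Collapse repeated sightings: one entry per BSSID (case-insensitive)."""
    seen = {}
    for bssid, ssid, channel, wep in records:
        seen.setdefault(bssid.lower(), (bssid, ssid, channel, wep))
    return list(seen.values())


def summarise(records):
    aps = unique_aps(records)
    n = len(aps)
    kinds = Counter(classify_ssid(ssid) for _, ssid, _, _ in aps)
    wep_on = sum(1 for _, _, _, wep in aps if wep)
    channels = Counter(channel for _, _, channel, _ in aps)
    on_default_channel = sum(channels[c] for c in DEFAULT_CHANNELS)
    # "Problem SSID" on the Taikoo Place slide = default + well-known SSIDs
    problem = kinds["default"] + kinds["other"]
    return {
        "total_aps": n,
        "wep_enabled": (wep_on, pct(wep_on, n)),
        "wep_disabled": (n - wep_on, pct(n - wep_on, n)),
        "ssid": {k: (kinds[k], pct(kinds[k], n))
                 for k in ("default", "non_default", "other", "unknown")},
        "problem_ssid_pct": pct(problem, n),
        "channels": dict(sorted(channels.items())),
        "default_channel_pct": pct(on_default_channel, n),
    }


if __name__ == "__main__":
    for key, value in summarise(SURVEY).items():
        print(f"{key}: {value}")
```

Run it as a script to print the summary; on the constructed data it reports 10 unique APs, 30% with WEP, 60% problem SSIDs and 80% on a default channel. Dropping the duplicate-BSSID step would over-count the busiest APs, which is the main source of error when a scanner's raw log is tallied directly.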
2. Wireless LAN Terms and Security Risks
Young Wo Sang
What is Wireless LAN?
• It is a LAN
• Extension of Wired LAN
• Uses High Frequency Radio Waves (RF)
• Speed: 2Mbps to 54Mbps
• Distance: 100 feet to 15 miles
WLAN Terms & Basic Concept
• 802.11: IEEE family of specifications for WLANs, 2.4GHz, 2Mbps
• 802.11a: 5GHz, 54Mbps
• 802.11b: Often called Wi-Fi, 2.4GHz, 11Mbps
• 802.11e: QoS & Multimedia support for 802.11b & 802.11a
• 802.11g: 2.4GHz, 54Mbps
• 802.11i: An alternative to WEP
• 802.1x: A method of authentication and security for all Ethernet-like protocols
WLAN Terms & Basic Concept
• Access Point (AP): A device that serves as a communications "hub" for wireless clients and provides a connection to a wired LAN
• Beacon: Message transmitted at regular intervals by the APs. Used to maintain and optimize communications and to automatically connect to the AP
WLAN Terms & Basic Concept
• Ad Hoc Mode: Wireless client-to-client communication; the opposite is Infrastructure Mode
• Infrastructure Mode: A client setting providing connectivity to APs, as opposed to Ad Hoc Mode
WLAN Terms & Basic Concept
• SSID or BSSID: Basic Service Set Identifier
  (Figure: one AP sending beacons to several wireless clients)
  BSS: An AP forming an association with one or more wireless clients is referred to as a Basic Service Set
• ESSID: Extended Service Set Identifier
  (Figure: several APs with overlapping coverage areas)
  ESS: In order to increase the range and coverage of the wireless network, one needs to add more strategically placed APs to the environment to increase density. This is referred to as an Extended Service Set
WLAN Terms & Basic Concept
• WEP: optional cryptographic confidentiality algorithm
• Channel
WLAN Terms & Basic WLAN Terms & Basic ConceptConcept
• DSSS Channel
1 2 3 4 5 6 7 8 9 10 11
2.40
0
2.41
2
2.43
7
2.46
2
2.47
4
Frequency (GHz)
Channel 7
Channel 9
Channel 1 Channel 6 Channel 11
Channel 2
Channel 10Channel 5
Channel 4
Channel 3 Channel 8
WLAN Terms & Basic WLAN Terms & Basic ConceptConcept
• Channel
WLAN Terms & Basic WLAN Terms & Basic ConceptConcept
• DSSS Direct Sequence Spread Spectrum, a RF carrier
and pseudo-random pulse train are mixed to make
a noise like wide-band signal. • FHSS
Frequency Hopping Spread Spectrum, transmitting on one frequency for a certain time, then randomly jumping to another, and transmitting again.
Reading the Signal Strength
• dBm: Decibel referenced to 1 milliwatt into a 50Ω impedance (usually). dBm = 10 * log10(mW), e.g. 0 dBm = 1 mW
• Attenuation/gain revision: dB = 10 * log10(output / input). If output > input, then dB will be +ve; if output < input, then dB will be -ve
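The two formulas above are enough to read a scanner's signal column and to see why the antenna in Demo I changes the war-driving result so much. The Python functions below, added as an example and not part of the PISA handout, implement the dBm and dB definitions from the slide and then carry them into a link budget. The free-space path-loss formula, the sample transmitter (15 dBm into a 2 dBi AP antenna) and the -80 dBm receive floor are assumptions added here for illustration, not figures from the slides.

```python
"""dBm, dB gain and what antenna gain does to range.

Added example, not from the PISA handout. The dBm and dB formulas are the ones
on the slide; the free-space path-loss formula and the sample link budget
(15 dBm transmitter, 2 dBi AP antenna, -80 dBm receive floor) are assumptions
added here for illustration.
"""
import math


def mw_to_dbm(milliwatts):
    """dBm = 10 * log10(mW); 1 mW is 0 dBm."""
    return 10 * math.log10(milliwatts)


def dbm_to_mw(dbm):
    return 10 ** (dbm / 10)


def gain_db(output, input_):
    """dB = 10 * log10(output / input): positive for gain, negative for loss."""
    return 10 * math.log10(output / input_)


def snr_db(signal_dbm, noise_dbm):
    """Signal Level minus Noise Level, both in dBm, gives the SNR in dB."""
    return signal_dbm - noise_dbm


def fspl_db(distance_m, freq_mhz):
    """Free-space path loss (assumed standard formula; d in km, f in MHz)."""
    return 20 * math.log10(distance_m / 1000) + 20 * math.log10(freq_mhz) + 32.44


def received_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_mhz=2437):
    """Link budget: transmit power plus both antenna gains minus path loss."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_mhz)


def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, sensitivity_dbm, freq_mhz=2437):
    """Distance at which the received level falls to the receiver's floor."""
    budget = tx_dbm + tx_gain_dbi + rx_gain_dbi - sensitivity_dbm
    km = 10 ** ((budget - 20 * math.log10(freq_mhz) - 32.44) / 20)
    return km * 1000


def range_multiplier(extra_gain_db):
    """Every 6 dB of extra gain roughly doubles free-space range: 10 ** (dB / 20)."""
    return 10 ** (extra_gain_db / 20)


if __name__ == "__main__":
    print("0 dBm =", dbm_to_mw(0), "mW; 20 dBm =", dbm_to_mw(20), "mW")
    print("Doubling power =", round(gain_db(2, 1), 2), "dB")
    print("SNR for SL -70 dBm, NL -95 dBm =", snr_db(-70, -95), "dB")
    for rx_gain in (2, 6, 11):  # card alone, commercial 6 dB, home-made 11 dB
        print(f"rx antenna {rx_gain} dBi: range {max_range_m(15, 2, rx_gain, -80):.0f} m")
```

The range_multiplier function is the practical takeaway: gain adds to the link budget in dB, and because free-space loss grows with 20 * log10(distance), each extra 6 dB of antenna gain roughly doubles the distance at which an AP can still be heard, which is why a cheap high-gain antenna extends a war driver's reach (and an AP's exposure) so effectively.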
WLAN Terms & Basic Concept
• Signal Level & Noise Level
  (Figure: three pairs of bars comparing Signal Level (SL) with Noise Level (NL))
WLAN Risk
• Unauthorized Clients
  (Figure: a malicious client within range of the AP while the detector is out of range)
WLAN Risk
• Unauthorized or Renegade Access Points
• Interception and unauthorized monitoring of wireless traffic
• Client-to-Client Attacks
• Jamming (DoS)
  (Figure: a malicious station jamming the AP and attacking a client directly)
WLAN Risk - Fake Access Point
• Access Point Clone (Evil Twin): Traffic Interception
  (Figure: the legitimate AP1 beside its clone AP1*)
WLAN Risk
• Brute force attacks against access point passwords
• WEP weakness
• "Mis-configurations": SSIDs, SNMP Community (RO & RW), Administration (Web, Telnet, Serial), Installation
WLAN Risk
• Deployment: Internal Network?! DMZ?! Who can install an AP? When was it installed? Where are APs installed?
• Many $$ to secure the wired network; a user spends HK$2,000 to break it
WLAN Risk
• Low cost products are prevalent: limited features, insecure
• Accidental detection: the wireless card itself
3. Demo I
Home made antenna, so easy
Jim Shek
Home made antenna, so easy
• Use available material to hand-make an antenna, gain from 3dB to 11dB (Real Object Shown)
• Compared to a commercial antenna with gain 6dB, costing HKD600+
• Dimension is the key to success. Measurements are available via web search.
• With an antenna, the result of War Driving can be much improved, and so is the risk of your WLAN network being exposed to hacking!
4. Demo II
WEP Weakness and Cracking
Alan Tam
WEP Weakness
• Background
• Weakness in KSA/RC4
• Proof of Concept
• Some counter actions
The magic RFMON mode
• Property: Like promiscuous mode on wired networks; Listen (Receive) only; Also known as "Monitor Mode"
• Chipsets capable of RFMON (i.e. have their specification opened): Cisco Aironet; Intersil Prism2 based; Orinoco (well, not official)
What do Linux Hackers use?
• NIC drivers: wlan-ng 0.1.13+ with patch or 0.1.14pre?+; orinoco_cs 0.09b+ with patch
• Libpcap library with PF_PACKET interface patched to interpret 802.11b packets, for example 0.7.1 with patch
• Prism Driver & Orinoco Patch: ftp://ftp.linux-wlan.org/pub/linux-wlan-ng/ http://airsnort.shmoo.com/orinocoinfo.html
WEP
• Stands for Wired Equivalent Privacy
• Symmetric Encryption Algorithm: RC4
• Commercially claimed key size: 40 or 128 bit (as of April 2002)
• At the back:
  40 bit secret key + 24 bit IV = 64 bit packet key
  104 bit secret key + 24 bit IV = 128 bit packet key
  IV = Initialization Vector
Weaknesses in KSA of RC4
• Presented in a paper by Scott Fluhrer, Itsik Mantin, Adi Shamir
• Invariance weakness: Existence of a large class of weak keys
• IV weakness: Related key vulnerability
WEP Attack
• Invariance weakness: WEP packet distinguisher
• IV weakness: Exists in a commonly used mode of RC4
• Properties: Cryptanalytic Attack: generally faster than Brute-force Attack; Passive Ciphertext-only Attack: zero knowledge needed
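The "packet key" slide and the IV weakness are easiest to see with the construction in code. The Python below is an added example, not code from the PISA handout, the Fluhrer-Mantin-Shamir paper or any tool named on the slides: it implements RC4 (KSA and keystream generation) and the WEP frame format exactly as 802.11-1999 specifies, with the 24-bit IV sent in the clear and prepended to the secret to form the per-packet RC4 key. It then shows the structural consequence that needs no cryptanalysis at all: two frames encrypted under the same IV share a keystream, so XORing their ciphertexts yields the XOR of their plaintexts, and with only 2^24 IVs a busy AP is forced into such reuse within hours. The secret key, IVs and frame contents are constructed sample values.

```python
"""WEP packet keys, IV reuse and IV exhaustion.

Added example, not from the PISA handout, the FMS paper or any tool named on
the slides. RC4 and the IV||secret seeding are as 802.11-1999 specifies; the
secret key, IVs and frame bodies used below are constructed sample values.
"""
import zlib


def rc4_ksa(key):
    """Key-scheduling algorithm: the part of RC4 the FMS paper analyses."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key, length):
    """Pseudo-random generation: emits `length` keystream bytes."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_packet_key(iv, secret):
    """64- or 128-bit packet key = 24-bit IV || 40- or 104-bit secret."""
    if len(iv) != 3 or len(secret) not in (5, 13):
        raise ValueError("IV must be 3 bytes, secret 5 or 13 bytes")
    return iv + secret


def wep_encrypt(iv, secret, plaintext):
    """Frame body = IV (sent in clear) || RC4(plaintext || CRC-32 ICV)."""
    icv = (zlib.crc32(plaintext) & 0xFFFFFFFF).to_bytes(4, "little")
    body = plaintext + icv
    return iv + xor(body, rc4_keystream(wep_packet_key(iv, secret), len(body)))


def wep_decrypt(secret, frame):
    """Return the plaintext, or None if the ICV does not match (wrong key)."""
    iv, ciphertext = frame[:3], frame[3:]
    body = xor(ciphertext, rc4_keystream(wep_packet_key(iv, secret), len(ciphertext)))
    plaintext, icv = body[:-4], body[-4:]
    expected = (zlib.crc32(plaintext) & 0xFFFFFFFF).to_bytes(4, "little")
    return plaintext if icv == expected else None


def iv_reuse_leak(frame_a, frame_b):
    """Two frames under the same key and IV share a keystream; XORing the
    ciphertexts cancels it and leaves plaintext_a XOR plaintext_b.
    Returns None when the IVs differ (no reuse)."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor(frame_a[3:], frame_b[3:])


def iv_exhaustion_seconds(frames_per_second):
    """The 24-bit IV space is used up (and must start repeating) after 2**24 frames."""
    return 2 ** 24 / frames_per_second


if __name__ == "__main__":
    secret = bytes.fromhex("0102030405")          # constructed 40-bit secret
    iv = bytes.fromhex("0a0b0c")                   # constructed IV
    f1 = wep_encrypt(iv, secret, b"HELLO WORLD")
    f2 = wep_encrypt(iv, secret, b"SECRET MEMO")
    print("IV reuse leaks p1 XOR p2:", iv_reuse_leak(f1, f2)[:11].hex())
    print("AP at 1000 frames/s must repeat an IV within",
          round(iv_exhaustion_seconds(1000) / 3600, 1), "hours")
```

The key management point for a defender follows directly: the secret never changes, the IV is public and tiny, and the ICV is a CRC rather than a keyed MAC, so nothing in the frame format limits how much ciphertext an eavesdropper can collect under one key. That is the situation the later slides address with periodic rekeying and TKIP.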
Proof of Concept
• Adam Stubblefield, AT&T Labs: http://www.cs.rice.edu/~astubble/wep
• WEPCrack: http://sourceforge.net/projects/wepcrack
• Airsnort: http://airsnort.shmoo.com/
Case Study: Airsnort
• Maintained by The Shmoo Group
• An X-windows application
• Supported platforms: Cisco Aironet, Prism, Orinoco
• Requires approx. 5-10 million encrypted packets to break a key
TKIP
• Temporal Key Integrity Protocol; initially referred to as WEP2
• 128bit TK + 40 bit Client MAC; 16-octet IV; RC4 (still); TK changed every 10,000 packets
Reference
• Technical Knowledge: http://www.qsl.net/n9zia/wireless/index.html ; http://www.80211-planet.com/tutorials
• Access Points MAC addresses: http://aptools.sourceforge.net/
• Linux Resources: http://www.hpl.hp.com/personal/Jean_Tourrilhes/index.html ; http://lists.samba.org/listinfo/wireless ; http://airtraf.sourceforge.net/
5. Demo III
Securing Wireless Networks by VPN
Marco Ho
Secure Protocols for Encryption
(Figure: protocol stacks of the wireless client, the router and the wired server. The wireless side is Application / Transport (TCP, UDP) / Network (IP) / 802.11b Link / 802.11b Physical; the wired side is Application / Transport (TCP, UDP) / Network (IP) / Ethernet Link / Ethernet Physical. WEP covers only the 802.11b link and physical layers between the client and the router, whereas SSL or a VPN sits above the network layer and runs end to end across the router.)
Network Level Encryption (VPN)
Advantages
• Encryption of multiple protocols
• Hides the network routing (with proper configuration)
Choices
1. PPTP
  • Comes with W2K RRAS
  • Simpler and easier to configure
2. IPSec
  • More secure
  • Microsoft: IPSec over L2TP using 3DES
  • Use certificates (instead of pre-shared keys) to further improve the security: mutual authentication
Real Life Demo with PPTP
• VPN Server: Microsoft VPN Server (RRAS+PPTP)
• Encryption: MPPE 128 (Microsoft Point-to-Point Encryption)
• Authentication: MS-CHAP V2
Remark: WEP turned off for demonstration purposes
Sniffing Tools
• Two sniffing tools used to capture traffic packet contents:
  Ethereal
  • Freeware available on Linux and Win32 platforms
  Iris
  • Commercial product, 15-day evaluation available
  • Strong decode function to ease protocol session tracking
Without VPN Encryption
(Figure: AP at IP 10.0.0.1 with No WEP; Sniffer at IP 10.0.0.15; FTP Client "A" at IP 10.0.0.20; FTP Server "B" at IP 10.0.0.25. "A" FTPs to "B" and every segment carries clear text, so the sniffer reads the whole session.)
With VPN Encryption
(Figure: AP at IP 10.0.0.1 with No WEP; Sniffer at IP 10.0.0.15; VPN Client and FTP Client "A" at IP 10.0.0.20; VPN Gateway "C" running the VPN Server (PPTP), with wireless IP 10.0.0.10 and Ethernet IP 192.168.1.230; FTP Server "D" at IP 192.168.1.254. "A" FTPs to "D" through the VPN: the wireless segment seen by the sniffer is encrypted, and clear text appears only on the Ethernet segment behind the VPN gateway.)
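The two diagrams make one point: the sniffer at 10.0.0.15 reads FTP credentials off the open wireless segment, but once the same session is carried inside the PPTP tunnel to the gateway it only sees GRE packets whose MPPE-encrypted payload it cannot decode. The Python below, added here as an example and not part of the PISA handout, Ethereal or Iris, runs a small clear-text credential check over two constructed captures that mirror the demo: the "A FTP to B" control session, and the same login tunnelled to the VPN gateway. Both captures, the packet tuple format and the opaque GRE payload bytes (standing in for MPPE ciphertext) are assumptions made for the example.

```python
"""What the sniffer in the two demo diagrams can actually read.

Added example, not from the PISA handout, Ethereal or Iris. Both captures are
constructed: the first mimics the "A FTP to B" session on the open wireless
segment, the second the same login carried inside the PPTP tunnel to the VPN
gateway, whose GRE payload is MPPE-encrypted and so opaque to the sniffer.
"""

# (src, dst, protocol, payload) as a sniffer on 10.0.0.15 would capture them
CAPTURE_WITHOUT_VPN = [
    ("10.0.0.25", "10.0.0.20", "TCP/21", b"220 FTP server ready\r\n"),
    ("10.0.0.20", "10.0.0.25", "TCP/21", b"USER alice\r\n"),
    ("10.0.0.25", "10.0.0.20", "TCP/21", b"331 Password required for alice\r\n"),
    ("10.0.0.20", "10.0.0.25", "TCP/21", b"PASS s3cret-pw\r\n"),
    ("10.0.0.25", "10.0.0.20", "TCP/21", b"230 User alice logged in\r\n"),
]
# Same login, but "A" (10.0.0.20) now talks only to the VPN gateway (10.0.0.10);
# the GRE payloads are constructed non-text bytes standing in for MPPE ciphertext
CAPTURE_WITH_VPN = [
    ("10.0.0.20", "10.0.0.10", "GRE", bytes(range(0x80, 0xA0))),
    ("10.0.0.10", "10.0.0.20", "GRE", bytes(range(0x00, 0x20))),
    ("10.0.0.20", "10.0.0.10", "GRE", bytes(range(0xE0, 0x100))),
]


def find_ftp_credentials(capture):
    """Pair USER/PASS commands per client->server flow in clear-text FTP control traffic."""
    pending = {}
    creds = []
    for src, dst, proto, payload in capture:
        if proto != "TCP/21":
            continue
        line = payload.decode("ascii", "replace").strip()
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            pending[(src, dst)] = arg
        elif verb.upper() == "PASS" and (src, dst) in pending:
            creds.append({"client": src, "server": dst,
                          "user": pending.pop((src, dst)), "password": arg})
    return creds


def readable_fraction(capture):
    """Share of packets whose payload is printable text, i.e. not tunnelled ciphertext."""
    def printable(data):
        return all(32 <= byte < 127 or byte in (10, 13) for byte in data)
    return sum(1 for *_, payload in capture if printable(payload)) / len(capture)


if __name__ == "__main__":
    for name, capture in (("without VPN", CAPTURE_WITHOUT_VPN), ("with VPN", CAPTURE_WITH_VPN)):
        print(f"{name}: {readable_fraction(capture):.0%} readable,",
              f"credentials found: {find_ftp_credentials(capture)}")
```

Running the same check against a capture of your own test session is a quick way to confirm that a VPN client is actually routing the traffic through the tunnel rather than sending it directly to the server in the clear.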
6. Wireless LAN Protection Strategies
Young, Wo Sang
Recommendation (I)
• Wireless LAN related Configuration
  – Enable WEP, use 128bit key*
  – Drop non-encrypted packets
  – Disable SSID Broadcasts
  – No SNMP access
  – Choose complex admin password
  – Enable firewall function
  – Use MAC (hardware) address to restrict access
  – Non-default Access Point password
  – Change default Access Point Name
  – Use 802.1x [warning]
  (Figure: EAP Enable Authentication)
Recommendation (II)
• Deployment Consideration
  – Closed Network*
  – Treat Wireless LAN as external network
  – VPN & Use strong encryption
  – No DHCP (use fixed private IP)
  – Install in a Separated Network
Recommendation (III)
• Always (wired or wireless)
  – Install virus protection software plus automatic frequent pattern file update
  – Shared folders must impose a password
• Management Issue
  – Prohibit installing APs without authorization
  – Discover any new APs constantly (NetStumbler is free, Antenna is cheap)
  – Power off ADSL Modem when Internet access is not required
  – Carefully select the physical location of your AP, not near windows or front doors.
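Recommendation (I) is a checklist, and a checklist is easiest to apply consistently as code. The Python below, added as an example and not part of the PISA handout, audits an AP configuration against each item on that slide and reports findings by severity. The configuration dictionary, its field names, the default-password and SNMP-community lists and both sample configurations are assumptions made for the example; real APs expose these settings through their own vendor utilities or SNMP, and DEFAULT_SSIDS is a short subset of the list the war-driving slides cite.

```python
"""Check an access point's settings against Recommendation (I).

Added example, not from the PISA handout. The configuration dictionary, its
field names and both sample configurations are assumptions made for this
example; real APs expose these settings through their own vendor utilities.
"""

# Assumed lists used by the checks (DEFAULT_SSIDS is a subset of the slides' source)
DEFAULT_SSIDS = {"default", "linksys", "tsunami", "WaveLAN Network",
                 "My Network", "IEEE 802.11 LAN"}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password"}


def password_is_complex(pw):
    """At least 8 characters drawn from 3 of: lower, upper, digit, other."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= 8 and sum(classes) >= 3


def audit(cfg):
    """Return (severity, finding) pairs; an empty list means every check passed."""
    findings = []
    if not cfg.get("wep_enabled", False):
        findings.append(("HIGH", "WEP is disabled; enable WEP with a 128-bit key"))
    elif cfg.get("wep_key_bits", 0) < 128:
        findings.append(("MEDIUM", f"WEP key is {cfg.get('wep_key_bits', 0)}-bit; use a 128-bit key"))
    if cfg.get("accept_unencrypted", True):
        findings.append(("HIGH", "AP accepts non-encrypted packets; drop them"))
    if cfg.get("ssid_broadcast", True):
        findings.append(("MEDIUM", "SSID broadcast is on; disable it"))
    if cfg.get("ssid", "") in DEFAULT_SSIDS:
        findings.append(("MEDIUM", f"SSID '{cfg.get('ssid')}' is a factory default; change the AP name"))
    if cfg.get("snmp_enabled", False):
        communities = set(cfg.get("snmp_communities", {}).values())
        if communities & DEFAULT_SNMP_COMMUNITIES:
            findings.append(("HIGH", "SNMP enabled with default community strings; disable SNMP access"))
        else:
            findings.append(("MEDIUM", "SNMP access enabled; disable it unless required"))
    pw = cfg.get("admin_password", "")
    if pw in DEFAULT_ADMIN_PASSWORDS or not password_is_complex(pw):
        findings.append(("HIGH", "Admin password is default or not complex; choose a complex password"))
    if not cfg.get("firewall_enabled", False):
        findings.append(("MEDIUM", "Firewall function is off; enable it"))
    if not cfg.get("mac_filter"):
        findings.append(("LOW", "No MAC address restriction; allow only known hardware addresses"))
    if not cfg.get("dot1x", False):
        findings.append(("LOW", "802.1x not used (see the 802.1x warning before relying on it alone)"))
    return findings


# Constructed sample configurations: a factory-fresh AP and a hardened one
OUT_OF_THE_BOX = {
    "ssid": "default", "wep_enabled": False, "accept_unencrypted": True,
    "ssid_broadcast": True, "snmp_enabled": True,
    "snmp_communities": {"ro": "public", "rw": "private"},
    "admin_password": "admin", "firewall_enabled": False, "mac_filter": [], "dot1x": False,
}
HARDENED = {
    "ssid": "pisa-lab-7f", "wep_enabled": True, "wep_key_bits": 128,
    "accept_unencrypted": False, "ssid_broadcast": False, "snmp_enabled": False,
    "admin_password": "Tr4m-K3nnedy!", "firewall_enabled": True,
    "mac_filter": ["00:02:2d:aa:00:01"], "dot1x": True,
}

if __name__ == "__main__":
    for name, cfg in (("out of the box", OUT_OF_THE_BOX), ("hardened", HARDENED)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for severity, text in findings:
            print(f"  [{severity}] {text}")
```

The out-of-the-box configuration fails every item; the hardened one passes all of them. The severities are a judgement added for the example: items that leave traffic readable or give an attacker control of the AP (no WEP, unencrypted packets accepted, default SNMP communities, default admin password) rank above the items that only reduce exposure.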
The [warning] of 802.1x
• Session hijacking: the attacker waits until a client has successfully authenticated, then acts as the AP and tells the client "you are disconnected"; the AP thinks that the client still exists
• Man-in-the-middle attack: 802.1x is a one-way authentication mechanism; the attacker acts as an AP to the client and as a user to the AP.
Reference: http://www.infoworld.com/articles/hn/xml/02/02/14/020214hnwifispec.xml
The workaround to the [warning] of 802.1x
• Vendor Proprietary Implementation: "rekeying" of WEP
• "Standard": TKIP or Temporal Key Integrity Protocol changes the encryption key about every 10,000 packets
7. Demo IV
Silent WLAN Access Point
Marco Ho & Alan Tam
Disabling SSID insertion
• Method 1: Vendor Utility; it may use HTTP or SNMP to set the SSID
• Method 2: Use AP Utility running under Linux, http://ap-utils.polesye.net/ ; manages the AP by SNMP. Supported Platforms:
  • ATMEL chipset (e.g. Linksys WAP11, D-Link DWL-900AP, PCi AP-11S)
  • NWN chipset (e.g. Compex WavePort WP11)
8. The Powerful WLAN Tool: Kismet
• http://www.kismetwireless.net/
• Network sniffer
• Client server architecture
• Cryptographically weak packet logging
• Used by German federal authorities (26 July 2002)
• Platforms: Intel iPaq/ARM, Zaurus/ARM
Contributors
The workshop was jointly presented by PISA members
Alan Tam [email protected]
Jim Shek [email protected]
Marco Ho [email protected]
Young, Wo Sang [email protected]
On 27 July 2002, the eve of PISA 1st anniversary of establishment
Remark
Another valuable presentation on the theoretical part: PISA seminar "Critical Security Issues on Wireless LAN" by Ray Hunt, 13 June 2002, http://www.pisa.org.hk/event/wlan_sec.pdf
Copyright
Professional Information Security Association (PISA) owns the copyright of the presentation. Any party can quote the whole or part of this presentation in an undistorted manner and with a clear reference to PISA.
Disclaimer
This is the handout of a presentation workshop. The points made here are kept concise for the purpose of presentation. If you require details of tests and implementation, please refer to the technical references.