Ethical hacking Chapter 11 - Exploiting Wireless Networks - Eric Vanderburg
- 2. Objectives
Explain wireless technology
Describe wireless networking standards
Describe the process of authentication
Describe wardriving
Describe wireless hacking and tools used by hackers and
security professionals
- 3. Understanding Wireless
Technology
For a wireless network to function, you must have the right
hardware and software
Wireless technology is part of our lives
Baby monitors
Cell and cordless phones
Pagers
GPS
Remote controls
Garage door openers
Two-way radios
Wireless PDAs
- 4. Components of a Wireless
Network
A wireless network has only three basic components
Access Point (AP)
Wireless network interface card (WNIC)
Ethernet cable
- 5. Access Points
An access point (AP) is a transceiver that connects to an
Ethernet cable
It bridges the wireless network with the wired network
Not all wireless networks connect to a wired network
Most companies have WLANs that connect to their wired network
topology
The AP is where channels are configured
An AP enables users to connect to a LAN using wireless
technology
An AP is available only within a defined area
- 6. Service Set Identifiers (SSIDs)
Name used to identify the wireless local area network (WLAN)
The SSID is configured on the AP
Up to 32 bytes long; the standard allows any byte values, although most APs accept only printable characters
Name is case sensitive
Wireless computers need to configure the SSID before
connecting to a wireless network
SSID is carried in management frames: beacons, probe requests and responses, and association requests (data frames carry the BSSID, the AP's MAC address, instead)
Identifies which network a beacon belongs to or a station wants to join
The AP usually broadcasts the SSID in its beacons
- 7. Service Set Identifiers (SSIDs)
(continued)
Many vendors have SSIDs set to a default value that
companies never change
An AP can be configured to omit its SSID from beacons (a "hidden" or "cloaked" SSID)
This only removes the name from beacons; clients still send it in the clear in probe and association requests, so a passive sniffer learns it as soon as any client joins
Wireless hackers can also simply guess common or default SSIDs
Verify that your clients or customers are not using a default SSID
- 8. Configuring an Access Point
Configuring an AP varies depending on the hardware
Most devices allow access through any Web browser
Steps for configuring a D-Link wireless router
Enter IP address on your Web browser and provide your user logon
name and password
After a successful logon you will see the device’s main window
Click on Wireless button to configure AP options
SSID
Wired Equivalent Privacy (WEP) keys (obsolete; choose WPA2 with AES where the device supports it)
- 9. Configuring an Access Point
(continued)
Steps for configuring a D-Link wireless router (continued)
Turn off SSID broadcast
Disabling SSID broadcast is not enough to protect your WLAN: the name still travels in the clear in client probe and association requests
You must also change the default SSID, and rely on encryption and authentication rather than on obscurity
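How a passive sniffer recovers a "hidden" SSID, as an added example that is not part of the original slides: a parser for the tagged elements of 802.11 beacon and probe-request frames, run on two frames constructed inline. The AP and client MAC addresses and the network name corp-wifi are made-up values.

```python
"""Extract the SSID element from 802.11 beacon and probe-request frames.

Added example, not from the slides. Frames are constructed inline; the
addresses (02:00:00:00:00:01, :02) and the SSID "corp-wifi" are made up.
"""
import struct

FRAME_TYPE_MGMT = 0
SUBTYPE_PROBE_REQUEST = 4
SUBTYPE_BEACON = 8
ELEMENT_ID_SSID = 0
ELEMENT_ID_RATES = 1
CAP_PRIVACY = 0x0010          # capability bit 4: WEP/WPA in use

# Bytes of fixed parameters that precede the tagged elements in the body:
# beacon = timestamp(8) + beacon interval(2) + capabilities(2); probe request = none.
FIXED_PARAMS = {SUBTYPE_BEACON: 12, SUBTYPE_PROBE_REQUEST: 0}

AP = bytes.fromhex("020000000001")          # constructed AP / BSSID
CLIENT = bytes.fromhex("020000000002")      # constructed client station
BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(subtype: int, sa: bytes, bssid: bytes, ssid: bytes, privacy: bool = False) -> bytes:
    """Minimal 802.11 management frame: 24-byte header, fixed params, SSID and rates elements."""
    frame_control = struct.pack("<H", subtype << 4)            # type 0 (management)
    header = frame_control + b"\x00\x00" + BROADCAST + sa + bssid + b"\x00\x00"
    body = b""
    if subtype == SUBTYPE_BEACON:
        caps = 0x0001 | (CAP_PRIVACY if privacy else 0)        # ESS + optional privacy bit
        body += struct.pack("<QHH", 0, 100, caps)
    body += bytes([ELEMENT_ID_SSID, len(ssid)]) + ssid
    body += bytes([ELEMENT_ID_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbps
    return header + body


def parse_mgmt_frame(frame: bytes) -> dict:
    """Return subtype, source, BSSID, privacy bit and SSID of a beacon or probe request."""
    frame_control = struct.unpack("<H", frame[:2])[0]
    ftype, subtype = (frame_control >> 2) & 0x3, (frame_control >> 4) & 0xF
    if ftype != FRAME_TYPE_MGMT or subtype not in FIXED_PARAMS:
        raise ValueError("not a beacon or probe request")
    sa, bssid = frame[10:16], frame[16:22]
    body = frame[24:]
    privacy = None
    if subtype == SUBTYPE_BEACON:
        privacy = bool(struct.unpack("<H", body[10:12])[0] & CAP_PRIVACY)
    # Tagged elements: repeated (id, length, value) triples until the body ends.
    elements, pos, ssid = body[FIXED_PARAMS[subtype]:], 0, None
    while pos + 2 <= len(elements):
        eid, length = elements[pos], elements[pos + 1]
        value = elements[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated element")     # malformed frames are common in the wild
        if eid == ELEMENT_ID_SSID:
            ssid = value    # length 0 (or all NUL bytes) in a beacon = "hidden" SSID
        pos += 2 + length
    return {"subtype": subtype, "sa": mac_str(sa), "bssid": mac_str(bssid),
            "privacy": privacy, "ssid": ssid}


def demo():
    """A cloaked beacon leaks nothing, but the client's probe request names the network."""
    hidden_beacon = build_frame(SUBTYPE_BEACON, AP, AP, b"", privacy=True)
    probe_request = build_frame(SUBTYPE_PROBE_REQUEST, CLIENT, BROADCAST, b"corp-wifi")
    return parse_mgmt_frame(hidden_beacon), parse_mgmt_frame(probe_request)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

With a real capture, feed each frame's bytes (pcap link type 105, or 127 with the radiotap header stripped) to parse_mgmt_frame; to cover probe responses and association requests, which carry the SSID element too, add their fixed-parameter sizes (12 and 4 bytes) to FIXED_PARAMS.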
- 10. Wireless NICs
For wireless technology to work, each node or computer must have
a wireless NIC
NIC's main function
Converting the radio waves it receives into digital signals the computer understands, and modulating outgoing data onto radio waves
There are many wireless NICs on the market
Choose yours depending on how you plan to use it
Some tools require specific chipsets or drivers, for example ones that support monitor mode (capturing all frames without associating) and packet injection
- 11. Understanding Wireless Network
Standards
A standard is a set of rules formulated by an organization
Institute of Electrical and Electronics Engineers (IEEE)
Defines several standards for wireless networks
- 12. Institute of Electrical and
Electronics Engineers (IEEE)
Working group (WG)
A group of people from the electrical and electronics industry that meet to create a standard
Sponsor Executive Committee (SEC)
Group that reviews and approves proposals of new standards
created by a WG
Standards Review Committee (RevCom)
Recommends proposals to be reviewed by the IEEE Standards
Board
IEEE Standards Board
Approves proposals to become new standards
- 13. The 802.11 Standard
The first IEEE WLAN standard, ratified in 1997
Defined wireless connectivity at 1 Mbps and 2 Mbps within a LAN
Applies to layers 1 and 2 of the OSI model
Wireless stations cannot detect collisions (a radio cannot listen for other transmitters while it is transmitting on the same channel)
Carrier sense multiple access/collision avoidance (CSMA/CA) is therefore used instead of Ethernet's CSMA/CD
Wireless LANs do not have an address associated with a physical
location
An addressable unit is called a station (STA)
- 14. The Basic Architecture of 802.11
802.11 uses a basic service set (BSS) as its building block
Computers within a BSS can communicate with each other
To connect two BSSs, 802.11 requires a distribution system (DS) as an
intermediate layer
An access point (AP) is a station that provides access to the DS
Data moves between a BSS and the DS through the AP
- 15. The Basic Architecture of 802.11
(continued)
IEEE 802.11 also defines the operating frequency range of 802.11
In the United States, it is 2.400 to 2.4835 GHz
Each band is divided into channels
A channel is a frequency range within the band
The original 802.11 FHSS PHY defines 79 hopping channels of 1 MHz each; the DSSS PHY used by 802.11b/g defines 14 channels spaced 5 MHz apart, each about 22 MHz wide
Adjacent DSSS channels therefore overlap, and overlapping channels interfere
- 16. The Basic Architecture of 802.11
(continued)
Other terms
Wavelength
Frequency
Cycle
Hertz or cycles per second
Bands
- 17. An Overview of Wireless
Technologies Infrared (IR)
Infrared light can’t be seen by the human eye
IR technology is restricted to a single room or line of sight
IR light cannot penetrate walls, ceilings, or floors
Narrowband
Uses microwave radio band frequencies to transmit data
Popular uses
Cordless phones
Garage door openers
- 18. An Overview of Wireless
Technologies (continued)
Spread Spectrum
Modulation defines how data is placed on a carrier signal
Data is spread across a large-frequency bandwidth instead of
traveling across just one frequency band
Methods
Frequency-hopping spread spectrum (FHSS)
Direct sequence spread spectrum (DSSS)
Orthogonal frequency division multiplexing (OFDM), a multicarrier modulation that is grouped with spread spectrum here although it does not spread a single carrier
- 19. IEEE Additional 802.11 Projects
802.11a
Created in 1999
Operates in the 5 GHz U-NII bands instead of 2.4 GHz, so it does not interfere with 802.11b/g
Data rate increased from 11 Mbps to 54 Mbps (actual throughput is lower than the signaling rate)
Bands or frequencies
Lower band (U-NII-1): 5.15 to 5.25 GHz
Middle band (U-NII-2): 5.25 to 5.35 GHz
Upper band (U-NII-3): 5.725 to 5.825 GHz
- 20. IEEE Additional 802.11 Projects
(continued)
802.11b
Operates in the 2.4 GHz range
Data rate increased from 1 or 2 Mbps to 11 Mbps
Also referred to as Wi-Fi, the Wi-Fi Alliance's certification brand ("wireless fidelity" is a later backronym, not the official expansion)
14 channels are defined, 11 of which may be used in the United States; they overlap, so
Effectively only three channels (1, 6, and 11) can be used in combination without overlapping
Uses Wired Equivalent Privacy (WEP), which was defined in the original 802.11 standard; 802.11b products were the first mass-market devices to ship it
- 21. IEEE Additional 802.11 Projects
(continued)
802.11e
Adds quality of service (QoS) to the 802.11 MAC: traffic classes with different access priorities so that voice and video are not starved by bulk data
Interference avoidance in the 5 GHz band (dynamic frequency selection and transmit power control) is the subject of 802.11h, not 802.11e
802.11g
Operates in the 2.4 GHz range
Uses OFDM for modulation
Throughput increased from 11 Mbps to 54 Mbps
- 22. IEEE Additional 802.11 Projects
(continued)
802.11i
Ratified in 2004; defines the Robust Security Network: 802.1X/EAP authentication, TKIP as a stopgap for existing WEP hardware, and CCMP (AES) as the long-term cipher
Wi-Fi Protected Access (WPA) is the Wi-Fi Alliance's interim certification based on draft 802.11i (TKIP); WPA2 certifies the final standard with CCMP
Corrected the security vulnerabilities of WEP
802.15
Addresses networking devices within one person’s workspace
Called wireless personal area network (WPAN)
Bluetooth is a common example
- 23. IEEE Additional 802.11 Projects
(continued)
802.16
Addresses the issue of wireless metropolitan area networks (MANs)
Defines the WirelessMAN Air Interface
It will have a range of up to 30 miles
Throughput of up to 120 Mbps
802.20
Addresses wireless MANs for mobile users who are sitting in trains,
subways, or cars traveling at speeds up to 150 miles per hour
- 24. IEEE Additional 802.11 Projects
(continued)
Bluetooth
Defines a method for interconnecting portable devices without wires
Typical range is 10 meters (class 2 devices); class 1 radios reach about 100 meters
Uses frequency hopping across 79 channels in the 2.4 GHz ISM band (2.402 to 2.480 GHz)
Data rate of 1 Mbps for the basic rate, and up to 3 Mbps with Enhanced Data Rate (Bluetooth 2.0+EDR)
HiperLAN2
European WLAN standard
It is not compatible with 802.11 standards
- 26. The 802.1X Standard
Port-based network access control: a switch or AP port forwards only EAPOL (EAP over LAN) frames until the authentication server has accepted the client, then opens the port to normal traffic
Used on wired switches as well as WLANs; addresses the concern that 802.11's own open and shared-key authentication does not identify users
Basic concepts
Point-to-Point Protocol (PPP)
Extensible Authentication Protocol (EAP)
Wired Equivalent Privacy (WEP)
Wi-Fi Protected Access (WPA)
- 27. Point-to-Point Protocol (PPP)
Many ISPs use PPP to connect dial-up or DSL users
PPP handles authentication by requiring a user to present valid credentials, using PAP (user name and password sent in the clear) or CHAP (challenge-response)
PPP verifies that users attempting to use the link are indeed who they say they are
- 28. Extensible Authentication Protocol
(EAP)
EAP (RFC 3748) began as an extension of PPP authentication; it is a framework that carries a negotiated authentication method rather than being a method itself
Allows a company to select its authentication method, for example
Certificates
Kerberos
Certificate
Record that authenticates network entities
It contains X.509 information that identifies the owner, the certificate
authority (CA), and the owner’s public key
- 29. Extensible Authentication Protocol
(EAP) (continued)
EAP methods used to improve security on wireless networks
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS): mutual authentication with client and server certificates
Protected EAP (PEAP): a TLS tunnel authenticated by the server's certificate protects an inner method such as a password
Microsoft PEAP (PEAPv0 with EAP-MSCHAPv2 inside the tunnel)
802.1X components
Supplicant: the client requesting access
Authenticator: the AP or switch that controls the port and relays EAP between the other two
Authentication server: typically a RADIUS server that holds the credentials and makes the accept/reject decision
- 30. Wired Equivalent Privacy (WEP)
Part of the original 802.11 standard; shipped widely in 802.11b products
It was implemented specifically to encrypt data that traversed a wireless network
WEP has many vulnerabilities: RC4 keyed with a 24-bit IV that repeats quickly, a linear CRC-32 integrity check that lets an attacker flip plaintext bits undetected, and statistical key-recovery attacks that recover the key from captured traffic in minutes
For home users or small businesses it is at best a deterrent; a VPN over WEP protects the tunneled traffic, but WEP alone should not be relied on, and WPA2 should be used wherever the hardware allows
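Two of WEP's flaws carried through in working code, as an added example that is not part of the original slides: the keystream reuse that a repeated IV causes, and the ICV forgery that the linear CRC-32 permits. The key, IV and HTTP-like plaintexts are made-up values; the frame layout (IV, key id, RC4 over data plus ICV) is WEP's own.

```python
"""Two structural weaknesses of WEP, demonstrated on constructed frames.

Added example, not from the slides. The key, IV and HTTP-like plaintexts are
made-up values; the frame layout (IV || key id || RC4(data || ICV)) is WEP's.
"""
import struct
import zlib

KEY = bytes.fromhex("0102030405")    # constructed 40-bit WEP key (13 bytes for 104-bit)
IV = b"\x00\x00\x01"                 # 24-bit IV: only 2^24 values, so reuse is inevitable


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream (KSA + PRGA) for the given key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Frame body: IV(3) || key id(1) || RC4_{IV||key}(data || CRC32(data))."""
    assert len(iv) == 3 and len(key) in (5, 13)
    plain = data + struct.pack("<I", zlib.crc32(data))           # ICV is little-endian CRC-32
    return iv + b"\x00" + xor(plain, rc4(iv + key, len(plain)))


def wep_decrypt(key: bytes, body: bytes):
    """Return the data if the ICV verifies, otherwise None (frame discarded)."""
    iv, ciphertext = body[:3], body[4:]
    plain = xor(ciphertext, rc4(iv + key, len(ciphertext)))
    data, icv = plain[:-4], plain[-4:]
    return data if struct.pack("<I", zlib.crc32(data)) == icv else None


def keystream_reuse(body_a: bytes, body_b: bytes) -> bytes:
    """Two frames under one IV share a keystream: C_a xor C_b = P_a xor P_b, no key needed."""
    assert body_a[:3] == body_b[:3], "attack needs a repeated IV"
    return xor(body_a[4:], body_b[4:])


def forge_bitflip(body: bytes, delta: bytes) -> bytes:
    """Flip the plaintext bits set in delta and fix the ICV without knowing the key.

    CRC-32 is affine: CRC(P xor D) = CRC(P) xor CRC(D) xor CRC(0...0), so the ICV
    correction depends only on D, which the attacker chooses.
    """
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    patch = delta + struct.pack("<I", icv_delta)
    return body[:4] + xor(body[4:], patch)


def demo():
    p1 = b"GET /status HTTP/1.0"          # constructed plaintexts of equal length
    p2 = b"POST /login HTTP/1.0"
    c1 = wep_encrypt(KEY, IV, p1)
    c2 = wep_encrypt(KEY, IV, p2)         # same IV reused by the sender
    leaked = keystream_reuse(c1, c2)[:len(p1)]   # == p1 xor p2: knowing one plaintext reveals the other
    target = b"GET /secret HTTP/1.0"
    forged = forge_bitflip(c1, xor(p1, target))  # attacker needs only the bytes of p1 it wants to change
    return leaked, wep_decrypt(KEY, forged)


if __name__ == "__main__":
    leaked, accepted = demo()
    print("p1 xor p2 :", leaked.hex())
    print("AP accepts:", accepted)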
- 31. Wi-Fi Protected Access (WPA)
Specified by the Wi-Fi Alliance, based on the draft 802.11i standard
It is the replacement for WEP, designed to run on existing WEP hardware through a firmware upgrade
WPA improves encryption by using Temporal Key Integrity Protocol (TKIP), which keeps RC4 but fixes how keys and IVs are used
TKIP is composed of four enhancements
Message Integrity Check (MIC), called Michael
Cryptographic message integrity code (64-bit, keyed) computed over the addresses and the data
Main purpose is to prevent forgeries, such as the bit flipping that WEP's CRC-32 allows; because Michael is weak, a station that sees two MIC failures within 60 seconds runs countermeasures (rekeys and stops TKIP traffic for 60 seconds)
Extended 48-bit Initialization Vector (IV), the TKIP sequence counter (TSC), with sequencing rules
Implemented to prevent replays: a receiver discards any frame whose counter is not higher than the last one accepted
- 32. Wi-Fi Protected Access (WPA)
(continued)
TKIP enhancements (continued)
Per-packet key mixing
It helps defeat the weak-key attacks that broke WEP
The transmitter's MAC address and the sequence counter are mixed with the temporal key to derive a fresh RC4 key for every packet, so an IV is never combined with the same key twice
Rekeying mechanism
It provides fresh keys that help prevent attacks that relied on reusing old keys
WPA also adds an authentication mechanism implementing 802.1X and EAP (WPA-Enterprise); home networks use WPA-PSK, a pre-shared passphrase from which the keys are derived
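The MIC and the sequencing rules in working form, as an added example that is not part of the original slides: an implementation of the Michael MIC as specified in 802.11i, and a receiver that applies the TSC replay check, verifies the MIC, and triggers countermeasures after two failures within 60 seconds. The MIC key, addresses and frames are constructed; per-packet RC4 encryption is left out so the integrity and replay checks stand alone.

```python
"""TKIP's forgery and replay checks: the Michael MIC, the 48-bit sequence
counter (TSC), and the MIC-failure countermeasures of 802.11i.

Added example, not from the slides. The MIC key, addresses and frames are
constructed; per-packet RC4 encryption is left out so the checks stand alone.
"""
import hmac
import struct
import time

MASK32 = 0xFFFFFFFF


def _rol(x, n): return ((x << n) | (x >> (32 - n))) & MASK32
def _ror(x, n): return ((x >> n) | (x << (32 - n))) & MASK32
def _xswap(x): return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _michael_block(l, r):
    """The Michael block function b(L, R) from 802.11i."""
    r ^= _rol(l, 17); l = (l + r) & MASK32
    r ^= _xswap(l);   l = (l + r) & MASK32
    r ^= _rol(l, 3);  l = (l + r) & MASK32
    r ^= _ror(l, 2);  l = (l + r) & MASK32
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """Michael MIC: 64-bit key, 64-bit tag. Weak by design (it had to run on WEP hardware)."""
    assert len(key) == 8
    l, r = struct.unpack("<II", key)
    msg += b"\x5a" + bytes(4 + (3 - len(msg) % 4))      # pad: 0x5a, then 4..7 zero bytes
    for (word,) in struct.iter_unpack("<I", msg):
        l ^= word
        l, r = _michael_block(l, r)
    return struct.pack("<II", l, r)


def mic_input(da: bytes, sa: bytes, priority: int, msdu: bytes) -> bytes:
    """TKIP MICs DA || SA || priority || 3 zero bytes || MSDU, binding the addresses to the data."""
    return da + sa + bytes([priority, 0, 0, 0]) + msdu


class TkipReceiver:
    COUNTERMEASURE_WINDOW = 60.0      # seconds (802.11i: two MIC failures within 60 s)

    def __init__(self, mic_key: bytes, clock=time.monotonic):
        self.mic_key = mic_key
        self.last_tsc = -1            # highest accepted counter; any TSC must exceed it
        self.failures = []            # timestamps of recent MIC failures
        self.disabled_until = 0.0
        self.clock = clock

    def receive(self, tsc, da, sa, priority, msdu, mic) -> str:
        now = self.clock()
        if now < self.disabled_until:
            return "dropped: countermeasures active"
        if tsc <= self.last_tsc:                          # sequencing rule defeats replays
            return "dropped: replay"
        expected = michael(self.mic_key, mic_input(da, sa, priority, msdu))
        if not hmac.compare_digest(expected, mic):
            self.failures = [t for t in self.failures if now - t < self.COUNTERMEASURE_WINDOW] + [now]
            if len(self.failures) >= 2:
                self.disabled_until = now + self.COUNTERMEASURE_WINDOW   # rekey, stop TKIP for 60 s
                return "dropped: MIC failure, countermeasures triggered"
            return "dropped: MIC failure"
        self.last_tsc = tsc
        return "accepted"


MIC_KEY = bytes(range(8))                          # constructed 64-bit MIC key
DA, SA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")


def demo():
    clock = [0.0]                                   # fake clock so the 60 s window is testable
    rx = TkipReceiver(MIC_KEY, clock=lambda: clock[0])

    def frame(tsc, msdu):
        return tsc, DA, SA, 0, msdu, michael(MIC_KEY, mic_input(DA, SA, 0, msdu))

    log = []
    good = frame(1, b"hello")
    log.append(rx.receive(*good))                                   # accepted
    log.append(rx.receive(*good))                                   # replayed verbatim
    tsc, da, sa, pri, _, mic = frame(2, b"hello")
    log.append(rx.receive(tsc, da, sa, pri, b"hellO", mic))         # WEP-style bit flip
    clock[0] += 10
    log.append(rx.receive(3, da, sa, pri, b"again", bytes(8)))      # second failure within 60 s
    log.append(rx.receive(*frame(4, b"later")))                     # shut during countermeasures
    clock[0] += 61
    log.append(rx.receive(*frame(4, b"later")))                     # back to normal
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The countermeasure is the detection opportunity: a burst of MIC failures in the AP's log is a classic sign that someone is injecting or tampering with TKIP frames, and the 60-second shutdown is itself a denial-of-service lever an attacker can pull with two bad frames.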
- 33. Understanding Wardriving
Hackers use wardriving
Driving around with inexpensive hardware and software that enables
them to detect access points that haven’t been secured
Passively detecting networks is generally legal
But connecting to or using the resources of those networks without permission is not; laws vary by jurisdiction
Warflying
Variant where an airplane is used instead of a car
- 34. How It Works
An attacker or security tester simply drives around with the following
equipment
Laptop computer
Wireless NIC
An antenna
Software that scans the area for SSIDs
Not all wireless NICs are compatible with scanning programs
Antenna prices vary depending on the quality and the range they
can cover
- 35. How It Works (continued)
Scanning software can identify
The company’s SSID
The type of security enabled
The signal strength
Indicating how close the AP is to the attacker
- 36. NetStumbler
Shareware tool written for Windows that enables you to
detect WLANs
Supports 802.11a, 802.11b, and 802.11g standards
It is an active scanner: it sends probe requests and records the responses, so it misses APs that hide their SSID and its own probes can be detected
NetStumbler was primarily designed to
Verify your WLAN configuration
Detect other wireless networks
Detect unauthorized APs
NetStumbler can interface with a GPS receiver
Enabling a security tester or hacker to map out the locations of all the WLANs the software detects
- 37. NetStumbler (continued)
NetStumbler logs the following information
SSID
MAC address of the AP
Manufacturer of the AP
Channel on which it was heard
Strength of the signal
Encryption
Attackers can detect APs within a 350-foot radius
But with a good antenna, they can locate APs a couple of miles
away
- 38. Kismet
Another tool used for wardriving, and a passive one: it listens in monitor mode without transmitting, so it sees hidden SSIDs and cannot be detected by the target network
Written by Mike Kershaw
Runs on Linux, BSD, Mac OS X, and Linux PDAs
Kismet is advertised also as a sniffer and IDS
Kismet can sniff 802.11b, 802.11a, and 802.11g traffic
Kismet features
Ethereal- (now Wireshark) and Tcpdump-compatible (pcap) data logging
AirSnort compatible
Network IP range detection
- 39. Kismet (continued)
Kismet features (continued)
Hidden network SSID detection
Graphical mapping of networks
Client-server architecture
Manufacturer and model identification of APs and clients
Detection of known default access point configurations
XML output
Supports 20 card types
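Putting scanner output to the defensive use the slides mention (finding unauthorized APs and default configurations), as an added example that is not part of the original deck or of either tool: a triage of a constructed scanner log against an inventory of authorized BSSIDs. The BSSIDs, SSIDs and the CSV layout are assumptions for the example, not any tool's real export format.

```python
"""Triage a wardriving log against an inventory of authorized access points.

Added example, not from the slides and not part of Kismet or NetStumbler.
The inventory, the log lines and the CSV layout are all constructed here.
"""
import csv
import io

# Inventory of the APs we own: BSSID -> (SSID, channel). Constructed values.
AUTHORIZED = {
    "00:11:22:33:44:01": ("corp-wifi", 1),
    "00:11:22:33:44:02": ("corp-wifi", 6),
}
# Factory SSIDs that usually mean an unmanaged, default-configured AP.
DEFAULT_SSIDS = {"linksys", "default", "dlink", "netgear", "wireless", "wlan"}
WEAK = {"OPEN", "WEP"}

# Constructed scanner export (one beacon per line). An empty ssid = hidden network.
SCAN_LOG = """\
bssid,ssid,channel,encryption,signal
00:11:22:33:44:01,corp-wifi,1,WPA2,-41
00:11:22:33:44:02,corp-wifi,6,WPA2,-55
00:11:22:33:44:03,corp-wifi,11,OPEN,-38
00:0c:41:aa:bb:cc,linksys,6,WEP,-60
00:11:22:33:44:02,corp-wifi,11,WPA2,-70
de:ad:be:ef:00:01,,11,WPA2,-80
"""


def triage(log_text: str, authorized=AUTHORIZED, defaults=DEFAULT_SSIDS):
    """Return (bssid, category, detail) for every record that needs a look."""
    findings = []
    our_ssids = {ssid for ssid, _ in authorized.values()}
    for row in csv.DictReader(io.StringIO(log_text)):
        bssid, ssid = row["bssid"].lower(), row["ssid"]
        channel, enc = int(row["channel"]), row["encryption"].upper()
        if bssid in authorized:
            exp_ssid, exp_channel = authorized[bssid]
            if (ssid, channel) != (exp_ssid, exp_channel):
                # Our BSSID with the wrong name or channel: a clone or a misconfiguration.
                findings.append((bssid, "bssid-clone",
                                 f"seen as {ssid!r} on channel {channel}, "
                                 f"expected {exp_ssid!r} on {exp_channel}"))
            elif enc in WEAK:
                findings.append((bssid, "weak-encryption", f"authorized AP running {enc}"))
        elif ssid in our_ssids:
            # Evil twin: our network name from hardware we do not own.
            findings.append((bssid, "evil-twin",
                             f"{ssid!r} advertised by unknown BSSID ({enc}, channel {channel})"))
        elif ssid == "":
            findings.append((bssid, "hidden-unknown",
                             "unknown AP hiding its SSID; capture its clients' probe requests to name it"))
        elif ssid.lower() in defaults:
            findings.append((bssid, "default-ssid",
                             f"factory SSID {ssid!r} with {enc}: probably unmanaged"))
        elif enc in WEAK:
            findings.append((bssid, "weak-encryption", f"unknown AP {ssid!r} running {enc}"))
    return findings


if __name__ == "__main__":
    for bssid, category, detail in triage(SCAN_LOG):
        print(f"{bssid}  {category:16} {detail}")
```

Signal strength is deliberately left out of the rules: a neighbor's AP with our SSID is a finding regardless of how weak it is, while an evil twin is usually the strongest signal in the room, so use the column to prioritise, not to filter.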
- 40. Understanding Wireless Hacking
Hacking a wireless network is not much different from hacking a wired LAN once the attacker has associated with the AP; the wireless-specific work is getting past the air-interface controls (SSID, encryption, authentication)
Techniques for hacking wireless networks
Port scanning
Enumeration
- 41. Tools of the Trade
Equipment
Laptop computer
A wireless NIC
An antenna
Sniffers
Wireless routers that perform DHCP functions can pose a big security risk, because anyone who associates is handed a valid IP address, gateway, and DNS server automatically
Tools for cracking WEP keys
AirSnort
WEPCrack
- 42. AirSnort
Created by Jeremy Bruestle and Blake Hegerle
Passively captures WEP traffic and recovers the key statistically (the Fluhrer-Mantin-Shamir weak-IV attack) once enough packets have been collected; for years it was the tool most attackers used against WEP-enabled WLANs
AirSnort limitations
Runs only on Linux
Requires specific drivers
Not all wireless NICs function with AirSnort
- 43. WEPCrack
Another open-source tool used to crack WEP encryption
WEPCrack was released about a week before AirSnort
It also works on *NIX systems
WEPCrack uses Perl scripts to carry out attacks on wireless systems
Future versions are expected to include features for attackers to
conduct brute-force attacks
- 44. Countermeasures for Wireless
Attacks
Consider using anti-wardriving software to make it more difficult for
attackers to discover your wireless LAN
Honeypots
Fakeap
Black Alchemy Fake AP (floods the air with thousands of bogus beacons so that the real AP is hard to pick out)
Limit the use of wireless technology to people located in your facility
Allow only predetermined MAC addresses and IP addresses to have access to the wireless LAN, but treat this as a minor hurdle: MAC addresses travel in the clear in every frame and are trivial to spoof
- 45. Countermeasures for Wireless
Attacks (continued)
Consider using an authentication server instead of relying on a
wireless device to authenticate users
Consider using EAP, which allows different protocols to be used that
enhance security
Consider placing the AP in the demilitarized zone (DMZ), so that wireless clients reach the internal network only through the firewall
If you use WEP, consider using 104-bit encryption rather than 40-bit encryption; the longer key does not fix WEP's design flaws (IV reuse, linear ICV, weak-IV key recovery), so prefer WPA2 with AES-CCMP wherever the hardware supports it
Assign static IP addresses to wireless clients instead of using DHCP (another minor hurdle: the address range is visible to anyone sniffing the network)
- 46. Summary
IEEE’s main purpose is to create standards for LANs and WANs
802.11 is the IEEE standard for wireless networking
Wireless technology defines how and at what frequency data travels over carrier radio waves
Three main components of a wireless network
Access Points (APs)
Wireless network interface cards (WNICs)
Ethernet cables
- 47. Summary (continued)
A service set identifier (SSID) assigned to an AP
Represents the wireless segment of a network for which the AP is
responsible
Data must be modulated over carrier signals
DSSS, FHSS, and OFDM are the most common modulations for
wireless networks
Wardriving and warflying
WLANs can be attacked with many of the same tools used for hacking wired LANs
- 48. Summary (continued)
Countermeasures include
Disabling SSID broadcast
Renaming default SSIDs
Using an authentication server
Placing the AP in the DMZ
Using a router to filter unauthorized MAC and IP addresses from network access