Transcript Slide 1

Assessing Wireless Security Using
Open Source Tools
By: Matthew Neely
Presented: May 5th 2009 at Pittsburgh ISSA
Speaker Biography
• Matt Neely CISSP, CTGA, GCIH, GCWN - Manager of the Profiling
team at SecureState:
– Areas of expertise include: wireless security, penetration testing,
physical security, security convergence and incident response
– Formed and ran the TSCM team at a Fortune 200 company
– 10 years of security experience
• Outside of work:
– Co-host of the Security Justice Podcast
– Board member for the North Eastern Ohio Information
Security Forum
– Licensed ham radio operator (Technician) for almost 20 years
What concerns do you
have about wireless?
Agenda
•
•
•
•
•
•
•
•
•
Overview of the 802.11 standard
Hardware - Requirements and recommendations
Discovering wireless networks
Introduction to Kismet
Lab – Discovering and enumerating wireless network using Kismet
Demo – Aircrack-ng
How to tell if an AP is on your network
Wireless security recommendations
Conclusion
OVERVIEW OF 802.11
What is 802.11
• Set of wireless local area network (WLAN) standards
developed by the IEEE
• Uses the standard Ethernet protocol
• Adds special media access control process
Popular 802.11 Standards
•
•
•
•
•
802.11
– 2.4 GHz
– 2 Mbps (0.9 Mbps typical)
802.11a
– 5 GHz
– 54 Mbps (23 Mbps typical)
802.11b
– 2.4 GHz
– 11 Mbps (4.5 Mbps typical)
802.11g
– 2.4 GHz
– 54 Mbps (23 Mbps typical)
802.11n - Draft
– 2.4 and 5 GHz
– 300 Mbps (74 Mbps typical)
– Greenfield mode
802.11 Versus Wi-Fi
• 802.11 is a set of standards from the IEEE
• Wi-Fi is a subset of the 802.11 standards managed
by the Wi-Fi Alliance
• Wi-Fi Alliance insures all products with the Wi-Fi logo
will work together
• Different vendors often interpret standards differently
• Wi-Fi Alliance defines what is the “right” thing to do when
implementing a standard
– Especially useful when vendors implement draft standards
• Wi-Fi Protected Access (WPA)
• “Draft” 802.11n equipment.
Infrastructure Vs. Ad-hoc Networks
• Infrastructure: Allows one or more
computers to connect to a network
using an Access Point (AP).
– AP is the hub of communication
– Service Set IDentifier (SSID) is
used to identify the network
• Ad-Hoc: Allows user to create
peer-to-peer networks.
– Does not use an AP
– Independent Basic Service Set
(IBSS) is used to identify
the network
– First active ad-hoc station
establishes the network and starts
sending beacons with the IBSS
HOW CLIENTS FIND
WIRELESS NETWORKS
Broadcast Probe Request
• Client sends out broadcast probe request packets
asking who is there
Broadcast Probe Reply
• Any APs in the area reply back with their SSID
Direct Probe Request
• Client can also send direct probe request packets looking for a
specific network name
– Example: I’m looking for network Linksys
Beacon Packets
• AP sends out beacon packets
– Beacon packets contain the SSID of the network
• Client listens for beacon packets and uses the SSID information in
the packet to figure out what networks are in range
Hidden APs
• Beaconless APs
– AKA “disabled broadcast SSID”, “cloaked” or “closed”
• Some APs do not send beacon packets when clients
are not connected
• Other APs still send a beacon packet but leave the SSID field blank
• Attempts to prevent malicious users from finding the AP
Requirement and Recommendations
HARDWARE
Hardware
• Required
– Computer - Running or capable of running Linux
• Install Linux on a laptop
• Use a LiveLinux distro such as BackTrack
– Wireless card
• Optional
– External Antenna
– Pigtail
– GPS
BackTrack
• LiveLinux distro containing a large number of pre-configured
attack tools
• Variety of wireless drivers come pre-loaded
• Plug and play support for many wireless cards
• Available in two formats:
– Bootable CD
– Bootable thumb drive
• Contains more tools
• Data written to the thumb drive persists across reboots
• Download:
– http://www.remote-exploit.org/backtrack_download.html
Backtrack in VMWare
• BackTrack can not directly access a PCMCIA or mini-pci card
– Limits what fun stuff can be done
• Can use a USB dongle with a supported chipset
– Temperamental and unstable at times
• For just about everything except wireless related tasks, I run
BackTrack inside VMWare
• When I need to run wireless tools in BackTrack I prefer to run
BackTrack on the bare hardware
Saving Data on BackTrack
• When run from a CD all saved data will be erased on reboot
• Solution 1:
– Run BackTrack from a bootable thumb drive
• Solution 2:
– Mount a thumb drive and save your data
– Command: mount /dev/sdb1
• Solution 3:
– Save your data to a network share before rebooting
Wireless Card
• Hopefully your internal wireless card works
– Centrino or Atheros cards generally work well
– Broadcom cards are a problem
• Can use an external wireless card if the internal card does not work
Determining What Wireless Type
• Look up the specs for your laptop
• Query the USB or PCI bus inside of Linux
– lspci – Linux command that lists the devices attached to
the PCI bus
• Useful for gathering information on internal wireless cards
– lsusb – Linux command that list devices attached to the USB bus
Example lspci Output
Example lsusb Output
Card Selection
• Features to look for in an external card:
– 1) Atheros or Ralink RT73 chipset
• Must support RF monitor mode
• LORCON support is recommended
– 2) External antenna connector
– 3) Form factor that matches your needs
• PCMCIA/Express cards
• USB
Getting the Card You Want
• Difficult to know what chipset a card uses
– Manufactures change them all the time
• Pay close attention to model number and version
• Buy your card from a store with a hassle free return policy
• Buy your card from a store that states the chipset
– Look for stores that cater to Linux users, wardrivers and
wireless hackers
– www.netgate.com
Card Chipset Information
• Card Chipset Lists
– Atheros.rapla.net
– Ralink.rapla.net
– Broadcom.rapla.net – Avoid
– www.seattlewireless.net/index.cgi/HardwareComparison
• Backtrack website:
– wiki.remote-exploit.org/index.php/HCL:Wireless
• Aircrack-ng webiste:
– www.aircrack-ng.org/doku.php?id=compatibility_drivers
External Antennas
• Greatly increases performance
• Useful when:
– Performing audits from inside a vehicle
– Triangulating the location of an AP
– Measuring RF leakage from a building
• Antennas are tuned to work on specific frequencies
• Need to select antennas that are tuned to the frequency
range being used
– 2.4 GHz is the most common
• Used by b, g and n networks
• Same frequency used by Bluetooth
– 5 GHz is needed for a and n networks
Types of Antennas
• Omni-directional
– Increases reception in all directions
– Magnetic mount omni-directional antennas are useful for
mounting on cars
• Directional
– Focuses the signal like a spot light
– Can be used to triangulate the location of a signal
Types of Directional Antennas
•
•
•
•
Panel
– $20-40
– Typical gain 8-18 dBi
– Good for travel: compact, portable and hard to damage
Yagi
– $30-50
– Typically gain 9-15 dBi
– Can be large
– Typically encased in pcv pipe to protect the antenna
Parabolic dish
– $30 and up
– Very large
– Very high gain, 19-30 dBi
– Hard to transport
Waveguide (cantennas)
– Around $50
– Typical gain 12 dBi
Antenna Recommendation
• Get two antennas
• Directional
– Either a panel or small yagi
• Omni-direction
– Magnetic mount is very helpful if you spend time doing surveys
outside a building
• Good source: www.hyperlinktech.com
Pigtails and Adapters
• Pigtail – Converts the small connector on the card to the connector
used on the antenna
• Do not buy cheap cables!
– Where most signal loss occurs
– Good quality pigtails cost around $10-20
– Only use cabled designed for use in the 2.4 or 5 GHz range
• Pigtails should probably end in a N-Type male jack
– Most antennas have a N-Type female jack
• Good source: www.hyperlinktech.com
• Pictures of common Wi-Fi antenna connectors:
– wireless.gumph.org/content/3/7/011-cable-connectors.html
GPS
• Allows data to be placed onto a map for analysis
• Only get an NMEA compatible GPS
• Interface type:
– Serial: Does not require a driver and just about always works
– USB: Requires drivers which can be tricky in Linux
– Bluetooth: Avoid because it operates in the 2.4 GHz spectrum
• If you run Linux and do not have a serial port, the safest option is a
serial GPS and a USB-to-serial adaptor
– Buy a USB adaptor that is Linux friendly
DISCOVERING WIRELESS
NETWORKS
Active Network Discovery
•
•
•
•
Official way to find networks
Client sends out a broadcast probe request looking for networks
Client listens for beacon packets from APs
Cons:
– Requires the client to be within transmission range of the AP
– Cannot find beaconless/hidden network
• Pros:
– Every wireless card supports this method
– Does not require a card or driver that supports RF monitor mode
• Windows tools such as NetStumbler use active network discovery
Passive Network Discovery
• Card listens to the airwaves and extracts information about the
networks in the area from the packets it sees
• Requires cards that support RF monitor mode
– Not all cards and drivers support RF monitor mode
• Pros:
– Client only needs to be within receiving range
– Can detect networks with the beacon turned off
– Can gain more information about the network
• Cons:
– Requires a card and driver that supports full RF monitor mode
– No free Windows program supports passive network discovery
Kismet
•
•
•
•
http://www.kismetwireless.net/
Passive scanner
OS: Linux and other Unix systems
Kismet is really two programs
– kismet_server: Collects the packets
– kismet_client: User interface
• Pros:
– Will find hidden networks
– GPS support
• Cons:
– Complicated installation and configuration
Kismet Classic Versus Newcore
• “Classic” is the present stable release of Kismet
• Kismet-newcore is a rewrite of Kismet
– Still under development
– Supports plugins
• Example: DECT support
• Avoid newcore unless you have a specific reason to use it or
like to tinker
Configuring Kismet
• Configuration file is usually located at /usr/local/etc/kismet.conf
• Specify suiduser
– suiduser=<normal non-root user>
– Ex: suiduser=matt
• Packet Source
– source=<driver, interface, name>
– Ex: source=madwifi_g,ath0,AtherosCard
• Skip these steps on BackTrack
– Use –c flag when starting the server to tell it the packet source
– Ex: kismet_server –c madwifi_g,wifi0,CiscoCard
Source Settings - Driver
• Run airmon-ng to determine which driver your wireless card is using
– Part of the Aircrack-ng suite
– # airmon-ng
– $ sudo airmon-ng
Driver Setting - Source
• Run airmon-ng or iwconfig to see all the wireless interfaces
– # iwconfig
– $ iwconfig
LAB: DISCOVERING AND
ENUMERATING WIRELESS
NETWORK USING KISMET
Accessing the Lab Server
• Connect to wireless network
– Lab-Connect_Here
• Windows Telnet:
– Start -> Run -> cmd.exe
– telnet 192.168.10.102 –t vt100
• SSH (Putty or other SSH client)
– Connect to 192.168.10.102
• Once connected login
– Username: kismet
– Password: kismet
DEMO: AIRODUMP-NG
How to Tell if an AP is on Your Network
• Direction/Location
– GPS
– Use a directional antenna
• Connect to the network and check:
– If a traceroute shows the traffic traversing your network
– If you can contact an internal server
– DNS server address
• Do not rely on the assigned IP address
SECURITY
RECOMMENDATIONS
General Security Recommendations
• Make the network difficult to find
– Limit AP power output
– Use RF shielding to prevent RF leakage
– Only use 802.11a APs
• Do not use hidden APs
– Could make it easier to attack your wireless Windows clients
• Windows prefers visible networks over hidden networks
• Attackers can trick users into connecting to a malicious AP
• MAC filtering
– Not recommended
– Easy to by-pass and adds a lot of complexity in
a large environment
– Minimal level of protection is generally not worth the effort
Wireless IDS
• Consider deploying a wireless IDS
• Can detect:
– De-auth attacks
– RTS and CTS attacks denial of service attacks
– Rogue APs
• Both on and off your network
• Remember IDS is only detection and not prevention
• Be very careful with wireless IPS
– IPS system could end up attacking neighboring networks
Wireless Encryption and Authentication
• Do not use WEP
• Migrate from LEAP
– Known weaknesses and attack tools for LEAP
– If you can not migrate from LEAP be sure you enforce a strong
password policy
• Use WPA or WPA2
– Prefer WPA2
– Both can be secured fairly well
WPA-PSK Recommendations
• WPA-PSK (Pre-Shared Key)
• AKA WPA Home
• Choose a long and complex passphrase
– Prevents bruteforce attacks from tools like Cowpatty
• Choose a unique SSID
– Prevents using pre-compiled tables to speed up
bruteforce attacks
WPA Enterprise Recommendations
• Generally more secure than WPA-PSK
– Also more complex
• Requires a RADIUS server
• Use an authentication type that provides mutual authentication
• With PEAP and EAP-TTLS insure the client is properly configured
• Consider using two-factor authentication
Conclusion
• Kismet are free tools that can be used to locate wireless networks
• Selecting the right card is critical when using Kismet
• Finding N Greenfield mode networks could be a challenge
in the future
• Do not use WEP to secure a wireless network
• Use WPA2 Enterprise with multi-factor authentication
• Insure the wireless client is properly configured and secured
QUESTIONS?
More Information:
www.SecureState.com
www.matthewneely.com
[email protected]