PowerPoint-10b - Community College of Rhode Island


Wireless Networking
Wireless Vulnerabilities and Attacks
Module-10
Jerry Bernardini
Community College of Rhode Island
3/22/2017
Wireless Networking J. Bernardini
1
Presentation Reference Material
• CWNA Certified Wireless Network
Administration Official Study Guide, Fourth
Edition, Tom Carpenter, Joel Barrett
• Chapter-09, pages 439-473
What is Information Security?
• Information Security: The task of guarding digital information
• Information must be protected on the devices that store, manipulate, and transmit it, through products, people, and procedures
• The properties that must be protected are summarized as CIA:
• Confidentiality
– Only authorized parties can view information
• Integrity
– Information is correct and unaltered
• Availability
– Authorized parties must be able to access at all times
Layers of Security
Categories of Attackers
• Six categories of attackers:
– Hackers – Not malicious; expose security flaws, “ethical attackers”
– Crackers – Violate system security with malicious intent
– Script kiddies – Break into computers to create damage
– Spies – Hired to break in and steal information
– Employees – Unhappy employees that steal, damage and change information
– Cyber-terrorists – Steal, damage and change information for ideology or extreme beliefs
Challenges of Securing Information
• Trends that make information security increasingly difficult:
– Speed of attacks
– Sophistication of attacks
– Faster detection of weaknesses
• Zero-day attacks
– Distributed attacks
• The “many against one” approach
• Impossible to stop the attack by trying to identify and block the source
Security Attacker Profiles
Security Organizations
• Many security organizations exist to provide security
information, assistance, and training
• Computer Emergency Response Team Coordination
Center (CERT/CC)
• Forum of Incident Response and Security Teams
(FIRST)
• InfraGard
• Information Systems Security Association (ISSA)
• National Security Institute (NSI)
• SysAdmin, Audit, Network, Security (SANS) Institute
Common Attack Methods
• Eavesdropping
• Hijacking
• Man-in-the-middle
• Denial of Service (DoS)
• Management interface exploits
• Encryption cracking
• Authentication cracking
• MAC spoofing
• Peer-to-peer
• Social engineering
Eavesdropping Issues
• Definition: The interception and reading of messages and information by unintended recipients
• WLAN sends data through the open air
• Attacker can easily capture frames
• Attacker may not be able to read the frames
• Encryption of data reduces the ability to “read” them
• When you access a network, be sure you have been given the right to do so
• Wardriving is eavesdropping
• Laws against eavesdropping are being enforced
Eavesdropping Utilities
Casual
• MacStumbler
• KisMac
• NetStumbler
• KisMet
• Easy Wi-Fi Radar
• WiFi Hopper
Malicious
• OmniPeek Personal (free)
• AiroPeek
• Network Instruments Observer
• AirMagnet Laptop Analyzer
• Javvin CAPSA
• Wireshark (free)
• CommView for Wi-Fi PC
• CommView for Wi-Fi PocketPC
Man-in-the-Middle Attack
• Makes it seem that two computers are communicating directly with each other
– Actually each is sending and receiving data through a computer between them
– Active or passive
SSID Filtering
• Disable SSID broadcast.
By default, most wireless networking devices are set to broadcast the SSID, so anyone can easily join the wireless network.
• Change the default SSID.
Wireless APs have a default SSID set by the factory. Linksys wireless products use “Linksys”. Change the network's SSID to something unique, and make sure it doesn't refer to the networking products, your company, department function, or location.
Hijacking and Man-in-the-middle
• Defined: An unauthorized user takes control of an authorized user's WLAN connection
• Occurs at Layer 1, Layer 2 and Layer 3
• Hijacking Outline
– Attacker starts own AP and captures traffic
– Attacker configures his AP with the victim's SSID
– Attacker sends deauthentication frames with high-power RF
– Victim reassociates with the higher-power attacker AP
– Attacker runs DHCP, giving an address to the victim
• Attacker can try to steal data from the victim
• Attacker can use a second NIC to connect to the original AP
– Traffic between victim and original AP is captured by the attacker
– Complete Man-in-the-middle attack with capture at Layer 1, Layer 2 and Layer 3
Windows Client Vulnerabilities and Solutions
• By default Windows sends out probe requests for its “preferred networks”
• The Wireless Networks tab of the connection properties establishes which networks are preferred, and in what order; the client scans for each SSID in the list
• If it cannot find a “preferred network” it will continue to scan
• A rogue AP that has heard the SSID scan list configures itself as one of the unsecured SSIDs
• Victim Windows client connects to the rogue AP
• Solutions
– Keep the WLAN card powered off
– Remove unsecured SSIDs from the list after using them
– Disable the Windows client and use a more secure third-party client (Cisco LEAP)
Denial of Service Attack (DoS)
• Definition: An attack that results in the inability of a user or system to access needed resources
• Layer 1 Attack – RF jamming
– High-level RF signal generator “drowns out” APs in the area
• Unintentional DoS – interference from microwave ovens, wireless phones
• Layer 2 Attack – Spoofs AP and generates management frames
– Rogue AP spoofs the AP's MAC address
– Rogue generates deauthentication or disassociation frames
– Client STA disassociates
– Rogue continues to send deauthentication or disassociation frames
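The two management-frame abuses described above (an attacker AP configured with the victim's SSID in the hijacking outline, and the Layer 2 deauthentication/disassociation flood) leave a visible pattern in a capture. The following detector is an added example, not code from the slides or the CWNA guide; it runs over a constructed list of simplified frame records (time, subtype, BSSID, SSID) of the kind a capture tool such as Wireshark exposes, and the thresholds are assumptions to tune for a real WLAN.

```python
from collections import defaultdict

# Constructed, simplified 802.11 management-frame records for this example:
# (time in seconds, frame subtype, transmitter BSSID, SSID carried by the frame)
FRAMES = [
    (0.00, "beacon", "00:11:22:aa:bb:cc", "CorpWLAN"),   # legitimate AP
    (0.10, "beacon", "00:11:22:aa:bb:cc", "CorpWLAN"),
    (0.20, "beacon", "de:ad:be:ef:00:01", "CorpWLAN"),   # second BSSID using the victim SSID
    (0.30, "beacon", "00:11:22:aa:bb:dd", "GuestWLAN"),  # unrelated network
] + [
    # 12 deauthentication frames from the second BSSID within half a second
    (1.00 + i * 0.04, "deauth", "de:ad:be:ef:00:01", "") for i in range(12)
] + [
    (5.00, "deauth", "00:11:22:aa:bb:cc", ""),            # occasional legitimate deauth
    (9.00, "disassoc", "00:11:22:aa:bb:cc", ""),
]


def find_duplicate_ssids(frames):
    """Return {ssid: [bssid, ...]} for every SSID beaconed by more than one BSSID.
    A new BSSID appearing under a known SSID is the footprint of the hijacking
    outline's step "attacker configures his AP with the victim's SSID"."""
    bssids = defaultdict(set)
    for _, subtype, bssid, ssid in frames:
        if subtype == "beacon" and ssid:
            bssids[ssid].add(bssid)
    return {ssid: sorted(b) for ssid, b in bssids.items() if len(b) > 1}


def find_deauth_floods(frames, window_s=1.0, threshold=10):
    """Return {bssid: peak_count} for any transmitter that sends more than
    `threshold` deauthentication/disassociation frames inside a sliding
    window of `window_s` seconds (the Layer 2 DoS pattern above)."""
    stamps = defaultdict(list)
    for t, subtype, bssid, _ in frames:
        if subtype in ("deauth", "disassoc"):
            stamps[bssid].append(t)
    flagged = {}
    for bssid, ts in stamps.items():
        ts.sort()
        start = 0
        for end, t_end in enumerate(ts):
            while t_end - ts[start] > window_s:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[bssid] = max(flagged.get(bssid, 0), count)
    return flagged
```

On the constructed capture the rogue BSSID is reported both as a second source of “CorpWLAN” and as a deauthentication flood, while the real AP's two spaced-out frames stay below the threshold.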
Other DoS Attacks
• Empty Data Floods
– Install two or three wireless adapters in a laptop
– Generate continuous maximum-size frames
– Position close to the victim STA for a stronger signal
– Ties up the RF spectrum, preventing connection to legitimate APs
• Other Attacks
– Association Floods
– Authentication Floods
– Unauthorized AP left on
• Solution
– Use a spectrum analyzer to track down the location of the interference
– Scan for SSIDs and zero in on the signal
Management Interface Exploits
• Web-based Interface exploit
– Attacker captures traffic and determines the IP network with a scanning utility
– Varies the address and finds the AP gateway address (example 192.168.1.1, 10.10.10.1 …)
– Tries passwords if necessary
– Changes AP configuration
– Turns off all MAC access except the attacker's – a form of DoS
• Solutions
– Strong AP password
– Disable web interface
– Secure telnet and SSH
– Use strong WPA-PSK or WPA2-PSK
Encryption Cracking
• Weak Key Cracking
– Attacker captures 100 MB of data
– Processes the capture with a “cracking tool”
– Obtains the WEP key in seconds
– Weak keys and initialization vectors are very vulnerable
• Solution
– Use strong encryption
– WPA2 and AES
– IEEE 802.11i
– EAP-Cisco LEAP
• More information in Chapter-10
Wired Equivalent Privacy (WEP)
• Guards the Confidentiality of CIA
– Ensures only authorized parties can view the information
• Used in IEEE 802.11 to encrypt wireless transmissions
– “Scrambles” data
• Cryptography: Science of transforming information so that it is secure while being transmitted or stored
• Encryption: Transforming plaintext to ciphertext
• Decryption: Transforming ciphertext to plaintext
• Cipher: An encryption algorithm
– Given a key that is used to encrypt and decrypt messages
– Weak keys: Keys that are easily discovered
WEP Cryptography
WEP Implementation
• IEEE 802.11 cryptography objectives:
– Efficient
– Exportable
– Optional
– Reasonably strong
– Self-synchronizing
• WEP relies on a secret key “shared” between a wireless device and the AP
• Same key installed on device and AP
• A form of private-key cryptography or symmetric encryption
WEP Characteristics
• WEP shared secret keys must be at least 40 bits
– Most vendors use 104 bits
• Options for creating WEP keys:
– 40-bit WEP shared secret key (5 ASCII characters or 10 hexadecimal
characters)
– 104-bit WEP shared secret key (13 ASCII characters or 16 hexadecimal
characters)
– Passphrase (16 ASCII characters)
• APs and wireless devices can store up to four shared secret keys
– Default key is one of the four stored keys
– Default key is used for all encryption
– Default key can be different for AP and client
WEP Keys
• Key order must be the same for all devices
• Default keys can be different for each device
Open System Authentication Vulnerabilities
• Inherently weak
– Based only on match of SSIDs
– SSID beaconed from AP during passive scanning
• Easy to discover
• Vulnerabilities:
– Beaconing SSID is default mode in all APs
– Not all APs allow beaconing to be turned off
• Or manufacturer recommends against it
– SSID initially transmitted in plaintext (unencrypted)
• Vulnerabilities – If an attacker cannot capture an initial negotiation process, they can force one to occur
– SSID can be retrieved from an authenticated device
– Many users do not change default SSID
• Several wireless tools freely available that allow users with no advanced
knowledge of wireless networks to capture SSIDs
Peer-to-Peer Attacks
• Definition: A Peer-to-Peer attack occurs when one STA attacks another STA that is associated with the same AP
• Intention is generally data theft
• Installation of backdoors and other software
• Laptops are particularly vulnerable
• IBSS (ad hoc) networks are vulnerable
• Hot spot networks can be a serious problem
• Solutions:
– Public Secure Packet Forwarding (PSPF) applications
– STA-to-STA communication disallowed
– Microsoft file sharing disabled
Social Engineering
• Definition: Technique of persuading people to give you something that they should not give you
– Organization information
– Data
– Passwords and passphrases
– Keys
• Targets
– Help Desk
– On-site contractors
– Employees
• Solutions
– Do not depend only upon technology
– Train personnel regularly
MAC Address Filtering and Spoofing
• Most access points offer some form of MAC filtering.
– MAC Access Lists
– Advanced MAC Filtering Lists
• WLAN administrator must configure a list or set of
rules for clients that will be allowed or not allowed to
join the network.
MAC Access Filtering (diagram: Proxim AP-600b MAC address filtering)
• Wired LAN: Database Server, MAC address 001122C5AF3B, reached through access points AP-1 and AP-2
• Wireless client: MAC address 00022D9DE44E
• Filtering = Blocking
• Mask: F = Look, 0 = Ignore (logical ANDing)
• Filter table in the AP-600b:
– Wired MAC Adr. = 001122C5AF3B, Wired Mask = FFFFFFFFFFFF
– Wireless MAC Adr. = 00022D9DE44E, Wireless Mask = FFFFFFFFFFFF
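The masked comparison in the AP-600b table (F nibble = look, 0 nibble = ignore, combined with a logical AND) is easy to state but worth seeing work. The following is an added example, not code from the slides or from Proxim; it uses the slide's two addresses plus one constructed wildcard entry, and the "block"/"allow" mode names are assumptions.

```python
# Constructed filter table, modelled on the AP-600b diagram above. Each entry
# pairs a MAC address with a mask: a mask nibble of F means "look at this nibble",
# 0 means "ignore it"; the comparison is a logical AND, as the slide notes.
FILTER_TABLE = [
    ("001122C5AF3B", "FFFFFFFFFFFF"),  # wired database server (from the slide)
    ("00022D9DE44E", "FFFFFFFFFFFF"),  # wireless client (from the slide)
    ("00022D000000", "FFFFFF000000"),  # constructed: any address with OUI 00:02:2D
]


def mac_to_int(mac):
    """Accept 001122C5AF3B, 00:11:22:C5:AF:3B or 00-11-22-C5-AF-3B."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def entry_matches(entry_mac, mask, candidate):
    """True if candidate equals entry_mac in every nibble the mask marks F."""
    m = mac_to_int(mask)
    return (mac_to_int(candidate) & m) == (mac_to_int(entry_mac) & m)


def is_admitted(candidate, table=FILTER_TABLE, mode="block"):
    """Decide whether a frame with source address `candidate` may associate.
    mode="block" is the slide's "Filtering = Blocking": listed addresses are
    refused; mode="allow" admits only listed addresses. Either way the AP only
    sees the address field the client put in the frame header, which is why the
    next slide's point stands: a client that changes its MAC in software is
    judged by the same check as the real owner of that address."""
    listed = any(entry_matches(a, m, candidate) for a, m in table)
    return not listed if mode == "block" else listed
```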
Circumventing MAC Filters
• MAC addresses are sent in the clear in the frame header!
• User/attacker can change their MAC address via software and then spoof, or more accurately impersonate or masquerade under, the address.
• Evade/Hide Network Presence
• Bypass Access Control Lists
• Authenticated User Impersonation
Access Control Security
• Intended to guard one of the CIA’s
– Availability of information
• Wireless access control: Limit user’s access to AP
– by Filtering MAC addresses
• Media Access Control (MAC) address filtering:
Based on a node’s unique MAC address
• Can be defeated by Spoofing a MAC address
Access Control Filtering
• MAC address filtering
considered to be a basic
means of controlling access
– Requires pre-approved
authentication
– Difficult to provide temporary
access for “guest” devices
MAC Spoofing Security Solutions (diagram)
• 802.1X Authentication
• TKIP – Temporal Key Integrity Protocol
• MIC – Message Integrity Checking
• Key Management
• WPA / WPA2 – Wi-Fi Protected Access
• Cipher and Authentication Negotiation
• AES – Advanced Encryption Standard
• 802.11i
Remember CIA and AAA
• CIA
– Confidentiality – Keep things private
– Integrity – Data must be consistent and accurate
– Availability – The right data to the right users
• AAA
– Authentication – “Who are you?”
– Authorization – “What do you want?”
– Accounting – “What have you done?”
• Bottom Line
– Users are responsible for protecting their accounts and their data