MAC Address Authentication - Faculty Website Directory
Wireless Networking
Wireless Vulnerabilities and Attacks
Module-13
Jerry Bernardini
Community College of Rhode Island
4/13/2016
Wireless Networking J. Bernardini
Presentation Reference Material
• CWNA Certified Wireless Network Administration Official Study Guide
(PW0-104), David Coleman, David Westcott, 2009, Chapter-14
• CWNA Certified Wireless Network Administration Official Study Guide, Fourth
Edition, Tom Carpenter, Joel Barrett
– Chapters 9, 10
• Cisco White Paper - A Comprehensive Review of 802.11 Wireless LAN Security
and the Cisco Wireless Security Suite
www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.htm
• Your 802.11 Wireless Network has No Clothes
– William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan, Department of
Computer Science, University of Maryland, College Park, Maryland 20742,
March 30, 2001
– http://www.cs.umd.edu/~waa/wireless.pdf
Categories of Attackers
Six categories of attackers:
• Hackers - Not malicious; expose security flaws, “ethical attackers”
• Crackers - Violate system security with malicious intent
• Script kiddies - Break into computers to create damage
• Spies - Hired to break in and steal information
• Employees - Unhappy employees that steal, damage and change information
• Cyber-terrorists - Steal, damage and change information for ideology or
extreme beliefs
Security Attackers Profiles
Early IEEE 802.11 Security
• Referred to as: Pre-RSNA Security
– RSNA=Robust Security Network Association
• Pre-RSNA Security includes
– Open System Authentication
– Shared Key Authentication
– Wired Equivalent Privacy
• This technology has many flaws and should not be
considered for new systems
• But we should understand Pre-RSNA to appreciate
WLAN vulnerabilities
Open Authentication
• Open authentication allows any device network
access.
• If no encryption is enabled on the network, any
device that knows the SSID of the access point can
gain access to the network.
• With WEP encryption enabled on an access point,
the WEP key itself becomes a means of access
control.
802.11 client authentication process
1. Client broadcasts a probe request frame on every channel
2. Access points within range respond with a probe response frame
3. The client decides which access point (AP) is the best for access and sends an
authentication request
4. The access point will send an authentication reply
5. Upon successful authentication, the client will send an association request frame to the
access point
6. The access point will reply with an association response
7. The client is now able to pass traffic to the access point
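As an added illustration of the seven-step sequence above (example code written for these notes, not code from the slides or from any AP vendor), the following Python model tracks each client's 802.11 state on the AP side. The SSID, BSSID and client addresses are constructed values. With open system authentication there is no challenge, so the only thing the AP enforces is frame order: association is refused from a station that has not authenticated, and data frames are refused from a station that has not associated.

```python
"""Added example: a minimal model of the 802.11 open-system join sequence.

Illustrative code for these notes, not from the slides or any vendor. The AP
keeps each client's 802.11 state (1 = unauthenticated/unassociated,
2 = authenticated, 3 = associated) and answers the management frames of the
seven-step process. Open system authentication has no challenge, so every
authentication request succeeds; ordering is the only check the AP makes.
"""
from dataclasses import dataclass, field

UNAUTH, AUTHED, ASSOCIATED = 1, 2, 3   # 802.11 station states 1, 2, 3


@dataclass
class AccessPoint:
    ssid: str
    bssid: str
    state: dict = field(default_factory=dict)   # client MAC -> state

    def handle(self, frame: dict) -> dict:
        """Process one frame from a client and return the AP's reply."""
        kind, client = frame["type"], frame["src"]
        cur = self.state.get(client, UNAUTH)
        if kind == "probe_request":
            # Steps 1/2: any station may probe; the AP answers with its SSID.
            return {"type": "probe_response", "ssid": self.ssid, "bssid": self.bssid}
        if kind == "auth_request":
            # Steps 3/4: open system authentication never fails.
            self.state[client] = AUTHED
            return {"type": "auth_response", "status": "success"}
        if kind == "assoc_request":
            # Steps 5/6: association is valid only from state 2 and needs a
            # matching SSID; otherwise the AP refuses.
            if cur < AUTHED:
                return {"type": "assoc_response", "status": "refused_unauthenticated"}
            if frame.get("ssid") != self.ssid:
                return {"type": "assoc_response", "status": "refused_ssid_mismatch"}
            self.state[client] = ASSOCIATED
            return {"type": "assoc_response", "status": "success"}
        if kind == "data":
            # Step 7: data is forwarded only for associated stations; a
            # class 3 frame from anyone else is answered with a deauth.
            if cur == ASSOCIATED:
                return {"type": "ack"}
            return {"type": "deauth", "reason": "class3_frame_from_nonassociated"}
        return {"type": "unknown"}


def join(ap: AccessPoint, client: str, ssid: str) -> list:
    """Run the full sequence for one client; return the reply status per step."""
    replies = []
    for frame in ({"type": "probe_request", "src": client},
                  {"type": "auth_request", "src": client},
                  {"type": "assoc_request", "src": client, "ssid": ssid},
                  {"type": "data", "src": client}):
        reply = ap.handle(frame)
        replies.append(reply.get("status", reply["type"]))
    return replies


if __name__ == "__main__":
    ap = AccessPoint("corp-wlan", "00:11:22:33:44:55")   # constructed values
    print(join(ap, "aa:bb:cc:dd:ee:01", "corp-wlan"))
    print(join(ap, "aa:bb:cc:dd:ee:02", "wrong-ssid"))
```

The second call in the usage shows the point of the slide: a client that knows the SSID is admitted with nothing more than the right frame order, and one that does not is refused only at the association step.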
Open Authentication Vulnerabilities
• No way for the access point to determine whether a
client is valid.
• A major security vulnerability if WEP or better encryption
is not implemented
– Cisco does not recommend deploying wireless LANs without WEP encryption.
• When WEP encryption is not needed or is not feasible to
deploy, such as in public WLAN deployments, higher-layer
authentication can be provided by implementing a Service
Selection Gateway (SSG).
Vulnerability of Shared Key Authentication
WEP Characteristics
• WEP shared secret keys must be at least 40 bits
– Most vendors use 104 bits
• Options for creating WEP keys:
– 40-bit WEP shared secret key (5 ASCII characters or 10 hexadecimal
characters)
– 104-bit WEP shared secret key (13 ASCII characters or 16 hexadecimal
characters)
– Passphrase (16 ASCII characters)
• APs and wireless devices can store up to four shared
secret keys
– The default key is one of the four stored keys
– The default key is used for all encryption
– The default key can be different for AP and client
WEP Weaknesses
• Key management and key size (40-bit).
• The IV is too small.
– 24-bit = 16,777,216 different cipher streams.
• The ICV algorithm is not appropriate.
– Uses CRC-32 when MD5 or SHA-1 would be better.
• Authentication messages can be easily forged.
Initialization Vector Replay Attacks
1. A known plain-text message is sent to an observable wireless LAN client (an e-mail
message)
2. The network attacker will sniff the wireless LAN looking for the predicted cipher-text
3. The network attacker will find the known frame and derive the key stream
4. The network attacker can "grow" the key stream using the same IV/WEP key pair as
the observed frame
• This attack is based on the knowledge that the IV and base WEP key can be reused or
replayed repeatedly to generate a key stream large enough to subvert the network.
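The "IV is too small" weakness and the replay attack above both rest on IV reuse, so the numbers are worth working through. The following Python is an added example for these notes (not from the slides): it computes how fast a sender burns through the 24-bit IV space at a given frame rate, the birthday-bound probability that two frames in a capture already share an IV, and it scans a constructed list of observed IVs for repeats, which is the condition a monitoring tool would look for on a WEP network. The frame rate and the sample IV list are assumptions.

```python
"""Added example: sizing the WEP IV space and spotting IV reuse in a capture.

Illustrative code for these notes, not from the slides. WEP's 24-bit IV gives
2**24 = 16,777,216 keystreams per key. The functions below show (a) how soon
a busy sender must wrap around, (b) the birthday bound on an accidental IV
collision inside a capture, and (c) a check that reports IVs seen more than
once, the precondition for the replay and keystream-growing attacks.
"""
import math
from collections import Counter

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 distinct IVs


def hours_to_exhaust(frames_per_second: float) -> float:
    """Hours until a sender that never repeats an IV is forced to wrap."""
    return IV_SPACE / frames_per_second / 3600


def collision_probability(frames: int) -> float:
    """Birthday bound: P(at least one repeated IV) among `frames` random IVs.

    Uses the standard 1 - exp(-n(n-1)/(2N)) approximation.
    """
    if frames >= IV_SPACE:
        return 1.0
    return 1 - math.exp(-frames * (frames - 1) / (2 * IV_SPACE))


def frames_for_probability(p: float) -> int:
    """Frames needed before P(repeat) reaches p (inverse of the bound above)."""
    return math.ceil(math.sqrt(-2 * IV_SPACE * math.log(1 - p)))


def reused_ivs(observed: list) -> dict:
    """Map each IV value that appears more than once to its count."""
    counts = Counter(observed)
    return {iv: n for iv, n in counts.items() if n > 1}


# Constructed sample: IVs as read from the first three bytes of WEP frame
# bodies. 0x000001 occurs three times and 0x0A0B0C twice; the rest are unique.
SAMPLE_IVS = [0x000001, 0x000002, 0x000001, 0x0A0B0C, 0x000003, 0x000001, 0x0A0B0C]

if __name__ == "__main__":
    # Assumed load: 1,000 frames per second on a busy AP.
    print(f"IV space exhausted in {hours_to_exhaust(1000):.2f} hours at 1000 frames/s")
    print(f"P(collision) after 5,000 frames: {collision_probability(5000):.3f}")
    print(f"Frames for a 50% chance of a repeat: {frames_for_probability(0.5)}")
    print("Reused IVs in sample:", reused_ivs(SAMPLE_IVS))
```

The takeaway is that a repeat is expected after only a few thousand frames even if IVs were chosen at random; many real cards counted sequentially from zero after reset, which makes repeats certain rather than probable.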
"Growing" a Key Stream Attack
• Once a key stream has been derived for a given frame size, it can be "grown" to any size
required.
1. The network attacker can build a frame one byte larger than the known key stream size; an
Internet Control Message Protocol (ICMP) echo frame is ideal because the access point solicits
a response
2. The network attacker then augments the key stream by one byte
3. The additional byte is guessed because only 256 values are possible
4. When the network attacker guesses the correct value, the expected response is received: in
this example, the ICMP echo reply message
5. The process is repeated until the desired key stream length is obtained
Corporate Security Policy
• Develop a wireless security policy to define what is
and what is not allowed with wireless technology.
• Know the technologies and the users that use the
network.
• Measure the basic field or illumination coverage of
the wireless network.
• Physical Security
Corporate Security Policy
• Set baselines and perform
audits/monitoring of the network.
• Harden APs, servers, and gateways.
• Determine level of security protocols
and standards.
• Consider using switches, DMZ, RADIUS
servers, and VPN.
• Update firmware and software.
To Secure the WLAN
• If possible, put the wireless network behind its own
routed interface so you can shut it off if necessary.
• Pick a random SSID that gives nothing about your
network away.
• Use WPA or have your broadcast keys rotate every
ten minutes.
• Use 802.1X for key management and authentication
– Look over the available EAP protocols and decide which is
right for your environment.
– Set the session to time out every ten minutes or less.
Service Set Identifier Myth
• The SSID is a construct that allows logical separation
of wireless LANs.
• A client must be configured with the appropriate
SSID to gain access to the wireless LAN.
• The SSID does not provide any data-privacy
functions, nor does it truly authenticate the client to
the access point.
MAC Address Authentication
• MAC address authentication is not specified in the 802.11 standard
• Many vendors, including Cisco, support it.
• MAC address authentication verifies the client's MAC address against a locally configured list
of allowed addresses or against an external authentication server
• MAC authentication is used to augment the open and shared key authentications provided by
802.11
MAC Address Authentication Vulnerabilities Myth
• MAC addresses are sent in the clear as required by the 802.11
specification.
• In wireless LANs that use MAC authentication, a network
attacker might be able to subvert the MAC authentication
process by "spoofing" a valid MAC address.
• MAC address spoofing is possible in 802.11 network interface
cards (NICs) that allow the universally administered address
(UAA) to be overwritten with a locally administered address
(LAA).
• A network attacker can use a protocol analyzer to determine a
valid MAC address in the basic service set (BSS) and an
LAA-compliant NIC with which to spoof the valid MAC address.
Authentication Vulnerabilities with SSID
• The SSID is advertised in plain text in the access point beacon messages. Although beacon
messages are transparent to users, an eavesdropper can easily determine the SSID with a
WLAN packet analyzer.
• Some access-point vendors offer the option to disable SSID broadcasts in the beacon
messages.
• The SSID can still be determined by sniffing the probe response frames from an access point.
• Disabling SSID broadcasts might have adverse effects on Wi-Fi interoperability for
mixed-client deployments.
Challenges of Securing Information
• Trends influencing the increasing difficulty of
information security:
– Speed of attacks
– Sophistication of attacks
– Faster detection of weaknesses
• Day zero attacks
– Distributed attacks
• The “many against one” approach
• Impossible to stop attack by trying to identify and block source
Security Organizations
• Many security organizations exist to provide security
information, assistance, and training
• Computer Emergency Response Team Coordination
Center (CERT/CC)
• Forum of Incident Response and Security Teams
(FIRST)
• InfraGard
• Information Systems Security Association (ISSA)
• National Security Institute (NSI)
• SysAdmin, Audit, Network, Security (SANS) Institute
Common Attack Methods
• Eavesdropping
• Hijacking
• Man-in-the-middle
• Denial of Service (DoS)
• Management interface exploits
• Encryption cracking
• Authentication cracking
• MAC spoofing
• Peer-to-peer
• Social engineering
Eavesdropping Issues
• Definition: The interception and reading of messages
and information by unintended recipients
• WLAN sends data through the open air
• Attacker can easily capture frames
• Attacker may not be able to read frames
• Encryption of data reduces the ability to “read”
• When you access a network, be sure you have been given
the right to do so
• Wardriving is eavesdropping
• Laws are being enforced against eavesdropping
Eavesdropping Utilities
Casual
• MacStumbler
• KisMac
• NetStumbler
• KisMet
• Easy Wi-Fi Radar
• WiFi Hopper
Malicious
• OmniPeek Personal (free)
• AiroPeek
• Network Instruments Observer
• AirMagnet Laptop Analyzer
• Javvin CAPSA
• Wireshark (free)
• CommView for Wi-Fi PC
• CommView for Wi-Fi PocketPC
Man-in-the-Middle Attack
• Makes it seem that two computers are
communicating with each other
– Actually sending and receiving data with a computer between them
– Active or passive
SSID Filtering
• Disable SSID broadcast.
By default, most wireless networking devices are set
to broadcast the SSID, so anyone can easily join the
wireless network.
• Change the default SSID.
Wireless APs have a default SSID set by the factory.
Linksys wireless products use Linksys. Change the
network's SSID to something unique, and make sure
it doesn't refer to the networking products, your
company, department function, or location.
Hijacking and Man-in-the-middle
• Defined: An unauthorized user takes control of an authorized
user’s WLAN connection
• Occurs at Layer 1, Layer 2 and Layer 3
• Hijacking Outline
– Attacker starts own AP and captures traffic
– Attacker configures his AP with victim SSID
– Attacker sends deauthentication frame with high-power RF
– Victim reassociates with higher-power attacker AP
– Attacker runs DHCP giving address to victim
• Attacker can try to steal data from victim
• Attacker can use second NIC to connect to original AP
– Traffic between victim and original AP is captured by attacker
– Complete man-in-the-middle attack with capture of Layer 1, Layer 2 and Layer 3
Windows Client Vulnerabilities and Solutions
• By default Windows sends out probe requests for “preferred
networks”
• Wireless Network tab properties establishes what networks
and the order - scans for SSIDs in list
• If it cannot find a “preferred network” it will continue to scan
• A rogue AP has heard the SSID scan list and configures itself as one
of the unsecured SSIDs
• Victim Windows client connects to rogue AP
• Solutions
– Keep WLAN card powered off
– Remove unsecured SSIDs from list after using
– Disable Windows client and use a more secure third-party client (Cisco LEAP)
Denial of Service Attack (DoS)
• Definition: An attack that results in the inability of a user or
system to access needed resources
• Layer 1 Attack - RF jamming
– High level RF signal generator “drowns out” APs in area
• Unintentional DoS - interference from microwave, wireless phone
• Layer 2 Attack - Spoofs AP and generates management frames
– Rogue AP spoofs AP MAC address
– Rogue generates deauthentication or disassociation frame
– Client STA disassociates
– Rogue continues to send deauthentication or disassociation frames
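The hijacking outline, the Windows preferred-network rogue AP, and the Layer 2 deauthentication DoS above all leave the same evidence in a monitor-mode capture: management frames that a legitimate AP would not send. The following Python detector is an added example written for these notes (not from the slides or from any WIDS product). It assumes a simple CSV export of management frames with the columns time, type, src, ssid and rssi, an inventory of known BSSIDs per SSID, and a constructed sample log; the window and threshold values are assumptions to be tuned per site.

```python
"""Added example: detecting deauthentication floods and rogue APs from a
management-frame log.

Illustrative detector for these notes, not from the slides or any product.
Input is a constructed CSV (time_seconds, frame_type, src_mac, ssid, rssi_dbm)
of the kind a monitor-mode capture could be exported to. Two checks:
  1. more than DEAUTH_THRESHOLD deauth/disassoc frames from one source inside
     WINDOW seconds (the Layer 2 DoS and the hijacking kick-off);
  2. a beacon or probe response advertising a known SSID from a BSSID that is
     not in the inventory (rogue AP / evil twin).
"""
import csv
import io
from collections import defaultdict, deque

WINDOW = 5.0            # seconds (assumed)
DEAUTH_THRESHOLD = 20   # frames per window from one source (assumed)

# Assumed inventory: SSID -> set of legitimate BSSIDs (constructed values).
KNOWN_APS = {"corp-wlan": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}}


def detect(log_text: str) -> dict:
    """Return {'deauth_floods': [(src, window_start, count)],
               'rogue_aps': [(bssid, ssid, rssi)]}; each source is reported once."""
    deauth_floods, rogue_aps = [], []
    flagged_src, flagged_rogue = set(), set()
    recent = defaultdict(deque)   # src -> timestamps of deauth frames in window
    for row in csv.DictReader(io.StringIO(log_text)):
        t, kind, src = float(row["time"]), row["type"], row["src"].lower()
        if kind in ("deauth", "disassoc"):
            q = recent[src]
            q.append(t)
            while q and t - q[0] > WINDOW:    # slide the window forward
                q.popleft()
            if len(q) > DEAUTH_THRESHOLD and src not in flagged_src:
                flagged_src.add(src)
                deauth_floods.append((src, q[0], len(q)))
        elif kind in ("beacon", "probe_resp"):
            ssid = row["ssid"]
            if ssid in KNOWN_APS and src not in KNOWN_APS[ssid] and src not in flagged_rogue:
                flagged_rogue.add(src)
                rogue_aps.append((src, ssid, int(row["rssi"])))
    return {"deauth_floods": deauth_floods, "rogue_aps": rogue_aps}


def make_sample_log() -> str:
    """Constructed log: normal beacons, one rogue beacon, a deauth burst, one stray deauth."""
    lines = ["time,type,src,ssid,rssi"]
    for i in range(10):
        lines.append(f"{i * 0.1:.1f},beacon,00:11:22:aa:bb:01,corp-wlan,-55")
    # Same SSID from an unknown BSSID at a stronger signal: the hijacking pattern.
    lines.append("1.0,beacon,de:ad:be:ef:00:01,corp-wlan,-30")
    # 25 deauths in 1.2 s carrying the real AP's address: the Layer 2 DoS pattern.
    for i in range(25):
        lines.append(f"{2.0 + i * 0.05:.2f},deauth,00:11:22:aa:bb:01,,-35")
    # A single deauth from the other AP is normal housekeeping, not a flood.
    lines.append("9.0,deauth,00:11:22:aa:bb:02,,-60")
    return "\n".join(lines)


if __name__ == "__main__":
    for key, hits in detect(make_sample_log()).items():
        print(key, hits)
```

The source address of a deauth flood is usually the spoofed address of the real AP, so the alert identifies the victim BSSID rather than the attacker; locating the sender is the spectrum-analyzer and signal-strength work described on the next slide. On a WPA2 network with 802.11w management frame protection enabled, unprotected deauth frames are a separate, directly observable anomaly.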
Other DoS Attacks
• Empty Data Floods
– Install two or three wireless adapters in laptop
– Generate continuous maximum size frames
– Position close to victim STA for stronger signal
– Tie up RF spectrum, preventing connection to legitimate APs
• Other Attacks
– Association Floods
– Authentication Floods
– Unauthorized AP left on
• Solution
– Use spectrum analyzer to track down location of interference
– Scan for SSIDs and zero in on signal
Management Interface Exploits
• Web-based Interface exploit
– Attacker captures traffic and determines IP network with scanning
utility
– Varies address and finds AP gateway address (example 192.168.1.1,
10.10.10.1 …)
– Tries passwords if necessary
– Changes AP configurations
– Turns off all MAC access except attacker's - a form of DoS
• Solutions
– Strong AP password
– Disable web interface
– Secure telnet and SSH
– Use strong WPA-PSK or WPA2-PSK
Encryption Cracking
• Weak Key Cracking
– Attacker captures 100 MB of data
– Process captured data with “cracking tool”
– Obtain WEP key in seconds
– Weak keys and initialization vectors are very vulnerable
• Solution
– Use strong encryption
– WPA2 and AES
– IEEE 802.11i
– EAP-Cisco LEAP
• More Information in Chapter-10
Open System Authentication Vulnerabilities
• Inherently weak
– Based only on match of SSIDs
– SSID beaconed from AP during passive scanning
• Easy to discover
• Vulnerabilities:
– Beaconing SSID is default mode in all APs
– Not all APs allow beaconing to be turned off
• Or manufacturer recommends against it
– SSID initially transmitted in plaintext (unencrypted)
• Vulnerabilities - If an attacker cannot capture an initial negotiation process,
they can force one to occur
– SSID can be retrieved from an authenticated device
– Many users do not change default SSID
• Several wireless tools freely available that allow users with no advanced
knowledge of wireless networks to capture SSIDs
Peer-to-Peer Attacks
• Definition: Peer-to-Peer attack occurs when one STA attacks
another STA that is associated with same AP
• Intention is generally data theft
• Installation of backdoors and other software
• Laptops are particularly vulnerable
• IBSS networks vulnerable (ad hoc)
• Hot spot networks can be a serious problem
• Solutions:
– Public Secure Packet Forwarding (PSPF) applications
– STA to STA communication disallowed
– Microsoft file sharing disabled
Social Engineering
• Definition: Technique of persuading people to give you
something that they should not give you
– Organization Information
– Data
– Passwords and passphrases
– Keys
• Targets
– Help Desk
– On-site contractors
– Employees
• Solutions
– Do not only depend upon technology
– Train personnel regularly
MAC Address Filtering and Spoofing
• Most access points offer some form of
MAC Filtering.
– MAC Access Lists
– Advanced MAC Filtering Lists
• WLAN administrator must configure a list or set of
rules for clients that will be allowed or not allowed to
join the network.
MAC Access Filtering (figure: Proxim AP-600b)
The figure shows an AP-600b access point (AP-1) on the wired LAN with a MAC address
filtering database server, a wired client with MAC address 001122C5AF3B, and a
wireless client with MAC address 00022D9DE44E.
MAC Address Filtering (figure: AP-600b filter entries)
• Filtering = Blocking
• Mask: F = Look, 0 = Ignore (logical ANDing)
• Wired MAC Adr. = 001122C5AF3B, Wired Mask = FFFFFFFFFFFF
• Wireless MAC Adr. = 00022D9DE44E, Wireless Mask = FFFFFFFFFFFF
Circumventing MAC Filters
• MAC addresses are sent in the clear in the frame
header!
• User/attacker can change their MAC address via
software and then spoof or more accurately
impersonate or masquerade under the address.
• Evade/Hide Network Presence
• Bypass Access Control Lists
• Authenticated User Impersonation
MAC Spoofing
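The AP-600b figure gives the filter rule (AND the source address with the mask, F = look at the nibble, 0 = ignore it) and the slide above gives the reason the rule is weak. The Python below is an added example for these notes, not Proxim's firmware or any vendor's code: it implements the mask-based match using the two addresses from the figure, then adds two administrator-side checks, one that audits an access list for masks broad enough to admit a whole vendor range, and one that flags a source address whose locally-administered (U/L) bit is set, which is what a NIC whose universally administered address has been replaced in software commonly presents. The access list entries beyond the two figure addresses are constructed.

```python
"""Added example: mask-based MAC filtering as in the AP-600b figure, plus two
checks on what such a filter admits.

Illustrative code for these notes, not from the slides or from Proxim. The
match rule is (src AND mask) == (entry AND mask). A mask of FFFFFFFFFFFF
matches one exact address; FFFFFF000000 matches every address with that OUI.
"""
import re

_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")
FULL_MASK = 0xFFFFFFFFFFFF


def parse_mac(text: str) -> int:
    """Accept '001122C5AF3B', '00:11:22:C5:AF:3B' or '00-11-22-c5-af-3b'."""
    raw = re.sub(r"[:\-]", "", text)
    if not _HEX12.match(raw):
        raise ValueError(f"bad MAC: {text!r}")
    return int(raw, 16)


def matches(entry: str, mask: str, frame_src: str) -> bool:
    """Apply the logical-AND rule from the figure."""
    m = parse_mac(mask)
    return parse_mac(frame_src) & m == parse_mac(entry) & m


def filter_decision(acl: list, frame_src: str, default_allow: bool = False) -> bool:
    """acl: list of (entry, mask, allow). First matching rule wins."""
    for entry, mask, allow in acl:
        if matches(entry, mask, frame_src):
            return allow
    return default_allow


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is the U/L bit: 1 = locally administered (LAA)."""
    first_octet = parse_mac(mac) >> 40
    return bool(first_octet & 0x02)


def audit_acl(acl: list) -> list:
    """Entries of allow rules whose mask ignores part of the address (overly broad)."""
    return [entry for entry, mask, allow in acl
            if allow and parse_mac(mask) != FULL_MASK]


# Constructed ACL: the two addresses from the figure plus one broad OUI rule.
SAMPLE_ACL = [
    ("001122C5AF3B", "FFFFFFFFFFFF", True),   # wired client, exact match
    ("00022D9DE44E", "FFFFFFFFFFFF", True),   # wireless client, exact match
    ("00022D000000", "FFFFFF000000", True),   # any NIC with the 00:02:2D prefix
]

if __name__ == "__main__":
    for src in ("00:02:2d:9d:e4:4e", "00:02:2d:00:00:01", "00:11:22:00:00:01", "02:00:00:00:00:01"):
        print(src, "allowed" if filter_decision(SAMPLE_ACL, src) else "blocked",
              "(LAA)" if is_locally_administered(src) else "")
    print("overly broad allow entries:", audit_acl(SAMPLE_ACL))
```

The U/L-bit check is a heuristic only: it catches addresses that were invented locally, but an address copied from a legitimate client keeps its UAA form, which is exactly the spoofing case the slide describes. That is why the slides treat MAC filtering as an augmentation of, not a substitute for, 802.1X or WPA2 authentication.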
Other Security Techniques
• Wireless hacking Techniques website
• http://www.cs.wright.edu/~pmateti/InternetSecurity
/Lectures/WirelessHacks/Mateti-WirelessHacks.htm