Presentation Full Set - Professional Information Security Association
PISA Workshop
Wireless LAN Security
Live Demo
Presented by PISA members
27 July 2002
Mr. Alan Tam CISSP, CCSI, ICI
Mr. Jim Shek CISSP, CISA
Mr. Young, Wo Sang CISSP, CISA
Mr. Marco Ho
Supporting Organizations
Table of Content
1. WLAN War Driving in Hong Kong - Jim Shek
2. WLAN Terms and Security Risks - Young, Wo Sang
3. Demo I: Home made antenna, so easy! - Jim Shek
4. Demo II: WEP Weakness and Cracking - Alan Tam
5. Demo III: Protection from Sniffing by VPN Encryption - Marco Ho
6. WLAN Protection Strategy - Young, Wo Sang
7. Demo IV: Protection from Illegal Access with silent SSID - Marco Ho, Alan Tam
8. The Powerful WLAN Tool: Kismet - Alan Tam
1. War Driving in Hong Kong
Wireless LAN Security Live Demo
Jim Shek
What is War Driving?
The concept of "war driving" is simple: you need a device capable of receiving an 802.11b signal, a device capable of moving around, and software that will log data from the second when a network is detected by the first. You then move these devices from place to place, letting them do their job. Over time, you build up a database comprised of the network name, signal strength, location, and IP/namespace in use.
War Driving in Hong Kong
• Background:
• Date : Jul 07, 2002
• Time : 11:35am – 1:40pm
• Weather : Isolated Showers
War Driving in Hong Kong
• Route :
• Admiralty MTR Station -> Pacific Place -> Tram (Admiralty to Kennedy Town) -> Tram (Kennedy Town to Causeway Bay)
War Driving in Hong Kong
• Equipment:
– Notebook + Avaya Gold Wireless LAN card + Windows XP + NetStumbler
– Notebook + Avaya Gold Wireless LAN card + Antenna + Windows 2000 + NetStumbler
• Notes :
– The Scan Speed of NetStumbler was changed to Fastest.
• Participants :
– PISA
War Driving in Hong Kong
• Result
Overview:
• Total Number of Discovered Access Points with antenna : 187
• Total Number of Discovered Access Points without antenna : 52 (subset of above)
Chart 1: Antenna Power (28% of the APs were also found without the antenna; 72% were found only with it)
War Driving in Hong Kong
• Result
WEP Usage: WEP Enable : 43   WEP Disable : 144
Chart 2: WEP Usage (WEP Enable 23%, WEP Disable 77%)
War Driving in Hong Kong
• Result
SSID Usage: Default SSID : 77   Non Default SSID : 87   Unknown : 5   Other* : 18
Chart 3: SSID Usage (Default SSID 41%, Non Default SSID 46%, Well-known 10%, Unknown 3%)
* Other means well-known SSID, i.e. PCCW & i-cable
Some of the Default SSID list is referenced from http://wlana.net/acc_point.htm
War Driving in Hong Kong
• Result
Top SSIDs: default 27%, PCCW 23%, Times_Square 14%, WaveLAN Network 9%, tsunami 6%, My Network 6%, linksys 6%, HV24Ap1 and IEEE 802.11 LAN 4–5% each
Chart 4: Top SSIDs
War Driving in Hong Kong
• Result
Channel Distribution:
Channel        : 1   2   3   4   5   6   7   8   9   10  11
Number of APs  : 78  1   13  4   1   18  9   2   6   14  37
Default Channel ID : 71 %
Non Default Channel ID : 29 %
Chart 5: Channel ID Setting Behavior
War Driving in Hong Kong
• Interesting Observations
Building-to-Building WLAN
• We discovered that the signals of two APs with the same SSID name were very strong. These two APs stayed in the list for 3 minutes while the tram was moving.
War Driving in Hong Kong
• Interesting Observations
When the tram was stopped …
• When the tram was stopped, the APs were easier to discover. One of the reasons is that the software has a longer time to poll within the effective range. This is particularly true when we were using the machine without the antenna.
War Driving in Hong Kong
• Interesting Observations
The Accessibility of APs
• Some APs were accessible when the tram was stopped. We came across some places where the APs were ready for us to connect to. Below is the snapshot.
War Driving in Hong Kong
• 堅城中心
• 中銀保險
• 創業商場
• 環球大廈
• 西區警局
• 警察總站
• 上環 MTR
• 大有商場
• 世界書局
• 英皇中心
War Driving in Hong Kong
• Another Discovery in Taikoo Place
Background:
• Date : Jul 05, 2002
• Time : 03:00pm – 3:20pm
• Route : Within Taikoo Place
• Equipment:
– Notebook + Avaya Gold Wireless LAN card + Antenna + Windows 2000 + NetStumbler
• Notes :
– The Scan Speed of NetStumbler was default (ie medium)
• Participants :
– PISA
War Driving in Hong Kong
• Another Discovery in Taikoo Place
Overview:
• Total No. of Discovered Access Points with antenna : 30
WEP Usage:
• WEP Enable : 7 (23%)
• WEP Disable : 23 (77%)
SSID Usage:
• Default SSID : 8   Non Default SSID : 14
• Unknown : 2   Other* : 6
(Problem SSID: 47%)
Channel Distribution:
Channel        : 1   3   5   6   7   8   9   11
Number of APs  : 17  1   2   4   1   1   1   3
(Default Channel: 80%)
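The figures on the result slides (for both the tram route and Taikoo Place) can be produced mechanically from a scan export. The following is an added example, not part of the PISA handout, that reads constructed NetStumbler-style lines and computes the same three metrics: WEP usage, SSID category (default, well-known, unknown, non-default) and default-channel use. It assumes a small subset of the wlana.net default-SSID list, the two operator SSIDs the slides count as "Other", and channels 1, 6 and 11 as vendor defaults (an assumption that matches the 71% and 80% figures above).

```python
from collections import Counter

# Assumed: a subset of vendor default SSIDs (the slides cite wlana.net for the
# full list), the two operator SSIDs counted as "Other", and default channels.
DEFAULT_SSIDS = {"default", "linksys", "tsunami", "wavelan network"}
WELL_KNOWN_SSIDS = {"pccw", "i-cable"}
DEFAULT_CHANNELS = {1, 6, 11}   # assumption; consistent with the 71%/80% figures

def classify_ssid(ssid):
    """Map an SSID to the four categories of Chart 3."""
    if not ssid:                  # hidden or empty SSID in the scan log
        return "unknown"
    name = ssid.strip().lower()
    if name in DEFAULT_SSIDS:
        return "default"
    return "well-known" if name in WELL_KNOWN_SSIDS else "non-default"

def parse_log(text):
    """Parse 'SSID;channel;wep' lines into (ssid, channel, wep_enabled)."""
    aps = []
    for line in text.strip().splitlines():
        if line and not line.startswith("#"):
            ssid, chan, wep = line.split(";")
            aps.append((ssid, int(chan), wep.strip().lower() == "y"))
    return aps

def summarize(aps):
    """Return the percentages shown on the result slides (rounded)."""
    total = len(aps)
    pct = lambda n: round(100.0 * n / total) if total else 0
    cats = Counter(classify_ssid(s) for s, _, _ in aps)
    return {
        "total": total,
        "wep_enabled_pct": pct(sum(1 for _, _, w in aps if w)),
        "ssid": {k: pct(v) for k, v in cats.items()},
        "problem_ssid_pct": pct(cats["default"] + cats["well-known"]),
        "default_channel_pct": pct(sum(1 for _, c, _ in aps if c in DEFAULT_CHANNELS)),
    }
# Constructed sample scan export, one AP per line: SSID;channel;wep
SAMPLE_LOG = """tsunami;6;n
default;6;n
linksys;11;n
PCCW;1;y
Times_Square;1;y
;3;n
Acme-Office;11;y
WaveLAN Network;6;n
i-cable;1;n
MyPrivateNet;10;y"""
```

Calling summarize(parse_log(SAMPLE_LOG)) gives the WEP, SSID-category and default-channel percentages for the constructed sample in one dictionary.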
2. Wireless LAN Terms and Security Risks
Young Wo Sang
What is Wireless LAN?
• It is a LAN
• Extension of Wired LAN
• Uses High Frequency Radio Waves (RF)
• Speed : 2Mbps to 54Mbps
• Distance : 100 feet to 15 miles
WLAN Terms & Basic Concept
• 802.11
IEEE family of specifications for WLANs
2.4GHz 2Mbps
• 802.11a
5GHz, 54Mbps
• 802.11b
Often called Wi-Fi, 2.4GHz, 11Mbps
• 802.11e
QoS & Multimedia support to 802.11b & 802.11a
• 802.11g
2.4GHz, 54Mbps
• 802.11i
An alternative to WEP
• 802.1x
A method of authentication and security for all Ethernet-like protocols
WLAN Terms & Basic Concept
• Access Point (AP)
A device that serves as a communications "hub" for wireless
clients and provides a connection to a wired LAN
• Beacon
Message transmitted at regular intervals by the APs
Used to maintain and optimize communications to
automatically connect to the AP
WLAN Terms & Basic Concept
• Ad Hoc Mode
Wireless client-to-client communication, the opposite is
Infrastructure Mode
WLAN Terms & Basic Concept
• Infrastructure Mode
A client setting providing connectivity to APs, as opposed to Ad Hoc Mode
WLAN Terms & Basic Concept
• SSID or BSSID
Basic Service Set Identifier
An AP that forms an association with one or more wireless clients is referred to as a Basic Service Set (BSS); its identifier is the BSSID or SSID (Basic Service Set Identifier).
Figure: a BSS, with the AP transmitting beacons.
WLAN Terms & Basic Concept
• ESSID
Extended Service Set Identifier
In order to increase the range and coverage of the wireless network, one needs to add more strategically placed APs to the environment to increase density. This is referred to as an Extended Service Set (ESS); its identifier is the ESSID (Extended Service Set Identifier).
WLAN Terms & Basic Concept
• WEP
Optional cryptographic confidentiality algorithm
WLAN Terms & Basic Concept
• Channel
WLAN Terms & Basic Concept
• DSSS Channel
Figure: the eleven DSSS channels in the 2.4 GHz band plotted against Frequency (GHz). Channel 1 is centred at 2.412 GHz, channel 6 at 2.437 GHz and channel 11 at 2.462 GHz; the band shown runs from 2.400 to 2.474 GHz.
WLAN Terms & Basic Concept
• DSSS
Direct Sequence Spread Spectrum: an RF carrier and a pseudo-random pulse train are mixed to make a noise-like wide-band signal.
• FHSS
Frequency Hopping Spread Spectrum: transmitting on one frequency for a certain time, then randomly jumping to another, and transmitting again.
Reading the Strength
• dBm
Decibel referenced to 1 milliwatt into a 50Ω impedance (usually)
dBm = 10 * log10(mW)
e.g. 0 dBm = 1 mW
• Attenuation/gain revision:
dB = 10 * log10(output / input)
If output > input, then dB will be +ve
If output < input, then dB will be -ve
WLAN Terms & Basic Concept
• Signal Level (SL) & Noise Level (NL)
Figure: three signal level / noise level (SL/NL) readings.
WLAN Risk
• Unauthorized Clients
Figure: a malicious client; labels "In range", "Out of range !!" and "Detector".
WLAN Risk
• Unauthorized or Renegade Access Points
• Interception and unauthorized monitoring of wireless traffic
• Client-to-Client Attacks
• Jamming (DoS)
Figure: a malicious client performing a client-to-client attack and jamming.
WLAN Risk - Fake Access Point
• Access Point Clone (Evil Twin) Traffic Interception
Figure: the legitimate AP1 and its clone AP1*.
WLAN Risk
• Brute force attacks against access point
passwords
• WEP weakness
• “Mis-configurations”
SSIDs
SNMP Community (RO & RW)
Administration (Web, Telnet, Serial)
Installation
WLAN Risk
• Deployment
Internal Network?!
DMZ?!
Who can install an AP?
• Many $$ to secure the wired network
• A user spends HK$2,000 to break it
When was it installed?
Where are APs installed?
WLAN Risk
• Low cost product prevalent
limited features, insecure
• Accidental detection
Wireless card itself
3. Demo I: Home made antenna, so easy
Jim Shek
Home made antenna, so easy
• Use available material to hand-make an antenna, with gain from 3dB to 11dB (Real Object Shown)
• Compared to a commercial antenna with gain 6dB, costing HKD600+
• Dimension is the key to success. Measurements are available via web search.
• With an antenna, the result of War Driving can be much improved, and so is the risk of exposing your WLAN network to hacking!
4. Demo II: WEP Weakness and Cracking
Alan Tam
WEP Weakness
• Background
• Weakness in KSA/RC4
• Proof of Concept
• Some counter actions
The magic RFMON mode
• Property:
Like promiscuous mode in wired networks
Listen (receive) only
Also known as “Monitor Mode”
• Chipsets capable of RFMON (i.e. with opened specifications)
Cisco Aironet
Based on Intersil Prism2
Orinoco (well, not official)
What do Linux Hackers use?
• NIC drivers
wlan-ng 0.1.13+ with patch, or 0.1.14pre?+
orinoco_cs 0.09b+ with patch
• Libpcap library with PF_PACKET interface, patched to interpret 802.11b packets
for example, 0.7.1 with patch
• Prism Driver & Orinoco Patch
ftp://ftp.linux-wlan.org/pub/linux-wlan-ng/
http://airsnort.shmoo.com/orinocoinfo.html
WEP
• Stands for Wired Equivalent Privacy
• Symmetric Encryption Algorithm: RC4
• Commercially claimed key size: 40 or 128 bit (as of April 2002)
• At the back:
40 bit secret key + 24 bit IV = 64 bit packet key
104 bit secret key + 24 bit IV = 128 bit packet key
IV = Initialization Vector
Weaknesses in KSA of RC4
• Presented in a paper by Scott Fluhrer, Itsik Mantin, Adi Shamir
• Invariance weakness: existence of a large class of weak keys
• IV weakness: related key vulnerability
WEP Attack
• Invariance weakness -> WEP packet distinguisher
• IV weakness -> exists in a commonly used mode in RC4
• Properties
Cryptanalytic Attack: generally faster than Brute-force Attack
Passive Ciphertext-only Attack: zero knowledge needed
Proof of Concept
• Adam Stubblefield, AT&T Labs
http://www.cs.rice.edu/~astubble/wep
• WEPCrack
http://sourceforge.net/projects/wepcrack
• Airsnort
http://airsnort.shmoo.com/
Case Study: Airsnort
• Maintained by The Shmoo Group
• An X-windows application
• Supported platforms:
Cisco Aironet
Prism
Orinoco
• Requires approx. 5-10 million encrypted
packets to break a key
TKIP
• Temporal Key Integrity Protocol
Initially referred to as WEP2
128bit TK + 40 bit Client MAC
16-octet IV
RC4 (still)
TK changed every 10,000 packets
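To show why a 24-bit IV in front of a static key is the problem described on the WEP slide, and why TKIP's rekeying every 10,000 packets matters, here is an added example (not from the PISA handout) that builds the WEP per-packet key as IV || secret key, runs it through textbook RC4, and shows that two frames sent under the same IV leak the XOR of their plaintexts; a birthday estimate shows how soon an IV repeat is expected. The key, IV and plaintexts are constructed values, and the estimate assumes randomly chosen IVs.

```python
import math

def rc4_keystream(key, length):
    """Textbook RC4: key scheduling (KSA), then PRGA; returns `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                         # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                      # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(secret_key, iv, plaintext):
    """WEP frame body: the 24-bit IV travels in clear and is prepended to the
    40- or 104-bit secret key, giving the 64/128-bit per-packet RC4 key."""
    assert len(secret_key) in (5, 13) and len(iv) == 3
    ks = rc4_keystream(iv + secret_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))

def xor_of_plaintexts(frame1, frame2):
    """Two frames under the same key and IV share a keystream, so XORing the
    ciphertexts cancels it and leaks plaintext1 XOR plaintext2."""
    if frame1[:3] != frame2[:3]:
        return None                              # different IV: no shared keystream
    return bytes(a ^ b for a, b in zip(frame1[3:], frame2[3:]))

def iv_collision_probability(packets, iv_bits=24):
    """Birthday bound: probability that some IV repeats after `packets`
    packets drawn at random from 2**iv_bits values."""
    n = 2 ** iv_bits
    return 1 - math.exp(-packets * (packets - 1) / (2 * n))

if __name__ == "__main__":
    key, iv = b"\x01\x23\x45\x67\x89", b"\x00\x00\x01"   # constructed values
    f1 = wep_encrypt(key, iv, b"hello world")
    f2 = wep_encrypt(key, iv, b"HELLO WORLD")
    print(xor_of_plaintexts(f1, f2))             # equals b"hello world" XOR b"HELLO WORLD"
    print(round(iv_collision_probability(10_000), 3))  # an IV repeat is likely within TKIP's rekey interval
```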
Reference
• Technical Knowledge
http://www.qsl.net/n9zia/wireless/index.html
http://www.80211-planet.com/tutorials
• Access Points MAC addresses
http://aptools.sourceforge.net/
Reference
• Linux Resources
http://www.hpl.hp.com/personal/Jean_Tourrilhes/index.html
http://lists.samba.org/listinfo/wireless
http://airtraf.sourceforge.net/
5. Demo III: Securing Wireless Networks by VPN
Marco Ho
Secure Protocols for Encryption
Figure: where encryption can be applied in the protocol stack between a wireless client and a wired server. SSL sits between the Application and Transport (TCP, UDP) layers, a VPN at the Network (IP) layer, and WEP at the 802.11b Link layer above the 802.11b Physical layer. The router forwards between the 802.11b Link/Physical layers on the wireless side and the Ethernet Link/Physical layers on the wired side.
Network Level Encryption (VPN)
Advantages
• Encryption of multiple protocols
• Hides the network routing (with proper configuration)
Choices
1. PPTP
• Comes with W2K RRAS
• Simpler and easier to configure
2. IPSec
• More secure
• Microsoft: IPSec over L2TP using 3DES
• Use certificates (instead of pre-shared keys) to further improve the security: mutual authentication
Real Life Demo with PPTP
VPN Server
Microsoft VPN Server (RRAS+PPTP)
• Encryption
MPPE 128 (Microsoft Point-to-point Encryption)
• Authentication
MS-CHAP V2
Remark: WEP turned off for demonstration purpose
Sniffing Tools
• Two sniffing tools used to capture traffic
packet contents
Ethereal
• Freeware available in Linux and Win32 platforms
Iris
• Commercial product, 15-day evaluation available
• Strong decode function to ease protocol session
tracking
Without VPN Encryption
Figure: FTP client "A" transfers to FTP server "B" over the WLAN with no WEP; a Sniffer (IP 10.0.0.15) on the same WLAN captures the session. Addresses shown: 10.0.0.1, 10.0.0.15, 10.0.0.20, 10.0.0.25.
With VPN Encryption
Figure: "A" (VPN Client and FTP Client) connects over the wireless side (no WEP) to "C", the VPN Gateway (IP 10.0.0.10) running the PPTP VPN Server, and through it over Ethernet to FTP server "D". The Sniffer (IP 10.0.0.15) sees only the VPN tunnel; the "Clear text" label is on the Ethernet side behind the gateway. Addresses shown: 10.0.0.1, 10.0.0.10, 10.0.0.15, 10.0.0.20, 192.168.1.230, 192.168.1.254.
6. Wireless LAN Protection Strategies
Young, Wo Sang
Recommendation (I)
• Wireless LAN related Configuration
Enable WEP, use 128bit key*
Drop non-encrypted packets
Disable SSID Broadcasts
No SNMP access
Choose complex admin password
Enable firewall function
Use MAC (hardware) address to restrict access
Non-default Access Point password
Change default Access Point Name
Use 802.1x [warning]
EAP Enable Authentication
Recommendation (II)
• Deployment Consideration
Closed Network*
Treat Wireless LAN as external network
VPN & Use strong encryption
No DHCP (use fixed private IP)
Install in a Separated Network
Recommendation (III)
• Always (wired or wireless)
Install virus protection software plus automatic, frequent pattern file updates
Shared folders must require a password
• Management Issue
Prohibit installing APs without authorization
Constantly discover any new APs (NetStumbler is free, an antenna is cheap)
Power off the ADSL modem when Internet access is not required
Carefully select the physical location of your AP, not near windows or front doors.
The [warning] of 802.1x
• Session hijacking
The attacker waits for a client to authenticate successfully, then acts as the AP and tells the client “you are disconnected”; the AP still thinks the client exists
• Man-in-the-middle attack
802.1x is a one-way authentication mechanism
The attacker acts as an AP to the client and as a user to the AP
Reference: http://www.infoworld.com/articles/hn/xml/02/02/14/020214hnwifispec.xml
The workaround to the [warning] of 802.1x
• Vendor Proprietary Implementation
“rekeying” of WEP
• “Standard”
TKIP or Temporal Key Integrity Protocol changes the encryption key about every 10,000 packets
7. Demo IV: Silent WLAN Access Point
Marco Ho & Alan Tam
Disabling SSID insertion
• Method 1: Vendor Utility
It may use HTTP or SNMP to set the SSID
• Method 2: Use the AP Utility running under Linux
http://ap-utils.polesye.net/
Managed via SNMP
Supported Platforms:
• ATMEL chipset (e.g. Linksys WAP11, D-Link DWL-900AP, PCi AP-11S)
• NWN chipset (e.g. Compex WavePort WP11)
8. The Powerful WLAN Tool: Kismet
• http://www.kismetwireless.net/
• Network sniffer
• Client server architecture
• Cryptographically weak packet logging
• Used by German federal authorities (26 July 2002)
• Platforms
Intel
iPaq/ARM
Zaurus/ARM
Contributors
The workshop was jointly presented by PISA members
Alan Tam [email protected]
Jim Shek [email protected]
Marco Ho [email protected]
Young, Wo Sang [email protected]
On 27 July 2002, the eve of PISA 1st anniversary of establishment
Remark
Another valuable presentation on the theoretical part:
PISA seminar “Critical Security Issues on Wireless LAN”
by Ray Hunt, 13 June 2002
http://www.pisa.org.hk/event/wlan_sec.pdf
Copyright
Professional Information Security Association (PISA) owns the
copyright of the presentation. Any party can quote the whole or part of
this presentation in an undistorted manner and with a clear reference
to PISA.
Disclaimer
This is the handout of a presentation workshop. The points made here
are kept concise for the purpose of presentation. If you require details
of test and implementation please refer to technical references.