9781435486096_PPT_ch11


Hands-On Ethical Hacking
and Network Defense
Second Edition
Chapter 11
Hacking Wireless Networks
Objectives
• After reading this chapter and completing the
exercises, you will be able to:
– Explain wireless technology
– Describe wireless networking standards
– Describe the process of authentication
– Describe wardriving
– Describe wireless hacking and tools used by hackers and security professionals
Hands-On Ethical Hacking and Network Defense, Second Edition
2
Understanding Wireless Technology
• For a wireless network to function, you must have:
– The right hardware and software
– Technology allowing electrons to travel through air
• Wireless technology is part of daily life
– Baby monitors
– Cell and cordless phones
– Pagers and GPS devices
– Remote controls and garage door openers
– Two-way radios
– Wireless PDAs
Components of a Wireless Network
• Only a few basic components:
– Wireless network interface cards (WNICs)
• Transmit and receive signals
– Access Points (APs)
– Wireless networking protocols
– A portion of the RF spectrum
Access Points
• Access points (APs)
– Radio transceiver that connects to network via
Ethernet cable
• Bridges wireless LAN (WLAN) with wired network
• Not all are connected to a wired network
• Most companies use WLANs connected to wired
network topology
– Where channels are configured
– Enables users to connect to a LAN
• Use wireless technology
• Available only within a defined area
Figure 11-1 AP channels detected
Service Set Identifiers
• Name used to identify a wireless local area network
(WLAN)
• Configured on the AP
– Unique one- to 32-character alphanumeric name
– Case sensitive
• Wireless computers
– Must configure SSID before connecting
– SSID is transmitted with each packet
• Identifies which network the packet belongs to
– AP usually broadcasts SSID
Figure 11-2 SSIDs advertised to a wireless computer
Service Set Identifiers (cont’d.)
• Vendors
– Many have SSIDs set to a default value that
companies never change
• AP can be configured
– Not to provide SSID until after authentication
– Wireless hackers can attempt to guess SSID
– Verify your clients are not using a default SSID
Table 11-1 Default SSIDs
Configuring an Access Point
• Varies depending on embedded OS
– Most devices allow access through Web browser
• Reconfiguring a wireless router running dd-wrt:
– Enter IP address in Web browser
– Provide user logon name and password
– After a successful logon, click Status item
– Click on Wireless tab to configure SSID
– Click Wireless Security tab to configure security
Figure 11-3 Viewing status information in dd-wrt
Figure 11-4 Basic wireless configuration in dd-wrt
Figure 11-5 Configuring wireless security in dd-wrt
Figure 11-6 Entering a WPA2 key
Wireless NICs
• For wireless technology to work, each node or
computer must have a WNIC
– Converts radio waves into digital signals
• There are many WNICs on the market
– Choose yours depending on planned use
– Some tools require certain specific brands
Understanding Wireless Network Standards
• Standard
– Set of rules formulated by an organization
• Institute of Electrical and Electronics Engineers
– Defines several standards for wireless networks
• IEEE Project 802: LAN and WAN standards
The 802.11 Standard
• First wireless technology standard
– Defined specifications for wireless connectivity
– Applied to Physical layer of OSI model
• Wireless networks cannot detect collisions the way wired networks do
– Radio signals can mix and cause a collision
• Carrier sense multiple access/collision avoidance
(CSMA/CA) is used instead of CSMA/CD
• Wireless LANs
– Don’t have address associated with physical location
• Addressable unit is called a station (STA)
The Basic Architecture of 802.11
• Basic service set (BSS)
– Used as building block
– Collection of devices that make up a WLAN
• To connect two BSSs
– 802.11 requires a distribution system (DS) as an
intermediate layer
• Access point (AP) is a station
– Provides access to the DS
• Data moves between a BSS and DS through AP
Figure 11-7 Connecting two wireless remote stations
The Basic Architecture of 802.11 (cont’d.)
• IEEE 802.11
– defines operating frequency range
• U.S. is 2.4 to 2.4835 GHz
• Each frequency band contains channels
– A channel is a frequency range
– 802.11 standard defines 79 channels
– If channels overlap, interference could occur
The Basic Architecture of 802.11 (cont’d.)
• Amplitude
– Sound wave height
• Frequency
– Rate at which sound waves repeat
• Cycle
– Completion of repeating pattern
• Hertz
– Cycles per second
• Bands
– Different frequencies
Table 11-2 Frequency bands
An Overview of Wireless Technologies
• Infrared (IR) technology
– Can’t be seen by the human eye
– Restricted to a single room or line of sight
– Cannot penetrate walls, ceilings, or floors
• Narrowband
– Uses microwave radio band frequencies to transmit
data
• Cordless phones
• Garage door openers
An Overview of Wireless Technologies (cont’d.)
• Spread Spectrum
– Modulation
• Defines how data is placed on carrier signal
– Data is spread across a large-frequency bandwidth
• Instead of traveling across just one frequency band
– Methods:
• Frequency-hopping spread spectrum (FHSS)
• Direct sequence spread spectrum (DSSS)
• Orthogonal frequency division multiplexing (OFDM)
IEEE Additional 802.11 Projects
• 802.11b (i.e., Wi-Fi)
– Operates in the 2.4 GHz band
– Throughput increased to 11 Mbps
– Allows for 11 channels to prevent overlapping
• Only three channels (1, 6, and 11) can be combined
without overlapping and creating interference
– Introduced Wired Equivalent Privacy (WEP)
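The channel-overlap rule on this slide (22 MHz 802.11b channels must sit at least five channel numbers apart, which is why only 1, 6 and 11 coexist without interference), worked as an added Python example that is not from the textbook; the channel-to-frequency formula is the standard 2.4 GHz channel plan and the band edges are the U.S. range quoted on the earlier slide.

```python
# Added example (not from the textbook): find which 2.4 GHz 802.11b
# channels can be used together without their 22 MHz channels overlapping.
# Center frequencies follow the standard 2.4 GHz channel plan:
# channel n -> 2407 + 5*n MHz for n = 1..13, channel 14 -> 2484 MHz.
CHANNEL_WIDTH_MHZ = 22            # 802.11b DSSS channel width
US_BAND_MHZ = (2400.0, 2483.5)    # U.S. range quoted on the slides


def center_frequency(channel: int) -> int:
    """Center frequency in MHz of a 2.4 GHz channel (1-14)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"unknown 2.4 GHz channel {channel}")


def channels_overlap(a: int, b: int) -> bool:
    """Channels overlap when their centers are closer than one channel
    width, i.e. fewer than five channel numbers (25 MHz) apart."""
    return abs(center_frequency(a) - center_frequency(b)) < CHANNEL_WIDTH_MHZ


def fits_band(channel: int, band=US_BAND_MHZ) -> bool:
    """True if the whole channel lies inside the band (frequency check only;
    the regulatory domain may still forbid channels that fit)."""
    half = CHANNEL_WIDTH_MHZ / 2
    center = center_frequency(channel)
    return band[0] <= center - half and center + half <= band[1]


def non_overlapping_set(channels) -> list:
    """Greedy, lowest channel first: a set of mutually non-overlapping channels."""
    chosen = []
    for ch in sorted(set(channels)):
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def interfering_pairs(channels) -> list:
    """Pairs of the given channels whose frequency ranges overlap."""
    chs = sorted(set(channels))
    return [(a, b) for i, a in enumerate(chs) for b in chs[i + 1:]
            if channels_overlap(a, b)]


if __name__ == "__main__":
    print(non_overlapping_set(range(1, 12)))   # [1, 6, 11]
    print(interfering_pairs([1, 3, 6, 11]))    # [(1, 3), (3, 6)]
```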
IEEE Additional 802.11 Projects (cont’d.)
• 802.11a
– Operating frequency range changed
• Three bands in 5 GHz range
– Throughput increased to 54 Mbps
• 802.11g
– Operates in 2.4 GHz range
– Uses OFDM for modulation
– Throughput increased to 54 Mbps
IEEE Additional 802.11 Projects (cont’d.)
• 802.11i
– Introduced Wi-Fi Protected Access (WPA)
– Corrected many security vulnerabilities of 802.11b
• 802.11e
– Improvements addressed problem of interference
• When interference is detected, signals can jump to
another frequency more quickly
IEEE Additional 802.11 Projects (cont’d.)
• 802.11n
– Operates in same frequency (2.4 GHz band) and
uses same encoding as 802.11g
– Uses multiple antennas and wider bandwidth
channels
• Throughput increased to 600 Mbps
• HiperLAN/2
– European WLAN standard
– Not compatible with 802.11 standards
Additional IEEE 802 Standards
• 802.15
– Addresses networking devices within one person’s
workspace
• Wireless personal area network (WPAN)
• Bluetooth is a common example
• 802.16
– Addresses issue of wireless metropolitan area
networks (MANs)
• Defines Wireless MAN Air Interface
• Most widely used is Worldwide Interoperability for
Microwave Access (WiMAX)
Additional IEEE 802 Standards (cont’d.)
• 802.20
– Mobile Broadband Wireless Access (MBWA)
– Addresses wireless MANs for mobile users
• Traveling in trains, subways, or cars at speeds up to
150 miles per hour
Additional IEEE 802 Standards (cont’d.)
Table 11-3 Summary of wireless standards
Understanding Authentication
• Problem of unauthorized users accessing
resources on a network
– Major concern for security professionals
• Organizations that introduce wireless technology
– Increases potential for security problems
The 802.1X Standard
• Defines process of authenticating and authorizing
users on a WLAN
– Addresses concerns with authentication
• Basic concepts
– Point-to-Point Protocol (PPP)
– Extensible Authentication Protocol (EAP)
– Wired Equivalent Privacy (WEP)
– Wi-Fi Protected Access (WPA)
Point-to-Point Protocol
• Many ISPs use PPP
– Connect dial-up or DSL users
– PPP handles authentication by requiring a user to
enter a valid user name and password
– PPP verifies that users attempting to use the link are
who they say they are
Extensible Authentication Protocol
• EAP is an enhancement to PPP
– Allows a company to select authentication method
• Certificate
– Record that authenticates network entities
– Contains X.509 information
• Identifies owner, certificate authority (CA), and
owner’s public key
Figure 11-8 Viewing information about an X.509 certificate
Extensible Authentication Protocol (cont’d.)
• Methods to improve wireless network security:
– Extensible Authentication Protocol-Transport Layer
Security (EAP-TLS)
– Protected EAP (PEAP)
– Microsoft PEAP
• 802.1X components:
– Supplicant
– Authenticator
– Authentication server
Figure 11-9 A supplicant connecting to an AP and a RADIUS server
Wired Equivalent Privacy
• Part of the 802.11b standard
– Encrypts data traversing a wireless network
• Many vulnerabilities
– Works well for home users or small businesses
when combined with a Virtual Private Network (VPN)
Wi-Fi Protected Access
• Specified in the 802.11i standard
– Replacement for WEP
• Improves encryption
– Temporal Key Integrity Protocol (TKIP)
enhancements
• Message Integrity Check (MIC)
• Extended Initialization Vector (IV) with sequencing
rules
• Per-packet key mixing
• Rekeying mechanism
• Authentication mechanism using 802.1X and EAP
Understanding Wardriving
• Hackers use wardriving
– Driving around with inexpensive hardware and
software that enables them to detect unsecured APs
• Wardriving is not illegal
– But using the network resources is illegal
• Warflying
– Airplane wired with an antenna is used
How It Works
• An attacker or security tester drives around with the
following equipment:
– Laptop computer
– WNIC
• Not all are compatible with scanning programs
– Antenna
• Prices vary depending on quality and range
– Software that identifies:
• Company’s SSID
• Security type enabled
• Signal strength
NetStumbler
• Shareware tool written for Windows
– Enables WLAN detection
• Supports 802.11a, 802.11b, and 802.11g standards
• Primarily designed to:
– Verify WLAN configuration
– Detect other wireless networks
– Detect unauthorized APs
• Capable of interfacing with a GPS
– Enables mapping of all detected WLAN locations
NetStumbler (cont’d.)
• Logs the following:
– SSID
– MAC address of AP
– Manufacturer of AP
– Channel on which it was heard
– Signal strength
– Encryption
• Attackers can detect APs within a 350-foot radius
– Better antennas can locate APs a couple of miles
away
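The fields NetStumbler logs are exactly what a defender needs to audit a site survey against an inventory of authorized APs, which is how the "detect unauthorized APs" use above is done in practice. The following Python is an added example, not from the textbook or from NetStumbler; the scan rows, the authorized-AP inventory and the default-SSID list are constructed sample data (the book's Table 11-1 is not reproduced here).

```python
# Added example (not from the textbook or NetStumbler): audit a wardriving
# scan log carrying the fields NetStumbler records (SSID, AP MAC, vendor,
# channel, signal, encryption) against an inventory of authorized APs.
# The log rows, the inventory and the default-SSID list are constructed.
import csv
import io

SCAN_LOG = """ssid,bssid,vendor,channel,signal_dbm,encryption
CorpNet,00:11:22:33:44:01,Cisco,1,-52,WPA2
CorpNet,00:11:22:33:44:02,Cisco,6,-60,WPA2
linksys,00:11:22:33:44:aa,Linksys,11,-45,None
CorpNet,00:11:22:33:44:bb,Unknown,6,-40,WEP
Guest,00:11:22:33:44:03,Cisco,11,-58,WPA2
"""

# Authorized APs: BSSID -> (expected SSID, expected encryption). Constructed.
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpNet", "WPA2"),
    "00:11:22:33:44:02": ("CorpNet", "WPA2"),
    "00:11:22:33:44:03": ("Guest", "WPA2"),
}
# Hypothetical default SSIDs; the book's Table 11-1 is not reproduced here.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}
WEAK_ENCRYPTION = {"none", "wep"}


def audit_scan(log_text: str, authorized=AUTHORIZED) -> list:
    """Return (bssid, finding) tuples for every suspicious AP in the log."""
    our_ssids = {ssid for ssid, _ in authorized.values()}
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        bssid, ssid, enc = row["bssid"].lower(), row["ssid"], row["encryption"]
        if bssid not in authorized:
            if ssid in our_ssids:
                # Unknown radio advertising one of our SSIDs: a rogue AP
                findings.append((bssid, f"rogue AP advertising {ssid}"))
            else:
                findings.append((bssid, f"unauthorized AP '{ssid}'"))
        elif (ssid, enc) != authorized[bssid]:
            findings.append((bssid, "authorized AP misconfigured"))
        if enc.lower() in WEAK_ENCRYPTION:      # open or WEP: upgrade to WPA2
            findings.append((bssid, f"weak encryption: {enc}"))
        if ssid.lower() in DEFAULT_SSIDS:       # vendor default never changed
            findings.append((bssid, f"default SSID '{ssid}'"))
    return findings

if __name__ == "__main__":
    for bssid, finding in audit_scan(SCAN_LOG):
        print(bssid, finding)
```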
Kismet
• Product for conducting wardriving attacks
– Written by Mike Kershaw
– Runs on Linux, BSD, Mac OS X, and Linux PDAs
• Also a sniffer and an intrusion detection system
(IDS)
– Can sniff 802.11b, 802.11a, and 802.11g traffic
Kismet (cont’d.)
• Features:
– Wireshark- and Tcpdump-compatible data logging
– Compatible with AirSnort and AirCrack
– Network IP range and hidden network SSID detection
– Graphical mapping of networks
– Client-server architecture
– Manufacturer and model identification
– Detection of known default AP configurations
– XML output
– Supports more than 25 card types
Understanding Wireless Hacking
• Hacking a wireless network
– Not much different from hacking a wired LAN
• Techniques:
– Port scanning
– Enumeration
Tools of the Trade
• Equipment:
– Laptop computer
– WNIC
– Antenna
– Sniffers
• Wireless routers that perform DHCP functions
– Pose a big security risk
• Tools for cracking WEP keys:
– AirCrack NG
– WEPCrack
AirCrack NG
• Tool most hackers use to access WEP-enabled WLANs
– Replaced AirSnort
• Useful addition:
– Gerix WiFi Cracker
• GUI front-end
Countermeasures for Wireless Attacks
• Consider using anti-wardriving software
– Makes it more difficult to discover your WLAN
• Honeypots
• Black Alchemy Fake AP
• Use measures for preventing radio waves from
leaving or entering the building
– Use a special paint on the walls
• Use a router
– Filters unauthorized MAC and IP addresses and
prevents access
Countermeasures for Wireless Attacks (cont’d.)
• Consider using an authentication server
– Instead of relying on a wireless device
• Consider using EAP
– Allows different protocols that enhance security
• Place AP in demilitarized zone and use a firewall
– Filters out traffic
• If possible, upgrade to WPA2 and replace
hardware that can’t be upgraded
– Better security
Countermeasures for Wireless Attacks (cont’d.)
• Assign static IP addresses to wireless clients
– Instead of using DHCP
• Change default SSID and disable SSID broadcasts
– If you can’t disable SSID broadcasts, rename default
SSID
Summary
• Wireless technology
– Defines how and at what frequency data travels over
radio frequency (RF) spectrum
• Basic components of wireless networks:
– WNICs
– Access points (APs)
– Wireless networking protocols
• Service set identifier (SSID)
– Configured on AP
– Used to identify WLAN
Summary (cont’d.)
• IEEE’s main purpose
– Create standards for LANs and WANs
• 802.11 is the IEEE standard for wireless networking
• BSS
– Collection of all devices that make up a WLAN
– BSA is the wireless coverage area AP provides
• WLAN technologies
– Infrared
– Narrowband
– Spread spectrum
Summary (cont’d.)
• Bluetooth
– Most popular form of WPAN technology
• WEP, WPA, and WPA2
– Wireless encryption standards to protect WLANs
• Authentication
– Usually used in combination with wireless encryption
standards
• Wardriving and warflying
– Involve driving or flying with a laptop, WNIC, an antenna, and software that scans for available APs
Summary (cont’d.)
• WLANs
– Can be attacked with many tools used for hacking
wired LANs
• Countermeasures
– Disabling SSID broadcast and renaming SSIDs
– Using an authentication server
– Placing the AP in the DMZ
– Using EAP and a router
– Upgrading to WPA2
– Assigning static IP addresses to wireless clients