
Wireless Attacks on your Network



Presentation Transcript


  1. Wireless Attacks on your Network And how to protect and respond to them

  2. Introduction • Who are we? • iViZ – On demand penetration testing • Topic for today? • Wireless attacks on your network and how to protect and respond to them • What we will learn today? On Demand Penetration Testing | www.ivizsecurity.com

  3. Agenda • Introduction to Wireless Technologies (802.11x) • Wireless security and attack techniques • Protecting against and Responding to Wireless attacks • Best practices • Q/A

  4. Overview • Wireless networks have almost all the security issues faced by wired networks • In addition, they have some unique security issues of their own • Need to understand what the threats are and how the attacks work in order to prevent and respond to them • How do all the pieces of WLAN security fit together?

  5. Introduction to Wireless Technologies

  6. History of wireless networks • 1970s – First wireless networks • 1985 – US FCC released the ISM band for unlicensed use • 1991 – NCR Corp and AT&T invented the precursor of IEEE 802.11. Products marketed under the name WaveLAN with raw data rates of 1 Mbps and 2 Mbps • 1997 – IEEE 802.11 released – 2.4 GHz – 1 & 2 Mbps • 1999 – IEEE 802.11b – 2.4 GHz – 11 Mbps • 1999 – IEEE 802.11a – 5 GHz – 54 Mbps – but lower range • 2003 – IEEE 802.11g – 2.4 GHz – 11/54 Mbps – backward compatible with 802.11b • 2009 – IEEE 802.11n – Throughput and range improvements using MIMO (multiple input, multiple output antennas)

  7. Wireless security and attack techniques

  8. Wired Equivalent Privacy (WEP) • WEP – Wired Equivalent Privacy – 1997 • Original encryption standard for wireless • Intended to make wireless networks as secure as wired networks • Support for different key sizes, common ones being 128 bit and 256 bit • However… • WEP has serious security issues • Does not deal with key management • 2001 – “Weaknesses in the Key Scheduling Algorithm of RC4” by Fluhrer, Mantin and Shamir – if a cracker can receive packets on a network, it is only a matter of time until the WEP encryption is cracked • 2004 – Dachboden Labs released more effective methods to crack WEP (Chopping attack) • 2007 – Caffe Latte attack – AirTight Networks – Md. Sohail Ahmad and Vivek Ramachandran

  9. Attacks on WEP • Attacks based on Fluhrer, Mantin and Shamir’s paper came to be known as “FMS attacks” • Shortly after the FMS paper, open-source tools were released to automate WEP cracking • WEPCrack • AirSnort • Tools using the Chopping attack to crack WEP • Aircrack-ng • weplab • The Caffe Latte attack uses a weakness in the ICV algorithm of WEP • Targets wireless clients trying to connect to preferred wireless networks to obtain the key • Tools like Caffe Latte and Wep0ff

  10. Cisco LEAP • In response to the weaknesses in WEP, new security mechanisms were developed • Cisco developed the Lightweight Extensible Authentication Protocol (LEAP) • In 2003, Joshua Wright disclosed that LEAP was vulnerable to dictionary attack • A short time later, tools were released to crack LEAP • Asleap • THC-LeapCracker • Cisco released EAP-FAST as a replacement for LEAP

  11. Wi-Fi Protected Access (WPA) • Wi-Fi Protected Access (WPAv1) was developed by the Wi-Fi Alliance to replace WEP • WPA-PSK (Pre-shared key) • WPA-RADIUS • In Nov 2003, Robert Moskowitz of ICSA Labs detailed potential problems with WPA-PSK in his paper “Weakness in Passphrase Choice in WPA Interface” • In Nov 2004, Joshua Wright released a tool to automate the dictionary attack process against WPA-PSK • CoWPAtty • In 2008 Erik Tews and Martin Beck uncovered a weakness in TKIP that can be exploited. It was further optimised by others in 2009 • In 2010, a new attack was found by Martin Beck • Attacker can decrypt wireless network traffic to the client • Attack can be defeated by deactivating QoS or by using AES-based CCMP in place of TKIP

  12. Other wireless security solutions • WPAv2 • Inclusion of the more secure AES-CCMP algorithm as a mandatory feature • Supports both RADIUS servers and PSK • PEAP – Protected EAP • Smart Cards • USB Tokens • Software Tokens

  13. Other Attacks on Wireless Networks • MAC spoofing attacks • Man-in-the-middle attacks • Tools like AirJack • Denial of service attacks • Targeting wireless drivers of client systems • Metasploit released an exploit for Broadcom wireless drivers • Configuration weaknesses allowing network impersonation attacks • Attacker can inject network re-configuration commands and bring down a network • Hidden Rogue APs • Tools like Wknock • IEEE 802.11n Greenfield Mode

  14. Protecting against and Responding to Wireless attacks

  15. Responding to attacks against WEP • WEP is a broken and obsolete solution • Use higher layer encryption (SSL/TLS) if possible • Use firewall and proxy servers to enforce • Use tools like Kismet, Wireshark, tcpdump to regularly monitor wireless traffic • Look out for abnormal de-authentication bursts, as they are used for cracking WEP • Look out for excessive ARP injection bursts, as these are used for MITM attacks against WEP • Easy to identify • Understand the normal volume of ARP traffic on your network • Rotate WEP keys • LAST RESORT – Shut down the WLAN
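The monitoring advice on this slide (watch for de-authentication bursts and for ARP volume well above your network's normal level) can be turned into a simple rate check. The following is an added example, not part of the presentation: it assumes a constructed one-frame-per-line log of the form `<epoch_seconds> <frame_type> <src_mac> <dst_mac>`, which is roughly what a Kismet or tshark export can be reduced to, and it flags any window in which de-authentication frames exceed a fixed threshold or ARP frames exceed a multiple of the measured baseline. All thresholds and the sample traffic are constructed values to be tuned to your own WLAN.

```python
"""Rate-based detection of deauthentication and ARP bursts in an 802.11
frame log. Added example; the log format, thresholds and sample traffic
are all constructed for illustration."""
from collections import defaultdict


def build_sample_log():
    """Constructed 802.11 frame log: 10 seconds of normal traffic (one
    data frame and one ARP broadcast per second) plus a deauthentication
    burst at t=1003..1004 and an ARP replay burst at t=1005..1007."""
    lines = []
    for t in range(1000, 1010):
        lines.append(f"{t} data 00:11:22:33:44:55 aa:bb:cc:dd:ee:01")
        lines.append(f"{t} arp aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff")
    for i in range(12):  # 12 deauth frames spread over two seconds
        lines.append(f"{1003 + i // 6} deauth 00:11:22:33:44:55 aa:bb:cc:dd:ee:01")
    for i in range(30):  # 30 ARP frames spread over three seconds
        lines.append(f"{1005 + i // 10} arp aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff")
    return "\n".join(lines)


def parse_frames(log_text):
    """Parse '<ts> <type> <src> <dst>' lines into (int ts, type, src, dst)."""
    frames = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ftype, src, dst = line.split()
        frames.append((int(ts), ftype.lower(), src.lower(), dst.lower()))
    return frames


def count_by_window(frames, frame_type, window):
    """Count frames of one type per fixed-size time window (in seconds)."""
    counts = defaultdict(int)
    for ts, ftype, _src, _dst in frames:
        if ftype == frame_type:
            counts[ts - ts % window] += 1
    return dict(counts)


def detect_bursts(frames, frame_type, threshold, window=5):
    """Return sorted [(window_start, count)] where count > threshold."""
    windows = count_by_window(frames, frame_type, window)
    return sorted((start, n) for start, n in windows.items() if n > threshold)


def analyse(log_text, arp_baseline_per_sec, window=5,
            deauth_threshold=5, arp_factor=3.0):
    """Produce human-readable alerts for deauth and ARP bursts.

    arp_baseline_per_sec is the normal ARP rate you have measured on your
    own network; the ARP threshold is that baseline scaled to the window
    and multiplied by arp_factor. deauth_threshold is an absolute count
    per window, since a healthy WLAN sees very few deauth frames."""
    frames = parse_frames(log_text)
    alerts = []
    for start, n in detect_bursts(frames, "deauth", deauth_threshold, window):
        alerts.append(f"deauth burst: {n} frames in window starting at {start}")
    arp_threshold = arp_baseline_per_sec * window * arp_factor
    for start, n in detect_bursts(frames, "arp", arp_threshold, window):
        alerts.append(f"arp burst: {n} frames in window starting at {start} "
                      f"(baseline {arp_baseline_per_sec * window:.0f} per window)")
    return alerts


if __name__ == "__main__":
    for alert in analyse(build_sample_log(), arp_baseline_per_sec=1.0):
        print(alert)
```

With the constructed sample, the first 5-second window carries 12 de-authentication frames and the second carries 35 ARP frames against a baseline of 5 per window, so both are reported; the normal window is not. The baseline parameter is the point of the exercise: the ARP check is only meaningful once you have measured what "normal" is on your own WLAN.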

  16. Responding to attacks against WPA • WPA-PSK with passphrases shorter than 21 characters is vulnerable to dictionary attack • The attack can be done offline and is therefore, unlike attacks against WEP, not easy to detect in real time • Keep the passphrase longer than 21 characters • Switch from TKIP to AES-based CCMP • Use WPA with RADIUS or some other form of secondary authentication like certificates or software tokens (2-factor authentication)
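Why the dictionary attack on WPA-PSK is offline, and why passphrase length is the control: in WPA/WPA2 personal mode the 256-bit pairwise master key is derived from the passphrase with PBKDF2-HMAC-SHA1, salted with the (public) SSID, 4096 iterations, as specified in IEEE 802.11i. Anyone holding one captured 4-way handshake can therefore test candidate passphrases without touching the network again. The block below is an added example, not the presentation's code: it reproduces the standard derivation, checks it against the IEEE 802.11i Annex H test vector, and applies a passphrase policy based on the slide's 21-character recommendation. The small denylist of default strings is a constructed placeholder.

```python
"""WPA-PSK derivation (IEEE 802.11i) and a passphrase policy check built
on the slide's 21-character minimum. Added example; the denylist below is
constructed and should be replaced with your own list of known defaults."""
import hashlib

# Policy: the presentation recommends passphrases longer than 21 characters;
# the 802.11i standard itself only allows 8 to 63 printable ASCII characters.
MIN_PASSPHRASE_LENGTH = 21
WPA_MIN_LENGTH, WPA_MAX_LENGTH = 8, 63

# Constructed placeholder list; in practice load vendor defaults and
# previously used passphrases for your organisation.
KNOWN_WEAK_PASSPHRASES = {"password", "12345678", "changeme"}


def derive_wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK/PMK exactly as WPA/WPA2 personal mode does:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is the only salt, so the same passphrase on the same SSID
    always yields the same key, which is what makes offline guessing work."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, dklen=32
    )


def check_passphrase(passphrase: str) -> list:
    """Return a list of policy problems; an empty list means acceptable."""
    problems = []
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("passphrase must contain only printable ASCII characters")
    if not WPA_MIN_LENGTH <= len(passphrase) <= WPA_MAX_LENGTH:
        problems.append(
            f"WPA passphrases must be {WPA_MIN_LENGTH} to {WPA_MAX_LENGTH} characters"
        )
    elif len(passphrase) < MIN_PASSPHRASE_LENGTH:
        problems.append(
            f"passphrase shorter than {MIN_PASSPHRASE_LENGTH} characters is "
            "exposed to offline dictionary attack"
        )
    if passphrase.lower() in KNOWN_WEAK_PASSPHRASES:
        problems.append("passphrase is a known default or common value")
    # A long passphrase made of a single repeated character class is still
    # guessable; require at least two classes (letters, digits, punctuation).
    classes = sum(
        1 for pred in (str.isalpha, str.isdigit, lambda c: not c.isalnum())
        if any(pred(c) for c in passphrase)
    )
    if classes < 2:
        problems.append("passphrase should mix letters, digits or punctuation")
    return problems


def annex_h_vector_ok() -> bool:
    """Check the derivation against the IEEE 802.11i Annex H test vector
    (passphrase 'password', SSID 'IEEE')."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return derive_wpa_psk("password", "IEEE").hex() == expected


if __name__ == "__main__":
    print("802.11i test vector matches:", annex_h_vector_ok())
    for candidate in ("password", "correct-horse-battery-staple-42"):
        print(repr(candidate), "->", check_passphrase(candidate) or "OK")
```

The derivation is the same one the `wpa_passphrase` utility performs when it converts a passphrase to a 64-hex-digit PSK for a configuration file; the policy function is the defensive half, to be run wherever a passphrase is set or rotated. Note that length is what actually raises the attacker's cost here: 4096 PBKDF2 iterations slow each guess, but only a large keyspace makes the total work prohibitive.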

  17. Responding to MITM attacks • Real-time response to MITM attacks is difficult • Preventive measures should be in place • Always require authentication to the network over an encrypted channel • Use 2-factor authentication • Separate the WLAN from other areas of the network by treating it as a DMZ host with no access to the network without authentication

  18. Best practices

  19. Best Practices • Use 2-factor authentication, e.g., smart cards, USB tokens, and software tokens • However these are expensive • Next safest methods are WPA2 or WPA with a RADIUS server • Utilize IPSec-based Virtual Private Network (VPN) technology for end-to-end security • Use strong encryption (e.g., AES-based CCMP) • Separate the WLAN from the rest of the network by treating it as a DMZ if possible • Have a separate VLAN • Use static IP addressing and MAC filtering • Not 100% fool-proof • MACs can be spoofed and MITM can still be possible • Regularly review access point, firewall/IPS/IDS and important server logs

  20. Best Practices • Carry out a site survey • Position the access point carefully so that it is not accessible beyond where you intend it to be • A nice little trick you can use is to place some aluminium behind the AP to limit radiation out of a window • Use RF shielding such as specialized wall paint and window films • Use tools like NetStumbler to identify rogue access points. Cisco and other vendors also have proprietary tools for this • Change all shared keys, SSIDs and passphrases at regular intervals • At least change the default ones • Select strong and non-guessable strings and keep them safe • Ensure firmware is up to date in client cards and access points • The same applies to wireless client devices

  21. Best Practices • Have a strict removable and wireless device policy • Ensure physical security of wireless access points • Ensure only authorized people can reset the access point • Disable access points during non-usage periods • Implement personal firewalls on client machines

  22. Best Practices • Educate network users on security risks and personal preventive measures. IT managers’ and administrators’ knowledge should be kept up to date with the latest security issues • Regularly carry out penetration testing of your wireless infrastructure • Get your wireless network architecture and configuration vetted by experts

  23. Summary • Risks to wireless networks have increased as their adoption has become more prevalent • Growing use and popularity require increased focus on security • Attack complexity has evolved significantly over the years • As attacks have evolved, so have the tools available to IT administrators to respond to such attacks • No single solution can be 100% foolproof, therefore use a combination of best practices • However, no tool is a substitute for well-designed, policy-enforced networks along with vigilant administrators

  24. Feedback / Questions? • nilanjan.de@ivizsecurity.com • info@ivizsecurity.com

  25. More Information • How to: Define Wireless Network Security Policies • http://www.wireless-nets.com/resources/tutorials/define_wireless_security_policies.html • Wireless Security Primer • http://www.windowsecurity.com/articles/Wireless_Security_Primer_Part_II.html • Lisa Phifer. “The Caffe Latte Attack: How It Works—and How to Block It” • http://www.wi-fiplanet.com/tutorials/article.php/10724_3716241_1 • Fitting the WLAN Security pieces together • http://www.pcworld.com/businesscenter/article/144647/guide_to_wireless_lan_security.html • “PCI DSS Wireless Guidelines” • https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf • Kevin Beaver, Peter T. Davis, Devin K. Akin. “Hacking Wireless Networks For Dummies” • George Ou. “Ultimate wireless security guide: A primer on Cisco EAP-FAST authentication” • http://articles.techrepublic.com.com/5100-10878_11-6148557.html • “Wi-Fi Protected Access”. Wi-Fi Alliance • http://www.wifialliance.org/knowledge_center_overview.php?docid=4486 • How to: Improve Wireless Security with Shielding • http://www.wireless-nets.com/resources/tutorials/rf_shielding.html • http://www.dmoz.org/Computers/Data_Communications/Wireless/Security/