Shekhar shinde [email protected] State University.
ECE 578: COMPUTER NETWORK AND SECURITY
A TERM PAPER ON
Drive-by Hacking
Contents
• Background
• Problem of drive by hacking
• Wireless security options
• Challenges
• Types of attacks
• Internet scanner
• Real life solution to the problem
• Conclusion
• References
Background
• WLAN technology is making its way into organizations, but:
– Authorized deployments are hindered by security concerns.
– Unauthorized (rogue) deployments put the corporate network at risk.
• Top concerns:
– Where are the access points?
– Are they vulnerable to attack?
– Where is the network perimeter?
Market
The Problem … “Drive By Hacking”
[Figure: inside the building, an iPaq, PalmPilot, mobile phone and notebook connect through an Access Port and Switch to the Main Corporate Backbone and its servers; the street outside is less than 1500 ft from the Access Port.]
If the distance from the Access Port to the street outside is 1500 feet or less, then a hacker could also get access while sitting outside.
Wireless LAN Security Options
• MAC address filtering
• Vendor specific authentication
• SSID/Network ID
• Wired Equivalent Privacy (WEP)
• Emerging IEEE 802.11x
Or in other words …
[Figure: a Notebook connects through an Access Port and Switch to the Main Corporate Backbone and a RADIUS/EAP Server; a second Access Port and Switch are also shown.]
1. User runs client software and enters user name and password.
2. The request is sent to the RADIUS/EAP server. RADIUS authenticates the session and sends unique session keys to the device and the AP. The keys are valid only for that session.
3. When the device wants to connect to a different AP, a new session is created with a different unique set of keys, again valid only for that session.
The Problem? Totally proprietary technology, and therefore vendor specific, and the initial broadcast keys can still be sniffed.
The Challenges
• Rogue Access Points
– Due to low cost, users are setting up their own APs without IT knowledge (i.e. boardrooms)
• DHCP
– One of the advantages of WLAN is the ability to move around the building, and therefore between IP subnets. DHCP is therefore needed, but it is very abusable!
• 802.11xx and other technologies (such as Bluetooth & WAP) are all new, so no standards exist and they are very vendor specific
Types of Attacks
1. Insertion Attacks
2. Interception and unauthorised monitoring
3. Jamming
4. Client to Client Attacks
5. Brute Force on AP password
6. Encryption Attacks
7. Mis-configurations
Types of Attacks
• Insertion
– Deploying unauthorised devices or creating new wireless networks without the prior knowledge of IT
• Interception and Unauthorised Monitoring
– As with wired networks, it is possible to “sniff” the network; but where wired networks require monitoring agents, with a WLAN you can get everything.
• Jamming
– As the name suggests, this is a Denial of Service attack that floods the 2.4 GHz range, used by these and other devices, so nothing can communicate
Types of Attacks
• Client to Client Attacks
– Once Windows is configured to support wireless, it can be contacted by any other wireless device, so all the usual file sharing and TCP service attacks work
• Brute Force on Access Point password
– The APs use simple usernames and passwords, which can be easily brute forced, and key management is not easy
• Encryption Attacks
– Although 802.11 has WEP, vulnerabilities have already been found and the keys can easily be cracked
• Mis-configurations
– All major vendors make their units easy to deploy, so they come with insecure, well-known pre-configurations, which are rarely changed when installed
WLAN Security Challenges
How to Defend against WLAN Threat
• WLAN security is similar to that of the wired network.
– Just represents an extension of wired networks
– Another potential untrusted entry point into the wired network.
• Multi-Layer Security Approach
– Protect WLAN holistically at the network, system, and application layer for clients, access points, and the back-end servers.
– Apply traditional wired security countermeasures.
WLAN Discovery / Assessment/ Monitoring Tools
1. Internet Scanner 6.2, the market leading network vulnerability assessment tool, was the first to assess many 802.11b security checks. 802.11 checks are in several X-Press Updates (XPU 4.9 and 4.10).
2. RealSecure 6.5, the market leading IDS, was the first to monitor many 802.11b attacks. It is recommended to make sure you are up to date with the latest X-Press Updates. 802.11 checks for IDS were in XPU 3.1.
Internet Scanner
[Figure: Internet Scanner assessing a network of an iPaq, Notebooks, two Access Ports, a Switch, a Firewall and the Main Corporate Backbone.]
1. Finds the Holes
2. Finds Rogue Access Points or Devices
Real Secure
[Figure: Real Secure monitoring two Access Ports, a Switch, a Firewall and the Main Corporate Backbone; label: “Kill !!”]
The Solution
Wireless Scanner 1.0 is the solution for this problem
– Identify 802.11b access points.
– Assess the implementation of available security features.
– Laptop-based for mobility.
“Wireless Scanner provides automated detection and security assessment of WLAN access points and clients.”
Target Market
Primary market of Wireless Scanner 1.0:
– Enterprise customers
– SMB customers
– Security consultants / auditors
These customers want to:
– Implement a WLAN without compromising their existing security measures.
– Protect network from unauthorized APs.
How it works ..
• Each device has a WLAN adapter
• These communicate back to Access Ports (AP), or Wireless Bridges
• The technology works like old Ethernet bridges by simply passing data on
• So anyone with a wireless device could, theoretically, connect to your network.
Features – Detection
Wireless Scanner detects access points…
… and active clients.
Features – Security Assessment
Wireless Scanner probes access points to determine their vulnerability to connection and attack by unauthorized users.
Features – Reporting
• Multi-level reporting
• Export options
• New Access Points report highlights new 802.11b devices discovered in scan.
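The detection, assessment and "new access points" reporting described above can be sketched as follows. This is an added example, not Wireless Scanner's code or output; the CSV layout, the inventory, the previous-scan set and the factory-SSID list are all constructed assumptions.

```python
import csv
import io

# Constructed survey data (not real scanner output): one row per observed AP.
SURVEY_CSV = """bssid,ssid,channel,wep
00:11:22:33:44:01,corp-wlan,1,yes
00:11:22:33:44:02,corp-wlan,6,no
00:AA:BB:CC:DD:10,default,11,no
00:AA:BB:CC:DD:11,boardroom,6,yes
"""

# Hypothetical inventory kept by IT: BSSID -> expected SSID.
AUTHORIZED = {
    "00:11:22:33:44:01": "corp-wlan",
    "00:11:22:33:44:02": "corp-wlan",
}
# Hypothetical set of BSSIDs seen in the previous scan.
PREVIOUS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
# Illustrative factory SSIDs; extend for the hardware actually deployed.
FACTORY_SSIDS = {"default", "linksys", "tsunami"}


def audit(survey_text, authorized, previous_bssids=frozenset()):
    """Return [(bssid, [findings])] for every AP that needs attention."""
    report = []
    for row in csv.DictReader(io.StringIO(survey_text)):
        bssid = row["bssid"].strip().upper()
        ssid = row["ssid"].strip()
        findings = []
        if bssid not in authorized:
            findings.append("rogue: not in inventory")
        elif authorized[bssid] != ssid:
            findings.append("ssid differs from inventory")
        if bssid not in previous_bssids:
            findings.append("new since last scan")
        # WEP alone is weak (see Encryption Attacks), but no WEP is worse.
        if row["wep"].strip().lower() != "yes":
            findings.append("no encryption")
        if ssid.lower() in FACTORY_SSIDS:
            findings.append("factory-default ssid")
        if findings:
            report.append((bssid, findings))
    return report


if __name__ == "__main__":
    for bssid, findings in audit(SURVEY_CSV, AUTHORIZED, PREVIOUS):
        print(bssid, "; ".join(findings))
```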
Features – Flexibility
• Mobile – users can scan while walking
• User configurable:
– Filters
– Alarms and notifications
– Encryption keys for scanning
• Configurations can be saved and loaded
References:
1. “Wireless Scanner”, a white paper by Stephen Schmid.
2. Cryptography and Network Security: Principles and Practice, Second Edition, by William Stallings.
3. Web reference: www.computing.co.uk/News/
4. Cryptography and Network Security, Third Edition, by William Stallings.
5. Fundamentals of Computer Security Technology by Edward G. Amoroso.
6. Network Security by Mario Devargas.
7. LAN Times Guide to Security and Data Integrity by Marc Farley, Tom Stearns, and Jeffrey Hsu.
8. Computer System and Network Security by Gregory B. White, Eric A. Fisch, Udo W. Pooch.