Hacking Wireless Networks - (ISC)² U.S. Military … (transcript)
-
1
Hacking Wireless Networks
What You Need To Know To
Protect Yours
Michael Votaw
RCC-E Network Monitoring Team Lead
CISSP, CCNA, ECIE-NAC
mailto:[email protected]
-
Overview
Ethical Concerns
CISSP Domains Covered
Wireless Primer: Back to the basics
Encryption Methods
The Tool Chest
Basic Methods for Securing
-
Code of Ethics Canons
Protect society, the common good, necessary public
trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
-
CISSP Domains Addressed
Security and Risk Management
- Confidentiality, integrity, and availability concepts
- Legal and regulatory issues
- Professional ethics
- Security policies, standards, procedures and guidelines
Asset Security
- Ownership (e.g. data owners, system owners)
- Protect privacy
- Data security controls
-
CISSP Domains Addressed (Continued)
Security Engineering
- Engineering processes using secure design principles
- Security architectures, designs, and solution elements vulnerabilities
- Mobile systems vulnerabilities
- Cryptography
- Site and facility design secure principles
- Physical security
Communication and Network Security
- Secure network architecture design (e.g. IP & non-IP protocols, segmentation)
- Secure network components
- Secure communication channels
- Network attacks
5
-
CISSP Domains Addressed (Continued)
Identity and Access Management
- Identification and authentication of people and devices
- Identity as a service (e.g. cloud identity)
- Third-party identity services (e.g. on-premise)
- Access control attacks
Security Assessment and Testing
- Assessment and test strategies
- Security process data (e.g. management and operational controls)
- Security control testing
- Security architectures vulnerabilities
6
-
IEEE 802.11 Standards
802.11
Introduced in June, 1997
Operated in the 2.4 GHz band
Operational bandwidth 22MHz
Data rates 1, 2 Mbps
Range 20m Indoor, 100m Outdoor
7
-
IEEE 802.11b
Introduced in September, 1999
Operates in the 2.4 GHz band
Operational bandwidth 22MHz
14 Channels available, but limited to 5 channel separation (3 useful)
Data rates 1, 2, 5.5, 11 Mbps
Range 35m Indoor, 140m Outdoor
8
-
IEEE 802.11a
Introduced in September, 1999
More expensive, not typically used by consumers
Operates in the 5 GHz band
Operational bandwidth 20MHz
Far more channels (22 in North America)
Data rates 6, 9, 12, 18, 24, 36, 48, 54 Mbps
Range 35m Indoor, 120m Outdoor
9
-
IEEE 802.11g
Introduced in June, 2003
Operates in the 2.4 GHz band
Operational bandwidth 20MHz
Data rates 6, 9, 12, 18, 24, 36, 48, 54 Mbps
Range 38m Indoor, 140m Outdoor
Backward compatible with 802.11b
10
-
IEEE 802.11n
Introduced in October, 2009
No new channels or frequencies introduced (uses 2.4GHz & 5 GHz)
Operational bandwidth 20MHz/40MHz
Up to 4 channels of MIMO (Multiple Input, Multiple Output)
Data rates (20MHz) 7.2, 14.4, 21.7, 28.9, 43.3, 57.8, 65, 72.2 Mbps
Data rates (40MHz) 15, 30, 45, 60, 90, 120, 135, 150 Mbps
Range 70m Indoor, 250m Outdoor
11
-
IEEE 802.11ac
Introduced in December, 2013
Uses only the 5 GHz band
Operational bandwidth 20/40/80/160 MHz
Up to 8 channels of MIMO (Multiple Input, Multiple Output)
Data rates 96.3 Mbps (20 MHz), 200 Mbps (40 MHz)
Data rates 433.3 Mbps (80 MHz), 866.7 Mbps (160 MHz)
Range 35m Indoor, 115m Outdoor
6.77 Gbps possible
12
-
Channel Discussion 802.11b 2.4 GHz
Because of the bandwidth constraints, only three useful channels are available
5-channel separation is required at 20 and 22 MHz
Japan is the only country where channel 14 is allowed
13
-
Channel Discussion 802.11b/g/n 2.4 GHz
The 2.4 GHz range is by far the busiest range
Inexpensive equipment makes it easy to deploy and use
Creates problems for 802.11n because of channel usage
14
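The "three useful channels" rule on the two slides above can be computed rather than memorised. The Python below is an added example, not part of the presentation: it assumes the standard 2.4 GHz channel plan (channel n centred at 2407 + 5n MHz for n = 1..13, channel 14 at 2484 MHz) and treats two channels as overlapping unless their centres are strictly more than one channel width apart, which is the conservative convention behind the slide's 5-channel separation at both 20 and 22 MHz. The access-point names in the site-survey audit are constructed.

```python
"""Added example (not from the slides): 2.4 GHz channel overlap calculator.

Assumed channel plan: channel n (1..13) is centred on 2407 + 5*n MHz and
channel 14 (Japan only) on 2484 MHz.  The occupied width is passed in by the
caller: 22 MHz for 802.11b, 20 MHz for 802.11g/n.
"""


def center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel in MHz."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError("2.4 GHz channels are numbered 1..14")


def overlaps(a: int, b: int, width_mhz: int) -> bool:
    """Two channels are treated as overlapping unless their centres are strictly
    more than one channel width apart: the spectral mask bleeds past the nominal
    edge, so channels that merely touch still interfere."""
    return abs(center_mhz(a) - center_mhz(b)) <= width_mhz


def min_channel_separation(width_mhz: int) -> int:
    """Smallest channel-number step whose 5 MHz multiple exceeds the channel width."""
    return width_mhz // 5 + 1


def non_overlapping_channels(width_mhz: int, channels=range(1, 14)) -> list:
    """Greedy, lowest-first choice of mutually non-overlapping channels."""
    chosen = []
    for ch in channels:
        if all(not overlaps(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


def audit_neighbours(width_mhz: int, assignment: dict) -> list:
    """Return pairs of access points whose channels overlap, e.g. from a site survey.
    `assignment` maps an AP name to its channel; names are sorted for stable output."""
    names = sorted(assignment)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if overlaps(assignment[a], assignment[b], width_mhz)]


if __name__ == "__main__":
    for width in (22, 20):
        print(width, "MHz: separation", min_channel_separation(width),
              "-> channels", non_overlapping_channels(width))
    # Constructed site survey: two neighbouring APs on channels 1 and 3 collide.
    print(audit_neighbours(22, {"ap-lobby": 1, "ap-hall": 3, "ap-lab": 11}))
```

Running it prints 1/6/11 for both widths; feeding `audit_neighbours` the channel column of a real survey flags the AP pairs that are stepping on each other, which is the "channel usage" problem the 802.11n slide mentions.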
-
Channel Discussion 802.11a/n/ac 5GHz
15
-
Encryption methods - WEP
WEP (Wired Equivalent Privacy)
- Introduced with 802.11 in 1997
- Uses RC4 stream cipher for encryption
- Uses CRC-32 for data integrity
- Was successfully exploited in 2001
- Can be cracked in minutes with aircrack-ng
16
-
Encryption Methods WPA/WPA2 (802.11i)
WPA
- Introduced in 2003, but only temporary until release of WPA2
- Employs TKIP with a unique 128bit key for each packet
WPA2
- Released in 2004
- Far superior to WEP
- Uses CCMP (Counter Mode, Cipher Block Chaining, Message Authentication Code Protocol). It is AES-based encryption using 128 byte blocks with 128 bit encryption
- Required for use in 802.11n and 802.11ac networks
- Still breakable with brute force attacks
18
-
Encryption Methods WPA2 (802.11i)
WPA2 offers two methods for encryption/authentication
WPA2-PSK (Also called WPA2-Personal)
- WPA2 Pre Shared Key
- Statically set on the Access Point and the wireless device
- Opens up the possibility for dictionary and brute force attacks
WPA2 Enterprise (802.1x authentication)
- Requires the configuration of a RADIUS server for authentication
- Keys are changed often and unique for each client
- Identity of all clients is known and MAC spoofing is effectively eliminated
19
-
802.1X Basic Components
(diagram: User, Supplicant, Network Device, Authentication Server (RADIUS))
User: valid user (AD/RADIUS), printer, phone, certificate-based
Supplicant: Microsoft XP, Vista, 7, 8, 10; Mac OS X; Linux Open1X; printers; phones
Network Device: Cisco, Brocade, Extreme, HP, many others
Authentication Server: Windows AD, FreeRADIUS, OpenRADIUS, Steel-Belted RADIUS, many others
-
802.1X Basic Flow
(diagram: Supplicant, Network Device, Authentication Server)
Username/Password from the supplicant
RADIUS attributes sent to the server:
- User-Name
- NAS-IP-Address
- NAS-Port
- NAS-Port-Type
RADIUS attributes returned to the network device:
- Filter-Id
- Tunnel-Priv-Grp-ID
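The attribute names on this slide are RADIUS type/length/value fields. The Python below is an added example, not code from the presentation: it encodes a constructed Access-Request carrying User-Name, NAS-IP-Address, NAS-Port and NAS-Port-Type, a matching Access-Accept carrying Filter-Id and Tunnel-Private-Group-ID (the slide's Tunnel-Priv-Grp-ID), and performs the Message-Authenticator and Response Authenticator checks a switch or server should run before acting on a packet (packet layout from RFC 2865, tagged Tunnel attributes from RFC 2868, Message-Authenticator from RFC 3579). The shared secret, user name, NAS address and VLAN value are constructed.

```python
"""Added example (not from the slides): RADIUS attribute encoding for the 802.1X
flow above, with the integrity checks a NAS and server perform on each packet.
Packet layout per RFC 2865, tagged Tunnel attributes per RFC 2868,
Message-Authenticator per RFC 3579.  All sample values are constructed."""
import hashlib
import hmac
import ipaddress
import os
import struct

# Attribute type codes (RFC 2865 / 2868 / 3579) and packet codes
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, FILTER_ID = 1, 4, 5, 11
NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 61, 80, 81
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
NAS_PORT_TYPE_WIRELESS_80211 = 19          # IANA: "Wireless - IEEE 802.11"
HEADER = 20                                # code(1) id(1) length(2) authenticator(16)


def attr(atype: int, value: bytes) -> bytes:
    """One Type/Length/Value attribute; the length byte includes its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute values are limited to 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tunnel_private_group_id(tag: int, group: str) -> bytes:
    """RFC 2868 tagged string: a leading tag byte (0 = untagged), then the VLAN name or number."""
    return attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + group.encode())


def _with_authenticator(packet: bytes, authenticator: bytes) -> bytes:
    return packet[:4] + authenticator + packet[HEADER:]


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: list, secret: bytes) -> bytes:
    """Append a Message-Authenticator and fill it with HMAC-MD5(secret, packet with it zeroed)."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", code, identifier, HEADER + len(body)) + authenticator + body
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def build_response(code: int, identifier: int, request_auth: bytes, attrs: list, secret: bytes) -> bytes:
    """Responses: Message-Authenticator is computed with the request authenticator in place,
    then Response Authenticator = MD5(code|id|length|request_auth|attributes|secret)."""
    packet = build_packet(code, identifier, request_auth, attrs, secret)
    return _with_authenticator(packet, hashlib.md5(packet + secret).digest())


def parse_attributes(packet: bytes) -> list:
    """Walk the TLVs after the header; reject inconsistent lengths rather than guessing."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < HEADER:
        raise ValueError("length field does not match packet size")
    out, pos = [], HEADER
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_message_authenticator(packet: bytes, secret: bytes, request_auth: bytes = None) -> bool:
    """Recompute the HMAC over the packet with the attribute's value zeroed; for a response,
    pass the request authenticator so it is substituted back first.  Absent means reject."""
    if request_auth is not None:
        packet = _with_authenticator(packet, request_auth)
    pos = HEADER
    for atype, value in parse_attributes(packet):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        pos += 2 + len(value)
    return False


def verify_response_authenticator(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAS checks that the reply came from a server holding the shared secret."""
    expected = hashlib.md5(_with_authenticator(response, request_auth) + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER])


def example_exchange(secret: bytes = b"constructed-shared-secret") -> tuple:
    """Constructed exchange: the switch sends Access-Request, the server answers
    Access-Accept with an ACL name and a VLAN.  Returns (request, accept, request_auth)."""
    request_auth = os.urandom(16)
    request = build_packet(ACCESS_REQUEST, 7, request_auth, [
        attr(USER_NAME, b"alice"),
        attr(NAS_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.10").packed),
        attr(NAS_PORT, struct.pack("!I", 3)),
        attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
    ], secret)
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, [
        attr(FILTER_ID, b"staff-acl"),
        tunnel_private_group_id(0, "20"),
    ], secret)
    return request, accept, request_auth
```

The Message-Authenticator is what binds the EAP exchange to the shared secret; a server that does not require it on Access-Requests, or a switch that does not verify the Response Authenticator, will accept attribute values (the ACL or VLAN assignment) from anyone who can put a packet on the wire between them.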
-
802.1X Message Exchange
All messages on the client side are ethertype 888E (EAPOL/PAE)
All messages between switch and server are RADIUS packets
Most switch vendors enhance this with multi-method and multi-user authentication
-
802.1X Continued
Support for periodic re-auth, and manual re-auth
EAP Types - Industry Standard
- MD5 basic
- PEAP Microsoft & Cisco Protected EAP, now dominant in the industry
- EAP-TLS (Transparent LAN Service) Requires a digital certificate on each supplicant (see RFC 2716)
EAP Types - Proprietary
- EAP-TTLS (Tunneled TLS Authentication Protocol) - Juniper Software TTLS does not require a digital cert (see Internet Draft)
- LEAP Cisco Lightweight EAP (proprietary); Cisco moving to PEAP
802.1X on wireless
- Encryption, Rotating keys, Integration of Users and Enterprise Authentication
The Future 802.1AE
- Key exchange and encryption between clients, switches, and routers
-
The Tools
ANY PC or mobile device
- Nearly all wireless devices become a hacking tool with endless possibilities
- Using just a Pringles can (cantenna), wireless sniffing can be extended to nearly a mile away. It's highly directional and easy to build.
- In 2008 Robert Graham and David Maynor of Errata Security demonstrated how a jailbroken iPhone could be powered for days and used to hack internal networks from a FedEx package delivered to a fictitious employee
BackTrack or the new version, Kali
- Freely available as a bootable ISO disc and loaded with hacking tools
24
-
Tools Included in Mac OS X
25
-
Brute Force / Dictionary Attack with Kali
28
-
Methods For Securing Wireless
Use long passwords for WPA2-Personal keys
Use of complex passwords is not so great, but length matters more
Hide SSIDs when possible, but this only slows down casual hackers
Enable MAC filtering WITH WPA2 pre-shared keys
Avoid the use of WPS (very easily cracked)
Utilize VPN encryption over wireless for sensitive data
Utilize 802.1x on wireless: the safest way, but also very expensive
33
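Why length beats complexity for WPA2-Personal keys, and why a statically configured pre-shared key "opens up the possibility for dictionary and brute force attacks" (the WPA2-PSK slide earlier), both follow from how the key is derived. The Python below is an added example, not part of the presentation: it derives the 256-bit PSK the way 802.11i specifies (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, the same computation wpa_passphrase performs) and scores a passphrase length-first. The minimum length and entropy thresholds in passphrase_report are assumptions, not values from the slides; the sample passphrases are constructed.

```python
"""Added example (not from the slides): WPA2-Personal PSK derivation and a
length-first passphrase check.  Policy thresholds below are assumptions."""
import hashlib
import math
import string


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """802.11i: PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits).
    The result is fixed for a given passphrase and SSID: nothing per-session enters
    the derivation, so a weak passphrase can be checked offline against a word list
    once a handshake has been observed."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("802.11i passphrases are 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)


def estimated_entropy_bits(passphrase: str) -> float:
    """Upper-bound estimate: length * log2(pool), where the pool is the union of the
    character classes actually present.  Each extra character multiplies the search
    space; an extra class only widens it by a small constant factor."""
    pool = sum(size for chars, size in _CLASSES if any(c in chars for c in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


def passphrase_report(passphrase: str, min_length: int = 20, min_bits: float = 80.0) -> dict:
    """Length-first policy check (thresholds are assumed, not taken from the slides)."""
    bits = estimated_entropy_bits(passphrase)
    return {
        "length": len(passphrase),
        "entropy_bits": round(bits, 1),
        "meets_policy": len(passphrase) >= min_length and bits >= min_bits,
    }


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_psk("password", "IEEE").hex())
    # Constructed samples: short-and-complex versus long-and-simple.
    for p in ("Tr0ub4dor&3", "correct horse battery staple"):
        print(p, passphrase_report(p))
```

The 4096 PBKDF2 iterations only make each guess a few thousand hash operations more expensive; they do not change the size of the space an attacker has to search, which is why the slide's advice is to add length rather than symbols.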
-
Questions?
34