isaca wireless hacking 2009 1

Upload: ganeshrg

Post on 10-Apr-2018


  • 8/8/2019 Isaca Wireless Hacking 2009 1

    1/54


    CONTACTS

    Austin-

    Accounts

    over IP by Syngress Press

    Contributor to the Center for Internet Security Benchmarks.


    March 2, 2010


    TJX: 45 million credit card numbers stolen; could be as high as 200 million

    $33 million in losses from gift cards

    Largest loss ever from exploited wireless, estimated at $1 billion

    2003

    FBI tracked credit card system software replaced with hacked version


    routers, switches, and other network devices.

    wireless network was exploited across our

    Verizon Business - Data Breach Investigations Report)


    Wi-Fi Bouncing

    network due to their new Wi-Fi-proof wallpaper? Try a Wi-Fi attack droid. Some clever hackers at the Shmoo

    Zaurus, a 100 milliwatt Sanio wireless card, and some wires that fit into a tissue box (or another similarly-sized innocuous object). The idea is that you surreptitiously drop this thing off in an area with a Wi-Fi network that you can't access and it sends a 900 MHz signal via a serial port transceiver to pass on the network. With a good antenna this means you can get online from as far as 40 miles away, though with the antenna shown you should be able to get about a mile or so of sneaky wireless access. lithium battery should power this thing for up to four hours or so.


    Bluesnarfing is the theft of information from a wireless.

    high-speed but very short-range wireless technology for exchanging data between desktop and mobile computers, personal digital assistants (PDAs), and other

    .

    By exploiting a vulnerability in the way Bluetooth is information -- such as the user's calendar, contact list and e-mail and text messages -- without leaving any evidence of the attack. Other devices that use Bluetooth,

    , , although to a lesser extent, by virtue of their more complex systems. Operating in invisible mode protects some devices, but others are vulnerable as long as

    .


    According to a ZDNet UK article, attackers are exploiting a problem with some implementations of the object exchange protocol, which is commonly used to exchange information between wireless devices. An attacker can synchronize with the victim's device (this is known as pairing) and gain access to any information or

    . that bluesnarfing tools are widely available on the Internet, along with information about how to use them.

    So what is the record distance for Bluesnarfing?

    Lasco.A Bluetooth virus (Nokia Series 60 running Symbian) spreads via file attachments, games, files etc.

    Paris Hilton's phone contacts stolen

    TOOLS: Bluescanner, BTCrack, T-Bear


    Well, we focus on wireless networks

    What about wireless cameras?

    If you can see data on wireless networks, can you see video on wireless cameras?

    Let's take a look!


    What about Internet cameras, aka NannyCams?

    Google Hacks:

    inurl:view/index.shtml Finds AXIS cameras

    inurl:ViewerFrame?Mode=" Finds more

    inurl:MultiCameraFrame?Mode="

    Also can be wireless


    Step 1 - Reconnaissance

    Airsnort, NetStumbler, or Aerosol

    Identify APs SSIDs without WEP enabled

    - Configure wireless client to match discovered SSID

    Step 3 - Check IP Address u

    Step 4 - Check for Internet access

    Open browser to see if the Internet can be accessed

    Step 5 - Scan for other clients

    Run port scanner (Nmap) to find other clients that may


    Windows Laptop

    commercial Orinoco wireless card

    NetStumbler, ApSniff, Wlan-Expert

    Prism 2 wireless card

    Aerosol software

    USB Wireless Card

    AirSnare - IDS

    Cantenna and wireless MMCX to N type cable

    An Access Point for rogue data collection

    Ferret and Hamster for SideJacking


    Linux Laptop

    Prism2 or Orinoco card

    AirSnort software (To crack WEP)

    Aircrack software (To crack WEP)

    WepLab software (To crack WEP)

    dwepcrack software (To crack WEP)

    WepAttack software (To crack WEP)

    Kismet

    AirTraf


    Aireplay: 802.11 packet injection program

    Airdecap: decrypts WEP/WPA capture files

    BackTrack 4 CD/DVD


    Handheld device

    Orinoco wireless card

    Ministumbler

    Pocket Warrior

    AirScanner

    Wi-FiFoFum PocketPC Windows Mobile (iPAQ)

    AirMagnet Commercial $3K

    Lots of options for iPhone and Android OS

    No 802.11a on a handheld against the spec


    Wi-Finder

    Wi-Fi Finder


    NETSTUMBLER SCREEN CAPTURE: DOWNTOWN SACRAMENTO

    NETSTUMBLER SCREEN CAPTURE: ARCO ARENA AREA

    AIRSNORT SCREEN CAPTURE: SACRAMENTO AREA


    WinSniffer Passwords

    FTP

    Telnet

    ICQ Instant Messaging

    SMTP

    NNTP

    Sniffers can see all clear text usernames, passwords and data that pass across the wireless network to gain more information

    Standard sniffers can see all data in all packets that

    , passwords.

    Read your email

    Web based email

    Web based email


    SideJacking of course


    SANS: http://www.sans.org/critical-security-controls/control.php?id=14

    Residential Wireless Audit Checklist: http://www.sans.org/score/wirelesschecklist.php

    Wireless STIG (Security Technical Implementation Guides): http://iase.disa.mil/stigs/stig/index.html

    US DoJ: http://www.justice.gov/ust/eo/private_trustee/library/chapter13/docs/Wireless_Security_Checklist.pdf

    ISO 27001: http://www.smashingpasswords.com/files/wireless-lan-security-checklist.pdf

    CIS: Wireless Benchmark and Assessment Articles http://cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.network.wireless


    http://www.corecom.com/html/wlan_tools.html - List of Tools

    www.wardriving.net - oo n o

    http://sectools.org/wireless.html - Top 5 Wi-Fi Tools

    www.dis.org/filez/ - Peter Shipley War driving site

    www.wigle.net - upload reading from wireless tools, mapping

    www.networkintrusion.co.uk/wireless.htm - List of Wireless tools

    www.freeantennas.com - Lots of easy to build antennas

    Hot Spots

    www.Wi-Finder.com - Wi-Fi locator

    www.wi-find.com - Wi-Fi locator

    www.Wi-Fifreespot.com/ - Wi-Fi locator

    www.jiwire.com/ - Wi-Fi locator

    https://selfcare.hotspot.t-mobile.com - T-Mobile hotspots

    www.boingo.com - Boingo hotspots


    Using ARP poisoning, hackers are able to place themselves in the middle of an SSL session using Ettercap or other tools over wireless.

    This results in the hacker having the actual SSL certificate, relaying the information to the user, thus being able to see all that the user sees.

    Remember it is estimated that 95% of Wi-Fi usage is unencrypted!


    Access Points that mimic a real access point in order to steal information.

    Secure Wi-Fi is not susceptible to this threat as the


    Use automated Wireless detection solution

    Define what is normal and detect anomalies

    Follow up with manual assessments

    Issue Wireless cards to consultants and guests

    Create Incident Response plan to shut down or investigate violations

    Rotate Keys 30 days or less

    Dual Wi-Fi networks

    First find all trusted MAC addresses
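
An added example, not part of the original slides, of "define what is normal and detect anomalies" applied to the trusted MAC address list: it compares observed beacons against a baseline and flags access points that mimic a real one. The SSID, MAC addresses, baseline and scan records are all constructed; a real deployment would take its records from a wireless detection sensor.

```python
"""Flag access points that deviate from a trusted baseline (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # access point radio MAC address
    channel: int
    security: str   # e.g. "OPEN", "WEP", "WPA2"


# Hypothetical baseline from the first survey: trusted BSSID -> expected settings.
BASELINE = {
    "00:11:22:33:44:01": Beacon("CorpNet", "00:11:22:33:44:01", 1, "WPA2"),
    "00:11:22:33:44:02": Beacon("CorpNet", "00:11:22:33:44:02", 6, "WPA2"),
}


def classify(beacon, baseline=BASELINE):
    """Return anomaly labels for one observed beacon (empty list = normal)."""
    known = baseline.get(beacon.bssid.lower())
    if known is None:
        # Unknown radio advertising one of our SSIDs: possible mimic of a real AP.
        ours = {b.ssid for b in baseline.values()}
        return ["untrusted-bssid-using-trusted-ssid"] if beacon.ssid in ours else []
    findings = []
    if beacon.ssid != known.ssid:
        findings.append("ssid-changed")
    if beacon.security != known.security:
        findings.append("security-changed")  # trusted MAC, other settings: spoof or misconfig
    if beacon.channel != known.channel:
        findings.append("channel-changed")
    return findings


def audit(scan, baseline=BASELINE):
    """Map BSSID -> findings for every beacon in the scan that is not normal."""
    return {b.bssid: f for b in scan if (f := classify(b, baseline))}


# Constructed scan results, as an automated sensor might report them.
SCAN = [
    Beacon("CorpNet", "00:11:22:33:44:01", 1, "WPA2"),      # matches baseline
    Beacon("CorpNet", "00:11:22:33:44:02", 11, "OPEN"),     # trusted MAC, wrong settings
    Beacon("CorpNet", "66:77:88:99:aa:bb", 6, "OPEN"),      # unknown MAC, our SSID
    Beacon("CoffeeShop", "66:77:88:99:aa:cc", 3, "WPA2"),   # unrelated neighbour
]

if __name__ == "__main__":
    for bssid, findings in audit(SCAN).items():
        print(bssid, ", ".join(findings))
```

Findings from a check like this feed the manual assessment and incident response steps listed above; a MAC address match alone does not prove an access point is genuine, since MAC addresses can be copied.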


    The END

    Questions?