
How to Cheat at Securing a Wireless Network, part 2


Figure 2.4 Enable WEP on the WRT54G
Figure 2.5 The WEP Keys Window
Next, select the key (1–4) that you will initially use by choosing the appropriate
radio button next to Default Transmit Key. Finally, click Save Settings in the
Wireless Security tab to save your settings.
www.syngress.com
Wireless Security • Chapter 2 23
SOME INDEPENDENT ADVICE
Some people will argue that WEP is a “broken” standard and should not
be used. Yes, WEP is an easy protocol to hack and allows intruders to
gain the encryption key to your wireless network using tools included in
the Aircrack suite. However, due to wireless connections by other devices
(game consoles, PDAs, and the like), you may be forced to use WEP
instead of the more secure WPA.
Remember that no security is bad security, and that something is
always better than nothing. Enabling WEP encryption on your network
may be the difference between your network or your unencrypted
neighbor’s being hacked.
Enabling Wi-Fi Protected Access
An alternative and more secure approach to wireless security on an access point is to
use Wi-Fi Protected Access, or WPA. WPA uses an improved encryption process based
on the Temporal Key Integrity Protocol (TKIP). TKIP jumbles the keys and incorporates
an integrity-checking feature to ensure that the keys have not been tampered
with.
WPA also includes client authentication via the Extensible Authentication
Protocol (EAP). EAP uses a public key encryption mechanism to ensure that only
authorized systems have access to the access point.
In late 2004, the Institute of Electrical and Electronics Engineers (IEEE) ratified
the 802.11i specification, more commonly referred to as WPA2. WPA2 uses AES as
the encryption standard, whereas WPA uses the TKIP standard. This is not to say that
WPA is not secure but to acknowledge that wireless security is ever changing.
WPA2 also supports a personal authentication implementation (PSK) and an enterprise
authentication implementation (RADIUS). This chapter focuses on the WPA
standard.
Log in to the WRT54G and click the Wireless tab. Click the Wireless security
subtab to enable WPA. From the drop-down list, choose WPA-Personal, as
shown in Figure 2.6.
Figure 2.6 The WRT54G WPA Setup Screen
Leave the WPA algorithm as TKIP. Enter a shared key of between 21 and 63
characters in the WPA Shared Key: text box. Leave the Group Key Renewal at
its default of 3600 seconds (see Figure 2.7).
Figure 2.7 WPA Shared Key
Click Save Settings to save the WPA settings on the WRT54G. It is still a good
idea to follow the previous security steps to enable wireless MAC filters and disable
the SSID broadcast. Be careful not to set the SSID to anything personal to you, such
as your phone number, home address, or name.
Filtering by Media Access Control (MAC) Address
After you have set a unique SSID, disabled SSID broadcast, and enabled WEP
encryption, you need to filter access to the WRT54G by MAC address. Filtering
access to the access point allows only those MAC addresses specified in the list the
ability to access the wireless network.
First, from the main Wireless tab, click the Wireless MAC Filter tab to display
the option to enable or disable Wireless MAC filtering (see Figure 2.8).
Figure 2.8 The Wireless MAC Filter screen
Next, select Enable from the Wireless MAC Filter radio buttons. This will
reveal the MAC filter options, as shown in Figure 2.9.

Figure 2.9 The Wireless MAC Filter Options
Choose the Permit Only PCs listed to access the wireless network radio
button, and click the Edit MAC Filter List button to display the MAC Address
Filter List window (see Figure 2.10).
Figure 2.10 The MAC Address Filter List Window
In the provided text boxes, enter the MAC addresses of wireless clients that are
allowed to access your wireless network, and then click Apply, as shown in
Figure 2.11.
Figure 2.11 Enter Allowed MAC Addresses
Finally, click Save Settings in the Advanced Wireless window to save your
settings and enable filtering by MAC address. Keep in mind that this should not be
the only security measure implemented. Using various tools in Windows and/or
Linux, it is easy for an attacker to spoof his or her local MAC address to gain access
to your wireless network.
SOME INDEPENDENT ADVICE
Finding your MAC address is a simple process with any operating
system. Using Windows XP, from a command line, you can type:
ipconfig /all
to show the MAC address of the installed network devices.
Linux makes the process just as simple. From a terminal window,
type:
ifconfig -a
and find the HWaddr for the requested network interface. This is the
MAC address.
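The two commands above print the address with different separators, while filter lists usually want a fixed 12-character form. The following Python sketch is an added example, not from the book: it pulls MAC addresses out of either output, normalizes them for a filter list, and flags addresses whose locally administered bit is set (an address assigned in software rather than by the manufacturer). The sample outputs and function names are constructed for illustration.

```python
import re

# Constructed sample output (not captured from a real machine).
IPCONFIG_ALL = """\
Ethernet adapter Wireless Network Connection:
        Description . . . . . . . . . . . : Example 802.11g Adapter
        Physical Address. . . . . . . . . : 00-11-22-AA-BB-CC
"""
IFCONFIG_A = """\
eth1      Link encap:Ethernet  HWaddr 02:11:22:aa:bb:cd
          inet addr:192.168.1.101  Bcast:192.168.1.255  Mask:255.255.255.0
"""

# Six hex octets separated by ':' or '-', as both tools print them.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:-])[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}(?![0-9A-Fa-f:-])"
)


def extract_macs(text):
    """Return every MAC address in the text as 12 uppercase hex characters."""
    return [re.sub(r"[:-]", "", m).upper() for m in MAC_RE.findall(text)]


def describe(mac12):
    """Filter-list formats plus the two flag bits carried in the first octet."""
    first = int(mac12[:2], 16)
    return {
        "bare": mac12,
        "colon": ":".join(mac12[i:i + 2] for i in range(0, 12, 2)),
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
    }


def allowlist_candidates(text):
    """Addresses suitable for a MAC filter list, with their flags attached."""
    out = []
    for mac in extract_macs(text):
        info = describe(mac)
        if info["multicast"]:
            continue  # group addresses never identify a single client card
        out.append(info)
    return out


if __name__ == "__main__":
    for sample in (IPCONFIG_ALL, IFCONFIG_A):
        for entry in allowlist_candidates(sample):
            note = " (set in software, verify before allowing)" \
                if entry["locally_administered"] else ""
            print(entry["colon"], entry["bare"] + note)
```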
Enabling Security Features on a D-Link DI-624 AirPlus 2.4GHz Xtreme G Wireless Router with Four-Port Switch
Although Linksys has a sizable share of the home access point market, D-Link also
has a large market share. D-Link products are sold at most big computer and electronics
stores such as Best Buy and CompUSA. This section details the steps you
need to take to enable the security features on the D-Link 624 AirPlus 2.4GHz
Xtreme G Wireless Router with Four-Port Switch. The DI-624 is an 802.11g access
point with a built-in router and switch, similar in function to the Linksys WRT54G.
Setting a Unique SSID
The first security measure to enable on the D-Link DI-624 is setting a unique SSID.
First you need to log into the access point. Configure your local workstation with a
static IP in the 192.168.0.0/24 subnet and point your browser to 192.168.0.1. Use
the username admin with a blank password to access the initial setup screen (see
Figure 2.12).
Figure 2.12 The D-Link DI-624 Initial Setup Screen
Next click the Wireless button on the left side of the screen to bring up the
Wireless Settings screen, as shown in Figure 2.13.
Figure 2.13 The Wireless Settings Screen
In the SSID textbox, enter a unique SSID, as shown in Figure 2.14, and click
Apply to save and enable the new SSID.
Figure 2.14 Set a Unique SSID
Disabling SSID Broadcast
After you have set a unique SSID, enabled 128-bit WEP, and filtered access by MAC
address, you need to disable SSID broadcast.
From the Advanced Features screen, click the Performance button, as shown
in Figure 2.15.
Figure 2.15 The Advanced Performance Options

Select the Disabled radio button next to SSID Broadcast, and click Apply to
save your settings, as shown in Figure 2.16.
Figure 2.16 Disabling SSID Broadcast
Enabling Wired Equivalent Privacy
After you have set a unique SSID, you will need to enable 128-bit WEP encryption.
First, choose the Enabled radio button next to WEP, as shown in Figure 2.17.
Figure 2.17 Enable WEP
Next choose 128Bit from the WEP Encryption drop-down box, as shown in
Figure 2.18.
Figure 2.18 Require 128-Bit WEP Encryption
Then you need to assign a 26-character hexadecimal number to at least Key1
(see Figure 2.19). A 26-digit hexadecimal number can contain the letters A–F and
the numbers 0–9.
Figure 2.19 Assign WEP Keys
Finally, after you have assigned your WEP keys, click Apply to save your settings.
Any wireless clients that connect to the DI-624 must be configured to use this
WEP key.
Enable Wi-Fi Protected Access
To enable WPA on the access point, on the left side of the screen click the Wireless
button. To enable WPA, click the radio button labeled WPA-PSK next to the
Authentication option (see Figure 2.20).
Figure 2.20 Enabling WPA
Enter a passphrase into the Passphrase text box, and retype the passphrase in the
Confirmed Passphrase text box to verify it, as shown in Figure 2.21.

Click Apply to confirm the settings and enjoy added wireless security
protection!
Figure 2.21 WPA Passphrase
Filtering by Media Access Control Address
After you have set a unique SSID and enabled 128-bit WEP encryption, you should
filter access to the wireless network by Media Access Control (MAC) address.
First click the Advanced tab, as shown in Figure 2.22.
Figure 2.22 The Advanced Options Screen
Next click the Filters button on the left side of the screen, as shown in
Figure 2.23.
Figure 2.23 The Advanced Filters Options
Then choose the MAC Filters radio button. This makes the MAC filtering
options visible, as shown in Figure 2.24.
Figure 2.24 The MAC Filtering Options
Finally, select the Only allow computers with MAC address listed below
to access the network radio button and enter the MAC address of each client
card that is allowed to access the network. You must also enter a descriptive name of
your choice for each client in the Name text box (see Figure 2.25). Note that you
must click Apply after each MAC address entered.
Figure 2.25 Filter by MAC Address
Enabling Security Features on Apple’s Airport Extreme 802.11g Access Point
In early 2003, Apple released the Airport Extreme base station to the masses, supporting
the 802.11b and 802.11g protocols. Even though this access point was
released as an Apple product, it fully supports Apple, Windows, and Linux clients
running WEP or WPA encryption.
Configuring the Airport Extreme is usually done from an Apple, whether a
Powerbook, iBook, or MacBook. Apple provided applications for configuring the
Airport for Windows-based operating systems, but it is a much easier process from
an Apple workstation. This section focuses on configuring the Airport Extreme from
an Apple Powerbook G4.
Connecting to the AirPort Extreme and Setting a Unique SSID
The easiest way to connect to the Airport is via the wireless connection. Ensure that
your wireless card is enabled by clicking the wireless symbol at the top right of the
screen and clicking Turn AirPort On, as shown in Figure 2.26.
Figure 2.26 Enabling the AirPort Card on the Apple PowerBook
Once you enable the Airport card, you can reclick the wireless symbol and see
any access points broadcasting in your area. We want to click the Apple Network
###### listing to connect to our AirPort (see Figure 2.27).
NOTE
To ensure that you are connecting to the correct access point, verify that
the network number listed in the drop-down list matches the last six
characters of your Airport ID, located on the access point itself.
Figure 2.27 Connect to the Appropriate Airport Access Point
Once you have connected to the Airport, you will use the AirPort Admin
Utility in Mac OS X to configure the Airport. Launch the AirPort Admin Utility
by clicking the Finder, then Applications | Utilities | AirPort Admin Utility
(see Figure 2.28). This series of clicks will open the AirPort Admin Utility. Click
Rescan to locate the Airport if it does not automatically populate the window
after a few seconds.
Figure 2.28 Launching the Admin Utility and Finding the Airport Base Station
Click the appropriate base station, and click Configure to enter the base station
properties (see Figure 2.29).
Setting a Unique SSID
At the main properties screen, we will set the SSID by changing the Name text
box, under the AirPort Network heading. Type in the SSID, remembering not to
include any personal information such as address as part of the SSID. At this point, it
would also be a good idea to change the Name of the Airport under the Base
Station heading, to obfuscate the fact that this is an Apple Airport product (see
Figure 2.30). Click Update to save the SSID.
Figure 2.29 Airport Default Properties
Figure 2.30 Setting the SSID
Disabling SSID Broadcast
To disable the broadcast of the Airport’s SSID, click the Create a closed network
check box. This will not allow the SSID to be broadcast to clients. You will be
prompted on whether or not to disable the broadcast. Click OK. However, any
client authorized to connect to the Airport must know the SSID beforehand to
make the connection (see Figure 2.31).
Figure 2.31 Disabling the SSID Broadcast
Setting a Password on the Airport
Because the Airport is in a default configuration, it is wise to set a password on the
Airport to disable the ability of anyone making unauthorized changes. From the
main base station properties windows, click the Change Password… button and
enter and confirm a password for the Airport. Click OK to set the password. Click
Update to save the changes to the Airport (see Figure 2.32).
Figure 2.32 Setting a Password on the Airport
Enabling Wired Equivalent Privacy
To enable WEP on the Airport, click the Change Wireless Security… button to
open the Properties dialog box (see Figure 2.33).
Figure 2.33 WEP Default Setting
Click WEP from the drop-down menu. You will be presented with the options
to add your encryption key. Type in an encryption key that is not easily guessable,
and retype the key to confirm. Ensure that the Encryption Type: is set to 128 bit
WEP, and click OK to enable WEP encryption (see Figure 2.34).
Figure 2.34 Configuring a WEP Encryption Key
Anyone who attempts to connect to this access point will now be required to enter the
encryption key to make the connection.
Enabling Wi-Fi Protected Access
Enabling WPA on the Airport is just as simple as enabling WEP encryption. From
the main setup screen, click the Change Wireless Security… button to open the
Wireless Security dialog box. Change the Wireless Security: drop-down list to
WPA2 Personal (see Figure 2.35).
Figure 2.35 WPA Settings
Ensure that the Password option is set, and enter a password or passphrase of
between 8 and 63 ASCII characters. The Encryption Type: may be left at the
default WPA and WPA2 option to allow both WPA and WPA2 connections. If only
WPA clients or only WPA2 clients will be connecting, you may change this option
to reflect that fact. Leave the Group Key Timeout: at its default of 60 minutes.
Click OK to save the settings and enable WPA (see Figure 2.36).
Figure 2.36 Entering the WPA Password

Filtering by Media Access Control Address
To prevent connections to the Airport by workstations not authorized to do so,
enable filtering by the MAC address. The MAC address of the connecting wireless
network card will need to be entered manually. From the main options screen, click
Access Control to view the settings (see Figure 2.37).
Figure 2.37 The Access Control Options
Click the + (plus) sign next to the main dialog box to enter the MAC address
of the client. A dialog box will open, requesting the Airport ID (MAC address) and
the Description (see Figure 2.38).
Figure 2.38 Default MAC Address Filter Window
Enter the 12-character MAC address and provide a description if needed. Click
OK to add the MAC address to the list (see Figures 2.39 and 2.40).
Figure 2.39 Entering the MAC Address
Figure 2.40 Confirming the List
Click Update to save the settings to the Airport.
Enabling Security Features on a Cisco 1100 Series Access Point
The Cisco Aironet series of access points are used largely by businesses and local
hotspots that need the robustness of a Cisco product and the ease of use of a small
office/home office (SOHO) product. The Cisco 1100 Series Access Point provides
802.11b/g services, operating on the 2.4GHz band. Unlike most SOHO router/AP
products, the Cisco 1100 does not include a built-in switch and can only be used as
a standalone wireless access point.
The easiest way to configure the Cisco 1100 is to connect via the Web interface.
You will need to assign your local host a static IP between 10.0.0.2 and 10.0.0.10,
with a subnet mask of 255.255.255.0 and a default gateway of 10.0.0.1. You may use
either a straight-through Ethernet cable or a cross-over cable from your host computer
to the Ethernet port on the access point.
When you power up the access point, it will attempt to connect to a DHCP
server. If none exists, after a few moments the access point will default to the static
IP of 10.0.0.1. If no connection is made within five minutes, it will default back to
searching for a DHCP server indefinitely. To restart the process, unplug the access
point for a few seconds, and retry the connection.
Setting a Unique SSID
The first step to configuring the Cisco 1100 is to set a unique SSID. Upon initial
connection to the access point, you will be greeted with the initial setup screen (see
Figure 2.41).
Figure 2.41 The Cisco 1100 Initial Setup Screen
On the left-hand menu, click the Security option. On this screen you will have
direct access to the current setup of the access point (see Figure 2.42).
Figure 2.42 Cisco 1100 Security Settings
Because the Cisco 1100 does not come by default with an administrator password,
it would be wise to set one now. Click the Admin Access option. Enter and
confirm a Default Authentication Password (see Figure 2.43).
Figure 2.43 The Admin Access Screen to Enter a Default Authentication
Password
Once you click Apply, the password will be saved and you will now be required
to authenticate back to the access point. Leave the Username: blank, and enter
your new password in the Password: field (see Figure 2.44). You will be returned to
the Admin Access screen.

Figure 2.44 The Authentication Request
Once you are back to the Admin Access screen, click the SSID Manager
option on the left side of the screen (see Figure 2.45).
Figure 2.45 The SSID Manager