Wireless Security (ppt)


Wireless Security
Mark Nakrop
Managing Director
nForce Security Systems

Agenda
Wireless Security, Advanced Wireless LAN Hacking
Advanced 802.11 Attack
Wireless Best Practices
Wireless Hacking Tools
wlan-jack, essid-jack, monkey-jack, kracker-jack
Network Stumbler
Mitigation Strategies
Conventional LAN Security Model
[Figure: Internet, Corporate Firewall, Enterprise Premises]
Firewall shields inside from outside.
LAN is confined to wires within the premises.
Inside is secure. Outside is insecure.
WiFi Breaks the Conventional Model
[Figure: Internet, Corporate Firewall, Enterprise Premises]
Network not confined to wires/premises anymore.
Attacks can happen over air.
Attacks bypass the firewall.
Wi-Fi security solutions are needed.
Threats from Unmanaged Devices
[Figure: Enterprise Network and Neighboring Network; labelled threats: Rogue AP, Mis-configured AP, Ad Hoc, Denial of Service Attack, AP MAC Spoofing, Unauthorized Association, Mis-association, Honeypot]
Rogue Access Points (common)
Mis-configured Access Points
Denial of Service: de-authentication flood, packet storm
MAC Spoofing APs
Malicious Honeypot APs
Unauthorized associations
Client mis-associations
Ad hoc connections
Goals of WLAN Security
Fortify authorized communication
Access control and encryption over the wireless link
WEP → WPA → 802.11i adequately address this problem
Protect the network from unmanaged devices
Rogue APs, DoS attacks, client mis-associations, honeypots, ad hoc networks, MAC spoofing, etc.
Current pain point in enterprise networks
Wireless Intrusion Detection and Prevention Systems
802.11, 802.11b, etc.
IEEE standard – based on well-known Ethernet standards
802.11 – FHSS or DSSS, WEP, 2.4 GHz, Infrastructure (BSS) or Ad-Hoc (IBSS)
Limited to 2 Mb/s due to FCC limits on dwell times per frequency hop
802.11b – DSSS only, WEP, 2.4 GHz, Infrastructure or Ad-Hoc
Up to 11 Mb/s
Also known as Wi-Fi
802.11a and 802.11g
General Principles
Deal with the basics
Integrity
Protecting your packets from modification by other parties
Confidentiality
Keeping eavesdroppers within range from gaining useful information
Keeping unauthorized users off the network
Free Internet!
Risks to both internal and external network
Availability
Low-level DoS is hard to prevent
Like any other environment, there are no silver bullets
Current Security Practices
WEP – Wired Equivalent Privacy
Link Level
Very Broken
Firewalls/MAC Filtering
Reactionary – IDS/Active Portal
Higher level protocols
Thoughts on WEP
Key management beyond a handful of people is impossible
Too much trust
Difficult administration
Key lifetime can get very short in an enterprise
No authentication for management frames
No per packet auth
False Advertising!!!

What is Lacking?
Scalability
Many clients
Large networks
Protection for all parties
Eliminate invalid trust assumptions
What is War Driving?
Driving around in a vehicle, or parking at interesting places, equipped with wireless devices and related tools, with the goal of discovering easy-to-get-into wireless networks is known as war driving. War-drivers define war driving as "The benign act of locating and logging wireless access points while in motion." This benign act is of course useful to attackers.
What is War Chalking?
War chalking is the practice of marking sidewalks and walls with special symbols to indicate that wireless access is nearby, so that others do not need to go through the trouble of the same discovery.
What Will Be Covered
Wireless network best practices
Practical attacks
The focus of the attack(s)
The network layers
The bottom 2 layers
Custom (forged) 802.11b management frames
The Tool Box
Drivers
Utilities
Proof of concept code
What Will Be Covered
Attack Scenarios
Denial of service
Masked ESSID detection
802.11b layer MITM attack
Inadequate VPN implementations
Mitigation Strategies
Wireless Best Practices
Enable WEP - Wired equivalent privacy
Key rotation when equipment supports it
Disable broadcast of ESSID
Block null ESSID connection
Restrict access by MAC address
Use VPN technology
Use strong mutual authentication
Practical Attacks
WEP – Can be cracked passively
Masked ESSID – Can be passively observed in management frames during association
Block null ESSID connects – Same problem
Install VPN – Weakly authenticated VPN is susceptible to active attack (MITM)
Strong mutual authentication – ?
The Tool Box
Custom Drivers
Air-Jack
Custom driver for PrismII (HFA384x) cards
MAC address setting/spoofing
Send custom (forged) management frames
AP forgery/fake AP
Lucent/Orinoco
Linux driver modified to allow MAC address setting/spoofing from the command line
Utilities
User space programs – wlan-jack, essid-jack, monkey-jack, kracker-jack
NetStumbler
Attack Scenarios – WLAN-Jack
[Screenshots: Airopeek trace; decode of deauthentication frame; "This is your connection" vs. "This is your connection on WLAN-Jack."]
Attack Scenarios – ESSID-Jack
Is the ESSID a shared secret?
If I mask the ESSID from the AP beacons, then unauthorized users will not be able to associate with my AP?
Discover Masked ESSID
Send a deauthenticate frame to the broadcast address.
Obtain ESSID contained in client probe request or AP probe response.
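As an added example for the two scenarios above (the WLAN-Jack deauthentication flood and the masked-ESSID question), not code from the talk or from the Air-Jack tools: the defender-side decode a wireless IDS would run over captured 802.11 management frames, showing that a masked SSID still appears in a client probe request and flagging a broadcast deauthentication burst. Frame layouts follow the 802.11 standard; the MAC addresses, SSID, thresholds and the capture itself are constructed.

```python
import struct
from collections import defaultdict
# 802.11 frame control byte 0: bits 0-1 version, bits 2-3 type (0 = management), bits 4-7 subtype
SUBTYPES = {4: "probe-req", 5: "probe-resp", 8: "beacon", 12: "deauth"}
BROADCAST = "ff:ff:ff:ff:ff:ff"

def _ssid_ie(ies):
    """Walk the tagged information elements; element id 0 is the SSID ('' when masked)."""
    i = 0
    while i + 2 <= len(ies):
        eid, length = ies[i], ies[i + 1]
        if eid == 0:
            return ies[i + 2:i + 2 + length].decode("utf-8", errors="replace")
        i += 2 + length
    return None

def parse_mgmt(frame):
    """Decode a raw 802.11 management frame (24-byte header + body); None for anything else."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0 or (frame[0] >> 4) not in SUBTYPES:
        return None
    mac = lambda raw: ":".join(f"{b:02x}" for b in raw)   # addr1 = DA, addr2 = SA, addr3 = BSSID
    out = {"subtype": SUBTYPES[frame[0] >> 4], "da": mac(frame[4:10]), "sa": mac(frame[10:16])}
    body = frame[24:]
    if out["subtype"] == "deauth":
        out["reason"] = struct.unpack_from("<H", body)[0] if len(body) >= 2 else None
    else:  # probe responses and beacons carry 12 fixed bytes before the IEs; probe requests do not
        out["ssid"] = _ssid_ie(body if out["subtype"] == "probe-req" else body[12:])
    return out

def deauth_flood(events, window=1.0, threshold=5):
    """events: (timestamp, raw frame) in capture order. Return senders whose broadcast
    deauths reach `threshold` inside any `window` seconds; an AP dropping one client never does."""
    seen = defaultdict(list)
    for ts, frame in events:
        f = parse_mgmt(frame)
        if f and f["subtype"] == "deauth" and f["da"] == BROADCAST:
            seen[f["sa"]].append(ts)
    return sorted(sa for sa, ts in seen.items()
                  if any(ts[i + threshold - 1] - ts[i] <= window
                         for i in range(len(ts) - threshold + 1)))

def sample_frame(fc0, da, sa, bssid, body=b""):
    """Constructed test frame: frame control, duration, addr1-3, sequence control, body."""
    addrs = bytes.fromhex((da + sa + bssid).replace(":", ""))
    return bytes([fc0, 0]) + b"\x00\x00" + addrs + b"\x00\x00" + body

# Constructed capture, not real traffic: masked beacon, client probe request carrying the SSID anyway,
# then six broadcast deauths (reason code 7) from one MAC within half a second
AP, CLIENT, BAD = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"
CAPTURE = [(0.0, sample_frame(0x80, BROADCAST, AP, AP, b"\x00" * 12 + b"\x00\x00")),
           (0.1, sample_frame(0x40, BROADCAST, CLIENT, BROADCAST, b"\x00\x07corpnet"))]
CAPTURE += [(1.0 + i * 0.1, sample_frame(0xC0, BROADCAST, BAD, AP, b"\x07\x00")) for i in range(6)]
```

The masked SSID decodes as '' in the beacon but as the full name in the client's probe request, and the broadcast deauth burst is what a WIDS alerts on, while a single deauth from an AP stays below the threshold.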