© ClubHack Wireless Security Workshop Rohit Srivastwa Sheetal Joseph 7 th December 2008.

Slides:

Advertisements

Similar presentations

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005

Advertisements

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.

Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy

1 MD5 Cracking One way hash. Used in online passwords and file verification.

How secure are b Wireless Networks? By Ilian Emmons University of San Diego.

Security in IEEE wireless networks Piotr Polak University Politehnica of Bucharest, December 2008.

Security+ Guide to Network Security Fundamentals, Third Edition

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID

MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

Wireless Security Ysabel Bravo Fall 2004 Montclair State University - NJ.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 6 Wireless Network Security.

WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.

WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

Marwan Al-Namari Week 10. RTS: Ready-to-Send. CTS: Clear-to- Send. ACK: Acknowledgment.NAV: network allocation vector (channel access, expected time to.

WLAN security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents WEP (Wired Equivalent Privacy) No key management Authentication.

Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.

Chapter 3 Application Level Security in Wireless Network IWD2243 : Zuraidy Adnan : Sept 2012.

Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.

Wireless LAN Security Yen-Cheng Chen Department of Information Management National Chi Nan University

WLAN What is WLAN? Physical vs. Wireless LAN

Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Wireless Security Chapter 12.

Agenda 10:00 11:00 Securing wireless networks 11:00 11:15 Break 11:15 12:00Patch Management in the Enterprise 12:00 1:00 Lunch 1:00 2:30 Network Isolation.

Wireless Security Techniques: An Overview Bhagyavati Wayne C. Summers Anthony DeJoie Columbus State University Columbus State University Telcordia Technologies,

CMGT/441 Intro. to Information Systems Security Management Information Technology University of Phoenix Kapolei Learning Center Week #4 1 Hacking Wireless.

Mobile and Wireless Communication Security By Jason Gratto.

Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Wireless Router LAN Switching and Wireless – Chapter 7.

ECE 424 Embedded Systems Design Networking Connectivity Chapter 12 Ning Weng.

Wireless Networking.

Wireless Network Security Dr. John P. Abraham Professor UTPA.

Wireless Security Beyond WEP. Wireless Security Privacy Authorization (access control) Data Integrity (checksum, anti-tampering)

COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.

Lesson 20-Wireless Security. Overview Introduction to wireless networks. Understanding current wireless technology. Understanding wireless security issues.

1 Figure 2-11: Wireless LAN (WLAN) Security Wireless LAN Family of Standards Basic Operation (Figure 2-12 on next slide)  Main wired network.

1 C-DAC/Kolkata C-DAC All Rights Reserved Computer Security.

Wireless standards Unit objective Compare and contrast different wireless standards Install and configure a wireless network Implement appropriate wireless.

Done By : Ahmad Al-Asmar Wireless LAN Security Risks and Solutions.

CWSP Guide to Wireless Security Chapter 2 Wireless LAN Vulnerabilities.

WEP Protocol Weaknesses and Vulnerabilities

Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.

WEP, WPA, and EAP Drew Kalina. Overview  Wired Equivalent Privacy (WEP)  Wi-Fi Protected Access (WPA)  Extensible Authentication Protocol (EAP)

11 SECURING NETWORK COMMUNICATION Chapter 9. Chapter 9: SECURING NETWORK COMMUNICATION2 OVERVIEW  List the major threats to network communications. 

Link-Layer Protection in i WLANs With Dummy Authentication Will Mooney, Robin Jha.

WLANs & Security Standards (802.11) b - up to 11 Mbps, several hundred feet g - up to 54 Mbps, backward compatible, same frequency a.

.  TJX used WEP security  They lost 45 million customer records  They settled the lawsuits for $40.9 million.

The University of Bolton School of Business & Creative Technologies Wireless Networks - Security 1.

Lecture 24 Wireless Network Security

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Wireless Security: The need for WPA and i By Abuzar Amini CS 265 Section 1.

Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.

Wireless security Wi–Fi (802.11) Security

Wireless Networks Standards and Protocols & x Standards and x refers to a family of specifications developed by the IEEE for.

Wireless Security John Himmelein Erick Andrew Christian Adam Varun Bapna.

Authentication has three means of authentication Verifies user has permission to access network 1.Open authentication : Each WLAN client can be.

1 © 2004, Cisco Systems, Inc. All rights reserved. Wireless LAN (network) security.

Erik Nicholson COSC 352 March 2, WPA Wi-Fi Protected Access New security standard adopted by Wi-Fi Alliance consortium Ensures compliance with different.

By Billy Ripple.  Security requirements  Authentication  Integrity  Privacy  Security concerns  Security techniques  WEP  WPA/WPA2  Conclusion.

EECS  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

Chapter-7 Basic Wireless Concepts and Configuration.

Wireless Security - Encryption Joel Jaeggli For AIT Wireless and Security Workshop.

Wireless Protocols WEP, WPA & WPA2.

WEP & WPA Mandy Kershishnik.

Wireless LAN Security 4.3 Wireless LAN Security.

Wireless Network Security

Presentation transcript:

© ClubHack Wireless Security Workshop Rohit Srivastwa Sheetal Joseph 7 th December 2008

2 © ClubHack Roadmap Wireless Overview Wireless Security Standards Exploiting Wireless Vulnerabilities Wireless Best Practices 2

3 © ClubHack Wireless - The World of Convenience! User mobility Reduced cost Flexibility and convenience Increase the productivity Wireless devices use Radio Frequency (RF) technology to facilitate communication. 3

4 © ClubHack Wireless Standards b – Transmits at 2.4 GHz, sends data up to 11 Mbps using direct sequence spread spectrum modulation feet range a – Transmits at 5 GHz and send data up to 54 Mbps using orthogonal frequency division multiplexing (OFDM) feet range. Not interoperable is b g – Combines features of both standards (a,b), 2.4 GHz frequency, 54 Mbps Speed, feet range and is interoperable with b i – Improves WEP encryption by implementing Wi-Fi Protected Access (WPA2). Data encryption with Advanced Encryption Standard (AES) n – 600 Mbps speed by adding multiple-input multiple- output (MIMO) and Channel-bonding/40 MHz operation to the physical (PHY) layer, and frame aggregation to the MAC layer n uses WPA and WPA2 to secure the network. 4

5 © ClubHack Latest Wireless Hacks sent before the Ahmedabad & Delhi bombings sent via a hacked wireless connection TJX theft tops 45.6 million card numbers 5

6 © ClubHack Types of Attacks Identity theft (MAC spoofing) - Cracker is able to listen in on network traffic and identify the MAC address of a computer and attack after spoofing the same Man-in-the-middle attacks - Cracker entices clients to log into a computer set up as an AP Once this is done, the hacker connects to a real AP through another wireless card offering a steady flow of traffic. Denial of service - Cracker continually bombards a targeted AP with bogus requests, premature successful connection messages, failure messages, and/or other commands. 6

7 © ClubHack Wireless Security Goals Access Control - Ensure that your wireless infrastructure is not mis-used. This calls for Efficient Key Management Data Integrity - Ensure that your data packets are not modified in transit. Confidentiality - Ensure that the contents of your wireless traffic is not learned. Proper Encryption mechanisms need to be implemented.

8 © ClubHack Wireless Security Standards

9 © ClubHack Description of WEP Protocol WEP relies on a shared secret key (64 bit/128 bit) which is shared between the sender (Mobile Station) and the receiver (Access Point). Secret Key - to encrypt packets before they are transmitted Integrity Check - to ensure packets are not modified in transit. The standard does not discuss how shared key is established. In practice, most installations use a single key which is shared between all mobile stations and access points. 9

© ClubHack CHAP Authentication SupplicantAuthenticator username challenge response Accept/reject

© ClubHack How WEP works IV RC4 key IV encrypted packet original unencrypted packetchecksum

12 © ClubHack Deficiencies of WEP IV is too short and not protected from reuse. The per packet key is constructed from the IV, making it susceptible to weak key attacks. No effective detection of message tampering (message integrity). No built-in provision to update the keys in all wireless clients connected to the access point. No protection against message replay. 12

© ClubHack WEP Cracking Demo

14 © ClubHack Radius: An additional layer in security

© ClubHack x Port-based access control Mutual authentication via authentication server 3. Issue challenge 5. Validate response 2. Limit access to authentication server 6. Allow access to network 1. Request access 4. Answer challenge 7. Use other Network devices Time Supplicant Authenticator Authenticator server Client inaccessible network devices

16 © ClubHack Wi-Fi Protected Access (WPA) IEEE 802.1X authentication server- LEAP, EAP/TLS, PEAP or PSK (Pre-Shared Key) RC4 stream cipher, with a 128-bit key and a 48-bit initialization vector (IV). Temporal Key Integrity Protocol (TKIP) Message Integrity Code (MIC) Michael to ensure data Integrity 16

17 © ClubHack WPA – PSK A pass phrase (shared secret key) is used. Pre-Shared Key is generated by combining the Service Set Identifier (SSID) with a passphrase (an ASCII string, 8-63 characters.) A passphrase less than 64 characters can be insecure Management is handled on the AP - Vulnerable to dictionary attacks 17

18 © ClubHack Temporal Key Integrity Protocol Fixes flaws of key reuse in WEP - Comprised of 3 parts, guarantees clients different keys – bit temporal key, shared by clients and APs – - MAC of client – - 48-bit IV describes packet sequence number Increments the value of the IV to ensure every frame has a different value Changes temporal keys every 10,000 packets Uses RC4 like WEP, only firmware upgrade required 18

19 © ClubHack Michael Message Integrity Check Message Integrity Code (MIC) - 64-bit message calculated using “Michael” algorithm inserted in TKIP packet to detect content alteration Message is concatenated with the secret key and the result is hashed Protects both data and header Implements a frame counter, which discourages replay attacks 19

20 © ClubHack WPA Summary Confidentiality : Per-packet keying via TKIP Message Authenticity : Michael algorithm Access Control and Authentication : IEEE 802.1x - EAP/TLS 20

21 © ClubHack Deficiencies of WPA Dictionary Attack on WPA-PSK - The weak pass- phrases users typically employ are vulnerable to dictionary attacks. DoS Attacks - Due to inevitable weaknesses of Michael, the network is forced to shut down for one minute if two frames are discovered that fail the Michael check. TKIP Attack - An attacker sniffs a packet, makes minor modifications to affect the checksum, and checks the results by sending the packet back to the access point. 21

© ClubHack WPA–PSK Hacking Demo

23 © ClubHack WPA2 – i 802.1x / PSK for authentication. CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) to provide confidentiality, integrity and origin authentication. AES replaces RC4 w/TKIP 23

© ClubHack A Comparison WEPWPAWPA2 CipherRC4 AES Key Size40 bits128 bits Key Life24 bit IV48 bit IV Packet KeyConcatenatedMixing Function Not Needed Data IntegrityCRC - 32MichaelCCM Replay AttackNoneIV Sequence Key Management NoneEAP - Based

25 A dedicated website for wardriving in India

26 © ClubHack Trivia On 10th November 2008, ClubHack with support of Cyber Crime Cell of Pune Police conducted a Wardriving in Pune, Maharashtra.ClubHack 50% of Pune’s wireless networks were found to be Open. 31% of Pune’s wireless networks were found with weak encryption (WEP) Only 19% of the networks were strongly encrypted with WPA (and its variants) Ref: 26

27 © ClubHack Exploiting Vulnerabilities Locating a wireless network Attaching to the Found Wireless Network Sniffing Wireless Data 27

28 © ClubHack Locating a wireless network We need a special holiday to honor the countless kind souls with unsecured networks named 'linksys'. Strip Number: 466

29 © ClubHack Locating a wireless network NetStumbler – This Windows based tool easily finds wireless signals being broadcast within range 29

30 © ClubHack Locating a wireless network (contd) Kismet – Kismet will detect and display SSIDs that are not being broadcast which is very critical in finding wireless networks. 30

31 © ClubHack Capturing the Wireless Network If the wireless network is using authentication and/or encryption, you may need one of the following tools. Airodump-ng - packet capture program, collects authentication handshake Aireplay-ng - de-authenticator /packet injection program 31

32 © ClubHack Attacking to the Wireless Network CowPatty – Brute force tool for cracking WPA-PSK. Aircrack-ng - To crack PSK using authentication handshake 32

33 © ClubHack Sniffing Wireless Data Wireshark – Ethereal can scan wireless and Ethernet data and comes with some robust filtering capabilities. It can also be used to sniff-out management beacons and probes and subsequently could be used as a tool to sniff-out non-broadcast SSIDs. 33

34 Steps to achieve security for home users Open the configuration of your wi-fi device Go to wireless setting Under security option, select any one (whichever available)  – WPA  – WPA - PSK  – WPA - Personal  – WPA - AES  – WPA2 - Personal  – WPA2 - PSK Set a complex password Change the login password of the wireless router. Change the SSID to something classy Don't disable SSID broadcast Done

35 Example : Linksys

36 Example : Netgear

37 Example : Dlink

38 Example : ZyXEL

39 Further Advised Change the router login password frequently –Atleast once a month Change the wireless WPA password also –Atleast once a month Avoid temptation to connect to open wireless just looking for free internet.

40 © ClubHack Securing Enterprise Networks 1. Define, monitor and enforce a wireless security policy –Policy should cover all and Bluetooth wireless devices –Define wireless policies for mobile workers –Ensure wireless devices are not used until they comply with the wireless security policy 2. Take a complete inventory of all Access Points and devices in the airwaves –Eliminate rogue Access Points and unauthorized user Stations. 40

41 © ClubHack Securing Enterprise Networks (Contd) 3. Define secure configurations for Access Points and user Stations –Change default setting –Disable SSID broadcast –Turn-off “ad-hoc” mode operation 4. Define acceptable encryption and authentication protocols –Use strong authentication (802.1x with EAP recommended) –Use strong encryption with at least 128-bit keys (WPA2, WPA recommended) –Deploy a layer-3 Virtual Private Network (VPN) for wireless communication 41

42 © ClubHack Securing Enterprise Networks (Contd) 5. Monitor the airwaves to identify suspicious activity –Deploy a Wireless Intrusion Detection System (IDS) to identify threats and attacks –Detect and terminate unauthorized associations in a timely manner –Monitor wireless assets for policy violations –Log, analyze, and resolve incidents in a timely manner –Gather and store wireless activity information for forensic analysis 42

© ClubHack References Aircrack-ng Airtight Networks BackTrack 3 Understanding WPA TKIP crack Practical attacks against WEP and WPA Best Practices for Wireless Network Security and Sarbanes- Oxley compliance – Joshua Wright iPig Encryption Software Wikipedia!

44 Q & 42 ? :-?

© ClubHack Thank You!