Wireless Hacking Lesson 13 (presentation transcript)

1 Wireless Hacking Lesson 13

2 Reminder
- As a reminder, remember that the tools and techniques that you learn this semester are only to be used on systems you are authorized to perform scans/tests on.
- Authorization doesn't simply mean that you are an authorized user but rather that you are specifically authorized to perform the penetration activity on the system.
- Conducting activity outside your authorized boundaries can result in:
  - Failing the class should it occur now
  - Having your employment terminated if you try this on a company system
  - Criminal prosecution depending on the specific activity

3 Wireless Networks
- Unlike wired networks, there is little to no control over who is receiving traffic on the network
- Antenna selection can extend the range of wireless reception by several miles
- 802.11 devices can be small and easily concealed
- Anonymity is provided to anyone who can successfully connect to the wireless network
- No source information is available to attempt to trace the origin of the attack

4 Poor Authentication
- Current production devices have weak authentication schemes without running additional protocols
- Authentication is currently only provided by SSID (Service Set Identifier) or WEP (Wired Equivalent Privacy)
- The SSID is easily sniffed from existing traffic
- WEP is a weak encryption protocol that is easily cracked
- Future support for 802.1X will provide stronger authentication

5 Weak Encryption
- WEP (Wired Equivalent Privacy) is the encryption method used to attempt privacy of the wireless packets
- It is an implementation of the RC4 stream cipher, supporting 40- and 104-bit encryption keys
- The implementation is subject to weak Initialization Vectors, allowing an attacker to crack the WEP key once they have collected enough packets
- There are automated tools to perform the cracking of WEP keys, AirSnort being one of the most popular
- New wireless standards such as 802.11i will allow WEP to be replaced by AES (Advanced Encryption Standard)
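The slide states that WEP's RC4 construction with its initialization vectors is what makes the key recoverable. The following is an added illustration (not code from the presentation or from any of the tools it names) of the two properties a defender should understand: WEP seeds RC4 with a 24-bit IV prepended to the shared key, so any repeated IV under the same key reuses the whole keystream, and a 24-bit IV space is so small that repeats are expected after only a few thousand frames. It is not a WEP cracker; the 40-bit key, IV and frame contents are constructed, and the CRC-32 integrity value of a real WEP frame is left out.

```python
import math

IV_BITS = 24  # WEP prepends a 24-bit IV to the shared key for every frame


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + output generation); returns keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: the per-frame RC4 key is IV (3 bytes) || shared key.
    A real frame also carries a CRC-32 ICV; it is omitted here."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def keystream_reuse_leak(iv, shared_key, p1, p2):
    """Two frames under the same IV and key share one keystream, so XORing the
    ciphertexts cancels it: c1 ^ c2 == p1 ^ p2. Returns both sides."""
    c1 = wep_encrypt(iv, shared_key, p1)
    c2 = wep_encrypt(iv, shared_key, p2)
    return xor_bytes(c1, c2), xor_bytes(p1, p2)


def frames_until_iv_collision(prob=0.5, iv_bits=IV_BITS):
    """Birthday bound: number of frames with randomly chosen IVs after which
    the probability of at least one repeated IV reaches `prob`."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - prob))))


def first_reused_iv(ivs):
    """Monitoring check: return the first IV seen twice in a frame sequence,
    or None if every IV was fresh."""
    seen = set()
    for iv in ivs:
        if iv in seen:
            return iv
        seen.add(iv)
    return None


if __name__ == "__main__":
    # Constructed 40-bit key and IV (not real credentials)
    key = bytes.fromhex("0102030405")
    iv = bytes.fromhex("000001")
    leak, truth = keystream_reuse_leak(iv, key, b"frame one payload", b"frame two payload")
    print("c1^c2 == p1^p2 under a reused IV:", leak == truth)
    print("frames until a 50% chance of an IV repeat:", frames_until_iv_collision())
```

The birthday figure (about 4,800 frames for a coin-flip chance of a repeat, with exhaustion of all 16.7 million IVs certain on a busy network) is why "collect enough packets" is a realistic condition rather than a theoretical one; the `first_reused_iv` check is the kind of test a monitoring tool can run over observed IVs.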

6 Shared Media Topology
- An 802.11 wireless LAN operates as a shared media technology
- This allows any device in promiscuous mode (i.e. sniffer programs) to capture every packet that is transmitted to and received from an access point
- Passwords are easily retrieved from any cleartext protocol: Telnet, POP3, SMTP, FTP

7 Access Points in Houston
- In preparation for the Houston Tabletop Exercise, CIAS personnel conducted some war driving in Houston
- A number of different war-driving tools exist:
  - NetStumbler (Windows based)
  - Kismet (Linux based)

8, 9 (no transcript text)

10 Wireless mapping
- Once you've got all that data on open wireless access points, what do you do with it all? Create those cool maps!
- Several tools help with this:
  - StumbVerter uses MapPoint to plot data from files in the NetStumbler format
  - GPSMap is included with Kismet

11 Wireless Scanning and Enumeration
- Once you've found some wireless systems, the next step is similar to wired systems: scanning, then enumeration
- Along with the access points you've discovered, you should have learned their:
  - SSID (Service Set IDentifier): used as the identifier to distinguish one access point from another; similar to a domain name for a wireless network
  - MAC address (Media Access Control): the unique address that identifies each node of a network
  - WEP usage (Wired Equivalent Privacy): encryption for wireless networks
  - IP address

12 SSID
- All war-driving software is designed to grab SSIDs
- A probe request to the network with a zero-length SSID will generally result in the network responding with the SSID
- SSIDs may also be obtained by:
  - Watching for beacons; these are sent continually by some access points
  - Watching for probe responses to other systems
  - Reassociation requests (if a system wanders out of range and then back in)
- If probe responses are blocked, you can wait until a client tries to reassociate, or you can force the issue by sending a deauthentication frame, which should result in systems trying to reconnect
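Slides 11 and 12 list what an observer learns about an access point (SSID, BSSID/MAC, encryption in use) and note that deauthentication frames cause clients to reconnect. The same observations are what a wireless intrusion detection sensor works from, so here is an added example (not code from the presentation, NetStumbler or Kismet) of the defender's side: beacons are compared against an authorized inventory of SSID-to-BSSID pairs to spot an unknown radio announcing the corporate SSID or advertising open/WEP, and deauthentication frames are counted per source in a sliding window so a burst stands out from the occasional legitimate one. The `key=value` frame log, the inventory and the threshold are all constructed for the example.

```python
from collections import defaultdict, deque

# Authorized inventory (constructed): SSID -> BSSIDs allowed to announce it
AUTHORIZED_BSSIDS = {"CorpNet": {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}}
ACCEPTED_PRIVACY = {"WPA2"}  # beacons advertising OPEN or WEP are flagged

# Constructed sample frame log (one key=value record per line); not a real capture.
# One deauth from the AP itself is normal; the 30-frame burst from a foreign
# address inside 0.3 seconds is the pattern a sensor should alert on.
SAMPLE_LOG = """\
t=0.00 type=beacon bssid=AA:BB:CC:DD:EE:01 ssid=CorpNet privacy=WPA2
t=0.10 type=beacon bssid=AA:BB:CC:DD:EE:02 ssid=CorpNet privacy=WPA2
t=0.20 type=beacon bssid=11:22:33:44:55:66 ssid=CorpNet privacy=OPEN
t=0.30 type=beacon bssid=AA:BB:CC:DD:EE:03 ssid=Guest privacy=WEP
t=0.40 type=deauth src=AA:BB:CC:DD:EE:01 bssid=AA:BB:CC:DD:EE:01
""" + "".join(
    f"t={1.0 + i * 0.01:.2f} type=deauth src=11:22:33:44:55:66 bssid=AA:BB:CC:DD:EE:01\n"
    for i in range(30)
)


def parse_line(line: str) -> dict:
    """One 'key=value key=value' record; MAC addresses are normalised to lower case."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["t"] = float(rec["t"])
    for k in ("bssid", "src"):
        if k in rec:
            rec[k] = rec[k].lower()
    return rec


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def beacon_alerts(records):
    """Inventory check: an unknown BSSID announcing an authorized SSID is a
    possible evil twin; a beacon advertising OPEN or WEP is weak privacy."""
    alerts = []
    for r in records:
        if r["type"] != "beacon":
            continue
        allowed = AUTHORIZED_BSSIDS.get(r["ssid"])
        if allowed is not None and r["bssid"] not in allowed:
            alerts.append(("evil_twin", r["bssid"], r["ssid"]))
        if r["privacy"] not in ACCEPTED_PRIVACY:
            alerts.append(("weak_privacy", r["bssid"], r["privacy"]))
    return alerts


def deauth_peaks(records, window=1.0):
    """Highest number of deauth frames per source address inside any
    `window`-second span (records must be in time order)."""
    recent = defaultdict(deque)
    peaks = defaultdict(int)
    for r in records:
        if r["type"] != "deauth":
            continue
        q = recent[r["src"]]
        q.append(r["t"])
        while q[0] < r["t"] - window:
            q.popleft()
        peaks[r["src"]] = max(peaks[r["src"]], len(q))
    return dict(peaks)


def deauth_flood_alerts(records, window=1.0, threshold=10):
    return [("deauth_flood", src, n)
            for src, n in deauth_peaks(records, window).items() if n >= threshold]


def wids_report(text=SAMPLE_LOG):
    """All alerts for a frame log: inventory findings first, then deauth bursts."""
    recs = parse_log(text)
    return beacon_alerts(recs) + deauth_flood_alerts(recs)


if __name__ == "__main__":
    for alert in wids_report():
        print(alert)
```

Management frames carry no cryptographic protection on the networks this lesson covers, which is why the sensor can only count deauthentications rather than verify them; the threshold needs tuning per site, since access points legitimately send a few when clients idle out.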

13 Sniffing
- Once you've located a potential target network you need to gather some data
- Use a sniffer to capture packets
- Are the packets encrypted? Is it a WEP implementation or some other scheme such as SSL over HTTP?
- Wireless sniffers are not really any different from sniffers for wired lines; the only difference is that sniffers designed for the wireless environment will categorize the wireless packet structure
- Setting wireless cards to promiscuous mode is simple on Windows-based systems; in Linux it is more difficult. The text covers this in detail
- A number of tools for the wireless environment are covered in the text
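Slide 6 says passwords are easily retrieved from cleartext protocols on shared media, and slide 13 asks the first question about captured packets: are they encrypted at all? Both points are what a passive monitoring sensor on the same shared medium checks for on the defender's behalf, so here is an added example (not code from the presentation or its text) that applies a byte-entropy heuristic to decide whether a payload is probably encrypted, and, for cleartext payloads, flags FTP/POP3 `USER`/`PASS`, SMTP `AUTH PLAIN` and HTTP basic credentials while recording only a redacted form. The POP3 and HTTP exchanges and the hash-chain stand-in for an encrypted payload are constructed; the 7.0 bits-per-byte threshold and 64-byte minimum are assumptions to tune.

```python
import hashlib
import math
import re


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(payload: bytes, min_len=64, threshold=7.0) -> bool:
    """Heuristic first pass: a payload of reasonable size whose bytes are near
    uniformly distributed is probably encrypted (or compressed); protocol text
    sits far lower. Short payloads cannot reach high entropy, hence min_len."""
    return len(payload) >= min_len and shannon_entropy(payload) >= threshold


CLEARTEXT_AUTH_PATTERNS = [
    (re.compile(rb"^USER (\S+)", re.M), "ftp/pop3 username"),
    (re.compile(rb"^PASS (\S+)", re.M), "ftp/pop3 password"),
    (re.compile(rb"^AUTH PLAIN (\S+)", re.M), "smtp AUTH PLAIN credentials"),
    (re.compile(rb"^Authorization: Basic (\S+)", re.M | re.I), "http basic credentials"),
]


def redact(secret: bytes) -> str:
    """Keep the first character only, so the alert log is not a password store."""
    return secret[:1].decode("ascii", "replace") + "*" * (len(secret) - 1)


def cleartext_credential_alerts(payload: bytes):
    """Flag credentials carried in the clear. Telnet logins arrive one typed
    character per packet and need stream reassembly, so they are not matched."""
    alerts = []
    for pattern, what in CLEARTEXT_AUTH_PATTERNS:
        for m in pattern.finditer(payload):
            alerts.append((what, redact(m.group(1))))
    return alerts


def classify_payload(payload: bytes):
    """('encrypted', []) or ('cleartext', alerts)."""
    if looks_encrypted(payload):
        return ("encrypted", [])
    return ("cleartext", cleartext_credential_alerts(payload))


# Constructed samples (not captured traffic)
SAMPLE_POP3 = (b"+OK POP3 ready\r\nUSER alice\r\n+OK\r\n"
               b"PASS hunter2\r\n+OK logged in\r\n")
SAMPLE_HTTP = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
               b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n")
# Deterministic stand-in for an encrypted payload: a 1024-byte SHA-256 chain
SAMPLE_ENCRYPTED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))


if __name__ == "__main__":
    for name, payload in [("pop3", SAMPLE_POP3), ("http", SAMPLE_HTTP), ("enc", SAMPLE_ENCRYPTED)]:
        print(name, round(shannon_entropy(payload), 2), classify_payload(payload))
```

The entropy test is only a triage step: TLS records, compressed HTTP bodies and WEP frames all score high, so a positive tells the analyst "not readable", not "protected". The credential patterns are the positive finding that justifies moving a service off a cleartext protocol or onto TLS.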

14 WEP
- WEP was actually never designed as a security solution but rather just to protect against passive eavesdropping
- There are a number of ways to attack the WEP algorithm. Fortunately for us there are tools out there already designed to help us with this:
  - AirSnort
  - WLAN-Tools (older program, outdated)
  - DWEPCrack: a tool specifically designed to crack WEP packets via the BSD system
- A final note, not related to WEP: wireless can be subject to DoS attacks, not only from computers but also from S-Band ISM (Industrial, Scientific and Medical) frequency systems

15 WPA
- Wi-Fi Protected Access (WPA) was an interim solution until 802.11i
- The Temporal Key Integrity Protocol (TKIP) was adopted for WPA
- TKIP employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each packet and thus prevents the types of attacks that compromised WEP
- WPA2 implements 802.11i fully
- Mandatory support for CCMP, an AES-based encryption mode with strong security
- CCMP: Counter Mode Cipher Block Chaining Message Authentication Code Protocol
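To make the "new key for each packet" property concrete, here is an added example (not code from the presentation, and not an implementation of TKIP or CCMP) that derives a distinct 128-bit key for every value of a transmitter's packet sequence counter and rejects any frame whose counter does not advance. The key derivation (HMAC-SHA256 over transmitter address and counter) and the hash-based keystream are stand-ins chosen so the block runs with the standard library; TKIP's real two-phase key mixing and CCMP's AES counter mode are different constructions. The temporal key and MAC address are constructed values.

```python
import hashlib
import hmac


def per_packet_key(temporal_key: bytes, transmitter_mac: bytes, tsc: int) -> bytes:
    """Illustrative per-packet key: HMAC-SHA256(TK, TA || TSC) truncated to
    128 bits. Stand-in for TKIP's key mixing; it reproduces only the property
    that every packet sequence counter value gives a different key."""
    msg = transmitter_mac + tsc.to_bytes(6, "big")  # TKIP's TSC is 48 bits
    return hmac.new(temporal_key, msg, hashlib.sha256).digest()[:16]


def keystream(key: bytes, length: int) -> bytes:
    """Constructed counter-mode keystream from a 128-bit key (hash based, for
    illustration only; not RC4 and not what TKIP or CCMP use)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def encrypt_frame(temporal_key: bytes, transmitter_mac: bytes, tsc: int, plaintext: bytes) -> bytes:
    """Same plaintext under consecutive counters yields unrelated ciphertexts,
    unlike WEP, where a repeated IV repeats the keystream."""
    k = per_packet_key(temporal_key, transmitter_mac, tsc)
    return bytes(p ^ s for p, s in zip(plaintext, keystream(k, len(plaintext))))


class ReplayCheck:
    """Receiver side: the packet counter must strictly increase per transmitter,
    so a recorded frame cannot simply be played back later."""

    def __init__(self):
        self.last_tsc = {}

    def accept(self, transmitter_mac: bytes, tsc: int) -> bool:
        if tsc <= self.last_tsc.get(transmitter_mac, -1):
            return False
        self.last_tsc[transmitter_mac] = tsc
        return True


def replay_sequence(transmitter_mac: bytes, tscs):
    """Run a list of observed counters through ReplayCheck; True = accepted."""
    rc = ReplayCheck()
    return [rc.accept(transmitter_mac, t) for t in tscs]


def distinct_keys(temporal_key: bytes, transmitter_mac: bytes, count: int) -> int:
    return len({per_packet_key(temporal_key, transmitter_mac, i) for i in range(count)})


if __name__ == "__main__":
    TK = bytes(range(16))                    # constructed 128-bit temporal key
    TA = bytes.fromhex("aabbccddee01")       # constructed transmitter address
    print("distinct keys for 1000 packets:", distinct_keys(TK, TA, 1000))
    print("replay decisions:", replay_sequence(TA, [1, 2, 2, 1, 3]))
```

The counter is also what makes the replay check possible: it is part of what is keyed and authenticated, so an attacker cannot reuse an old frame with a fresh counter without also producing a valid integrity value for it.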

16 Cyber Defense Exercise (CDX)
- A defensive exercise in which members from each of the military academies attempt to protect networks from attacks by aggressors
- The competition is sponsored by DHS and has been conducted since 2001
- 2016 National Collegiate Cyber Defense Competition
  - Builds on regional competitions
  - April 22-24 in San Antonio (Marriott Riverwalk)
  - http://www.nationalccdc.org/

17 Summary
- What is the importance and significance of this material? Wireless is becoming more common. In some environments it is replacing wired networks altogether.
- How does this topic fit into the subject of "Security Risk Analysis"? If it's out there, we need to know how to attack it. Since there are some inherent problems with wireless, this can be easy access for us into an organization's network.

