Chapter 3: Wireless, how safe it is NOT! By: Brett Hoff.


1 Chapter 3: Wireless, how safe it is NOT! By: Brett Hoff

2 Overview (Chapter 3 of 8)
Chapter 1: Firewalls introduction
Chapter 2: Effective Network Security
Chapter 3: Wireless, how safe it is NOT!
Chapter 4: Logs, not just for camp fires
Chapter 5: Tracing down your problem
Chapter 6: Tracing down your problem II
Chapter 7: How/who/when/why
Chapter 8: Overview

3 My Disclaimer Some of the things discussed in this presentation fall outside the normal methods. The ideas presented herein are set out as a guide and are by no means the end-all of security. The suggestions in this presentation will not keep you 100% safe and secure! The old saying is: locks are there to keep honest people honest.

4 Overview! We are going to talk about securing your wireless connection today, about what is out there and what is being used! We are going to put the emphasis on what is not working!

5 Encryption, do we need it? I hear people talking all the time about encryption. Unfortunately it is usually about how it is a pain to set up, or they don't think they need it, or there is confusion over which one they need. Of course we all know that yes, we do need it. But do you know which one is the most secure?

6 Types of Encryption
WEP
WPA PSK (Pre-Shared Key)
WPA RADIUS
WPA2 PSK only
WPA2 RADIUS only
WPA2 PSK mixed
WPA RADIUS mixed

7 WEP (Wired Equivalent Privacy) Any WEP key can be cracked with readily available software in two minutes or less. This is the most widely used encryption; the only thing used more is no encryption at all! WEP uses either 64- or 128-bit keys.

8 Determining if someone is using WEP For this you will need Kismet and Ethereal. You will also need to understand how these tools work; if you don't, it is quick to learn. Start up Kismet near your target AP and let it run for a while. After getting a good stream of data, go ahead and stop Kismet. Next start up Ethereal and open the Kismet .dump file.

9 Determining if someone is using WEP cont. Select a data packet from the top pane and choose a Tag Interpretation field from the second pane. If in the third pane you find an ASCII "P...." this indicates WPA is in use. Otherwise it will be WEP.

10 Determining if someone is using WEP cont. A few notes here: Kismet alone will tell you that the APs are using WEP, but the .dump file does not lie. With a little work with Kismet and Ethereal you can determine whether WEP or WPA is being used. The latest version of Kismet will now tell you directly whether it is WPA or WEP!
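To audit your own APs without clicking through packets by hand, here is an added example (mine, not from the presentation) that classifies a beacon frame body the way slides 8 to 10 describe: the privacy bit in the capability field means encryption is required, an RSN tag (48) means WPA2, and a vendor tag (221) carrying the Microsoft OUI 00:50:F2 means WPA, whose first OUI byte 0x50 is the ASCII "P" the slide refers to. The beacon bytes below are constructed for the demonstration, not a real capture; in practice they would come from a pcap reader.

```python
import struct

# Tag numbers and OUI from IEEE 802.11: RSN = tag 48, vendor-specific = tag 221,
# WPA (v1) information element = vendor tag with OUI 00:50:F2 and OUI type 1
TAG_SSID = 0
TAG_RSN = 48
TAG_VENDOR = 221
WPA_OUI_TYPE = bytes.fromhex("0050f2") + b"\x01"
CAP_PRIVACY = 0x0010  # capability bit set when the AP requires encryption


def parse_tags(body):
    """Return a list of (tag_number, value) from the tagged-parameter section."""
    tags, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break  # truncated capture: stop rather than misread the remainder
        tags.append((tag, value))
        i += 2 + length
    return tags


def classify_beacon(frame_body):
    """Return (ssid, security) for a beacon body: 12 bytes of fixed fields, then tags."""
    cap = struct.unpack_from("<H", frame_body, 10)[0]  # timestamp(8) + interval(2) first
    ssid, has_rsn, has_wpa = "", False, False
    for tag, value in parse_tags(frame_body[12:]):
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", "replace")
        elif tag == TAG_RSN:
            has_rsn = True
        elif tag == TAG_VENDOR and value.startswith(WPA_OUI_TYPE):
            has_wpa = True
    if has_rsn and has_wpa:
        return ssid, "WPA/WPA2 mixed"
    if has_rsn:
        return ssid, "WPA2"
    if has_wpa:
        return ssid, "WPA"
    return ssid, "WEP" if cap & CAP_PRIVACY else "open"


def make_beacon(ssid, privacy=False, rsn=False, wpa=False):
    """Build a constructed beacon body for testing (minimal IEs, not a real capture)."""
    body = struct.pack("<QHH", 0, 100, CAP_PRIVACY if privacy else 0)
    body += bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    if wpa:
        body += bytes([TAG_VENDOR, 4]) + WPA_OUI_TYPE   # WPA IE header only
    if rsn:
        body += bytes([TAG_RSN, 2]) + b"\x01\x00"       # RSN version 1 only
    return body
```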

11 A few things Alright, a few things. First and foremost, I am not going to show you how to hack somebody's box. This will give you the framework, and you can easily find the tools for use on your own network on the BackTrack CD found at http://www.remote-exploit.org/backtrack.html

12 Cracking WEP There are 2 ways to attack this subject. 1. Sniffing for weak IVs: Fluhrer, Mantin, and Shamir found that during normal operation about 9,000 of the possible 16 million IVs could be considered weak, and if enough of these weak IVs are collected then you can determine the key. Good news: it takes between 1,500 and 5,000 weak IVs before the crack is successful.

13 Cracking WEP cont. After the weak IVs are collected they are fed back into a key scheduling algorithm. Collecting enough weak IVs can take weeks, even months, but there is a solution: re-injecting ARP packets back at the AP. We will talk more about this after finishing our review of cracking WEP.

14 Cracking WEP cont. 2. Sniffing for unique IVs: this also requires a large number of packets, but not nearly the amount required for weak IV collection. This is called a chopping attack: chopping the last byte off the packet and manipulating it to get the key.

15 Speeding up packet generation To speed up the process of gathering weak or unique IVs you can re-inject a captured ARP packet to the target AP. The response will generate traffic and increase the speed at which packets are captured.

16 Collecting ARP packets It could take some time to grab a good ARP packet for re-injection. There are several scenarios where ARP packets are transmitted; one such is during the authentication process. Sending a deauthentication frame to the AP knocks the client off the network, the client reauthenticates, and you have a captured ARP packet.

17 WPA-PSK (Pre-Shared Key) Wi-Fi Protected Access was built to fill in the shortcomings of WEP. It has greater encryption capability and can be used with a pre-shared key (PSK) or with a RADIUS server. When using it with PSK you should use a pass phrase of at least 21 characters, up to 54 for secure use. This encryption is prone to dictionary attack.

18 WPA RADIUS This is thought to be the most secure, and both WPA and WPA2 have no known flaws in this setup. But it requires the setup of a RADIUS server or PF-Auth server to use, which falls beyond the scope of this presentation.

19 Cracking WPA-PSK It is actually easier to crack WPA-PSK than WEP. All you have to do is capture a four-way handshake (the four-way Extensible Authentication Handshake). You can wait for an authentication or force one by sending a deauthentication frame to the AP. After you have captured this one exchange you can take it away and crack it later with a dictionary attack.

20 Cracking WPA-PSK cont. To ensure success on this type of attack the pass phrase should be less than 21 characters, and you should have a good word list to use. These are easily downloaded from the Web.

21 Cracking WPA2-PSK Someone brought it up to me that WPA2 was not crackable like WPA was, due to the added level of encryption. But build a better mouse trap and someone will build a better mouse: a tool called coWPAtty now has WPA2 capabilities, which makes it another one down. Both WPA-PSK and WPA2-PSK are still considered secure if you have a pass phrase of at least 21 characters.

22 Cracking WPA2-PSK cont. Maximum protection with either WPA-PSK or WPA2-PSK comes from using a pass phrase of 54 random letters or 39 random ASCII characters. This will give you true 256-bit encryption with WPA.
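The pass phrase advice from slides 17 to 22 as an added policy check (my example, not the presenter's code): it flags pass phrases under 21 characters or found in a word list, estimates entropy from the character classes actually used, and performs the standard WPA/WPA2 PSK derivation (PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output from IEEE 802.11i), which is why the 39-character ASCII figure is the point past which extra random characters stop adding strength. The word list is a constructed sample and the 33-symbol punctuation count (32 symbols plus space) is my assumption.

```python
import hashlib
import math
import string

MIN_LEN = 21     # minimum pass phrase length recommended by the slides
PSK_BITS = 256   # the derived PSK is 256 bits whatever the pass phrase length

# Constructed sample word list for the demonstration; real lists are far larger
SAMPLE_WORDLIST = {"password", "letmein", "wireless", "linksys123"}


def charset_size(passphrase):
    """Alphabet size implied by the character classes the pass phrase uses."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(c == " " or c in string.punctuation for c in passphrase):
        size += 33  # assumption: 32 punctuation symbols plus space
    return size


def entropy_bits(passphrase):
    """Upper bound on guessing entropy, assuming every character is random."""
    size = charset_size(passphrase)
    return len(passphrase) * math.log2(size) if size else 0.0


def check_passphrase(passphrase):
    """Return policy findings; an empty list means the pass phrase meets the slides' advice."""
    findings = []
    if len(passphrase) < MIN_LEN:
        findings.append(f"shorter than {MIN_LEN} characters")
    if passphrase.lower() in SAMPLE_WORDLIST:
        findings.append("appears in word list, so a dictionary attack succeeds")
    bits = entropy_bits(passphrase)
    if bits < PSK_BITS:
        findings.append(f"about {bits:.0f} bits, below the {PSK_BITS}-bit PSK ceiling")
    return findings


def derive_psk(passphrase, ssid):
    """Standard WPA/WPA2 PSK derivation: the SSID salts the pass phrase, output is 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
```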

23 WPA RADIUS and WPA2 RADIUS Presently these are both considered safe and have no known flaws that I could find listed anywhere. These work by setting up an authentication server for verifying the users on the network. It is tricky setting up such a network, and so it is mostly used by large corporations.

24 The worst wireless security! MAC filtering: someone came up with the idea of only allowing your list of MAC addresses on your AP. In theory it makes sense and sounds good. But in reality, every time you authenticate with the AP you are giving up your MAC address. It takes seconds to cut and paste the MAC address into another computer, essentially stealing your ID!

25 The worst wireless security! cont. SSID hiding: OK people, there is no such thing! All you are doing is hiding it from yourself! It is still broadcast by 4 other mechanisms: probe requests, probe responses, association requests, and re-association requests. Essentially, you are talking about hiding 1 of 5 SSID broadcast mechanisms. Kismet sees them all.

26 The worst wireless security! cont. Disable DHCP: this one is actually listed on several wireless security websites. Come on guys, even a newbie can figure out a network topology and set their IP/netmask to match the needed layout.

27 The worst wireless security! cont. Antenna placement: put your antenna in the middle of your building and turn down the power. Who here thinks that will work? Hackers will always have a better and bigger antenna :} Placement should be used for best coverage with minimum interference.

28 Wrap up Well, I hope that helps you better understand wireless security. It is not all bad; there is such a thing as secure wireless, but like any other type of security it takes work. If anybody has any notes on any of my presentations I would be happy to look at them for inclusion in the presentation and give you credit for your contribution.
