Wireless Security
Mark Nakrop
Managing Director
nForce Security Systems
Wireless Security, Advanced Wireless LAN Hacking
Advanced 802.11 Attack
Wireless Best Practices
Wireless Hacking Tools
wlan-jack, essid-jack, monkey-jack, kracker-jack
Network Stumbler
Mitigation Strategies
Agenda
Conventional LAN Security Model
[Diagram: Internet, Corporate Firewall, Enterprise Premises]
Firewall shields inside from outside.
LAN is confined to wires within the premises.
Inside is secure. Outside is insecure.
WiFi Breaks the Conventional Model
Wi-Fi security solutions are needed.
Attacks can happen over air.
Attacks bypass the firewall.
Network not confined to wires/premises anymore.
[Diagram: Internet, Corporate Firewall]
Threats from Unmanaged Devices
Common
Rogue Access Points
Mis-configured Access Points
Denial of Service
De-authentication flood
Packet storm
MAC Spoofing APs
Malicious
Honeypot APs
Unauthorized associations
Client mis-associations
Ad hoc connections
[Diagram: Enterprise Network and Neighboring Network, with the labels Ad Hoc, Denial of Service Attack, AP MAC Spoofing, Rogue AP, Mis-configured AP, Unauthorized Association, Mis-association, Honeypot]
Goals of WLAN Security
Fortify authorized communication
Access control and encryption over wireless link
WEP, WPA, 802.11i adequately address this problem
Protect the network from unmanaged devices
Rogue APs, DoS attacks, client misassociations, Honeypots, ad hoc networks, MAC spoofing etc.
Current pain point in enterprise network
Wireless Intrusion Detection and Prevention Systems
802.11, 802.11b, etc.
IEEE standard – based on well known Ethernet standards
802.11 – FHSS or DSSS, WEP, 2.4 GHz, Infrastructure (BSS) or Ad-Hoc (iBSS)
Limited to 2Mb/s due to FCC limits on dwell times per frequency hop
802.11b – DSSS only, WEP, 2.4 GHz, Infrastructure or Ad-Hoc
Up to 11Mb/s
Also known as Wi-Fi
802.11a and 802.11g
General Principles
Deal with the basics
Integrity
Protecting your packets from modification by other parties
Confidentiality
Keeping eavesdroppers within range from gaining useful information
Keeping unauthorized users off the network
Free Internet!
Risks to both internal and external network
Availability
Low level DoS is hard to prevent
Like any other environment, there are no silver bullets
Current Security Practices
WEP – Wired Equivalent Privacy
Link Level
Very Broken
Firewalls/MAC Filtering
Reactionary – IDS/Active Portal
Higher level protocols
Thoughts on WEP
Key management beyond a handful of people is impossible
Too much trust
Difficult administration
Key lifetime can get very short in an enterprise
No authentication for management frames
No per packet auth
False Advertising!!!
[...]...
Eliminate invalid trust assumptions
What is War Driving?
Equipped with wireless devices and related tools, and driving around in a vehicle or parking at interesting places with a goal of discovering easy-to-get-into wireless networks is known as war driving.
War-drivers define war driving as “The benign act of locating and logging wireless access points while in motion.” This benign act is of course useful... to the attackers
What is War Chalking?
War chalking is the practice of marking sidewalks and walls with special symbols to indicate that wireless access is nearby so that others do not need to go through the trouble of the same discovery.
What Will Be Covered
Wireless network best practices
Practical attacks
The focus of the attack(s)
The network layers
The bottom 2 layers
Custom (forged) 802.11b...
Monkey-Jack Attack Scenarios Monkey-Jack After Monkey-Jack Attack Scenarios - Monkey-Jack
WarDriving Techniques
NetStumbler - identifies wireless access points and peer networks, http://www.netstumbler.com
AiroPeek - actually lets you peek into the data transmitted across a wireless network, http://www.wildpackets.com/products/airopeek
AirSnort http://airsnort.shmoo.com/
CrackWEP http://wepcrack.sourceforge.net/...
Box
Drivers
Utilities
Proof of concept code
What Will Be Covered
Attack Scenarios
Denial of service
Masked ESSID detection
802.11b layer MITM attack
Inadequate VPN implementations
Mitigation Strategies
Wireless Best Practices
Enable WEP - Wired equivalent privacy
Key rotation when equipment supports it
Disable broadcast of ESSID
Block null ESSID connection
Restrict access by MAC address
Use VPN technology