Published on January 11, 2008
PISA Workshop: Wireless LAN Security Live Demo
Supporting Organizations
Presented by PISA members:
  Mr. Alan Tam, CISSP, CCSI, ICI
  Mr. Jim Shek, CISSP, CISA
  Mr. Young, Wo Sang, CISSP, CISA
  Mr. Marco Ho
27 July 2002

Table of Content
  1. WLAN War Driving in Hong Kong (Jim Shek)
  2. WLAN Terms and Security Risks (Young, Wo Sang)
  3. Demo I: Home made antenna, so easy! (Jim Shek)
  4. Demo II: WEP Weakness and Cracking (Alan Tam)
  5. Demo III: Protection from Sniffing by VPN Encryption (Marco Ho)
  6. WLAN Protection Strategy (Young, Wo Sang)
  7. Demo IV: Protection from Illegal Access with silent SSID (Marco Ho, Alan Tam)
  8. The Powerful WLAN Tool: Kismet (Alan Tam)

1. Wireless LAN Security Live Demo: War Driving in Hong Kong (Jim Shek)

What is War Driving?
The concept of "war driving" is simple: you need a device capable of receiving an 802.11b signal, a device capable of moving around, and software that logs data from the moment a network is detected by the receiver. You then move these devices from place to place, letting them do their job. Over time, you build up a database comprising the network name, signal strength, location, and IP/namespace in use.

War Driving in Hong Kong: Background
  Date: Jul 07, 2002
  Time: 11:35am to 1:40pm
  Weather: Isolated showers
  Route: Admiralty MTR Station -> Pacific Place -> Tram (Admiralty to Kennedy Town) -> Tram (Kennedy Town to Causeway Bay)
  Equipment:
    Notebook + Avaya Gold Wireless LAN card + Windows XP + NetStumbler
    Notebook + Avaya Gold Wireless LAN card + Antenna + Windows 2000 + NetStumbler
  Notes: The scan speed of NetStumbler was changed to Fastest.
  Participants: PISA

War Driving in Hong Kong: Result Overview
  Total number of discovered access points with antenna: 187
  Total number of discovered access points without antenna: 52 (subset of the above)
  [Chart 1: Antenna Power]

War Driving in Hong Kong: Result, WEP Usage
  WEP enabled: 43
  WEP disabled: 144
  [Chart 2: WEP Usage]

War Driving in Hong Kong: Result, SSID Usage
  Default SSID: 77
  Non-default SSID: 87
  Unknown: 5
  Other*: 18
  [Chart 3: SSID Usage]
  * Other means well-known SSIDs, i.e. PCCW and i-cable.
  Some of the default SSID list is referenced from http://wlana.net/acc_point.htm

War Driving in Hong Kong: Result, Top SSIDs
  [Chart 4: Top SSIDs]

War Driving in Hong Kong: Result, Channel Distribution
  [Chart 5: Channel ID Setting Behavior]

War Driving in Hong Kong: Interesting Observations
  Building-to-Building WLAN: We discovered that the signals of two APs with the same SSID were very strong. These two APs stayed in the list for 3 minutes while the tram was moving.
  When the tram was stopped: When the tram was stopped, the APs were easier to discover. One of the reasons is that the software has a longer time to poll within the effective range. This is particularly true when using the machine without the antenna.
  The accessibility of APs: Some APs were accessible when the tram was stopped. We came across some places with APs ready for us to connect to. Below is the snapshot.

War Driving in Hong Kong: Snapshot
  [Screenshot; labels as they appear in it: 堅城中心, 創業商場, 西區警局, 上環 MTR, 世界書局, 中銀保險, 環球大廈, 警察總站, 大有商場, 英皇中心, 298]

War Driving in Hong Kong: Another Discovery in Taikoo Place, Background
  Date: Jul 05, 2002
  Time: 03:00pm to 3:20pm
  Route: Within Taikoo Place
  Equipment: Notebook + Avaya Gold Wireless LAN card + Antenna + Windows 2000 + NetStumbler
  Notes: The scan speed of NetStumbler was default (i.e. medium)
  Participants: PISA

War Driving in Hong Kong: Another Discovery in Taikoo Place, Overview
  Total number of discovered access points with antenna: 30
  WEP usage: WEP enabled: 7 (23%); WEP disabled: 23 (77%)
  SSID usage: Default SSID: 8; Non-default SSID: 14; Unknown: 2; Other*: 6 (Problem SSID: 47%)
  Channel distribution: Default channel: 80%

2. Wireless LAN Terms and Security Risks (Young Wo Sang)

What is Wireless LAN?
  It is a LAN extension of a wired LAN
  Uses high-frequency radio waves (RF)
  Speed: 2 Mbps to 54 Mbps
  Distance: 100 feet to 15 miles

WLAN Terms & Basic Concept
  802.11: IEEE family of specifications for WLANs; 2.4 GHz, 2 Mbps
  802.11a: 5 GHz, 54 Mbps
  802.11b: often called Wi-Fi; 2.4 GHz, 11 Mbps
  802.11e: QoS & multimedia support for 802.11b & 802.11a
  802.11g: 2.4 GHz, 54 Mbps
  802.11i: an alternative to WEP
  802.1x: a method of authentication and security for all Ethernet-like protocols

WLAN Terms & Basic Concept
  Access Point (AP): a device that serves as a communications "hub" for wireless clients and provides a connection to a wired LAN
  Beacon: message transmitted at regular intervals by the APs; used to maintain and optimize communications and to automatically connect to the AP
  Ad Hoc Mode: wireless client-to-client communication; the opposite is Infrastructure Mode
  Infrastructure Mode: a client setting providing connectivity to APs, as opposed to Ad Hoc Mode
  SSID or BSSID: Basic Service Set Identifier. BSS: an AP that forms an association with one or more wireless clients is referred to as a Basic Service Set
  ESSID: Extended Service Set Identifier. ESS: in order to increase the range and coverage of the wireless network, one adds more strategically placed APs to the environment to increase density; this is referred to as an Extended Service Set
  WEP: optional cryptographic confidentiality algorithm
  Channel: [figure]
  DSSS Channel: [figure]
  Channel: [figure]
  DSSS: Direct Sequence Spread Spectrum; an RF carrier and a pseudo-random pulse train are mixed to make a noise-like wide-band signal
  FHSS: Frequency Hopping Spread Spectrum; transmitting on one frequency for a certain time, then randomly jumping to another and transmitting again

Reading the Strength
  dBm: decibels referenced to 1 milliwatt into a 50 Ω impedance (usually)
  dBm = 10 * log10(P in mW), e.g. 0 dBm = 1 mW
  Attenuation/gain revision: dB = 10 * log10(output / input)
    If output > input, dB is positive
    If output < input, dB is negative

WLAN Terms & Basic Concept: Signal Level & Noise Level
  [figure: signal level (SL) and noise level (NL) readings]

WLAN Risk: Unauthorized Clients
  [figure: client in range; malicious client out of range (!!); detector]

WLAN Risk
  Unauthorized or renegade access points
  Interception and unauthorized monitoring of wireless traffic
  Client-to-client attacks
  Jamming (DoS)

WLAN Risk: Fake Access Point
  Access Point Clone (Evil Twin)
  Traffic interception

WLAN Risk
  Brute force attacks against access point passwords
  WEP weakness
  "Mis-configurations": SSIDs; SNMP community (RO & RW); administration (Web, Telnet, Serial); installation

WLAN Risk: Deployment
  In the internal network?! In the DMZ?!
  Who is allowed to install an AP?
  Many $$ to secure the wired network; a user spends HK$2,000 to break it
  When were the APs installed? Where are the APs installed?

WLAN Risk
  Low-cost products are prevalent: limited features, insecure
  Accidental detection and connection
  The wireless card itself

3. Demo I: Home made antenna, so easy (Jim Shek)

Home made antenna, so easy
  Use available material to hand-make an antenna with a gain from 3 dB to 11 dB (real object shown)
  Compared to a commercial antenna with 6 dB gain, costing HKD 600+
  Dimension is the key to success. Measurements are available via web search.
  With an antenna, the result of war driving can be much improved, and so is the risk of exposure of your WLAN network to hacking!

4. Demo II: WEP Weakness and Cracking (Alan Tam)

WEP Weakness
  Background
  Weakness in KSA/RC4
  Proof of concept
  Some counter actions

The magic RFMON mode
  Property: like promiscuous mode on a wired network; listen (receive) only; also known as "Monitor Mode"
  Chipsets capable of RFMON (i.e. the specification is open): Cisco Aironet; Intersil Prism2 based; Orinoco (well, not official)

What do Linux hackers use?
  NIC drivers: wlan-ng 0.1.13+ with patch, or 0.1.14pre?+; orinoco_cs 0.09b+ with patch
  Libpcap library with PF_PACKET interface patched to interpret 802.11b packets, for example 0.7.1 with patch
  Prism driver & Orinoco patch: ftp://ftp.linux-wlan.org/pub/linux-wlan-ng/ and http://airsnort.shmoo.com/orinocoinfo.html

WEP
  Stands for Wired Equivalent Privacy
  Symmetric encryption algorithm: RC4
  Commercially claimed key size: 40 or 128 bit (as of April 2002)
  At the back: 40-bit secret key + 24-bit IV = 64-bit packet key; 104-bit secret key + 24-bit IV = 128-bit packet key
  IV = Initialization Vector

Weaknesses in KSA of RC4
  Presented in a paper by Scott Fluhrer, Itsik Mantin and Adi Shamir
  Invariance weakness: existence of a large class of weak keys
  IV weakness: related-key vulnerability

WEP Attack
  Invariance weakness: WEP packet distinguisher
  IV weakness: exists in a commonly used mode of RC4
  Properties: cryptanalytic attack, generally faster than a brute-force attack; passive ciphertext-only attack, zero knowledge needed

Proof of Concept
  Adam Stubblefield, AT&T Labs: http://www.cs.rice.edu/~astubble/wep
  WEPCrack: http://sourceforge.net/projects/wepcrack
  Airsnort: http://airsnort.shmoo.com/

Case Study: Airsnort
  Maintained by The Shmoo Group
  An X-windows application
  Supported platforms: Cisco Aironet, Prism, Orinoco
  Requires approx. 5-10 million encrypted packets to break a key

TKIP
  Temporal Key Integrity Protocol
  Initially referred to as WEP2
  128-bit TK + 40-bit client MAC; 16-octet IV
  RC4 (still)
  TK changed every 10,000 packets

Reference: Technical Knowledge
  http://www.qsl.net/n9zia/wireless/index.html
  http://www.80211-planet.com/tutorials
  Access point MAC addresses: http://aptools.sourceforge.net/

Reference: Linux Resources
  http://www.hpl.hp.com/personal/Jean_Tourrilhes/index.html
  http://lists.samba.org/listinfo/wireless
  http://airtraf.sourceforge.net/

5. Demo III: Securing Wireless Networks by VPN (Marco Ho)

Secure Protocols for Encryption
  [figure: protocol stacks]
  Wireless client: Application, Transport (TCP, UDP), Network (IP), 802.11b Link, 802.11b Physical; WEP at the 802.11b link layer, SSL (VPN) above it
  Router: Network (IP) over 802.11b Link / 802.11b Physical (WEP) on the wireless side; Network (IP) over Ethernet Link / Ethernet Physical on the wired side
  Wired host: Application, Transport (TCP, UDP), Network (IP), Ethernet Link, Ethernet Physical; SSL (VPN) above the link layer

Network Level Encryption (VPN)
  Advantages: encryption of multiple protocols; hides the network routing (with proper configuration)
  Choices:
    PPTP: comes with W2K RRAS; simpler and easier to configure
    IPSec: more secure; Microsoft: IPSec over L2TP using 3DES; use certificates (instead of pre-shared keys) to further improve security: mutual authentication

Real Life Demo with PPTP
  VPN Server: Microsoft VPN Server (RRAS + PPTP)
  Encryption: MPPE 128 (Microsoft Point-to-Point Encryption)
  Authentication: MS-CHAP v2
  Remark: WEP turned off for demonstration purposes

Sniffing Tools
  Two sniffing tools were used to capture traffic packet contents:
  Ethereal: freeware, available on Linux and Win32 platforms
  Iris: commercial product, 15-day evaluation available; strong decode function to ease protocol session tracking

Without VPN Encryption
  [diagram] A: FTP client, IP 10.0.0.20; B: FTP server, IP 10.0.0.25; Sniffer, IP 10.0.0.15
  "A" FTP to "B": the sniffer sees clear text at every point.

With VPN Encryption
  [diagram] A: VPN client / FTP client, IP 10.0.0.20; C: VPN gateway (wireless side IP 10.0.0.10, Ethernet side IP 192.168.1.230), VPN server (PPTP); D: FTP peer on the Ethernet side; Sniffer, IP 10.0.0.15, on the wireless side
  "A" FTP to "D" with VPN: the sniffer on the wireless side sees only encrypted data ("xasdfasdfwasf"); clear text appears only on the Ethernet side beyond the VPN gateway.

6. Wireless LAN Protection Strategies (Young, Wo Sang)

Recommendation (I): Wireless LAN related configuration
  Enable WEP, use a 128-bit key*
  Drop non-encrypted packets
  Disable SSID broadcasts
  No SNMP access
  Choose a complex admin password
  Enable the firewall function
  Use MAC (hardware) addresses to restrict access
  Non-default access point password
  Change the default access point name
  Use 802.1x [warning]
  EAP Enable Authentication: [figure]

Recommendation (II): Deployment consideration
  Closed network*
  Treat the wireless LAN as an external network
  VPN & use strong encryption
  No DHCP (use fixed private IPs)
  Install in a separated network

Recommendation (III)
  Always (wired or wireless): install virus protection software plus automatic, frequent pattern file updates; shared folders must impose a password
  Management issues: prohibit installing an AP without authorization; discover any new APs constantly (NetStumbler is free, an antenna is cheap); power off the ADSL modem when Internet access is not required; carefully select the physical location of your AP, not near windows or front doors.

The [warning] of 802.1x
  Session hijacking: the attacker waits for a client to authenticate successfully, then acts as the AP and tells the client "you are disconnected"; the AP thinks that the client still exists.
  Man-in-the-middle attack: 802.1x is a one-way authentication mechanism; the attacker acts as an AP to the client and as a user to the AP.
  Reference: http://www.infoworld.com/articles/hn/xml/02/02/14/020214hnwifispec.xml

The workaround to the [warning] of 802.1x
  Vendor proprietary implementation: "rekeying" of WEP
  "Standard": TKIP, or Temporal Key Integrity Protocol, changes the encryption key about every 10,000 packets

7. Demo IV: Silent WLAN Access Point (Marco Ho & Alan Tam)

Disabling SSID insertion
  Method 1: Vendor utility; it may use HTTP or SNMP to set the SSID
  Method 2: Use AP Utility running under Linux, http://ap-utils.polesye.net/ ; manages the AP by SNMP; supported platforms: ATMEL chipset (e.g. Linksys WAP11, D-Link DWL-900AP, PCi AP-11S), NWN chipset (e.g. Compex WavePort WP11)

8. The Powerful WLAN Tool: Kismet (Alan Tam)
  http://www.kismetwireless.net/
  Network sniffer
  Client-server architecture
  Logging of cryptographically weak packets
  Used by German federal authorities (26 July 2002)
  Platforms: Intel iPaq/ARM, Zaurus/ARM

Contributors
The workshop was jointly presented by PISA members: Alan Tam [email protected]; Jim Shek [email protected]; Marco Ho [email protected]; Young, Wo Sang [email protected]
On 27 July 2002, the eve of the PISA 1st anniversary of establishment.
Remark: another valuable presentation on the theoretical part is the PISA seminar "Critical Security Issues on Wireless LAN" by Ray Hunt, 13 June 2002, http://www.pisa.org.hk/event/wlan_sec.pdf

Copyright
Professional Information Security Association (PISA) owns the copyright of this presentation. Any party can quote the whole or part of this presentation in an undistorted manner and with a clear reference to PISA.

Disclaimer
This is the handout of a presentation workshop. The points made here are kept concise for the purpose of presentation. If you require details of the tests and implementation, please refer to the technical references.
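The WEP slides of Demo II and the TKIP workaround slide both turn on the 24-bit IV. As an added illustration (not code from the workshop), the following Python builds the WEP packet key the way the deck describes it (IV || 40- or 104-bit secret, fed to RC4) and shows why IV reuse matters: two frames that share an IV share a keystream, which is what rekeying every 10,000 packets is meant to prevent. The IV, secret and plaintexts are constructed values; the ICV is omitted.

```python
# Added illustration, not code from the PISA deck: how WEP derives its per-packet
# RC4 key (24-bit IV || secret key) and why a 2^24 IV space forces keystream reuse,
# the problem TKIP's rekeying every 10,000 packets was introduced to avoid.
from typing import Optional

IV_SPACE = 2 ** 24  # 16,777,216 distinct 24-bit IVs per secret key

def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by PRGA keystream output."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA, the step analysed by FMS
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_packet_key(iv: bytes, secret: bytes) -> bytes:
    """WEP packet key = IV || secret: 3 + 5 bytes ("64-bit") or 3 + 13 bytes ("128-bit")."""
    if len(iv) != 3 or len(secret) not in (5, 13):
        raise ValueError("IV must be 24 bits and secret 40 or 104 bits")
    return iv + secret

def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV sent in clear || RC4(IV||secret) XOR plaintext (ICV left out)."""
    keystream = rc4(wep_packet_key(iv, secret), len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))

def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """Two frames with the same IV share a keystream, so XORing the ciphertexts
    cancels it and leaves plaintext1 XOR plaintext2; returns None if the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    return bytes(a ^ b for a, b in zip(frame1[3:], frame2[3:]))

def seconds_until_iv_reuse(frames_per_second: float) -> float:
    """Upper bound on how long a busy AP can run before it must repeat an IV."""
    return IV_SPACE / frames_per_second
```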
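For the war-driving result slides and the configuration items of Recommendation (I), as an added example that is not part of the workshop material: a small Python audit that reproduces the deck's summary counts from scan records and flags each AP against the items a scanner can observe from outside. The scan records, MAC addresses and default-SSID list are constructed assumptions, not the wlana.net list the deck used.

```python
# Added example (not part of the PISA workshop material): the counts behind the deck's
# result slides (WEP usage, SSID usage, channels) computed from constructed scan records,
# plus a per-AP check against the externally visible items of Recommendation (I).
from collections import Counter
from typing import Dict, List, NamedTuple

class ScanRecord(NamedTuple):
    bssid: str      # AP MAC address (placeholder values in SAMPLE)
    ssid: str       # "" when the scanner showed no SSID
    channel: int
    wep: bool       # WEP enabled, as reported by the scanner

# Assumed sample of factory-default SSIDs; the deck's own list came from wlana.net.
DEFAULT_SSIDS = {"default", "linksys", "tsunami", "wireless", "wlan", "101"}
PROVIDER_SSIDS = {"pccw", "i-cable"}   # well-known SSIDs the deck counted as "Other"

def classify_ssid(ssid: str) -> str:
    """Map an SSID to the four categories of Chart 3."""
    if not ssid:
        return "unknown"
    if ssid.lower() in DEFAULT_SSIDS:
        return "default"
    return "other" if ssid.lower() in PROVIDER_SSIDS else "non-default"

def summarise(records: List[ScanRecord]) -> Dict[str, Counter]:
    """Counts behind Chart 2 (WEP usage), Chart 3 (SSID usage) and Chart 5 (channels)."""
    return {
        "wep": Counter("enabled" if r.wep else "disabled" for r in records),
        "ssid": Counter(classify_ssid(r.ssid) for r in records),
        "channel": Counter(r.channel for r in records),
    }

def findings(record: ScanRecord) -> List[str]:
    """Recommendation (I) items a scanner can verify from outside the network."""
    issues = []
    if not record.wep:
        issues.append("WEP disabled: enable WEP (128-bit key) and drop non-encrypted packets")
    if classify_ssid(record.ssid) == "default":
        issues.append("default SSID: change the access point name")
    if record.ssid:
        issues.append("SSID visible: consider disabling SSID broadcast (closed network)")
    return issues

# Constructed sample in the spirit of a short NetStumbler export.
SAMPLE = [
    ScanRecord("00:00:00:00:00:01", "linksys", 6, False),
    ScanRecord("00:00:00:00:00:02", "PCCW", 11, True),
    ScanRecord("00:00:00:00:00:03", "", 6, False),
    ScanRecord("00:00:00:00:00:04", "office-hq", 1, True),
]
```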