Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hacking Exposed 7 Network Security Secrets & Solutions

Published byTina Wolaver Modified over 9 years ago

Similar presentations

Presentation on theme: "Hacking Exposed 7 Network Security Secrets & Solutions"— Presentation transcript:

1 Hacking Exposed 7 Network Security Secrets & Solutions
Chapter 8 Wireless Hacking

2 Case Study on Wireless Hacking Read It and WEP (not Weep)
A store with the point-of-sale system connected through Wi-Fi /w WEP (Wired Equivalent Privacy) encryption A hacker at the parking lot turns laptop with Wi-Fi card and directional antenna to promiscuous mode aircrack-ng airodump-ng to sniff frames including WEP initialization vectors (IVs) Look for SSID (service set identifier) of interest and its MAC address aireplay-ng to spoof as a client to capture ARP and replay it to collect enough IVs aircrack-ng to crack WEP key from the capture file Disable the promiscuous mode Enter WEP key and get an IP address from the DHCP server

3 Background on IEEE 802.11 Wireless LAN
Frequencies and channels ISM (industrial, scientific, medical) unlicensed bands 2.4 GHz: b/g/n, channels 1-14, non-overlapping channels: 1, 6, 11 5 GHz: a/n, channels , all non-overlapping Session establishment Clients scan channels, to send a broadcast probe request and wait for probe responses from APs with SSID (Service Set Identifier) APs also broadcast beacons periodically Windows Vista and later: clients wait for beacons Clients send an authentication request to a selected AP Clients send an association request to the AP

4 Security Mechanisms Basic Authentication: identity and encryption key
MAC filtering: source MAC address pre-configured at APs Hidden wireless networks: omitted SSID in beacons Responding to broadcast probe requests: all pre-configured clients and APs, APs ignore any broadcast probe requests Authentication: identity and encryption key WPA-PSK (Wi-Fi Protected Access, Pre-Shared Key) A 8~63-ASCII-character PSK known by APs and clients to derive encryption keys WPA Enterprise Leverage 802.1x EAP (extensible authentication protocol) from clients to APs and extended to wired RADIUS server Four-way handshake between clients and APs Pairwise transit key (PTK) for unicast, group temporal key (GTK) for multicast/broadcast Encryption: at layer 2 Wired Equivalent Privacy (WEP) RC4, no real authentication to generate the key (known in advance) Temporal Key Integrity Protocol (TKIP) RC4, a quick replacement to WEP Advanced Encryption Standard (AES)

5 Equipments for Hacking
Wireless adapters Chipset Open hardware for re-written drivers allowing low-level control: Atheros, Ralink RT73/RT2770F (merged to Mediatek), ref.: aircrack-ng.org Band support Both 2.4 GHz and 5 GHz Antenna support External antenna for long-range attacks Interface PCMCIA being phased out, Express Card on laptop, USB with Virtual Machine, ref.: Ubiquiti SRC with Atheros on PCMCIA, Alfa with Ralink on USB Operating systems: Windows  Linux BackTrack Linux distribution: preinstalled with all tools and drivers for all popular wireless adapters; run on VM, launch from a LiveCD on USB Miscellaneous goodies Antennas Omnidirectional antenna with a wide focus and small gain, ref.: HyperLinkTech, FAB-corp, Pasadena Networks GPS To plot AP locations on a map, ref.: Garmin, Magellan APs To run OpenWRT or DD-WRT on some off-the-shelf APs

6 Discovery and Monitoring (1/2)
Finding wireless networks Active discovery NetStumbler: broadcast probe requests to get responses from APs Many APs configured to ignore probe requests Passive discovery When APs are configured to not announce SSID or not to respond to probe requests Listen to beacons to list BSSID (Basic SSID, i.e., MAC address of the AP) and mark SSID as unknown Listen to other clients talking to that BSSID to find the SSID Discovery tools War-driving to find APs War-flying with GPS to survey an area User-uploaded WiGLE.net: map of APs Kismet: support GPS-tracking, distributed deployment, GUI airodump-ng: part of aircrack-ng, simpler than Kismet Saved to PCAP files

7 Discovery and Monitoring (2/2)
Sniffing wireless traffic Violation of law in some US states if neither party does not know Many unencrypted wireless networks when difficult to do authentication: hot spots, airports, etc. wireshark on Windows with AirPcap USB adapters Thwarting wireless sniffing WPA-PSK, WPA Enterprise Upper layer encryption: VPN

8 Denial of Service Attacks
built-in mechanism: forced disconnect Incorrect encryption key, overloading, etc. Abused for DoS attacks De-authentication (deauth) attack Spoof de-authentication frames to disconnect From client to AP or from AP to client Client drivers try to reconnect quickly Send more than one deauth frame airplay-ng: part of aircrack-ng Deauth attack: 64 deauth to AP from client, 64 deauth to client from AP Find SSID by observing client’s probe requests as it reconnects

9 Encryption Attacks WPA vs. WEP WEP
/w authentication vs. /wo authentication /w key rotation vs. /wo key rotation Crack again and again vs. crack once for all WEP Keystream Generated by WEP key and IV (Initiation Vector, pseudo-randomly generated for each frame and put into frame header) TX: XOR plain text to get cipher text RX: Use WEP key and IV from frame header to generate a keystream, XOR cipher text to get plain text Duplicate IVs in two frames  compare their cipher texts  guess the keystream  guess WEP key ARP frames with little or no difference  more duplicate IVs  easier to guess the keystream and WEP key

10 Encryption Attacks Passive Attack
Capture enough data frames, parse IVs, deduce WEP key 60,000 IVs to crack a 104-bit key airodump-ng: capture to a PCAP file aircrack-ng: analyze statistically on a PCAP file to get WEP key Watch the rate at which IVs are collected to tell how much longer it will take to gather enough to crack the key Stops with KEY FOUND

11 Encryption Attacks ARP Replay with Fake Authentication
Replay broadcast ARP requests From a client to an AP AP broadcasts with a new IV each time The client replays ARP and generates new ARP In 5 minutes, enough frames and IVs collected Spoof a valid client’s MAC address Fake authentication attack Open authentication without sending actual data Steps airodump-ng: capture to a PCAP file aireplay-ng: run fake authentication attack Open another window to launch ARP replay attack with aireplay-ng again aircrack-ng: crack on the captured PCAP file WEP countermeasures: Don’t use WEP ever.

12 Authentication Attacks WPA PSK
About password brute forcing WPA PSK PSK shared among all users of a wireless network Four-way handshake between clients and APs: Using PSK and SSID to derive encryption keys PSK, 8~63 characters, hashed 4096 times with SSID Trillions of guesses Capture four-way handshake to crack PSK offline Wait or deauth to kick a client off (its driver will reconnect) Brute forcing aircrack-ng with dictionary and PCAP coWPAtty: use SSID-specific rainbow tables (40GB) Use top 1000 SSIDs from WiGLE.net Pyrit: offload hashing to GPU with multiple cores WPA-PSK mitigating controls Complex PSK and unique SSID But could be disclosed by a single user

13 Authentication Attacks WPA Enterprise
Identifying 802.1x EAP (extensible authentication protocol) types Capture EAP handshake Wireshark shows EAP type Unencrypted username in RADIUS server in EAP handshake LEAP (lightweight EAP) Cisco solution /w clear text MSCHAPv2 challenge/response asleep: offline brute-force attack with LEAP handshake and wordlist Avoid using LEAP just like WEP EAP-TTLS and PEAP A TLS (Transport Layer Security, successor of SSL) tunnel between an unauthenticated client and RADIUS server AP relays and has no visibility Less secure inner authentication protocol often in clear text AP impersonation and man-in-the-middle attack Act as a terminating end of the TLS tunnel, if the client is misconfigured not to check the identity of RADIUS server  access inner auth protocol hostapd: Turn your card into an AP asleep: offline brute-force on inner authentication protocol Countermeasure: Check the box to validate server certificate on all clients

14 Summary WEP WPA-PSK WPA Enterprise
Passive attack & ARP replay with fake authentication Cracked in 5 min Don’t use it! WPA-PSK Could be brute-forced, though high complexity One PSK fits all  put other users at risk WPA Enterprise LEAP Could be brute-forced, needs extremely complex passwords EAP-TTLS and PEAP Relatively secure with multilayered encryption Subject to AP impersonation and man-in-the-middle attack Always have clients check server certificate

15 Homework #4 Ch6 & Ch8 (Total: 200) Due: 6/9 (Mon) in the final exam in printed hardcopy (format: problem, solution with explanation, screen dumps) (40 points) Use all of WHOIS, Robtex, and PhishTank to trace back on a phishing found in your mailbox. If you don’t find one, create one account and post the address onto Web to solicit some. Show and discuss your findings. (40 points) On Windows with some running processes connecting to the Internet, use FTK Imager to dump memory and then Volatility Framework to analyze the memory dump. Show processes with connections, and check whether they have DLLs. (30 points) Retrieve Poison Ivy RAT from the Internet. Use a program tracing tool you are familiar with to trace this RAT. Show how you trace the RAT with your tracing tool and summarize what modules this RAT contains. (30 points) Setup your own client and an AP, or find an existing AP, running no encryption. Use wireshark or airodump-ng to sniff and decode data frames. Show and discuss your findings. (60 points) Setup your own client and an AP to run WEP. Use the aircrack-ng suite to crack the WEP key by running through the steps of frame capturing, fake authentication attack, ARP replay attack, and key cracking. Show and discuss the steps you run through.

Download ppt "Hacking Exposed 7 Network Security Secrets & Solutions"

Similar presentations

Overview How to crack WEP and WPA

Overview How to crack WEP and WPA
Wireless Cracking By: Christopher Zacky.

Wireless Cracking By: Christopher Zacky.
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Crack WPA Lab Last Update 2014.06.11 1.0.0 1Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com.

Crack WPA Lab Last Update Copyright 2014 Kenneth M. Chipps Ph.D.
WiFi VS Cellular “Bringing Secure Payment to the Point Of Service”

WiFi VS Cellular “Bringing Secure Payment to the Point Of Service”
Hacking WLAN // BRUTE FORCE CRACKER // TCP/IP. WLAN HACK Wired Equivalent Privacy (WEP) encryption was designed to protect against casual snooping, but.

Hacking WLAN // BRUTE FORCE CRACKER // TCP/IP. WLAN HACK Wired Equivalent Privacy (WEP) encryption was designed to protect against casual snooping, but.
Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.

Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.
CSC – Tieteen tietotekniikan keskus Oy CSC – IT Center for Science Ltd. WLAN Information Security Workshop on Wireless Belgrade - 12.09.2011 Wenche Backman-Kamila.

CSC – Tieteen tietotekniikan keskus Oy CSC – IT Center for Science Ltd. WLAN Information Security Workshop on Wireless Belgrade Wenche Backman-Kamila.
Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy

Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Security in IEEE 802.11 wireless networks Piotr Polak University Politehnica of Bucharest, December 2008.

Security in IEEE wireless networks Piotr Polak University Politehnica of Bucharest, December 2008.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.

MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.

WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.
Wireless Insecurity.

Wireless Insecurity.
 Any unauthorized device that provides wireless access  Implemented using software, hardware, or a combination of both  It can be intentional or unintentionally.

 Any unauthorized device that provides wireless access  Implemented using software, hardware, or a combination of both  It can be intentional or unintentionally.
Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Similar presentations

Ads by Google