Presentation is loading. Please wait.

Presentation is loading. Please wait.

Wireless Security.

Published byRosemary Randall Modified over 8 years ago

Similar presentations

Presentation on theme: "Wireless Security."— Presentation transcript:

1 Wireless Security

2 ECE 4112 - Internetwork Security
Agenda Basics of an Attack 802.11b Overview WEP Other security measures Future of Wireless Security Basics & Overview – Blake WEP – Varun Sec. Measures & Future of Wireless – T. Matt Guinn Lab Overview – Matt Condit ECE Internetwork Security

3 ECE 4112 - Internetwork Security
Step 1: War Driving Materials needed: Laptop w/ b card and GPS, Netstumbler, Airsnort, Ethereal, and the car of your choice An attacker would first use Netstumbler to drive around and map out active wireless networks Netstumbler not only has the ability to monitor all active networks in the area, but it also integrates with a GPS to map AP’s ECE Internetwork Security

4 Step 2: Cracking Using Airsnort
At this point, the attacker has chosen his target; most likely a business Netstumbler can tell you whether or not the network is encrypted If encrypted, park the car, start up Airsnort, and leave it be for a few hours Airsnort, given enough time, will passively listen to traffic and figure out the encryption key ECE Internetwork Security

5 Step 3: Listening to the Network
Once the encryption key is compromised, it is a trivial process to connect to the network, and if there wasn’t an encryption key at all, well then …. An attacker would next use Ethereal to listen to the network traffic, analyze, and plan further attacks ECE Internetwork Security

6 That’s it…the network is compromised
Most wireless networks are no more secure than this, many are less secure Hundreds of business’s, schools, airports, and residences use wireless technology as a major point of access to their networks Growth of demand for Wireless LANs (WLAN) is increasing dramatically ECE Internetwork Security

7 ECE 4112 - Internetwork Security
Basic b Overview 802.11b was IEEE approved in 1999 Infrastructure Mode or Ad Hoc Utilizes 2.4GHz band on 15 different channels (only 11 in US) 11mbit shared among all users on access point Cheap!!! ECE Internetwork Security

8 Built in Security Features
Service Set Identifier (SSID) Differentiates one access point from another SSID is sent in ‘beacon frames’ every few seconds. Beacon frames are in plain text! ECE Internetwork Security

9 Do’s and Don'ts for SSID’s
Default SSID’s are well known (Linksys AP’s default to linksys, CISCO defaults to tsunami, etc) so change them immediately. Don’t set your SSID to something that will give away information. Do change the settings on your AP so that it does not broadcast the SSID in the beacon frame. ECE Internetwork Security

10 Associating with the AP
Access points have two ways of initiating communication with a client Shared Key or Open Key authentication Open key allows anyone to start a conversation with the AP Shared Key is supposed to add an extra layer of security by requiring authentication info as soon as one associates ECE Internetwork Security

11 How Shared Key Auth. works
Client begins by sending an association request to the AP AP responds with a challenge text (unencrypted) Client, using the proper WEP key, encrypts text and sends it back to the AP If properly encrypted, AP allows communication with the client ECE Internetwork Security

12 Is Open or Shared Key more secure?
Ironically enough, Open key is the answer in short Using passive sniffing, one can gather 2 of the three variables needed in Shared Key authentication: challenge text and the encrypted challenge text Simply plugging these two values into the RC4 equations will yield the WEP key! ECE Internetwork Security

13 Wired Equivalent Protocol (WEP)
Primary built security for protocol Uses 40bit RC4 encryption Intended to make wireless as secure as a wired network Unfortunately, since ratification of the standard, RC4 has been proven insecure, leaving the protocol wide open for attack ECE Internetwork Security

14 ECE 4112 - Internetwork Security
A closer look at WEP Weakness in RC4 lies within the Initialization Vector (IV) The IV is a random 24bit number (2^24) Packets sent over the network contain the IV followed by the encrypted data RC4 combines the IV and the 40bit key to encrypt the data Two known attacks against this! ECE Internetwork Security

15 Numerical Limitation Attack
IV’s are only 24bit, and thus there are only 16,777,216 possible IV’s A busy network will repeat IV’s often By listening to the encrypted traffic and picking out the duplicate IV’s, it is possible to infer what parts of the WEP key are Enough duplicate IV’s and you can figure out the whole WEP key ECE Internetwork Security

16 ECE 4112 - Internetwork Security
The Weak IV attack Some IV’s do not work well with RC4 Using a formula, one can take a weak IV and infer part of the WEP key Once again, passively monitoring the network for a few hours can be enough time to gather enough weak IV’s to figure out the WEP key ECE Internetwork Security

17 Taking a look back on WEP
WEP is flawed by a technology weakness, and there is no simple solution to fix it Increasing key length will only help against a brute force attack (trying to guess the key). The IV is the weakness in this protocol, so increasing key length is pointless Attacks against WEP are passive and extremely difficult to detect ECE Internetwork Security

18 Security beyond 802.11 specifications
For a secure wireless network, you MUST go above and beyond the b security measures. At this point, there are many measures you can take to secure a wireless network. All have their pro’s and con’s, and of course some work better than others The Goal: a secure network that is easy to deploy and maintain. ECE Internetwork Security

19 ECE 4112 - Internetwork Security
Hiding the SSID As stated earlier, the SSID is by default broadcast every few seconds. Turning it off makes it harder to figure out a wireless connection is there Reading raw packets will reveal the SSID since even when using WEP, the SSID is in plain text Increases deployment difficulty ECE Internetwork Security

20 ECE 4112 - Internetwork Security
MAC address filtering MAC address filtering works by only allowing specific hardware to connect to the AP Management on large networks unfeasible Using a packet sniffer, one can very easily find a valid MAC address and modify their OS to use it, even if the data is encrypted May be good for small networks ECE Internetwork Security

21 Counter measures that could have prevented this!
Only allow users to connect to servers on the wired LAN with secure protocols. If that is not an option, use a firewall to block insecure connections to servers on the wired LAN Use of 802.1X and a secure EAP if possible If convenient, a VPN would greatly increases security of data ECE Internetwork Security

22 Things to keep in mind when securing a WLAN
All WLAN should be considered insecure, and thus should be treated that way Never put a WLAN within the perimeter of your wired LAN’s firewall Use WEP, it will deter most would be trespassers Do not leave default WEP key Implement 802.1X with key rotation every 5 to 10 minutes Combine security mechanisms. ECE Internetwork Security

23 Future of wireless security
802.11i is in progress, and addresses security issues in b 802.11i will in essence be a standardized way for b and 802.1X to be coupled, and introduce new ciphers TKIP cipher should be able to be used on existing hardware with new firmware New ciphers based on AES encryption will require new hardware ECE Internetwork Security

24 ECE 4112 - Internetwork Security
Lab Goals Examine Unencrypted Wireless Traffic Circumventing MAC Address Filtering Cracking WEP using AirSnort ECE Internetwork Security

25 ECE 4112 - Internetwork Security
Network Layout D-Link Wireless AP (2).144 WindowsXP2 FTP Server (2).150 WindowsXP1 FTP Client (2).100 Evil RedHat Linux 8.0 Sniffer (2).50 ECE Internetwork Security

26 Unencrypted Wireless Traffic
ECE Internetwork Security

27 ECE 4112 - Internetwork Security
MAC Address Filtering Use Kismet to find a valid MAC Address Spoof your MAC address With no encryption, full access should be granted ECE Internetwork Security

28 ECE 4112 - Internetwork Security
Cracking WEP Cracking using AirSnort can take a considerable amount of time, so you will be provided with a nearly complete log file ECE Internetwork Security

29 Links to the tools used:
Airsnort Netstumbler Ethereal ECE Internetwork Security

30 Papers and Wireless Security Web Pages
Weaknesses in the Key Scheduling Algorithm of RC4 The Unofficial Security Web Page Wireless Security Blackpaper The IEEE specifications (includes WEP spec) Paper on detecting Netstumbler and similar programs Further reading on upcoming variations Assorted related crypto algorithms written in ANSI C ECE Internetwork Security

31 ECE 4112 - Internetwork Security
Acknowledgements Brian Lee authored most of these slides. ECE Internetwork Security

Download ppt "Wireless Security."

Similar presentations

Ethical Hacking Module XV Hacking Wireless Networks.

Ethical Hacking Module XV Hacking Wireless Networks.
Overview How to crack WEP and WPA

Overview How to crack WEP and WPA
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Hacking WLAN // BRUTE FORCE CRACKER // TCP/IP. WLAN HACK Wired Equivalent Privacy (WEP) encryption was designed to protect against casual snooping, but.

Hacking WLAN // BRUTE FORCE CRACKER // TCP/IP. WLAN HACK Wired Equivalent Privacy (WEP) encryption was designed to protect against casual snooping, but.
1 Wireless Security. 2 Why Wireless is not secure ? Wireless LANs are inherently insecure because they transmit data as electromagnetic waves through.

1 Wireless Security. 2 Why Wireless is not secure ? Wireless LANs are inherently insecure because they transmit data as electromagnetic waves through.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
How secure are 802.11b Wireless Networks? By Ilian Emmons University of San Diego.

How secure are b Wireless Networks? By Ilian Emmons University of San Diego.
FROM RICHARD RODRIGUES JOHN ANIMALU FELIX SHULMAN THE HONORARY MEMBERS OF THE Intercontinental Group 1.

FROM RICHARD RODRIGUES JOHN ANIMALU FELIX SHULMAN THE HONORARY MEMBERS OF THE Intercontinental Group 1.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
Wireless Security. Access Networks Core Networks The Current Internet: Connectivity and Processing Transit Net Private Peering NAP Public Peering PSTN.

Wireless Security. Access Networks Core Networks The Current Internet: Connectivity and Processing Transit Net Private Peering NAP Public Peering PSTN.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

How To Not Make a Secure Protocol WEP Dan Petro.
Wireless Security. Access Networks Core Networks The Current Internet: Connectivity and Processing Transit Net Private Peering NAP Public Peering PSTN.

Wireless Security. Access Networks Core Networks The Current Internet: Connectivity and Processing Transit Net Private Peering NAP Public Peering PSTN.
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
802.11 Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.

Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.
Wireless Security. Access Networks Core Networks The Current Internet: Connectivity and Processing Transit Net Private Peering NAP Public Peering PSTN.

Wireless Security. Access Networks Core Networks The Current Internet: Connectivity and Processing Transit Net Private Peering NAP Public Peering PSTN.

Similar presentations

Ads by Google