Post on 25-Feb-2016
description
WIRELESS AWARENESSPREPARED FOR: CAMIS GROUP07/2012
BIOGRAPHYClint Lentner, MCSE, MCITP: EA
• Netgain Datacenter Deployment Specialist• Designing technical solutions around a wide variety of
applications--from complex enterprise to simple and specialty--in order to provide a seamless end-user experience.
Actively engaged in developing the local IT community through free education opportunities to build networking and enhance technical abilities.
• Specialties• Active Directory, Windows Server, Security and Task
Automation
NETGAIN• National eHealth solutions provider• Provide complete IT infrastructure solutions in hosted or on-
site environments.• Design solutions to deliver standards compliant security, five
nine’s availability and the flexibility to meet the changing needs of healthcare organizations.
• Simplify the healthcare IT environment while improving efficiencies and increasing security.
INTRODUCTION
WIRELESS AWARENESS: INTRODUCTIONWireless Communication:
• Defined as “the transfer of information between two or more points that are not physically connected.”
802.11:• Set of standards created and maintained by the IEEE
LAN/MAN Standards Committee (IEEE 802) for implementing Wireless Local Area Network (WLAN) computer communication in the 2.4, 3.6 and 5 GHz frequency bands.
• These standards provide the basis for wireless network products using the Wi-Fi brand name.
WIRELESS AWARENESS: INTRODUCTIONWi-Fi Alliance:
• Founded by six companies: 3Com, Aironet, Intersil, Lucent Technologies, Nokia and Symbol Technologies in 1999 to promote wireless LAN standard of 802.11
• Wi-Fi vs. IEEE 802.11, 802.11, or WLAN
• Commonly mistaken for “Wireless Fidelity”, Wi-Fi is a nonsensical word.
WIRELESS AWARENESS: 802.11 MODES OF OPERATION
Ad-Hoc Mode• Defined by 802.11 as Independent Basic Service Set (IBSS)• Clients communicate directly with other IBSS clients within
transmission range, creating a peer-to-peer network.
WIRELESS AWARENESS: 802.11 MODES OF OPERATIONInfrastructure Mode
• Defined by 802.11 as Basic Service Set (BSS)• Clients communicate with a central station, or access point
(AP), which acts as an Ethernet bridge onto another network.
WIRELESS AWARENESS: DEMO
http://www.nirsoft.net/utils/wireless_network_view.html
WIRELESS AWARENESS: INTRODUCTION
WIRELESS AWARENESS: INTRODUCTION
WIRELESS AWARENESS: INTRODUCTION
IMPLIED TRUST
WIRELESS AWARENESS: IMPLIED TRUST
WIRELESS AWARENESS: IMPLIED TRUSTWireless users are very trusting
• Users need access to the Internet• Users tend to assume wireless is safe.• Wi-Fi is magic! Turn on the device, select your Wi-Fi network,
maybe enter a password, and you’re done!• Users are unknowingly trusting…
• The Access Point is safe• The Access Point is who it says it is• Other users on that Access Point are safe• The Network beyond the Access Point is safe• Wi-Fi enabled devices are safe
WIRELESS AWARENESS: IMPLIED TRUST
All roads to the Internet are safe.. Right?
VULNERABILITIESUNDERSTANDING WI-FI
WIRELESS AWARENESS: UNDERSTANDING WI-FI• Eavesdropping/Traffic Analysis• Data Mining• Masquerading Clients/Access Points• Promiscuous Access Points• Man-in-the-Middle• Compromising Security• Message Injection, Deletion, and Interception• Session Hijacking• Denial-of-Service
WIRELESS AWARENESS: UNDERSTANDING WI-FI
Authentication and Association• Network Discovery• Authentication• Association
NETWORK DISCOVERY
WIRELESS AWARENESS: NETWORK DISCOVERYBeacons
• Broadcast by Access Points, advertising various properties:
• Encryption type• Service Set IDentifier (SSID)• Transmission Rate, etc…
• Clients continually scan\listen for beacons to determine which access points are available.
Probes• Broadcast by clients, searching for Access Points
and their properties. Similar to information contained in beacons.
• Broadcast by clients, searching for a specific Access Point SSID
WIRELESS AWARENESS: DEMO
http://www.wireshark.org
802.11 NETWORK DISCOVERY: METHOD 1
AP: Broadcasts Beacons
• SSID: Linksys• BSSID: 08-86-3b-
1c-be-ef• Encryption: WPA2• Authentication:
PSK• Transfer Rate: 54
Mbps
Client: Listens for beacon and generates list of available APs
802.11 NETWORK DISCOVERY: METHOD 2
Client: Broadcasts Probe for any available AP
AP: Sends probe response
• SSID: Linksys• BSSID: 08-86-3b-1c-be-
ef• Encryption: WPA2• Authentication: PSK• Transfer Rate: 54 Mbps
802.11 NETWORK DISCOVERY: METHOD 3
Client: Broadcasts Probe for SSID “LinkSys”
AP: Sends probe response if SSID = “Linksys”
• SSID: Linksys• BSSID: 08-86-3b-1c-be-ef• Encryption: WPA2• Authentication: PSK• Transfer Rate: 54 Mbps
DATA MINING
WIRELESS AWARENESS: DATA MININGWi-Fi Client
• Basic Service Set Identification (BSSID)• Make/Model
• SSID• Encryption/Authentication
Wi-Fi Access Point• Basic Service Set Identification (BSSID)
• Make/Model• SSID• Encryption/Authentication
WIRELESS AWARENESS: DEMO
http://aircrack-ng.org
WIRELESS AWARENESS: DATA MININGWindows wireless probe issues
• Prior to XP SP3, connecting to an AP with a hidden SSID via Wireless Zero Configuration (WZC) had to be set to “automatically reconnect”, as there was no way to manually connect.
Affected Versions• Windows XP, pre Service Pack 3• Windows Server® 2003, pre Service Pack 2
Technet Article• http://technet.microsoft.com/en-us/library/bb726942.aspx
Other Wi-Fi enabled devices• This isn’t just a Microsoft problem
WIRELESS AWARENESS: DATA MINING
Pre-SP3 SP3/Vista/Win7
WIRELESS AWARENESS: DATA MININGHow can this data be used?Access Point
• BSSID/SSID• Geolocation Mapping with GPS (WarDriving)
• WIGLE.net• Wi-Fi Triangulation
• Skyhook, Placelabs, Navizon• Encryption/Authentication Type
• Identify easy targets for free Wi-Fi, or malicious intent• Open, WEP, or WPA/WPA2 with a common SSID
• BSSID/Transfer Rate, Etc…• Statistical Usage Analysis
WIRELESS AWARENESS: DEMO
http://wigle.net
WIRELESS AWARENESS: DATA MININGHow can this data be used?Client
• SSID• Establish profile of locations via Geolocation Mapping
• BSSID• Wi-Fi probe tracking
WIRELESS AWARENESS: DATA MININGWhy Do I Care?
• Cellular carriers/smartphone vendors already track users 24/7
• Cell tower triangulation• GPS
• Users grant apps access to location services• Users enable GPS and keep it enabled without
understanding consequences• Stalking produces similar results• Analyzing/Tracking Wi-Fi beacons requires zero user
interaction and is completely available to anyone who wishes to “listen”
WIRELESS AWARENESS: DATA MININGSecurity in Layers
• Do you…• Have a front door? Close your front door? • Lock your front door? Reinforce your front door?
• Do you…• Have windows? Close your windows?• Lock your windows? Reinforce your windows?
• Do you…• Have locks? Use your locks? • Have reinforced locks? Keep your keys secured?
WIRELESS AWARENESS: UNDERSTANDING WI-FI• Eavesdropping/Traffic Analysis• Data Mining• Masquerading Clients/Access Points• Promiscuous Access Points• Man-in-the-Middle• Compromising Security• Message Injection, Deletion, and Interception• Session Hijacking• Denial-of-Service
MiTM(Man in The Middle)
WIRELESS AWARENESS: MAN IN THE MIDDLEMan-in-the-middle Attack
• “A form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.”
WIRELESS AWARENESS: MAN IN THE MIDDLE
WIRELESS AWARENESS: MAN IN THE MIDDLEMitM Attacks:
• Collecting clear-text communications• Email• Chat• …Anything not encrypted
• Collecting Usernames/Passwords• Session-Jacking• Manipulating the Internet experience
• Redirection to fake/malicious websites• Manipulated webpage results• Manipulated certificate/SSL requests
• Anything else you can think of—you are the router.
802.11 NETWORK DISCOVERY: METHOD 3
Client: Broadcasts Probe for SSID “LinkSys”
AP: Sends probe response if SSID = “Linksys”
• SSID: Linksys• BSSID: 08-86-3b-1c-be-ef• Encryption: WPA2• Authentication: PSK• Transfer Rate: 54 Mbps
WIRELESS AWARENESS: DEMO
http://aircrack-ng.org
WIRELESS AWARENESS: MAN IN THE MIDDLEAnyone can do it…
• Hak5, a popular hacking community, assisted in developing and selling a small, battery-powered wireless router which acts as a inconspicuous, promiscuous access point.
• Built-in penetration tools makes this device a serious threat to any Wi-Fi environment
• Extremely popular, very easy to use.• Only $99.95!...or make your own for around half.
WIRELESS AWARENESS: MAN IN THE MIDDLE
WIRELESS AWARENESS: MAN IN THE MIDDLE
https://www.youtube.com/watch?v=yr5upPHqhlA
MITIGATION
WIRELESS AWARENESS: MITIGATIONUser Awareness
• Consequences of connecting to public Wi-Fi• Consequences of configuring “auto-connect”• Discourage use of sensitive information sites via Wi-Fi if possible• Disable Wi-Fi when not in use
Wi-Fi Configuration• Manually connect to APs with hidden SSIDs• Require same authentication/encryption type for reconnecting to APs
(software specific)• Prevent users from accessing open APs (Solutions?? Anyone??)• Whitelist acceptable APs (via Windows GPO)• Obfuscate SSID names• Utilize cellular wireless communication if possible• Utilize VPNs to secure Wi-Fi sessions.
WIRELESS AWARENESS: MITIGATIONAdministrator Awareness
• Understanding why Wi-Fi vulnerabilities pose a REAL risk:• Malicious tools are relatively easy to acquire and setup• Targets are very easy to acquire• Attackers are difficult to track• Attacks are difficult to detect, especially when targeting
non-technical users• Wi-Fi enabled devices can be anything• Because Wi-Fi is popular!
• Educating\Reeducating Users• Eliminate Wi-Fi apathy! Don’t implicitly trust Wi-Fi!
Vulnerabilities are a real threat!
THANK YOU!
http://centralmnit.com