8/8/2019 Isaca Wireless Hacking 2009 1
CONTACTS
Austin-
Accounts
over IP by Syngress Press
Contributor to the Center for Internet Security Benchmarks.
March 2, 2010
TJX: 45 million credit card numbers stolen; could be as high as 200 million
$33 million in losses from gift cards
Largest loss ever from exploited wireless, estimated at $1 billion
2003
FBI tracked credit card system software replaced with hacked version
routers, switches, and other network devices.
wireless network was exploited across our
(Verizon Business - Data Breach Investigations Report)
Wi-Fi Bouncing
network due to their new Wi-Fi-proof wallpaper? Try a Wi-Fi attack droid. Some clever hackers at the Shmoo
Zaurus, a 100 milliwatt Sanio wireless card, and some wires that fit into a tissue box (or another similarly-sized innocuous object). The idea is that you surreptitiously drop this thing off in an area with a Wi-Fi network that you can't access and it sends a 900 MHz signal via a serial port transceiver to pass on the network. With a good antenna this means you can get online from as far as 40 miles away, though with the antenna shown you should be able to get about a mile or so of sneaky wireless access.
lithium battery should power this thing for up to four hours or so.
Bluesnarfing is the theft of information from a wireless.
high-speed but very short-range wireless technology for exchanging data between desktop and mobile computers, personal digital assistants (PDAs), and other
By exploiting a vulnerability in the way Bluetooth is
information -- such as the user's calendar, contact list and e-mail and text messages -- without leaving any evidence of the attack. Other devices that use Bluetooth,
although to a lesser extent, by virtue of their more complex systems. Operating in invisible mode protects some devices, but others are vulnerable as long as
According to a ZDNet UK article, attackers are exploiting a problem with some implementations of the object exchange protocol, which is commonly used to exchange information between wireless devices. An attacker can synchronize with the victim's device (this is known as pairing) and gain access to any information or
that bluesnarfing tools are widely available on the Internet, along with information about how to use them.
So what is the record distance for Bluesnarfing?
Lasco.A Bluetooth virus (Nokia Series 60 running Symbian) spreads via file attachments, games, files, etc.
Paris Hilton's phone contacts stolen
TOOLS: Bluescanner, BTCrack, T-Bear
Well, we focus on wireless networks
What about wireless cameras?
If you can see data on wireless networks
Can you see video on wireless cameras?
Let's take a look!
What about Internet cameras, aka NannyCams?
Google Hacks:
inurl:view/index.shtml Finds AXIS cameras
inurl:ViewerFrame?Mode=" Finds more
inurl:MultiCameraFrame?Mode="
Also can be wireless
Step 1 - Reconnaissance
Airsnort, NetStumbler, or Aerosol
Identify APs SSIDs without WEP enabled
- Configure wireless client to match discovered SSID
Step 3 - Check IP Address u
Step 4 - Check for Internet access
Open browser to see if the Internet can be accessed
Step 5 - Scan for other clients
Run port scanner (Nmap) to find other clients that may
Windows Laptop
commercial Orinoco wireless card
NetStumbler, ApSniff, Wlan-Expert
Prism 2 wireless card
Aerosol software
USB Wireless Card
AirSnare - IDS
Cantenna and wireless MMCX to N type cable
An Access Point for rogue data collection
Ferret and Hamster for SideJacking
Linux Laptop
Prism2 or Orinoco card
AirSnort software (To crack WEP)
Aircrack software (To crack WEP)
WepLab software (To crack WEP)
dwepcrack software (To crack WEP)
WepAttack software (To crack WEP)
Kismet
AirTraf
Aireplay: 802.11 packet injection program
Airdecap: decrypts WEP/WPA capture files
BackTrack 4 CD/DVD
Handheld device
Orinoco wireless card
Ministumbler
Pocket Warrior
AirScanner
Wi-FiFoFum PocketPC Windows Mobile
(iPAQ)
AirMagnet Commercial $3K
Lots of options for iPhone and Android OS
No 802.11a on a handheld against the spec
Wi-Finder
Wi-Fi Finder
NETSTUMBLER SCREEN CAPTURE
DOWNTOWN SACRAMENTO
NETSTUMBLER SCREEN CAPTURE
ARCO ARENA AREA
AIRSNORT SCREEN CAPTURE
SACRAMENTO AREA
WinSniffer Passwords
Sniffers can see all clear text usernames, passwords and data that pass across the wireless network to gain more information
Standard sniffers can see all data in all packets that
, passwords.
Read your email
FTP
Telnet
ICQ Instant Messaging
SMTP
NNTP
Web based email
SideJacking of course
- SANS: http://www.sans.org/critical-security-controls/control.php?id=14
- Residential Wireless Audit Checklist: http://www.sans.org/score/wirelesschecklist.php
- Wireless STIG (Security Technical Implementation Guides): http://iase.disa.mil/stigs/stig/index.html
- US DoJ: http://www.justice.gov/ust/eo/private_trustee/library/chapter13/docs/Wireless_Security_Checklist.pdf
- ISO 27001: http://www.smashingpasswords.com/files/wireless-lan-security-checklist.pdf
- CIS: Wireless Benchmark and Assessment Articles: http://cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.network.wireless
- http://www.corecom.com/html/wlan_tools.html - List of Tools
www.war r v ng.ne - oo n o
http://sectools.org/wireless.html - Top 5 Wi-Fi Tools
www.dis.org/filez/ - Peter Shipley War driving site
www.wigle.net - Upload reading from wireless tools, mapping
www.networkintrusion.co.uk/wireless.htm - List of Wireless tools
www.freeantennas.com - Lots of easy to build antennas
Hot Spots
www.Wi-Finder.com - Wi-Fi locator
www.wi-find.com - Wi-Fi locator
www.Wi-Fifreespot.com/ - Wi-Fi locator
www.jiwire.com/ - Wi-Fi locator
https://selfcare.hotspot.t-mobile.com - T-Mobile hotspots
www.boingo.com - Boingo hotspots
Using ARP poisoning hackers are able to place
themselves in the middle of an session using
Ettercap or other tools over wireless.
This results in the hacker having the actual SSL certificate, relaying the information to the user, thus being able to see all that the user sees.
Remember it is estimated that 95% of Wi-Fi usage is unencrypted!
Access Points that mimic a real access point in
order to steal information.
Secure Wi-Fi is not susceptible to this threat as the
Use automated Wireless detection solution
Define what is normal and detect anomalies
Follow up with manual assessments
Issue Wireless cards to consultants and guests
Create Incident Response plan to shut down or investigate violations
Rotate Keys 30 days or less
Dual Wi-Fi networks
First find all trusted MAC addresses
The END
Questions?