White Paper
Wireless LAN Security – What Hackers Know That You Don’t

As the next generation of IT networking, 802.11 wireless LANs are also the new playgrounds for hackers. Effective encryption and authentication security measures for wireless LANs are still developing, but hackers already possess easy-to-use tools that can launch increasingly sophisticated attacks that put your information assets at risk.

Some enterprises make the mistake of believing that they do not have to worry about wireless security if they are running non-mission-critical systems with non-sensitive information across their wireless LANs. However, few networks operate as islands of automation. Most connect with the enterprise backbone at some point, and hackers can use the wireless LAN as a launch pad to the entire network. Thus, every entry point to that network should be secured.

Like personal computers in the 1980s and the Internet in the 1990s, wireless LANs are the new frontier of technology in the enterprise. This white paper is therefore not designed to scare enterprises away from deploying wireless LANs. Wireless LANs can be secured with a layered approach to security that goes beyond new encryption and authentication standards to include 24x7 monitoring and intrusion protection.

This white paper outlines how hackers are exploiting vulnerabilities in 802.11 wireless LANs and the widely available hacking tools. The information presented is a collection of already published risks to wireless LANs. This white paper is written to inform IT security managers of what they are up against. In order to effectively secure their wireless LANs, enterprises must first know the potential dangers.

Wireless LANs are a breeding ground for new attacks because the technology is young and organic growth creates the potential for a huge payoff for hackers.
– Pete Lindstrom, Spire Security, Sept. 2002

Figure 1: This image represents the signal emitted from a single wireless access point located in downtown Lawrence, KS.

What’s at Risk?

Wireless LANs face all of the security challenges of any wired network in addition to the new risks introduced by the wireless medium that connects stations and access points. This white paper focuses on the wireless-specific attacks, threats, and risks.

In the summer of 2002, a retail chain was reported to be running its wireless LAN without any form of encryption. The retailer responded by saying that its wireless LAN only handled its inventory application, so encryption was not needed. However, the open connection invites hackers to snoop around on the network to possibly get into confidential customer records or sensitive corporate information.

Any wireless access point attached to a wired network essentially broadcasts an Ethernet connection and an on-ramp to the entire enterprise network. Layer 1 and Layer 2 of a network are typically protected by the CAT5 wire within a building in a traditional wired network but are exposed in a wireless LAN.

Internal Vulnerabilities

Because security risks for wireless LANs can come from the most malicious hackers as well as employees with the best intentions, threats to wireless LAN security can be broken into internal vulnerabilities and external threats.

The satellite photograph on this page (Figure 1) graphically displays how radio signals from a single access point can travel several city blocks outside of the building. Without proper security measures for authentication and encryption, any laptop with a wireless card can connect with the network or stealthily eavesdrop on all network traffic across that access point from any area within the colored areas on the map.
Copyright © 2003, AirDefense, Inc.
Page 1
www.airdefense.net
Internal vulnerabilities are comprised of rogue deployments, insecure configurations, and accidental associations to neighboring wireless LANs.

Rogue WLANs

Rogue access points are a well-documented problem. In 2001 Gartner estimated that “at least 20 percent of enterprises already have rogue WLANs attached to their corporate networks.” Employees can easily hide their rogue access points from wired-side sniffers by simply setting the access point to duplicate the MAC address of the laptop – an easy and often mandatory configuration for a consumer-grade access point when installed on a home cable or DSL modem.

Other rogue deployments or unauthorized uses of wireless LANs can include ad hoc networks. These peer-to-peer connections between devices with WLAN cards do not require an access point or any form of authentication from the other stations with which they connect. While ad hoc networks can be a convenient feature for users to transfer files between stations or connect to shared network printers, they present an inherent security risk: a station in ad hoc mode opens itself to a direct attack from a hacker who can download files from the victim’s station or use the authorized station as a conduit to the entire network.

Insecure Network Configurations

Many organizations secure their wireless LANs with virtual private networks and then mistakenly believe the network is bulletproof. While it takes a highly sophisticated hacker to break a VPN, a VPN can be like an iron door on a grass hut if the network is not properly configured. Why would a thief try to pick the lock of the iron door if he could easily break through the thin walls of the hut? All security holes – big and small – can be exploited.

Insecure configurations represent a significant concern. Default settings that include default passwords, open broadcasts of SSIDs, weak or no encryption, and lack of authentication can open an access point to be a gateway to the greater network. Properly configured access points can be reconfigured by employees seeking greater operability, or are often reset to default settings upon a power surge or system failure.

Accidental Associations

Accidental associations between a station and a neighboring wireless LAN are just now being recognized as a security concern as enterprises confront the issue of overlapping networks. Accidental associations are created when a neighboring company across the street or on adjacent floors of the building operates a wireless LAN that emanates a strong RF signal that bleeds over into your building space. The wireless LAN-friendly Windows XP operating system enables your wireless users to automatically associate and connect to the neighbor’s network without their knowledge.

A station connecting to a neighboring wireless LAN can divulge passwords or sensitive documents to anyone on the neighboring network. Accidental associations can even link the two companies’ networks together through this end-user station as it bypasses all internal security and controls.

External Threats

The internal vulnerabilities previously described open the door for intruders and hackers to pose more serious threats. However, even the most secure wireless LANs are not 100 percent safe from the continuously evolving external threats that include espionage, identity theft, and other attacks such as Denial-of-Service and Man-in-the-Middle attacks.

Eavesdropping & Espionage

Because wireless communication is broadcast over radio waves, eavesdroppers who merely listen to the airwaves can easily pick up unencrypted messages. Additionally, messages encrypted with the Wired Equivalent Privacy (WEP) security protocol can be decrypted with a little time and easily available hacking tools. These intruders put businesses at risk of exposing sensitive information to corporate espionage.

Identity Theft

The theft of an authorized user’s identity poses one of the greatest threats. Service Set Identifiers (SSIDs) that act as crude passwords and Media Access Control (MAC) addresses that act as personal identification numbers are often used to verify that clients are authorized to connect with an access point. Because existing encryption standards are not foolproof, knowledgeable intruders can pick off authorized SSIDs and MAC addresses to connect to a wireless LAN as an authorized user with the ability to steal bandwidth, corrupt or download files, and wreak havoc on the entire network.

Evolving Attacks

More sophisticated attacks, such as Denial-of-Service and Man-in-the-Middle attacks, can shut down networks and compromise the security of virtual private networks. This paper goes into greater detail describing how these attacks occur in the section Emerging Attacks on WLANs.

By year-end 2002, 30 percent of enterprises will suffer serious security exposures from deploying WLANs without implementing the proper security.
– Gartner Group, August 2001
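The internal vulnerabilities described above (rogue access points, stations accidentally associating with a neighbor's network, and ad hoc networks) all show up in what a passive 802.11 monitor can see, provided the monitor has an inventory to compare against. The following Python script is an added example, not code from this white paper or from AirDefense; the inventory values, MAC addresses and monitor records are constructed for illustration. It classifies observed beacons and associations into the categories the paper names. One caveat a practitioner should keep in mind: the air-side view alone cannot tell a neighbor's legitimate access point from a rogue plugged into your own wire, so "unknown AP" findings need a wired-side check before they are treated as rogues.

```python
"""Added example (not from the AirDefense white paper): audit a passive
wireless monitor's observations against an inventory of authorized access
points and stations.  Inventory values and observations are constructed."""
from dataclasses import dataclass, field

# Hypothetical inventory: BSSID -> SSID of every sanctioned access point, and
# the set of station MAC addresses the enterprise issued.
AUTHORIZED_APS = {
    "00:11:22:00:00:01": "corp-wlan",
    "00:11:22:00:00:02": "corp-wlan",
}
AUTHORIZED_STATIONS = {"00:aa:bb:00:00:10", "00:aa:bb:00:00:11"}
CORPORATE_SSIDS = set(AUTHORIZED_APS.values())


@dataclass(frozen=True)
class Observation:
    """One event from the monitor (constructed record format)."""
    kind: str            # "beacon" (AP seen), "assoc" (station joined a BSS), "ibss" (ad hoc)
    bssid: str
    ssid: str
    station: str = ""    # set for "assoc" and "ibss"


@dataclass
class Findings:
    unknown_aps: list = field(default_factory=list)         # beacons from BSSIDs not in inventory
    ssid_impersonation: list = field(default_factory=list)  # unknown BSSID advertising a corporate SSID
    accidental_assoc: list = field(default_factory=list)    # our station on a foreign BSS
    foreign_stations: list = field(default_factory=list)    # unknown station on our AP
    adhoc_networks: list = field(default_factory=list)      # any IBSS seen, and whether our station is in it


def audit(observations):
    """Classify each distinct observation; returns a Findings object."""
    found = Findings()
    for obs in sorted(set(observations), key=lambda o: (o.kind, o.bssid, o.station)):
        if obs.kind == "beacon":
            if obs.bssid in AUTHORIZED_APS:
                continue
            if obs.ssid in CORPORATE_SSIDS:
                found.ssid_impersonation.append((obs.bssid, obs.ssid))
            else:
                found.unknown_aps.append((obs.bssid, obs.ssid))
        elif obs.kind == "assoc":
            ours = obs.station in AUTHORIZED_STATIONS
            our_ap = obs.bssid in AUTHORIZED_APS
            if ours and not our_ap:
                found.accidental_assoc.append((obs.station, obs.bssid, obs.ssid))
            elif our_ap and not ours:
                found.foreign_stations.append((obs.station, obs.bssid))
        elif obs.kind == "ibss":
            found.adhoc_networks.append((obs.station, obs.ssid, obs.station in AUTHORIZED_STATIONS))
    return found


def sample_observations():
    """Constructed monitor output covering each case the white paper describes."""
    return [
        Observation("beacon", "00:11:22:00:00:01", "corp-wlan"),
        Observation("beacon", "00:11:22:00:00:02", "corp-wlan"),
        Observation("beacon", "00:11:22:00:00:99", "corp-wlan"),    # our SSID from an unknown radio
        Observation("beacon", "00:de:ad:00:00:01", "linksys"),      # default-configured unknown AP
        Observation("beacon", "00:de:ad:00:00:02", "neighbor-net"),
        Observation("assoc", "00:11:22:00:00:01", "corp-wlan", "00:aa:bb:00:00:10"),
        Observation("assoc", "00:de:ad:00:00:02", "neighbor-net", "00:aa:bb:00:00:11"),
        Observation("assoc", "00:11:22:00:00:02", "corp-wlan", "00:cc:cc:00:00:77"),
        Observation("ibss", "02:00:00:00:00:01", "adhoc-share", "00:aa:bb:00:00:10"),
    ]


if __name__ == "__main__":
    for name, items in vars(audit(sample_observations())).items():
        print(f"{name}: {items}")
```

Run as a script it prints one line per category. The "ssid_impersonation" category is kept separate from "unknown_aps" because an unknown radio advertising the corporate SSID is exactly the situation in which Windows XP's automatic association, described above, will steer your own stations onto it.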
The Hacker’s Wireless LAN Toolbox

Hackers – as well as white hat researchers – are notorious for quickly breaking new security standards soon after the standards are released. Such is the case with the security standards for wireless LANs. This section provides a few examples of the hardware and freeware tools available on the Internet.

War Driving

To locate the physical presence of wireless LANs, hackers developed scanning and probing tools that introduced the concept of “war driving” – driving around a city in a car to discover unprotected wireless LANs. User-friendly Windows-based freeware tools, such as Netstumbler, probe the airwaves in search of access points that broadcast their SSIDs and offer easy ways to find open networks. More advanced tools, such as Kismet, were then introduced on Linux platforms to passively monitor wireless traffic.

Both Netstumbler and Kismet work in tandem with a global positioning system (GPS) to map exact locations of the identified wireless LANs. These maps and data are posted on web sites such as www.wigle.net and www.wifinder.com, where wireless freeloaders and other hackers can locate these open networks.

Antennas

To connect with wireless LANs from distances greater than a few hundred feet, sophisticated hackers use long-range antennas that are either commercially available or built easily with cans or cylinders found in a kitchen cupboard, and can pick up 802.11 signals from up to 2,000 feet away. The intruders can be in the parking lot or completely out of sight.

Available Freeware Tools

As mentioned in the introduction, new wireless LAN hacking tools are introduced every week and are widely available on the Internet for anyone to download. Rather than wait for a hacker to attack your network, security managers should familiarize themselves with these tools to know what they have to defend themselves against. The table on this page gives a few examples of widely available freeware tools. Network security managers should become familiar with these hacking tools in order to know the dangers of each.

Tool | Web site | Description
NetStumbler | www.netstumbler.com | Freeware wireless access point identifier – listens for SSIDs & sends beacons as probes searching for access points
Kismet | www.kismetwireless.net | Freeware wireless sniffer and monitor – passively monitors wireless traffic & sorts data to identify SSIDs, MAC addresses, channels and connection speeds
Wellenreiter | | Freeware WLAN discovery tool – uses brute force to identify low-traffic access points; hides your real MAC; integrates with GPS
THC-RUT | www.thehackerschoice.com | Freeware WLAN discovery tool – uses brute force to identify low-traffic access points; “your first knife on a foreign network”
Ethereal | www.ethereal.com | Freeware WLAN analyzer – interactively browse the capture data, viewing summary and detail information for all observed wireless traffic
WEPCrack | sourceforge.net/projects/wepcrack/ | Freeware encryption breaker – cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling
AirSnort | | Freeware encryption breaker – passively monitors transmissions, computing the encryption key when enough packets have been gathered
HostAP | | Converts a WLAN station to function as an access point (available for WLAN cards based on Intersil’s Prism2/2.5/3 chipset)

Emerging Attacks on WLANs

The development of effective wireless LAN security standards has been preceded by the evolution of wireless-focused attacks that are becoming more sophisticated.

Breaking Encryption

The industry’s initial encryption technology, WEP, was quickly broken by the published tools WEPCrack and AirSnort, which exploit vulnerabilities in the WEP encryption algorithm. WEPCrack and AirSnort passively observe WLAN traffic until they collect enough data to recognize repetitions and break the encryption key.

Breaking 802.1x Authentication

The next step in the evolution of wireless LAN security was the introduction of 802.1x for port-based authentication. However, University of Maryland professor William Arbaugh published a research paper in February 2002 that demonstrated how the newly proposed security standard can be defeated. The IEEE is now working on a new standard, 802.11i, which is expected to be ratified within the next two years.

Attacks at DefCon

The growing number of attacks on wireless LANs is best seen in a study of wireless LAN activity at the DefCon X hacker convention in August 2002. AirDefense surveyed the wireless LAN at the Las Vegas convention for two hours and identified more than 10 previously undocumented wireless attacks from new creative ways in which hackers are learning to manipulate 802.11 protocols to launch new forms of Denial-of-Service attacks, identity thefts, and Man-in-the-Middle attacks. During the two hours of monitoring the conference’s wireless LAN, AirDefense identified 8 sanctioned access points, 35 rogue access points, and more than 800 different station addresses.
AirDefense’s 802.11 security experts estimate that 200 to 300 of the station addresses were fakes, because roughly 350 people were in the wireless LAN network room at a single time.

AirDefense discovered 115 peer-to-peer ad hoc networks and identified 123 stations that launched a total of 807 attacks during the two hours. Among the 807 attacks:

• 490 were wireless probes from tools such as Netstumbler and Kismet, which were used to scan the network and determine who was most vulnerable to greater attacks;
• 190 were identity thefts, such as when MAC addresses and SSIDs were spoofed to assume the identity of another user;
• 100 were varying forms of Denial-of-Service attacks that either (1) jammed the airwaves with noise to shut down an access point, (2) targeted specific stations by continually disconnecting them from an access point, or (3) forced stations to route their traffic through other stations that ultimately did not connect back to the network; and
• 27 attacks came from out-of-specification management frames where hackers launched attacks that exploited 802.11 protocols to take over other stations and control the network.

Of the more than 10 new types of attacks identified by AirDefense, the company’s 802.11 security experts determined that many were new forms of Denial-of-Service attacks, but an apparent danger came from the growing number of ways in which hackers have learned to abuse 802.11 protocols.

The wireless LAN at DefCon was probably the best place to learn about these new attacks and threats to wireless LANs because DefCon is one of few places where the focus is on breaking things. Enterprises should be aware of these threats and learn what they can do to combat them.
– Pete Lindstrom, Spire Security, September 2002

The following section outlines four major attacks, which represent significant dangers to wireless LANs because they are published attacks that unsophisticated hackers can easily perform after downloading tools off the Internet.

Malicious Association

Using widely available tools, hackers can force unsuspecting stations to connect to an undesired 802.11 network or alter the configuration of the station to operate in ad hoc networking mode. A hacker begins this attack by using the freeware HostAP to convert the attacking station to operate as a functioning access point.

As the victim’s station broadcasts a probe to associate with an access point, the hacker’s new malicious access point responds to the victim’s request for association and begins a connection between the two. After providing an IP address to the victim’s workstation (if needed), the malicious access point can begin its attacks. The hacker – acting as an access point – can use a wealth of available hacking tools that have been tested and proven in a wired environment. At this time, the hacker can exploit all vulnerabilities on the victim’s laptop, which can include installing the HostAP firmware or any other laptop configuration or programmatic changes.

The malicious association attack shows that wireless LANs are subject to diversion and stations do not always know which network or access point they connect to. Stations can be tricked or forced to connect to a malicious access point. Even wireless LANs that have deployed VPNs are vulnerable to malicious associations. This attack does not try to break the VPN. Rather, it takes over the security-poor client.

Enterprises must monitor the airwaves of their wireless LAN to make sure their stations only connect to authorized access points and networks. Monitoring the network is the only way to know whom your stations connect to and which stations connect to your access points.
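Of the Denial-of-Service patterns in the DefCon breakdown above, the second one (targeting specific stations by continually disconnecting them from an access point) is the easiest to recognize from monitored management frames, because a legitimate access point sends deauthentication or disassociation frames rarely while the attack sends them in a burst. The Python below is an added example, not code from this white paper or from AirDefense: it counts disconnect frames per claimed sender over a sliding time window and reports whether the burst hammered one station or was broadcast to everyone. The frame records, addresses and threshold values are constructed for the example.

```python
"""Added example (not from the AirDefense white paper): flag the "continually
disconnecting" Denial-of-Service pattern by counting deauthentication and
disassociation frames per claimed sender in a sliding time window.  Frame
records and tuning values below are constructed."""
from collections import defaultdict, deque

DISCONNECT_SUBTYPES = {"deauth", "disassoc"}
BROADCAST = "ff:ff:ff:ff:ff:ff"
WINDOW_SECONDS = 5.0   # assumption: tuning values chosen for the example
THRESHOLD = 10


def detect_disconnect_floods(frames, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """frames: iterable of (time_s, subtype, src_mac, dst_mac) as seen in the air.
    The source address is whatever the frame claims, so an alert names the
    address being abused (often the real AP's own), not necessarily the attacker.
    Returns {src_mac: {"first_alert", "count", "targets", "mode"}}."""
    alerts = {}
    recent = defaultdict(deque)                         # src -> timestamps inside the window
    per_target = defaultdict(lambda: defaultdict(int))  # src -> dst -> disconnect frames sent
    for t, subtype, src, dst in sorted(frames):
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        q = recent[src]
        q.append(t)
        while t - q[0] > window:        # drop frames that fell out of the window
            q.popleft()
        per_target[src][dst] += 1
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {"first_alert": t, "count": len(q)}
    for src, info in alerts.items():
        targets = dict(per_target[src])
        info["targets"] = targets
        unicast = [n for dst, n in targets.items() if dst != BROADCAST]
        # pattern (2) from the DefCon list: one station hammered repeatedly,
        # as opposed to broadcast disconnects that knock everyone off the AP
        info["mode"] = "targeted" if unicast and max(unicast) >= threshold else "broadcast"
    return alerts


def sample_frames():
    """Constructed capture: normal traffic, one legitimate deauth, then a flood."""
    ap, victim, other = "00:11:22:00:00:01", "00:aa:bb:00:00:10", "00:aa:bb:00:00:11"
    frames = [
        (0.5, "data", ap, victim),
        (1.0, "deauth", ap, other),            # a single legitimate disconnect
        (2.0, "beacon", ap, BROADCAST),
    ]
    # twelve deauths in about 1.1 s, claiming to come from the AP, all aimed at one station
    frames += [(10.0 + i * 0.1, "deauth", ap, victim) for i in range(12)]
    # three broadcast disassociations from another address, below the threshold
    frames += [(20.0 + i, "disassoc", "00:de:ad:00:00:01", BROADCAST) for i in range(3)]
    return frames


if __name__ == "__main__":
    for src, info in detect_disconnect_floods(sample_frames()).items():
        print(src, info)
```

The alert is keyed on the address in the frame rather than on any notion of "the attacker" because, as the DefCon figures show, a large share of the addresses seen in the air were fakes; the useful signal is the rate, and the address tells you which access point or station is being impersonated.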
MAC Spoofing – Identity Theft

Many enterprises secure their wireless LAN with authentication based on an authorized list of MAC addresses. While this provides a low level of security for smaller deployments, MAC addresses were never intended to be used in this manner. Any user can easily change the MAC address of a station or access point to change its “identity” and defeat MAC address-based authentication.

Software tools, such as Kismet or Ethereal, are available for hackers to easily pick off the MAC address of an authorized user. The hacker can then assume the identity of that user by asserting the stolen MAC address as his own. The hacker then connects to the wireless LAN as an authorized user.

Figure 3: MAC Spoofing of an Authorized Station

By monitoring the airwaves of their wireless LAN, enterprises are able to detect MAC spoofing by identifying when the same MAC address is in use by more than one station simultaneously on the network. Wireless LAN intrusion detection systems can also identify when a MAC address is spoofed by analyzing the vendor “fingerprints” of the wireless LAN card, whereby the IDS can see when, as an example, an Orinoco wireless LAN card connects to the network using the MAC address of a Cisco WLAN card.

Man-in-the-Middle Attacks

As one of the more sophisticated attacks, a Man-in-the-Middle attack can break a secure VPN connection between an authorized station and an access point. By inserting a malicious station between the victim station and the access point, the hacker becomes the “man in the middle” as he tricks the station into believing he is the access point and tricks the access point into believing he is the authorized station.

This attack preys upon a CHAP implementation to randomly force a connected station to re-authenticate with the access point. The station must respond to a random challenge from the access point, and the access point must respond to a successful challenge response with a success packet.

To begin this attack, the hacker passively observes the station as it connects to the access point, and the hacker collects the authentication information, including the username, server name, client and server IP address, the ID used to compute the response, and the challenge and associated response. (See Figure 4)

Figure 4: VPN Attack – Link Establishment, Challenge, Response

The hacker then tries to associate with the access point by sending a request that appears to be coming from the authenticated station. The access point sends the VPN challenge to the authenticated station, which computes the required authentic response, and sends the response to the access point. The hacker observes the valid response. (See Figure 5)

Figure 5: VPN Attack – Mounting the assault

The hacker then acts as the access point in presenting a challenge to the authorized station. The station computes the appropriate response, which is sent to the access point. The access point then sends the station a success packet with an embedded sequence number. Both are
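The MAC Spoofing section above names two ways a wireless IDS can catch a borrowed address: the vendor implied by the address's OUI prefix does not match the vendor "fingerprint" of the card actually transmitting (an Orinoco card using a Cisco address), or the same address is in use by more than one physical radio at the same time. The Python below is an added example of both checks; it is not code from this white paper or from AirDefense. The OUI lookup table is a two-entry stand-in for the IEEE registry, the "fingerprint" field is assumed to be a vendor class the monitor has already inferred from the radio's behaviour rather than from its address, and the frame records are constructed.

```python
"""Added example (not from the AirDefense white paper): detect a spoofed
station address by (1) OUI vendor versus observed card fingerprint and
(2) one address in use by two different radios at the same time.  The OUI
table and frame records are constructed for the example."""
from collections import defaultdict

# Assumption: a tiny OUI -> vendor lookup standing in for the IEEE registry.
OUI_VENDOR = {
    "00:00:0c": "cisco",
    "00:02:2d": "orinoco",
}
WINDOW_SECONDS = 2.0   # assumption: two radios seen within this window count as concurrent


def vendor_from_mac(mac):
    """Vendor implied by the first three octets, or None if the OUI is not in the table."""
    return OUI_VENDOR.get(mac.lower()[:8])


def detect_spoofing(frames, window=WINDOW_SECONDS):
    """frames: iterable of (time_s, src_mac, fingerprint), where fingerprint is the
    vendor class the monitor inferred from how the radio behaves (supported-rate
    set, capability bits, timing), not from the address it claims.
    Returns {src_mac: set of reasons} for addresses that look spoofed."""
    alerts = defaultdict(set)
    last_seen = defaultdict(dict)   # mac -> fingerprint -> last time that fingerprint used it
    for t, mac, fingerprint in sorted(frames):
        claimed = vendor_from_mac(mac)
        # (1) the address says one vendor, the card behaves like another
        if claimed is not None and claimed != fingerprint:
            alerts[mac].add("vendor_mismatch")
        # (2) a different physical card used this same address moments ago
        for other_fp, t_other in last_seen[mac].items():
            if other_fp != fingerprint and t - t_other <= window:
                alerts[mac].add("concurrent_duplicate")
        last_seen[mac][fingerprint] = t
    return dict(alerts)


def sample_frames():
    """Constructed capture mixing genuine cards with two spoofing cases."""
    return [
        (0.0, "00:00:0c:aa:aa:01", "cisco"),      # genuine Cisco card
        (0.5, "00:02:2d:bb:bb:02", "orinoco"),    # genuine Orinoco card
        (1.0, "00:00:0c:aa:aa:01", "orinoco"),    # same address from an Orinoco radio 1 s later
        (1.2, "00:00:0c:aa:aa:01", "cisco"),      # the real Cisco card is still transmitting
        (3.0, "00:02:2d:bb:bb:03", "cisco"),      # address claims Orinoco, card behaves like Cisco
        (4.0, "0a:0b:0c:dd:dd:04", "cisco"),      # unknown OUI: nothing to compare against
    ]


if __name__ == "__main__":
    for mac, reasons in detect_spoofing(sample_frames()).items():
        print(mac, sorted(reasons))
```

The two checks are deliberately independent: a hacker who clones an address from a card of the same vendor defeats the OUI check but still trips the concurrency check as long as the legitimate station keeps transmitting, which is why the paper recommends monitoring the airwaves continuously rather than checking addresses once at association time.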