
1

Detecting Rogue 802.11 Access Points within the Enterprise

Kirby Kuehl, Cisco Systems, Inc.

2

A Brief Introduction

• Access to a wired LAN is governed by access to an Ethernet port for that LAN. Therefore, access control for a wired LAN often is viewed in terms of physical access to LAN ports. Similarly, because data transmitted on a wired LAN is directed to a particular destination, privacy cannot be compromised unless someone uses specialized equipment to intercept transmissions on their way to their destination. In short, a security breach on a wired LAN is possible only if the LAN is physically compromised.

• With a wireless LAN, transmitted data is broadcast over the air using radio waves, so it can be received by any wireless LAN client in the area served by the data transmitter. Because radio waves travel through ceilings, floors, and walls, transmitted data may reach unintended recipients on different floors and even outside the building of the transmitter. Installing a wireless LAN may seem like putting Ethernet ports everywhere, including in your parking lot. Similarly, data privacy is a genuine concern with wireless LANs because there is no way to direct a wireless LAN transmission to only one recipient.

3

Rogue – Operating outside normal or desirable controls.

• SSID: (Service Set ID )The use of the SSID as a handle to permit/deny access is dangerous because the SSID typically is not well secured. An access point, the device that links wireless clients to the wired LAN, usually is set to broadcast its SSID in its beacons.

• WEP: (wired equivalent privacy) With open authentication, which is the default, the entire authentication process is done in clear-text, and a client can associate with an access point even without supplying the correct WEP key. With shared-key authentication, the access point sends the client a challenge text packet that the client must encrypt with the correct WEP key and return to the access point. If the client has the wrong key or no key, it will fail authentication and will not be allowed to associate with the access point. (Subject to attack with tools such as airsnort)

4

802.11b Detection Methods

• TCP Fingerprinting (Nmap)

5

Nmap TCP Fingerprinting

Disadvantages:

• Scanning entire network indiscriminately (Could be slow on large networks).

• Intrusive and Noisy (Personal Firewalls and IDS alerts.)

• False Positives.

• Does not audit Access Points.

Nmap (http://www.insecure.org/nmap/) example:

6

• TCP Fingerprinting (Nmap)

• 802.11b Analyzer (War Driving)

802.11b Detection Methods

7

Detecting Rogue Access Points With an 802.11b Analyzer

8

“War Driving” is only a partial solution.

Disadvantage: Using a Wireless Protocol Analyzer is limited by signal range.

Cisco AP 340 Range @ 1Mbps: 1500 ft. (460m) open environment; 300 ft. (90m) office

Cisco AP 340 Range @ 11Mbps: 400 ft. (120m) open environment; 100 ft. (30m) office

Cisco AP 350 Range @ 11 Mbps: 800 ft (244 m) open environment; 130 ft (39.6 m) office

Cisco AP 350 Range @ 1Mbps: 2000 ft (610 m) open environment; 350 ft (107 m) office

War driving is typically accomplished using a modified access point with a high gain antenna (Yagi) which significantly increases the range (up to 6.5 miles at 2Mbps).

Cisco Antennas: http://www.cisco.com/warp/public/cc/pd/witc/ao340ap/prodlit/airoa_ds.htm

9

• TCP Fingerprinting (Nmap)

• 802.11b Analyzer (War Driving)

• SNMP

802.11b Detection Methods

10

Disadvantage: Not enabled by default.

Snmpwalk (http://net-snmp.sourceforge.net/) example:

SNMP

11

802.11b Detection Methods

• TCP Fingerprinting (Nmap)

• 802.11b Analyzer (War Driving)

• SNMP

• The Origin of APTools.

IPSU Ethereal

12

Advantages:

Not limited to the signal range of the access points like “war driving”.

Positive Identification through MAC Address assignments and only queries Access Points and Access Point Clients.

Audits Security Configuration.

Detecting Access Points by Querying Routers and Switches

13

Identifying Access Points via MAC Address

IEEE OUI and Company_id Assignments
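As an added example (not part of the original presentation and not APTools code), the following Python parses constructed Cisco IOS `show ip arp` output and flags entries whose OUI belongs to a wireless vendor, generalizing the deck's `show ip arp | include 0040.96` filter into a lookup table. The OUI table is an illustrative subset of the IEEE registry and all addresses are constructed.

```python
import re
from typing import Dict, List, Tuple

# Known wireless OUIs. 00:40:96 is the prefix the slides filter on
# ("show ip arp | include 0040.96"); this table is an illustrative subset,
# not the full IEEE OUI registry.
WIRELESS_OUIS: Dict[str, str] = {
    "00:40:96": "Aironet Wireless Communications (Cisco Aironet)",
}

# Matches one Cisco IOS 'show ip arp' data row, e.g.
# "Internet  10.0.0.9   5   0040.9612.3456  ARPA   Vlan10"
ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?:\d+|-)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA",
    re.IGNORECASE,
)


def normalize_mac(cisco_mac: str) -> str:
    """Convert the IOS 'aabb.ccdd.eeff' form to 'aa:bb:cc:dd:ee:ff'."""
    hexdigits = cisco_mac.replace(".", "").lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {cisco_mac}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def find_wireless_entries(show_ip_arp: str) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, vendor) for ARP rows whose OUI is a wireless vendor."""
    hits = []
    for line in show_ip_arp.splitlines():
        m = ARP_ROW.match(line.strip())
        if not m:
            continue  # header line, 'Incomplete' entries, other protocols
        mac = normalize_mac(m.group("mac"))
        vendor = WIRELESS_OUIS.get(mac[:8])  # first three octets = OUI
        if vendor:
            hits.append((m.group("ip"), mac, vendor))
    return hits


# Constructed sample output; the addresses are illustrative, not real devices.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   0011.2233.4455  ARPA   Vlan10
Internet  10.0.0.9                5   0040.9612.3456  ARPA   Vlan10
Internet  10.0.0.10               0   0002.a5b1.c2d3  ARPA   Vlan10
Internet  10.0.0.20               12  Incomplete      ARPA
"""

if __name__ == "__main__":
    for ip, mac, vendor in find_wireless_entries(SAMPLE_ARP):
        print(f"{ip} {mac} {vendor}")
```

Each hit is a candidate access point to confirm with the HTTPD query on the following slides, since an OUI match alone can also be a wireless client NIC.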

14

Determine if IP is an Access Point or Client via HTTPD Query

Request: HEAD / HTTP/1.0

Referer: http://10.0.0.10/

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Host: 10.0.0.9

Accept: */*

Response: HTTP/1.0 501 Not Implemented (Error Ignored)

Server: thttpd/2.03 11jul98

Content-type: text/html

Date: THU, 01 JAN 1970 18:40:48 GMT

Last-modified: THU, 01 JAN 1970 18:40:48 GMT

Accept-Ranges: bytes

Connection: close

15

Audit Access Point Settings via HTML

SetWEP_Keys.html can be “read” to determine settings.

Encryption: NONE, FULL, or MIXED

Key Size: None Set, 40 bit, or 128 bit

16

SNMP Enabled or Disabled?

17

What if Basic Authentication is Required?

18

HTTP Basic Authentication Denied

First Request: GET /SetHwPC4800.shm?ifIndex=2 HTTP/1.0

Referer: http://10.0.0.10/

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Host: 10.0.0.9

Accept: */*

First Response: HTTP/1.0 401 Unauthorized

Server: thttpd/2.03 11jul98

Content-type: text/html

Date: THU, 01 JAN 1970 18:28:23 GMT

Last-modified: THU, 01 JAN 1970 18:28:23 GMT

Accept-Ranges: bytes

Connection: close

WWW-Authenticate: Basic realm="15"

The User-Agent information is falsified due to JavaScript browser version checking done by the Aironet Access Point HTML pages.

19

HTTP Basic Authentication Accepted

The client then sends the user-ID and password, separated by a single colon (":") character, as a base64-encoded string in the HTTP request.

Second Request: GET /SetHwPC4800.shm?ifIndex=2 HTTP/1.0

Referer: http://10.0.0.10/

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Host: 10.0.0.9

Accept: */*

Authorization: Basic YWRtaW46cGFzcw==

Second Response: HTTP/1.0 200 OK

Date: FRI, 02 JAN 1970 12:00:00 GMT

Expires: THU, 01 JAN 1970 12:00:00 GMT

Content-type: text/html
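As an added example (not the deck's or APTools' code), this Python parses responses shaped like the exchanges above, classifies the device by its thttpd Server banner, extracts the realm from a 401 Basic challenge, and builds the Authorization header for the second request. The response text is constructed from the slides, and the slide's sample token is reproduced to show that Basic is base64 encoding, not encryption.

```python
import base64
import re
from typing import Dict, Optional, Tuple

# Constructed from the exchanges on the slides (AP at 10.0.0.9, banner
# "thttpd/2.03 11jul98"); only the headers the checks below use are kept.
HEAD_RESPONSE = (
    "HTTP/1.0 501 Not Implemented\r\n"
    "Server: thttpd/2.03 11jul98\r\n"
    "Content-type: text/html\r\n"
    "Connection: close\r\n"
    "\r\n"
)
AUTH_CHALLENGE = (
    "HTTP/1.0 401 Unauthorized\r\n"
    "Server: thttpd/2.03 11jul98\r\n"
    'WWW-Authenticate: Basic realm="15"\r\n'
    "\r\n"
)


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.0 response into (status code, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def is_aironet_banner(headers: Dict[str, str]) -> bool:
    """The slides identify the Aironet web UI by its thttpd Server banner."""
    return headers.get("server", "").startswith("thttpd/")


def basic_realm(headers: Dict[str, str]) -> Optional[str]:
    """Realm from a Basic challenge, or None when no Basic auth is required."""
    m = re.match(r'Basic\s+realm="([^"]*)"', headers.get("www-authenticate", ""), re.I)
    return m.group(1) if m else None


def basic_authorization(user: str, password: str) -> str:
    """Authorization value: base64 of 'user:password' (reversible encoding)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"
```

Because the token is reversible and the Aironet pages are served over plain HTTP, audit credentials used this way are exposed to anyone who can capture the wired segment.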

20

APTools Flowchart (reconstructed from the slide diagram)

1. Begin APTools.

2. Input List: router hostnames or IP addresses.

3. Query router or switch from input list:

show ip arp | include 0040.96

show cam dynamic

4. Generated list of IP addresses & MAC addresses.

5. Query IP from list: is IP an Access Point or Client?

Access Point: audit via HTML, authenticate if necessary, and report.

Client: continue to the next IP.

6. More IPs for router? Yes: return to step 5. No: continue.

7. More routers? Yes: return to step 3. No: done.

21

APTools Automates this Process

Features:

Single Scan or List Scan Routers and Switches.

HTTP Basic Authentication Support

Nmap greppable output can be used as input to audit devices.

Easily expandable. I have added some untested Scan Types based on information from:

http://www.netstumbler.org/query.php

Can run a custom command on router or switch!

Developed and Tested on Cisco Products: Cisco Aironet Access Points, Cisco Routers, and Cisco Switches. Your Mileage May Vary.

Limitations:

Does not support SSH.

Switch querying needs refinement.

Needs Multithreading.

APTools Beta Version available at aptools.sourceforge.net

22

Command line: Unix and Win32 versions.

Beta Version available at aptools.sourceforge.net

23

Works Cited

Cisco Aironet

http://www.cisco.com/warp/public/cc/pd/witc/ao340ap/prodlit/airoa_ds.htm

Assessing Wireless Security With AiroPeek

http://www.wildpackets.com/elements/AiroPeek_Security.pdf

WildPackets AiroPeek

http://www.wildpackets.com/products/airopeek

IEEE OUI and Company_id Assignments

http://standards.ieee.org/regauth/oui/index.shtml

http://www.netstumbler.org

Snmpwalk

http://net-snmp.sourceforge.net

HTTP Basic Authentication

http://www.w3.org/Protocols/HTTP/1.0/spec.html#BasicAA

Nmap

http://www.insecure.org/nmap

Remote OS Detection via TCP/IP fingerprinting

http://www.insecure.org/nmap/nmap-fingerprinting-article.html

List of Default SSIDS

http://www.wi2600.org/mediawhore/nf0/wireless/ssid_defaults/

24

Please remember to fill out the Speaker evaluation forms.

End of Presentation

25

Recently, researchers at the University of California, at Berkeley, published a document identifying "security flaws in the 802.11 security protocol (WEP)," that "seriously undermine the security claims of the system" and make WEP insufficient for wireless LAN (WLAN) security. Articles about the researchers' findings have appeared in The Wall Street Journal and other publications. (Review the summary at http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html and the detailed paper at http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf.) Cisco was aware of these limitations before the company defined its Aironet® security architecture. With the recent Aironet Software Release 11.0 and ACS 2.6, Cisco offers centrally managed, dynamic per-user, per-session WEP that addresses several of the concerns that the researchers refer to in their paper.

Cisco agrees with Berkeley researchers who cite inherent weaknesses in WEP as defined by IEEE 802.11b, the standard for WLANs, and that these weaknesses exist regardless of the length of the encryption key used. The weakness of most WLANs is their use of static WEP keys shared among users. "In practice, most installations use a single key that is shared between all mobile stations and access points," the Berkeley report states. "More sophisticated key management techniques can be used to help defend from the attacks we describe; however, no commercial system we are aware of has mechanisms to support such techniques."

URL: http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1281_pp.htm

Airsnort ( http://airsnort.sourceforge.net) and WEPCrack (http://wepcrack.sourceforge.net) are two utilities that can be used to recover WEP keys.

Cisco Aironet Security Solution Provides Dynamic WEP to Address Researchers' Concerns