hacking & information security presentsfiles.meetup.com/7108012/wifi security - attack and...

HACKING & INFORMATION SECURITY Presents: With TechNext


Post on 24-Jul-2020


Page 1: HACKING & INFORMATION SECURITY Presents · files.meetup.com/7108012/Wifi Security - Attack and Defense.pdf

HACKING & INFORMATION SECURITY Presents:

- With TechNext


We Are… The Speakers…

Sudarshan Pawar
• Certified Security Expert (C.S.E.)
• Certified Information Security Specialist (C.I.S.S.)
• Security Xplained (TechNext Speaker)
• Computer Engg. & a Security Professional

Prakashchandra Suthar
• Security Enthusiast
• Cisco Certified Network Associate
• Red Hat Linux Certified
• Security Xplained (TechNext Speaker)
• Computer Engg
• Security Researcher.


Topics to be covered

• Basics of Wifi
• Types of wireless networks
• Wireless Standards (802.11 series)
• Encryption Algorithms
• Wireless hacking methodology
• ATTACKS (commonly encountered)
• Staying secure (Defense)
• Security Tools

We are not including stats, history, who did what/when/why -> Bcoz it’s Booooring….!!! U can google them later….!


Current Generation


Wifi Basics

• WiFi (Wireless Fidelity) -> Wireless networks (commonly referred to as WLAN)
• Developed on IEEE 802.11 standards
• Wireless networks include: Bluetooth, Infrared communication, Radio Signal etc.
• Components used:
  o Wireless Client Receiver
  o Access Point
  o Antennas


Extension to a wired network

[Diagram labels: BROADBAND ROUTER, ACCESS POINT, EXTENSION POINT]


Multiple Access points

[Diagram labels: BROADBAND ROUTER, ACCESS POINT-1, ACCESS POINT-2]


LAN-2-LAN

[Diagram labels: LAN-1, LAN-2]


3g Hotspot

[Diagram labels: GPRS, 3G, 4G, Internet]


How  many  of  you  have  tried  this???  


WiFi Standards

| Points | 802.11b | 802.11a | 802.11g | 802.11n |
|---|---|---|---|---|
| Extension to | 802.11 | 802.11 | 802.11a | 802.11g |
| Bandwidth (MHz) | 20 (11 Mbps) | 20 (54 Mbps) | 20 (54 Mbps) | 20 (54 Mbps), 40 (150 Mbps) |
| Frequency (GHz) | 2.4 | 5 | 2.4 | 2.4, 5 |
| Pros | Lowest cost; signal range is good and not easily obstructed | fast maximum speed; regulated frequencies prevent signal interference from other devices | fast maximum speed; signal range is good and not easily obstructed | fastest maximum speed and best signal range; more resistant to signal interference from outside sources |
| Cons | slowest maximum speed | highest cost; shorter range signal that is more easily obstructed | costs more than 802.11b; appliances may interfere on the unregulated signal frequency | standard is not yet finalized; |


Are  u  seriously  concerned  about  wifi  security?????  Be  honest!  


WEP (Wired Equivalent Privacy)

• The first encryption scheme made available for Wi-Fi.
• Uses a 24-bit initialization vector with the RC4 stream cipher for confidentiality
• CRC-32 checksum for integrity.
• Typically used by home users.
• Uses 64, 128, 256 bit keys
• Flawed from the get go.


WEP Working

[Diagram labels: KEY STORE, WEP Key, IV, RC4 CIPHER, KEYSTREAM, DATA, CRC 32 CHECKSUM, ICV, XOR ALGO., WEP ENCRYPTED PACKET (MAC FRAME): IV | PAD | KID | CIPHERTEXT]


WEP Weakness

1. Key management and key size
2. The 24-bit IV is too small.
3. The ICV algorithm is not appropriate
4. Use of RC4 algorithm is weak
5. Authentication messages can be easily forged


Wep  Broken  beyond  repair  
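
The "WEP Working" diagram and the weakness list above, worked through in Python as an added example (not code from the slides). It builds the frame body the diagram shows, then checks two of the listed weaknesses on constructed data: a repeated IV repeats the keystream, and a 24-bit IV space collides after only a few thousand frames. The key, IVs and payloads are constructed values.

```python
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of RC4 keystream for key (key schedule, then generator)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, key_id: int, data: bytes) -> bytes:
    """Frame body: IV (3 bytes) | PAD+KID (1 byte) | (DATA | ICV) XOR keystream."""
    icv = struct.pack("<I", zlib.crc32(data))       # CRC-32 checksum, no key involved
    body = data + icv
    keystream = rc4(iv + key, len(body))            # RC4 seed is IV || WEP key
    return iv + bytes([(key_id & 3) << 6]) + xor(body, keystream)

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, ciphertext = frame[:3], frame[4:]
    body = xor(ciphertext, rc4(iv + key, len(ciphertext)))
    data, icv = body[:-4], body[-4:]
    if struct.pack("<I", zlib.crc32(data)) != icv:
        raise ValueError("ICV mismatch")
    return data

def same_iv_leaks_xor(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Same IV and key give the same keystream, so C1 XOR C2 == P1 XOR P2."""
    c1 = wep_encrypt(key, iv, 0, p1)[4:]
    c2 = wep_encrypt(key, iv, 0, p2)[4:]
    return xor(c1, c2).startswith(xor(p1, p2))

def iv_collision_probability(frames: int) -> float:
    """Chance that at least two of `frames` randomly chosen 24-bit IVs are equal."""
    p_unique = 1.0
    for k in range(frames):
        p_unique *= 1 - k / 2**24
    return 1 - p_unique

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")               # constructed 40-bit key
    frame = wep_encrypt(key, bytes.fromhex("a1b2c3"), 0, b"constructed payload")
    print(frame.hex(), wep_decrypt(key, frame))
    print(same_iv_leaks_xor(key, b"\x00\x00\x01", b"first frame", b"other frame"),
          round(iv_collision_probability(5000), 3))
```

The collision figure is the reason the IV size is on the weakness list: with randomly chosen IVs, a busy network is more likely than not to repeat one within about 5000 frames.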


WPA (Wi-Fi Protected Access)

• Data Encryption for WLAN based on 802.11 std.
• Improved Encryption & Authentication Method.
• Uses TKIP
  – Based on WEP
  – Michael algorithm
• Hardware changes not required
• Firmware update

Types
1. Personal: PSK
2. Enterprise: 802.1x + RADIUS


WPA Working

[Diagram labels: Temporary Encryption key, Transmit Address, T.S.C., KEY MIXING, WEP SEED, RC4 CIPHER, KEYSTREAM, MSDU, MIC KEY, MICHAELS ALGORITHM, MSDU + MIC KEY, MPDU, ICV, PACKET TO BE TRANSMITTED: MAC HEADER | IV | KID | EIV | CIPHER TEXT]


WPA2

• Long Term Solution (802.11)
• Stronger Data protection & Network access control
• Uses CCMP
  – Based on AES
• Hardware changes required

Types
1. Personal: Pre Shared Key
2. Enterprise: 802.1x + RADIUS


WPA2  Working  

Source:  EC  Council  


Source:  someecards  


Breaking WPA/WPA2

• Dictionary Attacks (Not so successful, but yeah some time…)
• Brute Force (tools like: Kismac, Aireplay etc)
• WPA PSK


Security breaching sequence

1. Find the network
2. Study its traffic
3. Study Security mechanisms
4. ATTACK!!!!!!!! (i.e. Decrypt the packets)


BEFORE  ATTACK  

DOS


Access point is busy handling attacker's request

AFTER  ATTACK  


Man In The Middle Attack (MITM)

•  Before  


After…


ARP  Poisoning/Spoofing  

Source: http://securitymusings.com/wp-content/uploads/2008/12/arp-spoofing.png


WiFi  JAMMING….  


Fake  Access  Points  

SSID:  XYZ  Bank    


Defense against WPA / WPA2 attacks

• Extremely complicated keys can help
• Passphrase should not be one from a dictionary, so use uncommon, senseless words.
• Key should be more than 20 chars with a combination of special chars, numbers, alphabets. Change them at regular intervals.


#eY,t#!$c@/\/_B-gUd0n3?@$sW0rD
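
The passphrase rules above as a checker, together with the WPA/WPA2-Personal key derivation they protect (an added example, not code from the slides). The pairwise master key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, which is why a dictionary passphrase or a default SSID weakens the network. The word list, default-SSID list and the SSID `office-wlan-7` are constructed samples.

```python
import hashlib
import string

# Constructed samples for illustration; use a real wordlist and vendor list in practice.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "internet"}
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "wireless"}

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def audit_psk(passphrase: str, ssid: str) -> list:
    """Return the slide's checks that this passphrase/SSID pair fails."""
    findings = []
    if len(passphrase) <= 20:
        findings.append("passphrase is not longer than 20 characters")
    classes = {
        "letters": string.ascii_letters,
        "numbers": string.digits,
        "special characters": string.punctuation,
    }
    for name, chars in classes.items():
        if not any(c in chars for c in passphrase):
            findings.append("passphrase has no " + name)
    lowered = passphrase.lower()
    if any(word in lowered for word in DICTIONARY):
        findings.append("passphrase contains a dictionary word")
    if ssid.lower() in DEFAULT_SSIDS:
        # The SSID is the PBKDF2 salt, so a default SSID allows PMK tables
        # precomputed for that name to be reused against this network.
        findings.append("SSID is a vendor default")
    return findings

if __name__ == "__main__":
    for pw, ssid in [("password123", "linksys"),
                     (r"#eY,t#!$c@/\/_B-gUd0n3?@$sW0rD", "office-wlan-7")]:
        print(ssid, derive_pmk(pw, ssid).hex()[:16], audit_psk(pw, ssid))
```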

 


Security Checkboxes

1. WPA instead of WEP
2. WPA2 Enterprise implementation
3. Place AP at secured location.
4. Centralized authentication & Update Drivers regularly.
5. Changing default SSID after Configuring WLAN
6. Firewall policies & Router access Password


Security Checkboxes (contd…)

1. MAC add. Filtering
2. Encryption at Access Point
3. Packet Filtering between AP
4. Network Strength configuration.
5. Use IPsec for encryption on WLANs
6. Check out for Rogue Access Points
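
One way to run the "Check out for Rogue Access Points" item against the "Fake Access Points" case shown earlier (SSID: XYZ Bank), as an added example that is not part of the slides. It compares survey results with an inventory of authorised access points; the inventory, the BSSIDs and the simplified scan record format are all constructed.

```python
# Constructed inventory of authorised access points (all values hypothetical).
AUTHORISED = {
    "XYZ Bank": {
        "bssids": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
        "security": "WPA2-Enterprise",
    },
}

# Constructed survey results in a simplified form: one dict per observed beacon.
SCAN = [
    {"ssid": "XYZ Bank", "bssid": "00:11:22:33:44:55", "security": "WPA2-Enterprise"},
    {"ssid": "XYZ Bank", "bssid": "66:77:88:99:AA:BB", "security": "Open"},
    {"ssid": "XYZ Bank", "bssid": "00:11:22:33:44:56", "security": "WEP"},
    {"ssid": "xyz-bank", "bssid": "66:77:88:99:AA:BC", "security": "Open"},
    {"ssid": "Cafe Guest", "bssid": "DE:AD:BE:EF:00:01", "security": "WPA2-Personal"},
]

def normalise(ssid: str) -> str:
    """Fold case and drop punctuation/spacing so look-alike names compare equal."""
    return "".join(ch for ch in ssid.casefold() if ch.isalnum())

def find_suspect_aps(scan, authorised):
    """Return (bssid, reason) for every beacon that conflicts with the inventory."""
    lookalikes = {normalise(name) for name in authorised}
    findings = []
    for ap in scan:
        bssid = ap["bssid"].lower()
        entry = authorised.get(ap["ssid"])
        if entry is None:
            if normalise(ap["ssid"]) in lookalikes:
                findings.append((bssid, "look-alike of an authorised SSID"))
            continue  # unrelated neighbouring network
        if bssid not in entry["bssids"]:
            findings.append((bssid, "authorised SSID from unknown BSSID"))
        elif ap["security"] != entry["security"]:
            findings.append((bssid, "authorised BSSID with unexpected security"))
    return findings

if __name__ == "__main__":
    for bssid, reason in find_suspect_aps(SCAN, AUTHORISED):
        print(bssid, reason)
```

A BSSID can be copied, so a clean result only means that nothing visibly conflicts with the inventory; the security-mismatch rule catches the case where a copied BSSID advertises weaker settings.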


Wi-Fi Security Auditing Tools

• AirMagnet Wifi Analyzer
• AirDefense
• Adaptive wireless IPS
• ARUBA RF Protect WIPS
• And many others…


Questions?

• What you want to ask, many already have that same question on their mind. Be bold and lead
• OK, if you don’t want to speak and keep shut and keep thinking about it in your mind and take those questions home, make sure you email those to us and sleep well at night!


What should be our topic for the next meet? I hate to ask but, how can we make this better?