Hands-On Ethical Hacking and Network Defense
Chapter 11
Hacking Wireless Networks
Last revised 10-30-08 5 pm
2
Objectives
- Explain wireless technology
- Describe wireless networking standards
- Describe the process of authentication
- Describe wardriving
- Describe wireless hacking and tools used by hackers and security professionals
3
Understanding Wireless Technology
- For a wireless network to function, you must have the right hardware and software
- Wireless technology is part of our lives
  - Baby monitors
  - Cell and cordless phones
  - Pagers
  - GPS
  - Remote controls
  - Garage door openers
  - Two-way radios
  - Wireless PDAs
4
Components of a Wireless Network
- A wireless network has only three basic components
  - Access Point (AP)
  - Wireless network interface card (WNIC)
  - Ethernet cable
5
Access Points
- An access point (AP) is a transceiver that connects to an Ethernet cable
  - It bridges the wireless network with the wired network
  - Not all wireless networks connect to a wired network
  - Most companies have Wireless LANs (WLANs) that connect to their wired network topology
6
Access Points
- The AP is where channels are configured
- An AP enables users to connect to a LAN using wireless technology
  - An AP is available only within a defined area
7
Service Set Identifiers (SSIDs)
- Name used to identify the wireless local area network (WLAN)
- The SSID is configured on the AP
  - Unique 1- to 32-character alphanumeric name
  - Name is case sensitive
- Wireless computers need to configure the SSID before connecting to a wireless network
8
Service Set Identifiers (SSIDs)
- SSID is transmitted with each packet
  - Identifies which network the packet belongs to
- The AP usually broadcasts the SSID
9
Service Set Identifiers (SSIDs)
- Many vendors have SSIDs set to a default value that companies never change
- An AP can be configured to not broadcast its SSID until after authentication
  - Wireless hackers can attempt to guess the SSID
- Verify that your clients or customers are not using a default SSID
10
See links Ch 11a, b
11
Configuring an Access Point
- Configuring an AP varies depending on the hardware
  - Most devices allow access through any Web browser
  - Enter IP address on your Web browser and provide your user logon name and password
12
Wireless Router
- A wireless router includes an access point, a router, and a switch
13
Demo: Configuring an Access Point
- Wireless Configuration Options
  - SSID
  - Wired Equivalent Privacy (WEP) encryption
  - Changing Admin Password
14
Configuring an Access Point
- Wireless Configuration Options
  - SSID
  - Wired Equivalent Privacy (WEP) encryption
  - WPA (WiFi Protected Access) is better
15
Configuring an Access Point (continued)
- Steps for configuring a D-Link wireless router (continued)
  - Turn off SSID broadcast
  - You should also change your SSID
16
17
Wireless NICs
- For wireless technology to work, each node or computer must have a wireless NIC
- NIC’s main function
  - Converting the radio waves it receives into digital signals the computer understands
18
Wireless NICs
- There are many wireless NICs on the market
  - Choose yours depending on how you plan to use it
  - Some tools require certain specific brands of NICs
19
Understanding Wireless Network Standards
- A standard is a set of rules formulated by an organization
- Institute of Electrical and Electronics Engineers (IEEE)
  - Defines several standards for wireless networks
20
IEEE: CCSF Student Chapter
- Next meeting: Thurs, Nov 6, 2008 in Sci 37, 5:00 pm
- Email [email protected]@ccsf.edu for more info
21
IEEE Standards
- Standards pass through these groups:
  - Working group (WG)
  - Sponsor Executive Committee (SEC)
  - Standards Review Committee (RevCom)
  - IEEE Standards Board
- IEEE Project 802
  - LAN and WAN standards
22
The 802.11 Standard
- The first wireless technology standard
- Defined wireless connectivity at 1 Mbps and 2 Mbps within a LAN
- Applied to layers 1 and 2 of the OSI model
- Wireless networks cannot detect collisions
  - Carrier sense multiple access/collision avoidance (CSMA/CA) is used instead of CSMA/CD
23
Addressing
- Wireless LANs do not have an address associated with a physical location
  - An addressable unit is called a station (STA)
24
The Basic Architecture of 802.11
- 802.11 uses a basic service set (BSS) as its building block
  - Computers within a BSS can communicate with each other
25
The Basic Architecture of 802.11
- To connect two BSSs, 802.11 requires a distribution system (DS)
26
Frequency Range
- In the United States, Wi-Fi uses frequencies near 2.4 GHz
  - (Except 802.11a at 5 GHz)
- There are 11 channels, but they overlap, so only three are commonly used
- See link Ch 11c (cisco.com)
27
Infrared (IR)
- Infrared light can’t be seen by the human eye
- IR technology is restricted to a single room or line of sight
- IR light cannot penetrate walls, ceilings, or floors
- Image: IR transmitter for wireless headphones
28
IEEE Additional 802.11 Projects
- 802.11a
  - Created in 1999
  - Operating frequency 5 GHz
  - Throughput 54 Mbps
29
IEEE Additional 802.11 Projects (continued)
- 802.11b
  - Operates in the 2.4 GHz range
  - Throughput 11 Mbps
  - Also referred to as Wi-Fi (wireless fidelity)
  - Allows for 11 channels to prevent overlapping signals
    - Effectively only three channels (1, 6, and 11) can be used in combination without overlapping
  - Introduced Wired Equivalent Privacy (WEP)
30
IEEE Additional 802.11 Projects (continued)
- 802.11e
  - It has improvements to address the problem of interference
    - When interference is detected, signals can jump to another frequency more quickly
- 802.11g
  - Operates in the 2.4 GHz range
  - Throughput increased from 11 Mbps to 54 Mbps
31
IEEE Additional 802.11 Projects (continued)
- 802.11i
  - Introduced Wi-Fi Protected Access (WPA)
  - Corrected many of the security vulnerabilities of 802.11b
- 802.11n (draft)
  - Will be finalized in Dec 2009
  - Speeds up to 300 Mbps
  - Aerohive AP runs at 264 Mbps now
  - Links Ch 11zc, Ch 11zd
32
IEEE Additional 802.11 Projects (continued)
- 802.15
  - Addresses networking devices within one person’s workspace
  - Called wireless personal area network (WPAN)
- Bluetooth is one of six 802.15 standards
- Image from ubergizmo.com
33
IEEE Additional 802.11 Projects (continued)
- Bluetooth
  - Defines a method for interconnecting portable devices without wires
  - Maximum distance allowed is 10 meters
  - It uses the 2.45 GHz frequency band
  - Throughput of up to 2.1 Mbps for Bluetooth 2.0
    - Note: the speed value of 12 Mbps in your book and the lecture notes is wrong
    - Link Ch 11zg
34
IEEE Additional 802.11 Projects (continued)
- 802.16 (also called WIMAX)
  - Addresses the issue of wireless metropolitan area networks (MANs)
  - Defines the WirelessMAN Air Interface
  - Range of up to 30 miles
  - Throughput of up to 120 Mbps
- 802.20
  - Addresses wireless MANs for mobile users who are sitting in trains, subways, or cars traveling at speeds up to 150 miles per hour
35
IEEE Additional 802.11 Projects (continued)
- Bluetooth
  - Defines a method for interconnecting portable devices without wires
  - Maximum distance allowed is 10 meters
  - It uses the 2.45 GHz frequency band
  - Throughput of up to 12 Mbps
- HiperLAN2
  - European WLAN standard
  - It is not compatible with 802.11 standards
36
2.1 Mbps
37
Understanding Authentication
- Wireless technology brings new security risks to a network
- Authentication
  - Establishing that a user is authentic—authorized to use the network
  - If authentication fails, anyone in radio range can use your network
38
The 802.1X Standard
- Defines the process of authenticating and authorizing users on a WLAN
- Basic concepts
  - Point-to-Point Protocol (PPP)
  - Extensible Authentication Protocol (EAP)
  - Wired Equivalent Privacy (WEP)
  - Wi-Fi Protected Access (WPA)
39
Point-to-Point Protocol (PPP)
- Many ISPs use PPP to connect dial-up or DSL users
- PPP handles authentication with a user name and password, sent with PAP or CHAP
  - PAP (Password Authentication Protocol) sends passwords unencrypted
    - Vulnerable to trivial sniffing attacks
    - See link Ch 11f
40
CHAP Vulnerability
- CHAP (Challenge-Handshake Authentication Protocol)
  - Server sends a Challenge with a random value
  - Client sends a Response, hashing the random value with the secret password
  - This is still vulnerable to a sort of session hijacking attack (see links Ch 11e)
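The challenge and response described on this slide, with both sides of the exchange, as an added example that is not part of the original slides. It follows the RFC 1994 response formula; the class name, user name and secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Client side. RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side (hypothetical class): issues challenges, checks responses."""

    def __init__(self, secrets):
        self._secrets = secrets   # user -> shared secret (bytes), never sent on the wire
        self._pending = {}        # user -> (identifier, challenge) awaiting a response
        self._next_id = 0

    def new_challenge(self, user):
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256   # Identifier is one octet
        challenge = os.urandom(16)                  # the "random value" on the slide
        self._pending[user] = (identifier, challenge)
        return identifier, challenge

    def verify(self, user, identifier, response):
        pending = self._pending.pop(user, None)     # each challenge is single-use
        secret = self._secrets.get(user)
        if pending is None or secret is None or pending[0] != identifier:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)


def demo():
    """Run four exchanges and return whether each one authenticated."""
    server = ChapAuthenticator({"alice": b"constructed-secret"})
    results = {}

    ident, challenge = server.new_challenge("alice")
    good = chap_response(ident, b"constructed-secret", challenge)
    results["correct_secret"] = server.verify("alice", ident, good)

    # The same response sent again: no challenge is outstanding any more.
    results["same_response_again"] = server.verify("alice", ident, good)

    # The old response offered against a fresh challenge.
    ident2, _ = server.new_challenge("alice")
    results["old_response_new_challenge"] = server.verify("alice", ident2, good)

    # A response computed from the wrong secret.
    ident3, challenge3 = server.new_challenge("alice")
    wrong = chap_response(ident3, b"guess", challenge3)
    results["wrong_secret"] = server.verify("alice", ident3, wrong)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Unlike PAP, the password never crosses the link, and a fresh random challenge makes a recorded response useless later. The handshake only proves knowledge of the secret at the moment of the challenge; it does not protect the traffic that follows.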
41
Extensible Authentication Protocol (EAP)
- EAP is an enhancement to PPP
- Allows a company to select its authentication method
  - Certificates
  - Kerberos
    - Kerberos is used on LANs for authentication
    - Uses Tickets and Keys
    - Used by Windows 2000, XP, and 2003 Server by default
    - Not common on WLANS (I think)
42
X.509 Certificate
- Record that authenticates network entities
- Identifies
  - The owner
  - The certificate authority (CA)
  - The owner’s public key
- See link Ch 11j
43
Sample X.509 Certificate
- Go to gmail.com
- Double-click the padlock
44
Public Key
- Your browser uses the Public Key to encrypt data so only Gmail can read it
45
LEAP
- Lightweight Extensible Authentication Protocol (LEAP)
  - A Cisco product
  - Vulnerable, but Cisco didn’t care
  - Joshua Wright wrote the ASLEAP hacking tool to crack LEAP, and forced Cisco to develop a better protocol
  - See link Ch 11g
46
More Secure EAP Methods
- Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
  - Secure but rarely used, because both client and server need certificates signed by a CA
- Protected EAP (PEAP) and Microsoft PEAP
  - Very secure, only requires server to have a certificate signed by a CA
  - See link Ch 11h
47
802.1X components
- Supplicant
  - The user accessing a WLAN
- Authenticator
  - The AP
- Authentication server
  - Checks an account database to see if user’s credentials are acceptable
  - May use RADIUS (Remote Access Dial-In User Service)
  - See link Ch 11k
48
49
Wired Equivalent Privacy (WEP)
- Part of the 802.11b standard
- Encrypts data on a wireless network
- WEP has many vulnerabilities
- To crack WEP, see links Ch 11l, 11m
50
Wi-Fi Protected Access (WPA)
- Specified in the 802.11i standard
- Replaces WEP
- WPA improves encryption by using Temporal Key Integrity Protocol (TKIP)
51
TKIP Enhancements
- Message Integrity Check (MIC)
  - Prevent attacker from injecting forged packets
- Extended Initialization Vector (IV) with sequencing rules
  - Prevent replays (attacker re-sending copied packets)
52
TKIP Enhancements
- Per-packet key mixing
  - MAC addresses are used to create a key
  - Each link uses a different key
- Rekeying mechanism
  - Provides fresh keys
  - Prevents attackers from reusing old keys
53
WPA Adds 802.1x
- WPA also adds an authentication mechanism implementing 802.1X and EAP
  - This was not available in WEP
54
Understanding Wardriving
- Hackers use wardriving
  - Finding insecure access points
  - Using a laptop or palmtop computer
- Wardriving is not illegal
  - But using the resources of these networks is illegal
- Warflying
  - Variant where an airplane is used instead of a car
55
How It Works
- An attacker or security tester simply drives around with the following equipment
  - Laptop computer
  - Wireless NIC
  - An antenna
  - Software that scans the area for SSIDs
- Not all wireless NICs are compatible with scanning programs
- Antenna prices vary depending on the quality and the range they can cover
56
How It Works (continued)
- Scanning software can identify
  - The company’s SSID
  - The type of security enabled
  - The signal strength
    - Indicating how close the AP is to the attacker
57
Demo: VistaStumbler
- Link Ch 11ze
58
NetStumbler
- Shareware tool written for Windows that enables you to detect WLANs
  - Supports 802.11a, 802.11b, and 802.11g standards
- NetStumbler was primarily designed to
  - Verify your WLAN configuration
  - Detect other wireless networks
  - Detect unauthorized APs
59
NetStumbler
- NetStumbler is capable of interfacing with a GPS
  - Enabling a security tester or hacker to map out locations of all the WLANs the software detects
60
NetStumbler
- NetStumbler logs the following information
  - SSID
  - MAC address and Manufacturer of the AP
  - Channel
  - Signal Strength
  - Encryption
- Can detect APs within a 350-foot radius
  - With a good antenna, they can locate APs a couple of miles away
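One way to turn a survey log with the fields listed above into the checks the slides recommend (default SSIDs, weak encryption, unauthorized APs), as an added example that is not part of the original slides. The CSV layout, the AP inventory, the signal threshold and every value in the sample data are constructed assumptions, not NetStumbler's own export format.

```python
import csv
import io

# Constructed survey export using the fields the slide lists (SSID, AP MAC,
# channel, signal strength, encryption). All values are made up.
SURVEY_CSV = """ssid,bssid,channel,signal_dbm,encryption
CorpWLAN,02:00:00:00:00:01,1,-48,WPA
CorpWLAN,02:00:00:00:00:02,6,-61,WEP
linksys,02:00:00:00:00:03,6,-70,None
CorpWLAN,02:00:00:00:00:99,11,-55,WPA
FreeWifi,02:00:00:00:00:AA,11,-45,None
CoffeeShop,02:00:00:00:00:BB,11,-82,None
"""

# Assumed inventory of the organisation's own APs and SSIDs (hypothetical).
AUTHORIZED_BSSIDS = {
    "02:00:00:00:00:01",
    "02:00:00:00:00:02",
    "02:00:00:00:00:03",
}
CORPORATE_SSIDS = {"CorpWLAN"}

# Short illustrative list of factory-default SSIDs; extend it per vendor.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}
WEAK_ENCRYPTION = {"none", "wep"}
NEARBY_DBM = -60  # assumed threshold: a stronger signal is probably on-site


def audit_survey(csv_text, authorized, corporate_ssids):
    """Return a sorted list of (bssid, finding) tuples for one survey."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        bssid = row["bssid"].strip().upper()
        ssid = row["ssid"].strip()
        enc = row["encryption"].strip().lower()
        signal = int(row["signal_dbm"])

        if bssid not in authorized:
            # Not ours: either it imitates our SSID, or it is close enough
            # to deserve a physical check. Distant neighbours are ignored.
            if ssid in corporate_ssids:
                findings.append((bssid, "unauthorized-ap-using-corporate-ssid"))
            elif signal >= NEARBY_DBM:
                findings.append((bssid, "unknown-ap-nearby"))
            continue

        # Our own APs: check the configuration points from the slides.
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append((bssid, "default-ssid"))
        if enc in WEAK_ENCRYPTION:
            findings.append((bssid, "weak-encryption:" + enc))
    return sorted(findings)


if __name__ == "__main__":
    results = audit_survey(SURVEY_CSV, AUTHORIZED_BSSIDS, CORPORATE_SSIDS)
    for bssid, finding in results:
        print(bssid, finding)
```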
61
62
63
Kismet
- Another product for conducting wardriving attacks
- Runs on Linux, BSD, Mac OS X, and Linux PDAs
- Kismet is advertised also as a sniffer and IDS
  - Kismet can sniff 802.11b, 802.11a, and 802.11g traffic
64
Kismet features
- Ethereal- and Tcpdump-compatible data logging
- AirSnort compatible
- Network IP range detection
65
Kismet features (continued)
- Hidden network SSID detection
- Graphical mapping of networks
- Client-server architecture
- Manufacturer and model identification of APs and clients
- Detection of known default access point configurations
- XML output
- Supports 20 card types
66
Understanding Wireless Hacking
- Hacking a wireless network is not much different from hacking a wired LAN
- Techniques for hacking wireless networks
  - Port scanning
  - Enumeration
67
Tools of the Trade
- Equipment
  - Laptop computer
  - A wireless NIC
  - An antenna
  - Sniffer software
68
AirSnort
- Created by Jeremy Bruestle and Blake Hegerle
- It is the tool most hackers wanting to access WEP-enabled WLANs use
- AirSnort limitations
  - Runs on either Linux or Windows (textbook is wrong)
  - Requires specific drivers
  - Not all wireless NICs function with AirSnort
  - See links Ch 11p, 11q
69
WEPCrack
- Another open-source tool used to crack WEP encryption
  - WEPCrack was released about a week before AirSnort
- It also works on *NIX systems
- WEPCrack uses Perl scripts to carry out attacks on wireless systems
- AirSnort is considered better (link Ch 11r)
70
Countermeasures for Wireless Attacks
- Anti-wardriving software makes it more difficult for attackers to discover your wireless LAN
  - Honeypots
    - Servers with fake data to snare intruders
  - Fakeap and Black Alchemy Fake AP
    - Software that makes fake Access Points
    - Link Ch 11s
71
Countermeasures for Wireless Attacks
- Use special paint to stop radio from escaping your building
- Allow only predetermined MAC addresses and IP addresses to have access to the wireless LAN
- Use an authentication server instead of relying on a wireless device to authenticate users
72
Countermeasures for Wireless Attacks
- Use an EAP authentication protocol
- If you use WEP, use 104-bit encryption rather than 40-bit encryption
  - But just use WPA instead
- Assign static IP addresses to wireless clients instead of using DHCP
- Don’t broadcast the SSID
73
Countermeasures for Wireless Attacks
- Place the AP in the demilitarized zone (DMZ) (image from wikipedia)
74
Demo: Defeating MAC Address Filtering
- Link Ch 11zf