Wireless Security Part 1 3/10/04 Mark Lachniet, Analysts International



Introductions

• Mark Lachniet, Technical Director of Analyst International’s Security Services Group

• Technical lead for service development, methodology, quality control, and technical presales

• Certified Information Systems Auditor (CISA) from ISACA

• Certified Information Systems Security Professional (CISSP) ISC^2

• Linux LPIC-1, Novell Master CNE, Microsoft MCSE, Checkpoint CCSE, TruSecure ICSA, etc.

• Former I.T. director of Holt Public Schools

• Frequent speaker for local organizations

Agenda

• Overview of Wireless

• Wireless frequency types and products

• Controlling signal and site surveys

• Wireless modes of operation

• Wardriving and Warchalking

• Basic wireless security features

• Advanced wireless security features

• Wireless in the network environment

• Conclusions

• Discussion

Class Logistics

• Frequent breaks, maybe not 20 mins.

• I do not mind if you mess around with your computers while I am talking, in fact I encourage it - you are here because you want to be

• Will attempt to do more hands-on exercises and less talking

• Please speak up! This will be most useful if you ask questions! Don’t wait for the end

• Consider finding a partner, especially one of a higher or lower technical skill level

Class CD-ROM

• I have included a CD-ROM with many tools and utilities on it

• Some of these we will use, some of them we may not

• Most are 30-day expiring demos

• You should go to the web site(s) yourself and download the software, so you can get registered

Classroom Network

[Diagram: Classroom network. MACUL 2004 Ethernet LAN with a Cisco Aironet 350 Series wireless access point. Hosts: Presenter's laptop 192.168.2.171; Windows hacker laptop 192.168.2.173; Linux hacker laptop 192.168.2.172; student laptops 192.168.2.100-170; USR 8054 AP 192.168.2.254]

Why Wireless?

• Flexibility

• Instructional potential (mobile labs, data collection, research in common areas, etc.)

• Overcome building limitations (all brick, asbestos, leased buildings, etc.)

• Ubiquitous technology - built into many PDAs and laptops

• In use in many homes, coffee shops, airports

• Many people already have it on their laptop, making it easy for visits, ad-hoc meetings

Why Not Wireless

• Speed considerations (11 Mb/s or 54 Mb/s theoretical throughput - actual throughput is much lower)

• Security, both real and perceived, especially cost of supporting infrastructure

• Signal interference from other devices

• Signal penetration problems through dense materials

• Changing technologies and standards

• A little bit too much “fun” for bored students to hack

Wireless Technology

• Wireless, and especially wireless security operate at many different levels in many different ways

• For the purposes of our class, we will start with the most basic elements of wireless technology (hardware) and work our way up to the most complex (applications)

• One of the best representations of this type of abstraction is the OSI model

The OSI Model

• The OSI Model is used to describe different layers of networks and network services

• Layers 1 and 2 are the “hardware” level; in our case there are no wires, only radio signals

• Layers 3, 4 and 5 deal with association and TCP/IP, which may be handled by a wireless access point / router

Types of Wireless

• Let's focus first on the lowest levels of the OSI model - frequencies and standards

• Wireless has a few standards:

– Frequency Hopping Spread Spectrum (FHSS)

– Direct Sequence Spread Spectrum (DSSS)

– Orthogonal Frequency Division Multiplexing (OFDM)

• FHSS is used in Proxim cards, in industrial applications, barcode scanners, etc.

• DSSS is the most common type, used most in WLAN cards, access devices, etc.

• OFDM is used in modern 54 Mb/s devices

Direct Sequence Spread Spectrum

• High-speed code sequence manages frequency modulation

• Produces signal centered at carrier frequency

Frequency Hopping Spread Spectrum

• Code function determines “hops” to manage frequency modulation

• Carrier is flat across spectrum

Orthogonal Frequency Division

• Uses multiple carrier waves on different frequencies

• Each wave carries part of the message

• Used for 54 Mb/s applications (802.11a/g)

• May designate a number of encoding types

Wireless Types and Frequencies

• Frequencies:

– 802.11b and 802.11g are both 2.4 GHz

– 802.11a is 5 GHz

• Bandwidth

– The 5 GHz space has more bandwidth (throughput speed capability)

• Non-overlapping channels (may not match APs)

– 802.11b/g @ 2.4 GHz has 3

– 802.11a @ 5 GHz has 4

• Compatibility

– 802.11g is usually backwards compatible with 802.11b @ 11 Mb/s only

– 802.11a isn't compatible
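Where the “3 at 2.4 GHz, 4 at 5 GHz” figures come from, as an added example that is not part of the talk: channel center frequencies are fixed by the standard, and two channels are non-overlapping when their centers are at least one channel bandwidth apart (22 MHz for DSSS 802.11b/g, 20 MHz for OFDM 802.11a). The script generalizes to the Japan-only channel 14.

```python
# Added example (not from the talk): derive the non-overlapping channel sets
# from channel spacing and signal bandwidth instead of memorizing "1, 6, 11".

def channels_2_4ghz(highest_channel: int = 11) -> dict:
    """Center frequencies (MHz) of 802.11b/g channels. Channels 1-13 are
    5 MHz apart starting at 2412 MHz; channel 14 (Japan only) sits at 2484."""
    centers = {n: 2407 + 5 * n for n in range(1, min(highest_channel, 13) + 1)}
    if highest_channel >= 14:
        centers[14] = 2484
    return centers

def channels_5ghz_lower() -> dict:
    """Center frequencies of the 802.11a lower band (channels 36-48), the four
    channels the slide counts. 5 GHz channel n is centered at 5000 + 5*n MHz."""
    return {n: 5000 + 5 * n for n in (36, 40, 44, 48)}

def non_overlapping(centers: dict, bandwidth_mhz: int) -> list:
    """Greedy pick, lowest channel first: keep a channel only if its center is
    at least one signal bandwidth away from every channel already kept."""
    chosen = []
    for ch in sorted(centers):
        if all(abs(centers[ch] - centers[c]) >= bandwidth_mhz for c in chosen):
            chosen.append(ch)
    return chosen

def overlaps(centers: dict, a: int, b: int, bandwidth_mhz: int) -> bool:
    """True if channels a and b share spectrum and so would interfere
    (the mistake of putting neighbouring APs on channels 1 and 5)."""
    return abs(centers[a] - centers[b]) < bandwidth_mhz

if __name__ == "__main__":
    us = channels_2_4ghz(11)
    print("2.4 GHz, US channels, 22 MHz DSSS:", non_overlapping(us, 22))
    print("2.4 GHz including channel 14:", non_overlapping(channels_2_4ghz(14), 22))
    print("5 GHz lower band, 20 MHz OFDM:", non_overlapping(channels_5ghz_lower(), 20))
    print("Channels 1 and 5 overlap:", overlaps(us, 1, 5, 22))
    print("Channels 1 and 6 overlap:", overlaps(us, 1, 6, 22))
```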

Interference / Penetration / Leakage

• Managing your signal is an important part of Wireless security

• If you can control your signal, keeping it mostly inside, you can worry less about hackers outside of your building

• At the same time, you want to make sure you can penetrate all important areas of your building

• You also need to be aware of interference issues from phones, microwaves, cell towers, etc.

• Use non-overlapping channels wisely

• The best way to make these determinations is by doing a site survey

Performing a Site Survey

• The Site Survey Toolkit

– One or more access points

– Various antennas and cables

– Various WLAN NIC cards

– Distance roller thingy

– Tape, ZIP ties, etc.

• One or more people

– May need walkie-talkies

– Keep people away from the equipment

Performing a Site Survey

• Attempt to find the best configuration of WLAN equipment by setting it up and measuring signal

• Use a blueprint or floor layout map of the target area

• Use the roller to determine distance

• Measure signal characteristics at various locations to develop a signal coverage map

• Should use the exact hardware that will be installed

• Looks at signal strength, signal to noise ratios, and access ranges at specific speeds

• Consider potential usage - 5 users @ 54 Mb/s or 20 users @ 11 Mb/s? (lock wireless cards at that speed, and map with this in mind)

Use Built-In Tools with a Laptop

• Analyze signal strength and signal to noise ratio using a client utility (passive mode)

• Lock your card at a specific speed and just walk away until it stops working

• Use the client utility to generate a large number of packets and see how many arrive correctly (active mode)

Create a Layout

[Floor layout diagram: Library, Science Lab #1, Science Lab #2, Hallway, Gymnasium / Lunchroom. Dimensions shown: 250' East-West, 125' North-South, 80' North-South, 10' East-West, 25' East-West, 40' E…]

Install AP and Measure Speed

• For example, place it more or less in the middle of the Gym - in this case there is a signal problem in the Library

[Same floor layout with a Cisco Aironet 350 Series wireless access point in the Gymnasium / Lunchroom; measured coverage rings of 54 Mb/s, 11 Mb/s and 4 Mb/s, with the Library only reaching 4 Mb/s]

Multiple AP Placement

[Same floor layout with two Cisco Aironet 350 Series wireless access points, each showing 54 Mb/s, 11 Mb/s and 4 Mb/s coverage rings; the Library is covered by the second AP]

Signal Leakage Risk!

[Same two-AP layout, with an “EVIL HACKER” shown outside the building but still inside the coverage rings]

Directional Antennas

• A directional antenna may help direct signal & stop leaks

[Same floor layout with a Cisco Aironet 350 Series access point (54 / 11 / 4 Mb/s rings) and a Cisco Aironet 1100 Series access point using a directional antenna to keep the signal inside the building]

Wireless Components

• The most common type of Wireless Local Area Network (WLAN) infrastructure typically involves two components

• An Access Point, which works as a kind of “smart hub” to allow communication

• A Client, which is typically a laptop, desktop or PDA with a wireless NIC

• Within this paradigm are any number of different products, technologies or variations

• The base standard for wireless LAN is 802.11, as determined by the IEEE: http://grouper.ieee.org/groups/802/11/index.html

Ad-Hoc Mode

• In Ad-Hoc mode, all devices can talk to each other directly (if they are in range and on the same frequency)

• Relatively uncommon, used in WAN configurations, LAN Games, impromptu meetings, etc.

• Referred to as an Independent Basic Service Set (IBSS)

[Diagram: four laptops communicating directly with one another, no access point]

Ad-Hoc Mode Definition

• http://www.webopedia.com/TERM/A/ad_hoc_mode.html

• “An 802.11 networking framework in which devices or stations communicate directly with each other, without the use of an access point (AP). Ad-hoc mode is also referred to as peer-to-peer mode or an Independent Basic Service Set (IBSS). Ad-hoc mode is useful for establishing a network where wireless infrastructure does not exist or where services are not required.”

Infrastructure Mode

• The most common type of WLAN is the infrastructure Mode - used most places

• All devices talk to the access point

• Referred to as a Basic Service Set (BSS).

[Diagram: four laptops all communicating through a single Cisco Aironet 350 Series wireless access point]

Infrastructure Mode Definition

• http://www.webopedia.com/TERM/I/infrastructure_mode.html

• “An 802.11 networking framework in which devices communicate with each other by first going through an Access Point (AP). In infrastructure mode, wireless devices can communicate with each other or can communicate with a wired network. When one AP is connected to wired network and a set of wireless stations it is referred to as a Basic Service Set (BSS). An Extended Service Set (ESS) is a set of two or more BSSs that form a single subnetwork. Most corporate wireless LANs operate in infrastructure mode because they require access to the wired LAN in order to use services such as file servers or printers. “

Advanced Infrastructure Mode

• There may be multiple access points in an environment

• This raises a number of issues, including mobile clients

• Comprised of multiple BSS’ to create an Extended Service Set (ESS)

[Diagram: two Cisco Aironet 350 Series wireless access points, each serving its own set of laptops]

Extended Service Set

• Uses a 32-char ID to represent the ESS, known as an ESSID (or SSID) such as “USR8054”

• This essentially represents “the network” and is something all users must have configured in some way

SSID Example

• For example, this is how it looks on a USR8054

• Note the ability to turn off the broadcast of the SSID

Wardriving

• One popular hobby for geeks is to “war drive” for wireless networks

• Using special software such as Net Stumbler, drive or walk around looking for access points, frequently “chalking” them and/or recording the location with a GPS (then uploading coordinates to the Internet)

• http://www.netstumbler.com

• Passive scanners will just passively listen for SSID broadcasts

• Active scanners will probe for them

• Scanners will usually tell you if advanced security (encryption) is configured

• Some will even tell you about connected clients

Warchalking Examples

Wardriving Resources

• http://Michiganwireless.org

• http://Netstumbler.com

• http://www.wardriving.com

• http://www.wigle.net/ (locations)

• http://packetstormsecurity.org/wireless

• Type ‘war drive’ into Google :)

Activity #1: War Driving

• Install a Lucent Wavelan / Orinoco card in your laptop

• Install Net Stumbler from your CD-ROM

• Run the application, observe the local network

• Survey the facilities (?) and win a prize?

Activity #2: Protocol Analyzer

• Install WinPCap

• Reboot

• Install Ethereal on your laptop

• Associate with the access point (it may complain about it being insecure, that is OK)

• Run Ethereal

Basic Wireless Security Features

• There are a number of basic wireless security features and protocols:

– Utilize static IP addresses

– SSID Security (not broadcasting SSID)

– MAC Address Filtering

– WEP Encryption

– Signal control and speed locking

– 802.1X Authentication / Encryption

– WPA Authentication / Encryption

– External security (VPN, VLAN, or other things not part of wireless per se)

Utilize Static IP

• Although it won’t stop a hacker with a protocol analyzer, using static IP address assignment instead of DHCP will help

• This will stop the casual and/or stupid hackers from automatically getting an IP address and being allowed to surf

• It creates a management burden, as each laptop must be uniquely identified ahead of time

• It also creates an opportunity, as you can figure out what a user is doing on the network very easily

SSID Broadcasting

• For an extremely minimal amount of security, you can turn off SSID broadcasting

• This means that someone must somehow know or discover the SSID in order to use the access point

• May be able to identify the SSID by analyzing network traffic from another user (via AP association frames, which carry the SSID in the clear)

• Active scanners may find this through a “brute force SSID” scan (rare)

• Windows may “remember” the AP/SSID

Turning Off SSID Broadcasting

Activity #3: SSID Broadcast

• Now that I have turned off SSID Broadcast, disassociate with the AP

• Stop and restart Net Stumbler

• Is the access point still visible?

• Can you connect to it anyway through Windows by manually typing in the SSID?

• The SSID: USR8054

MAC Address Filtering

• Each network device has a unique hardware identifier built into it, called a MAC address

• In Windows, use ‘ipconfig /all’ to view the current MAC address of your devices

• This can be used for security purposes

MAC Address Filtering

Problems with MAC Filtering

• Although MAC addresses are hard-coded, they can be changed in some hardware via software

• Thus, a hacker would only have to sniff enough traffic to learn some “allowed” MAC addresses, and then impersonate that MAC address

• Also, MAC address filtering can be very painful to manage in the long haul:

– How do you keep track of all the addresses?

– What about traveling users and visitors?

– What is the maximum # of MAC addresses your access point will allow you to type in?

Activity #4: MAC Filtering

• I will now configure the AP to only allow my own MAC

• Try not to lock yourself out of your AP :)

WEP Encryption

• To get around the various wireless security problems, an early solution was WEP

• This allows you to configure a 40-bit, 64-bit or 128-bit key to encrypt traffic

• A WEP key is essentially a password

• Normally, the same WEP keys are manually programmed into the client and access point

• If the WEP keys match, the devices can communicate

• WEP encryption is better than nothing but it still has its problems

WEP Encryption Problems

• First of all, the WEP key must be stored on the client computer (or typed in each time)

• Thus, the security of the client workstation(s) is very important

• It might be possible to steal the WEP key from the registry or some configuration file

• Also, WEP adds a little bit of processing overhead (3% in hardware?)

• Most importantly, the WEP implementation is flawed and WEP encryption can be cracked!

Cracking WEP

• Software such as AirSnort (http://airsnort.shmoo.com/) allows you to monitor encrypted wireless activity and eventually get enough information to crack a WEP key

• The problem is due to a flawed use of the RC4 stream cipher in WEP

• Specifically, while almost everything in the packet is encrypted, a plain-text “Initialization Vector” is used to keep the encryption in sync

• Certain IV values are combined with the key in a way that leaks information about the key; because the IV is only 24 bits, such values recur regularly

• Given enough packets, 5-10 million, AirSnort can crack the WEP key
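To make the “plain-text IV” concrete, here is an added example (not from the talk or from AirSnort) that parses constructed WEP data frames, pulls the 24-bit IV that sits in the clear right after the 802.11 header, and measures how quickly IVs repeat. The addresses and frames are constructed, not captured.

```python
import math
from collections import Counter

# Constructed addresses for the sample frames (hypothetical, not captured traffic).
AP_BSSID = bytes.fromhex("004096000001")
CLIENT = bytes.fromhex("0002b3000002")

def build_wep_frame(iv: int, key_id: int = 0, payload_len: int = 16) -> bytes:
    """Constructed WEP-protected 802.11 data frame: 24-byte MAC header,
    4-byte IV field, opaque ciphertext placeholder, 4-byte ICV placeholder."""
    frame_control = bytes([0x08, 0x41])  # type=data, subtype=0; flags ToDS + Protected Frame
    header = frame_control + b"\x00\x00" + AP_BSSID + CLIENT + AP_BSSID + b"\x00\x00"
    iv_field = iv.to_bytes(3, "little") + bytes([(key_id & 0x03) << 6])
    return header + iv_field + b"\xaa" * payload_len + b"\x00" * 4

def build_plain_frame(payload_len: int = 16) -> bytes:
    """Same frame without the Protected Frame bit; the parser must skip it."""
    frame_control = bytes([0x08, 0x01])
    header = frame_control + b"\x00\x00" + AP_BSSID + CLIENT + AP_BSSID + b"\x00\x00"
    return header + b"\xaa" * payload_len

def extract_wep_iv(frame: bytes):
    """Return (iv, key_id) for a WEP-protected data frame, else None.
    The IV is transmitted unencrypted immediately after the MAC header."""
    if len(frame) < 28:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 & 0x0C) != 0x08:        # frame type 2 = data
        return None
    if not fc1 & 0x40:              # Protected Frame flag clear: nothing to read
        return None
    if (fc1 & 0x03) == 0x03:        # ToDS+FromDS (WDS) carries a 4th address; skip
        return None
    iv = int.from_bytes(frame[24:27], "little")
    key_id = frame[27] >> 6
    return iv, key_id

def iv_reuse_report(frames) -> dict:
    """Count IV repeats across a capture. Any repeat means two frames were
    encrypted with the same RC4 keystream, which is what the attack feeds on."""
    seen = Counter()
    for frame in frames:
        parsed = extract_wep_iv(frame)
        if parsed:
            seen[parsed[0]] += 1
    return {
        "protected_frames": sum(seen.values()),
        "unique_ivs": len(seen),
        "reused_ivs": sorted(iv for iv, n in seen.items() if n > 1),
    }

def expected_frames_to_first_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: with randomly chosen IVs a repeat is expected after
    about sqrt(pi/2 * 2**iv_bits) frames, roughly 5,100 for WEP's 24-bit IV."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)

if __name__ == "__main__":
    # Constructed capture: IVs 1 and 2 repeat, and one frame is unprotected.
    capture = [build_wep_frame(iv) for iv in (1, 2, 1, 0xFFFFFF, 2)] + [build_plain_frame()]
    print(iv_reuse_report(capture))
    print(f"{expected_frames_to_first_repeat():.0f} frames until an IV likely repeats")
```

A busy AP sending sequential IVs cycles through all 2^24 of them in a few hours, which is why TKIP's key rotation (discussed later) matters.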

Activity #5: Configuring WEP

• First, we need to configure it on the access point

• Note that the key size may be 40 or 128 bit

• Also note that keys may be in ASCII or HEX format

Activity #5: Configuring WEP

• Now configure the client software (WEP key is 12345)

• Attempt to access something - did it work?

Activity #5: Configuring WEP

• Now try some of our old tools

• Disassociate with the access point (or type in the wrong WEP key)

• Now try Net Stumbler - do you see the icon? That means WEP is enabled

• 1/2 the class run Ethereal without the WEP key, the other half with it

• What are the results?? (your mileage may vary depending upon card, etc.)

Advanced Wireless Security

• After all of the problems with WEP, alternate security systems needed to be devised

• One is 802.1X, which provides

– Use of encryption certificates

– Provides port-based controls

– Uses the Extensible Authentication Protocol (EAP). Can use different protocols within EAP.

– Mutual authentication

– Automated encryption key management and rotation (TKIP)

– Authentication (username and password) to a back-end RADIUS server

802.1X

• Requires an 802.1X compliant access point (old ones are not!) or high-end Ethernet switches

• Requires compatible clients and RADIUS servers (for authentication purposes)

• The Supplicant is the client - Windows XP SP1 has this built in, other Windows clients require a commercial product

• Macintosh 10.3+ (?) has 802.1X supplicant software built in, some Linux / UNIX support

• The AP is the authenticator, and the RADIUS server is the authentication source

Slides from: http://www.blackhat.com/presentations/win-usa-03/bh-win-03-riley-wireless/bh-win-03-riley.pdf

[Image slides: 802.1X; 802.1X Before Authentication; 802.1X After Authentication]

RADIUS Authentication

• Authentication systems for wireless typically use encryption-aware RADIUS servers

• Examples include Microsoft IAS, Cisco Secure ACS, and Funk Software products

• RADIUS servers without encryption are very common (Border Manager Authentication Services, etc) but won’t work

• RADIUS is also used in a number of other applications such as VPN authentication, etc.

RADIUS Servers in the Network

• Client talks to AP, AP talks to RADIUS server, which *may* talk to another authentication server

• The RADIUS server may have its own user database

• Client and RADIUS *must* talk the same EAP protocol

[Diagram: Laptop - Cisco Aironet 350 Series wireless access point - Ethernet - RADIUS server (Windows 2000 Server) - NetWare server]

RADIUS Server Types

• The majority of RADIUS servers authenticate to a local or network authentication database

• Some RADIUS servers have advanced security features such as two-factor authentication (like RSA’s SecurID)

• This requires two of three “factors”

– Something you have

– Something you know

– Something you are

• For example, a thumbprint reader, or a SecurID token that changes codes, etc.

• Although expensive, this provides a high level of security, as you would have to steal something

802.1X on the USR 8054

802.1X EAP Types

• There are a number of EAP authentication types that 802.1X can use

• They all have different advantages and disadvantages

EAP-MD5

– Server authentication: None

– Supplicant authentication: Password hash

– Dynamic key delivery: No

– Security risks: Identity exposed, dictionary attack, Man-in-the-Middle (MitM) attack, session hijacking

LEAP

– Server authentication: Password hash

– Supplicant authentication: Password hash

– Dynamic key delivery: Yes

– Security risks: Identity exposed, dictionary attack

EAP-TLS

– Server authentication: Public key (certificate)

– Supplicant authentication: Public key (certificate or smart card)

– Dynamic key delivery: Yes

– Security risks: Identity exposed

EAP-TTLS

– Server authentication: Public key (certificate)

– Supplicant authentication: CHAP, PAP, MS-CHAP(v2), EAP

– Dynamic key delivery: Yes

– Security risks: MitM attack

PEAP

– Server authentication: Public key (certificate)

– Supplicant authentication: Any EAP, like EAP-MS-CHAPv2 or public key

– Dynamic key delivery: Yes

– Security risks: MitM attack

LEAP

• Lightweight EAP

• LEAP is a Cisco-Specific protocol

• It's fairly easy to use because it does not require certificates (this can be a big issue)

• It has one disadvantage - people can attempt to brute force your network passwords by guessing each one

• If you are an all-Cisco environment, it may be better than WEP, but it's no longer the ideal

EAP-TLS

• EAP with Transport Layer Security

• Requires the use of certificates to prove identities (both the access point and the client)

• A certificate is a bit of text that includes identity and encryption key information

• These must be generated and distributed to all clients

• This requires touching every workstation, something that may not be practical

• Windows 2k/XP/2003 environments have these services and can be integrated (maybe not easily)

• Use MMC->Certificates in windows to view yours

Obtaining Certificates for EAP

• Certificates may be automatically generated (i.e., a machine certificate when a machine joins a domain)

• Certificates can also be manually generated, for example by requesting one from a Windows server running IIS and Certificate Services: http://www.win2kserver.com/certsrv

• For an example of how this would work with the Cisco Secure ACS server, check out: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

• Also can use openssl to create certificates under Linux / UNIX operating systems

EAP-TTLS / PEAP

• EAP Tunneled TLS and Protected EAP

• Similar to EAP-TLS, but instead of relying entirely on certificates, can use usernames and passwords via MS-CHAP

• This allows you to authenticate the USER instead of the client machine

• However, you still verify the identity of the authentication server (stops Man in the Middle Attacks) by the certificate

Man In The Middle Attacks

• Use a program like AirSnarf to masquerade as a legitimate access point (http://airsnarf.shmoo.com/)

• As an intermediary, view all network traffic w/out encryption, including passwords

[Diagram: a REAL access point (Cisco Aironet 350 Series) announcing “I'm USR8054” and a FAKE hacker access point answering “No Dude, I'm USR8054”; the SUCKER laptop associates with the fake AP while the other laptops use the real one]

WPA

• Wi-Fi Protected Access (WPA) is the emerging standard for security

• Includes TKIP and 802.1X features

• Soon to be replaced by the 802.11i standard

• Allows for a simple version of encryption - WPA-PSK

• Pre-shared keys are similar to WEP keys, but rotation of the keys will take place, minimizing the risk of cracking

Temporal Encryption Keys

• TKIP is a system that is used to change the encryption in use on the WLAN

• Essentially changes the WEP key so frequently that sniffing the network and cracking the password is not feasible

• This will defeat AirSnort type attacks against the IV

• Not all access points support TKIP

Configure Logging

• In addition to actually performing all of these security functions, make sure that there is also a log of everything that happens

• Many access points and RADIUS servers can send log data to a syslog server

• Consider consolidating logs from many APs on to a single log server (such as the Kiwi Syslog server) http://www.kiwisyslog.com/

• Use log analysis and customized alerting to tell you of interesting events (such as failed administrator logon attempts)

• You could even get real-time pages of hacks!
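What “customized alerting” on consolidated AP and RADIUS logs looks like in practice, as an added example that is not part of the talk: a sliding-window detector that raises one alert when an address hammers an AP's admin logon, and another when one username fails RADIUS authentication repeatedly (the password-guessing risk noted for LEAP). The syslog lines, hostnames and message formats are constructed, not taken from any real product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (hypothetical hosts and message text); the
# 192.168.2.173 address is the "Windows hacker laptop" from the classroom diagram.
SAMPLE_LOG = """\
Mar 10 09:00:01 ap-gym AP: admin login failed from 192.168.2.173
Mar 10 09:00:03 ap-gym AP: admin login failed from 192.168.2.173
Mar 10 09:00:05 ap-gym AP: admin login failed from 192.168.2.173
Mar 10 09:00:09 ap-gym AP: admin login failed from 192.168.2.173
Mar 10 09:01:00 ap-lib AP: admin login succeeded from 192.168.2.171
Mar 10 09:02:10 radius1 RADIUS: auth failed user=jsmith nas=ap-gym
Mar 10 09:02:11 radius1 RADIUS: auth failed user=jsmith nas=ap-gym
Mar 10 09:02:12 radius1 RADIUS: auth failed user=jsmith nas=ap-gym
Mar 10 09:02:13 radius1 RADIUS: auth failed user=jsmith nas=ap-gym
Mar 10 09:02:14 radius1 RADIUS: auth failed user=jsmith nas=ap-gym
Mar 10 09:02:15 radius1 RADIUS: auth failed user=jsmith nas=ap-gym
Mar 10 09:05:00 radius1 RADIUS: auth ok user=mlachniet nas=ap-lib
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+): (.*)$")
ADMIN_FAIL_RE = re.compile(r"admin login failed from (\S+)")
RADIUS_FAIL_RE = re.compile(r"auth failed user=(\S+) nas=(\S+)")

def parse_line(line: str, year: int = 2004):
    """Split a BSD-style syslog line into (timestamp, host, facility, message).
    Syslog timestamps carry no year, so one is assumed (2004, the talk's date)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def find_alerts(log_text: str, window_s: int = 60,
                admin_threshold: int = 3, radius_threshold: int = 5) -> list:
    """Raise one alert per (rule, device, actor) the first time the number of
    failures inside the sliding window reaches the rule's threshold."""
    recent = defaultdict(list)   # key -> timestamps of failures still in window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, _facility, msg = parsed
        if (m := ADMIN_FAIL_RE.search(msg)):
            key, threshold = ("admin-bruteforce", host, m.group(1)), admin_threshold
        elif (m := RADIUS_FAIL_RE.search(msg)):
            key, threshold = ("radius-guessing", m.group(2), m.group(1)), radius_threshold
        else:
            continue
        hits = recent[key]
        hits.append(ts)
        hits[:] = [t for t in hits if ts - t <= timedelta(seconds=window_s)]
        if len(hits) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"rule": key[0], "device": key[1], "actor": key[2],
                           "count": len(hits), "at": ts.isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```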

Wireless Network Designs

• Where you put your access point(s) in the network has a huge impact on security

• In terms of network design, consider the wireless net as hostile as the Internet

• The least secure place to connect an access point is to your Internal network

• If possible, put on a dedicated network, and force access through a firewall or VPN appliance

Access Points on a DMZ

• Here you control and log Wireless traffic with a firewall

• It may be possible to deny all access by default, but allow access to specific servers and the Internet

[Diagram: The Internet - Internet Router - Firewall, with the Firewall separating the Internal Network (IBM compatible, RADIUS server, Macintosh, laser printer) from the Wireless DMZ (Cisco Aironet 350 Series wireless access point)]

Wireless Networks

• The wireless network, be it behind a firewall or not, may actually be one large Virtual LAN (VLAN)

• Thus, you could have wireless access points all over the building or organization, but on the same VLAN

• This allows for roaming

• It also allows for centralization of all access points to a single firewall device

• Also allows for a single place to monitor all traffic with a protocol analyzer or IDS

Use an Intrusion Detection System

• An Intrusion Detection System (IDS) might alert you to the presence of attacks

• This is another advantage of using a Wireless VLAN (only one IDS port required)

• There are also IDS systems specifically for wireless

• Can use “honey pots” to emulate vulnerable hosts (and tell you about it)

• Can also use software designed to confuse war drivers by sending hundreds or thousands of bogus SSIDs, à la FakeAP: http://www.blackalchemy.to/project/fakeap/

Using a VPN Concentrator

• If you are using a VPN concentrator, you may be able to use totally insecure wireless and force security through existing or new VPN services

[Diagram: Firewall separating the Internal Network (IBM compatible, RADIUS server, Macintosh, laser printer) from the Wireless DMZ (Cisco Aironet 350 Series wireless access point, laptop), with a VPN concentrator between the two]

Policies and Procedures

• Due to the difficulty of controlling wireless, it would be wise to establish some policies and procedures to regulate their usage

• Installation should only be performed by the I.T. department (no individuals or departments should ever install them)

• Try to hook into the purchasing process such that wireless purchase orders require authorization from I.T.

• Verify compliance by wardriving your own organization regularly

Policies and Procedures

• Create minimum mandatory standards for all access points (WEP, etc.)

• Require the use of authentication, and use controlled authentication databases

• Require that people not share encryption keys, passwords, etc.

• Require that APs be turned off when not in use (especially after-hours)

• Lock down clients that have certificates and keys programmed in to them
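A small audit that ties the “wardrive your own organization” policy to the minimum-standards policy and to the fake-AP diagram earlier, as an added example that is not from the talk: compare a self-survey's scan results (SSID, BSSID, channel, encryption) against an inventory of sanctioned APs and flag impersonators of a managed SSID, unsanctioned APs, APs running without encryption, and APs that have moved channel. The inventory, BSSIDs and scan records are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    """One row of a scan, as a Net Stumbler style survey would list it."""
    ssid: str
    bssid: str
    channel: int
    encrypted: bool

# Constructed inventory of sanctioned access points (hypothetical BSSIDs).
AUTHORIZED = {
    "00:40:96:00:aa:01": {"ssid": "USR8054", "channel": 1},
    "00:40:96:00:aa:02": {"ssid": "USR8054", "channel": 6},
    "00:40:96:00:aa:03": {"ssid": "USR8054", "channel": 11},
}

# Constructed scan results from a walk around the building.
SCAN = [
    Observation("USR8054", "00:40:96:00:aa:01", 1, True),      # compliant
    Observation("USR8054", "00:40:96:00:aa:02", 6, False),     # encryption turned off
    Observation("USR8054", "00:40:96:00:AA:03", 3, True),      # moved off its channel
    Observation("USR8054", "00:02:b3:00:0b:ee", 11, False),    # "No Dude, I'm USR8054"
    Observation("ScienceLab", "00:0c:41:12:34:56", 3, False),  # department-installed AP
]

def audit_scan(scan, authorized) -> list:
    """Return (rule, bssid, ssid) findings. The BSSID, not the SSID, identifies
    an AP: anyone can advertise the managed SSID, so a managed SSID coming
    from an unknown BSSID is the fake-AP case."""
    managed_ssids = {entry["ssid"] for entry in authorized.values()}
    findings = []
    for obs in scan:
        bssid = obs.bssid.lower()           # scanners differ in letter case
        if bssid in authorized:
            expected = authorized[bssid]
            if obs.ssid != expected["ssid"]:
                findings.append(("ssid-mismatch", bssid, obs.ssid))
            if not obs.encrypted:
                findings.append(("unencrypted-ap", bssid, obs.ssid))
            if obs.channel != expected["channel"]:
                findings.append(("channel-mismatch", bssid, obs.ssid))
        elif obs.ssid in managed_ssids:
            findings.append(("ssid-impersonation", bssid, obs.ssid))
        else:
            findings.append(("unsanctioned-ap", bssid, obs.ssid))
    return findings

def unseen_authorized(scan, authorized) -> list:
    """Sanctioned APs the survey never heard: off (good after-hours) or dead."""
    seen = {obs.bssid.lower() for obs in scan}
    return sorted(b for b in authorized if b not in seen)

if __name__ == "__main__":
    for finding in audit_scan(SCAN, AUTHORIZED):
        print(finding)
    print("not heard:", unseen_authorized(SCAN, AUTHORIZED))
```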

Discussion

• This presentation to be available at: http://lachniet.com/powerpoint

Mark Lachniet
CISSP, CISA, MCSE, MCNE, CCSE, LPIC-1, TICSA
Technical Director, Security Group
Analysts International
(517) 336-1004 (voice)
(517) 336-1100 (fax)
mailto: [email protected]