MASON ECE 646 - Wireless Network Defensive Strategies

This preview shows page 1-2-3-4-5-6 out of 18 pages.



UNCLASSIFIED

Wireless Network Defensive Strategies
Jay A. Crossler
ECE 646 Analytical Project
12 Dec 2003

Topics
• Wireless Security
• Intrusion Experiment
  – Initial Findings
  – Attempted Attacks
  – Results
• WEP Vulnerabilities
• Other Tools Used
• Secure Configurations
  – Recommendation
• Summary

Wireless has become critical
• Wireless Local Area Networks used:
  – By Emergency Response Workers after 9/11
  – By police and terrorist response cells
  – By government agencies to control remote security cameras
  – Within the top five Stock exchanges throughout the world
  – To monitor critical patient status and retrieve medical records
  – In over 200 wireless networks discovered while walking downtown DC and Pentagon City

Basic Wireless Configuration
• Out of the box:
  – Can “plug and play” on most networks
  – Default Admin password on router
  – SSID set to broadcast mode
  – DHCP enabled
  – No MAC or IP filters
  – No WEP key enabled

Intrusion Experiment
• Question: How easy is it to gain admin access to 30 local wireless networks?
• Answer: Very, very easy on 28 of them.

Intrusion Experiment: Initial Findings
Step 1:
• Built a map of 30 local wireless systems
• Used NetStumbler on a laptop and MiniStumbler on an iPaq to locate and analyze networks and settings

Intrusion Experiment: Initial Findings (cont)
Results:
- Level 1 – 23 systems had never changed the default password or enabled any security
  - Average intrusion time: 15 minutes to gain root access
- Level 2 – 5 systems had disabled SSID broadcasts and/or set a 56-bit WEP key
  - Average intrusion time: 4 hours to gain root access
- Level 3 – 2 systems had either a 128-bit key or VPN or both
  - Average intrusion time: did not achieve

Intrusion Experiment: Attempted Attacks
Step 2:
• Used Kismet/KisMAC and Ethereal to sniff hidden SSIDs, MAC and IP addresses
• Connected to 192.168.0.1 or router IP.
• Used router MAC to find device maker, or tried to connect to find device name. Retrieved password from product docs on the internet.

Intrusion Experiment: Attempted Attacks (Cont)
Step 3:
• Use Kismet/AirSnort to attempt to crack WEP keys (need about 1 Gig of packets sniffed)
• Use Ethereal to sniff names, passwords, websites, email, bank codes

Intrusion Experiment: Results
Results:
• Access to 28 networks was obtained
• Access to 5 networks that owners thought were secure was obtained
• Access to 2 live networks with 128-bit security was NOT obtained (not enough packets)
• Access to personal test network with 128-bit WEP was obtained (with continuous packet stream)

WEP Vulnerabilities
• Wireless Encryption Protocol (WEP)
  – Commonly the only security used
  – Susceptible to known attacks on Initialization Vectors
  – Data encrypted with RC4 – a stream cipher
    • Keys vulnerable to known plaintext attacks
  – CRC-32 used to check integrity of data
    • Only a linear checksum is used: not sufficient

WEP Initialization Vectors (IV)
• WEP has:
  – 16 million possible IVs
  – 9000 of which are weak
  – A weak IV can expose one byte of the key
  – 5% chance of revealing key byte
• AirSnort attack collects and sorts IVs
  – Statistically analyzes possible key bytes
  – Shows tendency towards correct byte of key
  – Need very large number of packets

Other Tools Used
• Pringle Can Antenna
  – $10 antenna extended range to 1km (receive) and 400m (transmit)
• Signal Strength Meter
  – KisMAC was very useful for relocating networks
• Lego Mindstorm Aiming arm
  – Built a targeting device for relocating networks through an IR control

Security Configuration
Suggested Configuration Techniques:
• Realize that WEP is not secure
• Remove wireless networks from LAN devices
• Remove SSID broadcasts; rename SSIDs
• Hard code MAC addresses and IPs into allow-list
• Change encryption keys
• Look for rogue access points
• Change router admin password

Security Configuration
Level III Configuration:
• Virtual Private Network
• Time: 5 hours to install
• Linux on 486 – FreeS/WAN
• SSH Sentinel (SSH Tectia)
• Enable 3DES encryption
• www.freeswan.org
• www.ssh.com

Attacks on Reliability
• 1km Denial of Service using Pringles Can
• Easy to mount
  – Exploit Carrier Sense Multiple Access with Collision detection (CSMA/CD)
  – Transmit continuous stream of data packets
  – Can be done with very low power
  – Difficult to detect
  – Transmit Clear To Send (CTS) and Request To Send (RTS) packets

Take Aways
• Wireless Security is critical
• Many people never change default router password
• It is easy to crack WEP in many routers
• It is easy to deny service to some wireless networks from 1 km away
• Simple fixes can greatly improve
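
The "WEP Vulnerabilities" slide says a linear checksum is not sufficient for integrity. The following is an added example, not code from the slides: it models a WEP-style frame (RC4 keyed with IV plus key, CRC-32 appended as the integrity value) and shows that an edited frame still passes the CRC check, while the same edit is rejected once a keyed MAC replaces the CRC. All function names, keys and messages are constructed for illustration, and HMAC-SHA256 stands in for any keyed MAC.

```python
import hashlib, hmac, zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key schedule + keystream), XORed into data."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(msg: bytes) -> bytes:
    return zlib.crc32(msg).to_bytes(4, "little")   # unkeyed CRC-32

def wep_seal(iv, key, msg):
    return rc4(iv + key, msg + icv(msg))

def wep_open(iv, key, frame):
    plain = rc4(iv + key, frame)
    return plain[:-4] if icv(plain[:-4]) == plain[-4:] else None

def keyless_patch(frame: bytes, delta: bytes) -> bytes:
    """No key used: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros), and RC4 is XOR."""
    fix = xor(icv(delta), icv(bytes(len(delta))))
    return xor(frame, delta + fix)

def mac_seal(iv, key, mac_key, msg):
    tag = hmac.new(mac_key, iv + msg, hashlib.sha256).digest()
    return rc4(iv + key, msg + tag)

def mac_open(iv, key, mac_key, frame):
    plain = rc4(iv + key, frame)
    good = hmac.new(mac_key, iv + plain[:-32], hashlib.sha256).digest()
    return plain[:-32] if hmac.compare_digest(plain[-32:], good) else None

def demo():
    iv, key, mk = b"\x01\x02\x03", b"constructed13", b"constructed-mac-key"
    delta = xor(b"PAY 0100 USD", b"PAY 9100 USD")   # constructed messages
    weak = wep_open(iv, key, keyless_patch(wep_seal(iv, key, b"PAY 0100 USD"), delta))
    tampered = xor(mac_seal(iv, key, mk, b"PAY 0100 USD"), delta + bytes(32))
    return weak, mac_open(iv, key, mk, tampered)    # (accepted edit, None)
```
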

