Wireless Attacks Explained

[SAadmin]

Wireless Attacks Explained

by: SyDisTyKMoFo

email:sydistykmofo@isuber1337.com

Table Of Contents

Intro

The Hackers WLAN Toolbox

Freeware Tools

Antennas

Breaking Encryption

Authentication

War Driving

Attacks Explained

Malicious Association

MAC Spoofing - Identity theft

Man-in-the-middle Attacks

Denial-of-Service Attacks

Conclusion

Intro

Wireless LANs are popping up here, there and everywhere. Many businesses are implementing wireless LAN segments on their internal LANs because it is easy to setup and obviously there are no wires to run. Wireless allows users with laptops and other mobile devices to roam the enterprise and not have to plug in wherever they go. As part of the process of implementing a wireless network segment on the corporate LAN of the company that I presently work for, I did some research and testing of wireless security. This white paper outlines how hackers are exploiting vulnerabilities in 802.11 wireless LANs and the widely available wireless hacking tools that are used. Too often people think that because the setup of a wireless segment is literally plug and go that everything is functioning properly and securely. Wireless is a virtual playground for hackers, the technology is still quite new, most admins are not anywhere near up to speed on it and security protocols and procedures are still being developed; giving quick-learning hackers the edge.

Any wireless access point attached to a network segment is essentially bridging the internal network to the surrounding area directly, without any firewall protection. After only installing one low-budget wireless access point (WAP) I could get access to the LAN anywhere in the shop, the office and in the parking lot!! I don't know how many square feet of shop floor and office space we have, but it isn't small. I was getting 15% connection strength sitting in my car in the parking lot!! Without proper security measures for authentication, any laptop with a wireless card can access the network or stealthy listen in on all network traffic across that access point from any area within the WAPs range.

It is important to realize the potential for rogue wireless access points in an enterprise. WAPs can be hooked up by anyone, just take the cable plugging into your computer and plug it into a WAP, throw a wireless card into your PC and you now have a wireless segment. The network admins wouldn't even know. There are several documented cases of rogue WAPs found in corporations and universities.

The Hackers WLAN toolbox:

This section provides a few examples of the hardware and freeware tools available.

Freeware Tools

New wireless LAN hacking tools are introduced every week and are widely available on the Internet for anyone to download. The table below lists some of these hacking tools.

Netstumbler www.netstumbler.com Freeware wireless access point identifier - listens for SSIDs & sends beacons as probes searching for access points

Kismet www.kismetwireless.net Freeware wireless sniffer and monitor - passively monitors wireless traffic & sorts data to identify SSIDs, MAC addresses, channels and connection speeds

Wellenreiter packetstormsecurity.nl Freeware WLAN discovery tool - Uses brute force to identify low traffic access points; hides your real MAC; integrates with GPS

THC-RUT www.thehackerschoice.com Freeware WLAN discovery tool - Uses brute force to identify low traffic access points

Ethereal www.ethereal.com Freeware WLAN analyzer - interactively browse the capture data, viewing summary and detail information for all observed wireless traffic

WEPCrack wepcrack.sourceforge.net Freeware encryption breaker - Cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling

AirSnort airsnort.shmoo.com Freeware encryption breaker - passively monitoring transmissions, computing the encryption key when enough packets have been gathered

HostAP hostap.epitest.fi Converts a WLAN station to function as an access point; (Available for WLAN cards that are based on Intersil's Prism2/2.5/3 chipset)

Antennas

To connect with wireless LANs from distances greater than a few hundred feet, sophisticated hackers use long-range antennas that are either commercially available or home built and can pick up 802.11 signals from up to 2,000 feet away. The intruders could be in the parking lot or completely out of sight.

Breaking Encryption

The industry's initial encryption technology, WEP, was quickly broken by published tools WEPCrack and AirSnort, which exploit vulnerabilities in the WEP encryption algorithm. WEPCrack and AirSnort passively observe WLAN traffic until it collects enough data by which it recognizes repetitions and breaks the encryption key.

Authentication

The next step in the evolution of wireless LAN security was the introduction of 802.1x for port-based authentication. However, papers have already been published to demonstrate how the newly proposed standard can be defeated. A new standard is expected to be designed within the next two years.

War Driving

War driving is simply driving around in a car to discover unprotected wireless LANs. Windows-based freeware tools such as NetStumbler, probe the airwaves in search of access points that broadcast their SSIDs and offer easy ways to find open networks. More advanced tools, such as Kismet, were then introduced on Linux platforms to passively monitor wireless traffic.

Both Netstumbler and Kismet work in tandem with a global positioning system (GPS) to map exact locations of the identified WLANs. These maps and data are posted on web sites such as www.wigle.net and www.wifinder.com.

Attacks explained

Malicious Association

Using widely available tools, hackers can force unsuspecting stations to connect to an undesired 802.11 network or alter the configuration of the station to operate in ad-hoc networking mode. A hacker begins this attack by using freeware HostAP to convert the attacking station to operate as a functioning access point. As the victim's station broadcasts a probe to associate with an access point, the hacker's new malicious access point responds to the victim's request for association and begins a connection between the two. After providing an IP address to the victim's workstation (if needed), the malicious access point can begin its attacks. The hacker - acting as an access point - can use a wealth of available hacking tools available that have been tested and proven in a wireless environment. At this time, the hacker can exploit all vulnerabilities on the victim's laptop, which can include installing the HostAP firmware or any other laptop configuration or programmatic changes. The malicious association attack shows that wireless LANs are subject to diversion and stations do not always know which network or access point they connect to. Stations can be tricked or forced to connect to a malicious access point. Even wireless LANs that have deployed VPNs are vulnerable to malicious associations. This attack does not try to break the VPN. Rather, it takes over the security-poor client.

Enterprises must monitor the airwaves of their wireless LAN to make sure their stations only connect to authorized access points and networks. Monitoring the network is the only way to know whom your stations connect to and which stations connect to your access points.

MAC Spoofing - Identity theft

Many enterprises secure their wireless LAN with authentication based on an authorized list of MAC addresses. While this provides a low level of security for smaller deployments, MAC addresses were never intended to be used in this manner. Any user can easily change the MAC address of a station or access point to change its 'identity' and defeat MAC address-based authentication.

Software tools such as Kismet or Ethereal, are available for hackers to easily pick off the MAC addresses of an authorized user. The hacker can then assume the identity of that user by asserting the stolen MAC address as his own. The hacker then connects to the wireless LAN as an authorized user.

By monitoring the airwaves of their wireless LAN, enterprises are able to detect MAC spoofing by identifying when more than one MAC address is simultaneously on the network. Wireless LAN intrusion detection systems also identify when a MAC address is spoofed by analyzing the vendor 'fingerprints' of the wireless LAN card. This enables the IDS to see when, for example, a Orinoco wireless LAN card connects to the network using a MAC address of a Cisco WLAN card.

Man-in-the-middle Attacks

As one of the more sophisticated attacks, a man-in-the-middle attack can break a secure VPN connection between an authorized station and an access point. By inserting a malicious station between the victim station and the access point, the hacker becomes the "man in the middle" as he tricks the station into believing that he is the access point and tricks the access point into thinking he is the station.

This attack preys upon an authentication implementation to randomly force a connected station to re-authenticate with the access point. The station must respond to a random challenge from the access point, and the access point must respond to a successful challenge response with a success packet.

To begin this attack, the hacker passively observes the station as it connects to the access point, and the hacker collects the authentication information, including the username, server name, client and server IP address, the ID used to compute the response, and the challenge and associate response.

The hacker then tries to associate with the access point by sending a request that appears to be coming from the authenticated station. The access point sends the VPN challenge to the authenticated station, which computes the required authentic response, and sends the response to the access point. The hacker observes the valid response. The hacker then acts as the access point in presenting a challenge to the authorized station. The station computes the appropriate response, which is sent to the access point. The access point then sends the station a success packet with an imbedded sequence number. Both are captured by the hacker. After capturing all this data, the hacker then has what he needs to complete the attack and defeat the VPN. The hacker sends a spoofed reply, with large sequence number, which bumps the victim's station off the network and keeps it from re-associating (ie 0x00ffffff). The hacker then enters the network as the authorized station.

Only 24/7 monitoring and a highly capable wireless IDS can detect this type of attack on a wireless LAN. An effective security solution must first keep a constant watch over the wireless LAN while it analyzes the activity it observes.

Denial-of-Service Attacks

Every network and security manager fears the downtime and loss of productivity from a crippling Denial-of-Service attack. In the wireless world, this damaging attack can come from any direction, and the most basic variations of DoS attacks can be just as worrisome as the most sophisticated.

Because 802.11b wireless LANs operate on the unregulated 2.4GHz radio frequency that is also used by microwave ovens, baby monitors, and cordless phones, commonly available consumer products can give hackers the tools for a simple and extremely damaging DoS attack. Unleashing large amounts of noise from these other devices can jam the airwaves and shut down a wireless LAN.

Hackers can launch more sophisticated DoS attacks by configuring a station to operate as an access point. As as access point, the hacker can flood the airwaves with persistent disassociate commands that force all stations within range to disconnect from the wireless LAN. In another variation, the hacker's malicious access point broadcasts periodic disassociate commands every few minutes that causes a situation where stations are continually kicked off the network, reconnected, and kicked off again.

In addition to malicious disassociation attacks, hackers are now abusing the Extensible Authentication Protocol (EAP) to launch DoS attacks. There are several forms of DoS attacks from various ways a hacker can manipulate EAP protocols by targeting wireless stations and access points with log-off commands, start commands, premature successful connection messages, failure messages, and other modifications of the EAP protocol.

Conclusion

To better secure a wireless network segment, a layered approach should be used. Similar to a wired network infrastructure, I have implemented several security features that each alone would not be sufficient, but together with monitoring create a much more secure WLAN. On my network there is only one access point and one wireless user to date, so the traffic can be monitored from an old laptop that I have on my desk running RedHat. I occasionally boot up and trap sections of traffic to look for any attack signatures. We are also not located in a city or industrial complex and our grounds are quite large and secured. The user is connecting via a vpn, the access point is secured so it cannot be reset, WEP is enabled, the access point is in a position that limits travel of the radio frequency outside of the building, and mine and the mobile user's MAC addresses are the only two that are registered with the access point. I also check for rogue access points, as every other laptop user wants to be mobile now as well. The traffic between the access point and the LAN passes through a firewall to help block any possible DoS attacks on the wireless LAN from entering the enterprise LAN.

Wireless networks are a great alternative or addition to ethernet networks, they can bridge two segments of traditional cable ethernet network segments or allow laptop users to wander the enterprise and stay connected to the LAN at all times. WLANs are definitely here to stay, but pose definite security issues.