wifi-hacking-100228163648-phpapp01

Upload: naveenkumarreddy

Post on 13-Feb-2018

TRANSCRIPT

7/23/2019 wifi-hacking-100228163648-phpapp01


    Thursday, February 25, 2010


    PRESENTED BY

    Paul Gillingwater, CISSP, CISM

    Adjunct Professor of Computer Science, Webster University Vienna

    http://security-risk.blogspot.com

    Working in IT Security 20+ years


    A BRIEF OVERVIEW

    Wi-Fi has been around more than 12 years -- originally, it lacked any form of security

    Since 2001, Wireless Encryption Protocol (WEP) has been successfully attacked -- in 2007, it takes no more than 90,000 packets to break keys (due to weaknesses in RC4) -- time to crack less than 1 minute

    Since 2004, Wi-Fi Protected Access (WPA & WPA2) were introduced to address WEP's failure -- but even this is not quite enough for full security


    WI-FI HISTORY

    Originally offered as IEEE 802.11 in 1997 -- security limited due to export restrictions of certain governments

    Implements Wireless LAN access over the 2.4 and 5 GHz bands -- the former with 3 channels (and shared with Amateur Radio and Cordless Phones), the latter with 19

    Initial systems 1-2 Mbps, later increased to 11 Mbps with 802.11b, then up to 802.11n with 54-600 Mbps possible (since 2009)


    WIRELESS SIGNALS

    Any wireless signal can be received by suitable equipment

    Key-sharing is the fundamental issue -- and the more often a key is used, the easier it is to find it, due to the mathematics of encryption

    In addition to receiving packets, we can also inject packets -- e.g., ARP or de-auth to create traffic


    SECURING WI-FI

    In my view, the only reliable method for securing Wi-Fi is to run a VPN on top (e.g., OpenVPN)

    WEP and WPA are easily broken (WPA TKIP cracked in less than 1 minute by Japanese researchers in 2009)

    WPA is TKIP -- WPA2 is CCMP, which is better (AES)

    WPA2 is probably secure enough for home usage -- but there is still a risk of impersonation


    TRAFFIC MONITORING

    On OSX, from the command line (with sudo):

    /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport

    Specify "en1 sniff 1" as parameters to capture packets into a /tmp/airportSniffxxxx.cap file

    WireShark is a free utility for Windows, OSX or Linux that captures and displays packets


    HOW WPA WORKS

    WPA tried to fix WEP's problems, while WPA2 was a new approach to solving the security problem

    802.1X port access control is key to successful use

    This Enterprise approach depends on a separate RADIUS authentication server -- each new session gets a fresh key, good for a short time

    Home networks don't use RADIUS, so a Pre-Shared Key (PSK) is used


    WPA KEY HANDSHAKE


    COW PATTY ATTACK

    Where 802.1X is not available, the PSK may be sniffed from other authenticating stations

    KisMac and coWPAtty use dictionary and other attacks to guess the PSK from captured packets

    Packet injection can force re-connects to capture

    coWPAtty with Rainbow Tables (pre-calculated hashes) can test >18,000 pass-phrases per second


    WPA CRACKER

    Regular WPA-PSK cracking on business-grade hardware can take up to two weeks

    WPA Cracker is a commercial service using cloud-based computing with 400 nodes, which can crack a WPA key in 20 minutes for $34

    This is based on a 135 million word dictionary attack -- therefore a strong password can defeat this class

    Businesses now know the price of security


    BOGUS HOTSPOTS

    Any computer can also be a Wireless Access Point

    Windows 7 has a new feature, SoftAP -- which can be used for Internet Connection Sharing (use Connectify, for example -- http://connectify.me/)

    However, the bad guys can capture all of the packets which pass through their system, even if they connect to you with WEP or WPA

    Bad guys can use similar names, e.g., Webster-Wi-Fi
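The defender's counterpart to the bogus-hotspot slide is to compare what a scan sees against the access points you actually operate. The following is an added example, not code from the presentation: it assumes a hypothetical inventory of trusted (SSID, BSSID) pairs and a constructed scan listing, and flags two things the slide warns about: an unknown BSSID advertising your SSID (an evil twin) and an SSID that differs from yours only by case or punctuation (a look-alike name).

```python
"""Flag evil-twin and look-alike access points in a Wi-Fi scan.

Added example for the BOGUS HOTSPOTS slide; not from the presentation.
The trusted inventory and the scan output below are constructed for illustration.
"""
import re
from typing import Dict, List, Set, Tuple

# Hypothetical inventory of the APs we operate: SSID -> BSSIDs (AP MAC addresses).
TRUSTED_APS: Dict[str, Set[str]] = {
    "Webster-Wi-Fi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

# Constructed scan output, one AP per line: BSSID, channel, SSID.
SCAN_OUTPUT = """\
00:11:22:33:44:01 1 Webster-Wi-Fi
00:11:22:33:44:02 6 Webster-Wi-Fi
DE:AD:BE:EF:00:01 11 Webster-Wi-Fi
DE:AD:BE:EF:00:02 11 Webster_WiFi
AA:BB:CC:DD:EE:FF 6 CafeGuest
"""


def normalize_ssid(ssid: str) -> str:
    """Lower-case and drop separators so 'Webster_WiFi' compares equal to 'Webster-Wi-Fi'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def parse_scan(text: str) -> List[Tuple[str, int, str]]:
    """Parse 'BSSID channel SSID' lines; SSIDs may contain spaces, so split at most twice."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, channel, ssid = line.split(maxsplit=2)
        rows.append((bssid.lower(), int(channel), ssid))
    return rows


def find_rogue_aps(scan: List[Tuple[str, int, str]], trusted: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return BSSIDs that advertise a trusted SSID but are not ours (evil twins),
    and SSIDs that differ from a trusted one only by case or punctuation (look-alikes)."""
    trusted_lower = {ssid: {b.lower() for b in bssids} for ssid, bssids in trusted.items()}
    by_normalized = {normalize_ssid(ssid): ssid for ssid in trusted}
    findings: Dict[str, List[str]] = {"evil_twin": [], "lookalike": []}
    for bssid, channel, ssid in scan:
        if ssid in trusted_lower:
            if bssid not in trusted_lower[ssid]:
                findings["evil_twin"].append(bssid)
        elif normalize_ssid(ssid) in by_normalized:
            findings["lookalike"].append(
                f"{bssid} ch{channel} {ssid!r} resembles {by_normalized[normalize_ssid(ssid)]!r}"
            )
    return findings


def scan_report(text: str = SCAN_OUTPUT, trusted: Dict[str, Set[str]] = TRUSTED_APS) -> Dict[str, List[str]]:
    """Convenience wrapper: parse the scan text and run the rogue-AP checks."""
    return find_rogue_aps(parse_scan(text), trusted)


if __name__ == "__main__":
    for kind, hits in scan_report().items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

On the constructed scan this reports one evil twin (DE:AD:BE:EF:00:01 advertising Webster-Wi-Fi) and one look-alike (Webster_WiFi); CafeGuest is untouched because it resembles nothing in the inventory. In practice the inventory would come from your controller or asset database, and the scan from a wireless IDS or a periodic survey.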


    MAC SPOOFING

    Some Access Points allow restriction based on the MAC (Media Access Control) address

    This is good basic security, but not reliable -- because attackers can simply sniff for a trusted address and use that in their own systems

    802.1X makes this more difficult for attackers


    SUPPRESSING SSID

    Most Wi-Fi networks broadcast their network name -- called the SSID

    Security may be improved by disabling this feature for a home or business network

    However, experienced hackers will simply monitor authorized connections to learn the SSID


    MAN IN THE MIDDLE

    A MITM attack means the intruder pretends to be the authorized gateway, but intercepts and can change packets (this was used by the Japanese team with TKIP)

    Example: Video of the Cain tool, with packet capture and WEP cracking: cracking-wep-with-airpcap-packet-injection-and-cain-and-abel.wmv


    BYPASSING AIRPORT WI-FI

    Frequent airport travelers know about airport Wi-Fi

    Such systems intercept HTTP and redirect to a login page before allowing access (e.g., Boingo Hotspot)

    Most airport Wi-Fi allows DNS lookups -- some direct, and some via DNS relay

    If port 53 is allowed, then you can run OpenVPN using UDP port 53 to your home system

    If DNS is relayed, then use a DNS tunnel (Linux mostly)


    AIRPORT RISKS

    Free Wi-Fi hotspots in an airport or cafe might belong to a hacker, who is capturing traffic -- including, potentially, user names & passwords

    Hackers can also relay HTTPS -- so don't assume your password is safe at a public Hot Spot

    Most hotspots don't use WEP or WPA -- so most traffic is not encrypted (unless SSH or SSL is used)


    WI-FI SECURITY ADVICE

    Avoid WEP and WPA/TKIP, use WPA2 or WPA/AES

    If using in a business, use 802.1X -- otherwise make sure you have a PSK length > 20 characters

    Use MAC access control (restrict connecting devices based on their internal address)

    Use a VPN for truly sensitive information
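The PSK advice above and the coWPAtty slide are two sides of the same key derivation: WPA/WPA2-PSK turns the passphrase into the 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1, salted with the SSID and iterated 4096 times. The following is an added example, not code from the presentation, that implements that standard derivation, checks the "> 20 characters" rule, and shows why a pre-computed (rainbow) table is bound to one SSID. The IEEE 802.11i test vector (passphrase "password", SSID "IEEE") is used to confirm the derivation is right.

```python
"""Derive the WPA/WPA2 Pairwise Master Key and check PSK length advice.

Added example for the COW PATTY ATTACK and WI-FI SECURITY ADVICE slides; not code
from the presentation. The derivation is the one specified in IEEE 802.11i:
PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
"""
import hashlib


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK key derivation; the SSID acts as the salt, so the PMK is per-network."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def psk_meets_advice(passphrase: str, min_length: int = 21) -> bool:
    """The presentation's advice: a PSK longer than 20 characters, within the WPA limits."""
    return 8 <= len(passphrase) <= 63 and len(passphrase) >= min_length


def precomputation_is_ssid_bound(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """A table of PMKs computed for one SSID is useless against another: the same
    passphrase yields a different PMK, so an uncommon SSID defeats generic tables."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: "password" / "IEEE"
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())
    for candidate in ("password", "correct horse battery staple now"):
        print(f"{candidate!r}: meets advice = {psk_meets_advice(candidate)}")
    print("table bound to SSID:", precomputation_is_ssid_bound("password", "IEEE", "linksys"))
```

The 4096 PBKDF2 iterations are what make each dictionary guess cost roughly 8192 HMAC-SHA1 operations, which is the cost the rainbow-table and cloud-cracking slides are paying for; a long passphrase multiplies the number of guesses needed, and a non-default SSID forces the attacker to rebuild any pre-computed table from scratch.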


    COMMERCIAL RISKS

    TJ Maxx is the classic example of a Wi-Fi vector: resulted in the loss of 45 million customer records (Credit Card details)

    The weakness was the use of WEP to secure a LAN, which was exploited by the hackers

    This breach cost the company $12 million in direct costs, not including the subsequent remedial work and loss of PCI compliance

    Average cost of a Data Breach rose to $200 per customer record in 2009, according to a Ponemon Institute study -- average total cost rose to $6.75m


    LEGAL ASPECTS

    In many countries, hacking others' Wi-Fi is illegal -- therefore, do any tests using your OWN gear

    See the NCSL web site for a summary of States' laws

    Unauthorized access can attract serious prosecutions, fines and criminal charges

    Within Webster University, unauthorized Wi-Fi access could be grounds for expulsion


    LATEST WI-FI TRENDS

    Passive-Aggressive SSIDs now used by some... e.g.:

    YOURDOGPOOPSINMYYARD

    TURNTHEMUSICDOWN

    CAITLINSTOPUSINGOURINTERNET

    WECANHEARYOUHAVINGSEX

    OBAMAISASOCIALIST


    THANK YOU!

    Any questions?

    Comments?

    Discussion....