Quote: |
The only thing you need to know about wireless security is that you cannot perimeter-ize it. Wireless technologies are not something that stop at any traditional network boundary, so you cannot concentrate your security efforts for wireless at the boundaries. |
fastlanwan wrote: |
I do disagree on one point because I've successfully done this with commercial hardware/software. |
Quote: |
is that you cannot perimeter-ize it. Wireless technologies are not something that stop at any traditional network boundary |
Quote: |
I will try on this subject to provide a small hand guide on how and where you should pay notice and, even, apply more attention to securing a wireless network. Besides my references to some simple and basic points on wireless infrastructure, I take for granted that basic knowledge and skills on TCP layers are there and won't extend on an analysis of them.
Object: Build a home network with a DSL connection to the web, by using a modem and a wi-fi router. The house is considered to be a three-floor building and has some hard to cover areas, which include an elevator. The building is considered to be in an area well known for war-driving incidents, with medium skilled attackers. In addition to this, there are nearby flats and buildings where some people can maintain constant contact with your broadcasting devices, as they are in their range.

Devices: Two APs, one WiFi router, along with specific wireless NICs of incompatible chipsets (all capable though of working on the 802.11g protocol). There are also 3 notebooks and one desktop with a Linux distribution installed, which will work as a web server to provide a site for the DSL connection, which is carrying a static IP address.

Beginning: No matter how used users are to installing devices in place immediately, this is considered to be a wrong move and might become the cause of future tampering with wireless networks. The first move should be to draw on paper all the rooms of the building, along with all the areas that might cause problems to the broadcast signals. For instance the elevator tube, which is metal and can cause reflections of your signal. An obstacle like this could lead you to place an extra signal expander to make the network available for users behind that area. Now with this drawing in hand, you are going to select where to place the access points and this router of yours. The best way to place them is to think like in wired cases. The best way to provide network broadcasting and services in a wired environment is to set up a DR (Data Room) near the middle of the building (second floor). Now, opposed to the logic of the wired plans, which would set up this router at the center of the second level, you should prefer to install it near the outside wall of the building, near a window. Why?.... That will lead to the second stage of this action: by the time you install the rest of the devices (APs) you should place them at the direct opposite wall, near a window, in order to get the best signal available for all areas in the building.

Always keep in mind now that signals for wireless connections are altered by obstacles like multiple walls and power sources (e.g. wireless phones, microwave ovens, etc.). Home devices are also broadcasting in circular waves on a horizontal level, so think of it as a stone thrown into a lake and the ripples made by that action as your waves. This is where your drawing takes major importance in how to locate, maybe, a signal loss due to an above mentioned obstacle. The maximum ability of the broadcast signal now, especially since we are talking about incompatible chipsets on devices, should be considered at 11Mbps (ideal circumstances) to a range of 30 meters with no walls or other obstacles present. If any of the above cases is not right, then you will experience a signal loss, which will grow in a significant way if more than one of the cases above does not match to provide an ideal connection. If now by any chance you notice that there is an obstacle that is not possible to overcome or remove (e.g. elevator), then you will be forced to pay maybe $80-100 to add an expander for your network. Notice here that even though it will be hard for someone to think that he might need to add six expanders in a row, I have to say that only 3-4 will work in sequential connection, so do not go over this number of installed devices.

Second stage. I will not get much into how to set up a wireless network, since it is easy to find a howto guide all over the web by just using Google, and adjust TCP-IP settings and workgroups.
What will trouble us here is the next step on how to configure your wireless router for security settings, while you are thinking that this is a wireless network where almost anyone in range can access your broadcast signal.

Router: You have selected a proper range of private IPs (e.g. 10.0.0.1-254) and established a web connection by using the DSL modem of yours, with a static IP assigned for the gateway (e.g. 10.0.0.1). How can you secure this network now?

1) Count all terminals in your network and re-adjust the pool scope of your DHCP settings for your network. For example, if the number of your terminals is 4 (in our case), then assign a scope of IPs for the exact match of them. For example in our case, DHCP should be set up with the following range: 10.0.0.3-10.0.0.6. You might have noticed that the IPs given are increased by one from the first IP at the last octet. I forgot to mention that the router should also be assigned a static IP (10.0.0.2) in order to avoid conflicts and TCP collisions while the terminals try to find a gateway for their packets. By re-adjusting the scope now, you have limited the possibilities for an intruder to be assigned an available IP, since all of them will be used by your terminals. He will then have to use IP spoofing methods or a man-in-the-middle attack, which will be blocked if you use the next security measure.

2) MAC filtering. All NICs are assigned a unique hardware address, which can be used as a proper way to identify – authenticate and authorize use of network resources. In order to see your wireless NICs' MACs, you can use the typical command ipconfig /all or just check the back of your NIC to see it. Set them in the proper fields of your router, in order to make a local filtering table for your terminals. Even now if the attacker is going to use an IP spoofing method, he will also need to make a successful attempt with ACK-ARP packets to bypass the MAC filtering protection.
3) Reserved mapping ports. Even though this is "touching" the matter of NAT configuration on the TCP layer, it is a very good method to block or even filter specific ports for your network, in order to always maintain control over your broadcasting/receiving ports for your network. You can always read a TCP-IP book or FAQ to learn how to set them up. For our case we are going to make a rule for UDP packets, in order to filter name services (DNS). E.g. UDP packets – Any internal => Destination port 53 => Destination == 0.0.0.0 (where this IP is the local gateway for your router). This rule now will forward any UDP packets from port 53 to the outside world. So, if an attacker tries to commence a DNS attack, he will not be able to fake a DNS node, as all packets will be redirected to the gateway. Of course this is very simply explained and you will need to establish additional rules to make this valid, but as I said, we will not expand on TCP settings here.

4) Key encryption. In the recent years of use of 802.11b, WEP (Wired Equivalent Privacy) was used to encrypt the broadcast signal and even today you will probably meet it on a local WLAN. However I am not recommending WEP usage. It is very simple to decrypt it and find out the key used (will expand later on this). I will suggest using WPA or WPA PSK (Pre-Shared Key), which is much harder to decrypt, due to the randomization of its broadcast key. WPA2 is also available since the end of 2004, but I do not think that it will be essential to use on a simple home network, unless you think that you have something very important to protect and increased security is the thing you want.

Wireless Security. So far we have talked on how to configure your router on a TCP basis, to cover potential bugs and vulnerabilities in your network. But this is a wireless network and besides securing your packets, there are also some additional ways to establish a secured range of signal for your LAN.
a) WEP. This method of encryption and protection is used in a wide range of home networks. Most of the people are using 64-bit keys, which are set with hexadecimal or alphanumeric keys. AES is the standard encryption used today instead of the RC4 algorithm used in the past. However this method is easy to get compromised with a sniffer like Ethereal, which will capture the packets, and you will only need a hexadecimal converter to decrypt the key. More details on how to do this will follow.

b) SSID filtering. Service Set Identifier is a way of joining a wifi network (e.g. like a workgroup on terminals and networks), since AP, NICs and router will all need to have the same one given in their settings for them to be part of this WLAN. Most of the wifi devices today have an option to disable broadcasting of the SSID. Use it, but do not take it as a security measure. It is only a way to make an attacker's life harder, as to find how he will be able to intrude into this "unknown" network he has discovered. Believe me, an unknown wi-fi network (no SSID broadcast) combined with WPA encryption will discourage 95% of the attackers.

c) WPA. This method of encryption prevails today, and it is suggested to be used on machines with wifi abilities. It is very different in its usage compared to the one WEP has. It is broadcasting 128-bit keys (in WPA2 – 256 bits) and it can be used with randomization if you are going to use it in Enterprise mode. But in those cases you might also meet RADIUS authentication or even WiFi DMZ over VPN… and the list goes on… as I said, security depends on the network needs. I find it very hard for a home network to be in need of implementing such procedures.

d) Physical Security. Since we are talking about wireless devices, we have to keep in mind that the main reason for developing and implementing such a WLAN is to gain mobility and flexibility. By logical sequence, this leads to more and more smaller devices. As humans we tend to lose small objects, or forget them in a place where someone can access them in a physical way. So you will always need to protect them with strong, random alphanumeric passwords, if they are PDAs, notebooks, etc. What is harder to protect today though are Bluetooth sticks, which are using MAC addresses and can store SSID and WEP-WPA keys and can cause hazards to your network. For them there is no standard way of protecting them other than the standard and common logic. Place a cord on them, store them in something that you will not forget (e.g. wallet, cord attached to your key chain, etc.).

Conclusion. I know that some of you might have got tired of me mumbling on wifi network setup, but it is essential to set them here, as I need to proceed to the next step, which is WiFi attacks and a HOWTO for them…. Patience now… all good things need some time to occur. To be continued........... |
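The post's router hardening (points 1 and 2) rests on two settings: a DHCP pool sized to exactly the known terminals, and a MAC filtering table. The script below is an added example, not code from the post or the forum, showing how an admin can audit a router's lease table against that plan. It follows the post's addressing (gateway 10.0.0.1, router 10.0.0.2, pool 10.0.0.3-10.0.0.6); the MAC addresses, hostnames and lease lines are constructed sample data, and the lease format assumed is the dnsmasq-style "expiry mac ip hostname client-id" line. A lease held by an unknown MAC, a lease outside the pool, a lease colliding with a static address, or one IP held by two MACs (the spoofing case the post mentions) each produce a finding.

```python
"""Audit the DHCP leases of a small WLAN against a fixed MAC allowlist and pool.

Added example, not code from the post. Addresses follow the post's plan; the
MACs, hostnames and lease lines are constructed, and the lease line format is
assumed to be dnsmasq-style: "<expiry> <mac> <ip> <hostname> <client-id>".
"""
import ipaddress
import re
from collections import defaultdict

GATEWAY = ipaddress.ip_address("10.0.0.1")    # DSL modem / default gateway
ROUTER = ipaddress.ip_address("10.0.0.2")     # wi-fi router, static address
POOL_FIRST = ipaddress.ip_address("10.0.0.3")
POOL_LAST = ipaddress.ip_address("10.0.0.6")  # four leases, one per terminal

# MAC filtering table: the four terminals (constructed placeholder MACs)
ALLOWED_MACS = {
    "00:11:22:33:44:01": "notebook-1",
    "00:11:22:33:44:02": "notebook-2",
    "00:11:22:33:44:03": "notebook-3",
    "00:11:22:33:44:04": "webserver",
}

# Constructed lease file: four legitimate leases plus two that should be flagged
SAMPLE_LEASES = """\
1700000000 00:11:22:33:44:01 10.0.0.3 notebook-1 *
1700000000 00:11:22:33:44:02 10.0.0.4 notebook-2 *
1700000000 00:11:22:33:44:03 10.0.0.5 notebook-3 *
1700000000 00:11:22:33:44:04 10.0.0.6 webserver *
1700000000 de:ad:be:ef:00:01 10.0.0.9 unknown-pc *
1700000000 de:ad:be:ef:00:02 10.0.0.3 dup-pc *
"""

LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-fA-F:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)")


def parse_leases(text):
    """Return one dict per well-formed lease line; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue
        expiry, mac, ip, host = m.groups()
        leases.append({"expiry": int(expiry), "mac": mac.lower(),
                       "ip": ipaddress.ip_address(ip), "host": host})
    return leases


def pool_fits_terminals():
    """True when the pool holds exactly one address per allowed terminal."""
    return int(POOL_LAST) - int(POOL_FIRST) + 1 == len(ALLOWED_MACS)


def audit(leases):
    """Return (kind, who, ip) findings for leases that violate the plan."""
    findings = []
    macs_per_ip = defaultdict(set)
    for lease in leases:
        macs_per_ip[lease["ip"]].add(lease["mac"])
        if lease["mac"] not in ALLOWED_MACS:
            findings.append(("unknown_mac", lease["mac"], str(lease["ip"])))
        if lease["ip"] in (GATEWAY, ROUTER):
            findings.append(("static_collision", lease["mac"], str(lease["ip"])))
        elif not POOL_FIRST <= lease["ip"] <= POOL_LAST:
            findings.append(("outside_pool", lease["mac"], str(lease["ip"])))
    # Two MACs holding one address is the IP-spoofing case the post describes
    for ip, macs in macs_per_ip.items():
        if len(macs) > 1:
            findings.append(("duplicate_ip", ",".join(sorted(macs)), str(ip)))
    return findings


if __name__ == "__main__":
    print("pool sized to terminals:", pool_fits_terminals())
    for kind, who, ip in audit(parse_leases(SAMPLE_LEASES)):
        print(f"{kind:17} {who:40} {ip}")
```

Run against the constructed leases it reports two unknown MACs, one lease outside the pool and one duplicated address. The audit only sees what the router leased; a client with a static address that never asks DHCP does not appear here, which is why the post pairs the pool with MAC filtering rather than relying on the pool alone.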
Quote: |
Hacking into WLANs. The second part of this tutorial will be all about how to find and use security bugs and methods for auditing and even penetration testing in your OWN WLANs. Remember that GHG is not responsible if methods and details here are used by people for malicious purposes. This text is offered for education and testing purposes only.

Goals to achieve. Keep in mind that wireless networks are communicating over thin air, so every action that is taking place for wired environment networks will be happening here too for sure, but maybe via another way. So, by taking this into consideration, proceed to the next step.
- MAC Address discovery
- SSID
- Access point IP or name
- Channel of broadcast traffic
- Share points
- Password capture & decrypt
- Key decryption
- Subnet & IP range
Most of the above are already familiar as terms to people who are into pen testing and auditing for typical and standard networks in wired environments. They also know that they will need several tools to make this effort real and successful. In WLANs now, which tools would be useful to have? Well, the answer is not so "typical"… the best way is to find tools which will be able to provide services for:
- Discovery of WLANs' existence
- Share enumerator
- Wi-Fi analyzer
- Port and OS detection
- Application layer analyzer
- Hijacking
- Jamming RF service
- WEP and maybe WPA decryption ability
- No need to mention here that you will also need a wi-fi NIC, along with a strong-signal antenna.
For the first pack of services, you will have to trust Kismet and Netstumbler. They are both easy to find on the web, and they are free of charge. My selection though would be Kismet, due to its potential and abilities, along with the plus service to discover fake APs made by software like Black Alchemy. But enough theory… go into action.
You are either positioned opposite the building in the project, or in a car, commencing a war-driving attack. As Wi-Fi networks are not limiting their broadcast on their own, unless you have planned them to do so (omni/directional antennas), you might discover an unknown wi-fi network near you. Now, I know that most of you would think that for such a job Linux & UNIX would be a better choice for this effort. Actually this is where Gates is getting revenge on TUX. Windows, due to their automatic way of discovering networks and direction to help users, will be much more helpful on this one. Unless you are proud owners of a MacOS-X notebook with AirPort abilities. In that case you will experience both ease of use and in-depth abilities of the system to use via a UNIX terminal for this. My suggestion though would be to use Windows, preferably XP Pro. Use a networking card for Wi-Fi installed via PCMCIA. Avoid using internal wi-fi cards, due to their limited range, as they are placed inside a box, usually at the bottom of the notebook. If you are lucky enough to have GPS software installed, engage that too while probing. It will be of great assistance in providing you with help on where exactly this signal is coming from. In case you are in a car, remember to stay in dark corners and not in front of the building's door. Try not to attract attention. Notebooks might do this. Prefer to use PDAs and smart phones with wi-fi abilities. They are easier to hide and if they are of the "new breed" they will probably have GPS installed already.

The beginning. Attack No1… Use an AP of your own… No, I am not making fun of you. I am being dead serious. If there is a network nearby, use an access point of yours with no settings at all on it. The SSID feature is broadcast every 10-30 seconds by devices, for keeping connected to the WLAN. Your AP will "catch" this signal and re-transmit it to your area. You will have your own node to experiment on.
Do not use the HTTP management for your AP, so as to have access to its logs and of course any transmitted packet sent to it. Usually these packets include MAC addresses, SSID and the encrypted key for the network, and I know that they are a "treasure". Use RS-232 and do not connect by any TCP service to the AP. If you use TCP, then your terminal will be announced in the network (since your AP is now a part of it) and an admin will be able to notice you. Remain invisible and monitor all traffic via console and your cable. By the time you have all the details needed, then proceed to penetrate the network. Methods you can use then are similar to the ones used in wired LANs. Use Ethereal & Ettercap to capture passwords, analyze services and in general the announced packets of the network.

How to counteract, if you are the admin of the network? Use fake devices of your own, made with software, or simply placed with fake settings to confuse intruders. By the time they figure out that they have been fooled, they will have been exposed to your sniffing and auditing tools.

Attack No2… RF jam attack. All wi-fi devices are probing for networks every 10-30 seconds. What you need to do is to use software and a directional antenna to produce an RF jam (kinda like DoS) to block this wi-fi network on the broadcast channel for the wished time. By the time you do this, all wi-fi devices will search for a transmitter to engage with. Use your notebook to set up one. Use the WinXP abilities to connect via ad-hoc to other networks. One or more computers will most probably connect to your machine and might use APIPA for assigning IP addresses to the nodes of this network. You will then have access to a specific terminal in this network and be able to enumerate shares, decrypt passwords and even gain access to several files, if you are good enough with nmap and Ethereal. For sure you will have a computer name, account and password to connect to the legal Wi-Fi network, as soon as you drop your RF-jam signal and all communications for the building are restored. (details: Power Signal Generator for RF jam => www.ydi.com)

Attack No3… Check for war-chalking signals. You might encounter them on front doors or nearby walls. E.g.
)( = open node with SSID broadcast. The SSID might be written on the wall on top of the signal.
O = closed node with SSID not broadcast.
O with a W in the middle, which means a protected node with encryption and probably SSID hidden.
I won't tell you what to do with the first two, as it is pretty easy to do what you know best with them. I will elaborate though on the third. Use Kismet and AirSnort. They are both useful programs which are able to sniff, capture, analyze and finally decrypt all packets found on thin air. Remember not to attract attention while doing this. My best advice is to stay for 3-4 minutes there and then take the data given with you home and analyze it. If you don't get the private key in this time (WPA2 and WPA tend to harden things up), retry once or twice. If you still cannot do it, just forget it. Go somewhere else, because there is a case that someone might have noticed your continuous physical presence there.

Attack No4… Hijacking attack. This is clearly an expansion of the first attack, where you are using a rogue device to make your way into this network. By the time your AP is a part of this network, then you can easily extract significant data on how to set up an access point for this WLAN on your netbook, with software like Proxim Orinoco. There you can do the following combined… Use an RF JAM device and block again, by selecting the channel where the authorized access point is broadcasting. Engage your notebook with the same settings used (from your captured packets) as a wi-fi switch (by using the Orinoco software) but on a different channel.
Suddenly you are the main node for all incoming packets and the main gateway for all networking transactions for this WLAN!!! As you can imagine, with free software like Ethereal on your notebook, ….ehm… let's just say that you can discover even what kind of "underwear" the admin is wearing. Especially if this AP is the only device between terminals and a web proxy or gateway… you can limit your actions only with your IT-hacking imagination.

How to counteract this?... Use VPN or, to be simpler on this one, do not use DHCP settings on your wi-fi APs. The whole success of this attack is to impersonate a DHCP server from a rogue device and stand as an authorized machine to the clients. If the DHCP server is set on a desktop server, and the MAC address is marked in the scope pool as bound to the leased IP, then the attacker will have a hard time spoofing this. Not to mention that if there were an ARP/ACK attack, all LEDs and alarms on your firewall would go crazy.

Wi-Fi attacks?.. sure… but Wi-Fi is not functioning only on NICs and APs. It is also working on Bluetooth devices which are "in fashion" recently. They are able to use MAC & IP addresses to connect to WLANs. If now an expert administrator considers their small size, mobility and ease to install almost on any terminal, then he will have his hands full on how to fight back this one. Bluetooth devices are configured mostly in automatic ways (some of them via software) and can connect easily to wi-fi networks with minimum security (no WPA present). Imagine now a person (visitor or guest, there for a presentation or other reasons) at some time ready to connect to your network with such a device on his notebook. Especially if your LAN is set to provide DHCP-DNS by a simple entrance of the terminal onto the wi-fi network via your local AP. How to confront such a hazard?.. Use a sniffing – auditing tool like AirMagnet, so as to be able to locate all Bluetooth devices on location and capture any traffic from and to them. Sometimes preventing things from happening is the best cure for it.

I know now that I have not yet completed much of the expectations here, but in order to do this, I would need more than 3-4 pages on just presenting what tools to use in theory and not even touch attack methods. So I would rely on your questions on this one, and I will wait for them to elaborate specifically on the things you will have to say.

Gandalf |
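The post's own counter-measures (spotting a rogue AP that re-broadcasts your SSID, and noticing when the real AP goes quiet under an RF jam) come down to watching the beacons on the air. The script below is an added example, not code from the post or from Kismet or AirMagnet: it assumes a monitor has exported beacons as CSV with the columns ts,bssid,ssid,channel,privacy, and keeps an inventory of the network's legitimate AP (BSSID, SSID, channel, encryption). The inventory and every beacon line are constructed. It reports an unknown BSSID advertising one of your SSIDs (the rogue "wi-fi switch" of attack No4), a known AP that changes channel or drops its encryption, and a known AP whose beacons stop for several intervals (the outage a jam would produce).

```python
"""Flag rogue/evil-twin access points and beacon outages from a beacon log.

Added example, not code from the post. It assumes a CSV export with the
columns ts,bssid,ssid,channel,privacy; the AP inventory, BSSIDs, SSIDs and
beacon lines below are constructed sample data.
"""
import csv
import io

# Inventory of the network's own AP (constructed BSSID, SSID and channel)
KNOWN_APS = {
    "aa:bb:cc:dd:ee:01": {"ssid": "home-net", "channel": 6, "privacy": "WPA"},
}
OUR_SSIDS = {ap["ssid"] for ap in KNOWN_APS.values()}

# Ranking used to tell a security downgrade from a mere setting change
PRIVACY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}

BEACON_INTERVAL_S = 10.0                   # the post quotes 10-30 s; 10 s assumed
GAP_THRESHOLD_S = 3 * BEACON_INTERVAL_S    # three missed beacons => possible jam

# Constructed capture: a neighbour's WLAN, our AP, then a second BSSID that
# advertises our SSID without encryption while our AP falls silent for 60 s.
SAMPLE_BEACONS = """\
ts,bssid,ssid,channel,privacy
0,aa:bb:cc:dd:ee:01,home-net,6,WPA
5,77:88:99:aa:bb:cc,neighbour-wlan,1,WPA
10,aa:bb:cc:dd:ee:01,home-net,6,WPA
20,aa:bb:cc:dd:ee:01,home-net,6,WPA
30,aa:bb:cc:dd:ee:01,home-net,6,WPA
35,11:22:33:44:55:66,home-net,11,OPEN
45,11:22:33:44:55:66,home-net,11,OPEN
55,11:22:33:44:55:66,home-net,11,OPEN
90,aa:bb:cc:dd:ee:01,home-net,6,WPA
"""


def parse_beacons(text):
    """Parse the CSV export into dicts with typed fields, in capture order."""
    beacons = []
    for row in csv.DictReader(io.StringIO(text)):
        beacons.append({"ts": float(row["ts"]), "bssid": row["bssid"].lower(),
                        "ssid": row["ssid"], "channel": int(row["channel"]),
                        "privacy": row["privacy"].upper()})
    return beacons


def detect(beacons):
    """Return (kind, bssid, ts) findings; each rogue BSSID is reported once."""
    findings = []
    reported_twins = set()
    last_seen = {}
    for b in beacons:
        known = KNOWN_APS.get(b["bssid"])
        if known is None:
            # An unknown BSSID advertising one of our SSIDs is the rogue-AP case;
            # unknown BSSIDs with other SSIDs are just neighbours and are ignored
            if b["ssid"] in OUR_SSIDS and b["bssid"] not in reported_twins:
                findings.append(("evil_twin", b["bssid"], b["ts"]))
                reported_twins.add(b["bssid"])
            continue
        if b["channel"] != known["channel"]:
            findings.append(("channel_change", b["bssid"], b["ts"]))
        if PRIVACY_RANK.get(b["privacy"], 0) < PRIVACY_RANK[known["privacy"]]:
            findings.append(("security_downgrade", b["bssid"], b["ts"]))
        prev = last_seen.get(b["bssid"])
        if prev is not None and b["ts"] - prev > GAP_THRESHOLD_S:
            findings.append(("beacon_gap", b["bssid"], b["ts"]))
        last_seen[b["bssid"]] = b["ts"]
    return findings


if __name__ == "__main__":
    for kind, bssid, ts in detect(parse_beacons(SAMPLE_BEACONS)):
        print(f"t={ts:5.0f}s {kind:18} {bssid}")
```

On the constructed capture this reports the evil twin at t=35 s and the 60 s beacon gap of the real AP at t=90 s; the neighbour's WLAN is ignored. A beacon gap on its own can also be the AP rebooting, so the two findings together (real AP silent, unknown BSSID serving the same SSID) are the pattern worth alerting on.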
Skv0znoy wrote: |
Yep, of course, but you can do it offline with a more powerful PC for speed boosting. |