CSCD 434/539
Lecture 9, Spring 2014
Wardriving and Vulnerability Scanning

Reconnaissance and Scanning Combined

• Today we discuss two separate topics: wardriving and vulnerability scanning
• Both are related to finding networks and discovering a possible absence of security, or the presence of vulnerabilities that can be exploited
• Wardriving is more of a fun pastime
• Vulnerability scanning is, and should be, part of your security program

Introduction

• Wardriving
  – Reconnaissance technique used to locate wireless networks
  – Determine location, encryption used
  – Vulnerability to compromise
• Vulnerability scanning
  – Allows network administrators to test their networks for known vulnerabilities
  – Works closely with vulnerability databases

Wardriving - Background

• Wi-Fi: Wireless Networks
  – Wireless access points provide a bridge to the Internet
• Problems:
  – Network access through thin air
  – Wireless networks often configured without any security
  – Commonly used Wi-Fi security protocols broken
  – Looking for wireless access points is fun!
    • You can potentially hack from the comfort of your car!!
  – Using them is… illegal? Immoral?

Wardriving

• Goal
  – Locate WLANs and determine their SSIDs
• Definition:
  – Service Set ID: the SSID is the identifying name of a wireless network; strictly, it is the identifying name of a wireless access point
  – It allows one wireless network to be clearly distinguishable from another
• SSID transmitted in clear text by access points and by all wireless cards using access points

Wardriving

• Who invented it?
  – Invented by Peter Shipley in 2001 when he drove around Silicon Valley and found hundreds of access points
  – Website: http://www.dis.org/shipley/
• Why does it work?
  – 802.11 signals are only valid for a short distance, so aren't we safe from war drivers? Is this true?

What Other Technique was War Driving Based Upon?

• War Dialing
  – A war dialer is a computer program used to identify the phone numbers that can successfully make a connection with a computer modem
  – The program automatically dials a defined range of phone numbers, logs those numbers that successfully connect to a modem, and enters them in a database
• What movie made this famous?

Wardriving

• Distances in 802.11
  – Normal: signal travels 100 meters or less
  – War driving doesn't need to send traffic, just detect the LAN
  – If using a high-gain antenna, researchers have shown signals can travel > 2 km or 1.2 miles
    • Km to miles: 1 km = .62 miles
  – When both ends have a high-gain antenna, signals can travel > 100 km or 62 miles!!!!
• High-gain antenna (HGA): an antenna with a focused, narrow radio-wave beam
  – Narrow beam allows more precise targeting of where the radio signal goes; also known as a directional antenna

Serious Wardriving rig!!

Wardriving

• Then, there's the fashion conscious
  http://www.theinquirer.net/inquirer/news/1020852/kisses-renderman-brave-inq-snapperazzi

War Driving

• Techniques
  – Active Scanning
  – Passive Scanning
  – Forcing de-authentication
• Set of tools to do some of these things here
  – http://etutorials.org/Networking/Wireless+lan+security/Appendix+A.+Resources+and+References/General+Tools/

War Driving

• Active Scanning
  – Broadcast 802.11 probe packets with SSID of "any", check for access points in range
    • Like going outside and shouting, "Who's there?"
  – NetStumbler is a free, older tool for doing active scanning: http://www.netstumbler.com
    • Popular tool for active scanning of WLANs
    • Runs in Windows XP, not Windows 7 or Vista
  – inSSIDer, a newer alternative to NetStumbler
    • Does work with Windows Vista, Windows 7, 64-bit PCs and Linux: http://www.metageek.net/products/inssider/

Netstumbler

• What does NetStumbler do?
  – Gathers MAC address, SSIDs, wireless channels and relative signal strength of each access point
  – Tells if security is turned on (WEP, WPA2)
  – Coordinates with GPS system
    • Locates access points on a map

Netstumbler

War Driving Stats

• Statistics (Ed Skoudis)
  – NetStumbler, ORiNOCO antenna, laptop, taxi cab, in New York City
  – Result!! One hour found 455 access points

War Driving Stats

http://www.theinquirer.net/inquirer/news/654/1045654/london-leads-wifi-access-points

• From a 2008 survey by RSA, a security firm
  – London had more wireless network access points (12,276) than
  – New York City (9,227), or
  – Paris (4,481)
  – War-driving for unsecured WiFi access points has replaced war-dialing for unprotected dial-in modems as the preferred attack mode of network intruders

War Driving Stats

• Looked at access point security
  – New York: 97% of corporate access points used encryption; was 76% in 2007
  – Paris: 94% of corporate access points were encrypted; 72% had WPA or better
  – London: 20% of corporate APs unsecured; 48% beyond WEP

San Francisco Wi-Fi's 2001

War Driving

• Defense Against Active Scanning
  – Configure access points to ignore probes with "any" set
  – Becomes invisible to NetStumbler
  – Active scanning alerts security people to attacker presence, if they are monitoring
  – Improved method is Passive Scanning

War Driving

• Passive Scanning
  – Stealthier way of discovering WLANs
  – Puts wireless card into rfmon mode
    • Monitor Mode
    • Like Ethernet promiscuous mode
  – Sniffs all wireless traffic from the air
  – Allows a machine to see all traffic on the LAN
    • Not just traffic destined for that machine

War Driving

• Passive Scanning
  – Kismet, by Mike Kershaw
    • Does detailed packet capture and analysis
    • Linux, but can run it in Cygwin for Windows
    • http://www.kismetwireless.net
  – Wellenreiter, by Max Moser
    • Optimized for war-driving
    • http://www.remote-exploit.org
    • Runs on Linux and supports Prism2, Lucent, and Cisco wireless card types

War Driving

• Passive Scanning
  – Wireless interface also supports promiscuous mode, rfmon mode
  – rfmon allows a machine to view all packets within range from multiple WLANs
  – Doesn't associate with any of them
  – Intercepts beacons and extracts SSIDs from them
  – SSIDs sent in clear text!
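What a monitor-mode card actually pulls out of a beacon is easy to see in code. The Python below is an added example, not from the lecture or from Kismet or Wellenreiter: it decodes a beacon frame body and reports the SSID (or that the AP hides it), the channel, and which of the privacy bit, a WPA element and an RSN element are present, which is how a passive scanner labels an AP open, WEP, WPA or WPA2. The sample beacons are constructed, not captured.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

PRIVACY_BIT = 0x0010          # capability-info bit an AP sets when it requires WEP/WPA/WPA2
SSID_TAG, DS_TAG, RSN_TAG, VENDOR_TAG = 0, 3, 48, 221
WPA1_OUI_TYPE = b"\x00\x50\xf2\x01"   # vendor-element prefix used by legacy WPA

@dataclass
class BeaconInfo:
    ssid: Optional[str]       # None when the AP omits or blanks its SSID (hidden network)
    channel: Optional[int]
    privacy: bool
    security: str             # OPEN, WEP, WPA or WPA2

def parse_ies(tagged: bytes) -> Dict[int, List[bytes]]:
    """Split the tagged-parameter section into {tag: [value, ...]}."""
    ies: Dict[int, List[bytes]] = {}
    pos = 0
    while pos + 2 <= len(tagged):
        tag, length = tagged[pos], tagged[pos + 1]
        value = tagged[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.setdefault(tag, []).append(value)
        pos += 2 + length
    return ies

def parse_beacon_body(body: bytes) -> BeaconInfo:
    """Decode a beacon body: 8-byte timestamp, 2-byte interval, 2-byte capability, then elements."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its fixed fields")
    _timestamp, _interval, capability = struct.unpack_from("<QHH", body, 0)
    ies = parse_ies(body[12:])
    raw_ssid = ies.get(SSID_TAG, [b""])[0]
    # An AP configured to omit its SSID sends a zero-length or all-NUL SSID element.
    hidden = len(raw_ssid) == 0 or raw_ssid == b"\x00" * len(raw_ssid)
    ssid = None if hidden else raw_ssid.decode("utf-8", errors="replace")
    ds = ies.get(DS_TAG, [b""])[0]
    channel = ds[0] if ds else None
    privacy = bool(capability & PRIVACY_BIT)
    if RSN_TAG in ies:
        security = "WPA2"
    elif any(v.startswith(WPA1_OUI_TYPE) for v in ies.get(VENDOR_TAG, [])):
        security = "WPA"
    elif privacy:
        security = "WEP"          # privacy bit set but no WPA/RSN element
    else:
        security = "OPEN"
    return BeaconInfo(ssid, channel, privacy, security)

def make_beacon(ssid: bytes, channel: int, capability: int, extra: bytes = b"") -> bytes:
    """Build a constructed beacon body for testing; not a captured frame."""
    return (struct.pack("<QHH", 0, 100, capability) + bytes([SSID_TAG, len(ssid)]) + ssid
            + bytes([DS_TAG, 1, channel]) + extra)

# Minimal RSN element: version 1, CCMP group and pairwise cipher, PSK key management.
RSN_IE = bytes([RSN_TAG, 20]) + bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000")

# Constructed samples standing in for beacons a monitor-mode card would capture.
SAMPLE_BEACONS = {
    "open": make_beacon(b"CoffeeShop", 6, 0x0001),
    "wep": make_beacon(b"Home", 1, 0x0001 | PRIVACY_BIT),
    "wpa2": make_beacon(b"CorpNet", 11, 0x0001 | PRIVACY_BIT, RSN_IE),
    "hidden": make_beacon(b"", 11, 0x0001 | PRIVACY_BIT, RSN_IE),
}
```

Running parse_beacon_body over SAMPLE_BEACONS labels CoffeeShop OPEN, Home WEP, CorpNet WPA2, and the last beacon hidden (ssid None) but still WPA2: omitting the SSID hides the name, not the AP.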

War Driving

• Passive Scanning
  – After discovering a wireless AP or client, gains SSID
    • Listens then for ARP or DHCP traffic to determine MAC and IP of each discovered wireless device

War Driving

• Drawback of Wellenreiter
  – If an access point is configured to omit its SSID from its beacons and no other users are sending traffic to the access point, it won't be able to determine the SSID
  – Will know the access point is there, not its name
  – Thus, another way to get SSIDs from a WLAN is to force clients to send traffic …

War Driving

• De-authentication
  – ESSID-Jack is a tool that is part of the Airjack toolkit
  – If a WLAN ignores probes with SSID of "any", omits SSID information from beacons, and no active traffic is going to it, what do you do?
    • Use de-authentication!
    • Assume there are clients who have previously been authenticated to an access point

War Driving

• Steps to de-authenticate and get SSID
  1. Attacker first sends a wireless de-authentication message to the broadcast address of the LAN, spoofing the MAC address of the access point (AP); the MAC address was previously grabbed from management frames using Kismet or Wellenreiter
  2. Client accepts the de-authentication message as coming from the access point; the result is that the client will disconnect from the WLAN
  3. Client then tries to re-associate with the WLAN by sending an association message with the SSID in clear text
  4. Attacker sniffs for the association frame and gets the SSID

Disassociation and Rogue AP

Sniffs association frame packet for SSID

War Driving

• De-authentication: why it works
  – Wireless clients accept wireless control messages without authentication!!!
  – Client believes the attacker is the AP
  – Attacker can force a client off the WLAN by merely spoofing the AP's MAC address
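A deauthentication frame is an 802.11 management frame, and the defender's answer to clients accepting it unauthenticated is to watch for it: a real AP deauthenticates one station at a time, so deauth or disassociation frames aimed at the broadcast address, and bursts of them from one BSSID, are the signature of steps 1 and 2 above. The Python below is an added example, not from the lecture or any named tool, that runs that check over constructed frame records; the two-second window and five-frame threshold are assumed values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List

DEAUTH, DISASSOC, BEACON = 12, 10, 8      # 802.11 management-frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class MgmtFrame:
    ts: float        # capture time in seconds
    subtype: int
    dst: str         # address 1, the receiver
    src: str         # address 2, the claimed sender
    bssid: str

@dataclass(frozen=True)
class Alert:
    ts: float
    bssid: str
    kind: str        # "broadcast-deauth" or "deauth-flood"
    count: int       # frames seen in the window when the alert fired

class DeauthFloodDetector:
    """Flag deauth/disassoc frames aimed at the broadcast address, and bursts of
    them from one BSSID inside a sliding window (window/threshold are assumed defaults)."""

    def __init__(self, window: float = 2.0, threshold: int = 5):
        self.window = window
        self.threshold = threshold
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)
        self._last_flood: Dict[str, float] = {}

    def feed(self, frame: MgmtFrame) -> List[Alert]:
        alerts: List[Alert] = []
        if frame.subtype not in (DEAUTH, DISASSOC):
            return alerts
        recent = self._recent[frame.bssid]
        recent.append(frame.ts)
        while frame.ts - recent[0] > self.window:   # forget timestamps outside the window
            recent.popleft()
        if frame.dst == BROADCAST:
            # A real AP deauthenticates one station at a time, never everyone at once.
            alerts.append(Alert(frame.ts, frame.bssid, "broadcast-deauth", 1))
        last = self._last_flood.get(frame.bssid)
        if len(recent) >= self.threshold and (last is None or frame.ts - last > self.window):
            self._last_flood[frame.bssid] = frame.ts   # at most one flood alert per window
            alerts.append(Alert(frame.ts, frame.bssid, "deauth-flood", len(recent)))
        return alerts

def scan(frames: List[MgmtFrame], window: float = 2.0, threshold: int = 5) -> List[Alert]:
    """Run the detector over a capture in timestamp order and collect its alerts."""
    detector = DeauthFloodDetector(window, threshold)
    alerts: List[Alert] = []
    for frame in sorted(frames, key=lambda f: f.ts):
        alerts.extend(detector.feed(frame))
    return alerts

AP = "00:11:22:33:44:55"      # constructed AP MAC
STA = "66:77:88:99:aa:bb"     # constructed client MAC
# Constructed benign capture: beacons, then one unicast deauth as the AP drops a client.
BENIGN = [MgmtFrame(t, BEACON, BROADCAST, AP, AP) for t in (0.0, 0.1, 0.2, 0.3)]
BENIGN.append(MgmtFrame(5.0, DEAUTH, STA, AP, AP))
# Constructed hostile capture: eight broadcast deauths "from" the AP within 0.7 s.
FLOOD = [MgmtFrame(t, DEAUTH, BROADCAST, AP, AP)
         for t in (10.0, 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7)]
```

On the benign capture scan() returns nothing; on the hostile one it returns a broadcast-deauth alert per frame plus a single deauth-flood alert at the fifth frame.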

Defenses to War Driving

• Can set AP to omit SSID from beacon packet
  – Not broadcasting the name to the world!
• Set up stronger authentication to APs
  – MAC address is not a great form of authentication
  – MAC addresses can be easily reset to anything in Linux or Unix
    • ifconfig eth0 hw ether mymacaddress
    • Windows a bit harder
  – Use strong authentication with 802.11i, not WEP

Defenses to War Driving

• Recommend use of Virtual Private Networks
  – VPNs use encryption
  – Help prevent sniffing of traffic
  – VPNs typically deployed across the Internet to connect clients securely to corporate networks
  – Yet, can serve a similar purpose for wireless networks in home or corporate environments

War Driving

http://www.wardrive.net/wardriving/faq

• Is it illegal to war drive?
  – The legality of wardriving hasn't been absolutely tested, but few people think that wardriving itself is illegal
• What is illegal is connecting to and using networks without the network owner's permission
  – Which is what most people call "breaking into a network"
• Wardriving has taken some hits in the press because network crackers will sometimes use wardriving tools to locate networks to break into

War Driving

• Staying within legal bounds
  – Adhere to a relatively strict code of ethics:
    • Don't look.
    • Don't touch.
    • Don't play through.
  – In other words:
    1) Don't examine the contents of a network;
    2) Don't add, delete, or change anything on a network; and
    3) Don't use a network's Internet connection for Web surfing, email, chat, FTP, or anything else.
  – Somebody else paid for the bandwidth, and if you don't have permission to use it, you're stealing it

Resources

• URLs, Wireless
  – http://www.wardrive.com
  – http://wardrive.net
  – http://www.netstumbler.net
  – http://www.remote-exploit.org
  – http://www.kismetwireless.net
  – http://sourceforge.net/projects/airjack
• T-shirt: "Wardriving is not a crime" http://www.staticusers.net/wardrivingisnotacrime/
• Books: http://www.amazon.com/gp/product/0764597302

Vulnerability Assessment

Vulnerability Assessment

• All OS platforms have vulnerabilities
  – Windows, Unix/Linux and yes, Mac too!
  – OS drivers and utilities have vulnerabilities
  – Applications that run on OS platforms have vulnerabilities
  – These "holes" into your network and systems are beyond the network protocol vulnerabilities
  – Lots of software vulnerabilities and some system-level vulnerabilities, such as weak password policies

Definitions

• What is a computer system vulnerability?
  – A vulnerability is
    • A software flaw, configuration error, or series of errors that allows access, or exposes data, to attackers or users that are not authorized
  – Vulnerabilities may result from bugs in application code or design flaws in the system
  – A vulnerability could be hypothetical, or could have a known associated exploit

Vulnerabilities

• Who discovers them?
  – Humans discover them: hacker groups, security companies, or researchers
  – Someone discovers a specific way to violate the security of a software product
  – Discovery may be accidental or through directed research
  – The vulnerability, in various levels of detail, is then released to the security community
• Can you say holes?

Release of Vulnerabilities

• Both security researchers and hackers publish vulnerabilities.
• Publishing vulnerabilities is controversial.
• Are there pros and cons of alerting the world to vulnerabilities?

More Definitions

• What is an exploit?
  – A piece of software, or sequence of commands, that takes advantage of a bug, glitch or vulnerability to get unintended or unanticipated behavior out of computer software, hardware, or other electronic devices
  – Frequently includes
    • Gaining control of a computer system
    • Allowing privilege escalation
    • Denial of service attack

Examples of Exploits

• Trojan horse Phel (an anagram of the word "help") that attacks, or attacked, Windows XP
• The Trojan is capable of remotely controlling a user's system even if the latest Windows XP Service Pack has been installed
• Trojan horse, distributed as an HTML file
  – Attempts to exploit a vulnerability in Internet Explorer's HTML Help Control component in all versions of Windows … 2004

Scanning

• Vulnerability Scanning
  – Next stage in information gathering
    • At this stage, want to identify specific vulnerabilities on target systems so that the attacker can run an exploit against them to gain access; also used by system administrators
  – Can automate the process of checking a system for known vulnerabilities
    • Maybe hundreds of vulnerabilities in a given year
    • What are the chances they didn't get all patched?

Vulnerability Scanners History

• 1992: First one
  – Internet Security Scanner (ISS)
• 1995
  – SATAN: Security Admin Tool for Analyzing Networks
  – Dan Farmer and Wietse Venema
  – Wider checks
• 1998
  – Nessus: was open source, built on their ideas
  – Still one of the most popular; home use still free

Scanning

• Vulnerability Scanning
  – Looks for several types of vulnerabilities
    • Configuration errors
    • Default configuration weaknesses
    • Well-known system vulnerabilities
  – Number of scanners available
    • Some are free
    • Some cost a lot of money
    • Some of the most popular vulnerability scanners are free

Scanning

• Vulnerability Scanners
  – Retina http://www.eeye.com
  – IBM ISS Internet Scanner http://www.iss.net
  – Nessus http://www.nessus.org/
  – GFI LANguard Network Security Scanner http://www.gfi.com/lannetscan

Scanning Nessus

• Nessus
  – Flexible: can write your own vulnerability checks
    • Called plugins; has its own scripting language
  – Source code is supplied
  – Lots of developers to enhance functionality
  – Free for home use; corporate use costs!!
  – CVE is built into the product (Common Vulnerabilities and Exposures database)
    • Allows Nessus to cross-reference with other tools that are CVE compliant

Scanning Nessus

• Nessus
  – Runs on Linux, Unix and Windows
  – Nessus doesn't use a large database of vulnerabilities that gets updated
  – It uses Nessus Attack Scripting Language (NASL)
    • Allows people to write their own scripts, plug-ins
    • It provides a plug-in interface
  – Many free plug-ins are available from http://www.nessus.org/plugins/index.php?view=all
    • Plug-ins specific to detecting a common virus or vulnerability
    • Like a virus signature

Scanners Nessus

• Example Nessus Plugins: Backdoor Plugins
  – Zotob Worm
  – IRC bot detection
  – SMTP server on a strange port
  – Kibuv worm detection
  – TFTP backdoor
  – Xerox MicroServer Unauthorized Access Vulnerabilities
  – Port TCP:0
  – XAMPP Default FTP Account
  – Default web account on Zyxel
  – Bofra Virus Detection
  – MoonLit Virus Backdoor

Scanning With Nessus

• Nessus
  – What vulnerabilities can it discover?
    • A few of the common ones include
      – Finger: often misconfigured
      – Windows vulnerabilities: many of them
      – CGI problems: scripts often have vulnerabilities
      – RPC: remote procedure call program
      – Firewalls: misconfigured
      – FTP: has had a lot of vulnerabilities
        » Looks for unpatched FTP implementations
  – Can just look at the plug-ins list for a sample

Scanning With Nessus

• Nessus
  – Has a client/server architecture
  – Can run it from a server and allow many clients
  – Or, can run the client and server on one machine
  – From the GUI interface
    • Can decide which vulnerability checks to run
    • Can target one machine or an entire network
    • Decide on the encryption algorithm for client/server communication

Nessus

Configure with Respect to Plugin

Scanning With Nessus

• Nessus
  – Each vulnerability is ranked with respect to risk
    • Low, medium and high
    • Should interpret the risk results only in view of your own system
    • The same vulnerability may not be high risk for you
  – Recommendations are then made for fixing the vulnerability

Nessus Reports

Reporting Screen

OpenVAS vs. Nessus

• As Nessus became commercialized, OpenVAS became the open source version
• OpenVAS was initially named GNessUs, as a fork of the Nessus security scanner to allow future free development of the now-proprietary tool
• OpenVAS was originally proposed by pentesters at Portcullis Computer Security and then announced by Tim Brown on Slashdot … about 2005
• OpenVAS is actively being developed and supported

http://www.openvas.org/

Vulnerability Databases and Information

National Vulnerability Database

• NVD, a comprehensive cyber security vulnerability database
  – Integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources
  – Based on and synchronized with the CVE vulnerability naming standard
• NVD is the CVE standard augmented with additional analysis, a database, and a fine-grained search engine. NVD is a superset of CVE.
• NVD is synchronized with CVE such that any updates to CVE appear immediately on NVD

http://nvd.nist.gov/

Common Vulnerabilities and Exposures (CVE)

• A list of standardized names for vulnerabilities and other information security exposures (CVE)
  – CVE standardizes names for all publicly known vulnerabilities and security exposures and is a community-wide effort
  – The content of CVE is a collaborative effort of the CVE Editorial Board
    • Includes representatives from over 20 security-related organizations
    • Security tool vendors, academic institutions, and government
  – MITRE Corporation maintains CVE and moderates Editorial Board discussions
• CVE, http://cve.mitre.org

• Example CVE Entries
  – CVE-1999-0002 Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.
  – CVE-1999-0003 Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd)
  – CVE-1999-0005 Arbitrary command execution via IMAP buffer overflow in authenticate command.

Scanners

• What should you do with a vulnerability scanner?
  – Run it against your own systems
  – Do this before an attacker does
  – Look at the results
  – Fix reported vulnerabilities if they are a problem for your site
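The advice to read Nessus's low/medium/high ranking only in view of your own system, and the CVE entries quoted earlier, come together when you process a scan report. The Python below is an added example, not Nessus, CVE or NVD code: it parses CVE list lines in the one-line form shown above, cross-references constructed findings against them, and re-ranks each finding by whether the affected service is actually reachable at this site. Hostnames, ports, weights and the findings are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple

# One CVE list line: the identifier, then its description.
CVE_LINE = re.compile(r"^(CVE-\d{4}-\d{4,})\s+(\S.*)$")

@dataclass(frozen=True)
class CveEntry:
    cve_id: str
    description: str

def parse_cve_entry(line: str) -> CveEntry:
    """Parse a line such as 'CVE-1999-0002 Buffer overflow in NFS mountd ...'."""
    m = CVE_LINE.match(line.strip())
    if m is None:
        raise ValueError(f"not a CVE entry: {line!r}")
    return CveEntry(m.group(1), m.group(2))

# The three entries quoted in the lecture, standing in for the full CVE list.
CVE_TABLE: Dict[str, CveEntry] = {e.cve_id: e for e in map(parse_cve_entry, [
    "CVE-1999-0002 Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.",
    "CVE-1999-0003 Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd)",
    "CVE-1999-0005 Arbitrary command execution via IMAP buffer overflow in authenticate command.",
])}
SEVERITY = {"low": 1.0, "medium": 2.0, "high": 3.0}   # the scanner's own ranking

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin: str
    severity: str                  # low / medium / high as the scanner reports it
    cve_ids: Tuple[str, ...] = ()

@dataclass
class Ranked:
    finding: Finding
    score: float
    reason: str
    references: List[str]          # CVE descriptions the finding cross-references

def prioritize(findings: Sequence[Finding], assets: Dict[str, Tuple[bool, Set[int]]]) -> List[Ranked]:
    """Re-rank scanner output for this site: same vulnerability, different risk."""
    ranked: List[Ranked] = []
    for f in findings:
        base = SEVERITY[f.severity]
        internet_facing, reachable = assets[f.host]
        if f.port not in reachable:
            score, reason = base * 0.25, "service not reachable through the firewall"
        elif internet_facing:
            score, reason = base * 2.0, "service reachable from the Internet"
        else:
            score, reason = base, "service reachable from the internal network only"
        refs = [CVE_TABLE[c].description for c in f.cve_ids if c in CVE_TABLE]
        unknown = [c for c in f.cve_ids if c not in CVE_TABLE]
        if unknown:
            reason += "; unresolved CVE ids: " + ", ".join(unknown)
        ranked.append(Ranked(f, score, reason, refs))
    return sorted(ranked, key=lambda r: r.score, reverse=True)

# Constructed scan results and site context; hostnames and ports are made up.
# Site context per host: (internet_facing, ports still reachable after firewall rules).
FINDINGS = [
    Finding("ws1.internal", 21, "FTP server unpatched", "medium"),
    Finding("files.internal", 635, "NFS mountd buffer overflow", "high", ("CVE-1999-0002",)),
    Finding("mail.example.test", 143, "IMAP authenticate overflow", "high", ("CVE-1999-0005",)),
]
ASSETS = {
    "ws1.internal": (False, set()),            # workstation; firewall blocks inbound
    "files.internal": (False, {635, 2049}),
    "mail.example.test": (True, {25, 143}),
}
```

prioritize(FINDINGS, ASSETS) puts the Internet-facing IMAP overflow first, the internal NFS mountd overflow second, and the unreachable FTP finding last, even though the scanner rated two of them "high".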

Summary of Techniques

• So far ...
  – To attack a specific system (not a widespread worm or virus attack), attackers must do a lot of work
    • Reconnaissance: gather information
      – Dumpster diving
      – Whois database
      – DNS queries, physical access
    • IP Scanning
      – Identify hosts, services and operating systems
      – Host and port scanning, stack fingerprinting
      – Vulnerability scanning is the last stage of the scanning phase
• Next phase is the attack!

The End

• Next Time: Lab is Google Hacking, on your own ...