Drive-by Hacking

A term paper for ECE 578: Computer Network and Security

Shekhar Shinde, Shinde@engr.orst.edu, Oregon State University

Contents

• Background

• Problem of drive by hacking

• Wireless security options

• Challenges

• Types of attacks

• Internet scanner

• Real life solution to the problem

• Conclusion

• References

Background

• WLAN technology is making its way into organizations, but:
  – Authorized deployments are hindered by security concerns.
  – Unauthorized (rogue) deployments put the corporate network at risk.

• Top concerns:
  – Where are the access points?
  – Are they vulnerable to attack?
  – Where is the network perimeter?

[Figure: Market]

The Problem … “Drive By Hacking”

[Figure labels: The Building; Access Port; Switch; Main Corporate Backbone; Server (×3); iPaq; PalmPilot; Mobile Phone; Notebook; “Less than 1500 ft *”]

If the distance from the Access Port to the street outside is 1500 feet or less, then a hacker could also get access while sitting outside.

Wireless LAN Security Options

• MAC address filtering

• Vendor specific authentication

• SSID/Network ID

• Wired Equivalent Privacy (WEP)

• Emerging IEEE 802.11x

Or in other words …

[Figure labels: Notebook; Access Port; Switch; Main Corporate Backbone; RADIUS/EAP Server; Key (“Valid only for session”)]

1. User runs client software and enters user name and password.

2. The request is sent to the RADIUS/EAP server; RADIUS authenticates the session and sends unique session keys to the device and the AP. The keys are valid only for that session.

3. When the device wants to connect to a different AP, a new session is created, with a different unique set of keys, again valid only for that session.

The problem: this is totally proprietary technology, and therefore vendor specific, and the initial broadcast keys can still be sniffed.

The Challenges

• Rogue Access Points
  – Due to low cost, users are setting up their own APs without IT knowledge (i.e. boardrooms)

• DHCP
  – One of the advantages of WLAN is the ability to move around the building, and therefore between IP subnets. DHCP is therefore needed, but it is very abusable!

• 802.11xx and other technologies (such as Bluetooth & WAP) are all new, so no standards exist and they are very vendor specific

Types of Attacks

1. Insertion Attacks

2. Interception and unauthorised monitoring

3. Jamming

4. Client to Client Attacks

5. Brute Force on AP password

6. Encryption Attacks

7. Mis-configurations

Types of Attacks

• Insertion
  – Deploying unauthorised devices or creating new wireless networks without the prior knowledge of IT

• Interception and Unauthorised Monitoring
  – As with wired networks, it is possible to “sniff” the network; but where a wired network requires monitoring agents, with a WLAN you can get everything.

• Jamming
  – As the name suggests, this is a Denial of Service attack that floods the 2.4 GHz range, used by these and other devices, so nothing can communicate

Types of Attacks

• Client to Client Attacks
  – Once Windows is configured to support wireless it can be contacted by any other wireless device, so all the usual file sharing and TCP service attacks work

• Brute Force on Access Point password
  – The APs use simple usernames and passwords which can be easily brute forced, and key management is not easy

• Encryption Attacks
  – Although 802.11 has WEP, vulnerabilities have already been found and the keys can easily be cracked

• Mis-configurations
  – All major vendors make their units easy to deploy, so they come with insecure, well-known pre-configurations, which are rarely changed when installed

WLAN Security Challenges

How to Defend against WLAN Threat

• WLAN security is similar to that of the wired network.
  – It just represents an extension of wired networks.
  – It is another potential untrusted entry point into the wired network.

• Multi-Layer Security Approach
  – Protect the WLAN holistically at the network, system, and application layer for clients, access points, and the back-end servers.
  – Apply traditional wired security countermeasures.

WLAN Discovery / Assessment / Monitoring Tools

1. Internet Scanner 6.2, the market leading network vulnerability assessment tool, was the first to assess many 802.11b security checks. 802.11 checks are in several X-Press Updates (XPU 4.9 and 4.10).

2. RealSecure 6.5, the market leading IDS, was the first to monitor many 802.11b attacks. It is recommended that you make sure you are up to date with the latest X-Press Updates. 802.11 checks for IDS were in XPU 3.1.

Internet Scanner

[Figure labels: iPaq; Notebook; Access Port; Switch; Main Corporate Backbone; Firewall]

1. Finds the Holes

2. Finds Rogue Access Points or Devices

RealSecure

[Figure labels: Access Port; Switch; Main Corporate Backbone; Firewall; RealSecure; “Kill !!”]

The Solution

Wireless Scanner 1.0 is the solution for this problem:
  – Identify 802.11b access points.
  – Assess the implementation of available security features.
  – Laptop-based for mobility.

“Wireless Scanner provides automated detection and security assessment of WLAN access points and clients.”

Target Market

Primary market of Wireless Scanner 1.0:
  – Enterprise customers
  – SMB customers
  – Security consultants / auditors

These customers want to:
  – Implement a WLAN without compromising their existing security measures.
  – Protect the network from unauthorized APs.

How it works ..

• Each device has a WLAN adapter

• These communicate back to Access Ports (AP), or Wireless Bridges

• The technology works like old Ethernet bridges by simply passing data on

• So anyone with a wireless device could, theoretically, connect to your network.

Features – Detection

Wireless Scanner detects access points…

… and active clients.

Features – Security Assessment

Wireless Scanner probes access points to determine their vulnerability to connection and attack by unauthorized users.

Features – Reporting

• Multi-level reporting

• Export options

• New Access Points report highlights new 802.11b devices discovered in scan.
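The detection, security assessment and new-access-point reporting described in the Features slides can be illustrated with a small audit over scan results. This is an added example, not part of the original slides and not Wireless Scanner's own code; the BSSIDs, SSIDs, field names and the default-SSID list are constructed assumptions.

```python
# Added example: audit WLAN scan results against an authorized AP inventory.
# All BSSIDs, SSIDs and field names below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class AP:
    bssid: str       # MAC address of the access point radio
    ssid: str
    encryption: str  # "none" or "wep", as reported by the scan

# Assumed short list of factory-default SSIDs; extend it from vendor documentation.
DEFAULT_SSIDS = {"default", "linksys", "tsunami"}

def norm(bssid: str) -> str:
    """Normalise a MAC so 00-0C-... and 00:0c:... compare equal."""
    return bssid.lower().replace("-", ":")

def audit(scan, authorized, previous=()):
    """Return {bssid: [findings]} for every AP with at least one finding."""
    allowed = {norm(b) for b in authorized}
    seen_before = {norm(b) for b in previous}
    report = {}
    for ap in scan:
        b, findings = norm(ap.bssid), []
        if b not in allowed:
            findings.append("rogue: not in authorized inventory")
        if previous and b not in seen_before:
            findings.append("new since last scan")
        if ap.encryption == "none":
            findings.append("no encryption")
        elif ap.encryption == "wep":
            findings.append("WEP only: keys are crackable")
        if ap.ssid.lower() in DEFAULT_SSIDS:
            findings.append("factory-default SSID")
        if findings:
            report[b] = findings
    return report

AUTHORIZED = ["00:00:5E:00:53:01", "00:00:5E:00:53:02"]
PREVIOUS = ["00:00:5E:00:53:01", "00:00:5E:00:53:02"]  # BSSIDs from the last scan
SCAN = [
    AP("00-00-5e-00-53-01", "corp-wlan", "wep"),
    AP("00:00:5E:00:53:02", "tsunami", "none"),
    AP("00:00:5E:00:53:7F", "boardroom", "none"),  # not in the inventory
]

if __name__ == "__main__":
    for bssid, findings in audit(SCAN, AUTHORIZED, PREVIOUS).items():
        print(bssid, "->", "; ".join(findings))
```
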

Features – Flexibility

Mobile – users can scan while walking

User configurable:
  – Filters
  – Alarms and notifications
  – Encryption keys for scanning

Configurations can be saved and loaded
