22 September 2015 www.infosecawareness.in
Wireless LAN Security
Objectives
• What is WLAN & Wi-Fi?
  -- Architecture & Components of WLAN
  -- Difference between WLAN and Wi-Fi
• Need for Security in WLAN
• Security Standards in WLAN
  -- WEP, WPA, WPA2, WPS
• Security Threats
  -- DoS Attacks, Rogue AP, Dictionary Attacks, Wireless Sniffing
• Free Tools of Wireless Cracking
  -- Aircrack-ng, Reaver
WLAN
• A wireless computer network connecting 2 or more devices using a wireless distribution mechanism.
• WLANs are based on the IEEE 802.11 standards.
• The range of a WLAN is limited to a few 100 m, e.g. a home or office.
• Gained popularity due to ease of installation (fewer cables required), scalability, high data rates and mobility.
Wi-Fi
• Wi-Fi, also called "Wireless Fidelity", is a trademark name used by the Wi-Fi Alliance.
• The Wi-Fi Alliance checks and certifies WLAN devices for interoperability.
• Devices passing the test can use the "Wi-Fi Certified" trademark.
[Figure: logo used by the Wi-Fi Alliance]
Architecture & Components
[Diagram labels: laptop with wireless network card, mobile phone, access point, Internet, wired connectivity]
Need for Security in WLAN
WLANs are prone to the following vulnerabilities:
• Eavesdropping - Data sent over wireless traffic can be captured within range of the APs, and from a distance using directional antennas.
• DoS Attacks - Use of unlicensed bands may result in DoS attacks due to congestion in the traffic.
• War Dialing - Attackers can easily identify the security protocols used by APs on their way to the office or home, or while travelling on a bus.
• Rogue AP - Access points configured with the same type of encryption and authentication can lead to man-in-the-middle attacks.
• Ad-hoc networks and Wi-Fi hotspots with weak encryption created on wireless clients can lead intruders into organizational or home networks.
Security Standards
The following security standards have been implemented to protect the data communicated through wireless networks.

Name | Year | Who Defined It
Wired Equivalent Privacy (WEP) | 1997 | IEEE
The interim Cisco solution while awaiting 802.11i | 2001 | Cisco, IEEE 802.1x Extensible Authentication Protocol (EAP)
Wi-Fi Protected Access (WPA) | 2003 | Wi-Fi Alliance
802.11i (WPA2) | 2005+ | IEEE
WPS | 2006 | Wi-Fi Alliance
WEP (Wired Equivalent Privacy)
• Original security standard designed to maintain the confidentiality of data over wireless
• Encryption:
  -- Uses the RC4 stream cipher for confidentiality
  -- CRC-32 checksum for data integrity
• Authentication:
  -- Supports Open Authentication and Shared Key Authentication
WPA (Wi-Fi Protected Access)
• Referred to as the 802.11i standard; developed by the Wi-Fi Alliance in response to the poor encryption used with WEP
• Encryption:
  -- Temporal Key Integrity Protocol (TKIP) for encrypting data frames
  -- Michael is an algorithm used to verify the integrity of the messages; it is stronger and more efficient than the CRC used in WEP
• Authentication:
  -- Supports Pre-Shared Key (PSK) for normal home users or small organizations, and also the 802.1X standard for more complex authentication
WPA2 (Wi-Fi Protected Access II)
• Developed by the Wi-Fi Alliance using stronger encryption to strengthen the security of WPA
• Encryption:
  -- Data frames are encrypted using "Counter Cipher Mode with block chaining message authentication code Protocol (CCMP)", an AES-based encryption technique
  -- CCMP is stronger than the TKIP used in WPA
• Authentication:
  -- Supports Pre-Shared Key (PSK) for normal home users or small organizations, and also the 802.1X standard for more complex authentication
• To allow high bit rates of 54 Mbit/s (802.11n standard) it is mandatory to use WPA2 encryption
WPS (Wi-Fi Protected Setup)
• Designed by the Wi-Fi Alliance as a simple way to add clients to the wireless network
• Designed with home users in mind, who know very little about wireless security
• Clients can be added using:
  -- A PIN
  -- A push button
  -- NFC method
  -- USB method
Threats:
• WPS poses a serious threat, as the 6 Digit PIN provided with the access point is prone to brute-force attack
• It bypasses the WPA and WPA2 protocols, and their Pre-Shared Key can be obtained if the brute-force attack is successful
• Some devices have no provision to "Disable WPS"
Security Standard / Encryption / Key Strength / Threats

Security Standard: WEP
Encryption: RC4
Key Strength:
  WEP-64bit (standard implementation): 64 bit (40-bit key + 24-bit Initialization Vectors [IVs])
  WEP-128, WEP-256: extended implementations by vendors once the restriction on key size was removed
Threats:
•The RC4 key can be obtained due to the poor encryption mechanism
•Only Shared Key Authentication can be used, which creates problems in handling compromises
•Wireless sniffing, packet injection, spoofing
•WEP is outdated and should not be used

Security Standard: WPA
Encryption: TKIP
Key Strength: 128-Bit
Threats:
•Short Packet Spoofing - Short packets with known contents, such as ARP messages, can be decrypted due to a vulnerability in the TKIP implementation
•Relying on weak passwords and passphrases for shared keys carries a risk of brute-force attack
•DoS attacks, packet injection

Security Standard: WPA2
Encryption: CCMP (AES)
Key Strength: 128-Bit
Threats:
•Prone to brute-force attack, like WPA, if users rely on weak passwords and passphrases
•Hole 196 is a vulnerability that poses a threat of Denial of Service and Man in the Middle attacks
TOOLS
Tools for cracking wireless security protocols are freely available:
• Aircrack-ng - Most widely used to crack the WEP key
• Airodump-ng - Used for packet capturing; suitable for capturing the IVs (Initialization Vectors) used to crack the WEP key
• Aireplay-ng - Used to inject frames
• Reaver - Brute-forces access points for the WPS PIN
© ClubHack http://clubhack.com
Types of Security
OPEN: No security configured  X
• Obviously not advised
• Data is in the air in plain text and anyone can read it
WEP: Wired Equivalent Privacy  X
• Was broken years ago and takes 15 min to break in
• Very weak and not recommended
• Accepts only hexadecimal password
Types of Security…
WPA: Wi-Fi Protected Access  √
• Much better than WEP
• Accepts long passwords with all possible combinations
• Easy to set up, as easy as WEP
• Available in all the common Wi-Fi routers
• A must for all home users
• Will take a looong time to break in
Types of Security…
WPA2: Advanced Wi-Fi Protected Access  √√
• Better than WPA
• Takes a little more pain to set up
• Advised in corporate environments
• Strong encryption and authentication support
Wireless Security Standards
Description of WEP Protocol
WEP relies on a shared secret key (64 bit/128 bit) which is shared between the sender (client) and the receiver (Access Point).
• Secret Key - to encrypt packets before they are transmitted
• Integrity Check - to ensure packets are not modified in transit
The standard does not discuss how the shared key is established. In practice, most installations use a single key which is shared between all mobile stations and access points.
CHAP Authentication
[Diagram: exchange between Supplicant and Authenticator: username, challenge, response, accept/reject]
How WEP works
[Diagram labels: IV, RC4 key, original unencrypted packet, checksum, IV, encrypted packet]
Immediate Solution
WPA
• Easy to configure
• Every home router has this
• No special hardware or software required
• Boosts security to a comfortable level
How to configure WPA
• Open the configuration of your Wi-Fi device
• Go to the wireless settings
• Under the security option, select any one of:
  -- WPA
  -- WPA-PSK
  -- WPA-Personal
  -- WPA2-Personal
• Set a complex password
• Change the login password of the wireless router
• Done
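Why the "set a complex password" step matters, as an added Python example (not part of the original slides): in WPA/WPA2-Personal the 256-bit pre-shared key is derived from the passphrase and the network name (SSID) with PBKDF2-HMAC-SHA1 over 4096 iterations, so the passphrase is the only secret involved. The weak-word list, the 70-bit threshold and the function names are illustrative assumptions.

```python
import hashlib
import math
import string

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)

# Illustrative assumptions (not values from the slides).
COMMON = {"password", "12345678", "qwertyui", "admin123", "letmein1"}
MIN_BITS = 70
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation + " ")

def estimate_bits(passphrase: str) -> float:
    """Upper bound on entropy: length * log2(size of the character pool)."""
    pool = sum(len(p) for p in POOLS if any(c in p for c in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0

def check_passphrase(passphrase: str, ssid: str) -> list:
    """Return the problems found; an empty list means acceptable."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("must be printable ASCII")
    if passphrase.lower() in COMMON:
        problems.append("is a commonly used password")
    if ssid and ssid.lower() in passphrase.lower():
        problems.append("contains the network name")
    if estimate_bits(passphrase) < MIN_BITS:
        problems.append("estimated entropy below %d bits" % MIN_BITS)
    return problems

if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("password", "correct-Horse-7-battery-Staple"):
        print(pw, "->", check_passphrase(pw, "HomeNet") or "ok")
    print(wpa_psk("password", "IEEE").hex())
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network, but a short or common passphrase remains guessable whatever the SSID.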
Example : Linksys
Example : Netgear
Example : ZyXEL
Look for this
Further Advised
• Change the router login password frequently
  -- At least once a month
• Change the wireless WPA password also
  -- At least once a month
• Avoid the temptation to connect to an open wireless network just looking for free internet.
What’s next (added security)
• We can configure DHCP more tightly.
• Let’s not keep an open pool where anyone can connect
• Example
  -- I have 3 machines in my home (desktop/laptop/phone)
  -- I’ll create an IP pool of 3 IPs only
  -- I’ll do DHCP reservation for these 3 IPs using the MAC addresses
  -- Effectively I’m not allowing any outsider machine to connect
What’s next (added security) …
• We can configure MAC binding.
• Allow only MY machines to connect
• Many access points support MAC binding
• Any other machine will not be able to connect to my Wi-Fi
Not only terrorism, what else
Connected to an open network??
• Attacker can read your mails
• Attacker can see your password (even Gmail)
• Attacker can see your credit card numbers
• Attacker can access confidential information on your computer
• Attacker can chat with your girlfriend posing as you.
So…
6 easy steps to counter 95% of attacks on your Wi-Fi
Secure your Wi-Fi today.