802.11 Insecurities
Transcript of 802.11 Insecurities
Wireless News
'BlueBag' PC sniffs out Bluetooth flaws
  • In just under 23 hours of travel, BlueBag was able to spot more than 1,400 devices with which it could have connected
  • If you happened to fly through Milan's Malpensa Airport last March, your mobile phone may have been scanned by the BlueBag.
Wireless News
Next generation wireless is new, nifty, but not yet standard
  • The good news is that there's a new generation of wireless networking products on the horizon, products that feature about four times as much coverage and more than 10 times faster access than traditional WiFi networks.
  • The bad news is that this new-and-improved wireless standard doesn't actually exist yet, even though there's no shortage of retailers who are more than willing to sell it to you right now.
Wireless News
A team of researchers from Research Triangle Institute successfully tested a paint-on antenna for high-altitude airships on June 21, in the Nevada desert.
Misbehaving with WiFi
Chapter Eight
Wireless LAN Security and Vulnerabilities
Topics
Snake oil access control
MAC layer lacks per frame authentication
The spoofing problems which result
802.1X issues related to spoofing
WEP (dead horse, I’ll discuss it briefly)
Attacks against these schemes
Recommendations
Wireless tools you can mess with
WEP Crack Demo
Terminology
SSID – Service Set ID
  • A text string used to identify sets of APs
Spoofing
  • Illegitimate generation of network traffic
    Fake packets altogether
    Insert traffic into a stream
WEP – Wired Equivalent Privacy
  • Broken 802.11 encryption scheme
  • Should be “What on Earth does this Protect?”
Terminology (continued)
Access point
  • Device serving as wireless-to-wired bridge
Association request
  • Wireless stations ‘associate’ with an AP
  • Follows rudimentary authentication procedure
Per Frame Authentication
  • Every frame carries authenticity information
  • Should be used with initial auth. exchange
Terminology (continued)
Snake oil is a Traditional Chinese medicine used for joint pain. However, the most common usage is as a derogatory term for medicines to imply that they are fake, fraudulent, and usually ineffective. The expression is also applied metaphorically to any product with exaggerated marketing but questionable or unverifiable quality.
(borrowed from Wikipedia)
Ted’s Hacker
Auth. in the 802.11 MAC Layer
Two types
  • Open System
    No authentication
    Gratuitous access
  • Shared Key
    Uses WEP – broken scheme
    Key distribution and usage issues
No per frame auth.
  • Frame spoofing is easy
  • If an authentication scheme is to be effective, it needs to be per frame
No AP auth. – allows impersonation of APs
MAC layer does leave room for other auth. schemes
  • None presently implemented
  • New schemes which conform to the standard still can’t be per frame
  • Per frame authentication
Other Forms of Access Control
SSID hiding (complete snake oil)
  • SSID often beaconed by APs
  • APs can be configured to stop beaconing
MAC address filtering (snake oil)
  • DHCP servers
  • AP ACLs
802.1X (spoofing issues)
  • Takes place following MAC layer auth. and assoc. to AP
  • Controls access only to world beyond AP via EAP
  • Does allow for more robust authentication (Kerberos, others)
  • Doesn’t solve per packet auth. problem
  • No clients for all OSs which all use the same auth. scheme
WEP, the “Sweet & Low” of 802.11
Passive listening
  • Numerous documented attacks
  • Attacks widely implemented
  • Key can be recovered at worst in a few hours of passive listening
Only encrypts data frames
  • Management, control frames sent in the clear
  • We can still spoof these frame types without a key
Key management issues
  • If key changes all devices must change it at the very same time, so short key periods won’t help much
  • Employee leaves with key in hand
  • Basically Broken
Sniffing the SSID – easy
[Diagram: a regular user station (being innocent) sends Assoc. Request (…, SSID ‘Paris’, …) to an AP w/ SSID ‘Paris’; a mischievous station running NetStumbler or similar listens: “Sniff, sniff, sniff…”]
Beating MAC Address Filters – easy
Sniff legitimate MAC addresses
Wait for a station to leave
Set your MAC to a legitimate address
  • linux# ifconfig wlan0 hwaddr 00:00:de:ad:be:ef
  • openbsd# wicontrol wi0 –m b5:db:5d:b5:db:5d
You can now authenticate and associate
MAC filtered by DHCP server?
  • Sniff addresses and set your IP statically
Cracking WEP – easy, time consuming
[Diagram: a regular user station (being innocent) exchanges WEP encrypted data frames (A1%h8#/?e$! ...) with an access point; a mischievous station running AirSnort or similar listens: “Sniff, sniff… CRACK!”]
Back to the Spoofing
Spoofing allows lots of naughty behavior
  • Station disassociation DoS
    Disrupt wireless station’s access
  • Access point saturation DoS
    MAC level limits the number of associated stations to ~2000
    Implementation limits set lower to prevent congestion
    Prevent new stations from authenticating to an AP
  • Hijacking of legitimately authenticated sessions
  • Man in the middle attacks
    Old ARP cache poisoning, DNS spoofing affect 802.11 too
    Impersonate AP to a client, tamper with traffic, pass it along
Tools for Spoofing Frames – challenging, getting easier
Libradiate makes it easy
  • No longer supported
AirSnarf
  • Mimics a legitimate access point
DoS Tools (disassoc, AP saturate, etc)
THC-RUT
  • Combines detection, spoofing, masking, and cracking into the same tool
Hotspotter
  • Deauthenticate frame sent to a MS Windows XP user’s computer that would cause the victim’s wireless connection to be switched to a non-preferred connection, AKA a rogue AP.
Disassociating a Wireless Station – easy after implementation!
[Diagram: general wireless traffic (MGMT, CTRL, DATA) flows between a regular user station (being innocent) and an access point; a mischievous station running dis2 listens (“Sniff, sniff…”) and then sends a Disassociate Frame (SANTA’S MAC, AP BSSID, DISASSOC, …): “DISASSOC!”]
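The disassociation and deauthentication spoofing on the last few slides (station disassociation DoS, the dis2 diagram above) leaves traces a passive monitor can see without any key. Below is an added example, in Python, that is not part of the original deck: it parses the fixed 802.11 MAC header (Frame Control, Duration, Address 1 to 3, Sequence Control) and applies two defender-side checks, a per-BSSID burst count of deauth/disassoc frames and a sequence-number continuity check for frames that claim a given sender. The MAC addresses, timestamps, reason code and the whole capture are constructed.

```python
"""Added example (not the deck's code): parse the fixed 802.11 MAC header and
flag two spoofing indicators visible to a monitor-mode sensor without a key:
bursts of deauth/disassoc frames per BSSID, and sequence-number jumps.
The capture below is constructed."""
import struct
from collections import defaultdict, deque

MGMT = 0                               # frame type 0 = management
BEACON, DISASSOC, DEAUTH = 8, 10, 12   # management subtypes

def build_frame(ftype, subtype, dst, src, bssid, seq, body=b""):
    """Frame Control (LE16): bits 0-1 version, 2-3 type, 4-7 subtype.
    Sequence Control (LE16): low 4 bits fragment number, high 12 bits sequence number."""
    fc = (subtype << 4) | (ftype << 2)
    return (struct.pack("<HH", fc, 0) + dst + src + bssid
            + struct.pack("<H", seq << 4) + body)

def parse_frame(raw):
    fc, _duration = struct.unpack_from("<HH", raw, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    seq = struct.unpack_from("<H", raw, 22)[0] >> 4
    reason = None
    if ftype == MGMT and subtype in (DISASSOC, DEAUTH) and len(raw) >= 26:
        reason = struct.unpack_from("<H", raw, 24)[0]   # reason code, LE16
    return {"type": ftype, "subtype": subtype, "seq": seq, "reason": reason,
            "dst": raw[4:10].hex(":"), "src": raw[10:16].hex(":"),
            "bssid": raw[16:22].hex(":")}

def is_disconnect(f):
    return f["type"] == MGMT and f["subtype"] in (DISASSOC, DEAUTH)

def detect_flood(frames, window=1.0, threshold=10):
    """frames: iterable of (seconds, raw). Returns {bssid: peak number of
    deauth/disassoc frames seen within any `window` seconds} for every BSSID
    whose peak reaches `threshold`."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for t, raw in frames:
        f = parse_frame(raw)
        if not is_disconnect(f):
            continue
        q = recent[f["bssid"]]
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        peak[f["bssid"]] = max(peak[f["bssid"]], len(q))
    return {b: n for b, n in peak.items() if n >= threshold}

def detect_seq_jumps(frames, max_gap=64):
    """A real station's sequence counter advances by one per frame, so a
    deauth/disassoc whose sequence number is far from what its claimed sender
    last used is a spoofing indicator. Returns [(seconds, src, expected, seen)]."""
    last, alerts = {}, []
    for t, raw in frames:
        f = parse_frame(raw)
        src, seq = f["src"], f["seq"]
        if src in last and is_disconnect(f):
            expected = (last[src] + 1) % 4096
            if (seq - expected) % 4096 > max_gap:
                alerts.append((t, src, expected, seq))
        last[src] = seq
    return alerts

# Constructed capture: five legitimate beacons from the AP (seq 100-104), then
# twenty forged deauths that name the AP as sender but carry sequence numbers
# the AP never reached, then one more genuine beacon.
AP = bytes.fromhex("001122334455")       # constructed AP / BSSID address
STA = bytes.fromhex("aabbccddee01")      # constructed client address
BCAST = b"\xff" * 6

def sample_capture():
    frames = [(0.1 * i, build_frame(MGMT, BEACON, BCAST, AP, AP, 100 + i)) for i in range(5)]
    for i in range(20):
        reason = struct.pack("<H", 7)     # constructed reason code
        frames.append((2.0 + 0.01 * i, build_frame(MGMT, DEAUTH, STA, AP, AP, 3000 + i, reason)))
    frames.append((2.5, build_frame(MGMT, BEACON, BCAST, AP, AP, 105)))
    return frames

if __name__ == "__main__":
    cap = sample_capture()
    print("flood:", detect_flood(cap))          # {'00:11:22:33:44:55': 20}
    print("seq jumps:", detect_seq_jumps(cap))  # [(2.0, '00:11:22:33:44:55', 105, 3000)]
```

Because management frames carry no authentication (the deck's central point), neither check proves a frame was forged; they are triggers for investigation. A legitimate AP that reboots also resets its sequence counter, so `threshold` and `max_gap` need tuning against a baseline from the network being monitored.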
Session Hijacking / MITM (Man-In-The-Middle)
The wireless advantage: easy access to medium!
Hijacking a wireless session
  • Known network/transport layer attacks – easy w/ implementations
  • MAC level hijacking
  • Simple combination of disassociation and MAC spoofing
  • Can beat 802.1X, if hijacking after EAP Success received by station
MITM
  • SSH, SSL – easy w/ sshmitm, webmitm (dsniff package)
    ARP Poisoning, DNS redirect still work (may need retooling for 802.11 MAC)
    Same issues that go along with these attacks on wired medium exist here
  • AP impersonate MITM – doable, challenging
  • Could be detectable
Main Points
Wireless medium is inherently insecure
The 802.11 MAC poorly compensates
MAC layer needs stronger authentication
Per packet auth. could solve many issues
802.1X exchange comes too late
Spoofing attacks will become public
Recommendations
The first rule is…
  • Secure your network protocols
  • SECURE NETWORK PROTOCOLS
  • SECURE NETWORK PROTOCOLS
Wireless only makes attacks easier
Snake oil can provide hurdles for the casual
Treat wireless the way you treat remote traffic
High security environments: no wireless allowed
Wireless Tools for your Tinkering
Windows
  • Netstumbler – find APs and their SSIDs
  • Airopeek – wireless frame sniffer
Linux
  • Airsnort (and other WEP tools)
  • Airtraf (Netstumbler-like)
  • Kismet (Netstumbler-like, WEP capture, other stuff)
WEP Cracking Demo
Cracking WEP in 10 Minutes
http://www.hackingdefined.com/movies/see-sec-wepcrack.zip
This is a demo from a distro called Woppix which later became BackTrack
Wireless Security
“The nice thing about standards is that there are so many to choose from.”
- Andrew S. Tanenbaum
Wireless Security – Obviously Many Don’t Bother
Wireless Security Problems
Common Techniques to Compromise Wireless Data Networks:
  • Rogue Access Point Insertion
  • Traffic Sniffing
  • Traffic Data Insertion
  • ARP-Snooping (via “Dsniff”) – trick wired network to pass data over wireless
Approximate Wireless Ranges
802.11b/g Wireless Radio Channels (USA)
Note: Using only channels 1, 6, and 11 incurs the least amount of adjacent radio channel interference.
Security Overview – Authentication
Determines:
  • If you are who you say you are
  • If (and what) access rights are granted
Examples are:
  • “Smart Card” – SecurID® Server/Cards
  • S/Key – One time password
  • Digital Certificates
Examples of “Smart Cards”
http://www.rsasecurity.com
Wireless Security Overview – Data Encryption
  • WEP – Wired Equivalent Privacy (No Authentication)
  • WPA – WiFi Protected Access
Note: Due to computational overhead, almost all data encryption techniques impose an Access Point performance / throughput penalty.
Average Throughput Reduction Example – (Relative to No Encryption @ … Mbps w/Linksys WRT54GS):
  WPA-PSK w/AES (29.005 Mbps) = ~14.8% slower
  WPA-PSK w/TKIP (28.464 Mbps) = ~16.4% slower
  WEP-128 (22.265 Mbps) = ~34.6% slower
http://www.tomsnetworking.com/Reviews/images/scrnshots/linksys_wrt54gs_security.png
WEP (Wired Equivalent Privacy)
RC4 (Rivest Cipher 4 / Ron’s Code 4) Encryption Algorithm <http://www.cebrasoft.co.uk/encryption/rc4.htm>
Shared (but static) secret 64 or 128-bit key to encrypt and decrypt the data
  • 24-bit ‘initialization vector’ (semi-random) leaving only 40 or 104 bits as the ‘real key’
WEP Key Cracking Software
  • WEPCrack / AirSnort / Aircrack (as well as others)
  • Cracking Time: 64-bit key = 2 seconds; 128-bit key = ~3-10 minutes
www.netcraftsmen.net/welcher/papers/wlansec01.html and www.tomsnetworking.com/Sections-article111-page4.php
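To make the 24-bit IV point concrete for this slide and for the earlier “WEP, the Sweet & Low of 802.11” slide, here is an added example in Python. It is not the deck's own code and not any of the tools it lists: it implements RC4 and WEP's per-frame keying (IV || shared key), then shows what a monitor can check in a capture, IV reuse, and why it matters (two frames under one IV share a keystream, so their ciphertexts XOR to the XOR of the plaintexts), along with the birthday bound on how soon random IVs repeat. The shared key, IVs and frames are constructed, and the CRC-32 ICV that real WEP appends before encryption is omitted.

```python
"""Added example (not the deck's code): WEP per-frame keying (24-bit IV ||
shared key -> RC4) and a monitor that reports IV reuse in a capture. The key
and frames are constructed; the CRC-32 ICV is omitted."""
import math
from collections import Counter

IV_BITS = 24
IV_SPACE = 1 << IV_BITS        # 16,777,216 possible IVs per shared key

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key-scheduling (KSA), then XOR data with the PRGA keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-40 (5-byte key) or WEP-104 (13-byte key): the per-frame RC4 key is
    the 3 IV bytes, in transmitted order, followed by the shared key. The IV
    travels in the clear, so the frame is iv || ciphertext."""
    if len(shared_key) not in (5, 13):
        raise ValueError("WEP shared key must be 40 or 104 bits")
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + shared_key, plaintext)

def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    return rc4(frame[:3] + shared_key, frame[3:])

def find_iv_reuse(frames):
    """Returns {iv_hex: count} for every IV seen more than once in the capture;
    each such group of frames was encrypted under the same keystream."""
    counts = Counter(frame[:3].hex() for frame in frames)
    return {iv: n for iv, n in counts.items() if n > 1}

def keystream_reuse_leaks_xor(shared_key, iv, p1, p2):
    """Two frames under one IV: XOR of the ciphertexts equals XOR of the
    plaintexts, because the shared keystream cancels."""
    c1 = wep_encrypt(shared_key, iv, p1)[3:]
    c2 = wep_encrypt(shared_key, iv, p2)[3:]
    n = min(len(c1), len(c2))
    xor_c = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    xor_p = bytes(a ^ b for a, b in zip(p1[:n], p2[:n]))
    return xor_c == xor_p

def frames_until_half_chance_of_reuse(space=IV_SPACE):
    """Birthday bound: with randomly chosen IVs, after about sqrt(2 N ln 2)
    frames there is a 50% chance some IV has already been used."""
    return math.ceil(math.sqrt(2 * space * math.log(2)))

def sample_capture():
    key = bytes.fromhex("0102030405")                          # constructed WEP-40 key
    frames = [wep_encrypt(key, b"\x00\x00\x01", b"hello"),
              wep_encrypt(key, b"\x00\x00\x02", b"world"),
              wep_encrypt(key, b"\x00\x00\x01", b"again")]    # IV 000001 reused
    return key, frames

if __name__ == "__main__":
    key, frames = sample_capture()
    print(find_iv_reuse(frames))                                          # {'000001': 2}
    print(keystream_reuse_leaks_xor(key, b"\x00\x00\x01", b"hello", b"again"))  # True
    print(frames_until_half_chance_of_reuse())                            # 4823
```

The IV counter is what a busy AP exhausts in hours, which is the slide's “passive listening” point; a sensor that logs IVs per BSSID and alerts on repeats is a cheap way to see a network that is past that point, and the only real fix is the one the later slides give, moving off WEP.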
WEP Attack Approaches
Traffic (Packet) Collection Techniques
  • High Traffic Access Points (APs)
    Simple/passive traffic sniffing / capture
  • Low Traffic Access Points
    Have client ‘deauth’ to disassociate from the AP
    • (Forces traffic when the client re-associates to the AP)
    Replay captured ‘arp’ requests to the AP
    Sniff / capture resulting packets for analysis
WPA and WPA2 (WiFi Protected Access)
Created by the Wi-Fi Alliance industry group due to excessive delays in 802.11i approval
WPA and WPA2 designed to be backward compatible with WEP
Closely mirrors the official IEEE 802.11i standards but with EAP (Extensible Authentication Protocol)
Contains both authentication and encryption components
Wireless Authentication – 802.11i
  • EAP – Extensible Authentication Protocol
    Currently ~40 different EAP authentication methods
    PEAP (Protected EAP) = EAP + RADIUS Server
    RADIUS = Remote Authentication Dial-In User Service
Kerberos
  • Provided as part of Win2K+ / UNIX Server Platforms
IPSec (IP Security) / VPNs
  • End-to-End Encryption
RADIUS Authentication
Remote User
  • Desktop / Client
NAS Client (Network Access Server)
  • Access desired to this Client/Server
AAA (RADIUS) Server
  • Authentication, Authorization, and Accounting
http://www.wi-fiplanet.com/img/tutorial-radius-fig1.gif
Kerberos (a.k.a. “Fluffy”) – End-to-End Authentication
Kerberos is a widely used authentication server in an open environment.
Kerberos tickets have a limited life – generally configured to be 8 hours.
[Diagram: Client, Kerberos (Authentication Server (AS), Ticket-granting Server (TGS), user secret keys) and Service. Exchanges, in order: Request a ticket for TGS; Ticket for TGS; Request a ticket for Service; Ticket for Service; Request Service.]
http://www.cs.dartmouth.edu/~minami/Presentations/security.ppt
The name Kerberos comes from Greek mythology; it is the three-headed dog that guarded the entrance to Hades.
http://www.faqs.org/faqs/kerberos-faq/general/section-4.html
WPA / WPA2 Encryption
WPA
  • Mandates TKIP (Temporal Key Integrity Protocol)
    Scheduled Shared Key Change (i.e., every 10,000 data packets)
  • Optionally specifies AES (Advanced Encryption Standard) capability
WPA will essentially fall back to WEP-level security if even a single device on a network cannot use WPA
WPA2
  • Mandates both TKIP and AES capability
WPA / WPA2 networks will drop any altered packet or shut down for 30 seconds whenever a message alteration attack is detected.
WPA / WPA2 (Cont’d)

  Mode                   Authentication Method                         Encryption Method
  WPA  SOHO / Personal   Pre-Shared Key                                Temporal Key Integrity Protocol
  WPA  Enterprise        802.1X / Extensible Authentication Protocol   Temporal Key Integrity Protocol
  WPA2 SOHO / Personal   Pre-Shared Key                                Advanced Encryption Standard
  WPA2 Enterprise        802.1X / Extensible Authentication Protocol   Advanced Encryption Standard
WPA / WPA2 (Cont’d)
Personal Pre-shared Key
  • User-entered 8 – 63 ASCII character passphrase produces a 256-bit Pre-Shared Key
  • To minimize/prevent key cracking, use a minimum of 21 characters for the passphrase
  • Key Generation
    Passphrase, SSID, and the SSID length are hashed 4096 times to generate a value of 256 bits
WPA Key Cracking Software
  • coWPAtty / WPA Cracker (as well as others)
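The Key Generation bullet above is PBKDF2 with HMAC-SHA1: the passphrase is the password, the SSID is the salt, 4096 iterations, 256 bits of output. The following added example (not the deck's code) writes that derivation out by hand, checks it against Python's hashlib, and encodes the slide's 21-character guidance as a policy check. The passphrase/SSID pair “password”/“IEEE” is the IEEE 802.11i Annex H test vector; every other value is constructed.

```python
"""Added example (not the deck's code): the WPA/WPA2-Personal key derivation
PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), written
out and cross-checked against hashlib, plus the slide's passphrase policy.
"password"/"IEEE" is the IEEE 802.11i Annex H test vector; other inputs are
constructed."""
import hashlib
import hmac

WPA_ITERATIONS = 4096
WPA_PSK_BYTES = 32

def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 2898) with HMAC-SHA1. For each 20-byte output block i:
    U1 = HMAC(password, salt || INT(i)), Un = HMAC(password, U(n-1)),
    Ti = U1 xor U2 xor ... xor U_iterations. 256 bits needs two blocks."""
    out = b""
    block = 1
    while len(out) < dklen:
        u = hmac.new(password, salt + block.to_bytes(4, "big"), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(20, "big")
        block += 1
    return out[:dklen]

def valid_wpa_passphrase(passphrase: str) -> bool:
    """WPA-PSK passphrases are 8 to 63 printable ASCII characters."""
    try:
        pw = passphrase.encode("ascii")
    except UnicodeEncodeError:
        return False
    return 8 <= len(pw) <= 63 and all(32 <= b <= 126 for b in pw)

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Hand-rolled derivation; the SSID bytes act as the salt, so the same
    passphrase yields a different PSK on every differently named network."""
    if not valid_wpa_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return pbkdf2_hmac_sha1(passphrase.encode("ascii"), ssid.encode("utf-8"),
                            WPA_ITERATIONS, WPA_PSK_BYTES)

def wpa_psk_stdlib(passphrase: str, ssid: str) -> bytes:
    """Same derivation through hashlib, used to cross-check the function above."""
    if not valid_wpa_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
                               WPA_ITERATIONS, WPA_PSK_BYTES)

def passphrase_meets_policy(passphrase: str, min_len: int = 21) -> bool:
    """The slide's guidance: at least 21 characters. The iteration count is
    fixed by the standard, so passphrase length is the defender's lever; the
    SSID salt only stops one precomputed table from covering every network."""
    return valid_wpa_passphrase(passphrase) and len(passphrase) >= min_len

if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())
    # f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    print(passphrase_meets_policy("password"), passphrase_meets_policy("correct horse battery staple"))
```

The cross-check against hashlib matters when porting this to a configuration audit: a mismatch means the SSID or passphrase bytes were encoded differently from what the AP uses, which is the usual cause of a “correct” passphrase failing to join.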
WPA Authentication (Before Extended EAP – May 2005)
Personal Mode = Pre-Shared Key
Enterprise Mode = EAP-TLS
  • (Transport Layer Security)
WPA / WPA2 Authentication (Since Extended EAP – May 2005)
Now Five WPA / WPA2 Enterprise Standards
1. EAP-TLS
   a. Original EAP Protocol
   b. Among most secure but seldom implemented as it needs a client-side certificate, i.e., smartcard (SecurID Key Fob http://www.securid.com/)
WPA / WPA2 Authentication (Since Extended EAP – May 2005)
2. EAP-TTLS/MSCHAPv2 (Tunneled Transport Layer Security)
   a. Better than #1, as username and password not in clear text
3. PEAPv0/EAP-MSCHAPv2
   a. Commonly referred to as “PEAP”
   b. Most Widely Supported EAP Standard
WPA / WPA2 Authentication (Since Extended EAP – May 2005)
4. PEAPv1/EAP-GTC
   a. Created by Cisco as alternative to #3. Cisco’s LEAP or EAP-FAST standard not frequently used as it can be cracked.
   b. This standard is rarely used
5. EAP-SIM
   a. Used by GSM mobile telecom industry with SIM card authentication
Other Security Techniques
The following techniques may provide marginal additional security, but may also make network administration tasks more difficult:
The six dumbest ways to secure a wireless LAN
  • MAC Address Filtering
  • Disabling SSID Broadcasts
  • Disabling Access Point’s DHCP server (so new client addresses are not automatically issued)
  • Cisco LEAP / EAP-FAST
  • Use 802.11a / Bluetooth
  • Antenna type, placement, direction, and transmitted power levels – Effective Isotropic Radiated Power (EIRP)
http://www.netstumbler.com/2002/11/13/antenna_to_boost_wireless_security/
Security Configuration Recommendations
Enterprise
  1. WPA2 – RADIUS / Kerberos
  2. WPA2 – Pre-shared Key
  3. (Continue with SOHO / Personal options)
SOHO / Personal
  1. WPA with AES
  2. WPA with TKIP
  3. WEP with 128-bit key
  4. WEP with 64-bit key
  5. No Encryption
Security Configuration
When configuring a wireless router / access point, always use a ‘wired’ connection!
  • (Don’t cut ‘the branch you’re standing on’!)
When changing a configuration option, always make the change on the router / access point first, then make the compatible change on your local wireless network card / configuration!
Security Configuration Options
Other Firmware Options
Cisco/Linksys WRT54G/GS wireless router / access point utilizes some Open Source (Linux) code.
Cisco released the firmware source code in July, 2003 – additional branches of firmware are now available.
Sources Of Other Firmware
Sveasoft
  • http://www.sveasoft.com/
DD-WRT (I use this)
  • http://www.dd-wrt.org
Earthlink
Sputnik
LinksysInfo
WRT54G.net
Other Firmware Options Support / Provide:
VPN Services
VoIP Services
Configure as a repeater / bridge
A Managed ‘Hot Spot’ with RADIUS Support
Manage bandwidth per protocol
Control traffic shaping
Support IPv6
Boost antenna power
Remotely access router logs
Use router as a low power PC running Linux Applications
Bad firmware flash recovery:
  • WRT54G Revival Guide
    http://www.wi-fiplanet.com/tutorials/article.php/3562391
Miscellaneous Links
WEP Cracking Article
  • http://www.securityfocus.com/infocus/1814
SecureDVD
  • http://securedvd.org/screenshots.html