Wireless and how safe are you


Transcript of Wireless and how safe are you


About me
- Certified Ethical Hacker (C|EH)
- Computer Hacking Forensics Investigator (C|HFI)
- Offensive Security Wireless Professional (OSWP)
- Penetration tester
- Written articles for PenTest Magazine
- Consultant for the 7 year old hacks Wi-Fi project
- Infrastructure manager for Amplience UK

History of wireless
Modern day wireless is based upon the IEEE 802.11 family of standards (years are ratification years):
- 802.11a - 1999 - 5 GHz, speeds up to 54 Mbit/s
- 802.11b - 1999 - 2.4 GHz, speeds up to 11 Mbit/s
- 802.11g - 2003 - 2.4 GHz, speeds up to 54 Mbit/s
- 802.11n - 2009 - 2.4 GHz and 5 GHz, speeds from 54 Mbit/s up to 600 Mbit/s
- 802.11ac - 2013 - 5 GHz, speeds from roughly 500 Mbit/s to over 1 Gbit/s

802.1X (port-based network access control, not a radio standard) - authenticates each client with the Extensible Authentication Protocol (EAP), normally backed by a RADIUS server. This is the mechanism behind WPA/WPA2 "Enterprise" mode.

Types of wireless networks
Wireless networks come in a number of forms:
- WLAN - Wireless Local Area Network
- WPAN - Wireless Personal Area Network
- WMAN - Wireless Metropolitan Area Network
- WWAN - Wireless Wide Area Network

WLAN - Wireless Local Area Network
- Most popular implementation of wireless networks
- Short range communication
- Used in businesses and public areas
- Used to connect all kinds of devices
- Used with IoT devices

WPAN - Wireless Personal Area Network
- Short distance wireless network
- Used for connecting devices centred around an individual workspace
- Bluetooth is the most widely used technology
- Devices such as PCs, PDAs, peripherals, cell phones, pagers and consumer electronics

WMAN - Wireless Metropolitan Area Network
- Allows communication between two or more terminals (nodes) using one access point
- Communication between nodes within a radius of up to 25 miles
- Can be used for last mile connectivity in remote areas
- Typically owned by a single entity such as an ISP, government entity, or large corporation
- WiMAX is the most widely used form of WMAN, also known as IEEE 802.16 (wireless broadband)

WWAN - Wireless Wide Area Network
- Differs from WLAN by using mobile network technologies such as LTE, WiMAX (WMAN), GSM etc. to transfer data
- Uses Local Multipoint Distribution Service (LMDS) or Wi-Fi to provide Internet access
- These technologies are offered regionally, nationwide, or even globally and are provided by a wireless service provider
- Connectivity allows a user with a laptop and a WWAN card to surf the web, check email, or connect to a virtual private network (VPN) from anywhere within the regional boundaries of cellular service

Wireless channels (2.4 GHz band)

Channel  Frequency (MHz)  North America  Japan     Most of world
1        2412             Yes            Yes       Yes
2        2417             Yes            Yes       Yes
3        2422             Yes            Yes       Yes
4        2427             Yes            Yes       Yes
5        2432             Yes            Yes       Yes
6        2437             Yes            Yes       Yes
7        2442             Yes            Yes       Yes
8        2447             Yes            Yes       Yes
9        2452             Yes            Yes       Yes
10       2457             Yes            Yes       Yes
11       2462             Yes            Yes       Yes
12       2467             No             Yes       Yes
13       2472             No             Yes       Yes
14       2484             No             11b only  No


Wireless hacking tools

Wireless security
- WEP - Wired Equivalent Privacy
- WPA - Wi-Fi Protected Access
- WPA2 - Wi-Fi Protected Access v2

WEP
- Protocol designed to give a wireless link confidentiality comparable to a wired one
- Original implementation supported 40-bit encryption: a 40-bit key plus a 24-bit system-generated initialisation vector (IV) per frame (64 bits in total), fed to the RC4 stream cipher
- The short IV repeats quickly and the CRC-32 integrity check is not a real MAC, so WEP can still be easily cracked
- Still a lot of access points are configured with WEP

MOVE TO WPA2 NOW!

WEP Demo
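The WEP demo itself is not captured in the transcript. As an added illustration (not the speaker's demo, and not a capture of real traffic), the following Python builds a WEP frame body the way the slide describes it (24-bit IV, RC4 keyed with IV || 40-bit key, CRC-32 integrity check value) and then shows two of the weaknesses that make it crackable: keystream reuse when an IV repeats, and bit-flipping of the encrypted payload together with its CRC without knowing the key. The key, IV and payloads are constructed for the example.

```python
import math
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP's integrity check value: a plain CRC-32 (little-endian on the wire)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (3 bytes, sent in clear) || RC4(IV || key)(plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (plaintext, icv_ok) for a frame produced by wep_encrypt."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext, tag == icv(plaintext)


def keystream_reuse(frame1: bytes, frame2: bytes) -> bytes:
    """Two frames with the same IV use the same keystream, which cancels under XOR:
    C1 ^ C2 = P1 ^ P2. No key needed (assumes equal-length bodies)."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("IVs differ; keystreams are different")
    return xor(frame1[3:], frame2[3:])


def bit_flip(frame: bytes, delta: bytes) -> bytes:
    """Change the hidden plaintext P to P ^ delta without the key.
    CRC-32 is affine over GF(2): crc(P ^ delta) = crc(P) ^ crc(delta) ^ crc(00..0),
    so the encrypted ICV can be patched too. `delta` must cover the whole plaintext."""
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return frame[:3] + xor(frame[3:], delta + icv_delta)


def frames_until_iv_repeat(p: float = 0.5) -> float:
    """Birthday bound: frames needed before a 24-bit IV repeats with probability p."""
    return math.sqrt(2 * 2**24 * math.log(1 / (1 - p)))


if __name__ == "__main__":
    key = bytes.fromhex("0123456789")  # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"
    p1, p2 = b"amount=0010 to=bob", b"amount=0500 to=eve"  # constructed payloads
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print("P1^P2 recovered from IV reuse:", keystream_reuse(f1, f2)[:len(p1)] == xor(p1, p2))
    forged = bit_flip(f1, xor(p1, b"amount=9999 to=bob"))
    print("forged frame decrypts to:", wep_decrypt(key, forged))
    print("frames before a 50%% chance of IV repeat: %.0f" % frames_until_iv_repeat())
```

With only 2^24 IVs a busy AP repeats one within a few thousand frames, and each repeat hands an eavesdropper P1 ^ P2 for free; the CRC patch shows why "integrity" in WEP protects against line noise, not against an attacker. Both points hold regardless of key length, which is why the fix is to replace WEP rather than use a longer key.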

WPA
- Intermediate measure to take the place of WEP pending the availability of the full IEEE 802.11i standard
- WPA could be implemented through firmware upgrades on wireless cards designed for WEP
- Protocol implements much of the IEEE 802.11i standard; specifically, the Temporal Key Integrity Protocol (TKIP) was adopted for WPA
- WEP used a static 40-bit or 104-bit encryption key that was manually entered on wireless APs and devices
- TKIP employs a per-packet key: it dynamically derives a new 128-bit key for each packet, which prevents the keystream-reuse attacks that compromised WEP
- Includes a message integrity check, designed to prevent an attacker from altering and resending data packets; this replaces the CRC that was used by WEP
- Uses a message integrity check algorithm called Michael to verify the integrity of the packets

WPA Demo

WPA2
- WPA2 replaced WPA
- Implements the mandatory elements of IEEE 802.11i (the full standard WPA was a stop-gap for)
- Includes mandatory support for CCMP, an AES-based encryption mode (AES in CCM mode) that provides both confidentiality and integrity
- From 13th March 2006, WPA2 certification is mandatory for all new devices to bear the Wi-Fi trademark

War driving
- Searching for Wi-Fi networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA)
- Android users: download and play with WiGLE Wifi

Wireless security threats
- Man in the middle (MITM)
- Session hijacking
- Replay attacks
- Rogue access point

Man in the middle (MITM)
- ARP spoofing
- Intercepting traffic
- SSLStrip for HTTPS traffic

Man in the middle (MITM) - Demo

https://www.youtube.com/watch?v=UetP4XPW2Ic

Session hijacking

A session token could be compromised in different ways; the most common are:
- Predictable session token
- Session sniffing
- Client-side attacks (XSS, malicious JavaScript code, Trojans, etc.)
- Man-in-the-middle attack
- Man-in-the-browser attack

Replay attacks
- A form of network attack in which a valid transmission is maliciously or fraudulently repeated or delayed
- Carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution

For example, suppose Fred wants to prove his identity to Bob. Bob requests the password as proof of identity, which Fred provides; meanwhile, Alex is eavesdropping on the conversation and keeps the password (or the hash). After the interchange is over, Alex (posing as Fred) connects to Bob; when asked for proof of identity, Alex sends Fred's password (or hash) read from the last session, which Bob accepts, thus granting access to Alex.

How to avoid?
Replay attacks can be avoided by using session tokens: Bob sends a one-time token to Fred, which Fred uses to transform the password and sends the result to Bob (e.g. computing a hash function of the session token appended to the password). On his side Bob performs the same computation; if and only if both values match, the login is successful. Now suppose Alex has captured this value and tries to use it on another session; Bob sends a different session token, and when Alex replies with the captured value it will differ from Bob's computation. For this to work the token must be unpredictable and never reused, and Bob must discard it once it has been checked.
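The Fred/Bob/Alex exchange above, worked through in code as an added example (not from the talk). It models both Bob's first design (password or hash as proof, which Alex can replay) and the fixed design with a one-time token. One substitution is made and labelled: the proof is computed as HMAC-SHA256(password, nonce) rather than the slide's plain hash(token || password), so the password is used as a key instead of a bare hash prefix. Names, the password and the token length are constructed for the example.

```python
import hashlib
import hmac
import secrets


def respond(password: bytes, nonce: bytes) -> bytes:
    """Client side (Fred): bind the proof of identity to this session's nonce.
    HMAC is used here in place of the talk's hash(token || password)."""
    return hmac.new(password, nonce, hashlib.sha256).digest()


class NaiveServer:
    """Bob, first version: accepts the password hash itself as proof. Replayable."""

    def __init__(self, users: dict):
        self.users = {u: hashlib.sha256(p).digest() for u, p in users.items()}

    def login(self, user: str, proof: bytes) -> bool:
        return hmac.compare_digest(self.users.get(user, b""), proof)


class ChallengeServer:
    """Bob, fixed version: a fresh, unpredictable, one-time nonce per login attempt."""

    def __init__(self, users: dict):
        self.users = users   # constructed: user -> password; a real server keeps a verifier
        self.pending = {}    # user -> nonce issued but not yet consumed

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user: str, proof: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # consume: each nonce is good exactly once
        if nonce is None or user not in self.users:
            return False
        return hmac.compare_digest(respond(self.users[user], nonce), proof)


def run_scenario() -> dict:
    """Fred logs in while Alex eavesdrops; Alex then replays what was captured."""
    fred_pw = b"correct horse battery staple"  # constructed
    results = {}

    # Bob's naive design: whatever crosses the wire is reusable.
    naive = NaiveServer({"fred": fred_pw})
    captured = hashlib.sha256(fred_pw).digest()   # what Alex sees on the wire
    results["naive_fred"] = naive.login("fred", captured)
    results["naive_replay"] = naive.login("fred", captured)  # Alex, posing as Fred

    # Bob's fixed design: the proof is only valid for the nonce it was computed over.
    bob = ChallengeServer({"fred": fred_pw})
    nonce = bob.challenge("fred")
    captured = respond(fred_pw, nonce)            # Alex records nonce and response
    results["fred_login"] = bob.login("fred", captured)
    bob.challenge("fred")                         # Alex connects; Bob issues a new nonce
    results["alex_replay"] = bob.login("fred", captured)
    results["alex_replay_no_challenge"] = bob.login("fred", captured)  # no nonce outstanding
    return results


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {'accepted' if outcome else 'rejected'}")
```

The two behaviours that make the fix work are the `pop` in `login` (a token is consumed on first use, so even a replay against the same nonce fails) and `secrets.token_bytes` (Alex cannot predict the next token and precompute a response). Note that this stops replay only; it does not protect the password against an offline guess if Alex captures a nonce and response, which is why deployed protocols pair this with TLS or a password-authenticated key exchange.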

Rogue access point
- Any Wi-Fi access point that is installed on a network but is not authorised for operation on that network
- Not under the management of the network administrator
- Routes user traffic through the attacker's AP

Cost of a breach

Protecting the business
- Separate guest and enterprise networks
- Implement authentication via RADIUS
- Implement policies for connecting to the network
- Change the default password of wireless APs
- Using MS AD? Use GPO to auto-connect machines to APs
- Ensure the management interface is located on a management VLAN
- Implement WIPS / WIDS on enterprise grade APs
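The first two points (separate guest network, RADIUS authentication) and the earlier "move to WPA2 now" advice can be expressed as an access point configuration. The following hostapd configuration is an added example, not from the talk and not tied to any particular vendor's AP; the interface names, SSIDs, bridge name, RADIUS address and secrets are placeholders. The commented-out block at the top shows the legacy settings the talk warns about, next to the WPA2-Enterprise settings that replace them.

```ini
# hostapd.conf (added example; names and addresses are placeholders)
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# ---- Legacy settings still found on old APs: leave these out ----
# wep_default_key=0
# wep_key0=0123456789         # 40-bit WEP: keystream reuse, CRC "integrity"
# wpa=1
# wpa_pairwise=TKIP           # WPA/TKIP: stop-gap only, also deprecated

# ---- Corporate SSID: WPA2-Enterprise, 802.1X/EAP against RADIUS ----
ssid=CorpWiFi
bridge=br-corp
ignore_broadcast_ssid=0       # hiding the SSID adds no real protection
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP             # AES-CCMP only; no TKIP fallback
ieee8021x=1
auth_server_addr=10.0.0.10    # placeholder RADIUS server
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret
# Optional: let RADIUS place users into VLANs, so the management VLAN
# and user traffic stay separate without extra SSIDs.
# dynamic_vlan=1
# vlan_file=/etc/hostapd/hostapd.vlan

# ---- Guest SSID: its own BSS on a separate bridge, WPA2-PSK ----
bss=wlan0_guest
ssid=Guest
bridge=br-guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=replace-with-a-long-guest-passphrase
```

The two `bridge=` lines are what actually keep guest and corporate traffic apart: the SSIDs land on different Layer 2 segments, and the firewall between `br-guest`, `br-corp` and the management VLAN does the rest. The RADIUS shared secret is as sensitive as the AP's admin password and should be changed from any default in the same sweep.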

Protecting yourself
- Use strong passwords
- Use firewalls
- Don't advertise your SSID (note this only hides the network from casual browsing; the SSID is still sent in the clear when clients connect)
- Use WPA2 for your access points
- Change the default username and password of your wireless AP
- Forget public networks once you are done with them
- Use VPNs to protect information
- Don't send private information across unsecured connections
- Update Wi-Fi router firmware

Wireless security in the news
- Google Takes Wi-Fi Snooping Scandal to the Supreme Court: http://www.wired.com/2014/04/threatlevel_0401_streetview
- 7 year old hacks Wi-Fi within 10 minutes: http://www.itv.com/news/london/2015-01-21/7-year-old-girl-takes-just-10-minutes-to-hack-into-public-wifi-network-access-strangers-laptop
- AT&T injecting ads into Wi-Fi hotspots: http://www.theregister.co.uk/2015/08/26/att_hotspots_ad_injection

What can you learn from this?
- Wireless is insecure
- Don't ignore insecurity, it won't go away
- Be paranoid when connected to public wireless
- Use VPN connections / software: OpenVPN, HideMyAss, CyberGhost

Questions?