Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Wireless Security"

From NetSec
Jump to: navigation, search
(Reaver)
Line 53: Line 53:
 
[http://code.google.com/p/reaver-wps/wiki/README Reaver installation]
 
[http://code.google.com/p/reaver-wps/wiki/README Reaver installation]
 
[http://code.google.com/p/reaver-wps/wiki/HintsAndTips how to use reaver to crack a wireless network]
 
[http://code.google.com/p/reaver-wps/wiki/HintsAndTips how to use reaver to crack a wireless network]
 
 
 
 
 
[[Category:Network Security]]
 

Revision as of 22:18, 19 May 2012

Basics

Contrary to popular belief, wireless penetration is unbelievably simple. Whether a network uses WPA or WEP, an attacker finds it rather simple to crack large wireless networks. The first method of cracking into a network is device driver and hardware level exploitation. These are exploitation vectors which refer to vulnerabilities in device drivers and physical hardware in popular wireless cards, such as the Broadcom, Apple Airport, and Centrino wireless cards. Buffer overflows and frame parsing errors plague the hardware and software supporting these wireless cards and allow for what is called kernel-mode remote code execution. This is why wireless networks are dangerous liabilities for corporations.

Wireless sniffing also plagues wireless networks and is less difficult than sniffing wired networks. The reason that it is so easy to sniff out traffic on a wireless network is because an attacker can simply switch his wireless card into monitor mode and view all wireless data being transmitted at the physical device layer. This is equivalent to turning the receiver portion of the card on and then receiving all transmissions.

Another danger of wireless networks is what is referred to as “Beacon Injection”, which refers to a wireless hardware level MITM attack. The way the 802.11 protocol works, an access point is constantly broadcasting beacon packets at a particular interval, disclosing MAC address, channel and frequency, as well as the SSID of the access point. An attacker can transmit his or her own beacon packets, with the same SSID as the target access point however using his or her own MAC address, then use a MIMO (multiple input/multiple output) card to bridge the connection into the target access point. The result of this attack vector is the victim machine connecting to and believing that the attacker machine is the access point, and transmitting all data to the attacker’s machine rather than to the access point, while the attacker forwards the traffic to the real access point, recording all sensitive victim data.

WEP and WPA cracking is a very simple exploitation vector. Using kismet or airsnort an attacker can change his or her wireless card over to monitor mode and begin recording encrypted packets. Because of modern-day protocols, the encryption type is publically viewable. Using kismet and airsnort in combination with aircrack, once an attacker is recording wireless traffic, cracking the key is only a matter of time. Given enough packets, the key could be cracked in less than a minute. This is another reason that wireless networks should never be trusted for sensitive data.

A largely undocumented vulnerability in wireless phones (cellular phones) involves something called SIS Attachment Exploitation. SIS attachments are the picture and video attachments that can be attached to SMS text messages and sent phone to phone. Because most vendors do not check buffers surrounding this attachment zone, it is easy for an attacker to overflow the buffer and cause arbitrary machine code to be executed. It is for this reason that cellular phones should also never be trusted with sensitive data.

Wired Equivalent Privacy (WEP)

WEP - to be blunt but fair - is outdated and offers only minor security for wireless networks against an intruder. Although there still might be residential wireless networks that use WEP, major networks will most likely have more secure measures of protection. There are two main methods of authentication that can be used with WEP: Open System authentication and Shared Key authentication.

Open System is as bad (or as good) as it sounds, meaning there are no credentials required for authentication at the access point. Meaning - You guessed it, anyone can use it.

Shared Key authentication requires a four way handshake to occur for the client authentication; - The client sends a request to the access point - The access point responds with a clear text challenge - The client then responds with another request using the configured key - The access point then deciphers the key and if the text matches the challenge access is granted.

Wi-Fi Protected Access (WPA / WPA2-PSK)

Protip: Perhaps a small paragraph about reaver or similar WPS breaking utility should go here?
This article contains too little information, it should be expanded or updated.
Things you can do to help:
  • add more content.
  • update current content.

Replacing WPA & WEP, WPA2 is probably the most common security found on wireless networks. WPA2-PSK(Pre-shared key) is used for personal/residential wireless networks and can be problematic to crack. Each device on the wireless network authenticates with the access point using a key generated from a 256 bit encryption. When the pass phrase is sufficiently unique, brute-forcing may not be enough. However, there are tools which focus on WPS vunerabilities which allows us to steal the passphrase from the AP. One great tool for such purposes is called Reaver. Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases.

Reaver can only be used on Linux distributions but is a very helpful tool in recovering WPA passphrases. If you have not currently got a Linux distro installed on your PC, consider doing this ASAP. There are links in this wiki relating to such a feat. But I digress. http://code.google.com/p/reaver-wps/downloads/detail?name=reaver-1.3.tar.gz&can=2&q=

((More updates to follow on step by step instructions on reaver & aircrack-ng instructions))

Tools

[1]


Reaver

Reaver is a brute forcing WPS destroyer. Utilizing a security flaw in wireless security which was only revealed in 2011, Reaver systematically works its way through 10,000 feasible PIN numbers and as most wireless routers have this enabled by default, it proves to be a most successful wireless penetration tool. If you want a history lesson regarding Reaver, go google it. Here is how we use it. First up, this relies on you having a linux box, a wireless card that supports packet injection and the aircrack-ng tool suite installed. If you're still on a windows system I'd suggest getting linux asap. These days it's a piece of cake to make a live usb and with distros like ubuntu the transition from windows isn't a big deal.

Reaver installation how to use reaver to crack a wireless network