Difference between revisions of "Wireless Security"

From NetSec
(Wi-Fi Protected Access (WPA / WPA2-PSK))
(Tools)
Line 43: Line 43:
 
*Aireplay
 
*Aireplay
 
*[http://www.blackalchemy.to/project/fakeap/ Fakeap]
 
*[http://www.blackalchemy.to/project/fakeap/ Fakeap]
 
+
*Reaver
 +
[http://code.google.com/p/reaver-wps/downloads/detail?name=reaver-1.3.tar.gz&can=2&q=]
  
 
[[Category:Network Security]]
 
[[Category:Network Security]]
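Review bot: the new Reaver entry breaks the convention of the list above it: the download URL sits on its own line as a bare bracketed link with no label, so MediaWiki renders it as an anonymous numbered link (the rendered Tools section below shows only "[1]") instead of a named link like the Fakeap entry, and the URL points at the reaver-1.3 tarball rather than the project itself, so it will go stale with the next release. Suggest folding name and link into one item in the same form as Fakeap, e.g. `*[http://code.google.com/p/reaver-wps/downloads/detail?name=reaver-1.3.tar.gz&can=2&q= Reaver]`, and preferably linking the project page rather than one tarball.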

Revision as of 05:33, 15 March 2012

Basics

Contrary to popular belief, breaking into wireless networks is remarkably simple. Whether a network uses WPA or WEP, an attacker finds it relatively easy to crack even large wireless networks. The first method is device driver and hardware level exploitation: these vectors target vulnerabilities in the device drivers and physical hardware of popular wireless cards, such as the Broadcom, Apple AirPort and Centrino wireless cards. Buffer overflows and frame parsing errors plague the hardware and software supporting these cards and allow what is called kernel-mode remote code execution. This is why wireless networks are dangerous liabilities for corporations.

Wireless sniffing also plagues wireless networks and is easier than sniffing wired networks. Traffic on a wireless network is so easy to sniff because an attacker can simply switch a wireless card into monitor mode and view all wireless data being transmitted at the physical layer. This is equivalent to turning on the receiver portion of the card and then receiving every transmission within range.

Another danger of wireless networks is what is referred to as "Beacon Injection", a hardware level MITM attack on wireless. In the 802.11 protocol, an access point constantly broadcasts beacon frames at a fixed interval, disclosing its MAC address, channel and frequency, as well as its SSID. An attacker can transmit his or her own beacon frames with the same SSID as the target access point but with his or her own MAC address, then use a MIMO (multiple input/multiple output) card to bridge the connection into the target access point. The result is that the victim machine connects to the attacker's machine believing it is the access point and sends all of its data there; the attacker forwards the traffic on to the real access point while recording all of the victim's sensitive data.
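As an added example (not from the original article), here is a small Python parser for the beacon fields just listed, together with a defender-side check that flags one of our SSIDs being advertised from a BSSID we do not own, which is what the attack above looks like on the air. The frames, SSIDs and MAC addresses are constructed sample input.

```python
import struct

def build_beacon(bssid: bytes, ssid: str, channel: int, interval: int = 100) -> bytes:
    """Constructed 802.11 beacon (management frame, subtype 8) used as sample input."""
    fc, dur, bcast = b"\x80\x00", b"\x00\x00", b"\xff" * 6
    hdr = fc + dur + bcast + bssid + bssid + b"\x00\x00"   # addr1=DA, addr2=SA, addr3=BSSID, seq ctl
    fixed = struct.pack("<QHH", 0, interval, 0x0411)       # timestamp, beacon interval, capabilities
    ies = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])  # SSID IE, DS Parameter IE
    return hdr + fixed + ies

def parse_beacon(frame: bytes) -> dict:
    """Extract what the text says a beacon discloses: BSSID, SSID, channel and interval."""
    if len(frame) < 36 or frame[0] & 0xFC != 0x80:
        raise ValueError("not a beacon frame")
    info = {
        "bssid": frame[16:22].hex(":"),                    # addr3 carries the BSSID
        "interval": struct.unpack_from("<H", frame, 32)[0],
        "ssid": None,
        "channel": None,
    }
    pos = 36                                               # first tagged parameter
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if tag == 0:
            info["ssid"] = value.decode(errors="replace")
        elif tag == 3 and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info

def rogue_ssids(beacons, known: dict) -> list:
    """Return parsed beacons that advertise a known SSID from a BSSID not in our
    allow-list (known maps SSID -> set of legitimate BSSIDs)."""
    alerts = []
    for frame in beacons:
        b = parse_beacon(frame)
        if b["ssid"] in known and b["bssid"] not in known[b["ssid"]]:
            alerts.append(b)
    return alerts
```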

WEP and WPA cracking is a very simple exploitation vector. Using kismet or airsnort, an attacker can switch his or her wireless card to monitor mode and begin recording encrypted packets. Because of how modern protocols work, the encryption type is publicly visible. Using kismet and airsnort in combination with aircrack, once an attacker is recording wireless traffic, cracking the key is only a matter of time. Given enough packets, the key can be cracked in less than a minute. This is another reason that wireless networks should never be trusted with sensitive data.

A largely undocumented vulnerability in wireless (cellular) phones involves something called SIS Attachment Exploitation. SIS attachments are the picture and video attachments that can be attached to SMS text messages and sent from phone to phone. Because most vendors do not check the buffers surrounding this attachment area, it is easy for an attacker to overflow the buffer and cause arbitrary machine code to be executed. For this reason cellular phones should also never be trusted with sensitive data.

Wired Equivalent Privacy (WEP)

WEP - to be blunt but fair - is outdated and offers only minor security for wireless networks against an intruder. Although there may still be residential wireless networks that use WEP, larger networks will most likely have more secure protection in place. There are two main methods of authentication that can be used with WEP: Open System authentication and Shared Key authentication.

Open System is as bad (or as good) as it sounds: no credentials are required for authentication at the access point. Meaning, you guessed it, anyone can use it.

Shared Key authentication requires a four-way handshake for client authentication:
  • The client sends an authentication request to the access point.
  • The access point responds with a clear-text challenge.
  • The client encrypts the challenge with the configured key and sends it back in another request.
  • The access point decrypts the response with its key; if the text matches the challenge, access is granted.
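To make the handshake concrete, and to show why Shared Key is generally rated weaker than Open System, here is an added Python simulation (not code from the original article) of the four messages with a WEP-style RC4 response. The key, IV and challenge are constructed sample values; status code 15 is the 802.11 "challenge failure" status.

```python
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4, the cipher WEP uses: key scheduling, then XOR the keystream over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 appended before encryption."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def shared_key_auth(ap_key: bytes, client_key: bytes, iv: bytes, challenge: bytes):
    """The four messages of Shared Key authentication; returns (granted, transcript)."""
    msg1 = {"seq": 1, "alg": "shared"}                          # client -> AP: authentication request
    msg2 = {"seq": 2, "challenge": challenge}                   # AP -> client: 128-byte clear-text challenge
    body = rc4(iv + client_key, challenge + icv(challenge))     # client: RC4(IV||key) over challenge||ICV
    msg3 = {"seq": 3, "iv": iv, "body": body}                   # client -> AP: IV sent in clear, body encrypted
    plain = rc4(iv + ap_key, body)                              # AP decrypts with its own configured key
    text, tag = plain[:-4], plain[-4:]
    granted = text == msg2["challenge"] and tag == icv(text)
    msg4 = {"seq": 4, "status": 0 if granted else 15}           # AP -> client: success (0) or challenge failure (15)
    return granted, [msg1, msg2, msg3, msg4]

def keystream_leaked(transcript) -> bytes:
    """What anyone who overheard the exchange learns: the clear-text challenge XOR the
    encrypted reply is the RC4 keystream for this IV. Open System never exposes that."""
    challenge = transcript[1]["challenge"]
    reply = transcript[2]["body"]
    return bytes(c ^ r for c, r in zip(challenge, reply))
```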

Wi-Fi Protected Access (WPA / WPA2-PSK)


Replacing WPA and WEP, WPA2 is probably the most common security found on wireless networks. WPA2-PSK (Pre-Shared Key) is used for personal and residential wireless networks and can be hard to crack. Each device on the wireless network authenticates with the access point using a 256-bit key derived from the passphrase. When the passphrase is sufficiently unique, brute-forcing may not be enough. However, there are tools that focus on WPS vulnerabilities, which allow the passphrase to be recovered from the AP. One well-known tool for this purpose is Reaver. Reaver implements a brute force attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases.
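To show what the 256-bit key and the "sufficiently unique passphrase" remark mean in practice, here is an added Python example (not from the original article) that derives the WPA2-PSK the way 802.11i specifies (PBKDF2-HMAC-SHA1, salted with the SSID, 4096 rounds) and measures how many passphrase guesses one CPU core can test per second. The SSID, passphrases and keyspace are constructed sample values.

```python
import hashlib
import time

def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit Pairwise Master Key for WPA2-PSK: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 32-byte output (802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)

def guesses_per_second(ssid: str, samples: int = 20) -> float:
    """Rough rate at which candidate passphrases can be tested against one SSID:
    every guess costs a full PBKDF2 derivation, which is the point of the 4096 rounds."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_psk(f"candidate{i}", ssid)          # constructed throwaway candidates
    return samples / (time.perf_counter() - start)

def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try every passphrase in a keyspace at the measured rate."""
    return keyspace / rate

if __name__ == "__main__":
    ssid = "HomeNet"                              # constructed sample SSID
    print("PSK:", wpa2_psk("correct horse battery", ssid).hex())
    rate = guesses_per_second(ssid)
    print(f"~{rate:.0f} guesses/s on this CPU")
    # 8 lowercase letters vs. 12 mixed-case letters and digits: same key size, very different search
    for label, space in (("8 lowercase letters", 26 ** 8), ("12 alphanumerics", 62 ** 12)):
        print(f"{label}: ~{seconds_to_exhaust(space, rate) / 86400:.3g} days")
```

The salt being the SSID also means a precomputed table only helps against networks with that exact SSID, which is why a non-default SSID matters as well as the passphrase.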

Reaver can only be used on Linux distributions but is a very helpful tool for recovering WPA passphrases. If you do not currently have a Linux distro installed on your PC, consider doing so ASAP; there are links elsewhere in this wiki on how to do that. But I digress. Reaver can be downloaded from http://code.google.com/p/reaver-wps/downloads/detail?name=reaver-1.3.tar.gz&can=2&q=

(More updates to follow with step-by-step instructions for reaver and aircrack-ng.)

Tools

  • Aireplay
  • Fakeap: http://www.blackalchemy.to/project/fakeap/
  • Reaver: http://code.google.com/p/reaver-wps/downloads/detail?name=reaver-1.3.tar.gz&can=2&q=