
Difference between revisions of "Wireless Security"

From NetSec

Revision as of 18:54, 3 September 2011

Basics

Contrary to popular belief, wireless penetration is unbelievably simple. Whether a network uses WPA or WEP, an attacker finds it rather simple to crack large wireless networks. The first method of cracking into a network is device driver and hardware level exploitation: exploitation vectors that target vulnerabilities in the device drivers and physical hardware of popular wireless cards, such as the Broadcom, Apple Airport, and Centrino cards. Buffer overflows and frame parsing errors plague the hardware and software supporting these wireless cards and allow for what is called kernel-mode remote code execution. This is why wireless networks are dangerous liabilities for corporations.

Wireless sniffing also plagues wireless networks and is less difficult than sniffing wired networks. Sniffing traffic on a wireless network is easy because an attacker can simply switch a wireless card into monitor mode and view all wireless data being transmitted at the physical device layer. This is equivalent to turning on the receiver portion of the card and then receiving all transmissions.

Another danger of wireless networks is what is referred to as “Beacon Injection”, a wireless hardware level MITM attack. In the 802.11 protocol, an access point constantly broadcasts beacon packets at a particular interval, disclosing its MAC address, channel and frequency, as well as its SSID. An attacker can transmit his or her own beacon packets with the same SSID as the target access point but his or her own MAC address, then use a MIMO (multiple input/multiple output) card to bridge the connection into the target access point. The result of this attack vector is that the victim machine connects to the attacker machine believing it is the access point and transmits all of its data there rather than to the access point, while the attacker forwards the traffic to the real access point and records all sensitive victim data.
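The beacon fields named above (BSSID, SSID, channel) are exactly what a defender can watch for the impostor beacons this attack relies on. The following is an added example, not code from the NetSec page: it parses constructed 802.11 beacon frames and flags any beacon that advertises one of your own SSIDs from a BSSID outside an allow-list of your access points. The MAC addresses, SSIDs and the `KNOWN_APS` allow-list are all made-up sample values.

```python
import struct
from collections import defaultdict

def build_beacon(bssid: bytes, ssid: bytes, channel: int) -> bytes:
    """Build a minimal 802.11 beacon frame (constructed test data, not a real capture)."""
    frame_control = b"\x80\x00"                    # management frame, subtype beacon
    header = frame_control + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)    # timestamp, beacon interval, capability
    tags = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])  # SSID tag, DS (channel) tag
    return header + fixed + tags

def parse_beacon(frame: bytes):
    """Return (bssid, ssid, channel) for a beacon frame, or None for any other frame."""
    if len(frame) < 36 or frame[0] != 0x80:
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # Addr3 of a beacon is the BSSID
    ssid, channel = None, None
    pos = 36                                     # 24-byte MAC header + 12 bytes fixed params
    while pos + 2 <= len(frame):                 # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:                   # truncated tag: stop, do not trust the rest
            break
        if tag == 0:
            ssid = body.decode("utf-8", "replace")
        elif tag == 3 and length == 1:
            channel = body[0]
        pos += 2 + length
    return bssid, ssid, channel

def find_rogue_beacons(frames, known_aps):
    """known_aps maps each SSID you operate to the BSSIDs allowed to beacon it. Returns
    {ssid: {(bssid, channel), ...}} for beacons of your SSIDs from a BSSID you do not own.
    An allow-list is used rather than 'same SSID, different MAC' alone, because a
    legitimate multi-AP network shares one SSID across several BSSIDs."""
    rogue = defaultdict(set)
    for bssid, ssid, channel in filter(None, map(parse_beacon, frames)):
        if ssid in known_aps and bssid not in known_aps[ssid]:
            rogue[ssid].add((bssid, channel))
    return dict(rogue)

# Constructed sample: two real corporate APs, one impostor copying the SSID, one neighbour,
# and one non-beacon (data) frame that the parser must ignore.
KNOWN_APS = {"CorpWiFi": {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}}
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("aabbccddee01"), b"CorpWiFi", 6),
    build_beacon(bytes.fromhex("aabbccddee02"), b"CorpWiFi", 11),
    build_beacon(bytes.fromhex("001122334455"), b"CorpWiFi", 6),   # unknown BSSID
    build_beacon(bytes.fromhex("0a0b0c0d0e0f"), b"Neighbour", 1),
    b"\x08\x00" + b"\x00" * 40,
]
```

Running `find_rogue_beacons(SAMPLE_FRAMES, KNOWN_APS)` reports only the unknown BSSID beaconing "CorpWiFi"; the neighbour's SSID is not yours and is not reported.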

WEP and WPA cracking is a very simple exploitation vector. Using kismet or airsnort, an attacker can switch his or her wireless card over to monitor mode and begin recording encrypted packets. Because of modern-day protocols, the encryption type is publicly viewable. Using kismet and airsnort in combination with aircrack, once an attacker is recording wireless traffic, cracking the key is only a matter of time. Given enough packets, the key could be cracked in less than a minute. This is another reason that wireless networks should never be trusted with sensitive data.

A largely undocumented vulnerability in wireless phones (cellular phones) involves something called SIS Attachment Exploitation. SIS attachments are the picture and video attachments that can be attached to SMS text messages and sent from phone to phone. Because most vendors do not check the buffers surrounding this attachment zone, it is easy for an attacker to overflow the buffer and cause arbitrary machine code to be executed. It is for this reason that cellular phones should also never be trusted with sensitive data.

Tools