Wireless Security Demonstration

Nebraska CERT Conference 2002

Initial Lab setup

Wireless attack
      RF Sniff for
      ·channel
      ·ssid
      ·wep key
      Show access to the "sensitive data" (smb protocol activity)

Penetration test
      ·personal firewall stopped
      ·personal firewall started

Reconfiguration to VPN + Personal Firewall
      ·Sniff (Show 128 bit RC4 Stateless PPTP VPN activity)


Initial Lab setup

The lab drawing supplied in the slide show is not 100% correct. The IP subnet 192.168.5.0/24 should have been 192.168.2.0/24.

1) Power on 5 port Linksys workgroup hub

2) Connect Symbol Access Point to Linksys workgroup hub and power up

3) Connect Snap Gear "WAN" interface to Linksys and power up
            IP=192.168.2.1 (Note: drawing incorrectly shows 192.168.5.1)

4) Connect Node 4 (LRP DHCP server) internal interface to Linksys workgroup hub and power up. No keyboard, video, or mouse should be required.
            IP=192.168.2.254

5) Install Cisco Aironet PCMCIA wireless NIC in Node 1 top slot and power up.
            IP=192.168.2.3 (dynamically allocated but should stay at this address)

6) Connect Linksys USB wireless NIC to the back of Node 2 and power up.
            IP=192.168.2.5 (dynamically allocated but should stay at this address)

7) Connect Node 3 to Linksys workgroup hub and power up
            IP=192.168.2.6

8) Install Linksys PCMCIA in top PCMCIA slot of Node 5. Install 3COM 10/100 LAN PC Card in the bottom PCMCIA slot of Node 5. Power up.

9) Connectivity tests
            Login and repeat the tests below on each of nodes 1, 2, 3, 5:

                        ping 192.168.2.254 (will succeed)
                        ping 192.168.2.1 (will fail)
                        arp -a (verify that both of the above IPs are in the arp table)

10) Launch the "generate wireless traffic" batch file from the desktop on nodes 1 and 2 (large SMB file copy from node 3 to nodes 1 and 2).


Wireless attack

      Sniff for
      ·channel
      ·ssid
      ·wep key

      Show access to the "sensitive data"

11) Node 5
            Initialize the wireless card into RFmon mode and ifconfig up the card:
            ifconfig wlan0 up
            kismet_monitor ; kismet_hopper &

12) Execute kismet

13) Identify channel of target wireless network.
            Q to quit
            iwconfig wlan0 channel X (6 in lab)

14) Alt-F2
            startx
            open an Xterm

15) ethereal &
            Open the kismet dump and find the SSID
            Set the SSID on the card with iwconfig

16) airsnort & Get AirSnort started capturing weak initialization vectors.


Summary: Thus far we have shown that all information about wireless networks can be easily obtained from the RF signal itself. A successful WEP key crack shows that WEP is not secure.
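As an added illustration (not part of the demo script or Kismet's code), the Python below decodes the fields a passive sniffer reads from an 802.11 beacon frame; the frame bytes, BSSID and SSID are constructed sample data. It shows why the channel, SSID and privacy flag are visible to any receiver: beacons are management frames, and WEP only ever encrypts data frames.

```python
# Added example: decode channel, SSID and the WEP (privacy) flag from a beacon.
# Beacons are unencrypted management frames, so nothing here needs a key.
import struct

FC_BEACON = 0x0080          # frame control: type=management, subtype=beacon (LE 16-bit)
CAP_PRIVACY = 0x0010        # capability bit 4: WEP/privacy required
TAG_SSID, TAG_DS_PARAMS = 0, 3   # information element ids

def parse_beacon(frame: bytes) -> dict:
    """Return bssid, ssid, channel and wep flag from a raw beacon frame."""
    fc, = struct.unpack_from("<H", frame, 0)
    if fc & 0x00FF != FC_BEACON:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # addr3 of the MAC header
    # fixed fields after the 24-byte header: timestamp(8) interval(2) capability(2)
    capability, = struct.unpack_from("<H", frame, 24 + 10)
    info = {"bssid": bssid, "ssid": None, "channel": None,
            "wep": bool(capability & CAP_PRIVACY)}
    pos = 24 + 12
    while pos + 2 <= len(frame):             # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) != length:
            break                            # truncated element; stop cleanly
        if tag == TAG_SSID:
            info["ssid"] = body.decode("utf-8", "replace")
        elif tag == TAG_DS_PARAMS and length == 1:
            info["channel"] = body[0]
        pos += 2 + length
    return info

def build_beacon(bssid: bytes, ssid: str, channel: int, wep: bool) -> bytes:
    """Construct a minimal beacon for offline testing (sample data, not a capture)."""
    header = struct.pack("<HH", FC_BEACON, 0) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = 0x0001 | (CAP_PRIVACY if wep else 0)           # ESS bit plus privacy
    fixed = struct.pack("<QHH", 0, 100, cap)             # timestamp, interval, capability
    ies = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    ies += bytes([1, 1, 0x82])                            # supported rates: 1 Mbit basic
    ies += bytes([TAG_DS_PARAMS, 1, channel])
    return header + fixed + ies

# Constructed sample: a lab access point on channel 6 with WEP enabled.
SAMPLE_BEACON = build_beacon(bytes.fromhex("020000000601"), "lab", 6, True)

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BEACON))
```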

 

 

 

 

 

 

 

Penetration test

·personal firewall stopped

·personal firewall started

 

 

17)  stop the firewall on node 2

 

18)  launch net recon on node 1  (the password is security)

 

19)  heavy scan node 2

 

20)  start the firewall on node 2

 

21)  heavy scan node 2 again

 

22)  Compare results.  Note:  node 2 was just patched 3 days ago

 

23)  Scan Node 5.  Patches were omitted from Node 5 on purpose and the firewall policy on 5 is not adequate to protect the vulnerable services on the system. 

 

24)  The vulnerable apache service is off.  /etc/rc.d/init.d/httpd start

 

25)  Scan node 5 gain and compare the results.
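The "compare results" steps above (19 to 21 and 23 to 25) are easier to read with a diff of the two scans. This is an added example, not the demo's own tooling: it parses a constructed "host port/proto state" line format rather than the scanner's real output, and reports what the firewall hid, what a service start exposed, and what stayed reachable either way.

```python
# Added example (not the demo's own tooling): compare two scans of one node,
# as in steps 19-21 (firewall off vs. on) and 23-25 (httpd off vs. on). Input is
# a constructed "host port/proto state" line format, not the scanner's output.
from collections import defaultdict

def parse_scan(text: str) -> dict:
    """Map host -> {port/proto: state} from lines like '192.168.2.5 139/tcp open'."""
    result = defaultdict(dict)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip trailing comments
        if line:
            host, port, state = line.split()
            result[host][port] = state
    return dict(result)

def compare_scans(before: dict, after: dict) -> dict:
    """Per host: ports that became reachable, became hidden, or stayed open."""
    report = {}
    for host in sorted(set(before) | set(after)):
        open_b = {p for p, s in before.get(host, {}).items() if s == "open"}
        open_a = {p for p, s in after.get(host, {}).items() if s == "open"}
        report[host] = {
            "exposed": sorted(open_a - open_b),     # new attack surface
            "hidden": sorted(open_b - open_a),      # blocked or service stopped
            "still_open": sorted(open_b & open_a),  # needs a patch or a rule
        }
    return report

# Constructed sample: node 2 before and after starting its personal firewall.
NODE2_FIREWALL_OFF = """
192.168.2.5 135/tcp open      # RPC endpoint mapper
192.168.2.5 139/tcp open      # NetBIOS session (SMB file sharing)
192.168.2.5 445/tcp open      # SMB over TCP
192.168.2.5 80/tcp  closed
"""
NODE2_FIREWALL_ON = """
192.168.2.5 135/tcp filtered
192.168.2.5 139/tcp open      # hole left for the SMB demo traffic
192.168.2.5 445/tcp filtered
192.168.2.5 80/tcp  filtered
"""

def node2_report() -> dict:
    return compare_scans(parse_scan(NODE2_FIREWALL_OFF), parse_scan(NODE2_FIREWALL_ON))

if __name__ == "__main__":
    for host, r in node2_report().items():
        print(host, r)
```

The "still_open" list is the one to act on: it is exactly the hole the firewall summary below warns about.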

 

 

Summary: We have shown that the individual PC OS is a potential entry point. Patching helps, but it does not stop the problem entirely.

Turning off services ensures that vulnerabilities in a service that is not needed cannot be exploited from the network. Start them and you are vulnerable unless a firewall is blocking all access to the service.

Firewalls stop the problem right up until you poke holes in them to allow access.

Reconfiguration to VPN + Personal Firewall

·Sniff


23) Unplug the Ethernet dongle from the Ethernet card on Node 3. This will cause Windows 98 to stop sensing the speed on the adapter.

24) Unplug node 3's cable from the Linksys workgroup hub and connect it to a LAN 10/100 Mbit connection on the Snap Gear

25) Connect the dongle to the Ethernet card on Node 3

26) Launch winipcfg. Choose the Ethernet adapter from the pulldown. Release, then Renew. Your IP should be 192.168.4.100 now. If it is not, the "generate VPN...." batch files on node 1 and node 2 will need to be fixed.

27) Launch the "generate VPN ...." batch files on node 1 and node 2.

28) Sniff the traffic with Ethereal and show the encrypted packets

 

Summary: Even if someone were to break the wireless, they would still have to get past the personal firewalls or the 128 bit RC4 stateless encryption to get this network's data.

Probable clear text may be useful for breaking PPTP even if it is RC4 128 bit stateless (stateless mode uses CBC plus a rekey on every packet).

168 bit 3DES IPsec VPN using certificates is significantly stronger encryption. IKE key lifetimes should still be kept down around 20 minutes or 8 MB of data to close off the probable clear text analysis path.
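To make the lifetime recommendation concrete, here is an added simulation (not from the demo and not tied to any real IKE daemon) of a security association that rekeys on whichever limit is reached first, 20 minutes or 8 MB under one key. The three packet streams are constructed; they show that a bulk copy trips the byte limit long before the clock does, while an idle link is rekeyed purely on time.

```python
# Added example (not from the demo script): simulate the SA lifetime policy the
# summary recommends, rekeying on whichever limit is hit first: 20 minutes of
# time or 8 MB of data under one key. Packet streams below are constructed.
TIME_LIMIT_S = 20 * 60          # 20 minutes
BYTE_LIMIT = 8 * 1024 * 1024    # 8 MB

class SaLifetime:
    """Tracks one IPsec SA and says when a fresh key must be negotiated."""
    def __init__(self, start_time: float):
        self.key_index = 0               # number of keys used so far
        self.reset(start_time)

    def reset(self, now: float) -> None:
        self.key_index += 1
        self.key_start = now
        self.key_bytes = 0

    def offer(self, now: float, size: int) -> bool:
        """Account for one packet; return True if it forced a rekey first."""
        expired = now - self.key_start >= TIME_LIMIT_S
        exhausted = self.key_bytes + size > BYTE_LIMIT
        if expired or exhausted:
            self.reset(now)              # negotiate a new key before sending
        self.key_bytes += size
        return expired or exhausted

def simulate(packets) -> dict:
    """Run (time_s, size_bytes) packets through the policy and report rekeys."""
    sa = SaLifetime(packets[0][0])
    rekey_times = [t for t, size in packets if sa.offer(t, size)]
    return {"keys_used": sa.key_index, "rekey_times": rekey_times}

# Constructed streams: a 30-minute bulk copy, a 1-second burst, and an idle link.
BULK_COPY = [(i * 0.1, 1500) for i in range(18000)]    # 27 million bytes over 30 min
BURST = [(i * 0.0001, 1500) for i in range(10000)]     # 15 million bytes in one second
KEEPALIVES = [(i * 60.0, 100) for i in range(61)]      # 100 bytes a minute for 1 hour

if __name__ == "__main__":
    for name, stream in [("bulk", BULK_COPY), ("burst", BURST), ("idle", KEEPALIVES)]:
        print(name, simulate(stream))
```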