This chapter discusses hacking wireless networks. It explains wireless technology and standards such as 802.11. Authentication in wireless networks involves establishing that a user is authorized to use the network. Various wireless hacking tools and the process of "wardriving" are also described.
1. Hands-On Ethical Hacking and Network Defense
Chapter 11
Hacking Wireless Networks
Last revised 10-30-08 5 pm
2. Objectives
Explain wireless technology
Describe wireless networking standards
Describe the process of authentication
Describe wardriving
Describe wireless hacking and tools used by hackers and security professionals
3. Understanding Wireless Technology
For a wireless network to function, you must have the right hardware and software
Wireless technology is part of our lives
Baby monitors
Cell and cordless phones
Pagers
GPS
Remote controls
Garage door openers
Two-way radios
4. Components of a Wireless Network
A wireless network has only three basic components
Access Point (AP)
Wireless network interface card (WNIC)
Ethernet cable
5. Access Points
An access point (AP) is a transceiver that connects to an Ethernet cable
It bridges the wireless network with the wired network
Not all wireless networks connect to a wired network
Most companies have Wireless LANs (WLANs) that connect to their wired network topology
6. Access Points
The AP is where channels are configured
An AP enables users to connect to a LAN using wireless technology
An AP is available only within a defined area
7. Service Set Identifiers (SSIDs)
Name used to identify the wireless local area network (WLAN)
The SSID is configured on the AP
Unique 1- to 32-character alphanumeric name
Name is case sensitive
Wireless computers need to configure the SSID before connecting to a wireless network
8. Service Set Identifiers (SSIDs)
SSID is transmitted with each packet
Identifies which network the packet belongs to
The AP usually broadcasts the SSID
9. Service Set Identifiers (SSIDs)
Many vendors have SSIDs set to a default value that companies never change
An AP can be configured to not broadcast its SSID until after authentication
Wireless hackers can attempt to guess the SSID
Verify that your clients or customers are not using a default SSID
11. Configuring an Access Point
Configuring an AP varies depending on the hardware
Most devices allow access through any Web browser
Enter the IP address in your Web browser and provide your user logon name and password
12. Wireless Router
A wireless router includes an access point, a router, and a switch
14. Configuring an Access Point
Wireless Configuration Options
SSID
Wired Equivalent Privacy (WEP) encryption
WPA (Wi-Fi Protected Access) is better
15. Configuring an Access Point (continued)
Steps for configuring a D-Link wireless router (continued)
Turn off SSID broadcast
You should also change your SSID
17. Wireless NICs
For wireless technology to work, each node or computer must have a wireless NIC
NIC’s main function
Converting the radio waves it receives into digital signals the computer understands
18. Wireless NICs
There are many wireless NICs on the market
Choose yours depending on how you plan to use it
Some tools require certain specific brands of NICs
19. Understanding Wireless Network Standards
A standard is a set of rules formulated by an organization
Institute of Electrical and Electronics Engineers (IEEE)
Defines several standards for wireless networks
20. IEEE: CCSF Student Chapter
Next meeting:
Thurs, Nov 6, 2008 in Sci 37, 5:00 pm
Email sbowne@ccsf.edu for more info
21. IEEE Standards
Standards pass through these groups:
Working group (WG)
Sponsor Executive Committee (SEC)
Standards Review Committee (RevCom)
IEEE Standards Board
IEEE Project 802
LAN and WAN standards
22. The 802.11 Standard
The first wireless technology standard
Defined wireless connectivity at 1 Mbps and 2 Mbps within a LAN
Applied to layers 1 and 2 of the OSI model
Wireless networks cannot detect collisions
Carrier sense multiple access/collision avoidance (CSMA/CA) is used instead of CSMA/CD
23. Addressing
Wireless LANs do not have an address associated with a physical location
An addressable unit is called a station (STA)
24. The Basic Architecture of 802.11
802.11 uses a basic service set (BSS) as its building block
Computers within a BSS can communicate with each other
25. The Basic Architecture of 802.11
To connect two BSSs, 802.11 requires a distribution system (DS)
26. Frequency Range
In the United States, Wi-Fi uses frequencies near 2.4 GHz
(Except 802.11a at 5 GHz)
There are 11 channels, but they overlap, so only three are commonly used
See link Ch 11c (cisco.com)
27. Infrared (IR)
Infrared light can’t be seen by the human eye
IR technology is restricted to a single room or line of sight
IR light cannot penetrate walls, ceilings, or floors
Image: IR transmitter for wireless headphones
28. IEEE Additional 802.11 Projects
802.11a
Created in 1999
Operating frequency 5 GHz
Throughput 54 Mbps
29. IEEE Additional 802.11 Projects (continued)
802.11b
Operates in the 2.4 GHz range
Throughput 11 Mbps
Also referred to as Wi-Fi (wireless fidelity)
Allows for 11 channels to prevent overlapping signals
Effectively only three channels (1, 6, and 11) can be used in combination without overlapping
Introduced Wired Equivalent Privacy (WEP)
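Why only channels 1, 6, and 11 fit together (Frequency Range and 802.11b slides), worked through in an added example that is not part of the original slides. It assumes the standard 2.4 GHz channel plan (channel 1 centered at 2412 MHz, 5 MHz spacing) and the 22 MHz width of an 802.11b signal; the function names and the survey list are constructed for illustration.

```python
# Added example: 2.4 GHz channel overlap for the 11 US channels.
CHANNEL_WIDTH_MHZ = 22        # assumption: width of an 802.11b (DSSS) signal
US_CHANNELS = range(1, 12)    # channels 1..11, as on the slide


def center_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz channel: 2412 MHz for channel 1, +5 MHz each."""
    if channel not in US_CHANNELS:
        raise ValueError(f"not a US 2.4 GHz channel: {channel}")
    return 2407 + 5 * channel


def overlaps(a: int, b: int) -> bool:
    """Two signals overlap when their centers are closer than one channel width."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping(channels=US_CHANNELS) -> list:
    """Greedily pick channels, lowest first, that do not overlap any chosen one."""
    chosen = []
    for ch in channels:
        if not any(overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def interference(candidate: int, observed: list) -> int:
    """Number of surveyed APs whose signal overlaps the candidate channel."""
    return sum(1 for ch in observed if overlaps(candidate, ch))


def recommend_channel(observed: list) -> int:
    """Choose the non-overlapping channel with the fewest overlapping neighbours."""
    return min(non_overlapping(), key=lambda ch: (interference(ch, observed), ch))


if __name__ == "__main__":
    survey = [1, 1, 2, 11, 11, 11]   # constructed: channels seen during a site survey
    print("usable together:", non_overlapping())
    for ch in non_overlapping():
        print(f"channel {ch:2d} ({center_mhz(ch)} MHz): "
              f"{interference(ch, survey)} overlapping APs")
    print("recommended:", recommend_channel(survey))
```

Channels five apart sit 25 MHz from each other, just over the 22 MHz width, which is why an AP on channel 2 still disturbs channel 6.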
30. IEEE Additional 802.11 Projects (continued)
802.11e
It has improvements to address the problem of interference
When interference is detected, signals can jump to another frequency more quickly
802.11g
Operates in the 2.4 GHz range
Throughput increased from 11 Mbps to 54 Mbps
31. IEEE Additional 802.11 Projects (continued)
802.11i
Introduced Wi-Fi Protected Access (WPA)
Corrected many of the security vulnerabilities of 802.11b
802.11n (draft)
Will be finalized in Dec 2009
Speeds up to 300 Mbps
Aerohive AP runs at 264 Mbps now
Links Ch 11zc, Ch 11zd
32. IEEE Additional 802.11 Projects (continued)
802.15
Addresses networking devices within one person’s workspace
Called wireless personal area network (WPAN)
Bluetooth is one of six 802.15 standards
Image from ubergizmo.com
33. IEEE Additional 802.11 Projects (continued)
Bluetooth
Defines a method for interconnecting portable devices without wires
Maximum distance allowed is 10 meters
It uses the 2.45 GHz frequency band
Throughput of up to 2.1 Mbps for Bluetooth 2.0
Note: the speed value of 12 Mbps in your book and the lecture notes is wrong
Link Ch 11zg
34. IEEE Additional 802.11 Projects (continued)
802.16 (also called WIMAX)
Addresses the issue of wireless metropolitan area networks (MANs)
Defines the WirelessMAN Air Interface
Range of up to 30 miles
Throughput of up to 120 Mbps
802.20
Addresses wireless MANs for mobile users who are sitting in trains, subways, or cars traveling at speeds up to 150 miles per hour
35. IEEE Additional 802.11 Projects (continued)
Bluetooth
Defines a method for interconnecting portable devices without wires
Maximum distance allowed is 10 meters
It uses the 2.45 GHz frequency band
Throughput of up to 12 Mbps
HiperLAN2
European WLAN standard
It is not compatible with 802.11 standards
37. Understanding Authentication
Wireless technology brings new security risks to a network
Authentication
Establishing that a user is authentic—authorized to use the network
If authentication fails, anyone in radio range can use your network
38. The 802.1X Standard
Defines the process of authenticating and authorizing users on a WLAN
Basic concepts
Point-to-Point Protocol (PPP)
Extensible Authentication Protocol (EAP)
Wired Equivalent Privacy (WEP)
Wi-Fi Protected Access (WPA)
39. Point-to-Point Protocol (PPP)
Many ISPs use PPP to connect dial-up or DSL users
PPP handles authentication with a user name and password, sent with PAP or CHAP
PAP (Password Authentication Protocol) sends passwords unencrypted
Vulnerable to trivial sniffing attacks
See link Ch 11f
40. CHAP Vulnerability
CHAP (Challenge-Handshake Authentication Protocol)
Server sends a Challenge with a random value
Client sends a Response, hashing the random value with the secret password
This is still vulnerable to a sort of session hijacking attack (see links Ch 11e)
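The Challenge/Response exchange from the CHAP slide, with both sides shown, as an added example that is not part of the original slides. The response formula is the one in RFC 1994 (MD5 over identifier, secret, and challenge); the ChapServer class, the user name, and the secret are constructed for illustration.

```python
# Added example: CHAP challenge/response, client and server sides.
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value per RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side (hypothetical class). `secrets` maps user -> shared secret."""

    def __init__(self, secrets: dict):
        self._secrets = secrets
        self._pending = {}    # user -> (identifier, challenge) awaiting a response
        self._next_id = 0

    def new_challenge(self, user: str):
        """Issue a fresh random challenge; the identifier changes on every call."""
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)
        self._pending[user] = (self._next_id, challenge)
        return self._next_id, challenge

    def verify(self, user: str, identifier: int, response: bytes) -> bool:
        """Check a response against the outstanding challenge, then discard it."""
        pending = self._pending.pop(user, None)   # one-shot: never reuse a challenge
        secret = self._secrets.get(user)
        if pending is None or secret is None or pending[0] != identifier:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    server = ChapServer({"alice": b"correct horse"})       # constructed account
    ident, chal = server.new_challenge("alice")            # server -> client: Challenge
    resp = chap_response(ident, b"correct horse", chal)    # client -> server: Response
    print("login accepted:", server.verify("alice", ident, resp))
    ident2, chal2 = server.new_challenge("alice")          # next login, new challenge
    print("captured response replayed:", server.verify("alice", ident2, resp))
```

Unlike PAP, the password never crosses the link and a captured response is useless against the next challenge, but the check only proves identity at the moment of the handshake, which is why the session that follows still needs protection.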
41. Extensible Authentication Protocol (EAP)
EAP is an enhancement to PPP
Allows a company to select its authentication method
Certificates
Kerberos
Kerberos is used on LANs for authentication
Uses Tickets and Keys
Used by Windows 2000, XP, and 2003 Server by default
Not common on WLANs (I think)
42. X.509 Certificate
Record that authenticates network entities
Identifies
The owner
The certificate authority (CA)
The owner’s public key
See link Ch 11j
43. Sample X.509 Certificate
Go to gmail.com
Double-click the padlock
44. Public Key
Your browser uses the Public Key to encrypt data so only Gmail can read it
45. LEAP
Lightweight Extensible Authentication Protocol (LEAP)
A Cisco product
Vulnerable, but Cisco didn’t care
Joshua Wright wrote the ASLEAP hacking tool to crack LEAP, and forced Cisco to develop a better protocol
See link Ch 11g
46. More Secure EAP Methods
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
Secure but rarely used, because both client and server need certificates signed by a CA
Protected EAP (PEAP) and Microsoft PEAP
Very secure, only requires server to have a certificate signed by a CA
See link Ch 11h
47. 802.1X components
Supplicant
The user accessing a WLAN
Authenticator
The AP
Authentication server
Checks an account database to see if user’s credentials are acceptable
May use RADIUS (Remote Access Dial-In User Service)
See link Ch 11k
49. Wired Equivalent Privacy (WEP)
Part of the 802.11b standard
Encrypts data on a wireless network
WEP has many vulnerabilities
To crack WEP, see links Ch 11l, 11m
50. Wi-Fi Protected Access (WPA)
Specified in the 802.11i standard
Replaces WEP
WPA improves encryption by using Temporal Key Integrity Protocol (TKIP)
52. TKIP Enhancements
Per-packet key mixing
MAC addresses are used to create a key
Each link uses a different key
Rekeying mechanism
Provides fresh keys
Prevents attackers from reusing old keys
53. WPA Adds 802.1x
WPA also adds an authentication mechanism implementing 802.1X and EAP
This was not available in WEP
54. Understanding Wardriving
Hackers use wardriving
Finding insecure access points
Using a laptop or palmtop computer
Wardriving is not illegal
But using the resources of these networks is illegal
Warflying
Variant where an airplane is used instead of a car
55. How It Works
An attacker or security tester simply drives around with the following equipment
Laptop computer
Wireless NIC
An antenna
Software that scans the area for SSIDs
Not all wireless NICs are compatible with scanning programs
Antenna prices vary depending on the quality and the range they can cover
56. How It Works (continued)
Scanning software can identify
The company’s SSID
The type of security enabled
The signal strength
Indicating how close the AP is to the attacker
58. NetStumbler
Shareware tool written for Windows that enables you to detect WLANs
Supports 802.11a, 802.11b, and 802.11g standards
NetStumbler was primarily designed to
Verify your WLAN configuration
Detect other wireless networks
Detect unauthorized APs
59. NetStumbler
NetStumbler is capable of interfacing with a GPS
Enabling a security tester or hacker to map out locations of all the WLANs the software detects
60. NetStumbler
NetStumbler logs the following information
SSID
MAC address and Manufacturer of the AP
Channel
Signal Strength
Encryption
Can detect APs within a 350-foot radius
With a good antenna, they can locate APs a couple of miles away
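How the logged fields support the defensive uses named on these slides (verifying your WLAN configuration, detecting unauthorized APs) and the earlier advice to check for default SSIDs, as an added example that is not part of the original slides. The CSV layout is constructed and is not NetStumbler's export format; the SSIDs, MAC addresses, inventory, and default-SSID list are all illustrative assumptions.

```python
# Added example: audit a site-survey log against an inventory of your own APs.
import csv
import io

# Illustrative vendor-default SSIDs (not exhaustive); matched case-insensitively.
DEFAULT_SSIDS = {"linksys", "dlink", "netgear", "default"}

# Constructed survey data using the fields the slide lists.
SAMPLE_SCAN = """ssid,bssid,channel,signal_dbm,encryption
CorpNet,02:00:00:00:00:01,1,-48,WPA
CorpNet,02:00:00:00:00:02,6,-61,WEP
linksys,02:00:00:00:00:03,6,-70,None
CorpNet,02:00:00:00:00:99,11,-40,WPA
Guest-Cafe,02:00:00:00:00:50,11,-85,WPA
"""

# Constructed inventory: MAC addresses of the APs the organization installed.
AUTHORIZED_BSSIDS = {
    "02:00:00:00:00:01",
    "02:00:00:00:00:02",
    "02:00:00:00:00:03",
}
CORPORATE_SSIDS = {"CorpNet"}   # SSIDs are case sensitive, so match exactly


def audit_scan(scan_csv: str, authorized_bssids: set, corporate_ssids: set) -> list:
    """Return (bssid, finding) pairs for configuration problems and unknown APs."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        ssid = row["ssid"]
        bssid = row["bssid"].strip().lower()
        encryption = row["encryption"].strip().upper()
        if bssid in authorized_bssids:
            # Our own AP: check the settings the slides warn about.
            if ssid.lower() in DEFAULT_SSIDS:
                findings.append((bssid, "default-ssid"))
            if encryption in ("", "NONE"):
                findings.append((bssid, "no-encryption"))
            elif encryption == "WEP":
                findings.append((bssid, "wep"))
        elif ssid in corporate_ssids:
            # Unknown hardware announcing our network name.
            findings.append((bssid, "unauthorized-ap"))
        # Anything else is a neighbouring network and is ignored.
    return findings


if __name__ == "__main__":
    for bssid, finding in audit_scan(SAMPLE_SCAN, AUTHORIZED_BSSIDS, CORPORATE_SSIDS):
        print(f"{bssid}  {finding}")
```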
63. Kismet
Another product for conducting wardriving attacks
Runs on Linux, BSD, Mac OS X, and Linux PDAs
Kismet is advertised also as a sniffer and IDS
Kismet can sniff 802.11b, 802.11a, and 802.11g traffic
64. Kismet features
Ethereal- and Tcpdump-compatible data logging
AirSnort compatible
Network IP range detection
65. Kismet features (continued)
Hidden network SSID detection
Graphical mapping of networks
Client-server architecture
Manufacturer and model identification of APs and clients
Detection of known default access point configurations
XML output
Supports 20 card types
66. Understanding Wireless Hacking
Hacking a wireless network is not much different from hacking a wired LAN
Techniques for hacking wireless networks
Port scanning
Enumeration
67. Tools of the Trade
Equipment
Laptop computer
A wireless NIC
An antenna
Sniffer software
68. AirSnort
Created by Jeremy Bruestle and Blake Hegerle
It is the tool most hackers wanting to access WEP-enabled WLANs use
AirSnort limitations
Runs on either Linux or Windows (textbook is wrong)
Requires specific drivers
Not all wireless NICs function with AirSnort
See links Ch 11p, 11q
69. WEPCrack
Another open-source tool used to crack WEP encryption
WEPCrack was released about a week before AirSnort
It also works on *NIX systems
WEPCrack uses Perl scripts to carry out attacks on wireless systems
AirSnort is considered better (link Ch 11r)
70. Countermeasures for Wireless Attacks
Anti-wardriving software makes it more difficult for attackers to discover your wireless LAN
Honeypots
Servers with fake data to snare intruders
Fakeap and Black Alchemy Fake AP
Software that makes fake Access Points
Link Ch 11s
71. Countermeasures for Wireless Attacks
Use special paint to stop radio from escaping your building
Allow only predetermined MAC addresses and IP addresses to have access to the wireless LAN
Use an authentication server instead of relying on a wireless device to authenticate users
72. Countermeasures for Wireless Attacks
Use an EAP authentication protocol
If you use WEP, use 104-bit encryption rather than 40-bit encryption
But just use WPA instead
Assign static IP addresses to wireless clients instead of using DHCP
Don’t broadcast the SSID
73. Countermeasures for Wireless Attacks
Place the AP in the demilitarized zone (DMZ) (image from Wikipedia)