3. Weaknesses in WEP
- Older equipment and devices
- No key management system: a single shared key that you have to change manually
- The Initialization Vector (IV) is too short and is sent in clear text
- IVs are static
- No cryptographic integrity protection is implemented
4. Weaknesses in WPA
- Short Pre-shared Keys (PSK)
- Dictionary attacks
5. Reconnaissance First
Popular software:
- NetStumbler: Windows and Mac; no Linux-based version
- Kismet: popular with professionals; Linux; the Windows version, called Kiswin v0.1, was last updated in 2005
6. Reconnaissance continued
Use the software to listen to traffic and record:
- Access Points (AP)
- Broadcast SSID (whether it is broadcasting or not)
- Encryption status
- AP information
- GPS information and map locations
7. Sniffing
- Passive and undetectable to Intrusion Detection Systems (IDS)
- Attackers can identify additional resources that can be compromised, and the authentication types in use
- Use of Virtual Private Networks (VPN), Secure Sockets Layer (SSL), and Secure Shell (SSH) helps protect against wireless interception
8. Spoofing and Unauthorized Access
- Due to TCP/IP design, there is little that can be done to prevent Media Access Control/IP (MAC/IP) address spoofing
- Static definition of MAC address tables can prevent this attack
- Staff must be diligent about logging, and about monitoring those logs, so that spoofing attacks can be identified and addressed
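A defender-side check for the logging-and-monitoring advice on this slide, added here as an example and not part of the deck: it walks periodic ARP-table snapshots (constructed sample lines in an assumed "time ip mac" layout), compares each IP's MAC against a statically defined MAC table when one is given, otherwise flags any IP whose MAC changes between snapshots, and separately reports any MAC that is bound to several IPs at the same time.

```python
"""Spot MAC/IP binding changes in periodic ARP-table snapshots (added example)."""
from collections import defaultdict

# Constructed sample: three snapshots of a gateway's ARP table, one entry per line.
# Assumed layout: "<time> <ip> <mac>" (not a log format taken from the deck).
SNAPSHOTS = """\
10:00:00 192.168.1.1  00:11:22:33:44:01
10:00:00 192.168.1.10 00:11:22:33:44:55
10:00:00 192.168.1.11 00:11:22:33:44:66
10:05:00 192.168.1.1  aa:bb:cc:dd:ee:ff
10:05:00 192.168.1.10 00:11:22:33:44:55
10:05:00 192.168.1.11 00:11:22:33:44:66
10:10:00 192.168.1.1  aa:bb:cc:dd:ee:ff
10:10:00 192.168.1.10 aa:bb:cc:dd:ee:ff
10:10:00 192.168.1.11 00:11:22:33:44:66
"""


def parse_snapshots(text):
    """Yield (time, ip, mac) tuples; MACs are normalised to lower case."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore blank or malformed lines
        ts, ip, mac = parts
        yield ts, ip, mac.lower()


def find_binding_alerts(text, static_table=None):
    """Return (time, ip, expected_mac, seen_mac, reason) tuples.

    If the IP has an entry in static_table (the statically defined MAC table the
    slide mentions), any other MAC is a mismatch every time it is seen.  Otherwise
    a change from the previously observed MAC is reported once, when it happens.
    """
    static = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
    last_seen = {}
    alerts = []
    for ts, ip, mac in parse_snapshots(text):
        expected = static.get(ip)
        if expected is not None and mac != expected:
            alerts.append((ts, ip, expected, mac, "static-table mismatch"))
        elif expected is None and ip in last_seen and last_seen[ip] != mac:
            alerts.append((ts, ip, last_seen[ip], mac, "binding changed"))
        last_seen[ip] = mac
    return alerts


def multi_ip_macs(text):
    """Per snapshot time, MACs that are bound to more than one IP at once."""
    per_time = defaultdict(lambda: defaultdict(set))
    for ts, ip, mac in parse_snapshots(text):
        per_time[ts][mac].add(ip)
    return {
        ts: {mac: sorted(ips) for mac, ips in macs.items() if len(ips) > 1}
        for ts, macs in per_time.items()
        if any(len(ips) > 1 for ips in macs.values())
    }


if __name__ == "__main__":
    for alert in find_binding_alerts(SNAPSHOTS, {"192.168.1.1": "00:11:22:33:44:01"}):
        print("%s %s expected %s saw %s (%s)" % alert)
    print(multi_ip_macs(SNAPSHOTS))
```

The static table turns a silent takeover of the gateway address into a repeated, unambiguous alert; without it the script can only say that a binding changed, which is still the signal the slide asks staff to look for in their logs.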
10. Introduction
- Console-based wireless analysis tool
- Passive; captures traffic from wireless cards in monitor mode
- Observes activity from all networks within range
- Wardriving tool of choice; wardriving is legal
- Included in BackTrack 4, ready to run and use
12. Objectives of Kismet
- Locate and identify AP(s): BSSID, ESSID, channel and encryption, GPS data, and more…
- Locate and identify client(s): MAC address manufacturers
- Spectrum analysis
- Drones/open-source WIPS
15. Netxml Logging File
- Can be imported into Excel for post-processing analysis
- Rename to ".xml" and select "read-only workbook" when opening
- Requires Internet access to download the Kismet DTD file
- Allows you to graph results and add details for additional analysis
17. Startup
- Kismet will prompt to start the Kismet server at startup
- Once the Kismet server has started, you will be prompted for the first packet source
18. Kismet Sources
- Specify the available wireless interface as a packet source: "wlan0", "wlan1", etc.
- Kismet will identify the needed information and place the interface in passive capture mode
- Add as many sources as you want from Kismet > Add Source
- Can also specify libpcap wireless packet capture files as sources
20. Plugins
- Plugin architecture to extend functionality
- Distributed with Kismet: Aircrack-PTW, Spectools
- Third-party: DECT wireless sniffing
- Kismet > Plugins: status of plugins and version information; enable or disable UI plugins; see the list of Kismet server plugins
21. Extending Kismet: Device Manufacturer Name
- Kismet relies on Wireshark's "manuf" file to identify manufacturers
- The file can be updated with the make-manuf script (not distributed with BT4):

    # wget http://anonsvn.wireshark.org/wireshark/trunk/wka.tmpl
    # wget http://anonsvn.wireshark.org/wireshark/trunk/manuf.tmpl
    # wget http://anonsvn.wireshark.org/wireshark/trunk/make-manuf
    # perl make-manuf
    # mv manuf /usr/share/wireshark
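To show what the manuf file gives Kismet, here is an added example (not Kismet's or Wireshark's code) that parses a constructed excerpt in the manuf layout and resolves a MAC to its most specific registered block. It goes a little beyond the slide: besides plain 24-bit OUI lines it handles the /28 and /36 sub-block entries the file also carries, so the longest matching prefix wins, and it flags locally administered addresses, which no manuf entry can explain. The vendors marked "constructed" and their blocks are made up for the example.

```python
"""Longest-prefix manufacturer lookup in the layout of Wireshark's manuf file (added example)."""
import re

# Constructed excerpt in the manuf layout: "<prefix>[/bits]<tab><short name><tab><long name>".
# Entries marked "constructed" are invented for this example and are not real assignments.
MANUF_SAMPLE = """\
# Constructed excerpt, not the real Wireshark manuf file
00:00:0C\tCisco\tCisco Systems, Inc
00:1B:C5\tIEEERegi\tIEEE Registration Authority
00:1B:C5:00:10:00/36\tExampleA\tExample Vendor A (constructed)
2C:6A:6F:10:00:00/28\tExampleB\tExample Vendor B (constructed)
"""

_NOT_HEX = re.compile(r"[^0-9A-Fa-f]")


def mac_to_int(mac):
    """'00:1b:c5:00:1a:bc' (colons, dashes or dots) -> 48-bit integer; rejects bad input."""
    digits = _NOT_HEX.sub("", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return int(digits, 16)


def parse_manuf(text):
    """Return (bits, prefix_value, short, long) entries, most specific block first."""
    entries = []
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")   # older manuf files carry the long name as a comment
        parts = line.split()
        if not parts:
            continue
        addr, _, mask = parts[0].partition("/")
        digits = _NOT_HEX.sub("", addr)
        bits = int(mask) if mask else 4 * len(digits)   # a plain OUI line is 24 bits
        value = int(digits.ljust(12, "0"), 16) >> (48 - bits)
        short = parts[1] if len(parts) > 1 else ""
        longname = " ".join(parts[2:]) or comment.strip() or short
        entries.append((bits, value, short, longname))
    entries.sort(key=lambda e: -e[0])
    return entries


def lookup_manuf(mac, entries):
    """Return (short, long) for the longest matching block, or None when unregistered here."""
    value = mac_to_int(mac)
    for bits, prefix, short, longname in entries:
        if value >> (48 - bits) == prefix:
            return short, longname
    return None


def is_locally_administered(mac):
    """True when the U/L bit of the first octet is set: a locally assigned MAC, not a vendor one."""
    return bool((mac_to_int(mac) >> 40) & 0x02)


if __name__ == "__main__":
    table = parse_manuf(MANUF_SAMPLE)
    for mac in ("00:00:0c:aa:bb:cc", "00:1B:C5:00:1A:BC", "00-1b-c5-00-2a-bc", "02:00:00:00:00:01"):
        print(mac, lookup_manuf(mac, table), "local" if is_locally_administered(mac) else "global")
```

A client that matches no entry is not necessarily exotic hardware: after the make-manuf refresh above it is more often a locally administered address, which is why the lookup reports that bit separately instead of guessing.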
23. GISKismet: Building Visual Representations of Kismet Data
- Correlate information in a database
- Graphically represent information
- Filter out non-useful information
24. GISKismet Filters
- Input filters: AP configuration data
- Query filters on any information: AP configuration, client information, GPS coordinate(s)
- Filter input example: insert all AP(s) on channel 6 named Linksys
- Filter output example: output all AP(s) without encryption
25. Tips on Protecting the Network
- Use an external authentication source: RADIUS, SecurID
- Protect against MAC spoofing: use a secure connection (SSH, SSL) for all host services accessed over the network
- Use a dynamic firewall
26. System Administrators
Complaint: poor performance on the wireless network. Things to observe:
- What AP are the clients connecting to?
- Are all APs properly configured?
- Lots of retries, indicating poor connections or noise
- Lots of missed beacons, indicating noise or faulty APs
- What channels are being utilized?
27. Retries are normal in small numbers; a sustained retry rate of more than 10% is a problem
28. Kismet display:
- Signal and noise / channel
- Packet rate (real time)
- Data frames (cumulative)
- Networks count (yellow is historic, green is currently active)
- Detail view (scroll with the arrow keys)
29. Auditors
- Are the networks configured per specification?
- SSID cloaking enabled/disabled?
- Appropriate encryption and authentication settings?
- Are there unencrypted networks (when there shouldn't be)?
- Kismet walkthrough while channel hopping, then post-processing analysis
30. Security Analysts
- Network discovery and analysis: Are there open APs or weak crypto? What are the clients on the network? What kind of EAP types are in use?
- Post-processing data evaluation: third-party tools with Kismet pcap files, XML records, nettxt summaries
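The post-processing that slides 15, 24, 27, 29 and 30 describe can be done offline with a few lines of Python; the following is an added example, not code from the deck or from Kismet. It parses a Kismet .netxml log and answers the auditor's and administrator's questions in one pass: APs with no encryption, APs still on WEP, cloaked SSIDs, APs whose retry share exceeds the 10% rule from slide 27 (ignoring APs with too few frames for the rate to mean anything), and how many APs sit on each channel. The sample log is constructed to approximate the netxml layout (the DOCTYPE names the remote DTD from slide 15, which ElementTree does not fetch); its BSSIDs, SSIDs, manufacturer strings and counts are made up.

```python
"""Post-process a Kismet .netxml log offline: open APs, WEP, cloaking, retries, channels (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample approximating the Kismet (newcore) .netxml layout; not a real capture.
NETXML_SAMPLE = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE detection-run SYSTEM "http://kismetwireless.net/Kismet-3.1.0.dtd">
<detection-run kismet-version="2009.06.R1" start-time="Sat Jan  1 10:00:00 2011">
<wireless-network number="1" type="infrastructure">
  <SSID><type>Beacon</type><encryption>WPA+PSK</encryption><encryption>WPA+TKIP</encryption>
    <essid cloaked="false">Linksys</essid></SSID>
  <BSSID>00:11:22:33:44:55</BSSID><manuf>Cisco-Linksys</manuf><channel>6</channel>
  <packets><total>200</total><retries>10</retries></packets>
</wireless-network>
<wireless-network number="2" type="infrastructure">
  <SSID><type>Beacon</type><encryption>None</encryption><essid cloaked="false">guest</essid></SSID>
  <BSSID>00:11:22:33:44:66</BSSID><manuf>Unknown</manuf><channel>6</channel>
  <packets><total>80</total><retries>20</retries></packets>
</wireless-network>
<wireless-network number="3" type="infrastructure">
  <SSID><type>Beacon</type><encryption>WEP</encryption><essid cloaked="true"></essid></SSID>
  <BSSID>00:11:22:33:44:77</BSSID><manuf>Unknown</manuf><channel>11</channel>
  <packets><total>40</total><retries>2</retries></packets>
</wireless-network>
<wireless-network number="4" type="infrastructure">
  <SSID><type>Beacon</type><encryption>WPA+PSK</encryption><encryption>WPA+AES-CCM</encryption>
    <essid cloaked="false">corp</essid></SSID>
  <BSSID>00:11:22:33:44:88</BSSID><manuf>Cisco</manuf><channel>1</channel>
  <packets><total>500</total><retries>60</retries></packets>
</wireless-network>
</detection-run>
"""


def parse_netxml(data):
    """Return one dict per <wireless-network>; accepts the file as str or bytes."""
    if isinstance(data, str):
        data = data.encode("iso-8859-1")  # let expat honour the declared encoding
    root = ET.fromstring(data)            # external DTD is not fetched, so this works offline
    nets = []
    for wn in root.findall("wireless-network"):
        ssid = wn.find("SSID")
        essid = ssid.find("essid") if ssid is not None else None
        nets.append({
            "bssid": (wn.findtext("BSSID") or "").strip(),
            "essid": (essid.text or "") if essid is not None else "",
            "cloaked": essid is not None and essid.get("cloaked") == "true",
            "channel": int(wn.findtext("channel") or 0),
            "encryption": [(e.text or "").strip() for e in ssid.findall("encryption")] if ssid is not None else [],
            "manuf": (wn.findtext("manuf") or "").strip(),
            "total": int(wn.findtext("packets/total") or 0),
            "retries": int(wn.findtext("packets/retries") or 0),
        })
    return nets


def retry_rate(net):
    """Share of frames that were retries; 0 when nothing was seen."""
    return net["retries"] / net["total"] if net["total"] else 0.0


def open_networks(nets):
    return [n for n in nets if not n["encryption"] or n["encryption"] == ["None"]]


def wep_networks(nets):
    return [n for n in nets if any(e.startswith("WEP") for e in n["encryption"])]


def cloaked_networks(nets):
    return [n for n in nets if n["cloaked"]]


def high_retry_networks(nets, threshold=0.10, min_frames=50):
    """APs over the slide's 10% retry rule; small samples are ignored because a few retries are normal."""
    return [n for n in nets if n["total"] >= min_frames and retry_rate(n) > threshold]


def channel_usage(nets):
    return Counter(n["channel"] for n in nets)


def audit_report(data):
    """Everything an auditor or sysadmin would pull out of the log, keyed by BSSID."""
    nets = parse_netxml(data)
    return {
        "open": [n["bssid"] for n in open_networks(nets)],
        "wep": [n["bssid"] for n in wep_networks(nets)],
        "cloaked": [n["bssid"] for n in cloaked_networks(nets)],
        "high_retry": [(n["bssid"], round(retry_rate(n), 3)) for n in high_retry_networks(nets)],
        "channels": dict(channel_usage(nets)),
    }


if __name__ == "__main__":
    for key, value in audit_report(NETXML_SAMPLE).items():
        print(key, value)
```

To use it on a real run, pass the contents of the Kismet-*.netxml file to audit_report; the same per-network dicts feed GISKismet-style filters (channel 6 and a given ESSID, no encryption) without renaming the file or fetching the DTD as the Excel route requires.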
Editor's notes
WPA: provides partial compliance with the 802.11 Wi-Fi standard; meant to be an intermediary between WEP and the new version, WPA2. WPA2: the full 802.11 Wi-Fi standard is implemented.
Static definition of MAC address tables: given the amount of resources it takes to manage that system, you have to decide if it is worth taking that approach.
Wardriving is deemed legal by the FBI as long as you do not do anything to crack or break into the network. Since wireless signals are traveling over the air, the companies have no expected right to privacy.
External authentication: prevents an unauthorized user from accessing the wireless network and the resources it connects with. Secure connection for host services: it is possible to require valid client certificates to access those resources, so even if someone got into your network, they would be stopped at the critical systems.