In the history of networking, it has never been easier to penetrate a network with wireless LAN. Wireless networks are popping up everywhere today. They provide a lot of freedom but with a significant downside: too many wireless networks are left wide open for attacks. As with computers or networks, organizations must understand the latest security concepts to properly secure 802.11-based wireless networks. Advancements in wireless LAN technology have given hackers and network security professionals inexpensive and free tools to work with.
Whether you are a Linux user or Windows, the tools are everywhere. The ever growing and enduring wares community has given easy access to expensive analysis and penetration tools — such as 802.11-protocol analyzers — with no investment.
Original title:
Wireless Network: A Low Hanging Fruit for Hackers
Copyright:
Public Domain
You have secured your wired LAN with all the latest technologies and processes. But is your wireless network left open to hackers? How do you ensure the security of your wireless network?

Are wireless networks a soft target for hackers?

In the history of networking, it has never been easier to penetrate a network with wireless LAN. Wireless networks are popping up everywhere today. They provide a lot of freedom but with a significant downside: too many wireless networks are left wide open for attacks. As with computers or networks, organizations must understand the latest security concepts to properly secure 802.11-based wireless networks. Advancements in wireless LAN technology have given hackers and network security professionals inexpensive and free tools to work with. Whether you are a Linux user or Windows, the tools are everywhere. The ever growing and enduring wares community has given easy access to expensive analysis and penetration tools — such as 802.11-protocol analyzers — with no investment.

“Locking down a wireless network involves more than just port scanning technique and patching vulnerabilities.”

Locking down a wireless network involves more than just port-scanning testing and patching vulnerabilities. You must also have the right security tools, use the proper testing techniques, and possess a watchful eye. And know your enemy: it is critical to think like a hacker to get a true sense of how secure your information really is!

Where are wireless networks attacked most? WEP vulnerabilities

As an encryption algorithm, WEP uses RC4, which acts as a stream cipher. A stream cipher operates by expanding a short key into an infinite pseudo-random key stream. The sender XORs the key stream with the plaintext to produce ciphertext. The receiver has a copy of the same key and uses it to generate an identical key stream. The receiver XORs the key stream with the ciphertext to produce the plaintext.

This mode of operation makes stream ciphers vulnerable to several attacks. If an attacker flips a bit in the ciphertext, then upon decryption the corresponding bit in the plaintext will be flipped. Also, if an eavesdropper intercepts two ciphertexts encrypted with the same key stream, it is possible to obtain the XOR of the two plaintexts. Knowledge of this XOR can enable statistical attacks to recover the plaintexts. The statistical attacks become increasingly practical as more ciphertexts that use the same key stream are known. Once one of the plaintexts becomes known, it is trivial to recover all of the others.

Passive Wireless Attack to Decrypt Traffic

The first attack follows directly from the above explanation. By XORing two packets the attacker obtains the XOR of the two plaintext messages. The resulting XOR can be used to infer data about the contents of the two messages. IP traffic is often very predictable and includes a lot of redundancy. This redundancy can be used to eliminate many possibilities for the contents of messages. Further educated guesses about the contents of one or both of the messages can be used to statistically reduce the space of possible messages, and in some cases it is possible to determine the exact contents.

An extension to this attack uses a host somewhere on the Internet to send traffic from the outside to a host on the wireless network installation. The contents of such traffic will be known to the attacker, yielding known plaintext. When the attacker intercepts the encrypted version of his message sent over 802.11, he will be able to decrypt all packets that use the same initialization vector.

“Passive attacks are easier and give a hacker total control over your wireless network”

Active Wireless Attack to Inject Traffic

The following attack is also a direct consequence of the problems described in the previous section. Suppose an attacker knows the exact plaintext for one encrypted message. He can use this knowledge to construct correct encrypted packets. The procedure involves constructing a new message, calculating the CRC-32, and performing bit flips on the original encrypted message to change the plaintext to the new message. This packet can now be sent to the access point or mobile station, and it will be accepted as a valid packet.

A slight modification to this attack makes it much more insidious. Even without complete knowledge of the packet, it is possible to flip selected bits in a message and successfully adjust the encrypted CRC (as described in the previous section) to obtain a correct encrypted version of a modified packet. If the attacker has partial knowledge of the contents of a packet, he can intercept it and perform selective modification on it. For example, it is possible to alter commands that are sent to the shell over a telnet session, or interactions with a file server.

What are the common security problems and mitigation techniques?

Risk No. 1: Access constraints

Wireless access points repeatedly send out signals to announce their availability. The users can thus seamlessly find them to initiate connectivity. This signal transmission occurs when 802.11 beacon frames containing the access points' Service Set Identifier are sent unencrypted. (SSIDs are names or descriptions used to differentiate networks from one another.) This could make it easy for unauthorized users to learn the network name and attempt an attack or intrusion.

How to mitigate:
1. Enable available security features. The security features embedded in the access point's hardware/software are disabled by default.
2. Change the default settings. Default SSIDs are set by the manufacturer. For example, Cisco's default SSID is "tsunami," and Linksys' is "linksys." Not changing these makes it easier for an unauthorized user to gain access. Define a complex SSID naming convention. Don't change the SSID to reflect identifiable information, since this too could make it easy for an unauthorized user to gain access. Instead, use long, non-meaningful strings of characters, including letters, numbers and symbols.
3. Disable Dynamic Host Configuration Protocol and use static IP addresses instead. Using DHCP automatically provides an IP address to anyone, authorized or not, attempting to gain access to your wireless network, again making it just that much easier for unauthorized penetration.
4. Move or encrypt the SSID and the Wired Equivalent Privacy (WEP) key that are typically stored in the Windows registry file. Moving these privileged files makes it more difficult for a hacker to acquire privileged information. This step could either prevent an unauthorized intrusion or delay the intrusion until detection occurs.
5. Use a closed network. With a closed network, users type the SSID into the client application instead of selecting the SSID from a list. This feature makes it slightly more difficult for the user to gain access, but education on this risk-mitigation strategy can reduce potential resistance.

“Always change the default SSIDs set by the manufacturer. Define a complex SSID naming convention to make the hacker's job tough”

Risk No. 2: Rogue access points

Rogue access points are those installed by users on an ad hoc basis without consultation with IT. Because access points are inexpensive and easy to install, rogue installations are becoming more common and dangerous. Rogue access points are often poorly configured and might permit traffic that can be hard for intrusion-detection software to pinpoint.

How to mitigate:
1. Purchase access points that have flashable firmware, which will allow the users to install security patches and upgrades in future releases.
2. Disable Simple Network Management Protocol community passwords on all access points. SNMP is used as an access-point management mechanism. It does offer operational efficiencies but at the same time increases the risk of security breaches.
3. Set the authentication method to OPEN rather than to shared encryption key. This might sound insecure because using encryption for authentication is typically preferred. However, when using the shared encryption key feature, the challenge text is sent in clear text. This could help an unauthorized party calculate the shared secret key using the encrypted version of the same text. So, ironically, using the default OPEN authentication actually reduces the possibility of an unauthorized party discovering your WEP encryption key.
4. 30-minute re-authentication for all users, if enforced, is a secure option.

Risk No. 3: Traffic analysis and eavesdropping

Without actually gaining access to the network, unauthorized parties can passively capture the confidential data traversing the network via airwaves and can easily read it because it's sent in clear text. So an attacker could alter a legitimate message by deleting, adding to, changing or reordering the message. Or the attacker could monitor transmissions and retransmit messages as a legitimate user. By default, WLANs send unencrypted or poorly encrypted messages using WEP over the airwaves that can be easily intercepted and/or altered. Currently, wireless networks are beset by weak 802.11x access control mechanisms, resulting in weak message authentication.

How to mitigate:
1. Encrypt all traffic over the WLAN. There are a variety of methods to select from:
o Use application encryption such as Pretty Good Privacy, Secure Shell (SSH) or Secure Sockets Layer.
o Enable WEP, an encryption method that's intended to give wireless users security equivalent to being on a wired network but that has been proved to be insecure. Both 40- and 128-bit keys have been cracked; the 128-bit encryption only prolongs the cracking process. Despite its weaknesses, the WEP security that's built into wireless LANs can delay an unauthorized user's intrusion or possibly prevent a novice hacker's attacks entirely.
2. Implement a two-factor authentication scheme using access tokens for users accessing critical infrastructure.

Risk No. 4: MAC spoofing / session hijacking

Typically, 802.11 networks don't authenticate frames. This may result in frames being altered, authorized sessions being hijacked or authentication credentials being stolen by an imposter. Therefore, the data contained within their frames can't be assured to be authentic, since there's no protection against forgery of frame source addresses. Because attackers can observe Media Access Control addresses of stations in use on the network, they can adopt those addresses for malicious transmission. Finally, station addresses, not the users themselves, are identified. That's not a strong authentication technique, and it can be compromised by an unauthorized party.

How to mitigate:
1. Limit access to specific MAC addresses that are filtered via a firewall. This technique isn't completely secure, because MAC addresses can be duped, but it does improve the overall security strategy. Another difficulty with this technique is the maintenance effort required. A MAC address is tied to a hardware device, so every time an authorized device is added to or removed from the network, the MAC address has to be registered into the database.
2. Monitor logs weekly and scan critical host logs daily.
3. Restrict LAN access rights by role.
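The stream-cipher weaknesses described under "WEP vulnerabilities" and in the passive and active attack sections, worked through as an added Python example (not code from the original article): a WEP-style frame (RC4 keyed with IV || secret, CRC-32 as the integrity check value) built on constructed sample data, showing that two frames under one IV leak the XOR of their plaintexts, that one known plaintext then decrypts the other, and that a CRC-32 ICV cannot detect a bit flip whereas a keyed HMAC, the check WEP lacks, does. The secret, IV and packet contents are made up for the demonstration.

```python
import hmac, hashlib, zlib

def rc4(key: bytes, n: int) -> bytes:
    """n bytes of RC4 keystream (KSA + PRGA); WEP keys it with IV || secret."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style body: IV || RC4(IV||secret) XOR (plaintext || CRC-32 ICV)."""
    body = plaintext + crc(plaintext)
    return iv + xor(body, rc4(iv + secret, len(body)))

def wep_decrypt(secret: bytes, frame: bytes):
    """Plaintext if the ICV checks out, else None (what the AP would drop)."""
    body = xor(frame[3:], rc4(frame[:3] + secret, len(frame) - 3))
    return body[:-4] if crc(body[:-4]) == body[-4:] else None

def plaintext_xor(frame1: bytes, frame2: bytes) -> bytes:
    """Keystream reuse (same IV): c1 ^ c2 == p1 ^ p2, no key required."""
    n = min(len(frame1), len(frame2)) - 7          # strip IV and ICV
    return xor(frame1[3:3 + n], frame2[3:3 + n])

def flip_bits(frame: bytes, mask: bytes) -> bytes:
    """Flip plaintext bits through the ciphertext and keep the ICV valid:
    CRC-32 is affine, so crc(p ^ mask) == crc(p) ^ crc(mask) ^ crc(zeros)."""
    zeros = bytes(len(mask))
    icv_delta = xor(crc(mask), crc(zeros))
    return frame[:3] + xor(frame[3:], mask + icv_delta)

def hmac_tag(secret: bytes, frame: bytes) -> bytes:
    """Keyed MAC over IV and ciphertext: the integrity check WEP lacks."""
    return hmac.new(secret, frame, hashlib.sha256).digest()
```

Only a keyed check such as hmac_tag rejects the adjusted frame; the CRC-based ICV accepts it, which is why later 802.11 security (WPA2 with CCMP) replaced the CRC with a MAC under the key.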