Category Archives: Wireless

Security+ Series Part 5: Wireless Security

Wireless networks are celebrating huge success these days. They are available almost everywhere from businesses, metro stations, bars, coffee shops to our homes. They connect million of devices – phones, tablets, notebooks, thermostats, televisions and the number is growing. Often security of these networks are overlooked or ignored and expose them to various types of attacks. The motivation may differ from simple free  Internet access to intentional targeted attacks. Although it might not sound scary on the first sight, once you gain access to wireless network you can pull another form of attack, for example ARP spoofing or DNS spoofing.

Random Trivia: Delain playing during post creation.

Disabling SSID Broadcasting

One of the common misunderstanding out there is the fact that when you disable SSID broadcasting you are more secure. It is good to do so if you choose but bear in mind that it will not stay hidden from someone who intentionally scans the radio frequency environment with tools such as inSSIDer or Aircrack-ng.

inSSIDer is useful too for RF analysis. It discovers nearby wireless networks.

MAC Filtering 

Stepping one step up in the security ladder we have MAC address filtering. Fundamentally how this feature works is allows only MAC addresses which are defined in database. This DB can be right on access point or wireless LAN controller. This approach is not very secure and it should not be your primary tool for defense. MAC address can be easily spoofed.

Changing MAC address with MacAppStuff is easy cheese

WEP 

Wired Equivalent Privacy is a wireless network security standard introduced in 1999. Wireless network at that time gained significant popularity and everyone wanted to have one. The main purpose of WEP was to bring data confidentiality and integrity. To achieve this, WEP uses RC4 stream cipher and CRC32 for checksum. WEP uses same key for authentication and encryption. Throughout the years, it was revealed that WEP is no longer secure anymore and is susceptible to multiple forms of attacks because of the weak initialization vector. If the attacker has enough captured packets he can retrieve the original key. We will look at some attacks on WEP network in Offensive Security Series, which is coming soon. If you must use WEP for example to support old bar-code scanners, terminate this network at firewall and allow only required minimum services.

WPA

Wi-Fi Protected Access was introduced in 2003 by a Wi-Fi Alliance to quickie WEP’s weaknesses. The idea was to use same hardware but provider better security. It would be implemented through firmware upgrade. What WPA brings to the table is Temporal Key Integrity Protocol (TKIP) which uses dynamic 128-bit key for each packet. WPA also implements message integrity check to prevent against anti-replay attacks. Unfortunately WPA is also susceptible to some forms of attacks such as re-injection and spoofing, however it is still better choice than WEP.

Aircrack-ng in action, pwning your favorite password.

WPA2

Wi-Fi Protected Access 2 brings new encryption. It was introduced in 2004 and for WEP capable devices it would require a hardware upgrade because of the improvements. It uses Counter Mode Cipher Block Chaining Message Authentication Code Protocol or simply CCMP with AES.

CCMP is an encryption protocol that is part of 802.11i standard. It offers enhanced security compared to TKIP. It uses 128-bit keys and 48-bit IV to mitigate reply attacks.

You must know that WPA or WPA2 with pre-shared keys are still susceptible to attacks when weak or predicable pass-phrase is used. An attacker could possible crack password with good wordlist or brute force attack. Aircrack-ng is one of most favorite tool set to penetrate wireless networks.

WPS

Wi-Fi Protected Setup was introduced in 2006. It purpose was help securing wireless networks without requiring user to know all moving parts underneath. You usually activate this feature physically on wireless router itself or in web GUI and it will help you pair new device. Although this worked well, later in 2011 a security flaw was found in this implementation, which would allow attacker to recovery the WPS PIN using brute force attack.

See the blue button with arrow signs underneath? That is used for WPS.

EAP

Extensible Authentication Protocol is a framework. It is used in most enterprise wireless deployments. It provide a means of transporting key materials and parameters used by various EAP flavors such as PEAP, LEAP, or EAP-TLS. EAP can be used with WPA or WPA2 to provide better authentication and key management.

As you see the limitation of WPA or WPA2 with pre-shared key is the fact that they use pre-shared key. It is one key for everyone. Imagine that you have contractor in office who work for you temporarily, you need to grant him access to be able to work. However once he is finished, you do not want to change the pre shared key every time to keep network security high. That is why in enterprise we need a more advanced method for authentication. When EAP is used over LAN or WLAN network it is referred to as 802.1x.

PEAP

PEAP stands for Protected Extensible Authentication Protocol, it was developed big players in industry Cisco, Microsoft and RSA Security to address security weaknesses in WEP. It is yet another way how to encapsulate EAP frames. PEAP authenticate server with digital certificate and carries data in TLS tunnel.  Each host receives unique encryption key used with TKIP to provide data confidentiality. This protocol meant to replace Cisco’s proprietary LEAP.

LEAP

Lightweight Extensible Authentication Protocol was developed for Cisco by Cisco. It also uses dynamic WEP keys which are changing over time. However LEAP relies on MS-CHAP which did not offer strong protection of credentials.

EAP-TLS

One of the most popular and widely used flavor of EAP.As the name says it uses Transport Layer Security. It requires digital X.509 certificate present on authentication server as well as on client.

Captive portals

Captive portals are excellent choice for wireless guest access. The way it works is that in your office you have an open SSID for example CompanyX-Guest. This network has no authentication, everyone can connect. Once they are connected they redirected to web page which has information about usage policy that need to be accepted. Often a username and password is required for tracking purposes. A receptionist or ambassador who takes care of his guest. During guest account creation there is an option to set the duration that this account will be valid. For example 8 hours.

Starbucks uses captivate portal before letting you on dark net. Enjoy your coffee

VPN (over open wireless)  

You are in the coffee shop enjoying your latte connected to Starbucks Free Wi-Fi and everything is hunky dory. It is it? Think about it for a minute, no authentication, no encryption, is your communication really confidential? Well it depends :-). You could be protected by other protocols like SSL/TLS for example when you visiting https web sites. For application that do not use any additional level of security, their traffic is visible on these wireless networks.

For secure corporate access this may impose a risk. Therefore it is recommended to use IPSec or SSL VPN over these unsecured wireless networks. I use this approach all at he time to secure my communication or bypass site restrictions.

Antenna Placement and Types 

Although antenna placement is not only security related. It does what tools the attacker has,  if he has really bad or no signal he will be very frustrated. by selecting the right antenna for your deployment you can increase security of the environment. Some popular antenna types include bidirectional, directional and yagi. By adjusting power controls you can also right-size the coverage.

Antenna is like water hose, it can focus signal in right direction.

Wireless site survey 

Wireless site survey is the first step for proper wireless network deployment. Its role is to closely map environment form radio frequency point of view. It identifies what areas needs to covered and makes sure that signal levels are acceptable. Voice Wireless network have more strict requirements. Wireless signals are susceptible to many form of interference, for example evaluators or microwave ovens  may cause pose a problem. The output of survey will include heat maps, recommended access point models, their radio power settings and antenna types.

Cisco Wireless Control System can help you perform a predictive site survey.

And with that last piece of information this post came to the very end. I hope you had learned something new while having fun, because that is the whole point. The information summarized here can help you pass the Security+ exam but the real value is to use these skills in real world.

In next part we will look at Compliance and Operational Security. Until then, take care and spread the words.

Advertisements