CWNP CWNA – Types of Wireless Attacks Part 2

6. Wireless Attacks Part5

Wireless land discovery is usually considered to be harmless. And why is that? Like my example of being in downtown Seattle, I wasn’t looking for a wireless network. I didn’t even think about getting into a wireless network. It just happened. My laptop back then with Windows, whatever, it was automatically connected to this wireless network and but people are doing that sometimes on purpose just to map where they are. And they called that war driving. Well, like I said, I wasn’t wardriving at that point, but it was easy to do. And is it my fault that they have an access point that is beaconing their ssid information? And the answer is no, it’s not my fault. So it’s typically not considered to be illegal to do that and it’s usually pretty harmless.

Now, war driving though, is a term we use in the event that you are purposely looking for wireless networks, usually while in a moving vehicle. Now, that term came from a term called war dialing. So before the world of the Internet, and I know for some of you are thinking it’s always been here, but before that day, we had to subscribe if we wanted to talk to other people, to what was called a bulletin board service. That would have been a server where people could talk to each other.

So it would use remote access and we would dial a phone number with our modem and make the connection over the phone. It wasn’t something worldwide if you knew the phone number you just dialed in, people then said, okay, I’ll create a little program to call every phone number in sequence. And so I could find all of these bulletin board servers and then check back with them later. They called that ward dialing.

Believe it or not, that is actually against the law in the United States. They got all of that from a really cool 1983 movie called War Games. If you haven’t seen it, go ahead and turn it on. Don’t be upset that the graphics and the computer stuff looks ancient because it is ancient to me. That’s not ah, because I was in college in 83. So it should be sounds like it should be recent. Anyway, it is illegal to do war dialing, but that’s where the whole term came from.

7. Wireless Attacks Part6

Now, a part of the authorization and the authentication to Network Resources is done at best through a combination of a switching technology called portbased authentication or 802 one x and being able to take your credentials and encrypt them. To send them to an authentication server through the extensible authentication protocol and is a part of what we’re hoping to see as the most secure way of handling our networks is not for everybody. Most often you need to have an active directory or directory server if you’re at home, there’s a personal type of option which uses what we call a psk or a pre shared key. But that’s good for, like I said, the small office home office. Now, the standard doesn’t require you to use a specific type of eep. Many companies like cisco created their own versions of eap. Like with cisco, they created one called the lightweight extensible authentication protocol, which we called Leap. One of the problems with that though, is I guess maybe they didn’t think it through all the way, but they found that it was very easy to offline crack your credentials through dictionary attacks. But there are other things like protecting deep and many other versions that are open and they’re just a form of being able to exchange your username and password securely through the network from the wireless to the wired to get to the radius server or other authenticating server.

8. Wireless Attacks Part7

One thing people might do is to try to get past a really weak form of security called Mac filtering. Now Mac filtering to me is not a big deal. I don’t even think of it as security. But remember, the Mac address is a hexadecimal twelve digit number that is always going to be in clear text. It’s always going to be in the layer to header of any conversation from a client to an access point. It is never going to be encrypted because if it was encrypted then these two would never be able to talk. They need to know what those numbers are. Now you might have found somebody out there who is abusing your system and you might decide to filter their Mac address. So that just means that if they tried again they would not be able to get through your security because you said hey, if it’s that Mac address then get rid of it. One example of hundreds of programs is the Spoof Mac program or smack.

And smack allows you through software to change the Mac address of any one of your network cards. And so all I would have to do is use smack and then I’m no longer on your list. But what if I wanted to go further? What if I wanted to turn my laptop into an access point? By the way, that’s very, very easy to do, but I wanted this person to think I was the real one. Then why not spoof my Mac address to that of the legitimate access point so I have you connect to me instead of to your network so I can try to steal information. So it’s an easy manipulation is what I’m trying to get at. And Mac filtering, I just wanted you to know, is not all that great for security if somebody knows what they’re doing. And it can be even worse for security by somebody pretending to be your own access point.

9. Wireless Attacks Part8

Now your wireless infrastructure hardware such as your autonomous system, aps, your wireless line controllers they all have management capabilities. And again, we would tell you to make sure you’re using the wired connections for the way in which you get into management. Now, depending on the device, it might have a web interface. I’ve been to some companies that say, you know what, we don’t like doing things by web. We don’t think it’s as secure or it’s too easy for somebody to try to gain access and they might actually turn that off. But they all had what we call the cli or the command line interface. And again, you could use telnet, which is completely unencrypted.

Everybody could watch what you’re doing or you could use secure shell so they would turn off the telnet portion of that as well. You might have some older equipment that you had to have a serial port to get to what they called a console connection. Well, they don’t make computers with serial ports anymore so now you have to pay extra money to get a USB connector to be able to do that. Or if it’s under management on the wired network you might have a network management system that might use a protocol like snmp. But in any event, access should first and foremost only come on the wired network. And if it has a separate management interface, hopefully you can put that into a vlan that you might call your management vlan.

10. Wireless Attacks Part9

Another attack we have to be careful of. And I like this name the evil Twin. Not to be related to Dr. Evil, but anyway, it’s where you have people doing what they call wireless hijacking. So what does that mean? That means I could go sit next to you at your favorite coffee shop. And I’m not picking up coffee shops, by the way, but that’s a common place that people go get free wifi. And I could turn my laptop laptop into an access point. And that, by the way, is very easy. In fact, my tablet and my phone, I don’t even have to download extra software. They have that feature. And I would advertise the same ssid as that of your coffee shop, the legitimate one.

Now all I have to do is convince you to connect to my access point. So one thing I might do is buy a jammer and jam the channel that the store’s access point is using. And then when the person loses communication and they’re sad, they go look and they say, oh, I see the same ssid right here. In fact, the signal might even look stronger. And so then the client goes to that one thing and it’s the coffee shop. And then, of course, I give you all the same addresses that you had before with dhcp and everything else.

And the goal here is to make sure that as I’m working, in fact, I might even be able to bridge to the real one so I can get you out to the real Internet through that coffee shop. And so then all your traffic is going to come to me. We actually call this a man in the middle. I could send it to the real one, get you out to the real Internet, but all the while, I could record and decrypt, if I wanted to, all of the information that you’re sending. Now. This is like I said, in today’s world, technology so easy to do by just using your actual cell phone, your Smartphone.

I was kind of disappointed. A few years ago, a friend of mine said, he calls me and says, Ken, I need some ideas. I got invited on the CBS Early Morning Show nationwide show to do something with security. He says, I don’t have any idea what to do. And before this Evil Twin thing was even exciting, I said, hey, this is what you should do. And next thing I know, he’s sending me a clip of the show where he got nationally famous. And I don’t know if I’m jealous yet or not, but I thought to myself, at least you should have put my name in the credit. It.