CWNP CWSP – Module 06 – SOHO 802.11 Security Part 3

10. Wi -Fi Protected Setup (WPS) Part4

Now, I mentioned already that we have an inland and out of band configuration mode for the use of this registration protocol. So like I said, when we’re using in band, we’re using Diffi Hellman to create a device password. And if I didn’t say what Diffie Hellman was, let me just see how well I can figure out how to kind of describe it. I’m not going to go through the whole math. But both sides have to agree on what they call a prime number and that’s usually represented by a group number. Group one, two, 3514 is just a group number. And the larger the group number, the bigger the prime number. So there’s let’s say they both decided to use group one.

Now, Diffie Elman also has a separate reference number that they both have to agree on, or reference value. It could be almost think of it like a pre shared key, but it’s another numerical value. And what they do is that let’s say that we both agree that it’s the number one. What they do is that they pick a random number, each one picking their own random number, and they do some mathematics and the value that they get becomes what they call their public key. And so they send this mathematical answer as a public key. And this side gets a random number, does some mathematics. Again, different random number. But we had two out of the three of those things being the same. And so it sends its public key and then somehow mathematically, I can take the public key sent to me by the access point and use again these bits of information and mathematically derive a key.

The other side would use the public key that they were sent with those same first two values and they would end up mathematically getting the same key. So that’s why I said it’s a key exchange without sending the key. Or if you don’t want to do that, you could use a USB or a certificate to be able to install a public key. And again, the idea is, remember what I said about asymmetric encryption. We can encrypt things with a public key and then only those people who have the private key would be able to decrypt it. Now, the out of band configuration would be again, not well.

All right, so think about this. This first part here is In Band because we’re using the same radio frequency that we would use for the actual communication of data. So that’s why it’s called in band. But if I’m just sticking a USB drive into my access point, then this would be authentication not done over the network. Now, we could still use Diffi Hellman for encrypted settings or it could be something that’s operated in peer to peer mode. Peer to peer mode would be another radio channel that’s used for talking to each other over the wire wireless, but not the same one. That would be used otherwise for your actual data. And so and obviously, the USB drive is certainly out of band because we’re not using radio frequency at all.

11. Wi -Fi Protected Setup (WPS) Part5

All right, so I was talking about these pin numbers, and some of the WiFi protected setup specs provide the best practices for pin numbers. And like I said, when you look at you’re probably getting tired of seeing my access points. I told you that you would see on a sticker on this access point what the actual pin number is. But that doesn’t mean you can’t change it. You certainly can. But if you’re using just the one on the box, hopefully, as it’s recommended, that they made it somewhat random and it should be eight or more digits. I know in the one I was using for some demonstrations, I think it was exactly eight digits for the pin numbers. So, again, the reason for doing that is for WiFi protected setup is that if you don’t have a push button option, then you have to provide a pin number just to be able to start the initial setup.

12. Initial WLAN Setup

So when we look at the initial wireless LAN setup, the first option, as I said, is, and this is again with WPS, is that the access point can be a standalone registrar. And that’s probably what’s really going to happen in the small office, home office, that we’re not going to have an external one, but we could still, as a second option, have a nonwpscapable equipment that we’d have to probably have an external registrar to work with to be able to get that legacy. Legacy means it’s old, right, to be able to go through and do the WiFi protected setup. So what would be the legacy? That’d be you over here with this really old access point that might not be doing WPS.

And so you’d have to have something external to handle that registration setup for the client making the connection. A third option, as you see here, is a WPS capable access point that could have one or more external registrars and can be granted authority by the access point to issue credentials. Again, we’re getting a little bit further out, I think, from what we would normally see in a Soho option. But again, we could do that. But remember, that’s going to be an in band setup that we’d be using. And you know, the only thing that I worry about that is probably the cost. And the whole purpose of WPS was to make it easier for the non tech savvy people in a remote location or a small office to be able to set up secure communications. You.

13. SOHO Best Practices

So here’s our best practices. Number one, no default settings. What do I mean by that? I mean every setting on your access point should be purposely changed. And here’s what I mean. You go and buy an access point from a store and let’s say this one here you bought was linksys and the SSID coming out of that thing is going to be linksys, all right? And to log on, the log on to the management is going to be admin. I think admin and admin, same username and password. And here’s a story that I’ll tell you. Seems like the friends I talk about are getting themselves in trouble. But I was at a city in Alabama working with a friend of mine and we went to a Thai restaurant that advertised they had a hot spot. And so we sat down, you know, to have lunch and we went to log in and we saw linksys as the SSID.

And my friend said you don’t think, do you, that they left everything at the default settings? And I said, Well, I don’t know. And so he did what any, I guess, practitioner of security would do. He opened up his web browser, went to http one and 192 168 one one, which is also the default management address management page opened. He logged in as admin admin and he was inside and he could have at that point done anything he wanted to for the settings of that access point. And it was just amazing. Trust me, he didn’t do anything more. But I was nervous enough that he was just logging into somebody’s access point. But we don’t want that in the small office, home office either. We want you to change SSIDs to something else.

And remember, don’t make an SSID like the Jones family because that’s also going to kind of give people who see it other information about you. Come up with something unique for an SSID. Again, the default settings on the login stuff get there and change that. So what did I just say? SSID name not giving away where it is. I’m in an office building right now and there’s a lot of wireless access points in all of the offices in this building and I think I probably see 15 or 20 and they are all using SSIDs. That’s the name of the company, which is crazy because I know that I can find where that is by the SSID name and if I wanted to break into that network, I could because I know where it goes. Maybe I should say it the other way around. If like the law office that’s next door, if I decide I want to break into their network, well, I’ll look at the SSID that’s got the name of their law office, which it does. One of the things I really like is where I am working right now, we follow that idea. The SSID name has nothing to do with the company that I’m working with right now.

The other thing is SSID cloaking. Now, remember, you can cloak, but it’s not I mean, so that means no passive scanning. Passive meaning you’re not broadcasting or beaconing your SSID, but it could be found by an active probe. But you’d have to have somebody who knows what they’re doing, I guess, to be able to set that up. Mac address filters. Not a bad idea, right? You limit by Mac address who can log into that access point. But remember I said it was easy to destroy that security by my simply spoofing my Mac address to match one of the ones that is connected. And of course, we don’t want you using WEP. We don’t want you using open authentication. We want you to be using WPA Two personal so that we can support having that robust security network. So those are our best practices that I would tell you. And even though I kind of made it sound like cloaking is easy to figure out, filters are easier to get by. Or easy to get by. Yes, that’s true.

But the thing to remember is that we like to see security in depth. And what security in depth means is that we don’t have any just one solution. So you say okay. Mac, filters. If somebody wants to break into your network, they’re going to have to figure that out. If you’re going to cloak, somebody has to go and figure that out. Well, first they’d have to figure out the cloaking and then the Mac filters. I guess a strong authentication or password with WPA Two. And so the more of these things that you do, the more work it is for somebody to break into your network. That’s why we call it security in depth. There is no perfect security. Some of these things, like Mac filters and cloaking, I sometimes call it a warm, fuzzy feeling of security, but it isn’t perfect. It just means that the more of these things I do, then the harder it is or the more work. And my hope is if somebody wants to break into a network just for fun, that mine will be more of an annoyance and they’ll pick on somebody else.

14. Demo – Cracking Hashes

So what I want to show you here is this thing we talked about in this module, about how easy it is to crack some of these hashes, I should say. And why that? We tell you that you need to have long pass phrases as well as the exchange of hashes using salt, right? Adding that something extra into the password to hash and why that’s so important. What I’ve done here is I’ve got on over here to Cane enable. Now, remember, I could have captured this wirelessly, but I probably would have captured something that also had the salt in it. And that just takes a little bit longer to be able to hash it, or I should say, to reverse it to figure out what the hash is. So what I did here is I went to the cracker tab, and in the cracker tab, what I did is I did a right click and I went down here to the add to list, and I just said, show me the hashes of the user accounts that are on this system. So I’ve got some user accounts here, administrator, guest, instructor, a bunch of these ones. And it shows me their LM hashes and their NTLM hashes.

NTLM hashes, by the way, are so much stronger, so much better to use. But because these two hashes are the same, that tells me that they both have the same password. That’s just a side note. When you hash something, if you don’t change the data, it will always have the same hash. So what I want to do is I want to take this hash. Let’s see if I can copy it. Let’s see. Come on, let me copy that. All right, so one of the things I can do with this since I’m in the cracker is I can do this crypt analysis attack. The challenge, by the way, is adding the salt into it.

And here you can see that there are some online types of things at places we can go. But I really want to be able to copy this record, and that’s what I’m trying to see if I can okay, export it to I guess it’s going to export it to a loft crack file. Let’s see if I can still open it up. Even as a loft crack file, I’ll call it hash should be on my desktop. I’m going to try to open it with open and select a program. I’m going to see if I can open it from Notepad or even WordPad. Just makes it easier if I can. Yeah, there we go. So, yeah, I was able to do that. Now I can copy it. And so if I intercept your hash and I hit control C, now I got it copied. There’s a number of places right online. I’m showing you an example of a website called crackstation. Net. And it’s a free password, hash cracker. So I can paste that hash in here. Looks like I have to make sure I’m not a robot.

So I got to type in some numbers 9352-2488 and then click on Crack hashes. And my hope is that it will come up very quickly for me to show me what the results are. And I don’t have that particular result. Sometimes it does take a while, by the way, for this to get in there. So color codes means that they have an exact match. I’m just wondering why I don’t see the results. All right, well, it does take a little bit of time, usually two to five minutes. So I’m going to say that that’s why it’s not showing up there. But the good news is the color code green means that they did find an exact match. And I’m going to assume that at some point I’m going to see the results show up. Maybe if I refresh the page.

Let’s see. At least I can hope that it would do it that way. No, see, I’m impatient when I’m doing these examples. I want it to work. Right now, I don’t even know if that first character is a B. Maybe it’s a V. Hard to tell. I hate these things. All right, let’s see if that was it incorrect, so I got to do it again. Well, maybe it was correct. I guess it was. All right, so it’s not shown it to me yet. That means we’re going to have to wait a little bit to be able to see it. But trust me that it works. And remember what I said about a rainbow table is that they take all combinations of passwords and they hash them with all these different hashing protocols. And then they sort the hashes in numerical order.

And that way when they do a lookup of a hash, they’re going to go to probably pretty close to the beginning of the list with AA and find in that list this hash. And then they can look to see what password made that. Now what I will tell you is that the longer you make the password, the harder it is to be able to crack. And again, since we talked about the needs for long passphrases, let me really verify it to you here with another website where I got the cane enabled. And they have a little tool here called WinRT Gen, which is Windows rainbow table generation. So I’m going to open it up, run it, see if it’ll let me run it. And what happens here is you can make your own rainbow tables.

You click on Add table. Oh, I couldn’t read the character sets because I didn’t extract it. Okay, be that way. Extract all files. Let’s put them on our desktop. I’m going to have a messy desktop by the time we’re all done. All right, let’s extract them. Now we’re showing the files, and there’s Win rtgen, going to add the table. So I just showed you an LM hash. And technically, that’s the worst of the hashes that Microsoft ever made. Even though you can have up to 14 letters, they really only did two hashes if you were over 14 letters. So the first seven would be hashed, and then the next seven would be hashed. And then you can choose the character set. So let’s say that they’re going to use alphabet number and the space.

So here’s that character set, right? The space, the numbers. Oh, and by the way, Ellen hash was also all uppercase. And it’s telling me right now that if I make just one table, I can crack maybe 55% of the passwords. And they do break it up in table sizes to fit on a CD Rom. And so that’s why you might have to make like three tables. Now with three tables, it looks like I’m up to 90%. I know from experience, having done this, that five tables is pretty close to 98%.

And then I can click this benchmark and show you, you know, on this computer, how long it would take to make all of these tables. So each table would take a day to make total time to make all the tables would be five days. All right, so now let’s talk about MD five. So MD five, if we assume you have an eight character password, that’s and minimum length six. We always tell people they have to have at least six characters. Sometimes we say eight and they can use the special characters, right, the at.

So I changed the character space. And with five tables, you notice that I can crack maybe 1% of those hashes. So what if I made it 50 tables? Now I’m barely at 10%, not even quite there if I made 5000 tables. All right, well, I went a little extreme, maybe 500 tables. Wow, really? Let’s say 1000 tables. All right, well, that’s close. All right, so this is for all passwords using all of these characters from six to eight characters in the password. So if you made a longer one, that’s nine characters. Then you’ll see here in just a second what happens to the percentage.

So notice what it says, it’s going to take me 2. 7 years to make all the tables. So now how do I defeat that? Because a lot of these places have 200, 300 computers, each one doing just one table at a time so they can get it done faster. But what happens if I change this to nine characters? Now when I change it to nine characters, look at this. Success went down to almost 4%. So, you know, now what do I need 10,000 tables. Now, see, so what I’m trying to help convey to you that we talked about is that you need to have long passwords and complex passwords, because it is pretty easy to be able to crack these passwords with rainbow tables.

And many of these companies actually have rainbow tables that you can spend time downloading. They might charge you for those tables, but nonetheless, instead of you having to make them all, you could just download them and use them in your own hacking. So that’s what I wanted to show you about the reason why we need to have security or want to talk about these past phrases and why, when we talk about things like pre shared keys, adding salt. By the way, if I added salt to any of these, then the chances become even harder for people to crack it.

15. Module 06 Review

So in this module, what we did is we talked about 800 and 211 security in the Soho. That means we looked at WPA really we talked about it, but we focused more on WPA two personal that made more sense for the small office. We also looked at the WiFi protected setup and the registration protocols and what’s really going on behind the scenes. And there’s a lot going on behind the scenes, but if you about it, it’s easy for the people that are administering the actual wireless network. And then we talked about some of the security best practices for the Soho, where I talked about all of these things we can do to create some security in depth.