Friday, October 15, 2010

Wireless Attack Types

Rogue Access Point

A rogue access point is any Wi-Fi device that is connected to the wired infrastructure but is not under the management of the proper network administrators. Such a device acts as an open portal into the wired network infrastructure: because it has no authentication and authorization security in place, any intruder within range can use it to gain access to network resources. Most rogue APs are installed by employees who do not realize the consequences of their actions, but any malicious intruder can use these open portals to gain access.

Furthermore, besides physical security, there is nothing to prevent an intruder from also connecting their own rogue access point via an Ethernet cable into any live data port provided in a wall plate. If an 802.1X solution is deployed for the wireless network, it can also be used to secure the network ports on the wired network. In that case, any new access points would need to authenticate to the network prior to being given access.

This is a good way to not only utilize existing resources, but also to provide better security for our wired network by protecting against rogue APs.

Peer-to-Peer Attacks

Wireless resources may also be attacked. A commonly overlooked risk is the peer-to-peer attack. An 802.11 client station can be configured in either Infrastructure mode or Ad-Hoc mode. When configured in Ad-Hoc mode, the wireless network is known as an independent basic service set (IBSS) and all communications are peer-to-peer without the need for an access point. Because an IBSS is by nature a peer-to-peer connection, any user who can connect wirelessly with another user can potentially gain access to any resource available on either laptop.

Users that are associated to the same access point are typically just as vulnerable to peer-to-peer attacks as IBSS users. Properly securing our wireless network often involves protecting authorized users from each other since hacking at companies is often performed internally by employees.

Public Secure Packet Forwarding (PSPF) is a feature that can be enabled on WLAN access points or switches to block wireless clients from communicating with other wireless clients on the same wireless segment. With PSPF enabled, client devices cannot communicate with other client devices on the wireless network, as pictured in the figure below. Although PSPF is a term most commonly used by Cisco, other vendors offer similar capabilities under different names.

Eavesdropping

802.11 wireless networks operate in license-free frequency bands and all data transmissions travel in the open air. Access to wireless transmissions is available to any person within listening range, and therefore strong encryption is mandatory.

Wireless communications can be monitored via two eavesdropping methods: casual eavesdropping and malicious eavesdropping. Casual eavesdropping is typically considered harmless and is also often referred to as wardriving.

Software utilities known as WLAN discovery tools exist for the purpose of finding open WLAN networks. Wardriving is strictly the act of looking for wireless networks, usually while in a moving vehicle. The most common wardriving software tool is a freeware program called NetStumbler.

Malicious eavesdropping, by contrast, is the capture and reassembly of other users' traffic. Web pages and instant messages can be reassembled, and VoIP packets can be reassembled and saved as a WAV sound file. Malicious eavesdropping of this nature is highly illegal; however, because of the passive and undetectable nature of this attack, encryption must always be implemented to provide data privacy.

It should be noted that the most common target of malicious eavesdropping attacks is public access hotspots. Public hotspots rarely offer security and usually transfer data without encryption, making hotspot users prime targets. As a result, it is imperative that a VPN type solution be implemented for all mobile users who connect outside of our company’s network.

Encryption Cracking

The current WEP cracking tools that are freely available on the Internet can crack WEP encryption in as little as 5 minutes. There are several methods used to crack WEP encryption.

An attacker usually needs only to capture several hundred thousand encrypted packets with a protocol analyzer and then run the captured data through a WEP cracking software utility.

The software utility will usually then be able to derive the secret 40-bit or 104-bit key in a matter of seconds. Once the secret key has been revealed, the attacker can decrypt any and all encrypted traffic.

In other words, an attacker can now eavesdrop on the WEP-encrypted network. Because the attacker can decrypt the traffic, they can reassemble the data and read it as if there was no encryption whatsoever.
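The reason WEP falls so quickly is its 24-bit per-packet IV: IVs repeat after a few thousand frames, and a repeated IV means a repeated RC4 keystream, so two ciphertexts XOR to the XOR of their plaintexts. The following is an added example, not code from the original post; it implements RC4 keyed the way WEP keys it (IV prepended to the secret key), estimates how soon IVs collide, and shows the keystream-reuse leak. The key, IV and frame contents are constructed, the WEP CRC-32 ICV is omitted, and no key-recovery attack is implemented.

```python
"""Why a 24-bit IV space breaks WEP: a keystream-reuse demonstration (added example)."""
import math
import random

IV_BITS = 24
IV_SPACE = 1 << IV_BITS


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: the 3-byte IV travels in clear and RC4 is keyed with IV || key.
    (The CRC-32 ICV of real WEP is omitted; it does not affect keystream reuse.)"""
    assert len(iv) == 3
    return iv + rc4(iv + secret_key, plaintext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def expected_packets_for_collision_probability(p: float) -> int:
    """Birthday bound: number of random IVs after which the chance that some IV
    has repeated reaches p, using sqrt(2 * N * ln(1 / (1 - p)))."""
    return int(math.sqrt(2 * IV_SPACE * math.log(1 / (1 - p))))


def count_iv_reuse(num_packets: int, seed: int = 1) -> int:
    """Simulate a card that picks IVs at random and count how many are reused."""
    rng = random.Random(seed)
    seen = set()
    reused = 0
    for _ in range(num_packets):
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            reused += 1
        seen.add(iv)
    return reused


def plaintext_xor_from_iv_reuse(frame1: bytes, frame2: bytes) -> bytes:
    """Given two captured frames with the same IV, recover P1 xor P2 without the key:
    C1 xor C2 = (P1 xor K) xor (P2 xor K) = P1 xor P2."""
    assert frame1[:3] == frame2[:3], "frames must share an IV"
    return xor_bytes(frame1[3:], frame2[3:])


def demo() -> bytes:
    key = b"\x01\x02\x03\x04\x05"        # constructed 40-bit WEP key
    iv = b"\x11\x22\x33"                 # constructed IV, reused by two frames
    p1 = b"GET /index.html "             # constructed frame payloads
    p2 = b"POST /login.php "
    c1 = wep_encrypt(key, iv, p1)
    c2 = wep_encrypt(key, iv, p2)
    leaked = plaintext_xor_from_iv_reuse(c1, c2)
    # Knowing (or guessing) one plaintext now reveals the other outright.
    assert xor_bytes(leaked, p1) == p2
    print("IVs until 50% collision chance:", expected_packets_for_collision_probability(0.5))
    print("IV reuses in 200000 random-IV packets:", count_iv_reuse(200_000))
    return leaked


if __name__ == "__main__":
    demo()
```

The birthday estimate is in the low thousands of frames, well under the "several hundred thousand packets" the post cites for full key recovery, which is why even a busy network leaks plaintext relationships long before the key itself is derived.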

Authentication Attacks

Lightweight Extensible Authentication Protocol (LEAP), one of the most commonly deployed 802.1X/EAP solutions, is susceptible to offline dictionary attacks.

The hashed password response during the LEAP authentication process is crackable. An attacker merely has to capture a frame exchange when a LEAP user authenticates and then the capture file is run through an offline dictionary attack tool.

Once the attacker gets the user name and password, they are free to impersonate the user by authenticating onto the WLAN and then access any network resources that are available to that user. Stronger EAP authentication protocols exist that are not susceptible to offline dictionary attacks.

WPA/WPA2 Personal, using pre-shared keys, is also a weak authentication method that is vulnerable to offline dictionary attacks. Hacking utilities are available that can derive the WPA/WPA2 passphrase using an offline dictionary attack.

A policy mandating very strong passphrases should always be in place whenever a WPA/WPA2 Personal solution must be used in situations where there is no AAA server or the client devices do not support 802.1X authentication.
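An offline dictionary attack against WPA/WPA2 Personal works because the pairwise master key is derived from the passphrase with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as the only salt), so every captured handshake can be tested against guesses at a fixed cost per guess and the only defense is the passphrase's own unpredictability. The following is an added example, not code from the original post, of the kind of policy check that "very strong passphrases" implies: it derives the PMK as the standard does, estimates the passphrase's entropy, and rejects short or dictionary-based candidates. The word list, the entropy and length thresholds, and the assumed guess rate are all constructed assumptions.

```python
"""WPA/WPA2-Personal passphrase policy check (added example)."""
import hashlib
import math
import re

# Constructed stand-in for a real dictionary; a production check would load a large word list.
COMMON_WORDS = {"password", "welcome", "company", "wireless", "letmein", "qwerty"}

MIN_LENGTH = 20          # policy choice (assumption)
MIN_ENTROPY_BITS = 80    # policy choice (assumption)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Standard WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1 over the passphrase,
    salted only with the SSID, 4096 iterations, 32 bytes. Each attacker guess costs
    exactly one such evaluation, and rainbow tables are only reusable per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def estimate_entropy_bits(passphrase: str) -> float:
    """Crude entropy estimate: log2(alphabet size) per character, with each dictionary
    word credited only log2(wordlist size) bits instead of its per-character value."""
    alphabet = 0
    if re.search(r"[a-z]", passphrase):
        alphabet += 26
    if re.search(r"[A-Z]", passphrase):
        alphabet += 26
    if re.search(r"[0-9]", passphrase):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", passphrase):
        alphabet += 33
    if alphabet == 0:
        return 0.0
    per_char = math.log2(alphabet)
    bits = len(passphrase) * per_char
    lowered = passphrase.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            bits -= len(word) * per_char
            bits += math.log2(len(COMMON_WORDS) + 1)
    return max(0.0, bits)


def years_to_exhaust(entropy_bits: float, guesses_per_second: float = 100_000) -> float:
    """Time to try every one of 2^entropy_bits candidates at an assumed PBKDF2 rate
    (100k guesses/s is a constructed figure, not a measurement)."""
    return (2 ** entropy_bits) / guesses_per_second / (365 * 24 * 3600)


def check_passphrase(passphrase: str) -> dict:
    """Apply the policy and explain every failure."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA-PSK passphrases must be 8 to 63 characters")
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than the policy minimum of {MIN_LENGTH}")
    if passphrase.lower() in COMMON_WORDS:
        problems.append("passphrase is a dictionary word")
    bits = estimate_entropy_bits(passphrase)
    if bits < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy {bits:.0f} bits is below {MIN_ENTROPY_BITS}")
    return {
        "ok": not problems,
        "entropy_bits": bits,
        "years_to_exhaust": years_to_exhaust(bits),
        "problems": problems,
    }


if __name__ == "__main__":
    for candidate in ("password", "welcome2010", "Tq7!vL2#pX9@mR4$wN6%kB"):
        result = check_passphrase(candidate)
        print(candidate, result["ok"], f"{result['entropy_bits']:.0f} bits", result["problems"])
    print(derive_pmk("password", "IEEE").hex())
```

The entropy estimate is deliberately simple; the point is that a passphrase policy has to be measured against the attacker's guess rate, and that a dictionary word with a digit or two appended contributes almost nothing.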

MAC Spoofing

All 802.11 wireless network cards have a physical address known as a MAC address. This address is a 12-digit hexadecimal number that is seen in clear text in the layer 2 header of 802.11 frames.

Wi-Fi vendors provide MAC filtering capabilities on their access points. Usually, MAC filters are configured to apply restrictions that will allow traffic only from specific client stations to pass through.

These restrictions are based on their unique MAC addresses. All other client stations whose MAC addresses are not on the allowed list will not be able to pass traffic through the virtual port of the access point and onto the distribution system medium.

Third-party software utilities can also be used to assist in MAC spoofing. Because of spoofing, and because of all the administrative work involved in setting up MAC filters, MAC filtering is not considered a reliable means of security for wireless enterprise networks and should be implemented only as a last resort.

In some cases it is used as one layer of a tiered security architecture to better secure client devices that are not capable of 802.1X or stronger encryption.

Wireless Hijacking

An attack that often generates a lot of press is wireless hijacking, also known as the evil twin attack. The attacker configures access point software on a laptop, effectively turning a Wi-Fi client card into an access point.

The access point software is configured with the same SSID that is used by a public hotspot access point. The attacker then sends spoofed disassociation or deauthentication frames, forcing users associated with the hotspot access point to roam to the evil twin access point.

At this point, the attacker has effectively hijacked wireless clients at layer 2 from the original access point. The evil twin will typically be configured with a Dynamic Host Configuration Protocol (DHCP) server available to issue IP addresses to the clients.

Once the attacker hijacks the users from the original AP, the traffic is then routed from the evil twin access point through the second Wi-Fi card right back to the original access point from which they have just been hijacked.

The result is that the users remain hijacked; however, they still have a route back through the gateway to their original network, so they never know they have been hijacked.

The attacker can therefore sit in the middle and execute peer-to-peer attacks indefinitely while remaining completely unnoticed. These attacks can also take another form in what is known as the Wi-Fi phishing attack.

In that variant, the attacker's fake login page may then request a credit card number from the hijacked user. Phishing attacks are very common on the Internet and are now appearing at our local hotspot.

The only way to prevent a hijacking, man-in-the-middle, and/or Wi-Fi phishing attack is to use a mutual authentication solution. Mutual authentication solutions not only validate the user that is connecting to the network, they also validate the network to which the user is connecting.

802.1X/EAP authentication solutions require that mutual authentication credentials be exchanged before a user can be authorized. A user cannot get an IP address unless authorized; therefore, they cannot be hijacked.
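Both the rogue access point section above and the evil twin description come down to the same detection question for a wireless IDS: is every access point we can hear one we manage, and is it advertising what we expect? The following is an added example, not code from the original post or from any vendor's WIDS, of that check run over scan records. It flags an unmanaged BSSID advertising the corporate SSID (evil twin candidate), a managed BSSID advertising a different SSID or weaker security than inventory says (a possible impersonation of a known AP), and any other unknown AP, which needs a wired-side check before it can be called a rogue. The inventory, SSIDs, scan record format and sample records are all constructed.

```python
"""Classify heard BSSs against an AP inventory, WIDS-style (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

CORPORATE_SSIDS = {"CorpWLAN"}                      # constructed

# Constructed inventory of managed APs: lowercase BSSID -> (expected SSID, expected security)
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("CorpWLAN", "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("CorpWLAN", "WPA2-Enterprise"),
}


@dataclass
class BssRecord:
    bssid: str
    ssid: str
    security: str      # e.g. "Open", "WPA2-PSK", "WPA2-Enterprise"
    channel: int
    rssi: int          # dBm, as reported by the sensor


def classify(rec: BssRecord) -> Tuple[str, str]:
    """Return (severity, reason) for one heard BSS."""
    bssid = rec.bssid.lower()
    inventory = AUTHORIZED_APS.get(bssid)
    if inventory is not None:
        exp_ssid, exp_sec = inventory
        if rec.ssid != exp_ssid or rec.security != exp_sec:
            # Someone is advertising with our BSSID but not our configuration.
            return ("ALERT", f"managed BSSID {bssid} advertising {rec.ssid}/{rec.security}, "
                             f"expected {exp_ssid}/{exp_sec}")
        return ("OK", "managed AP")
    if rec.ssid in CORPORATE_SSIDS:
        # Our SSID from a BSSID we do not own: the evil twin pattern.
        return ("ALERT", f"unmanaged BSSID {bssid} advertising corporate SSID {rec.ssid} "
                         f"({rec.security}, ch {rec.channel}, {rec.rssi} dBm)")
    # Could be a neighbor or a rogue on our wire; only a wired-side check can tell.
    return ("INVESTIGATE", f"unknown AP {bssid} ssid={rec.ssid!r} ({rec.security}); "
                           f"verify it is not connected to our wired network")


def parse_scan_line(line: str) -> BssRecord:
    """Constructed CSV record: bssid,ssid,security,channel,rssi."""
    bssid, ssid, security, channel, rssi = (f.strip() for f in line.split(","))
    return BssRecord(bssid.lower(), ssid, security, int(channel), int(rssi))


def scan_report(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(bssid, severity, reason) for every record in a scan export."""
    return [(rec.bssid, *classify(rec)) for rec in map(parse_scan_line, lines)]


def alerts_only(lines: List[str]) -> List[Tuple[str, str, str]]:
    return [row for row in scan_report(lines) if row[1] == "ALERT"]


# Constructed scan export: one healthy AP, one managed BSSID suddenly open,
# one evil twin on a foreign BSSID, and a neighbor's home network.
SAMPLE_SCAN = [
    "00:11:22:33:44:01,CorpWLAN,WPA2-Enterprise,6,-45",
    "00:11:22:33:44:02,CorpWLAN,Open,6,-40",
    "AA:BB:CC:DD:EE:FF,CorpWLAN,Open,11,-38",
    "12:34:56:78:9A:BC,HomeNet,WPA2-PSK,1,-80",
]

if __name__ == "__main__":
    for bssid, severity, reason in scan_report(SAMPLE_SCAN):
        print(f"{severity:<12} {bssid}  {reason}")
```

A real sensor would also carry signal strength and channel history, which is what lets an administrator physically locate the offending radio; the classification logic, however, is just inventory comparison, which is why keeping the AP inventory accurate matters more than any clever heuristic.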

Denial of Service (DoS)

DoS attacks can occur at either layer 1 or layer 2 of the OSI model. Layer 1 attacks are known as RF jamming attacks. The two most common types of RF jamming attacks are intentional jamming and unintentional jamming.

Intentional jamming attacks occur when an attacker uses some type of signal generator to cause interference in the unlicensed frequency space.

Both narrowband and wideband jammers exist that will interfere with the 802.11 transmissions, either causing all data to become corrupted or causing the 802.11 radio cards to continuously defer when performing a Clear Channel Assessment (CCA).

A good wireless intrusion detection system will be able to alert an administrator immediately to a layer 2 DoS attack, which exploits unprotected management frames such as the spoofed deauthentication frames described above. The 802.11w draft amendment is the proposed "protected" management frame amendment, whose goal is to deliver management frames in a secure manner.

The end result will hopefully prevent many of the layer 2 denial of service attacks that currently exist, but it is doubtful that all layer 2 DoS attacks will ever be prevented. A spectrum analyzer is our best tool to detect a layer 1 DoS attack, and a protocol analyzer or wireless IDS is our best tool to detect a layer 2 DoS attack.

The best way to prevent any type of denial of service attack is physical security. If that is not an option, there are several solutions that provide intrusion detection at layers 1, 2, and 3.
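The layer 2 detection the section refers to is, at its core, rate counting on management frames: a legitimate AP sends the occasional deauthentication or disassociation frame, while a layer 2 DoS sends them continuously. The following is an added example, not code from the original post, of a sliding-window detector run over a constructed management-frame event log of the sort a wireless IDS sensor or protocol analyzer could export. The log format, the window, the threshold and all addresses are assumptions. Note that in such a flood the transmitter address is usually the spoofed address of the victim AP, so the alert names the impersonated AP, not the attacker's radio; locating the radio is a layer 1 job.

```python
"""Deauthentication-flood (layer 2 DoS) detector over a frame event log (added example)."""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

DEAUTH_SUBTYPES = {"deauth", "disassoc"}
WINDOW_SECONDS = 1.0   # assumption
THRESHOLD = 10         # deauth/disassoc frames per window per transmitter (assumption)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_event(line: str) -> Tuple[float, str, str, str, int]:
    """Constructed format: '<epoch_seconds> <subtype> ta=<mac> ra=<mac> [reason=<n>]'."""
    parts = line.split()
    ts, subtype = float(parts[0]), parts[1]
    fields = dict(p.split("=", 1) for p in parts[2:])
    return ts, subtype, fields["ta"].lower(), fields["ra"].lower(), int(fields.get("reason", 0))


def detect_deauth_floods(lines: List[str], window: float = WINDOW_SECONDS,
                         threshold: int = THRESHOLD) -> List[Dict]:
    """Raise one alert per transmitter whose deauth/disassoc count within any
    `window` seconds reaches `threshold`. Input must be in time order."""
    recent = defaultdict(deque)     # transmitter -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ts, subtype, ta, ra, reason = parse_event(line)
        if subtype not in DEAUTH_SUBTYPES:
            continue                            # beacons, probes etc. are not counted
        q = recent[ta]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                         # slide the window forward
        if len(q) >= threshold and ta not in alerted:
            alerted.add(ta)
            alerts.append({
                "transmitter": ta,
                "count": len(q),
                "at": ts,
                "broadcast": ra == BROADCAST,   # broadcast deauth kicks every client at once
                "last_reason": reason,
            })
    return alerts


def build_sample_log() -> List[str]:
    """Constructed sensor output: a few legitimate deauths and beacons, then a flood
    using the AP's own address as transmitter."""
    ap = "00:11:22:33:44:01"
    lines = [f"{t:.2f} beacon ta={ap} ra={BROADCAST}" for t in (0.10, 0.20, 0.30)]
    lines += [f"{t:.2f} deauth ta={ap} ra=66:77:88:99:aa:{i:02x} reason=3"
              for i, t in enumerate((1.00, 10.00, 20.00))]
    # 25 broadcast deauthentication frames in half a second
    lines += [f"{30.0 + 0.02 * i:.2f} deauth ta={ap} ra={BROADCAST} reason=7" for i in range(25)]
    return lines


def benign_log() -> List[str]:
    return build_sample_log()[:6]


if __name__ == "__main__":
    for alert in detect_deauth_floods(build_sample_log()):
        print(f"layer 2 DoS suspected: {alert['count']} deauth/disassoc frames "
              f"from {alert['transmitter']} within {WINDOW_SECONDS}s at t={alert['at']}"
              f"{' (broadcast)' if alert['broadcast'] else ''}")
```

The threshold is the tunable part; a production WIDS would also baseline each AP's normal deauthentication rate and correlate the flood with clients reassociating elsewhere, which is the evil twin sequence described earlier.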

References

http://www.sans.org/reading_room/whitepapers/detection/understanding-wireless-attacks-detection_1633
