CHAPTER 5: Wireless Networking 196

FIGURE 5.10 Shared-Key Authentication.

3. The requestor receives the transmission, encrypts the challenge with the secret key, and transmits the encrypted challenge back to the authenticator.

4. The authenticator decrypts the challenge text and compares the values against the original. If they match, the requestor is authenticated.

On the other hand, if the requestor does not have the shared key, the cipher stream cannot be reproduced; therefore, the plaintext cannot be discovered, and theoretically the transmission is secured.

One of the greatest weaknesses in shared-key authentication is that it provides an attacker with enough information to try to crack the WEP secret key. The challenge, which is sent from the authenticator to the requestor, is sent in the clear. The requesting client then transmits the same challenge, encrypted using the WEP secret key, back to the authenticator. An attacker who captures both of these packets now has two pieces of a three-piece puzzle: the cleartext challenge and the encrypted ciphertext of that challenge. The algorithm, RC4, is also known. All that is missing is the secret key. To determine the key, the attacker may simply try a brute-force search of the potential key space using a dictionary attack. At each step, the attacker tries to decrypt the encrypted challenge with a dictionary word as the secret key. The result is then compared against the authenticator's challenge. If the two match, the secret key has been determined. In cryptography, this attack is termed a known-plaintext attack, and it is the primary reason why shared-key authentication is actually considered slightly weaker than open authentication.

Test Day Tip
Although the Network+ exam does not cover the authentication process in great detail, it is important to remember the two authentication mechanisms in the 802.11 standard: open and shared-key.
802.11i Authentication

The current IEEE 802.11 standard is severely limited because it provides only the open and shared-key authentication schemes, which are nonextensible. To address the weaknesses in the authentication mechanisms discussed earlier, several vendors (including Cisco and Microsoft) adopted the IEEE 802.11i authentication mechanism for wireless networks. The IEEE 802.11i standard was created to provide a security framework for port-based access control that resides in the upper layers of the protocol stack. The main purpose of port-based access control is to enable new authentication and key management methods without changing current network devices. The benefits that result from this work include the following:

1. There is a significant decrease in hardware cost and complexity.
2. There are more options, allowing administrators to pick and choose their security solutions.
3. The latest and greatest security technology can be installed and should still work with the existing infrastructure.
4. You can respond quickly to security issues as they arise.

When a client device connects to a port on an 802.11i-capable AP, the AP port determines the authenticity of the device. Before discussing the workings of the 802.11i standard, the following terminology must be defined:

Port: A single point of connection to a network.
Port Access Entity (PAE): Controls the algorithms and protocols that are associated with the authentication mechanisms for a port.
Authenticator PAE: Enforces authentication before allowing access to resources located off of that port.
Supplicant PAE: Tries to access the services that are allowed by the authenticator.
Authentication Server: Used to verify the supplicant PAE. It decides whether or not the supplicant is authorized to access the authenticator.
Extensible Authentication Protocol over LAN (EAPoL): 802.11i defines a standard for encapsulating EAP messages so that they can be handled directly by a LAN MAC service. 802.11i tries to make authentication more encompassing, rather than enforcing specific mechanisms on the devices. Because of this, 802.11i uses the Extensible Authentication Protocol (EAP) to receive authentication information.
Extensible Authentication Protocol over Wireless (EAPoW): When EAPoL messages are encapsulated over 802.11 wireless frames, they are known as EAPoW.

The 802.11i standard works in a similar fashion for both EAPoL and EAPoW. As shown in Figure 5.11, the EAP supplicant (in this case, the wireless client) communicates with the AP over an "uncontrolled port." The AP sends an EAP-Request/Identity to the supplicant and a Remote Authentication Dial-In User Service (RADIUS) Access-Request to the RADIUS server. The supplicant then responds with an identity packet, and the RADIUS server sends a challenge based on the identity packet sent from the supplicant. The supplicant provides its credentials in the EAP-Response, which the AP forwards to the RADIUS server. If the response is valid and the credentials are validated, the RADIUS server sends a RADIUS Access-Accept to the AP, which then allows the supplicant to communicate over a "controlled" port. This is communicated by the AP to the supplicant in the EAP-Success packet.

HEAD OF THE CLASS…
So what exactly are 802.1x and 802.11x?
Wireless provides convenience and mobility, but also poses massive security challenges for network administrators, engineers, and security administrators. Security for 802.11 networks can be broken down into three distinct components:

The authentication mechanism
The authentication algorithm
Data frame encryption

Current authentication in the IEEE 802.11 standard is focused more on wireless LAN connectivity than on verifying user or station identity. Because wireless can potentially scale very high in the sheer number of possible users, it is important to consider a centralized way to handle user authentication. This is where the IEEE 802.1x standard comes into play.

FIGURE 5.11 EAP over LAN (EAPoL) Traffic Flow.

User Identification and Strong Authentication

With the addition of the 802.1x standard, clients are identified by username, not by the MAC addresses of the devices. This design not only enhances security, but also streamlines the process of authentication, authorization, and accounting (AAA) for the network. 802.1x was designed to support extended forms of authentication using password methods (such as one-time passwords, or GSS_API mechanisms like Kerberos) and non-password methods (such as biometrics, Internet Key Exchange [IKE], and smart cards).

Dynamic Key Derivation

The IEEE 802.1x standard allows for the creation of per-user session keys. WEP keys do not have to be kept at the client device or at the AP when using 802.1x. These WEP keys are dynamically created at the client for every session, thus making it more secure. The global key, like a broadcast WEP key, can be encrypted using a unicast session key and then sent from the AP to the client in a much more secure manner.

Mutual Authentication

802.1x and EAP provide for a mutual authentication capability. This makes the clients and the authentication servers mutually authenticating endpoints, and assists in the mitigation of attacks from man-in-the-middle (MITM) types of devices. Any of the following EAP methods provide for mutual authentication:

TLS: Requires that the server supply a certificate and establish that it has possession of the private key.
IKE: Requires that the server show possession of a preshared key or private key (this can be considered certificate authentication).
GSS_API (Kerberos): Requires that the server can demonstrate knowledge of the session key.

Per-Packet Authentication

EAP can support per-packet authentication and integrity protection, but it is not extended to all types of EAP messages. For example, negative acknowledgment (NACK) and notification messages cannot use per-packet authentication and integrity. Per-packet authentication and integrity protection works for the following (the packet is encrypted unless otherwise noted):

TLS and IKE derive session key
TLS cipher suite negotiations (not encrypted)
IKE cipher suite negotiations
Kerberos tickets
Success and failure messages that use a derived session key (through WEP)

COMMON EXPLOITS OF WIRELESS NETWORKS

In general, attacks on wireless networks fall into four basic categories: passive, active, MITM, and jamming.

Passive Attacks on Wireless Networks

A passive attack occurs when someone listens to or eavesdrops on network traffic. Armed with a wireless network adaptor that supports promiscuous mode, the eavesdropper can capture network traffic for analysis using readily available tools, such as Network Monitor in Microsoft products, TCPDump in Linux-based products, or AirSnort (developed for Linux, but Windows drivers can be written). A passive attack on a wireless network may not be malicious in nature. In fact, many in the wardriving community claim their wardriving activities are benign or educational in nature.
Wireless communication takes place on unlicensed public frequencies; anyone can use these frequencies. This makes protecting a wireless network from passive attacks more difficult.

Note
Although it may seem that we are deviating from the topic of networking here, the opposite is indeed the case. Security, especially in the case of wireless networking, is of paramount importance to you in your duties planning, implementing, and maintaining any network. That said, we are likely diving a bit deeper in this section than you will be tested on during your Network+ exam.

DAMAGE AND DEFENSE…
Preventing Dictionary Attacks Using EAP
EAP was designed to support extended authentication. When implementing EAP, dictionary attacks can be avoided by using non-password-based schemes such as biometrics, certificates, OTP, smart cards, and token cards. Using a password-based scheme should require the use of some form of mutual authentication so that the authentication process is protected against dictionary attacks.

Passive attacks are by their very nature difficult to detect. If an administrator is using Dynamic Host Configuration Protocol (DHCP) on the wireless network (this is not recommended), he or she might notice that an unauthorized MAC address has acquired an IP address in the DHCP server logs. Then again, he or she might not. Perhaps the administrator notices a suspicious-looking car sporting an antenna out of one of its windows. If the car is parked on private property, the driver could be asked to move or possibly charged with trespassing, but the legal response is severely limited. Only if it could be determined that the wardriver was actively attempting to crack any encryption used on the network, or otherwise interfering with or analyzing wireless traffic with malicious intent, would he or she be susceptible to being charged with a data-related crime, and even this would depend on the country or state in which the activity took place.
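The EAPoL exchange of Figure 5.11, modeled as three cooperating objects in an added example (not the book's code): the supplicant only ever speaks EAPoL to the AP, the AP relays to RADIUS over the uncontrolled port and opens its controlled port only on Access-Accept. The HMAC-SHA256 challenge-response and the user table are assumptions standing in for the unspecified EAP method.

```python
import hashlib, hmac, secrets

USER_DB = {"alice": "correct horse battery staple"}  # constructed user table (assumption)

def proof_of(password, challenge):
    # Assumed challenge-response method; the book names no specific EAP method
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()

class RadiusServer:
    """Authentication server: answers the AP's RADIUS Access-Requests."""
    def __init__(self, user_db):
        self.user_db, self.pending = user_db, {}

    def access_request(self, identity):
        # First Access-Request carries the EAP identity; reply is a challenge
        self.pending[identity] = secrets.token_bytes(16)
        return {"type": "Access-Challenge", "challenge": self.pending[identity]}

    def access_request_proof(self, identity, proof):
        # Second Access-Request carries the EAP-Response: Accept or Reject
        challenge, password = self.pending.pop(identity, None), self.user_db.get(identity)
        if challenge is None or password is None:
            return {"type": "Access-Reject"}
        ok = hmac.compare_digest(proof_of(password, challenge), proof)
        return {"type": "Access-Accept" if ok else "Access-Reject"}

class Supplicant:
    """Wireless client; speaks EAPoL to the AP only, never to RADIUS directly."""
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def eap_response_identity(self, eap_request):
        assert eap_request["type"] == "EAP-Request/Identity"
        return {"type": "EAP-Response/Identity", "identity": self.identity}

    def eap_response(self, challenge):
        return {"type": "EAP-Response", "proof": proof_of(self.password, challenge)}

class Authenticator:
    """The AP: controlled port stays blocked until RADIUS returns Access-Accept."""
    def __init__(self, radius):
        self.radius, self.controlled_port_open = radius, False

    def forward(self, frame):
        # Ordinary data frames use the controlled port; dropped (None) while blocked
        return "forwarded:" + frame if self.controlled_port_open else None

    def authenticate(self, supplicant):
        # EAPoL over the uncontrolled port, relayed to RADIUS
        ident = supplicant.eap_response_identity({"type": "EAP-Request/Identity"})
        chal = self.radius.access_request(ident["identity"])
        resp = supplicant.eap_response(chal["challenge"])
        result = self.radius.access_request_proof(ident["identity"], resp["proof"])
        self.controlled_port_open = result["type"] == "Access-Accept"
        return {"type": "EAP-Success" if self.controlled_port_open else "EAP-Failure"}

def run_exchange(identity, password):
    """Return (data frame before auth, EAP result, data frame after auth)."""
    ap = Authenticator(RadiusServer(USER_DB))
    before = ap.forward("GET / HTTP/1.0")   # None: dropped at the controlled port
    result = ap.authenticate(Supplicant(identity, password))["type"]
    after = ap.forward("GET / HTTP/1.0")
    return before, result, after
```

This toy authenticates only the supplicant; the mutual authentication of EAP-TLS or IKE described above would additionally have the supplicant verify the server before sending a proof.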
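The DHCP-log check mentioned above, as an added example that is not from the book: scan constructed dhcpd-style syslog lines for DHCPACKs on the wireless interface to MAC addresses absent from a device inventory. The log format, the interface name wlan0 and the inventory are assumptions.

```python
import re

# Constructed ISC dhcpd-style syslog lines (sample input, not a real capture)
SAMPLE_LOG = """\
Mar 12 09:01:03 gw dhcpd: DHCPACK on 192.168.50.20 to 00:0c:29:aa:bb:01 (laptop-eng1) via wlan0
Mar 12 09:14:44 gw dhcpd: DHCPDISCOVER from 00:13:ce:12:34:56 via wlan0
Mar 12 09:14:44 gw dhcpd: DHCPOFFER on 192.168.50.37 to 00:13:ce:12:34:56 via wlan0
Mar 12 09:14:45 gw dhcpd: DHCPACK on 192.168.50.37 to 00:13:ce:12:34:56 via wlan0
Mar 12 09:30:00 gw dhcpd: DHCPACK on 192.168.50.21 to 00:0C:29:AA:BB:02 (printer) via eth0
Mar 12 09:41:10 gw dhcpd: DHCPACK on 192.168.50.38 to 00:0c:29:aa:bb:99 (DESKTOP-X1) via wlan0
"""

# Constructed inventory of MAC addresses expected on the wireless segment
KNOWN_WIRELESS_MACS = {"00:0c:29:aa:bb:01", "00:0c:29:aa:bb:02"}

# Only a DHCPACK means a lease was actually handed out; OFFER/DISCOVER are ignored
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

def find_unknown_leases(log_text, known_macs, wireless_ifaces=("wlan0",)):
    """Return leases granted on a wireless interface to MACs not in the inventory."""
    known = {m.lower() for m in known_macs}          # normalise case before comparing
    unknown = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m or m["iface"] not in wireless_ifaces:
            continue
        mac = m["mac"].lower()
        if mac not in known:
            unknown.append({"mac": mac, "ip": m["ip"], "host": m["host"] or "", "line": line})
    return unknown

if __name__ == "__main__":
    for hit in find_unknown_leases(SAMPLE_LOG, KNOWN_WIRELESS_MACS):
        print(f"unknown wireless client {hit['mac']} got {hit['ip']} host={hit['host']!r}")
```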
Passive attacks on wireless networks are extremely common, almost to the point of being ubiquitous. Detecting and reporting on wireless networks has become a popular hobby for many wireless wardriving enthusiasts. In fact, this activity is so popular that a new term, "war plugging," has emerged to describe the behavior of people who actually wish to advertise both the availability of an AP and the services they offer by configuring their SSIDs with text such as "Get_food_here"!

Detecting Wireless Networks

Utilizing new tools created for wireless networks and the existing identification and attack techniques and utilities originally designed for wired networks, attackers have many avenues into a wireless network. The first step in attacking a wireless network involves finding a network to attack. The most popular software developed to identify wireless networks was NetStumbler (www.netstumbler.com). NetStumbler is a Windows application that listens for information, such as the SSID, being broadcast from APs that have not disabled the broadcast feature. When it finds a network, it notifies the person running the scan and adds it to the list of found networks.

As people began to drive around their towns and cities looking for wireless networks, NetStumbler added features such as pulling coordinates from Global Positioning System (GPS) satellites and plotting the information on mapping software. This method of finding networks is reminiscent of the method hackers used to find computers when they had only modems to communicate. They ran programs designed to search through all possible phone numbers and call each one, looking for a modem to answer. This type of scan was typically referred to as wardialing; driving around looking for wireless networks is known as wardriving.

Similar tools are available for Linux and other UNIX-based OSs. These tools contain additional utilities that hackers use to attack hosts and networks once access is found. A quick search on www.freshmeat.net or www.packetstormsecurity.com for "802.11" reveals several network identification tools, as well as tools used to configure and monitor wireless network connections.

Using NetStumbler

The NetStumbler program works primarily with wireless network adaptors that use the Hermes chipset, because of its ability to detect multiple APs that are within range and WEP, among other features (a list of supported adaptors is available at the NetStumbler Web site). The most common card that uses the Hermes chipset for use with NetStumbler is the ORiNOCO Gold card. Another advantage of the ORiNOCO card is that it supports the addition of an external antenna, which can greatly extend the range of a wireless network by many orders of magnitude, depending on the antenna. A disadvantage of the Hermes chipset is that it doesn't support promiscuous mode, so it cannot be used to sniff network traffic. For that purpose, you need a wireless network adaptor that uses the PRISM2 chipset. The majority of wireless network adaptors targeted for the consumer market use this chipset (for example, the Linksys WPC network adaptors). Sophisticated wardrivers will arm themselves with both types of cards, one for discovering wireless networks and another for capturing the traffic.

Despite the fact that NetStumbler is free, it is a sophisticated and feature-rich product that is excellent for performing wireless site surveys, whether for legitimate purposes or not. Not only can it provide detailed information on the wireless networks it detects, but it can also be used in combination with a GPS to provide exact details on the latitude and longitude of the detected wireless networks. Figure 5.12 shows the interface of a typical NetStumbler session.

Note
Wardrivers often make their own Yagi-type (tubular or cylindrical) antenna.
Instructions for doing so are easy to find on the Internet, and effective antennas have been made out of such items as Pringles potato chip cans. Another type of antenna that can be easily homemade is the dipole, which is basically a piece of wire of a length that's a multiple of the wavelength, cut in the center and attached to a piece of cable that is connected to the wireless network interface card (NIC).

As you can see in Figure 5.12, NetStumbler displays information on the SSID, the channel, and the manufacturer of the wireless AP. There are a few things that are particularly noteworthy about this session. The first is that a couple of APs are still configured with the default SSID supplied by the manufacturer, which should always be changed to a non-default value upon setup and configuration. Another is that at least one network uses an SSID that may provide a clue about the entity that has implemented it; again, this is not a good practice when configuring SSIDs. Finally, we can see which of these networks have implemented WEP. If the network administrator has been kind enough to provide a clue about the company in the SSID or is not encrypting traffic with WEP, the potential eavesdropper's job is made a lot easier. Using a tool such as NetStumbler is only a preliminary step for the attacker. After discovering the SSID and other information, the attacker can connect to the wireless network to sniff and capture network traffic. This network traffic can reveal a lot of information about the network and the company that uses it. For example, looking at the network traffic, the attacker can determine which DNS servers are being used, the default home pages configured on browsers, network names, logon traffic, and so on. The attacker can use this information to determine if the network is of sufficient interest to proceed further with other attacks. Furthermore, if the network is using WEP, the attacker can, given enough time, capture a sufficient amount of traffic to crack the encryption.

FIGURE 5.12 Discovering Wireless LANs Using NetStumbler.

NetStumbler works on networks that are configured as open systems. This means that the wireless network indicates that it exists and will respond with the value of its SSID to other wireless devices when they send out a radio beacon with an empty-set SSID. This does not mean, however, that the wireless network can be easily compromised, if other security measures have been implemented.

Protecting Against Wireless Network Detection

To defend against the use of NetStumbler and other programs to detect a wireless network easily, administrators should configure the wireless network as a closed system. This means that the AP will not respond to empty-set SSID beacons and will consequently be "invisible" to programs such as NetStumbler, which rely on this technique to discover wireless networks. However, it is still possible to capture the raw 802.11 frames and decode them through the use of programs such as Ethereal and WildPackets' AiroPeek to determine this information. As well, RF spectrum analyzers can be used to discover the presence of wireless networks. Notwithstanding this weakness of closed systems, you should choose wireless APs that support this feature.

Sniffing

Originally conceived as a legitimate network and traffic analysis tool, sniffing remains one of the most effective techniques in attacking a wireless network, whether it's to map the network as part of target reconnaissance, to grab passwords, or to capture unencrypted data. Sniffing is the electronic form of eavesdropping on the communications that computers transmit across networks. In early networks, the equipment that connected machines together allowed every machine on the network to see the traffic of all others.
These devices, repeaters and hubs, were very successful for getting machines connected, but allowed an attacker easy access to all traffic on the network because the attacker only needed to connect to one point to see the entire network's traffic. Wireless networks function very similarly to the original repeaters and hubs. Every communication across the wireless network is viewable to anyone who happens to be listening to the network. In fact, the person who is listening does not even need to be associated with the network in order to sniff!

The hacker has many tools available to attack and monitor a wireless network. A few of these tools are AiroPeek (www.wildpackets.com/products/airopeek) in Windows; Ethereal in Windows, UNIX, or Linux; and TCPDump or ngrep (http://ngrep.sourceforge.net) in a UNIX or Linux environment. These tools work well for sniffing both wired and wireless networks. All of these software packages function by putting your network card in what is called promiscuous mode. When the NIC is in this mode, every packet that goes past the interface is captured and displayed within the application window. If the attacker is able to acquire a WEP key, he or she can then utilize features within AiroPeek and Ethereal to decrypt either live or post-capture data.

By running NetStumbler, or other software that can perform the same function, hackers are able to find possible targets. Once a hacker has found possible networks to attack, one of the first tasks is to identify the target. Many organizations are "nice" enough to include their names or addresses in the network name. Even if the network administrator has configured his or her equipment in such a way as to hide this information, there are tools available that can determine this information. Utilizing any of the aforementioned network sniffing tools, an attacker can easily monitor the unencrypted network. Figure 5.13 shows a network sniff of the traffic on a wireless network. From this session, it is simple to determine the DNS server, the default search domain, and the default Web home page. With this information, an attacker can easily identify a target and determine if it is worth attacking.

FIGURE 5.13 Sniffing with Ethereal.