Wireless LAN 802.11 technology
802.11b networks are proliferating like mad. Even though faster wireless networks are now available, 802.11b offers users what they want at a reasonably low price. While the high throughput of other technologies is attractive to large Local Area Networks (LANs) and people wanting to use wireless for high-end home entertainment purposes, 802.11b's 11Mbit/sec is more than enough to hook up a handful of clients in your home to the Wide Area Network (WAN), which in most cases is simply the Internet.This document has been created to help provide an understanding of wireless security its vulnerabilities and how to be part of the wireless world creating your own antennas
How do I build a cheap and effective antenna?
There are many people who are building cheap antennas with various cheap cans bought at the grocery store including the Pringles can and beef stew cans. The waveguide cans appear to be significantly stronger in strength. Here is a good guide to building Pringles and waveguide antennas:
- 802.11b Homebrew Antenna Shootout
- My wireless node location
- Yahoo wireless community
-Can you spot a laptop with wireless 802.11 capability by looking for the antenna?
Many major computer manufacturers are now supporting built in wireless 802..11 capability and many new laptops are building an internal wireless antenna. The physical antenna will not be easy to spot on all laptops.
Basic secure strategy:
don't be an easy target, and know what you want to secure 802.11x is not without its flaws. If someone wants on your wireless network bad enough, they'll probably get on one way or another. What your average home user needs to do is simply not provide fertile stomping grounds for people who are out for an easy target. You might wonder why anyone would even want access to your network. In most scenarios, your wireless network provides perpetrators with two things: 1) access to your local network (the computers connected up in your house), which if unsecured means access to your data, and better yet, 2) access to the 'net. 11Mbits/sec isn't a bad little heist for someone who wants to spend all night downloading pr0n from your connection, or perhaps they'd rather mail bomb the government or something. It's no matter--just don't be an easy target. We're gonna help.
Thus, strictly speaking, there are two things that a user will want to secure: 1) client-to-router traffic, and 2) cracker-to-router access to the LAN/Internet
Client-to-Router concerns In this first instance, your concern is that you don't want someone to be able to see (aka, sniff) the data that travels from your legitimate clients to your wireless router (e.g., e-mail, URLs, your passwords that are plaintext, etc.). The simple fact of the matter is that if a cracker sits within range of your network long enough, with the right tools they will break your basic encryption (if you even have it turned on, which most people apparently do not). Without purchasing rather expensive software, all of the traffic that flows between your wireless laptop (for example) and your router can be seen by a cracker with minimal effort. Therefore, if you work with extremely sensitive data, doing so over a wireless connection is dangerous, unless you are using safe tools. For example, if you want to administrate your UNIX servers via a terminal connection, using SSH makes WEP security irrelevant, since traffic is encrypted via SSH, and SSH is rather strong.
Part I: Lock down must-dos Lock down must-dos are just that, must-dos. If you do anything, do these. Doing these relatively simple things will instantly make you much less of an easy target. It's a bit like taking off your Where's Waldo? garb cap and removing the kick-me sign off of your back. Keep in mind that almost all 802.11x routers and access points ship from the manufacturer with the weakest security options enabled by default in order for you have the easiest time possible setting that hardware up. The default config is not, I repeat, not secure. In this regard I must applaud Microsoft; the company ships its wireless products with WEP setup by default.
Nota Bene: many of the changes suggested below will have immediate effects on your network. We recommend using a PC with an Ethernet connection to your wireless router to do configuration. Otherwise, if you make a mistake configuring your router from a wireless client, you can cut your own access off and be forced to completely reset your router. Furthermore, for safety's sake, make sure all of your wireless clients have the latest drives for the WLAN cards downloaded and installed (some really old cards may not support WEP out of the box) before proceeding.
Change the admin password and turn off remote management These are so obvious that we're loath to mention them, but here goes nothing. Your wireless router's default password should be changed immediately. You might think, "well, I have remote access to the configuration disabled, so no one can get to me," but you're wrong. Even with remote management disabled (which it should be, unless you have a very good reason otherwise), anyone who approaches your wireless LAN with a wireless card is "behind" your firewall, not in front of it. So, if you have a Linksys router and the password is still 'admin,' someone sitting in China can't get to it from the Internet, but they certainly can from your back yard or the room next door. And once they do that, they own your wireless LAN (until you hard reset). Change the password, and turn off remote management (which will only prevent people managing your router from the WAN).
Turn off SSID Broadcast This is the real Job One. By allowing broadcast SSID to associate, you make it easy for your pals to come over and get hooked up on your LAN for some gaming or whatnot, but you also pretty much make it easy for anyone with a wireless receiver to gain access to your network, too. Leaving broadcasting on is a bit like leaving your garage door open at night: anyone passing by looking for trouble can see without much effort that there's opportunity afoot. This is why so many clients with an SSID of 'any' can roam from place to place and find access: broadcast SSID support allows any SSID to bind. That's not good for your security. With a firmware update, pretty much every major wireless router out there now supports this option. Do it!
When you turn this off, your wireless clients will have to be configured with the exact SSID that you have set for your wireless network. This brings us to the next bit...
Change your SSID Even if someone can't easily tell that you're running a wireless network in your home, if they use popular wireless network sniffers, they'll probably still find you unless you change your SSID from its factory default setting. Considering that factory default SSIDs are well known, this is simply something that you cannot allow. Consider Delta Farce's War Flying experiment: 60% of the APs that they stumbled across were configured with SSIDs relating to only four manufacturers' default SSIDs. What's mah name? Eazy! </old skool rap reference>
When choosing a network name, try not to choose something obvious, such as your name or your address. But don't use something like your e-mail password, either. Crackers can still get at your SSID with enough effort. The idea is not to make it easy. Something silly like bobotheclown is going to be harder to guess than 'linksys,' and it won't betray any vital information (well, unless you happen to be Bobo the Clown). When coming up with a name, stay away from obvious schemes, such as <your organization or name>+WLAN, and its also advisable not to choose names that are alluring to some. "mypotofgold" or "wirelesspr0nheaven" are probably not good names.
WEP: better than nothing If you've read our Wireless Security Blackpaper then you know that Wired Equivalent Privacy (aka WEP) is not bulletproof. But then again, neither is your head, and if you use it in conjunction with other things, you can probably keep yourself out of trouble. WEP should be enabled, and ideally you should use the strongest key possible (on home systems, that's going to typically be 128-bit, but 256-bit is available with select hardware). 64-bit encryption (with a 40-bit encryption key and a 24-bit initialization vector) and 128-bit encryption (with a 104-bit key and a 24-bit initialization vector) are standard on most units (if they have the latest firmware), although you may see them identified only by key size, rather than key-size plus initialization vector bit size (e.g., as 40-bit and 104-bit). While it is true that you will get slightly higher performance with a 64-bit key (less encrypting means faster throughput), 128-bit encryption still delivers excellent throughout, and is harder (more time consuming) to crack. Use 128-bit (or higher). Currently 256-bit encryption is available on select D-Link units, and as an added bonus, I might note that 256-bit support, since it is so rare, really narrows down the field of potential attackers.
WEP encrypts data both to and from your wireless clients, making it harder to peek in on what you're doing. It's not impossible to hack, but keep in mind what we're trying to do here: make it less convenient. With WEP enabled and the SSID Broadcasting off, you've lessened your chances of being the neighborhood's free ISP by a great deal. Also, note that even with WEP enabled, your SSID is never transmitted encrypted. So even with WEP enabled, do not chose sensitive information as the SSID.
When setting up WEP, you can either specify the ASCII or hexadecimal keys yourself, or you can use a pass phrase generator to take a smaller word and generate the key in that way. For those of you with NetGear access points (or any other AP that exhibits this behavior), do not use the built-in "default keys." At press time, NetGear Wireless routers came configured with suggested WEP keys, which are totally useless, since they're published, and well known. Make your own keys. For example, Linksys' generator looks like this:
Pick a passphrase that you'll remember, and then generate the key based off of that. Once you have the key (do yourself a favor and write it down and save it in a file), you'll need to add this key to your clients' wireless connection manager. For those of you using Windows XP to manage your wireless connections, you'll need to modify this:
If you use the Windows XP Wireless Connection manager, note that Windows considers a 128-bit WEP key to be '104 bits (26 digits)' in length (which is technically correct, it's just that the vector key is left out). Note that "Network Authentication" need not be checked unless your hardware requires it.
Finally, note that some Wireless Routers will allow you the option of configuring WEP and also requiring it. If you setup WEP, but don't require it, then you are essentially still exposed. Make sure that WEP is required for all communication (not all products require you to explicitly set WEP as required).
Part II: Additional security options If you've done the above, you're more secure than most, to be sure. At this point, crackers looking to make trouble or use a free pipe are likely to move on to some other site where things are easier to manage. Still, there are additional options you should consider, so we'll lay them out and let you decide.
At this point, we're going to assume that your SSID is not easily guessable, that you've got encryption setup, and that you've disallowed broadcast SSIDs to associate. Only if this is true will the next few suggestions be of real use.
Go MAC or manual: the Promised Land Some, but not all routers (wireless or wired) allow you to identify certain MAC addresses that are valid to associate. If you're willing to take on the extra management required to implement MAC-based security, then this will really help. A MAC address is a physical layer address associated with your networking card or device. In theory, every network card out there has its own unique address, kind of like a fingerprint. If you have a limited number of clients, you can simply record the MAC address of each, and only allow devices with those MAC address to connect. Unfortunately, if someone sits and records data on your network long enough, they'll crack your WEP keys, and will be able to see your MAC addresses. After doing so, they can simply "spoof" a valid MAC address to gain access. But this is a lot of effort to go through, and deterrence is what we're after here. Here's one example of a MAC address filtering table. You would simply collect and deposit your MAC address here once. Some higher end hardware will allow you to upload a CSV or TXT file of MAC addresses, which is extremely convenient, but probably not much of a worry for smaller home users.
Can't find your MAC address? winipcfg.exe does the trick in 95-based OSes, while in NT-based OSes, a quick trip to CMD.EXE will afford you the change to run ipconfig /all , where you would look for "Physical address."
If you just can't stand the idea of all this configuration, then there's one other thing you can try. With many routers, you can specify both the "lease" duration and the number of DHCP clients to allow. If you have 3 wireless clients, you could set the max clients to '3', and adjust the lease time as high as possible, essentially making those leases permanent. The problem there is that many routers, including the popular Linksys models, only allow leases up to a day in length. Of course, you might want to consider nixing DHCP entirely.
Disable DHCP, or limit it severely A simple thing to do is to disable DHCP and just assign IPs automatically. DHCP stands for the Dynamic Host Configuration Protocol, and its designed to let administrators of large networks handle IP address assignments with ease. Clients on a DHCP network get IP addresses automagically, and admins don't have to keep Excel spreadsheets for IP tracking anymore. But DHCP isn't all roses, because basic DHCP implementations aren't discriminatory: they'll hand out IPs to any device that wants one (assuming there are IPs available). This is super convenient for you, but it's also convenient to the cracker who wants on your TCP/IP network.
If your network doesn't consist of more than a few consistent users, you can disable DHCP and assign IPs yourself. This is fairly easy to do, and you have a whole Class C network to do it in (192.168.1.x, leaving out of course the internal IP of your router, but also see below). If a cracker doesn't automatically get an IP from you, she may think that you're not up and running, or that you have MAC level addressing on. Or, she may be savvy and just setup her computer to use 192.168.1.137 (or something other 192.168.1.x) address and get access that way, essentially joining by virtue of knowing the IP address range of your router. This last issue is addressable, as we'll see in the "Little Tricks" section.
Little tricks Ch-ch-ch-changes! For added security, you should consider changing your SSID every few months. Sure, it's annoying and tedious, but it's not a bad idea.
Emanate from within. If you're really concerned, you can also consider moving your wireless router around in your home to see what position gives you the best coverage while keeping your extra-home signal at a minimum. Basic physics would suggest that placement at the center of your home at the ground or basement-level would be most sufficient. Others have found that placing the router in a corner of your house with thick shielding behind it can also work well.
Segregate wires and wireless. While not necessarily a bargain basement solution, you may want to consider segregating your wired LAN and wireless LAN. Most WLAN routers out there have both wireless support and 4-5 10/100 Mbit Ethernet ports. Chances are, you're using the wired connections for your stable/stationary desktop(s), but the wireless for secondary computers and/or laptops. All of those items are, of course, sitting on the same LAN. If your wired LAN is of particular concern, you might consider putting it behind another Firewall, either software or hardware, and denying access from the WLAN router. In this instance, you could use different IP address ranges for the two LANs. In essence, you are making a Wireless Demilitarized Zone (WDMZ) which is isolated from all valuable resources. Corporations are doing this left, right and center, and since a good wired router is less than $100 these days, this is probably your best bet at being extremely safe client-side.
Be your own Network Engineer. Also, keep in mind that behind your WLAN/firewall, you can actually use a wide range of home networking IPs. By default most home networks are on 192.168.1.x, but other options are available. Currently, the Private Address Space ranges are:
10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
You can use these addresses behind your firewall and experience no host resolution difficulties at all. By choosing another range (such as 192.168.159.x, or some such) you'll keep a would-be cracker guessing as to what IP range your using (provided you've turned Broadcast SSID and DHCP off), thereby making it tougher for him to grab a static IP and gain access to your network. The same concept holds true for the address of your router. In many cases, routers automatically reserve 192.168.1.1, 192.168.1.100 or 192.168.1.254 for themselves. If you can change the IP address of the router to some arbitrary number outside of the address range that you've chosen, it adds just a little more mystery to your network.
Also keep in mind that you are not limited to using 192.168.1.x as a Class C subnet (255.255.255.0 subnet mask). We're getting into networking mojo here, so let me take a second and explain what it is I'm talking about. A subnet mask is a 32-bit dotted decimal number that is used to describe the local network's IP configuration. In larger organizations, it is sometimes a good idea to split up the local network into network segments using subnet classes. Because you have full control over your local network configuration, you can configure your router as a Class B (255.255.0.0), and put your clients on a portion of that network. So, for example, you could configure your router as 192.168.120.210, but then configure your clients (manually) as 192.168.210.x.
Wanna be sure? There's one way and one way only to know if you've achieved a decent level of success. Try to hack your own network. NetStumbler is probably your best bet, so give it a shot.
Changing the wireless channel, while recommended by some, is really a waste of time. Most WLAN adapters are set to autoscan through the limited channel rage, so this isn't worth your effort.
Conclusion Whew, that's a lot of stuff to consider. And you might think, ah, it will never happen to me. If you're utterly convinced of that (which I think is a very un-wise position), at least hit up the must-dos. Now, for those of you who are going make changes to your network, write down everything you're gonna do! If your wireless router burps and needs a hard reset, you're going to need to setup all of this stuff again (at least on the router, not on your clients!). Save yourself the effort of guessing and just make a note right now.
I should note that there is additional security technology in the works for the wireless standard. The recently announced Wi-Fi Protected Access (WPA - PDF FAQ here) scheme should help matters greatly, as should the 802.11i high-end Robust Security Network amendment to the existing wireless LAN standard. Expect to see products with WPA support by the 2nd quarter of 2003.
 What are the major security risks to 802.11b?
Here is the list of main known security risks with 802.11b:
- Insertion Attacks
- Interception and monitoring wireless traffic
- Client to Client Attacks
-War-driving, war-walking, war-flying, war-chalking
Taken from the movie, "WarGames?", dialing many phone numbers looking for computers to access was called "War-Dialing". This similar action has been applied to wireless. War-walking, war-driving, war-flying refer to the modes of transportation for going around and identifying various Access Points. Most reports of war-walking, war-driving, and war-flying has resulted in identifying large numbers of wide open un-secure Access Points in most cities.
War-chalking is the act of marking the area or vicinity with a symbol to infer that an AP is within range. WiFi War-chalking Symbols are at [WWW] http://www.warchalking.org [2.1.0] What are Insertion Attacks?
The insertion attacks are based on placing unauthorized devices on the wireless network without going through a security process and review. [2.1.1] Plug-in Unauthorized Clients
An attacker tries to connect their wireless client, typically a laptop or PDA, to a basestation without authorization. Base stations can be configured to require a password before clients can access. If there is no password, an intruder can connect to the internal network by connecting a client to the base station. [2.1.2] Plug-in Unauthorized Renegade Base Station
Many companies may not be aware that internal employees have deployed wireless capabilities on their network. An internal employee wanting to add their own wireless capabilities to the network plugs in their own base station into the wired intranet. This is a risk if the base station has not been properly secured. This could lead to the previously described attack of unauthorized clients then gaining access to unauthorized base stations, allowing intruders into the internal network. Typically, companies may need a policy against allowing employees to add wireless base stations onto the corporate network without requesting permission and going through a security process. A sophisticated intruder may physical place a base station on the victims network to allow them remote access via wireless. [2.2] What are Interception and monitoring wireless traffic attacks?
These interception and monitoring attacks are popular on broadcast wired networks like Ethernet. The same principles apply to wireless. [2.2.1] Wireless Sniffer
An attacker can sniff and capture legitimate traffic. Many of the sniffer tools for Ethernet are based on capturing the first part of the connection session, where the data would typically include the username and password. An intruder can masquerade as that user by using this captured information. An intruder who monitors the wireless network can apply this same attack principle on the wireless.
One of the big differences between wireless sniffer attacks and wired sniffer attacks is that a wired sniffer attack is achieved by remotely placing a sniffer program on a compromised server and monitor the local network segment. This sniffer based attack can happen from anywhere in the world. Wireless sniffing requires the attacker to typically be within range of the wireless traffic. This is usually around 300 feet range, but wireless equipment keeps strengthening the signal and pushing this range further out. [2.2.2] Hijacking the session
If an attacker can sniff the wireless traffic, it is possible to inject false traffic into a connection. An attacker may be able to issue commands on behalf of a legitimate user by injecting traffic and hijacking their victims session. [2.2.3] Broadcast Monitoring
If a base station is connected to a hub rather than a switch, any network traffic across that hub can be potentially broadcasted out over the wireless network. Because the Ethernet hub broadcasts all data packets to all connected devices including the wireless base station, an attacker can monitor sensitive data going over wireless not even intended for any wireless clients. [2.2.4] ArpSpoof? Monitoring and Hijacking
Normally, in regards to an AP, the network data traffic on the backbone of a subnet would be treated similarly like a network switch, thus traffic not intended for any wireless client would not be sent over the airwaves. This could reduce significantly the amount of sensitive data over the wireless network.
An attacker using the arpspoof technique can trick the network into passing sensitive data from the backbone of the subnet and route it through the attackers wireless client. This provides the attacker both access to sensitive data that normally would not be sent over wireless and an opportunity to hijack TCP sessions. Dsniff is a popular tool that enables arpspoofing and is available at: [WWW] http://www.monkey.org/~dugsong/dsniff/
and Cigital has a diagram depicting the attack available at:
[126.96.36.199]Hijacking SSL (Secure Socket Layer) and SSH (Secure Shell) connections.
By using arpspoofing technique, an attacker can hijack simple TCP connections. There are tools that allow for hijacking SSL and SSH connections. Typically, when SSL and SSH connections get hijacked, the only alert to the end-user is a warning that the credentials of the host and certificate have changed and ask if you trust the new ones. Many users simply accept the new credentials, thus allowing an attacker to succeed. A reasonable interim measure to prevent the attack is to have users enable SSH's StrictHostKeyChecking? option, and to distribute server key signatures to mobile clients.
An attacker can trick legitimate wireless clients to connect to the attackers honeypot network by placing an unauthorized base station with a stronger signal within close proximity of the wireless clients that mimic a legitimate base station. This may cause unaware users to attempt to log into the attackers honeypot servers. With false login prompts, the user unknowingly can give away sensitive data like passwords. [2.3] What are AP and Client Misconfigurations?
By default, all the base stations analyzed out of the box from the factory were configured in the least secure mode possible. Adding the proper security configuration was left up as an exercise to the administrator to lock down. Unless the administrator of the base station understands the security risks, most of the base stations will remain at a high risk level. The analysis of three base station models by the leading 802.11 vendors lead to many configuration issues that should be audited and assessed by the organization. The top three base station vendors analyzed were Cisco, Lucent, and 3Com. The security risks identified may change in newer versions of the 802.11 solution as it is evolving rapidly. Each vendor had different implementation security risks, but the underlying issues are the same and can be applied to other vendors not listed here. [2.3.1] Server Set ID (SSID)
SSID is a configurable identification that allows clients to communicate to the appropriate base station. With proper configuration, only clients that are configured with the same SSID can communicate with base stations having the same SSID. SSID from a security point of view acts as a simple single shared password between base stations and clients. [188.8.131.52] What are the default SSID's?
Each of the base station models came with default SSIDs. Attackers can use these default SSIDs to attempt to penetrate base stations that are still in their default configuration. Here are some default SSIDs:
tsunami - Cisco
RoamAbout? Default Network Name - Lucent/Cabletron
Compaq - Compaq
WLAN Addtron, a popular AP
intel - Intel
[2.3.2]What is Secure Access mode?
Lucent has Secure Access mode. This configuration option requires the SSID of both client and base station to match. By default this security option is turned off. In non-secure access mode, clients can connect to the base station using the configured SSID, a blank SSID, and the SSID configured as any. [2.3.3] Bruteforce Base Station SSID
Most base stations today are configured with a server set id (SSID) that acts as a single key or password that is shared with all connecting wireless clients.
An attacker can try to guess the base station SSID by attempting to use a bruteforce dictionary attack by trying every possible password. Most companies and people configure most passwords to be simple to remember and therefore easy to guess. Once the intruder guesses the SSID, they can gain access through the base station.
The SSID could be obtained through one of the wireless clients becoming compromised or an employee resigns knowing the key, there is risk that anyone with the SSID could still connect to the base station until the SSID is changed. If there are many wireless users and clients, it can become problematic to scale this security solution if the SSID needs to be changed frequently and all clients and base stations need to reconfigured with an updated shared single SSID each time. [2.3.4] Can the SSID be encrypted?
WEP, the encryption standard for 802.11, only encrypts the data packets not the 802.11 management packets and the SSID is in the beacon and probe management messages. The SSID is not encrypted if WEP is turned on. The SSID goes over the air in clear text. This makes obtaining the SSID easy by sniffing 802.11 wireless traffic. [2.3.5] By turning off the broadcast of SSID, can someone still sniff the SSID?
Many APs by default have broadcasting the SSID turned on. Sniffers typically will find the SSID in the broadcast beacon packets. Turning off the broadcast of SSID in the beacon message (a common practice) does not prevent getting the SSID; since the SSID is sent in the clear in the probe message when a client associates to an AP, a sniffer just has to wait for a valid user to associate to the network to see the SSID. [2.3.6] Wired Equivalent Privacy (WEP)
WEP can be typically configured in 3 possible modes:
- No encryption mode
- 40 bit encryption
- 128 bit encryption
WEP, by default out of the box, all base station models analyzed have WEP turned off. 64 bit encryption versus 128 bit encryption provides no added protection against the known flaw in WEP.
Most public wireless LAN access points (i.e., airports, hotels, etc) do not enable WEP. Based on statistical analysis in regions like New York, San Francisco, London, Atlanta,
most companies do not turn on WEP security on their APs. If the AP does not enable WEP, the wireless clients can not use the WEP encryption.
In some base stations, it is optional whether the encryption is enforced. The WEP encrypted may be turned on, but if it is not enforced, a client without encryption with the proper SSID can still access that base station. [184.108.40.206] Attacks against WEP
802.11b standard uses encryption called WEP (Wired Equivalent Privacy). It has some known weaknesses in how the encryption is implemented.
Papers on WEP Insecurities
- Researchers at Berkeley have documented these findings at:
- Using the Fluhrer, Mantin, and Shamir Attack to Break WEP
Using WEP is better than not using it. It at least stops casual sniffers. Today, there are readily available tools for most attackers to crack the WEP keys. Airsnort and others tools take a lot of packets (several million) to get the WEP key, on most networks this takes longer than most people are willing to wait. If the network is very busy, the WEP key can be cracked and obtained within 15 minutes.
The fix for encryption weakness for the standard is not slated to be addressed before 2002.
Because of the WEP weakness, wireless sniffing and hijacking techniques can work despite the WEP encrypted turned on.
There is the IEEE 802.1X standard which allows network access to be authenticated and keys to be distributed. This allows access to APs to be authenticated and WEP keys to be distributed and updated. More APs are starting to support this standard. [220.127.116.11] Default WEP Keys
The NetGear Access Point uses the following 4 WEP sequences as default keys.
- 10 11 12 13 14
- 21 22 23 24 25
- 31 32 33 34 35
- 41 42 43 44 45
It is recommended not to use the default WEP keys.
Please e-mail [MAILTO] firstname.lastname@example.org if you know of other default WEP keys for Access Points. [18.104.22.168] How Large is WEP Keys
The original 802.11 specification defined a 40-bit key. This key is combined with a 24 bit quantity known as the "initialization vector" (which is created automatically by the wireless network hardware) and these 64 bits are used within the RC4 encryption in order to produce the encrypted data. Some vendors describe this as 64-bit encryption (since technically RC4 is using 64 bits), but others describe it as 40-bits (since the initialization vector is public unencrypted data so it does not contribute to the security of the system). Therefore 40-bit and 64-bit WEP keys are the same thing, just being described from different points of view. Most 802.11 hardware now supports a larger 104-bit key; this also has a 24-bit initialization vector and so it is also sometimes marketed as a 128-bit system. [2.3.7] SNMP community words
Many of the wireless base stations have SNMP (Simple Network Management Protocol) agents running. If the community word is not properly configured, an intruder can read and potentially write sensitive information and data on the base station. If SNMP agents are enabled on the wireless clients, the same risk applies to them as well.
By default, all three base stations are read accessible by using the community word, public. With the default of most base stations using the community word public, potentially sensitive information can be obtained from the base station.
By default, the 3com base station has write access by using the community word, comcomcom. Cisco and Lucent/Cabletron require the write community word to be configured by the user before it is enabled.
[22.214.171.124] SNMP vulnerabilities
Many implementations of SNMP were found to be vulnerable by using the PROTOS tool developed by University of Oulu . This affected many vendors, many of which produce wireless access points. Check with your vendor and see if there is a firmware patch regarding SNMP vulnerabilities. For more information on the testing tool for finding SNMP issues, check here:
[2.3.8] Configuration Interfaces
Each base station model has its own interfaces for viewing and modifying the configuration. Here are the current interface options for each base station:
- Cisco - SNMP, serial, Web, telnet
- Lucent / Cabletron - SNMP, serial (no web/telnet)
- 3Com - SNMP, serial, Web, telnet.
3com base station lacks any access control from the web interfaces for reading the configuration options. By connecting to the 3com base station web interface, it provides SSID on the system properties menu display. An attacker who finds a 3com base station web interface can easily get the SSID.
3com base station does require a password on the web interface for write privileges. The password is the same as the community word for write privileges, therefore 3com base stations are at risk if deployed using the default, comcomcom as the password. This gives an attacker easy write access. [2.3.9] Client side security risk
For the clients connecting to the base station, they store sensitive information for authenticating and communicating to the base station. If the client is not properly configured, access to this information is available.
- Cisco client software stores the SSID in the Windows registry. Cisco stores the WEP key in the firmware, which is difficult to gain access to.
- Lucent/Cabletron client software stores the SSID in the Windows registry. The WEP is stored in the Windows registry but it is encrypted. The encryption algorithm is not documented.
- 3Com client software stores the SSID in the Windows registry. The WEP key is stored in registry with no encryption.
Windows XP has 802.11 configuration and has a display of the available SSID's built-in to the OS. [2.3.10] Installation Risk
By default, all installations are optimized for the quickest configuration to get users successful out of the box. Inversely, by default, the installations are configured the least secure mode as possible.
From out of the box experience, Cisco was simple and easiest to install. 3Com installation was straight forward out of the box. And Lucent/Cabletron had many firmware upgrades which led to confusion on which upgrades to install. [2.4] Jamming
Denial of service attacks for wired networks are popular. This same principle can be applied to wireless traffic, where legitimate traffic gets jammed because illegitimate traffic overwhelms the frequencies, and legitimate traffic can not get through. [2.4.1] 2.4 GHz Interfering Technology
An attacker with the proper equipment and tools can easily flood the 2.4 GHz frequency, so that the signal to noise drops so low, that the wireless network ceases to function. This can be a risk with even non-malicious intent as more technologies use the same frequencies and cause blocking. Cordless phones, baby monitors, and other devices like Bluetooth that operate on the 2.4 GHz frequency can disrupt a wireless network. [2.5] What are Client to Client Attacks?
Two wireless clients can talk directly to each other by-passing the base station. Because of this, each client must protect itself from other clients. [2.5.1] Filesharing and other TCP/IP service attacks
If a wireless client, like a laptop or desktop, is running TCP/IP services like a web server or file sharing, an attacker can exploit any misconfigurations or vulnerabilities with another client. [2.5.2] DOS(Denial of Service)
A wireless client can flood another wirelss client with bogus packets, creating a denial of service attack. An attacker and sometimes employees unintentionally can configure their client to duplicate the IP or MAC address of another legitimate client causing disruption on the network.
[2.5.3] Hybrid Threats
Next generation virus and worms have become a multi-vector attack programs that self-propagate through any TCP/IP interface including wireless. If one computer on a wireless network is infected with a hybrid threat, this threat can easily spread to other wireless computers and potentially internal computers behind the wireless network. [2.6] War Driving Access Point Maps
As people are War Driving, and locating the APs and recording the GPS coordinates of the AP location, these AP maps are being shared to any attacker on the Internet. If a company has their AP location and information shared on the Internet, their AP becomes a potential target and increases their risk. They usually include a visual map and a database query tool for locating various APs. Here are some popular places to upload War Driving AP maps.
[2.7] Parasitic Grids
From article, "An underground movement to deploy free wireless access zones in metropolitan areas is taking hold... The movement, called by some the "parasitic grid" and by others more simply the "free metro wireless data network," has already installed itself in New York; San Francisco; Seattle; Aspen, Colo., Portland, Ore., British Columbia; and London..." This provides attackers and intruders completely untraceable anonymous access. Trying to locate and trace attackers using the parasitic grid becomes an impossible task.
Hotspots are WiFi access point areas provided by businesses to enable their customers with access to the Internet. Hotspots are being put up telecommunication companies and start-ups. They are being deployed at airports, hotels, restaurants, and coffee shops.
Starbucks Hotspot at [WWW] http://www.starbucks.com/retail/wireless.asp
 What are solutions to minimizing WLAN security risk?
There are many options that organizations can do today to put proper security protection around their wireless strategy and technology. [3.1] Wireless Security Policy and Architecture Design
Many organization need to develop a wireless security policy to define what is and what is not allowed with wireless technology. From a holistic view, the wireless network should be designed with the proper architecture to minimize risk.
[3.1.1] Basic Field Coverage
Because of wireless leakage, one of the first principals to basic field coverage is to only provide coverage for the areas that you want to have access.
By using directional antennas and lowering the transmit power (on commercial class equipment - i.e., Cisco and Lucent), 85% (or higher) of the typical 802.11 signal leakage can be effectively eliminated. [3.2] Treat BaseStations? as Untrusted
From an network security architecture, the base stations should be evaluated and determined if it should be treated as an untrusted device and need to be quarantined before the wireless clients can gain access to the internal network. The architecture design may include a Wireless DMZ. This WDMZ includes appropriately placing firewalls, VPNs, IDSes, vulnerability assessments, authentication requirements between access point and the Intranet. [3.3] Base Station Configuration Policy
The wireless policy may want to define the standard security settings for any 802.11 base station being deployed. It should cover security issues like the Server Set ID, WEP keys and encryption, and SNMP community words. Turning off broadcast pings on the Access Point makes it invisible to 802.11b analysis tools like NetStumbler.
[3.3.1] 802.1X Security
Windows XP and many hardware vendors are building in 802.1X security standards into their Access Points. This provides a higher level of security than the typical WEP security. The 802.1x standard has a key management protocol built into its specification which provides keys automatically. Keys can also be changed rapidly at set intervals. Check to see if your Access Points support 802.1X.
There have been some security flaws noted by security researches in 802.1X standard. This points out the need for good VPN technology despite this new standard. Here is a document that outlines the issues in 802.1X security:
[3.3.2] MAC Address Filtering
Some Access Points have the ability to filter only trusted MAC addresses. MAC addresses are suppose to be unique addresses on the network. This feature is usually very difficult to implement in a dynamic environment due to the tedious nature of trying to configure AP for each and every trusted client. The MAC address is transmitted in the clear text, so any intruder can sniff authorized MAC addresses, and with proper tools, configure and masquerade their MAC address as a legitimate MAC address and by-pass this security mechanism. Enabling this security feature can be more effort than the actual security benefit that it provides. [3.4] Base Station Discovery
- From a wired network search, an organization could identify unknown and rogue base stations by searching for SNMP agents. The rogue base stations are identified as 802.11 devices through SNMP queries for host id.
- Some base stations have a web and telnet interface. By looking at the banner strings of these interfaces, this provides another method of identifying some 802.11 devices.
- An additional means is by using unique TCP/IP attributes like a fingerprint, it can help identify devices as base stations. Most TCP/IP implementations have a unique set of characteristics and many OS fingerprinting technologies use this method for identifying the OS type. This concept can be applied to the base stations.
From a wireless network search, an organization can identify these rogue base stations by simply setting up a 2.4 GHz sniffer that identifies 802.11 packets in the air. By looking at the packets, you may find the IP addresses to help identify which network they are on. In a densely populated area with many businesses close together, running a sniffer may pick up more the intended organizations traffic, but a close neighboring company.
[3.4.1] Honeypots - FakeAP
Black Alchemy's Fake AP generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP's cacophony of beacon frames. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers?, Script Kiddies, and other undesirables.
[3.5] Base Station Security Assessments
An organization can examine and analyze the base station configuration. A security audit and assessment could determine whether the passwords and community words are still default or easily guessed and if better security modes have been enabled like encryption.
With router ACLs and firewall rules, an organization can minimize access to the SNMP agents and other interfaces on the base station. A security assessment can determine how widely accessible is the configuration interfaces to the base stations are allowed to within the organization. [3.6] Wireless Client Protection
The wireless clients should be assessed for having the following security technologies:
- firecell (distributed personal firewalls) - lock down who can gain access to the client.
- VPN - adds another layer of encryption and authentication beyond what 802.11 can provide.
- intrusion detection - identify and minimize attacks from intruders, worms, viruses, Trojans and backdoors.
- desktop scanning - identify security misconfigurations on the client.
 Who is making 802.11 Security Solutions? [4.1] 802.11 Gateway Infrastructure
BlueSocket?: The WG-1000 Wireless Gateway offers a single scalable solution to the security, quality of service (QoS) and management issues facing enterprises and service providers that deploy wireless LANs based on the IEEE 802.11b and Bluetooth standards.
EcuTel?: Viatores Secure WLAN edition is different from legacy virtual private networks (VPNs) in that it maintains VPN and application sessions uninterrupted with no configuration or re-boot required. Viatores combines two advanced protocols for mobility and security to enable roaming from LANs to WLANs and between WLAN subnets seamlessly and securely. Application sessions and security tunnels are maintained while the user moves from one subnet to another. Roaming users can communicate easily with colleagues, regardless of where they are or how they are connected, because Viatores maintains a single network address. Viatores Secure WLAN edition includes:
- oIndustry-strength secure communication well beyond the WEP standard; oSeamless roaming from wired to wireless networks and between different wireless networks; oSupport for two-way, peer-to-peer communication; o oData confidentiality and integrity, including key exchanges, digital signatures, and industry-strength encryption;
- Option to upgrade to secure and seamless roaming from public networks.
NetMotion? Wireless - NetMotion? Mobility provides a VPN designed to work with WLAN security. [WWW] http://www.netmotionwireless.com/resource/whitepapers/netmotion_security.asp has an overview of wireless security and how NetMotion? Mobility prevents unauthorized users from accessing your system and stops eavesdropping, replay, and other network-level attacks.
[4.2] 802.11 Security Analysis Tools
AirSnort is a wireless LAN (WLAN) tool that recovers encryption keys. It operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. AirSnort will work for both 40 or 128 bit encryption.
ohttp://freshmeat.net/projects/airsnort/ ohttp://www.dachb0den.com/projects/bsd-airtools.html oWIRELESS TOOLS [WWW] http://neworder.box.sk/codebox.links.php?&key=wireless
- WEPCrack is a tool that cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling.
Network Stumbler scans for networks roughly every second and logs all the networks it runs into--including the real SSIDs, the AP's MAC address, the best signal-to-noise ratio encountered, and the time you crossed into the network's space. If you add a GPS receiver to the notebook, it logs the exact latitude and longitude of the AP. Network Stumbler does not use promiscuous mode. Thus, by simply turning off broadcast pings hides the Access Point from NetStumbler. Now NetStumbler website includes a PocketPC MiniStumbler?.
ohttp://www.netstumbler.com/ ohttp://www.netstumbler.com/download.php?op=getit&lid=21 PocketPC MiniStumbler?
- Internet Scanner, assesses many 802.11b security checks. This is done by doing analyzing via the wired network and contacting the management interface.
- Wireless Scanner, examines 802.11b security issues via the 802.11b airwaves. Has a penetration testing mode and discovery mode. Uses promiscuous mode, thus capable of capturing the raw 802.11b packets for forensics analysis and replay. Even if broadcast pings are turned off, Wireless Scanner will still catch any Access Points if it sends any kind of traffic due to using promiscuous mode.
o [WWW] http://www.iss.net/download/ Evaluation copy of Wireless Scanner. ohttps://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/home.php WS Knowledge Base
RealSecure?, monitors many 802.11b attacks. Recommend putting Intrusion Detection and Intrusion Prevention behind the Access Point, directly on any servers and desktops behind the access point, as well as, on any wireless clients.
- BlackICE PC Protection 3.5, personal firewall with Intrusion Protection capability, is used on wireless laptops and desktops to protect against client to client attacks.
- WEPCrack is a tool that cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling.
 About Internet Security Systems Wireless 802.11b Solution
ISS offers the comprehensive wireless security solution:
- Wireless Security Assessments and Penetration Testing
- Wireless Policy Design and Workshops
- Vulnerability Scanning with specific 802.11 configuration checks
- Intrusion Detection for Wireless LAN networks
- Wireless 802.11 Security Classes
- ISS X-Force Advisories:
- ohttp://xforce.iss.net/alerts/advise83.php 802.11 SNMP Auth. Flaw ohttp://xforce.iss.net/alerts/advise84.php WEP Key exposed via SNMP
- ISS X-Force Advisories:
- The following people have contributed to the FAQ. Their contributions are deeply appreciated.
- Todd Nelson
- Skip Carter
- Gunter Ollmann
- Jim Broome
- Phil Brass
- Massimo Dileo
- The following people have contributed to the FAQ. Their contributions are deeply appreciated.
last edited 2006-01-06 05:43:54 by c-67-183-18-60
- Show Changes
- Get Info
- Python Powered
- Valid HTML 4.01
Bandwidth Provided by speakeasy.net