Unauthorized Access NETW 05A: APPLIED WIRELESS SECURITY By Mohammad Shanehsaz

NETW 05A: APPLIED WIRELESS
SECURITY
Unauthorized Access
By Mohammad Shanehsaz
February 22, 2005
This work is supported by the
National Science Foundation under
Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Objectives
Explain how intruders obtain network
access using wireless LAN protocol
analyzers, site surveying tools, and active
intrusion techniques.
Explain common points of attack.
Describe common non-secure
configuration issues that can be the focus
of an attack.
Objectives
Describe weaknesses in existing security
solutions.
Explain security vulnerabilities associated
with public access wireless networks.
Explain how malicious code or file
insertion occurs in a wireless LAN through
the use of viral attacks and placement of
illegal content.
Explain peer-to-peer hacking and how it
can be prevented.
Tools For Gaining Access
Cisco 350 & Orinoco Gold Cards
High gain omni & directional antennas
L0phtCrack
Manufacturer's client utilities
Lucent Registry Crack (LRC)
List of manufacturer’s default settings
Rogue Devices
A rogue device is any device that is not
authorized to be on the network.
It is considered a security breach of the
highest level.
The best way to go about discovering
these devices is to learn how a
professional intruder would go about
placing them.
Items that an intruder considers when
placing rogue devices such as access points
Location
WEP settings
Placement
Costs
Visibility
SSID settings
Frequency
Spectrum choice
Antenna
Location, placement, visibility
Rogue devices will be placed as if the
device were designed to be there in the
first place, without any disruption in
service to the existing network.
These devices will be placed near the
edge of the building; the closer to a
window the better, for better coverage
from outside the building.
The device is well hidden. Placing it in the
CEO's or another executive's office behind
his or her desk is ideal, but it requires a
lot of work.
Costs, WEP, SSID settings
Small, cheap access points are usually
used, because there is a good chance of
losing the device.
When the network uses WEP keys, a
rogue device without WEP is easier for an
administrator who is scanning the area
to discover.
The SSID must match the existing
wireless LAN implementation; using the
closed system feature makes the device
harder to detect.
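
From the administrator's side, the points on this slide become a scan audit: compare every beacon seen against the authorized AP inventory and flag mismatches in BSSID, SSID, channel, or WEP setting. This is an added example, not part of the original slides; the inventory, SSID, MAC addresses, and scan rows are constructed, and it covers only radios that an 802.11 scan can see.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str      # "" means closed system (SSID not broadcast)
    bssid: str     # MAC address of the radio
    channel: int
    privacy: bool  # True if the beacon advertises WEP

# Hypothetical authorized inventory: BSSID -> expected (SSID, channel, privacy)
AUTHORIZED = {
    "00:11:22:33:44:01": ("CORP-WLAN", 1, True),
    "00:11:22:33:44:02": ("CORP-WLAN", 6, True),
}
CORP_SSIDS = {ssid for ssid, _, _ in AUTHORIZED.values()}

def audit(scan):
    """Return (bssid, reason) findings for one scan pass."""
    findings = []
    for b in scan:
        bssid = b.bssid.lower()
        expected = AUTHORIZED.get(bssid)
        if expected is None:
            if b.ssid in CORP_SSIDS:
                reason = "unknown BSSID using corporate SSID"
            elif b.ssid == "":
                reason = "unknown BSSID with closed-system SSID"
            else:
                reason = "unknown BSSID"
            if not b.privacy:
                reason += ", no WEP"
            findings.append((bssid, reason))
        elif (b.ssid, b.channel, b.privacy) != expected:
            # Matching MAC but different settings: possible spoofed BSSID.
            findings.append((bssid, "authorized BSSID, unexpected settings"))
    return findings

# Constructed sample scan results (not real captures).
SAMPLE_SCAN = [
    Beacon("CORP-WLAN", "00:11:22:33:44:01", 1, True),
    Beacon("CORP-WLAN", "00:AA:BB:CC:DD:10", 11, True),
    Beacon("", "00:AA:BB:CC:DD:11", 3, False),
    Beacon("CORP-WLAN", "00:11:22:33:44:02", 11, True),
]

if __name__ == "__main__":
    for bssid, reason in audit(SAMPLE_SCAN):
        print(bssid, "->", reason)
```
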
Frequency, Antennas, and
Spectrum choice
Intruders may use 900 MHz units instead
of 2.4 GHz or 5 GHz Wi-Fi compliant units,
because no discovery tools can find them.
Horizontally polarized antennas are often
used to produce a very small RF signature
on any scanning devices.
Intruders may use FHSS technology,
Bluetooth, OpenAir, or HomeRF instead of
DSSS, to avoid being discovered by
discovery tools.
List of items that an intruder considers
when placing rogue devices such as
wireless bridges
Placement
Priority
MAC Spoofing
Antenna Use
Costs
Placement, and priority
A rogue bridge is placed within the
Fresnel Zone of an existing bridge link,
which may span several miles, making it
tougher to detect.
It must be set to a very low priority so
it does not become the root bridge, and
thus give itself away as a rogue device.
MAC spoofing, Antenna use and Costs
If MAC spoofing features are available in the
bridge, then the MAC address of an
authorized non-root bridge can be spoofed.
The rogue bridge will use high-gain
directional antennas to ensure a
consistently high quality connection.
The cost of a bridge is higher than that of
an access point, even though the chances
of being discovered are much lower.
DATA Theft & Malicious Insertion
High-speed wireless connectivity allows
nearby intruders to pull large amounts of
data from a network as well as push
equal amounts of data to the network.
The pushed data can be illegal, unethical,
or inappropriate content that the attacker
deposits on a corporate server or an
individual computer, which will result in
employment termination of the individual
or legal battles between companies.
DATA Theft & Malicious Insertion
There are many types of malware
(viruses and spyware) that an intruder can
place on a computer in order to obtain
information or damage the network.
These worms, Trojans, and other types of
viruses can be caught and disinfected
before they do damage by properly
installed, configured, and updated virus
scanning software.
Peer-to-Peer Attacks
Peer-to-peer attacks are attacks
instigated by one host aimed at another
particular host, both of which are clients
of the same network system.
Targets that hackers commonly seek are
sensitive data files, password files,
registry information such as WEP keys,
or file share properties, and network
access info.
Types of peer-to-peer attacks
Spread spectrum RF, by using a compatible
RF technology in ad hoc or infrastructure
mode.
Infrared, using the port on the back of the PC.
Hijacking, using a rogue access point and
a rogue DHCP server to capture layer 2
and layer 3 connections, then using an RF
jamming device to force the user to roam
to the rogue access point.
Unauthorized Control
Network Management Tools
Network management tools are powerful
utilities for managing large enterprise
LANs and WANs from a central point of
control.
An attacker can take over the entire
network from a mobile workstation using
software packages such as Hyena and
SolarWinds.
Unauthorized Control
Configuration Changes
An attacker can reconfigure one access
point and have that access point push
its configuration to all other access
points because of unsecured settings in
the wireless LAN. If the attacker starts a
firmware push and then terminates the
power to all access points (possible
because of PoE), all APs could be disabled.
Unauthorized Control
Third Party Attacks
Denial of service and spam attacks can
originate from an unsuspecting network
with an unsecured wireless LAN; the
corporation can then be blacklisted and
eventually disconnected from its ISP.
- Legal Liabilities
- ISP termination of service
Discussion Questions
How has this lesson changed your
outlook on rogue access points?
Is manual searching for rogues, even
on a regular basis, enough to keep
them off your network?
What are some ramifications of illegal
or unethical content being placed on
the network over wireless LAN? Could a
hacker target a person for termination?