Eavesdropping attack over Wi-Fi

Course: Security and Privacy on the Internet
Instructor: Dr. A.K. Aggarwal
Presented By: Fadi Farhat
Fall, 2007

564 Fall 2007 Security and Privacy on the Internet - Dr. A.K. Aggarwal

Table of Contents

Part I: Paper presentation
1. Define Eavesdropping.
2. Difference between eavesdropping over wired networks and eavesdropping over wireless networks.
3. What do we need to eavesdrop?
4. Legality of eavesdropping devices.
5. What makes Wi-Fi susceptible to compromise?
6. How to secure Wi-Fi networks?
7. Wi-Fi special attacks.
8. How to detect eavesdropping over Wi-Fi?

Part II: Project presentation
Introduction
1. Experiment Architecture and Scenarios
2. Hosts Installations and Configuration
3. Tuning CommView sniffer for experiment
4. Conducting the Experiment
   4.1. Spying on HTTP (Web Pages)
   4.2. Spying on FTP (Downloading files)
   4.3. Spying on SMTP (Emails)
5. IDS PromiScan 3.0
6. References
7. Lab Experiment with ?????

Part I: Paper presentation

Eavesdropping
• Eavesdropping is the process of gathering information from a network by snooping on transmitted data.
• To eavesdrop is to secretly overhear a private conversation over a confidential communication in a way that is not legally authorized.
• The information remains intact, but its privacy is compromised.

Eavesdropping over wired & wireless networks

Eavesdropping over wired networks
• Over wired networks, eavesdropping is more difficult.
• The eavesdropper needs to tap the network using a network tap, a hardware device that provides a way to access the data flowing across the network.
• It can't be achieved unless the eavesdropper can physically reach the wire of the network, which is sometimes difficult and at other times impossible.

Eavesdropping over wireless networks
• Easier to achieve (no dangerous compromise needed).
• You need:
  - A computer with a wireless network adapter working in promiscuous mode.
  - To be within the coverage area of the wireless network.
  - One of the software tools that allow eavesdropping over Wi-Fi.
• Wi-Fi: commercial name for the 802.11 products.

What we need to eavesdrop?

1. Hardware tools
• Network adapter supporting promiscuous mode (to intercept and read each network packet, especially those addressed to other network addresses). Ex: Prism 2, 2.5 and 3.
• High-power antennas can be used to intercept wireless traffic from miles away.

2. Software tools
• Any wireless packet sniffer can be used.
• Widely available for sale and even free over the Internet.
• Ex: Network Stumbler, Hitchhiker, Aircrack-ng, Wireshark, Kismet, CommView, Javvin Packet Analyzer, WildPackets, Network Monitor, Wireless Monitor.

Legality of eavesdropping devices
• Be aware of the legal issues before you buy eavesdropping devices.
• It is a crime in most countries to eavesdrop on someone's privacy.
• But because network administrators need to analyze traffic on their networks (debug networks, find illegitimately installed access points), they may need eavesdropping devices.

What makes Wi-Fi susceptible to compromise
• Most of the network adapters used around the world are unsecured and open to unauthorized use.
• Many individuals and businesses don't understand how to secure a wireless network.
• Many Wi-Fi products come ready to use right out of the box.

Securing Wi-Fi Networks?
• The only available way to fight eavesdropping is encryption.
• But even encryption will not prevent the data from being captured in its encrypted form.

How to Secure Wi-Fi Networks?
Simple steps to secure a Wi-Fi network:
1. Change the administrative password on your wireless routers.
2. Install a firewall.
3. Change the default SSID name and turn off SSID broadcasting.
4. Disable DHCP.
5. Replace WEP with WPA.

1. Change the administrative password on your wireless routers.
• Routers come with a default password to provide easy access.
• Changing those passwords is one of the first recommended steps.
• Default passwords are posted on the vendor support sites.

2. Install a firewall.
• A firewall fences your network off from unauthorized access.
• It can help protect your PC by blocking or allowing traffic to your network.

3. Change the default SSID name and turn off SSID broadcasting.
• In Wi-Fi, a service set identifier (SSID) is a code attached to all packets on a wireless network to identify each packet as part of the network.
• Changing the SSID requires wireless client computers to enter the SSID name by hand before they can connect to the network.
• Even so, because the transmitted data packets include the SSID, it may still be discovered.

4. Disable DHCP
• Disable the "Dynamic Host Configuration Protocol".
• Assign IP addresses to the client computers manually to restrict access to the router to specific MAC addresses.

5. Replace WEP with WPA
• WEP ("Wired Equivalent Privacy") is a security protocol that encrypts data transmitted over the wireless computer network to provide security and privacy, and to protect the vulnerable wireless link between clients and access points.
• But WEP is weak and can be cracked in about 3 minutes, as the FBI showed in 2005 using freely accessible tools. WPA ("Wi-Fi Protected Access"), which is more powerful and uses 128-bit encryption keys and dynamic session keys, must replace it to provide strong data protection.

Wi-Fi Special attacks
• The Man-In-The-Middle attack is one of the attacks that can't be applied to wired networks; it is applicable only to Wi-Fi.
• Hackers can configure a rogue AP to imitate a legitimate AP.
• Once the client is connected to the rogue AP, the hacker can perform any attack that involves modifying the packet stream.
• Emails can be read, phishing attacks can be implemented, etc.

How to detect eavesdropping over Wi-Fi
Some Wi-Fi equipment makers have added more security measures, such as:
• Intrusion detection that uses position location technology to detect the presence of a malicious station in order to track down the offending station and remove it.
• A sniffing node detection tool to detect promiscuous nodes. Ex: PromiScan.

Part II: Project presentation

Introduction
• In this project, I simulate an easy, yet important, eavesdropping wireless attack.
• Unsecured wireless sessions can be a target for eavesdropping attackers.
• Serious confidential and personal data can be captured, analyzed and even retransmitted on one's behalf.

Experiment Architecture and Scenarios

Experiment Architecture
[Figure: experiment architecture]
• Victim machine: Toshiba laptop, Windows XP
• Intruder machine: HP laptop, Windows XP, CommView for WiFi
• NetGear wireless router
• Intranet server (Ethernet intranet): Windows Server 2000 (Web, Mail, FTP services)

Experiment Scenarios
The intruder (an upset student) will try to listen to the data flow to/from the victim (his professor) and capture important information about him.
• Spying on HTTP (Web Pages)
• Spying on FTP (Downloading files)
• Spying on SMTP (Emails)

Hosts Installations and Configuration

Configuration of Victim Machine
• Configuring Outlook Express email client
• Toshiba laptop
  - CPU: Centrino 1.7 GHz
  - Memory: 1 GB
  - Hard Disk: 80 GB
  - Operating System: Windows XP Professional
  - IP Address: 192.168.1.2

Configuration of Host Intruder Machine (Laptop)
• Installing CommView for Wi-Fi
• HP laptop
  - CPU: Centrino 1.7 GHz
  - Memory: 512M
  - Hard Disk: 60 GB
  - Operating System: Windows XP Professional
  - IP Address: NO IP ADDRESS
  - CommView for Wi-Fi (packet sniffer and generator)

Configuration of Host Intranet Server
• Installing IIS, SMTP and FTP
• Configuring IIS, SMTP, FTP
• IBM server
  - CPU: Xeon 3.00 GHz
  - Memory: 256 MB
  - Hard Disk: 80 G
  - Operating System: Windows 2000 Advanced Server (Ser)
  - IP Address: 192.168.1.100
  - Application: MS-IIS web server, SMTP Relay service, FTP service.
  - 100 Mbps UTP connection to access point
• Note (for asset limitation): This server is implemented using VMware ver 4.0, a virtual machine application that runs on top of the installed operating system. I had to use it because the installed OS (Windows XP) doesn't support web services (IIS, SMTP, FTP).
• On Windows 2000 Server: Start -> Settings -> Control Panel, Add/Remove Programs, Add/Remove Windows Components. Check the checkbox of IIS services.
• For the HTML, add the file called default.htm to the folder c:\inetpub\wwwroot.
• For SMTP, configure the mail server domain name: Start -> Programs -> Administrative Tools -> Internet Services Manager. Click on SMTP.
• Right-click on domain. Click Add new domain and type uwindsor.ca.
• FTP needs no configuration. Just add some files to the ftproot folder. These files will be downloaded by clients.

Configuration of Access point Router
• SSID, IP address, DHCP service, Channel ID
• Brand Name: Netgear 54 wireless router XG614v7
• SSID name: Stay Away
• Channel ID: 2
• 4 ports UTP switch (Intranet server is connected via)
• Operating System: Windows 2000 Advanced Server (Ser)
• IP Address: 192.168.1.1
• Acts as a router between the wireless network and the intranet network as shown in figure 1
• Configure the Netgear router using a web browser by typing http://192.168.1.1
• Type the name in the SSID name field.
• In the channel field, select the channel.
• Make sure the security field is "none".
• Configure the IP address and the DHCP of the AP.

Tuning CommView sniffer for experiment
• Start CommView for Wi-Fi, click on the File menu, then select Start Capture.
• Configure the channel number to limit the search.
• Configure IP aliases to simplify the analysis of the captured packets by showing the alias name instead of the IP address.
• Click on Settings -> IP aliases and type in the IP address of each host involved in the scenario.

Configuring CommView Rules (Filters)
• Click on the Rules tab.
• Enable IP address rules.
• Check the Capture option and check the Both option.
• Type the IP addresses of all the hosts.
• My scenario is to capture certain packets, so tell the sniffer to sniff only the following set of protocols:
  - TCP port 80 for HTTP
  - TCP ports 20, 21 for FTP
  - TCP port 25 for SMTP (mail)

Conducting the Experiment

Start Eavesdropping
• Start CommView by clicking on File --> Start Capture.
• From the scanning window, click on Start Scanning.

Spying on HTTP (Web Pages)
• In this attack the intruder will spy on the victim's HTTP traffic.
• The victim is accessing a web server and reading a specific important confidential page from his corporate web server.
• The victim will type the website name in the web browser (here it is the IP address 192.168.1.100).
• After the previous step, the CommView Packets tab shows that 45 packets have been captured.
• To make it easier for the intruder to actually see what the victim was watching, the intruder can reconstruct the HTTP session and view it as a web page, with some format limitations.
• To do this, the intruder can simply right-click on any HTTP packet and select "Reconstruct TCP session".
• CommView was even able to show images transferred during the HTTP session.

Spying on FTP (Downloading files)
• The victim will connect to an FTP server to download an important confidential file.
• The victim will do the following steps: from the command prompt, the victim will connect to the FTP server, entering the administrator account and password, and then download a configuration file called rules.txt.
• This screen is from the victim's laptop.
• The intruder was able to capture the whole session in 67 packets.
• The username and password were captured.
• All the commands issued by the victim were gathered, as well as a copy of the downloaded text file.

Spying on SMTP (Emails)
• The victim, using his Outlook Express, sends a confidential email to Dr. Aggarwal.
• CommView captured the email, the sender, the receiver and the subject.

• This whole experiment happened over a non-secure network.
• I conducted the same detailed experiment but over a secure network using WEP security, and the results were the same as over a non-secure network.
• But when I conducted the same experiment over a secure network using WPA security, the laptop using the sniffer couldn't even connect to the network.

IDS PromiScan 3.0
• The intrusion detection system that can detect promiscuous sniffing nodes (eavesdropping) is called PromiScan.
• But due to its high price, $500, I couldn't use it.
• The free trial version of that software has many limitations (special IP address range), and I actually spent more than 10 hours trying it but without any results.

References
[1] M. Domenico, A. Calandriello, G. Calandriello and A. Lioy. Dependability in Wireless Networks: Can We Rely on WiFi? IEEE Security and Privacy, 5(1):23-29, 2007.
[2] www.london-wifi.com
[3] www.wlantenna.com/wlantenna.htm
[4] http://www.tscmvideo.com/eavesdropping/eavesdropping-device.html
[5] LucidLink, the network security products company, WiFiTheft.com, wifi.weblogsinc.com, WarDriving.com, Wigle.net, www.intelligentedu.com
[6] Wikipedia encyclopedia. Eavesdropping on Wi-Fi, chapter 6 page 122
[7] http://www.sciam.com/article.cfm
[8] A. Nicholson and B. Noble. Automatic Network Management for Mobile Devices. In Proc. Seventh IEEE Workshop on Mobile Computing Systems & Applications, IEEE Computer Society, pages 47–47, 2006.
[9] Eavesdropping on Wi-Fi, chapter 6 page 122
[10] The experiment Scenario figure, Eavesdropping project.
[11] www.securityfriday.com/products/promiscan.html

Questions in the lab
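
Added example (not part of the original presentation): the FTP and SMTP results in the experiment come from protocols that send their control data unencrypted, so a defender can audit a capture of their own network for exactly the fields listed above. The streams, addresses, password and function names below are constructed for illustration; only the port numbers and rules.txt come from the slides.

```python
import re

# Constructed sample data (not from the original capture): the client side of
# an FTP control session and of an SMTP session, as a capture tool exports
# them after TCP reassembly. Hostnames, addresses and the password are made up.
FTP_STREAM = ("USER administrator\r\nPASS example-password\r\nTYPE A\r\n"
              "PORT 192,168,1,2,4,10\r\nRETR rules.txt\r\nQUIT\r\n")
SMTP_STREAM = ("HELO victim-laptop\r\nMAIL FROM:<sender@example.test>\r\n"
               "RCPT TO:<recipient@example.test>\r\nDATA\r\n"
               "Subject: Confidential report\r\n\r\nbody text\r\n.\r\nQUIT\r\n")

def redact(secret):
    """Report that a secret was exposed without copying it into the report."""
    return "<redacted, %d chars>" % len(secret)

def audit_ftp(stream):
    """Return the fields an FTP control channel sends in the clear."""
    findings = []
    for line in stream.splitlines():
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            findings.append(("ftp", "username", arg))
        elif verb == "PASS":
            findings.append(("ftp", "password", redact(arg)))
        elif verb in ("RETR", "STOR"):
            findings.append(("ftp", "file", arg))
    return findings

def audit_smtp(stream):
    """Return envelope addresses and the Subject header of an SMTP session."""
    findings, in_headers = [], False
    for line in stream.splitlines():
        if in_headers:
            if line == "":          # blank line ends the message headers
                break
            if line.lower().startswith("subject:"):
                findings.append(("smtp", "subject", line.split(":", 1)[1].strip()))
            continue
        m = re.match(r"(MAIL FROM|RCPT TO):\s*<([^>]*)>", line, re.I)
        if m:
            role = "sender" if m.group(1).upper() == "MAIL FROM" else "recipient"
            findings.append(("smtp", role, m.group(2)))
        elif line.upper() == "DATA":
            in_headers = True
    return findings

# Destination ports taken from the capture rules on this page (21 FTP, 25 SMTP).
AUDITORS = {21: audit_ftp, 25: audit_smtp}

def audit_capture(flows):
    """flows: list of (destination_port, client_stream) from your own capture."""
    return [f for port, s in flows if port in AUDITORS for f in AUDITORS[port](s)]

if __name__ == "__main__":
    for finding in audit_capture([(21, FTP_STREAM), (25, SMTP_STREAM)]):
        print(finding)
```

Every finding the audit returns is a field that any station within radio range can read when the network uses no encryption, which is the result the experiment reports.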