Wireless Security, Wardriving, and
Detecting Rogue Access Points Using Kismet Wireless Scanner
By: Lance Howell
Wireless Security
•WEP (Wired Equivalent Privacy)
•WPA (Wi-Fi Protected Access)
•WPA2 (Wi-Fi Protected Access version 2)
Weaknesses in WEP
•Found on older equipment and devices
•No key management: a single shared key that has to be distributed and changed by hand
•The Initialization Vector (IV) is too short (24 bits) and is sent in clear text
•IVs repeat: the IV space is exhausted quickly on a busy network and some drivers reset it to zero, so RC4 keystreams get reused
•No cryptographic integrity protection: the ICV is a plain CRC-32, which is linear, so an attacker can flip bits in an encrypted frame and patch the checksum without knowing the key
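The last two weaknesses are easiest to see on a toy model of WEP. The following is an added example, not from the slides or from Kismet: it implements RC4 plus the CRC-32 ICV on a 24-bit IV, then shows that two frames sent under the same IV leak the XOR of their plaintexts, and that an attacker can change the plaintext of an encrypted frame and keep the ICV valid without knowing the key. The key, IV and payloads are constructed data; the 40-bit key length matches original WEP, but any values would do.

```python
"""Toy model of WEP frame protection: RC4 keystream + CRC-32 ICV.

Added example, not from the slides or from Kismet. The key, IV and payloads
used below are constructed data; nothing here talks to a radio.
"""
import zlib
from typing import Tuple

IV_LEN = 3    # 24-bit IV, sent in clear: only 2**24 (~16.7 million) values before it repeats
ICV_LEN = 4   # CRC-32 appended to the plaintext and encrypted together with it


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP ICV: CRC-32 of the plaintext, little-endian. No secret is involved."""
    return zlib.crc32(data).to_bytes(ICV_LEN, "little")


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = iv || RC4(iv || key) XOR (plaintext || ICV(plaintext))."""
    if len(iv) != IV_LEN:
        raise ValueError("WEP IV must be 3 bytes")
    body = plaintext + icv(plaintext)
    return iv + xor(rc4(iv + shared_key, len(body)), body)


def wep_decrypt(shared_key: bytes, frame: bytes) -> Tuple[bytes, bool]:
    """Strip the clear-text IV, decrypt, and report whether the ICV verifies."""
    iv, ct = frame[:IV_LEN], frame[IV_LEN:]
    body = xor(rc4(iv + shared_key, len(ct)), ct)
    pt, tag = body[:-ICV_LEN], body[-ICV_LEN:]
    return pt, tag == icv(pt)


def keystream_reuse(shared_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Weakness 1: two frames under the same IV share one keystream, so XORing the
    two ciphertexts cancels it and yields p1 XOR p2 with no knowledge of the key."""
    c1 = wep_encrypt(shared_key, iv, p1)[IV_LEN:]
    c2 = wep_encrypt(shared_key, iv, p2)[IV_LEN:]
    return xor(c1, c2)[:min(len(p1), len(p2))]


def bitflip(frame: bytes, delta: bytes) -> bytes:
    """Weakness 2: CRC-32 is affine over XOR, crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0..0),
    so an attacker holding only the frame can XOR `delta` into the encrypted payload
    and patch the encrypted ICV so that it still verifies on receipt."""
    iv, ct = frame[:IV_LEN], frame[IV_LEN:]
    if len(delta) != len(ct) - ICV_LEN:
        raise ValueError("delta must be as long as the plaintext")
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return iv + xor(ct, delta + icv_delta)


if __name__ == "__main__":
    KEY = bytes.fromhex("0102030405")         # constructed 40-bit shared key
    IV = bytes.fromhex("000001")              # constructed IV, reused for both frames
    p1, p2 = b"attack at dawn", b"defend at dusk"
    assert keystream_reuse(KEY, IV, p1, p2) == xor(p1, p2)
    original = b"PAY 0100 TO BOB"
    forged = bitflip(wep_encrypt(KEY, IV, original), xor(original, b"PAY 9999 TO EVE"))
    print(wep_decrypt(KEY, forged))           # (b'PAY 9999 TO EVE', True)
```

The forged frame decrypts with a valid ICV because CRC-32 has no key in it and the keystream hides nothing about the position of the bytes being changed; WPA's Michael MIC and WPA2's CCMP tag are keyed, which is why the same trick fails against them.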
Reconnaissance
•First popular software: NetStumbler
▫Windows
▫Mac
▫No Linux-based version
•Kismet
▫Popular with professionals
▫Linux version
▫Windows version called Kiswin v0.1, last updated 2005
Reconnaissance continued
•Use the software to listen to traffic
•Access Points (APs) broadcast:
▫SSID
▫Encryption status
▫Whether the SSID is broadcast or cloaked
▫AP information
▫GPS position (recorded by the scanner alongside the AP)
•Map locations
Sniffing
•Passive and undetectable by Intrusion Detection Systems (IDS)
•Attackers can identify additional resources that can be compromised
•Authentication types in use are visible to the sniffer
•Use of Virtual Private Networks (VPN), Secure Sockets Layer (SSL), and Secure Shell (SSH) helps protect against wireless interception
Spoofing and Unauthorized Access
•Due to the TCP/IP design, there is little that can be done to prevent Media Access Control/IP (MAC/IP) address spoofing
•Static definition of MAC address tables can help prevent this attack
•Staff must be diligent about logging and monitoring those logs so that spoofing attacks can be identified and addressed
Introduction to Kismet
•Console-based wireless analysis tool
•Passive; captures traffic from wireless cards in monitor mode
•Observes activity from all networks within range
•Wardriving tool of choice
•Wardriving (passive listening, no connecting) is generally legal; using a network without authorization is not
•Included in BackTrack 4, ready to run and use
Objectives of Kismet
•Locate and identify AP(s)
▫BSSID, ESSID, channel and encryption
▫GPS data
▫And more…
•Locate and identify client(s)
▫MAC address
▫Manufacturer
•Spectrum analysis
•Drones / open-source WIPS
Log Files
Type of file: description
•Dump: a raw packet dump that can be opened in Wireshark or other packet analyzers.
•Network: a text file listing the networks that have been detected.
•CSV: a comma-separated listing of networks detected.
•XML: an eXtensible Markup Language (XML) formatted log of networks detected. This is useful for importing into other applications.
•Weak: the weak Initialization Vector (IV) packets detected, in AirSnort format.
•Cisco: a log of Cisco Discovery Protocol (CDP) broadcasts produced by Cisco equipment.
•GPS: the log of GPS coordinates of access points detected.
Netxml Logging File
•Can be imported into Excel for post-processing analysis
▫Rename to ".xml", select "read-only workbook" when opening
▫Requires Internet access to download the Kismet DTD file
•Allows you to graph results and add details for additional analysis
Startup
•Kismet will prompt to start the Kismet Server at startup
•Once the Kismet server has started, you will be prompted for the first packet source
Kismet Sources
•Specify the available wireless interface as a packet source: "wlan0", "wlan1", etc.
•Kismet will identify the needed information and place the interface in passive capture (monitor) mode
•Add as many sources as you want from Kismet > Add Source
•Can also specify libpcap wireless packet capture files as sources
Plugins
•Plugin architecture to extend functionality
•Distributed with Kismet: Aircrack-PTW, Spectools
•Third-party: DECT wireless sniffing
•Kismet Plugins menu
▫Status of plugins, version information
▫Enable or disable UI plugins
▫See list of Kismet Server plugins
Extending Kismet
•Device manufacturer name
▫Kismet relies on Wireshark's "manuf" file (OUI to vendor mapping) to identify manufacturers
▫The file can be rebuilt with the make-manuf script (not distributed with BT4); run the following from one working directory:
# wget http://anonsvn.wireshark.org/wireshark/trunk/wka.tmpl
# wget http://anonsvn.wireshark.org/wireshark/trunk/manuf.tmpl
# wget http://anonsvn.wireshark.org/wireshark/trunk/make-manuf
# perl make-manuf
# mv manuf /usr/share/wireshark
GISKismet
•Building visual representations of Kismet data
•Correlate information in a database
•Graphically represent information
•Filter out non-useful information
GISKismet Filters
•Input filters
▫AP configuration data
▫Query filters on any information: AP configuration, client information, GPS coordinate(s)
•Filter input
▫Insert all AP(s) on channel 6 named Linksys
•Filter output
▫Output all AP(s) without encryption
Tips on Protecting the Network
•Use an external authentication source
▫RADIUS
▫SecurID
•Mitigate MAC spoofing: use an authenticated, encrypted connection for all host services accessed over the network, so that a spoofed address alone grants nothing
▫SSH
▫SSL
•Use a dynamic firewall
System Administrators
•Complaint: poor performance on the wireless network
•Things to observe:
▫What AP are the clients connecting to?
▫Are all APs properly configured?
▫Lots of retries, indicating poor connections or noise
▫Lots of missed beacons, indicating noise or faulty APs
▫What channels are being utilized?
Kismet main screen (annotated screenshot): Signal and Noise/Channel; Packet Rate (real time); Data Frames (cumulative); Networks Count (yellow is historic, green is currently active); Detail View (scroll with arrow keys)
Auditors
•Are the networks configured per specification?
▫SSID cloaking enabled/disabled?
▫Appropriate encryption and authentication settings?
▫Are there unencrypted networks (when there shouldn't be)?
•Kismet walkthrough while channel hopping, then post-processing analysis
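The post-processing step behind the Netxml log section, the GISKismet filters ("all APs on channel 6 named Linksys", "all APs without encryption") and the auditor checklist above can be done with a short script over the .netxml log. The following is an added example, not from the slides or from Kismet/GISKismet: SAMPLE_NETXML is constructed data in the layout of a Kismet-newcore .netxml log, reduced to the elements the script reads (real logs carry many more fields and a DOCTYPE), and the corporate ESSID, authorized BSSID inventory and cloaking policy are assumptions standing in for a site's own specification. The encryption strings ("None", "WEP", "WPA+PSK", "WPA+TKIP", "WPA+AES-CCM") follow what Kismet writes, but check them against your own logs.

```python
"""Post-processing a Kismet .netxml log for rogue-AP and configuration audits.

Added example, not from the slides or from Kismet/GISKismet. SAMPLE_NETXML is
constructed data; the inventory and policy constants are assumptions.
"""
import xml.etree.ElementTree as ET
from typing import FrozenSet, List, NamedTuple, Set

SAMPLE_NETXML = """
<detection-run kismet-version="2009.newcore.1" start-time="Sat Jan  1 10:00:00 2011">
 <wireless-network number="1" type="infrastructure">
  <SSID><type>Beacon</type><encryption>WPA+PSK</encryption><encryption>WPA+AES-CCM</encryption>
   <essid cloaked="false">CorpWiFi</essid></SSID>
  <BSSID>00:11:22:AA:BB:01</BSSID><manuf>Cisco</manuf><channel>6</channel>
 </wireless-network>
 <wireless-network number="2" type="infrastructure">
  <SSID><type>Beacon</type><encryption>WPA+PSK</encryption><encryption>WPA+TKIP</encryption>
   <essid cloaked="true"></essid></SSID>
  <BSSID>00:11:22:AA:BB:02</BSSID><manuf>Cisco</manuf><channel>11</channel>
 </wireless-network>
 <wireless-network number="3" type="infrastructure">
  <SSID><type>Beacon</type><encryption>None</encryption>
   <essid cloaked="false">linksys</essid></SSID>
  <BSSID>00:1E:E5:12:34:56</BSSID><manuf>Cisco-Li</manuf><channel>6</channel>
 </wireless-network>
 <wireless-network number="4" type="infrastructure">
  <SSID><type>Beacon</type><encryption>WPA+PSK</encryption><encryption>WPA+AES-CCM</encryption>
   <essid cloaked="false">CorpWiFi</essid></SSID>
  <BSSID>00:0C:F1:DE:AD:01</BSSID><manuf>Intel</manuf><channel>1</channel>
 </wireless-network>
 <wireless-network number="5" type="probe">
  <SSID><type>Probe Request</type><encryption>None</encryption><essid cloaked="false">CorpWiFi</essid></SSID>
  <BSSID>00:00:00:00:00:00</BSSID><manuf>Unknown</manuf><channel>0</channel>
 </wireless-network>
</detection-run>
"""

# Assumed site specification (stand-ins, not from the slides).
CORP_ESSID = "CorpWiFi"
AUTHORIZED_BSSIDS: Set[str] = {"00:11:22:AA:BB:01", "00:11:22:AA:BB:02"}
CLOAKING_REQUIRED = False      # spec: SSID cloaking disabled


class Network(NamedTuple):
    bssid: str
    essid: str
    cloaked: bool
    channel: int
    encryption: FrozenSet[str]
    manuf: str


class Finding(NamedTuple):
    bssid: str
    essid: str
    code: str     # ROGUE, UNKNOWN, OPEN, WEAK or POLICY
    detail: str


def parse_netxml(text: str) -> List[Network]:
    """One Network per infrastructure <wireless-network>; probe and ad-hoc entries are skipped."""
    nets = []
    for wn in ET.fromstring(text).iter("wireless-network"):
        if wn.get("type") != "infrastructure":
            continue
        ssid = wn.find("SSID")
        essid_el = ssid.find("essid") if ssid is not None else None
        enc = frozenset((e.text or "").strip() for e in ssid.iter("encryption")) if ssid is not None else frozenset()
        nets.append(Network(
            bssid=wn.findtext("BSSID", "").strip().upper(),
            essid=(essid_el.text or "").strip() if essid_el is not None else "",
            cloaked=essid_el is not None and essid_el.get("cloaked") == "true",
            channel=int(wn.findtext("channel", "0")),
            encryption=enc,
            manuf=wn.findtext("manuf", "").strip()))
    return nets


def select(nets: List[Network], **criteria) -> List[Network]:
    """Query filter in the spirit of the GISKismet filters, e.g. select(nets, channel=6, essid="linksys")."""
    return [n for n in nets if all(getattr(n, k) == v for k, v in criteria.items())]


def audit(nets: List[Network], authorized: Set[str] = AUTHORIZED_BSSIDS,
          corp_essid: str = CORP_ESSID, cloaking_required: bool = CLOAKING_REQUIRED) -> List[Finding]:
    """Check every detected AP against the asset inventory and the configuration spec."""
    findings = []
    for n in nets:
        if n.bssid not in authorized:            # inventory check: rogue or just a neighbour?
            if n.essid == corp_essid:
                findings.append(Finding(n.bssid, n.essid, "ROGUE", "unknown BSSID advertising the corporate ESSID (evil twin?)"))
            else:
                findings.append(Finding(n.bssid, n.essid, "UNKNOWN", "AP not in inventory; neighbour or rogue, verify physically"))
        if not n.encryption or "None" in n.encryption:   # encryption checks apply to every AP seen
            findings.append(Finding(n.bssid, n.essid, "OPEN", "no encryption"))
        elif "WEP" in n.encryption:
            findings.append(Finding(n.bssid, n.essid, "WEAK", "WEP"))
        elif "WPA+TKIP" in n.encryption:
            findings.append(Finding(n.bssid, n.essid, "WEAK", "TKIP negotiable: " + ", ".join(sorted(n.encryption))))
        if n.bssid in authorized:                # per-spec checks only make sense for our own APs
            if n.cloaked != cloaking_required:
                findings.append(Finding(n.bssid, n.essid, "POLICY", "SSID cloaking " + ("enabled" if n.cloaked else "disabled") + ", spec says otherwise"))
            if not n.cloaked and n.essid != corp_essid:
                findings.append(Finding(n.bssid, n.essid, "POLICY", "inventoried AP advertising unexpected ESSID"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_netxml(SAMPLE_NETXML)):
        print(f"{f.code:8} {f.bssid}  {f.essid or '<cloaked>':10} {f.detail}")
```

On the sample, the inventoried AP on channel 6 produces no findings, the cloaked inventoried AP is flagged for TKIP and for violating the cloaking policy, the open "linksys" AP is flagged as unknown and unencrypted, and the Intel-OUI device beaconing CorpWiFi is the rogue. Run it over a real .netxml log by replacing SAMPLE_NETXML with the file contents; because the BSSID comparison is the whole inventory check, keep the authorized list current, and treat UNKNOWN findings as a queue for physical verification rather than as rogues by themselves.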