War driving, war walking, war spying, and war chalking
How Wi-Fi networks are hacked and how to assess Wi-Fi networks
CONTACTS
- Michael Gough – CISSP, CISA, VP ISSA Austin
  - Senior Risk Analyst - Comptroller of Public Accounts
  - Author – ‘SkypeMe!’ and ‘Video Conferencing over IP’ by Syngress Press
  - Contributor to the Center for Internet Security Benchmarks
March 2, 2010
WI-FI IS EVERYWHERE
HOW TRUE…
WHY WE SHOULD CARE
- 2005: TJX – 45 million credit card numbers stolen – could be as high as 200 million
  - $33 million in losses from gift cards
  - Largest loss ever from exploited wireless – estimated at $1 billion
- 2003: Lowe’s wireless cracked
  - FBI tracked
  - Credit card system software replaced with hacked version
THERE IS HOPE
- A much smaller percentage of hacks targeted routers, switches, and other network devices. 2008 saw only a single instance in which a wireless network was exploited across our entire caseload. (Verizon Business - 2009 Data Breach Investigations Report)
SIDEJACKING
WAR WALKING EQUIPMENT
BRINGING THE “WAR” TO WAR DRIVING
HOW FAR AWAY???
- Wi-Fi Bouncing
  - Having trouble accessing that corporate network due to their new Wi-Fi-proof wallpaper? Try a Wi-Fi attack droid. Some clever hackers at the Shmoo Group made a device using a Sharp Zaurus, a 100 milliwatt Senao wireless card, and some wires that fit into a tissue box (or another similarly-sized innocuous object). The idea is that you surreptitiously drop this thing off in an area with a Wi-Fi network that you can’t access and it sends a 900 MHz signal via a serial port transceiver to pass on the network. With a good antenna this means you can get online from as far as 40 miles away, though with the antenna shown you should be able to get about a mile or so of sneaky wireless access. A lithium battery should power this thing for up to four hours or so.
BLUETOOTH
- Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection. Bluetooth is a high-speed but very short-range wireless technology for exchanging data between desktop and mobile computers, personal digital assistants (PDAs), and other devices. By exploiting a vulnerability in the way Bluetooth is implemented on a mobile phone, an attacker can access information -- such as the user's calendar, contact list and e-mail and text messages -- without leaving any evidence of the attack. Other devices that use Bluetooth, such as laptop computers, may also be vulnerable, although to a lesser extent, by virtue of their more complex systems. Operating in invisible mode protects some devices, but others are vulnerable as long as Bluetooth is enabled.
BLUETOOTH
- According to a ZDNet UK article, attackers are exploiting a problem with some implementations of the object exchange (OBEX) protocol, which is commonly used to exchange information between wireless devices. An attacker can synchronize with the victim's device (this is known as pairing) and gain access to any information or service available to the legitimate user. The article claims that bluesnarfing tools are widely available on the Internet, along with information about how to use them.
- So what is the record distance for Bluesnarfing?
- Lasco.A Bluetooth virus (Nokia Series 60 running Symbian) – spreads via file attachments, games, files etc…
- Paris Hilton’s phone contacts stolen
- TOOLS:
  - Bluescanner
  - BTCrack
  - The Real BlueJack
  - T-Bear
WAR SPYING?
- Well we focus on wireless networks…
- What about wireless cameras?
- If you can see data on wireless networks
- Can you see video on wireless cameras?
- Let’s take a look!
WAR SPYING?
- Everyone knows about the famous little X-10 video cameras that we are bombarded with while surfing the net…

- Step 1 – Reconnaissance
  - Detect wireless networks using:
    - Airsnort, NetStumbler, or Aerosol
    - Identify APs’ SSIDs without WEP enabled
- Step 2 – Configure client
  - Configure wireless client to match discovered SSID
- Step 3 – Check IP address
  - See if DHCP hands out an IP address
- Step 4 – Check for Internet access
  - Open browser to see if the Internet can be accessed
- Step 5 – Scan for other clients
  - Run port scanner (Nmap) to find other clients that may be hacked for information on wireless network
WAR DRIVER GONE WILD
EQUIPMENT NEEDED TO BE A WI-FI FREELOADER
- Windows laptop
  - AirMagnet – clearly the best commercial solution
  - Orinoco wireless card
  - NetStumbler, ApSniff, Wlan-Expert, Aerosol software
  - AirSnare – IDS
- Prism 2 wireless card
- USB wireless card
- Cantenna and wireless MMCX to N-type cable
- An access point for rogue data collection
- Ferret and Hamster for SideJacking
- BackTrack 4 – CD/DVD
  - 802.11 packet capture program
  - Aireplay: 802.11 packet injection program
  - Aircrack: static WEP and WPA-PSK key cracker
  - Airdecap: decrypts WEP/WPA capture files
EQUIPMENT NEEDED TO BE A WI-FI FREELOADER
- Handheld device
  - Orinoco wireless card
  - Ministumbler
  - Pocket Warrior
  - AirScanner
  - Wi-FiFoFum – PocketPC Windows Mobile (iPAQ)
  - AirMagnet – Commercial $3K
  - Lots of options for iPhone and Android OS
  - No 802.11a on a handheld – against the spec
IPHONE
- TOOLS:
  - Wi-Finder
  - JiWire Wi-Fi Finder
  - And many more….

Sniffers can see all clear text usernames, passwords and data that pass across the wireless network to gain more information.

Messaging
- Standard sniffers can see all data in all packets that are not encrypted, not just usernames and passwords.
  - Read your email
  - Web content
  - Web based email
SAMPLE WINSNIFFER
SideJacking of course…
WI-FI ASSESSMENT CHECKLISTS
- SANS:
  - Wireless Device Control (Critical Control 14)
    - http://www.sans.org/critical-security-controls/control.php?id=14
  - Residential Wireless Audit Checklist
    - http://www.sans.org/score/wirelesschecklist.php
- DISA - IASE:
  - Wireless STIG (Security Technical Implementation Guides)
    - http://iase.disa.mil/stigs/stig/index.html
- US DoJ:
  - Wireless LAN Security Checklist
    - http://www.justice.gov/ust/eo/private_trustee/library/chapter13/docs/Wireless_Security_Checklist.pdf
- ISO 27001:
  - ISO 27001 Wireless LAN Security Checklist
    - http://www.smashingpasswords.com/files/wireless-lan-securitychecklist.pdf
- CIS:
  - Wireless Benchmark and Assessment Articles
    - http://cisecurity.org/enus/?route=downloads.browse.category.benchmarks.network.wireless
WI-FI WEBSITES – TOOLS AND INFO
- http://www.corecom.com/html/wlan_tools.html – List of tools
- www.wardriving.net – Good info
- http://sectools.org/wireless.html – Top 5 Wi-Fi tools
- www.dis.org/filez/ – Peter Shipley war driving site
- www.wigle.net – Upload readings from wireless tools – Mapping
- www.networkintrusion.co.uk/wireless.htm – List of wireless tools
- www.freeantennas.com – Lots of easy to build antennas
- Wi-Fi locators, T-Mobile hotspots, Boingo hotspots
SSL OR HTTPS
- Using ARP poisoning, hackers are able to place themselves in the middle of an SSL session over wireless using Ettercap or other tools. This results in the hacker holding the actual SSL session and relaying the information to the user, thus being able to see all that the user sees. Remember it is estimated that 95% of Wi-Fi usage is unencrypted!
LOGON HTTP BY DEFAULT
INFO GATHERING DECOY ACCESS POINT
- Decoy access point set to your company SSID
- The signal overlaps into your company
- Your wireless users connect to the rogue access point and attempt logon or use of company assets
- Hacker sniffs the traffic to gain information like:
  - Usernames
  - Passwords
  - MAC addresses
  - WEP key
  - General data
  - System information
(Diagram: “Your Company” next to the decoy access point, “DAP”)
EVIL TWINS – “SOFT AP’S”
- Access points that mimic a real access point in order to steal information.
- Secure Wi-Fi is not susceptible to this threat as the decoy keys will not match
SO HOW DO YOU DETECT ROGUE USERS?
- Use automated wireless detection solution
- Define what is normal and detect anomalies
- Follow up with manual assessments
- Issue wireless cards to consultants and guests
- Create incident response plan to shut down or investigate violations
- Rotate keys 30 days or less
- NAC
  - First find all trusted MAC addresses
- Dual Wi-Fi networks
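An added example, not from the slides, that turns "define what is normal and detect anomalies" and "first find all trusted MAC addresses" into a baseline check over wireless scanner output, flagging the decoy access point and evil twin cases from the earlier slides. The scanner record layout, the CorpNet SSID, every BSSID and client MAC, and the trusted inventories are constructed for the example.

```python
# Added example (not from the slides); scanner layout and all MAC/SSID values are constructed.
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Observation:
    """One row of a wireless scanner export: AP MAC, SSID, security mode, associated station."""
    bssid: str
    ssid: str
    encryption: str   # e.g. "OPEN", "WEP", "WPA2-PSK"
    client: str = ""  # station MAC seen associated with this AP, if any

def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so baseline and scan entries compare equal."""
    digits = mac.replace(":", "").replace("-", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_anomalies(observations: List[Observation], company_ssid: str,
                   trusted_bssids: Set[str], trusted_clients: Set[str],
                   required_encryption: str) -> List[Tuple[str, str, str]]:
    """Return (finding, bssid, detail) for each observation that breaks the baseline."""
    aps = {normalize_mac(b) for b in trusted_bssids}
    stations = {normalize_mac(c) for c in trusted_clients}
    findings = []
    for obs in observations:
        bssid = normalize_mac(obs.bssid)
        if obs.ssid == company_ssid and bssid not in aps:
            # Our SSID beaconed from hardware we do not own: decoy AP / evil twin.
            findings.append(("DECOY_AP", bssid, f"ssid={obs.ssid} enc={obs.encryption}"))
        elif bssid in aps and obs.encryption != required_encryption:
            # Our BSSID with the wrong security mode: misconfiguration or a cloned BSSID.
            findings.append(("ENCRYPTION_MISMATCH", bssid,
                             f"expected {required_encryption}, saw {obs.encryption}"))
        if obs.client and obs.ssid == company_ssid:
            client = normalize_mac(obs.client)
            if client not in stations:
                # Station on our SSID whose MAC is not in the issued-card inventory.
                findings.append(("UNKNOWN_CLIENT", bssid, f"client={client}"))
    return sorted(findings)

# Constructed sample scan: two legitimate APs, an open decoy beaconing our SSID,
# an open AP cloning a corporate BSSID, and a station we never issued a card to.
SAMPLE_SCAN = [
    Observation("00:11:22:AA:BB:01", "CorpNet", "WPA2-PSK", "d4:3d:7e:00:00:01"),
    Observation("00:11:22:AA:BB:02", "CorpNet", "WPA2-PSK"),
    Observation("02:DE:AD:BE:EF:00", "CorpNet", "OPEN", "d4:3d:7e:00:00:09"),
    Observation("00-11-22-aa-bb-02", "CorpNet", "OPEN"),
    Observation("06:C0:FF:EE:00:01", "CoffeeShop", "OPEN"),
]

def run_sample() -> List[Tuple[str, str, str]]:
    return find_anomalies(SAMPLE_SCAN, "CorpNet", {"00:11:22:AA:BB:01", "00:11:22:AA:BB:02"},
                          {"D4:3D:7E:00:00:01"}, "WPA2-PSK")
```

The unrelated open CoffeeShop network produces no finding, which keeps the output focused on what an incident response plan would actually act on.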