ISACA Wireless Hacking 2009

Published on January 2017

March 2, 2010

WIRELESS HACKING & ASSESSMENT

War driving, war walking, war spying, and war chalking

How Wi-Fi networks are hacked and how to assess Wi-Fi networks

CONTACTS

Michael Gough – CISSP, CISA, VP ISSA Austin
- Senior Risk Analyst – Comptroller of Public Accounts
- Author – ‘SkypeMe!’ and ‘Video Conferencing over IP’ by Syngress Press
- Contributor to the Center for Internet Security Benchmarks

WI-FI IS EVERYWHERE

HOW TRUE…

WHY WE SHOULD CARE

2005
- TJX – 45 million credit card numbers stolen – could be as high as 200 million
- $33 million in losses from gift cards
- Largest loss ever from exploited wireless – estimated at $1 billion

2003
- Lowe’s wireless cracked
- FBI tracked
- Credit card system software replaced with hacked version

THERE IS HOPE

“A much smaller percentage of hacks targeted routers, switches, and other network devices. 2008 saw only a single instance in which a wireless network was exploited across our entire caseload.” (Verizon Business – 2009 Data Breach Investigations Report)

SIDEJACKING

WAR WALKING EQUIPMENT

BRINGING THE “WAR” TO WAR DRIVING

HOW FAR AWAY ???

Wi-Fi Bouncing

“Having trouble accessing that corporate network due to their new Wi-Fi-proof wallpaper? Try a Wi-Fi attack droid. Some clever hackers at the Shmoo Group made a device using a Sharp Zaurus, a 100 milliwatt Sanio wireless card, and some wires that fit into a tissue box (or another similarly-sized innocuous object). The idea is that you surreptitiously drop this thing off in an area with a Wi-Fi network that you can’t access and it sends a 900 MHz signal via a serial port transceiver to pass on the network. With a good antenna this means you can get online from as far as 40 miles away, though with the antenna shown you should be able to get about a mile or so of sneaky wireless access. A lithium battery should power this thing for up to four hours or so.”

BLUETOOTH

“Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection. Bluetooth is a high-speed but very short-range wireless technology for exchanging data between desktop and mobile computers, personal digital assistants (PDAs), and other devices. By exploiting a vulnerability in the way Bluetooth is implemented on a mobile phone, an attacker can access information -- such as the user's calendar, contact list and e-mail and text messages -- without leaving any evidence of the attack. Other devices that use Bluetooth, such as laptop computers, may also be vulnerable, although to a lesser extent, by virtue of their more complex systems. Operating in invisible mode protects some devices, but others are vulnerable as long as Bluetooth is enabled.”

BLUETOOTH

“According to a ZDNet UK article, attackers are exploiting a problem with some implementations of the object exchange (OBEX) protocol, which is commonly used to exchange information between wireless devices. An attacker can synchronize with the victim's device (this is known as pairing) and gain access to any information or service available to the legitimate user. The article claims that bluesnarfing tools are widely available on the Internet, along with information about how to use them.”

So what is the record distance for Bluesnarfing ?

- Lasco.A Bluetooth virus (Nokia Series 60 running Symbian) – spreads via file attachments, games, files etc…
- Paris Hilton’s phone contacts stolen

TOOLS:
- Bluescanner
- BTCrack
- The Real BlueJack
- T-Bear

WAR SPYING ?

Well, we focus on wireless networks… What about wireless cameras? If you can see data on wireless networks, can you see video on wireless cameras? Let’s take a look!

Everyone knows about the famous little X-10 video cameras that we are bombarded with while surfing the net…

Internet cameras, aka NannyCams?

What about Google hacks:
- “inurl:view/index.shtml” – finds AXIS cameras
- “inurl:ViewerFrame?Mode=” – finds more webcams
- “inurl:MultiCameraFrame?Mode=”

Also can be wireless…

HOW TO HACK… OR ASSESS WI-FI

HOW WIRELESS GETS HACKED OR USED

Step 1 – Reconnaissance
- Detect wireless networks using Airsnort, NetStumbler, or Aerosol
- Identify APs’ SSIDs without WEP enabled

Step 2 – Configure client
- Configure wireless client to match discovered SSID

Step 3 – Check IP address
- See if DHCP hands out an IP address

Step 4 – Check for Internet access
- Open browser to see if the Internet can be accessed

Step 5 – Scan for other clients
- Run port scanner (Nmap) to find other clients that may be hacked for information on the wireless network

WAR DRIVER GONE WILD

EQUIPMENT NEEDED TO BE A WI-FI FREELOADER

Windows laptop
- Orinoco wireless card
- Prism 2 wireless card
- USB wireless card
- Software: NetStumbler, ApSniff, Wlan-Expert, Aerosol, AirSnare (IDS)
- AirMagnet – clearly the best commercial solution
- Cantenna and wireless MMCX to N type cable
- An access point for rogue data collection
- Ferret and Hamster for SideJacking
- BackTrack 4 CD

EQUIPMENT NEEDED TO BE A WI-FI FREELOADER

Linux laptop
- Prism2 or Orinoco card
- AirSnort software (to crack WEP)
- Aircrack software (to crack WEP)
- WepLab software (to crack WEP)
- dwepcrack software (to crack WEP)
- WepAttack software (to crack WEP)
- Kismet
- AirTraf

EQUIPMENT NEEDED TO BE A WI-FI FREELOADER

Linux laptop
- Airodump: 802.11 packet capture program
- Aireplay: 802.11 packet injection program
- Aircrack: static WEP and WPA-PSK key cracker
- Airdecap: decrypts WEP/WPA capture files

BackTrack 4 – CD/DVD

EQUIPMENT NEEDED TO BE A WI-FI FREELOADER

Handheld device
- Orinoco wireless card
- Ministumbler
- Pocket Warrior
- AirScanner
- Wi-FiFoFum – PocketPC Windows Mobile (iPAQ)
- AirMagnet – commercial, $3K
- Lots of options for iPhone and Android OS
- No 802.11a on a handheld – against the spec

IPHONE

TOOLS:
- Wi-Finder
- JiWire Wi-Fi Finder
- And many more…

MINISTUMBLER – WINDOWS MOBILE

WI-FIFOFUM – WINDOWS MOBILE

NETSTUMBLER SCREEN CAPTURE – DOWNTOWN SACRAMENTO

NETSTUMBLER SCREEN CAPTURE – ARCO ARENA AREA

AIRSNORT SCREEN CAPTURE – SACRAMENTO AREA

KISMET SAMPLE SCANS AND OUTPUT

STEP 2 – CONFIGURE CLIENT

STEP 3 – CHECK IP ADDRESS

STEP 4 – CHECK FOR INTERNET ACCESS

STEP 5 – SCAN FOR OTHER CLIENTS ON THE NET
SO WHAT ELSE CAN I SEE ? WHAT ELSE CAN I DO ?

WinSniffer – passwords
- HTTP
- FTP
- Telnet
- POP3
- ICQ instant messaging
- SMTP
- IMAP
- NNTP

Sniffers can see all clear-text usernames, passwords and data that pass across the wireless network, and use them to gain more information.

Standard sniffers can see all data in all packets that are not encrypted, not just usernames and passwords:
- Read your email
- Web content
- Web-based email

SAMPLE WINSNIFFER

SideJacking, of course…

WI-FI ASSESSMENT CHECKLISTS

SANS:
- Wireless Device Control (Critical Control 14) – http://www.sans.org/critical-security-controls/control.php?id=14
- Residential Wireless Audit Checklist – http://www.sans.org/score/wirelesschecklist.php

DISA – IASE:
- Wireless STIG (Security Technical Implementation Guides) – http://iase.disa.mil/stigs/stig/index.html

US DoJ:
- Wireless LAN Security Checklist – http://www.justice.gov/ust/eo/private_trustee/library/chapter13/docs/Wireless_Security_Checklist.pdf

ISO 27001:
- ISO 27001 Wireless LAN Security Checklist – http://www.smashingpasswords.com/files/wireless-lan-securitychecklist.pdf

CIS:
- Wireless Benchmark and Assessment Articles – http://cisecurity.org/enus/?route=downloads.browse.category.benchmarks.network.wireless

WI-FI WEBSITES – TOOLS AND INFO

- http://www.corecom.com/html/wlan_tools.html – list of tools
- www.wardriving.net – good info
- http://sectools.org/wireless.html – top 5 Wi-Fi tools
- www.dis.org/filez/ – Peter Shipley war driving site
- www.wigle.net – upload readings from wireless tools – mapping
- www.networkintrusion.co.uk/wireless.htm – list of wireless tools
- www.freeantennas.com – lots of easy-to-build antennas

Hot spots
- www.Wi-Finder.com – Wi-Fi locator
- www.wi-find.com – Wi-Fi locator
- www.Wi-Fifreespot.com/ – Wi-Fi locator
- www.jiwire.com/ – Wi-Fi locator
- www.surfandsip.com/location_all.htm – Wi-Fi locator
- https://selfcare.hotspot.t-mobile.com – T-Mobile hotspots
- www.boingo.com – Boingo hotspots

SSL OR HTTPS

Using ARP poisoning, hackers are able to place themselves in the middle of an SSL session using Ettercap or other tools over wireless. This results in the hacker having the actual SSL certificate and relaying the information to the user, thus being able to see all that the user sees. Remember, it is estimated that 95% of Wi-Fi usage is unencrypted!
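A defender-side counterpart to the ARP-poisoning slide above, added here as an example and not part of the original deck: a passive check over logged ARP replies that flags a gateway IP claimed by an unexpected MAC and rapid IP-to-MAC flapping. The gateway binding, hosts, MACs and timestamps are constructed for the example.

```python
"""Detect ARP-poisoning symptoms from logged ARP replies (added example)."""
from collections import defaultdict

# Known binding of the default gateway on the monitored Wi-Fi segment (assumed).
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:aa:bb:00:00:01"


def parse_arp_log(text):
    """Parse 'epoch,sender_ip,sender_mac' lines (constructed sensor format)."""
    events = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, ip, mac = (f.strip() for f in line.split(","))
        events.append((int(ts), ip, mac.lower()))
    return events


def detect_arp_poisoning(events, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC,
                         flap_window_s=60):
    """Return (kind, ip, mac, ts) alerts for gateway impersonation and flapping.

    A DHCP lease change also remaps an IP, but only once and slowly; a poisoner
    competing with the real host produces A->B->A changes within seconds.
    """
    alerts = []
    last_seen = {}                    # ip -> (ts, mac) of the previous reply
    flips = defaultdict(int)          # ip -> MAC changes seen inside the window
    for ts, ip, mac in events:
        if ip == gateway_ip and mac != gateway_mac.lower():
            alerts.append(("gateway-impersonation", ip, mac, ts))
        prev = last_seen.get(ip)
        if prev and prev[1] != mac:
            if ts - prev[0] <= flap_window_s:
                flips[ip] += 1
                if flips[ip] == 2:    # second fast change: report flapping once
                    alerts.append(("ip-mac-flapping", ip, mac, ts))
            else:
                flips[ip] = 0         # slow change: plausible lease renewal
        last_seen[ip] = (ts, mac)
    return alerts


SAMPLE_ARP_LOG = """# epoch,sender_ip,sender_mac  (constructed sample)
1000,192.168.1.1,00:aa:bb:00:00:01
1005,192.168.1.50,00:aa:bb:00:00:50
1010,192.168.1.1,de:ad:be:ef:00:99
1015,192.168.1.1,00:aa:bb:00:00:01
1020,192.168.1.1,de:ad:be:ef:00:99
5000,192.168.1.60,00:aa:bb:00:00:60
5100,192.168.1.60,00:aa:bb:00:00:61
"""
```

Running `detect_arp_poisoning(parse_arp_log(SAMPLE_ARP_LOG))` yields two gateway-impersonation alerts and one flapping alert for 192.168.1.1, while the slow change on 192.168.1.60 is left alone.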


LOGON HTTP BY DEFAULT

INFO GATHERING – DECOY ACCESS POINT

Your wireless users connect to the rogue access point and attempt logon or use of company assets. The hacker sniffs the traffic to gain information like:
- Usernames
- Passwords
- MAC addresses
- WEP key
- General data
- System information

Decoy access point (DAP) set to your company SSID; the signal overlaps into your company.

EVIL TWINS – “SOFT AP’S”

Access points that mimic a real access point in order to steal information.

Secure Wi-Fi is not susceptible to this threat as the decoy keys will not match.

SO HOW DO YOU DETECT ROGUE USERS ?

- Use an automated wireless detection solution
- Define what is normal and detect anomalies
- Follow up with manual assessments
- Issue wireless cards to consultants and guests
- Create an incident response plan to shut down or investigate violations
- Rotate keys every 30 days or less
- NAC
- First find all trusted MAC addresses
- Dual Wi-Fi networks
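The “find all trusted MAC addresses, define what is normal, detect anomalies” advice above, worked through as an added example that is not part of the original deck: scan rows in the shape a Kismet or NetStumbler export gives (SSID, BSSID, channel, encryption, signal) are checked against a trusted inventory to flag decoy/evil-twin APs, misconfigured company APs and strong unknown APs. The inventory, the on-premises signal threshold and all scan rows are constructed.

```python
"""Flag evil-twin / rogue access points against a trusted AP inventory (added example)."""
from dataclasses import dataclass

# Trusted inventory: SSID -> authorised BSSIDs (constructed for the example).
TRUSTED_APS = {
    "CorpNet": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "CorpGuest": {"00:11:22:33:44:03"},
}
# Unknown APs heard above this level are probably inside the building (assumption).
RSSI_ON_PREMISES_DBM = -60


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    encryption: str   # "WPA2", "WEP" or "OPEN"
    rssi_dbm: int


def parse_scan(text):
    """Parse 'ssid,bssid,channel,encryption,rssi' rows (constructed CSV export)."""
    beacons = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ssid, bssid, chan, enc, rssi = (f.strip() for f in line.split(","))
        beacons.append(Beacon(ssid, bssid.lower(), int(chan), enc.upper(), int(rssi)))
    return beacons


def classify(beacons, trusted=TRUSTED_APS, rssi_threshold=RSSI_ON_PREMISES_DBM):
    """Return (severity, bssid, reason) findings; trusted APs on good crypto are silent."""
    trusted_bssids = {b.lower() for bssids in trusted.values() for b in bssids}
    findings = []
    for b in beacons:
        if b.ssid in trusted:
            if b.bssid not in trusted[b.ssid]:   # our SSID from hardware we do not own
                findings.append(("high", b.bssid, f"evil twin of {b.ssid!r}"))
            elif b.encryption in ("OPEN", "WEP"):  # our own AP, weak or no encryption
                findings.append(("medium", b.bssid, f"{b.ssid!r} uses {b.encryption}"))
        elif b.bssid in trusted_bssids:            # our hardware, unexpected SSID
            findings.append(("medium", b.bssid, f"trusted AP advertises {b.ssid!r}"))
        elif b.rssi_dbm >= rssi_threshold:         # strong unknown AP: likely on site
            findings.append(("low", b.bssid, f"strong unknown AP {b.ssid!r}"))
    return findings


SAMPLE_SCAN = """# ssid,bssid,channel,encryption,rssi  (constructed sample)
CorpNet,00:11:22:33:44:01,6,WPA2,-45
CorpNet,AA:BB:CC:DD:EE:FF,6,OPEN,-50
CorpGuest,00:11:22:33:44:03,11,WEP,-55
FreeWifi,DE:AD:BE:EF:00:01,1,OPEN,-52
NeighborNet,12:34:56:78:9A:BC,1,WPA2,-85
"""
```

`classify(parse_scan(SAMPLE_SCAN))` reports the open “CorpNet” twin as high, the WEP guest AP as medium and the strong unknown “FreeWifi” as low; the weak neighbour network produces nothing.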

The END – Questions ?
