September 22, 2016
State of the Art Wi-Fi Security
September 22, 2016
Wifi is everywhere these days. From homes to large enterprise corporate networks, wifi is quick and easy to install, easy for employees to use, and more constantly supported on mobile. However, the greater availability of Wifi means increased danger from attacks, and increased challenges to an organization, and IT security professionals.The main objective for this post is to educate and guide users on the importance on wireless LAN security and its implementation. For ease to readers I decided to split this post into three parts. The first part (this one) will explain Wifi security issues and its common attacks. The second part will show a practical demo on how to attack a Wifi and to recover the WPA/WPA2 passphrase and the final part will explain on how to secure your wifi with Security best practises (Top 10 Recommendations).
Wireless Security Issues:
Before we have a look into the common Wifi attacks, we will have a quick look on the Wireless Security issues with Open, Public and Enterprise Wifi NetworksOpen Wifi Networks: Open wireless Networks is the first place where most users get caught. While some people genuinely want to share, most others use it in evil ways to get users to connect so that they can steal data. One has no way to make sure that no one can intercept and read and/or modify your data. Public Wifi Networks: Public wifi networks with a Pre-Shared Key are also not much safer. Although it provides a convenient way to check emails or access social networking one has no way to make sure that it's legitimate or someone can intercept, read and/or modify your data. Before connecting to these networks, make sure that the organization has even a Wifi connection established with it. Corporate Wifi Networks: Corporate wifi networks with no proper security in place pose a greater threat to its data and assets. Again the user has no way to confirm that the network he is connected to is legitimate, or if it's the evil twin since someone can intercept, read and/or modify your data (the attacker might operate a fake access point from the parking lot, and once the user is connected, the attacker can distribute malware to compromise the network).
Wifi - Common Attacks / Threats:Human Error: It is understood that an individual with no true understanding of networks can easily set up a flawed and vulnerable network. If an enterprise doesn't have the proper resources to set up its wireless networks, then there is high risk of deploying the network with its default/basic setting, which has basic or no security measures due to wireless hardware being relatively cheap. With ample documentation, it is pretty easy to get it up and running. In any system, the human components are the weakest link. Wireless networking is certainly no exception. Your organization should define strict policies and procedures related to wireless networking. It is important that employees are made aware of these rules and any subsequent changes to those rules. War Driving: As mentioned previously, wireless signals often propagate beyond physical barriers. The risk of someone attempting to break in using the wireless infrastructure is high. The first step is to perform Wardriving. An attacker equipped with a laptop and a wireless adapter will drive around neighborhoods and areas to enumerate what wireless networks exist, what type of encryption (if any) is used, password (if known), and any other pertinent information. Rogue Access Point (AP) a.ka Evil Twin These attacks are more likely to work with public hot spots as well as on corporate Wi-Fi networks. With increased mobility, and users who move from one network to another, keeping their WNIC (in their notebooks) in an active state makes it easier for them to connect to their preferred networks automatically while on the move. With this, an attacker can set up a rogue access point and operate from the parking lot of a building. A user who will eventually come along, and who had previously connected to such a network, will then get tricked into connecting to this Rogue Access point. Using this technique, Hackers can even distribute Malware into a corporate network. Cracking Attacks: Cracking passwords is the most desired attacks as attackers perform it as soon as they encounter an access login page to gain unauthorized access. The most common form of this is Brute force attack and it eventually works most times, but there are measures to minimize the impact. Aircrack-ng suite of tools (airmon-ng, airodump-ng, aireplay-ng) has been widely used to crack wifi (WEP, WPA, and WPA2). With a wireless card set to monitor mode we can steal the 4-way handshake in a file and use your password list to crack the key. Please note that he key MUST be in the dictionary for this attack to work.Denial Of Service Attacks : This type of attack is different from most other attacks because the attackers don’t intend to gain unauthorized access to your network to steal sensitive information. Their real intention is to bring down your organization’s network so valid users cannot access network related services which could have huge business impacts to your corporation. Think of it as an extreme brute force attack that overwhelms something, in this case, a Wifi network or assets/nodes on it. Karma Attacks : Karma was a tool that was used to sniff, probe, and attack wifi networks using Man-in-the-Middle (MITM) methods. It was later integrated with Metasploit and called Karmetasploit. In this instance, when a victim connects to the fake Access Point, karmetasploit launches all the suitable attacks available in the Metasploit framework against the victim. That way we can also capture passwords and other credentials. In development of this attack, the attacker will use the airmong-ng suite of tools to establish a fake wireless access point (evil twin) and will open metasploit and input the Karma run control file then wait for users to connect. Once they connect, the attacker has visibility into what the victim is doing and browsing as well as the capability to interrogate the victim machine and extract cookies, passwords, and hashes (More info with demo will be published in a separate post). Wifi Pineapple - Using Karma and SSLstrip to MITM (Man-in-Middle) secure connectionsBasically Wifi Pineapple is a Wifi honeypot that allows users to carry out man-in-the-middle attacks. Connected clients’ traffic goes through the attacker which makes the attacker capable of pulling a number of attacks. Using Karma coupled with SSLstrip, the Wifi Pineapple can easily give you access to traffic that would normally have been encrypted. Even if a site enforces HTTPS you can still find yourself browsing an insecure version of the site.
SSLstrip works by monitoring HTTP traffic and waiting for links or redirects that use HTTPS. Once it finds a link or redirect using HTTPS it will transparently rewrite it to the HTTP equivalent and pass it along to the victim. In the example above, of navigating to https://google.com, the google servers will respond with a redirect to https://google.com that SSLStrip then replaces. Once SSLstrip has replaced that it stores a map of all the replacements it has made so it can continue to exchange traffic between the HTTPS connection to google and the HTTP connection to the victim. (More info with demo will be in a separate post).
In general there will be no 100 percent solution to settle with, as technology evolves security issues grow along with it. But with proper precaution and good knowledge/implementation of Security Best practices, one can survive in this world to save his own data/assets. With this I will end the first part of my post and will present a detailed practical demo on Wifi auditing & pentesting aka wifi hacking with different scenarios in part two.