Simple wireless security Lab.
keatron
Member Posts: 1,213 ■■■■■■□□□□
To those interested;
Here in my hotel room, I've set up a quick and dirty wireless security practice lab (I'm been on a WPA cracking kick lately). But I decided to review myself on WEP stuff first.
Things I'm using.
1 Toshiba Satellite M20 running Redhat 9
2 Toshiba Portege Tablet running Windows XP SP2.
3. A cheap Netgear WGR614 wireless router.
4. A cheaper linksys wireless router.
5. And (drumroll).........My PPC 6700 Pocket PC phone.
I've posted before about how cool the phone is, but now I'm really impressed as I have been able to easily set up a share on my laptop, and browse/copy files from that shared location via my phone, super cool.
Basic setup is as follows. I've get the Netgear bridged to the hotel's WLAN for internet access, (I got persmission first), both laptops connected to the netgear via wifi. PPC Phone is also connected via wifi. I'm using WPA-TKIP with a key that's about 14 characters (I know the reccomendation is 20, but i'm trying to make it easy on myself for now. ), and WEP with a simple key (yes you can use both contrary to popular belief). I'm using one laptop to act mainly as a peer to peer server (it's got the shared folders), and the other as a my sniffer/packet analyzer, and using my PPC Phone to actually browse the internet. For now I'm randomly browsing and then disconnecting and reconnecting (to see how often the WEP pre-shared key really gets pushed across the airwaves), also I'm using packet injection to create traffic (my analyzer shows all of the injected packets as fragmented and corrupted, hmmm, interesting). Also, I'm using MAC filtering to really keep myself out.
The tools I'm using include, Kismet, Airopeek, COMMView, Aircrack and Airmagnet.
Ok, here are my prelim findings (ahhh only about an hour into it right now). First of all, the MAC filtering was a non-issue, because the MAC's of all devices are being transmitted like crazy (thanks ARP). And COMMView picks them up like crazy (even though it says the packets, are encrypted, the MAC's are still visible after converting the captured packets to ASCII. Cracking the WEP key was extremely easy using the Whoppix Live Cd and simply taking notes from Hacking Defined's video "Cracking WEP in 10 Minutes". With the WEP keys, I was able to associate with AP and easily grab and decrypt all WEP traffic coming across. I needed to capture about 200 megs worth traffic (or so I thought). After Commview reached 220 meg, I went ahead and exported the log to text and used Aircrack to extract the key. The whole thing took about 45 minutes, however, If i was as versed in linux as I should be, it would have been much shorter (took me forever to get the right syntax in the frikin config file for my card).
So far what i've been able to do is....
Reconstruct the TCP and IP packets into html, so I was actually able to view the webpages that I'd browsed from my PPC in Commview (that's scary). Also I was able to Reconstruct a word document I copied from the shared drive on the "server" laptop. It wasn't pretty, but it worked. It basically lost all the formatting, and the words for jumbled and broken. Keep in mind when I say reconstruct, I didn't actually re-code anything, COMMview actually has a reconstruct command that will do this for you by basically trying to put the packets back in the order and sequence they were sent using only information sent in the packets. As far as any of the graphics on the webpages, none of em were able to be reconstructed. Hopefully, some of you will download some of these tools and use them. They are all free (except Commview which is about $550), and they all work pretty well. This is mostly stuff centered around advice from JD Murray on preparing for CWNA, CWSP, and CWAP exams which I'll be taking soon. So far so good, and I'm having much fun. Hope some of you join me soon.
See ya.
Keatron
Here in my hotel room, I've set up a quick and dirty wireless security practice lab (I'm been on a WPA cracking kick lately). But I decided to review myself on WEP stuff first.
Things I'm using.
1 Toshiba Satellite M20 running Redhat 9
2 Toshiba Portege Tablet running Windows XP SP2.
3. A cheap Netgear WGR614 wireless router.
4. A cheaper linksys wireless router.
5. And (drumroll).........My PPC 6700 Pocket PC phone.
I've posted before about how cool the phone is, but now I'm really impressed as I have been able to easily set up a share on my laptop, and browse/copy files from that shared location via my phone, super cool.
Basic setup is as follows. I've get the Netgear bridged to the hotel's WLAN for internet access, (I got persmission first), both laptops connected to the netgear via wifi. PPC Phone is also connected via wifi. I'm using WPA-TKIP with a key that's about 14 characters (I know the reccomendation is 20, but i'm trying to make it easy on myself for now. ), and WEP with a simple key (yes you can use both contrary to popular belief). I'm using one laptop to act mainly as a peer to peer server (it's got the shared folders), and the other as a my sniffer/packet analyzer, and using my PPC Phone to actually browse the internet. For now I'm randomly browsing and then disconnecting and reconnecting (to see how often the WEP pre-shared key really gets pushed across the airwaves), also I'm using packet injection to create traffic (my analyzer shows all of the injected packets as fragmented and corrupted, hmmm, interesting). Also, I'm using MAC filtering to really keep myself out.
The tools I'm using include, Kismet, Airopeek, COMMView, Aircrack and Airmagnet.
Ok, here are my prelim findings (ahhh only about an hour into it right now). First of all, the MAC filtering was a non-issue, because the MAC's of all devices are being transmitted like crazy (thanks ARP). And COMMView picks them up like crazy (even though it says the packets, are encrypted, the MAC's are still visible after converting the captured packets to ASCII. Cracking the WEP key was extremely easy using the Whoppix Live Cd and simply taking notes from Hacking Defined's video "Cracking WEP in 10 Minutes". With the WEP keys, I was able to associate with AP and easily grab and decrypt all WEP traffic coming across. I needed to capture about 200 megs worth traffic (or so I thought). After Commview reached 220 meg, I went ahead and exported the log to text and used Aircrack to extract the key. The whole thing took about 45 minutes, however, If i was as versed in linux as I should be, it would have been much shorter (took me forever to get the right syntax in the frikin config file for my card).
So far what i've been able to do is....
Reconstruct the TCP and IP packets into html, so I was actually able to view the webpages that I'd browsed from my PPC in Commview (that's scary). Also I was able to Reconstruct a word document I copied from the shared drive on the "server" laptop. It wasn't pretty, but it worked. It basically lost all the formatting, and the words for jumbled and broken. Keep in mind when I say reconstruct, I didn't actually re-code anything, COMMview actually has a reconstruct command that will do this for you by basically trying to put the packets back in the order and sequence they were sent using only information sent in the packets. As far as any of the graphics on the webpages, none of em were able to be reconstructed. Hopefully, some of you will download some of these tools and use them. They are all free (except Commview which is about $550), and they all work pretty well. This is mostly stuff centered around advice from JD Murray on preparing for CWNA, CWSP, and CWAP exams which I'll be taking soon. So far so good, and I'm having much fun. Hope some of you join me soon.
See ya.
Keatron
Comments
-
JDMurray Admin Posts: 13,101 AdminUse Ethereal to sniff the the traffic on the hotel's wired network. There's a good chance the hotel is only using a hub, and you'll be able to see the network traffic from all the other hotel guests--both wired and wireless.
Now that's scary! -
keatron Member Posts: 1,213 ■■■■■■□□□□Lol....you are exactly right JD. I actually saw the closet, the guys figured I did "something with computers" for a living and asked me to take a look to see why the wireless sometimes drops. (Probably had something to do with a radio sitting on top of the Aironets they use..lol). I noticed this radio is plugged into their PBX (probably for music on hold). Also I noticed at the front desk they have 2.4ghz cordless phones. Most cordless phones use FHSS and most of the WLAN equipment they have at this hotel is 802.11b, which is not a good combination. And of course, the AP's are wide open with no security controls in place. I'm finding this to be the norm, now that's really scary!!!
-
Webmaster Admin Posts: 10,292 AdminInteresting stuff. I recently installed Wififofum2 you suggested on my PPC. Just walking around in my appartement shows dozens of unprotected wireless networks. Actually, only mine is secured. What's scary here is that several of those open wireless network (not even wep or mac filtering) are installed by the ISP who installed an ADSL connection. Scary and sad at the same time.
-
strauchr Member Posts: 528 ■■■□□□□□□□No wonder why so many companies are nervous about installing wireless! I do plan on messing around with this when I go for my CWSP. Got to get through CCNA first though
-
Webmaster Admin Posts: 10,292 AdminReminds me of one of the major causes for Windows getting a reputation of being unstable: incompetence of those who install and configure it.
I bet there are quite a few companies who get rid of (some part of) their wireless networks after an incident has occured, rather than security. There'll be plenty of people saying "I told you wireless network is not secure". -
TeKniques Member Posts: 1,262 ■■■■□□□□□□Hey guys I have a quick question. After reading this thread (very much informative btw) I am wondering something: What is the best method of making a wireless network secure?
Seems like there is every tool available to crack whatever you do. Where I work we use ACL's with MAC addresses. As I was reading the thread I thought I was magically being transported into an episode of 24. -
drainey Member Posts: 261It is scary how unsecure an AP is at a hotel, but as the primary support for 60 field reps (most over 50) I understand the hotel's need for ease of use to satisfy the majority of unskilled customers who just want to click and connect. Not to mention most hotels don't have a IT support staff handy to answer questions.
The security is a concern but it sure makes my life easier, especially as I've spent over an hour trying to walk one rather "computer stupid" (his words) rep through the process of setting up a connection with a secured AP at a Radisson hotel. I just make sure they have a good firewall installed and AV gets updated whenever they connect via VPN.The irony truly is strange that you're the only one you can change. -- Anthony Gomes -
JDMurray Admin Posts: 13,101 AdminHotels are notorious for poor network security. They often use very old equipment that was recycled from corporate junk sales. Their on-site IT people are ill-trained or non-existent, preferring to out-source all their IT services.
TeKniques, these days you should run a minimum security of WPA-PSK (Pre-Shared Key), aka WPA Personal. There's no reason to use WEP anymore. If you are using wireless devices whose firmware can't be upgraded to use at least WPA (and preferably WPA2), then they should be immediately replaced with newer devices that can. 802.11 networking has changed so much over the last three years that junking old equipment is the safest thing you can do.
Another thing to realize is that wireless security measures only protect the communication on the wireless side of the access point. The wired side needs it own security from something more conventional to wired networks, such as a VPN. -
Webmaster Admin Posts: 10,292 AdminI'm sure Keatron and JD (edit: I see he just did) can give you a better answer, but I would look at 802.1x authentication (using PKI with digital certificated for client auth) and using WPA2 when available.
-
TeKniques Member Posts: 1,262 ■■■■□□□□□□Thanks for the advice guys. I actually haven't updated my Router's firmware at home in a while so I'm going to check that out later.
-
keatron Member Posts: 1,213 ■■■■■■□□□□jdmurray wrote:Another thing to realize is that wireless security measures only protect the communication on the wireless side of the access point. The wired side needs it own security from something more conventional to wired networks, such as a VPN.
And I'll add to this comment by pointing back to JD's original response to my post. He said that I should use ethereal to sniff the wired side of the network. This is a perfect example of the point he made above. And JD is dead on about using old equipment. Those 802.11b AP's in that place look like they're as old as dirt. They are HUGE! And listen to JD's warning again about using WPA or WPA2. As I pointed out in the initial post MAC filtering WILL NOT protect you. I'll eventually post something on ARP spoofing. In the office we were able to poison an AP arp table then have traffic intended for one workstation sent to another, which was then fowarded to the original intended station. So the intended station never knew the traffic was "proxied" through a rogue station before it got there. You can do this and sniff for keys, and passwords all day, and no one will know the wiser. This is why MAC filtering should only be considered ONE LAYER of your protection. If you've ever used a packet analyzer or sniffer, you'll notice that one of the first peices of useful information you'll find is MAC information -
keatron Member Posts: 1,213 ■■■■■■□□□□drainey wrote:It is scary how unsecure an AP is at a hotel, but as the primary support for 60 field reps (most over 50) I understand the hotel's need for ease of use to satisfy the majority of unskilled customers who just want to click and connect. Not to mention most hotels don't have a IT support staff handy to answer questions.
The security is a concern but it sure makes my life easier, especially as I've spent over an hour trying to walk one rather "computer stupid" (his words) rep through the process of setting up a connection with a secured AP at a Radisson hotel. I just make sure they have a good firewall installed and AV gets updated whenever they connect via VPN.
What you're really referring to is the CIA triad. Confidentiality, Integrity, and Availability. Yes, the trick is to balance these three to end up with a workable and applicable solution, however to completely ignore/abandon either of these three is NEVER the best way to go about it. For example, every military client we work with is focused on Confidentiality first, Integrity second, and then Availability as almost an after thought. This thinking stands until something crucial is not available when it needs to be, then the thought process begins to slowly shift. I've seen it happen many times. Same thing with hotel type establishments. Security is more of an after thought until something major happens (like some guy who knows a little about network security sniffs the wired portion of the network using ethereal to get customer guest info and credit card information, SINCE the front desk computer which holds and scans all guest and credit card info is connected to the same Cisco 1720 router that the rest of the guest who are given wireless internet access is connected to). I wonder if they've VLAN'd off that portion of the network????? Not a chance.. -
JDMurray Admin Posts: 13,101 Adminkeatron wrote:This is why MAC filtering should only be considered ONE LAYER of your protection.
If your car were stolen you'd never honestly say "but I locked the doors!" Locked doors are a deterrent, but are simply no guarantee that theft of your car is impossible. Locks doors, a car alarm, a steering wheel lock, and parking in a closed garage is a much better, multi-layered security solution. -
JDMurray Admin Posts: 13,101 AdminWebmaster wrote:I would look at 802.1x authentication (using PKI with digital certificated for client auth) and using WPA2 when available.
-
Webmaster Admin Posts: 10,292 AdminYeah, I realized my suggestion was of little use when TeKniques mentioned 'at home' in his second reply.
-
TeKniques Member Posts: 1,262 ■■■■□□□□□□Well I planned on using all the advice here at work and at home so rest assured that everyone's advice is good advice
-
keatron Member Posts: 1,213 ■■■■■■□□□□Webmaster wrote:Yeah, I realized my suggestion was of little use when TeKniques mentioned 'at home' in his second reply.
I agree to an extent, but you'd be suprised at how many decent sized IT shops have no idea how to configure radius and the likes. Some don't even know what it is!!!!!!!!!!!! -
Webmaster Admin Posts: 10,292 Adminkeatron wrote:Webmaster wrote:Yeah, I realized my suggestion was of little use when TeKniques mentioned 'at home' in his second reply.
I agree to an extent, but you'd be suprised at how many decent sized IT shops have no idea how to configure radius and the likes. Some don't even know what it is!!!!!!!!!!!! -
drainey Member Posts: 261Keatron wrote:What you're really referring to is the CIA triad. Confidentiality, Integrity, and Availability. Yes, the trick is to balance these three to end up with a workable and applicable solution
I haven't heard it put in those terms before but that is the goal of our IT dept. Unfortunetly we are viewed as overhead while the reps (Salesmen) are viewed as our bread and butter so we are relegated to making sure everything is as easy to work for them as possible. This is slowly changing as younger people move up the corporate ladder but it will be a very slow process.The irony truly is strange that you're the only one you can change. -- Anthony Gomes -
JDMurray Admin Posts: 13,101 AdminThe CIA (or AIC) triad is one of the absolute foundations of information security. You can't pick up an InfoSec book that doesn't reference it in some way. All InfoSec technologies and methodologies are describe by how they make information more confidential, integral, and available.
-
Danman32 Member Posts: 1,243I don't understand the hubbub about a hotel's guest access wireless internet access being in the clear. That's the purpose of it; to provide easy internet access for the guests.
If the guest needs security on that channel, use SSL or VPN. It is really no different than broadband cable internet where traffic is shared on the cable. That's why that modem light (or WAN light on the router) keeps blinking even though all your hosts are off.
Now I will grant you that there's no excuse for using hubs on the network, or having the guest internet access being connected to the hotel staff network. Switches are cheap now, though granted the managed ones are a little more money. If they are managed, then VLAN could be employed to isolate the guest connection from the staff connection.
Also, even if the internet access is isolated from the staff network, guests should be made aware that wireless by its very nature is visible to anyone (it is a broadcast radio after all), and internet itself is not secure so the client should employ measures of security if they are to communicate sensitive information, including but not limited to online credit card purchases, and emails.
Even if the hotel decided to use WEP, they would have to give the client the shared key, which all other hotel guests would have as well. Any further security such as WPA would be more effort than a hotel would be willing to employ (or even expected to employ) just to give internet access to the guests. -
JDMurray Admin Posts: 13,101 AdminDanman32 wrote:I don't understand the hubbub about a hotel's guest access wireless internet access being in the clear. That's the purpose of it; to provide easy internet access for the guests.Danman32 wrote:If the guest needs security on that channel, use SSL or VPN. It is really no different than broadband cable internet where traffic is shared on the cable. That's why that modem light (or WAN light on the router) keeps blinking even though all your hosts are off.Danman32 wrote:Switches are cheap now, though granted the managed ones are a little more money.Danman32 wrote:Even if the hotel decided to use WEP, they would have to give the client the shared key, which all other hotel guests would have as well.
This problem doesn't only exists for hotels; all public hotspots, such as airports, libraries, coffee houses, and now even entire cities, are not secure. The only good solution is for the individual network users to provide their own VPN by using a service, such as Hamachi (www.hamachi.cc) and HotSpotVPN (hotspotvpn.com). -
keatron Member Posts: 1,213 ■■■■■■□□□□Danman32 wrote:If the guest needs security on that channel, use SSL or VPN. It is really no different than broadband cable internet where traffic is shared on the cable. That's why that modem light (or WAN light on the router) keeps blinking even though all your hosts are off.
.Danman32 wrote:Even if the hotel decided to use WEP, they would have to give the client the shared key, which all other hotel guests would have as well. Any further security such as WPA would be more effort than a hotel would be willing to employ (or even expected to employ) just to give internet access to the guests.
And if WEP were used, that would mean that someone driving to the hotel parking lot and authenticating with the hotel's AP will have had to circumvent some form of access control. And I can tell you as someone who travels often.....very often, that some hotels are good about it (I'm in Vegas now at a nice hotel, and you do have to authenicate before using the WLAN here). The truth of the matter is, as with most other things, money is the motivating factor. More and more hotels have stopped providing free access and now charge a daily rate for it. And guess what, you have to athenticate with your room number and password. Why? because it now brings a profit and since a user not paying could hurt their profit margin, it's important to implement some type of access control. -
sprkymrk Member Posts: 4,884 ■■■□□□□□□□The truth of the matter is, as with most other things, money is the motivating factor. More and more hotels have stopped providing free access and now charge a daily rate for it. And guess what, you have to athenticate with your room number and password.All things are possible, only believe.
-
JDMurray Admin Posts: 13,101 Adminsprkymrk wrote:All of the hotels did require some sort of authentication to access the LAN - usually a room number. One hotel provided free wireless access from the lobby which did not require authentication.
-
sprkymrk Member Posts: 4,884 ■■■□□□□□□□jdmurray wrote:sprkymrk wrote:All of the hotels did require some sort of authentication to access the LAN - usually a room number. One hotel provided free wireless access from the lobby which did not require authentication.All things are possible, only believe.
-
Danman32 Member Posts: 1,243I have had the same experience: less and less hotels charging for internet. It seems the cheaper hotels are less likely to charge. Same for parking I have heard. Expensive hotels often charge for parking too.
All the hotels I went to that offered free access had no authentication mechanism. The AP was in the clear. Now what was behind the AP I had not explored, such as whether the guest internet was integrated into the staff network.
I still say though that it is not the reponsibility of the provider to guarantee confidentiality on a public access network, and this is especially true on a wireless connection. I would agree though that it would be prudent to disclose the fact that the network does not guarantee confidentiality to the public network since most guests would be unaware of this fact. Heck, I am just discovering that RoadRunner doesn't seem to offer secure POP3 connections so I can download my email.
As for cable, it is a bus topology so everyone gets everyone's communications at the cable end of the modem. The modem may filter out uinicasts not directed to me, but broadcasts will get through. I had discovered that the cable broadband uses a 10. address on the MAN. I'll experiment though by connecting my PC directly to the modem rather than through the router that has NAT blocking most traffic and run ethereal on it. By the way my router's WAN port is blinking too, not just the modem activity light (separate devices). -
keatron Member Posts: 1,213 ■■■■■■□□□□jdmurray wrote:sprkymrk wrote:All of the hotels did require some sort of authentication to access the LAN - usually a room number. One hotel provided free wireless access from the lobby which did not require authentication.
I never said it secured your lan traffic, but it does make the task more involved as far as compromising the wireless side. Also, as I pointed out, some hotels DO issue WEP keys or WPA passphrases. Besides I'm definitely not going to get into what IS secure and what isn't, because it's always a matter of relativity anyway.