Wireless Security Basics
Posted By quixote

| Wireless Security Guide |

By Conor

| Introduction |



Wireless communications are just so rad. I’m just hoping to spark your interest. This guide isn’t intended to be complete... more like an eye-opener.

| Understanding Basic Networking and Terminology |



You should already understand LAN topologies, but I’ll go over it a bit. There are two types of wireless networks: infrastructure and ad hoc (Latin for ‘to that’, thanks mom).



An infrastructure network is set up so that every client sends all of its communications to an access point (AP). The access point acts as an Ethernet bridge and forwards the traffic to the appropriate network, either the wired LAN or another wireless network (WN).

Infrastructures are usually only used for large networks or networks with many ‘sub-hubs’.

An ad hoc network is set up, with a router or gateway, so that clients connect directly to each other. No APs are used to connect the ad hoc network to a wired network. It is designed to allow only clients within range of each other to communicate.



If you own a wireless router/gateway or a mobile client, it is vital that you use some type of encryption, especially in a work environment.

| Wireless Whatnot |

SSID

The Service Set Identifier is meant to differentiate networks from one another. Manufacturers ship their APs with a default SSID: Linksys APs use the network name ‘linksys’, Cisco’s is ‘tsunami’, and mine was initially set to ‘54mbps’. I recommend that you change it; with the default left in place, an attacker can find your network a lot more easily.



It is pretty important that you try to conceal your SSID.



-By default, APs broadcast their SSID every few seconds in what are known as ‘Beacon Frames’. Again, this lets an attacker find your SSID easily.



Authentication Type

Before any communications can take place, a dialogue must be established between the client and the AP. This process is known as associating. Authentication is required immediately after a device associates. There are two types of authentication: shared key authentication and open authentication.



-The simplest and default setting for this feature is open authentication. This allows anyone to begin a conversation with the AP and provides no control over who can talk to the AP.



-In shared key authentication the client begins by sending an association request to the AP. The AP responds with a string of challenge text, which the client must encrypt using the WEP key (see WEP below). If the text is encrypted correctly, the client is allowed to communicate with the AP and moves on to the next layer of security.



WEP

Wired Equivalent Privacy. Intended to give wireless users security equivalent to being on a wired network.

Standard WEP:

-Each packet transmitted from one radio to another is first encrypted by taking the packet’s data payload and a secret 40 bit number and passing them through the RC4 algorithm.

-The resulting encrypted packet is then transmitted across the airwaves. The receiving station hears the packet and reverses the process, resulting in the host receiving usable data.



Above-standard options:

-The SSID is not transmitted in the ‘Beacon Frames’.

-128 bit WEP (also called WEP Plus). Extends the WEP key from 40 bits to 104 bits for added security.

-Broadcast key rotation. Another method intended to help counter the flaws in WEP. In this model there are two WEP keys: one encrypts data between the AP and a client, the other encrypts broadcasts such as ARP and DHCP. The keys are short-lived: the admin sets a specific time (in seconds) after which the AP broadcasts a new WEP key, encrypting it with the old one. Because these timeouts are usually set to ten minutes or so, an attacker does not have enough time to intercept the number of packets needed to crack the key (see below for methods).

-MAC address filtering limits access to the AP to the MAC addresses of authorized clients only.



| Methods and Solutions |



Fingerprinting a wireless network can be really fun as long as you know some methods of obtaining information, even if you don’t get anywhere with them. WarDriving is when someone drives around high-traffic areas with a NIC (network interface card) and packet sniffing software in order to attack a network.



You should definitely download some packet sniffing software (AiroPeek is a good one).



SSID

This should be considered the first level of security. Knowing it narrows things down from senseless packets to actual proof of a network.

Methods of getting past this first level:

-Scanning for networks using a manufacturer’s default SSID.

-Try guessing :D



WEP

Problems:

-The RC4 encryption has been proven insecure. It combines the 40 bit secret key with a 24 bit random number known as the Initialization Vector (IV) to encrypt the data. The packet sent over the airwaves contains the IV followed by the encrypted data.

-The first attack uses a simple numerical limitation of the IV to figure out the WEP key. Because the IV is only 24 bits long, there are only so many IV values for RC4 to pick from (possible values = 16,777,216, i.e. 2^24). Given a great number of packets, the same IVs are chosen over and over, and the attacker can eventually acquire the two variables.
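As an added illustration (not part of Conor’s article), the Python below models the WEP framing described under ‘WEP’ above and the IV limitation just discussed: a 40 bit key and 24 bit IV fed to RC4, a defender-side check that flags repeated IVs in a capture, and the birthday estimate of how many frames it takes before an IV repeats, which is the number a key-rotation timeout has to beat. The key, IVs and payloads are constructed sample values, and the toy omits WEP’s key-id byte and integrity check.

```python
# Added example (not from the original article): a toy WEP-style encryptor built
# from RC4, used to show why a 24-bit IV space is too small and how a defender
# can spot IV reuse in captured frames. Omits WEP's key-id byte and ICV.
import math
from collections import Counter

IV_SPACE = 2 ** 24  # 16,777,216 possible IVs, as the article states


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then the pseudo-random generation loop."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_encrypt(key40: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body as WEP sends it: 3-byte IV in the clear, then payload XOR RC4(IV || key)."""
    assert len(key40) == 5 and len(iv) == 3, "40-bit key, 24-bit IV"
    ks = rc4_keystream(iv + key40, len(payload))
    return iv + bytes(p ^ k for p, k in zip(payload, ks))

def wep_decrypt(key40: bytes, frame: bytes) -> bytes:
    """Receiver side: same keystream, same XOR; the IV is read off the frame."""
    return wep_encrypt(key40, frame[:3], frame[3:])[3:]

def repeated_ivs(frames) -> dict:
    """Defender-side check over a capture: IVs seen more than once, i.e. reused keystreams."""
    counts = Counter(f[:3] for f in frames)
    return {iv: n for iv, n in counts.items() if n > 1}

def expected_frames_to_first_repeat(space: int = IV_SPACE) -> int:
    """Birthday bound: roughly sqrt(pi * space / 2) random IVs before the first repeat."""
    return round(math.sqrt(math.pi * space / 2))

def reuse_leaks_xor(key40: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Why reuse matters: two frames under one IV share a keystream, so c1 XOR c2 == p1 XOR p2."""
    c1, c2 = wep_encrypt(key40, iv, p1)[3:], wep_encrypt(key40, iv, p2)[3:]
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(p1, p2))
```

With random IVs the first repeat is expected after only about five thousand frames, so a rotation timeout protects the key only if it expires well before that much traffic has been sent.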



Solutions:

-The 128 bit WEP key.

-Broadcast key rotation. One key encrypts the individual stream of data between the AP and the wireless client and the other encrypts broadcast transmissions such as DHCP or ARP requests. The admin sets a certain time, in seconds, on the AP, after which the AP broadcasts a new WEP key, encrypting it with the old one.

-MAC address filtering. This provides good security, but the list of clients is difficult to maintain if the network is large.



| More Implementations |



VPN

Virtual Private Network. This approach treats the wireless network as if it were the internet: only users inside an encrypted channel are able to communicate.



There are a few weaknesses with this setup. The process of getting proper access to the wireless network begins with the client booting up and receiving an IP; the client can then negotiate a tunnel over the wireless network to begin its communications. False users go through the same process, and although they cannot communicate outside the network, they can communicate with other clients on the LAN. This would divide the connection speed, which could be used as a DoS attack.



RADIUS server

Remote Dial-In User Service. When a client requests access to the AP, the AP demands a set of credentials and forwards them to a RADIUS server. This method of authentication is defined as EAP.



EAP

Extensible Authentication Protocol.

An authentication framework that allows developers to create their own methods of passing credentials.



Four commonly used EAP methods are:



EAP-MD5

-relies on an MD5 hash of a username and password to pass credentials to the RADIUS server. It offers no key management.



EAP-Cisco Wireless (LEAP)

-A standard developed by Cisco. LEAP accepts a username and password from the wireless client and transmits them to the RADIUS server for authentication. LEAP dynamically creates a key for each individual user.



EAP-TLS (by Microsoft)

-Instead of username/password combinations, EAP-TLS uses certificates to handle authentication.

-Like LEAP, EAP-TLS offers one-time WEP key generation.



EAP-TTLS (by Funk Software)

-An alternative to EAP-TLS. The AP identifies itself to the client with a server certificate, but TTLS then passes the client’s credentials on to other response mechanisms (CHAP, PAP/Token Card, or EAP).

| Conclusion |



Wireless is fun.


Winnuke the technical side
Posted By numberXIII

A technical explanation of the OOB packets vulnerability behind the Winnuke program.

Winnuke is a DoS attack involving sending OOB (Out Of Band) packets to a Windows box. The attack consists of sending OOB packets to the NetBIOS port (139) of that machine. The operating system, not expecting that type of data, will crash or freeze, usually resulting in the "Blue Screen Of Death" (BSOD). The main vulnerable systems are Windows 95 and Windows NT. A program called Winnuke was written to do all that.
Scanning Networks - By Krishna
Posted By Kris-Digital



By: Krishna Shekhar ; http://www.KrisinDigitalAge.com

Scanning helps one to know what services are running on a machine. It will show the open ports on which services are listening for connections.

First we will determine whether the target machine is alive or not. This can be done by sending an ICMP echo request packet to the server. The server would respond with an ICMP echo reply, showing that it’s alive. Doing this on a range of hosts or IP addresses is known as a ping sweep.

Of the many methods used, we will look at ICMP ping and echo port ping.


FootPrinting : : Before the real fun begins
Posted By Kris-Digital

By: Krishna Shekhar : Mail: Krishna@krisindigitalage.com : Homepage http://www.KrisinDigitalAge.com

FootPrinting is the art of gathering target information. It’s just like knowing your enemy before you try to attack. A successful attacker must harvest a wealth of information to execute a focussed and surgical attack. This enables an attacker to create a complete profile of an organization's security posture, and this is achieved by using a combination of tools and techniques.

The content and design of this site is © 2002 by Fromadia.com and any of the people that help support our community.
