Exam 70-124: Objective 3.3: Wireless LAN Security Issues

In general, attacks on wireless networks fall into four basic categories: passive attacks, active attacks, man-in-the-middle attacks, and jamming attacks. After we have examined each of these attack types, we will spend some time examining the problems associated with the current wireless security solutions.

Passive Attacks on Wireless Networks

A passive attack occurs when someone listens to or eavesdrops on network traffic. Armed with a wireless network adapter that supports promiscuous mode, the eavesdropper can capture network traffic for analysis using easily available tools, such as Network Monitor in Microsoft products, TCPDump in Linux-based products, or AirSnort (developed for Linux, but Windows drivers can be written for it).

A passive attack on a wireless network might not be malicious in nature. In fact, many in the war-driving community claim their war-driving activities are benign or "educational" in nature. (War driving is the act of searching for wireless networks—via car, by foot, or by other vehicle—by means of a roaming wireless client.) Wireless communication takes place on unlicensed public frequencies, which anyone can use. This makes it more difficult to protect a wireless network from passive attacks. However, by its very definition, a passive attack cannot be an attack at all. The supposed "passive attacker" is merely a bystander. The relative "passivity" of the interaction completely changes when there is criminal intent to either capture or change data on a network the user is not explicitly authorized to access.

Passive attacks are, by their very nature, difficult to detect. If an administrator is using the same DHCP scope and subnet to serve clients on the wireless network (this is not recommended), he or she might notice in the DHCP server logs that an unfamiliar MAC address has acquired an IP address from this scope. Then again, he or she might not notice this. See the "Using a Separate Subnet for Wireless Networks" section later in this chapter for a solution to the DHCP problem. Perhaps the administrator notices a suspicious-looking car sporting an antenna protruding from one of its windows. If the car is parked on private property, the driver could be asked to move or possibly charged with trespassing. However, the legal response might be severely limited, depending on the laws in your jurisdiction. The circumstances under which the war driver is susceptible to being charged with a data-related crime depend entirely on the country or state in which the activity takes place.

Passive attacks on wireless networks are extremely common, almost to the point of being ubiquitous. Detecting and reporting on wireless networks has become a popular hobby for many wireless war-driving enthusiasts. In fact, this activity is so popular that a new term, war plugging, has emerged to describe the behavior of people who actually want to advertise both the availability of an AP and the services they offer by configuring their SSIDs with text such as "Get_food_here!"

War Driving

Most war-driving enthusiasts use a popular freeware program called NetStumbler, available from www.netstumbler.com. The NetStumbler program works primarily with wireless network adapters that use the Hermes chipset, due to its ability to detect multiple APs that are within range and WEP, among other features. (A list of supported adapters is available at the NetStumbler Web site.) The most common card that uses the Hermes chipset for use with NetStumbler is the ORiNOCO gold card. Another advantage of the ORiNOCO card is that it supports the addition of an external antenna, which can extend the range of a wireless network by many orders of magnitude, depending on the antenna.

start sidebar
Head of the Class…
The Legal Status of War Driving and Responsibility of Wireless Network Owners and Operators

Standard disclaimer: The law is a living and dynamic entity. What might appear to be legal today could become illegal tomorrow, and vice versa. And what might be legal in one country or state could be illegal in another. Furthermore, the legal status of any particular activity is complicated by the fact that such status arises from a number of sources, such as statutes, regulations, and case law precedents. The following text summarizes some of the current popular thinking with regard to the legal status of war driving and related activities in the United States. However, you should not assume that the following in any way constitutes authoritative legal advice or is definitive with regard to the legal status of war driving.

If we define war driving as the relatively benign activity of configuring a wireless device to receive signals (interference) from other wireless devices and then moving around to detect those signals, without the presence of an ulterior or malicious motive on the part of the war driver, the activity is most probably legal in most jurisdictions. (Whether or not it is ethical is a separate issue.) Most of this thinking is based on Part 15 of the Federal Communications Commission (FCC) regulations, which can be found at www.access.gpo.gov/nara/cfr/waisidx_00/47cfr15_00.html. In the regulations, wireless devices fall under the definition of Class B devices. Class B devices must not cause harmful interference, and they must accept interference they receive, including interference that harms operations. (In Canada, the situation is identical, except that Class B devices are known as Category I devices. For more information on Canadian regulations regarding low-power radio devices, see the Industry Canada Web site at http://strategis.ic.gc.ca/SSG/sf01320e.html.) In other words, simply receiving a signal from another wireless device could be considered a kind of interference that the device must accept.

So far, war driving appears legal from this point of view. However, this has been the case in the past only because little or no law has specifically addressed this situation, which involves computer-related transmission of data. On the other hand, cordless phones use the same ISM or UNII frequencies as wireless networks, but wiretap laws in place for quite a while make it illegal to intercept and receive signals from cordless phones without the consent of all the parties involved, unless the interception is conducted by a law enforcement agency in possession of a valid warrant. (In Canada, the situation is a little different and is based on a reasonable expectation of privacy. Savvy dope peddlers in Canada know better than to use cordless phones to make their drug deals.)

No one to my knowledge has been charged with violating FCC regulations with regard to war driving and the passive reception of computer-related data over the ISM or UNII bands. However, in the wake of September 11, 2001, both the U.S. federal government and state governments have passed new criminal laws addressing breach of computer network security. Some of these laws are written in a way that makes illegal any access to network communications without authorization. Although many of the statutes have not yet been tested in court, it is safest to take the conservative path and avoid intentionally accessing any network that you don't have permission to access.

The issue gets a little more complicated when we consider the implications of associating with a wireless network. If the wireless network administrator has configured a DHCP server on the wireless network and allows any wireless station to authenticate and associate with the wireless network, any wireless user in the vicinity, not just war drivers, could find that the wireless station has automatically received IP address configuration and has associated with the wireless network, simply by being in close proximity to the network. That is, without any intent on his or her part, the person using a wireless-equipped computer is able to use the services of the wireless network, including access to the Internet. Assume that the person used this automatic configuration to gain access to the Internet through the wireless network. Technically, this could be considered theft of service in some jurisdictions, although the person has been, for all intents and purposes, welcomed onto the wireless network. Regardless of this "welcome," however, if the laws in that jurisdiction prohibit all unauthorized access, the person may be charged. Most such statutes set the required culpable mental state at "intentional or knowing." Thus, if the person knows that he or she is accessing a network and does not have permission to do so, the elements of the offense have been satisfied.

Where war driving almost always crosses the line from a "semi-legal" to an illegal activity appears to be when the war driver collects and analyzes data with malicious intent and when the war driver causes undesirable interference with the operation of the network. Cracking WEP keys and other encryption on the network is almost universally illegal. In this case, it is presumed that malicious intent to steal data or services or interfere with operations could be established, since it requires a great deal of effort, time, and planning to break into an encrypted network.

From the point of view of the administrator of a wireless network, the onus to exercise due diligence to protect the wireless network falls squarely on him or her, just as it is the responsibility of corporate security personnel to ensure that tangible property belonging to the company is secured and safe from theft, regardless of laws that prohibit stealing. That is, it is up to the administrator to ensure that the network's data is not radiating freely into space in such a way that anyone can receive it and interpret it using only licensed wireless devices. This much is clear: Administrators who don't take care to protect their wireless networks put their companies at risk. This is true regardless of whether or not laws exist for the purpose of mitigating that risk.

For more information about legal aspects of war driving and other computer-related criminal offenses, see Scene of the Cybercrime: Computer Forensics Handbook, published by Syngress Publishing (ISBN 1-931836-65-5, 2002).

end sidebar

Note

War drivers often make their own Yagi-type (tubular or cylindrical) antenna. Instructions for doing so are easy to find on the Internet, and effective antennas have been made from such items as Pringles potato chip cans. Another type of antenna that can be easily homemade is the dipole, which is basically a piece of wire of a length that's a multiple of the wavelength, cut in the center and attached to a piece of cable that is connected to the wireless network interface card (NIC).

A disadvantage of the Hermes chipset is that it doesn't support promiscuous mode, so it cannot be used to sniff network traffic. For that purpose, you need a wireless network adapter that supports the PRISM2 chipset. The majority of wireless network adapters targeted for the consumer market use this chipset (for example, the Linksys WPC network adapters). Sophisticated war drivers arm themselves with both types of cards—one for discovering wireless networks and the other for capturing the traffic.

In spite of the fact that NetStumbler is free, it is a sophisticated and feature-rich product that is excellent for performing wireless site surveys, for legitimate purposes or otherwise. Not only can it provide detailed information on the wireless networks it detects, it can be used in combination with a global positioning system (GPS) to provide exact details on the latitude and longitude of the detected wireless networks. Figure 7.5 shows the interface of a typical NetStumbler session.

Figure 7.5: Discovering Wireless LANs Using NetStumbler

As you can see from Figure 7.5, NetStumbler displays information on the SSID, the channel, and the manufacturer of the wireless AP. A few things are particularly noteworthy about this session. The first is that a couple of APs are still configured with the default SSID supplied by the manufacturer, which should always be changed to a nondefault value on setup and configuration. Another is that at least one network uses an SSID that could provide a clue about the entity that has implemented it; again, this is not a good practice when configuring SSIDs. Finally, we can see which of these networks have implemented WEP.

If the network administrator has been kind enough to provide a clue about the company in the SSID or is not encrypting traffic with WEP, the potential eavesdropper's job is made a great deal easier. Using a tool such as NetStumbler is only a preliminary step for the attacker. After discovering the SSID and other information, the attacker can connect to the wireless network to sniff and capture network traffic. This network traffic can reveal a plethora of information about the network and the company that uses it.

For example, looking at the network traffic, the attacker can determine what DNS servers are being used, the default homepages configured on browsers, network names, logon traffic, and so on. The attacker can use this information to determine if the network is of sufficient interest to proceed further with other attacks. Furthermore, if the network is using WEP, the attacker can, given enough time, capture a sufficient amount of traffic to crack the encryption.

NetStumbler works on networks that are configured as open systems. This means that the wireless network indicates it exists and will respond with the value of its SSID to other wireless devices when they send out a radio beacon with an "empty set" SSID. This does not mean that the wireless network can be easily compromised, if other security measures have been implemented.

To defend against the use of NetStumbler and other programs to easily detect a wireless network, administrators should configure the wireless network as a closed system. This means that the AP will not respond to "empty set" SSID beacons and will consequently be "invisible" to programs such as NetStumbler, which rely on this technique to discover wireless networks. However, it is still possible to capture the "raw" 802.11b frames and decode them through the use of programs such as Ethereal and WildPackets' AiroPeek to determine this information. RF spectrum analyzers can also be used to discover the presence of wireless networks. Notwithstanding this weakness of closed systems, you should choose wireless APs that support this feature.

Sniffing

Originally conceived as a legitimate network and traffic analysis tool, sniffing remains one of the most effective techniques in attacking a wireless network, whether it's to map the network as part of a target reconnaissance, to grab passwords, or to capture unencrypted data.

Sniffing is the electronic form of eavesdropping on the communications that computers transmit across networks. In early networks, the equipment that connected machines allowed every machine on the network to see the traffic of all others. These devices, repeaters and hubs, were very successful at getting machines connected, but they allowed an attacker easy access to all traffic on the network because the attacker only needed to connect to one point to see the entire network's traffic.

Wireless networks function very similarly to the original repeaters and hubs. Every communication across the wireless network is viewable to anyone who happens to be listening to the network. In fact, the person who is listening does not even need to be associated with the network in order to sniff!

The hacker has many tools available to attack and monitor a wireless network. A few of these tools are AiroPeek (www.wildpackets.com/products/airopeek) in Windows; Ethereal in Windows, UNIX, or Linux; and TCPDump or ngrep (http://ngrep.sourceforg.net) in a UNIX or Linux environment. These tools work well for sniffing both wired and wireless networks.

All these software packages function by putting your network card in what is called promiscuous mode. When the NIC is in this mode, every packet that goes past the interface is captured and displayed within the application window. If the attacker is able to acquire a WEP key, he or she can then utilize features within AiroPeek and Ethereal to decrypt either live or post-capture data.

Active Attacks on Wireless Networks

Once an attacker has gained sufficient information from the passive attack, the hacker can then launch an active attack against the network. There is a potentially large number of active attacks that a hacker can launch against a wireless network. For the most part, these attacks are identical to the kinds of active attacks that are encountered on wired networks. These include, but are not limited to, unauthorized access, spoofing, denial of service (DoS), and flooding attacks, as well as the introduction of malware (malicious software) and the theft of devices.

With the rise in popularity of wireless networks, new variations of traditional attacks specific to wireless networks have emerged, along with specific terms to describe them, such as drive-by spamming, in which a spammer sends out tens or hundreds of thousands of spam messages using a compromised wireless network.

Due to the nature of wireless networks and the weaknesses of WEP, unauthorized access and spoofing are the most common threats to wireless networks. Spoofing occurs when an attacker is able to use an unauthorized station to impersonate an authorized station on a wireless network. A common way to protect a wireless network against unauthorized access is to use MAC filtering to allow only clients that possess valid MAC addresses access to the wireless network. The list of allowable MAC addresses can be configured on the AP, or it can be configured on a RADIUS server with which the AP communicates.

However, regardless of the technique used to implement MAC filtering, it is a relatively easy matter to change the MAC address of a wireless device through software, to impersonate a valid station. In Windows, this is accomplished with a simple edit of the Registry, in UNIX through a root shell command. MAC addresses are sent in the clear on wireless networks, so it is also a relatively easy matter to discover authorized addresses.

WEP can be implemented to provide more protection against authentication spoofing through the use of shared-key authentication. However, as we discussed earlier, shared-key authentication creates an additional vulnerability. Because shared-key authentication makes visible both a plaintext challenge and the resulting ciphertext version of it, it is possible to use this information to spoof authentication to a closed network.

Once the attacker has authenticated and associated with the wireless network, he or she can then run port scans, use special tools to dump user lists and passwords, impersonate users, connect to shares, and, in general, create havoc on the network through DoS and flooding attacks. These DoS attacks can be traditional in nature, such as a ping flood, SYN, fragment, or distributed DoS (DDoS) attacks, or they can be specific to wireless networks through the placement and use of rogue APs to prevent wireless traffic from being forwarded properly (similar to the practice of router spoofing on wired networks).

Spoofing and Unauthorized Access

The combination of weaknesses in WEP and the nature of wireless transmission has highlighted the art of spoofing, or interception, as a real threat to wireless network security. Some well-publicized weaknesses in user authentication using WEP have made authentication spoofing just one of a number of equally well-tested exploits available to attackers.

One definition of spoofing is an attacker's ability to trick the network equipment into thinking that the address from which a connection is coming is one of the valid and allowed machines from its network. Attackers can accomplish this trick in several ways, the easiest of which is to simply redefine the MAC address of the attacker's wireless or network card to a valid MAC address. This can be accomplished in Windows through a simple Registry edit. Several wireless providers also have an option to define the MAC address for each wireless connection from within the client manager application that is provided with the interface.

There are several reasons that an attacker would spoof. If the network allows only valid interfaces through MAC or IP address filtering, an attacker would need to determine a valid MAC or IP address to be able to communicate on the network. Once that is accomplished, the attacker could then reprogram his or her interface with that information, allowing the attacker to connect to the network by impersonating a valid machine.

IEEE 802.11 networks introduce a new form of spoofing: authentication spoofing. In the paper Intercepting Mobile Communications: The Insecurities of 802.11, the authors Borisov, Goldberg, and Wagner identified a way to utilize weaknesses within WEP and the authentication process to spoof authentication into a closed network. The process of authentication, as defined by IEEE 802.11, is very simple. In a shared-key configuration, the AP sends out a 128-byte random string in a cleartext message to the workstation that is attempting to authenticate. The workstation then encrypts the message with the shared key and returns the encrypted message to the AP. If the message matches what the AP is expecting, the workstation is authenticated onto the network and access is allowed.

As described in the paper, if an attacker has knowledge of both the original plaintext and the ciphertext messages, it is possible to create a forged encrypted message. By sniffing the wireless network, an attacker is able to accumulate many authentication requests, each of which includes the original plaintext message and the returned ciphertext-encrypted reply. From this information, the attacker can easily identify the key stream used to encrypt the response message. The attacker can then use the key stream to forge an authentication message that the AP will accept as a proper authentication.
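The following toy model, added here as an example and not taken from the book or the paper, shows why the shared-key exchange leaks the keystream: the response is simply the cleartext challenge XORed with the keystream for the station's IV, so one observed exchange is enough to answer any later challenge that reuses that IV. A hash-based counter-mode generator stands in for WEP's RC4 (any stream cipher behaves the same way); the key and frame layout are constructed, and this is why the text treats shared-key authentication as a vulnerability rather than a protection.

```python
# Added example (not from the book): a toy model of 802.11 shared-key
# authentication. A hash-based keystream stands in for WEP's RC4; no WEP
# or RC4 specifics are claimed, only the stream-cipher property that
# ciphertext XOR plaintext == keystream.
import hashlib
import os

CHALLENGE_LEN = 128  # 802.11 shared-key challenge text is 128 bytes


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in keystream derived from (iv || key); same IV => same stream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AccessPoint:
    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def challenge(self) -> bytes:
        # Frame 2 of the exchange: the challenge text is sent in the clear.
        return os.urandom(CHALLENGE_LEN)

    def verify(self, challenge: bytes, iv: bytes, response: bytes) -> bool:
        # The AP decrypts with the shared key and compares to its challenge.
        return xor(response, keystream(self._key, iv, CHALLENGE_LEN)) == challenge


class Station:
    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def respond(self, challenge: bytes):
        # Frame 3: the station picks the IV and encrypts the challenge.
        iv = os.urandom(3)  # WEP IVs are 24 bits
        return iv, xor(challenge, keystream(self._key, iv, CHALLENGE_LEN))


def recover_keystream(challenge: bytes, response: bytes) -> bytes:
    """Anyone who saw frames 2 and 3 gets keystream = plaintext XOR ciphertext."""
    return xor(challenge, response)


def simulate(shared_key: bytes = b"constructed-demo-key") -> dict:
    """One legitimate exchange, then a response built without the key."""
    ap, sta = AccessPoint(shared_key), Station(shared_key)

    c1 = ap.challenge()
    iv, r1 = sta.respond(c1)
    legit_ok = ap.verify(c1, iv, r1)

    # Observed from the air; the shared key is never needed for this step.
    ks = recover_keystream(c1, r1)
    c2 = ap.challenge()
    forged = xor(c2, ks)  # reuse the same IV so the AP derives the same stream
    forged_ok = ap.verify(c2, iv, forged)

    # With a different IV the AP derives a different stream, so the captured
    # keystream is useless there: the leak is bound to the IV that was observed.
    other_iv = bytes(b ^ 0xFF for b in iv)
    wrong_iv_ok = ap.verify(c2, other_iv, forged)

    return {"legit_ok": legit_ok, "forged_ok": forged_ok, "wrong_iv_ok": wrong_iv_ok}


if __name__ == "__main__":
    print(simulate())
```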

start sidebar
Notes from the Underground…
MAC Spoofing

For some time after it was introduced into production APs, administrators actually believed that MAC filtering was an effective solution on its own, without using WEP or any other solutions. Taking that train of thought one step further, many administrators actually believed it was more secure to use only MAC filtering for security on their wireless networks. As they found out shortly thereafter, nothing could be further from the truth. Let's look at two different scenarios in which MAC filtering is being used to get an idea of its rightful place in the wireless security arena.

The first scenario involves a small three-node wireless network that you have established in your house to allow your children's computers access to your cable modem connection as well as allowing you to work on your portable computer on the back deck—all without having to run CAT5 cable around the house to various locations. You have implemented MAC filtering but not WEP on your AP. Are you completely secure? Not at all. Are you secure enough? It depends on your interpretation of secure. Let's say now that you have implemented WEP as well on your small home network. Now are you secure? Yes. Why? It is unlikely that someone will park in your driveway or otherwise remain close enough to your house for a long enough period of time (several days in a small network, several hours in a large network) to capture enough traffic to crack your WEP key. In this case, you have put together a fairly effective protective mechanism to keep casual war drivers and most script kiddies—not to mention your next-door neighbor who just wants to ride on your cable modem's bandwidth for a while—off your wireless network.

Now consider the scenario in which you are building a large enterprise wireless network for a hospital. Not only do you need to provide wireless access in a large portion of the hospital building itself, you also need to provide wireless network access to a small outpatient building 500 yards away from the main hospital building itself. Would you rely on only MAC filtering to ensure security in this case? Probably not. Just the same, you will probably be looking for a more robust and secure authentication and authorization mechanism than WEP, such as LEAP with a RADIUS server using TKIP to protect the network transmissions themselves.

The moral of this discussion is, if you rely on simple protective measures to keep your wireless network secure, it will be just that much simpler for an attacker to break through your plan and gain access to your wired network. In short, use every possible means at your disposal to secure wireless networks without adding undue management traffic that causes the wireless network to be a nonviable solution. In addition, consider the use of wireless demilitarized zones (DMZs) and virtual LANs (VLANs) to further segregate wireless traffic from your protected and trusted network backbone.

end sidebar

The wireless hacker does not need many complex tools to succeed in spoofing a MAC address. In many cases, these changes either are features of the wireless manufacturers or can be easily changed through a Windows Registry modification or through Linux system utilities. Once a valid MAC address is identified, the attacker needs only to reconfigure his device to trick the AP into thinking he or she is a valid user.

The ability to forge authentication onto a wireless network is a complex process. No known "off the shelf" packages provide these services. Attackers need to either create their own tool or take the time to decrypt the secret key using AirSnort or WEPCrack.

If the attacker is using Windows 2000 and his network card supports reconfiguring the MAC address, there is another way to reconfigure this information. A card supporting this feature can be changed through the System Control Panel.

Once the attacker is utilizing a valid MAC address, he is able to access any resource available from the wireless network. If WEP is enabled, the attacker must either identify the WEP secret key or capture the key through malware or by stealing the user's notebook.

Denial of Service and Flooding Attacks

The nature of wireless transmission, especially via the use of spread-spectrum technology, makes a wireless network especially vulnerable to denial of service (DoS) attacks. The equipment needed to launch such an attack is freely available and very affordable. In fact, many homes and offices contain the equipment that is necessary to deny service to their wireless networks.

A denial of service occurs when an attacker has engaged most of the resources a host or network has available, rendering it unavailable to legitimate users. One of the original DoS attacks is known as a ping flood. A ping flood utilizes misconfigured equipment along with bad "features" within TCP/IP to cause a large number of hosts or devices to send an ICMP echo (ping) to a specified target. When the attack occurs, it tends to use a large portion of the resources of both the network connection and the host being attacked. This makes it very difficult for valid end users to access the host for normal business purposes.

In a wireless network, several items can cause a similar disruption of service. Probably the easiest method is through a conflict within the wireless spectrum, caused by different devices attempting to use the same frequency. Many new wireless telephones use the same frequency as 802.11 networks. Through either intentional or unintentional uses of another device that uses the 2.4 GHz frequency, a simple telephone call could prevent all wireless users from accessing the network.

Another possible attack occurs through a massive number of invalid (or valid) authentication requests, known as flooding. If the AP is tied up with thousands of spoofed authentication attempts, authorized users attempting to authenticate themselves would have major difficulties acquiring a valid session.
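One way an administrator can spot the authentication flood described above is to count Authentication requests per AP per second in a sniffer capture and watch for a burst from many source MACs. The script below is an added example, not from the book; the line format, MAC addresses and threshold are constructed for the example.

```python
# Added example (not from the book): detect authentication flooding against
# an AP from a text capture of 802.11 management frames. The log format,
# addresses and threshold below are constructed for this example.
import re
from collections import Counter, defaultdict

LINE = re.compile(
    r"^(?P<t>\d+\.\d+)\s+(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*->\s*"
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<subtype>\w+)$"
)


def parse(lines):
    """Yield (time, src_mac, dst_mac, subtype); lines that do not match are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield float(m["t"]), m["src"], m["dst"], m["subtype"]


def detect_auth_flood(lines, max_per_second=10):
    """Return one alert per (ap, second) whose Authentication request count exceeds
    max_per_second. Each alert also reports the number of distinct source MACs:
    a spoofed flood shows up as many never-seen stations inside one burst."""
    counts = Counter()
    sources = defaultdict(set)
    for t, src, dst, subtype in parse(lines):
        if subtype != "Authentication":
            continue
        key = (dst, int(t))  # bucket by destination AP and whole second
        counts[key] += 1
        sources[key].add(src)
    return [
        {"ap": ap, "second": sec, "requests": n, "distinct_sources": len(sources[(ap, sec)])}
        for (ap, sec), n in sorted(counts.items())
        if n > max_per_second
    ]


# Constructed capture: a normal trickle of authentications, then a burst of
# 40 requests from 40 different (made-up) source MACs within 40 ms.
AP = "00:02:2d:aa:bb:cc"
SAMPLE = [
    "10.010 00:60:1d:11:22:33 -> 00:02:2d:aa:bb:cc Authentication",
    "10.050 00:02:2d:aa:bb:cc -> 00:60:1d:11:22:33 Authentication",  # AP's reply
    "11.200 00:60:1d:44:55:66 -> 00:02:2d:aa:bb:cc Authentication",
    "12.000 00:60:1d:44:55:66 -> 00:02:2d:aa:bb:cc AssocRequest",
]
SAMPLE += [
    f"15.{i:03d} 00:de:ad:{i:02x}:{i:02x}:{i:02x} -> {AP} Authentication"
    for i in range(40)
]

if __name__ == "__main__":
    for alert in detect_auth_flood(SAMPLE):
        print(alert)
```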

As demonstrated earlier, the attacker has many tools available to hijack network connections. If a hacker is able to spoof the machines of a wireless network into thinking that the attacker's machine is their default gateway, not only will the attacker be able to intercept all traffic destined for the wired network, but she would also be able to prevent any of the wireless network machines from accessing the wired network. To do this, the hacker needs only to spoof the AP and not forward connections to the end destination, preventing all wireless users from doing valid wireless activities.

Not much effort is needed to create a wireless DoS. In fact, many users create these situations with the equipment found within their homes or offices. In a small apartment building, you could find several APs as well as many wireless telephones, all of which transmit on the same frequency. These users could easily inadvertently create DoS attacks on their own networks as well as those of their neighbors.

A hacker who wants to launch a DoS attack against a network with a flood of authentication strings doesn't even need to be a well-skilled programmer in most cases. Many tools are available to create this type of attack, so even the most unskilled of Black Hats, the script kiddie, can launch this type of attack with little or no knowledge of how it works or why.

Many apartments and older office buildings are not wired for the high-tech networks in use today. To add to the problem, if many individuals are setting up their own wireless networks without coordinating the installations, many problems can occur that will be difficult to detect.

Only a limited number of frequencies are available to 802.11 networks. In fact, once the frequency is chosen, it does not change until it's manually reconfigured. Considering these problems, it is not hard to imagine the following situation occurring.

Say that a person purchases a wireless AP and several network cards for his home network. When he gets home to his apartment and configures his network, he is extremely happy with how well wireless networking actually works. Then suddenly none of the machines on the wireless network are able to communicate. After waiting on hold for 45 minutes to get through to the tech support phone line of the vendor who made the device, he finds that the network has magically started working again, so he hangs up.

Later that week, the same problem occurs, except that this time he decides to wait on hold when he calls tech support. While waiting, he goes onto his porch and begins discussing his frustration with his neighbor. During the conversation, his neighbor's kids come out and say that their wireless network is not working.

So they begin to do a few tests (while still waiting on hold, of course). First, the man's neighbor turns off his AP (which is usually off unless the kids are online, to "protect" their network). When this is done, the original person's wireless network starts working again. Then they turn on the neighbor's AP and his network stops working again.

At this point, a tech support rep finally answers and the caller describes what has happened. The tech support representative has seen this situation several times and informs the user that he will need to change the frequency used in the device to another channel. He explains that the neighbor's network is utilizing the same channel, causing the two networks to conflict. Once the caller changes the frequency, everything starts working properly.

Man-in-the-Middle Attacks on Wireless Networks

Placing a rogue access point within range of wireless stations is a wireless-specific variation of a man-in-the-middle attack. If the attacker knows the SSID the network uses (which, as we have seen, is easily discoverable) and the rogue AP has enough strength, wireless users have no way of knowing that they are connecting to an unauthorized AP.

Using a rogue AP, an attacker can gain valuable information about the wireless network, such as authentication requests, the secret key that is in use, and so on. Often, the attacker will set up a laptop with two wireless adapters, in which one card is used by the rogue AP and the other is used to forward requests through a wireless bridge to the legitimate AP. With a sufficiently strong antenna, the rogue AP does not have to be located in close proximity to the legitimate AP.

For example, the attacker can run the rogue AP from a car or van parked some distance away from the building. However, it is also common to set up hidden rogue APs (under desks, in closets, and so on) close to and within the same physical area as the legitimate AP. Because of their virtually undetectable nature, the only defense against rogue APs is vigilance through frequent site surveys (using tools such as AirMagnet, NetStumbler, and AiroPeek) and physical security.

Frequent site surveys also have the advantage of uncovering the unauthorized APs that company staff members might have set up in their own work areas, thereby compromising the entire network and completely undoing the hard work that went into securing the network in the first place. These unauthorized APs are usually set up with no malicious intent but rather for the convenience of the user, who might want to be able to connect to the network via his or her laptop in meeting rooms or break rooms or other areas that don't have wired outlets. Even if your company does not use or plan to use a wireless network, you should consider doing regular wireless site surveys to see if someone has violated your company security policy by placing an unauthorized AP on the network, regardless of that person's intent.
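One way to turn a site survey into an actionable check is to compare what the survey sees against an inventory of sanctioned APs. The following is an added example, not code from the study guide or from any of the survey tools it names; the inventory, the BSSIDs, the SSID "CorpNet" and the comma-separated survey format are all constructed for illustration, standing in for whatever your survey tool exports.

```python
# Added example (not from the study guide): audit a wireless site-survey listing
# against an inventory of authorized APs and flag rogue candidates.
from dataclasses import dataclass

# Constructed inventory of sanctioned APs: BSSID -> (SSID, channel).
# All BSSIDs and SSIDs here are made-up sample values.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("CorpNet", 1),
    "00:11:22:33:44:02": ("CorpNet", 6),
    "00:11:22:33:44:03": ("CorpNet", 11),
}

# Constructed survey export in a simple "bssid,ssid,channel,signal_dbm" form.
SURVEY_CSV = """\
00:11:22:33:44:01,CorpNet,1,-48
00:11:22:33:44:02,CorpNet,6,-55
aa:bb:cc:dd:ee:01,CorpNet,6,-39
aa:bb:cc:dd:ee:02,linksys,11,-70
00:11:22:33:44:03,CorpNet,6,-62
"""


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int
    reason: str


def parse_survey(text):
    """Parse the constructed survey format into (bssid, ssid, channel, signal) rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, signal = line.split(",")
        rows.append((bssid.lower(), ssid, int(channel), int(signal)))
    return rows


def audit_survey(rows, authorized=AUTHORIZED_APS):
    """Return findings: unknown BSSIDs, unknown BSSIDs advertising a corporate
    SSID (the rogue-AP case from the text), and sanctioned APs whose
    configuration no longer matches the inventory."""
    corp_ssids = {ssid for ssid, _ in authorized.values()}
    findings = []
    for bssid, ssid, channel, signal in rows:
        known = authorized.get(bssid)
        if known is None:
            if ssid in corp_ssids:
                reason = "unauthorized BSSID impersonating a corporate SSID (rogue AP)"
            else:
                reason = "unknown AP: verify it is not attached to the wired network"
            findings.append(Finding(bssid, ssid, channel, signal, reason))
        elif known != (ssid, channel):
            findings.append(Finding(bssid, ssid, channel, signal,
                                    f"sanctioned AP drifted from inventory {known}"))
    # Strongest signal first: a rogue that overpowers sanctioned APs is the urgent case.
    findings.sort(key=lambda f: f.signal_dbm, reverse=True)
    return findings
```

Run it on the constructed survey and the strongest finding is the unknown BSSID advertising the corporate SSID, which is exactly the case the text warns cannot be distinguished by the clients themselves. Sorting by signal strength puts that case at the top of the list to investigate first.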

Network Hijacking and Modification

Numerous techniques are available for an attacker to "hijack" a wireless network or session. Unlike some attacks, network and security administrators might be unable to tell the difference between the hijacker and a legitimate "passenger."

Many tools are available to the network hijacker. These tools are based on basic implementation issues within almost every network device available today. As TCP/IP packets go through switches, routers, and APs, each device looks at the destination IP address and compares it with the IP addresses it knows to be local. If the address is not in the table, the device hands the packet off to its default gateway.

This table is used to coordinate the IP address with the MAC addresses that are known to be local to the device. In many situations, this list is a dynamic one that is built up from traffic that is passing through the device and through Address Resolution Protocol (ARP) notifications from new devices joining the network. There is no authentication or verification that the request the device received is valid. Thus a malicious user is able to send messages to routing devices and APs stating that his MAC address is associated with a known IP address. From then on, all traffic that goes through that router destined for the hijacked IP address will be handed off to the hacker's machine.

If the attacker spoofs as the default gateway or a specific host on the network, all machines trying to get to the network or the spoofed machine will connect to the attacker's machine instead of the gateway or host to which they intended to connect. If the attacker is clever, he will only use this information to identify passwords and other necessary information and route the rest of the traffic to the intended recipients. If he does this, the end users will have no idea that this "man in the middle" has intercepted their communications and compromised their passwords and information.
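Because nothing in ARP authenticates a reply, the defender's handle on this hijack is the observable side effect: an IP address whose MAC binding suddenly changes, or flaps back and forth as the real host and the spoofing host both answer. The following is an added example, not code from the study guide; the ARP replies, the 192.0.2.0/24 addresses and the MAC addresses are constructed sample values.

```python
# Added example (not from the study guide): watch observed ARP replies and alert
# when an IP address that was bound to one MAC is claimed by another, which is the
# signature of the gateway/host hijack described above. Replies are constructed.

# Constructed stream of observed ARP replies: (timestamp, sender_ip, sender_mac).
# In this made-up network 192.0.2.1 is the default gateway; from t=7.3 a second
# MAC starts claiming it, and the two then alternate (flapping).
ARP_REPLIES = [
    (0.0, "192.0.2.1", "00:11:22:33:44:55"),
    (1.5, "192.0.2.20", "00:11:22:33:44:66"),
    (2.0, "192.0.2.1", "00:11:22:33:44:55"),
    (7.3, "192.0.2.1", "de:ad:be:ef:00:01"),
    (7.8, "192.0.2.1", "00:11:22:33:44:55"),
    (8.1, "192.0.2.1", "de:ad:be:ef:00:01"),
]


class ArpWatcher:
    """Tracks IP-to-MAC bindings seen in ARP replies.

    `pinned` models a static ARP entry for critical hosts such as the default
    gateway: a reply that contradicts a pinned entry is rejected and alerted on,
    and never overwrites the table."""

    def __init__(self, pinned=None):
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.table = {}
        self.alerts = []

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        expected = self.pinned.get(ip)
        if expected and mac != expected:
            self.alerts.append((ts, ip, expected, mac, "claim conflicts with pinned entry"))
            return
        previous = self.table.get(ip)
        if previous and previous != mac:
            self.alerts.append((ts, ip, previous, mac, "IP-to-MAC binding changed"))
        self.table[ip] = mac


def run(replies, pinned=None):
    """Replay a list of ARP replies and return the alerts raised."""
    watcher = ArpWatcher(pinned)
    for ts, ip, mac in replies:
        watcher.observe(ts, ip, mac)
    return watcher.alerts


def flapping_ips(alerts, min_changes=2):
    """IPs whose binding changed repeatedly: the real host and the spoofer are both
    answering, which is a stronger indicator than a single change (e.g. a NIC swap)."""
    counts = {}
    for _, ip, _, _, _ in alerts:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= min_changes)
```

Without a pinned entry the watcher reports three binding changes for the gateway address, and `flapping_ips` singles it out; with the gateway pinned, the two spoofed claims are rejected outright instead of being learned. Pinning is the host-side mitigation the ARP design itself lacks, and the alert trail is what you would feed to whoever is doing the site survey.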

Another clever attack can be accomplished through the use of rogue APs. If the attacker is able to put together an AP with enough strength, the end users might not be able to tell which AP is the authorized one that they should be using. In fact, most will not even know that another AP is available. Using this technique, the attacker is able to receive authentication requests and information from the end workstation regarding the secret key and where users are attempting to connect.

These rogue APs can also be used to attempt to break into more tightly configured wireless APs. Utilizing tools such as AirSnort and WEPCrack requires a large amount of data to be able to decrypt the secret key. A hacker sitting in a car in front of your house or office is noticeable and thus will generally not have time to finish acquiring enough information to break the key. However, if the attacker installs a tiny, easily hidden machine in an inconspicuous location, this machine could sit there long enough to break the key and possibly act as an external AP into the wireless network it has hacked.

Attackers who want to spoof more than their MAC addresses have several tools available. Most of the tools available are for use in a UNIX environment and can be found through a simple search for ARP spoof at http://packetstormsecurity.com. With these tools, the hacker can easily trick all machines on the wireless network into thinking that the hacker's machine is another machine. Through simple sniffing on the network, an attacker can determine which machines are in high use by the workstations on the network. If the attacker then spoofs the address of one of these machines, the attacker might be able to intercept much of the legitimate traffic on the network.

AirSnort and WEPCrack are freely available. It would take additional resources to build a rogue AP, but these tools will run from any Linux machine.

Once an attacker has identified a network for attack and spoofed his MAC address to become a valid member of the network, the attacker can gain further information that is not available through simple sniffing. If the network being attacked is using SSH to access the hosts, just stealing a password might be easier than attempting to break into the host using an available exploit.

By simply ARP spoofing the connection with the AP to be that of the host from which the attacker wants to steal the passwords, the attacker can cause all wireless users who are attempting to SSH into the host to connect to the rogue machine instead. When these users attempt to sign on with their passwords, the attacker is then able to, first, receive their passwords and second, pass on the connection to the real end destination. If the attacker does not perform the second step, it increases the likelihood that the attack will be noticed because users will begin to complain that they are unable to connect to the host.

Jamming Attacks

The last type of attack is the jamming attack. This is a fairly simple attack to pull off and can be done using readily available, off-the-shelf RF testing tools (although they were not necessarily designed to perform this function). Whereas hackers who want to get information from your network would use other passive and active types of attacks to accomplish their goals, attackers who just want to disrupt your network communications or even shut down a wireless network can jam you without ever being seen. Jamming a wireless LAN is similar in many ways to targeting a network with a DoS attack. The difference is that in the case of the wireless network, the attack can be carried out by one person with an overpowering RF signal. This attack can be carried out using any number of products, but the easiest is with a high-power RF signal generator, readily available from various vendors.

The jamming attack is sometimes the most difficult type of attack to defend against, since the attacker does not need to gain access to your network. The attacker can sit in your parking lot or even further away, depending on the power output of her jamming device. You might be able to readily determine the fact that you are being jammed, but you could find yourself hard pressed to solve the problem. Indications of a jamming attack include clients' sudden inability to connect to APs where there was not a problem previously.

The problem will be evident across all or most of your clients (the ones within the range of the RF jamming device) even though your APs are operating properly. Jamming attacks are sometimes used as the prelude to further attacks. One possible example includes jamming the wireless network, thereby forcing clients to lose their connections with authorized APs. During this time, one or more rogue APs can be made available operating at a higher power than the authorized APs. When the jamming attack is stopped, the clients will tend to associate back to the AP that is presenting the strongest signal. Now the attacker "owns" all the network clients attached to his rogue APs. The attack continues from there.

RF jamming is not always intentional; it can be the result of other, nonhostile sources such as a nearby communications tower or another wireless LAN that is operating in the same frequency range. Baby monitors, cordless telephones, microwave ovens, and many other consumer products can also be sources of interference.
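The distinguishing indicator above (most clients drop at once across several APs while the APs themselves keep reporting healthy) can be checked mechanically against AP logs. The following is an added example, not code from the study guide or from any particular AP vendor; the log lines, their "time ap event argument" format, the AP names and the client MACs are all constructed for illustration.

```python
# Added example (not from the study guide): correlate a burst of client
# disassociations with AP health to separate an RF-layer outage (jamming or
# nonhostile interference) from a failing AP. Log format and lines are constructed.
import re

# Constructed AP log: two healthy APs, four clients, and a burst in which every
# client drops within a few seconds while both APs still report "health ok".
LOG = """\
12:00:01 ap1 health ok
12:00:01 ap2 health ok
12:00:05 ap1 assoc 00:aa:00:00:00:01
12:00:05 ap1 assoc 00:aa:00:00:00:02
12:00:06 ap2 assoc 00:aa:00:00:00:03
12:00:06 ap2 assoc 00:aa:00:00:00:04
12:03:10 ap1 disassoc 00:aa:00:00:00:01
12:03:11 ap1 disassoc 00:aa:00:00:00:02
12:03:11 ap2 disassoc 00:aa:00:00:00:03
12:03:12 ap2 disassoc 00:aa:00:00:00:04
12:03:15 ap1 health ok
12:03:15 ap2 health ok
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+) (health|assoc|disassoc) (\S+)$")


def parse(log):
    """Turn the constructed log into (seconds, ap, kind, argument) events."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            h, mi, s, ap, kind, arg = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + int(s), ap, kind, arg))
    return events


def assess(events, window=60, min_fraction=0.8, min_aps=2):
    """Return (verdict, details). Verdict is "rf_layer_outage" when most clients
    drop inside one window across several APs that still report healthy,
    "ap_failure" when the same burst coincides with unhealthy APs, else "normal"."""
    associated, drops, last_health, peak = set(), [], {}, 0
    for t, ap, kind, arg in events:
        if kind == "health":
            last_health[ap] = arg
        elif kind == "assoc":
            associated.add(arg)
            peak = max(peak, len(associated))
        elif kind == "disassoc":
            associated.discard(arg)
            drops.append((t, ap, arg))
    if not drops or peak == 0:
        return "normal", {}
    # Find the densest burst of disassociations within one window.
    best = max((
        [d for d in drops if t0 <= d[0] <= t0 + window] for t0, _, _ in drops
    ), key=len)
    dropped = {client for _, _, client in best}
    aps = {ap for _, ap, _ in best}
    fraction = len(dropped) / peak
    aps_healthy = all(last_health.get(ap) == "ok" for ap in aps)
    details = {"fraction": fraction, "aps": sorted(aps), "aps_healthy": aps_healthy}
    if fraction >= min_fraction and len(aps) >= min_aps:
        return ("rf_layer_outage" if aps_healthy else "ap_failure"), details
    return "normal", details
```

On the constructed log the verdict is an RF-layer outage: all four clients dropped within seconds on both APs, and both APs kept reporting healthy afterwards. The same burst with failing health checks would instead point at the APs, and a drop confined to a single AP falls below the multi-AP threshold, which is the point of the check: jamming (or a microwave oven) hits clients across a coverage area, not one AP's configuration.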

You can take some comfort in knowing that although a jamming attack is easy and inexpensive to pull off, it is not the preferred means of attack. The only real victory with a jamming attack for most hackers is temporarily taking your wireless network offline.

Exam 70-124: Objective 3.3: Wireless LAN Security: It's Not Perfect

Wireless technologies are inherently more vulnerable to attack due to the nature of the network transmissions. Wireless network transmissions are not physically constrained within the confines of a building or its surroundings, thus an attacker has ready access to the information in the wireless networks. As wireless network technologies have emerged, they have become the focus of analysis by security researchers and hackers, who have realized that wireless networks can be insecure and often can be exploited as a gateway into the relatively secure wired networks beyond them.

WEP Vulnerabilities

Like any standard or protocol, WEP has some inherent disadvantages. The focus of security is to allow a balance of access and control while juggling the advantages and disadvantages of each implemented countermeasure for security gaps. Some of WEP's disadvantages include:

  • The RC4 encryption algorithm is a well-known stream cipher. This means that it takes a finite key and expands it into an effectively unbounded pseudo-random key stream from which the encryption is generated.

  • Altering the secret must be done across the board. All APs and all clients must be changed at the same time.

  • Used on its own, WEP does not provide adequate WLAN security.

  • To be effective, WEP has to be implemented on every client as well as on every AP.

WEP is part of the 802.11 standard defined for wireless networks in 1999. WEP differs from many other kinds of encryption employed to secure network communication in that it is implemented at the MAC sublayer of the data link layer (Layer 2) of the OSI model. Security can be implemented at many layers of the model. IPSec, for example, is implemented at the network layer (Layer 3) of the OSI model; PPTP creates a secure end-to-end tunnel using the network layer (GRE) and transport layer protocols to encapsulate and transport data; HTTPS and SSH are application layer (Layer 7) protocols for encrypting data. Due to the complexity of the 802.11 MAC and the amount of processing power it requires, the 802.11 standard made 40-bit WEP an optional implementation.

Vulnerability to Plaintext Attacks

Right from the outset, knowledgeable people warned that because of the way WEP was implemented, it was vulnerable. In October 2000, Jesse Walker, a member of the 802.11 working group, published his now famous paper, Unsafe at Any Key Size: An Analysis of WEP Encapsulation. The paper points out a number of serious shortcomings of WEP and recommended that WEP be redesigned.

For example, WEP is vulnerable to plaintext attacks because it is implemented at the data link layer, meaning that it encrypts IP datagrams. Each encrypted frame on a wireless network, therefore, contains a high proportion of well-known TCP/IP information, which can be revealed fairly accurately through traffic analysis, even if the traffic is encrypted. If someone is able to compare the ciphertext (the WEP-encrypted data) with the plaintext equivalent (the raw TCP/IP data), he or she has a powerful clue for cracking the encryption used on the network. To uncover the keystream used to encrypt the data, all the hacker has to do is plug the two values, the plaintext and the ciphertext, into the RC4 algorithm WEP uses. There are a number of ways to speed up the process of acquiring both the plaintext and ciphertext versions: by sending spam into the network, by injecting traffic into the network, using social engineering to get a wireless user to send the hacker e-mail, and so on.

Vulnerability of RC4 Algorithm

As alluded to in the previous section, another vulnerability of WEP is that it uses a stream cipher called RC4, developed by RSA, to encrypt the data. In 1994, an anonymous user posted the RC4 algorithm to a cypherpunk mailing list; the algorithm was subsequently reposted to a number of Usenet newsgroups the next day with the title "RC4 Algorithm Revealed."

Until August 2001, it was thought that the underlying algorithm RC4 uses was well designed and robust, so even though the algorithm was no longer a trade secret, it was still thought to be an acceptable cipher to use. However, Scott Fluhrer, Itsik Mantin, and Adi Shamir published a paper, Weaknesses in the Key Scheduling Algorithm of RC4, that demonstrated that a number of keys used in RC4 were weak and vulnerable to compromise. The paper described a theoretical attack that could take advantage of these weak keys. Because the algorithm for RC4 is no longer a secret and because a number of weak keys were used in RC4, it is possible to construct software that is designed to break RC4 encryption relatively quickly using the weak keys in RC4. Not surprisingly, a number of open-source tools have appeared that do precisely that. Two such popular tools for cracking WEP are AirSnort and WEPCrack.

Some vendors, such as Agere (which produces the ORiNOCO product line), responded to the weakness in key scheduling by making a modification to the key scheduling in their products to avoid the use of weak keys, making them resistant to attacks based on weak key scheduling. This feature is known as WEPplus. However, not all vendors have responded similarly.

Stream Cipher Vulnerability

WEP uses an RC4 stream cipher. A stream cipher differs from a block cipher such as DES or AES, which performs mathematical functions on blocks of data, in that the data or the message is treated as a stream of bits. To encrypt the data, the stream cipher performs an XOR of the plaintext data against a key stream to create the ciphertext stream. (An XOR is a mathematical function used with binary numbers. If the bits are the same, the result of the XOR is 0; if the bits are different, the result of the XOR is 1.)

If the key stream were always the same, it would be a relatively trivial matter to crack the encryption if the attacker had both the plaintext and the ciphertext versions of the message (a known plaintext attack). In order to create key streams that are statistically random, a key and a PRNG are used to create the key stream that is XORed against the plaintext message to generate the ciphertext.

A central problem with WEP is the potential for reuse of the IV. A well-known vulnerability of stream ciphers is the reuse of an IV and key to encrypt two different messages. When this occurs, the two ciphertext messages can be XORed with each other to cancel out the keystream, resulting in the XOR of the two original plaintexts. If the attacker knows the contents of one of these plaintext messages, he or she can then easily obtain the plaintext of the other message.

Although there are 2^24 (16,777,216) possible combinations for the IV, this is in fact a relatively small number. On a busy wireless network, the entire range of possible combinations for the IV can be exhausted in a number of hours. (Remember, each frame or packet uses a different IV.) Once an attacker has collected enough frames that use duplicate IVs, he or she can use this information to derive the shared-secret key. In the absence of other solutions (which are usually proprietary) for automatic key management and out-of-band or encrypted dynamic key distribution, the shared-secret WEP keys have to be manually configured on the APs and wireless client workstations. In addition, because of the administrative burden of changing the shared-secret key, administrators often do not change the shared-secret key frequently enough.

To make matters worse, a hacker does not even need to wait until the 24-bit IV key space is exhausted to find duplicate IVs. (Remember, these are transmitted in the frame of the message.) In fact, it is almost certain that the attacker will encounter a duplicate IV in far fewer frames or discover a number of weak keys. The reason is that upon reinitialization, wireless PC cards will reset the IV to 0.

When the wireless client begins transmitting encrypted frames, it increments the IV by 1 for each subsequent frame. On a busy network, there are likely to be many instances of wireless PC cards being reinitialized, thereby making the reuse of the low-order IVs a common occurrence. Even if the IVs were randomized rather than being used in sequence, this would not be an adequate solution due to the birthday paradox. The birthday paradox predicts the counterintuitive fact that within a group as small as 23 people, there is a 50-percent chance that two people will share the same birthday.

It doesn't really matter whether the wireless network is using 64- or 128-bit encryption (in reality, these constitute 40- and 104-bit encryption, once the 24 bits for the IV are subtracted). Both use a 24-bit IV. Given the amount of traffic on a wireless network and the probability of IV collisions within a relatively short period of time, a 24-bit IV is far too short to provide any kind of meaningful protection against a determined attacker.
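The three points made in this section (the per-frame RC4 key is the 24-bit IV prepended to the 40- or 104-bit shared key, two frames under the same IV cancel out to the XOR of their plaintexts, and the birthday paradox makes a repeated IV likely long before the 2^24 space is exhausted) can all be carried through in a few dozen lines. The following is an added example written for this page, not code from the study guide or from AirSnort or WEPCrack; the RC4 routine is the textbook algorithm, and the shared keys, IVs and messages are constructed sample values. It omits WEP's CRC-32 integrity check value, which does not affect the points shown.

```python
# Added example (not from the study guide): textbook RC4 used to show how WEP
# forms its per-frame key, why IV reuse leaks plaintext, and how soon random
# 24-bit IVs are expected to repeat. All keys, IVs and messages are constructed.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling algorithm (KSA) followed by the PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                      # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_rc4_key(iv: bytes, shared_hex: str) -> bytes:
    """WEP prepends the 24-bit IV to the 40-bit (10 hex digits) or 104-bit
    (26 hex digits) shared secret, giving the 64- or 128-bit RC4 key."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits (3 bytes)")
    if len(shared_hex) not in (10, 26):
        raise ValueError("shared key must be 10 or 26 hex digits")
    return iv + bytes.fromhex(shared_hex)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, shared_hex: str, plaintext: bytes) -> bytes:
    """Frame body = plaintext XOR RC4(IV || key). The IV itself is sent in the
    clear in the frame header. (The real frame also carries a CRC-32 ICV.)"""
    return xor(plaintext, rc4_keystream(wep_rc4_key(iv, shared_hex), len(plaintext)))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """For two frames under the same IV and key, c1 XOR c2 == p1 XOR p2:
    the identical keystream cancels, so knowing one plaintext gives the other."""
    return xor(c1, c2)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least two of `frames` uniformly
    random IVs coincide in a space of 2**iv_bits values."""
    n = 2 ** iv_bits
    p_distinct = 1.0
    for k in range(frames):
        p_distinct *= (n - k) / n
    return 1.0 - p_distinct


def frames_for_collision(prob: float = 0.5, iv_bits: int = 24) -> int:
    """Smallest number of random IVs for which a repeat is at least `prob` likely
    (computed incrementally so it runs in linear time)."""
    n = 2 ** iv_bits
    p_distinct, k = 1.0, 0
    while 1.0 - p_distinct < prob:
        p_distinct *= (n - k) / n
        k += 1
    return k
```

Encrypting two equal-length messages under the same IV and key and XORing the two ciphertexts yields exactly the XOR of the plaintexts, with no key material involved; that is the stream-cipher vulnerability in one line. `frames_for_collision()` reports that a little over 4,800 randomly chosen IVs already give even odds of a repeat, which is why the text says randomizing the IV would not have rescued a 24-bit field: the sequential reset-to-zero behaviour is worse, but the field is too short either way.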

Head of the Class…
More Information on WEP

Readers can consult many excellent resources freely available on the Internet to learn more about WEP and its weaknesses. Readers might want to start with Jesse Walker's famous white paper, entitled Unsafe at Any Key Size: An Analysis of WEP Encapsulation, which started the initial uproar about WEP's weaknesses. This paper can be found at http://grouper.ieee.org/groups/802/11/Documents/DocumentHolder/0-362.zip.

Another excellent source of information is Intercepting Mobile Communications: The Insecurity of 802.11, by Nikita Borisov, Ian Goldberg, and David Wagner. This paper can be found at www.cs.berkeley.edu/~daw/papers/wep-mob01.pdf. Your 802.11 Wireless Network Has No Clothes, by William A. Arbaugh, Narendar Shankar, and Y.C. Justin Wan, covers similar ground as the previous two papers but also introduces important information on the problems with access control and authentication mechanisms associated with wireless networks. This paper can be found at www.cs.umd.edu/~waa/wireless.pdf.


Exam 70-124: Objective 3.3: Should You Use WEP?

The existence of these vulnerabilities does not mean that you should not use WEP. One of the most serious problems with wireless security is not that WEP is insecure but that a high percentage of wireless networks discovered by war drivers are not using WEP at all. In fact, at a minimum, all wireless networks should be configured to use WEP. It is available for free with wireless devices. At the very least, WEP prevents casual war drivers from compromising your network and slows the knowledgeable and determined attackers. In the following section, we look at how to configure Windows wireless clients for WLAN security.

Exam Warning 

The level of knowledge about WEP presented in this chapter is crucial to functioning in a wireless environment and should be something you know well if you plan to work in such an environment. However, for the exam, focus on WEP's basic definition and its basic weaknesses.

Security of 64-Bit Versus 128-Bit Keys

It might seem to a nontechnical person that something protected with a 128-bit encryption scheme would be twice as secure as something protected with a 64-bit encryption scheme. This, however, is not the case with WEP. Since the same IV vulnerability exists with both encryption levels, they can be compromised within similar time limits.

With 64-bit WEP, the network administrator specifies a 40-bit key—typically 10 hexadecimal digits (0–9, a–f, or A–F). A 24-bit IV is prepended to this 40-bit key, and the RC4 key schedule is built from these 64 bits of data. This same process is followed in the 128-bit scheme. The administrator specifies a 104-bit key—this time 26 hexadecimal digits (0–9, a–f, or A–F). The 24-bit IV is added to the beginning of the key, and the RC4 key schedule is built.

Because the vulnerability stems from capturing predictably weak IVs, the size of the original key does not make a significant difference in the security of the encryption. This is due to the relatively small number of total IVs possible under the current WEP specification. Currently, there is a total of 2^24 (16,777,216) possible IV values. Because every frame or packet uses an IV, this number can be exhausted within hours on a busy network. If the WEP key was not changed within a strictly defined period of time, all possible IV combinations could be intercepted off an 802.11b connection, captured, and made available for cracking within a short period of time. This is a flaw in WEP's design and bears no correlation to whether the wireless client is using 64-bit WEP or 128-bit WEP.

Exam 70-124: Objective 3.3: IEEE 802.1x Vulnerabilities

The IEEE 802.1x standard is still relatively new in relation to the IEEE 802.11 standard, and the security research community is only recently beginning to seriously evaluate the security of this standard. One of the first groups to investigate the security of the 802.1x standard was the Maryland Information Systems Security Lab (MISSL) at the University of Maryland at College Park. This group, led by Dr. William Arbaugh, was the first to release a paper (www.missl.cs.umd.edu/Projects/wireless/ix.pdf) documenting flaws in the IEEE 802.1x standard. In this paper, the group noted that 802.1x is susceptible to several attacks, due to the following vulnerabilities:

  • The lack of the requirement of strong mutual authentication. EAP-TLS does provide strong mutual authentication, but it is not required and can be overridden.

  • The vulnerability of the EAP success message to a man-in-the-middle attack.

  • The lack of integrity protection for 802.1x management frames.

These flaws provide avenues of attack against wireless networks. Although the networks are not as vulnerable as they would be without EAP and 802.1x, the "silver-bullet" fix designers had hoped for was not provided in the form of 802.1x.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162
