Wireless Security: Attacks and Defenses

By | May 15, 2006

The method of attack is simple in application, provided you have the right kind of software. Fortunately for a hacker (unfortunate for a director in charge of security), there are several applications available as freeware that perform the tasks necessary to execute a proper MITM attack.

The first task associated with an MITM attack comes into play after the initial tasks for hacking a wireless network have been performed. That is to say, we are assuming that a target network has been located, and that the attacker is within acceptable range of a target access point. Once these tasks have been performed the MITM process can begin.

After having captured information about the target access point, a “soft AP” can be set up by placing a WLAN card on the attacker´s machine into host mode with the same, or similar, properties as the legitimate access point. This soft AP can then attract clients who think they are connecting to a familiar network. At such a time, the attacker can use another WLAN card to forward the traffic to the real access point, all the while capturing any information that moves across its path.

In some access controlled networks, all hosts on a network store a list of acceptable MAC addresses for their respective network. Using the ARP method, those systems can validate IP addresses that request access to their network by resolving them against a known table of valid IP/MAC addresses. MITM can thwart this defense by piggybacking on another attack method called ARP Spoofing. Many systems easily accept ARP commands and freely allow their MAC lists to be updated.

Using software like ARPoison, an attacker can add their own MAC address to the list or trick the system into sending that table to the hijacker´s system. ARPoison uses the ARP Spoofing to trick the network into sending all of their ARP requests to the hijacker´s system instead of a valid host. Once the request comes in, the hijacker can reroute the information to a valid host, but only after they have had extensive access to the transaction.

Once the attacker has established themselves as valid members of the network they can: Execute a denial of service(DoS) by sending all host requests to invalid host addresses, thus causing bounce backs; Monitor all transactions between the hosts (hence “Man-In-The-Middle”); Join the network by adding the attacker´s MAC address to the acceptable list.

There are many other types of software applications that can perform these ARP poisoning methods, as well as execute other hacking techniques such as port sniffing. By utilizing Level two layer vulnerabilities through ARP Spoofing, MITM techniques are easy to execute, and expensive to detect.

Basic Defense

WEP – Wireless Encryption Protocol was integrated into wireless devices with a primary goal of preventing casual eavesdropping on a network. Much like crosstalk can occur among wireless telephones, the same effect could take place in getting packets distorted among common pathways on a wireless network. WEP performs this function rather well, but the second purpose of WEP is where the protocol falls short. The second purpose of WEP is to prevent unauthorized access to wireless networks. Now don´t be mistaken, WEP will prevent uninformed and unskilled crackers from accessing a wireless network. However, it doesn´t take much effort at all to break WEP. While the methods of attack that can be used are too technical for our purposes, it´s important to understand their existence.

One method comes in the form of brute force attacks, which simply break down WEP´s functionality forcing errors within the protocol and eventually causing it to open a door on its own. Other algorithms exist such as the dictionary attack. Dictionary attacks use several common keys, or a dictionary of keys stored over time to try guessing a different key until one works. Deeper hacking methods involve exploiting what is called the IV (Initialization Vector) vulnerability. The Initialization Vector can be used to trick WEP systems, and manipulate them into revealing keys or simply breaking down defenses by causing confusion within the WEP transmissions.

A few improvements have been attempted in regards to WEP mainly in the form of WEP2. WEP2´s primary attempt at improvement came in making the IV key even longer. However, industry experts agree that this not only doesn´t make WEP more secure, but also exposes even greater security threats to users.

WEP does a fine job at keeping novice hackers from spying on your valuable data. However, armed with the right tools, WEP has been proven to be flawed and vulnerable. We recommend that network administrators make use of WEP but emphasize that primary dependence not be placed on this protocol for security. WEP should be used, even according to wireless product makers like Netgear, but certainly not by itself.

Even with its inherent weaknesses, Wireless Encryption Protocols or WEP is still a good method for preventing attackers from capturing your network traffic. Less-experienced hackers will probably not even attempt to capture data packets from a wireless network that is broadcasting using WEP. Even if a hacker possesses the skills and tools necessary to crack WEP, it can be an extremely time-consuming process, especially when dealing with the newer 128-bit specification, which requires in excess of 500,000 captured data packets to even begin the cracking process. Not only is WEP a good way to ward off many would-be attackers, it is strengthened when used with other security techniques.

MAC Address Blocking – For smaller, more static networks you can specify which computers should be able access to your wireless access points. Telling the access points which hardware MAC addresses can join the network does this. Although, like WEP, in which this can be bypassed by knowledgeable hackers, it is still a valid method for keeping many intruders at bay.

Ditch the Defaults – Most wireless devices are being sold today with default configurations that are easily exploited. The three main areas to watch out for are the router administration passwords, SSID broadcasting, and the channel used to broadcast the signal. Upon installation many users would do well to immediately change the router´s administration password. The default passwords are easy to locate provided you can gain access to the user´s manual associated with each device. Turning off the SSID broadcast option will prevent unintentional wireless hijacking because rogue wireless devices will not be able to automatically detect the SSID without extra action. Changing the default-broadcasting channel will also make a WLAN more unique in its architecture and thus less difficult to detect based on default vulnerabilities.

Beacon Intervals – Another AP configuration that is recommended being changed is the beaconing interval. The beaconing interval is a frame that is sent out to announce the presence of the AP. Client stations use this to configure parameters to join a network. This is a separate from the SSID broadcast in that a beacon frame appears as a random data packet without a SSID label. These intervals should be maximized to make it more difficult to find the network. The network appears quieter and any passive listening devices are not as productive at gathering and cracking encryption keys.

Access Lists – Using MAC ACL´s (MAC Address Access List) creates another level of difficulty to hacking a network. A MAC ACL is created and distributed to AP so that only authorized NIC´s can connect to the network. While MAC address spoofing is a proven means to hacking a network this can be used in conjunction with additional security measures to increase the level of complexity of the network security decreasing the chance of a breach.

Controlling Reset – Something as simple as controlling the reset function can add a great deal of security and reduce the risk of potential hack to your network. After all the security measures are in place and the proper encryption settings are enforced, the factory built “reset” button available on nearly all wireless routers/AP´s can, in an obvious way, wipe out everything.

Disable DHCP – Disabling the use of DHCP in a wireless network is again, a simple but effective roadblock to potential hackers. In the event that a threat breaks through your encryption they would then have immediate access to the network if they were assigned an IP address by DHCP. This may not be feasible in a large corporate environment where thousands of IP addresses are leased throughout the day, but in a home space this is a must for all users.

Network Auditing and Intrusion Detection

Network administrators should equip themselves with the proper tools for auditing and troubleshooting their wireless networks. However, one of the tricky things about detecting intrusions on a Wireless LAN is the amount of time and resources that must be committed to monitoring the network. The kinds of tools available range from simple software solutions, to complex hardware devices. Depending on the size and sensitivity of your network (and your budget) these tools can range from completely free to extremely expensive.

Leave a Reply