CWNA Chapter 16: Wireless Attacks, Intrusion Monitoring, and Policy

Today we are going to explore what can happen to you while sipping your favorite drink at the local Starbucks and browsing the interwebs.  You may never feel safe on public WiFi ever again.  That being said, you may want to use a VPN while using public WiFi, or you might have a bad time.  I wasn’t aware of some of the wireless attacks that were available before reading through this chapter.  I realized that some of the less secure security implementations are truly easy to crack with some googling.  Let’s get into it.

Wireless Attacks

Rogue Wireless Devices

A rogue AP is any unauthorized WiFi device that is not under the management of the proper network administrators.  Rogue APs are most often installed by employees who do not realize the consequence of their actions, which ends up adding unsecured wireless access into the network.  Ad-hoc wireless connections, where two computers have wireless connectivity with one of them also wired into the network, pose a problem as well.  Limiting the use of multiple NICs on a computer will help mitigate this by preventing bridging.  Wireless printers can also be an issue: hackers can connect to the printer and install their own firmware, allowing them to bridge the wireless and wired connections.  This is also true of wireless cameras.  The best way of preventing rogue access through wired ports is wired-side port control.  802.1X/EAP can also be used to authenticate and authorize access through wired ports on an access layer switch.

Peer to Peer Attacks

When 802.11 client stations are configured in ad-hoc mode, the network is known as an IBSS, and all communications are peer-to-peer, without the need for an AP.  This means another station could connect and gain access to any files or resources.  Users associated to the same AP who are members of the same BSS are in the same VLAN and are susceptible to peer-to-peer attacks because they reside on the same Layer 2 and Layer 3 domains.  Client isolation can often be enabled on WLAN APs or controllers to block wireless clients from communicating with other wireless clients on the same wireless VLAN.  Client isolation should not be enabled in the VoWiFi VLAN if push-to-talk multicasting is required, because it can prevent these devices from functioning properly.

Eavesdropping

Wireless communications can be monitored via two methods: casual eavesdropping and malicious eavesdropping.  Casual eavesdropping is accomplished by simply exploiting the 802.11 beacon management frames and discovering Layer 2 information about the WLAN.  Information that can be gathered includes the SSID, MAC address, supported data rates, and other BSS capabilities.  In active scanning, the client transmits management frames known as probe requests; the AP then answers back with a probe response frame, which contains essentially the same Layer 2 info as a beacon frame.  A directed probe request requires all APs that support the specific SSID to send a probe response.  A null probe request has all APs, regardless of SSID, respond with a probe response.  WLAN discovery tools like WiFi Explorer can be used for exactly this purpose.  Malicious eavesdropping is the unauthorized use of 802.11 protocol analyzers to capture wireless communications, and is typically considered illegal.  Protocol analyzers capture 802.11 frames passively, so a wireless intrusion prevention system cannot detect malicious eavesdropping.  Wireshark is one such analyzer.  All Layer 2 info is always exposed, but if WPA2 encryption isn’t in place, the Layer 3-7 information can also be exposed.  Encryption is the best protection against unauthorized monitoring of the WLAN.  Public access hotspots are the most commonly attacked.
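To make the "casual eavesdropping" point concrete, here is an added Python example (not code from the book or this post) that parses a raw 802.11 beacon frame and pulls out exactly the Layer 2 facts any passive listener gets for free: BSSID, SSID, channel, supported rates and what the beacon says about encryption.  The frame bytes are a constructed sample, not a real capture; the layout follows the standard management frame format (24-byte MAC header, 12 bytes of fixed parameters, then tagged information elements).

```python
import struct

# Constructed sample beacon (not a real capture): an AP named "CoffeeShop" on
# channel 6 with the Privacy bit set and a (truncated) RSN element, i.e. WPA2.
SAMPLE_BEACON = bytes.fromhex(
    "8000"              # frame control: type 0 (management), subtype 8 (beacon)
    "0000"              # duration
    "ffffffffffff"      # addr1: destination (broadcast)
    "001122334455"      # addr2: source address (the AP radio)
    "001122334455"      # addr3: BSSID
    "1000"              # sequence control
    "0000000000000000"  # timestamp (8 bytes)
    "6400"              # beacon interval: 0x0064 = 100 TU
    "1104"              # capability info: 0x0411 -> ESS, Privacy, short slot
) + bytes([0, 10]) + b"CoffeeShop" \
  + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96]) \
  + bytes([3, 1, 6]) \
  + bytes([48, 2, 1, 0])

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_beacon(frame):
    """Return the Layer 2 facts a passive listener learns from one beacon."""
    fc, _dur, _a1, _a2, bssid, _seq = struct.unpack_from("<HH6s6s6sH", frame, 0)
    if (fc & 0x00FC) != 0x0080:          # type/subtype bits must say "beacon"
        raise ValueError("not a beacon frame")
    _ts, interval, cap = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": mac_str(bssid), "beacon_interval_tu": interval,
            "privacy": bool(cap & 0x0010), "rsn": False,
            "ssid": None, "channel": None, "rates_mbps": []}
    off = 36                              # first tagged parameter
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        body = frame[off + 2: off + 2 + length]
        if tag == 0:                      # SSID (empty body = hidden SSID)
            info["ssid"] = body.decode("utf-8", "replace") or "<hidden>"
        elif tag == 1:                    # supported rates, units of 500 kbps
            info["rates_mbps"] = [(r & 0x7F) / 2 for r in body]
        elif tag == 3:                    # DS parameter set: channel number
            info["channel"] = body[0]
        elif tag == 48:                   # RSN element present => WPA2 family
            info["rsn"] = True
        off += 2 + length
    # What the beacon says about encryption decides whether Layer 3-7 is exposed
    info["security"] = ("WPA2/RSN" if info["rsn"]
                        else "WEP" if info["privacy"] else "open")
    return info

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BEACON))
```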

Encryption Cracking

Wired Equivalent Privacy (WEP) is a legacy 802.11 encryption method that was compromised many years ago.  With online tools, WEP can be cracked in minutes.

Krack Attack

KRACK (Key Reinstallation Attack) is a replay attack that targets the 4-way handshake used to establish dynamic encryption keys in the WPA2 protocol.  Firmware updates have been released to mitigate this for the most part.

Authentication Attacks

Lightweight Extensible Authentication Protocol (LEAP) is susceptible to offline dictionary attacks.  The hashed password response during the LEAP authentication process is easily crackable.  Stronger EAP methods that use tunneled authentication are not susceptible to offline dictionary attacks.  WPA/WPA2 using a passphrase (PSK) is a weak form of authentication and can be cracked using an offline brute-force dictionary attack.  Social engineering is another method used to acquire the PSK.  To help protect against brute-force dictionary attacks, a passphrase of 20 characters or more is recommended.

MAC Spoofing

MAC addresses can be spoofed, or impersonated, and any amateur can easily bypass a MAC filter by spoofing an allowed client station’s address.  Setting up MAC filtering is not a reliable security measure due to MAC spoofing.

Management Interface Exploits

In order to protect your management interfaces you should disable unused interfaces, use strong passwords, and encrypt logins. SSH and HTTPS should always be used for management.

Wireless Hijacking

In wireless hijacking, the attacker configures access point software on a laptop, effectively turning a WiFi client radio into an AP.  They then configure it to use the same SSID as the public hotspot, but on a different channel.  Then they send spoofed disassociation or deauthentication frames, forcing users associated with the hotspot AP to roam to the evil twin.

Evil Twin WiFi

Often DHCP will be used to issue an IP address to the clients, which then grants Layer 3 access and enables peer-to-peer attacks.  Another attack is the man-in-the-middle attack.  In this scenario the hijacker performs the normal wireless hijacking but also adds a second 802.11 radio that is connected to the hotspot’s AP.  That radio is bridged to the evil twin radio, allowing the traffic to pass through as it originally would have.  The hacker now sits in the middle unnoticed.  Lastly we have the WiFi phishing attack, where the attacker may use web server software and captive portal software.  After being hijacked, users are sent to a login page that mimics the hotspot’s login page.  In order to avoid hijacking, a mutual authentication solution should be used.  These solutions validate the network the user is connecting to, as well as the user itself.  802.1X/EAP authentication solutions require this.

Denial-Of-Service Attacks

DoS attacks can occur at Layer 1 or 2 of the OSI model.  Layer 1 attacks are known as RF jamming attacks, of which there are two types: intentional and unintentional jamming.

  • Intentional Jamming:  this occurs when an attacker uses some type of signal generator to cause interference in the unlicensed frequency space.  This causes all data to be corrupted, or causes stations to continuously defer when performing CCA (clear channel assessment).
  • Unintentional Jamming:  this typically occurs from the use of microwave ovens, cordless phones and similar non-802.11 devices.

Below you can see an example of a cordless phone lighting up the spectrum at the top end of the 2.4 GHz band.

Figure: spectrum analyzer capture of cordless phone interference in the 2.4 GHz band.  Courtesy of MetaGeek

A spectrum analyzer is the best tool to detect intentional or unintentional jamming.  Layer 2 DoS attacks are a result of manipulating 802.11 frames, most often spoofed disassociation or deauthentication frames.  The 802.11w-2009 amendment defined management frame protection (MFP) mechanisms to prevent the spoofing of certain types of 802.11 management frames.  The 802.11w-protected frames are called robust management frames.  While a spectrum analyzer is best for finding Layer 1 DoS attacks, a protocol analyzer or wireless intrusion detection system is best for Layer 2 DoS attacks.
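Here is an added Python example (not code from the book, this post, or any WIDS product) of the kind of Layer 2 detection rule a wireless intrusion detection system applies to spot a deauthentication flood: count deauth and disassoc frames per BSSID in a sliding time window and raise an alert when the count crosses a threshold.  The frame log lines are a constructed, simplified "time subtype sa da bssid [reason]" format, not the export format of any real analyzer.

```python
import re
from collections import defaultdict, deque

# Constructed sample frames (not a real capture): a beacon, one ordinary deauth
# of a single client, then a burst of broadcast deauths spoofing the AP's address.
AP = "00:11:22:33:44:55"
SAMPLE_FRAMES = [
    f"0.000 beacon sa={AP} da=ff:ff:ff:ff:ff:ff bssid={AP}",
    f"1.200 deauth sa={AP} da=aa:bb:cc:dd:ee:01 bssid={AP} reason=3",
] + [
    f"{5.0 + i * 0.05:.3f} deauth sa={AP} da=ff:ff:ff:ff:ff:ff bssid={AP} reason=7"
    for i in range(30)
]

LINE_RE = re.compile(
    r"^(?P<t>\d+\.\d+) (?P<sub>\w+) sa=(?P<sa>[0-9a-f:]{17}) "
    r"da=(?P<da>[0-9a-f:]{17}) bssid=(?P<bssid>[0-9a-f:]{17})"
    r"(?: reason=(?P<reason>\d+))?$"
)

def detect_deauth_flood(lines, window=2.0, threshold=10):
    """Alert once per BSSID when >= threshold deauth/disassoc frames fall within `window` seconds."""
    recent = defaultdict(deque)   # bssid -> timestamps of recent deauth/disassoc frames
    alerts, flagged = [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["sub"] not in ("deauth", "disassoc"):
            continue                      # data frames, beacons etc. are not counted
        t, bssid = float(m["t"]), m["bssid"]
        q = recent[bssid]
        q.append(t)
        while t - q[0] > window:          # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and bssid not in flagged:
            flagged.add(bssid)
            alerts.append({
                "bssid": bssid, "count": len(q), "first": q[0], "last": t,
                # a real AP rarely deauthenticates *every* client at once, so a
                # broadcast destination on the triggering frame is a strong hint
                "broadcast": m["da"] == "ff:ff:ff:ff:ff:ff",
                "reason": m["reason"],
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_FRAMES):
        print(alert)
```

With 802.11w (MFP) enabled, clients discard such unprotected deauth frames, but the rule is still useful because the flood itself is evidence that someone is transmitting on the BSSID's behalf.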

Vendor Specific Attacks

Often hackers will find holes in the firmware code used by specific WLAN access point and controller vendors.  This can be avoided by making sure you keep your firmware up to date, but make sure you understand the impact of the updates you are applying.

Social Engineering

Most breaches occur due to social engineering attacks.  This is done by manipulating people into divulging confidential information, such as passwords.  Strictly enforcing policies to prevent sharing confidential info is the best defense.

Intrusion Monitoring

Most systems today use a Wireless Intrusion Prevention System (WIPS) to mitigate several of the more well known wireless attacks.  Wireless Intrusion Detection Systems (WIDS) are also in use to detect attacks.

Wireless Intrusion Prevention System

A WIPS consists of two primary components:

  1. WIPS Server:  a software or hardware server appliance acting as a central point for monitoring and for collecting security and performance data.  The server uses signature analysis, behaviour analysis, protocol analysis and RF spectrum analysis to detect potential threats.
  2. Sensors:  hardware or software based sensors may be placed strategically to listen to and capture all 802.11 communications.

WIPS are best at monitoring layer 2 attacks, such as MAC spoofing, disassociation attacks, and deauth attacks.

The components of a WLAN security monitoring solution are usually deployed within one of two major WIPS architectures.

  1. Overlay:  the most secure model is an overlay WIPS, which is deployed on top of the existing wireless network.  This model uses an independent vendor’s WIPS and can be deployed to monitor any existing or planned WLAN.
  2. Integrated:  most WLAN vendors have fully integrated WIPS capabilities.  A central WLAN controller or a centralized network management server (NMS) functions as the WIPS server.

Rogue Detection and Mitigation

A WIPS characterizes APs and client radios into four or more classifications.

  1. Authorized Devices:  any station or AP that is an authorized member of the company’s wireless network.
  2. Unauthorized or Unknown Device:  automatically assigned to any new 802.11 radio that has been detected but not yet classified as a rogue.
  3. Neighbor Device:  any client or AP that is detected by the WIPS and whose identity is known.
  4. Rogue Device:  any client station or AP that is considered an interfering device and a potential threat.  Most WIPS define a rogue as a device that is plugged into the wired network backbone and is not known or managed by the organization.

The most common way a WIPS deals with rogues is to have the sensors go active and begin transmitting spoofed deauth frames.  These frames spoof the MAC addresses of the rogue AP and its clients.  This can be used to disable rogue APs, individual client stations, and rogue ad-hoc networks.

Spectrum Analyzers

A spectrum analyzer that can look at the 2.4 GHz ISM band will be able to detect both intentional jamming and unintentional jamming devices.  Some can decipher what type of device is jamming the signal by its signature.

Wireless Security Policies

General Security Policies

A general security policy establishes why a security policy is needed for an organization.

What should be included?

  1. Statement of Authority:  defines who put the wireless policy in place and the executive management that backs the policy.
  2. Applicable Audience:  the audience to whom the policy applies, such as employees, visitors and contractors.
  3. Violation Reporting Procedures:  defines how the wireless security policy will be enforced, including what actions should be taken and who is in charge of enforcement.
  4. Risk Assessment and Threat Analysis:  defines the potential wireless security risks and threats and the financial impact on the company if a successful attack occurs.
  5. Security Auditing:  Internal auditing procedures, as well as the need for independent outside audits should be defined.

Functional Security Policies

A functional policy is also needed to define the technical aspects of wireless security.  It establishes how to secure the wireless network in terms of what solutions and actions are needed.

What should be included?

  1. Policy Essentials:  basic security procedures, such as password policies, training and proper usage of the wireless network should be defined.
  2. Baseline Practices:  defines minimum wireless security practices, such as configuration checklists, staging and testing procedures.
  3. Design and Implementation:  the actual implementation, encryption, and segmentation solutions that are to be put into place.
  4. Monitoring and Response:  all wireless intrusion detection procedures and the appropriate response to alarms are defined.

Legislative Compliance

Most countries have mandated regulations on how to protect and secure data communications within all government agencies.  In the US we have the FIPS 140-2 standard, which defines security requirements for cryptographic modules.

US regulations for other industries

  • HIPAA:  the Health Insurance Portability and Accountability Act establishes national standards for electronic healthcare transactions and national standards for providers, health insurance plans, and employers.
  • Sarbanes-Oxley:  the Sarbanes-Oxley Act of 2002 defines stringent controls on corporate accounting and auditing procedures, with the goal of corporate responsibility and enhanced financial disclosure.
  • GLBA:  the Gramm-Leach-Bliley Act requires banks and financial institutions to notify customers of their policies and practices for disclosing customer information.

802.11 Wireless Policy Recommendations

Recommended Wireless Policies

  1. BYOD Policy:  a policy for employees’ personal devices needs to state how they will be onboarded onto the secure corporate WLAN.  Additionally, it should state how they can be used and which corporate resources will be accessible.
  2. Guest Access Policy:  Guest users should be restricted from accessing company network resources with strong firewall enforcement and network segmentation practices.
  3. Remote-Access WLAN Policy:  the remote access policy should include the required use of an IPsec or SSL VPN solution to provide device authentication, user authentication, and strong encryption of all wireless data traffic.
  4. Rogue AP Policy:  No end user should be permitted to install their own wireless devices on the corporate network, including APs, routers, wireless hardware USB clients, and other wireless NICs.
  5. Wireless LAN Proper Use Policy:  This should outline the proper use and implementation of the main corporate wireless network including proper installation procedures, proper security implementation, and allowed application use on the WLAN.
  6. WIPS Policy:  Policies should be written defining how to properly respond to alerts generated by the wireless intrusion prevention system.

Chapter Review

In CWNA Chapter 16 we went over wireless attacks, intrusion monitoring and wireless policies.  We discussed the types of wireless attacks that are out there and how to mitigate them with WIPS and WIDS.  Then we dug into policy and what should be in place for your environment to better help your clients know how to behave within your network.  We now have three chapters to go... well, technically there are four, but for the purposes of CWNA we are going to skip over the 802.11ax chapter as it isn’t part of the CWNA even though it is in the book.  We will come back to it after we pass the CWNA.  We only need to pass the test, so adding that in right now just doesn’t make sense to me.

Interesting Link of the Day

Have you ever been walking around and noticed some terrible WiFi?  Sure you have.  Did you take a picture because you thought it was worth remembering?  OK, we have a site just for you to keep up to date with other people just like you.  Check out BadFi.com for your terrible WiFi needs!