|
| FAQ Article: Securing Wireless Networks |
There are literally thousands of articles (and even videos) out there dedicated to showing you how to detect and break into simple wireless networks (mostly unsecured wireless nets). It seems every script kiddie in the world has this information - so in this article I will be taking a slightly different approach and will be talking about the different methods used to protect wireless networks.
I will then briefly touch on the common topic of how to scan and test the security of any wireless networks you have access to (+ give you links to some great videos and tools).
If you think WEP encryption makes your wireless network secure, and that NetStumbler is a great scanning tool - this article should help open your eyes!
In this article I will make the following points and explain them:
- Wireless networks CAN be secure, but the vast majority of home (and often business) wireless networks out there are VERY insecure.
- If you think turning off SSID broadcast makes your access point undetectable - you are sadly mistaken.
- MAC filtering will NOT keep your wireless network secure, its ridiculously easy for a hacker to get round.
- WEP encryption can easily be broken - don't think you're safe just because your network uses WEP
- NetStumbler is NOT a good scanning tool - if you are serious about wireless scanning then you should not be using it.
We've all used wireless networks, and i'm sure that a lot of us even have our own wireless networks at home or at work. The fact is wireless networks are everywhere these days and there are more appearing every moment of every day. If you don't use one yet - you soon will. Wireless networks are cheap to setup, offer high speed network access, and most of all they are convenient - but what about the security of these wireless networks? Are the common protections enough to keep your network secure from wardrivers, hackers, neighbours etc ? :) The answer is no...
Before I start talking about the different protections that can be implemented to help secure wireless networks, I need to explain some common terms and technologies I will be mentioning:
- IP Address - You should already know what a IP address is, but if you don't please read our other FAQ article.
- MAC Address - Every network adapter has what's called a Media Access Control address (usually shortened to MAC address). It's a six-byte identifying number permanently embedded in the firmware of the adapter, and is readable by the network and the operating system of the device on which the adapter is installed. All modems have a MAC address; so do all Ethernet cards. The address must follow the standards set by the Institute of Electrical and Electronics Engineers (IEEE), which sets computer networking standards. Basically, the address is a six-pair set of hexadecimal numbers, for example, a1-c2-e3-44-5f-6d. The purpose of the MAC address is to uniquely identify each and every node on a network.
If you want to see what the MAC address is for a particular network adapter in Windows, all you need to do is open a command prompt and then enter the command "ipconfig /all". In Linux you should use "ifconfig -a" (as root).
- DHCP - Short for Dynamic Host Configuration Protocol, a protocol for assigning dynamic IP addresses to devices on a network. With dynamic addressing, a device can have a different IP address every time it connects to the network. In some systems, the device's IP address can even change while it is still connected. DHCP also supports a mix of static and dynamic IP addresses. Dynamic addressing simplifies network administration because the software keeps track of IP addresses rather than requiring an administrator to manage the task. This means that a new computer can be added to a network without any hassle of manually assigning it a unique IP address.
- SSID - SSID is an acronym for Service Set Identifier. The SSID is a sequence of up to 32 letters or numbers that is the ID, or name, of a wireless local area network. The SSID is set by a network administrator and for open wireless networks, the SSID is broadcast to all wireless devices within range of the network access point. Put bluntly - the SSID is the ID or name of a wireless network.
- Channel - Wi-Fi equipment provides a set of available channels to choose from. In the United States, for example, any of the Wi-Fi channels 1 - 11 can be chosen when setting up a wireless network (6 is quite a common default, as is 11). If encountering interference from other devices within the home, consider changing the channel up or down to avoid it. Note that all Wi-Fi devices on the network must use the same channel.
- WEP encryption - Wireless Equivalent Privacy (WEP) is a type of encryption that all wireless Ethernet products support. WEP uses a fixed encryption key which a network client must provide before a connection can be made.
- Wardriving / Wardrivers - Wardriving is an activity consisting of driving around with a laptop or a PDA in one's vehicle, detecting Wi-Fi wireless networks. It is also known (as of 2002) as WiLDing (Wireless Lan Driving), originating in the USA with the Bay Area Wireless Users Group (BAWUG). It is similar to using a scanner for radio. Most wardrivers will use GPS devices to find the exact location of the network found and log it on a website. For better range, antennas are often used.
- NetStumbler - A wireless scanning tool from http://www.netstumbler.com/ which runs on Windows. It is used by many wardrivers and security professionals to scan for wireless networks and to see basic information about the network (such as the SSID of the net, the signal strength, and whether or not the network is encrypted). This tool is (with good reason) considered to be quite lame by anyone who is serious about wireless scanning and/or wardriving.
Ok, now I have briefly described a few of the things you will need to know about, lets discuss the different types of protections that you can use to help secure a wireless network and keep it private. The most common methods are:
- Move away from default configurations - you are asking for trouble if you leave your access point running with its default configuration!
- Turn off SSID Broadcast - this basically involves turning off the settings that make your access point broadcast its presence, so it is less likely to be picked up by people scanning for wireless networks.
- Encryption - encrypting the traffic on a wireless network is the most common security method implemented on wireless networks (64/128 bit WEP being the most common encryption used at the moment).
- MAC Filtering - a common protection used to only allow certain MAC addresses to connect to the wireless network (i.e. only allow certain PC's or certain wireless devices to use the network).
- Disabling DHCP - disabling DHCP can slow some attackers down and even fool some of the dumber script kiddies.
- Controlling broadcast range - this technique is not very common, but makes a lot of sense...why broadcast your wireless network further than you need to?
- System security - be prepared for if/when attackers do get onto your wireless network
Protection #1 - Move away from default configurations
The first problem is that typically most wireless access points/routers do not have any security settings enabled in their default configurations! This might be seem crazy, but I assume it is to make installation easier and to let people get their wireless devices communicating successfully before any kind of encryption/protections are implemented.
The problem is of course that most people just keep these default configurations and never turn on the security features! This is especially common for most home users who just buy a cheap access point to provide wireless internet around their house. However, without any security in place it's not only the computers within their household that are able to connect and use the wireless network :)
Your neighbours might even accidentally connect to your insecure wireless network. Windows XPs built-in wireless support scans for wireless access points that broadcast their presence (most access points often do by default). When it finds one, depending on the settings it is quite likely that XP will attempt to auto-connect to the network. Do you want your neighbours "borrowing" your Internet and using your wireless network? Thought not...
The first thing you change is the administrator password for your access point/router web interface! If your web interface lets you change the username as well as the password, then do that too. Make sure you set a secure password! Secondly, you will want to change the SSID of your network. As mentioned above the SSID is basically the ID or "Name" of your wireless network. By default your SSID will be something like "Linksys" or "NetGear" (the access point manufacturers name). You should change this immediately to something else (and please please, don't change it to "Tim's Network" or something that gives away any of your personal details lol).
Why should you change the SSID? Well, if someone finds your access point and it has the SSID set to "Linksys" - they will know exactly what brand your access point is and will therefore know which default administrator usernames/passwords to try. They will also know other information like the default IP range to use to get themselves onto your network (which will help them if you have DHCP disabled).
You should also change a number of other default configuration settings such as turning on encryption, mac filtering, and SSID cloaking - but we will discuss these below in more details.
Protection #2 - Turn off SSID Broadcast
By default, wireless access points and routers broadcast the SSID for detection by all wireless network clients in the vicinity. To help reduce intrusion attempts, you can disable this behaviour in the device setup. Do you really have any good reason to broadcast your SSID to the world? If the answer is no (and i'm sure it is) then you should turn off SSID broadcasting immediately.
Basically, if someone has your SSID and knows what channel your wireless is on - they can try to connect to you. Tools like "NetStumbler" (which a lot of people use for wardriving and wireless scanning) work by picking up the beacons/broadcasts that your access point sends out. If you broadcast your SSID and someone is using NetStumbler within range of your wireless network...they will be able to detect the presence of your wireless network and they will be able to see other information too (they will see your SSID, signal strength, and they will be able to see if your wireless is encrypted or not). If you turn off SSID broadcasting - NetStumbler (and scanning tools like it) will not be able to detect your wireless network! Lame huh...
I can't give you exact instructions on how to turn off SSID broadcasting because it will depend on the wireless access point or router that you use - but if you have a look in the web interface you will almost certainly see an option to turn SSID broadcast off (if you don't see an option...visit the vendor website and check with them).
So...you've turned off SSID broadcasting and you think you're safe from wardrivers/scanners now? WRONG.
Whilst tools like NetStumbler might rely on your beacons/broadcast in order to be able to detect your wireless network, there are FAR better and much more advanced wireless scanning tools available - the best (in my opinion) being Kismet (http://www.kismetwireless.net/). Kismet runs on Linux and can detect the presence of your wireless network even if SSID broadcast is switched off. More on this later...
You are not safe yet :) So we better move on to protection #3 ;) ...
Protection #3 - Encryption
This is one of the most common security protections that people use on their wireless networks. Sadly way too many people use ONLY encryption and believe they are safe from intruders. Don't get me wrong - encryption is definitely a necessity in any secure wireless network, but the key is to pick the right encryption and make sure you use the other protections too (don't rely on just encryption).
The majority of wireless access points and routers support something called WEP encryption (Wireless Equivalent Privacy). WEP uses a fixed encryption key which a network client must provide before a connection can be made.
WEP uses a fixed encryption key which a network client must provide before a connection can be made, then it encodes packets going to and from your wireless card and router/access point. This basically makes sure that only people who know the WEP key can use the wireless network, and it stops wireless snoops from sniffing the packets and seeing the data that you are sending/receiving on the network.
The higher the WEP level the more protection you have (i.e. 64bit, 128bit, or even 256bit encryption). The type of WEP that your cards and router will support will be detailed in the products user guide. You might find that your access point/router only supports up to 128bit WEP. WEP should be enabled all the time and should be treated as minimum protection for your wireless network.
So what's the problem with WEP? It's commonly used, so it must be ok right? Wrong again.
WEP encryption was thought to be good for a week for most light traffic home wireless networks because the older WEP cracking tools needed to sniff 5 to 10 million packets in order to recover a WEP key. However, there have been many advances and the newest WEP cracking techniques can break WEP in minutes (even 128bit or higher). You used to be fairly safe if there wasn't that much traffic flowing through your network but now there are even ways for attackers to artificially generate traffic and accelerate WEP cracking. If you take security seriously then I seriously recommend that you move away from WEP immediately.
The question you might ask is "which encryption should I use??" - and that is a very good question :) This is a difficult subject because it all depends on what your hardware will support (all your wireless devices need to support the encryption that you choose) and also there are new encryptions and standards being developed right at this moment. However, the one encryption that *seems* to be the new standard (for the time being) is WPA.
WPA improves on the authentication and encryption features of WEP (Wired Equivalent Privacy). One of the key technologies behind WPA is the Temporal Key Integrity Protocol (TKIP). TKIP addresses the encryption weaknesses of WEP. Another key component of WPA is built-in authentication that WEP does not offer. One variation of WPA is called WPA Pre Shared Key or WPA-PSK for short. WPA-PSK is a simplified but still powerful form of WPA most suitable for home Wi-Fi networking. To use WPA-PSK, a person sets a static key or “passphrase” as with WEP. But, using TKIP, WPA-PSK automatically changes the keys at a preset time interval, making it much more difficult for hackers to find and exploit them. Newer systems use WPA to provide greater security, but be aware that non-WPA devices are unable to use a WPA network. WPA itself will be superceded by the 256-bit encryption of WPA2 which will add support for AES (Advanced Encryption Standard).
Is WPA unbreakable? well no - there are already a number of tools available that will brute force WPA using a dictionary-style attack...but generally speaking WPA is adequate protection for most home networks at the moment (when used in conjunction with the other protections mentioned in this article!).
Protection #4 - MAC Filtering
The concept of MAC address filtering works in theory. You know that every single device (whether it be a network adapter, router, or wireless bridge etc) has its own unique MAC address, so therefore you can uniquely permit or deny access based on the MAC address of the device that is attempting to connect to your wireless network. It certainly sounds like a good theory and a nice protection.
The problem is that anyone who has any clue about networking and wireless penetration testing (which will be the vast majority of wardrivers out there) will be able to bypass the MAC filtering protection with ease. It is incredibly easy to spoof your MAC address (using both Linux and Windows) and therefore it is simple for an attacker to spoof their MAC address to one that is permitted by your MAC filter, and therefore bypass the protection.
You might say "ah! but how do they know which MAC addresses are permitted?" - the answer is simple, they sniff the packets (using a good wireless sniffer/scanner like Kismet, not NetStumbler) and they will see a list of MAC addresses that are currently active on your network. Then all the attacker has to do is spoof their MAC address to one of those, and hey presto :)
I know that it seems weird that I would recommend you use MAC filtering on your wireless network after all that I have just explained - but, the fact is...every protection helps. The more layers of security you have, the better. Some will argue that MAC filtering is a pain to maintain (you have to add MAC addresses to your filter every time you add a new device to the network) and gives zero ROI (return on investment) in terms of security gain...but I think that is untrue. Every layer helps.
Protection #5 - Disabling DHCP
DHCP allows the automatic assignment of IP addresses and other configurations. This is very useful for attackers if they manage to get onto your wireless network as they will be automatically assigned a IP address and can start communicating on the network. This is a bit of a controversial protection as some will argue that it does not increase your security that much and you lose a very nice feature from your network.
I can see both sides of the argument as I know it will not take long for a hacker to work out the IP scheme of your network, but on the other hand, this will fool a few people...so its really up to you to decide how useful DHCP is. If you don't really care whether you have it or not (maybe you only have a couple of PC's on your network and don't add new devices all that often) then you might as well switch it off. Personally, I like DHCP so I leave it enabled on my network.
Protection #6 - Controlling broadcast range
Ok, this is a bit of a lame one - but bear with me (i'm just trying to cover all the ideas!). The idea behind this "protection" is that your wireless network probably broadcasts outside of your home/office. In some cases this will be necessary, but in most cases there will be no reason for your wireless network to be accessible outside the building. If you can lower the power on your antenna/wireless - then you will make it less likely for your wireless network to be picked up by wardrivers who drive past.
I do realise that this is hardly a protection, so please don't flame me :) I know that anyone with a a good wireless card or antenna (like most wardrivers have) can still pick your network up - but hey, maybe you will avoid a few people detecting your network? This is all about picking the right level of security for your own network. Personally, I don't want my neighbours picking up my wireless signal and I have no reason to broadcast at full power so that the signal goes outside my house.
Protection #7 - System security
How secure are your systems on the network? Do they have firewalls? Do they operate in trusted zones? Do they have open file shares? You need to start thinking about minimising damage if/when a hacker were to connect to your wireless network successfully. This is often overlooked, but it should certainly be a part of your security plan.
Ensure your internet-connected PCs have firewalls that support networks, then add your system IP addresses to its Trusted Zone (providing that you have assigned them static IP). Make sure each system is secure, fully patched and up to date. Avoid file sharing if possible, and if you really need to - assign passwords to the shares at least. I know local security is outside the scope of this article, but you really need to secure all the boxes that are on the network.
I've secured my wireless network - now what?
If you have implemented all of the protections that you feel are suitable for your network, it's now time to move to the next stage! Hacking your own network :)
This is the most exciting part because you have put the effort into securing your network and now you get to try and break into it as if you were some attacker outside of your home/business. The first thing I need to mention is that I am not going to go into any detail on this. The reason is not because I don't want to explain to you or I don't think you should know - it's purely and simply because it's been explained in billions of tutorials already on the Internet lol. I swear every single hacking zine, hacking podcast, and hacking vidcast I see has at least covered "hacking wireless networks" in some context.
What I will do is link you to some of the tools you need and explain why I am recommending them, and then I will link you to some of the best tutorials I have found on the subject.
Tools you will need
At very least, you will want to download a GOOD Linux security LiveCD. There are a lot of them around (I wrote another article on this recently), and a few of them are aimed at wireless security and penetration testing specifically. Here are a few that you could try:
You might like to try a couple, but Auditor and Whax are definately my favourites.
The tools you will be most interested in will be Kismet, Aerodump, Aircrack, and in some cases Aireply. Auditor also includes gKismet which is a graphical version of the Kismet sniffer tool - but honestly I think the standard Kismet is cool enough ;)
Now you might be saying "Hey! I use NetStumbler and its a good tool!" - I know a lot of you will be using it. I've been quite critical of NetStumbler throughout this article...but with good reason! Here are the reasons why you shouldn't bother with NetStumbler if you are going to get serious about wireless penetration testing:
- NetStumbler can only detect wireless networks if they have their SSID broadcast switched on. This means its fine for finding publicly available wireless networks, but it wont find any hidden/private networks.
- NetStumbler performs "active scanning" as opposed to "passive scanning" like Kismet. In active scanning, NetStumbler sends out a "hello" broadcast on all channels. Any access point that has SSID broadcasting enabled will respond. Why is this a problem? well...think about it - this means that NetStumbler is DETECTABLE. If you are scanning and someone has the right IDS (intrusion detection system) or tools, they will spot you. With NetStumbler you are not invisible.
- One article I read claims NetStumbler will help you "Detect unauthorized rogue access points in your workplace." - which is not strictly true. I don't think anyone with a "clue" would put up a rogue access point and leave the SSID broadcast on. If SSID broadcast is off, then NetStumbler will not find the network.
- NetStumbler can not show you any useful penetration testing information about the network, such as connected clients, IP addresses, packet dumps, string dumps etc.
Don't get me wrong, NetStumbler is fine if you are just going to do a quick check to see what publically available access points are in your area, or if you are without a LiveCD/Linux and are using Windows - it is certainly the best wireless scanning tool for Windows that I know of. However, we are interested in discovering and testing the security of supposedly-secure wireless access points...and therefore we need to get serious - so goodbye NetStumbler, and hello Kismet :)
So how does Kismet differ from the "active scanning" NetStumbler? Well, most scanners work by querying the firmware of the card to see what networks are in the area that will let the card join them, Instead, Kismet collects all the packets in the air at any given time and dissects them to identify each network. This lets Kismet detect networks with hidden SSIDs, provide packet dumps, and best of all - since its grabbing the packets from the air and not connecting to anything or sending out any "hello" broadcasts like NetStumbler - Kismet is not detectable. Put simply, it rocks.
Now the cool part :) I am not going to bother explaining step-by-step how to test the security of your wireless networks.....i'm going to link you to videos showing how! w00t :) I think these vidcasts and flash movies are awesome, and you can't get much better than someone on-screen showing you the commands and tools you need. So here are the links:
- FromTheShadows StashBox 3.0 - excellent vidcast which has a whole step-by-step feature showing how to break WEP encryption on a wireless network
- WHAX-Whoppix-Action-Demos - this link will take you to some excellent Flash movies that show how to break WEP and WPA using the Whax Linux LiveCD.
- Whax-Usage-Demos - some more Flash videos showing you how to setup Kismet and do some other cool stuff using the Whax Linux LiveCD.
Enjoy! and please, only use this information for securing and penetration testing your own wireless networks!
Related Articles
Here are some links to other good sources of information:
|
Posted on: 09-08-2005
Article has been viewed 726095 times
|
| |
| Comments |
|
Comment by Wang - 16-08-2005
A huge list of default usernames and passwords for wireless access points has been published here: http://www.phenoelit.de/dpl/dpl.html
Comment by insurancesonline - 23-03-2008
I love your services and products, many thanks!
Comment by goomuloo - 01-04-2008
Im Paul from Canada, a retired Author. Ive only been at this about 4
months now, and Ive hit the ground running. Im only really getting around
to visiting all the forums now. I still have a lot to learn but Im getting
there.
All the best,
Paul
Comment by allwordcosmetics - 09-04-2009
I love your services and products, many thanks! You have unique info for me.
Post a comment
Please use the form below to post your comments on this article. All comments will be reviewed by the admin before being published publically.
|
| |
|
