Securing Wireless Networks

Apply Your Knowledge

Many tools are available to the hacker for attacking and scanning WLANs. One of these tools that is valuable to an ethical hacker is NetStumbler.

Exercises

1.1. Using NetStumbler

In this challenge exercise, you will use NetStumbler to scan for available wireless access points. You will need a laptop and wireless card to complete the exercise.

Estimated Time: 15 minutes.

  1. You will be using the NetStumbler program for this exercise. The program is available at www.netstumbler.com/downloads.

  2. After installing the program on a Windows-based PC, you will need to make sure that you have loaded the appropriate wireless card. The NetStumbler site has a list of the types and brands of cards that work with the application.

  3. To help prevent the chance of accidentally accessing someone's wireless access point, it is best to unbind all your TCP/IP properties. This can be done by unchecking the TCP/IP properties under settings/dialup and network connections.

  4. Now, you should start NetStumbler; by default, it places an icon on your desktop. After the program is open, click on file/enable scan. This should start the scanning process. If you are unable to pick up any wireless access points, you might want to move around or consider taking your laptop outside. In most urban areas, you should not have much trouble picking up a few stray signals.

  5. Upon detection of signals, they will be displayed as green, yellow, or red to denote the signal strength. The program provides other fields of information, including signal strength, SSID, name, channel, speed, vendor, and encryption status. If you hook up a GPS, NetStumbler will also provide longitude and latitude.

Exam Prep Questions

1.

Toby is concerned that some of the workers in the R&D facility have been asking about wireless networking. After discussing this with the plant's security manager, Toby gets approval to implement a policy that does not allow any wireless access. What else does Toby need to do besides create the policy. (Choose 2 answers.)

A. Disable SNMP so that wireless devices cannot be remotely monitored or configured.

B. Provide employee awareness activities to make sure that employees are aware of the new policy.

C. Use a magnetron to build an 802.11 wireless jamming device.

D. Perform periodic site surveys to test for rogue access points.
2.

Pablo has set up a Linux PC with Airsnarf that he is planning to take down to the local coffee shop. What type of activity is he planning?

A. He is attempting a DoS attack.

B. He is attempting to steal usernames and passwords from public wireless hotspots.

C. He is attempting to detect rogue access points and unauthorized users.

D. He is attempting to perform a site survey to make sure that the access point is placed in an optimum position.
   
3.

Which method of transmission hops between subchannels sending out short bursts of data on each subchannel for a short period of time?

A. Direct-sequence spread spectrum

B. Plesiochronous digital hierarchy

C. Time division multiplexing

D. Frequency-hopping spread spectrum
4.

At what frequency does Bluetooth operate?

A. 2.54GHz

B. 5GHz

C. 2.45GHz

D. 900Hz
5.

You have enabled MAC filtering at the wireless access point. Which of the following is most correct?

A. MAC address can be spoofed.

B. MAC address cannot be spoofed.

C. MAC address filtering is sufficient if IP address filtering is used.

D. MAC filtering will prevent unauthorized devices from using the wireless network.
6.

After reading an online article about wireless security, Jay attempts to lock down the wireless network by turning off the broadcast of the SSID and changing its value. Jay's now frustrated when he realizes that unauthorized users are still connecting. What is wrong?

A. Jay's solution would work only if the wireless network were in ad-hoc mode.

B. The unauthorized users are using the default SSID.

C. Jay is still running DHCP.

D. The SSID is still sent in packets exchanged between the client and WAP.
7.

Which of the following is a wireless DoS tool?

A. Void11

B. RedFang

C. THC-Wardrive

D. Kismet
   
8.

Which of the following is the best option to prevent hackers from sniffing your information on the wired portion of your network?

A. Kerberos, smart card, and Secure Remote Password protocol

B. PAP, passwords, and Cat 5 cabling

C. 802.1x, cognitive passwords, and WPA

D. WEP, MAC filtering, and no broadcast SSID
9.

Which of the following versions of EAP types only uses a password hash for client authentication?

A. EAP-TLS

B. PEAP

C. EAP-TTLS

D. EAP-MD5
10.

WPA2 uses which of the following encryption standards?

A. RC4

B. RC5

C. AES

D. MD5
11.

The initialization vector for WEP was originally how long?

A. 8 bit

B. 16 bit

C. 24 bit

D. 40 bit
12.

This version of 802.11 wireless operates at the 5.7255.825GHz range.

A. 802.11a

B. 802.11b

C. 802.11g

D. 802.1x
   
13.

Although WEP is a good first start at securing wireless LAN communication, it has been widely reported as having vulnerabilities. Which of the following is one of the primary reasons that WEP is vulnerable?

A. The encryption method used is flawed.

B. The 24-bit IV field is too small.

C. The encryption is too weak since it only used a 40-bit key.

D. Tools such as WEPCrack have been optimized to crack WEP in only a few minutes.
14.

WEP uses which of the following types of encryption?

A. Symmetric

B. Asymmetric

C. Public key encryption

D. SHA-1
15.

Ron would like your advice on a wireless WEP cracking tool that can save him time and get him better results with fewer packets. Which of the following tools would you recommend?

A. Kismet

B. Aircrack

C. WEPCrack

D. AirSnare

Answers to Exam Questions

A1:

1. B. and D. Toby should provide employee awareness activities to make sure that employees know about the new policy and perform periodic site surveys to test for rogue access points. Answer A is incorrect, as disabling SNMP would have no effect because SNMP is used for network management. Answer C is incorrect because using a magnetron to build an 802.11 wireless jamming device could jam more than just wireless network devices, be a danger to those around it, and have an uncontrolled range.
A2:

2. B. Airsnarf is a rogue access point program that can be used to steal usernames and passwords from public wireless hotspots. Answers A, C, and D are incorrect because he is not attempting a DoS attack, Airsnarf will not detect rogue access points, and it is not used to perform site surveys.
   
A3:

3. D. Frequency-hopping spread spectrum hops between subchannels and sends out short bursts of data on each subchannel for a short period of time. Answer A is incorrect because direct-sequence spread spectrum uses a stream of information that is divided into small pieces and transmitted each of which is allocated across to a frequency channel across the spectrum. Answer B is incorrect because plesiochronous digital hierarchy is a technology used in telecommunications networks to transport large quantities of data over digital transport equipment such as fiber-optic cable. Answer C is incorrect, as time division multiplexing is used in circuit switched networks such as the Public Switched Telephone Network.
A4:

4. C. Bluetooth operates at 2.45GHz. It is available in three classes: 1, 2, and 3. It divides the bandwidth into narrow channels to avoid interference with other devices that use the same frequency. Answers A, B, and D are incorrect, as they do not specify the correct frequency.
A5:

5. A. MAC addresses can be spoofed; therefore, used by itself, it is not an adequate defense. Answer B is incorrect because MAC addresses can be spoofed. Answer C is incorrect, as IP addresses, like MAC addresses, can be spoofed. Answer D is incorrect, as MAC filtering will not prevent unauthorized devices from using the wireless network. All a hacker must do is spoof a MAC address.
A6:

6. D. The SSID is still sent in packets exchanged between the client and WAP; therefore, it is vulnerable to sniffing. Tools such as Kismet can be used to discover the SSID. Answer A is incorrect, as turning off the SSID will make it harder to find wireless access points, but ad-hoc or infrastructure will not make a difference. Answer B is incorrect because the SSID has been changed, and as such, the default will no longer work. Answer C is incorrect, as running DHCP or assigning IP address will not affect the SSID issue.
A7:

7. A. Void11 is a wireless DoS tool. Answer B is incorrect because RedFang is used for Bluetooth. Answer C is incorrect, as THC-Wardrive is used to map wireless networks, and answer D is incorrect because Kismet is used to sniff wireless traffic.
A8:

8. A. Strong password authentication protocols, such as Kerberos, coupled with the use of smart card and the secure remote password protocol are good choices to increase security on wired networks. The secure remote password protocol is the core technology behind the Stanford SRP Authentication Project. Answer B is incorrect because PAP, passwords, and Cat 5 cabling are not the best choices for wired security. PAP sends passwords in clear text. Answer C is incorrect, as 802.1x and WPA are used on wireless networks. Answer D is also incorrect, as WEP, MAC filtering, and no broadcast SSID are all solutions for wireless networks.
A9:

9. D. EAP-MD5 does not provide server authentication. Answers A, B, and C are incorrect because they do provide this capability. EAP-TLS does so by public key certificate or smart card. PEAP can use a variety of types, including CHAP, MS-CHAP and public key. EAP-TTLS uses PAP, CHAP, and MS-CHAP.
A10:

10. C. WPA2 uses AES, a symmetric block cipher. Answer A is incorrect, as WPA2 does not use RC4 although WEP does use it. Answer B is incorrect, as WPA2 does not use RC5. Answer D is incorrect because MD5 is a hashing algorithm and is not used for encryption.
A11:

11. C. WEP is the original version of wireless protection. It was based on RC4 and used a 24-bit IV. Answers A, B, and D are incorrect because they do not specify the correct length.
A12:

12. A. Three popular standards are in use for WLANs, along with a new standard, 802.11n, which is due for release. Of these four types, only 802.11a operates at the 5.7255.825GHz range. Answers B and C are incorrect, as 802.11b and 802.11g operate at the 2.40002.2835GHz range. Answer D is incorrect, as 802.1x deals with authentication.
   
A13:

13. B. The 24-bit IV field is too small because of this, and key reusage WEP is vulnerable. Answer A is incorrect because RC4 is not flawed. Answer C is incorrect because although 40 bits is not overly strong, that is not the primary weakness in WEP. Answer D is incorrect, as tools such as WEPCrack must capture five hours of traffic or more to recover the WEP key.
A14:

14. A. WEP uses a shared key, which is a type of symmetric encryption. Answer B is incorrect, as WEP does not use asymmetric encryption. Answer C is incorrect because public key encryption is the same as asymmetric encryption. Answer D is incorrect, as SHA-1 is a hashing algorithm.
A15:

15. B. In 2004, the nature of WEP cracking changed when a hacker named KoreK released a new piece of attack code that sped up WEP key recovery by nearly two orders of magnitude. Instead of the need to collect 10 million packets to crack the WEP key, it now took less than 200,000 packets. Aircrack is one of the tools that have implemented this code. Answer A is incorrect, as Kismet is a wireless sniffer. Answer C is incorrect, as WEPCrack does not use the fast WEP cracking method. Answer D is incorrect because AirSnare is a wireless IDS.

Suggested Reading and Resources

www.totse.com/en/media/cable_and_satellite_television_hacksCable and satellite TV hacks

www.wired.com/wired/archive/12.12/phreakers.htmlAttacking cell phone security

www.tomsnetworking.com/Sections-article106.phpBluetooth sniper rifle

www.crimemachine.com/Tuts/Flash/void11.htmlVoid11 wireless deauthentication attack

www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdfWeaknesses in the Key Scheduling Algorithm of RC4

www.networkworld.com/research/2002/0506whatisit.html802.1x explained

www.informit.com/articles/article.asp?p=369221Exploiting WPA

www.tscm.com/warningsigns.htmlThe warning signs of covert eavesdropping and bugging

www.tomsnetworking.com/Sections-article111.phpThe Feds Can Own Your WLAN Too

www.wi-fiplanet.com/columns/article.php/1556321The Michael vulnerability in WPA

http://manageengine.adventnet.com/products/wifi-manager/rogue-access-point-detection.htmlFinding rogue access points

www.tinypeap.com/html/wpa_cracker.htmlWPA cracking

IDS, Firewalls, and Honeypots
Related

Категории