HACKING THE INVISIBLE NETWORK: INSECURITIES IN 802.11x potx

Page 1 of 35 Hacking the I nvisible Network

Copyright © 2002, iDEFENSE Inc. iALERT White Paper

iALERT White Paper

Hacking the

Invisible Network

Insecurities in 802.11x

By Michael Sutton

iDEFENSE Labs

[email protected]

July 10, 2002

iDEFENSE Inc.

14151 Newbrook Drive

Suite 100

Chantilly, VA 20151

Main: 703-961-1070

Fax: 703-961-1071

http://www.idefense.com

Copyright © 2002, iDEFENSE Inc.

“The Power of Intelligence” is trademarked by iDEFENSE Inc.

iDEFENSE and iALERT are Service Marks of iDEFENSE Inc.

Page 2 of 35 Hacking the Invisible Network

Copyright © 2002, iDEFENSE Inc. iALERT White Paper

TABLE OF CONTENTS

Executive Summary ...................................................................................................................... 4

WEP Insecurities........................................................................................................................... 5

What is 802.11x? ........................................................................................................................... 5

What is WEP? ................................................................................................................................ 6

Issues............................................................................................................................................ 6

Initialization Vector............................................................................................................................................. 6

Cyclical Redundancy Check ................................................................................................................................ 8

Attacks ........................................................................................................................................ 10

IEEE 802.11 Chair Response ......................................................................................................... 12

Auditing WLANs......................................................................................................................... 13

Finding WLANs (“What’s the Frequency, Kenneth?”)....................................................................... 13

Cracking WEP Keys (Keys to the Kingdom) .................................................................................... 15

AirSnort ............................................................................................................................................................. 15

WEPCrack......................................................................................................................................................... 18

Sniffing Traffic (Something Smells Fishy) ....................................................................................... 20

Malicious Attackers........................................................................................................................................... 21

Denial-of-Service Attacks.................................................................................................................................. 21

Securing WLANs......................................................................................................................... 23

WLAN Hardening Checklist............................................................................................................ 23

Do Not Rely on Wep for Encryption.................................................................................................................. 23

Segregate Wireless Networks ............................................................................................................................ 23

Do Not Use a Descriptive Name for SSID Or Access Point.............................................................................. 23

Hard Code MAC Addresses that Can Use the AP............................................................................................. 23

Change Encryption Keys ................................................................................................................................... 24

Disable Beacon Packets .................................................................................................................................... 24

Locate APs Centrally......................................................................................................................................... 24

Change Default Passwords/IP Addresses ......................................................................................................... 24

Avoid WEP Weak Keys...................................................................................................................................... 24

Do Not Use DHCP on WLANs .......................................................................................................................... 25

Identify Rogue Access Points............................................................................................................................. 25

The Future of 802.11x Security ..................................................................................................... 25

TKIP .................................................................................................................................................................. 25

AES.................................................................................................................................................................... 26

802.1x ................................................................................................................................................................ 26

Too Little Too Late ............................................................................................................................................ 26

Other Security Concerns ............................................................................................................... 26

Physical Security ............................................................................................................................................... 26

End-User Awareness..................................................................................................................... 27

Conclusion.................................................................................................................................... 28

Acknowledgements...................................................................................................................... 29

Appendix A: Auditing Tools....................................................................................................... 30

WLAN Scanners............................................................................................................................ 30

WLAN Sniffers.............................................................................................................................. 30

WEP Key Crackers ........................................................................................................................ 30

Other........................................................................................................................................... 31

Page 3 of 35 Hacking the Invisible Network

Copyright © 2002, iDEFENSE Inc. iALERT White Paper

Appendix B: Statistics................................................................................................................. 32

War Driving and Walking .............................................................................................................. 32

Appendix C: References ............................................................................................................. 34

Appendix D: IEEE Task Groups ............................................................................................... 35