Saturday, February 18, 2012

What is Wifi Security?

Everyone's on Wifi
In today's society almost every one has a cell phone and/or laptop or tablet. Either way everyone has used a wifi connection at least once before. Wifi is available almost anywhere you go, in cafes, restaurants and of course, our homes.

Summary of Topics:
- No matter where you are always use HTTPS which is a secure protocol for protecting the data you send and receive on your computer. This is the first line of defence for Data Encryption.
- Attackers can steal/view packets, if they not encrypted, they can read passwords and credit card information in plain text.
- It's always good not to broadcast your SSID, make it slightly harder for the curious.
- Hidden SSIDs are hidden but their BSSIDs aren't.
- Always filter MAC addresses because some people are very curious and like to poke around.
- Attackers can easily spoof accepted MAC addresses.
- Always use WPA2-PSK with AES encryption, this way even if people steal your packets, it will be very hard to read encrypted packets, especially if you are also using HTTPS as well.
- No encryption makes it easy for attackers and WEP is easy to crack.
- Keep good passwords on local computers as well as the router/access points.

Some terms to know(there's more that could be added):
ESSID = Extended Service Set Identification
SSID = Service Set Identification
- This is the name of the network that is being broadcasted
- Ex. "Tom's House"
BSSID = Basic Service Set Identification
- This is the MAC(Media Access Control)
- Ex. "01:23:45:67:89:ab"
WEP = Wired Equivalent Privacy
- Encryption that has 40 and 128 bit keys
WPA = Wi-Fi Protected Access
- Passworded wifi uses TKIP
WPA2-PSK = Wi-Fi Protected Access with Pre-Shared Keys
- Passworded wifi that uses AES and can use TKIP
- Uses "handshakes" for authentication
HTTP = Hypertext Transfer Protocol
- Common used on port 80 for standard web surfing
HTTPS = Hypertext Transfer Protocol Secure
- Secure web surfing that is tunnelled(SSL/TLS) on port 443

When settings up a router we configure the following:

At Home or in the Office (there are more than one way for the methods shown)

1. SSID/ESSID
It doesn't add much security, however I suggest that everyone should hide their router/wifi networks. Simply hiding the broadcast of the SSID from the world will help deter hackers and annoying gamers from wanting break into your router/network to see if they can and poke around or simple just to obtain free Internet. Let alone, this doesn't do much because people can still find and attempt to connect to routers/networks that are hiding their SSID by simply scanning or by turning their wireless cards in monitor mode, you can view network BSSIDs as well as client's MAC addresses:
sudo iwlist wlan0 scan
or
sudo airmon-ng wlan0 start
sudo airodump-ng mon0

2. MAC Address Filtering
Everyone's first line of defence by far should be MAC address filtering. There are two types of MAC address filtering: MAC address control for wifi and wired connections and MAC address filtering for just wireless connections. The most important one to use is MAC address filtering for wifi connections. Someone would have to break into your house or office to use the wired connection anyway and if someone breaks into your facility there are way bigger problems than connecting to a network. MAC address filtering will stop most people who usually poke around at other people's wifi networks. Routers have a list of MAC address that are either "Allowed" or "Denied" to connect to the router. This allows you to simply control who can connect and those who cannot. However, once again, this hardly does much to stop an attacker or someone who simply wants free Internet. If someone is near by, they can simply scan for networks nearby. After scanning nearby networks, attackers can change or "spoof" their MAC address temporarily:
sudo ifconfig wlan0 down
sudo ifconfig wlan0 hw ether 01:23:45:67:89:ab
sudo ifconfig wlan0 up
or another way
sudo ip addr
sudo ip link set dev wlan0 address 01:23:45:67:89:ab
The easiest way it use GNU MAC Changer.
3. Wifi Encryption
Today there are generally three types of encryption for wireless networks: None, WEP(40-bit and 128-bit keys), WPA(WPA-TKIP and WPA2-CCMP). I can't stress this enough to use encryption because attackers do not even need to be on your network to steal your data. If you are not using encryption attackers can simply use tools to capture your wireless packets and steal your data. (more on Packet Analysis) It is also very important that you always use HTTPS when available. Secure sessions are important to prevent session hijacking or phishing websites because it encrypts the data coming in and leaving port 443 instead of using the default port of 80 for HTTP that is not encrypted. So even if the attacker scans for hidden SSIDs and finds some client's MAC addresses that are connected to some routers and spoofs his MAC address in order to connect to the network of his choice, wifi encryption is the next line of defence. While connecting to the network the attacker will be prompted with a password/passphrase in order to actually access and gain Internet access. Obviously these can be guessed or brute-forced, that's why it is very important to have a very hard and obfuscated password.(generate one here Random Password Generator) Create passwords that are very long and use random characters. Since passwords can be brute-forced, it is important to implement "passphrases". A pass phrase a group of a words for a password, which makes it harder to guess because it is longer and uses many words which helps defeat the purpose of brute-forcing(dictionary attack). When choosing an encryption, it is best to go with the latest and greatest WPA2-PSK which is more secure than WPA. WEP, can be easily cracked with tools such as Aircrack and CoWPAtty. Attackers that are not even connected to your network can capture your packets and then crack the WEP key. WPA2 uses a better encryption, AES encryption and isn't crackable because of the handshakes it uses for authentication. Even if the attacker catches your packets and you were using WEP or WPA/WPA2 it would make it very hard for the attacker to read them. To crack WPA2, an attacker would have to capture your packets and then run a dictionary attack which would take a very long time, making WPA2-CCMP(AES encryption) the best standard to use.

4. Inside the Network/Router
So say if the attacker simply logged in your router because you have no encryption or cracked your WEP key, he can now see all the computer on the network by scanning the network by using tools such as Nmap:
ifconfig - view internal ip
Ex. "192.168.1.65" - usually means he is the 64th client, being that the router/access point is on 192.168.1.1
nmap 192.168.1.0/24 - the "/24" indicates "192.168.1.1 - 192.168.1.255
or
sudo nbtscan -r 192.168.1.0/24 - scans the local network, shows hostnames
Since the attacker can see everything on the network they can try to attack individual computers, the router itself or just capture packets. Since the attack is on the network, regardless of encryption or not, they are physically on the network and can see what you are doing. If they try to access the router, it is very important that you have strong passwords on the router as well. Since the router is usually on the "192.168.1.1", attackers can type that in the address bar of their browsers and see if there is a router admin page. It is very important to change the default passwords because an attacker can simply just guess or Google the default password. If they still can't get in the easy way, they can try brute forcing the password using tools such as THC Hydra.

Topics to Read:

http://en.wikipedia.org/wiki/MAC_address
http://en.wikipedia.org/wiki/Wireless_cracking
http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
http://en.wikipedia.org/wiki/Packet_analyzer
http://en.wikipedia.org/wiki/Wi-Fi
http://en.wikipedia.org/wiki/IEEE_802.11
http://en.wikipedia.org/wiki/Wireless_security