Part 2 Wireless Technology is all encompassing now days. It seems wireless networks are - PowerPoint Presentation

volatilenestle

Uploaded On 2020-06-19

Presentation Transcript

Slide1

Part 2

Slide2

Wireless technology is all encompassing nowadays. It seems wireless networks are everywhere, from coffee shops to shopping centers. But wireless also includes GPS, satellites, radio stations, cellular phone networks, and let's not forget your car, because all new cars have their own IP addresses.

Wireless is Global

The standard radio frequencies run in the range of 3 Hz to 300 GHz. There are other frequencies in use; for example, 222 MHz through 225 MHz is for amateur radio. If you're interested in which frequencies your country uses for what, take a look at the frequency allocation chart.

Part 2 is designed to give one a deeper understanding of how wireless networks work, and how the different technologies function when it comes to transmitting, authenticating and managing users. Once you know how something works, it's a lot easier to take something that is already published on a web site or blog and make it better. A little knowledge can take one to a new level of understanding ..... RUN SILENT GO DEEP...!

Slide3

USA Frequency Allocation Chart

https://upload.wikimedia.org/wikipedia/commons/d/df/United_States_Frequency_Allocations_Chart_2011_-_The_Radio_Spectrum.pdf

Slide4

Foot Printing Wireless

One of the biggest threats to any wireless system is the threat of interception, because any type of radio transmission that is broadcast leaves a footprint.

In the beginning we had the 802.11 protocol's Wired Equivalent Privacy (WEP), which had serious security flaws. When the WEP 802.11 network standard came out it used an RC4 40-bit key. However, it did not take long before a major flaw was found in the way it fed data to the RC4 algorithm, which allowed attackers to derive the secret key. In order to fix this major design flaw, WPA was created.

In addition, cell phone networks added protocols like the Cellular Message Encryption Algorithm (CMEA), which is a lot like the DES used in Code Division Multiple Access (CDMA). But the DES system for the most part has also had its security problems. Then along came the AES algorithm for CDMA2000, which made it harder for hackers to intercept and decrypt data, but it too has its flaws.

Slide5

Foot Printing Wireless

The Bluetooth platform has also needed upgrading, and a new version of its protocol allows for periodic encryption key renegotiation. By renegotiating the keys, attackers have a harder time recovering the key or intercepting the data.

Bluetooth is used on everything from wireless keyboards to cell phones. An attacker can sit down next to you at your local coffee shop, pick up the transmission from your Bluetooth device, and do any number of things, from reading your keyboard inputs to intercepting your cell phone traffic.

The newer versions of Bluetooth have implemented security features, one of which forces periodic encryption key renegotiation, but that depends on whether you have a version that is up to date with the added feature.

With the explosion of Bluetooth technology there are any number of attacks one could carry out on a person, even if the range is limited in nature.

Slide6

Blue-Jacking

Blue-jacking basics:

1) The best place should have plenty of mobile users, like a coffee shop or mall.

2) Go into the contact list in your Address Book.

3) Create a new contact.

4) Enter your message into the name field.

5) Save the contact.

6) Choose "send via Bluetooth." Your phone will search for devices within range.

7) Choose a phone and send the contact.

8) Depending on the phone, you will get a message "card sent."

9) Listen for the SMS message tone on your victim's phone.

For more sophisticated attacks you will need a program called "Bluesnarfer." It's an add-on program for Kali/Backtrack 5 and is very easy to install.

https://www.youtube.com/watch?v=HC1yEOCNrNg

Slide7

Basic Communications

The modulation used for the standard analog-to-digital wireless conversion differs. The baseband analog signal is the lowest-frequency signal in radio and is too low for RF transmission; that is why you have a transceiver. The transceiver handles converting the low-frequency baseband signal into a higher-frequency RF signal.

Slide8

Wireless Structure

The existence of electromagnetic waves makes transmission of RF signals over wireless links possible. These waves are time-varying and able to propagate through space. Two things to remember: the frequency of the signal and the environment in which it travels.

Voltage is another thing one can consider when looking at hacking a wireless network. There have been hacks using higher voltages to overpower a network. Moreover, current is measured in amperes (amps). One can use a combination of voltage and current to take over a wireless network if all else fails and you can't break the encryption.

Most routers will have their power output and the modulation levels being used printed on the back. Modulation is the process of transmitting data onto an analog carrier. Data is converted from its native format (analog or digital) into an analog signal that works with the RF transmission. Given the right amount of power you could, in a sense, inject a packet that will cause the wireless device to reset. So modulation is one attack vector one can use to corrupt a router.

Slide9

Modulations

Modulations are separated into two categories: analog and digital. The two basic types of modulation are amplitude and frequency modulation.

The different types of modulation:

Pulse Modulation (PM)

Amplitude Modulation (AM) - most common

Frequency Modulation (FM) - classic modulation.

Digital modulation converts a digital bit-stream into an analog signal suitable for RF transmission. Phase shift keying (PSK) is one of the simplest digital modulation techniques and is also one of the most robust. In PSK modulation you have two common forms: binary phase shift keying (BPSK) and quadrature phase shift keying (QPSK). Quadrature Amplitude Modulation (QAM) digital modulation is capable of extremely high data rates.

Slide10

Spread Spectrum

Spread spectrum and multiplexing are two methods for sharing a fixed amount of bandwidth, needed because there is only so much room within the RF spectrum.

Spread spectrum operates by taking an ordinary communication signal and then spreading it across a wider bandwidth.

There are two unique variants of a spread spectrum signal:

Frequency Hopping Spread Spectrum (FHSS), which rapidly changes the frequency.

Direct Sequence Spread Spectrum (DSSS), which is used the most. DSSS is a technique that adds noise to the channel in order to hide its pattern. The key to the noise is that it's not really noise but a pseudorandom code called a PN sequence. With the right code in place one can separate the signal from the rest of the spectrum and read the message.
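As an added example that is not part of the original presentation, the following Python models the modulation slide and the DSSS slide together: data bits are spread with a 31-chip PN sequence from a linear-feedback shift register (a constructed code, not the 11-chip code 802.11 DSSS actually uses), BPSK-modulated onto a carrier, passed through constructed Gaussian noise, then coherently demodulated and despread. Despreading with the correct PN code recovers the bits with a normalised correlation near 1; despreading with a shifted copy of the same code leaves only noise-level correlation, which is what "the right code" on the slide buys you. The message, noise level and seeds are all assumptions of the example.

```python
import math
import random

SAMPLES_PER_CHIP = 8
CYCLES_PER_CHIP = 2
# One chip period of the carrier; two full cycles per chip make the
# in-phase correlation of a clean chip exactly 4 (sum of cos^2 over the period).
CARRIER = [math.cos(2 * math.pi * CYCLES_PER_CHIP * n / SAMPLES_PER_CHIP)
           for n in range(SAMPLES_PER_CHIP)]


def lfsr_pn(seed, length=31):
    """5-bit Fibonacci LFSR for x^5 + x^2 + 1: a maximal-length 31-chip PN
    sequence in +/-1 form. Different nonzero seeds give cyclic shifts of the
    same sequence. Constructed for this example, not 802.11's own code."""
    if not 0 < seed < 32:
        raise ValueError("seed must be a nonzero 5-bit value")
    state = [(seed >> i) & 1 for i in range(5)]
    chips = []
    for _ in range(length):
        chips.append(1 if state[0] else -1)
        feedback = state[0] ^ state[2]
        state = state[1:] + [feedback]
    return chips


def spread(bits, pn):
    """DSSS spreading: every data bit becomes len(pn) chips (bit XOR code)."""
    chips = []
    for bit in bits:
        sign = 1 if bit else -1
        chips.extend(sign * c for c in pn)
    return chips


def bpsk_modulate(chips):
    """BPSK: chip +1 sends the carrier, chip -1 sends it inverted (180 degrees)."""
    return [c * x for c in chips for x in CARRIER]


def add_noise(samples, sigma, seed=1):
    """Constructed additive white Gaussian noise with a fixed seed."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


def bpsk_demodulate(samples):
    """Coherent detection: correlate each chip period against the carrier."""
    return [sum(x * c for x, c in zip(samples[i:i + SAMPLES_PER_CHIP], CARRIER))
            for i in range(0, len(samples), SAMPLES_PER_CHIP)]


def despread(chip_estimates, pn):
    """Correlate against the PN code. Returns (bits, mean |correlation|),
    normalised so that a clean, correctly coded signal scores 1.0."""
    n = len(pn)
    peak = n * sum(c * c for c in CARRIER)
    bits, scores = [], []
    for i in range(0, len(chip_estimates), n):
        corr = sum(x * c for x, c in zip(chip_estimates[i:i + n], pn))
        bits.append(1 if corr > 0 else 0)
        scores.append(abs(corr) / peak)
    return bits, sum(scores) / len(scores)


def dsss_link(bits, tx_code, rx_code, sigma=0.5):
    """End to end: spread, modulate, add noise, demodulate, despread with rx_code."""
    rx = add_noise(bpsk_modulate(spread(bits, tx_code)), sigma)
    return despread(bpsk_demodulate(rx), rx_code)


if __name__ == "__main__":
    message = [1, 0, 1, 1, 0, 0, 1, 0]
    code = lfsr_pn(seed=1)
    shifted = lfsr_pn(seed=2)  # same generator, wrong phase: a listener without the code
    print("correct code:", dsss_link(message, code, code))
    print("wrong code:  ", dsss_link(message, code, shifted))
```

The processing gain is visible in the numbers: each chip is detected with a margin of 4 against noise of standard deviation 1, and despreading sums 31 such chips, so the data bits survive noise that would make a single unspread bit unreliable, while a receiver with the wrong code phase sees a correlation of roughly zero and cannot even tell which bits were sent.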

Slide11

Spread Spectrum

Time Division Multiple Access (TDMA) multiplexes the channels, dividing each channel into a finite number of timeslots. Each user is allotted a segment of time, and then the cycle starts over again.

Orthogonal Frequency Division Multiplexing (OFDM): this method divides the bit-stream into several lower-speed bit-streams, then modulates those bit-streams onto separate subcarriers. In its cleanest form this achieves higher-throughput wireless communications than traditional modulation techniques normally achieve.

OFDM is a popular scheme for wideband digital communication today, used in DSL Internet access, wireless networks, power-line networks, and 4G mobile communications.

The advantage of OFDM over single-carrier schemes is its ability to cope with severe channel conditions (for example, attenuation in a long copper wire, or frequency-selective fading due to multipath).

Slide12

Wireless Standards

All the wireless LAN specifications are contained within the IEEE 802.11 standards. There are numerous 802.11 standards in existence today; the most prevalent ones in use are 802.11a, 802.11b, 802.11g, and 802.11n, etc.

Slide13

Wireless Frame Structure

WLAN communication is done with frames, and below is your basic frame structure. The most interesting part of the structure is the 2-byte "Frame Control" field, because it holds an array of complex information one can use when analyzing a frame for different methods of attack.

Slide14

Tools of the Trade

Aircrack and WireShark

Aircrack:

Kali Linux includes Aircrack-ng as part of its package, and there are numerous examples on the internet of how to use it. It is a network packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic.

WireShark:

Wireshark is also included with Kali.

Wireshark allows you to put network interface controllers into promiscuous mode, which will let you see most traffic coming across the network, not just traffic addressed to you. It allows the user to display TCP/IP and other packets being transmitted or received over the network. Putting a NIC in promiscuous mode may not let you see all the traffic sent to a port, but port mirroring and other network taps will extend capture to the point where you can see a lot of the traffic.

Slide15

Hidden Node Problem

The 802.11 platform is unique in that two nodes can be connected to an Access Point (AP) but not hear each other's transmissions (the Hidden Node Problem).

This can cause a collision at the AP, so to avoid this problem two control packets were included:

Request to Send (RTS)

Clear to Send (CTS)

Slide16

Hidden Node Problem

There are also two other control packets, PS-Poll and acknowledgment (ACK). PS-Poll packets are used to retrieve buffered packets from the AP.

One interesting note is that control packets can interact with unrelated networks on the same channel. So if your neighbor has a network and your AP sends out a Clear to Send (CTS) packet, the 802.11 design cannot authenticate it; it will go right through and be accepted by the neighbor's AP.

Slide17

802.11 Packets

The 802.11 packet structure can have as many as three addresses:

Source Address

Destination Address

Basic Service Set ID (BSSID)

The BSSID identifies the AP and its associated stations; it is the MAC address of the AP. The other parts of the packet tell it where it's coming from and where it's going to.

Not all packets have three addresses, because the IEEE body which sets the standards for wireless communications wants to minimize overhead as much as possible. They also name these addresses differently: a destination address is called the receiver address, and the source address is called the transmitter address.
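As an added example (not from the original presentation), the following Python decodes the 2-byte Frame Control field and the address fields discussed on the last few slides, including the RTS, CTS and PS-Poll control frames, and assigns the receiver/transmitter/source/destination/BSSID roles from the To DS and From DS bits the way the standard defines them. The three sample frames are constructed with locally administered MAC addresses, and the small counter at the end is a defender's check: how many deauthentication or disassociation frames each source address sent, which is the kind of thing you would watch for since those frames are unauthenticated.

```python
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 2: "reassoc-req", 3: "reassoc-resp",
                 4: "probe-req", 5: "probe-resp", 8: "beacon", 10: "disassoc",
                 11: "auth", 12: "deauth", 13: "action"}
CTRL_SUBTYPES = {8: "block-ack-req", 9: "block-ack", 10: "ps-poll", 11: "rts",
                 12: "cts", 13: "ack"}


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame):
    """Decode Frame Control, Duration and the address fields of an 802.11 MAC header."""
    if len(frame) < 10:
        raise ValueError("too short: need Frame Control, Duration and Address 1")
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    hdr = {
        "version": fc & 0x3, "type": FRAME_TYPES.get(ftype, "reserved"), "subtype": subtype,
        "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
        "more_frag": bool(flags & 0x04), "retry": bool(flags & 0x08),
        "pwr_mgt": bool(flags & 0x10), "more_data": bool(flags & 0x20),
        "protected": bool(flags & 0x40), "order": bool(flags & 0x80),
        "duration": int.from_bytes(frame[2:4], "little"),
    }
    addr1 = mac(frame[4:10])
    if ftype == 1:  # control frames carry only RA, plus TA for RTS and PS-Poll
        hdr["name"] = CTRL_SUBTYPES.get(subtype, f"control-{subtype}")
        hdr["receiver"] = addr1
        if subtype in (10, 11):
            hdr["transmitter"] = mac(frame[10:16])
        return hdr
    if len(frame) < 24:
        raise ValueError("too short for a management or data header")
    addr2, addr3 = mac(frame[10:16]), mac(frame[16:22])
    seq_ctrl = int.from_bytes(frame[22:24], "little")
    hdr["sequence"], hdr["fragment"] = seq_ctrl >> 4, seq_ctrl & 0xF
    if ftype == 0:  # management frames: DA, SA, BSSID
        hdr["name"] = MGMT_SUBTYPES.get(subtype, f"management-{subtype}")
        hdr.update(destination=addr1, source=addr2, bssid=addr3)
        return hdr
    hdr["name"] = "qos-data" if subtype & 0x8 else "data"
    hdr.update(receiver=addr1, transmitter=addr2)
    if not hdr["to_ds"] and not hdr["from_ds"]:   # ad hoc (IBSS)
        hdr.update(destination=addr1, source=addr2, bssid=addr3)
    elif hdr["from_ds"] and not hdr["to_ds"]:     # AP -> station
        hdr.update(destination=addr1, bssid=addr2, source=addr3)
    elif hdr["to_ds"] and not hdr["from_ds"]:     # station -> AP
        hdr.update(bssid=addr1, source=addr2, destination=addr3)
    else:                                         # WDS: a fourth address follows
        if len(frame) < 30:
            raise ValueError("four-address frame needs 30 header bytes")
        hdr.update(destination=addr3, source=mac(frame[24:30]))
    return hdr


def count_deauths(frames):
    """Defender's view: deauth/disassoc frames per source address (all unauthenticated)."""
    counts = {}
    for f in frames:
        h = parse_header(f)
        if h["type"] == "management" and h["name"] in ("deauth", "disassoc"):
            counts[h["source"]] = counts.get(h["source"], 0) + 1
    return counts


# Constructed sample frames (FCS omitted); all MAC addresses are locally administered.
AP_MAC = bytes.fromhex("02a1b2c3d4e5")
STA_MAC = bytes.fromhex("021122334455")
DST_MAC = bytes.fromhex("02aabbccddee")
# Data frame from a station to its AP: To DS=1, Protected=1, sequence number 1.
DATA_FRAME = bytes([0x08, 0x41]) + b"\x2c\x00" + AP_MAC + STA_MAC + DST_MAC + b"\x10\x00"
# CTS: control type, subtype 12, only a receiver address.
CTS_FRAME = bytes([0xc4, 0x00]) + b"\x00\x00" + AP_MAC
# Deauthentication: management subtype 12, DA=station, SA=BSSID=AP, reason code 7.
DEAUTH_FRAME = (bytes([0xc0, 0x00]) + b"\x00\x00" + STA_MAC + AP_MAC + AP_MAC
                + b"\x20\x00" + b"\x07\x00")

if __name__ == "__main__":
    for f in (DATA_FRAME, CTS_FRAME, DEAUTH_FRAME):
        print(parse_header(f))
    print(count_deauths([DEAUTH_FRAME] * 5 + [DATA_FRAME]))
```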

Slide18

Wireless Cards and Monitor Mode

Monitor mode: you will need a card that can be placed in this state. But there are a number of different cards and operating systems. You have to decide for yourself what you want to use, but Linux has the most options when it comes to OS support and tools for hacking.

You not only want a card that can be put in monitor mode, but one you can do packet injection with.

Here are a few links that list cards, chipsets, drivers, and the operating systems they work with.

http://www.aircrack-ng.org/doku.php?id=compatible_cards

http://forum.aircrack-ng.org/index.php/board,2.0.html

http://broadcom.rapla.net/

http://ralink.rapla.net/

Slide19

OSI – TCP/IP Model and Devices running within each Layer

Slide20

Wireless Network Authentication

As the Point-to-Point Protocol (PPP) matured, a better method of authenticating users was needed. In the beginning the standards were the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP).

Basically how CHAP works: your ISP sends out a random challenge; you take your password and the challenge, compute a hash value, and send it back to the ISP.

Later came the Extensible Authentication Protocol (EAP) design structure. Authentication-specific details are within the Type-Data field.

One problem with EAP messaging is that every modem bank (called a Point of Presence) needs its own copy of the username/password within its database.
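To make the challenge/response above concrete, here is an added Python model of one CHAP round (RFC 1994, which computes MD5 over the identifier, the shared secret and the challenge) with both the peer side and the authenticator side, plus PAP for contrast. It is example code, not the presentation's; the user database and the secret are constructed. It also shows the database problem the slide ends on: the authenticator must hold the secret itself, not a hash of it, so every Point of Presence needs its own copy.

```python
import hashlib
import hmac
import os

# Constructed: the authenticator's (Point of Presence) copy of each user's secret.
# CHAP recomputes MD5 over the secret, so a one-way hash of the password would not do.
USER_DB = {"alice": b"correct horse battery staple"}


def chap_response(identifier, secret, challenge):
    """Peer side (RFC 1994): Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(user, identifier, challenge, response):
    """Authenticator side: recompute the expected response and compare in constant time."""
    secret = USER_DB.get(user)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_verify(user, password):
    """PAP for contrast: the password itself travels over the link in the clear."""
    secret = USER_DB.get(user)
    return secret is not None and hmac.compare_digest(secret, password)


def chap_exchange(user, peer_secret, identifier=1, challenge=None):
    """One full CHAP round: the authenticator issues a fresh random challenge, the
    peer answers with what it believes the secret is, the authenticator decides.
    Returns (challenge, response, accepted)."""
    challenge = challenge if challenge is not None else os.urandom(16)
    response = chap_response(identifier, peer_secret, challenge)
    return challenge, response, chap_verify(user, identifier, challenge, response)


if __name__ == "__main__":
    print(chap_exchange("alice", b"correct horse battery staple")[2])  # accepted
    print(chap_exchange("alice", b"guess")[2])                         # rejected
```

Because the challenge is fresh every time, a response captured from the link is useless against the next challenge, which is the property PAP lacks; the cost is that the secret must sit in plaintext on every authenticator, which is what RADIUS on the next slides centralises.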

Slide21

Wireless Network Authentication

Remote Authentication Dial-In User Service (RADIUS)

The protocol forwards EAP messages from the authenticator to the authentication server, called the RADIUS server. It was originally designed to solve the EAP username/password database problem when using CHAP/PAP authentication over PPP. Below is your basic network setup.

Slide22

Wireless Network Authentication

RADIUS terminology does not match up well with what is used in EAP or 802.1X. EAP typically runs directly over the link layer, but the Institute of Electrical and Electronics Engineers (IEEE) decided it would work better running directly on top of Ethernet, which the IEEE called EAP over LAN (EAPOL).

WPA2 is the most commonly used Wi-Fi wireless encryption system today. It replaced WPA in 2006, and before that the WEP standard. WPA2 is based on the IEEE 802.11i standard and is quickly becoming obsolete itself.

Slide23

Wireless Network Authentication

The authentication aspect of 802.11i looks like a user plugging their laptop directly into an 802.1X-protected Ethernet jack. But instead of passing EAP packets (wrapped in EAPOL) over Ethernet, the packets are passed over 802.11.

Slide24

Wireless Network Authentication

Wi-Fi Protected Access 2 (WPA2) is based on IEEE 802.11i, which is the newest wireless security protocol format. It has stronger encryption and, with the Extensible Authentication Protocol (EAP), better key management and protection from replay attacks, along with other added security features.

In addition, to prevent users from being tricked by rogue access points, and to stop attackers from simply stealing the MAC address of authenticated stations, 802.11i requires that the access point and the user share a secret key. In 802.11i terminology, this key is called the pair-wise master key (PMK).

In July 2010, a security vendor claimed there was a vulnerability within the WPA2 protocol, but after an investigation it turned out not to be true. The protocol is susceptible to man-in-the-middle attacks, but if the security architect does his/her job such an attack would not succeed.

While WPA2 can work with TKIP, there is a vulnerability within TKIP found in November 2008, so TKIP is no longer considered secure and you should use AES.

Slide25

The older DES encryption standard was replaced with the newer Advanced Encryption Standard (AES) because DES was found to have major security issues. There were many different flavors of DES, but here is its basic makeup along with an overview of AES.

Data Encryption Standard (DES)

DES is a symmetric block encryption algorithm. When 64-bit blocks of plaintext go in, 64-bit blocks of ciphertext come out. It is a symmetric algorithm, meaning the same key is used for encryption and decryption. It uses a 64-bit key: 56 bits make up the true key, and 8 bits are used for parity.

Advanced Encryption Standard (AES)

AES, on the other hand, was originally called Rijndael, which is the algorithm that AES runs on. The block sizes that Rijndael (AES) supports are 128, 192, and 256 bits. The number of rounds depends upon the size of the block and the key length:

• If both the key and block size are 128 bits, there are 10 rounds.

• If both the key and block size are 192 bits, there are 12 rounds.

• If both the key and block size are 256 bits, there are 14 rounds.

DES vs. AES Protocols

Slide26

The 802.11i standard includes CCMP. AES, as many know, is the encryption algorithm used by 802.11i, but AES is simply a block cipher; the actual encryption protocol is CCMP. 802.11i also allows TKIP encryption, which as mentioned before is not considered secure now, and here are some of the reasons why.

Temporal Key Integrity Protocol (TKIP)

The TKIP attack uses a mechanism similar to the WEP attack, in which an attacker tries to decode one byte at a time by using multiple replays. If he/she can decode small packets like ARP frames, and if Quality of Service (QoS) is enabled on the network, he/she should be able to inject further packets and collect enough information to compromise the network.

These types of attacks are called ARP poisoning and can lead to others like DNS manipulation or denial of service attacks.

Although this is not a key recovery attack and may not lead to compromise of TKIP keys or decryption of all subsequent frames, it's still a risk to all TKIP implementations on both WPA and WPA2 networks.

Wireless Networks TKIP

Slide27

The diagram below shows authentication with a server using EAP-TLS. TLS is the successor of the SSL protocol, which should be retired by June 30th, 2016.

EAP-TLS uses TLS for three things: to authenticate the server to the client, to authenticate the client to the server, and finally to generate a cryptographically secure session key.

Wireless Networks EAP-TLS Authentication

Slide28

You see in the previous diagram, "EAP-TLS Authentication", that the RADIUS server is not only telling the access point to accept the user's authentication, but delivering the Pair-wise Master Key (PMK) to the AP. The RADIUS server does this because the access point has no idea what session key the client and authentication server negotiated.

EAP-TLS is well designed and makes it hard for an eavesdropper to determine what PMK the client and the authentication server have negotiated.

Note: Carrier Sense Multiple Access (CSMA)

Carrier Sense Multiple Access (CSMA) is an access protocol that uses the absence/presence of a signal on the medium to decide who has permission to speak; otherwise the frames being transmitted are unreadable.

CSMA uses two variations to detect collisions. On a LAN it requires the device to announce its intention to transmit by broadcasting a jamming signal. Other devices on the network hear the jamming signal and know not to transmit, otherwise a collision will happen. After sending it, the device waits to ensure that all devices have received the jamming signal, and then it broadcasts its frames on the medium. CSMA/CA is used in the IEEE 802.11 wireless standard.

Wireless Networks EAP-TLS

Slide29

The 802.11i key hierarchy defines ways the pair-wise master key (PMK) can be used to set up temporary keys. When TKIP is being used, four temporal keys are created: one for encryption, one for integrity, and two others not delved into here. TKIP uses two unique 64-bit keys for integrity, one for transmission and the other for receiving.

EAP Authentication 802.11 Four-way Handshake

The four-way handshake consists of the AP sending the client its nonce (a number used only once). Once the client has the A-nonce, he/she chooses their own S-nonce and derives the pair-wise transient key (PTK). The client takes the S-nonce and puts it into an EAPOL-Key message, sending it along with a computed Message Integrity Check (MIC) back to the AP. This proves to the AP that he/she knows the PMK: if the client didn't know the PMK, they could not have derived the PTK, and without it could not have computed the MIC.

EAP On top of 802.11 Diagram

Slide30

In the 802.11i platform, the Message Integrity Check is also known as the Message Authentication Code (MAC). The MIC's goal is to prevent the data from being modified in transit, but this does not stop an attacker from playing with the bits and messing with the message's hash code so no one can read it. The key used in 802.11i is the temporal integrity key (contained in the PTK).

The MIC is constructed as follows:

MIC = hash(packet, temporal integrity key)

Below is a diagram of a packet processed by 802.11i. The field contains parameters specific to TKIP/CCMP - Cipher Block Chaining Message Authentication Code (CBC-MAC). The formats can vary, but the important part is the Initialization Vector, which I talked about in Part 1 of this two-part wireless presentation.

802.11i Message Integrity Check

Slide31

Replay attacks have caused the downfall of WEP and other processes within the 802.11 platform, as mentioned earlier.

One of the solutions to replay attacks has been to increment a number for every packet passing between the client and the access point. In TKIP it's called the TKIP Sequence Counter (TSC); in CCMP it's just a Packet Number (PN). All the AP has to do in order to check whether a packet is a replay is to compare the number against the serial numbers it has already seen. From what I have found out, it's most likely a sequential number, and if it's an older number the AP will just drop the packet.

Some of the best ways to pick up these packets is by implementing a passive scanning approach, since passive scanning tools don't transmit packets, they just listen to the network as packets are being transmitted. Passive scanning also generates better results than active scanning, because active scanning can only process two types of packets: probe replies and beacons.

Replay Attacks
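The replay check described above, as an added Python example that is not part of the presentation: the 48-bit packet number is pulled out of the 8-byte CCMP header (PN0, PN1, reserved, key-id/ExtIV octet, PN2 to PN5, in that order), and a receiver keeps the highest PN seen per transmitter and key id, dropping anything that does not strictly increase. The packet list and addresses are constructed; the `ccmp_header` builder exists only to produce that input.

```python
class CcmpHeaderError(ValueError):
    pass


def ccmp_header_fields(header):
    """Split an 8-byte CCMP header into (pn, key_id, ext_iv).
    Layout: PN0 PN1 reserved KeyID-octet PN2 PN3 PN4 PN5; the PN is 48 bits, little-endian."""
    if len(header) < 8:
        raise CcmpHeaderError("CCMP header is 8 bytes")
    key_octet = header[3]
    if not key_octet & 0x20:
        raise CcmpHeaderError("ExtIV bit not set: not a CCMP header")
    pn = int.from_bytes(header[0:2] + header[4:8], "little")
    return pn, (key_octet >> 6) & 0x3, True


class ReplayFilter:
    """Per (transmitter, key id) replay counter, as an 802.11i receiver keeps it."""

    def __init__(self):
        self.highest = {}
        self.dropped = 0

    def accept(self, transmitter, header):
        """True if the PN is strictly newer than anything seen from this transmitter/key."""
        pn, key_id, _ = ccmp_header_fields(header)
        key = (transmitter, key_id)
        if pn <= self.highest.get(key, -1):
            self.dropped += 1
            return False
        self.highest[key] = pn
        return True


def ccmp_header(pn, key_id=0):
    """Build a CCMP header for a given packet number (used only to construct test input)."""
    raw = pn.to_bytes(6, "little")
    return raw[0:2] + b"\x00" + bytes([0x20 | (key_id << 6)]) + raw[2:6]


def run_filter(packets):
    """packets: iterable of (transmitter, ccmp_header). Returns the accept/drop decisions."""
    f = ReplayFilter()
    return [f.accept(ta, hdr) for ta, hdr in packets]


if __name__ == "__main__":
    ta = "02:11:22:33:44:55"  # constructed, locally administered
    stream = [(ta, ccmp_header(1)), (ta, ccmp_header(2)),
              (ta, ccmp_header(2)),   # replay of PN 2
              (ta, ccmp_header(5)), (ta, ccmp_header(4))]  # 4 arrives after 5: stale
    print(run_filter(stream))  # [True, True, False, True, False]
```

Note that a real receiver keeps one counter per key (and per traffic class for QoS data); the check only works because the PN is never reused under the same temporal key, which is why a rekey resets it.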

Slide32

One of the most effective ways to prevent WPA-PSK attacks is to pick a good passphrase.

Don't use dictionary words!

Don't let the system automatically type in the passphrase!

Change your passphrase regularly!

Choose a unique SSID – anything but linksys! The easiest way with Linksys is to just add random numbers to the SSID.

Remember, if the attacker successfully recovers your PMK they can most likely decrypt your WPA-PSK session. Creating a strong passphrase makes it a lot harder for the attacker to use a dictionary attack. Moreover, check to see if your AP supports using different passphrases; this will minimize the damage an attacker can do if they do gain access.

Finally: if the attacker recovers the PMK they still need to capture the four-way handshake so they can derive the PTK. This can be accomplished by transmitting a de-authentication packet to the victim.

WPA-PSK Dictionary Attacks
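As an added example (not the presentation's code) covering the four-way handshake and MIC on the earlier slides together with the passphrase/SSID advice on this one, the following Python derives the PMK the way WPA-PSK does (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 256 bits), expands it to the PTK with the 802.11i PRF from both MAC addresses and both nonces, and models message 2 of the handshake from both sides: the supplicant builds a minimal EAPOL-Key frame carrying its SNonce and the HMAC-SHA1 MIC (key descriptor version 2, as used with CCMP), and the authenticator reads the SNonce back out, derives its own PTK and compares the MIC. The MAC addresses, nonces and passphrases are constructed; messages 3 and 4 are not modelled. Because the SSID is the salt, the same passphrase on two SSIDs gives two different PMKs, which is why the slide tells you not to keep the default SSID, and because everything except the passphrase is visible on the air, the passphrase is the only secret standing between a captured handshake and the PTK.

```python
import hashlib
import hmac

MIC_OFFSET = 81     # 802.1X header (4) + EAPOL-Key fields up to the Key MIC field
NONCE_OFFSET = 17   # offset of the Key Nonce field inside the EAPOL-Key frame


def pmk_from_passphrase(passphrase, ssid):
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter) concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, nbytes=48):
    """PTK = PRF(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    48 bytes for CCMP: KCK (16) || KEK (16) || TK (16). KCK keys the EAPOL MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def eapol_mic(kck, frame):
    """Key MIC, descriptor version 2: HMAC-SHA1 over the frame with the MIC field zeroed, 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce):
    """Minimal constructed EAPOL-Key message 2 (RSN descriptor, version 2, pairwise, MIC bit)."""
    body = (b"\x02"                    # descriptor type: RSN
            + b"\x01\x0a"              # key information: version 2, pairwise, MIC present
            + b"\x00\x10"              # key length
            + (1).to_bytes(8, "big")   # replay counter
            + snonce                   # key nonce (32 bytes)
            + b"\x00" * 16             # key IV
            + b"\x00" * 8              # key RSC
            + b"\x00" * 8              # reserved
            + b"\x00" * 16             # key MIC, filled in by the supplicant
            + b"\x00\x00")             # key data length
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def supplicant_msg2(passphrase, ssid, aa, spa, anonce, snonce):
    """Station side: derive the PTK from its passphrase, build message 2 and MIC it."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    frame = build_msg2(snonce)
    return frame[:MIC_OFFSET] + eapol_mic(ptk[:16], frame) + frame[MIC_OFFSET + 16:]


def authenticator_verify_msg2(passphrase, ssid, aa, spa, anonce, msg2):
    """AP side: read the SNonce out of message 2, derive its own PTK, check the MIC."""
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_mic(ptk[:16], msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16])


if __name__ == "__main__":
    ap, sta = bytes.fromhex("02a1b2c3d4e5"), bytes.fromhex("021122334455")  # constructed
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                # constructed
    msg2 = supplicant_msg2("constructed-passphrase", "ExampleNet", ap, sta, anonce, snonce)
    print(authenticator_verify_msg2("constructed-passphrase", "ExampleNet", ap, sta, anonce, msg2))
    print(pmk_from_passphrase("same passphrase", "linksys").hex())
    print(pmk_from_passphrase("same passphrase", "linksys-7391").hex())
```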

Slide33

The most effective method when setting up WPA/WPA2 is to use WPA2 with CCMP (AES-based encryption), not WPA TKIP (RC4-based encryption), some of whose problems I outlined earlier in the presentation.

A better option if you're a company is to decide between WPA-PSK and an enterprise authentication scheme complete with a RADIUS server. WPA-PSK is really not the best option, because if the attacker can compromise the key, whether by social engineering or some other means, they will be able to read all the network traffic until the next key change.

If your organization already has a RADIUS server set up for authentication, extending it to the wireless network is pretty straightforward. One thing that could be a problem is that the EAP authentication type doesn't support mutual authentication, a requirement of the WPA2/802.11i platform.

Other EAP types: each will have to be researched given your network setup, because each one has its strengths and weaknesses. EAP-TLS, LEAP (Cisco EAP), PEAP, and EAP-TTLS.

Securely Setting up WPA/WPA2

Slide34

Note: General Rules for Mobile Users

1) Use a pass-code/pass-phrase/pattern to lock the device after inactivity.

2) Encrypt the device using the highest encryption possible (minimum 128-bit).

3) When choosing between unsecured Wi-Fi and 3G/4G/CDMA services, go with the cellular data service; it's more secure.

4) If you have a VPN, use it instead of the open Wi-Fi network.

5) Turn off your GPS location software when you don't need it.

6) Turn off "Bluetooth" applications when not in use.

7) If you jailbreak your phone you might have inadvertently disabled built-in security settings, opening yourself and your company's network to attack.

8) Pay close attention to the software you download. Some of the best malware nowadays is undetectable by many antivirus applications.

9) If your mobile device is lost or stolen, can it remotely wipe its data after a certain number of incorrect authentication attempts?

10) Restrict the use of synchronization services and automatic backups to the cloud, depending on the data being stored on the device.

Securing your Mobile Users

NIST Special Publication 800-124 Revision 1, "Guidelines for Managing the Security of Mobile Devices"

Slide35

Virtual Private Networks (VPNs) let users establish a secure communication channel over the insecure Internet. The VPN is placed behind a firewall to allow users to authenticate and establish protected sessions.

VPNs – Home-Office/Remote Users/Mobile Users

Slide36

Based on the OSI model layers, VPNs can be divided into the following three main categories:

Data link layer VPNs

Network layer VPNs

Application layer VPNs

There are also intranet VPNs and extranet VPNs, which can be based on the same principles. Other types like SOCKS VPNs and Point to Point Tunneling Protocol (PPTP) can also exist.

Data Link Layer VPNs

In this type of VPN two private networks are connected at Layer 2 of the OSI model, using Frame Relay or ATM. But this type of VPN can be expensive, since it requires dedicated Layer 2 pathways.

Moreover, the Frame Relay and Asynchronous Transfer Mode (ATM) protocols don't provide encryption. The traffic is segregated based on the Layer 2 connection, so you will need added-on technology to secure and encrypt the network.

Virtual Private Networks (VPN’s)

Slide37

Network Layer VPNs

This one is created using Layer 3 (Network Layer) tunneling protocols and/or encryption techniques of the OSI model. A good example is IPsec tunneling and encryption protocols. Other examples are Generic Routing Encapsulation (GRE) and the Layer 2 Tunneling Protocol (L2TP), which use Layer 3. The network layer also provides suitable encryption and gives the applications running above it in the OSI stack suitable granularity for traffic that might need an extensive IP addressing architecture. Cisco Systems focuses its VPN networks mainly on this layer.

Application Layer VPNs

This type of VPN works specifically with applications. Examples are SSL-based VPNs: SSL provides encryption between the web browser and servers running SSL. Another example is Secure Shell (SSH). An SSH tunnel protects the integrity of the communication, preventing session hijacking and other man-in-the-middle attacks. SSH is used as a mechanism for encrypted and secure login sessions to various network devices. This is also one of its drawbacks, in that application layer VPNs are not seamless: a user must perform actions on the end devices to create the VPN for the different applications.

Virtual Private Networks (VPN's)

Slide38

SOCKS and SSL VPNs

The heart of SOCKSv5 is RFC 1928, which does not require encryption of traffic. One of its key advantages when implemented is that SOCKS and SSL VPNs use proxy servers, a feature that most other VPNs are missing. A SOCKS server may also require the user to authenticate before providing services.

SSL/TLS VPNs

This is another approach to remote access. Instead of building the VPN around IPsec and the network layer, SSL VPNs leverage SSL/TLS to tunnel back to the home office. This is employed using a web browser to access applications that reside on the home network. This type of VPN is not restricted to applications that use HTTP. With added plug-ins like Java or Visual Studio .NET, users can access just about anything on the home network.

Layer 2 Tunneling Protocol (L2TP)

Layer 2 Tunneling Protocol (L2TP) is a hybrid of Cisco's Layer 2 Forwarding (L2F) and Microsoft's PPTP. It allows callers over a serial line using PPP to connect over the Internet to a remote network.

Virtual Private Networks (VPN's)

Slide39

Point to Point Tunneling Protocol (PPTP)

PPTP is a VPN protocol that runs over other protocols. PPTP uses Generic Routing Encapsulation (GRE) to build the tunnel between the end points. It typically uses the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2), but there are others.

In addition, IP Security (IPsec) is a suite of protocols for securely communicating over IP using authentication and encryption methods. IPsec is mandatory in IPv6. IPsec can be implemented in two modes: one to protect end-to-end communication, and the other to safeguard traffic on the network.

The standard version of IPsec only authenticates hosts with each other. If a business wants to authenticate users, it must deploy a nonstandard proprietary IPsec or use IPsec over L2TP (Layer 2 Tunneling Protocol). Moreover, L2TP does not provide encryption and relies on other protocols, such as tunnel mode IPsec, for confidentiality.

Virtual Private Networks (VPN's)

Slide40

Note: A key weakness of PPTP is the fact that it derives its encryption key from the user's password. This violates the principle of randomness and can provide a basis for attacks.

Note: Transport Mode and Tunnel Mode

End points communicate with IPsec using either transport or tunnel mode. In transport mode the IP payload is protected end-to-end. In tunnel mode the IP header and payload are protected. Tunnel mode is often used between networks, such as firewall-to-firewall.

Note: Also remember SSL is scheduled to be replaced by June 30th, 2016. The Payment Card Industry is mandating the change, or you should at least have a plan in place before then to phase it out.

The SSL standard is obsolete and will be dead soon!

Virtual Private Networks (VPN's)

Slide41

Some of the best ways to hack something are to understand how to repair it, then reverse engineer the methods used.

Here are some basic tips on hacking a VPN network.

Find out the type of VPN they are using. I outlined the different types earlier.

How are they connecting and authenticating on the network? Windows Server environment / Linux / Unix, etc.?

What type of firewall policies do they have in place?

What type of VPN software are they using to connect: a major brand, or some open source platform you can research for flaws in its design?

How do they log in? Is it just your basic alphanumeric login, or can they use special characters, which will be much harder to break?

What types of resources can a user access once on the network?

Find out the different IP addresses, ports and server names.

Map the network and how it's set up.

Look for bottlenecks in routers, bridges, and switches.

Remember: on average any software application has about 15 major flaws per thousand lines of code....!

(VPN) Hacking

Slide42

Helpful links

802.11 is the standard itself, available from the IEEE at http://www.standards.ieee.org/getieee802/802.11.html

Wireshark http://www.wireshark.org

Kismac http://www.kismac.de

Kismet http://www.kismetwireless.net

KARMA http://www.theta44.org/karma/

airpwn http://www.sourceforge.net/projects/airpwn

Cain & Abel http://www.oxid.it/cain.html

Darwin Ports http://www.darwinports.opendarwin.org

Ettercap http://www.ettercap.sourceforge.net/

Kismet http://www.perrygeo.net/wordpress/?p=55

Google Wifi http://www.wifi.google.com/support/

Network Stumbler http://www.networkstumbler.com

Metasploit http://www.metasploit.com

dsniff http://www.monkey.org/~dugsong/dsniff