Wireless Security Topics

Cool Tool – ASUS WL-330N3G Wireless Router Hub Repeater and More

Today’s post is on a nifty little gadget I picked up to solve a problem I had with a demo design (I needed to bridge wireless to an Ethernet port providing DHCP without using laptop sharing, so that I’m in front of a VPN). The tool is the ASUS WL-330N3G Wireless Router, which retails for around 60 dollars.


It’s pretty small and looks like a cheap hub, but it is so much more. There are six different settings you can use it for.


1) Wireless Router – Connects to the modem through a network cable and shares the wireless network. In this mode, NAT, firewall, UPnP and DHCP server are enabled by default.

2) Access Point – Connects to a wired/wireless router through a network cable to establish wireless signal sharing. In this mode, firewall, IP sharing, and NAT functions are disabled by default.

3) Repeater – Connects to an existing wireless network to extend the wireless coverage. In this mode, the firewall, IP sharing, and NAT functions are disabled.

4) Network Adapter – Connects any Ethernet-enabled device to your wireless network with WL-330N3G.

5) WI-FI account sharing – Connects to a wireless hotspot that requires authorization / payment (e.g. hotel, airport and coffee shop WIFI services). With only one payment, you can share the wireless signal with all other WIFI devices, which saves on the cost for multiple devices.

6) 3G Sharing – Plug a 3G/3.5G USB adapter into the WL-330N3G to turn it into a mobile router.

The ASUS comes with a power adaptor but can also be powered using USB (awesome). Once powered on, connect to it using the Ethernet port and access its GUI at 192.168.1.1 (the ASUS will provide you a DHCP address). Log in to 192.168.1.1 with admin / admin and you will be presented with the six different configuration options explained earlier. Once you choose one, you will see the GUI below. It’s pretty straightforward to set up.


So far I’ve used it as a wireless repeater (extending my wireless to my 3rd floor office), a Network Adapter (providing an Ethernet port from my wireless network to an OEAP600 that requires Ethernet DHCP) and for WI-FI account sharing (extending an expensive hotel network to my iPad and laptop using one account login). I’m sure there will be other situations where this tool will be useful. Pick one up on Amazon. Totally worth it.


Penetration Testing Tools At Your Next Security Conference – WIFI Pineapple Mark III

Today’s highlight – WIFI Pineapple Mark III Wireless Penetration Testing Tool.

There are many cool tools sold at conferences. One tool to check out is the WIFI Pineapple Mark III for around $100. Basically it’s a wireless honeypot using a man-in-the-middle attack to access data. It works by listening for devices calling out for known wireless networks / SSIDs. The WIFI Pineapple will hear the request and clone the requested SSID so the device believes it’s connecting to a known trusted network.

An example is connecting an iPad on an airplane to the online network GOGO SSID. Some time later the user may be at a Starbucks and turn on the iPad that was used on the airplane. The iPad will beacon out “am I still on the airplane and can I re-connect to GOGO?”. The WIFI Pineapple will hear the request and reply back “I’m GOGO … welcome to the internet”. The iPad will auto-connect to the fake GOGO SSID without re-authenticating, which is really the WIFI Pineapple passing traffic through to another network while the hacker sits in the middle. Essentially, the WIFI Pineapple takes advantage of the convenience of auto-connecting to known or trusted networks, which most wireless devices offer.

The WIFI Pineapple is pretty easy to set up. It has two LAN interfaces (pass through and admin access). It provides auto DHCP 172.16.42.X to the administrative interface. The main interface is a GUI located at 172.16.42.1. From here, the pen tester can enable many tools as well as see who is connecting to the WIFI Pineapple. Network setup is pretty easy and designed to pass traffic through without systems knowing the difference between the fake SSID and the real network.

Some built-in tool highlights (in the release of software I’m running) are Karma, Snarf and DNS Spoofing. The GUI is pretty easy to get around. I used the WIFI Pineapple to capture cookies and replay them in Firefox via the Add N Edit Cookies plugin. An example is capturing a Facebook cookie to access the victim’s Facebook account. An example of using cookies to access a Gmail account, covering the cookie replay process, can be found HERE.

For those wondering how to defend against this tool, there are some options. VPN tunnels encrypt traffic from your device to its destination, blocking visibility into traffic seen by the WIFI Pineapple (for example, using AnyConnect by Cisco). Also, using data in motion / encryption technology for sensitive data will defend against this attack, since users must be authenticated to access the data contents that are captured by the man-in-the-middle. Disabling auto-connecting to networks may mean extra steps to establish network connectivity, however it will help in scenarios like this. The bad part about this attack is that even if you do not auto-connect to known risky networks such as Starbucks, the WIFI Pineapple can clone any SSID, including your home network.
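One way to act on the auto-connect advice above is to audit a laptop's saved Wi-Fi profiles for open networks that are still set to rejoin automatically. This is an added example, not part of the original post; it assumes Linux NetworkManager keyfiles, and the profile contents and function names are constructed for illustration.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (not from the
# original post). On a real Linux host these files live under
# /etc/NetworkManager/system-connections/.
SAMPLE_PROFILES = {
    "GOGO.nmconnection": """
[connection]
id=GOGO
type=wifi

[wifi]
ssid=GOGO
""",
    "HomeNet.nmconnection": """
[connection]
id=HomeNet
type=wifi

[wifi]
ssid=HomeNet

[wifi-security]
key-mgmt=wpa-psk
""",
    "HotelGuest.nmconnection": """
[connection]
id=HotelGuest
type=wifi
autoconnect=false

[wifi]
ssid=HotelGuest
""",
}

WIFI_SECTIONS = ("wifi", "802-11-wireless")
SECURITY_SECTIONS = ("wifi-security", "802-11-wireless-security")


def audit_profile(keyfile_text):
    """Return a dict describing one saved Wi-Fi profile, or None if not Wi-Fi."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(keyfile_text)
    if cp.get("connection", "type", fallback="") not in WIFI_SECTIONS:
        return None
    wifi = next((s for s in WIFI_SECTIONS if cp.has_section(s)), None)
    ssid = cp.get(wifi, "ssid", fallback=None) if wifi else None
    return {
        "ssid": ssid or cp.get("connection", "id", fallback="?"),
        # No security section means an open network: nothing proves the AP's identity.
        "open": not any(cp.has_section(s) for s in SECURITY_SECTIONS),
        # NetworkManager treats a missing autoconnect key as true.
        "autoconnect": cp.getboolean("connection", "autoconnect", fallback=True),
    }


def risky_ssids(profiles):
    """SSIDs the device will silently rejoin with no authentication of the AP."""
    found = []
    for text in profiles.values():
        info = audit_profile(text)
        if info and info["open"] and info["autoconnect"]:
            found.append(info["ssid"])
    return sorted(found)


if __name__ == "__main__":
    for ssid in risky_ssids(SAMPLE_PROFILES):
        print(f"open + autoconnect: {ssid} (forget it or set autoconnect=false)")
```
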

Check out Hak5 for more details on this and other cool tools.


Configuring Cisco ISE With Wireless For Mobile Device Access Control : iPad Android Etc.

My team built a Cisco Identity Services Engine (ISE) demo lab designed to secure mobile devices such as iPads, Androids, etc. We ran into a few snags, however in the end we got the system to work nicely. Here is a guide to help you build a Cisco ISE lab for securing mobile devices.

First, the assumption is you have a standard Cisco ISE configuration built. In our lab, we use Cisco UCS to host a virtualized ISE appliance, Active Directory and other services. For hardware, we had a Cisco 3560 switch running 12.2 55E (downgraded from 12.2 58), an ASA 5505 (for outbound NATing, info HERE) and a Cisco wireless network consisting of two APs and a WLC appliance (NOTE: WLC MUST run 7.X code for RADIUS between ISE and WLC to work!!!). The ISE system was synched with AD for three identity groups (employees, contractors and guests). We used the default 90-day demo license and enabled all profiling probes. The wireless system was built in a standard fashion.

To start off, it’s VERY important to check the time in AD (Windows clock) and ISE (show clock command). If time is not synched, your RADIUS authentication will fail with a variety of funky error messages (see ISE monitor image above). Once groups are added, test AD users in ISE under external identity store, AD, Connect to make sure the AD / ISE integration is working. Next go to Authentication and verify you have a default 802.1x policy. Click the little triangle and change the ISE identity sources to AD (see below). This will tell ISE to query AD for any device accessing the network using 802.1x. Next go to Network Devices under Administration and add a new network device. Fill out the form for your Wireless LAN controller and configure a shared RADIUS key (Cisco guides explain this).

On the WLC, go to Security and add ISE for RADIUS authentication and accounting. Make sure to match the shared secret used in ISE! Next create the WLAN for your environment. Under Security and Layer 2 in your WLAN, make sure Auth Key Mgmt is set to 802.1x. Under the AAA Server tab, add your services by selecting from the scroll down section or manually. Under Advanced, check AAA override and scroll down to RADIUS NAC under NAC state. Enable your WLAN and save.

Back in ISE, go to Profiling under Policy and select the mobile profiles you want to include in your lab. Each profile by default will state “Use Hierarchy”. Change this to “Create Matching Identity Group” (see image below).

Next go to Rules under Policy and click down into the Authorization Profiles section under Authorization. This section tells ISE what to do with authorized users. In our ISE lab, we created an iPad Employee and an iPad Guest policy, in which employees were put into VLAN 10 and guests into VLAN 20. You can put users on the same VLAN and apply ACLs for control, create a redirection if posture is desired, or use other combinations of security. Spend time learning the different options for authorization.

The final step is building your ISE Authorization policy under the Policy tab. We created rules for specified devices as the Identity Source, such as Apple-iPad and Apple-Device, as seen in the default profiling section. NOTE: The device profiles you changed to “Create Matching Identity Group” will appear here. Under conditions, click new condition, select your AD, select = and whichever group of users should apply. Below is our ISE policy covering general Apple devices, iPads, iPhones and PC workstations for employees and guests. An example: the Identity Group is Apple-iPad and the Condition is AD users = AD_group_employes, then apply iPadEmployees, which means all iPads used by employees will end up in VLAN 10 as specified by the iPadEmployee policy.

Hopefully this guide helps you with your ISE mobile device testing.


How To Secure Your Wireless Network: Identifying Rogue Wireless Devices

Detecting rogue wireless devices can be a headache if not performed properly. I’ve asked customers “How do you ENFORCE your zero wireless policy?” and received many answers. Example one is “We have random sweeps with wireless detectors”, which are only good at the time of the sweep and within range of the detector. Example two is “We use network access control (NAC) so plugging in rogue wireless devices will be denied”, which can be bypassed by having an approved laptop act as a wireless bridge. Example three is “We have wireless scanners in our building”, however are they certified for all frequencies or are you missing devices on other frequencies? Here are some tips for properly detecting rogue wireless devices.

It’s extremely important to automate access control to any part of your network. Regarding the LAN, see my blog on Network Admission Control HERE. For wireless, walking the halls with a scanner such as a Fluke appliance or laptop detection software is not a reliable practice. I’ve heard stories of users powering down devices to avoid detection, or rogue wireless devices on the edge of a campus being out of range or hidden behind a wall. Plus, manual methods are time consuming and leave vulnerability gaps between scans.

Relying on LAN access control technologies such as port security or Network Admission Control (NAC) may stop rogue wireless devices plugged into the network, however it will not detect approved devices such as laptops becoming wireless bridges. One example could be a nearby Starbucks offering wireless near your campus, in which case a user could be connected to the corporate LAN and the Starbucks wireless network simultaneously. A common virus known as “Free WIFI” could turn your endpoints into open wireless bridges that permit anybody in range of your campus free WIFI access to your network.

One solution to prevent endpoint wireless bridges is locking down endpoints with software that disables wireless use when physically connected to the LAN. This may work for trusted endpoints, however it fails if guests or contractors are permitted on the network without security software enforcing the zero wireless policy. A better solution is developing a wireless detection solution using WIDS WIPS (Wireless Intrusion Detection / Prevention) even if you do not plan to provide wireless access. See my blog on defining WIDS WIPS HERE. A wireless detection solution with WIDS WIPS can detect all forms of wireless, including approved LAN devices exposing rogue wireless access. It’s also wise to include data security using Data Loss Prevention (DLP) and encryption to provide defense in depth in the event your access layer is bypassed.

When developing a rogue wireless detection solution with WIDS WIPS, it’s best practice to deploy one dedicated WIDS WIPS sensor for every five service-providing access points. When enforcing WIPS prevention, your design should be capable of leveraging multiple access points near an identified rogue device to ensure your access points are close enough to drown out the rogue signal. Hardware should be capable of detecting all channels or some rogue devices may be missed.

It’s highly recommended to treat the design of a WIDS WIPS solution for detecting rogue wireless devices the same way as designing a solution to provide wireless access. Site surveys are critical to how effective your detection will be. Not planning for obstacles or proper access point placement may leave you with vulnerable areas. The bonus of a rogue wireless detection system delivered properly is the capability to enable wireless using the same hardware if wireless access is desired in the future.


WIDS WIPS 101: Wireless Intrusion Detection And Prevention Systems Wireless IDS IPS

Many security professionals understand the concepts behind Intrusion Detection and Prevention solutions (IPS IDS) for LAN and WAN, however not wireless (WIDS WIPS). If you plan to provide network and wireless access, you need to equally secure all access avenues or you are not securing access to your network properly. Many security professionals see IDS IPS as key technology for their network, so it’s important to understand the fundamentals behind wireless IDS IPS, aka WIDS WIPS, as well.

According to Wiki, “Intrusion Prevention Systems (IPS) are network security appliances that monitor network and/or system activities for malicious activity. The main functions of IPS is to identify malicious activity, log information, attempt to block/stop activity, and report activity.” Wireless detection/prevention (WIDS WIPS) is similar, however it focuses on reacting to rogue wireless devices rather than security events. WIDS are wireless access points that detect and alert when a wireless device is detected. WIPS do the same and can prevent use of the device using things like overflowing the rogue access point with 802.11 de-authentication frames. Best practice is to manually review discovered rogue devices rather than automatically killing them. You may knock down Starbucks’ network or an emergency wireless setup for FIMA.

By default, wireless is a whitelist technology, meaning rogue access points are not auto added to the network. Regardless, it’s important to detect rogue devices or they may end up on the network, exposing you to attack. For most vendors, WIDS WIPS functions can be enforced in two ways. The first method is having access points service users and scan for rogue devices (sensor and service mode). The WIDS access point sits on one RFID channel and switches from accepting users to scanning for rogue devices every few milliseconds. The pro is you get both services, however the con is you only scan the RFID channel assigned to that access point. Some customers have multiple WIDS access points on different channels, which can cover the majority of channels, however that doesn’t mean other channels are covered. The second method is setting up a WIPS access point in sensor-only mode (a dedicated WIDS WIPS access point), which scans all RFID channels for rogue devices. Best practice is to have one dedicated sensor for every 5 servicing access points.

The final WIDS WIPS concept to understand is wireless channels. The common commercial channel is BGN (2.4 range), which is used by devices such as Best Buy routers. Best practice to avoid signal bleeding is to separate BGN by 5 channels, meaning the standard BGN channels used are 1, 6 and 11. Newer wireless technology uses AN (5.0 range) channels, which offer 20+ options. If you use a laptop or older access point scanning BGN for WIDS WIPS, you are only scanning that channel range, meaning AN or other range access points are completely bypassing your security. Another point to note is channels are unlicensed by FTC, meaning there really isn’t a way to enforce misuse of channels. This means if you kill Starbucks’ wireless network, all they can do is kill your network. So it’s expected that we all get along, meaning being ethical about using WIDS WIPS to kill a rogue signal.
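The coverage gap described above, and the one-sensor-per-five-APs ratio from the rogue detection post, can be made concrete with a small triage routine. This is an added example, not from the original posts; the inventory, survey data and function names are constructed, and it follows the post's simplified model in which a sensor-and-service access point only scans its own assigned channel.

```python
import math

# Constructed inventory and survey data (not from the original posts).
AUTHORIZED_APS = {                # BSSID -> SSID of approved access points
    "02:00:00:00:01:01": "CorpWiFi",
    "02:00:00:00:01:02": "CorpWiFi",
    "02:00:00:00:01:03": "CorpWiFi",
}
SERVICE_AP_CHANNELS = {1, 6, 11}  # channels the sensor-and-service APs sit on

OBSERVED = [                      # (BSSID, SSID, channel) seen during a survey
    ("02:00:00:00:01:01", "CorpWiFi", 1),
    ("02:00:00:00:99:10", "CorpWiFi", 6),     # approved SSID, unknown radio
    ("02:00:00:00:99:20", "linksys", 3),      # 2.4 GHz, between service channels
    ("02:00:00:00:99:30", "Free WIFI", 149),  # 5 GHz band
]


def classify(bssid, ssid, authorized):
    """Label one observation against the approved-AP inventory."""
    if authorized.get(bssid.lower()) == ssid:
        return "authorized"
    if ssid in authorized.values():
        return "ssid-clone"       # our SSID from a radio we do not own
    return "rogue"


def triage(observed, authorized, service_channels):
    """Classify every observation and note which sensor mode could see it."""
    report = []
    for bssid, ssid, channel in observed:
        report.append({
            "bssid": bssid,
            "ssid": ssid,
            "channel": channel,
            "status": classify(bssid, ssid, authorized),
            # Post's model: a sensor-and-service AP only scans its own channel.
            "seen_by_service_aps": channel in service_channels,
        })
    return report


def missed_without_dedicated_sensor(report):
    """Unauthorized radios that only an all-channel dedicated sensor would catch."""
    return [r["bssid"] for r in report
            if r["status"] != "authorized" and not r["seen_by_service_aps"]]


def dedicated_sensors_needed(service_ap_count):
    """One dedicated sensor per five service APs, rounded up (the posts' ratio)."""
    return math.ceil(service_ap_count / 5)


if __name__ == "__main__":
    rows = triage(OBSERVED, AUTHORIZED_APS, SERVICE_AP_CHANNELS)
    for r in rows:
        mode = "service AP" if r["seen_by_service_aps"] else "dedicated sensor only"
        print(f'{r["status"]:<11} ch{r["channel"]:<4} {r["ssid"]:<10} {mode}')
    print("missed:", missed_without_dedicated_sensor(rows))
    print("sensors for 12 APs:", dedicated_sensors_needed(12))
```

A BSSID match is only as trustworthy as the radio reporting it, so findings labelled ssid-clone or rogue are candidates for the manual review the post recommends, not automatic containment.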

This is just a glimpse at understanding securing wireless networks using WIDS WIPS. Shout out to Bart Robinson at World Wide Technology for his input for this piece.


How Secure Is Your Home Wireless Network? Wireless Network Security 101

Wireless Network Security is important. Wireless networks are the way of the future. People don’t want to run cables through their homes and mobile devices are becoming common tools for surfing the Internet. If you live in a populated area, you will find many wireless SSIDs broadcasted. How secure is your wireless network? How much should you spend on a wireless router? Can you get by with a basic password or should you utilize Wireless Network Security features? Here is my answer.

The first Wireless Network Security feature many people believe is important is not broadcasting the service set identifier or SSID. Regarding security, this is equivalent to putting up a four-foot high wood fence to keep burglars out. The fence may stop dogs or children but the average person can step right over it. Anybody looking to access your wireless network can scan for networks regardless if the SSID is advertised. Here is a scan from KisMAC showing all networks regardless if the SSID is broadcasted.

The next important Wireless Network Security concept is passwords. The majority of the population today understands it’s important to add a password, which is good considering it took enough hacker movies and scary credit card stories to make it happen. What the average wireless administrator doesn’t understand is that using a weak password is like locking the front door. See my post on how secure that is: How The Bad Guys Break In.

Make sure your wireless security passwords use at least 10 characters that include numbers, special characters, and a mix of capital and lowercase letters. Don’t get lazy with your password thinking other security features will protect you. See my post about how computer speed is making brute force methods easier regardless of what type of encryption you use: Passwords Are Doomed. Also make sure to create a new administrator name and delete the “admin” account. This will force hackers to compromise both the user name and the password before accessing your network.

The next Wireless Network Security concept is encryption. The default encryption for many low-end wireless routers is WEP, which is a WEAK algorithm. Password cracker programs such as John the Ripper or Aircrack-ptw can break WEP in under a minute. If you look at the screenshot below, you will notice the majority of the networks are secured by WEP. This will only keep the honest people out. Most routers offer WPA2, which will dramatically increase your defense against wireless hackers.

Another security concept is not using wireless or locking down device access to your wireless network. I find many people use wireless to add one desktop in another room. Consider using your power grid utilizing solutions like the Linksys power line adapter. Basically you plug two hubs in the wall and they transfer traffic over the power lines. Some solutions include encryption. I use it for my desktops and swear by it. If you need to go wireless, you can lock down the MAC address of all approved devices and blacklist everything else. This will increase the work to add new devices but is more secure than having an open wireless network.

One final tip for purchasing wireless routers is not spending money on bogus features. I’ve seen some routers offer a built in Intrusion Detection / Prevention (IDS/IPS) component however the routers I tested with this feature were garbage. I would click “update signatures” and it would display “updated and secure”. Static signatures are worthless and home use routers never offer a way to test it. Other features I’ve seen are built in Anti-Virus and Content Filters, which are also worthless. Invest in a solid host based Anti-virus / IPS solution for your endpoints and consider content filtering applications such as netnanny if you are concerned about children surfing to inappropriate websites. Focus your router as being a wireless provider and capitalize on its wireless network security features. Don’t get lazy or you will eventually be owned.
