3. Wireless Security Flashcards
How can you keep your Access Point (router) secure (i.e. prevent unauthorised access)?
- Change the default / admin password
- Use encryption: WiFi Protected Access (WPA / WPA2)
- Cloak the SSID (i.e. disable broadcasting it)
- MAC address filtering (the network administrator has to manually add the MAC addresses that are permitted to connect; other MAC addresses will not be allowed). Not practical for many devices or for devices that change frequently.
- Firewall (either built into the router or a separate firewall). Requires continual monitoring and adjustment.
- Strategic positioning of the access point (e.g. central in a home, minimising how far the signal is broadcast externally).
- Continually search for rogue access points
- Assign static IPs
DHCP is helpful but also creates vulnerabilities on a network. Assigning a static IP provides enhanced security, but is not always practical.
What is a rogue access point (pineapple)?
Officially a network pen testing and security tool developed by Hak5; however, it can be used as a rogue access point to conduct man-in-the-middle (MITM) attacks and can broadcast a fake SSID that is similar to the real name of a network, allowing it to eavesdrop on network traffic.
Turning off Wi-Fi or using a VPN can improve security.
Using websites that provide HTTPS also provides better security for the user.
How can you check your router security?
- Type 192.168.1.1 into a browser, or go to www.routerlogin.net or www.routerlogin.com, to see lists of connected devices, to check that the latest encryption version is being used, etc.
- Ethernet cable connected to the router (plug one end of the Ethernet cable into port 2 on the router and the other end into the Ethernet port on your computer)
What is DHCP (summarise key features)?
Dynamic Host Configuration Protocol - typically a client / server protocol. Dynamically provides hosts on a network with an IP address and configuration info (subnet mask or default gateway).
Generally network equipment (routers / firewalls / servers) will be assigned static IP addresses, whereas hosts like smartphones / tablets / laptops will use DHCP.
DHCP can be a server function or a router function.
How can you view DHCP Activity?
On windows devices:
Windows event viewer. An event is created every time DHCP starts or stops.
Examination of the logs will give the MAC addresses of devices connected to a specific router.
If a DHCP server is used these logs may be extensive.
You may be able to identify a DHCP server by monitoring traffic on ports 67 and 68.
You can use tools to parse these logs.
The logs are not persistent, so they need obtaining as soon as possible.
How can you find information about wireless connections on a Windows device?
The following software hives / registry keys store the information:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
Again, you can parse these with open source tools.
How can I find wireless information on Apple devices?
macOS:
/Library/Preferences/SystemConfiguration/com.apple.airport.preferences
iPhone (iOS):
/private/var/preferences/SystemConfiguration/com.apple.wifi.plist
Once these files are parsed they will give info like SSID, authentication protocol (e.g. WPA2) and method for joining (auto or not).
How can I find wireless information on an Android device?
wpa_supplicant.conf
This file gives SSID, network security protocol and signal strength.
com.google.android.gms/databases/herrevad
This herrevad database file will give info like:
- SSID
- BSSID
- WiFi Security Protocol (WPA/WPA2/WPA3)
- Time stamp (device time)
What open source web based resources may help us look at access point info?
wigle.net
Can search an area to see SSIDs and info.
What things should you consider regarding smartphone security?
- Prevent auto-connecting (to help avoid rogue access points)
- Disable Wi-Fi calling
- Avoid public Wi-Fi
Where can I find Search and Seizure guidelines?
USSS Best Practices for Seizing Electronic Evidence:
https://www.crime-scene-investigator.net/PDF/usss-best-practices-for-seizing-electronic-evidence.pdf
ACPO:
https://www.digital-detective.net/digital-forensics-documents/ACPO_Good_Practice_Guide_for_Digital_Evidence_v5.pdf
A Guide to Securing Networks for Wi-Fi:
https://www.us-cert.gov/sites/default/files/publications/A_Guide_to_Securing_Networks_for_Wi-Fi.pdf
Wireless encryption: What is / was WEP?
Wired Equivalent Privacy (WEP)
Original WLAN Encryption Protocol
Challenging to Configure
Significant Vulnerabilities. Do not use it.
There were many attacks on WEP, such as packet injection, fake authentication and the chopchop attack (fake ARP).
Wireless encryption: What is WPA?
Wi-Fi Protected Access (WPA) 2003 onwards
Interim Fix for WEP
WPA uses a Pre-shared Key (PSK) & Temporal Key Integrity Protocol (TKIP)
WPA is responsible for both the handshake & encryption between the device and the router
Wireless encryption: What is WPA2?
Wi-Fi Protected Access version 2 (WPA2)
Based on 802.11i Wireless Security Protocol
Utilizes Advanced Encryption Standard (AES)
Unique Encryption Keys Created for each Client (more secure than WPA)
"KRACKs" (Key Reinstallation AttaCKs) are a group of vulnerabilities that could allow packets to be intercepted, so a more secure protocol is required.
Wireless encryption: What is WPA3?
Wi-Fi Protected Access version 3 (WPA3)
No offline dictionary attack possible to determine passwords (now requires the attacker to interact with your Wi-Fi network for each password attempt, making it difficult & time consuming to crack your password)
Supports "Forward Secrecy" function (if an attacker captures encrypted data from your network & cracks your password, they cannot decrypt data that was already captured; only new data can be decrypted).
Only Recent Transmissions Can be Decrypted
Supports easy connect via QR code
On public networks, using WPA will encrypt all traffic.
WPA3 provides stronger encryption as long as your router has WPA3 switched on. WPA3 is backward compatible: a WPA2 device can connect to a WPA3 router.
Wireless encryption: WPA3 - what is the relevance of the Dragonfly handshake?
The Dragonfly handshake (also known as Simultaneous Authentication of Equals, SAE) is a key feature of WPA3, the latest Wi-Fi security protocol. It was designed to improve upon the weaknesses of its predecessor, WPA2, by providing better protection against offline dictionary attacks and ensuring forward secrecy.
Simultaneous Authentication: Both the client and the access point authenticate each other simultaneously, which helps prevent man-in-the-middle attacks.
Password Protection: The Dragonfly handshake uses a password-based method that makes it difficult for attackers to crack the password even if they capture the handshake process.
Forward Secrecy: Even if an attacker manages to obtain the encryption keys, they cannot decrypt past communication sessions.
The Dragonblood vulnerability / hack allows the attacker to recover the network key, downgrade security measures, launch a DoS attack, and launch a timing-based side-channel attack or a cache-based side-channel attack.
This is because the Dragonfly handshake uses a transitional mode of operation for backward compatibility with WPA2. The attacker can use a rogue access point that supports WPA2 only, which forces the devices to use the less secure WPA2. This hack therefore only requires the SSID.