Detecting Rogue 802.

11 Access Points within the Enterprise

Kirby Kuehl Cisco Systems, Inc.

1

A Brief Introduction
• Access to a wired LAN is governed by access to an Ethernet port for that LAN. Therefore, access control for a wired LAN often is viewed in terms of physical access to LAN ports. Similarly, because data transmitted on a wired LAN is directed to a particular destination, privacy cannot be compromised unless someone uses specialized equipment to intercept transmissions on their way to their destination. In short, a security breach on a wired LAN is possible only if the LAN is physically compromised. With a wireless LAN, transmitted data is broadcast over the air using radio waves, so it can be received by any wireless LAN client in the area served by the data transmitter. Because radio waves travel through ceilings, floors, and walls, transmitted data may reach unintended recipients on different floors and even outside the building of the transmitter. Installing a wireless LAN may seem like putting Ethernet ports everywhere, including in your parking lot. Similarly, data privacy is a genuine concern with wireless LANs because there is no way to direct a wireless LAN transmission to only one recipient.

2

the entire authentication process is done in clear-text. With shared-key authentication. and a client can associate with an access point even without supplying the correct WEP key. • SSID: (Service Set ID )The use of the SSID as a handle to permit/deny access is dangerous because the SSID typically is not well secured. usually is set to broadcast its SSID in its beacons. If the client has the wrong key or no key. An access point.Rogue – Operating outside normal or desirable controls. the device that links wireless clients to the wired LAN. WEP: (wired equivalent privacy) With open authentication. which is the default. the access point sends the client a challenge text packet that the client must encrypt with the correct WEP key and return to the access point. (Subject to attack with tools such as airsnort) • 3 . it will fail authentication and will not be allowed to associate with the access point.

11b Detection Methods • TCP Fingerprinting (Nmap) 4 .802.

• Does not Audit Access Points** Nmap (http://www.org/nmap/) example: 5 .insecure.) • False Positives.NMAP TCP Fingerprinting Disadvantages: • Scanning entire network indiscriminately (Could be slow on large networks). • Intrusive and Noisy (Personal Firewalls and IDS alerts.

11b Detection Methods • TCP Fingerprinting (Nmap) • 802.11b Analyzer (War Driving) 6 .802.

Detecting Rogue Access Points With an 802.11b Analyzer 7 .

Cisco Antennas: http://www. 300 ft. 350 ft (107 m) office War driving is typically accomplished using a modified access point with a high gain antenna (Yagi) which significantly increases the range (up to 6. (90m) office Cisco AP 340 Range @ 11Mbps: 400 ft.“War Driving” is only a partial solution.6 m) office Cisco AP 350 Range @ 1Mbps: 2000 ft (610 m) open environment. 100 ft.com/warp/public/cc/pd/witc/ao340ap/prodlit/airoa_ds.cisco.htm 8 .5 miles at 2Mbps). 130 ft (39. (30m) office Cisco AP 350 Range @ 11 Mbps: 800 ft (244 m) open environment. Disadvantage: Using a Wireless Protocol Analyzer is limited by signal range. Cisco AP 340 Range @ 1Mbps: 1500 ft. (120m) open environment. (460m) open environment.

11b Analyzer (War Driving) • SNMP 9 .11b Detection Methods • TCP Fingerprinting (Nmap) • 802.802.

Snmpwalk ( http://net-snmp.sourceforge.SNMP Disadvantage: Not enabled by default.net/ ) example: 10 .

802.11b Analyzer (War Driving) SNMP The Origin of APTools. IPSU Ethereal 11 .11b Detection Methods • • • • TCP Fingerprinting (Nmap) 802.

12 . Audits Security Configuration.Detecting Access Points by Querying Routers and Switches Advantages: Not limited to the signal range of the access points like “war driving”. Positive Identification through MAC Address assignments and only queries Access Points and Access Point Clients.

Identifying Access Points via MAC Address IEEE OUI and Company_id Assignments 13 .

0 Referer: http://10.0) Host: 10.0.0. Windows NT 5. 01 JAN 1970 18:40:48 GMT Accept-Ranges: bytes Connection: close 14 .0. 01 JAN 1970 18:40:48 GMT Last-modified: THU.9 Accept: */* Response: HTTP/1.0 501 Not Implemented (Error Ignored) Server: thttpd/2.0.0 (compatible.10/ Connection: Keep-Alive User-Agent: Mozilla/4.03 11jul98 Content-type: text/html Date: THU.0. MSIE 6.Determine if IP is an Access Point or Client via HTTPD Query Request: HEAD / HTTP/1.

Audit Access Point Settings via HTML SetWEP_Keys. 40 bit. or 128 bit 15 . FULL. Encryption:NONE.html can be “read” to determine settings. or MIXED Key Size:None Set.

SNMP Enabled or Disabled? 16 .

What if Basic Authentication is Required? 17 .

18 .0.0 Referer: http://10.0. Windows NT 5. MSIE 6.0.SetHwPC4800.10/ Connection: Keep-Alive User-Agent: Mozilla/4.shm?ifIndex=2 HTTP/1.0.0 401 Unauthorized Server: thttpd/2.0) Host: 10.0.03 11jul98 Content-type: text/html Date: THU.9 Accept: */* First Response: HTTP/1. 01 JAN 1970 18:28:23 GMT Accept-Ranges: bytes Connection: close WWW-Authenticate: Basic realm="15“ The User-Agent information is falsified due to JavaScript browser version checking done by the Aironet Access Point HTML pages.0 (compatible.HTTP Basic Authentication Denied First Request: GET . 01 JAN 1970 18:28:23 GMT Last-modified: THU.

02 JAN 1970 12:00:00 GMT Expires: THU. Windows NT 5. Second Request: GET /SetHwPC4800. 01 JAN 1970 12:00:00 GMT Content-type: text/html The User-Agent information is falsified due to JavaScript browser version checking done by the Aironet Access Point HTML pages.0) Host: 10.0 200 OK Date: FRI.10/ Connection: Keep-Alive User-Agent: Mozilla/4.0 (compatible.0 Referer: http://10.0.HTTP Basic Authentication Accepted The client then sends the user-ID and password. MSIE 6.9 Accept: */* Authorization: Basic YWRtaW46cGFzcw== Second Response: HTTP/1.0.0.0. separated by a single colon (":") character. within a base64 encoded string in the http request.shm?ifIndex=2 HTTP/1.0. 19 .

Begin Aptools Input List: Router Hostnames or IP Addresses Aptools Flowchart Yes Query Router or Switch from Input List.96 show cam dynamic Generated List of IP Addresses & MAC addresses More Routers? No Done Query IP From List Yes Access Client Is IP an Access Point or Client? Point Audit via HTML Authenticate if Necessary And Report More IPs for router? No 20 . show ip arp | include 0040.

Your Mileage May Vary.net 21 Needs Multithreading. and Cisco Switches. Easily expandable.org/query.sourceforge. Limitations: Does not support SSH.netstumbler. Cisco Routers.php Can run a custom command on router or switch! Developed and Tested on Cisco Products: Cisco Aironet Access Points. .APTools Automates this Process Features: Single Scan or List Scan Routers and Switches. HTTP Basic Authentication Support Nmap greppable output can be used as input to audit devices. APTools Beta Version available at aptools. I have added some untested Scan Types based on information from: http://www. Switch querying needs refinement.

Command line Unix and Win32 Version too.net . 22 Beta Version available at aptools.sourceforge.

w3.org Snmpwalk http://net-snmp.BasicAA Nmap http://www.html .org/Protocols/HTTP/1.ieee.org/nmap/nmap-fingerprinting-article.Works Cited Cisco Aironet http://www.com/products/airopeek IEEE OUI and Company_id Assignments http://standards.wildpackets.insecure.cisco.wildpackets.sourceforge.html List of Default SSIDS 23 .com/warp/public/cc/pd/witc/ao340ap/prodlit/airoa_ds.netstumbler.org/regauth/oui/index.com/elements/AiroPeek_Security.0/spec.net HTTP Basic Authentication http://www.htm Assessing Wireless Security With AiroPeek http://www.shtml http://www.org/nmap Remote OS Detection via TCP/IP fingerprinting http://www.pdf WildPackets AiroPeek http://www.insecure.

24 .End of Presentation Please remember to fill out the Speaker evaluation forms.

11b." URL: http://www.cisco.0 and ACS 2.isaac. (Review the summary at http://www.cs.berkeley. With the recent Aironet Software Release 11. published a document identifying "security flaws in the 802. however. dynamic per user.pdf.berkeley. at Berkeley.html and detailed paper at http://www.edu/isaac/wep-draft. no commercial system we are aware of has mechanisms to support such techniques. "In practice. "More sophisticated key management techniques can be used to help defend from the attacks we describe.sourceforge. the standard for WLANs.isaac.htm Airsnort ( http://airsnort. The weakness of most WLANs is their use of static WEP keys shared among users. and that these weaknesses exist regardless of the length of the encryption key used.com/warp/public/cc/pd/witc/ao350ap/prodlit/1281_pp.) Cisco was aware of these limitations before the company defined its Aironet® security architecture.6. Articles about the researchers' findings have appeared in The Wall Street Journal and other publications. most installations use a single key that is shared between all mobile stations and access points.sourceforge." the Berkeley report states.11 security protocol (WEP)." that "seriously undermine the security claims of the system" and use WEP insufficient for wireless LAN (WLAN) security. 25 . per session WEP that addresses several of the concerns that the researchers refer to in their paper. researchers at the University of California. Cisco agrees with Berkeley researchers who cite inherent weaknesses in WEP as defined by IEEE 802. Cisco offers centrally managed.cs.Cisco Aironet Security Solution Provides Dynamic WEP to Address Researchers' Concerns Recently.edu/isaac/wep-faq.net) are two utilities that can be used to recover WEP keys.net) and WEPCrack (http://wepcrack.

Sign up to vote on this title
UsefulNot useful