Security Forums

Launching Attacks via Wifi

me6
Just Arrived
Joined: 29 Dec 2005
Posts: 0
Posted: Tue Jan 10, 2006 12:14 am    Post subject: Launching Attacks via Wifi

I've constantly been reading about how important it is to secure your wireless network to avoid hackers. I was wondering, do hackers carry out attacks on other networks using an open Access Point? I'm concerned because I live in a large city and use a wireless router. Here's an example:

Someone is driving through my neighborhood with their laptop fitted with a Wifi card. They find my network is open and then park their car. They connect to my Wireless network and they deface www.websitehere.com and then drive off. Does anything like this happen?
delete
Just Arrived
Joined: 02 Jan 2006
Posts: 0
Location: USA - Pennsylvania
Posted: Tue Jan 10, 2006 12:51 am

If your network is open, they can do numerous things. I'm not sure if they can do what you are talking about though.
roundtrip
Just Arrived
Joined: 04 Aug 2005
Posts: 0
Location: Scotland
Posted: Tue Jan 10, 2006 12:57 am

Yes, it is possible. It is made all the easier if your wireless network is not secured and if the website has a vulnerability.
alt.don
SF Boss
Joined: 04 Mar 2003
Posts: 16777079
Posted: Tue Jan 10, 2006 1:04 am

Hello me6,

Yes, it is entirely possible to launch attacks from unsecured WAP points. It is merely a matter of associating with it, and you are off to the races. In my opinion it would be one of the preferred methods to launch an attack. Hope this helps.
roundtrip
Just Arrived
Joined: 04 Aug 2005
Posts: 0
Location: Scotland
Posted: Tue Jan 10, 2006 2:36 am

It has got to be the simplest way to find a "proxy" to go through.

The attacker would also clone / change their MAC address to ensure they covered every part of their tracks.
RFmax
Trusted SF Member
Joined: 08 Dec 2005
Posts: 4
Posted: Tue Jan 10, 2006 3:04 am

I agree completely with all of the previous posters, but I wanted to make sure that you were also aware of the fact that when forensics are done and if logs allow a back trace, you will be implicated as it was your external IP addr that was logged.

I always suggest that connection logging be turned on along with all of the normal security precautions. It is not a failsafe excuse, but at least in most cases there will be a record of a MAC addr that is not associated with your equipment.

I have clients that have hotspots in their businesses for various reasons and I try to convince them to get liability insurance or at least make them very aware of the possible consequences for having an uncontrolled wireless access.

If need be we can go into all of the options and security related issues that you can use to reduce your chance of this happening.
me6
Just Arrived
Joined: 29 Dec 2005
Posts: 0
Posted: Tue Jan 10, 2006 5:36 am

"I wanted to make sure that you were also aware of the fact that when forensics are done and if logs allow a back trace, you will be implicated as it was your external IP addr that was logged."

I'm not entirely sure what this means, could you elaborate?

As rainman said, if they changed their MAC address, would they really be untraceable?
Sh4d0w
Just Arrived
Joined: 19 Jun 2005
Posts: 0
Posted: Tue Jan 10, 2006 5:53 am

Quote:
In my opinion it would be one of the preferred methods to launch an attack.


Or even better/worse (depending on viewpoint), you could authenticate to the WAP, p0wn the person's personal computer, open up their router/firewall and then use this system to launch attacks later.
RFmax
Trusted SF Member
Joined: 08 Dec 2005
Posts: 4
Posted: Tue Jan 10, 2006 6:09 am

The problem is that they will know your external or Internet routable addr and then you have to prove that you were not party to the problems.

You see it is basically what you inferred originally. Someone else can do all sorts of illegal things and it would be pointed at your network.
roundtrip
Just Arrived
Joined: 04 Aug 2005
Posts: 0
Location: Scotland
Posted: Wed Jan 11, 2006 3:35 am

It is possible for an attacker to monitor your legitimate wireless network usage and observe the MAC addresses being used. Once a device is turned off they can clone that MAC address and associate to the network thereby making it look like your system is doing the damage and/or performing the criminal activity.
Spyd3r
Just Arrived
Joined: 20 Jun 2005
Posts: 0
Location: Syracuse, NY
Posted: Wed Feb 01, 2006 10:59 pm

I have to agree with what everyone else mentioned. If I were planning to do an illegal activity, I would most certainly do it from someone else's wireless network. And further, wireless security seems to be a debated topic. I hear too many people with the theory that if it's hard enough to get in, then the attacker will move on. From a residential standpoint, perhaps, but certainly not a professional point of view. And then what about the CEO who goes home to his unencrypted network and then logs into the office? He's just creating another hole.

Two years ago, it took me almost 8 hrs to gather enough packets at my office to crack the 128 WEP at the time. About a year ago, I learned how to inject packets back in with Aireplay. It turned 8 hrs into 11 mins at my office. It still takes almost an hour at my home network, but that's due to the lack of traffic compared to the office.

But getting past wireless security is really just a matter of how creative the attacker is. In our lab, we set up a 128 bit WEP (rotating key) AP with four clients hung off it. The SSID was hidden; MAC filtering on, DHCP off, and then we used a pre-shared key to access the actual Internet.

Because of the rotating key, it took some effort to get the actual WEP key...in fact, we ended up using three systems to inject while a fourth sat back and collected packets. Hiding the SSID is a joke if you're seriously concerned about people trying to get access. And MAC filtering and DHCP were easy enough to get by with just a 30 second collection from Ethereal.

To get by the PSK, I ended up setting up a Linux machine to pretend it was the AP. Once it was ready to do a little old-fashioned MitM, we just issued a void11 attack to de-authenticate all clients and then try to trick a client into connecting to our rogue. (I've since gotten a generic Linksys router to do this part for most tests. And setting it up as a wireless bridge after a successful compromise let us further exploit the network from a much safer distance.)

During a pen-test at an international airport, we discovered plenty of strange little things. They run an unencrypted wifi network that redirects all traffic to an SSL that'll ask you to pay $6.95 for the day. Once you've put your credit card in all the traffic goes back to being unsecured. Oddly enough we found that the same de-auth attack mentioned above could be used to hijack a paying user's session just by cloning the MAC and stealing their IP address. I'm afraid my expertise in this area is rather lacking, but shouldn't they have used something a bit more static to track a user's session? Hell, even a cookie, right?

My advice to anyone would be to use WPA if your devices will support it, and don't use a dictionary-based passphrase. If you're using sensitive data from a commercial standpoint then your options are either very simple or rather complex. Your most secure choice would be to not use wifi. The other option is to stack up your layers and hope no one wants to really get into your network. Encryption is flawed, so stack it on top of a virtual VPN connection for your WLAN; utilize RADIUS, or use WifiSec. I highly encourage people to practice cracking WEP. Get a bootable Linux distro and search some user groups. It's not 'quite' as easy as many make it sound, but once you've built up your confidence in the flaws, it's much easier to convince your boss or IT Administrator that something needs to be done about that $30 Belkin router they've got running their business.
RFmax
Trusted SF Member
Joined: 08 Dec 2005
Posts: 4
Posted: Wed Feb 01, 2006 11:13 pm

Roundtrip,

Just to answer your question, that is very true. It does not even take you turning off the device with the specific MAC addr. There are programs that will force you to re-associate with an access point and by that time, another device has taken your place and you are not able to associate. That would be real obvious and usually not done unless you just want to irritate people. It is really above the radar if you will.

I have linked a few websites that go into more detail about some of the issues.

http://www.oreillynet.com/pub/a/wireless/2002/05/24/wlan.html?page=2

http://www.drizzle.com/~aboba/IEEE/
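An added example, not part of any poster's message: a review of the connection logs RFmax recommends keeping, covering the MAC cloning that roundtrip and RFmax describe. It flags associations from MACs outside the owner's inventory and known MACs that come back with a different DHCP hostname or a sharply different signal strength. The log format, the inventory and the threshold are constructed assumptions, not any router's real output.

```python
from dataclasses import dataclass

# Assumed inventory of the owner's devices: MAC -> DHCP hostname (constructed values).
KNOWN = {"00:11:22:aa:bb:01": "den-pc", "00:11:22:aa:bb:02": "laptop"}

# Constructed sample log: (epoch seconds, event, MAC, DHCP hostname, RSSI in dBm).
SAMPLE_LOG = [
    (1000, "assoc",  "00:11:22:aa:bb:01", "den-pc", -48),
    (1200, "assoc",  "00:11:22:aa:bb:02", "laptop", -55),
    (2000, "assoc",  "00:de:ad:00:00:09", "unknown-host", -81),  # not in inventory
    (3000, "deauth", "00:11:22:aa:bb:02", "laptop", -55),
    (3004, "assoc",  "00:11:22:aa:bb:02", "box", -83),           # same MAC, new profile
    (4000, "deauth", "00:11:22:aa:bb:01", "den-pc", -48),
    (4600, "assoc",  "00:11:22:aa:bb:01", "den-pc", -50),        # normal reconnect
]

@dataclass(frozen=True)
class Finding:
    ts: int
    mac: str
    reason: str

def review(log, known=KNOWN, rssi_jump=20):
    """Flag unknown MACs and known MACs whose profile changes between sessions."""
    findings, last_seen = [], {}
    for ts, event, mac, host, rssi in sorted(log):
        mac = mac.lower()
        if event != "assoc":
            continue  # only new associations are judged here
        if mac not in known:
            findings.append(Finding(ts, mac, "unknown_mac"))
            continue
        reasons = []
        if host != known[mac]:
            reasons.append("hostname_mismatch")
        prev = last_seen.get(mac)
        if prev is not None and abs(rssi - prev) >= rssi_jump:
            reasons.append("rssi_jump")
        if reasons:
            findings.append(Finding(ts, mac, "possible_clone:" + "+".join(reasons)))
        else:
            last_seen[mac] = rssi  # only unflagged sessions update the baseline
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f.ts, f.mac, f.reason)
```

Hostname and signal strength are heuristics: a hostname can be copied along with the MAC, and a device that moves rooms will shift its RSSI, so a finding is a prompt to look closer rather than proof.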