WLAN Security Protection – Penetration Testing

With the rapid development of the Internet and the ever more frequent use of portable computers, smart phones and other mobile terminals, wireless local area network (WLAN) technology, which uses the wireless channel as its transmission medium, offers users a mobility and roaming convenience that wired networks cannot match. The most common WLAN standard is the IEEE 802.11 family of standards; early deployments targeted homes, enterprises and operator hotspots such as airports, office buildings and cafes.

As the technology has matured and mobile Internet applications have developed, WLAN has become one of the mainstream high-speed Internet access technologies. As WLAN service systems grow, however, they continue to expose a variety of security issues. This article analyses the security threats a WLAN service system faces at the device, network and service levels, and presents current solutions for some of the service security issues.

WLAN security access standard

There are roughly three WLAN security access standards: WEP, WPA and WAPI.

WEP (Wired Equivalent Privacy)

WEP (Wired Equivalent Privacy) is the security standard adopted by 802.11b. It provides an encryption mechanism that protects the data link layer, with the goal of bringing WLAN data transmission security to the same level as a wired LAN. WEP uses the RC4 algorithm for symmetric encryption; the key is shared between the AP and the wireless network card by presetting it on both sides. During communication, the WEP standard requires the sender to create a per-packet initialization vector (IV), which is combined with the preset key to produce the encryption key for that packet. The receiver reads the initialization vector from the packet and combines it with its own preset key to recover the same encryption key.

WEP allows a 40-bit key, which is too short for most applications. WEP also has no automatic key rotation: every key must be reset manually, which leads to the same key being reused for long periods. Third, although an initialization vector is used, it is transmitted in plaintext and is allowed to be reused within 5 hours, so it adds nothing to the effective key strength. In addition, the RC4 algorithm as used in WEP has been shown to be vulnerable. In summary, the limitations of the key arrangement and the weaknesses of the algorithm itself give WEP obvious security flaws; the protection WEP provides can only be described as "better than nothing."
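To make the point about the plaintext, reusable IV concrete, here is an added example (not code from the original article). It assumes the 24-bit per-packet IV that 802.11 WEP uses, and the frame rate and captured IV sequence in it are constructed. It computes how quickly the IV space runs out, the birthday-bound probability that an IV repeats, and implements the kind of IV-reuse check a wireless IDS would run over frames seen under one key.

```python
"""Added example: why a plaintext, reusable IV does not strengthen WEP.
Assumes the 24-bit per-packet IV of 802.11 WEP; sample data is constructed."""
import math
from collections import defaultdict

IV_BITS = 24                 # WEP IV size (assumption stated in the lead-in)
IV_SPACE = 2 ** IV_BITS      # 16,777,216 possible IVs


def iv_collision_probability(n_frames: int, iv_bits: int = IV_BITS) -> float:
    """Birthday-bound probability that at least one IV repeats among n_frames
    frames when IVs are picked uniformly at random.
    Uses the standard approximation 1 - exp(-n(n-1) / (2 * space))."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2.0 * space))


def frames_for_collision_probability(p: float, iv_bits: int = IV_BITS) -> int:
    """Smallest frame count at which the collision probability reaches p,
    obtained by inverting the approximation above."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))


def seconds_to_exhaust_ivs(frames_per_second: float, iv_bits: int = IV_BITS) -> float:
    """Time a sender that increments its IV sequentially needs to cycle
    through every IV and start reusing them."""
    return (2 ** iv_bits) / frames_per_second


def detect_iv_reuse(frames):
    """WIDS-style check: given (timestamp, iv) pairs observed under one key,
    return {iv: [timestamps]} for every IV that appeared more than once."""
    seen = defaultdict(list)
    for ts, iv in frames:
        seen[iv].append(ts)
    return {iv: ts_list for iv, ts_list in seen.items() if len(ts_list) > 1}


# Constructed sample capture: a sender whose IV counter restarts at 0 after
# a reboot, so IVs 0x000001 and 0x000002 are reused under the same key.
SAMPLE_FRAMES = [
    (0.0, 0x000001), (0.1, 0x000002), (0.2, 0x000003),
    (5.0, 0x000001), (5.1, 0x000002),   # counter reset -> reuse
    (5.2, 0x0A0B0C),
]

if __name__ == "__main__":
    print(f"P(IV reuse) after 4096 random IVs: {iv_collision_probability(4096):.2f}")
    print(f"frames for a 50% collision chance: {frames_for_collision_probability(0.5)}")
    print(f"seconds to exhaust IVs at 500 frames/s: {seconds_to_exhaust_ivs(500):.0f}")
    print("reused IVs:", {hex(k): v for k, v in detect_iv_reuse(SAMPLE_FRAMES).items()})
```

At a constructed 500 frames per second a sequential sender exhausts the IV space in roughly nine hours, and random IVs already have an even chance of repeating after fewer than 5,000 frames, so the "reuse allowed within 5 hours" rule does nothing to keep keystreams unique; the detector shows the repeat is visible to any monitor because the IV travels in the clear.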

WPA (Wi-Fi Protected Access)

WPA (Wi-Fi Protected Access) is a standard for protecting access to Wi-Fi networks. It comes in two versions, WPA and WPA2, and is an upgraded version of WEP that remedies several of WEP's shortcomings. It is an integral part of 802.11i; before 802.11i was complete, WPA served as an interim substitute for it.

Unlike WEP, WPA provides both encryption and authentication: it secures the data link layer while ensuring that only authorized users can access the WLAN. WPA uses TKIP (Temporal Key Integrity Protocol) as its encryption protocol, which provides a key re-keying mechanism and increases the effective key length, thereby making up for the weaknesses of WEP. Authentication can take one of two forms: the 802.1X protocol, or a pre-shared key (PSK).

WAPI (WLAN Authentication and Privacy Infrastructure)

WAPI (WLAN Authentication and Privacy Infrastructure) is a wireless WLAN security standard independently developed in China and strongly promoted for deployment there. It has passed IEEE (note: not Wi-Fi) certification and authorization, and is an authentication and privacy protocol whose role is similar to that of WEP in 802.11b, but it provides more complete security protection. WAPI combines asymmetric cryptography (elliptic curve cryptography) with symmetric cryptography (a block cipher) to realize its protection, covering device identification, link verification, access control and encryption of user information in wireless transmission.

In addition to mutual authentication between the mobile terminal (MT) and the AP, WAPI can also authenticate one mobile terminal to another. At the same time, certificate verification for the AP and the mobile terminal is handed off to the authentication server (AS), which on the one hand reduces the power consumption of the MT and AP, and on the other hand makes it possible for the MT and AP to use public key certificates issued by different issuers.

WLAN systems face security risks and problems

Entry stage

WPA/WPA2 and WEP standard security: for the currently mainstream WPA-PSK networks, the PSK and SSID can be turned into the PMK, which is then combined with the client MAC, AP BSSID, A-NONCE and S-NONCE from the handshake packets to calculate the PTK; the PTK and the original message data give a MIC, which is compared with the MIC sent by the AP, allowing a brute-force attack. This method is called running a dictionary against the capture. Another mainstream cracking method is PIN cracking, also known as WPS cracking, whose principle is to exploit security problems in WPS so that the password can be extracted directly through the PIN. The PIN is an 8-digit number, so the cracking time is relatively short. The 8th digit of the WPS PIN is a checksum, so the hacker only needs to work through the first seven digits, and in addition the first four and the last three digits are verified separately. Cracking the PIN therefore needs at most 10,000 attempts, about 3 hours under good conditions. WEP, because of its own design flaws, was superseded in 2003 by Wi-Fi Protected Access (WPA) and in 2004 by the complete IEEE 802.11i standard (also known as WPA2), but some old devices on the network still provide service using the simple WEP standard.

Fake AP: Wikipedia gives two interpretations of a Fake AP. One is a honeypot, an illegitimate AP set up to attract users to connect and then steal their information; the other is a rogue AP, which hackers use to gain illegal access to the network. Using a Fake AP, a hacker can easily obtain a customer's WLAN system key, which makes subsequent data interception, theft of resources and other actions much easier.

Configuration defects: configuration defects can also lead to passwords being brute-forced, because many organizations do not enable an authentication system, or leave the password unset in the password login section of the WLAN authentication Portal page.

Password sharing: with the proliferation of Wi-Fi password-sharing products such as "Wi-Fi Universal Key", many companies that have not enabled an authentication system face having their password leaked and cracked, leaving the enterprise intranet exposed to intruders.

Attack stage

Device vulnerabilities: WLAN system equipment itself has security vulnerabilities that can be used to take control of WLAN equipment and thereby affect normal WLAN service. If no detailed access policy is used, any user who connects to the WLAN can reach these devices. The security of typical AP equipment is poor; if a device has a weak or default password, a malicious attacker can modify its configuration or shut it down, so that the equipment can no longer be used normally. AC and other devices also have vulnerabilities (such as arbitrary configuration file download vulnerabilities) that can leak account passwords, IP routing and other information, affecting the safe operation of the system.

Springboard attack: the WLAN device management IP address range and the ordinary WLAN user IP address range are not effectively isolated, leaving WLAN devices vulnerable to attack and takeover. The AC can be logged into from any address, so an attacker can use scanning software to brute-force the device's passwords.

Address spoofing and session interception: because 802.11 wireless LANs do not authenticate data frames, an attacker can redirect data streams by spoofing frames and corrupt ARP tables. In a very simple way, an attacker can easily obtain the MAC address of a station on the network and use it for malicious attacks. Besides spoofing, an attacker can discover authentication flaws in the AP by intercepting session frames, and can discover the existence of the AP by monitoring the broadcast frames it sends. Because 802.11 does not require the AP to prove that it really is an AP, an attacker can easily pose as the AP to enter the network, and through such an AP can further obtain identity information to get into the network. Without the per-frame 802.11 MAC authentication technology of 802.11i, network intrusion via session interception cannot be prevented.

Advanced invasion stage

Advanced intrusion: once an attacker has entered the wireless network, it becomes the starting point for further intrusion into other systems. Many networks have well-configured security devices as an outer shell to block illegal attacks, but the internal network protected by that shell is in fact very vulnerable to attack. A wireless network can be connected to the network backbone with a simple configuration, but this exposes the network to the attacker; even a network with some border security equipment will be exposed in the same way and thus suffer further intrusion.

WLAN system security protection

In view of the above security risks, and to ensure normal operation of the WLAN system, we should thoroughly map the data flow and control flow of the WLAN service and apply basic security protection at every layer and every level.

Access protection

Access protection is the most basic guarantee for the safe operation of all devices in the WLAN system. If an AP is compromised, users simply cannot connect; if an AC is compromised, every AP it manages is affected, so a large number of users cannot connect normally and may be redirected to a Portal page designed by the attacker; if RADIUS is compromised, user management is affected; if network equipment is compromised, network access is affected; problems with RADIUS or the Portal affect user authentication and billing; problems with network management equipment cause abnormal operation of the managed objects and may even let an attacker enter from the external network and launch a deeper attack. The following points are therefore recommended to reinforce WLAN access protection:

Set complex passwords on all WLAN system equipment;

For devices with SNMP enabled, set complex community strings, do not configure a write community string unless it is really necessary, and strictly restrict the addresses allowed to access SNMP;

Use port-based access control (802.1X) to prevent unauthorized access;

Set complex SSIDs on APs and NICs, and decide whether MAC binding is required based on whether roaming is needed;

Prohibit the AP from broadcasting its SSID;

When positioning APs, survey the area outside the office to prevent AP coverage from extending beyond the office area (this is difficult), and have security staff patrol around the company to prevent outsiders near the company from accessing the network.

Enable logging and review the system log regularly. An attacker's scanning generally leaves obvious traces in the system log; Figure 1 shows a log from an AC device, in which an IP address can be seen scanning and brute-forcing the AC device's account password.

WLAN user account passwords stored in the RADIUS system should be saved in encrypted form, and the security of the WLAN user password generation mechanism should be strengthened, so that passwords reset by the WLAN system are not weak default passwords.
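The access-protection points above, together with the weaknesses of WEP, WPA-PSK and WPS described earlier, can be turned into a mechanical check of a device's configuration. The following is an added example, not code from the original article or from any vendor: the configuration dictionary layout, its field names and the two sample configurations (one weak, one hardened) are assumptions constructed for illustration, and the strength thresholds are the author's choices rather than values from the article.

```python
"""Added example: audit an AP/AC configuration against the access-protection
recommendations.  Field names and sample configurations are constructed."""
import re

WEAK_PASSWORDS = {"admin", "password", "123456", "12345678", "default", ""}
WEAK_COMMUNITIES = {"public", "private", ""}


def password_is_complex(pw: str, min_len: int = 12) -> bool:
    """Reject known defaults and short strings; require at least three of
    lower-case, upper-case, digit and symbol (thresholds are assumptions)."""
    if pw.lower() in WEAK_PASSWORDS or len(pw) < min_len:
        return False
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return classes >= 3


def audit_wlan_config(cfg: dict) -> list:
    """Return a list of (severity, finding) tuples; an empty list means clean."""
    findings = []
    if not password_is_complex(cfg.get("admin_password", "")):
        findings.append(("high", "device admin password is weak or default"))
    sec = cfg.get("security", "").upper()
    if sec in ("WEP", "OPEN"):
        findings.append(("high", f"{sec} provides no real protection; use WPA2"))
    if sec.startswith("WPA") and cfg.get("auth") == "PSK" and len(cfg.get("psk", "")) < 12:
        findings.append(("high", "WPA-PSK passphrase under 12 characters is exposed to dictionary attacks"))
    if sec.startswith("WPA") and cfg.get("auth") != "802.1X":
        findings.append(("medium", "802.1X port access control not in use"))
    if cfg.get("wps_enabled"):
        findings.append(("high", "WPS enabled: the 8-digit PIN can be brute-forced; disable WPS"))
    if cfg.get("ssid_broadcast", True):
        findings.append(("low", "AP broadcasts its SSID"))
    snmp = cfg.get("snmp", {})
    if snmp.get("enabled"):
        if snmp.get("ro_community", "") in WEAK_COMMUNITIES:
            findings.append(("medium", "SNMP read community string is default or empty"))
        if snmp.get("rw_community"):
            findings.append(("high", "SNMP write community configured; remove it unless required"))
        if not snmp.get("allowed_sources"):
            findings.append(("medium", "SNMP accepts queries from any source address"))
    if not cfg.get("syslog_enabled"):
        findings.append(("medium", "logging disabled; scans against the device leave no trace"))
    if not cfg.get("mgmt_acl"):
        findings.append(("high", "management interface reachable from any address (springboard risk)"))
    return findings


# Constructed sample configurations
WEAK_AP = {
    "admin_password": "admin", "security": "WPA2", "auth": "PSK", "psk": "company1",
    "wps_enabled": True, "ssid_broadcast": True,
    "snmp": {"enabled": True, "ro_community": "public", "rw_community": "private"},
    "syslog_enabled": False, "mgmt_acl": [],
}
HARDENED_AP = {
    "admin_password": "Tq7!mVx#2pLw9sRz", "security": "WPA2", "auth": "802.1X",
    "wps_enabled": False, "ssid_broadcast": False,
    "snmp": {"enabled": True, "ro_community": "r0-Nms!9xQ2vL", "allowed_sources": ["10.0.0.0/24"]},
    "syslog_enabled": True, "mgmt_acl": ["10.0.0.0/24"],
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_AP), ("hardened", HARDENED_AP)):
        print(name, audit_wlan_config(cfg) or "clean")
```

Running the audit over the weak configuration produces ten findings, five of them high severity (default admin password, short PSK, WPS on, SNMP write community, and a management interface with no ACL); the hardened configuration passes clean. In practice the dictionary would be filled from the device's exported configuration or its management API rather than written by hand.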

Attack protection

Enable user isolation: turn on AC user isolation and switch port isolation. Normally, unauthenticated users cannot reach other users within the network, and after authentication, users on the same AP or hotspot, or on different APs, cannot communicate with one another.

Divide management VLANs and user VLANs as needed and control communication between VLANs. Between the WLAN system and the external network, and between different internal security domains, use firewalls to achieve isolation and access control, with detailed access control policies that strictly limit the maintenance address ranges and ports.

Advanced Intrusion Prevention

Deploy professional security equipment by zone: deploy intrusion detection systems and firewalls at the core network elements, and deploy anti-denial-of-service and anti-page-tampering software in the portal server network.

Strengthen auditing and keep accurate statistics for all nodes in the WLAN network.
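The log review recommended under access protection and the auditing point above both come down to reading device logs for the traces a password scan leaves, such as the AC login log the article refers to as Figure 1. Here is an added example (not the article's own code, and the figure is not reproduced here): the log line format is an assumption, and the sample lines, including the source addresses, are constructed. It parses login events and flags any source that fails repeatedly inside a short window, noting whether a success followed the failures, which is the case that warrants an immediate credential reset.

```python
"""Added example: flag password scans in an AC login log.  The line format is
an assumption and the sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed format: "<YYYY-MM-DD HH:MM:SS> <FAILED|SUCCESS> login user=<name> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<result>FAILED|SUCCESS) login user=(?P<user>\S+) from (?P<ip>[\d.]+)$"
)


def parse_line(line: str):
    """Return a dict for a recognised login event, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def find_password_scans(lines, threshold: int = 5, window_seconds: int = 300):
    """Flag source IPs with at least `threshold` failed logins inside any
    `window_seconds` span.  Returns {ip: {"failures": n, "users": [...],
    "success_after_failures": bool}}."""
    by_ip = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev:
            by_ip[ev["ip"]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAILED"]
        # sliding window: failures i..i+threshold-1 must fit inside the window
        hit = any(
            (fails[i + threshold - 1]["ts"] - fails[i]["ts"]).total_seconds() <= window_seconds
            for i in range(len(fails) - threshold + 1)
        )
        if not hit:
            continue
        first_fail = fails[0]["ts"]
        success_after = any(e["result"] == "SUCCESS" and e["ts"] > first_fail for e in evs)
        alerts[ip] = {
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "success_after_failures": success_after,
        }
    return alerts


# Constructed sample log: one scanning source (a documentation-range address)
# cycling through account names, plus an operator's ordinary typo.
SAMPLE_LOG = """\
2017-03-01 09:00:01 SUCCESS login user=netops from 10.0.0.5
2017-03-01 09:12:10 FAILED login user=admin from 203.0.113.7
2017-03-01 09:12:11 FAILED login user=admin from 203.0.113.7
2017-03-01 09:12:12 FAILED login user=root from 203.0.113.7
2017-03-01 09:12:13 FAILED login user=admin from 203.0.113.7
2017-03-01 09:12:14 FAILED login user=operator from 203.0.113.7
2017-03-01 09:12:15 FAILED login user=admin from 203.0.113.7
2017-03-01 09:12:16 SUCCESS login user=admin from 203.0.113.7
2017-03-01 09:30:00 FAILED login user=netops from 10.0.0.5
2017-03-01 09:30:20 SUCCESS login user=netops from 10.0.0.5
2017-03-01 09:31:00 some unrelated line
"""

if __name__ == "__main__":
    for ip, info in find_password_scans(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The scanning source is reported with six failures across three account names and a success immediately afterwards, while the operator's single typo from the management subnet stays below the threshold. The same routine fits naturally into the audit statistics the article asks for, since it already groups events by node and source.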

The secure wireless defense system consists of the following components:

Secure wireless defense system: deployed where security is needed in the wireless network, it integrates a variety of security capabilities against wireless scanning, wireless spoofing, wireless DoS, wireless cracking and other wireless network threats, providing precise control in highly reliable, high-performance, easy-to-manage secure wireless defense equipment.

Wireless security centralized data analysis center: wireless security data analysis is the back end of the wireless security products. It mainly handles the storage, analysis, audit and processing of security events from the secure wireless defense systems.
