Communication Security: Wireless • Chapter 4 199
allowable MAC addresses can be configured on the AP, or it can be configured on
a RADIUS server with which the AP communicates. However, regardless of the
technique used to implement MAC filtering, it is relatively easy to change the
MAC address of a wireless device through software. In Windows, this is accomplished
with a simple edit of the registry; in UNIX it is accomplished through a
root shell command (for example, ifconfig or ip link). MAC addresses are sent in the
clear in the header of every 802.11 frame, even when the payload is WEP-encrypted, so it
is also relatively easy to discover authorized addresses by passively sniffing the network.
WEP can be implemented to provide more protection against authentication
spoofing through the use of shared-key authentication. However, as discussed earlier,
shared-key authentication creates an additional vulnerability. Because shared-key
authentication sends both the plaintext challenge and the resulting ciphertext
version of it over the air, an eavesdropper can XOR the two to recover the RC4
keystream for that IV, and can then use that keystream to encrypt any later
challenge and spoof authentication to a closed network without ever knowing the key.
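The following Python simulates the exchange described above: one legitimate shared-key authentication is observed, the keystream is recovered from the challenge/response pair, and a fresh challenge is answered with that keystream. This is an added example, not code from the StudyBook; the 3-byte IV, the 128-byte challenge and the CRC-32 ICV follow WEP as specified in 802.11, while the RC4 routine, the key value and the class and function names are this example's own.

```python
"""Added example: spoofing WEP shared-key authentication from one observed
exchange. The attacker never learns the key; it only captures one
challenge/response pair and reuses the IV and keystream it yields."""
import os
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream generator; WEP seeds it with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: IV || RC4_{IV||key}(plaintext || ICV)."""
    ks = rc4(iv + key, len(plaintext) + 4)
    return iv + xor(plaintext + icv(plaintext), ks)


def wep_decrypt(key: bytes, frame: bytes):
    """Returns the plaintext, or None if the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4(iv + key, len(body)))
    plaintext, tag = data[:-4], data[-4:]
    return plaintext if icv(plaintext) == tag else None


class AccessPoint:
    """Minimal AP side of 802.11 shared-key authentication (demo class)."""

    def __init__(self, key: bytes):
        self.key = key

    def challenge(self) -> bytes:
        return os.urandom(128)  # shared-key challenge text is 128 bytes

    def verify(self, challenge: bytes, response_frame: bytes) -> bool:
        return wep_decrypt(self.key, response_frame) == challenge


def legitimate_response(key: bytes, challenge: bytes) -> bytes:
    """A real station: picks an IV and encrypts the challenge with the key."""
    return wep_encrypt(key, os.urandom(3), challenge)


def recover_keystream(challenge: bytes, response_frame: bytes):
    """Attacker: plaintext and ciphertext of the same keystream are both on
    the air, so XOR gives the IV and 132 keystream bytes for that IV."""
    iv, body = response_frame[:3], response_frame[3:]
    return iv, xor(challenge + icv(challenge), body)


def forge_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Attacker answers a fresh challenge by reusing the captured IV and
    keystream; WEP lets the sender choose the IV, so the AP accepts it."""
    return iv + xor(new_challenge + icv(new_challenge), keystream)


def demo(key: bytes = bytes.fromhex("0badc0ffee")) -> bool:
    """Returns True if the attacker authenticates without the key."""
    ap = AccessPoint(key)
    c1 = ap.challenge()                       # 1. legitimate exchange ...
    r1 = legitimate_response(key, c1)
    assert ap.verify(c1, r1)
    iv, ks = recover_keystream(c1, r1)        # 2. ... observed and XORed
    c2 = ap.challenge()                       # 3. attacker's own attempt
    return ap.verify(c2, forge_response(iv, ks, c2))


if __name__ == "__main__":
    print("spoofed authentication accepted:", demo())
```

The same keystream reuse that defeats authentication here is why WEP's IV is too small in general: any frame whose plaintext is known (a shared-key challenge, an ARP request, a broadcast) gives away keystream for its IV, and nothing stops that IV from being used again.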
Once an attacker has authenticated and associated with a wireless network, they
can run port scans, use special tools to dump user lists and passwords, impersonate
users, connect to shares, and, in general, create havoc on the network through DoS
and flooding attacks. DoS attacks can be traditional in nature, such as a ping flood,
SYN flood, fragmentation attack, or Distributed DoS (DDoS), or they can be specific to
a wireless network through the placement and use of rogue access points that prevent
wireless traffic from being forwarded properly (similar to router spoofing on wired networks).
MITM Attacks on Wireless Networks
Placing a rogue AP within range of a wireless station is a wireless-specific variation
of a MITM attack. If the attacker knows the SSID in use by the network and the
rogue AP has sufficient signal strength, wireless users will have no way of knowing that
they are connecting to an unauthorized AP. Using a rogue AP, an attacker can gain
valuable information about a wireless network, such as authentication requests, the
credentials or key material that clients present, and so on. Often, an attacker will set up
a laptop with two wireless adapters, in which one card is used by the rogue AP and the
other is used to forward requests through a wireless bridge to the legitimate AP, so the
victim's traffic still reaches its destination and nothing appears broken. With a
sufficiently strong antenna, the rogue AP does not have to be located in close proximity
to the legitimate AP. For example, an attacker can run a rogue AP from a car or van
parked some distance away from a building. However, it is also common to set up
hidden rogue APs (under desks, in closets, and so on) close to and within the same
physical area as the legitimate AP. Because a rogue AP presents itself to clients exactly
as a legitimate one does, the client cannot tell them apart; the defense against rogue APs
is vigilance through frequent site surveys (using tools such as NetStumbler and AiroPeek),
comparing what is found against the list of authorized APs, and physical security.
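The following Python shows what a passive sniffer, and therefore a site survey tool, sees in 802.11 headers, serving both points made above: that MAC addresses travel in the clear even on a WEP-protected network, and that a survey can flag an AP advertising the organization's SSID from a BSSID that is not on the authorized list. This is an added example, not code from the StudyBook or from NetStumbler or AiroPeek; the frames are constructed inline, and the authorized BSSID list, the SSID "CorpNet" and the function names are assumptions for the demo.

```python
"""Added example: parsing 802.11 MAC headers from constructed frames and
flagging rogue APs by comparing beacons against an authorized BSSID list."""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def parse_ssid(tagged: bytes) -> str:
    """Walk the beacon's tagged parameters; element ID 0 is the SSID."""
    i = 0
    while i + 2 <= len(tagged):
        tag, length = tagged[i], tagged[i + 1]
        if tag == 0:
            return tagged[i + 2:i + 2 + length].decode("utf-8", "replace")
        i += 2 + length
    return ""


def parse_frame(frame: bytes) -> dict:
    """Parse the 24-byte 802.11 MAC header (plus the SSID of a beacon).
    The header is never encrypted, so every address is readable on the air."""
    fc0, fc1, _dur, a1, a2, a3 = struct.unpack("<BBH6s6s6s", frame[:22])
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    info = {"type": ftype, "subtype": subtype, "to_ds": to_ds,
            "from_ds": from_ds, "protected": bool(fc1 & 0x40)}
    if ftype == 0:  # management: addr1=DA, addr2=SA, addr3=BSSID
        info.update(da=mac_str(a1), sa=mac_str(a2), bssid=mac_str(a3))
        if subtype == 8:  # beacon: 12 bytes of fixed fields, then tags
            info["ssid"] = parse_ssid(frame[24 + 12:])
    elif ftype == 2:  # data: address roles depend on the To/From DS bits
        if to_ds and not from_ds:
            info.update(bssid=mac_str(a1), sa=mac_str(a2), da=mac_str(a3))
        elif from_ds and not to_ds:
            info.update(da=mac_str(a1), bssid=mac_str(a2), sa=mac_str(a3))
        else:  # 0/0 is ad hoc; 1/1 (WDS) carries a fourth address, not handled
            info.update(da=mac_str(a1), sa=mac_str(a2), bssid=mac_str(a3))
    return info


def beacon(bssid: str, ssid: str) -> bytes:
    """Constructed beacon: fc0=0x80 (management, subtype 8), broadcast DA."""
    hdr = struct.pack("<BBH6s6s6sH", 0x80, 0, 0, mac_bytes(BROADCAST),
                      mac_bytes(bssid), mac_bytes(bssid), 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0011)  # timestamp, interval, caps
    return hdr + fixed + bytes([0, len(ssid)]) + ssid.encode()


def data_to_ds(bssid: str, sa: str, da: str) -> bytes:
    """Constructed WEP data frame from a client to the AP: fc0=0x08 (data),
    fc1=0x41 (ToDS + Protected). The 16-byte body stands in for ciphertext."""
    hdr = struct.pack("<BBH6s6s6sH", 0x08, 0x41, 0, mac_bytes(bssid),
                      mac_bytes(sa), mac_bytes(da), 0)
    return hdr + bytes(16)


def survey(frames, authorized_bssids, corporate_ssid):
    """Returns (rogue_aps, client_macs). A rogue AP here is any beacon that
    advertises our SSID from a BSSID not on the authorized list; the client
    MACs are those seen talking to authorized APs, read straight from the
    unencrypted header."""
    rogues, clients = {}, set()
    for f in frames:
        p = parse_frame(f)
        if p["type"] == 0 and p["subtype"] == 8:
            if p["ssid"] == corporate_ssid and p["bssid"] not in authorized_bssids:
                rogues[p["bssid"]] = p["ssid"]
        elif p["type"] == 2 and p.get("bssid") in authorized_bssids:
            clients.add(p["sa"] if p["to_ds"] else p["da"])
    return rogues, clients


# Constructed sample capture and an assumed authorized-AP list.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:55"}
SAMPLE_FRAMES = [
    beacon("00:11:22:33:44:55", "CorpNet"),      # the real AP
    beacon("de:ad:be:ef:00:01", "CorpNet"),      # rogue AP cloning the SSID
    beacon("66:77:88:99:aa:bb", "Neighbour"),    # unrelated network
    data_to_ds("00:11:22:33:44:55", "a4:5e:60:01:02:03", "00:11:22:33:44:55"),
]

if __name__ == "__main__":
    print(survey(SAMPLE_FRAMES, AUTHORIZED_BSSIDS, "CorpNet"))
```

The list comparison catches a rogue that only clones the SSID. An attacker who also clones the BSSID is not caught this way; that case needs the survey to record channel, signal strength and location for each authorized AP and compare against those, which is what walking the site with the tools named above provides.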
www.syngress.com