{"id":443,"date":"2007-10-19T22:26:00","date_gmt":"2007-10-19T14:26:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=443"},"modified":"2024-02-17T20:32:58","modified_gmt":"2024-02-17T12:32:58","slug":"wireless-security","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/443","title":{"rendered":"Wireless Security"},"content":{"rendered":"\n

802.11 specific vulnerabilities:<\/strong>
\u7528\u6236\u4f7f\u7528default SSID
beacon broadcast\u6703\u8b93\u5176\u4ed6\u4eba\u77e5\u9053ssid<\/p>\n\n\n\n

\u5e38\u898b\u5a01\u8105<\/strong>
mac sniffing:\u53ef\u4ee5sniffing\u4ee5\u53d6\u5f97mac address,\u82e5ap\u6709\u9396mac address\u53ef\u7528\u6b64\u65b9\u6cd5\u7834\u89e3
ap spoofing:\u4f7f\u7528rouge ap\u6b3a\u9a19clinet,\u4e5f\u7a31evil twin<\/p>\n\n\n\n

\u65e9\u671fap\u5b89\u5168\u9632\u8b77<\/strong>
\u95dc\u9589ssid broadcast
\u958b\u555fwep
\u9650\u5236mac-address<\/p>\n\n\n\n

ps:
phone jamming<\/strong>
\u7121\u7ddados,\u53ef\u5e72\u64fe\u624b\u6a5f\u8207 wireless<\/p>\n\n\n\n

…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………<\/p>\n\n\n\n

802.11 wireless authentication\u4e3b\u8981\u6709\u4e09\u7a2e\uff1a<\/strong>
Open System Authentication (\u958b\u653e\u7cfb\u7d71\u8a8d\u8b49)
Closed System Authentication (\u5c01\u9589\u7cfb\u7d71\u8a8d\u8b49)
Shared-key Authentication (\u5206\u4eab\u5bc6\u9470\u8a8d\u8b49):\u4f7f\u7528wep,wpa,..\u7b49<\/p>\n\n\n\n

Open System Authentication<\/strong>
\u5728\u6b64\u6a21\u5f0f\u4e0bap\u6703\u5c0d\u7a7a\u767d\u7684SSID(null SSID)\u4f5c\u51fa\u56de\u61c9\uff0c\u56de\u61c9\u7684\u5167\u5bb9\u5247\u662f\u8a72\u5b58\u53d6\u9ede\u7684SSID
\u5728\u9019\u7a2e\u8a8d\u8b49\u65b9\u5f0f\u4e0b\u4efb\u4f55\u4eba\u90fd\u53ef\u4ee5\u53d6\u5f97SSID\u4e26\u4e14\u8207\u5b58\u53d6\u9ede\u9032\u884c\u9023\u7dda\uff0c\u662f\u5b8c\u5168\u6c92\u6709\u4efb\u4f55\u5b89\u5168\u9632\u8b77\u7684\u8a8d\u8b49\u65b9\u5f0f\u3002<\/p>\n\n\n\n

Closed System Authentication<\/strong>
\u5728\u6b64\u6a21\u5f0f\u4e0bap\u5c07\u4e0d\u5c0dnull SSID\u56de\u61c9\uff0c\u4f7f\u7528\u8005\u5fc5\u9808\u63d0\u4f9b\u6b63\u78ba\u7684 SSID \u624d\u80fd\u8207\u8a72\u5b58\u53d6\u9ede\u9032\u884c\u9023\u7dda\u3002
\u9019\u7a2e\u65b9\u5f0f\u4e4d\u770b\u4e4b\u4e0b\u61c9\u8a72\u8db3\u5920\u5b89\u5168\uff0c\u56e0\u70ba\u9019\u7a2e\u8a8d\u8b49\u65b9\u5f0f\u5982\u540c\u4e00\u822c\u7684\u5bc6\u78bc\u8a8d\u8b49\uff0c\u5fc5\u9808\u8981\u5f97\u77e5\u5bc6\u78bc\u624d\u80fd\u9032\u5165\u7cfb\u7d71\u3002\u4f46\u662f\u7531\u65bc\u7121\u7dda\u7db2\u8def\u7684\u7279\u6027\uff0c\u7121\u6cd5\u63a7\u5236\u8a0a\u606f\u7684\u50b3\u64ad\u65b9\u5411(\u5b83\u662f\u4ee5\u7121\u7dda\u5ee3\u64ad\u7684\u65b9\u5f0f\u50b3\u9001\u8cc7\u6599)\uff0c\u56e0\u6b64\u653b\u64ca\u8005\u53ef\u4ee5\u5229\u7528\u7db2\u8def\u55c5\u63a2 (sniffing) \u7684\u65b9\u5f0f\u53d6\u5f97 SSID\uff0c\u9032\u800c\u4f7f\u7528\u7121\u7dda\u7db2\u8def\u3002
\u9019\u7a2e\u65b9\u5f0f\u5982\u540c\u8981\u901a\u904e\u5927\u6a13\u8b66\u885b\u7684\u8a62\u554f\u6642\uff0c\u5077\u807d\u524d\u5e7e\u500b\u4eba\u7684\u56de\u7b54\u800c\u4f9d\u6a23\u756b\u846b\u8606\uff0c\u85c9\u4ee5\u6b3a\u9a19\u8b66\u885b\u4ee5\u9054\u5230\u6ef2\u900f\u7684\u76ee\u7684\u3002<\/p>\n\n\n\n

…………………..<\/p>\n\n\n\n

WEP(wired equivalent privacy,\u6709\u7dda\u7b49\u6548\u79c1\u5bc6)<\/strong>
\u7531Wi-Fi\u806f\u76df\u5236\u5b9a,\u6700\u65e9\u4e5f\u662f\u6700\u57fa\u790e\u7684\u4e00\u7a2eWLAN\u52a0\u5bc6\u6280\u8853,1999\u5e74\u904e\u904e\u6210\u70ba802.11\u6a19\u6e96\u7684\u4e00\u90e8\u4efd
\u8cc7\u6599\u5148\u7528CRC32 \u7b97\u51fa\u6aa2\u67e5\u7e3d\u5408\u4e26\u9644\u5728\u8cc7\u6599\u5f8c\u9762,\u5728\u9032\u884cRC4\u52a0\u5bc6\u4e26\u5728\u5bc6\u6587\u52a0\u4e0a\u4e00\u500b\u503c
rc4:\u8ca0\u8cac\u8cc7\u6599\u6a5f\u5bc6\u6027,\u4e26\u642d\u914d24bit IV
crc32:\u8ca0\u8cac\u8cc7\u6599\u5b8c\u6574\u6027,\u4f46\u8cc7\u6599\u5b8c\u6574\u6027\u5f31
ps:WEP \u7528\u7684CRC\u5148\u5929\u5c31\u4e0d\u5b89\u5168\uff0c\u5728\u4e0d\u77e5\u9053WEP\u9470\u5319\u7684\u60c5\u6cc1\u4e0b\uff0c\u8981\u7be1\u6539\u6240\u8f09\u8cc7\u6599\u548c\u5c0d\u61c9\u7684CRC\u662f\u53ef\u80fd\u7684<\/p>\n\n\n\n

WEP\u7684RC4\u91d1\u9470=key+24bit IV
\u5e38\u898b\u7684\u6709\u4ee5\u4e0b\u5e7e\u7a2e\u9577\u5ea6
64bit=40bit key+24bit IV
128bit=4*26bit key+24bit IV
256bit=4*58bit key+24bit IV
ps:
IV(initialization vector,\u521d\u5411\u91cf):\u7528\u4f86\u907f\u514d\u91cd\u8907<\/p>\n\n\n\n

wep\u5df1\u8b49\u5be6\u8a31\u591a\u7f3a\u5931<\/strong>
24bit IV\u5728\u5fd9\u788c\u7684\u7db2\u8def\u4e0a\u53ef\u80fd\u6703\u91cd\u8907,\u82e5\u6536\u96c6\u5230\u8db3\u5920\u591a\u7684IV,\u5c31\u53ef\u4ee5\u63a8\u5c0e\u51fakey
\u5229\u7528RC4\u52a0\u89e3\u5bc6\u548cIV\u7684\u4f7f\u7528\u65b9\u5f0f\u7684\u7279\u6027,\u5728\u7db2\u8def\u4e0a\u5077\u807d\u5e7e\u500b\u5c0f\u6642\u53ef\u628aRC4\u7684key\u7834\u89e3
\u9470\u5319\u9577\u5ea6\u4e0d\u662fWEP\u5b89\u5168\u6027\u7684\u4e3b\u8981\u56e0\u7d20\uff0c\u7834\u89e3\u8f03\u9577\u7684\u9470\u5319\u9700\u8981\u6514\u622a\u8f03\u591a\u7684\u5c01\u5305\uff0c\u4f46\u662f\u6709\u67d0\u4e9b\u4e3b\u52d5\u5f0f\u7684\u653b\u64ca\u53ef\u4ee5\u6fc0\u767c\u6240\u9700\u7684\u6d41\u91cf<\/p>\n\n\n\n

\u5efa\u8b70<\/strong>
\u4f7f\u7528WPA<\/p>\n\n\n\n

……<\/p>\n\n\n\n

wpa(wi-fi protected access)<\/strong>
\u5be6\u4f5c802.11i\u6a19\u6e96\u7684\u5927\u90e8\u4efd,\u662f\u5728802.11i\u5b8c\u5099\u4e4b\u524d\u7684\u66ff\u4ee3\u65b9\u6848
\u57282003\u5e74\u6642\u7372\u5f97Wi-Fi\u806f\u76df\u652f\u6301,\u53d6\u4ee3WEP\u7528
\u65b0\u589e\u529f\u80fd:\u5229\u7528TKIP\u53caMIC\u7684\u6280\u8853\u4f86\u52a0\u5f37\u4fdd\u5bc6\u6027
\u4e3b\u8981\u6280\u8853\u5982\u4e0b
RC4: \u8ca0\u8cac\u8cc7\u6599\u6a5f\u5bc6\u6027,\u4e26\u642d\u914d48bit IV,\u8cc7\u6599\u7528128bit\u7684\u9470\u5319\u548c48bit\u7684IV(\u521d\u5411\u91cf)\u7684RC4 stream cipher\u52a0\u5bc6
TKIP:\u8ca0\u8cac\u52d5\u614b\u6539\u8b8a\u9470\u5319
MIC:\u8ca0\u8cac\u8cc7\u6599\u5b8c\u6574\u6027,\u53d6\u4ee3wep\u7684mic<\/p>\n\n\n\n

mic(\u8a0a\u606f\u5b8c\u6574\u6027\u67e5\u6838)<\/strong>
\u4f7f\u7528michael\u6f14\u7b97\u6cd5\u6539\u9032\u8cc7\u6599\u5b8c\u6574\u6027,\u53ef\u907f\u514d\u91dd\u5c0dwep\u7684 reply attack<\/p>\n\n\n\n

WPA vulnerabilities:<\/strong>
dos attack
pre-shared key dictionary attack<\/p>\n\n\n\n

…….<\/p>\n\n\n\n

WPA2<\/strong>
\u5be6\u4f5c802.11i\u6240\u6709\u6a19\u6e96,2004 \u5e74\u7d93wifi\u9a57\u8b49\u904e\u7684IEEE 802.11i\u6a19\u6e96\u683c\u5f0f
\u4e3b\u8981\u6280\u8853\u5982\u4e0b
AES:\u8ca0\u8cac\u8cc7\u6599\u6a5f\u5bc6\u6027,\u53d6\u4ee3rc4,\u4e14\u652f\u63f4128,192,256bit\u91d1\u9470
TKIP: \u8ca0\u8cac\u52d5\u614b\u6539\u8b8a\u9470\u5319
CCMP:\u8ca0\u8cac\u8cc7\u6599\u5b8c\u6574\u6027,\u53d6\u4ee3wpa\u7684mic
ps:win xp\u57282005\u5e74\u624d\u6709\u652f\u63f4wpa2<\/p>\n\n\n\n

CCMP(the counter mode with cbc-mac protocol)<\/strong>
\u4f7f\u7528AES\u7684CBC(\u8a08\u6578\u5668\u5bc6\u6587\u5340\u584a\u9023\u9396)+MAC(\u8a0a\u606f\u8a8d\u8b49\u78bc)<\/p>\n\n\n\n

WPA operation mode<\/strong>
wpa-personal:\u8a2d\u5b9apre-shared key\u505a\u4fdd\u8b77
wpa-enterprise:\u9700\u53e6\u5916\u8a2d\u5b9aserver\u8a8d\u8b49\u505a\u4fdd\u8b77<\/p>\n\n\n\n

………<\/p>\n\n\n\n

TKIP(the temporal key integrity protocol,\u66ab\u6642\u5bc6\u78bc\u6574\u5408\u901a\u8a0a\u5354\u5b9a)<\/strong>
\u53ef\u5728\u9023\u7dda\u4e2d\u52d5\u614b\u6539\u8b8a\u91d1\u9470\uff0c\u6bd4\u8f03\u4e0d\u5bb9\u6613\u88ab\u66b4\u529b\u7834\u89e3
\u53ef\u64ca\u6557\u91dd\u5c0dwep\u7684\u91d1\u9470\u64f7\u53d6\u653b\u64ca<\/p>\n\n\n\n

LEAP(the lightweight EAP,\u8f15\u91cf\u7d1a\u7684\u64f4\u5c55\u8a8d\u8b49\u5354\u8b70)<\/strong>
EAP\u7684\u4e00\u7a2e,\u7531CISCO\u958b\u767c
\u4efb\u4f55windows\u90fd\u4e0d\u652f\u63f4LEAP,\u4f46\u5176\u4ed6\u7528\u6236\u8edf\u9ad4\u652f\u63f4
\u5bb9\u6613\u53d7\u5230\u5b57\u5178\u653b\u64ca\u8106\u5f31\u6027,\u5b58\u5728\u56b4\u91cd\u7684\u5b89\u5168\u554f\u984c,\u53ef\u4f7f\u7528ASLEAP\u9032\u884c\u653b\u64ca<\/p>\n\n\n\n

…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………<\/p>\n\n\n\n

wireless network\u5075\u6e2c\u6280\u8853\u6709<\/strong>
warwalking:walking around to look for open wireless networks
wardriving:driving around to look for open wireless networks
warflying:flying around to look for open wireless networks
warchalking:using chalk to identify available open networks
warspying:
blue jacking
GPS<\/p>\n\n\n\n

warchalk<\/strong>
)( open mode
O close mode
wep mode<\/p>\n\n\n\n

hacking wirless networks\u6b65\u9a5f\u5982\u4e0b<\/strong>
1 find networks to attack
2 choose the network to attack
3 analyze the network
4 crack the wep key
5 sniff the network
ps:
sniffer \u6642\u7121\u7dda\u7db2\u5361\u9700\u8a2d\u5168\u983b<\/p>\n\n\n\n

…<\/p>\n\n\n\n

bluejacking<\/strong>
\u4f7f\u7528\u9810\u8a2d\u5bc6\u78bc\u9023\u63a5,…\u7b49
tool\u6709 super bluetooth hack<\/p>\n\n\n\n

man-in-the-middle attack<\/strong>
\u4e3b\u89812\u7a2etype:
eavesdropping
manipulation<\/p>\n\n\n\n

wireless DoS attack<\/strong>
\u67093\u7a2etype:
physical dos attacks
data-link dos attacks
network dos attacks<\/p>\n\n\n\n

hijacking and modifying<\/p>\n\n\n\n

…………………………………………………………………………………………………………………………<\/p>\n\n\n\n

cracking wep
\u5206\u70ba
passive attacks<\/strong>
  need some time,space
  do not change network traffic
active attacks<\/strong>
  need less time and space,and more effective
  stimulate network traffic
  increase the risk of being detected<\/p>\n\n\n\n

ps:
weak key (a.k.a weak IVs)
FMS(Fluhrer,Mantin,Shamir) attack<\/strong>
collection of the first encrypted octet of serveral million packets
exploits tool:
  wepcrack:first publicy available code for this purpose
  airsnort<\/p>\n\n\n\n

problem with wep’s key stream and reuse:<\/strong>
secreet key never changes ,only the initialization vectors
initialization vectors are sent unencrypted
if two messaes with the same initializaion vector are intercepted it is possible to obtain the plaintext
initialization vectors are commonly reused
initialization vectors can be used up in less than 1 hour
attackers can inject a known plaintext and re-capture the ciphertext
it leaves wep susceptible to replay attacks<\/p>\n\n\n\n

automated wep cracker:
airopeek:commercial tool
kismac:a mac osx tool for network discovery and cracking wep
netstumbler
kismet:sniffer tool<\/p>\n\n\n\n

\u5176\u4ed6\u76f8\u95dc\u6280\u8853:<\/strong>
pad-collection attacks
xor encryption
stream cipher<\/p>\n\n\n\n

wep crack tool:
aircrack:The fastest available WEP\/WPA cracking tool
cain & abel
kismet:scan,sniffer,…\u7b49<\/p>\n\n\n\n

…………………………………………………………………………………………………………………………<\/p>\n\n\n\n

rogue AP<\/strong>
unauthorized ap in wireless network<\/p>\n\n\n\n

tools
fake ap:\u53ef\u7522\u751f\u5927\u91cffake ap,client\u9023\u7dda\u6642\u6703\u770b\u5230\u4e00\u5806ap
airsnarf:rouge ap setup utility<\/p>\n\n\n\n

2 basic methods for locating unauthorized ap:<\/strong>
requesting a beacon
sniffing the air:looking for packets in the air<\/p>\n\n\n\n

detect tool
netstumbler: \u53ef\u62ff\u88dd\u597d\u7684notebook\u5230\u8655\u8d70,\u5075\u6e2crouge ap
ministumbler:\u624b\u6301\u7248netstumbler,\u5075\u6e2crouge ap<\/p>\n\n\n\n

…<\/p>\n\n\n\n

cloaked ap(\u96b1\u85cfap)<\/strong>
\u4f7f\u7528\u4e0d\u5305\u542b SSID\u503c\u7684Beacon\u529f\u80fd
SSID cloaking\u7528\u9014:\u9664\u975e\u7528\u6236\u7aef\u77e5\u9053\u6240\u4f7f\u7528SSID,\u5426\u5247\u7121\u6cd5\u4f7f\u7528\u9019\u500bAP
ps:\u7576\u6709\u7528\u6236\u8981\u9023\u63a5\u6642,\u9084\u662f\u6703\u807d\u5230\u6240\u4f7f\u7528\u7684SSID<\/p>\n\n\n\n

\u5075\u6e2c cloaked ap\u65b9\u5f0f:<\/strong>
\u4e3b\u52d5\u6383\u63cf\u5de5\u5177\u7121\u6cd5\u5075\u6e2c\u5230,ex:netstumbler
\u88ab\u52d5\u6383\u63cf\u5de5\u5177\u53ef\u5075\u6e2c\u5230,ex:kismet,airsnort<\/p>\n\n\n\n

…………………………………………………………………………………………………………………………<\/p>\n\n\n\n

scanning tools\u6709\u4ee5\u4e0b
kismet
prismstumbler
macstumbler
mognet
wavestumbler
netchaser for palm tops
ap scanner
wavemon
wireless security auditor
airtraf
wifi finder
eeye retina wifi
simple wireless scanner
wlanscanner<\/p>\n\n\n\n

………<\/p>\n\n\n\n

sniffing tools\u6709\u4ee5\u4e0b
airopeek
nai wireless sniffer
wireshark
vpnmonitorl
aerosol
vxsniffer
etherpeg
airmagnet
driftnet
windump
ssidsniff<\/p>\n\n\n\n

ps:
\u591a\u7528\u9014\u5de5\u5177
thc-rut
microsoft network monitor<\/p>\n\n\n\n

……..<\/p>\n\n\n\n

security tools\u6709\u4ee5\u4e0b
commview for wifi ppc:wlan\u8a3a\u65b7
airmagnet handheld analyzerwlan\u8a3a\u65b7
airdefense:detect rogue wlans
google secure access
rogue scanner<\/p>\n","protected":false},"excerpt":{"rendered":"

802.11 specific vulnerabilitie …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[39],"tags":[],"class_list":["post-443","post","type-post","status-publish","format-standard","hentry","category-concept"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/443","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=443"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/443\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}