Wireless Intrusion Detection - Sharkfest - Wireshark

13.01.2015 Views
Monitoring wireless • Multiple methods of monitoring, not all equal • “Scanning mode” - same mechanism a client uses to connect, asks “What access points are available” • “Monitor mode” - Requires support in the driver, such as Linux, or AirPCAP • “Promsic mode” - Doesn't mean much in WiFi 12

WIDS can be hard • Many vulnerabilities in Wi-Fi are not fingerprintable in traditional way • Protocol violations can often be completely legit packets, just used in a weird way • Have to be able to monitor trends over time not just single packet events 13

Page 1: Wireless Intrusion Detection Mike K

Page 4 and 5: Why do we care • You need to know

Page 6 and 7: Security goes both ways • As a us

Page 8 and 9: Options So what are your options 8

Page 10 and 11: Independent/Overlay WIDS • Passiv

Page 14 and 15: Who is coming after you • Lots of

Page 16 and 17: General jackasses • Learned how t

Page 18 and 19: Targetted external attacks • Some

Page 20 and 21: 20 What gets used

Page 22 and 23: RF Denial of Service • Wi-Fi oper

Page 24 and 25: 24 Wavebubble jammer

Page 26 and 27: 26 Detecting jamming

Page 28 and 29: Fake saturation • 802.11 uses CSM

Page 30 and 31: Detecting saturation attacks • Ca

Page 32 and 33: Detecting deauth/disassoc • Easy

Page 34 and 35: When is 100m = 11k • Handshake br

Page 36 and 37: Detecting Reaver attacks • Legiti

Page 38 and 39: Extremely vulnerable • Roaming ha

Page 40 and 41: Two main ways to impersonate • Me

Page 42 and 43: Spoofing the network name • 802.1

Page 44 and 45: Strengthening the system • WPA-PS

Page 46 and 47: Impersonation impact • Once you c

Page 48 and 49: Stream hijacking • Unencrypted ne

Page 50 and 51: Extremely pernicious ● ● ●

Page 52 and 53: Direct attacks against drivers •

Page 54 and 55: Easy to detect... sort of • Drive

Page 56 and 57: Detecting client spoofing • Diffe

Page 58 and 59: Application attacks • Border IDS

Page 60 and 61: 60 Wi-Fi Pineapple

Page 62 and 63: PwnPlug • Looks like power adapte

Page 64 and 65: How bad is WEP, really • HORRIBLE

Page 66 and 67: Where WIDS falls down • We can pr

Page 68 and 69: Things we can't currently fix • O

Page 70 and 71: Corralling clients • Can attempt

Page 72 and 73: Things you CAN'T do • Run jammers

Page 74 and 75: Kismet • Started as purely a netw

Page 76 and 77: Kismet IDS • Both signature and t

Page 78 and 79: Getting the latest version • Your

Page 80 and 81: Host hardware ● ● ● ● Kisme

Page 82 and 83: WIDS to Syslog • Two ways to get

Page 84 and 85: Expanding Kismet - Distributed Capt

Page 86 and 87: Kismet protocol • Similar to IMAP

Page 88 and 89: Expanding Kismet - Plugins • Plug

Page 90 and 91: Client plugins • Able to interfac

Page 92 and 93: Going beyond Wi-Fi • What about o

Page 94 and 95: 94 Kismet Phy-Neutral

Page 96 and 97: PHY-N support in progress or planne

Page 98 and 99: So what else do we care about • O

Page 100 and 101: Heist of the century • When used

Page 102 and 103: Ninja-level problems • Attackers

Page 104 and 105: Different != better • Custom prot

Page 106 and 107: Things you probably send to pagers

Page 108 and 109: Recap • If you don't know to look

kismet

attacks

wireless

networks

packets

devices

plugins

wids

protocol

hardware

intrusion

detection

sharkfest

wireshark

sharkfest.wireshark.org

Wireless Intrusion Detection - Sharkfest - Wireshark

Wireless Intrusion Detection - Sharkfest - Wireshark ... View more Wireless Intrusion Detection - Sharkfest - Wireshark

Delete template?

Save as template ?

Wireless Intrusion Detection - Sharkfest - Wireshark Wireless Intrusion Detection - Sharkfest - Wireshark