Wireless Intrusion Detection - Sharkfest - Wireshark
Wireless Intrusion Detection - Sharkfest - Wireshark Wireless Intrusion Detection - Sharkfest - Wireshark
Monitoring wireless • Multiple methods of monitoring, not all equal • “Scanning mode” - same mechanism a client uses to connect, asks “What access points are available” • “Monitor mode” - Requires support in the driver, such as Linux, or AirPCAP • “Promsic mode” - Doesn't mean much in WiFi 12
WIDS can be hard • Many vulnerabilities in Wi-Fi are not fingerprintable in traditional way • Protocol violations can often be completely legit packets, just used in a weird way • Have to be able to monitor trends over time not just single packet events 13
- Page 1: Wireless Intrusion Detection Mike K
- Page 4 and 5: Why do we care • You need to know
- Page 6 and 7: Security goes both ways • As a us
- Page 8 and 9: Options So what are your options 8
- Page 10 and 11: Independent/Overlay WIDS • Passiv
- Page 14 and 15: Who is coming after you • Lots of
- Page 16 and 17: General jackasses • Learned how t
- Page 18 and 19: Targetted external attacks • Some
- Page 20 and 21: 20 What gets used
- Page 22 and 23: RF Denial of Service • Wi-Fi oper
- Page 24 and 25: 24 Wavebubble jammer
- Page 26 and 27: 26 Detecting jamming
- Page 28 and 29: Fake saturation • 802.11 uses CSM
- Page 30 and 31: Detecting saturation attacks • Ca
- Page 32 and 33: Detecting deauth/disassoc • Easy
- Page 34 and 35: When is 100m = 11k • Handshake br
- Page 36 and 37: Detecting Reaver attacks • Legiti
- Page 38 and 39: Extremely vulnerable • Roaming ha
- Page 40 and 41: Two main ways to impersonate • Me
- Page 42 and 43: Spoofing the network name • 802.1
- Page 44 and 45: Strengthening the system • WPA-PS
- Page 46 and 47: Impersonation impact • Once you c
- Page 48 and 49: Stream hijacking • Unencrypted ne
- Page 50 and 51: Extremely pernicious ● ● ●
- Page 52 and 53: Direct attacks against drivers •
- Page 54 and 55: Easy to detect... sort of • Drive
- Page 56 and 57: Detecting client spoofing • Diffe
- Page 58 and 59: Application attacks • Border IDS
- Page 60 and 61: 60 Wi-Fi Pineapple
Monitoring wireless<br />
• Multiple methods of monitoring, not all equal<br />
• “Scanning mode” - same mechanism a client uses<br />
to connect, asks “What access points are available”<br />
• “Monitor mode” - Requires support in the driver,<br />
such as Linux, or AirPCAP<br />
• “Promsic mode” - Doesn't mean much in WiFi<br />
12