Wireless Intrusion Detection - Sharkfest - Wireshark

More documents

Recommendations

Info

Why do we care • You need to know something is going on • Are there rogue APs on your internal network • Even if you can't do anything about a DoS attack, you need to know it's happening • Your LAN might be a WAN if you're not careful 4
Porous borders • Physical company networks used to be hard to penetrate • Not inside the building Not on the LAN • No-one brought their own device • No-one was connecting their work computer to random networks at airport/starbucks/conference 5
Page 1: Wireless Intrusion Detection Mike K
Page 6 and 7: Security goes both ways • As a us
Page 8 and 9: Options So what are your options 8
Page 10 and 11: Independent/Overlay WIDS • Passiv
Page 12 and 13: Monitoring wireless • Multiple me
Page 14 and 15: Who is coming after you • Lots of
Page 16 and 17: General jackasses • Learned how t
Page 18 and 19: Targetted external attacks • Some
Page 20 and 21: 20 What gets used
Page 22 and 23: RF Denial of Service • Wi-Fi oper
Page 24 and 25: 24 Wavebubble jammer
Page 26 and 27: 26 Detecting jamming
Page 28 and 29: Fake saturation • 802.11 uses CSM
Page 30 and 31: Detecting saturation attacks • Ca
Page 32 and 33: Detecting deauth/disassoc • Easy
Page 34 and 35: When is 100m = 11k • Handshake br
Page 36 and 37: Detecting Reaver attacks • Legiti
Page 38 and 39: Extremely vulnerable • Roaming ha
Page 40 and 41: Two main ways to impersonate • Me
Page 42 and 43: Spoofing the network name • 802.1
Page 44 and 45: Strengthening the system • WPA-PS
Page 46 and 47: Impersonation impact • Once you c
Page 48 and 49: Stream hijacking • Unencrypted ne
Page 50 and 51: Extremely pernicious ● ● ●
Page 52 and 53: Direct attacks against drivers •
Page 54 and 55:
Easy to detect... sort of • Drive
Page 56 and 57:
Detecting client spoofing • Diffe
Page 58 and 59:
Application attacks • Border IDS
Page 60 and 61:
60 Wi-Fi Pineapple
Page 62 and 63:
PwnPlug • Looks like power adapte
Page 64 and 65:
How bad is WEP, really • HORRIBLE
Page 66 and 67:
Where WIDS falls down • We can pr
Page 68 and 69:
Things we can't currently fix • O
Page 70 and 71:
Corralling clients • Can attempt
Page 72 and 73:
Things you CAN'T do • Run jammers
Page 74 and 75:
Kismet • Started as purely a netw
Page 76 and 77:
Kismet IDS • Both signature and t
Page 78 and 79:
Getting the latest version • Your
Page 80 and 81:
Host hardware ● ● ● ● Kisme
Page 82 and 83:
WIDS to Syslog • Two ways to get
Page 84 and 85:
Expanding Kismet - Distributed Capt
Page 86 and 87:
Kismet protocol • Similar to IMAP
Page 88 and 89:
Expanding Kismet - Plugins • Plug
Page 90 and 91:
Client plugins • Able to interfac
Page 92 and 93:
Going beyond Wi-Fi • What about o
Page 94 and 95:
94 Kismet Phy-Neutral
Page 96 and 97:
PHY-N support in progress or planne
Page 98 and 99:
So what else do we care about • O
Page 100 and 101:
Heist of the century • When used
Page 102 and 103:
Ninja-level problems • Attackers
Page 104 and 105:
Different != better • Custom prot
Page 106 and 107:
Things you probably send to pagers
Page 108 and 109:
Recap • If you don't know to look
show all

Wireless Intrusion Detection - Sharkfest - Wireshark

Create successful ePaper yourself

Delete template?

Save as template?