Wireless Intrusion Detection - Sharkfest - Wireshark
Where WIDS falls down
• We can protect a single network pretty well
• WPA+EAP is very secure but hard to config
• Once users leave the secure network, all bets are off
• You can't out-engineer stupid. “Free public wifi!”
• Users want Internet, not security
66
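An added example, not from the Sharkfest slides or the Kismet project, illustrating the "WPA+EAP is very secure but hard to config" bullet from the defender's side: a small audit of wpa_supplicant.conf network blocks that flags WPA-EAP entries with no CA certificate and no server-name match (the shortcut users take when EAP refuses to connect, which leaves the client unable to tell the real RADIUS server from an impostor) and open networks of the "Free public wifi" kind. The sample configuration, its SSIDs and the file paths in it are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample wpa_supplicant.conf (not a real deployment).
SAMPLE_CONF = """
ctrl_interface=/run/wpa_supplicant

network={
    ssid="corp-eap"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="corp-eap-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="Free Public WiFi"
    key_mgmt=NONE
}
"""

# A network block is "network={ ... }"; blocks never nest, so non-greedy is enough.
BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)

# wpa_supplicant options that pin the EAP server identity (any one is acceptable).
SERVER_MATCH_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return one dict per network={...} block: option name -> value, quotes stripped."""
    nets = []
    for body in BLOCK_RE.findall(conf):
        net: Dict[str, str] = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments and whitespace
            if "=" not in line:
                continue
            key, value = line.split("=", 1)  # split once: phase2="auth=MSCHAPV2" keeps its '='
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def audit_network(net: Dict[str, str]) -> List[str]:
    """Findings for one network block; an empty list means nothing to flag."""
    findings = []
    key_mgmt = net.get("key_mgmt", "").split()
    if "NONE" in key_mgmt:
        findings.append("open network (key_mgmt=NONE): no link-layer encryption")
        return findings
    if "WPA-EAP" not in key_mgmt:
        return findings
    # Without a trust anchor the client accepts any certificate the server presents.
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no ca_cert/ca_path: RADIUS server certificate is not validated")
    # Even with a trusted CA, the client should check which server it is talking to.
    if not any(k in net for k in SERVER_MATCH_KEYS):
        findings.append("no server name match (domain_suffix_match/domain_match/altsubject_match)")
    return findings


def audit_conf(conf: str) -> Dict[str, List[str]]:
    """Map each SSID in the config to its list of findings."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        print(ssid, "->", findings or "ok")
```

Run against a real client config the audit only reads the file; the findings are the cue to fix the client's trust configuration rather than to loosen it.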
See no evil
• If you can't see what's going on you can't do anything
• 802.11n – harder to see: multi-stream, increased data stream to process
• 802.11ac – will be even harder
• Super-fast tech pushing towards central AP WIDS
67