Hacking

18 posts by 6 authors in: Forums > CWSP - Enterprise Wi-Fi Security
Last Post: May 9, 2010:
  • I guess one of the hardest parts of wireless is security.

    Now I know how to set up everything, EAP-TLS, EAP-FAST et al. However, I know that my knowledge of certain aspects of the protocols could be deeper.

    The question is where to start. OK, I can read about all the key exchanges, I can run debugs etc.

    Is there anything that will enhance the understanding further, such as packet captures or hacking?

    Now I have not done a huge amount of sniffing and don't see a huge amount of guidance to explain what I am looking at; yeah, I can see LWAPP packets, DHCP offers etc.

    With regard to hacking, yeah, knowing how to break something gives you insight and also a knowledge of the attack vectors; however, where to start? Use Backtrack and have a go at WEP? Take out TKIP? Is it advantageous to have that capability, and is there a knowledge gain from that?

    For the record, I do not want to be a Hacker; the question is just whether it will enhance my skill set as a wireless engineer.

  • By (Deleted User)

    Well, in today's world I'd head over to YouTube. Start with the keywords Wireless, WPA, WEP, etc. and start learning step by step.

    After getting a feel for it...

    Then I'd go grab some step by step how to's found on google that apply to whatever gear I have lying around.

    After I got used to that...

    Then I'd go find a distro of something like backtrack or the like and start playing with it a little and maybe even go war-driving - just for a little "strange"...

    Won't take long and you'll be a full-fledged "hacker".

    Warning! :: Patriot Act

    No statute of limitations.

    So...

    Better to hack your own network until you get the ropes down pat.

  • Pete

    In an upcoming episode of Keith Parsons' Wlanprofessionals.com audiocasts I'll be talking about SSL in depth. SSL is the basis of TLS. EAP-TLS in turn combines certain aspects of TLS.

    I have found that if you really understand how SSL works, you have the basis for understanding the vast majority of wireless related protocols. SSL covers public and private keys, certificates and symmetric keys, as well as hashing.

    A number of useful references have also been provided including some step by step traces.

    The CWNP forum has a PDF version of the CWAP book which will give you a good introduction to protocol analysis in the wireless world.

    The new CWSP book is jam-packed with good info and diagrams.

    I'd also suggest starting to read through the 802.11n, r and w specs. Even if you can't get the ratified .11n spec, the draft will be just fine as a starting point.

    When I first started learning about 802.11 I was in a place where I didn't have access to books and had to learn by reading the specs alone. I wouldn't wish that on my worst enemy. Without a basic background book to refer to, it was agony.

    Dave

  • By (Deleted User)

    I'm setting up my WLC 4024, 4101, 4124, and 4136 this evening. 

    I have to look but I think I'll have the full capability of dishing out Wireless Mobility with them.

    This means:

    1. IPSec VPN Connectivity from the house.

    2. Someone remotely can be a client - at their house (with an AP that is configured on one of my controllers - Remember Layer 3)  and a Cisco IPSec Site to Site VPN.

    3. So... if that AP can reach my controller via IP and it can also reach my DHCP Server, then I can give out IPs to the Wireless clients on the remote VPN user's Wireless Client that is attached to the Remote AP on the remote network.

    - You can be a client hanging off of your AP, your AP is connected to a switch at your house, that switch is allowed (interesting traffic defined by ACL) to traverse the VPN as protected traffic to my network, reach my Controller and then get an IP Address for your client based on whatever interfaces I've setup and WLANs.

    4. Now the remote person (on a Wireless Device) can hack a safe network, designed to be hacked.

    Just a wild idea; there are a couple of issues with this scenario I have to verify and then work out. MTU can be a pain when we are encapsulating traffic more than once. So I'll have to check.

  • Regarding Pete and Darby's comments on "learning to hack", I pretty much did what they both suggested with WEP. I knew WEP was supposed to be simple to compromise, but had never actually tried it myself. I now have lots of time to mess with things while recovering from a surgery, so thought I'd give it a go. Used a spare AP I had, set it to WEP. Did some searching online, as Darby mentioned, and found a site with a very easy step by step tutorial using Backtrack. Took me about 30 minutes, which was mostly wait time for a sufficient capture size.

    It was nice to see for myself just how easy it was to do. Gives me a new appreciation for the need to use better solutions than WEP.
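
The 30-minute WEP crack described in the post above works because of flaws in WEP's own design, not because of anything clever in the tooling. The following Python is an added example, not code from the original post or from Backtrack/aircrack-ng, and it shows the most basic of those flaws: the 24-bit IV is sent in the clear and prepended to the shared key, so any two frames under a repeated IV share one RC4 keystream, and a single known plaintext (every IPv4 data frame starts with the same 8-byte LLC/SNAP header) yields keystream that decrypts other frames under that IV without ever learning the key. The key, IV and frame contents are constructed for the demonstration. The real tools go further than this, using statistical attacks on the RC4 key schedule rather than waiting for exact IV collisions; the "wait time for a sufficient capture size" the poster saw is those attacks collecting enough IVs.

```python
"""WEP keystream reuse under a repeated IV (added example, constructed data)."""
import struct
import zlib

# LLC/SNAP header that precedes an IPv4 payload in an 802.11 data frame;
# the attacker can assume this plaintext for almost every data frame.
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """What the AP/client does: append CRC-32 ICV, RC4 under IV||key, send IV in clear."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    data = plaintext + icv
    return iv + xor(data, rc4_keystream(iv + key, len(data)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: strip IV, decrypt with the key, verify the ICV."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv + key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    if struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def keystream_from_known_plaintext(frame: bytes, known: bytes):
    """Attacker: ciphertext XOR known plaintext gives keystream; no key needed."""
    iv, body = frame[:3], frame[3:]
    return iv, xor(body, known)


def decrypt_with_keystream(frame: bytes, iv: bytes, keystream: bytes) -> bytes:
    """Attacker: reuse recovered keystream on another frame with the same IV."""
    if frame[:3] != iv:
        raise ValueError("keystream is only valid for the IV it was recovered under")
    return xor(frame[3:], keystream)


def demo():
    """Two constructed frames that share an IV; returns what the attacker learns."""
    key = bytes.fromhex("0102030405")   # constructed 40-bit WEP key (never given to the attacker)
    iv = bytes.fromhex("a1b2c3")        # 24-bit IV that the sender ends up reusing
    p1 = LLC_SNAP_IPV4 + b"frame one, known to attacker"
    p2 = LLC_SNAP_IPV4 + b"frame two, the victim's data"
    f1 = wep_encrypt(key, iv, p1)
    f2 = wep_encrypt(key, iv, p2)

    # Step 1: assume only the LLC/SNAP header of f1 is known. That already
    # yields 8 bytes of keystream and exposes the header of f2.
    iv1, ks8 = keystream_from_known_plaintext(f1, LLC_SNAP_IPV4)
    header2 = decrypt_with_keystream(f2, iv1, ks8)

    # Step 2: if f1's whole plaintext is known (say the attacker sent that
    # packet to the victim from the wired side), the keystream covers all of f2.
    _, ks_full = keystream_from_known_plaintext(f1, p1)
    plaintext2 = decrypt_with_keystream(f2, iv1, ks_full)
    return header2, plaintext2


if __name__ == "__main__":
    header2, plaintext2 = demo()
    print("header of frame 2 :", header2.hex())
    print("frame 2 plaintext :", plaintext2)
```

Calling `demo()` recovers frame two's plaintext with nothing but the two ciphertexts and a guess at frame one's contents. With only about 16.7 million IV values, a busy AP repeats IVs within hours, which is why even the simplest WEP attacks only need patience and a large enough capture.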

  • By (Deleted User)

    Sorry for the surgery.  The positive side is you have time you might not otherwise be afforded.

    Kewl!

    Nothing like learning by doing.

    Also nice to know just how quickly someone who has never done it before can crack WEP. There are similar tools/techniques available for higher encryption techniques, all the way up to everything but AES as I recall. I could be wrong; it has been a while since I needed to break into someone's WLAN just to say I could.

    Still kinda fun to make everything fall into place all at the same time.

    Of course, once you get in... the next trick is what do you do when you are in?

    - Browse the web?

    - Secure your access?

    - Knock out the guards - kill em or just knock em out?

    - Handle surveillance?

    - Cripple, redirect, or disable any communications systems?

    - Do you need access to something?  How will you obtain it?

    - Do you just want to sniff...

    - Has anyone introduced you to crafting packets or perhaps using MetaSploit or another similar tool?

    - The list goes on and on...

  • By (Deleted User)

    FYI - I try not to hack into anyone's networks or email, commit any DoS, or unleash "found" Bot Nets against any site or entity, as a matter of fact. Unless of course my own personal identity or person is in clear and present danger. Then it's pull out all the stops and catch up on the latest and greatest urban assault hacking tools or techniques, figure out that they might not be enough, and go find the latest "nukes" or kidnap and borrow a bot net somewhere that no one's using and take it for a spin.

    Like I said earlier, it's perfectly acceptable to hack your own network to keep your skills in tip-top shape. However, when you take advantage of some poor sap's less than stellar sense of security... you step off a ledge, and that's when you should be careful that you understand systems at least as well as your adversary and probably a few times better.

    But I drift... my theme is: get your own network and learn to defend it. The strongest offense can be countered by a mere thorough defense and common sense. Remember, hacks are designed to defeat the masses and sometimes fall short of having the desired effects upon even the most humble admin who has a sense of thoroughness and due diligence.

  • Darby, for your implementation, if you need remote APs, have you looked at the 5500? As far as I know the controllers you list don't, and are seriously old! Could be misleading to people learning. The 5500 allows you to encrypt the data and control lines with DTLS, negating VPNs (I'm still learning, so apologies if that's not the best solution); it's called office connect.

    The Patriot Act doesn't apply as I am in the UK, and when I say hacking I do not intend to use it for nefarious purposes but to 1) enhance my understanding and 2) demonstrate weaknesses if necessary. I don't really have an interest in going further than breaking in to a WIRELESS network, even though it's possible. I think I would hand that off to a third party if a client needed more details, as it is my desire to be a complete wireless professional and I see that, certainly at the present time, as beyond the scope of my endeavour.

    Just so everyone is clear, I am a network professional specialising in Wireless, but I have a need and desire to enhance my skills and use the term hack to query whether it would enhance my skill set.

  • By (Deleted User)

    Do you mean the Cisco 5508 for example?  I'm not willing to throw a $25,000.00 appliance into my home lab.

    Not until it comes down in price a bit - that would make it old.

    I don't need new and shiny to work and to simulate most things.

    In fact, I have the WLC 4402/4404/WiSM Controllers at work.

    So... My next little project is to run the 3.2.215 AireOS and take a look at how it compares, line by line, with the 4.2.207 AireOS, the AssureWave version I'm running in production.

    I'm not a vendor or a trainer as it would appear many here are. I'm the end user. My Wireless budget this year at work was just about $400k not counting closet upgrades and switch upgrades, just for Controllers and APs; we asked for about $1.3 million but we are recovering from being hit hard by the economy last year.

    If you have access to the latest and greatest 5508, by all means, that is surely the way to go.

    My own home lab, solely at my own expense, currently exceeds $201,000.00 the last time I counted.

    Here's an idea of what I'm talking about:

    http://darbyslogs.blogspot.com/2010/03/super-labs-of-internet-shane-edelman.html

    Mine would be the last set of racks - I have 6 full racks in one room and my network operations center and my library are in the other room.  I use the garage for storing spares and equipment.  There are 2 more racks out there.

    I have two more 42U Chatsworth racks to set up.

    What I am saying is that while it would surely be nice to work with the latest gear, and all hats are off to those who have this available to them, this "seriously old" gear runs code from 2007, and while that is surely not 2010, I fully expect to see much greater than 85-90% of everything that is current today fully supported. For me, it makes it perfect in terms of rich functionality at a huge fraction of the price; I may have paid under $500.00 or so for all 4 of my own Wireless LAN Controllers.

    I just downloaded the latest OS for them last night - which was 2007 as I recall.  It's a trade-off.  However, it's one I can live with and there is no way I can afford well over $100,000.00 for 4 Wireless LAN Controllers in my own home.

    Now, I also have purchased a copy of WCS for my personal use - which consequently is the current version - I'd hope it works to some degree with my gear, if not I can down-grade it of course.

    I am concerned about the AP compatibility matrix; recall that each version of OS on the WLCs also supports a given version of IOS for the APs it is designed to work with. So APs newer than 2007, for example, will not be supported.

    Like I said it is a trade-off.

    To me it is similar to the trade-off of using Cisco IOS 11.3 versus a current version of 12.4.x: 80-90% of the core functionality will be there, no doubts; however, the latest features will not.

    If I were starting out on a seriously severe budget - I might take a similar track.

    As a matter of fact - I took exactly that track with Cisco IGS/MGS/CGS/AGS series routers when I started out and yep!  That meant using Cisco IOS 9.x, 10.x, 11.x versus 12.1.x/12.2.x that was usable and state of the art at the time - circa 2000.

    So I don't mean to mis-lead anyone about state of the art versus "useful".

    For me - I need/want the functionality so that I might become fairly "expert" at the CLI, GUI, functionality of most of the OS asap.  This gear affords me that opportunity and I'm using it just for that.

    I'd rather know for certain which features I gain or lose rather than throw the blanket "It's old and must be useless" out there.

    I like empirical evidence whenever possible. I know lots of stuff in Wireless is changing at literally the speed of light; right now I'm a baby with it and for me... jumping from 2000/2001 to 2004 to 2005 to 2007 is still a few steps in the right direction. I'm working with 2008 right now at work and arguably 2010 for version 6.0 AssureWave in the immediate future, so I'm on track.

    The CCIE Wireless Lab uses 4.2.xxx for code - so the WLC with 2007 code is only a year behind or so maybe 2 at the very worst.  That's really not that bad.

  • Darby

    That's great, I wasn't aware it was your own lab. I see the 4100s going for about £500 but that's still serious money. I am not a vendor, I work for a Cisco Partner, and even I can't get to play on the latest toys!

    Now I agree it would be nice to play on the latest kit, but you have a significant work budget just for wireless. It's worth being aware that although many of the things are still in the older versions of the code, there are significant differences when you get to the more esoteric stuff like AP Groups and H-REAP groups that are configured differently. But yeah, I agree I would take an older 4100 at home.

    I am looking to invest in a 4402-12 but need it to be cheap. Anyone selling?
