CMIS 426 Exam 3 (Ch. 10-12)


•*"Gigabit Wi-Fi" or "Wi-Fi 5"* •5 GHz band only •433 Mbps per spatial stream on an 80 MHz channel; 1 Gbps or more with wider channels and multiple spatial streams •*Distance* varies •Actual *throughput* varies and is always well below the advertised rate •Was the *dominant standard* before Wi-Fi 6 (802.11ax)

*802.11ac basics*

Use *two* mathematically related keys •Data encrypted with one key can only be decrypted with the other •Also called *public key cryptography* •*Public key*: may be known by anyone •*Private key*: secret, known only to its owner •*Provide message authenticity and nonrepudiation* -Authenticity: a signature made with the private key validates the sender of the message -Nonrepudiation: a user cannot deny sending a message that carries their signature Asymmetric Algorithms - Examples •*RSA* (encryption and digital signatures) •*Diffie-Hellman* (key agreement: two parties derive a shared symmetric key over an untrusted channel) RSA -Developed in 1977 by Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman -First algorithm usable for both encryption and digital signing -Widely used in TLS for server authentication -Based on the difficulty of factoring large numbers -Key pair is derived from two large secret primes; the public modulus is their product -Multiplying the primes is easy, recovering them from the product is not (a trapdoor one-way function)

*Asymmetric* Algorithms
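The key-pair relationship described above, as an added example that is not course material: textbook RSA on small numbers, showing that what the public key encrypts only the private key decrypts, that a private-key signature is checked with the public key, and why key size matters (the demo modulus factors in milliseconds, so the private key can be recovered). The primes 10007 and 10009 are demo values chosen for readability, not anything used in practice.

```python
"""Textbook RSA on small numbers: key pair, encrypt/decrypt, sign/verify, and why
key size matters.  Added example for these notes, not course-provided code.
The primes are demo values (assumption); real RSA uses >= 2048-bit moduli."""
import hashlib
from math import gcd


def is_prime(n: int) -> bool:
    """Trial division; fine for the tiny demo primes used here."""
    if n < 2:
        return False
    return all(n % k for k in range(2, int(n ** 0.5) + 1))


def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public, private) as ((n, e), (n, d)) from two distinct primes."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public, m: int) -> int:
    """Encrypt an integer message (must be < n) with the public key."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be in [0, n)")
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    """Only the holder of d can undo the public-key operation."""
    n, d = private
    return pow(c, d, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Toy signing hashes the message and reduces mod n; real RSA signs a
    # padded hash (PSS or PKCS#1 v1.5) instead.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message: bytes) -> int:
    """Sign the hash of a message with the private key (authenticity, nonrepudiation)."""
    n, d = private
    return pow(_digest_mod_n(message, n), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Anyone holding the public key can check the signature."""
    n, e = public
    return pow(signature, e, n) == _digest_mod_n(message, n)


def factor_modulus(n: int):
    """Trial-division factoring: works here only because n is about 10^8."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def recover_private_key(public):
    """What an attacker does if n is small enough to factor."""
    n, e = public
    p, q = factor_modulus(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = make_keypair(10007, 10009)
    c = encrypt(pub, 42)
    print("ciphertext", c, "decrypts to", decrypt(priv, c))
    sig = sign(priv, b"pay bob 100")
    print("valid signature:", verify(pub, b"pay bob 100", sig))
    print("tampered message verifies:", verify(pub, b"pay bob 900", sig))
    print("recovered private key matches:", recover_private_key(pub) == priv)
```

The last line of the demo is the whole point of "based on the difficulty of factoring large numbers": with a 2048-bit modulus `factor_modulus` would never finish, and real implementations also add padding (OAEP for encryption, PSS for signatures) that this toy omits.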

•Basic Service Set ID (*BSSID*) identifies the access point: it is *the MAC address* of the AP's radio, not the human-readable SSID

*Basic Service Set (BSS)*

•A rogue AP that broadcasts the same SSID as a legitimate network so victims associate with it instead •This is classic *MiTM*: the attacker relays traffic to the real network and can read or alter anything not protected end to end •*Highly illegal*

*Evil Twin Attack*

*Certificate* •Record that authenticates network entities •Contains X.509 information -*Identifies owner, certificate authority (CA), and owner's public key* •In certificate-based EAP methods such as PEAP, the client should check the authentication server's certificate before sending credentials *EAP* •An enhancement to PPP -Allows a company to select its authentication method

*Extensible Authentication Protocol (EAP)*

Steal a key

*Is it easier for a hacker to break a key or steal a key?*

*KNOW THE OWASP TOP 10*


Product for conducting wardriving (so a *wardriving tool*, not an attack in itself) •Written by Mike Kershaw •Runs on Linux, BSD, macOS, and Linux-based handhelds •Also a passive sniffer and a wireless intrusion detection system (IDS) •Sniffs 802.11 traffic (the textbook lists 802.11a/b/g; current versions are not limited to those) Features: •*Wireshark*- and *Tcpdump-compatible* (pcap) data logging •Compatible with AirSnort and *Aircrack-ng* •Network IP range and *hidden network SSID detection*

*Kismet*

•Attackers place themselves between the victim computer and another host •They pretend to be the host, intercept messages sent from the victim, and can read or alter them before relaying •Example: Evil Twin attack •Only affects data *"in transit"*; data at rest on either end is untouched

*MiTM Attack*

*Cracking passwords on systems you are not authorized to test is illegal in the United States* -Cracking your own password because you forgot it, or cracking under written authorization on an engagement, is legal If the password uses common dictionary words -Most password-cracking programs can use a dictionary file to speed up the process You must first obtain the password file (the stored hashes) from the system that holds user names and passwords -Stored in the /etc/shadow file on *nix systems -Windows password hashes are stored


VPN

*So what's the fix for end-to-end encryption?*

Freeware tool written for Windows -Enables WLAN detection •Supports 802.11a/b/g/n/ac standards Primarily designed to: -Verify WLAN configuration -Detect other wireless networks -Detect unauthorized APs Capable of interface with a GPS -Enables mapping of all detected WLAN locations

*Vistumbler*

•*Connecting to an open WLAN is encrypted now* (Wi-Fi Enhanced Open / OWE, released alongside WPA3: confidentiality, but no authentication of the AP) •The *new handshake* (SAE, "Dragonfly") replaces the WPA2-PSK password proof: a captured handshake can no longer be used for an offline dictionary attack on the passphrase, and sessions get forward secrecy. KRACK (2017) was a key-reinstallation flaw in WPA2's 4-way handshake and was fixed by software patches, not by WPA3 itself •Secure onboarding for devices that lack displays and keyboards (Wi-Fi Easy Connect, using QR codes) •*Stronger encryption*: an optional 192-bit security suite in WPA3-Enterprise

*WPA3*

Symmetric: it uses only one key, and that shared key has to be distributed to every party, so there are more copies to steal (an asymmetric private key never leaves its owner)

*Which type is probably easier to compromise?*

*Wireless does not equal WiFi*


Many wireless things that aren't Wi-Fi

*Wireless does not equal WiFi* *Why not?*

Core security protocols protect communication between a wireless *client* and a legitimate *access point*. They provide *encryption* for confidentiality and other cryptographic protections.

802.11 *Security Standards*

•*802 is the IEEE family of network standards* •*802.11 is "Wi-Fi"* •Radio waves •Two frequency bands we care about right now: *2.4 GHz* and *5 GHz* •Typically use *multiple access points* to cover large areas

802.11 Wireless LAN Technology

The 2.4 GHz Unlicensed Band •*Potential interference from microwave ovens, cordless phones, etc.* •For 20 MHz 802.11 channels, only three nonoverlapping channels are possible: *Channels 1, 6, and 11* The *5 GHz* Unlicensed Band •*Shorter* propagation distance because of higher frequencies. •*More channels*

802.11 in the *2.4 GHz* and *5 GHz* Unlicensed Bands

*WPA2/802.11i has two modes of operation.* *1. 802.1X mode* •For large organizations •*Uses a central authentication server* (RADIUS), so each user has their own credentials •Wi-Fi Alliance calls it *Enterprise Mode* 2. *Pre-Shared Key* mode for homes or small firms •The access point itself authenticates clients with one shared passphrase; no separate server •The Wi-Fi Alliance (not the Ethernet Alliance) calls it *Personal Mode*

802.1X vs. PSK Mode

A "Multi-function" router is for home use only.


Asynchronous JavaScript and XML (AJAX)

A Web development technique used for interactive Web sites, such as Facebook and Google Apps; this development technique makes it possible to create the kind of sophisticated interface usually found on desktop programs.

WebGoat

A Web-based application designed to teach security professionals about Web application vulnerabilities.

Open Web Application Security Project (OWASP)

A not-for-profit foundation dedicated to fighting and finding Web application vulnerabilities.

virtual directory

A pointer to a physical directory on a Web server.

ActiveX Data Objects (ADO)

A programming interface for connecting a Web application to a database.

access point (AP)

A radio transceiver that connects to a network via an Ethernet cable and bridges a wireless network with a wired network.

Active Server Pages (ASP)

A Microsoft server-side scripting technology (typically VBScript or JScript) for creating dynamic Web pages.

ColdFusion

A server-side scripting language for creating dynamic Web pages; supports a wide variety of databases and uses a proprietary markup language known as CFML.

Object Linking and Embedding Database (OLE DB)

A set of interfaces enabling Web applications to access diverse database management systems.

Open Database Connectivity (ODBC)

A standard database access method that allows a Web application to interact with a variety of database management systems.

SQL Injection

A type of exploit that takes advantage of poorly written applications. An attacker can issue SQL statements by using a Web browser to retrieve data, change server settings, or possibly gain control of the server.

ad-hoc network

A wireless network that doesn't rely on an AP for connectivity; instead, independent stations connect to each other in a decentralized fashion.

Ad Hoc Network and Infrastructure Network


802.1X Standard

An IEEE standard that defines the process of authenticating and authorizing users on a network before they're allowed to connect.

Infrared (IR)

An area in the electromagnetic spectrum with a frequency above microwaves; an infrared signal is restricted to a single room or line of sight because IR light can't penetrate walls, ceilings, or floors. This technology is used for most remote controls.

Extensible Authentication Protocol (EAP)

An enhancement to PPP designed to allow an organization to select an authentication method.

Common Gateway Interface (CGI)

An interface that lets a Web server hand request data to an external program or script and return that program's output to the Web browser.

Institute of Electrical and Electronics Engineers (IEEE)

An organization that creates standards for the IT industry

Dynamic Application Security Testing (DAST)

Analysis of a running application to discover vulnerabilities

Static Application Security Testing (SAST)

Analysis of an application's source code for vulnerabilities

•OWASP *WebGoat* project •Deliberately insecure web app for learning how to conduct vulnerability testing on Web applications •https://owasp.org/www-project-webgoat/ •Like Metasploitable, but for web apps •Used by security testers and trainers all over the world

Application Vulnerabilities and Countermeasures

Brute-Force Attack

Attacker tries all possible keys in a keyspace •Uses a password-cracking program -Attempts every possible combination of characters •Same principle as proof-of-work cryptocurrency mining: hash candidate after candidate until one matches -Can be launched against any kind of message digest given enough time; key length and a deliberately slow hash function decide whether "enough time" is practical

Dictionary Attack

Attacker uses a dictionary of known words to try to guess passwords

*Burp Suite* •Included in Kali Linux •Offers the tester a number of features for testing Web applications and Web services •Acts as an intercepting proxy: captures traffic between the Web browser and the server so you can inspect and manipulate requests before they are sent *Zed Attack Proxy (ZAP)* •Free and open source; can be used in place of Burp Suite •Most widely used, according to the lecture

Burp Suite and Zed Attack Proxy

•SQL injection •Cross-site scripting •Path traversal •Broken authentication •Security misconfiguration *All the result of poor development habits?* (The first four come from trusting user input; the last from deployment.)

Common vulnerabilities (examples)

•Most Web pages can display information stored on a database server •The technology used to connect Web applications to database servers depends on the OS, but the theory is the same •Open Database Connectivity (*ODBC*) -A standard database access method -The ODBC interface allows an application to access data stored in a database management system, or any system that can understand and issue ODBC commands -*A database API that is language-independent!* -*Note that it is the app server, not the client, that needs the ODBC connection.*

Connecting to *Databases*
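The SQL injection entry and the database-connection notes above, as an added, runnable example that is not course material: the same lookup written the way an injectable app server builds it (string concatenation) and the way it should be built (a parameterized query), run against an in-memory SQLite table. The table, user rows and "hash" strings are constructed for the demo; the payloads are the ones an intercepting proxy such as ZAP or Burp would let you send in place of a normal username.

```python
"""Vulnerable vs. parameterized database query.  Added example for these notes,
not course code.  The users table and its rows are constructed for the demo."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the app server's ODBC/DB connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"),   # constructed placeholder hashes
         ("bob", "hash-of-bob-pw", "user")],
    )
    return conn


def lookup_vulnerable(conn, username: str):
    """Builds SQL by string concatenation: the user's input becomes part of the
    statement, so a quote in the input ends the literal and the rest is SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str):
    """Parameterized query: the driver sends the value separately from the
    statement text, so input can never change the query's structure."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Classic authentication bypass: the WHERE clause becomes always-true.
    bypass = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, bypass))
    print("safe:      ", lookup_safe(db, bypass))
    # Data exfiltration: UNION pulls another column into the result set;
    # the trailing -- comments out the closing quote the code appends.
    leak = "' UNION SELECT password_hash, role FROM users --"
    print("vulnerable:", lookup_vulnerable(db, leak))
    print("safe:      ", lookup_safe(db, leak))
```

The fix is not escaping quotes by hand but never concatenating user input into SQL at all; the parameterized form works the same way through ODBC, ADO and every other connector listed on this page.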

Textbook countermeasures, with the instructor's verdicts: •Assign static IP addresses to wireless clients instead of using DHCP •Disable WPS: removes the known WPS attack vectors •Change the default SSID and disable SSID broadcasts; if you can't disable broadcasts, at least rename the default SSID: *NO* •Consider anti-wardriving software to make your WLAN harder to discover: honeypots such as Canary, Black Alchemy Fake AP •Use measures to keep radio waves from leaving or entering the building, e.g. special paint on the walls •Use a router that filters unauthorized MAC and IP addresses: *No, just require a VPN!*

Countermeasures for Wireless Attacks

Shift Left!

DevSecOps

Flipper toy


•Takes a variable-length message and produces a fixed-length hash value •*If the message changes, even by one bit, the hash value changes* •*Ensures message integrity* (as long as the hash itself is delivered in a way the attacker can't alter) •Collision: two different messages produce the same hash value •A good hashing algorithm is collision resistant: finding a collision is computationally infeasible (MD5 and SHA-1 no longer qualify)

Hashing Algorithms
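The hashing notes above together with the brute-force and dictionary attack entries (data "at rest"), as an added, runnable example that is not course material: a one-bit message change flips roughly half the bits of a SHA-256 digest, a dictionary attack recovers a weak password from a bare SHA-256 hash, and the same attack against a salted, iterated PBKDF2 hash still works for weak passwords but has to be redone per salt at a much higher cost per guess. The word list, sample passwords and salts are constructed for the demo.

```python
"""Hash integrity check, then dictionary attack on stored password hashes at rest.
Added example for the hashing and brute-force/dictionary notes; not course code.
WORDLIST, the sample passwords and the salts are constructed for the demo."""
import hashlib
import hmac

WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2", "Summer2024"]
ITERATIONS = 20_000  # kept low for a quick demo; production PBKDF2 uses far more


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Bits that differ between two equal-length digests (avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def crack_unsalted(target_hex: str, wordlist):
    """Dictionary attack on a bare SHA-256: one cheap hash per guess, and a
    precomputed table of word->hash would work against every user at once."""
    for word in wordlist:
        if hmac.compare_digest(sha256_hex(word.encode()), target_hex):
            return word
    return None


def pbkdf2_hex(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash of the kind a password store should use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack_pbkdf2(target_hex: str, salt: bytes, wordlist, iterations: int = ITERATIONS):
    """Same attack against PBKDF2: still finds weak passwords, but each guess
    costs `iterations` hash calls and the work cannot be shared across salts."""
    for word in wordlist:
        if hmac.compare_digest(pbkdf2_hex(word, salt, iterations), target_hex):
            return word
    return None


if __name__ == "__main__":
    h1 = sha256_hex(b"Transfer $100 to Bob")
    h2 = sha256_hex(b"Transfer $900 to Bob")
    print("bits changed by a one-character edit:", differing_bits(h1, h2), "of 256")
    print("unsalted crack:", crack_unsalted(sha256_hex(b"hunter2"), WORDLIST))
    salt_a, salt_b = bytes(range(16)), bytes(range(16, 32))   # constructed salts
    stored = pbkdf2_hex("hunter2", salt_a)
    print("same password, two salts differ:", stored != pbkdf2_hex("hunter2", salt_b))
    print("PBKDF2 crack with the right salt:", crack_pbkdf2(stored, salt_a, WORDLIST))
    print("PBKDF2 crack with the wrong salt:", crack_pbkdf2(stored, salt_b, WORDLIST))
```

The takeaway for the "stored hashes" part of password cracking: salting defeats precomputed tables, iteration count (or a memory-hard function such as scrypt or Argon2) raises the cost of every guess, and neither helps a password that is in the attacker's word list.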

Shoulder surfing

How might you intercept a password "in use"?

*at rest*

In both brute force and dictionary, data is _______

Security testers should look for answers to some important questions: •Does the application have a *database*? •Does the application require *authentication*? •Does the application have static or *dynamic* pages? •What *languages* and *platform* does the application use? •You are *building a picture/diagram*. Are there devices in-between your Web browser and the application designed to stop attacks from occurring? How does data flow in the application?

Information Gathering and Architecture Mapping

BSSID

MAC address of the access point (must be different)

•ASP.NET •PHP •ColdFusion •VBScript •*JavaScript* •*Java* •*Python*

Modern web app dev platforms

chipping code

Multiple sub-bits representing the original message that can be used for recovery of a corrupted packet traveling across a frequency band.

*Reminder: Client/Server*

N-tier

A wireless access point (WAP, a dedicated network device in the enterprise) and a wireless NIC in each client

Need two things for WLAN

•Not-for-profit organization •Finds and fights Web application vulnerabilities •Publishes Ten Most Critical Web Application Security Risks -Built into *Payment Card Industry (PCI) Data Security Standard (DSS)*

OWASP

•Next step for you

OWASP testing guide - ADVANCED

•Netspot •InSSIDer •WiFi Inspector •*Again, all free.* •*Wireshark, packet capture and stumbling won't work well inside a VM: the hypervisor hands the guest a virtual wired NIC rather than the physical radio, so the guest can't put the card into monitor mode. Pass a USB Wi-Fi adapter through to the VM instead.* •*Don't rely on the built-in Wi-Fi card and antenna.*

Other tools

All access points must have the same SSID

Roaming

SAST -White box testing -Requires Source Code -Earlier detection -Doesn't find environment issues -Supports all software DAST -Black box testing -Requires Web App in staging or production -Later detection -Finds environment issues -Predominantly Web App testing

SAST v. DAST

*What does SIUE use specifically?* •*What WiFi protocol?* •*What type of encryption?* •*What type of authentication?*

SIUE

•Apache vs. IIS -Server OSs (Linux vs. Windows) •SQL database server •Explain *PaaS*

Server Platforms

•Hard drives - *BitLocker - symmetric* (AES) •Email - *S/MIME - asymmetric* (certificates for signing and key exchange, symmetric for the message body) •Web - *TLS - asymmetric* for authentication and key exchange, then symmetric for the session •Various - *OpenPGP - asymmetric*, same hybrid pattern •WiFi - *WPA2 - symmetric* (AES-CCMP) for traffic; Enterprise mode may use asymmetric crypto (server certificate inside EAP) during authentication •VPN - *IPsec - establishes a secure connection with asymmetric crypto (IKE) and then switches to symmetric to speed up data transfer.* •New in Win11 - file-level encryption with *Personal Data Encryption (PDE)* - uses AES-CBC with a 256-bit key to encrypt content. •*Is AES symmetric or asymmetric?*

Some popular Crypto standards

*One key* encrypts and decrypts data •Advantages -*Faster* than asymmetric -Difficult to break if a large key size is used -Only one key needed to encrypt and decrypt data •Disadvantages -Challenging key management: every pair of parties needs its own shared key -Difficult to deliver keys without risk of theft -*Does not by itself support authenticity and nonrepudiation*: anyone holding the shared key could have produced the message Symmetric Algorithms - Examples •*3DES* •*AES-128* •AES-256 is believed to be "quantum resistant" (Grover's algorithm only halves the effective key length) •Example: your Wi-Fi at home (WPA2-PSK) Triple DES -Triple Data Encryption Standard (3DES) -Served as a quick fix for DES's 56-bit key -Performs the DES computation three times (encrypt, decrypt, encrypt) with two or three keys -Much stronger than DES -Takes longer to encrypt and decrypt data than DES; now deprecated in favor of AES

Symmetric Algorithms

Symmetric = 1 key Asymmetric = 2 key

Symmetric v. Asymmetric

*The frequency spectrum is all possible frequencies from 0 Hz to infinity*

The Frequency Spectrum, Service Bands, and Channels

Basic Service Area (BSA)

The coverage area an access point provides in a wireless network.

infrastructure mode

The mode a wireless network operates in, whereby centralized connectivity is established with one or more APs. It's the most common type of WLAN and differs from an ad-hoc network, which doesn't require an AP.

Equipment: •Laptop computer •WNIC •Antenna •Sniffers Tools for cracking encryption keys: •Aircrack-ng •WiFi Pineapple •Many others

Tools

802.1X Mode •The 802.1X standard protects communication with an *Extensible Authentication Protocol* method •*Several EAP versions* exist with different security protections •A firm implementing 802.1X must choose one •*Protected EAP (PEAP) is popular because Microsoft favors it*; it tunnels an inner authentication (usually MS-CHAPv2) inside TLS •*LEAP and EAP-FAST* come from *Cisco*; LEAP is obsolete because its challenge/response can be cracked offline •With any method that uses a server certificate, the client must validate it, or an evil twin running its own authentication server can harvest credentials

Types of EAP

Many platforms and programming languages can be used to design a Web site •*Application security -- As important as network security* *Attackers controlling a Web server can:* •*Deface the Web site* •*Destroy the application's database or sell contents* •*Gain control of user accounts* •*Perform secondary attacks* •*Gain root access to other application servers*

Understanding Web Application Vulnerabilities

•*More than just a passive web page*: a Web page plus some scripting language behind it •Web pages are typically public-facing / external to the network •Writing a program without bugs is nearly impossible, and some bugs create security vulnerabilities •Web applications have a *larger user base than standalone applications*, so their bugs are a bigger problem: MORE *EXPOSURE*

Understanding Web Applications

Standard •Set of rules formulated by an organization Institute of Electrical and Electronics Engineers *(IEEE)* •Defines several standards for wireless networks -*IEEE* Project *802*: LAN and WAN standards •WG names are assigned numbers -Such as *11* for the Wireless LAN group •Letters denote approved projects -Such as 802.11*a* or 802.11*b*

Understanding Wireless Network Standards

Web application vulnerability scanner •Uses a black box approach -Doesn't inspect code •Inspects by searching from outside -Ways to take advantage of XSS, SQL, PHP, JSP, and file-handling vulnerabilities •Uses *"fuzzing"* •*Trying to inject data into whatever will accept it*

Wapiti

Hackers use *wardriving* •Driving around with inexpensive hardware and software that enables them to detect unsecured APs •Wardriving is not illegal •But *accessing* the network resources is still illegal •Warflying •Drones wired with an antenna and the same software used in wardriving •*Lookup video??* •Contrast with *wireless site survey*

Wardriving

•Drones wired with an antenna and the same software used in wardriving •https://www.youtube.com/watch?v=yNj3iGReQPU (just do 30sec - 3min mark in class) - *Note use of Raspberry Pi, Kali, and Kismet*

Warflying

*Static* Application Security Testing (SAST) •Analyzing an application's *source code* for vulnerabilities •A reliable way to enumerate most application vulnerabilities •Some tools test only the source code, some the compiled code, and some both *source and compiled code* *Dynamic* Application Security Testing (DAST) •Analysis of a *running web application* for vulnerabilities •Can be used alongside SAST to prioritize SAST findings •Commonly referred to as *Black Box* testing or vulnerability scanning tools •Tests an application from an *outsider's* perspective, with little or no knowledge of the source code •Exercises the application at *runtime* to uncover security issues such as memory corruption, cross-site request forgery, remote file inclusion, buffer overflows and denial of service •Often uses *fuzzing*: throwing large volumes of known-invalid and unexpected test cases at the application •*ZAP* is an example!

Web Application Testing Two techniques by which an application can be tested

Dynamic Web Page

Web pages that can change on the fly depending on variables, such as the date or time of day.

VPN?

What's the defense against Evil Twin attack?
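The two WPA2 modes, the EAP certificate check and the evil twin defense discussed above, as an added configuration example that is not course material: a wpa_supplicant network block for WPA2-Personal beside one for WPA2-Enterprise with PEAP. The SSIDs, identity, password, CA file path and RADIUS server name are placeholders to replace with your own.

```ini
# Added example configuration (not from the course); SSIDs, credentials, the
# CA file path and the RADIUS server name are placeholders to replace.

# WPA2-Personal (PSK): the access point itself checks one shared passphrase.
network={
    ssid="HomeNet"
    key_mgmt=WPA-PSK
    psk="replace-with-a-long-passphrase"
}

# WPA2-Enterprise (802.1X) with PEAP / MS-CHAPv2: per-user credentials are
# checked by a central RADIUS server.  The ca_cert and domain_suffix_match
# lines are what stop an evil twin: without them the supplicant will build
# the PEAP TLS tunnel to any server that answers and send the MS-CHAPv2
# response into it, which the attacker can then crack offline.
network={
    ssid="CorpNet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="replace-me"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

A VPN on top protects the traffic even when the client does connect to the wrong AP; pinning the server certificate stops the credentials from ever being sent to it in the first place. Managed Windows and macOS clients get the same effect from the "validate server certificate" and trusted-server-name settings in their Wi-Fi profiles.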

•*WEP* •*WPA* •*WPA2 (802.11i) (two flavors)* •*WPA3*

WiFi Security

•"most widely used"? •Installing ZAP •Running ZAP •Also Burp Suite •WPScan for Wordpress •Wfuzz

ZAP for HW7 ZAP = Zed Attack Proxy OWASP Zed Attack Proxy

802.11

a set of IEEE standards that define protocols for implementing WLANs

PHP Hypertext Preprocessor (PHP)

an open-source server side scripting language

An automated software testing technique that involves providing invalid, unexpected, or *random data as inputs* to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Typically, fuzzers are used to test programs that take structured inputs. In short: *trying to inject data into whatever will accept it*.

fuzzing

SSID

name of the wireless network (must be same)

channels

specific frequency ranges w/in a frequency band in which data is transmitted

Basic Service Set (BSS)

the collection of connected devices in a wireless network

Amplitude

the height of a wave; for a sound wave it determines volume, for a radio wave it corresponds to signal strength

frequency

the number of wave repetitions in a specified time; also referred to as cycles per second (hertz)

Static Web Page

web pages that display the same information whenever they're accessed

•*Obviously your WNIC won't see frequencies that it can't support!* •*You need to invest in a better NIC and a better antenna.*


•*Security is based on the secrecy of the key, not the secrecy of the algorithm* (Kerckhoffs's principle) •The biggest security risk is that the private key of a pair becomes known! •Passive attacks -Using tools to eavesdrop or perform port scanning •Active attacks -Attempt to determine the secret key used to encrypt plaintext •Culprit and general public usually know the algorithm -Companies developing encryption algorithms realize vulnerabilities may be discovered -Software engineers publish open-source code so the algorithm can be reviewed

•*Security is based on the secrecy of the key not the secrecy of the algorithm.* •The biggest security risk is that the private key of a pair becomes known!

Static web pages

•Created using HTML •Display *the same information regardless of time or user*

•Example: Airport, spoofing eduroam


Dynamic web pages

•Information varies •Need special components -<form> element, AJAX, Common Gateway Interface (CGI), Active Server Pages (ASP), PHP, ColdFusion, JavaScript, and database connectors

•Not broadcasting your SSID *does not* hide anything! •Changing your SSID *does not* confuse hackers •Don't get me started on paint, MAC address filtering, having to authenticate first, or static IPs!!!!!!!!!


