Kismet - The Easy Tutorial - Wireless & Security

Kismet Wireless & Security
Last Change : Dec 07 2010 english flag

Tool
Install
Ergonomy
Forum

Details What is Kismet ?
Screenshots
Prerequisites
Installation
Configurations
Platform
802.11 Protocol
Logs
Wireless & Security

English spelling not yet checked!

⚠️⚠️⚠️
Please check our website about
attractions in Western Switzerland !! (Please use english translation).

⚠️⚠️⚠️
Merci de consulter notre site sur les
activités à faire en Suisse romande !!

Waves transporting wireless data propagate freely in the air and can be intercepted by anyone around your house.
For this reason, this is very important to secure your Wireless environment to keep it private.

In a wired network, the physical access to the network can be controlled by securing the cable connections of a switch or hub.
In a Wireless environment, an access point diffuses data through airwaves all around it. For this reason and, as it is not possible to limit the diffusion of airwaves, anyone having a sufficient signal level could either:
listen to the traffic between clients and the AP and read the data or
connect, in case of insufficient security, to the AP and access the network.

The access authorizaton process is called authentication and the data encryption confidentiality.

Let's see how to secure your home wireless environmment:

                               1. Change the default SSID
                               2. Disable SSID broadcasting/ activate SSID cloaking
                               3. Set a wireless security policy
                               4. Miscellaneous

1. Change the default SSID

The SSID (Service Set IDentifier) refers to a wireless network name and is contained in a field of certain wireless management frames.
A Wireless client needs to know the SSID of the network it wants to connect to. The SSID can be given by the access point when it is set to "SSID broadcasting" (see next section). If this is not the case, the client must know the SSID before transmitting.

It is important to understand that the SSID does not offer any security protection as it is transmitted in clear text and can be detected by passive wireless sniffers such as Kismet.

Here are two examples of the SSID setting on well-known wireless devices:
- Linksys (bought by Cisco in 2005): A leader in home and small business environments.
- Cisco Systems: A leader in medium to big business environments.

Linksys WAG54G - SSID setting

Wireless -> Basic Wireless Settings -> Wireless Network Name (SSID)

linksys wireless set ssid

Cisco Aironet 1240 - SSID setting

SECURITY -> SSID Manager -> < NEW > -> SSID

You can see that with the Cisco AP, you can set mulitple SSIDs and activated 802.11a and b/g technologies. With the Linksys home AP, you are limited to 802.11b/g and a unique SSID, but this is sufficient for a home environment.

Top of the page

2. Disable SSID broadcasting / activate SSID cloaking

To access a wireless network, a client must know the network name or SSID before being able to authenticate with an access point.
When a client doesn't know the SSID, it can obtain it in two ways:
Passively: the client listens to beacon frames.
Actively: the client sends "probe requests" around it. APs' answer will "probe responses".

The beacon and probe response frames sent by access points are extremely similar. They contain information about the APs' capabilities such as the network name (SSID), supported rates, AP name, AP manufacturer, etc ...

When SSID broadcasting is disabled (or when the SSID cloaking in on), APs will send "probe response" and beacon frames containing a blank SSID field. As a result, the client will not get the SSID.

You can see below two examples showing on the left, a part of a beacon or probe response frame where the SSID is blanked and, on the right, a part of a beacon or probe response frame where the SSID (OPENMANIAK) is provided to the client.

      SSID BROADCASTING DISABLED                    SSID BROADCASTING ENABLED

Tagged parameters (176 bytes)
   SSID parameter set: "\000"
      Tag Number: 0 (SSID parameter set)
      Tag length: 1
      Tag interpretation: Tagged parameters (180 bytes)
   SSID parameter set: "OPENMANIAK"
      Tag Number: 0 (SSID parameter set)
      Tag length: 11
      Tag interpretation: OPENMANIAK
Check also full frame examples:
Beacon frame - SSID broadcasting disabled
Probe response frame - SSID broadcasting enabled

So, how is possible for an attacker to know the SSID?
It is important never to forget that wireless data is transported anywhere around an access point. Therefore the attacker will passively listen with Kismet the wireless management frames (such as authentication request/response) exchanged between a client knowing the SSID and an AP and thus will be able to see the SSID. As seen above, the SSID is traveling in clear text.

When a client is authenticated with the AP and transferring data, this is not possible to see the SSID because SSID is only present in wireless management frames. You can use tools like Aircrack-ng to force the client de-authentication which will then try to automatically reconnect and at that time will use frames containing the SSID. Kismet, which passively listens to the wireless waves, will at that time be aware of the SSID.

Of course, if no client is connected to an AP, this is not possible to see its SSID. So, disabling the SSID broadcasting can offer a little protection against "war driving" when somebody is travelling inside a car with a wireless sniffer linked to a GPS system to map wireless systems. Remember that, in this case, the SSID will be the only setting unknown by the attacker. All the other settings such as encryption type, wireless power , supported rates, etc ... will be known because of the beacon or probe response frames sent by the access point.

By default, most wireless devices are set to broadcast the SSID. So it's always better to disable this functionality in your home or professional environment to improve the security a little even this does not bring it to a sufficient level.
See the next section to fully secure your wireless network.

Note that in a public hotspot environment such as an airport, APs are set to broadcast their SSID to indicate to the clients on which network to connect.

SSID broadcast disabling examples:

Linksys WAG54G - SSID broadcast disabling

Wireless -> Basic Wireless Settings -> Wireless SSID Broadcast -> Disable

linksys disable ssid broadcast mode

Cisco Aironet 1240 - SSID SSID broadcast disabling

SECURITY -> SSID Manager -> Set Single Guest Mode SSID -> NONE

On the Cisco access point, associate a SSID to the "Guest mode" means that you enable the broadcasting for this SSID.

Top of the page

3. Set a Wireless security policy

3. Set the security mode.

It is very common to see wireless access points with no or weak security settings. You must absolutely set a sufficient security mode, which is the most important thing to do on your access-point.

What is the danger if no security setting is applied?
Anyone capturing the signal such as a neighbour or a person in the street will be able to connect to your Wireless network. Thus, he/she will surf on the Internet through your Internet Link and consume your bandwidth or perform illegal activities hidden behind your network. Another threat can be directed against your home machine(s) such as your laptop or Desktop because the attacker, once connected to your wireless network, will be in the same broadcast domain and thus able to build dangerous attacks such as ARP attacks.

Let's see two different security protocols used for the Wireless. WEP and WPA/WPA2. Before entering in the details, never forget that WEP must not be used for Wi-Fi Security as it is a child's play to crack it.

WEP (Wired Equivalent Privacy)

WEP uses the RC4 cipher algorithm for confidentiality and the CRC-32 checksum for integrity. It provides no authentication mechanism.
It uses a 40 or 104 bits key which is associated with a 24 bit Initialization Vector (IV) to provide randomness. The WEP shared key and IV concatenation is referred to as key schedule or "seed" and is 64 (40 + 24) or 128 (104 + 24) bits in length.
WEP is vulnerable because of relatively short IVs and keys that remain static. If a hacker collects enough frames based on the same IV, called "weak IV", he/she can determine the shared secret key.

The Airodump-ng/Aireplay-ng/Aircrack-ng wireless cracking suite can be used to easily crack a WEP key in some minutes even if no data is exchanged between an access point and a client.

Airodump-ng or Kismet
Aireplay-ng
Aircrack-ng/ptw Captures wireless data such as Kismet
Forces the AP to generate traffic
Cracks the WEP keys from captured data
Aircrack-ng is optional. It is used when no data is exchanged between a client and the AP. Aireplay-ng forces the AP to generate traffic which will captured before used by Aircrack-ng to crack the key. Only a few wireless cards support Aireplay-ng.
Aircrack-ptw was released in April 2007 and, included in Aircrack-ng, dramatically reduces the number of data to be captured before being able to crack the key.

WPA/WPA2 (Wi-Fi Protected Access)

WPA improved by TKIP was created before the 802.11i security standard (WPA2) to provide an immediate solution following dramatic security issues with WEP (see above).

The new security standard, WPA 802.11i or WPA2 was then ratified in June 2004 and fixes all WEP weaknesses.

It is divided into three main categories:

1. TKIP: Temporary Key Integrity Protocol

TKIP is a short-term solution that fixes all WEP weaknesses. It provides a re-keying mechanism and per packet key mixing. Contrary to what is generally indicated by network administrators or even manufacturers, it does not provide confidentiality but integrity as it is not a cipher algorithm. The RC4 cipher algorithm is used with TKIP.
TKIP provides the advantage of not being forced to update the Wireless hardware compared to the one used for WEP.
TKIP is used with WPA.

2. AES-CCMP: Advanced Encryption Standard - Counter Mode CBC-MAC Protocol

CCMP uses AES as its cryptographic algorithm. (AES is the successor of DES) CCMP provides integrity and confidentiality.
AES-CCMP requires more computing power than TKIP and migrating from WEP to WPA2 new hardware. Since around 2005/2006, all the good Wireless AP or clients supports WPA2.
AES-CCMP is used with WPA or WPA2 and is the only choice for WPA2.

3. 802.1X

802.1X is a port-based network access control mechanism. Either TKIP or AES-CCMP can be used for 802.1X authentication.

As a reminder, TKIP or AES can be used by WPA but WPA2 uses only AES.

Below you can find definitions about key words used to define a secure link:

- Confidentiality or privacy - The data cannot be seen in a readable format.
  Typical symmetric cipher algorithm: DES, 3DES, AES, Blowfish
- Integrity - The data cannot be altered.
  Typical hash-functions algorithms: sha1, md5
- Authentication- The VPN gateways are sure about the identity of the other.
  Typical algorithm: RSA, DH

WPA and WPA2 provide two types of authentication:

- Enterprise (may be unavailable on some home wireless device models)

IEEE 802.1x authentication is based on EAP protocols such as EAP-TLS/TTLS or PEAP.
Extensible Authentication Protocol (EAP) [RFC 3748] is just the transport protocol optimized for authentication, not the authentication method itself.
Most of the time, the 802.1x authentication is not made by the AP but by another device called RADIUS. The AP acts as a relay for the authentication messages between the client and the RADIUS.
The enterprise authentication method is used in professional environments only because it requires complex configurations and expensive hardware.

- Personal

The access point and the client share a similar key called passphrase or shared key.
Be careful not to use passwords that are too simple (vulnerable against dictionary attack) or too short (vulnerable against brute-force attack).
The personal authentication method is used in home environments because it is inexpensive and easily set.

When selecting the security policy, and as a general security rule, choose always the highest security protocol available supported by both the client and AP.
If you use WPA2 and a password sufficiently complicated, you can sleep easily because your wireless network cannot be hacked.
Remember that any encryption method with a weak passphrase is easily broken.

Here is a listing of the different security solutions selected from the most secure.

1. WPA2
2. WPA - AES
3. WPA - TKIP (can be used with old hardware)

Linksys WAG54G - Security mode

- Security mode:

Wireless -> Wireless Security -> Security Mode

linksys wireless security mode

"WPA2-mixed" means that the wireless client can use either "WPA-Personal" or "WPA2-Personal". If your clients all support WPA2, force the security mode to "WPA2-Personal".
This is a general security rule to force the most secure protocol supported by both the client and the access point. If your wireless cards are from 2005 or after, they should support WPA2 without any problem.
Also check details about "WPA-Personal".

- WPA mode:

Wireless -> Wireless Security -> Security Mode -> WPA-Personal

linksys wireless security mode wpa

- WPA2 mode:

Wireless -> Wireless Security -> Security Mode -> WPA2-Personnal

Cisco Aironet 1240 - Security mode

SECURITY -> Encryption Manager -> VLAN -> Cipher

Let's have a look at the different cipher choice proposed by the Cisco Aironet access point:
The "+" signs means literally "or".

"CKIP", "CMIC" and "CKIP-CMIC" can be quickly forgotten because they are Cisco proprietary and not supported by non-Cisco clients.

The only secure choices are: "AES-CCMP", "AES-CCMP + TKIP", "TKIP". Of course, "AES-CCMP" is the most secure mode.

The other choices include the WEP protocol as a possible security solution and must NOT be chosen because WEP can be easily cracked. This is: "WEP 128 bits", "WEP 40 bits", "TKIP + WEP 128 bits", "TKIP + WEP 40 bits", "AES CCMP + TKIP + WEP 128 bits", "AEC CCMP + TKIP + WEP 40 bits".

Check the Cisco website to get more details about the proposed ciphers.

Red card to the wireless manufacturers who do not indicate enough, or most of the time not at all, that WEP is not a secure protocol and can be easily cracked. They should provide a warning message when WEP is chosen.
The problem is WEP is often the first choice in the cipher scrolling list and, statistically, when people have no idea about the different possibilities in a multiple choice, they choose the first one.

Top of the page

Miscellanous:

MAC filtering

MAC filtering allows an administrator to only permit access to computers with specific MAC addresses. It is sometimes recommended to secure the wireless but in fact brings very little security improvement and instead increases administrative tasks.
Even if a MAC address is theoretically burnt inside a physical card, it is easily possible to change it to an authorized one. Authorized addresses can be obtained by sniffing the wireless traffic to find a client speaking with the access point. The source and destination MAC addresses are not encrypted.
Let's see how to change the network interface (eth0) MAC address (12:34:56:78:90:ab) on a Linux system:

ifconfig eth0 hw ether 12:34:56:78:90:ab

DHCP server Disabling

Disabling the DHCP server and configuring only static IP addresses on your clients will provide no security because the hacker can sniff the wireless traffic to determine in which network he/she has to configure his/her static IP address.

Rogue AP:

A rogue AP is an unauthorized access point. Its goal is to bypass the security checks to access an internal network.

Fake AP:

A particularly crapy attack is when a hacker sets an AP, as a hotspot and broadcasts its SSID to incite people to connect to it.
Once people are connected to his/her AP, the attacker can launch particularly dangerous attacks because he/she is located as "man in the middle" and in the same broadcast domain.
A lot of people have their laptops configured to automatically connect to a hotspot and thus they will get connected to the fake AP without even knowing it.

It is highly recommended to follow the rules below:
1. Configure your wireless card NOT to connect automatically to non-preconfigured networks. In other words, your wireless client must not be configured to automatically access hotspots.

See below an example with the Dell wireless card utility:

"Wireless Networks" tab -> Options -> Advanced

cisco dell wirless WLAN Card Utility

"automatically connect to non-preferred networks" must be unchecked.

dell client connect
to non-prefered networks

2. If you access a hotspot to see private resources on the internet, use ONLY secure protocols such as HTTPS or SSH2 but never protocols such as SMTP, HTTP or FTP which transmit their passwords to the server in clear text. You should also have a personal firewall.

About airwaves

Last but not least, a thing never forget with wireless is that, even you have the strongest security settings to protect your data and to authenticate your users, this will not protect you against waves outside your wireless environment which will generate disruptions and quickly deteriorate the performances for the users. The disruptive waves can come from other APs out of your control or from a people with specific devices to make so many "noise" that you wireless envinronmnt would become totally unusable.
If you business is highly sensitive and requires a very high link quality permanently, always be ready to use a solution based on cables as a backup in case the Wireless solution would be affected by performance problems.

Top of the page