DHCP Undermines Security
Even if an intruder is capable of associating with an access point by using the correct SSID, they must often have an applicable IP address before they can directly access resources (user PCs, servers, etc.) on the network. Many wireless LANs, though, use DHCP (dynamic host configuration protocol) to automatically assign IP addresses to users as they become active. With DHCP enabled, a hacker receives an applicable IP address just as other legitimate users do. This provides freedoms to the hacker you’d rather not share.
For example, you may be sitting at an airport using a public wireless LAN. Someone associated with the same wireless LAN can easily use Windows to see other users (i.e., you) connected to the network. If you have file sharing turned on, the other person can click on your device, drill down to your documents folder, and open or copy files to their laptop. This is a serious problem that many end users overlook, especially when operating from home and public networks.
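The practical consequence of the paragraphs above is that the DHCP server's lease table is the one place where every associated client, welcome or not, leaves a record. The following audit script is an added example, not code from the original article: it assumes a dnsmasq-style lease file (one lease per line: expiry epoch, MAC, IP, hostname, client-id) and an operator-maintained inventory of expected hardware addresses; the lease lines and the inventory are constructed for the demo.

```python
"""Audit a DHCP lease table against a client inventory.

Added example, not code from the original article. It assumes a
dnsmasq-style lease file (one lease per line: expiry epoch, MAC, IP,
hostname, client-id) and an operator-maintained list of expected MACs.
The lease lines and the inventory below are constructed for the demo.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample leases in dnsmasq's lease-file layout.
SAMPLE_LEASES = """\
1700000600 00:11:22:33:44:55 192.168.1.10 alice-laptop 01:00:11:22:33:44:55
1700000600 00:11:22:33:44:66 192.168.1.11 bob-desktop 01:00:11:22:33:44:66
1700000900 de:ad:be:ef:00:01 192.168.1.57 * *
1700000950 00:11:22:33:44:77 192.168.1.12 printer-2f 01:00:11:22:33:44:77
"""

# Constructed inventory: the hardware addresses the operator expects on this LAN.
KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:77"}


@dataclass(frozen=True)
class Lease:
    expires: int
    mac: str
    ip: ipaddress.IPv4Address
    hostname: str


def parse_leases(text: str) -> list[Lease]:
    """Parse lease lines; malformed or blank lines are skipped rather than trusted."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            leases.append(Lease(int(fields[0]), fields[1].lower(),
                                ipaddress.IPv4Address(fields[2]), fields[3]))
        except ValueError:
            continue  # bad epoch or IP literal: ignore the line
    return leases


def unknown_clients(leases: list[Lease], known_macs: set[str]) -> list[Lease]:
    """Leases handed out to MACs that are not in the inventory."""
    known = {m.lower() for m in known_macs}
    return [lease for lease in leases if lease.mac not in known]


def audit_report(text: str, known_macs: set[str]) -> list[str]:
    """One human-readable line per unexpected client, suitable for a log or ticket."""
    lines = []
    for lease in unknown_clients(parse_leases(text), known_macs):
        name = lease.hostname if lease.hostname != "*" else "(no hostname)"
        lines.append(f"unexpected client {lease.mac} holds {lease.ip} {name}")
    return lines


if __name__ == "__main__":
    for line in audit_report(SAMPLE_LEASES, KNOWN_MACS):
        print(line)
```

Treat the report as a triage signal rather than an access control: a hardware address is trivially changed by its owner, so an inventory match proves nothing about who is behind the card, and the fix for the open-share problem the text describes is to turn file sharing off (or require authentication for it) on devices that roam onto public networks.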
Man-in-the-middle attacks
Through the use of an 802.11 analyzer, a person can monitor 802.11 frames sent over the wireless LAN and easily fool the network through various “man-in-the-middle” attacks. You can view the frames sent back and forth between a user’s radio NIC and access point during the association process. As a result, you’ll learn information about the radio card and access point, such as the IP addresses of both devices, the association ID for the radio NIC, and the SSID of the network.
With this information, someone can set up a rogue access point (on a different radio channel) closer to a particular user to force the user’s radio NIC to reassociate with the rogue access point. Because 802.11 doesn’t provide access point authentication, the radio NIC will happily reassociate with the rogue access point. Once reassociation occurs, the rogue access point will capture traffic from unsuspecting users attempting to log in to their services. Of course this exposes sensitive user names and passwords to a hacker who has an interface with the rogue access point.
Someone can also mount man-in-the-middle attacks with a rogue radio NIC. After gleaning information about a particular wireless LAN by monitoring frame transmissions, a hacker can program a rogue radio NIC to mimic a valid one. This enables the hacker to deceive the access point by disassociating the valid radio NIC and reassociating as a rogue radio NIC with the same parameters as the valid radio NIC. As a result, the hacker can use the rogue radio NIC to steal the session and carry on with a particular network-based service, one that the valid user had logged into.
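Because the station side cannot authenticate the access point, the operator's best short-term defence against the rogue access point described above is to notice it: a rogue AP has to advertise the network's SSID from hardware the operator never deployed. The script below is an added example, not code from the original article; it assumes a sensor has already collected (BSSID, SSID, channel) from beacon frames and that an inventory of deployed access points exists. All addresses and observations are constructed.

```python
"""Flag rogue access points from observed beacons.

Added example, not code from the original article. It assumes a sensor
has already collected (BSSID, SSID, channel) from beacon frames and that
the operator keeps an inventory of deployed access points. All the
addresses and observations below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int


# Constructed inventory: BSSID -> (SSID, channel) of the APs the operator deployed.
AUTHORIZED_APS = {
    "00:0c:41:aa:bb:01": ("CorpWLAN", 1),
    "00:0c:41:aa:bb:02": ("CorpWLAN", 6),
    "00:0c:41:aa:bb:03": ("CorpWLAN", 11),
}

# Constructed observations from one scan cycle.
OBSERVED = [
    Beacon("00:0c:41:aa:bb:01", "CorpWLAN", 1),
    Beacon("00:0c:41:aa:bb:02", "CorpWLAN", 6),
    Beacon("02:13:37:00:00:01", "CorpWLAN", 3),    # our SSID from a BSSID we never deployed
    Beacon("00:0c:41:aa:bb:03", "CorpWLAN", 4),    # our AP, but not on its configured channel
    Beacon("a4:5e:60:11:22:33", "CoffeeShop", 6),  # neighbour's network, not ours
]


def classify(beacon: Beacon, authorized: dict[str, tuple[str, int]]) -> str | None:
    """Return an alert reason, or None when the beacon is consistent with the inventory."""
    our_ssids = {ssid for ssid, _ in authorized.values()}
    bssid = beacon.bssid.lower()
    if bssid in authorized:
        ssid, channel = authorized[bssid]
        if beacon.ssid != ssid:
            return "known-bssid-unexpected-ssid"
        if beacon.channel != channel:
            return "known-bssid-unexpected-channel"
        return None
    if beacon.ssid in our_ssids:
        # The rogue-AP case from the text: our network name advertised by foreign hardware.
        return "unknown-bssid-advertises-our-ssid"
    return None  # somebody else's network; not our problem to police


def audit(observed: list[Beacon], authorized: dict[str, tuple[str, int]]) -> list[tuple[str, int, str]]:
    """(BSSID, channel, reason) for every beacon that contradicts the inventory."""
    alerts = []
    for b in observed:
        reason = classify(b, authorized)
        if reason:
            alerts.append((b.bssid, b.channel, reason))
    return alerts


if __name__ == "__main__":
    for bssid, channel, reason in audit(OBSERVED, AUTHORIZED_APS):
        print(f"{reason}: {bssid} on channel {channel}")
```

A channel mismatch may simply be an AP that auto-selected a new channel, so that alert is a prompt to check configuration, whereas an unknown BSSID carrying the corporate SSID is the case the text describes and deserves a walk with a directional antenna. Detection only shortens the window; it does not give the station the access point authentication the text says 802.11 lacks.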
Problems with WEP
On 802.11 networks, you can enable WEP (wired equivalent privacy), which encrypts the body of each frame. This is supposed to keep hackers from viewing sensitive e-mails, user names and passwords, proprietary documents, etc. As discussed in a previous tutorial, hackers can fairly easily decode WEP-encrypted information after monitoring an active network for less than one day.
Consequently, don’t depend on WEP for protecting sensitive information. The use of WEP in most cases, nevertheless, is better than no encryption at all, especially if you deploy a mechanism to change the WEP key often (see related tutorial).
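The "change the key often" advice has a quantitative basis that the two paragraphs above leave implicit. The block below is an added example, not code from the original article: it assumes the WEP design fact that every frame's RC4 key is the shared key prefixed by a 24-bit initialization vector (IV) sent in the clear, so two frames under the same key and IV are encrypted with the same keystream, and it models a card that picks IVs at random (a card that counts IVs sequentially repeats only after 2^24 frames, or whenever it resets and starts from zero). The frame rates used are constructed for illustration.

```python
"""How quickly WEP reuses keystream: a birthday-bound calculation.

Added example, not code from the original article. The article only says
WEP can be decoded after less than a day of monitoring; this block
quantifies one reason. It assumes the WEP design fact that each frame's
RC4 key is the shared key prefixed by a 24-bit IV sent in the clear, so
two frames with the same IV under one key share a keystream, and it
models random IV selection. Frame rates below are constructed.
"""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible IVs per shared key


def collision_probability(frames: int, space: int = IV_SPACE) -> float:
    """P(at least one IV repeats) among `frames` IVs drawn uniformly at random."""
    if frames > space:
        return 1.0  # pigeonhole: more frames than IVs
    p_distinct = 1.0
    for i in range(frames):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct


def expected_frames_until_repeat(space: int = IV_SPACE) -> float:
    """E[frame index of the first repeated IV] = sum over k of P(first k IVs all distinct)."""
    total, p_distinct, k = 0.0, 1.0, 0
    while p_distinct > 1e-15:  # remaining terms are negligible
        total += p_distinct
        p_distinct *= (space - k) / space
        k += 1
    return total


def frames_for_probability(target: float, space: int = IV_SPACE) -> int:
    """Smallest frame count at which the repeat probability reaches `target`."""
    p_distinct, n = 1.0, 0
    while 1.0 - p_distinct < target:
        p_distinct *= (space - n) / space
        n += 1
    return n


def rotation_interval_seconds(frames_per_second: float, target: float = 0.5) -> float:
    """Seconds after which a link at this rate reaches `target` probability of IV reuse."""
    return frames_for_probability(target) / frames_per_second


def approx_birthday_bound(space: int = IV_SPACE) -> float:
    """Closed-form approximation sqrt(pi*N/2) for cross-checking the exact sum."""
    return math.sqrt(math.pi * space / 2)


if __name__ == "__main__":
    print(f"expected frames until first repeated IV: {expected_frames_until_repeat():.0f}")
    print(f"frames for a 50% chance of reuse: {frames_for_probability(0.5)}")
    print(f"at a constructed 500 frames/s that is {rotation_interval_seconds(500):.1f} s")
```

The exact sum and the closed-form bound agree to within one frame, and both land in the low thousands: on a busy cell a key is reused long before the day of monitoring the text mentions has elapsed, which is why rotating the key changes the arithmetic only if rotation happens on a scale of seconds or minutes, not days.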
Denial of service attacks
Another form of security attack is denial of service. In this case, the hacker might not steal any information. They just keep users from accessing services, either to gain some sort of competitive advantage or just have some devious “fun.”
A mischievous person can use a wireless client to insert bogus packets into the wireless LAN with the intent of keeping users from getting access to services. A brute-force way of doing this is to set up a relatively high-power signal generator to produce enough RF interference to block other radio NICs from accessing the medium. The 802.11 MAC layer is fairly polite and avoids transmitting when it senses other RF activity. This gives the intruder enough control to keep users from accessing network services for an indefinite period of time.
Other, subtler methods for denying service include fooling valid radio NICs with fake 802.11 frames. For example, someone could set up their radio NIC (or 802.11 frame generator) to send a continuous stream of CTS (clear-to-send) frames, which mimics an access point informing a particular radio NIC to transmit and all others to wait. (CTS is part of 802.11’s RTS/CTS function.) The radio NIC being given permission to transmit could be a fictitious user. As a result, the legitimate radio NICs in end user devices will continually delay access to the medium.
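A CTS flood of the kind just described is easy to see once you look for it: genuine CTS frames answer an RTS (or appear as occasional self-CTS), so a second in which CTS frames dwarf RTS frames and nearly all of them name the same receiver is the signature. The detector below is an added example, not code from the original article; it assumes a monitor interface has already decoded control frames into (timestamp, subtype, receiver address) records, and the capture it runs over is constructed.

```python
"""Spot a CTS flood in a stream of 802.11 control frames.

Added example, not code from the original article. It assumes a monitor
interface has already decoded control frames into (timestamp, subtype,
receiver address) records; the frames below are constructed. Legitimate
CTS frames answer an RTS (or are occasional self-CTS), so a window in
which CTS counts dwarf RTS counts is the signal the text describes.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CtrlFrame:
    ts: float      # capture time, seconds
    subtype: str   # "RTS" or "CTS"
    ra: str        # receiver address the frame names


def build_sample() -> list[CtrlFrame]:
    """Constructed capture: two quiet seconds, then one second of CTS-only frames."""
    frames = []
    for sec in range(2):
        for i in range(10):  # ten genuine RTS/CTS exchanges per second
            t = sec + i / 10
            frames.append(CtrlFrame(t, "RTS", "00:0c:41:aa:bb:01"))
            frames.append(CtrlFrame(t + 0.0001, "CTS", "00:11:22:33:44:55"))
    for i in range(300):  # the flood: CTS frames naming one station, no RTS at all
        frames.append(CtrlFrame(2 + i / 300, "CTS", "02:13:37:00:00:99"))
    return frames


def cts_flood_bins(frames: list[CtrlFrame], window: float = 1.0,
                   max_cts: int = 50, min_ratio: float = 5.0) -> list[dict]:
    """One record per window whose CTS count is both high and far above its RTS count."""
    cts_by_bin: dict[int, Counter] = defaultdict(Counter)
    rts_by_bin: Counter = Counter()
    for f in frames:
        b = int(f.ts // window)
        if f.subtype == "CTS":
            cts_by_bin[b][f.ra] += 1
        elif f.subtype == "RTS":
            rts_by_bin[b] += 1
    alerts = []
    for b in sorted(cts_by_bin):
        cts = sum(cts_by_bin[b].values())
        rts = rts_by_bin[b]
        if cts > max_cts and cts > min_ratio * max(rts, 1):
            top_ra, top_count = cts_by_bin[b].most_common(1)[0]
            alerts.append({"bin": b, "start": b * window, "cts": cts, "rts": rts,
                           "top_ra": top_ra, "top_share": top_count / cts})
    return alerts


if __name__ == "__main__":
    for a in cts_flood_bins(build_sample()):
        print(f"t={a['start']:.0f}s: {a['cts']} CTS vs {a['rts']} RTS, "
              f"{a['top_share']:.0%} naming {a['top_ra']}")
```

Tune `max_cts` and `min_ratio` per cell, since access points in mixed-mode cells send self-CTS legitimately and a busy cell has a higher baseline. Note also that the brute-force jamming in the previous paragraph produces no frames at all; it shows up instead as a collapse in successfully received frames and a jump in retry counts, so a complete monitor watches both signals.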
The bottom line
As you can see, there are many wireless LAN security issues that require attention. If and how you handle these problems depends greatly on your security requirements. In some cases, you might want to keep the network as open as possible and only protect files on user PCs. Most other scenarios, however, will likely need much more. It’s possible to make wireless LANs very secure, as we’ll discuss in a future tutorial. Stay tuned!
Source: