SlideShare a Scribd company logo

Web-style Wireless IDS attacks, Sergey Gordeychik

Q
qqlan

The document discusses the architecture and vulnerabilities of Wireless Intrusion Detection Systems (WIDS), highlighting their increasing importance and integration with active network equipment. It identifies various sources of threats, including external, internal intruders, and operators, and outlines potential hacking methods through manipulated wireless traffic and weaknesses in web interfaces. The article concludes with recommendations for selecting and configuring WIDS to enhance security and mitigate risks associated with their deployment.

Technology
1 of 12
Downloaded 14 times
1
2
3
4
5
6
7
8
9
10
11
12
To find tomorrow’s vulnerabilities today Web-style Wireless IDS attacks by Sergey Gordeychik gordey @ ptsecurity.com
Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 2 Table of Contents Introduction 3 WIDS architecture 4 Sources of threats 4 Hacking through air gaps 5 Intrusions on a local network 7 Operator intrusions 9 Conclusion 10 About the author 11 About Positive Technologies 11 References 12
Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 3 Introduction Wireless intrusion detection systems (WIDS) are not yet as popular as their wired counterparts, but current trends would suggest that their number is set to grow. One positive factor in this respect is the integration of such programs with active network equipment and Management awareness of the risks associated with the unauthorised use of wireless devices. This awareness has led to an increase in the number of WIDS installations - even where wireless networks are not used. In view of this situation, specialists in the field of security are now aware of the need to evaluate not only the quality features of any product, but also of the need to predict any possible negative influence arising from its implementation on the security of a corporate network. This article looks at the results of research into wireless intrusion detection systems from the point of view of the specialist in the field of applications security. Design faults discovered are not discussed in the article as their correction requires significant effort on the part of the manufacturer.
Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 4 WIDS architecture A modern system of detecting wireless intrusion is a fairly complicated solution based on two- or three-tier architecture - often based on Web technologies. WIDS architecture is based on sensors which collect, and sometimes process, wireless traffic as part of the monitoring process. Sensors can be based on standard operating systems or "specialised software and hardware platforms" (in most cases Linux). As a rule, sensors are quite intelligent devices which support TCP/IP and have sophisticated control interfaces. The Sensors interact with the data collection component (server), and transfer to it information on detected intrusions or intercepted packets. The server processes information received, and performs the functions of detecting intrusions and correlating security-related events. A standard DBMS (database management system) is normally used to store information. To manage the system and monitor events, a control console is used in the form of a "fat" or "thin" client. Thus, WIDS is a distributed system which is potentially vulnerable to intrusions not only in a wireless area. Sources of threats It is possible to give the article a more formally scientific tone with the formation of an "intruder model", i.e. to define basic anthropogenic sources of threats. For WIDS these include external intruders interacting with the system through radio ether, internal intruders who have access to a local network, and operators who have certain limited opportunities to manipulate system components. The architecture of the typical wireless intrusion detection system is discussed in the article and the vectors of the intrusions are shown in the figure 1.
Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 5 DB Server Server Sensor Sensor External Attacker Web interfaceManagement console Internal Attacker Operator Figure 1. WIDS architecture and therats Hacking through air gaps The principal mechanisms by which external intruders impacts on the wireless intrusion detection system are based on the creation of 802.11 frames, processing of which leads to non-standard situations. The experience of wired intrusion detection systems [1], and also the packet sniffers Ethereal/Wireshark, shows that the presence of vulnerabilities in
Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 6 "vivisectors" of complex network protocols is entirely normal. The state machine of 802.11 link layer is fairly complicated, so as to confuse the developers. Vulnerabilities in Kismet [2], coupled with recent publications [3] on vulnerabilities in drivers of wireless clients, are compelling people to consider the probable presence of such problems in WIDS sensors. However, this has only a weak connection with the theme of the article. The data received from a non-trusted source is saved in a database and there is the probability of it not being processed correctly. And as a result there is a possibility of an intruder carrying out SQL Injection-type attacks. By adding to the packets fields of special symbols it is possible to terminate the initial SQL query and add SQL operators to it. In practice, such an intrusion can be carried out by creating fake access points or peer-to-peer networks with SSID like: ‘;insert into ... A fundamental, but surmountable restriction to the use of this type of vulnerability is the SSID length (32 bytes). At present, such vulnerability is processed as part of the policy of responsible disclosure and will possibly be published at a later date. However, the reader can verify the WIDS response to the crafted wireless networks using DBMS tracking tools (SQL Profiler or similar), for example: iwconfig ath0 mode master essid ';-- A further widely-accepted Web vulnerability characteristic of wireless intrusion detection systems is Cross-Site Scripting. Information on a detected intrusion appears in the control console, often Web browser-based. Accordingly, an intruder can select as the SSID of the fake access point a magical sequence of symbols: "><script>alert()</script> And it launches a script in the browser of the operator or administrator which can be controlled by the intruder. In such a case, 32 bytes is adequate to specify external server as a source of the script. The results of such intrusion may be many and varied - from the theft of authentication data through to carrying out certain actions related to customising of the WIDS setup - in place of the operator. Such vulnerabilities was detected in the Web interface of the Airmagnet Enterprise server [4]. The conditions of the
Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 7 stored XSS arose when the wireless networks SSID appeared in the access control lists Enterprise Server https://<servername>/Amom/Amom.dll/BD Where a "fat" client is used the situation can be complicated. For example, the AirMagnet control console for displaying information about an intrusion uses an embedded Internet Explorer object and inserts in the HTML template SSID of access points (or the client) without screening. If the browser works in the security zone Local Machine, the insertion of scripts may lead to serious consequences. Further details about risks associated with use in applications of the object Internet Explorer working in the security zone My Computer can be found in [5] and [6]. In practice, all tested solutions are vulnerable to Cross-site Request Forgery (CSRF) attacks. However, this vulnerability is so widespread that it was not even considered worth mentioning. Of course, implementation of these intrusions requires that the intruder has information about the type of WIDS used, but this issue is fairly well described in the publication [7]. Intrusions on a local network An internal user has far more opportunities than his external intruder counterpart. Since WIDS control interfaces for sensors and servers are fully functional Web interfaces, it is highly probable that an intruder will be able to find in these applications the entire range of vulnerabilities from Web Application Consortium Threads Classification [8]. Examples include vulnerabilities [9], in Cisco WLSE and so on. In the sensor control interface AirMagnet SmartEdge Sensor a persistent Cross-Site Scripting vulnerability was detected in audit journals reviewing interface: https://<sensorip>/AirMagnetSensor/AMSensor.dll/XH WebServer Log
Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 8 In order to carry out an intrusion in this case, the name of the user entered at the time of authentication is used. The non-persistent variant XSS is present in 404-error pages: http://<sensor IP>/xss<script>alert()</script> https://<sensor IP>/xss<script>alert()</script> One further vector of intrusions which an internal intruder can use is network interaction between system components, such as collection of data from sensors, saving events in a DBMS, remote-control and browsing events. Naturally, this traffic is sufficiently critical for vendors to deal with its protection using such reliable protocols as SSL. However, concern about convenience of users is compelling manufacturers to use self-signed certificates rather than use a proper PKI-style verification process. For example, the control console Airmagnet accepts practically any certificate in the server response. This allows an intruder who has satisfied the "man in the middle" conditions to decipher traffic (including user passwords) transmitted between the control console and the server by using generally accessible tools such as ettercap or Cain [10]. Below is an example of traffic intercepted and deciphered. [Client-side-data] GET /AMom/AMom.dll/UA HTTP/1.1 Accept: */* AMUser: admin <STATIONID> AMBuild: 4694 User-Agent: AirMagnet Host: <serverip> Connection: Keep-Alive Authorization: Basic YWRtaW46MTExMTEx [Server-side-data] HTTP/1.1 200 OK Date: Mon, 20 Mar 2006 12:53:12 GMT Server: Apache/2.0.52 (Win32) mod_ssl/2.0.52 OpenSSL/0.9.7a Content-Length: 301 Keep-Alive: timeout=15 Connection: Keep-Alive Content-Type: text/html [Server-side-data] <html> 3 2 AirMagnetSensor 111111 16777215 1 0
Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 9 111111111111111111111111111111111111111111111111111111111111 1111 1 admin111111 16777215 1 0 111111111111111111111111111111111111111111111111111111111111 1111 3 AirMagnetSensor2 111111 16777215 1 0 0 </html> Moreover, WIDS can work with active network equipment, for example switches, using non-secure network protocols such as SNMPv1, which also affords the intruder certain advantages. Operator intrusions In most WIDS the access control mechanism is in place. Users can have authorisation to carry out only certain operations, for example only browse events, or the range of their authorisation can be restricted by certain groups of sensors (building, floor). Where vulnerabilities exist in the control interface, this group of users has the opportunity to increase its privileges within the scope of the intrusion detection system or the entire network if the vulnerability is sufficiently serious. In the process of testing Highwall Enterprise Server and Highwall EndPoint 4.0.2.11045 many Cross-Site Scripting- and SQL Injection-type vulnerabilities were detected. A user with the right to change system parameters (for example names of the sensor WIDS or workstation on which Highwall EndPoint is set up) can insert Javascript operators in the pages of the server and transfer the authorisation data of a more privileged user or perform actions on the WIDS device in that user's name. The function of viewing information about system objects access points and buildings contains an SQL Injection vulnerability, which allows the operator to carry out SQL instructions on the DBMS server. Where an application which uses the Microsoft SQL server has high privileges, the intruder has many opportunities to realize attacks.
Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 10 Conclusion I would like to conclude by giving several minor recommendations for specialists selecting or configuring a wireless intrusion detection system. 1. Check the system response to non-standard traffic in the wireless network. Several examples of such traffic were given in the article. In addition different fuzzers, for example [11] can be used. 2. Pay attention to the level of privileges used by the WIDS to work with the DBMS. The consequences of intrusions could be very serious if a superuser account is used. 3. When planning a network infrastructure for the WIDS, be aware of the requirements for separation of networks. Transfer control traffic to a separate segment/VLAN. 4. Switch off unused control protocols on remote sensor. The use of telnet in 2006 can only be justified by constructing a honeypot. 5. Scan the network interfaces of the WIDS sensors and servers using a vulnerabilities scanner which supports Web applications. I guarantee that, in most cases, you will get a nasty shock. It is important that you make a backup copy of the system. A scanner may inadvertently obtain access to a remote controls and cause mayhem by pressing all available buttons. 6. Pay serious attention to the management workstation. The author uses the following approach, which is easily realised by using a proxy server: • the browser used for working in the corporate network does not have access to Internet resources. • the browser working with the Internet is restricted to use of corporate resources, and works in a "sandbox". 7. It is also possible to block the execution of scripts in the security zone My Computer [12] or to use Terminal Server for keeping client applications separate. 8. Try to use the WIDS system as a critical business application and fulfil the requirements formulated in the security policy for the given class of product. In addition to a special review of the policy, it is a unique opportunity to be with the IT specialists and users who carry out the requirements of the policy every day.
Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 11 About the author Sergey Gordeychik is the System Architects of Positive Technologies (www.ptsecurity.com), where he is responsible for application, wireless and mobile security. Mr. Gordeychik is an author of “Wireless Security”, “Auditing Web-applications security” and “Securing Microsoft Windows-based Enterprise” training courses in Security Training Centre Informzaschita (www.itsecurity.ru). He is regular author of “Windows IT Pro/RE” magazine, SecurityLab (www.securityfocus.ru) and other. Mr. Gordeychik is also contributor of Web Application Security Consortium (WASC). About Positive Technologies Positive Technologies is a private company specializing in network information security. Its head office is located in Moscow, Russia. The company has two main concentrations: provision of integrated services used in protecting computer networks from unauthorized access; and development of the MaxPatrol security scanner and its complementary products. The company's Russian and Ukrainian customers include largest banks, state organizations, leading telecommunication and industrial companies. Our two concentrations both complement and enrich each other. The enormous practical experience of the leading Russian security specialists employed by the company allows us to create products of the highest quality. An excellent product can provide effective, successful, and quick resolutions of information-security problems. Besides this, the company owns a leading Russian Internet portal www.securityfocus.ru for information security that it uses for analytic and educational purposes.
Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 12 References [1] Vulnerabilities in Snort 2.4 http://www.security.nnov.ru/soft/6810.html?l=EN [2] Kevin Finisterre, «New Kismet Packages available - SayText() and suid kismet_server issues» http://www.security.nnov.ru/docs3012.html [3] Johnny «Cache», David Maynor «Device Drivers: Dont build a house on a shaky foundation» www.blackhat.com/presentations/bh-usa-06/BH-US-06-Cache.pdf [4] AirMagnet Enterprise http://www.airmagnet.com/products/enterprise.htm [5] «SPI Dynamics WebInspect Cross Application Script Injection Vulnerability» http://www.securityfocus.com/bid/14385/references [6] SPI Dynamics, «Feed Injection in Web 2.0» http://www.spidynamics.com/assets/documents/HackingFeeds.pdf [7] Joshua Wright, «Weaknesses in Wireless LAN Session Containment» http://i.cmpnet.com/nc/1612/graphics/SessionContainment_file.pdf [8] Web Application Security Consortium, Threats Classification http://www.webappsec.org/projects/threat/ [9] Cisco Security Advisory: Multiple Vulnerabilities in the WLSE Appliance http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml [10] Cain & Abel http://www.oxid.it/cain.html [11] Raw Wireless Tools Homepage http://rfakeap.tuxfamily.org/ [12] How to strengthen the security settings for the Local Machine zone in Internet Explorer http://support.microsoft.com/kb/833633

More Related Content

PDF
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
researchinventy
 
PDF
IRJET - IDS for Wifi Security
IRJET Journal
 
PDF
Efficient String Matching Algorithm for Intrusion Detection
editor1knowledgecuddle
 
PDF
Defending Industrial Control Systems From Cyberattack
Mountain States Engineering and Controls
 
PDF
TACTiCS_WP Security_Addressing Security in SDN Environment
Saikat Chaudhuri
 
PDF
A Modular Approach To Intrusion Detection in Homogenous Wireless Network
IOSR Journals
 
PDF
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
Muhammad FAHAD
 
PPTX
RSAC 2021 Spelunking Through the Steps of a Control System Hack
Dan Gunter
 
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
researchinventy
 
IRJET - IDS for Wifi Security
IRJET Journal
 
Efficient String Matching Algorithm for Intrusion Detection
editor1knowledgecuddle
 
Defending Industrial Control Systems From Cyberattack
Mountain States Engineering and Controls
 
TACTiCS_WP Security_Addressing Security in SDN Environment
Saikat Chaudhuri
 
A Modular Approach To Intrusion Detection in Homogenous Wireless Network
IOSR Journals
 
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
Muhammad FAHAD
 
RSAC 2021 Spelunking Through the Steps of a Control System Hack
Dan Gunter
 

What's hot (15)

PDF
Ijcet 06 07_001
IAEME Publication
 
DOCX
Five IDS mistakes people make
Anton Chuvakin
 
PDF
Vulnerabilities on the Wire: Mitigations for Insecure ICS Device Communication
Muhammad FAHAD
 
PDF
A Collaborative Intrusion Detection System for Cloud Computing
ijsrd.com
 
PDF
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...
IJNSA Journal
 
PDF
Intrusion Detection System
Codero
 
PDF
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...
IJNSA Journal
 
PDF
Darktrace white paper_ics_final
CMR WORLD TECH
 
PDF
Cyber security and cyber law
Divyank Jindal
 
PDF
Report: Study and Implementation of Advance Intrusion Detection and Preventio...
Deepak Mishra
 
PDF
IoT security fresh thinking 2017 sep 9
Arvind Tiwary
 
PPTX
Cloud-based IDS architectures : APPLYING THE IDS APPROACHES INTO THE CLOUD EN...
Hassan EL ALLOUSSI
 
PPTX
SCADA Security Training
Bryan Len
 
PDF
D03302030036
theijes
 
PDF
Darktrace Proof of Value
Darktrace
 
Ijcet 06 07_001
IAEME Publication
 
Five IDS mistakes people make
Anton Chuvakin
 
Vulnerabilities on the Wire: Mitigations for Insecure ICS Device Communication
Muhammad FAHAD
 
A Collaborative Intrusion Detection System for Cloud Computing
ijsrd.com
 
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...
IJNSA Journal
 
Intrusion Detection System
Codero
 
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...
IJNSA Journal
 
Darktrace white paper_ics_final
CMR WORLD TECH
 
Cyber security and cyber law
Divyank Jindal
 
Report: Study and Implementation of Advance Intrusion Detection and Preventio...
Deepak Mishra
 
IoT security fresh thinking 2017 sep 9
Arvind Tiwary
 
Cloud-based IDS architectures : APPLYING THE IDS APPROACHES INTO THE CLOUD EN...
Hassan EL ALLOUSSI
 
SCADA Security Training
Bryan Len
 
D03302030036
theijes
 
Darktrace Proof of Value
Darktrace
 
Ad

Viewers also liked (8)

PPT
Security Metrix
qqlan
 
PDF
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
qqlan
 
PDF
Best of Positive Research 2013
qqlan
 
PDF
ABUSE THEIR CLOUDS. ОБЛАЧНЫЕ ВЫЧИСЛЕНИЯ ГЛАЗАМИ ПЕНТЕСТЕРА, ЮРИЙ ГОЛЬЦЕВ, СЕ...
qqlan
 
PDF
Kaspersky SAS SCADA in the Cloud
qqlan
 
PDF
D1 t1 t. yunusov k. nesterov - bootkit via sms
qqlan
 
PPTX
Миссиоцентрический подход к кибербезопасности АСУ ТП
qqlan
 
PDF
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet v2
qqlan
 
Security Metrix
qqlan
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
qqlan
 
Best of Positive Research 2013
qqlan
 
ABUSE THEIR CLOUDS. ОБЛАЧНЫЕ ВЫЧИСЛЕНИЯ ГЛАЗАМИ ПЕНТЕСТЕРА, ЮРИЙ ГОЛЬЦЕВ, СЕ...
qqlan
 
Kaspersky SAS SCADA in the Cloud
qqlan
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
qqlan
 
Миссиоцентрический подход к кибербезопасности АСУ ТП
qqlan
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet v2
qqlan
 
Ad

Similar to Web-style Wireless IDS attacks, Sergey Gordeychik (20)

PDF
Optimized Intrusion Detection System using Deep Learning Algorithm
ijtsrd
 
PPT
Intrusion Detection System
Mohit Belwal
 
PPT
Day4
Jai4uk
 
DOC
A secure intrusion detection system against ddos attack in wireless mobile ad...
vishnuRajan20
 
PDF
Iaetsd reducing security risks in virtual networks by
Iaetsd Iaetsd
 
PDF
Review Paper on Predicting Network Attack Patterns in SDN using ML
ijtsrd
 
PPTX
Firewalls
Deevena Dayaal
 
PDF
Ea33762765
IJERA Editor
 
PDF
Ea33762765
IJERA Editor
 
PDF
Secure intrusion detection and countermeasure selection in virtual system usi...
eSAT Publishing House
 
PPT
UTM Unified Threat Management
Lokesh Sharma
 
PDF
CISA GOV - Seven Steps to Effectively Defend ICS
Muhammad FAHAD
 
PDF
Defending industrial control systems from cyber attack
Analynk Wireless, LLC
 
PDF
Defending Industrial Control Systems From Cyberattack
CTi Controltech
 
PDF
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
Miller Energy, Inc.
 
PDF
Seven recommendations for bolstering industrial control system cyber security
CTi Controltech
 
PDF
IRJET- Detection and Isolation of Zombie Attack under Cloud Computing
IRJET Journal
 
PDF
Welcome to International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
PPT
Layer 7 Technologies: Web Services Hacking And Hardening
CA API Management
 
PDF
8 Top Cybersecurity Tools.pdf
Metaorange
 
Optimized Intrusion Detection System using Deep Learning Algorithm
ijtsrd
 
Intrusion Detection System
Mohit Belwal
 
Day4
Jai4uk
 
A secure intrusion detection system against ddos attack in wireless mobile ad...
vishnuRajan20
 
Iaetsd reducing security risks in virtual networks by
Iaetsd Iaetsd
 
Review Paper on Predicting Network Attack Patterns in SDN using ML
ijtsrd
 
Firewalls
Deevena Dayaal
 
Ea33762765
IJERA Editor
 
Ea33762765
IJERA Editor
 
Secure intrusion detection and countermeasure selection in virtual system usi...
eSAT Publishing House
 
UTM Unified Threat Management
Lokesh Sharma
 
CISA GOV - Seven Steps to Effectively Defend ICS
Muhammad FAHAD
 
Defending industrial control systems from cyber attack
Analynk Wireless, LLC
 
Defending Industrial Control Systems From Cyberattack
CTi Controltech
 
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
Miller Energy, Inc.
 
Seven recommendations for bolstering industrial control system cyber security
CTi Controltech
 
IRJET- Detection and Isolation of Zombie Attack under Cloud Computing
IRJET Journal
 
Welcome to International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
Layer 7 Technologies: Web Services Hacking And Hardening
CA API Management
 
8 Top Cybersecurity Tools.pdf
Metaorange
 

More from qqlan (20)

PPTX
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
qqlan
 
PDF
Pt infosec - 2014 - импортозамещение
qqlan
 
PPTX
SCADA StrangeLove Kaspersky SAS 2014 - LHC
qqlan
 
PDF
Firebird Interbase Database engine hacks or rtfm
qqlan
 
PDF
SCADA StrangeLove 2: We already know
qqlan
 
PDF
Internet connected ICS/SCADA/PLC
qqlan
 
PDF
SCADA deep inside:protocols and software architecture
qqlan
 
PDF
Techniques of attacking ICS systems
qqlan
 
PDF
Positive Technologies Application Inspector
qqlan
 
PPTX
Database honeypot by design
qqlan
 
PDF
Positive Technologies Application Inspector
qqlan
 
PPTX
Black Hat: XML Out-Of-Band Data Retrieval
qqlan
 
PDF
Positive Technologies - S4 - Scada under x-rays
qqlan
 
PDF
PT - Siemens WinCC Flexible Security Hardening Guide
qqlan
 
PDF
Scada Strangelove - 29c3
qqlan
 
PDF
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
qqlan
 
PDF
Positive Technologies WinCC Security Hardening Guide
qqlan
 
PPTX
From ERP to SCADA and back
qqlan
 
PPT
Denis Baranov: Root via XSS
qqlan
 
PDF
How to hack a telecom and stay alive
qqlan
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
qqlan
 
Pt infosec - 2014 - импортозамещение
qqlan
 
SCADA StrangeLove Kaspersky SAS 2014 - LHC
qqlan
 
Firebird Interbase Database engine hacks or rtfm
qqlan
 
SCADA StrangeLove 2: We already know
qqlan
 
Internet connected ICS/SCADA/PLC
qqlan
 
SCADA deep inside:protocols and software architecture
qqlan
 
Techniques of attacking ICS systems
qqlan
 
Positive Technologies Application Inspector
qqlan
 
Database honeypot by design
qqlan
 
Positive Technologies Application Inspector
qqlan
 
Black Hat: XML Out-Of-Band Data Retrieval
qqlan
 
Positive Technologies - S4 - Scada under x-rays
qqlan
 
PT - Siemens WinCC Flexible Security Hardening Guide
qqlan
 
Scada Strangelove - 29c3
qqlan
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
qqlan
 
Positive Technologies WinCC Security Hardening Guide
qqlan
 
From ERP to SCADA and back
qqlan
 
Denis Baranov: Root via XSS
qqlan
 
How to hack a telecom and stay alive
qqlan
 

Recently uploaded (20)

PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
A Presentation on Artificial Intelligence
memembruh336
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Approach and Philosophy of On baking technology
30anthuong17
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Cloud computing and distributed systems.
kkkkkhan
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 

Web-style Wireless IDS attacks, Sergey Gordeychik

  • 1. To find tomorrow’s vulnerabilities today Web-style Wireless IDS attacks by Sergey Gordeychik gordey @ ptsecurity.com
  • 2. Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 2 Table of Contents Introduction 3 WIDS architecture 4 Sources of threats 4 Hacking through air gaps 5 Intrusions on a local network 7 Operator intrusions 9 Conclusion 10 About the author 11 About Positive Technologies 11 References 12
  • 3. Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 3 Introduction Wireless intrusion detection systems (WIDS) are not yet as popular as their wired counterparts, but current trends would suggest that their number is set to grow. One positive factor in this respect is the integration of such programs with active network equipment and Management awareness of the risks associated with the unauthorised use of wireless devices. This awareness has led to an increase in the number of WIDS installations - even where wireless networks are not used. In view of this situation, specialists in the field of security are now aware of the need to evaluate not only the quality features of any product, but also of the need to predict any possible negative influence arising from its implementation on the security of a corporate network. This article looks at the results of research into wireless intrusion detection systems from the point of view of the specialist in the field of applications security. Design faults discovered are not discussed in the article as their correction requires significant effort on the part of the manufacturer.
  • 4. Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 4 WIDS architecture A modern system of detecting wireless intrusion is a fairly complicated solution based on two- or three-tier architecture - often based on Web technologies. WIDS architecture is based on sensors which collect, and sometimes process, wireless traffic as part of the monitoring process. Sensors can be based on standard operating systems or "specialised software and hardware platforms" (in most cases Linux). As a rule, sensors are quite intelligent devices which support TCP/IP and have sophisticated control interfaces. The Sensors interact with the data collection component (server), and transfer to it information on detected intrusions or intercepted packets. The server processes information received, and performs the functions of detecting intrusions and correlating security-related events. A standard DBMS (database management system) is normally used to store information. To manage the system and monitor events, a control console is used in the form of a "fat" or "thin" client. Thus, WIDS is a distributed system which is potentially vulnerable to intrusions not only in a wireless area. Sources of threats It is possible to give the article a more formally scientific tone with the formation of an "intruder model", i.e. to define basic anthropogenic sources of threats. For WIDS these include external intruders interacting with the system through radio ether, internal intruders who have access to a local network, and operators who have certain limited opportunities to manipulate system components. The architecture of the typical wireless intrusion detection system is discussed in the article and the vectors of the intrusions are shown in the figure 1.
  • 5. Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 5 DB Server Server Sensor Sensor External Attacker Web interfaceManagement console Internal Attacker Operator Figure 1. WIDS architecture and therats Hacking through air gaps The principal mechanisms by which external intruders impacts on the wireless intrusion detection system are based on the creation of 802.11 frames, processing of which leads to non-standard situations. The experience of wired intrusion detection systems [1], and also the packet sniffers Ethereal/Wireshark, shows that the presence of vulnerabilities in
  • 6. Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 6 "vivisectors" of complex network protocols is entirely normal. The state machine of 802.11 link layer is fairly complicated, so as to confuse the developers. Vulnerabilities in Kismet [2], coupled with recent publications [3] on vulnerabilities in drivers of wireless clients, are compelling people to consider the probable presence of such problems in WIDS sensors. However, this has only a weak connection with the theme of the article. The data received from a non-trusted source is saved in a database and there is the probability of it not being processed correctly. And as a result there is a possibility of an intruder carrying out SQL Injection-type attacks. By adding to the packets fields of special symbols it is possible to terminate the initial SQL query and add SQL operators to it. In practice, such an intrusion can be carried out by creating fake access points or peer-to-peer networks with SSID like: ‘;insert into ... A fundamental, but surmountable restriction to the use of this type of vulnerability is the SSID length (32 bytes). At present, such vulnerability is processed as part of the policy of responsible disclosure and will possibly be published at a later date. However, the reader can verify the WIDS response to the crafted wireless networks using DBMS tracking tools (SQL Profiler or similar), for example: iwconfig ath0 mode master essid ';-- A further widely-accepted Web vulnerability characteristic of wireless intrusion detection systems is Cross-Site Scripting. Information on a detected intrusion appears in the control console, often Web browser-based. Accordingly, an intruder can select as the SSID of the fake access point a magical sequence of symbols: "><script>alert()</script> And it launches a script in the browser of the operator or administrator which can be controlled by the intruder. In such a case, 32 bytes is adequate to specify external server as a source of the script. The results of such intrusion may be many and varied - from the theft of authentication data through to carrying out certain actions related to customising of the WIDS setup - in place of the operator. Such vulnerabilities was detected in the Web interface of the Airmagnet Enterprise server [4]. The conditions of the
  • 7. Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 7 stored XSS arose when the wireless networks SSID appeared in the access control lists Enterprise Server https://<servername>/Amom/Amom.dll/BD Where a "fat" client is used the situation can be complicated. For example, the AirMagnet control console for displaying information about an intrusion uses an embedded Internet Explorer object and inserts in the HTML template SSID of access points (or the client) without screening. If the browser works in the security zone Local Machine, the insertion of scripts may lead to serious consequences. Further details about risks associated with use in applications of the object Internet Explorer working in the security zone My Computer can be found in [5] and [6]. In practice, all tested solutions are vulnerable to Cross-site Request Forgery (CSRF) attacks. However, this vulnerability is so widespread that it was not even considered worth mentioning. Of course, implementation of these intrusions requires that the intruder has information about the type of WIDS used, but this issue is fairly well described in the publication [7]. Intrusions on a local network An internal user has far more opportunities than his external intruder counterpart. Since WIDS control interfaces for sensors and servers are fully functional Web interfaces, it is highly probable that an intruder will be able to find in these applications the entire range of vulnerabilities from Web Application Consortium Threads Classification [8]. Examples include vulnerabilities [9], in Cisco WLSE and so on. In the sensor control interface AirMagnet SmartEdge Sensor a persistent Cross-Site Scripting vulnerability was detected in audit journals reviewing interface: https://<sensorip>/AirMagnetSensor/AMSensor.dll/XH WebServer Log
  • 8. Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 8 In order to carry out an intrusion in this case, the name of the user entered at the time of authentication is used. The non-persistent variant XSS is present in 404-error pages: http://<sensor IP>/xss<script>alert()</script> https://<sensor IP>/xss<script>alert()</script> One further vector of intrusions which an internal intruder can use is network interaction between system components, such as collection of data from sensors, saving events in a DBMS, remote-control and browsing events. Naturally, this traffic is sufficiently critical for vendors to deal with its protection using such reliable protocols as SSL. However, concern about convenience of users is compelling manufacturers to use self-signed certificates rather than use a proper PKI-style verification process. For example, the control console Airmagnet accepts practically any certificate in the server response. This allows an intruder who has satisfied the "man in the middle" conditions to decipher traffic (including user passwords) transmitted between the control console and the server by using generally accessible tools such as ettercap or Cain [10]. Below is an example of traffic intercepted and deciphered. [Client-side-data] GET /AMom/AMom.dll/UA HTTP/1.1 Accept: */* AMUser: admin <STATIONID> AMBuild: 4694 User-Agent: AirMagnet Host: <serverip> Connection: Keep-Alive Authorization: Basic YWRtaW46MTExMTEx [Server-side-data] HTTP/1.1 200 OK Date: Mon, 20 Mar 2006 12:53:12 GMT Server: Apache/2.0.52 (Win32) mod_ssl/2.0.52 OpenSSL/0.9.7a Content-Length: 301 Keep-Alive: timeout=15 Connection: Keep-Alive Content-Type: text/html [Server-side-data] <html> 3 2 AirMagnetSensor 111111 16777215 1 0
  • 9. Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 9 111111111111111111111111111111111111111111111111111111111111 1111 1 admin111111 16777215 1 0 111111111111111111111111111111111111111111111111111111111111 1111 3 AirMagnetSensor2 111111 16777215 1 0 0 </html> Moreover, WIDS can work with active network equipment, for example switches, using non-secure network protocols such as SNMPv1, which also affords the intruder certain advantages. Operator intrusions In most WIDS the access control mechanism is in place. Users can have authorisation to carry out only certain operations, for example only browse events, or the range of their authorisation can be restricted by certain groups of sensors (building, floor). Where vulnerabilities exist in the control interface, this group of users has the opportunity to increase its privileges within the scope of the intrusion detection system or the entire network if the vulnerability is sufficiently serious. In the process of testing Highwall Enterprise Server and Highwall EndPoint 4.0.2.11045 many Cross-Site Scripting- and SQL Injection-type vulnerabilities were detected. A user with the right to change system parameters (for example names of the sensor WIDS or workstation on which Highwall EndPoint is set up) can insert Javascript operators in the pages of the server and transfer the authorisation data of a more privileged user or perform actions on the WIDS device in that user's name. The function of viewing information about system objects access points and buildings contains an SQL Injection vulnerability, which allows the operator to carry out SQL instructions on the DBMS server. Where an application which uses the Microsoft SQL server has high privileges, the intruder has many opportunities to realize attacks.
  • 10. Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 10 Conclusion I would like to conclude by giving several minor recommendations for specialists selecting or configuring a wireless intrusion detection system. 1. Check the system response to non-standard traffic in the wireless network. Several examples of such traffic were given in the article. In addition different fuzzers, for example [11] can be used. 2. Pay attention to the level of privileges used by the WIDS to work with the DBMS. The consequences of intrusions could be very serious if a superuser account is used. 3. When planning a network infrastructure for the WIDS, be aware of the requirements for separation of networks. Transfer control traffic to a separate segment/VLAN. 4. Switch off unused control protocols on remote sensor. The use of telnet in 2006 can only be justified by constructing a honeypot. 5. Scan the network interfaces of the WIDS sensors and servers using a vulnerabilities scanner which supports Web applications. I guarantee that, in most cases, you will get a nasty shock. It is important that you make a backup copy of the system. A scanner may inadvertently obtain access to a remote controls and cause mayhem by pressing all available buttons. 6. Pay serious attention to the management workstation. The author uses the following approach, which is easily realised by using a proxy server: • the browser used for working in the corporate network does not have access to Internet resources. • the browser working with the Internet is restricted to use of corporate resources, and works in a "sandbox". 7. It is also possible to block the execution of scripts in the security zone My Computer [12] or to use Terminal Server for keeping client applications separate. 8. Try to use the WIDS system as a critical business application and fulfil the requirements formulated in the security policy for the given class of product. In addition to a special review of the policy, it is a unique opportunity to be with the IT specialists and users who carry out the requirements of the policy every day.
  • 11. Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 11 About the author Sergey Gordeychik is the System Architects of Positive Technologies (www.ptsecurity.com), where he is responsible for application, wireless and mobile security. Mr. Gordeychik is an author of “Wireless Security”, “Auditing Web-applications security” and “Securing Microsoft Windows-based Enterprise” training courses in Security Training Centre Informzaschita (www.itsecurity.ru). He is regular author of “Windows IT Pro/RE” magazine, SecurityLab (www.securityfocus.ru) and other. Mr. Gordeychik is also contributor of Web Application Security Consortium (WASC). About Positive Technologies Positive Technologies is a private company specializing in network information security. Its head office is located in Moscow, Russia. The company has two main concentrations: provision of integrated services used in protecting computer networks from unauthorized access; and development of the MaxPatrol security scanner and its complementary products. The company's Russian and Ukrainian customers include largest banks, state organizations, leading telecommunication and industrial companies. Our two concentrations both complement and enrich each other. The enormous practical experience of the leading Russian security specialists employed by the company allows us to create products of the highest quality. An excellent product can provide effective, successful, and quick resolutions of information-security problems. Besides this, the company owns a leading Russian Internet portal www.securityfocus.ru for information security that it uses for analytic and educational purposes.
  • 12. Web-style Wireless IDS attacks Copyright © 2006 Positive Technologies www.ptsecurity.com 12 References [1] Vulnerabilities in Snort 2.4 http://www.security.nnov.ru/soft/6810.html?l=EN [2] Kevin Finisterre, «New Kismet Packages available - SayText() and suid kismet_server issues» http://www.security.nnov.ru/docs3012.html [3] Johnny «Cache», David Maynor «Device Drivers: Dont build a house on a shaky foundation» www.blackhat.com/presentations/bh-usa-06/BH-US-06-Cache.pdf [4] AirMagnet Enterprise http://www.airmagnet.com/products/enterprise.htm [5] «SPI Dynamics WebInspect Cross Application Script Injection Vulnerability» http://www.securityfocus.com/bid/14385/references [6] SPI Dynamics, «Feed Injection in Web 2.0» http://www.spidynamics.com/assets/documents/HackingFeeds.pdf [7] Joshua Wright, «Weaknesses in Wireless LAN Session Containment» http://i.cmpnet.com/nc/1612/graphics/SessionContainment_file.pdf [8] Web Application Security Consortium, Threats Classification http://www.webappsec.org/projects/threat/ [9] Cisco Security Advisory: Multiple Vulnerabilities in the WLSE Appliance http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml [10] Cain & Abel http://www.oxid.it/cain.html [11] Raw Wireless Tools Homepage http://rfakeap.tuxfamily.org/ [12] How to strengthen the security settings for the Local Machine zone in Internet Explorer http://support.microsoft.com/kb/833633