CWSP RELEASE DATE 2/08/2010
  • CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204
    by David D. Coleman, David A. Westcott, Bryan E. Harkins, Shawn M. Jackman

    Shawn Jackman (Jack) CWNE#54 is a personal friend and has been a mentor to me for many years.  I've had the pleasure and opportunity to work with Jack for 4 years. Jack is a great teacher who takes complex 802.11 standards and breaks them down so almost anyone can understand the concept at hand. I'm excited for you brother. Great job and job well done! Put another notch in the belt!

Saturday, May 15, 2010

TKIP Countermeasure caught in the wild!

  

I want to share an event you may not see very often in the wild: a TKIP countermeasure.

What is a TKIP countermeasure and why is it important?
 
By default, Cisco WLCs and autonomous access points will suspend all TKIP traffic on a radio / SSID for 60 seconds if a client sends 2 bad MICs within a 60-second period. This measure is meant to prevent the spoofing of frames by hackers.
 
Fully authorized wireless clients can occasionally send bad MICs. In fact, a colleague of mine once had a bad wireless NIC that was notorious for throwing bad MICs. His machine was a walking "DoS" attack of sorts. LOL
 

The TKIP countermeasure is configurable per SSID and can be disabled. I blogged about this in December of last year. The commands for both the WLC and Autonomous are below:


So what happened?

I was simply reviewing logs in WCS when an alert popped up. Once I saw 'MIC' in the header, I thought right away: is this a TKIP countermeasure event? And sure enough, it was. I've since monitored the device to ensure it wasn't a problem child.

NOTE: Cisco recommends disabling the TKIP countermeasure on all voice SSIDs.
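The countermeasure timing described in this post can be replayed over MIC-failure events to see when an SSID was suspended and which client caused it. This is an added example, not code from the original post or from Cisco; it assumes failures are counted per SSID, uses the 60-second values given above, and the function names, event tuples and sample events are hypothetical and constructed.

```python
from collections import defaultdict

MIC_WINDOW = 60  # seconds: a second bad MIC within this window triggers the countermeasure
HOLD_DOWN = 60   # seconds TKIP traffic stays suspended (default described in the post)

# Constructed sample events: (epoch seconds, SSID, client MAC). Not real log data.
SAMPLE_EVENTS = [
    (1000, "corp-tkip", "00:11:22:33:44:55"),
    (1090, "corp-tkip", "00:11:22:33:44:55"),  # 90 s after the first: no trigger
    (1120, "corp-tkip", "00:11:22:33:44:55"),  # 30 s after the previous: trigger
    (1130, "corp-tkip", "66:77:88:99:aa:bb"),  # falls inside the hold-down
    (1200, "corp-tkip", "00:11:22:33:44:55"),
    (1210, "corp-tkip", "00:11:22:33:44:55"),  # second trigger from the same NIC
    (1300, "voice", "00:11:22:33:44:55"),      # single failure on another SSID
]

def find_countermeasures(events, window=MIC_WINDOW, hold_down=HOLD_DOWN):
    """Return (ssid, start, end, clients) for every hold-down the events would cause."""
    last_failure = {}     # ssid -> (timestamp, client) of the last counted failure
    suspended_until = {}  # ssid -> time the current hold-down ends
    outages = []
    for ts, ssid, client in sorted(events):
        if ts < suspended_until.get(ssid, 0):
            continue  # failures during a hold-down are ignored in this model
        prev = last_failure.get(ssid)
        if prev is not None and ts - prev[0] <= window:
            outages.append((ssid, ts, ts + hold_down, sorted({prev[1], client})))
            suspended_until[ssid] = ts + hold_down
            del last_failure[ssid]  # start counting afresh after the hold-down
        else:
            last_failure[ssid] = (ts, client)
    return outages

def offenders(outages):
    """Count how many hold-downs each client MAC contributed to."""
    counts = defaultdict(int)
    for _ssid, _start, _end, clients in outages:
        for mac in clients:
            counts[mac] += 1
    return dict(counts)

if __name__ == "__main__":
    for ssid, start, end, clients in find_countermeasures(SAMPLE_EVENTS):
        print(f"{ssid}: TKIP suspended {start}-{end}, triggered by {', '.join(clients)}")
    print(offenders(find_countermeasures(SAMPLE_EVENTS)))
```

A client that shows up repeatedly in the `offenders` count is the "problem child" case: worth checking for a faulty NIC before treating the events as an attack.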
 
Tuesday, October 6, 2009

Cisco WLC / Rogue WCS Attack “All your base are belong to us”

Geo - “I blogged on my site about the unencrypted RRM packet just a few weeks ago. The RRM packet got little attention, but I saw this as a much bigger issue. I saw this as more than just an IP address in the clear but rather a gold mine of information, but just how could it be exploited?”

In this tutorial I will share with you an attack using the recently identified and less talked about security vulnerability with the Cisco RRM packet in conjunction with SNMP. I would like to emphasize: this video is to educate network engineers, system administrators and security professionals about the potential risk of an enterprise-wide attack on your Cisco Unified Wireless Network if Cisco best practices are not followed.

The foundation of this attack is the less talked about RRM vulnerability and the widely known SNMP vulnerabilities. There isn’t anything new here that isn’t already known about these vulnerabilities, but what I will share is the concept of an attack and the real-world potential it may have in your enterprise, especially if you use default strings or, more importantly, if an attacker knows your strings on the WLC. The concept of the attack is simple: sniff the RRM packet, discover the WLC, and then join the WLC to the rogue WCS server. After that point your wireless network is at the complete mercy of the hacker. The hacker could create a “rogue” SSID for a later outside attack over wireless, launch a complete DoS attack on your wireless network enterprise wide, or delete admin accounts on the controllers to prevent you from logging into the controllers while an attack is underway.

 
Saturday, September 5, 2009

There is more to the recent Cisco Wireless OTAP issue that isn’t being widely reported.

In the last week you heard about the OTAP issue. OTAP stands for Over The Air Provisioning. It is a means whereby a Cisco access point can find a Cisco controller to initiate a join process.

When enabled, OTAP by design sends the controller MAC and IP information in the clear every 60 seconds in the multicast RRM packet. This helps access points join the network.

Cisco recommends you disable OTAP during normal production. OTAP should only be deployed during the deployment phase of a wireless network.

What isn’t being reported: even when OTAP is disabled, the RRM packets still include the controller MAC and IP address!

 Enjoy the video 

 
Friday, January 9, 2009

Do you use Windows Zero Config as your WLAN Client Management tool of choice? Perhaps you shouldn't!

If you're an enterprise user, or any user who uses Windows Zero Config with WEP or PSKs, or if you're a user who forgot or lost your WEP key or PSK, this video is for you!

The WZCOOK application can be delivered via a USB stick and launched on a workstation, revealing your network's WEP or PSK keys within seconds.

When an attacker exploits a system with WZCOOK, WPA or WPA2 networks using pre-shared key authentication are also vulnerable, since there is no regular key rotation mechanism. WPA or WPA2 networks using IEEE 802.1X authentication and an EAP type are also vulnerable to attacks when the PMK has been revealed, but the exposure is limited to a single workstation and only for the duration of the current authentication session.
