WIRELESS SECURITY ANALYZER

Final Presentation

Presented By:

Gal Leibovich

Liran Manor

Supervisor:

Hai Vortman

Background

Network security is one of the most challenging aspects of the data communication area, especially in wireless networks

A rapid growth in the number of wireless networks in the last few years

The importance of taking measurements in order to secure the wireless networks is very high

A need for a tool which reports: Diagnosis of security properties of nearby wireless networks Offers recommendations for security improvement Offers general recommendations about the wireless infrastructure (Bonus)

Project Definitions & Goals Getting familiar with 802.11 protocol and its security mechanisms

Determine network properties and current security status

Recommend on security improvements

Gaining programming experience in .NET 3.5 environment (C#)

Object Oriented Design

Developing a GUI

802.11 Protocol Wireless Modes:

Infrastructure Peer to Peer (Ad-Hoc)

Three types of frames: 1. Data frames 2. Control frames:

○ Request To Send○ Clear To Send○ Acknowledgment ○ Etc…

3. Management frames:○ Beacon○ Probe Request○ Probe Response○ Association Request○ Etc…

802.11 SecurityAuthentication

Joining an infrastructure unsecured network

Old standard defines two authentication mechanisms:

1. Open System

2. Shared Key Authentication (WEP)

Open System is better than Shared Key Authentication if data encryption exists

802.11 Security – cont. 802.1X Authentication (EAP-TLS for mutual authentication)

Firewalls, VPNs, OTP systems – higher layer authentication techniques

802.11 SecurityEncryption

WEP – Wired Equivalent Privacy (40/ 104 bits key) Uses static keys – statistical attacks can reveal the key rapidly Doesn’t use cryptographic integrity protection

TKIP (WPA) Solves the problems of WEP: - Uses temporal keys

- Implements message integrity check (MICHAEL)

WPA is used in two authentication methods: - WPA Pre Shared Key (WPA Personal) - 802.1X + WPA (WPA Enterprise)

CCMP (WPA2) Strongest security mechanism available today

Based on Advanced Encryption Standard (AES) as its block cipher

WPA2 is used in two authentication methods: - WPA2 Pre Shared Key (WPA2 Personal) - 802.1X + WPA2 (WPA2 Enterprise)

Modes of NIC Operation Local Mode: NIC receives only packets which are targeted to its address.

This mode doesn’t require an association with an AP.

Promiscuous Mode: Allows the user to view all wireless packets on a network to which he has been associated.

Monitor Mode (RFMON): Allows to monitor all traffic in the air, transmitted in all wireless networks.

Local Mode Local Mode: NIC receives only packets which are targeted to its address.

This mode doesn’t require an association with an AP.

Restrictions:• No MAC filtering discovery• No “trigger-packets” for hidden networks

But…Using CommView drivers for future extensions for the project(When the drivers API will be exposed)

Wireless Security Analyzer (WSA) Reflects our 802.11 security study Targeted at standard users, with basic computer

skills but without previous knowledge in security Can also be helpful for system administrators Software engineering considerations were taken

into account (GUI)

WSA Architecture Based on Managed Wi-Fi library

A .NET class library allows you to control wireless network adapters installed on your Windows machine

The library wraps the “Native Wi-Fi API”, which:• Contains functions, structures, and enumerations that support

wireless network connectivity and wireless profile management• Designed for C/C++ developers

Available since Windows Vista and Windows XP SP2 (only after applying a hotfix provided in KB article 918997)

WSA Architecture – Cont. Four classes are used to implement WSA

ConverterStatic Class

Fields

MacDictionary

Methods

BuildRateStringCompareConvertBSSTypeToStringConvertToChannelConvertToMbsCreateAuthenticationStringFormatMacGetCompanyForMACGetStringForSSIDLoadMacDictionary

NetworkClass

Fields

_authentication_channel_encryption_frequency_macAddress_networkType_rates_routerCompany_signalQuality_ssid

Properties

AuthenticationChannelEncryptionFrequencyMacAddressNetworkTypeRatesRouterCompanySignalQualitySSID

RecommenderStatic Class

Fields

MaxNetworksPerChannelNumOfChannels

Methods

CheckChannelCollisionsGetGeneralRecommendations

DSSecurity

DataSetClass

Fields

_schemaSerializationModerelationDT_Authentication_DT_EnterpriseSecurityRecommendationsrelationDT_Authentication_DT_PersonalSecurityRecommendationsrelationDT_Encryption_DT_EnterpriseSecurityRecommendationsrelationDT_Encryption_DT_PersonalSecurityRecommendationstableDT_AuthenticationtableDT_EncryptiontableDT_EnterpriseSecurityRecommendationstableDT_PersonalSecurityRecommendations

Properties

DT_AuthenticationDT_EncryptionDT_EnterpriseSecurityRecommendationsDT_PersonalSecurityRecommendationsRelationsSchemaSerializationModeTables

Methods

Nested Types

DSSecurity Dataset

Two basic tables define the authentication and encryption algorithms

Only relevant combinations are held in two dedicated tables Only one recommendation table will be used according to the user’s

input – different recommendations for different user types Easy updating

Future DevelopmentAssuming monitor mode is available in Windows:

1. MAC filtering detection

2. Discover hidden networks (by packet injection)

3. “Attack and Defense” – Disassociation/Deauthentication packets, nonstandard drivers

4. WEP/WPA-PSK cracking

Demo