White Paper
Secure Solutions

Philippe Bouvier, Thales Security Systems

WIRELESS LAN SECURITY

1. INTRODUCTION

People today work as nomads and want to be “always online, always connected”. Technology that is in line with this desire also coincides with company needs. The purpose of this White Paper is to focus on one such technology, the wireless local area network (WLAN), and its security strengths and weaknesses.

There are similarities between the explosive growth of the Internet and the rapid growth of WLAN. Like any new technology, WLAN has led to new needs and behaviours. Today WLAN is a de facto solution adopted by users around the world. However, just as security was not a top priority in the first decade of Internet use, so WLAN security has not been of utmost concern. Yet, as recent papers by security scientists make clear, some security criteria must be taken into account in order to prevent unauthorised exploitation of resources.

WLAN allows a user with a laptop and a wireless card to access a network via radio communications media. Security is a concern in two main areas. First, the user needs to be sure he is connected to the appropriate network rather than a fake one, and he wants to assure the confidentiality of the data he transmits. Second, network administrators need to configure the WLAN for which they are responsible in a way that is meant to ensure that only authorised clients have access.

However, such “native security” (included in WLAN technology) is not, in fact, secure enough. Thus the rise in popularity of WLAN has been accompanied by an equivalent increase in security concerns about the new technology.

This paper first explains how it is possible for unauthorised users to breach security measures and gain access to a company network; it then recommends security techniques that may be added to the basic ones, and notes that an alternative is to wait for new standards to be approved and followed by vendors.

It must be pointed out that, unfortunately, when it comes to security concerns, there is no absolute defence – and the stronger the defence, the stronger the attacks will tend to be.

Note: WLAN is based on a very fast growing technology. This White Paper is published in the second quarter of 2003, and may be outdated by the third quarter of 2003.

2. 802.11 WIRELESS LAN TECHNOLOGY TODAY

2.1. NEW NEEDS AND NEW THREATS

A number of standards exist in the marketplace today, and others are in development. This situation generates confusion inasmuch as vendors make technology choices that are not well understood by clients.

As the process of developing standards is not yet complete, and gaps still exist in terms of security measures, vendors interpret the standards and complement them with their own technology. Vendors are thus committed to supporting a wide range of standards. Within this jungle of standards and vendor solutions, it is hard for customers to select one product or another with a genuine understanding of the implications of their choice.

A WLAN is an extension of a wired network or standard LAN. A basic hardware installation involves connecting access points to the wired network and equipping personal computers and laptops with WLAN cards.

Because of the explosive growth of the Internet, along with the security risks involved when a corporate network is connected to the Internet, network administrators have installed firewalls to protect local networks and act as security gates. In radio communications, however, frontiers are not easy to define and to protect, as they are “virtual”.

May 2003


Solutions that can minimise risks of intrusion on a WLAN are not bullet-proof, as we will see.

Among the many reasons for a company to choose a WLAN solution are that it does not require a cable plant, it enhances mobility and it facilitates ad-hoc relationships. Within a company’s offices, people move from their desks to meeting areas, conference rooms, etc. Staying connected to voice mail, mailbox or intranet while moving around the company buildings is next to impossible with a system where staff members would always have to keep a LAN wire with them and expect a plug to be active near the place they are going to (sometimes it is necessary to ask the network administrator to activate a wall plug). Also, in old buildings or rented ones, considerable investment and time are required to cable the premises for a network.

Compared to LAN, a WLAN can be installed quickly, and furthermore it is easily removed, so the investment stays in the hands of the company. A WLAN installation can be accomplished in days rather than weeks. Once the wireless access points are attached to wired high-speed networks, nomad users can connect to the corporate network, at broadband speeds, from a conference room, the cafeteria, or even a bench outside the building. For training courses or business meetings, ad-hoc wireless connections can be made, and removed afterwards.

As far as security is concerned, WLAN standards will define some specific solutions (with robust security), but they are not yet on the market. Consequently major security problems have arisen in early WLAN installations.

Vendor marketing leads many organisations to believe that the security provided by wireless access points can cope with the risks and prevent unauthorised access and use. Some companies installing WLAN do not apply the basic security features, and thus are vulnerable to unauthorised use of their internal system.

As security test labs discover various types of vulnerability, they publish the information, so companies can become aware of the threats and risks they are exposed to. The basic areas of vulnerability are data encryption via a wired equivalent privacy (WEP) protocol; limitations and weaknesses in controlling access; and the broadcast nature of radio transmission.

WLAN is just a new way of communicating with corporate networks. The security “best practices” learnt in the past should still be applied – and a new security requirement should be added, given the absence of physical perimeter in radio broadcasting.

Security officers must constantly be alert for intruders attempting to access the corporate network and applications. Any breach of the network weakens security and thus overall network performance. The possible consequences include lower productivity, loss of confidential data and damage to company reputation.

2.2. WIRELESS LAN STANDARDS

The Institute of Electrical and Electronic Engineers is a professional association that sets standards. The IEEE 802 Standards Committee is the leader in local area network (LAN) and metropolitan area network (MAN) standards.

The committee is divided into working groups, each responsible for a specific area. The 802.11 Working Group deals with the WLAN standard. This standard, approved in 1997 as IEEE 802.11, defines three different physical layers, a media access control (MAC) function and a management function. The data rate supported is 1 and 2Mbps. Quality of service, roaming and basic security are included. The three physical layers are DSSS (direct sequence spread spectrum radio) in the 2.4GHz band, FHSS (frequency hopping spread spectrum radio) in the 2.4GHz band and IrDA (infrared data association).

The need for a higher data rate (5.5 and 11Mbps in the 2.4GHz band and 54Mbps in the 5GHz band) has led the 802.11 Working Group to organise task groups. Those concerning 802.11a, 802.11b and 802.11g, for instance, focus on air interface standards, while the 802.11i Task Group concentrates on security issues. The appendix details the standards developed by these groups.

2.3. THE RADIO DOMAIN

Wireless 802.11b networks operate in the UHF band (ultra high frequency, 328.6MHz to 2.9GHz) and more specifically in the 2.4GHz band, which is divided into 14 channels. In US and Europe the allowed bandwidth is 2.4000 to 2.4835GHz.

Channel   Frequency (GHz)
   1        2.412
   2        2.417
   3        2.422
   4        2.427
   5        2.432
   6        2.437
   7        2.442
   8        2.447
   9        2.452
  10        2.457
  11        2.462
  12        2.467
  13        2.472
  14        2.484

The United States uses channels 1 to 11 and Europe 1 to 13.


IEEE 802.11b employs DSSS to achieve 11Mbps. As the channel bandwidth for a DSSS signal is about 20MHz, the 2.4GHz band accepts up to three non-overlapping channels: 1, 6 and 11. Three access points can thus cover the same geographical zone, offering up to 33Mbps.

Depending on the country, different spectrums are allowed at 2.4GHz, so not all the channels are possible. The same kind of problems exist with the 5GHz band but the use of this band is not allowed in all countries.

The radio frequencies used are 2.4 GHz for 802.11b and 802.11g, and 5 GHz for 802.11a.
■ 802.11a supports 6, 12 and 24Mbps using OFDM modulation (orthogonal frequency division multiplexing)
■ 802.11b supports 1, 2, 5.5 and 11Mbps using CCK (complementary code keying)
■ 802.11g, still in the draft stage, will extend 802.11b to speeds up to 54Mbps; it will be backward compatible with 802.11b but will use OFDM

Because of the higher modulation frequency used, 802.11a signals die out much faster than 802.11b. As a result, a wireless network interface card will capture a lower frequency wireless signal at a longer range than a higher frequency signal.

2.4. WHAT IS WIRELESS NETWORKING?

A wireless local area network, as the name suggests, does not need wires for communication but instead uses radio technology to transmit and receive data.

A typical WLAN has two main elements: the network interface card (NIC) and the access point (AP). The NIC is the interface between the operating system and the radio domain, through an antenna. The access point, a network device, forms a network bridge between the radio domain and the wired LAN through a standard Ethernet cable. It communicates with wireless clients by means of an antenna.

One characteristic of wireless networks is that users can “roam” from one geographic area to another. Roaming is the ability to connect to multiple APs while maintaining the same authorised connection. This is possible because a wireless client can be “associated” with more than one AP and still maintain its communications with the LAN servers (Figure 2.1).

The connection of a wireless client with the LAN is simple. When a wireless client (a wireless NIC-equipped laptop) needs to connect to the LAN, it has to create a relationship with the AP: this is called the association process.

During this process the client will go through three different states:
■ Unassociated and unauthenticated
■ Unassociated and authenticated
■ Associated and authenticated

If either the association or the authentication is not performed successfully, the user cannot access the WLAN and consequently the LAN.

A basic service set (BSS) is made of wireless stations that can communicate among themselves. Depending on the objectives to be served, a 802.11 wireless network can be configured in either of two modes. The IEEE standard defines the ad-hoc mode as independent basic service set (IBSS) and the infrastructure mode as BSS with APs.

2.5. AD-HOC MODE

IBSS is designed so that each client can communicate directly with others within the network (Figure 2.2). This mode is very convenient because it is easy to set up – no network administrator is needed. No AP is necessary, nor connection to a wired network; each client has an IP address through which to communicate. This type of network is designed to be temporary. The communications are made on a peer-to-peer basis.


Figure 2.1: Wireless LAN connected to a wired Ethernet LAN and roaming

Figure 2.2: Ad-hoc network


2.6. INFRASTRUCTURE MODE

The infrastructure mode (a BSS with APs) is the most commonly used. Here the AP acts as the central node of the WLAN. Each user sends all communications to a central station. The AP is similar to an Ethernet bridge in a LAN. It relays communications from the WLAN to the LAN and vice versa.

A set of two or more BSS forming a single sub-network is called an Extended Service Set (ESS). An ESS is a group of overlapping BSS connected together via a distribution system (DS) (in Figure 2.3 the DS is the LAN).

To communicate with the AP, the client needs to be authenticated and associated. This is accomplished by an exchange of messages called management frames, in the following process: The AP transmits a beacon management frame at fixed intervals. The frame is received by all clients within range of the AP radio broadcast. A beacon management frame contains a network name, or service set identifier (SSID). Depending on the SSID, a client can choose which BSS to connect to (BSS1 or BSS2 in Figure 2.3).

If no beacon frame is broadcast, the client can send a probe request management frame to find the BSS it wants to connect to, and the AP responds with a beacon frame.

After the client has selected the AP, both parties perform a mutual authentication using management frames. If it succeeds, the client then needs to be associated, by sending an association management frame. After the client is associated and authenticated, it needs an IP address to communicate with other clients. Many APs send their clients an IP address automatically (they act as a Dynamic Host Configuration Protocol (DHCP) server). Otherwise the network administrator needs to assign the client a valid IP address, which must be configured manually.

After this, the client becomes a “peer” on the wireless network and can communicate with the LAN.

Figure 2.3: Infrastructure network

Figure 2.4 shows the main management and control frame types and layout.

The main management frame types are:
■ beacon frames: the AP broadcasts the frame regularly and frequently, announcing availability and capabilities of the BSS
■ probe request and response: the client sends a request for a WLAN, and the response is a beacon frame
■ associate request and response: the client requests to be declared in the BSS
■ disassociate (either the client or the AP)
The main control frame types are RTS (request to send), CTS (clear to send) and ACK (acknowledge).

Figure 2.4: 802.11 frame layout

2.7. NATIVE SECURITY MEASURES

To safeguard information travelling on WLANs, the 802.11 standard has defined basic methods for securing network accesses and radio communications.

2.7.1. SSID

The SSID is the first barrier against intrusion. Multiple SSIDs allow network administrators to define multiple BSS in the same geographic area. Each BSS has a unique SSID, which is stored in the APs. To connect to a BSS, the client must know its SSID (Figure 2.3).

Note that some APs can disable the beacon default broadcast functionality (a beacon frame contains the SSID).

2.7.2. MAC address filtering

To further control access to a BSS, it is possible (but not necessary) to configure the APs with a list of allowed MAC addresses. This security measure is called MAC address filtering.

Every wireless NIC has a unique MAC address based on an organisationally unique identifier (OUI) allocated to each hardware manufacturer. As this address is unique it is possible to use it in network access control.

If a client’s MAC address is not on the list, the AP will deny access.

2.7.3. WEP

The WEP protocol, which is specified for encryption and authentication between clients and APs, is mainly used to increase the confidentiality of data during transmission between a client and an AP. There are two levels of WEP authentication: the open system and the shared or secret key.

The default authentication protocol (the open system subtype) used in 802.11 is based on a null authentication process (i.e. it authenticates anyone who requests authentication). This allows any user to access the WLAN.

An alternative authentication protocol (the shared key subtype) uses a shared key authentication process, which is based on a standard challenge-response along with a shared key. The shared key (also called secret key) is distributed by an external key management service. In the authentication request management frame, the client indicates to the AP that it uses shared key authentication. The AP responds by sending the client a “nonce” (a challenge text). The client copies the nonce into a new management frame and encrypts it with WEP, using the shared key. The AP then decrypts the frame and verifies that the challenge text matches, in which case the authentication is successful (Figure 2.5). WEP is a symmetric algorithm (i.e. the same key is used for encryption and decryption). The standard only defines a 64-bit key (including initial vector or IV) but almost all vendors offer up to 128 bits (including IV).

Authentication may be used between two clients in an IBSS. In a shared key system, only clients configured with a secret key can be authenticated by the APs.

WEP provides an encrypted channel for communications between the AP and the client. The encryption algorithm used is Ron’s Code 4 Pseudo Random Number Generator (RC4 PRNG), from RSA Data Security, Inc. The algorithm is based on a key (a sequence number) of 64 bits (defined by 802.11b) or 128 bits (defined by vendors). This key must be shared by the client and the AP.

In WEP encryption, the shared key (40 or 104 bits long) is added to an IV (which changes periodically and is 24 bits long). The RC4 PRNG generates a pseudo-random key for the stream. To prevent data modification, an integrity check algorithm called CRC-32 operates on the plain text and produces an integrity check value (ICV). The cipher text is obtained by an XOR operation, which is a mathematical operation between the key stream and the concatenation of the plain text and the ICV. The 802.11 data frame is the concatenation of the IV and the cyphered text. The receiver follows the same algorithm in reverse to retrieve the original plain text.

Figure 2.5: Shared key authentication process

Figure 2.6: WEP encryption mechanism


WLAN bad practices:
■ keeping the default AP configuration
■ enabling broadcast of SSID
■ keeping the vendor SSID
■ disabling WEP
■ using null authentication
■ broadcasting to a public area
■ using only APs to connect the WLAN to the intranet

3. KNOWN WEAKNESSES IN 802.11 WLAN

Many organisations have deployed wireless infrastructure based on the IEEE 802.11 standard, and in the process a number of weaknesses have come to light. The sections below describe the main weaknesses discovered so far.

3.1. SIGNAL INTERFERENCE

Multiple methods of interference could break up the radio signals and render the WLAN traffic null:
■ a microwave transmitter broadcasting a (bad) signal on the same frequency as the WLAN
■ a Bluetooth device located a few metres from an AP
■ certain cordless phones operating in the 2.4GHz band
■ a jammer targeting channels 5, 6 and 7 (which can cause the maximum of interference)

The 2.4GHz band is widely used and considered shared, unlike the 5GHz band.

3.2. WLANS ARE EASY TO IDENTIFY

Anyone with a wireless-equipped laptop can walk or drive through a town and wait to receive an 802.11 radio signal. When a signal is received, it means a WLAN is accessible and potentially vulnerable.

Since the radio environment has no physical frontiers, the radio signal can go far beyond the walls of the office, particularly if the antenna is not well positioned or the radio power too strong.

Another potential problem is that, while employees may enjoy working on their laptops outside the building, this practice can permit unauthorised people to access the network from the streets nearby.

In addition, natural repeaters (e.g. nearby antennas or windows containing iron) can extend the radio signal beyond the desired geographic area.

Furthermore, unlike in a LAN, where the physical layer and the communication layer of a network are typically protected by a cable (for example a category 6 shielded twisted pair, Cat 6 STP), in a WLAN the latter layer is exposed.

3.3. SSIDS ARE EASY TO FIND

A wireless laptop equipped with software readily available over the Internet can allow a user to capture the SSID. Such software can also tell if WEP is being used.

If WEP is not enabled, the intruder need only configure its WNIC with the captured SSID to be associated with the AP and to communicate with the servers in the LAN.

Related types of vulnerability include the following:
■ SSIDs are broadcast in clear by the APs and the clients via beacon frames. It is easy to add a new client to the WLAN when WEP is not enabled.
■ APs are configured by default to broadcast the SSID. It is possible to configure the SSID without broadcasting, but this would only slow down an intruder, who can send a probe request to the AP and get the SSID anyway.
■ SSIDs are stored in clear in staff members’ wireless laptops. If a laptop is stolen or accessed by a would-be intruder, it is easy to locate and read the SSID.
■ Some companies retain the default SSID used by the manufacturer. A database of default SSIDs can be easily found on the Internet.
■ SSIDs must be manually configured on all clients.
■ The beacon frame can be read in clear: there is no possible encryption of signals.

3.4. WIRELESS MAC ADDRESSES ARE EASY TO FORGE

Wireless MAC addresses can be changed at will and duplicated by any client. Wireless cards permit the changing of the WMAC address via easily available software. Moreover, WMAC addresses are easily “sniffed out” because they appear in clear in all 802.11 frames, even when WEP is enabled.

As a result, a would-be intruder can easily determine the WMAC addresses used in the WLAN by eavesdropping, then change its internal WNIC MAC address to a valid address that is not filtered by the AP.

WMAC address filtering requires the company to obtain the hardware addresses of all clients and to maintain this list on all its APs. But in wide distribution of wireless laptops, it is difficult for a company to enter all clients’ MAC addresses in all APs. Consequently this feature is limited to small WLANs.

Figure 3.1: Outside radio propagation

3.5. LACK OF AUTHENTICATION FOR MANAGEMENT AND CONTROL FRAMES

No authentication is needed to send or receive management and control frames, nor is their content encrypted. As a result, information leakage is possible. Unencrypted WLAN sessions are subject to eavesdropping and hijacking, regardless of how the session is authenticated.

The very objective of management frames (beacon, probe request/response, association request/response, reassociation request/response, disassociation, deauthentication), which is to control link characteristics and physical medium properties, increases the likelihood of an outsider getting control of APs or clients and carrying out such malicious actions as eavesdropping, spoofing, denial of service, flooding or client enumeration.

Note that IEEE 802.1X pre-authentication enables authentication and key derivation prior to an exchange of management frames.

3.6. LACK OF MUTUAL AUTHENTICATION

Some implementations that predate the standards do not support mutual authentication. In such cases, there is no way for a client to know whether an AP can be trusted (or vice versa).

Note that some methods using the extensible authentication protocol (EAP) allow for mutual authentication.

3.7. VULNERABILITIES WITH WEP

WEP was originally designed to combine access control, link privacy and message integrity for WLANs. Unfortunately, the result is much less secure than intended and many flaws have been exposed.

WEP-RC4 weaknesses can be classified into two major categories: key size and weak initialisation vectors (IVs). In August 2001, Scott Fluhrer, Itsik Mantin and Adi Shamir demonstrated the weakness of the RC4-WEP cypher via a passive attack exploiting a defect in the key scheduling algorithm of RC4 to obtain the key stream (or network key). The WEP implementations use RC4 IV improperly in the following ways:
■ Some PC cards reset IVs after each initialization, in which case the IV goes up by one.
■ The space taken by the IV is too small for WLAN use (possible number combinations range from 0000 to 2^24).

As a consequence there is a high chance that an IV, and therefore the key stream, can be reused. This situation can lead to basic cryptanalytic attacks against the cipher and the decryption of data. In such cases, anyone with a wireless laptop could gain access to a WLAN within a few hours or even at times within a few minutes.

The theoretical calculation is this: a wireless client that sends 1500 bytes at 11Mbps (the effective data rate is 6Mbps) will use all the IV keys in (2^24 * 1500 * 8) / (6 * 10^6) = 35554 seconds, or about 9 hours. The time will be less if the packets are shorter than 1500 bytes. With the birthday (anniversary) assumption, there is a 50% chance of the key being reused after 4823 packets, 99% after 12430 packets (10 and 25 seconds, respectively, at 11Mbps). In practice, a key is usually reused in less than an hour (clients are not always sending data so the malicious user has to wait longer).
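Evaluating the IV-exhaustion and birthday estimates above, as an added Python example that is not part of the paper: the frame size, effective rate and 24-bit IV space are the paper's inputs, and the birthday approximation n = sqrt(2N ln(1/(1-p))) is the standard formula assumed here for the quoted packet counts.

```python
"""Worked evaluation of the IV-reuse timing estimates in section 3.7.

Added example (not from the paper): it evaluates the paper's own inputs
so a reader can reproduce the figures quoted in the text.
"""
import math

IV_BITS = 24                       # WEP IV length in bits
IV_SPACE = 2 ** IV_BITS            # 16,777,216 possible IVs
FRAME_BYTES = 1500                 # frame size assumed by the paper
EFFECTIVE_BPS = 6 * 10 ** 6        # effective data rate at 11Mbps (paper's figure)


def iv_exhaustion_seconds(frame_bytes=FRAME_BYTES, bps=EFFECTIVE_BPS,
                          iv_space=IV_SPACE):
    """Seconds until a client sending back-to-back frames of `frame_bytes`
    has used every IV once: (2^24 * frame_bytes * 8) / bps.

    With the paper's inputs the expression evaluates to 33554 s, which is
    the 'about 9 hours' in the text.
    """
    return iv_space * frame_bytes * 8 / bps


def birthday_packets(probability, iv_space=IV_SPACE):
    """Number of frames after which at least one IV repeats with the given
    probability, using the birthday-paradox approximation
    p = 1 - exp(-n^2 / (2N))  =>  n = sqrt(2N ln(1 / (1 - p))).

    For N = 2^24 this gives about 4823 frames at 50% and 12431 at 99%
    (the paper quotes 4823 and 12430).
    """
    if not 0 < probability < 1:
        raise ValueError("probability must be strictly between 0 and 1")
    return math.sqrt(2 * iv_space * math.log(1 / (1 - probability)))


def packets_to_seconds(packets, frame_bytes=FRAME_BYTES, bps=EFFECTIVE_BPS):
    """Air time for `packets` frames of `frame_bytes` at `bps`."""
    return packets * frame_bytes * 8 / bps


def reuse_summary():
    """Gather the section 3.7 figures in one dictionary."""
    n50 = birthday_packets(0.5)
    n99 = birthday_packets(0.99)
    return {
        "exhaustion_hours": iv_exhaustion_seconds() / 3600,
        "packets_50pct": round(n50),
        "packets_99pct": round(n99),
        "seconds_50pct": packets_to_seconds(n50),
        "seconds_99pct": packets_to_seconds(n99),
    }


if __name__ == "__main__":
    for name, value in reuse_summary().items():
        print(f"{name}: {value:.1f}")
```

Shorter frames or a lower effective rate can be passed in to see how quickly the exhaustion time drops, which is the paper's point about packets below 1500 bytes.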

Another possibility is that an eavesdropper captures two cyphered 802.11 data frames encrypted with the same key stream, from which it is possible to obtain the XOR of the two plain texts. The calculation is:

C1 = P1 XOR RC4(shared key, IV)
C2 = P2 XOR RC4(shared key, IV)
C1 XOR C2 = P1 XOR P2

If the first plain text, P1, is known or predictable, P2 is too.

When an intruder knows the data before it is sent (P), and captures the encrypted data (C), it is easy to XOR the two data sets to produce the key stream:

RC4(shared key, IV) = P XOR C

Other WEP vulnerabilities:
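The WEP mechanism of section 2.7.3 and the key-stream reuse equations above, as an added Python example that is not code from the paper: RC4 and CRC-32 are the genuine algorithms, the shared key, IV and frame contents are constructed sample values, and the little-endian ICV byte order and the omitted key-ID byte are this example's own framing assumptions.

```python
"""WEP encapsulation (section 2.7.3) and key-stream reuse (section 3.7).

Added example, not code from the paper. RC4 and CRC-32 are the genuine
algorithms; key, IV and frame contents are constructed sample values.
"""
import struct
import zlib
from typing import Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 key stream for `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                     # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Build a WEP frame body: IV || ((plaintext || ICV) XOR key stream).

    The per-frame RC4 key is the 24-bit IV prepended to the 40- or 104-bit
    shared key; the ICV is CRC-32 over the plaintext. Packing the ICV
    little-endian and omitting the key-ID byte are choices of this example.
    """
    if len(iv) != 3:
        raise ValueError("WEP IV must be 24 bits")
    if len(shared_key) not in (5, 13):
        raise ValueError("WEP shared key must be 40 or 104 bits")
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    body = plaintext + icv
    return iv + xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decapsulate(shared_key: bytes, frame: bytes) -> bytes:
    """Reverse wep_encapsulate; raise ValueError when the ICV does not match."""
    iv, body = frame[:3], frame[3:]
    clear = xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))
    plaintext, icv = clear[:-4], clear[-4:]
    if struct.unpack("<I", icv)[0] != (zlib.crc32(plaintext) & 0xFFFFFFFF):
        raise ValueError("ICV mismatch")
    return plaintext


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """What a passive listener learns from two frames carrying the same IV.

    Returns C1 XOR C2, which equals P1 XOR P2 because the identical key
    stream cancels out; returns None when the IVs differ.
    """
    if frame1[:3] != frame2[:3]:
        return None
    return xor_bytes(frame1[3:], frame2[3:])


def keystream_from_known_plaintext(frame: bytes, plaintext: bytes) -> bytes:
    """RC4(shared key, IV) = P XOR C: the key stream for this frame's IV,
    obtained from a frame whose plaintext is known, without the shared key."""
    return xor_bytes(frame[3:3 + len(plaintext)], plaintext)


# Constructed sample values, not real network data.
SHARED_KEY = bytes.fromhex("0badc0ffee")         # 40-bit shared key
IV = bytes.fromhex("0a0b0c")                     # deliberately reused IV
P1 = b"GET /intranet/status HTTP/1.0\r\n"
P2 = b"GET /intranet/payroll HTTP/1.0\r\n"


def demo() -> bool:
    """Round-trip both frames and confirm the reuse leak; True if all holds."""
    c1 = wep_encapsulate(SHARED_KEY, IV, P1)
    c2 = wep_encapsulate(SHARED_KEY, IV, P2)
    round_trip_ok = (wep_decapsulate(SHARED_KEY, c1) == P1
                     and wep_decapsulate(SHARED_KEY, c2) == P2)
    leak = keystream_reuse_leak(c1, c2)
    n = min(len(P1), len(P2))
    leak_ok = leak is not None and leak[:n] == xor_bytes(P1, P2)
    ks_ok = (keystream_from_known_plaintext(c1, P1)
             == rc4_keystream(IV + SHARED_KEY, len(P1)))
    return round_trip_ok and leak_ok and ks_ok


if __name__ == "__main__":
    print("WEP round trip and IV-reuse leak verified:", demo())
```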

■ Sometimes WEP keys are stored in clear in the AP, the NIC RAM, the Windows registry or a file.

■ WEP keys must be manually entered for all clients – a difficult management task. The tendency, especially on larger networks, is to change keys as seldom as possible and avoid processing other key operations, such as revocation, distribution and rotation. Best practice, however, is to change keys regularly as an extra measure of security.

■ WEP lacks support for per-packet integrity protection.
■ Because WEP has so many imperfections, many companies do not even turn it on!

A shared secret key can be recovered with easily available utilities, thus exposing the network to unauthorised use. Though the current version of WEP is crackable, WEP should be used: it will thwart would-be hackers (passers-by, script kiddies) to the point where they will look for easier targets.


3.8. NO AUTOMATIC SECRET KEY MANAGEMENT

The shared keys are usually the same for all users and the APs. Best practice is for each user to have his own secret key, and have it changed regularly, but in the WLAN context this is difficult for a company.

The administrators should follow a secured key management process:
■ Create secret keys.
■ Define their lifetime.
■ Distribute them among wireless users (one key per person).
■ Archive them.
■ Monitor the activity of the owner of each key.
■ Revoke any compromised key.

As there is no automatic key management process in WLAN, the problem grows in proportion with the number of users. It is difficult or impossible to store in each AP all activated secret keys.

3.9. ICV WEAKNESS

The integrity check value is useless for detecting alteration of frames.

3.10. AP WEAKNESSES

AP equipment is shipped with encryption disabled. Many characteristics of APs need to be taken into account, including:
■ the way the IP stack is implemented (implicated in denial of service)
■ the different sizes of state tables (in cases of flooding)
■ various sanity checks on frames/packets (fringe frames/packets)
■ the protocols supported (e.g. SNMP, telnet, HTTP, ICMP)
■ undocumented “back doors” left for maintenance or management
■ natural implementation vulnerabilities

3.11. ACCIDENTAL ASSOCIATIONS

In a more or less densely populated district, many WLANs can exist in the same geographic area. Accidental association may take place when an employee of one company associates his or her computer to another company’s WLAN. This is more likely to happen when default AP installation has been carried out or when rogue, unsecured APs have been installed.

Accidental association can even link two companies’networks together through an end-user station, bypassingall internal security and controls.

3.12. AD-HOC NETWORKS

In ad-hoc mode, each member of the network accepts any new member. It is not possible for security officers to ensure that only authorised users are connected to an ad-hoc network. Any authorised user can transfer private corporate documents to unauthorised users without going through the corporate network. In addition, the only authentication available is the weak WEP-based one.

3.13. ROGUE WLANS

Rogue APs are those connected to a LAN without any permission from the network administrator. They are usually placed by employees looking for more freedom to move about. Because WLAN is so convenient, some users in companies that lack wireless access may decide to install their own illicit APs. When, as is usual, the rogue AP is improperly secured, using default configurations, the entire corporate LAN is effectively opened to the public. Employees who set up rogue WLANs usually do so without understanding the overall security risks. Hence the importance of security awareness programmes for all employees.

Rogue APs can also be installed by outsiders, would-be hackers/crackers seeking access to the internal network whenever it suits them.

4. WLAN HACKING TECHNIQUES

Getting inside a LAN via its WLAN access is not a one-step procedure. The intruder will need several techniques to bypass all the security protection measures. The following sections show in more detail how the types of vulnerability described above can be exploited by an outsider in a WLAN environment. The attacks range from simple to very difficult, and some are impossible to detect. The better you know the attacks, the better you can defend your system against them.

4.1. SURVEILLANCE

The most basic method is surveillance. The objective is simply to locate evidence of wireless activity. No specific hardware is used; the potential attacker just observes the environment.

Evidence of wireless network use includes antennas, APs and network cables on walls, ceilings and shelves, in hallways, on roofs or at windows, etc., and nomadic users with personal digital assistants (PDAs) or laptops switched on. After carrying out such reconnaissance, the would-be intruder can identify a place from which to operate discreetly later with a laptop equipped for wireless attacks.

Another surveillance method is to use a handheld computing device or PDA. As such devices have grown in popularity, more wireless network auditing and management applications have been developed for them. Someone looking to break into a network can do surveillance, and sometimes more, with these tiny but powerful computers, which are easy to hide.

4.2. PASSIVE LISTENING

Many passive attacks are based on eavesdropping. “Sniffing tools” are used to search for (“sniff out”) WLANs. This simple process can be carried out with any of several free tools downloadable from the Internet.

4.2.1. Traffic analysis

It is very easy to listen to radio signals, and 802.11 WLAN frames are easy to capture. The analysis is straightforward with tools available from the Internet. The information thus gained can help a hacker/cracker understand what the WLAN is for and how it is used and configured.

4.2.2. Getting SSIDs

Getting an SSID is easy, since under 802.11 a client can always obtain one. The only measure that can be taken on an AP is to stop advertising the SSID in its beacons (by default, beacon frames carrying the SSID are broadcast roughly every 100 milliseconds). Even then, as noted earlier, a client can send a probe request to the AP and the probe response will contain the SSID.

Another technique is to use “brute force” to find the SSID with an SSID dictionary attack, i.e. sending the AP probe requests with many candidate SSIDs until one turns out to be correct (in 802.11 FHSS, for example).

It is also possible to force an SSID into the open by sending a deauthentication frame to the broadcast address, then listening for and reading the SSID contained in the ensuing client probe requests or AP probe responses as the clients reconnect.

4.2.3. WEP cracking

Tools available on the Internet can crack WEP in a few minutes when the per-packet RC4 key is only 64 bits long (40-bit shared key plus 24-bit IV). Once the shared key is revealed the hacker can configure his or her NIC as needed.

Another method, drawn from cryptanalysis, is to trick the victim into sending an e-mail (or any other known plaintext) over the WLAN; the encrypted version of that plaintext then appears on the air, and XORing the two yields the RC4 keystream for that IV, which can be reused to decrypt or forge frames under the same IV.
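The two WEP defects discussed in sections 3.9 and 4.2.3, worked through as an added example (this is not code from the paper or from any WEP implementation): the ICV is CRC-32, which is affine, so an attacker who cannot decrypt a frame can still flip chosen plaintext bits and patch the encrypted ICV; and the RC4 keystream for a given (IV, key) pair never changes, so one known plaintext under an IV hands over that IV's keystream and lets the attacker forge any frame of the same length under it. The frame layout is the WEP one, IV || RC4(data || ICV); the key-id byte and the 802.11 header are left out, and the key, IV and messages are constructed.

```python
"""Added example (not from the paper): WEP bit flipping via the linear ICV
(section 3.9) and keystream reuse from a known plaintext (section 4.2.3).
Frame layout: IV (3 bytes) || RC4_{IV||key}(data || CRC-32(data)).
"""
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """`length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Per-packet RC4 key is IV || shared key (64-bit WEP: 24 + 40 bits)."""
    assert len(iv) == 3 and len(key) in (5, 13)
    body = data + icv(data)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (data, icv_ok); a real receiver drops the frame when icv_ok is False."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    data, tag = body[:-4], body[-4:]
    return data, tag == icv(data)


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attacker, no key: XOR `delta` into the data and patch the encrypted ICV.
    CRC-32 is affine, crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros of len(m)), so
    XORing crc(d) ^ crc(zeros) into the encrypted ICV keeps it valid."""
    n = len(frame) - 3 - 4
    assert len(delta) == n
    icv_delta = xor(icv(delta), icv(bytes(n)))
    return frame[:3] + xor(frame[3:], delta + icv_delta)


def recover_keystream(frame: bytes, known_data: bytes) -> bytes:
    """Attacker: a known plaintext (e.g. the e-mail the victim was tricked into
    sending) XORed with its ciphertext is the keystream for that IV."""
    return xor(frame[3:], known_data + icv(known_data))


def forge_frame(iv: bytes, keystream: bytes, data: bytes) -> bytes:
    """Attacker: reuse a recovered keystream (same IV) to encrypt chosen data."""
    body = data + icv(data)
    assert len(body) <= len(keystream)
    return iv + xor(body, keystream[:len(body)])


def wep_demo() -> dict:
    key = b"\x01\x02\x03\x04\x05"          # 40-bit shared key (constructed)
    iv = b"\xaa\xbb\xcc"                   # constructed IV
    original = b"GET /admin HTTP/1.0"
    frame = wep_encrypt(key, iv, original)
    # 1. bit flipping (section 3.9): turn "admin" into "guest" without the key
    flipped = flip_bits(frame, xor(original, b"GET /guest HTTP/1.0"))
    flipped_data, flipped_ok = wep_decrypt(key, flipped)
    # 2. keystream reuse (section 4.2.3): known plaintext, then a forged frame
    ks = recover_keystream(frame, original)
    forged_data, forged_ok = wep_decrypt(key, forge_frame(iv, ks, b"PUT /evil  HTTP/1.0"))
    return {"flipped": flipped_data, "flipped_ok": flipped_ok,
            "forged": forged_data, "forged_ok": forged_ok}
```

Both forged frames pass the receiver's ICV check, which is the whole point: only a keyed integrity check (TKIP's Michael, or CCMP's CBC-MAC) and per-frame keys close these holes.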

4.2.4. War driving and war footing

In a “war driving” attack, the would-be intruder searches for WLANs while driving a car, in an effort to detect and map unsecured WLAN systems. This is possible in cities and towns around the world. This technique, popular since 2001, can be complemented with a global positioning system (GPS) to record where each network was found.

“War footing” (also called war walking) is the same method used while walking through the streets. The hacker needs to be equipped with a wireless-enabled laptop or notebook. A variation is the “parking lot” attack, where the hacker sits in an organisation’s parking lot and accesses hosts in the internal network.

“War chalking” is a related technique: not an active attack but the marking of a special symbol on a sidewalk, building, etc., indicating the proximity of a WLAN.

4.2.5. Unauthorised repeaters

Hackers can take advantage of natural radio repeaters (see section 3.2), or of objects added to serve as repeaters, with the intention of extending the WLAN radio signal to a location where they can operate without being disturbed.

With the same objective, an intruder can install a rogue WLAN on a company network to enable reception of LAN data from outside the building. The result is a wide-open entry point to the network. A rogue WLAN effectively extends an Ethernet connection to anyone inside or outside the building.

4.3. AP COUNTERFEITING

When a wireless client moves from one location to another, the WNIC associates with the AP offering the strongest signal. In some situations a counterfeit AP can therefore attract a wireless client and extract some of its wireless configuration.

With open source software commonly available from the Internet, a hacker can transform a laptop into a fake AP, known as a “soft AP”. The laptop can then impersonate an authorised AP. Clients that mistake the soft AP for an authorised one will try to connect to it, and, since the fake AP is a fully programmable computer, the client can then be attacked and taken over.

4.4. MAN IN THE MIDDLE ATTACK

The concept of the man in the middle attack is not new to WLAN. In a wireless environment, the idea is to insert the attacker into the communications between a victim and an AP.

To do so, the attacker can either insert an attack machine between the victim and an AP in such a way that the communications go through it, or insert data frames into the data frame flow between the victim and an AP.

To insert an attack machine, the attacker first deauthenticates the victim by sending him or her deauthentication frames using the AP’s MAC address as the source. The victim’s 802.11 card will then scan the channels in search of an AP, and will associate with the AP simulated by the attack machine as a soft AP. Next the attacker’s machine associates with the real AP, and can now act as an invisible bridge between the two.

4.5. DENIAL OF SERVICE

Denial of service (DoS) attacks prevent the proper use of functions or services. They come in a seemingly unlimited number of varieties. Some of the key types are discussed here.

4.5.1. Jamming the airwaves

Jamming or flooding the airwaves in the 2.4 GHz band (roughly 2.4 to 2.5 GHz) causes WLAN signals to collide and forces stations to keep disconnecting from the APs.

The result is that neither clients nor APs can receive an uncorrupted signal, causing them either to hold their transmissions until the interference has stopped or to resend the frames over and over.

4.5.2. Management frames DoS

The lack of authentication of management frames makes many types of DoS possible. For instance, the attacker can impersonate the AP by using its MAC address, then send deauthentication frames either to the broadcast address or to a specific client. If this is repeated periodically the client will never manage to stay associated with the AP.

Another possibility is to send the AP many authentication frames with different source MAC addresses. The AP allocates memory to store each new connection, and at a certain point it will have to deny access to new clients.

Such attacks shut down the wireless network in a way similar to that of DoS attacks on wired networks.

4.5.3. Physical access

APs are usually located in places where people are. Physically manipulating an AP (cutting the power, destroying the antenna, etc.) can slow traffic or make the AP unavailable to users.

4.6. LAN ATTACKS

Since APs are connected to a wired network, they have TCP/IP services (such as HTTP and telnet) and management protocols (such as ICMP and SNMP) activated for configuration and management purposes. The security problem arises when only weak user authentication, or none at all, is required to reach the configuration interface (a safeguard that can be forgotten in the implementation).

From the internal network (the LAN), it is possible to connect to the APs’ services if the network segmentation is insufficient. All types of attack are then possible: DoS against the IP stack or against clients, reconfiguration (including adding or deleting AP services), etc.

4.7. MAC ADDRESS SPOOFING

Each element connected to a LAN has a MAC address, a unique identifier assigned by the hardware manufacturer. For this reason MAC addresses are used as a layer 2 (communications layer) network identification factor in the access control procedure.

MAC address spoofing is a type of attack involving alteration of the manufacturer-assigned MAC address. This is possible on nearly all wireless NICs, given the vendor-supplied drivers, open-source drivers and various application programming frameworks available.

There can be many objectives in such an attack, but two key ones are:
■ Obfuscating network presence: the attacker wants to hide his or her connection on the WLAN by changing the MAC address regularly. For each different attack a new MAC address can be configured. This technique can be used, for example, to evade network intrusion detection systems (NIDS) during a DoS attack.
■ Bypassing access control lists (ACLs) activated in APs: the attacker can passively monitor the network and identify MAC addresses that are authorised to communicate over the WLAN, then change his or her MAC address to one of them and pass through the AP’s filter.

4.8. CLIENT TO CLIENT ATTACK

A laptop with a wireless NIC enabled and running in ad-hoc (peer) mode sends out probe request frames in an attempt to find another client with the same SSID. An attacker who answers can then exploit any operating system vulnerability exposed by the victim, gaining administrative privilege on the victim laptop. If the victim is also connected to the LAN, the attacker can go on to take control of internal LAN resources.

4.9. EAP ATTACKS

Partly because of the heavy competition among vendors, but particularly because of market objectives, some pre-standard EAP implementations have weaknesses that can be exploited in certain types of attacks.

Several kinds of DoS attack exploit the absence of EAP frame authentication, including:
■ Sending spoofed EAPOL-Logoff frames: this attack, using the MAC address of an authenticated client, logs that client off the AP. Since EAPOL-Logoff frames are not authenticated, the sender can impersonate any authorised connected user.
■ Flooding with EAPOL-Start frames: an AP whose resources are excessively or entirely allocated to EAPOL-Start conversations will no longer accept new requests from clients.
■ Sending spoofed EAP Failure packets: the receiver interprets these as a rejected authentication and drops its session, which amounts to a DoS.
■ Sending premature EAP Success packets: some weak implementations allow the WLAN interface to be brought up before the mutual authentication has finished. An attacker can thus send premature EAP Success packets, leading to DoS.

Depending on the EAP method used, the user identity can be read via network sniffing and the password recovered through a dictionary or brute force attack; EAP MD5 and LEAP, for example, send the identity in clear and expose a challenge/response pair that can be attacked offline. Stronger EAP methods, such as EAP TLS, SRP, TTLS and PEAP, should be used.

The EAP identifier is a single byte (0 to 255). It must be unique among the conversations the AP has outstanding so that each response can be matched to its request. In some implementations, if the identifier space is entirely allocated because of flooding, the AP can no longer accept new requests from clients.

An insufficient integrity check on received EAP packets can cause the receiver to malfunction and lead to DoS.

4.10. AIRBORNE VIRUSES

As 802.11 is a new communication layer, viral software will also use this medium to spread. Within a LAN, anti-virus software is typically installed on the servers, reducing the need to install it on every end-user device. With an ad-hoc network, however, people from outside the company can join the IBSS and send a virus. At the next connection to the LAN or WLAN, the victim may contaminate the LAN. All wireless devices (laptops, PDAs, etc.) should therefore have up-to-date anti-virus software installed.

5. WLAN SECURITY SOLUTIONS

In the area of security, “solutions” are best practices that help minimise risks. Though they do not get rid of all risks, they force a would-be intruder to raise the level of the attack.

5.1. ANTENNA RADIATION ZONE

An antenna is an extension of a radio transmitter or receiver. As a signal is generated, it is passed from the radio to the antenna to be sent out over the air, received by another antenna and passed on to the other radio. The signal’s frequency is measured in hertz (Hz).

Three key concepts about antenna technology are:
■ Direction: the signal can be omnidirectional (360-degree) or directional (limited angle).
■ Gain (measured in dBi or dBd): as antenna gain rises, the beam width falls.
■ Polarisation, or the physical orientation of the elements on the antenna.

Changing the direction of the radio signal, as well as the AP transmit power, improves control of the radio broadcast perimeter. The signal range can be controlled by changing the physical antenna to alter the shape of the radiation pattern. More directional antennas also reduce signal leakage.

Some AP vendors offer an option of completely turning off the signal on either the right or the left antenna, which is a convenient way to restrict unneeded signals and control the range of the WLAN.

The maximum power of APs varies by country, depending on local regulations.

The site geography influences the type of antennas used (Figure 5.1).

The nature of radio waves makes it easier to produce directional antennas at 5 GHz than at 2.4 GHz: the higher the frequency, the more tightly the radiation zone can be controlled.

Note that a hacker using a high-gain directional antenna can pick up signals from farther away than estimated, so the perimeter should not be assumed to end where the site survey says the signal fades.

5.2. NETWORK SEGMENTATION

To secure a network it is important to define zones out-side of which no element can communicate with elementsinside the zone without prior authorisation. This not onlyhelps keep non-authorised resources from communicatingwith secured resources, but can also help in detecting non-authorised activity.

Figure 5.1: Antenna shape and power

5.2.1. WLAN Demilitarised Zone (DMZ)

Because the WLAN’s geographic perimeter is often a public place, where both authorised and non-authorised users are located, the WLAN should be considered, from the intranet’s point of view, as unsecured as the Internet. Thus it needs to be segmented and protected as a “demilitarised zone.”

The DMZ should be protected by a firewall or a net-work access control gateway (router). All the APs areconnected to a wired network, so a network intrusiondetection system (NIDS) should be installed to detectattacks based on TCP/IP (Internet protocol). A wirelessIDS (WIDS) can be added to detect attacks based on the802.11 protocol.

In another segment, depending on how users areauthenticated, authentication and accounting servers canbe installed.

The accounting server can be used for billable services,for instance in hot spots.

5.2.2. WLAN honeynet

A WLAN honeynet is a WLAN made of APs connected together on their own LAN segment that carries no production traffic. As no legitimate activity should reach the wired part of the honeynet, any activity is treated as an alert and is automatically detected by the NIDS. The incident response team can then analyse the activity and locate its source.

5.2.3. Wireless client protection

Wireless clients should have personal firewalls and anti-virus software installed to protect them directly against external attacks. If they use a virtual private network (VPN) over the WLAN, additional hardware may be added (such as a WNIC including both dedicated VPN hardware and an IP stack separate from the operating system’s).

5.3. NETWORK ACCESS CONTROL

MAC address filtering, SSIDs and WEP are the basic access control methods used for a WLAN; none of them authenticates the user. New access control solutions have been emerging to deal with these major security weaknesses.

5.3.1. Port based network authentication

The port based authentication protocol was approved in June 2001 as the IEEE 802.1X standard. It was originally designed for all IEEE 802 networks (layer 2 authentication) and has been extended to 802.11 WLAN. It enables authentication and key management for IEEE 802 LANs, including Ethernet, token ring and fibre distributed data interface. One job of IEEE 802.11 Task Group I is to define how 802.1X and 802.11 machines are to communicate. The objective of this standard in WLAN is to derive authentication and encryption keys for use with any cipher, and to manage those keys.

IEEE 802.1X is based on EAP as the authentication fra-mework. Authentication methods include one-time pass-words, smart cards, tokens and certificate-based authenti-cation. RADIUS servers that support EAP are often used asauthentication servers, since open standards for authenti-cation, authorisation and accounting (including RADIUSand LDAP) combine well with IEEE 802.1X. EAP messagesare encapsulated in 802.1X messages and are referred toas EAP Over LAN (EAPOL).

802.1X defines three roles in the authentication process:
■ supplicant: a wireless device that, once authenticated, can send IP data to the LAN
■ authenticator: an AP that keeps a port status for each supplicant it controls
■ authentication server: often a RADIUS-based server, though this is not specifically required

EAP is standardised for use within the point-to-point protocol (RFC 2284), wired IEEE 802 networks (IEEE 802.1X) and virtual private networks (L2TP/IPsec and PIC). It offers a method allowing wireless workstations to derive an encryption key from the authentication exchange. EAP acts as an authentication framework for several authentication types, including user name/password, smart cards, Kerberos, public key, one-time password and biometrics. It allows many authentication methods to be implemented, such as:
■ EAP MS-CHAP
■ EAP TTLS (Tunnelled TLS)
■ EAP GSS
■ EAP SRP
■ EAP TLS (RFC 2716)
■ EAP MD5
■ Protected EAP (PEAP)
■ Lightweight EAP (Cisco LEAP)
■ EAP SIM (use of SIM card)

Figure 5.2: WLAN DMZ
Figure 5.3: WLAN honeynet
Figure 5.4: IEEE 802.1X EAP

EAP consists of a series of request/response pairs. An exchange starts with an EAP Identity Request sent by the AP to the client and ends with an EAP Success or EAP Failure message, also sent by the AP.
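The exchange just described, and the EAPOL abuses of section 4.9, as an added example (not code from the paper, from 802.1X or from any AP vendor): a toy authenticator carries out EAPOL-Start, Request/Identity, Response/Identity and Success/Failure (the EAP method itself is skipped), then an EAPOL-Start flood exhausts the 8-bit EAP identifier space in the weak, globally-allocated variant and a spoofed EAPOL-Logoff knocks an authenticated client off without any credential. Framing follows IEEE 802.1X and RFC 2284; the `users` table stands in for the RADIUS server and every MAC address and identity is constructed.

```python
"""Added example (not from the paper): toy 802.1X authenticator showing the
EAP exchange of section 5.3.1 and two EAPOL abuses from section 4.9.
EAPOL header: version(1) type(1) length(2). EAP: code(1) id(1) length(2) [type(1) data].
"""
import struct
from typing import Dict, Optional, Set

EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eapol(ptype: int, body: bytes = b"") -> bytes:
    """EAPOL frame: protocol version 1, packet type, body length, body."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body


def eap(code: int, ident: int, etype: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP packet; Request/Response carry a type and type-data, Success/Failure do not."""
    payload = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eapol(frame: bytes):
    _ver, ptype, length = struct.unpack("!BBH", frame[:4])
    return ptype, frame[4:4 + length]


def parse_eap(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    etype = pkt[4] if length > 4 else None
    return code, ident, etype, pkt[5:length]


class Authenticator:
    """AP-side authenticator. With global_ids=True, identifiers come from one
    8-bit pool shared by all ports and are held until a response arrives: the
    weak behaviour section 4.9 describes. With global_ids=False each port
    (client MAC) has its own identifier, so a flood only costs the flooder."""
    def __init__(self, users: Dict[str, bool], global_ids: bool):
        self.users, self.global_ids = users, global_ids
        self.pending: Dict[str, int] = {}      # port -> identifier awaiting a response
        self.authorized: Set[str] = set()
        self.next_id = 0

    def _alloc_id(self, port: str) -> Optional[int]:
        if not self.global_ids:
            return (self.pending.get(port, -1) + 1) % 256
        if len(self.pending) >= 256:
            return None                        # pool exhausted: new clients are refused
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        return ident

    def receive(self, port: str, frame: bytes) -> Optional[bytes]:
        """Handle one EAPOL frame from `port`; return the frame sent back, if any."""
        ptype, body = parse_eapol(frame)
        if ptype == EAPOL_LOGOFF:
            # Not authenticated: anyone who spoofs the MAC can do this (section 4.9).
            self.authorized.discard(port)
            self.pending.pop(port, None)
            return None
        if ptype == EAPOL_START:
            ident = self._alloc_id(port)
            if ident is None:
                return None
            self.pending[port] = ident
            return eapol(EAPOL_EAP, eap(EAP_REQUEST, ident, EAP_TYPE_IDENTITY))
        if ptype == EAPOL_EAP:
            code, ident, etype, data = parse_eap(body)
            if code != EAP_RESPONSE or etype != EAP_TYPE_IDENTITY or self.pending.get(port) != ident:
                return None                    # unsolicited or stale identifier: ignore
            del self.pending[port]
            # A real deployment runs an EAP method (TLS, TTLS, PEAP...) here.
            ok = self.users.get(data.decode(errors="replace"), False)
            if ok:
                self.authorized.add(port)
            return eapol(EAPOL_EAP, eap(EAP_SUCCESS if ok else EAP_FAILURE, ident))
        return None


def login(auth: Authenticator, port: str, identity: str) -> bool:
    """Supplicant side of the normal exchange; True when EAP Success comes back."""
    reply = auth.receive(port, eapol(EAPOL_START))
    if reply is None:
        return False
    ident = parse_eap(parse_eapol(reply)[1])[1]
    response = eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode())
    reply = auth.receive(port, eapol(EAPOL_EAP, response))
    return reply is not None and parse_eap(parse_eapol(reply)[1])[0] == EAP_SUCCESS


def start_flood(auth: Authenticator, count: int) -> None:
    """Attacker: EAPOL-Start from `count` spoofed MACs, never answering the request."""
    for i in range(count):
        auth.receive(f"02:00:00:00:{i >> 8:02x}:{i & 0xFF:02x}", eapol(EAPOL_START))


def eapol_demo(global_ids: bool) -> dict:
    auth = Authenticator({"alice": True, "mallory": False}, global_ids)
    alice = "00:02:2d:11:22:33"                # constructed client MAC
    before = login(auth, alice, "alice")
    start_flood(auth, 300)
    after_flood = login(auth, "00:02:2d:44:55:66", "alice")
    auth.receive(alice, eapol(EAPOL_LOGOFF))   # spoofed logoff using alice's MAC
    return {"before": before, "after_flood": after_flood,
            "alice_still_authorized": alice in auth.authorized,
            "bad_user_rejected": not login(auth, "00:02:2d:77:88:99", "mallory")}
```

`eapol_demo(True)` shows the flood locking out a legitimate client once 256 conversations are outstanding; `eapol_demo(False)` shows per-port identifiers surviving the same flood. The spoofed logoff succeeds in both variants, which is why the page lists EAPOL-Logoff spoofing as a weakness that only authenticated management and control frames can remove.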

Advantages of 802.1X/EAP authentication are that it:
■ provides user authentication/accounting
■ provides keying material for encryption (with EAP methods that derive keys)
■ protects the infrastructure
■ results in light network traffic, as there is no per-packet overhead, only periodic authentication transactions
■ allows secured application-level protocols, such as VPN, SSL and SSH, to be used on top

Disadvantages of 802.1X/EAP authentication include the following:
■ It is an evolving standard.
■ It requires specific client software.
■ At the moment, proprietary network equipment is required.
■ Investment in new authentication infrastructure is necessary.
■ EAP was designed for PPP, and was never meant to take wireless threat models into account.
■ As originally specified it is one-way authentication: supplicants and authenticators should not send data traffic until an EAP method providing mutual authentication has completed.
■ It does not offer authentication of management frames.
■ Traffic can be intercepted.
■ Various types of attack, including hijacking and man in the middle, are possible.
■ Authentication after association presents roaming problems because of the time needed, during which data transmission can be disrupted.
■ If the RADIUS server fails, the WLAN becomes unavailable.

Figure 5.5: 802.1X/EAP authentication process

5.3.2. Remote Access Dial In User Service (RADIUS)

RADIUS is a common authentication, authorisation and accounting protocol; that is, it authenticates remote connections made to a system, authorises the use of network resources, and logs for accountability purposes. It can be used in VPNs and WLANs, as it can control all aspects of a user connection.

Its success is due to its simplicity: it is efficient and easy to implement. RADIUS runs over the user datagram protocol (UDP), with reliability left to the client’s retransmission timers rather than to the transport, so accounting records (RFC 2866) can be lost, particularly when roaming from one AP to another, where substantial packet loss can take place. Authentication (RFC 2865) and authorisation are less affected, since an unanswered Access-Request is simply retried.

In terms of security, RFC 2869 (RADIUS/EAP) requires all messages involved in an EAP conversation to include authentication and integrity protection via the Message-Authenticator attribute. To increase the level of security it is possible to go beyond RADIUS’s own application-layer protection and run RADIUS over IPsec (RFC 3162).

5.3.3. Virtual Private Network (VPN)

A VPN extends the secured internal network out to remote users. As the communication layer cannot be trusted in the basic implementation of 802.11, a VPN provides user authentication, network access control and encryption by creating a secure virtual “tunnel” from the end-user’s computer through the WLAN and the AP, all the way to the company VPN gateway. After the VPN gateway, the data (IP packets) are decrypted and continue in clear to the internal servers and systems.

The main disadvantage is that a VPN architecture requires specific software installed on all clients, dedicated VPN gateway hardware at high traffic rates (because it funnels all traffic through the gateway) and an authentication server. In addition VPNs are not suited to roaming: the connection is lost whenever the client’s IP address changes.

Besides VPNs, other types of solution, e.g. the SSL (Secure Socket Layer) protocol or the SSH (Secure Shell) application, encrypt data and can protect the communication against eavesdropping.

5.3.4. Temporal Key Integrity Protocol (TKIP)

The discovery of the WEP-RC4 key recovery vulnerability resulted in a major effort to develop a method of changing the RC4 key often enough that an attacker has little chance of collecting enough data to work it out. TKIP is the current solution to this problem.

This protocol is still RC4-based because it needs to be backwards compatible with deployed WEP hardware. Its strength is that no RC4 key is used for more than one frame: a 48-bit per-packet sequence counter is mixed with the temporal key and the transmitter address to derive each frame’s key, and the temporal key itself is rotated periodically through the 802.1X key management (early descriptions put the rotation at every 10,000 packets or 10 Kb, depending on the source).

In the current WEP version, the IV is simply prepended to the shared key and sent in clear in the 802.11 frame; with TKIP the IV (the sequence counter) is still transmitted, but it passes through the key mixing function rather than being concatenated directly with the key, which removes the weak-key relationship that WEP key recovery exploits, and a counter that goes backwards is rejected as a replay.

In addition, TKIP is based on a stronger method of verifying the integrity of the data: a keyed message integrity check (MIC) called “Michael.”

5.3.5. CCMP-AES

In the forthcoming 802.11i standard, WEP-RC4 is to be replaced by the Advanced Encryption Standard (AES) as the cipher for all wireless traffic. AES is the Rijndael block cipher; it supports 128-bit, 192-bit and 256-bit keys, of which CCMP uses the 128-bit variant. AES is used in CCM mode (counter mode with CBC-MAC), which provides confidentiality and integrity from a single key.

TKIP and the CCM protocol use the same key management, and their implementation requires an authentication server for dynamic key change.

5.3.6. Wireless PKI

Public key infrastructure (PKI) provides the framework that allows a company to deploy security services based on encryption. With PKI, administrators can create the identities (and the associated trust) that the company needs for identification and authentication processes, and can manage the public/private key-based encryption. PKI is a system of digital certificates, certification authorities and registration authorities.

Figure 5.6: WEP, TKIP and CCMP key characteristics

WLANs may evolve to integrate PKI types of accessgateways that allow selective access requiring special cre-dentials. This type of access depends on granting a digitalcertificate to a user when he or she requests networkaccess. Such a certificate will allow the user to access cer-tain network resources. Wireless PKI access control can besupported by EAP.

5.4. WLAN ANOMALY DETECTION AND INTRUSION PREVENTION

Any solution aimed at detecting rogue WLANs must beable to detect APs in the vicinity of the company (to pre-vent accidental association) as well as all APs of the com-pany network. Moreover, the solution must assure detec-tion of soft APs as well as any ad-hoc network betweenauthorised hosts of the company network.

Anomaly detection and intrusion prevention in WLAN ismuch like that in LAN but must take into account additio-nal challenges, such as locating traffic capture stations (tocapture 802.11 traffic, the sensor must be in the geogra-phic area of the WLAN being monitored) and identifyinganomalous traffic (analysing 802.11 frames).

5.4.1. Wireless scanners and sniffers

Wireless scanners and wireless sniffers allow monitors to capture and analyse WLAN packets from the air. They also provide information on WLAN configuration as well as the type of security in use. It takes administrators with a high degree of skill in the 802.11 standard to analyse captured data correctly in terms of threats and risks for the company network.

An administrator auditing network security has to walk outside the company buildings with a laptop equipped with a scanner or sniffer. For this reason such applications are of limited use, since the geographic area covered by the AP radio signal may not be completely surveyed. In addition, some commercial products of this kind are expensive.

Consequently, even though scanner and sniffer applications can identify WLAN vulnerabilities, they are not considered very effective on their own. Furthermore, new threats and rogue APs can crop up between audits, so that the company network is once again open to attack. This poses risks that are unacceptable for large companies, though smaller ones may be willing to accept the risk to a certain degree and so rely on scanner and sniffer applications, assuming they have access to experts who can interpret the results of the audits.

In a large network, audits based on wireless scanners and sniffers are neither scalable nor repeatable, so daily security monitoring cannot be based on these techniques. They can be used for network or security troubleshooting, intrusion forensics and occasional security audits, however, as long as it is borne in mind that they may not be exhaustive and that such audits are time consuming if the physical area is large.

5.4.2. WLAN monitoring

Wireless intrusion detection consists of finding any unauthorised wireless clients or rogue APs. To a certain degree, it means identifying/locating intruders and recognising the type of attack taking place (e.g. DoS, man in the middle). Rogue APs and ad-hoc networks can appear anywhere on the overall network.

Isolated WLAN sniffers may not be very efficient at detecting real-time intrusions or anomalies on the corporate network. Hence a complete WLAN monitoring solution should include:
■ a centralised server managing the WLAN sniffers
■ a radio frequency survey to place the WLAN sniffers
■ remote sensors (24-7 monitoring sniffers with a coverage area of about 300 metres around the premises)
■ a secure connection between the sensors and the central server

The solution should constantly monitor all activity on the WLAN, report any anomaly or possibly malicious activity (with customised alarms signalling the type/degree of intrusion or damage severity) and be integrated with the corporate network administration utility.

After business hours, all the APs can be turned off (by software); any ensuing wireless activity (especially from rogue APs) is suspicious and easy to locate.

5.4.3. Physical security

Physical monitoring, such as video cameras around the buildings, and physical security measures (e.g. guards and barriers) should also be put in place.

Physical access to locations where APs are installed should be restricted so as to guard against physical damage or the plugging in of unauthorised equipment to local connections. Only a limited number of authorised personnel should have access to the APs.

5.4.4. Detecting anomalous MAC addresses

One way to detect anomalous MAC addresses is to use the IEEE’s list of official OUI prefix allocations. There are more than 6,000 of these, and each is a unique identifier assigned to a manufacturer. If a source MAC address on the network does not match any of the prefixes allocated by the IEEE, this may indicate an anomalous MAC address and perhaps malicious activity. If the company has bought its WLAN NIC cards from a single hardware manufacturer, it should be easy to detect any other type.

5.4.5. Geographic localisation and tracking

WLAN intrusion detection should not stop at the detection of rogue APs and unauthorised clients, but should continue with localisation and tracking of the attacker.

A typical method for pinpointing a radio signal source is to locate the intruder’s transmitter using directional techniques. The principle is to scan an area looking for the strongest signal, repeat the process from a different spot, and again, then triangulate to determine the position of the transmitter. It is necessary to take into consideration geography, atmosphere, reflections, temperature, etc., as these bias the localisation estimate.

Another method is based on the relative signal strength measured at various positions in the vicinity, plus the free-space propagation losses and the power of the intruder’s transmitter, if known. Because of the information required, this method is used much less than triangulation.

Even if bias exists, bear in mind that, owing to the characteristics of the 802.11 standard, the transmitter will generally be within 300 metres of the target buildings.
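The signal-strength method just described, worked through as an added example (not code from the paper or from any WIDS product): the distance from each of three fixed sensors is estimated from the received power with the free-space path-loss model, and the three circles are intersected to give a position. The sensor layout, transmitter EIRP, channel and readings are constructed, and the model assumes line of sight; the `noise_db` argument lets you see how a few dB of error from reflections or obstacles shift the estimate, which is the bias the text warns about.

```python
"""Added example (not from the paper): locating an intruder's transmitter from
received signal strength at three fixed sensors (section 5.4.5, second method).
Free-space path loss (Friis) gives distance; three circles give a position.
"""
import math

FREQ_MHZ = 2437.0   # 802.11b/g channel 6 (assumption for the example)


def fspl_db(distance_m: float, freq_mhz: float = FREQ_MHZ) -> float:
    """Free-space path loss in dB, distance in metres, frequency in MHz."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def rssi_dbm(distance_m: float, tx_eirp_dbm: float, rx_gain_dbi: float = 0.0,
             freq_mhz: float = FREQ_MHZ) -> float:
    """Forward model: power (dBm) a sensor sees from a transmitter at distance_m."""
    return tx_eirp_dbm + rx_gain_dbi - fspl_db(distance_m, freq_mhz)


def distance_from_rssi(rssi: float, tx_eirp_dbm: float, rx_gain_dbi: float = 0.0,
                       freq_mhz: float = FREQ_MHZ) -> float:
    """Invert the model: distance in metres given the measured power."""
    loss_db = tx_eirp_dbm + rx_gain_dbi - rssi
    return 10 ** ((loss_db + 27.55 - 20 * math.log10(freq_mhz)) / 20)


def trilaterate(sensors, distances):
    """Solve (x-xi)^2 + (y-yi)^2 = di^2 for three sensors. Subtracting the first
    equation from the other two removes the quadratic terms and leaves a 2x2
    linear system, solved here by Cramer's rule."""
    (x1, y1), (x2, y2), (x3, y3) = sensors
    d1, d2, d3 = distances
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = (x2 ** 2 - x1 ** 2) + (y2 ** 2 - y1 ** 2) - d2 ** 2 + d1 ** 2
    b2 = (x3 ** 2 - x1 ** 2) + (y3 ** 2 - y1 ** 2) - d3 ** 2 + d1 ** 2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear: the position is ambiguous")
    return (b1 * a22 - a12 * b2) / det, (a11 * b2 - a21 * b1) / det


def locate(sensors, readings_dbm, tx_eirp_dbm, rx_gain_dbi=0.0):
    """Sensor positions (m) and their RSSI readings -> estimated (x, y)."""
    dists = [distance_from_rssi(r, tx_eirp_dbm, rx_gain_dbi) for r in readings_dbm]
    return trilaterate(sensors, dists)


def localisation_demo(noise_db: float = 0.0):
    """Constructed scene: three sensors around the site, intruder at (40, 25) m,
    20 dBm (100 mW) EIRP. noise_db is added with alternating sign to each
    reading to show how a few dB of measurement error move the estimate."""
    sensors = [(0.0, 0.0), (100.0, 0.0), (0.0, 80.0)]
    intruder, eirp = (40.0, 25.0), 20.0
    readings = [rssi_dbm(math.dist(s, intruder), eirp) + noise_db * (-1) ** i
                for i, s in enumerate(sensors)]
    return locate(sensors, readings, eirp)
```

`localisation_demo()` returns the exact position; `localisation_demo(2.0)` shows how much a 2 dB error moves it. In practice several readings per sensor are averaged, the transmitter power is usually unknown and has to be bounded by the local regulatory limit, and the estimate is cross-checked with the directional bearings of the first method.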

5.4.6. Layer 2 analysisExperience with analysis of IP, TCP and UDP has led to

a realisation that 802.11 frames are susceptible to packetforgery or manipulation – that is, some bytes or bits can bechanged, and the consequence analysed.

Some hacking tools, largely available from the Internet,are not powerful enough to control all the firmware func-tionality of wireless cards. As a result they cannot alter allthe bytes of a 802.11 frame, or neglect to do so.

For example, when an 802.11 frame is segmented, thesequence number is constant and the fragment number isincreased for each segmented packet. When there is nofragmentation, the sequence number is an incrementalnumber starting at zero modulo 4096. Therefore, to detectan attack (MAC address spoofing, for example), it is pos-sible to analyse the sequence numbers, without relying onthe MAC address.

Because some hacking tools use always the same typeof packets (pre-compiled field), the tools have a signaturethat can be identified. This information can be stored inintrusion detection tools capable of sending an alert.

In part of the 802.11 frames, some fields can be used in WLAN attack prevention or detection. These include:
■ sequence numbers, used in 802.11 frame fragmentation
■ control types and subtypes, some of which are reserved for future use or are used but undocumented by vendors
■ destination MAC addresses, because in a network discovery scan the destination MAC address is always “FF:FF:FF:FF:FF:FF” (for broadcast)
■ SSID, because in a probe request frame the SSID is set to a value of “0x00”
■ MAC addresses, which, because they are based on public OUIs, are unique

Other fields exist, such as the data payload, the LLC protocol type and the LLC protocol ID. Default values are defined by the standard, but they are not always implemented correctly on either the transmission or receiving end. Bad implementation implies a risk of evasion or insertion of packets in the traffic and a risk of not being detected by an IDS.
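The sequence-number check and the field signatures listed above, as an added detection example (not code from the white paper or from any of the tools in Appendix 6): a small parser for the 802.11 MAC header and the tagged SSID element, and a monitor that tracks the sequence and fragment counters per transmitter and flags a broadcast probe request carrying an empty SSID. The frames are constructed in the block, the MAC addresses are placeholders, and the MAX_SEQ_GAP threshold is an assumed tuning value.

```python
"""Layer-2 checks over 802.11 frames using the fields the text singles out:
sequence/fragment numbers, frame type and subtype, broadcast destination and
the empty SSID of a wildcard probe request.  Added illustration; the frames
are constructed here, not captured, and MAX_SEQ_GAP is an assumed tuning value."""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
SEQ_MODULO = 4096            # the sequence number is a 12-bit counter
MAX_SEQ_GAP = 64             # assumed: larger forward jumps are treated as suspicious
TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_PROBE_REQ = 4
IE_SSID = 0


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def parse_header(frame):
    """Split the 24-byte 802.11 MAC header (three-address form) into fields."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "retry": bool(fc & 0x0800),
        "addr1": mac_str(frame[4:10]),     # receiver / destination
        "addr2": mac_str(frame[10:16]),    # transmitter / source
        "addr3": mac_str(frame[16:22]),    # BSSID in infrastructure traffic
        "frag": seq_ctl & 0xF,             # low 4 bits: fragment number
        "seq": seq_ctl >> 4,               # high 12 bits: sequence number
        "body": frame[24:],
    }


def parse_ies(body):
    """Yield (element id, value) pairs from a management frame body."""
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break                           # truncated element: stop, do not guess
        yield eid, value
        i += 2 + length


def build_frame(fc_byte, addr1, addr2, addr3, seq, frag=0, body=b"", retry=False):
    """Assemble a frame for the demo; the trailing 4-byte FCS is omitted."""
    fc = fc_byte | (0x0800 if retry else 0)
    header = struct.pack("<HH", fc, 0) + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
    return header + struct.pack("<H", (seq << 4) | frag) + body


class Layer2Monitor:
    def __init__(self):
        self.last = {}       # transmitter MAC -> (seq, frag) of its previous frame
        self.alerts = []

    def feed(self, frame):
        h = parse_header(frame)
        src = h["addr2"]
        # Discovery signature: probe request to the broadcast address with an empty SSID.
        if h["type"] == TYPE_MGMT and h["subtype"] == SUBTYPE_PROBE_REQ and h["addr1"] == BROADCAST:
            ssid = next((v for eid, v in parse_ies(h["body"]) if eid == IE_SSID), None)
            if ssid == b"":
                self.alerts.append(("wildcard-probe", src))
        # Sequence continuity per transmitter, independent of the MAC address claimed.
        prev = self.last.get(src)
        if prev is not None:
            prev_seq, prev_frag = prev
            if h["frag"] > 0:
                # Fragments keep the sequence number and step the fragment number by one.
                if h["seq"] != prev_seq or h["frag"] != prev_frag + 1:
                    self.alerts.append(("fragment-anomaly", src, h["seq"], h["frag"]))
            else:
                gap = (h["seq"] - prev_seq) % SEQ_MODULO
                if gap == 0 and not h["retry"]:
                    self.alerts.append(("duplicate-seq", src, h["seq"]))   # replayed frame?
                elif gap > MAX_SEQ_GAP:
                    # Two radios sharing one MAC address interleave two independent counters.
                    self.alerts.append(("seq-anomaly", src, prev_seq, h["seq"]))
        self.last[src] = (h["seq"], h["frag"])
        return h


def demo():
    """Constructed traffic: a station's normal frames, then a second radio
    claiming the same (placeholder) MAC address."""
    sta, ap = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
    frames = [
        build_frame(0x40, BROADCAST, sta, BROADCAST, 10, body=b"\x00\x00"),  # wildcard probe
        build_frame(0x08, ap, sta, ap, 11, body=b"data"),
        build_frame(0x08, ap, sta, ap, 12, body=b"data"),
        build_frame(0x08, ap, sta, ap, 12, body=b"data", retry=True),        # retransmission, fine
        build_frame(0x08, ap, sta, ap, 13, frag=0, body=b"part0"),
        build_frame(0x08, ap, sta, ap, 13, frag=1, body=b"part1"),           # fragment, fine
        build_frame(0x08, ap, sta, ap, 2000, body=b"data"),                  # impostor's counter
        build_frame(0x08, ap, sta, ap, 14, body=b"data"),                    # real station resumes
    ]
    mon = Layer2Monitor()
    for f in frames:
        mon.feed(f)
    return mon.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The demo yields one wildcard-probe alert and two sequence anomalies (13 to 2000, then 2000 back to 14); the retransmission and the fragment pair pass, which is the point of keying on the retry bit and the fragment number rather than on the sequence number alone. A real sensor would feed captured frames from a monitor-mode interface into `feed()`.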

5.5. WLAN SECURITY CONTROL MANAGEMENT

5.5.1. Security policies and awareness

The role of a security policy, which is based on risk analysis, is to define the security rules that the company must follow. Security policies should be completed with:
■ security standards: definitions of how hardware and software products are to be used
■ security procedures: definitions of how to follow the security policies
■ security baselines: definitions of the minimum level of security necessary throughout an organisation
■ security guidelines: recommendations of actions and operating procedures for users

For example, in a company that has decided not to deploy a WLAN, the security policy must include a ban against employee-installed networks and procedures for enforcing the ban. A WLAN security policy can define the procedures to follow when installing, securing and using a laptop or PDA in a wireless environment: for instance, users must properly log out every time they disconnect; in public places users must be alert for unauthorised or curious people watching over their shoulder or trying to steal the wireless equipment; stolen or lost WLAN equipment must be reported immediately to the security officer and network manager.

Even a well-defined WLAN security policy needs to be monitored to ensure that it is properly implemented and that all employees follow it.

The users must be aware of the risks associated with WLAN, and agree to the WLAN security policy. The security officer should institute a security awareness programme for employees that includes WLAN risks and best practices.

WIRELESS LAN SECURITY

• 17May 2003 •

5.5.2. External technical audits

Once a year the company should ask external auditors to evaluate the WLAN and analyse the configurations of all corporate WLAN elements. The results should be compared with the requirements defined in the security policy.

Audits ensure that all components of a WLAN are secure and are being used in accordance with enterprise-specific policies.

A lot of open source software is available from the Internet (see Appendix 6) and can be used for WLAN technical audits. An intruder can use the same tools to get into a LAN via the WLAN.

5.5.3. Penetration testing

To test the robustness of WLAN security, a specialised company can be hired to do penetration testing. The purpose of penetration testing is to assess the risk of an intruder being able to get into a company’s internal computer system through the WLAN. The test is usually carried out without prior notification. Penetration testing consists of three main phases:

1. The first phase determines the extent of the area in which radio signals from the APs can be picked up. Using wireless-equipped laptops, this phase is carried out in a radius of about 300 metres from the company’s offices. The goal is to identify the geographic boundaries of the WLAN, which determine the location from which the actual penetration testing will take place.

2. The objective of the next phase is to find a way to access the WLAN. The testers try a number of WNICs (802.11, 802.11a and 802.11b) by different manufacturers and use intrusive utilities that can penetrate the network by allowing eavesdropping on the WLAN, decrypt data if necessary and enable discovery of the authentication procedure (logins and passwords), so that the “attacker” can connect to the company network by masquerading as an authorised user.

3. The last phase is to identify the WLAN and LAN topology. From the illicit entry point obtained in phase 2, the testing team attempts to map the topology of the network being examined, using scanning and network mapping utilities. The aim is to determine the characteristics and roles of each part of the system, i.e. to figure out the topology of the whole network from the target elements that can be identified from the entry point.

5.5.4. Vulnerability assessment

The objective of scanning to assess network vulnerability is similar to that of the early phase of penetration testing: to discover areas of vulnerability and potential threats such as weak WLAN configuration, rogue APs and unauthorised ad-hoc networks. Vulnerability assessment goes no further than that, however, and thus poses less risk to the network than a full penetration test.

5.5.5. Wired-side network administration tools

Popular LAN or “wired-side network” administration tools use ICMP and SNMP polling to identify IP devices attached to the network and their key characteristics, such as IP and MAC addresses. Network scanners use TCP and UDP fingerprints to identify various types of open services.

Usually such tools memorise the results and ring an alarm each time a new element is discovered or disappears. The results can help identify both rogue and authorised APs and wireless clients.

Depending on the segmentation of the network, however, this solution can be difficult to implement. Furthermore, a rogue AP is not likely to have SNMP enabled, and an SNMP poll or a network scan against an authorised station operating as a soft AP would not detect WLAN activity. Nor would SNMP polling detect accidental associations or ad-hoc networking.

6. 802.11 WLAN IN THE FUTURE

As of the first quarter of 2003, standard 802.11 security is unsatisfactory. Security objectives are not met, implementations vary from one vendor to another and standards are not all defined.

Future solutions must address all these problems. Otherwise new attack tools will be developed to exploit remaining weaknesses such as replay, weak keys, IV collisions and management frame forgery.

6.1. WECA: THE WI-FI ALLIANCE

The Wireless Ethernet Compatibility Alliance (WECA), formed in 1999, is a nonprofit international association of leading wireless equipment and software providers. Its mission is to certify interoperability of WLAN products based on IEEE 802.11 specifications.

The WECA term Wi-Fi® stands for “wireless fidelity”. Wi-Fi certification assures tested and proven interoperability among types of wireless computer equipment.

Wi-Fi CERTIFIED™ products support a maximum data rate of 11 Mbps (802.11b).


Figure 6.1: Wi-Fi logo


6.2. WI-FI PROTECTED ACCESS

Wireless equipment and software providers, seeking to bring to market an immediate solution to Wi-Fi security problems, have decided to deploy what is stable in 802.11i, but ahead of IEEE ratification.

Thus, in the first half of 2003, Wi-Fi Alliance vendors are to begin shipping a new standards-based solution called Wi-Fi Protected Access (WPA). Its main security features are:
■ data encryption based on TKIP using RC4 WEP
■ user authentication based on 802.1X EAP
■ message integrity based on Michael

Once the 802.11i standard is approved, WPA products are supposed to be compatible.

6.3. IEEE 802.11I: ENHANCED SECURITY NETWORKING

The 802.11i standard proposes long-term security solutions for 802.11 WLAN. The full implementation of 802.11i, known as WPA2, will upgrade the fundamental 802.11 WLAN encryption algorithm from TKIP/WEP to an AES-based approach. The main security features are:
■ data encryption based on TKIP using RC4
■ message integrity based on Michael
■ encryption/message integrity based on AES-CCMP
■ user authentication based on 802.1X EAP
■ roaming/pre-authentication
■ ad-hoc networking

The processing requirements of AES mean that some Wi-Fi/WPA elements will require hardware upgrades.

Products that are 802.11i compliant (WPA2 certified) are expected to be available in the first quarter of 2004.
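Michael, named in both the WPA and the 802.11i feature lists above as the message integrity mechanism, as an added implementation for illustration; this is not Wi-Fi Alliance, IEEE or vendor code. It follows the public definition: a 64-bit key split into two 32-bit words, a four-step block function applied once per 32-bit word of the message, and padding with 0x5a followed by zero bytes. In TKIP the MIC input is the destination and source addresses, the priority and the MSDU payload; the key and message used here are constructed.

```python
"""Michael message integrity code, as used by WPA/TKIP.  Added illustration,
not vendor or standards-body code; key and message below are constructed."""
import struct

MASK32 = 0xFFFFFFFF


def rol32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def ror32(v, n):
    return ((v >> n) | (v << (32 - n))) & MASK32


def xswap(v):
    """Swap the two bytes inside each 16-bit half of a 32-bit word."""
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)


def michael_block(l, r):
    """One round of the Michael block function over the (l, r) state."""
    r ^= rol32(l, 17)
    l = (l + r) & MASK32
    r ^= xswap(l)
    l = (l + r) & MASK32
    r ^= rol32(l, 3)
    l = (l + r) & MASK32
    r ^= ror32(l, 2)
    l = (l + r) & MASK32
    return l, r


def michael_pad(msg):
    """Append 0x5a and then 4 to 7 zero bytes so the length is a multiple of 4."""
    padded = msg + b"\x5a" + b"\x00" * 4
    return padded + b"\x00" * (-len(padded) % 4)


def michael(key, msg):
    """8-byte MIC of msg under an 8-byte key; words are little-endian."""
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l, r = struct.unpack("<II", key)
    for (word,) in struct.iter_unpack("<I", michael_pad(msg)):
        l ^= word
        l, r = michael_block(l, r)
    return struct.pack("<II", l, r)


# Published Michael test vector: all-zero key and empty message -> 82925c1ca1d130b8.
KNOWN_ANSWER = bytes.fromhex("82925c1ca1d130b8")


def demo():
    """Constructed key and MSDU; flipping one bit of the MSDU changes the MIC."""
    key = bytes(range(8))          # constructed, not a real TKIP-derived MIC key
    msdu = b"DA|SA|priority|payload of a constructed 802.11 MSDU"
    tampered = bytes([msdu[0] ^ 0x01]) + msdu[1:]
    return michael(key, msdu), michael(key, tampered)


if __name__ == "__main__":
    print("known answer ok:", michael(bytes(8), b"") == KNOWN_ANSWER)
    good, bad = demo()
    print("original MIC:", good.hex(), " tampered MIC:", bad.hex())
```

The all-zero key with an empty message reproduces the published test vector, which is the check to run before trusting any MIC implementation. Michael was designed to fit the processing budget of existing WEP hardware and gives only a short MIC, which is why TKIP pairs it with countermeasures when MIC failures are detected; the AES-CCMP listed for 802.11i replaces it.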

7. CONCLUSION

Recent demonstrations of multiple vulnerabilities make it clear that robust security solutions are required. Many tools exist to test the level of security of WLAN. Wireless networks are more susceptible to active attacks than wired networks. Though first implementations and standards in WLAN have been identified as unsecured, WPA provides an interim solution to the WEP problem and 802.11i will provide long-term support for secured legacy wireless infrastructure.

Adopters of early implementations must strengthen the infrastructure to secure their wireless networks. Late adopters may wait for secure solutions (such as WPA and 802.11i) to evolve before deploying WLANs.

Observations related to security design and security implementations indicate that companies are seeking more trustable WLAN components. They expect more secured out-of-the-box configurations, better multi-vendor interoperability, a long-term secured 802.11 standard, etc. If security problems are solved, they will then consider new services based on quality and billable services.

To stimulate the market, WPA certification should be delivered as soon as possible, followed by WPA2, hopefully with no need to change hardware. It is also to be hoped that no major weaknesses are discovered in WPA or WPA2; so far the outlook is good, vendors say.

Figure 6.2: Wi-Fi security, 1997-2004


WLAN best practices

If you already have a WLAN:
■ Disable broadcast of SSIDs.
■ Define private SSIDs.
■ Enable WEP 128 bits.
■ Change the shared key regularly.
■ Use MAC address filtering.
■ Where possible, use
- VPN
- client firewall
- strong mutual authentication (AP and client)
- restricted radiation zone
- network segmentation and intrusion protection
- TKIP and AES.

If you plan to have a WLAN:
■ Wait for WPA or IEEE 802.11i.

8. EXECUTIVE SUMMARY

Wireless local area networks (WLANs) make the concept of complete mobility a reality, providing new opportunities and challenges. WLAN has proved to be the next major evolution of technology for business. Its rise in popularity has been accompanied by an increase in security concerns. WLAN security, however, is also evolving. Because native security does not prevent attacks, additional security best practices should be followed. These include:
■ assessing the risks before deployment
■ listing and testing the latest wireless technologies and standards
■ evaluating security features and designing a secured network topology
■ defining administration and monitoring procedures
■ planning deployment thoroughly

With proper care, it is possible to design and implement a WLAN that is at least as secure as an equivalent wired network.

Thales Security Systems helps companies manage WLAN projects to maximise their return on investment and minimise security risks.

In a WLAN project, Thales Security Systems offers multiple services in the following areas:
■ consulting
- WLAN architecture design
- penetration testing
- technical and organisational audits
- risk analysis
- security policy
- R&D assistance
- WLAN project management
- security awareness
■ integration
- hot spot package installation
- WLAN deployment
- product reselling
■ managed services
- WLAN monitoring
- incident response team


APPENDIX 1: GLOSSARY (Definitions of terms used in the context of the white paper)

Term | Definition
Access control | Process of controlling use of system resources
Access point | Entity connecting a wireless client (qv) to the LAN. An AP is equivalent to a hub in a wired environment. It can be a hardware device or a software application running on a computer.
Ad-hoc mode | Client configuration that provides peer-to-peer connection. An ad-hoc mode network is an IBSS.
Ad-hoc network | Network composed of wireless entities communicating with each other using no AP
Association | Process of mapping a wireless client to an AP and enabling the client to invoke DS services
Authentication | Process of proving the identity of a station
Basic service set | Set of 802.11-compliant stations controlled by one coordination function. A BSS is composed of wireless stations that can communicate with each other.
Client | Any 802.11-compliant entity connected to the WLAN and requesting services
Cyclical redundancy check | Error detection function telling the NIC whether data have been received with or without error. If an error exists the data are discarded; if not they are forwarded to upper levels.
Deauthentication | Process of closing an existing authentication relationship
Direct sequence spread spectrum | One of the three technologies defined in the 802.11 standard. DSSS uses a radio transmitter to spread data packets over a fixed range of the frequency band.
Disassociation | Process of closing an existing association
Distribution system | Connection between BSSs. In an infrastructure mode WLAN, the DS is often the LAN.
Extended service set | Set of two or more BSSs forming a single subnetwork. Note that each BSS in the ESS has the same SSID.
Frequency hopping spread spectrum | One of the three technologies defined in the 802.11 standard. FHSS takes the data signal and modulates it with a carrier signal that hops from frequency to frequency, as a function of time, over a wide band of frequencies. Not used in 802.11a, b and g.
Independent basic service set network | A BSS with no DS; an ad-hoc network in which communications are peer-to-peer
Industrial, scientific and medical bands | Radio frequency bands that the US Federal Communications Commission authorised for wireless LANs. The ISM bands are at 902MHz, 2400MHz and 5.7GHz.
Infrastructure mode | A client setting providing connectivity to an AP
Infrastructure network | A BSS with one or more APs
Internet protocol | Protocol by which data are sent from one computer to another on a LAN. In a WLAN, data are sent with the 802.11 protocol. When the 802.11 frame contains data, they are probably IP data. IP is encapsulated in the 802.11 protocol.
Key | A password or pass-phrase used to cypher clear text or decypher encrypted text
Local area network | Communications network offering services for local clients
MAC address | Address unique to a WNIC, based on an OUI allocated to each hardware manufacturer.
Media access control | Radio controller protocol in a WNIC. IEEE 802.11 defines the MAC protocols for media sharing, packet formats and addressing and error detection.
Peer-to-peer | Referring to communications among independent stations
Roaming | Ability to connect to multiple APs while maintaining a single authorised connection. Roaming occurs in infrastructure networks built around multiple access points.
Rogue AP | AP connected to a LAN without permission from network administrator(s)
Service set identifier | Station network identifier that must be associated to a BSS (either an ESS or an IBSS). Each BSS has a unique SSID, which is a 32-byte string.
Shared key authentication | An alternative WEP authentication type (shared key subtype) based on standard challenge-response along with a shared key. The shared key (also called secret key) is distributed by an external key management service.
Station | See glossary entry for “Client”
Wired equivalent privacy | Protocol specified for encryption and authentication between clients and APs, mainly used to increase confidentiality of data during transmission. There are two levels of WEP authentication: the open system and the shared/secret key.


APPENDIX 2: ABBREVIATIONS

Abbreviation | What it stands for
AES | Advanced encryption standard
AP | Access point
CRC-32 | Cyclical redundancy check
DS | Distribution system
DSSS | Direct sequence spread spectrum
FHSS | Frequency hopping spread spectrum
ICV | Integrity check value
IEEE | Institute of Electrical and Electronics Engineers
IrDA | Infrared data association
IV | Initialisation vector
LAN | Local area network
MAC | Medium access control
MAN | Metropolitan area network
MIC | Message integrity check
NIC | Network interface card
RC4 PRNG | Ron’s Code 4 Pseudo Random Number Generator
TKIP | Temporal key integrity protocol
UHF | Ultra high frequency
WEP | Wired equivalent privacy
WLAN | Wireless local area network
WNIC | Wireless network interface card

APPENDIX 3: IEEE WIRELESS GROUPS AND STANDARDS

IEEE 802.11 Working Group: Coordinates all the task groups. A task group is commissioned by the working group to write the standard or subsequent amendments to it.

Standard | Description
IEEE 802.1X | Security framework for IEEE 802 networks
IEEE 802.11 | Basic standard for WLAN (1 and 2Mbps)
IEEE 802.11a | High speed WLAN, extension of IEEE 802.11 specifications using speeds of 6 to 54Mbps and operating at 5GHz
IEEE 802.11b | Extension of IEEE 802.11 specifications using speeds of 1, 2, 5.5 and 11Mbps and operating at 2.4GHz
IEEE 802.11d | Complement to the 802.11 MAC layer adding extra features and restrictions for use in foreign countries
IEEE 802.11e | Revision of 802.11 media access control standards including quality of service capabilities and multimedia traffic support
IEEE 802.11g | Extension of IEEE 802.11 specifications using speeds greater than 20Mbps and operating at 2.4GHz
IEEE 802.11i | Not yet defined (expected Q1, 2004); should include security specifications in 802.11 WLANs

APPENDIX 4: WIRELESS POINTERS ON THE INTERNET

IEEE 802.11
  http://standards.ieee.org/wireless/
  http://grouper.ieee.org/groups/802/11/index.html
  http://standards.ieee.org/wireless/overview.html#802.11

IEEE 802.1X
  http://grouper.ieee.org/groups/802/1/pages/802.1x.html

RADIUS
  http://www.ietf.org/rfc/rfc2138.txt
  http://www.ietf.org/rfc/rfc2139.txt
  http://www.ietf.org/rfc/rfc2548.txt
  http://www.ietf.org/rfc/rfc2865.txt
  http://www.ietf.org/internet-drafts/draft-ietf-radius-radius-v2-06.txt
  http://www.ietf.org/internet-drafts/draft-ietf-radius-accounting-v2-05.txt
  http://www.ietf.org/internet-drafts/draft-ietf-radius-ext-07.txt
  http://www.ietf.org/internet-drafts/draft-ietf-radius-tunnel-auth-09.txt
  http://www.ietf.org/internet-drafts/draft-ietf-radius-tunnel-acct-05.txt

EAP
  http://www.ietf.org/rfc/rfc2284.txt
  http://www.ietf.org/rfc/rfc2869.txt
  http://www.ietf.org/rfc/rfc2716.txt

AES
  http://csrc.nist.gov/encryption/aes/

Others
  http://www.80211central.com/
  http://www.80211central.com/glossary.html (Glossary)
  http://www.internetnews.com/wireless/archives.php (Newspaper)
  http://www.drizzle.com/~aboba/IEEE/ (The Unofficial 802.11 Security Web Page)
  http://www.wirelessinternet.com/WLANS_Articles_Links.htm (Wireless LAN Articles)
  http://www.computerworld.com/mobiletopics/mobile (Computerworld)
  http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/ (Wireless LAN resources for Linux)

FAQ
  http://www.iss.net/wireless/WLAN_FAQ.php
  http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
  http://www.80211central.com/faqs.html
  http://www.sfwireless.net/moin/WlanFaq

APPENDIX 5: REFERENCES

Books
WiFi Security. Stewart S. Miller, McGraw-Hill Networking Professional, 2003
Hotspot Networks: WiFi for Public Access Locations. Daniel Minoli, McGraw-Hill Networking Professional, 2002
Wireless Maximum Security. Cyrus Peikari and Seth Fogie, SAMS, 2003
The Essential Guide to Wireless Communications Applications. Andy Dornan, Prentice Hall PTR, 2002

White papers
An Initial Security Analysis of the IEEE 802.1X Standard. Arunesh Mishra and William A. Arbaugh, University of Maryland, 6 Feb 2002
Wireless Ethernet. CISCO Symposium in Paris, Feb 2003
WLAN Standards and Wireless Gateways: Making the right choices to secure and manage your WLAN. Bluesocket White Paper, 2002
Intercepting Mobile Communications: The Insecurity of 802.11. N. Borisov, I. Goldberg and D. Wagner, http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
Layer 2 Analysis of WLAN Discovery Applications for Intrusion Detection. Joshua Wright, GCIH, CCNA, 11 Aug 2002
A Practical Approach to Identifying and Tracking Unauthorised 802.11 Cards and Access Points. Interlink Networks, Inc., 2002
WEP2 Security Analysis. Bernard Aboba, Microsoft, IEEE 802.11-00/253, May 2001
Enterprise Approaches to Detecting Rogue Wireless LANs. AirDefense, 2002
Wireless LAN Policies for Security & Management. AirDefense, 2003
WIRELESS LANs: Risks and Defenses. AirDefense, 2002
Enterprise Solutions for Wireless LAN Security. Wi-Fi Alliance, 6 Feb 2003
Issues in Wireless Security (WEP, WPA & 802.11i). Brian R. Miller, Booz Allen Hamilton, 18th Annual Computer Security Applications Conference, 11 Dec 2002
Pervasive (Ubiquitous) Computing: What it is, and how it may impact e-commerce. Efraim Turban, City University of Hong Kong, 2002
Wireless LAN MAC Address Spoofing. Joshua Wright, GCIH, CCNA, January 2003
Weaknesses in the Key Scheduling Algorithm of RC4. Scott Fluhrer, Itsik Mantin and Adi Shamir, 2001
Your 802.11 Wireless Network Has No Clothes. William A. Arbaugh, Narendar Shankar and Y.C. Justin Wan, Department of Computer Science, University of Maryland, 30 Mar 2001

Conferences
Black Hat 2002, Las Vegas NV, July 2002, http://www.blackhat.com
- Advanced 802.11 Attack. Mike Lynn and Robert Baird
- 802.1x: What it is, How it’s broken, and How to fix it. Bruce Potter, The Shmoo Group
- The Need for an 802.11 Wireless Toolkit. Mike Schiffman, @stake

NIST 802.11 Wireless LAN Security Workshop, December 4-5, 2002, http://csrc.nist.gov/wireless/
- WiFi Security Workshop: NIST Opening Remarks. http://csrc.nist.gov/wireless/S02-Opening%20remarks-tg.pdf
- DOD Wireless Policies and Requirements. Timothy J. Havighurst, V34, NSA, http://csrc.nist.gov/wireless/S04_DOD%20Wireless%20Requirements-th.pdf
- NIST Cryptographic Standards Program. Bill Burr, NIST, http://csrc.nist.gov/wireless/S04_NIST_crypto_program_final-bb.pdf
- 802.11i: The User Perspective. Stephen T. Whitlock and Paul Dodd, http://csrc.nist.gov/wireless/S06_Boeing-stw.pdf
- Wireless Networks: Can Security Catch Up With Business? John Pescatore, VP, Internet Security, Gartner, Inc., http://csrc.nist.gov/wireless/S08_State%20of%20industry-jp.pdf
- Wi-Fi Protected Access. Wi-Fi Alliance, Media Briefing, http://csrc.nist.gov/wireless/S09_WPA%20Analyst%20Briefing%2005-part1-ff.pdf
- Wi-Fi Alliance Overview. http://csrc.nist.gov/wireless/S09_Wi-Fi%20Alliance%20Overview-01-part2-ff.pdf
- IEEE 802.11 Procedures. Dave Halasz and Nancy Cam-Winget, CISCO, http://csrc.nist.gov/wireless/S09_IEEE802.11Procedures-ncwv2.pdf
- IEEE 802.11i Overview. Nancy Cam-Winget (Cisco Systems), Tim Moore (Microsoft), Dorothy Stanley (Agere Systems) and Jesse Walker (Intel Corporation), http://csrc.nist.gov/wireless/S10_802.11i%20Overview-jw1.pdf
- EAP and AAA Update. Bernard Aboba (Microsoft), http://csrc.nist.gov/wireless/S12_NIST-IETFpart2--ba.pdf
- IETF/IEEE 802.11i Liaison Report. Bernard Aboba (Microsoft), NIST 802.11 Security Workshop, http://csrc.nist.gov/wireless/S12_NIST-Status-ba.pdf
- Wireless LAN Security: Where Do We Go From Here? Michael Disabato (Burton Group), http://csrc.nist.gov/wireless/S16_WPA%20Panel-md.pdf
- Wireless LAN Security Solution Motives and Rationale. Russ Housley (Vigil Security), http://csrc.nist.gov/wireless/S17_WLAN-Security-Rationale1-rh.pdf
- Strategy Session. Tim Grance and Bill Burr, http://csrc.nist.gov/wireless/S19_StrategySession-lo.pdf
- Comparison of Cellular Industry (’92) Critical Issues to WiFi Industry (’02). Leslie D. Owens, Booz Allen Hamilton, CTIA Forum, 15 Nov 2002, http://csrc.nist.gov/wireless/S25_Comparison%20of%20cellular%20to%20WiFi-ldo.pdf
- NIST Wireless Security Guidance. SP 800-48, 4 Dec 2002, http://csrc.nist.gov/wireless/S05_NIST-tk2.pdf


APPENDIX 6: 802.11 NETWORK SECURITY AUDIT TOOLS

Name | Function(s) | URL
Air Defense | Wireless IDS and monitoring | http://www.airdefense.net
Air Jack | MAC address setting/spoofing; send custom (forged) management frames; AP forgery/fake AP | http://802.11ninja.net
AirMagnet | Wireless analyser | http://www.airmagnet.com/products.htm
AiroPeek | Wireless frame sniffer and analyser | http://www.wikdpackets.com/products/airopeek
AirSnort | Wireless sniffer; WEP key “cracker” | http://airsnort.shmoo.com
AirTraf | Wireless sniffer / analyser | http://airtraf.sourceforge.net and http://sourceforge.net/projects/airtraf
bsd-airtools | WEP key “cracker”; 802.11b WLAN detection; access point enumeration | http://www.dachb0den.com/projects/bsd-airtools.html
FakeAP | Multiple access point simulation | http://www.blackalchemy.to/Projects/fakeap/fake-ap.html
HostAP | Access point simulation | http://hostip.epitest.fi
Isomair | Management analysis | http://www.isomair.com/products.html
ISS Wireless scanner | Vulnerability scanner | http://www.iss.net/products_services/enterprise_protection/vulnerability_assessment/scanner_wireless.php
Kismet | 802.11a/b WLAN detection | http://www.kismetwireless.net
Mac Stumbler | 802.11b WLAN detection | http://homepage.mac.com/macstumbler/
Mini Stumbler | Access point enumeration | http://wwwmacstumbler.com and http://www.stumbler.org
MogNet | Wireless Ethernet sniffer and analyser | http://chocobospore.org/mognet/
Net Stumbler | War driving and GPS | http://www.netstumbler.org
Prism2 | Linux driver, Host AP mode | http://hostap.epitest.fi/
Sniffer | Wireless network monitoring, capturing, decoding | http://www.sniffer.com/products/wireless/default.asp?A=5
SSIDsniff | Discover APs and capture traffic | http://www.bastard.net/~kos/wifi/
stumbverter | Import Network Stumbler’s summary files into Microsoft’s MapPoint maps | http://www.sonar-security.com/
THC-RUT | Network discovery tool | http://www.thehackerschoice.com/releases.php
Wavemon | WLAN monitoring application | http://www.jm-music.de/projects.html
wavestumbler | 802.11 network mapper | http://www.cqure.net/tools08.html
Wellenreiter | 802.11b WLAN detection; SSID brute force | http://www.remote-exploit.org/
WepCrack | WEP key “cracker” | http://wepcrack.sourceforge.net/
WifiScanner | 802.11b WLAN detection | http://sourceforge.net/projects/wifiscanner/ and http://wifiscanner.sourceforge.net/
