Date posted: 08-Jan-2018
Wireless Security
John Himmelein, Erick Andrew
Christian Adam, Varun Bapna
Outline
● 802.11 Overview
● WEP
● Other security measures
● Attacks
● Lab motivation
802.11 Overview
● IEEE 802.11 denotes a set of wireless standards defined by IEEE
● Most popular include 802.11a/b/g
● 802.11a is in the 5 GHz band, b/g is in the 2.4 GHz band
● 802.11i is intended to improve security
Security Features
● Service Set Identifier (SSID)
● Used to differentiate between access points
● Sent out in a beacon frame
● These are plain text messages
Associating with an AP
● Two initialization methods
● Shared Key or Open Key
● With Open Key anyone can talk to the AP
● Shared Key requires authentication as soon as association succeeds
Wired Equivalent Privacy (WEP)
● WEP uses the stream cipher RC4
– RC4 generates a pseudorandom stream of bits (a "keystream") which is combined with the plaintext using XOR
– Decryption is performed the same way
● WEP uses two key sizes: 40 bit & 104 bit
– 64 bit and 128 bit WEP
● To each is added a 24-bit initialization vector (IV) which is transmitted in the clear.
WEP
● WEP has several weaknesses
● The weakness with RC4 is with the Initialization Vector (IV)
● This led to several different types of attacks
● We will use a tool that combines two of these attacks, and the appendix will describe another
WEP attack #1
● The 24 bit IV has a numerical limit
● Only 16,777,216 possible IVs
● Listening long enough, and IVs will be repeated
● Enough duplicate IVs and the WEP key can be determined
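The cipher described on the WEP slide and the IV-reuse problem behind attack #1, as an added Python example that is not part of the original slides or of any tool they list. It implements RC4, builds a simplified WEP frame (cleartext IV, then RC4(IV || key) XORed over payload || CRC-32 ICV; the one-byte key-ID field of a real frame is omitted), shows that two frames sent under the same IV leak the XOR of their plaintexts because the keystream cancels, and applies the birthday bound to the 16,777,216-value IV space. The key, IV and plaintexts are constructed values.

```python
import math
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling (KSA) followed by keystream generation (PRGA).
    Returns n keystream bytes; WEP keys this with IV || secret key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Simplified WEP frame body: IV (in the clear) || RC4(IV||key) ^ (payload || ICV).
    The key-ID byte that real WEP puts after the IV is left out."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit key")
    icv = zlib.crc32(payload).to_bytes(4, "little")        # CRC-32 integrity check value
    keystream = rc4_keystream(iv + key, len(payload) + 4)  # per-frame RC4 key = IV || key
    return iv + xor_bytes(payload + icv, keystream)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Decryption is the same XOR with the same keystream, then the ICV is checked."""
    iv, body = frame[:3], frame[3:]
    plain = xor_bytes(body, rc4_keystream(iv + key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload


def plaintext_xor_from_iv_reuse(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same IV share one keystream, so XORing the ciphertexts
    cancels the keystream and leaves the XOR of the two plaintexts."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    return xor_bytes(frame_a[3:], frame_b[3:])


def iv_space_size(iv_bits: int = 24) -> int:
    return 2 ** iv_bits  # 16,777,216 for WEP's 24-bit IV


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: with N equally likely IVs, the first repeat is expected
    after about sqrt(pi * N / 2) frames, far fewer than N."""
    return math.sqrt(math.pi * iv_space_size(iv_bits) / 2)


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"   # constructed 40-bit WEP key
    iv = b"\x0a\x0b\x0c"            # constructed 24-bit IV
    p1, p2 = b"ATTACK AT DAWN", b"WAIT FOR ORDER"
    f1 = wep_encrypt(key, iv, p1)
    f2 = wep_encrypt(key, iv, p2)   # same IV reused: the defect attack #1 relies on
    print(wep_decrypt(key, f1))
    print(plaintext_xor_from_iv_reuse(f1, f2)[: len(p1)] == xor_bytes(p1, p2))
    print(f"{iv_space_size():,} IVs; first repeat expected after "
          f"~{expected_frames_until_iv_repeat():.0f} random frames")
```

The birthday figure is the point of the slide: a 24-bit IV space sounds large, but a busy network that picks IVs at random repeats one after a few thousand frames, and APs that simply count up from zero after every reboot repeat far more predictably.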
WEP attack #2
● Another attack relies on the fact that some IVs are weak
● Using a formula, one can take a weak IV and infer part of the WEP key
● Listening to the network long enough and the WEP key can be discovered
● This attack, like the last one, can take a very long time
WEP attack #3
● A new attack was developed by a hacker named KoreK
● This attack relies on gathering enough unique IVs
● This is a statistical attack that requires about 200,000 unique IVs to determine a 40-bit WEP key
Default Settings
● Most consumer access points are very easy to set up
● However, their default states have no security and are easy to look up
● Despite this, many people leave their APs in this state, making them easy targets
Protecting Your Network
● There are several methods to increase the security of a wireless network
● Turning off SSID broadcasting
● SSID broadcasting helps attackers find your WLAN
● While not broadcasting will not stop anyone, it will make your network less interesting
MAC Address Filtering
● MAC address filtering allows only a set list of hardware devices to connect
● In theory every device will have a unique MAC address
● However, using a sniffer the MAC address of a valid client is easily found
● Most wireless cards allow their MAC addresses to be changed
WPA - Wi-Fi Protected Access
● By increasing the size of the keys, the number of keys in use, and adding a secure message verification system, WPA makes breaking into a Wireless LAN far more difficult.
● The Michael algorithm was the strongest that WPA designers could come up with that would still work with most older network cards; however, it is subject to attack. To limit this risk, WPA networks shut down for 30 seconds whenever an attempted attack is detected.
Lab Goals
● Determine router type and defaults
● Examining unencrypted traffic
● Bypassing MAC address filtering
● Cracking WEP using Aircrack
● Setting up a fake AP to steal login information
Network Layout
Unencrypted Traffic
MAC Address Filtering
● Sniff traffic for a valid MAC address
● Change your MAC address to the valid one (Spoofing)
● Full access if no encryption on the network
Cracking WEP with Aircrack
● Airodump collects packets
● Aircrack is used on the output file from Airodump
● It uses unique IVs to break the WEP key
● ~330,000 unique IVs and Aircrack broke the key in 1 second
● ~100,000 and it took 21 seconds
Fake AP
● The tool suite we will use allows us to set up our wireless card as an access point
● To make this useful we will need to do some work
● By deauthenticating a client from his AP, we can make him connect to our fake one
● By forging a web page we can potentially steal important login information
● This attack is very hard for the victim to realize until it is far too late
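The two lab steps that leave a trace on the air are the MAC spoofing used to bypass address filtering and the deauthentication burst that pushes a client toward a fake AP; both are what a wireless intrusion detection sensor looks for. The following is an added Python example, not from the slides or from the tools they list, running two such checks over a constructed log of frame metadata (timestamp, frame type, transmitter MAC, 12-bit sequence number). The addresses, timings and thresholds are constructed and the sequence-number heuristic is a generalization of the slide's point: every real station keeps one counter, so two radios sharing a MAC show up as a counter that keeps jumping backwards.

```python
from collections import defaultdict, deque

# Constructed frame metadata as a monitoring sensor might log it:
# (timestamp in seconds, frame type, transmitter MAC, 12-bit sequence number).
AP = "aa:bb:cc:00:00:01"        # constructed access point address
CLIENT = "00:11:22:33:44:55"    # constructed legitimate client address
OTHER = "66:77:88:99:aa:bb"     # constructed client whose counter wraps 4095 -> 0

FRAMES = [
    (0.10, "data", CLIENT, 100),
    (0.20, "data", CLIENT, 101),
    (0.30, "data", CLIENT, 102),
    (0.40, "data", CLIENT, 3000),  # second radio using CLIENT's MAC with its own counter
    (0.50, "data", CLIENT, 103),
    (0.60, "data", CLIENT, 3001),
    (0.70, "data", OTHER, 4094),
    (0.80, "data", OTHER, 4095),
    (0.90, "data", OTHER, 0),      # normal wrap-around, must not alert
    (0.95, "data", OTHER, 1),
    (1.00, "deauth", AP, 500),     # a single deauthentication is ordinary housekeeping
] + [(5.00 + 0.01 * i, "deauth", AP, 600 + i) for i in range(12)]  # burst claiming AP's MAC


def detect_mac_spoofing(frames, backward_threshold=2048):
    """A station's sequence counter increases in small steps modulo 4096. Two radios
    sharing a MAC interleave two counters, so the observed sequence repeatedly jumps
    far backwards. Stations that reassociate also reset their counter, so treat hits
    as leads to investigate, not proof."""
    last_seq = {}
    alerts = []
    for t, ftype, src, seq in frames:
        if ftype != "data":
            continue
        prev = last_seq.get(src)
        if prev is not None:
            forward = (seq - prev) % 4096      # wrap 4095 -> 0 is a forward step of 1
            if forward > backward_threshold:   # a huge "forward" distance is a backward jump
                alerts.append((src, t, prev, seq))
        last_seq[src] = seq
    return alerts


def detect_deauth_flood(frames, window=1.0, limit=10):
    """Flag any transmitter sending `limit` or more deauthentication frames within
    `window` seconds. Keeping a victim off its real AP needs a sustained burst that
    legitimate management traffic does not resemble."""
    recent = defaultdict(deque)
    flagged = set()
    for t, ftype, src, seq in frames:
        if ftype != "deauth":
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= limit:
            flagged.add(src)
    return sorted(flagged)


if __name__ == "__main__":
    for src, t, prev, seq in detect_mac_spoofing(FRAMES):
        print(f"possible MAC spoofing: {src} at t={t:.2f}s, seq {prev} -> {seq}")
    for src in detect_deauth_flood(FRAMES):
        print(f"deauthentication flood from {src}")
```

Neither check needs the WLAN's encryption key, which is why sequence-number and management-frame monitoring work on open and WEP networks alike; the 30-second WPA shutdown mentioned earlier is the same idea applied by the AP itself.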
Links to tools
● Ethereal – http://www.ethereal.com
● Kismet – http://www.kismetwireless.net
● Auditor security collection – http://new.remote-exploit.org/index.php/Auditor_main
● Aircrack – http://www.cr0.net:8040/code/network/aircrack
Questions?