Researcher :Muhammad Zia Shahid

M.C.s 3rd semester

Wireless LAN Security Risks and Solutions

Presented to:

Sir Waseem Iqbal

Term Paper Supervisor

Overview of Wireless Technology.

Security and Privacy issues in Wireless Network.

Wireless Security Protocols.

Wireless Equivalent Privacy (WEP).

Wireless Equivalent Privacy (WEP2).

Wireless Equivalent Privacy plus (WEP+).

Wi-Fi Protected Access (WPA). Temporal Key Integrity Protocol (TKIP).

WPA Pre Shared Key (WPA-PSK).

Wi-Fi Protected Access (WPA2). Counter-Mode with CBC-MAC Protocol (CCMP).

Wireless Network Threats.

Traffic Analysis.

Passive Eavesdropping.

Active Eavesdropping.

Unauthorized Access.

Man-in-the-middle

Session High-Jacking

Replay

Denial of service (DoS)

Contents

Methodologies of free Wireless Hacking tools over the internet. NetStumbler

Kismet

Wellenreiter

THC-RUT

Ethereal

AirSnort

HostAP

AirSnarf

SMAC

Aircrack

Aircrack-ng

WepAttack

WEPCrack.

Contents

The wireless networks are based on the IEEE standards belonging to the 802 family.

Following list is a simple overview of the 802.11 family:• 802.11bo Most widespreado 11Mb maximum, 2.4 GHZ band• 802.11ao Next generationo 54MB maximum, 5GHZ band• 802.11go 54MB maximum, 2.4 GHZ bando Compatible with 802.11b• 802.11Xo Uses Extensible Authentication Protocol (EAP)o Supports RADIUS• 802.11i

OVERVIEW OF WIRELESS TECHNOLOGY.

Security and Privacy issues in Wireless Network.

End users are not security experts, and may not be aware of the risks posed by wireless LANs.

Nearly all of the access points running with default configurations have not activated WEP.

Most of the users does not change access point’s default key used by all the vendor's products out of the box.

The Wireless Access Points who are enabled with WEP can be cracked easily.

Wireless Equivalent Privacy (WEP) WEP is a protocol that adds security to

wireless local area networks (WLANs) based on the 802.11 Wi-Fi standard.

WEP algorithm is used to protect wireless communication from eavesdropping and to prevent unauthorized access to a wireless network.

The original implementations of WEP supported so-called 40-bit encryption, having a key of length 40 bits and 24 additional bits of system-generated data (64 bits total).

40-bit WEP encryption is too easy to decode.

128-bit encryption (key length of 104 bits, not 128 bits).

WEP relies on a secret key.

WEP uses the RC4 encryption algorithm, which is known as a stream cipher.

stream cipher operates by expanding a short key into an infinite pseudo-random key stream.

Wireless Equivalent Privacy (WEP) (Cont.)

Wireless Equivalent Privacy (WEP2) A stopgap enhancement to WEP,

implement able on some (not all) hardware not able to handle WPA/WPA2, based on:

Enlarged IV value. Enforced 128-bit encryption 

WEP2 remains vulnerable to known WEP attacks.

Keystream for corresponding IV is obtained

1500 bytes for each of the 224 possible IVs

24GB to construct a full table, which would enable the attacker to immediately decrypt each subsequent ciphertext

WPA (Wi-Fi Protected Access) It is also known as WEP+. WEPplus enhances WEP security by

avoiding "weak IVs“. It is only completely effective when

WEPplus is used at both ends of the wireless connection.

It remains serious limitation. WPA use Temporal Key Integrity Protocol

(TKIP) to addresses the encryption weaknesses of WEP.

Key component of WPA is built-in authentication that WEP does not offer.

WPA provides roughly comparable security to VPN tunneling with WEP, with the benefit of easier administration and use.

WPA (Wi-Fi Protected Access) (Cont.) One variation of WPA is called WPA Pre

Shared Key or WPA-PSK. To use WPA-PSK, a person sets a static

key or "passphrase" as with WEP. By using TKIP, WPA-PSK automatically

changes the keys at a preset time interval, making it much more difficult for hackers to find and exploit them.

WPA uses the RC4 cipher. Keys are rotated frequently, and the

packet counter prevents packet replay or packet re-injection attacks.

WPA2 (Wi-Fi Protected Access) WPA2 (Wi-Fi Protected Access 2) gives

wireless networks both confidentiality and data integrity.

The Layer 2-based WPA2 better protects the network.

WPA2 uses a new encryption method called CCMP (Counter-Mode with CBC-MAC Protocol).

CCMP is based on Advanced Encryption Standard (AES).

AES is stronger algorithm then RC4.

Wireless Network Threats Traffic Analysis.

Passive Eavesdropping.

Active Eavesdropping.

Unauthorized Access.

Man-in-the-middle

Session High-Jacking

Replay

Denial of service (DoS)

Traffic Analysis

Traffic analysis allows the attacker to obtain three forms of information.

The attacker preliminary identify that there is activity on the network.

The identification and Physical location of the Wireless Access Point (AP).

The type of protocol being used during the transmission.

Passive Eavesdropping

Attacker

Target

Passive Eavesdropping allows the attacker to obtain two forms of information.

The attacker can read the data transmitted in the session.

The attacker can read the information i.e source, destination, size, number and time of transmission.

Active Eavesdropping

Active Eavesdropping allows the attacker inject the data into the communication to decipher the payload.

Active Eavesdropping can take into two forms.

The attacker can modify the packet.

The attacker can inject complete packet into the data.

The WEP by using CRC only check the integrity of the data into the packet.

Unauthorized Access

Due to physical properties of the WLAN, the attacker will always have access to the Wireless components of the network.

If attacker become successful to get unauthorized access to the network by using brute force attack, man in the middle and denial of service attack, attacker can enjoy the whole network services.

Man-in-the-Middle

Session Hi-Jacking

Methodologies of free Wireless Hacking tools over the internet.

NetStumbler Kismet Wellenreiter THC-RUT Ethereal AirSnort WEPCrack. coWPAtty

HostAP WEPWedgie AirSnarf SMAC Aircrack Aircrack-ng WepAttack

q & a session