Академический Документы
Профессиональный Документы
Культура Документы
Countermeasures
Version 6.1
Module XX
Hacking Wireless
Networks
Scenario
Clients of Xbrokerage Inc. are furious. None of
them are able to logon to its portal. Xbrokerage
had recently introduced this portal as an add-on
service through which clients could track their
shares and trade online.
Being a customer-friendly firm, Xbrokerage
allowed wireless access within its office
premises.
i
Are wireless networks more prone to attacks?
What could have been a vulnerable point?
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News
Source: http://www.journalnow.com/
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Security News
Source: http://www.theregister.co.uk/
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Objective
This module will familiarize you with :
EC-Council
Wireless Networking
Types of Wireless Networks
Wireless Standards
SSID
Wireless Access Points
Wired Equivalent Privacy
Wi-Fi Protected Access
Steps for Hacking Wireless Networks
Cracking WEP
Tools for Scanning
Tools for Sniffing
g Wireless Networks
Securing
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Flow
Wireless Networking
Wireless Access
Points
Cracking WEP
Types of Wireless
Networks
WEP
Scanning Tools
Wireless Standards
WPA
Sniffing Tools
SSID
Securing
Wireless Networks
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Introduction to Wireless
Netwo
Networking
g
Wireless Standards
Wireless Concepts
Wireless Devices
WPA
WEP
Hacking Methods
Cracking WEP
Wireless Security
Tools
Sniffing Tools
Scanning Tools
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Wireless Networking
Wireless networking technology is becoming increasingly
popular
l and
d at the
h same time
i
h
has iintroduced
d
d severall
security issues
The popularity of wireless technology is driven by two
primary factors: convenience and cost
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Wireless
Network
Access
Point
Wired
Ethernet
Network
Wireless
Network 1
Access
Point 1
Extension
Point
Wired
Ethernet
Network
Access
A
Point 2
Wireless
Network
Wireless
Network 2
Access
Point 1
Wired
Ethernet
Network 1
Wired
Ethernet
Network 2
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Advantages:
Mobility (easy)
Cost-effective in the initial phase
Easy connection
Diff
Different
t ways tto ttransmit
it data
d t
Easy sharing
Disadvantages:
Mobility (insecure)
Hi h cost post-implementation
High
i l
i
No physical protection of networks
Hacking has become more convenient
Risk of data sharing is high
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Terminologies
~
Warcycling -detecting Wi-Fi wireless networks by driving around with a Wi-Fi equipped
device on a bicycle
Warwalking searching for Wi-Fi wireless networks by a person walking, using a Wi-Fiequipped device, such as a laptop or a PDA
Warrunning; detecting Wi-Fi wireless networks by running with a Wi-Fi equipped device.
Warchalking the name for marking the location of an active Wi-Fi wireless network with a
chalk mark on the sidewalk
Warspying detecting and viewing wireless video. Usually done by driving around with an
x10 receiver.
i
Si
Similar
il tto "W
"Wardriving"
d i i " only
l with
ith wireless
i l
video
id instead
i t d off wireless
i l
networks.
t
k
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
WarChalking
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
WarChalking
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
WarChalking
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
WarChalking
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
http://map.airdump.net/
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Introduction to Wireless
Netwo
Networking
g
Wireless Standards
Wireless Concepts
Wireless Devices
WPA
WEP
Hacking Methods
Cracking WEP
Wireless Security
Tools
Sniffing Tools
Scanning Tools
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Wireless Standards
The first wireless standard was 802.11
It defines three physical layers:
Frequency Hopping Spread Spectrum (FHSS)
Direct Sequence
q
Spread
p
Spectrum
p
((DSSS))
Infrared
802.11a: More channels, high speed, and less interference
802.11b: Protocol of Wi-Fi revolution, de facto standard
802.11g: Similar to 802.11b, only faster
8
802.11i:
i IImproves WLAN security
it
802.16: Long distance wireless infrastructure
Bluetooth: Cable replacement option
900 MHz: Low speed, coverage, and backward compatibility
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Actual speeds
p
depend
p
on implementation:
p
5.9 mbps when TCP (Transmission Control Protocol) is used
(error checking)
7.1 mbps when UDP (User Datagram Protocol) is used (no
error checking)
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Wireless Standard:802.15
(Bluetooth)
IEEE 802.15
5 is a bluetooth wireless standard defined byy IEEE for wireless
personal area networks (WPANs)
IEEE 802.15
8
has
h characters
h
such
h as short-range,
h
low
l
power, llow cost, small
ll
networks, and communication of devices within a personal operating space
802.15.1/bluetooth specify standards of the Physical
layer and Data Link layer of the OSI model with the
following four sub-layers:
EC-Council
RF layer
Baseband layer
Link manager
Logical Link Control and Adaptation Protocol (L2CAP)
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Wireless Standard:802.16
(WiMax)
WiMax (Worldwide Interoperability for Microwave Access), a communications system,
is designed to support point to multi-point
multi point (PMP) broadband wireless access
It provides high-speed mobile Internet access to different devices such as notebook PCs,
p
, and also to consumer electronics such as audio players,
p y ,
handsets,, smartphones,
cameras, gaming devices, camcorders, etc.
The IEEE wireless standard ranges up to 30 miles, and it can provide a broadband up to
75 megabits per second
WiMax types:
Fixed WiMax: It is based on IEEE 802.16-2004 standard and is suitable for
delivering wireless last mile access for fixed broadband services. It is similar to
DSL or cable modem service
Mobile
M bil WiMax:
WiM
It iis based
b d on IEEE 802.16-2005
802 16 200 standard
t d d and
d supports
t both
b th
fixed and mobile applications
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Cisco
Hutton
MECA Electronics, Inc.
Nextwave
Mobile Metrics
TESSCO Technologies Incorporated
Telsima
WiNetworks
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Introduction to Wireless
Networking
Wireless Standards
Wireless Concepts
Wireless Devices
WPA
WEP
H ki Methods
Hacking
M th d
C ki WEP
Cracking
R
Rogue
A
Access Point
P i t
Wireless Security
Tools
Sniffing
ff
Tools
l
Scanning Tools
l
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
SSID
The SSID is a unique
q identifier that wireless networking
g
devices use to establish and maintain wireless
connectivity
An SSID acts as a single shared identifier between access
points and clients
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Authentication Modes
Authentication is done by:
A station providing the correct SSID
Or, through the shared key authentication:
Access point and all base stations share a secret encryption
key which is:
Difficult to deploy
Difficult to change
Difficult to keep secret
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Th
The AP forwards
f
d the
h identity
id i to the
h RADIUS server using
i the
h uncontrolled
ll d
port
The RADIUS server sends a request to the wireless station via the AP
specifying the authentication mechanism to be used
The wireless station responds to the RADIUS server with its credentials via
the AP
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Beacon Broadcast
Base stations regularly broadcast its existence for end users to
listen and negotiate a session
Signals can be captured by anyone
Wireless network SSID are known while connecting to the
station
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Authentication and
(Dis)Association Attacks
Any station can impersonate another station or access point and attack
or interfere
i t f
with
ith th
the authentication
th ti ti and
d association
i ti mechanisms:
h i
As these frames are not encrypted, the difficulty is trivial
EC-Council
Entry
Exit
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Introduction to Wireless
Networking
Wireless Standards
Wireless Concepts
Wireless Devices
WPA
WEP
H ki Methods
Hacking
M th d
C ki WEP
Cracking
R
Rogue
A
Access Point
P i t
Wireless Security
Tools
Sniffing
ff
Tools
l
Scanning Tools
l
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Antennas
Antennas are important for sending and receiving radio
waves
They convert electrical impulses into radio waves and
vice versa
There are two types of antennas:
Omni-directional antennas
Directional antennas
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Cantenna
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Beacon Frames
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Phone Jammers
A cell-phone jammer transmits radio frequency signals similar to
that used by cellular devices to cut off communications between
cell phones and cell base stations
Jammers signal has enough high power to cancel out cellular
signals
Some of the high-end
g
jjammers block all frequency
q
y signals
g
disabling switching over different network types
Range
g of the jjammer depends
p
on its p
power and the local
environment (9m-1.6km)
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Theatres
Th
t
and
d museums
Lecture rooms, libraries, schools, and Universities
Restaurants and public transport
Places of Worship
Reco ding studios
Recording
st dios
Businesses (conferences, board of directors rooms, seminars, and meeting
rooms)
Government building and Government complexes
Law enforcement facilities
Police stations
Drug enforcement facilities
Prison facilities, jails, etc.
Courts of law and court houses
Military installations, military complexes, and military training centers
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Base Station
EC-Council
Jammer Area
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Mobile Blocker
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Introduction to Wireless
Networking
Wireless Standards
Wireless Concepts
Wireless Devices
WPA
WEP
H ki Methods
Hacking
M th d
C ki WEP
Cracking
R
Rogue
A
Access Point
P i t
Wireless Security
Tools
Sniffing
ff
Tools
l
Scanning Tools
l
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
It has significant
g
vulnerabilities and design
g flaws
Only about a quarter to a third of wireless
access points use WEP:
Tam et al. 2002
Hamilton 2002
Pickard and Cracknell 2001,
2001 2003
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
It uses RC-4 to produce a stream of bytes that are XORed with the
plaintext
The input to the stream cipher algorithm is an "initial value" (IV)
sent in plaintext and a secret key
IV is 24 bits long
Length of the secret is either 40 or 104 bits, for a total length for the
IV and secret of 64 or 128 bits
Marketing
M k ti publicized
bli i d the
th larger
l
number,
b implying
i l i that
th t th
the secrett
was a 64 or 128 bit number, in a classical case of deceptive
advertising:
How else can you call a protection that is 16.8 million times weaker than
advertised?
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
WEP Issues
CRC32 is not sufficient to ensure complete cryptographic
integrity of a packet
By capturing two packets, an attacker can reliably flip a bit in
the encrypted
yp
stream,, and modifyy the checksum so that the
packet is accepted
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
P
Password
d
Denial of Services
Associate and Disassociate messages are not authenticated
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
The standard does not dictate that each packet must have a unique IV, so
vendors
d
use only
l a small
ll partt off th
the available
il bl 24-bit
bit possibilities
ibiliti
A mechanism that depends on randomness is not random at all and attackers
can easilyy figure
g
out the keyy stream and decrypt
yp other messages
g
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
The AP responds with packets containing the APs SSID and other
network information
When open system authentication (OSA) is configured, the station will
send an authentication request to the AP and the AP will make an access
decision based on its policy
When the shared key authentication (SKA) is configured, the AP will send
a challenge to the station and the station encrypts it with its WEP key and
sends it back to the AP
If the AP obtains the challenge value,
value the station is authorized
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Requesting Station
EC-Council
Receiving Station
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Th authentication
The
h i i and
d association
i i phases
h
authorize
h i the
h d
device,
i and
d not the
h user
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
WEP Flaws
Two basic flaws undermine its abilityy to p
protect against
g
a serious attack:
No defined method for encryption key distribution
Pre-shared keys were set once at installation and are rarely (if ever)
changed
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Introduction to Wireless
Networking
Wireless Standards
Wireless Concepts
Wireless Devices
WPA
WEP
H ki Methods
Hacking
M th d
C ki WEP
Cracking
R
Rogue
A
Access Point
P i t
Wireless Security
Tools
Sniffing
ff
Tools
l
Scanning Tools
l
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
What is WPA
Wi-Fi Protected Access (WPA) is a data encryption method for WLANs
based on 802.11 standards
It resolves the issue of weak WEP headers, which are called initialization
vectors (IVs)
It is designed to be a software upgrade
With WPA, the rekeying of global encryption keys is required
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
WPA (contd)
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
WPA Vulnerabilities
Denial-of-service
Denial
of service attack:
Attacker injects or corrupts packets
IV and message hash are checked before MIC to reduce the
number of false positives
Only way around this is to use WEP
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Enterprise:
p
Verifies network users through
g a server
Personal: Protects unauthorized network access by utilizing a set-up password
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Features:
WPA2 authentication
WPA2 key management
Temporal Key management
Michael Algorithm
AES support
Supporting a mixture of WPA and
WEP wireless clients
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Attacker then sends out his own radio signal, using the
same name
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Introduction to Wireless
Netwo
Networking
g
Wireless Standards
Wireless Concepts
Wireless Devices
WPA
WEP
Hacking Methods
Cracking WEP
Rogue
g Access Point
Wireless
W
e ess Security
Secu ty
Tools
S iffi T
Sniffing
Tools
l
Scanning Tools
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Working of TKIP
TKIP encryption works in a two
two-phase
phase process
In the first phase, a session key is generated from temporal key, TKIP
sequence counter (TSC), and the transmitter
transmitterss MAC address
Once this phase is completed, a value called the TKIP-mixed transmit
address and key (TTAK) is created
This value is used as a session-based WEP key in the second phase
In the second phase, the TTAK and the IV are used to produce a key
that encrypts the data
TKIP is safer than WEP because the key is using a different value
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
IV Size:
Si Increase the
h size
i off IV to avoid
id reusing
i the
h same IV
Key Management: Add a mechanism to distribute and change the
broadcast keys
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
LEAP requires
i
an authentication
th ti ti server (RADIUS) tto
support the access points
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
LEAP
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
LEAP Attacks
Dictionary attacks
Password-based scheme
Passwords should be guessable
LEAP access p
points do not use
weak IVs
Use MS-CHAP v2, show the same weaknesses as MSCHAP (Wright 2003)
There are many variants of the extensible
authentication protocol, such as EAP-TLS and PEAP
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Features:
Recovers weak LEAP passwords (duh)
Can read live from any wireless interface in RFMON
mode
Can monitor a single channel, or perform channel
hopping to look for targets
Handles dictionary and genkeys files up to 4 TB in size
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Working of ASLEAP
This tool works as follows:
Scans the 802.11 packets by putting the wireless interface in RFMON mode
Hops channels to look for targets (WLAN networks that uses LEAP)
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
ASLEAP: Screenshot
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Introduction to Wireless
Networking
Wireless Standards
Wireless Concepts
Wireless Devices
WPA
WEP
H ki Methods
Hacking
M th d
C ki WEP
Cracking
R
Rogue
A
Access Point
P i t
Wireless Security
Tools
Sniffing
ff
Tools
l
Scanning Tools
l
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Wardriving
Driving around to look for open wireless networks
WarFlying
y g
Flying around to look for open wireless networks
WarChalking
A method used to draw symbols in public places to
advertise an open Wi-Fi wireless network
Using chalk to identify available open networks
Word in this technique are formed by analogy to
wardriving
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
St 4: Crack
Step
C k th
the WEP key
k
Step 5: Sniff
iff the
h network
k
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Bluejacking
Bluejacking is the art of sending unsolicited messages over Bluetooth to Bluetooth-enabled
devices such as PDA and mobile phones
A loophole in the initialization stage of the Bluetooth communication protocol enables this
attack
Before starting the communication, both the Bluetooth devices exchange information
during an initial handshake period
In this period, initiating Bluetooth devices name is necessary to be displayed on other
devices screen
Initiating device sends a user defined field to the target device
An attacker hacks and uses this field to send the unsolicited messages on the target device
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Eavesdropping
Manipulating
Eavesdropping:
Happens when an attacker
receives a data
communication stream
g securityy
Not using
mechanisms such as Ipsec,
SSH, or SSL makes data
vulnerable to an unauthorized
use
user
Manipulation:
An extended step of
eavesdropping
Can
C b
be d
done b
by ARP
poisoning
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Denial-of-Service Attacks
Wireless LANs are susceptible to the same protocol
protocol-based
based attacks that plague
wired LANs
WLANs send information via radio waves on public frequencies, making them
susceptible to inadvertent or deliberate interference from traffic using the same
radio band
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Introduction to Wireless
Networking
Wireless Standards
Wireless Concepts
Wireless Devices
WPA
WEP
H ki Methods
Hacking
M th d
C ki WEP
Cracking
R
Rogue
A
Access Point
P i t
Wireless Security
Tools
Sniffing
ff
Tools
l
Scanning Tools
l
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Cracking WEP
P i attacks:
Passive
tt k
The presence of the attacker does not change
traffic until WEP has been cracked
traffic,
Active attacks:
Active attacks increase the risk of being detected,
but are more capable
If an active attack is reasonable (i.e., the risk of
detection is disregarded), the goal is to stimulate
traffic:
Collects more pads and uses of weak IVs
Some attacks require only one pad
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Attack
FMS (Fluhrer et al. 2001) cryptographic attack on WEP
Practicality demonstrated by Stubblefield et al. (2001)
Collection of the first encrypted octet of several million
packets
Exploits:
WEPcrack (Rager 2001)
Airsnort (Bruestle et al. 2001)
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
KisMAC
Kismet
EC-Council
Easy
Easy-to-use,
to use, flexible, and sophisticated analyzer
Implementations
p
of the FMA attack
Swiss-army knife
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Pad-Collection Attacks
There is (should be) a different pad for every encrypted
packet that is sent between an AP and a station
By mapping pads to IVs, you can build up a
table and skip the RC4 step:
The stream is never longer than 1500 bytes (the maximum
Ethernet frame size)
The 24 bit-IV provides 16,777,216 (256^3) possible streams, so all
the pads can fit inside 25,165,824,000 bytes (23.4 GB)
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
XOR Encryption
0 XOR 0 =
1 XOR 0 =
1 XOR 1 =
(z XOR y)
(z XOR y)
0
1
0
XOR z = y
XOR y = z
Works
k independently
i d
d l when
h z or y iis the
h
plaintext, "pad, or ciphertext
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Stream Cipher
Given an IV and secret key, the stream of bytes (pad) produced
i always
is
l
the
h same:
Pad XOR plaintext = ciphertext
If an IV is ever reused
reused, then the pad is the same
Knowing all pads is equivalent to knowing the secret
Application to WEP:
The pad is generated from the combination between the IV and
the WEP key passed through RC4
Knowing all pads is equivalent to knowing the 40 or 104-bit
secret:
"Weak"
Weak IVs reveal additional information about the secret
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Tool: AirPcap
AirPcap enables troubleshooting tools like Wireshark (formerly WireShark)
and
d WinDump
p to
op
provide
o d information
o
o about
bo the wireless p
protocols
o o o and
d radio
do
signals
It is the first open, affordable, and easy to deploy WLAN (802.11b/g) packet
capture solution for the Windows platform
It comes as a USB 2.0 adapter, and it has been fully integrated with WinPcap
and Wireshark
It enables you to capture and analyze:
802.11b/g
802 11b/ wireless
i l
traffic
t ffi
Control frames
Management frames
Power information
Source: http://www.cacetech.com/
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
AirPcap (contd)
Features:
Complete visibility on your wireless
networks
Portable and versatile
Easyy to set up
p
Easy to use
The performance you need
Ready to power your application
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
AirPcap: Screenshot 1
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
AirPcap: Screenshot 2
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
AirPcap: Screenshot 3
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
AirPcap: Screenshot 4
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Features:
Password decoders to immediately decode encrypted passwords from
several sources
WEP Cracker can quickly recover 64-bit and 128-bit WEP keys if enough
q WEP IVs are available
unique
Wireless Scanner detects Wireless Local Area Networks (WLANs) using
802.11x
802.11 capture files decoder can decode wireless capture files from
Wireshark and/or Airodump-ng containing WEP or WPA-PSK encrypted
802 11 frames
802.11
f
Wireless zero configuration password dumper
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Kismet: Screenshot
Source: www.kismetwireless.net
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Introduction to Wireless
Networking
Wireless Standards
Wireless Concepts
Wireless Devices
WPA
WEP
H ki Methods
Hacking
M th d
C ki WEP
Cracking
R
Rogue
A
Access Point
P i t
Wireless Security
Tools
Sniffing
ff
Tools
l
Scanning Tools
l
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Source: http://www.blackalchemy.to/
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Netstumbler is a high-level
g
WLAN scanner. It operates
p
byy sending
g a steadyy
stream of broadcast packets on all possible channels
EC-Council
Signal Strength
MAC Address
SS
SSID
Channel details
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Netstumbler: Screenshot
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Introduction to Wireless
Networking
Wireless Standards
Wireless Concepts
Wireless Devices
WPA
WEP
H ki Methods
Hacking
M th d
C ki WEP
Cracking
R
Rogue
A
Access Point
P i t
Wireless Security
Tools
Sniffing
ff
Tools
l
Scanning Tools
l
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Scanning Tools
PrismStumbler
MacStumbler
Mognet
WaveStumbler
AP Scanner
Wireless Security Auditor
Ai T f
AirTraf
Wifi Finder
eEye Retina WiFI
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
wlanScanner
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Introduction to Wireless
Networking
Wireless Standards
Wireless Concepts
Wireless Devices
WPA
WEP
H ki Methods
Hacking
M th d
C ki WEP
Cracking
R
Rogue
A
Access Point
P i t
Wireless Security
Tools
Sniffing
ff
Tools
l
Scanning Tools
l
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Sniffing Tools
AiroPeek
NAI Wireless Sniffer
WireShark
VPNmonitorl
Aerosol
vxSniffer
iff
EtherPEG
DriftNet
WinDump
ssidsniff
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Introduction to Wireless
Networking
Wireless Standards
Wireless Concepts
Wireless Devices
WPA
WEP
H ki Methods
Hacking
M th d
C ki WEP
Cracking
R
Rogue
A
Access Point
P i t
Wireless Security
Tools
Sniffing
ff
Tools
l
Scanning Tools
l
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
AirDefense Guard
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Tool: RogueScanner
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Summary
A wireless network enables a mobile user to connect to a LAN through a wireless (radio)
connection
Wired Equivalent Privacy (WEP) is designed to provide a WLAN with a level of security
and privacy comparable to what is usually expected of a wired LAN
It is vulnerable because of relatively short IVs and keys that remain static
Even if WEP is enabled, an attacker can easily sniff MAC addresses as they appear in
the clear format. Spoofing MAC addresses is also easy
Wireless networks are vulnerable to DoS attacks
Wireless network security can adopt a suitable strategy of MAC address filtering,
filtering
firewalling, or a combination of protocol-based measures
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited