
Securing a Wireless Network - WPA Attacked and Defended


Outline
Objectives
Wireless Networks and Security
WEP and problems in WEP
WPA and problems in WPA
The Attack
Defense techniques
WPA2
Conclusion
Summer Training Program (www.wegversity.com/stp)
Objectives
Study WPA

Find a way to attack WPA

Finally, find some techniques to defend against this attack

Wireless Networks and Security
What are Wireless Networks?
A wireless network is the way that a computer is connected to a
router without a physical link.

What is the need?


Facilitates mobility. You can use lengthy wires instead, but
someone might trip over them.

Wireless Networks and Security
Why security?
An attacker may hack a victim's personal computer and steal his/her
personal pictures and documents, or may perform illegal
activities or crimes using the victim's machine and ID.

Wireless Networks and Security
Three security approaches:
WEP (Wired Equivalent Privacy)
WPA (Wi-Fi Protected Access)
WPA2 (Wi-Fi Protected Access, Version 2)

Each has two generations named Enterprise and Personal.

WEP and its problems
Designed to provide the security of a wired LAN by encrypting
traffic with the RC4 algorithm on both sides of a data
communication.

Problems:
The IV is short (24 bits) and is reused
Problems in the RC4 algorithm
Easy forging of authentication messages [1]

WPA
Enterprise WPA or Commercial WPA: Authentication is performed
by an 802.1X authentication server, providing control and
security for users' traffic on the wireless network. No shared
key.

Personal WPA or WPA-PSK (Pre-Shared Key): Avoids the
authentication server; uses the encryption key only once, while
initiating the session, in a 4-way authentication. [2]

Improvements:
A cryptographic message integrity code, or MIC, to defeat
forgeries.
A new IV sequencing authority, to avoid replay attacks.
A per-packet key mixing function, to de-correlate the public
IVs from weak keys.
A rekeying mechanism, to provide fresh encryption and
integrity keys, undoing the threat of attacks stemming from
key reuse. [2]

Problem
Attacking a WPA-PSK network is possible.

Tools like WPA cracker and Cowpatty are available.

Both perform a brute-force dictionary attack against WPA-PSK
networks in an attempt to determine the shared passphrase. [2]

The Attack
airmon-ng
macchanger -s [Interface]
airodump-ng [The hacker's station interface]
airodump-ng --bssid [MAC of Router] -w [FILENAME] -c [CHANNEL] [ADAPTER]
aireplay-ng -0 15 -a [MAC OF ROUTER] -c [MAC OF SYSTEM ON NETWORK] [ADAPTER]
aircrack-ng -e [ESSID - Name of network] -w [WORDLIST] [FILENAME.cap]

Tools Description: aircrack-ng
aircrack-ng is an 802.11 WEP and WPA-PSK key-cracking
program that can recover keys once enough data packets
have been captured.

It implements the standard FMS attack along with some
optimizations like KoreK attacks, as well as the all-new PTW
attack, thus making the attack much faster compared to other
WEP cracking tools.

Tools Description: aircrack-ng
The primary function is to generate traffic for later use in
aircrack-ng for cracking the WEP and WPA-PSK keys.

There are different attacks which can cause deauthentications
for the purpose of capturing WPA handshake data, fake
authentications, interactive packet replay, hand-crafted ARP
request injection and ARP-request reinjection.

With the packetforge-ng tool it's possible to create arbitrary
frames.

Tools Description: macchanger -s
In some situations you need to fake / change / spoof a MAC
address of your network interface.

The macchanger Linux command does this job in no time. With
this tool you can change the MAC address of any Ethernet
network device, wired or wireless.

Tools Description: airodump-ng
Airodump-ng is used for capturing raw 802.11
frames and is particularly suitable for collecting WEP IVs
(Initialization Vectors) with the intent of using them with
aircrack-ng. If you have a GPS receiver connected to the
computer, airodump-ng is capable of logging the coordinates
of the found access points.

Defense
None of the attack methods is fast or effective when a
longer passphrase is used.
Hide SSID
MAC filtering: maintain an access control list
Not allowing MAC de-authentication
Letter-envelop protocol [4]
Stop attacker from acquiring client signals
iJam [5]
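
Added example (not part of the original slides) for the first defense above: a passphrase audit to run before a WPA-PSK passphrase is set on an access point. It derives the key the way WPA-PSK does (PBKDF2-HMAC-SHA1 with the SSID as salt) and estimates the average exhaustive-search time. The guess rate, the acceptance threshold and the three-entry wordlist are assumptions made up for this example.

```python
import hashlib
import math

# Assumptions for this example, not figures from the slides.
ASSUMED_GUESSES_PER_SECOND = 100_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600
CONSTRUCTED_WORDLIST = {"password", "12345678", "letmein123"}  # constructed sample

def validate(passphrase: str) -> None:
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    validate(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def alphabet_size(passphrase: str) -> int:
    """Size of the character set an exhaustive search would have to cover."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33))
    return sum(n for test, n in classes if any(test(c) for c in passphrase))

def search_bits(passphrase: str) -> float:
    """Upper bound on entropy; it only holds if the characters were chosen at random."""
    return len(passphrase) * math.log2(alphabet_size(passphrase))

def expected_years(passphrase: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Average exhaustive-search time: half the key space at `rate` PBKDF2 guesses/s."""
    return 2 ** (search_bits(passphrase) - 1) / rate / SECONDS_PER_YEAR

def audit(passphrase: str) -> str:
    """Classify a candidate passphrase before it is set on an access point."""
    validate(passphrase)
    if passphrase.lower() in CONSTRUCTED_WORDLIST:
        return "reject: dictionary word"
    if expected_years(passphrase) < 1000:
        return "reject: search space too small"
    return "accept"

if __name__ == "__main__":
    print(wpa_pmk("password", "IEEE").hex())
    for p in ("password", "qzvkxwpy", "qzvkxwpyqzvkxwpy"):
        print(f"{p!r}: {search_bits(p):.1f} bits -> {audit(p)}")
```

Doubling a random lowercase passphrase from 8 to 16 characters moves the estimate from days to billions of years at the assumed rate, while a dictionary word is rejected regardless of length.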

WPA 2
WPA2, like WPA, supports two modes of security, sometimes
referred to as home user and corporate.

In home user mode a pre-shared secret is used, much like
WEP or WPA.

Use of AES for encryption is a good choice.

WPA 2
The corporate security is based on 802.1X, the EAP
authentication framework (including RADIUS), one of several
EAP types (such as EAP-TLS, which provides a much stronger
authentication system), and secure key distribution.

Home user security introduces the same security problems
present in WEP and WPA-PSK. [3]

Conclusion
We show that WPA can also be attacked and we can defend
against such an attack by following the approaches
mentioned.

Thank you!!
