Strategies for Breaking Wireless Protocols
Disclaimer: This dissertation has been submitted by a student. This is not an example of the work written by our professional dissertation writers. You can view samples of our professional work here.
Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of UK Essays.
CHAPTER 1 - INTRODUCTION
Starting of wireless Network is a result of a research Project carried out by University of Hawaii. Initially it's called as Aloha net, but later it used to call as Wireless Local Area Network or WLAN. At the beginning of aloha net, is capable of transferring 1 to 2 mbps data.
But over the last few years aloha net changed to WLAN and it came with so many enhancements to the initial technology.
Newer days, wireless networks become more popular than the wired networks. The main reason for this is, wireless networks are high in portability and the flexibility, increased productivity, and lower installation cost.
Wireless Network Devices let Users to move their laptops from one place to another without warring about their network connectivity. Minimizing the wiring gives the maximum flexibility over the network and it reduces the wiring cost for the whole network infrastructure.
However, when we comparing the security factor, wireless networks are more vulnerable to attack by outsider than the wired network. Main reason for this is, anyone can see and make the initial connection through the wireless network. But establishing the initial connection in a wired network is bit difficult than the wireless network.
Loss of confidentiality like password cracking and man in the middle attacks are typically associated with wireless networks. Some other way, this kind of attack can easily practise in wireless Networks rather than the wired network.
Even though a wireless network has this kind of problems, it's not a failed concept. The main reason for that is we can protect a wireless network in maximum and make invincible from unauthorised users or attackers.
Configuring the wireless devices correctly and accurately can minimize the attacks. We are going to discuss about this topic in future.
Breaking wireless protocols is the main objective in this project. Mostly the WEP, WPA and WPA2 will be my major preference. So the goal of this research is break the wireless protocol and get data from the wireless devices and the network.
1.2.1 Comparison of Hacking Tools Available.
There are lots of tools that can use to hack a wireless protocol. Some of the tools are very user friendly. We can install it on our Windows Based Systems and it does our work very easily. Those tools are 100% Graphical User Interface and very easy to use. AirCrack-ng Windows version is the common example.
But Some Other tools are available; we need to have some technical knowledge to use those tools. Mainly those tools run on command base mode and running platform is Linux. These tools do not provide any graphical user Interface, and bit difficult to learn without any proper guidance. But the final result is very accurate than the windows version.
The major difference between these two types of tool's are the software which runs on linux is more accurate than the Windows version. So I have decided to use Linux version hacking software to carry out my testing.
But to hack a wireless network we need few of software to download from the internet. And then we can install those on a Linux machine and we can start the research. But, I think it's very easy to use a one operating System rather than struggling with lots of software's. So I decided to download latest version of worlds famous Hacking Operating System “Back Track”. It has built in hacking tools that need to hack a wireless network.
1.2.2 Downloading related software.
Back Track is free to download, and it's open source. Anyone can download Back Track from its developer's web site www.backtrack-linux.org for free. So I have downloaded the latest version of Back Track v4 to carry out my research. We will discuss about BackTrack in further chapters.
1.2.3 Cracking WEP Using AirCrack-ng
In order to crack a WEP Password, I have chosen few amazing tool. That is BackTrack 4 Hacking Operating System. It has all the hacking tools to crack a WEP Network. Airodump-ng can use to get the information about the wireless network and then I can use the Aircrack-ng to crack the password.
1.2.4 Cracking WPA Using AirCrack-ng
We Can Use the same Process to Crack the WPA using AirCrack-ng. Same as in WEP I am going to use the Airodump-ng and Airoreply-ng to collect all the information's about the wireless Network and AirCrack-ng to decrypt the Password.
1.2.5 Cracking WPA2 Using Cowpatty
In here, I am going to use a special cracking Software to crack WPA2. The software is Cowpatty. Cowpatty bit different than Aircrack-ng. And cowpatty specially designed to crack WPA and WPA2 Passwords.
All these tools are built-in tools which we can find in the BackTrack4 Linux based operating system. So I don't need to download these software's from the internet.
1.3 Dissertation Structure
This Documentation mainly divided in to 4 Main Chapters. Including entire Practical and theoretical concepts.
Chapter 1: Introduction
In this section, I am going to give a introduction about what is wireless Network, Start of the Wireless Network and Basic Problems that wireless Networks faced. In the Second Section explain about the whole Research objectives and aims.
Chapter 02: Literature Review
This Chapter Consist all the theoretical information's relating to my research. In here I am discussing about wireless Networks and it's Types, Wireless Network Devices, Security Methods that WLAN Uses, WLAN Security Protocols, Deep discussion about WEP, WPA and WPA2, Protocol Hacking tools like Air Crack-ng, Cowpatty, and Hacking Methods that use by the Hacking tools. Eg: Dictionary Attacks, Brute Force Attacks etc.
Chapter 03: Methodology
In here, I am going to show my Practical Work that I have done all over my research. Installing the Hacking OS, Use of Hacking tools, Problems Faced all over the project and the final results will be my main concerns.
Chapter 04: Result and Discussions
In this section I am comparing all the results I have gain all over my project.
Chapter 05: Conclusions
This Chapter will be my conclusions of the Research. In here i am planning to compare my final result and the objectives in my initial project proposal.
CHAPTER 02 - Literature Survey
2.1 Wireless Networks
Wireless Networks enables to communicate devices without any physical media. These Networks are divided to three main categories according to their communication level. Those are, Wireless Local Area Network, Wireless Wide Area Network, Wireless Personnel Area Network.
Wireless Wide Area Network has larger coverage than the WLAN and WPAN. WWAN uses 2G or 3G Cell Phone Networks to connect each and every device in the network. WLAN represents local area network that connected using wireless access point or a wireless router includes 802.11. WPAN is a small network topology. This includes Bluetooth and Infrared technologies.
2.1.1 Wireless Local Area Networks
As I Mentioned earlier, Wireless LANs has more portability and flexibility over traditional Wires Local Area Networks. In WLAN, All the Computer's and other devices connect to each other using Wireless Access Points also called as AP's. And Access points communicated with the Wireless Network Adaptors that fixed in to computers. Access Points normally has coverage are up to 75-100 meter's. In that area users can move their laptops and other wireless devices while maintaining their network connections. We can connect access points together and expand the wireless LAN's coverage.
In my thesis, I am going to discuss more about wireless LAN in further chapters.
2.1.2 Wireless Wide Area Networks
This is the most familiar wireless Network type for everyone. This network's are Combination's of few WLAN's. In these networks, Antenna's acts as the access point for all WLAN's. There are connections between Antennas to Antennas, to expand the Service of the network.
Mobile Phone Networks also a good example for WWAN Networks.
2.1.3 Wireless Personnel Area Networks
These Networks are so smaller when comparing to the other networks. It does not give much coverage as other 2 network type we discuss earlier. And this network does not require Main Access Point to make the connection with other WPAN Devices. Source WPAN device directly connect to the other WPAN device when it's needs to transfer data.
2.2 Wireless Local Area Networks
This is the most important topic of my thesis. We are going to discuss about this topic all over the project. As I mentioned in my objective's I am going to analyse the security of WLAN and Break few of WLAN Protocols. Before that we need to get a clear Idea about “What is WLAN?” and “How it operates?”
WLAN is same as the wired Local Area Network. But the only difference is, its using wireless method to connect all devices. WLAN combined with the Client Station and the Wireless Access point.
The Client Station connects to the AP (Access point) using the wireless Network Adaptor. We can connect the wireless adaptor to the computer using Personal Computer Memory Card International (PCMCIA) slot or using the USB Port.
IEEE 802.11 is the Standard of WLAN technology. The coverage of the Wireless network totally relay on the Strength of the Wireless Access Point. Normally it's can covers up to 75-100 meters circular area.
2.2.1 Architecture of 802.11 Standards
This architecture allows initiating a peer to peer connection between Client Station and the wireless Network based on access point in an infrastructure network (WLAN). The coverage area of an access point called as a “Cell”. A Cell also called as “Basic Service Set” (BSS). The collection other cells of the infrastructure network called as Extended Service Set (ESS).Any access point that work with 802.11 standards has this 2 data sets for their functionality.
BSS is the most important data set in the Access point. BSS contain all the information about wireless Network. This is the security key negotiation protocol of the Access point. BSS consist of AP's Hardware name, Communication protocol information's, Signal strength etc.
The Access Point identify in the WLAN using a specific identifier. This is called as “Basic Service Set Identifier” (BSSID). When Laptop or any other wireless device needs to connect to wireless network via access point, the guest station (Eg: Laptop) searches for the available access points in the area by releasing discovery packets. If there any access points available, AP's respond to the guest station by sending the BSSID.
Normally BSSID is in a Human Readable format. BSSID also called as “AP Name or Router Name” by Technical personal's. This identifier always represents a Specific Access point. Likewise each and every access point of the network has its own BSSID.
BSSID is very important to accomplish my main objective of the project. We need to retrieve the router's BSSID before we crack the router's password. We can discuss about the retrieving methods in future chapters.
2.2.2 Advantages of WLAN's
Following are the advantages.
- Increased Mobility- Users can be mobile while accessing to all the network resources.
- Fast Installation - Installation of the network is very quick since there no adding wires like wired network.
- Flexibility - anyone can easily install and uninstall a small wireless Network.
2.2.3 Wireless Protocols Use in Wireless Networks
There are 3 main wireless protocols use by the 802.11x wireless networks. Those are,
Wired Equivalent Privacy
This Protocol primarily protect the WLAN uses being a victim from eavesdropping. WEP uses 64 bit RC4 key to generate encrypted data and then those encrypted data transferred over the network.
Wi-Fi Protected Access -
This is introduced by the Wi-Fi Alliance to overcome certain restrictions in WEP. This uses Temporal Key Integrity Protocol (TKIP) to encrypt the wireless data packets.
Wi-Fi Protected Access Version 2 -
This is the latest movement in wireless LAN Protocols. Only the Difference is WPA 2 introduces new AES algorithm to be much more secure than the WPA.
These 3 protocols widely using in wireless Networks. Every protocol has significant advantages and disadvantages. In the next chapter I am going to illustrate features, advantages and disadvantages of each and every protocol.
2.2.4 Wired Equivalent Privacy (WEP)
WEP is an authentication protocol that use in 802.11 wireless networks to secure all the transmitting data. This protocol introduced in 1997 and main intention was increasing the confidentiality of the data than wired network. Any wireless network that uses WEP encrypt the data packets using RC4 cipher stream generated by a 64 bit RC4 key.
IEEE 802.11 has few basic features when it comes to Security. These concerns provide a better security for the wireless environment. This all security elements embedded in to the wireless network protocols. Following are the basic security concerns in a wireless Network.
This is the main goal of the wireless protocols. This means identifying the Client Station by using a password. If any client station failed to comply with this requirement the AP will deny giving the access to the Client Station.
In here, the data should not be changed while it transmitting from the AP and/or to the AP. That mean those data should not be a victim of active attack.
in this goal, the Protocol should protect the security of all data elements that transmit. In other word, the data should not be a victim of passive attacks.
802.11 Networks have 2 kinds of authentication methods. “Open System Authentication” and “Shared Key Authentication”.
Open System Authentication
Shared Key Authentication
Any Client Station can join The Station should Provide the
To the network without authentication Network password in order to join
In Open system authentication does not use any cryptographic password to gain access to the network. Any client station can connect to the network and use the network resources. As an example, Internet facility's in a public locations like Air Port or a Bus Station. In these places anyone can connect their Laptop or PDA's to the Wireless Access Point and start browse the internet. No Password required at all to login to the network.
In open system method, the client station sends its MAC address just as a reference to the Access point. Then the AP makes that client as a member of that AP's network. The major problem with this authentication mode is it's vulnerable to attack.
Shared key authentication is password based authentication model. The client must have the password to make the connection with AP. when client made a request to the AP that asking the connection, the AP generate a challenge and send it to the client station. If the client station responds to that challenge correctly AP gives the permission to be a member of wireless network. Figure 2.7 give the clear idea about the Shared Key authentication.
Confirm the Result
802.11 Standards also concerns about the integrity of the data transmitted. This always checks the data content whether it got changed while happening the transmitting process. It uses Cyclic Redundancy Check (CRC) approach to check the content of data. Once the CRC completed those data encrypted by using the RC4 key Stream. On the receiving end, data will be decrypted and again check for CRC to check the integrity of the data. If the receiving end CRC value does not match with the initial CRC value the data will be rejected and retransmitting will be required.
WEP Uses an algorithm called Stream Cipher to encrypt all the data. It expand short version of key in to a random key stream. The sender encrypts the Plain text along with the Short key and creates the cipher text. In the receiver end has the same short key to decrypt the data. Once the data stream received by the recipient, it uses the short key to generates cipher text back to plain text.
If one data bit lost on its way to the destination, the decryption process will mislead the data in to incorrect information. To prevent this problem WEP has “Cyclic Redundancy Check” to keep up the Message Integrity correctly.
802.11 standards use cryptographic techniques to support Privacy. It uses RC4 Symmetric Key's to protect the data. Normally 802.11 standards support different cryptographic key lengths to protect the data from a attack.
Generally, WEP supports 40 bit cryptographic key size for the shared key. But numerous vendors support different key sizes like 104 bits and 128 bits. Increasing the key size increases the security of the cryptographic technique.
184.108.40.206 Problems with WEP
Even though WEP has so many security measurements to protect the transmitting data, it has few failures. These failures make the way, an attacker to break the security of WEP and lost the Integrity and privacy of the transmitting data using WEP.
220.127.116.11.1 Shared WEP Key
WEP Uses single security key to Access the network. So this key should be distributed to all the users who access the network. So this security key might go to an attacker very easily who trying to get the access to the network.
18.104.22.168.2 WEP Key Size
As I mentioned earlier, WEP uses 40 bit Cryptographic Key Size. This key can be crack very easily regardless of the time. So the encryption key is not sufficient to provide a better security for data.
2.2.5 Wi-Fi Protected Access
This is a WLAN protocol created by the Wi-Fi alliance. This is created because of several weakness of the WEP Protocol. WPA has some advanced features when comparing with WEP. To get the optimum performance from the WPA,
The WPA protocol implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. Specifically, the Temporal Key Integrity Protocol (TKIP), was brought into WPA. TKIP could be implemented on pre-WPA wireless network interface cards that began shipping as far back as 1999 through firmware upgrades. Because the changes required fewer modifications on the client than on the wireless access point, most pre-2003 APs could not be upgraded to support WPA with TKIP. Researchers have since discovered a flaw in TKIP that relied on older weaknesses to retrieve the key stream from short packets to use for re-injection and spoofing. [wiki/WPA]
22.214.171.124 Features of WPA
WPA uses Temporal Key Management (TKIP) as its Key encryption system. WPA does, Data Encryption and Discretion based on TKIP technology. It uses 128 bits for encryption using RC4 cipher.
126.96.36.199 Temporal Key Management
TKIP along with the WPA has introduced three security features to overcome some security issues that come with WEP networks. TKIP mixing the security key with the initialization vector before it pass it to the cipher routine. In our case TKIP uses RC4 as the cipher. This method avoids certain kind of key attacks that came along with WEP. And then, WPA protects the data packets against reply attacks by implementing a sequence counter to the data stream. Finally its implements a message integrity check called “MIC” to check the consistency of the data stream.
As i mentioned earlier, TKIP uses Rivest Cipher 4 (RC 4) as its cipher. Rekeying, also an important feature of TKIP. And the most important feature is TKIP always ensure to send data with a Unique Encryption key.
But in certain situations it uses same mechanism like WEP. So TKIP also vulnerable to some kind of attacks which WEP faces. Any how the advance development of Message Integrity Check, Isolated Key Hashing on every packet, Sequence Counter prevents those attacks successfully.
The Best thing is TKIP resolving most of the problems came along with the WEP. The next section discuss about that.
188.8.131.52 Michael Message Integrity Code
Unlike WEP, WPA uses special feature to check the integrity of the transmitted message. This is called as Message Integrity Code (MIC). This is also called as Michel. This is a short cryptographic checksum that use to authenticate a message. This is also known as Message Authentication Code (MAC).
This is a 64 bit algorithm that controls several types of attacks like, Splicing Attacks, Payload Truncation, and Fragmentation Attacks.
184.108.40.206 Extensible Authentication Protocol (EAP)
EAP is an Authentication Method that widely use in wireless networks. This is not specifically designed for wireless networks. This can be use to authentication in wired network as well.
EAP use to transmit the packets containing Authentication information's. WPA and WPA2 Networks supports 5 EAP Authentication Mechanisms as it Authentication Standards. Those are, EAP-TLS, EAP-SIM, EAP-AKA, PEAP, LEAP.
EAP-Transport Layer Security is well known among Protocol for wireless communication. TLS provide very strong confidentiality for the User Credentials. This uses PKI to secure the communication between the AP and the RADIUS Server.
EAP-TLS is the original, standard wireless LAN EAP authentication protocol. Although it is rarely deployed, it is still considered one of the most secure EAP standards available and is universally supported by all manufacturers of wireless LAN hardware and software. [Wiki/EAP]
A compromised password is not enough to break into EAP-TLS enabled systems because the hacker still needs to have the client-side private key. The highest security available is when client-side keys are housed in smart cards. This is because there is no way to steal a certificate's corresponding private key from a smart card without stealing the card itself. [Wiki/EAP]
EAP for Subscriber Identity Module used for authentication and Session key distribution using the Global System for Mobile Communication (GSM) SIM. [Wiki/EAP]
EAP for Authentication and Key Management Agreement is used for Authentication and session key distributing using the Universal Mobile Telecommunication System (UMTS). [wiki / EAP]
is a joint proposal by Cisco Systems, Microsoft and RSA Security as an open standard. It is already widely available in products, and provides very good security. It is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication. [Wiki/EAP]
There were two PEAP sub-types certified for the updated WPA and WPA2 standard. They are:
The terms PEAPv0 and PEAPv1 refer to the outer authentication method, the mechanism that creates the secure TLS tunnel to protect subsequent authentication transactions. EAP-MSCHAPv2, EAP-GTC, and EAP-SIM refer to the inner authentication method which facilitates user or device authentication. [Wiki/EAP]
The Lightweight Extensible Authentication Protocol (LEAP)
A proprietary EAP method developed by Cisco Systems prior to the IEEE ratification of the 802.11i security standard. [Wiki/EAP]
LEAP uses a modified version of MS-CHAP, an authentication protocol in which user credentials are not strongly protected and are thus easily compromised. Along these lines, an exploit tool called ASLEAP. [wiki/EAP]
2.2.6 Wi-Fi Protected Access 2
WPA 2 implements IEEE 802.11i standards same as the WPA. WPA 2 supports Advanced Encryption Standards as the encryption cipher. This is an encryption standard that implement by US Government. 3 block of ciphers available in the AES. Those are AES 128, AES 192, and AES 256.
In WPA2, Advanced Encryption Standards using counter Mode-Cipher Block Channing to provide the high confidentiality to the data. [Microsoft]
WPA2 architecture must contain following network components to provide better security to the network. An Authentication Server to authenticate the users, Robust Security Network to maintain the pathways of associations, and AES based methodology to provide the privacy, integrity and authentication.
The authentication server holds all the user name and passwords of the users of wireless network.
When a user wants to connect to a network that uses WPA, The User must provide His / her identical user name and password when the network asks for it. Then the AP sends that information's to the Authentication server to verify the validity of the user to access network resources. Once the authentication server gave a positive feedback, the user allows connecting to the network otherwise the request will be discarded.
220.127.116.11 The Four way Hand Shake
The Authentication Process has 2 Parts, the access point (AP) still needs to authenticate itself to the client station (STA), and keys to encrypt the traffic need to be derived. The earlier EAP exchange has provided the shared secret key PMK (Pair wise Master Key). This key is, however, designed to last the entire session and should be exposed as little as possible. 
Therefore the four-way handshake is used to establish another key called the PTK (Pairwise Transient Key). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The product is then put through a cryptographic hash function. 
The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are depicted in the figure and explained below: 
18.104.22.168 Group Key Hand Shake
The GTK used in the network may need to be updated due to the expiry of a preset timer. When a device leaves the network, the GTK also needs to be updated. This is to prevent the device from receiving any more multicast or broadcast messages from the AP. 
To handle the updating, 802.11i defines a Group Key Handshake that consists of a two-way handshake: 
The AP sends the new GTK to each STA in the network. The GTK is encrypted using the KEK assigned to that STA and protects the data from being tampered using a MIC. The STA acknowledges the new GTK and replies to the AP. 
2.3 Differences between WEP, WPA and WPA2
2.3.1 Encryption Methods
WEP uses only one encryption method for the whole network, but in WPA, encryptions are dedicated for every user. One user has its own encryption method.
In WEP Authentication, it uses Open or Shared key authentication method. In WPA operates on Pre-Shared Key Method. As well as WPA uses an authentication server to validate the user and it using EAP to send all the information's to the Server. But WEP does not use any authentication server.
2.3.3 Security Protocols and Key Streams
WEP uses WEP as their Security protocol. This is a primary wireless protocol that has few loop hols for attackers, in WPA use Temporal Key Integrity Management as the security protocol. WPA 2 uses bit advanced security protocol than both of the WEP and WPA. It uses Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP).
WPA and WEP both use Rivest Cipher 4 as their cipher, but WPA 2 uses Advanced Encryption Standards. WEP uses 40 and 104 bits key length for the encryption key. WPA use 128 bit for the encryption and 64 bit for the Authentication. WPA2 uses 128 bit key streams for the both Encryption and the authentication.
2.3.4 Data Integrity and Key Generation
WEP use Cyclic Redundancy Check 32 bit Method to check the Integrity of the data. WPA use Michael Message Integrity Code to check the integrity of data. WPA2 has CBC-MAC for that operation.
WEP does the key generation by using Concatenation. In WPA used “Two phase mixing function (both TKIP and RC4)”. WPA2 doesn't require any key generation.
2.4 Security Threats Associated with Wireless Networks
As Discussed above, nowadays wireless networks become more popular than the wired networks. Many organisations including Commercial Companies, Hospital's, government offices and most of the houses use wireless networks to facilitate different services. But the problem is WLAN are not 100 percent protective from attacks. 802.11x networks are vulnerable to certain attacks. There are thousands of papers and reports available in the internet that describes those kinds of attacks and security threats to WLANs. These security threats mainly target on Confidentiality, Integrity and Network availability.
WLAN attacks normally divide in to 2 types. Those are “Active Attacks” and“Passive Attacks”. Then those 2 main classes sub divided into types of attacks.
2.4.1 Active Attacks
Active attacks are the most dangerous attack type. In here, hacker or the unauthorised party gain access to the system and do the modifications to the system or the message transmitting. This outcome a receiving an incorrect message stream or a file to the recipient. Active attacks result a loss of integrity of the network. Active attacks are possible to detect by using special software like packet monitors. But the problem associated with this kind of attacks are, it's difficult to prevent these kinds of attacks.
Active attacks can be sub categorised in to 4 Methods of attacking. Following explain those,
In here, Attacker imitates as an authorised user in the network and gains the access to the network. This kind of attacks can be happened in few ways. The first consideration is authorised user give away the password to an unknown person or a group of people. So automatically they are possible to get access to the system.
The other consideration is hacker can use some software pieces to collect the passwords or access keys of authorised users. There are many methods to perform this kind of attack. Installing Key Board Activities Recording software is a very successful method to collect these kinds of information's.
The Attacker can monitor the transmissions of the source and destination machines and re transmit the information's as a legitimate user. So the attacker's computer acts as the Source and destination accordingly, to get the actual source and Destination's information's.
Reply attacks are offline attacks. The attacker first gathers all the data and then later decrypts that information. This information's could be users authentication session information's that carries WLAN password.
22.214.171.124 Message Modification
In here, attacker tries to modify a particular message or information's. This could results a transmitting wrong information's to the legitimate user.
126.96.36.199 Denial of Service
This is a very popular attack type and very easily does in a WLAN environment. The main goal of this attack is make the network unavailable to the users. it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely [wiki]. This attacks cause Loss of Network availability.
This can be done by sending a huge traffic to the Access Point and making it unable to respond. [IASTED 2004].
2.4.2 Passive Attacks
In these kinds of attacks attacker will get in to the system and does not modify anything in it. Normally the attacker will go through all the information's and takes out whatever the thing that attacker needs. Following are the types of Passive Attacks.
In here, attacker discloses the message and read the content. If the message is encrypt, the attacker will decrypt it. Mainly in this attack he/she can gain 2 important things about the information's. Those are message session information's and packet characteristics. These attacks mainly influence for Data Privacy of the network.
188.8.131.52 Traffic Analysis
The first step of any hacking is gathering the information's that need to hack. These kind of attacks use to gather those information that relating to the WLAN. As an example, Wireless Protocols being use by the network, available access points, MAC address and SSID information etc.
As we discussed above, any network attack bring 3 main kinds of risks to the entire network. These risks categorised in to 3 types. Those are, Loss of Confidentiality, Loss of Integrity, Loss of Network availability.
2.4.3 Loss of Confidentiality
Confidentiality is most important aspect for any organisation. But the confidentiality is more difficult security requirement to achieve in wireless network. Eavesdropping may cause major impact on organisations confidentiality. Attacks like eavesdropping, Traffic analysis may cause huge damage to a company's data privacy and protection of data which available in the network.
2.4.4 Loss of Integrity
If a hacker, modified or a delete data in a network, that called as loss of integrity. This happens because of a successful active attack. As we discuss in previous topics, WEP uses cyclic redundancy check to check the validity and the correctness of data packets. So changing the message's CRC values may bring this kind of risks. These risks might results a delivering wrong information's or incomplete information's to the recipient.
2.4.5 Loss of Network Availability
Loss of network availability might happen mainly because of DoS attack. Such as jamming to the network signals or a shutting down the access point,
No malicious users can also cause DoS attack. A user, for instance, may unintentionally dominate a wireless signal by downloading large files, effectively denying other users access to the network. As a result, agency security policies should limit the types and amounts of data that users are able to download on wireless networks. 
2.5 Hacking Wireless Protocols
As we discussed above, there are 3 main protocols use in WLAN's like WEP, WPA and WPA2. These all protocols are vulnerable for attack. According to the facts that I have found so far, all 3 protocols are possible to crack and retrieve the passwords and other sensitive information's. Next few topics of this part, I am going to explain the methods of hacking and tool that going to use for hacking.
There many ways to hack a wireless network. We can download hacking tools from the internet and get install in the system. Then we can perform the hacking on any network. But my way is bit fancy way than others. I am going to use an operating system and built-in tools in that OS. This operating system developed security penetration testing's, not only wireless network but also any kind network related issue.
is a Linux distribution distributed as a Live CD which resulted from the merger of WHAX (previously Whoppix) and the Auditor Security Collection, which is used for penetration testing. It allows the user to include customizable scripts, additional tools and configurable kernels in personalized distributions. The BackTrack project was created by Mati Aharoni and Max Moser and is a collaborative effort involving the community. [wiki/backtrack]
BackTrack 2 was released on March 6, 2007 and includes over 300 security tools. A beta version of BackTrack 3 was released on December 14, 2007, but it was announced that its main focus was to support more and newer hardware as well as provide more flexibility and modularity. [wiki/backtrack]
BackTrack 3 was released on June 19, 2008. New additions include SAINT and Maltego. Nessus was not included in this release, and the developers decided not to upgrade from kernel version 184.108.40.206. [wiki/backtrack]
BackTrack 4 Beta was released on February 11, 2009, with the biggest change being the move to Debian. [wiki/backtrack]
BackTrack 4 pre-release was released on 19 June 2009. [Wiki/backtrack]
BackTrack 4 Final Release was released on 11 January 2010. [Wiki/backtrack]
2.5.2 Tools in BackTrack 4
We need use of few tools to accomplish our objectives. All those tool are built in Back Track operating system. So we do not need to bother about downloading hacking tools from the internet. Now we are going to discuss about the hacking tools that I am going to use in further chapters.
This tool use to enable the Monitor Mode on the wireless adaptor. Generally wireless adaptors can transfer information's to the access point and received information from the access point. But to hack a wireless network we need to enable monitoring mode on the wireless adaptor. Monitor mode tells wireless adaptor to perform a passive attack on the wireless signal range.
There are 2 purposes using this tool. The first one is this tool use to gather information about the wireless access points. When we perform the attack we have to run this tool, once we run this, it gives all the information's like SSID, MAC Address, Security Protocol it uses and the channel it use to communicate with others etc. Then we can determine which kind of attack to perform based on that information's.
Secondly, we have to run this tool again, along with the targeted access point information's like SSID, Channel no etc. Then we can tell this programme to save all the information that its getting from the access point to a data file. This file called as “Dump File”. Once we completed both stages, we have a file full of security and authentication information's of the targeted access point.
But, there is a small issue when dealing with this tool. That is, this tool can collect authentication information only in a certain times. Airodump-ng can collect the authentication information's when a new client connecting to the access point. Or if a existing client accidentally disconnect from the access point and when it re connecting airodump-ng can collect authentication information's. But the next tools give the solution for this issue.
As we discussed earlier this tool resolve the problem came along with airodump-ng tool.
This tool use to disconnect all the client stations in a specific access point. Once we run this tool with the access point MAC address, it will disconnect all the station in the specified access point. Once it happened, all the clients tiring to reconnect to the access point again. At that time we can run the Airodump-ng and collect all the authentication information's of the access point.
This tool is a very important tool for the hacking. This tool use to crack WEP, WPA and WPA2 Security Protocols. Actually this tool use to decrypt the encrypted authentication information file in to plain text. In another way, we can decrypt the password from this tool easily. As we discussed earlier, once we run the airodump-ng, it save all the information's to a file. If we run that file along with the AirCrack-ng, it can decrypt the password easily.
This tool specifically designed to hack WPA and WPA2. But the process is same as the AirCrack-ng. Only the difference is this tool can decrypt the passwords using rainbow table rather than using a dictionary to get the password.
2.5.3 Summery ofHacking Tools
In Above, shows the most important tools in Backtrack that use to hack a Wireless Network. But the most important thing is the way you use to decrypt the password. That's the only thing that can be changed all over the process. As a nutshell, first we can enable the monitor mode on our wireless adaptor, and then we have to run the airodump-ng to get access point information's. Once it shows all the information's of AP, we can run the airodump-ng again with the specific Access point information's to collect all the authentication information's.
Next running the Airoreply-ng will results disconnecting of all the clients of the access points. While clients tiring to reconnect to the AP, Airodump-ng get a chance to collect the entire authentication information's to a file in the hard disk.
Then we can run AirCrack-ng or CoWPAtty to decrypt all the information's and retrieve the password of the access point.
2.5.4 Types of Hacking Methods
Once we collect all the information's to a file, we can decrypt that file to retrieve the password. As I explained above, we have 2 types of tools to decrypt these files. But these tools use different ways to decrypt the Hash Files (Authentication Information File). There are 2 popular ways to decrypt a hash file. Those are, Dictionary Attack, Rainbow Tables.
220.127.116.11 Dictionary Attack
Dictionary attack is a very popular cracking method in any form of hacking. In here, the tool uses a dictionary to determine the password. According to our case, once we run the cracking tools (Aircrack or cowpatty) it will first get the encrypted key of the password. And then it compares that key with the dictionary's password keys. If the tool found a same key in the dictionary same as in the hash file, it can decrypt the password.
18.104.22.168 Rainbow Tables
A rainbow table
is a lookup table offering a time-memory trade-off used in recovering the plaintext password from a password hash generated by a hash function, often a cryptographic hash function. A common application is to make attacks against hashed passwords feasible. [Wiki/Rainbowtables]
CHAPTER 3 - Research Methodology
This is a total case base study. I have implemented my own wireless network at my home by using 2 laptops and 1 Netgear DG834G wireless router to test the entire task that I have mentioned in objectives. One laptop acting as the attacker, that laptop equip with the Netgear WG111v2 USB wireless Adaptor. The other laptop (Victim) has the built in wireless adaptor and connected to the wireless router. Those are the hardware specification in my testing network.
When considering about the Software Specification, I have already download the BackTrack 4 pre release version from the developer's web site for free. And I am going to run Back Track as a Virtual PC in my laptop by using the VMWare Workstation. I have downloaded the VMWare Work Station from their official Web Site (www.vmware.com).
Security Level of each Protocol will be tested separately, to achieve the objectives accordingly. The most important thing is this project only targeted on Home Based Wireless Routers that store the password and all the configuration information on router itself. Hacking a enterprise Level Router is quite different task than this. We are going to discuss about this in later chapters.
Finally, this stage of the project is 100% Practical based task. All the conclusions and the recommendations totally depend on the results of this project.
Chapter 4 - Hacking Wireless Protocols
As I mentioned earlier, I have already deployed my home wireless network with a wireless router that supports all WEP, WPA and WPA2 protocols. And I have installed BackTrack 4 as a virtual machine on my laptop using VMWare Workstation. Now everything is ready to carry out the testing's.
4.1.1 Problems Faced in the Initial Stage.
In the first stage of the testing's I have assumed that I can use my built in wireless adaptor in my laptop, with BackTrack and VMWare. But unfortunately VMWare does not support built in wireless adaptors in their Virtual Machines. VMWare support only USB Wireless Adaptors. So only the solution that I had to choose is buying a New USB Wireless Adaptor that supports VMWare and BackTrack both.
4.1.2 Finding a Compatible Wireless Adaptor
Normally we cannot use any wireless adaptor in the market to hack a wireless network. The adaptor should support Packet Injection and Packet Monitoring. There are few wireless adaptors that meet the requirement. So I had to find a supporting wireless Adaptor to start the phase one of the project.
I have gone through the BackTrack Developers web site to find compatible wireless adaptors. Compatible guide give about 200 USB Wireless Adaptors that Support BackTrack. Finally, I decided to buy the Net gear WG111v2 Adaptor that support both Packet Injection and Monitoring with Back Track Perfectly.
Netgear WG111v2 has Realtec RTL8187 Chipset. This is a perfect wireless adaptor for the packet injection specially, and not much expensive either. Now I am equipped with all the hardware accessories I need and successfully solved the initial problems.
4.2 VMWare Workstation
VMWare is a well known Virtualisation console. So I am going to install my hacking Operating System (Back Track) in my laptop as a virtual machine by using VMWare. So I can keep my existing Operating System as it is, and use back track as the secondary operating system in my laptop.
4.2.1 Downloading and InstallingVMWare Workstation
VMWare workstation is not Open license software. But for Students, it can download for free. Before that He / She must get register with their official web site (www.vmware.com). Then they will give you an evaluation license of VMWare just for educational purposes. Or else anyone can download the VMWare Player for free. But VMWare Work Station has many options and configuration utilities than VMWare player. So my recommendation is to download the VMWare WorkStation instead VMWare Player. The difference between these two is, we can use VMWare Workstation to create new virtual machines, configure network settings, configure virtual machine hard disk etc. But VMWare Player use to just run the virtual machine.
Once we download the VMWare workstation we have to get install it in our PC or the Laptop. This won't take much longer. (Appendix 1 to 5 - Installing VMWare Workstation)
4.2.2 Getting Start VMWare.
Figure 3.1 shows the initial screen of VMWare workstation. It is very user friendly and very easy to use. The left pane of the main window shows the virtual machines that I have installed already. Right Pane shows the virtual machines details of selected machine. In this image it's “BackTrack”. Just one click on the “Play” Button will start the selected virtual machine.
Appendix 6 shows starting of a VMWare virtual machine.
4.3 Using Back Track 4 as a Virtual Machine
As I mentioned in my objectives, I have downloaded the Back Track 4 from the BackTrack Developers web site (http://www.backtrack-linux.org/downloads/). There are 2 downloads available in this site. The first one is Back Track ISO Image, this is use to write a back track live CD and we can use it in our computer directly without any harm to your existing operating system. Just insert the CD in to your CD ROM Drive and change your BIOS Boot Order in to “CD-ROM”. Then boot up the machine. It will boot up your new Backtrack Operating System instead of your existing operating system. or you can use the ISO image with VMWare Workstation as well. Download the image in the hard disk and run VMWare. then Connect the ISO image to VMWare Console.
The Second available option is, Back Track VMWare Virtual Hard Disk. This is a virtual hard disk with BackTrack Operating System pre-installed. Download this in to your computer and run it through VMWare Workstation or VMWare Player. The operating system will loaded in seconds.
There are 2 major differences between both ISO and Virtual Hard Disk files. equally the files can run through VMWare Workstation. But the changes you making during the OS Running Periods cannot be saved permanently in ISO Image. Once you shut down the ISO Image all the saved configurations will go off. But the Virtual Hard Disk won't do that. It saves all the changes permanently. The settings will not go off once the Virtual Machine Shut Down.
In My Case Study I have downloaded ISO Image of BackTrack v4 and I am going to run it through VMWare Workstation.
Booting Up BackTrack 4
Initial Booting up process for the BT4 is same as Linux. Figure 3.2 shows the Booting up process of BackTrack4.
BackTrack 4 has 3 Main User Modes. Each mode performs different tasks in each stage. Once switched it on, it's booting up to “Basic User Mode”. The next mode is admin mode. To logon to the admin mode from the basic user mode, Type “root” on command Prompt. Then it will ask for the password. If you download the Backtrack from Back Track Developers web site, The Password will be “toor”. Appendix 7 Shows the Basic User mode.
The Next Mode is “Admin Mode” also called as Administrative console. If someone has the authority to admin console, they can do anything to the operating system. Appendix 8 Shows The “Admin Mode”.
The Most Important Mode is “X Mode”. Also called as, Graphical User Interface (GUI). This is another admin mode with all the windows, mouse Pointers and real graphics same as windows. Only the difference between Admin Mode and X Mode is, X Mode Support GUI. Other all are same. To logon to the X Mode type “Startx” on the Prompt. Appendix 9 - Loading of X Mode.
Once the X Mode Loading is finished, it's come to the Desktop. Then we can continue our work in a real GUI same as in Linux GUI or Windows.
4.4 Steps of Hacking
Cracking a protocol is not a single step. It's a combination of few tasks and combination of few tools. Next we are going to discuss about that. Normally we have to use about 5 tools to complete the hacking part.
4.4.1 Monitoring the Network
The first step is changing our wireless adaptor to monitor mode. Normally all wireless adaptors set to work as browsing mode. That's mean; wireless adaptor can use just to transfer data. But to do our task we need to set our adaptor to monitor mode. Once we start the monitor mode on our adaptor, it can use to packet injection and monitor packet contents.
The tool that I am going to use is “Airmon-ng”. Figure 3.5 shows the command that use to setup adaptors mode to monitor mode.
Airmon-ng start wlan0
“wlan0” is wireless adaptors name. Sometimes the adaptor name might be another name, actually it is depend on the model of thadaptor you are using. But for all net gear products the adaptor name shows as “wlan0”.
4.4.2 Retrieving router Information's
The next step is looking for the victim's router. If we have pre determined victim, we have to get all the router information's first. These includes, router SSID channel BSSID, Channel, Security method that the router use etc. for that we can use “Airodump-ng” tool.
This tool can use for 2 purposes. First one is getting the basic information's. The second one for gather the information's to a file. Our first objective is identify the router. For that we have to use the below command.
After we run this command on the prompt, it gives all the information's about available wireless routers.
Using above screen we can determine all the information's relating to the victims router. This allows us to get all the technical details of the router.
4.4.3 Gathering Information's from the router
The Second purpose of Airodump-ng is Gathering information's from the targeted access point or a router. The details we took from the first step are very helpful in this stage. This command tells to write all the details to a file once it retrieved.
Airodump-ng -c 11 -w IroWPA --bssid
: This switch use to specify the Communicating Channel. According to our example, victim's router use Channel 11 to communicate with others.
This switch use to write all the information's to a file. The file name specified along with the switch. According to our example the file name is “IroWPA”.
This Switch use to specify the victim Access Points MAC Address.
If you closely look at the “Data” column on figure 3.7, you can see we haven't received any data yet. The reason for that is no one transmitted any authentication information's to the router. In this case we need to wait until someone communicates with the router to get those information's. Or else;
ack gives another fascinating tool to make clients to communicate with router. The Tool Called as “Aireplay-ng”. Using this tool, we can force router to disconnect all the client machines. That way we are making all the clients to communicate with router, to restore their connection. So then we can get whatever the necessary information's. This whole process called as “De-authentication”. Figure 3.8 Shows the De-authentication process using Aireplay-ng.
Aireplay-ng -0 15 -a 00:18:4D:40:78:AA wlan0
In here, switch “-0” specify the no of de authentication packets to be sent to the router. “-a” tells the victim routers MAC Address. Wlan0 is the source who controls the process.
4.4.5 Getting Ready to Crack the Password
Now we have made all the clients to communicate with router. Look at the Figure 3.9 the “Data” has gathered some data packets. If you compare the top right corner of both figure 3.7 and 3.9 you will noticed a difference between those 2 screen shots.
Obviously, we have received WPA Handshake of our victim. We can see it on the top right corner of the figure 3.9 says, “WPA Handshake” with our victims MAC Address. This means we have captured enough data packets to crack the password.
After we received the WPA Handshake, Press “ctrl+c” and stop the Capturing Process. Now we have a file full of authentication data of our Victims router.
4.5 Cracking WPA
Back Track has 2 kinds of tools to crack. AirCrack-ng and cowpatty are the built in cracking tools in back track. Both tools are equally good. But the performance is bit different. Cowpatty takes bit longer to crack a password than Aircrack. That is the main difference between those tools.
4.5.1 Setting up the Router to use WPA
Before crack WPA in our Testing network, we have to set our router to use WPA as their security protocol. And then only we can crack it. Figure 3.10 shows the router configuration just few minutes before I Cracked the WPA using both Aircrack and cowpatty.
shows the routers password and the Security protocol that going to use to accomplish the first goal of my research. I have Set the Password in to “Password”and Set the protocol to “WPA”.
4.5.2 Cracking WPA UsingCoWPAtty
Once we received the file with the WPA handshake as I describe in 3.4.5, we have to decrypt that file using a password cracking tool. Now I am going to crack the password using cowpatty. Below, shows the command that used to crack the password.
./cowpatty -r root/WPA-01.cap -f dict -s wlan0
Switch “-r” specify the cap or the dump file that contain the WPA handshake. Switch “-f” shows the location that password dictionary where stored. Switch “-s” shows the source. According to this example the source is our wireless adaptor.
4.5.3 Crack WPA Using AirCrack-ng
Following is the command that use to decrypt a password using Aircrack.
Aircrack-ng root/WPA-01.cap -w /root/pentest/wireless/AirCrack-ng/test/password.lst
In here, first we have to specify the capture file name, and then the place where the file saved. Figure 4.11 shows the result of my practical work. In there i have successfully decrypted the WPA password using Aircrack-ng.
Both AirCrack-ng and Cowpatty gave the same password that shown in the router configuration settings page. (Figure 4.9) So I Hope Cracking WPA is Succeed.
4.6 Crack WPA2
Cracking WPA2 also same as Cracking WPA. It uses similar procedures and also similar tools to get the information's and to crack the password.
4.6.1 Setting up the router to use WPA2
As the first step, I have changed my wireless router's security to use WPA2 instead of WPA. Figure 4.12 shows the Security Configuration on the router. I have set the routers Security in to WPA2. And I have Given the Password as “password” (all Letters are lower case). The Protocol set to WPA2.
4.6.2 Cracking WPA2 using CoWPAtty
The first step is retrieving WPA handshake using Airodump-ng. Once you received the handshake it is very easy to crack the password using AirCrack-ng and cowpatty. The similarity of cracking both WPA and WPA2 is, the commands are all same even if you use any software. We can use the same command that we use to crack WPA. Figure 4.13 shows the cracked WPA2 password using cowpatty..
Now you can see the password of the wireless router and the result given by the cowpatty are same.
4.6.3 Cracking WPA2 Using Aircrack-ng
To Crack WPA2 using Aircrack we have to use the same commands that we used to crack WPA. so I am Not going to mention those command again in here.
Cracking WPA2 Using cowpatty and Aircrack-ng was successful. Both tools gave the exact password that I specified in the wireless router. (Figure 4.12)
4.7 Cracking WEP
Cracking WEP bit different than cracking WPA and WPA2, The different comes with the De Authentication Process. In WPA and WPA2 we can directly send the De-Authentication packets using aireplay-ng to the router and disconnect all the clients from the router.
But in WEP Network, we cannot directly send De-Authentication packets to the router. First we have to associate our wireless adaptor to the Wireless router. Figure 4.15 shows the Association process in a WEP Network using aireplay-ng. Below shows, the Command that use to associate WEP Clients.
aireplay-ng -1 0 -a BSSIDOFTHEVICTIM -h BSSIDOFTHEADAPTOR -e NAMEOFTHEAP wlan0
Switch “-1” tells the program to start Association. “-a” switch use to specify the MAC Address of Wireless router and “-h” use to specify the MAC address of wireless adaptor. Finally we have to specify the Wireless Adaptors Interface to start the Process.
And then we can run the De-Authentication Process to disconnect all the clients from the wireless router. Figure 4.16 shows that. The commands using in WEP De-Authentication is bit different than WPA De-Authentication. The Command shown below,
aireplay-ng -3 -b VICTIMBSSID -h ADAPTORBSSID wlan0
Switch “-3” tells the Program to Start sending De-Authentication Packets. “-b” specifies the Victim router and “-h” specifies the Adaptors BSSID. “Wlan0” is Adaptor Interface.
Once we start to run this program, Airodump-ng starts to collect authentication information's. Normally we need 10000 to 15000 data packets to crack a WEP Password. Some time we need only 5000 data packets, it depends on the communication type between the victim router and its clients. Anyway, i have collected 18000 data packets to crack the password. Figure 4.17 shows the result of Airodump-ng.
Unlike WPA, Airodump-ng does not show any authentication handshake here. In WEP it shows as Data Packets. If we collect more than 18000 data packets we can stop running airodump-ng by pressing ctrl-c. Then we can crack the password. It's very easy to collect 18000data packets if you run the Association and De-Authentication process correctly.
Running Airodump-ng was discussed in Section 4.4.3. We can use those commands as it is.
4.7.1 Setting Up the Router to Use WEP
I have set my router to use WEP as the security protocol, before I Crack the password. WEP key Length set as 64bit and it uses 10 Hex digits. That means the key must have 10 keys. So I have given the key as “1234567890”.
4.7.2 Cracking WEP Using AirCrack-ng
Unlike WPA, Aircrack uses different switch set to crack WEP. Below shows, The command with all switches.
aircrack-ng -n 64 -b VICTIMBSSID WEPFILENAME.cap
Switch “-n” specifies the key length that support by the WEP. According to my router I have set the key length as 64bit. If the router supports 128key length we have to change this switch value in to 128.
“-b” use to specify the Victim Routers MAC address or the BSSID. Finally we have to indicate the Capture file that we gave to gather all the authentication information in airodump-ng. Then it will decrypt the password for you.
4.8 Summery of Hacking WPA.WPA2 and WEP
As we in the whole chapter hacking these protocols is not an easy task. We should have a clear idea about the tools that we have to use and all the commands. But its very easy to do this once you know all the commands properly and bit of knowledge of Linux.
The initial steps of hacking protocols are same. Running Airmon-ng, Airodump-ng etc. but we need to use a different way to de authenticate the Routers that uses WEP as their Security Protocol. We need to associate our adaptor with that router and send the de-authentication packets.
But we can directly send the De-Authentication packets to the router, if the router using WPA and WPA2.
When discussing about Password Cracking, Aircrack-ng uses same switches to crack WPA and WPA2 protocols. But to crack WEP it uses different Switch Set.
There are no any other differences Hacking These 3 protocols.
CHAPTER 5 - Future Work
Anyone can protect their wireless networks very easily Even though above objectives were successful. I don't want to underestimate the WEP or WPA security mechanisms in this research. Both Security Mechanisms are good enough to protect a network from unauthorised attack. Generally these kinds of attacks happen when the users are not aware of certain security countermeasures that they have to take while they are managing a wireless network. These are very important even if you have a Home Wireless Network or a Enterprise network.
We are going to discuss about those steps in detail.
Countermeasures divide in to 2 those are, Management Countermeasuresand Technical Countermeasures.
6.1 Management Countermeasures
Any Industrial Organisation must have a Company Security Policy to protect their networks. This policy should not concern only one part of the network. As well as this policy must compliance with other two countermeasures as well. But in here I am going to discuss about Management countermeasures that relating to Wireless Network.
- Utilize Standard Security Setting for all access points.
- Provide Physical Security for the Access Points
- Identify the Users who connecting to WLAN.
- Provide guide lines for Encryption and key management
The management make sure to properly train all the personals to use of wireless networ
Cite This Dissertation
To export a reference to this article please select a referencing stye below: