Defending Wireless Networks Against Rogue Access Points Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

The documentation part is almost done. Since the project cannot proceed without the permission of the REC, the experiment and survey could not be conducted for many days. After the approval from the REC committee on 22nd September 2010, I plan to conduct the experiment on 28th of September. As the other parts of the documentation were already done, only filling in the data and the corresponding conclusion remains, which will be an easier task.

Problem areas

The issue is the time constraint: as the REC people took almost 40 days to decide about the project, the time for conducting the experiment was limited. But I can avoid applying for an extension by finishing the experiment by 28th of September and filling the appropriate data into the already completed document.

Key work during the next period

Conducting the experiment and survey, then correlating the results and concluding with an appropriate suggestion.



In this digital era, information is considered a crucial asset for both the public and corporations. In earlier days information was held as physical files and folders, secured by physical security such as locks and security guards. Today it is important to secure these digital assets both physically and electronically. Earlier, commercial transactions were commodity for commodity, followed by commodity for money, but nowadays these transactions are processed electronically: money is mostly transacted as digital 1s and 0s.

On the other hand, as technology develops, people tend to switch from traditional wired networks to modern wireless networks. This not only increases the flexibility and comfort of users but also increases the insecurity of internet communication. Whenever a technology has an advantage, it obviously has a disadvantage on the other hand.

Wireless internet is used by both the public and organizations, and accordingly both face the wireless threat. In the case of the public, whenever people have access to a free public Wi-Fi connection they tend to use it, without knowing that they are being exploited. Wireless hackers with malicious intent try to create an access point which is very similar to a well-known free Wi-Fi access point; for instance, BT Openzone can be impersonated by BT 0penzone or BT openzone.

In the above example the upper-case O is replaced by the digit 0 or by a lower-case o, which users find difficult to differentiate as they usually do not notice it and fall for the free internet. Once they fall for it they tend to check emails, bank accounts, etc., without knowing that they are being sniffed. Once they are compromised they are exploited, and their hard-earned money is transferred electronically by financial fraudsters. Sometimes terrorists also take this unfair advantage to exploit user weaknesses by creating fake access points and sending emails from the victim's email id, sometimes even from the victim's computer.

In the case of organizations, these could be government offices, corporate offices, etc. Attackers, and some malicious employees, install unauthorized access points called rogue access points; using these rogue access points they create a backdoor entry for the attacker, also for industrial espionage purposes. Organizations which really take an interest in information security survive these attacks; the rest fail to protect their company's digital assets.

Protecting a strong network is easy, because organizations that care about their information security resist these attacks by detecting rogue access points using security software. On the other hand, protecting an open network (an open network used by the public) is the greater task, as malicious rogue access points cannot be determined easily. To address this, the project deals with how rogue access points are created physically and logically, with methods to suppress rogue access points, and recommends solutions for these social issues.


To physically create a rogue access point

To logically create a rogue access point

To analyse the security issues associated with rogue access point

To explore different ways of creating rogue access points.

To create awareness about access point exploits.

To suggest solutions for fixing the rogue access point issue




Computer networks are broadly classified into wired networks and wireless networks. When communication becomes wireless, the physical control over the data transferred becomes uncertain, which gives rise to the security issue. According to the security level of the wireless communication, wireless networks are again classified into two kinds, namely open networks (unsecured) and closed networks (secured).

Open Network:

When there is no securing method (encryption) between the two communicating devices, the wireless network is considered an open network. The classic example of this type of network is the Wi-Fi hotspot, where one can have a free internet connection. It does not require any password to authenticate users. Also, some access points (routers) do not have any authentication technique to differentiate between authenticated users and illegitimate users of that particular access point.

Closed Network

When there is a securing method (encryption) between the two communicating devices, the wireless network is considered a secured or closed network. In wireless networks there are two main encryption methods, namely WEP and WPA.

Some important security protocols to be considered when deploying wireless LANs:

WEP (Wired Equivalent Privacy)

It is an encryption technology used to provide data integrity for wireless communications. It stands for Wired Equivalent Privacy; this is the first encryption method developed in the IEEE 802.11 standard in order to provide a securing mechanism for the unsecured networks available at the time. Unfortunately this type of encryption is considered the weakest mode of encryption. In this encryption technique the data frames of the communication consist of a payload which is encrypted by the network interface card before transmission. At the other end the receiving terminal reverses the encryption (decrypts) and accesses the frames. This is why it is called Wired Equivalent Privacy; it wishes to

When a key is used for authentication purposes, the authentication exchange carries the data in plain text instead of cipher text, so the WEP authentication method is least preferred, as a cracker can easily crack the password within a few minutes. This type of encryption still exists only because something is better than nothing, but unfortunately many access points still use the WEP encryption technique.

The vulnerability of the WEP encryption technique grows with time. By a specific method called active packet injection, the time to crack the encryption literally went down from an hour to a few seconds. On the other hand, even where WEP cracking takes an hour or more, nobody has employed an automatic technique to refresh the encryption keys periodically, and apparently the same encryption keys remain unchanged for ages. This makes it so vulnerable that it cannot be preferred at all. In spite of all these vulnerabilities and issues with adopting WEP, it still exists because certain companies cannot afford the migration from WEP to WPA encryption.

WPA (Wi-Fi Protected Access)

Wi-Fi Protected Access is a Wi-Fi standard designed to improve upon the security features of WEP. The technology is designed to work with existing Wi-Fi products that have been enabled with WEP. In order to overcome the flaws of WEP encryption, the Wi-Fi Alliance introduced this alternative method of securing the wireless network, using an encryption protocol called Temporal Key Integrity Protocol (TKIP). Initially they implemented WPA encryption on the same hardware with TKIP, but TKIP has generic flaws in its design. Hence they developed another encryption standard, WPA2, with the AES algorithm (Advanced Encryption Standard); this type of encryption requires newer hardware, and some WEP users could not afford the WPA transition. This made room for WEP even though it is considered the weakest method of securing a wireless network.

(Johnny Cache and Vincent Liu, McGraw-Hill, 2007)

TKIP (Temporal Key Integrity Protocol)

Temporal Key Integrity Protocol was developed by the IEEE 802.11i standards committee as a WEP improvement.

EAP (Extensible Authentication Protocol)

It is a framework employed by 802.1X to permit a wide variety of authentication mechanisms. EAP is built around a challenge-response communication paradigm. There are several EAP variants on the market.

Cisco Wireless EAP (LEAP)

EAP authentication developed by Cisco to provide dynamic per-user, per-session WEP encryption keys. LEAP includes Cisco's proprietary extensions to 802.1X to share authentication data between Cisco Aironet wireless LAN access points and the Cisco Secure Access Control Server.

PEAP (Protected EAP)

Protected Extensible Authentication Protocol, developed by Microsoft, Cisco and RSA Security, is now an IETF draft standard. PEAP encrypts authentication data using a tunnelling method and supports a variety of different authentication methods, including logon passwords and one-time passwords.

EAP-TLS (Transport Layer Security)

An authentication method based on the TLS protocol. TLS uses mutual authentication based on X.509 certificates.

Tunnelled Transport Layer Security (TTLS)

TTLS, which was developed by Funk Software and Certicom, is now an IETF draft standard. It is an alternative to PEAP. With all the above standards and interoperation requirements, security planning remains an essential part of wireless LAN design.

Rogue Access Point

A rogue access point is an unauthorized access point connected to a network without the authorization of the administrator. This is done in order to perform a man-in-the-middle attack, through which an intruder can gain access to the compromised network.
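The look-alike SSID trick described earlier (BT Openzone versus BT 0penzone) and the rogue access point definition above are both things a site survey can check for automatically. The following is an added example, not part of the essay or of any tool it names: it classifies observed beacons against a constructed inventory of authorized APs (SSID, owned BSSIDs, minimum security), flagging exact-SSID radios we do not own as evil twins, homoglyph or case variants of a trusted SSID as look-alikes, and owned radios running below policy as weak. The inventory, MAC addresses and scan results are all constructed sample data.

```python
"""Classify observed Wi-Fi beacons against an inventory of authorized APs.

Added example, not from the essay. Sample inventory and scan results below
are constructed; nothing here talks to a real radio.
"""
from dataclasses import dataclass
import unicodedata

# Digit/letter swaps the essay describes (BT Openzone vs BT 0penzone), plus a
# few more common ones. Only single-character substitutions are covered.
_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "8": "b"})

# Ordering used to decide whether an AP is weaker than policy demands.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


def canonical_ssid(ssid: str) -> str:
    """Fold case, accents, whitespace and look-alike characters so that
    'BT Openzone', 'bt openzone' and 'BT 0penzone' all compare equal."""
    decomposed = unicodedata.normalize("NFKD", ssid)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(stripped.casefold().translate(_LOOKALIKES).split())


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # radio MAC as seen in the beacon, any case
    security: str   # one of SECURITY_RANK's keys


@dataclass(frozen=True)
class TrustedNet:
    bssids: frozenset   # MACs of the radios we own for this SSID
    min_security: str   # weakest security that policy allows for this SSID


def classify(beacon: Beacon, inventory: dict) -> str:
    """Return AUTHORIZED, WEAK_SECURITY, EVIL_TWIN, LOOKALIKE_SSID or UNKNOWN.

    Caveat: BSSIDs can be spoofed (MAC spoofing), so AUTHORIZED means
    'matches the inventory', not proof that the radio is ours."""
    bssid = beacon.bssid.lower()
    trusted = inventory.get(beacon.ssid)
    if trusted is not None:
        if bssid not in trusted.bssids:
            return "EVIL_TWIN"          # our exact SSID from a radio we do not own
        if SECURITY_RANK[beacon.security] < SECURITY_RANK[trusted.min_security]:
            return "WEAK_SECURITY"      # our radio, but downgraded below policy
        return "AUTHORIZED"
    wanted = canonical_ssid(beacon.ssid)
    if any(canonical_ssid(name) == wanted for name in inventory):
        return "LOOKALIKE_SSID"         # homoglyph / case variant of a trusted SSID
    return "UNKNOWN"                    # neighbouring network, not ours to judge


def survey(beacons, inventory) -> dict:
    """Map each observed BSSID (lower-cased) to its classification."""
    return {b.bssid.lower(): classify(b, inventory) for b in beacons}


# Constructed inventory: a public hotspot (open by design) and a corporate WLAN.
INVENTORY = {
    "BT Openzone": TrustedNet(frozenset({"00:11:22:33:44:55"}), "OPEN"),
    "CorpWLAN": TrustedNet(frozenset({"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}), "WPA2"),
}

# Constructed scan results, as a site-survey tool might report them.
SAMPLE_SCAN = [
    Beacon("BT Openzone", "00:11:22:33:44:55", "OPEN"),   # genuine hotspot
    Beacon("BT 0penzone", "66:77:88:99:AA:BB", "OPEN"),   # digit zero for letter O
    Beacon("CorpWLAN", "de:ad:be:ef:00:01", "WPA2"),      # right name, foreign radio
    Beacon("CorpWLAN", "aa:bb:cc:dd:ee:02", "WEP"),       # our radio, misconfigured
    Beacon("CoffeeShop", "12:34:56:78:9a:bc", "WPA2"),    # unrelated neighbour
]

if __name__ == "__main__":
    for bssid, verdict in survey(SAMPLE_SCAN, INVENTORY).items():
        print(f"{bssid}  {verdict}")
```

A WIDS would add signals this table cannot give (signal strength, channel, whether the BSSID is reachable on the wired side), since a spoofed BSSID defeats the inventory match on its own.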


Today's enterprises are looking for wireless solutions that drive business processes much faster. The key challenge is to increase the productivity of employees who work away from their workstations. These users need access to information in all possible workplaces without the limitation of being physically connected. These trends increasingly drive business environments defined by mobile workforces and concrete organizations. Being mobile can increase the productivity of employees exponentially. On average, wireless LAN users tend to be connected one and a half more hours per business day, which in turn enables the average user to be more productive.

The following are the major security risks known in wireless networks:

Insertion Attacks

A user may bring unauthorized wireless devices and place them on the wireless network without going through a security process. Thus, with an unsecured implementation, a user may gain access to all network resources integrated with the wireless LAN. This has lately become one of the predominant attack vectors in the industry.

Interception and monitoring of wireless traffic

An unauthorized user can make use of wireless sniffers to monitor communication traffic, as the device only needs to be within range of the access point.

Misconfiguration

Improper configuration of wireless devices may mean loss of communication. On the other hand, a weak password on an access point may allow unauthorized clients to guess session passwords and obtain connectivity to internal networks when they are in range of the WLAN. Gartner Research has predicted that misconfiguration will account for an estimated 70% of successful wireless LAN attacks through the year 2010 and after.

Default Configuration

One of the predominantly known attack vectors in the arena is the default configuration attack. This attack is possible because the end user/client does not take any step to prevent access by outsiders or unauthorized users and to secure the sensitive data or network. Also, 76% of internet attack vectors happen because devices, applications, appliances, etc. are left with their default configuration. List of compiled default login information:


It is a method in which loss of communication occurs when illegitimate traffic overrides the RF frequencies used by wireless devices; as a result legitimate traffic can be neither received nor transmitted, and this leads to chaos.

Rogue Access Points (RAP)

A RAP is an access point that is not authorized for operation by one or a group of users, but is often abused to gain access.

Client-to-Client Attacks

Two wireless clients can talk directly to each other, bypassing the access point. Because of this, each client must protect itself from other clients. Companies have to develop the right security policies to safeguard their wireless and wired networks. To prevent the above attacks and exploits, it is necessary to encrypt wireless LAN data communication as well as provide the necessary mechanisms in each session for additional security. To address these security concerns and allow wide deployment of wireless LAN networks, many security protocols have been developed over the past few years.

Security Attacks known in wireless networks:

Access control attacks are attacks that attempt to intrude into a network by using wireless access or by circumventing WLAN access control measures, such as access points, MAC filters and 802.1X port access controls.

Access Control Attacks

Type of attack | Description
War Driving | Discovering wireless LANs by listening to beacons or sending probe requests, thereby providing a launch point for further attacks.
Rogue Access Points | Installing an unsecured AP inside the firewall, creating an open backdoor into the trusted network.
MAC Spoofing | Reconfiguring an attacker's MAC address to pose as an authorized AP or station.
802.1X RADIUS Cracking | Recovering the RADIUS secret by brute force from 802.1X access requests, for use by an evil twin AP.

A confidentiality attack is an attack vector in which the attacker tries to steal confidential information such as usernames, passwords, credit card numbers and data in emails, etc., so that the data can be used for malicious purposes. Confidentiality attacks mostly go unnoticed because the attacker copies the data rather than changing it.

Confidentiality Attacks

Type of attack | Description
 | Capturing and decoding unprotected application traffic to obtain potentially sensitive information.
WEP Key Cracking | Capturing data to recover a WEP key using brute force or Fluhrer-Mantin-Shamir (FMS) cryptanalysis.
Evil Twin AP | Masquerading as an authorized AP by beaconing the WLAN's service set identifier (SSID) to lure users.
AP Phishing | Running a phony portal or web server on an evil twin AP to "phish" for user logins and credit card numbers.
Man in the Middle | Running traditional man-in-the-middle attack tools on an evil twin AP to intercept TCP sessions or SSL/SSH tunnels.

Data integrity is always a concern for information security professionals, since it plays a vital part in the CIA triad. Most of these attacks happen at the packet level, so that detecting them becomes a herculean task.

Integrity Attacks

Type of attack | Description
802.11 Frame Injection | Crafting and sending forged 802.11 frames.
802.11 Data Replay | Capturing 802.11 data frames for later (modified) replay.
802.11 Data Deletion | Jamming an intended receiver to prevent delivery while simultaneously spoofing ACKs for the deleted data frames.
802.1X EAP Replay | Capturing 802.1X Extensible Authentication Protocol messages (e.g., EAP Identity, Success, Failure) for later replay.
802.1X RADIUS Replay | Capturing RADIUS Access-Accept or Access-Reject messages for later replay.

Authentication attacks are attack vectors that have been prevalent for a very long time now, and they remain among the most sought-after attacks in current scenarios too, since attackers are interested in identity theft and access to personal information.

Authentication Attacks

Type of attack | Description
Shared Key Guessing | Attempting 802.11 Shared Key Authentication with guessed vendor default or cracked WEP keys.
802.1X Identity Theft | Capturing user identities from clear-text 802.1X Identity Response packets.
802.1X Password Guessing | Using a captured identity, repeatedly attempting 802.1X authentication to guess the user's password.
802.1X LEAP Cracking | Recovering user credentials from captured 802.1X Lightweight EAP (LEAP) packets using a dictionary attack tool to crack the NT password hash.

Availability attacks are attack vectors in which the attacker tries to use up or consume all the available resources of the wireless router so that the purpose of the router is not met. In this case the attacker is not interested in identity theft or personal information but in disrupting the services of legitimate users. DoS and DDoS also fall into this category of attacks.

Availability Attacks

Type of attack | Description
RF Jamming | Transmitting at the same frequency as the target WLAN, perhaps at a power that exceeds the regulated Equivalent Isotropically Radiated Power (EIRP).
Queensland DoS | Exploiting the CSMA/CA Clear Channel Assessment (CCA) mechanism to make a channel appear busy.
802.11 Beacon Flood | Generating thousands of counterfeit 802.11 beacons to make it hard for stations to find a legitimate AP.
802.11 Associate / Authenticate Flood | Sending forged Authenticates or Associates from random MACs to fill a target AP's association table.
802.11 TKIP MIC Exploit | Generating invalid TKIP data to exceed the target AP's MIC error threshold, suspending WLAN service.
802.11 Deauthenticate Flood | Flooding station(s) with forged Deauthenticates or Disassociates to disconnect users from an AP.
802.1X EAP-Start Flood | Flooding an AP with EAP-Start messages to consume resources or crash the target.
802.1X EAP-Failure | Observing a valid 802.1X EAP exchange, and then sending the station a forged EAP-Failure message.
802.1X EAP-of-Death | Sending a malformed 802.1X EAP Identity response known to cause some APs to crash.
802.1X EAP Length Attacks | Sending EAP type-specific messages with bad length fields to try to crash an AP or RADIUS server.

Steps to protect your wireless networks:

Use strong encryption techniques

Wireless has been in use by users across the globe for a long time, but the current sudden rise in the usage of wireless networks also increases the security threats with it astoundingly. Most wireless appliances come with prebuilt security mechanisms that, once used properly, can enable a proper level of security. Of the most widely used protocols, WPA is preferred over WEP, and hence the dependence on WPA is greater currently. Also make sure to enable the wireless security protocols so that attackers cannot crack their way into networks they are not authorized to use.

Admin passwords:

Admin passwords of wireless routers are to be changed before connecting to the internet, since the default passwords are vulnerable to dictionary attacks that can be cracked in seconds. Lists of the default factory logins used by most vendors are also easily available. Also, 76% of internet attack vectors happen because devices, applications, appliances, etc. are left with their default configuration. List of compiled default login information:

Disable remote management

Disable the remote management feature on the wireless router unless deemed necessary, since it becomes a potential attack vector via which a lot of brute force and dictionary attacks can happen. If it is certainly necessary, grant access only to the trusted IP address which needs to reach the router, i.e. an allow-trusted, deny-all rule.

Broadcasting SSID

SSID broadcasting is a useful but risky feature, since it allows anyone to connect to the wireless network using the broadcast SSID. Broadcasting of the SSID has also resulted in a blended attack vector called the rogue access point.

MAC address mapping/filtering

MAC addresses are otherwise called Machine Address Code; it is a 48 bytes address, a built-in address that could not be spoofed in earlier days, which is why it was otherwise called a burnt-in address.

MAC address authentication, mapping the user device's port to the port of the switch, enables an additional layer of security, so that it can prevent other prominent attack vectors such as man-in-the-middle attacks, ARP poisoning attacks, DNS poisoning attacks, etc.

Change the SSID

Most wireless router devices come with a default SSID value of their respective vendor's name. In this way, the SSID information of the router is easily probed, not only for the software running on the device but also for the vulnerabilities associated with the respective vendor's products, hence enabling attackers to narrow down the attack.

Positioning of Wi-Fi router

Wi-Fi signals do not know where the limit of the coverage area is and where to stop broadcasting, thus giving attackers an easy opportunity to leverage this weakness by trying to peek into the Wi-Fi network from outside the intended coverage, using a high-powered reception antenna with more dBi receive gain.

Turning off the wireless network

Wireless networks are not bound by physical perimeters and limits, and hence the wavelength and the frequencies become both the advantage and the disadvantage of the technology.

Processes that will enable securing your wireless networks:

Develop a wireless security policy and architecture design, including the wireless architecture deployment.

Identify and develop basic field coverage area for wireless communications.

Utilize directional antennas and reduce transmit power to avoid signal leakages outside designated areas.

Put proper authentication and authorization schemes in place for all access points and clients when connecting to the intranet.

Deploy wireless devices that support high encryption and robust AAA functions for the network, like 802.1X, LEAP, PEAP etc.

Develop an operations and management framework for WLAN.

Timely assessments and periodic audits for all wireless devices.


The rogue access point can be created either by integrating cracking software with the wireless adapter and antenna, or by using the infrastructure mode of Windows networking with the wireless adapter and antenna. The product is designed by integrating existing tools and apparatus, which are analysed below.


Air Snort

It is a tool which can be used to recover encryption keys. It is a wireless tool which operates passively, monitoring transmissions. It computes the key only after gathering enough encrypted packets. In other words, Air Snort is a tool which listens to wireless transmissions and translates them into a meaningful form. Once gathering is complete, the data is processed by the analytical tool until the network security is broken. Once everything is done, the data can be read in plain text.

WEP Crack

It is also a wireless cracking tool, developed at the same time as the Air Snort wireless tool. As the name says, it is a WEP cracking tool. It has three built-in applications written in the Perl language: WeakIVGen, Prism-getIV and WEPcrack. The first emulates the encryption output of 802.11 networks. Prism-getIV analyses the captured information until it gets matching information, so it will decrypt the security keys. Finally, WEPcrack uses the two other tools' outputs together to decipher the network encryption.

Kismet

It is a tool which supports an intrusion detection approach to wireless security. A computer installed with the Kismet tool can be used to search for and analyse access points within range. First it checks the SSID, then whether the access point uses WEP, the type of channel, and the IP address range used by the access point. It also has features like de-cloaking of hidden wireless networks. Using Kismet, we can also map the network graphically using GPS integration.


It is a utility used for capturing pre-produced networks. 530 networks can be identified and analysed using this utility. It can create a substantial threat after discovery of any network communication.


It is an 802.11 device driver designed to be used with a Prism network card. It is also known as a packet injection/reception tool. It is used as a development tool for developing new wireless applications. A common hacking use of this tool is to terminate the connection between the devices connected to the network access point immediately.

HostAP

It is just firmware for Prism cards which acts as an access point in any kind of environment. It scans and then connects the disconnected computers to the HostAP-enabled computer. There, we can do whatever is needed in that situation.


We cannot say that it is a single application; it is a collection of different applications. It creates larger threats to wireless networks of any character. It is a tool which can completely inspect and lock down a WEP-enabled network. It collects all the WEP-encrypted packets and deduces the WEP keys with frequently employed techniques. Finally, dwepkeygen, which is a 40-bit key generator, creates keys which are not susceptible to the Tim Newsham 2^21 attack, using a variable-length seed.


The operating system used for this experiment can be either a Linux-based operating system or a normal Windows-based operating system. A Linux-based operating system like BackTrack version 4 can be used, where inbuilt sniffing and spoofing software like Air Suite is available. With a Windows-based operating system the computer can be operated as a fake access point by turning it into infrastructure mode.


The wireless adapter deployed for this experiment is an Alpha N-type adapter which is backwards compatible; it can support previous versions like 802.11b and 802.11g. It is also preferred because it is developed from a technology called MIMO (multiple in, multiple out), which has a feature called signal reflection, using which it can have coverage up to 4 times that of a normal adapter, without altering any of the resources. In this model the link range of the adapter is increased by employing 4 transmitters and 4 receivers instead of 2 transmitters and 2 receivers.

Considering interference with the existing medium, it will be placed in almost the same band in a nearby area. The frequency bands available in this range are 2.4 GHz, 3.6 GHz and 5 GHz. Usually 2.4 GHz is used extensively as it covers a long range. Even though the 5 GHz band is of high intensity and better quality, it will not cover an extensive area. This is the reason the 2.4 GHz band is always more crowded than the 5 and 3.4 GHz bands.


The antenna deployed for this experiment is an Alpha omni-directional antenna which can operate from any given angle. Previously, to boost the signal, a unidirectional type of antenna called a cantenna was used; this would usually be made of an empty tin can like a Pringles chips can. Even though it is cheaper, due to its directional limitation it is considered unsuitable for an efficient result.


This I'll do.

Legal Issues:

Data Protection Act:

Research and Ethics Issue:


The methodology that we are going to use is experiment and survey.

(refer to my project methodology and give a brief account of it)





Explain the infrastructure mode and how we are going to conduct this experiment in the university lab, which is the King William first-floor lab.


Fill in what I have sent.


Result obtained from the experiment

Result obtained from the survey


Correlation of the experiment and survey shows that the number of people falling for a rogue access point is due to lack of awareness, as the two are directly proportional.


An online blog has been created that answers the survey and explains how to secure oneself against rogue access points.

Add points like: avoid financial transactions at Wi-Fi hotspots.

Future Enhancement:

Since time is limited we have concentrated on infrastructure mode to conduct the rogue access point experiment on the public.

With time, using tools like Air Suite as discussed in the literature review, the product can be enhanced to even impersonate a corporate network.