In a traditional wired network the packets travel along physical wires, whereas wireless networks use the air as the physical medium for both sending and receiving data packets.
Because air is the physical medium, anyone within range who has suitable hardware and software can view and capture the network packets.
With appropriate hardware and software a sniffing station is well equipped to capture wireless packets.
The hardware normally comes in the form of a wireless network interface card (CF, PCI, USB or PCMCIA based) or an on-board wireless NIC/chipset.
The software used for sniffing may differ depending on the device drivers and the capabilities of each chipset.
The software most often used for sniffing wireless traffic is Kismet. Kismet is an 802.11 layer 2 wireless network detector, sniffer and intrusion detection system. It works with any wireless card that supports raw monitoring (rfmon) mode.
Kismet is easy to install on any UNIX-based operating system, and it can also be run on Windows under CYGWIN. Windows, however, has difficulty getting the wireless NIC into rfmon mode, because the Win32 drivers do not support rfmon mode by default.
Normally a wireless NIC operates in a mode called managed mode, in which it does not pick up the raw wireless frames on the air. To capture wireless packets from the traffic, the NIC has to be placed in rfmon mode.
The captured frames are saved in pcap format, which can be opened and analysed offline.
Dissecting Wireless Packets:
Beacon frames are the most common frames seen while sniffing wireless traffic.
A wireless access point sends beacon frames at regular intervals so that wireless clients can detect the Service Set Identifier (SSID) of the wireless network. The SSID defines the name of the wireless network with which the clients associate.
In the beacon frame the first address field is the Destination Address and has the value ff:ff:ff:ff:ff:ff (broadcast). The Basic Service Set ID (BSSID) is the third address field and contains the MAC address of the access point. The Sequence Number is another field worth noting: whenever a wireless station emits a packet, this field is incremented by one.
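As an added example (not part of the original essay), the following Python decodes the fields described above from a raw 802.11 beacon frame: the three address fields, the sequence number, and the SSID and channel information elements. The sample frame bytes, MAC address and SSID are constructed for illustration, not taken from a real capture.

```python
import struct

def mac(raw: bytes) -> str:
    """Render a 6-byte address as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)

def parse_beacon(frame: bytes) -> dict:
    """Decode the 802.11 MAC header and the SSID / channel elements of a beacon.

    Expects a raw 802.11 frame with any radiotap header already removed.
    """
    fc, = struct.unpack_from("<H", frame, 0)          # Frame Control, little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if (ftype, subtype) != (0, 8):                    # type 0 = management, subtype 8 = beacon
        raise ValueError("not a beacon frame")
    seq_ctrl, = struct.unpack_from("<H", frame, 22)   # 4-bit fragment no. + 12-bit sequence no.
    info = {
        "dst": mac(frame[4:10]),       # Address 1: destination, broadcast for beacons
        "src": mac(frame[10:16]),      # Address 2: transmitter (the AP)
        "bssid": mac(frame[16:22]),    # Address 3: BSSID, the AP's MAC address
        "fragment": seq_ctrl & 0xF,
        "seq": seq_ctrl >> 4,
        "ssid": None, "channel": None,
    }
    # Fixed part of the beacon body: timestamp (8) + beacon interval (2) + capability (2)
    pos = 24 + 12
    while pos + 2 <= len(frame):                      # walk the tagged information elements
        tag, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + length]
        if tag == 0:                                  # SSID; zero length means a cloaked AP
            info["ssid"] = data.decode("utf-8", "replace")
        elif tag == 3 and length == 1:                # DS Parameter Set: channel number
            info["channel"] = data[0]
        pos += 2 + length
    return info

# Constructed sample beacon (not a real capture): AP 00:11:22:33:44:55,
# SSID "TestNet", channel 6, sequence number 170.
SAMPLE_BEACON = bytes.fromhex(
    "8000" + "0000"                          # Frame Control (beacon), Duration
    + "ffffffffffff"                         # Address 1: broadcast destination
    + "001122334455" + "001122334455"        # Address 2: source, Address 3: BSSID
    + "a00a"                                 # Sequence Control: seq 170, fragment 0
    + "0000000000000000" + "6400" + "1104"   # timestamp, interval 100 TU, capability
    + "0007" + b"TestNet".hex()              # IE 0 (SSID), length 7
    + "030106"                               # IE 3 (DS Parameter Set), channel 6
)

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BEACON))
```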
Probing and Network Discovery:
Probing and network discovery is the first step for an attacker to identify the wireless targets in range. There are two main types of probing: active probing and passive probing.
Active probing is done by sending probe requests with no SSID in order to receive probe responses carrying the SSID and other information from access points within the attacker's range. Cloaked access points cannot be detected by active probing.
In passive probing the attacker listens on all channels for all wireless packets without sending a single packet. As with active probing, an attacker engaged in passive probing will not be able to detect the cloaked access points.
Surveillance:
For an attacker it is very easy to grab information from the packets of a wireless network using software such as Kismet or Airodump. It is especially easy to read the traffic stream when it is not encrypted. The gathered data can be saved in pcap format, and information such as MAC addresses, IP address range, gateway, etc. can be read from the traffic.
Even when the traffic stream is WEP encrypted there are WEP crackers; in this case Airodump is used to crack the WEP key. Sometimes there is insufficient traffic on the network. In such cases attackers inject packets using tools like WEPWedgie; the responses this elicits from the network are collected and then sent for WEP key cracking.
Denial of Service:
A DOS attack can be executed easily at Layer 1 and Layer 2 of a wireless network. At Layer 1 the attack works by emitting strong RF interference on a channel, raising the noise level and causing interference to all wireless networks operating on or near that channel.
The Layer 2 DOS attack is achieved by packet injection, in which the attacker floods wireless clients that are already attached to the network with disassociate or de-authenticate packets.
MAC Address Spoofing:
In this type of attack the attacker makes use of a MAC address obtained during the surveillance stage, one that belongs to an authorized client of the wireless network. Even when the wireless network is WEP encrypted, the attacker can easily find the MAC address of the sender with sniffer tools. Changing a MAC address can also be done manually on Linux as well as on Windows.
Man in the Middle and Rogue AP:
In this type of attack the attacker places himself in the middle of the communication in order to intercept and modify data on its way to the real destination. The attacker has to perform two tasks. The first is to take down the AP serving the client, or make it so busy that the client's connection becomes difficult; RF interference or Layer 2 packet flooding can be used for this. The second is to set up an alternate rogue AP with the same credentials as the original AP so that the client connects to the rogue AP. Tools like monkey jack can be used for the second task.
Wireless Attacks Detection Techniques:
Access Point Monitoring:
In this monitoring method the owner of the wireless network records a baseline list of authorized APs with their respective SSID, MAC address and channel, then listens to all beacon frames sent by APs and compares their details with the pre-recorded information. In a man-in-the-middle attack this component helps detect a rogue AP that suddenly appears in the middle of the communication, and raises an alert on a possible MITM attack.
Wireless Client Monitoring:
In this monitoring method there are a few methodologies to follow. The first is for the owner of the wireless network to keep a "blacklist" of wireless clients; if any client on that list tries to access the network, an alert is raised automatically.
The second is to look for clients with illegal MAC addresses and raise an alert.
The third is that if a wireless client sends out probe requests but does not associate within a certain period of time, it can easily be identified as a possible attacker.
The fourth is that when WEP traffic is sent or received, no station should reuse the same IV repeatedly within a short period of time.
The last is to monitor the sequence number, because an attacker who tries to communicate in the middle of a session cannot continue the sequence numbers that the AP and the client used in their previous communication.
General Wireless Traffic Monitoring:
In this method the wireless traffic is monitored for attempts to flood the network with de-authentication, disassociation, authentication, association and erroneous authentication frames.
An oncoming RF-based DOS attack on the wireless network can be signalled by frequency and signal-to-noise ratio monitoring.
Authentication as well as association failures can also be monitored and reported.
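Added example, not taken from the essay or from any of the tools it names: the three detection techniques described in this part of the essay (the access-point baseline check, the sequence-number check and the management-frame flood check) run over a constructed stream of already-decoded frames. The baseline, the MAC addresses, the sequence-gap tolerance and the flood threshold are assumed values, and the 802.11 decoder that would produce the records is not shown.

```python
from collections import Counter

MAX_SEQ_GAP = 256  # assumed tolerance for frames the sniffer missed (not from the essay)

# Baseline of authorized APs recorded by the network owner (constructed values).
AUTHORIZED_APS = {"00:11:22:33:44:55": {"ssid": "CorpNet", "channel": 6}}

def frame(subtype, src, bssid, seq, ssid=None, channel=6):
    """Build one already-decoded frame record (the 802.11 decoder is not shown here)."""
    return {"subtype": subtype, "src": src, "bssid": bssid, "seq": seq, "ssid": ssid, "channel": channel}

# Constructed capture: a second AP advertising CorpNet from an unknown BSSID, a client
# frame whose sequence number breaks the progression, and a deauthentication burst.
AP, ROGUE, CLIENT = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "aa:bb:cc:dd:ee:01"
FRAMES = [
    frame("beacon", AP, AP, 10, ssid="CorpNet"),
    frame("data", CLIENT, AP, 4000),
    frame("beacon", ROGUE, ROGUE, 1, ssid="CorpNet", channel=11),
    frame("data", CLIENT, AP, 4001),
    frame("data", CLIENT, AP, 1500),
] + [frame("deauth", AP, AP, 20 + i) for i in range(12)]

def check_access_points(frames, baseline):
    """Compare each beacon with the baseline: unknown BSSID, evil twin or changed SSID/channel."""
    known_ssids = {ap["ssid"] for ap in baseline.values()}
    alerts = []
    for f in (f for f in frames if f["subtype"] == "beacon"):
        ap = baseline.get(f["bssid"])
        if ap is None:  # an unknown AP reusing an authorized SSID is the MITM rogue-AP case
            kind = "evil twin" if f["ssid"] in known_ssids else "unauthorized AP"
            alerts.append(f"{kind}: {f['bssid']} advertising {f['ssid']!r} on channel {f['channel']}")
        elif (ap["ssid"], ap["channel"]) != (f["ssid"], f["channel"]):
            alerts.append(f"baseline mismatch for {f['bssid']}: {f['ssid']!r} on channel {f['channel']}")
    return alerts

def check_sequence_numbers(frames):
    """Flag a transmitter whose 12-bit sequence number jumps, allowing for the 4096 wrap-around."""
    last, alerts = {}, []
    for f in frames:
        prev = last.get(f["src"])
        if prev is not None and (f["seq"] - prev) % 4096 > MAX_SEQ_GAP:
            alerts.append(f"sequence anomaly from {f['src']}: {prev} -> {f['seq']}")
        last[f["src"]] = f["seq"]
    return alerts

def check_management_flood(frames, threshold=10):
    """Count deauth/disassoc/auth/assoc frames per BSSID; a burst above the threshold is a flood."""
    counts = Counter(f["bssid"] for f in frames if f["subtype"] in {"deauth", "disassoc", "auth", "assoc"})
    return [f"management flood against {b}: {n} frames" for b, n in counts.items() if n >= threshold]
```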
Snort-wireless is a wireless intrusion detection system adapted from the Snort IDS engine.
One can write snort-wireless rules for detecting wireless attacks in the same way one would detect IP layer attacks, by replacing the source and destination IP addresses in normal Snort rules with source and destination MAC addresses.
There are still quite a few to-do items under future development before these rules can effectively address some of the common threats in the wireless world.
Loud Fat Bloke (Mark Osborne) built a wireless IDS that has the following modules:
Unauthorized AP monitor - responsible for detecting bogus and rogue APs by checking an AP scan result against a baseline file of all authorized APs.
802.11 Traffic monitor - includes probe/flood monitoring as well as MAC and ESSID blacklists and whitelists.
AirIDS is a wireless intrusion detection system that presents a number of interesting aspects of wireless IDS. A robust and powerful rules file, user-definable like in any other IDS, controls the filtering. It is also able to forge frames so as to provide not just detection but active defences against malicious 802.11 activities.