
19/10/12

Hacking Techniques in Wireless Networks

Prabhaker Mateti
Department of Computer Science and Engineering, Wright State University, Dayton, Ohio 45435-0001

This article is scheduled to appear in The Handbook of Information Security, Hossein Bidgoli (Editor-in-Chief), John Wiley & Sons, Inc., 2005.

www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm 1/20

1. Introduction
2. Wireless LAN Overview
2.1 Stations and Access Points
2.2 Channels
2.3 WEP
2.4 Infrastructure and Ad Hoc Modes
2.5 Frames
2.6 Authentication
2.7 Association
3. Wireless Network Sniffing
3.1 Passive Scanning
3.2 Detection of SSID
3.3 Collecting the MAC Addresses
3.4 Collecting the Frames for Cracking WEP
3.5 Detection of the Sniffers
4. Wireless Spoofing
4.1 MAC Address Spoofing
4.2 IP Spoofing
4.3 Frame Spoofing
5. Wireless Network Probing
5.1 Detection of SSID
5.2 Detection of APs and Stations
5.3 Detection of Probing
6. AP Weaknesses
6.1 Configuration
6.2 Defeating MAC Filtering
6.3 Rogue AP
6.4 Trojan AP
6.5 Equipment Flaws
7. Denial of Service
7.1 Jamming the Air Waves
7.2 Flooding with Associations
7.3 Forged Disassociation
7.4 Forged Deauthentication
7.5 Power Saving
8. Man-in-the-Middle Attacks
8.1 Wireless MITM
8.2 ARP Poisoning
8.3 Session Hijacking
9. War Driving
9.1 War Chalking
9.2 Typical Equipment
10. Wireless Security Best Practices
10.1 Location of the APs
10.2 Proper Configuration
10.3 Secure Protocols
10.4 Wireless IDS
10.5 Wireless Auditing
10.6 Newer Standards and Protocols
10.7 Software Tools
11. Conclusion
Glossary
Cross References
References
Further Reading

Key Words
IEEE 802.11, wireless spoofing, cracking WEP, forged deauthentication, rogue/Trojan access points, session hijacking, war driving.

Abstract
This article describes IEEE 802.11-specific hacking techniques that attackers have used, and suggests various defensive measures. We describe sniffing, spoofing and probing in the context of wireless networks. We describe how SSIDs can be determined, and how a sufficiently large number of frames can be collected so that WEP can be cracked. We show how easy it is to cause denial of service through jamming and through forged disassociations and deauthentications. We also explain three man-in-the-middle attacks using wireless networks. We give a list of selected open source tools. We summarize the activity known as war driving. We conclude the article with several recommendations that will help improve security at a wireless deployment site.

1. Introduction

Wireless networks broadcast their packets using radio frequency or optical wavelengths. A modern laptop computer can listen in. Worse, an attacker can manufacture new packets on the fly and persuade wireless stations to accept his packets as legitimate.

We use the term hacking as described below.

hacker n. [originally, someone who makes furniture with an axe] 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. 2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming. 3. A person capable of appreciating hack value. 4. A person who is good at programming quickly. 5. An expert at a particular program, or one who frequently does work using it or on it; as in `a Unix hacker'. (Definitions 1 through 5 are correlated, and people who fit them congregate.) 6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example. 7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations. 8. [deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence `password hacker', `network hacker'. The correct term for this sense is cracker.

From The Jargon Dictionary http://info.astrian.net/jargon/

This article describes IEEE 802.11-specific hacking techniques that attackers have used, and suggests various defensive measures. It is not an overview of security features proposed in WPA or IEEE 802.11i. We do not consider legal implications, or the intent behind such hacking, whether malevolent or benevolent. The article's focus is in describing techniques, methods, analyses and uses in ways unintended by the designers of IEEE 802.11.

2. Wireless LAN Overview

In this section, we give a brief overview of wireless LAN (WLAN) while emphasizing the features that help an attacker. We assume that the reader is familiar with the TCP/IP suite (see, e.g., [Mateti 2003]). IEEE 802.11 refers to a family of specifications (www.ieee802.org/11/) developed by the IEEE for the over-the-air interface between a wireless client and an AP or between two wireless clients. To be called 802.11 devices, they must conform to the Medium Access Control (MAC) and Physical Layer specifications. The IEEE 802.11 standard covers the Physical (Layer 1) and Data Link (Layer 2) layers of the OSI Model. In this article, we are mainly concerned with the MAC layer and not the variations of the physical layer known as 802.11a/b/g.

2.1 Stations and Access Points
A wireless network interface card (adapter) is a device, called a station, providing the network physical layer over a radio link to another station. An access point (AP) is a station that provides frame distribution service to stations associated with it. The AP itself is typically connected by wire to a LAN. The station and AP each contain a network interface that has a Media Access Control (MAC) address, just as wired network cards do. This address is a world-wide unique 48-bit number, assigned to it at the time of manufacture. The 48-bit address is often represented as a string of six octets separated by colons (e.g., 00:02:2D:17:B9:E8) or hyphens (e.g., 00-02-2D-17-B9-E8). While the MAC address as assigned by the manufacturer is printed on the device, the address can be changed in software.

Each AP has a 0 to 32 byte long Service Set Identifier (SSID) that is also commonly called a network name. The SSID is used to segment the airwaves for usage. If two wireless networks are physically close, the SSIDs label the respective networks, and allow the components of one network to ignore those of the other. SSIDs can also be mapped to virtual LANs; thus, some APs support multiple SSIDs. Unlike fully qualified host names (e.g., gamma.cs.wright.edu), SSIDs are not registered, and it is possible that two unrelated networks use the same SSID.

2.2 Channels
The stations communicate with each other using radio frequencies between 2.4 GHz and 2.5 GHz. Neighboring channels are only 5 MHz apart. Two wireless networks using neighboring channels may interfere with each other.

2.3 WEP
Wired Equivalent Privacy (WEP) is a shared-secret key encryption system used to encrypt packets transmitted between a station and an AP. The WEP algorithm is intended to protect wireless communication from eavesdropping. A secondary function of WEP is to prevent unauthorized access to a wireless network. WEP encrypts the payload of data packets. Management and control frames are always transmitted in the clear. WEP uses the RC4 encryption algorithm. The shared-secret key is either 40 or 104 bits long. The key is chosen by the system administrator. This key must be shared among all the stations and the AP using mechanisms that are not specified in the IEEE 802.11.

2.4 Infrastructure and Ad Hoc Modes
A wireless network operates in one of two modes. In the ad hoc mode, each station is a peer to the other stations and communicates directly with other stations within the network. No AP is involved. All stations can send Beacon and Probe frames. The ad hoc mode stations form an Independent Basic Service Set (IBSS).

A station in the infrastructure mode communicates only with an AP. A Basic Service Set (BSS) is a set of stations that are logically associated with each other and controlled by a single AP. Together they operate as a fully connected wireless network. The BSSID is a 48-bit number of the same format as a MAC address. This field uniquely identifies each BSS. The value of this field is the MAC address of the AP.

2.5 Frames
Both the station and AP radiate and gather 802.11 frames as needed. The format of frames is illustrated below. Most of the frames contain IP packets. The other frames are for the management and control of the wireless connection.

Figure 1: An IEEE 802.11 Frame

There are three classes of frames. The management frames establish and maintain communications. These are of Association request, Association response, Reassociation request, Reassociation response, Probe request, Probe response, Beacon, Announcement traffic indication message, Disassociation, Authentication, and Deauthentication types. The SSID is part of several of the management frames. Management messages are always sent in the clear, even when link encryption (WEP or WPA) is used, so the SSID is visible to anyone who can intercept these frames.

The control frames help in the delivery of data.

The data frames encapsulate the OSI Network Layer packets. These contain the source and destination MAC address, the BSSID, and the TCP/IP datagram. The payload part of the datagram is WEP-encrypted.

2.6 Authentication
Authentication is the process of proving the identity of a station to another station or AP. In the open system authentication, all stations are authenticated without any checking. A station A sends an Authentication management frame that contains the identity of A, to station B. Station B replies with a frame that indicates recognition, addressed to A. In the closed network architecture, the stations must know the SSID of the AP in order to connect to the AP. The shared key authentication uses a standard challenge and response along with a shared secret key.

Figure 2: States and Services

2.7 Association
Data can be exchanged between the station and AP only after a station is associated with an AP in the infrastructure mode or with another station in the ad hoc mode. All the APs transmit Beacon frames a few times each second that contain the SSID, time, capabilities, supported rates, and other information. Stations can choose to associate with an AP based on the signal strength etc. of each AP. Stations can have a null SSID that is considered to match all SSIDs.

The association is a two-step process. A station that is currently unauthenticated and unassociated listens for Beacon frames. The station selects a BSS to join. The station and the AP mutually authenticate themselves by exchanging Authentication management frames. The client is now authenticated, but unassociated. In the second step, the station sends an Association Request frame, to which the AP responds with an Association Response frame that includes an Association ID to the station. The station is now authenticated and associated.

A station can be authenticated with several APs at the same time, but associated with at most one AP at any time. Association implies authentication. There is no state where a station is associated but not authenticated.
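The three states of Figure 2 and the two-step process above, modelled as an added example (this is not code from the article): one state per BSSID, at most one association, and the effect of Disassociation and Deauthentication frames, which Sections 7.3 and 7.4 show an attacker can forge. The BSSIDs in the demo are constructed values.

```python
"""802.11 station state machine (Section 2.7, Figure 2).

Added example, not the article's code. A station tracks one state per AP
(BSSID): 1 = unauthenticated/unassociated, 2 = authenticated/unassociated,
3 = authenticated/associated. It may be in state 2 with several APs but in
state 3 with at most one, and state 3 implies authentication.
"""
from typing import Dict, Optional

UNAUTH_UNASSOC, AUTH_UNASSOC, AUTH_ASSOC = 1, 2, 3


class Station:
    def __init__(self) -> None:
        self._state: Dict[str, int] = {}        # bssid -> state (absent = state 1)
        self.associated_with: Optional[str] = None

    def state_for(self, bssid: str) -> int:
        return self._state.get(bssid, UNAUTH_UNASSOC)

    def receive(self, frame_type: str, bssid: str) -> int:
        """Apply one completed management exchange with AP `bssid` and return
        the new state. `frame_type` names the frame that completed it (the
        AP's Authentication or Association Response) or a Disassociation /
        Deauthentication frame received from that AP."""
        cur = self.state_for(bssid)
        if frame_type == "Authentication":
            if cur == UNAUTH_UNASSOC:
                self._state[bssid] = AUTH_UNASSOC
        elif frame_type == "AssociationResponse":
            if cur == UNAUTH_UNASSOC:
                # there is no state "associated but not authenticated"
                raise ValueError("association before authentication")
            if self.associated_with not in (None, bssid):
                # at most one association: the previous AP drops back to state 2
                self._state[self.associated_with] = AUTH_UNASSOC
            self._state[bssid] = AUTH_ASSOC
            self.associated_with = bssid
        elif frame_type == "Disassociation":
            # authentication is kept; the station only needs to reassociate
            if cur == AUTH_ASSOC:
                self._state[bssid] = AUTH_UNASSOC
                self.associated_with = None
        elif frame_type == "Deauthentication":
            # drops both authentication and any association with this AP
            self._state.pop(bssid, None)
            if self.associated_with == bssid:
                self.associated_with = None
        else:
            raise ValueError(f"unknown frame type {frame_type!r}")
        return self.state_for(bssid)


def association_rejected_without_auth() -> bool:
    """True if a fresh station refuses an Association Response from an AP
    it has not authenticated with."""
    try:
        Station().receive("AssociationResponse", "00:02:2d:17:b9:e8")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sta = Station()
    ap1, ap2 = "00:02:2d:17:b9:e8", "00:02:2d:17:b9:e9"   # constructed BSSIDs
    print(sta.receive("Authentication", ap1))          # 2
    print(sta.receive("Authentication", ap2))          # 2: authenticated with both
    print(sta.receive("AssociationResponse", ap1))     # 3
    print(sta.receive("AssociationResponse", ap2))     # 3, and ap1 falls back to 2
    print(sta.state_for(ap1))                          # 2
    print(sta.receive("Disassociation", ap2))          # 2: still authenticated
    print(sta.receive("Deauthentication", ap2))        # 1: must start over
```

The model makes the asymmetry between the two forged frames visible: a Disassociation costs the victim only the reassociation exchange, while a Deauthentication forces the full authentication and association sequence again.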

3. Wireless Network Sniffing

Sniffing is eavesdropping on the network. A (packet) sniffer is a program that intercepts and decodes network traffic broadcast through a medium. Sniffing is the act by a machine S of making copies of a network packet sent by machine A intended to be received by machine B. Such sniffing, strictly speaking, is not a TCP/IP problem, but it is enabled by the choice of broadcast media, Ethernet and 802.11, as the physical and data link layers.

Sniffing has long been a reconnaissance technique used in wired networks. Attackers sniff the frames necessary to enable the exploits described in later sections. Sniffing is the underlying technique used in tools that monitor the health of a network. Sniffing can also help find the easy kill, as in scanning for open access points that allow anyone to connect, or capturing the passwords used in a connection session that does not even use WEP, or in telnet, rlogin and ftp connections.

It is easier to sniff wireless networks than wired ones. It is easy to sniff the wireless traffic of a building by setting up shop in a car parked in a lot as far away as a mile, or while driving around the block. In a wired network, the attacker must find a way to install a sniffer on one or more of the hosts in the targeted subnet. Depending on the equipment used in a LAN, a sniffer needs to be run either on the victim machine whose traffic is of interest or on some other host in the same subnet as the victim. An attacker at large on the Internet has other techniques that make it possible to install a sniffer remotely on the victim machine.

3.1 Passive Scanning
Scanning is the act of sniffing by tuning to the various radio channels of the devices. A passive network scanner instructs the wireless card to listen to each channel for a few messages. This does not reveal the presence of the scanner.

An attacker can passively scan without transmitting at all. Several modes of a station permit this. There is a mode called RF monitor mode that allows every frame appearing on a channel to be copied as the radio of the station tunes to various channels. This is analogous to placing a wired Ethernet card in promiscuous mode. This mode is not enabled by default. Some wireless cards on the market today have disabled this feature in the default firmware. One can buy wireless cards whose firmware and corresponding driver software together permit reading of all raw 802.11 frames. A station in monitor mode can capture packets without associating with an AP or ad hoc network. The so-called promiscuous mode allows the capture of all wireless packets of an associated network. In this mode, packets cannot be read until authentication and association are completed.

An example sniffer is Kismet (http://www.kismetwireless.net). An example wireless card that permits RF monitor modes is Cisco Aironet AIR-PCM342.

3.2 Detection of SSID
The attacker can discover the SSID of a network usually by passive scanning because the SSID occurs in the following frame types: Beacon, Probe Requests, Probe Responses, Association Requests, and Reassociation Requests. Recall that management frames are always in the clear, even when WEP is enabled.

On a number of APs, it is possible to configure so that the SSID transmitted in the Beacon frames is masked, or even turn off Beacons altogether. The SSID shown in the Beacon frames is set to null in the hope of making the WLAN invisible unless a client already knows the correct SSID. In such a case, a station wishing to join a WLAN begins the association process by sending Probe Requests since it could not detect any APs via Beacons that match its SSID.

If the Beacons are not turned off, and the SSID in them is not set to null, an attacker obtains the SSID included in the Beacon frame by passive scanning.

When the Beacon displays a null SSID, there are two possibilities. Eventually, an Associate Request may appear from a legitimate station that already has a correct SSID. To such a request, there will be an Associate Response frame from the AP. Both frames will contain the SSID in the clear, and the attacker sniffs these. If the station wishes to join any available AP, it sends Probe Requests on all channels, and listens for Probe Responses that contain the SSIDs of the APs. The station considers all Probe Responses, just as it would have with the non-empty SSID Beacon frames, to select an AP. Normal association then begins. The attacker waits to sniff these Probe Responses and extract the SSIDs.

If Beacon transmission is disabled, the attacker has two choices. The attacker can keep sniffing, waiting for a voluntary Associate Request to appear from a legitimate station that already has a correct SSID, and sniff the SSID as described above. The attacker can also choose to actively probe by injecting frames that he constructs, and then sniff the response as described in a later section.

When the above methods fail, SSID discovery is done by active scanning (see Section 5).

3.3 Collecting the MAC Addresses
The attacker gathers legitimate MAC addresses for use later in constructing spoofed frames. The source and destination MAC addresses are always in the clear in all the frames. There are two reasons why an attacker would collect MAC addresses of stations and APs participating in a wireless network. (1) The attacker wishes to use these values in spoofed frames so that his station or AP is not identified. (2) The targeted AP may be controlling access by filtering out frames with MAC addresses that were not registered.

3.4 Collecting the Frames for Cracking WEP
The goal of an attacker is to discover the WEP shared-secret key. Often, the shared key can be discovered by guesswork based on a certain amount of social engineering regarding the administrator who configures the wireless LAN and all its users. Some client software stores the WEP keys in the operating system registry or initialization scripts. In the following, we assume that the attacker was unsuccessful in obtaining the key in this manner. The attacker then employs systematic procedures in cracking the WEP. For this purpose, a large number (millions) of frames need to be collected because of the way WEP works.

The wireless device generates on the fly an Initialization Vector (IV) of 24 bits. Adding these bits to the shared-secret key of either 40 or 104 bits, we often speak of 64- or 128-bit encryption. WEP generates a pseudo-random key stream from the shared-secret key and the IV. The CRC-32 checksum of the plain text, known as the Integrity Check (IC) field, is appended to the data to be sent. It is then exclusive-ORed with the pseudo-random key stream to produce the cipher text. The IV is appended in the clear to the cipher text and transmitted. The receiver extracts the IV, uses the secret key to regenerate the random key stream, and exclusive-ORs the received cipher text to yield the original plain text.

Certain cards are so simplistic that they start their IV as 0 and increment it by 1 for each frame, resetting in between for some events. Even the better cards generate weak IVs from which the first few bytes of the shared key can be computed after statistical analyses. Some implementations generate fewer mathematically weak vectors than others do.

The attacker sniffs a large number of frames from a single BSS. These frames all use the same key. The mathematics behind the systematic computation of the secret shared key from a collection of cipher text extracted from these frames is described elsewhere in this volume. What is needed however is a collection of frames that were encrypted using mathematically weak IVs. The number of encrypted frames that were mathematically weak is a small percentage of all frames. In a collection of a million frames, there may only be a hundred mathematically weak frames. It is conceivable that the collection may take a few hours to several days depending on how busy the WLAN is.

Given a sufficient number of mathematically weak frames, the systematic computation that exposes the bytes of the secret key is intensive. However, an attacker can employ powerful computers. On an average PC, this may take a few seconds to hours. The storage of the large numbers of frames is in the several hundred megabytes to a few gigabytes range.

An example of a WEP cracking tool is AirSnort (http://airsnort.shmoo.com).
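The WEP encapsulation described above, written out as an added example (not the article's code, and not a cracking tool): RC4 keyed with IV||key, the CRC-32 Integrity Check field, the IV sent in the clear, the receiver's ICV check, and a function that shows why the 24-bit IV is the weak point: two frames encrypted under the same IV share a keystream, and XORing their ciphertexts cancels it without any knowledge of the key. The RC4 routine is written inline so the block runs offline; the key, IV and payloads are constructed values.

```python
"""WEP encapsulation as described in Section 3.4 (added example, not the
article's code). Key, IV and payloads below are constructed values."""
import struct
import zlib

IV_BYTES = 3                      # 24-bit Initialization Vector, sent in the clear
KEY_SIZES = (5, 13)               # 40- or 104-bit shared secret


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4_{IV||key}(plaintext || CRC32(plaintext))."""
    if len(key) not in KEY_SIZES:
        raise ValueError("WEP key must be 5 or 13 bytes")
    if len(iv) != IV_BYTES:
        raise ValueError("IV must be 3 bytes")
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)   # Integrity Check field
    body = plaintext + icv
    return iv + _xor(body, rc4_keystream(iv + key, len(body)))


def wep_decapsulate(key: bytes, frame: bytes) -> bytes:
    """Receiver side: extract the IV, regenerate the keystream, verify the ICV."""
    iv, ct = frame[:IV_BYTES], frame[IV_BYTES:]
    body = _xor(ct, rc4_keystream(iv + key, len(ct)))
    data, icv = body[:-4], body[-4:]
    if struct.unpack("<I", icv)[0] != (zlib.crc32(data) & 0xFFFFFFFF):
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return data


def icv_rejects(key: bytes, frame: bytes) -> bool:
    """True if decapsulation with `key` fails the ICV check."""
    try:
        wep_decapsulate(key, frame)
    except ValueError:
        return True
    return False


def keystream_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under one IV share a keystream, so C1 xor C2 == P1 xor P2:
    the key cancels out. With only 2**24 IVs, reuse is inevitable on a busy
    WLAN, which is why collecting frames (Section 3.4) pays off."""
    c1 = wep_encapsulate(key, iv, p1)[IV_BYTES:]
    c2 = wep_encapsulate(key, iv, p2)[IV_BYTES:]
    n = min(len(p1), len(p2))
    return _xor(c1[:n], c2[:n])


def iv_space() -> int:
    """Number of distinct IVs before a 24-bit counter must wrap."""
    return 1 << (8 * IV_BYTES)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")        # constructed 40-bit key
    iv = bytes.fromhex("000001")
    frame = wep_encapsulate(key, iv, b"GET / HTTP/1.0")
    print(frame.hex())
    print(wep_decapsulate(key, frame))
    print(icv_rejects(bytes.fromhex("0504030201"), frame))   # wrong key: True
    print(keystream_reuse_leak(key, iv, b"attack", b"defend") == _xor(b"attack", b"defend"))
    print(iv_space())                                         # 16777216
```

Note that the ICV is a CRC, not a MAC: it detects accidental corruption and a wrong key, but because CRC-32 is linear it is no defence against deliberate bit flipping, which is one of the reasons the article points readers to WPA and 802.11i.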

3.5 Detection of the Sniffers
Detecting the presence of a wireless sniffer, who remains radio-silent, through network security measures is virtually impossible. Once the attacker begins probing (i.e., by injecting packets), the presence and the coordinates of the wireless device can be detected.

4. Wireless Spoofing

There are well-known attack techniques known as spoofing in both wired and wireless networks. The attacker constructs frames by filling selected fields that contain addresses or identifiers with legitimate-looking but non-existent values, or with values that belong to others. The attacker would have collected these legitimate values through sniffing.

4.1 MAC Address Spoofing
The attacker generally desires to be hidden. But the probing activity injects frames that are observable by system administrators. The attacker fills the Sender MAC Address field of the injected frames with a spoofed value so that his equipment is not identified.

Typical APs control access by permitting only those stations with known MAC addresses. Either the attacker has to compromise a computer system that has a station, or he spoofs with legitimate MAC addresses in frames that he manufactures. MAC addresses are assigned at the time of manufacture, but setting the MAC address of a wireless card or AP to an arbitrarily chosen value is a simple matter of invoking an appropriate software tool that engages in a dialog with the user and accepts values. Such tools are routinely included when a station or AP is purchased. The attacker, however, changes the MAC address programmatically, sends several frames with that address, and repeats this with another MAC address. In a period of a second, this can happen several thousand times.

When an AP is not filtering MAC addresses, there is no need for the attacker to use legitimate MAC addresses. However, in certain attacks, the attacker needs to have a larger number of MAC addresses than he could collect by sniffing. Random MAC addresses are generated. However, not every random sequence of six bytes is a MAC address. The IEEE assigns globally the first three bytes, and the manufacturer chooses the last three bytes. The officially assigned numbers are publicly available. The attacker generates a random MAC address by selecting an IEEE-assigned three bytes appended with an additional three random bytes.

4.2 IP Spoofing
Replacing the true IP address of the sender (or, in rare cases, the destination) with a different address is known as IP spoofing. This is a necessary operation in many attacks.

The IP layer of the OS simply trusts that the source address, as it appears in an IP packet, is valid. It assumes that the packet it received indeed was sent by the host officially assigned that source address. Because the IP layer of the OS normally adds these IP addresses to a data packet, a spoofer must circumvent the IP layer and talk directly to the raw network device. Note that the attacker's machine cannot simply be assigned the IP address of another host X using ifconfig or a similar configuration tool. Other hosts, as well as X, will discover (through ARP, for example) that there are two machines with the same IP address.

IP spoofing is an integral part of many attacks. For example, an attacker can silence a host A from sending further packets to B by sending a spoofed packet announcing a window size of zero to A as though it originated from B.

4.3 Frame Spoofing
The attacker will inject frames that are valid by 802.11 specifications, but whose content is carefully spoofed as described above.

Frames themselves are not authenticated in 802.11 networks. So when a frame has a spoofed source address, it cannot be detected unless the address is wholly bogus. If the frame to be spoofed is a management or control frame, there is no encryption to deal with. If it is a data frame, perhaps as part of an ongoing MITM attack, the data payload must be properly encrypted.

Construction of the byte stream that constitutes a spoofed frame is a programming matter once the attacker has gathered the needed information through sniffing and probing. There are software libraries that ease this task. Examples of such libraries are libpcap (sourceforge.net/projects/libpcap/), libnet (libnet.sourceforge.net/), libdnet (libdnet.sourceforge.net/) and libradiate (www.packetfactory.net/projects/libradiate/).

The difficulty here is not in the construction of the contents of the frame, but in getting it radiated (transmitted) by the station or an AP. This requires control over the firmware and driver of the wireless card, which may sanitize certain fields of a frame. Therefore, the attacker selects his equipment carefully. Currently, there are off-the-shelf wireless cards that can be manipulated. In addition, the construction of special-purpose wireless cards is within the reach of a resourceful attacker.

5. Wireless Network Probing

Even though the attacker gathers a considerable amount of information regarding a wireless network through sniffing, without revealing his wireless presence at all, there are pieces that may still be missing. The attacker then sends artificially constructed packets to a target that trigger useful responses. This activity is known as probing or active scanning.

The target may discover that it is being probed; it might even be a honey pot (www.honeynet.org/) target carefully constructed to trap the attacker. The attacker would try to minimize this risk.

5.1 Detection of SSID
Detection of SSID is often possible by simply sniffing Beacon frames as described in a previous section. If Beacon transmission is disabled, and the attacker does not wish to patiently wait for a voluntary Associate Request to appear from a legitimate station that already has a correct SSID, or for Probe Requests from legitimate stations, he will resort to probing by injecting a Probe Request frame that contains a spoofed source MAC address. The Probe Response frame from the APs will contain, in the clear, the SSID and other information similar to that in the Beacon frames were they enabled. The attacker sniffs these Probe Responses and extracts the SSIDs.

Some models of APs have an option to disable responding to Probe Requests that do not contain the correct SSID. In this case, the attacker determines a station associated with the AP, and sends the station a forged Disassociation frame where the source MAC address is set to that of the AP. The station will send a Reassociation Request that exposes the SSID.

5.2 Detection of APs and Stations
Every AP is a station, so SSIDs and MAC addresses are gathered as described above. Certain bits in the frames identify that the frame is from an AP. If we assume that WEP is either disabled or cracked, the attacker can also gather the IP addresses of the AP and the stations.

5.3 Detection of Probing
Detection of probing is possible. The frames that an attacker injects can also be heard by the intrusion detection systems (IDS) of a hardened wireless LAN. There is GPS-enabled equipment that can identify the physical coordinates of a wireless device through which the probe frames are being transmitted.

6. AP Weaknesses

APs have weaknesses that are due both to design mistakes and to user interfaces that promote weak passwords, etc. It has been demonstrated by many publicly conducted war-driving efforts (www.worldwidewardrive.org) in major cities around the world that a large majority of the deployed APs are poorly configured, most with WEP disabled, and with configuration defaults, as set up by the manufacturer, untouched.

6.1 Configuration
The default WEP keys used are often too trivial. Different APs use different techniques to convert the user's keyboard input into a bit vector. Usually 5 or 13 ASCII printable characters are directly mapped by concatenating their ASCII 8-bit codes into a 40-bit or 104-bit WEP key. A stronger key can be constructed from an input of 26 hexadecimal digits. It is possible to form an even stronger 104-bit WEP key by truncating the MD5 hash of an arbitrary-length passphrase.
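The three key-input methods above, as an added example (not the article's code): each yields a 5- or 13-byte RC4 key, but the space a guesser has to search differs greatly. The entropy figures assume uniformly random input characters, which is an assumption; a key hashed from a passphrase is only as strong as the passphrase itself. The inputs used are constructed.

```python
"""Turning operator input into a WEP key, the three ways Section 6.1 lists.
Added example, not the article's code; the inputs below are constructed."""
import hashlib
import math
import string
from typing import Optional

# the 95 printable ASCII characters 0x20-0x7e
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def key_from_ascii(text: str) -> bytes:
    """5 or 13 printable characters, their 8-bit codes concatenated."""
    if len(text) not in (5, 13) or not set(text) <= PRINTABLE:
        raise ValueError("need 5 or 13 printable ASCII characters")
    return text.encode("ascii")


def key_from_hex(digits: str) -> bytes:
    """10 or 26 hexadecimal digits give a 40- or 104-bit key directly."""
    if len(digits) not in (10, 26):
        raise ValueError("need 10 or 26 hex digits")
    return bytes.fromhex(digits)


def key_from_passphrase_md5(passphrase: str) -> bytes:
    """104-bit key by truncating MD5 of an arbitrary-length passphrase."""
    return hashlib.md5(passphrase.encode("utf-8")).digest()[:13]


def search_space_bits(method: str, key_len: int,
                      passphrase_bits: Optional[float] = None) -> float:
    """Upper bound, in bits, on the key space a guesser must search, assuming
    every allowed input character is equally likely (an assumption)."""
    if method == "ascii":
        return key_len * math.log2(95)      # about 32.8 bits for 5 chars, 85.4 for 13
    if method == "hex":
        return key_len * 8.0                # the full 40 or 104 bits
    if method == "md5":
        if passphrase_bits is None:
            raise ValueError("md5 strength depends on the passphrase entropy")
        return min(key_len * 8.0, passphrase_bits)   # never more than the key itself
    raise ValueError(f"unknown method {method!r}")


if __name__ == "__main__":
    print(key_from_ascii("hello").hex())                    # 68656c6c6f
    print(key_from_hex("0a1b2c3d4e5f6a7b8c9d0e1f20").hex())
    print(key_from_passphrase_md5("constructed passphrase").hex())
    for m, n in (("ascii", 5), ("ascii", 13), ("hex", 5), ("hex", 13)):
        print(m, n, round(search_space_bits(m, n), 1))
```

The point a reviewer of an AP configuration should take from this: a 13-character ASCII key never reaches the 104 bits the interface advertises, and an MD5-derived key inherits whatever weakness the passphrase has, so the hexadecimal form with digits drawn from a random source is the only one that actually fills the key.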

6.2 Defeating MAC Filtering
Typical APs permit access to only those stations with known MAC addresses. This is easily defeated by the attacker who spoofs his frames with a MAC address that is registered with the AP from among the ones that he collected through sniffing. That a MAC address is registered can be detected by observing the frames from the AP to the stations.

6.3 Rogue AP
Access points that are installed without proper authorization and verification that the overall security policy is obeyed are called rogue APs. These are installed and used by valid users. Such APs are configured poorly, and attackers will find them.

6.4 Trojan AP
An attacker sets up an AP so that the targeted station receives a stronger signal from it than what it receives from a legitimate AP. If WEP is enabled, the attacker would have already cracked it. A legitimate user selects the Trojan AP because of the stronger signal, authenticates and associates. The Trojan AP is connected to a system that collects the IP traffic for later analyses. It then transmits all the frames to a legitimate AP so that the victim user does not recognize the ongoing MITM attack. The attacker can steal the user's password, network access, and compromise the user's system to give himself root access. This attack is called the Evil Twin Attack.

It is easy to build a Trojan AP because an AP is a computer system optimized for its intended application. A general purpose PC with a wireless card can be turned into a capable AP. An example of such software is HostAP (http://hostap.epitest.fi/). Such a Trojaned AP would be formidable.
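Both kinds of unauthorized AP in Sections 6.3 and 6.4 announce themselves in the very Beacon frames the article says are always in the clear, so a monitor-mode sensor that compares beacons against an inventory of sanctioned radios can flag them. The following is an added example, not the article's code; the inventory, the beacon records and the BSSIDs are constructed values, and the (SSID, BSSID, channel, RSSI) tuple is an assumed summary of what such a sensor would record.

```python
"""Rogue and Trojan (evil twin) AP detection for Sections 6.3 and 6.4.
Added example, not the article's code. Input is Beacon data (SSID, BSSID,
channel, signal) as a monitor-mode sensor would record it; the inventory
and the beacons below are constructed values."""
from typing import Dict, Iterable, Tuple

Beacon = Tuple[str, str, int, int]     # (ssid, bssid, channel, rssi_dbm)

# Authorized inventory: bssid -> (ssid, channel). Constructed.
AUTHORIZED: Dict[str, Tuple[str, int]] = {
    "00:02:2d:17:b9:e8": ("corpnet", 6),
    "00:02:2d:17:b9:e9": ("corpnet", 11),
}


def classify_beacon(ssid: str, bssid: str, channel: int,
                    authorized: Dict[str, Tuple[str, int]] = AUTHORIZED) -> str:
    """Classify one beacon against the inventory."""
    bssid = bssid.lower()
    known = authorized.get(bssid)
    our_ssids = {s for s, _ in authorized.values()}
    if known is None:
        if ssid in our_ssids:
            return "evil-twin"        # unknown radio advertising our network name
        return "rogue"                # unknown radio, foreign or cloaked SSID
    exp_ssid, exp_channel = known
    if ssid != exp_ssid and ssid != "":   # a cloaked beacon carries a null SSID
        return "ssid-mismatch"        # an inventoried BSSID under a different name
    if channel != exp_channel:
        return "channel-change"       # inventoried radio where it should not be
    return "authorized"


def scan_report(beacons: Iterable[Beacon],
                authorized: Dict[str, Tuple[str, int]] = AUTHORIZED
                ) -> Dict[str, Tuple[str, str, int, int]]:
    """One finding per BSSID: (verdict, ssid, channel, strongest rssi).
    A Trojan AP is expected to out-shout the real one, so the strongest
    reading is kept for the operator to compare signal levels."""
    report: Dict[str, Tuple[str, str, int, int]] = {}
    for ssid, bssid, channel, rssi in beacons:
        bssid = bssid.lower()
        verdict = classify_beacon(ssid, bssid, channel, authorized)
        prev = report.get(bssid)
        if prev is None or rssi > prev[3]:
            report[bssid] = (verdict, ssid, channel, rssi)
    return report


SAMPLE_BEACONS = [   # constructed capture
    ("corpnet", "00:02:2d:17:b9:e8", 6, -61),
    ("corpnet", "00:02:2d:17:b9:e8", 6, -58),
    ("corpnet", "00:0c:41:aa:bb:cc", 1, -35),   # unknown BSSID, our SSID, strong signal
    ("linksys", "00:0c:41:dd:ee:ff", 6, -80),   # unknown SSID on an unknown radio
    ("corpnet", "00:02:2d:17:b9:e9", 1, -70),   # inventoried AP on the wrong channel
]


if __name__ == "__main__":
    for bssid, finding in scan_report(SAMPLE_BEACONS).items():
        print(bssid, *finding)
```

Because the attacker can also clone an inventoried BSSID (Section 4.1), this inventory check is a first filter, not a proof of legitimacy; the signal-strength column and the channel are there so an operator can notice the same BSSID appearing with a different fingerprint.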

6.5 Equipment Flaws
A search on www.securityfocus.com for access point vulnerabilities will show that numerous flaws in equipment from well-known manufacturers are known. For example, one such AP crashes when a frame is sent to it that has the spoofed source MAC address of itself. Another AP features an embedded TFTP (Trivial File Transfer Protocol) server. By requesting a file named config.img via TFTP, an attacker receives the binary image of the AP configuration. The image includes the administrator's password required by the HTTP user interface, the WEP encryption keys, MAC address, and SSID. Yet another AP returns the WEP keys, MAC filter list, and administrator's password when sent a UDP packet to port 27155 containing the string gstsearch.

It is not clear how these flaws were discovered. The following is a likely procedure. Most manufacturers design their equipment so that its firmware can be flashed with a new and improved one in the field. The firmware images are downloaded from the manufacturer's web site. The CPU used in the APs can be easily recognized, and the firmware can be systematically disassembled, revealing the flaws at the assembly language level.

Comprehensive lists of such equipment flaws are likely circulating among the attackers.

7. Denial of Service

A denial of service (DoS) occurs when a system is not providing services to authorized clients because of resource exhaustion by unauthorized clients. In wireless networks, DoS attacks are difficult to prevent, it is difficult to stop an ongoing attack, and the victim and its clients may not even detect the attacks. The duration of such DoS may range from milliseconds to hours. A DoS attack against an individual station enables session hijacking.

7.1 Jamming the Air Waves
A number of consumer appliances such as microwave ovens, baby monitors, and cordless phones operate on the unregulated 2.4 GHz radio frequency. An attacker can unleash large amounts of noise using these devices and jam the air waves so that the signal-to-noise ratio drops so low that the wireless LAN ceases to function. The only solution to this is RF-proofing the surrounding environment.

7.2 Flooding with Associations
The AP inserts the data supplied by the station in the Association Request into a table called the association table that the AP maintains in its memory. The IEEE 802.11 specifies a maximum value of 2007 concurrent associations to an AP. The actual size of this table varies among different models of APs. When this table overflows, the AP would refuse further clients.

Having cracked WEP, an attacker authenticates several non-existing stations using legitimate-looking but randomly generated MAC addresses. The attacker then sends a flood of spoofed associate requests so that the association table overflows.

Enabling MAC filtering in the AP will prevent this attack.

7.3 Forged Disassociation
The attacker sends a spoofed Disassociation frame where the source MAC address is set to that of the AP. The station is still authenticated but needs only to reassociate, and sends Reassociation Requests to the AP. The AP may send a Reassociation Response accepting the station, and the station can then resume sending data. To prevent reassociation, the attacker continues to send Disassociation frames for a desired period.

7.4 Forged Deauthentication
The attacker monitors all raw frames, collecting the source and destination MAC addresses to verify that they are among the targeted victims. When a data or Association Response frame is observed, the attacker sends a spoofed Deauthentication frame where the source MAC address is spoofed to that of the AP. The station is now unassociated and unauthenticated, and needs to reconnect. To prevent a reconnection, the attacker continues to send Deauthentication frames for a desired period. The attacker may even rate-limit the Deauthentication frames to avoid overloading an already congested network.

The mischievous packets of Disassociation and Deauthentication are sent directly to the client, so these will not be logged by the AP or IDS, and neither MAC filtering nor WEP protection will prevent it.
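Since the AP never sees the forged frames of Sections 7.3 and 7.4, detection has to come from a radio that listens in monitor mode (Section 3.1). The following added example (not the article's code) counts Disassociation and Deauthentication frames per source/destination pair in a sliding window: one such frame is what a real AP sends when it drops a client, a sustained burst aimed at one client is the forged pattern. The capture is reduced to (timestamp, frame type, source, destination) tuples, which is an assumed format, and the frames and addresses are constructed.

```python
"""Detecting forged Disassociation / Deauthentication floods (Sections 7.3, 7.4).
Added example, not the article's code. The input is a monitor-mode capture
reduced to (timestamp, frame type, source, destination) tuples; the frames
and addresses below are constructed."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

DISCONNECT_TYPES = {"Deauthentication", "Disassociation"}
Alert = Tuple[float, str, str, int]          # (time, src, dst, count in window)


class DisconnectFloodDetector:
    """Sliding-window counter of disconnect frames per (source, destination)."""

    def __init__(self, window_s: float = 1.0, threshold: int = 5) -> None:
        self.window_s = window_s
        self.threshold = threshold
        self._times: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.alerts: List[Alert] = []

    def observe(self, ts: float, ftype: str, src: str, dst: str) -> Optional[Alert]:
        """Feed one frame; return an alert if the pair's rate crosses the threshold."""
        if ftype not in DISCONNECT_TYPES:
            return None
        key = (src.lower(), dst.lower())
        q = self._times[key]
        q.append(ts)
        while q and ts - q[0] > self.window_s:     # drop frames older than the window
            q.popleft()
        if len(q) >= self.threshold:
            alert = (ts, key[0], key[1], len(q))
            self.alerts.append(alert)
            return alert
        return None


AP = "00:02:2d:17:b9:e8"          # constructed BSSID
STA1 = "00:0c:41:11:22:33"        # constructed station addresses
STA2 = "00:0c:41:aa:bb:cc"

SAMPLE_CAPTURE = (
    [(0.0, "Deauthentication", AP, STA1)]                           # one legitimate drop
    + [(5.0 + 0.2 * i, "Data", STA2, AP) for i in range(5)]        # ordinary traffic
    + [(10.0 + 0.1 * i, "Deauthentication", AP, STA2) for i in range(8)]   # forged burst
)


def run_sample(window_s: float = 1.0, threshold: int = 5) -> List[Alert]:
    det = DisconnectFloodDetector(window_s, threshold)
    for frame in SAMPLE_CAPTURE:
        det.observe(*frame)
    return det.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print("flood: %s -> %s, %d disconnect frames within window at t=%.1f"
              % (alert[1], alert[2], alert[3], alert[0]))
```

The threshold and window are tuning knobs: the article notes the attacker may rate-limit the frames to stay under the noise, so a second, longer window (tens of seconds) catches slow floods that a one-second window lets through.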

7.5 Power Saving
Power conservation is important for typical station laptops, so they frequently enter an 802.11 state called Doze. An attacker can steal packets intended for a station while the station is in the Doze state. The 802.11 protocol requires a station to inform the AP through a successful frame exchange that it wishes to enter the Doze state from the Active state.

Periodically the station awakens and sends a PS-Poll frame to the AP. The AP will transmit in response the packets that were buffered for the station while it was dozing. This polling frame can be spoofed by an attacker, causing the AP to send the collected packets and flush its internal buffers. An attacker can repeat these polling messages so that when the legitimate station periodically awakens and polls, the AP will inform it that there are no pending packets.

8. Man-in-the-Middle Attacks

Man-in-the-middle (MITM) attack refers to the situation where an attacker on host X inserts X between all communications between hosts B and C, and neither B nor C is aware of the presence of X. All messages sent by B do reach C but via X, and vice versa. The attacker can merely observe the communication or modify it before sending it out. An MITM attack can break connections that are otherwise secure. At the TCP level, SSH and VPN, e.g., are prone to this attack.

8.1 Wireless MITM
Assume that station B was authenticated with C, a legitimate AP. Attacker X is a laptop with two wireless cards. Through one card, he will present X as an AP. Attacker X sends Deauthentication frames to B using C's MAC address as the source, and the BSSID he has collected. B gets deauthenticated and begins a scan for an AP and may find X on a channel different from C. There is a race condition between X and C. If B associates with X, the MITM attack succeeded. X will re-transmit the frames it receives from B to C, and the frames it receives from C to B after suitable modifications. The package of tools called AirJack (http://802.11ninja.net/airjack/) includes a program called monkey_jack that automates the MITM attack. This is programmed well so that the odds of it winning in the race condition mentioned above are improved.
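The wireless MITM above depends on X's second card advertising the legitimate network's SSID, typically on a different channel from C. A monitor that compares the beacons it hears against a registry of authorized APs catches that setup (and the Evil Twin of the glossary). The check below is an added example for this section, not code from the article or from AirJack; the registry, the beacon record fields and all addresses are constructed for the example.

```python
"""Beacon-inventory check for the wireless MITM / evil twin setup.

Added example for Section 8.1; not from the article. A monitor-mode sniffer
records beacons; the check flags an unknown BSSID advertising one of our
SSIDs and an authorized BSSID seen on a channel other than its configured one.
"""

# Constructed registry of authorized APs: SSID -> {BSSID: channel}
AUTHORIZED = {
    "corp-wlan": {"00:11:22:33:44:55": 6},
}

# Constructed beacon records as a sniffer might export them (fields assumed).
SAMPLE_BEACONS = [
    {"ts": 0.0, "bssid": "00:11:22:33:44:55", "ssid": "corp-wlan", "channel": 6, "rssi": -60},
    {"ts": 0.1, "bssid": "00:11:22:33:44:55", "ssid": "corp-wlan", "channel": 6, "rssi": -61},
    # a neighbour's network: not ours, so it is ignored
    {"ts": 0.2, "bssid": "66:77:88:99:aa:bb", "ssid": "guest-cafe", "channel": 11, "rssi": -80},
    # X's second card posing as the AP on channel 1 with a stronger signal
    {"ts": 5.0, "bssid": "02:de:ad:be:ef:01", "ssid": "corp-wlan", "channel": 1, "rssi": -40},
    {"ts": 5.1, "bssid": "02:de:ad:be:ef:01", "ssid": "corp-wlan", "channel": 1, "rssi": -40},
    # our own BSSID value appearing on the wrong channel: a spoofed BSSID
    {"ts": 6.0, "bssid": "00:11:22:33:44:55", "ssid": "corp-wlan", "channel": 1, "rssi": -45},
]


def check_beacons(beacons, authorized):
    """Return one finding per (ssid, bssid) pair that contradicts the registry."""
    findings = {}
    for b in beacons:
        ssid, bssid = b["ssid"], b["bssid"]
        if ssid not in authorized:
            continue                      # someone else's SSID: out of scope here
        if bssid not in authorized[ssid]:
            kind = "unknown_bssid_for_authorized_ssid"
        elif authorized[ssid][bssid] != b["channel"]:
            kind = "authorized_bssid_on_wrong_channel"
        else:
            continue                      # matches the registry exactly
        f = findings.setdefault((ssid, bssid), {
            "kind": kind, "ssid": ssid, "bssid": bssid,
            "channels": set(), "beacons": 0, "strongest_rssi": b["rssi"],
        })
        f["channels"].add(b["channel"])
        f["beacons"] += 1
        # an evil twin is placed so that clients hear it louder than the real AP
        f["strongest_rssi"] = max(f["strongest_rssi"], b["rssi"])
    return list(findings.values())


if __name__ == "__main__":
    for finding in check_beacons(SAMPLE_BEACONS, AUTHORIZED):
        print(finding)
```

The registry is the control: without an authoritative list of (SSID, BSSID, channel) triples, a monitor cannot tell X's card from a legitimately added AP, which is why Section 10.4 has the WIDS keep a registry of known stations and APs.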

8.2 ARP Poisoning
ARP cache poisoning is an old problem in wired networks. Wired networks have deployed mitigating techniques. But the ARP poisoning technique is re-enabled in the presence of APs that are connected to a switch/hub along with other wired clients.
ARP is used to determine the MAC address of a device whose IP address is known. The translation is performed with a table lookup. The ARP cache accumulates as the host continues to network. If the ARP cache does not have an entry for an IP address, the outgoing IP packet is queued, and an ARP Request packet that effectively requests "If your IP address matches this target IP address, then please let me know what your Ethernet address is" is broadcast. The host with the target IP is expected to respond with an ARP Reply, which contains the MAC address of the host. Once the table is updated because of receiving this response, all the queued IP packets can now be sent. The entries in the table expire after a set time in order to account for possible hardware address changes for the same IP address. This change may have happened, e.g., due to the NIC being replaced.
Unfortunately, the ARP does not provide for any verification that the responses are from valid hosts or that it is receiving a spurious response as if it has sent an ARP Request. ARP poisoning is an attack technique exploiting this lack of verification. It corrupts the ARP cache that the OS maintains with wrong MAC addresses for some IP addresses. An attacker accomplishes this by sending an ARP Reply packet that is deliberately constructed with a wrong MAC address. The ARP is a stateless protocol. Thus, a machine receiving an ARP Reply cannot determine if the response is due to a request it sent or not.
ARP poisoning is one of the techniques that enables the man-in-the-middle attack. An attacker on machine X inserts himself between two hosts B and C by (i) poisoning B so that C's IP address is associated with X's MAC address, (ii) poisoning C so that B's address is associated with X's MAC address, and (iii) relaying the packets X receives.
The ARP poison attack is applicable to all hosts in a subnet. Most APs act as transparent MAC-layer bridges, and so all stations associated with it are vulnerable. If an access point is connected directly to a hub or a switch without an intervening router/firewall, then all hosts connected to that hub or switch are susceptible also. Note that recent devices aimed at the home consumer market combine a network switch with perhaps four or five ports, an AP, a router and a DSL/cable modem connecting to the Internet at large. Internally, the AP is connected to the switch. As a result, an attacker on a wireless station can become a MITM between two wired hosts, one wired one wireless, or both wireless hosts.
The tool called Ettercap (http://ettercap.sourceforge.net) is capable of performing ARP poisoning.
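The text makes the key point that a host cannot tell whether an ARP Reply answers a request it sent, because ARP is stateless. A passive monitor on the segment can keep that state on the hosts' behalf and report the three symptoms described above: a reply that answers no outstanding request, an IP address whose MAC binding suddenly changes, and one MAC address claiming the IP addresses of several hosts (steps (i) and (ii) of the MITM). The monitor below is an added example written for this section, not code from the article or from Ettercap; the packet record fields and all addresses are constructed for the example.

```python
"""Passive ARP monitor for one subnet.

Added example for Section 8.2; not from the article. It tracks outstanding
ARP Requests and learned IP-to-MAC bindings so that the poisoning pattern
described in the text becomes visible. Packet field names are assumptions.
"""
from collections import defaultdict

REQUEST_TTL = 2.0   # seconds a request stays "outstanding" (assumed value)


class ArpMonitor:
    def __init__(self, trusted=None):
        # ip -> mac; seeded from `trusted` (e.g. the gateway) or learned from
        # the first binding seen. Existing entries are never overwritten.
        self.table = dict(trusted or {})
        self.pending = {}                 # target ip -> ts of the last request seen
        self.claims = defaultdict(set)    # mac -> set of ips it has claimed
        self.alerts = []

    def _alert(self, kind, pkt, **details):
        self.alerts.append({"kind": kind, "ts": pkt["ts"], **details})

    def _learn(self, ip, mac, pkt):
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            # keep the original binding: a monitor must not let a poisoner rewrite it
            self._alert("mapping_change", pkt, ip=ip, old_mac=known, new_mac=mac)
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            # one card answering for two hosts is the MITM signature (weak on
            # its own: multi-homed hosts and proxy ARP also do this)
            self._alert("mac_claims_multiple_ips", pkt, mac=mac,
                        ips=sorted(self.claims[mac]))

    def observe(self, pkt):
        if pkt["op"] == "request":
            self.pending[pkt["target_ip"]] = pkt["ts"]
        elif pkt["op"] == "reply":
            asked = self.pending.pop(pkt["sender_ip"], None)
            if asked is None or pkt["ts"] - asked > REQUEST_TTL:
                # nobody asked: gratuitous ARP on interface-up is benign,
                # but it is exactly what a poisoner sends
                self._alert("unsolicited_reply", pkt,
                            ip=pkt["sender_ip"], mac=pkt["sender_mac"])
        # both requests and replies carry the sender's own binding
        self._learn(pkt["sender_ip"], pkt["sender_mac"], pkt)


def analyze(packets, trusted=None):
    """Run the monitor over a packet list and return its alerts."""
    mon = ArpMonitor(trusted)
    for p in packets:
        mon.observe(p)
    return mon.alerts


# Constructed sample traffic: B and C resolve each other normally, then X
# (the attacker's card) claims C's address towards B and B's address towards C.
B_IP, B_MAC = "10.0.0.10", "00:00:00:00:00:0b"
C_IP, C_MAC = "10.0.0.1", "00:00:00:00:00:0c"
X_MAC = "00:00:00:00:00:0e"

SAMPLE_PACKETS = [
    {"ts": 0.00, "op": "request", "sender_ip": B_IP, "sender_mac": B_MAC, "target_ip": C_IP},
    {"ts": 0.01, "op": "reply",   "sender_ip": C_IP, "sender_mac": C_MAC, "target_ip": B_IP},
    {"ts": 0.50, "op": "request", "sender_ip": C_IP, "sender_mac": C_MAC, "target_ip": B_IP},
    {"ts": 0.51, "op": "reply",   "sender_ip": B_IP, "sender_mac": B_MAC, "target_ip": C_IP},
    {"ts": 5.00, "op": "reply",   "sender_ip": C_IP, "sender_mac": X_MAC, "target_ip": B_IP},
    {"ts": 5.10, "op": "reply",   "sender_ip": B_IP, "sender_mac": X_MAC, "target_ip": C_IP},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_PACKETS):
        print(alert)
```

Seeding the table with the gateway's real MAC (the `trusted` argument) is the same idea as a static ARP entry on the hosts, which is the wired-network mitigation the text alludes to; the monitor merely makes violations observable instead of preventing them.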

8.3 Session Hijacking
Session hijacking occurs in the context of a user, whether human or computer. The user has an ongoing connection with a server. Hijacking is said to occur when an attacker causes the user to lose his connection, and the attacker assumes his identity and privileges for a period.
An attacker disables temporarily the user's system, say by a DoS attack or a buffer overflow exploit. The attacker then takes the identity of the user. The attacker now has all the access that the user has. When he is done, he stops the DoS attack, and lets the user resume. The user may not detect the interruption if the disruption lasts no more than a couple of seconds. Such hijacking can be achieved by using the forged Disassociation DoS attack.
Corporate wireless networks are often set up so that the user is directed to an authentication server when his station attempts a connection with an AP. After the authentication, the attacker employs the session hijacking described above using spoofed MAC addresses.

9. War Driving

Equipped with wireless devices and related tools, and driving around in a vehicle or parking at interesting places with a goal of discovering easy-to-get-into wireless networks is known as war driving. Wardrivers (http://www.wardrive.net/) define war driving as "The benign act of locating and logging wireless access points while in motion." This benign act is of course useful to the attackers.

9.1 Warchalking
War chalking is the practice of marking sidewalks and walls with special symbols to indicate that wireless access is nearby so that others do not need to go through the trouble of the same discovery. A search on www.google.com with keywords "wardriving maps" will produce a large number of hits. Yahoo! Maps can show "WiFi Hotspots" near an address you give.

Figure 3: War Chalking Symbols

9.2 Typical Equipment
The typical war driving equipment consists of a laptop computer system or a PDA with a wireless card, a GPS, and a high-gain antenna. Typical choice of an operating system is Linux or FreeBSD where open-source sniffers (e.g., Kismet) and WEP crackers (e.g., AirSnort) are available. Similar tools (e.g., NetStumbler) that run on Windows are available.
War drivers need to be within the range of an AP or station located on the target network. The range depends on the transmit output power of the AP and the card, and the gain of the antenna. Ordinary access point antennae transmit their signals in all directions. Often, these signals reach beyond the physical boundaries of the intended work area, perhaps to adjacent buildings, floors, and parking lots. With the typical 30 mW wireless cards intended for laptops, the range is about 300 feet, but there are in 2004 wireless cards for laptops on the market that have 200 mW. Directional high-gain antennae and an RF amplifier can dramatically extend the range.

Figure 4: War Drivers' Equipment

10. Wireless Security Best Practices

This section describes best practices in mitigating the problems described above.

10.1 Location of the APs
APs should be topologically located outside the perimeter firewalls. The wireless network segments should be treated with the same suspicion as that for the public Internet. Additionally, it is important to use directional antennae and physically locate them in such a way that the radio coverage volume is within the control of the corporation or home.

10.2 Proper Configuration
Statistics collected by www.worldwidewardrive.org show a distressingly large percentage of APs left configured with the defaults.
Before a wireless device is connected to the rest of the existing network, proper configuration of the wireless device is necessary. The APs come with a default SSID, such as "Default SSID", "WLAN", "Wireless", "Compaq", "intel", and "linksys". The default passwords for the administrator accounts that configure the AP via a web browser or SNMP are well known for all manufacturers. A proper configuration should change these to difficult-to-predict values.
Note that the SSID serves as a simple handle, not as a password, for a wireless network. Unless the default SSID on the AP and stations is changed, SSID broadcasts are disabled, MAC address filtering is enabled, and WEP is enabled, an attacker can use the wireless LAN resources without even sniffing.
The configuration via web browsing (HTTP) is provided by a simplistic web server built into an AP. Often this configuration interface is provided via both wired connections and wireless connections. The web server embedded in a typical AP does not contain secure HTTP, so the password that the administrator submits to the AP can be sniffed. Web-based configuration via wireless connections should be disabled.
WEP is disabled in some organizations because the throughput is then higher. Enabling WEP encryption makes it necessary for the attacker intending to crack WEP to sniff a large number of frames. The higher the number of bits in the encryption, the larger the number of frames that must be collected. The physical presence in the radio range of the equipment for long periods increases the odds of his equipment being detected. WEP should be enabled.
The IEEE 802.11 does not describe an automated way of distributing the shared secret keys. In large installations, the manual distribution of keys every time they are changed is expensive. Nevertheless, the WEP encryption keys should be changed periodically.
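The rules of this section can be turned into a repeatable check that an auditor (Section 10.5) runs against every AP's exported settings. The script below is an added example, not code from the article; the settings dictionary, its field names, the password-length and key-age thresholds, and the stand-in list of default administrator passwords are all assumptions of the example (only the default SSIDs come from the text). The two sample configurations, a factory-default one and a hardened one, are constructed.

```python
"""Audit an AP's settings against the Section 10.2 rules.

Added example; not from the article. The settings dictionary is a constructed
stand-in for what a script would pull from an AP's management interface; its
field names are not any vendor's API.
"""

DEFAULT_SSIDS = {"default ssid", "wlan", "wireless", "compaq", "intel", "linksys"}  # from the text
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", ""}   # constructed stand-in for vendor defaults
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}      # the usual factory community strings
MIN_PASSWORD_LEN = 12                                  # assumed policy value
MAX_WEP_KEY_AGE_DAYS = 30                              # assumed policy value


def audit_ap(cfg):
    """Return (severity, message) findings; an empty list means the settings meet the rules."""
    findings = []
    if cfg["ssid"].strip().lower() in DEFAULT_SSIDS:
        findings.append(("high", "SSID %r is a factory default" % cfg["ssid"]))
    pw = cfg["admin_password"]
    if pw.lower() in DEFAULT_ADMIN_PASSWORDS or len(pw) < MIN_PASSWORD_LEN:
        findings.append(("high", "administrator password is a vendor default or shorter than %d characters"
                         % MIN_PASSWORD_LEN))
    if cfg["snmp_community"] in DEFAULT_SNMP_COMMUNITIES:
        findings.append(("high", "SNMP community string %r is a default" % cfg["snmp_community"]))
    if cfg["ssid_broadcast"]:
        findings.append(("medium", "SSID broadcast is enabled"))
    if not cfg["mac_filtering"]:
        findings.append(("medium", "MAC address filtering is disabled"))
    if not cfg["wep_enabled"]:
        findings.append(("high", "WEP is disabled"))
    else:
        if cfg["wep_key_bits"] < 128:
            findings.append(("low", "%d-bit WEP; a longer key forces an attacker to collect more frames"
                             % cfg["wep_key_bits"]))
        if cfg["wep_key_age_days"] > MAX_WEP_KEY_AGE_DAYS:
            findings.append(("medium", "WEP key is %d days old and should be rotated" % cfg["wep_key_age_days"]))
    if cfg["web_admin_over_wireless"]:
        findings.append(("high", "web-based (plain HTTP) configuration is reachable over the wireless interface"))
    return findings


# Constructed sample configurations.
FACTORY_DEFAULT = {
    "ssid": "linksys", "admin_password": "admin", "snmp_community": "public",
    "ssid_broadcast": True, "mac_filtering": False,
    "wep_enabled": False, "wep_key_bits": 64, "wep_key_age_days": 0,
    "web_admin_over_wireless": True,
}
HARDENED = {
    "ssid": "bldg7-lab-net", "admin_password": "constructed-long-passphrase",
    "snmp_community": "constructed-nondefault-community",
    "ssid_broadcast": False, "mac_filtering": True,
    "wep_enabled": True, "wep_key_bits": 128, "wep_key_age_days": 14,
    "web_admin_over_wireless": False,
}

if __name__ == "__main__":
    for severity, message in audit_ap(FACTORY_DEFAULT):
        print(severity.upper(), message)
```

The WEP rules encode this section's own baseline; Section 10.6 names 802.11i and WPA as the successors, and an audit written against them would replace the WEP checks with the corresponding key-management settings.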

10.3 Secure Protocols
If the WEP is disabled, or after the WEP is cracked, the attacker can capture all TCP/IP packets by radio-silent sniffing for later analyses. All the wired network attacks are possible. There are real-time tools that analyze and interpret the TCP/IP data as they arrive.
All protocols that send passwords and data in the clear must be avoided. This includes the rlogin family, telnet, and POP3. Instead one should use SSH and VPN.
In general, when a wireless segment is involved, one should use end-to-end encryption at the application level in addition to enabling WEP.

10.4 Wireless IDS
A wireless intrusion detection system (WIDS) is often a self-contained computer system with specialized hardware and software to detect anomalous behavior. The underlying software techniques are the same hacking techniques described above. The special wireless hardware is more capable than the commodity wireless card, including the RF monitor mode, detection of interference, and keeping track of signal-to-noise ratios. It also includes GPS equipment so that rogue clients and APs can be located.
A WIDS includes one or more listening devices that collect MAC addresses, SSIDs, features enabled on the stations, transmit speeds, current channel, encryption status, beacon interval, etc. Its computing engine will be powerful enough that it can dissect frames and WEP-decrypt into IP and TCP components. These can be fed into TCP/IP-related intrusion detection systems.
Unknown MAC addresses are detected by maintaining a registry of MAC addresses of known stations and APs. Frequently, a WIDS can detect spoofed known MAC addresses because the attacker could not control the firmware of the wireless card to insert the appropriate sequence numbers into the frame.
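The last sentence is the basis of the sequence-number check in Wright's paper (reference 16). The 12-bit sequence number in the 802.11 Sequence Control field is set by the card's firmware and advances by one per frame (wrapping at 4096, repeating on retransmission), so frames forged under a station's MAC address form a second counter stream unrelated to the station's own. The detector below is an added example written for this section, not code from the article or from any WIDS product: it keeps up to two counter streams per MAC and reports a MAC whose frames alternate between them. The gap and recency tolerances and the frame record fields are assumptions; the sample frames are constructed, including a legitimate 4095 to 0 wrap and a retransmission that must not alert.

```python
"""Sequence-number consistency check for spoofed known MAC addresses.

Added example for Section 10.4; not from the article. Record field names
(ts, src, seq) are assumptions of this example.
"""
from collections import defaultdict

SEQ_MOD = 4096          # the sequence number is 12 bits wide
MAX_FORWARD_GAP = 16    # forward jumps up to this are taken as unobserved frames (assumed)
RECENT = 8              # a second stream active within this many frames is "interleaved" (assumed)


def detect_seq_anomalies(frames):
    """Return one alert per frame that continues one counter stream while a
    different stream for the same source MAC was active within RECENT frames.

    A genuine card reset produces a short burst of alerts that dies out;
    spoofing produces sustained alternation for as long as both transmit.
    """
    streams = defaultdict(list)   # src mac -> up to two {"last", "seen_at"} stream records
    seen = defaultdict(int)       # src mac -> number of frames observed from it
    alerts = []
    for f in frames:
        mac, seq = f["src"], f["seq"]
        seen[mac] += 1
        n = seen[mac]
        stream = None
        for s in streams[mac]:
            gap = (seq - s["last"]) % SEQ_MOD   # modular gap handles the 4095 -> 0 wrap
            if gap <= MAX_FORWARD_GAP:          # gap 0 is a retransmission of the same frame
                stream = s
                break
        if stream is None:                       # no stream explains this number: start one
            stream = {"last": seq, "seen_at": n}
            streams[mac].append(stream)
            streams[mac] = streams[mac][-2:]     # keep only the two most recent streams
        else:
            stream["last"] = seq
        interleaved = any(s is not stream and n - s["seen_at"] <= RECENT
                          for s in streams[mac])
        stream["seen_at"] = n
        if interleaved:
            alerts.append({"mac": mac, "seq": seq, "ts": f["ts"]})
    return alerts


# Constructed sample: VICTIM's own counter runs 100..105 while forged frames
# under its address carry 3000..3002; CLEAN wraps 4095 -> 0 and is never flagged.
VICTIM, CLEAN = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
SAMPLE_FRAMES = [
    {"ts": i * 0.01, "src": src, "seq": seq}
    for i, (src, seq) in enumerate([
        (VICTIM, 100), (CLEAN, 4090), (VICTIM, 101), (CLEAN, 4091), (VICTIM, 102),
        (CLEAN, 4095), (CLEAN, 0),          # normal 12-bit wrap
        (VICTIM, 3000),                     # forged: foreign counter value
        (VICTIM, 103), (VICTIM, 3001), (CLEAN, 1), (VICTIM, 104),
        (VICTIM, 104),                      # retransmission: same number, same stream
        (VICTIM, 3002), (CLEAN, 2), (VICTIM, 105),
    ])
]

if __name__ == "__main__":
    for alert in detect_seq_anomalies(SAMPLE_FRAMES):
        print(alert)
```

Every frame of the alternation is reported, the station's own as well as the forged ones, because the signal is the coexistence of two streams rather than any single number; a WIDS would aggregate these into one incident per MAC and combine them with the MAC registry the text describes.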

10.5 Wireless Auditing
Periodically, every wireless network should be audited. Several audit firms provide this service for a fee. A security audit begins with a well-established security policy. A policy for wireless networks should include a description of the geographical volume of coverage. The main goal of an audit is to verify that there are no violations of the policy. To this end, the typical auditor employs the tools and techniques of an attacker.

10.6 Newer Standards and Protocols
Many improvements in wireless network technology are proposed through proprietary channels (e.g., Cisco Lightweight Extensible Authentication Protocol) as well as through the IEEE. The new IEEE 802.11i (ratified in June 2004) enhances the current 802.11 standard to provide improvements in security. These include Port-Based Access Control for authentication, Temporal Key Integrity Protocol for dynamic changing of encryption keys, and Wireless Robust Authentication Protocol. An interim solution proposed by vendors, the Wi-Fi Protected Access (WPA), a subset of 802.11i, is only now becoming available in some products. Time will tell if these can withstand future attacks.

10.7 Software Tools
Below we describe a collection of cost-free tools that can be used both as attack tools and as audit tools.
AirJack (http://802.11ninja.net/airjack/) is a collection of wireless card drivers and related programs. It includes a program called monkey_jack that automates the MITM attack. Wlan_jack is a DoS tool that accepts a target source and BSSID to send continuous deauthenticate frames to a single client or an entire network (broadcast address). Essid_jack sends a disassociate frame to a target client in order to force the client to reassociate with the network, thereby giving up the network SSID.
AirSnort (www.airsnort.shmoo.com) can break WEP by passively monitoring transmissions and computing the encryption key when enough packets have been gathered.
Ethereal (www.ethereal.com) is a LAN analyzer, including wireless. One can interactively browse the capture data, viewing summary and detail information for all observed wireless traffic.
FakeAP (ww.blackalchemy.to/project/fakeap) can generate thousands of counterfeit 802.11b access points.
HostAP (www.hostap.epitest.fi) converts a station that is based on Intersil's Prism2/2.5/3 chipset to function as an access point.
Kismet (www.kismetwireless.net) is a wireless sniffer and monitor. It passively monitors wireless traffic and dissects frames to identify SSIDs, MAC addresses, channels and connection speeds.
Netstumbler (www.netstumbler.com) is a wireless access point identifier running on Windows. It listens for SSIDs and sends beacons as probes searching for access points.
Prismstumbler (prismstumbler.sourceforge.net/) can find wireless networks. It constantly switches channels and monitors frames received.
The Hacker's Choice organization (www.thc.org) has the LEAP Cracker Tool suite that contains tools to break Cisco LEAP. It also has tools for spoofing authentication challenge packets from an AP. The WarDrive is a tool for mapping a city for wireless networks with a GPS device.
StumbVerter (www.sonarsecurity.com/sv.html) is a tool that reads NetStumbler's collected data files and presents street maps showing the logged WAPs as icons, whose color and shape indicate WEP mode and signal strength.
Wellenreiter (http://www.wellenreiter.net/) is a WLAN discovery tool. It uses brute force to identify low-traffic access points while hiding the real MAC address of the card it uses. It is integrated with GPS.
WEPcrack (www.wepcrack.sourceforge.net) cracks 802.11 WEP encryption keys using weaknesses of RC4 key scheduling.

11. Conclusion

This article is an introduction to the techniques an attacker would use on wireless networks. Regardless of the protocols, wireless networks will remain potentially insecure because an attacker can listen in without gaining physical access. In addition, the protocol designs were security-naive. We have pointed out several existing tools that implement attack techniques that exploit the weaknesses in the protocol designs. The integration of wireless networks into existing networks also has been carelessly done. We pointed out several best practices that can mitigate the insecurities.

GLOSSARY
AP: Access Point. Any entity that has station functionality and provides access to the distribution services, via the wireless medium for associated stations.
Association Table: The Association table is within an AP and controls the routing of all packets between the Access Point and the wireless devices in a WLAN.
Basic Service Set: BSS is a collection, or set, of stations that are logically associated with each other and controlled by a single AP. Together, they operate as a fully connected wireless network.
Basic Service Set Identifier (BSSID): A 48-bit identifier used by all stations in a Basic Service Set as part of the frame header.
Beacon: A wireless LAN frame broadcast by access points that signals their availability.
Evil Twin Attack: An unauthorized AP whose goal is to masquerade as an existing legitimate/authorized AP is called an Evil Twin. The evil twin AP is designed and located so that client stations receive stronger signals from it. Legitimate users are lured into the evil twin, and unknowingly give away user IDs and passwords.
Independent BSS: An IBSS is usually an ad hoc network. In an IBSS, all of the stations are responsible for sending beacons.
IDS: Intrusion detection system.
MITM: Man-in-the-middle. See Section 8.
Service Set Identifier (SSID): All APs and stations within the same wireless network use an identifier that is up to 32 bytes long.
Social Engineering: Social engineering is a term, coined in jest, that refers to all non-technical methods of collecting information about a person so that the passwords the person may use can be predicted. The methods of collection range from dumpster diving, analyzing the publicly available information to making phone calls impersonating others.
STA: A wireless station.
WEP: Wired Equivalent Privacy (WEP) is a shared-secret key encryption system used to encrypt packets transmitted between a station and an AP.

Cross References
The following is a list of other articles in the handbook related to wireless networks. Article numbers are as in the Handbook TOC.
26. Radio Frequency and Wireless Communications Security
27. Propagation Characteristics of Wireless Channels
43. Wireless Local Area Networks
44. Security Issues in Wireless Sensor Networks
46. Mobile IP (Internet Protocol)
48. TCP (Transmission Control Protocol) over Wireless Links
50. Wireless Internet
56. PKI (Public Key Infrastructure)
67. Wireless Application Protocol (WAP)
68. Wireless Networks Standards and Protocol (802.11)
74. Wireless Information Warfare
142. Hacking Techniques in Wireless Networks (mine)
150. Wireless Threats and Attacks
151. WEP (Wired Equivalent Privacy) Security
152. Wireless Security
153. Cracking WEP (Wired Equivalent Privacy)

References
1. John Bellardo and Stefan Savage, "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions," Usenix 2003 Proceedings, 2003. http://www.cs.ucsd.edu/users/savage/papers/UsenixSec03.pdf. Retrieved Jan 20, 2004.
2. Jon Edney and William A. Arbaugh, Real 802.11 Security: Wi-Fi Protected Access and 802.11i, 480 pages, Addison-Wesley, 2003, ISBN: 0321136209.
3. Jamil Farshchi, "Wireless Intrusion Detection Systems," November 5, 2003. http://www.securityfocus.com/infocus/1742. Retrieved Jan 20, 2004.
4. Bob Fleck and Jordan Dimov, "Wireless Access Points and ARP Poisoning: Wireless vulnerabilities that expose the wired network," October 2001. http://www.cigitallabs.com/resources/papers/download/arppoison.pdf. Retrieved Jan 20, 2004.
5. Rob Flickenger, Wireless Hacks: 100 Industrial-Strength Tips & Tools, 286 pages, O'Reilly & Associates, September 2003, ISBN: 0596005598.
6. Matthew S. Gast, 802.11 Wireless Networks: The Definitive Guide, 464 pages, O'Reilly & Associates, April 2002, ISBN: 0596001835.
7. Vikram Gupta, Srikanth Krishnamurthy, and Michalis Faloutsos, "Denial of Service Attacks at the MAC Layer in Wireless Ad Hoc Networks," Proceedings of 2002 MILCOM Conference, Anaheim, CA, October 2002.
8. Chris Hurley, Michael Puchol, Russ Rogers, and Frank Thornton, WarDriving: Drive, Detect, Defend, A Guide to Wireless Security, Syngress, 2004, ISBN: 1931836035.
9. IEEE, IEEE 802.11 standards documents, http://standards.ieee.org/wireless/. Retrieved Jan 20, 2004.
10. Tom Karygiannis and Les Owens, Wireless Network Security: 802.11, Bluetooth and Handheld Devices, National Institute of Standards and Technology Special Publication 800-48, November 2002. http://cswww.ncsl.nist.gov/publications/nistpubs/80048/NIST_SP_80048.pdf. Retrieved Jan 20, 2004.
11. Prabhaker Mateti, "TCP/IP Suite," The Internet Encyclopedia, Hossein Bidgoli (Editor), John Wiley, 2003, ISBN 0471222011.
12. Robert Moskowitz, "Debunking the Myth of SSID Hiding." http://www.icsalabs.com/html/communities/WLAN/wp_ssid_hiding.pdf. Retrieved March 10, 2004.
13. Bruce Potter and Bob Fleck, 802.11 Security, O'Reilly & Associates, 2002, ISBN: 0596002904.
14. William Stallings, Wireless Communications & Networks, Prentice Hall, 2001, ISBN: 0130408646.
15. Warchalking, http://www.warchalking.org/. Retrieved Jan 20, 2004.
16. Joshua Wright, "Detecting Wireless LAN MAC Address Spoofing." http://home.jwu.edu/jwright/. Retrieved Jan 20, 2004.

Further Reading
Stallings' book is a broad introduction to wireless communications including electrical signal theory, the TCP/IP suite, IEEE 802.11 and Bluetooth. Gast's book is devoted to 802.11. The report by Karygiannis and Les Owens is a gentle introduction to wireless security. Potter and Fleck's book is about network security in general in spite of its title, and covers several Unix-like OSes. The book by Edney and Arbaugh is an advanced technical book aimed at wireless networking professionals and covers 802.11i and WPA.
The website 802.11security.com/ is a rich collection of links. The site at en.wikipedia.org/wiki/IEEE_802.11 shows promise that it will become a living free encyclopedia on wireless networks.
The research paper by Bellardo and Savage provides an experimental analysis of denial of service attacks at the wireless MAC level. This paper also describes a method of transmitting arbitrary frames even while the wireless card firmware attempts to sanitize the frame content.
Section 8.3 is based on the white paper by Fleck and Dimov.
The article by Farshchi is a non-technical overview of the capabilities of wireless intrusion detection systems.
The book by Hurley et al. is all about war driving.
