Wireless LANS - PowerPoint PPT Presentation

About This Presentation
Title:

Wireless LANS

Description:

Kismet, although not as graphical or user friendly as NetStumbler, is similar to ... Kismet can even store encrypted packets that use weak keys separately to run ... – PowerPoint PPT presentation

Slides: 53
Provided by: kevinc3

Transcript and Presenter's Notes


1
Wireless LANS
2
Electromagnetic Radiation
  • An electron is surrounded by an electric field.
  • When an electron moves, a magnetic field forms
    around it.
  • By increasing and decreasing the density of
    electrons in a wire (antenna), we can create a
    ripple effect in the two fields.

3
Electromagnetic Radiation
  • The ripples travel at the speed of light,
    c = 3 x 10^8 m/s.
  • The frequency of an electromagnetic wave
    determines its properties. X-rays, ordinary
    light and radio waves are all electro-magnetic
    waves.

4
(No Transcript)
5
Radio Transmission
[Figure: radio transmission from a transmitter at Site A to a receiver at Site B via radio waves]
  • Suppose we set up a transmitter that emits radio
    waves of a selected frequency.
  • An aerial and receiver can be designed to
    electrically resonate with the same frequency and
    so pick up that frequency.

6
Radio Channel
  • We can send signals using a radio channel by
    switching our transmitter on and off (just like
    the simple telegraph circuit). This was how
    Morse code used to be sent.
  • The signal quality is much improved if the signal
    is sent by varying the amplitude of a continuous
    carrier wave.
  • Most noise is out of phase with the carrier wave
    and so gets ignored by the receiver.

7
Electromagnetic Communication Systems
  • Radio, television, satellite systems are all
    designed around the principles of antennas.
  • The frequencies of microwaves and light are much
    higher than radio waves. They are produced more
    efficiently by other means.
  • Microwaves are produced by a special electronic
    valve called a magnetron.
  • Light can be produced by LEDs.

8
Microwave Channels
[Figure: microwave link between a transmitter dish and a receiver dish]
  • Microwaves are transmitted and received using
    parabolic dishes (the special shape focuses the
    microwave beam).
  • The receiver and transmitter dishes must be in
    line of sight with each other. Microwaves can
    pass through walls, trees and clouds but not
    through the ground.

9
Wireless LANS
  • A wireless LAN (WLAN) is a flexible data
    communication system implemented as an extension
    to, or as an alternative for, a wired LAN within
    a building or campus. Using electromagnetic
    waves, WLANs transmit and receive data over the
    air, minimizing the need for wired connections.
    Thus, WLANs combine data connectivity with user
    mobility, and, through simplified configuration,
    enable movable LANs.
  • Of late, WLANs have gained strong popularity in a
    number of vertical markets, including the
    health-care, retail, manufacturing, warehousing,
    and academic arenas. These industries have
    profited from the productivity gains of using
    hand-held terminals and notebook computers to
    transmit real-time information to centralized
    hosts for processing.
  • Today WLANs are becoming more widely recognized
    as a general-purpose connectivity alternative for
    a broad range of business customers.

10
Benefits of Wireless LANS
  • The widespread strategic reliance on networking
    among competitive businesses and the meteoric
    growth of the
  • With wireless LANs, users can access shared
    information without looking for a place to plug
    in, and network managers can set up or augment
    networks without installing or moving wires.
    Wireless LANs offer the following productivity,
    service, convenience, and cost advantages over
    traditional wired networks:
  • Mobility-Wireless LAN systems can provide LAN
    users with access to real-time information
    anywhere in their organization.
  • Installation Speed and Simplicity-Installing a
    wireless LAN system can be fast and easy and can
    eliminate the need to pull cable through walls
    and ceilings.
  • Reduced Cost-of-Ownership-While the initial
    investment required for wireless LAN hardware can
    be higher than the cost of wired LAN hardware,
    overall installation expenses and life-cycle
    costs can be significantly lower. Long-term cost
    benefits are greatest in dynamic environments
    requiring frequent moves, adds, and changes.
  • Scalability-Wireless LAN systems can be
    configured in a variety of topologies to meet the
    needs of specific applications and installations.
    Configurations are easily changed and range from
    peer-to-peer networks suitable for a small number
    of users to full infrastructure networks of
    thousands of users that allow roaming over a
    broad area.

11
Which type
  • In wireless networking, a peer-to-peer (or
    point-to-point) wireless network means that each
    computer can communicate directly with every
    other computer on the network. But some wireless
    networks are client/server. They have an access
    point, which is a wired controller that receives
    and transmits data to the wireless adapters
    installed in each computer
  • There are various types of wireless networks,
    ranging from slow and inexpensive to fast and
    expensive, such as:
  • Bluetooth
  • IrDA
  • HomeRF (SWAP)
  • Wi-Fi

12
Bluetooth
  • Bluetooth technology is a wireless personal
    area networking (WPAN) technology that has gained
    significant industry support and will coexist
    with most wireless LAN solutions.

The Bluetooth specification is for a 1 Mbps,
small form-factor, low-cost radio solution that
can provide links between mobile phones, mobile
computers and other portable handheld devices and
connectivity to the internet. This technology,
embedded in a wide range of devices to enable
simple, spontaneous wireless connectivity is a
complement to wireless LANs which are designed
to provide continuous connectivity via standard
wired LAN features and functionality.
13
IrDA
  • IrDA (Infrared Data Association) is a standard
    for devices to communicate using infrared light
    pulses....like remote controls. The fact that all
    remotes use this standard allows a remote from
    one manufacturer to control a device from another
    manufacturer.
  • IrDA devices use infrared light and so depend on
    being in direct line of sight with each other.
    ....capable of transmitting data at speeds up to
    4 megabits per second (Mbps), the requirement for
    line of sight means that you would need an access
    point in each room, limiting the usefulness of an
    IrDA network in a typical home layout.
  • Infrared (IR) systems use very high frequencies,
    just below visible light in the electromagnetic
    spectrum, to carry data. Like light, IR cannot
    penetrate opaque objects
  • It is either a directed (line-of-sight) or a diffuse
    technology. Inexpensive directed systems provide
    very limited range (3 ft) and typically are used
    for PANs but occasionally are used in specific
    WLAN applications.
  • Diffuse (or reflective) IR WLAN systems do not
    require line-of-sight, but cells are limited to
    individual rooms.

14
HomeRF and SWAP
  • HomeRF (RF stands for radio frequency) is an
    alliance of businesses that have developed a
    standard called Shared Wireless Access Protocol
    (SWAP). A hybrid standard, SWAP includes six
    voice channels based on the DECT standard and the
    802.11 standard.
  • Here are the advantages of SWAP
  • It's inexpensive and easy to install. Requires no
    additional wires.
  • It has no access point.
  • It uses six full-duplex voice channels and one
    data channel.
  • It allows up to 127 devices and multiple networks
    in the same location.
  • You can use encryption to make your data secure.

  • Disadvantages of SWAP
  • It's not very fast (normally 1 Mbps).
  • It has a limited range (75 to 125 ft / 23 to 38 m).
  • It's not compatible with FHSS devices.
  • Physical obstructions (walls, large metal objects)
    can interfere with communication.
  • It's difficult to integrate into existing wired
    networks.
15
802.11b (Wi-Fi)
  • This standard is clearly the market leader.
    802.11b operates in the 2.4GHz unlicensed
    frequency band (same as the one used by 2.4GHz
    cordless phones and microwaves), and uses DSSS
    (Direct Sequence Spread Spectrum) and FHSS
    modulation. It generally has a raw data rate
    ranging from 2Mbps to 100Mbps.
  • Widely used in businesses, 802.11b has been
    adopted for many home networks due to its
    relatively high speed, wide availability, and
    falling prices (although we've probably gotten
    pretty close to the bottom of the price curve at
    this point). It's also the standard that's used
    for wireless public access in places like
    airports, malls, etc., and for enterprising
    individuals, companies, and community groups who
    are trying to grow their own wireless broadband
    networks.
  • Negatives include 802.11b's WEP network security
    method
  • Most access points have an integrated Ethernet
    controller to connect to an existing
    wired-Ethernet network.
  • It also has an omni-directional antenna to
    receive the data transmitted by the wireless
    transceivers.

16
Wi-Fi
  • Below shows a 3Com Airconnect wireless system.
    This allows staff to freely roam about the
    workplace with their laptops constantly connected
    to the network. This is the access point.

This is the base unit of a wireless system used
to connect workers with laptops.
17
Wireless LAN Technology Options
  • Manufacturers of wireless LANs have a range of
    technologies to choose from when designing a
    wireless LAN solution. Each technology comes with
    its own set of advantages and limitations.
  • Spread Spectrum: Most wireless LAN systems use
    spread-spectrum technology, a wideband radio
    frequency technique developed by the military for
    use in reliable, secure, mission-critical
    communications systems. Spread-spectrum is
    designed to trade off bandwidth efficiency for
    reliability, integrity, and security. In other
    words, more bandwidth is consumed than in the
    case of narrowband transmission, but the tradeoff
    produces a signal that is, in effect, louder and
    thus easier to detect, provided that the receiver
    knows the parameters of the spread-spectrum
    signal being broadcast. If a receiver is not
    tuned to the right frequency, a spread-spectrum
    signal looks like background noise. There are two
    types of spread-spectrum radio: frequency hopping
    and direct sequence.

18
Terms
  • IEEE 802.11 Standards
  • IEEE has developed several specifications
    for WLAN technology, the names of which resemble
    the alphabet. There are basically two categories
    of standards: those that specify the fundamental
    protocols for the complete wireless system (these
    are called 802.11a, 802.11b and 802.11g) and
    those that address specific weaknesses or provide
    additional functionality (these are 802.11d, e,
    f, h, i, j, k, m and n).
  • Frequency Hopping Spread Spectrum (FHSS)
  • Here the signal hops from frequency to
    frequency over a wide band of frequencies. The
    transmitter and receiver change the frequency
    they operate on in accordance with a
    Pseudo-Random Sequence (PRS) of numbers. To
    properly communicate both devices must be set to
    the same hopping code.
  • Denial of Service.
  • A denial of service (DoS) attack is an
    incident in which a user or organization is
    deprived of the services of a resource they would
    normally expect to have. Typically, the loss of
    service is the inability of a particular network
    service to be available or the temporary loss of
    all network connectivity and services.

19
Terms
  • Direct Sequence Spread Spectrum (DSSS)
  • DSSS combines a data signal with a higher
    data rate bit sequence, referred to as a
    chipping code. The data is exclusive ORed
    (XOR) with a PRS, which results in a higher bit
    rate. This increases the signal's resistance to
    interference.
  • Wireless Access Point (AP)
  • An Access Point (AP) is a piece of hardware
    that connects wireless clients to a wired
    network. It usually has at least two network
    connections and the wireless interface is
    typically an onboard radio or an embedded PCMCIA
    wireless card.
  • Wireless Network Interface Cards (NICs)
  • Each NIC has a unique Media Access Control
    (MAC) address burned into it at manufacture to
    uniquely identify it. It also contains a small
    radio device and an antenna.
  • Jamming
  • Jamming is a simple, yet highly effective
    method of causing a DoS on a wireless LAN.
    Jamming, as the name suggests, involves the use
    of a device to intentionally create interfering
    radio signals to effectively jam the airwaves,
    resulting in the AP and any client devices being
    unable to transmit.

20
Wireless LANS NarrowBand
  • Narrowband Technology
  • A narrowband radio system transmits and receives
    user information on a specific radio frequency.
    Narrowband radio keeps the radio signal frequency
    as narrow as possible just to pass the
    information. Undesirable crosstalk between
    communications channels is avoided by carefully
    coordinating different users on different channel
    frequencies.
  • A private telephone line is much like a radio
    frequency. When each home in a neighborhood has
    its own private telephone line, people in one
    home cannot listen to calls made to other homes.
    In a radio system, privacy and noninterference
    are accomplished by the use of separate radio
    frequencies. The radio receiver filters out all
    radio signals except the ones on its designated
    frequency.

21
Frequency-Hopping Spread Spectrum Technology
  • Frequency-hopping spread-spectrum (FHSS)
    uses a narrowband carrier that changes frequency
    in a pattern known to both transmitter and
    receiver. Properly synchronized, the net effect
    is to maintain a single logical channel. To an
    unintended receiver, FHSS appears to be
    short-duration impulse noise.

22
Direct-Sequence Spread Spectrum Technology
  • Direct-sequence spread-spectrum (DSSS) generates
    a redundant bit pattern for each bit to be
    transmitted. This bit pattern is called a chip
    (or chipping code).
  • The longer the chip, the greater the probability
    that the original data can be recovered (and, of
    course, the more bandwidth required).
  • Even if one or more bits in the chip are damaged
    during transmission, statistical techniques
    embedded in the radio can recover the original
    data without the need for retransmission.
  • To an unintended receiver, DSSS appears as
    low-power wideband noise and is rejected
    (ignored) by most narrowband receivers.

23
802.11 Introduction
  • On the surface WLANs act the same as their
    wired counterparts, transporting data between
    network devices. However, there is one
    fundamental, and quite significant, difference
    WLANs are based upon radio communications
    technology, as an alternative to structured
    wiring and cables.
  • Data is transmitted between devices through
    the air by utilizing the radio waves. Devices
    that participate in a WLAN must have a Network
    Interface Card (NIC) with wireless capabilities.
    This essentially means that the card contains a
    small radio device that allows it to communicate
    with other wireless devices, within the defined
    range for that card e.g. 2.4-2.4 GHz.
  • For a device to participate in a wireless
    network it must, firstly, be permitted to
    communicate with the devices in that network and,
    secondly, it must be within the transmission
    range of the devices in that network. To
    communicate, radio-based devices take advantage
    of electromagnetic waves and their ability to be
    altered in such a manner that they can carry
    information, known as modulation.

24
Intro....
Wired networks have always presented their own
security issues, but wireless networks introduce
a whole new set of rules with their own unique
vulnerabilities. Most wired security measures
are just not appropriate for application within a
WLAN environment; this is mostly due to the
complete change in transmission medium. However,
some of the security implementations developed
specifically for WLANs are also not terribly
strong. Indeed, this aspect could be viewed as
a work-in-progress: new vulnerabilities are
being discovered just as quickly as security
measures are being released. Perhaps the issue
that has received the most publicity is the major
weaknesses in WEP, and more particularly the use
of the RC4 algorithm and relatively short
Initialisation Vectors. WLANs suffer from all
the security risks associated with their wired
counterparts; however, they also introduce some
unique risks of their own. The main issue with
radio-based wireless networks is signal leakage.
Due to the properties of radio transmissions it
is impossible to contain signals within one
clearly defined area.
25
WLAN Intro
  • In addition, because data is not enclosed within
    cable it is very easy to intercept without
    being physically connected to the network.
    This puts it outside the limits of what a user
    can physically control: signals can be received
    outside the building and even from streets away.
  • Signal leakage may not be a huge priority when
    organisations are implementing their WLAN, but it
    can present a significant security issue. The
    same signals that are transmitting data around an
    organisation's office are the same signals that
    can also be picked up from streets away by an
    unknown third party. This is what makes WLANs so
    vulnerable.
  • Before WLANs became common, someone wishing to
    gain unauthorised access to a wired network had
    to physically attach themselves to a cable within
    the building. This is why wiring closets should
    be kept locked and secured. Any potential hacker
    had to take great risks to penetrate a wired
    network.
  • Today potential hackers do not have to use
    extreme measures; there's no need to smuggle
    equipment on site when it can be done from two
    streets away. It is not difficult for someone to
    obtain the necessary equipment, and access can be
    gained in a very discreet manner from a distance.

26
DSSS Continued
27
How WLANs Work
  • Wireless LANs use electromagnetic airwaves (radio
    and infrared) to communicate information from one
    point to another without relying on any physical
    connection. Radio waves are often referred to as
    radio carriers because they simply perform the
    function of delivering energy to a remote
    receiver.
  • The data being transmitted is superimposed on the
    radio carrier so that it can be accurately
    extracted at the receiving end. This is generally
    referred to as modulation of the carrier by the
    information being transmitted. Once data is
    superimposed (modulated) onto the radio carrier,
    the radio signal occupies more than a single
    frequency, since the frequency or bit rate of the
    modulating information adds to the carrier.
  • Multiple radio carriers can exist in the same
    space at the same time without interfering with
    each other if the radio waves are transmitted on
    different radio frequencies. To extract data, a
    radio receiver tunes in (or selects) one radio
    frequency while rejecting all other radio signals
    on different frequencies.

28
Wireless LANS Working
  • In a typical WLAN configuration, a
    transmitter/receiver (transceiver) device, called
    an access point, connects to the wired network
    from a fixed location using standard Ethernet
    cable. At a minimum, the access point receives,
    buffers, and transmits data between the WLAN and
    the wired network infrastructure.
  • A single access point can support a small group
    of users and can function within a range of less
    than one hundred to several hundred feet. The
    access point (or the antenna attached to the
    access point) is usually mounted high but may be
    mounted essentially anywhere that is practical as
    long as the desired radio coverage is obtained.
  • End users access the WLAN through wireless LAN
    adapters, which are implemented as PC cards in
    notebook computers, or use ISA or PCI adapters in
    desktop computers, or fully integrated devices
    within hand-held computers. WLAN adapters provide
    an interface between the client network operating
    system (NOS) and the airwaves (via an antenna).
    The nature of the wireless connection is
    transparent to the NOS.

29
Wireless LANS Configurations
  • Independent WLANs
  • The simplest WLAN configuration is an
    independent (or peer-to-peer) WLAN that connects
    a set of PCs with wireless adapters. Any time two
    or more wireless adapters are within range of
    each other, they can set up an independent
    network (Figure 3). These on-demand networks
    typically require no administration or
    preconfiguration.

Independent WLAN
30
Wireless LAN Configurations
  • Access points can extend the range of independent
    WLANs by acting as a repeater (see below)
    effectively doubling the distance between
    wireless PCs.

Extended-Range Independent WLAN Using Access
Point as Repeater
31
Infrastructure WLANs
  • In infrastructure WLANs, multiple access
    points link the WLAN to the wired network and
    allow users to efficiently share network
    resources. The access points not only provide
    communication with the wired network but also
    mediate wireless network traffic in the immediate
    neighborhood. Multiple access points can provide
    wireless coverage for an entire building or
    campus

32
Microcells and Roaming
  • Wireless communication is limited by how far
    signals carry for given power output. WLANs use
    cells, called microcells, similar to the cellular
    telephone system to extend the range of wireless
    connectivity. At any point in time, a mobile PC
    equipped with a WLAN adapter is associated with a
    single access point and its microcell, or area of
    coverage.

Individual microcells overlap to allow continuous
communication within wired network. They handle
low-power signals and hand off users as they
roam through a given geographic area.
33
Range/Coverage
  • The distance over which RF waves can communicate
    is a function of product design (including
    transmitted power and receiver design) and the
    propagation path, especially in indoor
    environments.
  • Interactions with typical building objects,
    including walls, metal, and even people, can
    affect how energy propagates, and thus what range
    and coverage a particular system achieves.
  • Most wireless LAN systems use RF because radio
    waves can penetrate many indoor walls and
    surfaces.
  • The range (or radius of coverage) for typical
    WLAN systems varies from under 100 feet to more
    than 500 feet.
  • Coverage can be extended, and true freedom of
    mobility via roaming, provided through
    microcells.

34
Throughput
  • As with wired LAN systems, actual throughput in
    wireless LANs is dependent upon the product and
    how it is configured.
  • Factors that affect throughput include
  • airwave congestion (number of users), propagation
    factors such as range and multipath,
  • the type of WLAN system used,
  • as well as the latency and bottlenecks on the
    wired portions of the WLAN.
  • Typical data rates range from 1 to 100 Mbps.

35
Multipath Effects
  • As the figure below shows, a radio signal can take
    multiple paths from a transmitter to a receiver,
    an attribute called multipath. Reflections of the
    signals can cause them to become stronger or
    weaker, which can affect data throughput. Effects
    of multipath depend on the number of reflective
    surfaces in the environment, the distance from
    the transmitter to the receiver, the product
    design and the radio technology.

Radio Signals Traveling over Multiple Paths
36
Putting a WLAN together
  • The actual wireless transceiver, with a small,
    integrated antenna, is built into an ISA, PCI or
    PCMCIA card. If you have a laptop computer, the
    PCMCIA card plugs directly into one of the PCMCIA
    slots. For desktop computers, you will either
    need a dedicated ISA or PCI HomeRF card, or a
    PCMCIA card with a special adapter.
  • ISA and PCI adapters are inserted inside the
    computer and have a slot that is accessible from
    the back of your computer so you can plug in the
    PCMCIA card. USB adapters are external devices
    that you plug the PCMCIA card into and then
    connect to a USB port on the computer.
  • Some of the WLAN manufacturers sell kits that
    include the appropriate adapter along with the
    PCMCIA cards and installation software.
    Currently, because of the need to use dedicated
    cards, only computers can participate in a WLAN
    network. Printers and other peripheral devices
    need to be physically connected to a computer and
    shared as a resource by that computer.

37
Interference and Coexistence
  • The unlicensed nature of radio-based wireless
    LANs means that other products that transmit
    energy in the same frequency spectrum can
    potentially provide some measure of interference
    to a WLAN system.
  • Micro-wave ovens are a potential concern, but
    most WLAN manufacturers design their products to
    account for microwave interference.
  • Another concern is the co-location of multiple
    WLAN systems. While co-located WLANs from
    different vendors may interfere with each other,
    others coexist without interference.
  • This issue is best addressed directly with the
    appropriate vendors.

38
Simplicity/Ease of Use
  • Users need very little new information to take
    advantage of wireless LANs. ....applications work
    the same as they do on tethered LANs.
  • WLAN products incorporate a variety of diagnostic
    tools to address issues associated with the
    wireless elements of the system however,
    products are designed so that most users rarely
    need these tools. WLANs simplify many of the
    installation and configuration issues that plague
    network managers.
  • Since only the access points of WLANs require
    cabling, network managers are freed from pulling
    cables for WLAN end users. Lack of cabling also
    makes moves, adds, and changes trivial operations
    on WLANs. Finally, the portable nature of WLANs
    lets network managers pre-configure and
    troubleshoot entire networks before installing
    them at remote locations.

39
Scalability, Battery Security
  • Scalability: Wireless networks can be designed to
    be extremely simple or quite complex. Wireless
    networks can support large numbers of nodes
    and/or large physical areas by adding access
    points to boost or extend coverage.
  • Battery Life for Mobile Platforms: End-user
    wireless products are capable of being completely
    untethered, and run off the battery power from
    their host notebook or hand-held computer. WLAN
    vendors typically employ special design
    techniques to maximize the host computer's
    energy usage and battery life.
  • Safety: The output power of wireless LAN systems
    is very low, much less than that of a hand-held
    cellular phone. Since radio waves fade rapidly
    over distance, very little exposure to RF energy
    is provided to those in the area of a wireless
    LAN system. Wireless LANs must meet stringent
    government and industry regulations for safety.
    No adverse health effects have ever been
    attributed to wireless LANs.

40
Wireless Security Mechanisms
  •  To go some way towards providing the same level
    of security the cable provides in wired networks,
    the Wired Equivalent Protocol (WEP) was
    developed. WEP was designed to provide the
    security of a wired LAN by encryption through use
    of the RC4 (Rivest Code 4) algorithm.
  • Its primary function was to safeguard against
    eavesdropping (sniffing), by making the data
    that is transmitted unreadable by a third party
    who does not have the correct WEP key to decrypt
    the data. RC4 is not specific to WEP, it is a
    random generator, also known as a keystream
    generator or a stream cipher, and was developed
    in RSA Laboratories by Ron Rivest in 1987 (hence
    the name Rivest Code (RC)).
  • It takes a relatively short input and produces a
    somewhat longer output, called a pseudo-random
    key stream.
  • This key stream is simply added modulo two, that
    is, exclusive ORed (XOR), with the data to be
    transmitted, to generate what is known as
    ciphertext.

41
WEP
  • WEP is applied to all data above the 802.11b
    WLAN layers (Physical and Data Link Layers, the
    first two layers of the OSI Reference Model) to
    protect traffic such as Transmission Control
    Protocol/Internet Protocol (TCP/IP), Internet
    Packet Exchange (IPX) and Hyper Text Transfer
    Protocol (HTTP).
  • It should be noted that only the frame body
    of data frames is encrypted; the entire frame
    of other frame types is transmitted in the
    clear, unencrypted. To add an additional
    integrity check, an Initialisation Vector (IV) is
    used in conjunction with the secret encryption
    key. The IV is used to avoid encrypting multiple
    consecutive ciphertexts with the same key, and is
    usually 24 bits long.
  • The shared key and the IV are fed into the
    RC4 algorithm to produce the key stream. This is
    XORed with the data to produce the ciphertext,
    the IV is then appended to the message. The IV
    of the incoming message is used to generate the
    key sequence necessary to decrypt the incoming
    message. The ciphertext, combined with the
    proper key sequence, yields the original
    plaintext and integrity check value (ICV)

42
WEP
  • The decryption is verified by performing the
    integrity check algorithm on the recovered
    plaintext and comparing the output ICV to the ICV
    transmitted with the message. If it is in error,
    an indication is sent back to the sending
    station. The IV increases the key size, for
    example, a 104 bit WEP key with a 24bit IV
    becomes a 128 bit RC4 key. In general,
    increasing the key size increases the security of
    a cryptographic technique.
  • Research has shown that key sizes of greater than
    80 bits make brute force code breaking extremely
    difficult. For an 80 bit key, the number of
    possible keys is about 10^24, which puts computing
    power to the test, but this type of computing
    power is not beyond the reach of most hackers. The
    standard key in use today is 64-bit. However,
    research has shown that the WEP approach to
    privacy is vulnerable to certain attacks
    regardless of key size. Although the application
    of WEP may stop casual sniffers, determined
    hackers can crack WEP keys in a busy network
    within a relatively short period of time.
  • Brute force: a method that relies on sheer
    computing power to try all possibilities until
    the solution to a problem is found; it usually
    refers to cracking passwords by trying every
    possible combination of a particular key space.

43
WEPs Weaknesses
  • When WEP is enabled in accordance with the
    802.11b standard, the network administrator must
    personally visit each wireless device in use and
    manually enter the appropriate WEP key.
  • This may be acceptable at the installation stage
    of a WLAN or when a new client joins the network,
    but if the key becomes compromised and there is a
    loss of security, the key must be changed. This
    may not be a huge issue in a small organisation
    with only a few users, but it can be impractical
    in large corporations, who typically have
    hundreds of users.
  • As a consequence, potentially hundreds of users
    and devices could be using the same, identical
    key for long periods of time. All wireless
    network traffic from all users will be encrypted
    using the same key; this makes it a lot easier
    for someone listening to traffic to crack the key,
    as there are so many packets being transmitted
    using the same key.
  • Unfortunately, there were no key management
    provisions in the original WEP protocol.

44
WEP Weaknesses
  • A 24-bit initialisation vector (IV) is also
    appended to the shared key. WEP uses this
    combined key and IV to generate the RC4 key
    schedule; it selects a new IV for each packet, so
    each packet can have a different key.
  • Mathematically there are only 16,777,216 (2^24)
    possible values for the IV. This may seem like a
    huge number, but given that it takes so many
    packets to transmit useful data, 16 million
    packets can easily go by in hours on a heavily
    used network. Eventually the same IVs, and hence
    the same RC4 key streams, are used over and over.
  • Thus, someone passively listening to
    encrypted traffic and picking out the repeating
    IVs can begin to deduce what the WEP key is. This
    is made easier by the fact that the other input,
    the shared key, is static, so an attacker can
    eventually crack the WEP key. For example, a busy
    AP which constantly sends 1500-byte packets at
    11 Mbps will exhaust the space of IVs after
    1500 x 8 / (11 x 10^6) x 2^24 = 18,000 seconds, or
    about 5 hours. (The amount of time may actually be
    smaller since many packets are less than 1500
    bytes.)
  • This allows an attacker to collect two
    ciphertexts that are encrypted with the same key
    stream, which reveals information about both
    messages: XORing two ciphertexts that use the
    same key stream cancels the key stream out, and
    the result is the XOR of the two plaintexts.
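The WEP framing of slide 42 (IV || RC4(IV||key) XOR (plaintext || ICV)) and the IV-reuse consequences of slide 44, as an added Python example that is not part of the slides. The key, IVs and plaintexts are constructed sample values; `reused_ivs` is the kind of check a monitor can run over captured frame bodies to flag the key-stream reuse described above, and `iv_exhaustion_seconds` reproduces the slide's 5-hour estimate.

```python
import zlib
from collections import Counter


def rc4(key: bytes, length: int) -> bytes:
    """RC4 key stream of `length` bytes: key scheduling (KSA) then PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as on slide 42: IV || RC4(IV||key) XOR (plaintext || CRC-32 ICV)."""
    data = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    ks = rc4(iv + key, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, ks))


def wep_decrypt(key: bytes, frame: bytes):
    """Recover the plaintext; return None when the ICV check fails."""
    iv, body = frame[:3], frame[3:]
    data = bytes(a ^ b for a, b in zip(body, rc4(iv + key, len(body))))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext if zlib.crc32(plaintext).to_bytes(4, "little") == icv else None


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes):
    """Two frames with the same IV share a key stream: their XOR is the XOR of the plaintexts."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))


def reused_ivs(frames: list) -> dict:
    """Monitoring check over captured frame bodies: IVs that appear more than once."""
    counts = Counter(f[:3] for f in frames)
    return {iv: n for iv, n in counts.items() if n > 1}


def iv_exhaustion_seconds(frame_bytes: int = 1500, rate_bps: float = 11e6) -> float:
    """Slide 44 estimate: seconds until all 2**24 IVs have been used at line rate."""
    return frame_bytes * 8 / rate_bps * 2 ** 24
```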

45
Wireless Attack Methods
  • A passive attack is an attack on a system that
    does not result in a change to the system in any
    way; the attack is purely to monitor or record
    data. Passive attacks affect confidentiality,
    but not necessarily authentication or integrity.
    Eavesdropping and Traffic Analysis fall under
    this category. When an attacker eavesdrops,
    they simply monitor transmissions for message
    content. It usually takes the form of someone
    listening in on the transmissions on a LAN between
    stations/devices.
  • Eavesdropping is also known as sniffing or
    wireless footprinting. There are various tools
    available for download online which allow the
    monitoring of networks and their traffic,
    developed by hackers, for hackers.
  • Netstumbler, Kismet, Airsnort, WEPCrack and
    Ethereal are all well known names in wireless
    hacking circles, and all are designed
    specifically for use on wireless networks, with
    the exception of Ethereal, which is a packet
    analyser and can also be used on a wired LAN.
  • NetStumbler and Kismet can be used purely for
    passive eavesdropping; they have no additional
    active functions, except perhaps their ability to
    work in conjunction with Global Positioning
    Systems to map the exact locations of identified
    wireless LANs.

46
Attack Methods
  • NetStumbler is a Windows-based sniffer, whereas
    Kismet is primarily a Linux-based tool.
    NetStumbler uses an 802.11 Probe Request sent to
    the broadcast destination address, which causes
    all APs in the area to issue an 802.11 Probe
    Response containing network configuration
    information, such as their SSID, WEP status, the
    MAC address of the device, name (if applicable),
    etc.
  • Using the network information and GPS data
    collected, it is then possible to create maps
    with tools such as StumbVerter and MS Mappoint.
  • Kismet, although not as graphical or user
    friendly as NetStumbler, is similar to its
    Windows counterpart, but it provides superior
    functionality. While scanning for APs, packets
    can also be logged for later analysis. Logging
    features allow captured packets to be stored
    in separate categories, depending upon the type
    of traffic captured. Kismet can even store
    encrypted packets that use weak keys separately,
    to run them through a WEP key cracker after
    capture, such as Airsnort or WEPCrack
    (Sundaralingham, 2005). Wireless network GPS
    information can be uploaded to a site called
    Wigle (http://www.wigle.net). Therefore, if
    Wigle data exists for a particular area, there is
    no need to drive around that area probing for
    wireless devices; this information can be
    obtained in advance from the Wigle web site.

47
Attack Methods
  • Traffic Analysis gains intelligence in a
    more subtle way by monitoring transmissions for
    patterns of communication. A considerable amount
    of information is contained in the flow of
    messages between communicating parties. Airopeek
    NX, a commercial 802.11 monitoring and analysis
    tool for Windows, analyses transmissions and
    provides a useful node view, which groups
    detected stations and devices by their MAC
    address and will also show IP addresses and
    protocols observed for each.
  • The Peer Map view, within Airopeek NX,
    presents a matrix of all hosts discovered on the
    network by their connections to each other. This
    can make it very easy to visualise AP and client
    relationships, which could be useful to hackers
    in deciding where to try and gain access or which
    target to attack. Some attacks may begin as
    passive and then cross over to active as
    they progress.
  • For example, tools such as Airsnort or
    WEPCrack may passively monitor transmissions, but
    their intent is to crack the WEP key used to
    encrypt data being transmitted. Ultimately the
    reasons for wanting to crack the key are so that
    an unauthorised individual can access a protected
    network and then launch an active attack of some
    form or another. These types of attack are
    classed as passive decryption attacks.

48
Active Attack
  • An active attack, also referred to as a
    malicious attack, occurs when an unauthorised
    third party gains access to a network and
    proceeds to perform a Denial of Service (DoS)
    attack to disrupt the proper operation of the
    network, to intercept network traffic and either
    modify or delete it, or to inject extra traffic
    onto the network.
  • There are many active attacks that can be
    launched against wireless networks; the following
    few paragraphs outline almost all of these
    attacks, how they work and what effect they have.
  • DoS attacks are easily the most prevalent
    type of attack against 802.11 networks, and can
    be waged against a single client or an entire
    WLAN. In this type of attack the hacker usually
    does not steal information, they simply prevent
    users from accessing network services, or cause
    services to be interrupted or delayed.
  • Consequences can range from a measurable
    reduction in performance to the complete failure
    of the system. Some common DoS attacks are
    outlined below.

49
Man in the middle
  • A Man in the Middle attack is carried out by
    inserting a malicious station between the victim
    station and the AP, so that the attacker becomes
    the man in the middle: the station is tricked into
    believing that the attacker is the AP, and the AP
    into believing that the attacker is the
    legitimate station.
  • To begin the attack the perpetrator
    passively monitors the frames sent back and forth
    between the station and the AP during the initial
    association process with an 802.11 analyser.
  • As a result, information is obtained about
    both the station and the AP, such as the MAC and
    IP address of both devices, association ID for
    the station and SSID of the network. With this
    information a rogue station/AP can be set up
    between the two unsuspecting devices.
  • Because the original 802.11 does not
    provide mutual authentication, a station will
    happily re-associate with the rogue AP. The
    rogue AP will then capture traffic from
    unsuspecting users; this, of course, can expose
    information such as user names and passwords.

50
Association Flood
  • An Association flood is a resource
    starvation attack. When a station associates
    with an AP, the AP issues an Associate
    Identification number (AID) to the station in the
    range of 1-2007.
  • This value is used for communicating power
    management information to a station that has been
    in a power-save state. This attack works by
    sending multiple authentication and association
    requests to the AP, each with a unique source MAC
    address.
  • The AP is unable to differentiate the
    authentication requests generated by an attacker
    and those created by legitimate clients, so it is
    forced to process each request. Eventually, the
    AP will run out of AIDs to allocate and will be
    forced to de-associate stations to reuse
    previously allocated AIDs.
  • In practice, many APs will restart after a
    few minutes of authentication flooding; however,
    this attack is effective in bringing down entire
    networks or network segments and, if repeatedly
    carried out, can cause a noticeable decrease in
    network uptime.
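A detection check for the association flood just described, as an added Python example that is not part of the slides: it scans association-request log lines for bursts of distinct source MAC addresses, the signature of the attack, and measures the peak against the AP's AID pool of 2007. The log format and MAC addresses are constructed for this example; a real AP or WIDS would log in its own format.

```python
import re
from collections import deque

AID_POOL = 2007  # association IDs an AP can hand out (range 1-2007, slide 50)

# Constructed sample log (not from any real AP): relative time in seconds, frame
# subtype and source MAC. 300 distinct MACs in 3 seconds mimics a flood; the two
# lines at t=120 s are normal clients associating afterwards.
SAMPLE_LOG = "\n".join(
    ["t=%.2f assoc-req src=02:00:00:00:%02x:%02x" % (i * 0.01, i // 256, i % 256)
     for i in range(300)]
    + ["t=120.00 assoc-req src=00:11:22:33:44:55",
       "t=121.00 assoc-req src=00:11:22:33:44:66"]
)
LINE_RE = re.compile(r"t=(?P<t>[\d.]+) (?P<type>\S+) src=(?P<src>[0-9a-f:]{17})")


def parse(log: str):
    """Yield (time, source MAC) for association requests; other lines are ignored."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m["type"] == "assoc-req":
            yield float(m["t"]), m["src"]


def _window_counts(log: str, window_s: float):
    """Yield (time, distinct MACs seen in the trailing window) per request."""
    recent = deque()  # (time, mac) pairs inside the window
    for t, mac in parse(log):
        recent.append((t, mac))
        while recent and t - recent[0][0] > window_s:
            recent.popleft()
        yield t, len({m for _, m in recent})


def flood_alerts(log: str, window_s: float = 10.0, max_distinct: int = 50) -> list:
    """Times at which more than `max_distinct` source MACs requested association
    within `window_s` seconds: a legitimate cell rarely adds that many at once."""
    return [t for t, n in _window_counts(log, window_s) if n > max_distinct]


def peak_distinct_macs(log: str, window_s: float = 10.0) -> int:
    """Largest number of distinct requesters in any window; compare with AID_POOL."""
    return max((n for _, n in _window_counts(log, window_s)), default=0)


def aid_pool_fraction(log: str, window_s: float = 10.0) -> float:
    """Share of the AID pool a burst would consume if every request were honoured."""
    return min(1.0, peak_distinct_macs(log, window_s) / AID_POOL)
```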

51
SNMP Weaknesses
  • The final issue is a threat posed by the
    Simple Network Management Protocol (SNMP). Some
    APs can be managed via the wireless link, usually
    with a proprietary application relying on SNMP.
  • Executing these operations can represent a
    frightening vulnerability for the whole LAN,
    because eavesdroppers can decipher the password
    to access read/write mode on the AP using a
    packet analyser; this means that they share the
    same administration privileges as the WLAN
    administrator and can manage the WLAN in a
    malicious manner.
  • The sheer number of attacks, and their
    effects, would seem to put WLANs at a severe
    disadvantage compared to their wired counterparts.
    However, there are just as many, if not more,
    security measures that users can utilise to
    counteract most of the above attacks.
  • Layering one security measure on top of
    another strengthens the overall system, deterring
    potential attackers or making their task more
    difficult, if not impossible.

52
Summary
  • Wireless networks have a number of security
    issues. Signal leakage means that network
    communications can be picked up outside the
    physical boundaries of the building in which they
    are being operated, meaning a hacker can operate
    from the street outside or discreetly from blocks
    away.
  • In addition to signal leakage, wireless
    networks have various other weaknesses. WEP, the
    protocol used within WLANs to provide security
    equivalent to that of wired networks, is
    inherently weak.
  • The use of the RC4 algorithm and weak IVs
    makes WEP a vulnerable security measure. In
    addition to WEP's weaknesses there are various
    other attacks that can be initiated against
    WLANs, all with detrimental effects.