This is a presentation which demonstrates the blunders in the WEP encryption protocol and how to stage and set up the attacks that make use of such gory loopholes.
There is also a paper I uploaded with the same name. Check that out if you liked the presentation.
2. Operating Frequencies
WLANs operate in 3 different frequency ranges.
● 2.4 GHz (802.11 b/g/n)
● 3.6 GHz (802.11 y)
● 4.9/5.0 GHz (802.11 a/h/j/n)
Each of these ranges is divided into multiple channels (channels 1, 2, 3, ... 14 for 802.11 b/g/n).
Our Wi-Fi card can be tuned to only one particular channel at any instant of time.
3. Know The Terminology
BSSID - Basic Service Set Identifier (the MAC address identifying the AP's network)
ESSID - Extended Service Set Identifier (the human-readable network name)
STA - Station / wireless client
AP - Access Point (wireless modem)
Beacon - the AP broadcasting its own existence
Probe - the client asking "Hello! Anybody there??"
PNL - Preferred Network List (networks the client remembers and probes for)
4. Different Modes of the NIC
● Monitor mode - receive all packets, whether or not the packets are destined to us.
● Ad hoc mode - peer-to-peer connection with no centralised AP.
● Managed mode - client connects to a particular AP and, once the connection is made, the client cannot communicate directly with other clients.
● Master mode - in master mode a wireless card acts as the AP and only communicates with connected clients.
** For our discussion, we will be focusing only on the monitor mode.
5. Connection Process
1. Lonely AP keeps broadcasting its presence (keeps sending beacon frames out into the air).
2. Client laptop sends probe requests to the APs available nearby. Hey brother, are you there?? (sends probe request)
3. AP sends the client a probe response saying: Yes bro, I am right here.
4. Client now sends an Authentication Request. Can I use your internet?
5. AP sends an Authentication Response saying: Yes you can.
6. Client now asks: are you sure? Sends an Association Request.
7. AP says: YES bro, I am sure. Sends an Association Response.
8. Deauth packets are sent to close the connection.
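The exchange above follows the AP/station state machine from reference [1]: authentication moves a station from state 1 to state 2, association moves it to state 3, and a deauthentication frame throws it all the way back to state 1. The following is an added example, not code from the slides, that models those states and frame classes in Python; the frame names are assumed labels chosen here, not identifiers from the page.

```python
"""Added example (not from the slides): the 802.11 station state machine
behind the connection process. Frames are grouped into classes: class 1 frames
(probe, beacon, authentication, deauthentication) are allowed in any state,
class 2 (association/disassociation) only once authenticated, and class 3
(data) only once associated. A deauthentication frame drops the station back
to state 1, which is why the connection closes and data is refused afterwards.
"""

STATE1 = 1  # unauthenticated, unassociated
STATE2 = 2  # authenticated, unassociated
STATE3 = 3  # authenticated, associated

# Minimum state in which each frame type may be exchanged (assumed labels).
FRAME_CLASS = {
    "probe-request": 1, "probe-response": 1, "beacon": 1,
    "authentication": 1, "deauthentication": 1,
    "association-request": 2, "association-response": 2, "disassociation": 2,
    "data": 3,
}


def step(state, frame):
    """Return (new_state, accepted) after one frame is seen in `state`."""
    if FRAME_CLASS[frame] > state:
        return state, False             # e.g. data before association is refused
    if frame == "authentication":       # request + response (slide steps 4 and 5)
        return max(state, STATE2), True
    if frame == "association-response":  # slide step 7 completes association
        return STATE3, True
    if frame == "disassociation":       # back to authenticated but unassociated
        return STATE2, True
    if frame == "deauthentication":     # slide step 8: everything is torn down
        return STATE1, True
    return state, True                  # probes and beacons change nothing


def run(frames, state=STATE1):
    """Replay a frame sequence; return the final state and the refused frames."""
    rejected = []
    for frame in frames:
        state, accepted = step(state, frame)
        if not accepted:
            rejected.append(frame)
    return state, rejected


# Constructed sequences mirroring the slide's steps 1 to 8.
CONNECT = ["beacon", "probe-request", "probe-response", "authentication",
           "authentication", "association-request", "association-response", "data"]
TEARDOWN = CONNECT + ["deauthentication", "data"]

if __name__ == "__main__":
    print(run(CONNECT))    # (3, [])
    print(run(TEARDOWN))   # (1, ['data']): data refused after deauth
```

Replaying `TEARDOWN` shows the practical effect of a deauthentication frame: the station's next data frame is refused and it must redo the whole authentication and association exchange before traffic flows again.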
7. Protection Against Unauthorized Access
Methods:
1. HIDDEN SSID: LAME!! LAME!!
2. MAC FILTERING: SHAME SHAME!! [2]
3. WEP encryption: shared key authentication (SKA), 64/128-bit WEP. Blunder!
4. WPA - TKIP, moderate security
5. WPA2 - CCMP, does a little better than WPA
** None of the security methods mentioned are foolproof, due to the lack of robustness of the 802.11 standard itself.
10. It’s Demo Time
What's on the menu?
★ Channel hopping
★ Packets!! (not food packets)
★ Unhiding hidden SSIDs
★ Denial of Service (DoS attack)
★ Shattering MAC filtering / binding
★ Basics of honeypot / evil twin and other hotspot-based attacks + isolated clients + gratuitous ARP
★ The famous MITM
11. Links and References
[1] Access Point and Station state machine: cecs.wright.edu
[2] Intercepting Mobile Communications: The Insecurity of 802.11: Nikita Borisov, Ian Goldberg, David Wagner
[3] WLAN Packet Headers: www.wildpackets.com
[4] Denial-of-Service attacks and countermeasures in IEEE 802.11 wireless networks: Kemal Bicakci, Bulent Tavli
(This paper just states a possibility and not the working infrastructure and proof.)
(Deals with MAC address spoofing detection, used in WIDS and WIPS today.)
[5] Study of DoS Attacks on IEEE 802.11 WLAN and its Prevention/Detection Techniques: Nisha Sharma, Paras Nath Barwal, CDAC Noida
Editor's Notes
Talk about country regulations, and also about how to check the channels and change them.
For probe / association, legitimate SSIDs will be required. We can only hide them from the beacon frames.
Type: management (beacon frames), control and data.
To DS and From DS: tell you whether it is incoming or outgoing traffic (relative to the distribution system).
More Frag: set if more fragments of the current frame are to follow.
Power: indicates whether the STA is in power save mode.
WEP: specifies the encryption type. 1 for encryption, and 0 for no encryption.
Order: set when received frames must be processed in strict order.
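The frame control bits listed in these notes are the first two bytes of every 802.11 frame, and they are what a monitor-mode tool (or a wireless IDS) reads to tell beacons, probes, deauths and encrypted data apart. The following is an added example, not code from the slides: it decodes the frame control field and the three MAC header addresses from raw bytes, then counts deauthentication frames per BSSID, which is the simplest indicator a WIDS uses to notice the deauth-based DoS from the demo list. The MAC addresses and the sample frame sequence are constructed here (locally administered placeholder addresses), not captured traffic.

```python
"""Added example (not from the slides): decode the 802.11 Frame Control field
and use it to count deauthentication frames per BSSID over a constructed set
of frames. Only the 24-byte MAC header is modelled (no body, no FCS)."""
from collections import Counter

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
# Management subtypes that appear in the connection process on the slides.
MGMT_SUBTYPES = {
    0: "association-request", 1: "association-response",
    4: "probe-request", 5: "probe-response", 8: "beacon",
    10: "disassociation", 11: "authentication", 12: "deauthentication",
}


def parse_frame_control(fc: bytes) -> dict:
    """Decode the two-byte Frame Control field (bit layout from IEEE 802.11)."""
    b0, b1 = fc[0], fc[1]
    ftype = (b0 >> 2) & 0x3
    subtype = (b0 >> 4) & 0xF
    return {
        "version": b0 & 0x3,
        "type": FRAME_TYPES.get(ftype, "reserved"),
        "subtype": MGMT_SUBTYPES.get(subtype, str(subtype)) if ftype == 0 else subtype,
        "to_ds": bool(b1 & 0x01),       # To DS / From DS: traffic direction
        "from_ds": bool(b1 & 0x02),
        "more_frag": bool(b1 & 0x04),   # more fragments follow
        "retry": bool(b1 & 0x08),
        "power_mgmt": bool(b1 & 0x10),  # STA in power save mode
        "more_data": bool(b1 & 0x20),
        "protected": bool(b1 & 0x40),   # the "WEP" bit: 1 = encrypted body
        "order": bool(b1 & 0x80),       # strict ordering required
    }


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> dict:
    """Frame control plus the three addresses of a 24-byte MAC header."""
    info = parse_frame_control(frame[0:2])
    info["addr1"] = mac(frame[4:10])    # receiver
    info["addr2"] = mac(frame[10:16])   # transmitter
    info["addr3"] = mac(frame[16:22])   # BSSID for management frames
    return info


def build_frame(ftype, subtype, addr1, addr2, addr3, flags=0) -> bytes:
    """Construct a minimal MAC header: frame control, duration, 3 addresses, seq."""
    fc0 = (subtype << 4) | (ftype << 2)  # protocol version 0
    return bytes([fc0, flags]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"


def deauth_counts(frames) -> Counter:
    """Number of deauthentication frames seen per BSSID."""
    counts = Counter()
    for frame in frames:
        h = parse_header(frame)
        if h["type"] == "management" and h["subtype"] == "deauthentication":
            counts[h["addr3"]] += 1
    return counts


def flagged_bssids(frames, threshold=10):
    """BSSIDs whose deauth count reaches the threshold: a deauth-flood indicator."""
    return sorted(b for b, n in deauth_counts(frames).items() if n >= threshold)


# Constructed sample (placeholder addresses): the normal connection sequence
# from the slides, one encrypted data frame, then a burst of broadcast deauths.
AP = bytes.fromhex("020000000001")
STA = bytes.fromhex("0200000000aa")
BCAST = b"\xff" * 6
SAMPLE_FRAMES = [
    build_frame(0, 8, BCAST, AP, AP),            # beacon
    build_frame(0, 4, BCAST, STA, BCAST),        # probe request
    build_frame(0, 5, STA, AP, AP),              # probe response
    build_frame(0, 11, AP, STA, AP),             # authentication
    build_frame(0, 0, AP, STA, AP),              # association request
    build_frame(0, 1, STA, AP, AP),              # association response
    build_frame(2, 0, AP, STA, AP, flags=0x41),  # data: To DS + WEP bit set
] + [build_frame(0, 12, BCAST, AP, AP) for _ in range(20)]  # deauth burst

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES[:7]:
        print(parse_header(frame))
    print(flagged_bssids(SAMPLE_FRAMES))  # ['02:00:00:00:00:01']
```

The threshold of 10 deauths is an arbitrary value for the sample; a real WIDS would count per time window and per client, and the page's reference [4] discusses spoofing detection that a flood of deauths carrying a legitimate BSSID would additionally trigger.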