Security & Privacy in WLAN - A Primer and Case Study

A Primer & Case Study
Presented By Mohammad Mahmud KabirPresented By Mohammad Mahmud Kabir
Security & Privacy in
Wireless Local Area Network
[ Prepared As the Presentation on Term Paper Prepared for BIM PGDCS Course 2015 ]

2
Security & Privacy of Wireless Area Network
Warning: Hacking is a crime and this document is not responsible for the way it may got used.
Disclaimer
All data and information provided on this document/Paper/ Presentation
are for informational and educational purpose only and is about Ethical
Hacking, Security and Penetration Testing.

3
About Me
Mohammad Mahmud Kabir
Participant,
PGDCS Course
(Post Graduate Diploma in Computer Science)
BIM
(Bangladesh Institute of Management)
Student ID
15 CS 013
Session
2015
Career Track:
Information security & Assurance
Profession:
Information Audit, ICCD
Currently Deputed as
Deputy Team Lead, Quality Assurance Track,
Core Banking System Transformation Project, CBT
AB Bank Limited

4
PAPER Introduction
Objective
The objective of this paper is to
illustrate a primer on Wireless Local
Area Network (WLAN) security issues
along with an experiment on WLAN
penetration test in a live network.
Scope
The study will focus on the theoretical
and practical perspectives of today’s
wireless local area networks.
Limitations
The paper is limited to the concepts of
“WLAN Security” with a sample
experiment. However, the “WLAN
Security” is vast and has different
perspectives.
The Problem & Background
Wireless Lan Security and Privacy
specifically on WPS vulnerability
scopes.
Paper Supervisor
Ms. Farkhunda Dorin
Management Counsellor
Computer Science Division
BIM, Dhaka

5
PAPER Introduction
Paper Structure
There are two parts in this paper, as the
title says,
(1) A Primer in Part A
A theoretical overview and a
practical experiment that projects a
primer on the Basic Computer
Networking, WLAN, Wireless
Technologies & standards, WLAN
security threats, Countermeasures
etc.
(2) A case study in Part B
This Part portrays a real life case
study based on an experimental
penetration testing in a local
organization.

6
Content Summary
PARTA : The Primer
• Computer Networking
(Definition, Classifications and Types, OSI layers, LAN)
• WLAN Basics
(Definition, Benefits, Classification & Types, Components, Basic Operation, Standards)
• WLAN security
(Security Concepts, Threats /Vulnerabilities, Countermeasure /Defense, Encryption Methods)
• WPS
(About: “WPS”, WPS authentication, WPS implementation flaw, Security Context)

7
COMPUTER NETWORKING
Definition
Classifications and Types
OSI layers
LAN

8
COMPUTER NETWORKING
A computer network or data
network is a telecommunications
network which allows computers
to exchange data system of
interconnected computers and
computerized peripherals is called
computer network. This
interconnection among computers
facilitates information sharing
among them. The connections
between nodes are established
using either cable media or
wireless media.
”
“
Definition
OSI layers
LAN

9
COMPUTER NETWORKING
Computer Networks
Geographical span
PAN
LAN
WAN
MAN
Internet
Inter-connectivity
Point-to-Point
Bus Topology
Star Topology
Ring Topology
Mesh Topology
Tree Topology
Daisy Chain
Hybrid Topology
Administration
Private
Network
Public
Network
Architecture
Client-Server
Peer-to-peer
Hybrid
Definition
OSI layers
LAN

10
COMPUTER NETWORKING
Definition
OSI layers
LAN
1
2
3
4
5
6
7
7Layers
OfOSI

12
COMPUTER NETWORKING
A computer network spanned
inside a building and operated
under single administrative system
is generally termed as Local Area
Network (LAN). Usually, it connects
systems from as least as two to as
much as 16 million.
LANs mostly operates on private IP
addresses. LAN works under its
own local domain and controlled
centrally.
LAN can be wired , wireless, or in
both forms at once.
”
“
Definition
OSI layers
LAN

13
WIRELESS LOCAL AREA NETWORK
Definition
Benefits
Classification & Types
Components
Basic Operation
WLAN Standards (IEEE 802.11)

14
Definition
Benefits
Components
Basic Operation
WLAN Standards
Wireless Local Area Networks
(WLANs) are groups of wireless
networking nodes within a limited
geographic area, such as an office
building or campus that are
capable of radio communications.
WLANs are usually implemented as
extensions to existing wired local
area networks to provide
enhanced user mobility.
”
“

15
Definition
Benefits
Components
Basic Operation
WLAN Standards
• Scalability
• Reduced installation time• Range of coverage
• Mobility • Cost stability • Easy Installation in difficult-areas

16
Definition
Benefits
Components
Basic Operation
WLAN Standards
Basic WLAN Topology
1. IBSS (Independent Basic Service Set)
2. BSS (Basic Service Set)
3. ESS (Extended Service Set)
ESSBSS
BISS

17
The 802.11 Network’s 4 Major Components:
• Distribution system
• Access points (APs)
• Stations (STAs)
• Wireless medium
Definition
Benefits
Components
Basic Operation
WLAN Standards

18
Definition
Benefits
Components
Basic Operation
WLAN Standards

19
32
Definition
Benefits
Components
Basic Operation
WLAN Standards
WLAN Standards & IEEE 802.11
• Service Set Identifier (SSID)
• Media Access Control (MAC) Address Filters
• Wired Equivalent Privacy (WEP)
WEPMAC
Filter
SSID
1

20
31
Definition
Benefits
Components
Basic Operation
WLAN Standards
IEEE 802.11i
• Extensible Authentication Protocol (EAP) standard
• Robust Security Network (RSN)
protocols for RSNAs:
• Temporal Key Integrity Protocol (TKIP) and
• Counter Mode with Cipher Block Chaining Message
Authentication Code Protocol (CCMP).
• Wi-Fi Protected Access 2 (WPA2)2

21
21
Definition
Benefits
Components
Basic Operation
WLAN Standards
3
IEEE 802.11 Vulnerabilities
• MAC Address Authentication
• One-way Authentication
• Static WEP Keys
• SSID
• WEP Key Vulnerability
• Manual Key Management
• Key Size
• Initialization Vector (IV)
• Decryption Dictionaries

22
WLAN SECURITY
Security Concepts
Threats /Vulnerabilities
Countermeasure /Defense
Encryption Methods

23
WLAN SECURITY
Security Concepts
Encryption Methods
Security Mechanics Mechanisms
Confidentiality Encryption (Symmetric and Asymmetric)
Integrity Digital Signatures (Using one-way hash functions)
Availability Defensive technologies to detect/guard against DoS attacks
Authentication 802.1x, RADIUS, PAP/CHAP, MS-CHAP, etc.
Authorization 802.1x (based on authentication), multiple levels and protocols
Access Control Based on authentication, encryption
Encryption WEP, CKIP, TKIP, AES
Decryption WEP, CKIP, TKIP, AES

24
WLAN SECURITY
WLAN Attacks
Passive Attacks
Eavesdropping
Traffic Analysis
Active Attacks
Network Access
Read Access
Write Access
DOS Attack
Security Concepts
Encryption Methods

25
WLAN SECURITY
Security Concepts
Encryption Methods
Eavesdropping
Unauthorized
Access
Key Cracking Wi-Phishing
Honeypots
External APs External Use
Rouge AP
Misconfigured
AP
Ad hoc
Connections
Wireless DoS
Firewall
Internet

26
WLAN SECURITY
Security Concepts
Encryption Methods

28
WLAN SECURITY
Security Concepts
Encryption Methods

30
WPS Wi-Fi Protected Setup
About: “WPS”
WPS authentication
WPS implementation flaw
Security Context

31
Wi-Fi Protected Setup (WPS) is Wi-
Fi alliance’s specification for secure
association of wireless LAN devices
to mutually authenticate the
enrolling device with the Wi-Fi
network and to deliver network
access keys to these device by
having the enrolling device interact
with a device known as the
“registrar” which is responsible for
controlling the Wi-Fi network.
The registrar may be located in the
Wi-Fi access point itself.”
”
“
About: “WPS”
WPS authentication
Security Context

32
WPS Setup Process
Push Button
Configuration
PIN entry
Internal Registrar
External Registrar
Out-of-Band
Push Button
Router Pin
Device Pin
About: “WPS”
WPS authentication
Security Context
1 2 3

33
WPS Setup Process
Push Button Configuration
About: “WPS”
WPS authentication
Security Context
1 2 3

34
WPS Setup Process
PIN entry
(In-band configuration)
About: “WPS”
WPS authentication
Security Context
1 2 3

35
WPS Setup Process
Out-of-Band
1. Exchange of public key commitments
2. Unencrypted key transfer
3. Encrypted key transfer
About: “WPS”
WPS authentication
Security Context
1 2 3

36
Option / Authentication Physical Access Web Interface PIN
Push-button-connect √
Internal Registrar √
External Registrar √ *
* Potentially Vulnerable to brute force attacks as the External Registrar option
does not require any kind of authentication apart from providing the PIN
WPS Options & Authentication type
About: “WPS”
WPS authentication
Security Context

37
8 Digit Security Key
1 2 3 4 5 6 7 0
Checksum
1st half of PIN 2nd half of PIN
Authentication
(PIN – External Registrar)
IEEE 802.11/EAP
Expanded Type,
Vendor ID: WFA (0x372A),
Vendor Type: SimpleConfig (0x01)
* If the WPS-authentication fails at some point, the AP will send an EAP-NACK message
About: “WPS”
WPS authentication
Security Context

38
1 2 3 4 5 6 7 0
Checksum
Trial
Incorrect if
EAP-NACK message
received after
sending M4.
Incorrect if
EAP-NACK message
received after
sending M6.
Maximum possible
authentication attempts
108
=100,000,000
104 + 103
=10,000 + 1,000
=11,000
About: “WPS”
WPS authentication
Security Context

39
Advantages of Attacking WPS
(over the direct attack on WPA/WPA2 )
1. Faster:
Cracking the WPS PIN is considerably faster and not as
luck-dependent.
2. Recovering of The Passphrase
Knowledge of PIN enables recovering of the passphrase
instantly even if the owner changes it. (with ‘wpscrack’ or
‘Reaver’).
3. Multiple radios use the same WPS pin
Access points with multiple radios (2.4/5GHz) can be
configured with multiple WPA keys. Since the radios use
the same WPS pin, knowledge of the pin allows an
attacker to recover all WPA keys.
About: “WPS”
WPS authentication
Security Context

40
Content Summary
PARTB: The Case Study
• Theoretical Methodology
(Preface, Penetration Testing, WPS Review, Brute Force Methodology)
• Preparation & Testing
(Hardware & Software, Reaver, Test environment, Considerations)
• Live Operations
(Live environment, Operation in Area B1, Operation in Area M1)
• Observations and recommendations
(Observations, Recommendations)

41
Objective
Penetration Testing
WPS scope
Brute Force Methodology
THEORETICAL METHODOLOGY

42
The objective was to perform
successful penetration testing
through brute force attack
methodology against a WPS PIN
and describe the whole process
and to execute several tests on APs
in two different areas to find out
how many of the APs used there
were vulnerable to the attack.
”
“
Objective
Penetration Testing
WPS scope

43
1
Determine feasibility
-of a particular set of attack vectors
2
Identify high-risk vulnerabilities
-from a combination of lower-risk vulnerabilities exploited in a particular sequence
-that may be difficult to detect with automated vulnerability scanning software
3
Assess
the magnitude of potential business and operational impacts of successful attacks
4
Test
the ability of network defenders to detect and respond to attacks
5
Provide evidence
to support increased investments in security personnel and technology.
The goals of
penetration
tests
Def.
A software attack on a computer
system looking for security
weaknesses & gaining access on
system and data.
”
“
Objective
Penetration Testing
WPS scope

44
1 2 3 4 5 6 7 0
Checksum
Trial
Incorrect if
EAP-NACK message
received after
sending M4.
Incorrect if
EAP-NACK message
received after
sending M6.
Maximum possible
authentication attempts
108
=100,000,000
104 + 103
=10,000 + 1,000
=11,000
Objective
Penetration Testing
WPS scope

45
802.11 Auth
802.11 Assoc
EAP Initiation
…
802.11 Deauth
Send M4
Increment
1st half PIN
Receive
Send M4
Receive
Dump AP
Configuration (M7)
Increment 2nd
half of PIN/ Fix
Checksum
M5
NACK
NACK
M7
Objective
Penetration Testing
WPS scope

46
PREPARATION & TESTING
Hardware & Software
About: Reaver
Test environment
Test Considerations

47
Reaver
Brute-force Attacking
AirCrack-ng
Monitoring
WireShark
Packet Monitoring
SOFTWARE
OS
Debian
HARDTWARE
Wireless Network Adapter
Atheros AR5B91
System/Laptop //
Acer Aspire 5738z
Hardware & Software
About: Reaver
Test environment
Test Considerations

48
PREPARATION & TESTING “Reaver is an
open source tool
for Linux
distributions
which
implements the
brute force
attack against
WPS PIN in
order to receive
the PSK. The
source and free
download can
be found in.
”
Factors influencing the length of the recovery process
AP type
Signal
strength
Lockout
policy
"Reaver has been
designed to be a robust
and practical attack
against WPS, and has
been tested against a wide
variety of access points
and WPS
implementations.”
Hardware & Software
About: Reaver
Test environment
Test Considerations
Reaver
Brute-force Attacking
Reaver

49
AP configured for WPA2-PSK with 14-60 characters passphrase
Hardware & Software
About: Reaver
Test environment
Test Considerations

50
The wireless card was put into monitor mode
Monitor the network traffic, the airodump-ng tool
Reaver performs a brute force attack against PIN
This provided us with the list of wireless
networks in range of our laptop. After
finding the BSSID of the targeted network,
Hardware & Software
About: Reaver
Test environment
Test Considerations

51
Example
// Frame exchange during the attacking process

52
Example
Successful attack shows PIN, PSK & SSID

53
Random amount of time taken for 10 different attacks
No. PSK Length Duration
1 14 96 minutes
2 14 77 minutes
3 63 226 minutes
4 63 119 minutes
5 47 204 minutes
6 47 112 minutes
7 25 84 minutes
8 25 265 minutes
9 20 189 minutes
10 20 106 minutes
“The time needed to successfully complete the attack in
same conditions is basically random; depends mostly
on how fast is the first half of PIN guessed.”
Hardware & Software
About: Reaver
Test environment
Test Considerations

54
Random amount of time taken for 10 different attacks
Ideal conditions for performing an attack:
• Maximum strength signal,
• Decent router CPUs capabilities, and
• No error messages (no lost frames, no timeouts occurred)
-resulted in very fast PIN attempts (a little less than 2
seconds per one).
At this rate, even the worst possible scenario (11,000
possible trial) would take less than 6 hours to complete.
Hardware & Software
About: Reaver
Test environment
Test Considerations

55
LIVE Operation
Live environment & Client Profile
Operation in Area B1
Operation in Area M1

56
LIVE EXPRIMENT
- The Penetration testing was
operated more than one WLAN.
- Permission obtained from an
organization to perform attacks on
their two sister concerns.
- Two concerns office is located in two
different locations located in-
- Banani (B1) and
- Mohammadpur (M1)
- Due to security reasons the
operation was not permitted any
data (organization’s name, Location,
Technical particulars etc.) that may
indicate the identity of the
organization.

57
LIVE EXPRIMENT
8wireless networks detected in the building.
- 4potential targets (using WPA/WPA2 in PSK mode)
- 3networks were encrypted by WEP
- 1was not using any encryption at all.
(Attacks performs from the public area of the
building caused considerably weaker signal strength
varied from 34%-76%.)
4
1
3
‘B1’ 8 Wireless Networks (APs)
Encrypted with WEP No encryption Not Targated

58
Public Front
OfficeOffice Office Office Office
Office Office Office
Pantry
Office
OfficeMeetingRoom2
MeetingRoom1
Store
RestroomRestroom
RestroomMechanical
Attacker Aps
8
Secured AP
3
Target AP
3
Compr. AP
1
Public AP
1

59
LIVE EXPRIMENT
11wireless networks detected in the building.
- 6potential targets (using WPA/WPA2 in PSK mode)
- 2networks were encrypted by WEP
- 2potential targets (using WPA/WPA2 in enterprise mode)
- 1was not using any encryption at all.
6
2
2
1
‘M1’ 8 Wireless Networks (APs)
Targets WEP Encrypted
WPA/WPA2 Encrypted No Encryption

60
Reception
Meeting Room
Store
Mechanical
Veranda
Restroom
Pantry
Dining
Meeting Room
Office
Office
OfficeOffice Space
Office
Office
Office
Office
Restroom
Restroom
Attacker APs Secured AP
6
Target AP
4
Compr. AP
2
Public AP
1

61
CASE OBSERVATIONS

64
CASE OBSERVATIONS
Majority of the WLAN users (people using any kind of LAN) can
connect and use the WLAN safely, since the biggest (and most
used) networks were being used in the Enterprise mode.
The small local WLANs, which were vulnerable to our attacks, are
being used only by small groups of users. It does not automatically
imply that there is low or no chance of capturing important data,
but it can be assumed that with more users being potential targets
the attacker’s chances would be considerably higher.

65
CASE OBSERVATIONS
Any attack in the network whether it is unsuccessful or not, it is most probably
caused by one of the following reasons:
Any AP should have a lockout policy, which makes a brute force attack
impractical/impossible.
(However, during our tests there was no such a device targeted. Either the
attack got going and did successfully end or it did not start.)
The target AP does not support WPS or it is turned off manually on the device.
Since the WPS is enabled by default on majority of devices which support WPS
and regular users would not turn it off, the unsuccessful attack is more likely
caused by the fact that the device is older and it does not support WPS at all.
AP was used in an Enterprise mode for enhanced security, which is not
vulnerable to WPS PIN brute force attack.

66
CASE RECOMMANDATIONS
The organization should be concerned that it is possible to abuse the WPS
implementation flaw to get full access to the wireless network.
The organization should also be concerned regarding the risk level as to
get into the network all the potential attacker needs minimal resource.
The organization is recommended to acknowledge the followings:
Any AP should have a lockout policy, which makes a brute force attack
impractical/impossible.
If The AP supports WPS, it may turn off manually on the device.
Any AP should be used in an Enterprise mode for enhanced security

67
FUTURE SCOPES
Future work should focus on some of the
following issues:
 Detailed work in-
» WLAN standards
» WLAN Security flows
» Active attacks on WLAN
» Hardware and software
countermeasures on WLAN security
» WLAN Security Encryption methods
» WPS authentication mechanism
 Other pentation testing from different
environments with different other
mechanisms.
 Reducing and eliminating the risks attacks
that can be happened on WLAN networks
such as Man-in-the Middle attacks, Denial of
Service (DoS) attacks and Identity theft (MAC
spoofing).
 Penetration testing from mobile devises (e.g.
Kali Linux/nethunter equipped Android
devices).

68
Thank You
for your Time, passion and interest
» Questions
» Discussions
» Recap
Thank You
> Questions
> Discussions
> Recap
======================================================
This presentation is a part of the paper submitted for BIM
PGDCS 2015 Course. This presentation is also available in
www.MahmudKabir.com/pgdcsppt and also in the following sites:
> //
SlideShare.com || YouTube.com || MS PowerPoint Live

Security & Privacy in WLAN - A Primer and Case Study

More Related Content

What's hot

Viewers also liked

Similar to Security & Privacy in WLAN - A Primer and Case Study

Recently uploaded

Security & Privacy in WLAN - A Primer and Case Study

Editor's Notes