2. Radio Frequency Basics
Mobile telephony
Cellular Digital Packet Data (CDPD)
Private data networks
Bluetooth
3G
Etc
3. Immediate communication, mobile user
Two-way, interactive
Broadcast
Convenience
Bandwidth limitations
Roaming (no fixed location)
5. A wireless LAN or WLAN is a wireless local area network that
uses radio waves as its carrier.
The last link with the users is wireless, to give a network
connection to all users in a building or campus.
The backbone network usually uses cables.
Wireless LANs operate in almost the same way as wired LANs,
using the same networking protocols and supporting most of
the same applications.
6. The wireless LAN connects to a wired LAN.
An access point is needed that bridges wireless LAN
traffic into the wired LAN.
The access point (AP) can also act as a repeater for wireless
nodes, effectively doubling the maximum possible di
7. 802.11a offers speeds with a theoretical maximum rate of
54 Mbps in the 5 GHz band.
802.11b offers speeds with a theoretical maximum rate of
11 Mbps in the 2.4 GHz band.
802.11g is a new standard for data rates of up to a theoretical
maximum of 54 Mbps at 2.4 GHz.
8. Wired Equivalent Privacy (WEP) – A protocol to
protect link-level data during wireless
transmission between clients and access points.
Services:
Authentication: provides access control to the network
by denying access to client stations that fail to
authenticate properly.
Confidentiality: intended to prevent information
compromise from casual eavesdropping.
Integrity: prevents messages from being modified
while in transit between the wireless client and the
access point.
9. Means:
Based on cryptography
Non-cryptographic
Both are identity-based verification mechanisms (devices
request access based on the SSID – Service Set Identifier of the
wireless network).
11. Cryptographic techniques
WEP uses RC4, a symmetric-key stream cipher, to
generate a pseudo-random keystream. The keystream is
XORed with the data to be transmitted.
Key sizes: 40 bits to 128 bits
Unfortunately, recent attacks have shown that the WEP
approach to privacy is vulnerable to certain attacks regardless
of key size.
12. Data integrity is ensured by a simple encrypted version of a
CRC (Cyclic Redundancy Check).
Also vulnerable to some attacks.
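The two slides above describe WEP's confidentiality (RC4 keystream XORed with the data) and its integrity check (an encrypted CRC-32). The following is an added example, not code from the original slides or from any WEP implementation: a minimal model of WEP framing that shows why a 24-bit IV makes keystream reuse inevitable, why a linear CRC cannot protect integrity, and what a keyed MAC (the kind of check CCMP later provided) catches that the CRC misses. The key, IV and frame contents are constructed sample values; the RC4 test vector in the usage note is the public "Key"/"Plaintext" vector.

```python
import zlib
import hmac
import hashlib

# Added example (not from the original slides): toy WEP framing used to show why
# keystream reuse and a linear checksum defeat confidentiality and integrity.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA; returns `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_le(data: bytes) -> bytes:
    """WEP's ICV: CRC-32 of the plaintext, little-endian, appended before encryption."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key) XOR (plaintext || ICV). The 3-byte IV is sent in clear."""
    body = plaintext + crc32_le(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok) as a WEP receiver would."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    pt, icv = body[:-4], body[-4:]
    return pt, icv == crc32_le(pt)


def iv_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so XORing the ciphertexts
    cancels it and yields plaintext_a XOR plaintext_b without the key.  With only
    2**24 IVs, reuse is certain on a busy network."""
    assert frame_a[:3] == frame_b[:3], "only meaningful for a repeated IV"
    return xor(frame_a[3:], frame_b[3:])


def flip_bits_undetected(frame: bytes, delta: bytes) -> bytes:
    """CRC-32 is linear: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0...0) for equal lengths.
    So the ICV of a modified ciphertext can be patched without the key and the
    receiver's check still passes.  `delta` has the plaintext's length; 1-bits mark
    the positions flipped."""
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    patch = delta + icv_delta.to_bytes(4, "little")
    return frame[:3] + xor(frame[3:], patch)


def hmac_tag(mac_key: bytes, data: bytes) -> bytes:
    """A keyed MAC (what CCMP's CBC-MAC or an HMAC provides) in place of a CRC."""
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def hmac_check(mac_key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(mac_key, data), tag)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")            # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                          # constructed IV
    p1, p2 = b"GET /index.htm", b"user=di&pw=x!!"  # constructed, equal length
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print("p1 XOR p2 leaked:", iv_reuse_leak(f1, f2)[:len(p1)] == xor(p1, p2))
    delta = bytes(5) + b"\x01" + bytes(len(p1) - 6)   # flip one bit in byte 5
    pt, ok = wep_decrypt(key, flip_bits_undetected(f1, delta))
    print("tampered frame accepted by ICV:", ok, pt)
    tag = hmac_tag(b"mac-key", p1)
    print("same tamper caught by HMAC:", not hmac_check(b"mac-key", xor(p1, delta), tag))
```

`rc4_keystream(b"Key", 9)` XORed with `b"Plaintext"` gives `bbf316e8d940af0ad3`, the published RC4 test vector, so the keystream function matches the real cipher. The point the slides make follows directly: no key size helps when the per-frame keystream repeats, and no encryption of a CRC helps when the check is linear; both problems are why WPA2's CCMP uses a per-frame nonce that never repeats and a keyed MAC.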
13. Security features in Wireless products are
frequently not enabled.
Use of static WEP keys (keys are in use for a
very long time). WEP does not provide key
management.
Cryptographic keys are short.
No user authentication occurs – only devices are
authenticated. A stolen device can access the
network.
Identity-based systems are vulnerable.
Packet integrity is poor.
16. Windows
Wireless NIC drivers are easy to get
Wireless hacking tools are few and weak
Unless you pay for AirPcap devices or OmniPeek
Linux
Wireless NIC drivers are hard to get and install
Wireless hacking tools are much better
17. For Linux, the best chipsets to use are Orinoco, Prism2.x/3,
Atheros, and Cisco
A good resource is at Madwifi
Go to http://madwifi-project.org/wiki/Compatibility
18. Service Set Identifier (SSID)
An identifier to distinguish one access point from another
Initialization Vector (IV)
Part of a Wired Equivalent Privacy (WEP) packet
Used in combination with the shared secret key to cipher the packet's data
20. SSID can be found from any of these frames
Beacons
Sent continually by the access point (unless disabled)
Probe Requests
Sent by client systems wishing to connect
Probe Responses
Response to a Probe Request
Association and Reassociation Requests
Made by the client when joining or rejoining the network
If SSID broadcasting is off, just send a deauthentication frame to force a reassociation
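Slide 20 lists the management frames that carry the SSID. As an added example (not code from the original slides), the parser below reads the 802.11 management frame header and the information-element list for each of those frame types, flags a beacon whose SSID element is empty (SSID broadcasting turned off), shows the same SSID still appearing in probe and association frames, and counts deauthentication frames per sender so that a deauth burst stands out in a monitor-mode capture. All frames and MAC addresses are constructed in `sample_frames()`; the SSID DIJIANG is the one from the demo slide.

```python
import struct
from collections import Counter

# Added example (not from the original slides): parse 802.11 management frames,
# extract the SSID element, and count deauthentication frames per sender.

MGMT_SUBTYPES = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req",
                 5: "probe-resp", 8: "beacon", 12: "deauth"}
# Length of the fixed fields that precede the information elements, per subtype.
FIXED_LEN = {8: 12, 5: 12, 4: 0, 0: 4, 2: 10}
SSID_IE = 0


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(data: bytes) -> dict:
    """Information elements are TLVs: element id (1 byte), length (1 byte), value."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        eid, ln = data[i], data[i + 1]
        ies[eid] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies


def parse_mgmt(frame: bytes):
    """Returns a dict for a management frame, or None for data/control frames."""
    fc, _dur, _addr1, addr2, addr3, _seq = struct.unpack_from("<HH6s6s6sH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:
        return None
    body = frame[24:]
    info = {"subtype": MGMT_SUBTYPES.get(subtype, str(subtype)),
            "src": mac_str(addr2), "bssid": mac_str(addr3), "ssid": None, "hidden": False}
    if subtype == 12:
        info["reason"] = struct.unpack_from("<H", body, 0)[0]
        return info
    if subtype not in FIXED_LEN:
        return info
    ies = parse_ies(body[FIXED_LEN[subtype]:])
    if SSID_IE in ies:
        raw = ies[SSID_IE]
        if subtype == 8 and not raw.strip(b"\x00"):
            info["hidden"] = True          # AP configured not to broadcast its SSID
        else:
            info["ssid"] = raw.decode("utf-8", "replace")
    return info


def ssid_revealers(frames) -> dict:
    """SSID -> sorted list of frame subtypes in which it appeared in the clear."""
    revealed = {}
    for f in frames:
        info = parse_mgmt(f)
        if info and info["ssid"]:
            revealed.setdefault(info["ssid"], set()).add(info["subtype"])
    return {s: sorted(t) for s, t in revealed.items()}


def deauth_flood_sources(frames, threshold: int = 5) -> set:
    """Senders that issued at least `threshold` deauth frames.  A forced
    reassociation shows up as a burst from one address (often the AP's own,
    spoofed), which a wireless IDS can alert on."""
    counts = Counter()
    for f in frames:
        info = parse_mgmt(f)
        if info and info["subtype"] == "deauth":
            counts[info["src"]] += 1
    return {src for src, n in counts.items() if n >= threshold}


def build_mgmt(subtype: int, dst: bytes, src: bytes, bssid: bytes, body: bytes) -> bytes:
    """Management frame header: frame control, duration, addr1/2/3, sequence control."""
    return struct.pack("<HH6s6s6sH", subtype << 4, 0, dst, src, bssid, 0) + body


def ie(eid: int, value: bytes) -> bytes:
    return bytes([eid, len(value)]) + value


def sample_frames() -> list:
    """Constructed frames for a sample network named DIJIANG; MACs are made up."""
    bcast, ap, client = b"\xff" * 6, bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, beacon interval, capability
    beacon_hidden = build_mgmt(8, bcast, ap, ap, fixed + ie(SSID_IE, b""))
    probe_req = build_mgmt(4, bcast, client, bcast, ie(SSID_IE, b"DIJIANG"))
    probe_resp = build_mgmt(5, client, ap, ap, fixed + ie(SSID_IE, b"DIJIANG"))
    assoc_req = build_mgmt(0, ap, client, ap, struct.pack("<HH", 0x0411, 10) + ie(SSID_IE, b"DIJIANG"))
    # Eight deauth frames with the AP's address as sender: a spoofed burst.
    deauths = [build_mgmt(12, client, ap, ap, struct.pack("<H", 7)) for _ in range(8)]
    return [beacon_hidden, probe_req, probe_resp, assoc_req] + deauths


if __name__ == "__main__":
    frames = sample_frames()
    print("beacon:", parse_mgmt(frames[0]))
    print("SSID revealed by:", ssid_revealers(frames))
    print("deauth burst from:", deauth_flood_sources(frames))
```

Hiding the SSID in beacons only removes it from one of four frame types; the others carry it unencrypted, which is why SSID hiding is an inventory convenience rather than a security control. The deauth counter is the detection side of the same slide: deauthentication frames are unauthenticated in the original 802.11 design, so monitoring their rate per sender (or enabling 802.11w management frame protection where the equipment supports it) is the practical defence.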
21. Each MAC must be entered into the list of approved addresses
High administrative effort, low security
Attacker can just sniff MACs from clients and spoof them
23. In Windows, just select it from the available wireless networks.
Click on set up a wireless network from a home or small office, and then input the SSID.
24. In Windows Vista
Run regedt32
Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
Find the REG_SZ value named NetworkAddress and change it
SMAC is easier
25. Many Wi-Fi cards allow you to change the MAC in Windows' Device Manager
26. Brute-force keyspace – takes weeks even for 40-bit keys (use
Cain & Abel)
Collect Initialization Vectors, which are sent in the clear, and
correlate them with the first encrypted byte
This makes the brute-force process much faster
27. Aircrack-ng or AirSnort (old)
kismet
Cain & Abel
WLAN-Tools
DWEPCrack
WEPAttack
Cracks using the weak IV flaw
Best countermeasure – use WPA/WPA2
28. This demo is conducted in my home
Network configuration.
Linksys Access point
WEP 64 bit key
Passcode ???
SSID DIJIANG
37. WPA/WPA2 is strong
No major weaknesses
However, if you use a weak Pre-Shared Key, it can be found
with a dictionary attack
Tool: Aircrack-ng
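Slide 37 says WPA/WPA2 has no major weaknesses but that a weak pre-shared key can be found with a dictionary. The reason is the key derivation: the PMK is PBKDF2-HMAC-SHA1 of the passphrase, salted only with the SSID, so the passphrase's guessability is the whole security margin. The following is an added example (not from the original slides or from Aircrack-ng) that derives the PMK as IEEE 802.11i specifies and runs the policy checks a defender would apply to a PSK. The word list and the default-SSID list are short constructed samples; the only real vector used is the public 802.11i test vector ("password" / "IEEE").

```python
import hashlib
import string

# Added example (not from the original slides): WPA/WPA2 PMK derivation and a
# passphrase audit.  Lists below are constructed samples, not real wordlists.
SAMPLE_WORDLIST = {"password", "12345678", "letmein1", "qwertyui", "dijiang1"}
SAMPLE_DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits), per IEEE 802.11i.
    The SSID is the only salt, so the same passphrase on the same SSID always yields the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def passphrase_issues(passphrase: str, ssid: str,
                      wordlist=SAMPLE_WORDLIST, defaults=SAMPLE_DEFAULT_SSIDS) -> list:
    """Policy findings for a pre-shared key; an empty list means no finding."""
    issues = []
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        issues.append("not a valid WPA passphrase (8-63 printable ASCII characters)")
    if passphrase.lower() in wordlist:
        issues.append("passphrase appears in the dictionary: found by an offline guess")
    classes = sum(bool(set(passphrase) & set(cs)) for cs in CHAR_CLASSES)
    if len(passphrase) < 20 and classes < 3:
        issues.append("short and low-variety: small keyspace for an offline guess")
    if ssid.lower() in defaults:
        issues.append("default SSID: PMKs for common passphrases can be precomputed per SSID")
    return issues


def pmk_changes_with_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Shows why changing the default SSID matters: it changes the PBKDF2 salt."""
    return wpa2_pmk(passphrase, ssid_a) != wpa2_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    print(wpa2_pmk("password", "IEEE").hex())   # 802.11i Annex test vector
    print(passphrase_issues("password", "linksys"))
    print(passphrase_issues("Tq7#vLp2!xR9mW4zQ1bN", "DIJIANG"))
    print(pmk_changes_with_ssid("password", "linksys", "DIJIANG"))
```

The 4096 iterations slow each guess by a constant factor only; they do not rescue a passphrase that sits in a wordlist. The audit therefore treats dictionary membership and a default SSID (which makes per-SSID precomputation worthwhile) as findings in their own right, which ties the slide's "change the default settings" advice to the key derivation it actually affects.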
38. Change the default settings
Filter MAC addresses
100% safe = impossible
Editor's Notes
802.11
Most wireless LAN products operate in unlicensed radio bands
2.4 GHz is most popular: available in most parts of the world, no need for user licensing
Most wireless LANs use spread-spectrum radio: resistant to interference, secure
Two popular methods: Frequency Hopping (FH), Direct Sequence (DS)
802.11a
Ultra-high spectrum efficiency: 5 GHz band is 300 MHz (vs. 83.5 MHz @ 2.4 GHz); more data can travel over a smaller amount of bandwidth
High speed: up to 54 Mbps
Less interference: fewer products using the frequency; the 2.4 GHz band is shared by cordless phones, microwave ovens, Bluetooth, and WLANs
Disadvantages
Standards and interoperability: standard not accepted worldwide; no interoperability certification available for 802.11a products; not compatible or interoperable with 802.11b
Legal issues: license-free spectrum in the 5 GHz band not available worldwide
Market: beyond LAN-LAN bridging, there is limited interest in 5 GHz adoption
802.11g is a high-speed extension to 802.11b
Compatible with 802.11b; high speed up to 54 Mbps; 2.4 GHz (vs. 802.11a, 5 GHz); Adaptive Rate Shifting
Provides higher speeds and higher capacity for applications with higher requirements
Wireless public access: compatible with the existing 802.11b standard; leverages worldwide spectrum availability in 2.4 GHz; likely to be less costly than 5 GHz alternatives
Provides easy migration for current users of 802.11b WLANs; delivers backward support for existing 802.11b products; provides a path to even higher speeds in the future
EAP-SIM: In a GSM-based network, the mobile connection performs SIM authentication through the RADIUS protocol, known as EAP-SIM, where the client goes through the same provisioning authorization, authentication and services that already exist in the GSM service, without changes to the cellular network elements.
EAP-AKA: In UMTS-based networks, EAP-AKA authentication is implemented with functions derived from the access network key, usually taken from the Universal Subscriber Identity Module (USIM). The AKA method is based on a challenge-and-response mechanism for mutual authentication. This can of course make it more secure.
EAP-TLS is defined in RFC 5216. The Transport Layer Security (TLS) protocol is strong, with the use of a PKI (public key infrastructure) to secure mutual authentication between client and server and vice versa. Both client and server must be issued digital certificates signed by a Certificate Authority (CA), stating that the link is secure.
EAP-TTLS: The Tunneled TLS EAP method (EAP-TTLS) is very similar to EAP-PEAP in the way it works. It does not require the client to be authenticated to the server with a digital certificate signed by a CA. The server uses a secure TLS tunnel to authenticate the client with a password and with a key exchange mechanism. EAP-TTLS additionally uses a username and password, whereas EAP-TLS has no username and password.
Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, WEP (Wired Equivalent Privacy). [1]
WPA2 (IEEE 802.11i-2004)
WPA2 has replaced WPA. WPA2, which requires testing and certification by the Wi-Fi Alliance, implements the mandatory elements of IEEE 802.11i. In particular, it introduces CCMP (Counter Cipher Mode with Block Chaining Message Authentication Code Protocol), a new AES-based encryption mode with strong security. [6] Certification began in September 2004; from March 13, 2006, WPA2 certification is mandatory for all new devices to bear the Wi-Fi trademark. [7]
Encryption protocol
TKIP (Temporal Key Integrity Protocol): the RC4 stream cipher is used with a 128-bit per-packet key, meaning that it dynamically generates a new key for each packet. Used by WPA.
CCMP: an AES-based encryption mechanism that is stronger than TKIP. Used by WPA2. Among informal names are "AES" and "AES-CCMP". According to the 802.11n specification, this encryption protocol must be used to achieve the fast 802.11n high bitrate schemes, though not all implementations enforce this. [24] Otherwise, the data rate will not exceed 54 Mbit/s.
EAP extensions under WPA and WPA2 Enterprise
In April 2010, the Wi-Fi Alliance announced the inclusion of additional Extensible Authentication Protocol (EAP) [25] types to its certification programs for WPA- and WPA2-Enterprise certification programs. [26] This was to ensure that WPA-Enterprise certified products can interoperate with one another. Previously, only EAP-TLS (Transport Layer Security) was certified by the Wi-Fi Alliance.
As of 2010 the certification program includes the following EAP types:
EAP-TLS (previously tested)
EAP-TTLS/MSCHAPv2 (April 2005 [27])
PEAPv0/EAP-MSCHAPv2 (April 2005)
PEAPv1/EAP-GTC (April 2005)
PEAP-TLS
EAP-SIM (April 2005)
EAP-AKA (April 2009 [28])
EAP-FAST (April 2009)