This document discusses wireless local area networks (WLANs) and wireless security. It covers WLAN basics and standards like 802.11a, 802.11b and 802.11g. It describes security protocols like Wired Equivalent Privacy (WEP) and vulnerabilities like weak encryption keys. The document discusses ways to crack WEP security and better security protocols like WPA/WPA2. It also provides instructions on how to scan and crack wireless networks using tools like Aircrack-ng on different operating systems.

1. By :
Septafiansyah Dwi Putra
ITB

2.  Radio Frequency Basics
 Mobile telephony
 Cellular Digital Packet Data (CDPD)
 Private data networks
 Bluetooth
 3G
 Etc

3.  Immediate communication, mobile user
 Two-way, interactive
 Broadcast
 Convenience
 Bandwidth limitations
 Roaming (no fixed location)

5.  A wireless LAN or WLAN is a wireless local area network that
uses radio waves as its carrier.
 The last link with the users is wireless, to give a network
connection to all users in a building or campus.
 The backbone network usually uses cables
Wireless LANs operate in almost the same way as wired LANs,
using the same networking protocols and supporting the most
of the same applications.

6. The wireless LAN connects to a wired LAN
 There is a need of an access point that bridges wireless LAN
traffic into the wired LAN.
 The access point (AP) can also act as a repeater for wireless
nodes, effectively doubling the maximum possible di

7.  802.11a offers speeds with a theoretically maximum rate of
54Mbps in the 5 GHz band
 802.11b offers speeds with a theoretically maximum rate of
11Mbps at in the 2.4 GHz spectrum band
 802.11g is a new standard for data rates of up to a theoretical
maximum of 54 Mbps at 2.4 GHz.

8.  Wired Equivalent Privacy (WEP) – A protocol to
protect link-level data during wireless
transmission between clients and access points.
 Services:
 Authentication: provides access control to the network
by denying access to client stations that fail to
authenticate properly.
 Confidentiality: intends to prevent information
compromise from casual eavesdropping
 Integrity: prevents messages from being modified
while in transit between the wireless client and the
access point.

9. Means:
 Based on cryptography
 Non-cryptographic
 Both are identity-based verification mechanisms (devices
request access based on the SSID – Service Set Identifier of the
wireless network).

10.  Authentication techniques

11.  Cryptographic techniques
 WEP Uses RC4 symmetric key, stream cipher algorithm to
generate a pseudo random data sequence. The stream is
XORed with the data to be transmitted
 Key sizes: 40bits to 128bits
 Unfortunately, recent attacks have shown that the WEP
approach for privacy is vulnerable to certain attack regardless
of key size

12.  Data integrity is ensured by a simple encrypted version of
CRC (Cyclic Redundant Check)
 Also vulnerable to some attacks

13.  Security features in Wireless products are
frequently not enabled.
 Use of static WEP keys (keys are in use for a
very long time). WEP does not provide key
management.
 Cryptographic keys are short.
 No user authentication occurs – only devices are
authenticated. A stolen device can access the
network.
 Identity based systems are vulnerable.
 Packet integrity is poor.

14.  3Com Dynamic Security Link
 CISCO LEAP - Lightweight Extensible Authentication
Protocol
 IEEE 802.1x – Port-Based Network Access Control
 RADIUS Authentication Support
 EAP-MD5
 EAP-TLS
 EAP-TTLS
 PEAP - Protected EAP
 TKIP - Temporal Key Integrity Protocol
 IEEE 802.11i

16.  Windows
 Wireless NIC drivers are easy to get
 Wireless hacking tools are few and weak
 Unless you pay for AirPcap devices or OmniPeek
 Linux
 Wireless NIC drivers are hard to get and install
 Wireless hacking tools are much better

17.  For Linux, the best chipsets to use are Orinoco, Prism2.x/3,
Atheros, and Cisco
 A good resource is at Madwifi
 Go to http://madwifi-project.org/wiki/Compatibility

18. Service Set Identifier
(SSID)
 An identifier to distinguish one
access point from another
Initialization Vector (IV)
 Part of a Wired Equivalent Privacy
(WEP) packet
 Used in combination with the shared
secret key to cipher the packet's
data

20. SSID can be found from any of these frames
 Beacons
 Sent continually by the access point (unless disabled)
 Probe Requests
 Sent by client systems wishing to connect
 Probe Responses
 Response to a Probe Request
 Association and Reassociation Requests
 Made by the client when joining or rejoining the network
If SSID broadcasting is off, just send
adeauthentication frame to force a
reassociation

21.  Each MAC must be entered into the list of approved addresses
 High administrative effort, low security
 Attacker can just sniff MACs from clients and spoof them

23.  In Windows, just select it from the available wireless networks
 Click on set up a wireless network from a home or small office.
 And then input
the SSID

24.  In Windows Vista
Rund regedt32
Navigate to
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlCla
ss{4D36E972-E325-11CE-BFC1-08002BE10318}
Find REG_SZ name NetworkAddress and change it
 SMAC is easier

25.  Many Wi-Fi cards
allow you to change
the MAC in Windows'
Device Manager

26.  Brute-force keyspace – takes weeks even for 40-bit keys (use
Cain & Abel)
 Collect Initialization Vectors, which are sent in the clear, and
correlate them with the first encrypted byte
 This makes the brute-force process much faster

27.  Aircrack-ng or AirSnort (old)
 kismet
 Cain & Abel
 WLAN-Tools
 DWEPCrack
 WEPAttack
 Cracks using the weak IV flaw
 Best countermeasure – use WPA/WPA2

28.  This demo is conducted in my home
 Network configuration.
Linksys Access point
WEP 64 bit key
Passcode ???
SSID DIJIANG

37.  WPA/WPA2 is strong
 No major weaknesses
 However, if you use a weak Pre-Shared Key, it can be found
with a dictionary attack
 Tool: Aircrack-ng

38.  Change the default setting
 Filtering MAC Address
 100% safe = imposible