
Wireless Security

WEP, WPA, Attack Taxonomy, WLAN, UWB, Bluetooth, WiMAX, Mobile Issues

Why IV packets are used to crack WEP


Why do we need IV data? In the WEP cracking technique, airodump-ng is run with the -c <channel> and --bssid options (and --ivs to keep only the IVs) to capture IV packets from the specific access point.

The command writes a capture file containing the IV packets (e.g. ivdump.ivs) until a certain number of IVs has been collected; aircrack-ng then runs its statistical attack on that file.
The IV is a 24-bit value that is combined with the 40-bit shared key to seed RC4 for each frame. It is meant to be a nonce, used only once per key, so that no two frames share a keystream and no repetition appears in the encrypted text. In WEP it is NOT random in practice, and with only 2^24 possible values it repeats on a busy network within hours. It is also sent in clear in every frame, so an attacker knows the first three bytes of every RC4 seed. Given enough captured IVs, the weak-key statistics (FMS/PTW attacks) leak the shared key, and with the key in hand WEP decryption is simply the encryption process run in reverse.

WEP Encryption Process


[Diagram] Shared key (40 bits) || IV (24 bits) -> 64-bit RC4 seed -> RC4 keystream. The original text is extended with a CRC-32 integrity check value (ICV) and XORed with the keystream to give the encrypted payload. The frame carries the IV used, in clear text, in front of the ciphertext.

WEP Decryption Process


[Diagram] The receiver takes the clear-text IV from the frame, prepends it to the shared key (40 bits) to rebuild the same 64-bit RC4 seed, regenerates the keystream, XORs it with the encrypted payload to recover the original text plus ICV, and verifies the CRC-32.
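The two diagrams above, as an added example that is not part of the original slides: a toy WEP-64 frame encrypt/decrypt in Python, showing where the 24-bit IV sits in the RC4 seed and in the frame, plus the two consequences of that design that the cracking technique relies on (IV reuse leaks the XOR of two plaintexts without the key, and the CRC-32 ICV lets an attacker flip plaintext bits in a valid frame). The key, IV and messages are constructed for the demo, and the key-ID byte of a real frame is omitted.

```python
# Added example (not from the original slides): toy WEP-64 frame
# encryption/decryption showing where the 24-bit IV sits, plus the two
# consequences of that design (IV reuse leaks plaintext XOR, CRC-32 ICV
# allows bit-flipping). Key, IV and messages are constructed for the demo.
import struct
import zlib

DEMO_KEY = b"\x01\x02\x03\x04\x05"   # 40-bit shared key (constructed)
DEMO_IV = b"\x00\x00\x01"            # 24-bit IV (constructed)
IV_SPACE = 2 ** 24                    # only 16,777,216 IVs per key


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 KSA + PRGA. WEP seeds it with IV || shared key (64 bits here)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || (plaintext || ICV) XOR RC4(IV || key).
    The key-ID byte that follows the IV in a real frame is omitted."""
    if len(key) != 5 or len(iv) != 3:
        raise ValueError("WEP-64 expects a 40-bit key and a 24-bit IV")
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Reverse of wep_encrypt: the IV is read from the clear-text prefix."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv + key, len(body)))
    plaintext, tag = data[:-4], data[-4:]
    if icv(plaintext) != tag:
        raise ValueError("ICV mismatch")
    return plaintext


def plaintext_xor_from_iv_reuse(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same key and IV share one keystream, so
    C_a XOR C_b == P_a XOR P_b (including the ICVs) without knowing the key."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs, different keystreams")
    return xor(frame_a[3:], frame_b[3:])


def bitflip(frame: bytes, mask: bytes) -> bytes:
    """CRC-32 is linear: XOR a mask into the ciphertext and patch the
    encrypted ICV with CRC(mask) XOR CRC(zeros); the frame still verifies."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    mask = mask.ljust(n, b"\x00")[:n]
    return iv + xor(body, mask + xor(icv(mask), icv(bytes(n))))


if __name__ == "__main__":
    f1 = wep_encrypt(DEMO_KEY, DEMO_IV, b"attack at dawn")
    f2 = wep_encrypt(DEMO_KEY, DEMO_IV, b"retreat now!!!")   # same IV reused
    print(wep_decrypt(DEMO_KEY, f1))
    print(plaintext_xor_from_iv_reuse(f1, f2)[:14])          # == P1 XOR P2
    forged = bitflip(f1, b"\x00" * 10 + xor(b"dawn", b"noon"))
    print(wep_decrypt(DEMO_KEY, forged))                       # b'attack at noon'
```

The IV-reuse function is the passive half of the story: the attacker needs nothing but two captured frames with equal IV prefixes. The key-recovery statistics that aircrack-ng applies to the IV dump are a further step over this same seed structure and are not reproduced here.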

What are the Differences Between WPA and WPA2


Feature                             WPA           WPA2
Independent BSS (IBSS, ad-hoc)      NO            YES
Pre-authentication                  NO            YES
AES-CCMP cipher                     NO            YES
Cipher                              RC4 (TKIP)    AES (CCMP)

WPA:
1. Increases the level of over-the-air data protection and access control on existing and future wireless networks; it was an interim replacement for WEP that runs on the same RC4 hardware.
2. Uses the Temporal Key Integrity Protocol (TKIP) for encryption. In enterprise mode it employs 802.1X authentication with one of the standard Extensible Authentication Protocol (EAP) types available today; in personal mode the keys are derived from a pre-shared key instead.

WPA2:
1. Pre-authentication: authentication information is relayed from the access point the client is currently using to the target access point. Enabling this feature speeds up authentication for roaming clients that connect to multiple access points.
2. Provides the Advanced Encryption Standard (AES). AES is used in CCM mode (Counter mode with CBC-MAC), which gives confidentiality and an integrity check from one cipher; the resulting protocol is CCMP.
3. Supports the Independent Basic Service Set (IBSS) to secure traffic between client workstations that connect wirelessly to each other without a wireless router.

Taxonomy Of WLAN Attacks - Passive


An unauthorised party reads traffic on the network but does not modify any resources.

Attacks
Traffic Analysis: the attacker gains basic knowledge of the network (SSIDs, BSSIDs, client MAC addresses, traffic volumes) before launching an attack.
Passive Eavesdropping: the attacker monitors the WLAN traffic but does not modify it.

Solution
IPSec - encrypted tunnel at layer 3. L2TP - tunnel at layer 2 (L2TP itself does not encrypt; in practice it is run over IPSec as L2TP/IPSec).

[Diagram: Layer 3 encrypted] 802.11 header | outer IP header | [encrypted: inner IP header | TCP header | message]. The 802.11 header and the outer IP header remain visible to an eavesdropper.

[Diagram: Layer 2 encrypted] 802.11 header | [encrypted: IP header | TCP header | message]. Only the 802.11 header remains visible.

Taxonomy Of WLAN Attacks - Active


Attacks / Method / Solution / Tool

Unauthorized Access
Method: the attacker spoofs a victim's MAC address (which travels in clear in every frame) and uses it to join as a legitimate user, defeating MAC-based access lists.
Solution: access control and a firewall between the WLAN and the wired LAN. Host firewall tools listed: Agnitum Outpost Firewall, BlackICE PC Protection, Kerio Personal Firewall, Sygate Firewall.

Rogue Access Point
Method: an AP installed on the company network without explicit authorization.
Solution: centralised detection that monitors the air for any rogue AP (AirMagnet, AirDefense, Aruba); TCP port scanning of the wired network, examining packets sent to/from particular ports to find AP management services (Port Scanner, Open Port Scanner); mutual authentication, where both the AP and the client must prove their identities before exchanging any data, using an EAP method that also authenticates the server.

MITM, Session Hijacking, Replay
Method: a MITM attack targets the connection between two systems, intercepting the communication between system A and system B. For example, in an HTTP transaction the target is the TCP connection between client and server. The MITM is able to read, insert and change the data before the server receives it. Session hijacking takes over an already authenticated session; a replay attack re-sends captured frames.
Solution: mutual authentication (EAP) and per-frame authentication.
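The passive and active slides above both turn on what an 802.11 listener can see without any key. As an added example that is not from the original slides, the following Python block decodes the MAC header of a data frame (addresses and the Protected Frame bit are never encrypted, which is why copying addr2 bypasses MAC access control) and applies a simple allowlist check of the kind a centralised rogue-AP monitor performs (a corporate SSID advertised from an unknown BSSID is an evil twin). The frames, MAC addresses, SSIDs and allowlist are constructed for the demo.

```python
# Added example (not from the original slides): what a passive listener sees
# in an 802.11 data frame, and a simple evil-twin / rogue-AP check against an
# allowlist of authorised BSSIDs. Frames, MACs and SSIDs are constructed.
import struct

FRAME_TYPE_DATA = 2
FC_TO_DS, FC_FROM_DS, FC_PROTECTED = 0x0100, 0x0200, 0x4000


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_80211_header(frame: bytes) -> dict:
    """Decode the 24-byte MAC header. None of these fields is ever encrypted,
    even on a WEP/WPA network: only the body after the header is protected.
    That is why MAC-address access control is bypassed by copying addr2."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a 24-byte MAC header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & FC_TO_DS), bool(fc & FC_FROM_DS)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # Address roles depend on the To DS / From DS bits.
    if not to_ds and not from_ds:        # ad-hoc / management
        dst, src, bssid = a1, a2, a3
    elif to_ds and not from_ds:          # client -> AP
        bssid, src, dst = a1, a2, a3
    elif from_ds and not to_ds:          # AP -> client
        dst, bssid, src = a1, a2, a3
    else:
        raise ValueError("4-address (WDS) frames not handled here")
    return {
        "type": ftype, "subtype": subtype,
        "protected": bool(fc & FC_PROTECTED),
        "src": mac_str(src), "dst": mac_str(dst), "bssid": mac_str(bssid),
        "body_len": len(frame) - 24,
    }


def build_data_frame(src: bytes, dst: bytes, bssid: bytes, body: bytes,
                     protected: bool = True) -> bytes:
    """Construct a client->AP (To DS) data frame for the demo."""
    fc = (FRAME_TYPE_DATA << 2) | FC_TO_DS | (FC_PROTECTED if protected else 0)
    return struct.pack("<HH", fc, 0) + bssid + src + dst + struct.pack("<H", 0) + body


def find_rogue_aps(beacons, authorized):
    """beacons: (ssid, bssid) pairs reported by sensors; authorized: {ssid: set(bssid)}.
    Flags an evil twin (corporate SSID from an unknown radio) and any SSID not
    in the allowlist. In practice the second class is correlated with the
    wired side (port scanning, switch MAC tables) before it is declared rogue."""
    findings = []
    for ssid, bssid in beacons:
        if ssid in authorized:
            if bssid.lower() not in authorized[ssid]:
                findings.append((ssid, bssid, "evil twin: corporate SSID from unknown BSSID"))
        else:
            findings.append((ssid, bssid, "unknown SSID seen by sensor"))
    return findings


# Constructed sample: a protected data frame from client aa:bb:... to the AP.
SAMPLE_FRAME = build_data_frame(
    src=bytes.fromhex("aabbccddeeff"), dst=bytes.fromhex("001122334455"),
    bssid=bytes.fromhex("0a0b0c0d0e0f"), body=b"\x11\x22\x33\x44\x55\x66\x77\x88")

if __name__ == "__main__":
    print(parse_80211_header(SAMPLE_FRAME))
    print(find_rogue_aps([("CorpWiFi", "0a:0b:0c:0d:0e:0f"), ("CorpWiFi", "de:ad:be:ef:00:01")],
                         {"CorpWiFi": {"0a:0b:0c:0d:0e:0f"}}))
```

The parser deliberately stops at the header: with the Protected Frame bit set the body is opaque, yet source, destination and BSSID are already enough for the traffic analysis and MAC spoofing described above.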

Taxonomy Of WLAN Attacks - Active (continued)


Denial Of Service (DoS)
Method: an attempt to make a network or resource unavailable.
Solution / Tool: web application firewall, e.g. dotDefender. dotDefender inspects HTTP traffic and checks each request against rules (protocol, port, IP address) to allow or deny it, stopping the traffic before it exhausts the resource. Note that this only covers DoS against HTTP services reached over the WLAN; 802.11-level DoS such as deauthentication floods or RF jamming is not stopped by an application-layer filter and needs management-frame protection and RF monitoring instead.

Secure Protocol for Wireless LAN


Application Manager: how to secure the data from the browser to the application. Use SSL/TLS to secure data from the browser to the application.

Network Manager: how to protect the company network from access by unauthorized users. Use a VPN to secure connectivity from the outside network to the company network (intranet); use IPSec between routers.

Hardware Manager: how to secure transmission between the hardware resource and the access point. Use WPA2 with AES encryption; WEP is only a legacy fallback, since its key can be recovered from captured IVs as described above.

WLAN Security with EAP


EAP carries the authentication dialogue. In 802.1X the client is the supplicant, the access point (or switch) is the authenticator, and the RADIUS server is the authentication server. 802.1X uses EAP (Extensible Authentication Protocol) to carry the exchange from the supplicant to the authenticator and from the authenticator to the authentication server. Types:
EAP-TLS: certificate-based mutual authentication, similar to the TLS handshake used by SSL; the strongest of the three.
EAP-MD5: hides the password in an MD5 hash of a challenge. It authenticates only the client, not the server, and the captured hash can be attacked offline with a dictionary, so it is not suitable over wireless.
LEAP: Cisco-specific authentication that provides mutual authentication and dynamic WEP key generation; its MS-CHAP-based exchange is also vulnerable to offline dictionary attacks.
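To make the EAP-MD5 point concrete, here is an added example that is not from the original slides: the EAP-MD5-Challenge request/response packets (RFC 3748 section 5.4, using the CHAP computation from RFC 1994) exchanged between authentication server and supplicant, followed by the offline dictionary attack an eavesdropper on the WLAN can run against the captured pair. The identifier, challenge, password, NAS and user names, and the wordlist are all constructed for the demo.

```python
# Added example (not from the original slides): the EAP-MD5 challenge/response
# exchange (RFC 3748 section 5.4, same computation as CHAP in RFC 1994) and
# why a passive listener on the WLAN can recover the password from it.
# The identifier, challenge, password and wordlist are constructed for the demo.
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4

DEMO_ID = 7
DEMO_CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # 16 bytes, constructed


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Supplicant side: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap_md5(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """EAP packet: Code | Identifier | Length | Type=4 | Value-Size | Value | Name."""
    data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_eap_md5(pkt: bytes):
    code, identifier, length = struct.unpack_from("!BBH", pkt, 0)
    if len(pkt) < length or pkt[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-MD5-Challenge packet")
    vsize = pkt[5]
    return code, identifier, pkt[6:6 + vsize], pkt[6 + vsize:length]


def run_exchange(password: bytes, identifier: int = DEMO_ID, challenge: bytes = DEMO_CHALLENGE):
    """Authentication server (relayed by the authenticator) -> supplicant -> server.
    Returns (request, response, accepted). The server never proves its own
    identity, so a rogue AP can issue the challenge and collect the response."""
    request = build_eap_md5(EAP_REQUEST, identifier, challenge, b"corp-nas")
    _, rid, chal, _ = parse_eap_md5(request)
    response = build_eap_md5(EAP_RESPONSE, rid, eap_md5_response(rid, password, chal), b"alice")
    _, rid2, resp_value, _ = parse_eap_md5(response)
    accepted = hmac.compare_digest(eap_md5_response(rid2, password, challenge), resp_value)
    return request, response, accepted


def offline_dictionary_attack(request: bytes, response: bytes, wordlist):
    """An eavesdropper who captured both packets tries candidate passwords
    offline; the hash hides the password only from someone who cannot guess it."""
    _, identifier, challenge, _ = parse_eap_md5(request)
    _, _, resp_value, _ = parse_eap_md5(response)
    for word in wordlist:
        if eap_md5_response(identifier, word, challenge) == resp_value:
            return word
    return None


if __name__ == "__main__":
    req, resp, ok = run_exchange(b"summer2024")
    print("server accepted:", ok)
    print("eavesdropper recovered:",
          offline_dictionary_attack(req, resp, [b"password", b"letmein", b"summer2024"]))
```

EAP-TLS avoids both problems shown here: the server presents a certificate before the client reveals anything, and the client proves possession of a private key rather than a guessable secret, so there is no password-derived value to attack offline.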

Summary of Attack

CIA | Type            | Attack                | Weakness                                        | Countermeasure
C   | Confidentiality | Traffic Analysis      | Networks announce themselves to the public      | IPSec, L2TP
C   | Confidentiality | Passive Eavesdropping | WEP is vulnerable                               | IPSec, SSH, TLS
C   | Confidentiality | Rogue AP              | Lack of physical security protection            | Centralized monitoring, port scanning, firewall
I   | Integrity       | Unauthorized Access   | No firewall between wireless LAN and wired LAN  | Firewall
I   | Integrity       | MITM                  | MAC address sent in clear                       | Mutual authentication, EAP
I   | Integrity       | Session Hijacking     | Lack of authentication mechanism                | EAP, per-frame authentication
I   | Integrity       | Replay                | Lack of authentication mechanism                | EAP, per-frame authentication
A   | Availability    | DoS                   | Easy access to the physical layer               | Firewall

Issues on Mobile
- Storing confidential information such as bank accounts, passwords, etc.
- Exposure to open Wi-Fi networks that put network access at risk: MITM attacks, WEP cracking.
- Malware risk from applications downloaded to the mobile; the malware can steal private information or pictures without permission.
- Data not encrypted at rest, so it is at risk if someone steals the mobile.
- Bluetooth vulnerabilities.

Ultra Wide Band (UWB)


- For wireless interconnection of multimedia devices.
- Provides significant data transfer rates, up to 500 Mbps at 2 metres.
- Used in medical monitoring, such as patient motion monitoring over a short distance.
- Used in medical imaging, such as cardiology imaging for heart monitoring and obstetrics imaging for fetal health checks.

Bluetooth Attack
Vulnerabilities
- Device left discoverable
- Lack of encryption
- Lack of authentication
- Wide range

Attacks
- BlueSnarf: browse the phonebook and calendar, using BlueMaho
- Bluetooth FTP: pull files over the Bluetooth file transfer profile, using Bluediving
- BlueBug: make phone calls through the victim's phone, using Bluebugger

Solutions
- Configure the device as non-discoverable
- Do not enter the pairing PIN in public
- Apply encryption algorithms (enable link-level encryption and authentication when pairing)

WiMAX
WiMAX is the much-anticipated broadband wireless access mechanism for delivering high-speed connectivity over long distances, making it attractive to Internet and telecommunications service providers.
Potential attacks:
- Rogue base stations
- DoS attacks
- Man-in-the-middle attacks
- Network manipulation with spoofed management frames
