The Theory and Reality of Wireless LAN Security

CONTENTS

I. ACKNOWLEDGEMENTS

II. ABSTRACT

IV. LIST OF FIGURES

V. LIST OF ABBREVIATIONS

1. INTRODUCTION
1.1 AIM AND OBJECTIVES
1.1.1 Aim
1.1.2 Objectives

2. LITERATURE REVIEW
2.1 WIRELESS LOCAL AREA NETWORK
2.1.1 Wireless LAN Security
2.2 . WEP – WIRED EQUIVALENT PRIVACY
2.2.1 WEP Security Analysis
2.2.2 How WEP works
2.2.3 Conclusion
2.3 . WPA/WPA2 – WI-FI PROTECTED ACCESS
2.3.1 WPA/WPA2 Security Analysis
2.3.2 How WPA works
2.3.3 How WPA2 works
2.3.4 Conclusion
2.4 . SSID – SERVICE SET IDENTIFIER
2.5 . MAC FILTERING
2.6 . VPN – VIRTUAL PRIVATE NETWORKS
2.7 . WIRELESS LAN ATTACKS
2.7.1 Passive Attacks
2.7.1.1 Replay Attack
2.7.1.2 Eavesdropping
2.7.1.3 Brute force attacks
2.7.1.4 Statistical attacks
2.7.2 Active Attacks
2.7.2.1 Denial of Service
2.7.2.2 Man in the Middle

3. METHODOLOGY
3.1 RESEARCH METHODOLOGY
3.2 EXPERIMENTAL METHODOLOGY
3.3 PLANNING AND MONITORING
3.4 RISK ASSSESMENT
3.5 CONCLUSION

4. WIRELESS NETWORK SECURITY SURVEY: WARDRIVE
4.1 INTRODUCTION
4.2 METHODOLOGY
4.3 FINDINGS
4.4 RESULTS
4.5 CONCLUSION

5. WIRELESS LAN PENETRATION TESTS
5.1 INTRODUCTION
5.2 METHODOLOGY
5.3 CRACKING WEP PASSWORD
5.3.1 Results
5.3.2 Conclusion
5.4 CRACKING WPA PASSWORD
5.4.1 Results
5.4.2 Conclusion

6. RECOMMENDATIONS

7. PROJECT EVALUATION
7.1 EVALUATION OF THE OBJECTIVES
7.2 EVALUATION OF THE METHODOLOGY
7.3 REFLECTION

8. REFERENCES

9. APPENDICES
9.1 Appendix A:Gantt Chart
9.2 Appendix B:Cracking WEP Password: Initial experimentation
9.3 Appendix C:Cracking WEP Password: Final experimentation
9.4 Appendix D:Cracking WPA Password
9.5 Appendix E:Diagram: WEP Step by step
9.6 Appendix F:Project Definition Report
9.7 Appendix G:Project Review Report

VI. BIBLIOGRAPHY

IV. LIST OF FIGURES

Figure 2-1. CIA Triad

Figure 2-2. Open Authentication

Figure 2-3. WEP authentication process

Figure 2-4. WEP one way Authentication

Figure 4-1.InSSIDer main window18

Figure 4-2. Wardriving results from different sources

Figure 4-3. Wardriving Results

Figure 4-4. Pie-chart – wardriving results breakdown

Figure 4-5. Geographical implementation of wardriving results

Figure 4-6. Chart: Highly Vulnerable vs More Secure access points

Figure 5-1. Result of successful WEP password crack

Figure 5-2. Successful association to the target access point

Figure 5-3. Wordlist example

Figure 5-4. Successful WPA crack

Figure 5-5. Brute force calculator (8 characters password)

Figure 5-6. Brute force calculator (1M keys per second)

Figure 5-7. Brute force calculator (10 character key, 1M keys per second)

Figure 5-8. Brute force calculator (20 character key, 1M keys per second)

V. LIST OF ABBREVIATIONS

illustration not visible in this excerpt

1.INTRODUCTION

A decade ago hardly anyone heard of wireless internet. Today, however, the IT technology is mostly based on the wireless connection followed by the development of wireless network-enabled devices (Cache and Liu, 2010). The manufacturers of the speed network equipment generate billions of pounds, yet a worldwide usage carries a number of risks costing their business staggering amount of money and resources. In Wireless Local Area Networks (WLAN) major issues are associated with the security problems.The wireless signal of the WLAN is broadcast through the air in all directions simultaneously. An unauthorized user can easily capture this signal using freeware tools to exploit WLAN vulnerability. WLANs are increasingly used within home and business environment due to the convenience, mobility, and affordable prices for wireless devices. WLAN gives mobility and flexibility to users in homes and hot spot environments, such as airports and campuses. The wide range of usage emphasises the importance of having a secure network and protect from potential break ins. In order to do so, mostly encryptions such as WEP and WPA/WPA2 are used (Kizza, 2011). This allows the transmitted data within the network to be encrypted. Nevertheless, the fact that information is said to be encrypted, does not necessarily mean the hacking specialists can access it (Cache and Liu, 2010).

Wireless LAN networks are generally designed with emphasis on convenience rather than security. This is exactly where the problem lies. On a wireless network almost anyone with a WLAN enabled device can easily connect to and penetrate other users systems (Misic, 2008), thus research based and findings will illustrate just how easy it is to protect from malicious attacks by simply using a combination of strong encryption protocol and complex key. The author discusses the potential consequences that arise from using a weak encryption. In order to explore further the findings and results of this study a wardriving test has been conducted to critically assess the issues associated with security and to examine its current level.

This paperlooks at the security tools available for WLANs and their practicality in order to increase security awareness. It is demonstrated how to gain unauthorised access to anaverage wireless network that is using out dated security protocols like WEP. However, the main focus is on the potential risks whenusing wireless networks and ways to provide an appropriate security.

1.1 AIM AND OBJECTIVES

1.1.1 Aim

To analyse aspects of wireless LAN security and to demonstrate the effects of potential attacks on secured networks

1.1.2 Objectives

- to conduct in depth research of current wireless LAN security and potential issues associated with security
- to establish the operation issues in wireless medium and ways to minimize them
- to discover unsecured wireless access points in Southampton area using “wardrive” technique
- to conduct an experiment of breaking into networks secured by WEP and WPA
- to recommend possible solutions to improve security in WLANs

2.LITERATURE REVIEW

In this chapter, popular WLAN technologies and problems relevant to the research area are introduced. The aim is to provide an overview of wireless LAN securities and to evaluatethe WLAN security issues.

2.1 . WIRELESS LOCAL AREA NETWORK

The WLAN developments, maintenance and standard creation isprovided by the Institute of Electrical and Electronic Engineers (IEEE), which is the world’s leading professional association for the advancement of technology (IEEE, 2011). The IEEE refers to WLAN by its technical name: IEEE 802.11. 802.11 standards cover all versions of WLAN technology. There are different types of 802.11 including B, G, and N, asthe most common versions in use today (Burns, 2007). During further developments of 802.11, the IEEE Standards Boardspecified the types of security available for WLAN communication.

2.1.1 Wireless LAN Security

There are currently three main encryption technologies available to WLAN communication: WEP, WPA, and WPA2. These technologies attempt to provide Confidentiality, Integrity and Authentication (CIA Triad). However, they do not all succeed at these tasks and introduce vulnerabilities into the WLANs.

Abbildung in dieser Leseprobe nicht enthalten

Figure 2-1. CIA Triad (I.S.S.W.G, 2011)

The first protection used in 802.11 networks was Wired Equivalent Privacy (WEP). The author would like tohighlight the word "was", as 2 years later WEP encryption algorithm RC4 was broken by Fluhrer, Mantin and Shamir (2001), hence WLAN security gained a bad reputation. In 2003,Wi-Fi Protected Access (WPA) was introduced by the Wi-Fi alliance. It was not the standard but, at the time, it provided a temporary solution to wireless security. Throughout this time, institutions used VPNs as an alternative security solution to secure their wireless networks (Dowt, 2003).

Finally, in 2004, IEEE introduced very strong encryption mode called Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) with a new authentication protocol - Advanced Encryption Standard (AES) (IEEE-SA Standards Board, 2004). In result WLAN security developed into a mature and secure solution and its reputation was restored (Kizza, 2011).

2.2 . WEP – WIRED EQUIVALENT PRIVACY

WEP is the original security mechanism of the 802.11bstandard (IEEE-SA Standards Board, 2001). As the name (Wired Equivalent) suggests, its intention has never been to make WLAN a 100 per cent secure, but to provide the same security as in a wired network. WEP was built for the encryption of the network traffic, the data integrity and station authentication. These 3 core elements attempt to satisfy the security objectives Authenticity, Integrity and Confidentiality (Howard and Prince, 2010). However,Borisovet al(2001) has proved that vulnerabilities exist for each of them; therefore none of the security objectives can be reached.Despite these issues, WEP is still widely deployed, thus it is necessary to explore further its vulnerabilities.

2.2.1 WEP Security Analysis

Leading research of the insecurity of WEP was done by Walker (2000) who concluded that the WEP was unsafe at any key size and that it could not meet its design goal which was to provide data privacy to the level of a wired network. Borisovet al(2001) presented the first serious paper on WEP insecurity receivinga high volume of controversy in the press. Only a month later Fluhrer, Mantin and Shamir (FMS) (2001) published a paper called“Weaknesses in the Key Scheduling Algorithm of RC4" describing an attack on the ‘key scheduling algorithm’ used by WEP. The FMS attack was only theoretical, yet it did not take long till it got adapted into the real world. Nevertheless, it was FMS that started the downfall of the WEP. According to Gast (2005) it only tooka week for his group of students, including the delivery of the WLAN Card, to crack the WEP key. However, these tests where purely experimental and no easy-to-use tools were available to the public at the time. Yet, this soon changed when an open source tool called AirSnort was released for Linux, allowing anyone with a computer and networking knowledge to hack into a Wireless LAN (AirSnort, 2011).

The first attempt to counter this attack was made by Agere Systems, who developed more secure version of WEP called ‘WEPPlus’ or WEP+. It greatly reduces the amount of ‘weak IV’ produced bynormal WEP implementations and was released as a firmware update for their own access points(Burns, 2007). Simultaneously, Cisco (2001) decided to go for a different approach and introduced ‘Dynamic WEP Keys’ to their Aironet WLAN Products. Unfortunately, the issue with solutions discussed above is that they are vendor specific and incompatible with each other.

Matters got worse for WEP in 2004, when a hacker knows as‘Korek’ replied to a thread on the Netstumbler forum about WEP security. The attack, he described, was no longer dependent on weak IV. The ‘Korek attack’ used statistical crypto-analysis and proved to be more efficient than the FMS attack (Beaver and McClure, 2010).

In 2007, a new generation of WEP attacks was published by Tews, Weinmann, and Pyshkin. Their attack called PTW introduced new concepts, which allow breaking into WEP in less than a minute.The KoreK and PTW attacks were quickly integrated into WEP cracking and WLAN auditing tools and are now the standard for attacking WEP protected WLANs (Aircrack-ng, 2010).

2.2.2 How WEP Works

Authentication:

According to Beaver and McClure (2010) process of authentication is used to verify that a valid user is trying to connect to the network. In WEP thereare two approaches to do this: open system authentication and shared key authentication.

Open Authenticationis not really any authentication at all, because when a station wants to authenticate, the AP always accepts the request and allows a station to join the network.

Abbildung in dieser Leseprobe nicht enthalten

Figure 2-2. Open Authentication (Bel, 2009)

This is a device-based authentication scheme asthe user does not need to provide a valid user ID or password. Instead, the MAC address of the connecting node is used to identify it. Borisov (2001) in his early research highlights the possibilityto configure the MAC addresses of the permitted clients with their access points. However, this approach does not provide the desired security as it is easy to spoof an address.

Shared key Authenticationuses fourmessages (Figure 2-3). When a station requests Authentication the AP sends a challenge-text in the form of a 40 or 128-bit number. The Station encrypts this text with the WEP secret key, sends it back to the AP which decrypts the text, checks if it is the correct one and then grants access to the network.

Abbildung in dieser Leseprobe nicht enthalten

Figure 2-3. WEP authentication process (Cisco Support, 2008)

This process only authenticates the station to the access point, not the other way around; therefore a malicious AP can simply pretend that the authentication was successful without knowing the secret key (Gast, 2005).

Abbildung in dieser Leseprobe nicht enthalten

Figure 2-4. WEP one way Authentication (Bel, 2009)

WEP uses the RC4 algorithm to encrypt data messages. This algorithm uses a stream cipher meaning that every byte is encrypted individually with the WEP key. The decryption is the reverse of this process and uses the same key(Fluhreret al,2001). Usually the cipher key has 128 bit and consist of 24 bit initialisation vector (IV and 104 bit key). An IV is used to produce a single key-stream for each frame transmitted. The unique key is sent in plain text with the packet, therefore can be viewed by a packet sniffer (Lockhart, 2006). This is a major flaw of WEP encryption. As said by Flickenger (2006) the fact that the same key is used for all frames transmitted in the WLAN network it makes penetration test much easier.

2.2.3 Conclusion

WEP still provides basic security and it is integrated in most of the routers. A recent survey conducted for the purpose of this project on the Wireless security illustrates that an estimated third of the Access Points have WEP encryption enabled (Chapter 3). Ziarek (2011) confirms these findings with a survey of the security situation in Poland where he found 21 per cent of the WLANs are still WEP encrypted.

2.3 . WPA/WPA2 – WI-FI PROTECTED ACCESS

The design of WPA is based on a Draft 3 of IEEE 802.11i standard. It was proposed to ensure the release of a higher volume of security WLAN products before IEEE group could officially introduce 802.11i.Yet, major weaknesses of the WEP had already been known at the time (IEEE-SA Standards Board, 2004).

Due to those weaknesses, WPA introduced some improvements. First, WPA can eitherbe used with an IEEE 802.1x authentication server, where each user is given different keys or be used in a less secure “pre-shared key” (PSK) mode, where every client is given the same pass-phrase (Lockhart, 2006).

Due to the introduction of FMS attack in 2001 (Fluhreret al,2001), IEEE 802.11i or WPA2 standardwas released in 2004 to replace less secure WEP and WPA. The final IEEE 802.11i standard not only adapts all the improvements included in WPA, but also introduces a new AES-based algorithm considered as fully secure (CPP UK, 2010).

2.3.1 WPA/WPA2Security Analysis

An improved level of security in WLANs can be implemented using WPA based on a similar acting as WEP. However, does not include most of the flaws of the previous system. The work on the WPA started immediately after the first reports of violation of the WEP and later on was deployed worldwide (Lowe, 2010).

In the article “Don't use WEP for Wi-Fi security”Sayer (2007)measures WPA encryption as a WEP replacement which is more secure and robust to attacks, yet it is able to run on the same hardware than WEP does.Nevertheless, the WPA shared more of the flaws of the WEP. McMillan (2009) concluded that Pre-Shared Keying (PSK) is not secure and short and/or unsecure passwords are almost as disadvantageous as the WEP. Based on similar thesis Takahashi (2004) developed a tool called WPAcrack, a proof of concept which allows a brute force offline dictionary attack against the WPA. Author further concluded that the recommendation of the Wi-Fi alliance to use passwords longer than twenty characters would most likely not be executed in practice by the users of the WPA. Unfortunately, many people do not pay much attentionto establishing long passwords and the consequences it may have in the future.

In 2008 security researchers Beck and Tews (2008) announced that they had developed a “systematic way to partially crack the Wi-Fi Protected Access 2”. Before this attack, the only other known methods involved a dictionary attack against a weakly chosen pre-shared key. However, the new attack method poses a small threat to WPA2 overall as it does not work against AES – the recommended encryption method for Enterprise Wireless LAN deployments by IEEE and Wi-Fi Alliance (McMillan, 2009).

“There is no weakness in AES or the WPA2 standard based upon it. It's going to last for the next 20 years.”

(Robert Graham: Errata Security, 2008)

Kizza (2011) reviews the AES Protocol as“secure enough to meet the demands Federal Information Standards (FIPS) 140-2”, which is often demanded by institutions such as Police or Security Agencies. This new algorithm requires a separate chip for the encryption and therefore new hardware is needed (Misic, 2008).

The WPA/WPA2 are also subject to vulnerabilities affecting other802.11i standard mechanisms such as attacks with 802.1X message spoofing,first described by Arbaugh and Mishra (2001).Furthermore, Kizza (2011) noted that using the WPA2 protocol itdoes not guarantee protection against attacks such as: frequency jamming, Denial of Service or de-authentication and de-association attacks.

2.3.2 How WPA works

WPA includes two types of user authentication. One named WPA Personal with a pre-shared key mechanism similar tothe WEP and the WPA Enterprise, which uses 802.1X and derives its keys (Lockhart, 2006). Nonetheless, the main improvement of the WPA was introduction of Temporal Key Integrity Protocol (TKIP). Instead of using a pre-shared key, which creates a keystream, WPA uses a pre-shared key to serve as the seed for generating the encryption keys (Lammle, 2010).

For data encryption, the WPA uses the RC4 stream cipher with a 128-bit key and a 48-bit IV, which is similar to the WEP. However, unlike the WEP, there is a major improvement for “WPA to use the Temporal Key Integrity Protocol (TKIP), which the heart of WPA”(Lammle, 2010).Due to the similarity of the encryption process to the WEP, implementation of the WPA can be as simple as upgrading clients’ software and updating the firmware of older access points (Lowe, 2010).

2.3.3 How WPA2 works

Like WPA, WPA2 offers two security modes:

- pre-shared key authentication based on a shared secret,
- authentication by an authentication server

Pre-shared key authentication isintended for personal and small office use where an authentication server is unavailable (Lammle, 2010). Both the WPA and the WPA2 networks use a pre-shared key and are vulnerable to the dictionary attacks (Phifer, 2007). It is significant to make the secret passphrase as long and as casualas possible (at least 20 characters long) with a mix of various random characters (numbers, uppercases etc.) (Lockhart, 2006).

WPA2 also introduces the authentication of Robust Security Network (RSN). “The RSN enhances the weak security of WEP and provides better protection for the wireless link by allowing the creation of Robust Security Network Associations (RSNA) only”(Cache and Liu, 2010).

2.3.4 Conclusion

Through the improvements discussed above, WPA and WPA2 successfully provide more secure WLAN and make breaking into the network tougher.There are of course issues with TKIP (similarly to WEP) that allow small packets like ARP to be decrypted, yet there is no way to completely compromise a secure WPA key as well as it can be done with the WEP.

If the WPA is appropriately implemented and sufficiently managed, it will be a very strong security and highly difficult task ofbreaking; especially with the implementation of the AES-CCMP, whichis the most secure wireless network configuration in use today.

2.4 . SSID

A Wireless LAN is identified by its Service Set Identifier (SSID), otherwise known as “Network Name”(Lammle, 2010). Itmustbe shared by an Access point in order to authenticate clients to the network. Nowadays, most of the Access Points allow to “hide” the SSID andregard it as a secret. However, in order to operate the network, the Access Points need to answer clients with the correct SSID and this type of transmitted trafficallows possible attackers to sniff it (Lockhart, 2006). This mechanism therefore can only help to fulfil authentication in WLANs.

2.5 . MAC FILTERING

Every network card is identified by its unique MAC address. Although WLAN standard does not define Access Control, every AP nowadays implements MAC address filtering, often illustrated in the form of a simple list (Kizza, 2011). This mechanism could provide Authenticity, however MAC addresses are not as fixed as they apprear to be. In result the MAC addresses can be forged rather easily (if ‘config’ under Linux, Registry under Windows). According to Lockhart (2006) an attacker can without difficulty sniff the network traffic to see which stations are communicating in the network and can “choose” one MAC address that is allowed to access the network.He then can change it and access the network. This process is known as MAC spoofing.MAC Filtering should be used only as a small part of the security strategy.

2.6 . VPN

A different approach for securing WLANs is Virtual Private Network (VPN). This term is used to “describe a security system operating at the TCP/IP Layer” (EC-Council, 2009).

Once the flaws of the WEP were examined by Walker (2000) and first attacks were launched by Fluhreret al.(2001), institutions turned to the VPN as add-on security mechanisms. The two VPN technologies recommended by Dowd (2003), used as an example in this project, are IP Security (IPSec) and Secure Socket Layer (SSL). A strong encryption of IPSec, which is recently mainly used for the VPN, is the safest way to secure access within the AP. VPN with IPsec solution can protect users from the attacks that directly influence the confidentiality of application data but cannot prevent attacks that indirectly ruin confidentiality. Man in the middle, high-jacking and replay attacks are the best examples of these types of attacks. However, the SSL is thought to be a better solution to be used with remote users to connect to private networks as the performance limitation is minimal (Coleman, 2009). In addition, theVPN’s were not designed for wireless networks and have a negative effect on the overall throughput, thus Lockhart (2006) proposesthe VPN as a good solution if a network already implements the VPN in the wireless network as an addition.

2.7 . WIRELESS LAN ATTACKS

Many of the wireless attack tools are developed to compromise WLAN networks. The popularity and widespread use of WLAN gives the attacker a platform in which they can cause the most trouble. As other technologies gain popularity and practicality, the more attack tools are developed for those technologies.

Cache and Liu’s (2010) literature classifies wireless attacks into two main categories:

Passive attacks

- Replay attack
- Eavesdropping
- Brute force
- Brue force dictionary
- Statistical

Active attacks

- Man In the middle
- Denial of Service
- Distributed Denial of Service

Passive attacks are used to collect information like the network SSID, the type of authentication and the type of encryption. Active attacks are used to launch an attack against the wireless network.

2.7.1 Passive Attacks

In these attacks, an unauthorized user acquires access to the network data sources. There is no adjustment of message content, but it is possible to spy on the transmission. “Passive attacks are meant not to disrupt, but to acquire information flowing across the wireless network”(Cache and Liu, 2010).The freeware program “inSSIDer” is a popular wireless program that is commonly used to locate wireless networks (Hurley et al, 2007). It can identify the Service Set Identifier (SSID), determine the encryption used, and even determine the manufacturer of the access point. This information is further used by tools such as Airodump-ng to capture required data

2.7.1.1 Replay attack:

In this type of passive attack, the attacker intercepts or eavesdrops on the data channel. The attacker does not do anything to compromise the systems at first, but can resend altered messages to an authorized user pretending to be the system host(Hurleyet al, 2007).

2.7.1.2 Eavesdropping:

This is a passive attack in which the hacker listens to all the network transmissions in an effort to acquire information travelling from one wireless workstation to the access point.

2.7.1.3 Brute force attacks

These attacks attempt to break the encryption of captured traffic through brute force, trying every possible key combination. A particularly popular type of brute-force attack is the dictionary attack, also called the “offline” dictionary attack (Hurleyet al, 2007). For example, if the secret passphrase is “sausages,” a dictionary attack would attempt different commonly used words in encryption and compare the result with the captured traffic. When there is a match (in this case, “sausages”), the key is cracked.

WPA/WPA2 networks use a pre-shared key which is vulnerable to this attack. In fact, the dictionary attack is the only known cryptographic vulnerability of WPA/WPA2-PSK networks (Aircrack-ng, 2010; Cache and Liu, 2010).

2.7.1.4 Statistical attacks

These attacks exploit flaws in the encryption methods to crack the key from captured traffic. The most widely known static attacks are the WEP attacks FMS, KoReK, and PTW. WPA and WPA2 networks are currently assumed to be immune from these attacks (Aircrack-ng, 2010).

2.7.2 Active Attacks

Active attacks are attacks which not only receive wireless traffic but also transmit wireless traffic, taking an active role in the targeted wireless network. Unauthorized access, spoofing, and denial of service attacks can be considered to be active attacks (EC-Council, 2010). Assuming that the attacker has gained enough information from the passive attack, he can then produce an active attack. In contrast to passive attacks, active attacks can be prevented.(Hurleyet al, 2007).

2.7.2.1 Denial of Service

Denial of Service attacks attempt to deny service to the users. Over a wireless network, these attacks can be identical to their wired equivalents and include ping floods, ARP attacks, and Distrbuted DoS (DDoS) attacks (Cache and Liu, 2010).Open and WEP secured networks are vulnerable to this denial of- service attacks, as can be easily accessed.Fortunately, WPA/WPA2 based networks are protected from active DoS attacks. However, WPA networks can be vulnerable to another version of the DoS attack. (Howard et al, 2010)

Another form of a denial of service attack is the disconnecting legitimate users by sending false disassociation frames. When the access point receives these frames, it will disconnect the “supposed” sender from the network. (Howard et al, 2010).

2.7.2.2 Man-in-the-middle

Man in the Middle attacks are a class of attacks that set up illegal access points within range of wireless clients for the purpose of acting as a “middle man”.(Cache and Liu, 2010). When clients see the rogue access point,the SSID matches the legitimate access point and they mistakenly join it instead of the true access point (Hatch, 2008). Once the attacker is connected to the networkcan use tools like Ettercap, or other Man-in the-Middle tools to capture sensitive information. (Hurleyet al, 2007).

3.METHODOLOGY

The main approach used in this project is the comparative approach such as a comparison of the security features and the performance characteristics of different security technologies. Therefore, understanding of the concepts, architectures and practicalities of various WLAN systems and security measures arenecessary to ensure the experiment adequacy.

WLAN security was thoroughly researched, explainedin the form of the Literature Review and demonstrated in experimental section of this project. Since the WEP has the greatest number of vulnerabilities, the WEP is where the main focus is directed. WPA finds its interest since it replaces the WEP in many circumstances, yet it can still be insecure. Thus, the investigation and testing of WPA and WPAv2 is documented.

The Project has two distinct phases: Research and Practical Experimentation.

3.1 RESEARCH METHODOLOGY

Research area covered a wider range of encryption/authentication methods including the WEP, WPA and the WPA2,to provide a theoretical comparison of their contrasting ability to prevent penetrating. As the WEP has been in the news headlines in the past decade, the information on insecurities of the WEP wereeasy to find. The WEP was ideal as a case study to explorethe reasons of the WEP failure and examples of the solid WLAN securities.

The research findings were refined into a first, rough Project Definition Report (Appendix F). In the next phase a series of questions that needed to be answered in the process of the literature review were developed. Moreover, Project Review report was created (Appendix G) demonstrating the progress made during the previous stages of the final year project, indicating further development and narrowing the research area.

3.2 EXPERIMENTAL METHODOLOGY

The main methodology for producing a final report was based on experiments. This methodology was chosen as the WLAN security can be highly theoretical to understand and explore. By adding practical baseto the project, it evolved into enjoyable learning curve that can be applied in the future.

To get an insight into the real-world wireless security statistics, the author attempted to demonstrate that a large number of networks still use inadequate protection by performing a network discovery (wardriving) experiment within a randomly selected areaof Southampton City.The findings can be found in Chapter 4.

The next experimental phase of the project simulates breaking the WEP and the WPA encryption and gaining access to a test network. A range of penetration attack strategies wereshown and attached within the appendices B, C and D. To minimise the level of difficulty in completing the project,early testing was performed using several Windows and Linux based software tools in early stage of implementation. However, it quickly led to the conclusion that Windows tools are very limited in capabilities. For instance, unless operating in very controlled circumstances, it is nearly impossible to perform packet injection (ARP Replay Attack). According to an extensive research, particularly from Lockhart textbook and the WLAN hacking related forums, an informed decision has been made to perform a penetration attack using Aircrack software suite designed for Linux. Therefore, BackTrack distribution of Linux was used as it includes the most suitable tools to perform the experiments. The results from the experimentation are included in Chapter 5.

3.3 . PLANNING AND MONITORING

A project of this size requireda careful and precise planning process, which isillustrated in a Gantt chart (Appendix A). Specific milestones have been indicated on the included Gantt chart to designate successful completion of each phase. Additionally, percentage of task completion was updated so the achievements were clearly visible in the progress of the report and the Gantt chart dictated the plan for the next period.

In order to compensate for the unpredictable occurrences, the plan includeda contingency time of an extra day every two weeks. Extra time was absolutely essential to the progress of the project.

To keep an updated log of the process a log book was used. This helped to focus on the project and keep track of the progression. Particularly useful were mind maps and personal notes allowing greater precision and exploration of ideas from a variety of angles.

Following the theoretical research, the author dedicatedtime to conducting initial practical experimentation. This enabled the author to have a better understanding of the time that would likely be required to complete each stage.

Although not anticipated in the original plan it quickly became apparent that the author has underestimated the level of skills required and the complexityof the Linux Operating System.

It had an impact on the overall time scale of the project. The time was consumed to solve issues with hardware compatibility in terms of driver availability influencing the choice of specific OS distribution.

At the end of the project, the motivation levels were quite low. To counter this problem a checklist was used. It contained all tasks that still needed to be done divided into must haves, should haves and could haves. Every time a task was finished, it was crossed out and the more tasks were crossed out the higher was the motivation.

3.4 . RISK ASSESSMENT

Several risk factors were assessed in early stage of the project in order to compensate unpredictable issues with implementation and testing.

Complexity

- Performing several tasks, including Packet Injection,during the practical phase may require more time than anticipated as very specific network conditions are needed.
- To compensate for this, considerable research has been performed and many technical resources have been identified.

Compatibility

- Despite significant research, a potential issue could still arise from compatibility between the chosen operating system and someof the acquired software tools.This may only become obvious at the time of use.
- To compensate, there is a variety of choice amongst Linux OS distributions. Windows based testing is also a possibility.

Equipment Failure

- The project depends upon reliable operation of a specialist wireless network card which is only available via mail order. The impact of equipment failure could result in up to a week of lost time.
- To compensate, the author has acquired another suitable but not identical wireless network card

3.5 . CONCLUSION

There were several expected outcomes hoped to be achieved as a result of using this method and approach. The research approach aimed to raise the awareness of security issues, especially those related to the wireless LAN security. It is suggested that a reader will understand that every technology has its flaws and vulnerabilities, and often it is up to the users of technology to be aware and take actions to rectify and to use these technologies consequently.

4.WIRELESS NETWORK SECURITY SURVEY: WARDRIVING

4.1 . INTRODUCTION

Hurleyet al(2007) describe Wardriving as “the act of moving around a specific area and mapping the population of wireless access points for statistical purposes”. These statistics are then used to raise awareness of the security problems. The term Wardriving has been coined by Peter M. Shipley, who was the first to automate the process of Wardriving in 2001 (Hurley et al, 2004). In his observations of the San Francisco Bay Area he found only 15-30 per cent of the Access Points to be encrypted.

In this chapter data collected by the author is analysed. The aim is to demonstrate the security awareness of WLANs in Southampton area. In the first section, the methodology used to capture and analyse the data is discussed. In the following sections, the data is analysed and finally conclusions are given.

4.2 . METHODOLOGY

Data was captured by conducting a wardrive and capturing available WLANS in randomly chosen area of Southampton using a powerful wardriving tool, inSSIDer (Figure 1).

Abbildung in dieser Leseprobe nicht enthalten

Figure 4-1. InSSIDer Main Window (Screenshot taken during experimentation)

Data was collected usinga laptopequipped withthe wireless network cardandantenna. InSSIDer was actively searchingforavailable wireless networks, givingsignificantinformation: the name of theSSID, the standard802.11b, g or nconnection type(infrastructureorad hoc), signal strength, noise level, and perhapsmost importantly-security level(noneorWEP/WPA / WPA2).However, itdid notshowwhether theMAC filtration is applied. Research was conductedin a carwith a computerpositionedon thepassenger seat. In later stage of the experiment the author acquired an Alfa External Network card and USB GPS device which allowed for more precise collection of data as it contain high gain omnidirectional antenna.

[...]