CHAPTER 1 – INTRODUCTION
Wireless networking began as a research project carried out by the University of Hawaii. Initially it was called ALOHAnet, but it later came to be called a Wireless Local Area Network, or WLAN. At the beginning, ALOHAnet was capable of transferring 1 to 2 Mbps of data.
Over the years ALOHAnet evolved into WLAN, which brought many enhancements to the initial technology.
Nowadays wireless networks have become more popular than wired networks. The main reasons are their high portability and flexibility, increased productivity, and lower installation cost.
Wireless network devices let users move their laptops from one place to another without worrying about their network connectivity. Minimising the wiring gives maximum flexibility over the network and reduces the cabling cost of the whole network infrastructure.
However, when it comes to security, wireless networks are more vulnerable to attack by outsiders than wired networks. The main reason is that anyone within range can see a wireless network and make an initial connection to it, whereas establishing the initial connection to a wired network is considerably more difficult.
Losses of confidentiality such as password cracking and man-in-the-middle attacks are typically associated with wireless networks; put another way, this kind of attack is easier to carry out against a wireless network than against a wired one.
Even though wireless networks have these problems, the concept has not failed: a wireless network can be protected to a very high degree and made secure against unauthorised users and attackers.
Configuring wireless devices correctly and accurately can minimise attacks. This topic is discussed later in this document.
Breaking wireless protocols is the main objective of this project; WEP, WPA and WPA2 are my main focus. The goal of this research is therefore to break the wireless protocol and obtain data from the wireless devices and the network.
1.2.1 Comparison of Available Hacking Tools
There are many tools that can be used to hack a wireless protocol. Some of them are very user friendly: we can install them on Windows-based systems and they do the work very easily. Those tools are entirely graphical and very easy to use; the Windows version of Aircrack-ng is a common example.
Other tools require some technical knowledge. They mainly run in command-line mode on Linux, provide no graphical user interface, and are somewhat difficult to learn without proper guidance. However, their final results are more accurate than those of the Windows versions.
The major difference between these two types of tool is that the software that runs on Linux is more accurate than the Windows versions, so I have decided to use the Linux hacking software to carry out my testing.
To hack a wireless network we need to download several pieces of software from the internet, install them on a Linux machine and then start the research. But I think it is much easier to use a single operating system rather than struggling with lots of separate software packages, so I decided to download the latest version of the well-known hacking operating system "BackTrack". It has built in all the hacking tools needed to hack a wireless network.
1.2.2 Downloading Related Software
BackTrack is free to download and open source. Anyone can download it from its developers' web site www.backtrack-linux.org for free. I have downloaded the latest version, BackTrack 4, to carry out my research. BackTrack is discussed further in later chapters.
1.2.3 Cracking WEP Using Aircrack-ng
To crack a WEP password I have chosen a few tools, all part of the BackTrack 4 hacking operating system, which has every tool needed to crack a WEP network. Airodump-ng can be used to gather information about the wireless network, and Aircrack-ng can then be used to crack the password.
1.2.4 Cracking WPA Using Aircrack-ng
We can use the same process to crack WPA with Aircrack-ng. As with WEP, I am going to use Airodump-ng and Aireplay-ng to collect all the information about the wireless network, and Aircrack-ng to decrypt the password.
1.2.5 Cracking WPA2 Using Cowpatty
Here I am going to use a dedicated cracking tool for WPA2: Cowpatty. Cowpatty is a bit different from Aircrack-ng, and it is specifically designed to crack WPA and WPA2 passwords.
All of these tools are built into the BackTrack 4 Linux-based operating system, so I do not need to download them separately from the internet.
1.3 Dissertation Structure
This document is divided into 4 main chapters, covering all the practical and theoretical concepts.
Chapter 1: Introduction
In this section I give an introduction to what a wireless network is, how wireless networking began, and the basic problems wireless networks face. The second section explains the overall research aims and objectives.
Chapter 02: Literature Review
This chapter contains all the theoretical information relating to my research. Here I discuss wireless networks and their types, wireless network devices, the security methods WLANs use, WLAN security protocols, an in-depth discussion of WEP, WPA and WPA2, protocol hacking tools such as Aircrack-ng and Cowpatty, and the methods those tools use, e.g. dictionary attacks and brute-force attacks.
Chapter 03: Methodology
Here I present the practical work carried out over the course of my research. Installing the hacking OS, using the hacking tools, the problems faced throughout the project and the final results are my main concerns.
Chapter 04: Result and Discussions
In this section I compare all the results gained over the course of the project.
Chapter 05: Conclusions
This chapter gives my conclusions from the research. Here I plan to compare my final results against the objectives set out in my initial project proposal.
CHAPTER 02 – Literature Survey
2.1 Wireless Networks
Wireless networks enable devices to communicate without any physical medium. They are divided into three main categories according to their coverage: Wireless Local Area Networks, Wireless Wide Area Networks and Wireless Personal Area Networks.
A Wireless Wide Area Network has larger coverage than a WLAN or WPAN. WWANs use 2G or 3G cellular networks to connect every device in the network. A WLAN is a local area network connected through a wireless access point or wireless router, including 802.11 networks. A WPAN is a small network topology that includes Bluetooth and infrared technologies.
2.1.1 Wireless Local Area Networks
As mentioned earlier, wireless LANs offer more portability and flexibility than traditional wired local area networks. In a WLAN, all the computers and other devices connect to each other through wireless access points (APs), and the access points communicate with the wireless network adaptors fitted to the computers. An access point normally has a coverage area of up to 75-100 metres; within that area users can move their laptops and other wireless devices while maintaining their network connections. Access points can be connected together to expand the wireless LAN's coverage.
Wireless LANs are discussed in more detail in later chapters of this thesis.
2.1.2 Wireless Wide Area Networks
This is the most familiar wireless network type for most people. These networks are combinations of several WLANs, in which antennas act as the access points for all the WLANs, and antenna-to-antenna links expand the service area of the network.
Mobile phone networks are also a good example of WWANs.
2.1.3 Wireless Personal Area Networks
These networks are much smaller than the other two types and do not give as much coverage as the two network types discussed earlier. A WPAN does not require a central access point to connect WPAN devices: the source device connects directly to the other WPAN device when it needs to transfer data.
2.2 Wireless Local Area Networks
This is the most important topic of my thesis and is discussed throughout the project. As stated in my objectives, I am going to analyse the security of WLANs and break several WLAN protocols. Before that we need a clear idea of what a WLAN is and how it operates.
A WLAN is the same as a wired local area network; the only difference is that it uses a wireless method to connect all the devices. A WLAN consists of client stations and a wireless access point.
The client station connects to the AP (access point) using a wireless network adaptor, which can be attached to the computer through a Personal Computer Memory Card International Association (PCMCIA) slot or a USB port.
IEEE 802.11 is the standard for WLAN technology. The coverage of the wireless network relies entirely on the signal strength of the wireless access point; normally it can cover a circular area of up to 75-100 metres.
2.2.1 Architecture of 802.11 Standards
This architecture allows a peer-to-peer connection to be initiated between a client station and the wireless network through an access point in an infrastructure network (WLAN). The coverage area of an access point is called a "cell"; a cell is also called a "Basic Service Set" (BSS). The collection of cells in the infrastructure network is called an Extended Service Set (ESS). Any access point that works with the 802.11 standards has these two data sets for its functionality.
The BSS is the most important data set in the access point. It contains all the information about the wireless network and is the security key negotiation protocol of the access point. The BSS consists of the AP's hardware name, communication protocol information, signal strength etc.
The access point is identified in the WLAN by a specific identifier called the "Basic Service Set Identifier" (BSSID). When a laptop or any other wireless device needs to connect to the wireless network via an access point, the guest station (e.g. the laptop) searches for the available access points in the area by sending out discovery packets. If any access points are available, they respond to the guest station by sending their BSSID.
Normally the BSSID is in a human-readable format; technical staff also call it the "AP name" or "router name". This identifier always represents a specific access point, so each access point in the network has its own BSSID.
The BSSID is very important for accomplishing the main objective of this project: we need to retrieve the router's BSSID before we can crack its password. The retrieval methods are discussed in later chapters.
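To make the discovery step concrete, the following Python code is an added example (not code from the dissertation, from BackTrack or from any of the tools named in it) that builds and parses the two 802.11 management frames involved: the probe request a station broadcasts as its "discovery packet" and the probe response the access point sends back. All MAC addresses, the network name "ExampleNet" and the channel number are constructed sample values. The parser shows where the BSSID travels in the frame (the third address field of the header) and where the network name travels (the SSID information element); fed real captures, the same parsing is what a wireless intrusion detection system uses to keep an inventory of the access points it hears.

```python
import struct

# Constructed sample values for this example (not from the dissertation).
BROADCAST = b"\xff" * 6
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")

# 802.11 management frame subtypes and information element tags used here.
SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 4, 5, 8
IE_SSID, IE_RATES, IE_DS_PARAM = 0, 1, 3


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ie(tag: int, value: bytes) -> bytes:
    """Information element: 1-byte tag, 1-byte length, value."""
    return bytes([tag, len(value)]) + value


def build_mgmt_frame(subtype: int, addr1: bytes, addr2: bytes, addr3: bytes, body: bytes) -> bytes:
    """Management frame header: frame control (protocol version 0, type 0 = management,
    given subtype), duration, addr1 (receiver), addr2 (transmitter), addr3 (BSSID),
    sequence control; the body follows."""
    frame_control = bytes([(subtype << 4) | (0 << 2) | 0, 0x00])
    return frame_control + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body


def parse_ies(data: bytes) -> dict:
    """Walk the tag/length/value list at the end of a management frame body."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        ies[tag] = data[i + 2 : i + 2 + length]
        i += 2 + length
    return ies


def parse_mgmt_frame(frame: bytes) -> dict:
    """Extract subtype, addresses, BSSID, SSID and channel from a management frame."""
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0:
        raise ValueError("not a management frame")
    info = {
        "subtype": subtype,
        "dst": mac_str(frame[4:10]),
        "src": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),  # addr3 carries the BSSID in these frames
    }
    body = frame[24:]
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        # Fixed fields first: timestamp (8), beacon interval (2), capability (2).
        info["beacon_interval"] = struct.unpack_from("<H", body, 8)[0]
        ies = parse_ies(body[12:])
    elif subtype == SUBTYPE_PROBE_REQ:
        ies = parse_ies(body)  # probe requests have no fixed fields
    else:
        ies = {}
    info["ssid"] = ies.get(IE_SSID, b"").decode("utf-8", errors="replace")
    if IE_DS_PARAM in ies and len(ies[IE_DS_PARAM]) == 1:
        info["channel"] = ies[IE_DS_PARAM][0]
    return info


def discovery_exchange():
    """Simulate the exchange described in the text: the station broadcasts a probe
    request with an empty (wildcard) SSID; the AP answers with a probe response
    that names itself in addr3 (BSSID) and the SSID element."""
    rates = ie(IE_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))  # 1, 2, 5.5, 11 Mbps (basic)
    probe_req = build_mgmt_frame(
        SUBTYPE_PROBE_REQ, BROADCAST, STA_MAC, BROADCAST, ie(IE_SSID, b"") + rates
    )
    probe_resp = build_mgmt_frame(
        SUBTYPE_PROBE_RESP, STA_MAC, AP_MAC, AP_MAC,
        struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval 100 TU, capability
        + ie(IE_SSID, b"ExampleNet") + rates + ie(IE_DS_PARAM, bytes([6])),
    )
    return parse_mgmt_frame(probe_req), parse_mgmt_frame(probe_resp)


if __name__ == "__main__":
    req, resp = discovery_exchange()
    print("probe request :", req)
    print("probe response:", resp)
```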
2.2.2 Advantages of WLANs
The advantages are the following.
- Increased mobility – users can be mobile while accessing all the network resources.
- Fast installation – installing the network is very quick since there is no cabling to add, unlike a wired network.
- Flexibility – anyone can easily install and uninstall a small wireless network.
2.2.3 Wireless Protocols Used in Wireless Networks
There are three main wireless security protocols used by 802.11x wireless networks. They are:
Wired Equivalent Privacy –
This protocol primarily protects WLAN users from eavesdropping. WEP uses a 64-bit RC4 key to generate the encrypted data, which is then transferred over the network.
Wi-Fi Protected Access –
This was introduced by the Wi-Fi Alliance to overcome certain restrictions of WEP. It uses the Temporal Key Integrity Protocol (TKIP) to encrypt the wireless data packets.
Wi-Fi Protected Access Version 2 –
This is the latest development in wireless LAN protocols. The only difference is that WPA2 introduces the AES algorithm, making it much more secure than WPA.
These three protocols are widely used in wireless networks. Each has significant advantages and disadvantages. In the following sections I illustrate the features, advantages and disadvantages of each protocol.
2.2.4 Wired Equivalent Privacy (WEP)
WEP is an authentication protocol used in 802.11 wireless networks to secure all transmitted data. The protocol was introduced in 1997, and its main intention was to give the data confidentiality at least equivalent to that of a wired network. Any wireless network that uses WEP encrypts its data packets with an RC4 cipher stream generated from a 64-bit RC4 key.
IEEE 802.11 has a few basic security features. These address the main security concerns of a wireless environment, and all of them are embedded in the wireless network protocols. The basic security concerns of a wireless network are the following.
Authentication is the main goal of the wireless protocols. It means identifying the client station by means of a password; if a client station fails to meet this requirement, the AP denies it access.
Integrity means that the data should not be changed while it is transmitted from and/or to the AP, i.e. the data should not fall victim to an active attack.
Confidentiality means that the protocol should protect all the data elements that are transmitted; in other words, the data should not fall victim to passive attacks.
802.11 networks have two kinds of authentication method, "Open System Authentication" and "Shared Key Authentication":
Open System Authentication – any client station can join the network without authentication.
Shared Key Authentication – the station must provide the network password in order to join.
Open System Authentication does not use any cryptographic password to gain access to the network; any client station can connect and use the network resources. An example is the internet facility in public locations such as airports or bus stations, where anyone can connect their laptop or PDA to the wireless access point and start browsing the internet. No password at all is required to log in to the network.
In the open system method, the client station sends its MAC address to the access point merely as a reference, and the AP then makes that client a member of the AP's network. The major problem with this authentication mode is that it is vulnerable to attack.
Shared Key Authentication is a password-based authentication model. The client must have the password to connect to the AP. When the client sends the AP a request asking to connect, the AP generates a challenge and sends it to the client station. If the client station responds to that challenge correctly, the AP permits it to become a member of the wireless network. Figure 2.7 illustrates Shared Key Authentication.
Figure 2.7: Shared Key Authentication (final step: confirm the result)
The 802.11 standards are also concerned with the integrity of the transmitted data, and always check whether the data content was changed during transmission. They use a Cyclic Redundancy Check (CRC) to check the data content. Once the CRC has been computed, the data is encrypted with the RC4 key stream. At the receiving end the data is decrypted and the CRC is checked again to verify the data's integrity. If the CRC value computed at the receiving end does not match the original CRC value, the data is rejected and retransmission is required.
WEP uses a stream cipher to encrypt all the data. It expands a short key into a pseudo-random key stream. The sender combines the plaintext with the key stream derived from the short key and produces the ciphertext. The receiver holds the same short key to decrypt the data: once the data stream is received, the recipient uses the short key to turn the ciphertext back into plaintext.
If even one data bit is lost on its way to the destination, the decryption process turns the data into incorrect information. To guard against this, WEP includes the "Cyclic Redundancy Check" to maintain message integrity.
The 802.11 standards use cryptographic techniques to provide privacy. They use RC4 symmetric keys to protect the data, and normally support different cryptographic key lengths to protect the data from attack.
Generally, WEP supports a 40-bit cryptographic key size for the shared key, but numerous vendors support other key sizes such as 104 bits and 128 bits. Increasing the key size increases the security of the cryptographic technique.
2.2.4.1 Problems with WEP
Even though WEP has many security measures to protect the transmitted data, it has a few failings. These failings open the way for an attacker to break WEP's security, so that data transmitted using WEP loses its integrity and privacy.
2.2.4.1.1 Shared WEP Key
WEP uses a single security key to access the network, so this key has to be distributed to all the users who access the network. The key can therefore very easily reach an attacker who is trying to gain access to the network.
2.2.4.1.2 WEP Key Size
As mentioned earlier, WEP uses a 40-bit cryptographic key. This key can be cracked very easily and quickly, so the encryption key is not sufficient to provide good security for the data.
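The WEP mechanism described in 2.2.4, worked through as an added Python example (not code from the dissertation, nor from Aircrack-ng or any other tool it names): RC4 seeded with IV || key, the CRC-32 integrity check value (ICV) appended before encryption, the receiver's recomputation of the CRC, and the transmission-error case the text describes. The last function checks the algebraic property of CRC-32 that explains why the ICV detects accidental damage but cannot authenticate the data, which is the gap TKIP's Michael MIC was later added to close. The 40-bit key, 24-bit IV and message are constructed sample values.

```python
import struct
import zlib

# Constructed sample values for this example (not from the dissertation):
# a 40-bit shared key plus a 24-bit IV, i.e. the "64-bit WEP" configuration.
WEP_KEY = bytes.fromhex("0102030405")
SAMPLE_IV = bytes.fromhex("a1b2c3")


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then the output generator. WEP seeds it with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_protect(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Sender side: append the CRC-32 ICV, XOR plaintext||ICV with the RC4 key
    stream generated from IV || key, and prepend the IV in the clear."""
    icv = struct.pack("<I", zlib.crc32(plaintext))
    keystream = rc4_keystream(iv + key, len(plaintext) + len(icv))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext + icv, keystream))
    return iv + ciphertext


def wep_unprotect(key: bytes, frame: bytes):
    """Receiver side: regenerate the key stream from the transmitted IV, decrypt,
    split off the ICV and recompute the CRC. Returns (plaintext, icv_ok)."""
    iv, ciphertext = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + key, len(ciphertext))
    decrypted = bytes(c ^ k for c, k in zip(ciphertext, keystream))
    plaintext, icv = decrypted[:-4], decrypted[-4:]
    icv_ok = struct.unpack("<I", icv)[0] == zlib.crc32(plaintext)
    return plaintext, icv_ok


def corrupt_in_transit(frame: bytes, bit: int) -> bytes:
    """Model the transmission error the text describes: one ciphertext bit flipped on the air."""
    buf = bytearray(frame)
    buf[3 + bit // 8] ^= 1 << (bit % 8)  # offset past the 3 clear IV bytes
    return bytes(buf)


def crc32_is_affine(a: bytes, b: bytes) -> bool:
    """For equal-length inputs, crc(a XOR b) == crc(a) XOR crc(b) XOR crc(all zeros).
    A checksum with this property is an error detector, not an authenticator:
    nothing secret is involved, so only a keyed integrity code (Michael in TKIP,
    CBC-MAC in CCMP) ties the check to knowledge of a key."""
    assert len(a) == len(b)
    x = bytes(p ^ q for p, q in zip(a, b))
    return zlib.crc32(x) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(bytes(len(a)))


def demo() -> dict:
    message = b"hello wlan"
    frame = wep_protect(WEP_KEY, SAMPLE_IV, message)
    recovered, icv_ok = wep_unprotect(WEP_KEY, frame)
    _, damaged_icv_ok = wep_unprotect(WEP_KEY, corrupt_in_transit(frame, 13))
    return {
        "frame_len": len(frame),            # 3 (IV) + 10 (data) + 4 (ICV)
        "roundtrip": recovered,
        "icv_ok": icv_ok,
        "damaged_icv_ok": damaged_icv_ok,   # single-bit error: always caught by CRC-32
        "crc_affine": crc32_is_affine(message, b"HELLO WLAN"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```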
2.2.5 Wi-Fi Protected Access
This is a WLAN protocol created by the Wi-Fi Alliance in response to several weaknesses of the WEP protocol. WPA has some advanced features compared with WEP. To get the optimum performance from WPA,
The WPA protocol implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. Specifically, the Temporal Key Integrity Protocol (TKIP) was brought into WPA. TKIP could be implemented on pre-WPA wireless network interface cards that began shipping as far back as 1999 through firmware upgrades. Because the changes required fewer modifications on the client than on the wireless access point, most pre-2003 APs could not be upgraded to support WPA with TKIP. Researchers have since discovered a flaw in TKIP that relied on older weaknesses to retrieve the key stream from short packets to use for re-injection and spoofing. [wiki/WPA]
2.2.5.1 Features of WPA
WPA uses the Temporal Key Integrity Protocol (TKIP) as its key management and encryption system. WPA performs data encryption and decryption on the basis of TKIP, using 128-bit encryption with the RC4 cipher.
2.2.5.2 Temporal Key Integrity Protocol
TKIP, together with WPA, introduced three security features to overcome some of the security issues of WEP networks. First, TKIP mixes the security key with the initialisation vector before passing it to the cipher routine, in this case RC4; this avoids certain key attacks that affected WEP. Second, WPA protects the data packets against replay attacks by adding a sequence counter to the data stream. Finally, it implements a message integrity check called the "MIC" to check the consistency of the data stream.
As mentioned earlier, TKIP uses Rivest Cipher 4 (RC4) as its cipher. Rekeying is also an important feature of TKIP, and the most important feature is that TKIP always ensures data is sent with a unique encryption key.
But in certain situations it uses the same mechanism as WEP, so TKIP is also vulnerable to some of the attacks that WEP faces. However, the further developments of the Message Integrity Check, per-packet key hashing and the sequence counter prevent those attacks successfully.
The best thing is that TKIP resolves most of the problems that came with WEP. The next section discusses this.
2.2.5.3 Michael Message Integrity Code
Unlike WEP, WPA uses a special feature to check the integrity of the transmitted message. This is called the Message Integrity Code (MIC), also known as Michael. It is a short cryptographic checksum used to authenticate a message, also known as a Message Authentication Code (MAC).
This is a 64-bit algorithm that defends against several types of attack, such as splicing attacks, payload truncation and fragmentation attacks.
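The Michael algorithm itself, as an added Python example (not code from the dissertation or from any WPA implementation): the 64-bit key is read as two 32-bit little-endian words, the message is padded with 0x5a and four to seven zero bytes to a multiple of four, and each 32-bit word is mixed in through the block function of rotates, byte swaps and modular additions specified for TKIP. The TKIP wrapper computes the tag over destination address, source address, priority and the payload, which is what lets it catch the splicing and address-rewriting cases mentioned above. The MIC key and addresses are constructed sample values; the zero-key, empty-message check in the test is the first published Michael test vector.

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rol32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror32(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x: int) -> int:
    """Swap the two bytes within each 16-bit half: 0xAABBCCDD -> 0xBBAADDCC."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _michael_block(l: int, r: int):
    """One application of the Michael b() function; all additions are mod 2^32."""
    r ^= _rol32(l, 17)
    l = (l + r) & MASK32
    r ^= _xswap(l)
    l = (l + r) & MASK32
    r ^= _rol32(l, 3)
    l = (l + r) & MASK32
    r ^= _ror32(l, 2)
    l = (l + r) & MASK32
    return l, r


def michael(key: bytes, message: bytes) -> bytes:
    """Michael MIC: 64-bit key, 64-bit tag. Padding is a single 0x5a byte followed by
    4..7 zero bytes so the padded length is a multiple of 4."""
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l, r = struct.unpack("<II", key)
    padded = message + b"\x5a" + bytes(4 + (-(len(message) + 1)) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _michael_block(l, r)
    return struct.pack("<II", l, r)


def tkip_mic(key: bytes, dest: bytes, source: bytes, priority: int, payload: bytes) -> bytes:
    """TKIP computes Michael over DA || SA || priority || 3 zero bytes || MSDU, so the
    tag covers the addresses as well as the data."""
    return michael(key, dest + source + bytes([priority, 0, 0, 0]) + payload)


def tkip_mic_verify(key, dest, source, priority, payload, tag) -> bool:
    return hmac.compare_digest(tkip_mic(key, dest, source, priority, payload), tag)


# Constructed sample values for this example (not from the dissertation).
MIC_KEY = bytes.fromhex("0f0e0d0c0b0a0908")
DA = bytes.fromhex("001122334455")
SA = bytes.fromhex("66778899aabb")


def demo() -> dict:
    payload = b"GET / HTTP/1.1"
    tag = tkip_mic(MIC_KEY, DA, SA, 0, payload)
    return {
        "tag_len": len(tag),
        "genuine": tkip_mic_verify(MIC_KEY, DA, SA, 0, payload, tag),
        "payload_changed": tkip_mic_verify(MIC_KEY, DA, SA, 0, b"GET /x HTTP/1.1", tag),
        "source_rewritten": tkip_mic_verify(MIC_KEY, DA, bytes(6), 0, payload, tag),
        "wrong_key": tkip_mic_verify(bytes(8), DA, SA, 0, payload, tag),
    }


if __name__ == "__main__":
    print(michael(bytes(8), b"").hex())  # standard test vector for key 0, empty message
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Michael was designed to run on the weak WEP-era hardware the text mentions, so it is deliberately lightweight; TKIP compensates by triggering countermeasures (rekeying and a pause) when two MIC failures are seen within a minute, which is why MIC failure counters are worth monitoring on a TKIP network.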
2.2.5.4 Extensible Authentication Protocol (EAP)
EAP is an authentication method widely used in wireless networks. It was not specifically designed for wireless networks and can be used for authentication in wired networks as well.
EAP is used to transmit the packets containing authentication information. WPA and WPA2 networks support five EAP authentication mechanisms as their authentication standards: EAP-TLS, EAP-SIM, EAP-AKA, PEAP and LEAP.
EAP-Transport Layer Security is a well-known protocol for wireless communication. TLS provides very strong confidentiality for the user credentials, and EAP-TLS uses a PKI to secure the communication between the AP and the RADIUS server.
EAP-TLS is the original, standard wireless LAN EAP authentication protocol. Although it is rarely deployed, it is still considered one of the most secure EAP standards available and is universally supported by all manufacturers of wireless LAN hardware and software. [Wiki/EAP]
A compromised password is not enough to break into EAP-TLS enabled systems because the hacker still needs to have the client-side private key. The highest security available is when client-side keys are housed in smart cards. This is because there is no way to steal a certificate’s corresponding private key from a smart card without stealing the card itself. [Wiki/EAP]
EAP for Subscriber Identity Module (EAP-SIM) is used for authentication and session key distribution using the Global System for Mobile Communications (GSM) SIM. [Wiki/EAP]
EAP for Authentication and Key Agreement (EAP-AKA) is used for authentication and session key distribution using the Universal Mobile Telecommunications System (UMTS). [wiki/EAP]
PEAP is a joint proposal by Cisco Systems, Microsoft and RSA Security as an open standard. It is already widely available in products, and provides very good security. It is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication. [Wiki/EAP]
There were two PEAP sub-types certified for the updated WPA and WPA2 standard. They are:
The terms PEAPv0 and PEAPv1 refer to the outer authentication method, the mechanism that creates the secure TLS tunnel to protect subsequent authentication transactions. EAP-MSCHAPv2, EAP-GTC, and EAP-SIM refer to the inner authentication method which facilitates user or device authentication. [Wiki/EAP]
The Lightweight Extensible Authentication Protocol (LEAP)
LEAP is a proprietary EAP method developed by Cisco Systems prior to the IEEE ratification of the 802.11i security standard. [Wiki/EAP]
LEAP uses a modified version of MS-CHAP, an authentication protocol in which user credentials are not strongly protected and are thus easily compromised. Along these lines, an exploit tool called ASLEAP exists. [wiki/EAP]
2.2.6 Wi-Fi Protected Access 2
WPA2 implements the IEEE 802.11i standard in the same way as WPA. WPA2 supports the Advanced Encryption Standard (AES) as its encryption cipher, an encryption standard adopted by the US government. Three block cipher variants are available in AES: AES-128, AES-192 and AES-256.
In WPA2, AES is used in Counter Mode with Cipher Block Chaining to provide high confidentiality for the data. [Microsoft]
The WPA2 architecture must contain the following network components to secure the network: an authentication server to authenticate the users, a Robust Security Network to maintain the associations, and AES-based methods to provide privacy, integrity and authentication.
The authentication server holds all the user names and passwords of the users of the wireless network.
When a user wants to connect to a network that uses WPA, the user must provide his or her own user name and password when the network asks for them. The AP then sends that information to the authentication server to verify that the user is permitted to access network resources. Once the authentication server gives a positive response, the user is allowed to connect to the network; otherwise the request is discarded.
2.2.6.1 The Four-Way Handshake
The authentication process has two parts: the access point (AP) still needs to authenticate itself to the client station (STA), and keys to encrypt the traffic need to be derived. The earlier EAP exchange has provided the shared secret key, the PMK (Pairwise Master Key). This key is, however, designed to last the entire session and should be exposed as little as possible.
Therefore the four-way handshake is used to establish another key called the PTK (Pairwise Transient Key). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The product is then put through a cryptographic hash function. 
The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are depicted in the figure and explained below: 
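The derivation described above, worked through in Python as an added example (not code from the dissertation, from BackTrack or from any supplicant or AP implementation). It follows the IEEE 802.11i construction: the PMK for a WPA-Personal network is PBKDF2-HMAC-SHA1 over the passphrase salted with the SSID (4096 rounds, 256 bits); the PTK is the 802.11i PRF keyed with the PMK over the label "Pairwise key expansion" and the sorted MAC addresses and nonces; the PTK is then split into the KCK (which authenticates the handshake messages), the KEK (which wraps the GTK mentioned above) and the TK (which encrypts data). The function runs both sides of the exchange so that the AP's check of the message 2 MIC, the step that proves the station holds the same PMK without ever sending it, is visible. The MAC addresses and nonces are constructed sample values, and the EAPOL-Key frame bodies are labelled stand-ins; the passphrase "password" with SSID "IEEE" is the PSK test vector published in IEEE 802.11i, so the PMK can be checked against the standard.

```python
import hashlib
import hmac

# Constructed sample values for this example (not from the dissertation). The
# passphrase/SSID pair is the published IEEE 802.11i PSK test vector.
PASSPHRASE = "password"
SSID = "IEEE"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))        # real nonces are fresh random values per handshake
SNONCE = bytes(range(32, 64))


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    In WPA-Enterprise the PMK comes out of the EAP exchange instead."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..., truncated."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    384 bits suffices for CCMP; TKIP asks for 512 to obtain its two extra Michael keys."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 16 bytes,
    computed over the EAPOL-Key frame with its MIC field set to zero."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(ap_pmk: bytes, sta_pmk: bytes):
    """Run the handshake with each side holding its own copy of the PMK.
    Returns (ap_keys, sta_keys, ap_accepts_msg2, sta_accepts_msg3)."""
    # Message 1 (AP -> STA): ANonce in the clear; no MIC because no PTK exists yet.
    sta_keys = derive_ptk(sta_pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    # Message 2 (STA -> AP): SNonce plus a MIC under the STA's KCK (constructed stand-in body).
    msg2 = b"EAPOL-Key msg2 SNonce=" + SNONCE + b" MIC=" + bytes(16)
    mic2 = eapol_key_mic(sta_keys["KCK"], msg2)
    # The AP now has both nonces, derives its own PTK and checks the MIC.
    ap_keys = derive_ptk(ap_pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    ap_accepts = hmac.compare_digest(eapol_key_mic(ap_keys["KCK"], msg2), mic2)
    # Message 3 (AP -> STA): ANonce again, the GTK wrapped under the KEK, MIC under the AP's KCK.
    msg3 = b"EAPOL-Key msg3 ANonce=" + ANONCE + b" [GTK wrapped with KEK] MIC=" + bytes(16)
    mic3 = eapol_key_mic(ap_keys["KCK"], msg3)
    sta_accepts = hmac.compare_digest(eapol_key_mic(sta_keys["KCK"], msg3), mic3)
    # Message 4 (STA -> AP) acknowledges; both sides then install TK for data traffic.
    return ap_keys, sta_keys, ap_accepts, sta_accepts


if __name__ == "__main__":
    pmk = derive_pmk(PASSPHRASE, SSID)
    ap_keys, sta_keys, ok2, ok3 = four_way_handshake(pmk, pmk)
    print("PMK:", pmk.hex())
    print("PTK agreed:", ap_keys == sta_keys, "msg2 accepted:", ok2, "msg3 accepted:", ok3)
    _, _, bad2, bad3 = four_way_handshake(pmk, derive_pmk("wrong passphrase", SSID))
    print("with mismatched PMK, msg2 accepted:", bad2, "msg3 accepted:", bad3)
```

Two defensive points fall out of the code. The nonces enter the PRF, so a recorded handshake yields no key material that applies to a later session; and for WPA-Personal the PMK is a deterministic function of passphrase and SSID alone, which is why the strength of that passphrase is the whole of the network's secret.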
2.2.6.2 Group Key Handshake
The GTK used in the network may need to be updated due to the expiry of a preset timer. When a device leaves the network, the GTK also needs to be updated. This is to prevent the device from receiving any more multicast or broadcast messages from the AP. 
To handle the updating, 802.11i defines a Group Key Handshake that consists of a two-way handshake: 
The AP sends the new GTK to each STA in the network. The GTK is encrypted using the KEK assigned to that STA, and a MIC protects the data from being tampered with. The STA acknowledges the new GTK and replies to the AP.
2.3 Differences between WEP, WPA and WPA2
2.3.1 Encryption Methods
WEP uses only one encryption method for the whole network, whereas in WPA encryption is dedicated to every user: each user has its own.
For authentication, WEP uses the open or shared key method, whereas WPA operates with a pre-shared key. WPA also uses an authentication server to validate the user, and it uses EAP to send the information to the server; WEP does not use any authentication server.
2.3.3 Security Protocols and Key Streams
WEP uses WEP itself as its security protocol, a primitive wireless protocol with several loopholes for attackers, whereas WPA uses the Temporal Key Integrity Protocol as its security protocol. WPA2 uses a more advanced security protocol than both WEP and WPA: Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP).
WPA and WEP both use Rivest Cipher 4 as their cipher, but WPA2 uses the Advanced Encryption Standard. WEP uses 40- and 104-bit key lengths for the encryption key; WPA uses 128 bits for encryption and 64 bits for authentication; WPA2 uses 128-bit key streams for both encryption and authentication.
2.3.4 Data Integrity and Key Generation
WEP uses a 32-bit Cyclic Redundancy Check to check the integrity of the data; WPA uses the Michael Message Integrity Code; WPA2 uses CBC-MAC for that operation.
WEP performs key generation by concatenation. WPA uses a "two-phase mixing function (both TKIP and RC4)". WPA2 does not require any key generation.
2.4 Security Threats Associated with Wireless Networks
As discussed above, wireless networks have nowadays become more popular than wired networks. Many organisations, including commercial companies, hospitals and government offices, as well as most homes, use wireless networks to provide different services. The problem is that WLANs are not 100 percent protected from attacks: 802.11x networks are vulnerable to certain attacks, and there are thousands of papers and reports on the internet describing those attacks and the security threats to WLANs. These threats mainly target confidentiality, integrity and network availability.
WLAN attacks are normally divided into two types, "active attacks" and "passive attacks", and these two main classes are subdivided into further types of attack.
2.4.1 Active Attacks
Active attacks are the most dangerous attack type. Here the hacker or unauthorised party gains access to the system and modifies the system or the message being transmitted, so that the recipient receives an incorrect message stream or file. Active attacks result in a loss of integrity of the network. They can be detected using special software such as packet monitors, but the problem with this kind of attack is that it is difficult to prevent.
Active attacks can be subcategorised into four methods of attack, explained below.
Here the attacker imitates an authorised user of the network and thereby gains access to it. This can happen in a few ways. The first is that an authorised user gives the password away to an unknown person or group of people, who are then automatically able to access the system.
The other is that the hacker uses software to collect the passwords or access keys of authorised users. There are many methods for this kind of attack; installing keyboard activity recording software is a very successful way of collecting this kind of information.
The attacker can monitor the transmissions of the source and destination machines and retransmit the information as a legitimate user, so that the attacker's computer acts in turn as the source and the destination in order to obtain the real source's and destination's information.
Replay attacks are offline attacks. The attacker first gathers all the data and later decrypts that information, which could be the user's authentication session information carrying the WLAN password.
2.4.1.3 Message Modification
Here the attacker tries to modify a particular message or piece of information, which can result in wrong information being transmitted to the legitimate user.
2.4.1.4 Denial of Service
This is a very popular attack type and very easy to carry out in a WLAN environment. The main goal of this attack is to make the network unavailable to its users. It generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely [wiki]. These attacks cause