Hacking 802.11 Wireless
Prabhaker Mateti
Wright State University
Talk Outline
• Wireless LAN Overview
• Wireless Network Sniffing
• Wireless Spoofing
• Wireless Network Probing
• AP Weaknesses
• Denial of Service
• Man-in-the-Middle Attacks
• War Driving
• Wireless Security Best Practices
• Conclusion

Ack
• There is nothing new in this talk. It is an overview of what has been known for a couple of years.
• Several figures borrowed from many sources on the www.
• Apologies that I lost track of the original sources.
Wireless LAN Overview

OSI Model (figure): Application, Presentation, Session, Transport, Network, Data Link, Physical. 802.11b occupies the bottom two layers: the Data Link layer carries the 802.11 MAC header and the Physical layer carries the 802.11 PLCP header.

Network Layers (figure)

IEEE 802.11
• Published in June 1997
• 2.4 GHz operating frequency
• 1 to 2 Mbps throughput
• Can choose between frequency hopping or direct sequence spread spectrum modulation

IEEE 802.11b
• 1999
• Data Rate: 11 Mbps
• Reality: 5 to 7 Mbps
• 2.4 GHz band; runs on 3 channels shared by cordless phones, microwave ovens, and many Bluetooth products
• Only direct sequence modulation is specified
• Most widely deployed today

Channels (figure)
Physical Layer

                              802.11a                  802.11g                          802.11b
Standard Approved             September 1999           September 1999                   September 1999
Available Bandwidth           300 MHz                  83.5 MHz                         83.5 MHz
Unlicensed Frequencies        5.15-5.35 GHz            2.4-2.4835 GHz                   2.4-2.4835 GHz
of Operation                  5.725-5.825 GHz
Number of Nonoverlapping      4 (Indoor)               3 (Indoor/Outdoor)               3 (Indoor/Outdoor)
Channels                      4 (Indoor/Outdoor)
                              4 (Indoor/Outdoor)
Data Rate Per Channel         6, 9, 12, 18, 24, 36,    1, 2, 5.5, 11, 6, 9, 12, 18,     1, 2, 5.5, 11 Mbps
                              48, 54 Mbps              22, 24, 33, 36, 48, 54 Mbps
Modulation                    OFDM                     DSSS, OFDM,                      DSSS, CCK
                                                       PBCC (O), CCK-OFDM (O)

The Unlicensed Radio Frequency Spectrum (figure): the 5.15-5.35 GHz and 5.725-5.825 GHz bands are used by IEEE 802.11a and HiperLAN/2.

Channel Plan – 802.11/11b/11g (figure)

Channel Spacing (5 MHz) (figure): the non-overlapping channels are centered at 2.412, 2.437 and 2.462 GHz.
IEEE 802.11a
• Data Rate: 54 Mbps
• Reality: 25 to 27 Mbps
• Runs on 12 channels
• Not backward compatible with 802.11b
• Uses Orthogonal Frequency Division Multiplexing (OFDM)

IEEE 802.11g
• An extension to 802.11b
• Data rate: 54 Mbps
• 2.4 GHz band

IEEE 802.1X
• General-purpose port based network access control mechanism for 802 technologies
• Authentication is mutual: both the user (not the station) and the AP authenticate to each other.
• supplicant - entity that needs to be authenticated before LAN access is permitted (e.g., the station);
• authenticator - entity that supports the actual authentication (e.g., the AP);
• authentication server - entity that provides the authentication service to the authenticator (usually a RADIUS server).

IEEE 802.1X
• Extensible Authentication Protocol (EAP)
• Can provide dynamic encryption key exchange, eliminating some of the issues with WEP
• Roaming is transparent to the end user
• Microsoft includes support in Windows XP

802.1x Architecture (figure)

IEEE 802.11e
• Currently under development
• Working to improve security issues
• Extensions to MAC layer, longer keys, and key management systems
• Adds 128-bit AES encryption
Stations and Access Points

802.11 Terminology: Station (STA)
• Device that contains an IEEE 802.11 conformant MAC and PHY interface to the wireless medium, but does not provide access to a distribution system
• Most often end-stations available in terminals (work-stations, laptops etc.)
• Typically implemented in a PC-Card

Station Architecture
• Ethernet-like driver interface
  – supports virtually all protocol stacks
• Frame translation according to IEEE Std 802.1H
  – Ethernet Types 8137 (Novell IPX) and 80F3 (AARP) encapsulated via the Bridge Tunnel encapsulation scheme
  – IEEE 802.3 frames: translated to 802.11
  – All other Ethernet Types: encapsulated via the RFC 1042 (Standard for the Transmission of IP Datagrams over IEEE 802 Networks) encapsulation scheme
  – Maximum Data limited to 1500 octets
• Figure (station architecture): Radio Hardware; PC-Card Hardware with WMAC controller and Station Firmware (WNIC-STA), 802.11 frame format; Driver Software (STADr), 802.3 frame format; Platform Computer Protocol Stack, Ethernet V2.0 / 802.3 frame format; transparent bridging to Ethernet.

Terminology: Access-Point (AP)
• A transceiver that serves as the center point of a stand-alone wireless network or as the connection point between wireless and wired networks.
• Device that contains an IEEE 802.11 conformant MAC and PHY interface to the wireless medium, and provides access to a Distribution System for associated stations (i.e., an AP is a STA)
• Most often infrastructure products that connect to wired backbones
• Implemented in a “box” containing a STA PC-Card.

Access-Point (AP) Architecture
• Stations select an AP and “associate” with it
• APs support
  – roaming
  – Power Management
  – time synchronization functions (beaconing)
• Traffic typically flows through the AP
• Figure (AP architecture): Radio Hardware; PC-Card Hardware with WMAC controller and Access Point Firmware (WNIC-AP), 802.11 frame format; Driver Software (APDr), 802.3 frame format; Bridge Software and Kernel Software (APK), Ethernet V2.0 / 802.3 frame format; Ethernet Interface and Bridge Hardware.

Basic Configuration (figure)

Infrastructure and Ad Hoc Modes (figure)
Terminology: Basic Service Set (BSS)
• A set of stations controlled by a single “Coordination Function” (= the logical function that determines when a station can transmit or receive)
• Similar to a “cell” in pre-IEEE terminology
• A BSS may or may not have an AP

Basic Service Set (BSS) (figure)

Terminology: Distribution System (DS)
• A system to interconnect a set of BSSs
• Integrated: a single AP in a standalone network
• Wired: using cable to interconnect the APs
• Wireless: using wireless to interconnect the APs

Terminology: Independent Basic Service Set (IBSS)
• A BSS forming a self-contained network in which no access to a Distribution System is available
• A BSS without an AP
• One of the stations in the IBSS can be configured to “initiate” the network and assume the Coordination Function
• Diameter of the cell is determined by the coverage distance between two wireless stations

Independent Basic Service Set (IBSS) (figure)

Terminology: Extended Service Set (ESS)
• A set of one or more BSSs interconnected by a Distribution System (DS)
• Traffic always flows via the AP
• Diameter of the cell is double the coverage distance between two wireless stations

ESS: single BSS (with integrated DS) (figure)

ESS: with wired DS (figure)

ESS: with wireless DS (figure)

Terminology: Service Set Identifier (SSID)
• “Network name”
• Up to 32 octets long
• One network (ESS or IBSS) has one SSID
• E.g., “WSU Wireless”; defaults: “101” for 3COM and “tsunami” for Cisco

Terminology: Basic Service Set Identifier (BSSID)
• “cell identifier”
• One BSS has one BSSID
• Exactly 6 octets long
• BSSID = MAC address of the AP

802.11 Communication
• CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) instead of Collision Detection
• A WLAN adapter cannot send and receive traffic at the same time on the same channel
• Hidden Node Problem
• Four-Way Handshake

Hidden Node Problem (figure)

Four-Way Handshake (figure): exchange between Source and Destination

Infrastructure operation modes
• Root Mode
• Repeater Mode
Frames

Ethernet Packet Structure (figure)
• 14 byte header
• 2 addresses
Graphic Source: Network Computing Magazine August 7, 2000

802.11 Packet Structure (figure)
• 30 byte header
• 4 addresses
Graphic Source: Network Computing Magazine August 7, 2000

Ethernet Physical Layer Packet Structure (figure)
• 8 byte header (Preamble)
Graphic Source: Network Computing Magazine August 7, 2000

802.11 Physical Layer Packet Structure (figure)
• 24 byte header (PLCP, Physical Layer Convergence Protocol)
• Always transferred at 1 Mbps
Graphic Source: Network Computing Magazine August 7, 2000
Frame Formats

802.11 MAC Header (field: bytes)
Frame Control: 2 | Duration/ID: 2 | Addr 1: 6 | Addr 2: 6 | Addr 3: 6 | Sequence Control: 2 | Addr 4: 6 | Frame Body: 0-2312 | CRC: 4

Frame Control Field (field: bits)
Protocol Version: 2 | Type: 2 | SubType: 4 | To DS: 1 | From DS: 1 | More Frag: 1 | Retry: 1 | Pwr Mgt: 1 | More Data: 1 | WEP: 1 | Rsvd: 1

MAC Header format differs per Type:
• Control Frames (several fields are omitted)
• Management Frames
• Data Frames

Address Field Description

To DS   From DS   Address 1   Address 2   Address 3   Address 4
  0        0         DA          SA         BSSID        N/A
  0        1         DA         BSSID        SA          N/A
  1        0        BSSID        SA          DA          N/A
  1        1         RA          TA          DA          SA

• Addr. 1 = All stations filter on this address.
• Addr. 2 = Transmitter Address (TA), identifies the transmitter to address the ACK frame to.
• Addr. 3 = Dependent on the To DS and From DS bits.
• Addr. 4 = Only needed to identify the original source of WDS (Wireless Distribution System) frames

Type field descriptions
Type and subtype identify the function of the frame:
• Type=00 Management Frame: Beacon, (Re)Association, Probe, (De)Authentication, Power Management
• Type=01 Control Frame: RTS/CTS, ACK
• Type=10 Data Frame
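A parser for the header layout and address table on these slides, written as an added example (not code from the talk). It decodes the Frame Control bits, labels Addr 1-4 by the To DS / From DS combination, and names the management subtypes the slides list; the three sample frames and their MAC addresses are constructed, not captured.

```python
import struct

# Field widths from the slides: Frame Control (2), Duration/ID (2), Addr 1-3 (6 each),
# Sequence Control (2), then Addr 4 (6) only when both To DS and From DS are set.
TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "reserved"}

# Management subtypes named on the slides (Type=00).
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 2: "reassociation request", 3: "reassociation response",
                 4: "probe request", 5: "probe response", 8: "beacon",
                 10: "disassociation", 11: "authentication", 12: "deauthentication"}

# Meaning of Addr 1..4 by (To DS, From DS), from the Address Field Description table.
ADDRESS_ROLES = {(0, 0): ("DA", "SA", "BSSID", None),
                 (0, 1): ("DA", "BSSID", "SA", None),
                 (1, 0): ("BSSID", "SA", "DA", None),
                 (1, 1): ("RA", "TA", "DA", "SA")}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame_control(fc: int) -> dict:
    """Split the 16-bit Frame Control field (little-endian on the air) into its fields."""
    return {
        "protocol_version": fc & 0x3,
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "to_ds": (fc >> 8) & 1,
        "from_ds": (fc >> 9) & 1,
        "more_frag": (fc >> 10) & 1,
        "retry": (fc >> 11) & 1,
        "pwr_mgt": (fc >> 12) & 1,
        "more_data": (fc >> 13) & 1,
        "wep": (fc >> 14) & 1,
        "rsvd": (fc >> 15) & 1,
    }


def parse_mac_header(frame: bytes) -> dict:
    """Decode the 802.11 MAC header and label each address by its role."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte MAC header")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    flags = parse_frame_control(fc)
    roles = ADDRESS_ROLES[(flags["to_ds"], flags["from_ds"])]
    raw_addrs = [frame[4:10], frame[10:16], frame[16:22]]
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    body_offset = 24
    if roles[3] is not None:            # WDS frame: Addr 4 follows Sequence Control
        if len(frame) < 30:
            raise ValueError("WDS frame shorter than the 30-byte MAC header")
        raw_addrs.append(frame[24:30])
        body_offset = 30
    addresses = {role: mac_str(a) for role, a in zip(roles, raw_addrs)}
    kind = TYPE_NAMES[flags["type"]]
    if flags["type"] == 0:
        kind = MGMT_SUBTYPES.get(flags["subtype"], f"management subtype {flags['subtype']}")
    return {"frame_type": kind, "flags": flags, "duration": duration,
            "addresses": addresses, "seq": seq_ctrl >> 4, "frag": seq_ctrl & 0xF,
            "body_offset": body_offset}


# Constructed sample frames (not real captures); the MAC addresses are made up.
SAMPLE_BEACON = (bytes.fromhex("8000")             # FC: type 0, subtype 8 (beacon)
                 + bytes.fromhex("0000")           # Duration
                 + bytes.fromhex("ffffffffffff")   # Addr 1: DA (broadcast)
                 + bytes.fromhex("001122334455")   # Addr 2: SA
                 + bytes.fromhex("001122334455")   # Addr 3: BSSID
                 + bytes.fromhex("a000")           # Sequence Control: seq 10, frag 0
                 + bytes(12))                      # body (timestamp etc.) zeroed
SAMPLE_DATA_TO_DS = (bytes.fromhex("0841")         # FC: type 2 (data), To DS=1, WEP=1
                     + bytes.fromhex("2c00")       # Duration 44
                     + bytes.fromhex("001122334455")   # Addr 1: BSSID
                     + bytes.fromhex("aabbccddeeff")   # Addr 2: SA
                     + bytes.fromhex("00aabbccddee")   # Addr 3: DA
                     + bytes.fromhex("1000")
                     + b"encrypted payload")
SAMPLE_WDS = (bytes.fromhex("0803")                # FC: type 2 (data), To DS=1, From DS=1
              + bytes.fromhex("0000")
              + bytes.fromhex("001122334455")      # RA
              + bytes.fromhex("00aabbccddee")      # TA
              + bytes.fromhex("aabbccddeeff")      # DA
              + bytes.fromhex("0000")
              + bytes.fromhex("112233445566")      # SA (Addr 4)
              + b"payload")

if __name__ == "__main__":
    for f in (SAMPLE_BEACON, SAMPLE_DATA_TO_DS, SAMPLE_WDS):
        h = parse_mac_header(f)
        print(h["frame_type"], h["addresses"], "body at", h["body_offset"])
```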
Management Frames
• Beacon: Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, parameters, Traffic Indication Map
• Probe: SSID, Capabilities, Supported Rates
• Probe Response: Timestamp, Beacon Interval, Capabilities, SSID, Supported Rates, parameters (same as Beacon except for the TIM)

Management Frames (cont’d)
• Association Request: Capability, Listen Interval, SSID, Supported Rates
• Association Response: Capability, Status Code, Station ID, Supported Rates
• Re-association Request: Capability, Listen Interval, SSID, Supported Rates, Current AP Address
• Re-association Response: Capability, Status Code, Station ID, Supported Rates

Management Frames (cont’d)
• Dis-association: Reason code
• Authentication: Algorithm, Sequence, Status, Challenge Text
• De-authentication: Reason

Synchronization
• Necessary for keeping frequency hopping synchronized, and for other functions like Power Saving.
• The AP periodically transmits a special type of frame called a Beacon Frame
• The MS uses info in Beacon frames to synchronize to the AP.

Control Frame Format (figure)

Authentication

Authentication
• To control access to the infrastructure via an authentication
• The station first needs to be authenticated by the AP in order to join the AP's network.
• Stations identify themselves to other stations (or APs) prior to data traffic or association
• 802.11 defines two authentication subtypes: Open system and shared key

Open system authentication
• A sends an authentication request to B.
• B sends the result back to A

Shared Key Authentication
• Uses WEP Keys
Access Point Discovery
• Beacons sent out 10x a second
  – Advertise capabilities
• Station queries access points
  – Requests features
• Access points respond
  – With supported features
• Authentication just a formality
  – May involve more frames
• Features used by war driving software
• Exchange (figure): Probe request / Probe response; Authentication request / Authentication response; Association request / Association response

Association

Association
• Next step after authentication
• Association enables data transfer between the MS and the AP.
• The MS sends an association request frame to the AP, which replies to the client with an association response frame either allowing or disallowing the association.

Association
• To establish a relationship with an AP
• Stations scan the frequency band and select the AP with the best communications quality
  – Active Scan (sending a “Probe request” on specific channels and assessing the response)
  – Passive Scan (assessing communications quality from beacon messages)
• The AP maintains a list of associated stations in MAC FW
  – Record station capability (data-rate)
  – To allow inter-BSS relay
  – The station’s MAC address is also maintained in the bridge learn table, associated with the port it is located on

Association + Authentication (state diagram)
• State 1: Unauthenticated, Unassociated
  – Successful authentication: go to State 2
• State 2: Authenticated, Unassociated
  – Successful association or reassociation: go to State 3
  – Deauthentication: go to State 1
• State 3: Authenticated, Associated
  – Disassociation: go to State 2
  – Deauthentication: go to State 1
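The three-state diagram as a per-station tracker, added here as an example and not part of the talk. It applies the transitions above, rejects frames that are out of sequence (an association request from an unauthenticated station, data from a station that is no longer associated) and records them, which is the same bookkeeping an AP or a monitoring sensor keeps. The event log is constructed, not captured.

```python
from enum import Enum


class State(Enum):
    UNAUTH_UNASSOC = 1      # State 1: Unauthenticated, Unassociated
    AUTH_UNASSOC = 2        # State 2: Authenticated, Unassociated
    AUTH_ASSOC = 3          # State 3: Authenticated, Associated


# Transitions from the slide's state diagram, keyed by (current state, event).
TRANSITIONS = {
    (State.UNAUTH_UNASSOC, "authentication_ok"): State.AUTH_UNASSOC,
    (State.AUTH_UNASSOC, "association_ok"): State.AUTH_ASSOC,
    (State.AUTH_UNASSOC, "reassociation_ok"): State.AUTH_ASSOC,
    (State.AUTH_UNASSOC, "deauthentication"): State.UNAUTH_UNASSOC,
    (State.AUTH_ASSOC, "disassociation"): State.AUTH_UNASSOC,
    (State.AUTH_ASSOC, "deauthentication"): State.UNAUTH_UNASSOC,
}


class StationTracker:
    """Tracks each station's state the way an AP (or a passive monitor) must."""

    def __init__(self):
        self.states = {}
        self.anomalies = []     # (mac, state name, event) for out-of-sequence frames

    def state(self, mac):
        return self.states.get(mac, State.UNAUTH_UNASSOC)

    def on_event(self, mac, event):
        cur = self.state(mac)
        if event == "data":
            # Data frames are only valid in State 3; a station that keeps
            # sending after a disassociation is worth logging.
            if cur is not State.AUTH_ASSOC:
                self.anomalies.append((mac, cur.name, event))
            return cur
        nxt = TRANSITIONS.get((cur, event))
        if nxt is None:
            # e.g. an association request from a station that never authenticated
            self.anomalies.append((mac, cur.name, event))
            return cur
        self.states[mac] = nxt
        return nxt

    def replay(self, events):
        for mac, event in events:
            self.on_event(mac, event)
        return self


# Constructed event log (not a real capture): station A follows the normal
# sequence, is disassociated while it still has data to send, reassociates and
# is finally deauthenticated; station B tries to associate without authenticating.
SAMPLE_EVENTS = [
    ("00:11:22:33:44:55", "authentication_ok"),
    ("00:11:22:33:44:55", "association_ok"),
    ("00:11:22:33:44:55", "data"),
    ("00:11:22:33:44:55", "disassociation"),
    ("00:11:22:33:44:55", "data"),
    ("00:11:22:33:44:55", "reassociation_ok"),
    ("00:11:22:33:44:55", "deauthentication"),
    ("aa:bb:cc:dd:ee:ff", "association_ok"),
]


def run_sample():
    return StationTracker().replay(SAMPLE_EVENTS)


if __name__ == "__main__":
    t = run_sample()
    print({mac: s.name for mac, s in t.states.items()})
    print("anomalies:", t.anomalies)
```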
Starting an ESS
• The infrastructure network is identified by its ESSID
• All Access-Points will have been set according to this ESSID
• Wireless stations will be configured to set their desired SSID to the value of the ESSID
• On power up, stations will issue Probe Requests and will locate the AP that they will associate with:
  – the “best” Access-Point with matching ESSID
  – the “best” Access-Point if the SSID has been set to “ANY”

Starting an IBSS
• A station configured for IBSS operation will:
  – “look” for Beacons that contain a network name (SSID) that matches the one that is configured
  – When Beacons with matching Network Name are received and are issued by an AP, the station will associate to the AP
  – When Beacons with matching Network Name are received and are issued by another Station in IBSS mode, the station will join this IBSS
  – When no beacons are received with matching Network Name, the station will issue beacons itself.
• All Stations in an IBSS network will participate in sending beacons.
  – All stations start a random timer prior to the point in time when the next Beacon is to be sent.
  – The first station whose random timer expires will send the next beacon

Inter-Frame Spacing (figure): after a Busy Medium the medium must be free for longer than DIFS before free access; PIFS and SIFS are shorter gaps; a Contention Window of slot times follows DIFS, in which each station selects a slot and counts down its Backoff-Window before sending the Next Frame, while the others Defer Access.
• Inter frame spacing required for MAC protocol traffic
• Select Slot and Decrement Backoff as long as the medium is idle.
• SIFS = Short interframe space
• PIFS = PCF interframe space
• DIFS = DCF interframe space
• Back-off timer expressed in terms of number of time slots

Data Frames and their ACK (figure): Src waits DIFS and sends Data; Dest replies with Ack after SIFS; Other stations Defer Access and back off after the deferral; after DIFS the Contention Window for the Next MPDU begins.
• Acknowledgments are to arrive within the SIFS
• The DCF interframe space is observed before the medium is considered free for use
Traffic flow - Inter-BSS (figure): one AP-1000 or AP-500 with an Avaya Wireless PC-Card in BSS-A; Bridge learn table (STA-1: port 2, STA-2: port 2); Association table (STA1, STA2); STA-1 and STA-2 each Associate and are ACKed; a Packet for STA-2 from STA-1 is relayed by the AP (Inter-BSS Relay) and ACKed.

Traffic flow - ESS operation (figure): two APs (AP-1000 or AP-500), each with an Avaya Wireless PC-Card; BSS-A contains STA-1 and BSS-B contains STA-2; Bridge learn tables (STA1: 2, STA2: 1 on one AP; STA2: 2, STA1: 1 on the other); Association tables (STA1 on one AP, STA2 on the other); a Packet for STA-2 is ACKed at each wireless hop and crosses the DS between the APs.

Traffic flow - WDS operation (figure): as in the ESS case, but the two APs forward to each other over the wireless medium (WDS Relay); the Packet for STA-2 is ACKed on each of the three hops.
Wireless Network Sniffing

Network Sniffing
• Sniffing is a reconnaissance technique
• Sniffing is eavesdropping on the network.
• A sniffer is a program that intercepts and decodes network traffic broadcast through a medium.
• Sniffing is the act by a machine S of making copies of a network packet sent by machine A intended to be received by machine B.
• Sniffing is
  – not a TCP/IP problem
  – enabled by the media, Ethernet and 802.11, as the physical and data link layers.

Wireless Network Sniffing
• An attacker can passively scan without transmitting at all.
• A passive scanner instructs the wireless card to listen to each channel for a few messages.
• RF monitor mode of a wireless card allows every frame appearing on a channel to be copied as the radio of the station tunes to various channels. Analogous to a wired Ethernet card in promiscuous mode.
• A station in monitor mode can capture packets without associating with an AP or ad-hoc network.
• Many wireless cards permit RFmon mode.

Passive Scanning
• A corporate network can be accessed from outside a building by an eavesdropper using readily available technology

Passive Scanning
• Wireless LAN sniffers can be used to gather information about the wireless network from a distance with a directional antenna.
• These applications are capable of gathering the passwords from HTTP sites and telnet sessions sent in plain text.
• These attacks do not leave any trace of the hacker’s presence on the network

Passive Scanning
• Scanning is a reconnaissance technique
• Detection of SSID
• Collecting the MAC addresses
• Collecting the frames for cracking WEP
A Basic Attack
Behind the scenes of a completely passive wireless pre-attack session

Installing Kismet
• Setting up Kismet is fairly straightforward.
• Google on “Kismet”
• http://www.kismetwireless.net/

Starting Kismet (screenshot)
• The mysqld service is started.
• The gpsd service is started on serial port 1.
• The wireless card is placed into monitor mode.
• kismet is launched.

Detection (screenshot)
Kismet picks up some wireless jabber! In order to take a closer look at the traffic, disengage “autofit” mode by pressing “ss” to sort by SSID.
Screenshot callouts: type; WEP? yes or no; 4 TCP packets; IP’s detected; strength.

Network Details (screenshot)
Network details for the 0.0.0.0 address are viewed by pressing the “i” key.

Network Details (screenshot)
Network details for the 169.254.187.86 address are viewed by pressing the “i” key.

More network details (screenshot)
More network details for the 169.254.187.86 address are viewed by pressing the “i” key, then scrolling down to view more information.

traffic dump (screenshot)
A dump of “printable” traffic can be had by pressing the “d” key.
\MAILSLOTS? Could this be a postal office computer? (that is a joke. feel free to laugh at this point. thank you.)

packet list (screenshot)
A list of packet types can be viewed by selecting a wireless point and pressing “p”

gpsmap (screenshot)
A gpsmap of the area is printed using
# gpsmap -S2 -s10 -r gpsfile

ethereal - beacon (screenshot)
The *.dump files Kismet generates can be opened with tcpdump or ethereal as shown here. This is an 802.11 beacon frame.

ethereal – probe request (screenshot)
....an 802.11 Probe Request from the same machine

ethereal - registration (screenshot)
oooh... a NETBIOS registration packet for “MSHOME”...

ethereal - registration (screenshot)
...another registration packet, this time from “LAP10”...

ethereal – DHCP request (screenshot)
...a DHCP request... it would be interesting to spoof a response to this...

ethereal – browser request (screenshot)
...a NETBIOS browser request...

ethereal – browser announce (screenshot)
...an SMB host announcement... revealing an OS major version of 5 and an OS minor version of 1... We have a Windows XP client laptop searching for an access point.
This particular target ends up being nothing more than a lone client crying out for a wireless server to connect to. Spoofing management frames to this client would most likely prove to be pointless...
Passive Scanning
• This simple example demonstrates the ability to monitor even client machines which are not actively connected to a wireless access point
• In a more “chatty” environment, so much more is possible
• All of this information was captured passively. Kismet did not send a single packet on the airwaves.
• This type of monitoring cannot be detected, but preventive measures can be taken.

Detection of SSID
• The SSID occurs in the following frame types: beacon, probe requests, probe responses, association requests, and reassociation requests.
• Management frames are always in the clear, even when WEP is enabled.
• Merely collect a few frames and note the SSID.
• What if beacons are turned off? Or the SSID is hidden?

When the Beacon displays a null SSID …
• Patiently wait.
• Recall that management frames are in the clear.
• Wait for an associate request; associate request and response both contain the SSID
• Wait for a probe request; probe responses contain the SSID

Beacon transmission is disabled ...
• Wait for a voluntary associate request to appear. Or
• Actively probe by injecting spoofed frames, and then sniff the response

Collecting the MAC Addresses
• The attacker gathers legitimate MAC addresses for use later in spoofed frames.
• The source and destination MAC addresses are always in the clear in all frames.
• The attacker sniffs these legitimate addresses

Collecting frames for cracking WEP
• There are systematic procedures for cracking WEP.
• Need to collect a large number (millions) of frames.
• Collection may take hours to days.
• Cracking takes a few seconds to a couple of hours.
Cracking WEP

Wired Equivalent Privacy (WEP)
• Designed to be computationally efficient, self-synchronizing, and exportable
• All users of a given AP share the same encryption key
• Data headers remain unencrypted, so anyone can see the source and destination of the data stream

Initialization Vector (IV)
• Over a period, the same plaintext packet should not generate the same ciphertext packet
• The IV is random, and changes per packet
• Generated by the device on the fly
• 24 bits long
• 64 bit encryption: IV + 40 bits WEP key
• 128 bit encryption: IV + 104 bits WEP key

WEP Encryption
• WEP encryption key: a shared 40- or 104-bit long number
• WEP keys are used for authentication and encryption of data
• A 32-bit integrity check value (ICV) is calculated that provides data integrity for the MAC frame.
• The ICV is appended to the end of the frame data.
• A 24-bit initialization vector (IV) is concatenated with the WEP key.
• The combination of [IV+WEP encryption key] is used as the input of a pseudo-random number generator (PRNG) to generate a bit sequence that is the same size as the combination of [data+ICV].
• The PRNG bit sequence is bit-wise XORed with [data+ICV] to produce the encrypted portion of the payload that is sent between the wireless AP and the wireless client.
• The IV is added to the front of the encrypted [data+ICV], which becomes the payload for the wireless MAC frame.
• The result is IV + encrypted [data+ICV].

Decryption
• The IV is obtained from the front of the MAC payload.
• The WEP encryption key is concatenated with the IV.
• The concatenated WEP encryption key and IV are used as the input of the same PRNG to generate a bit sequence of the same size as the combination of the data and the ICV, which is the same bit sequence as that of the sending wireless node.
• The PRNG bit sequence is XORed with the encrypted [data+ICV] to decrypt the [data+ICV] portion of the payload.
• The ICV for the data portion of the payload is calculated and compared with the value included in the incoming frame. If the values match, the data is taken to have been sent from the wireless client and to be unmodified in transit.
• The WEP key remains constant over a long duration, but the IV can be changed frequently depending on the degree of security needed.

WEP Protocol (figure)

WEP: Wired Equivalent Privacy (figure)

What is an IV? (figure: WEP frame body)
• Octets: IV: 4 | MSDU: 0-2304 | ICV: 4 (the MSDU and ICV are the encrypted part)
• Bits within the IV field: Initialization Vector: 24 | Pad: 6 | Key ID: 2
• IV is short for Initialization Vector
• 24 bits long
• 64 bit encryption: 24 bits IV + 40 bits WEP key
• 128 bit encryption: 24 bits IV + 104 bits WEP key
What is a “Weak” IV?
• In the RC4 algorithm the Key Scheduling Algorithm (KSA) creates an IV-based key from the base key
• A flaw in the WEP implementation of RC4 allows “weak” IVs to be generated
• Those IVs “give away” info about the key bytes they were derived from
• An attacker will collect enough weak IVs to reveal bytes of the base key

WEP problem discovery timeline
• In October 2000, Jesse Walker was one of the first people to identify several of the problems within WEP.
• In February 2001 three researchers (Fluhrer, Mantin, and Shamir) found a flaw in the RC4 key setup algorithm which results in total recovery of the secret key.
• In June 2001 Tim Newsham found a problem in the algorithm that some vendors used to automatically generate WEP keys. He also built code to perform dictionary attacks against WEP-intercepted traffic.

WEP Attacks (cont.)
• Four types of attacks
  – Passive attacks to decrypt traffic based on statistical analysis.
  – Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext.
  – Active attacks to decrypt traffic, based on tricking the access point.
  – Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic.
• The time required to gather enough wireless traffic depends heavily on the network saturation of the target access point

Drawbacks of WEP Protocol
• The determination and distribution of WEP keys are not defined
• There is no defined mechanism to change the WEP key either per authentication or periodically for an authenticated connection
• No mechanism for central authentication, authorization, and accounting
• No per-frame authentication mechanism to identify the frame source.
• No per-user identification and authentication

Fluhrer Paper/AirSnort Utility
• Key recovery possible due to statistical analysis of plaintext and “weak” IVs
  – Leverages “weak” IVs: a large class of weak IVs can be generated by RC4
  – Passive attack, but can be more effective if coupled with an active attack
• Two major implementations
  – AirSnort
  – AT&T/Rice University tests (not released)
UC Berkeley Study
• Bit flipping
  – Bits are flipped in WEP encrypted frames, and the ICV CRC32 is recalculated
• Replay
  – Bit flipped frames with known IVs are resent
  – The AP accepts the frame since the CRC32 is correct
  – A Layer 3 device will reject it, and send a predictable response
  – A response database is built and used to derive the key

UC Berkeley Study (figure)
• Plaintext data (“Cisco”) is XORed with the WEP stream cipher (“1234”) to produce the encrypted ciphertext (“XXYYZZ”).
• If the ciphertext (“XXYYZZ”) is XORed with guessed plaintext (“Cisco”), the stream cipher (“1234”) can be derived.

UC Berkeley Study (figure)
• Bit flipped frame sent; frame passes ICV; forwarded to destination MAC
• Upper layer protocol fails CRC; sends a predictable error message to the source MAC
• The AP WEP-encrypts the response and forwards it to the source MAC
• The attacker anticipates the response from the upper layer device and attempts to derive the key
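A working model of the WEP Encryption and Decryption slides and of the two Berkeley figures, added here as an example; it is not code from the talk or from the Berkeley study. It implements the RC4 "PRNG" seeded with IV || key and the CRC-32 ICV, then shows the two properties the figures rely on: known plaintext XOR ciphertext yields the keystream, and CRC-32 is affine so a ciphertext edit keeps the ICV valid, which is the gap the MIC and TKIP slides that follow were meant to close. The key, IV and plaintext are constructed values.

```python
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of `length` bytes: the WEP 'PRNG', seeded with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):                              # key scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                           # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """32-bit CRC integrity check value, little-endian as carried in WEP."""
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, data: bytes, key_id: int = 0) -> bytes:
    """Build the WEP MAC payload: IV(3) | pad+KeyID(1) | RC4_{IV||key}(data || ICV)."""
    if len(iv) != 3 or len(wep_key) not in (5, 13):
        raise ValueError("IV must be 24 bits, key 40 or 104 bits")
    plain = data + icv(data)
    return iv + bytes([key_id << 6]) + xor(plain, rc4(iv + wep_key, len(plain)))


def wep_decrypt(wep_key: bytes, payload: bytes):
    """Reverse wep_encrypt. Returns (data, icv_matches)."""
    iv, body = payload[:3], payload[4:]
    plain = xor(body, rc4(iv + wep_key, len(body)))
    data, received = plain[:-4], plain[-4:]
    return data, received == icv(data)


def recover_keystream(payload: bytes, known_plaintext: bytes) -> bytes:
    """First Berkeley figure: ciphertext XOR known plaintext (plus its ICV) is the
    keystream for this IV, obtained with no knowledge of the key."""
    return xor(payload[4:], known_plaintext + icv(known_plaintext))


def flip_bits_in_ciphertext(payload: bytes, delta: bytes) -> bytes:
    """Second Berkeley figure. CRC-32 is affine: for equal lengths,
    crc(d ^ delta) == crc(d) ^ crc(delta) ^ crc(zeros). RC4 is a stream cipher,
    so XORing (delta || that ICV correction) into the ciphertext changes the
    decrypted data by `delta` and the frame still passes the ICV check.
    This is why a CRC is not a message integrity check."""
    head, body = payload[:4], payload[4:]
    if len(delta) != len(body) - 4:
        raise ValueError("delta must cover exactly the data bytes")
    delta_icv = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))).to_bytes(4, "little")
    return head + xor(body, delta + delta_icv)


# Constructed values (not from the slides): a 40-bit key typed as 5 ASCII
# characters, an IV, and the figure's plaintext "Cisco".
SAMPLE_KEY = b"wsu40"
SAMPLE_IV = b"\x00\x01\x02"
SAMPLE_PLAINTEXT = b"Cisco"


def demo():
    payload = wep_encrypt(SAMPLE_KEY, SAMPLE_IV, SAMPLE_PLAINTEXT)
    roundtrip = wep_decrypt(SAMPLE_KEY, payload)
    delta = xor(SAMPLE_PLAINTEXT, b"Cisc0")          # change the last byte only
    forged = wep_decrypt(SAMPLE_KEY, flip_bits_in_ciphertext(payload, delta))
    stream_ok = recover_keystream(payload, SAMPLE_PLAINTEXT) == rc4(SAMPLE_IV + SAMPLE_KEY, 9)
    return {"roundtrip": roundtrip, "forged": forged, "keystream_recovered": stream_ok}


if __name__ == "__main__":
    print(demo())
```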
Message Integrity Check (MIC)
• The MIC will protect WEP frames from being tampered with
• The MIC is computed from a seed value, destination MAC, source MAC, and payload
• The MIC is included in the WEP encrypted payload

Message Integrity Check
• The MIC uses a hashing algorithm to stamp the frame
• The MIC is still pre-standards, awaiting 802.11i ratification
• WEP Frame—No MIC: DA | SA | IV | Data | ICV (Data and ICV are WEP encrypted)
• WEP Frame—MIC: DA | SA | IV | Data | SEQ | MIC | ICV (Data, SEQ, MIC and ICV are WEP encrypted)

Temporal Key Integrity Protocol (TKIP)
• Base key and IV hashed
  – The transmit WEP key changes as the IV changes
• Key hashing is still pre-standards, awaiting 802.11i ratification

WEP and TKIP Implementations
• WEP today uses an IV and base key; this includes weak IVs which can be compromised
• TKIP uses the IV and base key to hash a new key—thus a new key every packet; weak keys are mitigated
• WEP Encryption Today (figure): IV and Base Key feed RC4, which produces the Stream Cipher; Plaintext Data XOR Stream Cipher gives IV | Ciphertext Data
• TKIP (figure): IV and Base Key are hashed into a Packet Key, which feeds RC4 to produce the Stream Cipher; Plaintext Data XOR Stream Cipher gives IV | Ciphertext Data
Wireless Spoofing

Wireless Spoofing
• The attacker constructs frames by filling selected fields that contain addresses or identifiers with legitimate looking but nonexistent values, or with legitimate values that belong to others.
• The attacker would have collected these legitimate values through sniffing.

MAC Address Spoofing
• Probing is sniffable by the sys admins.
• The attacker wishes to be hidden.
• Use the MAC address of a legitimate card.
• APs can filter based on MAC addresses.

IP spoofing
• Replacing the true IP address of the sender (or, in some cases, the destination) with a different address.
• Defeats IP address based trust.
• IP spoofing is an integral part of many attacks.

Frame Spoofing
• Frames themselves are not authenticated in 802.11.
• Construction of the byte stream that constitutes a spoofed frame is facilitated by libraries.
• The difficulty here is not in the construction of the contents of the frame, but in getting it radiated (transmitted) by the station or an AP. This requires control over the firmware.

Wireless Network Probing

Wireless Network Probing
• Send cleverly constructed packets to a target that trigger useful responses.
• This activity is known as probing or active scanning.
• The target can discover that it is being probed.

Active Attacks
• An attacker can connect to an AP and obtain an IP address from the DHCP server.
• A business competitor can use this kind of attack to get customer information which is confidential to an organization.

Detection of SSID
• Beacon transmission is disabled, and the attacker does not wish to wait …
• Inject a probe request frame using a spoofed source MAC address.
• The probe response frame from the APs will contain, in the clear, the SSID and other information similar to that in the beacon frames.

Detection of APs and stations
• Certain bits in the frames identify that the frame is from an AP.
• If we assume that WEP is either disabled or cracked, the attacker can also gather the IP addresses of the AP and the stations.

Detection of Probing
• The frames that an attacker injects can be sniffed by a sys admin.
• GPS-enabled equipment can identify the physical coordinates of a transmitting device.
AP Weaknesses

Poorly Constructed WEP key
• The default WEP keys used are often too trivial.
• APs use simple techniques to convert the user’s keyboard input into a bit vector.
  – Usually 5 or 13 ASCII printable characters are directly mapped by concatenating their ASCII 8-bit codes into a 40-bit or 104-bit WEP key.
  – A stronger 104-bit key can be constructed from 26 hexadecimal digits.
• It is possible to form an even stronger 104-bit WEP key by truncating the MD5 hash of an arbitrary length pass phrase.
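The three key constructions on this slide side by side, added here as an example (not the talk's code, and not any vendor's generator). Each mapping is implemented with its length check, and max_entropy_bits shows why the ASCII mapping wastes key space: 95 printable characters per byte rather than 256. The MD5 variant assumes plain MD5 over the UTF-8 passphrase, which is an assumption, since vendors' generators differ.

```python
import hashlib
import math


def key_from_ascii(text: str) -> bytes:
    """First mapping: 5 or 13 printable ASCII characters become the 40- or 104-bit
    key byte for byte (the ASCII code of each character is the key byte)."""
    if len(text) not in (5, 13) or not (text.isascii() and text.isprintable()):
        raise ValueError("need exactly 5 or 13 printable ASCII characters")
    return text.encode("ascii")


def key_from_hex(digits: str) -> bytes:
    """Second mapping: 10 or 26 hexadecimal digits (every bit of the key is free)."""
    if len(digits) not in (10, 26):
        raise ValueError("need 10 or 26 hex digits")
    return bytes.fromhex(digits)          # raises ValueError on non-hex input


def key_from_passphrase_md5(passphrase: str, key_bits: int = 104) -> bytes:
    """Third mapping: truncate the MD5 hash of an arbitrary-length passphrase.
    Assumption: MD5 over the UTF-8 passphrase; vendor generators may differ."""
    if key_bits not in (40, 104):
        raise ValueError("WEP keys are 40 or 104 bits")
    return hashlib.md5(passphrase.encode("utf-8")).digest()[: key_bits // 8]


def max_entropy_bits(method: str, key_bytes: int) -> float:
    """Upper bound on the entropy a `key_bytes`-byte key can carry under each
    construction, assuming uniformly chosen input. For MD5 the bound is the
    truncation length; a low-entropy passphrase lowers it further."""
    if method == "ascii":
        return key_bytes * math.log2(95)  # 95 printable ASCII values per byte
    if method in ("hex", "md5"):
        return key_bytes * 8              # every bit of every byte is usable
    raise ValueError(f"unknown method {method!r}")


def compare_constructions(key_bytes: int = 13) -> dict:
    """Entropy bound (bits) per construction for a 40-bit (5) or 104-bit (13) key."""
    return {m: round(max_entropy_bits(m, key_bytes), 1) for m in ("ascii", "hex", "md5")}


if __name__ == "__main__":
    # Constructed inputs, not real keys.
    print(key_from_ascii("wsu40").hex(), key_from_hex("00112233445566778899aabbcc").hex())
    print(key_from_passphrase_md5("a long pass phrase typed by the admin").hex())
    print(compare_constructions(5), compare_constructions(13))
```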
Defeating MAC Filtering
• Typical APs permit access to only those stations with known MAC addresses.
• Easily defeated by the attacker
  – Spoofs his frames with a MAC address that is registered with the AP, chosen from among the ones that he collected through sniffing.
  – That a MAC address is registered can be detected by observing the frames from the AP to the stations.
Rogue AP
134
Rogue Networks
Rogue AP = an unauthorized access point
 Network users often set up rogue wireless
LANs to simplify their lives
 Rarely implement security measures
 Network is vulnerable to War Driving and
sniffing and you may not even know it

135
Access Point
Stronger or Closer
Access Point
SSID: “goodguy”
SSID: “badguy”
Wi-Fi Card
SSID: “goodguy”
“ANY”
“badguy”
136
Trojan AP
Corporate back-doors
 Corporate espionage

137
Trojan AP Mechanics







Create a competing wireless network.
AP can be actual AP or HostAP of Linux
Create or modify captive portal behind AP
Redirect users to “splash” page
DoS or theft of user credentials, or WORSE
Bold attacker will visit ground zero.
Not-so-bold will drive-by with an amp.
138
Choose your Wi-Fi weapon...
• Cisco Gear @ 100mW (20dBm)
• Senao Gear @ 200mW (23dBm)
• Use a 15dBd antenna with a Senao for 38dBd total... 6 WATTS!
• Normal Gear @ 25mW (14dBm)
• Vs 25mW? No contest!
139
Airsnarf
• Nothing special
• Simplifies HostAP, httpd, dhcpd, Net::DNS, and iptables setup
• Simple example rogue AP
144
Equipment Flaws
• Numerous flaws in equipment from well-known manufacturers
• Search on www.securityfocus.com with “access point vulnerabilities”
• Ex 1: by requesting a file named config.img via TFTP, an attacker receives the binary image of the AP configuration. The image includes the administrator’s password required by the HTTP user interface, the WEP encryption keys, MAC address, and SSID.
• Ex 2: yet another AP returns the WEP keys, MAC filter list, and administrator’s password when sent a UDP packet to port 27155 containing the string “gstsearch”.
145
Denial of Service
Denial of Service
• A system is not providing services to authorized clients because of resource exhaustion by unauthorized clients.
• DoS attacks are difficult to prevent
• Difficult to stop an on-going attack
• Victim and its clients may not even detect the attacks.
• Duration may range from milliseconds to hours.
• A DoS attack against an individual station enables session hijacking.
147
Jamming
• The hacker can use a high power RF signal generator to interfere with the ongoing wireless connection, making it useless.
• Can be avoided only by physically finding the jamming source.
148
Flooding with Associations
• AP inserts the data supplied by the station in the Association Request into a table called the association table.
• 802.11 specifies a maximum value of 2007 concurrent associations to an AP. The actual size of this table varies among different models of APs.
• When this table overflows, the AP refuses further clients.
• Attacker authenticates several non-existing stations using legitimate-looking but randomly generated MAC addresses. The attacker then sends a flood of spoofed association requests so that the association table overflows.
• Enabling MAC filtering in the AP will prevent this attack.
149
Deauth/Disassoc Management frame
• Attacker must spoof AP MAC address in Src Addr and BSSID
• Sequence Control field handled by firmware (not set by attacker)
150
Forged Disassociation
• Attacker sends a spoofed Disassociation frame where the source MAC address is set to that of the AP.
• To prevent reassociation, the attacker continues to send Disassociation frames for a desired period.
151
Forged Deauthentication
• When an Association Response frame is observed, the attacker sends a spoofed Deauthentication frame where the source MAC address is spoofed to that of the AP.
• The station is now unassociated and unauthenticated, and needs to reconnect.
• To prevent a reconnection, the attacker continues to send Deauthentication frames for a desired period.
• Neither MAC filtering nor WEP protection will prevent this attack.
152
First Stage – Deauth Attack
Airopeek Trace of Deauth Attack
153
First Stage – Deauth Attack
Decode of Deauthentication Frame
154
Power Management
• Power-management schemes place a system in sleep mode when no activity occurs
• The MS can be configured to be in continuous aware mode (CAM) or Power Save Polling (PSP) mode.
155
Power Saving
• Attacker steals packets for a station while the station is in Doze state.
  • The 802.11 protocol requires a station to inform the AP through a successful frame exchange that it wishes to enter the Doze state from the Active state.
  • Periodically the station awakens and sends a PS-Poll frame to the AP. The AP will transmit in response the packets that were buffered for the station while it was dozing.
  • This polling frame can be spoofed by an attacker, causing the AP to send the collected packets and flush its internal buffers.
  • An attacker can repeat these polling messages so that when the legitimate station periodically awakens and polls, the AP will inform it that there are no pending packets.
156
Man-in-the-Middle Attacks
Man-in-the-Middle Attacks
• Attacker on host X inserts X between all communication between hosts B and C, and neither B nor C is aware of the presence of X.
• All messages sent by B do reach C but via X, and vice versa.
• The attacker can merely observe the communication or modify it before sending it out.
158
MITM Via Deauth/Disassoc
• A hacker may use a Trojan AP to hijack mobile nodes by sending a stronger signal than the actual AP is sending to those nodes.
• The MS then associates with the Trojan AP, sending its data into the wrong hands.
159
MITM Attack
• Attacker takes over connections at layer 1 and 2
  • Attacker sends Deauthenticate frames
  • Race condition between attacker and AP
  • Attacker associates with client
  • Attacker associates with AP
  • Attacker is now inserted between client and AP
• Example:
  • Monkey jack, part of AirJack (http://802.11ninja.net/airjack/)
160
Wireless MITM
• Assume that station B was authenticated with C, a legitimate AP.
• Attacker X is a laptop with two wireless cards. Through one card, he presents X as an AP.
• Attacker X sends Deauthentication frames to B using C’s MAC address as the source, and the BSSID he has collected.
• B is deauthenticated and begins a scan for an AP and may find X on a channel different from C.
• There is a race condition between X and C.
• If B associates with X, the MITM attack has succeeded. X will re-transmit the frames it receives from B to C. These frames will have a spoofed source address of B.
161
The Monkey-Jack Attack
[Figure: attacker and victim, before Monkey-Jack]
162
The Monkey-Jack Attack
[Figure: attacker and victim, after Monkey-Jack]
163
First Stage – Deauth Attack
• Attack machine uses vulnerabilities to get information about AP and clients.
• Attack machine sends deauthentication frames to victim using the AP’s MAC address as the source
164
Second Stage – Client Capture
• Victim’s 802.11 card scans channels to search for new AP
• Victim’s 802.11 card associates with Trojan AP on the attack machine
  • Attack machine’s fake AP is duplicating MAC address and ESSID of real AP
  • Fake AP is on a different channel than the real one
165
Third Stage – Connect to AP
• Attack machine associates with real AP using MAC address of the victim’s machine.
• Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper level protocols
166
The Monkey – Jack Attack
167
Monkey-Jack Detection
Why do I hear my MAC Address as the Src
Addr? Is this an attack? Am I being spoofed?
168
Beginning of a MITM IDS Algorithm
169
ARP Poisoning
• ARP poisoning is an attack technique that corrupts the ARP cache that the OS maintains with wrong MAC addresses for some IP addresses.
• ARP cache poisoning is an old problem in wired networks.
• ARP poisoning is one of the techniques that enables the man-in-the-middle attack.
• ARP poisoning on wireless networks can affect wired hosts too.
170
Session Hijacking
• Session hijacking occurs when an attacker causes a user to lose his connection, and the attacker assumes his identity and privileges for a period.
• An attacker temporarily disables the user’s system, say by a DoS attack or a buffer overflow exploit. The attacker then takes the identity of the user. The attacker now has all the access that the user has. When he is done, he stops the DoS attack and lets the user resume. The user may not detect the interruption if the disruption lasts no more than a couple of seconds.
• Hijacking can be achieved by a forged disassociation DoS attack.
• Corporate wireless networks are set up so that the user is directed to an authentication server when his station attempts a connection with an AP. After the authentication, the attacker employs the session hijacking described above using spoofed MAC addresses.
171
War Driving
War Driving
• “The benign act of locating and logging wireless access points while in motion.” (http://www.wardrive.net/)
• This “benign” act is of course useful to the attackers.
173
War chalking
174
Typical Equipment
175
“Special” Equipment
• Possible: 8 mile range using a 24dB gain parabolic dish antenna.
• PC cards vary in power.
  • Typical: 25mW (14dBm)
  • Cisco: 100mW (20dBm)
  • Senao: 200mW (23dBm)
176
War Driving
• Default installation allows any wireless NIC to access the network
• Drive around (or walk) and gain access to wireless networks
• Provides direct access behind the firewall
177
Software Tools
178
802.11 Attack Tools
• The following are all freeware
  • Airsnort (Linux)
  • WEPcrack (Linux)
  • Kismet (Linux)
  • Wellenreiter (Linux)
  • NetStumbler (Windows)
  • MiniStumbler (PocketPC)
  • BSD-Airtools (*BSD)
  • Aerosol (Windows)
179
802.11 Network Security Tools
• AiroPeek / AiroPeek NX: Wireless frame sniffer / analyzer, Windows
• AirTraf: Wireless sniffer / analyzer / “IDS”
• AirSnort: WEP key “cracker”
• BSD Airtools: Ports for common wireless tools, very useful
• NetStumbler: Access point enumeration tool, Windows, free
180
Ettercap
• Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
• It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.
181
Weapons Of Mass Disruption
• Many tools are new and notable in the world of wireless attacking:
  • libradiate – a library
  • airtraf
  • kismet
  • air-jack family
  • thc-rut – The Hacker’s Choice
182
libradiate
• Radiate is a C library similar in practice to Libnet but designed for "802.11 frame reading, creation and injection."
• Libnet builds layer 3 and above
• Libradiate builds 802.11 frames
• Disperse, an example tool built using libradiate, is fully functional
183
libradiate
• Frame types and subtypes
  • Beacon: transmitted often, announcing a WLAN
  • Probe request: a client frame, "anyone out there?"
  • Association: client and server exchange, "can I play?"
  • Disassociate: "no soup for you!"
  • RTS/CTS: ready/clear to send frames
  • ACK: Acknowledgement
• Radiate allows construction of these frames very easily.
184
airtraf
• More a tool for the good guys, but noteworthy nonetheless
• http://airtraf.sourceforge.net/
• http://www.elixar.com (Elixar, Inc)
185
netstumbler
• ‘stumbler certainly deserves a mention, as it is and was the most popularized wireless network detection tool around
• Windows based, it supports GPS but lacks many features required by a REAL wireless security hacker...
• http://www.netstumbler.com
186
stumbler vs. stumbverter
thanks to fr|tz @ www.mindthief.net for map data!
187
stumbler vs. stumbverter
thanks to fr|tz @ www.mindthief.net for map data!
188
stumbler vs. stumbverter
thanks to fr|tz @ www.mindthief.net for map data!
189
kismet
• A wireless network sniffer that
  • Segregates traffic
  • Detects IP blocks
  • Decloaks SSIDs
  • Detects factory default configurations
  • Detects netstumbler clients
  • Maps wireless points
190
kismet
191
kismet
192
kismet - gpsmap
Included with kismet, gpsmap gives a great look at captured wireless nodes.
./gpsmap -S 2 -s 12 -r
193
kismet - gpsmap
Included with kismet, gpsmap gives a great look at captured wireless nodes.
./gpsmap -S 2 -s 14 -r -t
194
kismet - gpsmap
Included with kismet, gpsmap gives a great look at captured wireless nodes.
./gpsmap -r -t
195
air-jack
• Not a tool, a family of post-detection tools based on the air-jack driver.
• wlan-jack: spoofs a deauthentication frame to force a wireless user off the net. Shake, repeat forever. Victim is GONE!
• essid-jack: wlan-jacks a victim then sniffs the SSID when the user reconnects.
• monkey-jack: wlan-jacks a victim, then plays man-in-the-middle between the attacker and the target.
• kracker-jack: monkey-jacks a WLAN connection protected by MAC filtering and an IPSec-secured VPN!
196
air-jack
• http://802.11ninja.net/
• Robert Baird & Mike Lynn’s excellent presentation lays out the attacks available to air-jack users.
  • http://www.blackhat.com/presentations/bh-usa02/baird-lynn/bh-us-02-lynn-802.11attack.ppt
197
thc-rut
• A set of post-detection tools
198
Wireless Security Best Practices
• Location of the APs
• Network segmentation
  • Treat the WLAN as an untrusted network
• RF signal shaping
• Continually check for unauthorized (“rogue/Trojan”) APs
200
Proper Configuration
• Change the default passwords
• Use WEP, however broken it may be
• Don't use static keys, change them frequently
• Don't allow connections with an empty SSID
• Don't broadcast your SSID
• Use a VPN and MAC address filtering with strong mutual authentication
• Wireless IDS/monitoring (e.g., www.airdefense.net)
201
Proper Configuration
• Most devices have multiple management interfaces
  • HTTP
  • Telnet
  • FTP
  • TFTP
  • SNMP
• Disable unneeded services / interfaces
• Stay current with patches
202
Remedies
• Secure Protocol Techniques
  • Encrypted messages
  • Digitally signed messages
  • Encapsulation/tunneling
• Use strong authentication
203
Wireless IDS
• A wireless intrusion detection system (WIDS) is often a self-contained computer system with specialized hardware and software to detect anomalous behavior.
• The special wireless hardware is more capable than the commodity wireless card, including the RF monitor mode, detection of interference, and keeping track of signal-to-noise ratios.
• It also includes GPS equipment so that rogue clients and APs can be located.
• A WIDS includes one or more listening devices that collect MAC addresses, SSIDs, features enabled on the stations, transmit speeds, current channel, encryption status, beacon interval, etc.
204
Wireless IDS
• The WIDS computing engine should be powerful enough that it can dissect frames and WEP-decrypt them into IP and TCP components. These can be fed into TCP/IP related intrusion detection systems.
• Unknown MAC addresses are detected by maintaining a registry of MAC addresses of known stations and APs.
• Can detect spoofed known MAC addresses because the attacker could not control the firmware of the wireless card to insert the appropriate sequence numbers into the frame.
205
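As an added example (not code from the deck or from any tool it names), a small Python WIDS pass over a constructed frame trace that applies the checks described on this slide together with those implied by the earlier Rogue Networks, Forged Deauthentication and Monkey-Jack Detection slides: a registry of known BSSIDs, a deauth/disassoc burst rate, sequence-number discontinuities on a known MAC, and a station hearing its own MAC as source. The MAC addresses, thresholds and frame-record fields are assumptions.

```python
from collections import defaultdict, deque

# Added example, not the slides' own code: a minimal WIDS pass over a constructed
# trace of 802.11 frames as a monitor-mode sniffer would log them. Frame fields:
# t (s), subtype, src, bssid, seq (12-bit), ssid (beacons), sent_by_me (ours).

SEQ_MOD = 4096        # 802.11 sequence numbers wrap at 12 bits
SEQ_JUMP = 64         # a larger jump from a known MAC suggests a second radio
DEAUTH_WINDOW = 1.0   # seconds
DEAUTH_LIMIT = 5      # deauth/disassoc frames per window before alerting

AP = "00:11:22:33:44:55"      # constructed: the legitimate AP for SSID goodguy
ROGUE = "66:77:88:99:aa:bb"   # constructed: a Trojan AP cloning that SSID
ME = "aa:bb:cc:dd:ee:01"      # constructed: the monitoring station itself

def seq_gap(prev, cur):
    """Forward distance from prev to cur modulo 4096 (wrap-safe)."""
    return (cur - prev) % SEQ_MOD

def analyze(frames, known_aps, my_mac=None):
    """Return (rule, detail) alerts; known_aps maps SSID -> set of authorised BSSIDs."""
    alerts, last_seq = [], {}
    recent_deauth = defaultdict(deque)           # claimed AP MAC -> timestamps
    authorised = {b for bs in known_aps.values() for b in bs}
    for f in frames:
        src, sub = f["src"], f["subtype"]
        # 1. A BSSID not registered for the SSID it advertises: rogue/Trojan AP.
        if sub == "beacon" and f.get("ssid") in known_aps and f["bssid"] not in known_aps[f["ssid"]]:
            alerts.append(("rogue_ap", f"{f['bssid']} beacons {f['ssid']!r}"))
        # 2. Burst of deauth/disassoc frames claiming an authorised AP as source.
        if sub in ("deauth", "disassoc") and src in authorised:
            q = recent_deauth[src]
            q.append(f["t"])
            while f["t"] - q[0] > DEAUTH_WINDOW:
                q.popleft()
            if len(q) == DEAUTH_LIMIT:
                alerts.append(("deauth_flood", f"{len(q)} frames from {src} within {DEAUTH_WINDOW}s"))
        # 3. Sequence-number discontinuity: the firmware counter of a second card
        #    using a known MAC will not line up with the legitimate one.
        if src in last_seq and seq_gap(last_seq[src], f["seq"]) > SEQ_JUMP:
            alerts.append(("seq_anomaly", f"{src} seq {last_seq[src]} -> {f['seq']}"))
        last_seq[src] = f["seq"]
        # 4. Monkey-Jack check: we hear our own MAC as source on frames we never sent.
        if my_mac and src == my_mac and not f.get("sent_by_me"):
            alerts.append(("own_mac_spoofed", f"{sub} seq {f['seq']} claims my address"))
    return alerts

def fr(t, sub, src, seq, **extra):
    return dict(t=t, subtype=sub, src=src, bssid=src, seq=seq, **extra)

def sample_trace():
    """Constructed trace: legitimate AP, an evil twin, a deauth burst, a spoofed station."""
    frames = [fr(0.0, "beacon", AP, 100, ssid="goodguy"),
              fr(0.1, "assoc_resp", AP, 101),
              fr(0.2, "beacon", ROGUE, 7, ssid="goodguy")]
    frames += [fr(0.3 + 0.1 * i, "deauth", AP, 3000 + i) for i in range(5)]
    frames += [fr(0.8, "beacon", AP, 102, ssid="goodguy"),
               fr(0.9, "probe_req", ME, 10, sent_by_me=True),
               fr(1.0, "data", ME, 700)]
    return frames, {"goodguy": {AP}}, ME

def run_sample():
    frames, known, me = sample_trace()
    return analyze(frames, known, me)

if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule:16s} {detail}")
```

The deauth burst trips both the rate rule and the sequence rule: the forged frames carry the attacker's own counter, so the legitimate AP's next beacon looks like a jump too.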
Wireless Auditing
• Periodically, every wireless network should be audited.
• Several audit firms provide this service for a fee.
• A security audit begins with a well-established security policy.
• A policy for wireless networks should include a description of the geographical volume of coverage.
• The goal of an audit is to verify that there are no violations of the policy.
206
Newer Standards and Protocols
207
WLAN Security Timeline
208
Cisco LEAP Overview
• Provides centralized, scalable, user-based authentication
• Algorithm requires mutual authentication
  • Network authenticates client, client authenticates network
• Uses 802.1X for 802.11 authentication messaging
  • APs will support WinXP’s EAP-TLS also
• Dynamic WEP key support with WEP key session timeouts
209
LEAP Authentication Process
[Figure: message sequence between Client, AP and RADIUS Server. Labels: Start; Request Identity; Identity; AP Blocks All Requests Until Authentication Completes; Identity; RADIUS Server Authenticates Client; Client Authenticates RADIUS Server; Derive Key; Broadcast Key; Key Length; Derive Key; AP Sends Client Broadcast Key, Encrypted with Session Key]
210
802.11i
• Takes base 802.1X and adds several features
• Wireless implementations are divided into two groups: legacy and new
  • Both groups use 802.1x for credential verification, but the encryption method differs
  • Legacy networks must use 104-bit WEP, TKIP and MIC
  • New networks will be same as legacy, except that they must replace WEP/TKIP with advanced encryption standard – operation cipher block (AES-OCB)
211
Wi-Fi Protected Access (WPA)
• Security solution based on IEEE standards
• Replacement for WEP
• Designed to run on existing hardware as a software upgrade, Wi-Fi Protected Access is derived from and will be forward-compatible with the upcoming IEEE 802.11i standard
• Two main features are:
  • enhanced encryption using TKIP
  • user authentication via 802.1x and EAP
212
Other Vulnerabilities
• In February 2002, Arunesh Mishra and William Arbaugh described several design flaws in the combination of the IEEE 802.1X and IEEE 802.11 protocols that permit man-in-the-middle and session hijacking attacks.
• LEAP-enabled Cisco wireless networks are vulnerable to dictionary attacks (a la “anwrap”)
• Attackers can compromise other VPN clients within a “wireless DMZ” and piggyback into the protected network.
213
Secure LAN (SLAN)
• Intent is to protect the link between a wireless client and the (assumed) more secure wired network
• Similar to a VPN and provides server authentication, client authentication, data privacy, and integrity using per-session and per-user short-life keys
• Simpler and more cost efficient than a VPN
• Cross-platform support and interoperability, not highly scalable, though
• Supports Linux and Windows
• Open Source (slan.sourceforge.net)
214
SLAN Architecture
215
SLAN Steps
1. Client/Server Version Handshake
2. Diffie-Hellman Key Exchange
3. Server Authentication (public key fingerprint)
4. Client Authentication (optional) with PAM on Linux
5. IP Configuration – IP address pool and adjust routing table
216
SLAN Client
[Figure: SLAN client stack. A Client Application (ie Web Browser) in a User Space Process exchanges Plaintext Traffic with the SLAN Driver; the SLAN Driver exchanges Encrypted Traffic with the SLAN Server through the Physical Driver]
217
Intermediate WLAN
• 11-100 users
• Can use MAC addresses, WEP and rotate keys if you want.
• Some vendors have limited MAC storage ability
• SLAN also an option
• Another solution is to tunnel traffic through a VPN
218
Intermediate WLAN Architecture
219
VPN
• Provides a scalable authentication and encryption solution
• Does require end user configuration and a strong knowledge of VPN technology
• Users must re-authenticate if roaming between VPN servers
220
VPN Architecture
221
VPN Architecture
222
Enterprise WLAN
• 100+ users
• Reconfiguring WEP keys not feasible
• Multiple access points and subnets
• Possible solutions include VLANs, VPNs, custom solutions, and 802.1x
223
VLANs
• Combine wireless networks on one VLAN segment, even geographically separated networks.
• Use 802.1Q VLAN tagging to create a wireless subnet and a VPN gateway for authentication and encryption
224
VLAN Architecture
225
Customized Gateway
• Georgia Institute of Technology
• Allows students with laptops to log on to the campus network
• Uses VLANs, IP Tables, and a Web browser
• No end user configuration required
  • User accesses a web site and enters a userid and password
  • Gateway runs specialized code authenticating the user with Kerberos and packet filtering with IPTables, adding the user’s IP address to the allowed list to provide network access
226
Gateway Architecture
227
Temporal Key Integrity Protocol (TKIP)
• 128-bit shared secret – “temporal key” (TK)
  • Mixes the transmitter's MAC address with TK to produce a Phase 1 key.
  • The Phase 1 key is mixed with an initialization vector (IV) to derive per-packet keys.
  • Each key is used with RC4 to encrypt one and only one data packet.
• Defeats the attacks based on “Weaknesses in the key scheduling algorithm of RC4” by Fluhrer, Mantin and Shamir
• TKIP is backward compatible with current APs and wireless NICs
228
Message Integrity Check (MIC)
• MIC prevents bit-flip attacks
• Implemented on both the access point and all associated client devices, MIC adds a few bytes to each packet to make the packets tamper-proof.
229
Conclusion
• Some predictions are that the market for wireless LANs will be $2.2 billion in 2004, up from $771 million in 2000.
• Current 802.11 security state is not ideal for sensitive environments.
• Wireless Networks at home …
230