Wireless LAN Pen-Testing. Part I
- Malcolm Lawrence Reynolds
- 8 years ago
1 Wireless LAN Pen-Testing Part I To know your Enemy, you must become your Enemy (Sun Tzu, 600 BC) Georg Penn
2 Motivation: Read manuals, documentation, standards. Check sources for their reliability, though! Tools are there to assist you, not to cripple your thinking; the only limit is your imagination. Don't be limited by your imagination. Creativity, curiosity and patience are as important as knowledge. Exercise on a regular basis (at least 5hrs/week).
3 Presentation Conventions: Terminal commands will be mono-space blue: echo foo > bar. Unless stated otherwise, we will use wlan0 as the name of the original and mon0 as the monitor-mode interface. The target Access Point will be called WirelessLab and be configured to Channel 11.
4 Why WLAN Security? Integrated in lots of devices (Laptops, Mobile Phones, Embedded Devices...). Connects to the Internet. How do you protect something you cannot see? Extends beyond boundary walls. Difficult to locate attacker. Passive attacks can be done from miles away.
5 WLAN Security Setup: Wireless Card: ALFA AWUS036H (USB); allows for packet sniffing; allows for packet injection; well integrated into Backtrack 5; not too expensive (check out Amazon). Tools: Mainly Aircrack-ng suite, Wireshark and some others. OS: Backtrack 5, as all tools are already installed on Backtrack 5.
6 Wireless Sniffing Basics: Wireless sniffing concepts are similar to the ones for the wired world. In the wired world we have promiscuous mode. In the wireless world we have a concept called monitor mode. We can use Airmon-ng to put our card into monitor mode, e.g. airmon-ng start wlan0
7 Lab-1.1: Simple Sniffing: Check if other processes (e.g. dhclient3, etc.) interfere with Airmon-ng: airmon-ng check; airmon-ng check kill. Put card into monitor mode (e.g. on wlan0); we actually create a monitor mode interface: airmon-ng start wlan0. Start Wireshark on the monitor-mode interface created by Airmon-ng (e.g. mon0) to sniff traffic.
8 Basic Service Set (BSS): A set of stations associated with a local or enterprise Wireless LAN. Station (STA): Any device that contains an IEEE 802.11 conformant medium access control (MAC) and physical layer (PHY) interface to the wireless medium (WM). BSS come in two flavors: Independent BSS (IBSS) and Infrastructure BSS (never called an IBSS).
9 Basic Service Set (cont'd): IBSS is also referred to as an ad-hoc network. We are only dealing with Infrastructure BSS.
10 BSSID: Identifies different wireless LANs in the same area. In infrastructure networks, the BSSID is the MAC address of the Access Point. In an IBSS (ad-hoc network) the BSSID is randomly generated by the STA (client) that creates the network.
11 Distribution System (DS): A system used to interconnect a set of basic service sets (BSSs) and integrated local area networks (LANs) to create an extended service set (ESS).
12 Extended Service Set (ESS): A set of one or more interconnected BSSs that appears as a single BSS to the logical link control (LLC) layer at any station (STA) associated with one of those BSSs.
13 Frequency Ranges: Wireless can operate in 3 different frequency ranges: 2.4 GHz 802.11b/g/n (we will only cover 2.4 GHz); 3.6 GHz 802.11y; 4.9/5.0 GHz 802.11a/h/j/n. Each of these ranges is divided into a multitude of channels. Countries apply their own regulations to both the allowable channels and maximum power levels within these frequency ranges.
14 2.4 GHz Wireless Channels
15 Wireless Channels (cont'd): However, wireless cards with a single radio can only be on one channel at a given time! Hence, we cannot sniff on all channels and bands at the same time. Best we can do is time-division multiplexing (hop). Bands we can operate on depend on our hardware capability (wifi card): ALFA AWUS036H supports 802.11b/g. Country regulations can simply be overcome but this could be illegal!
16 Lab-1.2: Channels: We can bind the card to a specific channel: iwconfig wlan0 channel 11. Make our card hop channels (this assumes we already have a monitor-mode interface mon0): airodump-ng mon0. By default Airodump-ng hops on 2.4 GHz channels, but the frequency band can also be set: airodump-ng --band bg mon0. Check manuals for further options.
17 Wireless LAN Frames: 3 Types of frames: Management (0x00, binary 00), Control (0x01, binary 01), Data (0x02, binary 10). Each of these types also has several defined Subtypes. For more details see IEEE Specification:
18 Types And Subtypes
19 Types And Subtypes (cont'd)
20 Know Your Access Point (AP): The AP is configured with a Service Set Identifier (SSID). The SSID indicates the identity of an ESS or IBSS (simply put: the name of the AP or of a network consisting of multiple APs). The AP periodically sends out broadcast frames (Beacon Frames) to announce its presence. Clients use these frames to show a list of available wireless networks.
21 Beacon Frames (0x08): Are management frames with Type 0x00 and Subtype 0x08. Beacon Frames are used by the AP to broadcast its SSID, to announce its capability (e.g. Supported Rates), and to indicate the current channel the AP is residing on. Beacon Frames are always transmitted in plaintext. Hence anyone can create and transmit Beacon Frames (card has to support injection)!
22 Lab-1.3: Beacon Frames: Create a monitor mode interface. Use Wireshark to capture traffic on the monitor mode interface. Find a Beacon Frame. What's the SSID of the AP which sent this frame? What are the capabilities of the AP? Which channel is the AP currently configured to? What else can we find out (poke around)?
23 Probe Request / Response: Once we bring up a client's wireless interface it broadcasts Probe Requests to see which APs (networks) are available. This is sometimes called a Null-Probe-Request. The client can also send Probe Requests for a specific SSID (e.g. if the client is configured for this specific AP). Any AP in range replies with a Probe Response which contains e.g. the AP's SSID and channel.
24 Authentication Phase (OPN): Once a client connects to an open (not encrypted) AP or network the authentication process takes place. Client sends an authentication request (SEQ: 1). Server sends an authentication response (SEQ: 2). As we are dealing with an open network, no key exchange whatsoever is taking place. After successful authentication the association phase begins.
25 Association Phase: First the client sends an association request where the client tells the AP its capabilities (we will not go into details here). If the AP is satisfied it sends back an association response. After the successful association phase, data transfer between the client and the AP starts.
26 Demo-1.1: We create an open authentication based AP. SSID: WirelessLab (case sensitive!). Channel 11. Connect a client to it (Smart Phone, Laptop,...). Collect all frames (packets) using Wireshark. We make sure our card is on the same channel. Analyze the flow and try to confirm our previously made assumptions.
27 Summary
28 State Machine
29 Dissecting the Frame: Understanding things at the frame level is essential for advanced topics; frames don't lie!
30 IEEE 802.11 Frame Format: Presence of fields depends on Type / Subtype. So an IEEE 802.11 Frame at least needs: Frame Control, Duration / ID, Address 1, Frame Check Sequence (CRC).
31 Frame Control
32 Frame Control - Protocol Version: Protocol Version, 2 Bits. Always 0 at the moment. May change if there is a major revision which is not backward compatible anymore.
33 Frame Control - Type: Type, 2 Bits. Management (Binary 00), Control (Binary 01), Data (Binary 10).
34 Frame Control - Subtype: Subtype, 4 Bits. Subtype could be something like: Beacon, Probe Response, Request to Send (RTS), etc. Beacon Frame: Binary 1000 = 0x08. Refer to IEEE Standard for details.
35 Frame Control - To / From DS (To DS / From DS: Meaning): 0 / 0: STA to STA in same IBSS, Management and Control Frames, e.g. Beacon Frames. 0 / 1: Exiting the Distribution System (DS), e.g. AP sends a Data Frame to a wireless client. 1 / 0: Entering the DS, e.g. wireless client sends a Data Frame to the AP, maybe destined for a host on the Internet. 1 / 1: Used in Wireless DS (WDS); allows a wireless network to be expanded using multiple access points without the traditional wired backbone.
36 Frame Control - Other 1 Bit Flags: More Fragments: Set if more fragments are to come; only applicable to Management and Data Frames. Retry: Set if the Frame has been retransmitted; only applicable to Management and Data Frames; helps eliminate duplicates.
37 Frame Control - Other 1 Bit Flags: Power Management: Set if STA runs in power save mode (PS mode); always set to 0 in Frames transmitted by the AP. More Data: If STA is in PS mode, AP queues up data; set to inform STA that there is data available.
38 Frame Control - Other 1 Bit Flags: Protected Frame: Set if Frame Body is encrypted; applies to Data Frames and Management Frames of type Authentication. Order: Indicates that all received Frames must be processed in order.
39 Demo-1.2: Reading raw Frame data is a bit tricky. We read 0x08 as Type and Subtype, how does this make sense? Bit 1 and Bit 0 indicate Protocol Version (00). Bit 3 and Bit 2 indicate the Type (10, Data). Bit 7 to Bit 4 indicate the Subtype (0000, Data). Bit indexes 7 to 0: binary value 0000 1000, hex value 0 8.
40 Challenge-1.1 Frame Control ff ff ff ff ff ff f4 6d 04 a0 cc b1 f4 6d 04 a0 cc b e1 f8 5b 6b b c c b c b a f c dd f c cd f1 8e What kind of Frame is it (Type / Subtype)? And where is the catch?
41 Challenge-1.1 Solution: We are only interested in 2 Bytes: 0x80 0x10. Let's look at 0x80 in binary (bit indexes 7 to 0: 1000 0000): Bits 1-0 = 00: Protocol Version. Bits 3-2 = 00: Type (Management). Bits 7-4 = 1000: Subtype (0x08, Beacon). Beacon Frames are sent from AP only!
42 Challenge-1.1 Solution (cont'd): Let's look at 0x10 in binary (bit indexes 7 to 0: 0001 0000): From / To DS: 0 0; More Fragments: 0; Retry: 0; Power Management: 1; More Data: 0; Protected Frame: 0; Order: 0. Oops: Pwr Mgt Flag is always 0 for AP!
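The bit-level reading from Demo-1.2 and Challenge-1.1, written out as a small decoder with the consistency rules the Frame Control slides state. This is an added example, not part of the original slides; the function names, the subtype table (limited to frames the slides mention) and the finding strings are chosen here for illustration.

```python
"""Decode the 2-byte 802.11 Frame Control field and check it against
the rules stated on the Frame Control slides (added example)."""

TYPES = {0: "Management", 1: "Control", 2: "Data"}

# (type, subtype) -> name, only for frames named in the slides.
SUBTYPES = {
    (0, 0x0): "Association Request",
    (0, 0x1): "Association Response",
    (0, 0x4): "Probe Request",
    (0, 0x5): "Probe Response",
    (0, 0x8): "Beacon",
    (0, 0xA): "Disassociation",
    (0, 0xB): "Authentication",
    (0, 0xC): "Deauthentication",
    (1, 0xB): "Request to Send (RTS)",
    (2, 0x0): "Data",
}

# Bit 0 .. bit 7 of the second Frame Control byte.
FLAG_NAMES = ("To DS", "From DS", "More Fragments", "Retry",
              "Power Management", "More Data", "Protected Frame", "Order")


def decode_frame_control(fc):
    """Split the first two bytes of a frame into version, type, subtype, flags."""
    if len(fc) < 2:
        raise ValueError("Frame Control is 2 bytes long")
    b0, b1 = fc[0], fc[1]
    ftype = (b0 >> 2) & 0b11        # bits 3-2 of the first byte
    subtype = (b0 >> 4) & 0b1111    # bits 7-4 of the first byte
    return {
        "version": b0 & 0b11,       # bits 1-0 of the first byte
        "type": ftype,
        "type_name": TYPES.get(ftype, "Reserved"),
        "subtype": subtype,
        "subtype_name": SUBTYPES.get((ftype, subtype), "other (see the standard)"),
        # Type and subtype combined the way Wireshark displays them
        # (wlan.fc.type_subtype): Beacon = 0x08, plain Data = 0x20.
        "type_subtype": (ftype << 4) | subtype,
        "flags": {name: bool((b1 >> bit) & 1)
                  for bit, name in enumerate(FLAG_NAMES)},
    }


def check_consistency(fc):
    """Return a list of findings where the flags contradict the slide rules."""
    d = decode_frame_control(fc)
    f = d["flags"]
    findings = []
    if d["version"] != 0:
        findings.append("Protocol Version is not 0")
    if d["type"] in (0, 1) and (f["To DS"] or f["From DS"]):
        findings.append("To/From DS set on a Management or Control frame")
    if d["type"] == 1 and (f["More Fragments"] or f["Retry"]):
        findings.append("More Fragments/Retry set on a Control frame")
    if d["subtype_name"] == "Beacon" and f["Power Management"]:
        findings.append("Power Management set on a Beacon (APs always send 0)")
    return findings


if __name__ == "__main__":
    samples = {
        "Demo-1.2 raw byte 0x08": bytes([0x08, 0x00]),
        "Challenge-1.1 bytes 0x80 0x10": bytes([0x80, 0x10]),
    }
    for label, fc in samples.items():
        d = decode_frame_control(fc)
        set_flags = [n for n, v in d["flags"].items() if v] or ["none"]
        print(f"{label}: {d['type_name']} / {d['subtype_name']} "
              f"(type_subtype 0x{d['type_subtype']:02x}), flags: {', '.join(set_flags)}")
        for finding in check_consistency(fc):
            print("  finding:", finding)
```

The same raw byte value 0x08 and the Beacon subtype 0x08 are different things: the first decodes to a Data frame, the second only appears once the subtype bits are shifted out of raw byte 0x80.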
43 Frame Format - Addresses: Value and presence depend on Type/Subtype; typically Source Address, Destination Address, BSSID. See IEEE Standard for more details.
44 Frame Format - Seq. Control: Sequence number of the Frame. Fragment number of the Frame. In case of fragmentation the SEQ No. is the same for all fragments belonging together.
45 Frame Body and FCS: Frame Body: Variable length field containing the payload (Management Frame details, actual data). Frame Check Sequence (FCS): 32-Bit CRC, calculated over all the fields of the MAC header and the Frame Body field.
46 Other Frame Header Fields: Refer to IEEE Standard for: Duration / ID, Quality of Service (QoS) Control. General Advice: If you are not sure about how things work always refer to standards if possible! Always take a hands-on approach and try out things yourself.
47 Beacon Frame: Announces the existence of a network (SSID). Many APs allow for hiding the SSID.
48 Probe Request: Mobile stations use Probe Requests to scan an area for existing networks. A Probe Request frame contains two fields: the SSID and the rates supported by the mobile station. The mobile station must support all the data rates required by the network.
49 Probe Response: Probe Responses are very similar to Beacons.
50 Other Management Frames: Refer to IEEE Standard for: Association Request/Response, Reassociation Request/Response, Disassociation, Authentication, Deauthentication, ATIM, Action.
51 Mission Completed It's time to kick ass and chew bubble gum!
52 Lab-1.4 Injection Test: Create a monitor mode interface. Find out the BSSID of our Access Point. We can use Aireplay-ng to inject Frames. Make sure your card is set to the correct channel! To perform an injection test you can issue: aireplay-ng --test -a <BSSID> mon0. This initially sends out broadcast probe requests. See Aircrack-ng documentation for details.
53 Recover Hidden SSID: Normally the SSID of the AP is advertised in Beacon Frames. Most APs allow you to create a hidden or visible network. Hidden networks do not broadcast the SSID. However, Probe Requests/Responses still do! Important: We must have at least one legitimate client connected or about to connect!
54 Demo-1.3 Recover Hidden SSID: Set AP to hide SSID (supported by most APs). Create a monitor mode interface on channel 11. Use Airodump-ng on channel 11 to sniff traffic: airodump-ng -c 11 mon0. Start Wireshark to capture on mon0. Connect a legitimate mobile client. Analyze captured traffic. What if the client was already connected to the AP?
55 Deauthentication Attack: Send deauthentication frames to one or more clients which are currently associated with a particular AP. Why would we do that? Recovering a hidden ESSID. Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate. Have clients connect to a spoofed AP. Useless if there are no associated clients.
56 State Machine - Revisited
57 Lab-1.5 Deauth Attack: Create a monitor mode interface. Find out the BSSID of the target AP. Use Aireplay-ng to deauthenticate all stations associated with the target: aireplay-ng --deauth 0 -a <BSSID> mon0. This sends disassociate frames to the clients which are currently associated with a particular access point; 0 means send them continuously.
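On the monitoring side, the traffic from this lab shows up as a burst of Deauthentication or Disassociation management frames for one BSSID. The following sliding-window counter is an added example, not part of the original slides; the one-second window, the threshold of 5, the MAC addresses and the sample capture are all constructed assumptions.

```python
"""Flag bursts of Deauthentication/Disassociation frames per BSSID
(added example; window and threshold are assumed values)."""
from collections import defaultdict, deque

DISASSOC, DEAUTH = 0xA, 0xC   # management subtypes


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_header(frame):
    """Return (subtype, dst, src, bssid) for a management frame, else None.
    Layout: Frame Control(2) Duration(2) Addr1=DA(6) Addr2=SA(6) Addr3=BSSID(6) SeqCtl(2)."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if fc0 & 0b11 != 0 or (fc0 >> 2) & 0b11 != 0:   # version 0, type Management
        return None
    return fc0 >> 4, mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])


def detect_deauth_floods(capture, window=1.0, threshold=5):
    """capture: (timestamp_seconds, frame_bytes) pairs sorted by time.
    Returns {bssid: {"first_seen": ts, "peak": n}} for every BSSID that saw
    at least `threshold` deauth/disassoc frames within `window` seconds.
    Source addresses are spoofable, so the key is the BSSID, not the sender."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, frame in capture:
        hdr = parse_mgmt_header(frame)
        if hdr is None or hdr[0] not in (DEAUTH, DISASSOC):
            continue
        bssid = hdr[3]
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:      # drop timestamps that left the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(bssid, {"first_seen": q[0], "peak": 0})
            alert["peak"] = max(alert["peak"], len(q))
    return alerts


# ---- constructed sample capture (no real network data) ----
def sample_frame(fc0, dst, src, bssid, body=b""):
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return bytes([fc0, 0x00]) + b"\x00\x00" + raw(dst) + raw(src) + raw(bssid) + b"\x00\x00" + body

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP_A, AP_B = "02:00:00:00:00:aa", "02:00:00:00:00:bb"   # constructed addresses
CLIENT = "02:00:00:00:00:01"
REASON = b"\x01\x00"                                    # reason code field, value constructed

SAMPLE_CAPTURE = sorted(
    [(9.0, sample_frame(0x80, BROADCAST, AP_A, AP_A)),           # beacons are ignored
     (9.1, sample_frame(0x80, BROADCAST, AP_A, AP_A)),
     (11.0, sample_frame(0x08, CLIENT, AP_A, AP_A)),             # data frame is ignored
     (12.0, sample_frame(0xC0, CLIENT, AP_B, AP_B, REASON)),     # single deauth: normal
     (30.0, sample_frame(0xA0, CLIENT, AP_B, AP_B, REASON))]     # single disassoc: normal
    + [(10 + i / 10, sample_frame(0xC0, BROADCAST, AP_A, AP_A, REASON))
       for i in range(8)],                                       # 8 deauths in 0.7 s
    key=lambda item: item[0],
)

if __name__ == "__main__":
    for bssid, info in detect_deauth_floods(SAMPLE_CAPTURE).items():
        print(f"possible deauth flood on BSSID {bssid}: "
              f"{info['peak']} frames within 1 s, starting at t={info['first_seen']}")
```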
58 Soft Access Point: We can use Airbase-ng to set up a soft AP. Normal APs have two network devices (2 MAC): a wireless interface and a wired interface. Airbase-ng uses mon0 as its wireless interface and creates the TAP (virtual network) device at0 as the wired interface. at0 will not be up by default.
59 Lab-1.4 Soft AP: Set up a soft AP (ESSID is up to you): airbase-ng -e <ESSID> -c 11 mon0. Use airodump-ng on channel 11 - can you see your fake AP? Bring up at0: ifconfig at0 up. Use Wireshark to capture traffic on at0. Try to connect a client (e.g. mobile phone) to the fake AP. What is your client's IP?
60 Please Try This At Home! Create an Evil-Twin of your legitimate AP. Connect a client to the real AP. Force the client to connect to the Evil-Twin. Try to get IP level connectivity. Additions: Try to do a real Man-In-The-Middle-Attack (e.g. by bridging the at0 to wired eth0). Use Metasploit's Autopwn to attack your client.
61 Lessons Learned (so far): Spoofing frames is very simple. There is no protection mechanism available. This insecurity is the starting point for a lot of different attacks, e.g. DoS attacks on clients and APs, setting up fake APs, WEP or WPA cracking. In the wired world the attacker would have to be part of the network to do this!
62 Any Questions? Now we are here!
63 Always A Good Read: Matthew S. Gast: 802.11 Wireless Networks: The Definitive Guide, O'Reilly Media, 2005. Vivek Ramachandran: Backtrack 5 Wireless Penetration Testing Beginner's Guide, Packt Publishing, 2011. IEEE 802.11: Wireless Local Area Networks Standards (1200+ pages!).
64 What Is Planned? Part II: WEP, or "there's just two ways this can end, and in both of them, you die!" Part III: Understanding and attacking WPA/WPA2. Part IV: WPA2 enterprise and possible attacks. Part V: Where to go from here?
More informationMultiple WiFi Clients on a Single Wireless Card
Multiple WiFi Clients on a Single Wireless Card Juan M Torrescusa Supervisor: Andrea Bittau April 27, 2006 This report is submitted as part requirement for the BSc Degree in Computer Science at University
More informationWireless LAN Security: Securing Your Access Point
IJCSNS International Journal of Computer Science and Network Security, VOL.6 No.5B, May 2006 173 Wireless LAN Security: Securing Your Access Point Sia Sie Tung, Nurul Nadia Ahmad, Tan Kim Geok Faculty
More informationWireless Network Security. Pat Wilbur Wireless Networks March 30, 2007
Wireless Network Security Pat Wilbur Wireless Networks March 30, 2007 Types of Attacks Intrusion gain unauthorized access to a network in order to use the network or Internet connection Types of Attacks
More informationWireshark Hands-On Exercises
Wireshark Hands-On Exercises Step 1. Plug in the Airpcap USB device. Step 2. Step 3. Open Wireshark Start Wireless Tools Wireshark. Click on Capture Interfaces. Step 4. Choose the AirPcap USB adapter and
More informationWHITE PAPER. WEP Cloaking for Legacy Encryption Protection
WHITE PAPER WEP Cloaking for Legacy TM Encryption Protection Introduction Wired Equivalent Privacy (WEP) is the encryption protocol defined in the original IEEE 802.11 standard for Wireless Local Area
More informationProgramming Wireless Security. GAWN Gold Certification. Author: Robin Wood, robin@freedomsoftware.co.uk. Adviser:Joey Neim
Programming Wireless Security GAWN Gold Certification Author: Robin Wood, robin@freedomsoftware.co.uk Adviser:Joey Neim Accepted: November 12th 2007 Robin Wood 1 Table of Contents 1 Introduction...5 2
More informationIntroduction to WiFi Security. Frank Sweetser WPI Network Operations and Security fs@wpi.edu
Introduction to WiFi Security Frank Sweetser WPI Network Operations and Security fs@wpi.edu Why should I care? Or, more formally what are the risks? Unauthorized connections Stealing bandwidth Attacks
More informationWireless LAN Access Point. IEEE 802.11g 54Mbps. User s Manual
Wireless LAN Access Point IEEE 802.11g 54Mbps User s Manual Table of Contents Chapter 1 Introduction... 1 1.1 Package Contents...2 1.2 Features...2 1.3 Specifications...2 1.4 Physical Description...3 Chapter
More informationLecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References
Lecture Objectives Wireless Networks and Mobile Systems Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks Introduce security vulnerabilities and defenses Describe security functions
More informationLecture 17: 802.11 Wireless Networking"
Lecture 17: 802.11 Wireless Networking" CSE 222A: Computer Communication Networks Alex C. Snoeren Thanks: Lili Qiu, Nitin Vaidya Lecture 17 Overview" Project discussion Intro to 802.11 WiFi Jigsaw discussion
More informationVLANs. Application Note
VLANs Application Note Table of Contents Background... 3 Benefits... 3 Theory of Operation... 4 IEEE 802.1Q Packet... 4 Frame Size... 5 Supported VLAN Modes... 5 Bridged Mode... 5 Static SSID to Static
More informationTECHNICAL NOTE. GoFree WIFI-1 web interface settings. Revision Comment Author Date 0.0a First release James Zhang 10/09/2012
TECHNICAL NOTE GoFree WIFI-1 web interface settings Revision Comment Author Date 0.0a First release James Zhang 10/09/2012 1/14 Web interface settings under admin mode Figure 1: web interface admin log
More informationKey Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards
White Paper Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards By Dr. Wen-Ping Ying, Director of Software Development, February 2002 Introduction Wireless LAN networking allows the
More informationALL0233 Wireless-N USB Dongle User Guide
ALL0233 Wireless-N USB Dongle User Guide Table of Contents CHAPTER 1 INTRODUCTION... 1 Package Contents... 1 Features... 1 LEDs... 1 Operation... 2 CHAPTER 2 INITIAL INSTALLATION... 3 Requirements... 3
More informationAttenuation (amplitude of the wave loses strength thereby the signal power) Refraction Reflection Shadowing Scattering Diffraction
Wireless Physical Layer Q1. Is it possible to transmit a digital signal, e.g., coded as square wave as used inside a computer, using radio transmission without any loss? Why? It is not possible to transmit
More informationTube-U(G) Long-Range Outdoor IEEE 802.11g USB Adapter User s Guide
Tube-U(G) Long-Range Outdoor IEEE 802.11g USB Adapter User s Guide Alfa Network, Inc. Page 1 Table of Content Over view... 3 Unpacking information... 3 Introduction to the Tube-U(G) outdoor USB Adapter...
More informationOSBRiDGE 5XLi. Configuration Manual. Firmware 3.10R
OSBRiDGE 5XLi Configuration Manual Firmware 3.10R 1. Initial setup and configuration. OSBRiDGE 5XLi devices are configurable via WWW interface. Each device uses following default settings: IP Address:
More informationChapter 2 Wireless Networking Basics
Chapter 2 Wireless Networking Basics Wireless Networking Overview Some NETGEAR products conform to the Institute of Electrical and Electronics Engineers (IEEE) 802.11g standard for wireless LANs (WLANs).
More informationWireless LAN Security Mechanisms
Wireless LAN Security Mechanisms Jingan Xu, Andreas Mitschele-Thiel Technical University of Ilmenau, Integrated Hard- and Software Systems Group jingan.xu@tu-ilmenau.de, mitsch@tu-ilmenau.de Abstract.
More informationWireless Security: Secure and Public Networks Kory Kirk
Wireless Security: Secure and Public Networks Kory Kirk Villanova University Computer Science kory.kirk@villanova.edu www.korykirk.com/ Abstract Due to the increasing amount of wireless access points that
More informationWireless Pre-Shared Key Cracking (WPA, WPA2)
Wireless Pre-Shared Key Cracking (WPA, WPA2) TABLE OF CONTENTS Introduction... 2 Mechanics Of PSKs And How They Work Demystified... 2 How PSKs Can Be Cracked!... 5 WPA2 PSK Cracking Demonstration.... 6
More informationWL-5460AP. User s Manual. 54Mbps Multi-Function Wireless AP. AirLive WL-5460AP v2 User Manual
WL-5460AP 54Mbps Multi-Function Wireless AP User s Manual 1 Copyright The contents of this publication may not be reproduced in any part or as a whole, stored, transcribed in an information retrieval system,
More informationNXC5500/2500. Application Note. 802.11w Management Frame Protection. ZyXEL NXC Application Notes. Version 4.20 Edition 2, 02/2015
NXC5500/2500 Version 4.20 Edition 2, 02/2015 Application Note 802.11w Management Frame Protection Copyright 2015 ZyXEL Communications Corporation 802.11w Management Frame Protection Introduction IEEE 802.11w
More informationWhitepaper. Author: Jerome Henry. Editor: Marcus Burton. November 2011 Version 1.00
802.11s Mesh Networking Whitepaper Author: Jerome Henry Editor: Marcus Burton November 2011 Version 1.00 Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 What are mesh networks, and why an amendment
More informationYour 802.11 Wireless Network has No Clothes
Your 802.11 Wireless Network has No Clothes William A. Arbaugh Narendar Shankar Y.C. Justin Wan Department of Computer Science University of Maryland College Park, Maryland 20742 March 30, 2001 Abstract
More informationCS6956: Wireless and Mobile Networks Lecture Notes: 2/11/2015. IEEE 802.11 Wireless Local Area Networks (WLANs)
CS6956: Wireless and Mobile Networks Lecture Notes: //05 IEEE 80. Wireless Local Area Networks (WLANs) CSMA/CD Carrier Sense Multi Access/Collision Detection detects collision and retransmits, no acknowledgement,
More informationVirtual Access Points
Virtual Access Points Performance Impacts in an 802.11 environment and Alternative Solutions to overcome the problems By Thenu Kittappa Engineer Author: Thenu Kittappa Page 1 Virtual Access Points... 1
More informationWildPackets Guide to Wireless LAN Analysis
WildPackets Guide to Wireless LAN Analysis Executive Summary The market for wireless communications has grown rapidly since the introduction of 802.11 wireless local area networking (WLAN) standards. Business
More information