Wireless LAN Security Analysis & Diagnostic Tool

Transcription

1 Technion Israel Institute of Technology Department of Electrical Engineering Networked Software Systems Laboratory Final Report Wireless LAN Security Analysis & Diagnostic Tool Submitted By: Liran Manor Gal Leibovich Supervisor: Hai Vortman Winter 2008/09

2 Table of Contents 1 Introduction Background IEEE General Information Wireless Networks in Types of Networks Joining an Infrastructure Network Types of Frames Control Frames Managment Frames Data Frames Security Authentication Open System Authentication Shared Key Authentication X Authentication Higher Layer Authentication Techniques Encryption WEP TKIP (WPA) CCMP )WPA2) Higher Layer Security Protocols SSID Broadcast The Final Ranking Modes of NIC Operation Wireless Security Analyzer (WSA) The Software Technology Background Microsoft.NET Framework C# WSA Architecture Classes and Data Structures How to use Wireless Security Analyzer? Summary Page 2 of 45

3 7.1 Future Development References Appendixes List of Figures Managed Wi-Fi Class Library DOT11_Algorithm Enumeration Screenshots from the software Page 3 of 45

4 Acknowledgment This challenging project contributes an important experience to us in understanding the process of designing software, starting from the definitions stage and writing a requirement document, through implementing the software and its algorithms and data structures, until checking the software, and also in getting acquaintance with the exciting world of security in wireless networks. We would like to thank Mr. Hai Vortman for his making us acquainted with this interesting subject and for his help in the different stages of the project. Hai accompanied us during the project and advised us in solving problems and issues we have encountered and in promoting ideas we wanted to implement in the project. We also want to thank chief engineer of the lab, Dr Ilana David, for her help and support in every question and problem we have asked her. Page 4 of 45

5 1. Introduction Wireless local area network (WLAN) is a network that links two or more computers in a limited area (the coverage area of the network). The biggest advantage of wireless networks over wired fixed networks is the mobility (and therefore more convenience) the users don't need to be in a fixed physical location. Additional advantages of wireless networks over wired networks are: they are more flexible and easy to install, maintain and use. In several cases their cost is less than the cost of wired networks. Computers network security is one of the challenging aspects in data communication networks. This aspect is very important especially in wireless networks because if, in the past, the attacker wanted to harm a wired network he had to be physically and directly connected to that network. In wireless networks the situation is totally different because there is no need to have a physical connection to the network. Moreover, in the last years wireless networks have become more common among small and big companies and among home users. Therefore the importance of taking measures to secure those networks is very high. As a result arose the need for a tool that reports the current security situation of the inspected networks and advises on possible improvements in both levels of a single network and several networks in a certain area. In this project we will review the different algorithms to secure wireless networks. We will rank them in terms of strength and design software, with GUI, that advises on possible improvements in securing the networks that operate in the environment in which the software operates. This project has the nature of a research and the software that will be designed is the way to show the result of this "research". Page 5 of 45

6 2. Background In the last years the world has becomes more mobile: The need for voice connection between people disregard of their location leads to the cellular phones revolution. The need to be connected to the internet everywhere (even in the neighborhood cafe ) or a temporary connection between laptops in business meetings leads to the wireless networks revolution. There are several wireless technologies for computers communication: we can find HomeRF, Infrared and Bluetooth for short range, cellular modems for long range. But the most prevalent technology for wireless communication between computers is Actually, this is a set of standards developed by group 11 of IEEE LAN/MAN Standards Committee. In this chapter we present the cardinal points of the IEEE and the relevant parts that are related to security. 2.1 IEEE General Information The family includes over the air modulation techniques that use the same basic protocol: a ( legacy) The original version of the standard released in 1997 and supported data rates up to 2 Mbps in three different physical layer technologies: Infrared, radio waves in method Frequency Hopping Spread Spectrum (FHSS) and radio waves in method Direct Sequence Spread Spectrum (DSSS). The two radio technologies use microwave transmission over Industrial Scientific Medical (ISM) frequency band at 2.4 GHz. Today there is no commercial implementation for this old standard. b a This standard is an amendment to the original standard. It operates at 5 GHz (and therefore has a higher distance range than other standards in most speeds due to less interference there are less products that use that frequency) and uses Orthogonal Page 6 of 45

7 Frequency Division Multiplexing (OFDM). It supports data rates up to 54 Mbps. c b This standard was released at 1999 and is a direct extension of the DSSS modulation technique defined in the original standard. It operates at 2.4 GHz (and therefore suffers significant interference from other products operating at that frequency like microwave ovens, Bluetooth devices and cordless telephones). It supports data rates up to 11 Mbps. d g This standard was released at It operates at 2.4 GHz, uses OFDM technique and supports data rates up to 54 Mbps. As of March 2009 this is the most prevalent standard. e n As of March 2009, this standard is not ratified yet. It improves the original standard by adding Multiple Input Multiple Output (MIMO) support and therefore its maximal data rate will be 600 Mbps. As of March 2009 there are commercial products in the market based on the drafts of n. 2.2 Wireless Networks in networks consist of 4 major physical components: a. Stations Those are computed devices between which data is transferred. They have wireless network interface wireless network card. Those devices can be desktops, laptops, cellular phones with support and even electronic entertaining products such as TiVo. b. Access Points The main task of those devices is to bridge between the wired network and the wireless network convert frames in standard to standards that are used in wired networks. c. Wireless Medium Data is transferred between stations using the wireless medium. Page 7 of 45

8 d. Distribution System Constitutes a logical component that connects between several access points that form a large coverage area. Ethernet technology is usually used as the backbone network to connect the access points. Figure 1. Components of LANs 2.3 Types of Networks The basic building block of a network is the basic service set (BSS), which is simply a group of stations that communicate with each other. Communication takes place within a somewhat fuzzy area, called the basic service area, defined by the propagation characteristics of the wireless medium. There are two types of networks: 1. Independent Network (Independent BSS - IBSS) There are at least two stations in an IBSS that communicate directly with each other. This type of network is also called Ad-Hoc. 2. Infrastructure Network In this type of networks there are access points. Communication is achieved by two hops - first the originating mobile station transfers the data to the access point. Second, the access point transfers the data to the destination station. The basic service area corresponding to an infrastructure BSS is defined by the points in which transmissions from the access point can be received. There are two major advantages of using infrastructure network: Page 8 of 45

9 a. Infrastructure BSS is defined by the distance from the access point and not the distance between two stations. Therefore, the distance between two stations can be big, a fact that doesn't allow direct communication between them, but with the help of an access point those stations can communicate with each other. b. Access points in infrastructure networks can help stations attempting to save power. Access points can note when a station enters a power-saving mode and buffer frames for it. Battery-operated stations can turn the wireless transceiver off and power it up only to transmit and retrieve buffered frames from the access point. Figure 2. Independent and Infrastructure BSSs BSSs can create coverage in small offices and homes, but they can't provide network coverage to larger areas. The standard allows wireless networks of a large size to be created by linking BSSs into an extended service set (ESS). An ESS is created by chaining BSSs together with a backbone network. All the access points in an ESS are given the same service set identifier (SSID) which serves as a network "name" for the users. Page 9 of 45

10 Figure 3. Extended Service Set (ESS) 2.4 Joining an Infrastructure Network If a station wants to communicate with computers in a certain network and obtain its services, it must associate with an access point. The association process is not symmetric: stations always initiate the association process, and access points may choose to grant or deny access based on the contents of an association request. The following points describe the sequence of events that occur when a station wants to join an unsecured network. (We will use the word 'AP' as an acronym to an access point (that is connected to the distribution system) and the word 'STA' as an abbreviation to a station): 1. The AP advertises its presence by transmitting short wireless messages at a regular interval. These short messages are called beacons that allow wireless devices to discover the identity of the AP. 2. When a STA wants to connect to a specific network or to any network, it performs a process that is called scanning the STA must tune into each channel (each channel is a different radio frequency) and listen for beacon Page 10 of 45

11 messages. This process can be accelerated by probing a STA can send a message that is called probe request message which is equivalent to shouting "hello, anyone there?". When any AP receives this message it replies immediately with a probe response that looks like a beacon message. In this way the STA can learn about the APs in its area. 3. After the AP discovers the APs in its area it needs to decide to which network it wants to join. Often this decision is made based on signal strength. This is done by sending an authenticate request message to the chosen AP. 4. Because we describe an unsecured network, the AP immediately responses by sending an authenticate response message. 5. After the STA receives the authenticate response message it must associate with the AP in order to send and receive data from the network. Therefore it sends an association request message. The AP responses to that message by sending an association response message. This indicates that the process of joining the network has been finished successfully. Figure 4. Joining an Infrastructure Network Page 11 of 45

12 2.5 Types of Frames in In IEEE there are three types of frames: control frames, management frames and data frames Control Frames These frames are short and constitute the lowest level of frame types. They are directly related to the standard's Media Access Control (MAC) rules they perform area clearing operations, channel acquisition and carrier-sensing maintenance functions and positive acknowledgment of received data. All control frames use the same Frame Control field: Figure 5. Frame Control field in Control Frames The four bits in Sub Type field indicate the type of the control frame that is being transmitted: Sub Type = 1010: Power Save (PS) Poll: When a mobile station wakes from a power-saving mode it transmits a PS-Poll frame to the AP to retrieve any frames buffered while it was in power-saving mode. Sub Type = 1011: Request to Send (RTS): Those frames are used to gain control of the medium for the transmission of "large" frames, in which "large" is defined by the RTS threshold in the network card driver. Sub Type = 1100: Clear to Send (CTS): Those frames are used to answer RTS frames and are used by the g protection mechanism to avoid interfering with older stations. Sub Type = 1101: Acknowledgment (ACK): Those frames are used to send the positive acknowledgments required by the MAC (only response to unicast Page 12 of 45

13 data) and are used with any data transmission, including plain transmissions, frames preceded by an RTS/CTS handshake and fragmented frames. Sub Type = 1110: Contention-Free (CF)-End Sub Type = 1111: CF-End + CF-Ack The last two subtypes are related to Point Coordination Function (PCF) mode which means that the AP controls all accesses to the media (similar to token ring the AP polls the stations to see if they have any data to transmit). The most interesting thing about control frames is that CTS frames are designed to be honored by unrelated networks on the same channel. For example, if an AP related to network A sends CTS packet to Station A in its network, all the stations and APs that hear this packet (even if they are not related to Network A) are expected to honor the CTS packet and not to transmit anything for the duration specified. An attacker that wants to disrupt any data transferred from the station that receives the CTS packet can disregard this packet and transmit a data from its own that leads to a collision! Management Frames Management frames perform supervisory functions: they are used to join and leave wireless networks and move associations from one AP to another AP. All management frames have the same structure: Figure 6. Generic Management Frame The MAC header contains the following important fields: Destination Address (DA) the address of the device that eventually receives the message. Page 13 of 45

14 Source Address (SA) the address of the device that created the original message. BSSID contains the MAC address of the wireless network interface if AP transmits the frame or in case the stations transmit that frame, the field contains the BSSID of the AP they are currently associated with. This field is used to limit the effect of broadcast and multicast management frames. The stations that receive management frames are required to inspect that field to know if that frame is relevant to them. Information elements and fixed fields contain two types of fields: 1. Fixed length fields like Authentication Algorithm Number (0 for Open system authentication, 1 for Shared key authentication), Authentication Transaction Sequence Number (a number to track progress through the authentication exchange), Beacon Interval, Capability Information (of the network), Current AP Address, Timestamp (allows synchronization between the stations in a BSS), Reason Code (for Disassociation or Deauthentication frames) and Status Code (to indicate success or failure of an operation). 2. Information elements are variable-length components like Service Set Identity (SSID the name of the network), Supported Rates (of the network), information regarding the modulation technique (FHSS/DSSS), Power Capability (minimum and maximum transmit power of the station) and the Robust Security Network (RSN) information element which includes information about the cipher that is used to secure the information (will be discussed later). There are several types of management frames: 1. Beacon Frames they announce the existence of a network. They are transmitted at regular intervals to allow stations to find and identify a network as well as match parameters for joining the network. 2. Probe Request - Stations use this frame to scan an area for existing networks. Page 14 of 45

15 3. Probe Response - If a Probe Request encounters a network with compatible parameters, the APs of the network send a Probe Response frame. This frame carries all the parameters in a Beacon frame which enables stations to match parameters and join the network. 4. Authentication Request Station uses this frame in order to authenticate itself to the AP in the association process to the network. 5. Authentication Response The AP grants or denies access based on the contents of an Authentication Request. 6. Deauthentication This frame is used to end an authentication relationship. 7. Association Request When a station identifies a compatible network which authenticates it, it may attempt to join the network by sending this frame. 8. Reassociation Request A station that moves between different basic service areas of the same ESS needs to reassociate to the network before continuing using its services. 9. Association Response The response frame of the AP to Association Request frame. 10. Reassociation Response The response frame of the AP to Reassociation Request frame. 11. Disassociation This frame is used to end an association relationship. There are some more management frames related to the spectrum used by the stations and frames related to power conservation Data Frames Data frames are used to carry higher level protocol data between stations. Unlike control and management frames, data frames can be authenticated if some form of encryption is turned on. Page 15 of 45

16 The general structure of data frames is: Figure 7. Generic Data Frame There are four address fields but not all of them are used in all frames. That depends on the type of network deployed (Independent BSS (IBSS) or Infrastructure BSS): Figure 8. Address fields in data frames (DS Distribution System, WDS Wireless DS, DA Destination Address, SA Source Address, RA Receiver Address, TA Transmitter Address). There are several types of data frames: 1. Data. 2. Data + Contention Free (CF)-Ack. 3. Data + CF Poll. 4. Data + CF-Ack + CF-Poll. 5. Null. 6. CF-Ack. 7. CF-Poll. 8. CF-Ack + CF-Poll. Only the first four types carry data. The others are related to changes in the power-saving status and frames that perform management functions. It is important to understand that the encryption is applied (if applied) only on Page 16 of 45

17 the frame body field (which contains the data). The address fields are not encrypted and therefore it is easy to trace which station/ap sends data to which station/ap, learns the topology of the network and even to pretend to be an owner of legal address in the network and get full access to its services (if there is no security at all). Page 17 of 45

18 3. Security There are many threats and risks when using wireless technologies. The most critical are data interception (attackers listen and steal sensitive information), input hijacking (attackers "inject" packets and interact with sensitive applications they should not have access to, or change the data in a way that damages its integrity) and data unavailability (like denial of service attacks the data is not available when you want to use if because of an attack). In the following pages we review the different algorithms and techniques that are used as network security mechanisms, and rank them in terms of strength. Based on this ranking we design the software. 3.1 Authentication The purpose of authentication is that each party will be able to prove that it is the party that it claims to be. The original standard defined two levels of authentication: 0 Open System Authentication 1 Shared Key Authentication (WEP) Open System Authentication Open system authentication is basically no authentication the AP responses immediately when it receives an Authentication Request and sends an Authentication Response. Figure 9. Open System Authentication Exchange Page 18 of 45

19 Even if the network uses Open System Authentication policy there is still a way to limit the access to the network this method is called MAC filtering. Every network component (AP, wireless network interface card) has a unique 48 bits number MAC address. APs can contain a list of authorized MAC addresses and when a station wants to join the network the AP checks if the station's MAC address appears in the list or not and react accordingly. The use of MAC filtering is good to overcome "unserious" attacks (like attackers who try to enter the network only one time and if they fail they try another network) and unintentional attempts to join the network (like people who choose to join the network by mistake and intend to join another network). This method should not be used as the main authentication policy since MAC addresses are generally software or firmware programmable and can easily be overridden and forged by an attacker who wants to access the network. It just adds complexity without any substantial additional security benefit Shared Key Authentication Shared key authentication is a simple "challenge response" scheme based on whether a station that wants to join the network knows a shared key. In this mode, the station sends an Authentication Request to the AP. The AP sends back a plaintext challenge packet an unencrypted string of random bytes. The station must encrypt this packet with the shared key and sends it back to the AP. The AP encrypts itself the challenge packet and compares the result with the encrypted packet it receives from the station. If the strings are equal, the AP thinks that the station knows the shared key and therefore it should grant the station an access to the network (sends Authentication Response with a status code of success). Otherwise, the authentication fails. Page 19 of 45

20 Figure 10. Shared Key Authentication Exchange The underline in the word "thinks" is on purpose. That is because the AP can't be sure that the station knows the shared key. If there is an attacker who listens to the transmitted packets, he can see the plaintext challenge packet and the encrypted response. This allows the attacker to compute the output generated by the WEP algorithm (RC4) and use it later to authenticate himself to the network (Explanation about WEP weaknesses will appear later). Another problem in this scheme is that it does not provide mutual authentication. It means that the station does not authenticate the AP and therefore there is no assurance whether the station is communicating with a legitimate AP or with an impostor AP. There is one more important reason why the network administrator should prefer Open System Authentication (with MAC filtering and data encryption) to Shared Key Authentication: if network authentication policy is Shared Key and the station that tries to join the network doesn't know the shared key, the AP rejects that station (Status code indicates that authentication fails) and the station knows immediately the reason of the failure. But if network authentication policy is Open System, the association process will succeed, but every frame the station sends is discarded by the AP because of decryption failure. From the side of the station, it is hard to distinguish this failure from failure due to interference or being out of range. Page 20 of 45

21 X Authentication X is an IEEE standard for port-based Network Access Control ("port" meaning a single point of attachment to the WLAN infrastructure). This standard does not specify a specific authentication algorithm. Instead, it specifies a framework that generic authentication protocols can be built around. Therefore 802.1X authentication is as secure as the specific authentication technique it is using. In wireless networks it is based on the Extensible Authentication Protocol (EAP). The concept is very simple: the purpose is to implement access control at the point at which a user joins the network. There are three components in this world: 1. Supplicant the STA that wants to join the network. 2. Authenticator the AP that controls the access. 3. Authentication Server A computer that makes authorization decision (generally a RADIUS database). Figure X Authentication - General Scheme The supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant is allowed to access resources located on the protected side of the network. EAP has a set of messages to maintain the above scheme that can be seen in the following figure: Page 21 of 45

22 Figure 12. EAP General Message Flow There are several EAP types including EAP-MD5 (this version offers minimal security since it supports only one way authentication without key exchange) and EAP-TLS (this version is considered one of the most secure EAP types since it supports fast reconnection, mutual authentication and key management (Public Key Infrastructure PKI) via certificate authentication, especially when using smart cards). EAP types are not specifically designed for use with wireless networks. Those protocols operate in upper layers in the OSI model and therefore the specific version of EAP can't be detected in the MAC layer (and in our designed software). There is one more important thing since it will be easy for an attacker to wait until a valid STA is granted access and then start using the connection by impersonating that STA (called session hijacking), it is necessary to turn on encryption before granting access to the network. Page 22 of 45

23 3.1.4 Higher Layer Authentication Techniques There are several authentication techniques that operate in higher layer than the link layer (layer 2 in OSI) such as firewalls, VPNs and one time password (OTP) systems. This project focuses on security mechanisms and will not deal with such techniques. Page 23 of 45

24 3.2 Encryption The standard supports privacy through the use of cryptographic techniques WEP WEP stands for Wired Equivalent Privacy. This was the first method for security that appeared in standard. We can understand from its name that the purpose was to design security mechanism that its strength is equal to the security mechanisms used in wired networks. During the last years the cryptographic community has detected flaws in this mechanism and now it is considered unsafe at all and easy to be cracked. WEP uses the RC4 symmetric key, stream cipher algorithm (which means that the internal state of the cipher is continuously updated as data is processed and is not reset like in block cipher algorithms) to generate a pseudo random data sequence. This key stream is simply XORed with the data to be transmitted. Why is WEP weak 1. The original key length was 40 bits but most vendors have implemented products with up to 104 bits key. They called their 104 bits key solutions as "128 bit security". The additional 24 bits are called initialization vector (IV), which participates in initializing the RC4 algorithm (The IV is merely concatenated to the secret key). There are two problems with the IV: a. This vector is too small (only 24 bits) in cryptography terms short IV guarantees that those vectors will repeat after a relatively short time, reuse of the same IV produces identical key streams used to encrypt the data. b. This vector is sent without encryption so the receiver knows which IV value to use in decryption, but an attacker can eavesdrop and record network traffic, and then determine the key stream and use it to decrypt the cipher text. 2. WEP uses static keys many users in a wireless network can share Page 24 of 45

25 identical key for long periods of time. This is because of lack in key management in the WEP protocol. The danger is analytic attacks performed by eavesdropper who can reveal the key rapidly. 3. WEP does not provide cryptographic integrity protection (The WEP's integrity check is a linear hash value). The MAC standard uses no cryptographic CRC to check the integrity of the packets and acknowledge packets with the correct checksum. An attacker can modify the data (and the CRC accordingly) and send it to the AP that will acknowledge the packets! There are 3 kinds of attacks that exploit those weaknesses: 1. Brute force attacks: systematically trying all the options. They can discover 40 bits key in several hours. It is not relevant for 104 bits key since it takes longer than the expected life of the universe. 2. Statistical attacks: use statistical analysis on data collected in order to find the key. The amount of time can vary wildly as a function of your luck and the data collected. 3. Dictionary attacks: use lists of words and permutations to try to guess the key TKIP (WPA) TKIP stands for Temporal Key Integrity Protocol. It was designed by the IEEE i task group and the Wi-Fi Alliance as a solution to replace WEP without replacement of legacy hardware (and therefore uses RC4 algorithm as its cipher). TKIP solves the problems of WEP: 1. It doubles the length of the IV from 24 to 48 bits the probability of repetition is much smaller. 2. It implements key mixing function that combines the secret key with the IV before passing to the RC4 initialization (there was only concatenation in WEP). Moreover, every frame is encrypted by a unique encryption key. 3. It implements a sequence counter in order to protect against replay attacks. Page 25 of 45

26 Frames with a sequence counter that is smaller than the most recently received sequence number counter are rejected. 4. It implements a 64 bit message integrity check called MICHAEL. This method has a drawback: it is not able to withstand a determined active attack. There are countermeasures to deal with that problem: if there is a message integrity code failure, the communication is shut down for 60 seconds and the keys in TKIP are refreshed. TKIP is much more secure than WEP but because it is based on a stream cipher algorithm (RC4) there are algorithms that are stronger. There is a small difference between TKIP and WPA. TKIP is a part of Robust Security Network (RSN) which is a new security standard defined by i task group. TKIP is used for data encryption. WPA is a certification program created by the Wi-Fi Alliance to indicate compliance with the security protocol created by the Wi-Fi Alliance. This protocol implements the majority of i standard, including TKIP. WPA is used for authentication in two variations: 1. WPA Pre Shared Key (WPA-PSK) also known as WPA Personal this variation is based on 256 bit pre-shared key distributed to the wireless stations (if there is a possibility to enter the pre shared key directly) and can be derived from a passphrase and the SSID of the network (when the pre shared key can't be entered directly). Because of the use of pre shared key, WPA is vulnerable to dictionary attacks by determined attackers: the attacker just needs to monitor the handshake traffic between the STA and the AP and derives the unique keys for any other station which shares the same pre shared key. If this mode is used the passphrase must be more than 20 characters and avoid common phrases. 2. WPA with 802.1X port authentication also known as WPA Enterprise - this variation is much more secured since the AP can't grant access to the STA. Only the authentication server can do this. Page 26 of 45

27 3.2.3 CCMP (WPA2) CCMP stands for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. As of March 2009, it is the strongest security mechanism developed. It uses Advanced Encryption Standard (AES) as its block cipher. In implementation, the method combines a 128 bit key and a 128 bit block of unencrypted data to produce an encrypted data using mathematical and logical operations. AES can be used in different modes to encrypt data. One of those modes is the counter mode: each message is divided into blocks. There is a different counter for each block. The blocks pass through the AES encryption and then XOR with blocks of data. The counters of different messages don't start with number 1 but with nonce value that changes for each successive message. There is also a message authentication method called cipher block chaining (CBC) that is used to produce a message integrity code (MIC). There is a small difference between CCMP and WPA2. CCMP is a part of Robust Security Network (RSN) which is a new security standard defined by i task group. CCMP is used for data encryption. WPA2 has replaced WPA. It is also created by the Wi-Fi Alliance to indicate compliance with an advanced protocol that implements the full i standard, which includes CCMP. Like WPA, WPA2 is used for authentication in two variations: 1. WPA2 Pre Shared Key (WPA2-PSK) also known as WPA2 Personal. 2. WPA2 with 802.1X port authentication also known as WPA2 Enterprise Higher Layer Security Protocols There are several security protocols that operate in higher layer than the link layer (layer 2 in OSI) such as Internet Protocol Security (IPsec, operates at layer 3 in OSI), Secure Sockets Layer (SSL, operates at layer 4 in OSI) and Secure Shell (SSH, operates at layer 7 in OSI). Those protocols can't provide efficient protection to the link layer and should be used in addition to a host-based security such as firewall. Page 27 of 45

28 3.3 SSID Broadcast SSID (service set identifier) serves as a network "name" for the users and is included in plaintext in many packets. The SSID is important because the station needs to know it in order to send an Association Request to the AP. If the AP doesn't broadcast its SSID, stations without previous knowledge on the existence of this AP will not be able to join the network. This is not fully true. Since Association Requests messages are transmitted unencrypted (All management frames are unencrypted), an attacker can listen to the transmitted traffic and intercept Association Request messages that were sent by legitimate users, and detect the SSID. A more active attacker can kick a legitimate user off the network by Disassociation Request and force him to send Reassociation Request that contains SSID. Page 28 of 45

29 4. The Final Ranking Based on the last chapters we have ranked the security algorithms and techniques. The rank that each network can get varies from 0 to 10: 0.5 points are given if the network doesn't broadcast its SSID. 0.5 points are given if the network includes MAC filtering. Authentication algorithms: Open System 0 points Shared Key Authentication (WEP) 1 point WPA Pre Shared Key - 2 points WPA 2 Pre Shared Key 3 points WPA-802.1X 4 points WPA X 4.5 points Encryption algorithms: None 0 points WEP 2 points TKIP 3.5 points CCMP 4.5 points Please note that some combinations are not valid, like Open System authentication and CCMP encryption. This rating (and the appropriate recommendations) can be changed if new and more secured algorithms are invented in the future (Explanations in chapter 6). Page 29 of 45

30 5. Modes of NIC Operation Network interface cards (NICs) can operate at several modes, the most important are: a. Local Mode: NIC receives only packets which are targeted to its address. This mode doesn t require an association with an AP. b. Promiscuous Mode: Allows the user to view all wireless packets on a network to which he has been associated. c. Monitor Mode (RFMON): Allows monitoring all traffic in the air, transmitted in all wireless networks. Almost every NIC supports Local Mode and Promiscuous Mode. Usually only designated cards support Monitor Mode. The ideal for our project was working in Monitor Mode. For that purpose we installed a NIC which supports Monitor Mode. The NIC model is: NETGEAR WG311T (based on Atheros chipset). In order to work in Monitor Mode, the operation system must support it, NIC s driver must support it, and it should implement an option to activate this mode. In Linux it is quite simple: OS support exists and open source drivers are freely available, and one may force the card to work in Monitor Mode by using a simple command. In Windows OS it depends on the version of the Windows. Every Windows' version until Windows Vista doesn t support NIC operation in Monitor Mode. Windows Vista, on the other hand, implements NDIS 6.0, which should support Monitor Mode, with the right set of drivers. The only option available currently to support Monitor Mode in Windows is by using a set of external drivers (not the vendor ones) and using designated software which knows how to activate this mode using those drivers. One example is Commview s drivers and its software (This software costs 500$ and is developed by Tamosoft: Page 30 of 45

31 We have installed Commview s drivers (free download from the company website) but we weren t able to activate Monitor Mode since the company doesn t provide its interface. Therefore, according to our research, working in Monitor Mode is currently not possible in Windows Vista, in open-sources projects (only if you develop a specific driver which can support it). The second option was to work in Promiscuous Mode. But this mode doesn t add any extra functionality that can help us because this mode requires the user to associate to a specific network before he can listen to its communication. Finally, we ve decided to work in Local Mode. As a result, the following restrictions apply: No MAC filtering discovery No trigger-packets for hidden networks But we re still using Commview s drivers for future extensions of the project (When the drivers API will be exposed). Page 31 of 45

32 6. Wireless Security Analyzer (WSA) The Software 6.1 Technology Background Microsoft.NET Framework The Microsoft.NET Framework is a software framework available with several Microsoft Windows operating systems. It includes a large library of coded solutions to help the programmer and a virtual machine that manages the execution of programs written specifically for the framework. The.NET Framework is a key Microsoft offering and is intended to be used by most new applications created for the Windows platform. The framework's Base Class Library provides a large range of features including user interface, data and data access, database connectivity, cryptography, web application development, numeric algorithms and network communications. The class library is used by programmers, who combine it with their own code to produce applications. Programs written for the.net Framework execute in a software environment that manages the program's runtime requirements. Also part of the.net Framework, this runtime environment is known as the Common Language Runtime (CLR). The CLR provides the appearance of an application virtual machine so that programmers need not consider the capabilities of the specific CPU that will execute the program. The CLR also provides other important services such as security, memory management and exception handling. The class library and the CLR together compose the.net Framework. As the program is being executed by the CLR, the code is compiled and cached, just in time, to the machine code appropriate for the architecture on which the program is running. Several languages can be used in order to work over the CLR. The most common are: C#, VB.NET, Jscript.NET, but many other languages are supported. All of them use the capabilities and methodologies that the CLR provides. Page 32 of 45

33 6.1.2 C# C# was developed by Microsoft as part of the.net initiative, and lately is getting more and more popular. It is intended to be simple, modern and to fit to any programming need you might have. C# is a pure object oriented language, and contains many pre-written classes, which ease the developer s work and save the developer many code lines. In our project, C# is being used as the main programming language and was selected so we can learn how to use it and, on the other hand, to enlarge our experience in programming using OOP methodologies. Another thing worth mentioning is that besides the benefits we got while working with C#, we also learnt how to build a GUI in Windows using C# and Visual Studio tools, which is something you can t learn in any other programming course in the Technion. 6.2 WSA Architecture Classes and Data Structures WSA is built in C# using OOP methodologies. It s based on Managed Wi-Fi class library (more explanations in the appendix 9.2), three classes and one typed dataset, as can be seen in the class diagram: Network Class Fields _authentication _channel _encryption _frequency _macaddress _networktype _rates _routercompany _signalquality _ssid Properties Authentication Channel Encryption Frequency MacAddress NetworkType Rates RouterCompany SignalQuality SSID DSSecurity Class DataSet Fields _schemaseriali relationdt_auth relationdt_auth relationdt_encr relationdt_encr tabledt_authen tabledt_encryp tabledt_enterp tabledt_person Properties DT_Authenticati DT_Encryption DT_EnterpriseS DT_PersonalSe Relations SchemaSerializ Tables Methods Nested Types Recommender Static Class Fields MaxNetworksPerChannel NumOfChannels Methods CheckChannelCollisions GetGeneralRecommendations Converter Static Class Fields MacDictionary Methods BuildRateString Compare ConvertBSSTypeToString ConvertToChannel ConvertToMbs CreateAuthenticationString FormatMac GetCompanyForMAC GetStringForSSID LoadMacDictionary Figure 13. WSA Class Diagram Page 33 of 45

34 In this chapter we will describe each class capabilities and why it is needed: Network This class represents a wireless network. It contains all of the network s properties such as: frequency, AP MAC address, supported rates and so on. This class is used in order to store all of the network s properties in one place, for easy display and work. Converter A static class which contains static functions that are being used for different conversions required for displaying the wireless network data and recommendation. Methods BuildRateString This method is being used for displaying the rates supported by the wireless network in a fixed display separated by backslashes. Compare Compares between two double variables. This method is being used by BuildRateString in order to sort the rates. ConvertBSSTypeToString This method returns a string representing the BSS type of the network, which it compiles from the type of the enumeration: Wlan.Dot11BssType ConvertToChannel This method returns the network s channel according to its frequency. ConvertToMbs - Converts a list of raw rate values into a list of rates (while using BuildRateString) in units of Mbits/second. CreateAuthenticationString - Cleans the authentication string from the unnecessary added information which is given by the NIC. Page 34 of 45

35 FormatMac - Converts the MacAddress bytes format (an array of bytes) to a string. The format of the string will be like the following: a1:2b:3c:4d:5e:6f. GetStringForSSID Converts the SSID from an ASCII format to a string. LoadMacDictionary Loads from a file the list of MAC headers (vendors.txt) which describes which MAC belongs to which company, and saves it in a Dictionary: MacDictionary (a private member of the class). The vendors.txt structure is (partial example, the file can be found as part of the project source code): C Samsung Electonics Digital Video System Division D Yulong Computer Telecommunication Scientific(shenzhen)Co.,Lt E Arbitron Inc F Intel Corporation SKNET Corporation Symphox Information Co Zenway enterprise ltd Bury GmbH & Co. KG EuroCB (Phils.), Inc Motorola MDb Intel Corporation Bihl+Wiedemann GmbH SHENZHEN BAOAN GAOKE ELECTRONICS CO., LTD eon Communications A Skyworth Overseas Dvelopment Ltd. GetCompanyFromMac Uses the MacDictionary object in order to return the company's name that belongs to the given MAC. Recommender Recommender is a static class which is used for getting the recommendations for each network. Currently this class exposes only one method: GetGeneralRecommendations This method is used to get recommendations which are not specific per network but instead are general and applied to the environment the user is currently at. For example, if the user is found in a place where a lot of wireless networks are broadcasting on the same channel, which can disturb Page 35 of 45

36 DSSecurity the normal communication throughout all networks, then this function will recommend to change one or more of the affecting networks channels. DSSecurity is a typed dataset which is used for holding the different authentication and encryption types, the specific recommendations for each of them, and the rating that each of them gets. These are the tables and their relations in the dataset: Figure 14. DSSecurity Structure As can be seen in figure 14, DSSecurity contains four datatables. Two of them are used to store the authentication and encryption algorithms currently available, and their rating (according to our algorithms rating). The other two datatables are used to store the available combinations of the algorithms, and accordingly the WSA recommendation for this combination. This is held in two datatables because different recommendations will be given for different modes of work (i.e. if this is a personal or an enterprise network). This information is being loaded when WSA starts up and is held in WirelessSecurity.xml. Page 36 of 45

37 This is very useful for easy updating the software. That is, if new authentication or encryption algorithms will become available, then all is needed is to replace this file with an updated one, and the software will now support the new algorithms and will give recommendations accordingly How to use Wireless Security Analyzer? 1. Open WSA. 2. Select your NIC from the drop down list. 3. Press Scan Networks. A list of the available wireless networks will be shown on the left. 4. Choose one of the wireless networks which you want to analyze. 5. On the right, general information regarding the network will be shown. 6. Select if the chosen network is personal or enterprise network. 7. Press next in order to get the security recommendations for the network. Page 37 of 45

38 7. Summary Network security is one of the most challenging aspects in computer networks, especially in wireless networks. In this project we have been exposed to standard which is nowadays the leading standard to implement wireless local area networks. In particular, we have focused on the security aspect of this standard, studied different authentication and encryption algorithms and techniques and their weaknesses and ranked them. We have also designed and implemented software with GUI which reflects our accumulated knowledge. We have done it in a programming language which in new for us C#, which is a part of Microsoft.Net framework. Microsoft Visual Studio 2008 was our IDE. 7.1 Future Development When there will be open source projects for drivers that support Monitor Mode in Windows Vista the current project can be extended: 1. To detect MAC filtering. This is done by listening to stations that succeeded in association with an AP and "stealing" their MAC address. The attacker station will be able to associate with an AP. 2. To discover hidden networks that don't broadcast their SSID. This will be done by transmitting Probe Request messages (packet injection). Projects that deal with wireless security will be (in Windows environment): 1. "Attack and Defense" An attacker will send disassociation and deauthentication messages (by packet injection) in order to disconnect legitimate users from the network. The users can overcome this kind of attack by disregarding those messages (There is a need to change the drivers to support this nonstandard functionality). 2. WEP/WPA-PSK cracking for educational purposes. Page 38 of 45

39 Another project with cryptographic and programming benefits is to design software that implements the different algorithms mentioned in this report (and even much more): WEP (RC4), TKIP and AES. Page 39 of 45

40 8. References 1. Matthew Gast, Wireless Networks: The Definitive Guide, Second Edition, O'Reilly Media. 2. Jon Edney & William A. Arbaugh, Real Security: Wi-Fi Protected Access and i, Addison Wesley. 3. Johny Cache & Vincent Liu, Hacking Exposed Wireless: Wireless Security Secrets & Solutions, McGraw-Hill / Osborne. 4. Aaron E. Earle, Wireless Security Handbook, Auerbach Publications. 5. IEEE Wikipedia, the free encyclopedia 6. IEEE 802.1X - Wikipedia, the free encyclopedia 7. Karli Watson & Cristian Nagel, Beginning Microsoft Visual C# 2008, Wrox. 8. NET Framework Wikipedia, the free encyclopedia Page 40 of 45

41 9. Appendixes 9.1 List of Figures Figure 1. Components of LANs... 8 Figure 2. Independent and Infrastructure BSSs... 9 Figure 3. Extended Service Set (ESS) Figure 4. Joining an Infrastructure Network Figure 5. Frame Control field in Control Frames Figure 6. Generic Management Frame Figure 7. Generic Data Frame Figure 8. Address fields in data frames Figure 9. Open System Authentication Exchange Figure 10. Shared Key Authentication Exchange Figure X Authentication - General Scheme Figure 12. EAP General Message Flow Figure 13. WSA Class Diagram Figure 14. DSSecurity Structure Page 41 of 45

42 9.2 Managed Wi-Fi Class Library Managed Wi-Fi ( is a.net class library that allows you to control Wi-Fi network adapters installed on your Windows machine. This library wraps the Native Wi-Fi API ( The Native Wi-Fi API contains functions, structures and enumerations that support wireless network connectivity and wireless profile management. It is designed for C/C++ developers and available since Windows Vista and Windows XP SP2 (only after applying a hotfix provided in KB article ). The Native Wi-Fi API functions have two purposes: to manage wireless network profiles and to manage wireless network connections. The API elements are exposed by the Auto Configuration Module (ACM). The exposed connection and disconnection API elements can be used to override the automatic configuration logic. Managed Wi-Fi class exposes a list of methods which enables the.net programmer to easily get an interface to any installed NICs, select one of them, and ask for a new wireless scan for example. The scan will return (using its built enumerations) a list of wireless networks (ESSs) and their properties. As explained before, every ESS can be built of a number of BSSs (each one represents an AP). Using Managed Wi-Fi API, the programmer can also get the list of the BSSs that the NIC knows. In WSA, we took the list of BSSs and matched them to the list of ESSs, and then we got for every ESS what are its general and security properties. Page 42 of 45

43 9.3 DOT11_Algorithms Enumeration The following enumerations define the authentication and encryption algorithms that are used in standard (as of March 2009) and in our software: DOT11_AUTH_ALGORITHM Enumeration typedef enum _DOT11_AUTH_ALGORITHM { DOT11_AUTH_ALGO_80211_OPEN = 1, DOT11_AUTH_ALGO_80211_SHARED_KEY = 2, DOT11_AUTH_ALGO_WPA = 3, DOT11_AUTH_ALGO_WPA_PSK = 4, DOT11_AUTH_ALGO_WPA_NONE = 5, DOT11_AUTH_ALGO_RSNA = 6, DOT11_AUTH_ALGO_RSNA_PSK = 7, DOT11_AUTH_ALGO_IHV_START = 0x , DOT11_AUTH_ALGO_IHV_END = 0xffffffff } DOT11_AUTH_ALGORITHM, *PDOT11_AUTH_ALGORITHM; (Taken from DOT11_CIPHER_ALGORITHM Enumeration typedef enum _DOT11_CIPHER_ALGORITHM { DOT11_CIPHER_ALGO_NONE = 0x00, DOT11_CIPHER_ALGO_WEP40 = 0x01, DOT11_CIPHER_ALGO_TKIP = 0x02, DOT11_CIPHER_ALGO_CCMP = 0x04, DOT11_CIPHER_ALGO_WEP104 = 0x05, DOT11_CIPHER_ALGO_WPA_USE_GROUP = 0x100, DOT11_CIPHER_ALGO_RSN_USE_GROUP = 0x100, DOT11_CIPHER_ALGO_WEP = 0x101, DOT11_CIPHER_ALGO_IHV_START = 0x , DOT11_CIPHER_ALGO_IHV_END = 0xffffffff } DOT11_CIPHER_ALGORITHM, *PDOT11_CIPHER_ALGORITHM; (Taken from Page 43 of 45

44 9.4 Screenshots from the software A. In the following screenshot we can see that the user pressed the button "Scan Networks" after choosing the NIC "[Comm View] Atheros Wireless Network Adapter #2". The scan shows that there are five networks in the area, one of them doesn't broadcast its SSID. The user chose to get information on "Techwifi" network: Page 44 of 45

45 B. Since "Techwifi" is unsecured network it receives a low rating (The user assumed that this network contains MAC filtering and therefore the final rating is 0.5): There are several recommendations: 1. SSID The user is advised to disable the broadcast of SSID. 2. Authentication and encryption - The user is advised to turn on both authentication and encryption and upgrade to WEP algorithm in order to improve the network's security rating. 3. General Information Since there are more than two networks broadcasting in the same channel, the user is advised to configure this network in another channel. Page 45 of 45