Practical Approach in Teaching Wireless LAN Security using Open Source Software

Transcription

1 Practical Approach in Teaching Wireless LAN Security using Open Source Software Mohd Azizi Sanwani & * Kamaruddin Mamat Centre for Diploma Programme, Multimedia University Cyberjaya, MALAYSIA * Faculty of Computer & Mathematical Science, Universiti Teknologi MARA, MALAYSIA azizi.sanwani@mmu.edu.my, kamar@tmsk.uitm.edu.my Abstract Security plays a major role in today s networking especially in wireless field where widespread deployment of wireless local area network (WLAN) has changed the circumstances in maintaining secure network. While both network security and wireless networking has become major subjects in many computer science courses throughout the world, teaching the concept from theoretical standpoint is vastly different from real world scenarios. This paper presents several hands-on scenarios to depict flaws in typical wireless security implementation by using Open Source Software (OSS) as the tool for simulated attacks. Sanwani, M.A. & Mamat, K. (2011). Practical Approach in Teaching Wireless LAN Security using Open Source Software. Malaysian Journal of Educational Technology, 11(2), pp Introduction WLAN has been proven to be highly beneficial by improving the productivity, decreasing the infrastructure cost and resolving business continuity issues. However these advantages also come with several downsides. The most apparent is the concern for its security. The physical nature of wireless propagation has rendered the conventional approach in securing the network to be ineffective. In the conventional wired LAN setting, the attacker must first, either have to bypass the firewall or have physical access to the available LAN port inside the network before he is able to tap into the intended network. In contrast, in WLAN this limitation has become irrelevant as it uses entirely different approach with regards to the physical medium as it works by transmitting and receiving packets via radio-frequency. The downside is that it may radiate the transmission beyond the intended area and users. Anyone within the coverage is able to intercept the communication. Furthermore, the early WLAN architecture was engineered with ease of use as the major criteria and security was added almost as an afterthought. Consequently, it leads to certain flaws in the encryption implementation that could potentially jeopardize the security of the network [1,2,3,4,5,6]. Methodology In conventional method, security subjects were usually taught using lecture/tutorial approach with heavy emphasis on theory. At present, to meet the ever changing security challenges, there is an urgent need for students to shift their mentality to better comprehend the attacker s mindset [7]. Using hands-on approach, this paper intends to highlight several scenarios whereby the potential threats of wireless LAN can be exposed by using OSS. In this manner, students are be able to learn about networking and security concepts such as radio frequency, authentication, encryption, Service Set Identifier (SSID) broadcasting, packet sniffing etc. by actually performing the attack in controlled environment [8, 9]. While it might introduce some controversy as some students might abuse the knowledge, there are several ways to mitigate the risks such as exposing the students with the ethical consideration and legal implication [10, 11]. Wireless Access Point Setup Wireless access point (WAP) should be first setup in isolated, stand-alone network in order to conduct the attacks in controlled environment and to avoid disrupting live network [9, 10]. The configurations can be demonstrated first by the instructor, followed by hands-on implementation by the students in order to ensure them to be accustomed with WAP configuration such as the selecting SSID name, encryption type; Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), or WPA2, password selection, MAC address filtering, SSID broadcasting etc. These configurations could be changed depending on the scenarios involved. ISSN

2 Hardware WLAN adaptor which has Linux driver support is compulsory as some scenarios require the adaptor to perform packet injection and switch into monitor mode. Handy references for suitable chipset can be found at [12]. Operating System As most computers have preinstalled Microsoft Windows XP/Vista/7, there are several approaches to go about in having a Linux system. The easiest method is to use Linux Live CD/DVD. Via this approach, no installation is required and no alteration can be made onto the system as it runs only in read-only mode. Alternatively, virtualization software such as VirtualBox [13] can be utilized. However, the most practical option is to have a fresh installation of Linux on the hard disk drive (dual boot) or on the flash drive. There are numerous Linux distributions available but Backtrack [14] would be an ideal choice as it has comprehensive software for penetration testing and digital forensic. WLAN Security Threats (5 Scenarios) WLAN face similar threats as conventional wired network. However, in addition it also has certain vulnerabilities which are unique to WLAN. The most prominent and frequently exploited are discussed as follow; Wardriving/piggybacking This act of locating WLAN is usually referred as casual eavesdropping. Despite its name it has evolved as an umbrella term for any method used to locate WLAN; walking, biking, etc. However, there is distinct difference between wardriving and piggybacking. While wardriving is strictly locating WLAN, piggybacking refers to the act of using the WLAN service without explicit permission or knowledge. WLAN without proper authentication or encryption mechanism are prone to this exploits using software such as Kismet [15]. Figure 1 Vulnerable WLANs exposed by Kismet scan Packet sniffing Due to the open nature of data transmission in WLAN, the access is available to anyone within range. Therefore, there is possibility that the packets would be captured by unauthorized person. The threat become more serious if there is no encryption mechanism in place, thus sensitive or personal information are prone to public disclosure. Tool such as Wireshark [16] is usually used for eavesdropping and to further analyse the captured packets to discover any useful information or flaws. ISSN

3 Malaysian Journal of Educational Technology Figure 2 Captured packets revealed visited website MAC spoofing Most WAP come with built-in capability of MAC address filtering. Via this approach, only selected client as specified in the safe list will be allowed access as shown in Figure 3. This restriction is due to the assumption that MAC address is unique to any devices. Security mechanism by MAC filtering can easily be bypassed as the attacker can masquerade as authorized user by spoofing the MAC address [17]. Figure 3 Example of MAC address filtering scheme in Linksys WAP WEP attack While WEP encryption has been proved to be insecure and can easily be cracked [1], [2], [3], it is one of the most widely used encryption in WLAN and still being incorporated as an encryption option in new WAP from vendor such as Linksys. For this attack, the motivation is to capture enough Initialisation Vector (IV), which is a set of random bits used as seed for RC4 cipher. To replicate busy traffic in typical WLAN, a technique known as packet injection can be performed to force WAP to retransmit selected packets quickly. Once sufficient amount IV has been collected, the WAP can be considered to be compromised as it can easily be cracked using Aircrack [18]. ISSN

4 WPA/WPA2 Pre-Shared Key (PSK) dictionary attack WPA and its successor, WPA2 were developed to rectify the security flaws in WEP encryption. Although it does solve most of the deficiencies in WEP, unfortunately it also had created another potential attack vector; dictionary attack. Since this discovery, several tools has been developed that capable of mounting successful attack on WPA/WPA2 PSK enabled WLAN [18, 19]. The key components to mount this attack are password files which is a compilation of common password or generated wordlist and the four-way handshake i.e. Extensible-Authentication-Protocol-Over-LAN (EAPOL). Dictionary attack is a realistic approach as it limits the amount of possible passwords to be tested by exploiting the human tendency of choosing weak passwords [20]. Good password files are available for download at [21, 22, 23]. The first phase is to capture the four-way handshake of the target WAP. The detail of the target client (i.e. channel, MAC address) can be obtained from Kismet scan. There are several scenarios whereas the fourway handshakes occur. The typical one is when a legitimate client is associating with the AP. Thus, the attacker needs to wait for any wireless client to associate in order to capture the handshake. However, there is an alternative method to speed up this process by deauthenticating a target client from the WLAN; packets can be sent to disrupt the communication between target and WAP thus forcing it to reauthenticate. This attack is practically a Denial of Service (DoS). The final step in this attack is to crack the WPA/WPA2 PSK by replicating the WPA/WPA2 initialization process to match the password list using Aircrack [18]. However, the attack will ultimately fail if the passphrase used does not exist in the password list. This would be a good lesson in choosing secure password for security purpose [8]. Figure 4 Successful WPA-PSK attack via Aircrack Discussion By implementing this method, students can gain hands-on experience in configuring and setting up a secure wireless network. The exposure from this practical exercise will ensure that the student acquire some insight into the offensive security field, which will expand their awareness for the need of real world security solutions [7, 11]. Furthermore, by using OSS to replicate actual attack on WLAN, students are in a better position to appreciate the theory that they learn in class [9]. Hands-on approach also promotes active learning and improves communication skills among the students. Consequently, majority of students demonstrate high interest in the subject and explore the topic further beyond the classroom [8], ISSN

5 [9]. Nevertheless, there are two aspects that must be imparted wisely by the instructor; the ethical consideration and legal ramification due to abuse of this know-how [10, 11]. Conclusion We had described five real-world attacks that can be simulated in a controlled environment to encourage awareness and enhance the understanding of WLAN security among students. This hands-on approach can be considered indispensable component of network security subject in this modern era as it balances the conventional method that put emphasis on theoretical knowledge with practical activities that promote active learning so that students would be more involved and motivated. Students who are exposed with this approach can be expected to be competent and self-assured in dealing with the complexity of network security once they enter the industry in the future. References [1] Fluhrer, Mantin & Shamir - Weaknesses in the Key Scheduling Algorithm of RC4, - Retrieved April 1, 2011 [2] Bittau, A., Handley, M. & Lackey, J. - The Final Nail in WEP's Coffin, - Retrieved April 1, 2011 [3] Tews, E., Pychkine, A. & Weinmann, R.P. - Breaking 104 bit WEP in less than 60 seconds, - Retrieved April 1, 2011 [4] Beck, M. & Tews,E. - Practical Attacks Against WEP and WPA, - Retrieved April 1, 2011 [5] Ohigashi, T. & Morii, M. - A Practical Message Falsification Attack on WPA, 20Attack%20on%20WPA.pdf - Retrieved April 1, [6] WPA2 Hole196 Vulnerability Airtight Networks, Hole196 - Retrieved April 1, 2011, [7] Bratus, S., Shubina, A. & Locasto, M.E. (2010). Teaching the Principles of the Hacker Curriculum to Undergraduates, Proceedings of the 41st ACM Technical Symposium on Computer Science Education, March 10-13, 2010, Wisconsin, USA [8] José Carlos Brustoloni. Laboratory Experiments for Network Security Instruction, Journal on Educational Resources in Computing (JERIC), v.6 n.4, p.5-es, December 2006 [9] Wulf, T. (2003). Implementing a Minimal Lab for an Undergraduate Network Security Course, Journal of Computing Sciences in Colleges, Vol. 19, No. 1, pp , October 2003 [10] P. Y. Logan & A. Clarkson, "Teaching students to hack: Curriculum issues in information security," in Proceedings of the 36th SIGCSE Technical Symposium on Computer Science Education St. Louis, Missouri, USA: ACM, [11] B. Pashel, A.B. - "Teaching students to hack: Ethical implications in teaching students to hack at the university level," in Proceedings of the 3rd annual Conference on Information Security Curriculum Development Kennesaw, Georgia: ACM, [12] Backtrack 4 Wiki, Wireless driver, - Retrieved April 1, [13] VirtualBox, - Retrieved April 1, [14] Backtrack 4, - Retrieved April 1, [15] Kismet, - Retrieved April 1, [16] Wireshark, - Retrieved April 1, [17] GNU MAC Changer, - Retrieved April 1, [18] Aircrack-ng suite, - Retrieved April 1, [19] CoWPAtty, - Retrieved April 1, [20] Jianxin Yan, Alan Blackwell, Ross Anderson, Alasdair Grant. The Memorability and Security of Passwords - Some Empirical Results, - Retrieved April 1, [21] Openwall wordlist, Retrieved April 1, [22] RenderLab wordlist, - Retrieved April 1, [23] Xploitz Master Password Collection, _Master_Password_Collection. Retrieved April 1, ISSN