Universiti Teknologi MARA

802.11 MAC Layer Sniffer Using Spoof Detection Algorithm

Azwan Abdul Satar

Thesis submitted in fulfillment of the requirements for Bachelor of Science (Hons) Information Technology

Faculty of Information Technology and Quantitative Science

MAY 2007
APPROVAL

802.11 MAC LAYER SNIFFER USING SPOOF DETECTION ALGORITHM

by AZWAN ABDUL SATAR

This thesis project was prepared under the supervision of the Final Year Project Coordinator, Puan Sofianita Mutalib, and thesis supervisor, Puan Nik Mariza Nik Abdul Malik. It was submitted to the Faculty of Information Technology and Quantitative Science and was accepted in partial fulfillment of the requirements for the degree of Bachelor of Science.

Approved by:

NIK MARIZA NIK ABDUL MALIK
Thesis Supervisor
MAY 2007
DECLARATION

I certify that this thesis and the research to which it refers are the product of my own work and that any ideas or quotations from the work of other people, published or otherwise, are fully acknowledged in accordance with the standard referencing practices of the discipline.

MAY 15, 2007
AZWAN ABDUL SATAR
2005808069
ACKNOWLEDGEMENT

First of all I thank almighty Allah, who through His grace and blessing has supported me during these times. I am greatly indebted to my supervisor, Puan Nik Mariza Nik Abdul Malik. This thesis would not have been completed without her attentive support. I am very thankful for her valuable guidance and comments. This research could not have been completed without the help and support of my housemates, Encik Aznor Zamhuri, Encik Faizul Nizam and Encik Rashidee Roslee, in lending me their laptops for the purpose of experimentation in this research. I am very grateful to all of them. I owe a lot to my parents, brothers and sisters for accepting my absence during my study. They have been a constant source of patience and encouragement. Finally, I would like to express my gratitude to all lecturers of the Faculty of Information Technology and Quantitative Science, who have imparted their knowledge to me, and to all my fellow friends who have given me support directly or indirectly.

Azwan Abdul Satar
TABLE OF CONTENTS

CONTENT                                                          PAGE
ACKNOWLEDGEMENT                                                  iv
LIST OF TABLES                                                   viii
LIST OF FIGURES                                                  ix
LIST OF ABBREVIATIONS                                            x
ABSTRACT                                                         xi

CHAPTER ONE: INTRODUCTION
1.0 Introduction                                                 1
1.1 Problem Statement                                            2
1.2 Objectives                                                   3
1.3 Scope                                                        4
1.4 Significance of the Research                                 4

CHAPTER TWO: LITERATURE REVIEW
2.0 Introduction                                                 5
2.1 IEEE 802.11                                                  5
2.1.1 IEEE 802.11 Link Layer Frame                               7
2.1.1[a] Management Frames                                       8
2.1.1[b] Control Frames                                          11
2.1.1[c] Data Frames                                             12
2.1.2 Prism Monitor Header                                       12
2.2 Sniffing                                                     13
2.2.1 Sniffer                                                    13
2.3 MAC Address Spoofing                                         14
2.3.1 MAC Address Spoofing Attack                                15
2.3.1[a] Deauthentication/Disassociation                         15
2.3.1[b] Power Saving DoS                                        16
2.3.1[c] Rogue Access Points                                     17
2.3.2 MAC Address Spoofing Detection                             17
2.3.2[a] Sequence Number-Based MAC Address Spoof Detection       18

CHAPTER THREE: METHODOLOGY
3.0 Introduction                                                 22
3.1 Project Methodology and Approaches                           22
3.1.1 Project Planning                                           24
3.1.2 Analysis                                                   25
3.1.2[a] Controlled Experimentation                              25
3.1.2[b] Result of Analysis                                      30
3.1.3 Development                                                44
3.1.4 Evaluation & Testing                                       46
3.1.4[a] Alpha Evaluation & Testing                              46
3.1.5 Report Writing and Documentation                           47

CHAPTER FOUR: FINDINGS AND DISCUSSION
4.0 Introduction                                                 48
4.1 Testing the Wireless Sniffer from Live Packet Capture        48
4.2 Testing of Sniffer against Simulation of Wireless Traffic    51
4.2.1 Test Result of Sniffer under Normal Traffic                51
4.2.1[a] Frames Coming From an AP                                51
4.2.1[b] Frames Coming From a Station                            53
4.2.2 Test Result of Sniffer with Spoofing Activity              55
4.2.3 Test Result of Sniffer with AP Misconfiguration            56
4.2.4 Test Result of Sniffer under High Loss and Retransmit Frames  58

CHAPTER FIVE: CONCLUSION AND RECOMMENDATION
5.0 Introduction                                                 60
5.1 Advantages                                                   60
5.2 Limitation                                                   61
5.3 Recommendation and Future Work                               63

REFERENCES                                                       64
APPENDIX A: Source Code                                          66
LIST OF TABLES

TABLE                                                                    PAGE
2.1 IEEE 802.11 Standard                                                 5
3.1 Frame Type, Subtype and Flag Control Table                           32
4.1 Result Table for Frames Coming from AP under Normal Condition        52
4.2 Result Table for Frames Coming from Station under Normal Condition   54
4.3 Result Table for Frames with Spoofing Activity                       55
4.4 Result Table with AP Misconfiguration                                57
4.5 Result Table under High Loss and Retransmitted Frames                59
LIST OF FIGURES

FIGURE                                                                         PAGE
2.1 802.11 Frame Structure                                                     7
2.2 802.11 Frame Sequence Control                                              8
2.3 SMAC Graphical User Interface                                              14
2.4 Graphical Depiction of the Deauthentication Attack                         16
3.1 Flowchart of the Methodology Used                                          23
3.2 Raw IEEE 802.11 Capture Data                                               30
3.3 Prism Header                                                               31
3.4 Frame Type, Subtype and Flag Control                                       32
3.5 Source MAC Address                                                         33
3.6 Source MAC Address of Data Frame                                           33
3.7 Sequence Number                                                            34
3.8 Distribution of Sequence Number Gap for Frames Coming From AP              36
3.9 Distribution of Sequence Number Gap for Frames Coming From Station         37
3.10 Spoofing Simulation of Frames Sequence Number Gap                         39
3.11 Distribution of Sequence Number Gap for AP Misconfiguration               40
3.12 Distribution of Sequence Number Gap for High Retransmit and High Loss     42
4.1 Distribution of Sequence Number Gap for Frames Coming From an AP           52
4.2 Distribution of Sequence Number Gap for Frames Coming from Station         53
4.3 Spoofing Simulation of Frames Sequence Number Gap                          55
4.4 Distribution of Sequence Number Gap for AP Misconfiguration                56
4.5 Distribution of Sequence Number Gap for High Retransmit and High Loss      58
LIST OF ABBREVIATIONS

ACK   Acknowledgement
AP    Access Point
BSS   Basic Service Set
CTS   Clear to Send
IBSS  Independent Basic Service Set
IEEE  Institute of Electrical and Electronics Engineers
LAN   Local Area Network
MAC   Media Access Control
OSI   Open System Interconnection
OUI   Organizational Unique Identifier
RF    Radio Frequency
RTS   Request to Send
RSSI  Received Signal Strength Indication
SDLC  System Development Life Cycle
SNR   Signal Noise Ratio
SSID  Service Set Identifier
SQ    Signal Quality
WEP   Wired Equivalent Privacy
WLAN  Wireless Local Area Network
WPA   Wi-Fi Protected Access
ABSTRACT

The explosive growth of 802.11 networks has coincided with an increased presence of security threats to these networks. A large portion of these threats take the form of spoof attacks. Spoof attacks involve impersonating an authorised network client to access network resources or to launch malicious code. If security in a wireless network is already in doubt, the situation is made worse by its performance. Radio interference, attenuation, channel overlapping, sharing of bandwidth and the overhead of the wireless protocol are known to degrade wireless network performance. This paper presents a wireless sniffer monitoring tool, as well as the analysis and development process of constructing it. The goal is to design a wireless sniffer that can automatically detect spoofing and provide simple network statistics. The wireless sniffer implements a sequence number-based spoofing detection algorithm in its processing. The information it provides on both security and connectivity problems of a wireless network can be generated by sniffing real-time frame captures using a wireless adaptor or by automated log analysis of a static pcap file. The wireless sniffer prototype was evaluated against four wireless traffic simulations: normal traffic, spoofing, AP misconfiguration, and high loss and retransmitted frames. The results of these tests showed that the wireless sniffer was able to identify all normal gaps, spoofing, high gaps between successive frames, out-of-order frames and retransmitted frames. Furthermore, at the end of its execution the sniffer provides simple network statistics, allowing the user to detect abnormal traffic such as a high gap between the sequence numbers of successive frames or a high percentage of retransmitted frames sent by a source. This indicates that the wireless network may have been misconfigured or that some station may suffer from availability and connectivity issues.

These characteristics of the wireless sniffer provide a foundation for the development of more advanced monitoring tools that explicitly leverage the sequence number field in the IEEE 802.11 MAC header.
CHAPTER ONE

INTRODUCTION

1.0 Introduction

The development of wireless networks has moved connectivity into the era of mobile computing. Enterprises, small businesses and even homes have been deploying wireless networking in their computing environments. Unfortunately, the migration to wireless networks has a downside, as consumers overlook the drawbacks of wireless networks compared with wired networks. The speed advertised by manufacturers of wireless products and the promise of mobility are not without a catch. Being a shared-medium network, all traffic transmitted on the network passes through public airwaves. Because of this, the built-in security of wired networks, that is the inaccessibility of the transmission medium itself (the physical wires), is no longer available in wireless networks. Furthermore, in wireless networks eavesdropping by unauthorised users is virtually impossible to detect, because the radio frequency (RF) signal propagates beyond the physical boundary. If security in a wireless network is already in doubt, the situation is made worse by its performance. Radio interference, attenuation, channel overlapping, sharing of bandwidth and the overhead of the wireless protocol are known to degrade wireless network performance.
Growth in wireless network development has been directed toward better infrastructure, with a strong emphasis on security. However, deploying a wireless network puts more burden on the administrator to assess the security threats to, and the reliability of, the wireless network. This paper presents a wireless sniffer monitoring tool, as well as the analysis and development process of constructing it. The goal is to design a wireless sniffer that can automatically detect spoofing and provide simple network statistics. The wireless sniffer implements a sequence number-based spoofing detection algorithm in its processing. The information it provides on both security and connectivity problems of a wireless network can be generated by sniffing real-time frame captures using a wireless adaptor or by automated log analysis of a static pcap file.

1.1 Problem Statement

The security threat to wireless networks is overwhelming, although vendors and standards bodies are working rigorously to deploy more advanced security measures and newer 802.11 wireless standards to bring some peace of mind to consumers. For a network administrator, maintaining a wireless network means offering more flexibility to network users in terms of mobile freedom. However, the part where security is a crucial priority remains a cumbersome task. This is made worse by the complexity of deploying and maintaining a wireless network that provides the freedom of mobility without compromising connectivity. It is without doubt that network administrators are equipped with an arsenal of monitoring software to measure both the security and the performance of their wireless network. Ranging from off-the-shelf utilities, regardless of whether the software
is open source or a proprietary product, it is up to the network administrator to develop the fundamental knowledge of how to treat the vast information those tools produce about the wireless network, for better security and availability. The particular issues of security and connectivity of wireless networks discussed in this research are MAC address spoofing and high loss and retransmitted frames. MAC address spoofing in a wireless network, which exploits a link layer vulnerability, is a common attack in which an authenticated station is impersonated to gain access to the network. The implementation of a sequence number-based spoofing detection algorithm in a wireless sniffer tries to accomplish the goal of an automated monitoring tool for network administrators to detect spoofing activity. In addition, as part of its network statistics gathering, the wireless sniffer can provide a more reliable percentage of duplicate frames over the total frames sent per source station. A high percentage of retransmitted frames indicates that the station may suffer from a connectivity problem. The purpose of this paper is to enrich the repository of wireless tools available to network administrators by manipulating 802.11 data link layer frames in combination with the sequence number analysis technique.

1.2 Objectives

The objectives of this research are:

To conduct a study on the underlying 802.11 data link layer frames for frame sniffing analysis.
To experiment on a set of wireless frame traffic transactions to which MAC address sequence number spoofing analysis can be applied.
To develop a tool that can identify spoofing and provide simple network statistics using sequence number analysis in a wireless environment.
1.3 Scope

The scope of this project is to conduct a study of how 802.11 data link layer frames can be processed using sequence number analysis to identify spoofing and gather information about a wireless network. With the knowledge and understanding attained, a wireless sniffer tool is developed to automate spoofing detection and provide simple network analysis.

1.4 Significance of the Research

The significance of the research is to provide an understanding of how 802.11 data link layer frames can be manipulated to allow a spoofing detection mechanism and network information gathering using sequence number analysis. With this understanding, it is hoped that the tool developed will complement the repository of network monitoring software and reduce dependence on off-the-shelf software, especially proprietary software that does not provide source code. As the tool was developed in the Perl programming language, it allows modification that can offer more flexibility in its processing.
CHAPTER TWO

LITERATURE REVIEW

2.0 Introduction

This chapter concerns the subject matter and issues of the research. It attempts to define and explain IEEE 802.11 frames, network sniffing, MAC address spoofing and spoofing detection using the sequence number algorithm.

2.1 IEEE 802.11

802.11 is an industry standard developed by the Institute of Electrical and Electronics Engineers (IEEE) for Wireless Local Area Networks (WLANs). The original 802.11 standard was defined in 1997, followed by 802.11a and 802.11b in 1999 and the latest, 802.11g, in 2003. These standards operate in the Industrial, Scientific and Medical (ISM) frequency bands. Please refer to Table 2.1.

Table 2.1: IEEE 802.11 Standard

IEEE Standard   Data Rate (Speed)   Radio Frequency Band
802.11          1-2 Mbps            2.4 GHz
802.11a         Up to 54 Mbps       5.8 GHz
802.11b         5.5-11 Mbps         2.4 GHz
802.11g         Up to 54 Mbps       2.4 GHz
The IEEE 802.11 standard allows two different ways to configure a wireless network: ad hoc and infrastructure. In ad hoc mode, stations communicate directly with each other on a peer-to-peer level, sharing a given cell coverage area. This type of network is often formed on a temporary basis and is commonly referred to as an ad hoc network or Independent Basic Service Set (IBSS). In most deployments, the nodes are connected to an access point (AP); this is known as infrastructure mode. These access points are sometimes connected to landlines to widen the LAN's reach by bridging wireless nodes to wired nodes. When an AP is present, stations do not communicate on a peer-to-peer basis: all communication between stations, or between a station and a wired network client, goes through the AP. A BSS in this configuration is said to be operating in infrastructure mode. IEEE 802.11 applies to the lowest two layers of the Open System Interconnection (OSI) protocol stack, namely the physical layer and the data link layer. The physical layer standard specifies the signalling techniques used and the implementation of media-specific functions. The data link layer defines the frame transmission structure for control, data and management messages and the architecture for data transmission across a WLAN (IEEE, 1999).
2.1.1 IEEE 802.11 Link Layer Frame

The IEEE 802.11 standard (IEEE, 1999) defines three frame types used by both wireless adaptors and access points for communication. The three frame types are:

Management Frame
Control Frame
Data Frame

Every frame, regardless of its type, has a Frame Control field that carries the 802.11 protocol version, the frame type and an indicator of whether the WEP or WPA security mechanism is enabled. All frames contain the MAC addresses of the source, the destination station and the access point, the frame sequence number, the frame body and a frame check sequence for error detection. The 802.11 frame structure is illustrated in Figure 2.1.

Figure 2.1: 802.11 Frame Structure (MAC header: Frame Control (2 octets), Duration/ID, Address 1, Address 2, Address 3, Sequence Control, Address 4; followed by Frame Body (0-2312 octets) and FCS)

A particularly important part of the IEEE link layer with respect to this research is the Sequence Control field. This 16-bit field is used for both defragmentation and discarding of duplicate frames. It is composed of a 4-bit fragment number field and a 12-bit sequence number field. The fragment number numbers the fragments of a fragmented frame, starting from one and incrementing by one for each following fragment. The sequence number is used for reassembly of MAC layer frames. The IEEE 802.11 standard requires that the sequence number of each frame be assigned from a counter variable of modulo 4096. Each successive frame increments the counter by one, while a retransmitted frame keeps its sequence number unchanged. Please refer to Figure 2.2 for the 802.11 frame sequence control structure.
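The header layout and the Sequence Control field described above, parsed from raw frame bytes and fed to a per-transmitter sequence-number tracker of the kind this thesis builds, as an added example in Python (the thesis's own sniffer is written in Perl and is not reproduced here). It also computes the per-source retransmit percentage that Section 1.1 names as a network statistic. Bit positions in the Frame Control field follow the 802.11-1999 layout (type in bits 2-3, subtype in bits 4-7, Retry in bit 11); the sample frames, the two addresses, the gap thresholds HIGH_GAP and BACKWARD_WINDOW, and the interleaved-counter rule used to tell a suspected spoof from a plain high gap are this example's own constructed assumptions, not values or rules taken from the thesis.

```python
"""Parse the 802.11 MAC header and classify frames by sequence-number gap.

Added example, not the thesis's Perl sniffer.  Sample frames, addresses and
the gap thresholds below are constructed for illustration.
"""
import struct
from collections import defaultdict

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
SEQ_MODULO = 4096        # the 12-bit sequence counter wraps at 4096
HIGH_GAP = 64            # assumed: a forward jump of this size or more is suspicious
BACKWARD_WINDOW = 64     # assumed: a jump back by less than this is out of order


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def parse_header(frame):
    """Decode the MAC header.  Control frames carry no Sequence Control field,
    so for them only Frame Control, Duration and Address 1 are returned."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    hdr = {
        "type": FRAME_TYPES.get((fc >> 2) & 0x3, "reserved"),
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & 0x0100), "from_ds": bool(fc & 0x0200),
        "more_frag": bool(fc & 0x0400), "retry": bool(fc & 0x0800),
        "protected": bool(fc & 0x4000),          # WEP/WPA bit of the flags byte
        "duration": duration, "addr1": mac_str(frame[4:10]),
    }
    if hdr["type"] == "control":
        return hdr
    hdr["addr2"] = mac_str(frame[10:16])         # transmitter (sender) address
    hdr["addr3"] = mac_str(frame[16:22])
    seq_ctl, = struct.unpack_from("<H", frame, 22)
    hdr["fragment"] = seq_ctl & 0xF              # low 4 bits
    hdr["sequence"] = seq_ctl >> 4               # high 12 bits
    hdr_len = 30 if hdr["to_ds"] and hdr["from_ds"] else 24   # Address 4 only with both DS bits
    hdr["body"] = frame[hdr_len:]                # FCS, if the driver kept it, is the last 4 bytes
    return hdr


class SequenceTracker:
    """Judge each frame by the gap between its sequence number and the last
    one seen from the same transmitter; count retransmits per source."""

    def __init__(self):
        self.history = defaultdict(list)   # src -> last two sequence numbers
        self.stats = defaultdict(lambda: {"frames": 0, "retransmits": 0})

    def observe(self, hdr):
        src, seq = hdr["addr2"], hdr["sequence"]
        st, hist = self.stats[src], self.history[src]
        st["frames"] += 1
        verdict = "first"
        if hist:
            gap = (seq - hist[-1]) % SEQ_MODULO
            if gap == 0:
                verdict = "retransmit" if hdr["retry"] else "duplicate"
                st["retransmits"] += 1 if hdr["retry"] else 0
            elif gap == 1:
                verdict = "normal"
            elif gap < HIGH_GAP:
                verdict = "loss"               # a few frames the sniffer did not hear
            elif gap > SEQ_MODULO - BACKWARD_WINDOW:
                verdict = "out-of-order"
            else:
                verdict = "high-gap"
            # Two counters interleaving under one MAC: this frame continues the
            # counter seen two frames ago while jumping away from the last one.
            if (verdict in ("out-of-order", "high-gap") and len(hist) == 2
                    and 0 < (seq - hist[0]) % SEQ_MODULO < HIGH_GAP):
                verdict = "spoof-suspected"
        hist.append(seq)
        del hist[:-2]
        return verdict

    def retransmit_percent(self):
        return {src: round(100.0 * s["retransmits"] / s["frames"], 1)
                for src, s in self.stats.items()}


def build_frame(ftype, subtype, seq, src, retry=False):
    """Constructed 24-byte header: broadcast DA, src as both SA and BSSID."""
    fc = (ftype << 2) | (subtype << 4) | (0x0800 if retry else 0)
    return (struct.pack("<HH", fc, 0) + b"\xff" * 6 + mac_bytes(src)
            + mac_bytes(src) + struct.pack("<H", seq << 4))


STATION, AP = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"   # constructed addresses
SAMPLE_FRAMES = [
    build_frame(2, 0, 100, STATION), build_frame(2, 0, 101, STATION),
    build_frame(2, 0, 101, STATION, retry=True),   # ACK lost, same sequence number
    build_frame(2, 0, 102, STATION),
    build_frame(2, 0, 3000, STATION),              # second radio using STATION's MAC
    build_frame(2, 0, 103, STATION), build_frame(2, 0, 3001, STATION),
    build_frame(2, 0, 104, STATION),
    build_frame(0, 8, 4095, AP), build_frame(0, 8, 0, AP),   # beacons across the wrap
    build_frame(0, 8, 1, AP),
    build_frame(0, 8, 4094, AP),                   # late frame, out of order
    struct.pack("<HH", (1 << 2) | (13 << 4), 0) + mac_bytes(STATION),  # ACK: no sequence
]


def analyse(frames):
    """Return (verdict per sequenced frame, retransmit percentage per source)."""
    tracker, verdicts = SequenceTracker(), []
    for frame in frames:
        hdr = parse_header(frame)
        if hdr["type"] != "control":
            verdicts.append(tracker.observe(hdr))
    return verdicts, tracker.retransmit_percent()


if __name__ == "__main__":
    print(*analyse(SAMPLE_FRAMES), sep="\n")
```

The tracker keys on Address 2 because that is the transmitter of a management or data frame; control frames such as ACK have no Sequence Control field and are skipped rather than misread. A retried frame keeps its number, so gap 0 with the Retry bit set is counted as a retransmit, while a gap of 0 without it is reported as a duplicate.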
Figure 2.2: 802.11 Frame Sequence Control (MAC header fields: Frame Control (2 bytes), Duration/ID, Address 1 (receiver), Address 2 (sender), Address 3 (filtering), Sequence Control, Address 4 (optional), Frame Body, FCS; the Sequence Control field is split into a 4-bit Fragment Number and a 12-bit Sequence Number)

2.1.1[a] Management Frames

IEEE (1999) defined that 802.11 management frames enable stations to establish and maintain communications. The following are common 802.11 management frame subtypes:

Authentication frame: 802.11 authentication is a process whereby the access point either accepts or rejects the identity of a wireless adaptor. The wireless adaptor begins the process by sending an authentication frame containing its identity to the access point. With open system authentication, the wireless station sends only one authentication frame, and the access point responds with an authentication frame indicating acceptance. With the optional shared key authentication, the wireless adaptor sends an initial authentication frame, and the access point responds with an authentication frame containing challenge text. The wireless station must send an encrypted version of the challenge text, using its WEP key, in an authentication frame back to the access point. The access point ensures that the wireless station has the correct WEP key by
seeing whether the challenge text recovered after decryption is the same as what was sent previously.

Deauthentication frame: A station sends a deauthentication frame to another station if it wishes to terminate secure communications.

Association request frame: 802.11 association enables the access point to allocate resources and synchronise with a wireless station. A wireless station begins the association process by sending an association request to an access point. This frame carries information about the wireless station, such as supported data rates and the SSID of the network it wishes to associate with. After receiving the association request, the wireless station is considered to be associating with the access point.

Association response frame: An access point sends an association response frame containing an acceptance or rejection notice to the wireless station requesting association. If the access point accepts the wireless station, the frame includes information regarding the association, such as the association ID and supported data rates. Once the association is accepted by the access point, the wireless station can use the access point to communicate with other wireless stations on the network and with the resources of the network, such as a wired LAN or Internet access, connected to the access point.

Reassociation request frame: If a wireless station roams away from the currently associated access point and finds another access point with a stronger beacon signal, the wireless station sends a reassociation frame to the new access point. The new access point then coordinates the forwarding of data frames that may still be in the buffer of the previous access point, waiting for transmission to the wireless station.
Reassociation response frame: An access point sends a reassociation response frame containing an acceptance or rejection notice to the wireless station requesting reassociation. As in the association process, the frame includes information regarding the association, such as the association ID and supported data rates.

Disassociation frame: A station sends a disassociation frame to another station if it wishes to terminate the association. For example, a wireless station that is shut down gracefully can send a disassociation frame to alert the access point that the station is powering off. The access point can then release its memory allocations and remove the wireless station from the association table.

Beacon frame: The access point periodically sends a beacon frame to announce its presence and relay information, such as the timestamp, SSID and other parameters regarding the access point, to wireless stations within range. Wireless stations continually scan all 802.11 radio channels and listen to beacons as the basis for choosing which access point is best to associate with.

Probe request frame: A station sends a probe request frame when it needs to obtain information from another station. For example, a wireless station would send a probe request to determine which access points are within range.

Probe response frame: A station responds with a probe response frame, containing capability information and supported data rates, after it receives a probe request frame.
2.1.1[b] Control Frames

IEEE (1999) defined that 802.11 control frames assist in the delivery of data frames between stations. The following are common 802.11 control frame subtypes:

Request to Send (RTS) frame: The RTS/CTS function is optional and reduces frame collisions when hidden stations are associated with the same access point. A station sends an RTS frame to another station as the first phase of the two-way handshake required before sending a data frame.

Clear to Send (CTS) frame: A station responds to an RTS with a CTS frame, giving the requesting station clearance to send a data frame. The CTS includes a time value that causes all other stations to hold off transmitting frames for the period the requesting station needs to send its frame. This minimises collisions among hidden stations, which can result in higher throughput if properly implemented.

Acknowledgement (ACK) frame: After receiving a data frame, the receiving station runs an error checking process to detect the presence of errors. The receiving station sends an ACK frame to the sending station if no errors are found. If the sending station does not receive an ACK after a period of time, it retransmits the frame.
2.1.1[c] Data Frames

802.11 data frames carry protocols and data from higher layers within the frame body. A data frame, for example, could be carrying the HTML code of a Web page.

2.1.2 Prism Monitor Header

The Prism monitor header is not part of the IEEE 802.11 frame header; it is generated by the firmware of the receiving card. The header includes useful physical layer information, such as MAC time, Received Signal Strength Indication (RSSI), Signal Quality (SQ), signal strength, noise, Signal Noise Ratio (SNR) and data rate. All signal and noise information is in manufacturer-specific units; however, it can be used for relative comparison (Jihwang et al., 2004).
2.2 Sniffing

Sankar et al. (2005) refer to sniffing as eavesdropping on packets or frames on any medium; in this research, the air medium. The air medium provides the best environment for sniffing as it is undetectable. Sniffing is the best way to figure out what is happening on a network. The result of sniffing is information about the network in the form of a packet or frame capture. However, the packets or frames must be analysed in order to understand what information they carry.

2.2.1 Sniffer

Howlett (2004) stated that sniffers are generally specific to the type of network they work on. That is, the type of sniffer is associated with the type of protocol it can analyse. A sniffer enables network traffic to be analysed for specific patterns, to troubleshoot specific problems, to spot suspicious behaviour, and can even be abused for reconnaissance of a network before launching attacks. Sniffers operate at the lower levels of the OSI model, the physical and data link layers.
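The frame capture that sniffing yields still has to be read back before it can be analysed, and the abstract's "static pcap file" mode means reading it from disk. The following is an added example in Python, not code from the thesis, of walking a classic pcap file record by record and stripping the Prism monitor header of Section 2.1.2 from each frame when the capture's link type says one is present. The capture bytes are constructed in memory so the block runs offline. The pcap layout (24-byte global header, 16-byte record headers, byte order given by the magic number, link types 105 for bare 802.11 and 119 for Prism) is the standard libpcap format; the Prism item layout assumed here (a 144-byte header of message code, message length, device name and ten 12-byte items identified by DIDs 0x1041 to 0x104a, with status 0 meaning the item is supplied) follows the linux-wlan-ng convention and should be checked against the capture driver in use.

```python
"""Walk the records of a classic pcap file and return the raw 802.11 frame of
each, stripping the Prism monitor header when the link type says it is present.

Added example, not code from the thesis.  The capture is built in memory and
the Prism item layout is assumed to follow the linux-wlan-ng format.
"""
import struct

DLT_IEEE802_11 = 105      # records are bare 802.11 frames
DLT_PRISM_HEADER = 119    # records start with a Prism monitor header
MAGICS = {                # magic number -> (struct byte order, fraction unit)
    0xA1B2C3D4: ("<", 1e-6), 0xA1B23C4D: ("<", 1e-9),
    0xD4C3B2A1: (">", 1e-6), 0x4D3CB2A1: (">", 1e-9),
}
PRISM_DIDS = {            # assumed item identifiers (linux-wlan-ng convention)
    0x1041: "hosttime", 0x1042: "mactime", 0x1043: "channel", 0x1044: "rssi",
    0x1045: "sq", 0x1046: "signal", 0x1047: "noise", 0x1048: "rate",
    0x1049: "istx", 0x104A: "frmlen",
}


def read_pcap(blob):
    """Yield (timestamp in seconds, link type, record bytes) for every record."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file")
    order, tick = MAGICS[magic]
    snaplen, link_type = struct.unpack_from(order + "II", blob, 16)
    off = 24
    while off + 16 <= len(blob):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(order + "IIII", blob, off)
        off += 16
        if incl_len > snaplen or off + incl_len > len(blob):
            raise ValueError(f"corrupt record at offset {off - 16}")
        # orig_len > incl_len would mean the sniffer cut this frame at snaplen
        yield ts_sec + ts_frac * tick, link_type, blob[off:off + incl_len]
        off += incl_len


def parse_prism_header(rec):
    """Return (radio info dict, offset at which the 802.11 frame starts)."""
    msgcode, msglen = struct.unpack_from("<II", rec, 0)
    info = {"devname": rec[8:24].split(b"\0", 1)[0].decode("ascii", "replace")}
    off = 24
    while off + 12 <= msglen:
        did, status, length, value = struct.unpack_from("<IHHI", rec, off)
        if status == 0:                    # assumed: status 0 = item supplied
            info[PRISM_DIDS.get(did, hex(did))] = value
        off += 12
    return info, msglen


def extract_frames(blob):
    """Return [(timestamp, radio info, raw 802.11 frame), ...] for a capture."""
    frames = []
    for ts, link_type, rec in read_pcap(blob):
        if link_type == DLT_PRISM_HEADER:
            info, start = parse_prism_header(rec)
            frames.append((ts, info, rec[start:]))
        elif link_type == DLT_IEEE802_11:
            frames.append((ts, {}, rec))
        else:
            raise ValueError(f"unsupported link type {link_type}")
    return frames


# --- constructed capture for a stand-alone run ---------------------------------

def build_pcap(link_type, records):
    """Assemble a little-endian microsecond pcap file from (sec, usec, bytes)."""
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type)
    body = b"".join(struct.pack("<IIII", sec, usec, len(d), len(d)) + d
                    for sec, usec, d in records)
    return head + body


def build_prism_header(values, devname=b"wlan0"):
    """values: DID -> data; DIDs not given are written with status 1 (absent)."""
    out = struct.pack("<II", 0x0041, 144) + devname.ljust(16, b"\0")
    for did in sorted(PRISM_DIDS):
        present = did in values
        out += struct.pack("<IHHI", did, 0 if present else 1, 4, values.get(did, 0))
    return out


# constructed 24-byte beacon header: FC 0x0080, broadcast DA, AP as SA/BSSID, sequence 202
BEACON = bytes.fromhex("80000000" "ffffffffffff" "00aabbccddee" "00aabbccddee" "a00c")
CAPTURE = build_pcap(DLT_PRISM_HEADER, [
    (1178000000, 0,      build_prism_header({0x1044: 65, 0x1047: 12, 0x1048: 22}) + BEACON),
    (1178000000, 100000, build_prism_header({0x1044: 60, 0x1047: 12, 0x1048: 22}) + BEACON),
])

if __name__ == "__main__":
    for ts, info, frame in extract_frames(CAPTURE):
        print(f"{ts:.6f} rssi={info.get('rssi')} noise={info.get('noise')} "
              f"frame={frame.hex()}")
```

Reading the Prism message length from the header rather than hard-coding 144 keeps the frame offset right if a driver emits a different item count; the RSSI, noise and rate values are left in the manufacturer-specific units the text describes, so they are only meaningful relative to each other.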