0.0 - Introduction
According to INCIBE (the Spanish National Institute of Cybersecurity), nearly 8 out of 10 users connect to the Internet over wireless networks. The same report noted that around 43% of users do not adopt any security measures on their wireless connections. These figures hint at the need to implement, educate and train the general public in computer security, specifically in the wireless field.
Nowadays most computers and networks use wireless connections. This type of connection allows Internet access without the need for a physical cable network. The biggest advantage is that the computer can be used anywhere, at home or in the office, while in range of the wireless router. However, there are potential risks associated with wireless networks unless the network is properly protected, because any information sent or received could be intercepted off the air and the wireless network could be tampered with. If the wireless network is unprotected, shared files and data could be at risk and network performance could be compromised. Security is one of the most important issues when it comes to wireless networks. Since their birth, attempts have been made to ensure totally safe communication protocols, but with limited success. Unlike cable communications, where the information is contained in a very specific physical medium, in wireless communications the information is in the air, available to anyone who has the will and the means to intercept, analyze, and use it for malicious purposes.
To illustrate the process of penetration testing a wireless network, a great number of practices will be carried out throughout this work, simulating attacks against clients, wireless access points, cryptographic systems and commonly available authentication mechanisms. We start with a brief introduction to the most important characteristics of the wireless frames specified in the IEEE 802.11 standard, as well as a description of the testing laboratory where the practices were carried out.
0.1 - Wireless Local Area Network (WLAN)
For the purpose of having a thorough understanding of the subsequent chapters and the whole contents, it is necessary to make a brief introduction to the main features and characteristics of wireless technologies.
A Wireless Local Area Network (WLAN) is a set of two or more devices that are able to communicate wirelessly with each other. Most WLANs are based on the IEEE 802.11 standard by the Institute of Electrical and Electronics Engineers. IEEE 802.11 is a set of specifications for the Medium Access Control (L2 sublayer) and the Physical Layer (L1) regarding wireless transmissions working within the 2.4 and 5 GHz frequency bands. This standard provides directions for products using Wi-Fi, a proprietary brand owned by the Wi-Fi Alliance, which is the trade association in charge of promoting interoperability between wireless device manufacturers.
The IEEE 802.11 architecture uses different components and concepts:
- Client or station (STA): a device such as a computer or cell phone containing a wireless adapter card that provides wireless connectivity.
- Access Point (AP): its function is to bridge between the wireless STAs and the existing network backbone for network access.
- Independent Basic Service Set (IBSS): also known as "ad-hoc mode", it consists of at least two STAs and is used when no APs are available.
- Basic Service Set (BSS): also known as "infrastructure mode", it is a wireless network consisting of only one AP providing service to one or more wireless clients. All clients in a BSS communicate through the AP, both with each other and with a wired network.
- Extended Service Set (ESS): a set of two or more interconnected BSSs sharing the same SSID (network name) and security credentials. An ESS allows for mobility and roaming, because clients can move seamlessly from one BSS to another. An ESS defines a single logical network segment bounded by a router.
- Distribution System (DS): the component used to interconnect BSSs. In other words, the APs of the multiple BSSs belonging to the same ESS are interconnected through a DS. A DS can be either wired or wireless.
- Service Set Identifier (SSID): a 1 to 32 byte string used to identify a BSS or ESS. Also considered the "network name", it is human readable.
- Basic Service Set Identification (BSSID): a 6 byte string that uniquely defines a BSS. For a BSS working in "infrastructure mode" the BSSID is the MAC address of the AP. The BSSID is the formal name of a BSS (in contrast to the informal name, the SSID), and it is always associated with only one BSS. Note that inside an ESS each of the member BSSs uses its own BSSID, whereas all of them use the same SSID. For an IBSS or "ad-hoc mode", the BSSID is a randomly generated, locally administered MAC address.
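To make the SSID/BSSID distinction and the BSS/IBSS split concrete, here is an added example (not code from the original post) that parses a raw 802.11 beacon frame: it reads the BSSID from the header's third address, the SSID from the tagged element of ID 0 (rejecting anything over 32 bytes) and the ESS/IBSS capability bits, and flags a locally administered BSSID of the kind an ad-hoc network generates. The frames are constructed inline with a small builder; the AP MAC and SSID "spaniard" come from this page's lab, while the ad-hoc BSSID is an assumed value.

```python
import struct

# Capability Information bits in a beacon body: an AP in a BSS sets ESS, a
# station in an ad-hoc network sets IBSS (never both).
CAP_ESS, CAP_IBSS = 0x0001, 0x0002

def is_locally_administered(mac: bytes) -> bool:
    """Bit 1 of the first octet: set on the random BSSID an IBSS generates,
    clear on an AP's burned-in MAC."""
    return bool(mac[0] & 0x02)

def parse_beacon(frame: bytes) -> dict:
    """Extract BSSID, SSID and service-set type from a raw beacon frame:
    24-byte MAC header (FC, Duration, Addr1-3, Seq), then Timestamp(8),
    Beacon Interval(2), Capability(2) and tagged elements (ID, len, value)."""
    if len(frame) < 36 or frame[0] != 0x80:  # FC: type 0 (mgmt), subtype 8
        raise ValueError("not a beacon frame")
    bssid = frame[16:22]  # Addr3 carries the BSSID in management frames
    (cap,) = struct.unpack_from("<H", frame, 34)
    ssid, pos = None, 36
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if tag == 0:  # SSID element: the 1..32-byte network name
            if length > 32:
                raise ValueError("SSID longer than 32 bytes")
            ssid = value.decode("utf-8", errors="replace")
        pos += 2 + length
    if cap & CAP_ESS and not cap & CAP_IBSS:
        mode = "infrastructure (BSS/ESS)"
    elif cap & CAP_IBSS and not cap & CAP_ESS:
        mode = "ad-hoc (IBSS)"
    else:
        mode = "invalid capability bits"
    return {"bssid": ":".join(f"{b:02x}" for b in bssid), "ssid": ssid,
            "mode": mode, "locally_administered": is_locally_administered(bssid)}

def build_beacon(bssid: bytes, ssid: bytes, cap: int) -> bytes:
    """Constructed sample beacon for offline use, not a real capture."""
    header = (bytes([0x80, 0, 0, 0]) + b"\xff" * 6   # FC, Duration, Addr1
              + bssid + bssid + b"\x00\x00")        # Addr2, Addr3 (BSSID), Seq
    body = struct.pack("<QHH", 0, 100, cap) + bytes([0, len(ssid)]) + ssid
    return header + body

# The page's lab AP (SSID "spaniard", MAC 00:25:F2:9B:91:23) and a constructed
# ad-hoc network whose BSSID has the locally administered bit set.
LAB_AP = parse_beacon(build_beacon(bytes.fromhex("0025f29b9123"), b"spaniard", CAP_ESS))
ADHOC = parse_beacon(build_beacon(bytes.fromhex("0a1b2c3d4e5f"), b"adhoc-demo", CAP_IBSS))
```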
0.2 - Versions, Frequency bands and Channels
The most important versions of the 802.11 protocol are a, b, g, n and ac, depending on the working frequency. The new ac version is expected to improve wireless transmissions dramatically by year 2014. The key features of the 802.11 versions are as follows:
Version  | Frequency (GHz) | Bandwidth (MHz) | Data Rate (Mbps)   | Modulation | Indoor range (metres) | Outdoor range (metres)
802.11a  | 5               | 20              | up to 54           | OFDM       | 35                    | 120
802.11b  | 2.4             | 20              | up to 11           | DSSS       | 35                    | 140
802.11g  | 2.4             | 20              | up to 54           | OFDM/DSSS  | 38                    | 140
802.11n  | 2.4/5           | 20/40           | up to 72.2/150     | OFDM       | 70                    | 250
802.11ac | 5               | 20/40/80/160    | from 87.6 to 866.7 | OFDM       |                       |
Orthogonal Frequency Division Multiplexing (OFDM) is a technique to encode digital data on multiple carrier frequencies. This scheme is used as a digital multi-carrier modulation method, in which a large number of closely spaced orthogonal sub-carrier signals are used to carry data on several parallel data streams or channels.
Direct-sequence Spread Spectrum (DSSS) is a modulation technique where the transmitted signal takes up more bandwidth than the information signal that modulates the carrier or broadcast frequency. 'Spread spectrum' comes from the fact that the carrier signals occur over the full bandwidth (spectrum) of a device's transmitting frequency.
As seen in the previous chart, the most important frequency bands used in wireless communications are 2.4 GHz and 5 GHz. Each spectrum is subdivided into channels with a center frequency and bandwidth. The 2.4 GHz band is divided into 15 channels spaced 5 MHz apart, starting at channel 1, which is centered on 2.412 GHz. The highest channels have some restrictions of use depending on the regulatory domain.
The IEEE 802.11 workgroups are in charge of establishing the technical features of the frequency ranges, but from a legal perspective each country applies its own regulations for allowable channels, users and maximum power levels within those frequency ranges. For instance, channel 14 is forbidden in the US and many other countries because it is reserved for other uses, and channels 12 and 13 are not used to avoid interference with channel 11. In fact, channel 14 is legal only in Japan.
There is also the problem of "overlapping channels", which can be avoided by using those channels whose working frequencies do not interfere with each other. As the next image shows, in the 2.4 GHz band channels 1 (2.412 GHz), 6 (2.437 GHz), 11 (2.462 GHz) and 14 (2.484 GHz) do not interfere because they do not use adjacent frequencies.
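The channel arithmetic of the last three paragraphs, as an added example that is not part of the original post: it maps 2.4 GHz channel numbers to centre frequencies, decides whether two channels overlap, checks a channel against a regulatory domain, and audits an AP's channel choice against a constructed list of neighbouring APs. The US (1-11) and Japan (1-14) channel sets come from the page; the ETSI (Europe) set of 1-13 and the 22 MHz channel width used as the overlap threshold are assumptions added here.

```python
# 2.4 GHz channels 1-13 are 5 MHz apart starting at 2412 MHz; channel 14
# sits alone at 2484 MHz. Assumption: a channel occupies 22 MHz, so two
# channels overlap when their centre frequencies are closer than that.
CHANNEL_WIDTH_MHZ = 22

# Channels each regulatory domain permits: US (1-11) and Japan (1-14) as
# stated on the page; the ETSI (Europe) set of 1-13 is an added assumption.
REGULATORY_DOMAINS = {"US": range(1, 12), "ETSI": range(1, 14), "JP": range(1, 15)}

def channel_to_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel in MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no 2.4 GHz channel {channel}")

def overlaps(ch_a: int, ch_b: int) -> bool:
    """True when the two channels' spectra overlap (adjacent-channel interference)."""
    return abs(channel_to_mhz(ch_a) - channel_to_mhz(ch_b)) < CHANNEL_WIDTH_MHZ

def is_allowed(channel: int, domain: str) -> bool:
    """Whether the domain permits the channel (e.g. 14 only in Japan)."""
    return channel in REGULATORY_DOMAINS[domain]

def non_overlapping_channels(domain: str) -> list:
    """Lowest-first greedy pick of mutually non-overlapping channels the
    domain allows; reproduces the page's 1/6/11 (plus 14 in Japan)."""
    chosen = []
    for ch in REGULATORY_DOMAINS[domain]:
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen

def audit_channel(channel: int, domain: str, neighbours: list) -> list:
    """Findings for an AP on `channel`: a regulatory violation and any
    overlap with the channels of neighbouring APs (constructed survey data)."""
    findings = []
    if not is_allowed(channel, domain):
        findings.append(f"channel {channel} not permitted in {domain}")
    for other in neighbours:
        if other != channel and overlaps(channel, other):
            findings.append(f"overlaps channel {other} ({channel_to_mhz(other)} MHz)")
    return findings
```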
0.3 - Lab Setup
0.3.1 - General description
Because this blog has an eminently practical approach, it is essential to set up a lab in which different experiments and practical tests can be developed. Apart from some exceptions that will be detailed at the right moment, the wireless testing lab setup used in most of our practices consists of the following elements:
- 1 Motorola SBG941 Access Point, monitored from 1 desktop PC equipped with Windows 7.
- 1 laptop ("kali") whose role will be attacker or hacker, equipped with the Kali Linux distribution and an Alfa Network AWUS036H wireless USB adapter. The most important tool used for launching the attacks will be Aircrack-ng, while Wireshark will be used for analyzing the captured packets.
- 1 laptop ("roch") whose role will be victim, equipped with Windows 7 and a wireless network interface: a NetGear N600 Wireless Dual-Band USB adapter.
The layout of the topology would be as follows:
Let's examine all these elements one by one.
0.3.2 - Access Point
The most common Access Point used in this work will be a Motorola SBG941 Wireless Cable Gateway:
The Motorola SBG941 Wireless Cable Gateway combines a cable modem, an integrated 4-port router (10/100Base-TX RJ-45) and an 802.11 a/b/g/n wireless access point. The gateway is DOCSIS 2.0 compliant and compatible with the DOCSIS 1.0/1.1 standard. The integrated AP supports WEP and WPA/WPA2 (TKIP and AES) wireless encryption. It uses WMM (QoS) to prioritize the traffic over the network. A WPS button allows for easy wireless security configuration. The router provides VPN pass-through for IPSec and PPTP. A built-in SPI firewall protects the network against intruders and Denial of Service (DoS) attacks. The transmit power is 17 dBm and the receiver sensitivity is -74 dBm.
The desktop PC is connected to the Access Point through an Ethernet cable, using one of the 4 available ports. To configure and monitor the access point, the default gateway IP 192.168.0.1 is entered in the browser:
The network created by the Access Point uses the name or SSID (Service Set Identifier) "spaniard", working in the subnet 192.168.0.0/24. It is very important to note that the AP's wireless MAC address is 00:25:F2:9B:91:23, as we can see in the next image, because this MAC address will be used very frequently during the practical tests:
Also, for the special purpose of demonstrating attacks against WPA/WPA2 Enterprise with RADIUS server authentication, a D-Link DIR-615 router will be used in Chapter 6.10, where further explanations about this router will be given:
0.3.3 - The attacker
The laptop used as attacker is named "kali"; from the software perspective it is equipped with a Kali Linux distro as operating system, and the Aircrack-ng and Wireshark applications are often used. From the hardware perspective, it has an Alfa Network AWUS036H wireless USB adapter.
Kali is a Debian Linux distribution offered by Offensive Security Ltd., considered by its authors as the successor of the well-known BackTrack. It is used for digital forensics, penetration testing, and generally for any computer security purpose. Kali comes preinstalled with a suite of penetration-testing programs, including Nmap, Wireshark, John the Ripper, Metasploit, OpenVAS, etc., and, the most important for our purposes, Aircrack-ng (for penetration testing of wireless LANs). Kali Linux can be run from a hard disk, live CD, or live USB. Kali is distributed in 32- and 64-bit images for use on hosts based on the x86 instruction set, as well as an image for the ARM architecture for use on the Raspberry Pi computer and on Samsung's ARM Chromebook.
Aircrack-ng is a suite of tools for auditing wireless networks, consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic. The program runs under Linux and Windows. It can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like the KoreK attacks, as well as the PTW attack, a newer method based on the RC4 cipher that decreases the number of initialization vectors (IVs) needed to recover a WEP key, making the attack much faster compared to other WEP cracking tools.
The most important tools included with Aircrack-ng are:
- aircrack-ng: cracks WEP and WPA (dictionary attack) keys.
- airdecap-ng: decrypts WEP or WPA encrypted capture files with a known key.
- airmon-ng: places different cards in monitor mode.
- aireplay-ng: packet injector (Linux, and Windows with CommView drivers).
- airodump-ng: packet sniffer; places air traffic into PCAP or IVS files and shows information about networks.
- airtun-ng: virtual tunnel interface creator.
- packetforge-ng: creates encrypted packets for injection.
- ivstools: tools to merge and convert.
- airbase-ng: incorporates techniques for attacking clients, as opposed to Access Points.
- airdecloak-ng: removes WEP cloaking from PCAP files.
- airdriver-ng: tools for managing wireless drivers.
- airolib-ng: stores and manages ESSID and password lists and computes Pairwise Master Keys.
- airserv-ng: allows accessing the wireless card from other computers.
- buddy-ng: helper server for easside-ng, runs on a remote computer.
- tkiptun-ng: WPA/TKIP attack.
- wesside-ng: automatic tool for recovering a WEP key.
Another essential software tool to be used is Wireshark, formerly known as Ethereal, a protocol analyzer used for analyzing and solving problems in communication networks, for software and protocol development, and as an educational tool. It has all the standard features of a protocol analyzer. The functionality provided is similar to tcpdump, but it adds a graphical interface and many options for organizing and filtering information. With the interface set to promiscuous mode, you see all the traffic passing through a network. It also includes a text-based version named tshark, which examines data from a live network or from a capture file saved to disk. You can analyze the captured information through the details and summaries for each packet. Wireshark includes a complete filter language, and the ability to follow the reconstructed stream of a TCP session.
Wireshark is free software, and runs on most Unix and compatible operating systems, including Linux, Solaris, FreeBSD, NetBSD, OpenBSD, and Mac OS X, as well as Microsoft Windows.
From the hardware perspective, the hacker laptop is equipped with an Alfa Network AWUS036H wireless adapter. Its key features are:
- 54 Mbps via USB 2.0 (also USB 1.1) for desktop and notebook computers
- Maximum advertised output of 1 Watt
- Compact size and great flexibility
- Plug-and-Play compatible with Microsoft Windows and Linux (drivers integrated in BackTrack R5)
- High security: 64/128/256-bit WEP encryption, TKIP, WPA, 802.1X
- Packet sniffing
- Packet injection
- As we will see later, its MAC address is 00:c0:ca:72:1a:36
0.3.4 - The victim
The role of victim of the attacks launched from "kali" will be played by the laptop named "roch" (the legitimate AP will also be attacked), equipped with the Windows 7 operating system and a wireless network interface.
Laptop "roch" uses the Netgear N600 Wireless Dual Band USB Adapter. Dual band technology avoids interference, ensuring high speeds and great ranges. It includes an easy setup with the Smart Wizard® CD, while Push 'N' Connect gives a secured connection just by pushing a button.
Its MAC address is 28:c6:8e:63:15:6b