© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2021
A. Sheikh, Certified Ethical Hacker (CEH) Preparation Guide, https://doi.org/10.1007/978-1-4842-7258-9_12

12. Hacking Wireless Networks

Ahmed Sheikh, Miami, FL, USA

As organizations move away from cabled networks in favor of communicating wirelessly, a host of security concerns need to be addressed. Wireless LANs using radio waves are easier to intercept than LANs that use physical wires. Go to a hotel, an airport, or the local McDonald's: many organizations now provide wireless connectivity to their customers. Unfortunately, the ease of use also comes with increased risk. An attacker can compromise a wireless network from outside the organization's premises. In this chapter, you will learn about different types of wireless networks, authentication methods, and the importance of wireless encryption.

By the end of this chapter, you will be able to
  1. Identify various types of wireless networks.
  2. Identify authentication methods and types of wireless encryption.
  3. Explain the methodology of wireless hacking.
  4. Apply wireless commands and tools.
  5. Examine plaintext wireless traffic, wired equivalent privacy (WEP) traffic, and Wi-Fi protected access (WPA) traffic.

Types of Wireless Networks

There are four types of wireless networks that you should be aware of. Review each network listed below for details.
  • Peer-to-peer network: In a peer-to-peer network, every computer communicates directly with the other computers on the same network without going through an access point. Such computers may not be able to reach the wired LAN, though.

  • Extension to a wired network: If an access point is placed between the wired network and the wireless devices, the wired network is extended. The access point connects the wireless LAN to the wired LAN, so wireless devices can access LAN resources.

  • Multiple access points: Multiple access points can be used to cover a larger area, enabling a user to move seamlessly throughout the coverage area.

  • LAN-to-LAN wireless network: LAN-to-LAN wireless networks use access points to provide wireless connectivity between computers on one network and computers on a different network.

Wireless Standards

In addition to the 802.11 standard, there is 802.15.1, which is the IEEE standard covering Bluetooth, and 802.16, which covers WiMAX, a long-distance wireless infrastructure. Review Table 12-1 to become familiar with the range of wireless standards available.
Table 12-1. Range of Wireless Standards Available

Specification    Speed              Frequency Range
802.11a          54 Mbps            5.2 GHz
802.11b          11 Mbps            2.4 GHz
802.11g          11 Mbps/54 Mbps    2.4 GHz
802.11i          11 Mbps/54 Mbps    2.4 GHz
802.11n          124-248 Mbps       2.4 GHz/5.2 GHz

Service Set Identifier

An SSID is a unique name given to the wireless local area network (WLAN) and can be up to 32 characters long. All devices and access points that are part of the wireless LAN must use the same SSID. SSIDs do not provide security for the WLAN, since they are transmitted in plaintext and can be sniffed. Many devices are shipped with default SSIDs.

802.1x Authentication Process

The IEEE 802.1x standard defines how a user is authenticated before being granted access to the network, with the decision made by an authentication server, for example a RADIUS server. 802.1X acts through an intermediate device, such as an edge switch, which allows a port to carry normal traffic only once the connection has been properly authenticated. This prevents unauthorized clients from using the publicly accessible ports on a switch, keeping unauthorized users out of the LAN.

Remote Authentication Dial In User Service, or RADIUS, is a client/server protocol that uses port 1813 to offer centralized authentication, authorization, and accounting for computers that connect to and use the available network services.

After the RADIUS server has authenticated the client and sent an encrypted authentication key to the access point (AP), the AP generates a multicast/global authentication key, encrypts it with a per-station unicast session key, and transmits it to the client (step 7). The following steps outline the authentication process (also shown in Figure 12-1).
  1. The AP issues a challenge to a wireless client.
  2. The wireless client responds with its identity.
  3. The AP forwards the identity to the RADIUS server.
  4. The RADIUS server sends a request to the client via the AP.
  5. The client responds to the RADIUS server with its credentials via the AP.
  6. The RADIUS server sends an encrypted authentication key if the credentials are good.
  7. The AP transmits to the client.
Figure 12-1. The 802.1x authentication process

802.11 Vulnerabilities

Beacon frames broadcast the SSID so that users can locate the network. Any station can impersonate another station or access point. An attacker can interfere with the authentication and association, which can force the stations to redo the authentication and association process.

Access points have capabilities for MAC address filtering. However, the MAC address does not provide a strong security mechanism, since it can be observed and replicated: MAC addresses appear in plaintext. Each network card has its own MAC address, but that address can be changed with the ifconfig command.

Wired Equivalent Privacy

Wired Equivalent Privacy (WEP) is designed to provide a WLAN with a level of security comparable to that of a wired LAN. It is a stream cipher that uses RC4 (www.geeksforgeeks.org/rc4-encryption-algorithm/). The inputs to the stream cipher are an initialization vector (IV), sent in plaintext, and a secret key. The combined length of the IV and the secret key is either 64 or 128 bits. A busy access point can use all available IV values (2^24) within hours, after which IV values are reused. There are two further issues to consider: a 32-bit cyclic redundancy check (CRC32) is not sufficient to ensure the cryptographic integrity of a packet, and WEP is vulnerable to dictionary attacks.

Wi-Fi Protected Access 2

Wi-Fi Protected Access 2 (WPA2) utilizes a 256-bit preshared key derived from a passphrase 8 to 63 bytes long. Users whose passphrases are shorter than 20 characters are vulnerable to an offline dictionary attack. WPA2 offers two modes of operation: WPA2-Personal and WPA2-Enterprise. WPA2-Personal uses a passphrase configured during setup, while WPA2-Enterprise uses an authentication server to confirm the user. WPA2 implements the AES encryption algorithm to provide government-grade security.
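The following is an added example, not code from the book: it derives the WPA2-Personal preshared key from a passphrase and SSID in the way the standard specifies (PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output) and applies the chapter's length guidance as a pre-deployment policy check. The SSIDs and passphrases are constructed; the "password"/"IEEE" pair is the published IEEE 802.11i test vector.

```python
"""Added example (not from the book): derive a WPA2-Personal preshared key from
a passphrase and flag passphrases the chapter would consider weak."""
import hashlib

MIN_LEN, MAX_LEN = 8, 63   # passphrase limits set by the standard
RECOMMENDED_LEN = 20       # chapter's threshold for resisting offline dictionary attacks


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PSK: PBKDF2-HMAC-SHA1 over the passphrase, salted with the
    SSID, 4096 iterations, 32-byte output (as specified in IEEE 802.11i)."""
    pw = passphrase.encode("ascii")
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        raise ValueError(f"passphrase must be {MIN_LEN}-{MAX_LEN} bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, ssid.encode("utf-8"), 4096, 32)


def passphrase_findings(passphrase: str) -> list:
    """Policy checks a defender runs before deploying a WPA2-Personal network.
    The SSID is public and the passphrase is the only secret, so anyone holding a
    captured handshake can test candidate passphrases offline; length is the main
    defence, which is why the chapter recommends at least 20 characters."""
    findings = []
    if len(passphrase) < RECOMMENDED_LEN:
        findings.append("shorter than 20 characters: practical offline dictionary target")
    if passphrase.isalpha() or passphrase.isdigit():
        findings.append("single character class: small search space")
    return findings


if __name__ == "__main__":
    # Test vector published in IEEE 802.11i (passphrase "password", SSID "IEEE")
    print(derive_psk("password", "IEEE").hex())
    for pp in ("password", "Correct Horse Battery Staple 2021"):   # constructed samples
        print(pp, "->", passphrase_findings(pp) or "ok")
```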

Temporal Key Integrity Protocol

Temporal Key Integrity Protocol (TKIP) is an element of the IEEE 802.11i encryption standard. It is the designated successor to WEP and eliminates the drawbacks of WEP without requiring the replacement of equipment. TKIP implements key mixing, which means that the secret key is combined with the initialization vector before being passed on to the stream cipher.

Changes from WEP to TKIP include adding a message integrity protocol to prevent tampering. TKIP changed the rules of IV selection so that the encryption key now changes for every frame. Other changes are an increase in the size of the IV to 48 bits and a new mechanism to distribute and change broadcast keys.

Four-Way Handshake

The MIC is a message integrity code that authenticates the handshake messages. The GTK is the Group Temporal Key used to decrypt multicast and broadcast traffic. The sequence number will be used in the next multicast or broadcast frame. Figure 12-2 illustrates this process.
Figure 12-2. Four-way handshake

Hacking Wireless Networks

A laptop running Network Stumbler, passive scanners (Kismet or KisMAC), or active beacon scanners (MacStumbler or iStumbler) can be used to hack a wireless network. Network Stumbler or Kismet will tell an attacker how a network is encrypted.

Rogue Access Points

Unauthorized access points can allow anyone with a wireless device onto the network. Access points can be cloaked by putting them in stealth mode. Cloaked access points are not detected by active scanners like Network Stumbler. A passive scanner is required to detect a cloaked access point. The methods used to locate access points include requesting a beacon and sniffing the air. Tools that can be used to cloak access points include Fakeap, Network Stumbler, and MiniStumbler.

Iwconfig Command

The wireless network card is most likely in managed mode, which is the standard mode of operation for wireless cards. Using iwconfig, the card can be placed into monitor mode. If you operate a wireless network card in monitor mode, you can capture all wireless traffic within your card’s range. See Figures 12-3 and 12-4.
Figure 12-3. Managed mode

Figure 12-4. Monitor mode

Airodump-ng Command

While the program is running, the MAC addresses and AP names are displayed in the top pane (Figure 12-5). The bottom pane displays the MAC address of the AP and the MACs of the stations (Figure 12-6).
Figure 12-5. MAC addresses and AP names

Figure 12-6. MAC address of the AP and the MAC

Aireplay-ng Command

Aireplay-ng is another command used in wireless testing. It is used to execute replay attacks for WEP cracking or to perform deauthentication attacks. During WEP and WPA attacks, a deauthentication attack can be used to knock a client off the network. Not all cards support the deauthentication functionality. See Figures 12-7 and 12-8.
Figure 12-7. Aireplay-ng command

Figure 12-8. The aireplay-ng command used in a deauthentication attack
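The deauthentication attack just described is also what a wireless intrusion detection system looks for. The following added example (not from the book or from the aircrack-ng project) parses raw 802.11 management frames and reports bursts of deauthentication or disassociation frames per transmitter/receiver pair. All MAC addresses, the frames, and the burst threshold are constructed assumptions for the demonstration.

```python
"""Added example (not from the book): detect a deauthentication flood in raw
802.11 management frames, the way a wireless IDS would."""
import struct
from collections import Counter

DEAUTH, DISASSOC = 0x0C, 0x0A  # management-frame subtypes
BURST_THRESHOLD = 5             # assumption: more than 5 per (sender, receiver) is abnormal

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def mgmt_frame(subtype: int, dst: bytes, src: bytes, bssid: bytes, reason: int) -> bytes:
    """Minimal management frame: FC, duration, addr1-3, sequence control, reason code."""
    fc = bytes([subtype << 4, 0x00])  # type 0 (management) in bits 2-3, subtype in bits 4-7
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + struct.pack("<H", reason)

def parse_frame(frame: bytes):
    """Return (subtype, addr1, addr2, reason) for deauth/disassoc frames, else None."""
    if len(frame) < 26:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    reason = struct.unpack_from("<H", frame, 24)[0]
    return subtype, frame[4:10], frame[10:16], reason

def deauth_alerts(frames, threshold=BURST_THRESHOLD) -> dict:
    """Count deauth/disassoc frames per (transmitter, receiver); report bursts over threshold."""
    counts = Counter()
    for f in frames:
        parsed = parse_frame(f)
        if parsed:
            _, dst, src, _ = parsed
            counts[(src, dst)] += 1
    return {(s.hex(":"), d.hex(":")): n for (s, d), n in counts.items() if n > threshold}

# Constructed sample capture: one benign deauth from a station that is leaving, one data
# frame (ignored by the parser), then 20 broadcast deauths claiming the AP's address.
AP, STA, BCAST = mac("aa:bb:cc:dd:ee:01"), mac("11:22:33:44:55:66"), mac("ff:ff:ff:ff:ff:ff")
SAMPLE_FRAMES = (
    [mgmt_frame(DEAUTH, AP, STA, AP, 3)]
    + [bytes([0x08, 0x00]) + b"\x00" * 24]
    + [mgmt_frame(DEAUTH, BCAST, AP, AP, 7) for _ in range(20)]
)
```

Running `deauth_alerts(SAMPLE_FRAMES)` flags only the 20-frame burst from the AP's address to broadcast; the single legitimate deauth stays below the threshold.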

Monitoring an Unsecured WLAN

The use of an unsecured wireless network poses significant security risks. Anyone with a wireless card operating in monitor mode can capture all traffic to and from the access point. This includes the ability to view DNS requests, view HTTP traffic, and retrieve images from the captured wireless traffic. See Figures 12-9 and 12-10. For this very reason, it is good practice to use a wireless network with encryption, such as WEP, WPA, or WPA2.
Figure 12-9. FTP traffic capture

Figure 12-10. Following the TCP stream

Using Aircrack-ng

After the WEP key is obtained (Figures 12-11a and 12-11b), you can decrypt the network traffic with airdecap-ng.
Figure 12-11a. Decrypting using aircrack-ng

Figure 12-11b. Decrypting using aircrack-ng

Summary

As the number of organizations using wireless LANs increases, so too do the risks that can compromise a network. In this chapter, you reviewed the various types of wireless networks, authentication methods, and wireless encryption. You learned the importance of increasing security to protect systems against the concerns associated with the use of wireless LANs.

Resource
